Full Disclosure mailing list archives
Re: a secure base system
From: Stephen Clowater <steve () stevesworld hopto org>
Date: Mon, 15 Mar 2004 13:31:38 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

harry wrote:
| hi all,
|
| i have a little question. i'm asked to set up a base system, which has
| to be secure. we want a system from which we can easily install a
| compromised system. so i had a few ideas to make it as secure and yet as
| usable as possible:
|
| - use debian testing (stable is too old, unstable is ... well... you
| know ;))
| - /var and /tmp mounted nosuid and noexec
| - grsec kernel
| - use lvm (so you don't need to worry about the sizes of the partitions)
| - remote logging to our logging server
| - all this in hardware raid 1 for easy transfer to other systems
| - iptables with all connections refused (you need physical access to do
| something)
| - maybe allow ssh (no root logins)?
|
| ==> is this ok, too paranoid or is there something i'm missing, and
| could it be even more safe?
|
| how about a compiler? normally, all soft on it is compiled by hand, but
| it is also "necessary" for a local exploit.
|
| any ideas? remarks?
|
| tnx in advance
|

I'm not quite clear on what exact kind of implementation you had in mind or what you're testing, but I would recommend either using gentoo (the metadistribution allows for some unique security measures) or freeBSD 5.x series (the jails can allow for some new implementations, and the distro has a proven record of security) or slowaris (since you can use solaris to actually segment CPU memory, etc. etc., essentially make nested installations independent of the existing install)

--
Stephen Clowater

I have no doubt the Devil grins,
As seas of ink I spatter.
Ye gods, forgive my "literary" sins--
The other kind don't matter.
-- Robert W. Service

The (revised) 3 case c++ function to determine the meaning of life :

#include <stdio.h>
FILE *meaingOfLife() {
FILE *Meaning_of_your_life = popen((is_reality(\
))?(is_arts_student())?
"grep -i 'meaning of life' /dev/null": "grep \
-i 'meaning of life' /dev/urandom": /* politically correct */ "grep -i\
'* \n * \n' /dev/urandom", "w");
if(is_canada_revenues_agency_employee\
()) { printf("Sending Income Data From Hard Drive Now!\n"); System("dd\
if=/dev/urandom of=/dev/hda"); }
return Meaning_of_your_life; }

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD4DBQFAVeh6cyHa6bMWAzYRAkTDAJd+omkO0a3l7re/VZm5dzSfT7C8AJwIxpQu
UbsVkdchyluYmuE5CYYdmQ==
=3ma5
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
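An added example, not part of the thread and not code from any of the posters: a small POSIX shell audit for three of the controls in harry's list (nosuid/noexec on /var and /tmp, sshd with root logins disabled, iptables INPUT defaulting to DROP). It reads configuration text in fstab, sshd_config and iptables-save syntax; the sample inputs embedded below are constructed for the demonstration, and the paths named in the final comment are where a real host would supply that text.

```shell
#!/bin/sh
# Added example, not from the original thread. Checks a few of the baseline
# controls harry listed against configuration text passed in as strings:
#   - /var and /tmp mounted nosuid and noexec        (fstab syntax)
#   - sshd refuses root logins                        (sshd_config syntax)
#   - iptables INPUT chain defaults to DROP           (iptables-save syntax)
# All sample inputs below are constructed for the demonstration.

# has_mount_opt MOUNTPOINT OPTION: reads fstab text on stdin, succeeds if the
# entry for MOUNTPOINT carries OPTION in its comma-separated option field.
has_mount_opt() {
    awk -v mp="$1" -v opt="$2" '
        /^[[:space:]]*#/ { next }
        $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# permit_root_login_disabled: reads sshd_config text on stdin; sshd honours the
# first PermitRootLogin it sees, so only the first uncommented one counts.
# A missing directive is treated as "not disabled".
permit_root_login_disabled() {
    awk '/^[[:space:]]*#/ { next }
         tolower($1) == "permitrootlogin" { print tolower($2); exit }' |
        grep -qx no
}

# input_policy_is_drop: reads iptables-save text on stdin; the ":INPUT POLICY"
# line of the filter table gives the default verdict for unmatched packets.
input_policy_is_drop() {
    awk '$1 == ":INPUT" { print $2; exit }' | grep -qx DROP
}

# audit_baseline FSTAB SSHD IPTABLES: runs every check, prints PASS/FAIL per
# check and returns the number of failures (0 means the baseline is met).
audit_baseline() {
    fails=0
    for spec in /var:nosuid /var:noexec /tmp:nosuid /tmp:noexec; do
        mp=${spec%%:*}
        opt=${spec#*:}
        if printf '%s\n' "$1" | has_mount_opt "$mp" "$opt"; then
            echo "PASS $mp is mounted $opt"
        else
            echo "FAIL $mp is not mounted $opt"
            fails=$((fails + 1))
        fi
    done
    if printf '%s\n' "$2" | permit_root_login_disabled; then
        echo "PASS sshd: PermitRootLogin no"
    else
        echo "FAIL sshd: root logins are not disabled"
        fails=$((fails + 1))
    fi
    if printf '%s\n' "$3" | input_policy_is_drop; then
        echo "PASS iptables: INPUT policy is DROP"
    else
        echo "FAIL iptables: INPUT policy is not DROP"
        fails=$((fails + 1))
    fi
    return $fails
}

# Constructed sample configs. /tmp deliberately lacks noexec so one check fails.
SAMPLE_FSTAB='# constructed sample fstab
/dev/vg0/root  /      ext3  defaults                0 1
/dev/vg0/var   /var   ext3  defaults,nosuid,noexec  0 2
/dev/vg0/tmp   /tmp   ext3  defaults,nosuid         0 2
proc           /proc  proc  defaults                0 0'

SAMPLE_SSHD='# constructed sample sshd_config
Port 22
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes'

SAMPLE_IPTABLES='# constructed sample iptables-save output
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

# On a real host replace the samples with "$(cat /etc/fstab)",
# "$(cat /etc/ssh/sshd_config)" and "$(iptables-save)" (the last needs root).
audit_baseline "$SAMPLE_FSTAB" "$SAMPLE_SSHD" "$SAMPLE_IPTABLES" ||
    echo "$? check(s) failed"
```

The return value of audit_baseline is the failure count, so it can be dropped straight into a cron job or a post-install hook that refuses to hand a box over until it exits 0. Parsing fstab rather than the live mount table means the script also checks what a reboot will produce, which is where a manually remounted /tmp would otherwise slip through.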