| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20040315132441.GA26445@jochem.dyndns.org> From: jkossen at xs4all.nl (Jochem Kossen) Subject: a secure base system On Mon, Mar 15, 2004 at 12:37:13PM +0100, harry wrote: > hi all, > > i have a little question. i'm asked to set up a base system, which has > to be secure. we want a system from which we can easily install a > compromised system. so i had a few ideas to make it as secure and yet as > usable as possible: > > - use debian testing (stable is too old, unstable is ... well... you > know ;)) As testing doesn't get security updates (at least, it's not guaranteed), IMHO it's a bad point to start with. > - /var and /tmp mounted nosuid and noexec How about /home? and how about nodev? (dunno if Linux has nodev) > - grsec kernel > - use lvm (so you don't need to worry about the sizes af the partitions) > > - remote logging to our logging server > > - all this in hardware raid 1 for easy transfer to other systems > - iptables with all connections refused (you need physical access to do > something) > - maybe allow ssh (no root logins)? > > ==> is this ok, too paranoia or is there somenting i'm missing, and > cound it be even more safe? It could be more safe definitely. How about OpenBSD? (ye ye i'm biased ;), but there are more security oriented solutions around) > how about a compiler? normally, all soft on it is compiled by hand, but > it is also "necessary" for a local exploit. If you don't install a compiler, make sure users can't upload precompiled compilers :) > any ideas? remarks? It all depends on what you want to do with the system (webserver? desktop pc's?)
Powered by blists - more mailing lists