Message-ID: <20040315132441.GA26445@jochem.dyndns.org>
From: jkossen at xs4all.nl (Jochem Kossen)
Subject: a secure base system

On Mon, Mar 15, 2004 at 12:37:13PM +0100, harry wrote:
> hi all,
> 
> i have a little question. i'm asked to set up a base system, which has 
> to be secure. we want a system from which we can easily install a 
> compromised system. so i had a few ideas to make it as secure and yet as 
> usable as possible:
> 
> - use debian testing (stable is too old, unstable is ... well... you 
> know ;))

As testing doesn't get security updates (at least, it's not guaranteed),
IMHO it's a bad point to start with.

> - /var and /tmp mounted nosuid and noexec

How about /home? and how about nodev? (dunno if Linux has nodev)

> - grsec kernel
> - use lvm (so you don't need to worry about the sizes of the partitions)
>
> - remote logging to our logging server
>
> - all this in hardware raid 1 for easy transfer to other systems
> - iptables with all connections refused (you need physical access to do 
> something)
> - maybe allow ssh (no root logins)?
> 
> ==> is this ok, too paranoia or is there something i'm missing, and 
> could it be even more safe?

It could be more safe definitely. How about OpenBSD? (ye ye i'm
biased ;), but there are more security oriented solutions around)

> how about a compiler? normally, all soft on it is compiled by hand, but 
> it is also "necessary" for a local exploit.

If you don't install a compiler, make sure users can't upload
precompiled compilers :)

> any ideas? remarks?

It all depends on what you want to do with the system (webserver?
desktop pc's?)
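The thread above argues about which filesystems should carry nosuid, noexec and nodev (harry's /var and /tmp, Jochem's question about /home and nodev; Linux's mount(8) does accept nodev). The following script is an added example, written for this page and not posted by either participant, that audits a mounts table for exactly those three options on /tmp, /var and /home. The table it reads is a constructed fstab-style sample, not output from a real host; on a real system you would feed it /proc/self/mounts or /etc/fstab instead.

```shell
#!/bin/sh
# Added example (not from the thread): check that /tmp, /var and /home are
# mounted with nosuid, noexec and nodev, the options discussed above.

# Constructed sample in fstab / /proc/self/mounts layout. The device and
# volume names are invented for the example.
SAMPLE_MOUNTS='/dev/vg0/root / ext3 rw 0 1
/dev/vg0/tmp /tmp ext3 rw,nosuid,noexec,nodev 0 2
/dev/vg0/var /var ext3 rw,nosuid,noexec 0 2
/dev/vg0/home /home ext3 rw 0 2
proc /proc proc rw 0 0'

# has_opt OPTS NAME: succeed (return 0) if NAME is one of the
# comma-separated mount options in OPTS, fail (return 1) otherwise.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_mounts reads a mounts table on stdin and prints one line per
# checked mount point: "<mnt>: ok" or "<mnt>: missing <opts...>".
# Other mount points and comment lines are skipped. Always returns 0 so
# it can be used under "set -e"; the report itself carries the findings.
audit_mounts() {
    while read -r dev mnt fstype opts rest; do
        case "$dev" in
            '#'*|'') continue ;;   # skip comments and blank lines
        esac
        case "$mnt" in
            /tmp|/var|/home) ;;
            *) continue ;;
        esac
        missing=""
        for want in nosuid noexec nodev; do
            has_opt "$opts" "$want" || missing="$missing $want"
        done
        if [ -n "$missing" ]; then
            echo "$mnt: missing$missing"
        else
            echo "$mnt: ok"
        fi
    done
    return 0
}

# Stand-alone run against the constructed sample. On a live host use:
#   audit_mounts < /proc/self/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts
```

Checking /proc/self/mounts rather than /etc/fstab reports what the kernel actually enforces right now, which is the value that matters if a filesystem was remounted by hand after boot.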
