lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <Pine.GSO.4.43.0403151151440.20383-100000@tundra.winternet.com>
From: dufresne at winternet.com (Ron DuFresne)
Subject: a secure base system

On Mon, 15 Mar 2004, Jochem Kossen wrote:

> On Mon, Mar 15, 2004 at 12:37:13PM +0100, harry wrote:
> > hi all,
> >
> > i have a little question. i'm asked to set up a base system, which has
> > to be secure. we want a system from which we can easily install a
> > compromised system. so i had a few ideas to make it as secure and yet as
> > usable as possible:
> >

install a compromised system?  This is a forensics box?  then perhaps to
really kppe it secured it should be un-networked, at least when analysis
is beong one.  I'm taking it as a forensics box, you plan on popping in a
DD'ed copy of the drive of the host that was in fact compromised for
analysis?


Ten again, perhaps I'm either mis reading your intentions for the system,
or you mis-stated your desires?

Thanks,

Ron DuFresne

> > - use debian testing (stable is too old, unstable is ... well... you
> > know ;))
>
> As testing doesn't get security updates (at least, it's not guaranteed),
> IMHO it's a bad point to start with.
>
> > - /var and /tmp mounted nosuid and noexec
>
> How about /home? and how about nodev? (dunno if Linux has nodev)
>
> > - grsec kernel
> > - use lvm (so you don't need to worry about the sizes af the partitions)
> >
> > - remote logging to our logging server
> >
> > - all this in hardware raid 1 for easy transfer to other systems
> > - iptables with all connections refused (you need physical access to do
> > something)
> > - maybe allow ssh (no root logins)?
> >
> > ==> is this ok, too paranoia or is there somenting i'm missing, and
> > cound it be even more safe?
>
> It could be more safe definitely. How about OpenBSD? (ye ye i'm
> biased ;), but there are more security oriented solutions around)
>
> > how about a compiler? normally, all soft on it is compiled by hand, but
> > it is also "necessary" for a local exploit.
>
> If you don't install a compiler, make sure users can't upload
> precompiled compilers :)
>
> > any ideas? remarks?
>
> It all depends on what you want to do with the system (webserver?
> desktop pc's?)
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
	***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ