lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20040315201539.GA26073@piper.madduck.net> From: madduck at madduck.net (martin f krafft) Subject: Re: a secure base system also sprach harry <Rik.Bobbaers@...kuleuven.ac.be> [2004.03.15.1237 +0100]: > - /var and /tmp mounted nosuid and noexec as others have probably written, this won't do much. first, noexec can be easily overriden: /lib/ld-linux.so.2 /tmp/trojan and second, nosuid on /var will make a couple of programs in Debian fail. i don't remember which. > - grsec kernel why not use SELinux? > ==> is this ok, too paranoia or is there somenting i'm missing, and > cound it be even more safe? you can surely get this a lot more save, especially against local access. > how about a compiler? normally, all soft on it is compiled by > hand, but it is also "necessary" for a local exploit. i can compile on my system and then run it on yours. you can install a compiler if you need it. also sprach Jochem Kossen <jkossen@...all.nl> [2004.03.15.1424 +0100]: > How about /home? and how about nodev? (dunno if Linux has nodev) sure it does. mounting /home and the others nodev is a good idea. > It could be more safe definitely. How about OpenBSD? (ye ye i'm > biased ;), but there are more security oriented solutions around) OpenBSD, Debian, OpenBSD, Debian... guess which one I'll pick. And that's not a hard decision. also sprach Tobias Weisserth <tobias@...sserth.de> [2004.03.15.1933 +0100]: > If you want an up to date and modern productivity distribution with a > good security policy you mustn't use Debian but an alternative like > Fedora or SuSE or maybe Mandrake. You may just as well use Debian and stay up to date with the security problems. > I know this will raise flames en masse from Debian fans. But it's > a sour truth that Debian woody is hopefully outdated and as long > as the Debian security team doesn't support the other releases > it's no option at all to use these other releases in productive > environments. Productive environments are one of two kinds: servers and workstations. What's missing from Woody for a server? And concerning workstations: your security better shield a security problem on a workstation. > /tmp should always be mounted noexec. Add /home as well with noexec. Why > should users be able to install or run programs from within their home > directories anyway? Administered systems supply everything users need, > so there's no need to give them this freedom. This may be a trade-off, > but the result is more security. whatever. read above. > You have missed the most important thing: file integrity checking. Take > a look at Tripwire or AIDE. good point! -- martin; (greetings from the heart of the sun.) \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@...duck invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver! kill ugly radio -- frank zappa -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040315/eb6fe3b2/attachment.bin
Powered by blists - more mailing lists