Open Source and information security mailing list archives
Message-ID: <20040315201539.GA26073@piper.madduck.net>
From: madduck at madduck.net (martin f krafft)
Subject: Re: a secure base system

also sprach harry <Rik.Bobbaers@...kuleuven.ac.be> [2004.03.15.1237 +0100]:
> - /var and /tmp mounted nosuid and noexec

as others have probably written, this won't do much. first, noexec
can be easily overridden:

  /lib/ld-linux.so.2 /tmp/trojan

and second, nosuid on /var will make a couple of programs in Debian
fail. i don't remember which.

> - grsec kernel

why not use SELinux?

> ==> is this ok, too paranoia or is there something i'm missing, and 
> could it be even more safe?

you can surely get this a lot more safe, especially against local
access.

> how about a compiler? normally, all soft on it is compiled by
> hand, but it is also "necessary" for a local exploit.

i can compile on my system and then run it on yours. you can install
a compiler if you need it.

also sprach Jochem Kossen <jkossen@...all.nl> [2004.03.15.1424 +0100]:
> How about /home? and how about nodev? (dunno if Linux has nodev)

sure it does. mounting /home and the others nodev is a good idea.

> It could be more safe definitely. How about OpenBSD? (ye ye i'm
> biased ;), but there are more security oriented solutions around)

OpenBSD, Debian, OpenBSD, Debian... guess which one I'll pick. And
that's not a hard decision.

also sprach Tobias Weisserth <tobias@...sserth.de> [2004.03.15.1933 +0100]:
> If you want an up to date and modern productivity distribution with a
> good security policy you mustn't use Debian but an alternative like
> Fedora or SuSE or maybe Mandrake.

You may just as well use Debian and stay up to date with the
security problems.

> I know this will raise flames en masse from Debian fans. But it's
> a sour truth that Debian woody is hopefully outdated and as long
> as the Debian security team doesn't support the other releases
> it's no option at all to use these other releases in productive
> environments.

Productive environments are one of two kinds: servers and
workstations.

What's missing from Woody for a server?

And concerning workstations: your security better shield a security
problem on a workstation.

> /tmp should always be mounted noexec. Add /home as well with noexec. Why
> should users be able to install or run programs from within their home
> directories anyway? Administered systems supply everything users need,
> so there's no need to give them this freedom. This may be a trade-off,
> but the result is more security.

whatever. read above.

> You have missed the most important thing: file integrity checking. Take
> a look at Tripwire or AIDE.

good point!

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@...duck
 
invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
 
kill ugly radio
                                                        -- frank zappa
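
An added example, not part of the original message: a small Python audit of the mount options the thread discusses (nosuid, noexec, nodev on /tmp, /var and /home), run over /proc/mounts-style text. The policy table and the sample mount lines are constructed for illustration from the thread's suggestions, and the function names are hypothetical.

```python
import re

# Assumed policy, assembled from the options suggested in the thread.
POLICY = {
    "/tmp": {"nosuid", "noexec", "nodev"},
    "/var": {"nosuid", "noexec", "nodev"},
    "/home": {"nodev", "noexec"},
}

# Constructed sample in /proc/mounts format (device, mount point, type, options).
SAMPLE = """\
/dev/hda1 / ext3 rw 0 0
/dev/hda5 /var ext3 rw,nodev 0 0
/dev/hda6 /tmp ext3 rw,nosuid,nodev,noexec 0 0
/dev/hda7 /home ext3 rw,nodev 0 0
"""

def unescape(field):
    # /proc/mounts encodes space, tab, newline and backslash as \ooo octal.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mounts(text):
    """Return {mount point: set(options)}; later lines shadow earlier ones."""
    mounts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            mounts[unescape(parts[1])] = set(parts[3].split(","))
    return mounts

def covering_mount(path, mounts):
    """Longest mount point that is the path itself or one of its parents."""
    best = "/"
    for mp in mounts:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if len(mp) > len(best):
                best = mp
    return best

def audit(text, policy=POLICY):
    """Return {path: (covering mount, sorted missing options)} for gaps only."""
    mounts = parse_mounts(text)
    findings = {}
    for path, wanted in policy.items():
        mp = covering_mount(path, mounts)
        missing = sorted(wanted - mounts.get(mp, set()))
        if missing:
            findings[path] = (mp, missing)
    return findings

if __name__ == "__main__":
    for path, (mp, missing) in audit(SAMPLE).items():
        print(f"{path}: on mount {mp}, missing {','.join(missing)}")
```

On a live system, pass the contents of /proc/mounts to audit(); a path that is not its own filesystem is reported against the parent mount that covers it.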