lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <40559569.602@cc.kuleuven.ac.be>
From: Rik.Bobbaers at cc.kuleuven.ac.be (harry)
Subject: a secure base system

hi all,

i have a little question. i'm asked to set up a base system, which has 
to be secure. we want a system from which we can easily install a 
compromised system. so i had a few ideas to make it as secure and yet as 
usable as possible:

- use debian testing (stable is too old, unstable is ... well... you 
know ;))
- /var and /tmp mounted nosuid and noexec
- grsec kernel
- use lvm (so you don't need to worry about the sizes af the partitions)
- remote logging to our logging server
- all this in hardware raid 1 for easy transfer to other systems
- iptables with all connections refused (you need physical access to do 
something)
- maybe allow ssh (no root logins)?

==> is this ok, too paranoia or is there somenting i'm missing, and 
cound it be even more safe?

how about a compiler? normally, all soft on it is compiled by hand, but 
it is also "necessary" for a local exploit.

any ideas? remarks?

tnx in advance

-- 
harry
aka Rik Bobbaers

K.U.Leuven - LUDIT             -=- Tel: +32 485 52 71 50
Rik.Bobbaers@...kuleuven.ac.be -=- http://harry.ulyssis.org

"Work hard and do your best, it'll make it easier for the rest"
-- Garfield


Powered by blists - more mailing lists