| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: Rik.Bobbaers at cc.kuleuven.ac.be (harry) Subject: a secure base system hi all, i have a little question. i'm asked to set up a base system, which has to be secure. we want a system from which we can easily install a compromised system. so i had a few ideas to make it as secure and yet as usable as possible: - use debian testing (stable is too old, unstable is ... well... you know ;)) - /var and /tmp mounted nosuid and noexec - grsec kernel - use lvm (so you don't need to worry about the sizes af the partitions) - remote logging to our logging server - all this in hardware raid 1 for easy transfer to other systems - iptables with all connections refused (you need physical access to do something) - maybe allow ssh (no root logins)? ==> is this ok, too paranoia or is there somenting i'm missing, and cound it be even more safe? how about a compiler? normally, all soft on it is compiled by hand, but it is also "necessary" for a local exploit. any ideas? remarks? tnx in advance -- harry aka Rik Bobbaers K.U.Leuven - LUDIT -=- Tel: +32 485 52 71 50 Rik.Bobbaers@...kuleuven.ac.be -=- http://harry.ulyssis.org "Work hard and do your best, it'll make it easier for the rest" -- Garfield
Powered by blists - more mailing lists