[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-Disclosure] a secure base system
- To: full-disclosure@xxxxxxxxxxxxxxxx, security-basics@xxxxxxxxxxxxxxxxx
- Subject: [Full-Disclosure] a secure base system
- From: harry <Rik.Bobbaers@xxxxxxxxxxxxxxxxx>
- Date: Mon, 15 Mar 2004 12:37:13 +0100
hi all,
i have a little question. i'm asked to set up a base system, which has
to be secure. we want a system from which we can easily install a
compromised system. so i had a few ideas to make it as secure and yet as
usable as possible:
- use debian testing (stable is too old, unstable is ... well... you
know ;))
- /var and /tmp mounted nosuid and noexec
- grsec kernel
- use lvm (so you don't need to worry about the sizes af the partitions)
- remote logging to our logging server
- all this in hardware raid 1 for easy transfer to other systems
- iptables with all connections refused (you need physical access to do
something)
- maybe allow ssh (no root logins)?
==> is this ok, too paranoia or is there somenting i'm missing, and
cound it be even more safe?
how about a compiler? normally, all soft on it is compiled by hand, but
it is also "necessary" for a local exploit.
any ideas? remarks?
tnx in advance
--
harry
aka Rik Bobbaers
K.U.Leuven - LUDIT -=- Tel: +32 485 52 71 50
Rik.Bobbaers@xxxxxxxxxxxxxxxxx -=- http://harry.ulyssis.org
"Work hard and do your best, it'll make it easier for the rest"
-- Garfield
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html