Re: [Full-Disclosure] a secure base system
- To: harry <Rik.Bobbaers@xxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-Disclosure] a secure base system
- From: Jochem Kossen <jkossen@xxxxxxxxx>
- Date: Mon, 15 Mar 2004 14:24:41 +0100
On Mon, Mar 15, 2004 at 12:37:13PM +0100, harry wrote:
> hi all,
>
> i have a little question. i'm asked to set up a base system, which has
> to be secure. we want a system from which we can easily install a
> compromised system. so i had a few ideas to make it as secure and yet as
> usable as possible:
>
> - use debian testing (stable is too old, unstable is ... well... you
> know ;))
As testing doesn't get security updates (at least, it's not guaranteed),
IMHO it's a bad point to start with.
> - /var and /tmp mounted nosuid and noexec
How about /home? and how about nodev? (dunno if Linux has nodev)
> - grsec kernel
> - use lvm (so you don't need to worry about the sizes of the partitions)
>
> - remote logging to our logging server
>
> - all this in hardware raid 1 for easy transfer to other systems
> - iptables with all connections refused (you need physical access to do
> something)
> - maybe allow ssh (no root logins)?
>
> ==> is this ok, too paranoid or is there something i'm missing, and
> could it be even more safe?
It could be more safe definitely. How about OpenBSD? (ye ye i'm
biased ;), but there are more security oriented solutions around)
> how about a compiler? normally, all soft on it is compiled by hand, but
> it is also "necessary" for a local exploit.
If you don't install a compiler, make sure users can't upload
precompiled compilers :)
> any ideas? remarks?
It all depends on what you want to do with the system (webserver?
desktop pc's?)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
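
The mount-option points raised in the thread (nosuid and noexec on /var and /tmp, plus the /home and nodev suggestions) can be checked mechanically; Linux does support nodev. The following is an added example, not part of the original messages: it audits a file in /proc/mounts format, and the function names and sample device names are made up for illustration.

```shell
#!/bin/sh
# Added example: audit /tmp, /var and /home for nosuid, noexec and nodev.
# Input is a file in /proc/mounts format (default: /proc/mounts itself).

# Prints one finding per line; returns 1 if there is any finding.
check_mounts() {
    awk -v targets="/tmp /var /home" -v required="nosuid noexec nodev" '
        BEGIN { nt = split(targets, t, " "); nr = split(required, r, " ") }
        { opts[$2] = $4 }   # field 2: mount point, field 4: options (last mount wins)
        END {
            bad = 0
            for (i = 1; i <= nt; i++) {
                mp = t[i]
                if (!(mp in opts)) {
                    # Not its own filesystem, so it inherits the options of its parent.
                    print mp " not a separate mount"; bad = 1; continue
                }
                for (j = 1; j <= nr; j++)
                    if (index("," opts[mp] ",", "," r[j] ",") == 0) {
                        print mp " missing " r[j]; bad = 1
                    }
            }
            exit bad
        }' "${1:-/proc/mounts}"
}

# Constructed sample in /proc/mounts format (device names are made up).
sample_mounts() {
    cat <<'EOF'
/dev/mapper/vg0-root / ext3 rw 0 0
/dev/mapper/vg0-tmp /tmp ext3 rw,nosuid,noexec 0 0
/dev/mapper/vg0-var /var ext3 rw,nosuid,noexec,nodev 0 0
EOF
}

demo_file=$(mktemp)
sample_mounts > "$demo_file"
check_mounts "$demo_file" || echo "policy violations found"
rm -f "$demo_file"
```

On a Debian system, test noexec on /var before relying on it: dpkg runs package maintainer scripts from /var/lib/dpkg/info.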