
[Full-Disclosure] Re: a secure base system



also sprach harry <Rik.Bobbaers@xxxxxxxxxxxxxxxxx> [2004.03.15.1237 +0100]:
> - /var and /tmp mounted nosuid and noexec

as others have probably written, this won't do much. first, noexec
can be easily overridden:

  /lib/ld-linux.so.2 /tmp/trojan

and second, nosuid on /var will make a couple of programs in Debian
fail. i don't remember which.

> - grsec kernel

why not use SELinux?

> ==> is this ok, too paranoia or is there something i'm missing, and 
> could it be even more safe?

you can surely get this a lot more safe, especially against local
access.

> how about a compiler? normally, all soft on it is compiled by
> hand, but it is also "necessary" for a local exploit.

i can compile on my system and then run it on yours. you can install
a compiler if you need it.

also sprach Jochem Kossen <jkossen@xxxxxxxxx> [2004.03.15.1424 +0100]:
> How about /home? and how about nodev? (dunno if Linux has nodev)

sure it does. mounting /home and the others nodev is a good idea.

> It could be more safe definitely. How about OpenBSD? (ye ye i'm
> biased ;), but there are more security oriented solutions around)

OpenBSD, Debian, OpenBSD, Debian... guess which one I'll pick. And
that's not a hard decision.

also sprach Tobias Weisserth <tobias@xxxxxxxxxxxx> [2004.03.15.1933 +0100]:
> If you want an up to date and modern productivity distribution with a
> good security policy you mustn't use Debian but an alternative like
> Fedora or SuSE or maybe Mandrake.

You may just as well use Debian and stay up to date with the
security problems.

> I know this will raise flames en masse from Debian fans. But it's
> a sour truth that Debian woody is hopefully outdated and as long
> as the Debian security team doesn't support the other releases
> it's no option at all to use these other releases in productive
> environments.

Productive environments are one of two kinds: servers and
workstations.

What's missing from Woody for a server?

And concerning workstations: your security better shield a security
problem on a workstation.

> /tmp should always be mounted noexec. Add /home as well with noexec. Why
> should users be able to install or run programs from within their home
> directories anyway? Administered systems supply everything users need,
> so there's no need to give them this freedom. This may be a trade-off,
> but the result is more security.

whatever. read above.

> You have missed the most important thing: file integrity checking. Take
> a look at Tripwire or AIDE.

good point!

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
 
invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
 
kill ugly radio
                                                        -- frank zappa
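As an added illustration of the nodev/nosuid/noexec discussion in this thread (example script, not code from the original mail or from any of its participants): a small POSIX sh audit that reads /proc/mounts-style lines and reports which of the recommended options are missing on /tmp, /var and /home. The mount table below is constructed; the function names and the option policy are assumptions for the example. As the reply above notes, a passing check only shows the flags are set, not that noexec is an effective boundary.

```shell
#!/bin/sh
# Constructed /proc/mounts-style data (not from a real host):
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda2 /tmp ext3 rw,nosuid,nodev,noexec 0 0
/dev/sda3 /var ext3 rw,nodev 0 0
/dev/sda4 /home ext3 rw,nodev,nosuid 0 0'

# has_opt "<comma-separated options>" "<option>": 0 if the option is present.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# missing_opts "<mountpoint>" "<wanted opts>" "<mounts text>"
# Prints the wanted options absent from that mountpoint (space separated,
# empty if all present). Returns 1 if the mountpoint is not a separate mount,
# since options cannot be enforced on a directory that lives on /.
missing_opts() {
    mp="$1"; wanted="$2"; mounts="$3"
    opts=$(printf '%s\n' "$mounts" | awk -v mp="$mp" '$2 == mp { print $4 }')
    [ -n "$opts" ] || return 1
    out=""
    for o in $wanted; do
        has_opt "$opts" "$o" || out="$out $o"
    done
    printf '%s\n' "${out# }"
}

# audit_mounts "<mounts text>": policy from the thread (/tmp fully locked
# down; /var and /home at least nodev and nosuid). Returns 1 on any gap.
audit_mounts() {
    rc=0
    for entry in "/tmp:nodev nosuid noexec" "/var:nodev nosuid" "/home:nodev nosuid"; do
        mp=${entry%%:*}; want=${entry#*:}
        if miss=$(missing_opts "$mp" "$want" "$1"); then
            [ -z "$miss" ] && echo "$mp: ok" || { echo "$mp: missing $miss"; rc=1; }
        else
            echo "$mp: not a separate filesystem"; rc=1
        fi
    done
    return $rc
}

# Real use: audit_mounts "$(cat /proc/mounts)"
audit_mounts "$SAMPLE_MOUNTS"
```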
