RE: [fw-wiz] Securing a Linux Firewall

From: Roger Marquis (marquis@roble.com)
Date: 07/23/02


From: Roger Marquis <marquis@roble.com>
To: firewall-wizards@honor.icsalabs.com
Date: Tue Jul 23 19:54:01 2002


> I've had to maintain "jumpstart"-like images for secure servers.
> Maintaining a "known-good" list for privileged binaries is relatively
> straightforward. Maintaining a "known-good" list of _all_ binaries is a
> nightmare. I further assert that maintaining a "known-bad" list is a lost
> cause.

I agree. It's really a matter of cost vs. benefit. If you kept
track of all the binaries that a Unix server doesn't need you
wouldn't have time to read firewall-wizards much less securityfocus,
CERT, and all the other information sources required to keep current.

Deleting unused binaries on non-shell servers has a negligible
effect on the risk. De-suid sure, delete known-vulnerable binaries
sure, but much beyond that is a waste of time.

It's already hard enough to secure Unix much less Linux or Windows.
My cheat sheet is already over 850 lines long (some of which can
be found at <http://www.roble.com/docs/secure_solaris.html>).
These are all substantive hardening measures. Adding marginal
stuff like 'rm /bin/rcp' would only skew the signal to noise ratio
in the wrong direction.

IMHO

-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/
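
The "known-good list for privileged binaries" both posters consider practical, as an added example that is not from this thread or from Roger's cheat sheet: a baseline of every setuid/setgid file (hash, mode, owner) and an audit that flags what appeared, what was de-suid'ed and what changed. It assumes POSIX sh, find, awk, ls and sha256sum (falling back to shasum -a 256).

```shell
#!/bin/sh
# Baseline-and-audit for privileged (setuid/setgid) binaries: snapshot what is
# privileged now, then flag anything that appears, disappears or changes.
# Added example, not code from the thread. Assumes POSIX sh, find, awk, ls,
# and sha256sum (falls back to shasum -a 256).

# Hex SHA-256 of one file.
hash_file() {
    { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; } | awk '{print $1}'
}

# One line per setuid/setgid regular file under the given roots:
#   <sha256> <mode> <owner> <path>   (path is last, so it may contain spaces)
list_privileged() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort |
    while IFS= read -r f; do
        printf '%s %s %s\n' "$(hash_file "$f")" "$(ls -ld "$f" | awk '{print $1, $3}')" "$f"
    done
}

# Write the known-good list for the given roots to $1.
save_baseline() {
    out=$1; shift
    list_privileged "$@" > "$out"
}

# Compare the live system against baseline $1. Prints NEW:/REMOVED:/CHANGED:
# lines and returns 1 on any drift, 0 when the host matches the baseline.
audit_privileged() {
    base=$1; shift
    list_privileged "$@" | awk -v base="$base" '
        function path(s)  { match(s, /^[^ ]+ [^ ]+ [^ ]+ /); return substr(s, RLENGTH + 1) }
        function attrs(s) { match(s, /^[^ ]+ [^ ]+ [^ ]+ /); return substr(s, 1, RLENGTH - 1) }
        BEGIN { while ((getline line < base) > 0) known[path(line)] = attrs(line) }
        {
            p = path($0)
            if (!(p in known)) { print "NEW: " $0; drift++ }
            else {
                if (known[p] != attrs($0)) { print "CHANGED: " $0; drift++ }
                delete known[p]
            }
        }
        END { for (p in known) { print "REMOVED: " known[p] " " p; drift++ }; exit drift ? 1 : 0 }'
}
```

Run `save_baseline /var/lib/priv.baseline / ` once on a freshly built host and `audit_privileged /var/lib/priv.baseline /` from cron; a non-zero exit is the signal worth paging on, which keeps the list small and the noise down.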

