RE: [fw-wiz] Securing a Linux Firewall

From: Roger Marquis (marquis@roble.com)
Date: 07/23/02


From: Roger Marquis <marquis@roble.com>
To: firewall-wizards@honor.icsalabs.com
Date: Tue Jul 23 19:54:01 2002


> I've had to maintain "jumpstart"-like images for secure servers.
> Maintaining a "known-good" list for privileged binaries is relatively
> straightforward. Maintaining a "known-good" list of _all_ binaries is a
> nightmare. I further assert that maintaining a "known-bad" list is a lost
> cause.

I agree. It's really a matter of cost vs. benefit. If you kept
track of all the binaries that a Unix server doesn't need you
wouldn't have time to read firewall-wizards much less securityfocus,
CERT, and all the other information sources required to keep current.

Deleting unused binaries on non-shell servers has a negligible
effect on the risk. De-suid sure, delete known-vulnerable binaries
sure, but much beyond that is a waste of time.

It's already hard enough to secure Unix much less Linux or Windows.
My cheat sheet is already over 850 lines long (some of which can
be found at <http://www.roble.com/docs/secure_solaris.html>).
These are all substantive hardening measures. Adding marginal
stuff like 'rm /bin/rcp' would only skew the signal to noise ratio
in the wrong direction.

IMHO

-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/
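The thread agrees that a "known-good" list of privileged binaries is the one inventory worth keeping. The script below is an added illustration of that idea, not part of the original post or of Roger's cheat sheet: it records every setuid/setgid file as mode, SHA-256 and path, and reports any drift (a new privileged binary, a changed hash, or one that was de-suided) against that baseline. It assumes a Linux host with GNU find, stat and sha256sum; the baseline format is an assumption of this example.

```shell
#!/bin/sh
# Added example: maintain a known-good list of privileged (setuid/setgid)
# binaries and detect drift. Baseline line format (assumed here):
#   <octal mode> <sha256> <path>

# privileged_inventory ROOT
#   Print one line per setuid or setgid regular file under ROOT, sorted so
#   the output is stable and can be diffed against a saved baseline.
privileged_inventory() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print \
    | LC_ALL=C sort \
    | while IFS= read -r f; do
        mode=$(stat -c '%a' "$f")
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        printf '%s %s %s\n' "$mode" "$sum" "$f"
    done
}

# save_baseline ROOT BASELINE_FILE
#   Write the current inventory as the known-good list.
save_baseline() {
    privileged_inventory "$1" > "$2"
}

# check_against_baseline ROOT BASELINE_FILE
#   Return 0 if the live inventory matches the baseline exactly.
#   Otherwise print a unified diff (baseline vs. current) and return 1:
#   '+' lines are new or changed privileged files, '-' lines are
#   binaries that were removed, de-suided, or whose contents changed.
check_against_baseline() {
    current=$(mktemp) || return 2
    privileged_inventory "$1" > "$current"
    if diff -u "$2" "$current"; then
        rm -f "$current"
        return 0
    fi
    rm -f "$current"
    return 1
}

# Typical use (run as root so every file is readable):
#   save_baseline / /var/lib/privbins.baseline      # once, on a trusted image
#   check_against_baseline / /var/lib/privbins.baseline  # from cron; alert on non-zero
```

Because de-suiding a binary makes it drop out of the inventory, the check also flags the intentional hardening changes, so the baseline is re-saved after each deliberate change rather than after each alert.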