RE: [fw-wiz] Securing a Linux Firewall

From: Roger Marquis (marquis@roble.com)
Date: 07/23/02


From: Roger Marquis <marquis@roble.com>
To: firewall-wizards@honor.icsalabs.com
Date: Tue Jul 23 19:54:01 2002


> I've had to maintain "jumpstart"-like images for secure servers.
> Maintaining a "known-good" list for privileged binaries is relatively
> straightforward. Maintaining a "known-good" list of _all_ binaries is a
> nightmare. I further assert that maintaining a "known-bad" list is a lost
> cause.

I agree. It's really a matter of cost vs. benefit. If you kept
track of all the binaries that a Unix server doesn't need you
wouldn't have time to read firewall-wizards much less securityfocus,
CERT, and all the other information sources required to keep current.

Deleting unused binaries on non-shell servers has a negligible
effect on the risk. De-suid sure, delete known-vulnerable binaries
sure, but much beyond that is a waste of time.

It's already hard enough to secure Unix much less Linux or Windows.
My cheat sheet is already over 850 lines long (some of which can
be found at <http://www.roble.com/docs/secure_solaris.html>).
These are all substantive hardening measures. Adding marginal
stuff like 'rm /bin/rcp' would only skew the signal to noise ratio
in the wrong direction.

IMHO

-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/