Re: [fw-wiz] Custom Unix server installations -- to harden extensively ?
From: Carson Gaspar (carson_at_taltos.org)
Date: 05/14/03
- Previous message: Erick Mechler: "Re: [fw-wiz] FW-1 NG management interface on Linux"
- In reply to: Julian Gomez: "[fw-wiz] Custom Unix server installations -- to harden extensively ?"
- Next in thread: Devdas Bhagat: "Re: [fw-wiz] Custom Unix server installations -- to harden extensively ?"
- Reply: Devdas Bhagat: "Re: [fw-wiz] Custom Unix server installations -- to harden extensively ?"
- Reply: Marcus J. Ranum: "Re: [fw-wiz] Custom Unix server installations -- to harden extensively ?"
- Reply: Matthew Kirkwood: "Re: [fw-wiz] Custom Unix server installations -- to harden extensively ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: firewall-wizards@honor.icsalabs.com
Date: Wed, 14 May 2003 14:12:16 -0400
--On Tuesday, May 13, 2003 22:21:04 +0800 Julian Gomez <kluivert@tm.net.my>
wrote:
> Hi,
>
> What is the relative opinion of hardening general purpose Unix servers
> (general == mail, web, db hosts). Obviously, wherever possible, I'd like
> to get most of the unwanted packages stripped and removed; but very
> frequently -- this is extremely time consuming and is a lot of
> documentation work (which btw, no one ever bothers to read).
>
> Alas, this usually conflicts in the future when there is a need for
> additional software to be implemented, the whole compiling + installation
> steps, but the relevant packages have been removed as per the hardening
> work done in the above paragraph.
>
> So, what do most of you all do:
>
> a) Leave the possibly-relevant future packages, intact on the
> system, and just perform permission tweaks?
I seem to be in the minority here, but I firmly believe that the costs of
maintaining a stripped down build exceed the security gains achieved by
removing binaries. Once you have:
- removed setuid permissions
- removed setgid permissions
- removed world writeable files/directories
- removed group writeable files/directories
- ensured all files are owned by root
- ensured that only the required software is started at boot time
An attacker is left with no method for privilege escalation. Removing
binaries only stops script kiddies - anyone who has access to run processes
on your box can install anything they want (assuming they can create
executable files).
Of course, some application software requires exception to the above, and
some OS functions do as well (such as the pt_chown binary on Solaris to
implement the grantpt() function).
-- Carson
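One way to verify the checklist above on a real tree, as an added shell example that is not part of Carson's post: it walks a directory with `find -perm -MODE` (all listed bits set), prints one line per finding so the output can be diffed against a baseline after each install, and builds its own constructed sample tree so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original post: audit a directory tree against the
# checklist (setuid, setgid, world-writable, group-writable, non-root owner).
# Each finding is printed as "<class> <path>" so the output can be diffed
# against a known-good baseline after every install or patch.

audit_tree() {
    dir=$1
    # -perm -MODE matches when all bits in MODE are set:
    # setuid=4000, setgid=2000, other-write=0002, group-write=0020.
    find "$dir" -type f -perm -4000 | sed 's/^/setuid /'
    find "$dir" -type f -perm -2000 | sed 's/^/setgid /'
    find "$dir" \( -type f -o -type d \) -perm -0002 | sed 's/^/world-writable /'
    find "$dir" \( -type f -o -type d \) -perm -0020 | sed 's/^/group-writable /'
    # Anything not owned by root can be replaced by whoever owns it, so it
    # needs a documented reason to exist.
    find "$dir" ! -user root | sed 's/^/non-root-owner /'
}

# Count findings of one class, e.g.: count_class /usr setuid
count_class() {
    audit_tree "$1" | awk -v c="$2" '$1 == c { n++ } END { print n + 0 }'
}

# Constructed sample tree (not a real system) that trips each check once.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/etc" "$root/tmp"
    : > "$root/bin/ok";      chmod 0755 "$root/bin/ok"       # clean
    : > "$root/bin/su_like"; chmod 4755 "$root/bin/su_like"  # setuid
    : > "$root/bin/sg_like"; chmod 2755 "$root/bin/sg_like"  # setgid
    : > "$root/etc/shared";  chmod 0664 "$root/etc/shared"   # group-writable
    chmod 1777 "$root/tmp"                                   # world- and group-writable
    printf '%s\n' "$root"
}

# Stand-alone demo: one setuid, one setgid, one world-writable, two group-writable.
sample=$(make_sample_tree)
audit_tree "$sample"
rm -rf "$sample"
```

On a live host, point `audit_tree` at `/` and keep the sorted output under version control; a new setuid file or writable directory then shows up as a diff rather than going unnoticed.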