Re: Certifying a RedHat Install

From: Alan Hicks (alan_at_lizella.net)
Date: 07/14/04

    Date: Wed, 14 Jul 2004 16:12:50 -0400
    To: focus-linux@securityfocus.com
    
    


    On Jul 14, 2004, at 1:37 PM, abe wrote:
    > My client wants me to certify there are no back doors in the RedHat 9
    > server we are going to deliver. It's a base RH9 install with a few
    > extra RPMs, like Guarddog.

    Well you can't be absolutely certain that there aren't any backdoors in
    the software (call them vulnerabilities instead of back doors. The
    first is unintentional), but there are some things you can do, starting
    with not using RedHat 9. I'm not going to get into a distro flame war
    here, but RedHat 9 is kinda old now, and Fedora Core 1 and 2 aren't
    exactly something I would feel comfortable deploying as a server (too
    bleeding edge). As for minimizing the chance of a back door being
    present on the system, I would recommend culling any software you don't
    use, right down to the libraries. From what I know of RedHat, this is
    easier said than done, for you'll soon wind up in dependency hell.

    Personally, I would install a very trimmed down Slackware. Version
    10.0 was just recently released and I don't know of any vulnerabilities
    that have been found for the software versions included in it yet. Also,
    the smaller an installation, the less chance that you'll be cracked.
    Imagine a cracker gaining some control over a service your server is
    running (let's say Apache), but with only user privileges (exploit
    doesn't allow for privilege escalation). If there's a flaw in some
    userland utility you don't use, it could possibly be used for such
    privilege escalation. At least that's my reasoning behind that.

    > Question is what's the best way for us to certify this?
    > * rpm -Va ?
    > * A global md5 on each file?

    All that will do is verify that the software that is installed as an
    RPM is identical to what was originally shipped by RedHat. Personally I
    think that's way too much work.

    > Also, what's the best way to minimize liability if they are hacked?

    A disclaimer that they read over and sign.

    --

    It is better to hear the rebuke of the wise,
    Than for a man to hear the song of fools.
    Ecclesiastes 7:5
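Added example, not part of the message above: a small triage of `rpm -Va` output, showing what the package verification discussed in the thread actually reports. The sample lines, paths and bucket names are constructed for illustration.

```python
import re

# One `rpm -V` line: 8 result flags (rpm of the RH9 era) or 9 (later rpm adds
# "P"), an optional file marker (c=config, d=doc, g=ghost, l=license,
# r=readme), then the path. A file that is gone is reported as "missing".
LINE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+(?:(?P<kind>[cdglr])\s+)?(?P<path>/.*)$"
)

# Constructed sample output, not taken from a real host.
SAMPLE = """\
S.5....T c /etc/ssh/sshd_config
.......T d /usr/share/doc/example/README
SM5....T   /bin/login
..5.....   /usr/sbin/sshd
missing    /usr/bin/passwd
.....UG.   /var/spool/mail
"""


def triage(output):
    """Sort `rpm -Va` lines into buckets by how much attention they need."""
    buckets = {"investigate": [], "review": [], "config": [],
               "noise": [], "unparsed": []}
    for line in output.splitlines():
        if not line.strip():
            continue
        m = LINE.match(line)
        if not m:
            buckets["unparsed"].append(line)      # never drop a line silently
            continue
        flags, kind, path = m.group("flags", "kind", "path")
        if kind == "c":
            buckets["config"].append(path)        # edited configs are normal; diff by hand
        elif flags == "missing" or set(flags) & set("5S?"):
            buckets["investigate"].append(path)   # content changed, unreadable, or gone
        elif set(flags) & set("MUGDL"):
            buckets["review"].append(path)        # mode, owner, group, device or link differs
        else:
            buckets["noise"].append(path)         # e.g. only the mtime (T) differs
    return buckets


if __name__ == "__main__":
    for name, paths in triage(SAMPLE).items():
        print(f"{name:12} {paths}")
```

The check compares files against the local RPM database, so files not owned by any package never appear in this output, and a clean result says nothing about flaws in the software as shipped.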

