Re: Secure Kickstart Installation

From: Jon Hart (warchild_at_spoofed.org)
Date: 05/26/05

    Date: Thu, 26 May 2005 16:51:32 -0400
    To: Mathieu KRETCHNER <m.kretchner@siig.u-bordeaux.fr>
    
    

    On Wed, May 25, 2005 at 10:02:52AM +0200, Mathieu KRETCHNER wrote:
    > Hi,
    >
    > Me and my team have installed approximately all the packages. But we
    > have chosen to configure only services that we need. So we can add
    > services without new installation!
    > For my own it's a political choice.

    That will certainly work. But, I wouldn't advocate installing all of
    the base/available services and just not enabling them. Sure, you
    aren't running those services, but you still have all the files provided
    with that package installed. This can make securing the system against
    local attackers quite a bit more difficult.

    The most common example I can think of is setuid/setgid files. Do you
    really want unused setuid/setgid files lying around?

    Potentially worse yet... You install service foobar at initial install
    time but don't enable it. 6 months down the road you find a need for
    foobar and fire it up. You are suddenly at risk of running
    a 6-month-old foobar, which may or may not be a problem depending on
    your security policies (i.e., how often you update).

    Take your pick: security or convenience. Or try to find a happy medium.

    My $0.02,

    -jon
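
An added example, not part of the original message: a POSIX shell audit for the setuid/setgid point above, listing each setuid/setgid file with the RPM package that owns it so unneeded packages can be dropped from the kickstart `%packages` list. The function names `owner_of`, `suid_audit` and `suid_by_package` are illustrative; the script assumes an RPM-based host and reports `(rpm-unavailable)` elsewhere.

```shell
#!/bin/sh
# Added example: list setuid/setgid files with the RPM package owning each.

# owner_of FILE: print the owning package name, "(unowned)" when no package
# claims the file, or "(rpm-unavailable)" on hosts without rpm.
owner_of() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "(rpm-unavailable)"
        return 0
    fi
    pkg=$(rpm -qf --queryformat '%{NAME}\n' "$1" 2>/dev/null) || pkg="(unowned)"
    # A file may be claimed by several packages; report the first.
    printf '%s\n' "$pkg" | head -n 1
}

# suid_audit ROOT: print "MODE<TAB>PACKAGE<TAB>PATH" for every regular file
# under ROOT that has the setuid or setgid bit set (one filesystem only).
suid_audit() {
    root=${1:-/}
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        mode=$(ls -ld "$f" | awk '{print $1}')
        printf '%s\t%s\t%s\n' "$mode" "$(owner_of "$f")" "$f"
    done
}

# suid_by_package ROOT: number of setuid/setgid files per owning package,
# largest first, for review against the kickstart %packages list.
suid_by_package() {
    suid_audit "$1" | cut -f2 | sort | uniq -c | sort -rn
}

# Run only when a directory is given, e.g.: sh suid-audit.sh /
if [ "$#" -gt 0 ]; then
    suid_by_package "$1"
fi
```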

