Re: Secure Kickstart Installation

From: Jon Hart (warchild_at_spoofed.org)
Date: 05/26/05

    Date: Thu, 26 May 2005 16:51:32 -0400
    To: Mathieu KRETCHNER <m.kretchner@siig.u-bordeaux.fr>
    
    

    On Wed, May 25, 2005 at 10:02:52AM +0200, Mathieu KRETCHNER wrote:
    > Hi,
    >
    > Me and my team have installed approximately all the packages. But we
    > have chosen to configure only services that we need. So we can add
    > services without new installation!
    > For my own it's a political choice.

    That will certainly work. But, I wouldn't advocate installing all of
    the base/available services and just not enabling them. Sure, you
    aren't running those services, but you still have all the files provided
    with that package installed. This can make securing the system against
    local attackers quite a bit more difficult.

    The most common example I can think of is setuid/setgid files. Do you
    really want unused setuid/setgid files lying around?

    Potentially worse yet... You install service foobar at initial install
    time but don't enable it. 6 months down the road you find a need for
    foobar and fire it up. You are suddenly at risk of running
    a 6-month-old foobar, which may or may not be a problem depending on
    your security policies (i.e., how often you update).

    Take your pick: security or convenience. Or try to find a happy medium.

    My $0.02,

    -jon
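
As an added example (not part of the original message), the setuid/setgid concern raised above can be checked on an installed system by listing every such file next to the package that owns it. The function names are hypothetical, and an RPM-based system is assumed since the thread is about Kickstart; where `rpm` is missing or no package owns a file, the owner is reported as `unowned`.

```shell
#!/bin/sh
# Added example: inventory setuid/setgid files and attribute each one to its
# owning package, so files from installed-but-unused packages stand out.

# owner_of FILE: print the owning RPM package name, or "unowned" when rpm is
# not available or no package claims the file.
owner_of() {
    if command -v rpm >/dev/null 2>&1 &&
       pkg=$(rpm -qf --queryformat '%{NAME}\n' "$1" 2>/dev/null); then
        printf '%s\n' "$pkg" | head -n 1
    else
        echo "unowned"
    fi
}

# audit_suid [DIR]: print "package<TAB>path" for every regular file under DIR
# (default /) that has the setuid (4000) or setgid (2000) bit set.
audit_suid() {
    root=${1:-/}
    # -xdev keeps the scan on one filesystem; unreadable directories are skipped
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        printf '%s\t%s\n' "$(owner_of "$f")" "$f"
    done | sort
}

# count_by_package [DIR]: number of setuid/setgid files per owning package.
# Packages listed here that provide no service you actually run are the
# candidates to drop from the Kickstart %packages list.
count_by_package() {
    audit_suid "${1:-/}" | cut -f1 | uniq -c
}

# Run only when a directory is given, e.g.:  sh suid_audit.sh /usr
if [ "$#" -gt 0 ]; then
    count_by_package "$1"
    audit_suid "$1"
fi
```
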

