Re: Basic setup for a home RedHat 7 box

From: Steve Bremer (steveb@nebcoinc.com)
Date: 03/04/02


From: "Steve Bremer" <steveb@nebcoinc.com>
To: security-basics@securityfocus.com
Date: Mon, 4 Mar 2002 14:08:09 -0600


> Has anyone else used this article, and if so is it useful? I'm sure it
> should provide some improvement over my original installation.

I've read many of Lance's articles, and I've found them all to be very
useful/informative. I'm pretty sure I've read that one, but it's been
awhile, so I can't comment on it specifically.

> Could someone please explain exactly what it is that kernel hardeners, like
> Bastille Linux (am I right? Is it a kernel hardener?) do on the system. I've
> read into it a bit, but not in any great depth. I'll go and check out the
> bastille-linux domain you gave me.

I wouldn't call Bastille a kernel hardener per say, it's more of a
system hardening utility. It doesn't really make kernel changes (at
least the version that I tried for RH 6.2 didn't). Bastille is a good
utility to use in my opinion because it teaches you as it secures your
box. There is a good knowledge exchange there. If you use Bastille
on your system, it will tell you every little thing that it does and
explain to you why it should be done. That's the best way to learn
what it does. :-)

A kernel hardener, in my opinion, is something more along the lines
of LIDS, the OpenWall non-exec stack patch, or the GR Security
patch. These actually patch your kernel in order to provide
additional security features not found in the standard kernel. To get
a better idea, check out grsecurity.net, www.lids.org, and
www.openwall.com. However, I would recommend learning more
about basic *nix security before jumping into kernel hardeners.
Bastille is a good place to start, as are Lance's articles.

Steve Bremer