Firewall Wizards mailing list archives

Re: Hardening, (was Re: chroot useful?)


From: "Jim Raykowski" <jimrski () cts com>
Date: Thu, 21 Nov 1996 01:20:50 -0800

Hello,
  What are some of the binaries you deleted from your systems?  The reason I
ask is that I am trying to make a linux 3.30 with kernel 2.0.30 more secure
than out of the box/net.  I installed a minimal system with just the things
needed to boot, then re-compiled the kernel for my system, then added
networking and that was it.  I then re-compiled the kernel again to add the
networking hardware, then un-installed the compiler and its things, then
un-installed the kernel sources.
  I then added another disk to the system and put the GNU compiler and
kernel sources over there as best I could figure.  Then I unzipped TIS FWTK
2.0 and went to town setting it up.  After it was installed I unmounted the
disk with the compilers and various source code on it and re-booted the
system.
  I think it is secure, and it seems secure after testing it with tools from
the net to try and penetrate the system (that leads to a lot more questions
itself).  However, is there a list of programs that come with systems
that should be deleted?

Jim Raykowski
jimrski () cts com
raykowsj () nosc mil

-----Original Message-----
From: Marcus J. Ranum <mjr () nfr net>
To: firewall-wizards () nfr net <firewall-wizards () nfr net>
Date: Thursday, November 20, 1997 4:25 PM
Subject: Hardening, (was Re: chroot useful?)


Rick Murphy writes:
I only know the details of a couple of firewall products well enough to
say that the "hardened OS" really isn't -

I share Rick's experience. "Hardening" the O/S usually means
something like:
- we deleted some of the obvious binaries someone might use
- we shut down a bunch of run-time servers from inetd.conf
- we shut down a bunch of stuff from /etc/rc.boot
- we may have done a few kernel hacks like the ones I talk
about, but probably not
- we added something like tripwire

There was one vendor that used to sell a "hardened" firewall
on a specially secured UNIX O/S -- basically it was a bait and
switch: they had done a lot of work for a long time on NSA
funded secure O/S' but the firewall was BSD with a few bits
of the secure O/S technology stapled onto the side in a paper
bag.

Back when I worked for a vendor that sold workstations running a
BSD-derived version of UNIX, the sales droids would often tell
customers things like "It's BSD-based, but we fixed all the bugs."
I actually heard one sales droid from one firewall vendor claim that
"It runs on FreeBSD/Linux/BSDI/you guess, but we fixed all the
bugs." Maybe that's what they mean when they say "hardened"  :)

I'm not convinced that hardening the O/S is worthwhile. If you are
going to go that far, just do away with the O/S entirely and replace
it with a simple program loader and bootstrap. DOS, for example.
When Network-1 came out with a DOS-based firewall years ago
a lot of folks gave them a hard time. I thought it was terrific design
because you know it's either going to work, or lock up solid. It's
all really a kind of nitpick point anyhow, since the most likely failure
mode for the firewall is going to be user configuration errors
or the incoming traffic problem.

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
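As an added example (not code from this thread, nor from TIS FWTK, tripwire or any product mentioned), here is a small POSIX sh audit script covering two items on Marcus's list: commenting out everything in inetd.conf that is not explicitly allowed, and keeping a tripwire-style checksum baseline that reports changed, added or deleted files. It also lists setuid binaries, which is a reasonable first cut at Jim's question of which programs to look at. The inetd.conf text is constructed for the demo and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original thread. The inetd.conf below is a
# constructed sample, not a real system file.

SAMPLE_INETD='# <service> <socket> <proto> <flags> <user> <server> <args>
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd'

# list_enabled_services CONFIG_TEXT
#   prints the service name of every line that is not commented out.
list_enabled_services() {
    printf '%s\n' "$1" | awk '!/^[[:space:]]*#/ && NF > 0 { print $1 }'
}

# disable_all_but CONFIG_TEXT ALLOWLIST
#   emits a copy of the config with every service commented out except the
#   comma-separated names in ALLOWLIST, i.e. a default-deny inetd.conf.
disable_all_but() {
    printf '%s\n' "$1" | awk -v keep="$2" '
        BEGIN { n = split(keep, k, ","); for (i = 1; i <= n; i++) allow[k[i]] = 1 }
        /^[[:space:]]*#/ || NF == 0 { print; next }
        ($1 in allow)               { print; next }
                                    { print "#" $0 }'
}

# make_baseline DIR
#   prints "crc size path" for every regular file under DIR (cksum is POSIX);
#   this is the kind of baseline tripwire stores and later compares against.
make_baseline() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        cksum "$f"
    done
}

# changed_files OLD_BASELINE NEW_BASELINE
#   prints the path of every file whose crc or size differs between the two
#   baselines, plus files present in only one of them (added or deleted).
#   Paths containing spaces are not handled; fine for /bin, /sbin and friends.
changed_files() {
    { printf '%s\n' "$1"; printf '%s\n' "$2"; } | awk '
        NF == 3 {
            sig = $1 " " $2
            if (++seen[$3] == 1) first[$3] = sig
            else if (first[$3] != sig) changed[$3] = 1
        }
        END { for (p in seen) if (seen[p] == 1 || changed[p]) print p }' | LC_ALL=C sort
}

# list_setuid DIR
#   prints every setuid file under DIR. On a firewall host this list should be
#   short and every entry justified; the rest are candidates for chmod u-s or removal.
list_setuid() {
    find "$1" -type f -perm -4000 | LC_ALL=C sort
}

# Run directly: show what the sample config exposes and a default-deny rewrite.
echo "enabled in sample inetd.conf:"; list_enabled_services "$SAMPLE_INETD"
echo "after disable_all_but ftp:";    disable_all_but "$SAMPLE_INETD" ftp
```

The baseline only detects anything if the intruder cannot rewrite it, so keep it where Jim keeps his compiler: on a disk that is unmounted (or read-only) while the firewall is in service, and compare from a known-good boot.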