Firewall Wizards mailing list archives

RE: Custom Unix server installations -- to harden extensively ?


From: "Keith A. Glass" <salgak () speakeasy net>
Date: Tue, 13 May 2003 22:01:14 -0400

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com]On Behalf Of Julian
Gomez
Sent: Tuesday, May 13, 2003 10:21 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Custom Unix server installations -- to harden
extensively ?


Hi,

What is the relative opinion of hardening general purpose Unix servers
(general == mail, web, db hosts). Obviously, wherever possible, I'd like to
get most of the unwanted packages stripped and removed; but very frequently
-- this is extremely time-consuming and is a lot of documentation work
(which btw, no one ever bothers to read).

Alas, this usually conflicts in the future when there is a need for
additional software to be implemented, the whole compiling + installation
steps, but the relevant packages have been removed as per the hardening
work done in the above paragraph.

So, what do most of you all do :

      a) Leave the possibly-relevant future packages, intact on the
         system, and just perform permission tweaks ?

Actually (in Solaris), I comment out most of /etc/inet.d, and disable
most rc2 and rc3 scripts. . .

      b) Remove the packages, and when the need arises, reinstall the
         packages -- I have to note here that a lot of cross-dependencies
         make this hell. At least on RH, if there is opinion on different
         distributions which make this somewhat painless, closest thing
         which might be relevant, I think is FBSD's ports system (though
         I haven't used it myself) ?

We're starting to talk about playing with saferm

http://www.cert.org/security-improvement/implementations/i027.02.html#saferm


      c) Leave the server, it's screwed anyway because local users have
         access :-)

Well, not the FIREWALLS. . .

