Firewall Wizards mailing list archives
RE: Custom Unix server installations -- to harden extensively ?
From: "Keith A. Glass" <salgak () speakeasy net>
Date: Tue, 13 May 2003 22:01:14 -0400
-----Original Message----- From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com]On Behalf Of Julian Gomez Sent: Tuesday, May 13, 2003 10:21 AM To: firewall-wizards () honor icsalabs com Subject: [fw-wiz] Custom Unix server installations -- to harden extensively ?
Hi,
What is the relative opinion of hardening general purpose Unix servers (general == mail, web, db hosts). Obviously, wherever possible, I'd like to get most of the unwanted packages stripped and removed; but very frequently -- this is extremely time consuming and is alot of documentation work (which btw, no one ever bothers to read).
Alas, this usually conflicts in the future when there is a need for additional software to be implemented, the whole compiling + installation steps, but the relevant packages have been removed as per the hardening work done in the above paragraph.
So, what do most of you all do :
a) Leave the possibly-relevant future packages, intact on the system, and just perform permission tweaks ?
Actually (in Solaris), I comment out most of /etc/inet.d, and disable most rc2 and rc3 scripts. . .
b) Remove the packages, and when the need arises, reinstall the packages -- I have to note here that alot of cross-dependencies make this hell. At least on RH, if there is opinion on different distributions which make this somewhat painless, closest thing which might be relevant, I think is FBSD's ports system (though I haven't used it myself) ?
We're starting to talk about playing with saferm http://www.cert.org/security-improvement/implementations/i027.02.html#saferm
c) Leave the server, its screwed anyway because local users have access :-)
Well, not the FIREWALLS. . . _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Custom Unix server installations -- to harden extensively ? Julian Gomez (May 13)
- Re: Custom Unix server installations -- to harden extensively ? Paul Robertson (May 13)
- Re: Custom Unix server installations -- to harden extensively ? John Adams (May 13)
- Re: Custom Unix server installations -- to harden extensively ? Julian Gomez (May 15)
- RE: Custom Unix server installations -- to harden extensively ? Keith A. Glass (May 14)
- RE: Custom Unix server installations -- to harden extensively ? Ben Nagy (May 14)
- Re: Custom Unix server installations -- to harden extensively ? Carson Gaspar (May 14)
- Re: Custom Unix server installations -- to harden extensively ? Devdas Bhagat (May 15)
- Re: Custom Unix server installations -- to harden extensively ? Bill Royds (May 16)
- Re: Custom Unix server installations -- to harden extensively ? Marcus J. Ranum (May 15)
- Re: Custom Unix server installations -- to harden extensively ? Matthew Kirkwood (May 16)
- Re: Custom Unix server installations -- to harden extensively ? Devdas Bhagat (May 15)
- Re: Custom Unix server installations -- to harden extensively ? Crispin Cowan (May 14)
- Re: Custom Unix server installations -- to harden extensively ? Mason Schmitt (May 15)
- <Possible follow-ups>
- RE: Custom Unix server installations -- to harden extensively ? salgak (May 15)
- Re: Custom Unix server installations -- to harden extensively ? Barney Wolff (May 15)
(Thread continues...)