[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: OS Hardening

On Tue, Dec 12, 2000 at 08:41:30PM -0500, S.Salman Ahmed wrote:
> >>>>> "AS" == Andres Salomon <dilinger@mp3revolution.net> writes:
>     AS>  Oh, I totally agree; this would have to be on a per-package
>     AS> basis, however.  Hence, it would rely on each maintainers
>     AS> willingness to do so.  For example, a chrooted bind (running as
>     AS> user nobody or something) would be nice, but the bind maintainer
>     AS> has refused (at least until bind 9.1 is released.. see bug
>     AS> #50013).  A debconf option would be ideal here; the trick is to
>     AS> convince the maintainer to add it.
>     AS> 
> I was thinking more along the lines of install time profiles. Something
> along the lines of how Manrake supposedly does it (never tried it,
> probably should one of these days) where the user is given the choice of
> selecting a security profile from a predefined set.
> If it was done on a per-package basis, that would be nice too.

The problem with this is that, generally speaking, there are as many
configurations as there are sysadmins or users out there. You would run the
risk of bogging down in the mire of details and asking questions that the
user really has no clue about. In this case, as a security person, the idea
of "profiles" in lieu of actual knowledge or familiarity is a dangerous

If I understand, you are thinking about, for instance, a "workstation"
profile that would set certain parameters, and a "fileserver" profile that
would set them differently, and a "firewall" and so forth. The problem
you run into here is that, for insance, most people leave ftp and telnet
open so they can get around. Personally I turn them off and rely on secure
shell on my network at home. So do you go for the lower security and leave
these on, or do you close down security and open yourself to the "why can't
I telnet into the box?" type of question and frustration? Another good case
is servers. On my home network, I have a firewall, a DHCP server, a mail
server, and a DNS server. Each requires different ports etc to be
open/enabled. Are you going to have a mailerver profile? A DNS profile? A
DHCP profile? Are they going to be mutually exclusive?

Unfortunately, security times usability tend to be a constant, and profiles
are a good way to promote a false sense of security...Not to mention a
nightmare to set up and maintain. It is much better for a user to go to
Barnes and Noble or read online and get familiar with security. These are
decisions that should be made with some forthought, not trusted to an
arbitrary profile.

Now some distributions other than Debian *need* something like Bastille,
which is an aftermarket product that spends a good percentage of its cycles
cleaning up mistakes coming out of the factory. The reason Debian doesn't
need a script like this because forethought and coordination and attention
to detail do their best to eliminate these very problems prior to release.

Just my $0.02.
Bradley M. Alexander, CISSP              |   Co-Chairman,
Beowulf System Admin/Security Specialist |    NoVALUG/DCLUG Security SIG
Winstar Telecom                          |   balexander@winstar.com
(703) 889-1049                           |   storm@tux.org
A 'good' landing is one from which you can walk away. A 'great'
landing is one after which they can use the plane again.
					--Rules of the Air, #8

Attachment: pgpw3CPHv_ChN.pgp
Description: PGP signature

Reply to: