Re: secure install

To: Raphael Bauduin <rb@tiscali.be>
Cc: debian-security@lists.debian.org
Subject: Re: secure install
From: Bradley M Alexander <storm@tux.org>
Date: Thu, 15 Feb 2001 12:53:42 -0500
Message-id: <20010215125342.B913@orinoko>
In-reply-to: <3A8BE8DF.79654342@tiscali.be>; from rb@tiscali.be on Thu, Feb 15, 2001 at 03:34:07PM +0100
References: <20010211030436.A3627@overdue.dhis.net> <3A8BE8DF.79654342@tiscali.be>

On Thu, Feb 15, 2001 at 03:34:07PM +0100, Raphael Bauduin wrote:
> Hi,
> 
> I'm looking for a way to install a debian potato as securely as
> possible. I would follow this procedure in the future to install a lot
> of servers. The problem I have is that a lot of unwanted packages get
> installed by default (telnetd, exim, at, bc, fingerd, gpm, lpr, mtools,
> mutt, nfs-server, talkd, ....), and having to deinstall them manually
> each time is not very secure as one could forget a package anytime. It
> is also time consuming.

I am working on a web page to step through this, but in essence, I do a
base install, and after the reboot, I step through the install to the point
where I enter dselect, then choose 6 to exit.

One of the best features of dpkg is that you can do dpkg --get-selections
and dpkg --set-selections combined with an apt-get dselect-upgrade. I have
found that there are a finite number of base configurations, mailserver,
firewall, etc. I am working on my perspective of a package list for several
of these installs.

In any case, I sneaker-net the package list over to the box being built,
then do

dpkg --set-selections
apt-get dselect-upgrade

The system builds with the custom tailored package list. You can then
select the few specific packages that are host-specific as needed. 

This has the effect of giving you a custom-tailored list of what gets
installed and also simplifies backups. If you are careful about division of
your partitions, you can simply tar up the non-standard or unique
partitions (e.g. /home, /usr/local, /opt, etc.) and dpkg --get-selections
and redirect a file and you can regenerate a machine fairly quickly.

cfengine could also be an option in your situation too.

-- 
--Brad
============================================================================
Bradley M. Alexander, CISSP              |   Co-Chairman,
Beowulf System Admin/Security Specialist |    NoVALUG/DCLUG Security SIG
Winstar Telecom                          |   balexander@winstar.com
(703) 889-1049                           |   storm@tux.org
============================================================================
If you don't know your rights, you don't have any.

Reply to:

References:
- Food for thought - SECURITY (design flaw?)
  - From: Lazarus Long <lazarus@overdue.dhis.net>
- secure install
  - From: Raphael Bauduin <rb@tiscali.be>

Prev by Date: Re: secure install
Next by Date: Re: secure install
Previous by thread: Re: secure install
Next by thread: How to use apt to install security updates ?
Index(es):
- Date
- Thread