Re: Secure/hardened/minimal Debian (or "Why is the base system the way it is?")

To: Nicole Zimmerman <colby@wsu.edu>
Cc: Andrew Pollock <andrew@andrew.net.au>, debian-security@lists.debian.org
Subject: Re: Secure/hardened/minimal Debian (or "Why is the base system the way it is?")
From: Bradley Alexander <storm@tux.org>
Date: 19 May 2002 23:31:40 -0400
Message-id: <[🔎] 1021865500.1525.65.camel@defiant>
In-reply-to: <[🔎] Pine.OSF.4.10.10205191923240.5048-100000@unicorn.it.wsu.edu>
References: <[🔎] Pine.OSF.4.10.10205191923240.5048-100000@unicorn.it.wsu.edu>

On Sun, 2002-05-19 at 22:32, Nicole Zimmerman wrote:

I did something similar in building firewalls.
 
> What I did was:
> 
> 1. Install potato out of the "box" (we have a local mirror)

I did the same, except that I used woody. After doing a base install,
you could use apt's dependency-fixing capability to install only the
end-item packages you wish (e.g. from a base install, apt-get install
iptables).

> 2. Thin potato out (remove unnecessary packages, compilers, etc)
> 3. Make a custom 2.4 kernel with NO loadable modules (because we know the
> hardware, we can do this) and with iptables

I build a custom kernel as well.

> 4. Install back-compiled packages for SSH, postgres, anything else (system
> requirements, plus SSH2 security advantages)
> 5. Switch partitions over to ext3 (if I ship the box and the box goes down
> and fails an fsck, we either give them root or send a tech, expensive
> either way)
> 6. Configure some of the packages to be "more" secure (e.g.
> exim configuration)
> 7. Configure an iptables firewall to further restrict access to
> illegitamite ports (anything but 80 and our 3 proprietary ports)
> (8: Install our software, test, etc)

The other thing I do is to maintain a package list of machines I build.
It for instance, I have selection of workstation packagelists, laptop,
mailserver, firewall and the like. In essence, I do a

dpkg --get-selections > packagelist

This gives me the option of doing a base install, then doing 

dpkg --set-selections < packagelist
apt-get dselect-upgrade

in lieu of FAI. Putting the packagelist, drive partitioning information,
and copies of tweaked datafiles onto a CD (like the woody minicd), would
allow you to replicate machines relatively quickly.

-- 
--Brad
============================================================================
Bradley M. Alexander                |   storm [at] debian.org
Debian Developer, Security Engineer |   storm [at] tux.org
Debian/GNU Linux Developer          | Visit the 99th VFS website at:
MCO, 99th VFS 'Tuskegee Airmen'     |   server2048.virtualave.net/onyx23
============================================================================
Key fingerprints:
DSA 0x54434E65: 37F6 BCA6 621D 920C E02E  E3C8 73B2 C019 5443 4E65
RSA 0xC3BCBA91: 3F 0E 26 C1 90 14 AD 0A  C8 9C F0 93 75 A0 01 34
============================================================================
You don't shoot to kill; You shoot to stay alive.


-- 
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

Follow-Ups:
- Re: Secure/hardened/minimal Debian (or "Why is the base system the way it is?")
  - From: Federico Grau <grauf@rfa.org>

References:
- Re: Secure/hardened/minimal Debian (or "Why is the base system the way it is?")
  - From: Nicole Zimmerman <colby@wsu.edu>

Prev by Date: Re: Secure/hardened/minimal Debian (or "Why is the base system the way it is?")
Next by Date: deploying pam-opie?
Previous by thread: Re: Secure/hardened/minimal Debian (or "Why is the base system the way it is?")
Next by thread: Re: Secure/hardened/minimal Debian (or "Why is the base system the way it is?")
Index(es):
- Date
- Thread