[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Secure/hardened/minimal Debian (or "Why is the base system the way it is?")

On Sun, 2002-05-19 at 22:32, Nicole Zimmerman wrote:

I did something similar in building firewalls.
> What I did was:
> 1. Install potato out of the "box" (we have a local mirror)

I did the same, except that I used woody. After doing a base install,
you could use apt's dependency-fixing capability to install only the
end-item packages you wish (e.g. from a base install, apt-get install

> 2. Thin potato out (remove unnecessary packages, compilers, etc)
> 3. Make a custom 2.4 kernel with NO loadable modules (because we know the
> hardware, we can do this) and with iptables

I build a custom kernel as well.

> 4. Install back-compiled packages for SSH, postgres, anything else (system
> requirements, plus SSH2 security advantages)
> 5. Switch partitions over to ext3 (if I ship the box and the box goes down
> and fails an fsck, we either give them root or send a tech, expensive
> either way)
> 6. Configure some of the packages to be "more" secure (e.g.
> exim configuration)
> 7. Configure an iptables firewall to further restrict access to
> illegitamite ports (anything but 80 and our 3 proprietary ports)
> (8: Install our software, test, etc)

The other thing I do is to maintain a package list of machines I build.
It for instance, I have selection of workstation packagelists, laptop,
mailserver, firewall and the like. In essence, I do a

dpkg --get-selections > packagelist

This gives me the option of doing a base install, then doing 

dpkg --set-selections < packagelist
apt-get dselect-upgrade

in lieu of FAI. Putting the packagelist, drive partitioning information,
and copies of tweaked datafiles onto a CD (like the woody minicd), would
allow you to replicate machines relatively quickly.

Bradley M. Alexander                |   storm [at] debian.org
Debian Developer, Security Engineer |   storm [at] tux.org
Debian/GNU Linux Developer          | Visit the 99th VFS website at:
MCO, 99th VFS 'Tuskegee Airmen'     |   server2048.virtualave.net/onyx23
Key fingerprints:
DSA 0x54434E65: 37F6 BCA6 621D 920C E02E  E3C8 73B2 C019 5443 4E65
RSA 0xC3BCBA91: 3F 0E 26 C1 90 14 AD 0A  C8 9C F0 93 75 A0 01 34
You don't shoot to kill; You shoot to stay alive.

To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: