Secure/hardened/minimal Debian (or "Why is the base system the way it is?")
Hi,
I'm currently working for a company that provides managed security
solutions. Linux is used fairly extensively in the internal
infrastructure. Currently it's Mandrake, however my immediate superior
(who is the Mandrake guy) is open minded and has allowed me to run up some
Debian installations so he can see what it's capable of.
Firstly, the main reason why he chose Mandrake in the first place (over
say the likes of Red Hat) was that you were able to do a minimalist
installation, and actually not get very much. (i.e. the base system was
very minimalist). Unlike Red Hat, where in the installation process you'd
tell it to install "nothing" (i.e. just a base system) and you'd wind up
with all sorts of things running that you really didn't want running (like
an SMTP server). The other reason was it is apparently relatively easy to
create a "build" under Mandrake and just blat this build onto as many
boxes as you like (I'm guessing something like Red Hat's KickStart).
Okay, so he's let me run with Debian (for the time being at least, which
I'm happy with because I really don't like supporting RPM based systems).
Some of the requirements that were given to me was that we had to be able
deploy a consistent "build" of Debian, generally task oriented. So we
might have a build for a Debian box that was a DNS server, a build for a
Debian box that was an SMTP relay, a proxy server etc etc.
At this point I asked on the Debian-User list for something KickStart-ish
and was directed to FAI (Fully Automatic Install) and after a couple of
weeks of playing around I believe I can make this work for me. FAI is a
Good Thing (tm) as I previously had a gripe that Debian had nothing
KickStart-ish.
The reason that I'm writing this email, is because I have a gripe about
the base Debian packages.
We want these "builds" to be as "hardened" as possible. For example, we
don't want compilers installed, unnecessary binaries floating around, etc
etc. I really don't want to deviate from using the packaging system to
maintain what's installed. I don't want to wind up with a
Frankenstein Debian installation that can't be maintained easily. It's
just not the Debian Way either.
One thing in particular is inetd. It seems it's unavoidable to have
inetd installed, with the netbase package depending on netkit-inetd. Is it
possible to completely remove the inetd binary and use a diversion or
something to keep the package system reasonably happy with what's happened
(I'm not very clued up on more advanced elements of the packaging system
like diversions). (Side issue, but why the heck is Woody shipping with
inetd and not xinetd? After seeing the way Red Hat manages xinetd based
services, it's so much more elegant than using update-inetd).
Secondly, even the base system comes with exim installed and port 25 open
(granted, I haven't checked to see if it's only on localhost). A lot of
reasonably necessary packages depend on a mail-transport-agent virtual
package being installed. For example, on my home machine, if I try to
remove the sendmail package, I can also kiss goodbye:
apache
at
linpopup
log2mail
logcheck
logrotate
mailx
mindterm
mutt
netsaint
samba
squid
squid-cgi
Some of these I find a little bit strange to be losing because I've gotten
rid of my mail transport agent... Log rotation, for example, is something
I'd need and want in any build I make. I don't understand why I lose at
but not cron either...
So my main conundrum at present is what is the best way to make a truly
minmalist Debian installation, the "Debian Way", in a highly security
conscious environment? I'd really like to see Debian get up in this
organisation.
Anything insightful (and hopefully not inciteful) appreciated.
Andrew
--
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Reply to: