Re: Secure/hardened/minimal Debian (or "Why is the base system the way it is?")
On Mon, May 20, 2002 at 12:10:47PM +1000, Andrew Pollock wrote:
> Hi,
>
> I'm currently working for a company that provides managed security
(...)
>
Good luck! (and what's the company name?) :)
Even if you already know it, some general suggestions would be:
1.- Read the Securing Debian Manual
2.- Install and run Bastille in a test box and re-use the configuration
changes to harden boxes.
> One thing in particular is inetd. It seems it's unavoidable to have
(...)
I'm afraid it will be installed. However, since it has a small
fingerprint (Install Size: 136) IMHO it's not a big issue to install it
and not run it (remove the rc links).
Regarding the inet.d vs xinet.d issue I agree with you that
xinet.d is best. I would support a bug in 'general' (wishlist priority) to
make xinet.d the standard inetd daemon. It is also a little bit more
secure since it will allow binding to specific interfaces. I don't know
how does update-inet.d work with xinet.d, and that might be an issue. But
we probably should "evolve" to use xinet.d instead of inetd. However,
notice that xinet.d package is 114232 in size, probably too much for
'base'.
>
> Secondly, even the base system comes with exim installed and port 25 open
> (granted, I haven't checked to see if it's only on localhost). A lot of
> reasonably necessary packages depend on a mail-transport-agent virtual
> package being installed. For example, on my home machine, if I try to
> remove the sendmail package, I can also kiss goodbye:
>
IIRC port 25 was open to the world. In any case somebody else
already recommended nullmailer which might be a better solution. Binding
exim to 127.0.0.1:25 is pretty easy however (Bastille does not do it but I
plan to add this feature Really Soon (tm) :)
> Some of these I find a little bit strange to be losing because I've gotten
> rid of my mail transport agent... Log rotation, for example, is something
> I'd need and want in any build I make. I don't understand why I lose at
> but not cron either...
This is due to reports being sent through mail to the local 'root'
(or other configured) user.
>
> So my main conundrum at present is what is the best way to make a truly
> minmalist Debian installation, the "Debian Way", in a highly security
> conscious environment? I'd really like to see Debian get up in this
> organisation.
>
> Anything insightful (and hopefully not inciteful) appreciated.
Hopefully I helped a little bit. I would really appreciate that
you sent me technical details so I could add this info to the "Debian
Securing Manual" as an appendix. Information on how to use FAI to build
hardened computers would be pretty useful.
Finally, since you are managing the box (is that right?) I would
add some kind of intrusion detection system. On one side, logcheck does a
pretty good job if properly customized in analysing log files. On the
other side, Tiger (even if I'm the maintainer and I'm pretty proud of
the improvements in the Debian package) will do a pretty good job in
analysing some common issues. Might not be as complete as Snort in
detecting remote attacks but it might help.
Best regards
Javi
--
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Reply to: