> On Mon, 28 May 2001, Arne P. Boettger wrote:
> * Mounting as many partitions RO, including /etc, /usr etc.. and thus
> * Having two modes of boot,
>   maintenance mode - which lets you edit the files
>   production mode - which is used for actual run
> * Setting Append only attribute for /var/log
> * Having ssh xinetd syslog-ng etc configured instead of insecure
>   alternatives
> * Fully locking down the ports
> * Configured firewall and snort by default
> * Automatic log analysis and reporting on a secure web page. (so that any
>   one with the username and password can look at the summary and details of
>   the logs by visiting a page on the machine)
> * Removal (non installation) of all but very essential programs.
> * Use of encrypted protocols instead of plain text ones ie the daemons
>   used should use encryption if the clients support them
>
> But I want to mount bare minimum of file systems RW. The /var/log can be
> made append only so that the logs can be appended only. The distribution
> should have only minimum of utilities that are required for the work in
> hand. The box is designed to work with minimal intervention.
I would suggest working on a CD-ROMable distribution, and to forget the idea of modes on the production system. An upgrade of utilities, and/or kernel would be done by testing on a disk-based system, and then burning the ISOs. As many exploits depend on being able to alter the underlying filesystems in sneaky ways, many security fixes would not actually need to be applied.

For software that is less stable, and needs a way of patching it, you could use a small program to exec the real copies on disk, based on a table stored on an RO floppy. An update of unstable programs could be done by having 2 'patch' partitions, which are installed over the network mounted rw. The updated one would be remounted ro before use, and then a switch could be made by swapping to a new floppy.

syslog supports logging over the network, so use that and log to a secure system in a private network, rather than the inherently modifiable local disk on systems in the DMZ.

Obviously this idea is simpler for dedicated firewall/routing systems. But I believe it could be adapted to your secure web/DNS server idea. You'd need to separate out config files which may need to be changed. Could you remount them rw and ro just for updates, or perhaps again use the 'patch' idea using a table?

The actual source for things like websites, and master zone files, should be managed on a machine in the internal network, and then copied in using rsync(1) with an ssh(1) pipe. Thus any breakins or defacements, to the disk areas that have to be rw, can be wiped out easily.

Rob
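Rob's "small program that execs the real copies based on a table" idea, as an added example that is not from the original thread: a POSIX sh launcher that resolves a program name through a table held on read-only media to a binary on the active, read-only patch partition, and refuses anything outside that partition. The table format, the function names and the `demo` directory layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal "patch table" launcher in the
# spirit of Rob's suggestion. A table on read-only media maps a program name
# to its real copy on the active, read-only patch partition; the launcher
# refuses anything that does not live under that partition.
# Table format (assumed): one entry per line, name<TAB>absolute-path

# Print the path for NAME from TABLE, or fail if it is missing, escapes
# PREFIX (the active patch partition), contains "..", or is not executable.
patch_resolve() {
  table=$1; prefix=$2; name=$3
  path=$(awk -F '\t' -v n="$name" '$1 == n { print $2; exit }' "$table")
  [ -n "$path" ] || { echo "no table entry for $name" >&2; return 1; }
  case $path in
    *"/../"*|*"/..") echo "refusing $path: traversal" >&2; return 2 ;;
    "$prefix"/*) ;;
    *) echo "refusing $path: outside $prefix" >&2; return 2 ;;
  esac
  [ -f "$path" ] && [ -x "$path" ] || { echo "$path: not executable" >&2; return 3; }
  printf '%s\n' "$path"
}

# Replace this process with the resolved program; remaining arguments pass through.
patch_exec() {
  target=$(patch_resolve "$1" "$2" "$3") || exit $?
  shift 3
  exec "$target" "$@"
}

# Constructed demo: a fake partition and table in a temp dir (run: sh launcher.sh demo).
demo() {
  d=$(mktemp -d); mkdir -p "$d/patch1/bin"
  printf '#!/bin/sh\necho serving from patch1\n' > "$d/patch1/bin/httpd"
  chmod 755 "$d/patch1/bin/httpd"
  printf 'httpd\t%s/patch1/bin/httpd\nshell\t/bin/sh\n' "$d" > "$d/table"
  patch_resolve "$d/table" "$d/patch1" httpd
  patch_resolve "$d/table" "$d/patch1" shell || echo "shell entry rejected, as intended"
  patch_exec "$d/table" "$d/patch1" httpd
}

case ${1:-} in demo) demo ;; esac
```

In the two-partition scheme, switching the active partition is just pointing the launcher at the other prefix (or swapping the floppy that carries the table).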

