On Mon, Mar 15, 2004 at 12:37:13PM +0100, harry wrote:
> hi all,
>
> i have a little question. i'm asked to set up a base system, which has
> to be secure. we want a system from which we can easily install a
> compromised system. so i had a few ideas to make it as secure and yet as
> usable as possible:
>
> - use debian testing (stable is too old, unstable is ... well... you
> know ;))

As testing doesn't get security updates (at least, it's not guaranteed), IMHO it's a bad point to start with.

> - /var and /tmp mounted nosuid and noexec

How about /home? and how about nodev? (dunno if Linux has nodev)

> - grsec kernel
> - use lvm (so you don't need to worry about the sizes of the partitions)
>
> - remote logging to our logging server
>
> - all this in hardware raid 1 for easy transfer to other systems
> - iptables with all connections refused (you need physical access to do
> something)
> - maybe allow ssh (no root logins)?
>
> ==> is this ok, too paranoia or is there something i'm missing, and
> could it be even more safe?

It could be more safe definitely. How about OpenBSD? (ye ye i'm biased ;), but there are more security oriented solutions around)

> how about a compiler? normally, all soft on it is compiled by hand, but
> it is also "necessary" for a local exploit.

If you don't install a compiler, make sure users can't upload precompiled compilers :)

> any ideas? remarks?

It all depends on what you want to do with the system (webserver? desktop pc's?)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
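
Added example, not part of the original message: a small Python check of the mount options discussed in the thread (nosuid and noexec, plus nodev, which Linux mount does support) against a mount table in fstab or /proc/mounts format. The REQUIRED policy, the function names and the sample table are assumptions constructed for illustration.

```python
# Assumed policy: the thread's suggestions applied to /var, /tmp and /home.
REQUIRED = {
    "/var": {"nosuid", "noexec", "nodev"},
    "/tmp": {"nosuid", "noexec", "nodev"},
    "/home": {"nosuid", "noexec", "nodev"},
}

# Constructed sample in /proc/mounts format (not taken from a real host).
SAMPLE = """\
# device mountpoint fstype options dump pass
/dev/vg0/root / ext3 rw 0 0
/dev/vg0/var /var ext3 rw,nosuid,noexec 0 0
/dev/vg0/tmp /tmp ext3 rw,nosuid,nodev,noexec 0 0
"""


def parse_mounts(text):
    """Return {mountpoint: set(options)} from fstab or /proc/mounts text."""
    mounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed entry, ignore
        # /proc/mounts and fstab encode a space in a path as \040
        mountpoint = fields[1].replace("\\040", " ")
        # A later entry for the same mountpoint is the one in effect.
        mounts[mountpoint] = set(fields[3].split(","))
    return mounts


def audit(text, policy=REQUIRED):
    """Return {mountpoint: missing options}; None means no separate mount."""
    mounts = parse_mounts(text)
    findings = {}
    for mountpoint, required in policy.items():
        if mountpoint not in mounts:
            # Not its own filesystem: the parent's options apply instead.
            findings[mountpoint] = None
            continue
        missing = sorted(required - mounts[mountpoint])
        if missing:
            findings[mountpoint] = missing
    return findings


if __name__ == "__main__":
    for mountpoint, missing in sorted(audit(SAMPLE).items()):
        print(mountpoint, "not a separate mount" if missing is None else missing)
```

On a live system, pass the contents of /proc/mounts rather than /etc/fstab, since it lists the options actually in effect.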
