At 11:38 PM 4/15/2003 -0500, you wrote:

>Anyone out there try SE-Linux (from the NSA)? I recently tried to
>install it with gentoo on a machine that was going to be a server, but
>it would just keep rebooting when the kernel went to load... a horrible
>loop :(. Was trying to make a really secure server, like super secure.
>I opted to try the regular kernel sources (with gentoo patches) and a
>bunch of security enabled in it.

There was a nice article on SE-Linux in SysAdmin Magazine. Try their archive and see if the article is online.

>I have seen the thread about the bastille script, but are there any
>other resources for building an extremely secure machine for server
>applications (http, ftp, maybe irc and mail as well)?

There are other scripts out there. Most of these scripts just follow a checklist, basically. After a while this stuff will just get burned into your brain:

1. Install OS with minimal software. Do not install X.
2. Kill all services.
3. Protect against r* stupid stuff.
4. Check file permissions.
5. Make a lot of stuff only readable to root (e.g., /etc/fstab).
6. Run netstat -ln and kill any lingering services.
7. Plug in network cable.
8. Patch.
9. Unplug network cable.
10. Set up file integrity auditing software.
11. Set up log auditing.
...

It gets quite automatic after a while.

When setting up specific services try to compartmentalize as much as possible. You can do this by keeping each service dedicated to a machine. (Usually not possible with most budgets.) Also, use a jail or chroot for each service that you can. That makes a difference.

Also look into special flags and modes of your file system. Mount read-only if possible. Learn append-only and immutable flags on ext* file-systems under Linux.

>Any experience with anyone running these servers?
>Is anyone even into IRC (other than Tim, Dustin, Neal, and the
>occasional person who waits 3 minutes for a response then gives up)?

People that give up after 3 minutes suck. :) Honestly, I know that I am busy most of the day and only check the IRC channel once an hour or so.

---
Dustin Puryear <[EMAIL PROTECTED]>
Puryear Information Technology
Windows, UNIX, and IT Consulting
http://www.puryear-it.com
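As an added example that is not part of Dustin's post, the script below mechanizes steps 4 to 6 of his checklist plus the ext* flag advice: it lists listeners bound to a wildcard address from `netstat -ln` output, lists world-readable files under a directory such as /etc, and prints (or, with APPLY=1 as root, runs) the `chattr +i` / `chattr +a` commands for the immutable and append-only flags. It assumes a Linux host with netstat from net-tools and chattr from e2fsprogs; the netstat text embedded in it is constructed sample output, and the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post above. Audits a host
# along the lines of the checklist: exposed listeners, world-readable
# files, and ext* immutable/append-only flags. Assumes netstat (net-tools)
# and chattr (e2fsprogs); the netstat text below is constructed, not
# captured from a real machine.
set -eu

# Constructed `netstat -ln` output: sshd on all interfaces, an MTA bound
# to loopback only, and a forgotten portmapper on tcp/udp 111.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
Active UNIX domain sockets (only servers)
unix  2      [ ACC ]     STREAM     LISTENING     1234   /var/run/foo.sock'

# Step 6: from `netstat -ln` text on stdin, print "proto port" for every
# TCP/UDP socket bound to a wildcard address (0.0.0.0, :: or *). Sockets
# bound only to loopback are skipped because they are not reachable from
# the network; every line printed here needs a reason to exist.
exposed_ports() {
    awk '$1 ~ /^(tcp|udp)/ && $4 ~ /^(0\.0\.0\.0|:::|\*):/ {
             n = split($4, a, ":"); print $1, a[n]
         }'
}

# Steps 4-5: list regular files under a directory that are readable by
# "other". Run it on /etc and decide, file by file, whether the world
# needs to read it (the post's example is /etc/fstab).
world_readable() {
    find "$1" -type f -perm -004 | sort
}

# ext* flags: print (or, with APPLY=1 as root, run) the chattr commands
# that make config files immutable (+i) and log files append-only (+a).
# These flags are honoured by ext2/ext3-style filesystems; an immutable
# file must have the flag cleared (chattr -i) before it can be edited.
lock_flags() {
    flag=$1
    shift
    for f in "$@"; do
        if [ "${APPLY:-0}" = 1 ]; then
            chattr "$flag" "$f"
        else
            echo "chattr $flag $f"
        fi
    done
}

# Run the whole audit against the live host (needs netstat on PATH).
audit_host() {
    echo "== listeners bound to a wildcard address =="
    netstat -ln | exposed_ports
    echo "== world-readable files under /etc =="
    world_readable /etc
    echo "== suggested flags (run with APPLY=1 as root to apply) =="
    lock_flags +i /etc/fstab /etc/hosts
    lock_flags +a /var/log/messages
}

# Demo against the constructed sample; prints: tcp 22, tcp 111, udp 111.
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_ports
```

Source the file and call `audit_host` on a freshly installed box after step 2; anything `exposed_ports` prints that is not the service the machine exists to run is a "lingering service" in the sense of step 6. Keep the chattr output in dry-run mode until the file set is final, because an immutable /etc/fstab also blocks your own edits until you run `chattr -i`.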
