On 30 December 2015 at 19:05, Paul Rogers <[email protected]> wrote: > I'm still thinking about in/ex-clusions for my LFS build. I've only had > to deal with my own systems, a somewhat restricted set of needs. > > What are the circumstances under which one needs, or does not, the > enhanced internal security of EAs, ACLs, etc. (short of SELinux), in an > LFS system? I'm interested in your thoughts.
Maybe all that is overkill for a single user. I've recently used rbash to secure an account on a laptop, and locked the account down further by restricting the path. I've also used full disk encryption, with the keyfile and long, random character passwords held on a USB flash drive, together with the boot loader. > Some are pretty obvious, e.g. internet "bastion" servers (Is there's any > other kind?) and DMZ residents, multi-user/quasi-public hosts. Others? > "Container servers" but not bare-metal virtual machine servers? (But, > then, does one build those from LFS or "buy" commercial?) I've built a BLFS dual stack ipv4/ipv6 gateway box which works well. It means that I have full control downstream from the D-Link bridge modem which just does the conversion to PPPoE. I added the proprietary bridge modem reluctantly because the cost of a PCI PPPoA to PPPoE adapter is prohibitive IMO. > Not obvious: single user hosts (given that they're behind NAT routers > and have strong internal firewalls, my case), check-pointed virtual > systems (perhaps to be my case)? If the router is supplied by the ISP it's worth asking yourself just how old is that router, or, more importantly. just how old is the software it's running? > What are the characteristics of the systems one builds with LFS that > establish the needs of what kind of internal security enhancements of > what scope? How far do *you* take it, and why? See above; obviously a laptop is more critical regarding security. As it is often stated: the only secure computer is one that is not connected to any network, particularly the internet. Richard -- http://lists.linuxfromscratch.org/listinfo/lfs-support FAQ: http://www.linuxfromscratch.org/blfs/faq.html Unsubscribe: See the above information page Do not top post on this list. A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? A: Top-posting. Q: What is the most annoying thing in e-mail? http://en.wikipedia.org/wiki/Posting_style
