Richard Melville wrote:
On 30 December 2015 at 19:05, Paul Rogers <[email protected]> wrote:
I'm still thinking about in/ex-clusions for my LFS build. I've only had
to deal with my own systems, a somewhat restricted set of needs.
What are the circumstances under which one needs, or does not, the
enhanced internal security of EAs, ACLs, etc. (short of SELinux), in an
LFS system? I'm interested in your thoughts.
Maybe all that is overkill for a single user. I've recently used
rbash to secure an account on a laptop, and locked the account down
further by restricting the path. I've also used full disk encryption,
with the keyfile and long, random character passwords held on a USB
flash drive, together with the boot loader.
Some are pretty obvious, e.g. internet "bastion" servers (Is there any
other kind?) and DMZ residents, multi-user/quasi-public hosts. Others?
"Container servers" but not bare-metal virtual machine servers? (But,
then, does one build those from LFS or "buy" commercial?)
I've built a BLFS dual stack ipv4/ipv6 gateway box which works well.
It means that I have full control downstream from the D-Link bridge
modem which just does the conversion to PPPoE. I added the
proprietary bridge modem reluctantly because the cost of a PCI PPPoA
to PPPoE adapter is prohibitive IMO.
Not obvious: single user hosts (given that they're behind NAT routers
and have strong internal firewalls, my case), check-pointed virtual
systems (perhaps to be my case)?
If the router is supplied by the ISP it's worth asking yourself just
how old is that router, or, more importantly, just how old is the
software it's running?
What are the characteristics of the systems one builds with LFS that
establish the needs of what kind of internal security enhancements of
what scope? How far do *you* take it, and why?
I do not trust an ISP's router. I have my own between that and my
internal network.
There is always a tradeoff between security and convenience. How much
inconvenience you will put up with depends on the value of the data on
your system. You have to decide the value for yourself.
See above; obviously a laptop is more critical regarding security. As
it is often stated: the only secure computer is one that is not
connected to any network, particularly the internet.
A laptop is more critical if you have data there that is confidential.
Full disk encryption is a little overkill unless you are in a situation
where someone might try to insert a Trojan. I suspect it would be a rare
person that would know enough to be able to insert something like that on
a Linux based laptop.
-- Bruce