You can also use
rpm -Va 
to verify the integrity of all the rpms that have been installed.  You
can also check signatures, or verify against a remote database of rpms.
This is one of the advantages of using an rpm based distribution.

Since ltsp/k12 requires that the users have local accounts on the server,
you do have to be more concerned about local exploits than in a pure
Internet server.  Eternal vigilance is the price of security.

Lots of this is basic sysadmin stuff, but it bears repeating.
1) Make sure you have processes in place to monitor /var/log/messages
and other system logs.  
2) Be sure you have backups of all your config files, and data.  
3) Have a root disk prestaged to replace one that has been compromised.
4) If you think someone is really pushing it, hire him!  i.e., give him
a job helping you.  He/she is the one you want in your corner.
5) Use a TOTALLY different root password on this box than anywhere else
in your environment.
6) Change passwords often.
7) Firewall the box off from every other system in the environment and
monitor the communications at all times.  This means running snort or
a similar program on another box.
8) Complacency is your enemy.

------------------------------------------------------------------------
Jim Wildman, CISSP                                      [EMAIL PROTECTED]
http://www.rossberry.com

On Sat, 21 Sep 2002, John_Cuzzola wrote:

> > Does anyone out there have some advice they could share with me on
> > security?  My first real exposure to linux was this summer when we decided
> > to go all out and run all our school's dorm computers as LTSP stations... 
> > 
> > Specifically my concern is this:  On all our PCs (yes, I'm paranoid,
> > and yes it's been justified many times over :) in our system I have used
> > registry hacks to hide the C: drive, disable command prompts, etc... This
> > year especially we have actually had THREATS from students to try and hack
> > our servers.  The gall!  
> ...
> I guess maybe what I'm asking is what can I chmod 770 (?) to lock it down;
> the less they can read of my config files the better... I don't want to do
> something however like chmod 770 /etc and then have my system not startup!
> ...
> 
> *** Well first off don't blanket chmod 770 anything unless you know
> exactly what you're doing (which files will be affected). Chmod 770 /etc
> will break your system instantly (files like passwd, group, and a whole
> bunch more need to be readable by everyone). So I would forget about the
> chmod thing on /etc.  Security is an ongoing thing and a system is only as
> secure as the system admin makes it. So it's a good idea to start reading
> up on security. Also it's a good thing to join a couple of security
> mailing lists so that you are informed of the latest vulnerability that
> needs to be fixed. How old are the kids? I find 'threats' of hacking and
> kids who call themselves hackers are nothing more than script kiddies or
> wannabes - there's only a rare few that truly would understand. Windows
> is insecure by default and if that's all the kids were exposed to in the
> past then they will find Linux more difficult to mess with. Anyway, here's
> a couple of suggestions. I would research them thoroughly:
> 
> - TripWire (or similar). Lets you know which files on the system have
> been changed.
> 
> - chkrootkit. Run this program periodically to see if your system has been
> compromised.
> 
> - Mark /home, /tmp partition "noexec"...If you have a /var/tmp directory
> then I would symbolic link /var/tmp to /home/var_tmp. "noexec" can be
> by-passed but you have to know how.
> 
> - Recompile your kernel with BSD STYLE ACCOUNTING enabled. This will
> record every command/executable a user runs. You can query the entire
> database for particular commands or query all commands by a user - Very
> useful.
> 
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _____________________________________________________________________
> Ltsp-discuss mailing list.   To un-subscribe, or change prefs, goto:
>       https://lists.sourceforge.net/lists/listinfo/ltsp-discuss
> For additional LTSP help,   try #ltsp channel on irc.openprojects.net
> 
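
An added example, not part of the original messages: a small shell filter that triages the output of the "rpm -Va" check mentioned in the reply above, so that replaced binaries stand out from routinely edited config files. The function names and the sample lines are constructed for illustration.

```sh
#!/bin/sh
# Triage `rpm -Va` output. Each line is "<flags> [marker] <path>" or
# "missing [marker] <path>"; marker "c" means a packaged config file.
# Flags used here: 5 = digest differs, M = mode, U = owner, G = group.

triage_rpm_verify() {
    awk '
    NF >= 2 {
        flags  = $1
        marker = ($2 ~ /^[cdglr]$/) ? $2 : "-"
        path   = $0
        # Strip flags and optional marker; keeps paths that contain spaces.
        sub(/^[^ \t]+[ \t]+([cdglr][ \t]+)?/, "", path)

        if (flags == "missing") {
            sev = "WARN";  why = "missing"
        } else if (flags ~ /5/ && marker != "c") {
            # Changed content in a non-config file: binary or library replaced.
            sev = "ALERT"; why = "content-changed"
        } else if (flags ~ /[MUG]/) {
            sev = "WARN";  why = "mode-or-owner-changed"
        } else {
            sev = "INFO";  why = "config-or-minor-change"
        }
        print sev, why, path
    }'
}

# Constructed sample lines, not output from a real system.
sample_rpm_va() {
    cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /bin/login
.M.......    /usr/bin/passwd
.......T.  c /etc/motd
missing      /usr/sbin/tcpd
.M...UG..  c /etc/shadow
EOF
}

# Demo on the sample; on a real server: rpm -Va | triage_rpm_verify
sample_rpm_va | triage_rpm_verify
```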