roadmap

Declan Moriarty declan.moriartyt at ntlworld.ie
Mon Jan 5 03:02:31 PST 2004


On Sun, Jan 04, 2004 at 09:07:09PM -0500, ashes enlightened us thusly
> Mission Statement
> 
> Hardened Linux From Scratch is a text book that teaches Linux system security 
> by implementing it in a flexable way on an already existing Linux system. 
> This is done in a way that will create a new independent hardended Linux 
> system.
> 
> Roadmap
> 
> Define threat assessment.
> Decide on a default system security policy.
> Decide on a default user policy for root, regular users, chroot users, with 
> and without X11, with and without network access. This assumes enforcement.
> Define user requirements.
> Decide on a default system accounting policy. (Process, filesystem, and memory 
> access)
> Decide on a default intrusion detection and reaction policy.
> Decide on a default software auditing policy. (Minimum security requirements)
> 
> Provide detailed analysis of all of the above.
> ----
> 
> We can start with the first one. Who are we protecting ourselves against, and 
> what do they want?


I agree that 'everyone & everything' is a good answer. I would include a DoS 
attack; As it stands, more processing is done checking a request than
making it. I read a very interesting thing on Bernstein's site about the
'correct' way to handle DoS attacks which reversed this. Some of it was
over my head, but bears thought.

As you cannot rely on everybody having an old box lying there to use as
a firewall, how about local firewall implementation as well as a remote
one (for those whose last box still boots).

So the ultimate would be a box online running & X protected from 
	1. It's own software, including a local X and at least 1 window manager.
	2. local users.
	3. Determined proficient hackers
	4. DoS attacks (while continuing Services)
	5. A breakdown of some nature not requiring a reboot
	6. Spamming.
with
	7. Intrusion detection to allow drastic action (process kills,
	or reboots) if violated
 
Before you hack in and give out, I reckon this is not possible. It's the
ideal. You would also need a charter of approved software. Enough to
keep your heads buried for months, but quite commercially valuable if
you had it.

-- 

	With best Regards,


	Declan Moriarty.



More information about the hlfs-dev mailing list