module design

Robert Day zarin at
Tue Jan 6 04:11:16 PST 2004

On Tue, 2004-01-06 at 03:24, ken_i_m at wrote:
> I think a module design is called for.  Some of the ideas being discussed 
> I would not want on one of my systems.  Security decisions are a trade 
> off in risk management.  I have significant physical security so I don't 
> have to trade away ease of use.
> OTOH, a laptop that travels out into the cruel world needs a different 
> profile.  One where an encrypted filesystem would make sense.

Well, we're not starting so much of a Module collection..  I was
thinking that most chapters and sections are going to be optional.  The
base of HLFS - that is the OS Hardening at the Code level (ie. the
propolice patches that ashes is working on ATM).  This part of the
system, and a few others, will be a required build.  As in, anyone who
wants to build HLFS will need that basic security and hardening before
building a chroot jailed apache server etc. etc.

Most of the rest (filesystem encryption, services, pgp encryption, yadda
yadda blah blah blah) is going to be on a per-user choice basis.  I for
one am not going to encrypt my filesystems. My box is a server on the
net, that other people rely on to get online (like the rest of the
family, all 3 of their computers need mine to get online) and I am not
always here to boot it up if it crashes, or the power is offline long
enough to drain the UPS...  I am also not going to be installing a
mailserver cause port 25 is firewalled at the ISP level - I cannot send
or receive using my own mailserver. I WILL be using a firewall..  a
fairly heavy firewall with NAT.  I want my kids boxens to be secure, I
want the GF's system to be online and not restricted, etc. etc.  Some
other users will not need a firewall, cause they are behind a corporate
firewall, or campus firewall, and a personal firewall might be useless
for them.  Some people will not need any services, but being a laptop,
will need the encrypted filesystem.  But, that is not to say we are
going to build "Modules" - we are going to include a tradeoffs summary
with each section, and list the main reasons for installing or not
installing a specific application/service etc.

  Rob Day (BOFH)

More information about the hlfs-dev mailing list