LFS Paper on Secure Servers

Bertrand JUGLAS bertrand at juglas.name
Sat May 1 02:59:09 PDT 2004

Bruce Dubbs wrote:
> I've been working on a major paper based on LFS for the last few months 
> and have now come to the point where it should be released.  The paper 
> is at:
> http://www.linuxfromscratch.org/~bdubbs/secure-linux.pdf
> http://www.linuxfromscratch.org/~bdubbs/secure-linux.html
> The files are also available at:
> http://sol.sac.accd.edu/~bdubbs/secure-linux.pdf
> http://sol.sac.accd.edu/~bdubbs/secure-linux.html
> so you might want to use that site to not overload the main lfs site.
> The html file is not what I consider well rendered and is a single file, 
> but I wanted to get the paper released. I intend to redo the format in 
> the new LFS XML style that Manuel and others have been working on so hard.
> The files are fairly large (306K html, 493K pdf).  The paper is 59 pages 
> plus about 100 pages of appendicies, so its not a quick read.  I am 
> interested in maintaing the paper, so if there are any suggestions for 
> improvement, they are welcome.
> The abstract reads:
> "When securing a server, most administrators start with a commercial 
> distribution and try to modify the configuration to
> eliminate security problem areas. The problem is that most distributions 
> have many packages installed that are unnecessary on a server. For 
> instance, the RedHat 9 distribution loads a minimum of 115 packages. 
> Knowing what these packages are and the security implementations of each 
> is very difficult.
> This paper takes a different approach. It starts by building a base 
> system from "scratch" using the techniques from the Linux From Scratch 
> project. To that base, the administration and security tools required to 
> manage the system are added. Finally, the server applications are 
> installed.
> After the system is built however, configuration is not finished. Even 
> though a small number of packages have been
> installed, some files need to be removed for security reasons. After 
> that, final configuration tasks are required before deploying the server.
> When deployed, the job of maintaining security is never complete. The 
> administrator must continue to be vigilant and enter
> an ongoing cycle of security tasks. This cycle consists of four phases: 
> Planning, Implementing, Monitoring, and Analyzing security and 
> performance issues for the life of the system.
> To demonstrate the principles described above, this paper will provide a 
> step by step guide to implementing a Domain Name System (DNS) server for 
> a medium size organization. From this description, an administrator can 
> use most of the techniques described to build many types of servers by 
> removing the DNS software and adding a few applications to the secured 
> base system.
> There are some prerequsites for developing this type of system. A 
> moderate amount of UNIX system administrator skills including 
> familiarity with building software from source distributions is needed. 
> Beyond that, the only other skill needed is to be able to precisely 
> follow instructions. In some cases, deviations made by a knowledgeable 
> administrator are appropriate, however changes to the procedures given 
> are not recommended for the first build."
> Enjoy.
>  -- Bruce

Thanks for your great work, i will try to test it on my development 
server and write back to you my comments to help you maintain it ;)
if you are searching for a tester, i propose myself.
Thanks a lot,

More information about the lfs-security mailing list