LFS Paper on Secure Servers
wingmanREMOVEME at waika9.com
Sat May 1 13:03:11 PDT 2004
>De : lfs-security-bounces at linuxfromscratch.org [mailto:lfs-security-
>bounces at linuxfromscratch.org] De la part de Bruce Dubbs
>Envoyé : samedi 1 mai 2004 08:58
>À : lfs-dev at linuxfromscratch.org; BLFS Development List; LFS Security
>Objet : LFS Paper on Secure Servers
>I've been working on a major paper based on LFS for the last few months
>and have now come to the point where it should be released. The paper
>The files are also available at:
>so you might want to use that site to not overload the main lfs site.
>The html file is not what I consider well rendered and is a single file,
>but I wanted to get the paper released. I intend to redo the format in
>the new LFS XML style that Manuel and others have been working on so hard.
>The files are fairly large (306K html, 493K pdf). The paper is 59 pages
>plus about 100 pages of appendicies, so its not a quick read. I am
>interested in maintaing the paper, so if there are any suggestions for
>improvement, they are welcome.
>The abstract reads:
>"When securing a server, most administrators start with a commercial
>distribution and try to modify the configuration to
>eliminate security problem areas. The problem is that most distributions
>have many packages installed that are unnecessary on a server. For
>instance, the RedHat 9 distribution loads a minimum of 115 packages.
>Knowing what these packages are and the security implementations of each
>is very difficult.
>This paper takes a different approach. It starts by building a base
>system from "scratch" using the techniques from the Linux From Scratch
>project. To that base, the administration and security tools required to
>manage the system are added. Finally, the server applications are
Great job. Very interesting and useful. I will probably test it in a few
weeks for my own environement. I no security expert, though.
I do have small comments/questions/suggestions..
1) The use of sendmail as an MTA .. since it is secure oriented, isn't is
more interesting to put postfix or qmail instead ?
2) Going to nALFS for the build will be great. I am newbie to LFS, but have
already built dozens of LFS with it. It works great, profiles are quick to
write, easy to maintain/change.
3) isn't it interesting to use grsecurity in such environement ? Again, I'm
no expert, but building such an security oriented system with grsecurity and
a well desgined ACL seems useful.
Hope my comments were useful..
More information about the lfs-security