LFS Paper on Secure Servers
bdubbs at swbell.net
Tue May 4 21:27:44 PDT 2004
Bostjan Skufca (at) domenca.si wrote:
>I must agree with Emmanuel that grsecurity is generally a good thing even if
>used without ACLs. Only enabled in kernel (without sysctl function ofcourse)
>it detected and prevented most of recent exploits (tested!). For particular
>system it would be great as it enforces many chroot restrictions, like:
>- double chroots
>- chmod to suid/sgid
>- protects outside processes
>Beside these there is also additional logging functionality, various exec
>restrictions (stuff that most exploits use), resource randomizations
>(including PIDs) which prevent attacker's predictions etc.
Something for me to look into more.
>instead of Tripwire you could use Aide:
>which "is a free replacement for Tripwire. It does the same things as the
>semi-free Tripwire and more." (text extracted from their site)
But what is the 'more'?
>I (personally of course) prefer reiserfs (v3) to ext3 as it feels more robust
>and I (personally and at a company) never had problems with it.
>Also there is a newer version of Bind.
There will be newer versions of most of the software in a system. The
key to administration is to know when to upgrade. Most of the time we
don't upgrade just because someting new is out. A security reason is a
good reason as are new features that you want to use. Neither is the
case here as far as I can tell.
>Otherwise it (paper) is a fine piece of information to improve
>security-consciousness of administrators and also a detailed HOWTO to support
>it right away.
More information about the lfs-security