LFS Paper on Secure Servers

Bruce Dubbs bdubbs at swbell.net
Tue May 4 21:27:44 PDT 2004


Bostjan Skufca (at) domenca.si wrote:

>Hello,
>
>I must agree with Emmanuel that grsecurity is generally a good thing even if 
>used without ACLs. Only enabled in kernel (without sysctl function ofcourse) 
>it detected and prevented most of recent exploits (tested!). For particular 
>system it would be great as it enforces many chroot restrictions, like:
>- mouns
>- double chroots
>- mknods
>- chmod to suid/sgid
>- protects outside processes
>
>Beside these there is also additional logging functionality, various exec 
>restrictions (stuff that most exploits use), resource randomizations 
>(including PIDs) which prevent attacker's predictions etc.
>  
>

Something for me to look into more.

>Tripwire: 
>instead of Tripwire you could use Aide:
>http://www.cs.tut.fi/~rammer/aide.html
>which "is a free replacement for Tripwire. It does the same things as the 
>semi-free Tripwire and more." (text extracted from their site)
>  
>
But what is the 'more'? 

>Filesystem:
>I (personally of course) prefer reiserfs (v3) to ext3 as it feels more robust 
>and I (personally and at a company) never had problems with it.
>
>Also there is a newer version of Bind.
>  
>
There will be newer versions of most of the software in a system.  The 
key to administration is to know when to upgrade.  Most of the time we 
don't upgrade just because someting new is out.  A security reason is a 
good reason as are new features that you want to use.  Neither is the 
case here as far as I can tell.

>Otherwise it (paper) is a fine piece of information to improve 
>security-consciousness of administrators and also a detailed HOWTO to support 
>it right away.
>  
>
Thank you.

  -- Bruce




More information about the lfs-security mailing list