[DISCLAIMER: I've played with this here at home, and think I've got a fairly secure system, but I'm no expert, I'm just an interested geek]
On Mon, Feb 03, 2003 at 02:21:33PM +0100, Russell Coker wrote:
> Is anyone here running a Debian system with no daemons running as root
> other than init, inetd, and sshd, no SUID-root programs other than
> passwd, su, etc, and generally having everything locked down as much
> as possible (chroots for daemons, etc)?

I'm running bind9 in a chroot (using Martin's bind9-chroot package); everything else is as normal.

> If so what kernel patches do you apply for security?

I'm using a couple at the moment: grsecurity and the pseudo-socket ACL one. grsecurity is quite well documented out there, and provides a huge number of hardening options, as well as its own ACL implementation. The pseudo-socket ACL patch gets around the currently simplistic TCP port security system (root can bind <1024, everyone can take those above that) by letting you create particular groups that are allowed to bind to low ports, but do not otherwise have root privileges.

> What do you consider to be the main area of weakness in your system
> security that needs to be addressed?

Privileged daemons seem to be the largest issue these days. AIUI, SELinux significantly reduces the privileges that daemons have, so this is already a large step in the right direction.

[snip]

> I am interested in improving the general security of Debian and am
> involved in some discussions as to what is the best way to do it. I
> am searching for background data to help with this.

I'd say your SELinux work is the single most useful thing that could be used to improve the security of Debian, since it (AFAIK) uses MAC to lock down broad swathes of the system, only opening the small holes that are needed. More support for daemons running as non-privileged users and in chroots is always good though, especially with kernel 2.4's bind mounts.

More general things, like source audits and using packages like libsafe and valgrind to reduce the effects and find the sources of buffer overflows, are essential also, but it's not Debian-specific. I'm sure this is all already obvious, but perhaps it'll help...

-- 
Rob Weir <[EMAIL PROTECTED]> http://ertius.org/