[rescue] Security lockdown (was: SMP on intel wasteful?)

rescue at sunhelp.org
Mon Jun 24 23:20:05 CDT 2002


> ok, while i do somewhat agree with you, having done solaris
> as long as i have, it takes me 5 minutes to quickly lock it
> down.  but to really secure a solaris box may only take
> another 10-20 minutes.  when you are intimately familiar with
> an OS, it is not very time consuming.
For clarity:  I'm talking about locking the system down to
include review of *every* file on the system...and to also
include redefining the "expected" permissions on things (in
/var/sadm/install/contents) so that subsequent "Sun Recommended"
patch installs don't revert my changes...oh, and installing
either Tripwire or Aide so that I have configuration control
(and a poor man's host-based IDS).  If you can do that to
anything more than a brand-new install in < 1 hour/system then
you're either damn fast or you have a set of canned scripts.
I have a set of canned scripts and I still can't work that
fast reliably (unless the particular installation is 100%
vanilla and requires no thought or customization--and that
never seems to be the case).

> i'm not against OpenBSD, but i *AM* against the false sense
> of security it leaves people with since it is "secure out of
> the box" which in my not so humble opinion is BS.
Agreed...in part.  I like OpenBSD because the integrated
cryptography and basic approach make me more confident when
I try to use it to solve a subset of problems.  I don't preach
to Theo, and I don't get myself in knots if he preaches to
others (or me).  The OpenBSD developers I've met personally
are quite friendly and knowledgeable.  Mostly, though, I use
OpenBSD same as I use Solaris, HP-UX, IRIX, Linux, and Windows--
as another tool, to be used appropriately based on requirements
and available resources.

Anyone who thinks that because they use OpenBSD as the
underpinnings, they'll never need to maintain/update the OS...I
would hope that such folks learn the error of their ways without
compromising systems I care about.  *Every* system requires
initial thought and continual maintenance, if it will be
exposed to a measurable threat (internal or external).

> also keep in mind that a majority of what i do involves
> large sun boxes that are never directly connected to the
> internet, so there is not as much of a need to really lock
> them down tight, since more often than not it's not only
> a waste of time, but reduces the machine's usefulness.

I'm more typically supporting medium-to-large Sun (or HP, or
other) boxes that are never _directly_ connected to the Internet
but *are* considered to be "threatened".  Defense in depth
is your friend, and if you find a lock-down procedure that
impacts the system performance or makes it less reliable then I
agree you might not do it...but document the *crap* out of
why you didn't.

> in most cases the applications that run on these boxes are
> the security weakspots anyway, so no amount of system
> lockdown will make the machine secure if you have to leave
> this giant gaping hole open.  god i hate the stupid business
> decisions people make sometimes, but excuse me, i digress.

It's true everywhere.  In a previous lifetime, I described
my job to a co-worker as the electronic equivalent of 
"installing vault doors on grass huts."

>> The two choices that Sun and SGI (among others) made a while
>> back that continue to hurt them in this area were 1.  Have an
>> install that by default is *very* open and 2.  Don't change
>> the default install, since everyone "expects" it to be open
>> at this point.  Off-the-record discussions with Sun and SGI
>> folks indicate that even within the companies there's a large
>> contingent which wants a more secure default install.

> so it takes an extra 20-60 minutes to set up a box.  a box
> that i'm setting up to run for YEARS on end without stopping.
> that's an hour i'm willing to spend.
Like I said, I don't know that it would only take an hour if
you're as thorough as I am.  Then again, I may just be slow.
In any case, you're entirely correct that the time spent up-front
is both necessary and negligible in the big scheme of things.

> again, i'm not against OpenBSD, but it's not the end-all to
> security, you know?
If what I want is a reliable and standards-compliant (where
applicable) bridging firewall (packet filter, not ALG) that
can also act as a 6-to-4 router and an IPSec endpoint, then
OpenBSD is my current choice.  Two of those three items are
strongly security-relevant.

There do seem to be a lot of OpenBSD fanboys popping up lately,
though...it's as though Linux is too mainstream and so some
of the folks who don't actually *do* anything are now trying
to jump on the OpenBSD bandwagon.  I'll let someone else throw
them off and pee on them, though--I just want a good tool for
the things I need to do.

  --Rip
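An added example of the /var/sadm/install/contents step described above; this is illustrative code, not anything from Rip's post or from Sun. It parses entries in the documented layout of the contents database, reports files whose live mode or ownership differs from the recorded values (the check pkgchk performs), and rewrites the expected mode of a file you have hardened so that a later pkgchk -f leaves the hardened setting in place instead of restoring the vendor default. Python is used rather than sh so the parser can be exercised on a throwaway tree; the path /etc/example.conf, the class "none" and the package name SUNWcsr in the sample line are constructed, and device and pipe entry types are rejected rather than guessed at.

```python
"""Check Solaris package-database entries against the live filesystem and
re-baseline the expected mode of a hardened file.

Added example, not code from the original post.  Assumed contents layout:
    path         f|e|v  class mode owner group size cksum modtime pkg...
    path         d|x    class mode owner group pkg...
    path=target  s|l    class pkg...
"""
import grp
import os
import pwd
import stat
import tempfile
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ContentsEntry:
    path: str
    ftype: str
    cls: str
    mode: Optional[int]       # None for s/l entries, which carry no mode
    owner: Optional[str]
    group: Optional[str]
    packages: Tuple[str, ...]


def parse_contents_line(line: str) -> Optional[ContentsEntry]:
    """Parse one contents line; None for blank or comment lines."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    path, ftype, cls = fields[0], fields[1], fields[2]
    if ftype in ("s", "l"):                     # "/bin=./usr/bin s none PKG"
        return ContentsEntry(path.split("=", 1)[0], ftype, cls,
                             None, None, None, tuple(fields[3:]))
    if ftype in ("d", "x"):
        pkg_start = 6
    elif ftype in ("f", "e", "v"):
        pkg_start = 9                           # size, cksum, modtime first
    else:
        raise ValueError(f"unsupported ftype {ftype!r}: {line.strip()}")
    return ContentsEntry(path, ftype, cls, int(fields[3], 8),
                         fields[4], fields[5], tuple(fields[pkg_start:]))


def _owner_name(uid: int) -> str:
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:                            # no passwd entry: use the number
        return str(uid)


def _group_name(gid: int) -> str:
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def check_entry(entry: ContentsEntry, root: str = "/") -> List[str]:
    """Return drift findings for one entry (empty list means it matches)."""
    full = os.path.join(root, entry.path.lstrip("/"))
    try:
        st = os.lstat(full)
    except FileNotFoundError:
        return [f"{entry.path}: missing"]
    if entry.mode is None:                      # link entries: existence only
        return []
    findings = []
    actual = stat.S_IMODE(st.st_mode)
    if actual != entry.mode:
        findings.append(f"{entry.path}: mode {actual:04o}, expected {entry.mode:04o}")
    if _owner_name(st.st_uid) != entry.owner:
        findings.append(f"{entry.path}: owner {_owner_name(st.st_uid)}, expected {entry.owner}")
    if _group_name(st.st_gid) != entry.group:
        findings.append(f"{entry.path}: group {_group_name(st.st_gid)}, expected {entry.group}")
    return findings


def rebaseline_mode(line: str, new_mode: int) -> str:
    """Return the contents line with its mode field replaced by new_mode.

    After hardening a file, record the hardened mode here so that a later
    pkgchk -f enforces your setting instead of the vendor default.
    """
    fields = line.split()
    if len(fields) < 4 or fields[1] in ("s", "l"):
        raise ValueError("line carries no mode field")
    fields[3] = f"{new_mode:04o}"
    return " ".join(fields)


def demo() -> Tuple[List[str], List[str]]:
    """Harden one file in a throwaway tree; check it before and after
    re-baselining.  Returns (findings_before, findings_after)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc"))
    target = os.path.join(root, "etc", "example.conf")
    with open(target, "w") as fh:
        fh.write("# constructed sample file\n")
    os.chmod(target, 0o600)                     # hardened from the 0644 default
    # Constructed contents line; owner/group are whoever runs the demo.
    line = (f"/etc/example.conf e none 0644 {_owner_name(os.getuid())} "
            f"{_group_name(os.getgid())} 25 1234 1024000000 SUNWcsr")
    before = check_entry(parse_contents_line(line), root)
    after = check_entry(parse_contents_line(rebaseline_mode(line, 0o600)), root)
    return before, after


if __name__ == "__main__":
    for label, findings in zip(("before", "after"), demo()):
        print(label, findings or "clean")
```

On a real system you would run the check over every line of the live contents file with root="/" and diff the findings against the report from your last lockdown; the re-baselined lines are what you write back so that package tooling and your own Tripwire/AIDE baseline agree on what "expected" means.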


