[rescue] Security lockdown (was: SMP on intel wasteful?)

Ken Caruso ken at ipl31.net
Tue Jun 25 00:56:32 CDT 2002 

Just lurking on the thread and came across this which was posted
yesterday, figured it kind of fitted.

http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=102495293705094


Ken Caruso

"when in doubt tell the truth" -Mark Twain

On Tue, 25 Jun 2002, Loomis, Rip wrote:

> > ok, while i do somewhat agree with you, having done solaris
> > as long as i have, it takes me 5 minutes to quickly lock it
> > down.  but to really secure a solaris box may only take
> > another 10-20 minutes.  when you are intamately familiar with
> > an OS, it is not very time consuming.
> For clarity:  I'm talking about locking the system down to
> include review of *every* file on the system...and to also
> include redefining the "expected" permissions on things (in
> /var/sadm/install/contents) so that subsequent "Sun Recommended"
> patch installs don't revert my changes...oh, and installing
> either Tripwire or Aide so that I have configuration control
> (and a poor man's host-based IDS).  If you can do that to
> anything more than a brand-new install in < 1 hour/system then
> you're either damn fast or you have a set of canned scripts.
> I have a set of canned scripts and I still can't work that
> fast reliably (unless the particular installation is 100%
> vanilla and requires no thought or customization--and that
> never seems to be the case).
>
> > i'm not against OpenBSD, but i *AM* against the false sense
> > of security it leaves people with since it is "secure out of
> > the box" which in my not so humble opinion is BS.
> Agreed...in part.  I like OpenBSD because the integrated
> cryptography and basic approach make me more confident when
> I try to use it to solve a subset of problems.  I don't preach
> to Theo, and I don't get myself in knots if he preaches to
> others (or me).  The OpenBSD developers I've met personally
> are quite friendly and knowledgeable.  Mostly, though, I use
> OpenBSD same as I use Solaris, HP-UX, IRIX, Linux, and Windows--
> as another tool, to be used appropriately based on requirements
> and available resources.
>
> Anyone who thinks that because they use OpenBSD as the under-
> pinnings, they'll never need to maintain/update the OS...I
> would hope that such folks learn the error of their ways without
> compromising systems I care about.  *Every* system requires
> initial thought and continual maintenance, if it will be
> exposed to a measurable threat (internal or external).
>
> > also keep in mind that a majority of what i do involves
> > large sun boxes that are never directly connected to the
> > internet, so there is not as much of a need to really lock
> > them down tight, since more often than not it's not only
> > a waste of time, but reduces the machines usefulness.
>
> I'm more typically supporting medium-to-large Sun (or HP, or
> other) boxes that are never _directly_ connected to the Internet
> but *are* considered to be "threatened".  Defense in depth
> is your friend, and if you find a lock-down procedure that
> impacts the system performance or makes it less reliable then I
> agree you might not do it...but document the *crap* out of
> why you didn't.
>
> > in most cases the applications that run on these boxes are
> > the security weakspots anyway, so no amount of system
> > lockdown will make the machine secure if you have to leave
> > this giant gaping hole open.  god i hate the stupid business
> > decisions people make sometime, but excuse me, i digress.
>
> It's true everywhere.  In a previous lifetime, I described
> my job to a co-worker as the electronic equivalent of
> "installing vault doors on grass huts."
>
> >> The two choices that Sun and SGI (among others) made a while
> >> back that continue to hurt them in this area were 1.  Have an
> >> install that by default is *very* open and 2.  Don't change
> >> the default install, since everyone "expects" it to be open
> >> at this point.  Off-the-record discussions with Sun and SGI
> >> folks indicate that even within the companies there's a large
> >> contingent which wants a more secure default install.
>
> > so it takes an extra 20-60 minutes to setup a box.  a box
> > that i'm setting up to run for YEARS on end without stopping.
> > that's an hour i'm willing to spend.
> Like I said, I don't know that it would only take an hour if
> you're as thorough as I am.  Then again, I may just be slow.
> In any case, you're entirely correct that the time spent up-front
> is both necessary and negligible in the big scheme of things.
>
> > again, i'm not against OpenBSD, but it's not the end-all to
> > security, you know?
> If what I want is a reliable and standards-compliant (where
> applicable) bridging firewall (packet filter, not ALG) that
> can also act as a 6-to-4 router and an IPSec endpoint, then
> OpenBSD is my current choice.  2 of those three items are
> strongly security-relevant.
>
> There do seem to be a lot of OpenBSD fanboys popping up lately,
> though...it's as though Linux is too mainstream and so some
> of the folks who don't actually *do* anything are now trying
> to jump on the OpenBSD bandwagon.  I'll let someone else throw
> them off and pee on them, though--I just want a good tool for
> the things I need to do.
>
>   --Rip
> _______________________________________________
> rescue list - http://www.sunhelp.org/mailman/listinfo/rescue

More information about the rescue mailing list