[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Security

On Sat, 4 Dec 1999, JF Martinez wrote:

> means Indy must be reasonably secure out of the box.

I couldn't agree more.
> For next release I am comitted to include lokkit who requirres far
> less knowledge than gfcc (it asks you some questions about usage and
> blocs every dangerous service and every unneeded one) however we still
> have the problem of the user knowing in the first place about lokkit.
> Three solutions: integrate it on install, make it a post install
> question (ie after install the user reboots and before getting to
> first login prompt he is dropped into post install (Suse uses this
> tyechnique) or tell it in the documentation and hope for the best.
> :-)

I like the option of setting it up during install. That way users cannot
boot the box into "slut mode" (i.e. wide open). If we give the user the
option not to set up the firewall, we should have the install set the
firewall to DENY everything. We'd obviously have to inform the user of
this having been done, let them know how to run a tool they'd be able to
use to change it. I'm a big fan of easy to understand commands, like
'firewall' would run a firewall setup program, 'help' would give the user
information on finding the HOWTOs, their local lug (to ask for help) and
the 'man -k' command, and 'security' could provide them with a security
setup program. Could this security program be a custom one that checks the
perms on the main directories, on key exe's, the number of SUIDs, etc...?

> We would also need volunteering for taking caharge about the finding
> and testing of security related tools and studying Indy for
> integrating into it.

I'd be more than willing (time permitting) to help/coordinate security
'auditing'(?), I know a fair bit about security (not as much as some, but 
I'm learning all the time :), but I'm not sure how to intergrate things
into the installer/make rpms/etc... Also all the boxes I have a production
machines, so I'm unable to install indy to play with (I'm trying to find
an old [3,4]86 that I'd be able to play with). Apart from that, I've been
speaking to a security consultant friend I have, Brian Martin (aka
Jericho), from Attrition.org, and he is sending me the slides/notes to a
class he teaches on Securing Linux in a day (or some title like that). In
addition to that he has pointed out somethings he feels need to be changed
in current Linux distributions, from our discussions (which are still
ongoing), I have compiled a list of actions points, which should (IMHO) be
taken. I'll make that my next post, and also put in on the /security/ page
on the web site.
--		   ,------------------------------,
,==================| S H U N  A N T I O N L I N E |=================,
| David M. Webster '------------------------------' (aka cogNiTioN) |
|===| I use Linux everyday to up my productivity - so up yours! |===|
|=================|-| PGP KeyID: 0x 45 FA C2 83 |-|=================|
| <cognition@bigfoot.com> |-|===========|-| http://www.cognite.net/ |
`===========| I walk to the beat of a different drummer |==========='