On 14.03.02 10:11 +0100(+0000), kn@××××××××××.dk wrote:
> Considerations before installation
> BIOS password
If the machine is a server set the bios password only to guard
against modifying the settings, i.e. it should not be asked on
startup because of remote reboots. Also make sure the machine
will not boot from floppy/cd/network.

> Password policy
Gentoo could have a stricter pam config on this
because currently very weak passwords get through.

> Tightening the security after/during installation
> /etc/make.conf
To this I would like to add signed ebuilds.

> Grub/Lilo password
Against modifications yes, but not hindering the boot.

> More Logging
Add log rotation to this.

> -noexec
Noexec is no real solution on linux.

> PAM
Should be IMHO tighter by default.

> Kernel security
> /proc
Some form of restricting proc, i.e. all
users but those belonging to one group
cannot see *anything* they don't need.

> Kernel patches
> Grsecurity
Currently fails against the gentoo kernel
(see some posts this week about it on the
gentoo-dev list).

> Using xinetd
Or using no inetd at all. Many servers/home machines
which run only http, ssh and mail do not imho need
inetd at all.

> X
Make sure the default installation does not listen to tcp.

> Lpd
For home users pdq is easier.

> FTP
oftpd

> Mail
On desktop machines the mail daemon should not accept connections
from outside.

> Chroot
I have a jail ebuild if someone is interested.

- Einar Karttunen
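A quick way to check two of the points raised in the message above (X not listening on tcp, and the mail daemon not accepting connections from outside), as an added example that is not part of the original thread. It assumes `netstat -ltn`-style input lines (proto, recv-q, send-q, local address, foreign address, state); the sample data is constructed.

```shell
#!/bin/sh
# Added example, not from the original message: flag listening TCP sockets
# for X11 (6000-6063) and SMTP (25) that are bound to a non-loopback address.
# Input format (assumed): netstat -ltn rows, i.e.
#   proto recv-q send-q local-address foreign-address state

audit_listeners() {
    awk '
        # only LISTEN-state tcp/tcp6 rows matter; the header and udp are skipped
        ($1 == "tcp" || $1 == "tcp6") && $NF == "LISTEN" {
            n = split($4, p, ":")            # text after the last ":" is the port
            port = p[n]
            host = substr($4, 1, length($4) - length(port) - 1)
            pnum = port + 0
            # a loopback-only bind is fine for both services
            if (host ~ /^127\./ || host == "::1") next
            if (pnum == 25)
                print "SMTP (25) bound to " host ": mail daemon accepts outside connections"
            else if (pnum >= 6000 && pnum <= 6063)
                print "X11 (" port ") bound to " host ": X server listens on tcp"
        }'
}

# Constructed sample: X on all v4 interfaces, an MTA on all interfaces, an MTA
# on loopback only, an unrelated ssh listener, X display :1 on all v6 interfaces.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::6001                 :::*                    LISTEN'

# Number of findings for the constructed sample (the checkable result).
sample_findings() {
    printf '%s\n' "$SAMPLE" | audit_listeners | grep -c .
}

# On a live box the same function is fed from the real tool: netstat -ltn | audit_listeners
printf '%s\n' "$SAMPLE" | audit_listeners
```

The constructed sample yields three findings: the two all-interface X displays and the MTA on 0.0.0.0:25; the loopback-only MTA and sshd are not reported.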