| 1 |
On 14.03.02 10:11 +0100(+0000), kn@××××××××××.dk wrote: |
| 2 |
> Considerations before installation |
| 3 |
> BIOS password |
| 4 |
If the machine is a server set the bios password only to guard |
| 5 |
against modifying the settings i.e. it should not be asked on |
| 6 |
startup because of remote reboots. Also make sure the machine |
| 7 |
will not boot from floppy/cd/network. |
| 8 |
|
| 9 |
> Password policy |
| 10 |
Gentoo could have a stricter pam config on this |
| 11 |
because currently very weak passwords get through. |
| 12 |
|
| 13 |
> Tightening the security after/during installation |
| 14 |
> /etc/make.conf |
| 15 |
To this I would like to add signed ebuilds. |
| 16 |
|
| 17 |
> Grub/Lilo password |
| 18 |
Against modifications yes, but not hindering the boot. |
| 19 |
|
| 20 |
> More Logging |
| 21 |
Add log rotation to this |
| 22 |
|
| 23 |
> -noexec |
| 24 |
Noexec is no real solution on linux. |
| 25 |
|
| 26 |
> PAM |
| 27 |
Should be IMHO tighter by default. |
| 28 |
|
| 29 |
> Kernel security |
| 30 |
> /proc |
| 31 |
Some form restricting proc i.e. all |
| 32 |
users but those belonging to one group |
| 33 |
cannot see *anything* they don't need. |
| 34 |
|
| 35 |
> Kernel patches |
| 36 |
> Grsecurity |
| 37 |
Currently fails against the gentoo kernel |
| 38 |
(see some posts this week about it on the |
| 39 |
gentoo-dev list) |
| 40 |
|
| 41 |
> Using xinetd |
| 42 |
Or using no inetd at all. Many servers/home machines |
| 43 |
which run only http, ssh and mail do not imho need |
| 44 |
inetd at all. |
| 45 |
|
| 46 |
> X |
| 47 |
Make sure the default installation does not listen to tcp. |
| 48 |
|
| 49 |
> Lpd |
| 50 |
For home users pdq is more easy. |
| 51 |
|
| 52 |
> FTP |
| 53 |
oftpd |
| 54 |
|
| 55 |
> Mail |
| 56 |
On desktop machines the mail daemon should not accept connections |
| 57 |
from outside. |
| 58 |
|
| 59 |
> Chroot |
| 60 |
I have an jail ebuild if someone is interested. |
| 61 |
|
| 62 |
- Einar Karttunen |
Archives