Date:      Thu, 12 Jul 2001 18:31:24 -0400
From:      Bill Vermillion <bill@wjv.com>
To:        Bart Silverstrim <bsilver@sosbbs.com>
Cc:        freebsd-isp@FreeBSD.ORG
Subject:   Re: gcc on production server
Message-ID:  <20010712183124.A44876@wjv.com>
In-Reply-To: <007c01c10b14$5462d820$0100a8c0@sosbbs.com>; from bsilver@sosbbs.com on Thu, Jul 12, 2001 at 04:50:45PM -0400
References:  <20010711170336.B84178@krijt.livens.net> <20010711123133.A21587@pitr.tuxinternet.com> <20010712123523.G53408@jake.akitanet.co.uk> <007c01c10b14$5462d820$0100a8c0@sosbbs.com>

On Thu, Jul 12, 2001 at 04:50:45PM -0400, Bart Silverstrim thus sprach:

> On Jul 11, Hug Me <hugme@hugme.org> wrote:

> >> if you are REALLY worried about security, get a drive that has
> >> a jumper you can change to read only, put your operating system
> >> on it, move the jumper

> >Ummmm... that's not clever. That's stupid. So, you're an ISP.
> >If you're running this system, exactly how do you deliver mail,
> >allow users to change webpages, etc? Oh yeah, and just out of
> >curiosity, what happens to /var and /tmp ? As one colleague just
> >replied when I read that paragraph to him "that's not an OS -
> >it's a coaster". I hope it keeps your coffee warm.

> Why not use two drives, one read only with the OS on it, one
> with multiple partitions to mount to /var and /tmp, <swap>,
> /home...stuff like that...or some variation of that theme?

> I toyed with the idea of trying to make bootable CD's for the key
> system files and such before, should work in a similar manner to
> what is basically described above (although performance from the
> read operations would be terrible) if I actually had the time and
> extra hardware to dedicate to making a system laid out to create an
> "image" and make a slave drive on another system with a CD-R drive
> :-) Gotta admit, that would make it terribly difficult to crack
> into and lay trojaned system binaries...

Using the highest security level and performing a noschg on
all the important system directories can make the OS look almost
like a ROM. Leave the file systems which need to be written as
set normally.

Eric Brueggmann posted this last August to this same list.


===============================================================================


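#!/bin/sh

#  Run this after a make world, for better security.

# Clear the system-immutable flag first so the files can be modified
# (this only succeeds while the securelevel is below 1).
chflags noschg /bin/*
chflags noschg /usr/bin/*
chflags noschg /sbin/*
chflags noschg /usr/sbin/*
chflags noschg /bin ; chflags noschg /sbin
chflags noschg /usr/bin ; chflags noschg /usr/sbin

# Logs: no group write, no world read, except wtmp which stays readable.
# The && keeps chmod from running in the wrong directory if cd fails.
cd /var/log && { chmod g-w,o-r * ; chmod a+r wtmp ; }

# The rc.conf variables for the securelevel are named below.
echo 'Edit /etc/rc.conf and set kern_securelevel_enable="YES" and kern_securelevel="2"'

# Drop setgid from every file except paths containing the word "lockfile".
# Reading line by line keeps paths with spaces intact.
find / -type f -perm -2000 | egrep -wv "lockfile" | while IFS= read -r i ; do chmod g-s "$i" ; done

# Drop setuid from every file except paths containing one of the listed words.
find / -type f -perm -4000 | egrep -wv "man|login|passwd|su|ssh|sendmail|procmail|sudo|mail.local" | while IFS= read -r i ; do chmod u-s "$i" ; done

# Remove world write from directories, leaving the tmp directories alone.
find / -type d -perm -002 | egrep -v "tmp" | while IFS= read -r i ; do chmod o-w "$i" ; done

chmod 700 /root
# cd to /home and chmod 700 every directory except "apache|newuser|ftp|?????"

# Set the system-immutable flag on the binaries and on their directories.
chflags schg /bin/*
chflags schg /usr/bin/*
chflags schg /sbin/*
chflags schg /usr/sbin/*
chflags schg /bin ; chflags schg /sbin
chflags schg /usr/bin ; chflags schg /usr/sbin

#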

===============================================================================



-- 
Bill Vermillion -   bv @ wjv . com
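
A check to run after a script like the one above (an added example, not part of the original post or of the posted script): it reads FreeBSD `ls -lo` output, lists entries that lack the schg flag, and reports whether the securelevel is high enough for the flag to hold. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the result of the schg pass. Function names are
# hypothetical; the sample listing below is constructed.

# missing_schg: read `ls -lo` long-format lines on stdin and print the path of
# every entry whose flags column (field 5 on FreeBSD) does not list schg.
missing_schg() {
    awk 'NF >= 10 && $1 !~ /^l/ {          # skip short lines and symlinks
        n = split($5, flags, ","); found = 0
        for (k = 1; k <= n; k++) if (flags[k] == "schg") found = 1
        name = $10; for (k = 11; k <= NF; k++) name = name " " $k
        if (!found) print name
    }'
}

# securelevel_holds: root can clear schg while kern.securelevel is below 1,
# so the flag only protects anything at level 1 or higher.
securelevel_holds() {
    [ "$1" -ge 1 ] 2>/dev/null
}

# audit: FreeBSD only. Lists unprotected entries, then reports the securelevel.
audit() {
    level=$(sysctl -n kern.securelevel) || return 2
    ls -lod /bin /sbin /usr/bin /usr/sbin \
        /bin/* /sbin/* /usr/bin/* /usr/sbin/* |
        missing_schg | sed 's/^/no schg: /'
    if securelevel_holds "$level"; then
        echo "kern.securelevel=$level: schg cannot be cleared on the running system"
    else
        echo "kern.securelevel=$level: root can still run chflags noschg"
    fi
}

# Constructed sample of `ls -lod` output, used when not running on FreeBSD.
sample_listing() {
cat <<'EOF'
-r-xr-xr-x  1 root  wheel  schg 31288 Jul 12 18:31 /bin/ls
-r-xr-xr-x  1 root  wheel  - 10240 Jul 12 18:31 /bin/newtool
-r-sr-xr-x  1 root  wheel  schg,nodump 20480 Jul 12 18:31 /usr/bin/passwd
drwxr-xr-x  2 root  wheel  - 1024 Jul 12 18:31 /usr/sbin
EOF
}

if [ "$(uname -s)" = "FreeBSD" ]; then audit; else sample_listing | missing_schg; fi
```

Anything installed after the schg pass, such as the constructed `/bin/newtool` entry, shows up in the list until the pass is rerun.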