Not quite. Just secure the desktops the right way
Posted Mar 15, 2004 22:49 UTC (Mon) by NZheretic (guest, #409)
Parent article: Mainstream means more malicious code for Linux (SearchSecurity.com)

> On Windows, most of the viruses are e-mail borne. On the Linux side, today and in the future, viruses are network-aware, and [they] take advantage of vulnerabilities in networks or systems to infect machines. The Slapper worm, for example, attacked vulnerabilities in OpenSSL and Apache.
I have deployed Linux on the desktop (RH8+Ximian to RH9+StarOffice) in an enterprise and they do not suffer from such problems for long.

1) The only network service the desktop systems expose is OpenSSH, and iptables limits access to only three addresses. (We use a custom script with ssh to keep the systems' RPMs up to date from a private mirror.)

2) The iptables rules are configured to allow the desktop client services to connect only to the specified server.

3) The /usr partitions are mounted read only and the /tmp, /home, /var directories are mounted non executable.

4) None of the users have, or need, root access. They have access to printer settings etc. via Webmin's Usermin, which runs on a dedicated server.

5) Mounting the user's home directory, required shares etc. (we use Samba for domain, file and print services) is performed by script when the user logs in.

6) We update all the desktops within minutes of an updated RPM package becoming available. The window of opportunity for any disclosed vulnerability is very small.

7) We schedule Tripwire to check the integrity of the desktops a couple of times a day.
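A check for point 3 of the list above, written as an added example that is not part of NZheretic's post or of any tool he names: it reads a /proc/mounts-style listing and reports any of /usr, /tmp, /home and /var that is mounted without the option the policy calls for. The sample listing is constructed; the function and file names are my own.

```shell
#!/bin/sh
# Added example, not from NZheretic's post: audit a /proc/mounts-style listing
# for the policy in his list (/usr read-only; /tmp, /home and /var noexec).
# Function and file names are my own.

# check_mount_policy FILE
#   FILE uses the /proc/mounts layout: "device mountpoint fstype options ...".
#   Prints one line per mount that lacks the required option and returns the
#   number of such mounts (0 means the listing complies).
check_mount_policy() {
    _file="$1"
    _bad=0
    while read -r _dev _mp _fs _opts _rest; do
        case "$_mp" in
            /usr)            _want=ro ;;
            /tmp|/home|/var) _want=noexec ;;
            *)               continue ;;
        esac
        # Options are a comma-separated list; bracket with commas so that
        # "ro" cannot match inside another option such as "errors=remount-ro".
        case ",$_opts," in
            *",$_want,"*) ;;
            *) echo "$_mp is missing $_want (options: $_opts)"
               _bad=$((_bad + 1)) ;;
        esac
    done < "$_file"
    [ "$_bad" -le 255 ] || _bad=255   # exit statuses only go up to 255
    return "$_bad"
}

# Constructed sample listing: /usr and /tmp comply, /home and /var do not.
SAMPLE_MOUNTS=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTS"' EXIT
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/hda1 / ext3 rw 0 0
/dev/hda2 /usr ext3 ro 0 0
/dev/hda3 /tmp ext3 rw,noexec,nosuid,nodev 0 0
/dev/hda5 /home ext3 rw,nosuid 0 0
/dev/hda6 /var ext3 rw,nodev 0 0
EOF

# "--live" audits the running system; otherwise the constructed sample is used.
if [ "${1:-}" = "--live" ]; then
    check_mount_policy /proc/mounts || echo "$? mount(s) violate the policy"
else
    check_mount_policy "$SAMPLE_MOUNTS" || echo "$? mount(s) violate the policy"
fi
```

Run with no arguments it reports /home and /var from the sample; with --live it checks the machine it is on, which makes it a cheap cron job alongside the Tripwire run in point 7. It verifies only that the configured options are in effect, not what noexec does or does not stop.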
Posted Mar 15, 2004 23:57 UTC (Mon) by paulj (subscriber, #341)
[Link] (3 responses)

Not quite. Just secure the desktops the right way

> 3) The /usr partitions are mounted read only

Good idea. Makes upgrades harder though.

> and the /tmp, /home, /var directories are mounted non executable.

Hmm.. not worth much, might stop an automated worm, but otherwise noexec is worthless. If you can read data, you can execute it. (/lib/ld.so /tmp/bin).

> 5) Mounting the user's home directory, required shares etc. (we use Samba for domain, file and print services) is performed by script when the user logs in.

Ever heard of autofs? ;)

Posted Mar 16, 2004 0:28 UTC (Tue) by Ross (guest, #4065)
[Link]

Not quite. Just secure the desktops the right way

Not true if you are chrooted and there is no /lib :)

But seriously not every Linux admin is as careful as this. Linux worms are possible and with a wider user base (which will be less paranoid on average) they could become more common. But thankfully most distributions are making things more secure by default and I expect to see more stack smashing detection/protection/randomization, W^R, pre-configured firewalls, and use of security modules to remove even more permissions from started daemons.

I'd also like to see fewer suid and suid group binaries but that doesn't seem to be happening. Is there a real need for users to run dump or undump? And why is ssh suid? It works perfectly well without it. It's annoying that rpm silently reverts file permission changes.

Posted Mar 16, 2004 0:55 UTC (Tue) by AnswerGuy (guest, #1256)
[Link]

Updates on read-only /usr and /boot

It's easy to write an RPM wrapper that does:

    mount -o remount,rw /usr; mount -o remount,rw /boot
    /sbin/rpm.real "$@"
    aide --update
    mount -o remount,ro /usr; mount -o remount,ro /boot

... where "aide" can be supplemented with tripwire, samhain or other HIDS (host intrusion detection) updates and where you can insert any chattr -i and/or lidsadm commands or other commands that are needed to unlock and re-"seal" the system.

Under Debian it's even easier since you can create a 999-local file in /etc/apt/apt.conf.d which can contain DPkg::Pre-Invoke and DPkg::Post-Invoke command suites, to run automatically after every apt-get install, upgrade or dist-upgrade.

Granted any *other* updates can be hampered a little; but using the distribution's own package management utilities with a wrapper should alleviate most of the issue and the rest is simply training.

Provide a similar script "syslock.sh" that provides a switch to "unlock" the system for updates, and a default that re-locks the system; then add a cron job that relocks the system every night and an rc script that locks it on boot up (all calling the same sysunlock.sh script so you've consolidated all actions into a SPOT --- single point of truth; yes the rpm/dpkg wrapper script should also call syslock.sh for this same reason).

Similarly your own 'installkernel' script (called by the kernel build Makefile) should call the appropriate system locking/unlocking script.

JimD

Posted Mar 16, 2004 0:59 UTC (Tue) by NZheretic (guest, #409)
[Link]

> Good idea. Makes upgrades harder though.

Not really, the upgrade script just remounts the /usr partition write enabled during upgrades.

> and the /tmp, /home, /var directories are mounted non executable.
> Hmm.. not worth much, might stop an automated worm, but otherwise noexec is worthless. If you can read data, you can execute it. (/lib/ld.so /tmp/bin).

It's actually more effective at stopping the users from "accidentally" executing downloaded scripts/binaries. To expect more than that would require a solution like SElinux's LSMs.

> Ever heard of autofs? ;)

The whole point is to mount only the network filesystems required by each user on a per user/group basis.
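The lock/unlock script that JimD (AnswerGuy) sketches in his "Updates on read-only /usr and /boot" comment, written out as an added example; this is not JimD's script, NZheretic's upgrade script, or any distribution's tool. It assumes, as his snippet does, that the real rpm binary has been moved aside to /sbin/rpm.real and that AIDE is the integrity checker; the function names, the variable names and the install path mentioned in the comments are mine. One deliberate difference from his description: with no argument the script does nothing rather than defaulting to lock, so the functions can be sourced by other scripts; cron and the boot rc script call it with an explicit "lock".

```shell
#!/bin/sh
# Added example, not JimD's script: one "single point of truth" for sealing
# and unsealing a desktop whose /usr and /boot stay read-only between updates.
# Assumed layout (placeholders): this file is /usr/local/sbin/syslock.sh and
# the real rpm binary has been moved to /sbin/rpm.real.

SEALED_FS="/usr /boot"          # filesystems kept read-only between updates
RPM_REAL="/sbin/rpm.real"        # placeholder: where the real rpm was moved

# Remount every sealed filesystem with the given option (rw or ro).
remount_all() {
    _opt="$1"
    for _fs in $SEALED_FS; do
        mount -o "remount,$_opt" "$_fs" || return 1
    done
}

# Unseal: make the sealed filesystems writable for the duration of an update.
sys_unlock() {
    remount_all rw
}

# Re-seal: refresh the integrity baseline first, so the files just installed
# are recorded as the known-good state, then drop back to read-only.
sys_lock() {
    aide --update || return 1
    remount_all ro
}

# rpm wrapper: unlock, run the real rpm, and always re-lock, even when rpm
# fails; rpm's own exit status is passed back to the caller.
rpm_wrapped() {
    sys_unlock || return 1
    "$RPM_REAL" "$@"
    _rc=$?
    sys_lock || return 1
    return $_rc
}

# Dispatcher, so cron ("syslock.sh lock"), the boot rc script, installkernel
# and the rpm wrapper all go through the same two functions.
case "${1:-}" in
    unlock) sys_unlock ;;
    lock)   sys_lock ;;
    rpm)    shift; rpm_wrapped "$@" ;;
    "")     ;;   # sourced or run bare: define the functions only
    *)      echo "usage: $0 {lock|unlock|rpm rpm-args...}" >&2; exit 2 ;;
esac
```

Installing a symlink or a two-line /bin/rpm stub that execs "syslock.sh rpm "$@"" gives the behaviour of JimD's wrapper, and any chattr -i or lidsadm steps belong inside sys_unlock and sys_lock so that every caller gets them. Because the re-lock in rpm_wrapped runs even when rpm fails, a failed update never leaves /usr writable.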