
Re: Security Plan



> 
> This is a plan I've worked up to improve Indy's security. Comments are
> more than welcome.
> 
> - - Remove ALL services, unless otherwise authorised by user during install.
> 
> - - Remove as many SUIDs as possible. (Is removing ALL possible?)
> 

No, it isn't.

> - - The three 'r' utilities are big problems, don't install by default,
> inform user of problems with them before letting the user install them.
> 
> - - Stop remote printing ability, unless asked for by user.
> 
> - - For the admin utilities (fdisk, etc.) move away from 755, to 510.
> 
> ? - Collect similar commands into 'groups', assign group name to that
> collection of commands, and if a user needs to have that functionality,
> add them to that group (provide easy way for root-user to add other users
> to groups). (i.e. have groups: local (for users accessing from terminal) 
> remote (if install is server, for remote users), printing, admin, etc...) 
> [Unsure about this one. Anyone any thoughts?]
> 
> - - firewall set to DENY, unless service is explicitly asked for
> 
> - - GUI Tool for setting up logs. [Any log monitoring software out there?]
> 
> - - Get firewall to log requests/detect portscans, and warn user.
> 
> - - Suggest against use of telnet, include ssh.
> 
> - - Promote use of GPG/encryption software, include integration for all
> mail readers, if possible.
> 
> - - make the default umask 027
> 
> - - Introduce single user groups. (i.e. when a user gets added to a system,
> a group with that name (or similar if existing) is made, and the new user
> is added to the groups that they need to be in.)
> 

The goal is not making Indy an electronic version of Fort Knox: this
brings up many inconveniences for the user.

In addition: the whole setuid concept is a major problem for security
=> Unix will never be as secure as a mainframe with a mildly vigilant
sysadmin.

Now there are three problems in security: internal and external.
Because people need to share data easily for work, Unix by default does
not try to put strong barriers against people in the same organization
(it is implicitly assumed employees are loyal and none is a spy
working for a competitor; notice that if one of your employees is
disloyal he will have many opportunities to gather information from
non-electronic sources).

However, people needing really strong protection (like the military) have
experienced sysadmins at hand.  Our problem is the user who has nothing
to hide from other users in his household (except from his wife :-) but
doesn't want to find half his disk has been wiped out by a ne'er-do-well
who exploited a security hole in a daemon he shouldn't have been
running in the first place.

That is why, instead of going for very strong protection, we should go
for easy or automatic protection, especially protection from the
outside.  As an example, Lokkit detected that I had a dial-up box and
then blocked all ports; it asked me about a few ones like http and that
was all.

-- 
			Jean Francois Martinez

Project Independence: Linux for the Masses
http://www.independence.seul.org
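An added example, not part of this thread or of the Indy project: a small POSIX shell script that checks three items from the quoted plan. It inventories setuid/setgid files (the "remove as many SUIDs as possible" item), reports whether an admin tool is still world-executable (the 755 versus 510 point), and shows what a default umask of 027 does to newly created files and directories. The function names `list_suid`, `mode_of`, `world_exec` and `umask_demo` are chosen here, not taken from any distribution tool.

```shell
#!/bin/sh
# Added example: audit helpers for a few items in the quoted security plan.

# List setuid and setgid regular files under a directory tree; this is the
# candidate list to review when deciding which SUID bits can be dropped.
# Output is "mode owner path", one file per line.
list_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; 2>/dev/null |
        awk '{ print $1, $3, $NF }'
}

# Symbolic mode of a path (e.g. -rw-r-----), portably via ls; cut drops any
# trailing ACL/xattr marker some systems print in column 11.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Return 0 if "others" may execute the path (the 755 case in the plan),
# 1 otherwise (e.g. after moving an admin utility to 510).
world_exec() {
    case "$(mode_of "$1")" in
        *x|*t) return 0 ;;
        *)     return 1 ;;
    esac
}

# Create one file and one directory in a scratch directory under the given
# umask and print their resulting modes, so the effect of "default umask 027"
# (files 640, directories 750) is visible next to the usual 022.
umask_demo() {
    um="$1"
    scratch=$(mktemp -d) || return 1
    (
        umask "$um"
        : > "$scratch/file"
        mkdir "$scratch/dir"
    )
    printf '%s %s\n' "$(mode_of "$scratch/file")" "$(mode_of "$scratch/dir")"
    rm -rf "$scratch"
}
```

Run `list_suid /usr` on a fresh install to see how many setuid programs the default ships with; `umask_demo 027` prints `-rw-r----- drwxr-x---`.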