LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 09-24-2007, 08:09 PM   #1
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 430

Rep: Reputation: 67
Linux Security!!! What am I missing?


I am working on a project and I would like to know what more I could add for security.

Here's the list.

SELinux w/ strict MLS policies

GrSecurity protection features and ASLR with no grsecurity ACLs.

Entire system compiled with SSP, PIC, PIE, FORTIFY_SOURCE.

Please don't post about home-grown scripts; I am looking for serious multi-level security.

I have almost all the script hardening one could ever imagine.

I have researched for months upon months and I am seeing if there is anything that I have missed.

BTW, please don't say RSBAC. It's no good for this instance.

Last edited by slimm609; 09-24-2007 at 08:10 PM.
 
Old 09-24-2007, 09:54 PM   #2
IBall
Senior Member
 
Registered: Nov 2003
Location: Perth, Western Australia
Distribution: Ubuntu, Debian, Various using VMWare
Posts: 2,088

Rep: Reputation: 62
Can you give us more information about what you are trying to achieve?

One thing to remember - don't have any programs installed and/or running that are not required. E.g. not running a mail server? Get rid of sendmail and friends. Also, make sure you are running a firewall, and as with all security policies, everything that is not explicitly allowed should be denied.

--Ian
 
Old 09-25-2007, 03:51 AM   #3
almatic
Member
 
Registered: Mar 2007
Distribution: Debian
Posts: 547

Rep: Reputation: 67
You should particularly give more info about the project. What exactly do you want to protect against?
Before you secure something you should think of possible threats, e.g. scenarios which could compromise your system/network/whatever.
After you make a general list of possible threat scenarios, you give a weight to the scenarios, e.g. which of these scenarios are more likely to hit you, or are more deadly if they hit you.
After doing this you can think of countermeasures for every scenario, based on the results of your risk analysis.
In case you have to present the results of your project you should also take the outlay/complexity into your considerations. Especially complexity is a risk of itself, since it increases the probability of implementation flaws on all layers.

You cannot just install everything you find and then say 'now I'm secure'. Also the list you have posted appears a bit thin to me for several months of research ...
 
Old 09-25-2007, 06:29 AM   #4
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 430

Original Poster
Rep: Reputation: 67
The project is a trusted distro for an MLS file server. I have removed all programs that are not required. The type of threat is everything you could ever imagine. The key here is different security levels on one system, i.e. TS, Secret, and unclass all on one machine at the same time. Like I said above, I am looking for system-level protection. The idea is no firewall, because of how it would be connected to 3 different networks, and dealing with iptables and MLS is just not feasible. As long as it is complete by August next year it will be going to DEFCON for "hack this box". The list may look short if you have never messed with some of this stuff. (Not being rude) but SELinux with MLS is the most complex Linux project I have ever come across; for that matter it might be one of the most complex Linux things to date. NSA and a few others have been working with MLS for about 5-6 years and there are no MLS Linux distros. If you feel that it is easy, please let me know and I will be more than glad to let you help with the project if you want. Not only SELinux, but grsecurity with SELinux has also never been done before. PIC, PIE, SSP, and FORTIFY_SOURCE all require a complete compile of every program with those options, except the kernel, grub, and glibc. I have more things going into play, like I said, but I am trying to see if there are any very serious protection features that I could incorporate.
 
Old 09-25-2007, 07:28 AM   #5
almatic
Member
 
Registered: Mar 2007
Distribution: Debian
Posts: 547

Rep: Reputation: 67
Quote:
Originally Posted by slimm609 View Post
it will be going to defcon for "hack this box".
I was naming your list 'short' because we were obviously talking of different things. When you said 'project' I was assuming that you are securing a network (or whatever) for a company and present it at university (I did something similar with wireless networks). For such a project the whole 'hacking' stuff would only be a small part of the concept, that's why I found your list small. You didn't reveal the purpose of your project in the first post.

I cannot say anything to the quoted purpose because I have no idea what it is. Is it a contest for the most secure system?
 
Old 09-25-2007, 08:56 AM   #6
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 430

Original Poster
Rep: Reputation: 67
Yes, hack this box is a contest that runs the length of DEFCON (like 4 days or so) and the point is to try and break into these boxes. It is actually a distro that I am working on. Now here is the catch. I cannot use a firewall and no chroot jails. The system will be using MAC, type enforcement and MLS. I have already compiled the entire system once but have to do it again because I left out 1 build flag. After DEFCON and some tuning this will be presented to DOD for EAL 7 certification. So I am looking for any missing flags or kernel patches that I may have overlooked. Also the entire source code has been scanned in RATS and Flawfinder.
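Post #1 says every program was rebuilt with SSP, PIC, PIE and FORTIFY_SOURCE, and post #6 asks about flags that may have been missed. The script below is an added example, not code from the thread or the OP's distro: it verifies those properties on a finished ELF64 binary by reading the headers directly (no readelf or checksec needed), treating stack-protector and FORTIFY as symbol-name heuristics, and it fabricates a header-only sample image as constructed test input.

```python
# Added example (not from the thread): check an ELF64 image for the hardening
# the OP lists, parsing the headers directly so no readelf/checksec is needed.
import struct

ET_EXEC, ET_DYN = 2, 3                                   # e_type
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552      # p_type
PF_X, PF_W, PF_R = 1, 2, 4                               # p_flags
# Symbols that only appear when -fstack-protector / -D_FORTIFY_SOURCE took
# effect; matched as raw bytes, a checksec-style heuristic, not proof.
CANARY_MARK = b"__stack_chk_fail"
FORTIFY_MARKS = (b"__memcpy_chk", b"__strcpy_chk", b"__printf_chk")

def check_hardening(data: bytes) -> dict:
    """Boolean findings for one little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    nx = relro = False                 # no PT_GNU_STACK means an executable stack
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {"pie": e_type == ET_DYN,   # PIE executables (and .so files) are ET_DYN
            "nx": nx, "relro": relro,
            "canary": CANARY_MARK in data,
            "fortify": any(m in data for m in FORTIFY_MARKS)}

def missing_protections(findings: dict) -> list:
    """Names of the protections check_hardening() did not find."""
    return sorted(k for k, v in findings.items() if not v)

def build_sample_elf(pie=True, exec_stack=False, relro=True,
                     canary=True, fortify=True) -> bytes:
    """Constructed test input: a header-only ELF64 image, not a real binary."""
    phdrs = [struct.pack("<IIQQQQQQ", PT_GNU_STACK,
                         PF_R | PF_W | (PF_X if exec_stack else 0), 0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_GNU_RELRO, PF_R, 0, 0, 0, 0, 0, 1))
    ehdr = struct.pack("<4sBBBBB7xHHIQQQIHHHHHH", b"\x7fELF", 2, 1, 1, 0, 0,
                       ET_DYN if pie else ET_EXEC, 0x3E, 1, 0, 64, 0, 0,
                       64, 56, len(phdrs), 64, 0, 0)
    tail = (CANARY_MARK + b"\0" if canary else b"") + \
           (FORTIFY_MARKS[0] + b"\0" if fortify else b"")
    return ehdr + b"".join(phdrs) + tail
```

Run `check_hardening(open(path, "rb").read())` over every binary in the tree and collect `missing_protections()` to find the one that was built without the intended flag.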
 
Old 09-26-2007, 05:23 AM   #7
almatic
Member
 
Registered: Mar 2007
Distribution: Debian
Posts: 547

Rep: Reputation: 67
What about encryption? Let's say a top-secret user fetches a file from the server. An attacker could sniff on the connection and/or attack the client machine, which would probably be easier than attacking the hardened server.

BTW, will you publish the result of your project?
 
Old 09-26-2007, 06:15 AM   #8
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 430

Original Poster
Rep: Reputation: 67
Quote:
Originally Posted by almatic View Post
What about encryption? Let's say a top-secret user fetches a file from the server. An attacker could sniff on the connection and/or attack the client machine, which would probably be easier than attacking the hardened server.

BTW, will you publish the result of your project?
Yes, I will publish it. For the connection sniffing, the server would have a network card on each network and very strict policies.
 