From: James <wireless@tampabay.rr.com>
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] Re: Gentoo as a production server - insecure?
Date: Mon, 16 Feb 2009 15:51:11 +0000 (UTC)
Message-ID: <loom.20090216T144624-896@post.gmane.org>
In-Reply-To: CB457718-33A0-4A93-9961-0ED60D4F8A55@imento.dk
Johannes Frandsen <jsf <at> imento.dk> writes:
> Somebody pointed out that having a production server with a gcc
> installed was a big no no security wise, so I did a bit of googling on
> that topic and found a couple of articles supporting that view.
From 10,000 feet above, for those less versed in running a daily
"tight" network, it totally misses the point.
If you want to run a really secure network, model and profile the
activity, set soft (say 5%) and hard alarms (10%) for certain types of
traffic flows that could contain interloper activity. Then add tools that
analyze the traffic where you perceive vulnerability. If your
organization does not have a "pathological hacker" on the payroll, then
consider retaining a consultant periodically to perform penetration
tests. Stay away from corporations, as most of their talent pool is
on the weak side of modern genetic aptitude. Lock up your "special
consultant" with an aggressive legal contract. Some really paranoid
groups get different "special consultants" to perform penetration
tests over time.
Layer your security through several firewalls. Partition the network via
managed switches. If you suspect an internal interloper, then put him
on an isolated segment with a stealth sniffer monitoring his activities
(my idea of a stealth sniffer is to set the eth-int to 0.0.0.0 on that
segment).
But why stop there. Most cell phone protocols/encryption have
been cracked. Spend some money and start sniffing the local cell phone
calls (monitoring for quality assurance). Note, may be illegal in your
area, unless you pay the local governments money and show them how to
do the same....
Amateur lie detection electronics are a lot of fun too! (at least
for the prick that gets to ask the questions). Then there are urine
tests. Anyone that has a good time with recreational drugs is
automatically an interloper (guilty by association, right?).
Build a network that requires tons of manual intervention, unlike
what anyone else does.... Lots of other "out of the box"
security ideas abound ==> caveat emptor!
If the rub is really the gcc compiler, then do not have it installed;
activate a remote partition with any such tools as gcc, coreutils
and use them for admin things. Then unmount these (NFS or such)
necessary system tools when you're not actively using them.
Or put them on a usb stick (with ivman or your favorite mechanism).
Prolly (I like this term so much, I "borrowed" it from another
gentooer...) what you will discover is other admins do not like
your "Gentoo" tendencies, because it's not their idea....
(just a hunch).... My experience is when you constantly flesh_out
a system and constantly update stuff, it stays more secure. Systems
that get little attention are where the interlopers like to hide; imho.
Gentoo does fall short on anomaly detection as do most operating
systems, but, it's easy to remedy with modeling, profiling and
analysis of the traffic flows....
I find the best security is obscurity, and secrecy of the admin's
tools and traits for administration. Don't follow the herd/vendor
rhetoric. Using the common approaches to security makes your
life much easier. Add your own unique "spices" to the mixture
of security tools you use. The "change_up" is the best and easiest
pitch in baseball. Some admins never use the "change_up"?
SELinux is superb but a pain in the wazoooo. Lots of folks do not
trust the NSA, mostly from a historical perspective. All governments
have a vested interest in their citizens and businesses having
really secure computers and networks. It makes their jobs (the spoofs)
much easier.
SELinux is focused on software security policy enforcement (orange book).
SELinux in and of itself is not a complete solution for a tight
network. It is a component that needs to be augmented with network
and statistical tools and lots of tricks. Without admin tools, it is
tedious and laborious, imho. I found a really cool java based tool to
implement and manage it, but there was not much enthusiasm, amongst
the java nor selinux folks here at gentoo, to implement the tool:
http://bugs.gentoo.org/show_bug.cgi?id=209435
This is just the tip of the iceberg; you can (and many do) go crazy
with security. My best advice is make security "fun" for the
nerds that perform the security admin work on a daily basis.
You get a lot of satisfaction watching the CFO play video games
or the board members connect to a foreign bank account,
on a network you secure....(grin). Not to mention folks with
elite skills never seem to go unemployed, nor suffer from
a lack of resources...... Our planet is corrupt, then the question
is who do we throw the first stone at, and for what 'bona fide'
reasons.
ymmv,
James
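The soft (5%) and hard (10%) alarm idea James describes for modelled traffic flows, worked through as an added example that is not part of the original mail. It assumes you already collect per-interval byte counts per flow class (from NetFlow/sFlow exports, a firewall log summariser, or similar), treats both rises and drops against the baseline as deviations, and flags a flow class with no model at all as its own alarm level. The flow names and all counts are constructed.

```python
"""Soft/hard alarm thresholds on modelled traffic-flow baselines.

Added example; it is not code from the original mail. It assumes you
already collect per-interval byte counts for each flow class (for
instance from NetFlow/sFlow exports or a firewall log summariser) and
treats both rises and drops against the baseline as deviations. All
sample numbers below are constructed.
"""
from statistics import mean

SOFT = 0.05  # 5 % deviation from the modelled baseline -> soft alarm
HARD = 0.10  # 10 % deviation from the modelled baseline -> hard alarm

# Constructed baseline: bytes per five-minute interval per flow class,
# sampled over a quiet working week.
BASELINE = {
    "dns_out": [1200, 1250, 1180, 1220, 1300, 1210, 1190],
    "smtp_out": [50000, 52000, 49000, 51000, 50500, 49800, 50200],
    "ssh_in": [800, 820, 790, 810, 805, 815, 795],
}


def deviation(observed, samples):
    """Relative deviation of one observation from the mean of its baseline."""
    base = mean(samples)
    if base == 0:
        # A flow that is normally silent: any traffic at all is a full deviation.
        return 0.0 if observed == 0 else 1.0
    return abs(observed - base) / base


def classify(observed, samples):
    """Map one observation to 'ok', 'soft' or 'hard' using the two thresholds."""
    d = deviation(observed, samples)
    if d >= HARD:
        return "hard"
    if d >= SOFT:
        return "soft"
    return "ok"


def evaluate(observations, baseline=BASELINE):
    """Classify {flow: bytes} for one interval. A flow class nobody modelled
    is reported as 'unmodelled' so it cannot slip through unnoticed."""
    levels = {}
    for flow, observed in observations.items():
        if flow not in baseline:
            levels[flow] = "unmodelled"
        else:
            levels[flow] = classify(observed, baseline[flow])
    return levels


def alarms(observations, baseline=BASELINE):
    """Only the flows that need attention, worst first."""
    order = {"hard": 0, "unmodelled": 1, "soft": 2}
    hits = [(f, lvl) for f, lvl in evaluate(observations, baseline).items() if lvl != "ok"]
    return sorted(hits, key=lambda fl: order[fl[1]])


if __name__ == "__main__":
    # One constructed interval: DNS slightly up, SMTP well up, SSH normal,
    # plus a flow class that was never modelled.
    sample = {"dns_out": 1300, "smtp_out": 56000, "ssh_in": 800, "irc_out": 4096}
    for flow, level in alarms(sample):
        print(f"{level:10s} {flow}")
```

A mean over a week is the simplest possible model; in practice you would keep a per-hour or per-weekday baseline so that a normal Monday-morning mail burst does not trip the hard alarm, but the threshold logic stays the same.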
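The "mount the admin tools only while you need them" approach from the gcc paragraph, as an added example that is not code from the original mail. It assumes the toolset lives on a separate volume (an NFS export or a USB stick, as the mail suggests) whose source and mount point you pass in, and that plain `mount`/`umount` are the commands that attach it; the share name and mount point in the demo are placeholders. The command runner is injectable so the mount/unmount sequencing can be rehearsed without root or a real volume, and the audit function shows which build tools the host currently exposes on PATH.

```python
"""Audit which build tools a host exposes, and mount an admin toolset only
for the duration of a maintenance session.

Added example; not code from the original mail. It assumes the tools live
on a separate volume (an NFS export or a USB stick) whose source and mount
point you pass in, and that `mount`/`umount` are the plain system commands.
The command runner is injectable so the sequencing can be rehearsed
without root or a real volume.
"""
import shutil
import subprocess
from contextlib import contextmanager

# Tools whose presence on a production root the thread is debating.
BUILD_TOOLS = ("gcc", "cc", "g++", "as", "ld", "make")


def present_build_tools(path=None):
    """Names from BUILD_TOOLS that are executable on PATH (or on `path`)."""
    return [tool for tool in BUILD_TOOLS if shutil.which(tool, path=path)]


def run_cmd(argv):
    """Default runner: execute the command and fail loudly on non-zero exit."""
    subprocess.run(argv, check=True)


@contextmanager
def tools_mounted(source, mountpoint, run=run_cmd):
    """Mount `source` on `mountpoint`, hand the mount point to the caller,
    and unmount again even if the maintenance work raises."""
    run(["mount", source, mountpoint])
    try:
        yield mountpoint
    finally:
        run(["umount", mountpoint])


def rehearse(source, mountpoint, work):
    """Dry run: record the command sequence issued around `work` instead of
    executing it. Returns (commands, error), where error is the exception
    `work` raised, if any; the unmount is recorded in both cases."""
    commands = []
    error = None
    try:
        with tools_mounted(source, mountpoint, run=commands.append):
            work()
    except Exception as exc:  # the finally block has already queued the umount
        error = exc
    return commands, error


if __name__ == "__main__":
    print("build tools on PATH:", present_build_tools() or "none")
    # Placeholder share and mount point; replace with your own.
    cmds, err = rehearse("admin-nfs:/export/tools", "/mnt/tools",
                         lambda: print("... admin work using /mnt/tools/bin ..."))
    for c in cmds:
        print(" ".join(c))
```

Run `present_build_tools()` from a cron job or your configuration-management check and you have a cheap daily answer to "did a compiler creep back onto this box?", which is the real question behind the thread; the context manager just makes sure the toolset never stays attached because an admin session died halfway.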