To: gentoo-user@lists.gentoo.org
From: James
Subject: [gentoo-user] Re: Gentoo as a production server - insecure?
Date: Mon, 16 Feb 2009 15:51:11 +0000 (UTC)
References: <6b16fb4c0902160405t6a2fcd3alb069d8e1a869e509@mail.gmail.com> <200902161326.07025.shrdlu@unlimitedmail.org>

Johannes Frandsen imento.dk> writes:

> Somebody pointed out that having a production server with a gcc
> installed was a big no-no security wise, so I did a bit of googling on
> that topic and found a couple of articles supporting that view.

From 10,000 feet above, for those less versed in running a daily "tight" network, it totally misses the point.

If you want to run a really secure network: model and profile the activity, set soft (say 5%) and hard (10%) alarms for certain types of traffic flows that could contain interloper activity. Then add tools that analyze the traffic where you perceive vulnerability.

If your organization does not have a "pathological hacker" on the payroll, then consider retaining a consultant periodically to perform penetration tests. Stay away from corporations, as most of their talent pool is on the weak side of modern genetic aptitude. Lock up your "special consultant" with an aggressive legal contract. Some really paranoid groups get different "special consultants" to perform penetration tests over time.

Layer your security through several firewalls. Partition the network via managed switches.
If you suspect an internal interloper, then put him on an isolated segment with a stealth sniffer monitoring his activities. (My idea of a stealth sniffer is to set the eth-int to 0.0.0.0 on that segment.)

But why stop there? Most cell phone protocols/encryption have been cracked. Spend some money and start sniffing the local cell phone calls (monitoring for quality assurance). Note, may be illegal in your area, unless you pay the local governments money and show them how to do the same.... Amateur lie detection electronics are a lot of fun too! (at least for the prick that gets to ask the questions). Then there are urine tests. Anyone that has a good time with recreational drugs is automatically an interloper (guilty by association, right?). Build a network that requires tons of manual intervention, unlike what anyone else does.... Lots of other "out of the box" security ideas abound ==> caveat emptor!

If the rub is really the gcc compiler, then do not have it installed; activate a remote partition with any such tools as gcc, coreutils and use them for admin things. Then unmount these (NFS or such) necessary system tools when you're not actively using them. Or put them on a usb stick (with ivman or your favorite mechanism).

Prolly (I like this term so much, I "borrowed" it from another gentooer...) what you will discover is other admins do not like your "Gentoo" tendencies, because it's not their idea.... (just a hunch)....

My experience is when you constantly flesh_out a system and constantly update stuff, it stays more secure. Systems that get little attention are where the interlopers like to hide; imho. Gentoo does fall short on anomaly detection as do most operating systems, but it's easy to remedy with modeling, profiling and analysis of the traffic flows.... I find the best security is obscurity, and secrecy of the admin's tools and traits for administration. Don't follow the herd/vendor rhetoric.
Using the common approaches to security makes your life much easier. Add your own unique "spices" to the mixture of security tools you use. The "change_up" is the best and easiest pitch in baseball. Some admins never use the "change_up"?

SELinux is superb but a pain in the wazoooo. Lots of folks do not trust the NSA, mostly from a historical perspective. All governments have a vested interest in their citizens and businesses having really secure computers and networks. It makes their jobs (the spoofs) much easier. SELinux is focused on software security policy enforcement (orange book). SELinux in and of itself is not a complete solution for a tight network. It is a component that needs to be augmented with network and statistical tools and lots of tricks. Without admin tools, it is tedious and laborious, imho. I found a really cool java based tool to implement and manage it, but there was not much enthusiasm amongst the java nor selinux folks here at gentoo to implement the tool: http://bugs.gentoo.org/show_bug.cgi?id=209435

This is just the tip of the iceberg; you can (and many do) go crazy with security. My best advice is make security "fun" for the nerds that perform the security admin work on a daily basis. You get a lot of satisfaction watching the CFO play video games or the board members connect to a foreign bank account, on a network you secure....(grin). Not to mention folks with elite skills never seem to go unemployed, nor suffer from a lack of resources......

Our planet is corrupt; the question is who do we throw the first stone at, and for what 'bona fide' reasons.

ymmv,
James
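The soft/hard traffic-flow alarms James suggests above, as an added example that is not part of the original message: it models each flow type's baseline from constructed per-window volumes, scores a new window against that profile with his 5%/10% thresholds, and treats a flow type with no profile at all as a hard alarm. Flow names and byte counts are constructed sample data.

```python
"""Soft/hard traffic-flow alarms in the style described in the post.

Added example, not code from the original message. Thresholds follow the
post's 5% (soft) and 10% (hard); all traffic figures are constructed.
"""
from statistics import mean

SOFT = 0.05   # +5% over the modeled baseline -> soft alarm
HARD = 0.10   # +10% over the modeled baseline -> hard alarm

# Constructed history: bytes per hour for each flow type over past windows.
HISTORY = {
    "dns_out":  [1_200, 1_150, 1_250, 1_180, 1_220],
    "ssh_in":   [50_000, 52_000, 49_500, 51_000, 50_500],
    "smtp_out": [8_000, 8_200, 7_900, 8_100, 8_050],
}

# Constructed current window; "irc_out" has never been seen before.
CURRENT = {"dns_out": 1_500, "ssh_in": 52_000, "smtp_out": 8_500, "irc_out": 10}


def build_profile(history):
    """Model each flow type as its mean volume over the recorded windows."""
    return {flow: mean(samples) for flow, samples in history.items()}


def classify(observed, baseline):
    """Return 'hard', 'soft' or 'ok' by relative excess over the baseline."""
    excess = (observed - baseline) / baseline
    if excess >= HARD:
        return "hard"
    if excess >= SOFT:
        return "soft"
    return "ok"


def score_window(current, profile):
    """Score every flow in the window; a flow type with no profile is a
    hard alarm because nothing in the model accounts for it."""
    alarms = {}
    for flow, observed in current.items():
        if flow not in profile:
            alarms[flow] = "hard"
            continue
        alarms[flow] = classify(observed, profile[flow])
    return alarms


if __name__ == "__main__":
    for flow, level in score_window(CURRENT, build_profile(HISTORY)).items():
        print(f"{flow:10s} {level}")
```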