Better host security was Re: Several Different kernel related (?) problems

Stephen J Smoogen smoogen at lanl.gov
Tue Aug 17 13:39:56 UTC 2004


Hans Kristian Rosbach wrote:
>>On public servers, I now put
>>/tmp
>>/var/tmp
>>
>>as separate partitions with noexec,nosuid on them. We may also put nodev 
>>on them but I am not sure if that broke things or not. Each are limited 
>>to 100->500 megs in size. We were looking at a script that did an hourly 
>>cleanup of files that were in it so that nothing stayed too long, but I 
>>think we dropped that in case we needed to keep an audit trail.
> 
> 
> nosuid, good idea
> nodev? What does that do, positive/negative?
> 

For certain kinds of attacks/machines a /tmp/kmem that is the /dev/kmem 
device and crw-rw-rw is very bad. Not allowing it to be used can fix 
that. I can't remember what the problem was though..

-- 
Stephen John Smoogen		smoogen at lanl.gov
Los Alamos National Lab  CCN-5 Sched 5/40  PH: 4-0645
Ta-03 SM-1498 MailStop B255 DP 10S  Los Alamos, NM 87545
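
An added example, not part of the original message: a shell check for the layout discussed in this thread (/tmp and /var/tmp as separate mounts carrying noexec, nosuid and nodev). The names check_mounts and sample_table and the sample mount table are constructed for illustration; the input is assumed to use the /proc/mounts field layout.

```shell
#!/bin/sh
# Audit a mount table (same field layout as /proc/mounts) for the hardening
# discussed in the thread. All names and sample data here are illustrative.
REQUIRED_OPTS="noexec nosuid nodev"
TARGETS="/tmp /var/tmp"

# check_mounts FILE: prints "OK <dir>", "MISSING <dir> <opts...>" or
# "NOT-SEPARATE <dir>" per target; returns 0 only if every target is OK.
check_mounts() {
    table=$1; rc=0
    for dir in $TARGETS; do
        # Field 2 is the mount point, field 4 the comma-separated options.
        # Keep the last match: a later mount on the same path shadows earlier ones.
        opts=$(awk -v d="$dir" '$2 == d { o = $4 } END { print o }' "$table")
        if [ -z "$opts" ]; then
            echo "NOT-SEPARATE $dir"
            rc=1
            continue
        fi
        missing=""
        for want in $REQUIRED_OPTS; do
            case ",$opts," in
                *",$want,"*) ;;
                *) missing="$missing $want" ;;
            esac
        done
        if [ -n "$missing" ]; then
            echo "MISSING $dir$missing"; rc=1
        else
            echo "OK $dir"
        fi
    done
    return $rc
}

# Constructed sample: /tmp lacks nodev, /var/tmp is not its own mount.
sample_table() {
    cat <<'EOF'
/dev/sda1 / ext3 rw 0 0
/dev/sda5 /tmp ext3 rw,noexec,nosuid 0 0
/dev/sda6 /home ext3 rw,nosuid,nodev 0 0
EOF
}

tmpf=$(mktemp); sample_table > "$tmpf"
check_mounts "$tmpf" || echo "hardening incomplete"
rm -f "$tmpf"
```

To audit a running host, call `check_mounts /proc/mounts`.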




