Better host security was Re: Several Different kernel related (?) problems

Hans Kristian Rosbach hk at isphuset.no
Tue Aug 17 13:25:28 UTC 2004


> On public servers, I now put
> /tmp
> /var/tmp
> 
> as separate partitions with noexec,nosuid on them. We may also put nodev 
> on them but I am not sure if that broke things or not. Each is limited 
> to 100->500 megs in size. We were looking at a script that did an hourly 
> cleanup of files that were in it so that nothing stayed too long, but I 
> think we dropped that in case we needed to keep an audit trail.

nosuid, good idea
nodev? What does that do, positive/negative?

> I am hoping SELinux for dummies gets published or that the NSA does a 
> 'SELinux Bootcamp' although I hope without drill sergeants. I am not 
> sure I can still handle an Army or Marine Drill Sgt yelling at me to 
> keep my ACLs in line.

One of our customers wanted us to enable extra security measures. I
spent 3 straight days to get SELinux running properly with backup,
snmp executed scripts, ntpd, mysql. ++

All in all, I see that the customer's application and our maintenance
apps should have been developed differently with regards to SELinux.
But it would have been a pain in the ass to do that now.

So our config is stuffed with things like this:
allow snmpd_t bin_t:dir { search getattr };
allow snmpd_t bin_t:file { getattr execute read execute_no_trans };
allow snmpd_t bin_t:lnk_file { read search };
About 70 lines like that actually.

Now, what really bothered me was the preexisting rules for games
and X and all the other shit that I didn't install. I tried to
remove the rules, but soon found myself reinstalling the source
to get back to scratch. There were too many dependencies.

I wish there was a file where I could just switch "ntpd=on" to off
or something like that so that all those rules would go away.

All in all..  It's pretty darn secure as far as I can tell, and not
too hard to _modify_ the rules either..  As long as you're very
linux experienced. =)

-HK
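An added example (not from the thread) of the kind of check a host hardening script would run against the /tmp and /var/tmp mounts discussed above: it reports which of noexec, nosuid and nodev a mount point is missing, where nodev stops block and character special files on that filesystem from being honoured. It assumes the /proc/mounts line format and uses a constructed mount table so it runs offline; pass no third argument to read the live /proc/mounts instead.

```shell
# Constructed sample in /proc/mounts format (not from the original post).
# /tmp deliberately lacks nodev so the check has something to report.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda5 /tmp ext3 rw,nosuid,noexec 0 0
/dev/sda6 /var/tmp ext3 rw,nosuid,noexec,nodev 0 0'

# missing_opts MOUNTPOINT REQUIRED_OPTS [MOUNTS_TEXT]
# Prints the comma-separated options from REQUIRED_OPTS that MOUNTPOINT
# lacks; empty output means the mount is compliant. Reads MOUNTS_TEXT if
# given, otherwise the live /proc/mounts. Returns 1 when MOUNTPOINT is not
# a separate mount at all (it would then inherit the parent's options).
missing_opts() {
    mp=$1; want=$2; text=${3:-$(cat /proc/mounts)}
    # Take the last matching line: a later mount on the same path wins.
    line=$(printf '%s\n' "$text" | awk -v mp="$mp" '$2 == mp {l=$0} END {print l}')
    [ -n "$line" ] || return 1
    have=$(printf '%s\n' "$line" | awk '{print $4}')   # 4th field = options
    missing=""
    for o in $(printf '%s\n' "$want" | tr ',' ' '); do
        case ",$have," in
            *",$o,"*) ;;                                   # option present
            *) missing="${missing:+$missing,}$o" ;;        # option absent
        esac
    done
    printf '%s\n' "$missing"
}

# Walk the two directories from the post against the constructed table.
for mp in /tmp /var/tmp; do
    if m=$(missing_opts "$mp" noexec,nosuid,nodev "$SAMPLE_MOUNTS"); then
        if [ -z "$m" ]; then echo "$mp: ok"; else echo "$mp: missing $m"; fi
    else
        echo "$mp: not a separate mount"
    fi
done
```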
