Better host security was Re: Several Different kernel related (?) problems
Hans Kristian Rosbach
hk at isphuset.no
Tue Aug 17 13:25:28 UTC 2004
> On public servers, I now put
> /tmp
> /var/tmp
>
> as separate partitions with noexec,nosuid on them. We may also put nodev
> on them but I am not sure if that broke things or not. Each is limited
> to 100->500 megs in size. We were looking at a script that did an hourly
> cleanup of files that were in it so that nothing stayed too long, but I
> think we dropped that in case we needed to keep an audit trail.
nosuid, good idea
nodev? What does that do, positive/negative?
> I am hoping SELinux for dummies gets published or that the NSA does a
> 'SELinux Bootcamp' although I hope without drill sergeants. I am not
> sure I can still handle an Army or Marine Drill Sgt yelling at me to
> keep my ACLs in line.
One of our customers wanted us to enable extra security measures. I
spent 3 straight days to get SELinux running properly with backup,
snmp executed scripts, ntpd, mysql. ++
All in all, I see that the customer's application and our maintenance
apps should have been developed differently with regards to SELinux.
But it would have been a pain in the ass to do that now.
So our config is stuffed with things like this:
allow snmpd_t bin_t:dir { search getattr };
allow snmpd_t bin_t:file { getattr execute read execute_no_trans };
allow snmpd_t bin_t:lnk_file { read search };
About 70 lines like that actually.
Now, what really bothered me was the preexisting rules for games
and X and all the other shit that I didn't install. I tried to
remove the rules, but soon found myself reinstalling the source
to get back to scratch. There were too many dependencies.
I wish there was a file where I could just switch "ntpd=on" to off
or something like that so that all those rules would go away.
All in all.. It's pretty darn secure as far as I can tell, and not
too hard to _modify_ the rules either.. As long as you're very
linux experienced. =)
-HK
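An added example, not part of the thread above, for the mount-option question (nodev stops character and block device nodes on that filesystem from being honoured, so a device file dropped into /tmp cannot be used to reach the kernel or raw disks). The script below is constructed for this page: it audits fstab-style entries for /tmp and /var/tmp and reports which of nodev, nosuid and noexec are missing. The SAMPLE_FSTAB content and the function name missing_opts are assumptions for illustration; on a live box you would feed it the fourth column of /proc/mounts or /etc/fstab instead.

```shell
#!/bin/sh
# Constructed sample fstab entries (not taken from any real system or the original post).
# /tmp is partly hardened, /var/tmp has no hardening, / is shown as a non-target line.
SAMPLE_FSTAB='/dev/sda3 /tmp ext3 defaults,nosuid,noexec 1 2
/dev/sda4 /var/tmp ext3 defaults 1 2
/dev/sda1 / ext3 defaults 1 1'

# missing_opts MOUNTPOINT FSTAB_TEXT
#   Prints the hardening options missing from the entry for MOUNTPOINT
#   (space separated, in the order nodev nosuid noexec), or "absent" when
#   no entry exists. Returns 0 only when nothing is missing.
missing_opts() {
  mp=$1
  fstab=$2
  # Column 2 is the mount point, column 4 the comma-separated option list.
  opts=$(printf '%s\n' "$fstab" | awk -v mp="$mp" '$2 == mp { print $4; exit }')
  if [ -z "$opts" ]; then
    echo "absent"
    return 1
  fi
  missing=""
  for want in nodev nosuid noexec; do
    # Wrap in commas so "nodev" cannot match inside another option name.
    case ",$opts," in
      *,"$want",*) ;;
      *) missing="$missing $want" ;;
    esac
  done
  missing=${missing# }
  echo "$missing"
  [ -z "$missing" ]
}

# Same check against the running system: /proc/mounts has the same column layout.
live_missing_opts() {
  missing_opts "$1" "$(cat /proc/mounts 2>/dev/null)"
}

# Usage when run directly: audit the two mount points discussed in the thread.
for mp in /tmp /var/tmp; do
  printf '%s: missing [%s]\n' "$mp" "$(missing_opts "$mp" "$SAMPLE_FSTAB")"
done
```

A missing option can be applied without a reboot with `mount -o remount,nodev,nosuid,noexec /tmp`, then made permanent in /etc/fstab. Keep in mind that noexec only blocks direct execution; a script can still be run as `sh /tmp/x`, so noexec raises the bar rather than closing the door, and nosuid is the option that matters most against a planted setuid binary.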