RE: Re: [FW1] OT: harden solaris
I am not sure what Alexander means by "Both of these can easily be implemented in the secure driver for jass-0.2" but in my shop after the OS has been installed we move the files you mention, and a few others, into a directory called /rootonly or /tools and then set permissions so that only root (user and/or group GID 0) can access the directory. Using statically linked binaries is also an excellent idea, and one that we use here. The only time there is a problem is when someone changes the root password without telling everyone. :-)

>To: "Hartmann, Josef" <[email protected]>
>Cc: [email protected]
>Subject: Re: [FW1] OT: harden solaris
>From: Alexander Hoogerhuis <[email protected]>
>Date: 17 Apr 2001 00:04:54 +0200
>
>As far as I know Solaris 2.[678] doesn't support mounting any kind of
>loopback fs. Feel free to flame me if I am very wrong on this
>point. :)
>
>Apart from that, there are two ways to do this that should be acceptably
>secure:
>
>a) use something like /usr/local/bin owned by root:sys with r-x for
>owner only, and have statically linked binaries of whatever you need
>in here.
>
>b) (my favourite) Always have /root as homedir for root and owned by
>root:sys, and permissions rwx for owner only. Under here you have your
>own /root/bin, again with things statically linked so there are no
>external dependencies.
>
>Both of these assume it is only root that needs to execute these
>commands, but it could be modified by using a group in the
>/usr/local/bin case to include more users.
>
>Both of these can easily be implemented in the secure driver for
>jass-0.2 and quite possibly any other way of installing the machine.
>
>cheers,
>Alexander
>
>"Hartmann, Josef" <[email protected]> writes:
>
>> Hi,
>>
>> thinking about harden solaris but still having a few tools like gzip, snoop
>> etc. I am questioning if solaris can mount an encrypted file using loopback
>> device?
>>
>> Thanks
>> Josef
>>
>> ================================================================================
>> To unsubscribe from this mailing list, please see the instructions at
>> http://www.checkpoint.com/services/mailing.html
>> ================================================================================
>
>--
>Alexander Hoogerhuis
>FYI: perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'
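An audit check for the root-only tool directory layout discussed in this thread, as an added example that is not part of the original messages. The function names are hypothetical, `fake_elf` builds constructed test input, and "statically linked" is taken to mean an ELF image with no `PT_INTERP` or `PT_DYNAMIC` segment, so a static-PIE binary is conservatively flagged.

```python
import os, stat, struct

PT_DYNAMIC, PT_INTERP = 2, 3  # ELF program header types that imply a runtime linker

def is_static_elf(path):
    """True if path is an ELF image with no PT_INTERP or PT_DYNAMIC segment."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != b"\x7fELF" or len(data) < 52:
        return False
    end = "<" if data[5] == 1 else ">"           # EI_DATA: 1 = little-endian
    try:
        if data[4] == 2:                          # EI_CLASS: 2 = 64-bit
            (phoff,) = struct.unpack_from(end + "Q", data, 0x20)
            phentsize, phnum = struct.unpack_from(end + "HH", data, 0x36)
        else:
            (phoff,) = struct.unpack_from(end + "I", data, 0x1C)
            phentsize, phnum = struct.unpack_from(end + "HH", data, 0x2A)
        types = [struct.unpack_from(end + "I", data, phoff + i * phentsize)[0]
                 for i in range(phnum)]
    except struct.error:                          # truncated or malformed header
        return False
    return PT_INTERP not in types and PT_DYNAMIC not in types

def audit_tool_dir(path, expected_uid=0, allow_group=False):
    """Return findings for a root-only tool directory such as /root/bin."""
    findings = []
    st = os.stat(path)
    if st.st_uid != expected_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    forbidden = stat.S_IRWXO | (0 if allow_group else stat.S_IRWXG)
    if st.st_mode & forbidden:
        findings.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o} is too open")
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        fst = os.lstat(full)                      # lstat: do not follow symlinks
        if not stat.S_ISREG(fst.st_mode):
            findings.append(f"{full}: not a regular file")
        elif fst.st_uid != expected_uid or fst.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{full}: wrong owner or writable by group/other")
        elif not is_static_elf(full):
            findings.append(f"{full}: not a statically linked ELF binary")
    return findings

def fake_elf(ptypes):
    """Constructed test input: minimal 64-bit little-endian ELF with given segment types."""
    hdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, len(ptypes), 0, 0, 0)
    return hdr + b"".join(struct.pack("<I", t) + bytes(52) for t in ptypes)
```

Calling `audit_tool_dir("/root/bin")` as root returns an empty list when the directory matches option (b); pass `allow_group=True` for the group-shared /usr/local/bin variant.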