Re: [FW1] OT: harden solaris
What I meant was that both solutions could easily be implemented in jass (a
collection of scripts meant as an extension to JumpStart; have a look in the
Blueprint section of their website for more info on both). Basically it
automates the locking down and hardening of Solaris 2.[678] and allows me to
create a firewall in 10 minutes from unpacking the hardware :)

cheers,
Alexander

"cy bear" <[email protected]> writes:

> I am not sure what Alexander means by "Both of these can easily be
> implemented in the secure driver for jass-0.2" but in my shop after
> the OS has been installed we move the files you mention, and a few
> others into a directory called /rootonly or /tools and then set
> permissions so that only root (user and/or group GID 0) can access
> the directory.
>
> Using statically linked binaries is also an excellent idea, and one
> that we use here.
>
> The only time there is a problem is when someone changes the root
> password without telling everyone. :-)
>
> >To: "Hartmann, Josef" <[email protected]>
> >Cc: [email protected]
> >Subject: Re: [FW1] OT: harden solaris
> >From: Alexander Hoogerhuis <[email protected]>
> >Date: 17 Apr 2001 00:04:54 +0200
> >
> >As far as I know Solaris 2.[678] doesn't support mounting any kind of
> >loopback fs. Feel free to flame me if I am very wrong on this
> >point. :)
> >
> >Apart from that, there are two ways to do this that should be acceptably
> >secure:
> >
> >a) use something like /usr/local/bin owned by root:sys with r-x for
> >owner only, and have statically linked binaries of whatever you need
> >in here.
> >
> >b) (my favourite) Always have /root as homedir for root and owned by
> >root:sys, and permissions rwx for owner only. Under here you have your
> >own /root/bin, again with things statically linked so there are no
> >external dependencies.
> >
> >Both of these assume it is only root that needs to execute these
> >commands, but it could be modified by using a group in the
> >/usr/local/bin case to include more users.
> >
> >Both of these can easily be implemented in the secure driver for
> >jass-0.2 and quite possibly any other way of installing the machine.
> >
> >cheers,
> >Alexander
> >
> >"Hartmann, Josef" <[email protected]> writes:
> >
> >> Hi,
> >>
> >> thinking about hardening solaris but still having a few tools like gzip, snoop
> >> etc. I am questioning if solaris can mount an encrypted file using loopback
> >> device?
> >>
> >> Thanks
> >> Josef
> >>
> >> ================================================================================
> >> To unsubscribe from this mailing list, please see the instructions at
> >> http://www.checkpoint.com/services/mailing.html
> >> ================================================================================
> >
> >--
> >Alexander Hoogerhuis
> >FYI: perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'

--
Alexander Hoogerhuis
FYI: perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'
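The two properties the thread relies on, a tools directory that only root can enter and binaries with no shared-library dependencies, are easy to get wrong over time (a later package install or a dynamically linked replacement silently breaks the assumption). The following audit script is an added example, not code from the thread or from the jass toolkit; it assumes ls(1) and ldd(1) are available and takes the directory and expected owner as arguments, so it can be pointed at /rootonly, /tools or /root/bin:

```shell
#!/bin/sh
# Audit a root-only tools directory (example added to the thread, not its
# own code). Checks the properties discussed above: the directory is owned
# by the expected user, grants nothing to group or other, and every
# executable in it is statically linked (no shared-library dependencies).
# Assumes ls(1) and ldd(1); paths and owner are arguments, nothing is
# hard-coded.

# dir_locked_down DIR OWNER
# Succeeds only if DIR is owned by OWNER and its mode string has no
# group/other bits, i.e. drwx------ (option b) or dr-x------ (option a).
dir_locked_down() {
    dir=$1; want=$2
    [ -d "$dir" ] || { echo "no such directory: $dir"; return 1; }
    line=$(ls -ld "$dir")
    mode=$(printf '%s\n' "$line" | cut -c1-10)    # first 10 chars: type + 9 permission bits
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    rc=0
    [ "$owner" = "$want" ] || { echo "$dir: owner is $owner, expected $want"; rc=1; }
    case "$mode" in
        d???------) ;;
        *) echo "$dir: mode $mode grants group/other access"; rc=1 ;;
    esac
    return $rc
}

# is_static FILE
# Succeeds if ldd prints no shared-library mapping ("lib => /path") for
# FILE. Static binaries print "statically linked" / "not a dynamic
# executable" on Linux and "file is not a dynamic executable" on Solaris,
# none of which contain "=>". Scripts (non-ELF) produce no mapping either.
is_static() {
    ! ldd "$1" 2>/dev/null | grep -q '=>'
}

# audit_tools_dir DIR OWNER
# Runs the directory check, then flags every executable that still has
# external dependencies. Exit status 0 means the directory passes.
audit_tools_dir() {
    st=0
    dir_locked_down "$1" "$2" || st=1
    for f in "$1"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        is_static "$f" || { echo "$f: dynamically linked"; st=1; }
    done
    return $st
}

# On a real host, as root:  audit_tools_dir /root/bin root
```

Run the audit only against binaries you placed there yourself: on glibc systems ldd works by invoking the dynamic loader on the file, so it is not a safe way to inspect an executable of unknown origin.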