Tugger the SLUGger!SLUG Mailing List Archives

Re: [SLUG] Firewall security audit report

LANNet Computing Associates <http://lannetlinux.com>
"...well, it worked before _you_ touched it!"   --me
"I trust just one person,
 and there are times when I don't even trust myself"

On Tue, 27 Feb 2001, chesty wrote:

> We had our linux firewalls audited and I wanted to get some opinions on some
> of the issues raised.
> We were advised to turn sshd PasswordAuthentication off because it allows
> clear text passwords.
> hey? That doesn't sound right.

Sounds like good cause to not pay the auditors as they seem not to know
what they talk about.

> Mount partitions read only where possible.
> I guess this is a good idea, but in what situation would this add security?
> You need to be root to be able to write to the partitions that I could mount read
> only, and if someone gets root, they can remount partitions read write.
> Remove man pages.
> Again, I can't see the harm in doing this, but I can't see the point.
> Remove unnecessary binaries.
> A good idea no doubt, but the firewall doesn't allow shell access, and the
> way I see it is if someone gets shell access they can upload their own bin's.

You could say the same about some libraries after you have done an
assessment of those required by the remaining binaries, but then the
auditors wouldn't even know what these are, judging by their earlier

> It doesn't mention it in the report, but would mounting /home, /tmp and /var with
> noexec help? It might stop a non root user from running their own programs, but it
> won't stop root.

What about cgi-bins in /home/httpd (old RH) or /var/www (FSSTD, I think)?
OK, so it's your firewall and you would not run cgi-bins on that, would

> Capabilities wasn't mentioned in the report, and I haven't removed any (yet).
> Time to do some reading on removing linux kernel capabilities I think.
> What do people use for analysing firewall log files?
> Theres 84 projects under that category on freshmeat.