2.7. Wrapping Up

We've covered a number of security-oriented features that make FreeBSD and OpenBSD unique among Unices, as well as among operating systems in general. These features give you an edge in securing your system. By adding a few sysctl variables to your standard configuration, you can tune the system's behavior to fit the security posture that you need. You can reduce your visibility on the network, help thwart scans and denial-of-service attacks, and reduce the amount of resources malicious folks can consume on your network. By combining the kernel securelevel and UFS filesystem flags, you can more strongly protect many critical pieces of the operating system. If your users need the flexibility of ACLs, you can give them ACLs as well to specify filesystem permissions with finer granularity.

Your options are not quite as diverse on OpenBSD systems. Still, it's clear that the effort the development team has gone through to follow the defense-in-depth, least-privilege, fail-safe, and other principles yields great rewards. Careful code audits, privilege separation whenever possible, service-based users, W^X, and ProPolice—it's all good stuff.

As you read through the chapters in this book, look for places where the building blocks in this chapter can be put to good use. Feel free to play around with them and find a solution that works for you.


2.8. Resources


TrustedBSD (http://www.trustedbsd.org/)

The TrustedBSD project is an effort to add options to FreeBSD that make it compliant with the Common Criteria for Information Technology Security Evaluation. ACLs were implemented as part of this effort.


ProPolice Stack Protection (http://www.trl.ibm.com/projects/security/ssp/)

"GCC extension for protecting applications from stack-smashing attacks."


Posix.1e (http://wt.xpilot.org/publications/posix.1e/)

The IEEE 1003.1e standard that was used as a reference when designing FreeBSD's ACLs. The standard itself has been abandoned by IEEE, but some vendors continue to use it as a reference.


Chapter 3. Secure Installation and Hardening

So the combination is one, two, three, four, five.
That's the stupidest combination
I've ever heard in my life. That's the kinda
thing an idiot would have on his luggage.

—Dark Helmet
Spaceballs

Securing a system doesn't necessarily begin with a running system. Given the option, it's a good idea to start thinking about system security early on: before and during installation. In this chapter, we step through the installation process for both OpenBSD and FreeBSD and address some of the security implications of your early decisions.

If you are not comfortable with the install process for either operating system, now is the perfect time to read the relevant documentation. For FreeBSD, read Chapter 2 of the Handbook. For OpenBSD, see section 4 of the FAQ. If you have not signed up for the FreeBSD and OpenBSD security lists, do so immediately. Links to these lists are available in Section 3.8 at the end of this chapter.


Throughout this chapter we will be following the fundamental security principles laid out in Chapter 1 of this book. Keep in mind that in the context of system security it's not always true that "more is better." The consequences of increased security often include greater administrative overhead in maintenance and installation, more complicated configuration, and a general decrease in flexibility and convenience. Balance the trade-offs appropriately for your environment to arrive at a solution that meets both your usability and security requirements.

This chapter is divided into three sections. The first section, "General Concerns," covers some of the decisions you should make and security issues of which you should be aware before beginning the install. As the name implies, this section is applicable to both FreeBSD and OpenBSD administrators. The second section provides a security-minded installation walkthrough: first for FreeBSD and subsequently for OpenBSD. Feel free to skip the part that doesn't apply to your system and proceed to the last section of the chapter: platform-independent security concerns in Section 3.6.
