[NTLUG:Discuss] Secure a system by securing GCC..
Chris Cox
cjcox at acm.org
Mon Jul 1 13:00:45 CDT 2002
Richard Geoffrion wrote:
>I had an idea that sounds good, but I thought I'd run it by you guys.
>
>If execute rights to the GCC (and/or other directories) were revoked to all
>but the root user, wouldn't that reduce the chance of damage by keeping
>someone from compiling code to elevate their privileges should they make it
>in?
>
Kind of. Better yet is to pull gcc off of the system altogether.

If you are REALLY security conscious... there are many other things to do as well... like disabling kernel modules (probably have to compile a static kernel with modules disabled).

There are many more things of course than just that... but if the goal is to reduce "code/binary" attacks... then you really have to shut down modules too. Likewise, PAM can bite you as well... you will need to guard the configs and directories well... if not remove them altogether.

Sadly, you will also want to remove the "fun" programs... you know, the ones that you normally use for security analysis... since these are the very tools that will be used against you by a good hacker (e.g. nmap, nessus, ettercap and the like).

The "flexibility" of a typical Linux install is too "fun" for the hacker.

Just my two cents... the gcc idea is an ok idea, but probably won't stop the "good" hacker at all.

Anyone willing to do a presentation on Linux Internet Security techniques??

Chris
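
The points raised in this thread can be checked on a host with a short audit script. This is an added example, not part of either poster's message. The function names, the extra compiler names (cc, g++), the PAM paths and the use of the `modules_disabled` sysctl (a kernel feature newer than this thread) are assumptions. Pass `--audit` to print the report.

```sh
#!/bin/sh
# Added example (not from the thread): audit the hardening points raised above.
# gcc, nmap, nessus and ettercap are named in the thread; cc and g++ and the
# PAM paths below are assumptions, adjust them for your distribution.
BUILD_TOOLS="gcc cc g++"
SCAN_TOOLS="nmap nessus ettercap"
PAM_PATHS="/etc/pam.d /etc/pam.conf /lib/security"

# present_tools DIRS TOOL...: list TOOLs found as files in colon-separated DIRS.
present_tools() {
    dirs=$1; shift
    printf '%s\n' "$dirs" | tr ':' '\n' | while IFS= read -r d; do
        [ -d "$d" ] || continue
        for t in "$@"; do
            find -L "$d" -maxdepth 1 -type f -name "$t" -print
        done
    done
}

# shared_exec DIRS TOOL...: the subset that group or other may execute,
# i.e. execute permission is not limited to the owning (root) user.
shared_exec() {
    present_tools "$@" | while IFS= read -r f; do
        find -L "$f" \( -perm -0010 -o -perm -0001 \) -print
    done
}

# loose_files OWNER PATH...: entries not owned by OWNER, or group/other writable.
loose_files() {
    owner=$1; shift
    for p in "$@"; do
        [ -e "$p" ] || continue
        find "$p" ! -type l \( ! -user "$owner" -o -perm -0020 -o -perm -0002 \) -print
    done
}

# modules_locked [PROCDIR]: true if the kernel has no module support (no
# PROCDIR/modules) or the modules_disabled sysctl, added in later kernels, is 1.
modules_locked() {
    proc=${1:-/proc}
    [ -e "$proc/modules" ] || return 0
    [ "$(cat "$proc/sys/kernel/modules_disabled" 2>/dev/null)" = "1" ]
}

audit() {
    echo "compilers runnable by non-owner:"; shared_exec "$PATH" $BUILD_TOOLS
    echo "scanning tools installed:";        present_tools "$PATH" $SCAN_TOOLS
    echo "loose PAM files:";                 loose_files root $PAM_PATHS
    modules_locked && echo "modules: locked" || echo "modules: loadable"
}
if [ "${1:-}" = "--audit" ]; then audit; fi
```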