[NTLUG:Discuss] Secure a system by securing GCC..

Chris Cox cjcox at acm.org
Mon Jul 1 13:00:45 CDT 2002


Richard Geoffrion wrote:

>I had an idea that sounds good, but I thought I'd run it by you guys.
>
>If execute rights to the GCC (and/or other directories) were revoked to all
>but the root user, wouldn't that reduce the chance of damage by keeping
>someone from compiling code to elevate their privileges should they make it
>in?
>
Kind of.  Better yet is to pull gcc off of the system altogether.

If you are REALLY security conscious.... there are many other things to do
as well... like disabling kernel modules (probably have to compile a static
kernel with modules disabled). There are many more things of course than
just that... but if the goal is to reduce "code/binary" attacks... then you
really have to shut down modules too.  Likewise, PAM can bite you as well...
you will need to guard the configs and directories well... if not remove
altogether.

Sadly, you will also want to remove the "fun" programs... you know the ones
that you normally use for security analysis.... since these are the very
tools that will be used against you by a good hacker (e.g. nmap, nessus,
ettercap and the like).

The "flexibility" of a typical Linux install is too "fun" for the hacker.

Just my two cents... the gcc idea is an ok idea, but probably won't stop the
"good" hacker at all.

Anyone willing to do a presentation on Linux Internet Security techniques??

Chris
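
Added example, not part of the original message: a small audit that reports the conditions discussed in this thread (a compiler executable by non-owners, the named analysis tools still installed, PAM configuration writable by group or other, kernel module loading still possible). The `cc`/`g++` names, the directory list, the finding labels and the use of the `kernel.modules_disabled` sysctl are assumptions of this example.

```python
import os
import stat

# gcc and the three tools are named in the thread; cc/g++ and the
# directory list are assumptions added for this example.
COMPILERS = {"gcc", "cc", "g++"}
DUAL_USE = {"nmap", "nessus", "ettercap"}
BIN_DIRS = ("bin", "sbin", "usr/bin", "usr/sbin", "usr/local/bin")
PAM_PATHS = ("etc/pam.conf", "etc/pam.d")

def audit(root="/"):
    """Return (finding, path) tuples for the hardening gaps discussed above."""
    findings = []
    for d in BIN_DIRS:
        base = os.path.join(root, d)
        if not os.path.isdir(base):
            continue
        for name in sorted(os.listdir(base)):
            path = os.path.join(base, name)
            if not os.path.isfile(path):
                continue
            # Compiler still runnable by accounts other than its owner.
            if name in COMPILERS and os.stat(path).st_mode & (stat.S_IXGRP | stat.S_IXOTH):
                findings.append(("compiler-exec-nonowner", path))
            if name in DUAL_USE:
                findings.append(("dual-use-tool-present", path))
    for rel in PAM_PATHS:
        top = os.path.join(root, rel)
        kids = sorted(os.listdir(top)) if os.path.isdir(top) else []
        for path in [top] + [os.path.join(top, n) for n in kids]:
            # PAM config or directory writable by group or other.
            if os.path.exists(path) and os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(("pam-config-writable", path))
    # Module loading: sysctl present and not 1, or (kernels without the
    # sysctl) /proc/modules present, means modules can still be loaded.
    flag = os.path.join(root, "proc/sys/kernel/modules_disabled")
    try:
        with open(flag) as fh:
            if fh.read().strip() != "1":
                findings.append(("module-loading-enabled", flag))
    except OSError:
        modules = os.path.join(root, "proc/modules")
        if os.path.exists(modules):
            findings.append(("module-loading-enabled", modules))
    return findings

if __name__ == "__main__":
    for finding, path in audit("/"):
        print(f"{finding}: {path}")
```

Passing a different `root` lets the same checks run against a mounted image or a chroot instead of the live system.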





