Could you please provide a reliable source for hardening? I'm not looking for just a recipe, but for an analysis of the rationale behind it: i.e. bash has been disabled due to an embedded feature which allows kernel-level rights to be inherited from being a normal user with certain directory permissions. Things along those lines would help determine whether a feature is really at high risk or can be managed. Everyone has a formula.
What is hardening? Here are some options:
- Removal of all known and potential buffer overflow conditions
- Removal of all binaries that are not needed
- Application of basic Unix file system security from a paranoia perspective
- Ensuring that all unnecessary services are turned off
- Implementation of a secure firewall
- Design and implementation of a rigorous demilitarized zone architecture
- Implementation of extended auditing, reporting and analysis facilities
- Implementation of real-time exception reporting
- Implementation and enforcement of more secure user identity management and authentication facilities
- Implementation and configuration of all vital services in a chrooted jail
- Implementation of a fail-over and high availability infrastructure
- Implementation of a rigorous source address validation system
- Implementation of a virus scanning and integrity validation process on all incoming remote data streams
Each of these subjects is wide and deep enough to warrant a book. There are many books on each subject. It is a complex subject -- the complexity of which is made intense as a result of extreme opinions on the relative merits and importance of each of these.
I do apologize for not answering your question; to me you're asking for the equivalent to a brief reference index to the universe: the past, the present and the hereafter. I wish I could give a more definitive answer in a shorter space but, like many others, I'm with you all the way.
This was first published in August 2003