
Re: services installed and running "out of the box"



I like that idea, and it sounds fairly simple - packages just check
/etc/secure_level (or something similar) and do the "right thing". The
tricky part is convincing every package maintainer to adopt it ;)

There are some "hardening" packages available, but I haven't had a
chance to play with them yet. (and I didn't want them breaking my setup
while I didn't have time to fix things)

On Wed, 2003-09-24 at 16:12, Steve Wray wrote:
> For what it's worth, and without wanting a distro-religious war about it,
> Mandrake has a variety of security levels, which can be locally configured,
> and which can allow exactly this sort of behavior;
> 
> At high security levels, any new services that get installed (from RPMs)
> are only allowed from localhost or even, IIRC, services may not even
> be started by default, neither post-install nor on reboot: you have to
> set them up manually.
> 
> Might be worth a look to see how they did it to see if it can be easily
> implemented on Debian?
> 
> 
> On Thu, 25 Sep 2003 10:04, Florian Weimer wrote:
> > On Wed, Sep 24, 2003 at 01:42:01PM -0700, Adam Lydick wrote:
> > > Is there any effort to reduce the number of services running on a
> > > default Debian install? For example: a typical workstation user doesn't
> > > really need to have inetd enabled, nor portmap (unless they are running
> > > fam or nfs -- which isn't enabled by default)
> >
> > I think it's more important that services only bind to localhost after
> > installation (in the default configuration).
> 
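Added example, not part of the original thread: one way to check the property discussed above (services listening only on localhost after installation) is to read the kernel's TCP socket table and report every LISTEN socket bound to a non-loopback address. The sample table is constructed, and the decoder assumes IPv4 and a little-endian host.

```python
import ipaddress
import struct

TCP_LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1
   2: 0A01A8C0:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1
   3: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1004 1
   4: 0A01A8C0:0016 1401A8C0:C350 01 00000000:00000000 00:00000000 00000000     0        0 1005 1
"""


def decode_endpoint(field):
    """Turn 'HEXIP:HEXPORT' into (IPv4Address, port).

    Assumption: little-endian host, so the address bytes appear reversed.
    """
    hex_ip, hex_port = field.split(":")
    addr = ipaddress.IPv4Address(struct.pack("<I", int(hex_ip, 16)))
    return addr, int(hex_port, 16)


def exposed_listeners(table):
    """Return sorted (address, port) pairs for LISTEN sockets not bound to loopback."""
    found = set()
    for line in table.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].endswith(":"):
            continue  # header line or malformed row
        if fields[3] != TCP_LISTEN:
            continue  # established or closing connections are not listeners
        addr, port = decode_endpoint(fields[1])
        if not addr.is_loopback:
            found.add((str(addr), port))
    return sorted(found)


if __name__ == "__main__":
    for addr, port in exposed_listeners(SAMPLE):
        print(f"listening beyond localhost: {addr}:{port}")
```

On a live system, pass the contents of `/proc/net/tcp` instead of `SAMPLE`; IPv6 listeners live in `/proc/net/tcp6` and are not covered here.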


