
Re: Binary patches



Subject: Re: Binary patches
Date: Mon, Sep 27, 1999 at 10:48:55AM -0600
Quoting Bob Beck (beck@bofh.ucs.ualberta.ca):
> 
> >Hello,
> >
> >Sorry, if it is obvious, but anyway: 
> >
> >Let's assume that I have production bastion host. So it shouldn't have
> >nor source code neither any development tools (yeah, I'm paranoid ;)
> 
>        IMO, this is not really productive. An intruder can always
> bring their own tools. You shouldn't run anything extra on a bastion
> host, but tools being there isn't a big deal - If an attacker gets on
> it you're dead anyway. making it difficult to administer and apply
> fixes too only hurts you, not a knowledgeable attacker.
> 
> >So, how should I upgrade system to current level, or just security patches?
> >
> 	
> 	Build the patches on another machine and bring them over. That's
> what I'd do.

FWIW, TIS/NAI Gauntlet _requires_ you to have gcc and stuff on it to work, 
because it rebuilds the kernel as part of the install process. 
I'll second the idea of it being necessary to stop the intruder before s/he has
command prompt access on the bastion. Gone so far, the bastion is just a place
from which you launch attacks on other, more ripe, systems. 

-- 
Måns Nilsson 					MN1334-RIPE	
www.df.lth.se/~mansaxel for details		GSM 070 8344045

Content:  80% POLYESTER, 20% DACRONi ... The waitress's UNIFORM sheds
TARTAR SAUCE like an 8" by 10" GLOSSY ...
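The "build on another machine and bring the patches over" approach from the thread, as an added example that is not part of the original posts and not anyone's actual procedure from this list: one shell function packages a prebuilt tree on the build host and records a SHA-256 digest of the tarball; a second function, run on the bastion, refuses to unpack anything whose digest does not match. The function names, the `patch-001` name, the constructed file tree and the `demo` driver are all illustrative assumptions; the script needs only POSIX sh, tar with `-C`, and either `sha256sum` (GNU) or `sha256` (BSD).

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): move a prebuilt patch
# from a build host to a bastion that has no compiler, verifying a digest
# before anything is unpacked on the bastion.

# Print the SHA-256 of a file using whichever tool the host provides.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# Build host side: tar up an already-built tree and record its digest.
# usage: package_patch <built_tree_dir> <output_dir> <patch_name>
package_patch() {
    tree=$1
    out=$(cd "$2" && pwd)          # absolute path so tar -C cannot confuse it
    name=$3
    tarball="$out/$name.tar.gz"
    tar -C "$tree" -czf "$tarball" .
    hash_file "$tarball" > "$tarball.sha256"
}

# Bastion side: verify the digest first, extract only if it matches.
# usage: install_patch <tarball> <digest_file> <destination_root>
install_patch() {
    tarball=$1
    digestfile=$2
    dest=$3
    expected=$(cat "$digestfile")
    actual=$(hash_file "$tarball")
    if [ "$expected" != "$actual" ]; then
        echo "digest mismatch for $tarball: refusing to install" >&2
        return 1
    fi
    mkdir -p "$dest"
    tar -C "$dest" -xzf "$tarball"
}

# Driver with constructed input: a fake patched binary, one good transfer,
# one tarball altered in transit. Returns 0 only if both cases behave.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/build/usr/sbin" "$work/out"
    printf 'pretend this is a patched binary\n' > "$work/build/usr/sbin/fixed-daemon"

    package_patch "$work/build" "$work/out" "patch-001"
    install_patch "$work/out/patch-001.tar.gz" \
                  "$work/out/patch-001.tar.gz.sha256" "$work/bastion" || return 1
    [ -f "$work/bastion/usr/sbin/fixed-daemon" ] || return 1

    # Simulate corruption or tampering of the archive during transfer.
    cp "$work/out/patch-001.tar.gz" "$work/out/tampered.tar.gz"
    printf 'x' >> "$work/out/tampered.tar.gz"
    if install_patch "$work/out/tampered.tar.gz" \
                     "$work/out/patch-001.tar.gz.sha256" "$work/bastion2" 2>/dev/null; then
        return 1                   # must have been refused
    fi

    rm -rf "$work"
    echo "ok: good patch installed, tampered patch refused"
}
```

Note the caveat a digest alone carries: if the `.sha256` file travels over the same channel as the tarball, it only catches corruption, not a deliberate swap. For the tampering case the digest has to arrive independently (read out over the console, pre-distributed, or replaced by a signature with a key the bastion already holds).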