Updating kernel mandrake
We'll end the chapter by discussing Bastille Linux, a handy tool with which Red Hat and Mandrake Linux users can automate much of the hardening process.
This is the most obvious of our submaxims/corollaries. What if you don't Common sense, for example, dictates that a firewall shouldn't be running Apache and that a public FTP server doesn't need a C compiler.
However, it scales very well to most other information security endeavors, including system hardening.
Another concept originally forged in a somewhat different context is the Principle of Least Privilege.
Remember, since our guiding principle is "that which is not expressly permitted must be denied," it follows that "that which is not necessary should be considered needlessly risky." Put different services on different hosts whenever possible.
The more roles a single host plays, the more applications you will need to run on it, and therefore the greater the odds that that particular machine will be compromised.
(If compromised, the FTP server may be used to attack them, but the attacker won't be able to capitalize on the same vulnerability she exploited on the FTP server.)
When you select a package for deletion (by marking it with a minus sign), dselect automatically lists the packages that depend on it, conveniently marking them for deletion too.
To undo your original deletion flag, type "X"; to continue (accepting dselect's suggested additional package deletions), hit RETURN.
Therefore, securing a Linux system not only requires you to understand the inner workings of your system; you may also have to undo work others have done in the interest of shielding you from those inner workings!
Having said that, the principles of Linux hardening in specific and OS hardening in general can be summed up by a single maxim: "that which is not explicitly permitted is forbidden." As I mentioned in the previous chapter, this phrase was coined by Marcus Ranum in the context of building firewall rules and access-control lists.