Secure installation and updating

Cal Cornils ccornils at napavalley.edu
Mon Mar 7 18:24:22 GMT 2005 

Stian - My understanding of the source downloading process is that every 
file that you download from the 'trusted' source (freebsd.org) has an 
included checksum.  When you unpack and start to use that file on your 
machine, one of the first things that's done is to verify that the (trusted) 
checksum matches the calculated (by your own calculation) checksum of the 
actual collection of bits you got.  If is doesn't, then the download was 
faulty or someone modified the file on the way to your machine.  The chance 
of modifying a file while keeping the checksum unchanged is vanishingly 
small, especially for source code.

Cal Cornils
Napa Valley College

----- Original Message ----- 
From: "Stian Øvrevåge" <sovrevage at gmail.com>
To: <freebsd-newbies at freebsd.org>
Sent: Monday, March 07, 2005 6:04 AM
Subject: Secure installation and updating


> Hi list, first time reader, first time poster...
>
> To build some practical skills within Unix, Networking and Security, I
> have made myself a case study to provide some services for a fictional
> corporation. I have some ( very limited ) experience with FreeBSD and
> have therefore choosen that as my primary server OS.
>
> I want to assure trustworthyness and integrity along the whole
> lifetime of the installations. Including secure installation and
> initial updating as well as secure destruction and sanitizing,
> something I feel is left out from many security-related discussions.
>
> In security-related questions regarding the whole operation I assume
> the worst, that my "trusted" network is already compromised, that
> there are remote vuln's to every program I run, that connections I
> make to the Internet is not to be relied upon. It's within the latter
> my current dilemma is. After reading countless pages on secure
> installation I've understood that it is highly recommended to download
> the newest kernel and rebuild. I'm not aware of which methods CVSup
> uses for authentication and encryption. Assuming that my session with
> updating my sources can be sniffed, hijacked, mitm-ed, or substituted
> from the beginning, I would have grave problems with trusting my fresh
> box. There is also another problem I with this; I want to keep the box
> completely shielded from any hostile network, including my own
> "trusted". This to minimize exposure to the possible undisclosed
> vuln's that might reside within the default installation.
>
> To sum it all up: Is it possible to download the newest source to for
> example a USB pen drive ( keywords: ultra-portable and
> super-unpredictable ), and transfer this to my isolated box, and hence
> updating without exposure?
>
> Regards,
> Stian
> _______________________________________________
> freebsd-newbies at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-newbies
> To unsubscribe, send any mail to "freebsd-newbies-unsubscribe at freebsd.org"
>

More information about the freebsd-newbies mailing list