Will H. Backman wrote:

Turning this into a learning experience:  Does anyone have any hints or
advice about hardening OpenBSD for shell accounts?  Do people tweak
things other than the login.conf settings?  I have to deal with student
shell accounts where students are learning to program and often create
problems by accident.

Apart from login.conf(5):

It is really hard on UNIX(tm) systems to protect a system if users are conspiring to kill it. Therefore, the first rule should be to trust your users to a certain extent. Assume that the students are not dumb, but know that they will create code where malloc()'s are not free()'d (leading to 800+Mb memory usage for a single process; login.conf(5) is your friend). Also, they will, after talking with their old somewhat nutty professor, attempt to write a simple protocol implementation in which every new incoming UDP packet results in a fork() being made...

Filesystem quotas can help a lot. So can process accounting in post-mortem analysis. A single odd-process-reaper running via cron(1) can do wonders to those 99%CPU spinning Matlab processes running under Linux-emulation where there's no source code fix. Remember to generalize the reaper and let the process accounting data be the guide of what to add.

Do not underestimate the power of policy. A student having signed the Acceptable-Use-Policy form will not conspire as much against the system since the consequence is account deletion. Many computer users are accustomed to environments where there is a single user on a PC.

A typical attack vector, however, for 1000+ account sites is a compromised account. You can assume at least 5 per 1000 accounts are compromised or have easily guessable passwords. Those will not heed your policy forms whatever you do. You can mitigate the risk by separating systems and limiting account access. When this is not possible, ProPolice, W^X, StackGhost, etc. will come in very handy.

Monitoring is also something you should ponder. In general, students need the freedom to play -- they are in this to learn, so you should give them the freedom, but use policy enforcement if they abuse the freedom given. Network and filesystems can be monitored easily, as well as memory, interrupt counts, etc. The monitoring will make you able to act quickly when something goes wrong. Beware of micro-management though.
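The "odd-process-reaper" idea above, written out as an added example (this is not the poster's script and not part of the original thread). It reads a ps(1) listing, picks out processes that have sat at or above a %CPU threshold for longer than a minimum elapsed time, and logs them, sending SIGTERM only when DRY_RUN=0. The thresholds, the exemption of root and the _* daemon accounts, and the ps keyword list (pid,user,pcpu,etime,comm, as on OpenBSD) are all assumptions; the accounting data from the poster's suggestion is what should drive those choices on a real system.

```shell
#!/bin/sh
# Added example (not the poster's script): a generalized "odd process reaper"
# meant to run from cron(1). Thresholds, exemptions and the ps(1) field list
# are assumptions; let your process accounting data decide what goes in them.

CPU_THRESHOLD=${CPU_THRESHOLD:-90}   # %CPU at or above which a process is suspect
MIN_ELAPSED=${MIN_ELAPSED:-3600}     # seconds it must have run before we act
DRY_RUN=${DRY_RUN:-1}                # 1 = only log, 0 = actually send SIGTERM

# Strip one leading zero so "08" is not read as octal inside $(( )).
dec() { n=${1#0}; printf '%s\n' "${n:-0}"; }

# Convert a ps(1) etime field ([[dd-]hh:]mm:ss) to whole seconds.
etime_to_seconds() {
  e=$1 days=0
  case $e in *-*) days=${e%%-*}; e=${e#*-} ;; esac   # dd-hh:mm:ss
  case $e in
    *:*:*) ;;                   # hh:mm:ss
    *:*)   e="00:$e" ;;         # mm:ss
    *)     e="00:00:$e" ;;      # ss
  esac
  h=${e%%:*}; rest=${e#*:}; m=${rest%%:*}; s=${rest#*:}
  echo $(( $(dec "$days") * 86400 + $(dec "$h") * 3600 + $(dec "$m") * 60 + $(dec "$s") ))
}

# Read "pid user pcpu etime comm" lines on stdin and print the PIDs that exceed
# both thresholds. root and the _* daemon accounts are never candidates.
select_offenders() {
  while read -r pid user pcpu etime comm; do
    case $pid in PID|'') continue ;; esac        # skip the ps header / blank lines
    case $user in root|_*) continue ;; esac      # never touch system accounts
    cpu=${pcpu%%.*}                              # integer part of e.g. "99.0"
    [ "$(dec "$cpu")" -ge "$CPU_THRESHOLD" ] || continue
    [ "$(etime_to_seconds "$etime")" -ge "$MIN_ELAPSED" ] || continue
    echo "$pid"
  done
}

# Act on the PIDs from stdin: log every decision, signal only when DRY_RUN=0.
reap() {
  while read -r pid; do
    msg="reaper: pid $pid at or above ${CPU_THRESHOLD}%CPU for ${MIN_ELAPSED}s"
    if command -v logger >/dev/null 2>&1; then logger -t reaper "$msg"; fi
    echo "$msg"
    if [ "$DRY_RUN" -eq 0 ]; then kill -TERM "$pid"; fi
  done
}

# Run from cron(1), e.g.:  */10 * * * * /usr/local/sbin/reaper.sh run
# The ps(1) keywords are assumed to be OpenBSD's pid,user,pcpu,etime,comm.
case ${1:-} in
  run) ps -axo pid,user,pcpu,etime,comm | select_offenders | reap ;;
esac
```

Start with DRY_RUN=1 and read the log for a week before letting it signal anything; the false positives it reports are exactly the process accounting input the poster suggests using to refine the exemptions. The per-process memory problem (malloc() without free()) is better handled up front by login.conf(5) limits, as the reply says; the reaper only covers the spinning-CPU case that those limits do not.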
