
[Gnumed-devel] Re: GNUmed (debian) servers and security

From: Andreas Tille
Subject: [Gnumed-devel] Re: GNUmed (debian) servers and security
Date: Mon, 28 Jan 2008 13:38:40 +0100 (CET)
User-agent: Alpine 1.00 (DEB 882 2007-12-20)

On Sun, 27 Jan 2008, James Busser wrote:

1. The server needs adequate physical protection. Even if the room in which it resides can be accessed by thieves it would be good to have some additional physical lockdown of the machine. I understand that it is not unusual for thieves to bring bolt cutters with them, therefore special hardened chain that cannot be severed with bolt cutters but must instead be cut with a grinder may be better for this situation.

Encrypt your hard disk.  In case a thief takes away the box, chances
are good that the data remain inaccessible.  You can choose to encrypt
the hard disk during the installation process (which worked perfectly
on my laptop without any problems).  On the other hand this
requires physical access to the machine on reboot (at least I do not
know another way).

2. Debian etch - what should be done with it to make it more secure? Does it come with services that should be removed or turned off? What manner of things (like Bastille Linux?) should be activated? Is there any set of practices we would encourage and anywhere to be pointed to?

You just found

I think following those hints is a very good idea.

3. The server medical data (Postgres cluster for GNUmed, dumps, downloaded HL7 messages etc) should live on an encrypted partition. TrueCrypt seems to have become the standard for multi-OS encryption but its license does not qualify for direct Debian distributions. Is it still wiser / better to use it, over (say) cryptmount?

I would stick to the default encryption method that is used at installation
time.  I admit I did not care what is actually used.  (I only care about
things that do not work as I want them to work and there was no need to
worry about anything so far.)

BTW, regarding GNUmed server packages: It is not that I would not like to
build those packages but I feel that they require a certain amount of time
to test and make sure that everything works fine.  I'm currently not able
to spend much time in a row that I expect to be needed.  I really hope
(but only _hope_) that it might become better soon.  If you would like
to speed this up you might perhaps try to prepare some packages and I
will verify / test / enhance them.

Kind regards


