On Thu, Apr 12, 2001 at 08:55:28AM -0500, Vince Mulhollon wrote:
> On 04/12/2001 07:16:22 AM David Spreen wrote:
> I agree with you. Obviously my webserver would be more secure if I removed
> apache. That doesn't mean I want to remove apache from my webserver.
Well my intention is not to remove things like apache. Only to conflict with
versions of apache that are known to be insecure.
> Maybe it would be easier to make task-harden depend on a package called
> "security.deb" that acts similar to "vrms" and sends a gripe email either
> monthly or when requested that lists every security failing.
That is a good idea. Anyone who wants to write this kind of package is
welcome! :) I'll gladly depend on that (if it works).
> For example, an /etc/exports file containing something like "/ (rw)" could
> be discouraged and would generate an email similar to vrms combined with
> to: root
> subject: security.deb monthly report
> To get detailed information on a security failing, from a command line run
> security --title "title".
> The following security issues are new issues since last month's report:
> New Major problems:
> blah-blah-blah: blah is insecure, upgrade the blah package immediately to
> ver 9.0
> New Minor problems:
> nfsserver-exports-anonymous-rw: /etc/exports has anonymous write access
> The following security issues were reported in the past and still aren't
> Old Major problems:
> sendmail-relay-open: /etc/sendmail.cf has an open mail relay
> Old Minor problems:
> The following security items are not tested because security --title
> "title" --ignore was run:
> Then look at a specific details of a complaint:
> bash$ security --title nfsserver-exports-anonymous-rw
> Title: nfsserver-exports-anonymous-rw
> Your /etc/exports file has a (rw) entry without any access control lists.
> That means anyone on your LAN or the internet can molest your files.
> Reason for classification:
> Classified as a minor problem because you might only be using this to
> export temp space or you may not have internet connectivity, so it might
> not really be a problem.
> Possible Solutions:
> 1) Add access control to only allow trusted hosts (rw) access
> 2) Remove the (rw) line from your exports file
> 3) Change the (rw) line to (ro) (note, still allows anyone to read your
> files, just can't write anymore)
> 4) Remove the nfs server package (note, a bad idea if this machine is
> supposed to be an NFS server)
> Related documentation:
> bash$ security --title nfsserver-exports-anonymous-rw --ignore
> Debian security system touched file
> /var/spool/security/ignore/nfsserver-exports-anonymous-rw and the results
> of this test will occur in the "ignored" part of the email.
This scanning mechanism sounds fine to me.
--------------------- Ola Lundqvist ---------------------------
/ email@example.com Björnkärrsgatan 5 A.11 \
| firstname.lastname@example.org 584 36 LINKÖPING |
| +46 (0)13-17 69 83 +46 (0)70-332 1551 |
| http://www.opal.dhs.org UIN/icq: 4912500 |
\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
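As an added illustration of the exports check and the ignore file sketched in the quoted proposal (example code, not from the thread or from any Debian package): it parses exports(5)-style text, flags (rw) entries with no client restriction, and classifies the result as the proposed monthly report would. The sample /etc/exports contents are constructed; the check title and ignore directory are the ones named in the thread.

```python
"""Added example, not code from the thread or any Debian package: a minimal
check in the spirit of the proposed security.deb scanner. It flags exports(5)
entries granting (rw) to unrestricted clients. Sample data is constructed."""
import os
import re

TITLE = "nfsserver-exports-anonymous-rw"      # check title used in the thread
IGNORE_DIR = "/var/spool/security/ignore"     # ignore directory from the thread

def parse_exports(text):
    """Yield (path, client, options) for each client entry in exports(5) text."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        path, entries = fields[0], fields[1:]
        if not entries:                       # bare path: everyone, default options
            yield path, "", []
        for entry in entries:
            m = re.match(r"^([^(]*)(?:\((.*)\))?$", entry)
            if m is None:                     # malformed entry, skip it
                continue
            opts = m.group(2).split(",") if m.group(2) else []
            yield path, m.group(1), opts

def anonymous_rw_exports(text):
    """Paths exported read-write to any client. An empty client comes from
    '/ (rw)': the space before (rw) makes the option apply to the whole world."""
    return [path for path, client, opts in parse_exports(text)
            if "rw" in opts and client in ("", "*")]

def is_ignored(ignore_dir=IGNORE_DIR):
    """True once 'security --title TITLE --ignore' has touched the ignore file."""
    return os.path.exists(os.path.join(ignore_dir, TITLE))

def report(text, ignored=False):
    """Return (classification, offending paths): 'ok', 'ignored' or 'minor'."""
    hits = anonymous_rw_exports(text)
    return ("ok" if not hits else "ignored" if ignored else "minor"), hits

SAMPLE_EXPORTS = """# constructed sample, not a real configuration
/         (rw)                    # world-writable: note the space before (rw)
/home     trusted.example.net(rw,sync)
/pub      *(ro,sync)
/scratch  *(rw,no_root_squash)
"""

if __name__ == "__main__":
    print(TITLE, report(SAMPLE_EXPORTS, ignored=is_ignored()))
```

Run against a real /etc/exports by passing its contents to report(); the "ignored" classification corresponds to the ignore file the proposal describes touching.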