On Fri, Feb 13, 2004 at 06:41:19PM +0000, Andrew Suffield wrote: > > > I think that regular Debian equals or beats the exact claims made as > > > to openbsd's "security" (which aren't much - just regarding holes in > > > the default install that can lead to a remote root compromise). Note > > > that this mostly says "We have a default install that doesn't do > > > anything, too". > > > > Umm.. it's really a default install with no network services, which is > > usually quite ok for most users. Our "default" general install is much more > > bloated. > > And precisely how many network services does it include? Anything that > doesn't listen on a network port can't be a remote root issue. > > (I checked first. Did you?) Well, I was drawing from experience (I've hardened a number of Debian systems). Ok, let me see, in woody: 1) exim listens to all remote ports, is installed as the default MTA and run by inetd 2) inetd comes with daytime, time and discard services enabled (that's the netkit-inetd package) [that's just priority 'important'] [ priority 'standard' follows:] 3) portmapper is also enabled 4) nfs-common is also installed, which means lockd and statd RPC services are up and running 5) pidentd is priority 'standard', so you got the identd running through inetd too 6) the printer spooler server lpd, is also installed and open "free for all" 7) OpenSSH is also installed So a user going through the installation+no tasksel+dselect (i.e. a default 'standard' installation) would have 10 remote services open to the world. Not all of them are potential attack vectors, obviously, and some are a functionality vs. exposure (security?) decission (portmap and allies and, probably, pidentd). All of these might be mitigated if netbase configuration for tcp-wrappers (see #62145), or iptables (see #212692) could be configured in a _very_ restricted way (i.e. default 'DENY') This is less exposure [0] than a Solaris 9 default install [1], but more than a RedHat 8 default install [2] (they cheat, they setup a firewall per default since 7.2 :-) and bigger than an OpenBSD default install (IIRC it's only openssh there and some inetd services, no portmaper since 3.2, no mail listening daemon since 3.0, no printer daemon) Notice I do believe that we are improving from release to release (exim4, for example, should not do in sarge what exim3 did on woody) > > Also, the user-space has been audited, something we cannot say we have done > > ourselves. [3] > > In and as of itself, that means nothing. > > Audited by who, how hard, with what objectives, for how long, and how > much code was checked? How much of that code is actually shared with > Debian? What about other independent auditing groups? As far as I can "see" (from afar) OpenBSD has been audited by the same people that work in the project, with a security perspective in mind (no strcpy/strcat/sprintf/vsprintf which have been replaced with "safe" bound checkings alternatives) for some time (they claim 1997). What? I believe the kernel and much the BSD user-space (not all the applications in the ports tree) looks like it has been audited. I don't have time to review all the CVS logs, but a number of vulnerabilities that have been found in *BSD did not apply to OpenBSD. I would need to dig out my database in order to tell you which ones, no time for that though. Regards Javier [0] "Exposure" as defined by the number of network services that can be accessed from outside hosts in a default install. [1] http://www.infosecwriters.com/projects/osscan/sun9dr.php [2] http://www.infosecwriters.com/projects/osscan/redhat8_dr.php
Attachment:
signature.asc
Description: Digital signature