
Task-harden



Hello Ola!

	There go my 2 cents!

| Hi
| 
| I'm now packaging a task-harden package as I said in some other
| thread. To make this work fine I need some help:
| * What insecure versions of software that should be avoided.
|   So upgrading this package can indicate if you have problems
|   with a package. Yes this will create a _large_ conflicts line... :)
|   Maybe I will split this to a separate package if it gets too
|   complicated. But not yet...

	Let's see: bind, timed (I guess I heard some DoS with
this), slrn, inetd, identd

| * What packages should be avoided.

	Those rsh-things, wu-ftpd, sendmail (of course), mountd (I guess
this one is too damned important to be in this list!), portmapper (I've
heard it will be split from netbase in sid) and every RPC.
	Some of these I listed may belong to the other list above.
	
| * What packages must be installed (security related).
| * What packages should be installed.
| * What packages can improve security.

	Tripwire (I guess LIDS or AIDE can be an option to this. You can
make a Require: IDS and Tripwire, AIDE and LIDS may contain a Provide:
IDS. You should contact David Spreen, who is maintaining lids, I
guess), qmail or postfix, gnupg, snort, ssh (of course), shadow, PAM
with md5 and cracklib, john (maybe).

| 
| And now some questions (that can be discussed).
| * I intend to conflict with inetd. Do you think that is ok?

	Great! I hate that goddamned thing! Too exploitable!!! I
guess not so much with tcpd. I guess a good approach (as we could have
some inetd lovers) is to make inetd require tcpd or replace it with
xinetd or tcpserver.

| * I will recommend ssh but then this package has to go to
|   non-US, right? And will it work as a task package then?

	I am not sure, but I think task packages may require something
that is in the non-us tree even if this task package does not live in
there. So, if the user doesn't have nonus.debian.org (or a mirror) in his
sources.list that non-us package is just not installed.
 
| This is the control file as it is right now.
| ***
| Source: task-harden
| Section: non-US/base
| Priority: optional
| Maintainer: Ola Lundqvist <opal@debian.org>
| Build-Depends: debhelper (>> 3.0.0)
| Standards-Version: 3.5.2
| 
| Package: task-harden
| Architecture: any
| Depends: 
| Recommends: ssh
| Suggests: sudo
| Conflicts: telnetd, ftpd, talkd, fingerd
| Description: Helps you make the host less easy to crack.
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                         Loved this part ;)

|  This package is intended to help the administrator to improve
|  the security for the system.
|  .
|  Some packages should never be installed if you need high security
|  so this package conflicts with them.
|  And some packages really improve the security of the system so
|  it will depend, recommend or suggest them.
|  .
|  It will also conflict with versions that are known to be buggy to
|  force the administrator to upgrade them (and not keep them on hold).
|  To make this work I need help with this (send a mail to
|  task-harden@packages.debian.org with that information).
| ***
| 
| This is of course just a beginning and I need suggestions to make
| this work fine.

	May I suggest we use the TrinityOS-HOWTO as a guide. They have
some great advice in that!
 
| Regards,
| 
| // Ola
| 
| -- 
|  --------------------- Ola Lundqvist ---------------------------
| /  opal@debian.org                     Björnkärrsgatan 5 A.11   \
| |  opal@lysator.liu.se                 584 36 LINKÖPING         |
| |  +46 (0)13-17 69 83                  +46 (0)70-332 1551       |
| |  http://www.opal.dhs.org             UIN/icq: 4912500         |
| \  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
|  ---------------------------------------------------------------

	So long.

	[]s

	Pablo
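Added illustration (not Ola's control file and not Pablo's words): how the two mechanisms discussed in this thread would look in a debian/control. A versioned Conflicts entry makes apt refuse to install task-harden while a known-buggy version is held on the box, and a virtual package lets the task require *an* IDS without naming one. The version numbers are placeholders, not real cut-off versions, and the second stanza only shows what the tripwire/aide/lids packages would have to add; it is not their actual packaging.

```debcontrol
Source: task-harden
Section: non-US/base
Priority: optional
Maintainer: Ola Lundqvist <opal@debian.org>
Build-Depends: debhelper (>> 3.0.0)
Standards-Version: 3.5.2

Package: task-harden
# A metapackage ships no compiled files, so "all" instead of "any".
Architecture: all
# "ids" is a virtual package; any package that Provides: ids satisfies it.
Depends: ids
# tcpd so inetd-style services at least get TCP wrappers; ssh lives in non-US.
Recommends: ssh, tcpd
Suggests: sudo, gnupg, snort, john
# Unversioned: these should never be installed on a hardened host.
# Versioned: only the buggy versions conflict, so upgrading clears the conflict.
# X.Y.Z-N are PLACEHOLDER versions, to be replaced by real cut-offs.
Conflicts: telnetd, ftpd, talkd, fingerd, rsh-server, wu-ftpd,
 bind (<< X.Y.Z-N), slrn (<< X.Y.Z-N)
Description: Helps you make the host less easy to crack.
 This package is intended to help the administrator to improve
 the security for the system.
 .
 Packages that should never be installed on a hardened host conflict
 with this package, and known-buggy versions of other packages conflict
 until they are upgraded. Installing it also pulls in an intrusion
 detection system through the virtual package "ids".

# --- What an IDS package would add to its own control stanza (illustration) ---
Package: aide
Architecture: any
Depends: ${shlibs:Depends}
# Declaring the virtual package makes this package satisfy "Depends: ids".
Provides: ids
Description: Advanced Intrusion Detection Environment
 (placeholder description; the real package's text is not reproduced here)
```

The Conflicts approach is blunt: apt reports the conflict at install time but does not say *why* the version is bad, so the changelog or package description should name the issue. The virtual package only works if every IDS package on the list really carries Provides: ids, which is why Pablo suggests contacting the lids maintainer rather than assuming it.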
	


