Re: Proposed: task-secure-system package

To: Robert van der Meulen <rvdm@cistron.nl>
Cc: debian-devel@lists.debian.org
Subject: Re: Proposed: task-secure-system package
From: Russell Coker <russell@coker.com.au>
Date: Fri, 20 Oct 2000 13:27:21 +0200
Message-id: <00102013272100.04543@lyta>
Reply-to: Russell Coker <russell@coker.com.au>
In-reply-to: <20001020131056.C4179@cistron.nl>
References: <00102012455600.00754@lyta> <20001020131056.C4179@cistron.nl>

On 2000-10-20 13:10, Robert van der Meulen wrote:
>Quoting Russell Coker (russell@coker.com.au):
>
><packages that check for old/buggy versions of programs>
>
>> I think that it would be good if there was a task-secure-system package
>> for Debian that did this.
>
>I have been thinking about this, and think it would be cool. Checking for
>old/buggy versions of programs is probably not useful, as a
>security.debian.org apt-rule would've fixed that in the next upgrade. At

If you have web access.  Please don't forget that there are huge numbers of 
machines behind various firewalls, in locations without phone lines, etc.

I would like to have a floppy disk containing some software that I could 
install on a machine anywhere.  Then that software would tell me (in some 
fashion) what programs I need.  I could dump that output to a file and return 
the next day with all the relevant packages.

>upgrade-time the task-secure-system package would get to know about the
>old/buggy programs, but that would be too late as they're being upgraded at
>that moment anyways ;)

Apart from held packages...  Some people like to put packages on hold when 
they work well and not upgrade them (some proposed changed to dselect/apt may 
remove the need for this).  People who have packages on hold currently won't 
know that the new version fixes a root exploit.

>What i _would_ like is a set of packages that make alterations of
>configurations/configuration files (i.e. clean up /etc/inetd.conf, tighten

Same here.

>permissions, disallow remote-root ssh logins etc.).

I disagree.  I think that in the way machines get used in large networks 
allowing remote root logins via RSA key is good.  I have written a patch for 
openssh 2 which will put the email-address field from the authorized_keys 
file into the syslog message when someone logs in.  This means that if you 
have administrators logging in directly as root from their workstations with 
RSA authentication (using a pass-phrase of course) then you will know who 
logged in each time at a glance.  Also such information travels well through 
various log file analysis software.
If administrators login to their own accounts and su then things aren't 
nearly as clear.

>If you pull this a bit further, things like 'task-firewall-masq' (would set
>up a basic masq box to do masquerading/firewalling trough a debconf
>interface) come to mind.
>
>I would like to work on stuff like this, but probably can't find the time to
>do this by myself ;)

OK.  Maybe this is something we can discuss at the next debian-devel-nl 
meeting or linux-prog-nl meeting.

-- 
http://www.coker.com.au/bonnie++/     Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/       Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/     My home page

Reply to:

Follow-Ups:
- Re: Proposed: task-secure-system package
  - From: Robert van der Meulen <rvdm@cistron.nl>

References:
- Proposed: task-secure-system package
  - From: Russell Coker <russell@coker.com.au>
- Re: Proposed: task-secure-system package
  - From: Robert van der Meulen <rvdm@cistron.nl>

Prev by Date: RE: Hardware GL with a G400
Next by Date: Re: Proposed: task-secure-system package
Previous by thread: Re: Proposed: task-secure-system package
Next by thread: Re: Proposed: task-secure-system package
Index(es):
- Date
- Thread