Re: Proposed: task-secure-system package
Hi,
Quoting David Z. Maze (dmaze@MIT.EDU):
> (1) This package is only worthwhile if people are running the most current
> version of it, since if it's going to Conflict with a version of a package
> with a security flaw, there's probably a newer version of it. In other
> words, using it to keep your system secure involves periodically updating
> it, which is probably equivalent to periodically updating your system in
> general anyways.
I was not thinking in the sense of updates; more in the sense of checking-
and hack-fixing it (remove suid bit if possible, check for configuration
flaws that fix the problem, disable service/program if possible/acceptable).
This should all be done through debconf, not through apt/dselect. It would be
a program to check your system with, with updatable data files, that are
included in the most current version of it.
It can advise about updating packages.
> (2) This package seems a great way to give people a false sense of
> security: "Of course my system is secure, I have the task-secure-system
> package installed on it!" UNIX security is a Hard Problem, and it's
> probably not a good idea to try to make people think otherwise.
True, but same goes for any firewall. Maybe it should be called
task-security-helper or something. Large 'do not think you are secure now'
banners will help, too.
Updating from security.debian.org, keeping (almost) no suids on my system,
checking everything with tripwire, _and_ logging to a remote syslog host
with sms-notification doesn't give _me_ a sense of security ;)
Greets,
Robert
--
| rvdm@cistron.nl - Cistron Internet Services - www.cistron.nl |
| php3/c/perl/html/c++/sed/awk/linux/sql/cgi/security |
| My statements are mine, and not necessarily cistron's. |
Despite all appearances, your boss is a thinking, feeling, human being.
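
A sketch of the kind of checker described in the message above: a program driven by an updatable data file that reports suid bits and present services and only gives advice. This is an added example, not part of the original post or of any Debian package; the rule format, the paths, the advice text and the function names are all assumptions made for illustration.

```python
import os
import stat
from collections import namedtuple

# Constructed sample data file: one rule per line, "path|check|advice".
# Paths and advice are made up for illustration, not real advisories.
SAMPLE_RULES = """\
# path|check|advice
/usr/bin/exampletool|suid|remove the suid bit if users do not need it
/usr/sbin/exampled|present|disable the service or upgrade the package
"""

Rule = namedtuple("Rule", "path check advice")


def parse_rules(text):
    """Parse the data file, rejecting malformed lines instead of skipping them."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|", 2)
        if len(parts) != 3 or parts[1] not in ("suid", "present"):
            raise ValueError(f"bad rule on line {n}: {line!r}")
        rules.append(Rule(*parts))
    return rules


def audit(rules, root="/"):
    """Return (path, advice) findings; reports only, never changes the system."""
    findings = []
    for rule in rules:
        target = os.path.join(root, rule.path.lstrip("/"))
        try:
            st = os.lstat(target)  # lstat: do not follow symlinks
        except FileNotFoundError:
            continue  # not installed, nothing to report
        if not stat.S_ISREG(st.st_mode):
            continue  # ignore symlinks, directories, devices
        if rule.check == "present" or st.st_mode & stat.S_ISUID:
            findings.append((rule.path, rule.advice))
    return findings


if __name__ == "__main__":
    for path, advice in audit(parse_rules(SAMPLE_RULES)):
        print(f"{path}: {advice}")
    print("An empty report does not mean the system is secure.")
```

The `root` argument lets the same rules be run against an unpacked tree or chroot instead of the live system.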