Re: Security through paranoia
Quoting DrPablo@mail.com (DrPablo@mail.com):
> like RH, TL, SuSE, and so on... I was thinking... Why isn't Debian in the
> Security Linux Projects list at lwn.net? I know!!! That list includes Bastille
> Linux, Immunix, Nexus, SLinux, NSA Security-Enhanced, and Trustix.
Because all the distributions above are specific distributions, aimed at a
> * libsafe (http://www.avayalabs.com/project/libsafe/index.html) must be
> incorporated, in order to prevent several buffer overflow exploits.
<rvdm@trinity:~> apt-cache search libsafe | grep -w libsafe
libsafe - Protection against buffer overflow vulnerabilities
libsafe-hole-perl - Perl module which makes a hole in the Safe compartment
> * Openwall (http://www.openwall.com/linux/), which adds a new
> Security section in kernel configuration. This is one of the
> most known patches around;
I already maintain this one.
> * LIDS (http://www.lids.org), which is an Intrusion Detection
> System patched into the kernel.
<rvdm@trinity:~> apt-cache search lids
lids-2.2.18 - LIDS Kernel Patch and admintool
lids-2.4.1 - LIDS Kernel Patch and Admintool
> * NSA Security-Enhanced patch (http://www.nsa.gov/selinux/), which
> adds mandatory access controls to Linux.
See the discussion earlier this week on -devel.
> * International Kernel Patch (http://www.kerneli.org), which permits
> loopback encryption filesystems
I maintain this one as well.
> * every package that deals with network must be configured by default to the
> most paranoid options (e.g. Squid should have lots of headers filters
> turned on, etc)
> * PAM must come with md5 hash enabled by default.
I think a 'more security conscious' version of Debian would be a great idea.
We talked on debian-devel earlier about a 'task-secure-system' (wrong name,
I know) package, to handle this with, and this would, in my opinion, be a
better approach. The hardening process is something that is quite the same
among ports; it is not a different architecture entering the archives.
Packages to 'harden' specific parts of the system would be nicer. I can
imagine a 'harden-kernel' package, maybe a 'harden-network' or
harden-whatever packages, scripts that tighten things up, make things more
secure. Apart from that, hardening things is a very personal decision, and a
very 'local' one as well. I for myself know that I wouldn't want to run a
patch that hides my machine from the network, for example. There is no
single configuration that 'makes things safe'.
If people still think the 'task-secure-system' is a good idea (after the
name is changed ;) ) - I'd be happy to help working on it.
"You must have an IQ of at least half a million." -- Popeye