
Re: Security trough paranoia



Hi,

Quoting DrPablo@mail.com (DrPablo@mail.com):
> like RH, TL, SuSE, and so on... I was thinking... Why isn't Debian in the
> Security Linux Projects list at lwn.net? I know!!! That list includes Bastille
> Linux, Immunix, Nexus, SLinux, NSA Security-Enhanced, and Trustix.
Because all the distributions above are specific distributions, aimed at a
hardened platform.

> 	* libsafe (http://www.avayalabs.com/project/libsafe/index.html) must be
> 	  incorporated, in order to prevent several buffer overflow exploits.
<rvdm@trinity:~> apt-cache search libsafe | grep -w libsafe
libsafe - Protection against buffer overflow vulnerabilities
libsafe-hole-perl - Perl module which makes a hole in the Safe compartment
<rvdm@trinity:~> 

> 		* Openwall (http://www.openwall.com/linux/), which adds a new
> 		  Security section in kernel configuration. This is one of the
> 		  most known patches around;
I already maintain this one.

> 		* LIDS (http://www.lids.org), which is an Intrusion Detection
> 		  System patched into the kernel.
<rvdm@trinity:~> apt-cache search lids
lids-2.2.18 - LIDS Kernel Patch and admintool
lids-2.4.1 - LIDS Kernel Patch and Admintool
<rvdm@trinity:~> 

> 		* NSA Security-Enhanced patch (http://www.nsa.gov/selinux/), which
> 		  adds mandatory access controls to linux.
See the discussion earlier this week on -devel.

> 		* International Kernel Patch (http://www.kerneli.org), which permits
> 		  loopback encryption filesystems
I maintain this one as well.

> 	* every package that deals with network must be defaultly configured to the
> 	  most paranoid options (e.g. Squid should have lots of headers filters
> 	  turned on, etc)
> 	* PAM must come with md5 hash enabled by default.
See below..

I think a 'more security conscious' version of debian would be a great idea.
We talked on debian-devel earlier about a 'task-secure-system' (wrong name,
i know) package, to handle this with, and this would, in my opinion, be a
better approach. The hardening process is something that is quite the same
among ports; it is not a different architecture entering the archives.
Packages to 'harden' specific parts of the system would be nicer. I can
imagine a 'harden-kernel' package, maybe a 'harden-network' or
harden-whatever packages, scripts that tighten things up, make things more
secure. Apart from that, hardening things is a very personal decision, and a
very 'local' one as well. I for myself know that i wouldn't want to run a
patch that hides my machine from the network, for example. There is no
single configuration that 'makes things safe'.
If people still think the 'task-secure-system' is a good idea (after the
name is changed ;) ) - i'd be happy to help working on it.

Greets,
	Robert
-- 
			      Linux Generation
	"You must have an IQ of at least half a million."  -- Popeye


