[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Security trough paranoia


Quoting DrPablo@mail.com (DrPablo@mail.com):
> like RH, TL, SuSE, ans so on... I was thinking... Why isn't Debian in the
> Security Linux Projects list at lwn.net? I know!!! That list includes Bastille
> Linux, Immunix, Nexus, SLinux, NSA Security-Enhanced, and Trustix.
Because all the distributions above are specific distributions, aimed at a
hardened platform.

> 	* libsafe (http://www.avayalabs.com/project/libsafe/index.html) must be
> 	  incorporated, in order to prevent several buffer overflow exploits.
<rvdm@trinity:~> apt-cache search libsafe | grep -w libsafe
libsafe - Protection against buffer overflow vulnerabilities
libsafe-hole-perl - Perl module which makes a hole in the Safe compartment

> 		* Openwall (http://www.openwall.com/linux/), which adds a new
> 		  Security section in kernel configuration. This is one of the
> 		  most known patches around;
I already maintain this one.

> 		* LIDS (http://www.lids.org), which is a Intrusion Detection
> 		  System patched into the kernel.
<rvdm@trinity:~> apt-cache search lids
lids-2.2.18 - LIDS Kernel Patch and admintool
lids-2.4.1 - LIDS Kernel Patch and Admintool

> 		* NSA Security-Enhanced patch (http://www.nsa.gov/selinux/), which
> 		  adds mandatory access controls to linux.
See the discussion earlier this week on -devel.

> 		* International Kernel Patch (http://www.kerneli.org), which permits
> 		  loopback encryption filesystems
I maintain this one as well.

> 	* every package that deals with network must be defaultly configured to the
> 	  most paranoid options (e.g. Squid should have lots of headers filters
> 	  turned on, etc)
> 	* PAM must come with md5 hash enabled by default.
See below..

I think a īmore security conscious' version of debian would be a great idea.
We talked on debian-devel earlier about a 'task-secure-system' (wrong name,
i know) package, to handle this with, and this would, in my opinion, be a
better approach. The hardening process is something that is quite the same
among ports; it is not a different architecture entering the archives.
Packages to 'harden' specific parts of the system would be nicer. I can
imagine a 'harden-kernel' package, maybe a 'harden-network' or
harden-whatever packages, scripts that tighten things up, make things more
secure. Apart from that, hardening things is a very personal decision, and a
very 'local' one as well. I for myself know that i wouldn't want to run a
patch that hides my machine from the network, for example. There is no
single configuration that 'makes things safe'.
If people still think the 'task-secure-system' is a good idea (after the
name is changed ;) ) - i'd be happy to help working on it.

			      Linux Generation
	"You must have an IQ of at least half a million."  -- Popeye

Reply to: