[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Security through paranoia 2, with proposal...

On Sat, Mar 31, 2001 at 06:02:09PM -0300, DrPablo@mail.com wrote:
> Hello ALL!
> 	I'd like to thanx everyone who replied (even those flames I
> received directly, with no echo through the list...>/dev/null).
> 	Well.. maybe a new port is too much. Maybe some
> task-secure-system (or whatever), kernel-hardened and harden-XXX
> XX packages are a better approach (as suggested by some people). What
> we have to do is get this to work!!!

Not much. A task-harden (or similar) would do quite a lot. And
of course package all the paranoid tools.

A kernel-image-2.4.x-hardend would be quite good to. And package
all the paranoid kernel patches if someone wants to compile their
own one. Tha is often needed if you use not that standard tools.

> 	Some messages I received told me that some users already have
> some of this "paranoid" tools tunned. Could we get this stuff together?
> Maybe creating a sub-project or a workgroup to accomplish this? Is there
> anything alike already running? If there is, how can I join these
> effords?

Join the security team and send maintainers patches that makes the
packages more secure. :)

But here comes a problem. To make a really good task-harden package
(or similar) some changes have to be made to the depends, suggests

First of all a suggests if, recommends if and depends if should
be present. That would be really a great thing because then you
could do like: (maybe a replaces and conflicts if too?)

Depends: apache-ssl | apache_mod-ssl (if apache), 

But maybe that is too hard to implement, or?

One other thing that would be great is a recommends ! and suggests !.
We already have a depends !, and that is conflicts.

So with this approach a task-harden control files could look
something like this: (not complete!)

Depends: apache-ssl | apache_mod-ssl (if apache), uw-imap-ssl (if uw-imap) ...
Conflicts: telnetd
Recommends: ! talkd
Suggests: kernel-image-2.4.2-harden

So what do you all think?

I think this can be a long time goal at least. Maybe we should implement
a library that handles packages dependencies so that this can
be changed without too much problems in tools like dpkg, apt, dselect
and more.


// Ola

 --------------------- Ola Lundqvist ---------------------------
/  opal@debian.org                     Björnkärrsgatan 5 A.11   \
|  opal@lysator.liu.se                 584 36 LINKÖPING         |
|  +46 (0)13-17 69 83                  +46 (0)70-332 1551       |
|  http://www.opal.dhs.org             UIN/icq: 4912500         |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /

Reply to: