[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Task harden.

Ola Lundqvist <opal@debian.org> writes:

> I'm now packaging a task-harden package as I said in some other
> thread. 

I think you're trying to do too much with one package.  It won't
be flexible enough.  For example, what if I absolutely need to
have a certain insecure package installed, but I want my machine
to be as secure as possible subject to that constraint.  I
wouldn't be able to use task-harden for this if it conflicts
with that package.

I think increasing the security of Debian should be broken into
several independent parts:

- a "Secure Debian howto", with lots of advice.  (Something like this
  may already exist.)
- make each package as secure as possible by default (balanced against
- provide a few specialized secure versions of packages in cases
  where there is a significant trade-off between security and usability.
- provide packages that install various kernel packages and secure
  version of libraries
- write a script that analyzes a system and displays warning messages
  about insecure things it finds (a "lintian" for security).  This
  could print messages like "I see you have telnetd installed.  This
  weakens the security of your system for the following reasons...".
- audit code to increase security

I'm sure others will have similar ideas, which can each be used
one component at a time, for maximum flexibility.


Dan Christensen

Reply to: