[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Task harden.

On Sun, Apr 01, 2001 at 06:17:53PM -0400, Dan Christensen wrote:
> Ola Lundqvist <opal@debian.org> writes:
> > I'm now packaging a task-harden package as I said in some other
> > thread. 
> I think you're trying to do too much with one package.  It won't
> be flexible enough.  For example, what if I absolutely need to
Not flexible in what sense?

> have a certain insecure package installed, but I want my machine
> to be as secure as possible subject to that constraint.  I
> wouldn't be able to use task-harden for this if it conflicts
> with that package.

No that is true. But this is a task-foo package and is just used
to help you out. But to make this useful at all it has to
conflict something.

Well how du you suggest that I should do?

There is no recommends: ! foo

But if you implement that I will be very happy. :)

> I think increasing the security of Debian should be broken into
> several independent parts:
> - a "Secure Debian howto", with lots of advice.  (Something like this
>   may already exist.)
Maybe I do not know. But that would be a good thing, yes.

> - make each package as secure as possible by default (balanced against
>   usability).
Well I assume that this is already the case. That effort are put
on every package.

> - provide a few specialized secure versions of packages in cases
>   where there is a significant trade-off between security and usability.
That can be a good thing yes. And if that exists I'll conflict
one of them so that only the other can be installed.

> - provide packages that install various kernel packages and secure
>   version of libraries
And then I'll suggest them.

> - write a script that analyzes a system and displays warning messages
>   about insecure things it finds (a "lintian" for security).  This
>   could print messages like "I see you have telnetd installed.  This
>   weakens the security of your system for the following reasons...".
Well when this tool is implemented I'll make sure that it is

> - audit code to increase security
Of course.

> I'm sure others will have similar ideas, which can each be used
> one component at a time, for maximum flexibility.


But still I do not see why a task-harden package can not be a good thing?
I will not use it for everything and it is no guarantee.

It will just help people to not install insecure packages. And if
someone have to install a insecure package then task-harden is probably
not a good thing. But of course I can break out the
conflict buggy packages part in a separate package if that is
what you want.


// Ola

 --------------------- Ola Lundqvist ---------------------------
/  opal@debian.org                     Björnkärrsgatan 5 A.11   \
|  opal@lysator.liu.se                 584 36 LINKÖPING         |
|  +46 (0)13-17 69 83                  +46 (0)70-332 1551       |
|  http://www.opal.dhs.org             UIN/icq: 4912500         |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /

Reply to: