Re: Task harden.
On Sun, Apr 01, 2001 at 06:17:53PM -0400, Dan Christensen wrote:
> Ola Lundqvist <opal@debian.org> writes:
>
> > I'm now packaging a task-harden package as I said in some other
> > thread.
>
> I think you're trying to do too much with one package. It won't
> be flexible enough. For example, what if I absolutely need to
Not flexible in what sense?
> have a certain insecure package installed, but I want my machine
> to be as secure as possible subject to that constraint. I
> wouldn't be able to use task-harden for this if it conflicts
> with that package.
No that is true. But this is a task-foo package and is just used
to help you out. But to make this useful at all it has to
conflict something.
Well how do you suggest that I should do?
There is no recommends: ! foo
But if you implement that I will be very happy. :)
> I think increasing the security of Debian should be broken into
> several independent parts:
>
> - a "Secure Debian howto", with lots of advice. (Something like this
> may already exist.)
Maybe, I do not know. But that would be a good thing, yes.
> - make each package as secure as possible by default (balanced against
> usability).
Well I assume that this is already the case. That effort is put
into every package.
> - provide a few specialized secure versions of packages in cases
> where there is a significant trade-off between security and usability.
That can be a good thing yes. And if that exists I'll conflict
one of them so that only the other can be installed.
> - provide packages that install various kernel packages and secure
> version of libraries
And then I'll suggest them.
> - write a script that analyzes a system and displays warning messages
> about insecure things it finds (a "lintian" for security). This
> could print messages like "I see you have telnetd installed. This
> weakens the security of your system for the following reasons...".
Well when this tool is implemented I'll make sure that it is
installed.
> - audit code to increase security
Of course.
> I'm sure others will have similar ideas, which can each be used
> one component at a time, for maximum flexibility.
Yes.
But still I do not see why a task-harden package can not be a good thing?
I will not use it for everything and it is no guarantee.
It will just help people to not install insecure packages. And if
someone has to install an insecure package then task-harden is probably
not a good thing. But of course I can break out the
conflict buggy packages part in a separate package if that is
what you want.
Regards,
// Ola
--
--------------------- Ola Lundqvist ---------------------------
/ opal@debian.org Björnkärrsgatan 5 A.11 \
| opal@lysator.liu.se 584 36 LINKÖPING |
| +46 (0)13-17 69 83 +46 (0)70-332 1551 |
| http://www.opal.dhs.org UIN/icq: 4912500 |
\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
---------------------------------------------------------------