Re: Task harden.

To: debian-devel@lists.debian.org
Subject: Re: Task harden.
From: Ola Lundqvist <opal@debian.org>
Date: Mon, 2 Apr 2001 00:33:03 +0200
Message-id: <[🔎] 20010402003302.C3570@diamond.opal.dhs.org>
Mail-followup-to: Ola Lundqvist <opal@debian.org>, debian-devel@lists.debian.org
Reply-to: opal@debian.org
In-reply-to: <[🔎] 873dbsb6y6.fsf@uwo.ca>; from jdc@uwo.ca on Sun, Apr 01, 2001 at 06:17:53PM -0400
References: <[🔎] 20010401222607.A3570@diamond.opal.dhs.org> <[🔎] 873dbsb6y6.fsf@uwo.ca>

On Sun, Apr 01, 2001 at 06:17:53PM -0400, Dan Christensen wrote:
> Ola Lundqvist <opal@debian.org> writes:
> 
> > I'm now packaging a task-harden package as I said in some other
> > thread. 
> 
> I think you're trying to do too much with one package.  It won't
> be flexible enough.  For example, what if I absolutely need to
Not flexible in what sense?

> have a certain insecure package installed, but I want my machine
> to be as secure as possible subject to that constraint.  I
> wouldn't be able to use task-harden for this if it conflicts
> with that package.

No that is true. But this is a task-foo package and is just used
to help you out. But to make this useful at all it has to
conflict something.

Well how du you suggest that I should do?

There is no recommends: ! foo

But if you implement that I will be very happy. :)

> I think increasing the security of Debian should be broken into
> several independent parts:
> 
> - a "Secure Debian howto", with lots of advice.  (Something like this
>   may already exist.)
Maybe I do not know. But that would be a good thing, yes.

> - make each package as secure as possible by default (balanced against
>   usability).
Well I assume that this is already the case. That effort are put
on every package.

> - provide a few specialized secure versions of packages in cases
>   where there is a significant trade-off between security and usability.
That can be a good thing yes. And if that exists I'll conflict
one of them so that only the other can be installed.

> - provide packages that install various kernel packages and secure
>   version of libraries
And then I'll suggest them.

> - write a script that analyzes a system and displays warning messages
>   about insecure things it finds (a "lintian" for security).  This
>   could print messages like "I see you have telnetd installed.  This
>   weakens the security of your system for the following reasons...".
Well when this tool is implemented I'll make sure that it is
installed.

> - audit code to increase security
Of course.

> I'm sure others will have similar ideas, which can each be used
> one component at a time, for maximum flexibility.

Yes.

But still I do not see why a task-harden package can not be a good thing?
I will not use it for everything and it is no guarantee.

It will just help people to not install insecure packages. And if
someone have to install a insecure package then task-harden is probably
not a good thing. But of course I can break out the
conflict buggy packages part in a separate package if that is
what you want.

Regards,

// Ola

-- 
 --------------------- Ola Lundqvist ---------------------------
/  opal@debian.org                     Björnkärrsgatan 5 A.11   \
|  opal@lysator.liu.se                 584 36 LINKÖPING         |
|  +46 (0)13-17 69 83                  +46 (0)70-332 1551       |
|  http://www.opal.dhs.org             UIN/icq: 4912500         |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------

Reply to:

Follow-Ups:
- Re: Task harden.
  - From: Alexander Reelsen <ar@rhwd.net>
- Re: Task harden.
  - From: Dan Christensen <jdc@uwo.ca>
- Global secure install requested flag(Re: Task harden.)
  - From: Bryan Andersen <bryan@visi.com>

References:
- Task harden.
  - From: Ola Lundqvist <opal@debian.org>
- Re: Task harden.
  - From: Dan Christensen <jdc@uwo.ca>

Prev by Date: Re: Task harden.
Next by Date: Re: Task harden.
Previous by thread: Re: Task harden.
Next by thread: Re: Task harden.
Index(es):
- Date
- Thread