
Re: Task harden.



Hi

On Mon, Apr 02, 2001 at 12:33:03AM +0200, Ola Lundqvist wrote:
> On Sun, Apr 01, 2001 at 06:17:53PM -0400, Dan Christensen wrote:
> > I think increasing the security of Debian should be broken into
> > several independent parts:
> > 
> > - a "Secure Debian howto", with lots of advice.  (Something like this
> >   may already exist.)
> Maybe, I do not know. But that would be a good thing, yes.
http://www.debian.org/doc/manuals/securing-debian-howto/


> > - provide a few specialized secure versions of packages in cases
> >   where there is a significant trade-off between security and usability.
> That can be a good thing yes. And if that exists I'll conflict
> one of them so that only the other can be installed.
Hm. That's some sort of bloating. Often (not always) you only need to
change the config files. You could try to create secure configurations
(which then might limit usability) and put them into
/usr/share/doc/$package/examples/, as long as you don't need to do
compile-time changes.

> > - write a script that analyzes a system and displays warning messages
> >   about insecure things it finds (a "lintian" for security).  This
> >   could print messages like "I see you have telnetd installed.  This
> >   weakens the security of your system for the following reasons...".
> Well when this tool is implemented I'll make sure that it is
> installed.
Sounds like a non-acting BastilleLinux for Debian...
IMHO a good and clean (and secure) default install beats every security
check script. Oh, and isn't nessus at least partly what you are proposing
here?

> > - audit code to increase security
> Of course.
If you've got loads of time :-)

> But still I do not see why a task-harden package can not be a good thing?
> I will not use it for everything and it is no guarantee.
It's inflexible. Security always depends on the machine and the purpose of
it. You cannot know both as a packager.

But if you want, just put it in and wait for flame^Wreactions ;-)


MfG/Regards, Alexander

-- 
Alexander Reelsen   http://joker.rhwd.de
ref@linux.com       GnuPG: pub 1024D/F0D7313C  sub 2048g/6AA2EDDB
ar@rhwd.net         7D44 F4E3 1993 FDDF 552E  7C88 EE9C CBD1 F0D7 313C
Securing Debian:    http://joker.rhwd.de/doc/Securing-Debian-HOWTO


