
Re: Task harden.



On Mon, Apr 02, 2001 at 10:11:24AM +0200, Alexander Reelsen wrote:
> Hi
> 
> On Mon, Apr 02, 2001 at 12:33:03AM +0200, Ola Lundqvist wrote:
> > On Sun, Apr 01, 2001 at 06:17:53PM -0400, Dan Christensen wrote:
> > > I think increasing the security of Debian should be broken into
> > > several independent parts:
> > > 
> > > - a "Secure Debian howto", with lots of advice.  (Something like this
> > >   may already exist.)
> > Maybe, I do not know. But that would be a good thing, yes.
> http://www.debian.org/doc/manuals/securing-debian-howto/

Thanks, added to the description of the package.

> > > - provide a few specialized secure versions of packages in cases
> > >   where there is a significant trade-off between security and usability.
> > That can be a good thing yes. And if that exists I'll conflict
> > one of them so that only the other can be installed.
> Hm. That's some sort of bloating. Often (not always) you only need to
> change the config files. You could try to create secure configurations
> (which then might limit usability) and put them into
> /usr/share/doc/$package/examples/, as long as you don't need to do
> compile-time changes.

Well, if it is just the configs that need to be changed then (of course?)
it should not be a different package.

I was thinking about things like: telnet and telnet-ssl. :)

> > > - write a script that analyzes a system and displays warning messages
> > >   about insecure things it finds (a "lintian" for security).  This
> > >   could print messages like "I see you have telnetd installed.  This
> > >   weakens the security of your system for the following reasons...".
> > Well when this tool is implemented I'll make sure that it is
> > installed.
> Sounds like a non-acting BastilleLinux for Debian...
> IMHO a good and clean (and secure) default install beats every security
> check script. Oh, and isn't nessus at least partly what you are proposing
> here?

I have now suggested (just before I got this mail) nessus. But I do
agree that a clean default setup is one of the best things. :)

> > > - audit code to increase security
> > Of course.
> If you got the loads of time :-)

Well I do not intend to do it alone ;)
 
> > But still I do not see why a task-harden package can not be a good thing?
> > I will not use it for everything and it is no guarantee.
> It's inflexible. Security always depends on the machine and the purpose of
> it. You cannot know both as a packager.

Well of course it would not be that flexible. It will just help people
_a bit_.

> But if you want, just put it in and wait for flame^Wreactions ;-)

I will...
And let us see what happens :) 

Regards,

// Ola

-- 
 --------------------- Ola Lundqvist ---------------------------
/  opal@debian.org                     Björnkärrsgatan 5 A.11   \
|  opal@lysator.liu.se                 584 36 LINKÖPING         |
|  +46 (0)13-17 69 83                  +46 (0)70-332 1551       |
|  http://www.opal.dhs.org             UIN/icq: 4912500         |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------


