RE: Security trough paranoia
On 2 Apr, Joris Lambrecht wrote:
> I've also been a debian user since it's very early days, think there was
> just one release before hamm wasn't there ? Forgot about the name (rain ?)
> Anyway, i was out of it for a few years but i'm not planning on backing out
Yeah! The one before hamm was "bo" (1.3), but I had little
contact with this.
> In fact you'd be setting up an entirely new distribution wich would be
> debian based, no ? The idea must be very appealing to Company's working with
> the internet of course ... why not simply post your idea on a security
> mailinglist ? Isn't there one for debian security ?
We have discussed this subject as a thread for my previous message at
debian-devel (Refer to debian-devel archives). People have thought it
would be unnecessary to launch a new port (or even a new distro), and
the solution pointed by some more experienced users and developers was
to create alternative versions of every package that needs hardening
(mainly those which must be suid), including kernel. Those packages
could be hooked to a virtual package (let's say task-secure-system or
task-harden...) and could be available to those who needed is
(corporations, paranoid users, ...) as their local law permits (I guess
German government has an issue with this kind of stuff, I don't know).
This efford will be coordinated by Ola Lundqvist (firstname.lastname@example.org) with
our contribution. He have already (I guess) written an ITP for this.
I have asked if this discussion should take place at another
list, but debian-devel seemed to like this discussion, so it went on.
> Also, there is something called the trinity project wich is all about
> networking etc. Why not set up some kind of How TO on securing you
> distribution with recompiling you software ? This might be a possible
> parallell track with the secure distro but would in fact be a nice ramp-up
> to start securing your systems while waiting for Fort Knox GNU/Linux to come
> out. This kind of project might also be worth to have a page at
I guess every efford already conducted (such as immunix tools
and TrinityOS) will be used in this "debian hardening" project.
> Greetings and good luck with this project,
> PS : let me know if this reply was usefull in a way.
Of course... every feedback is always wanted. Thanx again.
BTW, I forwarded this reply to debian-devel, hope you don't
> -----Original Message-----
> From: DrPablo@mail.com [mailto:DrPablo@mail.com]
> Sent: vrijdag 30 maart 2001 22:47
> To: email@example.com
> Cc: firstname.lastname@example.org;
> Subject: Security trough paranoia
> I'm a Debian user since its hamm release. Some of the things that
> always woried me (and I guess, a couple of other users) is the lack of
> security hardening in the Debian distro. This email is to report some
> idea I've got sometime ago. I have already posted this idea to
> debian-user, but it doesn't appear in the archives. I don't know what
> happened to my first post, so, here it is, but a little more elaborated:
> I know... the Debian security team is one of the best things about
> Debian. All you have to do to agree is read some security advisories
> (like Bugtraq): The first distribution to always correct a recently
> discovered exploit is Debian. Sometimes even before it become known.
> Ok... but this is done, a little later, of course, by other distros,
> like RH, TL, SuSE, ans so on... I was thinking... Why isn't Debian in the
> Security Linux Projects list at lwn.net? I know!!! That list includes
> Linux, Immunix, Nexus, SLinux, NSA Security-Enhanced, and Trustix.
> Alright... my idea is to create something that makes Debian enters
> that list. But what?... It could be a port!!! Like Debian Hurd, or Debian
> or Debian Alpha, and so on.... (We can call this Debian Paranoid ;-) )
> But why an entire port? These are the reasons:
> * everything must be recompiled under stackguard
> (http://www.immunix.org/stackguard.html). This would prevent the
> "stack smashing" attack.
> * glibc must be patched with formatguard
> (http://www.immunix.org/formatguard.html). This would prevent the
> "format bugs", a bug in the printf function.
> * libsafe (http://www.avayalabs.com/project/libsafe/index.html) must
> incorporated, in order to prevent several buffer overflow
> * the kernel may be patched with the latest security patches, not
> from the official tree, but also the followings:
> * Openwall (http://www.openwall.com/linux/), which adds a
> Security section in kernel configuration. This is one of
> most known patches around;
> * HAP-linux (http://www.theaimsgroup.com/~hlein/hap-linux/),
> which is a set of patches incremental to the first one.
> * LIDS (http://www.lids.org), which is a Intrusion Detection
> System patched into the kernel.
> * Linux IP Personality patch
> which makes remote SO query very hard (I guess only kernel
> 2.4 is
> * NSA Security-Enhanced patch (http://www.nsa.gov/selinux/),
> adds mandatory access controls to linux.
> * Stealth Kernel Patch
> (I guess this one is too early yet) which hides your
> machine from
> the network.
> * SysRq_X patch (http://pusa.uv.es/~ulisses/sysrq_X.tar.gz),
> adds the option to execute a program when system crashes
> (using Alt-SysRq-X)
> * SubDomain kernel extension
> which is a better implementation of the chroot jail
> * International Kernel Patch (http://www.kerneli.org), which
> loopback encryption filesystems
> * every package that deals with network must be defaultly configured
> to the
> most paranoid options (e.g. Squid should have lots of headers
> turned on, etc)
> * PAM must come with md5 hash enabled by default.
> * ....
> Well, there are just tooooooo many things that, I guess, justify a
> port (although the first reason I gave is the strongest one). Of course, the
> target of this "port" would be Debian i386, but, I don't see why other ports
> join it.
> This is my idea. I sent it to debian-user and to debian-devel.
> **Please**, I'd like to hear your opinion (I mean opinion, not flames.
> Flames will
> silently be redirected to /dev/null, as usual). Send them to me directly (or
> CC me
> if you prefer), 'cause I am not a signed member of these lists.
> TIA. Sorry the looooooong email, and my bad english, but I am from
> (BTW, did it sound english anyway?).