Re: Task-harden
On Mon, Apr 02, 2001 at 11:58:00AM -0300, DrPablo@mail.com wrote:
>
> Hello Ola!
Hi
> | I'm now packaging a task-harden package as I said in some other
> | thread. To make this work fine I need some help:
> | * What insecure versions of software that should be avoided.
> | So upgrading this package can indicate if you have problems
> | with a package. Yes this will create a _large_ conflicts line... :)
> | Maybe I will split this to a separate package if it gets too
> | complicated. But not yet...
>
> Let's see: bind, timed (I guess I heard some DoS with
> this), slrn, inetd, identd
Well bind is hard to replace. Someone was digging up a chrooted
one though.
timed, dos on the entire machine or just the specific service?
slrn, isn't that a news reader? suid root or?
identd, already fixed. :)
> | * What packages should be avoided.
>
> Those rsh-things, wu-ftpd, sendmail (of course), mountd (I guess
> this one is too damned important to be in this list!), portmapper (I've
> heard it will be split from netbase in sid) and every RPCs
It is split out (as far as I can see), and they are avoided.
> Some of these I listed may belong to the other list above.
>
> | * What packages must be installed (security related).
> | * What packages should be installed.
> | * What packages can improve security.
>
> Tripwire (I guess LIDS or AIDE can be an option to this. You can
> make a Require: IDS and Tripwire, AIDE and LIDS may contain a Provide:
> IDS. You should contact David Spreen which is maintaining lids, I
> guess), qmail or postfix, gnupg, snort, ssh (of course), shadow, PAM
> with md5 and cracklib, john (maybe).
Added gnupg, john to suggest.
Is IDS with capital letters?
> |
> | And now some questions (that can be discussed).
> | * I intend to conflict with inetd. Do you think that is ok?
>
> Great! I hate that goddamned thing! Too much exploitable!!! I
> guess not so much with tcpd. I guess a good approach (as we could have
> some inetd lovers) is to make inetd require tcpd or replace it with
> xinetd or tcpserver.
Is it inetd that is the prob or the packages that need it?
Regards,
// Ola
--
--------------------- Ola Lundqvist ---------------------------
/ opal@debian.org Björnkärrsgatan 5 A.11 \
| opal@lysator.liu.se 584 36 LINKÖPING |
| +46 (0)13-17 69 83 +46 (0)70-332 1551 |
| http://www.opal.dhs.org UIN/icq: 4912500 |
\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
---------------------------------------------------------------
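The thread sketches how a hardening metapackage would express the policy with ordinary Debian control fields: a Conflicts line listing packages (and versions) to keep off the box, a Depends on a virtual package that any installed IDS satisfies, and a Suggests for optional tools. The following debian/control fragment is an added illustration written for this page; it is not the control file of the task-harden package being discussed or of any real package. The package names follow the thread, the virtual package name is written as "ids" because Debian package names, virtual ones included, must be lowercase (which answers the "capital letters" question above), and the version bound on bind is a placeholder, not a real fixed version.

```text
Source: task-harden
Section: admin
Priority: optional
Maintainer: hypothetical maintainer <maintainer@example.invalid>
Standards-Version: 3.5.2

Package: task-harden
Architecture: all
# Hard requirements: some IDS (satisfied via the virtual package below),
# ssh, shadow passwords and PAM.
Depends: ids, ssh, shadow, libpam-modules, libpam-cracklib
# Optional tools named in the thread as "should be installed".
Suggests: gnupg, john, snort
# Packages that must not be installed at the same time. A versioned
# entry only conflicts with releases older than the given version;
# FIXED-VERSION is a placeholder, not a real bind version.
Conflicts: inetd, rsh-server, rsh-client, wu-ftpd, sendmail,
 bind (<< FIXED-VERSION)
Description: metapackage that helps harden a Debian system
 Installing this package pulls in security tooling and refuses to
 coexist with packages the maintainer considers unsafe. Upgrading it
 to a new revision updates the list of versions to avoid.

# Each IDS package declares that it provides the virtual package "ids",
# so any one of them satisfies task-harden's Depends line.
Package: tripwire
Provides: ids

Package: aide
Provides: ids
```

A Conflicts line only blocks co-installation; it cannot remove a package that is already present, so dpkg will refuse to install task-harden until the conflicting package is removed, which is exactly the "indicate if you have problems with a package" behaviour described in the thread. Virtual packages such as ids are also unversioned, so a versioned Depends on an IDS would have to name the concrete package instead.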