
Re: Task-harden



On Mon, Apr 02, 2001 at 11:58:00AM -0300, DrPablo@mail.com wrote:
> 
> Hello Ola!

Hi

> | I'm now packaging a task-harden package as I said in some other
> | thread. To make this work fine I need some help:
> | * What insecure versions of software that should be avoided.
> |   So upgrading this package can indicate if you have problems
> |   with a package. Yes this will create a _large_ conflicts line... :)
> |   Maybe I will split this to a separate package if it gets too
> |   complicated. But not yet...
> 
> 	Let's see: bind, timed (I guess I heard some DoS with
> this), slrn, inetd, identd

Well bind is hard to replace. Someone was digging up a chrooted
one though.

timed, DoS on the entire machine or just the specific service?

slrn, isn't that a news reader? suid root or?

identd, already fixed. :)
 
> | * What packages should be avoided.
> 
> 	Those rsh-things, wu-ftpd, sendmail (of course), mountd (I guess
> this one is too damned important to be in this list!), portmapper (I've
> heard it will be split from netbase in sid) and every RPC

It is split out (as far as I can see), and they are avoided.

> 	Some of these I listed may belong to the other list above.
> 	
> | * What packages must be installed (security related).
> | * What packages should be installed.
> | * What packages can improve security.
> 
> 	Tripwire (I guess LIDS or AIDE can be an option to this. You can
> make a Require: IDS and Tripwire, AIDE and LIDS may contain a Provide:
> IDS. You should contact David Spreen who is maintaining lids, I
> guess), qmail or postfix, gnupg, snort, ssh (of course), shadow, PAM
> with md5 and cracklib, john (maybe).

Added gnupg, john to suggest.

is IDS with capital letters?

> | 
> | And now some questions (that can be discussed).
> | * I intend to conflict with inetd. Do you think that is ok?
> 
> 	Great! I hate that goddamned thing! Too exploitable!!! I
> guess not so much with tcpd. I guess a good approach (as we could have
> some inetd lovers) is to make inetd require tcpd or replace it with
> xinetd or tcpserver.

Is it inetd that is the prob or the packages that need it?

Regards,

// Ola

-- 
 --------------------- Ola Lundqvist ---------------------------
/  opal@debian.org                     Björnkärrsgatan 5 A.11   \
|  opal@lysator.liu.se                 584 36 LINKÖPING         |
|  +46 (0)13-17 69 83                  +46 (0)70-332 1551       |
|  http://www.opal.dhs.org             UIN/icq: 4912500         |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------
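As an added illustration (not from the thread, and not the actual task-harden package), this is how the relations discussed above would be written in debian/control: the task package depends on a virtual package that several IDS packages provide, suggests the optional tools, and conflicts with inetd. The field names are standard Debian control fields; the virtual package name `ids`, the maintainer address and the package list are assumptions taken from the proposal in the quoted mail.

```debcontrol
# Added example, not the project's own packaging. Field names are real
# Debian control fields; the virtual package "ids" and the maintainer
# address are assumptions following the proposal in the quoted mail.

# --- debian/control of the task-harden source package ---
Source: task-harden
Section: admin
Priority: optional
Maintainer: Task Harden Maintainer <placeholder@example.invalid>

Package: task-harden
Architecture: all
# Any one IDS satisfies the virtual package "ids", so the user can
# pick tripwire, aide or lids without editing this stanza.
Depends: ids, ssh
# Optional extras the reply agreed to add as suggestions.
Suggests: gnupg, john
# Refuse to coexist with the classic inetd, as proposed in the mail.
Conflicts: inetd
Description: hardened system profile
 Pulls in security-related packages and conflicts with software
 the thread suggests avoiding on a hardened host.

# --- debian/control of an IDS package (for example aide) ---
Package: aide
Architecture: any
# Declaring Provides makes this package satisfy "Depends: ids" above.
Provides: ids
Description: Advanced Intrusion Detection Environment
 File integrity checker that can satisfy the task-harden IDS
 requirement.
```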


