[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Global secure install requested flag(Re: Task harden.)

On Wed, Apr 04, 2001 at 06:29:48PM +1000, Anthony Towns wrote:
> On Wed, Apr 04, 2001 at 07:33:59AM +0200, Ola Lundqvist wrote:
> > > Why not have a global "SECURE_INSTALL_REQUESTED" flag for package 
> > > install scripts so they can modify their install to be secure if 
> > > asked for.  
> Because you shouldn't have to make a choice between security and
> usability. Because default installs should be secure. Because multiple
> different ways of installing a package increases the number of cases
> that need testing, and thus increase the number of cases that *aren't*
> tested before release.

I do agree with that. To bad that all maintainers don't... Maybe
this can give people the choice anyway... But probably this can
be a cludge...

> > That shounds like a good idéa. Do people think that this should
> > be automaticly set by task-harden or should I just provide the
> > question?
> Personally, I think limiting yourself to things you can do in a task
> package is silly. If you're paranoid, you'll want to add TCP wrapper

What is silly about this? Helping the busy administrator to get
rid of the most critical setup errors or helping the novice user?

> rules, and remove default services, and remove setuid bits, and setup
> intrusion detection and logging software, and make sure your system
> is non-standard enough that it will hopefully have to be specifically
> targetted to be cracked. Most of this can't be reasonably done just
> by making a package, and much of it can't be done at all by a policy
> compliant package.

I know that too.
> Security isn't a matter of pushing a button and forgetting about it. Even
> if that button's marked "Powered by apt-get".

Well have you read the description of the package at all?


// Ola

 --------------------- Ola Lundqvist ---------------------------
/  opal@debian.org                     Björnkärrsgatan 5 A.11   \
|  opal@lysator.liu.se                 584 36 LINKÖPING         |
|  +46 (0)13-17 69 83                  +46 (0)70-332 1551       |
|  http://www.opal.dhs.org             UIN/icq: 4912500         |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /

Reply to: