Re: Global secure install requested flag(Re: Task harden.)

To: debian-devel@lists.debian.org
Subject: Re: Global secure install requested flag(Re: Task harden.)
From: Ola Lundqvist <opal@debian.org>
Date: Thu, 5 Apr 2001 19:28:35 +0200
Message-id: <[🔎] 20010405192834.A24158@diamond.opal.dhs.org>
Mail-followup-to: Ola Lundqvist <opal@debian.org>, debian-devel@lists.debian.org
Reply-to: opal@debian.org
In-reply-to: <[🔎] 20010404182948.A32330@azure.humbug.org.au>; from aj@azure.humbug.org.au on Wed, Apr 04, 2001 at 06:29:48PM +1000
References: <[🔎] 20010401222607.A3570@diamond.opal.dhs.org> <[🔎] 873dbsb6y6.fsf@uwo.ca> <[🔎] 20010402003302.C3570@diamond.opal.dhs.org> <[🔎] 3ACAAEC6.F1AC960D@visi.com> <[🔎] 20010404073358.A20647@diamond.opal.dhs.org> <[🔎] 20010404182948.A32330@azure.humbug.org.au>

On Wed, Apr 04, 2001 at 06:29:48PM +1000, Anthony Towns wrote:
> On Wed, Apr 04, 2001 at 07:33:59AM +0200, Ola Lundqvist wrote:
> > > Why not have a global "SECURE_INSTALL_REQUESTED" flag for package 
> > > install scripts so they can modify their install to be secure if 
> > > asked for.  
> 
> Because you shouldn't have to make a choice between security and
> usability. Because default installs should be secure. Because multiple
> different ways of installing a package increases the number of cases
> that need testing, and thus increase the number of cases that *aren't*
> tested before release.

I do agree with that. To bad that all maintainers don't... Maybe
this can give people the choice anyway... But probably this can
be a cludge...

> > That shounds like a good idéa. Do people think that this should
> > be automaticly set by task-harden or should I just provide the
> > question?
> 
> Personally, I think limiting yourself to things you can do in a task
> package is silly. If you're paranoid, you'll want to add TCP wrapper

What is silly about this? Helping the busy administrator to get
rid of the most critical setup errors or helping the novice user?

> rules, and remove default services, and remove setuid bits, and setup
> intrusion detection and logging software, and make sure your system
> is non-standard enough that it will hopefully have to be specifically
> targetted to be cracked. Most of this can't be reasonably done just
> by making a package, and much of it can't be done at all by a policy
> compliant package.

I know that too.
 
> Security isn't a matter of pushing a button and forgetting about it. Even
> if that button's marked "Powered by apt-get".

Well have you read the description of the package at all?

Regards,

// Ola

-- 
 --------------------- Ola Lundqvist ---------------------------
/  opal@debian.org                     Björnkärrsgatan 5 A.11   \
|  opal@lysator.liu.se                 584 36 LINKÖPING         |
|  +46 (0)13-17 69 83                  +46 (0)70-332 1551       |
|  http://www.opal.dhs.org             UIN/icq: 4912500         |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------

Reply to:

References:
- Task harden.
  - From: Ola Lundqvist <opal@debian.org>
- Re: Task harden.
  - From: Dan Christensen <jdc@uwo.ca>
- Re: Task harden.
  - From: Ola Lundqvist <opal@debian.org>
- Global secure install requested flag(Re: Task harden.)
  - From: Bryan Andersen <bryan@visi.com>
- Re: Global secure install requested flag(Re: Task harden.)
  - From: Ola Lundqvist <opal@debian.org>
- Re: Global secure install requested flag(Re: Task harden.)
  - From: Anthony Towns <aj@azure.humbug.org.au>

Prev by Date: Re: testing is broken
Next by Date: Re: testing is broken
Previous by thread: Re: Global secure install requested flag(Re: Task harden.)
Next by thread: Re: Task harden.
Index(es):
- Date
- Thread