[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Task-harden

On 04/12/2001 07:16:22 AM David Spreen wrote:

>> Hi there,
>> Put only packages in the Conflict field which are replaced by others
>> by task-harden. Removing insecure solutions is easy, but when we provide
>> a package that does all the security stuff, we have to provide
>> The system should not become unusable with this package installed.
>> We have to provide the possibility to secure a nfs-server without
>> saying "You are a NFS server, you cannot be secure, so let's remove
>> nfs. Ok you're useless now, but who cares? It's secure.".

I agree with you.  Obviously my webserver would be more secure if I removed
apache.  That doesn't mean I want to remove apache from my webserver.

Maybe it would be easier to make task-harden depend on a package called
"security.deb" that acts similar to "vrms" and sends a gripe email either
monthly or when requested that lists every security failling.

For example, an /etc/exports file containing something like "/ (rw)" could
be discouraged and would generate an email similar to vrms combined with

to: root
subject: security.deb monthly report

To get detailed information on a security failling, from a command line run
security --title "title".

The following security issues are new issues since last months report:

New Major problems:

blah-blah-blah: blah is insecure, upgrade the blah package immediately to
ver 9.0

New Minor problems:

nfsserver-exports-anonymous-rw: /etc/exports has anonymous write access

The following security issues were reported in the past and still aren't

Old Major problems:

sendmail-relay-open: /etc/sendmail.cf has an open mail relay

Old Minor problems:


The following security items are not tested because security --title
"title" --ignore was run:


Then look at a specific details of a complaint:

bash$ security --title nfsserver-exports-anonymous-rw

Title: nfsserver-exports-anonymous-rw

Your /etc/exports file has a (rw) entry without any access control lists.
That means anyone on your LAN or the internet can molest your files.

Reason for classification:
Classified as a minor problem because you might only be using this to
export temp space or you may not have internet connectivity, so it might
not really be a problem.

Possible Solutions:
1) Add access control to only allow trusted hosts (rw) access
2) Remove the (rw) line from your exports file
3) Change the (rw) line to (ro) (note, still allows anyone to read you
files, just can't write anymore)
4) Remove the nfs server package (note, a bad idea if this machine is
supposed to be a NFS server)

Related documentation:

bash$ security --title nfsserver-exports-anonymous-rw --ignore

Debian security system touched file
/var/spool/security/ignore/nfsserver-exports-anonymous-rw and the results
of this test will occur in the "ignored" part of the email.

Reply to: