Re: Task-harden
On Thu, Apr 12, 2001 at 08:55:28AM -0500, Vince Mulhollon wrote:
>
> On 04/12/2001 07:16:22 AM David Spreen wrote:
> I agree with you. Obviously my webserver would be more secure if I removed
> apache. That doesn't mean I want to remove apache from my webserver.
Well my intention is not to remove things like apache. Only to conflict with
versions of apache that are known to be insecure.
> Maybe it would be easier to make task-harden depend on a package called
> "security.deb" that acts similar to "vrms" and sends a gripe email either
> monthly or when requested that lists every security failing.
That is a good idea. Anyone who wants to write this kind of package is
welcome! :) I'll gladly depend on that (if it works).
> For example, an /etc/exports file containing something like "/ (rw)" could
> be discouraged and would generate an email similar to vrms combined with
> lintian:
>
> to: root
> subject: security.deb monthly report
>
> To get detailed information on a security failing, from a command line run
> security --title "title".
>
> The following security issues are new issues since last months report:
>
> New Major problems:
>
> blah-blah-blah: blah is insecure, upgrade the blah package immediately to
> ver 9.0
>
> New Minor problems:
>
> nfsserver-exports-anonymous-rw: /etc/exports has anonymous write access
>
> The following security issues were reported in the past and still aren't
> fixed:
>
> Old Major problems:
>
> sendmail-relay-open: /etc/sendmail.cf has an open mail relay
>
> Old Minor problems:
>
> none
>
> The following security items are not tested because security --title
> "title" --ignore was run:
>
> proftpd-generally-naughty
> apache-permissions-problem
> mount-users-can-unmount-partitions-root-mounted
>
> Then look at a specific details of a complaint:
>
> bash$ security --title nfsserver-exports-anonymous-rw
>
> Title: nfsserver-exports-anonymous-rw
>
> Description:
> Your /etc/exports file has a (rw) entry without any access control lists.
> That means anyone on your LAN or the internet can molest your files.
>
> Reason for classification:
> Classified as a minor problem because you might only be using this to
> export temp space or you may not have internet connectivity, so it might
> not really be a problem.
>
> Possible Solutions:
> 1) Add access control to only allow trusted hosts (rw) access
> 2) Remove the (rw) line from your exports file
> 3) Change the (rw) line to (ro) (note, still allows anyone to read your
> files, just can't write anymore)
> 4) Remove the nfs server package (note, a bad idea if this machine is
> supposed to be an NFS server)
>
> Related documentation:
> http://nfs.org/security
>
> bash$ security --title nfsserver-exports-anonymous-rw --ignore
>
> Debian security system touched file
> /var/spool/security/ignore/nfsserver-exports-anonymous-rw and the results
> of this test will occur in the "ignored" part of the email.
This scanning mechanism sounds fine to me.
Regards,
// Ola
--
--------------------- Ola Lundqvist ---------------------------
/ opal@debian.org Björnkärrsgatan 5 A.11 \
| opal@lysator.liu.se 584 36 LINKÖPING |
| +46 (0)13-17 69 83 +46 (0)70-332 1551 |
| http://www.opal.dhs.org UIN/icq: 4912500 |
\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
---------------------------------------------------------------
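The scanning mechanism sketched in the quoted mail, written out as an added example. This is not code from the thread, from task-harden, or from any Debian package: the /etc/exports sample is constructed, the ignore directory and the second check (world export with no_root_squash) and its tag are assumptions made for illustration, and the report layout only mimics the mail above. The one documented fact it relies on is that a space between the host field and the options, as in "/ (rw)", leaves the host field empty, so the options apply to every client.

```python
"""Added example: a small lintian-style 'security' checker of the kind the
thread proposes.  Not a real Debian package; see the lead-in for what is
assumed."""
import os
import re
from dataclasses import dataclass

# Constructed sample /etc/exports (not a real server's file).  "/ (rw)" is
# the classic mistake: a space before the options leaves the client field
# empty, so the export is read-write for every host.
SAMPLE_EXPORTS = """\
/home    192.168.1.0/24(rw,sync)
/        (rw)
/pub     *(ro)
/scratch *.lab.example(rw)
/tmp     *(rw,no_root_squash)
"""

CLIENT_RE = re.compile(r'(?P<client>[^\s(]*)(?:\((?P<opts>[^)]*)\))?')


def parse_exports(text):
    """Return [(path, [(client, [option, ...]), ...]), ...].
    An empty client field is normalised to '*' (any host).  Quoted paths
    containing spaces are not handled by this toy parser."""
    exports = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        path, *tokens = line.split()
        clients = []
        for tok in tokens:
            m = CLIENT_RE.fullmatch(tok)
            if m is None:
                raise ValueError(f'unparseable export entry: {tok!r}')
            opts = [o for o in (m.group('opts') or '').split(',') if o]
            clients.append((m.group('client') or '*', opts))
        exports.append((path, clients))
    return exports


@dataclass
class Finding:
    tag: str
    severity: str   # 'major' or 'minor'
    message: str


CHECKS = {}   # tag -> (severity, generator yielding one message per hit)


def check(tag, severity):
    def register(fn):
        CHECKS[tag] = (severity, fn)
        return fn
    return register


@check('nfsserver-exports-anonymous-rw', 'minor')   # tag taken from the mail
def exports_anonymous_rw(ctx):
    for path, clients in parse_exports(ctx['exports']):
        for client, opts in clients:
            if client == '*' and 'rw' in opts:
                yield f'{path} is exported read-write to any host'


@check('nfsserver-exports-anonymous-no-root-squash', 'major')  # hypothetical tag
def exports_anonymous_no_root_squash(ctx):
    for path, clients in parse_exports(ctx['exports']):
        for client, opts in clients:
            if client == '*' and 'no_root_squash' in opts:
                yield f'{path} lets root on any host act as root'


def load_ignored(ignore_dir):
    """A tag is ignored by touching <ignore_dir>/<tag>, as the mail proposes
    (the directory itself is an assumption)."""
    return set(os.listdir(ignore_dir)) if os.path.isdir(ignore_dir) else set()


def mark_ignored(tag, ignore_dir):
    os.makedirs(ignore_dir, exist_ok=True)
    open(os.path.join(ignore_dir, tag), 'a').close()


def run_checks(ctx, ignored):
    """Run every registered check except the ignored ones; return the
    findings and the list of tags that were skipped."""
    findings, skipped = [], []
    for tag, (severity, fn) in sorted(CHECKS.items()):
        if tag in ignored:
            skipped.append(tag)
            continue
        findings.extend(Finding(tag, severity, m) for m in fn(ctx))
    return findings, skipped


def build_report(findings, skipped, previous_tags):
    """Group findings the way the proposed monthly mail does: new vs. old
    (tag already reported last time), major vs. minor, plus ignored tags."""
    report = {'new': {'major': [], 'minor': []},
              'old': {'major': [], 'minor': []},
              'ignored': list(skipped)}
    for f in findings:
        age = 'old' if f.tag in previous_tags else 'new'
        report[age][f.severity].append(f)
    return report


def format_report(report):
    out = ['subject: security.deb monthly report', '']
    for age in ('new', 'old'):
        for sev in ('major', 'minor'):
            out.append(f'{age.capitalize()} {sev.capitalize()} problems:')
            items = report[age][sev]
            out.extend(f'  {f.tag}: {f.message}' for f in items) if items else out.append('  none')
            out.append('')
    out.append('Not tested because --ignore was run:')
    out.extend(f'  {t}' for t in report['ignored']) if report['ignored'] else out.append('  none')
    return '\n'.join(out)


if __name__ == '__main__':
    found, skipped = run_checks({'exports': SAMPLE_EXPORTS}, ignored=set())
    last_month = {'nfsserver-exports-anonymous-rw'}   # state from the previous run
    print(format_report(build_report(found, skipped, last_month)))
```

Note that `*(ro)` on /pub and the wildcard host `*.lab.example` are deliberately not flagged: the check only fires when the client field is literally empty or `*` and the options include `rw`, which is the case the mail calls anonymous write access.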