
Re: NFS rooted (new thread).



On Thu, Apr 12, 2001 at 09:10:50PM +0200, David Spreen wrote:
> Hi there,
> 
> On Thu, Apr 12, 2001 at 06:42:37PM +0200, Ola Lundqvist wrote:
> > Well we should of course use a special kernel for hardening. This thread
> > was for network booted machines. I have a lot of things on my mind :)
> 
> great, what do you think about posting a package definition of task-harden
> here? Send us a brainstorming of your ideas :).

Sure. I have made quite a lot of changes now. I have split it into
a couple of harden packages (with a task-package that combines them).

---------------------

Source: task-harden
Section: admin
Priority: optional
Maintainer: Ola Lundqvist <opal@debian.org>
Build-Depends: debhelper (>> 3.0.0)
Standards-Version: 3.5.2

Package: task-harden
Architecture: all
Depends: harden-tools, harden-servers, harden-remoteflaws, harden-localflaws
Suggests: sudo, harden-clients
Description: Harden your system
 This package is intended to help the administrator to improve
 the security of the system, or at least make the host less susceptible.
 .
 NOTE! This package will not make your system uncrackable, and it is
 not intended to do so. Making your system secure involves a LOT
 more than just installing a task-package. You are recommended to
 read (some urls) as a start.
 .
 For more information on how to secure your system see:
 http://www.debian.org/doc/manuals/securing-debian-howto/

Package: harden-tools
Architecture: all
Depends: debsums | tripwire | aide | ids, sash
Recommends: snort | logcheck
Suggests: nessus, john, gnupg
Description: Tools to enhance or analyze the security.
 Harden-tools helps you to install tools that the administrator can use to enhance
 the security of the system in some way.
 .
 NOTE! This package will not make your system uncrackable, and it is
 not intended to do so. Making your system secure involves a LOT
 more than just installing a task-package. You are recommended to
 read (some urls) as a start.
 .
 For more information on how to secure your system see:
 http://www.debian.org/doc/manuals/securing-debian-howto/

Package: harden-environment
Architecture: all
Depends: harden-kernel???
Description: Hardened system environment.
 Harden-environment provides a hardened system environment, or at least
 helps the administrator to configure such an environment.
 .
 NOTE! This package will not make your system uncrackable, and it is
 not intended to do so. Making your system secure involves a LOT
 more than just installing a task-package. You are recommended to
 read (some urls) as a start.
 .
 For more information on how to secure your system see:
 http://www.debian.org/doc/manuals/securing-debian-howto/

Package: harden-servers
Architecture: all
Conflicts: telnetd, ftpd, talkd, fingerd, sendmail, nfs-common, netkit-rpc, nfs-kernel-server, nfs-user-server, rwalld, rusersd, fingerd, portmap, rsh-server, wu-ftpd, uw-imapd, cyrus-imapd, rstartd, vncserver
Description: Avoid servers that are known to be insecure.
 This package is intended to give the administrator an easy option to avoid
 servers that in some sense are insecure. It can be servers that need
 passwords in plaintext, packages that can give someone access to the local
 host without permission, or packages that give system information to remote
 users.
 .
 NOTE! This package will not make your system uncrackable, and it is
 not intended to do so. Making your system secure involves a LOT
 more than just installing a task-package. You are recommended to
 read (some urls) as a start.
 .
 For more information on how to secure your system see:
 http://www.debian.org/doc/manuals/securing-debian-howto/

Package: harden-clients
Architecture: all
Conflicts: x2vnc, xvncviewer, svncviewer, telnet, fetchmail
Suggests: ssh
Description: Avoid servers that are known to be insecure.
 Harden-clients is intended to give the administrator an easy option to avoid
 clients that in some sense are insecure. It can be a client that needs to send
 passwords in plaintext, or packages that can give someone access to the local
 host without permission.
 .
 NOTE! This package will not make your system uncrackable, and it is
 not intended to do so. Making your system secure involves a LOT
 more than just installing a task-package. You are recommended to
 read (some urls) as a start.
 .
 For more information on how to secure your system see:
 http://www.debian.org/doc/manuals/securing-debian-howto/

Package: harden-remoteflaws
Architecture: all
Conflicts: mailx (<< 8.1.1-10.1.5), zope (<< 2.1.6-7), man2html (<< 1.5-23), mc-common (<< 4.5.42-11)
Description: Avoid packages with security holes.
 Harden-remoteflaws is intended to help the administrator to avoid packages
 that are known to have security flaws that allow a remote user access to
 the system without permission. Normally an update manages this but sometimes
 you just want to check for security changes and then this package can help.
 .
 If you want to avoid packages that users on the local host can use
 to compromise the system you should look at the harden-localflaws instead.
 .
 NOTE! This package will not make your system uncrackable, and it is
 not intended to do so. Making your system secure involves a LOT
 more than just installing a package.

Package: harden-localflaws
Architecture: all
Conflicts: glibc (<< 2.1.3-17)
Description: Avoid packages with security holes.
 Harden-localflaws is intended to help the administrator to avoid packages that
 are known to give a local user a way to compromise the system. Normally an update
 manages this but sometimes you just want to check for security changes and then
 this package can help.
 .
 If you want to avoid packages that users on the local host can use
 to compromise the system you should look at the harden-localflaws instead.
 .
 NOTE! This package will not make your system uncrackable, and it is
 not intended to do so. Making your system secure involves a LOT
 more than just installing a package.

---------------------

I have not uploaded this yet because it might need some changes. For example
the harden-environment contains nothing because I do not know what
to add there. One thing is a hardened kernel (with lids for example) and
some _automatic_ tools for analyzing the security.

> And because task-harden is no standard package I suppose it would be great to
> let more than one person work on it, so what do you think about uploading
> it to an apt-repository and updating it every time you make changes.
> So we can help you develop...

Well I will probably do that later on. I just want to have a little bit
more stable package before. Why I simply don't allow everyone to
change it is because the purpose has to be clear first.

I'll include the text from the README.Debian that I have just written and
I hope that it describes what I want to do with this package:

------------------

task-harden for Debian
----------------------



STATUS:
=======

This is a package in early progress. The first version will not be
very useful but in the future it will probably give you a quite good
indication of what is good and what is bad in the sense of security.



GOAL:
=====

The goal is to make it easier to install and administrate hosts
that need good security.



POLICY:
=======

This package should be used by people that want some quick help to
enhance the security of the system. To do this it will conflict with
packages with known flaws.

Flaws can be:
* Bugs, like buffer overflows.
* Sends passwords in plaintext.
* No access control.
* other.

It should also provide some tools that enhance the security in some
sense:

* Security analysis.
* Intrusion detection.
* Security tightening (only recommended).
* more.

NOTE! No other packages should be depended or recommended because the
administrator should have the opportunity to remove them. Ssh is, for
example, not required to make a secure host.



FUTURE:
=======

In the future this package should be maintained by a group of people.
But until there is some kind of consensus about what this package should
do I'll keep the maintenance of this package.


 -- Ola Lundqvist <opal@debian.org>, Thu,  12 Apr 2001 22:23:09 +0200

-----------------

> so long...

Hope this boosts some creative discussion.  :)


Regards,

// Ola

-- 
 --------------------- Ola Lundqvist ---------------------------
/  opal@debian.org                     Björnkärrsgatan 5 A.11   \
|  opal@lysator.liu.se                 584 36 LINKÖPING         |
|  +46 (0)13-17 69 83                  +46 (0)70-332 1551       |
|  http://www.opal.dhs.org             UIN/icq: 4912500         |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------
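
What the Conflicts fields in the control file above would flag on a given host, as an added example that is not part of the original message: it parses those fields and checks them against a constructed list of installed packages using Debian's version ordering (epoch, then upstream, then revision, with digit runs compared numerically). The installed versions and all function names are assumptions made for illustration.

```python
import operator
import re

# Conflicts fields copied from the control file in the message above.
CONFLICTS = {
    "harden-remoteflaws": "mailx (<< 8.1.1-10.1.5), zope (<< 2.1.6-7), "
                          "man2html (<< 1.5-23), mc-common (<< 4.5.42-11)",
    "harden-localflaws": "glibc (<< 2.1.3-17)",
    "harden-clients": "x2vnc, xvncviewer, svncviewer, telnet, fetchmail",
}
# Constructed sample of installed packages (name -> version), not real data.
INSTALLED = {"glibc": "2.1.3-10", "zope": "2.1.6-7", "telnet": "0.17-12",
             "mailx": "1:8.1.1-10", "man2html": "1.5-9"}
OPS = {"<<": operator.lt, "<=": operator.le, "=": operator.eq,
       ">=": operator.ge, ">>": operator.gt}
ITEM = re.compile(r"\s*([a-z0-9][a-z0-9+.-]*)\s*"
                  r"(?:\(\s*(<<|<=|=|>=|>>)\s*([^\s)]+)\s*\))?\s*")

def _order(ch):
    # Debian ordering: '~' < end of run (0) < letters < other characters.
    if ch == "~":
        return -1
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _key(part):
    # Pairs of (non-digit run, number). findall's trailing empty match gives
    # every key an end marker, so "1.0~rc1" sorts before "1.0".
    return [([_order(c) for c in run] + [0], int(num or 0))
            for run, num in re.findall(r"(\D*)(\d*)", part)]

def version_key(version):
    """Sort key for [epoch:]upstream[-revision]; a missing revision is 0."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "0")
    return int(epoch), _key(upstream), _key(rev)

def audit(installed):
    """Return (harden package, installed package, version) for each conflict."""
    hits = []
    for harden_pkg, field in CONFLICTS.items():
        for item in field.split(","):
            name, op, limit = ITEM.fullmatch(item).groups()
            have = installed.get(name)
            if have and (not op or OPS[op](version_key(have), version_key(limit))):
                hits.append((harden_pkg, name, have))
    return hits

if __name__ == "__main__":
    for hit in audit(INSTALLED):
        print("%s conflicts with installed %s %s" % hit)
```

On a Debian system `dpkg --compare-versions` performs the same version comparison; the point of the sample is that `1.5-9` sorts below `1.5-23` and that an epoch such as `1:` outranks any version without one.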


