Re: Task-harden

To: debian-devel@lists.debian.org
Subject: Re: Task-harden
From: "Vince Mulhollon" <vlm@norlight.com>
Date: Thu, 12 Apr 2001 08:55:28 -0500
Message-id: <[🔎] OF48303B53.17E96508-ON86256A2C.004A0405@norlight.com>

On 04/12/2001 07:16:22 AM David Spreen wrote:

>> Hi there,
>> PLEASE:
>>
>> Put only packages in the Conflict field which are replaced by others
installed
>> by task-harden. Removing insecure solutions is easy, but when we provide
>> a package that does all the security stuff, we have to provide
alternatives.
>> The system should not become unusable with this package installed.
>> We have to provide the possibility to secure a nfs-server without
>> saying "You are a NFS server, you cannot be secure, so let's remove
>> nfs. Ok you're useless now, but who cares? It's secure.".

I agree with you.  Obviously my webserver would be more secure if I removed
apache.  That doesn't mean I want to remove apache from my webserver.

Maybe it would be easier to make task-harden depend on a package called
"security.deb" that acts similar to "vrms" and sends a gripe email either
monthly or when requested that lists every security failling.

For example, an /etc/exports file containing something like "/ (rw)" could
be discouraged and would generate an email similar to vrms combined with
lintian:

to: root
subject: security.deb monthly report

To get detailed information on a security failling, from a command line run
security --title "title".

The following security issues are new issues since last months report:

New Major problems:

blah-blah-blah: blah is insecure, upgrade the blah package immediately to
ver 9.0

New Minor problems:

nfsserver-exports-anonymous-rw: /etc/exports has anonymous write access

The following security issues were reported in the past and still aren't
fixed:

Old Major problems:

sendmail-relay-open: /etc/sendmail.cf has an open mail relay

Old Minor problems:

none

The following security items are not tested because security --title
"title" --ignore was run:

proftpd-generally-naughty
apache-permissions-problem
mount-users-can-unmount-partitions-root-mounted

Then look at a specific details of a complaint:

bash$ security --title nfsserver-exports-anonymous-rw

Title: nfsserver-exports-anonymous-rw

Description:
Your /etc/exports file has a (rw) entry without any access control lists.
That means anyone on your LAN or the internet can molest your files.

Reason for classification:
Classified as a minor problem because you might only be using this to
export temp space or you may not have internet connectivity, so it might
not really be a problem.

Possible Solutions:
1) Add access control to only allow trusted hosts (rw) access
2) Remove the (rw) line from your exports file
3) Change the (rw) line to (ro) (note, still allows anyone to read you
files, just can't write anymore)
4) Remove the nfs server package (note, a bad idea if this machine is
supposed to be a NFS server)

Related documentation:
http://nfs.org/security

bash$ security --title nfsserver-exports-anonymous-rw --ignore

Debian security system touched file
/var/spool/security/ignore/nfsserver-exports-anonymous-rw and the results
of this test will occur in the "ignored" part of the email.

Reply to:

Follow-Ups:
- Re: Task-harden
  - From: Ola Lundqvist <opal@debian.org>

Prev by Date: Re: ftp filesystem
Next by Date: Re: Another case of `why isn't this in testing yet'
Previous by thread: Re: Task-harden
Next by thread: Re: Task-harden
Index(es):
- Date
- Thread