[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Proposal for new Security subsection for non-US

Dear All,

It has come to my attention over the past 2 years that there are a
number of deficiencies when dealing with the security software such as
snort and Nessus in the current stable release.  

The list of problems are:

o So out of date the exploit and signature databases are so out of date
that no protection is afforded against current attacks and detection of
today's software vulnerabilities.

o Updating vulnerability databases does not work as generally the new
data on the 'Net is no longer compatible with the binaries in stable.

o New versions have new detection algorithms, capabilities, and
methodologies that are needed to deal with current and serious threats.

All of the above combine to make the packages in stable a security risk
if depended on for a site's security, even though they do not make the
machine running the software insecure.  Bit rot in this type of software
(IDS tools, Vulnerability scanners, Virus scanners) is in fact a great
cause for concern about security.  I would even suggest that once such
software and signature data is out of date, this be logged as a security

To deal with the above problem I am proposing a new subsection for
non-US called security.  This would be the one part of the stable
distribution that would be allowed to contain new software due to the
security risks mentioned above. The attributes of this section will be:

o Binary/Program Packages will back-ported from the the latest in stable
with no RC bugs on them.  Same criteria as for a package to be moved
from unstable to testing, unless there is an urgent need to counter a
security threat such as a rampant e-mail virus, IDS for a devastating
worm etc.

o Data set packages will either be auto-downloader packages to download
an install the latest data sets for machines, or they will be up to the
minute as much as possible.  All signature (virus, IDS, and security
scanning probes) data/binary will be in separate packages to the program
packages above.

o Almost all bugs where it effects the effective operation of the above
software in its security task will be treated as a security bug.  This
includes bugs where the auto-downloading of signature updates does not
happen properly etc.

o The archive will also contain the necessary and optional dependent
packages for the security software to perform its job if it is not in
the current stable release, or the current version is unusable.  This
includes the software for e-mail virus scanning, squid proxy content
scanning, libpcap required to get latest snort running at its best etc.

o Because of its dynamic nature due to its requirement to be kept up to
date, non-US/security will never be released officially on CD, only as
download from the Internet.

o It is placed in non-US, as the security scanning software uses
encryption in lots of places.

o We would leave out potato, and start with woody for this section as
woody is very close to release.

o A high standard of packaging will be required for the software in the
section, with debconf set up to get the packages easily operating on

o Documentation for the software will have to be comprehensive.  Howtos 
and FAQs on the software will have to be written, as well as a well
constructed Web site.

It it hoped that this will augment things like the Debian Gibraltar
firewall, and email server projects etc.  

I am putting this proposal forward for someone else to run with.  I have
a lot of commitments to the Linux Aid Server project
(http://www.anathoth.gen.nz) and I have found that I have had to devote
lots of time to getting e-mail virus scanning up to snuff under Debian
for this project.  Hence my interest in this to help Debian puul its
socks up with regard to this sort of software.

Please let me know what you think. I will be following the discussion on
debian-devel and debian-security.

Best Regards,

Matthew Grant

Matthew Grant	     /\	 ^/\^	grantma@anathoth.gen.nz      /~~~~\
A Linux Network Guy /~~\^/~~\_/~~~~~\_______/~~~~~~~~~~\____/******\
===GPG KeyID: 2EE20270  FingerPrint:

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: