
Bug#816247: marked as done (general: hardening distro is an afterthought)



Your message dated Mon, 29 Feb 2016 09:51:54 +0000
with message-id <1456739514.3098.91.camel@decadent.org.uk>
and subject line Re: Bug#816247: general: hardening distro is an afterthought
has caused the Debian Bug report #816247,
regarding general: hardening distro is an afterthought
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
816247: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=816247
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: general
Severity: normal
Tags: newcomer upstream patch

Dear Maintainer,

Regarding my overview of Debian security (and the forced do-it-yourself
mentality), I am providing a general coverage of hardening policy with Debian
STABLE.

There is much to learn from other distros here, namely the INDUSTRY LEADER, RED
HAT.

Of note is the change in Fedora 23 to the distro base. Two major changes are
noted:

Mono to v4
Better hardened system packages in the repos
   (With hardened by default config for source builds)

And a CLEAR snapshot of running processes highlights the problem. Debian IS NOT
THERE YET.
I know SOME processes may be nearly impossible to harden, but the WHOLE system?

[wide view] Look at all that NO PIE and Partial RELRO....
Hackers have stated that NX is a moot point. It can be bypassed. Stack canaries
as well, but they do slow them down.
---
         systemd   1351 Full RELRO        Canary found           NX enabled    PIE enabled
       lxsession   1367 Partial RELRO     Canary found           NX enabled    No PIE
     dbus-launch   1391 Partial RELRO     Canary found           NX enabled    No PIE
     dbus-daemon   1392 Partial RELRO     Canary found           NX enabled    No PIE
           gvfsd   1403 Partial RELRO     Canary found           NX enabled    No PIE
      gvfsd-fuse   1407 Partial RELRO     Canary found           NX enabled    No PIE
         openbox   1491 Full RELRO        Canary found           NX enabled    PIE enabled
        lxpolkit   1494 Partial RELRO     Canary found           NX enabled    No PIE
         lxpanel   1497 Full RELRO        Canary found           NX enabled    PIE enabled
         pcmanfm   1499 Full RELRO        Canary found           NX enabled    PIE enabled
    xscreensaver   1500 Partial RELRO     Canary found           NX enabled    No PIE
 gvfs-udisks2-vo   1508 Partial RELRO     Canary found           NX enabled    No PIE
     wicd-client   1510 Partial RELRO     Canary found           NX enabled    No PIE
 mate-volume-con   1520 Partial RELRO     Canary found           NX enabled    No PIE
       nm-applet   1532 Partial RELRO     Canary found           NX enabled    No PIE
 gvfs-afc-volume   1544 Partial RELRO     Canary found           NX enabled    No PIE
 at-spi-bus-laun   1547 Full RELRO        Canary found           NX enabled    PIE enabled
     dbus-daemon   1551 Partial RELRO     Canary found           NX enabled    No PIE
 at-spi2-registr   1554 Full RELRO        Canary found           NX enabled    PIE enabled
 notification-da   1557 Partial RELRO     Canary found           NX enabled    No PIE
 mate-screensave   1562 Partial RELRO     Canary found           NX enabled    No PIE
 gvfs-mtp-volume   1565 Partial RELRO     Canary found           NX enabled    No PIE
 gvfs-goa-volume   1579 Partial RELRO     Canary found           NX enabled    No PIE
        gconfd-2   1585 Partial RELRO     Canary found           NX enabled    No PIE
          clipit   1589 Full RELRO        Canary found           NX enabled    PIE enabled
      pulseaudio   1592 Full RELRO        Canary found           NX enabled    No PIE
 gvfs-gphoto2-vo   1603 Partial RELRO     Canary found           NX enabled    No PIE
     menu-cached   1616 Partial RELRO     Canary found           NX enabled    No PIE
     gvfsd-trash   1624 Partial RELRO     Canary found           NX enabled    No PIE
 start-pulseaudi   1643 Full RELRO        Canary found           NX enabled    PIE enabled
           xprop   1644 Partial RELRO     Canary found           NX enabled    No PIE
      lxterminal  16673 Partial RELRO     Canary found           NX enabled    No PIE
            bash  16675 Partial RELRO     Canary found           NX enabled    No PIE
            bash  16677 Partial RELRO     Canary found           NX enabled    No PIE
   dconf-service  17709 Partial RELRO     Canary found           NX enabled    No PIE
             ssh  18617 Full RELRO        Canary found           NX enabled    PIE enabled
           sshfs  18621 Full RELRO        Canary found           NX enabled    PIE enabled
        kdeinit4  20831 Partial RELRO     Canary found           NX enabled    No PIE
       klauncher  20834 Partial RELRO     Canary found           NX enabled    No PIE
           kded4  20836 Partial RELRO     Canary found           NX enabled    No PIE
 kactivitymanage  20846 Partial RELRO     Canary found           NX enabled    No PIE
   gvfsd-network   2191 Partial RELRO     Canary found           NX enabled    No PIE
     gvfsd-dnssd   2207 Partial RELRO     Canary found           NX enabled    No PIE
            mono  22484 Partial RELRO     Canary found           NX enabled    No PIE
  gvfsd-metadata   2454 Partial RELRO     Canary found           NX enabled    No PIE
 mate-settings-d   2542 Partial RELRO     Canary found           NX enabled    No PIE
          python   2705 Partial RELRO     Canary found           NX enabled    No PIE
          python   2706 Partial RELRO     Canary found           NX enabled    No PIE
          python   2707 Partial RELRO     Canary found           NX enabled    No PIE

---


I can look aside on mono. Not building SECURE code by default is a SERIOUS NO
NO. I could quote you the Debian policy book on this, but I don't have it
memorized.

Now, I said I have a solution and I do. On Debian this has something to do with
the setting of build flags and use of the hardening wrapper. Oddly, this is a
poorly documented feature or one that is hard in practice to implement. I have
tried to look into this with some custom apps that I have and I can't figure it
out.

So to the average Joe, this means that this process is impossible to implement.
By default the distro should enforce this (ideally as well as SELinux) and build
non-packaged apps in source form in a hardened manner.

As an aside:
the frame pointer seems like circle-jerk logic. There is still use for the stack
frame pointer, yet optimization wants to remove it.

As you know:
O3 and O4 yield better performance, especially when the kernel is recompiled with
tickless or 1K hertz (or realtime) ticks.



-- System Information:
Debian Release: 8.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
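The per-process table in the report above is the output of a checksec-style audit. The script below is an added example, not part of the bug report and not a Debian tool: it reads an ELF64 image and derives the RELRO, NX and PIE columns directly from the ELF program headers and dynamic section (a PT_GNU_STACK segment without PF_X means NX; a PT_GNU_RELRO segment means partial RELRO; BIND_NOW on top of that means full RELRO; an e_type of ET_DYN marks a PIE). The "Canary found" column is left out because it needs the dynamic symbol table, which this parser does not walk. The names `check_elf64`, `build_elf64` and `scan_running_processes` are this example's own; `build_elf64` produces constructed, non-loadable sample images only so the checker can be exercised offline, and `scan_running_processes` applies the same check to each readable `/proc/<pid>/exe`, which is what a defender would run on a host to reproduce the report's table.

```python
import os
import struct

# ELF constants from the ELF specification and the GNU ABI extensions
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X = 1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def check_elf64(data):
    """Return {'relro': str, 'nx': bool, 'pie': bool} for an ELF64 image held in memory."""
    if data[:4] != b"\x7fELF" or data[4] != 2:          # EI_CLASS 2 = ELFCLASS64
        raise ValueError("not an ELF64 image")
    e = "<" if data[5] == 1 else ">"                    # EI_DATA 1 = little endian
    e_type = struct.unpack_from(e + "H", data, 16)[0]
    e_phoff = struct.unpack_from(e + "Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from(e + "HH", data, 54)

    # No PT_GNU_STACK at all means the kernel gives the process an executable stack
    nx, relro, dynamic = False, False, None
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz = struct.unpack_from(
            e + "IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)

    # Full RELRO additionally needs the loader to resolve everything at startup (BIND_NOW),
    # otherwise the GOT stays writable until lazy binding has finished
    bind_now = False
    if dynamic is not None:
        off, size = dynamic
        for pos in range(off, off + size, 16):          # Elf64_Dyn is 16 bytes
            tag, val = struct.unpack_from(e + "qQ", data, pos)
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bind_now = True

    if relro and bind_now:
        relro_state = "Full RELRO"
    elif relro:
        relro_state = "Partial RELRO"
    else:
        relro_state = "No RELRO"
    # ET_DYN also covers shared libraries; for a main executable it means PIE
    return {"relro": relro_state, "nx": nx, "pie": e_type == ET_DYN}


def build_elf64(pie, nx, relro):
    """Constructed sample: a minimal, non-loadable ELF64 image with the requested properties."""
    nphdr = 3 if relro != "none" else 2
    dyn_off = 64 + 56 * nphdr                           # dynamic array right after the phdrs
    dyn = b"".join(struct.pack("<qQ", tag, val) for tag, val in
                   [(DT_FLAGS, DF_BIND_NOW if relro == "full" else 0), (DT_NULL, 0)])
    phdrs = [(PT_GNU_STACK, 6 if nx else 7, 0, 0, 0, 0, 0, 16),        # RW or RWX stack
             (PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)]
    if relro != "none":
        phdrs.append((PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1))
    ehdr = struct.pack("<16sHHIQQQIHHHHHH",
                       b"\x7fELF\x02\x01\x01" + b"\x00" * 9,           # ELF64, LE, version 1
                       ET_DYN if pie else ET_EXEC, 62, 1, 0, 64, 0, 0, 64, 56, nphdr, 64, 0, 0)
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs) + dyn


def scan_running_processes():
    """Audit every readable /proc/<pid>/exe the way the report's table does (Linux only)."""
    rows = []
    for pid in sorted(p for p in os.listdir("/proc") if p.isdigit()):
        try:
            with open(f"/proc/{pid}/exe", "rb") as f:
                result = check_elf64(f.read())
            name = os.path.basename(os.readlink(f"/proc/{pid}/exe"))
        except (OSError, ValueError):
            continue                                    # kernel threads, vanished or unreadable
        rows.append((name[:15], int(pid), result["relro"],
                     "NX enabled" if result["nx"] else "NX disabled",
                     "PIE enabled" if result["pie"] else "No PIE"))
    return rows


if __name__ == "__main__":
    for name, pid, relro, nx, pie in scan_running_processes():
        print(f"{name:>16}{pid:>7} {relro:<18}{nx:<14}{pie}")
```

Run as root to see every process; unprivileged, only the caller's own processes have a readable exe link. A row such as pulseaudio in the report (full RELRO but no PIE) is exactly the case this separates: RELRO is decided by the linker flags, PIE by whether the executable was built as ET_DYN.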
--- Begin Message ---
You should discuss these issues on the debian-project list, not the bug
tracking system.

Ben.

-- 
Ben Hutchings
If God had intended Man to program,
we'd have been born with serial I/O ports.



--- End Message ---
