Your message dated Mon, 29 Feb 2016 09:51:54 +0000 with message-id <1456739514.3098.91.camel@decadent.org.uk> and subject line "Re: Bug#816247: general: hardening distro is an afterthought" has caused the Debian Bug report #816247, regarding "general: hardening distro is an afterthought", to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
816247: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=816247
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: general: hardening distro is an afterthought
- From: Richard Jasmin <frazzledjazz@gmail.com>
- Date: Sun, 28 Feb 2016 22:42:00 -0600
- Message-id: <20160229044200.21338.29229.reportbug@livingroom.c4home.net>
Package: general
Severity: normal
Tags: newcomer upstream patch

Dear Maintainer,

In RE of my overview of Debian security (and the forced do-it-yourself mentality), I am providing a general coverage of hardening policy with Debian STABLE. There is much to learn from other distros here, namely the INDUSTRY LEADER, RED HAT. Of note is the change in Fedora 23 to the distro base. Two major changes are noted:

- Mono to v4
- Better hardened system packages in the repos (with hardened-by-default config for source builds)

And a CLEAR snapshot of running processes highlights the problem. Debian IS NOT THERE YET. I know SOME processes may be nearly impossible to harden, but the WHOLE system? [wide view] Look at all that No PIE and Partial RELRO.... Hackers have stated that NX is a moot point. It can be bypassed. Stack canaries as well, but they do slow them down.

---
process          PID    RELRO          canary        NX          PIE
systemd          1351   Full RELRO     Canary found  NX enabled  PIE enabled
lxsession        1367   Partial RELRO  Canary found  NX enabled  No PIE
dbus-launch      1391   Partial RELRO  Canary found  NX enabled  No PIE
dbus-daemon      1392   Partial RELRO  Canary found  NX enabled  No PIE
gvfsd            1403   Partial RELRO  Canary found  NX enabled  No PIE
gvfsd-fuse       1407   Partial RELRO  Canary found  NX enabled  No PIE
openbox          1491   Full RELRO     Canary found  NX enabled  PIE enabled
lxpolkit         1494   Partial RELRO  Canary found  NX enabled  No PIE
lxpanel          1497   Full RELRO     Canary found  NX enabled  PIE enabled
pcmanfm          1499   Full RELRO     Canary found  NX enabled  PIE enabled
xscreensaver     1500   Partial RELRO  Canary found  NX enabled  No PIE
gvfs-udisks2-vo  1508   Partial RELRO  Canary found  NX enabled  No PIE
wicd-client      1510   Partial RELRO  Canary found  NX enabled  No PIE
mate-volume-con  1520   Partial RELRO  Canary found  NX enabled  No PIE
nm-applet        1532   Partial RELRO  Canary found  NX enabled  No PIE
gvfs-afc-volume  1544   Partial RELRO  Canary found  NX enabled  No PIE
at-spi-bus-laun  1547   Full RELRO     Canary found  NX enabled  PIE enabled
dbus-daemon      1551   Partial RELRO  Canary found  NX enabled  No PIE
at-spi2-registr  1554   Full RELRO     Canary found  NX enabled  PIE enabled
notification-da  1557   Partial RELRO  Canary found  NX enabled  No PIE
mate-screensave  1562   Partial RELRO  Canary found  NX enabled  No PIE
gvfs-mtp-volume  1565   Partial RELRO  Canary found  NX enabled  No PIE
gvfs-goa-volume  1579   Partial RELRO  Canary found  NX enabled  No PIE
gconfd-2         1585   Partial RELRO  Canary found  NX enabled  No PIE
clipit           1589   Full RELRO     Canary found  NX enabled  PIE enabled
pulseaudio       1592   Full RELRO     Canary found  NX enabled  No PIE
gvfs-gphoto2-vo  1603   Partial RELRO  Canary found  NX enabled  No PIE
menu-cached      1616   Partial RELRO  Canary found  NX enabled  No PIE
gvfsd-trash      1624   Partial RELRO  Canary found  NX enabled  No PIE
start-pulseaudi  1643   Full RELRO     Canary found  NX enabled  PIE enabled
xprop            1644   Partial RELRO  Canary found  NX enabled  No PIE
lxterminal       16673  Partial RELRO  Canary found  NX enabled  No PIE
bash             16675  Partial RELRO  Canary found  NX enabled  No PIE
bash             16677  Partial RELRO  Canary found  NX enabled  No PIE
dconf-service    17709  Partial RELRO  Canary found  NX enabled  No PIE
ssh              18617  Full RELRO     Canary found  NX enabled  PIE enabled
sshfs            18621  Full RELRO     Canary found  NX enabled  PIE enabled
kdeinit4         20831  Partial RELRO  Canary found  NX enabled  No PIE
klauncher        20834  Partial RELRO  Canary found  NX enabled  No PIE
kded4            20836  Partial RELRO  Canary found  NX enabled  No PIE
kactivitymanage  20846  Partial RELRO  Canary found  NX enabled  No PIE
gvfsd-network    2191   Partial RELRO  Canary found  NX enabled  No PIE
gvfsd-dnssd      2207   Partial RELRO  Canary found  NX enabled  No PIE
mono             22484  Partial RELRO  Canary found  NX enabled  No PIE
gvfsd-metadata   2454   Partial RELRO  Canary found  NX enabled  No PIE
mate-settings-d  2542   Partial RELRO  Canary found  NX enabled  No PIE
python           2705   Partial RELRO  Canary found  NX enabled  No PIE
python           2706   Partial RELRO  Canary found  NX enabled  No PIE
python           2707   Partial RELRO  Canary found  NX enabled  No PIE
---

I can look aside on mono.
Not building SECURE code by default is a SERIOUS NO NO. I could quote you the Debian policy book on this, but I don't have it memorized.

Now, I said I have a solution and I do. On Debian this has something to do with the setting of build flags and use of the hardening wrapper. Oddly, this is a poorly documented feature or one that is hard in practice to implement. I have tried to look into this with some custom apps that I have and I can't figure it out. So to the average joe, this means that this process is impossible to implement. By default the distro should enforce this (ideally as well as SELinux) and build non-packaged apps in source form in a hardened manner.

As an aside: the frame pointer seems a circle-jerk logic. There is use for the stack frame pointer yet optimization wants to remove it. As you know: O3 and O4 yield better performance, especially when the kernel is recompiled with tickless or 1K hertz (or realtime) ticks.

-- System Information:
Debian Release: 8.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
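The per-process listing in the report above is the kind of output checksec produces by reading each binary's ELF headers. The following added example (not part of the bug report or of any Debian tool) shows where each of those four verdicts comes from: PIE is the ELF type (ET_DYN), NX is the PT_GNU_STACK flags, Partial versus Full RELRO is a PT_GNU_RELRO segment plus immediate binding in the dynamic section, and the canary verdict is the presence of `__stack_chk_fail`. `check_elf64` and `build_sample` are names chosen here, and `build_sample` constructs a minimal, non-runnable ELF64 image solely so the check can be exercised offline.

```python
import struct

# ELF constants (from elf.h) for the four properties in the listing above
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X, DF_BIND_NOW, DF_1_NOW = 0x1, 0x8, 0x1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB

def check_elf64(data: bytes) -> dict:
    """Report RELRO/canary/NX/PIE for a little-endian ELF64 executable image."""
    if data[:5] != b"\x7fELF\x02":
        raise ValueError("not an ELF64 image")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    nx, relro_seg, bind_now, dynamic = False, False, False, None
    for i in range(e_phnum):
        p_type, p_flags, p_off, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:     # stack is non-executable unless PF_X is set
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:   # GOT region made read-only after relocation
            relro_seg = True
        elif p_type == PT_DYNAMIC:
            dynamic = (p_off, p_filesz)
    if dynamic:                        # Full RELRO additionally needs BIND_NOW
        for pos in range(dynamic[0], dynamic[0] + dynamic[1], 16):
            tag, val = struct.unpack_from("<qQ", data, pos)
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bind_now = True
    relro = "Full RELRO" if relro_seg and bind_now else ("Partial RELRO" if relro_seg else "No RELRO")
    # checksec looks for the __stack_chk_fail symbol; a raw scan of the image approximates that
    return {"relro": relro,
            "canary": "Canary found" if b"__stack_chk_fail" in data else "No canary found",
            "nx": "NX enabled" if nx else "NX disabled",
            "pie": "PIE enabled" if e_type == ET_DYN else "No PIE"}

def build_sample(pie=True, nx=True, full_relro=True, canary=True) -> bytes:
    """Constructed, non-runnable ELF64 image carrying only the headers inspected above."""
    dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW if full_relro else 0) + struct.pack("<qQ", DT_NULL, 0)
    hdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8 + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1, 0, 64, 0, 0, 64, 56, 3, 0, 0, 0)
    phdr = lambda t, f, off, size: struct.pack("<IIQQQQQQ", t, f, off, 0, 0, size, size, 8)
    phdrs = (phdr(PT_GNU_STACK, 6 if nx else 7, 0, 0) + phdr(PT_GNU_RELRO, 4, 0, 0)
             + phdr(PT_DYNAMIC, 6, 64 + 3 * 56, len(dyn)))
    return hdr + phdrs + dyn + (b"__stack_chk_fail\0" if canary else b"")
```

Pointing `check_elf64` at the contents of a real binary (for example via `open(path, "rb").read()`) yields the same four columns as the listing; the "Partial RELRO / No PIE" rows above correspond to builds linked without `-z now` and without `-fPIE -pie`.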
--- Begin Message ---
- To: 816247-done@bugs.debian.org
- Subject: Re: Bug#816247: general: hardening distro is an afterthought
- From: Ben Hutchings <ben@decadent.org.uk>
- Date: Mon, 29 Feb 2016 09:51:54 +0000
- Message-id: <1456739514.3098.91.camel@decadent.org.uk>
- In-reply-to: <20160229044200.21338.29229.reportbug@livingroom.c4home.net>
- References: <20160229044200.21338.29229.reportbug@livingroom.c4home.net>
You should discuss these issues on the debian-project list, not the bug tracking system.

Ben.

--
Ben Hutchings
If God had intended Man to program, we'd have been born with serial I/O ports.
--- End Message ---