
Bug#572712: use hardened sysctl net.* settings per default



Hi Moritz, et al.

On Sun, 2010-05-30 at 19:29 +0200, Moritz Muehlenhoff wrote:
> If you want to modify kernel defaults you'll need to discuss the
> specific options with upstream, we won't differ in the Debian kernel
> configuration.
I don't want to change the kernel defaults...

For the Debian kernels it would be a very bad idea, as I think that
software in a distro should nearly always follow the upstream default
(config) values.
There are already several packages in Debian where default config values
were changed. I do not talk about the default config files, but really
the hardcoded values in the binaries.
This is really a bad idea, as everybody should be able to expect a more
or less consistent behaviour of programs on all distros.

For upstream such changes are probably not going to happen, even if I
request it.
But that neither means that the defaults I propose are wrong, nor that
Debian shouldn't change them in their sysctl defaults.
We already change many packages (better said their standard
configuration files) just to make them more secure (and in some examples
unfortunately also to make them less secure).


> For now I'd suggest to address Christoph's proposed changes through
> the harden package. It appears to be designed for exactly this
> purpose. Christoph, what do you think?
I think the harden package is the wrong place, at least for the net.*
sysctl settings I've proposed.

I guess there are two main reasons:
1) Everybody expects harden packages to be something which is either
quite complicated to set up or which will probably break many things.
- Take special patches like PaX/grsecurity or rsbac... they'd probably
be accounted to "hardening"... both may break things (and RSBAC is quite
difficult to set up).
- Another example is something like AIDE... of course the plain install
is done quickly, but to have it really make sense one must run it from an
offline/secured host... because if the system is compromised the
attacker will also be able to hack AIDE or its hash sums.

These changes here are not complicated to set up, and for the vast
majority of people, they won't break anything.


2) Harden packages are usually not installed by most people, for the
above reasons. So most people wouldn't benefit from those more secure
settings.



Now, why do I think that "every" system should get those more secure
sysctl settings per default?
I guess most of them won't harm anyway and just give benefit.

log_martians
=> just logging

rp_filter
=> Well, I guess only really hacked setups/systems/networks should ever
make it necessary to allow such packets per default.
And people with such setups/systems/networks have them either set up
wrongly (but just never noticed) and should fix it... or they _really_
are experts and _really_ need it that way... then they probably know
about rp_filter, and are able to turn it off.

tcp_syncookies
=> In their current implementation (see the lwn.net article) it seems to
me that they mean no _real_ problem. All problems that syncookies
bring... don't count here, as they're not activated by the kernel until
your network is "fucked up" anyway ;)

net.ipv4.ip_forward, net.ipv6.conf.all.forwarding, send_redirects,
accept_source_route
=> Well, one could discuss those... but I really think that the vast
majority of Debian systems are not used as routers. And those systems
that are... don't work as a router out of the box. So sysadmins need to
know "how to set up routing" anyway... and then they should also know
about these sysctl values.

net.ipv4.conf.all.accept_redirects, net.ipv6.conf.all.accept_redirects
=> Also... I guess only some really weird setups need things like ICMP
redirects.


Of course there might be more settings we could/should tighten up
here :)


Cheers,
Chris.



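Added example, not part of the bug report and not code from any Debian package: a POSIX sh script that writes the net.* settings named in the mail (log_martians, rp_filter, tcp_syncookies, ip_forward / forwarding, send_redirects, accept_source_route, accept_redirects) as a sysctl.conf(5)-style fragment, and audits a `sysctl -a` style dump against that baseline so a defender can see which keys a host deviates on. Assumptions: the `conf.default.*` companions to the `conf.all.*` keys, the strict value 1 for rp_filter, and the `SAMPLE_DUMP` contents are mine; the sample is constructed, not captured from a real host.

```shell
#!/bin/sh
# Hardened net.* sysctl baseline built from the settings discussed in
# Bug#572712, plus an audit that compares a "key = value" dump against it.
# The conf.default.* keys and rp_filter=1 (strict mode) are assumptions.

# One "key value" pair per line.
HARDENED_BASELINE='net.ipv4.conf.all.log_martians 1
net.ipv4.conf.default.log_martians 1
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.default.rp_filter 1
net.ipv4.tcp_syncookies 1
net.ipv4.ip_forward 0
net.ipv6.conf.all.forwarding 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.default.send_redirects 0
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.default.accept_source_route 0
net.ipv6.conf.all.accept_source_route 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.default.accept_redirects 0
net.ipv6.conf.all.accept_redirects 0
net.ipv6.conf.default.accept_redirects 0'

# Emit the baseline in sysctl.conf(5) syntax ("key = value"), ready to be
# dropped into a file under /etc/sysctl.d/.
hardened_sysctl_conf() {
    printf '%s\n' "$HARDENED_BASELINE" | awk '{ printf "%s = %s\n", $1, $2 }'
}

# audit_sysctl DUMP: DUMP is text in the "key = value" form that `sysctl -a`
# prints (e.g. "$(sysctl -a 2>/dev/null)"). Prints one
# "key current expected" line per deviating or missing key. Returns 0 when
# the dump conforms to the baseline, 1 otherwise.
audit_sysctl() {
    dump="$1"
    status=0
    while read -r key expected; do
        [ -n "$key" ] || continue
        current=$(printf '%s\n' "$dump" |
            awk -v k="$key" '$1 == k && $2 == "=" { print $3; exit }')
        if [ -z "$current" ]; then
            printf '%s missing %s\n' "$key" "$expected"
            status=1
        elif [ "$current" != "$expected" ]; then
            printf '%s %s %s\n' "$key" "$current" "$expected"
            status=1
        fi
    done <<EOF
$HARDENED_BASELINE
EOF
    return $status
}

# count_deviations DUMP: number of baseline keys that deviate or are missing.
count_deviations() {
    audit_sysctl "$1" | wc -l | tr -d ' '
}

# Constructed sample of `sysctl -a` output for offline testing; it is not
# captured from any real system and does not claim to show kernel defaults.
SAMPLE_DUMP='net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 1
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.default.accept_redirects = 1
net.ipv6.conf.all.accept_redirects = 1
net.ipv6.conf.default.accept_redirects = 1'

# Stand-alone run: print the fragment, then audit the constructed sample.
hardened_sysctl_conf
echo '--- deviations (key current expected) ---'
if audit_sysctl "$SAMPLE_DUMP"; then
    echo 'sample conforms to the baseline'
else
    echo 'sample deviates from the baseline'
fi
```

On a real host the audit is `audit_sysctl "$(sysctl -a 2>/dev/null)"`; the fragment from `hardened_sysctl_conf` is applied with `sysctl -p FILE` after review, and a host where rp_filter or forwarding is deliberately needed (the expert case Chris describes) should get an override rather than a weakened baseline.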