Bug#572712: use hardened sysctl net.* settings per default

To: Christoph Anton Mitterer <calestyo@scientia.net>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, Craig Small <csmall@debian.org>, 572712@bugs.debian.org, control@bugs.debian.org
Subject: Bug#572712: use hardened sysctl net.* settings per default
From: Moritz Muehlenhoff <jmm@inutil.org>
Date: Sat, 10 Jul 2010 14:37:36 +0200
Message-id: <[🔎] 20100710123736.GA2587@galadriel.inutil.org>
Reply-to: Moritz Muehlenhoff <jmm@inutil.org>, 572712@bugs.debian.org
In-reply-to: <1275323355.3155.71.camel@fermat.scientia.net>
References: <1267820749.4491.72.camel@fermat.scientia.net> <20100306231111.GB9908@enc.com.au> <20100530172958.GA3779@galadriel.inutil.org> <1275323355.3155.71.camel@fermat.scientia.net>

reassign 572712 netbase
thanks

On Mon, May 31, 2010 at 06:29:15PM +0200, Christoph Anton Mitterer wrote:
> Hi Moritz, et al.
>
> On Sun, 2010-05-30 at 19:29 +0200, Moritz Muehlenhoff wrote:
> > If you want to modify kernel defaults you'll need to discuss the
> > specific options with upstream, we won't differ in the Debian kernel
> > configuration.
> I don't want to change the kernel defaults...
> 
> For the Debian kernels it would be a very bad idea, as I think that
> software in a distro should nearly always follow the upstream default
> (config) values.
> There are already several packages in Debian where default config values
> where changed. I do not talk about the default config files, but really
> the hardcoded values in the binaries.
> This is really a bad idea, as everybody should be able to expect a more
> or less consistent behaviour of programs on all distros.
> 
> For upstream such changes will probably not going to happen, even if I
> request it.
> But that neither means that the defaults I propose are wrong, nor that
> Debian shouldn't change them in their sysctl defaults.
> We already change many packages (better said their standard
> configuration files) just to make them more secure (and in some examples
> unfortunately also to make them less secure).
> 
> 
> > For now I'd suggest to address Christoph's proposed changes through
> > the harden package. It appears to be designed for exactly this
> > purpose. Christoph, what do you think?
> I think the harden package is the wrong place, at least for the net.*
> sysctl I've proposed.
> 
> I guess there are two main reasons:
> 1) Everybody expects harden packages to be something which is either
> quite complicated to set up or which will probably break many things.
> - Take special patches like PaX/grsecurity or rsbac... they'd probably
> be accounted to "hardening"... both may break things (and RSBAC is quite
> difficult to set up).
> - Another example is something like AIDE... of course the plain install
> is done quickly, but to have it really make sense one most run it from a
> offline/secured host... because if the system is compromised the
> attacker will be also able to hack AIDE or its hash sums.
> 
> These changes here are not complicated to set up, and for the vast
> majority of people, the won't break anything.
> 
> 
> 2) Harden-packages are usually not installed by most people, for the
> above reasons. So most people wouldn't benefit those more secure
> settings.
> 
> 
> 
> Now why do I think that "every" system should get those more secure
> sysctl settings per default.
> I guess most of them won't harm anyway and just give benefit.
> 
> log_martians
> => just logging
> 
> rp_filter
> => well I guess only really hacked setups/systems/networks should ever
> make it necessary to allow such packets per default.
> And people with such setups/systems/networks have them either set up
> wrongly (but just never noticed) and should fix it... or they _really_
> are experts and _really_ need it that way... then they probably know
> about rp_filter, and are able to turn it of.
> 
> tcp_syncookies
> => In their current implementation (see the lwn.net article) it seems to
> me that they mean no _real_ problem. All problems that syncookies
> bring,... don't count here, as they're not activated by the kernel until
> your network ist "fucked up" anyway ;)
> 
> net.ipv4.ip_forward, net.ipv6.conf.all.forwarding, send_redirects,
> accept_source_route
> => Well one could discuss those... but I really think, that the vast
> majority of Debian systems are not used as rooters. And those systems
> that are,.. don't work as a router out of the box. So sysadmins need to
> know "how to set up routing" anyway,... and then they sould also know
> about these sysctl values.
> 
> net.ipv4.conf.all.accept_redirects, net.ipv6.conf.all.accept_redirects
> => Also,.. I guess just really some weird setups need things like ICMP
> redirects.
> 
> 
> Of course there might be more settings we could/should tighten up
> here :)

Sorry for the late reply.

If you want to change the standard Debian sysctl settings, this should
probably be changed by netbase providing a /etc/sysctl.d snippet.

The kernel package is not the right place. Reassigning to netbase.

Cheers,
        Moritz

Reply to:

Follow-Ups:
- Processed: Re: Bug#572712: use hardened sysctl net.* settings per default
  - From: owner@bugs.debian.org (Debian Bug Tracking System)
- Re: Bug#572712: use hardened sysctl net.* settings per default
  - From: Julien Cristau <jcristau@debian.org>

Prev by Date: Processed: Re: linux-image-2.6.26-1-686: ide-tape hangs for 180s on boot and disables the cdrom
Next by Date: Bug#518995: marked as done (kernel: RAM recognition)
Previous by thread: Bug#588602: Bug#: 588601, 588602: xpress 200m 5955 => resume from suspend fails with KMS enabled
Next by thread: Processed: Re: Bug#572712: use hardened sysctl net.* settings per default
Index(es):
- Date
- Thread