Re: Debian Hardened project (question about use of the "Debian" trademark)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Lorenzo Hernandez Garcia-Hierro wrote:
| Hi John,
|
| El vie, 17-09-2004 a las 19:04, John Richard Moser escribió:
|
|>-----BEGIN PGP SIGNED MESSAGE-----
|>Hash: SHA1
|>
|>
|>
|>Lorenzo Hernandez Garcia-Hierro wrote:
|>| Hi,
|>|
|>
|>[...]
|>
[...]
|>I prefer directly hardening Debian with things that don't get in the way
|>of the user. That's what I was going on about a month ago with PaX (I'm
|>still working with that, just waiting until after Sarge). As long as
|>the user doesn't have to see it, it can and I think should go into
|>mainline Debian.
|
|
| Debian Hardened is not a Debian-based distro, i said that it is a
| hardened tree of packages and kernels that should replace (with user
| election or by default, for example asking the user during the
| installation if he wants to have extra security or if it will be used
| for critical uses).
| I think the same as you, it must go in the Debian mainline.
Yes yes I understand you're a subproject.
The kernel can be elective, but some of the work that gets done will
require either a separate copy of the entire debian tree, or will
require that the changes go into mainline. Building binaries with SSP
and PIE is like building binaries using gcc 2.95 or gcc 3.4: the
decision won't directly affect the users' experience, and it can't be
made an option to the user without a lot of extra storage space on the
mirrors and a lot of work maintainer side.
|
| Debian.
| -----------------------------
| | |
| ^ ^
| Kernel packages Software Packages.
| --------------|----------- --------------|-----------------
| Not Hardened | Hardened Hardened | Not hardened.
| -------------------------- --------------------------------
| \apt-get install harden /
| \ debian-hardened /
| \ /
| | *KISS* |
| |Keep it simple,stupid|
| \---------------------/
|
|
Debian
|- Kernels
||- Hardened (PaX enabled, SELinux enforcing, etc)
||- Non-Hardened
|- Maintenance
||- Compiler used
|||- Options used
||||- Optimizations
|||||- -O2
||||- Security options
|||||- -fstack-protector
|||||- -fpie
||- Packaging
|||- Mirrors
We have the same goals basically; but I don't think that for most of
this there is room for an 'apt-get install hardened' or whatever. The
changes are too integral to be covered by a handfull of packages; you
would need an entire mirror of all Debian packages with all hardening
features.
Now, if you're after creating SELinux, GRSecurity, and RSBAC policies,
those can be controlled by boot time parameters to the kernel. Also, as
long as they're off, there's no need for the user to install the policy.
~ Those are the types of things that can *feasibly* be made optional,
because they don't require a recompile.
|>My point here is, you mention "advanced users" and "sysadmins;" but I'm
|>focused on people who are too stupid to remember how to save a document
|>in MS Word in RTF format instead of .doc.
|
|
| Look above.
| People is not stupid, my father is not stupid because he doesn't know
| which "Debian" means...people want to do simply their things in their
| live, that's usability and we can't make people start learning, for
| example, LaTeX,TeX,whatever you want... if they only want to write poems
| on a "page", or teach maths to their children.
|
You need to get out more; a *lot* of people are stupid. ;)
Don't go on the assumption that people know wtf they're doing. I know
wtf I'm doing. I could rebuild a Debian Sarge installation as it exists
today with all hardening features. It's still a pain in the ass, and I
don't want to be bothered. Even when the target isn't an idiot, he may
still prefer to have the work done for him; otherwise he'd be using LFS.
|
|>[...]
|>| if
|>| you a hardened binary (+SSP/ProPOlice and a library to trace the BOF
|>| conditions) in a hardened environment (hardened kernel and RBAC/RSBAC
|>| policies) it will be not dangerous as having a simple Debian!
|>
|>Ummmmmm, update anyway dude. It's still a DoS attack.
|
|
| Buffer Overflow conditions in the stack will be stopped by ProPolice
| (__guard ...).
|
Yes and then the program halts and gets SIGABRT. Do you not know what a
DoS attack is?
[...]
|
|
| Yes, ProPolice/SSP is a GCC extension.
| Rebuild?
| Ok, i'm a Gentoo user, mea culpa :P, but i thought that i din't say to
| recompile packages, i said make binary packages in a different "branch".
| (Again, the theme of the graphic i wrote above) .
|
I don't believe that forking a Debian package for these protections is
appropriate. They don't harm anything; anything that they do harm of
course you can't protect anyway. There's no point in separating the two
bases, and no point in wasting tons of mirror space and maintainer
effort to implement this project.
These things need to be implemented as painlessly as possible. The
maintainers don't want to eat up twice as much mirror space just to
support a security option. I'm sure nobody wants to try and keep up
with the maintainers and perpetuate said option; but you seem eager
enough to do it yourselves, so I'll watch you get burned.
|
|>RBAC I'll agree with, it can be a pain in the ass and can change the way
|>an administrator has to interact with the system, which can become
|>confusing to the user. GRSecurity with active ACLs or an active SELinux
|>shouldn't be on by default; but they can easily be options which the
|>user can activate with a debconf program.
|
|
| s/RBAC/RSBAC/
RBAC == Role Based Access Control. RSBAC and GRSecurity allow these
schemes of access control to be implemented (SE uses the Flask model or
something).
| Yes, i agree with you.RSBAC is not "usable" for everybody.
| But debconf can make a simple dialog asking for RBAC (grSecurity RSBAC
| implementation in this case) password, then it starts.... -L
| /var/log/rbac (or ${RBAC_LOG} for use it by debconf and asking what path
| is the right one for the log).
Yes, you're on the ball here.
| Then it starts the engine....rbac learning....et voilá!
|
| Cheers!
- --
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFBS0AqhDd4aOud5P8RAmS9AJ4lTdqPFkoyOsIDSZKjECsEyTm2qgCcC+y0
uePmbVikpGmOmw16h741wIw=
=8C+K
-----END PGP SIGNATURE-----
Reply to: