Re: default security
On Tue, Jan 15, 2002 at 10:21:00AM +0100, Tarjei wrote:
> >
> >
> >I recall there being discussion a while back about packaging chroot
> >bind. I don't know whether or not anything came of it at all. There is
> >
> Debian being what it is, are there any reasons why the debian bind
> package should not be chroot as the default instalation?
RTFM. That is:
http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html#s-sec-bind
:)
>
> One thing that might be a good idea, would be a security review of the
> main debian packages. It's probably beeing done for some already, but I
> would guess a lot of debian packages could benefit from even stricter
> default setups. For example, maybe libsafe should be default inn all
> installs.
Agreed. Feel free to point to better security measures in the
Default installation and document them, once done it is a major point of
pressure to change Debian policy.
>
> I know this would take some time to implement, but I think it would help
> the image of debian and linux over time. I'm often frustrated that the
> big distros (rh, mandrake) doesn't do more to harden their distros. For
> example the default install of ssh in RH still provides both ssh1 and
> ssh2 & root login.
>
Debian, unlike RedHat or Mandrake provides and gives support for
Bastille Linux. Even if the default setup is quite good (security-wise) it
can easily be made even better.
> I know this is a rant, but maybe it would be wise to think of a way to
> implement this. At least, put more deamons in chroot jails and get
> libsafe compiled into every package.
Debian could provide, with only some effort from package
maintainers versions of daemons chrooted to given environments. This
however, might break Policy (IMHO).
BTW, Bastille does have modules for chrooting services (it has one
for Bind) that can be selected when hardening the system. You could also
help having Bastille's module (for Bind) adapted to Debian (I have not had
time to do so myself)
Regards
Javi
Reply to: