Dear All,

It has come to my attention over the past 2 years that there are a number of deficiencies when dealing with security software such as snort and Nessus in the current stable release. The list of problems is:

o So out of date: the exploit and signature databases are so out of date that no protection is afforded against current attacks, and today's software vulnerabilities go undetected.

o Updating vulnerability databases does not work, as generally the new data on the 'Net is no longer compatible with the binaries in stable.

o New versions have new detection algorithms, capabilities, and methodologies that are needed to deal with current and serious threats.

All of the above combine to make the packages in stable a security risk if depended on for a site's security, even though they do not make the machine running the software insecure. Bit rot in this type of software (IDS tools, vulnerability scanners, virus scanners) is in fact a great cause for concern about security. I would even suggest that once such software and signature data is out of date, this be logged as a security bug.

To deal with the above problem I am proposing a new subsection for non-US called security. This would be the one part of the stable distribution that would be allowed to contain new software, due to the security risks mentioned above. The attributes of this section will be:

o Binary/program packages will be back-ported from the latest in unstable with no RC bugs on them, using the same criteria as for a package to be moved from unstable to testing, unless there is an urgent need to counter a security threat such as a rampant e-mail virus, IDS for a devastating worm etc.

o Data set packages will either be auto-downloader packages that download and install the latest data sets for machines, or they will be as up to the minute as possible. All signature (virus, IDS, and security scanning probe) data/binaries will be in separate packages from the program packages above.

o Almost all bugs that affect the effective operation of the above software in its security task will be treated as security bugs. This includes bugs where the auto-downloading of signature updates does not happen properly etc.

o The archive will also contain the necessary and optional dependent packages for the security software to perform its job if they are not in the current stable release, or the current version is unusable. This includes the software for e-mail virus scanning, squid proxy content scanning, the libpcap required to get the latest snort running at its best etc.

o Because of its dynamic nature, due to its requirement to be kept up to date, non-US/security will never be released officially on CD, only as a download from the Internet.

o It is placed in non-US, as the security scanning software uses encryption in lots of places.

o We would leave out potato, and start with woody for this section, as woody is very close to release.

o A high standard of packaging will be required for the software in the section, with debconf set up to get the packages easily operating on install.

o Documentation for the software will have to be comprehensive. Howtos and FAQs on the software will have to be written, as well as a well constructed Web site.

It is hoped that this will augment things like the Debian Gibraltar firewall and e-mail server projects etc.

I am putting this proposal forward for someone else to run with. I have a lot of commitments to the Linux Aid Server project (http://www.anathoth.gen.nz) and I have found that I have had to devote lots of time to getting e-mail virus scanning up to snuff under Debian for this project. Hence my interest in this, to help Debian pull its socks up with regard to this sort of software.

Please let me know what you think. I will be following the discussion on debian-devel and debian-security.
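The proposal treats stale signature data (IDS rules, scanner plugins, virus definitions) as a security bug in its own right, and the auto-downloader packages are meant to prevent that. A site still needs a way to notice when the download has silently stopped working. The following POSIX shell script is an added example, not part of the original message or of any Debian package: it reports data sets whose last modification is older than a configurable number of days, or which are missing altogether, so the condition can be raised as a bug or alert. The file paths are placeholders; the real locations depend on where each data package installs its files.

```shell
#!/bin/sh
# Added example: detect "bit rot" in signature/rule data sets by age.
# Paths below are constructed placeholders, not the locations used by any
# particular Debian package.

# is_stale FILE MAX_DAYS
#   Succeeds (exit 0) when FILE is missing or was last modified more than
#   MAX_DAYS days ago; fails (exit 1) when FILE is fresh.
#   Uses POSIX find(1): "-mtime +N" matches entries modified more than
#   N*24 hours ago; "-prune" stops find from descending into directories.
is_stale() {
    f=$1
    max=$2
    [ -e "$f" ] || return 0            # a missing data set is stale by definition
    [ -n "$(find "$f" -prune -mtime +"$max" 2>/dev/null)" ]
}

# check_datasets MAX_DAYS FILE...
#   Prints one line per data set and returns the number of stale sets
#   (0 means every set is fresh), so it can drive a cron alert.
check_datasets() {
    max=$1
    shift
    stale=0
    for f in "$@"; do
        if is_stale "$f" "$max"; then
            echo "STALE: $f (missing or older than $max days)"
            stale=$((stale + 1))
        else
            echo "ok:    $f"
        fi
    done
    return "$stale"
}

# Example invocation with placeholder paths (constructed, adjust to your site):
#   check_datasets 7 /etc/snort/rules/local.rules \
#                    /var/lib/nessus/plugins/plugins.inc \
#                    /var/lib/clamav/main.cvd
```

Run it from cron with the paths your data packages actually install and a threshold matching how often the upstream feeds change; a non-zero exit is the signal that the auto-downloader has stopped doing its job.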
Best Regards,

Matthew Grant

--
===============================================================================
Matthew Grant              /\      ^/\^                 grantma@anathoth.gen.nz
                          /~~~~\  A Linux Network Guy
/~~\^/~~\_/~~~~~\_______/~~~~~~~~~~\____/******\
===GPG KeyID: 2EE20270 FingerPrint: 8C2535E1A11DF3EA5EA19125BA4E790E2EE20270==