
Re: Will 2.4.20 Source be patched for the latest kernel vulnerability?



on Wed, Dec 03, 2003 at 04:57:29PM +0100, Adam ENDRODI (borso@vekoll.saturnus.vein.hu) wrote:
> On Wed, Dec 03, 2003 at 06:46:51AM -0800, Karsten M. Self wrote:
> > on Wed, Dec 03, 2003 at 01:31:29PM +0000, Dale Amon (amon@vnl.com) wrote:
> > > On Wed, Dec 03, 2003 at 03:21:57PM +0200, Riku Valli wrote:
> > > > This is reason why I ask what about stock kernels, because I believe I am not
> > > > lonely cowboy at the middle of the no where. Debian is distribution and
> > > 
> > > Probably not... it is just that amongst a security conscious
> > > group you are likely to find that most will build their own
> > > kernels and add their own security patches. Paranoia is your friend
> > > in security.
> 
> [...]
> > Having a team that shares experience and combines talents in patching a
> > kernel and tuning it to secure configurations is a preferable approach.
> 
> I tend to disagree.  The kernel is a versatile program, it can be
> patched, configured and compiled in too many ways.  

...including many of which are wrong, broken, or suboptimal.

This doesn't preclude shipping configurations, or even configuration
files, which meet many or sufficing case needs.  Nor does it mean that
you can't patch your own, if you choose.

I already count seven builds of the 2.4.20 kernel on x86 architecture,
fitting specific needs of different specific kernel types as well as
uni- and multi-processor systems.


> As far as I know, Debian is not intended to best fit the needs
> of a security architecture, but to provide a usable environment to the
> mass of slightly advanced skills.  

I see Debian much as Ian Murdock described it: a distribution
infrastructure on which you can build what you specifically need,
through package selection, and if necessary, modification.

Debian offers three different hardening options -- bastille, the harden*
group of packages, and the SELinux* set of packages.

There are a number of metapackages targeting specific "vertical markets"
for Debian, including DebianJr., and IIRC a primary/secondary education
target.  While not specifically addressing security contexts, these *do*
point out that the Debian Project is a platform on which specific goals
can be supported.


> The requirements often conflict, and while the developers do their
> best to fulfill as many as possible of them (for instance, by creating
> alternative kernel packages), in certain situation they might choose
> to prefer something else over security.

I disagree.

The dependencies and package-management capabilities of Debian make it a
preferred base from which to build a secure system.  This can be as a
full system, capable of apt-get updates itself, or a minimal, bootable
system lacking the requirements of a full Debian system, but built using
the Debian infrastructure.  By contrast, OpenBSD, the "other" secure
platform, is very specifically hardened, but is 


> To sum up, it's always great to have a chance to learn from
> the more experienced, but I don't expect them to do my homework.
> They are not supposed to.

You're missing the point of collaborative development.

For the individual, or group, which puts the effort into building a
secure architecture, Debian offers distribution, bugtracking, QC, and
release mechanisms which can prove highly useful.  In the specific case
of kernel hardening, there's the question of how to package and
structure things in a way that's useful across other axes of variance
(arches, SMP/UP, server/workstation/desktop, etc.), but the task isn't
impossible.


> > While you _might_ do well on your own, the typical admin doesn't have
> > these skills.
> 
> As times go I'm more and more convinced you're right.  Conversely...
> we're on debian-security, after all.

;-)


Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
  Information is not power after all: Old-fashioned power is power. If you
  aren't big industry or government, you have very little power. Once they've
  hacked the electronic voting system, you'll have no power at all.
  - Robert X. Cringely


