[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: status of introducing security mechanisms in Debian

On Tue, Feb 08, 2011 at 01:33:12PM +0100, mircan@poczta.onet.pl wrote:
> As stated in the articles in Debian Lenny there were very little of
> available security mechanisms of the Linux environment included. I
> just wanted to know what is the status of this in Squeeze and also

Squeeze has no distro-wide hardening features. Some packages are built
with hardening options enabled in their debian/rules files -- those
are a bit harder to spot. The ever-growing list of packages that use[1]
hardening-wrapper or hardening-includes seem to be:

aria2 autotrust batctl batmand bind9 bird botan1.8 chromium-browser confget
cookietool cups dma dnssec-tools donkey epdfview ffmpeg-php grap
graphicsmagick gtkcookie gweled hexer hfsprogs iodine ipsec-tools jd jed
kaptain ldns libdebug libg3d libinfinity libpam-script libpipeline
mailavenger man-db midori mupen64plus mysql-5.1 nast netatalk ngrep nsd3
openbsd-inetd opendnssec openntpd openssh php5 postfix postgresql-8.4
postgresql-9.0 prips qliss3d quagga robodoc rtpproxy s3d ser slrn softhsm
squid strongswan switchsh tcpdump tcpflow tina tmux tnftp udev wireshark
worker xmahjongg zoem

> rise a release goal for Wheezy to enable some pro-active security
> mechanisms mentioned in the articles. For example, I guess enabling
> PIE in iceweasel, other web browsers and network daemons is worth
> taking into consideration. I know my point is extremely general, I
> just hope to start a discussion about this topic.

As you might expect, this topic has been brought up before[2]. Probably
the most up-to-date thread is here[3].

Besides tool-chain hardening, attempts to request additional
kernel-supported hardening have generally been rejected[4] by the
Debian kernel team, though some basic work has been done[5] to support
kernel-internal hardening that is available from upstream.



[1] I generated this list from:
  reverse-build-depends --only-main --distribution unstable hardening-wrapper
  reverse-build-depends --only-main --distribution unstable hardening-includes

[2] http://lists.debian.org/debian-gcc/2009/10/msg00186.html

[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=552688

[4] http://lists.debian.org/debian-devel/2010/11/msg00381.html

    CONFIG_DEFAULT_MMAP_MIN_ADDR, module filtering:

Kees Cook                                            @debian.org

Reply to: