Re: status of introducing security mechanisms in Debian

To: mircan@poczta.onet.pl
Cc: debian-security@lists.debian.org
Subject: Re: status of introducing security mechanisms in Debian
From: Kees Cook <kees@debian.org>
Date: Tue, 8 Feb 2011 09:06:42 -0800
Message-id: <[🔎] 20110208170642.GK1457@outflux.net>
In-reply-to: <[🔎] AANLkTi=+m+qnO2w2AbkNfFPueOaF3jA4OhgfPRfW35G0@mail.gmail.com>
References: <[🔎] AANLkTi=+m+qnO2w2AbkNfFPueOaF3jA4OhgfPRfW35G0@mail.gmail.com>

On Tue, Feb 08, 2011 at 01:33:12PM +0100, mircan@poczta.onet.pl wrote:
> As stated in the articles in Debian Lenny there were very little of
> available security mechanisms of the Linux environment included. I
> just wanted to know what is the status of this in Squeeze and also

Squeeze has no distro-wide hardening features. Some packages are built
with hardening options enabled in their debian/rules files -- those
are a bit harder to spot. The ever-growing list of packages that use[1]
hardening-wrapper or hardening-includes seem to be:

aria2 autotrust batctl batmand bind9 bird botan1.8 chromium-browser confget
cookietool cups dma dnssec-tools donkey epdfview ffmpeg-php grap
graphicsmagick gtkcookie gweled hexer hfsprogs iodine ipsec-tools jd jed
kaptain ldns libdebug libg3d libinfinity libpam-script libpipeline
mailavenger man-db midori mupen64plus mysql-5.1 nast netatalk ngrep nsd3
openbsd-inetd opendnssec openntpd openssh php5 postfix postgresql-8.4
postgresql-9.0 prips qliss3d quagga robodoc rtpproxy s3d ser slrn softhsm
squid strongswan switchsh tcpdump tcpflow tina tmux tnftp udev wireshark
worker xmahjongg zoem

> rise a release goal for Wheezy to enable some pro-active security
> mechanisms mentioned in the articles. For example, I guess enabling
> PIE in iceweasel, other web browsers and network daemons is worth
> taking into consideration. I know my point is extremely general, I
> just hope to start a discussion about this topic.

As you might expect, this topic has been brought up before[2]. Probably
the most up-to-date thread is here[3].

Besides tool-chain hardening, attempts to request additional
kernel-supported hardening have generally been rejected[4] by the
Debian kernel team, though some basic work has been done[5] to support
kernel-internal hardening that is available from upstream.

Thanks,

-Kees

[1] I generated this list from:
  reverse-build-depends --only-main --distribution unstable hardening-wrapper
  reverse-build-depends --only-main --distribution unstable hardening-includes

[2] http://lists.debian.org/debian-gcc/2009/10/msg00186.html

[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=552688

[4] http://lists.debian.org/debian-devel/2010/11/msg00381.html

[5] CONFIG_DEBUG_RODATA, CONFIG_CC_STACKPROTECTOR, CONFIG_STRICT_DEVMEM,
    CONFIG_DEFAULT_MMAP_MIN_ADDR, module filtering:
    http://lists.debian.org/debian-kernel/2010/11/msg00378.html

-- 
Kees Cook                                            @debian.org

Reply to:

References:
- status of introducing security mechanisms in Debian
  - From: mircan@poczta.onet.pl

Prev by Date: status of introducing security mechanisms in Debian
Next by Date: Re: status of introducing security mechanisms in Debian
Previous by thread: status of introducing security mechanisms in Debian
Next by thread: Re: status of introducing security mechanisms in Debian
Index(es):
- Date
- Thread