Re: status of introducing security mechanisms in Debian
On Tue, Feb 08, 2011 at 01:33:12PM +0100, mircan@poczta.onet.pl wrote:
> As stated in the articles in Debian Lenny there were very little of
> available security mechanisms of the Linux environment included. I
> just wanted to know what is the status of this in Squeeze and also
Squeeze has no distro-wide hardening features. Some packages are built
with hardening options enabled in their debian/rules files -- those
are a bit harder to spot. The ever-growing list of packages that use[1]
hardening-wrapper or hardening-includes seem to be:
aria2 autotrust batctl batmand bind9 bird botan1.8 chromium-browser confget
cookietool cups dma dnssec-tools donkey epdfview ffmpeg-php grap
graphicsmagick gtkcookie gweled hexer hfsprogs iodine ipsec-tools jd jed
kaptain ldns libdebug libg3d libinfinity libpam-script libpipeline
mailavenger man-db midori mupen64plus mysql-5.1 nast netatalk ngrep nsd3
openbsd-inetd opendnssec openntpd openssh php5 postfix postgresql-8.4
postgresql-9.0 prips qliss3d quagga robodoc rtpproxy s3d ser slrn softhsm
squid strongswan switchsh tcpdump tcpflow tina tmux tnftp udev wireshark
worker xmahjongg zoem
> rise a release goal for Wheezy to enable some pro-active security
> mechanisms mentioned in the articles. For example, I guess enabling
> PIE in iceweasel, other web browsers and network daemons is worth
> taking into consideration. I know my point is extremely general, I
> just hope to start a discussion about this topic.
As you might expect, this topic has been brought up before[2]. Probably
the most up-to-date thread is here[3].
Besides tool-chain hardening, attempts to request additional
kernel-supported hardening have generally been rejected[4] by the
Debian kernel team, though some basic work has been done[5] to support
kernel-internal hardening that is available from upstream.
Thanks,
-Kees
[1] I generated this list from:
reverse-build-depends --only-main --distribution unstable hardening-wrapper
reverse-build-depends --only-main --distribution unstable hardening-includes
[2] http://lists.debian.org/debian-gcc/2009/10/msg00186.html
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=552688
[4] http://lists.debian.org/debian-devel/2010/11/msg00381.html
[5] CONFIG_DEBUG_RODATA, CONFIG_CC_STACKPROTECTOR, CONFIG_STRICT_DEVMEM,
CONFIG_DEFAULT_MMAP_MIN_ADDR, module filtering:
http://lists.debian.org/debian-kernel/2010/11/msg00378.html
--
Kees Cook @debian.org
Reply to: