[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: goals for hardening Debian: ideas and help wanted

On Thu, 24 Apr 2014, Paul Wise wrote:


On Thu, 2014-04-24 at 02:53 -0007, Cameron Norman wrote:


Would the inclusion of more AppArmor profiles be applicable?


Thanks, added along with SELinux/etc.


I second that. Actually, some time ago I tried using both AppArmor and
SELinux, but gave up because it took forever to find legitimate behaviour of
all kinds of common packages (most of them standard debian packages) and
prepare configuration files for things to work. If debian wants to foster
adoption of such security enhancements, it must go to great lengths in
making sure that (in order of importance in my humble opinion)

1) all debian-packaged software works (very nearly) out of the box with
debian-supported MAC frameworks. It should be very clear that if they don't
it's an important bug that needs fixing. For example, such bugs should
prevent the inclusion of a package in an official stable release. Or split
the main debian archive in two, one that is MAC-ready and one that is not,
so each user can decide to only use packages known to work well with
debian-supported MAC frameworks.

2) for each debian-supported MAC framework there should be an expert team
which should a) help package maintainers learn how to create and include
appropriate configuration files so that their package works with the MAC
framework b) create some tools (debhelper-like?) to make it relatively easy to find the minimum access rights a package needs and implement them in a 
configuration file c) define appropriate "style" guidelines to make
configuration files as readable and maintainable as possible. All of this is going to be a lot of work at the beginning, but it will quickly 
decrease as more and more package maintainers get familiar with MAC
frameworks.

3) there should be a category of packages in contrib which just contain
configuration files for commonly used non-free software. Such configuration
files should be audited by the appropriate expert teams before acceptance,
to make sure they do not grant unnecessary access privileges.


Until at very least point 1) is fulfilled, I doubt there will be widespread
adoption of MAC frameworks, except for very specialised systems for which
the amount of effort in setting them up is limited. General purpose
computers (i.e. the ones in a pool of computers available for PhD students
at a University, which must have a lot of packages installed for general
use) will remain out of the question.

Bye
Giacomo

--
_________________________________________________________________

Giacomo Mulas <gmulas@oa-cagliari.inaf.it>
_________________________________________________________________

INAF - Osservatorio Astronomico di Cagliari
via della scienza 5 - 09047 Selargius (CA)

tel.   +39 070 71180244
mob. : +39 329  6603810
_________________________________________________________________

"When the storms are raging around you, stay right where you are"
                         (Freddy Mercury)
_________________________________________________________________
Reply to: