Re: Secure OS's
hi ya paul
there is NO such thing as secure OS .. esp in linux-land
and openbsd enjoying their ability to be more secure than other *nix
- somebody can always get in if they wanted to
On Mon, 10 May 2004, dircha wrote:
> firstname.lastname@example.org wrote:
> > I guess what I mean by a secure os is an os whose packages themselves
> > are secure, obviously if someone doesn't set up a server securely, it
> > doesn't matter how secure the packages are. Like wise, if a person
> > set up a server keeping security as a priority, all their efforts are
> > for naught if the package is built insecurely, (like the common
> > buffer overflow).
buffer overflow is relatively trivial to fix in comparason to other
security issues ( you have the source code to review and put your
stamp of approval on tit - so to speak )
- ie ... write a tool or use a tool to check for buffer overflow
> > I know that debian releases security patches that solve many of these
> > issues, when the come up.
and that security patches are good ... best thing to happen
along with everybody else that puts out patches and fixes and warnings
> However, this process leads me to believe
> > that the packages in general are not built with security in mind
congrats !! ... security is usually not the 1st priority when writing code
and if you notice, even supposed secure code still require security
patches and fixes because nobody can forsee any problems "once"
and requires constant review
> > How important of an issue do you guys feel this is and do you think
> > projects like bastille are important towards this effort?
for me, its not important .... i use my own smurfy goofy rules for
security and work backwards
automated tools are good ...but it will miss other important security
> Also, I
> > do not know of any other debian compatible security packages and
> > would love to learn more about them.
what kind of security issues are you looking to solve ??
( upgrades ==> improve its security - compared to its default distro )
- is your door locked ? to the where the supposed secure computers are
- security policy specifications ( computer and people management ) ?
- kernel security upgrades ??
- ssh/ssl security upgrades ??
- apache seucrity upgrades ?
- mta security upgrades ?
- file system upgrades ?
- user-land whackyness upgrades ?
- vpn security upgrades ?
... on and on ... its a 24x7 full time job
if security is an issue, than in my world of security, you cannot
be using these apps/methodology
- telnet, ftp, pop3, imap,
- dhcp, wireless, vpn
- laptops .. easiest way to break ones security policy
and if security is an issue ... you will have lots of layers of
security policies that if the INTERNAL or external [h/cr]acker
gets thru one vulnerability, they can have fun playing there, but
they have to have another skill set to get pass the next hurdle
> Whether or not a software application itself is security-minded is
> primarily a judgment call about the application's developers, its
> security model, and its maturity.