Slashdot Mirror
Debian Hardened Aims For Security
larryg writes "Debian Hardened is a new project that wants be an official Debian sub-project. It aims to provide a complete tree of hardened kernel and software packages for a standard Debian distribution, without changing to another like Adamantix and making easy the hardening of any machine running Debian GNU/Linux. The hardened kernels use the grSecurity patch and some of the Adamantix kernel patches; also, its packages are compiled with the ProPolice/SSP gcc extension and some libraries to prevent and trace buffer overflow attacks. Also, and as a second project, we are working on some enhacements against the Linux Entropy Pool engine, using an external TRNG (True Random Numbers Generator) device which uses thermal noise and also the atomic decay from a Geiger counter, making true unpredictable random numbers."
I s'pose you'd put some code in there that would look for stack overwrites and such and such...
I don't know the meaning of the word 'don't' - J
Ok, how about this go to http://debianhardened.sourceforge.net/ and read all the documentation they have (hint, there isn't any), then go to http://hardened.gentoo.org and read all the docs we've put there and notice that, indeed there is a difference and one would gain a higher understanding of security
I liked this back when Gentoo did it, and I think this is a great trend; having a completely security minded Linux OS (since BSD has been there forever ;))
personally I'm really interested in the Security-Enhanced Linux that the NSA is working on. To have something that complete is really intriquing. Now if they don't have something like apt to keep it steady I dunno...but you have to admit it's got 'wow' factor written all over it!
BCDFY^&D&S^F
free ipod and free gmail!
Take for example the fact that I can remotely shutdown a debiaTake for example the fact that I can remotely shutdown a debian machine over ssh with the "halt" command. A RedHat distro had that little feature blocked
Why exactly is this a bad thing? Have you never had to shutdown or reboot a remote server? I know I've had to do both at least a few times... Although rebooting would be much more common, and it would probably be safer as well :p.
On my Debian machines you seem to need to be root to do it. If someone I don't know is logged in over ssh as root on one of my boxes the last thing I am worried about is his ability to shut it down :p.
Updated link: http://www.debian.org/doc/manuals/securing-debian- howto/
First off, who are these guys?
Debian already has a security project, a few of them actually.
I looked at google for either of these guys names and unless I am mistaken, this is what I got: developer one and developer two.
Interesting that anyone else that they haven't ever used those names to contribute to say at least a single debian security mailing list, or say ANY debian lists?
Even more interesting is that they don't seem to have much but a slashdot plug and they are accepting donations.
I am not impressed. Working with the debian security team is the way to go.
Steve Kemp is one of the main guys heading up the debian audit project, these guys should be working with him. Not for some other project.
The official debian project for this is the debian audit project.
Hell advertising that they use SSP enabled GCC! Steve makes those packages for use with debian already!
"Not my manner of thinking but the manner of thinking of others has been the source of my unhappiness." - M
The crap about Geiger counters seems to indicate the author seems more interested in studly buzzwords than actually developing practical solutions. A soundcard with nothing plugged in is a perfectly acceptable source of entropy, the problem is just in accurately estimating the rate. Also, many chipsets and an increasing number of CPUs include hardware random number generators which can be used too.
In case you were wondering, it's a Devo quote, from the song "Freedom of Choice". Are we not men? D E V O.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Does this count?
That's ok, Jesus likes me anyway.
Being able to remotely shutdown or halt a machine is a godsend. The trick is to restrict SSH access-in from certain 'secure' IP addresses, and firewall the rest of them out. Secondly, I guess only allow root access from a non-root account (ie: no ssh'ing in as root).
:)
But I guess to each their own
"That is not dead which can eternal lie...."
Nimheil
No, in that case they did not use any random data (or "salt" as cryptographers call it) in the encoding at all.
The problem was not the quality of the random number generation.
Definitely. There was a gambling agency that people ripped alot of money off from other people cause they seeded the generator with the amount of milliseconds since midnight and used a public lookup table to generate the random number. Not only is this a stupid way of doing it - it's only security through obscurity cause you only need a few queries to syncronise your clock with the agency's clock, but the idiots actually published their code!!!
Now consider this example - random number generators are anything but secure.
The official harden* packages are purely virtual. Their only purpose is to conflict with other packages which are insecure. In contrast Debian hardened wants to change the contents of the insecure packages
Not exactly correct.
It pulls in a documentation called harden-doc which goes through all the actions local admin should take to make the system secure. I think Javi is always putting good efforts to update it. This SGML source of this doc package is a part of the source tree creating dependency if I remember correct.
The same document is available as "Securing Debian Manual".
Cheers,
Osamu
Who says you shouldn't run X on a server? Just make sure you have -nolisten tcp in the server setup. And for good measure, block the ports it uses.
http://catlin.casinocitytimes.com/articles/1243.ht ml
Someone once beat Keno 3 times in a row and won $620,000 by figuring out a weakness in the 'randomly' generated numbers.
I agree entirely with this. Before jumping on the bandwagon, read here for a synopsis of what a secure *nix operating system is about.
Which is the default in Debian.