Debian Hardened Aims For Security
larryg writes "Debian Hardened is a new project that wants to be an official Debian sub-project. It aims to provide a complete tree of hardened kernel and software packages for a standard Debian distribution, without changing to another one like Adamantix, making it easy to harden any machine running Debian GNU/Linux. The hardened kernels use the grSecurity patch and some of the Adamantix kernel patches; also, its packages are compiled with the ProPolice/SSP gcc extension and some libraries to prevent and trace buffer overflow attacks. Also, as a second project, we are working on some enhancements to the Linux Entropy Pool engine, using an external TRNG (True Random Number Generator) device which uses thermal noise and also the atomic decay from a Geiger counter, making truly unpredictable random numbers."
Ok, how about this: go to http://debianhardened.sourceforge.net/ and read all the documentation they have (hint: there isn't any), then go to http://hardened.gentoo.org and read all the docs we've put there, and notice that, indeed, there is a difference and one would gain a higher understanding of security.
Take for example the fact that I can remotely shut down a debian machine over ssh with the "halt" command. A RedHat distro had that little feature blocked.
Why exactly is this a bad thing? Have you never had to shut down or reboot a remote server? I know I've had to do both at least a few times... Although rebooting would be much more common, and it would probably be safer as well :p.
On my Debian machines you seem to need to be root to do it. If someone I don't know is logged in over ssh as root on one of my boxes, the last thing I am worried about is his ability to shut it down :p.
First off, who are these guys?
Debian already has a security project, a few of them actually.
I looked on google for either of these guys' names and, unless I am mistaken, this is what I got: developer one and developer two.
Also interesting that they haven't ever used those names to contribute to, say, at least a single debian security mailing list, or ANY debian lists?
Even more interesting is that they don't seem to have much but a slashdot plug and they are accepting donations.
I am not impressed. Working with the debian security team is the way to go.
Steve Kemp is one of the main guys heading up the debian audit project, these guys should be working with him. Not for some other project.
The official debian project for this is the debian audit project.
Hell, advertising that they use SSP-enabled GCC! Steve makes those packages for use with debian already!
"Not my manner of thinking but the manner of thinking of others has been the source of my unhappiness." - M
No, in that case they did not use any random data (or "salt" as cryptographers call it) in the encoding at all.
The problem was not the quality of the random number generation.