Slashdot Mirror

← Back to Stories (view on slashdot.org)

Debian Hardened Aims For Security

Posted by timothy on from the it's-certainly-safe-from-me dept.

larryg writes "Debian Hardened is a new project that wants be an official Debian sub-project. It aims to provide a complete tree of hardened kernel and software packages for a standard Debian distribution, without changing to another like Adamantix and making easy the hardening of any machine running Debian GNU/Linux. The hardened kernels use the grSecurity patch and some of the Adamantix kernel patches; also, its packages are compiled with the ProPolice/SSP gcc extension and some libraries to prevent and trace buffer overflow attacks. Also, and as a second project, we are working on some enhacements against the Linux Entropy Pool engine, using an external TRNG (True Random Numbers Generator) device which uses thermal noise and also the atomic decay from a Geiger counter, making true unpredictable random numbers."

16 of 167 comments (clear)

  1. Re:Hardened Gentoo by Aardpig · · Score: 4, Insightful

    Doesn't provide as many choices or the technological /security understanding of Hardened Gentoo

    While I confess to being a hard-core Gentoo nut, isn't choice often the mother of all fuck ups? What's wrong with doing one thing and doing it right?

    --
    Tubal-Cain smokes the white owl.
  2. why need a distro for that? by techefnet · · Score: 4, Insightful

    why would you need a distro for securing your machine? you should just secure your favorite distro yourself :)

    1. Re:why need a distro for that? by OmegaBlac · · Score: 2, Insightful
      why would you need a distro for securing your machine? you should just secure your favorite distro yourself :)
      My first though was laziness, but thats a lil harsh. I guess some people like certain things, in this instance security, to be automated for them. Some people also may have a difficult time trying to read documentation and understand the process of installing those security patches.
    2. Re:why need a distro for that? by CableModemSniper · · Score: 2, Insightful

      Not everyone has time to be a security expert. And not everyone likes for instance, the OpenBSD way of doing things(Not that OpenBSD is the only secures OS). Maybe I like Debian. Maybe I worry about Sercurity but I don't have all this time to recompile everything with bounds-checking etc.

      Its for the same reason we have distributions period. Why doesn't everyone do LFS and assemble their own userland and tools?

      Of course I did just notice your smiley, so I don't think you were completely serious ;)

      --
      Why not fork?
  3. Re:Hardened Gentoo by gl4ss · · Score: 4, Insightful

    soo.. what you're telling me is that just by using gentoo you gain magical insight into understanding secure systems and how security is built from ground up?

    gentoo is nice and all, but it certainl doesn't make it's users magically understand the underlying system. btw, just because you can copy and 'discuss' compiler flags on a forum doesn't make yourself an expert on building fast software or make you understand what kind of speed ups are even technically possible and of all things it doesn't make you magically understand how software is executed at run time or the operating system built so you could see that saying stuff like "my mozilla has no ps/2 support" doesn't really show you in good light.

    one choice in reducing possible user fuckups is reducing easy user choices("do you want to have a theoretical speedup by disabling using shadow file y/n?").

    --
    world was created 5 seconds before this post as it is.
  4. Re:Hardened Gentoo by Stevyn · · Score: 4, Insightful

    Because people disagree what is the right way of doing it. I share some frustration that the choice offered of using linux makes some things more complicated than on a windows machine. But in the end, it just generate more competition, which is what has been killing the software industry for the past few years. Actually the industry has been fine, it's the consumers who are getting shafted.

  5. This could be a good thing in the future by Anonymous Coward · · Score: 2, Insightful

    IF it results in many of the security features that make Debian (and GNU/Linux in general) hard to use being moved over to a specially oriented project, and removed from the main one.

    For example, if you are setting up a single user box to access the internet with a modem (something that GNU/Linux should shine at) you often run into problems related to pppd requiring all sorts of obnoxious nonsense to get it to run as a regular user.

    Policies such as new accounts having their own group by default, and not being readable by all other accounts, make sense in the ISP, server, and in business settings in general. But tipping point is being reached, to where soon most people setting up Debian are setting it up to use it at home, not to run a business or train themselves to get business related job skills. Things like pam have to go to where they belong, and not get in the way of the rest of us.

  6. Re:Hardened Gentoo by savagedome · · Score: 4, Insightful

    isn't choice often the mother of all fuck ups

    I read this in of the /.'s sig: "Freedom of choice is what you have. Freedom from choice is what you want". I think it applies to the general populace and is relevant here.

    --


    Free XBox, PS2
  7. Re:Hardened Gentoo by sirsnork · · Score: 4, Insightful

    Or maybe, just maybe the project is a ALPHA status and is very new and has only been active for 2 weeks so no one has had a chance to write any documentation?

    --

    Normal people worry me!
  8. Re:good trend by LittleLebowskiUrbanA · · Score: 4, Insightful

    I kind of get a kick out of all of the anti US gov't people on /. using something the NSA developed and gave back to the community.

    --
    This guy is way out there
  9. Re:HOW? by Stevyn · · Score: 3, Insightful

    I think you misunderstood. I meant that users get shafted with there are just a few large companies competing, but it is better to have lots of smaller organizations writing FOSS. For most users, the advances in FOSS haven't affected them in the past few years. OSS projects like firefox and gaim are starting to become popular for the every day folk and that's the advantage to the consumer I was referring too.

  10. Re:good trend by drinkypoo · · Score: 4, Insightful

    I prefer to discard only the bathwater. Baby can stay. I get a kick of the NSA giving back to the community that hates them...

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  11. what's wrong with /dev/urandom by mo · · Score: 3, Insightful

    Does anyone have evidence where a system was cracked due to the lack of entropy from things like interrupt timing?

    I would think that there exists a limited number of people in the world who could exploit a diffie-helman exchange between systems using the usual sources of randomness on an x86 machine.

  12. Re:Deban could use it by doorbot.com · · Score: 2, Insightful

    If someone I don't know is logged in over ssh as root on one of my boxes the last thing I am worried about is his ability to shut it down

    Actually, if someone I don't know is logged into my system as root, I'd prefer they simply shut the machine down. Then they can't do any (more) damage...

  13. If you need a secure system... by Anonymous Coward · · Score: 3, Insightful

    ...just use OpenBSD, where security is not a patch or an afterthought.

    It might surprise some linux fanbois, but other OSs are better suited than their beloved linux for certain tasks.

  14. Re:selinux? by IamTheRealMike · · Score: 2, Insightful
    This is possible for servers, which do only a few jobs repeatedly, but for a desktop machine with hundreds of potential applications to fire up and more being developed such a burden becomes huge ... I would be really happy to see this happen - various distributions collaborate on default rules for large numbers of applications, so end users could actually use systems that are seriously hardened

    No, the solution for SELinux is for the application developers themselves to write policy.

    Last time I discussed this with the guys on #selinux, they appeared to think that being non-experts, "regular" developers could not write SELinux policy. I think this is the wrong way to go for several reasons:

    • Attempting to maintain policy centrally for desktop systems is going to be a disaster - the policy will always be out of date or wrong because no matter how much testing they do, the policy maintainers cannot know every operation the program may wish to take. Current testing seems rather basic - does it start? If I play with it for a few minutes, does anything appear obviously broken? etc etc. Software that breaks in mysterious ways will be the result. Only the developers of the software can write accurate policy IMHO - this opinion is in direct contrast to some of the current SELinux developers however.

      You'll have the same mess people have with broken and out of date packages in fact.

    • Most apps won't have any policy at all

    • If SELinux policy is so convoluted that you need tons of training in order to write it, it's pretty much doomed as a system we can use globally outside of niche "appliance" scenarios.

    Fortunately it's possible to install policy within packages like any other data file. So it just requires good community training, like anything else. When FC3 comes out with a basic SELinux implementation active by default I'd expect to see people play with it a lot more.

    Sometimes people get confused - SELinux isn't about preventing malware/spyware type stuff, though theoretically you could use it to help quarantine "alien" programs. It's about giving programs the least priviledge necessary to do their job, so if they are compromised (buffer overflowed etc) somehow, the damage that can be done is limited. It's a defence mechanism.