Debian Hardened Aims For Security

larryg writes "Debian Hardened is a new project that wants be an official Debian sub-project. It aims to provide a complete tree of hardened kernel and software packages for a standard Debian distribution, without changing to another like Adamantix and making easy the hardening of any machine running Debian GNU/Linux. The hardened kernels use the grSecurity patch and some of the Adamantix kernel patches; also, its packages are compiled with the ProPolice/SSP gcc extension and some libraries to prevent and trace buffer overflow attacks. Also, and as a second project, we are working on some enhacements against the Linux Entropy Pool engine, using an external TRNG (True Random Numbers Generator) device which uses thermal noise and also the atomic decay from a Geiger counter, making true unpredictable random numbers."

Cool

Cant wait to use it with my Lexar JumpDrive loaded with security sofware against hackers.

Hardened Gentoo

Doesn't provide as many choices or the technological /security understanding of Hardened Gentoo
(not to mention the very similar name)
http://hardened.gentoo.org

Re:Hardened Gentoo

[Aardpig]

Doesn't provide as many choices or the technological /security understanding of Hardened Gentoo

While I confess to being a hard-core Gentoo nut, isn't choice often the mother of all fuck ups? What's wrong with doing one thing and doing it right?

Re:Hardened Gentoo

[gl4ss]

soo.. what you're telling me is that just by using gentoo you gain magical insight into understanding secure systems and how security is built from ground up?

gentoo is nice and all, but it certainl doesn't make it's users magically understand the underlying system. btw, just because you can copy and 'discuss' compiler flags on a forum doesn't make yourself an expert on building fast software or make you understand what kind of speed ups are even technically possible and of all things it doesn't make you magically understand how software is executed at run time or the operating system built so you could see that saying stuff like "my mozilla has no ps/2 support" doesn't really show you in good light.

one choice in reducing possible user fuckups is reducing easy user choices("do you want to have a theoretical speedup by disabling using shadow file y/n?").

Re:Hardened Gentoo

[Stevyn]

Because people disagree what is the right way of doing it. I share some frustration that the choice offered of using linux makes some things more complicated than on a windows machine. But in the end, it just generate more competition, which is what has been killing the software industry for the past few years. Actually the industry has been fine, it's the consumers who are getting shafted.

Re:Hardened Gentoo

[MadMethod]

Ok, how about this go to http://debianhardened.sourceforge.net/ and read all the documentation they have (hint, there isn't any), then go to http://hardened.gentoo.org and read all the docs we've put there and notice that, indeed there is a difference and one would gain a higher understanding of security

Re:Hardened Gentoo

[savagedome]

isn't choice often the mother of all fuck ups

I read this in of the /.'s sig: "Freedom of choice is what you have. Freedom from choice is what you want". I think it applies to the general populace and is relevant here.

Re:Hardened Gentoo

[big+tex]

Ok, how about this go to http://debianhardened.sourceforge.net/ and read all the documentation they have (hint, there isn't any),

OK, that's what we call 'security through obscurity'. See no evil, hear no evil, all that.

Re:Hardened Gentoo

[sirsnork]

Or maybe, just maybe the project is a ALPHA status and is very new and has only been active for 2 weeks so no one has had a chance to write any documentation?

Re:Hardened Gentoo

[drinkypoo]

In case you were wondering, it's a Devo quote, from the song "Freedom of Choice". Are we not men? D E V O.

Re:Hardened Gentoo

[bluefoxlucid]

D:SbD has only been active about as long, and is in beta (almost production) stage. Of course, we're just supplying information about the systems that are out there; what impact they have; why they're good; and how to use them. In essence, D:SbD is just "this is what you do to implement a secure system without pissing the user off with tons of extra crap and breakage."

It's done the way it is because I can't myself implement these things; and I'm not forking Debian. It'd be easy enough to rebuild the whole system, track down the holes, and make sure everything works and is handled so the user sees nothing. Problem is, I'd have to rebuild each and every package to get PIE, SSP, and PT_PAX_FLAGS. Wrong approach.

Forking Debian into a generally usable distribution that is 100% suitable as a drop-in replacement for 100% of the current Debian installations is two things: excess work for me, and pointless. It's pointless because if everyone can safely use it anyway, then it should just BE Debian. This is not me trying to make a name for myself; it's all of us trying to make things better.

Because of the approach these people are taking, I don't honestly see their project escaping alpha. If they do, they'll either have done exactly what I said in the above paragraph; or they'll have a couple of changes that don't really do anything useful. You have to work with them, not against them.

www.lids.org

[hsidhu]

How is this going to be different than just installing Woody and applying the lids kernel patch to your particular kernel and locking the system down that way?

why need a distro for that?

[techefnet]

why would you need a distro for securing your machine? you should just secure your favorite distro yourself :)

Debian could use that as a spam headline!

Hard3n y0ur Debian/w0ody t0day!

Interesting.......

[AcidFnTonic]

Being a slackware guy myself, I still would very much like to inspect this branch when released....

I still think the less you have the more secure it is.... as long as what you have isnt bloated. Thats why in my opinion slackware is great on security.

So if this thing is more than one iso image ill be rather skeptical since debian tends to be a very large distro...

Re:Interesting.......

[OmegaBlac]

I still think the less you have the more secure it is.... as long as what you have isnt bloated.

I agree.

So if this thing is more than one iso image ill be rather skeptical since debian tends to be a very large distro...

You only need to download 1 Debian ISO to install it. There even is a minimal iso version for network installs. The default Debian install is the bare miniumum. Hardly if any services are running on a default Deb install. Yes Debian has the largest selection of packages, but no one is forcing anyone to download all the ISOs just to install Deb. Just install and apt-get away what you need!

It's good for both, actually;

[Progman3K]

Debian's team can implement it a certain way and whatever amazing thing they cook-up can be re-used by the Gentoo team!

The goal is not a religious war, the goal is for you and I to get ahead.

Enhacements against the Linux Entropy Pool engine?

Has anyone ever,ever,ever compromised a computer or encrypted document by predicting the output of a random number generator?

Would the time not be better spent looking for the next OpenSSH/SSL hole?

I'm not trolling, most security flaws come from everyday apps rather than esoteric problems.

New pickup line for geeks...

[vettemph]

Wanna mount my hardened woody?

Re:New pickup line for geeks...

[vettemph]

....Hardened Woody set for release!

They'd need more drastic changes

[bluefoxlucid]

I'm a Hardened Gentoo user; although, I only use a subset of all the hardened herd's efforts :) I actually do understand what I'm doing, though, and am trying to spread that understanding myself. I am in no way affiliated with [Hardened] Gentoo or Debian.

At any rate, these people don't understand that they'll need more drastic changes. Why not bring attention to http://d-sbd.alioth.debian.org/ while you're at it? This is my project, just a demonstrational effort to bring these things to the attention of the Debian maintainers.

The idea isn't to have a hardened "Enhancement," but rather to incorporate anything you can put in that won't hurt. For example, you can compile glibc, gnome, and bash with SSP/ProPolice, and nothing else will use ProPolice but those. Those programs also won't be hurt by ProPolice. We can extend this to, "Compile any program or library that won't break with it with SSP." The user will never notice; but it'll stop a range of attacks.

My point is that you need to aim low. A hardened system like Hardened Gentoo or Adamantix will supply you with *everything* -- PaX, SSP, ET_DYN binaries, rediculously complicated MAC systems, firewalling maybe, network sniffers, etc. A non-hardened distribution should look at each of these, determine which don't change the end user's experience (administrator included), and implement them. This is "Do what's easy" rather than "Do EVERYTHING we possibly can," but it's still better than just being lame in the area of security.

Re:Deban could use it

[Wonko]

Take for example the fact that I can remotely shutdown a debiaTake for example the fact that I can remotely shutdown a debian machine over ssh with the "halt" command. A RedHat distro had that little feature blocked

Why exactly is this a bad thing? Have you never had to shutdown or reboot a remote server? I know I've had to do both at least a few times... Although rebooting would be much more common, and it would probably be safer as well :p.

On my Debian machines you seem to need to be root to do it. If someone I don't know is logged in over ssh as root on one of my boxes the last thing I am worried about is his ability to shut it down :p.

Who are these people?

[ConsumedByTV]

First off, who are these guys?

Debian already has a security project, a few of them actually.

I looked at google for either of these guys names and unless I am mistaken, this is what I got: developer one and developer two.

Interesting that anyone else that they haven't ever used those names to contribute to say at least a single debian security mailing list, or say ANY debian lists?

Even more interesting is that they don't seem to have much but a slashdot plug and they are accepting donations.

I am not impressed. Working with the debian security team is the way to go.

Steve Kemp is one of the main guys heading up the debian audit project, these guys should be working with him. Not for some other project.

The official debian project for this is the debian audit project.

Hell advertising that they use SSP enabled GCC! Steve makes those packages for use with debian already!

TRNG

[dmiller]

The crap about Geiger counters seems to indicate the author seems more interested in studly buzzwords than actually developing practical solutions. A soundcard with nothing plugged in is a perfectly acceptable source of entropy, the problem is just in accurately estimating the rate. Also, many chipsets and an increasing number of CPUs include hardware random number generators which can be used too.

selinux?

[starseeker]

I'm curious as to why they chose the particular tools they did. I don't know too much about these issues, but from what I understand the NSA's selinux patches are a very robust and powerful set of tools. IIRC Redhat has been integrating it into their systems. It may be that this isn't the best choice, but I'd be curious if someone who knows them well could give us a rundown of why some solutions might be better/worse.

One issue with selinux I (think) I understand is that in order for applications to run properly you need to have predefined rules which allow them to do what they need to do (the nature of MAC is they can't do anything except what is explicitly allowed, as I understand it). This is possible for servers, which do only a few jobs repeatedly, but for a desktop machine with hundreds of potential applications to fire up and more being developed such a burden becomes huge. A normal user would end up turning off MAC in order to use the computer the way they want to, unless each application they want or may want to use already has a default ruleset present. I would be really happy to see this happen - various distributions collaborate on default rules for large numbers of applications, so end users could actually use systems that are seriously hardened. I know it's probably overkill, but given what casual Windows users on the network have done over the years (as well as unsecured Linux boxes and other OSes, for that matter) I think if some combination of projects could deliver a usable desktop machine with mandatory access control and any other features which might defend their box while letting it be useful would be a Very Good Thing. One thing is for sure - too little security does more harm to the internet community than having more protection than you need.

http://packages.debian.org/harden

debian packages: harden

how is Hardened Debian going to be different from installing the harden* packages?

Re:http://packages.debian.org/harden

[OA]

The official harden* packages are purely virtual. Their only purpose is to conflict with other packages which are insecure. In contrast Debian hardened wants to change the contents of the insecure packages

Not exactly correct.

It pulls in a documentation called harden-doc which goes through all the actions local admin should take to make the system secure. I think Javi is always putting good efforts to update it. This SGML source of this doc package is a part of the source tree creating dependency if I remember correct.

The same document is available as "Securing Debian Manual".

Cheers,

Osamu

Re:good trend

[LittleLebowskiUrbanA]

I kind of get a kick out of all of the anti US gov't people on /. using something the NSA developed and gave back to the community.

Re:good trend

[drinkypoo]

If you look at the SElinux download page you can read the following tidbit:

The Linux 2.6 kernel already includes the extended attribute (EA) support, the Linux Security Module (LSM) framework, and the SELinux module, but the changes to the SELinux module that have not yet been upstreamed can be obtained from here.

In other words, SElinux comes with the kernel.

Re:HOW?

[Stevyn]

I think you misunderstood. I meant that users get shafted with there are just a few large companies competing, but it is better to have lots of smaller organizations writing FOSS. For most users, the advances in FOSS haven't affected them in the past few years. OSS projects like firefox and gaim are starting to become popular for the every day folk and that's the advantage to the consumer I was referring too.

Re:good trend

[drinkypoo]

I prefer to discard only the bathwater. Baby can stay. I get a kick of the NSA giving back to the community that hates them...

what's wrong with /dev/urandom

[mo]

Does anyone have evidence where a system was cracked due to the lack of entropy from things like interrupt timing?

I would think that there exists a limited number of people in the world who could exploit a diffie-helman exchange between systems using the usual sources of randomness on an x86 machine.

Re:Enhacements against the Linux Entropy Pool engi

[bomb_number_20]

Does this count?

Re:Deban could use it

[darkewolf]

Being able to remotely shutdown or halt a machine is a godsend. The trick is to restrict SSH access-in from certain 'secure' IP addresses, and firewall the rest of them out. Secondly, I guess only allow root access from a non-root account (ie: no ssh'ing in as root).

But I guess to each their own :)

as *if*!

[Llewyn]

i suppose 'Debian Hardened' is not referring to the installation process... yegods! it was hard enough already!

but seriously... as a debian user, i fully condone harder, faster, and stronger debians.

Re:Enhacements against the Linux Entropy Pool engi

No, in that case they did not use any random data (or "salt" as cryptographers call it) in the encoding at all.

The problem was not the quality of the random number generation.

Re:Enhacements against the Linux Entropy Pool engi

[strider44]

Definitely. There was a gambling agency that people ripped alot of money off from other people cause they seeded the generator with the amount of milliseconds since midnight and used a public lookup table to generate the random number. Not only is this a stupid way of doing it - it's only security through obscurity cause you only need a few queries to syncronise your clock with the agency's clock, but the idiots actually published their code!!!

Now consider this example - random number generators are anything but secure.

Re:harden what??

[808140]

Security is like an erection: it can always be harder and longer lasting. That doesn't necessarily imply impotence (unless it comes from the aptly named Microsoft, haha).

If you need a secure system...

...just use OpenBSD, where security is not a patch or an afterthought.

It might surprise some linux fanbois, but other OSs are better suited than their beloved linux for certain tasks.

Too much security

[emiste]

Sometimes I get a feeling saying that people spend too much time thinking about security in the OSS world. Security is important, but as mentioned earlier, has a system's security for example ever been compromised because of insecure random number generation?

It's just like the VPN softwares around. Take for example IPsec/FreeSWAN and OpenVPN. OpenVPN offers great security using SSL and TLS. Both those protocols are in the present time considered secure and it's fairly simple to setup.

IPsec on the other hand, takes the concept of security to a whole new level. This affects the overall software, turning it into a pain to set up and understand. And in order to make full use of the security you have to understand how it works.

I bet many security issues arises out of misconfiguration due to unnecessary complexity in the software. Keep it simple stupid is the way to go.

My point is: isn't secure security enough? Does it have to be better?