Slashdot Mirror


Debian Hardened Aims For Security

larryg writes "Debian Hardened is a new project that wants to be an official Debian sub-project. It aims to provide a complete tree of hardened kernel and software packages for a standard Debian distribution, without changing to another distribution like Adamantix, making it easy to harden any machine running Debian GNU/Linux. The hardened kernels use the grSecurity patch and some of the Adamantix kernel patches; also, its packages are compiled with the ProPolice/SSP gcc extension and some libraries to prevent and trace buffer overflow attacks. Also, as a second project, we are working on some enhancements to the Linux Entropy Pool engine, using an external TRNG (True Random Number Generator) device which uses thermal noise and also the atomic decay from a Geiger counter, making truly unpredictable random numbers."
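
The submission's second project feeds an external TRNG into the kernel entropy pool. As an added example, not code from the Debian Hardened project or its authors, here is the shape such a feeder takes in C: raw device bits are first de-biased (a Geiger counter or thermal-noise source is unbiased in principle but rarely in practice), then credited to the kernel with the RNDADDENTROPY ioctl, which is the same interface rngd uses. The sample bytes are constructed inline; the credit rate of 4 bits per byte is an assumption, and the ioctl only succeeds with CAP_SYS_ADMIN.

```c
/* Added example: de-bias raw TRNG bytes and credit them to the Linux entropy pool.
 * Not from the Debian Hardened project; the sample bytes and the credit rate are
 * assumptions made for the demo. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __linux__
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <linux/random.h>
#endif

/* Von Neumann de-biasing: read raw bits in pairs, emit 0 for "01", 1 for "10",
 * drop "00" and "11". The output is unbiased if the source bits are independent,
 * at the cost of discarding at least half the input. Returns whole bytes written;
 * a trailing partial byte is discarded. */
size_t debias_von_neumann(const uint8_t *raw, size_t raw_len, uint8_t *out, size_t out_cap)
{
    size_t out_bits = 0, total_bits = raw_len * 8;
    memset(out, 0, out_cap);
    for (size_t i = 0; i + 1 < total_bits && out_bits < out_cap * 8; i += 2) {
        int a = (raw[i / 8] >> (7 - i % 8)) & 1;
        int b = (raw[(i + 1) / 8] >> (7 - (i + 1) % 8)) & 1;
        if (a == b)
            continue;                     /* "00" or "11": biased pair, discard */
        if (a == 1)                       /* "10" -> 1; "01" -> 0 (bit is already zero) */
            out[out_bits / 8] |= (uint8_t)(0x80 >> (out_bits % 8));
        out_bits++;
    }
    return out_bits / 8;
}

/* Entropy to credit for n de-biased bytes. Under-claiming (fewer than 8 bits per
 * byte) is deliberate: the kernel trusts the number you give it, so a feeder should
 * claim less until the device has been measured. Capped at 8 bits per byte. */
int entropy_credit_bits(size_t n, unsigned bits_per_byte)
{
    return (int)(n * (bits_per_byte > 8 ? 8 : bits_per_byte));
}

#ifdef __linux__
/* Credit bytes to the pool with RNDADDENTROPY (needs CAP_SYS_ADMIN). Plain writes
 * to /dev/random mix bytes in but do not raise the entropy count; only this ioctl
 * does. Returns 0 on success, -1 on failure. */
int feed_kernel_pool(const uint8_t *buf, size_t len, int credit_bits)
{
    struct rand_pool_info *info = malloc(sizeof *info + len);
    if (!info)
        return -1;
    info->entropy_count = credit_bits;
    info->buf_size = (int)len;
    memcpy(info->buf, buf, len);
    int fd = open("/dev/random", O_WRONLY);
    int rc = (fd >= 0 && ioctl(fd, RNDADDENTROPY, info) == 0) ? 0 : -1;
    if (fd >= 0)
        close(fd);
    free(info);
    return rc;
}
#endif

int main(void)
{
    /* Constructed sample: a few bytes as they might come off a serial TRNG. */
    const uint8_t raw[] = { 0x66, 0x99, 0x0F, 0xF0, 0x66, 0x66, 0xA5, 0x5A };
    uint8_t clean[sizeof raw];
    size_t n = debias_von_neumann(raw, sizeof raw, clean, sizeof clean);
    printf("%zu raw bytes -> %zu de-biased bytes:", sizeof raw, n);
    for (size_t i = 0; i < n; i++)
        printf(" %02x", clean[i]);
    printf("\n");
#ifdef __linux__
    int credit = entropy_credit_bits(n, 4);   /* assumed rate: 4 bits per byte */
    if (n > 0 && feed_kernel_pool(clean, n, credit) == 0)
        printf("credited %d bits to the kernel pool\n", credit);
    else
        printf("not credited (needs root / CAP_SYS_ADMIN)\n");
#endif
    return 0;
}
```

The de-biaser is the part worth getting right: a source that is 60/40 biased still produces a uniform stream after pairing, whereas crediting raw biased bytes at 8 bits each overstates the pool's entropy, which is worse than not feeding it at all.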

25 of 167 comments

  1. Cool by Anonymous Coward · · Score: 5, Funny

    Can't wait to use it with my Lexar JumpDrive loaded with security software against hackers.

  2. Hardened Gentoo by Anonymous Coward · · Score: 5, Interesting

    Doesn't provide as many choices or the technological/security understanding of Hardened Gentoo
    (not to mention the very similar name)
    http://hardened.gentoo.org

    1. Re:Hardened Gentoo by Aardpig · · Score: 4, Insightful

      Doesn't provide as many choices or the technological/security understanding of Hardened Gentoo

      While I confess to being a hard-core Gentoo nut, isn't choice often the mother of all fuck ups? What's wrong with doing one thing and doing it right?

      --
      Tubal-Cain smokes the white owl.
    2. Re:Hardened Gentoo by gl4ss · · Score: 4, Insightful

      soo.. what you're telling me is that just by using gentoo you gain magical insight into understanding secure systems and how security is built from ground up?

      gentoo is nice and all, but it certainly doesn't make its users magically understand the underlying system. btw, just because you can copy and 'discuss' compiler flags on a forum doesn't make you an expert on building fast software or make you understand what kind of speed ups are even technically possible, and of all things it doesn't make you magically understand how software is executed at run time or how the operating system is built, so you could see that saying stuff like "my mozilla has no ps/2 support" doesn't really show you in a good light.

      one choice in reducing possible user fuckups is reducing easy user choices("do you want to have a theoretical speedup by disabling using shadow file y/n?").

      --
      world was created 5 seconds before this post as it is.
    3. Re:Hardened Gentoo by Stevyn · · Score: 4, Insightful

      Because people disagree about what is the right way of doing it. I share some frustration that the choice offered by using linux makes some things more complicated than on a windows machine. But in the end, it just generates more competition, which is what has been killing the software industry for the past few years. Actually the industry has been fine, it's the consumers who are getting shafted.

    4. Re:Hardened Gentoo by MadMethod · · Score: 4, Informative

      Ok, how about this: go to http://debianhardened.sourceforge.net/ and read all the documentation they have (hint, there isn't any), then go to http://hardened.gentoo.org and read all the docs we've put there and notice that, indeed, there is a difference and one would gain a higher understanding of security

    5. Re:Hardened Gentoo by savagedome · · Score: 4, Insightful

      isn't choice often the mother of all fuck ups

      I read this in one of the /. sigs: "Freedom of choice is what you have. Freedom from choice is what you want". I think it applies to the general populace and is relevant here.

    6. Re:Hardened Gentoo by sirsnork · · Score: 4, Insightful

      Or maybe, just maybe, the project is in ALPHA status and is very new and has only been active for 2 weeks, so no one has had a chance to write any documentation?

      --
      Normal people worry me!
  3. www.lids.org by hsidhu · · Score: 4, Interesting

    How is this going to be different than just installing Woody and applying the lids kernel patch to your particular kernel and locking the system down that way?

  4. why need a distro for that? by techefnet · · Score: 4, Insightful

    why would you need a distro for securing your machine? you should just secure your favorite distro yourself :)

  5. Debian could use that as a spam headline! by Anonymous Coward · · Score: 5, Funny

    Hard3n y0ur Debian/w0ody t0day!

  6. It's good for both, actually; by Progman3K · · Score: 5, Interesting

    Debian's team can implement it a certain way and whatever amazing thing they cook-up can be re-used by the Gentoo team!

    The goal is not a religious war, the goal is for you and I to get ahead.

    --
    I don't know the meaning of the word 'don't' - J
  7. Enhancements to the Linux Entropy Pool engine? by Anonymous Coward · · Score: 5, Interesting

    Has anyone ever, ever, ever compromised a computer or encrypted document by predicting the output of a random number generator?

    Would the time not be better spent looking for the next OpenSSH/SSL hole?

    I'm not trolling, most security flaws come from everyday apps rather than esoteric problems.

  8. New pickup line for geeks... by vettemph · · Score: 5, Funny

    Wanna mount my hardened woody?

    --
    The government which is strong enough to protect you from everything is strong enough to take everything from you.
    1. Re:New pickup line for geeks... by vettemph · · Score: 5, Funny

      ....Hardened Woody set for release!

      --
      The government which is strong enough to protect you from everything is strong enough to take everything from you.
  9. They'd need more drastic changes by bluefoxlucid · · Score: 5, Interesting

    I'm a Hardened Gentoo user; although, I only use a subset of all the hardened herd's efforts :) I actually do understand what I'm doing, though, and am trying to spread that understanding myself. I am in no way affiliated with [Hardened] Gentoo or Debian.

    At any rate, these people don't understand that they'll need more drastic changes. Why not bring attention to http://d-sbd.alioth.debian.org/ while you're at it? This is my project, just a demonstrational effort to bring these things to the attention of the Debian maintainers.

    The idea isn't to have a hardened "Enhancement," but rather to incorporate anything you can put in that won't hurt. For example, you can compile glibc, gnome, and bash with SSP/ProPolice, and nothing else will use ProPolice but those. Those programs also won't be hurt by ProPolice. We can extend this to, "Compile any program or library that won't break with it with SSP." The user will never notice; but it'll stop a range of attacks.

    My point is that you need to aim low. A hardened system like Hardened Gentoo or Adamantix will supply you with *everything* -- PaX, SSP, ET_DYN binaries, ridiculously complicated MAC systems, firewalling maybe, network sniffers, etc. A non-hardened distribution should look at each of these, determine which don't change the end user's experience (administrator included), and implement them. This is "Do what's easy" rather than "Do EVERYTHING we possibly can," but it's still better than just being lame in the area of security.
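
The SSP/ProPolice point in the comment above, as an added example that is not code from either distribution or from the compiler: ProPolice places a guard word between a function's local arrays and its saved return address, and checks it in the epilogue before returning. The block below reproduces that layout by hand inside a struct so the check can be exercised on constructed input without the real process abort. GUARD is a fixed demo constant (gcc uses a random per-process value), the saved return address is an assumed value, and the copy length is the only attacker-controlled input.

```c
/* Added example: hand-rolled stack guard in the style of ProPolice/SSP.
 * Not the compiler's own implementation. GUARD is a fixed demo value; the real
 * guard is chosen at random per process. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Low bytes 0x00, 0x0A, 0x0D make str*-style copies stop early if they reach it. */
#define GUARD 0x00FF0A0D2B5C7E91ULL

/* Frame as ProPolice lays it out: local arrays are moved next to the guard, so
 * an overflow has to cross the guard before it reaches the saved return address. */
typedef struct {
    char     buf[16];     /* local array an attacker can overflow */
    uint64_t guard;       /* canary written in the prologue */
    uint64_t saved_ret;   /* what a classic stack smash wants to overwrite */
} frame_t;

/* Epilogue check: 1 if the guard is intact, 0 if __stack_chk_fail would fire. */
int guard_intact(const frame_t *f)
{
    return f->guard == GUARD;
}

/* Unchecked copy of n bytes starting at buf, like the memcpy/strcpy bug in the
 * original program. Goes through a byte pointer into the whole frame so the
 * demo copy can legitimately run past buf into the guard and return slot. */
static void unchecked_copy(frame_t *f, const void *src, size_t n)
{
    memcpy((char *)f + offsetof(frame_t, buf), src, n);
}

/* Simulate a protected function: the prologue sets the guard, the body copies n
 * attacker-controlled bytes, the epilogue verifies the guard. Returns 1 if the
 * function would return normally, 0 if SSP would abort the process, -1 if n is
 * larger than the demo frame. */
int protected_call(const void *input, size_t n, uint64_t *ret_seen)
{
    frame_t f;
    if (n > sizeof f)
        return -1;                          /* outside the demo's frame */
    memset(f.buf, 0, sizeof f.buf);
    f.guard = GUARD;                        /* prologue */
    f.saved_ret = 0x401136;                 /* assumed return address */
    unchecked_copy(&f, input, n);           /* body */
    if (!guard_intact(&f))                  /* epilogue */
        return 0;
    if (ret_seen)
        *ret_seen = f.saved_ret;
    return 1;
}

int main(void)
{
    uint64_t ret = 0;
    /* Constructed inputs: a well-behaved 12-byte string and a 24-byte overflow. */
    const char normal[] = "hello world";
    const char smash[24] = "AAAAAAAAAAAAAAAAAAAAAAAA";
    printf("12-byte input: %s\n",
           protected_call(normal, sizeof normal, &ret) ? "returns normally" : "guard tripped");
    printf("24-byte input: %s\n",
           protected_call(smash, sizeof smash, &ret) ? "returns normally" : "guard tripped");
    return 0;
}
```

The 12-byte call passes the check and returns, which is the point the comment makes: a correct program never notices the guard, so SSP can go into any package that still builds with it. In a real build the same check is what gcc's -fstack-protector inserts; a 24-byte overflow would then overwrite the guard before the return address and the process would be killed in the epilogue instead of returning to an attacker-chosen address.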

  10. Re:Deban could use it by Wonko · · Score: 4, Informative

    Take for example the fact that I can remotely shutdown a debian machine over ssh with the "halt" command. A RedHat distro had that little feature blocked

    Why exactly is this a bad thing? Have you never had to shutdown or reboot a remote server? I know I've had to do both at least a few times... Although rebooting would be much more common, and it would probably be safer as well :p.

    On my Debian machines you seem to need to be root to do it. If someone I don't know is logged in over ssh as root on one of my boxes the last thing I am worried about is his ability to shut it down :p.

  11. Who are these people? by ConsumedByTV · · Score: 5, Informative

    First off, who are these guys?

    Debian already has a security project, a few of them actually.

    I looked at google for either of these guys' names and unless I am mistaken, this is what I got: developer one and developer two.

    Interesting, to anyone else, that they haven't ever used those names to contribute to, say, at least a single debian security mailing list, or, say, ANY debian lists?

    Even more interesting is that they don't seem to have much but a slashdot plug and they are accepting donations.

    I am not impressed. Working with the debian security team is the way to go.

    Steve Kemp is one of the main guys heading up the debian audit project, these guys should be working with him. Not for some other project.

    The official debian project for this is the debian audit project.

    Hell advertising that they use SSP enabled GCC! Steve makes those packages for use with debian already!

    --
    "Not my manner of thinking but the manner of thinking of others has been the source of my unhappiness." - M
  12. Re:Interesting....... by OmegaBlac · · Score: 5, Informative

    I still think the less you have the more secure it is.... as long as what you have isn't bloated.

    I agree.

    So if this thing is more than one iso image I'll be rather skeptical since debian tends to be a very large distro...

    You only need to download 1 Debian ISO to install it. There even is a minimal iso version for network installs. The default Debian install is the bare minimum. Hardly any, if any, services are running on a default Deb install. Yes Debian has the largest selection of packages, but no one is forcing anyone to download all the ISOs just to install Deb. Just install and apt-get away what you need!

  13. http://packages.debian.org/harden by Anonymous Coward · · Score: 4, Interesting

    debian packages: harden

    how is Hardened Debian going to be different from installing the harden* packages?

  14. Re:good trend by LittleLebowskiUrbanA · · Score: 4, Insightful

    I kind of get a kick out of all of the anti US gov't people on /. using something the NSA developed and gave back to the community.

  15. Re:good trend by drinkypoo · · Score: 4, Interesting

    If you look at the SElinux download page you can read the following tidbit:

    The Linux 2.6 kernel already includes the extended attribute (EA) support, the Linux Security Module (LSM) framework, and the SELinux module, but the changes to the SELinux module that have not yet been upstreamed can be obtained from here.

    In other words, SElinux comes with the kernel.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  16. Re:good trend by drinkypoo · · Score: 4, Insightful

    I prefer to discard only the bathwater. Baby can stay. I get a kick of the NSA giving back to the community that hates them...

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  17. as *if*! by Llewyn · · Score: 5, Funny
    i suppose 'Debian Hardened' is not referring to the installation process... yegods! it was hard enough already!


    but seriously... as a debian user, i fully condone harder, faster, and stronger debians.

  18. Re:Enhancements to the Linux Entropy Pool engi by Anonymous Coward · · Score: 4, Informative

    No, in that case they did not use any random data (or "salt" as cryptographers call it) in the encoding at all.

    The problem was not the quality of the random number generation.