Debian Hardened Aims For Security
larryg writes "Debian Hardened is a new project that wants to be an official Debian sub-project. It aims to provide a complete tree of hardened kernel and software packages for a standard Debian distribution, without changing to another like Adamantix, and making easy the hardening of any machine running Debian GNU/Linux. The hardened kernels use the grSecurity patch and some of the Adamantix kernel patches; also, its packages are compiled with the ProPolice/SSP gcc extension and some libraries to prevent and trace buffer overflow attacks. Also, and as a second project, we are working on some enhancements against the Linux Entropy Pool engine, using an external TRNG (True Random Numbers Generator) device which uses thermal noise and also the atomic decay from a Geiger counter, making true unpredictable random numbers."
Re:www.lids.org (Score:3, Informative)
Re:Hardened Gentoo (Score:4, Informative)
good trend (Score:3, Informative)
personally I'm really interested in the Security-Enhanced Linux [nsa.gov] that the NSA is working on. To have something that complete is really intriguing. Now if they don't have something like apt to keep it steady I dunno...but you have to admit it's got 'wow' factor written all over it!
Re:Debian could use it (Score:4, Informative)
Take for example the fact that I can remotely shut down a debian machine over ssh with the "halt" command. A RedHat distro had that little feature blocked
Why exactly is this a bad thing? Have you never had to shutdown or reboot a remote server? I know I've had to do both at least a few times... Although rebooting would be much more common, and it would probably be safer as well :p.
On my Debian machines you seem to need to be root to do it. If someone I don't know is logged in over ssh as root on one of my boxes the last thing I am worried about is his ability to shut it down :p.
Securing Debian Manual (Score:2, Informative)
Who are these people? (Score:5, Informative)
Debian already has a security project, a few of them actually.
I looked at google for either of these guys names and unless I am mistaken, this is what I got: developer one [google.com] and developer two [google.com].
Interesting to anyone else that they haven't ever used those names to contribute to, say, at least a single debian security mailing list, or to ANY debian lists?
Even more interesting is that they don't seem to have much but a slashdot plug and they are accepting donations.
I am not impressed. Working with the debian security team is the way to go.
Steve Kemp [steve.org.uk] is one of the main guys heading up the debian audit project, these guys should be working with him. Not for some other project.
The official debian project for this is the debian audit project [debian.org].
Hell advertising that they use SSP enabled GCC! Steve makes those packages for use with debian already!
TRNG (Score:4, Informative)
Re:Interesting....... (Score:5, Informative)
Re:Hardened Gentoo (Score:4, Informative)
Re:Enhancements against the Linux Entropy Pool engi (Score:4, Informative)
Re:Debian could use it (Score:4, Informative)
But I guess to each their own
Re:Enhancements against the Linux Entropy Pool engi (Score:4, Informative)
The problem was not the quality of the random number generation.
Re:Enhancements against the Linux Entropy Pool engi (Score:4, Informative)
Now consider this example - random number generators are anything but secure.
Re:http://packages.debian.org/harden (Score:3, Informative)
Not exactly correct.
It pulls in a documentation package called harden-doc which goes through all the actions a local admin should take to make the system secure. I think Javi is always putting good effort into updating it. The SGML source of this doc package is a part of the source tree, creating the dependency, if I remember correctly.
The same document is available as "Securing Debian Manual" [debian.org].
Cheers,
Osamu
Re:Who are these people? (Score:2, Informative)
Debian by default does not ship with an SSP enabled GCC.
I've made packages available [debian.org], and others have too - but by default the patch isn't applied to Debian's compiler.
Please see bugs 233208 [debian.org] and 213994 [debian.org] for details.
Re:Sarge... (Score:3, Informative)
Re:Who are these people? (Score:1, Informative)
Hi Martin,
On Tue, 14-09-2004 at 17:40, Martin Michlmayr wrote:
> * Lorenzo Hernandez Garcia-Hierro [2004-09-08 16:26]:
> > I want to know if I can use the trademark "Debian" on the name of a
> > project that I've started, "Debian Hardened", which I want to see as
> > an official Debian sub-project.
>
> I personally feel that this name has the same problems that "Trusted
> Debian" has - it suggests that "normal" Debian is not secure. In any
> case, I think you should post your question to debian-project rather
> than -legal since -project is more appropriate and might get more
> feedback.
A "normal" Debian is secure, depending on how the sysadmin works with
the packages and how he configures them.
But, if you have, for example, ProPolice/SSP compiled packages, there
wouldn't be anyway to exploit a buffer overflow condition in the
package.
That's the same with kernel packages...you can choose a better secure
kernel or a simple one, the difference is just what you want to choose:
secure or not secure as the other...
Security stays OK until somebody breaks it, and you can't predict when
it will happen (and also you can't predict how it will happen!).
I want to see Debian Hardened as an official Debian subproject, it's not
a "better, more secure" un-official version of Debian, it's just a
hardened tree of official Debian packages for official Debian versions!
(Also I'm working with a friend to make some enhancements for the Linux
entropy pool engine, using an external TRNG device).
Cheers,
--
Lorenzo Hernandez Garcia-Hierro
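The ProPolice/SSP guard discussed in the thread, as an added example that is not part of the original page or of the Debian Hardened project: a C model of a stack frame with the guard word laid between the local buffer and the saved return address, where an overflow long enough to reach the guard is caught by the epilogue check and a copy that stays inside the buffer passes. The frame layout, the guard value and the return-address marker are constructed placeholders (the real guard is random per process and the real check is emitted by the compiler); note that the check only catches writes that run over the guard on their way to the return address, so it says nothing about heap overflows or writes that stop short of it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed frame layout mimicking what ProPolice/SSP arranges on the stack:
 * [ local char buffer ][ guard word ][ saved return address ]. The guard value is a
 * fixed placeholder; the real guard is random and differs per process. */
#define BUF_SIZE   16u
#define GUARD      0x0A00FF5Au
#define RET_MARK   0xDEADBEEFu                  /* placeholder for the saved return address */
#define FRAME_SIZE (BUF_SIZE + 2u * sizeof(uint32_t))

/* Emulates an unchecked copy of `len` bytes into the 16-byte buffer, then the SSP epilogue
 * check. Returns 1 when the guard is intact (normal return) and 0 when it was overwritten
 * (SSP would call __stack_chk_fail and abort instead of returning through a clobbered
 * address). *ret_out receives whatever ended up in the saved-return slot. */
int copy_with_guard(const unsigned char *input, size_t len, uint32_t *ret_out)
{
    unsigned char frame[FRAME_SIZE];
    uint32_t guard = GUARD, ret = RET_MARK;
    memcpy(frame + BUF_SIZE, &guard, sizeof guard);            /* prologue: plant the guard */
    memcpy(frame + BUF_SIZE + sizeof guard, &ret, sizeof ret);
    if (len > FRAME_SIZE)
        len = FRAME_SIZE;              /* keep the emulated overflow inside the frame array */
    memcpy(frame, input, len);         /* the bug: caller-chosen length, fixed-size buffer */
    memcpy(&guard, frame + BUF_SIZE, sizeof guard);            /* epilogue: re-read and check */
    memcpy(&ret, frame + BUF_SIZE + sizeof guard, sizeof ret);
    if (ret_out)
        *ret_out = ret;
    return guard == GUARD;
}

/* Feeds `len` bytes of 'A' through the copy and reports the verdict and return slot. */
int overflow_by(size_t len, uint32_t *ret_out)
{
    unsigned char in[FRAME_SIZE];
    memset(in, 'A', sizeof in);
    return copy_with_guard(in, len, ret_out);
}

int main(void)
{
    uint32_t ret;
    int ok = overflow_by(16, &ret);
    printf("16 bytes: guard %s, return slot 0x%08x\n", ok ? "intact" : "smashed", ret);
    ok = overflow_by(24, &ret);
    printf("24 bytes: guard %s, return slot 0x%08x\n", ok ? "intact" : "smashed", ret);
    return 0;
}
```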
Re:Enhancements against the Linux Entropy Pool engi (Score:3, Informative)
Re:If you need a secure system... (Score:2, Informative)
I agree entirely with this. Before jumping on the bandwagon, read here [openbsd.org] for a synopsis of what a secure *nix operating system is about.
Re:Sarge... (Score:2, Informative)
Which is the default in Debian.