
Debian Hardened Aims For Security

timothy posted more than 10 years ago | from the it's-certainly-safe-from-me dept.

Topic: Security

larryg writes "Debian Hardened is a new project that wants to be an official Debian sub-project. It aims to provide a complete tree of hardened kernel and software packages for a standard Debian distribution, without switching to another distribution like Adamantix, and to make it easy to harden any machine running Debian GNU/Linux. The hardened kernels use the grSecurity patch and some of the Adamantix kernel patches; also, its packages are compiled with the ProPolice/SSP gcc extension and some libraries to prevent and trace buffer overflow attacks. Also, as a second project, we are working on some enhancements to the Linux entropy pool engine, using an external TRNG (True Random Number Generator) device which uses thermal noise and also the atomic decay from a Geiger counter, making truly unpredictable random numbers."


167 comments


A few GMail invites, you know what to do! (-1, Troll)

Anonymous Coward | more than 10 years ago | (#10251486)

Re:A few GMail invites, you know what to do! (-1, Offtopic)

NeoSkandranon (515696) | more than 10 years ago | (#10251505)

Yeah, fuck you, I started at the bottom ;p

Re:A few GMail invites, you know what to do! (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#10251517)

The link you followed to create a Gmail account has already been used to create an account for tory2k@gmail.com [mailto] . Now, its account creating powers are all gone. To create another Gmail account, you'll need a shiny new account creation link. We apologize for the inconvenience.

The link you followed to create a Gmail account has already been used to create an account for hugocastellanos@gmail.com. Now, its account creating powers are all gone. To create another Gmail account, you'll need a shiny new account creation link. We apologize for the inconvenience.

If you've already created a Gmail account, go to http://gmail.google.com to log in.

The link you followed to create a Gmail account has already been used to create an account for Kayger@gmail.com [mailto] . Now, its account creating powers are all gone. To create another Gmail account, you'll need a shiny new account creation link. We apologize for the inconvenience.

[goatse]

The link you followed to create a Gmail account has already been used to create an account for thomas.hathaway@gmail.com [mailto] . Now, its account creating powers are all gone. To create another Gmail account, you'll need a shiny new account creation link. We apologize for the inconvenience.

aasdfg ds (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#10251487)

first post!

frist? (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#10251489)

frost pist?

Debian meets OpenBSD, who hasn't dreamt of it ? (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#10251492)

Oh yeah...

Cool (5, Funny)

Anonymous Coward | more than 10 years ago | (#10251503)

Can't wait to use it with my Lexar JumpDrive loaded with security software against hackers.

Re:Cool (1)

nbert (785663) | more than 10 years ago | (#10251536)

Can't wait to use it with my Lexar JumpDrive loaded with security software against hackers.

Do these feature a Geiger counter?

Hardened Gentoo (5, Interesting)

Anonymous Coward | more than 10 years ago | (#10251504)

Doesn't provide as many choices or the technological/security understanding of Hardened Gentoo
(not to mention the very similar name)
http://hardened.gentoo.org

Re:Hardened Gentoo (4, Insightful)

Aardpig (622459) | more than 10 years ago | (#10251512)

Doesn't provide as many choices or the technological/security understanding of Hardened Gentoo

While I confess to being a hard-core Gentoo nut, isn't choice often the mother of all fuck ups? What's wrong with doing one thing and doing it right?

Re:Hardened Gentoo (4, Insightful)

Stevyn (691306) | more than 10 years ago | (#10251577)

Because people disagree on what is the right way of doing it. I share some frustration that the choice offered by using linux makes some things more complicated than on a windows machine. But in the end, it just generates more competition, which is what has been killing the software industry for the past few years. Actually the industry has been fine, it's the consumers who are getting shafted.

HOW? (1)

Progman3K (515744) | more than 10 years ago | (#10251723)

>Because people disagree what is the right way of doing it. [...] linux makes some things more complicated than on a windows machine.

That's what makes growth. And more people every day are choosing Linux over Windows. Face it, Windows is NO picnic either, especially when you consider the quality of Microsoft's software!

>[...] it just generate more competition, [...] it's the consumers who are getting shafted.

Consumers do not get shafted by having choice, that is illogical. Choice is to the consumer's advantage.

Re:HOW? (3, Insightful)

Stevyn (691306) | more than 10 years ago | (#10251866)

I think you misunderstood. I meant that users get shafted when there are just a few large companies competing, but it is better to have lots of smaller organizations writing FOSS. For most users, the advances in FOSS haven't affected them in the past few years. OSS projects like firefox and gaim are starting to become popular for the everyday folk and that's the advantage to the consumer I was referring to.

Re:Hardened Gentoo (4, Insightful)

savagedome (742194) | more than 10 years ago | (#10251611)

isn't choice often the mother of all fuck ups

I read this in one of the /. sigs: "Freedom of choice is what you have. Freedom from choice is what you want". I think it applies to the general populace and is relevant here.

Re:Hardened Gentoo (3, Informative)

drinkypoo (153816) | more than 10 years ago | (#10251797)

In case you were wondering, it's a Devo quote, from the song "Freedom of Choice". Are we not men? D E V O.

Re:Hardened Gentoo (1)

SWroclawski (95770) | more than 10 years ago | (#10252251)

Actually, "Are we not men? We are DEVO" is from the song Jocko Homo.

(ugg waiting for the trolls to pick up on that..)

Re:Hardened Gentoo (1)

drinkypoo (153816) | more than 10 years ago | (#10252367)

Believe it or not, I'm aware of that. I guess I should have put it on a separate line or something so it didn't look so much like I was trying to connect the lyrics.

Re:Hardened Gentoo (-1, Troll)

Anonymous Coward | more than 10 years ago | (#10251560)

Hey now you you you gentoo jerk!! Maybe someday you'll need help from debian and debian won't be there for you!!! You better think about that! There is NOTHING ON GODS GREEN EARTH as important as debian gnuz/linooks. Hampsterbrain!!

It's good for both, actually; (5, Interesting)

Progman3K (515744) | more than 10 years ago | (#10251587)

Debian's team can implement it a certain way and whatever amazing thing they cook-up can be re-used by the Gentoo team!

The goal is not a religious war, the goal is for you and I to get ahead.

Re:It's good for both, actually; (0)

Anonymous Coward | more than 10 years ago | (#10252296)

I thought it was we all run linux and would like to get some head.

Well, it's what I thought anyway...

Re:Hardened Gentoo (4, Insightful)

gl4ss (559668) | more than 10 years ago | (#10251570)

soo.. what you're telling me is that just by using gentoo you gain magical insight into understanding secure systems and how security is built from ground up?

gentoo is nice and all, but it certainly doesn't make its users magically understand the underlying system. btw, just because you can copy and 'discuss' compiler flags on a forum doesn't make you an expert on building fast software or make you understand what kind of speed-ups are even technically possible, and of all things it doesn't make you magically understand how software is executed at run time or how the operating system is built, so you could see that saying stuff like "my mozilla has no ps/2 support" doesn't really show you in a good light.

one choice in reducing possible user fuckups is reducing easy user choices("do you want to have a theoretical speedup by disabling using shadow file y/n?").

WOW, that's offtopic. (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#10251578)

Anything else you want to bring up that has nothing to do with the story, or the parent post?

Re:WOW, that's offtopic. (-1, Offtopic)

gl4ss (559668) | more than 10 years ago | (#10251842)

WOW, that's offtopic. (Score:-1, Offtopic)
by Anonymous Coward on Tuesday September 14, @08:20PM (#10251578)
Anything else you want to bring up that has nothing to do with the story, or the parent post?

yes, that I got excess karma and slashdot moderation system is broken(in principle)! and that you're an ac pussy!(karma bonus wooo)

Re:Hardened Gentoo (4, Informative)

MadMethod (703012) | more than 10 years ago | (#10251594)

OK, how about this: go to http://debianhardened.sourceforge.net/ and read all the documentation they have (hint, there isn't any), then go to http://hardened.gentoo.org and read all the docs we've put there and notice that, indeed, there is a difference and one would gain a higher understanding of security

Re:Hardened Gentoo (3, Funny)

big tex (15917) | more than 10 years ago | (#10251691)

OK, how about this: go to http://debianhardened.sourceforge.net/ and read all the documentation they have (hint, there isn't any),

OK, that's what we call 'security through obscurity'. See no evil, hear no evil, all that.

Re:Hardened Gentoo (4, Insightful)

sirsnork (530512) | more than 10 years ago | (#10251766)

Or maybe, just maybe, the project is at ALPHA status and is very new and has only been active for 2 weeks, so no one has had a chance to write any documentation?

Re:Hardened Gentoo (1)

OverlordQ (264228) | more than 10 years ago | (#10251783)

OK, how about this: go to Debian Hardened [sf.net] and read the status (hint, hint: 3 - Alpha). Now go to Gentoo [gentoo.org] and read the status and then notice that, indeed, there is a difference between alpha and stable code and therefore one would gain a higher understanding of code maturity.

Re:Hardened Gentoo (1)

gl4ss (559668) | more than 10 years ago | (#10251812)

how about this: it's a new project.

besides, documentation doesn't seem to make people understand the use flags and things like whether there's any difference between -O3 and -O666, so how will it help here? the people will read them? as if.

a pre-hardened system needs to be that, hardened. most of its use is by people who don't entirely know what they're doing (otherwise they could just harden up a distro of their choosing).

(disclaimer: gentoo is a great distro but it doesn't grant magical insight about the kernel or gcc to the users who have no real ambition to understand them, and neither will hardened gentoo provide magical insight to its users just because there are options and documentation available)

Re:Hardened Gentoo (1)

Trejkaz (615352) | more than 10 years ago | (#10252337)

Those same users probably don't give a wet toss about security anyway.

Re:Hardened Gentoo (2, Interesting)

mrchaotica (681592) | more than 10 years ago | (#10252401)

While I agree that Gentoo won't create deep insight and turn you into Stallman himself, the reason people claim this is that you have to have a certain amount of understanding just to install the damn thing.

You have to admit that reading the N-thousand-word Gentoo Handbook (heh, I remember when it was just the install guide) teaches you a bit more than the "next, next, next, done!" of Red Hat or Mandrake. I know I certainly didn't know what the hell was going on when I used Mandrake (let alone Corel Linux, my first distro -- Mandrake was my second, and Gentoo my third), but I really did learn a lot just between booting up with the liveCD and making my computer usable.

Re:Hardened Gentoo (1)

hsidhu (184286) | more than 10 years ago | (#10251609)

on a side note though, can someone please let me know how LIDS and the grsecurity patches differ from each other with regards to what they do?

Re:Hardened Gentoo (1)

OverlordQ (264228) | more than 10 years ago | (#10251803)

Re-read the first sentence of the summary. I'll emphasise the relevant text just in case you missed it the first time:

Debian Hardened is a new project that wants to be an official Debian sub-project.

It's been going a whopping 2 weeks. What the hell do you expect?

Second project (1)

merlin_jim (302773) | more than 10 years ago | (#10251506)

If it's a second project, where are the links to that? I don't feel like poring through your sourceforge site to find it... not that I have a ton of hope that it'll be in there.

sourceforge is designed so that authors of software can find resources easily. I've never been able to figure out their interface without getting a migraine, however...

Hardened Debian is meh to me. However, TRNG hacking is something I'd love to see! Where's the linkage at???

i use random generated numbers for my public keys. (-1, Offtopic)

peculiarmethod (301094) | more than 10 years ago | (#10251507)

2 49f2 3490fg ji3 09 34jif903 e334fjf093w jfg3903rh, ghnvn349) 29324r098)

j3r5g

ouch. burned my finger on the bic lighter while opening the smoke detector.

Why the fuss? (-1, Redundant)

iamatlas (597477) | more than 10 years ago | (#10251522)

Debian Hardened Aims For Security

Why so much worrying over AOL Instant Messaging Systems? I thought we were an open source crowd, Jabber and all that.

Re:Why the fuss? (-1, Redundant)

merlin_jim (302773) | more than 10 years ago | (#10251558)

Debian Hardened Aims For Security
Why so much worrying over AOL Instant Messaging Systems? I thought we were an open source crowd, Jabber and all that.


Oh dear lord, where is the (-1, Unfunny) moderation at?

Re:Why the fuss? (0, Redundant)

iamatlas (597477) | more than 10 years ago | (#10251575)

I know, cheap joke, if it can even be called "joke", but it was already modded redundant which I just don't understand. But, as you point out wishing for an unfunny mod, there are flaws in the system.....

Re:Why the fuss? (1)

merlin_jim (302773) | more than 10 years ago | (#10251603)

I would've used Overrated. 2 is too nice for that joke ;)

But redundant... come on, do you really believe that someone else has already made that joke? With maybe only 5 non-troll posts?

Re:Why the fuss? (1)

vettemph (540399) | more than 10 years ago | (#10252026)

Oh dear lord, where is the (-1, Unfunny) moderation at?

Is (-1, Unfunny) equal to (+1, Funny)???

PS- I would have modded you (+1,funny, wears crash helmet on short bus). ;)

www.lids.org (4, Interesting)

hsidhu (184286) | more than 10 years ago | (#10251526)

How is this going to be different than just installing Woody and applying the lids kernel patch to your particular kernel and locking the system down that way?

Re:www.lids.org (2, Informative)

Progman3K (515744) | more than 10 years ago | (#10251554)

I s'pose you'd put some code in there that would look for stack overwrites and such and such...

why need a distro for that? (5, Insightful)

techefnet (634210) | more than 10 years ago | (#10251530)

why would you need a distro for securing your machine? you should just secure your favorite distro yourself :)

Re:why need a distro for that? (2, Insightful)

OmegaBlac (752432) | more than 10 years ago | (#10251722)

why would you need a distro for securing your machine? you should just secure your favorite distro yourself :)
My first thought was laziness, but that's a lil harsh. I guess some people like certain things, in this instance security, to be automated for them. Some people also may have a difficult time trying to read documentation and understand the process of installing those security patches.

Re:why need a distro for that? (0)

Anonymous Coward | more than 10 years ago | (#10251829)

This isn't a new distro, it's hardening Debian.

Re:why need a distro for that? (2, Insightful)

CableModemSniper (556285) | more than 10 years ago | (#10252442)

Not everyone has time to be a security expert. And not everyone likes, for instance, the OpenBSD way of doing things (not that OpenBSD is the only secure OS). Maybe I like Debian. Maybe I worry about security but I don't have all this time to recompile everything with bounds-checking etc.

It's for the same reason we have distributions, period. Why doesn't everyone do LFS and assemble their own userland and tools?

Of course I did just notice your smiley, so I don't think you were completely serious ;)

What about Windows? (2, Funny)

bholub (738473) | more than 10 years ago | (#10251555)

Why not just get Windows XP; I mean, didn't you guys hear MS when they said they were focusing on security now???

Debian could use that as a spam headline! (5, Funny)

Anonymous Coward | more than 10 years ago | (#10251556)

Hard3n y0ur Debian/w0ody t0day!

wtf? Hey moderators.... (2, Funny)

Mad_Rain (674268) | more than 10 years ago | (#10251643)

Debian could use that as a spam headline!:
Hard3n y0ur Debian/w0ody t0day!


That was funny. C'mon, laugh.

Re:wtf? Hey moderators.... (1)

sm3ggy (790661) | more than 10 years ago | (#10251768)

Hilarious. Hah..hah.. hah :/

Interesting....... (3, Interesting)

AcidFnTonic (791034) | more than 10 years ago | (#10251582)

Being a slackware guy myself, I still would very much like to inspect this branch when released....

I still think the less you have the more secure it is.... as long as what you have isn't bloated. That's why in my opinion slackware is great on security.

So if this thing is more than one iso image I'll be rather skeptical since debian tends to be a very large distro...

Re:Interesting....... (5, Informative)

OmegaBlac (752432) | more than 10 years ago | (#10251774)

I still think the less you have the more secure it is.... as long as what you have isnt bloated.
I agree.
So if this thing is more than one iso image ill be rather skeptical since debian tends to be a very large distro...
You only need to download 1 Debian ISO to install it. There even is a minimal iso version for network installs. The default Debian install is the bare minimum. Hardly any services are running on a default Deb install. Yes Debian has the largest selection of packages, but no one is forcing anyone to download all the ISOs just to install Deb. Just install and apt-get away what you need!

Sarge... (0)

Anonymous Coward | more than 10 years ago | (#10251585)

is now getting the attention of the security team. What are the possibilities of getting this release with Sarge, instead of Woody (actually, in addition to Woody, not instead of)?

If this release becomes available for Sarge, and I can use KDE as a graphical front end while setting up the installation, I'd give it a shot, and if I found it usable, I'd donate to keep the project going.

I've had some trouble with the Debian installer, so I used Mepis to install Debian, and commented out all the unstable servers in the sources list, so it is slowly becoming a testing-only install. It's going to be a web/mail/dns server, so locking it down is what I'm trying to learn right now (ran apache for a couple of years on an rpm distro without problems).

If the distro covers Sarge, and I can use it with kde for setup, then I'll find it useful for myself (yeah, I know, not supposed to run X on a server, but I'm only going to use it for setting up and getting used to it, X will be removed from the system before it faces the internet, unless I can get the hang of a front end for iptables, and only leave port 80, the dns and mail ports open, then I might leave X installed).

Security-enhanced Debian sounds good to me!

This could be a good thing in the future (2, Insightful)

Anonymous Coward | more than 10 years ago | (#10251597)

IF it results in many of the security features that make Debian (and GNU/Linux in general) hard to use being moved over to a specially oriented project, and removed from the main one.

For example, if you are setting up a single user box to access the internet with a modem (something that GNU/Linux should shine at) you often run into problems related to pppd requiring all sorts of obnoxious nonsense to get it to run as a regular user.

Policies such as new accounts having their own group by default, and not being readable by all other accounts, make sense in the ISP, server, and in business settings in general. But a tipping point is being reached, to where soon most people setting up Debian are setting it up to use it at home, not to run a business or train themselves to get business related job skills. Things like pam have to go to where they belong, and not get in the way of the rest of us.

Enhacements against the Linux Entropy Pool engine? (5, Interesting)

Anonymous Coward | more than 10 years ago | (#10251618)

Has anyone ever,ever,ever compromised a computer or encrypted document by predicting the output of a random number generator?

Would the time not be better spent looking for the next OpenSSH/SSL hole?

I'm not trolling, most security flaws come from everyday apps rather than esoteric problems.

Re:Enhacements against the Linux Entropy Pool engi (3, Informative)

bomb_number_20 (168641) | more than 10 years ago | (#10251984)

Does this [com.com] count?

New pickup line for geeks... (5, Funny)

vettemph (540399) | more than 10 years ago | (#10251625)

Wanna mount my hardened woody?

Re:New pickup line for geeks... (5, Funny)

vettemph (540399) | more than 10 years ago | (#10251644)

....Hardened Woody set for release!

Re:New pickup line for geeks... (1)

mod_parent_down (692943) | more than 10 years ago | (#10251770)

Oh No, I found a bug!

And later with the Sarge!!! (0)

Anonymous Coward | more than 10 years ago | (#10251778)

Really really hardened Sarge!

Just in time for the new Stable release(...soon!) (1)

OmegaBlac (752432) | more than 10 years ago | (#10251871)

Can you help stable my Sarge and bring it to full attention?

Re:New pickup line for geeks... (0)

Anonymous Coward | more than 10 years ago | (#10251967)

If your Woody gets hacked would we say you've been Bobbited?

TRNG (1)

Rakishi (759894) | more than 10 years ago | (#10251638)

A professor of mine mentioned how they tried TRNG back in the day using vacuum tubes however due to the output not having a set distribution (fluctuations caused some numbers to come up more often than others and they couldn't predict which) it wasn't all that useful. I guess that in non-statistical applications this flaw isn't really that damaging, sounds interesting.

Question: Stability? (1)

Progman3K (515744) | more than 10 years ago | (#10251639)

Is a hardened version more or less stable?
I have no first-hand experience, so... Anyone?

Re:Question: Stability? (1, Funny)

OmegaBlac (752432) | more than 10 years ago | (#10251902)

Is a hardened version more or less stable? I have no first-hand experience, so... Anyone?
Download the Paris Hilton video, get some lotion, and find out for yourself. Oh wait...you were talking about Debian nevermind...


I swear some people just make it too easy ;)

Not that this is like Fark or anything, but (1)

Progman3K (515744) | more than 10 years ago | (#10251653)

how-come no one has made any sexual jokes with "hardened" ?

Re:Not that this is like Fark or anything, but (1)

OmegaBlac (752432) | more than 10 years ago | (#10251799)

how-come no one has made any sexual jokes with "hardened" ?
Could it be that they are actually RTFA?

Re:Not that this is like Fark or anything, but (1)

damiam (409504) | more than 10 years ago | (#10251964)

They have [slashdot.org] .

SE Linux (1)

datadriven (699893) | more than 10 years ago | (#10251659)

Is the grSecurity patch the same thing as SE Linux [nsa.gov] ?

Deban could use it (-1, Flamebait)

Neo-Rio-101 (700494) | more than 10 years ago | (#10251661)

I have to admit that Debian could be a little bit more secure. Compared to RedHat, Debian has a few areas which (while not totally bad) could be better.

Take for example the fact that I can remotely shutdown a Debian machine over ssh with the "halt" command. A RedHat distro had that little feature blocked.

Re:Deban could use it (4, Informative)

Wonko (15033) | more than 10 years ago | (#10251732)

Take for example the fact that I can remotely shutdown a debian machine over ssh with the "halt" command. A RedHat distro had that little feature blocked

Why exactly is this a bad thing? Have you never had to shutdown or reboot a remote server? I know I've had to do both at least a few times... Although rebooting would be much more common, and it would probably be safer as well :p.

On my Debian machines you seem to need to be root to do it. If someone I don't know is logged in over ssh as root on one of my boxes the last thing I am worried about is his ability to shut it down :p.

Re:Deban could use it (1)

chris_mahan (256577) | more than 10 years ago | (#10251773)

Ssh should be able to do anything you can do at the console.

If you are afraid ssh will be compromised, then don't use ssh.

Re:Deban could use it (3, Informative)

darkewolf (24563) | more than 10 years ago | (#10252024)

Being able to remotely shutdown or halt a machine is a godsend. The trick is to restrict SSH access-in from certain 'secure' IP addresses, and firewall the rest of them out. Secondly, I guess only allow root access from a non-root account (ie: no ssh'ing in as root).

But I guess to each their own :)

good trend (2, Informative)

Chuck Bucket (142633) | more than 10 years ago | (#10251670)

I liked this back when Gentoo did it, and I think this is a great trend; having a completely security minded Linux OS (since BSD has been there forever ;))

personally I'm really interested in the Security-Enhanced Linux [nsa.gov] that the NSA is working on. To have something that complete is really intriguing. Now if they don't have something like apt to keep it steady I dunno...but you have to admit it's got 'wow' factor written all over it!

BCDFY^&D&S^F

Re:good trend (4, Insightful)

LittleLebowskiUrbanA (619114) | more than 10 years ago | (#10251830)

I kind of get a kick out of all of the anti US gov't people on /. using something the NSA developed and gave back to the community.

Re:good trend (4, Insightful)

drinkypoo (153816) | more than 10 years ago | (#10251943)

I prefer to discard only the bathwater. Baby can stay. I get a kick of the NSA giving back to the community that hates them...

Re:good trend (4, Interesting)

drinkypoo (153816) | more than 10 years ago | (#10251835)

If you look at the SElinux download page [nsa.gov] you can read the following tidbit:

The Linux 2.6 kernel already includes the extended attribute (EA) support, the Linux Security Module (LSM) framework, and the SELinux module, but the changes to the SELinux module that have not yet been upstreamed can be obtained from here.

In other words, SElinux comes with the kernel.

They'd need more drastic changes (5, Interesting)

bluefoxlucid (723572) | more than 10 years ago | (#10251675)

I'm a Hardened Gentoo user; although, I only use a subset of all the hardened herd's efforts :) I actually do understand what I'm doing, though, and am trying to spread that understanding myself. I am in no way affiliated with [Hardened] Gentoo or Debian.

At any rate, these people don't understand that they'll need more drastic changes. Why not bring attention to http://d-sbd.alioth.debian.org/ while you're at it? This is my project, just a demonstrational effort to bring these things to the attention of the Debian maintainers.

The idea isn't to have a hardened "Enhancement," but rather to incorporate anything you can put in that won't hurt. For example, you can compile glibc, gnome, and bash with SSP/ProPolice, and nothing else will use ProPolice but those. Those programs also won't be hurt by ProPolice. We can extend this to, "Compile any program or library that won't break with it with SSP." The user will never notice; but it'll stop a range of attacks.

My point is that you need to aim low. A hardened system like Hardened Gentoo or Adamantix will supply you with *everything* -- PaX, SSP, ET_DYN binaries, ridiculously complicated MAC systems, firewalling maybe, network sniffers, etc. A non-hardened distribution should look at each of these, determine which don't change the end user's experience (administrator included), and implement them. This is "Do what's easy" rather than "Do EVERYTHING we possibly can," but it's still better than just being lame in the area of security.

Re:They'd need more drastic changes (1, Funny)

OmegaBlac (752432) | more than 10 years ago | (#10252050)

I'm a Hardened Gentoo user
Ah, first you Gentoo users are bragging about your compile times and speed of your distro now you all are bragging about your use of Viagra? So it was you that responds to those viagra email spam!

Adamantix? (0)

Anonymous Coward | more than 10 years ago | (#10251685)

Okay, deriving Linux from Linus + UNIX, I can see. Who knew Adam Ant [mac.com] would get into free OS hacking though?

Re:Adamantix? (0, Offtopic)

XanC (644172) | more than 10 years ago | (#10251725)

Adamantium [wikipedia.org]

I'll tell you one thing... (1)

Hypocritical Guy (674824) | more than 10 years ago | (#10251688)

my cock is sure getting hardened just thinking about it.

Securing Debian Manual (1)

CFrankBernard (605994) | more than 10 years ago | (#10251713)

http://www.linuxsecurity.com/docs/harden-doc/html/securing-debian-howto/ [linuxsecurity.com] Are Javier Fernández-Sanguino Peña and/or Alexander Reelsen involved in Debian Hardened?

Who are these people? (5, Informative)

ConsumedByTV (243497) | more than 10 years ago | (#10251753)

First off, who are these guys?

Debian already has a security project, a few of them actually.

I looked at google for either of these guys names and unless I am mistaken, this is what I got: developer one [google.com] and developer two [google.com] .

Interesting that they haven't ever used those names to contribute to, say, at least a single debian security mailing list, or, say, ANY debian lists?

Even more interesting is that they don't seem to have much but a slashdot plug and they are accepting donations.

I am not impressed. Working with the debian security team is the way to go.

Steve Kemp [steve.org.uk] is one of the main guys heading up the debian audit project, these guys should be working with him. Not for some other project.

The official debian project for this is the debian audit project [debian.org] .

Hell advertising that they use SSP enabled GCC! Steve makes those packages for use with debian already!

Re:Who are these people? (1)

bluefoxlucid (723572) | more than 10 years ago | (#10252345)

iceslab:/home/bluefox# grep -i guard /bin/cat
iceslab:/home/bluefox#

No guard symbol, cat was compiled without SSP.

bluefox@icebox ~ $ grep -i guard /bin/cat
Binary file /bin/cat matches

I compiled mine with -fstack-protector :) Debian makes SSP enabled GCC available, but it doesn't use it for its packages.
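The grep in the comment above is matching the old ProPolice names (`__guard`, `__stack_smash_handler`). With the stack protector that went into mainline GCC the failure path is a call to `__stack_chk_fail`, and on x86 glibc the canary lives in thread-local storage rather than behind a `__stack_chk_guard` symbol, so `grep -i guard` can report "no SSP" for a binary that actually has it. The Python below is an added example, not code from the Debian Hardened project or from this thread: it walks the .dynsym/.symtab sections of a little-endian ELF64 image and reports whether either failure handler is referenced. `build_sample_elf64` only constructs a synthetic, non-executable ELF image as sample input so the check can be exercised without a compiler; point the script at a real binary for the actual test.

```python
"""Look for stack-protector symbols in an ELF64 binary.
Added example; not code from Debian Hardened or from this thread."""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ELFDATA2LSB = 1
SHT_SYMTAB = 2
SHT_STRTAB = 3
SHT_DYNSYM = 11

# Old ProPolice emitted __stack_smash_handler / __guard; GCC's mainline
# -fstack-protector emits a call to __stack_chk_fail on a clobbered canary.
SSP_SYMBOLS = {"__stack_chk_fail", "__stack_smash_handler"}


def elf64_symbol_names(data):
    """Return the set of symbol names in every SYMTAB/DYNSYM section of a
    little-endian ELF64 image held in memory."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise ValueError("only little-endian ELF64 is handled here")
    e_shoff = struct.unpack_from("<Q", data, 0x28)[0]
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3A)
    # Elf64_Shdr: name, type, flags, addr, offset, size, link, info, addralign, entsize
    sections = [struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize)
                for i in range(e_shnum)]
    names = set()
    for sh in sections:
        sh_type, sh_offset, sh_size, sh_link, sh_entsize = sh[1], sh[4], sh[5], sh[6], sh[9]
        if sh_type not in (SHT_SYMTAB, SHT_DYNSYM) or sh_entsize == 0:
            continue
        # sh_link of a symbol table is the index of its string table
        str_off, str_size = sections[sh_link][4], sections[sh_link][5]
        strtab = data[str_off:str_off + str_size]
        for j in range(sh_size // sh_entsize):
            st_name = struct.unpack_from("<I", data, sh_offset + j * sh_entsize)[0]
            end = strtab.find(b"\0", st_name)
            name = strtab[st_name:end if end != -1 else len(strtab)]
            if name:
                names.add(name.decode("ascii", "replace"))
    return names


def has_stack_protector(data):
    """True if the image references a stack-protector failure handler."""
    return bool(SSP_SYMBOLS & elf64_symbol_names(data))


def build_sample_elf64(symbols):
    """Constructed sample input: a minimal, non-runnable ELF64 image whose
    only content is a .dynsym/.dynstr pair naming `symbols`."""
    strtab = b"\0" + b"".join(s.encode() + b"\0" for s in symbols)
    symtab = struct.pack("<IBBHQQ", 0, 0, 0, 0, 0, 0)  # mandatory null symbol
    pos = 1
    for s in symbols:  # Elf64_Sym: name, info, other, shndx, value, size
        symtab += struct.pack("<IBBHQQ", pos, 0x12, 0, 0, 0, 0)
        pos += len(s) + 1
    symtab_off = 64
    strtab_off = symtab_off + len(symtab)
    shoff = strtab_off + len(strtab)
    # e_ident, then type/machine/version/entry/phoff/shoff/flags/ehsize/
    # phentsize/phnum/shentsize/shnum/shstrndx
    ehdr = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\0" * 8
    ehdr += struct.pack("<HHIQQQIHHHHHH", 1, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 0)

    def shdr(typ, off, size, link, entsize):
        return struct.pack("<IIQQQQIIQQ", 0, typ, 0, 0, off, size, link, 0, 1, entsize)

    shdrs = (shdr(0, 0, 0, 0, 0)                                   # SHN_UNDEF
             + shdr(SHT_DYNSYM, symtab_off, len(symtab), 2, 24)   # links to strtab
             + shdr(SHT_STRTAB, strtab_off, len(strtab), 0, 0))
    return ehdr + symtab + strtab + shdrs


if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. python3 ssp_check.py /bin/cat
        with open(path, "rb") as f:
            verdict = "SSP" if has_stack_protector(f.read()) else "no SSP symbol"
        print(f"{path}: {verdict}")
```

Two caveats. Plain -fstack-protector only instruments functions that have local character arrays (at least ssp-buffer-size bytes, 8 by default), so a tiny program with no such function never references `__stack_chk_fail` even when built with SSP; -fstack-protector-all instruments every function. And a statically linked, stripped binary has no symbol table left to inspect, so the check can only say "no symbol", not "no protector".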

TRNG (3, Informative)

dmiller (581) | more than 10 years ago | (#10251758)

The crap about Geiger counters seems to indicate the author seems more interested in studly buzzwords than actually developing practical solutions. A soundcard with nothing plugged in is a perfectly acceptable source of entropy, the problem is just in accurately estimating the rate. Also, many chipsets and an increasing number of CPUs include hardware random number generators which can be used too.

Rate of what? (1)

Thinkit4 (745166) | more than 10 years ago | (#10251933)

Of random number generation? Sure some CPUs and chipsets have a thermal noise TRNG, but how much is still an ugly LCG seeded by the time?

Should be.. (0, Flamebait)

artlu (265391) | more than 10 years ago | (#10251767)

relatively easy. They can contain all the packages and kernel upgrades via apt/dpkg, thus, limiting the software as well as the upgradability of the machine. Similar to Microsoft....

gShares.net [gshares.net]

selinux? (3, Interesting)

starseeker (141897) | more than 10 years ago | (#10251810)

I'm curious as to why they chose the particular tools they did. I don't know too much about these issues, but from what I understand the NSA's selinux patches are a very robust and powerful set of tools. IIRC Redhat has been integrating it into their systems. It may be that this isn't the best choice, but I'd be curious if someone who knows them well could give us a rundown of why some solutions might be better/worse.

One issue with selinux I (think) I understand is that in order for applications to run properly you need to have predefined rules which allow them to do what they need to do (the nature of MAC is they can't do anything except what is explicitly allowed, as I understand it). This is possible for servers, which do only a few jobs repeatedly, but for a desktop machine with hundreds of potential applications to fire up and more being developed such a burden becomes huge. A normal user would end up turning off MAC in order to use the computer the way they want to, unless each application they want or may want to use already has a default ruleset present. I would be really happy to see this happen - various distributions collaborate on default rules for large numbers of applications, so end users could actually use systems that are seriously hardened. I know it's probably overkill, but given what casual Windows users on the network have done over the years (as well as unsecured Linux boxes and other OSes, for that matter) I think if some combination of projects could deliver a usable desktop machine with mandatory access control and any other features which might defend their box while letting it be useful would be a Very Good Thing. One thing is for sure - too little security does more harm to the internet community than having more protection than you need.

http://packages.debian.org/harden (4, Interesting)

Anonymous Coward | more than 10 years ago | (#10251813)

debian packages: harden [debian.org]

how is Hardened Debian going to be different from installing the harden* packages?

awesome ... good job (1)

hpavc (129350) | more than 10 years ago | (#10251851)

congratulations to these folks. even if most of the work they do is ripping open packages and setting up more secure settings.

such as providing a ... exim4.41+eximscan+clam+spamassassin ... out of the box

a openswan package that works directly from a dialog script.

not to mention a basic iptables front end like redhat has, where is the 'low, medium, high' trusted interface prompt upon install for debian?

harden what?? (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#10251878)

thought linux was secure already, or so the trolling zealots of slashdot seem to always say...

proves that linux must have some serious flaws and vulnerabilities if it needs to be hardened.....

Itch scratching, and audit (2, Interesting)

RedPhoenix (124662) | more than 10 years ago | (#10251879)

At the risk of the post sounding like a discussion at a head-lice convention, everyone has their own personal itch to scratch.

Several posts thus far, have questioned the viability of establishing yet another secure-debian project, similar to other existing projects, and have indicated that there would be a better use of available resources if everyone would just get along and work together (or at least, form under a single project). Fair enough.

However, there are a whole range of reasons why diversity and natural selection w.r.t many competing projects can provide benefits over and above a single large project - organisational inertia, effective and efficient communication, and development priority differences, for example.

'Organisational inertia' in particular, whereby the larger an organisation/project gets, the slower it can react to changing requirements, is a good reason why this effort-amalgamation can potentially be a bad thing.

Each of these projects probably has a slightly different 'itch' to 'scratch'. There's no reason why, later on down the track, that the best elements of each of these projects cannot be merged into something cohesive.

A good example is the current situation in Linux Auditing (as in C2/CAPP style auditing and event logging, not code verification) and host-based audit-related intrusion detection. Over time, we've had Snare (http://www.intersectalliance.com), SLES (http://www.suse.com), and Rik's Audit Daemon (http://www.redhat.com). Each project had a slightly different focus, and each development team has come up with some great solutions to the problems of auditing / event logging.

The developers of each of these projects are now communicating and collaborating, with a view to bringing an effective audit subsystem to Linux that incorporates the best ideas from each approach.

BTW: How about auditing in this project? Here's a starting point:
http://www.gweep.net/~malk/snare_debian.shtml

Red. (Snare Developer)

True random numbers are impossible! (0)

Anonymous Coward | more than 10 years ago | (#10251903)

If chaos theory tells us anything it's that true random numbers are impossible. Everything is determined by something.

random + random = ? (0)

Anonymous Coward | more than 10 years ago | (#10251924)

thermal noise and also the atomic decay from a Geiger counter
If you're using one, why bother using the other?
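Two estimators for the point dmiller raises above about estimating a source's entropy rate, plus the byte-wise mixing that the "random + random" question asks about: combining an independent second source costs nothing and protects against one of them failing. Added example, not from any poster; the sample sources are constructed byte strings, not real soundcard or Geiger output.

```python
from collections import Counter
from math import log2


def shannon_entropy_per_byte(samples: bytes) -> float:
    """Average information per byte in bits (0.0 to 8.0)."""
    n = len(samples)
    return -sum((c / n) * log2(c / n) for c in Counter(samples).values())


def min_entropy_per_byte(samples: bytes) -> float:
    """Guessing entropy: -log2 of the most frequent byte's probability.

    This is the conservative figure a pool should credit: an attacker who
    always guesses the most likely value is right that often.
    """
    n = len(samples)
    return -log2(max(Counter(samples).values()) / n)


def entropy_credit_bits(samples: bytes) -> int:
    """Bits of entropy to credit to the pool for this block of samples."""
    return int(min_entropy_per_byte(samples) * len(samples))


def xor_combine(a: bytes, b: bytes) -> bytes:
    """Mix two independent sources byte-wise; the result is at least as
    unpredictable as the better of the two, so a dead source cannot hurt."""
    return bytes(x ^ y for x, y in zip(a, b))


# Constructed stand-ins for raw source output (not real measurements):
UNIFORM = bytes(range(256)) * 4                        # ideal 8-bit source
STUCK = b"\x00" * 1024                                 # muted input: silence only
CLIPPED = b"\x00" * 512 + bytes(range(128, 256)) * 4   # half the samples pinned at 0

if __name__ == "__main__":
    for name, src in (("uniform", UNIFORM), ("stuck", STUCK), ("clipped", CLIPPED)):
        print(f"{name:8s} shannon={shannon_entropy_per_byte(src):.2f} "
              f"min={min_entropy_per_byte(src):.2f} credit={entropy_credit_bits(src)} bits")
    # mixing the stuck source with an independent good one restores full strength
    print("stuck^uniform min =", min_entropy_per_byte(xor_combine(STUCK, UNIFORM)))
```

The clipped source shows why the two estimates differ: Shannon entropy says 4.5 bits per byte, while the guessing attacker's view is only 1 bit per byte.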

what's wrong with /dev/urandom (3, Insightful)

mo (2873) | more than 10 years ago | (#10251977)

Does anyone have evidence where a system was cracked due to the lack of entropy from things like interrupt timing?

I would think that there exists a limited number of people in the world who could exploit a Diffie-Hellman exchange between systems using the usual sources of randomness on an x86 machine.

Heh... (2, Funny)

Anonymous Coward | more than 10 years ago | (#10251979)

I can imagine the newest spams: get your Woody hardened now...

as *if*! (5, Funny)

Llewyn (17984) | more than 10 years ago | (#10252076)

i suppose 'Debian Hardened' is not referring to the installation process... yegods! it was hard enough already!


but seriously... as a debian user, i fully condone harder, faster, and stronger debians.

Penis Linux (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#10252112)

I'm working on a distro called PenisLinux. My mascot is Tux with a 10" schlong.

Later on I think I'll do a Hardened Penis Linux.