Debian Bug report logs - #81118
High security base system (or separate add-on package)

Package: general; Maintainer for general is debian-devel@lists.debian.org;

Reported by: era eriksson <era@iki.fi>

Date: Wed, 3 Jan 2001 08:18:02 UTC

Severity: wishlist

Done: Holger Levsen <holger@layer-acht.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Enrique Zanardi <sr1-boot-floppies@debian.org>:
Bug#81118; Package base. Full text and rfc822 format available.

Acknowledgement sent to era eriksson <era@iki.fi>:
New Bug report received and forwarded. Copy sent to Enrique Zanardi <sr1-boot-floppies@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: era eriksson <era@iki.fi>
To: submit@bugs.debian.org
Subject: base: Wishlist: High security base system (or separate add-on package)
Date: Wed, 3 Jan 2001 10:15:43 +0200
Package: base
Version: 20010103
Severity: wishlist

The stock base system comes with various "traditional security holes"
enabled. It would be nice (and probably very constructive) to have a
brief and simple procedure for how to reconfigure the system so as to
run a reasonably tight ship.

Off the top of my head, I can think of the following:

  * Disable telnet; go with ssh instead (but then which ssh?)

  * Recommend disabling any non-critical network services entirely

  * chroot and otherwise patch up everything that can't be turned off

  * Recommend replacing Sendmail with Postfix (or whatever)?

  * Recommend replacing regular ftp server with something more robust

I was thinking of maybe collecting this in a "security" package but
I'm not confident in my abilities to create such a package (I'm a dpkg
novice) and anyway, I'm not sure if that is the right approach.

(Yes, I'm considering an upgrade to 2.2r2)

-- System Information
Debian Release: 2.0
Kernel Version: Linux away 2.0.34 #1 Sun Feb 28 21:48:09 EET 1999 i586 unknown




Information forwarded to debian-bugs-dist@lists.debian.org, Enrique Zanardi <sr1-boot-floppies@debian.org>:
Bug#81118; Package base. Full text and rfc822 format available.

Acknowledgement sent to Michael Bramer <grisu@debian.org>:
Extra info received and forwarded to list. Copy sent to Enrique Zanardi <sr1-boot-floppies@debian.org>. Full text and rfc822 format available.

Message #10 received at 81118@bugs.debian.org (full text, mbox):

From: Michael Bramer <grisu@debian.org>
To: era eriksson <era@iki.fi>, 81118@bugs.debian.org
Subject: Re: Bug#81118: base: Wishlist: High security base system (or separate add-on package)
Date: Wed, 3 Jan 2001 10:58:37 +0100
[Message part 1 (text/plain, inline)]
On Wed, Jan 03, 2001 at 10:15:43AM +0200, era eriksson wrote:
> Package: base
> Version: 20010103
> Severity: wishlist
> 
> The stock base system comes with various "traditional security holes"
> enabled. It would be nice (and probably very constructive) to have a
> brief and simple procedure for how to reconfigure the system so as to
> run a reasonably tight ship.
> 
> Off the top of my head, I can think of the following:
> 
>   * Disable telnet; go with ssh instead (but then which ssh?)

apt-get remove telnetd
 
>   * Recommend disabling any non-critical network services entirely

apt-get remove NETWORK_PACKAGE 
(rwhod, rsh-server, ...)
If you don't know the package name, use: 
	dpkg -S /usr/sbin/server
 
>   * chroot and otherwise patch up everything that can't be turned off

I can deinstall all network packages without problems
 
>   * Recommend replacing Sendmail with Postfix (or whatever)?

IMHO sendmail is not the default mail server. It is exim. But only
write:
	apt-get install postfix
and you have postfix on your system...

>   * Recommend replacing regular ftp server with something more robust

type
	apt-get install MORE-ROBUST-FTP-SERVER
and you get it..


apt-get is a nice package tool, use it. :-)

Gruss
Grisu
-- 
Michael Bramer  -  a Debian Linux Developer http://www.debian.org
PGP: finger grisu@db.debian.org  -- Linux Sysadmin   -- Use Debian Linux
"Verwende Perl. Shell will man koennen, dann aber nicht verwenden."
                                Kristian Koehntopp, de.comp.os.unix.misc
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Enrique Zanardi <sr1-boot-floppies@debian.org>:
Bug#81118; Package base. Full text and rfc822 format available.

Acknowledgement sent to era eriksson <iki.fi@lingsoft.fi>:
Extra info received and forwarded to list. Copy sent to Enrique Zanardi <sr1-boot-floppies@debian.org>. Full text and rfc822 format available.

Message #15 received at 81118@bugs.debian.org (full text, mbox):

From: era eriksson <iki.fi@lingsoft.fi>
To: Michael Bramer <grisu@debian.org>
Cc: 81118@bugs.debian.org
Subject: Re: Bug#81118: base: Wishlist: High security base system (or separate add-on package)
Date: Wed, 3 Jan 2001 16:34:34 +0200 (EET)
On Wed, 3 Jan 2001 10:58:37 +0100, Michael Bramer <grisu@debian.org>
wrote:
 > On Wed, Jan 03, 2001 at 10:15:43AM +0200, era eriksson wrote:
 >> The stock base system comes with various "traditional security holes"
 >> enabled. It would be nice (and probably very constructive) to have a
 >> brief and simple procedure for how to reconfigure the system so as to
 >> run a reasonably tight ship.
 > apt-get remove telnetd
 > apt-get remove NETWORK_PACKAGE 
 > I can deinstall all network packages without problems
 > 	apt-get install postfix
 > 	apt-get install MORE-ROBUST-FTP-SERVER
 > apt-get is a nice package tool, use it. :-)

I'm not saying I can't figure out how to fix these problems; I'm
saying it would be nice if somebody would create a documented and
standard process for doing this, and preferably ship it as an option
with the base system.

Personally, I'm only vaguely security-conscious, so my first problem
is to figure out what more I need to do in order to have a system
which is not trivial to break into. I feel that this information
should be collected and maintained in a place and form where it's
extremely easy to find and use.

I think I like the idea of using one of the available runlevels for
this. Create another runlevel which doesn't start up anything except
the bare essential services for running and administering a "dumb"
server, and update the installation instructions to recommend that you
use this as the base system if you plan to connect your machine to the
Internet.

Hope this can help clarify what I meant,

/* era */

-- 
.signature missing -- creating one on the fly. <http://www.iki.fi/era/>




Information forwarded to debian-bugs-dist@lists.debian.org, Enrique Zanardi <sr1-boot-floppies@debian.org>:
Bug#81118; Package base. Full text and rfc822 format available.

Acknowledgement sent to Christian Kurz <shorty@debian.org>:
Extra info received and forwarded to list. Copy sent to Enrique Zanardi <sr1-boot-floppies@debian.org>. Full text and rfc822 format available.

Message #20 received at 81118@bugs.debian.org (full text, mbox):

From: Christian Kurz <shorty@debian.org>
To: Michael Bramer <grisu@debian.org>, 81118@bugs.debian.org
Subject: Re: Bug#81118: base: Wishlist: High security base system (or separate add-on package)
Date: Wed, 3 Jan 2001 19:50:58 +0100
[Message part 1 (text/plain, inline)]
On 01-01-03 Michael Bramer wrote:
> On Wed, Jan 03, 2001 at 10:15:43AM +0200, era eriksson wrote:
> > The stock base system comes with various "traditional security holes"
> > enabled. It would be nice (and probably very constructive) to have a
> > brief and simple procedure for how to reconfigure the system so as to
> > run a reasonably tight ship.
> > 
> > Off the top of my head, I can think of the following:
> > 
> >   * Disable telnet; go with ssh instead (but then which ssh?)

> apt-get remove telnetd

Well, why do we have telnet enabled after installation? This is a bit
security hole and I think this service should be disabled and only be
enabled by the admin.

> >   * Recommend disabling any non-critical network services entirely

> apt-get remove NETWORK_PACKAGE 
> (rwhod, rsh-server, ...)
> If you don't know the package name, use: 
> 	dpkg -S /usr/sbin/server

Hm, there are services in /etc/inetd.conf that are not belonging to any
package like daytime, echo and this should be disabled by default.
  
> >   * chroot and otherwise patch up everything that can't be turned off

> I can deinstall all network packages without problems

Well, deinstalling a software or chrooting is a big difference.

> >   * Recommend replacing Sendmail with Postfix (or whatever)?

> IMHO sendmail is not the default mail server. It is exim. But only
> write:
> 	apt-get install postfix
> and you have postfix on your system...

But exim is already a better MTA choice then sendmail.

> >   * Recommend replacing regular ftp server with something more robust

> type
> 	apt-get install MORE-ROBUST-FTP-SERVER
> and you get it..

Agreed.

> apt-get is a nice package tool, use it. :-)

Well, but there are things that you can't solve with apt-get and not
everything should be solved by the usage of apt-get.

Ciao
     Christian
-- 
          Debian Developer and Quality Assurance Team Member
    1024/26CC7853 31E6 A8CA 68FC 284F 7D16  63EC A9E6 67FF 26CC 7853
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Enrique Zanardi <sr1-boot-floppies@debian.org>:
Bug#81118; Package base. Full text and rfc822 format available.

Acknowledgement sent to Ethan Benson <erbenson@alaska.net>:
Extra info received and forwarded to list. Copy sent to Enrique Zanardi <sr1-boot-floppies@debian.org>. Full text and rfc822 format available.

Message #25 received at 81118@bugs.debian.org (full text, mbox):

From: Ethan Benson <erbenson@alaska.net>
To: Christian Kurz <shorty@debian.org>, 81118@bugs.debian.org
Subject: Re: Bug#81118: base: Wishlist: High security base system (or separate add-on package)
Date: Thu, 4 Jan 2001 00:33:16 -0900
[Message part 1 (text/plain, inline)]
On Wed, Jan 03, 2001 at 07:50:58PM +0100, Christian Kurz wrote:
> 
> > apt-get remove telnetd
> 
> Well, why do we have telnet enabled after installation? This is a bit
> security hole and I think this service should be disabled and only be
> enabled by the admin.

because telnetd is priority standard, and with dselect (and tasksel in
woody i think) all priority standard packages are installed by
default. (well selected by default in your first dselect session, so
if you do nothing more then run the select step in dselect and then
install you get priority: standard).

$ apt-cache show telnetd
Package: telnetd
Priority: standard
Section: net

nfsd and nfs-common are also standard, but nfs-kernel-server's
initscript won't start the daemons if /etc/exports contains no
exports.  nfs-common and portmap are started by default though.  (and
statd had a nice root hole recently) 

> Hm, there are services in /etc/inetd.conf that are not belonging to any
> package like daytime, echo and this should be disabled by default.

agreed these should be off by default. what are these used for that
makes it necessary for the majority of systems to have them enabled?  

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Enrique Zanardi <sr1-boot-floppies@debian.org>:
Bug#81118; Package base. Full text and rfc822 format available.

Acknowledgement sent to Christian Kurz <shorty@debian.org>:
Extra info received and forwarded to list. Copy sent to Enrique Zanardi <sr1-boot-floppies@debian.org>. Full text and rfc822 format available.

Message #30 received at 81118@bugs.debian.org (full text, mbox):

From: Christian Kurz <shorty@debian.org>
To: Ethan Benson <erbenson@alaska.net>
Cc: 81118@bugs.debian.org
Subject: Re: Bug#81118: base: Wishlist: High security base system (or separate add-on package)
Date: Thu, 4 Jan 2001 10:40:46 +0100
On 01-01-04 Ethan Benson wrote:
> On Wed, Jan 03, 2001 at 07:50:58PM +0100, Christian Kurz wrote:
> > > apt-get remove telnetd
> > 
> > Well, why do we have telnet enabled after installation? This is a bit
> > security hole and I think this service should be disabled and only be
> > enabled by the admin.

> because telnetd is priority standard, and with dselect (and tasksel in
> woody i think) all priority standard packages are installed by
> default. (well selected by default in your first dselect session, so
> if you do nothing more then run the select step in dselect and then
> install you get priority: standard).

> $ apt-cache show telnetd
> Package: telnetd
> Priority: standard
> Section: net

Hm, what about changing the postinst of telnetd so, that I ask the admin
who installs debian or the package, if he really wants to activate
telnetd or not? 

> nfsd and nfs-common are also standard, but nfs-kernel-server's
> initscript won't start the daemons if /etc/exports contains no

So that means that this security risk is not by default opened.

> exports.  nfs-common and portmap are started by default though.  (and
> statd had a nice root hole recently) 

And I think we don't need a running portmap as default for all installed
system. I think we should also modify this postinst-script to ask the
user if he really needs a running portmap or not and have it per default
turn portmap off.

> > Hm, there are services in /etc/inetd.conf that are not belonging to any
> > package like daytime, echo and this should be disabled by default.

> agreed these should be off by default. what are these used for that
> makes it necessary for the majority of systems to have them enabled?  

I don't know any software that relies on this internal services of
inetd. I think they should be turned off by default, so that if someone
still needs one of this services has to explicitly turn them on.

Ciao
     Christian
-- 
          Debian Developer and Quality Assurance Team Member
    1024/26CC7853 31E6 A8CA 68FC 284F 7D16  63EC A9E6 67FF 26CC 7853



Information forwarded to debian-bugs-dist@lists.debian.org, Enrique Zanardi <sr1-boot-floppies@debian.org>:
Bug#81118; Package base. Full text and rfc822 format available.

Acknowledgement sent to Ethan Benson <erbenson@alaska.net>:
Extra info received and forwarded to list. Copy sent to Enrique Zanardi <sr1-boot-floppies@debian.org>. Full text and rfc822 format available.

Message #35 received at 81118@bugs.debian.org (full text, mbox):

From: Ethan Benson <erbenson@alaska.net>
To: Christian Kurz <shorty@debian.org>, 81118@bugs.debian.org
Subject: Re: Bug#81118: base: Wishlist: High security base system (or separate add-on package)
Date: Thu, 4 Jan 2001 01:02:27 -0900
[Message part 1 (text/plain, inline)]
On Thu, Jan 04, 2001 at 10:40:46AM +0100, Christian Kurz wrote:
> 
> Hm, what about changing the postinst of telnetd so, that I ask the admin
> who installs debian or the package, if he really wants to activate
> telnetd or not? 

either that or downgrade telnetd to another priority.

> > nfsd and nfs-common are also standard, but nfs-kernel-server's
> > initscript won't start the daemons if /etc/exports contains no
> 
> So that means that this security risk is not by default opened.

correct for nfsd, not for rpc.statd though.

> > exports.  nfs-common and portmap are started by default though.  (and
> > statd had a nice root hole recently) 
> 
> And I think we don't need a running portmap as default for all installed
> system. I think we should also modify this postinst-script to ask the
> user if he really needs a running portmap or not and have it per default
> turn portmap off.

well in unstable portmap is now a seperate package so possibly its
priority could be lowered so the admin would have to install it.  (or
it would be installed when a service requiring portmap is installed
since they must depend on it)  this would require downgrading the
priority on nfs-common (and thus nfsd) along with any other standard
package requiring portmap.  i don't know what the politics of that
would be.  (more then likely a big flamewar where all propronants are
called incompetant morons)

> I don't know any software that relies on this internal services of
> inetd. I think they should be turned off by default, so that if someone
> still needs one of this services has to explicitly turn them on.

fwiw i agree.  

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Enrique Zanardi <sr1-boot-floppies@debian.org>:
Bug#81118; Package base. Full text and rfc822 format available.

Acknowledgement sent to Christian Kurz <shorty@debian.org>:
Extra info received and forwarded to list. Copy sent to Enrique Zanardi <sr1-boot-floppies@debian.org>. Full text and rfc822 format available.

Message #40 received at 81118@bugs.debian.org (full text, mbox):

From: Christian Kurz <shorty@debian.org>
To: Ethan Benson <erbenson@alaska.net>
Cc: 81118@bugs.debian.org
Subject: Re: Bug#81118: base: Wishlist: High security base system (or separate add-on package)
Date: Thu, 4 Jan 2001 11:37:08 +0100
On 01-01-04 Ethan Benson wrote:
> On Thu, Jan 04, 2001 at 10:40:46AM +0100, Christian Kurz wrote:
> > Hm, what about changing the postinst of telnetd so, that I ask the admin
> > who installs debian or the package, if he really wants to activate
> > telnetd or not? 

> either that or downgrade telnetd to another priority.

Well, I'm not sure if downgrading would be a good idea, but changing the
postinst-script should be easier to do as this would part of it would be
very generic and could be used in other scripts via cut&paste too.

> > > nfsd and nfs-common are also standard, but nfs-kernel-server's
> > > initscript won't start the daemons if /etc/exports contains no
> > 
> > So that means that this security risk is not by default opened.

> correct for nfsd, not for rpc.statd though.

So rpc.statd still get's started even if it's not used?

> > > exports.  nfs-common and portmap are started by default though.  (and
> > > statd had a nice root hole recently) 
> > 
> > And I think we don't need a running portmap as default for all installed
> > system. I think we should also modify this postinst-script to ask the
> > user if he really needs a running portmap or not and have it per default
> > turn portmap off.

> well in unstable portmap is now a seperate package so possibly its
> priority could be lowered so the admin would have to install it.  (or
> it would be installed when a service requiring portmap is installed
> since they must depend on it)  this would require downgrading the
> priority on nfs-common (and thus nfsd) along with any other standard
> package requiring portmap.  i don't know what the politics of that

Hm, why must it be downgraded? Is the priority to high currently to
remove it from the standard-installation? 

> would be.  (more then likely a big flamewar where all propronants are
> called incompetant morons)

Well, I'm not sure if this will really be a flamewar, since the security
holes in portmap and nfs have been obvious and visible for everyone, so
to increase our security and make debian also the choice for
security-aware people. I think this approach would fit to debian's image
fine.

Ciao
     Christian
-- 
          Debian Developer and Quality Assurance Team Member
    1024/26CC7853 31E6 A8CA 68FC 284F 7D16  63EC A9E6 67FF 26CC 7853



Information forwarded to debian-bugs-dist@lists.debian.org, Enrique Zanardi <sr1-boot-floppies@debian.org>:
Bug#81118; Package base. Full text and rfc822 format available.

Acknowledgement sent to Ethan Benson <erbenson@alaska.net>:
Extra info received and forwarded to list. Copy sent to Enrique Zanardi <sr1-boot-floppies@debian.org>. Full text and rfc822 format available.

Message #45 received at 81118@bugs.debian.org (full text, mbox):

From: Ethan Benson <erbenson@alaska.net>
To: Christian Kurz <shorty@debian.org>
Cc: 81118@bugs.debian.org
Subject: Re: Bug#81118: base: Wishlist: High security base system (or separate add-on package)
Date: Thu, 4 Jan 2001 02:35:56 -0900
[Message part 1 (text/plain, inline)]
On Thu, Jan 04, 2001 at 11:37:08AM +0100, Christian Kurz wrote:
> 
> Well, I'm not sure if downgrading would be a good idea, but changing the
> postinst-script should be easier to do as this would part of it would be
> very generic and could be used in other scripts via cut&paste too.

perhaps, but for the most part daemons packaged in debian are not
priority standard and thus not installed by default.  the decision to
install the daemon should imply the desire to run it IMO.  for some
cases i agree there should probably be a question, especially daemons
that outright require admin configuration before being useful anyway.
i just think a trend of daemons when installed asking whether the
admin really wanted to install and use it would be rather annoying.  

i prefer to not enable daemons by not installing them.  

> So rpc.statd still get's started even if it's not used?

yes, so long as portmap is started, which it is by default.  lockd is
started if needed/supported.  

> Hm, why must it be downgraded? Is the priority to high currently to
> remove it from the standard-installation? 

its priority standard i presume, which unless dselect/tasksel is
changed means it will be installed and started by default.  that can
either be solved by ya postinst/debconf question or by lowering its
priority to make the admin install it if they need it.  

the whole priority standard thing is really sticky, its supposed to
create a basic command line system that a *nix guy will be comfortable
with and not find much missing that triggers a `wtf!' the thing is
nobody can agree on exactly what that is. (ie does it include emacs or
not, does it include TeX or not?, does it include nfsd or not? does it
include telnetd or not?......)

> > would be.  (more then likely a big flamewar where all propronants are
> > called incompetant morons)
> 
> Well, I'm not sure if this will really be a flamewar, since the security
> holes in portmap and nfs have been obvious and visible for everyone, so

don't be so sure, i recently saw someone on -devel get yelled at for
saying portmap is not secure.  

> to increase our security and make debian also the choice for
> security-aware people. I think this approach would fit to debian's image
> fine.

i would hope so.  i really don't see any reason why a default
installation has to run things like portmap and statd by default.
OpenBSD doesn't and it doesn't seem to hurt them any. 

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Enrique Zanardi <sr1-boot-floppies@debian.org>:
Bug#81118; Package base. Full text and rfc822 format available.

Acknowledgement sent to Christian Kurz <shorty@debian.org>:
Extra info received and forwarded to list. Copy sent to Enrique Zanardi <sr1-boot-floppies@debian.org>. Full text and rfc822 format available.

Message #50 received at 81118@bugs.debian.org (full text, mbox):

From: Christian Kurz <shorty@debian.org>
To: Ethan Benson <erbenson@alaska.net>, 81118@bugs.debian.org
Subject: Re: Bug#81118: base: Wishlist: High security base system (or separate add-on package)
Date: Thu, 4 Jan 2001 13:09:34 +0100
On 01-01-04 Ethan Benson wrote:
> On Thu, Jan 04, 2001 at 11:37:08AM +0100, Christian Kurz wrote:
> > Well, I'm not sure if downgrading would be a good idea, but changing the
> > postinst-script should be easier to do as this would part of it would be
> > very generic and could be used in other scripts via cut&paste too.

> perhaps, but for the most part daemons packaged in debian are not
> priority standard and thus not installed by default.  the decision to

Agreed.

> install the daemon should imply the desire to run it IMO.  for some
> cases i agree there should probably be a question, especially daemons
> that outright require admin configuration before being useful anyway.

Alright, I think I can agree with this.

> i just think a trend of daemons when installed asking whether the
> admin really wanted to install and use it would be rather annoying.  

Absolutely and I think moving telnetd to a lower priority would give a
better sign that debian is also aware of the security of it's OS.

> i prefer to not enable daemons by not installing them.

Me too.

> > So rpc.statd still get's started even if it's not used?

> yes, so long as portmap is started, which it is by default.  lockd is
> started if needed/supported.  

This is bad behaviour and we should then really fix this.

> > Hm, why must it be downgraded? Is the priority to high currently to
> > remove it from the standard-installation? 

> its priority standard i presume, which unless dselect/tasksel is
> changed means it will be installed and started by default.  that can
> either be solved by ya postinst/debconf question or by lowering its
> priority to make the admin install it if they need it.  

Well, then I would prefer lowering it's priority to match so that I only
gets intalled when the admin decides to install it. And if some people
are against a change of the priority, I think then we should use the
approach to change the postinst/debconf to ask a question about starting
portmap or not.

> the whole priority standard thing is really sticky, its supposed to
> create a basic command line system that a *nix guy will be comfortable
> with and not find much missing that triggers a `wtf!' the thing is
> nobody can agree on exactly what that is. (ie does it include emacs or
> not, does it include TeX or not?, does it include nfsd or not? does it
> include telnetd or not?......)

Well, I think the priority idea is good and useful, but we are currently
not thinking enough about security and check if our base-system is not
vulnerable.

> > > would be.  (more then likely a big flamewar where all propronants are
> > > called incompetant morons)
> > 
> > Well, I'm not sure if this will really be a flamewar, since the security
> > holes in portmap and nfs have been obvious and visible for everyone, so

> don't be so sure, i recently saw someone on -devel get yelled at for
> saying portmap is not secure.  

Well, I would suggest, that those people who yell me for this, either do
a audit of portmap and present it on -devel or shut up.

> > to increase our security and make debian also the choice for
> > security-aware people. I think this approach would fit to debian's image
> > fine.

> i would hope so.  i really don't see any reason why a default
> installation has to run things like portmap and statd by default.
> OpenBSD doesn't and it doesn't seem to hurt them any. 

Well, do you know how FreeBSD or NetBSD handle this? I think we should
not try to create a second OpenBSD called OpenDebian, which is very
security aware, but we should care a bit more about our security.

Ciao
     Christian
-- 
          Debian Developer and Quality Assurance Team Member
    1024/26CC7853 31E6 A8CA 68FC 284F 7D16  63EC A9E6 67FF 26CC 7853



Information forwarded to debian-bugs-dist@lists.debian.org, Enrique Zanardi <sr1-boot-floppies@debian.org>:
Bug#81118; Package base. Full text and rfc822 format available.

Acknowledgement sent to Anthony Towns <aj@azure.humbug.org.au>:
Extra info received and forwarded to list. Copy sent to Enrique Zanardi <sr1-boot-floppies@debian.org>. Full text and rfc822 format available.

Message #55 received at 81118@bugs.debian.org (full text, mbox):

From: Anthony Towns <aj@azure.humbug.org.au>
To: Christian Kurz <shorty@debian.org>, 81118@bugs.debian.org
Cc: Ethan Benson <erbenson@alaska.net>
Subject: Re: Bug#81118: base: Wishlist: High security base system (or separate add-on package)
Date: Thu, 4 Jan 2001 22:14:30 +1000
[Message part 1 (text/plain, inline)]
On Thu, Jan 04, 2001 at 10:40:46AM +0100, Christian Kurz wrote:
> On 01-01-04 Ethan Benson wrote:
> > On Wed, Jan 03, 2001 at 07:50:58PM +0100, Christian Kurz wrote:
> > > > apt-get remove telnetd
> > > Well, why do we have telnet enabled after installation? 
> > because telnetd is priority standard, 
> Hm, what about changing the postinst of telnetd so, that I ask the admin
> who installs debian or the package, if he really wants to activate
> telnetd or not? 

"Standard" (and important) are basically defined as a "free, character
mode Unix system". Probably, this implies having telnet and telnetd
available, and being able to use NFS and so on.

Additionally, we have a more or less implicit policy that all daemons
should be run by default if they're installed. So if you don't want a
daemon running you either don't install it (or uninstall it), or change
the config files.

If you want to change "standard" to not be a "free character mode
Unix system" (and thus not have telnetd or rsh or NFS or portmap),
there probably needs to be some easy way to say "hey, I'm a curmudgeon,
I want my unix system!". Maybe via a task- package of some sort? Or some
other way? I dunno if it makes sense as a `task' per se. [0]

Cheers,
aj

[0] Random thought: maybe some "environment" packages would be an
    interesting task- alternative; so you could have a "traditional-unix"
    environment, or a "KDE" or a "Gnome" environment, or something. That
    is, collections of packages focussed on how you want to do something,
    rather than what you want to do (which is what tasks are for). For
    users who're more experienced than newbies (who've got task packages),
    but who aren't expers (who've got dselect/console-apt). Might be
    hard to keep at all organised.

-- 
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

     ``Thanks to all avid pokers out there''
                       -- linux.conf.au, 17-20 January 2001
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Enrique Zanardi <sr1-boot-floppies@debian.org>:
Bug#81118; Package base. Full text and rfc822 format available.

Acknowledgement sent to Anthony Towns <aj@azure.humbug.org.au>:
Extra info received and forwarded to list. Copy sent to Enrique Zanardi <sr1-boot-floppies@debian.org>. Full text and rfc822 format available.

Message #60 received at 81118@bugs.debian.org (full text, mbox):

From: Anthony Towns <aj@azure.humbug.org.au>
To: Christian Kurz <shorty@debian.org>, 81118@bugs.debian.org
Cc: Ethan Benson <erbenson@alaska.net>
Subject: Re: Bug#81118: base: Wishlist: High security base system (or separate add-on package)
Date: Thu, 4 Jan 2001 22:24:13 +1000
On Thu, Jan 04, 2001 at 01:09:34PM +0100, Christian Kurz wrote:
> > don't be so sure, i recently saw someone on -devel get yelled at for
> > saying portmap is not secure.  
> Well, I would suggest, that those people who yell me for this, either do
> a audit of portmap and present it on -devel or shut up.

Oh, and for reference, portmap hasn't has a security update forever
while I've been maintaining it. Heck, there don't seem to have been any
changes to portmap since 1997. But hey, feel free to make the traditional
baseless accusations of insecurity, whatever.

Cheers,
aj

-- 
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

     ``Thanks to all avid pokers out there''
                       -- linux.conf.au, 17-20 January 2001



Information forwarded to debian-bugs-dist@lists.debian.org, Enrique Zanardi <sr1-boot-floppies@debian.org>:
Bug#81118; Package base. Full text and rfc822 format available.

Acknowledgement sent to Christian Kurz <shorty@debian.org>:
Extra info received and forwarded to list. Copy sent to Enrique Zanardi <sr1-boot-floppies@debian.org>. Full text and rfc822 format available.

Message #65 received at 81118@bugs.debian.org (full text, mbox):

From: Christian Kurz <shorty@debian.org>
To: Anthony Towns <aj@azure.humbug.org.au>
Cc: 81118@bugs.debian.org, Ethan Benson <erbenson@alaska.net>
Subject: Re: Bug#81118: base: Wishlist: High security base system (or separate add-on package)
Date: Thu, 4 Jan 2001 13:28:29 +0100
On 01-01-04 Anthony Towns wrote:
> On Thu, Jan 04, 2001 at 10:40:46AM +0100, Christian Kurz wrote:
> > On 01-01-04 Ethan Benson wrote:
> > > On Wed, Jan 03, 2001 at 07:50:58PM +0100, Christian Kurz wrote:
> > > > > apt-get remove telnetd
> > > > Well, why do we have telnet enabled after installation? 
> > > because telnetd is priority standard, 
> > Hm, what about changing the postinst of telnetd so, that I ask the admin
> > who installs debian or the package, if he really wants to activate
> > telnetd or not? 

> "Standard" (and important) are basically defined as a "free, character
> mode Unix system". Probably, this implies having telnet and telnetd
> available, and being able to use NFS and so on.

> Additionally, we have a more or less implicit policy that all daemons
> should be run by default if they're installed. So if you don't want a
> daemon running you either don't install it (or uninstall it), or change
> the config files.

And so we don't care about the security of the system that the user has
installed? Do we want to have Debian 2.1 become the next target for
script-kiddies like RedHat 6.1? I hope not.

> If you want to change "standard" to not be a "free character mode
> Unix system" (and thus not have telnetd or rsh or NFS or portmap),

I just propose not to start them automatically and to ask the admin
about this, because they are security risks.

Ciao
     Christian
-- 
          Debian Developer and Quality Assurance Team Member
    1024/26CC7853 31E6 A8CA 68FC 284F 7D16  63EC A9E6 67FF 26CC 7853



Information forwarded to debian-bugs-dist@lists.debian.org, Enrique Zanardi <sr1-boot-floppies@debian.org>:
Bug#81118; Package base. Full text and rfc822 format available.

Acknowledgement sent to Christian Kurz <shorty@debian.org>:
Extra info received and forwarded to list. Copy sent to Enrique Zanardi <sr1-boot-floppies@debian.org>. Full text and rfc822 format available.

Message #70 received at 81118@bugs.debian.org (full text, mbox):

From: Christian Kurz <shorty@debian.org>
To: Anthony Towns <aj@azure.humbug.org.au>
Cc: 81118@bugs.debian.org, Ethan Benson <erbenson@alaska.net>
Subject: Re: Bug#81118: base: Wishlist: High security base system (or separate add-on package)
Date: Thu, 4 Jan 2001 13:33:32 +0100
On 01-01-04 Anthony Towns wrote:
> On Thu, Jan 04, 2001 at 01:09:34PM +0100, Christian Kurz wrote:
> > > don't be so sure, i recently saw someone on -devel get yelled at for
> > > saying portmap is not secure.  
> > Well, I would suggest, that those people who yell me for this, either do
> > a audit of portmap and present it on -devel or shut up.

> Oh, and for reference, portmap hasn't has a security update forever
> while I've been maintaining it. Heck, there don't seem to have been any
> changes to portmap since 1997. But hey, feel free to make the traditional
> baseless accusations of insecurity, whatever.

Oh, are you sure that you are not forgetting those nfs and rpc-bugs that
are all only possible due to some running portmap? Also I remember a bug
in portmap that has been found 1998. And I'm still not convinced that
portmap is secure until it has been fully audited.

Ciao
     Christian
-- 
          Debian Developer and Quality Assurance Team Member
    1024/26CC7853 31E6 A8CA 68FC 284F 7D16  63EC A9E6 67FF 26CC 7853



Information forwarded to debian-bugs-dist@lists.debian.org, Enrique Zanardi <sr1-boot-floppies@debian.org>:
Bug#81118; Package base. Full text and rfc822 format available.

Acknowledgement sent to Ethan Benson <erbenson@alaska.net>:
Extra info received and forwarded to list. Copy sent to Enrique Zanardi <sr1-boot-floppies@debian.org>. Full text and rfc822 format available.

Message #75 received at 81118@bugs.debian.org (full text, mbox):

From: Ethan Benson <erbenson@alaska.net>
To: Anthony Towns <aj@azure.humbug.org.au>
Cc: Christian Kurz <shorty@debian.org>, 81118@bugs.debian.org
Subject: Re: Bug#81118: base: Wishlist: High security base system (or separate add-on package)
Date: Thu, 4 Jan 2001 04:16:07 -0900
[Message part 1 (text/plain, inline)]
On Thu, Jan 04, 2001 at 10:14:30PM +1000, Anthony Towns wrote:
> 
> "Standard" (and important) are basically defined as a "free, character
> mode Unix system". Probably, this implies having telnet and telnetd
> available, and being able to use NFS and so on.

what about rsh, rlogin, rcp and such?  those are pretty standard in
many/most Unix systems. yet rsh-client and rsh-server are priority:
extra.  ssh is a pretty clean replacement for these utilities but ssh
is not priority standard either.  

> Additionally, we have a more or less implicit policy that all daemons
> should be run by default if they're installed. So if you don't want a
> daemon running you either don't install it (or uninstall it), or change
> the config files.

i agree with this policy, but given this policy i think there should
be as little daemons installed by default as possible.  

> If you want to change "standard" to not be a "free character mode
> Unix system" (and thus not have telnetd or rsh or NFS or portmap),
> there probably needs to be some easy way to say "hey, I'm a curmudgeon,
> I want my unix system!". Maybe via a task- package of some sort? Or some
> other way? I dunno if it makes sense as a `task' per se. [0]

well as i said in another message nobody can agree what what a `free
character mode Unix system' is anyway so it doesn't really matter.  in
general i am happy with the set of software installed by priority
standard but would prefer not to have as much listening on the network
immediatly by installing it.   

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Enrique Zanardi <sr1-boot-floppies@debian.org>:
Bug#81118; Package base. Full text and rfc822 format available.

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list. Copy sent to Enrique Zanardi <sr1-boot-floppies@debian.org>. Full text and rfc822 format available.

Message #80 received at 81118@bugs.debian.org (full text, mbox):

From: Joey Hess <joeyh@debian.org>
To: Anthony Towns <aj@azure.humbug.org.au>, 81118@bugs.debian.org
Subject: Re: Bug#81118: base: Wishlist: High security base system (or separate add-on package)
Date: Thu, 4 Jan 2001 11:32:48 -0800
Anthony Towns wrote:
> Oh, and for reference, portmap hasn't has a security update forever
> while I've been maintaining it. Heck, there don't seem to have been any
> changes to portmap since 1997. But hey, feel free to make the traditional
> baseless accusations of insecurity, whatever.

If it is a daemon that binds to a port, and it doesn't have "secure" in its
name or "encryption" in its description, it's gotta be insecure.

(Or at least some people seem to think so; ignoring all the clients
which they don't realize _also_ bind to ports; ignoring the propensity
of programs that have "secure" in their name to be anything but;
ignoring how hard encryption is to get right; and ignoring much more
risky things like suid binaries, binary-only programs, and typically-buggy
cgi scripts. :-P)

BTW there are secure uses of telnet. telnet to 'kitenet.net' and log in
as 'beer' (no password) for one of them.

-- 
see shy jo



Information forwarded to debian-bugs-dist@lists.debian.org, Enrique Zanardi <sr1-boot-floppies@debian.org>:
Bug#81118; Package base. Full text and rfc822 format available.

Acknowledgement sent to Arthur Korn <arthur@korn.ch>:
Extra info received and forwarded to list. Copy sent to Enrique Zanardi <sr1-boot-floppies@debian.org>. Full text and rfc822 format available.

Message #85 received at 81118@bugs.debian.org (full text, mbox):

From: Arthur Korn <arthur@korn.ch>
To: Joey Hess <joeyh@debian.org>, 81118@bugs.debian.org
Subject: Re: Bug#81118: base: Wishlist: High security base system (or separate add-on package)
Date: Thu, 4 Jan 2001 22:57:52 +0100
Hi

Joey Hess schrieb:
> If it is a daemon that binds to a port, and it doesn't have "secure" in its
> name or "encryption" in its description, it's gotta be insecure.

Debians minimal system (what's called 'standard') is to fat.
Regardless of how secure it is, many boxes just don't need the
portmapper or a telnet _daemon_ (I don't mind about the client,
I prefer netcat though). The minimal system should really be
minimal, let dependencies do the rest.

> BTW there are secure uses of telnet. telnet to 'kitenet.net' and log in
> as 'beer' (no password) for one of them.

$ telnet bofh.jive.org 666|grep "Your excuse is:"

:)

ciao, 2ri
-- 
"I'm not going to ride on a magic carpet! I'm afraid of grounds!"
"You mean heights, and stop being silly!"
"I know what I mean! It's the grounds that kill you!"
                --Terry Pratchet, "Sourcery"



Information forwarded to debian-bugs-dist@lists.debian.org, Enrique Zanardi <sr1-boot-floppies@debian.org>:
Bug#81118; Package base. Full text and rfc822 format available.

Acknowledgement sent to "Eray Ozkural (exa)" <erayo@cs.bilkent.edu.tr>:
Extra info received and forwarded to list. Copy sent to Enrique Zanardi <sr1-boot-floppies@debian.org>. Full text and rfc822 format available.

Message #90 received at 81118@bugs.debian.org (full text, mbox):

From: "Eray Ozkural (exa)" <erayo@cs.bilkent.edu.tr>
To: Arthur Korn <arthur@korn.ch>, 81118@bugs.debian.org
Cc: Joey Hess <joeyh@debian.org>
Subject: Re: Bug#81118: base: Wishlist: High security base system (or separate add-on package)
Date: Fri, 05 Jan 2001 04:29:13 +0200
Arthur Korn wrote:
> 
> Hi
> 
> Joey Hess schrieb:
> > If it is a daemon that binds to a port, and it doesn't have "secure" in its
> > name or "encryption" in its description, it's gotta be insecure.
> 
> Debians minimal system (what's called 'standard') is to fat.
> Regardless of how secure it is, many boxes just don't need the
> portmapper or a telnet _daemon_ (I don't mind about the client,
> I prefer netcat though). The minimal system should really be
> minimal, let dependencies do the rest.

What? I'd like to be sure to have a telnet daemon fixed in when I do
an installation over network. What will you gain by excluding telnet
daemon other than satisfying some security paranoid out there? Raving
for a few kb's?

The only way to be really secure is to blow up your computer, and send
the pieces into deep space.

-- 
Eray (exa) Ozkural
Comp. Sci. Dept., Bilkent University, Ankara
e-mail: erayo@cs.bilkent.edu.tr
www: http://www.cs.bilkent.edu.tr/~erayo



Information forwarded to debian-bugs-dist@lists.debian.org, Enrique Zanardi <sr1-boot-floppies@debian.org>:
Bug#81118; Package base. Full text and rfc822 format available.

Acknowledgement sent to Anthony Towns <aj@azure.humbug.org.au>:
Extra info received and forwarded to list. Copy sent to Enrique Zanardi <sr1-boot-floppies@debian.org>. Full text and rfc822 format available.

Message #95 received at 81118@bugs.debian.org (full text, mbox):

From: Anthony Towns <aj@azure.humbug.org.au>
To: Arthur Korn <arthur@korn.ch>, 81118@bugs.debian.org
Cc: Joey Hess <joeyh@debian.org>
Subject: Re: Bug#81118: base: Wishlist: High security base system (or separate add-on package)
Date: Fri, 5 Jan 2001 12:25:34 +1000
[Message part 1 (text/plain, inline)]
On Thu, Jan 04, 2001 at 10:57:52PM +0100, Arthur Korn wrote:
> Joey Hess schrieb:
> > If it is a daemon that binds to a port, and it doesn't have "secure" in its
> > name or "encryption" in its description, it's gotta be insecure.
> Debians minimal system (what's called 'standard') is to fat.

That would be because standard isn't intended to be a minimal system at
all. If you want minimal, just install the "important" packages. If you
want _really_ minimal, just install the "required" packages.

Cheers,
aj

-- 
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

     ``Thanks to all avid pokers out there''
                       -- linux.conf.au, 17-20 January 2001
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Enrique Zanardi <sr1-boot-floppies@debian.org>:
Bug#81118; Package base. Full text and rfc822 format available.

Acknowledgement sent to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to Enrique Zanardi <sr1-boot-floppies@debian.org>. Full text and rfc822 format available.

Message #100 received at 81118@bugs.debian.org (full text, mbox):

From: Santiago Vila <sanvila@unex.es>
To: <81118@bugs.debian.org>
Subject: Re: Bug#81118: base: Wishlist: High security base system (or separate add-on package)
Date: Fri, 5 Jan 2001 12:10:42 +0100 (CET)
Anthony Towns wrote:
> If you want minimal, just install the "important" packages. If you
> want _really_ minimal, just install the "required" packages.

Before telling people to do this could you please fix all the wrong
priorities in testing and unstable? [ Or at least the ones regarding
standard and above packages, which are only a few ]. Currently, it's
not always possible to install just the important packages (and above)
or just the required packages. On some architectures there are even
conflicts among the set of packages which are expected to be installed
by default (!).




Information forwarded to debian-bugs-dist@lists.debian.org, Enrique Zanardi <sr1-boot-floppies@debian.org>:
Bug#81118; Package base. Full text and rfc822 format available.

Acknowledgement sent to Adam Di Carlo <adam@onshore.com>:
Extra info received and forwarded to list. Copy sent to Enrique Zanardi <sr1-boot-floppies@debian.org>. Full text and rfc822 format available.

Message #105 received at 81118@bugs.debian.org (full text, mbox):

From: Adam Di Carlo <adam@onshore.com>
To: Anthony Towns <aj@azure.humbug.org.au>
Cc: 81118@bugs.debian.org, Arthur Korn <arthur@korn.ch>, Joey Hess <joeyh@debian.org>, control@bugs.debian.org
Subject: Re: Bug#81118: base: Wishlist: High security base system (or separate add-on package)
Date: 10 Jan 2001 23:19:52 -0500
reassign 81118 ftp.debian.org
thanks

Anthony Towns <aj@azure.humbug.org.au> writes:

> On Thu, Jan 04, 2001 at 10:57:52PM +0100, Arthur Korn wrote:
> > Joey Hess schrieb:
> > > If it is a daemon that binds to a port, and it doesn't have "secure" in its
> > > name or "encryption" in its description, it's gotta be insecure.
> > Debians minimal system (what's called 'standard') is to fat.
> 
> That would be because standard isn't intended to be a minimal system at
> all. If you want minimal, just install the "important" packages. If you
> want _really_ minimal, just install the "required" packages.

No, this is incorrect.

Standard packages all get installed by default, and should be, based
on Policy itself.

Guys, I am fully in agreement that telnetd should *not* be priority
standard.  In fact, no network services should be isntalled by default
in Debian unless asked for!

On the other hand, this problem must be fixed by filing bugs against
ftp.debian.org or else the packages themselves to get the standards on
the packages in question changed.

The base system really has nothing to do with this issue -- it's a
question of debian itself, since base itself doesn't include telnetd,
or any of the NFS stuff.

Refiling this bug against ftp.debian.org.

-- 
.....Adam Di Carlo....adam@onShore.com.....<URL:http://www.onShore.com/>




Bug reassigned from package `base' to `ftp.debian.org'. Request was from Adam Di Carlo <adam@onshore.com> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, James Troup and others <ftpmaster@debian.org>:
Bug#81118; Package ftp.debian.org. Full text and rfc822 format available.

Acknowledgement sent to James Troup <james@nocrew.org>:
Extra info received and forwarded to list. Copy sent to James Troup and others <ftpmaster@debian.org>. Full text and rfc822 format available.

Message #112 received at 81118@bugs.debian.org (full text, mbox):

From: James Troup <james@nocrew.org>
To: 81118@bugs.debian.org
Subject: Re: Bug#81118: base: Wishlist: High security base system (or separate add-on package)
Date: 12 Jan 2001 20:33:42 +0000
reassign 81118 general
thanks

Hi,

I'm a little confused as to why this was reassigned to f.d.o ?  If you
want priorities changed, we'll need specific cases of what needs
changed and some rough consensus if the changes are large/significant.
If there is such a list of changes and I just missed it, please
reassign it back but without further instructions there's nothing I
can do here.

-- 
James



Bug reassigned from package `ftp.debian.org' to `general'. Request was from James Troup <james@nocrew.org> to control@bugs.debian.org. Full text and rfc822 format available.

Changed Bug title. Request was from Josip Rodin <joy@cibalia.gkvk.hr> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, <debian-devel@lists.debian.org>:
Bug#81118; Package general. Full text and rfc822 format available.

Acknowledgement sent to Andrew Ferrier <andrew@new-destiny.co.uk>:
Extra info received and forwarded to list. Copy sent to <debian-devel@lists.debian.org>. Full text and rfc822 format available.

Message #121 received at 81118@bugs.debian.org (full text, mbox):

From: Andrew Ferrier <andrew@new-destiny.co.uk>
To: Debian Bug Tracking System <81118@bugs.debian.org>
Subject: general: Harden?
Date: Mon, 9 Aug 2004 20:31:26 +0100
Followup-For: Bug #81118
Package: general
Version: N/A; reported 2004-08-09

It looks to me like the original purpose of this bug is now mostly
covered by the harden suite of packages; they are in a good position to
conflict with things like telnet, provide advice on hardening during
installation, etc. Perhaps this bug should be closed in light of that?
Or maybe the original submitter would like harden more prominently
advertised?

Regards,
Andrew.

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux laura 2.4.25 #1 Wed Mar 31 22:32:42 BST 2004 i686
Locale: LANG=C, LC_CTYPE=



Information forwarded to debian-bugs-dist@lists.debian.org, <debian-devel@lists.debian.org>:
Bug#81118; Package general. Full text and rfc822 format available.

Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Extra info received and forwarded to list. Copy sent to <debian-devel@lists.debian.org>. Full text and rfc822 format available.

Message #126 received at 81118@bugs.debian.org (full text, mbox):

From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: Andrew Ferrier <andrew@new-destiny.co.uk>, 81118@bugs.debian.org
Subject: Re: Bug#81118: general: Harden?
Date: Thu, 26 Aug 2004 13:17:35 +0200
[Message part 1 (text/plain, inline)]
On Mon, Aug 09, 2004 at 08:31:26PM +0100, Andrew Ferrier wrote:
> Followup-For: Bug #81118
> Package: general
> Version: N/A; reported 2004-08-09
> 
> It looks to me like the original purpose of this bug is now mostly
> covered by the harden suite of packages; they are in a good position to
> conflict with things like telnet, provide advice on hardening during
> installation, etc. Perhaps this bug should be closed in light of that?
> Or maybe the original submitter would like harden more prominently
> advertised?

Actually the harden packages covers only part of what the original
submitter asked for since the user will not be able to install (and thus
activate) vulnerable network sevices. The Bastille package covers also some
of this, by disabling those network services and providing better (i.e. 
more secure) configurations in some cases. However, there is no documented
and standard process to harden a default installation and Bastille still 
does not cover everything that the "Securing Debian Manual" might suggest 
you to do. 

The current default installation still enables some unnecesary 
services (see #261906) and there is no firewall in the default installation 
(see #212692). Even though we've gone a long way from 2.2 (telnetd is no 
longer installed in most systems, neither is NFS+portmapper) I believe we 
still get to the point that an installation (either by default or by 
choosing) delivers a only-for-paranoids system like OpenBSD.

Regards

Javier
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, <debian-devel@lists.debian.org>:
Bug#81118; Package general. Full text and rfc822 format available.

Acknowledgement sent to Andrew Ferrier <andrew@new-destiny.co.uk>:
Extra info received and forwarded to list. Copy sent to <debian-devel@lists.debian.org>. Full text and rfc822 format available.

Message #131 received at 81118@bugs.debian.org (full text, mbox):

From: Andrew Ferrier <andrew@new-destiny.co.uk>
To: Javier Fern?ndez-Sanguino Pe?a <jfs@computer.org>
Cc: 81118@bugs.debian.org
Subject: Re: Bug#81118: general: Harden?
Date: Wed, 1 Sep 2004 19:48:36 +0100
On 2004-08-26 at 13:17 +0200, Javier Fern?ndez-Sanguino Pe?a wrote:

> On Mon, Aug 09, 2004 at 08:31:26PM +0100, Andrew Ferrier wrote:
> > Followup-For: Bug #81118
> > Package: general
> > Version: N/A; reported 2004-08-09
> > 
> > It looks to me like the original purpose of this bug is now mostly
> > covered by the harden suite of packages; they are in a good position to
> > conflict with things like telnet, provide advice on hardening during
> > installation, etc. Perhaps this bug should be closed in light of that?
> > Or maybe the original submitter would like harden more prominently
> > advertised?
> 
> Actually the harden packages covers only part of what the original
> submitter asked for since the user will not be able to install (and thus
> activate) vulnerable network sevices. The Bastille package covers also some
> of this, by disabling those network services and providing better (i.e. 
> more secure) configurations in some cases. However, there is no documented
> and standard process to harden a default installation and Bastille still 
> does not cover everything that the "Securing Debian Manual" might suggest 
> you to do. 
> 
> The current default installation still enables some unnecesary 
> services (see #261906) and there is no firewall in the default installation 
> (see #212692). Even though we've gone a long way from 2.2 (telnetd is no 
> longer installed in most systems, neither is NFS+portmapper) I believe we 
> still get to the point that an installation (either by default or by 
> choosing) delivers a only-for-paranoids system like OpenBSD.

OK, fair enough. Was trying to help clear up some old bug reports. Seems
like Debian is getting there with this bug though!

Cheers,
Andrew.

-- 
Andrew Ferrier

email:   andrew@new-destiny.co.uk




Reply sent to Holger Levsen <holger@layer-acht.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to era eriksson <era@iki.fi>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #136 received at 81118-done@bugs.debian.org (full text, mbox):

From: Holger Levsen <holger@layer-acht.org>
To: 81118-done@bugs.debian.org
Subject: security is a process, not a product
Date: Fri, 5 Sep 2008 00:58:48 +0200
[Message part 1 (text/plain, inline)]
Hi,

even in etch I get:

$ apt-cache search harden
bastille - Security hardening tool
harden - Makes your system hardened
harden-clients - Avoid clients that are known to be insecure
harden-development - Development tools for creating more secure programs
harden-doc - Useful documentation to secure a Debian system
harden-environment - Hardened system environment
harden-nids - Harden a system by using a network intrusion detection system
harden-remoteaudit - Audit your remote systems from this host
harden-servers - Avoid servers that are known to be insecure
harden-surveillance - Check services and/or servers automatically
harden-tools - Tools to enhance or analyze the security of the local system
mrb - Manage incremental data snapshots with make/rsync
php4-suhosin - advanced protection module for php4
php5-suhosin - advanced protection module for php5

Also there is this selinux thingie.

Thus closing this bug report. 

Also it's an illusion to create a secure system. Security is a process, not a 
product.


regards,
	Holger
[Message part 2 (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 03 Oct 2008 07:26:39 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 16:29:43 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.