Re: What should a Debian-security metapackage should provide?
On Wed, Dec 13, 2000 at 11:35:03AM +0100, Javier Fernandez-Sanguino Peña wrote:
> I've thought on the Debian metapackage... how about this:
>
> task-security
> Depends: documentation (securing-howto, lasg)

Depends: should be reserved for actual dependencies IMHO, you should never need to depend on documentation. Make that suggests. (IANADD though)

> Suggests: task-security-audit, task-firewall-tools, task-security-tools
> Recommends: task-network-tools
>
> task-security-audit
> Depends: nessusd, snort, logcheck, ippl, tcpdump, sxid, syslog-ng, arpwatch
> (tripwire, satan, and saint are all non-free IIRC)
>
> task-security-tools
> Depends: pwgen, makepasswd, john, otp, osh, rbash, ssh, gnupg, tcpd

These are useless unless the sysadmin knows and uses them, in which case they would install them anyway. Task packages are meant to help people who *don't* know what they want.

> task-network-tools
> Recommends: cheops, scotty, queso, nmap, ethereal, netdiag, karpski
>
> task-firewall-tools
> Depends: gfc, firestarter, easyfw (last two not currently in Debian, but will
> be soon)

Not qualified to comment.

> Any thoughts?

As someone else said, fewer task- packages seems to be the flavour of the moment. I'm in agreement with the "task packages should be for new users to get going quickly without knowing much" point of view.

The only one of the above suggestions I think is useful is task-security-audit, specifically the logging stuff like ippl, since that works without intervention; you can select it and forget it, until you actually get attacked when you then need the logs.

I'd have a single task-security, which included a few paranoid logging programs, some automatic security checking scripts like sxid, and maybe a simple firewall package too, if it can be installed with a useful default configuration. And maybe Conflicts: a few of the more obviously insecure services.

And I'd have it selected by default on all new installations, but I suspect that's unlikely to happen. :-)

--
Colin Phipps http://www.cph.demon.co.uk/
Re: What should a Debian-security metapackage should provide?
* Javier Fernandez-Sanguino Peña

| Any thoughts?

There is a discussion on -devel about _limiting_ the number of task packages, not increasing it. So until that one is finished, adding four task- packages isn't a good idea, imho.

--
Tollef Fog Heen
Unix _IS_ user friendly... It's just selective about who its friends are.
Re: What should a Debian-security metapackage should provide?
I've thought on the Debian metapackage... how about this:

task-security
Depends: documentation (securing-howto, lasg)
Suggests: task-security-audit, task-firewall-tools, task-security-tools
Recommends: task-network-tools

task-security-audit
Depends: nessusd, snort, logcheck, ippl, tcpdump, sxid, syslog-ng, arpwatch
(tripwire, satan, and saint are all non-free IIRC)

task-security-tools
Depends: pwgen, makepasswd, john, otp, osh, rbash, ssh, gnupg, tcpd

task-network-tools
Recommends: cheops, scotty, queso, nmap, ethereal, netdiag, karpski

task-firewall-tools
Depends: gfc, firestarter, easyfw (last two not currently in Debian, but will be soon)

Any thoughts?

Javi
Re: What should a Debian-security metapackage should provide?
Christian Kurz wrote:
>
> On 00-12-04 Javier Fernandez-Sanguino Peña wrote:

I'm sorry. Having read this I have gone through the list archives and I have not found any reference to this discussion. Yes, there was a discussion regarding metapackages but on how to use it to make automatic downloads. I'm talking of other issues here (documentation+dependencies+hardening scripts). If this has been talked about before feel free to point me to the exact thread

> > (I'm taking this out of the previous thread)
>
> > I've been giving some thought on a Debian metapackage related to
> > security.. and I think that it might be useful to have a package
> > that :
>
> Do we really need to discuss this again? There has just been one
> discussion about this and you can read about it in the archives.
>
> Ciao
> Christian
>
> P.S.: Turn that v-card off.

Done.

Javi
Re: What should a Debian-security metapackage should provide?
On 00-12-04 Javier Fernandez-Sanguino Peña wrote:
> (I'm taking this out of the previous thread)

> I've been giving some thought on a Debian metapackage related to
> security.. and I think that it might be useful to have a package
> that :

Do we really need to discuss this again? There has just been one discussion about this and you can read about it in the archives.

Ciao
Christian

P.S.: Turn that v-card off.

--
Debian Developer and Quality Assurance Team Member
1024/26CC7853 31E6 A8CA 68FC 284F 7D16 63EC A9E6 67FF 26CC 7853
Re: What should a Debian-security metapackage should provide?
On Mon, Dec 04, 2000, Javier Fernandez-Sanguino Peña wrote:
> For example, I would add dependencies on snort, nessus, nmap, queso,
> cracklib2, ethereal, firestarter (when available as a Debian package),
> john, netdiag, sniffit, otp, makepasswd, logcheck, secpolicy, libpam,
> lasg... (might have left others out). Kind of a swiss-army security
> knife :)

I would remove sniffit from the list, since the sniffit development seems to have stopped, since sniffit is not as secure as it should be (numerous buffer overflows were found some time ago), and since snort is far more efficient and secure.

I would also add ippl (IP Protocols Logger).

Well, many other things could be added, others removed, maybe others reconfigured (?) in order to harden the Debian system. Should this be discussed now/here?

Best regards,

--
MaXX
Re: What should a Debian-security metapackage should provide?
from the secret journal of Javier Fernandez-Sanguino Peña ([EMAIL PROTECTED]):
> For example, I would add dependencies on snort, nessus, nmap, queso,
> cracklib2, ethereal, firestarter (when available as a Debian package),
> john, netdiag, sniffit, otp, makepasswd, logcheck, secpolicy, libpam,
> lasg... (might have left others out). Kind of a swiss-army security
> knife :)

for the same reason as including security documentation, i would include pwgen rather than (or in addition to) makepasswd. pwgen makes pronounceable random passwords that are easier for users to remember, and thus less likely to be on a postit note on the monitor.

> It could also Conflict with known no-security packages..
>
> Any ideas? Is it really interesting or just a pointless idea?

i think it's a good idea, but i haven't read the rest of this thread yet :)

> Javi

--
jacob kuntz
[EMAIL PROTECTED]
underworld.net/~jake
Re: What should a Debian-security metapackage should provide?
On 4 Dec 2000, Tollef Fog Heen wrote:
> ethereal? That's an X program - I would _never_ install X on a
> server. :)

you don't need to be running X to run X applications; just use ssh forwarding. just make sure you're not running anything setuid -- assuming this, i don't see where the risk is.

-tl

, , ,, ., ,. . . .. .. . . ,.
who's watching your watchmen?
gpg: pub 1024D/81FD4B43 sub 4096g/BB6D2B11=>p.nu/d
2B72 53DB 8104 2041 BDB4 F053 4AE5 01DF 81FD 4B43
Re: What should a Debian-security metapackage should provide?
* J C Lawrence

| Which does not mean that you can't install the X libraries and run
| ethereal from a remote X server. Yes, X clients on servers are
| bad. X client libraries are not so bad.

Having a dependency on Xlibs in a 'task-secure' package might not be a very good idea, anyhow?

--
Tollef Fog Heen
Unix _IS_ user friendly... It's just selective about who its friends are.
Re: What should a Debian-security metapackage should provide?
On 04 Dec 2000 18:37:36 +0100 Tollef Fog Heen <[EMAIL PROTECTED]> wrote:
> ethereal? That's an X program - I would _never_ install X on a
> server. :)

Which does not mean that you can't install the X libraries and run ethereal from a remote X server. Yes, X clients on servers are bad. X client libraries are not so bad.

--
J C Lawrence [EMAIL PROTECTED]
-(*): http://www.kanga.nu/~claw/
--=| A man is as sane as he is dangerous to his environment |=--
Re: What should a Debian-security metapackage should provide?
Well... nessus is almost graphic also (although it does run on the CLI) so you would just install the server (nessusd), and firestarter (see http://sourceforge.net/projects/firestarter/) would also be out of the list.

We could maybe split it into security and network-analysis maybe (since most of them are of that kind...)

Javi

> * Javier Fernandez-Sanguino Peña
>
> | For example, I would add dependencies on snort, nessus, nmap, queso,
> | cracklib2, ethereal, firestarter (when available as a Debian
> | package), john, netdiag, sniffit, otp, makepasswd, logcheck,
> | secpolicy, libpam, lasg...
>
> ethereal? That's an X program - I would _never_ install X on a
> server. :)
Re: What should a Debian-security metapackage should provide?
* Javier Fernandez-Sanguino Peña

| For example, I would add dependencies on snort, nessus, nmap, queso,
| cracklib2, ethereal, firestarter (when available as a Debian
| package), john, netdiag, sniffit, otp, makepasswd, logcheck,
| secpolicy, libpam, lasg...

ethereal? That's an X program - I would _never_ install X on a server. :)

--
Tollef Fog Heen
Unix _IS_ user friendly... It's just selective about who its friends are.