02-17-2011, 02:36 PM
Lars Wirzenius

Auditing systems for default homedir permissions and other potential security risks and also for overly long subjects and needlessly antagonistic mailing list discussion threads

On Thu, 2011-02-17 at 15:24 +0000, Roger Leigh wrote:
> I would argue that a change that /would/ make a real difference, would
> be to have (as an example) emblems in Nautilus that flag files and
> folders depending on if other people have read or write access. That
> would visually show what is (and is not) secure either by intention or
> by accident.

I'm with Roger and Ian on the default permissions, but that's not why I
am making this thread needlessly longer. I am making it needlessly
longer because I had a mildly related idea that I am hoping someone will
pick up and implement.

It would be really cool if there was an automatic auditor for people to
use. Not just showing emblems in Nautilus, but offering to fix things as
well. Here's how I imagine it might work.

You tell the auditor what kind of system this is. d-i would set up a
default. For example, personal laptop, or web server, or mail server.
You also tell the auditor how much security you want: normal, a lot, or
too much.

The auditor then looks for things in the system, and in home
directories, which might be problems. For example, if it's meant to be a
mail server with a lot of security, having telnetd installed and running
would be a problem for it to flag. Likewise, it might flag home
directory permissions.

It then presents the user with a prioritized report, with most urgent
things first. The user can then say "I'm ok with this, don't tell me
about it again", or "Fix this now, please", or "I don't know what I'm
doing, just do something smart", or "I'm suddenly busy, just tell me
about this when I ask for a new report".

The automatic fixing might do things like remove or disable services, or
fix permissions, or install missing security updates, or, on the "too
much" security level, wipe all disks and send an e-mail to the nearest
secure destruction service to come and pick up the computer and take it
to where it can be melted.

(If you like the idea, start hacking! I will not get around to this
until some other millennium, when I've finished my backup application. I
want my backups done before I request my computer to be destroyed.)


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/1297957018.22676.40.camel@tacticus
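
A minimal sketch of the auditor described in the message above, added here as an example; it is not part of the original thread and is not code from Tiger, Bastille or any other tool named in it. It takes a system profile and a security level, checks home directory modes and a caller-supplied list of installed services, returns a prioritized report that honours "don't tell me about it again", and offers a fix for permissions. The policy tables, priorities and function names are assumptions made for the illustration, and only the "normal" and "a lot" levels are modelled.

```python
import os
import stat

# Assumed policy tables (illustrative, not from the thread).
# Mode bits a home directory must not carry at each security level.
FORBIDDEN_HOME_BITS = {
    "normal": stat.S_IWGRP | stat.S_IWOTH,  # no group/other write
    "a lot": stat.S_IRWXG | stat.S_IRWXO,   # owner-only, i.e. 0700
}
# Services that should not be present for a given (profile, level).
UNWANTED_SERVICES = {("mail server", "a lot"): {"telnetd"}}


def audit(profile, level, home_root, services, acknowledged=frozenset()):
    """Return (priority, finding_id, message) tuples, most urgent first.

    `services` is the list of installed service names, supplied by the caller;
    `acknowledged` holds finding ids the user chose not to be told about again.
    """
    findings = []
    unwanted = UNWANTED_SERVICES.get((profile, level), set())
    for svc in unwanted & set(services):
        findings.append((2, f"service:{svc}", f"{svc} present on a {profile}"))
    bad_bits = FORBIDDEN_HOME_BITS[level]
    with os.scandir(home_root) as entries:
        for entry in entries:
            # Skip symlinks and plain files: only real directories are homes.
            if not entry.is_dir(follow_symlinks=False):
                continue
            mode = stat.S_IMODE(entry.stat(follow_symlinks=False).st_mode)
            if mode & bad_bits:
                # Assumed ranking: world-writable is the most urgent finding.
                prio = 1 if mode & stat.S_IWOTH else 3
                findings.append(
                    (prio, f"homedir:{entry.name}", f"{entry.path} is {mode:04o}"))
    return sorted(f for f in findings if f[1] not in acknowledged)


def fix_homedir(path, level):
    """'Fix this now': clear only the forbidden bits; return the new mode."""
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise ValueError(f"{path} is not a real directory, refusing to chmod")
    new_mode = stat.S_IMODE(st.st_mode) & ~FORBIDDEN_HOME_BITS[level]
    os.chmod(path, new_mode)
    return new_mode


if __name__ == "__main__":
    for prio, fid, msg in audit("personal laptop", "normal", "/home", []):
        print(prio, fid, msg)
```
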
 
02-22-2011, 05:25 PM
Timo Juhani Lindfors

Lars Wirzenius <liw@liw.fi> writes:
> The auditor then looks for things in the system, and in home
> directories, which might be problems. For example, if it's meant to be a
> mail server with a lot of security, having telnetd installed and running
> would be a problem for it to flag. Likewise, it might flag home
> directory permissions.

We use tiger for this.


--
Archive: http://lists.debian.org/84wrksrkow.fsf@sauna.l.org
 
02-23-2011, 11:52 PM
Javier Fernandez-Sanguino

On 17 February 2011 16:36, Lars Wirzenius <liw@liw.fi> wrote:
> It would be really cool if there was an automatic auditor for people to
> use. Not just showing emblems in Nautilus, but offering to fix things as
> well. Here's how I imagine it might work.
(...)

From your description you are not looking at an 'auditor' but also a
hardening tool. These two niches are (sub-optimally) covered in Debian
separately by the Tiger security tool and Bastille, which I maintain.

Unfortunately, both of these tools are more oriented towards
security-knowledgeable users than end home users and they lack a
"nice" GUI: Tiger's reports are simple text files and Bastille uses
perl-tk which is hmmm a little bit ugly.

Other approaches I've seen in other distributions are SuSE's yast
security "levels" [1] and Mandrake's msec tool [2]. The concept of
these tools is good, since they both define profiles for different
(typical) users and try to set some system configuration variables
accordingly. In addition, Mandrake's msec also configures periodic
reviews of the system (something we in Debian implement through
checksecurity or Tiger).

None of them, however, take the "expert system" approach you are
suggesting i.e. they do not ask the user what type of system they
have, which security level they want and provide a list of things "to
fix". The user just selects a desired security level and the tools
implement all the associated "improvements" to get to that level.


Anyway, your idea is nice, and IMHO could be a proposal for this
year's GSOC. I would happily mentor (or co-mentor) such a tool. Even
though my past experience is that GSOC proposals related to OS
security do not grab too much attention / student requests. For
reference see [3] [4] [5] [6], of these, only [3] had a followup.

Regards

Javier


PS: RedHat uses the 'system-config-securitylevel' which is used to
configure firewall rules and SELinux but it is a different approach.



[1] http://doc.opensuse.org/products/draft/SLES/SLES-security/cha.yast_security.html
[2] http://wiki.mandriva.com/en/Draksec
[3] http://wiki.debian.org/SummerOfCode2007/ovalagent
[4] http://wiki.debian.org/SummerOfCode2007/commonsecuritychecks
[5] http://wiki.debian.org/SummerOfCode2007/autosecreview
[6] http://wiki.debian.org/SummerOfCode2008/SecurityPolicy


--
Archive: http://lists.debian.org/AANLkTinOqnPVh9_E15FGx-fe6ykXjLN31ZXfjOrjE4RS@mail.gmail.com
 

All times are GMT.