 
05-30-2010, 05:29 PM
Moritz Muehlenhoff

Bug#572712: use hardened sysctl net.* settings per default

On Sun, Mar 07, 2010 at 10:11:11AM +1100, Craig Small wrote:
> On Fri, Mar 05, 2010 at 09:25:49PM +0100, Christoph Anton Mitterer wrote:
> > I think it would be a good idea to use at least the settings below per
> > default:
> You're asking in the wrong place then. To change the default behaviour
> of the kernel, you need to apply this bug to the kernel, not procps.
>
> sysctl.conf is for suggested things that are off by default. Or perhaps
> more correctly can be changed but by default are not changed.

If you want to modify kernel defaults you'll need to discuss the
specific options with upstream, we won't differ in the Debian kernel
configuration.

For now I'd suggest to address Christoph's proposed changes through
the harden package. It appears to be designed for exactly this
purpose. Christoph, what do you think?

Cheers,
Moritz



--
To UNSUBSCRIBE, email to debian-kernel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/20100530172958.GA3779@galadriel.inutil.org
 
05-31-2010, 04:29 PM
Christoph Anton Mitterer

Bug#572712: use hardened sysctl net.* settings per default

Hi Moritz, et al.

On Sun, 2010-05-30 at 19:29 +0200, Moritz Muehlenhoff wrote:
> If you want to modify kernel defaults you'll need to discuss the
> specific options with upstream, we won't differ in the Debian kernel
> configuration.
I don't want to change the kernel defaults...

For the Debian kernels it would be a very bad idea, as I think that
software in a distro should nearly always follow the upstream default
(config) values.
There are already several packages in Debian where default config values
were changed. I do not talk about the default config files, but really
the hardcoded values in the binaries.
This is really a bad idea, as everybody should be able to expect a more
or less consistent behaviour of programs on all distros.

For upstream such changes are probably not going to happen, even if I
request it.
But that neither means that the defaults I propose are wrong, nor that
Debian shouldn't change them in their sysctl defaults.
We already change many packages (better said their standard
configuration files) just to make them more secure (and in some examples
unfortunately also to make them less secure).


> For now I'd suggest to address Christoph's proposed changes through
> the harden package. It appears to be designed for exactly this
> purpose. Christoph, what do you think?
I think the harden package is the wrong place, at least for the net.*
sysctl I've proposed.

I guess there are two main reasons:
1) Everybody expects harden packages to be something which is either
quite complicated to set up or which will probably break many things.
- Take special patches like PaX/grsecurity or rsbac... they'd probably
be accounted to "hardening"... both may break things (and RSBAC is quite
difficult to set up).
- Another example is something like AIDE... of course the plain install
is done quickly, but to have it really make sense one must run it from an
offline/secured host... because if the system is compromised the
attacker will be also able to hack AIDE or its hash sums.

These changes here are not complicated to set up, and for the vast
majority of people, they won't break anything.


2) Harden-packages are usually not installed by most people, for the
above reasons. So most people wouldn't benefit from those more secure
settings.



Now why do I think that "every" system should get those more secure
sysctl settings per default.
I guess most of them won't harm anyway and just give benefit.

log_martians
=> just logging

rp_filter
=> well I guess only really hacked setups/systems/networks should ever
make it necessary to allow such packets per default.
And people with such setups/systems/networks have them either set up
wrongly (but just never noticed) and should fix it... or they _really_
are experts and _really_ need it that way... then they probably know
about rp_filter, and are able to turn it off.

tcp_syncookies
=> In their current implementation (see the lwn.net article) it seems to
me that they mean no _real_ problem. All problems that syncookies
bring,... don't count here, as they're not activated by the kernel until
your network is "fucked up" anyway

net.ipv4.ip_forward, net.ipv6.conf.all.forwarding, send_redirects,
accept_source_route
=> Well one could discuss those... but I really think, that the vast
majority of Debian systems are not used as routers. And those systems
that are,.. don't work as a router out of the box. So sysadmins need to
know "how to set up routing" anyway,... and then they should also know
about these sysctl values.

net.ipv4.conf.all.accept_redirects, net.ipv6.conf.all.accept_redirects
=> Also,.. I guess just really some weird setups need things like ICMP
redirects.


Of course there might be more settings we could/should tighten up
here


Cheers,
Chris.
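
A way to check a host against the settings discussed in this message, as an added example that is not part of the original thread. The key names are the ones named above, expanded to their full net.ipv4.conf.all.* paths; the target values and the audit_sysctl helper are assumptions, since the thread does not quote the proposed values.

```shell
#!/bin/sh
# Key names come from the thread; the target VALUES are assumed here
# (conventional hardened settings), because the thread does not quote them.
BASELINE='
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_syncookies=1
net.ipv4.ip_forward=0
net.ipv6.conf.all.forwarding=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
'

# audit_sysctl [ROOT]   (hypothetical helper; ROOT defaults to /proc/sys)
# Prints a sysctl.d-style "key = value" line for every key whose current
# value differs from the baseline, and returns the number of such keys.
audit_sysctl() {
    root=${1:-/proc/sys}
    bad=0
    for entry in $BASELINE; do
        key=${entry%%=*}
        want=${entry#*=}
        # sysctl keys map to files: net.ipv4.ip_forward -> net/ipv4/ip_forward
        path="$root/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            # Key absent (for example IPv6 not loaded): note it, do not count it.
            echo "# $key not readable under $root, skipped"
            continue
        fi
        have=$(cat "$path")
        if [ "$have" != "$want" ]; then
            echo "# $key is currently $have"
            echo "$key = $want"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}
```

Calling audit_sysctl with no argument reads the running kernel's values; the lines it prints are in sysctl.conf syntax, so they can be reviewed and placed in a file under /etc/sysctl.d.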
 
07-10-2010, 12:37 PM
Moritz Muehlenhoff

Bug#572712: use hardened sysctl net.* settings per default

reassign 572712 netbase
thanks

On Mon, May 31, 2010 at 06:29:15PM +0200, Christoph Anton Mitterer wrote:
> Hi Moritz, et al.
>
> On Sun, 2010-05-30 at 19:29 +0200, Moritz Muehlenhoff wrote:
> > If you want to modify kernel defaults you'll need to discuss the
> > specific options with upstream, we won't differ in the Debian kernel
> > configuration.
> I don't want to change the kernel defaults...
>
> For the Debian kernels it would be a very bad idea, as I think that
> software in a distro should nearly always follow the upstream default
> (config) values.
> There are already several packages in Debian where default config values
> were changed. I do not talk about the default config files, but really
> the hardcoded values in the binaries.
> This is really a bad idea, as everybody should be able to expect a more
> or less consistent behaviour of programs on all distros.
>
> For upstream such changes are probably not going to happen, even if I
> request it.
> But that neither means that the defaults I propose are wrong, nor that
> Debian shouldn't change them in their sysctl defaults.
> We already change many packages (better said their standard
> configuration files) just to make them more secure (and in some examples
> unfortunately also to make them less secure).
>
>
> > For now I'd suggest to address Christoph's proposed changes through
> > the harden package. It appears to be designed for exactly this
> > purpose. Christoph, what do you think?
> I think the harden package is the wrong place, at least for the net.*
> sysctl I've proposed.
>
> I guess there are two main reasons:
> 1) Everybody expects harden packages to be something which is either
> quite complicated to set up or which will probably break many things.
> - Take special patches like PaX/grsecurity or rsbac... they'd probably
> be accounted to "hardening"... both may break things (and RSBAC is quite
> difficult to set up).
> - Another example is something like AIDE... of course the plain install
> is done quickly, but to have it really make sense one must run it from an
> offline/secured host... because if the system is compromised the
> attacker will be also able to hack AIDE or its hash sums.
>
> These changes here are not complicated to set up, and for the vast
> majority of people, they won't break anything.
>
>
> 2) Harden-packages are usually not installed by most people, for the
> above reasons. So most people wouldn't benefit from those more secure
> settings.
>
>
>
> Now why do I think that "every" system should get those more secure
> sysctl settings per default.
> I guess most of them won't harm anyway and just give benefit.
>
> log_martians
> => just logging
>
> rp_filter
> => well I guess only really hacked setups/systems/networks should ever
> make it necessary to allow such packets per default.
> And people with such setups/systems/networks have them either set up
> wrongly (but just never noticed) and should fix it... or they _really_
> are experts and _really_ need it that way... then they probably know
> about rp_filter, and are able to turn it off.
>
> tcp_syncookies
> => In their current implementation (see the lwn.net article) it seems to
> me that they mean no _real_ problem. All problems that syncookies
> bring,... don't count here, as they're not activated by the kernel until
> your network is "fucked up" anyway
>
> net.ipv4.ip_forward, net.ipv6.conf.all.forwarding, send_redirects,
> accept_source_route
> => Well one could discuss those... but I really think, that the vast
> majority of Debian systems are not used as routers. And those systems
> that are,.. don't work as a router out of the box. So sysadmins need to
> know "how to set up routing" anyway,... and then they should also know
> about these sysctl values.
>
> net.ipv4.conf.all.accept_redirects, net.ipv6.conf.all.accept_redirects
> => Also,.. I guess just really some weird setups need things like ICMP
> redirects.
>
>
> Of course there might be more settings we could/should tighten up
> here

Sorry for the late reply.

If you want to change the standard Debian sysctl settings, this should
probably be changed by netbase providing a /etc/sysctl.d snippet.

The kernel package is not the right place. Reassigning to netbase.

Cheers,
Moritz

--
Archive: http://lists.debian.org/20100710123736.GA2587@galadriel.inutil.org
 
07-10-2010, 12:45 PM
Julien Cristau

Bug#572712: use hardened sysctl net.* settings per default

On Sat, Jul 10, 2010 at 14:37:36 +0200, Moritz Muehlenhoff wrote:

> If you want to change the standard Debian sysctl settings, this should
> probably be changed by netbase providing a /etc/sysctl.d snippet.
>
> The kernel package is not the right place. Reassigning to netbase.
>
Can you explain why the kernel package is not the right place to change
kernel defaults? I think it would be inappropriate for netbase to
change these things...

Cheers,
Julien
 
07-10-2010, 01:03 PM
Julien Cristau

Bug#572712: use hardened sysctl net.* settings per default

On Sat, Jul 10, 2010 at 13:45:44 +0100, Julien Cristau wrote:

> On Sat, Jul 10, 2010 at 14:37:36 +0200, Moritz Muehlenhoff wrote:
>
> > If you want to change the standard Debian sysctl settings, this should
> > probably be changed by netbase providing a /etc/sysctl.d snippet.
> >
> > The kernel package is not the right place. Reassigning to netbase.
> >
> Can you explain why the kernel package is not the right place to change
> kernel defaults? I think it would be inappropriate for netbase to
> change these things...
>
My point is, either the request is legitimate and the defaults should be
changed in the kernel where they belong, or they aren't, and the bug
should be closed.

Cheers,
Julien
 
