Re: goals for hardening Debian: ideas and help wanted

2014-04-24 Thread Giacomo Mulas 

On Thu, 24 Apr 2014, Paul Wise wrote:


On Thu, 2014-04-24 at 02:53 -0007, Cameron Norman wrote:


Would the inclusion of more AppArmor profiles be applicable?


Thanks, added along with SELinux/etc.


I second that. Actually, some time ago I tried using both AppArmor and
SELinux, but gave up because it took forever to find legitimate behaviour of
all kinds of common packages (most of them standard debian packages) and
prepare configuration files for things to work. If debian wants to foster
adoption of such security enhancements, it must go to great lengths in
making sure that (in order of importance in my humble opinion)

1) all debian-packaged software works (very nearly) out of the box with
debian-supported MAC frameworks. It should be very clear that if they don't
it's an important bug that needs fixing. For example, such bugs should
prevent the inclusion of a package in an official stable release. Or split
the main debian archive in two, one that is MAC-ready and one that is not,
so each user can decide to only use packages known to work well with
debian-supported MAC frameworks.

2) for each debian-supported MAC framework there should be an expert team
which should a) help package maintainers learn how to create and include
appropriate configuration files so that their package works with the MAC
framework b) create some tools (debhelper-like?) to make it relatively easy 
to find the minimum access rights a package needs and implement them in a

configuration file c) define appropriate "style" guidelines to make
configuration files as readable and maintainable as possible. All of 
this is going to be a lot of work at the beginning, but it will quickly

decrease as more and more package maintainers get familiar with MAC
frameworks.

3) there should be a category of packages in contrib which just contain
configuration files for commonly used non-free software. Such configuration
files should be audited by the appropriate expert teams before acceptance,
to make sure they do not grant unnecessary access privileges.


Until at very least point 1) is fulfilled, I doubt there will be widespread
adoption of MAC frameworks, except for very specialised systems for which
the amount of effort in setting them up is limited. General purpose
computers (i.e. the ones in a pool of computers available for PhD students
at a University, which must have a lot of packages installed for general
use) will remain out of the question.

Bye
Giacomo

--
_________

Giacomo Mulas 
_

INAF - Osservatorio Astronomico di Cagliari
via della scienza 5 - 09047 Selargius (CA)

tel.   +39 070 71180244
mob. : +39 329  6603810
_

"When the storms are raging around you, stay right where you are"
 (Freddy Mercury)
_


--
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/alpine.deb.2.10.1404241121540.8...@capitanata.oa-cagliari.inaf.it

Re: goals for hardening Debian: ideas and help wanted

2014-04-24 Thread Giacomo Mulas 

On Thu, 24 Apr 2014, Steve Langasek wrote:


The apparmor policies in Debian apply a principle of minimal harm, confining
only those services for which someone has taken the time to verify the
correct profile.  There are obviously pros and cons to each approach to MAC,
which I'm not interested in arguing about; but one of the pros of the
approach taken for apparmor is that all software *does* continue to work out
of the box.  If you found it otherwise, I think you should be filing a bug
report against apparmor.


Good to know, actually I had tried apparmor quite some time ago and did not
try again. I will give it another spin as soon as I can.

However, I do not agree that I should file bugs against apparmor if a debian
package does not work properly, it should go to the package manager (and
maybe cc to some apparmor expert team).  It cannot be the maintainer(s) of
apparmor to have to shoulder the effort of creating and maintaining profiles
for all debian packages.  They may be called in for support, but regular
package maintainers should be involved IMHO, otherwise it will never really
take off and provide significantly better security.

Thanks for the information.
Giacomo

--
_____

Giacomo Mulas 
_

INAF - Osservatorio Astronomico di Cagliari
via della scienza 5 - 09047 Selargius (CA)

tel.   +39 070 71180244
mob. : +39 329  6603810
_

"When the storms are raging around you, stay right where you are"
 (Freddy Mercury)
_


--
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/alpine.deb.2.10.1404241841420.15...@capitanata.oa-cagliari.inaf.it