| 1 |
My thoughts: |
| 2 |
Gentoo is about choice and Gentoo Hardened is about adding the |
| 3 |
advanced security features that are available in the linux/open source |
| 4 |
world to the stock gentoo distro. |
| 5 |
|
| 6 |
I think that the problem going forward is that a 'secure' distro |
| 7 |
means different things to different people. |
| 8 |
I run a Gentoo based firewall / gateway server. On this box my idea |
| 9 |
of security is mainly shutting off (or not installing) unecessary |
| 10 |
services and a good IPTables / firewall config. Maybe some IDS and |
| 11 |
every now and then I run etheral for a while. |
| 12 |
On this box I think about things like caching dns and squid. |
| 13 |
|
| 14 |
On another box I host multiple domains and run a bunch of differnent |
| 15 |
services for different companies. On this server I am interested in the |
| 16 |
ACL's, chroot jails, and the things that I am hearing about on Gentoo |
| 17 |
Hardened. |
| 18 |
|
| 19 |
As far as the qmail issue - I like qmail, but also dislike djb's |
| 20 |
complete "do it my way" attitude. Personally I run qmail from xinit |
| 21 |
rather then tcpwappers, making qmail 'fit' into my distro better. |
| 22 |
|
| 23 |
I would like to see two levels of gentoo hardened |
| 24 |
1) Integration of the secure software into Gentoo |
| 25 |
How to install things like ACL's, kernal patches.... |
| 26 |
2) How to use these packages: |
| 27 |
How to use ACL's to protect files.. |
| 28 |
3) Best practices |
| 29 |
How to audit logsfiles |
| 30 |
|
| 31 |
So rather then how to replace sendmail w/ qmail lets document how to use |
| 32 |
ACL's and chroot to protect your MTA, and then maybe give a specific |
| 33 |
qmail example. |
| 34 |
|
| 35 |
I installed shorewall, but even after the install there were a number of |
| 36 |
items I had to manually finish off, things like editing |
| 37 |
/etc/ssmtp/ssmpt.conf so the sendmail stub can work when an event it |
| 38 |
fired from metalog based on a log entry generated by shorewall. |
| 39 |
I will try to document that for the list, but Gentoo specific |
| 40 |
instructions like emergeing the kernel source for netfilter and updating |
| 41 |
the ebuild to look for metalog rather then syslog. |
| 42 |
|
| 43 |
Thanks, |
| 44 |
-Aaron Held |
| 45 |
|
| 46 |
Joshua Brindle wrote: |
| 47 |
|
| 48 |
>I think that there are very many distributions build on that premise, however this |
| 49 |
>is not really a goal of gentoo-hardened for this reason: Gentoo is based |
| 50 |
>on availability of choice. We will provide applications considered secure (those |
| 51 |
>listed are all in portage) but we won't restrict users to anything. |
| 52 |
> |
| 53 |
>The gentoo-hardened project is to build a security hardened distribution using |
| 54 |
>known security mechanisms and tools available. That includes ACL's MACS, |
| 55 |
>auditing, chrooting, stack protection, adding security patches wherever possible |
| 56 |
>et al. in theory once an installation is complete one could give out their root |
| 57 |
>password and not worry about any problems (russell coker provides the root |
| 58 |
>password to his selinux play machine to demonstrate the security provided |
| 59 |
>by selinux, this machine hasn't been compromised at all. |
| 60 |
> |
| 61 |
>We will be handling documentation, and we can certainly give our opinions |
| 62 |
>or widely thought beliefs about the security impacts of certain applications. |
| 63 |
> |
| 64 |
>Also, I am a fairly security aware person, but i do not share your sentiment about |
| 65 |
>djb's work so I find it hard to recomment his software to users. This is not |
| 66 |
>an opinion formed about the security of his products, the opinion is based |
| 67 |
>on his treatment of the opensource world, and the non-rfc compliance of his |
| 68 |
>applications. This IS a personal opinion so i don't want a flamewar on this list, |
| 69 |
>if you wish to flame me come to irc and scream all you want :) |
| 70 |
> |
| 71 |
>Joshua Brindle |
| 72 |
> |
| 73 |
> |
| 74 |
> |
| 75 |
>>>><dscott@×××××××××××.com> 03/19/03 04:14PM >>> |
| 76 |
>>>> |
| 77 |
>>>> |
| 78 |
>Hello All, |
| 79 |
> |
| 80 |
>My thought: |
| 81 |
>I would like to see a secure distribution that would strongly encourage users to use proven audited applications and daemons. |
| 82 |
>ie: qmail, djbdns, pure-ftpd, etc etc. |
| 83 |
> |
| 84 |
>D. |
| 85 |
> |
| 86 |
> |
| 87 |
|
| 88 |
|
| 89 |
|
| 90 |
-- |
| 91 |
gentoo-hardened@g.o mailing list |
Archives