My thoughts:
Gentoo is about choice and Gentoo Hardened is about adding the
advanced security features that are available in the Linux/open source
world to the stock Gentoo distro.

I think that the problem going forward is that a 'secure' distro
means different things to different people.
I run a Gentoo based firewall / gateway server. On this box my idea
of security is mainly shutting off (or not installing) unnecessary
services and a good IPTables / firewall config. Maybe some IDS and
every now and then I run Ethereal for a while.
On this box I think about things like caching DNS and squid.

On another box I host multiple domains and run a bunch of different
services for different companies. On this server I am interested in the
ACLs, chroot jails, and the things that I am hearing about on Gentoo
Hardened.

As far as the qmail issue - I like qmail, but also dislike djb's
complete "do it my way" attitude. Personally I run qmail from xinetd
rather than tcpwrappers, making qmail 'fit' into my distro better.

I would like to see two levels of Gentoo Hardened:
1) Integration of the secure software into Gentoo
   How to install things like ACLs, kernel patches....
2) How to use these packages:
   How to use ACLs to protect files..
3) Best practices
   How to audit log files

So rather than how to replace sendmail w/ qmail let's document how to use
ACLs and chroot to protect your MTA, and then maybe give a specific
qmail example.

I installed shorewall, but even after the install there were a number of
items I had to manually finish off, things like editing
/etc/ssmtp/ssmtp.conf so the sendmail stub can work when an event is
fired from metalog based on a log entry generated by shorewall.
I will try to document that for the list, but Gentoo-specific
instructions like emerging the kernel source for netfilter and updating
the ebuild to look for metalog rather than syslog.

Thanks,
-Aaron Held

Joshua Brindle wrote:

>I think that there are very many distributions built on that premise, however this
>is not really a goal of gentoo-hardened for this reason: Gentoo is based
>on availability of choice. We will provide applications considered secure (those
>listed are all in portage) but we won't restrict users to anything.
>
>The gentoo-hardened project is to build a security hardened distribution using
>known security mechanisms and tools available. That includes ACLs, MACs,
>auditing, chrooting, stack protection, adding security patches wherever possible
>et al. In theory, once an installation is complete one could give out their root
>password and not worry about any problems (Russell Coker provides the root
>password to his SELinux play machine to demonstrate the security provided
>by SELinux; this machine hasn't been compromised at all).
>
>We will be handling documentation, and we can certainly give our opinions
>or widely thought beliefs about the security impacts of certain applications.
>
>Also, I am a fairly security aware person, but I do not share your sentiment about
>djb's work so I find it hard to recommend his software to users. This is not
>an opinion formed about the security of his products; the opinion is based
>on his treatment of the open source world, and the non-RFC compliance of his
>applications. This IS a personal opinion so I don't want a flamewar on this list;
>if you wish to flame me come to irc and scream all you want :)
>
>Joshua Brindle
>
>
>
>>>><dscott@×××××××××××.com> 03/19/03 04:14PM >>>
>>>>
>>>>
>Hello All,
>
>My thought:
>I would like to see a secure distribution that would strongly encourage users to use proven audited applications and daemons.
>i.e.: qmail, djbdns, pure-ftpd, etc etc.
>
>D.
>
>

--
gentoo-hardened@g.o mailing list