Hi Paul,
On Sun, Jun 08, 2014 at 10:13:27AM +0800, Paul Wise wrote:
> We kind-of already support that; Debian Live is essentially that. What
> would official support for read-only root look like to you? Option in
> the installer?
Probably fix the last bits of details that makes a read-only insta
On Sat, Jun 7, 2014 at 11:07 AM, Tom Dial wrote:
> I suggest resumption of maintenance for OVAL to support OpenSCAP.
> www.debian.org/security/oval/ seems not to have been maintained since
> some time in late 2010 or early 2011.
Please refer to https://bugs.debian.org/738199
If you would like to
On Sat, Jun 7, 2014 at 9:31 PM, Xavier Roche wrote:
> Would a read-only root filesystem goal be feasible ?
We kind-of already support that; Debian Live is essentially that. What
would official support for read-only root look like to you? Option in
the installer?
> https://wiki.debian.org/Readonl
On Thu, Apr 24, 2014 at 10:57:39AM +0800, Paul Wise wrote:
> I have written a non-exhaustive list of goals for hardening the Debian
> distribution, the Debian project and computer systems of the Debian
> project, contributors and users.
> If you have more ideas, please add them to the wiki page.
W
I suggest resumption of maintenance for OVAL to support OpenSCAP.
www.debian.org/security/oval/ seems not to have been maintained since
some time in late 2010 or early 2011.
Tom Dial
On 04/23/2014 08:57 PM, Paul Wise wrote:
> Hi all,
>
> I have written a non-exhaustive list of goals for harden
Hi,
Giacomo Mulas wrote (24 Apr 2014 16:49:20 GMT) :
> Good to know, actually I had tried apparmor quite some time ago and did not
> try again. I will give it another spin as soon as I can.
https://wiki.debian.org/AppArmor/HowTo :)
> However, I do not agree that I should file bugs against apparm
On 24 Apr 2014 10:58, "Andrew McGlashan" <
andrew.mcglas...@affinityvision.com.au> wrote:
>
> On 24/04/2014 5:49 PM, Lesley Binks wrote:
> > Apologies for the top posting, I'm writing this from my phone.
> > I get a 403 when trying to access via Orbot/Orweb on Android 4.1 phone.
> > Amusing.
>
> It
Marko Randjelovic:
> On Tue, 29 Apr 2014 11:52:14 +
> Patrick Schleizer wrote:
>
>> Marko Randjelovic:
>>> I was thinking about some kind
>>> of wizard:
>>>
>>> - create a chroot if it doesn't already exist
>>> - create a launcher for your DE
>>> - create a shell script to run a program from ter
On Tue, 29 Apr 2014 11:52:14 +
Patrick Schleizer wrote:
> Marko Randjelovic:
> > I was thinking about some kind
> > of wizard:
> >
> > - create a chroot if it doesn't already exist
> > - create a launcher for your DE
> > - create a shell script to run a program from terminal or a simple WM
> >
>
> chroot is not a security feature?
>
> As far as I understand, chroots in Debian/Fedora aren't jails.
>
> Source:
> https://securityblog.redhat.com/2013/03/27/is-chroot-a-security-feature/
>
Indeed, a Linux chroot environment is not a jail.
You could use sth. like grsecurity to harden Linux
Marko Randjelovic:
> I was thinking about some kind
> of wizard:
>
> - create a chroot if it doesn't already exist
> - create a launcher for your DE
> - create a shell script to run a program from terminal or a simple WM
>
> hint: chroot $CHROOT_PATH su - $USER -c "$command_with_args"
chroot is not
On Tue, 29 Apr 2014 11:35:26 +0800
Paul Wise wrote:
> On Tue, Apr 29, 2014 at 8:07 AM, Marko Randjelovic wrote:
>
> > - security patches should be clearly marked as such in every *.patch
> > file
>
> That sounds like a good idea, could you add it to the wiki page?
I added this:
"Debian poli
On Tue, Apr 29, 2014 at 11:35:26AM +0800, Paul Wise wrote:
> On Tue, Apr 29, 2014 at 8:07 AM, Marko Randjelovic wrote:
>
> > - security patches should be clearly marked as such in every *.patch
> > file
>
> That sounds like a good idea, could you add it to the wiki page?
It's not always easy t
On Tue, Apr 29, 2014 at 8:07 AM, Marko Randjelovic wrote:
> - security patches should be clearly marked as such in every *.patch
> file
That sounds like a good idea, could you add it to the wiki page?
> - easy create and run programs from chroot and alternate users
Could you detail what you m
On Thu, 24 Apr 2014 10:57:39 +0800
Paul Wise wrote:
> Hi all,
>
> I have written a non-exhaustive list of goals for hardening the Debian
> distribution, the Debian project and computer systems of the Debian
> project, contributors and users.
>
> https://wiki.debian.org/Hardening/Goals
>
> If y
On Thu, Apr 24, 2014 at 9:49 AM, Giacomo Mulas
wrote:
> On Thu, 24 Apr 2014, Steve Langasek wrote:
>
>> The apparmor policies in Debian apply a principle of minimal harm,
>> confining
>> only those services for which someone has taken the time to verify the
>> correct profile. There are obviously
On Thu, 24 Apr 2014, Steve Langasek wrote:
The apparmor policies in Debian apply a principle of minimal harm, confining
only those services for which someone has taken the time to verify the
correct profile. There are obviously pros and cons to each approach to MAC,
which I'm not interested in
On Thu, Apr 24, 2014 at 11:45:46AM +0200, Giacomo Mulas wrote:
> On Thu, 24 Apr 2014, Paul Wise wrote:
> >>Would the inclusion of more AppArmor profiles be applicable?
> >Thanks, added along with SELinux/etc.
> I second that. Actually, some time ago I tried using both AppArmor and
> SELinux, but
On 24 April 2014 12.57.45 EEST, Andrew McGlashan
wrote:
>It works for me [Orbot/Orweb -- 4.3 on both i9300 and i9505], did you
>get the case right?
wiki.d.o seems to be blocking at least some Tor exit nodes. IMHO it should not
do that, at least for read-only access.
--
To UNSUBSCRIBE
On Thu, 24 Apr 2014, Paul Wise wrote:
On Thu, 2014-04-24 at 02:53 -0007, Cameron Norman wrote:
Would the inclusion of more AppArmor profiles be applicable?
Thanks, added along with SELinux/etc.
I second that. Actually, some time ago I tried using both AppArmor and
SELinux, but gave up beca
On 24/04/2014 5:49 PM, Lesley Binks wrote:
> Apologies for the top posting, I'm writing this from my phone.
> I get a 403 when trying to access via Orbot/Orweb on Android 4.1 phone.
> Amusing.
It works for me [Orbot/Orweb -- 4.3 on both i9300 and i9505], did you
get the case right?
Strangely thou
> I suggest it might be better if exploits were each given a quick/approximate
> "ranking" in terms of severity (and if the severity is unknown it could be
> assigned a default median ranking), so that the algorithm you mention wouldn't
> just add number of unplugged exploits, but add them by weigh
On 10:57 Thu 24 Apr 2014, Paul Wise wrote:
> ..[snip]..
> https://wiki.debian.org/Hardening/Goals
Regarding the line (at that page):
> Refuse to install packages that are known to have X number of unplugged
> exploits (i.e. X number of open security bugs in the bug tracker) unless
> e.g. --allow-
Apologies for the top posting, I'm writing this from my phone.
I get a 403 when trying to access via Orbot/Orweb on Android 4.1 phone.
Amusing.
Lesley
On 24 Apr 2014 03:58, "Paul Wise" wrote:
> Hi all,
>
> I have written a non-exhaustive list of goals for hardening the Debian
> distribution, the
2014-04-24 4:57 GMT+02:00 Paul Wise :
> Hi all,
>
> I have written a non-exhaustive list of goals for hardening the Debian
> distribution, the Debian project and computer systems of the Debian
> project, contributors and users.
>
> https://wiki.debian.org/Hardening/Goals
>
> If you have more ideas
On Wed, 23 Apr 2014 at 7:57 PM, Paul Wise
wrote:
Hi all,
I have written a non-exhaustive list of goals for hardening the Debian
distribution, the Debian project and computer systems of the Debian
project, contributors and users.
https://wiki.debian.org/Hardening/Goals
If you have mor
On Thu, 2014-04-24 at 02:53 -0007, Cameron Norman wrote:
> Would the inclusion of more AppArmor profiles be applicable?
Thanks, added along with SELinux/etc.
--
bye,
pabs
http://wiki.debian.org/PaulWise
Hi all,
I have written a non-exhaustive list of goals for hardening the Debian
distribution, the Debian project and computer systems of the Debian
project, contributors and users.
https://wiki.debian.org/Hardening/Goals
If you have more ideas, please add them to the wiki page.
If you have more
Thanks guys.
I've received quite a massive response it seems. All the information I
was looking for.
Thanks again,
Dan
On Wed, Nov 24, 2010 at 10:48 AM, Daniel Hood wrote:
> Does anyone have a good checklist or script to harden a vanilla debian
> box after installation?
>
> Dan
>
On 24 November 2010 00:52, CHACO wrote:
>
>
> On Tue, Nov 23, 2010 at 5:48 PM, Daniel Hood wrote:
>>
>> Does anyone have a good checklist or script to harden a vanilla debian
>> box after installation?
>
>
> http://www.debian.org/doc/manuals/securing-debian-howto/
More specifically, the checklis
It's also worth looking at Cfengine to ensure that your hardening
changes stay in place after you initially set them.
--
Neil Watson
Linux/UNIX Consultant
http://watson-wilson.ca
>Does anyone have a good checklist or script to harden a vanilla debian
>box after installation?
>
>Dan
>
>
http://wiki.debian.org/Hardening
also very good, though for ubuntu, but definitely worth reading
https://wiki.ubuntu.com/Security/Features
You could also check out the packages 'harden' and 'bastille'. But I always
deselect everything in the package selection menu during the Debian setup (
http://www.linuxjournal.com/ufiles/debian_netinstall.png ). And then I
install some basic things like: 'module-assistant apt-listbugs preload
updat
On Wed, Nov 24, 2010 at 10:05 AM, Michiel Klaver wrote:
> At 24-11-2010 00:48, Daniel Hood wrote:
>>
>> Does anyone have a good checklist or script to harden a vanilla debian
>> box after installation?
What about CIS Benchmarks for example?
http://cisecurity.org/en-us/?route=downloads.browse.cat
At 24-11-2010 00:48, Daniel Hood wrote:
Does anyone have a good checklist or script to harden a vanilla debian
box after installation?
Dan
Some quick notes for basic checks, not a full security guide:
http://klaver.it/linux/debian-security.txt
> On Tue, Nov 23, 2010 at 5:48 PM, Daniel Hood wrote:
>
>> Does anyone have a good checklist or script to harden a vanilla debian
>> box after installation?
>>
>
>
> http://www.debian.org/doc/manuals/securing-debian-howto/
>
RTFM is the law, the securing debian howto is a good start. On top of
th
On Tue, Nov 23, 2010 at 5:48 PM, Daniel Hood wrote:
> Does anyone have a good checklist or script to harden a vanilla debian
> box after installation?
>
http://www.debian.org/doc/manuals/securing-debian-howto/
--
Diego Chacón Rojas
diego.cha...@gmail.com
San Jose Costa Rica
.-.
/v\
Does anyone have a good checklist or script to harden a vanilla debian
box after installation?
Dan
38 matches