Hi Paul,
On Sun, Jun 08, 2014 at 10:13:27AM +0800, Paul Wise wrote:
> We kind-of already support that; Debian Live is essentially that. What
> would official support for read-only root look like to you? Option in
> the installer?
Probably fix the last bits of details that makes a read-only insta
On Sat, Jun 7, 2014 at 11:07 AM, Tom Dial wrote:
> I suggest resumption of maintenance for OVAL to support OpenSCAP.
> www.debian.org/security/oval/ seems not to have been maintained since
> some time in late 2010 or early 2011.
Please refer to https://bugs.debian.org/738199
If you would like to
On Sat, Jun 7, 2014 at 9:31 PM, Xavier Roche wrote:
> Would a read-only root filesystem goal be feasible ?
We kind-of already support that; Debian Live is essentially that. What
would official support for read-only root look like to you? Option in
the installer?
> https://wiki.debian.org/Readonl
On Thu, Apr 24, 2014 at 10:57:39AM +0800, Paul Wise wrote:
> I have written a non-exhaustive list of goals for hardening the Debian
> distribution, the Debian project and computer systems of the Debian
> project, contributors and users.
> If you have more ideas, please add them to the wiki page.
W
I suggest resumption of maintenance for OVAL to support OpenSCAP.
www.debian.org/security/oval/ seems not to have been maintained since
some time in late 2010 or early 2011.
Tom Dial
On 04/23/2014 08:57 PM, Paul Wise wrote:
> Hi all,
>
> I have written a non-exhaustive list of goals for harden
Hi,
Giacomo Mulas wrote (24 Apr 2014 16:49:20 GMT) :
> Good to know, actually I had tried apparmor quite some time ago and did not
> try again. I will give it another spin as soon as I can.
https://wiki.debian.org/AppArmor/HowTo :)
> However, I do not agree that I should file bugs against apparm
On 24 Apr 2014 10:58, "Andrew McGlashan" <
andrew.mcglas...@affinityvision.com.au> wrote:
>
> On 24/04/2014 5:49 PM, Lesley Binks wrote:
> > Apologies for the top posting, I'm writing this from my phone.
> > I get a 403 when trying to access via Orbot/Orweb on Android 4.1 phone.
> > Amusing.
>
> It
Marko Randjelovic:
> On Tue, 29 Apr 2014 11:52:14 +
> Patrick Schleizer wrote:
>
>> Marko Randjelovic:
>>> I was thinking about some kind
>>> of wizard:
>>>
>>> - create a chroot if doesn't already exist
>>> - create a launcher for your DE
>>> - create a shell script to run a program from ter
On Tue, 29 Apr 2014 11:52:14 +
Patrick Schleizer wrote:
> Marko Randjelovic:
> > I was thinking about some kind
> > of wizard:
> >
> > - create a chroot if doesn't already exist
> > - create a launcher for your DE
> > - create a shell script to run a program from terminal or a simple WM
> >
>
> chroot is not a security feature?
>
> As far I understand, chroots in Debian/Fedora aren't jails.
>
> Source:
> https://securityblog.redhat.com/2013/03/27/is-chroot-a-security-feature/
>
In deed a Linux chroot - environment is not a jail.
You could use sth. like grsecurity to harden Linux
Marko Randjelovic:
> I was thinking about some kind
> of wizard:
>
> - create a chroot if doesn't already exist
> - create a launcher for your DE
> - create a shell script to run a program from terminal or a simple WM
>
> hint: chroot $CHROOT_PATH su - $USER -c "$command_with_args"
chroot is not
On Tue, 29 Apr 2014 11:35:26 +0800
Paul Wise wrote:
> On Tue, Apr 29, 2014 at 8:07 AM, Marko Randjelovic wrote:
>
> > - security patches should be clearly marked as such in every *.patch
> > file
>
> That sounds like a good idea, could you add it to the wiki page?
I added this:
"Debian poli
On Tue, Apr 29, 2014 at 11:35:26AM +0800, Paul Wise wrote:
> On Tue, Apr 29, 2014 at 8:07 AM, Marko Randjelovic wrote:
>
> > - security patches should be clearly marked as such in every *.patch
> > file
>
> That sounds like a good idea, could you add it to the wiki page?
It's not always easy t
On Tue, Apr 29, 2014 at 8:07 AM, Marko Randjelovic wrote:
> - security patches should be clearly marked as such in every *.patch
> file
That sounds like a good idea, could you add it to the wiki page?
> - easy create and run programs from chroot and alternate users
Could you detail what you m
On Thu, 24 Apr 2014 10:57:39 +0800
Paul Wise wrote:
> Hi all,
>
> I have written a non-exhaustive list of goals for hardening the Debian
> distribution, the Debian project and computer systems of the Debian
> project, contributors and users.
>
> https://wiki.debian.org/Hardening/Goals
>
> If y
On Thu, Apr 24, 2014 at 9:49 AM, Giacomo Mulas
wrote:
> On Thu, 24 Apr 2014, Steve Langasek wrote:
>
>> The apparmor policies in Debian apply a principle of minimal harm,
>> confining
>> only those services for which someone has taken the time to verify the
>> correct profile. There are obviously
On Thu, 24 Apr 2014, Steve Langasek wrote:
The apparmor policies in Debian apply a principle of minimal harm, confining
only those services for which someone has taken the time to verify the
correct profile. There are obviously pros and cons to each approach to MAC,
which I'm not interested in
On Thu, Apr 24, 2014 at 11:45:46AM +0200, Giacomo Mulas wrote:
> On Thu, 24 Apr 2014, Paul Wise wrote:
> >>Would the inclusion of more AppArmor profiles be applicable?
> >Thanks, added along with SELinux/etc.
> I second that. Actually, some time ago I tried using both AppArmor and
> SELinux, but
On 24. huhtikuuta 2014 12.57.45 EEST, Andrew McGlashan
wrote:
>It works for me [Orbot/Orweb -- 4.3 on both i9300 and i9505], did you
>get the case right?
wiki.d.o seems to be blocking at least some Tor exit nodes. IMHO it should not
do that, at least for read-only access.
--
To UNSUBSCRIBE
On Thu, 24 Apr 2014, Paul Wise wrote:
On Thu, 2014-04-24 at 02:53 -0007, Cameron Norman wrote:
Would the inclusion of more AppArmor profiles be applicable?
Thanks, added along with SELinux/etc.
I second that. Actually, some time ago I tried using both AppArmor and
SELinux, but gave up beca
On 24/04/2014 5:49 PM, Lesley Binks wrote:
> Apologies for the top posting, I'm writing this from my phone.
> I get a 403 when trying to access via Orbot/Orweb on Android 4.1 phone.
> Amusing.
It works for me [Orbot/Orweb -- 4.3 on both i9300 and i9505], did you
get the case right?
Strangely thou
> I suggest it might be better if exploits were each given a quick/approximate
> "ranking" in terms of severity (and if the severity is unknown it could be
> assigned a default median ranking), so that the algorithm you mention wouldn't
> just add number of unplugged exploits, but add them by weigh
On 10:57 Thu 24 Apr 2014, Paul Wise wrote:
> ..[snip]..
> https://wiki.debian.org/Hardening/Goals
Regarding the line (at that page):
> Refuse to install packages that are known to have X number of unplugged
> exploits (i.e. X number of open security bugs in the bug tracker) unless
> e.g. --allow-
Apologies for the top posting, I'm writing this from my phone.
I get a 403 when trying to access via Orbot/Orweb on Android 4.1 phone.
Amusing.
Lesley
On 24 Apr 2014 03:58, "Paul Wise" wrote:
> Hi all,
>
> I have written a non-exhaustive list of goals for hardening the Debian
> distribution, the
2014-04-24 4:57 GMT+02:00 Paul Wise :
> Hi all,
>
> I have written a non-exhaustive list of goals for hardening the Debian
> distribution, the Debian project and computer systems of the Debian
> project, contributors and users.
>
> https://wiki.debian.org/Hardening/Goals
>
> If you have more ideas
El Wed, 23 de Apr 2014 a las 7:57 PM, Paul Wise
escribió:
Hi all,
I have written a non-exhaustive list of goals for hardening the Debian
distribution, the Debian project and computer systems of the Debian
project, contributors and users.
https://wiki.debian.org/Hardening/Goals
If you have mor
On Thu, 2014-04-24 at 02:53 -0007, Cameron Norman wrote:
> Would the inclusion of more AppArmor profiles be applicable?
Thanks, added along with SELinux/etc.
--
bye,
pabs
http://wiki.debian.org/PaulWise
signature.asc
Description: This is a digitally signed message part
Hi all,
I have written a non-exhaustive list of goals for hardening the Debian
distribution, the Debian project and computer systems of the Debian
project, contributors and users.
https://wiki.debian.org/Hardening/Goals
If you have more ideas, please add them to the wiki page.
If you have more
28 matches
Mail list logo
