Debian Hardened project status.
Lorenzo Hernandez Garcia-Hierro
09-25-04 10:55 PM
Hi,

I started the Debian Hardened project a while ago (as many of you may
know), as an approach to Debian's mainline security.
Currently, the project is in a mature state of development, with many
things already done and also a lot of testing of the work.

I've ported the PIE stuff (taken from the LFS archives) to Debian Sarge's
GCC (3.3.4-6) and also updated the SSP to the latest version.
These GCC packages can be found at
http://sourceforge.net/projects/debianhardened until I get a machine
available for hosting an apt repository (at the moment, installing the
packages by downloading each one from SF.net is an XXX-pain).

Talking about the GLIBC... I've ported Hardened Gentoo's SSP
implementation, made by pappy (Alexander Gabbert), and I've also worked
on libssp (I need some help on testing this) to make the stuff
independent of GCC (my gcc packages are patched with SSP, so every
compiled binary will have the __guard symbols, resulting in bigger
binaries); Peter Busser from Adamantix has also done a great job on
this, but the code is not yet available.

I have also hardened the binutils, and some of the ./net packages:
- rinetd (some work to make it able to be chroot'ed as an unprivileged
user)
- openssh (I'm working on the patches that bring SecurID token
features, and others from independent hackers)
- wu-ftpd, just added the stuff from the WU-FTPD guys.

About the kernels... the work is in production state; I've currently
tested them on some machines, 2 of them shared environments
(software-libre.org & ourproject.org) with user chroots, etc.
I've also done the DHKP, but I'm going to remix it and use the
PaX + RSBAC + SELinux mix instead of the current patches (OW and others).
No reason to leave grsecurity, just improving *different* solutions, in
my opinion with wide support and testing.
All of this has been done for Sarge (except the kernels... I need a
decent machine to re-compile them; is anybody interested in giving me
access to a machine, maybe inside a compile farm?)

I've set up a wiki with some information on the project's development
organization; I need contributors, developers, anybody who is
interested in contributing to the Debian project.
http://www.debian-hardened.org/wiki

JFS, tell me if you are interested in it... you're Spanish and that
should make communication easier, and, due to your highly valuable
work on Debian, I can think about making you the co-manager of the
project; I'm also interested in working together with the Security
Response team.

I will send these "status" messages to keep the people on
debian-security informed of my efforts in Debian Hardened; if there's
anything to ask me, please drop me a line at my email address or send
any inquiry to debianhardened-hackers@lists.sourceforge.net, thanks.
Cheers,
--
Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org>
Debian Hardened project leader - http://www.debian-hardened.org
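The post above says the patched GCC produces PIE binaries that carry SSP's __guard symbols. The check a practitioner wants next is whether a given binary actually came out that way. The script below is an added example for this thread, not code from the Debian Hardened project or from its GCC or glibc packages. It reads the ELF header itself instead of shelling out to readelf: PIE is taken to mean an ET_DYN object that also carries a PT_INTERP segment (a plain shared library is ET_DYN without one), and SSP is taken to mean that the file names a stack-protector failure handler, either the ProPolice-era __guard/__stack_smash_handler pair that GCC 3.3-era SSP patches reference or the __stack_chk_fail that GCC 4.1 and later use with glibc. The build_sample helper constructs a synthetic, non-loadable ELF image (an assumption made for offline use, not a real Debian binary) so the checks can be exercised without any installed package.

```python
"""Check an ELF binary for PIE and stack-protector (SSP) instrumentation.

Added example for this thread; not code from the Debian Hardened project.
Both checks are heuristics: PIE <=> ET_DYN plus a PT_INTERP segment,
SSP <=> the file names a stack-protector failure handler.
"""
import struct

ET_EXEC, ET_DYN = 2, 3      # e_type values
PT_INTERP = 3               # program header type of the interpreter path

# Names an SSP-instrumented binary references: the ProPolice-era __guard
# variable and its handler (what GCC 3.3-era SSP patches emit) and the
# __stack_chk_fail that GCC 4.1+/glibc use.
SSP_SYMBOLS = (b"__guard", b"__stack_smash_handler", b"__stack_chk_fail")


def parse_header(data):
    """Parse the ELF file header (32- or 64-bit, either byte order)."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_data not in (1, 2):
        raise ValueError("unknown ELF data encoding")
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 1:          # ELFCLASS32: 52-byte header
        fmt = endian + "HHIIIIIHHHHHH"
    elif ei_class == 2:        # ELFCLASS64: 64-byte header
        fmt = endian + "HHIQQQIHHHHHH"
    else:
        raise ValueError("unknown ELF class")
    if len(data) < 16 + struct.calcsize(fmt):
        raise ValueError("truncated ELF header")
    (e_type, _machine, _version, _entry, e_phoff, _shoff, _flags, _ehsize,
     e_phentsize, e_phnum, _shentsize, _shnum, _shstrndx) = \
        struct.unpack_from(fmt, data, 16)
    return {"endian": endian, "type": e_type, "phoff": e_phoff,
            "phentsize": e_phentsize, "phnum": e_phnum}


def program_header_types(data, hdr):
    """Return p_type of every program header; p_type is the first field
    in both the 32-bit and the 64-bit Phdr layout."""
    types = []
    for i in range(hdr["phnum"]):
        off = hdr["phoff"] + i * hdr["phentsize"]
        if off + 4 > len(data):
            raise ValueError("truncated program header table")
        types.append(struct.unpack_from(hdr["endian"] + "I", data, off)[0])
    return types


def is_pie(data):
    hdr = parse_header(data)
    return hdr["type"] == ET_DYN and PT_INTERP in program_header_types(data, hdr)


def has_stack_protector(data):
    """Cheap 'strings | grep'-style scan for the SSP handler names. A
    stripped static binary may have lost them, so False means 'not proven'."""
    return any(name + b"\0" in data for name in SSP_SYMBOLS)


def audit(data):
    return {"pie": is_pie(data), "ssp": has_stack_protector(data)}


def audit_file(path):
    with open(path, "rb") as f:
        return audit(f.read())


def build_sample(e_type, interp=True, symbols=(b"__stack_chk_fail",)):
    """Construct a minimal, non-loadable little-endian ELF64 image (test
    data only): a file header, an optional PT_INTERP program header and a
    string blob holding the given symbol names."""
    phdrs = []
    if interp:
        # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        phdrs.append(struct.pack("<IIQQQQQQ", PT_INTERP, 4, 0, 0, 0, 0, 0, 1))
    phoff = 64 if phdrs else 0
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, LE, v1
    header = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, phoff,
                                 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    strtab = b"\0" + b"\0".join(symbols) + b"\0"
    return header + b"".join(phdrs) + strtab


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, audit_file(path))
```

Run it as python3 elfcheck.py /usr/bin/ssh (the script and target names are arbitrary); it reports the same two facts that readelf -h (Type: DYN), readelf -l (an INTERP entry) and nm -D piped through grep for the handler name would show. Newer toolchains additionally set the DF_1_PIE bit in DT_FLAGS_1, which is the definitive PIE marker where present; the script does not look for it, so treat its verdict as evidence, not proof.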

Re: Debian Hardened project status.
09-26-04 10:55 PM
On Sun, 26 Sep 2004 07:22, Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org> wrote:
> - openssh (I'm working on the patches that bring SecurID Token use
> features, and others from independent hackers)
Most of the features you list are things that are difficult to get into
Debian/main. But token based security for openssh is something that seems
like it could go in without too much pain. Have you talked to Matthew Vernon
about this?
> About the kernels...the work is in production state, i've currently
> tested them on some machines , 2 of them are shared environments
> (software-libre.org & ourproject.org) with user chroots, etc.
> I've also did the DHKP, but i'm going to remix it and use instead of the
> current patches (OW and others) the PaX + RSBAC + SELinux mix.
You have RSBAC and SE Linux in the same kernel? What's the point?
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
--
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Re: Debian Hardened project status.
09-26-04 10:55 PM
On Sun, Sep 26, 2004 at 10:02:03PM +1000, Russell Coker wrote:
>On Sun, 26 Sep 2004 07:22, Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org>
>wrote:
>
>Most of the features you list are things that are difficult to get into
>Debian/main. But token based security for openssh is something that seems
>like it could go in without too much pain. Have you talked to Matthew Vernon
>about this?
This is something that should be handled at the pam level and shouldn't
require special handling from ssh. (Assuming a good ssh pam
implementation.) The last time I looked at the securid pam module from
rsa it didn't work with our ssh, but that's because they made it
dependent on bugs in ssh pam handling from older versions of ssh.
<shrug>
Mike Stone

Re: Debian Hardened project status.
Lorenzo Hernandez Garcia-Hierro
09-26-04 10:55 PM
Hi Russell,
On Sun, 26-09-2004 at 14:02, Russell Coker wrote:
> On Sun, 26 Sep 2004 07:22, Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org>
> wrote:
>
> Most of the features you list are things that are difficult to get into
> Debian/main.
Not really too difficult, it depends on how it gets developed:
http://www.debian-hardened.org/wiki...nt_Organization
SSP and PIE don't affect the binaries' performance (not seriously), and
arbitrary patches get tested before using them.
It goes under the lead210 pool before it goes to system-dh.
> But token based security for openssh is something that seems
> like it could go in without too much pain. Have you talked to Matthew Vernon
> about this?
Not yet, I'll do it. Anyway, the patches are not mine, I'm just
porting them to the Debian packages (converting and implementing them as
dpatches).
>
> You have RSBAC and SE Linux in the same kernel? What's the point?
I haven't done that work, we are just starting to decide what the
painless solution is.
Cheers,
--
Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org>

Re: Debian Hardened project status.
09-26-04 10:55 PM
* Michael Stone (mstone@debian.org) wrote:
> This is something that should be handled at the pam level and shouldn't
> require special handling from ssh. (Assuming a good ssh pam
> implementation.) The last time I looked at the securid pam module from
> rsa it didn't work with our ssh, but that's because they made it
> dependent on bugs in ssh pam handling from older versions of ssh.
> <shrug>
That's unfortunate. Do you know of any workarounds? We're seriously
considering using RSA SecurID with ssh (and quite possibly other
things via pam...). Has RSA acknowledged this or said anything about
correcting it?
Thanks,
Stephen

Re: Debian Hardened project status.
09-26-04 10:55 PM
On Sun, Sep 26, 2004 at 11:45:23AM -0400, Stephen Frost wrote:
>That's unfortunate. Do you know of any workarounds?
Haven't looked into it lately.
>We're seriously considering using RSA SecurID with ssh (and quite
>possibly other things via pam...). Has RSA acknowledged this or said
>anything about correcting it?
When I was looking at it they were very careful to state that the pam
module worked only with one specific version of ssh. I assume that when
redhat uses a newer version in their enterprise edition rsa will
suddenly make it all work. That may have already happened, as I said
it's been a little while since I looked at it.
Mike Stone

Re: Debian Hardened project status.
09-28-04 10:57 PM
On Mon, 27 Sep 2004 00:39, Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org> wrote:
>
> Not too really difficult, it depends on how it gets developed:
> http://www.debian-hardened.org/wiki...nt_Organization
>
> SSP and PIE don't affect the binaries performance (not seriously), and
> arbitrary patches get tested before using them. It goes under the lead210
> pool before it goes to system-dh.
These things are obviously difficult due to the amount of time that has been
spent on them without anything getting into main.
The last discussion of SSP resulted in the GCC package maintainers indicating
that they wanted to wait for Mudflap, other discussion indicates that Mudflap
won't do what we really want in regard to such things (more of a debugging
tool than a method of securing production code). So I guess SSP is on hold
until after Mudflap.
>
> I haven't done that work, we are just starting to decided what's the
> painless solution.
Best thing to do is to have separate kernels for GRSEC, RSBAC, and SE Linux.
I am happy to test out all the SE Linux kernels you produce and review all
code and configuration that you use. Let me know when you are ready for me
to do this.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page