On Tue, Feb 08, 2011 at 01:33:12PM +0100, [email protected] wrote:
> As stated in the articles in Debian Lenny there were very little of
> available security mechanisms of the Linux environment included. I
> just wanted to know what is the status of this in Squeeze and also

Squeeze has no distro-wide hardening features. Some packages are built
with hardening options enabled in their debian/rules files -- those are
a bit harder to spot. The ever-growing list of packages that use[1]
hardening-wrapper or hardening-includes seems to be:

aria2 autotrust batctl batmand bind9 bird botan1.8 chromium-browser
confget cookietool cups dma dnssec-tools donkey epdfview ffmpeg-php grap
graphicsmagick gtkcookie gweled hexer hfsprogs iodine ipsec-tools jd jed
kaptain ldns libdebug libg3d libinfinity libpam-script libpipeline
mailavenger man-db midori mupen64plus mysql-5.1 nast netatalk ngrep nsd3
openbsd-inetd opendnssec openntpd openssh php5 postfix postgresql-8.4
postgresql-9.0 prips qliss3d quagga robodoc rtpproxy s3d ser slrn softhsm
squid strongswan switchsh tcpdump tcpflow tina tmux tnftp udev wireshark
worker xmahjongg zoem

> raise a release goal for Wheezy to enable some pro-active security
> mechanisms mentioned in the articles. For example, I guess enabling
> PIE in iceweasel, other web browsers and network daemons is worth
> taking into consideration. I know my point is extremely general, I
> just hope to start a discussion about this topic.

As you might expect, this topic has been brought up before[2]. Probably
the most up-to-date thread is here[3].

Besides tool-chain hardening, attempts to request additional
kernel-supported hardening have generally been rejected[4] by the Debian
kernel team, though some basic work has been done[5] to support
kernel-internal hardening that is available from upstream.

Thanks,

-Kees

[1] I generated this list from:
    reverse-build-depends --only-main --distribution unstable hardening-wrapper
    reverse-build-depends --only-main --distribution unstable hardening-includes
[2] http://lists.debian.org/debian-gcc/2009/10/msg00186.html
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=552688
[4] http://lists.debian.org/debian-devel/2010/11/msg00381.html
[5] CONFIG_DEBUG_RODATA, CONFIG_CC_STACKPROTECTOR, CONFIG_STRICT_DEVMEM,
    CONFIG_DEFAULT_MMAP_MIN_ADDR, module filtering:
    http://lists.debian.org/debian-kernel/2010/11/msg00378.html

--
Kees Cook @debian.org
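Kees points out that packages hardened via their own debian/rules are harder to spot than those that build-depend on hardening-wrapper. As an added example (not from this thread, and not Debian's own hardening-check tool), the script below inspects an ELF64 binary's header and program headers to report PIE, non-executable stack and RELRO, plus a coarse stack-protector indicator; the constants, the build_sample helper and the check_file name are my own.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551  # p_type of the GNU_STACK program header
PT_GNU_RELRO = 0x6474E552  # p_type of the GNU_RELRO program header
PF_X = 0x1                 # "executable" segment flag
ET_DYN = 3                 # e_type used by PIE executables (and shared objects)

def parse_elf64(data):
    """Return (e_type, [(p_type, p_flags), ...]) for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        phdrs.append((p_type, p_flags))
    return e_type, phdrs

def hardening_report(data):
    """Coarse view of which toolchain hardening features a binary carries."""
    e_type, phdrs = parse_elf64(data)
    stack_hdrs = [flags for ptype, flags in phdrs if ptype == PT_GNU_STACK]
    return {
        "pie": e_type == ET_DYN,
        # No GNU_STACK header at all means the kernel falls back to an executable stack.
        "nx_stack": bool(stack_hdrs) and not any(f & PF_X for f in stack_hdrs),
        "relro": any(ptype == PT_GNU_RELRO for ptype, _ in phdrs),
        # Byte scan for the failure handler -fstack-protector makes the binary reference.
        "stack_protector": b"__stack_chk_fail" in data,
    }

def check_file(path):
    """Report on an ELF file on disk, e.g. a network daemon under /usr/sbin."""
    with open(path, "rb") as fh:
        return hardening_report(fh.read())

def build_sample(e_type, phdrs):
    """Constructed header-only ELF64 image so the checks can be exercised offline."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                               64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return ehdr + body

if __name__ == "__main__":
    for name in sys.argv[1:]:
        print(name, check_file(name))
```

The string scan for `__stack_chk_fail` only shows that some protected function exists, not that every function got a canary, and ET_DYN alone does not distinguish a PIE executable from a shared library.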

