Sandy Harris <[email protected]> wrote:

> We have a bit of a design problem in that we want the FB to
> be very secure, but also to require a minimum of system
> administration.
Among other things, that means we want it to ship with secure default policies in a number of areas.

Ubuntu comes with netfilter installed but no rules applied. I do not know for Debian. Whatever the usual system defaults -- null as for Ubuntu or something else -- they probably need to change for the box since it will run a different set of services than a default install.

Should the rules include blocking TCP resets?
http://news.techworld.com/security/6371/uk-boffins-douse-chinas-great-firewall/

Likely the exact set of rules needed will vary depending on which FB services a particular box enables. Arranging for this to happen without subjecting users to a heavy system admin load will require some clever scripts.

DNS is an essential service but in some countries the governments mess with it as part of a censorship program. In the long run, we may need a design where Freedom Boxes give each other DNS services. At least for a box just coming up that does not know where other boxes are, we need more, likely a list of open DNS servers -- Google's 8.8.8.8 and a few dozen others -- and a script that pings them all to find ones that are fast and reachable.

A standard tactic for security is isolation of services. You put the web server and the mail server on two different machines so that an enemy who finds a flaw in the web server does not get your mail, and vice versa. Clearly we cannot expect to use a separate machine for each FB service, but we need some strategy that limits the damage if any one service turns out to have a security flaw.

Some list posts suggest using virtual machines, and that is one plausible solution, though costly. Can we do with careful use of user & group IDs? With chroot jails? With capabilities? Whatever?

There are other security mechanisms available. We might choose the Debian/FreeBSD distro instead of Linux to get immutable files, or enable the Linux capabilities stuff, or use Security Enhanced Linux. However, none of those is useful alone; each needs a set of policies appropriate for this application.

_______________________________________________
Freedombox-discuss mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/freedombox-discuss
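The "script that pings them all" for bootstrapping DNS, written out as an added example. This is not FreedomBox project code and not from the message above; the candidate list (only 8.8.8.8 is named in the thread), the probe name example.com and the two-second timeout are assumptions. It sends a real DNS A query over UDP rather than an ICMP ping, because a host that answers ping but not port 53 is useless here, and it goes one step beyond the paragraph: since the message notes that governments tamper with DNS, servers whose answer disagrees with the majority of the others are dropped as well as slow or unreachable ones.

```python
"""
Probe a list of open DNS resolvers with a real A query, measure latency,
and keep the ones that are reachable, fast and agree with each other.
Added example for the freedombox-discuss thread; not project code.
CANDIDATES, the probe name and the timeout are illustrative assumptions.
"""
import random
import socket
import struct
import time

# Assumed candidate list: 8.8.8.8 is the one named in the message; the
# others are placeholders a real box would load from a config file.
CANDIDATES = ["8.8.8.8", "8.8.4.4", "1.1.1.1", "9.9.9.9"]


def build_query(name, txid=None):
    """Build a minimal DNS query: one A/IN question, RD bit set."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(buf, offset):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = buf[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # compression pointer ends the name
            return offset + 2
        offset += 1 + length


def parse_response(buf, expected_txid):
    """Return the list of A-record IPs, or None if the reply is unusable.
    Rejects mismatched txid, non-responses, non-zero RCODE and empty answers."""
    if len(buf) < 12:
        return None
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    if txid != expected_txid or not flags & 0x8000 or flags & 0x000F:
        return None
    off = 12
    for _ in range(qd):                 # skip echoed question(s)
        off = _skip_name(buf, off) + 4
    ips = []
    for _ in range(an):
        off = _skip_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in buf[off:off + 4]))
        off += rdlen
    return ips or None


def probe_server(ip, name="example.com", timeout=2.0):
    """Query one server over UDP; return (latency_seconds, ips) or (None, None)."""
    txid = random.randrange(0, 0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        start = time.monotonic()
        sock.sendto(build_query(name, txid), (ip, 53))
        data, _ = sock.recvfrom(512)
        latency = time.monotonic() - start
    except OSError:                     # timeout, ICMP unreachable, etc.
        return None, None
    finally:
        sock.close()
    return latency, parse_response(data, txid)


def rank_servers(results):
    """results maps ip -> (latency or None, ips or None).
    Drop unreachable servers and any whose answer set differs from the
    majority (a crude tamper check), then order the rest by latency."""
    usable = {ip: r for ip, r in results.items() if r[0] is not None and r[1]}
    if not usable:
        return []
    tallies = {}
    for _lat, ips in usable.values():
        key = tuple(sorted(ips))
        tallies[key] = tallies.get(key, 0) + 1
    majority = max(tallies, key=tallies.get)
    agreeing = [(lat, ip) for ip, (lat, ips) in usable.items()
                if tuple(sorted(ips)) == majority]
    return [ip for _lat, ip in sorted(agreeing)]


def find_resolvers(candidates=CANDIDATES, name="example.com"):
    """Probe every candidate and return the usable ones, fastest first."""
    return rank_servers({ip: probe_server(ip, name) for ip in candidates})


if __name__ == "__main__":
    print(find_resolvers())
```

The majority vote only makes sense for a probe name whose A records are the same from every vantage point; a CDN-hosted name legitimately returns different addresses per resolver and would make honest servers look like outliers. It also does nothing against a network that rewrites every server's answer the same way; that needs DNSSEC validation or the box-to-box DNS the message proposes, not a latency probe.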
