Re: Re: Re: a secure base system

[Tobias Weisserth <tobias () weisserth de>]

Hi Martin,

Am Mo, den 15.03.2004 schrieb martin f krafft um 22:50:
> also sprach Tobias Weisserth <tobias () weisserth de> [2004.03.15.2208 +0100]:
> > Which means that he has to a little bit more work because he can't
> > *rely* on the distributor to supply patches in time. It's a trade-off.
>
> Sure, it's a trade-off. But with the administrative tools provided
> by Debian, as well as the cleanliness of a Debian system, I'd choose
> that over OpenBSD anytime. After all, FHS-compliance and system
> integrity/cleanliness contribute a significant portion to security.

I'd chose Debian over OpenBSD on workstations anytime because of
usability. How many people have experience with BSD style systems
compared against GNU/Linux? And the 6000+ packages in Debian speak for
themselves. Though comparing Debian to other desktop Linux distributions
is a totally different matter. For example, I'd prefer Fedora Core 1
over Debian right now because they have a decent security policy too and
they keep improving on community aspects while offering top of the notch
software. Holding Debian's very good tools against other distributions
will become more and more difficult because most other RPM based
distributions have begun to ad"apt" (*g*) Debian tools: apt4rpm, yum,
up2date and Mandrake has something else too... just to name a few.

And the soon to be released Core 2 will feature a 2.6 kernel, KDE 3.2
and lots of other cool stuff. There's one other interesting thing:
Fedora Core 2 will feature SELinux by default as it seems. See
http://fedora.redhat.com/participate/schedule/ for more information.
Considering security issues, this is a real surplus.

> > He'll have to stay informed himself if the Debian Security Team
> > doesn't warn in time about critical packages in unstable or
> > testing. Maybe it mustn't be this way and there are regular
> > updates for unstable. But the Debian site itself advises against
> > the use of unstable regarding the security issues.
>
> I use testing on over 100 production systems and have never had
> a single problem. By the time that security updates make it to
> security.debian.org for stable, an updated version makes it to
> unstable. So I mix testing and unstable and only update when really
> necessary. This has treated me very well.

Isn't mixing unstable and testing a Bad Thing(tm)? I've no experience
with this but it tends to result in trouble when making larger
modifications or upgrades. This is why there is not one single positive
recommendation out there to install "Debian" by simply putting a Knoppix
CD inside your PC and copy it to the hard-drive. Most people advise
against this because Klaus Knopper heavily mixed unstable and testing.

> > > And concerning workstations: your security better shield a security
> > > problem on a workstation.
> >
> > Non comprende? ;-)
>
> If, in a productive setting, you are concerned about remote exploits
> to your workstation, then you've got a whole different problem. Of
> course, exploits may still come from inside, but the risk should be
> relatively low since productive workstations should not be able to
> inflict any harm.

Maybe I should have told you before. I happen to be a student at the
university Harry is employed :-) So I'm assuming he is talking about the
public terminals in the PC classes where he wants to upgrade the
GNU/Linux installations. Anybody can get into these classes and log on
if he has a valid login. So it only takes a lost or stolen login and you
have a potential bad guy right inside your network. That's why he wants
to have a "secure" base installation he can use as a backup image to
simply write over compromised boxes. No big fuss, if a box is suspected
to be "funny business" it just gets written over with the default
installation image. Right now, there is already a Debian installation on
most machines next to WindowsXP but the software is hopefully outdated
with KDE 2 and lots of other unusable stuff by today's standards. I'm
pretty glad there seem to be plans to upgrade the GNU/Linux systems
because I really don't want to work with the XP installations but Gnome
1.4 and KDE 2 are way to ugly to work with :-)

[kidding]@Harry: Please consider installing XFCE4. It's fast, it's small
and it's beautiful :-)[/kidding]

> > Though a lot of work if we're talking about workstations here...
>
> Our productive workstations get installed once and stay like that
> for months. With the appropriate AIDE/Tripwire rulesets, that's not
> different than a server.

See above: the boxes can be accessed by virtually everyone who is able
to sniff up a valid account. It's even possible to bring along an own
notebook and just plug it into the net. The possibility of a box being
hacked from the inside is maybe more probable than a single box being
hacked from the outside. I am assuming Harry has the PCs from the PC
classes in mind here and not some other installation on the campus
though.

regards,
Tobias W.

-- 
***************************************************
   ____  _____
  |  _ \| ____| Tobias Weisserth
  | | | |  _|   tobias@weisserth.[de|com|net|org]
 _| |_| | |___  http://www.weisserth.org
(_)____/|_____|
                
Encrypted mail is welcome.
Key and fingerprint: http://imprint.weisserth.org

***************************************************

Attachment: signature.asc
Description: Dies ist ein digital signierter Nachrichtenteil