Additional information on securing services, common criteria evaluation,

updated apt-check-sigs and added a changelog entry
parent 0dbebb64
<!-- CVS revision of this document "$Revision: 1.10 $" -->
<!-- CVS revision of this document "$Revision: 1.11 $" -->
<chapt>After Installation
......@@ -1165,7 +1165,7 @@ or can, after running their default shell, switch to another
(uncontrolled) shell.
<sect>Using tcpwrappers
<sect id="tcpwrappers">Using tcpwrappers
<p>TCP wrappers were developed when there were no real packet filters
available and access control was needed. Nevertheless, they're still very
......
<!-- CVS revision of this document "$Revision: 1.6 $" -->
<!-- CVS revision of this document "$Revision: 1.7 $" -->
<appendix id="harden-step">The hardening process step by step
......@@ -1656,6 +1656,11 @@ so that security issues in a software package do not jeoparize the
whole server. When using the <prgn>makejail</prgn> script, setting up
and updating the chrooted tree is much easier.</p>
<p>FIXME: Apache can also be chrooted using
<url id="http://www.modsecurity.org"> which is available in
<package>libapache-mod-security</package> (for Apache 1.x) and
<package>libapache2-mod-security</package> (for Apache 2.x).
<sect1>Licensing
<p>This document is copyright 2002 Alexandre Ratti. It has been
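Review bot: the added FIXME paragraph is left unclosed while the paragraph just before it ends in `</p>`, and it says Apache "can also be chrooted using <url id="http://www.modsecurity.org">", which names a website rather than the mechanism. Close the `<p>` and state that it is the mod_security module's own chroot option that does this (the two package names already identify the module), so whoever resolves the FIXME knows what to document without re-reading the site.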
......
<!-- CVS revision of this document "$Revision: 1.3 $" -->
<!-- CVS revision of this document "$Revision: 1.4 $" -->
<chapt>Frequently asked Questions (FAQ)
......@@ -111,11 +111,22 @@ yes/no" section at the top of each advisory (DSA).
<p>Short answer: no.
<p>Long answer: certification costs money and nobody has dedicated the
<p>Long answer: certification costs money (specially a <em>serious</em>
security certification), nobody has dedicated the
resources in order to certify Debian GNU/Linux to any level of, for
example, the Common Criteria. If you are interested in having a
certified GNU/Linux distribution, try to provide the resources needed
to make it possible.
example, the
<!-- NOTE: commoncriteria.org is no longer available, jfs -->
<url id="http://niap.nist.gov/cc-scheme/st/" name="Common Criteria">.
If you are interested in having a
security-certified GNU/Linux distribution, try to provide the resources
needed to make it possible.
<p>There are currently at least two linux distributions certified at
different
<url id="http://en.wikipedia.org/wiki/Evaluation_Assurance_Level" name="EAL">
levels. Notice that some of the CC tests are being integrated into the
<url id="http://ltp.sourceforge.net" name="Linux Testing Project"> which
is available in Debian in the <package>ltp</package>.
<sect1>Are there any hardening programs for Debian?
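Review bot: typos in the rewritten answer: `specially a <em>serious</em>` should be `especially`, `two linux distributions` should read `Linux`, and `available in Debian in the <package>ltp</package>.` is missing the word `package`. The replacement NIAP URL is only the evaluation scheme index, so the new claim "at least two linux distributions certified at different EAL levels" is not checkable from the text as written; naming the distributions (or linking their entries) would make it so.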
......@@ -550,6 +561,10 @@ a user's program might need RPC to work correctly. In any case, it is
used mostly for NFS. If you do not need it, remove it as explained in
<ref id="rpc">.
<P>In versions of the portmap package later than 5-5 you can actually have
the portmapper installed but listening only on localhost (by modifying
<file>/etc/default/portmap</file>)
<sect2>What use is <prgn>identd</prgn> (port 113) for?
<p>Identd service is an authentication service that identifies the
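Review bot: the new paragraph uses `<P>` while the surrounding paragraphs use lowercase `<p>`, and it ends without a full stop. It also restates, without a cross-reference, the same `/etc/default/portmap` loopback option that the new "Limiting access to RPC services" section documents; since `<ref id="rpc">` already appears one sentence earlier, either point there for the details or merge the two sentences, so the two descriptions cannot drift apart later.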
......
<!-- CVS revision of this document "$Revision: 1.4 $" -->
<!-- CVS revision of this document "$Revision: 1.5 $" -->
<chapt>Debian Security Infrastructure
......@@ -584,13 +584,14 @@ This code is currently in beta, for more information read
<example>
#!/bin/bash
# This script is copyright (c) 2001, Anthony Towns
# Copyright (c) 2001 Anthony Towns &lt;ajt@debian.org&gt;
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
......@@ -613,8 +614,10 @@ am_root () {
get_md5sumsize () {
cat "$1" | awk '/^MD5Sum:/,/^SHA1:/' |
MYARG="$2" perl -ne '@f = split /\s+/; if ($f[3] eq $ENV{"MYARG"}) { print "$f[1] $f[2]\n"; exit(0); }'
MYARG="$2" perl -ne '@f = split /\s+/; if ($f[3] eq $ENV{"MYARG"}) {
print "$f[1] $f[2]\n"; exit(0); }'
}
checkit () {
local FILE="$1"
local LOOKUP="$2"
......@@ -637,7 +640,8 @@ checkit () {
echo "NOCHECK"
return
fi
X="`md5sum < /var/lib/apt/lists/$FILE` `wc -c < /var/lib/apt/lists/$FILE`"
X="`md5sum < /var/lib/apt/lists/$FILE | cut -d\ -f1` `wc -c < /var/lib
/apt/lists/$FILE`"
X="`echo "$X" | sed 's/^ *//;s/ */ /g'`"
if [ "$X" != "$Y" ]; then
echo "$FILE" >>BAD
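Review bot: the rewrapped `X=` assignment is broken: the newline between `wc -c < /var/lib` and `/apt/lists/$FILE` falls inside a backtick substitution, so the shell runs `wc -c < /var/lib` (a directory) and then tries to execute `/apt/lists/$FILE` as a command. If the line has to be wrapped for the printed manual, end the first part with a backslash inside the backticks or keep the substitution on one line. The rest of the change is sound: taking only the first field of `md5sum` with `cut -d\ -f1` and then normalising whitespace with `sed 's/^ *//;s/ */ /g'` gives X the same `md5 size` shape that `get_md5sumsize` produces for Y.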
......@@ -652,7 +656,8 @@ echo
echo "Checking sources in /etc/apt/sources.list:"
echo "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
echo
(echo "You should take care to ensure that the distributions you're downloading"
(echo "You should take care to ensure that the distributions you're downloading
"
echo "are the ones you think you are downloading, and that they are as up to"
echo "date as you would expect (testing and unstable should be no more than"
echo "two or three days out of date, stable-updates no more than a few weeks"
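Review bot: the line break inserted after `the distributions you're downloading` sits inside the double-quoted echo argument, so the newline becomes part of the string and echo adds its own, leaving a blank line in the middle of the warning. Wrap with a backslash immediately before the newline (which double quotes remove) or leave the line long.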
......@@ -668,13 +673,16 @@ cat /etc/apt/sources.list |
else
continue
fi
echo "Source: ${ty} ${url} ${dist} ${comps}"
rm -f Release Release.gpg
lynx -reload -dump "${url}/dists/${dist}/Release" >/dev/null 2>&1
wget -q -O Release "${url}/dists/${dist}/Release"
if ! grep -q '^' Release; then
echo " * NO TOP-LEVEL Release FILE"
>Release
else
origline=`sed -n 's/^Origin: *//p' Release | head -1`
lablline=`sed -n 's/^Label: *//p' Release | head -1`
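Review bot: replacing `lynx -reload -dump ... >/dev/null 2>&1`, which discarded what it fetched, with `wget -q -O Release ...` is the right fix. Two things to check: with `-O`, a 404 or a refused connection leaves an empty `Release`, which the following `grep -q '^' Release` test and the `>Release` fallback handle correctly; but wget retries and waits with its defaults, so a dead mirror can stall the whole run unless `-t` and `--timeout` are set on this call (and on the `Release.gpg` fetch below).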
......@@ -687,36 +695,66 @@ cat /etc/apt/sources.list |
echo " o $dateline"
echo " o $dscrline"
if [ "${dist%%/*}" != "$suitline" -a "${dist%%/*}" != "$codeline" ]; then
echo " * WARNING: asked for $dist, got $suitline/$codeline"
if [ "${dist%%/*}" != "$suitline" -a "${dist%%/*}" != "$codelin
e" ]; then
echo " * WARNING: asked for $dist, got $suitline/$code
line"
fi
lynx -reload -dump "${url}/dists/${dist}/Release.gpg" >/dev/nul
l 2>&1
wget -q -O Release.gpg "${url}/dists/${dist}/Release.gpg"
sigline="`gpgv --status-fd 3 Release.gpg Release 3>&1 >/dev/null 2>&1 | sed -n "s/^\[GNUPG:\] GOODSIG [0-9A-Fa-f]* //p"`"
if [ "$sigline" ]; then
echo " o Signed by: $sigline"
else
gpgv --status-fd 3 Release.gpg Release 3>&1 >/dev/null 2>&1 | s
ed -n "s/^\[GNUPG:\] //p" | (okay=0; err=""; while read gpgcode rest; do
if [ "$gpgcode" = "GOODSIG" ]; then
if [ "$err" != "" ]; then
echo " * Signed by ${err# } key: ${rest#* }"
else
echo " o Signed by: ${rest#* }"
okay=1
fi
err=""
elif [ "$gpgcode" = "BADSIG" ]; then
echo " * BAD SIGNATURE BY: ${rest#* }"
err=""
elif [ "$gpgcode" = "ERRSIG" ]; then
echo " * COULDN'T CHECK SIGNATURE BY KEYID: ${rest
%% *}"
err=""
elif [ "$gpgcode" = "SIGREVOKED" ]; then
err="$err REVOKED"
elif [ "$gpgcode" = "SIGEXPIRED" ]; then
err="$err EXPIRED"
fi
done
if [ "$okay" != 1 ]; then
echo " * NO VALID SIGNATURE"
>Release
fi
fi)
fi
okaycomps=""
for comp in $comps; do
if [ "$ty" = "deb" ]; then
X=$(checkit "`echo "${baseurl}/dists/${dist}/${comp}/binary-${arch}/Release" | sed 's,//*,_,g'`" "${comp}/binary-${arch}/Release")
Y=$(checkit "`echo "${baseurl}/dists/${dist}/${comp}/binary-${arch}/Packages" | sed 's,//*,_,g'`" "${comp}/binary-${arch}/Packages")
X=$(checkit "`echo "${baseurl}/dists/${dist}/${comp}/bi
nary-${arch}/Release" | sed 's,//*,_,g'`" "${comp}/binary-${arch}/Release")
Y=$(checkit "`echo "${baseurl}/dists/${dist}/${comp}/bi
nary-${arch}/Packages" | sed 's,//*,_,g'`" "${comp}/binary-${arch}/Packages")
if [ "$X $Y" = "OK OK" ]; then
okaycomps="$okaycomps $comp"
else
echo " * PROBLEMS WITH $comp ($X, $Y)"
fi
elif [ "$ty" = "deb-src" ]; then
X=$(checkit "`echo "${baseurl}/dists/${dist}/${comp}/source/Release" | sed 's,//*,_,g'`" "${comp}/source/Release")
Y=$(checkit "`echo "${baseurl}/dists/${dist}/${comp}/source/Sources" | sed 's,//*,_,g'`" "${comp}/source/Sources")
X=$(checkit "`echo "${baseurl}/dists/${dist}/${comp}/so
urce/Release" | sed 's,//*,_,g'`" "${comp}/source/Release")
Y=$(checkit "`echo "${baseurl}/dists/${dist}/${comp}/so
urce/Sources" | sed 's,//*,_,g'`" "${comp}/source/Sources")
if [ "$X $Y" = "OK OK" ]; then
okaycomps="$okaycomps $comp"
else
echo " * PROBLEMS WITH component $comp ($X, $Y)"
echo " * PROBLEMS WITH component $comp ($X, $Y
)"
fi
fi
done
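Review bot: several long lines in this hunk were hard-wrapped in the middle of a token and the script no longer parses: `"$codelin` / `e" ]; then`, `$code` / `line"`, `>/dev/nul` / `l 2>&1`, `| s` / `ed -n`, `${rest` / `%% *}`, `/bi` / `nary-${arch}`, `/so` / `urce/` and `$Y` / `)"`. Each needs to be rejoined, or wrapped with a backslash at a token boundary, before the script is published in the manual. The new gpgv status loop itself looks right: it fails closed, since `okay` stays 0 and `Release` is truncated unless a `GOODSIG` arrives with no pending REVOKED/EXPIRED flag, and although `okay` is set inside a piped subshell and is invisible afterwards, the truncated `Release` file is what carries the verdict to the later `checkit` calls, so that is fine. Worth confirming against gpgv's status-fd documentation that expired and revoked keys are reported with the codes matched here rather than as a distinct signature status, because an unmatched code is reported only as "NO VALID SIGNATURE" with no reason given.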
......@@ -731,7 +769,9 @@ echo
allokay=true
cd /tmp/apt-release-check
diff <(cat BAD MISSING NOCHECK OK | sort) <(cd /var/lib/apt/lists && find . -type f -maxdepth 1 | sed 's,^\./,,g' | grep '_' | sort) | sed -n 's/^> //p' >UNVALIDATED
diff <(cat BAD MISSING NOCHECK OK | sort) <(cd /var/lib/apt/lists && find . -ty
pe f -maxdepth 1 | sed 's,^\./,,g' | grep '_' | sort) | sed -n 's/^> //p' >UNVA
LIDATED
cd /tmp/apt-release-check
if grep -q ^ UNVALIDATED; then
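Review bot: the rewrapped `diff <(...)` line is broken in two places: `-ty` / `pe f` splits `-type`, and `>UNVA` / `LIDATED` splits the output filename, so the shell reports a syntax error. While rejoining it, move `-maxdepth 1` before `-type f`: GNU find warns on stderr when a global option follows a test.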
......@@ -749,7 +789,8 @@ fi
if grep -q ^ BAD; then
allokay=false
(echo "The contents of the following files in /var/lib/apt/lists does not"
echo "match what was expected. This may mean these sources are out of date,"
echo "match what was expected. This may mean these sources are out of date,
"
echo "that the archive is having problems, or that someone is actively"
echo "using your mirror to distribute trojans."
if am_root; then
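Review bot: same stray newline as in the earlier warning text: the break after `This may mean these sources are out of date,` is inside the double-quoted echo argument, so a blank line appears in the output; use a backslash before the newline instead. While touching the text, `The contents of the following files ... does not` should be `do not match`.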
......
<!-- CVS revision of this document "$Revision: 1.7 $" -->
<!-- CVS revision of this document "$Revision: 1.8 $" -->
<chapt>Introduction
<p>
......@@ -67,6 +67,7 @@ appendices):
<item>Frederic Schutz
<item>Pedro Zorzenon Neto
<item>Oohara Yuuma
<item>Davor Ocelic
</list>
<sect>Download the manual
......@@ -340,6 +341,19 @@ system (check bug reports sent to snort)
<sect id="changelog">Changelog/History
<sect1>Version 3.1 (december 2004)
<p>Changes by Javier Fernández-Sanguino Peña
<list>
<item>Added information on restricting access to RPC services (when
they cannot be disabled)
<item>Update aj's apt-check-sigs script.
<item>Apply patch Carlo Perassi fixing URLs.
<item>Apply patch from Davor Ocelic fixing many errors, typos, urls, grammar
and FIXMEs. Also adds some additional information to some sections.
<item>Rewrote the section on user auditing, highlight the usage of script
which does not have some of the issues associated to shell history.
</list>
<sect1>Version 3.0 (december 2004)
<p>Changes by Javier Fernández-Sanguino Peña
<list>
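Review bot: `december 2004` should be capitalised, and it is the same date given for version 3.0 below, which is worth confirming. `Apply patch Carlo Perassi fixing URLs` is missing `from`, `issues associated to` should be `associated with`, and `the usage of script` should mark the program name as `<prgn>script</prgn>`, as the manual does elsewhere, so it is not read as the common noun.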
......
<!-- CVS revision of this document "$Revision: 1.4 $" -->
<!-- CVS revision of this document "$Revision: 1.5 $" -->
<chapt id="sec-services">Securing services running on your system
......@@ -557,7 +557,12 @@ mail can be sent to a central mailserver.
this. The daemon could, as well, be configured to only listen on the
loopback address.
<p>To do this in a Debian system, you will have to remove the smtp
<P>FIXME: This should be updated for exim4, which is the default
mail transport agent in sarge and later (and listens only to localhost
in the minimum default configuration)
<p>To do this in a Debian 3.0 system using <package>exim</package>,
you will have to remove the smtp
daemon from <prgn>inetd</prgn>:
<example>
$ update-inetd --disable smtp
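Review bot: the new FIXME uses `<P>` where the rest of the file uses `<p>`, and it lacks a final full stop. Since it states that exim4 listens only on localhost in its minimal default configuration, the `update-inetd --disable smtp` step that follows only applies to the Debian 3.0 <package>exim</package> setup; saying so in the instruction itself (rather than only in the FIXME) would keep readers on a later release from looking for an smtp inetd entry that is not there.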
......@@ -1334,26 +1339,31 @@ name="NIS-HOWTO" id="http://www.tldp.org/HOWTO/NIS-HOWTO.html">
<p>FIXME (jfs): Add info on how to set this up in Debian
<sect id="rpc">Disabling RPC services
<sect id="rpc">Securing RPC services
<p>You should disable RPC wherever possible, that is, when you do not need it.
<footnote>
You only probably need it if using NFS (Network File System), NIS
(Network Information System) or some other RPC-based service.
</footnote>
Many security holes for both the portmapper service and RPC-based
services are known and could easily be exploited. On the other hand NFS
services are quite important in some networks, so find a balance of
security and usability in your network. Some of the DDoS (distributed
RPC-based services have had a bad record of security holes, although
the portmapper itself hasn't (but still provides information to
a remote attacker). Notice that some of the DDoS (distributed
denial of service) attacks use rpc exploits to get into the system and
act as a so called agent/handler. Read more on NFS security in
act as a so called agent/handler.
<p>On the other hand, NFS services are quite important in some
networks, so find a balance of security and usability in your network.
Read more on NFS security in
<url
name="NFS-HOWTO" id="http://www.tldp.org/HOWTO/NFS-HOWTO.html">
(<file>/usr/share/doc/HOWTO/en-txt/NFS-HOWTO.txt.gz</file>).
<sect1>Disabling RPC services completely
<p>Disabling portmap is quite simple. There are different methods. The
simplest one in a Debian 3.0 system is to uninstall the
<package>portmap</package> package. If you are running another version
simplest one in a Debian 3.0 system and later releases is to uninstall the
<package>portmap</package> package. If you are running an older Debian version
you will have to disable the service as seen in <ref
id="disableserv">, this is due to the program being a part of the
<package>net-base</package> package (which cannot be de-installed
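Review bot: a few wording fixes are needed in the reworked text: `so called agent/handler` should be `so-called`, `rpc exploits` should be `RPC exploits`, `You only probably need it` reads better as `You probably only need it`, and `... as seen in <ref id="disableserv">, this is due to the program being a part of ...` is a comma splice (full stop, then `This is because`). The new sentence that the portmapper itself has not had holes but "still provides information to a remote attacker" is the useful security point in this section; say what it exposes (the list of registered RPC programs, their versions and the ports they listen on) so the reader sees why limiting access still matters even when the daemon is patched.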
......@@ -1366,6 +1376,34 @@ manually. Another possibility is to <tt>chmod 644
booting. You can also strip off the <tt>start-stop-daemon</tt> part in
<file>/etc/init.d/portmap</file> shell script.
<sect1>Limiting access to RPC services
<p>Unfortunately, in some cases removing RPC services from the system is not
an option. Some local desktop services (notably SGI's <package>fam</package>)
are RPC based and thus need a local portmapper. This means that under
some situations, users installing a desktop environment (like GNOME)
will install the portmapper too.
<P>There are several ways to limit access to the portmapper and to
RPC services:
<list>
<item>Block access to the ports used by these services
with a local firewall (see <ref id="firewall-setup">).
<item>Block access to these services using tcp wrappers, since
the portmapper (and some RPC services) are compiled with
<file>libwrap</file> (see <ref id="tcpwrappers">. this means that you can
block access to them through the <file>hosts.allow</file> and
<file>hosts.deny</file> tcp wrappers configuration.
<item>Since version 5-5, the <package>portmap</package> package
can be configured to listen only on the loopback interface. To do this,
modify <file>/etc/default/portmap</file>, uncomment the following line:
<tt>#OPTIONS="-i 127.0.0.1"</tt> and restart the portmapper. This
is sufficient to allow local RPC services to work while at the same time
prevents remote systems from accessing them (see,
however, <ref id="limit-bindaddr">.
</list>
<sect id="firewall-setup">Adding firewall capabilities
<p>The Debian GNU/Linux operating system has the built-in capabilities
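Review bot: two unbalanced parentheses in the new list: `(see <ref id="tcpwrappers">. this means` should be `(see <ref id="tcpwrappers">). This means`, and `(see, however, <ref id="limit-bindaddr">.` needs its closing `)`. The paragraph opener uses `<P>`, unlike the rest of the section. More importantly, the `-i 127.0.0.1` item overstates what it achieves: binding portmap to the loopback address only stops remote hosts from querying the port registry; the RPC services registered with it still bind their own ports on every interface unless they are configured otherwise, which is exactly what the "see, however" reference is about. State that in the item itself, otherwise "prevents remote systems from accessing them" is misleading.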
......