Debian Security
An overview of features and processes
Debian Security http://www.debian.org Todd Troxell <[email protected]>

Who is this guy?
Todd Troxell
Debian Developer
“Security Enthusiast”
Logcheck maintainer

What is Debian?
Linux Distribution
Free Operating System
Volunteer project
Based on Linux Kernel
and 15,000+ free software packages
12 Architectures: i386, m68k, sparc, alpha, powerpc, arm, mips, mipsel, hppa, ia64, s/390, amd64
Universal
Freedom

Debian Security Team http://www.debian.org/security
Review security problems
Upload patched packages
Issue Advisories
Public Disclosure
Not security through obscurity

Advisories: DSAs
Available in multiple formats
debian-security-announce
http://debian.org/security
http://www.debian.org/security/dsa-long (RSS)
Best format: Easily installed verified patches

Updates: change as little as possible
Favor patching
Not upgrading
Secure-APT
Automated updating

Ideal: no security problems ever!
Not going to happen
Pro-active search for vulnerabilities

Debian Audit Project http://www.debian.org/security/audit
Steve Kemp, Ulf Härnhammar, David A. Wheeler
White hats, pen-testers
Discovered nearly 100 vulnerabilities
Audit as many packages as possible
Not a short order
15,000 Packages
20 CDs
3 DVDs
Counting only i386 binary

Priority
Packages with setuid/setgid binaries
Anything providing a service over a network
Widely-distributed packages
Anything associated with CGI/PHP
Automated jobs running as root

-flawfinder
-ITS4
-RATS
-pscan
(many more) http://www.debian.org/security/audit/tools

Open code from boot loader to web browser.
Not “Trust me” code.
possible to audit from top to bottom
rarely possible in proprietary software

Security related packages

Intrusion Detection
Snort, Ntop + modules for My/Pg SQL logging and analysis applications: acidlab, ethereal
Integrit, AIDE, Tripwire, Fcheck
Logcheck, Logwatch, Epylog
debsigs, dpkg-sig

Encryption
GNU Privacy Guard (GPG)
OpenSSL/SSH
CFS, EncFS, loop-aes
Gaim-OTR
OpenVPN, Racoon/ipsec, stunnel, OpenSWAN
Kerberos
OpenAFS
Various libraries, APIs
Cryptographic algorithms already written and tested.

Penetration Testing
NMAP
Nikto, Airsnort, Aircrack
smb-nat, tiger, irpas

Anti-virus
Typically referring to Windows AV
ClamAV, amavis

PAM
Allows for a wide array of auth/session options
libpam-chroot
libpam-cracklib
libpam-krb5
libpam-ldap
PAM Smartcard modules, SecurID

libpam-ccreds - Pam module to cache authentication credentials
libpam-chroot - Chroot Pluggable Authentication Module for PAM
libpam-cracklib - PAM module to enable cracklib support.
libpam-devperm - PAM module to change device ownership on login
libpam-doc - Documentation of PAM
libpam-dotfile - A PAM module which allows users to have more than one password
libpam-encfs - PAM module to automatically mount encfs filesystems on login
libpam-foreground - create lockfiles describing which users own which console
libpam-heimdal - PAM module for Heimdal Kerberos 5
libpam-http - a PAM module to authenticate via http/https
libpam-krb5 - PAM module for MIT Kerberos
libpam-ldap - Pluggable Authentication Module allowing LDAP interfaces
libpam-modules - Pluggable Authentication Modules for