Paranoid Penguin - Security Features in Debian 3.1
Last month, I began a three-part series on distribution-specific security features, beginning with SUSE Linux 10.0. This month, I continue with Debian 3.1, and next month I will conclude with Red Hat Enterprise Linux.
As you may recall, unless you missed last month's column or have been enjoying yourself in memory-impairing ways since then, several things about SUSE 10.0 really struck me: its wide variety of security-enhancing software packages and security-scanning tools; its inclusion of several different virtual machine platforms; and Novell AppArmor, which adds Mandatory Access Controls (MACs) to individual applications and processes.
When I began exploring security features in Debian 3.1 (Sarge) GNU/Linux, I was therefore particularly interested to determine how does Debian 3.1 compare with SUSE 10.0 in those areas? And, what unique security features does Debian bring to the table?
Like SUSE, Debian GNU/Linux is a general-purpose Linux distribution designed to be useful in a wide variety of desktop and server roles. Also like SUSE, Debian includes a long and varied bundle of binary software packages.
Unlike SUSE, Debian is a 100% not-for-profit undertaking. There is no expensive Enterprise version of Debian 3.1 with more features than the freeware version. There's only one version of Debian GNU/Linux 3.1, and it's 100% free—;unless you purchase Debian CD-ROMs from a Debian re-packager such as LinuxCentral (see the on-line Resources), in which case you're paying primarily for the cost of CD-ROM production, not for Debian itself.
Arguably, there are security ramifications associated with any purely free software product. Business-oriented IT managers love to ask, “Who's accountable when things go wrong?” But others point to Debian's impressive record of releasing timely security patches as evidence that the Debian Security Team is at least as dependable and responsive as any equivalent commercial entity. My own opinion is that its freeness isn't a major factor one way or the other. Debian doesn't have a reputation for being any more or less secure than commercial general-purpose Linux distributions.
So, what is the Debian installation experience like, and how does it encourage good security?
Compared to other major general-purpose Linux distributions, Debian's installer is decidedly old-school. It uses a bare-bones, text-based GUI that does little more than install software packages. Although this may be off-putting to many users, especially those new to Linux, it minimizes the system resources required to install Debian and the amount of time you'll spend waiting for the installer to load itself into RAM.
Software package installation, as with any Linux distribution, is the heart of the Debian installation process, and in Debian 3.1 it's handled by aptitude. aptitude is similar to its predecessor, dselect, but with a couple of important differences. The first is that although it's text-based like dselect, aptitude sports drop-down menus you can access by pressing the F10 key. The second difference is that, for me at least, aptitude organizes packages in a much less confusing way than dselect. It's still primitive compared to the graphical package installers in SUSE, Red Hat Enterprise Linux and so on (and arguably clunkier than the text-based Slackware installer); however, aptitude is a significant improvement over dselect.
With aptitude, it's also easy to update your local package list and get the latest security patches from the Debian.org site (see Resources). In fact, anytime you install software using the Advanced Packaging Tool (apt) system (for example, when you run aptitude or apt-get), Debian automatically checks for security updates for the packages you're attempting to install.
The bad news about the Debian installer is that it doesn't seem to do very much to harden your system, even in a preliminary way. It doesn't give you an opportunity to create even a basic local firewall policy or choose a preconfigured or default policy. It doesn't even check your root and first nonprivileged-user account passwords for complexity (although it does warn you that passwords need to be complex).
Rather, it appears as though in Debian the emphasis is on providing users with as wide a variety of security-related software packages as possible, rather than actually helping users set up any of those packages. Considering that Debian consists of more than 15,000 software packages in all, you've got many choices indeed. Table 1 lists some Debian packages that directly enhance system security.
Table 1. Some Security-Enhancing Packages in Debian 3.1
|aide, fam, tripwire, osiris||File/system integrity checkers.|
|bastille||Excellent, comprehensive and interactive (yet scriptable) hardening utility.|
|bochs||Bochs virtual x86 PC.|
|bozohttpd, dhttpd, thttpd||Minimally featured, secure Web server daemons.|
|chrootuid, jailer, jailtool, makejail||Utilities for using and creating chroot jails.|
|clamav||General-purpose virus scanner.|
|cracklib2, cracklib-runtime||Library and utilities to prevent users from choosing easily guessed passwords.|
|filtergen, fireflier, firestarter, ferm, fwbuilder, guarddog, mason, shorewall||Tools for generating and managing local firewall policies.|
|flawfinder, pscan, rats||Scripts that parse source code for security vulnerabilities.|
|freeradius, freeradius-ldap, etc.||Free radius server, useful for WLANs running WPA.|
|frox, ftp-proxy||FTP proxies.|
|gnupg, gnupg2, gpa, gnupg-agent||GNU Privacy Guard (gpg), a versatile and ubiquitous e-mail- and file-encryption utility.|
|harden, harden-clients, harden-servers, etc.||Actually an empty package containing only scripts that install and un-install other packages so as to improve system security.|
|ipsec-tools, pipsecd, openswan, openswan-modules-source||Tools for building IPSec-based virtual private networks.|
|libapache-mod-chroot, libapache2-mod-chroot||Apache module to run httpd chrooted without requiring a populated chroot jail.|
|libapache-mod-security, libapache2-mod-security||Proxies user input and server output for Apache.|
|oftpd, twoftpd, vsftpd||Minimally featured, secure FTP server daemons.|
|privoxy||Privacy-enhancing Web proxy.|
|psad||Port-scan attack detector.|
|pyca, tinyca||Certificate authority managers.|
|selinux-utils, libselinux1||Utilities and shared libraries for SELinux.|
|slat||Analyzes information flow in SELinux policies.|
|slapd||OpenLDAP server daemon.|
|squidguard||Adds access controls and other security functions to the popular Squid Web proxy.|
|squidview, srg||Log analyzers for Squid.|
|syslog-ng||Next-generation syslog daemon with many more features than standard syslogd.|
|trustees||Extends file/directory permissions to allow different permissions for different (multiple) groups on a single object.|
|uml-utilities||User-mode Linux virtual machine engine for Linux guests.|
In addition to the local security-enhancing packages in Table 1, Debian includes many tools for analyzing the security of other systems and networks. Table 2 lists some notable ones.
Table 2. Security Audit Tools in Debian 3.1
|dsniff, ettercap||Packet sniffers for switched environments.|
|ethereal, tcpdump||Excellent packet sniffers.|
|fping||Flood ping (multiple-target ping).|
|idswakeup||Attack simulator for testing intrusion detection systems (IDSes).|
|john||John the Ripper, a password-cracking tool (legitimately used for identifying weak passwords).|
|kismet||Wireless LAN sniffer that supports many wireless cards.|
|nessus, nessusd, nessus-plugins||Nessus general-purpose security scanner.|
|nmap||Undisputed king of port scanners.|
|snort||Outstanding packet sniffer, packet logger and intrusion detection system.|
Sifting through all these packages at installation time can be daunting. One thing that helps is aptitude's ability to search for packages by name. Another is the “Securing Debian Manual” (see Resources).
Once you've selected and installed your initial set of software packages, aptitude runs a few post-installation scripts (depending on what you installed). On my test system, I was disappointed to see very little in these scripts germane to security—these deal primarily with basic system setup, such as network settings. If you need to reconfigure these basic settings later (without editing files in /etc directly), you can re-invoke that part of the installer with the base-config command.
In summary, Debian's installation-time security features are disappointing and sparse. It may not be fair to compare the purely volunteer-driven Debian effort to a commercial product, but in my opinion, Debian sorely needs a centralized, security feature-rich installation and administration utility akin to SUSE's YaST.
Like other major Linux distributions, Debian increases in size and complexity with each new release. The paradox here is that Debian's ever-growing, almost unparalleled selection of software packages makes it more complex, even to the point of confusion—confusion causes sloppiness; sloppiness introduces avoidable security holes. A central administration utility would go a long way to reduce this confusion and enhance security for Debian neophytes and power users alike. It would go even further if it included modules for creating local firewall policies, managing virtual machines, managing SELinux or Trustees policies and so on.
All ranting aside, I like Debian, and as of this writing, I'm in the process of migrating my Web server from SUSE to Debian (though my laptop will remain a SUSE box). It's also worth mentioning that there are many unofficial Debian installers available, including other Linux distributions based on Debian and able to run Debian packages (see Resources).
So, moving on, let's talk about some particularly interesting and useful groups of security-related packages in Debian GNU/Linux 3.1.
|Dynamic DNS—an Object Lesson in Problem Solving||May 21, 2013|
|Using Salt Stack and Vagrant for Drupal Development||May 20, 2013|
|Making Linux and Android Get Along (It's Not as Hard as It Sounds)||May 16, 2013|
|Drupal Is a Framework: Why Everyone Needs to Understand This||May 15, 2013|
|Home, My Backup Data Center||May 13, 2013|
|Non-Linux FOSS: Seashore||May 10, 2013|
- RSS Feeds
- Dynamic DNS—an Object Lesson in Problem Solving
- Making Linux and Android Get Along (It's Not as Hard as It Sounds)
- Using Salt Stack and Vagrant for Drupal Development
- New Products
- A Topic for Discussion - Open Source Feature-Richness?
- Validate an E-Mail Address with PHP, the Right Way
- Drupal Is a Framework: Why Everyone Needs to Understand This
- What's the tweeting protocol?
- Tech Tip: Really Simple HTTP Server with Python
- BASH script to log IPs on public web server
4 hours 24 min ago
7 hours 59 min ago
- Reply to comment | Linux Journal
8 hours 32 min ago
- All the articles you talked
10 hours 55 min ago
- All the articles you talked
10 hours 59 min ago
- All the articles you talked
11 hours 20 sec ago
15 hours 25 min ago
- Keeping track of IP address
17 hours 16 min ago
- Roll your own dynamic dns
22 hours 29 min ago
- Please correct the URL for Salt Stack's web site
1 day 1 hour ago
Enter to Win an Adafruit Pi Cobbler Breakout Kit for Raspberry Pi
It's Raspberry Pi month at Linux Journal. Each week in May, Adafruit will be giving away a Pi-related prize to a lucky, randomly drawn LJ reader. Winners will be announced weekly.
Fill out the fields below to enter to win this week's prize-- a Pi Cobbler Breakout Kit for Raspberry Pi.
Congratulations to our winners so far:
- 5-8-13, Pi Starter Pack: Jack Davis
- 5-15-13, Pi Model B 512MB RAM: Patrick Dunn
- 5-21-13, Prototyping Pi Plate Kit: Philip Kirby
- Next winner announced on 5-27-13!
Free Webinar: Hadoop
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers
Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.
Some of key questions to be discussed are:
- What is the “typical” Hadoop cluster and what should be installed on the different machine types?
- Why should you consider the typical workload patterns when making your hardware decisions?
- Are all microservers created equal for Hadoop deployments?
- How do I plan for expansion if I require more compute, memory, storage or networking?