Keywords related to security in the package browser
Javier Fernández-Sanguino Peña
jfs@computer.org
Mon, 28 Apr 2003 21:14:36 +0200
On Mon, Apr 28, 2003 at 06:56:23PM +0200, Erich Schubert wrote:
> > Hi there Enrico,
>
> Actually you wrote to erich ;) but we're working on that project
> together.
Ah ok.
>
> > It would be nice if the "Security" packages were fine-grained even further.
> > I would recommend dividing security packages further by adding the
> > following tags:
>
> IMHO the tags you are suggesting are too fine grained. Often they are
> just a combination of two tags, or they differ by a tag.
> But a couple of these tags will be added.
Ok. No problem.
>
> > - "Filesystem integrity": test the integrity of the system by storing
> > filesystem information (MD5 hashes, file types..), aide, tripwire, samhain
> > and integrit fall into this category.
>
> I'm going to add this:
> Tag: security::integrity
> Implies: admin, security
> Description: File integrity verification
Integrity is fine.
>
> Maybe also add the "file" and "utility" tag? After all they are
> utilities (not creating new information) and operate on files?
They are all utilities and operate on files, but they create databases
with information on these.
>
> > - "Remote Vulnerability assessment": test (remotely) the system for
> > vulnerabilities: nessus, raccess, whisker, nikto, bass, satan..
>
> > - "Local Vulnerability assessment": ditto locally: tiger, sxid
>
> These two seem to differ by the "net" tag.
> "sxid" fits into the filesystem integrity section IMHO. I think it
> searches for suid files and checks these for integrity.
Don't know about sxid, don't use it.
> by the description "tiger" is similar, so they probably should all go
> into "security::integrity".
Not tiger. Tiger does check integrity (relies on external tools) but does
local checks to test for security issues.
>
> I'm not yet decided, but I think the "remote..." should be tagged
> "admin, security, net, net::scanner"
>
'vulnerabilityassess' is better than 'scanner' (and more to the point)
> > - "Network scanner": network based security tests (not VA): nmap, xprobe,
> > queso, knocker, strobe, hping2, nbtscan, icmpush, isic, fragrouter...
>
> whereas these should only be tagged "net, net::scanner" (and "util"...
> but the "application" vs. "util" thing is a real mess. we really need
> some task force for these.)
>
These are probably also "security, net, net::scanner"
> Suggestion:
> Tag: net::scanner
> Implies: net
> Description: Network scanners
>
But add only those there, VA tools might use scanners but they have much
more than that.
> > - "Source code audit": Audit source code in different programming languages
> > for vulnerabilities: flawfinder, rats, spling
>
> They fit into "devel::testing-qa" IMHO. They can be tagged
Sounds good.
> "devel::testing-qa, security" so they will form a subgroup "security"
> below "testing-qa" and a "software testing and qa" subgroup below "security"
>
Ok.
> > - "Virtual Private Networks": setup a secure network between two sites:
> > vtun, tunnelv, cipe, vpnd, tinc, secvpn, pptpd, freeswan
>
> IMHO this doesn't belong into the security section, but deserves a tag
> Tag: net::tunnel
> Implies: net
> Description: Network tunneling
>
Maybe "net::vpn" makes more sense. A VPN is not a tunnel, not always.
> Not all of them are actually "secure". these can be tagged "security" as
> well as "net::tunnel".
>
> > - "Antivirus tools": sanitizer, amavis-postfix
>
> suggestion:
> Tag: security::antivirus
> Implies: admin, security
> Description: Anti Virus Scanner
>
Fine.
> > - "Password cracking tools": john, crack
>
> undecided on these. cracklib and john are IMHO "authentification"
> related, so probably "admin, security, authentification" is enough.
Sure.
>
> > - "Intrusion detection": snort, tiger, scanlogd, scandetd, portsentry,
> > chkrootkit
>
> suggestion:
> Tag: security::ids
> Implies: admin, security
> Description: Intrusion Detection Systems
>
That's ok.
> > - "Forensics": tct, fenris
>
> Hmm... hard to say actually. Guess they'll also get a new tag.
>
Ok.
> > - "System Hardening": develop and maintain a bastion host: bastille,
> > harden-* packages.
>
> harden-* should be tagged "security, special::meta" Don't know about
> bastille.
Bastille is a hardening tool, i.e. will walk the user/admin through
configuration changes to lock it down. If it's going to be alone it does
not necessarily need a tag. If it does it should be 'harden'
>
> > - "Kernel hardening": Patches that can be introduced in the kernel to
> > improve security: lcap, kernel-patch-*-lids, kernel-patch-int,
> > kernel-patch-systrace, kernel-patch-*-openwall, kernel-patch-*-lsm,
> > kernel-patch-*-grsecurity
>
> use "security, kernel" for these.
Maybe add 'harden' too?
>
> > Also, the 'admin' tag and the 'system' tag seem quite redundant to me. It
> > has taken me quite some time to figure out that the security-related
> > packages only came up in the packagebrowser until I filtered first by
> > 'Administration and System Maintainance' and then by 'System software and
> > maintainance' and then by 'Security'.
>
> Yes, they need some work. There needs to be a policy what they are
> actually for. IMHO it's about "system administration" (meaning software)
> vs. "user administration" vs. "web administration" (if that goes into
> this "admin" section actually, and we don't add a web::webmaster
> section for that... ;)
> More work for the to-be task force.
That's a lot of work :-)
Should I add the tags to the packages I talked about or are you going to do
it yourself? (i.e. mass change)
Regards
Javi