1879 lines
89 KiB
HTML
1879 lines
89 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
|
|
|
|
<html>
|
|
|
|
<head>
|
|
|
|
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
|
|
|
|
<title>Securing Debian Manual - Debian Security Infrastructure</title>
|
|
|
|
<link href="index.en.html" rel="start">
|
|
<link href="ch-automatic-harden.en.html" rel="prev">
|
|
<link href="ch-sec-tools.en.html" rel="next">
|
|
<link href="index.en.html#contents" rel="contents">
|
|
<link href="index.en.html#copyright" rel="copyright">
|
|
<link href="ch1.en.html" rel="chapter" title="1 Introduction">
|
|
<link href="ch2.en.html" rel="chapter" title="2 Before you begin">
|
|
<link href="ch3.en.html" rel="chapter" title="3 Before and during the installation">
|
|
<link href="ch4.en.html" rel="chapter" title="4 After installation">
|
|
<link href="ch-sec-services.en.html" rel="chapter" title="5 Securing services running on your system">
|
|
<link href="ch-automatic-harden.en.html" rel="chapter" title="6 Automatic hardening of Debian systems">
|
|
<link href="ch7.en.html" rel="chapter" title="7 Debian Security Infrastructure">
|
|
<link href="ch-sec-tools.en.html" rel="chapter" title="8 Security tools in Debian">
|
|
<link href="ch9.en.html" rel="chapter" title="9 Developer's Best Practices for OS Security">
|
|
<link href="ch10.en.html" rel="chapter" title="10 Before the compromise">
|
|
<link href="ch-after-compromise.en.html" rel="chapter" title="11 After the compromise (incident response)">
|
|
<link href="ch12.en.html" rel="chapter" title="12 Frequently asked Questions (FAQ)">
|
|
<link href="ap-harden-step.en.html" rel="appendix" title="A The hardening process step by step">
|
|
<link href="ap-checklist.en.html" rel="appendix" title="B Configuration checklist">
|
|
<link href="ap-snort-box.en.html" rel="appendix" title="C Setting up a stand-alone IDS">
|
|
<link href="ap-bridge-fw.en.html" rel="appendix" title="D Setting up a bridge firewall">
|
|
<link href="ap-bind-chuser.en.html" rel="appendix" title="E Sample script to change the default Bind installation.">
|
|
<link href="ap-fw-security-update.en.html" rel="appendix" title="F Security update protected by a firewall">
|
|
<link href="ap-chroot-ssh-env.en.html" rel="appendix" title="G <code>Chroot</code> environment for <code>SSH</code>">
|
|
<link href="ap-chroot-apache-env.en.html" rel="appendix" title="H <code>Chroot</code> environment for <code>Apache</code>">
|
|
<link href="ch1.en.html#s-authors" rel="section" title="1.1 Authors">
|
|
<link href="ch1.en.html#s1.2" rel="section" title="1.2 Where to get the manual (and available formats)">
|
|
<link href="ch1.en.html#s1.3" rel="section" title="1.3 Organizational notes/feedback">
|
|
<link href="ch1.en.html#s1.4" rel="section" title="1.4 Prior knowledge">
|
|
<link href="ch1.en.html#s1.5" rel="section" title="1.5 Things that need to be written (FIXME/TODO)">
|
|
<link href="ch1.en.html#s-changelog" rel="section" title="1.6 Changelog/History">
|
|
<link href="ch1.en.html#s-credits" rel="section" title="1.7 Credits and thanks!">
|
|
<link href="ch2.en.html#s2.1" rel="section" title="2.1 What do you want this system for?">
|
|
<link href="ch2.en.html#s-references" rel="section" title="2.2 Be aware of general security problems">
|
|
<link href="ch2.en.html#s2.3" rel="section" title="2.3 How does Debian handle security?">
|
|
<link href="ch3.en.html#s-bios-passwd" rel="section" title="3.1 Choose a BIOS password">
|
|
<link href="ch3.en.html#s3.2" rel="section" title="3.2 Partitioning the system">
|
|
<link href="ch3.en.html#s3.3" rel="section" title="3.3 Do not plug to the Internet until ready">
|
|
<link href="ch3.en.html#s3.4" rel="section" title="3.4 Set a root password">
|
|
<link href="ch3.en.html#s3.5" rel="section" title="3.5 Activate shadow passwords and MD5 passwords">
|
|
<link href="ch3.en.html#s3.6" rel="section" title="3.6 Run the minimum number of services required">
|
|
<link href="ch3.en.html#s3.7" rel="section" title="3.7 Install the minimum amount of software required">
|
|
<link href="ch3.en.html#s3.8" rel="section" title="3.8 Read the Debian security mailing lists">
|
|
<link href="ch4.en.html#s-debian-sec-announce" rel="section" title="4.1 Subscribe to the Debian Security Announce mailing list">
|
|
<link href="ch4.en.html#s-security-update" rel="section" title="4.2 Execute a security update">
|
|
<link href="ch4.en.html#s-bios-boot" rel="section" title="4.3 Change the BIOS (again)">
|
|
<link href="ch4.en.html#s-lilo-passwd" rel="section" title="4.4 Set a LILO or GRUB password">
|
|
<link href="ch4.en.html#s-kernel-initramfs-prompt" rel="section" title="4.5 Disable root prompt on the initramfs">
|
|
<link href="ch4.en.html#s-kernel-root-prompt" rel="section" title="4.6 Remove root prompt on the kernel">
|
|
<link href="ch4.en.html#s-restrict-console-login" rel="section" title="4.7 Restricting console login access">
|
|
<link href="ch4.en.html#s-restrict-reboots" rel="section" title="4.8 Restricting system reboots through the console">
|
|
<link href="ch4.en.html#s4.9" rel="section" title="4.9 Mounting partitions the right way">
|
|
<link href="ch4.en.html#s4.10" rel="section" title="4.10 Providing secure user access">
|
|
<link href="ch4.en.html#s-tcpwrappers" rel="section" title="4.11 Using tcpwrappers">
|
|
<link href="ch4.en.html#s-log-alerts" rel="section" title="4.12 The importance of logs and alerts">
|
|
<link href="ch4.en.html#s-kernel-patches" rel="section" title="4.13 Adding kernel patches">
|
|
<link href="ch4.en.html#s4.14" rel="section" title="4.14 Protecting against buffer overflows">
|
|
<link href="ch4.en.html#s4.15" rel="section" title="4.15 Secure file transfers">
|
|
<link href="ch4.en.html#s4.16" rel="section" title="4.16 File system limits and control">
|
|
<link href="ch4.en.html#s-network-secure" rel="section" title="4.17 Securing network access">
|
|
<link href="ch4.en.html#s-snapshot" rel="section" title="4.18 Taking a snapshot of the system">
|
|
<link href="ch4.en.html#s4.19" rel="section" title="4.19 Other recommendations">
|
|
<link href="ch-sec-services.en.html#s5.1" rel="section" title="5.1 Securing ssh">
|
|
<link href="ch-sec-services.en.html#s5.2" rel="section" title="5.2 Securing Squid">
|
|
<link href="ch-sec-services.en.html#s-ftp-secure" rel="section" title="5.3 Securing FTP">
|
|
<link href="ch-sec-services.en.html#s5.4" rel="section" title="5.4 Securing access to the X Window System">
|
|
<link href="ch-sec-services.en.html#s5.5" rel="section" title="5.5 Securing printing access (the lpd and lprng issue)">
|
|
<link href="ch-sec-services.en.html#s5.6" rel="section" title="5.6 Securing the mail service">
|
|
<link href="ch-sec-services.en.html#s-sec-bind" rel="section" title="5.7 Securing BIND">
|
|
<link href="ch-sec-services.en.html#s5.8" rel="section" title="5.8 Securing Apache">
|
|
<link href="ch-sec-services.en.html#s5.9" rel="section" title="5.9 Securing finger">
|
|
<link href="ch-sec-services.en.html#s-chroot" rel="section" title="5.10 General chroot and suid paranoia">
|
|
<link href="ch-sec-services.en.html#s5.11" rel="section" title="5.11 General cleartext password paranoia">
|
|
<link href="ch-sec-services.en.html#s5.12" rel="section" title="5.12 Disabling NIS">
|
|
<link href="ch-sec-services.en.html#s-rpc" rel="section" title="5.13 Securing RPC services">
|
|
<link href="ch-sec-services.en.html#s-firewall-setup" rel="section" title="5.14 Adding firewall capabilities">
|
|
<link href="ch-automatic-harden.en.html#s6.1" rel="section" title="6.1 Harden">
|
|
<link href="ch-automatic-harden.en.html#s6.2" rel="section" title="6.2 Bastille Linux">
|
|
<link href="ch7.en.html#s-debian-sec-team" rel="section" title="7.1 The Debian Security Team">
|
|
<link href="ch7.en.html#s-dsa" rel="section" title="7.2 Debian Security Advisories">
|
|
<link href="ch7.en.html#s7.3" rel="section" title="7.3 Security Tracker">
|
|
<link href="ch7.en.html#s7.4" rel="section" title="7.4 Debian Security Build Infrastructure">
|
|
<link href="ch7.en.html#s-deb-pack-sign" rel="section" title="7.5 Package signing in Debian">
|
|
<link href="ch-sec-tools.en.html#s-vuln-asses" rel="section" title="8.1 Remote vulnerability assessment tools">
|
|
<link href="ch-sec-tools.en.html#s8.2" rel="section" title="8.2 Network scanner tools">
|
|
<link href="ch-sec-tools.en.html#s8.3" rel="section" title="8.3 Internal audits">
|
|
<link href="ch-sec-tools.en.html#s8.4" rel="section" title="8.4 Auditing source code">
|
|
<link href="ch-sec-tools.en.html#s-vpn" rel="section" title="8.5 Virtual Private Networks">
|
|
<link href="ch-sec-tools.en.html#s8.6" rel="section" title="8.6 Public Key Infrastructure (PKI)">
|
|
<link href="ch-sec-tools.en.html#s8.7" rel="section" title="8.7 SSL Infrastructure">
|
|
<link href="ch-sec-tools.en.html#s8.8" rel="section" title="8.8 Antivirus tools">
|
|
<link href="ch-sec-tools.en.html#s-gpg-agent" rel="section" title="8.9 GPG agent">
|
|
<link href="ch9.en.html#s-bpp-devel-design" rel="section" title="9.1 Best practices for security review and design">
|
|
<link href="ch9.en.html#s-bpp-lower-privs" rel="section" title="9.2 Creating users and groups for software daemons">
|
|
<link href="ch10.en.html#s-keep-secure" rel="section" title="10.1 Keep your system secure">
|
|
<link href="ch10.en.html#s-periodic-integrity" rel="section" title="10.2 Do periodic integrity checks">
|
|
<link href="ch10.en.html#s-intrusion-detect" rel="section" title="10.3 Set up Intrusion Detection">
|
|
<link href="ch10.en.html#s10.4" rel="section" title="10.4 Avoiding root-kits">
|
|
<link href="ch10.en.html#s10.5" rel="section" title="10.5 Genius/Paranoia Ideas — what you could do">
|
|
<link href="ch-after-compromise.en.html#s11.1" rel="section" title="11.1 General behavior">
|
|
<link href="ch-after-compromise.en.html#s11.2" rel="section" title="11.2 Backing up the system">
|
|
<link href="ch-after-compromise.en.html#s11.3" rel="section" title="11.3 Contact your local CERT">
|
|
<link href="ch-after-compromise.en.html#s11.4" rel="section" title="11.4 Forensic analysis">
|
|
<link href="ch12.en.html#s12.1" rel="section" title="12.1 Security in the Debian operating system">
|
|
<link href="ch12.en.html#s-vulnerable-system" rel="section" title="12.2 My system is vulnerable! (Are you sure?)">
|
|
<link href="ch12.en.html#s-debian-sec-team-faq" rel="section" title="12.3 Questions regarding the Debian security team">
|
|
<link href="ap-bridge-fw.en.html#sD.1" rel="section" title="D.1 A bridge providing NAT and firewall capabilities">
|
|
<link href="ap-bridge-fw.en.html#sD.2" rel="section" title="D.2 A bridge providing firewall capabilities">
|
|
<link href="ap-bridge-fw.en.html#sD.3" rel="section" title="D.3 Basic IPtables rules">
|
|
<link href="ap-chroot-ssh-env.en.html#sG.1" rel="section" title="G.1 Chrooting the ssh users">
|
|
<link href="ap-chroot-ssh-env.en.html#sG.2" rel="section" title="G.2 Chrooting the ssh server">
|
|
<link href="ap-chroot-apache-env.en.html#sH.1" rel="section" title="H.1 Introduction">
|
|
<link href="ap-chroot-apache-env.en.html#sH.2" rel="section" title="H.2 Installing the server">
|
|
<link href="ap-chroot-apache-env.en.html#sH.3" rel="section" title="H.3 See also">
|
|
<link href="ch1.en.html#s1.6.1" rel="subsection" title="1.6.1 Version 3.16 (March 2011)">
|
|
<link href="ch1.en.html#s1.6.2" rel="subsection" title="1.6.2 Version 3.15 (December 2010)">
|
|
<link href="ch1.en.html#s1.6.3" rel="subsection" title="1.6.3 Version 3.14 (March 2009)">
|
|
<link href="ch1.en.html#s1.6.4" rel="subsection" title="1.6.4 Version 3.13 (Februrary 2008)">
|
|
<link href="ch1.en.html#s1.6.5" rel="subsection" title="1.6.5 Version 3.12 (August 2007)">
|
|
<link href="ch1.en.html#s1.6.6" rel="subsection" title="1.6.6 Version 3.11 (January 2007)">
|
|
<link href="ch1.en.html#s1.6.7" rel="subsection" title="1.6.7 Version 3.10 (November 2006)">
|
|
<link href="ch1.en.html#s1.6.8" rel="subsection" title="1.6.8 Version 3.9 (October 2006)">
|
|
<link href="ch1.en.html#s1.6.9" rel="subsection" title="1.6.9 Version 3.8 (July 2006)">
|
|
<link href="ch1.en.html#s1.6.10" rel="subsection" title="1.6.10 Version 3.7 (April 2006)">
|
|
<link href="ch1.en.html#s1.6.11" rel="subsection" title="1.6.11 Version 3.6 (March 2006)">
|
|
<link href="ch1.en.html#s1.6.12" rel="subsection" title="1.6.12 Version 3.5 (November 2005)">
|
|
<link href="ch1.en.html#s1.6.13" rel="subsection" title="1.6.13 Version 3.4 (August-September 2005)">
|
|
<link href="ch1.en.html#s1.6.14" rel="subsection" title="1.6.14 Version 3.3 (June 2005)">
|
|
<link href="ch1.en.html#s1.6.15" rel="subsection" title="1.6.15 Version 3.2 (March 2005)">
|
|
<link href="ch1.en.html#s1.6.16" rel="subsection" title="1.6.16 Version 3.1 (January 2005)">
|
|
<link href="ch1.en.html#s1.6.17" rel="subsection" title="1.6.17 Version 3.0 (December 2004)">
|
|
<link href="ch1.en.html#s1.6.18" rel="subsection" title="1.6.18 Version 2.99 (March 2004)">
|
|
<link href="ch1.en.html#s1.6.19" rel="subsection" title="1.6.19 Version 2.98 (December 2003)">
|
|
<link href="ch1.en.html#s1.6.20" rel="subsection" title="1.6.20 Version 2.97 (September 2003)">
|
|
<link href="ch1.en.html#s1.6.21" rel="subsection" title="1.6.21 Version 2.96 (August 2003)">
|
|
<link href="ch1.en.html#s1.6.22" rel="subsection" title="1.6.22 Version 2.95 (June 2003)">
|
|
<link href="ch1.en.html#s1.6.23" rel="subsection" title="1.6.23 Version 2.94 (April 2003)">
|
|
<link href="ch1.en.html#s1.6.24" rel="subsection" title="1.6.24 Version 2.93 (March 2003)">
|
|
<link href="ch1.en.html#s1.6.25" rel="subsection" title="1.6.25 Version 2.92 (February 2003)">
|
|
<link href="ch1.en.html#s1.6.26" rel="subsection" title="1.6.26 Version 2.91 (January/February 2003)">
|
|
<link href="ch1.en.html#s1.6.27" rel="subsection" title="1.6.27 Version 2.9 (December 2002)">
|
|
<link href="ch1.en.html#s1.6.28" rel="subsection" title="1.6.28 Version 2.8 (November 2002)">
|
|
<link href="ch1.en.html#s1.6.29" rel="subsection" title="1.6.29 Version 2.7 (October 2002)">
|
|
<link href="ch1.en.html#s1.6.30" rel="subsection" title="1.6.30 Version 2.6 (September 2002)">
|
|
<link href="ch1.en.html#s1.6.31" rel="subsection" title="1.6.31 Version 2.5 (September 2002)">
|
|
<link href="ch1.en.html#s1.6.32" rel="subsection" title="1.6.32 Version 2.5 (August 2002)">
|
|
<link href="ch1.en.html#s1.6.33" rel="subsection" title="1.6.33 Version 2.4">
|
|
<link href="ch1.en.html#s1.6.34" rel="subsection" title="1.6.34 Version 2.3">
|
|
<link href="ch1.en.html#s1.6.35" rel="subsection" title="1.6.35 Version 2.3">
|
|
<link href="ch1.en.html#s1.6.36" rel="subsection" title="1.6.36 Version 2.2">
|
|
<link href="ch1.en.html#s1.6.37" rel="subsection" title="1.6.37 Version 2.1">
|
|
<link href="ch1.en.html#s1.6.38" rel="subsection" title="1.6.38 Version 2.0">
|
|
<link href="ch1.en.html#s1.6.39" rel="subsection" title="1.6.39 Version 1.99">
|
|
<link href="ch1.en.html#s1.6.40" rel="subsection" title="1.6.40 Version 1.98">
|
|
<link href="ch1.en.html#s1.6.41" rel="subsection" title="1.6.41 Version 1.97">
|
|
<link href="ch1.en.html#s1.6.42" rel="subsection" title="1.6.42 Version 1.96">
|
|
<link href="ch1.en.html#s1.6.43" rel="subsection" title="1.6.43 Version 1.95">
|
|
<link href="ch1.en.html#s1.6.44" rel="subsection" title="1.6.44 Version 1.94">
|
|
<link href="ch1.en.html#s1.6.45" rel="subsection" title="1.6.45 Version 1.93">
|
|
<link href="ch1.en.html#s1.6.46" rel="subsection" title="1.6.46 Version 1.92">
|
|
<link href="ch1.en.html#s1.6.47" rel="subsection" title="1.6.47 Version 1.91">
|
|
<link href="ch1.en.html#s1.6.48" rel="subsection" title="1.6.48 Version 1.9">
|
|
<link href="ch1.en.html#s1.6.49" rel="subsection" title="1.6.49 Version 1.8">
|
|
<link href="ch1.en.html#s1.6.50" rel="subsection" title="1.6.50 Version 1.7">
|
|
<link href="ch1.en.html#s1.6.51" rel="subsection" title="1.6.51 Version 1.6">
|
|
<link href="ch1.en.html#s1.6.52" rel="subsection" title="1.6.52 Version 1.5">
|
|
<link href="ch1.en.html#s1.6.53" rel="subsection" title="1.6.53 Version 1.4">
|
|
<link href="ch1.en.html#s1.6.54" rel="subsection" title="1.6.54 Version 1.3">
|
|
<link href="ch1.en.html#s1.6.55" rel="subsection" title="1.6.55 Version 1.2">
|
|
<link href="ch1.en.html#s1.6.56" rel="subsection" title="1.6.56 Version 1.1">
|
|
<link href="ch1.en.html#s1.6.57" rel="subsection" title="1.6.57 Version 1.0">
|
|
<link href="ch3.en.html#s3.2.1" rel="subsection" title="3.2.1 Choose an intelligent partition scheme">
|
|
<link href="ch3.en.html#s3.2.1.1" rel="subsection" title="3.2.1.1 Selecting the appropriate file systems">
|
|
<link href="ch3.en.html#s-disableserv" rel="subsection" title="3.6.1 Disabling daemon services">
|
|
<link href="ch3.en.html#s-inetd" rel="subsection" title="3.6.2 Disabling <code>inetd</code> or its services">
|
|
<link href="ch3.en.html#s3.7.1" rel="subsection" title="3.7.1 Removing Perl">
|
|
<link href="ch4.en.html#s-lib-security-update" rel="subsection" title="4.2.1 Security update of libraries">
|
|
<link href="ch4.en.html#s-kernel-security-update" rel="subsection" title="4.2.2 Security update of the kernel">
|
|
<link href="ch4.en.html#s4.9.1" rel="subsection" title="4.9.1 Setting <code>/tmp</code> noexec">
|
|
<link href="ch4.en.html#s4.9.2" rel="subsection" title="4.9.2 Setting /usr read-only">
|
|
<link href="ch4.en.html#s-auth-pam" rel="subsection" title="4.10.1 User authentication: PAM">
|
|
<link href="ch4.en.html#s-user-limits" rel="subsection" title="4.10.2 Limiting resource usage: the <code>limits.conf</code> file">
|
|
<link href="ch4.en.html#s4.10.3" rel="subsection" title="4.10.3 User login actions: edit <code>/etc/login.defs</code>">
|
|
<link href="ch4.en.html#s4.10.4" rel="subsection" title="4.10.4 Restricting ftp: editing <code>/etc/ftpusers</code>">
|
|
<link href="ch4.en.html#s4.10.5" rel="subsection" title="4.10.5 Using su">
|
|
<link href="ch4.en.html#s4.10.6" rel="subsection" title="4.10.6 Using sudo">
|
|
<link href="ch4.en.html#s4.10.7" rel="subsection" title="4.10.7 Disallow remote administrative access">
|
|
<link href="ch4.en.html#s-user-restrict" rel="subsection" title="4.10.8 Restricting users's access">
|
|
<link href="ch4.en.html#s4.10.9" rel="subsection" title="4.10.9 User auditing">
|
|
<link href="ch4.en.html#s4.10.9.1" rel="subsection" title="4.10.9.1 Input and output audit with script">
|
|
<link href="ch4.en.html#s4.10.9.2" rel="subsection" title="4.10.9.2 Using the shell history file">
|
|
<link href="ch4.en.html#s4.10.9.3" rel="subsection" title="4.10.9.3 Complete user audit with accounting utilities">
|
|
<link href="ch4.en.html#s4.10.9.4" rel="subsection" title="4.10.9.4 Other user auditing methods">
|
|
<link href="ch4.en.html#s4.10.10" rel="subsection" title="4.10.10 Reviewing user profiles">
|
|
<link href="ch4.en.html#s4.10.11" rel="subsection" title="4.10.11 Setting users umasks">
|
|
<link href="ch4.en.html#s4.10.12" rel="subsection" title="4.10.12 Limiting what users can see/access">
|
|
<link href="ch4.en.html#s-limit-user-perm" rel="subsection" title="4.10.12.1 Limiting access to other user's information">
|
|
<link href="ch4.en.html#s-user-pwgen" rel="subsection" title="4.10.13 Generating user passwords">
|
|
<link href="ch4.en.html#s4.10.14" rel="subsection" title="4.10.14 Checking user passwords">
|
|
<link href="ch4.en.html#s-idle-logoff" rel="subsection" title="4.10.15 Logging off idle users">
|
|
<link href="ch4.en.html#s-custom-logcheck" rel="subsection" title="4.12.1 Using and customizing <code>logcheck</code>">
|
|
<link href="ch4.en.html#s4.12.2" rel="subsection" title="4.12.2 Configuring where alerts are sent">
|
|
<link href="ch4.en.html#s4.12.3" rel="subsection" title="4.12.3 Using a loghost">
|
|
<link href="ch4.en.html#s4.12.4" rel="subsection" title="4.12.4 Log file permissions">
|
|
<link href="ch4.en.html#s4.14.1" rel="subsection" title="4.14.1 Kernel patch protection for buffer overflows">
|
|
<link href="ch4.en.html#s4.14.2" rel="subsection" title="4.14.2 Testing programs for overflows">
|
|
<link href="ch4.en.html#s4.16.1" rel="subsection" title="4.16.1 Using quotas">
|
|
<link href="ch4.en.html#s-ext2attr" rel="subsection" title="4.16.2 The ext2 filesystem specific attributes (chattr/lsattr)">
|
|
<link href="ch4.en.html#s-check-integ" rel="subsection" title="4.16.3 Checking file system integrity">
|
|
<link href="ch4.en.html#s4.16.4" rel="subsection" title="4.16.4 Setting up setuid check">
|
|
<link href="ch4.en.html#s-kernel-conf" rel="subsection" title="4.17.1 Configuring kernel network features">
|
|
<link href="ch4.en.html#s-tcp-syncookies" rel="subsection" title="4.17.2 Configuring syncookies">
|
|
<link href="ch4.en.html#s-net-harden" rel="subsection" title="4.17.3 Securing the network on boot-time">
|
|
<link href="ch4.en.html#s-kernel-fw" rel="subsection" title="4.17.4 Configuring firewall features">
|
|
<link href="ch4.en.html#s-limit-bindaddr" rel="subsection" title="4.17.5 Disabling weak-end hosts issues">
|
|
<link href="ch4.en.html#s4.17.6" rel="subsection" title="4.17.6 Protecting against ARP attacks">
|
|
<link href="ch4.en.html#s4.19.1" rel="subsection" title="4.19.1 Do not use software depending on svgalib">
|
|
<link href="ch-sec-services.en.html#s-ssh-chroot" rel="subsection" title="5.1.1 Chrooting ssh">
|
|
<link href="ch-sec-services.en.html#s5.1.2" rel="subsection" title="5.1.2 Ssh clients">
|
|
<link href="ch-sec-services.en.html#s5.1.3" rel="subsection" title="5.1.3 Disallowing file transfers">
|
|
<link href="ch-sec-services.en.html#s-ssh-only-file" rel="subsection" title="5.1.4 Restricing access to file transfer only">
|
|
<link href="ch-sec-services.en.html#s5.4.1" rel="subsection" title="5.4.1 Check your display manager">
|
|
<link href="ch-sec-services.en.html#s5.6.1" rel="subsection" title="5.6.1 Configuring a Nullmailer">
|
|
<link href="ch-sec-services.en.html#s5.6.2" rel="subsection" title="5.6.2 Providing secure access to mailboxes">
|
|
<link href="ch-sec-services.en.html#s5.6.3" rel="subsection" title="5.6.3 Receiving mail securely">
|
|
<link href="ch-sec-services.en.html#s-configure-bind" rel="subsection" title="5.7.1 Bind configuration to avoid misuse">
|
|
<link href="ch-sec-services.en.html#s-user-bind" rel="subsection" title="5.7.2 Changing BIND's user">
|
|
<link href="ch-sec-services.en.html#s-chroot-bind" rel="subsection" title="5.7.3 Chrooting the name server">
|
|
<link href="ch-sec-services.en.html#s5.8.1" rel="subsection" title="5.8.1 Disabling users from publishing web contents">
|
|
<link href="ch-sec-services.en.html#s5.8.2" rel="subsection" title="5.8.2 Logfiles permissions">
|
|
<link href="ch-sec-services.en.html#s5.8.3" rel="subsection" title="5.8.3 Published web files">
|
|
<link href="ch-sec-services.en.html#s-auto-chroot" rel="subsection" title="5.10.1 Making chrooted environments automatically">
|
|
<link href="ch-sec-services.en.html#s5.13.1" rel="subsection" title="5.13.1 Disabling RPC services completely">
|
|
<link href="ch-sec-services.en.html#s5.13.2" rel="subsection" title="5.13.2 Limiting access to RPC services">
|
|
<link href="ch-sec-services.en.html#s5.14.1" rel="subsection" title="5.14.1 Firewalling the local system">
|
|
<link href="ch-sec-services.en.html#s5.14.2" rel="subsection" title="5.14.2 Using a firewall to protect other systems">
|
|
<link href="ch-sec-services.en.html#s5.14.3" rel="subsection" title="5.14.3 Setting up a firewall">
|
|
<link href="ch-sec-services.en.html#s-firewall-pack" rel="subsection" title="5.14.3.1 Using firewall packages">
|
|
<link href="ch-sec-services.en.html#s5.14.3.2" rel="subsection" title="5.14.3.2 Manual init.d configuration">
|
|
<link href="ch-sec-services.en.html#s5.14.3.3" rel="subsection" title="5.14.3.3 Configuring firewall rules through <code>ifup</code>">
|
|
<link href="ch-sec-services.en.html#s5.14.3.4" rel="subsection" title="5.14.3.4 Testing your firewall configuration">
|
|
<link href="ch7.en.html#s-crossreference" rel="subsection" title="7.2.1 Vulnerability cross references">
|
|
<link href="ch7.en.html#s-cve-compatible" rel="subsection" title="7.2.2 CVE compatibility">
|
|
<link href="ch7.en.html#s7.4.1" rel="subsection" title="7.4.1 Developer's guide to security updates">
|
|
<link href="ch7.en.html#s7.5.1" rel="subsection" title="7.5.1 The current scheme for package signature checks">
|
|
<link href="ch7.en.html#s-apt-0.6" rel="subsection" title="7.5.2 Secure apt">
|
|
<link href="ch7.en.html#s-check-releases" rel="subsection" title="7.5.3 Per distribution release check">
|
|
<link href="ch7.en.html#s7.5.3.1" rel="subsection" title="7.5.3.1 Basic concepts">
|
|
<link href="ch7.en.html#s7.5.3.2" rel="subsection" title="7.5.3.2 <code>Release</code> checksums">
|
|
<link href="ch7.en.html#s7.5.3.3" rel="subsection" title="7.5.3.3 Verification of the <code>Release</code> file">
|
|
<link href="ch7.en.html#s7.5.3.4" rel="subsection" title="7.5.3.4 Check of <code>Release.gpg</code> by <code>apt</code>">
|
|
<link href="ch7.en.html#s7.5.3.5" rel="subsection" title="7.5.3.5 How to tell apt what to trust">
|
|
<link href="ch7.en.html#s7.5.3.6" rel="subsection" title="7.5.3.6 Finding the key for a repository">
|
|
<link href="ch7.en.html#s-secure-apt-add-key" rel="subsection" title="7.5.3.7 Safely adding a key">
|
|
<link href="ch7.en.html#s7.5.3.8" rel="subsection" title="7.5.3.8 Verifying key integrity">
|
|
<link href="ch7.en.html#s7.5.3.9" rel="subsection" title="7.5.3.9 Debian archive key yearly rotation">
|
|
<link href="ch7.en.html#s7.5.3.10" rel="subsection" title="7.5.3.10 Known release checking problems">
|
|
<link href="ch7.en.html#s-manual-check-releases" rel="subsection" title="7.5.3.11 Manual per distribution release check">
|
|
<link href="ch7.en.html#s-check-non-debian-releases" rel="subsection" title="7.5.4 Release check of non Debian sources">
|
|
<link href="ch7.en.html#s-check-pkg-sign" rel="subsection" title="7.5.5 Alternative per-package signing scheme">
|
|
<link href="ch-sec-tools.en.html#s8.5.1" rel="subsection" title="8.5.1 Point to Point tunneling">
|
|
<link href="ch10.en.html#s-track-vulns" rel="subsection" title="10.1.1 Tracking security vulnerabilities">
|
|
<link href="ch10.en.html#s-keep-up-to-date" rel="subsection" title="10.1.2 Continuously update the system">
|
|
<link href="ch10.en.html#s10.1.2.1" rel="subsection" title="10.1.2.1 Manually checking which security updates are available">
|
|
<link href="ch10.en.html#s-update-desktop" rel="subsection" title="10.1.2.2 Checking for updates at the Desktop">
|
|
<link href="ch10.en.html#s-cron-apt" rel="subsection" title="10.1.2.3 Automatically checking for updates with cron-apt">
|
|
<link href="ch10.en.html#s-debsecan" rel="subsection" title="10.1.2.4 Automatically checking for security issues with debsecan">
|
|
<link href="ch10.en.html#s10.1.2.5" rel="subsection" title="10.1.2.5 Other methods for security updates">
|
|
<link href="ch10.en.html#s10.1.3" rel="subsection" title="10.1.3 Avoid using the unstable branch">
|
|
<link href="ch10.en.html#s-security-support-testing" rel="subsection" title="10.1.4 Security support for the testing branch">
|
|
<link href="ch10.en.html#s10.1.5" rel="subsection" title="10.1.5 Automatic updates in a Debian GNU/Linux system">
|
|
<link href="ch10.en.html#s10.3.1" rel="subsection" title="10.3.1 Network based intrusion detection">
|
|
<link href="ch10.en.html#s10.3.2" rel="subsection" title="10.3.2 Host based intrusion detection">
|
|
<link href="ch10.en.html#s-LKM" rel="subsection" title="10.4.1 Loadable Kernel Modules (LKM)">
|
|
<link href="ch10.en.html#s10.4.2" rel="subsection" title="10.4.2 Detecting root-kits">
|
|
<link href="ch10.en.html#s-proactive" rel="subsection" title="10.4.2.1 Proactive defense">
|
|
<link href="ch10.en.html#s10.4.2.2" rel="subsection" title="10.4.2.2 Reactive defense">
|
|
<link href="ch10.en.html#s10.5.1" rel="subsection" title="10.5.1 Building a honeypot">
|
|
<link href="ch-after-compromise.en.html#s11.4.1" rel="subsection" title="11.4.1 Analysis of malware">
|
|
<link href="ch12.en.html#s12.1.1" rel="subsection" title="12.1.1 Is Debian more secure than X?">
|
|
<link href="ch12.en.html#s12.1.1.1" rel="subsection" title="12.1.1.1 Is Debian more secure than other Linux distributions (such as Red Hat, SuSE...)?">
|
|
<link href="ch12.en.html#s12.1.2" rel="subsection" title="12.1.2 There are many Debian bugs in Bugtraq. Does this mean that it is very vulnerable?">
|
|
<link href="ch12.en.html#s12.1.3" rel="subsection" title="12.1.3 Does Debian have any certification related to security?">
|
|
<link href="ch12.en.html#s12.1.4" rel="subsection" title="12.1.4 Are there any hardening programs for Debian?">
|
|
<link href="ch12.en.html#s12.1.5" rel="subsection" title="12.1.5 I want to run XYZ service, which one should I choose?">
|
|
<link href="ch12.en.html#s12.1.6" rel="subsection" title="12.1.6 How can I make service XYZ more secure in Debian?">
|
|
<link href="ch12.en.html#s12.1.7" rel="subsection" title="12.1.7 How can I remove all the banners for services?">
|
|
<link href="ch12.en.html#s12.1.8" rel="subsection" title="12.1.8 Are all Debian packages safe?">
|
|
<link href="ch12.en.html#s12.1.9" rel="subsection" title="12.1.9 Why are some log files/configuration files world-readable, isn't this insecure?">
|
|
<link href="ch12.en.html#s12.1.10" rel="subsection" title="12.1.10 Why does /root/ (or UserX) have 755 permissions?">
|
|
<link href="ch12.en.html#s12.1.11" rel="subsection" title="12.1.11 After installing a grsec/firewall, I started receiving many console messages! How do I remove them?">
|
|
<link href="ch12.en.html#s-faq-os-users" rel="subsection" title="12.1.12 Operating system users and groups">
|
|
<link href="ch12.en.html#s12.1.12.1" rel="subsection" title="12.1.12.1 Are all system users necessary?">
|
|
<link href="ch12.en.html#s12.1.12.2" rel="subsection" title="12.1.12.2 I removed a system user! How can I recover?">
|
|
<link href="ch12.en.html#s12.1.12.3" rel="subsection" title="12.1.12.3 What is the difference between the adm and the staff group?">
|
|
<link href="ch12.en.html#s12.1.13" rel="subsection" title="12.1.13 Why is there a new group when I add a new user? (or Why does Debian give each user one group?)">
|
|
<link href="ch12.en.html#s12.1.14" rel="subsection" title="12.1.14 Questions regarding services and open ports">
|
|
<link href="ch12.en.html#s12.1.14.1" rel="subsection" title="12.1.14.1 Why are all services activated upon installation?">
|
|
<link href="ch12.en.html#s12.1.14.2" rel="subsection" title="12.1.14.2 Can I remove <code>inetd</code>?">
|
|
<link href="ch12.en.html#s12.1.14.3" rel="subsection" title="12.1.14.3 Why do I have port 111 open?">
|
|
<link href="ch12.en.html#s12.1.14.4" rel="subsection" title="12.1.14.4 What use is <code>identd</code> (port 113) for?">
|
|
<link href="ch12.en.html#s12.1.14.5" rel="subsection" title="12.1.14.5 I have services using port 1 and 6, what are they and how can I remove them?">
|
|
<link href="ch12.en.html#s12.1.14.6" rel="subsection" title="12.1.14.6 I found the port XYZ open, can I close it?">
|
|
<link href="ch12.en.html#s12.1.14.7" rel="subsection" title="12.1.14.7 Will removing services from <code>/etc/services</code> help secure my box?">
|
|
<link href="ch12.en.html#s12.1.15" rel="subsection" title="12.1.15 Common security issues">
|
|
<link href="ch12.en.html#s12.1.15.1" rel="subsection" title="12.1.15.1 I have lost my password and cannot access the system!">
|
|
<link href="ch12.en.html#s12.1.16" rel="subsection" title="12.1.16 How do I accomplish setting up a service for my users without giving out shell accounts?">
|
|
<link href="ch12.en.html#s-vulnasses-false-positive" rel="subsection" title="12.2.1 Vulnerability assessment scanner X says my Debian system is vulnerable!">
|
|
<link href="ch12.en.html#s12.2.2" rel="subsection" title="12.2.2 I've seen an attack in my system's logs. Is my system compromised?">
|
|
<link href="ch12.en.html#s12.2.3" rel="subsection" title="12.2.3 I have found strange 'MARK' lines in my logs: Am I compromised?">
|
|
<link href="ch12.en.html#s12.2.4" rel="subsection" title="12.2.4 I found users using 'su' in my logs: Am I compromised?">
|
|
<link href="ch12.en.html#s12.2.5" rel="subsection" title="12.2.5 I have found 'possible SYN flooding' in my logs: Am I under attack?">
|
|
<link href="ch12.en.html#s12.2.6" rel="subsection" title="12.2.6 I have found strange root sessions in my logs: Am I compromised?">
|
|
<link href="ch12.en.html#s12.2.7" rel="subsection" title="12.2.7 I have suffered a break-in, what do I do?">
|
|
<link href="ch12.en.html#s12.2.8" rel="subsection" title="12.2.8 How can I trace an attack?">
|
|
<link href="ch12.en.html#s12.2.9" rel="subsection" title="12.2.9 Program X in Debian is vulnerable, what do I do?">
|
|
<link href="ch12.en.html#s-version-backport" rel="subsection" title="12.2.10 The version number for a package indicates that I am still running a vulnerable version!">
|
|
<link href="ch12.en.html#s12.2.11" rel="subsection" title="12.2.11 Specific software">
|
|
<link href="ch12.en.html#s12.2.11.1" rel="subsection" title="12.2.11.1 <code>proftpd</code> is vulnerable to a Denial of Service attack.">
|
|
<link href="ch12.en.html#s12.2.11.2" rel="subsection" title="12.2.11.2 After installing <code>portsentry</code>, there are a lot of ports open.">
|
|
<link href="ch12.en.html#s12.3.1" rel="subsection" title="12.3.1 What is a Debian Security Advisory (DSA)?">
|
|
<link href="ch12.en.html#s12.3.2" rel="subsection" title="12.3.2 The signature on Debian advisories does not verify correctly!">
|
|
<link href="ch12.en.html#s12.3.3" rel="subsection" title="12.3.3 How is security handled in Debian?">
|
|
<link href="ch12.en.html#s12.3.4" rel="subsection" title="12.3.4 Why are you fiddling with an old version of that package?">
|
|
<link href="ch12.en.html#s12.3.5" rel="subsection" title="12.3.5 What is the policy for a fixed package to appear in security.debian.org?">
|
|
<link href="ch12.en.html#s12.3.6" rel="subsection" title="12.3.6 What does "local (remote)" mean?">
|
|
<link href="ch12.en.html#s12.3.7" rel="subsection" title="12.3.7 The version number for a package indicates that I am still running a vulnerable version!">
|
|
<link href="ch12.en.html#s-sec-unstable" rel="subsection" title="12.3.8 How is security handled for <samp>testing</samp> and <samp>unstable</samp>?">
|
|
<link href="ch12.en.html#s-sec-older" rel="subsection" title="12.3.9 I use an older version of Debian, is it supported by the Debian Security Team?">
|
|
<link href="ch12.en.html#s12.3.10" rel="subsection" title="12.3.10 How does <em>testing</em> get security updates?">
|
|
<link href="ch12.en.html#s12.3.11" rel="subsection" title="12.3.11 How is security handled for contrib and non-free?">
|
|
<link href="ch12.en.html#s12.3.12" rel="subsection" title="12.3.12 Why are there no official mirrors for security.debian.org?">
|
|
<link href="ch12.en.html#s12.3.13" rel="subsection" title="12.3.13 I've seen DSA 100 and DSA 102, now where is DSA 101?">
|
|
<link href="ch12.en.html#s12.3.14" rel="subsection" title="12.3.14 I tried to download a package listed in one of the security advisories, but I got a `file not found' error.">
|
|
<link href="ch12.en.html#s12.3.15" rel="subsection" title="12.3.15 How can I reach the security team?">
|
|
<link href="ch12.en.html#s12.3.16" rel="subsection" title="12.3.16 What difference is there between security@debian.org and debian-security@lists.debian.org?">
|
|
<link href="ch12.en.html#s12.3.17" rel="subsection" title="12.3.17 I guess I found a security problem, what should I do?">
|
|
<link href="ch12.en.html#s12.3.18" rel="subsection" title="12.3.18 How can I contribute to the Debian security team?">
|
|
<link href="ch12.en.html#s12.3.19" rel="subsection" title="12.3.19 Who is the Security Team composed of?">
|
|
<link href="ch12.en.html#s12.3.20" rel="subsection" title="12.3.20 Does the Debian Security team check every new package in Debian?">
|
|
<link href="ch12.en.html#s12.3.21" rel="subsection" title="12.3.21 How much time will it take Debian to fix vulnerability XXXX?">
|
|
<link href="ch12.en.html#s12.3.22" rel="subsection" title="12.3.22 How long will security updates be provided?">
|
|
<link href="ch12.en.html#s12.3.23" rel="subsection" title="12.3.23 How can I check the integrity of packages?">
|
|
<link href="ch12.en.html#s12.3.24" rel="subsection" title="12.3.24 What to do if a random package breaks after a security update?">
|
|
<link href="ap-chroot-ssh-env.en.html#sG.1.1" rel="subsection" title="G.1.1 Using <code>libpam-chroot</code>">
|
|
<link href="ap-chroot-ssh-env.en.html#sG.1.2" rel="subsection" title="G.1.2 Patching the <code>ssh</code> server">
|
|
<link href="ap-chroot-ssh-env.en.html#sG.2.1" rel="subsection" title="G.2.1 Setup a minimal system (the really easy way)">
|
|
<link href="ap-chroot-ssh-env.en.html#sG.2.2" rel="subsection" title="G.2.2 Automatically making the environment (the easy way)">
|
|
<link href="ap-chroot-ssh-env.en.html#sG.2.3" rel="subsection" title="G.2.3 Manually creating the environment (the hard way)">
|
|
<link href="ap-chroot-apache-env.en.html#sH.1.1" rel="subsection" title="H.1.1 Licensing">
|
|
|
|
</head>
|
|
|
|
<body>
|
|
|
|
<p><a name="ch7"></a></p>
|
|
<hr>
|
|
|
|
<p>
|
|
[ <a href="ch-automatic-harden.en.html">previous</a> ]
|
|
[ <a href="index.en.html#contents">Contents</a> ]
|
|
[ <a href="ch1.en.html">1</a> ]
|
|
[ <a href="ch2.en.html">2</a> ]
|
|
[ <a href="ch3.en.html">3</a> ]
|
|
[ <a href="ch4.en.html">4</a> ]
|
|
[ <a href="ch-sec-services.en.html">5</a> ]
|
|
[ <a href="ch-automatic-harden.en.html">6</a> ]
|
|
[ 7 ]
|
|
[ <a href="ch-sec-tools.en.html">8</a> ]
|
|
[ <a href="ch9.en.html">9</a> ]
|
|
[ <a href="ch10.en.html">10</a> ]
|
|
[ <a href="ch-after-compromise.en.html">11</a> ]
|
|
[ <a href="ch12.en.html">12</a> ]
|
|
[ <a href="ap-harden-step.en.html">A</a> ]
|
|
[ <a href="ap-checklist.en.html">B</a> ]
|
|
[ <a href="ap-snort-box.en.html">C</a> ]
|
|
[ <a href="ap-bridge-fw.en.html">D</a> ]
|
|
[ <a href="ap-bind-chuser.en.html">E</a> ]
|
|
[ <a href="ap-fw-security-update.en.html">F</a> ]
|
|
[ <a href="ap-chroot-ssh-env.en.html">G</a> ]
|
|
[ <a href="ap-chroot-apache-env.en.html">H</a> ]
|
|
[ <a href="ch-sec-tools.en.html">next</a> ]
|
|
</p>
|
|
|
|
<hr>
|
|
|
|
<h1>
|
|
Securing Debian Manual
|
|
<br>Chapter 7 - Debian Security Infrastructure
|
|
</h1>
|
|
|
|
<hr>
|
|
|
|
<h2><a name="s-debian-sec-team"></a>7.1 The Debian Security Team</h2>
|
|
|
|
<p>
|
|
Debian has a Security Team, that handles security in the <em>stable</em>
|
|
distribution. Handling security means they keep track of vulnerabilities that
|
|
arise in software (watching forums such as Bugtraq, or vuln-dev) and determine
|
|
if the <em>stable</em> distribution is affected by it.
|
|
</p>
|
|
|
|
<p>
|
|
Also, the Debian Security Team is the contact point for problems that are
|
|
coordinated by upstream developers or organizations such as <code><a
|
|
href="http://www.cert.org">CERT</a></code> which might affect multiple vendors.
|
|
That is, when problems are not Debian-specific. The contact point of the
|
|
Security Team is <code><a
|
|
href="mailto:team@security.debian.org">team@security.debian.org</a></code>
|
|
which only the members of the security team read.
|
|
</p>
|
|
|
|
<p>
|
|
Sensitive information should be sent to the first address and, in some cases,
|
|
should be encrypted with the Debian Security Contact key (as found in the
|
|
Debian keyring).
|
|
</p>
|
|
|
|
<p>
|
|
Once a probable problem is received by the Security Team it will investigate if
|
|
the <em>stable</em> distribution is affected and if it is, a fix is made for
|
|
the source code base. This fix will sometimes include backporting the patch
|
|
made upstream (which usually is some versions ahead of the one distributed by
|
|
Debian). After testing of the fix is done, new packages are prepared and
|
|
published in the <code><a
|
|
href="http://security.debian.org">http://security.debian.org</a></code> site so
|
|
they can be retrieved through <code>apt</code> (see <a
|
|
href="ch4.en.html#s-security-update">Execute a security update, Section
|
|
4.2</a>). At the same time a <em>Debian Security Advisory</em> (DSA) is
|
|
published on the web site and sent to public mailing lists including <code><a
|
|
href="http://lists.debian.org/debian-security-announce">debian-security-announce</a></code>
|
|
and Bugtraq.
|
|
</p>
|
|
|
|
<p>
|
|
Some other frequently asked questions on the Debian Security Team can be found
|
|
at <a href="ch12.en.html#s-debian-sec-team-faq">Questions regarding the Debian
|
|
security team, Section 12.3</a>.
|
|
</p>
|
|
|
|
<hr>
|
|
|
|
<h2><a name="s-dsa"></a>7.2 Debian Security Advisories</h2>
|
|
|
|
<p>
|
|
Debian Security Advisories (DSAs) are made whenever a security vulnerability is
|
|
discovered that affects a Debian package. These advisories, signed by one of
|
|
the Security Team members, include information of the versions affected as well
|
|
as the location of the updates. This information is:
|
|
</p>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
version number for the fix.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
problem type.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
whether it is remote or locally exploitable.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
short description of the package.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
description of the problem.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
description of the exploit.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
description of the fix.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
|
|
<p>
|
|
DSAs are published both on <code><a href="http://www.debian.org/">Debian's
|
|
frontpage</a></code> and in the <code><a
|
|
href="http://www.debian.org/security/">Debian security pages</a></code>.
|
|
Usually this does not happen until the website is rebuilt (every four hours) so
|
|
they might not be present immediately. The preferred channel is the
|
|
debian-security-announce mailing list.
|
|
</p>
|
|
|
|
<p>
|
|
Interested users can, however (and this is done in some Debian-related portals)
|
|
use the RDF channel to download automatically the DSAs to their desktop. Some
|
|
applications, such as <code>Evolution</code> (an email client and personal
|
|
information assistant) and <code>Multiticker</code> (a GNOME applet), can be
|
|
used to retrieve the advisories automatically. The RDF channel is available at
|
|
<code><a
|
|
href="http://www.debian.org/security/dsa.rdf">http://www.debian.org/security/dsa.rdf</a></code>.
|
|
</p>
|
|
|
|
<p>
|
|
DSAs published on the website might be updated after being sent to the
|
|
public-mailing lists. A common update is adding cross references to security
|
|
vulnerability databases. Also, translations[<a href="footnotes.en.html#f49"
|
|
name="fr49">49</a>] of DSAs are not sent to the security mailing lists but are
|
|
directly included in the website.
|
|
</p>
|
|
|
|
<hr>
|
|
|
|
<h3><a name="s-crossreference"></a>7.2.1 Vulnerability cross references</h3>
|
|
|
|
<p>
|
|
Debian provides a fully <code><a
|
|
href="http://www.debian.org/security/crossreferences">crossreferenced
|
|
table</a></code> including all the references available for all the advisories
|
|
published since 1998. This table is provided to complement the <code><a
|
|
href="http://cve.mitre.org/cve/refs/refmap/source-DEBIAN.html">reference map
|
|
available at CVE</a></code>.
|
|
</p>
|
|
|
|
<p>
|
|
You will notice that this table provides references to security databases such
|
|
as <code><a href="http://www.securityfocus.com/bid">Bugtraq</a></code>,
|
|
<code><a href="http://www.cert.org/advisories/">CERT/CC Advisories</a></code>
|
|
and <code><a href="http://www.kb.cert.org/vuls">US-CERT Vulnerability Notes
|
|
Database</a></code> as well as CVE names (see below). These references are
|
|
provided for convenience use, but only CVE references are periodically reviewed
|
|
and included.
|
|
</p>
|
|
|
|
<p>
|
|
Advantages of adding cross references to these vulnerability databases are:
|
|
</p>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
it makes it easier for Debian users to see and track which general (published)
|
|
advisories have already been covered by Debian.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
system administrators can learn more about the vulnerability and its impact by
|
|
following the cross references.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
this information can be used to cross-check output from vulnerability scanners
|
|
that include references to CVE to remove false positives (see <a
|
|
href="ch12.en.html#s-vulnasses-false-positive">Vulnerability assessment scanner
|
|
X says my Debian system is vulnerable!, Section 12.2.1</a>).
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
|
|
<hr>
|
|
|
|
<h3><a name="s-cve-compatible"></a>7.2.2 CVE compatibility</h3>
|
|
|
|
<p>
|
|
Debian Security Advisories were <code><a
|
|
href="http://www.debian.org/security/CVE-certificate.jpg">declared
|
|
CVE-Compatible</a></code>[<a href="footnotes.en.html#f50" name="fr50">50</a>]
|
|
in February 24, 2004.
|
|
</p>
|
|
|
|
<p>
|
|
Debian developers understand the need to provide accurate and up to date
|
|
information of the security status of the Debian distribution, allowing users
|
|
to manage the risk associated with new security vulnerabilities. CVE enables
|
|
us to provide standardized references that allow users to develop a <code><a
|
|
href="http://www.cve.mitre.org/compatible/enterprise.html">CVE-enabled security
|
|
management process</a></code>.
|
|
</p>
|
|
|
|
<p>
|
|
The <code><a href="http://cve.mitre.org">Common Vulnerabilities and Exposures
|
|
(CVE)</a></code> project is maintained by the MITRE Corporation and provides a
|
|
list of standardized names for vulnerabilities and security exposures.
|
|
</p>
|
|
|
|
<p>
|
|
Debian believes that providing users with additional information related to
|
|
security issues that affect the Debian distribution is extremely important.
|
|
The inclusion of CVE names in advisories help users associate generic
|
|
vulnerabilities with specific Debian updates, which reduces the time spent
|
|
handling vulnerabilities that affect our users. Also, it eases the management
|
|
of security in an environment where CVE-enabled security tools -such as network
|
|
or host intrusion detection systems, or vulnerability assessment tools- are
|
|
already deployed regardless of whether or not they are based on the Debian
|
|
distribution.
|
|
</p>
|
|
|
|
<p>
|
|
Debian provides CVE names for all DSAs released since September 1998. All of
|
|
the advisories can be retrieved on the Debian web site, and announcements
|
|
related to new vulnerabilities include CVE names if available at the time of
|
|
their release. Advisories associated with a given CVE name can be searched
|
|
directly through the Debian Security Tracker (see below).
|
|
</p>
|
|
|
|
<p>
|
|
In some cases you might not find a given CVE name in published advisories, for
|
|
example because:
|
|
</p>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
No Debian products are affected by that vulnerability.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
There is not yet an advisory covering that vulnerability (the security issue
|
|
might have been reported as a <code><a
|
|
href="http://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=security">security
|
|
bug</a></code> but a fix has not been tested and uploaded).
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
An advisory was published before a CVE name was assigned to a given
|
|
vulnerability (look for an update at the web site).
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
|
|
<hr>
|
|
|
|
<h2><a name="s7.3"></a>7.3 Security Tracker</h2>
|
|
|
|
<p>
|
|
The central database of what the Debian security teams know about
|
|
vulnerabilities is the <code><a
|
|
href="http://security-tracker.debian.net">Debian Security Tracker</a></code>.
|
|
It cross references packages, vulnerable and fixed versions for different
|
|
suites, CVE names, Debian bug numbers, DSA's and miscellaneous notes. It can
|
|
be searched, e.g. by CVE name to see which Debian packages are affected or
|
|
fixed, or by package to show unresolved security issues. The only information
|
|
missing from the tracker is confidential information that the security team
|
|
received under embargo.
|
|
</p>
|
|
|
|
<p>
|
|
The package <code>debsecan</code> uses the information in the tracker to report
|
|
to the administrator of a system which of the installed packages are
|
|
vulnerable, and for which updates are available to fix security issues.
|
|
</p>
|
|
|
|
<hr>
|
|
|
|
<h2><a name="s7.4"></a>7.4 Debian Security Build Infrastructure</h2>
|
|
|
|
<p>
|
|
Since Debian is currently supported in a large number of architectures,
|
|
administrators sometimes wonder if a given architecture might take more time to
|
|
receive security updates than another. As a matter of fact, except for rare
|
|
circumstances, updates are available to all architectures at the same time.
|
|
</p>
|
|
|
|
<p>
|
|
Packages in the security archive are autobuilt, just like the regular archive.
|
|
However, security updates are a little more different than normal uploads sent
|
|
by package maintainers since, in some cases, before being published they need
|
|
to wait until they can be tested further, an advisory written, or need to wait
|
|
for a week or more to avoid publicizing the flaw until all vendors have had a
|
|
reasonable chance to fix it.
|
|
</p>
|
|
|
|
<p>
|
|
Thus, the security upload archive works with the following procedure:
|
|
</p>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
Someone finds a security problem.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
Someone fixes the problem, and makes an upload to security-master.debian.org's
|
|
incoming (this <em>someone</em> is usually a Security Team member but can be
|
|
also a package maintainer with an appropriate fix that has contacted the
|
|
Security Team previously). The Changelog includes a <em>testing-security</em>
|
|
or <em>stable-security</em> as target distribution.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
The upload gets checked and processed by a Debian system and moved into
|
|
queue/accepted, and the buildds are notified. Files in here can be accessed by
|
|
the security team and (somewhat indirectly) by the buildds.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
Security-enabled buildds pick up the source package (prioritized over normal
|
|
builds), build it, and send the logs to the security team.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
The security team reply to the logs, and the newly built packages are uploaded
|
|
to queue/unchecked, where they're processed by a Debian system, and moved into
|
|
queue/accepted.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
When the security team find the source package acceptable (i.e., that it's been
|
|
correctly built for all applicable architectures and that it fixes the security
|
|
hole and doesn't introduce new problems of its own) they run a script which:
|
|
</p>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
installs the package into the security archive.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
updates the <code>Packages</code>, <code>Sources</code> and
|
|
<code>Release</code> files of security.debian.org in the usual way
|
|
(<code>dpkg-scanpackages</code>, <code>dpkg-scansources</code>, ...).
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
sets up a template advisory that the security team can finish off.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
forwards the packages to the appropriate proposed-updates so that it can be
|
|
included in the real archive as soon as possible.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
</li>
|
|
</ul>
|
|
|
|
<p>
|
|
This procedure, previously done by hand, was tested and put through during the
|
|
freezing stage of Debian 3.0 woody (July 2002). Thanks to this infrastructure
|
|
the Security Team was able to have updated packages ready for the apache and
|
|
OpenSSH issues for all the supported (almost twenty) architectures in less than
|
|
a day.
|
|
</p>
|
|
|
|
<hr>
|
|
|
|
<h3><a name="s7.4.1"></a>7.4.1 Developer's guide to security updates</h3>
|
|
|
|
<p>
|
|
Debian developers that need to coordinate with the security team on fixing in
|
|
issue in their packages, can refer to the Developer's Reference section
|
|
<code><a
|
|
href="http://www.debian.org/doc/manuals/developers-reference/pkgs.html#bug-security">Handling
|
|
security-related bugs</a></code>.
|
|
</p>
|
|
|
|
<hr>
|
|
|
|
<h2><a name="s-deb-pack-sign"></a>7.5 Package signing in Debian</h2>
|
|
|
|
<p>
|
|
This section could also be titled "how to upgrade/update safely your
|
|
Debian GNU/Linux system" and it deserves its own section basically because
|
|
it is an important part of the Security Infrastructure. Package signing is an
|
|
important issue since it avoids tampering of packages distributed in mirrors
|
|
and of downloads with man-in-the-middle attacks. Automatic software update is
|
|
an important feature but it's also important to remove security threats that
|
|
could help the distribution of trojans and the compromise of systems during
|
|
updates[<a href="footnotes.en.html#f51" name="fr51">51</a>].
|
|
</p>
|
|
|
|
<p>
|
|
Debian does not provide signed packages but provides a mechanism available
|
|
since Debian 4.0 (codename <em>etch</em>) to check for downloaded package's
|
|
integrity[<a href="footnotes.en.html#f52" name="fr52">52</a>]. For more
|
|
information, see <a href="#s-apt-0.6">Secure apt, Section 7.5.2</a>.
|
|
</p>
|
|
|
|
<p>
|
|
This issue is better described in the <code><a
|
|
href="http://www.cryptnet.net/fdp/crypto/strong_distro.html">Strong
|
|
Distribution HOWTO</a></code> by V. Alex Brennen.
|
|
</p>
|
|
|
|
<hr>
|
|
|
|
<h3><a name="s7.5.1"></a>7.5.1 The current scheme for package signature checks</h3>
|
|
|
|
<p>
|
|
The current scheme for package signature checking using <code>apt</code> is:
|
|
</p>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
the <code>Release</code> file includes the MD5 sum of <code>Packages.gz</code>
|
|
(which contains the MD5 sums of packages) and will be signed. The signature is
|
|
one of a trusted source.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
This signed <code>Release</code> file is downloaded by 'apt-get update' and
|
|
stored along with <code>Packages.gz</code>.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
When a package is going to be installed, it is first downloaded, then the MD5
|
|
sum is generated.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
The signed <code>Release</code> file is checked (signature ok) and it extracts
|
|
from it the MD5 sum for the <code>Packages.gz</code> file, the
|
|
<code>Packages.gz</code> checksum is generated and (if ok) the MD5 sum of the
|
|
downloaded package is extracted from it.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
If the MD5 sum from the downloaded package is the same as the one in the
|
|
<code>Packages.gz</code> file the package will be installed, otherwise the
|
|
administrator will be alerted and the package will be left in the cache (so the
|
|
administrator can decide whether to install it or not). If the package is not
|
|
in the <code>Packages.gz</code> and the administrator has configured the system
|
|
to only install checked packages it will not be installed either.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
|
|
<p>
|
|
By following the chain of MD5 sums <code>apt</code> is capable of verifying
|
|
that a package originates from a a specific release. This is less flexible
|
|
than signing each package one by one, but can be combined with that scheme too
|
|
(see below).
|
|
</p>
|
|
|
|
<p>
|
|
This scheme is <code><a
|
|
href="http://lists.debian.org/debian-devel/2003/debian-devel-200312/msg01986.html">fully
|
|
implemented</a></code> in apt 0.6 and is available since the Debian 4.0
|
|
release. For more information see <a href="#s-apt-0.6">Secure apt, Section
|
|
7.5.2</a>. Packages that provide a front-end to apt need to be modified to
|
|
adapt to this new feature; this is the case of <code>aptitude</code> which was
|
|
<code><a
|
|
href="http://lists.debian.org/debian-devel/2005/03/msg02641.html">modified</a></code>
|
|
to adapt to this scheme. Front-ends currently known to work properly with this
|
|
feature include <code>aptitude</code> and <code>synaptic</code>.
|
|
</p>
|
|
|
|
<p>
|
|
Package signing has been discussed in Debian for quite some time, for more
|
|
information you can read: <code><a
|
|
href="http://www.debian.org/News/weekly/2001/8/">http://www.debian.org/News/weekly/2001/8/</a></code>
|
|
and <code><a
|
|
href="http://www.debian.org/News/weekly/2000/11/">http://www.debian.org/News/weekly/2000/11/</a></code>.
|
|
</p>
|
|
|
|
<hr>
|
|
|
|
<h3><a name="s-apt-0.6"></a>7.5.2 Secure apt</h3>
|
|
|
|
<p>
|
|
The apt 0.6 release, available since Debian 4.0 <em>etch</em> and later
|
|
releases, includes <em>apt-secure</em> (also known as <em>secure apt</em>)
|
|
which is a tool that will allow a system administrator to test the integrity of
|
|
the packages downloaded through the above scheme. This release includes the
|
|
tool <code>apt-key</code> for adding new keys to apt's keyring, which by
|
|
default includes only the current Debian archive signing key.
|
|
</p>
|
|
|
|
<p>
|
|
These changes are based on the patch for <code>apt</code> (available in
|
|
<code><a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=203741">Bug
|
|
#203741</a></code>) which provides this implementation.
|
|
</p>
|
|
|
|
<p>
|
|
Secure apt works by checking the distribution through the <code>Release</code>
|
|
file, as discussed in <a href="#s-check-releases">Per distribution release
|
|
check, Section 7.5.3</a>. Typically, this process will be transparent to the
|
|
administrator although you will need to intervene every year[<a
|
|
href="footnotes.en.html#f53" name="fr53">53</a>] to add the new archive key
|
|
when it is rotated, for more information on the steps an administrator needs to
|
|
take a look at <a href="#s-secure-apt-add-key">Safely adding a key, Section
|
|
7.5.3.7</a>.
|
|
</p>
|
|
|
|
<p>
|
|
This feature is still under development, if you believe you find bugs in it,
|
|
please, make first sure you are using the latest version (as this package might
|
|
change quite a bit before it is finally released) and, if running the latest
|
|
version, submit a bug against the <code>apt</code> package.
|
|
</p>
|
|
|
|
<p>
|
|
You can find more information at <code><a
|
|
href="http://wiki.debian.org/SecureApt">the wiki pages</a></code> and the
|
|
official documentation: <code><a
|
|
href="http://www.enyo.de/fw/software/apt-secure/">Migration to APT
|
|
0.6</a></code> and <code><a href="http://www.syntaxpolice.org/apt-secure/">APT
|
|
Signature Checking</a></code>.
|
|
</p>
|
|
|
|
<hr>
|
|
|
|
<h3><a name="s-check-releases"></a>7.5.3 Per distribution release check</h3>
|
|
|
|
<p>
|
|
This section describes how the distribution release check mechanism works, it
|
|
was written by Joey Hess and is also available at the <code><a
|
|
href="http://wiki.debian.org/SecureApt">Debian Wiki</a></code>.
|
|
</p>
|
|
|
|
<hr>
|
|
|
|
<h4><a name="s7.5.3.1"></a>7.5.3.1 Basic concepts</h4>
|
|
|
|
<p>
|
|
Here are a few basic concepts that you'll need to understand for the rest of
|
|
this section.
|
|
</p>
|
|
|
|
<p>
|
|
A checksum is a method of taking a file and boiling it down to a reasonably
|
|
short number that uniquely identifies the content of the file. This is a lot
|
|
harder to do well than it might seem, and the most commonly used type of
|
|
checksum, the MD5 sum, is in the process of being broken.
|
|
</p>
|
|
|
|
<p>
|
|
Public key cryptography is based on pairs of keys, a public key and a private
|
|
key. The public key is given out to the world; the private key must be kept a
|
|
secret. Anyone possessing the public key can encrypt a message so that it can
|
|
only be read by someone possessing the private key. It's also possible to use
|
|
a private key to sign a file, not encrypt it. If a private key is used to sign
|
|
a file, then anyone who has the public key can check that the file was signed
|
|
by that key. No one who doesn't have the private key can forge such a
|
|
signature.
|
|
</p>
|
|
|
|
<p>
|
|
These keys are quite long numbers (1024 to 2048 digits or longer), and to make
|
|
them easier to work with they have a key id, which is a shorter, 8 or 16 digit
|
|
number that can be used to refer to them.
|
|
</p>
|
|
|
|
<p>
|
|
<code>gpg</code> is the tool used in secure apt to sign files and check their
|
|
signatures.
|
|
</p>
|
|
|
|
<p>
|
|
<code>apt-key</code> is a program that is used to manage a keyring of gpg keys
|
|
for secure apt. The keyring is kept in the file
|
|
<code>/etc/apt/trusted.gpg</code> (not to be confused with the related but not
|
|
very interesting <code>/etc/apt/trustdb.gpg</code>). <code>apt-key</code> can
|
|
be used to show the keys in the keyring, and to add or remove a key.
|
|
</p>
|
|
|
|
<hr>
|
|
|
|
<h4><a name="s7.5.3.2"></a>7.5.3.2 <code>Release</code> checksums</h4>
|
|
|
|
<p>
|
|
A Debian archive contains a <code>Release</code> file, which is updated each
|
|
time any of the packages in the archive change. Among other things, the
|
|
<code>Release</code> file contains some MD5 sums of other files in the archive.
|
|
An excerpt of an example <code>Release</code> file:
|
|
</p>
|
|
|
|
<pre>
|
|
MD5Sum:
|
|
6b05b392f792ba5a436d590c129de21f 3453 Packages
|
|
1356479a23edda7a69f24eb8d6f4a14b 1131 Packages.gz
|
|
2a5167881adc9ad1a8864f281b1eb959 1715 Sources
|
|
88de3533bf6e054d1799f8e49b6aed8b 658 Sources.gz
|
|
</pre>
|
|
|
|
<p>
|
|
The <code>Release</code> files also include SHA-1 checksums, which will be
|
|
useful once MD5 sums become fully broken, however apt doesn't use them yet.
|
|
</p>
|
|
|
|
<p>
|
|
Now if we look inside a <code>Packages</code> file, we'll find more MD5 sums,
|
|
one for each package listed in it. For example:
|
|
</p>
|
|
|
|
<pre>
|
|
Package: uqm
|
|
Priority: optional
|
|
...
|
|
Filename: unstable/uqm_0.4.0-1_i386.deb
|
|
Size: 580558
|
|
MD5sum: 864ec6157c1eea88acfef44d0f34d219
|
|
</pre>
|
|
|
|
<p>
|
|
These two checksums can be used to verify that you have downloaded a correct
|
|
copy of the <code>Packages</code> file, with a md5sum that matches the one in
|
|
the <code>Release</code> file. And when it downloads an individual package, it
|
|
can also check its md5sum against the content of the <code>Packages</code>
|
|
file. If apt fails at either of these steps, it will abort.
|
|
</p>
|
|
|
|
<p>
|
|
None of this is new in secure apt, but it does provide the foundation. Notice
|
|
that so far there is one file that apt doesn't have a way to check: The Release
|
|
file. Secure apt is all about making apt verify the <code>Release</code> file
|
|
before it does anything else with it, and plugging this hole, so that there is
|
|
a chain of verification from the package that you are going to install all the
|
|
way back to the provider of the package.
|
|
</p>
|
|
|
|
<hr>
|
|
|
|
<h4><a name="s7.5.3.3"></a>7.5.3.3 Verification of the <code>Release</code> file</h4>
|
|
|
|
<p>
|
|
To verify the <code>Release</code> file, a gpg signature is added for the
|
|
<code>Release</code> file. This is put in a file named
|
|
<code>Release.gpg</code> that is shipped alongside the <code>Release</code>
|
|
file. It looks something like this [<a href="footnotes.en.html#f54"
|
|
name="fr54">54</a>] , although only gpg actually looks at its contents
|
|
normally:
|
|
</p>
|
|
|
|
<pre>
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: GnuPG v1.4.1 (GNU/Linux)
|
|
|
|
iD8DBQBCqKO1nukh8wJbxY8RAsfHAJ9hu8oGNRAl2MSmP5+z2RZb6FJ8kACfWvEx
|
|
UBGPVc7jbHHsg78EhMBlV/U=
|
|
=x6og
|
|
-----END PGP SIGNATURE-----
|
|
</pre>
|
|
|
|
<hr>
|
|
|
|
<h4><a name="s7.5.3.4"></a>7.5.3.4 Check of <code>Release.gpg</code> by <code>apt</code></h4>
|
|
|
|
<p>
|
|
Secure apt always downloads <code>Release.gpg</code> files when it's
|
|
downloading <code>Release</code> files, and if it cannot download the
|
|
<code>Release.gpg</code>, or if the signature is bad, it will complain, and
|
|
will make note that the <code>Packages</code> files that the
|
|
<code>Release</code> file points to, and all the packages listed therein, are
|
|
from an untrusted source. Here's how it looks during an <code>apt-get
|
|
update</code>:
|
|
</p>
|
|
|
|
<pre>
|
|
W: GPG error: http://ftp.us.debian.org testing Release: The following signatures
|
|
couldn't be verified because the public key is not available: NO_PUBKEY 010908312D230C5F
|
|
</pre>
|
|
|
|
<p>
|
|
Note that the second half of the long number is the key id of the key that apt
|
|
doesn't know about, in this case that's 2D230C5F.
|
|
</p>
|
|
|
|
<p>
|
|
If you ignore that warning and try to install a package later, apt will warn
|
|
again:
|
|
</p>
|
|
|
|
<pre>
|
|
WARNING: The following packages cannot be authenticated!
|
|
libglib-perl libgtk2-perl
|
|
Install these packages without verification [y/N]?
|
|
</pre>
|
|
|
|
<p>
|
|
If you say Y here you have no way to know if the file you're getting is the
|
|
package you're supposed to install, or if it's something else entirely that
|
|
somebody that can intercept the communication against the server[<a
|
|
href="footnotes.en.html#f55" name="fr55">55</a>] has arranged for you,
|
|
containing a nasty suprise.
|
|
</p>
|
|
|
|
<p>
|
|
Note that you can disable these checks by running apt with
|
|
--allow-unauthenticated.
|
|
</p>
|
|
|
|
<p>
|
|
It's also worth noting that newer versions of the Debian installer use the same
|
|
signed <code>Release</code> file mechanism during their debootstrap of the
|
|
Debian base system, before apt is available, and that the installer even uses
|
|
this system to verify pieces of itself that it downloads from the net. Also,
|
|
Debian does not currently sign the <code>Release</code> files on its CDs; apt
|
|
can be configured to always trust packages from CDs so this is not a large
|
|
problem.
|
|
</p>
|
|
|
|
<hr>
|
|
|
|
<h4><a name="s7.5.3.5"></a>7.5.3.5 How to tell apt what to trust</h4>
|
|
|
|
<p>
|
|
So the security of the whole system depends on there being a
|
|
<code>Release.gpg</code> file, which signs a <code>Release</code> file, and of
|
|
<code>apt</code> checking that signature using gpg. To check the signature, it
|
|
has to know the public key of the person who signed the file. These keys are
|
|
kept in apt's own keyring (<code>/etc/apt/trusted.gpg</code>), and managing the
|
|
keys is where secure apt comes in.
|
|
</p>
|
|
|
|
<p>
|
|
By default, Debian systems come preconfigured with the Debian archive key in
|
|
the keyring.
|
|
</p>
|
|
|
|
<pre>
|
|
# apt-key list
|
|
/etc/apt/trusted.gpg
|
|
--------------------
|
|
pub 1024D/4F368D5D 2005-01-31 [expires: 2006-01-31]
|
|
uid Debian Archive Automatic Signing Key (2005) <ftpmaster@debian.org>
|
|
</pre>
|
|
|
|
<p>
|
|
Here 4F368D5D is the key id, and notice that this key was only valid for a one
|
|
year period. Debian rotates these keys as a last line of defense against some
|
|
sort of security breach breaking a key.
|
|
</p>
|
|
|
|
<p>
|
|
That will make <code>apt</code> trust the official Debian archive, but if you
|
|
add some other apt repository to <code>/etc/apt/sources.list</code>, you'll
|
|
also have to give <code>apt</code> its key if you want apt to trust it. Once
|
|
you have the key and have verified it, it's a simple matter of running
|
|
<code>apt-key add file</code> to add it. Getting the key and verifying it are
|
|
the trickier parts.
|
|
</p>
|
|
|
|
<hr>
|
|
|
|
<h4><a name="s7.5.3.6"></a>7.5.3.6 Finding the key for a repository</h4>
|
|
|
|
<p>
|
|
The debian-archive-keyring package is used to distribute keys to
|
|
<code>apt</code>. Upgrades to this package can add (or remove) gpg keys for
|
|
the main Debian archive.
|
|
</p>
|
|
|
|
<p>
|
|
For other archives, there is not yet a standard location where you can find the
|
|
key for a given apt repository. There's a rough standard of putting the key up
|
|
on the web page for the repository or as a file in the repository itself, but
|
|
no real standard, so you might have to hunt for it.
|
|
</p>
|
|
|
|
<p>
|
|
The Debian archive signing key is available at <code><a
|
|
href="http://ftp-master.debian.org/ziyi_key_2006.asc">http://ftp-master.debian.org/ziyi_key_2006.asc</a></code>
|
|
(replace 2006 with current year).[<a href="footnotes.en.html#f56"
|
|
name="fr56">56</a>]
|
|
</p>
|
|
|
|
<p>
|
|
<code>gpg</code> itself has a standard way to distribute keys, using a
|
|
keyserver that gpg can download a key from and add it to its keyring. For
|
|
example:
|
|
</p>
|
|
|
|
<pre>
|
|
$ gpg --keyserver pgpkeys.mit.edu --recv-key 2D230C5F
|
|
gpg: requesting key 2D230C5F from hkp server pgpkeys.mit.edu
|
|
gpg: key 2D230C5F: public key "Debian Archive Automatic Signing Key (2006) <ftpm
|
|
aster@debian.org>" imported
|
|
gpg: Total number processed: 1
|
|
gpg: imported: 1
|
|
</pre>
|
|
|
|
<p>
|
|
You can then export that key from your own keyring and feed it to
|
|
<code>apt-key</code>:
|
|
</p>
|
|
|
|
<pre>
|
|
$ gpg -a --export 2D230C5F | sudo apt-key add -
|
|
gpg: no ultimately trusted keys found
|
|
OK
|
|
</pre>
|
|
|
|
<p>
|
|
The "gpg: no ultimately trusted keys found" warning means that gpg
|
|
was not configured to ultimately trust a specific key. Trust settings are part
|
|
of OpenPGPs Web-of-Trust which does not apply here. So there is no problem
|
|
with this warning. In typical setups the user's own key is ultimately trusted.
|
|
</p>
|
|
|
|
<hr>
|
|
|
|
<h4><a name="s-secure-apt-add-key"></a>7.5.3.7 Safely adding a key</h4>
|
|
|
|
<p>
|
|
By adding a key to apt's keyring, you're telling apt to trust everything signed
|
|
by the key, and this lets you know for sure that apt won't install anything not
|
|
signed by the person who possesses the private key. But if you're sufficiently
|
|
paranoid, you can see that this just pushes things up a level, now instead of
|
|
having to worry if a package, or a <code>Release</code> file is valid, you can
|
|
worry about whether you've actually gotten the right key. Is the <code><a
|
|
href="http://ftp-master.debian.org/ziyi_key_2006.asc">http://ftp-master.debian.org/ziyi_key_2006.asc</a></code>
|
|
file mentioned above really Debian's archive signing key, or has it been
|
|
modified (or this document lies).
|
|
</p>
|
|
|
|
<p>
|
|
It's good to be paranoid in security, but verifying things from here is harder.
|
|
<code>gpg</code> has the concept of a chain of trust, which can start at
|
|
someone you're sure of, who signs someone's key, who signs some other key,
|
|
etc., until you get to the archive key. If you're sufficiently paranoid you'll
|
|
want to check that your archive key is signed by a key that you can trust, with
|
|
a trust chain that goes back to someone you know personally. If you want to do
|
|
this, visit a Debian conference or perhaps a local LUG for a key signing [<a
|
|
href="footnotes.en.html#f57" name="fr57">57</a>].
|
|
</p>
|
|
|
|
<p>
|
|
If you can't afford this level of paranoia, do whatever feels appropriate to
|
|
you when adding a new apt source and a new key. Maybe you'll want to mail the
|
|
person providing the key and verify it, or maybe you're willing to take your
|
|
chances with downloading it and assuming you got the real thing. The important
|
|
thing is that by reducing the problem to what archive keys to trust, secure apt
|
|
lets you be as careful and secure as it suits you to be.
|
|
</p>
|
|
|
|
<hr>
|
|
|
|
<h4><a name="s7.5.3.8"></a>7.5.3.8 Verifying key integrity</h4>
|
|
|
|
<p>
|
|
You can verify the fingerprint as well as the signatures on the key.
|
|
Retrieving the fingerprint can be done for multiple sources, you can check
|
|
<code><a href="http://debiansystem.info/readers/changes/547-ziyi-key-2006">The
|
|
Debian System Book</a></code>, talk to Debian Developers on IRC, read the
|
|
mailing list where the key change will be announced or any other additional
|
|
means to verify the fingerprint. For example you can do this:
|
|
</p>
|
|
|
|
<pre>
|
|
$ GET http://ftp-master.debian.org/ziyi_key_2006.asc | gpg --import
|
|
gpg: key 2D230C5F: public key "Debian Archive Automatic Signing Key (2006)
|
|
<ftpmaster&debian.org>" imported
|
|
gpg: Total number processed: 1
|
|
gpg: imported: 1
|
|
$ gpg --check-sigs --fingerprint 2D230C5F
|
|
pub 1024D/2D230C5F 2006-01-03 [expires: 2007-02-07]
|
|
Key fingerprint = 0847 50FC 01A6 D388 A643 D869 0109 0831 2D23 0C5F
|
|
uid Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>
|
|
sig!3 2D230C5F 2006-01-03 Debian Archive Automatic Signing Key
|
|
(2006) <ftpmaster@debian.org>
|
|
sig! 2A4E3EAA 2006-01-03 Anthony Towns <aj@azure.humbug.org.au>
|
|
sig! 4F368D5D 2006-01-03 Debian Archive Automatic Signing Key
|
|
(2005) <ftpmaster@debian.org>
|
|
sig! 29982E5A 2006-01-04 Steve Langasek <vorlon@dodds.net>
|
|
sig! FD6645AB 2006-01-04 Ryan Murray <rmurray@cyberhqz.com>
|
|
sig! AB2A91F5 2006-01-04 James Troup <james@nocrew.org>
|
|
</pre>
|
|
|
|
<p>
|
|
and then <code><a
|
|
href="http://www.debian.org/doc/manuals/securing-debian-howto/ch7.en.html#s-deb-pack-sign">check
|
|
the trust path</a></code> from your key (or a key you trust) to at least one of
|
|
the keys used to sign the archive key. If you are sufficiently paranoid you
|
|
will tell apt to trust the key only if you find an acceptable path:
|
|
</p>
|
|
|
|
<pre>
|
|
$ gpg --export -a 2D230C5F | sudo apt-key add -
|
|
Ok
|
|
</pre>
|
|
|
|
<p>
|
|
Note that the key is signed with the previous archive key, so theoretically you
|
|
can just build on your previous trust.
|
|
</p>
|
|
|
|
<hr>
|
|
|
|
<h4><a name="s7.5.3.9"></a>7.5.3.9 Debian archive key yearly rotation</h4>
|
|
|
|
<p>
|
|
As mentioned above, the Debian archive signing key is changed each year, in
|
|
January. Since secure apt is young, we don't have a great deal of experience
|
|
with changing the key and there are still rough spots.
|
|
</p>
|
|
|
|
<p>
|
|
In January 2006, a new key for 2006 was made and the <code>Release</code> file
|
|
began to be signed by it, but to try to avoid breaking systems that had the old
|
|
2005 key, the <code>Release</code> file was signed by that as well. The intent
|
|
was that apt would accept one signature or the other depending on the key it
|
|
had, but apt turned out to be buggy and refused to trust the file unless it had
|
|
both keys and was able to check both signatures. This was fixed in apt version
|
|
0.6.43.1. There was also confusion about how the key was distributed to users
|
|
who already had systems using secure apt; initially it was uploaded to the web
|
|
site with no announcement and no real way to verify it and users were forced to
|
|
download it by hand.
|
|
</p>
|
|
|
|
<p>
|
|
In January 2006, a new key for 2006 was made and the Release file began to be
|
|
signed by it, but to try to avoid breaking systems that had the old 2005 key,
|
|
the <code>Release</code> file was signed by that as well. In order to prevent
|
|
confusion on the best distribution mechanism for users who already have systems
|
|
using secure apt, the debian-archive-keyring package was introduced, which
|
|
manages apt keyring updates.
|
|
</p>
|
|
|
|
<hr>
|
|
|
|
<h4><a name="s7.5.3.10"></a>7.5.3.10 Known release checking problems</h4>
|
|
|
|
<p>
|
|
One not so obvious problem is that if your clock is very far off, secure apt
|
|
will not work. If it's set to a date in the past, such as 1999, apt will fail
|
|
with an unhelpful message such as this:
|
|
</p>
|
|
|
|
<pre>
|
|
W: GPG error: http://archive.progeny.com sid Release: Unknown error executing gpg
|
|
</pre>
|
|
|
|
<p>
|
|
Although <code>apt-key</code> list will make the problem plain:
|
|
</p>
|
|
|
|
<pre>
|
|
gpg: key 2D230C5F was created 192324901 seconds in the future (time warp or clock problem)
|
|
gpg: key 2D230C5F was created 192324901 seconds in the future (time warp or clock problem)
|
|
pub 1024D/2D230C5F 2006-01-03
|
|
uid Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>
|
|
</pre>
|
|
|
|
<p>
|
|
If it's set to a date too far in the future, apt will treat the keys as
|
|
expired.
|
|
</p>
|
|
|
|
<p>
|
|
Another problem you may encouter if using testing or unstable is that if you
|
|
have not run <code>apt-get update</code> lately and <code>apt-get
|
|
install</code> a package, apt might complain that it cannot be authenticated
|
|
(why does it do this?). <code>apt-get update</code> will fix this.
|
|
</p>
|
|
|
|
<hr>
|
|
|
|
<h4><a name="s-manual-check-releases"></a>7.5.3.11 Manual per distribution release check</h4>
|
|
|
|
<p>
|
|
In case you want to add now the additional security checks and don't want or
|
|
cannot run the latest apt version[<a href="footnotes.en.html#f58"
|
|
name="fr58">58</a>] you can use the script below, provided by Anthony Towns.
|
|
This script can automatically do some new security checks to allow the user to
|
|
be sure that the software s/he's downloading matches the software Debian's
|
|
distributing. This stops Debian developers from hacking into someone's system
|
|
without the accountability provided by uploading to the main archive, or
|
|
mirrors mirroring something almost, but not quite like Debian, or mirrors
|
|
providing out of date copies of unstable with known security problems.
|
|
</p>
|
|
|
|
<p>
|
|
This sample code, renamed as <code>apt-check-sigs</code>, should be used in the
|
|
following way:
|
|
</p>
|
|
|
|
<pre>
|
|
# apt-get update
|
|
# apt-check-sigs
|
|
(...results...)
|
|
# apt-get dist-upgrade
|
|
</pre>
|
|
|
|
<p>
|
|
First you need to:
|
|
</p>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
get the keys the archive software uses to sign <code>Release</code> files,
|
|
<code><a
|
|
href="http://ftp-master.debian.org/ziyi_key_2006.asc">http://ftp-master.debian.org/ziyi_key_2006.asc</a></code>
|
|
and add them to <code>~/.gnupg/trustedkeys.gpg</code> (which is what
|
|
<code>gpgv</code> uses by default).
|
|
</p>
|
|
|
|
<pre>
|
|
gpg --no-default-keyring --keyring trustedkeys.gpg --import ziyi_key_2006.asc
|
|
</pre>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
remove any <code>/etc/apt/sources.list</code> lines that don't use the normal
|
|
"dists" structure, or change the script so that it works with them.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
be prepared to ignore the fact that Debian security updates don't have signed
|
|
<code>Release</code> files, and that <code>Sources</code> files don't have
|
|
appropriate checksums in the <code>Release</code> file (yet).
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
be prepared to check that the appropriate sources are signed by the appropriate
|
|
keys.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
|
|
<p>
|
|
This is the example code for <code>apt-check-sigs</code>, the latest version
|
|
can be retrieved from <code><a
|
|
href="http://people.debian.org/~ajt/apt-check-sigs">http://people.debian.org/~ajt/apt-check-sigs</a></code>.
|
|
This code is currently in beta, for more information read <code><a
|
|
href="http://lists.debian.org/debian-devel/2002/debian-devel-200207/msg00421.html">http://lists.debian.org/debian-devel/2002/debian-devel-200207/msg00421.html</a></code>.
|
|
</p>
|
|
|
|
<pre>
|
|
#!/bin/bash
|
|
|
|
# Copyright (c) 2001 Anthony Towns <ajt@debian.org>
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation; either version 2 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
|
|
rm -rf /tmp/apt-release-check
|
|
mkdir /tmp/apt-release-check || exit 1
|
|
cd /tmp/apt-release-check
|
|
|
|
>OK
|
|
>MISSING
|
|
>NOCHECK
|
|
>BAD
|
|
|
|
arch=`dpkg --print-installation-architecture`
|
|
|
|
am_root () {
|
|
[ `id -u` -eq 0 ]
|
|
}
|
|
|
|
get_md5sumsize () {
|
|
cat "$1" | awk '/^MD5Sum:/,/^SHA1:/' |
|
|
MYARG="$2" perl -ne '@f = split /\s+/; if ($f[3] eq $ENV{"MYARG"}) {
|
|
print "$f[1] $f[2]\n"; exit(0); }'
|
|
}
|
|
|
|
checkit () {
|
|
local FILE="$1"
|
|
local LOOKUP="$2"
|
|
|
|
Y="`get_md5sumsize Release "$LOOKUP"`"
|
|
Y="`echo "$Y" | sed 's/^ *//;s/ */ /g'`"
|
|
|
|
if [ ! -e "/var/lib/apt/lists/$FILE" ]; then
|
|
if [ "$Y" = "" ]; then
|
|
# No file, but not needed anyway
|
|
echo "OK"
|
|
return
|
|
fi
|
|
echo "$FILE" >>MISSING
|
|
echo "MISSING $Y"
|
|
return
|
|
fi
|
|
if [ "$Y" = "" ]; then
|
|
echo "$FILE" >>NOCHECK
|
|
echo "NOCHECK"
|
|
return
|
|
fi
|
|
X="`md5sum < /var/lib/apt/lists/$FILE | cut -d\ -f1` `wc -c < /var/lib
|
|
/apt/lists/$FILE`"
|
|
X="`echo "$X" | sed 's/^ *//;s/ */ /g'`"
|
|
if [ "$X" != "$Y" ]; then
|
|
echo "$FILE" >>BAD
|
|
echo "BAD"
|
|
return
|
|
fi
|
|
echo "$FILE" >>OK
|
|
echo "OK"
|
|
}
|
|
|
|
echo
|
|
echo "Checking sources in /etc/apt/sources.list:"
|
|
echo "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
|
|
echo
|
|
(echo "You should take care to ensure that the distributions you're downloading
|
|
"
|
|
echo "are the ones you think you are downloading, and that they are as up to"
|
|
echo "date as you would expect (testing and unstable should be no more than"
|
|
echo "two or three days out of date, stable-updates no more than a few weeks"
|
|
echo "or a month)."
|
|
) | fmt
|
|
echo
|
|
|
|
cat /etc/apt/sources.list |
|
|
sed 's/^ *//' | grep '^[^#]' |
|
|
while read ty url dist comps; do
|
|
if [ "${url%%:*}" = "http" -o "${url%%:*}" = "ftp" ]; then
|
|
baseurl="${url#*://}"
|
|
else
|
|
continue
|
|
fi
|
|
|
|
echo "Source: ${ty} ${url} ${dist} ${comps}"
|
|
|
|
rm -f Release Release.gpg
|
|
lynx -reload -dump "${url}/dists/${dist}/Release" >/dev/null 2>&1
|
|
wget -q -O Release "${url}/dists/${dist}/Release"
|
|
|
|
if ! grep -q '^' Release; then
|
|
echo " * NO TOP-LEVEL Release FILE"
|
|
>Release
|
|
else
|
|
origline=`sed -n 's/^Origin: *//p' Release | head -1`
|
|
lablline=`sed -n 's/^Label: *//p' Release | head -1`
|
|
suitline=`sed -n 's/^Suite: *//p' Release | head -1`
|
|
codeline=`sed -n 's/^Codename: *//p' Release | head -1`
|
|
dateline=`grep "^Date:" Release | head -1`
|
|
dscrline=`grep "^Description:" Release | head -1`
|
|
echo " o Origin: $origline/$lablline"
|
|
echo " o Suite: $suitline/$codeline"
|
|
echo " o $dateline"
|
|
echo " o $dscrline"
|
|
|
|
if [ "${dist%%/*}" != "$suitline" -a "${dist%%/*}" != "$codeline" ]; then
|
|
echo " * WARNING: asked for $dist, got $suitline/$codeline"
|
|
fi
|
|
|
|
lynx -reload -dump "${url}/dists/${dist}/Release.gpg" >/dev/null 2>&1
|
|
wget -q -O Release.gpg "${url}/dists/${dist}/Release.gpg"
|
|
|
|
gpgv --status-fd 3 Release.gpg Release 3>&1 >/dev/null 2>&1 | sed -n "s/^\[GNUPG:\] //p" | (okay=0; err=""; while read gpgcode rest; do
|
|
if [ "$gpgcode" = "GOODSIG" ]; then
|
|
if [ "$err" != "" ]; then
|
|
echo " * Signed by ${err# } key: ${rest#* }"
|
|
else
|
|
echo " o Signed by: ${rest#* }"
|
|
okay=1
|
|
fi
|
|
err=""
|
|
elif [ "$gpgcode" = "BADSIG" ]; then
|
|
echo " * BAD SIGNATURE BY: ${rest#* }"
|
|
err=""
|
|
elif [ "$gpgcode" = "ERRSIG" ]; then
|
|
echo " * COULDN'T CHECK SIGNATURE BY KEYID: ${rest %% *}"
|
|
err=""
|
|
elif [ "$gpgcode" = "SIGREVOKED" ]; then
|
|
err="$err REVOKED"
|
|
elif [ "$gpgcode" = "SIGEXPIRED" ]; then
|
|
err="$err EXPIRED"
|
|
fi
|
|
done
|
|
if [ "$okay" != 1 ]; then
|
|
echo " * NO VALID SIGNATURE"
|
|
>Release
|
|
fi)
|
|
fi
|
|
okaycomps=""
|
|
for comp in $comps; do
|
|
if [ "$ty" = "deb" ]; then
|
|
X=$(checkit "`echo "${baseurl}/dists/${dist}/${comp}/binary-${arch}/Release" | sed 's,//*,_,g'`" "${comp}/binary-${arch}/Release")
|
|
Y=$(checkit "`echo "${baseurl}/dists/${dist}/${comp}/binary-${arch}/Packages" | sed 's,//*,_,g'`" "${comp}/binary-${arch}/Packages")
|
|
if [ "$X $Y" = "OK OK" ]; then
|
|
okaycomps="$okaycomps $comp"
|
|
else
|
|
echo " * PROBLEMS WITH $comp ($X, $Y)"
|
|
fi
|
|
elif [ "$ty" = "deb-src" ]; then
|
|
X=$(checkit "`echo "${baseurl}/dists/${dist}/${comp}/source/Release" | sed 's,//*,_,g'`" "${comp}/source/Release")
|
|
Y=$(checkit "`echo "${baseurl}/dists/${dist}/${comp}/source/Sources" | sed 's,//*,_,g'`" "${comp}/source/Sources")
|
|
if [ "$X $Y" = "OK OK" ]; then
|
|
okaycomps="$okaycomps $comp"
|
|
else
|
|
echo " * PROBLEMS WITH component $comp ($X, $Y)"
|
|
fi
|
|
fi
|
|
done
|
|
[ "$okaycomps" = "" ] || echo " o Okay:$okaycomps"
|
|
echo
|
|
done
|
|
|
|
echo "Results"
|
|
echo "~~~~~~~"
|
|
echo
|
|
|
|
allokay=true
|
|
|
|
cd /tmp/apt-release-check
|
|
diff <(cat BAD MISSING NOCHECK OK | sort) <(cd /var/lib/apt/lists && find . -type f -maxdepth 1 | sed 's,^\./,,g' | grep '_' | sort) | sed -n 's/^> //p' >UNVALIDATED
|
|
|
|
cd /tmp/apt-release-check
|
|
if grep -q ^ UNVALIDATED; then
|
|
allokay=false
|
|
(echo "The following files in /var/lib/apt/lists have not been validated."
|
|
echo "This could turn out to be a harmless indication that this script"
|
|
echo "is buggy or out of date, or it could let trojaned packages get onto"
|
|
echo "your system."
|
|
) | fmt
|
|
echo
|
|
sed 's/^/ /' < UNVALIDATED
|
|
echo
|
|
fi
|
|
|
|
if grep -q ^ BAD; then
|
|
allokay=false
|
|
(echo "The contents of the following files in /var/lib/apt/lists does not"
|
|
echo "match what was expected. This may mean these sources are out of date,"
|
|
echo "that the archive is having problems, or that someone is actively"
|
|
echo "using your mirror to distribute trojans."
|
|
if am_root; then
|
|
echo "The files have been renamed to have the extension .FAILED and"
|
|
echo "will be ignored by apt."
|
|
cat BAD | while read a; do
|
|
mv /var/lib/apt/lists/$a /var/lib/apt/lists/${a}.FAILED
|
|
done
|
|
fi) | fmt
|
|
echo
|
|
sed 's/^/ /' < BAD
|
|
echo
|
|
fi
|
|
|
|
if grep -q ^ MISSING; then
|
|
allokay=false
|
|
(echo "The following files from /var/lib/apt/lists were missing. This"
|
|
echo "may cause you to miss out on updates to some vulnerable packages."
|
|
) | fmt
|
|
echo
|
|
sed 's/^/ /' < MISSING
|
|
echo
|
|
fi
|
|
|
|
if grep -q ^ NOCHECK; then
|
|
allokay=false
|
|
(echo "The contents of the following files in /var/lib/apt/lists could not"
|
|
echo "be validated due to the lack of a signed Release file, or the lack"
|
|
echo "of an appropriate entry in a signed Release file. This probably"
|
|
echo "means that the maintainers of these sources are slack, but may mean"
|
|
echo "these sources are being actively used to distribute trojans."
|
|
if am_root; then
|
|
echo "The files have been renamed to have the extension .FAILED and"
|
|
echo "will be ignored by apt."
|
|
cat NOCHECK | while read a; do
|
|
mv /var/lib/apt/lists/$a /var/lib/apt/lists/${a}.FAILED
|
|
done
|
|
fi) | fmt
|
|
echo
|
|
sed 's/^/ /' < NOCHECK
|
|
echo
|
|
fi
|
|
|
|
if $allokay; then
|
|
echo 'Everything seems okay!'
|
|
echo
|
|
fi
|
|
|
|
rm -rf /tmp/apt-release-check
|
|
</pre>
|
|
|
|
<p>
|
|
You might need to apply the following patch for <em>sid</em> since
|
|
<code>md5sum</code> adds an '-' after the sum when the input is stdin:
|
|
</p>
|
|
|
|
<pre>
|
|
@@ -37,7 +37,7 @@
|
|
local LOOKUP="$2"
|
|
|
|
Y="`get_md5sumsize Release "$LOOKUP"`"
|
|
- Y="`echo "$Y" | sed 's/^ *//;s/ */ /g'`"
|
|
+ Y="`echo "$Y" | sed 's/-//;s/^ *//;s/ */ /g'`"
|
|
|
|
if [ ! -e "/var/lib/apt/lists/$FILE" ]; then
|
|
if [ "$Y" = "" ]; then
|
|
@@ -55,7 +55,7 @@
|
|
return
|
|
fi
|
|
X="`md5sum < /var/lib/apt/lists/$FILE` `wc -c < /var/lib/apt/lists/$FILE`"
|
|
- X="`echo "$X" | sed 's/^ *//;s/ */ /g'`"
|
|
+ X="`echo "$X" | sed 's/-//;s/^ *//;s/ */ /g'`"
|
|
if [ "$X" != "$Y" ]; then
|
|
echo "$FILE" >>BAD
|
|
echo "BAD"
|
|
</pre>
|
|
|
|
<hr>
|
|
|
|
<h3><a name="s-check-non-debian-releases"></a>7.5.4 Release check of non Debian sources</h3>
|
|
|
|
<p>
|
|
Notice that, when using the latest apt version (with <em>secure apt</em>) no
|
|
extra effort should be required on your part unless you use non-Debian sources,
|
|
in which case an extra confirmation step will be required by apt-get. This is
|
|
avoided by providing <code>Release</code> and <code>Release.gpg</code> files in
|
|
the non-Debian sources. The <code>Release</code> file can be generated with
|
|
<code>apt-ftparchive</code> (available in <code>apt-utils</code> 0.5.0 and
|
|
later), the <code>Release.gpg</code> is just a detached signature. To generate
|
|
both follow this simple procedure:
|
|
</p>
|
|
|
|
<pre>
|
|
$ rm -f dists/unstable/Release
|
|
$ apt-ftparchive release dists/unstable > dists/unstable/Release
|
|
$ gpg --sign -ba -o dists/unstable/Release.gpg dists/unstable/Release
|
|
</pre>
|
|
|
|
<hr>
|
|
|
|
<h3><a name="s-check-pkg-sign"></a>7.5.5 Alternative per-package signing scheme</h3>
|
|
|
|
<p>
|
|
The additional scheme of signing each and every packages allows packages to be
|
|
checked when they are no longer referenced by an existing <code>Packages</code>
|
|
file, and also third-party packages where no <code>Packages</code> ever existed
|
|
for them can be also used in Debian but will not be default scheme.
|
|
</p>
|
|
|
|
<p>
|
|
This package signing scheme can be implemented using <code>debsig-verify</code>
|
|
and <code>debsigs</code>. These two packages can sign and verify embedded
|
|
signatures in the .deb itself. Debian already has the capability to do this
|
|
now, but there is no feature plan to implement the policy or other tools since
|
|
the archive signing scheme is prefered. These tools are available for users
|
|
and archive administrators that would rather use this scheme instead.
|
|
</p>
|
|
|
|
<p>
|
|
Latest <code>dpkg</code> versions (since 1.9.21) incorporate a <code><a
|
|
href="http://lists.debian.org/debian-dpkg/2001/debian-dpkg-200103/msg00024.html">patch</a></code>
|
|
that provides this functionality as soon as <code>debsig-verify</code> is
|
|
installed.
|
|
</p>
|
|
|
|
<p>
|
|
NOTE: Currently <code>/etc/dpkg/dpkg.cfg</code> ships with
|
|
"no-debsig" as per default.
|
|
</p>
|
|
|
|
<p>
|
|
NOTE2: Signatures from developers are currently stripped when they enter off
|
|
the package archive since the currently preferred method is release checks as
|
|
described previously.
|
|
</p>
|
|
|
|
<hr>
|
|
|
|
<p>
|
|
[ <a href="ch-automatic-harden.en.html">previous</a> ]
|
|
[ <a href="index.en.html#contents">Contents</a> ]
|
|
[ <a href="ch1.en.html">1</a> ]
|
|
[ <a href="ch2.en.html">2</a> ]
|
|
[ <a href="ch3.en.html">3</a> ]
|
|
[ <a href="ch4.en.html">4</a> ]
|
|
[ <a href="ch-sec-services.en.html">5</a> ]
|
|
[ <a href="ch-automatic-harden.en.html">6</a> ]
|
|
[ 7 ]
|
|
[ <a href="ch-sec-tools.en.html">8</a> ]
|
|
[ <a href="ch9.en.html">9</a> ]
|
|
[ <a href="ch10.en.html">10</a> ]
|
|
[ <a href="ch-after-compromise.en.html">11</a> ]
|
|
[ <a href="ch12.en.html">12</a> ]
|
|
[ <a href="ap-harden-step.en.html">A</a> ]
|
|
[ <a href="ap-checklist.en.html">B</a> ]
|
|
[ <a href="ap-snort-box.en.html">C</a> ]
|
|
[ <a href="ap-bridge-fw.en.html">D</a> ]
|
|
[ <a href="ap-bind-chuser.en.html">E</a> ]
|
|
[ <a href="ap-fw-security-update.en.html">F</a> ]
|
|
[ <a href="ap-chroot-ssh-env.en.html">G</a> ]
|
|
[ <a href="ap-chroot-apache-env.en.html">H</a> ]
|
|
[ <a href="ch-sec-tools.en.html">next</a> ]
|
|
</p>
|
|
|
|
<hr>
|
|
|
|
<p>
|
|
Securing Debian Manual
|
|
</p>
|
|
|
|
<address>
|
|
Version: 3.13, Sun, 08 Apr 2012 02:48:09 +0000<br>
|
|
<br>
|
|
Javier Fernández-Sanguino Peña <code><a href="mailto:jfs@debian.org">jfs@debian.org</a></code><br>
|
|
<a href="ch1.en.html#s-authors">Authors, Section 1.1</a><br>
|
|
<br>
|
|
</address>
|
|
<hr>
|
|
|
|
</body>
|
|
|
|
</html>
|
|
|