[Secure-testing-commits] r17240 - hardening

Pierre Chifflier pollux at alioth.debian.org
Wed Sep 14 12:33:51 UTC 2011


Author: pollux
Date: 2011-09-14 12:33:50 +0000 (Wed, 14 Sep 2011)
New Revision: 17240

Added:
   hardening/subgoal-daemons.txt
   hardening/subgoal-interpreters.txt
Log:
Add hardening subgoals for interpreters and daemons


Added: hardening/subgoal-daemons.txt
===================================================================
--- hardening/subgoal-daemons.txt	                        (rev 0)
+++ hardening/subgoal-daemons.txt	2011-09-14 12:33:50 UTC (rev 17240)
@@ -0,0 +1,345 @@
+Hardening subgoal for Wheezy:
+All daemons and libraries accessible from the network
+
+debtags search --names 'interface::daemon && implemented-in::c'
+
+Instructions:
+- After checking a package, add it to the "Candidates:" or "Non-candidates:" list
+- After NMUing a candidate where all build flags have been successfully enabled, 
+  add it to the "Resolved/fixed:" list
+- After NMUing a candidate with only some of the build flags enabled, add it to
+  the "Partially fixed: list (in order to remember what needs further work in the
+  future)
+
+This list needs cleaned up further:
+- Packages with same source should be merged
+- Packages without tags should be added
+
+To check:
+
+aiccu
+amanda-server
+ample
+amule-daemon
+and
+apache2
+apache2-mpm-event
+apache2-mpm-itk
+apache2-mpm-prefork
+apache2-mpm-worker
+apache2-prefork-dev
+apache2-threaded-dev
+apache2.2-common
+apt-cacher-ng
+archfs
+asterisk
+at
+atm-tools
+autofs
+autofs-hesiod
+autofs-ldap
+autossh
+avahi-autoipd
+avahi-daemon
+avahi-dnsconfd
+avr-evtd
+bacula-director-sqlite3
+bandwidthd
+bandwidthd-pgsql
+bcron
+beanstalkd
+binkd
+bip
+bird6
+bitlbee
+bluemon
+bluez-utils
+boa
+bozohttpd
+busybox-syslogd
+c-icap
+cfengine2
+cherokee
+clamav-daemon
+clamav-freshclam
+clamav-milter
+clamsmtp
+collectd
+collectd-dbg
+conntrackd
+consolekit
+cpqarrayd
+cron
+crossfire-server
+ctrlproxy
+cvsd
+cyrus-common-2.2
+cyrus-imapd-2.2
+cyrus-pop3d-2.2
+daemon
+daemontools
+dancer-ircd
+dancer-services
+dante-server
+dbndns
+dbus
+dbus-x11
+dhis-dns-engine
+dhis-mx-sendmail-engine
+dhis-server
+dicod
+djbdns
+dma
+dnsproxy
+dovecot-common
+dovecot-imapd
+dovecot-pop3d
+dsyslog
+dynamips
+eggdrop
+ekeyd
+esmtp
+exim4
+exim4-base
+exim4-daemon-heavy
+exim4-daemon-light
+ez-ipupdate
+fair
+fetchmail
+fldigi
+fprobe-ng
+freepops
+freeradius
+ftpd
+gamin
+gammu-smsd
+gconf2
+git-daemon-run
+gnome-keyring
+gnome-settings-daemon
+gpe-confd
+gpe-soundserver
+gpm
+gpsd
+gw6c
+hal
+haveged
+hdapsd
+hlbr
+hobbit
+httptunnel
+hybserv
+ibod
+icecast2
+ident2
+ifcico
+ifgate
+ifplugd
+ifuse
+imapproxy
+inetutils-ftpd
+inetutils-inetd
+inetutils-syslogd
+inetutils-talkd
+inetutils-telnetd
+inn
+inn2
+inn2-dev
+inn2-lfs
+innfeed
+inoticoming
+inputlirc
+iodine
+ipband
+ipopd
+ircd-hybrid
+ircd-irc2
+ircd-ircu
+isakmpd
+iscsitarget
+isns
+kannel
+kdm
+kerneloops
+keynav
+keytouch
+klone
+krb5-admin-server
+krb5-ftpd
+krb5-kdc
+krb5-rsh-server
+krb5-telnetd
+ksysguardd
+labrea
+ldm-server
+leafnode
+libchipcard-tools
+libdaemon-dev
+libdaemon0
+libpam-ssh
+lighttpd
+linux-igd
+lldpd
+lnpd
+lsh-server
+lsyncd
+lyskom-server
+maradns
+masqmail
+mathopd
+mdadm
+memcached
+micro-httpd
+milter-greylist
+mini-httpd
+minit
+miredo
+miredo-server
+mmpongd
+moc
+mpd
+mpdscribble
+mt-daapd
+muroard
+mxallowd
+mysql-server
+nagios-plugins
+nagios3
+nas
+nbd-server
+net-acct
+netatalk
+netplug
+network-manager
+network-manager-gnome
+nfdump
+nfs-common
+nfs-kernel-server
+ngetty
+nginx
+ngircd
+notification-daemon
+notify-osd
+nslcd
+nuttcp
+obex-data-server
+oftc-hybrid
+open-iscsi
+openafs-dbserver
+openafs-fileserver
+openbsd-inetd
+opencryptoki
+openvas-server
+p910nd
+pacemaker
+pads
+pcscd
+php5-xdebug
+pkspxy
+polipo
+pommed
+portmap
+portsentry
+postfix
+postfix-gld
+powernowd
+ppp
+prayer-accountd
+preload
+privoxy
+pvm
+pvm-dev
+quagga
+radioclk
+radiusd-livingston
+randomsound
+readahead
+remctl-server
+rlinetd
+rpld
+rrdcollect
+rsh-redone-server
+rsyslog
+scanbuttond
+shell-fm
+shishi-kdc
+silcd
+sl-modem-daemon
+slapd
+sleepd
+slony1-bin
+smcroute
+snmpd
+snmptrapfmt
+solid-pop3d
+squid
+squid3
+squidguard
+stunnel4
+sup
+swapspace
+synergy
+sysrqd
+sysstat
+sysvinit
+tcpd
+tcpspy
+telepathy-gabble
+telepathy-haze
+telepathy-idle
+telepathy-salut
+telepathy-sofiasip
+telnetd-ssl
+tetrinet-server
+thttpd
+timidity
+timps
+tinc
+tor
+tracker
+transmission-daemon
+tsocks
+ttysnoop
+udev
+udisks
+upower
+upstart
+uptimed
+usbmuxd
+uucp
+uw-imapd
+v86d
+varnish
+vsftpd
+vtun
+warsow-server
+webfs
+wicd-cli
+wims
+wmaloader
+wu-ftpd
+xdm
+xfce4-session
+xfce4-volumed
+xfstt
+xfwm4
+xmms2-core
+xneur
+xrdp
+xserver-xephyr
+xymon
+yubikey-server-c
+zabbix-agent
+zabbix-server-mysql
+zabbix-server-pgsql
+zephyr-server
+
+Non-candidates:
+
+Candidates:
+
+Partially fixed:
+
+Resolved/fixed:
+
+
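Review bot: The Instructions block sorts packages into "Resolved/fixed:" or "Partially fixed:" by whether "all build flags" were enabled, but the file never says which flags those are, so two people checking the same package can file it differently. Name the expected flags, or point to the document that defines them, directly under the header. In the same block, the text `"Partially fixed: list` is missing its closing quote, and the line ending in `enabled, ` has trailing whitespace. The "To check:" list is the raw debtags output and includes entries that by name are development or debug packages (apache2-prefork-dev, apache2-threaded-dev, collectd-dbg, inn2-dev, libdaemon-dev, pvm-dev) as well as several binaries per source (apache2-mpm-*, exim4-*). Since the file already says same-source packages should be merged, listing source packages from the start would avoid checking the same build more than once.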

Added: hardening/subgoal-interpreters.txt
===================================================================
--- hardening/subgoal-interpreters.txt	                        (rev 0)
+++ hardening/subgoal-interpreters.txt	2011-09-14 12:33:50 UTC (rev 17240)
@@ -0,0 +1,92 @@
+Hardening subgoal for Wheezy:
+All interpreters written in C
+
+debtags search --names 'devel::interpreter && implemented-in::c'
+
+Instructions:
+- After checking a package, add it to the "Candidates:" or "Non-candidates:" list
+- After NMUing a candidate where all build flags have been successfully enabled, 
+  add it to the "Resolved/fixed:" list
+- After NMUing a candidate with only some of the build flags enabled, add it to
+  the "Partially fixed: list (in order to remember what needs further work in the
+  future)
+
+This list needs cleaned up further:
+- Packages with same source should be merged
+- Packages without tags should be added (ex ruby)
+
+To check:
+
+9base
+bc
+beef
+chemeq
+clips
+clips-common
+clisp
+cpp
+cpp-4.1
+cpp-4.3
+cpp-4.4
+freesci
+frotz
+gambas2-script
+gambc
+gawk
+gcl
+gclcvs
+ghc6
+goo
+gplcver
+gs-gpl
+guile-1.8-libs
+hugs
+icont
+iconx
+ikarus
+jzip
+libapache2-mod-php5
+libapache2-mod-php5filter
+libclips
+libclips-dev
+libmono-dev
+libmono0
+libmozjs-dev
+lua5.1
+lua50
+mawk
+mdk
+mksh
+original-awk
+parrot
+perl
+php5-cli
+pike7.6-core
+pike7.8-core
+python2.5
+python2.5-minimal
+python2.6
+python2.6-minimal
+python3
+python3-minimal
+python3.1
+python3.1-minimal
+ragel
+ruby1.8
+ruby1.9.1
+seed
+slsh
+spidermonkey-bin
+tads3
+tcl-dev
+yorick
+
+Non-candidates:
+
+Candidates:
+
+Partially fixed:
+
+Resolved/fixed:
+
+
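Review bot: The "To check:" list does not match the stated scope "All interpreters written in C". It contains cpp, cpp-4.1, cpp-4.3 and cpp-4.4 (the C preprocessor), ragel, and library or -dev packages (libclips-dev, libmono-dev, libmozjs-dev, tcl-dev), which look like tag matches rather than interpreters; either prune them before commit or move them straight to "Non-candidates:" with a short reason. The cleanup note `Packages without tags should be added (ex ruby)` is also unclear, because ruby1.8 and ruby1.9.1 are already in the list; say which ruby package is meant. The Instructions block is copied verbatim from subgoal-daemons.txt, including the missing closing quote in `"Partially fixed: list` and the trailing whitespace after `enabled, `; keeping it in one shared file would avoid fixing it twice.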



