[Freedombox-discuss] Policy questions
sandyinchina at gmail.com
Wed May 4 04:27:01 UTC 2011

Sandy Harris <sandyinchina at gmail.com> wrote:
> We have a bit of a design problem in that we want the FB to
> be very secure, but also to require a minimum of system

Among other things, that means we want it to ship with
secure default policies in a number of areas.

Ubuntu comes with netfilter installed but no rules applied.
I do not know for Debian. Whatever the usual system
defaults -- null as for Ubuntu or something else -- they
probably need to change for the box since it will run a
different set of services than a default install.

Should the rules include blocking TCP resets?

Likely the exact set of rules needed will vary depending
on which FB services a particular box enables. Arranging
for this to happen without subjecting users to a heavy
system admin load will require some clever scripts.

DNS is an essential service but in some countries the
governments mess with it as part of a censorship
program. In the long run, we may need a design
where Freedom Boxes give each other DNS services.
At least for a box just coming up that does not know
where other boxes are, we need more. Likely a list of
open DNS servers -- Google's 126.96.36.199 and a few dozen
others -- and a script that pings them all to find ones
that are fast and reachable.

A standard tactic for security is isolation of services.
You put the web server and the mail server on two
different machines so that an enemy who finds a
flaw in the web server does not get your mail, and
Clearly we cannot expect to use a separate machine
for each FB service, but we need some strategy that
limits the damage if any one service turns out to have
a security flaw. Some list posts suggest using virtual
machines, and that is one plausible solution, though
costly. Can we do with careful use of user & group
IDs? With chroot jails? With capabilities? Whatever?

There are other security mechanisms available. We
might choose the Debian/FreeBSD distro instead of
Linux to get immutable files, or enable the Linux
capabilities stuff, or use Security Enhanced Linux.
However, none of those is useful alone; each needs
a set of policies appropriate for this application.
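An added example (not from the post or the FreedomBox project) of the resolver-probing script the DNS paragraph asks for. It sends a real DNS query to each candidate rather than an ICMP ping, since a host can answer ping without serving DNS, and it only counts replies whose transaction ID matches and whose RCODE is 0. The resolver addresses and query name are constructed placeholders, and `rank_resolvers` takes an injectable probe so the ranking can be exercised offline.

```python
import os
import socket
import struct
import time

# Constructed placeholder list (RFC 5737 documentation addresses); a real
# deployment would ship its own list of open resolvers here.
CANDIDATE_RESOLVERS = ["192.0.2.1", "192.0.2.2", "192.0.2.3"]

def build_query(name: str, txid: int) -> bytes:
    """Minimal DNS query: 12-byte header plus one A/IN question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def response_ok(query: bytes, resp: bytes) -> bool:
    """Accept only a reply with a matching ID, the QR bit set, and RCODE 0."""
    if len(resp) < 12:
        return False
    txid, flags = struct.unpack("!HH", resp[:4])
    qid = struct.unpack("!H", query[:2])[0]
    return txid == qid and bool(flags & 0x8000) and (flags & 0x000F) == 0

def probe_dns(server: str, name: str = "debian.org", timeout: float = 2.0):
    """Send one UDP query to server:53; return round-trip seconds, or None."""
    txid = int.from_bytes(os.urandom(2), "big")  # random ID so stray packets don't match
    query = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        start = time.monotonic()
        try:
            s.sendto(query, (server, 53))
            resp, _ = s.recvfrom(512)
        except OSError:  # timeout, unreachable network, ICMP port unreachable
            return None
    rtt = time.monotonic() - start
    return rtt if response_ok(query, resp) else None

def rank_resolvers(servers, probe=probe_dns):
    """Return (server, rtt) pairs for servers that answered, fastest first."""
    results = [(s, probe(s)) for s in servers]
    return sorted(((s, r) for s, r in results if r is not None), key=lambda p: p[1])

if __name__ == "__main__":
    for server, rtt in rank_resolvers(CANDIDATE_RESOLVERS):
        print(f"{server}\t{rtt * 1000:.1f} ms")
```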