
Chapter 6. Automatic hardening of Debian systems

6.1. Harden
6.2. Bastille Linux
After reading all the information in the previous chapters you might be wondering "I have to do a lot of things to secure my system, couldn't they be automated?". The answer is yes, but be careful with automated tools. Some people believe that a hardening tool does not eliminate the need for good administration. So do not be fooled into thinking that the whole process can be automated and that this will fix all the related problems. Security is an ongoing process in which the administrator must take part; the administrator cannot just stand by and let the tools do the work. No single tool can cope with all possible security policy implementations, all types of attack and all environments.
Since woody (Debian 3.0) there are two specific packages that are useful for security hardening. The harden package takes an approach based on package dependencies to quickly install valuable security packages and remove those with flaws; configuration of the packages must still be done by the administrator. The bastille package implements a given security policy on the local system based on prior configuration by the administrator (building the configuration can be a guided process done with simple yes/no questions).

6.1. Harden

The harden package tries to make it easier to install and administer hosts that need good security. This package should be used by people who want some quick help to enhance the security of the system. It automatically installs some tools that should enhance security in some way: intrusion detection tools, security analysis tools, etc. Harden installs the following virtual packages (i.e. no contents, just dependencies or recommendations on others):
  • harden-tools: tools to enhance system security (integrity checkers, intrusion detection, kernel patches...)
  • harden-environment: helps configure a hardened environment (currently empty).
  • harden-servers: removes servers considered insecure for some reason.
  • harden-clients: removes clients considered insecure for some reason.
  • harden-remoteaudit: tools to remotely audit a system.
  • harden-nids: helps to install a network intrusion detection system.
  • harden-surveillance: helps to install tools for monitoring of networks and services.
Useful packages which are not dependencies:
  • harden-doc: provides this same manual and other security-related documentation packages.
  • harden-development: development tools for creating more secure programs.
Be careful: if you have software you need (and which you do not wish to uninstall for some reason) and it conflicts with some of the packages above, you might not be able to fully use harden. The harden packages do not (directly) do a thing. They do have, however, intentional package conflicts with known non-secure packages. This way, the Debian packaging system will not approve the installation of these packages. For example, when you try to install a telnet daemon with harden-servers, apt will say:
# apt-get install telnetd 
The following packages will be REMOVED:
  harden-servers
The following NEW packages will be installed:
  telnetd 
Do you want to continue? [Y/n]
This should raise some doubts in the administrator's mind, who should, at this point, reconsider the action.
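
The conflict shown above can also be detected before anything is changed, which is useful in unattended provisioning where nobody reads the prompt. The following script is an added example, not part of this manual or of the harden packages: it relies on the `Remv <package>` lines printed by `apt-get -s` (simulate), and the function names `harden_removals` and `safe_install` and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: refuse an install that would remove a harden* package.

# Read `apt-get -s install` output on stdin and print every harden package
# the simulated transaction would remove ("Remv <pkg> [<version>]" lines).
harden_removals() {
    awk '$1 == "Remv" && ($2 == "harden" || index($2, "harden-") == 1) { print $2 }'
}

# Simulate first; run the real install only when no harden package would be
# removed. Returns 1 (nothing installed) on a conflict, 2 if apt-get fails.
safe_install() {
    sim=$(LC_ALL=C apt-get -s install "$@") || return 2
    lost=$(printf '%s\n' "$sim" | harden_removals)
    if [ -n "$lost" ]; then
        echo "refusing: installing $* would remove: $lost" >&2
        return 1
    fi
    apt-get install "$@"
}

# Constructed sample of simulation output for the telnetd case above
# (version strings are placeholders, not real package versions).
SAMPLE_SIM='Reading package lists...
Building dependency tree...
The following packages will be REMOVED:
  harden-servers
The following NEW packages will be installed:
  telnetd
Remv harden-servers [0.0-placeholder]
Inst telnetd (0.0-placeholder Debian:stable)
Conf telnetd (0.0-placeholder Debian:stable)'
```

Running `printf '%s\n' "$SAMPLE_SIM" | harden_removals` prints `harden-servers`; on a real host, `safe_install telnetd` would stop at that point instead of asking the Y/n question.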