Re: Security Changes For Fedora 9

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

On Friday 21 December 2007 09:13:21 am Kevin Fenzi wrote:
<snip to address only Bastille>
> > 5: Bastille
> > Be sure to incorporate the most important Bastille fixes
> > (  This project appears to have stalled and
> > requires an older version of Fedora to run, unless you're a Perl
> > ninja =) Maybe we should contact the developer (Jay Beale), and ask
> > him what he needs to revive the project?  Perhaps the Fedora
> > community can be of assistance.
Since 2000 or so I, or people I know, have found the Bastille project stalled 
for a platform that it needed to be evaluated against, on at least three 
occasions. Pulling it up on, the last changelog entry reads:

* Sun Apr 16 2006 Jay Beale <email redacted> 3.0.9-1.0
  - Added support for Fedora Core 5
  - Added support for SUSE 10.0
  - Added support for Mandrake 10.0, 10.1, 2006...
  - Added support for OS X Tiger (10.4) - preliminary
> We should take a look I agree, but many of the things bastille did/does
> are not useful these days. Disabling rsh/rlogin? Disabling compilers
> (your point 4 I guess)? Setting more agressive security defaults on
> some applications? Many of the things it does we should be doing in the
> packages we ship, not trying to modify after install.
Usefulness depends upon what you're doing. For instance, Bastille was 
supported on HP-UX, though I no longer know how well. I've seen one 
environment where not only were the Berkeley 'r' programs were still used 
very heavily, but also rusers, in which case the portmapper had to be 
accessible. Granted, this is the sort of thing that applies mostly to 
non-GUI, often headless, installs. This is probably not a typical environment 
for Fedora, but one that definitely does happen, and with some frequency.

> Would anyone be interested in culling through and coming up with a list
> of items we should address that bastille does?
That would require someone who's running a distro that's pretty old. If I 
still had a SuSE 10.0 or FC5 box, I'd have already run Bastille in evaluation 
mode, just to see where it was a couple of years ago.  If enough people want 
to see the information, I'd be willing to load FC5 on a box, on a temporary 
basis, after the holidays. I could also run it from the source tarball on 
more recent Fedoras, again in eval mode, just for some comparison data.

Be advised that working alone, it could take me a couple of weeks to produce 
all the data. Time is somewhat limited. I've not looked at the code in some 
time, so I don't know if I'd have to run it against, say, a minimal, GNOME, 
and KDE install for each version. Also, not being familiar with the current 
code, it could be full of security or other bugs. The bz2 tarball is 312 KB. 
That's a fair amount of Perl, which may not have received a plethora of 
eyeballs, and I've no idea what (if any) test harnesses may have been used, 

If there's a lot of demand for the information, hopefully someone will also 
come forward to split the testing load with me. If not, I can live with that, 
and run everything by mid-January. Actually, I'd *have* to complete it by 
then, and I can't offer even a cursory code review. Someone may want to take 
a look at the requires and provides list for some hints about that. This is 
down to time issues that are beyond my control. My window runs from 1/2/07 
through 1/14/07, inclusive. Sorry, folks, but it's the best I can do.

I have to admit that I'm not sanguine about receiving an adequate return on 
investment from Bastille. The periodic halts in the project could mean a fair 
commitment of resources to avoid future problems. I've also heard stories 
from people who were able to run it, but found major problems in the ability 
of typical end users to use it correctly. Overall quality of code is also a 
huge unknown.

That said, I'm not wedded to my opinion. This is just my two cents. Actual 
data is always preferable, if the community decides to seriously explore 
this. Not knowing exactly how to define that, as I don't know the size of 
this community, I'm making an arbitrary call that if a dozen people ask me to 
do it, I will. If any one person volunteers to split the load, I'll do it.

I should probably look for list archives, and grep around for unique posters, 
just to get an idea of community size. But not today. Last-minute Christmas 
shopping is the higher priority.

Jingle bells, and best wishes,


Fedora-security-list mailing list

[Home]     [Fedora Legacy List]     [Fedora Maintainers]     [Fedora Desktop]     [Red Hat 9 Bible]     [Fedora Bible]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Coolkey]     [Fedora Tools]

Powered by Linux