Author: pollux Date: 2011-09-14 12:33:50 +0000 (Wed, 14 Sep 2011) New Revision: 17240 Added: hardening/subgoal-daemons.txt hardening/subgoal-interpreters.txt Log: Add hardening subgoals for interpreters and daemons Added: hardening/subgoal-daemons.txt ==================================================================--- hardening/subgoal-daemons.txt (rev 0) +++ hardening/subgoal-daemons.txt 2011-09-14 12:33:50 UTC (rev 17240) 
@@ -0,0 +1,345 @@ +Hardening subgoal for Wheezy: +All daemons and libraries accessible from the network + +debtags search --names ''interface::daemon && implemented-in::c'' + +Instructions: +- After checking a package, add it to the "Candidates:" or "Non-candidates:" list +- After NMUing a candidate where all build flags have been successfully enabled, + add it to the "Resolved/fixed:" list +- After NMUing a candidate with only some of the build flags enabled, add it to + the "Partially fixed: list (in order to remember what needs further work in the + future) + +This list needs cleaned up further: +- Packages with same source should be merged +- Packages without tags should be added + +To check: + +aiccu +amanda-server +ample +amule-daemon +and +apache2 +apache2-mpm-event +apache2-mpm-itk +apache2-mpm-prefork +apache2-mpm-worker +apache2-prefork-dev +apache2-threaded-dev +apache2.2-common +apt-cacher-ng +archfs +asterisk +at +atm-tools +autofs +autofs-hesiod +autofs-ldap +autossh +avahi-autoipd +avahi-daemon +avahi-dnsconfd +avr-evtd +bacula-director-sqlite3 +bandwidthd +bandwidthd-pgsql +bcron +beanstalkd +binkd +bip +bird6 +bitlbee +bluemon +bluez-utils +boa +bozohttpd +busybox-syslogd +c-icap +cfengine2 +cherokee +clamav-daemon +clamav-freshclam +clamav-milter +clamsmtp +collectd +collectd-dbg +conntrackd +consolekit +cpqarrayd +cron +crossfire-server +ctrlproxy +cvsd +cyrus-common-2.2 +cyrus-imapd-2.2 +cyrus-pop3d-2.2 +daemon +daemontools +dancer-ircd +dancer-services +dante-server +dbndns +dbus +dbus-x11 +dhis-dns-engine +dhis-mx-sendmail-engine +dhis-server +dicod +djbdns +dma +dnsproxy +dovecot-common +dovecot-imapd +dovecot-pop3d +dsyslog +dynamips +eggdrop +ekeyd +esmtp +exim4 +exim4-base +exim4-daemon-heavy +exim4-daemon-light +ez-ipupdate +fair +fetchmail +fldigi +fprobe-ng +freepops +freeradius +ftpd +gamin +gammu-smsd +gconf2 +git-daemon-run +gnome-keyring +gnome-settings-daemon +gpe-confd +gpe-soundserver +gpm +gpsd +gw6c +hal +haveged +hdapsd +hlbr 
+hobbit +httptunnel +hybserv +ibod +icecast2 +ident2 +ifcico +ifgate +ifplugd +ifuse +imapproxy +inetutils-ftpd +inetutils-inetd +inetutils-syslogd +inetutils-talkd +inetutils-telnetd +inn +inn2 +inn2-dev +inn2-lfs +innfeed +inoticoming +inputlirc +iodine +ipband +ipopd +ircd-hybrid +ircd-irc2 +ircd-ircu +isakmpd +iscsitarget +isns +kannel +kdm +kerneloops +keynav +keytouch +klone +krb5-admin-server +krb5-ftpd +krb5-kdc +krb5-rsh-server +krb5-telnetd +ksysguardd +labrea +ldm-server +leafnode +libchipcard-tools +libdaemon-dev +libdaemon0 +libpam-ssh +lighttpd +linux-igd +lldpd +lnpd +lsh-server +lsyncd +lyskom-server +maradns +masqmail +mathopd +mdadm +memcached +micro-httpd +milter-greylist +mini-httpd +minit +miredo +miredo-server +mmpongd +moc +mpd +mpdscribble +mt-daapd +muroard +mxallowd +mysql-server +nagios-plugins +nagios3 +nas +nbd-server +net-acct +netatalk +netplug +network-manager +network-manager-gnome +nfdump +nfs-common +nfs-kernel-server +ngetty +nginx +ngircd +notification-daemon +notify-osd +nslcd +nuttcp +obex-data-server +oftc-hybrid +open-iscsi +openafs-dbserver +openafs-fileserver +openbsd-inetd +opencryptoki +openvas-server +p910nd +pacemaker +pads +pcscd +php5-xdebug +pkspxy +polipo +pommed +portmap +portsentry +postfix +postfix-gld +powernowd +ppp +prayer-accountd +preload +privoxy +pvm +pvm-dev +quagga +radioclk +radiusd-livingston +randomsound +readahead +remctl-server +rlinetd +rpld +rrdcollect +rsh-redone-server +rsyslog +scanbuttond +shell-fm +shishi-kdc +silcd +sl-modem-daemon +slapd +sleepd +slony1-bin +smcroute +snmpd +snmptrapfmt +solid-pop3d +squid +squid3 +squidguard +stunnel4 +sup +swapspace +synergy +sysrqd +sysstat +sysvinit +tcpd +tcpspy +telepathy-gabble +telepathy-haze +telepathy-idle +telepathy-salut +telepathy-sofiasip +telnetd-ssl +tetrinet-server +thttpd +timidity +timps +tinc +tor +tracker +transmission-daemon +tsocks +ttysnoop +udev +udisks +upower +upstart +uptimed +usbmuxd +uucp +uw-imapd +v86d +varnish +vsftpd +vtun 
+warsow-server +webfs +wicd-cli +wims +wmaloader +wu-ftpd +xdm +xfce4-session +xfce4-volumed +xfstt +xfwm4 +xmms2-core +xneur +xrdp +xserver-xephyr +xymon +yubikey-server-c +zabbix-agent +zabbix-server-mysql +zabbix-server-pgsql +zephyr-server + +Non-candidates: + +Candidates: + +Partially fixed: + +Resolved/fixed: + + Added: hardening/subgoal-interpreters.txt ==================================================================--- hardening/subgoal-interpreters.txt (rev 0) +++ hardening/subgoal-interpreters.txt 2011-09-14 12:33:50 UTC (rev 17240) @@ -0,0 +1,92 @@ +Hardening subgoal for Wheezy: +All interpreters written in C + +debtags search --names ''devel::interpreter && implemented-in::c'' + +Instructions: +- After checking a package, add it to the "Candidates:" or "Non-candidates:" list +- After NMUing a candidate where all build flags have been successfully enabled, + add it to the "Resolved/fixed:" list +- After NMUing a candidate with only some of the build flags enabled, add it to + the "Partially fixed: list (in order to remember what needs further work in the + future) + +This list needs cleaned up further: +- Packages with same source should be merged +- Packages without tags should be added (ex ruby) + +To check: + +9base +bc +beef +chemeq +clips +clips-common +clisp +cpp +cpp-4.1 +cpp-4.3 +cpp-4.4 +freesci +frotz +gambas2-script +gambc +gawk +gcl +gclcvs +ghc6 +goo +gplcver +gs-gpl +guile-1.8-libs +hugs +icont +iconx +ikarus +jzip +libapache2-mod-php5 +libapache2-mod-php5filter +libclips +libclips-dev +libmono-dev +libmono0 +libmozjs-dev +lua5.1 +lua50 +mawk +mdk +mksh +original-awk +parrot +perl +php5-cli +pike7.6-core +pike7.8-core +python2.5 +python2.5-minimal +python2.6 +python2.6-minimal +python3 +python3-minimal +python3.1 +python3.1-minimal +ragel +ruby1.8 +ruby1.9.1 +seed +slsh +spidermonkey-bin +tads3 +tcl-dev +yorick + +Non-candidates: + +Candidates: + +Partially fixed: + +Resolved/fixed: + +
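Review bot: In hardening/subgoal-daemons.txt the debtags line is wrapped in doubled single quotes (''interface::daemon && implemented-in::c''), so when pasted into a shell the && is left unquoted and the line splits into two commands; use a single pair of quotes around the whole expression. The header promises "All daemons and libraries accessible from the network", but the query selects only interface::daemon, so libraries are not matched by it, and nothing in it restricts the result to network-facing services. The "To check:" list also carries development and debug packages (apache2-prefork-dev, apache2-threaded-dev, inn2-dev, libdaemon-dev, pvm-dev, collectd-dbg) that are not daemons to rebuild. Either widen the query to match the stated goal or narrow the header, and drop the -dev and -dbg entries when merging packages by source.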
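Review bot: In hardening/subgoal-interpreters.txt the "To check:" list contains cpp, cpp-4.1, cpp-4.3 and cpp-4.4, which are the C preprocessor rather than interpreters, together with development packages such as libclips-dev, libmono-dev, libmozjs-dev and tcl-dev; move these to "Non-candidates:" in this commit or say why they are in scope. The instructions refer to "all build flags" without naming them, and the quote opened at "Partially fixed: is never closed (the same text appears in subgoal-daemons.txt); list the flags a package must build with to count as resolved, and close the quote. The "(ex ruby)" remark reads as if ruby were missing, yet ruby1.8 and ruby1.9.1 are already in the list, so state which package is meant.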