Track hardening status of the binaries shipped in Tails
Originally created by @intrigeri on #6918 (Redmine)
One area where Tails security could be improved is hardening of binaries. Debian has made great progress on this for the Wheezy release, and Jessie will be even better. To help improve this in areas that matter to Tails (read: in packages that are shipped in Tails), we need:
- statistics about the current status, to track progress in the proportion of the binaries shipped in Tails that are hardened. That is, something like the Debian Security Hardening Statistics, but limited to the binaries shipped in Tails;
- the list of packages that still lack hardening, to know where we should focus our efforts.
Note that we need statistics about the current state of binaries in Debian unstable (as opposed to the binaries shipped in current Tails), because this is where improvements can be made.
One should use the list of binary packages shipped in ISO images built from the feature/stretch branch (see the .build-manifest file there) as input data.
There is no need to reinvent the wheel: the Debian Security Hardening Statistics link to the source code used to generate it. We should improve these scripts to take any parameter we need (likely: our list of packages as input, and an option to output the list of packages that lack hardening), and contribute the changes upstream. Note that Kees Cook <kees@debian.org> has published hardening statistics limited to the packages present in a default Debian installation, so probably most of the functionality we need is already there.
Hopefully, Kees will happily run the resulting scripts for us, and add a “Tails Security Hardening Statistics” page to his website. Worst case, we’ll run it and host the resulting web pages on our own infrastructure.
Attachments
- packages-missing-hardening
- output.yml
- packages-missing-hardening-udd.py
- packages-missing-hardening-udd.output
Related issues
- Related to tails#6919 (closed)