Re: Task harden.
Ola Lundqvist <firstname.lastname@example.org> writes:
> I'm now packaging a task-harden package as I said in some other
I think you're trying to do too much with one package. It won't
be flexible enough. For example, what if I absolutely need to
have a certain insecure package installed, but I want my machine
to be as secure as possible subject to that constraint. I
wouldn't be able to use task-harden for this if it conflicts
with that package.
I think increasing the security of Debian should be broken into
several independent parts:
- a "Secure Debian howto", with lots of advice. (Something like this
may already exist.)
- make each package as secure as possible by default (balanced against
- provide a few specialized secure versions of packages in cases
where there is a significant trade-off between security and usability.
- provide packages that install various kernel packages and secure
version of libraries
- write a script that analyzes a system and displays warning messages
about insecure things it finds (a "lintian" for security). This
could print messages like "I see you have telnetd installed. This
weakens the security of your system for the following reasons...".
- audit code to increase security
I'm sure others will have similar ideas, which can each be used
one component at a time, for maximum flexibility.