I certainly think having an up to date "Securing Debian" document is a worthy endeavor, especially for server management. I've been using Debian to host my family home server for years now and have learned a lot in that time, so I actually started my own take on a re-write a while back that I was considering proposing, but found it was a much bigger task than I was prepared to undertake alone. Between my inexperience in producing quality documentation (I tend to get quite wordy) to my lack of expert knowledge in all the various topics that might need to be covered I kinda gave up on it. I'll keep it as my own sort of reference point, but I'm not sure it's something I would want to distribute to the wider community.
If you, or anybody else for that matter, would like to look at what I got written before I quit on it, I've shared it from my personal Nextcloud here:
Hi all. The Securing Debian Manual (the harden-doc package) is
woefully out of date and doesn't provide accurate guidance for
operating modern software in the current threat landscape. I'd like
to begin the task of updating it to reflect current best practice and
to document current tools and technologies.
Most basically, I wonder if folks think this is a worthy idea. The
landscape has changed significantly since harden-doc was first
written. Default configurations don't require as much hardening, and
there are lots more available resources. Maybe harden-doc has
stagnated because there's no real need for it?
Assuming we do revive the doc, here are some ideas of what I'd like to
do with the document. I'd like to also get feedback, ideas, and
contributions from others interested in the topic.
1. More background information on principles such as:
a. Threat modeling
b. Defense in depth
c. Least privilege
2. Modern server deployment practices, such as:
a. Sandboxing (with systemd, containers, etc)
b. Image-based deployments, including cloud
c. Update deployment strategies for large fleets
3. Data privacy:
a. VPNs, wireguard, etc
b. Disk encryption
4. Workstation best practices, including:
a. Ssh key generation and handling
b. Basic browser hygine
c. Password managers and other password hygine
My inclination is to primarily focus on general principles rather than
try to document specific settings in specific packages, as in the
current document's Chapter 5 ("Securing services running on your
system"). It'll make sense to document some approaches to safe usage of
the most common software (firefox, openssh, etc), but I don't believe
that it's feasible to provide useful advice for a meaningful subset of
Debian packages.
Should we maybe consider maintaining this document on wiki.debian.org,
rather than being a centrally maintained document? The wiki may scale
better to multiple contributors, leading to better content and more
active maintenance.
If you've got ideas for other topics, I'd love to hear them.
noah