
Bug#796642: debian-policy: hardening is an afterthought and should never be



Package: debian-policy
Severity: normal
Tags: newcomer upstream security

Hardening according to many devs I have spoken with is an afterthought,
especially post install. This is like recommending Debian to be hacked.
I'm not saying one move can stop a hacker, security is always an ongoing
situation, either you are ahead of the curve, or you have fallen behind.

Programming like this and packaging with this mindset is just no good.

There are MANY ways one can harden a Debian install, most are common sense
items. Others are easy to implement solutions that could be setup by the
installer or its packages BY DEFAULT. Many of these solutions protect the end
user and help to secure a network environment. IGNORING ME is asking for
trouble.

Simple things:

SELinux ENABLED and ENFORCING and INSTALLED WITH SeTroubleshoot [like Fedora
has]
Harden flags set AND ENFORCED on build environment (harden package)
Use of RELRO and PIE where possible
NOEXEC and NOSUID on /tmp and /var/tmp
VA.randomize(HEAP?) set by default in /etc/sysctl.conf [I have many tweaks
here, some for gigabit ethernet]

ENCRYPTED SWAP enabled by DEFAULT with a RANDOM key
/etc/securetty set to near nothing or nothing with comments on why nothing is
here and the local login methods commented.
ufw/gufw installed and set on startup
fail2ban installed and base configured
password backups disabled (why is this even a thought to enable this?)
grub password protection should work (it doesn't and not only that but users and
admins should have a clear cut method to enable this)
Documentation of mainline system installed and linked to in ~/Desktop. (Like a
pdf of the debian handbook...)
non-free video (and other hardware) detection and installation help offered
post install [like ubuntu has]

This is what is on the top of my head, as I have BEEN IGNORED in the past by
people saying "well this isn't our policy, make a hardening recommends..." GUESS
WHAT? I'M MAKING IT. Debian is INSECURE by default. Neither admins nor end-users
want the headache of figuring out all of these things by themselves, and all of
this takes TIME to implement. PEOPLE FORGET. ADMINS get busy with other tasks
like merging in a user database. USERS get busy with packages and putting all
their files back on the system.

Dunno about you, it usually takes me DAYS to get all of my packages installed
and setup correctly.

And AM I the only one to semi-automate a lockdown and install method? (even if
invoked by hand)



-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.0.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
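
A way to check two of the items listed in the report on a running system (noexec/nosuid on /tmp and /var/tmp, and the address-space randomization sysctl), as an added example that is not part of the original bug report. The function names are hypothetical and SAMPLE_MOUNTS is constructed input; the sysctl is assumed to be kernel.randomize_va_space, which the report only alludes to.

```python
REQUIRED_OPTS = {"noexec", "nosuid"}
TEMP_DIRS = ("/tmp", "/var/tmp")


def parse_mounts(text):
    """Map mount point -> option set from /proc/mounts-style text.
    Later lines win, as a later mount shadows an earlier one."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mount_point = fields[1].replace("\\040", " ")  # kernel escapes spaces
        mounts[mount_point] = set(fields[3].split(","))
    return mounts


def covering_mount(path, mounts):
    """Longest mount point that is path itself or a parent directory of it."""
    hits = [mp for mp in mounts
            if path == mp or path.startswith(mp.rstrip("/") + "/")]
    return max(hits, key=len, default=None)


def audit_temp_mounts(mounts_text):
    """Return {dir: (covering mount point, missing options)} for each failure."""
    mounts = parse_mounts(mounts_text)
    findings = {}
    for d in TEMP_DIRS:
        mp = covering_mount(d, mounts)
        missing = sorted(REQUIRED_OPTS - mounts.get(mp, set()))
        if missing:
            findings[d] = (mp, missing)
    return findings


def aslr_full(value_text):
    """0 = off, 1 = stack/mmap/VDSO, 2 = additionally the heap (brk)."""
    return value_text.strip() == "2"


# Constructed sample: /tmp is a tmpfs without noexec, /var/tmp lives on /.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
"""

if __name__ == "__main__":
    with open("/proc/mounts") as f:
        print(audit_temp_mounts(f.read()))
    with open("/proc/sys/kernel/randomize_va_space") as f:
        print("full ASLR:", aslr_full(f.read()))
```

A directory that is not its own mount point is judged by the options of the filesystem that contains it, which is why /var/tmp is reported against / in the sample.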

