
Bug#796642: debian-policy: hardening is an afterthought and should never be



Control: tags -1 =

On Sun, Aug 23, 2015 at 12:46:22AM -0500, Richard Jasmin wrote:
> SELinux ENABLED and ENFORCING and INSTALLED WITH SeTroubleshoot [like
> Fedora has]

This is not a question for policy.  SELinux is not enabled by default in
Debian because no one has gone to the effort of ensuring there is an SELinux
policy in Debian that could work out of the box.  There is nothing that
policy needs to say on this question.

If you are interested in seeing SELinux enabled by default in Debian, I
recommend you use the Debian mailing lists (debian-devel is a good starting
point) to find other people you could collaborate with to make this
possible.

> Harden flags set AND ENFORCED on build environment (harden package)

There is no way to "enforce" the use of hardening flags.  Debian does
already enable hardening flags by default, as shown by the output of
'dpkg-buildflags'.

> Use of RELRO and PIE where possible

relro is already part of the default hardening flags.  Maintainers already
use PIE where it's believed possible.  So what change are you looking for?

> NOEXEC and NOSUID on /tmp and /var/tmp

dpkg needs to unpack maintainer scripts and execute them, which means
unpacking to /tmp.  This will never be supported so long as Debian uses
dpkg.

> VA.randomize(HEAP?) set by default in /etc/sysctl.conf [I have many tweaks
> here, some for gigabit ethernet]

This should be filed as a bug report against the procps package, not against
policy.

> ENCRYPTED SWAP enabled by DEFAULT with a RANDOM key

This should be discussed on debian-devel or with the debian-installer
maintainers on debian-boot, not in policy.

> /etc/securetty set to near nothing or nothing with comments on why nothing is
> here and the local login methods commented.

The right package for this suggestion would be the login package.

However this is a nonsense suggestion, which I expect the login maintainers
to rightly reject.  The purpose of this file is to declare which terminals
have a secure path to the host so that login knows whether or not to allow
root logins.  If you want to completely disallow root logins on your system,
configure your system without a root password - this has nothing to do with
/etc/securetty.

> ufw/gufw installed and set on startup
> fail2ban installed and base configured

Default package selections: -devel or -boot, not -policy.

> password backups disabled

Should be a bug report on the shadow package.

> grub password protection should work (it doesn't and not only that but
> users and admins should have a clear cut method to enable this)

Should be a bug report on the grub2 package (but possibly this is bug
#545163)

> Documentation of mainline system installed and linked to in ~/Desktop.
> (Like a pdf of the debian handbook...)

I don't know what documentation would be suitable here.  If you have a
specific recommendation (whether that's the Debian handbook or otherwise),
you should probably bring this up as a bug report on the gnome package.

> non-free video (and other hardware) detection and installation help offered
> post install [like ubuntu has]

It severely harms your credibility that you are complaining that Debian is
not secure, and then go on to insist that Debian should make it easier to
install unauditable non-free drivers.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org

