Re: OS Hardening
> Oh, I totally agree; this would have to be on a per-package basis,
> however. Hence, it would rely on each maintainer's willingness
> to do so. For example, a chrooted bind (running as user nobody
> or something) would be nice, but the bind maintainer has refused
> (at least until bind 9.1 is released.. see bug #50013). A debconf
> option would be ideal here; the trick is to convince the maintainer
> to add it.

Not only chrooted. Bind could be easily made to run as 'named' user and group,
and it is easy to script this if the maintainer does not provide it. Alas,
Debian policy does not allow a package to change another one upon installation,
but that does not mean we cannot provide a hardening script that does this.

Users should *not* have to read through a document thoroughly to have a secure
installation. If things are not provided as hardened as necessary since only a
limited range of users will need this hardened, there should be automatic
procedures to switch to a hardened setting. I.e. do not make users:
1.- addgroup named
2.- adduser --system --ingroup named named
3.- edit /etc/init.d/bind in order to make start-stop give -u named -g named
options to named.
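
The three manual steps above, scripted as an added example (not part of the original message and not Debian's or the bind package's own code). The function names, the DRY_RUN switch and the assumption that the init script starts named with a single-line start-stop-daemon command are illustrative.

```shell
#!/bin/sh
# Added example: automates the three manual steps from the message.
# Assumption: the init script starts named with a single-line
# "start-stop-daemon --start ... named" command.
RUN_USER=named
RUN_GROUP=named

# Steps 1 and 2: create the group and system user only if missing.
# With DRY_RUN=1 the commands are printed instead of executed.
ensure_account() {
    run=""
    [ "${DRY_RUN:-0}" = 1 ] && run="echo"
    getent group "$RUN_GROUP" >/dev/null 2>&1 ||
        $run addgroup "$RUN_GROUP"
    getent passwd "$RUN_USER" >/dev/null 2>&1 ||
        $run adduser --system --ingroup "$RUN_GROUP" "$RUN_USER"
}

# Step 3: append "-u named -g named" to named's start command.
# Idempotent: a start line that already passes -u is left alone,
# and the stop line is never touched.
harden_init() {
    init=$1
    [ -f "$init" ] || { echo "no such file: $init" >&2; return 1; }
    opts="-u $RUN_USER -g $RUN_GROUP"
    tmp=$(mktemp) || return 1
    sed -e "/start-stop-daemon.*--start.*named/{
        / -u $RUN_USER/b
        / -- /!s/\$/ --/
        s/\$/ $opts/
    }" "$init" >"$tmp" || { rm -f "$tmp"; return 1; }
    if cmp -s "$init" "$tmp"; then
        rm -f "$tmp"                               # already hardened
    else
        [ -e "$init.orig" ] || cp -p "$init" "$init.orig"  # keep a backup
        cat "$tmp" >"$init"                        # preserves mode and owner
        rm -f "$tmp"
    fi
}

# Run as root with --apply to change the live system.
if [ "${1:-}" = "--apply" ]; then
    ensure_account && harden_init /etc/init.d/bind
fi
```

Named must also be able to read its configuration and write its pid file as the new user, which this script does not arrange.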