Re: What should a Debian-security metapackage should provide?
On Wed, Dec 13, 2000 at 11:35:03AM +0100, Javier Fernandez-Sanguino Peña wrote:
> I've thought on the Debian metapackage... how about this:
> Depends: documentation (securing-howto, lasg)
Depends: should be reversed for actual dependencies IMHO, you should never
need to depend on documentation. Make that suggests. (IANADD though)
> Suggests: task-security-audit, task-firewall-tools, task-security-tools
> Recomends: task-network-tools
> Depends: nessusd, snort, logcheck, ippl, tcpdump, sxid, syslog-ng, arpwatch
> (tripwire, satan, and saint are all non-free IIRC)
> Depends: pwgen, makepasswd, john, otp, osh, rbash, ssh ,gnupg, tcpd
These are useless unless the sysadmin knows and uses them, in which case they
would install them anyway. Task packages are meant to help people who *don't*
know what they want.
> ecomends: cheops, scotty, queso, nmap, ethereal, netdiag, karpski
> Depends: gfc,firestarter, easyfw (last two not currently in Debian, but will be
Not qualified to comment.
> Any thoughts?
As someone else said, fewer task- packages seems to be the flavour of the
moment. I'm in agreement with the "task packages should be for new users
to get going quickly without knowing much" point of view. The only one of the
above suggestions I think is useful is task-security-audit, specifically the
logging stuff like ippl, since that works without intervention; you can
select it and forget it, until you actually get attacked when you then need
I'd have a single task-security, which included a few paranoid logging
programs, some automatic security checking scripts like sxid, and maybe
a simple firewall package too, if it can be installed with a useful default
configuration. And maybe Conflicts: a few of the more obviously insecure
services. And I'd have it selected by default on all new installations,
but I suspect that's unlikely to happen.
Colin Phipps http://www.cph.demon.co.uk/