
Re: What should a Debian-security metapackage should provide?



On Wed, Dec 13, 2000 at 11:35:03AM +0100, Javier Fernandez-Sanguino Peña wrote:
> 	I've thought on the Debian metapackage... how about this:
> 
> task-security
> Depends: documentation (securing-howto, lasg)

Depends: should be reserved for actual dependencies IMHO, you should never 
need to depend on documentation. Make that suggests. (IANADD though)

> Suggests:  task-security-audit, task-firewall-tools, task-security-tools
> Recommends: task-network-tools
> 
> 
> task-security-audit
> Depends: nessusd, snort, logcheck, ippl, tcpdump, sxid, syslog-ng, arpwatch
> (tripwire, satan, and saint are all non-free IIRC)
> 
> task-security-tools
> Depends: pwgen, makepasswd, john, otp, osh, rbash, ssh, gnupg, tcpd

These are useless unless the sysadmin knows and uses them, in which case they 
would install them anyway. Task packages are meant to help people who *don't*
know what they want.

> task-network-tools
> Recommends: cheops, scotty, queso, nmap, ethereal, netdiag, karpski
> 
> task-firewall-tools
> Depends: gfc, firestarter, easyfw (last two not currently in Debian, but will be
> soon)

Not qualified to comment.

> 
> 	Any thoughts?

As someone else said, fewer task- packages seems to be the flavour of the 
moment. I'm in agreement with the "task packages should be for new users
to get going quickly without knowing much" point of view. The only one of the 
above suggestions I think is useful is task-security-audit, specifically the 
logging stuff like ippl, since that works without intervention; you can 
select it and forget it, until you actually get attacked when you then need 
the logs.

I'd have a single task-security, which included a few paranoid logging 
programs, some automatic security checking scripts like sxid, and maybe 
a simple firewall package too, if it can be installed with a useful default 
configuration. And maybe Conflicts: a few of the more obviously insecure 
services. And I'd have it selected by default on all new installations, 
but I suspect that's unlikely to happen.

</IMHO> :-)

-- 
Colin Phipps                            http://www.cph.demon.co.uk/


