[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: What should a Debian-security metapackage should provide?

On Wed, Dec 13, 2000 at 11:35:03AM +0100, Javier Fernandez-Sanguino Peña wrote:
> 	I've thought on the Debian metapackage... how about this:
> task-security
> Depends: documentation (securing-howto, lasg)

Depends: should be reversed for actual dependencies IMHO, you should never 
need to depend on documentation. Make that suggests. (IANADD though)

> Suggests:  task-security-audit, task-firewall-tools, task-security-tools
> Recomends: task-network-tools
> task-security-audit
> Depends: nessusd, snort, logcheck, ippl, tcpdump, sxid, syslog-ng, arpwatch
> (tripwire, satan, and saint are all non-free IIRC)
> task-security-tools
> Depends: pwgen, makepasswd, john, otp, osh, rbash, ssh ,gnupg, tcpd

These are useless unless the sysadmin knows and uses them, in which case they 
would install them anyway. Task packages are meant to help people who *don't*
know what they want.

> task-network-tools
> ecomends: cheops, scotty, queso, nmap, ethereal, netdiag, karpski
> task-firewall-tools
> Depends: gfc,firestarter, easyfw (last two not currently in Debian, but will be
> soon)

Not qualified to comment.

> 	Any thoughts?

As someone else said, fewer task- packages seems to be the flavour of the 
moment. I'm in agreement with the "task packages should be for new users
to get going quickly without knowing much" point of view. The only one of the 
above suggestions I think is useful is task-security-audit, specifically the 
logging stuff like ippl, since that works without intervention; you can 
select it and forget it, until you actually get attacked when you then need 
the logs.

I'd have a single task-security, which included a few paranoid logging 
programs, some automatic security checking scripts like sxid, and maybe 
a simple firewall package too, if it can be installed with a useful default 
configuration. And maybe Conflicts: a few of the more obviously insecure 
services. And I'd have it selected by default on all new installations, 
but I suspect that's unlikely to happen.

</IMHO> :-)

Colin Phipps                            http://www.cph.demon.co.uk/

Reply to: