
Re: Enhancements/enabled hardening flags in Wheezy pkgs/release.



On Wed, Jan 1, 2014 at 12:24 PM, Daniel Curtis wrote:
> Hi Moritz,
>
> 90 percent of the hardening via 'dpkg-buildflags'? That's
> good information. I'd hoped that the majority of all base
> packages, and those that are security-sensitive, will be protected
> well. It's really a huge satisfaction.

You can also follow total archive buildflag progress:
http://outflux.net/debian/hardening

And consider helping:
https://wiki.debian.org/Hardening

> One more thing - does Debian include something like e.g.
> Ubuntu or openSUSE does? I mean a Security Features field.
> To mention a few: setuid binaries (kept to minimum),
> minimal set of daemons in the default installation, no open
> ports or ptrace scope (via /kernel/yama/ptrace_scope sysctl),
> and so on. What about kernel hardening?

There is a lintian check for setuid binaries, which prompts
maintainers to avoid that.

There isn't really any group effort tackling or monitoring the
assortment of useful hardening features.  That is something that could
definitely be improved.  There are Ubuntu pages on their progress in
that area that may be worth checking to see where Debian stands.

Best wishes,
Mike
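As an added example (not code from the thread or from Debian), a small POSIX shell audit of the three items raised above: which hardening options dpkg-buildflags currently enables, the Yama ptrace_scope sysctl, and setuid binaries. The option list, the default paths and the `--run` switch are my assumptions; adjust them to local policy.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the hardening items the
# thread mentions on a Debian system. Option list and paths are assumptions.

# Print "<option> present" or "<option> MISSING" for each hardening option
# looked for in the given flag string (e.g. dpkg-buildflags output for
# CFLAGS, CPPFLAGS and LDFLAGS joined together). Always returns 0.
check_hardening_flags() {
    flags="$1"
    for opt in -fstack-protector -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wl,-z,now -fPIE; do
        case " $flags " in
            *" $opt"*) echo "$opt present" ;;
            *)         echo "$opt MISSING" ;;
        esac
    done
}

# Report the Yama ptrace_scope sysctl: 0 = classic ptrace permissions,
# 1-3 = increasingly restricted. The path argument is optional (for tests).
ptrace_scope_status() {
    f="${1:-/proc/sys/kernel/yama/ptrace_scope}"
    [ -r "$f" ] || { echo unavailable; return 0; }
    case "$(cat "$f")" in
        0)     echo unrestricted ;;
        1|2|3) echo restricted ;;
        *)     echo unknown ;;
    esac
}

# List regular files with the setuid bit under a directory, staying on
# one filesystem; permission errors are silenced.
list_setuid() {
    find "${1:-/}" -xdev -type f -perm -4000 2>/dev/null
}

main() {
    if command -v dpkg-buildflags >/dev/null 2>&1; then
        # The flags depend on DEB_BUILD_MAINT_OPTIONS (e.g. hardening=+all).
        flags="$(dpkg-buildflags --get CFLAGS) $(dpkg-buildflags --get CPPFLAGS) $(dpkg-buildflags --get LDFLAGS)"
        check_hardening_flags "$flags"
    else
        echo "dpkg-buildflags not found; skipping build flag check"
    fi
    echo "ptrace_scope: $(ptrace_scope_status)"
    echo "setuid binaries under /usr:"
    list_setuid /usr
}

# Run the audit only when invoked with --run, so the functions can be
# sourced without side effects.
if [ "${1:-}" = "--run" ]; then main; fi
```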

