package for security advice
I think it would be good to have a package for improving system security. It
could depend on packages like spectre-meltdown-checker and also contain
scripts that look for ways of improving system security. For example
recommend SE Linux or Apparmor (if you don't have one installed), recommend
lockdown=confidentiality if using kernel 5.4 or greater, and do other similar
checks and warnings. For each issue there would ideally be a URL provided
(maybe to the Debian Wiki, maybe to somewhere else) that describes the issue.
I'm not saying that everyone should use all these features, just that everyone
who cares about security should know what the options are and have made an
informed choice that they can easily review.
For subsystems that are complex and security critical (like Apache and Samba
for example) you could have other packages providing check scripts that look
for common configuration choices that might reduce security. Such scripts
would be designed to give false positives rather than false negatives. The
idea being that if you do something potentially risky then you should be aware
of it and so should whoever takes over your job in a few years time. Then at
relevant times (EG after an upgrade to a new release of Debian) decisions
about security can be reviewed.
What do you think about this idea?
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
Reply to: