[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: package for security advice

Russell Coker:
> I think it would be good to have a package for improving system security.


> It 
> could depend on packages like spectre-meltdown-checker and also contain 
> scripts that look for ways of improving system security.  For example 
> recommend SE Linux or Apparmor (if you don't have one installed), recommend 
> lockdown=confidentiality if using kernel 5.4 or greater, and do other similar 
> checks and warnings.

Maybe you're looking for a hardened by default Debian derivative?


> For each issue there would ideally be a URL provided 
> (maybe to the Debian Wiki, maybe to somewhere else) that describes the issue.


> I'm not saying that everyone should use all these features, just that everyone 
> who cares about security should know what the options are and have made an 
> informed choice that they can easily review.
> For subsystems that are complex and security critical (like Apache and Samba 
> for example) you could have other packages providing check scripts that look 
> for common configuration choices that might reduce security.  Such scripts 
> would be designed to give false positives rather than false negatives.  The 
> idea being that if you do something potentially risky then you should be aware 
> of it and so should whoever takes over your job in a few years time.  Then at 
> relevant times (EG after an upgrade to a new release of Debian) decisions 
> about security can be reviewed.
> What do you think about this idea?

The Problem with Security Guides and How We Can Fix It


Reply to: