
Re: package for security advice



Russell Coker:
> I think it would be good to have a package for improving system security.


https://github.com/Whonix/security-misc

> It 
> could depend on packages like spectre-meltdown-checker and also contain 
> scripts that look for ways of improving system security.  For example 
> recommend SE Linux or AppArmor (if you don't have one installed), recommend 
> lockdown=confidentiality if using kernel 5.4 or greater, and do other similar 
> checks and warnings.


Maybe you're looking for a hardened by default Debian derivative?

https://www.whonix.org/wiki/Kicksecure

> For each issue there would ideally be a URL provided 
> (maybe to the Debian Wiki, maybe to somewhere else) that describes the issue.


https://www.whonix.org/wiki/System_Hardening_Checklist

> I'm not saying that everyone should use all these features, just that everyone 
> who cares about security should know what the options are and have made an 
> informed choice that they can easily review.
> 
> For subsystems that are complex and security critical (like Apache and Samba 
> for example) you could have other packages providing check scripts that look 
> for common configuration choices that might reduce security.  Such scripts 
> would be designed to give false positives rather than false negatives.  The 
> idea being that if you do something potentially risky then you should be aware 
> of it and so should whoever takes over your job in a few years' time.  Then at 
> relevant times (e.g. after an upgrade to a new release of Debian) decisions 
> about security can be reviewed.
> 
> What do you think about this idea?


The Problem with Security Guides and How We Can Fix It

https://forums.whonix.org/t/the-problem-with-security-guides-and-how-we-can-fix-it/8563
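
The two checks named in the quoted proposal (recommend SELinux or AppArmor when neither is active, recommend lockdown=confidentiality on kernel 5.4 or greater), written out as an added example that is not part of either message, of security-misc, or of any Debian package. Function names and message wording are assumptions, and the sample inputs at the end are constructed; an unreadable lockdown state produces a warning, following the "false positives rather than false negatives" rule.

```shell
#!/bin/sh
# Added example; function names and messages are hypothetical.

# Succeeds only if kernel release $1 clearly parses as older than 5.4.
kernel_older_than_5_4() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%[!0-9]*}
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    [ -n "$minor" ] || return 1
    [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 4 ]; }
}

# $1: contents of /sys/kernel/security/lsm (comma-separated; may be empty).
check_lsm() {
    case ",$1," in
        *,selinux,*|*,apparmor,*) return 0 ;;
    esac
    echo "WARN: neither SELinux nor AppArmor is active; consider enabling one"
}

# $1: kernel release as printed by `uname -r`
# $2: contents of /sys/kernel/security/lockdown; the active mode is
#     bracketed, e.g. "none [integrity] confidentiality".
check_lockdown() {
    kernel_older_than_5_4 "$1" && return 0   # no lockdown= before 5.4
    case "$2" in
        *"[confidentiality]"*) return 0 ;;
        *"[integrity]"*) mode=integrity ;;
        *"[none]"*) mode=none ;;
        *) mode=unknown ;;   # unreadable or missing: warn, don't stay silent
    esac
    echo "WARN: lockdown is '$mode'; consider lockdown=confidentiality"
}

# Run both checks against the live system.
audit_host() {
    lsm=$(cat /sys/kernel/security/lsm 2>/dev/null || true)
    lockdown=$(cat /sys/kernel/security/lockdown 2>/dev/null || true)
    check_lsm "$lsm"
    check_lockdown "$(uname -r)" "$lockdown"
}

# Constructed sample values (not read from a real host):
check_lsm "lockdown,capability,yama"
check_lockdown "6.1.0-18-amd64" "[none] integrity confidentiality"
```

Call `audit_host` to apply the same checks to the running kernel.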

