Re: package for security advice
> I think it would be good to have a package for improving system security.
> could depend on packages like spectre-meltdown-checker and also contain
> scripts that look for ways of improving system security. For example
> recommend SE Linux or Apparmor (if you don't have one installed), recommend
> lockdown=confidentiality if using kernel 5.4 or greater, and do other similar
> checks and warnings.
Maybe you're looking for a hardened by default Debian derivative?
> For each issue there would ideally be a URL provided
> (maybe to the Debian Wiki, maybe to somewhere else) that describes the issue.
> I'm not saying that everyone should use all these features, just that everyone
> who cares about security should know what the options are and have made an
> informed choice that they can easily review.
> For subsystems that are complex and security critical (like Apache and Samba
> for example) you could have other packages providing check scripts that look
> for common configuration choices that might reduce security. Such scripts
> would be designed to give false positives rather than false negatives. The
> idea being that if you do something potentially risky then you should be aware
> of it and so should whoever takes over your job in a few years time. Then at
> relevant times (EG after an upgrade to a new release of Debian) decisions
> about security can be reviewed.
> What do you think about this idea?
The Problem with Security Guides and How We Can Fix It