Re: package for security advice

On Sat, Mar 07, 2020 at 08:22:59PM +1100, Russell Coker wrote:
> For subsystems that are complex and security critical (like Apache and Samba 
> for example) you could have other packages providing check scripts that look 
> for common configuration choices that might reduce security.  Such scripts 
> would be designed to give false positives rather than false negatives.  The 
> idea being that if you do something potentially risky then you should be aware 
> of it and so should whoever takes over your job in a few years' time.  Then at
> relevant times (e.g. after an upgrade to a new release of Debian) decisions
> about security can be reviewed.

I worry that package-specific guidelines will be hard to maintain with
uniform quality over time.  Do general tools for evaluating the security
posture of an Apache or nginx installation exist today?  How useful are
they?  If they exist and are useful, can we package them?  If they don't
exist, why not?  My guess is that high quality tools don't exist today,
in large part because web server security is so application dependent.

A tool to provide a baseline evaluation of general system security seems
worthwhile.  Especially if we're diligent about updating it as new
hardware security flaws are found and mitigated, etc.
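
An added illustration of the kind of check script discussed in this thread, not part of the original messages and not an existing Debian or Apache tool. It assumes a small hypothetical rule table over real Apache directives and leans toward false positives: unknown values, unset directives and uninspected includes are all reported.

```python
# Directive -> (values treated as safe, reason for concern); names are lower-cased.
# The rule table is an assumption made for this example, not a complete policy.
CHECKS = {
    "servertokens": ({"prod", "productonly"}, "Server header discloses version details"),
    "serversignature": ({"off"}, "error pages disclose version details"),
    "traceenable": ({"off"}, "HTTP TRACE is enabled"),
}

def audit(config_text):
    """Return (line_no, message) findings; line_no 0 means the directive is absent."""
    findings, seen = [], set()
    for n, raw in enumerate(config_text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        name, args = parts[0].lower(), [a.lower() for a in parts[1:]]
        if name in CHECKS:
            seen.add(name)
            safe, why = CHECKS[name]
            # Anything not on the safe list is reported, including unknown values.
            if not args or args[0] not in safe:
                findings.append((n, f"{raw.strip()}: {why}"))
        elif name == "options" and any(a.lstrip("+") in ("indexes", "all") for a in args):
            findings.append((n, f"{raw.strip()}: directory listings may be enabled"))
        elif name in ("include", "includeoptional"):
            # Included files are not followed, so say so rather than stay silent.
            findings.append((n, f"{raw.strip()}: included files were not inspected"))
    for name in sorted(CHECKS.keys() - seen):
        # Absence is reported too: the built-in default is not assumed to be safe.
        findings.append((0, f"{name} is not set explicitly; review the default"))
    return findings

# Constructed sample configuration, not taken from a real host.
SAMPLE = """\
# constructed sample
ServerTokens OS
ServerSignature Off
<Directory /var/www/html>
    Options +Indexes FollowSymLinks
</Directory>
IncludeOptional conf-enabled/*.conf
"""

if __name__ == "__main__":
    for line_no, message in audit(SAMPLE):
        print(f"line {line_no}: {message}" if line_no else f"missing: {message}")
```

The parser is line-based and does not handle backslash continuations or quoted arguments, which is acceptable only because every gap is resolved by reporting rather than by passing.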


