Re: making Debian secure by default



On 28 Mar 2024 06:16 +0100, from incal@dataswamp.org (Emanuel Berg):
> "Secure by default" is an OpenBSD slogan BTW. Or they have
> made it into one at least. But I'm not sure it is any more
> secure than Debian - maybe.
> 
>   https://www.openbsd.org/security.html

If I'm not mistaken, OpenBSD is "secure by default" by being
"extremely minimalistic by default".

Last I looked, which in fairness was a while ago, a default
installation of OpenBSD includes almost nothing that normal,
present-day users would expect to find on their system. Once you go
beyond the default installation by adding useful packages, you also go
beyond at least a large part of the "secure by default" promise.

And similarly, most network-enabled software installs by default
with all network-related functionality turned off or heavily
restricted, so the first thing you have to do after installing
something is to turn on the functionality for which you installed it.
But up until the point that you do that, the software you installed
very likely is secure (because it's reachable at most by people you
already trust at least to some degree).

Which doesn't mean that Debian can't be "more secure by default" by
installing services in a turned-off and locked-down manner and
expecting the administrator to open them up and do so in a secure
manner. But I rather suspect that most people who do install a package
do so because they want to use it; so a reasonably secure but still
useful setup out of the package manager would seem more practically
useful to most people.

Security and usability are often (but not always) at odds with each
other. The most secure system possible generally won't be very usable.

And for a real-world use case for wall, I have apcupsd set up to send
notifications to everywhere if there's a power failure, and ahead of a
power-failure system shutdown. Doesn't make much difference if I am at
the console, but is very useful if I'm logged in remotely.

-- 
Michael Kjörling                     🔗 https://michael.kjorling.se
“Remember when, on the Internet, nobody cared that you were a dog?”