Re: making Debian secure by default
On Thu, Mar 28, 2024 at 01:30:32PM +0000, Andy Smith wrote:
> I'm just not sure that you'll find any "hardening" guide that will
> specifically say "disable writing to your terminal as there might be
> a bug in a binary that is setgid tty" before yesterday's reveal that
> there is such a bug in "wall".
>
> The more general advice to audit every setuid/setgid binary is more
> likely to be present.
[...]
> If the maintainer of util-linux doesn't agree, then the next thing
> I'd try is a bug against the Debian Administrator's Handbook:
>
> https://www.debian.org/doc/manuals/debian-handbook/
>
> This has a chapter on security, so possibly it would be appropriate
> to mention "mesg n" there.

A more proactive endeavor would be to document known best practices
on the wiki. A quick search found a couple pages that might serve
as starting points:

https://wiki.debian.org/SecurityManagement
https://wiki.debian.org/Hardening -- says it's for package maintainers

Anyone who is serious about such a project probably has a long road ahead
of them.