
Re: making Debian secure by default



On Thu, Mar 28, 2024 at 01:30:32PM +0000, Andy Smith wrote:
> I'm just not sure that you'll find any "hardening" guide that will
> specifically say "disable writing to your terminal as there might be
> a bug in a binary that is setgid tty" before yesterday's reveal that
> there is such a bug in "wall".
> 
> The more general advice to audit every setuid/setgid binary is more
> likely to be present.
[...]
> If the maintainer of util-linux doesn't agree, then the next thing
> I'd try is a bug against the Debian Administrator's Handbook:
> 
>     https://www.debian.org/doc/manuals/debian-handbook/
> 
> This has a chapter on security, so possibly it would be appropriate
> to mention "mesg n" there.

A more proactive endeavor would be to document known best practices
on the wiki.  A quick search found a couple pages that might serve
as starting points:

    https://wiki.debian.org/SecurityManagement
    https://wiki.debian.org/Hardening  -- says it's for package maintainers

Anyone who is serious about such a project probably has a long road ahead
of them.

