
Re: making Debian secure by default



On Thu, Mar 28, 2024 at 1:11 AM tomas wrote:
>
> On Wed, Mar 27, 2024 at 05:30:50PM -0400, Lee wrote:
> > I just saw this advisory
> >   Escape sequence injection in util-linux wall (CVE-2024-28085)
> >     https://seclists.org/fulldisclosure/2024/Mar/35
> > where they're talking about grabbing other users' sudo password.
>
> Are there any users logged in to your computer you don't trust?
>
> Thought so.
>
> Relax.
>
> Security means first and foremost understanding the threat.

Which I don't.  Hence the request for 'secure by default' instructions
for Debian.  Even better would be a secure by default installation
option.

To be clear, I'm not all that concerned about _this_ CVE.  I've got
the disable_mesg.sh file in /etc/profile.d so sending messages with
control codes to other terminals should be disabled for all.

My concern is all the other stuff that I don't even know about that
could be configured in a more secure manner but isn't.  For heaven's
sake, the man page says

       Traditionally, write access is allowed by default.  However,  as  users
       become  more  conscious  of various security risks, there is a trend to
       remove write access by default, at least for the primary  login  shell.
       To  make  sure  your ttys are set the way you want them to be set, mesg
       should be executed in your login scripts.

Clearly at least the man page writer realized there was a threat there
_and chose not to remove the threat_ !?

So what other goodies are there that I don't know about?  Is there
really nothing better than sudo find / <something to show files with
uid or gid perms> and try to figure out which of those programs are not
necessary?

And I'm still a bit surprised that needrestart isn't included as part
of the default install.  Or at least as part of the synaptic package
manager install.  I never guessed that I would _not_ be warned that I
needed to reboot after updating software with the synaptic package
manager -- that didn't happen until after I installed needrestart.

> Randomly
> reaching into the CVE box will most probably keep you from actually
> working on your real issues. E.g. your browser.

I think it's up to date:
$ cat /etc/motd

lee@spot ~
$ sudo crontab -l
[sudo] password for lee:
   ...
 47  4  *  *  *  (apt update >> apt-update.log 2>/dev/null) && \
                      (apt list --upgradable 2>/dev/null |\
                      egrep -v '^Listing' >| /etc/motd)

> Or your social media
> account.

I've never had one.

> Cheers
>
> [1] https://xkcd.com/1200/

I like the quote I saved from the full disclosure mailing list back
when it was fun & exploits were mailed out as attachments:

And at some point, you really have to ask yourself "Is this really a
plausible attack method, or did I forget to take my meds again?"
   -- Valdis Kletnieks

Regards
Lee
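The set-uid/set-gid audit asked about above, written out as an added example (not code from the thread): a few shell functions that list set-id files under a tree with their mode and owner, count them for a baseline, and map each one to the Debian package that ships it. The dpkg mapping assumes a Debian host; the other functions only need GNU find and stat.

```shell
#!/bin/sh
# Added example, not from the thread: enumerate set-uid / set-gid files
# under ROOT so they can be reviewed one by one. Run as root against /
# to cover the whole system; -xdev stays on one filesystem (skips /proc,
# /sys and other mounts). Output: "<octal mode> <owner>:<group> <path>".
list_setid_files() {
    root="${1:-/}"
    # -perm -4000 = set-uid bit set, -perm -2000 = set-gid bit set
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%a %U:%G %n' {} + 2>/dev/null | sort -k3
}

# Number of set-id files; keep the first run's listing as a baseline and
# diff against it after upgrades to spot new set-id binaries.
count_setid_files() {
    list_setid_files "$1" | wc -l | tr -d ' '
}

# Map each set-id file to the package that owns it (assumption: dpkg is
# available, as on a Debian system). Files no package claims are the
# first ones to look at, since nothing in the archive put them there.
setid_owners() {
    list_setid_files "$1" | while read -r mode owner path; do
        pkg=$(dpkg -S "$path" 2>/dev/null | cut -d: -f1)
        printf '%s %s %s\n' "$mode" "$path" "${pkg:-(no package)}"
    done
}
```

A package that ships a set-id binary can usually be dropped or reconfigured (`dpkg-statoverride` keeps the mode change across upgrades) once it is clear the binary is not needed.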

