
Re: making Debian secure by default



On Wed, Mar 27, 2024 at 8:37 PM Lee <ler762@gmail.com> wrote:
>
> I just saw this advisory
>   Escape sequence injection in util-linux wall (CVE-2024-28085)
>     https://seclists.org/fulldisclosure/2024/Mar/35
> where they're talking about grabbing other users' sudo password.
>
> Apparently the root of the security issue is that wall is a setgid program?
>
> Even more fun is the instructions
>   To make sure the PoC will work, make sure your victim user can
>   actually receive messages. First check that mesg is set to y
>   (`mesg y`). If a user does not have mesg turned on, they are not
>   exploitable.
>
> WTF??  I've never heard of a mesg, but
>   $ which mesg
>   /usr/bin/mesg
>
> So.  There is a program called 'mesg',  hrmmm..
>   man mesg
>     ...
>   Traditionally, write access is allowed by default.  However,  as  users
>   become  more  conscious  of various security risks, there is a trend to
>   remove write access by default, at least for the primary  login  shell.
>   To  make  sure  your ttys are set the way you want them to be set, mesg
>   should be executed in your login scripts.
>
> oof.  Are there instructions somewhere on how to make Debian secure by default?

There are Security Technical Implementation Guides (STIG) for Red Hat,
Solaris, SUSE, and Ubuntu. Unfortunately, nothing for Debian. See
<https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=unix-linux>.
More generally, for Operating Systems, see
<https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems>.

Jeff
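
The thread above turns on two file-permission facts: whether a terminal accepts messages (what `mesg` toggles) and whether `wall` is installed setgid. The shell script below is an added example, not part of either message, that reports both on a local system; its function names are invented here, and it assumes `mesg` state corresponds to the group/other write bits on the terminal device.

```shell
#!/bin/sh
# Added example: audit terminal write access and the setgid bit on wall.
# Function names are hypothetical; only POSIX find/test and dash/bash "-O" are used.

# mesg(1) reports "is y" when the terminal device is group- or other-writable.
# Return 0 if the device at $1 currently accepts write(1)/wall(1) messages.
tty_accepts_messages() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Return 0 if the file at $1 has the setgid bit set.
is_setgid() {
    [ -g "$1" ]
}

# Print one line per terminal owned by the current user, then the state of wall.
report() {
    for t in /dev/pts/* /dev/tty[0-9]*; do
        # Skip unmatched globs, non-devices and terminals owned by someone else.
        [ -c "$t" ] && [ -O "$t" ] || continue
        if tty_accepts_messages "$t"; then
            echo "$t: mesg y (write and wall can deliver messages here)"
        else
            echo "$t: mesg n"
        fi
    done
    w=$(command -v wall) || { echo "wall: not installed"; return 0; }
    if is_setgid "$w"; then
        echo "$w: setgid"
    else
        echo "$w: not setgid"
    fi
}

# Run as: sh audit.sh report
if [ "${1:-}" = "report" ]; then report; fi
```

A terminal reported as `mesg y` can be switched off for the session with `mesg n`, which, as the quoted man page says, belongs in the login scripts to take effect on every login.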

