I think it would be good to have a package for improving system security. It could depend on packages like spectre-meltdown-checker and also contain scripts that look for ways of improving system security. For example recommend SE Linux or AppArmor (if you don't have one installed), recommend lockdown=confidentiality if using kernel 5.4 or greater, and do other similar checks and warnings. For each issue there would ideally be a URL provided (maybe to the Debian Wiki, maybe to somewhere else) that describes the issue.

I'm not saying that everyone should use all these features, just that everyone who cares about security should know what the options are and have made an informed choice that they can easily review.

For subsystems that are complex and security critical (like Apache and Samba for example) you could have other packages providing check scripts that look for common configuration choices that might reduce security. Such scripts would be designed to give false positives rather than false negatives. The idea being that if you do something potentially risky then you should be aware of it and so should whoever takes over your job in a few years' time. Then at relevant times (EG after an upgrade to a new release of Debian) decisions about security can be reviewed.

What do you think about this idea?
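A sketch of the two checks the message above names (an active SELinux or AppArmor, and lockdown=confidentiality on kernel 5.4 or later), added here as an example and not taken from the thread or from any Debian package. The function names and the `SECFS` and `KREL` overrides are assumptions made so the checks can be pointed at constructed files; the references printed with each warning are also chosen for the example.

```sh
#!/bin/sh
# Added example: advisory checks for the two items named in the post.
# SECFS and KREL are overridable so the checks can be run on constructed input.
SECFS="${SECFS:-/sys/kernel/security}"
KREL="${KREL:-$(uname -r)}"

# Succeeds if kernel release $1 (e.g. 5.10.0-28-amd64) is >= major $2, minor $3.
kernel_at_least() {
    case $1 in [0-9]*.[0-9]*) ;; *) return 1 ;; esac
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%[!0-9]*}
    [ "$major" -gt "$2" ] || { [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ]; }
}

# Warns (returns 1) unless SELinux or AppArmor is in the active LSM list.
# An unreadable list also warns: a false positive is preferred to a false negative.
check_mac() {
    lsm=$(cat "$SECFS/lsm" 2>/dev/null) || lsm=""
    case ",$lsm," in
        *,selinux,*|*,apparmor,*) echo "OK   mac: active LSMs: $lsm"; return 0 ;;
    esac
    echo "WARN mac: neither SELinux nor AppArmor is active"
    echo "     see https://wiki.debian.org/SELinux https://wiki.debian.org/AppArmor"
    return 1
}

# Not applicable before 5.4; otherwise warns unless confidentiality is the
# bracketed (active) mode in the lockdown file.
check_lockdown() {
    if ! kernel_at_least "$KREL" 5 4; then
        echo "SKIP lockdown: kernel $KREL is older than 5.4"; return 0
    fi
    state=$(cat "$SECFS/lockdown" 2>/dev/null) || state=""
    case $state in
        *"[confidentiality]"*) echo "OK   lockdown: confidentiality"; return 0 ;;
    esac
    echo "WARN lockdown: '${state:-unavailable}', consider lockdown=confidentiality"
    echo "     see kernel_lockdown(7)"
    return 1
}

# Runs every check; the return value is the number of warnings.
run_checks() {
    warnings=0
    check_mac || warnings=$((warnings + 1))
    check_lockdown || warnings=$((warnings + 1))
    return "$warnings"
}

run_checks || echo "review the warnings above"
```

The checks only report; the choice of whether to act on a warning stays with the administrator.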
On Sat, Mar 7, 2020 at 9:30 AM Russell Coker wrote:

> I think it would be good to have a package for improving system security....
> What do you think about this idea?

There are a number of other tools for this sort of thing already, usually they get written and become outdated at some point then someone writes a new one and so on and so on. An example of a tool I sponsored in the past is lynis.

ISTR seeing some tools for checking Debian deployments in high-security environments on GitHub somewhere, but I don't recall the repo.

Isn't this what Tiger does?
apt-cache search tiger
tiger - Report system security vulnerabilities
tiger-otheros - Scripts to run Tiger in other operating systems

The only way to achieve real security is through knowledge. Pressing a shiny automated button is just going to implement what somebody else thinks is good for the system they assume you're running. Find the security websites, podcasts, newsletters, books. Learn what you really need to do for your actual case, not what somebody else thinks you should do. Learn what is superstitious paranoia that will never even come close to a private personal system.

If you're going to run a public web server, mail server, or whatever, one run of a script is not going to keep you secure. You need to know what the actual attack vectors can be, and need to be prepared for a threat that nobody's thought of yet.

Microsoft tells you all you have to do is click the little check box that turns on the security they've built and you're all safe.

On Sat, Mar 07, 2020 at 11:46:54AM -0600, Jonathan Hutchins wrote:

> The only way to achieve real security is through knowledge. Pressing a
> shiny automated button is just going to implement what somebody else thinks
> is good for the system they assume you're running. Find the security
> websites, podcasts, newsletters, books. Learn what you really need to do
> for your actual case, not what somebody else thinks you should do. Learn
> what is superstitious paranoia that will never even come close to a private
> personal system.

By your logic, we shouldn't bother taking any steps to help our users secure their systems. Everything should be on them. This may come as a surprise to you, but many computer users (I'll stop short of saying anything about "the vast majority"), have no interest whatsoever in "security websites, podcasts, newsletters, books". But guess what, they're still using computers, and they're not going to stop. We can either help them do so a little more safely, or we can watch them fail. One of these choices is aligned with our social contract.

> If you're going to run a public web server, mail server, or whatever, one
> run of a script is not going to keep you secure. You need to know what the
> actual attack vectors can be, and need to be prepared for a threat that
> nobody's thought of yet.

Why? *Somebody* certainly needs to think about these things, but the notion that *everybody* needs to do so to the deepest possible level ignores the reality of human nature. It is our responsibility as a Linux distribution to make difficult OS management tasks easier, and that includes taking reasonable steps to configure a system for use on today's internet.

> Microsoft tells you all you have to do is click the little check box that
> turns on the security they've built and you're all safe.

We're not talking about Microsoft.

noah