• package for security advice

    From Russell Coker@21:1/5 to All on Sat Mar 7 10:40:01 2020
    I think it would be good to have a package for improving system security. It could depend on packages like spectre-meltdown-checker and also contain scripts that look for ways of improving system security. For example recommend SE Linux or Apparmor (if you don't have one installed), recommend lockdown=confidentiality if using kernel 5.4 or greater, and do other similar checks and warnings. For each issue there would ideally be a URL provided (maybe to the Debian Wiki, maybe to somewhere else) that describes the issue. I'm not saying that everyone should use all these features, just that everyone who cares about security should know what the options are and have made an informed choice that they can easily review.

    For subsystems that are complex and security critical (like Apache and Samba for example) you could have other packages providing check scripts that look for common configuration choices that might reduce security. Such scripts would be designed to give false positives rather than false negatives. The idea being that if you do something potentially risky then you should be aware of it and so should whoever takes over your job in a few years time. Then at relevant times (EG after an upgrade to a new release of Debian) decisions about security can be reviewed.

    What do you think about this idea?

    --
    My Main Blog http://etbe.coker.com.au/
    My Documents Blog http://doc.coker.com.au/

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
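Two of the checks proposed in the opening post (SELinux/AppArmor presence, and lockdown=confidentiality on kernel 5.4 or later), sketched as an added example that is not part of the thread or of any existing package. The function names and the example.org URLs are placeholders; unreadable or unparseable input is reported as an issue, following the stated preference for false positives over false negatives.

```shell
#!/bin/sh
# Added example: advisory checks for two items named in the proposal.
# DOC_BASE and all function names are placeholders, not an existing package.
DOC_BASE=https://example.org/security-advice

# One advisory per issue, each with a URL that explains it.
finding() { printf 'ADVICE %s: %s\n  see %s\n' "$1" "$2" "$3"; }

# kernel_at_least RELEASE MAJOR MINOR -> 0 yes, 1 no, 2 unparseable release
kernel_at_least() {
    ver=${1%%-*}                       # "5.10.0-8-amd64" -> "5.10.0"
    case "$ver" in *.*) ;; *) return 2 ;; esac
    major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}
    case "$major.$minor" in .*|*.|*[!0-9.]*) return 2 ;; esac
    [ "$major" -gt "$2" ] || { [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ]; }
}

# check_lsm LSM_LIST (content of /sys/kernel/security/lsm, comma separated).
# Empty or unreadable input is reported too: prefer a false positive.
check_lsm() {
    case ",$1," in *,selinux,*|*,apparmor,*) return 0 ;; esac
    finding no-mac "neither SELinux nor AppArmor is active" "$DOC_BASE/mac"
    return 1
}

# check_lockdown RELEASE STATE (content of /sys/kernel/security/lockdown,
# e.g. "none [integrity] confidentiality"; brackets mark the active mode).
check_lockdown() {
    rc=0; kernel_at_least "$1" 5 4 || rc=$?
    case $rc in
        1) return 0 ;;  # older than 5.4: nothing to advise
        2) finding kernel-unknown "cannot parse kernel release '$1'" "$DOC_BASE/lockdown"
           return 1 ;;
    esac
    case "$2" in *'[confidentiality]'*) return 0 ;; esac
    finding lockdown "lockdown=confidentiality is available on kernel $1 but not active" \
        "$DOC_BASE/lockdown"
    return 1
}

# Check the running host; every check runs even if an earlier one reported.
advise_host() {
    issues=0
    check_lsm "$(cat /sys/kernel/security/lsm 2>/dev/null)" || issues=$((issues + 1))
    check_lockdown "$(uname -r)" "$(cat /sys/kernel/security/lockdown 2>/dev/null)" ||
        issues=$((issues + 1))
    printf '%s issue(s) to review\n' "$issues"
}

if [ "${1:-}" = "--host" ]; then advise_host; fi
```

Run with `--host` to check the running system; without it the script only defines the functions, so they can be exercised on saved inputs.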
  • From Patrick Schleizer@21:1/5 to All on Sat Mar 7 12:10:02 2020
    Russell Coker:
    > I think it would be good to have a package for improving system security.


    https://github.com/Whonix/security-misc

    > It could depend on packages like spectre-meltdown-checker and also contain scripts that look for ways of improving system security. For example recommend SE Linux or Apparmor (if you don't have one installed), recommend lockdown=confidentiality if using kernel 5.4 or greater, and do other similar checks and warnings.


    Maybe you're looking for a hardened by default Debian derivative?

    https://www.whonix.org/wiki/Kicksecure

    > For each issue there would ideally be a URL provided (maybe to the Debian Wiki, maybe to somewhere else) that describes the issue.


    https://www.whonix.org/wiki/System_Hardening_Checklist

    > I'm not saying that everyone should use all these features, just that everyone who cares about security should know what the options are and have made an informed choice that they can easily review.
    >
    > For subsystems that are complex and security critical (like Apache and Samba for example) you could have other packages providing check scripts that look for common configuration choices that might reduce security. Such scripts would be designed to give false positives rather than false negatives. The idea being that if you do something potentially risky then you should be aware of it and so should whoever takes over your job in a few years time. Then at relevant times (EG after an upgrade to a new release of Debian) decisions about security can be reviewed.
    >
    > What do you think about this idea?


    The Problem with Security Guides and How We Can Fix It

    https://forums.whonix.org/t/the-problem-with-security-guides-and-how-we-can-fix-it/8563

  • From Paul Wise@21:1/5 to All on Sat Mar 7 13:10:02 2020
    On Sat, Mar 7, 2020 at 9:30 AM Russell Coker wrote:

    > I think it would be good to have a package for improving system security.
    > ...
    > What do you think about this idea?

    There are a number of other tools for this sort of thing already,
    usually they get written and become outdated at some point then
    someone writes a new one and so on and so on. An example of a tool I
    sponsored in the past is lynis.

    ISTR seeing some tools for checking Debian deployments in
    high-security environments on GitHub somewhere, but I don't recall the
    repo.

    --
    bye,
    pabs

    https://wiki.debian.org/PaulWise

  • From Florian Weimer@21:1/5 to All on Sat Mar 7 13:00:02 2020
    * Russell Coker:

    > I think it would be good to have a package for improving system
    > security. It could depend on packages like spectre-meltdown-checker
    > and also contain scripts that look for ways of improving system
    > security. For example recommend SE Linux or Apparmor (if you don't
    > have one installed), recommend lockdown=confidentiality if using
    > kernel 5.4 or greater, and do other similar checks and warnings.
    > For each issue there would ideally be a URL provided (maybe to the
    > Debian Wiki, maybe to somewhere else) that describes the issue.

    This sounds related to OpenSCAP <https://www.open-scap.org/>. Some
    people value having such tools.

  • From vince@vheuser.com@21:1/5 to Paul Wise on Sat Mar 7 13:50:02 2020
    Isn't this what Tiger does?

    apt-cache search tiger

    tiger - Report system security vulnerabilities
    tiger-otheros - Scripts to run Tiger in other operating systems


    Vince




    On 2020/03/07 07:08 AM, Paul Wise wrote:
    > On Sat, Mar 7, 2020 at 9:30 AM Russell Coker wrote:
    >
    >> I think it would be good to have a package for improving system security.
    >> ...
    >> What do you think about this idea?
    >
    > There are a number of other tools for this sort of thing already,
    > usually they get written and become outdated at some point then
    > someone writes a new one and so on and so on. An example of a tool I
    > sponsored in the past is lynis.
    >
    > ISTR seeing some tools for checking Debian deployments in
    > high-security environments on GitHub somewhere, but I don't recall the
    > repo.


  • From Russell Coker@21:1/5 to vince@vheuser.com on Sat Mar 7 14:30:01 2020
    On Saturday, 7 March 2020 11:39:05 PM AEDT vince@vheuser.com wrote:
    > Isn't this what Tiger does?
    >
    > apt-cache search tiger
    >
    > tiger - Report system security vulnerabilities
    > tiger-otheros - Scripts to run Tiger in other operating systems

    Tiger is something that the tool I'm proposing could suggest or recommend. Thanks for mentioning Tiger, it's something I need to include in this.

    But Tiger is just covering part of it. I want to have a central place for recommending security improvements covering a variety of configuration issues, the vast majority of which won't be vulnerabilities. One of the aims is to have a hardened configuration that is less likely to have problems in the face of unexpected future security issues.

    --
    My Main Blog http://etbe.coker.com.au/
    My Documents Blog http://doc.coker.com.au/

  • From Jonathan Hutchins@21:1/5 to All on Sat Mar 7 19:10:01 2020
    The only way to achieve real security is through knowledge. Pressing a
    shiny automated button is just going to implement what somebody else
    thinks is good for the system they assume you're running. Find the
    security websites, podcasts, newsletters, books. Learn what you really
    need to do for your actual case, not what somebody else thinks you
    should do. Learn what is superstitious paranoia that will never even
    come close to a private personal system.

    If you're going to run a public web server, mail server, or whatever,
    one run of a script is not going to keep you secure. You need to know
    what the actual attack vectors can be, and need to be prepared for a
    threat that nobody's thought of yet.

    Microsoft tells you all you have to do is click the little check box
    that turns on the security they've built and you're all safe.

    Microsoft lies.

    Read.

    --
    Jonathan

  • From Noah Meyerhans@21:1/5 to Jonathan Hutchins on Sat Mar 7 19:30:02 2020
    On Sat, Mar 07, 2020 at 11:46:54AM -0600, Jonathan Hutchins wrote:
    > The only way to achieve real security is through knowledge. Pressing a
    > shiny automated button is just going to implement what somebody else
    > thinks is good for the system they assume you're running. Find the
    > security websites, podcasts, newsletters, books. Learn what you really
    > need to do for your actual case, not what somebody else thinks you
    > should do. Learn what is superstitious paranoia that will never even
    > come close to a private personal system.

    By your logic, we shouldn't bother taking any steps to help our users
    secure their systems. Everything should be on them. This may come as a surprise to you, but many computer users (I'll stop short of saying
    anything about "the vast majority"), have no interest whatsoever in
    "security websites, podcasts, newsletters, books". But guess what,
    they're still using computers, and they're not going to stop. We can
    either help them do so a little more safely, or we can watch them fail.
    One of these choices is aligned with our social contract.

    > If you're going to run a public web server, mail server, or whatever, one
    > run of a script is not going to keep you secure. You need to know what the
    > actual attack vectors can be, and need to be prepared for a threat that
    > nobody's thought of yet.

    Why? *Somebody* certainly needs to think about these things, but the
    notion that *everybody* needs to do so to the deepest possible level
    ignores the reality of human nature. It is our responsibility as a
    Linux distribution to make difficult OS management tasks easier, and
    that includes taking reasonable steps to configure a system for use on
    today's internet.

    > Microsoft tells you all you have to do is click the little check box that
    > turns on the security they've built and you're all safe.

    We're not talking about Microsoft.

    noah

  • From Noah Meyerhans@21:1/5 to Russell Coker on Sat Mar 7 20:10:04 2020
    On Sat, Mar 07, 2020 at 08:22:59PM +1100, Russell Coker wrote:
    > For subsystems that are complex and security critical (like Apache and Samba for example) you could have other packages providing check scripts that look for common configuration choices that might reduce security. Such scripts would be designed to give false positives rather than false negatives. The idea being that if you do something potentially risky then you should be aware of it and so should whoever takes over your job in a few years time. Then at relevant times (EG after an upgrade to a new release of Debian) decisions about security can be reviewed.

    I worry that package-specific guidelines will be hard to maintain with
    uniform quality over time. Do general tools for evaluating the security posture of an Apache or nginx installation exist today? How useful are
    they? If they exist and are useful, can we package them? If they don't
    exist, why not? My guess is that high quality tools don't exist today,
    in large part because web server security is so application dependent.

    A tool to provide a baseline evaluation of general system security seems worthwhile. Especially if we're diligent about updating it as new
    hardware security flaws are found and mitigated, etc.

    noah

  • From vince@vheuser.com@21:1/5 to Noah Meyerhans on Sat Mar 7 20:20:02 2020
    Nice discussion.
    Having learned Linux out of disgust for Microsoft,
    and now having run server and networks for many years,
    I have to agree that knowledge and forethought are key,
    but the notifications and tips that Tiger and other packages provided
    have helped me gain the knowledge necessary
    to have avoided many serious problems.

    I think an overall security suite package for Debian
    would be an appropriate vaccination for newbies
    and make a great system even better.
    I can't think of a faster way to learn than by doing
    and I can't imagine the pain of having had to learn without help.

    The choice is between doing it blind and having
    automatic access to expert scripts and context based advice.
    I only wish I knew enough to be able to help!
    Thanks, Russell and thanks, Florian, for the link to open-scap.org.

    Does Open-scap accomplish what Russell is suggesting?

    Vince H.
    Louisville KY




    On 2020/03/07 13:29 PM, Noah Meyerhans wrote:
    > On Sat, Mar 07, 2020 at 11:46:54AM -0600, Jonathan Hutchins wrote:
    >> The only way to achieve real security is through knowledge. Pressing a
    >> shiny automated button is just going to implement what somebody else thinks
    >> is good for the system they assume you're running. Find the security
    >> websites, podcasts, newsletters, books. Learn what you really need to do
    >> for your actual case, not what somebody else thinks you should do. Learn
    >> what is superstitious paranoia that will never even come close to a private
    >> personal system.
    >
    > By your logic, we shouldn't bother taking any steps to help our users
    > secure their systems. Everything should be on them. This may come as a
    > surprise to you, but many computer users (I'll stop short of saying
    > anything about "the vast majority"), have no interest whatsoever in
    > "security websites, podcasts, newsletters, books". But guess what,
    > they're still using computers, and they're not going to stop. We can
    > either help them do so a little more safely, or we can watch them fail.
    > One of these choices is aligned with our social contract.
    >
    >> If you're going to run a public web server, mail server, or whatever, one
    >> run of a script is not going to keep you secure. You need to know what the
    >> actual attack vectors can be, and need to be prepared for a threat that
    >> nobody's thought of yet.
    >
    > Why? *Somebody* certainly needs to think about these things, but the
    > notion that *everybody* needs to do so to the deepest possible level
    > ignores the reality of human nature. It is our responsibility as a
    > Linux distribution to make difficult OS management tasks easier, and
    > that includes taking reasonable steps to configure a system for use on
    > today's internet.
    >
    >> Microsoft tells you all you have to do is click the little check box that
    >> turns on the security they've built and you're all safe.
    >
    > We're not talking about Microsoft.
    >
    > noah



  • From Jonathan Hutchins@21:1/5 to All on Sun Mar 8 00:20:01 2020
    I would suggest that the effort you're asking for is already going in to
    Debian itself, and that together the maintainers deliver a system that
    is a reasonable compromise between security and convenience for a
    general use personal computer. People who want to go beyond that and
    offer a public service really do need to be expected to learn the vulnerabilities and vectors that apply to the type of service they're
    running.

    There is no blanket security policy that would be able to apply the
    correct security for every circumstance. Believe me, you wouldn't enjoy running a fully PCI/DOC secured system as your daily driver.

    --
    Jonathan
