Package: debian-policy Severity: normal Tags: newcomer upstream security Hardening according to many devs I have spoken with is an afterthought, especially post install. This is like reccommending Debian to be hacked. Im not saying one move can stop a hacker, security is always an ongoing situation, either you are ahead of the curve, or you have fallen behind.
Programming like this and packaging with this mindset is just no good. There are MANY ways one can harden a debian install, most are common sense items. Others are easy to implement solutions that could be setup by the installer or its packages BY DEFAULT. Many of these solutions protect the end user and help to secure a network environment. IGNORING ME is asking for trouble. Simple things: SELinux ENABLED and ENFORCING and INSTALLED WITH SeTroubleshoot [like Fedora has] Harden flags set AND ENFORCED on build environment(harden package) Use of RELRO and PIE where possible NOEXEC and NOSUID on /tmp and /var/tmp VA.randomize(HEAP?) set by default in /etc/sysctl.conf [I have many tweaks here, some for gigabit ethernet] ENCRYPTED SWAP enabled by DEFAULT with a RANDOM key /etc/securetty set to near nothing or nothing with comments on why nothing is here and the local login methods commented. ufw/gufw installed and set on startup fail2ban installed and base configured password backups disabled (why is this even a thought to enable this?) grub password protection should work (it doesnt and not only that but users and admins should have a clear cut method to enable this) Documentation of mainline system installed and linked to in ~/Desktop. (Like a pdf of the debian handbook...) non-free video (and other hardware) detection and installation help offered post install [like ubuntu has] This is what is on the top of my head, as I have BEEN IGNORED in the past by people saying "well this isnt our policy, make a hardening reccomends..." GUESS WHAT? IM MAKING IT. Debian is INSECURE by default. Neither admins nor end-users want the headache of figuring out all of these things by themselves, and all of this takes TIME to implement. PEOPLE FORGET. ADMINS get busy with other tasks like merging in a user database. USERS get busy with packages and putting all thier files back on the system. Dunno about you, it usually takes me DAYS to get all of my packages installed and setup correctly. And AM I the only one to semi-automate a lockdown and install method? (even if invoked by hand) -- System Information: Debian Release: stretch/sid APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.0.0-2-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
