I like that idea, and it sounds fairly simple - packages just check /etc/secure_level (or something similar) and do the "right thing". The tricky part is convincing every package maintainer to adopt it ;)
There are some "hardening" packages available, but I haven't had a chance to play with them yet. (and I didn't want them breaking my setup while I didn't have time to fix things)

On Wed, 2003-09-24 at 16:12, Steve Wray wrote:
> For what it's worth, and without wanting a distro-religious war about it,
> Mandrake has a variety of security levels, which can be locally configured,
> and which can allow exactly this sort of behavior;
>
> At high security levels, any new services that get installed (from RPMs)
> are only allowed from localhost or even, IIRC, services may not even
> be started by default, neither post-install nor on reboot: you have to
> set them up manually.
>
> Might be worth a look to see how they did it to see if it can be easily
> implemented on debian?
>
>
> On Thu, 25 Sep 2003 10:04, Florian Weimer wrote:
> > On Wed, Sep 24, 2003 at 01:42:01PM -0700, Adam Lydick wrote:
> > > Is there any effort to reduce the number of services running on a
> > > default debian install? For example: a typical workstation user doesn't
> > > really need to have inetd enabled, nor portmap (unless they are running
> > > fam or nfs -- which isn't enabled by default)
> >
> > I think it's more important that services only bind to localhost after
> > installation (in the default configuration).