On Wed, Jan 1, 2014 at 12:24 PM, Daniel Curtis wrote:
> Hi Moritz,
>
> 90 percent of the hardening via 'dpkg-buildflags'? That's
> good information. I'd hoped that the majority of all base
> packages and that's security-sensitive will be protected
> well. It's really a huge satisfaction.

You can also follow total archive buildflag progress:
http://outflux.net/debian/hardening

And consider helping:
https://wiki.debian.org/Hardening

> One more thing - does Debian include something like e.g.
> Ubuntu or openSUSE does? I mean a Security Features field.
> To mention a few: setuid binaries (kept to minimum),
> minimal set of daemons in the default installation, no open
> ports or ptrace scope (via /kernel/yama/ptrace_scope sysctl),
> and so on. What about kernel hardening?

There is a lintian check for setuid binaries, which prompts maintainers to avoid that. There isn't really any group effort tackling or monitoring the assortment of useful hardening features. That is something that could definitely be improved. There are Ubuntu pages on their progress in that area that may be worthwhile checking to see where Debian stands.

Best wishes,
Mike