Russell Coker:
> I think it would be good to have a package for improving system security.

https://github.com/Whonix/security-misc

> It could depend on packages like spectre-meltdown-checker and also contain
> scripts that look for ways of improving system security. For example
> recommend SE Linux or Apparmor (if you don't have one installed), recommend
> lockdown=confidentiality if using kernel 5.4 or greater, and do other similar
> checks and warnings.

Maybe you're looking for a hardened by default Debian derivative?

https://www.whonix.org/wiki/Kicksecure

> For each issue there would ideally be a URL provided
> (maybe to the Debian Wiki, maybe to somewhere else) that describes the issue.

https://www.whonix.org/wiki/System_Hardening_Checklist

> I'm not saying that everyone should use all these features, just that everyone
> who cares about security should know what the options are and have made an
> informed choice that they can easily review.
>
> For subsystems that are complex and security critical (like Apache and Samba
> for example) you could have other packages providing check scripts that look
> for common configuration choices that might reduce security. Such scripts
> would be designed to give false positives rather than false negatives. The
> idea being that if you do something potentially risky then you should be aware
> of it and so should whoever takes over your job in a few years time. Then at
> relevant times (EG after an upgrade to a new release of Debian) decisions
> about security can be reviewed.
>
> What do you think about this idea?

The Problem with Security Guides and How We Can Fix It
https://forums.whonix.org/t/the-problem-with-security-guides-and-how-we-can-fix-it/8563
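
The two checks named in the quoted proposal (an active SELinux or AppArmor LSM, and lockdown=confidentiality on kernel 5.4 or greater), written out as an added example; it is not part of the original thread and is not code from security-misc, Kicksecure or any Debian package. The function names and the `--live` switch are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: not from security-misc, Kicksecure or any Debian package.
# Function names and the --live switch are hypothetical. Each check takes the
# raw text as an argument so it can also be run on saved or constructed input.

# kernel_at_least RELEASE MAJOR MINOR: succeed if RELEASE >= MAJOR.MINOR
kernel_at_least() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}        # "10.0-8-amd64" -> "10"
    [ "$major" -gt "$2" ] || { [ "$major" -eq "$2" ] && [ "${minor:-0}" -ge "$3" ]; }
}

# check_lsm LSM_LIST: LSM_LIST is the comma-separated content of
# /sys/kernel/security/lsm, e.g. "lockdown,capability,yama,apparmor".
check_lsm() {
    case ",$1," in
        *,selinux,*|*,apparmor,*) return 0 ;;
    esac
    echo "WARN: neither SELinux nor AppArmor is active"
}

# check_lockdown RELEASE LOCKDOWN_TEXT: LOCKDOWN_TEXT is the content of
# /sys/kernel/security/lockdown, where the active mode is bracketed,
# e.g. "none [integrity] confidentiality". An empty or unreadable value
# warns too: a false positive is preferred over a false negative.
check_lockdown() {
    kernel_at_least "$1" 5 4 || return 0   # only recommended from 5.4 on
    case "$2" in
        *"[confidentiality]"*) ;;
        *) echo "WARN: lockdown is not confidentiality; consider lockdown=confidentiality" ;;
    esac
}

# Feed the checks with values from the running system.
main() {
    check_lsm "$(cat /sys/kernel/security/lsm 2>/dev/null)"
    check_lockdown "$(uname -r)" "$(cat /sys/kernel/security/lockdown 2>/dev/null)"
}

if [ "${1:-}" = "--live" ]; then main; fi
```

Run with `--live` to check the current machine; without it the file only defines the functions, so the checks can be exercised against saved output from another host.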