• Re: Resurrecting the Securing Debian Manual

    From Jeffrey Chimene@21:1/5 to Noah Meyerhans on Mon Jun 9 19:10:01 2025
    I'd like to see updates on Active Response.
    I've adopted Wazuh for such a task.

    On 6/9/25 09:20, Noah Meyerhans wrote:
    Hi all. The Securing Debian Manual (the harden-doc package) is
    woefully out of date and doesn't provide accurate guidance for
    operating modern software in the current threat landscape. I'd like
    to begin the task of updating it to reflect current best practice and
    to document current tools and technologies.

    Most basically, I wonder if folks think this is a worthy idea. The
    landscape has changed significantly since harden-doc was first
    written. Default configurations don't require as much hardening, and
    there are lots more available resources. Maybe harden-doc has
    stagnated because there's no real need for it?

    Assuming we do revive the doc, here are some ideas of what I'd like to
    do with the document. I'd like to also get feedback, ideas, and contributions from others interested in the topic.

    1. More background information on principles such as:
       a. Threat modeling
       b. Defense in depth
       c. Least privilege
    2. Modern server deployment practices, such as:
       a. Sandboxing (with systemd, containers, etc)
       b. Image-based deployments, including cloud
       c. Update deployment strategies for large fleets
    3. Data privacy:
       a. VPNs, wireguard, etc
       b. Disk encryption
    4. Workstation best practices, including:
       a. SSH key generation and handling
       b. Basic browser hygiene
       c. Password managers and other password hygiene
    My inclination is to primarily focus on general principles rather than
    try to document specific settings in specific packages, as in the
    current document's Chapter 5 ("Securing services running on your
    system"). It'll make sense to document some approaches to safe usage of
    the most common software (firefox, openssh, etc), but I don't believe
    that it's feasible to provide useful advice for a meaningful subset of
    Debian packages.

    Should we maybe consider maintaining this document on wiki.debian.org,
    rather than being a centrally maintained document? The wiki may scale
    better to multiple contributors, leading to better content and more
    active maintenance.

    If you've got ideas for other topics, I'd love to hear them.

    noah

