1325 lines
66 KiB
HTML
1325 lines
66 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
|
|
|
|
<html>
|
|
|
|
<head>
|
|
|
|
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
|
|
|
|
<title>Securing Debian Manual - Before and during the installation</title>
|
|
|
|
<link href="index.en.html" rel="start">
|
|
<link href="ch2.en.html" rel="prev">
|
|
<link href="ch4.en.html" rel="next">
|
|
<link href="index.en.html#contents" rel="contents">
|
|
<link href="index.en.html#copyright" rel="copyright">
|
|
<link href="ch1.en.html" rel="chapter" title="1 Introduction">
|
|
<link href="ch2.en.html" rel="chapter" title="2 Before you begin">
|
|
<link href="ch3.en.html" rel="chapter" title="3 Before and during the installation">
|
|
<link href="ch4.en.html" rel="chapter" title="4 After installation">
|
|
<link href="ch-sec-services.en.html" rel="chapter" title="5 Securing services running on your system">
|
|
<link href="ch-automatic-harden.en.html" rel="chapter" title="6 Automatic hardening of Debian systems">
|
|
<link href="ch7.en.html" rel="chapter" title="7 Debian Security Infrastructure">
|
|
<link href="ch-sec-tools.en.html" rel="chapter" title="8 Security tools in Debian">
|
|
<link href="ch9.en.html" rel="chapter" title="9 Developer's Best Practices for OS Security">
|
|
<link href="ch10.en.html" rel="chapter" title="10 Before the compromise">
|
|
<link href="ch-after-compromise.en.html" rel="chapter" title="11 After the compromise (incident response)">
|
|
<link href="ch12.en.html" rel="chapter" title="12 Frequently asked Questions (FAQ)">
|
|
<link href="ap-harden-step.en.html" rel="appendix" title="A The hardening process step by step">
|
|
<link href="ap-checklist.en.html" rel="appendix" title="B Configuration checklist">
|
|
<link href="ap-snort-box.en.html" rel="appendix" title="C Setting up a stand-alone IDS">
|
|
<link href="ap-bridge-fw.en.html" rel="appendix" title="D Setting up a bridge firewall">
|
|
<link href="ap-bind-chuser.en.html" rel="appendix" title="E Sample script to change the default Bind installation.">
|
|
<link href="ap-fw-security-update.en.html" rel="appendix" title="F Security update protected by a firewall">
|
|
<link href="ap-chroot-ssh-env.en.html" rel="appendix" title="G <code>Chroot</code> environment for <code>SSH</code>">
|
|
<link href="ap-chroot-apache-env.en.html" rel="appendix" title="H <code>Chroot</code> environment for <code>Apache</code>">
|
|
<link href="ch1.en.html#s-authors" rel="section" title="1.1 Authors">
|
|
<link href="ch1.en.html#s1.2" rel="section" title="1.2 Where to get the manual (and available formats)">
|
|
<link href="ch1.en.html#s1.3" rel="section" title="1.3 Organizational notes/feedback">
|
|
<link href="ch1.en.html#s1.4" rel="section" title="1.4 Prior knowledge">
|
|
<link href="ch1.en.html#s1.5" rel="section" title="1.5 Things that need to be written (FIXME/TODO)">
|
|
<link href="ch1.en.html#s-changelog" rel="section" title="1.6 Changelog/History">
|
|
<link href="ch1.en.html#s-credits" rel="section" title="1.7 Credits and thanks!">
|
|
<link href="ch2.en.html#s2.1" rel="section" title="2.1 What do you want this system for?">
|
|
<link href="ch2.en.html#s-references" rel="section" title="2.2 Be aware of general security problems">
|
|
<link href="ch2.en.html#s2.3" rel="section" title="2.3 How does Debian handle security?">
|
|
<link href="ch3.en.html#s-bios-passwd" rel="section" title="3.1 Choose a BIOS password">
|
|
<link href="ch3.en.html#s3.2" rel="section" title="3.2 Partitioning the system">
|
|
<link href="ch3.en.html#s3.3" rel="section" title="3.3 Do not plug to the Internet until ready">
|
|
<link href="ch3.en.html#s3.4" rel="section" title="3.4 Set a root password">
|
|
<link href="ch3.en.html#s3.5" rel="section" title="3.5 Activate shadow passwords and MD5 passwords">
|
|
<link href="ch3.en.html#s3.6" rel="section" title="3.6 Run the minimum number of services required">
|
|
<link href="ch3.en.html#s3.7" rel="section" title="3.7 Install the minimum amount of software required">
|
|
<link href="ch3.en.html#s3.8" rel="section" title="3.8 Read the Debian security mailing lists">
|
|
<link href="ch4.en.html#s-debian-sec-announce" rel="section" title="4.1 Subscribe to the Debian Security Announce mailing list">
|
|
<link href="ch4.en.html#s-security-update" rel="section" title="4.2 Execute a security update">
|
|
<link href="ch4.en.html#s-bios-boot" rel="section" title="4.3 Change the BIOS (again)">
|
|
<link href="ch4.en.html#s-lilo-passwd" rel="section" title="4.4 Set a LILO or GRUB password">
|
|
<link href="ch4.en.html#s-kernel-initramfs-prompt" rel="section" title="4.5 Disable root prompt on the initramfs">
|
|
<link href="ch4.en.html#s-kernel-root-prompt" rel="section" title="4.6 Remove root prompt on the kernel">
|
|
<link href="ch4.en.html#s-restrict-console-login" rel="section" title="4.7 Restricting console login access">
|
|
<link href="ch4.en.html#s-restrict-reboots" rel="section" title="4.8 Restricting system reboots through the console">
|
|
<link href="ch4.en.html#s4.9" rel="section" title="4.9 Mounting partitions the right way">
|
|
<link href="ch4.en.html#s4.10" rel="section" title="4.10 Providing secure user access">
|
|
<link href="ch4.en.html#s-tcpwrappers" rel="section" title="4.11 Using tcpwrappers">
|
|
<link href="ch4.en.html#s-log-alerts" rel="section" title="4.12 The importance of logs and alerts">
|
|
<link href="ch4.en.html#s-kernel-patches" rel="section" title="4.13 Adding kernel patches">
|
|
<link href="ch4.en.html#s4.14" rel="section" title="4.14 Protecting against buffer overflows">
|
|
<link href="ch4.en.html#s4.15" rel="section" title="4.15 Secure file transfers">
|
|
<link href="ch4.en.html#s4.16" rel="section" title="4.16 File system limits and control">
|
|
<link href="ch4.en.html#s-network-secure" rel="section" title="4.17 Securing network access">
|
|
<link href="ch4.en.html#s-snapshot" rel="section" title="4.18 Taking a snapshot of the system">
|
|
<link href="ch4.en.html#s4.19" rel="section" title="4.19 Other recommendations">
|
|
<link href="ch-sec-services.en.html#s5.1" rel="section" title="5.1 Securing ssh">
|
|
<link href="ch-sec-services.en.html#s5.2" rel="section" title="5.2 Securing Squid">
|
|
<link href="ch-sec-services.en.html#s-ftp-secure" rel="section" title="5.3 Securing FTP">
|
|
<link href="ch-sec-services.en.html#s5.4" rel="section" title="5.4 Securing access to the X Window System">
|
|
<link href="ch-sec-services.en.html#s5.5" rel="section" title="5.5 Securing printing access (the lpd and lprng issue)">
|
|
<link href="ch-sec-services.en.html#s5.6" rel="section" title="5.6 Securing the mail service">
|
|
<link href="ch-sec-services.en.html#s-sec-bind" rel="section" title="5.7 Securing BIND">
|
|
<link href="ch-sec-services.en.html#s5.8" rel="section" title="5.8 Securing Apache">
|
|
<link href="ch-sec-services.en.html#s5.9" rel="section" title="5.9 Securing finger">
|
|
<link href="ch-sec-services.en.html#s-chroot" rel="section" title="5.10 General chroot and suid paranoia">
|
|
<link href="ch-sec-services.en.html#s5.11" rel="section" title="5.11 General cleartext password paranoia">
|
|
<link href="ch-sec-services.en.html#s5.12" rel="section" title="5.12 Disabling NIS">
|
|
<link href="ch-sec-services.en.html#s-rpc" rel="section" title="5.13 Securing RPC services">
|
|
<link href="ch-sec-services.en.html#s-firewall-setup" rel="section" title="5.14 Adding firewall capabilities">
|
|
<link href="ch-automatic-harden.en.html#s6.1" rel="section" title="6.1 Harden">
|
|
<link href="ch-automatic-harden.en.html#s6.2" rel="section" title="6.2 Bastille Linux">
|
|
<link href="ch7.en.html#s-debian-sec-team" rel="section" title="7.1 The Debian Security Team">
|
|
<link href="ch7.en.html#s-dsa" rel="section" title="7.2 Debian Security Advisories">
|
|
<link href="ch7.en.html#s7.3" rel="section" title="7.3 Security Tracker">
|
|
<link href="ch7.en.html#s7.4" rel="section" title="7.4 Debian Security Build Infrastructure">
|
|
<link href="ch7.en.html#s-deb-pack-sign" rel="section" title="7.5 Package signing in Debian">
|
|
<link href="ch-sec-tools.en.html#s-vuln-asses" rel="section" title="8.1 Remote vulnerability assessment tools">
|
|
<link href="ch-sec-tools.en.html#s8.2" rel="section" title="8.2 Network scanner tools">
|
|
<link href="ch-sec-tools.en.html#s8.3" rel="section" title="8.3 Internal audits">
|
|
<link href="ch-sec-tools.en.html#s8.4" rel="section" title="8.4 Auditing source code">
|
|
<link href="ch-sec-tools.en.html#s-vpn" rel="section" title="8.5 Virtual Private Networks">
|
|
<link href="ch-sec-tools.en.html#s8.6" rel="section" title="8.6 Public Key Infrastructure (PKI)">
|
|
<link href="ch-sec-tools.en.html#s8.7" rel="section" title="8.7 SSL Infrastructure">
|
|
<link href="ch-sec-tools.en.html#s8.8" rel="section" title="8.8 Antivirus tools">
|
|
<link href="ch-sec-tools.en.html#s-gpg-agent" rel="section" title="8.9 GPG agent">
|
|
<link href="ch9.en.html#s-bpp-devel-design" rel="section" title="9.1 Best practices for security review and design">
|
|
<link href="ch9.en.html#s-bpp-lower-privs" rel="section" title="9.2 Creating users and groups for software daemons">
|
|
<link href="ch10.en.html#s-keep-secure" rel="section" title="10.1 Keep your system secure">
|
|
<link href="ch10.en.html#s-periodic-integrity" rel="section" title="10.2 Do periodic integrity checks">
|
|
<link href="ch10.en.html#s-intrusion-detect" rel="section" title="10.3 Set up Intrusion Detection">
|
|
<link href="ch10.en.html#s10.4" rel="section" title="10.4 Avoiding root-kits">
|
|
<link href="ch10.en.html#s10.5" rel="section" title="10.5 Genius/Paranoia Ideas — what you could do">
|
|
<link href="ch-after-compromise.en.html#s11.1" rel="section" title="11.1 General behavior">
|
|
<link href="ch-after-compromise.en.html#s11.2" rel="section" title="11.2 Backing up the system">
|
|
<link href="ch-after-compromise.en.html#s11.3" rel="section" title="11.3 Contact your local CERT">
|
|
<link href="ch-after-compromise.en.html#s11.4" rel="section" title="11.4 Forensic analysis">
|
|
<link href="ch12.en.html#s12.1" rel="section" title="12.1 Security in the Debian operating system">
|
|
<link href="ch12.en.html#s-vulnerable-system" rel="section" title="12.2 My system is vulnerable! (Are you sure?)">
|
|
<link href="ch12.en.html#s-debian-sec-team-faq" rel="section" title="12.3 Questions regarding the Debian security team">
|
|
<link href="ap-bridge-fw.en.html#sD.1" rel="section" title="D.1 A bridge providing NAT and firewall capabilities">
|
|
<link href="ap-bridge-fw.en.html#sD.2" rel="section" title="D.2 A bridge providing firewall capabilities">
|
|
<link href="ap-bridge-fw.en.html#sD.3" rel="section" title="D.3 Basic IPtables rules">
|
|
<link href="ap-chroot-ssh-env.en.html#sG.1" rel="section" title="G.1 Chrooting the ssh users">
|
|
<link href="ap-chroot-ssh-env.en.html#sG.2" rel="section" title="G.2 Chrooting the ssh server">
|
|
<link href="ap-chroot-apache-env.en.html#sH.1" rel="section" title="H.1 Introduction">
|
|
<link href="ap-chroot-apache-env.en.html#sH.2" rel="section" title="H.2 Installing the server">
|
|
<link href="ap-chroot-apache-env.en.html#sH.3" rel="section" title="H.3 See also">
|
|
<link href="ch1.en.html#s1.6.1" rel="subsection" title="1.6.1 Version 3.16 (March 2011)">
|
|
<link href="ch1.en.html#s1.6.2" rel="subsection" title="1.6.2 Version 3.15 (December 2010)">
|
|
<link href="ch1.en.html#s1.6.3" rel="subsection" title="1.6.3 Version 3.14 (March 2009)">
|
|
<link href="ch1.en.html#s1.6.4" rel="subsection" title="1.6.4 Version 3.13 (Februrary 2008)">
|
|
<link href="ch1.en.html#s1.6.5" rel="subsection" title="1.6.5 Version 3.12 (August 2007)">
|
|
<link href="ch1.en.html#s1.6.6" rel="subsection" title="1.6.6 Version 3.11 (January 2007)">
|
|
<link href="ch1.en.html#s1.6.7" rel="subsection" title="1.6.7 Version 3.10 (November 2006)">
|
|
<link href="ch1.en.html#s1.6.8" rel="subsection" title="1.6.8 Version 3.9 (October 2006)">
|
|
<link href="ch1.en.html#s1.6.9" rel="subsection" title="1.6.9 Version 3.8 (July 2006)">
|
|
<link href="ch1.en.html#s1.6.10" rel="subsection" title="1.6.10 Version 3.7 (April 2006)">
|
|
<link href="ch1.en.html#s1.6.11" rel="subsection" title="1.6.11 Version 3.6 (March 2006)">
|
|
<link href="ch1.en.html#s1.6.12" rel="subsection" title="1.6.12 Version 3.5 (November 2005)">
|
|
<link href="ch1.en.html#s1.6.13" rel="subsection" title="1.6.13 Version 3.4 (August-September 2005)">
|
|
<link href="ch1.en.html#s1.6.14" rel="subsection" title="1.6.14 Version 3.3 (June 2005)">
|
|
<link href="ch1.en.html#s1.6.15" rel="subsection" title="1.6.15 Version 3.2 (March 2005)">
|
|
<link href="ch1.en.html#s1.6.16" rel="subsection" title="1.6.16 Version 3.1 (January 2005)">
|
|
<link href="ch1.en.html#s1.6.17" rel="subsection" title="1.6.17 Version 3.0 (December 2004)">
|
|
<link href="ch1.en.html#s1.6.18" rel="subsection" title="1.6.18 Version 2.99 (March 2004)">
|
|
<link href="ch1.en.html#s1.6.19" rel="subsection" title="1.6.19 Version 2.98 (December 2003)">
|
|
<link href="ch1.en.html#s1.6.20" rel="subsection" title="1.6.20 Version 2.97 (September 2003)">
|
|
<link href="ch1.en.html#s1.6.21" rel="subsection" title="1.6.21 Version 2.96 (August 2003)">
|
|
<link href="ch1.en.html#s1.6.22" rel="subsection" title="1.6.22 Version 2.95 (June 2003)">
|
|
<link href="ch1.en.html#s1.6.23" rel="subsection" title="1.6.23 Version 2.94 (April 2003)">
|
|
<link href="ch1.en.html#s1.6.24" rel="subsection" title="1.6.24 Version 2.93 (March 2003)">
|
|
<link href="ch1.en.html#s1.6.25" rel="subsection" title="1.6.25 Version 2.92 (February 2003)">
|
|
<link href="ch1.en.html#s1.6.26" rel="subsection" title="1.6.26 Version 2.91 (January/February 2003)">
|
|
<link href="ch1.en.html#s1.6.27" rel="subsection" title="1.6.27 Version 2.9 (December 2002)">
|
|
<link href="ch1.en.html#s1.6.28" rel="subsection" title="1.6.28 Version 2.8 (November 2002)">
|
|
<link href="ch1.en.html#s1.6.29" rel="subsection" title="1.6.29 Version 2.7 (October 2002)">
|
|
<link href="ch1.en.html#s1.6.30" rel="subsection" title="1.6.30 Version 2.6 (September 2002)">
|
|
<link href="ch1.en.html#s1.6.31" rel="subsection" title="1.6.31 Version 2.5 (September 2002)">
|
|
<link href="ch1.en.html#s1.6.32" rel="subsection" title="1.6.32 Version 2.5 (August 2002)">
|
|
<link href="ch1.en.html#s1.6.33" rel="subsection" title="1.6.33 Version 2.4">
|
|
<link href="ch1.en.html#s1.6.34" rel="subsection" title="1.6.34 Version 2.3">
|
|
<link href="ch1.en.html#s1.6.35" rel="subsection" title="1.6.35 Version 2.3">
|
|
<link href="ch1.en.html#s1.6.36" rel="subsection" title="1.6.36 Version 2.2">
|
|
<link href="ch1.en.html#s1.6.37" rel="subsection" title="1.6.37 Version 2.1">
|
|
<link href="ch1.en.html#s1.6.38" rel="subsection" title="1.6.38 Version 2.0">
|
|
<link href="ch1.en.html#s1.6.39" rel="subsection" title="1.6.39 Version 1.99">
|
|
<link href="ch1.en.html#s1.6.40" rel="subsection" title="1.6.40 Version 1.98">
|
|
<link href="ch1.en.html#s1.6.41" rel="subsection" title="1.6.41 Version 1.97">
|
|
<link href="ch1.en.html#s1.6.42" rel="subsection" title="1.6.42 Version 1.96">
|
|
<link href="ch1.en.html#s1.6.43" rel="subsection" title="1.6.43 Version 1.95">
|
|
<link href="ch1.en.html#s1.6.44" rel="subsection" title="1.6.44 Version 1.94">
|
|
<link href="ch1.en.html#s1.6.45" rel="subsection" title="1.6.45 Version 1.93">
|
|
<link href="ch1.en.html#s1.6.46" rel="subsection" title="1.6.46 Version 1.92">
|
|
<link href="ch1.en.html#s1.6.47" rel="subsection" title="1.6.47 Version 1.91">
|
|
<link href="ch1.en.html#s1.6.48" rel="subsection" title="1.6.48 Version 1.9">
|
|
<link href="ch1.en.html#s1.6.49" rel="subsection" title="1.6.49 Version 1.8">
|
|
<link href="ch1.en.html#s1.6.50" rel="subsection" title="1.6.50 Version 1.7">
|
|
<link href="ch1.en.html#s1.6.51" rel="subsection" title="1.6.51 Version 1.6">
|
|
<link href="ch1.en.html#s1.6.52" rel="subsection" title="1.6.52 Version 1.5">
|
|
<link href="ch1.en.html#s1.6.53" rel="subsection" title="1.6.53 Version 1.4">
|
|
<link href="ch1.en.html#s1.6.54" rel="subsection" title="1.6.54 Version 1.3">
|
|
<link href="ch1.en.html#s1.6.55" rel="subsection" title="1.6.55 Version 1.2">
|
|
<link href="ch1.en.html#s1.6.56" rel="subsection" title="1.6.56 Version 1.1">
|
|
<link href="ch1.en.html#s1.6.57" rel="subsection" title="1.6.57 Version 1.0">
|
|
<link href="ch3.en.html#s3.2.1" rel="subsection" title="3.2.1 Choose an intelligent partition scheme">
|
|
<link href="ch3.en.html#s3.2.1.1" rel="subsection" title="3.2.1.1 Selecting the appropriate file systems">
|
|
<link href="ch3.en.html#s-disableserv" rel="subsection" title="3.6.1 Disabling daemon services">
|
|
<link href="ch3.en.html#s-inetd" rel="subsection" title="3.6.2 Disabling <code>inetd</code> or its services">
|
|
<link href="ch3.en.html#s3.7.1" rel="subsection" title="3.7.1 Removing Perl">
|
|
<link href="ch4.en.html#s-lib-security-update" rel="subsection" title="4.2.1 Security update of libraries">
|
|
<link href="ch4.en.html#s-kernel-security-update" rel="subsection" title="4.2.2 Security update of the kernel">
|
|
<link href="ch4.en.html#s4.9.1" rel="subsection" title="4.9.1 Setting <code>/tmp</code> noexec">
|
|
<link href="ch4.en.html#s4.9.2" rel="subsection" title="4.9.2 Setting /usr read-only">
|
|
<link href="ch4.en.html#s-auth-pam" rel="subsection" title="4.10.1 User authentication: PAM">
|
|
<link href="ch4.en.html#s-user-limits" rel="subsection" title="4.10.2 Limiting resource usage: the <code>limits.conf</code> file">
|
|
<link href="ch4.en.html#s4.10.3" rel="subsection" title="4.10.3 User login actions: edit <code>/etc/login.defs</code>">
|
|
<link href="ch4.en.html#s4.10.4" rel="subsection" title="4.10.4 Restricting ftp: editing <code>/etc/ftpusers</code>">
|
|
<link href="ch4.en.html#s4.10.5" rel="subsection" title="4.10.5 Using su">
|
|
<link href="ch4.en.html#s4.10.6" rel="subsection" title="4.10.6 Using sudo">
|
|
<link href="ch4.en.html#s4.10.7" rel="subsection" title="4.10.7 Disallow remote administrative access">
|
|
<link href="ch4.en.html#s-user-restrict" rel="subsection" title="4.10.8 Restricting users's access">
|
|
<link href="ch4.en.html#s4.10.9" rel="subsection" title="4.10.9 User auditing">
|
|
<link href="ch4.en.html#s4.10.9.1" rel="subsection" title="4.10.9.1 Input and output audit with script">
|
|
<link href="ch4.en.html#s4.10.9.2" rel="subsection" title="4.10.9.2 Using the shell history file">
|
|
<link href="ch4.en.html#s4.10.9.3" rel="subsection" title="4.10.9.3 Complete user audit with accounting utilities">
|
|
<link href="ch4.en.html#s4.10.9.4" rel="subsection" title="4.10.9.4 Other user auditing methods">
|
|
<link href="ch4.en.html#s4.10.10" rel="subsection" title="4.10.10 Reviewing user profiles">
|
|
<link href="ch4.en.html#s4.10.11" rel="subsection" title="4.10.11 Setting users umasks">
|
|
<link href="ch4.en.html#s4.10.12" rel="subsection" title="4.10.12 Limiting what users can see/access">
|
|
<link href="ch4.en.html#s-limit-user-perm" rel="subsection" title="4.10.12.1 Limiting access to other user's information">
|
|
<link href="ch4.en.html#s-user-pwgen" rel="subsection" title="4.10.13 Generating user passwords">
|
|
<link href="ch4.en.html#s4.10.14" rel="subsection" title="4.10.14 Checking user passwords">
|
|
<link href="ch4.en.html#s-idle-logoff" rel="subsection" title="4.10.15 Logging off idle users">
|
|
<link href="ch4.en.html#s-custom-logcheck" rel="subsection" title="4.12.1 Using and customizing <code>logcheck</code>">
|
|
<link href="ch4.en.html#s4.12.2" rel="subsection" title="4.12.2 Configuring where alerts are sent">
|
|
<link href="ch4.en.html#s4.12.3" rel="subsection" title="4.12.3 Using a loghost">
|
|
<link href="ch4.en.html#s4.12.4" rel="subsection" title="4.12.4 Log file permissions">
|
|
<link href="ch4.en.html#s4.14.1" rel="subsection" title="4.14.1 Kernel patch protection for buffer overflows">
|
|
<link href="ch4.en.html#s4.14.2" rel="subsection" title="4.14.2 Testing programs for overflows">
|
|
<link href="ch4.en.html#s4.16.1" rel="subsection" title="4.16.1 Using quotas">
|
|
<link href="ch4.en.html#s-ext2attr" rel="subsection" title="4.16.2 The ext2 filesystem specific attributes (chattr/lsattr)">
|
|
<link href="ch4.en.html#s-check-integ" rel="subsection" title="4.16.3 Checking file system integrity">
|
|
<link href="ch4.en.html#s4.16.4" rel="subsection" title="4.16.4 Setting up setuid check">
|
|
<link href="ch4.en.html#s-kernel-conf" rel="subsection" title="4.17.1 Configuring kernel network features">
|
|
<link href="ch4.en.html#s-tcp-syncookies" rel="subsection" title="4.17.2 Configuring syncookies">
|
|
<link href="ch4.en.html#s-net-harden" rel="subsection" title="4.17.3 Securing the network on boot-time">
|
|
<link href="ch4.en.html#s-kernel-fw" rel="subsection" title="4.17.4 Configuring firewall features">
|
|
<link href="ch4.en.html#s-limit-bindaddr" rel="subsection" title="4.17.5 Disabling weak-end hosts issues">
|
|
<link href="ch4.en.html#s4.17.6" rel="subsection" title="4.17.6 Protecting against ARP attacks">
|
|
<link href="ch4.en.html#s4.19.1" rel="subsection" title="4.19.1 Do not use software depending on svgalib">
|
|
<link href="ch-sec-services.en.html#s-ssh-chroot" rel="subsection" title="5.1.1 Chrooting ssh">
|
|
<link href="ch-sec-services.en.html#s5.1.2" rel="subsection" title="5.1.2 Ssh clients">
|
|
<link href="ch-sec-services.en.html#s5.1.3" rel="subsection" title="5.1.3 Disallowing file transfers">
|
|
<link href="ch-sec-services.en.html#s-ssh-only-file" rel="subsection" title="5.1.4 Restricing access to file transfer only">
|
|
<link href="ch-sec-services.en.html#s5.4.1" rel="subsection" title="5.4.1 Check your display manager">
|
|
<link href="ch-sec-services.en.html#s5.6.1" rel="subsection" title="5.6.1 Configuring a Nullmailer">
|
|
<link href="ch-sec-services.en.html#s5.6.2" rel="subsection" title="5.6.2 Providing secure access to mailboxes">
|
|
<link href="ch-sec-services.en.html#s5.6.3" rel="subsection" title="5.6.3 Receiving mail securely">
|
|
<link href="ch-sec-services.en.html#s-configure-bind" rel="subsection" title="5.7.1 Bind configuration to avoid misuse">
|
|
<link href="ch-sec-services.en.html#s-user-bind" rel="subsection" title="5.7.2 Changing BIND's user">
|
|
<link href="ch-sec-services.en.html#s-chroot-bind" rel="subsection" title="5.7.3 Chrooting the name server">
|
|
<link href="ch-sec-services.en.html#s5.8.1" rel="subsection" title="5.8.1 Disabling users from publishing web contents">
|
|
<link href="ch-sec-services.en.html#s5.8.2" rel="subsection" title="5.8.2 Logfiles permissions">
|
|
<link href="ch-sec-services.en.html#s5.8.3" rel="subsection" title="5.8.3 Published web files">
|
|
<link href="ch-sec-services.en.html#s-auto-chroot" rel="subsection" title="5.10.1 Making chrooted environments automatically">
|
|
<link href="ch-sec-services.en.html#s5.13.1" rel="subsection" title="5.13.1 Disabling RPC services completely">
|
|
<link href="ch-sec-services.en.html#s5.13.2" rel="subsection" title="5.13.2 Limiting access to RPC services">
|
|
<link href="ch-sec-services.en.html#s5.14.1" rel="subsection" title="5.14.1 Firewalling the local system">
|
|
<link href="ch-sec-services.en.html#s5.14.2" rel="subsection" title="5.14.2 Using a firewall to protect other systems">
|
|
<link href="ch-sec-services.en.html#s5.14.3" rel="subsection" title="5.14.3 Setting up a firewall">
|
|
<link href="ch-sec-services.en.html#s-firewall-pack" rel="subsection" title="5.14.3.1 Using firewall packages">
|
|
<link href="ch-sec-services.en.html#s5.14.3.2" rel="subsection" title="5.14.3.2 Manual init.d configuration">
|
|
<link href="ch-sec-services.en.html#s5.14.3.3" rel="subsection" title="5.14.3.3 Configuring firewall rules through <code>ifup</code>">
|
|
<link href="ch-sec-services.en.html#s5.14.3.4" rel="subsection" title="5.14.3.4 Testing your firewall configuration">
|
|
<link href="ch7.en.html#s-crossreference" rel="subsection" title="7.2.1 Vulnerability cross references">
|
|
<link href="ch7.en.html#s-cve-compatible" rel="subsection" title="7.2.2 CVE compatibility">
|
|
<link href="ch7.en.html#s7.4.1" rel="subsection" title="7.4.1 Developer's guide to security updates">
|
|
<link href="ch7.en.html#s7.5.1" rel="subsection" title="7.5.1 The current scheme for package signature checks">
|
|
<link href="ch7.en.html#s-apt-0.6" rel="subsection" title="7.5.2 Secure apt">
|
|
<link href="ch7.en.html#s-check-releases" rel="subsection" title="7.5.3 Per distribution release check">
|
|
<link href="ch7.en.html#s7.5.3.1" rel="subsection" title="7.5.3.1 Basic concepts">
|
|
<link href="ch7.en.html#s7.5.3.2" rel="subsection" title="7.5.3.2 <code>Release</code> checksums">
|
|
<link href="ch7.en.html#s7.5.3.3" rel="subsection" title="7.5.3.3 Verification of the <code>Release</code> file">
|
|
<link href="ch7.en.html#s7.5.3.4" rel="subsection" title="7.5.3.4 Check of <code>Release.gpg</code> by <code>apt</code>">
|
|
<link href="ch7.en.html#s7.5.3.5" rel="subsection" title="7.5.3.5 How to tell apt what to trust">
|
|
<link href="ch7.en.html#s7.5.3.6" rel="subsection" title="7.5.3.6 Finding the key for a repository">
|
|
<link href="ch7.en.html#s-secure-apt-add-key" rel="subsection" title="7.5.3.7 Safely adding a key">
|
|
<link href="ch7.en.html#s7.5.3.8" rel="subsection" title="7.5.3.8 Verifying key integrity">
|
|
<link href="ch7.en.html#s7.5.3.9" rel="subsection" title="7.5.3.9 Debian archive key yearly rotation">
|
|
<link href="ch7.en.html#s7.5.3.10" rel="subsection" title="7.5.3.10 Known release checking problems">
|
|
<link href="ch7.en.html#s-manual-check-releases" rel="subsection" title="7.5.3.11 Manual per distribution release check">
|
|
<link href="ch7.en.html#s-check-non-debian-releases" rel="subsection" title="7.5.4 Release check of non Debian sources">
|
|
<link href="ch7.en.html#s-check-pkg-sign" rel="subsection" title="7.5.5 Alternative per-package signing scheme">
|
|
<link href="ch-sec-tools.en.html#s8.5.1" rel="subsection" title="8.5.1 Point to Point tunneling">
|
|
<link href="ch10.en.html#s-track-vulns" rel="subsection" title="10.1.1 Tracking security vulnerabilities">
|
|
<link href="ch10.en.html#s-keep-up-to-date" rel="subsection" title="10.1.2 Continuously update the system">
|
|
<link href="ch10.en.html#s10.1.2.1" rel="subsection" title="10.1.2.1 Manually checking which security updates are available">
|
|
<link href="ch10.en.html#s-update-desktop" rel="subsection" title="10.1.2.2 Checking for updates at the Desktop">
|
|
<link href="ch10.en.html#s-cron-apt" rel="subsection" title="10.1.2.3 Automatically checking for updates with cron-apt">
|
|
<link href="ch10.en.html#s-debsecan" rel="subsection" title="10.1.2.4 Automatically checking for security issues with debsecan">
|
|
<link href="ch10.en.html#s10.1.2.5" rel="subsection" title="10.1.2.5 Other methods for security updates">
|
|
<link href="ch10.en.html#s10.1.3" rel="subsection" title="10.1.3 Avoid using the unstable branch">
|
|
<link href="ch10.en.html#s-security-support-testing" rel="subsection" title="10.1.4 Security support for the testing branch">
|
|
<link href="ch10.en.html#s10.1.5" rel="subsection" title="10.1.5 Automatic updates in a Debian GNU/Linux system">
|
|
<link href="ch10.en.html#s10.3.1" rel="subsection" title="10.3.1 Network based intrusion detection">
|
|
<link href="ch10.en.html#s10.3.2" rel="subsection" title="10.3.2 Host based intrusion detection">
|
|
<link href="ch10.en.html#s-LKM" rel="subsection" title="10.4.1 Loadable Kernel Modules (LKM)">
|
|
<link href="ch10.en.html#s10.4.2" rel="subsection" title="10.4.2 Detecting root-kits">
|
|
<link href="ch10.en.html#s-proactive" rel="subsection" title="10.4.2.1 Proactive defense">
|
|
<link href="ch10.en.html#s10.4.2.2" rel="subsection" title="10.4.2.2 Reactive defense">
|
|
<link href="ch10.en.html#s10.5.1" rel="subsection" title="10.5.1 Building a honeypot">
|
|
<link href="ch-after-compromise.en.html#s11.4.1" rel="subsection" title="11.4.1 Analysis of malware">
|
|
<link href="ch12.en.html#s12.1.1" rel="subsection" title="12.1.1 Is Debian more secure than X?">
|
|
<link href="ch12.en.html#s12.1.1.1" rel="subsection" title="12.1.1.1 Is Debian more secure than other Linux distributions (such as Red Hat, SuSE...)?">
|
|
<link href="ch12.en.html#s12.1.2" rel="subsection" title="12.1.2 There are many Debian bugs in Bugtraq. Does this mean that it is very vulnerable?">
|
|
<link href="ch12.en.html#s12.1.3" rel="subsection" title="12.1.3 Does Debian have any certification related to security?">
|
|
<link href="ch12.en.html#s12.1.4" rel="subsection" title="12.1.4 Are there any hardening programs for Debian?">
|
|
<link href="ch12.en.html#s12.1.5" rel="subsection" title="12.1.5 I want to run XYZ service, which one should I choose?">
|
|
<link href="ch12.en.html#s12.1.6" rel="subsection" title="12.1.6 How can I make service XYZ more secure in Debian?">
|
|
<link href="ch12.en.html#s12.1.7" rel="subsection" title="12.1.7 How can I remove all the banners for services?">
|
|
<link href="ch12.en.html#s12.1.8" rel="subsection" title="12.1.8 Are all Debian packages safe?">
|
|
<link href="ch12.en.html#s12.1.9" rel="subsection" title="12.1.9 Why are some log files/configuration files world-readable, isn't this insecure?">
|
|
<link href="ch12.en.html#s12.1.10" rel="subsection" title="12.1.10 Why does /root/ (or UserX) have 755 permissions?">
|
|
<link href="ch12.en.html#s12.1.11" rel="subsection" title="12.1.11 After installing a grsec/firewall, I started receiving many console messages! How do I remove them?">
|
|
<link href="ch12.en.html#s-faq-os-users" rel="subsection" title="12.1.12 Operating system users and groups">
|
|
<link href="ch12.en.html#s12.1.12.1" rel="subsection" title="12.1.12.1 Are all system users necessary?">
|
|
<link href="ch12.en.html#s12.1.12.2" rel="subsection" title="12.1.12.2 I removed a system user! How can I recover?">
|
|
<link href="ch12.en.html#s12.1.12.3" rel="subsection" title="12.1.12.3 What is the difference between the adm and the staff group?">
|
|
<link href="ch12.en.html#s12.1.13" rel="subsection" title="12.1.13 Why is there a new group when I add a new user? (or Why does Debian give each user one group?)">
|
|
<link href="ch12.en.html#s12.1.14" rel="subsection" title="12.1.14 Questions regarding services and open ports">
|
|
<link href="ch12.en.html#s12.1.14.1" rel="subsection" title="12.1.14.1 Why are all services activated upon installation?">
|
|
<link href="ch12.en.html#s12.1.14.2" rel="subsection" title="12.1.14.2 Can I remove <code>inetd</code>?">
|
|
<link href="ch12.en.html#s12.1.14.3" rel="subsection" title="12.1.14.3 Why do I have port 111 open?">
|
|
<link href="ch12.en.html#s12.1.14.4" rel="subsection" title="12.1.14.4 What use is <code>identd</code> (port 113) for?">
|
|
<link href="ch12.en.html#s12.1.14.5" rel="subsection" title="12.1.14.5 I have services using port 1 and 6, what are they and how can I remove them?">
|
|
<link href="ch12.en.html#s12.1.14.6" rel="subsection" title="12.1.14.6 I found the port XYZ open, can I close it?">
|
|
<link href="ch12.en.html#s12.1.14.7" rel="subsection" title="12.1.14.7 Will removing services from <code>/etc/services</code> help secure my box?">
|
|
<link href="ch12.en.html#s12.1.15" rel="subsection" title="12.1.15 Common security issues">
|
|
<link href="ch12.en.html#s12.1.15.1" rel="subsection" title="12.1.15.1 I have lost my password and cannot access the system!">
|
|
<link href="ch12.en.html#s12.1.16" rel="subsection" title="12.1.16 How do I accomplish setting up a service for my users without giving out shell accounts?">
|
|
<link href="ch12.en.html#s-vulnasses-false-positive" rel="subsection" title="12.2.1 Vulnerability assessment scanner X says my Debian system is vulnerable!">
|
|
<link href="ch12.en.html#s12.2.2" rel="subsection" title="12.2.2 I've seen an attack in my system's logs. Is my system compromised?">
|
|
<link href="ch12.en.html#s12.2.3" rel="subsection" title="12.2.3 I have found strange 'MARK' lines in my logs: Am I compromised?">
|
|
<link href="ch12.en.html#s12.2.4" rel="subsection" title="12.2.4 I found users using 'su' in my logs: Am I compromised?">
|
|
<link href="ch12.en.html#s12.2.5" rel="subsection" title="12.2.5 I have found 'possible SYN flooding' in my logs: Am I under attack?">
|
|
<link href="ch12.en.html#s12.2.6" rel="subsection" title="12.2.6 I have found strange root sessions in my logs: Am I compromised?">
|
|
<link href="ch12.en.html#s12.2.7" rel="subsection" title="12.2.7 I have suffered a break-in, what do I do?">
|
|
<link href="ch12.en.html#s12.2.8" rel="subsection" title="12.2.8 How can I trace an attack?">
|
|
<link href="ch12.en.html#s12.2.9" rel="subsection" title="12.2.9 Program X in Debian is vulnerable, what do I do?">
|
|
<link href="ch12.en.html#s-version-backport" rel="subsection" title="12.2.10 The version number for a package indicates that I am still running a vulnerable version!">
|
|
<link href="ch12.en.html#s12.2.11" rel="subsection" title="12.2.11 Specific software">
|
|
<link href="ch12.en.html#s12.2.11.1" rel="subsection" title="12.2.11.1 <code>proftpd</code> is vulnerable to a Denial of Service attack.">
|
|
<link href="ch12.en.html#s12.2.11.2" rel="subsection" title="12.2.11.2 After installing <code>portsentry</code>, there are a lot of ports open.">
|
|
<link href="ch12.en.html#s12.3.1" rel="subsection" title="12.3.1 What is a Debian Security Advisory (DSA)?">
|
|
<link href="ch12.en.html#s12.3.2" rel="subsection" title="12.3.2 The signature on Debian advisories does not verify correctly!">
|
|
<link href="ch12.en.html#s12.3.3" rel="subsection" title="12.3.3 How is security handled in Debian?">
|
|
<link href="ch12.en.html#s12.3.4" rel="subsection" title="12.3.4 Why are you fiddling with an old version of that package?">
|
|
<link href="ch12.en.html#s12.3.5" rel="subsection" title="12.3.5 What is the policy for a fixed package to appear in security.debian.org?">
|
|
<link href="ch12.en.html#s12.3.6" rel="subsection" title="12.3.6 What does "local (remote)" mean?">
|
|
<link href="ch12.en.html#s12.3.7" rel="subsection" title="12.3.7 The version number for a package indicates that I am still running a vulnerable version!">
|
|
<link href="ch12.en.html#s-sec-unstable" rel="subsection" title="12.3.8 How is security handled for <samp>testing</samp> and <samp>unstable</samp>?">
|
|
<link href="ch12.en.html#s-sec-older" rel="subsection" title="12.3.9 I use an older version of Debian, is it supported by the Debian Security Team?">
|
|
<link href="ch12.en.html#s12.3.10" rel="subsection" title="12.3.10 How does <em>testing</em> get security updates?">
|
|
<link href="ch12.en.html#s12.3.11" rel="subsection" title="12.3.11 How is security handled for contrib and non-free?">
|
|
<link href="ch12.en.html#s12.3.12" rel="subsection" title="12.3.12 Why are there no official mirrors for security.debian.org?">
|
|
<link href="ch12.en.html#s12.3.13" rel="subsection" title="12.3.13 I've seen DSA 100 and DSA 102, now where is DSA 101?">
|
|
<link href="ch12.en.html#s12.3.14" rel="subsection" title="12.3.14 I tried to download a package listed in one of the security advisories, but I got a `file not found' error.">
|
|
<link href="ch12.en.html#s12.3.15" rel="subsection" title="12.3.15 How can I reach the security team?">
|
|
<link href="ch12.en.html#s12.3.16" rel="subsection" title="12.3.16 What difference is there between security@debian.org and debian-security@lists.debian.org?">
|
|
<link href="ch12.en.html#s12.3.17" rel="subsection" title="12.3.17 I guess I found a security problem, what should I do?">
|
|
<link href="ch12.en.html#s12.3.18" rel="subsection" title="12.3.18 How can I contribute to the Debian security team?">
|
|
<link href="ch12.en.html#s12.3.19" rel="subsection" title="12.3.19 Who is the Security Team composed of?">
|
|
<link href="ch12.en.html#s12.3.20" rel="subsection" title="12.3.20 Does the Debian Security team check every new package in Debian?">
|
|
<link href="ch12.en.html#s12.3.21" rel="subsection" title="12.3.21 How much time will it take Debian to fix vulnerability XXXX?">
|
|
<link href="ch12.en.html#s12.3.22" rel="subsection" title="12.3.22 How long will security updates be provided?">
|
|
<link href="ch12.en.html#s12.3.23" rel="subsection" title="12.3.23 How can I check the integrity of packages?">
|
|
<link href="ch12.en.html#s12.3.24" rel="subsection" title="12.3.24 What to do if a random package breaks after a security update?">
|
|
<link href="ap-chroot-ssh-env.en.html#sG.1.1" rel="subsection" title="G.1.1 Using <code>libpam-chroot</code>">
|
|
<link href="ap-chroot-ssh-env.en.html#sG.1.2" rel="subsection" title="G.1.2 Patching the <code>ssh</code> server">
|
|
<link href="ap-chroot-ssh-env.en.html#sG.2.1" rel="subsection" title="G.2.1 Setup a minimal system (the really easy way)">
|
|
<link href="ap-chroot-ssh-env.en.html#sG.2.2" rel="subsection" title="G.2.2 Automatically making the environment (the easy way)">
|
|
<link href="ap-chroot-ssh-env.en.html#sG.2.3" rel="subsection" title="G.2.3 Manually creating the environment (the hard way)">
|
|
<link href="ap-chroot-apache-env.en.html#sH.1.1" rel="subsection" title="H.1.1 Licensing">
|
|
|
|
</head>
|
|
|
|
<body>
|
|
|
|
<p><a name="ch3"></a></p>
|
|
<hr>
|
|
|
|
<p>
|
|
[ <a href="ch2.en.html">previous</a> ]
|
|
[ <a href="index.en.html#contents">Contents</a> ]
|
|
[ <a href="ch1.en.html">1</a> ]
|
|
[ <a href="ch2.en.html">2</a> ]
|
|
[ 3 ]
|
|
[ <a href="ch4.en.html">4</a> ]
|
|
[ <a href="ch-sec-services.en.html">5</a> ]
|
|
[ <a href="ch-automatic-harden.en.html">6</a> ]
|
|
[ <a href="ch7.en.html">7</a> ]
|
|
[ <a href="ch-sec-tools.en.html">8</a> ]
|
|
[ <a href="ch9.en.html">9</a> ]
|
|
[ <a href="ch10.en.html">10</a> ]
|
|
[ <a href="ch-after-compromise.en.html">11</a> ]
|
|
[ <a href="ch12.en.html">12</a> ]
|
|
[ <a href="ap-harden-step.en.html">A</a> ]
|
|
[ <a href="ap-checklist.en.html">B</a> ]
|
|
[ <a href="ap-snort-box.en.html">C</a> ]
|
|
[ <a href="ap-bridge-fw.en.html">D</a> ]
|
|
[ <a href="ap-bind-chuser.en.html">E</a> ]
|
|
[ <a href="ap-fw-security-update.en.html">F</a> ]
|
|
[ <a href="ap-chroot-ssh-env.en.html">G</a> ]
|
|
[ <a href="ap-chroot-apache-env.en.html">H</a> ]
|
|
[ <a href="ch4.en.html">next</a> ]
|
|
</p>
|
|
|
|
<hr>
|
|
|
|
<h1>
|
|
Securing Debian Manual
|
|
<br>Chapter 3 - Before and during the installation
|
|
</h1>
|
|
|
|
<hr>
|
|
|
|
<h2><a name="s-bios-passwd"></a>3.1 Choose a BIOS password</h2>
|
|
|
|
<p>
|
|
Before you install any operating system on your computer, set up a BIOS
|
|
password. After installation (once you have enabled bootup from the hard disk)
|
|
you should go back to the BIOS and change the boot sequence to disable booting
|
|
from floppy, CD-ROM and other devices that shouldn't boot. Otherwise a cracker
|
|
only needs physical access and a boot disk to access your entire system.
|
|
</p>
|
|
|
|
<p>
|
|
Disabling booting unless a password is supplied is even better. This can be
|
|
very effective if you run a server, because it is not rebooted very often. The
|
|
downside to this tactic is that rebooting requires human intervention which can
|
|
cause problems if the machine is not easily accessible.
|
|
</p>
|
|
|
|
<p>
|
|
Note: many BIOSes have well known default master passwords, and applications
|
|
also exist to retrieve the passwords from the BIOS. Corollary: don't depend on
|
|
this measure to secure console access to system.
|
|
</p>
|
|
|
|
<hr>
|
|
|
|
<h2><a name="s3.2"></a>3.2 Partitioning the system</h2>
|
|
|
|
<hr>
|
|
|
|
<h3><a name="s3.2.1"></a>3.2.1 Choose an intelligent partition scheme</h3>
|
|
|
|
<p>
|
|
An intelligent partition scheme depends on how the machine is used. A good
|
|
rule of thumb is to be fairly liberal with your partitions and to pay attention
|
|
to the following factors:
|
|
</p>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
Any directory tree which a user has write permissions to, such as e.g.
|
|
<code>/home</code>, <code>/tmp</code> and <code>/var/tmp/</code>, should be on
|
|
a separate partition. This reduces the risk of a user DoS by filling up your
|
|
"/" mount point and rendering the system unusable (Note: this is not
|
|
strictly true, since there is always some space reserved for root which a
|
|
normal user cannot fill), and it also prevents hardlink attacks. [<a
|
|
href="footnotes.en.html#f2" name="fr2">2</a>]
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
Any partition which can fluctuate, e.g. <code>/var</code> (especially
|
|
<code>/var/log</code>) should also be on a separate partition. On a Debian
|
|
system, you should create <code>/var</code> a little bit bigger than on other
|
|
systems, because downloaded packages (the apt cache) are stored in
|
|
<code>/var/cache/apt/archives</code>.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
Any partition where you want to install non-distribution software should be on
|
|
a separate partition. According to the File Hierarchy Standard, this is
|
|
<code>/opt</code> or <code>/usr/local</code>. If these are separate
|
|
partitions, they will not be erased if you (have to) reinstall Debian itself.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
From a security point of view, it makes sense to try to move static data to its
|
|
own partition, and then mount that partition read-only. Better yet, put the
|
|
data on read-only media. See below for more details.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
|
|
<p>
|
|
In the case of a mail server it is important to have a separate partition for
|
|
the mail spool. Remote users (either knowingly or unknowingly) can fill the
|
|
mail spool (<code>/var/mail</code> and/or <code>/var/spool/mail</code>). If
|
|
the spool is on a separate partition, this situation will not render the system
|
|
unusable. Otherwise (if the spool directory is on the same partition as
|
|
<code>/var</code>) the system might have important problems: log entries will
|
|
not be created, packages cannot be installed, and some programs might even have
|
|
problems starting up (if they use <code>/var/run</code>).
|
|
</p>
|
|
|
|
<p>
|
|
Also, for partitions in which you cannot be sure of the needed space,
|
|
installing Logical Volume Manager (<code>lvm-common</code> and the needed
|
|
binaries for your kernel, this might be either <code>lvm10</code>,
|
|
<code>lvm6</code>, or <code>lvm5</code>). Using <samp>lvm</samp>, you can
|
|
create volume groups that expand multiple physical volumes.
|
|
</p>
|
|
|
|
<hr>
|
|
|
|
<h4><a name="s3.2.1.1"></a>3.2.1.1 Selecting the appropriate file systems</h4>
|
|
|
|
<p>
|
|
During the system partitioning you also have to decide which file system you
|
|
want to use. The default file system[<a href="footnotes.en.html#f3"
|
|
name="fr3">3</a>] selected in the Debian installation for Linux partitions is
|
|
<samp>ext3</samp>, a journaling file system. It is recommended that you always
|
|
use a journaling file system, such as <samp>ext3</samp>, <samp>reiserfs</samp>,
|
|
<samp>jfs</samp> or <samp>xfs</samp>, to minimize the problems derived from a
|
|
system crash in the following cases:
|
|
</p>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
for laptops in all the file systems installed. That way if you run out of
|
|
battery unexpectedly or the system freezes due to a hardware issue (such as X
|
|
configuration which is somewhat common) you will be less likely to lose data
|
|
during a hardware reboot.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
for production systems which store large amounts of data (like mail servers,
|
|
ftp servers, network file systems...) it is recommended on these partitions.
|
|
That way, in the event of a system crash, the server will take less time to
|
|
recover and check the file systems, and data loss will be less likely.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
|
|
<p>
|
|
Leaving aside the performance issues regarding journalling file systems (since
|
|
this can sometimes turn into a religious war), it is usually better to use the
|
|
<samp>ext3</samp> file system. The reason for this is that it is backwards
|
|
compatible with <samp>ext2</samp>, so if there are any issues with the
|
|
journalling you can disable it and still have a working file system. Also, if
|
|
you need to recover the system with a bootdisk (or CD-ROM) you do not need a
|
|
custom kernel. If the kernel is 2.4 or 2.6 <samp>ext3</samp> support is
|
|
already available, if it is a 2.2 kernel you will be able to boot the file
|
|
system even if you lose journalling capabilities. If you are using other
|
|
journalling file systems you will find that you might not be able to recover
|
|
unless you have a 2.4 or 2.6 kernel with the needed modules built-in. If you
|
|
are stuck with a 2.2 kernel on the rescue disk, it might be even more difficult
|
|
to have it access <samp>reiserfs</samp> or <samp>xfs</samp>.
|
|
</p>
|
|
|
|
<p>
|
|
In any case, data integrity might be better under <samp>ext3</samp> since it
|
|
does file-data journalling while others do only meta-data journalling, see
|
|
<code><a
|
|
href="http://lwn.net/2001/0802/a/ext3-modes.php3">http://lwn.net/2001/0802/a/ext3-modes.php3</a></code>.
|
|
</p>
|
|
|
|
<p>
|
|
Notice, however, that there are some partitions that might not benefit from
|
|
using a journaling filesystem. For example, if you are using a separate
|
|
partition for <code>/tmp/</code> you might be better off using a standard
|
|
<samp>ext2</samp> filesystem as it will be cleaned up when the system boots.
|
|
</p>
|
|
|
|
<hr>
|
|
|
|
<h2><a name="s3.3"></a>3.3 Do not plug to the Internet until ready</h2>
|
|
|
|
<p>
|
|
The system should not be immediately connected to the Internet during
|
|
installation. This could sound stupid but network installation is a common
|
|
method. Since the system will install and activate services immediately, if
|
|
the system is connected to the Internet and the services are not properly
|
|
configured you are opening it to attack.
|
|
</p>
|
|
|
|
<p>
|
|
Also note that some services might have security vulnerabilities not fixed in
|
|
the packages you are using for installation. This is usually true if you are
|
|
installing from old media (like CD-ROMs). In this case, the system could even
|
|
be compromised before you finish installation!
|
|
</p>
|
|
|
|
<p>
|
|
Since Debian installation and upgrades can be done over the Internet you might
|
|
think it is a good idea to use this feature on installation. If the system is
|
|
going to be directly connected to the Internet (and not protected by a firewall
|
|
or NAT), it is best to install without connection to the Internet, using a
|
|
local packages mirror for both the Debian package sources and the security
|
|
updates. You can set up package mirrors by using another system connected to
|
|
the Internet with Debian-specific tools (if it's a Debian system) like
|
|
<code>apt-move</code> or <code>apt-proxy</code>, or other common mirroring
|
|
tools, to provide the archive to the installed system. If you cannot do this,
|
|
you can set up firewall rules to limit access to the system while doing the
|
|
update (see <a href="ap-fw-security-update.en.html">Security update protected
|
|
by a firewall, Appendix F</a>).
|
|
</p>
|
|
|
|
<hr>
|
|
|
|
<h2><a name="s3.4"></a>3.4 Set a root password</h2>
|
|
|
|
<p>
|
|
Setting a good root password is the most basic requirement for having a secure
|
|
system. See <code>passwd(1)</code> for some hints on how to create good
|
|
passwords. You can also use an automatic password generation program to do
|
|
this for you (see <a href="ch4.en.html#s-user-pwgen">Generating user passwords,
|
|
Section 4.10.13</a>).
|
|
</p>
|
|
|
|
<p>
|
|
Plenty of information on choosing good passwords can be found on the Internet;
|
|
two that provide a decent summary and rationale are Eric Wolfram's <code><a
|
|
href="http://wolfram.org/writing/howto/password.html">How to: Pick a Safe
|
|
Password</a></code> and Walter Belgers' <code><a
|
|
href="http://www.belgers.com/write/pwseceng.txt">Unix Password
|
|
Security</a></code>
|
|
</p>
|
|
|
|
<hr>
|
|
|
|
<h2><a name="s3.5"></a>3.5 Activate shadow passwords and MD5 passwords</h2>
|
|
|
|
<p>
|
|
At the end of the installation, you will be asked if shadow passwords should be
|
|
enabled. Answer yes to this question, so passwords will be kept in the file
|
|
<code>/etc/shadow</code>. Only the root user and the group shadow have read
|
|
access to this file, so no users will be able to grab a copy of this file in
|
|
order to run a password cracker against it. You can switch between shadow
|
|
passwords and normal passwords at any time by using <samp>shadowconfig</samp>.
|
|
</p>
|
|
|
|
<p>
|
|
Read more on shadow passwords in <code><a
|
|
href="http://www.tldp.org/HOWTO/Shadow-Password-HOWTO.html">Shadow
|
|
Password</a></code>
|
|
(<code>/usr/share/doc/HOWTO/en-txt/Shadow-Password.txt.gz</code>).
|
|
</p>
|
|
|
|
<p>
|
|
Furthermore, the installation uses MD5 hashed passwords per default. This is
|
|
generally a very good idea since it allows longer passwords and better
|
|
encryption. MD5 allows for passwords longer than 8 characters. This, if used
|
|
wisely, can make it more difficult for attackers to brute-force the system's
|
|
passwords. Regarding MD5 passwords, this is the default option when installing
|
|
the latest <code>passwd</code> package. You can recognize MD5 passwords in the
|
|
<code>/etc/shadow</code> file by their $1$ prefix.
|
|
</p>
|
|
|
|
<p>
|
|
This, as a matter of fact, modifies all files under <code>/etc/pam.d</code> by
|
|
substituting the password line and include md5 in it:
|
|
</p>
|
|
|
|
<pre>
|
|
password required pam_unix.so md5 nullok obscure min=6 max=16
|
|
</pre>
|
|
|
|
<p>
|
|
If <samp>max</samp> is not set over 8 the change will not be useful at all.
|
|
For more information on this read <a href="ch4.en.html#s-auth-pam">User
|
|
authentication: PAM, Section 4.10.1</a>.
|
|
</p>
|
|
|
|
<p>
|
|
Note: the default configuration in Debian, even when activating MD5 passwords,
|
|
does not modify the previously set <samp>max</samp> value.
|
|
</p>
|
|
|
|
<hr>
|
|
|
|
<h2><a name="s3.6"></a>3.6 Run the minimum number of services required</h2>
|
|
|
|
<p>
|
|
Services are programs such as ftp servers and web servers. Since they have to
|
|
be <em>listening</em> for incoming connections that request the service,
|
|
external computers can connect to yours. Services are sometimes vulnerable
|
|
(i.e. can be compromised under a given attack) and hence present a security
|
|
risk.
|
|
</p>
|
|
|
|
<p>
|
|
You should not install services which are not needed on your machine. Every
|
|
installed service might introduce new, perhaps not obvious (or known), security
|
|
holes on your computer.
|
|
</p>
|
|
|
|
<p>
|
|
As you may already know, when you install a given service the default behavior
|
|
is to activate it. In a default Debian installation, with no services
|
|
installed, the number of running services is quite low and the number of
|
|
network-oriented services is even lower. In a default Debian 3.1 standard
|
|
installation you will end up with OpenSSH, Exim (depending on how you
|
|
configured it) and the RPC portmapper available as network services[<a
|
|
href="footnotes.en.html#f4" name="fr4">4</a>]. If you did not go through a
|
|
standard installation but selected an expert installation you can end up with
|
|
no active network services. The RPC portmapper is installed by default because
|
|
it is needed for many services, for example NFS, to run on a given system.
|
|
However, it can be easily removed, see <a
|
|
href="ch-sec-services.en.html#s-rpc">Securing RPC services, Section 5.13</a>
|
|
for more information on how to secure or disable RPC services.
|
|
</p>
|
|
|
|
<p>
|
|
When you install a new network-related service (daemon) in your Debian
|
|
GNU/Linux system it can be enabled in two ways: through the <code>inetd</code>
|
|
superdaemon (i.e. a line will be added to <code>/etc/inetd.conf</code>) or
|
|
through a standalone program that binds itself to your network interfaces.
|
|
Standalone programs are controlled through the <code>/etc/init.d</code> files,
|
|
which are called at boot time through the SysV mechanism (or an alternative
|
|
one) by using symlinks in <code>/etc/rc?.d/*</code> (for more information on
|
|
how this is done read
|
|
<code>/usr/share/doc/sysvinit/README.runlevels.gz</code>).
|
|
</p>
|
|
|
|
<p>
|
|
If you want to keep some services but use them rarely, use the
|
|
<code>update-*</code> commands, e.g. <code>update-inetd</code> and
|
|
<code>update-rc.d</code> to remove them from the startup process. For more
|
|
information on how to disable network services read <a
|
|
href="#s-disableserv">Disabling daemon services, Section 3.6.1</a>. If you
|
|
want to change the default behaviour of starting up services on installation of
|
|
their associated packages[<a href="footnotes.en.html#f5" name="fr5">5</a>] use
|
|
<code>policy-rc.d</code>, please read
|
|
<code>/usr/share/doc/sysv-rc/README.policy-rc.d.gz</code> for more information.
|
|
</p>
|
|
|
|
<p>
|
|
<code>invoke-rc.d</code> support is mandatory in Debian, which means that for
|
|
Debian 4.0 <em>etch</em> and later releases you can write a policy-rc.d file
|
|
that forbids starting new daemons before you configure them. Although no such
|
|
scripts are packaged yet, they are quite simple to write. See
|
|
<code>policyrcd-script-zg2</code>.
|
|
</p>
|
|
|
|
<hr>
|
|
|
|
<h3><a name="s-disableserv"></a>3.6.1 Disabling daemon services</h3>
|
|
|
|
<p>
|
|
Disabling a daemon service is quite simple. You either remove the package
|
|
providing the program for that service or you remove or rename the startup
|
|
links under <code>/etc/rc${runlevel}.d/</code>. If you rename them make sure
|
|
they do not begin with 'S' so that they don't get started by
|
|
<code>/etc/init.d/rc</code>. Do not remove all the available links or the
|
|
package management system will regenerate them on package upgrades, make sure
|
|
you leave at least one link (typically a 'K', i.e. kill, link). For more
|
|
information read <code><a
|
|
href="http://www.debian.org/doc/manuals/reference/ch-system.en.html#s-custombootscripts">Customizing
|
|
runlevels</a></code> section of the Debian Reference (Chapter 2 - Debian
|
|
fundamentals).
|
|
</p>
|
|
|
|
<p>
|
|
You can remove these links manually or using <samp>update-rc.d</samp> (see
|
|
<code>update-rc.d(8)</code>). For example, you can disable a service from
|
|
executing in the multi-user runlevels by doing:
|
|
</p>
|
|
|
|
<pre>
|
|
# update-rc.d <var>name</var> stop <var>XX</var> 2 3 4 5 .
|
|
</pre>
|
|
|
|
<p>
|
|
Where <em>XX</em> is a number that determines when the stop action for that
|
|
service will be executed. Please note that, if you are <em>not</em> using
|
|
<code>file-rc</code>, <samp>update-rc.d -f <var>service</var> remove</samp>
|
|
will not work properly, since <em>all</em> links are removed, upon
|
|
re-installation or upgrade of the package these links will be re-generated
|
|
(probably not what you wanted). If you think this is not intuitive you are
|
|
probably right (see <code><a href="http://bugs.debian.org/67095">Bug
|
|
67095</a></code>). From the manpage:
|
|
</p>
|
|
|
|
<pre>
|
|
If any files /etc/rc<var>runlevel</var>.d/[SK]??name already exist then
|
|
update-rc.d does nothing. This is so that the system administrator
|
|
can rearrange the links, provided that they leave at least one
|
|
link remaining, without having their configuration overwritten.
|
|
</pre>
|
|
|
|
<p>
|
|
If you are using <code>file-rc</code> all the information regarding services
|
|
bootup is handled by a common configuration file and is maintained even if
|
|
packages are removed from the system.
|
|
</p>
|
|
|
|
<p>
|
|
You can use the TUI (Text User Interface) provided by <code>sysv-rc-conf</code>
|
|
to do all these changes easily (<code>sysv-rc-conf</code> works both for
|
|
<code>file-rc</code> and normal System V runlevels). You will also find
|
|
similar GUIs for desktop systems. You can also use the command line interface
|
|
of <code>sysv-rc-conf</code>:
|
|
</p>
|
|
|
|
<pre>
|
|
# sysv-rc-conf foobar off
|
|
</pre>
|
|
|
|
<p>
|
|
The advantage of using this utility is that the rc.d links are returned to the
|
|
status they had before the 'off' call if you re-enable the service with:
|
|
</p>
|
|
|
|
<pre>
|
|
# sysv-rc-conf foobar on
|
|
</pre>
|
|
|
|
<p>
|
|
Other (less recommended) methods of disabling services are:
|
|
</p>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
Removing the <code>/etc/init.d/<var>service_name</var></code> script and
|
|
removing the startup links using:
|
|
</p>
|
|
|
|
<pre>
|
|
# update-rc.d <var>name</var> remove
|
|
</pre>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
Move the script file (<code>/etc/init.d/<var>service_name</var></code>) to
|
|
another name (for example
|
|
<code>/etc/init.d/OFF.<var>service_name</var></code>). This will leave
|
|
dangling symlinks under <code>/etc/rc${runlevel}.d/</code> and will generate
|
|
error messages when booting up the system.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
Remove the execute permission from the
|
|
<code>/etc/init.d/<var>service_name</var></code> file. That will also generate
|
|
error messages when booting.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
Edit the <code>/etc/init.d/<var>service_name</var></code> script to have it
|
|
stop immediately once it is executed (by adding an <code>exit 0</code> line at
|
|
the beginning or commenting out the <samp>start-stop-daemon</samp> part in it).
|
|
If you do this, you will not be able to use the script to startup the service
|
|
manually later on.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
|
|
<p>
|
|
Nevertheless, the files under <code>/etc/init.d</code> are configuration files
|
|
and should not get overwritten due to package upgrades if you have made local
|
|
changes to them.
|
|
</p>
|
|
|
|
<p>
|
|
Unlike other (UNIX) operating systems, services in Debian cannot be disabled by
|
|
modifying files in <code>/etc/default/<var>service_name</var></code>.
|
|
</p>
|
|
|
|
<p>
|
|
FIXME: Add more information on handling daemons using <code>file-rc</code>.
|
|
</p>
|
|
|
|
<hr>
|
|
|
|
<h3><a name="s-inetd"></a>3.6.2 Disabling <code>inetd</code> or its services</h3>
|
|
|
|
<p>
|
|
You should check if you really need the <code>inetd</code> daemon nowadays.
|
|
Inetd was always a way to compensate for kernel deficiencies, but those have
|
|
been taken care of in modern Linux kernels. Denial of Service possibilities
|
|
exist against <code>inetd</code> (which can increase the machine's load
|
|
tremendously), and many people always preferred using stand-alone daemons
|
|
instead of calling services via <code>inetd</code>. If you still want to run
|
|
some kind of <code>inetd</code> service, then at least switch to a more
|
|
configurable Inet daemon like <code>xinetd</code>, <code>rlinetd</code> or
|
|
<code>openbsd-inetd</code>.
|
|
</p>
|
|
|
|
<p>
|
|
You should stop all unneeded Inetd services on your system, like
|
|
<code>echo</code>, <code>chargen</code>, <code>discard</code>,
|
|
<code>daytime</code>, <code>time</code>, <code>talk</code>, <code>ntalk</code>
|
|
and r-services (<code>rsh</code>, <code>rlogin</code> and <code>rcp</code>)
|
|
which are considered HIGHLY insecure (use <code>ssh</code> instead).
|
|
</p>
|
|
|
|
<p>
|
|
You can disable services by editing <code>/etc/inetd.conf</code> directly, but
|
|
Debian provides a better alternative: <samp>update-inetd</samp> (which comments
|
|
the services in a way that it can easily be turned on again). You could remove
|
|
the <code>telnet</code> daemon by executing this commands to change the config
|
|
file and to restart the daemon (in this case the <code>telnet</code> service is
|
|
disabled):
|
|
</p>
|
|
|
|
<pre>
|
|
/usr/sbin/update-inetd --disable telnet
|
|
</pre>
|
|
|
|
<p>
|
|
If you do want services listening, but do not want to have them listen on all
|
|
IP addresses of your host, you might want to use an undocumented feature on
|
|
<code>inetd</code> (replace service name with service@ip syntax) or use an
|
|
alternative <code>inetd</code> daemon like <code>xinetd</code>.
|
|
</p>
|
|
|
|
<hr>
|
|
|
|
<h2><a name="s3.7"></a>3.7 Install the minimum amount of software required</h2>
|
|
|
|
<p>
|
|
Debian comes with <em>a lot</em> of software, for example the Debian 3.0
|
|
<em>woody</em> release includes 6 or 7 (depending on architecture) CD-ROMs of
|
|
software and thousands of packages, and the Debian 3.1 <em>sarge</em> release
|
|
ships with around 13 CD-ROMs of software. With so much software, and even if
|
|
the base system installation is quite reduced [<a href="footnotes.en.html#f6"
|
|
name="fr6">6</a>] you might get carried away and install more than is really
|
|
needed for your system.
|
|
</p>
|
|
|
|
<p>
|
|
Since you already know what the system is for (don't you?) you should only
|
|
install software that is really needed for it to work. Any unnecessary tool
|
|
that is installed might be used by a user that wants to compromise the system
|
|
or by an external intruder that has gotten shell access (or remote code
|
|
execution through an exploitable service).
|
|
</p>
|
|
|
|
<p>
|
|
The presence, for example, of development utilities (a C compiler) or
|
|
interpreted languages (such as <code>perl</code> - but see below -,
|
|
<code>python</code>, <code>tcl</code>...) may help an attacker compromise the
|
|
system even further:
|
|
</p>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
allowing him to do privilege escalation. It's easier, for example, to run
|
|
local exploits in the system if there is a debugger and compiler ready to
|
|
compile and test them!
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
providing tools that could help the attacker to use the compromised system as a
|
|
<em>base of attack</em> against other systems. [<a href="footnotes.en.html#f7"
|
|
name="fr7">7</a>]
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
|
|
<p>
|
|
Of course, an intruder with local shell access can download his own set of
|
|
tools and execute them, and even the shell itself can be used to make complex
|
|
programs. Removing unnecessary software will not help <em>prevent</em> the
|
|
problem but will make it slightly more difficult for an attacker to proceed
|
|
(and some might give up in this situation looking for easier targets). So, if
|
|
you leave tools in a production system that could be used to remotely attack
|
|
systems (see <a href="ch-sec-tools.en.html#s-vuln-asses">Remote vulnerability
|
|
assessment tools, Section 8.1</a>) you can expect an intruder to use them too
|
|
if available.
|
|
</p>
|
|
|
|
<p>
|
|
Please notice that a default installation of Debian <em>sarge</em> (i.e. an
|
|
installation where no individual packages are selected) will install a number
|
|
of development packages that are not usually needed. This is because some
|
|
development packages are of <em>Standard</em> priority. If you are not going
|
|
to do any development you can safely remove the following packages from your
|
|
system, which will also help free up some space:
|
|
</p>
|
|
|
|
<pre>
|
|
Package Size
|
|
------------------------+--------
|
|
gdb 2,766,822
|
|
gcc-3.3 1,570,284
|
|
dpkg-dev 166,800
|
|
libc6-dev 2,531,564
|
|
cpp-3.3 1,391,346
|
|
manpages-dev 1,081,408
|
|
flex 257,678
|
|
g++ 1,384 (Note: virtual package)
|
|
linux-kernel-headers 1,377,022
|
|
bin86 82,090
|
|
cpp 29,446
|
|
gcc 4,896 (Note: virtual package)
|
|
g++-3.3 1,778,880
|
|
bison 702,830
|
|
make 366,138
|
|
libstdc++5-3.3-dev 774,982
|
|
</pre>
|
|
|
|
<p>
|
|
This is something that is fixed in releases post-sarge, see <code><a
|
|
href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=301273">Bug
|
|
#301273</a></code> and <code><a
|
|
href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=301138">Bug
|
|
#301138</a></code>. Due to a bug in the installation system this did not
|
|
happen when installing with the installation system of the Debian 3.0
|
|
<em>woody</em> release.
|
|
</p>
|
|
|
|
<hr>
|
|
|
|
<h3><a name="s3.7.1"></a>3.7.1 Removing Perl</h3>
|
|
|
|
<p>
|
|
You must take into account that removing <code>perl</code> might not be too
|
|
easy (as a matter of fact it can be quite difficult) in a Debian system since
|
|
it is used by many system utilities. Also, the <code>perl-base</code> is
|
|
<em>Priority: required</em> (that about says it all). It's still doable, but
|
|
you will not be able to run any <code>perl</code> application in the system;
|
|
you will also have to fool the package management system to think that the
|
|
<code>perl-base</code> is installed even if it's not. [<a
|
|
href="footnotes.en.html#f8" name="fr8">8</a>]
|
|
</p>
|
|
|
|
<p>
|
|
Which utilities use <code>perl</code>? You can see for yourself:
|
|
</p>
|
|
|
|
<pre>
|
|
$ for i in /bin/* /sbin/* /usr/bin/* /usr/sbin/*; do [ -f $i ] && {
|
|
type=`file $i | grep -il perl`; [ -n "$type" ] && echo $i; }; done
|
|
</pre>
|
|
|
|
<p>
|
|
These include the following utilities in packages with priority
|
|
<em>required</em> or <em>important</em>:
|
|
</p>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
<code>/usr/bin/chkdupexe</code> of package <code>util-linux</code>.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
<code>/usr/bin/replay</code> of package <code>bsdutils</code>.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
<code>/usr/sbin/cleanup-info</code> of package <code>dpkg</code>.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
<code>/usr/sbin/dpkg-divert</code> of package <code>dpkg</code>.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
<code>/usr/sbin/dpkg-statoverride</code> of package <code>dpkg</code>.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
<code>/usr/sbin/install-info</code> of package <code>dpkg</code>.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
<code>/usr/sbin/update-alternatives</code> of package <code>dpkg</code>.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
<code>/usr/sbin/update-rc.d</code> of package <code>sysvinit</code>.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
<code>/usr/bin/grog</code> of package <code>groff-base</code>.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
<code>/usr/sbin/adduser</code> of package <code>adduser</code>.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
<code>/usr/sbin/debconf-show</code> of package <code>debconf</code>.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
<code>/usr/sbin/deluser</code> of package <code>adduser</code>.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
<code>/usr/sbin/dpkg-preconfigure</code> of package <code>debconf</code>.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
<code>/usr/sbin/dpkg-reconfigure</code> of package <code>debconf</code>.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
<code>/usr/sbin/exigrep</code> of package <code>exim</code>.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
<code>/usr/sbin/eximconfig</code> of package <code>exim</code>.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
<code>/usr/sbin/eximstats</code> of package <code>exim</code>.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
<code>/usr/sbin/exim-upgrade-to-r3</code> of package <code>exim</code>.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
<code>/usr/sbin/exiqsumm</code> of package <code>exim</code>.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
<code>/usr/sbin/keytab-lilo</code> of package <code>lilo</code>.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
<code>/usr/sbin/liloconfig</code> of package <code>lilo</code>.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
<code>/usr/sbin/lilo_find_mbr</code> of package <code>lilo</code>.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
<code>/usr/sbin/syslogd-listfiles</code> of package <code>sysklogd</code>.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
<code>/usr/sbin/syslog-facility</code> of package <code>sysklogd</code>.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
<ul>
|
|
<li>
|
|
<p>
|
|
<code>/usr/sbin/update-inetd</code> of package <code>netbase</code>.
|
|
</p>
|
|
</li>
|
|
</ul>
|
|
|
|
<p>
|
|
So, without Perl and, unless you remake these utilities in shell script, you
|
|
will probably not be able to manage any packages (so you will not be able to
|
|
upgrade the system, which is <em>not a Good Thing</em>).
|
|
</p>
|
|
|
|
<p>
|
|
If you are determined to remove Perl from the Debian base system, and you have
|
|
spare time, submit bug reports to the previous packages including (as a patch)
|
|
replacements for the utilities above written in shell script.
|
|
</p>
|
|
|
|
<p>
|
|
If you wish to check out which Debian packages depend on Perl you can use
|
|
</p>
|
|
|
|
<pre>
|
|
$ grep-available -s Package,Priority -F Depends perl
|
|
</pre>
|
|
|
|
<p>
|
|
or
|
|
</p>
|
|
|
|
<pre>
|
|
$ apt-cache rdepends perl
|
|
</pre>
|
|
|
|
<hr>
|
|
|
|
<h2><a name="s3.8"></a>3.8 Read the Debian security mailing lists</h2>
|
|
|
|
<p>
|
|
It is never wrong to take a look at either the debian-security-announce mailing
|
|
list, where advisories and fixes to released packages are announced by the
|
|
Debian security team, or at <code><a
|
|
href="mailto:debian-security@lists.debian.org">mailto:debian-security@lists.debian.org</a></code>,
|
|
where you can participate in discussions about things related to Debian
|
|
security.
|
|
</p>
|
|
|
|
<p>
|
|
In order to receive important security update alerts, send an email to <code><a
|
|
href="mailto:debian-security-announce-request@lists.debian.org">debian-security-announce-request@lists.debian.org</a></code>
|
|
with the word "subscribe" in the subject line. You can also
|
|
subscribe to this moderated email list via the web page at <code><a
|
|
href="http://www.debian.org/MailingLists/subscribe">http://www.debian.org/MailingLists/subscribe</a></code>.
|
|
</p>
|
|
|
|
<p>
|
|
This mailing list has very low volume, and by subscribing to it you will be
|
|
immediately alerted of security updates for the Debian distribution. This
|
|
allows you to quickly download new packages with security bug fixes, which is
|
|
very important in maintaining a secure system (see <a
|
|
href="ch4.en.html#s-security-update">Execute a security update, Section 4.2</a>
|
|
for details on how to do this).
|
|
</p>
|
|
|
|
<hr>
|
|
|
|
<p>
|
|
[ <a href="ch2.en.html">previous</a> ]
|
|
[ <a href="index.en.html#contents">Contents</a> ]
|
|
[ <a href="ch1.en.html">1</a> ]
|
|
[ <a href="ch2.en.html">2</a> ]
|
|
[ 3 ]
|
|
[ <a href="ch4.en.html">4</a> ]
|
|
[ <a href="ch-sec-services.en.html">5</a> ]
|
|
[ <a href="ch-automatic-harden.en.html">6</a> ]
|
|
[ <a href="ch7.en.html">7</a> ]
|
|
[ <a href="ch-sec-tools.en.html">8</a> ]
|
|
[ <a href="ch9.en.html">9</a> ]
|
|
[ <a href="ch10.en.html">10</a> ]
|
|
[ <a href="ch-after-compromise.en.html">11</a> ]
|
|
[ <a href="ch12.en.html">12</a> ]
|
|
[ <a href="ap-harden-step.en.html">A</a> ]
|
|
[ <a href="ap-checklist.en.html">B</a> ]
|
|
[ <a href="ap-snort-box.en.html">C</a> ]
|
|
[ <a href="ap-bridge-fw.en.html">D</a> ]
|
|
[ <a href="ap-bind-chuser.en.html">E</a> ]
|
|
[ <a href="ap-fw-security-update.en.html">F</a> ]
|
|
[ <a href="ap-chroot-ssh-env.en.html">G</a> ]
|
|
[ <a href="ap-chroot-apache-env.en.html">H</a> ]
|
|
[ <a href="ch4.en.html">next</a> ]
|
|
</p>
|
|
|
|
<hr>
|
|
|
|
<p>
|
|
Securing Debian Manual
|
|
</p>
|
|
|
|
<address>
|
|
Version: 3.13, Sun, 08 Apr 2012 02:48:09 +0000<br>
|
|
<br>
|
|
Javier Fernández-Sanguino Peña <code><a href="mailto:jfs@debian.org">jfs@debian.org</a></code><br>
|
|
<a href="ch1.en.html#s-authors">Authors, Section 1.1</a><br>
|
|
<br>
|
|
</address>
|
|
<hr>
|
|
|
|
</body>
|
|
|
|
</html>
|
|
|