Securing Debian Manual
Chapter 2 - Before you begin

2.1 What do you want this system for?

Securing Debian is not very different from securing any other system; in order to do it properly, you must first decide what you intend to do with it. After this, you will have to consider that the following tasks need to be taken care of if you want a really secure system.

You will find that this manual is written from the bottom up, that is, you will read some information on tasks to do before, during and after you install your Debian system. The tasks can also be thought of as:

• Decide which services you need and limit your system to those. This includes deactivating/uninstalling unneeded services, and adding firewall-like filters, or tcpwrappers.

• Limit users and permissions in your system.

• Harden offered services so that, in the event of a service compromise, the impact to your system is minimized.

• Use appropriate tools to guarantee that unauthorized use is detected so that you can take appropriate measures.

2.2 Be aware of general security problems

The following manual does not (usually) go into the details on why some issues are considered security risks. However, you might want to have a better background regarding general UNIX and (specific) Linux security. Take some time to read over security related documents in order to make informed decisions when you are encountered with different choices. Debian GNU/Linux is based on the Linux kernel, so much of the information regarding Linux, as well as from other distributions and general UNIX security also apply to it (even if the tools used, or the programs available, differ).

Some useful documents include:

• The Linux Security HOWTO (also available at LinuxSecurity) is one of the best references regarding general Linux Security.

• The Security Quick-Start HOWTO for Linux is also a very good starting point for novice users (both to Linux and security).

• The Linux Security Administrator's Guide (provided in Debian through the lasg package) is a complete guide that touches all the issues related to security in Linux, from kernel security to VPNs. It is somewhat obsolete (not updated since 1999) and has been superseded by the Linux Security Knowledge Base. This documentation is also provided in Debian through the lskb package.

• Kurt Seifried's Securing Linux Step by Step.

• In Securing and Optimizing Linux: RedHat Edition you can find a similar document to this manual but related to RedHat, some of the issues are not distribution-specific and also apply to Debian.

• IntersectAlliance has published some documents that can be used as reference cards on how to harden linux servers (and their services), the documents are available at their site.

• For network administrators, a good reference for building a secure network is the Securing your Domain HOWTO.

• If you want to evaluate the programs you are going to use (or want to build up some new ones) you should read the Secure Programs HOWTO.

• If you are considering installing Firewall capabilities, you should read the Firewall HOWTO and the IPCHAINS HOWTO (for kernels previous to 2.4).

• Finally, a good card to keep handy is the Linux Security ReferenceCard

In any case, there is more information regarding the services explained here (NFS, NIS, SMB...) in many of the HOWTOs of the Linuxdoc Project. Some of these documents speak on the security side of a given service, so be sure to take a look there too.

The HOWTO documents from the Linux Documentation Project are available in Debian GNU/Linux through the installation of the doc-linux-text (text version) or doc-linux-html (html version). After installation these documents will be available at the /usr/share/doc/HOWTO/en-txt and /usr/share/doc/HOWTO/en-html directories, respectively.

Other recommended Linux books:

• Maximum Linux Security : A Hacker's Guide to Protecting Your Linux Server and Network. Anonymous. Paperback - 829 pages. Sams Publishing. ISBN: 0672313413. July 1999.

• Linux Security By John S. Flowers. New Riders; ISBN: 0735700354. March 1999

• Hacking Linux Exposed By Brian Hatch. McGraw-Hill Higher Education. ISBN 0072127732. April, 2001

Other books (which might be related to general issues regarding UNIX and security and not Linux specific):

• Practical Unix and Internet Security (2nd Edition) Garfinkel, Simpson, and Spafford, Gene; O'Reilly Associates; ISBN 0-56592-148-8; 1004pp; 1996.

• Firewalls and Internet Security Cheswick, William R. and Bellovin, Steven M.; Addison-Wesley; 1994; ISBN 0-201-63357-4; 320pp.

Some useful Web sites to keep up to date regarding security:

• NIST Security Guidelines.

• Security Focus the server that hosts the Bugtraq vulnerability database and list, and provides general security information, news and reports.

• Linux Security. General information regarding Linux security (tools, news...). Most useful is the main documentation page.

• Linux firewall and security site. General information regarding Linux firewalls and tools to control and administrate them.

2.3 How does Debian handle security?

Just so you have a general overview of security in Debian GNU/Linux you should take note of the different issues that Debian tackles in order to provide an overall secure system:

• Debian problems are always handled openly, even security related. Security issues are discussed openly on the debian-security mailing list. Debian Security Advisories are sent to public mailing lists (both internal and external) and are published on the public server. As the Debian Social Contract states:

  We Won't Hide Problems

  We will keep our entire bug-report database open for public view at all times. Reports that users file on-line will immediately become visible to others.

• Debian follows security issues closely. The security team checks many security related sources, the most important being Bugtraq, on the lookout for packages with security issues that might be included in Debian.

• Security updates are the first priority. When a security problem arises in a Debian package, the security update is prepared as fast as possible and distributed for our stable and unstable releases, including all architectures.

• Information regarding security is centralized in a single point, http://security.debian.org/.

• Debian is always trying to improve the overall security of the distribution for starting new projects, like automatic package signature verification mechanisms.

• Debian provides a number of useful security related tools for system administration and monitoring. Developers try to tightly integrate these tools with the distribution in order to make them a better suite to enforce local security policies. Tools include: integrity checkers, auditing tools, hardening tools, firewall tools, intrusion detection tools, etc.

• Package maintainers are aware of security issues. This leads to many "secure by default" service installations which might put some limits, sometimes, on its normal use. However, Debian does try to balance security issues and ease of administration, systems are not installed de-activated, for example, like the BSD family distributions. In any case, some special security issues, like setuid programs, are part of the Debian Policy.

This document as well, tries to enforce a better distribution security-wise, by publishing security information specific to Debian which complements other information-security documents related to the tools used by Debian or the operating system itself (see Be aware of general security problems, Section 2.2.

Securing Debian Manual