Package: harden-doc
Version: 3.19
Severity: important


Hi,

I've looked at the content of the
Securing Debian Manual 3.19
and was really wondering that several parts are old and outdated.

The overall quality of the information in this manual is very bad.
There have been many changes (like systemd) in Debian, which are not covered.
The changelog/history of this manual shows that after 2013 no major
changes were done. There are so many broken links, I could not list all.

- more than 80 FIXME comments
- systemd and journalctl are not covered
- unattended-upgrades which is very important is not mentioned at all,
  only cron-apt

I recommend a major review/rewrite.
I'm not sure if it's worth recommending this manual to our users these
days. Sorry for being so critical.

best regards Thomas (DD, member of the web team)



Here are my additional notes:

broken Links:
http://www.giac.org/practical/gsec/Chris_Koutras_GSEC.pdf
http://www.giac.org/practical/gcux/Stephanie_Thomas_GCUX.pdf
http://www.rootprompt.org
https://www.belgers.com/write/pwseceng.txt
http://xforce.iss.net/static/6449.php
http://security-tracker.debian.net multiple times
ftp://ftp.ox.ac.uk/pub/wordlists
ftp://ftp.cerias.purdue.edu/pub/dict
www.spitzner.net/swatch.html
http://www.securityfocus.com/bid
https://cve.mitre.org/compatible/phase2/SPI_Debian.html
http://www.syntaxpolice.org/apt-secure/
https://ftp-master.debian.org/ziyi_key_2006.asc
http://debiansystem.info/readers/changes/547-ziyi-key-2006
https://people.debian.org/~ajt/apt-check-sigs
http://www.computer-networking.de/~link/security/av-linux_e.txt
http://www.ravantivirus.com redirects to new domain
https://people.debian.org/~zugschlus/clamav-data/
http://enigmail.mozdev.org/
http://www.dewinter.com/gnupg_howto/english/GPGMiniHowto.html
https://www.uk.pgp.net/pgpnet/pgp-faq/ issues with certificate
https://www.cryptnet.net/fdp/crypto/gpg-party.html
https://www.debian.org/security/audit/tools
http://vulncat.fortifysoftware.com/ empty page
http://lintian.debian.org/reports/Tsetgid-binary.html
https://buildsecurityin.us-cert.gov/portal/
http://project.honeynet.org/
http://www.net-security.org/text/articles/spitzner/honeypot.shtml
http://marc.theaimsgroup.com/?l=incidents empty page
http://forensics.alioth.debian.org/
http://staff.washington.edu/dittrich/
http://niap.nist.gov/cc-scheme/st/



3.2.2. Selecting the appropriate file systems
Examples are using ext3, talks about kernel 2.4, 2.6 and reiserfs.

Old info, with a link from 2001:
"In any case, data integrity might be better under ext3 since it does file-data 
journalling while others do only meta-data journalling, see 
http://lwn.net/2001/0802/a/ext3-modes.php3. "

3.5.1. Disabling daemon services
Only old style /etc/init.d is covered.

4.X
Device name /dev/hda is used

4.4. Set a LILO or GRUB password
Lilo does not exist any more.

4.6. Remove root prompt on the kernel
AFAIK mkinitrd is outdated.
The kernel image name is not kernel-image-2.4.x-yz any more.


4.11.21. Checking user passwords
Today passwords are cracked using GPUs and rainbow tables. hashcat
is the state of the art for GPU password checking.

4.13. The importance of logs and alerts
Use journalctl instead of dmesg. No more rsyslog

4.19. Taking a snapshot of the system
Shows an example using floppy

4.20.1. Do not use software depending on svgalib
svgalib has not existed since 2013.


5.3
Link to http://www.castaglia.org/proftpd/#Patches is outdated (from 2001)

5.4. Securing access to the X Window System
Talks about Xfree (3.3.6 and 4.1.0), no Xorg mentioned.


5.5. Securing printing access
It only mentions lpr and lprng, which are mostly unused these days.
There it links to https://pdq.sourceforge.net/ a web page from 2006.
Two FIXME footnotes which mention things that are not in Debian.

6.1. Harden
Maybe the package is now hardening-runtime

6.2. Bastille Linux
Bastille Linux was last active 5 years ago. IMO that's very bad
for security software.
The Debian package bastille was removed in 2013.

7.5
https://www.cryptnet.net/fdp/crypto/strong_distro.html is very
outdated


7.5.2. Secure apt
Since secure apt is now default such sentences can be removed:
"These changes are based on the patch for apt (available in 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=203741) which provides this 
implementation. "

"In January 2006, a new key for 2006 was made and the Release file
..."

8.2. Network scanner tools
fragrouter does not exist
xprobe was removed in 2022
isic was removed in 2008


8.8. Antivirus tools
package amavis-ng does not exist, new name?
amavis-postfix does not exist any more
