I am usually radio silent on this list but this project is interesting to me because I have 11 years of experience doing forensics in a purely Debian environment. I am not a full stack developer, I can script in bash and python but this is not enough to contribute to code. Contributing to this manual is in my set of skills and I would like to help with this project.
Thank you, Michael Lazin .. τὸ γὰρ αὐτὸ νοεῖν ἐστίν τε καὶ εἶναι. On Mon, Jun 9, 2025 at 12:21 PM Noah Meyerhans <[email protected]> wrote: > Hi all. The Securing Debian Manual (the harden-doc package) is > woefully out of date and doesn't provide accurate guidance for > operating modern software in the current threat landscape. I'd like > to begin the task of updating it to reflect current best practice and > to document current tools and technologies. > > Most basically, I wonder if folks think this is a worthy idea. The > landscape has changed significantly since harden-doc was first > written. Default configurations don't require as much hardening, and > there are lots more available resources. Maybe harden-doc has > stagnated because there's no real need for it? > > Assuming we do revive the doc, here are some ideas of what I'd like to > do with the document. I'd like to also get feedback, ideas, and > contributions from others interested in the topic. > > 1. More background information on principles such as: > a. Threat modeling > b. Defense in depth > c. Least privilege > 2. Modern server deployment practices, such as: > a. Sandboxing (with systemd, containers, etc) > b. Image-based deployments, including cloud > c. Update deployment strategies for large fleets > 3. Data privacy: > a. VPNs, wireguard, etc > b. Disk encryption > 4. Workstation best practices, including: > a. Ssh key generation and handling > b. Basic browser hygine > c. Password managers and other password hygine > > My inclination is to primarily focus on general principles rather than > try to document specific settings in specific packages, as in the > current document's Chapter 5 ("Securing services running on your > system"). It'll make sense to document some approaches to safe usage of > the most common software (firefox, openssh, etc), but I don't believe > that it's feasible to provide useful advice for a meaningful subset of > Debian packages. > > Should we maybe consider maintaining this document on wiki.debian.org, > rather than being a centrally maintained document? The wiki may scale > better to multiple contributors, leading to better content and more > active maintenance. > > If you've got ideas for other topics, I'd love to hear them. > > noah > >
