I certainly think having an up-to-date "Securing Debian" document is a worthy
endeavor, especially for server management. I've been using Debian to host my 
family home server for years now and have learned a lot in that time, so I 
actually started my own take on a re-write a while back that I was considering 
proposing, but found it was a much bigger task than I was prepared to undertake 
alone. Between my inexperience in producing quality documentation (I tend to
get quite wordy) and my lack of expert knowledge in all the various topics that
might need to be covered, I kinda gave up on it. I'll keep it as my own sort of
reference point, but I'm not sure it's something I would want to distribute to 
the wider community.

If you, or anybody else for that matter, would like to look at what I got 
written before I quit on it, I've shared it from my personal Nextcloud here:

Link: https://cloud.marcusandash.net/index.php/s/aY9Tw2gHDagwsbo

--

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Marcus Dean Adams

Signal: [gerowen.81](https://signal.me/#eu/w6xoMZp6YTJUDK5TYOmeV50wPtl6TgXD2F4hTedAL9IO_0CUeX9FpqpbENRsH9JQ)

Mastodon: https://mastodon.social/@gerowen

Website: https://marcusadams.me

"Civilization is the limitless multiplication
of unnecessary necessities."
-- Mark Twain

On Mon, 2025-06-09 at 12:20 -0400, Noah Meyerhans - noahm at debian.org wrote:

> Hi all. The Securing Debian Manual (the harden-doc package) is
> woefully out of date and doesn't provide accurate guidance for
> operating modern software in the current threat landscape. I'd like
> to begin the task of updating it to reflect current best practice and
> to document current tools and technologies.
>
> Most basically, I wonder if folks think this is a worthy idea. The
> landscape has changed significantly since harden-doc was first
> written. Default configurations don't require as much hardening, and
> there are lots more available resources. Maybe harden-doc has
> stagnated because there's no real need for it?
>
> Assuming we do revive the doc, here are some ideas of what I'd like to
> do with the document. I'd like to also get feedback, ideas, and
> contributions from others interested in the topic.
>
> 1. More background information on principles such as:
>    a. Threat modeling
>    b. Defense in depth
>    c. Least privilege
> 2. Modern server deployment practices, such as:
>    a. Sandboxing (with systemd, containers, etc)
>    b. Image-based deployments, including cloud
>    c. Update deployment strategies for large fleets
> 3. Data privacy:
>    a. VPNs, wireguard, etc
>    b. Disk encryption
> 4. Workstation best practices, including:
>    a. Ssh key generation and handling
>    b. Basic browser hygiene
>    c. Password managers and other password hygiene
>
> My inclination is to primarily focus on general principles rather than
> try to document specific settings in specific packages, as in the
> current document's Chapter 5 ("Securing services running on your
> system"). It'll make sense to document some approaches to safe usage of
> the most common software (firefox, openssh, etc), but I don't believe
> that it's feasible to provide useful advice for a meaningful subset of
> Debian packages.
>
> Should we maybe consider maintaining this document on wiki.debian.org,
> rather than being a centrally maintained document? The wiki may scale
> better to multiple contributors, leading to better content and more
> active maintenance.
>
> If you've got ideas for other topics, I'd love to hear them.
>
> noah
