1.5. Things that need to be written (FIXME/TODO)

This section describes all the things that need to be fixed in this manual. Some paragraphs include FIXME or TODO tags describing what content is missing (or what kind of work needs to be done). The purpose of this section is to describe all the things that could be included in the future in the manual, or enhancements that need to be done (or would be interesting to add).

If you feel you can provide help in contributing content fixing any element of this list (or the inline annotations), contact the main author (Section 1.1, “Authors”).

This document has yet to be updated based on the latest Debian releases. The default configuration of some packages need to be adapted as they have been modified since this document was written.
Expand the incident response information, maybe add some ideas derived from Red Hat's Security Guide's chapter on incident response.
Write about remote monitoring tools (to check for system availability) such as monit, daemontools and mon. See Sysamin Guide.
Consider writing a section on how to build Debian-based network appliances (with information such as the base system, equivs and FAI).
Check if this site has relevant info not yet covered here.
Add information on how to set up a laptop with Debian, look here.
Add information on how to set up a firewall using Debian GNU/Linux. The section regarding firewalling is oriented currently towards a single system (not protecting others...) also talk on how to test the setup.
Add information on setting up a proxy firewall with Debian GNU/Linux stating specifically which packages provide proxy services (like xfwp, ftp-proxy, redir, smtpd, dnrd, jftpgw, oops, pdnsd, perdition, transproxy, tsocks). Should point to the manual for any other info. Note that zorp is now available as a Debian package and is a proxy firewall (they also provide Debian packages upstream).
Information on service configuration with file-rc.
Check all the reference URLs and remove/fix those no longer available.
Add information on available replacements (in Debian) for common servers which are useful for limited functionality. Examples:
- local lpr with cups (package)?
- remote lrp with lpr
- bind with dnrd/maradns
- apache with dhttpd/thttpd/wn (tux?)
- exim/sendmail with ssmtpd/smtpd/postfix
- squid with tinyproxy
- ftpd with oftpd/vsftp
- ...
More information regarding security-related kernel patches in Debian, including the ones shown above and specific information on how to enable these patches in a Debian system.
- Linux Intrusion Detection (kernel-patch-2.4-lids)
- Linux Trustees (in package trustees)
- NSA Enhanced Linux
- linux-patch-openswan
- ...
Details of turning off unnecessary network services (besides inetd), it is partly in the hardening procedure but could be broadened a bit.
Information regarding password rotation which is closely related to policy.
Policy, and educating users about policy.
More about tcpwrappers, and wrappers in general?
hosts.equiv and other major security holes.
Issues with file sharing servers such as Samba and NFS?
suidmanager/dpkg-statoverrides.
lpr and lprng.
Switching off the GNOME IP things.
Talk about pam_chroot (see http://lists.debian.org/debian-security/2002/05/msg00011.html) and its usefulness to limit users. Introduce information related to
→ https://web.archive.org/web/20031204060940/http://www.securityfocus.com/infocus/1575
. pdmenu, for example is available in Debian (whereas flash is not).
Talk about chrooting services, some more info on this Linux Focus article.
Talk about programs to make chroot jails. compartment and chrootuid are waiting in incoming. Some others (makejail, jailer) could also be introduced.
More information regarding log analysis software (i.e. logcheck and logcolorise).
'advanced' routing (traffic policing is security related).
limiting ssh access to running certain commands.
using dpkg-statoverride.
secure ways to share a CD burner among users.
secure ways of providing networked sound in addition to network display capabilities (so that X clients' sounds are played on the X server's sound hardware).
securing web browsers.
setting up ftp over ssh.
using crypto loopback file systems.
encrypting the entire file system.
steganographic tools.
setting up a PKA for an organization.
using LDAP to manage users. There is a HOWTO of ldap+kerberos for Debian at http://www.bayour.com written by Turbo Fredrikson.
How to remove information of reduced utility in production systems such as /usr/share/doc, /usr/share/man (yes, security by obscurity).
More information on lcap based on the packages README file (well, not there yet, see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=169465) and from the article from LWN: http://lwn.net/1999/1202/kernel.php3.
Add Colin's article on how to setup a chroot environment for a full sid system (https://web.archive.org/web/20030204012846/https://people.debian.org/~walters/chroot.html).
Add information on running multiple snort sensors in a given system (check bug reports sent to snort).
Add information on setting up a honeypot (honeyd).
Describe situation wrt to FreeSwan (orphaned) and OpenSwan. VPN section needs to be rewritten.
Add a specific section about databases, current installation defaults and how to secure access.
Add a section about the usefulness of virtual servers (Xen et al).
Explain how to use some integrity checkers (AIDE, integrit or samhain). The basics are simple and could even explain some configuration improvements.