<!-- CVS revision of this document "$Revision: 1.9 $" -->

<chapt>Before you begin 


<sect>What do you want this system for?

<p>Securing Debian is not very different from securing any other
system; in order to do it properly, you must first decide what you
intend to do with it. After this, you will have to consider that the
following tasks need to be taken care of if you want a really secure
system. 

<p>You will find that this manual is written from the bottom
up, that is, you will read some information on tasks to do before,
during and after you install your Debian system. The
tasks can also be thought of as:

<list>

<item>Decide which services you need and limit your system to those.
This includes deactivating/uninstalling unneeded services, and adding
firewall-like filters, or tcpwrappers.

<item>Limit users and permissions in your system. 

<item>Harden offered services so that, in
the event of a service compromise, the impact to your system is
minimized.

<item>Use appropriate tools to guarantee that unauthorized
use is detected so that you can take appropriate measures.

</list>

<sect id="references">Be aware of general security problems

<p>The following manual does not (usually) go into the details on why
some issues are considered security risks. However, you might want to
have a better background regarding general UNIX and (specific) Linux
security. Take some time to read over security related documents in
order to make informed decisions when you are encountered with
different choices. Debian GNU/Linux is based on the Linux kernel, so
much of the information regarding Linux, as well as from other
distributions and general UNIX security also apply to it (even if the
tools used, or the programs available, differ).

<p>Some useful documents include:

<list>

<item>The <url name="Linux Security HOWTO"
id="http://www.tldp.org/HOWTO/Security-HOWTO/">
(also available at <url id="http://www.linuxsecurity.com/docs/LDP/Security-HOWTO.html" name="LinuxSecurity">) is one of the
best references regarding general Linux security.

<item>The <url name="Security Quick-Start HOWTO for Linux" 
id="http://www.tldp.org/HOWTO/Security-Quickstart-HOWTO/">
is also a very good starting point for novice users (both to Linux
and security).

<item>The <url id="http://seifried.org/lasg/" name="Linux Security
Administrator's Guide"> is a complete guide that touches
all the issues related to security in Linux, from kernel security to
VPNs. Note that it has not been updated since 2001, but some information
is still relevant.
<footnote>
At a given time it was superseded by the 
"Linux Security Knowledge Base".
This documentation is also provided in
Debian through the <package>lskb</package> package. Now it's back
as the <em>Lasg</em> again.
</footnote>

<item> Kurt Seifried's <url
id="http://seifried.org/security/os/linux/20020324-securing-linux-step-by-step.html"
name="Securing Linux Step by Step">.

<item>In <url name="Securing and Optimizing Linux: RedHat Edition"
id="http://www.tldp.org/links/p_books.html#securing_linux"> you
can find a similar document to this manual but related to Red Hat, some
of the issues are not distribution-specific and also apply to Debian.

<item>Another Red Hat related document is <url name="EAL3 Evaluated Configuration 
Guide for Red Hat Enterprise" 
id="http://ltp.sourceforge.net/docs/RHEL-EAL3-Configuration-Guide.pdf">.

<item>IntersectAlliance has published some documents that can be used
as reference cards on how to harden Linux servers (and their
services), the documents are available at <url
id="http://www.intersectalliance.com/projects/index.html" name="their
site">.

<item>For network administrators, a good reference for building a
 secure network is the <url name="Securing your Domain HOWTO"
 id="http://www.linuxsecurity.com/docs/LDP/Securing-Domain-HOWTO/">.

<item>If you want to evaluate the programs you are 
going to use (or want to build up some new ones) you 
should read the <url name="Secure Programs HOWTO"
id="http://www.tldp.org/HOWTO/Secure-Programs-HOWTO/"> (master copy
is available at 
<url id="http://www.dwheeler.com/secure-programs/">, it includes slides
and talks from the author, David Wheeler)

<item>If you are considering installing firewall capabilities, you
should read the <url name="Firewall HOWTO"
id="http://www.tldp.org/HOWTO/Firewall-HOWTO.html"> and the <url
name="IPCHAINS HOWTO"
id="http://www.tldp.org/HOWTO/IPCHAINS-HOWTO.html"> (for kernels
previous to 2.4).

<item>Finally, a good card to keep handy is the
<url name="Linux Security ReferenceCard"
 id="http://www.linuxsecurity.com/docs/QuickRefCard.pdf">.

</list>

<p>In any case, there is more information regarding the services
explained here (NFS, NIS, SMB...) in many of the HOWTOs of the <url
name="The Linux Documentation Project" id="http://www.tldp.org/">. Some of 
these documents speak on the security side of a given service, so be sure to
take a look there too.

<p>The HOWTO documents from the Linux Documentation Project are
available in Debian GNU/Linux through the installation of the
<package>doc-linux-text</package> (text version) or
<package>doc-linux-html</package> (HTML version). After installation
these documents will be available at the
<file>/usr/share/doc/HOWTO/en-txt</file> and
<file>/usr/share/doc/HOWTO/en-html</file> directories, respectively.

<p>Other recommended Linux books:

<list>

<item>Maximum Linux Security : A Hacker's Guide to Protecting Your Linux
Server and Network. Anonymous. Paperback - 829 pages. Sams Publishing.
ISBN: 0672313413. July 1999.

<item>Linux Security By John S. Flowers. New Riders; ISBN: 0735700354.
March 1999.

<item><url id="http://www.linux.org/books/ISBN_0072127732.html" 
name="Hacking Linux Exposed"> By Brian Hatch. McGraw-Hill Higher Education.
ISBN 0072127732. April, 2001

</list>

<p>Other books (which might be related to general issues
regarding UNIX and security and not Linux specific):

<list>

<item><url id="http://www.ora.com/catalog/puis/noframes.html"
name="Practical Unix and Internet Security (2nd Edition)">
Garfinkel, Simpson, and Spafford, Gene; O'Reilly Associates;
ISBN 0-56592-148-8; 1004pp; 1996.

<item>Firewalls and Internet Security Cheswick, William R. and Bellovin,
Steven M.; Addison-Wesley; 1994; ISBN 0-201-63357-4; 320pp.

</list>

<p>Some useful web sites to keep up to date regarding security:

<list>

<item><url name="NIST Security Guidelines"
id="http://csrc.nist.gov/fasp/index.html">.

<item><url name="Security Focus" id="http://www.securityfocus.com">
	the server that hosts the Bugtraq vulnerability database and
	list, and provides general security information, news and
	reports.

<item> <url name="Linux Security"
	id="http://www.linuxsecurity.com/">. General information
	regarding Linux security (tools, news...). Most useful is the
	<url name="main documentation"
	id="http://www.linuxsecurity.com/resources/documentation-1.html">
	page.

<item> <url name="Linux firewall and security site" id="
	http://www.linux-firewall-tools.com/linux/">. General
	information regarding Linux firewalls and tools to control and
	administrate them.

</list>

<sect>How does Debian handle security?
<p>Just so you have a general overview of security in Debian GNU/Linux
you should take note of the different issues that Debian tackles in
order to provide an overall secure system:

<list>

<item>Debian problems are always handled openly, even security
related. Security issues are discussed openly on the debian-security
mailing list. Debian Security Advisories (DSAs) are sent to public mailing
lists (both internal and external) and are published on the public
server. As the <url name="Debian Social Contract"
id="http://www.debian.org/social_contract"> states:

<p><em>
We will not hide problems
</em></p><p><em>
We will keep our entire bug report database open for public view
at all times. Reports that people file online will promptly become
visible to others.
</em></p>

<item>Debian follows security issues closely. The security team 
checks many security related sources, the most important being
<url name="Bugtraq" id="http://www.securityfocus.com/cgi-bin/vulns.pl">,
on the lookout for packages with security issues that might be
included in Debian.

<item>Security updates are the first priority. When a security problem
arises in a Debian package, the security update is prepared as fast
as possible and distributed for our stable, testing and unstable releases,
including all architectures.

<item>Information regarding security is centralized in a single point,
<url id="http://security.debian.org/">.

<item>Debian is always trying to improve the overall security of the
distribution by starting new projects, such as automatic package signature 
verification mechanisms.

<item>Debian provides a number of useful security related tools
for system administration and monitoring. Developers try to tightly
integrate these tools with the distribution in order to make them a better
suite to enforce local security policies. Tools include: integrity checkers, 
auditing tools, hardening tools, firewall tools, intrusion detection tools,
etc.

<item>Package maintainers are aware of security issues. This leads
to many "secure by default" service installations which could
impose certain restrictions on their normal use. Debian does, however, try to
balance security and ease of administration - the programs are not de-activated
when you install them (as it is the case with say, the BSD family of
operating systems). In any case, prominent security issues (such as
<tt>setuid</tt> programs) are part of the
<url id="http://www.debian.org/doc/debian-policy/" name="Debian Policy">.

</list>

<p>By publishing security information specific to Debian and complementing
other information-security documents related to Debian (see
<ref id="references">), this document aims to produce better system
installations security-wise.