1.5. Things that need to be written (FIXME/TODO)

This section describes all the things that need to be fixed in this manual. Some paragraphs include FIXME or TODO tags describing what content is missing (or what kind of work needs to be done). The purpose of this section is to describe all the things that could be included in the future in the manual, or enhancements that need to be done (or would be interesting to add).

If you feel you can help by contributing content that fixes any element of this list (or the inline annotations), contact the main author (Section 1.1, “Authors”).

  • This document has yet to be updated based on the latest Debian releases. The default configuration of some packages needs to be adapted, as it has been modified since this document was written.

  • Expand the incident response information, maybe add some ideas derived from Red Hat’s Security Guide’s chapter on incident response.

  • Write about remote monitoring tools (to check for system availability) such as monit, daemontools and mon. See Sysadmin Guide.

  • Consider adding a section on how to build Debian-based network applications (with information such as the base system, equivs and FAI).

  • Check if this site has relevant info not yet covered here.

  • Add information on how to set up a laptop with Debian, look here.

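  • Add information on setting up a firewall using Debian GNU/Linux. This section assumes that a single system is being protected (not protecting others…) and should also discuss how to test the setup.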

  • Add information on setting up a proxy firewall with Debian GNU/Linux stating specifically which packages provide proxy services (like xfwp, ftp-proxy, redir, smtpd, dnrd, jftpgw, oops, pdnsd, perdition, transproxy, tsocks). Should point to the manual for any other info. Note that zorp is now available as a Debian package and is a proxy firewall (they also provide Debian packages upstream).

  • Information on service configuration with file-rc.

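  • Check all the reference URLs and remove/fix those that are no longer available.

  • Add information on replacements (in Debian) for common servers that provide limited functionality. For example:

    • local printing with cups (package)?

    • remote printing with lpr

    • dnrd/maradns instead of bind

    • dhttpd/thttpd/wn (tux?) instead of apache

    • ssmtpd/smtpd/postfix instead of exim/sendmail

    • tinyproxy instead of squid

    • oftpd/vsftp instead of ftpd

  • More information regarding kernel security patches in Debian, including the ones mentioned above and specific information on how to apply these patches to a Debian system.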

    • Linux Intrusion Detection (kernel-patch-2.4-lids)

    • Linux Trustees (in the trustees package)

    • NSA Enhanced Linux

    • linux-patch-openswan

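  • Details on turning off unnecessary network services (including inetd). This is part of the hardening procedure but could be broadened a bit.

  • Information regarding password rotation, which is closely related to policy.

  • Policy, and educating users about policy.

  • More about tcpwrappers, and wrappers in general?

  • hosts.equiv and other major security holes.

  • Issues with file sharing services such as Samba and NFS?

  • suidmanager/dpkg-statoverrides.

  • lpr and lprng.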

  • Switching off the GNOME IP things.

  • Talk about pam_chroot (see http://lists.debian.org/debian-security/2002/debian-security-200205/msg00011.html) and its usefulness to limit users. Introduce information related to http://online.securityfocus.com/infocus/1575. pdmenu, for example, is available in Debian (whereas flash is not).

  • Talk about chrooting services, some more info on this Linux Focus article.

  • Talk about programs to make chroot jails. compartment and chrootuid are waiting in incoming. Some others (makejail, jailer) could also be introduced.

  • More information regarding log analysis software (i.e. logcheck and logcolorise).

  • ‘advanced’ routing (traffic policing is security related).

  • Limiting ssh access to running certain commands.

  • Using dpkg-statoverride.

  • Secure ways to share a CD burner among users.

  • secure ways of providing networked sound in addition to network display capabilities (so that X clients’ sounds are played on the X server’s sound hardware).

  • Secure web browsers.

  • Setting up ftp over ssh.

  • Using encrypted loopback file systems.

  • Encrypting the entire file system.

  • Steganographic tools.

  • Setting up a PKA for an organization.

  • using LDAP to manage users. There is a HOWTO of ldap+kerberos for Debian at http://www.bayour.com written by Turbo Fredrikson.

  • How to remove information of reduced utility in production systems such as /usr/share/doc, /usr/share/man (yes, security by obscurity).

  • More information on lcap based on the package's README file (well, not there yet, see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=169465) and from the article from LWN: http://lwn.net/1999/1202/kernel.php3.

  • Add Colin’s article on how to set up a chroot environment for a full sid system (http://people.debian.org/~walters/chroot.html).

  • Add information on running multiple snort sensors in a given system (check bug reports sent to snort).

  • Add information on setting up a honeypot (honeyd).

  • Describe the situation with respect to FreeSwan (orphaned) and OpenSwan. The VPN section needs to be rewritten.

  • Add a specific section about databases, current installation defaults and how to secure access.

  • Add a section about the usefulness of virtual servers (Xen et al).

  • Explain how to use some integrity checkers (AIDE, integrit or samhain). The basics are simple and could even explain some configuration improvements.