This document has yet to be updated based on the latest Debian releases. The default configuration of some packages needs to be adapted, as they have been modified since this document was written.
Write about remote monitoring tools (to check for system availability) such as monit, daemontools and mon. See Sysadmin Guide.
Consider writing a section on how to build Debian-based network appliances (with information such as the base system, equivs and FAI).
Check if this site has relevant info not yet covered here.
Add information on how to set up a laptop with Debian, look here.
Add information on how to build a firewall using Debian GNU/Linux. The chapter on firewalls is currently aimed at a single system (it does not protect other machines...)
Add information on setting up a proxy firewall with Debian GNU/Linux stating specifically which packages provide proxy services (like xfwp, ftp-proxy, redir, smtpd, dnrd, jftpgw, oops, pdnsd, perdition, transproxy, tsocks). Should point to the manual for any other info. Note that zorp is now available as a Debian package and is a proxy firewall (they also provide Debian packages upstream).
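Information on configuring services with file-rc.
Check all the referenced URLs and remove or fix those that are no longer valid.
Add information on available replacements (in Debian) for common servers which are useful for limited functionality. Examples:
local lpr with cups (package)?
remote lrp with lpr
bind with dnrd/maradns
apache with dhttpd/thttpd/wn (tux?)
exim/sendmail with ssmtpd/smtpd/postfix
squid with tinyproxy
ftpd with oftpd/vsftp
...
More information on security-related kernel patches in Debian, introducing them and describing specifically how to enable those patches in a Debian system.
Details of turning off unnecessary network services (besides inetd). This is part of the hardening procedure but could be broadened a bit.
Information regarding password rotation, which is closely related to policy.
Policy, and educating users about policy.
More about tcpwrappers, and wrappers in general?
hosts.equiv and other security holes.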
Issues with file sharing servers such as Samba and NFS?
suidmanager/dpkg-statoverrides.
lpr and lprng.
Switching off the IP-related features of gnome.
Talk about programs to make chroot jails. compartment and chrootuid are waiting in incoming. Some others (makejail, jailer) could also be introduced.
More information regarding log analysis software (i.e. logcheck and logcolorise).
'advanced' routing (traffic policing is security related).
limiting ssh access to running certain commands.
using dpkg-statoverride.
secure ways to share a CD burner among users.
secure ways of providing networked sound in addition to network display capabilities (so that X clients' sounds are played on the X server's sound hardware).
securing web browsers.
setting up ftp over ssh.
using crypto loopback file systems.
encrypting the entire file system.
steganographic tools.
setting up a PKA for an organization.
using LDAP to manage users. There is a HOWTO of ldap+kerberos for Debian at http://www.bayour.com written by Turbo Fredriksson.
How to remove information of reduced utility in production systems such as /usr/share/doc, /usr/share/man (yes, security by obscurity).
Add information on running multiple snort sensors in a given system (check bug reports sent to snort).
Add information on setting up a honeypot (honeyd).
Describe the situation with respect to FreeSwan (orphaned) and OpenSwan. The VPN section needs to be rewritten.
Add a specific section about databases, current installation defaults and how to secure access.
Add a section about the usefulness of virtual servers (Xen et al).
Explain how to use some integrity checkers (AIDE, integrit or samhain). The basics are simple and could even explain some configuration improvements.