Securing Debian Manual
Footnotes

1

For example, in Debian woody it is around 40 MB. Try this:

     $ size=0
     $ for i in `grep -A 1 -B 1 "^Section: base" /var/lib/dpkg/available |
     grep -A 2 "^Priority: required" |grep "^Installed-Size" |cut -d : -f 2
     `; do size=$(($size+$i)); done
     $ echo $size
     34234

2

Many intrusions are made just to gain access to resources for illegitimate activity (denial of service attacks, spam, rogue FTP servers, DNS pollution...) rather than to obtain confidential data from the compromised system.

3

You can make (on another system) a dummy package with equivs.

4

Beware of the case here, since spawn will not work.

5

Unless you use the instdir option when calling dpkg, but then the chroot jail might be a little more complex.

6

You probably only need it if you use NFS (Network File System), NIS (Network Information System) or some other RPC-based service.

7

Unlike personal firewalls in other operating systems, Debian GNU/Linux does not (yet) provide firewall generation interfaces that can make rules limiting them per process or user. However, the iptables code can be configured to do this (see the owner module in the iptables(8) manpage).
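
The per-user rules that footnote 7 refers to can be generated with a small shell function. This is an added example, not part of the manual; the account name webfetch, the port list and the log prefix are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the manual. "webfetch" and the ports are constructed.
# The owner match only sees locally generated packets, so rules go in OUTPUT.

# owner_rules USER [PROTO/PORT...]
# Print iptables commands that let USER send traffic only to the listed
# destination ports, and log then reject anything else that user originates.
owner_rules() {
    user=$1
    shift
    # Conservative name check: the output is meant to be reviewed, then run as root.
    case $user in
        ''|*[!a-z0-9_-]*) echo "owner_rules: bad user '$user'" >&2; return 1 ;;
    esac
    # Validate every spec before printing anything, so a typo never yields
    # a half-built rule set.
    for spec in "$@"; do
        proto=${spec%%/*} port=${spec#*/}
        case $proto in
            tcp|udp) ;;
            *) echo "owner_rules: bad protocol in '$spec'" >&2; return 1 ;;
        esac
        case $port in
            ''|*[!0-9]*) echo "owner_rules: bad port in '$spec'" >&2; return 1 ;;
        esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
            { echo "owner_rules: port out of range in '$spec'" >&2; return 1; }
    done
    m="-m owner --uid-owner $user"
    # Loopback stays open so local services keep working for this user.
    echo "iptables -A OUTPUT -o lo $m -j ACCEPT"
    for spec in "$@"; do
        echo "iptables -A OUTPUT -p ${spec%%/*} --dport ${spec#*/} $m -j ACCEPT"
    done
    # Everything else from this user is logged, then refused.
    echo "iptables -A OUTPUT $m -j LOG --log-prefix 'owner-egress: '"
    echo "iptables -A OUTPUT $m -j REJECT"
}

# Sample run: HTTPS and DNS only for the constructed account "webfetch".
owner_rules webfetch tcp/443 udp/53
```

The function only prints the commands; review the output before running it as root.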

8

There are over 28 capabilities including: CAP_BSET, CAP_CHOWN, CAP_FOWNER, CAP_FSETID, CAP_FS_MASK, CAP_FULL_SET, CAP_INIT_EFF_SET, CAP_INIT_INH_SET, CAP_IPC_LOCK, CAP_IPC_OWNER, CAP_KILL, CAP_LEASE, CAP_LINUX_IMMUTABLE, CAP_MKNOD, CAP_NET_ADMIN, CAP_NET_BIND_SERVICE, CAP_NET_RAW, CAP_SETGID, CAP_SETPCAP, CAP_SETUID, CAP_SYS_ADMIN, CAP_SYS_BOOT, CAP_SYS_CHROOT, CAP_SYS_MODULE, CAP_SYS_NICE, CAP_SYS_PACCT, CAP_SYS_PTRACE, CAP_SYS_RAWIO, CAP_SYS_RESOURCE, CAP_SYS_TIME, and CAP_SYS_TTY_CONFIG. All of them can be activated or de-activated in order to harden your kernel.

9

You do not need to install lcap to do this, but it is easier than setting /proc/sys/kernel/cap-bound by hand.


2.5 (beta), 29 August 2002 (Sat, 17 Aug 2002 12:23:36 +0200)
Javier Fernández-Sanguino Peña jfs@computer.org