I think it would be good to have a package for improving system security. It could depend on packages like spectre-meltdown-checker and also contain scripts that look for ways of improving system security. For example, recommend SE Linux or AppArmor (if you don't have one installed), recommend lockdown=confidentiality if using kernel 5.4 or greater, and do other similar checks and warnings. For each issue there would ideally be a URL provided (maybe to the Debian Wiki, maybe to somewhere else) that describes the issue. I'm not saying that everyone should use all these features, just that everyone who cares about security should know what the options are and have made an informed choice that they can easily review.
For subsystems that are complex and security critical (like Apache and Samba, for example) you could have other packages providing check scripts that look for common configuration choices that might reduce security. Such scripts would be designed to give false positives rather than false negatives. The idea being that if you do something potentially risky then you should be aware of it and so should whoever takes over your job in a few years' time. Then at relevant times (e.g. after an upgrade to a new release of Debian) decisions about security can be reviewed.

What do you think about this idea?

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
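One way to write the two checks named in the message above (SE Linux/AppArmor, and lockdown=confidentiality on kernel 5.4 or greater), as an added example that is not part of the original post and not an existing Debian package. The function names and output wording are assumptions; the script reads `/sys/kernel/security/lsm` and `/sys/kernel/security/lockdown` and warns whenever it cannot confirm the setting.

```shell
#!/bin/sh
# Added example: advisory checks for the two items named in the post.
# Inputs are passed as arguments so the logic can be run on constructed values.

# kernel_at_least RELEASE MAJOR MINOR: true if a `uname -r` style RELEASE
# is at least MAJOR.MINOR (e.g. "5.10.0-8-amd64" against 5 4).
kernel_at_least() {
    maj=${1%%.*}
    rest=${1#*.}
    min=${rest%%[!0-9]*}
    { [ "$maj" -gt "$2" ] ||
      { [ "$maj" -eq "$2" ] && [ "${min:-0}" -ge "$3" ]; }; } 2>/dev/null
}

# check_lsm LIST: LIST is the comma-separated content of /sys/kernel/security/lsm.
# Checks for an *active* module, which is stricter than "installed", so it
# errs towards warning (a false positive) as the post asks.
check_lsm() {
    case ",$1," in
        *,selinux,*|*,apparmor,*) echo "OK: SELinux or AppArmor is active" ;;
        *) echo "WARN: no SELinux or AppArmor active; see https://wiki.debian.org/SELinux or https://wiki.debian.org/AppArmor" ;;
    esac
}

# check_lockdown RELEASE STATE: STATE is the content of
# /sys/kernel/security/lockdown, where the active mode is in [brackets].
check_lockdown() {
    if ! kernel_at_least "$1" 5 4; then
        echo "SKIP: kernel $1 is older than 5.4, lockdown not applicable"
        return 0
    fi
    case "$2" in
        *"[confidentiality]"*) echo "OK: lockdown=confidentiality is in effect" ;;
        *) echo "WARN: lockdown=confidentiality not in effect (state: ${2:-unavailable}); see kernel_lockdown(7)" ;;
    esac
}

run_checks() {
    # Missing files (older kernel, securityfs not mounted) are treated as empty input.
    lsm=$(cat /sys/kernel/security/lsm 2>/dev/null || true)
    lock=$(cat /sys/kernel/security/lockdown 2>/dev/null || true)
    check_lsm "$lsm"
    check_lockdown "$(uname -r)" "$lock"
}

run_checks
```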

