Author: kwade
Update of /cvs/docs/hardening In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv11560
Modified Files: hardening-tutorial-en.xml Log Message: Mainly formatting, this allows for more odular use of sections; some style and writing changes included.
Index: hardening-tutorial-en.xml =================================================================== RCS file: /cvs/docs/hardening/hardening-tutorial-en.xml,v retrieving revision 1.1 retrieving revision 1.2 diff -u -r1.1 -r1.2 --- hardening-tutorial-en.xml 26 Jul 2005 03:49:57 -0000 1.1 +++ hardening-tutorial-en.xml 26 Jul 2005 08:37:14 -0000 1.2 @@ -4,7 +4,7 @@ <!ENTITY % FEDORA-ENTITIES-EN SYSTEM "../docs-common/common/fedora-entities-en.ent"> %FEDORA-ENTITIES-EN;
-<!ENTITY BOOKID "hardening-tutorial-en-0.2 (2005-04-26)"> <!-- change version --> +<!ENTITY BOOKID "hardening-tutorial-en-0.3 (2005-07-26)"> <!-- change version --> <!-- of manual and date here -->
<!ENTITY BUG-NUM "129957"> @@ -15,7 +15,7 @@
<book id="hardening-tutorial" lang="en"> <bookinfo> - <title>&FC; &FCLOCALVER; Hardening Tutorial</title> + <title>&FC; &FCLOCALVER; Hardening Tutorial - <emphasis>RC Document</emphasis></title> <copyright> <year>2005</year> <holder>&FORMAL-RHI;</holder> @@ -28,6 +28,32 @@ </author> </authorgroup> &LEGALNOTICE; + <revhistory> + <revision> + <revnumber>0.2</revnumber> + <date>2005-04-26</date> + <authorinitials>Charles Heselton</authorinitials> + <revdescription> + <para> + Latest build made available for import into cvs.fedora.redhat.com + </para> + </revdescription> + </revision> + <revision> + <revnumber>0.3</revnumber> + <date>2005-07-26</date> + <authorinitials>Karsten Wade</authorinitials> + <revdescription> + <para> + Changes made are wide, including title, structural, stylistic, + Documentation Project generic usage guidelines, writing editorial, + technical, format. Changes are checked into CVS in stages with + descriptive logs to help make contextual sense of the 'cvs diff + -u'. Made available as RC. + </para> + </revdescription> + </revision> + </revhistory> </bookinfo>
<preface id="ch-intro"> @@ -35,73 +61,79 @@
&DRAFTNOTICE; <para> - This tutorial is a basic walk-through of how to harden a basic install - of &FC;. Many of the actions and principles discussed here will apply - to many different linux distributions. However, for the purpose of this - tutorial we will be regarding &FC;, specifically. + This tutorial is a walk-through of how to harden an install + of &FC;. Many of the actions and principles discussed here apply + to many different Linux distributions. This tutorial focuses on how to + perform these actions using &FC;. </para> - <sect1 id="intro-scope"> + <section id="sn-intro-scope"> <title>Document Scope</title> <para> - While describing the techniques and tools used in this tutorial, it is - the goal of the author to present both the Graphical User Interface (GUI) tools, and the - more traditional command line (CLI) tools that are available in - FC3. + This tutorial has a goal of presenting both the graphical user interface + (GUI) tools and the more traditional command line (CLI) tools that are + available in &FC;. </para>
<para> - Many users will have customized the appearance of their desktop (if running - one), panels, menus, etc. This guide makes direction based on the default - install and configuration of &FC;. The locations of items, menus, - commands, etc. may differ from your actual experience. + Many users have customized the appearance of their desktop (if running + one), panels, menus, etc. This tutorial provides directions based on + the default install and configuration of &FC;. The locations of items, + menus, commands, and so forth may differ from your actual experience. </para> - </sect1> + </section>
- <sect1 id="intro-audience"> + <section id="sn-intro-audience"> <title>Intended Audience</title> <para> - This document is intended for use by all &FC; users. However, there is a - focus for home or small-business users. Enterprise deployments of Fedora - will want to make some different considerations such as centralized syslog - storage, unified (central) user authentication, etc. Most of the - principles discussed will apply, however there are some enterprise - applications which are outside the scope of this document. + This document is intended for use by all &FC; users. However, there + is a focus for home or small-business users. Enterprise deployments + of &FED; want to make different considerations, such as centralized + syslog storage, unified (central) user authentication, etc. Most of + the principles discussed still apply, however there are some + enterprise applications which are outside the scope of this document. </para> - </sect1> + </section> </preface>
- <chapter id="ch-chapter1"> + <chapter id="ch-intial-steps">
<title>Initial Steps</title>
&DRAFTNOTICE;
- <sect1 id="pkg-considerations"> + <section id="sn-pkg-considerations"> <title>Package Installation Considerations</title>
<para> - This section will not go into the actual process of installing packages, - that falls under the scope of the Installation Guide. However, there - are some important things to consider, in regards to security, when you are installing &FC; - and selecting your packages for installation, and when you are - installing new packages on an already built system. + This section does not go into the actual process of installing packages. + Refer to the <citetitle>&IG;</citetitle> for new installations, and the + documentation at <ulink + url="http://fedora.redhat.com/docs%22%3Ehttp://fedora.redhat.com/docs</ulink> + for more information on updating systems and installing packages. + </para> + <para> + However, there are some important things to consider in regards to + security when you are selecting packages during installation or for + adding to an existing system. </para>
- <sect2 id="pkg-considerations-install"> + <section id="sn-pkg-considerations-install"> <title>Package Selections During Install</title>
<para> - When you are first installing your &FC; system, take careful - consideration of the packages that you are installing. Know what type - of system you are building before you build it. Fedora offers a - "system role" method of choosing packages, which can be customized to + When you are first installing your &FC; system, carefully + consider of the packages that you are installing. Know what type + of system you are building before you build it. &FC; offers a + system role method of choosing packages, which can be customized to remove or not install certain packages, and install others that may not be - designated as part of that particular role. A good approach would be to, - first, draw out a plan of what your system is to be used for, and what - services you will want to offer (if any). You can then make an - educated decision about what installation type you want to start - with. Fedora offers the following in terms of installation types: + designated as part of that particular role. + </para> + <para> + A good approach is to draw out a plan of what your system is to be + used for and what services you will want to offer (if any). Then make + an educated decision about what installation type you want to start + with. Fedora offers the following installation types: </para> <para> <itemizedlist> @@ -118,34 +150,37 @@ <application>yum</application> command line utility, to install any additional packages required for your needs. </para> - </sect2> + </section>
- <sect2 id="pkg-considerations-update"> + <section id="sn-pkg-considerations-update"> <title>Package Considerations for Installation of New Software</title>
<para> If you are updating, or adding to, a system that is already - installed with &FC;, then there are some other considerations that + installed with &FC;, then there are some other considerations that need to be made. </para>
<para> - When installing a new package, you should check the integrity of the - package. Most reliable sources will provide a signed checksum file - for a package file. You can use <application>gpg</application> or - <application>md5sum</application> to verify the checksum provided, - depending on the digital signature provided. - <command>gpg</command> is a utility which allows you to manage digital - signatures. These signatures allow you to digitally sign or encrypt - data (including text messages or files). For more details on - <command>gpg</command> visit the GNU gpg website at <ulink - url="http://www.gnupg.org%22%3Ehttp://www.gnupg.org</ulink>. - <command>md5sum</command> is a utility which is based off of the MD5 - algorithm. This utility can be used to create a digital signature of - a file, which can then be compared to the MD5 checksum downloaded with - the software package. For more details on the MD5 hashing algorithm, - and associated utilities, you can visit the MD5 website at <ulink - url="http://www.fourmilab.ch/md5/%22%3Ehttp://www.fourmilab.ch/md5/</ulink>. + When installing a new package, you should check the integrity of the + package. Most reliable sources provide a signed checksum file for a + package file. You can use <application>gpg</application> or + <application>md5sum</application> to verify the checksum provided, + depending on the digital signature provided. + </para> + <para> + GnuPG<command>gpg</command> is a utility that allows you to manage + digital signatures. These signatures allow you to digitally sign or + encrypt data (including text messages or files). For more details + on <command>gpg</command> visit the GNU gpg website at <ulink + url="http://www.gnupg.org%22%3Ehttp://www.gnupg.org</ulink>. + <command>md5sum</command> is a utility which is based off of the MD5 + algorithm. This utility can be used to create a digital signature + of a file, which can then be compared to the MD5 checksum downloaded + with the software package. For more details on the MD5 hashing + algorithm, and associated utilities, you can visit the MD5 website + at <ulink + url="http://www.fourmilab.ch/md5/%22%3Ehttp://www.fourmilab.ch/md5/</ulink>. </para> <para> @@ -159,7 +194,7 @@ two sections. </para> - <sect3 id="s3-intro-gpg-example"> + <section id="sn-intro-gpg-example"> <title><command>gpg</command> usage example</title>
<para> @@ -372,9 +407,9 @@ The line "gpg: Good signature from ... " indicates that the signatures is valid, and the file is verified. </para> - </sect3> + </section> - <sect3 id="s3-intro-md5sum-example"> + <section id="sn-intro-md5sum-example"> <title><command>md5sum</command> usage example</title> <para> The <command>md5sum</command> command is used to get an MD5 checksum @@ -444,11 +479,11 @@ then you can be assured that the file you downloaded is an unmodified version of the file that was posted. </para> - </sect3> - </sect2> - </sect1> + </section> + </section> + </section>
- <sect1 id="s1-sudo"> + <section id="sn-sudo"> <title>Configuring and Using <command>sudo</command></title> <para> Using the <command>sudo</command> utility allows a user to run another @@ -502,9 +537,9 @@ </listitem> </itemizedlist> </para> - </sect1> + </section>
- <sect1 id="sysid-and-role"> + <section id="sn-sysid-and-role"> <title>Identifying system role and usage</title> &DRAFTNOTICE; <para> @@ -532,9 +567,9 @@ and the like. It is also assumed that there will be one primary user for this system. </para> - </sect1> + </section>
- <sect1 id="gui-update"> + <section id="sn-gui-update"> <title>GUI: Updates with <application>up2date</application></title>
<para> @@ -566,9 +601,9 @@ system is up to date, you will receive a notification that indicates this. Otherwise, the <application>up2date</application> program will download the necessary packages and install them for you.</para> - </sect1> + </section>
- <sect1 id="cli-updates"> + <section id="sn-cli-updates"> <title>CLI: Updates with <command>yum</command></title> &DRAFTNOTICE; <para> @@ -651,12 +686,12 @@ <para> <ulink url="http://fedora.redhat.com/docs/updates/index.html">http://fedora.redhat.com/docs/updates/index.html</ulink> </para> - </sect1> + </section>
- <sect1 id="services-gui"> + <section id="sn-services-gui"> <title>Disabling unnecessary services</title> &DRAFTNOTICE; - <sect2 id="services-gui-2"> + <section id="sn-services-gui-2"> <title>GUI: Service Configuration</title> <para> To get to the GUI tool to edit the default services, select @@ -765,9 +800,9 @@ have on your system. </para> </important> - </sect2> + </section>
- <sect2 id="services-cli"> + <section id="sn-services-cli"> <title>CLI: Service Configuration</title> <note> <title>Note:</title> @@ -885,10 +920,10 @@ which are multi-user runlevels: level 3 for command line only, and level 5 for X, or GUI, mode. </para> - </sect2> - </sect1> + </section> + </section>
- <sect1 id="userconfig-cli"> + <section id="sn-userconfig-cli"> <title>Disabling or Deleting Unnecessary Users and Groups</title> &DRAFTNOTICE; <para> @@ -919,7 +954,7 @@ removed. </para>
- <sect2 id="userconfig-gui"> + <section id="sn-userconfig-gui"> <title>GUI: Disabling unnecessary users</title> <para> @@ -982,11 +1017,11 @@ a service, and there is a user associated with that service, you will want to disable the user as well. </para> - </sect2> - </sect1> + </section> + </section> </chapter>
- <chapter id="ch-chapter2"> + <chapter id="ch-securing-file-system"> <title>Securing the File System</title> &DRAFTNOTICE;
@@ -998,9 +1033,9 @@ "reasonable" permission already set. However, it never hurts to be sure. </para>
- <sect1 id="fileleaks"> + <section id="sn-fileleaks"> <title>Searching for insecure files</title> - <sect2 id="fileleaks-fpintro"> + <section id="sn-fileleaks-fpintro"> <title>Basic File Permissions Introduction</title> <para>&FC; (and most other Unices) separates access control on files and directories according to three characteristics: user, group, @@ -1100,9 +1135,9 @@ <ulink url="http://www.tldp.org/LDP/intro-linux/html/sect_03_04.html">http://www.tldp.org/LDP/intro-linux/html/sect_03_04.html</ulink> </para> - </sect2> + </section>
- <sect2 id="s2-chapter2--fileleaks-wwf"> + <section id="sn-fileleaks-wwf"> <title>Finding world-writable files</title> <para> Unfortunately, there is no Fedora-specific tool (or GUI tool, for that @@ -1133,8 +1168,8 @@ likely marker files for devices that don't exist, or aren't in use on your system. </para> - </sect2> - <sect2 id="s1-chapter2-fileleaks-setuid"> + </section> + <section id="sn-fileleaks-setuid"> <title>Finding SetUID/SetGID files</title> <para> @@ -1164,8 +1199,8 @@ of files, to make sure that there is nothing "odd" in the list. </para> - </sect2> - <sect2 id="fileleaks-summary"> + </section> + <section id="sn-fileleaks-summary"> <title>Insecure files summary</title> <para> @@ -1236,10 +1271,10 @@ This will run the script every night at midnight. You will want to make adjustments for your own application. </para> - </sect2> - </sect1> + </section> + </section>
- <sect1 id="rpm-verify"> + <section id="sn-rpm-verify"> <title>Verifying packages with <command>rpm</command></title>
<para> @@ -1311,9 +1346,9 @@ especially if you have yum configured to update packages automatically. However you should verify changes that you don't recognize. </para> - </sect1> + </section>
- <sect1 id="verify-config-file"> + <section id="sn-verify-config-file"> <title>Configuration File Verification</title> <para> If you are running any types of network services, i.e. web, mail, ftp, @@ -1344,9 +1379,9 @@ You can also find more information on md5sum, and a more complete example in the previous section: <xref linkend="s3-intro-md5sum-example"></xref>. </para> - </sect1> + </section>
- <sect1 id="umask"> + <section id="sn-umask"> <title>Setting the default umask</title>
<para> @@ -1377,9 +1412,9 @@ <command>umask</command> at the command line as root.) </para>
- </sect1> + </section>
- <sect1 id="fssummary"> + <section id="sn-fssummary"> <title>File System Security Summary: Where to go from here?</title>
<para> @@ -1400,14 +1435,14 @@ <listitem><para><ulink url="http://sourceforge.net/projects/tripwire/">http://sourceforge.net/projects/tripwire/</ulink></para></listitem> <listitem><para><ulink url="http://www.cs.tut.fi/~rammer/aide.html">http://www.cs.tut.fi/~rammer/aide.html</ulink></para></listitem> </itemizedlist> - </sect1> + </section> </chapter> -<chapter id="ch-chapter3"> +<chapter id="ch-securing-user-accounts"> <title>Securing User Accounts</title>
&DRAFTNOTICE;
- <sect1 id="unnecessary-accounts"> + <section id="sn-unnecessary-accounts"> <title>Disabling Unnecessary Users</title>
<para>Disabling unnecessary users can stop possible attacks by @@ -1416,9 +1451,9 @@ linkend="userconfig-gui"></xref>. </para>
- </sect1> + </section>
- <sect1 id="limit-root"> + <section id="sn-limit-root"> <title>Limiting root logins</title>
<para> @@ -1428,7 +1463,7 @@ <command>su</command> logins only. </para>
- <sect2 id="limit-root-gui"> + <section id="sn-limit-root-gui"> <title>GUI: Limiting root</title> <para> As alluded to in earlier sections, where GUI configurations were @@ -1441,9 +1476,9 @@ password, you may be better off running it from a terminal with the <command>su</command>. </para> - </sect2> + </section>
- <sect2 id="limit-root-cli"> + <section id="sn-limit-root-cli"> <title>CLI: Limiting root</title> <para> Unfortunately, the command line isn't so forgiving. Unless you are @@ -1527,10 +1562,10 @@ This will force users to login as a normal user account and then <command>su</command> to root, or utilize <command>sudo</command>. </para> - </sect2> - </sect1> + </section> + </section>
- <sect1 id="shells"> + <section id="sn-shells"> <title>Verifying and Correcting System user shells</title> <para> System users, such as bin, sys, nobody, lp, etc. should not have valid @@ -1555,9 +1590,9 @@ There are some users which will have a special shell, like the shutdown or halt users. These special shells can be left alone. </para> - </sect1> + </section>
- <sect1 id="passwd-sec-pam-config"> + <section id="sn-passwd-sec-pam-config"> <title>Password Security and PAM Configuration</title>
<para> @@ -1615,12 +1650,12 @@ setting set to 4, the "new" password passways would fail, whereas pastels would succeed. </para> - </sect1> + </section> </chapter>
-<chapter id="ch-tcpwrappers-n-fw"> +<chapter id="ch-tcpwrappers-firewall"> <title>tcp_wrappers and Firewall Configuration</title> - <sect1 id="tcp_wrappers_config"> + <section id="sn-tcp_wrappers_config"> <title><application>tcp_wrappers</application> Configuration</title> <para> <application>tcp_wrappers</application> is a method of limiting the @@ -1634,7 +1669,7 @@ more granular in your network defense. </para>
- <sect2 id="hosts.deny"> + <section id="sn-hosts.deny"> <title>The <filename>hosts.deny</filename> file.</title> <para> The basic <application>tcp_wrappers</application> configuration consists @@ -1657,8 +1692,8 @@ attempting to make a connection to your system, unless they are specifically allowed in the <filename>hosts.allow</filename> file. </para> - </sect2> - <sect2 id="hosts.allow"> + </section> + <section id="sn-hosts.allow"> <title>The <filename>hosts.allow</filename> file.</title> <para> The <filename>hosts.allow</filename> file is only slightly more @@ -1718,10 +1753,10 @@ </para> </listitem> </itemizedlist> - </sect2> - </sect1> + </section> + </section>
- <sect1 id="iptables-fw-config"> + <section id="sn-iptables-fw-config"> <title>Firewall/IPTables Configuration</title> <para> The default &FC; firewall configuration utility is @@ -1762,7 +1797,7 @@ consider a utility such as Firestarter. Or do some reading on the configuration of <command>iptables</command>. </para> - </sect1> + </section> </chapter>
<chapter id="ch-conclusion"> @@ -1787,7 +1822,7 @@ </para> </chapter>
-<chapter id="ch-bibb-n-refs"> +<chapter id="ch-biblio-references"> <title>Bibliography and References</title>
<itemizedlist>
docs-commits@lists.fedoraproject.org