On Wed, 2005-03-30 at 22:17 -0800, Rahul Sundaram wrote:
Hi
The preview site has been updated. You can check it out at http://members.cox.net/tuxxer
http://members.cox.net/tuxxer/ch-intro.html#intro-audience
" Most of the threats on the Internet typically target Microsoft Windows systems. As more and more users start trying and using Linux, it will become more and more important for the common user to know how to harden his or her system against these threats. "
This suggests that Linux has no security threats at present, which is not true. I would prefer that a guide on hardening Linux talk about Linux rather than start with a comparison with Windows.
Fair enough.
http://members.cox.net/tuxxer/ch-chapter1.html
The parts about using gpg or md5 require more explanation. If you are explaining it in a later part, refer to that.
A detailed discussion of these utilities doesn't fall within the scope of this document. However, a glossing of how to create a gpg keypair, and how to check files with both gpg and md5sum will be added shortly.
http://members.cox.net/tuxxer/sysid-and-role.html
If you are including abbreviations such as NAT, it would be better to provide the expansion, explanation or a side note.
OK. Done.
http://members.cox.net/tuxxer/gui-update.html
AFAIK yum is the recommended command line program to use instead of up2date in Fedora. If you have sections on both yum and up2date you probably need to explain the differences too, which I would consider out of scope for this article.
The only difference I need to really point out, for the scope of this document, is the fact that one is a GUI tool, and the other is a command line tool. This was mentioned on list (thanks Paul), and I would be more than happy to put in a link to the update-tutorial mentioned there.
http://members.cox.net/tuxxer/services-gui.html
" The services that you can *safely* disable will depend upon the role of your system."
If you need to emphasise "safely", use italics or what the style guide recommends.
" yum - Enable daily run of yum, a program updater. (This will depend on your environment.)"
Since every service is pretty much dependent on the role of the system, special emphasis for the yum daemon is unnecessary.
True. However, I specifically said this for yum because I can think of environments in which the user would NOT want updates to be run every night automatically. Perhaps I can make a comment here that would be a little more clear to that end.
http://members.cox.net/tuxxer/userconfig-cli.html
" Below is a list of user accounts that most Fedora Core users will want to disable."
The above wording suggests that most users of Fedora do not run the services that follow it. It would be better to say something like this:
"The following are some of the services that you might want to disable in the system depending on your requirements"
http://members.cox.net/tuxxer/ch-chapter2.html
Since this is out of scope for your document by your own admission it would be better to just drop this. Kernel recompilation or additional hardening is unnecessary for the large majority of users and worse gives the idea that the kernel requires active manual intervention to make it secure.
Fair enough. This can wait until there is a kernel doc. Then I can provide a link.
http://members.cox.net/tuxxer/ch-chapter3.html
I am not sure what the policy is for linking to external documents, but permissions are much better explained here:
http://www.tldp.org/LDP/intro-linux/html/
Either link to this document or copy and paste with attribution (the license is compatible).
Linked.
http://members.cox.net/tuxxer/fssummary.html
You can mention that these programs exist in Fedora Extras. FC4 will have the Extras repo enabled by default. Previous versions will require more explanation of how to add the repo (steps are different between FC2 and FC3, FYI).
http://members.cox.net/tuxxer/limit-root.html
A related sshd configuration change is to disable the SSH1 protocol, which is prone to man-in-the-middle attacks.
Done.
http://members.cox.net/tuxxer/ch-chapter4.html
This section seems to be redundant.
How so? tcp_wrappers could block a connection to a service that is open in the firewall. The default firewall utility doesn't provide the granularity to configure iptables to allow/deny a connection based on host or network. This is a measure that provides defense in depth based on Fedora's default functionality.
http://members.cox.net/tuxxer/shells.html
This can probably be clubbed together with the section on users.
Makes sense.
http://members.cox.net/tuxxer/passwd-sec-pam-config.html
This section requires more information. If you are going to just point to external links, convert this section into a note.
I meant to be more detailed here. I got lazy, then distracted. I'll re-address this section.
http://members.cox.net/tuxxer/iptables-fw-config.html
It is possible to provide a port range here. More information is available in the Red Hat docs at redhat.com/docs. You cannot copy and paste (license restrictions), but you can very well gather the information from there.
I'll have to look into that.
I would prefer a link to the SELinux FAQ and guide, and provide references and a bibliography.
Thanks
Regards, Rahul Sundaram
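As an added example tied to the sshd points raised in the thread (the limit-root section and the remark about disabling SSH1), and not code from the guide or from either writer: a POSIX shell audit of an sshd_config that flags protocol 1 being enabled and root login being permitted. The function names and the two sample config files are my own constructions.

```shell
#!/bin/sh
# Added example (not the guide's own code): audit an sshd_config for the
# two sshd settings discussed in the thread, protocol 1 and root login.
# Caveat: OpenSSH 7.6+ dropped protocol 1 and ignores "Protocol", so that
# check only matters for older releases such as the FC3/FC4-era sshd.

# Effective value of a keyword: first non-comment match wins, as in sshd.
# Keyword matching is case-insensitive, also as in sshd. Empty if unset.
sshd_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Audit the file given as $1; print each weak setting, return the count.
audit_sshd_config() {
    findings=0
    proto=$(sshd_value "$1" Protocol)
    # sshd of that era defaulted to "2,1"; any value listing 1 is weak.
    case "${proto:-2,1}" in
        *1*) echo "WEAK: SSH protocol 1 enabled (Protocol ${proto:-unset, default 2,1})"
             findings=$((findings + 1)) ;;
    esac
    root=$(sshd_value "$1" PermitRootLogin)
    # Default was "yes"; only "no" keeps root off ssh entirely.
    case "$(printf '%s' "${root:-yes}" | tr 'A-Z' 'a-z')" in
        no) ;;
        *)  echo "WEAK: root login over ssh allowed (PermitRootLogin ${root:-unset, default yes})"
            findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# Constructed sample configs so the script runs stand-alone.
tmp=$(mktemp -d)
cat > "$tmp/sshd_config.weak" <<'EOF'
# Protocol 2
Protocol 2,1
PermitRootLogin yes
EOF
cat > "$tmp/sshd_config.hardened" <<'EOF'
Protocol 2
PermitRootLogin no
EOF
for f in "$tmp"/sshd_config.*; do
    echo "== $f"
    audit_sshd_config "$f"
    echo "   $? finding(s)"
done
```

The commented-out line in the weak sample is deliberately ignored, as sshd itself would ignore it, so a commented "Protocol 2" does not make a file pass.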