On Wed, 2005-03-30 at 22:17 -0800, Rahul Sundaram wrote:
> Hi
> >
> > The preview site has been updated. You can check it
> > out at
> >
> http://members.cox.net/tuxxer
>
> http://members.cox.net/tuxxer/ch-intro.html#intro-audience
>
> " Most of the threats on the Internet typically target
> Microsoft Windows systems. As more and more users
> start trying and using linux, it will become more and
> more important for the common user to know how to
> harden his or her system against these threats. "
>
> This suggests that Linux has no security threats at
> present, which is not true. I would prefer a guide on
> hardening Linux to talk about Linux rather than start by
> a comparison with Windows.
Fair enough.
> http://members.cox.net/tuxxer/ch-chapter1.html
>
> The parts about using gpg or md5 require more
> explanation. If you are explaining it in a later part,
> refer to that.
A detailed discussion of these utilities doesn't fall within the scope
of this document. However, a glossing of how to create a gpg keypair,
and how to check files with both gpg and md5sum will be added shortly.
> http://members.cox.net/tuxxer/sysid-and-role.html
>
> If you are including abbreviations such as NAT it would
> be better to provide the expansion, explanation or a
> side note.
OK. Done.
> http://members.cox.net/tuxxer/gui-update.html
>
> AFAIK yum is the recommended command line
> program to use instead of up2date in Fedora. If you
> have sections on both yum and up2date you probably
> need to explain the differences too, which I would
> consider out of scope for this article.
The only difference I need to really point out, for the scope of this
document, is the fact that one is a GUI tool, and the other is a command
line tool. This was mentioned on list (thanks Paul), and I would be
more than happy to put in a link to the update-tutorial mentioned there.
> http://members.cox.net/tuxxer/services-gui.html
>
> " The services that you can *safely* disable will
> depend upon the role of your system."
>
> If you need to emphasise "safely", use italics or what
> the style guide recommends.
>
> " yum - Enable daily run of yum, a program updater.
> (This will depend on your environment.)"
>
> Since every service is pretty much dependent on the
> role of the system, special emphasis for the yum daemon
> is unnecessary.
True. However, I specifically said this for yum because I can think of
environments in which the user would NOT want updates to be run every
night automatically. Perhaps I can make a comment here that would be a
little more clear to that end.
> http://members.cox.net/tuxxer/userconfig-cli.html
>
> " Below is a list of user accounts that most Fedora
> Core users will want to disable."
>
> The above wording suggests that most users of Fedora
> do not run the services that follow it. It would be
> better to say something like this:
>
> "The following are some of the services that you might
> want to disable in the system depending on your
> requirements"
> http://members.cox.net/tuxxer/ch-chapter2.html
>
> Since this is out of scope for your document by your
> own admission, it would be better to just drop this.
> Kernel recompilation or additional hardening is
> unnecessary for the large majority of users and, worse,
> gives the idea that the kernel requires active manual
> intervention to make it secure.
Fair enough. This can wait until there is a kernel doc. Then I can
provide a link.
> http://members.cox.net/tuxxer/ch-chapter3.html
>
> I am not sure what the policy is for linking to
> external documents, but permissions are much better
> explained here:
> http://www.tldp.org/LDP/intro-linux/html/
> Either link to this document or copy and paste with
> attribution (the license is compatible).
Linked.
> http://members.cox.net/tuxxer/fssummary.html
>
> You can mention that these programs exist in Fedora
> Extras. FC4 will have the extras repo enabled by default.
> Previous versions will require more explanation of how
> to add the repo (steps are different between FC2 and
> FC3, FYI).
> http://members.cox.net/tuxxer/limit-root.html
>
> A related sshd configuration change is to disable the ssh1
> protocol, which is prone to man-in-the-middle attacks.
Done.
How so? tcp_wrappers could block a connection to a service that is open
in the firewall. The default firewall utility doesn't provide the
granularity to configure iptables to allow/deny a connection based on
host or network. This is a measure that provides defense in depth based
on Fedora's default functionality.
> http://members.cox.net/tuxxer/shells.html
>
> This can probably be clubbed together with the section
> on users.
Makes sense.
> http://members.cox.net/tuxxer/passwd-sec-pam-config.html
>
> This section requires more information. If you are
> going to just point to external links, convert this
> section into a note.
I meant to be more detailed here. I got lazy, then distracted. I'll
re-address this section.
> http://members.cox.net/tuxxer/iptables-fw-config.html
>
> It is possible to provide a port range here. More
> information is available in the Red Hat docs at
> redhat.com/docs. You cannot copy and paste (license
> restrictions) but you can very well gather the information
> from there.
I'll have to look into that.
> I would prefer a link to the SELinux FAQ and guide and
> provide references and a bibliography.
>
> Thanks
> Regards
> Rahul Sundaram
--
-tuxxer
gpg: 57EB F948 76AE 25BC E340 EFA9 FAF6 E1AC F1E1 1EA1
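The ssh1 point raised against limit-root.html above is easy to check mechanically. The following is an added example (mine, not code from either message or from the guide): a small audit of the sshd `Protocol` directive, run over three constructed sshd_config fragments, assuming sshd's usual first-match, case-insensitive keyword handling.

```shell
#!/bin/sh
# Added example: audit the sshd "Protocol" directive behind the ssh1
# recommendation. The three configs below are constructed samples.
WEAK_CFG='# legacy sshd_config still offering ssh1
Port 22
protocol 2,1
PermitRootLogin no'

FIXED_CFG='# sshd_config after the suggested change
Port 22
#Protocol 2,1
Protocol 2
PermitRootLogin no'

UNSET_CFG='# no Protocol directive at all
Port 22
PermitRootLogin no'

# Print the effective value of an sshd_config keyword read on stdin.
# sshd keywords are case-insensitive and the first active occurrence
# wins, so skip blank/comment lines and stop at the first match.
sshd_directive() {
    awk -v key="$1" '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    '
}

# Classify a config: "weak" if protocol 1 is offered at all, "ok" if
# only version 2, "unset" if the directive is missing (the build-time
# default then applies; a hardening guide should make it explicit).
ssh1_status() {
    proto=$(printf '%s\n' "$1" | sshd_directive Protocol)
    case "$proto" in
        '')  echo unset ;;
        *1*) echo weak ;;
        *)   echo ok ;;
    esac
}

# Usage: run the classifier over each constructed sample.
for name in WEAK_CFG FIXED_CFG UNSET_CFG; do
    eval "cfg=\$$name"
    printf '%-9s %s\n' "$name" "$(ssh1_status "$cfg")"
done
```

On a live system the same classifier can be fed the contents of /etc/ssh/sshd_config instead of a constructed string.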