review of hardening guide
tuxxer
tuxxer at cox.net
Fri Apr 1 02:46:38 UTC 2005
On Wed, 2005-03-30 at 22:17 -0800, Rahul Sundaram wrote:
> Hi
>
>
> >
> > The preview site has been updated. You can check it
> > out at
> > http://members.cox.net/tuxxer
>
> http://members.cox.net/tuxxer/ch-intro.html#intro-audience
>
> " Most of the threats on the Internet typically target
> Microsoft Windows systems. As more and more users
> start trying and using Linux, it will become more and
> more important for the common user to know how to
> harden his or her system against these threats. "
>
> this suggests that Linux has no security threats at
> present which is not true. I would prefer a guide on
> hardening Linux talk about Linux rather than start by
> a comparison with Windows
Fair enough.
>
>
> http://members.cox.net/tuxxer/ch-chapter1.html
>
> The parts about using gpg or md5 require more
> explanation. If you are explaining it in a later part
> refer to that
>
A detailed discussion of these utilities doesn't fall within the scope
of this document. However, a glossing of how to create a gpg keypair,
and how to check files with both gpg and md5sum will be added shortly.
>
> http://members.cox.net/tuxxer/sysid-and-role.html
>
> If you are including abbreviations such as NAT it would
> be better to provide the expansion, explanation or a
> side note
OK. Done.
>
> http://members.cox.net/tuxxer/gui-update.html
>
> afaik yum is the recommended command line
> program to use instead of up2date in fedora. if you
> have sections on both yum and up2date you probably
> need to explain the differences too which I would
> consider out of scope for this article
The only difference I need to really point out, for the scope of this
document, is the fact that one is a GUI tool, and the other is a command
line tool. This was mentioned on list (thanks Paul), and I would be
more than happy to put in a link to the update-tutorial mentioned there.
>
> http://members.cox.net/tuxxer/services-gui.html
>
>
> " The services that you can *safely* disable will
> depend upon the role of your system."
>
> if you need to emphasise on safely use italics or what
> the style guide recommends.
>
> "
> yum - Enable daily run of yum, a program updater.
> (This will depend on your environment.)"
>
> since every service is pretty much dependent on the
> role of the system special emphasis for the yum daemon
> is unnecessary
True. However, I specifically said this for yum because I can think of
environments in which the user would NOT want updates to be run every
night automatically. Perhaps I can make a comment here that would be a
little more clear to that end.
>
> http://members.cox.net/tuxxer/userconfig-cli.html
>
> " Below is a list of user accounts that most Fedora
> Core users will want to disable."
>
> The above wording suggests that most users of Fedora
> do not run the services that follow it. It would be
> better to say something like this
>
> "The following are some of the services that you might
> want to disable in the system depending on the your
> requirements"
>
>
> http://members.cox.net/tuxxer/ch-chapter2.html
>
> Since this is out of scope for your document by your
> own admission it would be better to just drop this.
> Kernel recompilation or additional hardening is
> unnecessary for the large majority of users and worse
> gives the idea that the kernel requires active manual
> intervention to make it secure.
>
Fair enough. This can wait until there is a kernel doc. Then I can
provide a link.
> http://members.cox.net/tuxxer/ch-chapter3.html
>
> I am not sure what the policy is for linking to
> external documents but permissions are much better
> explained here
>
> http://www.tldp.org/LDP/intro-linux/html/
>
> Either link to this document or copy and paste with
> attribution (The license is compatible)
>
Linked.
> http://members.cox.net/tuxxer/fssummary.html
>
> you can mention that these programs exist in fedora
> extras. fc4 will have extras repo enabled by default.
> previous versions will require more explanation on how
> to add the repo (steps are different between fc2 and
> fc3 fyi)
>
> http://members.cox.net/tuxxer/limit-root.html
>
> a related sshd configuration change is disabling the ssh1
> protocol, which is prone to man-in-the-middle attacks
>
Done.
>
>
> http://members.cox.net/tuxxer/ch-chapter4.html
>
> this section seems to be redundant
How so? tcp_wrappers could block a connection to a service that is open
in the firewall. The default firewall utility doesn't provide the
granularity to configure iptables to allow/deny a connection based on
host or network. This is a measure that provides defense in depth based
on Fedora's default functionality.
>
> http://members.cox.net/tuxxer/shells.html
>
> this can probably be clubbed together with the section
> on users
Makes sense.
>
> http://members.cox.net/tuxxer/passwd-sec-pam-config.html
>
> this section requires more information. if you are
> going to just point to external links convert this
> section into a note
I meant to be more detailed here. I got lazy, then distracted. I'll
re-address this section.
>
> http://members.cox.net/tuxxer/iptables-fw-config.html
>
> it is possible to provide a port range here. More
> information is available in the redhat docs.
> redhat.com/docs. you cannot copy and paste (license
> restrictions) but you can very well gather the information
> from there
>
I'll have to look into that.
> I would prefer a link to the SELinux faq and guide and
> provide references and a bibliography.
>
> thanks
>
>
>
> Regards
> Rahul Sundaram
>
>
>
--
-tuxxer
gpg: 57EB F948 76AE 25BC E340 EFA9 FAF6 E1AC F1E1 1EA1
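The two sshd and tcp_wrappers points discussed above (dropping SSH protocol 1, and using hosts.allow/hosts.deny as defense in depth behind the firewall), as an added example that is not part of this thread or of the guide: a small POSIX shell audit that checks copies of the relevant files. The function names and the sample file contents are constructed for the demo; the paths are whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the guide or the thread. Checks two of the
# hardening steps discussed above against copies of the config files.
# Function names and the sample contents below are constructed for the demo.

# 0 if sshd_config pins "Protocol 2" explicitly. A missing line fails too,
# since OpenSSH releases of that era defaulted to "2,1" (protocol 1 enabled).
sshd_protocol_ok() {
    proto=$(awk 'tolower($1) == "protocol" { print $2; exit }' "$1")
    [ "$proto" = "2" ]
}

# 0 if tcp_wrappers is set up as defense in depth for daemon $3:
# hosts.deny ($2) denies everything by default and hosts.allow ($1)
# grants the daemon only to explicit hosts/networks, never to ALL.
wrappers_ok() {
    allow=$1 deny=$2 daemon=$3
    grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL' "$deny" || return 1
    rules=$(grep -E "^[[:space:]]*($daemon|ALL)[[:space:]]*:" "$allow") || return 1
    # a rule granting the daemon to ALL defeats the purpose
    echo "$rules" | grep -Eq ':[[:space:]]*ALL([[:space:]]|$)' && return 1
    return 0
}

# Constructed sample files, written into scratch directory $1.
make_samples() {
    d=$1
    printf 'Port 22\nProtocol 2,1\nX11Forwarding no\n' > "$d/sshd_config.weak"
    printf 'Port 22\nProtocol 2\nX11Forwarding no\n'   > "$d/sshd_config.good"
    printf 'ALL: ALL\n'                                  > "$d/hosts.deny"
    printf '# nothing denied: wrappers let everything in\n' > "$d/hosts.deny.empty"
    printf 'sshd: 192.168.1.0/255.255.255.0\n'           > "$d/hosts.allow.good"
    printf 'sshd: ALL\n'                                 > "$d/hosts.allow.weak"
}

# Stand-alone run: audit the samples and print a verdict for each.
tmp=$(mktemp -d)
make_samples "$tmp"
for f in good weak; do
    if sshd_protocol_ok "$tmp/sshd_config.$f"; then echo "sshd_config.$f: ok"
    else echo "sshd_config.$f: protocol 1 still enabled"; fi
    if wrappers_ok "$tmp/hosts.allow.$f" "$tmp/hosts.deny" sshd; then echo "hosts.allow.$f: ok"
    else echo "hosts.allow.$f: too permissive"; fi
done
rm -rf "$tmp"
```

Point the functions at /etc/ssh/sshd_config, /etc/hosts.allow and /etc/hosts.deny to audit a live Fedora box; the sample files only exist so the script runs offline.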