review of hardening guide

Rahul Sundaram rahulsundaram at yahoo.co.in
Thu Mar 31 06:17:12 UTC 2005


Hi


> 
> The preview site has been updated.  You can check it
> out at
> http://members.cox.net/tuxxer 

http://members.cox.net/tuxxer/ch-intro.html#intro-audience

" Most of the threats on the Internet typically target
Microsoft Windows systems. As more and more users
start trying and using linux, it will become more and
more important for the common user to know how to
harden his or her system against these threats. "

This suggests that Linux has no security threats at
present, which is not true. I would prefer that a guide on
hardening Linux talk about Linux rather than start with
a comparison with Windows.


http://members.cox.net/tuxxer/ch-chapter1.html

The parts about using gpg or md5 require more
explanation. If you are explaining it in a later part,
refer to that.


http://members.cox.net/tuxxer/sysid-and-role.html

If you are including abbreviations such as NAT, it would
be better to provide the expansion, explanation or a
side note.

http://members.cox.net/tuxxer/gui-update.html

AFAIK yum is the recommended command line
program to use instead of up2date in Fedora. If you
have sections on both yum and up2date, you probably
need to explain the differences too, which I would
consider out of scope for this article.

http://members.cox.net/tuxxer/services-gui.html


" The services that you can *safely* disable will
depend upon the role of your system."

If you need to emphasise "safely", use italics or whatever
the style guide recommends.

"
yum - Enable daily run of yum, a program updater.
(This will depend on your environment.)"

Since every service is pretty much dependent on the
role of the system, special emphasis for the yum daemon
is unnecessary.

http://members.cox.net/tuxxer/userconfig-cli.html

" Below is a list of user accounts that most Fedora
Core users will want to disable."

The above wording suggests that most users of Fedora
do not run the services that follow it. It would be
better to say something like this:

"The following are some of the services that you might
want to disable in the system depending on your
requirements"


http://members.cox.net/tuxxer/ch-chapter2.html

Since this is out of scope for your document by your
own admission, it would be better to just drop this.
Kernel recompilation or additional hardening is
unnecessary for the large majority of users and, worse,
gives the idea that the kernel requires active manual
intervention to make it secure.

http://members.cox.net/tuxxer/ch-chapter3.html

I am not sure what the policy is for linking to
external documents, but permissions are much better
explained here:

http://www.tldp.org/LDP/intro-linux/html/

Either link to this document or copy and paste with
attribution. (The license is compatible.)

http://members.cox.net/tuxxer/fssummary.html

You can mention that these programs exist in Fedora
Extras. FC4 will have the Extras repo enabled by default.
Previous versions will require more explanation of how
to add the repo (steps are different between FC2 and
FC3, FYI).

http://members.cox.net/tuxxer/limit-root.html

A related sshd configuration change is to disable the ssh1
protocol, which is prone to man-in-the-middle attacks.

http://members.cox.net/tuxxer/ch-chapter4.html

This section seems to be redundant.

http://members.cox.net/tuxxer/shells.html

This can probably be clubbed together with the section
on users.

http://members.cox.net/tuxxer/passwd-sec-pam-config.html

This section requires more information. If you are
going to just point to external links, convert this
section into a note.

http://members.cox.net/tuxxer/iptables-fw-config.html

It is possible to provide a port range here. More
information is available in the Red Hat docs
(redhat.com/docs). You cannot copy and paste (license
restrictions), but you can very well gather the information
from there.

I would prefer that you link to the SELinux FAQ and guide and
provide references and a bibliography.

Thanks

Regards
Rahul Sundaram


		