PATCH[1/1] Linux Security Guide: edit of General_Principles.xml

Murray McAllister murray.mcallister at gmail.com
Sat Jan 3 04:20:01 UTC 2009


Hi,

I found some motivation this morning, so I tried to review
"...community/fc11/en-US/General_Principles.xml".

If it looks okay, it would be great if a security person (I made minor
additions) and a writer person could check it for accuracy.


----

--- community/fc11/en-US/General_Principles.xml	2009-01-03
13:44:01.000000000 +1000
+++ new/community/fc11/en-US/General_Principles.xml	2009-01-03
13:42:09.000000000 +1000
@@ -5,88 +5,70 @@
 <chapter id="chap-Security_Guide-General_Principles_of_Information_Security">
 	<title>General Principles of Information Security</title>
 	<para>
-		The United States' <ulink url="www.nsa.gov">National Security
Agency</ulink> (NSA) provides hardening guides and hardening tips for
many different operating systems to help government agencies,
businesses, and individuals help secure their system against attacks.
In addition to specific settings to change, a set of general
principles have been developed to give you a high level view of
information security.
+		The following general principals provide an overview of good
security practices:
 	</para>
-	<section id="sect-Security_Guide-General_Principles_of_Information_Security-General_Principles">
-		<title>General Principles</title>
-		  <itemizedlist>
-		    <listitem>
-		      <para>
-			Encrypt all data transmitted over the network. Encrypting
authentication information (such as passwords) is particularly
important.
-		      </para>
-		    </listitem>
-		    <listitem>
-		      <para>
-			Minimize the amount of software installed and running in order to
minimize vulnerability.
-		      </para>
-		    </listitem>
-		    <listitem>
-		      <para>		
-			Use security-enhancing software and tools whenever available (e.g.
SELinux and IPTables).
-		      </para>
-		    </listitem>
-		    <listitem>
-		      <para>
-			Run each network service on a separate server whenever possible.
This minimizes the risk that a compromise of one service could lead to
a compromise of others.
-		      </para>
-		    </listitem>
-		    <listitem>
-		      <para>
-			Maintain user accounts. Create a good password policy and enforce
its use. Delete unused user accounts.
-		      </para>
-		    </listitem>
-		    <listitem>
-		      <para>
-			Review system and application logs on a routine basis. Send logs
to a dedicated log server. This prevents intruders from easily
avoiding detection by modifying the local logs.
-		      </para>
-		    </listitem>
-		    <listitem>
-		      <para>
-			Never login directly as root, unless absolutely necessary.
Administrators should use sudo to execute commands as root when
required. The accounts capable of using sudo are specified in
/etc/sudoers, which is edited with the visudo utility. By default,
relavent logs are written to /var/log/secure.
-		      </para>
-		    </listitem>
-		  </itemizedlist>
-		</section>
+	<itemizedlist>
+		<listitem>
+			<para>
+				encrypt all data transmitted over networks to help prevent
man-in-the-middle attacks and eavesdropping. It is important to
encrypt authentication information, such as passwords.
+			</para>
+		</listitem>
+		<listitem>
+			<para>
+				minimize the amount of software installed and running services.
+			</para>
+		</listitem>
+		<listitem>
+			<para>
+				use security-enhancing software and tools, for example,
Security-Enhanced Linux (SELinux) for Mandatory Access Control (MAC),
Netfilter iptables for packet filtering (firewall), and the GNU
Privacy Guard (GnuPG) for encrypting documents.
+			</para>
+		</listitem>
+		<listitem>
+			<para>
+				if possible, run each network service on a separate system to
minimize the risk of one compromised service being used to compromise
other services.
+			</para>
+		</listitem>
+		<listitem>
+			<para>
+				maintain user accounts: create and enforce a strong password
policy; delete unused user accounts.
+			</para>
+		</listitem>
+		<listitem>
+			<para>
+				routinely review system and application logs. By default,
security-relevant system logs are written to
<filename>/var/log/secure</filename> and
<filename>/var/log/audit/audit.log</filename>. Note: sending logs to a
dedicated log server helps prevent attackers from easily modifying
local logs to avoid detection.
+			</para>
+		</listitem>
+		<listitem>
+			<para>
+				never log in as the root user unless absolutely necessary. It is
recommended that administrators use <command>sudo</command> to execute
commands as root when required. Users capable of running
<command>sudo</command> are specified in
<filename>/etc/sudoers</filename>. Use the <command>visudo</command>
utility to edit <filename>/etc/sudoers</filename>.
+			</para>
+		</listitem>
+	</itemizedlist>
 		<section id="sect-Security_Guide-General_Principles_of_Information_Security-Tips_Guides_and_Tools">
 		<title>Tips, Guides, and Tools</title>
 		<para>
-			Most of the above tips are very basic. Depending on your knowledge
of Linux and how comfortable you are with modifying your system, some
changes could be made to help make your installation more secure. As
mentioned above, the NSA has hardening guides and tips for securing
Red Hat Enterprise Linux 5. Likewise, the <ulink
url="http://www.disa.mil/">Defense Information Systems Agency</ulink>
(DISA) has an <ulink url="iase.disa.mil">Information Assurance Support
Environment</ulink> in which they publish checklists and tests for
verifying the security of your system. The documents from the NSA are
a good read for anyone familiar with Linux while the information from
DISA is extremely specific and advanced knowledge of Unix/Linux would
be a great benefit. Links to these documents are listed below. We will
try to pull some of the larger items out of these documents and
explain how to implement them in Fedora and why they are important. In
addition to documentation, DISA has made available SRR scripts that
allow an administrator to check specific settings on a system quickly.
The SRR scripts will provide an XML-formatted report listing any known
vulnerable settings that you have on your system.
+			The United States' <ulink url="http://www.nsa.gov/">National
Security Agency (NSA)</ulink> provides hardening guides and tips for
many different operating systems, to help government agencies,
businesses, and individuals secure their systems against attack. The
following guides (in PDF format) provide guidance for Red Hat
Enterprise Linux 5:
 		</para>
-		</section>
-		<section id="sect-Security_Guide-General_Principles_of_Information_Security-NSA_Documents">
-		<title>NSA Documents</title>
 		<itemizedlist>
-		  <listitem>
-		    <para>
-		      <ulink
url="www.nsa.gov/notices/notic00004.cfm?Address=/snac/os/redhat/rhel5-pamphlet-i731.pdf">Hardening
Tips for the Red Hat Enterprise Linux 5 (PDF)</ulink>
-		    </para>
-		  </listitem>
-		  <listitem>
-		    <para>		
-		      <ulink
url="www.nsa.gov/notices/notic00004.cfm?Address=/snac/os/redhat/rhel5-guide-i731.pdf">Guide
to the Secure Configuration of Red Hat Enterprise Linux 5
(PDF)</ulink>
-		    </para>
-		  </listitem>
+			<listitem>
+				<para>
+					<ulink url="http://www.nsa.gov/notices/notic00004.cfm?Address=/snac/os/redhat/rhel5-pamphlet-i731.pdf">Hardening
Tips for the Red Hat Enterprise Linux 5</ulink>
+				</para>
+			</listitem>
+			<listitem>
+				<para>
+					<ulink url="http://www.nsa.gov/notices/notic00004.cfm?Address=/snac/os/redhat/rhel5-guide-i731.pdf">Guide
to the Secure Configuration of Red Hat Enterprise Linux 5</ulink>
+				</para>
+			</listitem>
 		</itemizedlist>
-		</section>
-		<section id="sect-Security_Guide-General_Principles_of_Information_Security-DISA_IASE_Documents">
-		<title>DISA IASE Documents</title>
-		<itemizedlist>
-		  <listitem>
-		    <para>
-		      <ulink url="iase.disa.mil/stigs/stig/index.html">Security
Technical Implementation Guides</ulink> (STIG) Scroll down to the Unix
STIG
-		    </para>
-		  </listitem>
-		  <listitem>
-		    <para>
-		      <ulink
url="iase.disa.mil/stigs/checklist/index.html">Security
Checklists</ulink> Scroll down to the Unix Security Checklists
-		    </para>
-		  </listitem>
-		  <listitem>
-		    <para>
-		      <ulink url="iase.disa.mil/stigs/SRR/unix.html">Unix Security
Readiness Review Evaluation Script</ulink>
-		    </para>
-		  </listitem>
-		</itemizedlist>
-		</section>
-	      </chapter>
-
+		<para>
+			The <ulink url="http://www.disa.mil/">Defense Information Systems
Agency (DISA)</ulink> provides documentation, checklists, and tests to
help secure your system (<ulink
url="http://iase.disa.mil/index2.html">Information Assurance Support
Environment</ulink>). The <ulink
url="http://iase.disa.mil/stigs/stig/unix-stig-v5r1.pdf">UNIX SECURITY
TECHNICAL IMPLEMENTATION GUIDE</ulink> (PDF) is a very specific guide
to UNIX security - an advanced knowledge of UNIX and Linux is
recommended before reading this guide.
+		</para>
+		<para>
+			The DISA <ulink
url="http://iase.disa.mil/stigs/checklist/unix_checklist_v5r1_15_20081215.ZIP">UNIX
Security Checklist Version 5, Release 1.15</ulink> provides a
collection of documents and checklists, ranging from the correct
ownerships and modes for system files, to patch control.
+		</para>
+		<para>
+			Also, DISA has made available <ulink
url="http://iase.disa.mil/stigs/SRR/unix.html">UNIX SPR
scripts</ulink> that allow administrators to check specific settings
on systems. These scripts provide XML-formatted reports listing any
known vulnerable settings.
+		</para>
+	</section>
+</chapter>
\ No newline at end of file
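Review bot: two typos in the added text should be fixed before this lands: the intro sentence reads "The following general principals provide an overview" (should be "principles"), and the last paragraph refers to "UNIX SPR scripts" where the linked URL (.../stigs/SRR/unix.html) and the text being removed both say SRR, i.e. Security Readiness Review. Style-wise, each new list item now starts with a lowercase word ("encrypt all data ...", "minimize the amount ...") yet ends with a full stop; the rest of the chapter capitalises sentences, so either capitalise them or drop the terminal periods consistently. The item "minimize the amount of software installed and running services." also reads awkwardly; something like "minimize the amount of software installed and the number of running services" keeps the original meaning. On accuracy, "encrypt all data transmitted over networks to help prevent man-in-the-middle attacks and eavesdropping" overstates what encryption alone gives you: it defeats eavesdropping, but an active man-in-the-middle is only prevented when the peer is also authenticated (for example, by verifying the server's certificate or SSH host key), so consider qualifying that sentence. Finally, the hunk deletes the `sect-...-General_Principles`, `sect-...-NSA_Documents` and `sect-...-DISA_IASE_Documents` section ids; please grep the rest of the book for `<xref linkend=` references to those ids, since any remaining reference will break the build.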

----

The link for "Hardening Tips for the Red Hat Enterprise Linux 5" does
not work after accepting the license agreement. I have mailed
<nsapao at nsa.gov>.

Cheers.



