PATCH[1/1] Linux Security Guide
Magnus Glantz
mg at hacka.net
Sun Jan 4 09:20:25 UTC 2009
My €5 as a non-US citizen.
I do not feel comfortable with a guide that seems almost completely
ripped off from published US military/government documents. Also, way too many
direct references to US military/government web pages and documents.
My thought is that this needs a complete re-write.
Best regards,
//M
>
> Today's Topics:
>
> 1. PATCH[1/1] Linux Security Guide: edit of
> General_Principles.xml (Murray McAllister)
> 2. Re: PATCH[1/1] Linux Security Guide: edit of
> General_Principles.xml (Murray McAllister)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 3 Jan 2009 14:20:01 +1000
> From: "Murray McAllister" <murray.mcallister at gmail.com>
> Subject: PATCH[1/1] Linux Security Guide: edit of
> General_Principles.xml
> To: "For participants of the Documentation Project"
> <fedora-docs-list at redhat.com>
> Cc: sparks at fedoraproject.org
> Message-ID:
> <95f1114b0901022020n3fe734b5icd4792d9e3b78c71 at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi,
>
> I found some motivation this morning, so I tried to review
> "...community/fc11/en-US/General_Principles.xml".
>
> If it looks okay, it would be great if a security person (I made minor
> additions) and a writer person could check it for accuracy.
>
>
> ----
>
> --- community/fc11/en-US/General_Principles.xml 2009-01-03
> 13:44:01.000000000 +1000
> +++ new/community/fc11/en-US/General_Principles.xml 2009-01-03
> 13:42:09.000000000 +1000
> @@ -5,88 +5,70 @@
> <chapter id="chap-Security_Guide-General_Principles_of_Information_Security">
> <title>General Principles of Information Security</title>
> <para>
> - The United States' <ulink url="www.nsa.gov">National Security
> Agency</ulink> (NSA) provides hardening guides and hardening tips for
> many different operating systems to help government agencies,
> businesses, and individuals help secure their system against attacks.
> In addition to specific settings to change, a set of general
> principles have been developed to give you a high level view of
> information security.
> + The following general principals provide an overview of good
> security practices:
> </para>
> - <section id="sect-Security_Guide-General_Principles_of_Information_Security-General_Principles">
> - <title>General Principles</title>
> - <itemizedlist>
> - <listitem>
> - <para>
> - Encrypt all data transmitted over the network. Encrypting
> authentication information (such as passwords) is particularly
> important.
> - </para>
> - </listitem>
> - <listitem>
> - <para>
> - Minimize the amount of software installed and running in order to
> minimize vulnerability.
> - </para>
> - </listitem>
> - <listitem>
> - <para>
> - Use security-enhancing software and tools whenever available (e.g.
> SELinux and IPTables).
> - </para>
> - </listitem>
> - <listitem>
> - <para>
> - Run each network service on a separate server whenever possible.
> This minimizes the risk that a compromise of one service could lead to
> a compromise of others.
> - </para>
> - </listitem>
> - <listitem>
> - <para>
> - Maintain user accounts. Create a good password policy and enforce
> its use. Delete unused user accounts.
> - </para>
> - </listitem>
> - <listitem>
> - <para>
> - Review system and application logs on a routine basis. Send logs
> to a dedicated log server. This prevents intruders from easily
> avoiding detection by modifying the local logs.
> - </para>
> - </listitem>
> - <listitem>
> - <para>
> - Never login directly as root, unless absolutely necessary.
> Administrators should use sudo to execute commands as root when
> required. The accounts capable of using sudo are specified in
> /etc/sudoers, which is edited with the visudo utility. By default,
> relavent logs are written to /var/log/secure.
> - </para>
> - </listitem>
> - </itemizedlist>
> - </section>
> + <itemizedlist>
> + <listitem>
> + <para>
> + encrypt all data transmitted over networks to help prevent
> man-in-the-middle attacks and eavesdropping. It is important to
> encrypt authentication information, such as passwords.
> + </para>
> + </listitem>
> + <listitem>
> + <para>
> + minimize the amount of software installed and running services.
> + </para>
> + </listitem>
> + <listitem>
> + <para>
> + use security-enhancing software and tools, for example,
> Security-Enhanced Linux (SELinux) for Mandatory Access Control (MAC),
> Netfilter iptables for packet filtering (firewall), and the GNU
> Privacy Guard (GnuPG) for encrypting documents.
> + </para>
> + </listitem>
> + <listitem>
> + <para>
> + if possible, run each network service on a separate system to
> minimize the risk of one compromised service being used to compromise
> other services.
> + </para>
> + </listitem>
> + <listitem>
> + <para>
> + maintain user accounts: create and enforce a strong password
> policy; delete unused user accounts.
> + </para>
> + </listitem>
> + <listitem>
> + <para>
> + routinely review system and application logs. By default,
> security-relevant system logs are written to
> <filename>/var/log/secure</filename> and
> <filename>/var/log/audit/audit.log</filename>. Note: sending logs to a
> dedicated log server helps prevent attackers from easily modifying
> local logs to avoid detection.
> + </para>
> + </listitem>
> + <listitem>
> + <para>
> + never log in as the root user unless absolutely necessary. It is
> recommended that administrators use <command>sudo</command> to execute
> commands as root when required. Users capable of running
> <command>sudo</command> are specified in
> <filename>/etc/sudoers</filename>. Use the <command>visudo</command>
> utility to edit <filename>/etc/sudoers</filename>.
> + </para>
> + </listitem>
> + </itemizedlist>
> <section id="sect-Security_Guide-General_Principles_of_Information_Security-Tips_Guides_and_Tools">
> <title>Tips, Guides, and Tools</title>
> <para>
> - Most of the above tips are very basic. Depending on your knowledge
> of Linux and how comfortable you are with modifying your system, some
> changes could be made to help make your installation more secure. As
> mentioned above, the NSA has hardening guides and tips for securing
> Red Hat Enterprise Linux 5. Likewise, the <ulink
> url="http://www.disa.mil/">Defense Information Systems Agency</ulink>
> (DISA) has an <ulink url="iase.disa.mil">Information Assurance Support
> Environment</ulink> in which they publish checklists and tests for
> verifying the security of your system. The documents from the NSA are
> a good read for anyone familiar with Linux while the information from
> DISA is extremely specific and advanced knowledge of Unix/Linux would
> be a great benefit. Links to these documents are listed below. We will
> try to pull some of the larger items out of these documents and
> explain how to implement them in Fedora and why they are important. In
> addition to documentation, DISA has made available SRR scripts that
> allow an administrator to check specific settings on a system quickly.
> The SRR scripts will provide an XML-formatted report listing any known
> vulnerable settings that you have on your system.
> + The United States' <ulink url="http://www.nsa.gov/">National
> Security Agency (NSA)</ulink> provides hardening guides and tips for
> many different operating systems, to help government agencies,
> businesses, and individuals secure their systems against attack. The
> following guides (in PDF format) provide guidance for Red Hat
> Enterprise Linux 5:
> </para>
> - </section>
> - <section id="sect-Security_Guide-General_Principles_of_Information_Security-NSA_Documents">
> - <title>NSA Documents</title>
> <itemizedlist>
> - <listitem>
> - <para>
> - <ulink
> url="www.nsa.gov/notices/notic00004.cfm?Address=/snac/os/redhat/rhel5-pamphlet-i731.pdf">Hardening
> Tips for the Red Hat Enterprise Linux 5 (PDF)</ulink>
> - </para>
> - </listitem>
> - <listitem>
> - <para>
> - <ulink
> url="www.nsa.gov/notices/notic00004.cfm?Address=/snac/os/redhat/rhel5-guide-i731.pdf">Guide
> to the Secure Configuration of Red Hat Enterprise Linux 5
> (PDF)</ulink>
> - </para>
> - </listitem>
> + <listitem>
> + <para>
> + <ulink url="http://www.nsa.gov/notices/notic00004.cfm?Address=/snac/os/redhat/rhel5-pamphlet-i731.pdf">Hardening
> Tips for the Red Hat Enterprise Linux 5</ulink>
> + </para>
> + </listitem>
> + <listitem>
> + <para>
> + <ulink url="http://www.nsa.gov/notices/notic00004.cfm?Address=/snac/os/redhat/rhel5-guide-i731.pdf">Guide
> to the Secure Configuration of Red Hat Enterprise Linux 5</ulink>
> + </para>
> + </listitem>
> </itemizedlist>
> - </section>
> - <section id="sect-Security_Guide-General_Principles_of_Information_Security-DISA_IASE_Documents">
> - <title>DISA IASE Documents</title>
> - <itemizedlist>
> - <listitem>
> - <para>
> - <ulink url="iase.disa.mil/stigs/stig/index.html">Security
> Technical Implementation Guides</ulink> (STIG) Scroll down to the Unix
> STIG
> - </para>
> - </listitem>
> - <listitem>
> - <para>
> - <ulink
> url="iase.disa.mil/stigs/checklist/index.html">Security
> Checklists</ulink> Scroll down to the Unix Security Checklists
> - </para>
> - </listitem>
> - <listitem>
> - <para>
> - <ulink url="iase.disa.mil/stigs/SRR/unix.html">Unix Security
> Readiness Review Evaluation Script</ulink>
> - </para>
> - </listitem>
> - </itemizedlist>
> - </section>
> - </chapter>
> -
> + <para>
> + The <ulink url="http://www.disa.mil/">Defense Information Systems
> Agency (DISA)</ulink> provides documentation, checklists, and tests to
> help secure your system (<ulink
> url="http://iase.disa.mil/index2.html">Information Assurance Support
> Environment</ulink>). The <ulink
> url="http://iase.disa.mil/stigs/stig/unix-stig-v5r1.pdf">UNIX SECURITY
> TECHNICAL IMPLEMENTATION GUIDE</ulink> (PDF) is a very specific guide
> to UNIX security - an advanced knowledge of UNIX and Linux is
> recommended before reading this guide.
> + </para>
> + <para>
> + The DISA <ulink
> url="http://iase.disa.mil/stigs/checklist/unix_checklist_v5r1_15_20081215.ZIP">UNIX
> Security Checklist Version 5, Release 1.15</ulink> provides a
> collection of documents and checklists, ranging from the correct
> ownerships and modes for system files, to patch control.
> + </para>
> + <para>
> + Also, DISA has made available <ulink
> url="http://iase.disa.mil/stigs/SRR/unix.html">UNIX SPR
> scripts</ulink> that allow administrators to check specific settings
> on systems. These scripts provide XML-formatted reports listing any
> known vulnerable settings.
> + </para>
> + </section>
> +</chapter>
> \ No newline at end of file
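Review bot: two wording slips in the text this hunk adds. The new introductory paragraph reads "The following general principals provide an overview of good security practices:" and should say "principles" (the removed paragraph had the correct spelling). In the last added paragraph the link text "UNIX SPR scripts" should be "UNIX SRR scripts": the URL path is /stigs/SRR/unix.html and the removed list entry it replaces was "Unix Security Readiness Review Evaluation Script", so SRR (Security Readiness Review) is the intended abbreviation. Minor style point: the replacement list items all start in lowercase ("encrypt all data transmitted over networks...", "minimize the amount of software installed...") while the items they replace were capitalised sentences; since each item is a full sentence ending in a period, capitalising the first word would be consistent with the rest of the guide. Finally, the hunk removes the sections with ids ...-General_Principles, ...-NSA_Documents and ...-DISA_IASE_Documents, leaving only the Tips_Guides_and_Tools section in the chapter; please confirm nothing elsewhere in the book cross-references those ids before this is merged.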
>
> ----
>
> The link for "Hardening Tips for the Red Hat Enterprise Linux 5" does
> not work after accepting the license agreement. I have mailed
> <nsapao at nsa.gov>.
>
> Cheers.
>
>
>
> ------------------------------
>
> Message: 2
> Date: Sat, 3 Jan 2009 14:29:55 +1000
> From: "Murray McAllister" <murray.mcallister at gmail.com>
> Subject: Re: PATCH[1/1] Linux Security Guide: edit of
> General_Principles.xml
> To: "For participants of the Documentation Project"
> <fedora-docs-list at redhat.com>
> Message-ID:
> <95f1114b0901022029s29abea16h75e87c93160ee001 at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> I did not test how this would send, sorry. Use:
>
> wget http://mdious.fedorapeople.org/patches/General_Principles.xml.patch
>
>
>
> ------------------------------
>
> --
> fedora-docs-list mailing list
> fedora-docs-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-docs-list
>
> End of fedora-docs-list Digest, Vol 59, Issue 4
> ***********************************************