Hardening Doc Update

tuxxer tuxxer at cox.net
Fri Dec 24 03:34:39 UTC 2004


On Thu, 2004-12-23 at 16:57 -0500, Paul W. Frields wrote:
> On Wed, 2004-12-22 at 18:53 -0800, tuxxer wrote:
> > Ok guys,  sorry I've been gone for so long.  It seems others have been
> > out as well.  Anyhow, I've finished the hardening doc, and would like to
> > get some feedback: glaring omissions, errors, etc.  I have to try to
> > remember what my bug number is (it HAS been a while), and once I get
> > some feedback, I'll post it up there so it can hopefully go to editing.
> > 
> > Check out the html version at http://members.cox.net/tuxxer/ .
> 
> Hi Charlie,
> 
> Thanks for the link. Here are some preliminary suggestions that you
> could address before editorial:
> 
> 1. Give us a link to the XML so we can check for tagging issues.
> 
> 2. Remove prompts from your <screen> sections. Also, pursuant to prior
> threads, make sure your screen sections look like this, all flush left.
> (Emacs unfortunately doesn't do this automatically, but you can override
> throughout.)
> 
> <screen>
> <userinput>run command</userinput>
> <computeroutput>see this result</computeroutput>
> </screen>
> 
> That will remove some of the extraneous whitespace around the top and
> bottom of your command examples.
> 
> 3. You have a section on disabling/locking user accounts, but don't
> mention that some of these users are not installed unless the packages
> that use them (e.g. mysql-server, httpd) are installed. It's probably
> worth a small section (or at least a <para>) to talk about package
> selection during installation.
> 
> 4. Don't use periods after titles.
> 
> 5. In 3.1.4, your crontab entry is wrong; you actually have too many
> time fields (there's only five). Plus, the way it's written, you're
> running that script every minute from 12:00 a.m. to 12:59 a.m. You want:
> 
>   0 0 * * * /SCRIPTS/security/harden/check_files.sh
> 
> 6. In 3.2, the command "umask" only changes the umask for the current
> session. You would have to edit /etc/bashrc to do that, but it's already
> done for users with UID <= 99 and users whose UID == their GID. In
> addition /etc/rc.d/init.d/functions uses a umask of 022.
>    A umask of 002 for non-privileged users provides administrators the
> ability to share documents to groups more easily (the idea is what Red
> Hat calls "User Private Groups"). Make sure you understand exactly when
> and why this change should be made, and note the possible effects for
> real administrators. Since users in Fedora only get default membership
> in their own private group, having a default umask of 002 presents much
> less risk than it would with a default membership in, say, a global "all
> users" group.
> 
> 7. Also in chapter 3, you mention tripwire, et al., but don't note
> anything about the rpm -V function.
> 
> 8. Why nothing on password hardening, since this is the most common
> security problem in the world? How about something on using PAM rules to
> enforce more stringent password requirements?
> 
> 9. You may want to bracket the whole article in some way to point out
> that it doesn't address SELinux at all... which I realize is a whole
> different can of worms. An eventual Fedora Security Guide would have to
> incorporate not just this hardening info after some fashion, but also a
> mountain of information about setting up and administering an SELinux
> system.
> 
> Just some thoughts....
> 

Thanks for the tips Paul.  Right off the bat, I tried to put all of my
documents into a single, monolithic document so it would be easier to
download.  But something got screwy in the process.  Now whenever I try
'make html' I get errors similar to the following:

/home/charlie/fedora-docs/fedora-docs/hardening/fedora-hardening-guide-whole-en.xml:888: element listitem: validity error : Element listitem content does not follow the DTD, expecting (a bunch of other XML tags)

Doesn't really make much sense, since I haven't changed anything, other
than combining my docs all into one file.  Any thoughts?

I've posted the xml file at the link below:

http://members.cox.net/tuxxer/fedora-hardening-guide-whole-en.xml

Thanks.

-Charlie

PS I'm working on some of the other things, but I thought this would be
an easy one, till I ran into problems.  ;-)

