On Fri, 2004-12-24 at 09:49 -0500, Paul W. Frields wrote:
> On Thu, 2004-12-23 at 21:42 -0800, tuxxer wrote:

[...snip...]

> > I checked, and I didn't see anything that DIDN'T look like you suggested. Do
> > you have a specific part that looks "off" that you can point me to?
>
> Yes, go to the very first one:
>
> <screen>
> <userinput>
> yum check-update
> </userinput>
> </screen>
>
> This should instead be formatted like this:
>
> <screen>
> <userinput>yum check-update</userinput>
> </screen>

Gotcha. I think I misinterpreted what you said initially.

[...snip...]

> I think it would be worth explaining how this works in Fedora (as
> opposed to other UNIX-family systems), so people aren't worried
> needlessly about specific security factors. But, as the point of your
> tutorial is to harden the system, you don't want to discourage people
> from being paranoid. :-)
>
> > > 7. Also in chapter 3, you mention tripwire, et al., but don't note
> > > anything about the rpm -V function.
> >
> > The 'rpm -V' function has a slightly smaller scope than I was going for,
> > since you can only verify packages, AND only those that were installed
> > with rpm. But it may be worth a bullet. ;-)
>
> Of course, using RPM has specific security concerns as well. If a reader
> is worried about security, they should only be installing software that
> they can trust is not compromised. Any tutorial on hardening should be
> *discouraging* people from just getting tarballs and building from them,
> *unless* those tarballs are cryptographically signed by a trusted party.
> (Note that comparing an MD5 or SHA-1 checksum isn't automatically
> helpful, unless the document providing the checksum is itself
> cryptographically signed by a trusted party.) RPMs don't automatically
> mean better security unless you trust the vendor who provides them to
> (a) check their content, and (b) certify to you they have done so. Only
> RPM packages signed by a trusted party should be installed and used.
>
> Note also that for all these factors, "trusted party" != "the Web site
> that comes up in my Web browser."

True. Defense in depth. ;-) I was trying to stay away from mentioning
installing anything from source (tarball) as it would stray away from the
core install. But everyone installs "other" software, so it's a good point
to mention.

[...snip...]

> > > Just some thoughts....
> >
> > And they are ALWAYS appreciated! I never claim to be the penultimate
> > source on linux or linux security, and I'm learning more and more every
> > day. There is a learning curve with this documentation method, and
> > insight from those that have been here a while is always valuable.
>
> FC3 is SELinux-enabled. Wait! I hear Karsten's footsteps outside the
> door. Hide! QUICK! :-D
>
> Thanks for your continued hard work, it's much appreciated!

Thanks. Should have some more updates soon.

> --
> fedora-docs-list@xxxxxxxxxx
> To unsubscribe:
> http://www.redhat.com/mailman/listinfo/fedora-docs-list

--
-tuxxer
gpg: 57EB F948 76AE 25BC E340 EFA9 FAF6 E1AC F1E1 1EA1
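The two checks the thread argues about, "only install packages signed by a trusted party" and "rpm -V as a lightweight integrity check", are easy to get wrong in scripts, so here is an added example that is not from the thread or from the Fedora docs project. It assumes the output formats described in its header comment: `rpm -K` (alias `rpm --checksig`) prints one result line per package that ends in `OK` or contains `NOT OK`, lists the checks it performed (older rpm: `(sha1) dsa sha1 md5 gpg OK`; newer rpm: `digests signatures OK`), and, the pitfall, still prints `OK` and exits 0 for an unsigned package whose digests merely match. `rpm -V` prints one line per file that differs from the package database, with a flag field (`S` size, `M` mode, `5` digest, `D` device, `L` link, `U` user, `G` group, `T` mtime), an optional attribute letter (`c` config, `d` doc, `g` ghost, `l` license, `r` readme) and the path, or the word `missing` and the path. The function names and the classifications are this example's own choices.

```shell
#!/bin/sh
# Added example, not the thread's or the Fedora project's code.
# Assumed output formats (see the lead-in): `rpm -K` result lines end in
# "OK" or contain "NOT OK" and name the checks performed; an UNSIGNED
# package with intact digests still yields "... OK" and exit status 0.
# `rpm -V` lines are "<flags> [attr] <path>" or "missing <path>".

# Classify an rpm -K result line: "signed", "unsigned" or "reject".
checksig_verdict() {
    line=$1
    case "$line" in
        *"NOT OK"*) echo reject; return 1 ;;
    esac
    case "$line" in
        *" OK") ;;                         # digests (at least) were intact
        *) echo reject; return 1 ;;
    esac
    case "$line" in
        *gpg*|*pgp*|*signatures*) echo signed; return 0 ;;
        *) echo unsigned; return 1 ;;      # digests match, nobody vouched
    esac
}

# Gate an install on a signature from a key already imported into rpm.
# The exit status of rpm -K is deliberately ignored: it is 0 for an
# unsigned package, so only the result text can prove a signature.
verify_before_install() {
    pkg=$1
    result=$(rpm -K "$pkg" 2>&1) || true
    verdict=$(checksig_verdict "$result") || true
    case "$verdict" in
        signed) echo "$pkg: signature OK, safe to install"; return 0 ;;
        *) echo "$pkg: $verdict ($result)"; return 1 ;;
    esac
}

# Classify one rpm -V output line by how worrying it is.
rpmv_line_severity() {
    set -f                                 # no globbing while splitting
    set -- $1                              # -> flags [attr] path
    set +f
    flags=$1
    attr=""
    case "$2" in c|d|g|l|r) attr=$2 ;; esac
    case "$flags" in
        missing) echo missing ;;
        *5*|*S*)                           # contents differ from the package
            if [ "$attr" = c ]; then echo config-changed
            else echo content-changed; fi ;;
        *M*|*U*|*G*) echo ownership-or-mode-changed ;;
        *) echo metadata-only ;;           # e.g. only the mtime moved
    esac
}

# Summarise `rpm -Va` output (live or a saved copy) read from stdin.
triage_rpmv() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%s\t%s\n' "$(rpmv_line_severity "$line")" "$line"
    done
}

# Usage: verify-rpm.sh pkg1.rpm pkg2.rpm ...   (exits non-zero on the
# first package that is unsigned or fails verification), or
#        rpm -Va | sh -c '. ./verify-rpm.sh; triage_rpmv'
if [ $# -gt 0 ]; then
    for pkg in "$@"; do verify_before_install "$pkg" || exit 1; done
fi
```

A modified config file (`config-changed`) is expected on any administered host; a `content-changed` hit on a binary under `/bin` or `/usr/bin` is what tripwire-style tools exist to catch. The caveat Paul's scope remark implies still applies: `rpm -V` compares files against the rpm database on the same host, so an intruder with root can alter both. Keep a copy of `rpm -Va` output from a known-good state off the machine, or verify against a trusted package file with `rpm -Vp`, rather than trusting the on-host database alone.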