Re: review of hardening guide

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, 2005-03-30 at 22:17 -0800, Rahul Sundaram wrote:
> Hi
> 
> 
> > 
> > The preview site has been updated.  You can check it
> > out at
> > http://members.cox.net/tuxxer 
> 
> http://members.cox.net/tuxxer/ch-intro.html#intro-audience
> 
> " Most of the threats on the Internet typically target
> Microsoft Windows systems. As more and more users
> start trying and using linux, it will become more and
> more important for the common user to know how to
> harden his or her system against these threats. "
> 
> this suggests that Linux has no security threats at
> present which is not true. I would prefer a guide on
> hardening Linux talk about Linux rather than start by
> a comparison with Windows

Fair enough.

> 
> 
> http://members.cox.net/tuxxer/ch-chapter1.html
> 
> The parts about using gpg or md5 requires more
> explanation. If you are explaning it in a later part
> refer to that
> 

A detailed discussion of these utilities doesn't fall within the scope
of this document.  However, a glossing of how to create a gpg keypair,
and how to check files with both gpg and md5sum will be added shortly.

> 
> http://members.cox.net/tuxxer/sysid-and-role.html
> 
> If you are including abbrevations such as NAT it would
> be better to provide the expansion, explanation or a
> side note

OK.  Done.

> 
> http://members.cox.net/tuxxer/gui-update.html
> 
> afaik I know yum is the recommended command line
> program to use instead of up2date in fedora.  if you
> have sections on both yum and up2date you probably
> need to explain the differences too which I would
> consider out of scope for this article

The only difference I need to really point out, for the scope of this
document, is the fact that one is a GUI tool, and the other is a command
line tool.  This was mentioned on list (thanks Paul), and I would be
more than happy to put in a link to the update-tutorial mentioned there.

> 
> http://members.cox.net/tuxxer/services-gui.html
> 
> 
> " The services that you can *safely* disable will
> depend upon the role of your system."
> 
> if you need to emphasise on safely use italics or what
> the style guide recommends.
> 
> "
> yum - Enable daily run of yum, a program updater.
> (This will depend on your environment.)"
> 
> since every service is pretty much dependant on the
> role of the system special emphasis for the yum deamon
> is unnecessary

True.  However, I specifically said this for yum because I can think of
environments in which the user would NOT want updates to be run every
night automatically.  Perhaps I can make a comment here that would be a
little more clear to that end.

> 
> http://members.cox.net/tuxxer/userconfig-cli.html
> 
> " Below is a list of user accounts that most Fedora
> Core users will want to disable."
> 
> The above wording suggests that most users of Fedora
> do not run the services that follows it. It would be
> better to say something like this
> 
> "The following are some of the services that you might
> want to disable in the system depending on the your
> requirements"
> 
> 
> http://members.cox.net/tuxxer/ch-chapter2.html
> 
> Since this is out of scope for your document by your
> own admission it would be better to just drop this.
> Kernel recompilation or additional hardening is
> unnecessary for the large majority of users and worse
> gives the idea that the kernel requires active manual
> intervention to make it secure.
> 

Fair enough.  This can wait until there is a kernel doc.  Then I can
provide a link.

> http://members.cox.net/tuxxer/ch-chapter3.html
> 
> I am not sure what the policy is for linking to
> external documents but permissions are much better
> explained here
> 
> http://www.tldp.org/LDP/intro-linux/html/
> 
> Either link to this document or copy and paste with
> attribution (The license is compatible)
> 

Linked.

> http://members.cox.net/tuxxer/fssummary.html
> 
> you can mention that these program exist in fedora
> extras. fc4 will have extras repo enabled by default.
> previous versions will require more explanation or how
> to add the repo (steps are different between fc2 and
> fc3 fyi)
> 
> http://members.cox.net/tuxxer/limit-root.html
> 
> a related sshd configuration change is disable ssh1
> protocol which is prone to man-in-the-middle attack
> 

Done.

> 
> 
> http://members.cox.net/tuxxer/ch-chapter4.html
> 
> this section seems to be redundant

How so?  tcp_wrappers could block a connection to a service that is open
in the firewall.  The default firewall utility doesn't provide the
granularity to configure iptables to allow/deny a connection based on
host or network.  This is a measure that provides defense in depth based
on Fedora's default functionality.

> 
> http://members.cox.net/tuxxer/shells.html
> 
> this can probably be clubbed together with the section
> on users 

Makes sense.

> 
> http://members.cox.net/tuxxer/passwd-sec-pam-config.html
> 
> this section requires more information. if you are
> going to just point to external links convert this
> section into a note

I meant to be more detailed here.  I got lazy, then distracted.  I'll
re-address this section.
> 
> http://members.cox.net/tuxxer/iptables-fw-config.html
> 
> it is possible to provide a port range here. More
> information is available in the redhat docs.
> redhat.com/docs. you cannot copy and paste (license
> restrictions) but you very well gather the information
> from there
> 

I'll have to look into that.

> I would prefer a link to the SELinux faq and guide and
> provide references and a bibliography.
> 
> thanks
> 
> 
> 
> Regards
> Rahul Sundaram
> 
> 
> 		
> __________________________________ 
> Do you Yahoo!? 
> Yahoo! Mail - now with 250MB free storage. Learn more. 
> http://info.mail.yahoo.com/mail_250
-- 
-tuxxer

gpg:  57EB F948 76AE 25BC E340  EFA9 FAF6 E1AC F1E1 1EA1

Attachment: signature.asc
Description: This is a digitally signed message part


[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Red Hat 9]     [Yosemite News]     [KDE Users]

  Powered by Linux