On Wed, 2005-03-30 at 22:17 -0800, Rahul Sundaram wrote:
> Hi
>
> > The preview site has been updated. You can check it
> > out at
> > http://members.cox.net/tuxxer
>
> http://members.cox.net/tuxxer/ch-intro.html#intro-audience
>
> " Most of the threats on the Internet typically target
> Microsoft Windows systems. As more and more users
> start trying and using linux, it will become more and
> more important for the common user to know how to
> harden his or her system against these threats. "
>
> this suggests that Linux has no security threats at
> present which is not true. I would prefer a guide on
> hardening Linux talk about Linux rather than start by
> a comparison with Windows

Fair enough.

> http://members.cox.net/tuxxer/ch-chapter1.html
>
> The parts about using gpg or md5 requires more
> explanation. If you are explaining it in a later part
> refer to that

A detailed discussion of these utilities doesn't fall within the scope of this document. However, a glossing of how to create a gpg keypair, and how to check files with both gpg and md5sum will be added shortly.

> http://members.cox.net/tuxxer/sysid-and-role.html
>
> If you are including abbreviations such as NAT it would
> be better to provide the expansion, explanation or a
> side note

OK. Done.

> http://members.cox.net/tuxxer/gui-update.html
>
> afaik I know yum is the recommended command line
> program to use instead of up2date in fedora. if you
> have sections on both yum and up2date you probably
> need to explain the differences too which I would
> consider out of scope for this article

The only difference I need to really point out, for the scope of this document, is the fact that one is a GUI tool, and the other is a command line tool. This was mentioned on list (thanks Paul), and I would be more than happy to put in a link to the update-tutorial mentioned there.
>
> http://members.cox.net/tuxxer/services-gui.html
>
> " The services that you can *safely* disable will
> depend upon the role of your system."
>
> if you need to emphasise on safely use italics or what
> the style guide recommends.
>
> "
> yum - Enable daily run of yum, a program updater.
> (This will depend on your environment.)"
>
> since every service is pretty much dependent on the
> role of the system special emphasis for the yum daemon
> is unnecessary

True. However, I specifically said this for yum because I can think of environments in which the user would NOT want updates to be run every night automatically. Perhaps I can make a comment here that would be a little more clear to that end.

> http://members.cox.net/tuxxer/userconfig-cli.html
>
> " Below is a list of user accounts that most Fedora
> Core users will want to disable."
>
> The above wording suggests that most users of Fedora
> do not run the services that follow it. It would be
> better to say something like this
>
> "The following are some of the services that you might
> want to disable in the system depending on your
> requirements"
>
> http://members.cox.net/tuxxer/ch-chapter2.html
>
> Since this is out of scope for your document by your
> own admission it would be better to just drop this.
> Kernel recompilation or additional hardening is
> unnecessary for the large majority of users and worse
> gives the idea that the kernel requires active manual
> intervention to make it secure.

Fair enough. This can wait until there is a kernel doc. Then I can provide a link.

> http://members.cox.net/tuxxer/ch-chapter3.html
>
> I am not sure what the policy is for linking to
> external documents but permissions are much better
> explained here
>
> http://www.tldp.org/LDP/intro-linux/html/
>
> Either link to this document or copy and paste with
> attribution (The license is compatible)

Linked.
>
> http://members.cox.net/tuxxer/fssummary.html
>
> you can mention that these programs exist in fedora
> extras. fc4 will have extras repo enabled by default.
> previous versions will require more explanation or how
> to add the repo (steps are different between fc2 and
> fc3 fyi)
>
> http://members.cox.net/tuxxer/limit-root.html
>
> a related sshd configuration change is disable ssh1
> protocol which is prone to man-in-the-middle attack

Done.

> http://members.cox.net/tuxxer/ch-chapter4.html
>
> this section seems to be redundant

How so? tcp_wrappers could block a connection to a service that is open in the firewall. The default firewall utility doesn't provide the granularity to configure iptables to allow/deny a connection based on host or network. This is a measure that provides defense in depth based on Fedora's default functionality.

> http://members.cox.net/tuxxer/shells.html
>
> this can probably be clubbed together with the section
> on users

Makes sense.

> http://members.cox.net/tuxxer/passwd-sec-pam-config.html
>
> this section requires more information. if you are
> going to just point to external links convert this
> section into a note

I meant to be more detailed here. I got lazy, then distracted. I'll re-address this section.

> http://members.cox.net/tuxxer/iptables-fw-config.html
>
> it is possible to provide a port range here. More
> information is available in the redhat docs.
> redhat.com/docs. you cannot copy and paste (license
> restrictions) but you can very well gather the information
> from there

I'll have to look into that.

> I would prefer a link to the SELinux faq and guide and
> provide references and a bibliography.
>
> thanks
>
> Regards
> Rahul Sundaram

--
-tuxxer
gpg: 57EB F948 76AE 25BC E340 EFA9 FAF6 E1AC F1E1 1EA1
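
The layering described in the reply about tcp_wrappers above, as an added example that is not part of the original message or of the guide under review: a simplified Python model of the hosts_access(5) decision order (hosts.allow match grants, then hosts.deny match denies, otherwise grant) sitting behind a firewall that opens a port to every source. The rule text, addresses and open-port set are constructed, and only IPv4 `ALL`, literal, prefix and net/mask client patterns are modelled.

```python
import ipaddress

# Constructed sample rules in hosts_access(5) syntax (not taken from the guide).
HOSTS_ALLOW = """
sshd: 192.168.1.0/255.255.255.0
sshd: 10.0.0.5
"""
HOSTS_DENY = """
ALL: ALL
"""
# Constructed: ports a per-port firewall tool has opened to every source address.
FIREWALL_OPEN_PORTS = {22}

def parse(text):
    """Return [(daemon_list, client_list)] from 'daemons : clients' lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def client_matches(pattern, addr):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):        # address prefix form, e.g. "192.168."
        return addr.startswith(pattern)
    if "/" in pattern:               # net/mask form
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern)
    return pattern == addr           # literal address

def listed(rules, daemon, addr):
    return any((daemon in daemons or "ALL" in daemons)
               and any(client_matches(c, addr) for c in clients)
               for daemons, clients in rules)

def wrappers_allow(daemon, addr):
    """hosts.allow match grants; else hosts.deny match denies; else grant."""
    if listed(parse(HOSTS_ALLOW), daemon, addr):
        return True
    return not listed(parse(HOSTS_DENY), daemon, addr)

def connection_result(port, daemon, addr):
    """Firewall decides per port first, tcp_wrappers then decides per host."""
    if port not in FIREWALL_OPEN_PORTS:
        return "dropped by firewall"
    return "accepted" if wrappers_allow(daemon, addr) else "refused by tcp_wrappers"
```

With port 22 open to everyone at the firewall, an off-network client still gets refused at the wrapper layer, which is the second line of defense the reply refers to.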