Hi, I found some motivation this morning, so I tried to review "...community/fc11/en-US/General_Principles.xml". If it looks okay, it would be great if a security person (I made minor additions) and a writer person could check it for accuracy. ---- --- community/fc11/en-US/General_Principles.xml 2009-01-03 13:44:01.000000000 +1000 +++ new/community/fc11/en-US/General_Principles.xml 2009-01-03 13:42:09.000000000 +1000 
@@ -5,88 +5,70 @@ <chapter id="chap-Security_Guide-General_Principles_of_Information_Security"> <title>General Principles of Information Security</title> <para> - The United States' <ulink url="www.nsa.gov">National Security Agency</ulink> (NSA) provides hardening guides and hardening tips for many different operating systems to help government agencies, businesses, and individuals help secure their system against attacks. In addition to specific settings to change, a set of general principles have been developed to give you a high level view of information security. + The following general principals provide an overview of good security practices: </para> - <section id="sect-Security_Guide-General_Principles_of_Information_Security-General_Principles"> - <title>General Principles</title> - <itemizedlist> - <listitem> - <para> - Encrypt all data transmitted over the network. Encrypting authentication information (such as passwords) is particularly important. - </para> - </listitem> - <listitem> - <para> - Minimize the amount of software installed and running in order to minimize vulnerability. - </para> - </listitem> - <listitem> - <para> - Use security-enhancing software and tools whenever available (e.g. SELinux and IPTables). - </para> - </listitem> - <listitem> - <para> - Run each network service on a separate server whenever possible. This minimizes the risk that a compromise of one service could lead to a compromise of others. - </para> - </listitem> - <listitem> - <para> - Maintain user accounts. Create a good password policy and enforce its use. Delete unused user accounts. - </para> - </listitem> - <listitem> - <para> - Review system and application logs on a routine basis. Send logs to a dedicated log server. This prevents intruders from easily avoiding detection by modifying the local logs. - </para> - </listitem> - <listitem> - <para> - Never login directly as root, unless absolutely necessary. 
Administrators should use sudo to execute commands as root when required. The accounts capable of using sudo are specified in /etc/sudoers, which is edited with the visudo utility. By default, relavent logs are written to /var/log/secure. - </para> - </listitem> - </itemizedlist> - </section> + <itemizedlist> + <listitem> + <para> + encrypt all data transmitted over networks to help prevent man-in-the-middle attacks and eavesdropping. It is important to encrypt authentication information, such as passwords. + </para> + </listitem> + <listitem> + <para> + minimize the amount of software installed and running services. + </para> + </listitem> + <listitem> + <para> + use security-enhancing software and tools, for example, Security-Enhanced Linux (SELinux) for Mandatory Access Control (MAC), Netfilter iptables for packet filtering (firewall), and the GNU Privacy Guard (GnuPG) for encrypting documents. + </para> + </listitem> + <listitem> + <para> + if possible, run each network service on a separate system to minimize the risk of one compromised service being used to compromise other services. + </para> + </listitem> + <listitem> + <para> + maintain user accounts: create and enforce a strong password policy; delete unused user accounts. + </para> + </listitem> + <listitem> + <para> + routinely review system and application logs. By default, security-relevant system logs are written to <filename>/var/log/secure</filename> and <filename>/var/log/audit/audit.log</filename>. Note: sending logs to a dedicated log server helps prevent attackers from easily modifying local logs to avoid detection. + </para> + </listitem> + <listitem> + <para> + never log in as the root user unless absolutely necessary. It is recommended that administrators use <command>sudo</command> to execute commands as root when required. Users capable of running <command>sudo</command> are specified in <filename>/etc/sudoers</filename>. 
Use the <command>visudo</command> utility to edit <filename>/etc/sudoers</filename>. + </para> + </listitem> + </itemizedlist> <section id="sect-Security_Guide-General_Principles_of_Information_Security-Tips_Guides_and_Tools"> <title>Tips, Guides, and Tools</title> <para> - Most of the above tips are very basic. Depending on your knowledge of Linux and how comfortable you are with modifying your system, some changes could be made to help make your installation more secure. As mentioned above, the NSA has hardening guides and tips for securing Red Hat Enterprise Linux 5. Likewise, the <ulink url="http://www.disa.mil/">Defense Information Systems Agency</ulink> (DISA) has an <ulink url="iase.disa.mil">Information Assurance Support Environment</ulink> in which they publish checklists and tests for verifying the security of your system. The documents from the NSA are a good read for anyone familiar with Linux while the information from DISA is extremely specific and advanced knowledge of Unix/Linux would be a great benefit. Links to these documents are listed below. We will try to pull some of the larger items out of these documents and explain how to implement them in Fedora and why they are important. In addition to documentation, DISA has made available SRR scripts that allow an administrator to check specific settings on a system quickly. The SRR scripts will provide an XML-formatted report listing any known vulnerable settings that you have on your system. + The United States' <ulink url="http://www.nsa.gov/">National Security Agency (NSA)</ulink> provides hardening guides and tips for many different operating systems, to help government agencies, businesses, and individuals secure their systems against attack. 
The following guides (in PDF format) provide guidance for Red Hat Enterprise Linux 5: </para> - </section> - <section id="sect-Security_Guide-General_Principles_of_Information_Security-NSA_Documents"> - <title>NSA Documents</title> <itemizedlist> - <listitem> - <para> - <ulink url="www.nsa.gov/notices/notic00004.cfm?Address=/snac/os/redhat/rhel5-pamphlet-i731.pdf">Hardening Tips for the Red Hat Enterprise Linux 5 (PDF)</ulink> - </para> - </listitem> - <listitem> - <para> - <ulink url="www.nsa.gov/notices/notic00004.cfm?Address=/snac/os/redhat/rhel5-guide-i731.pdf">Guide to the Secure Configuration of Red Hat Enterprise Linux 5 (PDF)</ulink> - </para> - </listitem> + <listitem> + <para> + <ulink url="http://www.nsa.gov/notices/notic00004.cfm?Address=/snac/os/redhat/rhel5-pamphlet-i731.pdf">Hardening Tips for the Red Hat Enterprise Linux 5</ulink> + </para> + </listitem> + <listitem> + <para> + <ulink url="http://www.nsa.gov/notices/notic00004.cfm?Address=/snac/os/redhat/rhel5-guide-i731.pdf">Guide to the Secure Configuration of Red Hat Enterprise Linux 5</ulink> + </para> + </listitem> </itemizedlist> - </section> - <section id="sect-Security_Guide-General_Principles_of_Information_Security-DISA_IASE_Documents"> - <title>DISA IASE Documents</title> - <itemizedlist> - <listitem> - <para> - <ulink url="iase.disa.mil/stigs/stig/index.html">Security Technical Implementation Guides</ulink> (STIG) Scroll down to the Unix STIG - </para> - </listitem> - <listitem> - <para> - <ulink url="iase.disa.mil/stigs/checklist/index.html">Security Checklists</ulink> Scroll down to the Unix Security Checklists - </para> - </listitem> - <listitem> - <para> - <ulink url="iase.disa.mil/stigs/SRR/unix.html">Unix Security Readiness Review Evaluation Script</ulink> - </para> - </listitem> - </itemizedlist> - </section> - </chapter> - + <para> + The <ulink url="http://www.disa.mil/">Defense Information Systems Agency (DISA)</ulink> provides documentation, checklists, and tests to help secure 
your system (<ulink url="http://iase.disa.mil/index2.html">Information Assurance Support Environment</ulink>). The <ulink url="http://iase.disa.mil/stigs/stig/unix-stig-v5r1.pdf">UNIX SECURITY TECHNICAL IMPLEMENTATION GUIDE</ulink> (PDF) is a very specific guide to UNIX security - an advanced knowledge of UNIX and Linux is recommended before reading this guide. + </para> + <para> + The DISA <ulink url="http://iase.disa.mil/stigs/checklist/unix_checklist_v5r1_15_20081215.ZIP">UNIX Security Checklist Version 5, Release 1.15</ulink> provides a collection of documents and checklists, ranging from the correct ownerships and modes for system files, to patch control. + </para> + <para> + Also, DISA has made available <ulink url="http://iase.disa.mil/stigs/SRR/unix.html">UNIX SPR scripts</ulink> that allow administrators to check specific settings on systems. These scripts provide XML-formatted reports listing any known vulnerable settings. + </para> + </section> +</chapter> \ No newline at end of file ---- The link for "Hardening Tips for the Red Hat Enterprise Linux 5" does not work after accepting the license agreement. I have mailed <nsapao@xxxxxxx>. Cheers.
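Review bot: "UNIX SPR scripts" in the last added paragraph looks like a typo for SRR. The removed lines call these "SRR scripts" and link the "Unix Security Readiness Review Evaluation Script", and the new link still points at .../stigs/SRR/unix.html, so the link text should read "UNIX SRR scripts", ideally with the name spelled out on first use. In the new opening sentence, "general principals" should be "general principles", matching the chapter title. The rewritten list items start in lowercase, yet the encryption, logging and sudo items each contain more than one full sentence; either capitalise every item or reduce each to a single clause. The software item, "minimize the amount of software installed and running services", no longer parses cleanly and drops the reason the old text gave ("in order to minimize vulnerability"); consider restoring that rationale and separating "software installed" from "services running". The new file also ends without a trailing newline.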