My €5 as a non-US citizen.

I do not feel comfortable with a guide that seems almost completely ripped off published US military/government documents. Also, way too many direct references to US military/government web pages and documents.

My thought is that this needs a complete re-write.

Best regards,
//M

>
> Today's Topics:
>
>    1. PATCH[1/1] Linux Security Guide: edit of
>       General_Principles.xml (Murray McAllister)
>    2. Re: PATCH[1/1] Linux Security Guide: edit of
>       General_Principles.xml (Murray McAllister)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 3 Jan 2009 14:20:01 +1000
> From: "Murray McAllister" <murray.mcallister@xxxxxxxxx>
> Subject: PATCH[1/1] Linux Security Guide: edit of
>       General_Principles.xml
> To: "For participants of the Documentation Project"
>       <fedora-docs-list@xxxxxxxxxx>
> Cc: sparks@xxxxxxxxxxxxxxxxx
> Message-ID:
>       <95f1114b0901022020n3fe734b5icd4792d9e3b78c71@xxxxxxxxxxxxxx>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi,
>
> I found some motivation this morning, so I tried to review
> "...community/fc11/en-US/General_Principles.xml".
>
> If it looks okay, it would be great if a security person (I made minor
> additions) and a writer person could check it for accuracy.
>
>
> ----
>
> --- community/fc11/en-US/General_Principles.xml 2009-01-03 > 13:44:01.000000000 +1000 > +++ new/community/fc11/en-US/General_Principles.xml 2009-01-03 > 13:42:09.000000000 +1000 
> @@ -5,88 +5,70 @@ > <chapter id="chap-Security_Guide-General_Principles_of_Information_Security"> > <title>General Principles of Information Security</title> > <para> > - The United States' <ulink url="www.nsa.gov">National Security > Agency</ulink> (NSA) provides hardening guides and hardening tips for > many different operating systems to help government agencies, > businesses, and individuals help secure their system against attacks. > In addition to specific settings to change, a set of general > principles have been developed to give you a high level view of > information security. > + The following general principals provide an overview of good > security practices: > </para> > - <section id="sect-Security_Guide-General_Principles_of_Information_Security-General_Principles"> > - <title>General Principles</title> > - <itemizedlist> > - <listitem> > - <para> > - Encrypt all data transmitted over the network. Encrypting > authentication information (such as passwords) is particularly > important. > - </para> > - </listitem> > - <listitem> > - <para> > - Minimize the amount of software installed and running in order to > minimize vulnerability. > - </para> > - </listitem> > - <listitem> > - <para> > - Use security-enhancing software and tools whenever available (e.g. > SELinux and IPTables). > - </para> > - </listitem> > - <listitem> > - <para> > - Run each network service on a separate server whenever possible. > This minimizes the risk that a compromise of one service could lead to > a compromise of others. > - </para> > - </listitem> > - <listitem> > - <para> > - Maintain user accounts. Create a good password policy and enforce > its use. Delete unused user accounts. > - </para> > - </listitem> > - <listitem> > - <para> > - Review system and application logs on a routine basis. Send logs > to a dedicated log server. This prevents intruders from easily > avoiding detection by modifying the local logs. 
> - </para> > - </listitem> > - <listitem> > - <para> > - Never login directly as root, unless absolutely necessary. > Administrators should use sudo to execute commands as root when > required. The accounts capable of using sudo are specified in > /etc/sudoers, which is edited with the visudo utility. By default, > relavent logs are written to /var/log/secure. > - </para> > - </listitem> > - </itemizedlist> > - </section> > + <itemizedlist> > + <listitem> > + <para> > + encrypt all data transmitted over networks to help prevent > man-in-the-middle attacks and eavesdropping. It is important to > encrypt authentication information, such as passwords. > + </para> > + </listitem> > + <listitem> > + <para> > + minimize the amount of software installed and running services. > + </para> > + </listitem> > + <listitem> > + <para> > + use security-enhancing software and tools, for example, > Security-Enhanced Linux (SELinux) for Mandatory Access Control (MAC), > Netfilter iptables for packet filtering (firewall), and the GNU > Privacy Guard (GnuPG) for encrypting documents. > + </para> > + </listitem> > + <listitem> > + <para> > + if possible, run each network service on a separate system to > minimize the risk of one compromised service being used to compromise > other services. > + </para> > + </listitem> > + <listitem> > + <para> > + maintain user accounts: create and enforce a strong password > policy; delete unused user accounts. > + </para> > + </listitem> > + <listitem> > + <para> > + routinely review system and application logs. By default, > security-relevant system logs are written to > <filename>/var/log/secure</filename> and > <filename>/var/log/audit/audit.log</filename>. Note: sending logs to a > dedicated log server helps prevent attackers from easily modifying > local logs to avoid detection. > + </para> > + </listitem> > + <listitem> > + <para> > + never log in as the root user unless absolutely necessary. 
It is > recommended that administrators use <command>sudo</command> to execute > commands as root when required. Users capable of running > <command>sudo</command> are specified in > <filename>/etc/sudoers</filename>. Use the <command>visudo</command> > utility to edit <filename>/etc/sudoers</filename>. > + </para> > + </listitem> > + </itemizedlist> > <section id="sect-Security_Guide-General_Principles_of_Information_Security-Tips_Guides_and_Tools"> > <title>Tips, Guides, and Tools</title> > <para> > - Most of the above tips are very basic. Depending on your knowledge > of Linux and how comfortable you are with modifying your system, some > changes could be made to help make your installation more secure. As > mentioned above, the NSA has hardening guides and tips for securing > Red Hat Enterprise Linux 5. Likewise, the <ulink > url="http://www.disa.mil/">Defense Information Systems Agency</ulink> > (DISA) has an <ulink url="iase.disa.mil">Information Assurance Support > Environment</ulink> in which they publish checklists and tests for > verifying the security of your system. The documents from the NSA are > a good read for anyone familiar with Linux while the information from > DISA is extremely specific and advanced knowledge of Unix/Linux would > be a great benefit. Links to these documents are listed below. We will > try to pull some of the larger items out of these documents and > explain how to implement them in Fedora and why they are important. In > addition to documentation, DISA has made available SRR scripts that > allow an administrator to check specific settings on a system quickly. > The SRR scripts will provide an XML-formatted report listing any known > vulnerable settings that you have on your system. 
> + The United States' <ulink url="http://www.nsa.gov/">National > Security Agency (NSA)</ulink> provides hardening guides and tips for > many different operating systems, to help government agencies, > businesses, and individuals secure their systems against attack. The > following guides (in PDF format) provide guidance for Red Hat > Enterprise Linux 5: > </para> > - </section> > - <section id="sect-Security_Guide-General_Principles_of_Information_Security-NSA_Documents"> > - <title>NSA Documents</title> > <itemizedlist> > - <listitem> > - <para> > - <ulink > url="www.nsa.gov/notices/notic00004.cfm?Address=/snac/os/redhat/rhel5-pamphlet-i731.pdf">Hardening > Tips for the Red Hat Enterprise Linux 5 (PDF)</ulink> > - </para> > - </listitem> > - <listitem> > - <para> > - <ulink > url="www.nsa.gov/notices/notic00004.cfm?Address=/snac/os/redhat/rhel5-guide-i731.pdf">Guide > to the Secure Configuration of Red Hat Enterprise Linux 5 > (PDF)</ulink> > - </para> > - </listitem> > + <listitem> > + <para> > + <ulink url="http://www.nsa.gov/notices/notic00004.cfm?Address=/snac/os/redhat/rhel5-pamphlet-i731.pdf">Hardening > Tips for the Red Hat Enterprise Linux 5</ulink> > + </para> > + </listitem> > + <listitem> > + <para> > + <ulink url="http://www.nsa.gov/notices/notic00004.cfm?Address=/snac/os/redhat/rhel5-guide-i731.pdf">Guide > to the Secure Configuration of Red Hat Enterprise Linux 5</ulink> > + </para> > + </listitem> > </itemizedlist> > - </section> > - <section id="sect-Security_Guide-General_Principles_of_Information_Security-DISA_IASE_Documents"> > - <title>DISA IASE Documents</title> > - <itemizedlist> > - <listitem> > - <para> > - <ulink url="iase.disa.mil/stigs/stig/index.html">Security > Technical Implementation Guides</ulink> (STIG) Scroll down to the Unix > STIG > - </para> > - </listitem> > - <listitem> > - <para> > - <ulink > url="iase.disa.mil/stigs/checklist/index.html">Security > Checklists</ulink> Scroll down to the Unix Security Checklists > - </para> 
> - </listitem> > - <listitem> > - <para> > - <ulink url="iase.disa.mil/stigs/SRR/unix.html">Unix Security > Readiness Review Evaluation Script</ulink> > - </para> > - </listitem> > - </itemizedlist> > - </section> > - </chapter> > - > + <para> > + The <ulink url="http://www.disa.mil/">Defense Information Systems > Agency (DISA)</ulink> provides documentation, checklists, and tests to > help secure your system (<ulink > url="http://iase.disa.mil/index2.html">Information Assurance Support > Environment</ulink>). The <ulink > url="http://iase.disa.mil/stigs/stig/unix-stig-v5r1.pdf">UNIX SECURITY > TECHNICAL IMPLEMENTATION GUIDE</ulink> (PDF) is a very specific guide > to UNIX security - an advanced knowledge of UNIX and Linux is > recommended before reading this guide. > + </para> > + <para> > + The DISA <ulink > url="http://iase.disa.mil/stigs/checklist/unix_checklist_v5r1_15_20081215.ZIP">UNIX > Security Checklist Version 5, Release 1.15</ulink> provides a > collection of documents and checklists, ranging from the correct > ownerships and modes for system files, to patch control. > + </para> > + <para> > + Also, DISA has made available <ulink > url="http://iase.disa.mil/stigs/SRR/unix.html">UNIX SPR > scripts</ulink> that allow administrators to check specific settings > on systems. These scripts provide XML-formatted reports listing any > known vulnerable settings. > + </para> > + </section> > +</chapter> > \ No newline at end of file > > ---- > > The link for "Hardening Tips for the Red Hat Enterprise Linux 5" does > not work after accepting the license agreement. I have mailed > <nsapao@xxxxxxx>. > > Cheers. > > > > ------------------------------ > > Message: 2 > Date: Sat, 3 Jan 2009 14:29:55 +1000 
> From: "Murray McAllister" <murray.mcallister@xxxxxxxxx>
> Subject: Re: PATCH[1/1] Linux Security Guide: edit of
>       General_Principles.xml
> To: "For participants of the Documentation Project"
>       <fedora-docs-list@xxxxxxxxxx>
> Message-ID:
>       <95f1114b0901022029s29abea16h75e87c93160ee001@xxxxxxxxxxxxxx>
> Content-Type: text/plain; charset=ISO-8859-1
>
> I did not test how this would send, sorry. Use:
>
> wget http://mdious.fedorapeople.org/patches/General_Principles.xml.patch
>
>
>
> ------------------------------
>
> --
> fedora-docs-list mailing list
> fedora-docs-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-docs-list
>
> End of fedora-docs-list Digest, Vol 59, Issue 4
> ***********************************************
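
Review bot: In the last added paragraph of the Tips, Guides, and Tools section the link text reads "UNIX SPR scripts", while the removed paragraph calls them "SRR scripts" and the link target is iase.disa.mil/stigs/SRR/unix.html, so this looks like a typo for "SRR"; expanding it once as Security Readiness Review, as the removed link text did, would also help readers. The new introductory sentence has "general principals" where "principles" is meant. The rewritten list items start in lower case although several contain more than one sentence (the encryption, log review and root login items), so capitalising each item would read more consistently. The item "minimize the amount of software installed and running services" drops the reason the removed line gave ("in order to minimize vulnerability") and is ambiguous as worded; something like "minimize the amount of installed software and running services to reduce exposure to vulnerabilities" keeps the point. The patch removes the NSA_Documents and DISA_IASE_Documents section ids, so check that nothing else in the guide links to them. The new file ends with "\ No newline at end of file"; add a trailing newline.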