Re: PATCH[1/1] Linux Security Guide

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



My €5 as an non US citizen.

I do not feel comfortable with a guide that seems almost completely
ripped off published US military/government documents. Also, way to much
direct references to US military/government web pages and documents.

My though is that this needs a complete re-write.

Best regards,
//M

> 
> Today's Topics:
> 
>    1. PATCH[1/1] Linux Security Guide: edit of
>       General_Principles.xml (Murray McAllister)
>    2. Re: PATCH[1/1] Linux Security Guide: edit of
>       General_Principles.xml (Murray McAllister)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Sat, 3 Jan 2009 14:20:01 +1000
> From: "Murray McAllister" <murray.mcallister@xxxxxxxxx>
> Subject: PATCH[1/1] Linux Security Guide: edit of
> 	General_Principles.xml
> To: "For participants of the Documentation Project"
> 	<fedora-docs-list@xxxxxxxxxx>
> Cc: sparks@xxxxxxxxxxxxxxxxx
> Message-ID:
> 	<95f1114b0901022020n3fe734b5icd4792d9e3b78c71@xxxxxxxxxxxxxx>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> Hi,
> 
> I found some motivation this morning, so I tried to review
> "...community/fc11/en-US/General_Principles.xml".
> 
> If it looks okay, it would be great if a security person (I made minor
> additions) and a writer person could check it for accuracy.
> 
> 
> ----
> 
> --- community/fc11/en-US/General_Principles.xml	2009-01-03
> 13:44:01.000000000 +1000
> +++ new/community/fc11/en-US/General_Principles.xml	2009-01-03
> 13:42:09.000000000 +1000
> @@ -5,88 +5,70 @@
>  <chapter id="chap-Security_Guide-General_Principles_of_Information_Security">
>  	<title>General Principles of Information Security</title>
>  	<para>
> -		The United States' <ulink url="www.nsa.gov">National Security
> Agency</ulink> (NSA) provides hardening guides and hardening tips for
> many different operating systems to help government agencies,
> businesses, and individuals help secure their system against attacks.
> In addition to specific settings to change, a set of general
> principles have been developed to give you a high level view of
> information security.
> +		The following general principals provide an overview of good
> security practices:
>  	</para>
> -	<section id="sect-Security_Guide-General_Principles_of_Information_Security-General_Principles">
> -		<title>General Principles</title>
> -		  <itemizedlist>
> -		    <listitem>
> -		      <para>
> -			Encrypt all data transmitted over the network. Encrypting
> authentication information (such as passwords) is particularly
> important.
> -		      </para>
> -		    </listitem>
> -		    <listitem>
> -		      <para>
> -			Minimize the amount of software installed and running in order to
> minimize vulnerability.
> -		      </para>
> -		    </listitem>
> -		    <listitem>
> -		      <para>		
> -			Use security-enhancing software and tools whenever available (e.g.
> SELinux and IPTables).
> -		      </para>
> -		    </listitem>
> -		    <listitem>
> -		      <para>
> -			Run each network service on a separate server whenever possible.
> This minimizes the risk that a compromise of one service could lead to
> a compromise of others.
> -		      </para>
> -		    </listitem>
> -		    <listitem>
> -		      <para>
> -			Maintain user accounts. Create a good password policy and enforce
> its use. Delete unused user accounts.
> -		      </para>
> -		    </listitem>
> -		    <listitem>
> -		      <para>
> -			Review system and application logs on a routine basis. Send logs
> to a dedicated log server. This prevents intruders from easily
> avoiding detection by modifying the local logs.
> -		      </para>
> -		    </listitem>
> -		    <listitem>
> -		      <para>
> -			Never login directly as root, unless absolutely necessary.
> Administrators should use sudo to execute commands as root when
> required. The accounts capable of using sudo are specified in
> /etc/sudoers, which is edited with the visudo utility. By default,
> relavent logs are written to /var/log/secure.
> -		      </para>
> -		    </listitem>
> -		  </itemizedlist>
> -		</section>
> +	<itemizedlist>
> +		<listitem>
> +			<para>
> +				encrypt all data transmitted over networks to help prevent
> man-in-the-middle attacks and eavesdropping. It is important to
> encrypt authentication information, such as passwords.
> +			</para>
> +		</listitem>
> +		<listitem>
> +			<para>
> +				minimize the amount of software installed and running services.
> +			</para>
> +		</listitem>
> +		<listitem>
> +			<para>
> +				use security-enhancing software and tools, for example,
> Security-Enhanced Linux (SELinux) for Mandatory Access Control (MAC),
> Netfilter iptables for packet filtering (firewall), and the GNU
> Privacy Guard (GnuPG) for encrypting documents.
> +			</para>
> +		</listitem>
> +		<listitem>
> +			<para>
> +				if possible, run each network service on a separate system to
> minimize the risk of one compromised service being used to compromise
> other services.
> +			</para>
> +		</listitem>
> +		<listitem>
> +			<para>
> +				maintain user accounts: create and enforce a strong password
> policy; delete unused user accounts.
> +			</para>
> +		</listitem>
> +		<listitem>
> +			<para>
> +				routinely review system and application logs. By default,
> security-relevant system logs are written to
> <filename>/var/log/secure</filename> and
> <filename>/var/log/audit/audit.log</filename>. Note: sending logs to a
> dedicated log server helps prevent attackers from easily modifying
> local logs to avoid detection.
> +			</para>
> +		</listitem>
> +		<listitem>
> +			<para>
> +				never log in as the root user unless absolutely necessary. It is
> recommended that administrators use <command>sudo</command> to execute
> commands as root when required. Users capable of running
> <command>sudo</command> are specified in
> <filename>/etc/sudoers</filename>. Use the <command>visudo</command>
> utility to edit <filename>/etc/sudoers</filename>.
> +			</para>
> +		</listitem>
> +	</itemizedlist>
>  		<section id="sect-Security_Guide-General_Principles_of_Information_Security-Tips_Guides_and_Tools">
>  		<title>Tips, Guides, and Tools</title>
>  		<para>
> -			Most of the above tips are very basic. Depending on your knowledge
> of Linux and how comfortable you are with modifying your system, some
> changes could be made to help make your installation more secure. As
> mentioned above, the NSA has hardening guides and tips for securing
> Red Hat Enterprise Linux 5. Likewise, the <ulink
> url="http://www.disa.mil/";>Defense Information Systems Agency</ulink>
> (DISA) has an <ulink url="iase.disa.mil">Information Assurance Support
> Environment</ulink> in which they publish checklists and tests for
> verifying the security of your system. The documents from the NSA are
> a good read for anyone familiar with Linux while the information from
> DISA is extremely specific and advanced knowledge of Unix/Linux would
> be a great benefit. Links to these documents are listed below. We will
> try to pull some of the larger items out of these documents and
> explain how to implement them in Fedora and why they are important. In
> addition to documentation, DISA has made available SRR scripts that
> allow an administrator to check specific settings on a system quickly.
> The SRR scripts will provide an XML-formatted report listing any known
> vulnerable settings that you have on your system.
> +			The United States' <ulink url="http://www.nsa.gov/";>National
> Security Agency (NSA)</ulink> provides hardening guides and tips for
> many different operating systems, to help government agencies,
> businesses, and individuals secure their systems against attack. The
> following guides (in PDF format) provide guidance for Red Hat
> Enterprise Linux 5:
>  		</para>
> -		</section>
> -		<section id="sect-Security_Guide-General_Principles_of_Information_Security-NSA_Documents">
> -		<title>NSA Documents</title>
>  		<itemizedlist>
> -		  <listitem>
> -		    <para>
> -		      <ulink
> url="www.nsa.gov/notices/notic00004.cfm?Address=/snac/os/redhat/rhel5-pamphlet-i731.pdf">Hardening
> Tips for the Red Hat Enterprise Linux 5 (PDF)</ulink>
> -		    </para>
> -		  </listitem>
> -		  <listitem>
> -		    <para>		
> -		      <ulink
> url="www.nsa.gov/notices/notic00004.cfm?Address=/snac/os/redhat/rhel5-guide-i731.pdf">Guide
> to the Secure Configuration of Red Hat Enterprise Linux 5
> (PDF)</ulink>
> -		    </para>
> -		  </listitem>
> +			<listitem>
> +				<para>
> +					<ulink url="http://www.nsa.gov/notices/notic00004.cfm?Address=/snac/os/redhat/rhel5-pamphlet-i731.pdf";>Hardening
> Tips for the Red Hat Enterprise Linux 5</ulink>
> +				</para>
> +			</listitem>
> +			<listitem>
> +				<para>
> +					<ulink url="http://www.nsa.gov/notices/notic00004.cfm?Address=/snac/os/redhat/rhel5-guide-i731.pdf";>Guide
> to the Secure Configuration of Red Hat Enterprise Linux 5</ulink>
> +				</para>
> +			</listitem>
>  		</itemizedlist>
> -		</section>
> -		<section id="sect-Security_Guide-General_Principles_of_Information_Security-DISA_IASE_Documents">
> -		<title>DISA IASE Documents</title>
> -		<itemizedlist>
> -		  <listitem>
> -		    <para>
> -		      <ulink url="iase.disa.mil/stigs/stig/index.html">Security
> Technical Implementation Guides</ulink> (STIG) Scroll down to the Unix
> STIG
> -		    </para>
> -		  </listitem>
> -		  <listitem>
> -		    <para>
> -		      <ulink
> url="iase.disa.mil/stigs/checklist/index.html">Security
> Checklists</ulink> Scroll down to the Unix Security Checklists
> -		    </para>
> -		  </listitem>
> -		  <listitem>
> -		    <para>
> -		      <ulink url="iase.disa.mil/stigs/SRR/unix.html">Unix Security
> Readiness Review Evaluation Script</ulink>
> -		    </para>
> -		  </listitem>
> -		</itemizedlist>
> -		</section>
> -	      </chapter>
> -
> +		<para>
> +			The <ulink url="http://www.disa.mil/";>Defense Information Systems
> Agency (DISA)</ulink> provides documentation, checklists, and tests to
> help secure your system (<ulink
> url="http://iase.disa.mil/index2.html";>Information Assurance Support
> Environment</ulink>). The <ulink
> url="http://iase.disa.mil/stigs/stig/unix-stig-v5r1.pdf";>UNIX SECURITY
> TECHNICAL IMPLEMENTATION GUIDE</ulink> (PDF) is a very specific guide
> to UNIX security - an advanced knowledge of UNIX and Linux is
> recommended before reading this guide.
> +		</para>
> +		<para>
> +			The DISA <ulink
> url="http://iase.disa.mil/stigs/checklist/unix_checklist_v5r1_15_20081215.ZIP";>UNIX
> Security Checklist Version 5, Release 1.15</ulink> provides a
> collection of documents and checklists, ranging from the correct
> ownerships and modes for system files, to patch control.
> +		</para>
> +		<para>
> +			Also, DISA has made available <ulink
> url="http://iase.disa.mil/stigs/SRR/unix.html";>UNIX SPR
> scripts</ulink> that allow administrators to check specific settings
> on systems. These scripts provide XML-formatted reports listing any
> known vulnerable settings.
> +		</para>
> +	</section>
> +</chapter>
> \ No newline at end of file
> 
> ----
> 
> The link for "Hardening Tips for the Red Hat Enterprise Linux 5" does
> not work after accepting the license agreement. I have mailed
> <nsapao@xxxxxxx>.
> 
> Cheers.
> 
> 
> 
> ------------------------------
> 
> Message: 2
> Date: Sat, 3 Jan 2009 14:29:55 +1000
> From: "Murray McAllister" <murray.mcallister@xxxxxxxxx>
> Subject: Re: PATCH[1/1] Linux Security Guide: edit of
> 	General_Principles.xml
> To: "For participants of the Documentation Project"
> 	<fedora-docs-list@xxxxxxxxxx>
> Message-ID:
> 	<95f1114b0901022029s29abea16h75e87c93160ee001@xxxxxxxxxxxxxx>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> I did not test how this would send, sorry. Use:
> 
> wget http://mdious.fedorapeople.org/patches/General_Principles.xml.patch
> 
> 
> 
> ------------------------------
> 
> --
> fedora-docs-list mailing list
> fedora-docs-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-docs-list
> 
> End of fedora-docs-list Digest, Vol 59, Issue 4
> ***********************************************

-- 
fedora-docs-list mailing list
fedora-docs-list@xxxxxxxxxx
To unsubscribe: 
https://www.redhat.com/mailman/listinfo/fedora-docs-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Red Hat 9]     [Yosemite News]     [KDE Users]

  Powered by Linux