hardening hardening-tutorial-en.xml,1.1,1.2
Karsten Wade (kwade)
fedora-docs-commits at redhat.com
Tue Jul 26 08:37:17 UTC 2005
- Previous message (by thread): hardening hardening-tutorial-en.xml, NONE, 1.1 Makefile, 1.1, 1.2 fedora-hardening-guide-en.xml, 1.1, NONE
- Next message (by thread): release-notes/FC4 RELEASE-NOTES-en.xml, 1.12, 1.13 splash.xml, 1.11, 1.12
Author: kwade
Update of /cvs/docs/hardening
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv11560
Modified Files:
hardening-tutorial-en.xml
Log Message:
Mainly formatting, this allows for more modular use of sections; some style and writing changes included.
Index: hardening-tutorial-en.xml
===================================================================
RCS file: /cvs/docs/hardening/hardening-tutorial-en.xml,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- hardening-tutorial-en.xml 26 Jul 2005 03:49:57 -0000 1.1
+++ hardening-tutorial-en.xml 26 Jul 2005 08:37:14 -0000 1.2
@@ -4,7 +4,7 @@
<!ENTITY % FEDORA-ENTITIES-EN SYSTEM "../docs-common/common/fedora-entities-en.ent">
%FEDORA-ENTITIES-EN;
-<!ENTITY BOOKID "hardening-tutorial-en-0.2 (2005-04-26)"> <!-- change version -->
+<!ENTITY BOOKID "hardening-tutorial-en-0.3 (2005-07-26)"> <!-- change version -->
<!-- of manual and date here -->
<!ENTITY BUG-NUM "129957">
@@ -15,7 +15,7 @@
<book id="hardening-tutorial" lang="en">
<bookinfo>
- <title>&FC; &FCLOCALVER; Hardening Tutorial</title>
+ <title>&FC; &FCLOCALVER; Hardening Tutorial - <emphasis>RC Document</emphasis></title>
<copyright>
<year>2005</year>
<holder>&FORMAL-RHI;</holder>
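Review bot: putting `<emphasis>RC Document</emphasis>` into the book `<title>` means the release status is carried into every rendered title, TOC entry and generated file name, and will need another edit to strip it at release; the `<revhistory>` added in this same commit and the existing &DRAFTNOTICE; already record that status, so consider leaving the title itself stable.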
@@ -28,6 +28,32 @@
</author>
</authorgroup>
&LEGALNOTICE;
+ <revhistory>
+ <revision>
+ <revnumber>0.2</revnumber>
+ <date>2005-04-26</date>
+ <authorinitials>Charles Heselton</authorinitials>
+ <revdescription>
+ <para>
+ Latest build made available for import into cvs.fedora.redhat.com
+ </para>
+ </revdescription>
+ </revision>
+ <revision>
+ <revnumber>0.3</revnumber>
+ <date>2005-07-26</date>
+ <authorinitials>Karsten Wade</authorinitials>
+ <revdescription>
+ <para>
+ Changes made are wide, including title, structural, stylistic,
+ Documentation Project generic usage guidelines, writing editorial,
+ technical, format. Changes are checked into CVS in stages with
+ descriptive logs to help make contextual sense of the 'cvs diff
+ -u'. Made available as RC.
+ </para>
+ </revdescription>
+ </revision>
+ </revhistory>
</bookinfo>
<preface id="ch-intro">
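Review bot: `<authorinitials>` holds full names (`Charles Heselton`, `Karsten Wade`) but the DocBook element is meant for initials; use `CH` and `KW` there, or record the full names in an `<author>` element. The 0.3 `<revdescription>` also points the reader at the 'cvs diff -u' for details; a revision entry normally summarises the change in its own words so it still makes sense to someone reading the rendered book without access to CVS history.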
@@ -35,73 +61,79 @@
&DRAFTNOTICE;
<para>
- This tutorial is a basic walk-through of how to harden a basic install
- of &FC;. Many of the actions and principles discussed here will apply
- to many different linux distributions. However, for the purpose of this
- tutorial we will be regarding &FC;, specifically.
+ This tutorial is a walk-through of how to harden an install
+ of &FC;. Many of the actions and principles discussed here apply
+ to many different Linux distributions. This tutorial focuses on how to
+ perform these actions using &FC;.
</para>
- <sect1 id="intro-scope">
+ <section id="sn-intro-scope">
<title>Document Scope</title>
<para>
- While describing the techniques and tools used in this tutorial, it is
- the goal of the author to present both the Graphical User Interface (GUI) tools, and the
- more traditional command line (CLI) tools that are available in
- FC3.
+ This tutorial has a goal of presenting both the graphical user interface
+ (GUI) tools and the more traditional command line (CLI) tools that are
+ available in &FC;.
</para>
<para>
- Many users will have customized the appearance of their desktop (if running
- one), panels, menus, etc. This guide makes direction based on the default
- install and configuration of &FC;. The locations of items, menus,
- commands, etc. may differ from your actual experience.
+ Many users have customized the appearance of their desktop (if running
+ one), panels, menus, etc. This tutorial provides directions based on
+ the default install and configuration of &FC;. The locations of items,
+ menus, commands, and so forth may differ from your actual experience.
</para>
- </sect1>
+ </section>
- <sect1 id="intro-audience">
+ <section id="sn-intro-audience">
<title>Intended Audience</title>
<para>
- This document is intended for use by all &FC; users. However, there is a
- focus for home or small-business users. Enterprise deployments of Fedora
- will want to make some different considerations such as centralized syslog
- storage, unified (central) user authentication, etc. Most of the
- principles discussed will apply, however there are some enterprise
- applications which are outside the scope of this document.
+ This document is intended for use by all &FC; users. However, there
+ is a focus for home or small-business users. Enterprise deployments
+ of &FED; want to make different considerations, such as centralized
+ syslog storage, unified (central) user authentication, etc. Most of
+ the principles discussed still apply, however there are some
+ enterprise applications which are outside the scope of this document.
</para>
- </sect1>
+ </section>
</preface>
- <chapter id="ch-chapter1">
+ <chapter id="ch-intial-steps">
<title>Initial Steps</title>
&DRAFTNOTICE;
- <sect1 id="pkg-considerations">
+ <section id="sn-pkg-considerations">
<title>Package Installation Considerations</title>
<para>
- This section will not go into the actual process of installing packages,
- that falls under the scope of the Installation Guide. However, there
- are some important things to consider, in regards to security, when you are installing &FC;
- and selecting your packages for installation, and when you are
- installing new packages on an already built system.
+ This section does not go into the actual process of installing packages.
+ Refer to the <citetitle>&IG;</citetitle> for new installations, and the
+ documentation at <ulink
+ url="http://fedora.redhat.com/docs">http://fedora.redhat.com/docs</ulink>
+ for more information on updating systems and installing packages.
+ </para>
+ <para>
+ However, there are some important things to consider in regards to
+ security when you are selecting packages during installation or for
+ adding to an existing system.
</para>
- <sect2 id="pkg-considerations-install">
+ <section id="sn-pkg-considerations-install">
<title>Package Selections During Install</title>
<para>
- When you are first installing your &FC; system, take careful
- consideration of the packages that you are installing. Know what type
- of system you are building before you build it. Fedora offers a
- "system role" method of choosing packages, which can be customized to
+ When you are first installing your &FC; system, carefully
+ consider of the packages that you are installing. Know what type
+ of system you are building before you build it. &FC; offers a
+ system role method of choosing packages, which can be customized to
remove or not install certain packages, and install others that may not be
- designated as part of that particular role. A good approach would be to,
- first, draw out a plan of what your system is to be used for, and what
- services you will want to offer (if any). You can then make an
- educated decision about what installation type you want to start
- with. Fedora offers the following in terms of installation types:
+ designated as part of that particular role.
+ </para>
+ <para>
+ A good approach is to draw out a plan of what your system is to be
+ used for and what services you will want to offer (if any). Then make
+ an educated decision about what installation type you want to start
+ with. Fedora offers the following installation types:
</para>
<para>
<itemizedlist>
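Review bot: the new chapter id in `+ <chapter id="ch-intial-steps">` misspells "initial"; ids are what `<xref>` and external links target, so change it to `ch-initial-steps` before anything links to it. In the Package Selections paragraph, `carefully consider of the packages that you are installing` keeps the "of" left over from the old "take careful consideration of" and should read `carefully consider the packages`. The Intended Audience paragraph lost the "will" from `Enterprise deployments ... will want to make`, so `Enterprise deployments of &FED; want to make different considerations` now reads as a statement of fact rather than advice; `will want to` or `need to` restores the sense.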
@@ -118,34 +150,37 @@
<application>yum</application> command line utility, to install any additional
packages required for your needs.
</para>
- </sect2>
+ </section>
- <sect2 id="pkg-considerations-update">
+ <section id="sn-pkg-considerations-update">
<title>Package Considerations for Installation of New Software</title>
<para>
If you are updating, or adding to, a system that is already
- installed with &FC;, then there are some other considerations that
+ installed with &FC;, then there are some other considerations that
need to be made.
</para>
<para>
- When installing a new package, you should check the integrity of the
- package. Most reliable sources will provide a signed checksum file
- for a package file. You can use <application>gpg</application> or
- <application>md5sum</application> to verify the checksum provided,
- depending on the digital signature provided.
- <command>gpg</command> is a utility which allows you to manage digital
- signatures. These signatures allow you to digitally sign or encrypt
- data (including text messages or files). For more details on
- <command>gpg</command> visit the GNU gpg website at <ulink
- url="http://www.gnupg.org">http://www.gnupg.org</ulink>.
- <command>md5sum</command> is a utility which is based off of the MD5
- algorithm. This utility can be used to create a digital signature of
- a file, which can then be compared to the MD5 checksum downloaded with
- the software package. For more details on the MD5 hashing algorithm,
- and associated utilities, you can visit the MD5 website at <ulink
- url="http://www.fourmilab.ch/md5/">http://www.fourmilab.ch/md5/</ulink>.
+ When installing a new package, you should check the integrity of the
+ package. Most reliable sources provide a signed checksum file for a
+ package file. You can use <application>gpg</application> or
+ <application>md5sum</application> to verify the checksum provided,
+ depending on the digital signature provided.
+ </para>
+ <para>
+ GnuPG<command>gpg</command> is a utility that allows you to manage
+ digital signatures. These signatures allow you to digitally sign or
+ encrypt data (including text messages or files). For more details
+ on <command>gpg</command> visit the GNU gpg website at <ulink
+ url="http://www.gnupg.org">http://www.gnupg.org</ulink>.
+ <command>md5sum</command> is a utility which is based off of the MD5
+ algorithm. This utility can be used to create a digital signature
+ of a file, which can then be compared to the MD5 checksum downloaded
+ with the software package. For more details on the MD5 hashing
+ algorithm, and associated utilities, you can visit the MD5 website
+ at <ulink
+ url="http://www.fourmilab.ch/md5/">http://www.fourmilab.ch/md5/</ulink>.
</para>
<para>
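Review bot: `GnuPG<command>gpg</command>` runs the project name and the command together; it should read `GnuPG (<command>gpg</command>)` or similar. The reflowed md5sum paragraph still says the utility "can be used to create a digital signature of a file": an MD5 checksum is a hash, not a signature, and it only detects corruption; a checksum downloaded from the same place as the package gives no assurance against a tampered mirror, whereas the gpg signature does. Since the paragraph was rewritten anyway, reword it to say checksum, and state that gpg verifies who published the file while md5sum only verifies that it arrived intact. The `installed with &FC;, then there are some other considerations that` line earlier in the hunk is a whitespace-only change that adds noise to the diff.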
@@ -159,7 +194,7 @@
two sections.
</para>
- <sect3 id="s3-intro-gpg-example">
+ <section id="sn-intro-gpg-example">
<title><command>gpg</command> usage example</title>
<para>
@@ -372,9 +407,9 @@
The line "gpg: Good signature from ... " indicates that the
signatures is valid, and the file is verified.
</para>
- </sect3>
+ </section>
- <sect3 id="s3-intro-md5sum-example">
+ <section id="sn-intro-md5sum-example">
<title><command>md5sum</command> usage example</title>
<para>
The <command>md5sum</command> command is used to get an MD5 checksum
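Review bot: while this hunk touches the end of the gpg example, the context line `signatures is valid, and the file is verified` just above the `</section>` change should read `signature is valid`.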
@@ -444,11 +479,11 @@
then you can be assured that the file you downloaded is an
unmodified version of the file that was posted.
</para>
- </sect3>
- </sect2>
- </sect1>
+ </section>
+ </section>
+ </section>
- <sect1 id="s1-sudo">
+ <section id="sn-sudo">
<title>Configuring and Using <command>sudo</command></title>
<para>
Using the <command>sudo</command> utility allows a user to run another
@@ -502,9 +537,9 @@
</listitem>
</itemizedlist>
</para>
- </sect1>
+ </section>
- <sect1 id="sysid-and-role">
+ <section id="sn-sysid-and-role">
<title>Identifying system role and usage</title>
&DRAFTNOTICE;
<para>
@@ -532,9 +567,9 @@
and the like. It is also assumed that there will be one primary user for
this system.
</para>
- </sect1>
+ </section>
- <sect1 id="gui-update">
+ <section id="sn-gui-update">
<title>GUI: Updates with <application>up2date</application></title>
<para>
@@ -566,9 +601,9 @@
system is up to date, you will receive a notification that indicates this.
Otherwise, the <application>up2date</application> program will download the
necessary packages and install them for you.</para>
- </sect1>
+ </section>
- <sect1 id="cli-updates">
+ <section id="sn-cli-updates">
<title>CLI: Updates with <command>yum</command></title>
&DRAFTNOTICE;
<para>
@@ -651,12 +686,12 @@
<para>
<ulink url="http://fedora.redhat.com/docs/updates/index.html">http://fedora.redhat.com/docs/updates/index.html</ulink>
</para>
- </sect1>
+ </section>
- <sect1 id="services-gui">
+ <section id="sn-services-gui">
<title>Disabling unnecessary services</title>
&DRAFTNOTICE;
- <sect2 id="services-gui-2">
+ <section id="sn-services-gui-2">
<title>GUI: Service Configuration</title>
<para>
To get to the GUI tool to edit the default services, select
@@ -765,9 +800,9 @@
have on your system.
</para>
</important>
- </sect2>
+ </section>
- <sect2 id="services-cli">
+ <section id="sn-services-cli">
<title>CLI: Service Configuration</title>
<note>
<title>Note:</title>
@@ -885,10 +920,10 @@
which are multi-user runlevels: level 3 for command line only, and
level 5 for X, or GUI, mode.
</para>
- </sect2>
- </sect1>
+ </section>
+ </section>
- <sect1 id="userconfig-cli">
+ <section id="sn-userconfig-cli">
<title>Disabling or Deleting Unnecessary Users and Groups</title>
&DRAFTNOTICE;
<para>
@@ -919,7 +954,7 @@
removed.
</para>
- <sect2 id="userconfig-gui">
+ <section id="sn-userconfig-gui">
<title>GUI: Disabling unnecessary users</title>
<para>
@@ -982,11 +1017,11 @@
a service, and there is a user associated with that service, you will
want to disable the user as well.
</para>
- </sect2>
- </sect1>
+ </section>
+ </section>
</chapter>
- <chapter id="ch-chapter2">
+ <chapter id="ch-securing-file-system">
<title>Securing the File System</title>
&DRAFTNOTICE;
@@ -998,9 +1033,9 @@
"reasonable" permission already set. However, it never hurts to be sure.
</para>
- <sect1 id="fileleaks">
+ <section id="sn-fileleaks">
<title>Searching for insecure files</title>
- <sect2 id="fileleaks-fpintro">
+ <section id="sn-fileleaks-fpintro">
<title>Basic File Permissions Introduction</title>
<para>&FC; (and most other Unices) separates access control on
files and directories according to three characteristics: user, group,
@@ -1100,9 +1135,9 @@
<ulink
url="http://www.tldp.org/LDP/intro-linux/html/sect_03_04.html">http://www.tldp.org/LDP/intro-linux/html/sect_03_04.html</ulink>
</para>
- </sect2>
+ </section>
- <sect2 id="s2-chapter2--fileleaks-wwf">
+ <section id="sn-fileleaks-wwf">
<title>Finding world-writable files</title>
<para>
Unfortunately, there is no Fedora-specific tool (or GUI tool, for that
@@ -1133,8 +1168,8 @@
likely marker files for devices that don't exist, or aren't in use on your
system.
</para>
- </sect2>
- <sect2 id="s1-chapter2-fileleaks-setuid">
+ </section>
+ <section id="sn-fileleaks-setuid">
<title>Finding SetUID/SetGID files</title>
<para>
@@ -1164,8 +1199,8 @@
of files, to make sure that there is nothing "odd" in the list.
</para>
- </sect2>
- <sect2 id="fileleaks-summary">
+ </section>
+ <section id="sn-fileleaks-summary">
<title>Insecure files summary</title>
<para>
@@ -1236,10 +1271,10 @@
This will run the script every night at midnight. You will want to make
adjustments for your own application.
</para>
- </sect2>
- </sect1>
+ </section>
+ </section>
- <sect1 id="rpm-verify">
+ <section id="sn-rpm-verify">
<title>Verifying packages with <command>rpm</command></title>
<para>
@@ -1311,9 +1346,9 @@
especially if you have yum configured to update packages automatically.
However you should verify changes that you don't recognize.
</para>
- </sect1>
+ </section>
- <sect1 id="verify-config-file">
+ <section id="sn-verify-config-file">
<title>Configuration File Verification</title>
<para>
If you are running any types of network services, i.e. web, mail, ftp,
@@ -1344,9 +1379,9 @@
You can also find more information on md5sum, and a more complete
example in the previous section: <xref linkend="s3-intro-md5sum-example"></xref>.
</para>
- </sect1>
+ </section>
- <sect1 id="umask">
+ <section id="sn-umask">
<title>Setting the default umask</title>
<para>
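Review bot: the context line `<xref linkend="s3-intro-md5sum-example"></xref>` now points at an id that no longer exists, because this same diff renames that section to `sn-intro-md5sum-example`; update the linkend, otherwise the build fails validation on a dangling IDREF.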
@@ -1377,9 +1412,9 @@
<command>umask</command> at the command line as root.)
</para>
- </sect1>
+ </section>
- <sect1 id="fssummary">
+ <section id="sn-fssummary">
<title>File System Security Summary: Where to go from here?</title>
<para>
@@ -1400,14 +1435,14 @@
<listitem><para><ulink url="http://sourceforge.net/projects/tripwire/">http://sourceforge.net/projects/tripwire/</ulink></para></listitem>
<listitem><para><ulink url="http://www.cs.tut.fi/~rammer/aide.html">http://www.cs.tut.fi/~rammer/aide.html</ulink></para></listitem>
</itemizedlist>
- </sect1>
+ </section>
</chapter>
-<chapter id="ch-chapter3">
+<chapter id="ch-securing-user-accounts">
<title>Securing User Accounts</title>
&DRAFTNOTICE;
- <sect1 id="unnecessary-accounts">
+ <section id="sn-unnecessary-accounts">
<title>Disabling Unnecessary Users</title>
<para>Disabling unnecessary users can stop possible attacks by
@@ -1416,9 +1451,9 @@
linkend="userconfig-gui"></xref>.
</para>
- </sect1>
+ </section>
- <sect1 id="limit-root">
+ <section id="sn-limit-root">
<title>Limiting root logins</title>
<para>
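Review bot: the context line `linkend="userconfig-gui"></xref>` references an id that this same diff renames to `sn-userconfig-gui`; update the linkend so the cross-reference still resolves when the document is validated and rendered.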
@@ -1428,7 +1463,7 @@
<command>su</command> logins only.
</para>
- <sect2 id="limit-root-gui">
+ <section id="sn-limit-root-gui">
<title>GUI: Limiting root</title>
<para>
As alluded to in earlier sections, where GUI configurations were
@@ -1441,9 +1476,9 @@
password, you may be better off running it from a terminal with the
<command>su</command>.
</para>
- </sect2>
+ </section>
- <sect2 id="limit-root-cli">
+ <section id="sn-limit-root-cli">
<title>CLI: Limiting root</title>
<para>
Unfortunately, the command line isn't so forgiving. Unless you are
@@ -1527,10 +1562,10 @@
This will force users to login as a normal user account and then
<command>su</command> to root, or utilize <command>sudo</command>.
</para>
- </sect2>
- </sect1>
+ </section>
+ </section>
- <sect1 id="shells">
+ <section id="sn-shells">
<title>Verifying and Correcting System user shells</title>
<para>
System users, such as bin, sys, nobody, lp, etc. should not have valid
@@ -1555,9 +1590,9 @@
There are some users which will have a special shell, like the shutdown or
halt users. These special shells can be left alone.
</para>
- </sect1>
+ </section>
- <sect1 id="passwd-sec-pam-config">
+ <section id="sn-passwd-sec-pam-config">
<title>Password Security and PAM Configuration</title>
<para>
@@ -1615,12 +1650,12 @@
setting set to 4, the "new" password passways would fail, whereas
pastels would succeed.
</para>
- </sect1>
+ </section>
</chapter>
-<chapter id="ch-tcpwrappers-n-fw">
+<chapter id="ch-tcpwrappers-firewall">
<title>tcp_wrappers and Firewall Configuration</title>
- <sect1 id="tcp_wrappers_config">
+ <section id="sn-tcp_wrappers_config">
<title><application>tcp_wrappers</application> Configuration</title>
<para>
<application>tcp_wrappers</application> is a method of limiting the
@@ -1634,7 +1669,7 @@
more granular in your network defense.
</para>
- <sect2 id="hosts.deny">
+ <section id="sn-hosts.deny">
<title>The <filename>hosts.deny</filename> file.</title>
<para>
The basic <application>tcp_wrappers</application> configuration consists
@@ -1657,8 +1692,8 @@
attempting to make a connection to your system, unless they are
specifically allowed in the <filename>hosts.allow</filename> file.
</para>
- </sect2>
- <sect2 id="hosts.allow">
+ </section>
+ <section id="sn-hosts.allow">
<title>The <filename>hosts.allow</filename> file.</title>
<para>
The <filename>hosts.allow</filename> file is only slightly more
@@ -1718,10 +1753,10 @@
</para>
</listitem>
</itemizedlist>
- </sect2>
- </sect1>
+ </section>
+ </section>
- <sect1 id="iptables-fw-config">
+ <section id="sn-iptables-fw-config">
<title>Firewall/IPTables Configuration</title>
<para>
The default &FC; firewall configuration utility is
@@ -1762,7 +1797,7 @@
consider a utility such as Firestarter. Or do some reading on the
configuration of <command>iptables</command>.
</para>
- </sect1>
+ </section>
</chapter>
<chapter id="ch-conclusion">
@@ -1787,7 +1822,7 @@
</para>
</chapter>
-<chapter id="ch-bibb-n-refs">
+<chapter id="ch-biblio-references">
<title>Bibliography and References</title>
<itemizedlist>