Updated Hardening guide.

tuxxer tuxxer at cox.net
Wed May 11 00:11:32 UTC 2005


On Sun, 2005-04-24 at 15:42 +0530, Rahul Sundaram wrote:
> tuxxer wrote:
> 
> >Beat me up again guys and gals.  ;-)
> >
> >http://members.cox.net/tuxxer
> >http://members.cox.net/tuxxer/fedora-hardening-guide-whole-en.xml
> >
> >XML also posted to bug #129957.
> >
> >-Charlie
> >
> 
> Hello Charlie
> 
> A quick review:
> 
> http://members.cox.net/tuxxer/ch-intro.html
> 
> I think you should just drop the first two sentences. If the current 
> list of vulnerabilities would just keep growing then it would imply that 
> Linux is getting more insecure every day.
> 
> " As more and more users start trying and using linux, it will become 
> more and more important for the common user to know how to harden his or 
> her system against these threats. The current list of vulnerabilities in 
> linux systems will continue to grow as linux gains more momentum in the 
> home desktop environment."

The implication here is that as Linux gains more popularity, more
maliciousness will be directed towards it.  There are very few Linux
malware specimens, and it simply doesn't get the scrutiny Windows does
by people with mal-intent because it doesn't have the same widespread
user footprint.  IMHO this will change as Linux becomes more
predominant.  Maybe I can rephrase it a bit.

> 
> http://members.cox.net/tuxxer/services-gui.html#services-gui-2
> 
> sendmail - Sendmail is a Mail Transport Agent.
> 
> This daemon is also used to send critical mails to root users by default, 
> which also contain logwatch reports and other security related 
> information. You typically should modify the MTA configuration to send 
> mails to your normal user account instead of disabling it.

Removed from the suggested disable list.

> 
> http://members.cox.net/tuxxer/gui-update.html
> 
> The "customization observation" note is better done as a generic 
> statement that applies to the whole of the document that everything is 
> assumed to be in the default locations.
> 

Gotcha.  That'll go in the scope statement.

> http://members.cox.net/tuxxer/userconfig-cli.html#userconfig-gui
> 
> " By default, the *User Manager* will filter all of the "unnecessary" 
> users, by designating them as "default" or "system" users"
> 
> The system users cannot be called unnecessary. They just aren't 
> required typically.  If a system user is definitely not required in any 
> of the potential roles then that's a packaging and security bug.
> 

Done.

> 
> http://members.cox.net/tuxxer/iptables-fw-config.html
> 
> SELinux is totally unusable for all practical purposes in FC2.  Just drop 
> the following sentence which also contains a misspelled word. You might 
> want to run your document through a spell checker after every major 
> revision.  "It will also allow you to change the SELinux settings, 
> however that discussion is currentply outside of the scope of this document"
> 

The guide has been updated for FC3, so as to not be relegated to the
Legacy docs group.  Also, the only reference to SELinux is that you
*can* configure it here.  It is out of the scope of this document.
Misspelling is fixed.  I have actually run it through aspell, several
times.  Interesting that that didn't get picked up.

> http://members.cox.net/tuxxer/ch-bibb-n-refs.html
> 
> All of these websites should be hyperlinks
> 

Done.

> regards
> Rahul

Thanks.  Please check again.  The html and XML should be available
immediately.


-- 
-tuxxer

echo "uvyyfsAdpy/ofu" | perl -pe 's/(.)/chr(ord($1) - 1)/ge'
gpg:  57EB F948 76AE 25BC E340  EFA9 FAF6 E1AC F1E1 1EA1

