PATCH[1/1] Linux Security Guide

Magnus Glantz mg at hacka.net
Tue Jan 6 00:47:53 UTC 2009


This e-mail is about security and user friendliness, and how I think this guide perhaps may be modified into something better.
This may also be me misunderstanding the purpose of this guide. Be aware.

I agree that Government Security Agencies and Banks have more to lose than a lot of other people :-)

Last night I couldn't get to sleep, due to my big mouth, so I thought a bit more about the security guide.
I guess this guide aims at the users of Fedora. This may be a huuge misconception on my part, but, I thought
regular home users are the main users of Fedora. So.. this guide should perhaps be focused on that kind of usage and
that kind of knowledge levels.

My experience, working with security in highly secure government/telco environments is that security
and ease of use/user friendliness are the two most important main counterparts.

On one hand, it's "pretty easy" to make something extremely secure, but extremely secure systems are a total drag to be in
- because they are difficult to access, use and communicate to and from, due to all restrictions and security related administration.
I believe the standard Fedora user never would want such a system. In a system like that security has compromised too much user friendliness for it to be fun.
If security isn't your definition of happy-happy joy-joy :-)

I had a thought that perhaps this guide should mainly not focus on different things that make a system secure as a bank.
Instead perhaps it should focus on covering techniques that allow one's home computer to operate in a secure
_and_ user friendly manner.

Here's what I wrote on my phone last night, trying to kill demons of guilt and shame spawned out of my nonconstructive mail yesterday.
I tried to sort them in order of positive impact on security weighed against user friendliness.

1) Keep your system up-to-date.
1.1) Perhaps advocacy that users should prefer "Yum installed software", as it automatically will get updated via Yum.
2) Keep backups of your data.
2.1) Some easy ways of backing up data. Burn on CD/DVD, put on external storage, backup hard drive, etc. S/W recommendations.	
3) Running a firewall.
3.1) Using the shipped Fedora firewall setup tools, enabling the firewall at install.
4) Use SE-Linux
5) Use common sense
5.1 Do not accept unknown stuff/software from unknown people. If a stranger walked up to you in real life and offered you an unidentifiable object.. and you at the same time
    constantly heard and read stories of people accepting unidentifiable objects from strangers - finding out the object was a bomb / robotic miniature robber - YOU WOULD RUN AWAY!
5) Do not run server software that you do not use (such as web, mail, ftp, nfs or even an ssh server (if it's a desktop))
6) Advanced topics - Here one may cover more "user unfriendly" stuff for the paranoid government spy user types :-)
6.1 Encryption of different kinds (files, file systems, e-mail, etc)
6.2 Advanced hardening techniques and tools.
6.3 Advanced auditing techniques and tools
6.4 Security policy and/or paranoid thinking

Some more links.

Organizations:
http://www.cert.org/archive/pdf/aia-handbook.pdf
http://www.first.org/resources/guides/
http://www.sans.org/reading_room/

//M

Mon 2009-01-05 at 12:00 -0500
> 
> Message: 2
> Date: Sun, 04 Jan 2009 22:23:45 -0500
> From: Eric Christensen <eric at christensenplace.us>
> Subject: Re: PATCH[1/1] Linux Security Guide
> To: For participants of the Documentation Project
> 	<fedora-docs-list at redhat.com>
> Message-ID: <49617D41.5040205 at christensenplace.us>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> Good resources.  Thanks for sending them.  My reasoning for building
> that part of the Security Guide based on US Government documents and not
> documents from Universities or commercial sources has a simple
> explanation.  Government computers HAVE to be secure.  I've seen way too
> many universities and businesses run a half-way security mindset.  They
> are more interested in the bottom line than a secure system even though a
> secure system will help the bottom line in the long run.
> 
> The only other industry that I would like to pull from is the banking
> industry.  They are generally notorious for their secure systems (I'm
> talking about the larger banks).  They could stand to lose billions of
> dollars if they are "broken into".  Of course most of the banks make
> their documentation secret as to not tip off anyone with a possible
> documented flaw.
> 
> I agree that we should be looking at multiple sources and that will come
> in time.  Please feel free to add information into the guide.  I'll be
> happy to read any patches that you, or anyone else, has to offer to the
> guide.  If you have any specific interests, please let me know!
> 
> Thanks,
> Eric Christensen
> E-Mail: sparks at fedoraproject.org
> GPG Key: BD0C14C1
> 
> 
> 
> Magnus Glantz wrote:
> > I'm sorry if I came off a bit rude, it wasn't my intent.
> > Also, I'm sorry for not being constructive, I'll try not to e-mail during rush hour in the future :-)
> > 
> > About a more wide spread flora of security references. My thought was that the more known universities around the world
> > must have written kilometers of papers on Linux Security. Finding freely available papers describing general security on
> > Linux was easier said than done. I found some references during a quick scan this evening.
> > 
> > I guess it's a matter of trust. Of course the US Government and the NSA have excellent and trustworthy security people,
> > and that information in this subject is collaborative.. but at least I feel more secure seeing that it's not only
> > the US Government and secret service that approves and advocates the security issues brought out in this security guide.
> > 
> > Universities:
> > http://www.princeton.edu/~essweb/linux/linuxsecurity.html
> > http://www.yale.edu/its/secure-computing/
> > http://www.yale.edu/its/security/sysadmin/server-guidelines.html
> > http://www.yale.edu/its/security/network/unix.html
> > http://www-uxsup.csx.cam.ac.uk/security/unix-box.html
> > 
> > Other:
> > http://www.tldp.org/HOWTO/Security-HOWTO/
> > http://tldp.org/HOWTO/Security-Quickstart-HOWTO/
> > http://en.tldp.org/HOWTO/Secure-Programs-HOWTO/open-source-security.html
> > http://www.puschitz.com/SecuringLinux.shtml
> > http://en.wikipedia.org/wiki/Linux_Security_Modules
> > 
> > Vendors:
> > http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/en-US/Security_Guide/
> > 
> > I'll try and find some more / better references as soon as I have some more free time.
> > 
> > //M
> > 
> > 
> > Sun 2009-01-04 at 12:00 -0500 wrote Message: 8
> > Date: Sun, 4 Jan 2009 09:44:55 -0500
> > From: "Paul W. Frields" <stickster at gmail.com>
> > Subject: Re: PATCH[1/1] Linux Security Guide
> > To: fedora-docs-list at redhat.com
> > Message-ID: <20090104144455.GB18821 at localhost.localdomain>
> > Content-Type: text/plain; charset="utf-8"
> > 
> > On Sun, Jan 04, 2009 at 09:07:16PM +1000, Murray McAllister wrote:
> >> On Sun, Jan 4, 2009 at 7:20 PM, Magnus Glantz <mg at hacka.net> wrote:
> >>> My 5 as a non-US citizen.
> >>>
> >>> I do not feel comfortable with a guide that seems almost completely
> >>> ripped off published US military/government documents.
> >> I only looked at the English. I was not aware of the origins of the
> > content.
> >> I will be more careful in future.
> >>
> >> Thanks! :-)
> > 
> > "Ripped off" seems unnecessarily harsh to me, and incorrectly implies
> > that somehow the content was lifted without permission, when in fact
> > the references in question are freely available to everyone (USA
> > domestic or foreign).  The principles embodied in most of those
> > references are fairly universal and you'll find them echoed in most
> > high-level infosec materials.  In fact, some foreign governments use
> > these references themselves.
> > 
> > The Security Guide continues to be a collaborative, participatory
> > project, so anyone who is unhappy with the content -- or completely
> > satisfied, too, for that matter -- is free to get involved! :-)  You
> > could start by providing equivalent or comparable non-US references,
> > for example.
> > 
> 
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Mon, 05 Jan 2009 10:12:20 +0530
> From: Rahul Sundaram <sundaram at fedoraproject.org>
> Subject: curl instead of wget
> To: For participants of the Documentation Project
> 	<fedora-docs-list at redhat.com>
> Message-ID: <49618FAC.30400 at fedoraproject.org>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> 
> Hi,
> 
> In documentation, wherever we are using wget, it is probably better to 
> use curl instead since wget is not installed by default on the Live CD 
> while curl is. Just a thought.
> 
> Rahul
> 
> 
> 
> ------------------------------
> 
> Message: 4
> Date: Mon, 05 Jan 2009 07:01:54 +0200
> From: Basil Mohamed Gohar <abu_hurayrah at hidayahonline.org>
> Subject: Re: curl instead of wget
> To: For participants of the Documentation Project
> 	<fedora-docs-list at redhat.com>
> Message-ID: <1231131714.3714.7.camel at localhost.localdomain>
> Content-Type: text/plain
> 
> On Mon, 2009-01-05 at 10:12 +0530, Rahul Sundaram wrote:
> > Hi,
> > 
> > In documentation, wherever we are using wget, it is probably better to 
> > use curl instead since wget is not installed by default on the Live CD 
> > while curl is. Just a thought.
> > 
> > Rahul
> > 
> I ran into this problem (missing wget) after installing from the F10
> LiveCD, so I can relate.  However, I've no experience with curl, and I
> must say, curl --help is somewhat intimidating.  Is it as
> straightforward to use as wget, especially for someone that may be new
> (e.g., the majority of those using documentation on a new installation
> of Fedora)?
> 
> ________________________________________________________________________
> 
> Basil Mohamed Gohar
> abu_hurayrah at hidayahonline.org
> www.basilgohar.com
> 
> 
> 
> ------------------------------
> 
> Message: 5
> Date: Sun, 4 Jan 2009 23:04:11 -0600
> From: Ian Weller <ianweller at gmail.com>
> Subject: Re: curl instead of wget
> To: For participants of the Documentation Project
> 	<fedora-docs-list at redhat.com>
> Message-ID: <20090105050411.GA3404 at gmail.com>
> Content-Type: text/plain; charset="us-ascii"
> 
> On Mon, Jan 05, 2009 at 07:01:54AM +0200, Basil Mohamed Gohar wrote:
> > On Mon, 2009-01-05 at 10:12 +0530, Rahul Sundaram wrote:
> > > Hi,
> > > 
> > > In documentation, wherever we are using wget, it is probably better to 
> > > use curl instead since wget is not installed by default on the Live CD 
> > > while curl is. Just a thought.
> > > 
> > > Rahul
> > > 
> > I ran into this problem (missing wget) after installing from the F10
> > LiveCD, so I can relate.  However, I've no experience with curl, and I
> > must say, curl --help is somewhat intimidating.  Is it as
> > straightforward to use as wget, especially for someone that may be new
> > (e.g., the majority of those using documentation on a new installation
> > of Fedora)?
> > 
> Then shouldn't wget be installed by default?
> 
> -- 
> Ian Weller <ianweller at gmail.com>                  http://ianweller.org
> GnuPG fingerprint:  E51E 0517 7A92 70A2 4226  B050 87ED 7C97 EFA8 4A36
> "Technology is a word that describes something that doesn't work yet."
>   ~ Douglas Adams
> 
> ------------------------------
> 
> Message: 6
> Date: Mon, 5 Jan 2009 00:07:10 -0500
> From: Matthew Daniels <danielsmw at gmail.com>
> Subject: Re: curl instead of wget
> To: For participants of the Documentation Project
> 	<fedora-docs-list at redhat.com>
> Message-ID: <E5D39042-AD6E-4915-A4B1-5B6EEF320481 at gmail.com>
> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
> 
> >> I ran into this problem (missing wget) after installing from the F10
> >> LiveCD, so I can relate.  However, I've no experience with curl,  
> >> and I
> >> must say, curl --help is somewhat intimidating.  Is it as
> >> straightforward to use as wget, especially for someone that may be  
> >> new
> >> (e.g., the majority of those using documentation on a new  
> >> installation
> >> of Fedora)?
> >>
> > Then shouldn't wget be installed by default?
> 
> I would think so.  Can we call that a bug/enhancement and see if
> they'll do that for F11?  I mean... what's the size of wget?  It can't
> be more than a few hundred KB.
> 
> - Matthew
> 
> 
> 
> ------------------------------
> 
> Message: 7
> Date: Mon, 05 Jan 2009 07:28:57 +0200
> From: Basil Mohamed Gohar <abu_hurayrah at hidayahonline.org>
> Subject: Re: curl instead of wget
> To: fedora-docs-list at redhat.com
> Message-ID: <1231133338.3714.10.camel at localhost.localdomain>
> Content-Type: text/plain
> 
> On Sun, 2009-01-04 at 23:04 -0600, Ian Weller wrote:
> > > 
> > Then shouldn't wget be installed by default?
> 
> I was fearful of making the same suggestion myself, since this is the
> Docs list, but that's what I think is best as well.  Frankly, I'm quite
> surprised it was never included in the first place.  I actually thought
> it was part of the core utilities needed to admin a system.
> 
> 
> ________________________________________________________________________
> 
> Basil Mohamed Gohar
> abu_hurayrah at hidayahonline.org
> www.basilgohar.com
> 
> 
> 
> ------------------------------
> 
> Message: 8
> Date: Mon, 05 Jan 2009 15:35:33 +1000
> From: Christopher Curran <ccurran at redhat.com>
> Subject: Re: curl instead of wget
> To: For participants of the Documentation Project
> 	<fedora-docs-list at redhat.com>
> Message-ID: <49619C25.9020804 at redhat.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> 
> Rahul Sundaram wrote:
> > Hi,
> >
> > In documentation, wherever we are using wget, it is probably better to 
> > use curl instead since wget is not installed by default on the Live CD 
> > while curl is. Just a thought.
> >
> > Rahul
> >
> Sure I can update future docs if you can point me at the thread where 
> they decided to drop it.
> 
> Chris
> 
> 
> 
> ------------------------------
> 
> Message: 9
> Date: Mon, 5 Jan 2009 00:21:13 -0600
> From: Ian Weller <ianweller at gmail.com>
> Subject: Re: curl instead of wget
> To: For participants of the Documentation Project
> 	<fedora-docs-list at redhat.com>
> Message-ID: <20090105062113.GB5608 at gmail.com>
> Content-Type: text/plain; charset="us-ascii"
> 
> On Mon, Jan 05, 2009 at 12:07:10AM -0500, Matthew Daniels wrote:
> > I would think so.  Can we call that a bug/enhancement and see if they'll
> > do that for F11?  I mean... what's the size of wget?  It can't be more
> > than a few hundred KB.
> >
> It's 1.5 MB, according to rpm -qi wget, but the .rpm file itself is
> 600kB. IIRC, the former would be on the Live distribution, while the
> latter is on the mirrors and the install media.
> 
> -- 
> Ian Weller <ianweller at gmail.com>                  http://ianweller.org
> GnuPG fingerprint:  E51E 0517 7A92 70A2 4226  B050 87ED 7C97 EFA8 4A36
> "Technology is a word that describes something that doesn't work yet."
>   ~ Douglas Adams
> 
> ------------------------------
> 
> Message: 10
> Date: Mon, 05 Jan 2009 11:55:15 +0530
> From: Rahul Sundaram <sundaram at fedoraproject.org>
> Subject: Re: curl instead of wget
> To: For participants of the Documentation Project
> 	<fedora-docs-list at redhat.com>
> Message-ID: <4961A7CB.6080704 at fedoraproject.org>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> 
> Basil Mohamed Gohar wrote:
> > On Mon, 2009-01-05 at 10:12 +0530, Rahul Sundaram wrote:
> >> Hi,
> >>
> >> In documentation, wherever we are using wget, it is probably better to 
> >> use curl instead since wget is not installed by default on the Live CD 
> >> while curl is. Just a thought.
> >>
> >> Rahul
> >>
> > I ran into this problem (missing wget) after installing from the F10
> > LiveCD, so I can relate.  However, I've no experience with curl, and I
> > must say, curl --help is somewhat intimidating.  Is it as
> > straightforward to use as wget, especially for someone that may be new
> > (e.g., the majority of those using documentation on a new installation
> > of Fedora)?
> 
> The basic usage is simple.
> 
> curl <url>
> 
> If you want to suggest wget be (re-)added, that is a fedora-desktop list 
> discussion.
> 
> Rahul
> 
> 
> 
> ------------------------------
> 
> Message: 11
> Date: Mon, 5 Jan 2009 07:21:57 -0800
> From: Karsten Wade <kwade at redhat.com>
> Subject: Wed. 07 Jan planning meeting
> To: fedora-docs-list at redhat.com
> Message-ID: <20090105152157.GI5819 at calliope.phig.org>
> Content-Type: text/plain; charset="us-ascii"
> 
> We have a chance to get some important work moved forward, and
> important information spread, at the upcoming FUDCon this week.
> 
> Let's use the meeting this Wednesday to finalize plans for FUDCon;
> discussions here in advance.
> 
> https://fedoraproject.org/wiki/DocsProject/SteeringCommittee/Meetings#Wednesday.2C_07_January_2008
> 
> Please add to that any FUDCon planning activities you think of.
> 
> - Karsten
> -- 
> Karsten 'quaid' Wade, Community Gardener
> http://quaid.fedorapeople.org
> AD0E0C41
> 
> ------------------------------
> 
> Message: 12
> Date: Mon, 5 Jan 2009 10:37:03 -0500
> From: "Paul W. Frields" <stickster at gmail.com>
> Subject: Re: Wed. 07 Jan planning meeting
> To: fedora-docs-list at redhat.com
> Message-ID: <20090105153703.GQ25582 at localhost.localdomain>
> Content-Type: text/plain; charset="us-ascii"
> 
> On Mon, Jan 05, 2009 at 07:21:57AM -0800, Karsten Wade wrote:
> > We have a chance to get some important work moved forward, and
> > important information spread, at the upcoming FUDCon this week.
> > 
> > Let's use the meeting this Wednesday to finalize plans for FUDCon;
> > discussions here in advance.
> > 
> > https://fedoraproject.org/wiki/DocsProject/SteeringCommittee/Meetings#Wednesday.2C_07_January_2008
> > 
> > Please add to that any FUDCon planning activities you think of.
> 
> Not trying to be confusing -- on the contrary, making sure I can keep
> my schedule clear, be there, and pay attention purely to our meeting.
> We're meeting at 1900 UTC / 2:00pm EST / 11:00am PST?
> 
> -- 
> Paul W. Frields                                http://paul.frields.org/
>   gpg fingerprint: 3DA6 A0AC 6D58 FEC4 0233  5906 ACDB C937 BD11 3717
>   http://redhat.com/   -  -  -  -   http://pfrields.fedorapeople.org/
>   irc.freenode.net: stickster @ #fedora-docs, #fedora-devel, #fredlug
> 
> ------------------------------
> 
> --
> fedora-docs-list mailing list
> fedora-docs-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-docs-list
> 
> End of fedora-docs-list Digest, Vol 59, Issue 6
> ***********************************************



