[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: PATCH[1/1] Linux Security Guide



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The General Principles page was supposed to address what you have asked
about.  It is a general overview of security and includes basic items
that people should understand.

That was written before the Red Hat information was pushed up so a lot
of what is in the General Principles is also spread around the Red Hat
information.  I'm going to work on making sure all the information is
accounted for and then clean up what is left.  That is going to be a
major portion of what needs to be merged.  After that is completed I'll
be able to really look at structure and such.

- - Eric

Magnus Glantz wrote:
> Correctional double-post! I mailed using the wrong subject, this is the
> correct one.
> 
> What I feel is missing is perhaps not content, but structure or
> presentation of content.
> 
> This guide seems focused on administrators working in SME or large
> enterprises.
> I guess that would be natural, if the base of the guide is the RHEL
> Security Guide.. ( Thank you Karsten for pointing this out :-> )
> 
> As a new or a not very security interested Fedora user, I would say this
> guide is much too big and complex to make proper use of.
> It's like facing the worlds biggest all-you-can-eat buffet, when you to
> the best of your knowledge haven't tasted any of the food on display.
> And on second thought
> your too lazy and uninterested of food to try and find the essential
> good stuff.
> 
> What I'm looking for is perhaps a chapter for regular home users with
> focus on usability rather than security.
> People that like Fedora but who doesn't know or care much about
> security.
> 
> "Security for Home Users"
> 
> I would volunteer to write such a chapter.
> 
> //M
> 
> tis 2009-01-06 klockan 03:00 -0500 skrev 
>> Message: 5
>> Date: Mon, 05 Jan 2009 23:24:36 -0500
>> From: Eric Christensen <eric christensenplace us>
>> Subject: Re: PATCH[1/1] Linux Security Guide
>> To: For participants of the Documentation Project
>>       <fedora-docs-list redhat com>
>> Message-ID: <4962DD04 80709 christensenplace us>
>> Content-Type: text/plain; charset=ISO-8859-1
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> I agree, in part, with your overview.  A completely secure system is
> one
>> that is unplugged and that isn't exactly useful.  I would dare say
> that
>> you don't want the same level of security as I do or as anyone else
>> might which is why it is important to give as much information as
>> possible and let people pick and choose what they feel is important to
>> their specific needs.
>>
>> Case in point, admin A has a server in a cave that is physically
> highly
>> protected.  Disk encryption and securing single user mode might not be
>> as important as securing the network connection.  So that admin might
>> only care about the VPN, SSH, IPTables, and related chapters and not
> so
>> much on the LUKS Disk Encryption.
>>
>> I feel that it is important to give admins and users as much
> information
>> as possible so they can make an educated decision on mitigating their
>> systems down to an acceptable level of risk.  Users should know that
>> their systems are NOT secure as soon as they install Fedora or any
> other
>> operating system.
>>
>> If we are missing something you think should be addressed please feel
>> free to develop a chapter.
>>
>> Thanks,
>> Eric Christensen
>> E-Mail: sparks fedoraproject org
>> GPG Key: BD0C14C1
>>
>>
>>
>>
>>
>> Magnus Glantz wrote:
>>> This e-mail is about security and user friendliness, and how I think
> this guide perhaps may be modified into something better.
>>> This may also be me misunderstanding the purpose of this guide. Be
> aware.
>>> I agree that Government Security Agencies and Banks has more to
> loose than a lot of other people :-)
>>> Last night I couldn't get to sleep, due to my big mouth, so I
> thought a bit more about the security guide.
>>> I guess this guide aims to the users of Fedora. This may be a huuge
> misconception on my part, but, I though
>>> regular home users are the main users of Fedora. So.. this guide
> should perhaps to be focused on that kind of usage and
>>> that kind of knowledge levels.
>>>
>>> My experience, working with security in highly secure
> government/telco environments is that security
>>> and ease of use/user friendliness is two most important main counter
> parts.
>>> On one hand, it's "pretty easy" to make something extremely secure,
> but extremely secure systems is a total drag to be in
>>> - because they are difficult to access, use and communicate to and
> from, due to all restrictions and security related administration.
>>> I believe the standard Fedora user never would want such a system.
> In a system like that security has compromised to much user friendliness
> for it to be fun.
>>> If security isn't your definition of happy-happy joy-joy :-)
>>>
>>> I had a thought that perhaps this guide should mainly not focus on
> different things that makes a system secure as a bank.
>>> Instead perhaps it should focus on covering techniques that allows
> ones home computer to operate in a secure
>>> _and_ user friendly manner.
>>>
>>> Here's what I wrote on my phone last night, trying to kill demons of
> guilt and shame spawned out of my nonconstructive mail yesterday.
>>> I tried to sort them in order of positive impact on security weighed
> against user friendliness.
>>> 1) Keep your system up-to-date.
>>> 1.1) Perhaps advocacy that users should prefer "Yum installed
> software", as it automatically will get updated via Yum.
>>> 2) Keep backups of your data.
>>> 2.1) Some easy ways of backing up data. Burn on CD/DVD, put on
> external storage, backup hard drive, etc. S/W recommendations.       
>>> 3) Running a firewall.
>>> 3.1) Using the shipped Fedora firewall setup tools, enabling the
> firewall at install.
>>> 4) Use SE-Linux
>>> 5) Use common sense
>>> 5.1 Do not accept unknown stuff/software from unknown people. If a
> stranger walked up to you in real life and offered you an unidentifiable
> object.. and you at the same time
>>>     constantly heard and read stories of people accepting
> unidentifiable objects from strangers - finding out the object was a
> bomb / robotic miniature robber - YOU WOULD RUN AWAY!
>>> 5) Do not run server software that you do not use (as web, mail,
> ftp, nfs or even a ssh server (if it's a desktop))
>>> 6) Advanced topics -  Here one may cover more "user unfriendly"
> stuff for the paranoid government spy user types :-) 
>>> 6.1 Encryption of different kinds (files, file systems, e-mail, etc)
>>> 6.2 Advanced hardening techniques and tools.
>>> 6.3 Advanced auditing techniques and tools
>>> 6.4 Security policy and/or paranoid thinking
>>>
>>> Some more links.
>>>
>>> Organizations:
>>> http://www.cert.org/archive/pdf/aia-handbook.pdf
>>> http://www.first.org/resources/guides/
>>> http://www.sans.org/reading_room/
>>>
>>> //M
>>>
>>> mn 2009-01-05 klockan 12:00 -0500 
>>>> Message: 2
>>>> Date: Sun, 04 Jan 2009 22:23:45 -0500
>>>> From: Eric Christensen <eric christensenplace us>
>>>> Subject: Re: PATCH[1/1] Linux Security Guide
>>>> To: For participants of the Documentation Project
>>>>    <fedora-docs-list redhat com>
>>>> Message-ID: <49617D41 5040205 christensenplace us>
>>>> Content-Type: text/plain; charset=ISO-8859-1
>>>>
>>> Good resources.  Thanks for sending them.  My reasoning for building
>>> that part of the Security Guide based on US Government documents and
> not
>>> documents from Universities or commercial sources has a simple
>>> explanation.  Government computers HAVE to be secure.  I've seen way
> too
>>> many universities and businesses run a half-way security mindset.
> They
>>> are too interested in the bottom line than a secure system even
> though a
>>> secure system will help the bottom line in the long run.
>>>
>>> The only other industry that I would like to pull from is the
> banking
>>> industry.  They are generally notorious for their secure systems
> (I'm
>>> talking about the larger banks).  They could stand to loose billions
> of
>>> dollars if they are "broken into".  Of course most of the banks make
>>> their documentation secret as to not tip off anyone with a possible
>>> documented flaw.
>>>
>>> I agree that we should be looking at multiple sources and that will
> come
>>> in time.  Please feel free to add information into the guide.  I'll
> be
>>> happy to read any patches that you, or anyone else, has to offer to
> the
>>> guide.  If you have any specific interests, please let me know!
>>>
>>> Thanks,
>>> Eric Christensen
>>> E-Mail: sparks fedoraproject org
>>> GPG Key: BD0C14C1
>>>
>>>
>>>
>>> Magnus Glantz wrote:
>>>>>> I'm sorry if I came off a bit rude, it wasn't my intent.
>>>>>> Also, I'm sorry for not being constructive, I'll try not and
> e-mail during rush our in the future :-)
>>>>>> About a more wide spread flora of security references. My thought
> was that the more known universities around the world
>>>>>> must have written kilometers of papers on Linux Security. Finding
> freely available papers describing general security on
>>>>>> Linux was easier said than done. I found some references during a
> quick scan this evening.
>>>>>> I guess it's a matter of trust. Of course the US Government and
> the NSA has excellent and trustworthy security people,
>>>>>> and that information in this subject is collaborative.. but at
> least I feel more secure seeing that it's not only
>>>>>> the US Government and secret service that approves and advocates
> the security issues brought out in this security guide.
>>>>>> Universities:
>>>>>> http://www.princeton.edu/~essweb/linux/linuxsecurity.html
>>>>>> http://www.yale.edu/its/secure-computing/
>>>>>> http://www.yale.edu/its/security/sysadmin/server-guidelines.html
>>>>>> http://www.yale.edu/its/security/network/unix.html
>>>>>> http://www-uxsup.csx.cam.ac.uk/security/unix-box.html
>>>>>>
>>>>>> Other:
>>>>>> http://www.tldp.org/HOWTO/Security-HOWTO/
>>>>>> http://tldp.org/HOWTO/Security-Quickstart-HOWTO/
>>>>>>
> http://en.tldp.org/HOWTO/Secure-Programs-HOWTO/open-source-security.html
>>>>>> http://www.puschitz.com/SecuringLinux.shtml
>>>>>> http://en.wikipedia.org/wiki/Linux_Security_Modules
>>>>>>
>>>>>> Vendors:
>>>>>>
> http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/en-US/Security_Guide/
>>>>>> I'll try and find some more / better references as soon as I have
> some more free time.
>>>>>> //M
>>>>>>
>>>>>>
>>>>>> sn 2009-01-04 klockan 12:00 -0500 skrev Message: 8
>>>>>> Date: Sun, 4 Jan 2009 09:44:55 -0500
>>>>>> From: "Paul W. Frields" <stickster gmail com>
>>>>>> Subject: Re: PATCH[1/1] Linux Security Guide
>>>>>> To: fedora-docs-list redhat com
>>>>>> Message-ID: <20090104144455 GB18821 localhost localdomain>
>>>>>> Content-Type: text/plain; charset="utf-8"
>>>>>>
>>>>>> On Sun, Jan 04, 2009 at 09:07:16PM +1000, Murray McAllister
> wrote:
>>>>>>> On Sun, Jan 4, 2009 at 7:20 PM, Magnus Glantz <mg hacka net>
> wrote:
>>>>>>>> My 5 as an non US citizen.
>>>>>>>>
>>>>>>>> I do not feel comfortable with a guide that seems almost
> completely
>>>>>>>> ripped off published US military/government documents.
>>>>>>> I only looked at the English. I was not aware of the origins of
> the
>>>>>> content.
>>>>>>> I will be more careful in future.
>>>>>>>
>>>>>>> Thanks! :-)
>>>>>> "Ripped off" seems unnecessarily harsh to me, and incorrectly
> implies
>>>>>> that somehow the content was lifted without permission, when in
> fact
>>>>>> the references in question are freely available to everyone (USA
>>>>>> domestic or foreign).  The principles embodied in most of those
>>>>>> references are fairly universal and you'll find them echoed in
> most
>>>>>> high-level infosec materials.  In fact, some foreign governments
> use
>>>>>> these references themselves.
>>>>>>
>>>>>> The Security Guide continues to be a collaborative, participatory
>>>>>> project, so anyone who is unhappy with the content -- or
> completely
>>>>>> satisfied, too, for that matter -- is free to get involved! :-)
> You
>>>>>> could start by providing equivalent or comparable non-US
> references,
>>>>>> for example.
>>>>>>
>>>>
>>>>
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkljcxEACgkQfQTSQL0MFMHhGgCgn+Mt5laa5cpMoABom0hvkFVu
b7QAn1EKfBJPBGG4E9lgfrJuIHelJr7l
=lQ0H
-----END PGP SIGNATURE-----


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]