Gentoo Archives: gentoo-doc-cvs

From: Xavier Neys <neysx@×××××××××××.org>
To: gentoo-doc-cvs@l.g.o
Subject: [gentoo-doc-cvs] cvs commit: shb-chroot.xml shb-firewalls.xml shb-intrusion.xml shb-kernel.xml shb-limits.xml shb-logging.xml shb-mounting.xml shb-pam.xml shb-perms.xml shb-pre.xml shb-services.xml shb-tight.xml shb-uptodate.xml
Date: Mon, 18 Sep 2006 09:22:38
Message-Id: 20060918092249.03024643B1@smtp.gentoo.org
1 neysx 06/09/18 09:22:48
2
3 Modified: shb-chroot.xml shb-firewalls.xml shb-intrusion.xml
4 shb-kernel.xml shb-limits.xml shb-logging.xml
5 shb-mounting.xml shb-pam.xml shb-perms.xml
6 shb-pre.xml shb-services.xml shb-tight.xml
7 shb-uptodate.xml
8 Log:
9 #147760 Removed all trailing spaces, no content change
10
11 Revision Changes Path
12 1.3 xml/htdocs/doc/en/security/shb-chroot.xml
13
14 file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-chroot.xml?rev=1.3&view=markup
15 plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-chroot.xml?rev=1.3&content-type=text/plain
16 diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-chroot.xml?r1=1.2&r2=1.3
17
18 Index: shb-chroot.xml
19 ===================================================================
20 RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-chroot.xml,v
21 retrieving revision 1.2
22 retrieving revision 1.3
23 diff -u -r1.2 -r1.3
24 --- shb-chroot.xml 15 Dec 2005 22:45:57 -0000 1.2
25 +++ shb-chroot.xml 18 Sep 2006 09:22:48 -0000 1.3
26 @@ -1,5 +1,5 @@
27 <?xml version='1.0' encoding='UTF-8'?>
28 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-chroot.xml,v 1.2 2005/12/15 22:45:57 rane Exp $ -->
29 +<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-chroot.xml,v 1.3 2006/09/18 09:22:48 neysx Exp $ -->
30 <!DOCTYPE sections SYSTEM "/dtd/book.dtd">
31
32 <!-- The content of this document is licensed under the CC-BY-SA license -->
33 @@ -32,13 +32,13 @@
34 </p>
35
36 <p>
37 -Create the <path>/chroot</path> directory with <c>mkdir /chroot</c>. And find what
38 -dynamic libraries that <c>bash</c> is compiled with (if it is compiled with
39 +Create the <path>/chroot</path> directory with <c>mkdir /chroot</c>. And find what
40 +dynamic libraries that <c>bash</c> is compiled with (if it is compiled with
41 <c>-static</c> this step is not necessary):
42 </p>
43
44 <p>
45 -The following command will create a list of libraries used by <c>bash</c>.
46 +The following command will create a list of libraries used by <c>bash</c>.
47 </p>
48
49 <pre caption="Get listing of used libraries">
50 @@ -63,28 +63,28 @@
51 Next copy the files used by <c>bash</c> (<path>/lib</path>) to the chrooted
52 <path>lib</path> and copy the bash command to the chrooted <path>bin</path>
53 directory. This will create the exact same environment, just with less
54 -functionality. After copying try it out: <c>chroot /chroot/bash /bin/bash</c>.
55 +functionality. After copying try it out: <c>chroot /chroot/bash /bin/bash</c>.
56 If you get an prompt saying <path>/</path> it works! Otherwise it will properly
57 tell you what a file is missing. Some shared libraries depend on each other.
58 </p>
59
60 <p>
61 -You will notice that inside the chroot nothing works except <c>echo</c>. This
62 -is because we have no other commands in out chroot environment than bash and
63 +You will notice that inside the chroot nothing works except <c>echo</c>. This
64 +is because we have no other commands in out chroot environment than bash and
65 <c>echo</c> is a build-in functionality.
66 </p>
67
68 <p>
69 -This is basically the same way you would create a chrooted service. The only
70 -difference is that services sometimes rely on devices and configuration files
71 -in <path>/etc</path>. Simply copy them (devices can be copied with <c>cp
72 --a</c>) to the chrooted environment, edit the init script to use chroot before
73 -executing. It can be difficult to find what devices and configuration files a
74 -services need. This is where the <c>strace</c> command becomes handy. Start
75 -the service with <c>/usr/bin/strace</c> bash and look for open, read, stat and
76 -maybe connect. This will give you a clue on what files to copy. But in most
77 -cases just copy the passwd file (edit the copy and remove users that has
78 -nothing to do with the service), <path>/dev/zero</path>, <path>/dev/log</path>
79 +This is basically the same way you would create a chrooted service. The only
80 +difference is that services sometimes rely on devices and configuration files
81 +in <path>/etc</path>. Simply copy them (devices can be copied with <c>cp
82 +-a</c>) to the chrooted environment, edit the init script to use chroot before
83 +executing. It can be difficult to find what devices and configuration files a
84 +services need. This is where the <c>strace</c> command becomes handy. Start
85 +the service with <c>/usr/bin/strace</c> bash and look for open, read, stat and
86 +maybe connect. This will give you a clue on what files to copy. But in most
87 +cases just copy the passwd file (edit the copy and remove users that has
88 +nothing to do with the service), <path>/dev/zero</path>, <path>/dev/log</path>
89 and <path>/dev/random</path>.
90 </p>
91
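Review bot: the "+" lines are identical to the "-" lines apart from trailing whitespace, so this hunk is whitespace-only as the log states, but the lines being rewritten still carry "an prompt", "it will properly tell you what a file is missing" (probably), "out chroot environment" (our), "build-in" (built-in) and "users that has"; since the lines are touched anyway, a follow-up content commit could fix them. In the last paragraph, copying /dev/log with "cp -a" only produces a socket file with nothing listening on it: the syslog daemon has to be configured to open an additional socket inside the chroot, otherwise the chrooted service cannot log, and the text should say so.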
92
93
94
95 1.4 xml/htdocs/doc/en/security/shb-firewalls.xml
96
97 file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-firewalls.xml?rev=1.4&view=markup
98 plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-firewalls.xml?rev=1.4&content-type=text/plain
99 diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-firewalls.xml?r1=1.3&r2=1.4
100
101 Index: shb-firewalls.xml
102 ===================================================================
103 RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-firewalls.xml,v
104 retrieving revision 1.3
105 retrieving revision 1.4
106 diff -u -r1.3 -r1.4
107 --- shb-firewalls.xml 12 Dec 2005 02:10:43 -0000 1.3
108 +++ shb-firewalls.xml 18 Sep 2006 09:22:48 -0000 1.4
109 @@ -1,5 +1,5 @@
110 <?xml version='1.0' encoding='UTF-8'?>
111 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-firewalls.xml,v 1.3 2005/12/12 02:10:43 vanquirius Exp $ -->
112 +<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-firewalls.xml,v 1.4 2006/09/18 09:22:48 neysx Exp $ -->
113 <!DOCTYPE sections SYSTEM "/dtd/book.dtd">
114
115 <!-- The content of this document is licensed under the CC-BY-SA license -->
116 @@ -15,10 +15,10 @@
117 <body>
118
119 <p>
120 -People often think that a firewall provides the ultimate security, but they
121 -are wrong. In most cases a misconfigured firewall gives less security than
122 -not having one at all. A firewall is also a piece of software and should be
123 -treated the same way as any other piece of software, because it is just as likely
124 +People often think that a firewall provides the ultimate security, but they
125 +are wrong. In most cases a misconfigured firewall gives less security than
126 +not having one at all. A firewall is also a piece of software and should be
127 +treated the same way as any other piece of software, because it is just as likely
128 to contain bugs.
129 </p>
130
131 @@ -101,7 +101,7 @@
132 <ul>
133 <li>Simple and easy to implement</li>
134 <li>
135 - Can give warnings of a possible attack before it happens (ie. by detecting
136 + Can give warnings of a possible attack before it happens (ie. by detecting
137 port scans)
138 </li>
139 <li>Good for stopping SYN attacks</li>
140 @@ -120,7 +120,7 @@
141 </ul>
142 <!--FIXME: should SmoothWall really be included, since it uses iptables?-->
143 <note>
144 -It is recommended that you use iptables. Ipchains is obsoleted.
145 +It is recommended that you use iptables. Ipchains is obsoleted.
146 </note>
147
148 </body>
149 @@ -241,7 +241,7 @@
150 <p>
151 Iptables is the new and heavily improved packet filter in the Linux 2.4.x
152 kernel. It is the successor of the previous ipchains packet filter in the Linux
153 -2.2.x kernel. One of the major improvements is that iptables is able to perform
154 +2.2.x kernel. One of the major improvements is that iptables is able to perform
155 stateful packet filtering. With stateful packet filtering it is possible to
156 keep track of each established TCP connection.
157 </p>
158 @@ -273,41 +273,41 @@
159 </p>
160
161 <p>
162 -Iptables provides several other features like NAT (Network Address Translation)
163 -and rate limiting. Rate limiting is extremely useful when trying to prevent
164 +Iptables provides several other features like NAT (Network Address Translation)
165 +and rate limiting. Rate limiting is extremely useful when trying to prevent
166 certain DoS (Denial of Service) attacks like SYN floods.
167 </p>
168
169 <p>
170 -A TCP connection is established by a so called three-way handshake. When
171 -establishing a TCP connection the client-side sends a packet to the server
172 -with the SYN flag set. When the server-side receives the SYN packet it
173 -responds by sending a SYN+ACK packet back to the client-side. When the SYN+ACK
174 -is received the client-side responds with a third ACK packet in effect
175 +A TCP connection is established by a so called three-way handshake. When
176 +establishing a TCP connection the client-side sends a packet to the server
177 +with the SYN flag set. When the server-side receives the SYN packet it
178 +responds by sending a SYN+ACK packet back to the client-side. When the SYN+ACK
179 +is received the client-side responds with a third ACK packet in effect
180 acknowledging the connection.
181 </p>
182
183 <p>
184 -A SYN flood attack is performed by sending the SYN packet but failing to
185 -respond to the SYN+ACK packet. The client-side can forge a packet with a fake
186 +A SYN flood attack is performed by sending the SYN packet but failing to
187 +respond to the SYN+ACK packet. The client-side can forge a packet with a fake
188 source IP address because it does not need a reply. The server-side system will
189 -add an entry to a queue of half-open connections when it receives the SYN
190 -packet and then wait for the final ACK packet before deleting the entry from
191 -the queue. The queue has a limited number of slots and if all the slots are
192 -filled it is unable to open any further connections. If the ACK packet is not
193 -received before a specified timeout period the entry will automatically be
194 -deleted from the queue. The timeout settings vary but will typically be 30-60
195 -seconds or even more. The client-side initiates the attack by forging a lot of
196 -SYN packets with different source IP addresses and sends them to the target IP
197 -address as fast as possible and thereby filling up the queue of half-open
198 +add an entry to a queue of half-open connections when it receives the SYN
199 +packet and then wait for the final ACK packet before deleting the entry from
200 +the queue. The queue has a limited number of slots and if all the slots are
201 +filled it is unable to open any further connections. If the ACK packet is not
202 +received before a specified timeout period the entry will automatically be
203 +deleted from the queue. The timeout settings vary but will typically be 30-60
204 +seconds or even more. The client-side initiates the attack by forging a lot of
205 +SYN packets with different source IP addresses and sends them to the target IP
206 +address as fast as possible and thereby filling up the queue of half-open
207 connections and thus preventing other clients from establishing a legitimate
208 connection with the server.
209 </p>
210
211 <p>
212 -This is where the rate limit becomes handy. It is possible to limit the rate
213 -of accepted SYN packets by using the <c>-m limit --limit 1/s</c>. This will
214 -limit the number of SYN packets accepted to one per second and therefore
215 +This is where the rate limit becomes handy. It is possible to limit the rate
216 +of accepted SYN packets by using the <c>-m limit --limit 1/s</c>. This will
217 +limit the number of SYN packets accepted to one per second and therefore
218 restricting the SYN flood on our resources.
219 </p>
220
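Review bot: the last paragraph's claim that "-m limit --limit 1/s" "will limit the number of SYN packets accepted to one per second" only holds when the rate-limited ACCEPT rule is followed by a rule that drops the SYNs exceeding the limit; on its own, the limit match simply stops matching and the excess packets fall through to the remaining rules and the chain policy. The paragraph should also mention the default burst of 5 (--limit-burst) and that a 1/s SYN limit applied to a whole host, rather than to one service as the script later does for ssh, locks out legitimate clients under ordinary load. Both are follow-up content points; the hunk itself only strips trailing whitespace.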
221 @@ -324,16 +324,16 @@
222 </p>
223
224 <p>
225 -When iptables is loaded in the kernel it has 5 hooks where you can place your
226 -rules. They are called <c>INPUT</c>, <c>OUTPUT</c>, <c>FORWARD</c>,
227 -<c>PREROUTING</c> and <c>POSTROUTING</c>. Each of these is called a chain and
228 -consists of a list of rules. Each rule says if the packet header looks like
229 -this, then here is what to do with the packet. If the rule does not match the
230 +When iptables is loaded in the kernel it has 5 hooks where you can place your
231 +rules. They are called <c>INPUT</c>, <c>OUTPUT</c>, <c>FORWARD</c>,
232 +<c>PREROUTING</c> and <c>POSTROUTING</c>. Each of these is called a chain and
233 +consists of a list of rules. Each rule says if the packet header looks like
234 +this, then here is what to do with the packet. If the rule does not match the
235 packet the next rule in the chain is consulted.
236 </p>
237
238 <p>
239 -You can place rules directly in the 5 main chains or create new chains and add
240 +You can place rules directly in the 5 main chains or create new chains and add
241 them to as a rule to an existing chain. Iptables supports the following options.
242 </p>
243
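Review bot: "create new chains and add them to as a rule to an existing chain" in the second paragraph is garbled (presumably "and jump to them from a rule in an existing chain"). The first paragraph also conflates the five netfilter hooks with chains: the filter table has only INPUT, OUTPUT and FORWARD, while PREROUTING and POSTROUTING belong to the nat and mangle tables, which is why the script later has to use "-t nat -A POSTROUTING". Follow-up content points; this hunk is whitespace-only.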
244 @@ -528,7 +528,7 @@
245 <ti>owner</ti>
246 <ti>Attempt to match various characteristics of the packet creator</ti>
247 <ti>
248 - --uid-owner userid --gid-owner groupid --pid-owner processid --sid-owner
249 + --uid-owner userid --gid-owner groupid --pid-owner processid --sid-owner
250 sessionid
251 </ti>
252 </tr>
253 @@ -539,7 +539,7 @@
254 </table>
255
256 <p>
257 -Lets try to create a user-defined chain and apply it to one of the existing
258 +Lets try to create a user-defined chain and apply it to one of the existing
259 chains:
260 </p>
261
262 @@ -556,7 +556,7 @@
263 </pre>
264
265 <p>
266 -By applying the rule to the input chain we get the policy: All outgoing packets
267 +By applying the rule to the input chain we get the policy: All outgoing packets
268 are allowed and all incoming packets are dropped.
269 </p>
270
271 @@ -573,11 +573,11 @@
272 <ul>
273 <li>Connections to the firewall are only allowed through SSH (port 22)</li>
274 <li>
275 - The local network should have access to HTTP, HTTPS and SSH (DNS should also
276 + The local network should have access to HTTP, HTTPS and SSH (DNS should also
277 be allowed)
278 </li>
279 <li>
280 - ICMP traffic can contain payload and should not be allowed. Of course we have
281 + ICMP traffic can contain payload and should not be allowed. Of course we have
282 to allow some ICMP traffic.
283 </li>
284 <li>Port scans should be detected and logged</li>
285 @@ -621,7 +621,7 @@
286 $IPTABLES -N allowed-connection
287 $IPTABLES -F allowed-connection
288 $IPTABLES -A allowed-connection -m state --state ESTABLISHED,RELATED -j ACCEPT
289 - $IPTABLES -A allowed-connection -i $IINTERFACE -m limit -j LOG --log-prefix \
290 + $IPTABLES -A allowed-connection -i $IINTERFACE -m limit -j LOG --log-prefix \
291 "Bad packet from ${IINTERFACE}:"
292 $IPTABLES -A allowed-connection -j DROP
293
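Review bot: the LOG rule in allowed-connection uses "-m limit" without "--limit", so the iptables default of 3 matches per hour (burst 5) applies and nearly all packets dropped by this chain go unlogged, which works against the "Port scans should be detected and logged" requirement listed earlier. An explicit rate such as "--limit 5/minute", as the check-flags chain uses, would be consistent. Whitespace-only hunk, so a follow-up.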
294 @@ -629,9 +629,9 @@
295 einfo "Creating icmp chain"
296 $IPTABLES -N icmp_allowed
297 $IPTABLES -F icmp_allowed
298 - $IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type \
299 + $IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type \
300 time-exceeded -j ACCEPT
301 - $IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type \
302 + $IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type \
303 destination-unreachable -j ACCEPT
304 $IPTABLES -A icmp_allowed -p icmp -j LOG --log-prefix "Bad ICMP traffic:"
305 $IPTABLES -A icmp_allowed -p icmp -j DROP
306 @@ -641,11 +641,11 @@
307 $IPTABLES -N allow-ssh-traffic-in
308 $IPTABLES -F allow-ssh-traffic-in
309 #Flood protection
310 - $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags \
311 + $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags \
312 ALL RST --dport ssh -j ACCEPT
313 - $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags \
314 + $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags \
315 ALL FIN --dport ssh -j ACCEPT
316 - $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags \
317 + $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags \
318 ALL SYN --dport ssh -j ACCEPT
319 $IPTABLES -A allow-ssh-traffic-in -m state --state RELATED,ESTABLISHED -p tcp --dport ssh -j ACCEPT
320
321 @@ -658,9 +658,9 @@
322 einfo "Creating outgoing dns traffic chain"
323 $IPTABLES -N allow-dns-traffic-out
324 $IPTABLES -F allow-dns-traffic-out
325 - $IPTABLES -A allow-dns-traffic-out -p udp -d $DNS1 --dport domain \
326 + $IPTABLES -A allow-dns-traffic-out -p udp -d $DNS1 --dport domain \
327 -j ACCEPT
328 - $IPTABLES -A allow-dns-traffic-out -p udp -d $DNS2 --dport domain \
329 + $IPTABLES -A allow-dns-traffic-out -p udp -d $DNS2 --dport domain \
330 -j ACCEPT
331
332 einfo "Creating outgoing http/https traffic chain"
333 @@ -673,29 +673,29 @@
334 einfo "Creating portscan detection chain"
335 $IPTABLES -N check-flags
336 $IPTABLES -F check-flags
337 - $IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -m limit \
338 - --limit 5/minute -j LOG --log-level alert --log-prefix "NMAP-XMAS:"
339 + $IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -m limit \
340 + --limit 5/minute -j LOG --log-level alert --log-prefix "NMAP-XMAS:"
341 $IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
342 - $IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -m limit --limit \
343 + $IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -m limit --limit \
344 5/minute -j LOG --log-level 1 --log-prefix "XMAS:"
345 $IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -j DROP
346 - $IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG \
347 + $IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG \
348 -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS-PSH:"
349 $IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
350 - $IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -m limit \
351 + $IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -m limit \
352 --limit 5/minute -j LOG --log-level 1 --log-prefix "NULL_SCAN:"
353 $IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -j DROP
354 - $IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -m limit \
355 + $IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -m limit \
356 --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/RST:"
357 $IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
358 - $IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit \
359 + $IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit \
360 --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/FIN:"
361 $IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
362
363 # Apply and add invalid states to the chains
364 einfo "Applying chains to INPUT"
365 $IPTABLES -A INPUT -m state --state INVALID -j DROP
366 - $IPTABLES -A INPUT -j icmp_allowed
367 + $IPTABLES -A INPUT -j icmp_allowed
368 $IPTABLES -A INPUT -j check-flags
369 $IPTABLES -A INPUT -i lo -j ACCEPT
370 $IPTABLES -A INPUT -j allow-ssh-traffic-in
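Review bot: in the INPUT section at the end of the hunk, "-i lo -j ACCEPT" comes after the jumps to icmp_allowed and check-flags, so loopback traffic is run through the ICMP and flag checks (and their LOG rules) before being accepted; putting the loopback accept first in INPUT avoids that. The log levels in check-flags also mix "alert", "1" and "5" for the same class of event; "alert" and "1" are the same priority, so one consistent level (or named levels throughout) would read better. Follow-up points; this hunk only strips trailing whitespace.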
371 @@ -703,7 +703,7 @@
372
373 einfo "Applying chains to FORWARD"
374 $IPTABLES -A FORWARD -m state --state INVALID -j DROP
375 - $IPTABLES -A FORWARD -j icmp_allowed
376 + $IPTABLES -A FORWARD -j icmp_allowed
377 $IPTABLES -A FORWARD -j check-flags
378 $IPTABLES -A FORWARD -o lo -j ACCEPT
379 $IPTABLES -A FORWARD -j allow-ssh-traffic-in
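Review bot: "-o lo -j ACCEPT" in FORWARD never matches, since forwarded packets are not sent out the loopback interface (traffic for local addresses goes through INPUT instead); it looks like a copy of the INPUT line and can be removed in a follow-up.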
380 @@ -721,7 +721,7 @@
381 $IPTABLES -A OUTPUT -j allowed-connection
382
383 #Allow client to route through via NAT (Network Address Translation)
384 - $IPTABLES -t nat -A POSTROUTING -o $IINTERFACE -j MASQUERADE
385 + $IPTABLES -t nat -A POSTROUTING -o $IINTERFACE -j MASQUERADE
386 eend $?
387 }
388
389 @@ -791,7 +791,7 @@
390 echo "rules) force settings of new rules"
391 echo "save) will store settings in ${FIREWALL}"
392 echo "restore) will restore settings from ${FIREWALL}"
393 - echo "showstatus) Shows the status"
394 + echo "showstatus) Shows the status"
395 }
396 </pre>
397
398 @@ -831,7 +831,7 @@
399 browser, authenticated user name, MIME type, and port number (protocol). I
400 probably forgot some features, but it can be hard to cover the entire list right
401 here.
402 -</p>
403 +</p>
404
405 <p>
406 In the following example I have added a banner filter instead of a filter based
407
408
409
410 1.3 xml/htdocs/doc/en/security/shb-intrusion.xml
411
412 file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-intrusion.xml?rev=1.3&view=markup
413 plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-intrusion.xml?rev=1.3&content-type=text/plain
414 diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-intrusion.xml?r1=1.2&r2=1.3
415
416 Index: shb-intrusion.xml
417 ===================================================================
418 RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-intrusion.xml,v
419 retrieving revision 1.2
420 retrieving revision 1.3
421 diff -u -r1.2 -r1.3
422 --- shb-intrusion.xml 23 Nov 2005 18:02:07 -0000 1.2
423 +++ shb-intrusion.xml 18 Sep 2006 09:22:48 -0000 1.3
424 @@ -1,5 +1,5 @@
425 <?xml version='1.0' encoding='UTF-8'?>
426 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-intrusion.xml,v 1.2 2005/11/23 18:02:07 neysx Exp $ -->
427 +<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-intrusion.xml,v 1.3 2006/09/18 09:22:48 neysx Exp $ -->
428 <!DOCTYPE sections SYSTEM "/dtd/book.dtd">
429
430 <!-- The content of this document is licensed under the CC-BY-SA license -->
431 @@ -196,7 +196,7 @@
432 </table>
433
434 <p>
435 -Now you can create you own rules based on the above flags by combining them
436 +Now you can create you own rules based on the above flags by combining them
437 like this:
438 </p>
439
440 @@ -232,11 +232,11 @@
441 </p>
442
443 <pre caption="/etc/aide/aide.conf">
444 -@@ifndef TOPDIR
445 +@@ifndef TOPDIR
446 @@define TOPDIR /
447 @@endif
448
449 -@@ifndef AIDEDIR
450 +@@ifndef AIDEDIR
451 @@define AIDEDIR /etc/aide
452 @@endif
453
454 @@ -278,7 +278,7 @@
455 when checking for file integrity. But when updating or creating a new file it
456 stores the information in <path>/etc/aide/aide.db.new</path>. This is done so it
457 won't automatically overwrite the old db file. The option
458 -<c>report_URL</c> is not yet implemented, but the author's intention was that
459 +<c>report_URL</c> is not yet implemented, but the author's intention was that
460 it should be able to e-mail or maybe even execute scripts.
461 </p>
462
463 @@ -456,7 +456,7 @@
464
465 <p>
466 The best way to use <c>chkrootkit</c> to detect an intrusion is to run it
467 -routinely from <c>cron</c>. To start, emerge <path>app-admin/chkrootkit</path>.
468 +routinely from <c>cron</c>. To start, emerge <path>app-admin/chkrootkit</path>.
469 <c>chkrootkit</c> can be run from the command line by the command of the same
470 name, or from <c>cron</c> with an entry such as this:
471 </p>
472
473
474
475 1.3 xml/htdocs/doc/en/security/shb-kernel.xml
476
477 file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-kernel.xml?rev=1.3&view=markup
478 plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-kernel.xml?rev=1.3&content-type=text/plain
479 diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-kernel.xml?r1=1.2&r2=1.3
480
481 Index: shb-kernel.xml
482 ===================================================================
483 RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-kernel.xml,v
484 retrieving revision 1.2
485 retrieving revision 1.3
486 diff -u -r1.2 -r1.3
487 --- shb-kernel.xml 4 Aug 2006 10:01:50 -0000 1.2
488 +++ shb-kernel.xml 18 Sep 2006 09:22:48 -0000 1.3
489 @@ -1,5 +1,5 @@
490 <?xml version='1.0' encoding='UTF-8'?>
491 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-kernel.xml,v 1.2 2006/08/04 10:01:50 rane Exp $ -->
492 +<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-kernel.xml,v 1.3 2006/09/18 09:22:48 neysx Exp $ -->
493 <!DOCTYPE sections SYSTEM "/dtd/book.dtd">
494
495 <!-- The content of this document is licensed under the CC-BY-SA license -->
496 @@ -40,7 +40,7 @@
497 <p>
498 To dynamically change kernel parameters and variables on the fly, you need
499 <c>CONFIG_SYSCTL</c> defined in your kernel. This is on by default in
500 -a standard 2.4 kernel.
501 +a standard 2.4 kernel.
502 </p>
503
504 <pre caption="Deactivate IP forwarding">
505 @@ -215,7 +215,7 @@
506 </ul>
507
508 <p>
509 -And there are probably a lot more.
510 +And there are probably a lot more.
511 </p>
512
513 </body>
514
515
516
517 1.5 xml/htdocs/doc/en/security/shb-limits.xml
518
519 file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-limits.xml?rev=1.5&view=markup
520 plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-limits.xml?rev=1.5&content-type=text/plain
521 diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-limits.xml?r1=1.4&r2=1.5
522
523 Index: shb-limits.xml
524 ===================================================================
525 RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-limits.xml,v
526 retrieving revision 1.4
527 retrieving revision 1.5
528 diff -u -r1.4 -r1.5
529 --- shb-limits.xml 26 Feb 2006 12:37:22 -0000 1.4
530 +++ shb-limits.xml 18 Sep 2006 09:22:48 -0000 1.5
531 @@ -1,5 +1,5 @@
532 <?xml version='1.0' encoding='UTF-8'?>
533 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-limits.xml,v 1.4 2006/02/26 12:37:22 nightmorph Exp $ -->
534 +<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-limits.xml,v 1.5 2006/09/18 09:22:48 neysx Exp $ -->
535 <!DOCTYPE sections SYSTEM "/dtd/book.dtd">
536
537 <!-- The content of this document is licensed under the CC-BY-SA license -->
538 @@ -41,7 +41,7 @@
539 </p>
540
541 <note>
542 -<path>/etc/security/limits.conf</path> is part of the PAM package and will
543 +<path>/etc/security/limits.conf</path> is part of the PAM package and will
544 only apply to packages that use PAM.
545 </note>
546
547 @@ -52,7 +52,7 @@
548 <body>
549
550 <p>
551 -<path>/etc/limits</path> is very similar to the limit file
552 +<path>/etc/limits</path> is very similar to the limit file
553 <path>/etc/security/limits.conf</path>. The only difference is the format and
554 that it only works on users or wild cards (not groups). Let's have a look at a
555 sample configuration:
556 @@ -97,7 +97,7 @@
557
558 <p>
559 Start by installing quotas with <c>emerge quota</c>. Then modify your
560 -<path>/etc/fstab</path> and add <c>usrquota</c> and <c>grpquota</c> to the
561 +<path>/etc/fstab</path> and add <c>usrquota</c> and <c>grpquota</c> to the
562 partitions that you want to restrict disk usage on, like in the example below.
563 </p>
564
565 @@ -153,8 +153,8 @@
566 </p>
567
568 <pre caption="Setting up quota's for user kn">
569 -Quotas for user kn:
570 -/dev/sda4: blocks in use: 2594, limits (soft = 5000, hard = 6500)
571 +Quotas for user kn:
572 +/dev/sda4: blocks in use: 2594, limits (soft = 5000, hard = 6500)
573 inodes in use: 356, limits (soft = 1000, hard = 1500)
574 </pre>
575
576 @@ -168,7 +168,7 @@
577 <section>
578 <title>/etc/login.defs</title>
579 <body>
580 -
581 +
582 <p>
583 If your security policy states that users should change their password
584 every other week, change the value <c>PASS_MAX_DAYS</c> to 14
585 @@ -203,19 +203,19 @@
586 </pre>
587
588 <impo>
589 -Be careful when configuring these options, since mistakes will leave you
590 +Be careful when configuring these options, since mistakes will leave you
591 with no access to the machine if you do not have root access.
592 </impo>
593
594 <note>
595 -These settings do not apply to SSH, since SSH does not execute
596 -<c>/bin/login</c> per default. This can be enabled by setting <c>UseLogin
597 -yes</c> in <path>/etc/ssh/sshd_config</path>.
598 +These settings do not apply to SSH, since SSH does not execute
599 +<c>/bin/login</c> per default. This can be enabled by setting <c>UseLogin
600 +yes</c> in <path>/etc/ssh/sshd_config</path>.
601 </note>
602
603 <p>
604 -This will setup login access so members of the wheel group can login locally
605 -or from the gentoo.org domain. Maybe too paranoid, but better to be safe than
606 +This will setup login access so members of the wheel group can login locally
607 +or from the gentoo.org domain. Maybe too paranoid, but better to be safe than
608 sorry.
609 </p>
610
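Review bot: the note recommending "UseLogin yes" in sshd_config should carry the caveats from sshd_config(5): login(1) is only used for interactive sessions, so the login.defs settings still do not apply to remote command execution, and enabling it disables X11 forwarding and, with privilege separation, the post-authentication privsep. Follow-up content point; the hunk is whitespace-only.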
611
612
613
614 1.4 xml/htdocs/doc/en/security/shb-logging.xml
615
616 file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-logging.xml?rev=1.4&view=markup
617 plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-logging.xml?rev=1.4&content-type=text/plain
618 diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-logging.xml?r1=1.3&r2=1.4
619
620 Index: shb-logging.xml
621 ===================================================================
622 RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-logging.xml,v
623 retrieving revision 1.3
624 retrieving revision 1.4
625 diff -u -r1.3 -r1.4
626 --- shb-logging.xml 25 Nov 2005 13:54:03 -0000 1.3
627 +++ shb-logging.xml 18 Sep 2006 09:22:48 -0000 1.4
628 @@ -1,5 +1,5 @@
629 <?xml version='1.0' encoding='UTF-8'?>
630 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-logging.xml,v 1.3 2005/11/25 13:54:03 neysx Exp $ -->
631 +<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-logging.xml,v 1.4 2006/09/18 09:22:48 neysx Exp $ -->
632 <!DOCTYPE sections SYSTEM "/dtd/book.dtd">
633
634 <!-- The content of this document is licensed under the CC-BY-SA license -->
635 @@ -31,17 +31,17 @@
636 <body>
637
638 <p>
639 -Syslogd is the most common logger for Linux and Unix in general.
640 -It has some log rotation facilities, but using
641 +Syslogd is the most common logger for Linux and Unix in general.
642 +It has some log rotation facilities, but using
643 <path>/usr/sbin/logrotate</path> in a cron job (logrotate is configured in
644 <path>/etc/logrotate.conf</path>) might prove to be more powerful as
645 -<c>logrotate</c> has many features. How often
646 +<c>logrotate</c> has many features. How often
647 log rotation should be done depends on the system load.
648 </p>
649
650 <p>
651 -Below is the standard <path>syslog.conf</path> with some added features. We
652 -have uncommented the <c>cron</c> and <c>tty</c> lines and added a remote
653 +Below is the standard <path>syslog.conf</path> with some added features. We
654 +have uncommented the <c>cron</c> and <c>tty</c> lines and added a remote
655 logging server. To further enhance security you could add logging to two places.
656 </p>
657
658 @@ -113,7 +113,7 @@
659
660 # The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
661 # you must invoke `xconsole' with the `-file' option:
662 -#
663 +#
664 # $ xconsole -file /dev/xconsole [...]
665 #
666 # NOTE: adjust the list below, or you'll go crazy if you have a reasonably
667 @@ -147,7 +147,7 @@
668 facility (like syslogd), and comes with regular expression matching with which
669 you can launch external scripts when specific patterns are found. It is very good
670 at taking action when needed.
671 -</p>
672 +</p>
673
674 <p>
675 The standard configuration is usually enough. If you want to be notified by
676 @@ -170,18 +170,18 @@
677 <pre caption="/usr/local/sbin/mail_pwd_failures.sh for qmail">
678 #!/bin/sh
679 echo "To: root
680 -Subject:Failure (Warning: $2)
681 +Subject:Failure (Warning: $2)
682 $3
683 " | /var/qmail/bin/qmail-inject -f root
684 </pre>
685
686 <p>
687 -Remember to make the script executable by issuing <c>/bin/chmod +x
688 +Remember to make the script executable by issuing <c>/bin/chmod +x
689 /usr/local/sbin/mail_pwd_failures.sh</c>
690 </p>
691
692 <p>
693 -Then uncomment the command line under "Password failures" in
694 +Then uncomment the command line under "Password failures" in
695 <path>/etc/metalog/metalog.conf</path> like:
696 </p>
697
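Review bot: the script in this hunk pipes `Subject:Failure (Warning: $2)` immediately followed by `$3` into qmail-inject with no empty line between them, so the log text carried in $3 is parsed as part of the header block instead of the message body; put a blank line after the Subject line so $3 becomes the body, and a space after `Subject:` matches the usual header form. The trailing-space removal itself is fine.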
698 @@ -248,7 +248,7 @@
699 filter f_mail { facility(mail); };
700 filter f_user { facility(user); };
701 filter f_debug { not facility(auth, authpriv, news, mail); };
702 -filter f_messages { level(info..warn)
703 +filter f_messages { level(info..warn)
704 and not facility(auth, authpriv, mail, news); };
705 filter f_emergency { level(emerg); };
706
707
708
709
710 1.3 xml/htdocs/doc/en/security/shb-mounting.xml
711
712 file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-mounting.xml?rev=1.3&view=markup
713 plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-mounting.xml?rev=1.3&content-type=text/plain
714 diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-mounting.xml?r1=1.2&r2=1.3
715
716 Index: shb-mounting.xml
717 ===================================================================
718 RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-mounting.xml,v
719 retrieving revision 1.2
720 retrieving revision 1.3
721 diff -u -r1.2 -r1.3
722 --- shb-mounting.xml 1 Jun 2005 17:42:46 -0000 1.2
723 +++ shb-mounting.xml 18 Sep 2006 09:22:48 -0000 1.3
724 @@ -1,5 +1,5 @@
725 <?xml version='1.0' encoding='UTF-8'?>
726 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-mounting.xml,v 1.2 2005/06/01 17:42:46 neysx Exp $ -->
727 +<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-mounting.xml,v 1.3 2006/09/18 09:22:48 neysx Exp $ -->
728 <!DOCTYPE sections SYSTEM "/dtd/book.dtd">
729
730 <!-- The content of this document is licensed under the CC-BY-SA license -->
731 @@ -22,7 +22,7 @@
732
733 <ul>
734 <li>
735 - <c>nosuid</c> - Will ignore the SUID bit and make it just like an ordinary
736 + <c>nosuid</c> - Will ignore the SUID bit and make it just like an ordinary
737 file
738 </li>
739 <li>
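Review bot: the `nosuid` description in this hunk mentions only the SUID bit, but the mount option also ignores the set-group-ID bit on executables; saying "Will ignore the SUID and SGID bits" avoids readers assuming SGID binaries on such a mount still change group.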
740 @@ -63,14 +63,14 @@
741 <note>
742 I do not set <path>/var</path> to <c>noexec</c> or <c>nosuid</c>, even if files
743 normally are never executed from this mount point. The reason for this is that
744 -qmail is installed in <path>/var/qmail</path> and must be allowed to execute
745 -and access one SUID file. I setup <path>/usr</path> in read-only mode since I
746 -never write anything there unless I want to update Gentoo. Then I remount the
747 +qmail is installed in <path>/var/qmail</path> and must be allowed to execute
748 +and access one SUID file. I setup <path>/usr</path> in read-only mode since I
749 +never write anything there unless I want to update Gentoo. Then I remount the
750 file system in read-write mode, update and remount again.
751 </note>
752
753 <note>
754 -Even if you do not use qmail, Gentoo still needs the executable bit set on
755 +Even if you do not use qmail, Gentoo still needs the executable bit set on
756 <path>/var/tmp</path> since ebuilds are made here. But an alternative path can
757 be setup if you insist on having <path>/var</path> mounted in <c>noexec</c>
758 mode.
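Review bot: the second note in this hunk says "an alternative path can be setup" for ebuild builds without naming it; Portage's build directory is set by `PORTAGE_TMPDIR` in /etc/make.conf, so pointing the reader at that variable, and at a mount that does allow execution, would make the advice actionable.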
759
760
761
762 1.4 xml/htdocs/doc/en/security/shb-pam.xml
763
764 file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-pam.xml?rev=1.4&view=markup
765 plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-pam.xml?rev=1.4&content-type=text/plain
766 diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-pam.xml?r1=1.3&r2=1.4
767
768 Index: shb-pam.xml
769 ===================================================================
770 RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-pam.xml,v
771 retrieving revision 1.3
772 retrieving revision 1.4
773 diff -u -r1.3 -r1.4
774 --- shb-pam.xml 4 Aug 2006 10:20:13 -0000 1.3
775 +++ shb-pam.xml 18 Sep 2006 09:22:48 -0000 1.4
776 @@ -1,5 +1,5 @@
777 <?xml version='1.0' encoding='UTF-8'?>
778 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-pam.xml,v 1.3 2006/08/04 10:20:13 rane Exp $ -->
779 +<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-pam.xml,v 1.4 2006/09/18 09:22:48 neysx Exp $ -->
780 <!DOCTYPE sections SYSTEM "/dtd/book.dtd">
781
782 <!-- The content of this document is licensed under the CC-BY-SA license -->
783 @@ -43,7 +43,7 @@
784 </p>
785
786 <pre caption="/etc/pam.d/sshd">
787 -auth required pam_unix.so nullok
788 +auth required pam_unix.so nullok
789 auth required pam_shells.so
790 auth required pam_nologin.so
791 auth required pam_env.so
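Review bot: `auth required pam_unix.so nullok` in this hunk lets accounts whose password field is empty authenticate to sshd; for a hardening guide drop `nullok` so empty passwords are rejected, or say why it is kept.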
792 @@ -65,13 +65,13 @@
793 </p>
794
795 <pre caption="/etc/pam.d/other">
796 -auth required pam_deny.so
797 -auth required pam_warn.so
798 -account required pam_deny.so
799 -account required pam_warn.so
800 -password required pam_deny.so
801 -password required pam_warn.so
802 -session required pam_deny.so
803 +auth required pam_deny.so
804 +auth required pam_warn.so
805 +account required pam_deny.so
806 +account required pam_warn.so
807 +password required pam_deny.so
808 +password required pam_warn.so
809 +session required pam_deny.so
810 session required pam_warn.so
811 </pre>
812
813
814
815
816 1.4 xml/htdocs/doc/en/security/shb-perms.xml
817
818 file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-perms.xml?rev=1.4&view=markup
819 plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-perms.xml?rev=1.4&content-type=text/plain
820 diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-perms.xml?r1=1.3&r2=1.4
821
822 Index: shb-perms.xml
823 ===================================================================
824 RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-perms.xml,v
825 retrieving revision 1.3
826 retrieving revision 1.4
827 diff -u -r1.3 -r1.4
828 --- shb-perms.xml 16 Sep 2006 20:52:02 -0000 1.3
829 +++ shb-perms.xml 18 Sep 2006 09:22:48 -0000 1.4
830 @@ -1,5 +1,5 @@
831 <?xml version='1.0' encoding='UTF-8'?>
832 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-perms.xml,v 1.3 2006/09/16 20:52:02 neysx Exp $ -->
833 +<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-perms.xml,v 1.4 2006/09/18 09:22:48 neysx Exp $ -->
834 <!DOCTYPE sections SYSTEM "/dtd/book.dtd">
835
836 <!-- The content of this document is licensed under the CC-BY-SA license -->
837 @@ -117,33 +117,33 @@
838 <body>
839
840 <p>
841 -A file is only considered deleted when there are no more links pointing to it.
842 -This might sound like a strange concept, but consider that a filename like
843 -<path>/usr/bin/perl</path> is actually a link to the inode where the data is
844 +A file is only considered deleted when there are no more links pointing to it.
845 +This might sound like a strange concept, but consider that a filename like
846 +<path>/usr/bin/perl</path> is actually a link to the inode where the data is
847 stored. Any number of links can point to the file, and until all of them are
848 gone, the file still exists.
849 </p>
850
851 <p>
852 If your users have access to a partition that isn't mounted with <c>nosuid</c>
853 -or <c>noexec</c> (for example, if <path>/tmp</path>, <path>/home</path>, or
854 -<path>/var/tmp</path> are not separate partitions) you should take care to
855 -ensure your users don't create hard links to SUID or SGID binaries, so that
856 +or <c>noexec</c> (for example, if <path>/tmp</path>, <path>/home</path>, or
857 +<path>/var/tmp</path> are not separate partitions) you should take care to
858 +ensure your users don't create hard links to SUID or SGID binaries, so that
859 after Portage updates they still have access to the old versions.
860 </p>
861
862 <warn>
863 -if you have received a warning from portage about remaining hard links, and your
864 -users can write to a partition that allows executing SUID/SGID files, you
865 -should read this section carefully. One of your users may be attempting to
866 -circumvent your update by keeping an outdated version of a program. If your
867 +if you have received a warning from portage about remaining hard links, and your
868 +users can write to a partition that allows executing SUID/SGID files, you
869 +should read this section carefully. One of your users may be attempting to
870 +circumvent your update by keeping an outdated version of a program. If your
871 users cannot create their own SUID files, or can only execute programs using
872 -the dynamic loader (partitions mounted <c>noexec</c>), you do not have to
873 +the dynamic loader (partitions mounted <c>noexec</c>), you do not have to
874 worry.
875 </warn>
876
877 <note>
878 -Users do not need read access to a file to create a link to it, they only need
879 +Users do not need read access to a file to create a link to it, they only need
880 read permission to the directory that contains it.
881 </note>
882
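Review bot: the note in this hunk, "they only need read permission to the directory that contains it", is not accurate: creating a hard link requires search (execute) permission on the directories in the target's path and write permission on the directory where the new link is created; read permission on the containing directory is not needed, which is exactly why a user can link `/bin/su` by name even where listing the directory is denied. Also, the warning starts with a lowercase "if you have received a warning from portage".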
883 @@ -152,7 +152,7 @@
884 </p>
885
886 <pre caption="Stat command">
887 -$ stat /bin/su
888 +$ stat /bin/su
889 File: `/bin/su'
890 Size: 29350 Blocks: 64 IO Block: 131072 regular file
891 Device: 900h/2304d Inode: 2057419 Links: 1
892
893
894
895 1.3 xml/htdocs/doc/en/security/shb-pre.xml
896
897 file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-pre.xml?rev=1.3&view=markup
898 plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-pre.xml?rev=1.3&content-type=text/plain
899 diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-pre.xml?r1=1.2&r2=1.3
900
901 Index: shb-pre.xml
902 ===================================================================
903 RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-pre.xml,v
904 retrieving revision 1.2
905 retrieving revision 1.3
906 diff -u -r1.2 -r1.3
907 --- shb-pre.xml 1 Jun 2005 17:42:46 -0000 1.2
908 +++ shb-pre.xml 18 Sep 2006 09:22:48 -0000 1.3
909 @@ -1,5 +1,5 @@
910 <?xml version='1.0' encoding='UTF-8'?>
911 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-pre.xml,v 1.2 2005/06/01 17:42:46 neysx Exp $ -->
912 +<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-pre.xml,v 1.3 2006/09/18 09:22:48 neysx Exp $ -->
913 <!DOCTYPE sections SYSTEM "/dtd/book.dtd">
914
915 <!-- The content of this document is licensed under the CC-BY-SA license -->
916 @@ -62,7 +62,7 @@
917
918 <ul>
919 <li>
920 - Any directory tree a user should be able to write to (e.g. <path>/home</path>,
921 + Any directory tree a user should be able to write to (e.g. <path>/home</path>,
922 <path>/tmp</path>) should be on a separate partition and use disk quotas. This
923 reduces the risk of a user filling up your whole filesystem. Portage
924 uses <path>/var/tmp</path> to compile files, so that partition should be large.
925 @@ -143,7 +143,7 @@
926 <p>
927 There are several reasons to draft a security policy for your system(s) and
928 network.
929 -</p>
930 +</p>
931
932 <ul>
933 <li>
934
935
936
937 1.4 xml/htdocs/doc/en/security/shb-services.xml
938
939 file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-services.xml?rev=1.4&view=markup
940 plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-services.xml?rev=1.4&content-type=text/plain
941 diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-services.xml?r1=1.3&r2=1.4
942
943 Index: shb-services.xml
944 ===================================================================
945 RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-services.xml,v
946 retrieving revision 1.3
947 retrieving revision 1.4
948 diff -u -r1.3 -r1.4
949 --- shb-services.xml 11 Mar 2006 16:44:44 -0000 1.3
950 +++ shb-services.xml 18 Sep 2006 09:22:48 -0000 1.4
951 @@ -1,5 +1,5 @@
952 <?xml version='1.0' encoding='UTF-8'?>
953 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-services.xml,v 1.3 2006/03/11 16:44:44 swift Exp $ -->
954 +<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-services.xml,v 1.4 2006/09/18 09:22:48 neysx Exp $ -->
955 <!DOCTYPE sections SYSTEM "/dtd/book.dtd">
956
957 <!-- The content of this document is licensed under the CC-BY-SA license -->
958 @@ -35,8 +35,8 @@
959 #Make it listen on your ip
960 Listen 127.0.0.1
961 BindAddress 127.0.0.1
962 -#It is not a good idea to use nobody or nogroup -
963 -#for every service not running as root
964 +#It is not a good idea to use nobody or nogroup -
965 +#for every service not running as root
966 #(just add the user apache with group apache)
967 User apache
968 Group apache
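Review bot: `BindAddress 127.0.0.1` in this hunk is an Apache 1.3 directive that was removed in 2.0, where `Listen 127.0.0.1:80` alone binds the address; the section should say which Apache version it targets or drop the line. The comment "Make it listen on your ip" also sits oddly above a loopback address; the intent is to bind only the interface you need.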
969 @@ -46,7 +46,7 @@
970 </pre>
971
972 <p>
973 -Apache is compiled with <c>--enable-shared=max</c> and
974 +Apache is compiled with <c>--enable-shared=max</c> and
975 <c>--enable-module=all</c>. This will by default enable all modules, so you
976 should comment out all modules in the <c>LoadModule</c> section
977 (<c>LoadModule</c> and <c>AddModule</c>) that you do not use. Restart the
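Review bot: `AddModule` in this hunk likewise exists only in Apache 1.3 (2.x configuration has no AddModule section), and `--enable-shared=max` / `--enable-module=all` are the 1.3 configure flags; the paragraph should state the version the LoadModule/AddModule advice applies to so readers of a 2.x install do not look for a section that is not there.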
978 @@ -72,13 +72,13 @@
979 </p>
980
981 <p>
982 -The newer BIND ebuilds support chrooting out of the box. After emerging
983 +The newer BIND ebuilds support chrooting out of the box. After emerging
984 <c>bind</c> follow these simple instructions:
985 </p>
986
987 <pre caption="Chrooting BIND">
988 ebuild /var/db/pkg/net-dns/bind-9.2.2-r2/bind-9.2.2-r2.ebuild config\`"
989 -<comment>(Before running the above command you might want to change the chroot
990 +<comment>(Before running the above command you might want to change the chroot
991 directory in /etc/conf.d/named. Otherwise /chroot/dns will be used.)</comment>
992 <comment>(You might need to substitute the version number with the current version number )</comment>
993 </pre>
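Review bot: the command in this hunk, `ebuild /var/db/pkg/net-dns/bind-9.2.2-r2/bind-9.2.2-r2.ebuild config\`"`, ends in a stray `\`"` that will either break the shell's quoting or be passed as an extra argument; the line should end at `config`. The hard-coded version in the path is already acknowledged by the second comment.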
994 @@ -118,7 +118,7 @@
995 <body>
996
997 <p>
998 -If you only need local applications to access the <c>mysql</c> database,
999 +If you only need local applications to access the <c>mysql</c> database,
1000 uncomment the following line in <path>/etc/mysql/my.cnf</path>.
1001 </p>
1002
1003 @@ -227,7 +227,7 @@
1004 <p>
1005 Use virtual users (never system accounts) by enabling the <c>AUTH</c> option.
1006 Set this to <c>-lpuredb:/etc/pureftpd.pdb</c> and create your users by using
1007 -<c>/usr/bin/pure-pw</c>.
1008 +<c>/usr/bin/pure-pw</c>.
1009 </p>
1010
1011 <pre caption="/etc/conf.d/pure-ftpd">
1012 @@ -261,7 +261,7 @@
1013
1014 <p>
1015 Vsftpd (short for very secure ftp) is a small ftp daemon running a reasonably
1016 -default configuration. It is simple and does not have as many features as
1017 +default configuration. It is simple and does not have as many features as
1018 pureftp and proftp.
1019 </p>
1020
1021 @@ -327,7 +327,7 @@
1022 #allow traffic from 10.0.0.*
1023 hosts allow = 10.0.0.
1024
1025 - #Enables user authentication
1026 + #Enables user authentication
1027 #(don't use the share mode)
1028 security = user
1029
1030 @@ -366,7 +366,7 @@
1031 <p>
1032 The only securing that OpenSSH needs is turning on a stronger authentication
1033 based on public key encryption. Too many sites (like
1034 -<uri>http://www.sourceforge.net</uri>, <uri>http://www.php.net</uri> and
1035 +<uri>http://www.sourceforge.net</uri>, <uri>http://www.php.net</uri> and
1036 <uri>http://www.apache.org</uri>) have suffered unauthorized intrusion
1037 due to password leaks or bad passwords.
1038 </p>
1039 @@ -391,11 +391,11 @@
1040 AllowGroups wheel admin
1041
1042 #In those groups only allow the following users
1043 -#The @&lt;domainname&gt; is optional but replaces the
1044 +#The @&lt;domainname&gt; is optional but replaces the
1045 #older AllowHosts directive
1046 AllowUsers kn@g.o bs@g.o
1047
1048 -#Logging
1049 +#Logging
1050 SyslogFacility AUTH
1051 LogLevel INFO
1052
1053 @@ -433,8 +433,8 @@
1054 </pre>
1055
1056 <p>
1057 -This will add two files in your <path>~/.ssh/</path> directory called
1058 -<path>id_dsa</path> and <path>id_dsa.pub</path>. The file called
1059 +This will add two files in your <path>~/.ssh/</path> directory called
1060 +<path>id_dsa</path> and <path>id_dsa.pub</path>. The file called
1061 <path>id_dsa</path> is your private key and should be kept from other people
1062 than yourself. The other file <path>id_dsa.pub</path> is to be distributed to
1063 every server that you have access to. Add the key to the users home directory
1064 @@ -444,7 +444,7 @@
1065 <pre caption="Adding the id_dsa.pub file to the authorized_keys file">
1066 $ <i>scp id_dsa.pub other-host:/var/tmp/currenthostname.pub</i>
1067 $ <i>ssh other-host</i>
1068 -password:
1069 +password:
1070 $ <i>cat /var/tmp/currenthostname.pub >> ~/.ssh/authorized_keys</i>
1071 </pre>
1072
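Review bot: the procedure in this hunk stages the public key in world-writable /var/tmp on other-host and then runs `cat /var/tmp/currenthostname.pub >> ~/.ssh/authorized_keys`; between the scp and the cat any local user on other-host can replace that file and get their own key appended. Copy the key into a directory only the user can write (for example `scp id_dsa.pub other-host:~/`), or use `ssh-copy-id`, and remind the reader to keep ~/.ssh at mode 700 and authorized_keys at 600, since sshd with the default StrictModes refuses keys in group- or world-writable locations.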
1073 @@ -466,10 +466,10 @@
1074 <body>
1075
1076 <p>
1077 -xinetd is a replacement for <c>inetd</c> (which Gentoo does not have),
1078 +xinetd is a replacement for <c>inetd</c> (which Gentoo does not have),
1079 the Internet services daemon. It supports access control based on the address of
1080 -the remote host and the time of access. It also provide extensive logging
1081 -capabilities, including server start time, remote host address, remote user
1082 +the remote host and the time of access. It also provide extensive logging
1083 +capabilities, including server start time, remote host address, remote user
1084 name, server run time, and actions requested.
1085 </p>
1086
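Review bot: grammar in this hunk: "It also provide extensive logging capabilities" should read "It also provides"; the parenthetical "(which Gentoo does not have)" is also ambiguous about whether it refers to inetd or to the Internet services daemon and could be reworded.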
1087 @@ -506,10 +506,10 @@
1088 # bind the interfaces to only 1 ip
1089 # allow access from 10.0.0.*
1090 # limit the time developers can use cvs from 8am to 5pm
1091 -# use tpcd wrappers (access control controlled in
1092 +# use tpcd wrappers (access control controlled in
1093 # <i>/etc/hosts.allow</i> and <i>/etc/hosts.deny</i>)
1094 # max_load on the machine set to 1.0
1095 -# The disable flag is per default set to no but I like having
1096 +# The disable flag is per default set to no but I like having
1097 # it in case of it should be disabled
1098 service cvspserver
1099 {
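Review bot: typo in the comment in this hunk: "use tpcd wrappers" should be "use tcpd wrappers" (TCP wrappers, controlled through `/etc/hosts.allow` and `/etc/hosts.deny` as the next line says).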
1100 @@ -547,28 +547,28 @@
1101 </p>
1102
1103 <impo>
1104 -If you do not need this service disable it!
1105 +If you do not need this service disable it!
1106 </impo>
1107
1108 <p>
1109 -But if you depend on using your workstation as a Xserver use the
1110 -<c>/usr/X11R6/bin/xhost</c> command with caution. This command allows clients
1111 -from other hosts to connect and use your display. This can become handy if you
1112 -need an X application from a different machine and the only way is through the
1113 +But if you depend on using your workstation as a Xserver use the
1114 +<c>/usr/X11R6/bin/xhost</c> command with caution. This command allows clients
1115 +from other hosts to connect and use your display. This can become handy if you
1116 +need an X application from a different machine and the only way is through the
1117 network, but it can also be exploited by an attacker. The syntax of this
1118 command is <c>/usr/X11R6/bin/xhost +hostname</c>
1119 </p>
1120
1121 <warn>
1122 -Do not ever use the <c>xhost +</c> feature! This will allow any client to
1123 -connect and take control of your X. If an attacker can get access to your X,
1124 -he can log your keystrokes and take control over your desktop. If you have to
1125 +Do not ever use the <c>xhost +</c> feature! This will allow any client to
1126 +connect and take control of your X. If an attacker can get access to your X,
1127 +he can log your keystrokes and take control over your desktop. If you have to
1128 use it always remember to specify a host.
1129 </warn>
1130
1131 <p>
1132 -A more secure solution is to disable this feature completely by starting X with
1133 -<c>startx -- -nolisten tcp</c> or disable it permanently in the configuration.
1134 +A more secure solution is to disable this feature completely by starting X with
1135 +<c>startx -- -nolisten tcp</c> or disable it permanently in the configuration.
1136 </p>
1137
1138 <pre caption="/usr/X11R6/bin/startx">
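Review bot: the text in this hunk presents `xhost +hostname` as the careful form, but it grants every user on that host, not a single user, access to the display, and those connections arrive over the unauthenticated TCP listener; since the same hunk goes on to recommend `startx -- -nolisten tcp`, it should say plainly that xhost-based access only works while that listener is on, and that disabling the listener is the preferred state with xhost reserved for the rare case the author describes.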
1139 @@ -603,7 +603,7 @@
1140 </p>
1141
1142 <pre caption="/etc/X11/xdm/Xservers">
1143 -:0 local /usr/bin/X11/X -nolisten tcp
1144 +:0 local /usr/bin/X11/X -nolisten tcp
1145 </pre>
1146
1147 </body>
1148
1149
1150
1151 1.3 xml/htdocs/doc/en/security/shb-tight.xml
1152
1153 file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-tight.xml?rev=1.3&view=markup
1154 plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-tight.xml?rev=1.3&content-type=text/plain
1155 diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-tight.xml?r1=1.2&r2=1.3
1156
1157 Index: shb-tight.xml
1158 ===================================================================
1159 RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-tight.xml,v
1160 retrieving revision 1.2
1161 retrieving revision 1.3
1162 diff -u -r1.2 -r1.3
1163 --- shb-tight.xml 4 Mar 2006 05:58:44 -0000 1.2
1164 +++ shb-tight.xml 18 Sep 2006 09:22:48 -0000 1.3
1165 @@ -1,5 +1,5 @@
1166 <?xml version='1.0' encoding='UTF-8'?>
1167 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-tight.xml,v 1.2 2006/03/04 05:58:44 fox2mike Exp $ -->
1168 +<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-tight.xml,v 1.3 2006/09/18 09:22:48 neysx Exp $ -->
1169 <!DOCTYPE sections SYSTEM "/dtd/book.dtd">
1170
1171 <!-- The content of this document is licensed under the CC-BY-SA license -->
1172 @@ -66,7 +66,7 @@
1173 grub> <i>md5crypt</i>
1174
1175 Password: <i>********</i>
1176 -<comment>(Typed changeme at the prompt)</comment>
1177 +<comment>(Typed changeme at the prompt)</comment>
1178 Encrypted: $1$T7/dgdIJ$dJM.n2wZ8RG.oEiIOwJUs.
1179
1180 grub> <i>quit</i>
1181 @@ -77,7 +77,7 @@
1182 </p>
1183
1184 <pre caption="/boot/grub/grub.conf">
1185 -timeout 5
1186 +timeout 5
1187 password --md5 $1$T7/dgdIJ$dJM.n2wZ8RG.oEiIOwJUs.
1188 </pre>
1189
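Review bot: `password --md5 $1$T7/dgdIJ$dJM.n2wZ8RG.oEiIOwJUs.` in this hunk is the hash of the example password "changeme" produced in the previous hunk; because it is published in the handbook, the text should tell readers to paste the hash from their own `md5crypt` run rather than copy this one, and should note that grub.conf ought to be readable by root only so the hash is not exposed to offline guessing.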
1190 @@ -104,8 +104,8 @@
1191 </p>
1192
1193 <pre caption="/etc/lilo.conf">
1194 -password=changeme
1195 -restricted
1196 +password=changeme
1197 +restricted
1198 delay=3
1199 </pre>
1200
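Review bot: `password=changeme` in this hunk stores the boot password in /etc/lilo.conf in clear text and the hunk does not say to protect the file; add `chmod 600 /etc/lilo.conf` (and re-run `lilo` after editing) so non-root users cannot read it. It is also worth spelling out next to `restricted` that the password is then only requested when boot parameters are supplied.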
1201 @@ -114,9 +114,9 @@
1202 </p>
1203
1204 <pre caption="/etc/lilo.conf">
1205 -image=/boot/bzImage
1206 - read-only
1207 - password=changeme
1208 +image=/boot/bzImage
1209 + read-only
1210 + password=changeme
1211 restricted
1212 </pre>
1213
1214
1215
1216
1217 1.3 xml/htdocs/doc/en/security/shb-uptodate.xml
1218
1219 file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-uptodate.xml?rev=1.3&view=markup
1220 plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-uptodate.xml?rev=1.3&content-type=text/plain
1221 diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-uptodate.xml?r1=1.2&r2=1.3
1222
1223 Index: shb-uptodate.xml
1224 ===================================================================
1225 RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-uptodate.xml,v
1226 retrieving revision 1.2
1227 retrieving revision 1.3
1228 diff -u -r1.2 -r1.3
1229 --- shb-uptodate.xml 13 Oct 2005 15:34:30 -0000 1.2
1230 +++ shb-uptodate.xml 18 Sep 2006 09:22:48 -0000 1.3
1231 @@ -1,5 +1,5 @@
1232 <?xml version='1.0' encoding='UTF-8'?>
1233 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-uptodate.xml,v 1.2 2005/10/13 15:34:30 neysx Exp $ -->
1234 +<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-uptodate.xml,v 1.3 2006/09/18 09:22:48 neysx Exp $ -->
1235 <!DOCTYPE sections SYSTEM "/dtd/book.dtd">
1236
1237 <!-- The content of this document is licensed under the CC-BY-SA license -->
1238 @@ -108,7 +108,7 @@
1239 </p>
1240
1241 <p>
1242 -If you want an email each time a GLSA is released subscribe to the
1243 +If you want an email each time a GLSA is released subscribe to the
1244 <c>gentoo-announce</c> mailing list. Instructions for joining it and many other
1245 great mailing lists can be found <uri link="/main/en/lists.xml">Gentoo Linux
1246 Mailing List Overview</uri>.
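Review bot: the sentence in this hunk is missing a preposition: "can be found <uri link="/main/en/lists.xml">Gentoo Linux Mailing List Overview</uri>" should read "can be found in the ...". The whitespace change itself is fine.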
1247
1248
1249
1250 --
1251 gentoo-doc-cvs@g.o mailing list