I'm sorry if I came off a bit rude, it wasn't my intent. Also, I'm sorry for not being constructive; I'll try not to e-mail during rush hour in the future :-)
About a more widespread flora of security references: my thought was that the better-known universities around the world must have written kilometers of papers on Linux security. Finding freely available papers describing general security on Linux was easier said than done. I found some references during a quick scan this evening.
I guess it's a matter of trust. Of course the US Government and the NSA have excellent and trustworthy security people, and information on this subject is collaborative... but at least I feel more secure seeing that it's not only the US Government and secret service that approve and advocate the security issues brought out in this security guide.
Universities:
http://www.princeton.edu/~essweb/linux/linuxsecurity.html
http://www.yale.edu/its/secure-computing/
http://www.yale.edu/its/security/sysadmin/server-guidelines.html
http://www.yale.edu/its/security/network/unix.html
http://www-uxsup.csx.cam.ac.uk/security/unix-box.html

Other:
http://www.tldp.org/HOWTO/Security-HOWTO/
http://tldp.org/HOWTO/Security-Quickstart-HOWTO/
http://en.tldp.org/HOWTO/Secure-Programs-HOWTO/open-source-security.html
http://www.puschitz.com/SecuringLinux.shtml
http://en.wikipedia.org/wiki/Linux_Security_Modules

Vendors:
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/en-US/Security_G...
I'll try and find some more / better references as soon as I have some more free time.
//M
On Sun 2009-01-04 at 12:00 -0500, Message: 8 wrote:
Date: Sun, 4 Jan 2009 09:44:55 -0500
From: "Paul W. Frields" stickster@gmail.com
Subject: Re: PATCH[1/1] Linux Security Guide
To: fedora-docs-list@redhat.com
Message-ID: 20090104144455.GB18821@localhost.localdomain
Content-Type: text/plain; charset="utf-8"
On Sun, Jan 04, 2009 at 09:07:16PM +1000, Murray McAllister wrote:
On Sun, Jan 4, 2009 at 7:20 PM, Magnus Glantz mg@hacka.net wrote:
My 5 as a non-US citizen.
I do not feel comfortable with a guide that seems almost completely ripped off published US military/government documents.
I only looked at the English. I was not aware of the origins of the content.
I will be more careful in future.
Thanks! :-)
"Ripped off" seems unnecessarily harsh to me, and incorrectly implies that somehow the content was lifted without permission, when in fact the references in question are freely available to everyone (USA domestic or foreign). The principles embodied in most of those references are fairly universal and you'll find them echoed in most high-level infosec materials. In fact, some foreign governments use these references themselves.
The Security Guide continues to be a collaborative, participatory project, so anyone who is unhappy with the content -- or completely satisfied, too, for that matter -- is free to get involved! :-) You could start by providing equivalent or comparable non-US references, for example.
Good resources. Thanks for sending them. My reasoning for building that part of the Security Guide based on US Government documents and not documents from universities or commercial sources has a simple explanation. Government computers HAVE to be secure. I've seen way too many universities and businesses run a half-way security mindset. They are more interested in the bottom line than in a secure system, even though a secure system will help the bottom line in the long run.
The only other industry that I would like to pull from is the banking industry. They are generally notorious for their secure systems (I'm talking about the larger banks). They could stand to lose billions of dollars if they are "broken into". Of course most of the banks keep their documentation secret so as not to tip off anyone with a possible documented flaw.
I agree that we should be looking at multiple sources and that will come in time. Please feel free to add information into the guide. I'll be happy to read any patches that you, or anyone else, has to offer to the guide. If you have any specific interests, please let me know!
Thanks,
Eric Christensen
E-Mail: sparks@fedoraproject.org
GPG Key: BD0C14C1
On Sun, Jan 04, 2009 at 11:34:53PM +0100, Magnus Glantz wrote:
Vendors: http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/en-US/Security_G...
Just a note for the historical record. The above content is in fact the basis for the 'Linux Security Guide' being discussed here.
Just thought it was an ironic reference. ;-D
- Karsten