Text from bug update:
Here's the Intro and Chapter 1. If you reference the outline I posted a while ago, you'll notice that kernel hardening is supposed to be chapter 2. Since that doc is still in the works, I'm going to jump right into chapter 3, and if I can assist on the Kernel Compilation doc, I will. Will post more as it is available.
Link to bug: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=129957
I think that the kernel compilation doc should be referenced in this doc, but I'm not sure that it should be the only text on the subject. I envision the reference to be for people who don't know how to compile/recompile a kernel, and my Chapter 2 will discuss things that can be included or left out to make the system more secure (for example, a discussion of building the kernel without modules). Perhaps the kernel compilation doc should cross-reference this section of my doc?
Anyhow, in the meantime, I will continue on with Chapter 3: Securing the Filesystem.
An html view of the doc, as well as ongoing developments (in html format), will still be available at the link below. Please provide direct feedback, criticisms, praise, jeers, etc. to the list, or my email off-list, if desired.
Thanks.
-Charlie
On Fri, 2004-10-01 at 18:45, tuxxer wrote: [...snip...]
An html view of the doc, as well as ongoing developments (in html format), will still be available at the link below. Please provide direct feedback, criticisms, praise, jeers, etc. to the list, or my email off-list, if desired.
Hi Charlie, you may want to change the bottom example in Section 2.1. The way I read it, you are doing 64 (!!!) complete traversals of the file system to find these files, when only one is necessary. Try removing the "for" loops and doing instead:
find / -perm +002 | tee -a world-writable-files.txt
Keep in mind that this list will include a lot of /dev entries that don't really indicate a problem (ttys and such), not to mention links. You might want to declare that you do not want to look at block or character special devices, or links, and just regular files and directories. Although it's conceivable one might miss something glaring, system hardening should probably be done before one is connected to the Internet, and right after installation, so it's unlikely that skipping these files would expose you to much risk.
find / \( -type d -o -type f \) -perm +002 | tee -a world-writable.txt
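Paul's single-traversal approach, carried one step further as an added example that is not part of the original thread: it keeps the one walk of the tree, skips links and device nodes by matching only regular files and directories, stays on one filesystem with -xdev, and separates sticky-bit directories such as /tmp (world-writable by design) from entries that deserve a look. It assumes GNU find, whose current spelling for "any of these bits" is -perm /002 rather than the 2004-era +002; the function name and output format are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or the hardening doc it discusses.
# audit_world_writable ROOT OUTFILE
#   One traversal of ROOT for world-writable regular files and directories.
#   Writes one line per hit to OUTFILE: "WRITABLE   path" for entries that
#   need review, "sticky-dir path" for directories that are world-writable
#   on purpose (sticky bit set, e.g. /tmp). Returns 0 when nothing needs
#   review, 1 otherwise. ROOT is a parameter only so the function can be
#   pointed at a test tree; on a real host you would pass "/".
audit_world_writable() {
    root=$1
    out=$2
    : > "$out"
    # -xdev keeps find on a single filesystem, so /proc, /sys and network
    # mounts are not walked; run once per local filesystem instead.
    # Without -L, -type tests the symlink itself, so links are skipped.
    find "$root" -xdev \( -type f -o -type d \) -perm /002 -print 2>/dev/null |
    while IFS= read -r path; do
        if [ -d "$path" ] && [ -k "$path" ]; then
            printf 'sticky-dir %s\n' "$path"
        else
            printf 'WRITABLE   %s\n' "$path"
        fi
    done >> "$out"
    if grep -q '^WRITABLE' "$out"; then
        return 1
    fi
    return 0
}
```

Because sticky directories are listed separately, a follow-up review only has to read the WRITABLE lines, and the report file itself should live outside the audited tree (or be created mode 0600) so it does not show up in its own output.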
On Sat, 2004-10-02 at 13:21, Paul W. Frields wrote: [...snip...]
-- Paul W. Frields, RHCE
Much more elegant, and quite effective. Thanks. I've updated it in the html draft at http://members.cox.net/tuxxer, but I'm not going to submit a new tarball until I have more of Chapter 3 done (or completely done).
Also, it was pointed out that I missed a step when uploading the tarball to the bug. I didn't select the MIME type. So, if you have any issues, the file is a gzipped-tarball in *.tgz format. Sorry, I'll get it next time. ;-)
-Charlie