My €5 as a non-US citizen.
I do not feel comfortable with a guide that seems almost completely ripped off published US military/government documents. Also, way too many direct references to US military/government web pages and documents.
My thought is that this needs a complete re-write.
Best regards, //M
Today's Topics:
- PATCH[1/1] Linux Security Guide: edit of General_Principles.xml (Murray McAllister)
- Re: PATCH[1/1] Linux Security Guide: edit of General_Principles.xml (Murray McAllister)
Message: 1
Date: Sat, 3 Jan 2009 14:20:01 +1000
From: "Murray McAllister" murray.mcallister@gmail.com
Subject: PATCH[1/1] Linux Security Guide: edit of General_Principles.xml
To: "For participants of the Documentation Project" fedora-docs-list@redhat.com
Cc: sparks@fedoraproject.org
Message-ID: 95f1114b0901022020n3fe734b5icd4792d9e3b78c71@mail.gmail.com
Content-Type: text/plain; charset=ISO-8859-1
Hi,
I found some motivation this morning, so I tried to review "...community/fc11/en-US/General_Principles.xml".
If it looks okay, it would be great if a security person (I made minor additions) and a writer person could check it for accuracy.
--- community/fc11/en-US/General_Principles.xml 2009-01-03 13:44:01.000000000 +1000 +++ new/community/fc11/en-US/General_Principles.xml 2009-01-03 13:42:09.000000000 +1000 @@ -5,88 +5,70 @@
<chapter id="chap-Security_Guide-General_Principles_of_Information_Security"> <title>General Principles of Information Security</title> <para> - The United States' <ulink url="www.nsa.gov">National Security Agency</ulink> (NSA) provides hardening guides and hardening tips for many different operating systems to help government agencies, businesses, and individuals help secure their system against attacks. In addition to specific settings to change, a set of general principles have been developed to give you a high level view of information security. + The following general principals provide an overview of good security practices: </para> - <section id="sect-Security_Guide-General_Principles_of_Information_Security-General_Principles"> - <title>General Principles</title> - <itemizedlist> - <listitem> - <para> - Encrypt all data transmitted over the network. Encrypting authentication information (such as passwords) is particularly important. - </para> - </listitem> - <listitem> - <para> - Minimize the amount of software installed and running in order to minimize vulnerability. - </para> - </listitem> - <listitem> - <para> - Use security-enhancing software and tools whenever available (e.g. SELinux and IPTables). - </para> - </listitem> - <listitem> - <para> - Run each network service on a separate server whenever possible. This minimizes the risk that a compromise of one service could lead to a compromise of others. - </para> - </listitem> - <listitem> - <para> - Maintain user accounts. Create a good password policy and enforce its use. Delete unused user accounts. - </para> - </listitem> - <listitem> - <para> - Review system and application logs on a routine basis. Send logs to a dedicated log server. This prevents intruders from easily avoiding detection by modifying the local logs. - </para> - </listitem> - <listitem> - <para> - Never login directly as root, unless absolutely necessary. Administrators should use sudo to execute commands as root when required. 
The accounts capable of using sudo are specified in /etc/sudoers, which is edited with the visudo utility. By default, relavent logs are written to /var/log/secure. - </para> - </listitem> - </itemizedlist> - </section> + <itemizedlist> + <listitem> + <para> + encrypt all data transmitted over networks to help prevent man-in-the-middle attacks and eavesdropping. It is important to encrypt authentication information, such as passwords. + </para> + </listitem> + <listitem> + <para> + minimize the amount of software installed and running services. + </para> + </listitem> + <listitem> + <para> + use security-enhancing software and tools, for example, Security-Enhanced Linux (SELinux) for Mandatory Access Control (MAC), Netfilter iptables for packet filtering (firewall), and the GNU Privacy Guard (GnuPG) for encrypting documents. + </para> + </listitem> + <listitem> + <para> + if possible, run each network service on a separate system to minimize the risk of one compromised service being used to compromise other services. + </para> + </listitem> + <listitem> + <para> + maintain user accounts: create and enforce a strong password policy; delete unused user accounts. + </para> + </listitem> + <listitem> + <para> + routinely review system and application logs. By default, security-relevant system logs are written to <filename>/var/log/secure</filename> and <filename>/var/log/audit/audit.log</filename>. Note: sending logs to a dedicated log server helps prevent attackers from easily modifying local logs to avoid detection. + </para> + </listitem> + <listitem> + <para> + never log in as the root user unless absolutely necessary. It is recommended that administrators use <command>sudo</command> to execute commands as root when required. Users capable of running <command>sudo</command> are specified in <filename>/etc/sudoers</filename>. Use the <command>visudo</command> utility to edit <filename>/etc/sudoers</filename>. 
+ </para> + </listitem> + </itemizedlist> <section id="sect-Security_Guide-General_Principles_of_Information_Security-Tips_Guides_and_Tools"> <title>Tips, Guides, and Tools</title> <para> - Most of the above tips are very basic. Depending on your knowledge of Linux and how comfortable you are with modifying your system, some changes could be made to help make your installation more secure. As mentioned above, the NSA has hardening guides and tips for securing Red Hat Enterprise Linux 5. Likewise, the <ulink url="http://www.disa.mil/">Defense Information Systems Agency</ulink> (DISA) has an <ulink url="iase.disa.mil">Information Assurance Support Environment</ulink> in which they publish checklists and tests for verifying the security of your system. The documents from the NSA are a good read for anyone familiar with Linux while the information from DISA is extremely specific and advanced knowledge of Unix/Linux would be a great benefit. Links to these documents are listed below. We will try to pull some of the larger items out of these documents and explain how to implement them in Fedora and why they are important. In addition to documentation, DISA has made available SRR scripts that allow an administrator to check specific settings on a system quickly. The SRR scripts will provide an XML-formatted report listing any known vulnerable settings that you have on your system. + The United States' <ulink url="http://www.nsa.gov/">National Security Agency (NSA)</ulink> provides hardening guides and tips for many different operating systems, to help government agencies, businesses, and individuals secure their systems against attack. 
The following guides (in PDF format) provide guidance for Red Hat Enterprise Linux 5: </para> - </section> - <section id="sect-Security_Guide-General_Principles_of_Information_Security-NSA_Documents"> - <title>NSA Documents</title> <itemizedlist> - <listitem> - <para> - <ulink url="www.nsa.gov/notices/notic00004.cfm?Address=/snac/os/redhat/rhel5-pamphlet-i731.pdf">Hardening Tips for the Red Hat Enterprise Linux 5 (PDF)</ulink> - </para> - </listitem> - <listitem> - <para> - <ulink url="www.nsa.gov/notices/notic00004.cfm?Address=/snac/os/redhat/rhel5-guide-i731.pdf">Guide to the Secure Configuration of Red Hat Enterprise Linux 5 (PDF)</ulink> - </para> - </listitem> + <listitem> + <para> + <ulink url="http://www.nsa.gov/notices/notic00004.cfm?Address=/snac/os/redhat/rhel5-pamphlet-i731.pdf">Hardening Tips for the Red Hat Enterprise Linux 5</ulink> + </para> + </listitem> + <listitem> + <para> + <ulink url="http://www.nsa.gov/notices/notic00004.cfm?Address=/snac/os/redhat/rhel5-guide-i731.pdf">Guide to the Secure Configuration of Red Hat Enterprise Linux 5</ulink> + </para> + </listitem> </itemizedlist> - </section> - <section id="sect-Security_Guide-General_Principles_of_Information_Security-DISA_IASE_Documents"> - <title>DISA IASE Documents</title> - <itemizedlist> - <listitem> - <para> - <ulink url="iase.disa.mil/stigs/stig/index.html">Security Technical Implementation Guides</ulink> (STIG) Scroll down to the Unix STIG - </para> - </listitem> - <listitem> - <para> - <ulink url="iase.disa.mil/stigs/checklist/index.html">Security Checklists</ulink> Scroll down to the Unix Security Checklists - </para> - </listitem> - <listitem> - <para> - <ulink url="iase.disa.mil/stigs/SRR/unix.html">Unix Security Readiness Review Evaluation Script</ulink> - </para> - </listitem> - </itemizedlist> - </section> - </chapter> - + <para> + The <ulink url="http://www.disa.mil/">Defense Information Systems Agency (DISA)</ulink> provides documentation, checklists, and tests to help secure 
your system (<ulink url="http://iase.disa.mil/index2.html">Information Assurance Support Environment</ulink>). The <ulink url="http://iase.disa.mil/stigs/stig/unix-stig-v5r1.pdf">UNIX SECURITY TECHNICAL IMPLEMENTATION GUIDE</ulink> (PDF) is a very specific guide to UNIX security - an advanced knowledge of UNIX and Linux is recommended before reading this guide. + </para> + <para> + The DISA <ulink url="http://iase.disa.mil/stigs/checklist/unix_checklist_v5r1_15_20081215.ZIP">UNIX Security Checklist Version 5, Release 1.15</ulink> provides a collection of documents and checklists, ranging from the correct ownerships and modes for system files, to patch control. + </para> + <para> + Also, DISA has made available <ulink url="http://iase.disa.mil/stigs/SRR/unix.html">UNIX SPR scripts</ulink> that allow administrators to check specific settings on systems. These scripts provide XML-formatted reports listing any known vulnerable settings. + </para> + </section> +</chapter> \ No newline at end of file
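Review bot: two wording errors in the added text need fixing before this lands: the new introductory sentence reads "The following general principals provide an overview" (should be "principles"), and the last new paragraph calls the DISA tools "UNIX SPR scripts" although the link it wraps is /stigs/SRR/unix.html and the removed text correctly named them SRR (Security Readiness Review) scripts. The new list items also start in lower case ("encrypt all data...", "minimize the amount...") while their second sentences are capitalized; pick one convention, and reword "minimize the amount of software installed and running services." to something grammatical such as "Minimize the amount of installed software and the number of running services." The removed section ids (sect-Security_Guide-General_Principles_of_Information_Security-General_Principles, -NSA_Documents, -DISA_IASE_Documents) may be the target of xref linkend attributes elsewhere in the guide, so grep for them before merging. The new DISA links pin specific releases (unix-stig-v5r1.pdf, unix_checklist_v5r1_15_20081215.ZIP) where the old text linked the STIG and checklist index pages; consider keeping the index links alongside them so the chapter does not go stale on the next release. Finally, the hunk ends with "\ No newline at end of file": add the trailing newline to the new General_Principles.xml.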
The link for "Hardening Tips for the Red Hat Enterprise Linux 5" does not work after accepting the license agreement. I have mailed nsapao@nsa.gov.
Cheers.
Message: 2
Date: Sat, 3 Jan 2009 14:29:55 +1000
From: "Murray McAllister" murray.mcallister@gmail.com
Subject: Re: PATCH[1/1] Linux Security Guide: edit of General_Principles.xml
To: "For participants of the Documentation Project" fedora-docs-list@redhat.com
Message-ID: 95f1114b0901022029s29abea16h75e87c93160ee001@mail.gmail.com
Content-Type: text/plain; charset=ISO-8859-1
I did not test how this would send, sorry. Use:
wget http://mdious.fedorapeople.org/patches/General_Principles.xml.patch
--
fedora-docs-list mailing list
fedora-docs-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-docs-list
End of fedora-docs-list Digest, Vol 59, Issue 4
On Sun, Jan 4, 2009 at 7:20 PM, Magnus Glantz mg@hacka.net wrote:
My €5 as a non-US citizen.
I do not feel comfortable with a guide that seems almost completely ripped off published US military/government documents.
I only looked at the English. I was not aware of the origins of the content.
I will be more careful in future.
Thanks! :-)
On Sun, Jan 04, 2009 at 09:07:16PM +1000, Murray McAllister wrote:
On Sun, Jan 4, 2009 at 7:20 PM, Magnus Glantz mg@hacka.net wrote:
My €5 as a non-US citizen.
I do not feel comfortable with a guide that seems almost completely ripped off published US military/government documents.
I only looked at the English. I was not aware of the origins of the content.
I will be more careful in future.
Thanks! :-)
"Ripped off" seems unnecessarily harsh to me, and incorrectly implies that somehow the content was lifted without permission, when in fact the references in question are freely available to everyone (USA domestic or foreign). The principles embodied in most of those references are fairly universal and you'll find them echoed in most high-level infosec materials. In fact, some foreign governments use these references themselves.
The Security Guide continues to be a collaborative, participatory project, so anyone who is unhappy with the content -- or completely satisfied, too, for that matter -- is free to get involved! :-) You could start by providing equivalent or comparable non-US references, for example.