1 | <?xml version="1.0" encoding="UTF-8"?>
|
---|
2 | <!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
---|
3 | "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
---|
4 | <!ENTITY % general-entities SYSTEM "../../general.ent">
|
---|
5 | %general-entities;
|
---|
6 | ]>
|
---|
7 |
|
---|
8 | <chapter id="postlfs-security">
|
---|
9 | <?dbhtml filename="security.html"?>
|
---|
10 |
|
---|
11 | <title>Security</title>
|
---|
12 |
|
---|
13 | <para>
|
---|
14 | Security takes many forms in a computing environment. After some
|
---|
15 | initial discussion, this chapter
|
---|
16 | gives examples of three different types of security: access, prevention
|
---|
17 | and detection.
|
---|
18 | </para>
|
---|
19 |
|
---|
20 | <para>
|
---|
21 | Access for users is usually handled by <command>login</command> or an
|
---|
22 | application designed to handle the login function. In this chapter, we show
|
---|
23 | how to enhance <command>login</command> by setting policies with
|
---|
24 | <application>PAM</application> modules. Access via networks can also be
|
---|
25 | secured by policies set by <application>iptables</application>, commonly
|
---|
26 | referred to as a firewall. The Network Security Services (NSS) and
|
---|
27 | Netscape Portable Runtime (NSPR) libraries can be installed and shared
|
---|
28 | among the many applications requiring them. For applications that don't
|
---|
29 | offer the best security, you can use the
|
---|
30 | <application>Stunnel</application> package to wrap an application daemon
|
---|
31 | inside an SSL tunnel.
|
---|
32 | </para>
|
---|
33 |
|
---|
34 | <para>
|
---|
35 | Prevention of breaches, like a trojan, are assisted by applications like
|
---|
36 | <application>GnuPG</application>, specifically the ability to confirm
|
---|
37 | signed packages, which recognizes modifications of the tarball
|
---|
38 | after the packager creates it.
|
---|
39 | </para>
|
---|
40 |
|
---|
41 | <para>
|
---|
42 | Finally, we touch on detection with a package that stores "signatures"
|
---|
43 | of critical files (defined by the administrator) and then regenerates those
|
---|
44 | "signatures" and compares for files that have been changed.
|
---|
45 | </para>
|
---|
46 |
|
---|
47 | <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="vulnerabilities.xml"/>
|
---|
48 | <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="make-ca.xml"/>
|
---|
49 |
|
---|
50 | <!-- sysv only -->
|
---|
51 | <!--<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="consolekit.xml"/>-->
|
---|
52 |
|
---|
53 | <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="cracklib.xml"/>
|
---|
54 | <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="cryptsetup.xml"/>
|
---|
55 | <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="cyrus-sasl.xml"/>
|
---|
56 | <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="gnupg2.xml"/>
|
---|
57 | <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="gnutls.xml"/>
|
---|
58 | <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="gpgme.xml"/>
|
---|
59 | <!-- archive
|
---|
60 | <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="haveged.xml"/>
|
---|
61 | -->
|
---|
62 | <!-- Leave in alphabetical order of now -->
|
---|
63 | <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="iptables.xml"/>
|
---|
64 | <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="firewalling.xml"/>
|
---|
65 |
|
---|
66 | <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="libcap.xml"/>
|
---|
67 | <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="linux-pam.xml"/>
|
---|
68 |
|
---|
69 | <!-- systemd only -->
|
---|
70 | <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="liboauth.xml"/>
|
---|
71 |
|
---|
72 | <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="libpwquality.xml"/>
|
---|
73 | <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="mitkrb.xml"/>
|
---|
74 | <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="nettle.xml"/>
|
---|
75 | <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="nss.xml"/>
|
---|
76 | <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="openssh.xml"/>
|
---|
77 | <!-- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="openssl.xml"/> -->
|
---|
78 | <!-- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="openssl10.xml"/> -->
|
---|
79 | <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="p11-kit.xml"/>
|
---|
80 | <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="polkit.xml"/>
|
---|
81 | <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="polkit-gnome.xml"/>
|
---|
82 | <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="shadow.xml"/>
|
---|
83 | <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="ssh-askpass.xml"/>
|
---|
84 | <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="stunnel.xml"/>
|
---|
85 | <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="sudo.xml"/>
|
---|
86 | <!-- comment out until shadow really abandon su -->
|
---|
87 | <!--xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="util-linux.xml"/-->
|
---|
88 | <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="tripwire.xml"/>
|
---|
89 | <!-- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="volume_key.xml"/>-->
|
---|
90 | <!-- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="firewalling.xml"/>
|
---|
91 | <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="iptables.xml"/>
|
---|
92 | <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="nftables.xml"/>
|
---|
93 | <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="firewalld.xml"/>-->
|
---|
94 |
|
---|
95 | </chapter>
|
---|