Changeset 1ea79a1 for postlfs/security

Timestamp:

05/30/2004 05:30:47 AM (20 years ago)

Author:

Bruce Dubbs <bdubbs@…>

Branches:

10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 6.0, 6.1, 6.2, 6.2.0, 6.2.0-rc1, 6.2.0-rc2, 6.3, 6.3-rc1, 6.3-rc2, 6.3-rc3, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gnome, kde5-13430, kde5-14269, kde5-14686, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, krejzi/svn, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, systemd-11177, systemd-13485, trunk, upgradedb, v5_1, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal

Children:

1dad4a4

Parents:

4ea49a31

Message:

Typos and punctuation

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@2236 af4574ff-66df-0310-9fd7-8a98e5e911e0

Location:

postlfs/security

Files:

• cracklib/cracklib-intro.xml (modified) (2 diffs)
• firewalling/busybox.xml (modified) (4 diffs)
• firewalling/disclaimer.xml (modified) (1 diff)
• firewalling/intro.xml (modified) (5 diffs)
• firewalling/kernel.xml (modified) (2 diffs)
• firewalling/masqrouter.xml (modified) (2 diffs)
• firewalling/persfw.xml (modified) (2 diffs)
• pam/linux_pam-config.xml (modified) (1 diff)
• pam/linux_pam-exp.xml (modified) (1 diff)
• security.xml (modified) (1 diff)
• shadow/shadow-config.xml (modified) (1 diff)
• tripwire/tripwire-config.xml (modified) (2 diffs)

postlfs/security/cracklib/cracklib-intro.xml

@@ -2 +2 @@
 <title>Introduction to <application>cracklib</application></title>
 
-<para>The cracklib package contains a library used to enforce strong 
-passwords by comparing user selected passwords to words in a 
-chosen wordlist.</para>
+<para>The cracklib package contains a library used to enforce strong passwords
+by comparing user selected passwords to words in a chosen wordlist.</para>
 
 <sect3><title>Package information</title>
@@ -27 +26 @@
 </itemizedlist>
 
-<para>You will also need to download a wordlist for use with cracklib.  
-There are two wordlists to choose from at the following location.
-Use the <filename>cracklib</filename> word list for good security,
-or opt for the <filename>allwords</filename> word list for
-lightweight machines short on <acronym>RAM</acronym>.  You can of course choose any other
-word list that you have at your disposal.</para>
+<para>You will also need to download a wordlist for use with cracklib.  There
+are two wordlists to choose from at the following location.  Use the
+<filename>cracklib</filename> word list for good security, or opt for the
+<filename>allwords</filename> word list for lightweight machines short on
+<acronym>RAM</acronym>.  You can of course choose any other word list that you
+have at your disposal.</para>
 
 <para>cracklib (&crackdict-size;): <ulink url="http://www.cotse.com/wordlists/cracklib"/></para>

postlfs/security/firewalling/busybox.xml

@@ -11 +11 @@
 
 <para>Be cautious.  Every service you offer and have enabled makes your
-setup more complex and your box less secure: You induce the risks of 
-misconfigured services or running a service with an exploitable bug, both risks 
-that a firewall principally should be immune of. See the introduction to 
+setup more complex and your box less secure. You induce the risks of 
+misconfigured services or running a service with an exploitable bug.  A firewall
+should generally not run any extra services.  See the introduction to 
 <xref linkend="postlfs-security-fw-masqRouter"/> for some more details.</para>
 
@@ -31 +31 @@
 iptables -A OUTPUT                                      -j ACCEPT</screen>
 
-<para>However, it is generally not advisable to leave OUTPUT unrestricted: you lose 
-any control on trojans who'd like to "call home", and a bit of redundancy in case 
+<para>However, it is generally not advisable to leave OUTPUT unrestricted. You lose 
+any control over trojans who'd like to "call home", and a bit of redundancy in case 
 you've (mis-)configured a service so that it does broadcast its existence to the 
 world.</para>
@@ -59 +59 @@
 
 <listitem><para><anchor id='postlfs-security-fw-BB-4' xreflabel="example no. 4"/>If you are 
-frequently accessing ftp-servers or enjoy chatting you might notice certain 
+frequently accessing ftp-servers or enjoy chatting, you might notice certain 
 delays because some implementations of these daemons have the feature of 
-querying an identd on your box for your username for logging.
+querying an identd on your box for logging usernames.
 Although there's really no harm in this, having an identd running is not 
 recommended because some implementations are known to be vulnerable.</para>
@@ -71 +71 @@
 iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT</screen></listitem>
 
-<listitem><para>To log and drop invalid packets, mostly harmless packets
-that came in after netfilter's timeout, sometimes scans:</para>
+<listitem><para>To log and drop invalid packets (harmless packets
+that came in after netfilter's timeout or some types of network scans):</para>
 
 <screen>iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG --log-prefix \ 

postlfs/security/firewalling/disclaimer.xml

@@ -6 +6 @@
 DOCUMENT.</emphasis></para> -->
 
-<para>This document is meant as an introduction to how to setup a
-firewall - it is not a complete guide to securing systems.  Firewalling
-is a complex issue that requires careful configuration.
-The scripts quoted here are simply intended to give examples as to how
-a firewall works, they are not intended to fit into any imaginable 
-configuration and may not prevent any imaginable attack.</para>
+<para>This document is meant as an introduction to how to setup a firewall.  It
+is not a complete guide to securing systems.  Firewalling is a complex issue
+that requires careful configuration.  The scripts quoted here are simply
+intended to give examples as to how a firewall works, they are not intended to
+fit into any imaginable configuration and may not prevent any imaginable
+attack.</para>
 
 <para>The purpose of this text is simply to give you a hint on how to get

postlfs/security/firewalling/intro.xml

@@ -5 +5 @@
 against malicious access by using a single machine as a firewall. 
 This does imply that the firewall is to be considered a single point 
-of failure, but it can make the administrators life a lot easier.</para>
+of failure, but it can make the administrator's life a lot easier.</para>
 
 <para>In a perfect world where you knew that every daemon or service 
@@ -11 +11 @@
 buffer-overflows and any other imaginable problem regarding its 
 security, and where you trusted every user accessing your services 
-to aim no harm, you wouldn't need to do have a firewall!  
+to aim no harm, you wouldn't need to have a firewall!  
 In the real world however, daemons may be misconfigured, 
 exploits against essential services are freely available, you 
@@ -21 +21 @@
 
 <para>Don't assume however, that having a firewall makes careful
-configuration redundant, nor that it makes any negligent
-misconfiguration harmless, nor that it prevents anyone from exploiting a
+configuration redundant, or that it makes any negligent
+misconfiguration harmless. It also doesn't prevent anyone from exploiting a
 service you intentionally offer but haven't recently updated or patched
 after an exploit went public.  Despite having a firewall, you need to
@@ -40 +40 @@
 companies such as Symantec, of which they claim or pretend that it
 secures a home or desktop-pc with Internet access. This topic is 
-highly relevant for users who do not know the ways their computers 
-might be accessed via the Internet and how to disable these, 
-especially if they are always online and if they are connected via 
+highly relevant for users who do not know the methods their computers 
+might be accessed via the Internet or how to disable them, 
+especially if they are always online and connected via 
 broadband links.</para></sect3>
 
@@ -59 +59 @@
 performing masquerading or routing functions, but offering a bunch of 
 services, e.g., web-cache, mail, etc.  This may be very commonly used 
-for home networks, but can definitely not to be considered as secure 
+for home networks, but can definitely not be considered as secure 
 anymore because the combining of server and router on one machine raises 
 the complexity of the setup.</para></sect3>

postlfs/security/firewalling/kernel.xml

@@ -3 +3 @@
 
 <para>If you want your Linux-Box to have a firewall, you must first ensure 
-that your kernel has been compiled with the relevant options turned on
+that your kernel has been compiled with the relevant options turned on.
 <!-- <footnote><para>If you needed assistance how to configure, compile and install 
 a new kernel, refer back to chapter VIII of the LinuxFromScratch book, 
@@ -10 +10 @@
 <ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/lilo.html">Making the LFS system bootable</ulink>
 ; note, that you'll need to reboot 
-to actually run your new kernel.</para></footnote>-->.</para>
+to actually run your new kernel.</para></footnote>-->
+</para>
 
 <para>How to configure your kernel, with enabling the options to be 

postlfs/security/firewalling/masqrouter.xml

@@ -82 +82 @@
 <command>EOF</command></userinput></screen>
 
-<para>With this script your intranet should be sufficiently 
-secure against external attacks: no one should be able to setup a 
-new connection to any internal service and, if it's masqueraded, 
-it s even invisible; furthermore, your firewall should be nearly immune 
-because there are no services running that a cracker could attack.</para>
+<para>With this script your intranet should be sufficiently secure against
+external attacks. No one should be able to setup a new connection to any
+internal service and, if it's masqueraded, it's even invisible. Furthermore,
+your firewall should be nearly immune because there are no services running
+that a cracker could attack.</para>
 
 <para>Note: if the interface you're connecting to the Internet 
@@ -97 +97 @@
 
 <para>If you need stronger security (e.g., against DOS, connection 
-highjacking, spoofing, etc.) have a look at the list of 
+highjacking, spoofing, etc.), have a look at the list of 
 <xref linkend="postlfs-security-fw-library"/> at the end of this section.</para>
 

postlfs/security/firewalling/persfw.xml

@@ -2 +2 @@
 <title>Personal Firewall</title>
 
-<para>A Personal Firewall is supposed to let you access the all services
+<para>A Personal Firewall is supposed to let you access all the services
 offered on the Internet, but keep your box secure and your data private.</para>
 
-<para>Below is a slightly modified version of Rusty Russell's
-recommendation from the <ulink url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">Linux
+<para>Below is a slightly modified version of Rusty Russell's recommendation
+from the <ulink
+url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">Linux
 2.4 Packet Filtering HOWTO</ulink>:</para>
 
@@ -56 +57 @@
 <xref linkend="postlfs-security-fw-BB-4"/>.</para>
 
-<para>Even if you have daemons / services running on your box, these
+<para>Even if you have daemons or services running on your box, these
 should be inaccessible everywhere but from your box itself.
 If you want to allow access to services on your machine, such as ssh or pinging, 

postlfs/security/pam/linux_pam-config.xml

@@ -9 +9 @@
 <sect3><title>Configuration Information</title>
 
-<para>Configuration information is placed in <filename>/etc/pam.d</filename> or 
-<filename>/etc/pam.conf</filename> depending on the application that is using 
-<application><acronym>PAM</acronym></application>. Below are example files of
-each type:</para>
+<para>Configuration information is placed in <filename>/etc/pam.d</filename> or
+<filename>/etc/pam.conf</filename> depending on user preference.  Below are
+example files of each type:</para>
 
 <screen># Begin /etc/pam.d/other

postlfs/security/pam/linux_pam-exp.xml

@@ -12 +12 @@
 the mailspool directory <acronym>FHS</acronym> compliant.</para>
 
-<para><option>--enable-read-both-confs</option>: This switch lets the local administrator choose which configuration file setup to use.</para>
+<para><option>--enable-read-both-confs</option>: This switch lets the local
+administrator choose which configuration file setup to use.</para>
 
 <para><command>mv /lib/libpam.a /lib/libpam_misc.a /lib/libpamc.a

postlfs/security/security.xml

@@ -16 +16 @@
 <para>Prevention of breaches, like a trojan, are assisted by applications like 
 <application>GnuPG</application>, specifically the ability to confirm signed 
-packages, which prevents modification of the <acronym>TAR</acronym> ball after 
+packages, which recognizes modifications of the <acronym>TAR</acronym> ball after 
 the packager creates it.</para>
 

postlfs/security/shadow/shadow-config.xml

@@ -7 +7 @@
 <filename>/etc/pam.d/passwd</filename>,
 <filename>/etc/pam.d/su</filename>,
-<filename>/etc/pam.d/shadow</filename>,
+<filename>/etc/pam.d/shadow</filename>, and
 <filename>/etc/pam.d/useradd</filename></para>
 </sect3>

postlfs/security/tripwire/tripwire-config.xml

@@ -38 +38 @@
 tripwire -m i</command></userinput></screen>
 
-<para>During configuration <application>Tripwire</application> will create two (2) keys: a site key and
- a local key which will be stored in <filename class="directory">/etc/tripwire/
-</filename>.</para>
+<para>During installation <application>Tripwire</application> will create two
+(2) keys: a site key and a local key which will be stored in <filename
+class="directory">/etc/tripwire/</filename>.</para>
 
 </sect3>
@@ -59 +59 @@
 on your system so that <application>Tripwire</application> will not continually notify you that
 files you intentionally changed are a security violation. To do this you
-must first <command>ls /var/lib/tripwire/report/</command> and note
+must first <command>ls -l /var/lib/tripwire/report/</command> and note
 the name of the newest file which starts with <filename>linux-</filename> and 
 ends in <filename>.twr</filename>. This encrypted file was created during the