Changeset 47274444 for postlfs/security
- Timestamp:
- 03/24/2020 07:19:44 PM (4 years ago)
- Branches:
- 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, lazarus, lxqt, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal
- Children:
- fa3edfef
- Parents:
- 914049f6
- Location:
- postlfs/security
- Files:
- 20 edited
postlfs/security/cracklib.xml
r914049f6 r47274444 36 36 <title>Introduction to CrackLib</title> 37 37 38 <para>The <application>CrackLib</application> package contains a 39 library used to enforce strong passwords by comparing user selected 40 passwords to words in chosen word lists.</para> 38 <para> 39 The <application>CrackLib</application> package contains a 40 library used to enforce strong passwords by comparing user selected 41 passwords to words in chosen word lists. 42 </para> 41 43 42 44 &lfs91_checked; … … 45 47 <itemizedlist spacing="compact"> 46 48 <listitem> 47 <para>Download (HTTP): <ulink url="&cracklib-download-http;"/></para> 48 </listitem> 49 <listitem> 50 <para>Download (FTP): <ulink url="&cracklib-download-ftp;"/></para> 51 </listitem> 52 <listitem> 53 <para>Download MD5 sum: &cracklib-md5sum;</para> 54 </listitem> 55 <listitem> 56 <para>Download size: &cracklib-size;</para> 57 </listitem> 58 <listitem> 59 <para>Estimated disk space required: &cracklib-buildsize;</para> 60 </listitem> 61 <listitem> 62 <para>Estimated build time: &cracklib-time;</para> 49 <para> 50 Download (HTTP): <ulink url="&cracklib-download-http;"/> 51 </para> 52 </listitem> 53 <listitem> 54 <para> 55 Download (FTP): <ulink url="&cracklib-download-ftp;"/> 56 </para> 57 </listitem> 58 <listitem> 59 <para> 60 Download MD5 sum: &cracklib-md5sum; 61 </para> 62 </listitem> 63 <listitem> 64 <para> 65 Download size: &cracklib-size; 66 </para> 67 </listitem> 68 <listitem> 69 <para> 70 Estimated disk space required: &cracklib-buildsize; 71 </para> 72 </listitem> 73 <listitem> 74 <para> 75 Estimated build time: &cracklib-time; 76 </para> 63 77 </listitem> 64 78 </itemizedlist> … … 67 81 <itemizedlist spacing="compact"> 68 82 <listitem> 69 <para>Recommended word list for English-speaking countries (size: 70 &crackdict-size;; md5sum: &crackdict-md5sum;): 71 <ulink url="&crackdict-download;"/></para> 83 <para> 84 Recommended word list for English-speaking countries (size: 85 &crackdict-size;; md5sum: 
&crackdict-md5sum;): 86 <ulink url="&crackdict-download;"/> 87 </para> 72 88 </listitem> 73 89 </itemizedlist> 74 90 75 <para>There are additional word lists available for download, e.g., from 76 <ulink url="http://www.cotse.com/tools/wordlists.htm"/>. 77 <application>CrackLib</application> can utilize as many, or as few word 78 lists you choose to install.</para> 91 <para> 92 There are additional word lists available for download, e.g., from 93 <ulink url="http://www.cotse.com/tools/wordlists.htm"/>. 94 <application>CrackLib</application> can utilize as many, or as few word 95 lists you choose to install. 96 </para> 79 97 80 98 <important> 81 <para>Users tend to base their passwords on regular words of the spoken 82 language, and crackers know that. <application>CrackLib</application> is 83 intended to filter out such bad passwords at the source using a 84 dictionary created from word lists. To accomplish this, the word list(s) 85 for use with <application>CrackLib</application> must be an exhaustive 86 list of words and word-based keystroke combinations likely to be chosen 87 by users of the system as (guessable) passwords.</para> 88 89 <para>The default word list recommended above for downloading mostly 90 satisfies this role in English-speaking countries. In other situations, 91 it may be necessary to download (or even create) additional word 92 lists.</para> 93 94 <para>Note that word lists suitable for spell-checking are not usable 95 as <application>CrackLib</application> word lists in countries with 96 non-Latin based alphabets, because of <quote>word-based keystroke 97 combinations</quote> that make bad passwords.</para> 99 <para> 100 Users tend to base their passwords on regular words of the spoken 101 language, and crackers know that. <application>CrackLib</application> 102 is intended to filter out such bad passwords at the source using a 103 dictionary created from word lists. 
To accomplish this, the word 104 list(s) for use with <application>CrackLib</application> must be an 105 exhaustive list of words and word-based keystroke combinations likely 106 to be chosen by users of the system as (guessable) passwords. 107 </para> 108 109 <para> 110 The default word list recommended above for downloading mostly 111 satisfies this role in English-speaking countries. In other situations, 112 it may be necessary to download (or even create) additional word lists. 113 </para> 114 115 <para> 116 Note that word lists suitable for spell-checking are not usable 117 as <application>CrackLib</application> word lists in countries with 118 non-Latin based alphabets, because of <quote>word-based keystroke 119 combinations</quote> that make bad passwords. 120 </para> 98 121 </important> 99 122 … … 113 136 <title>Installation of CrackLib</title> 114 137 115 <para>Install <application>CrackLib</application> by running the following 116 commands:</para> 138 <para> 139 Install <application>CrackLib</application> by running the following 140 commands: 141 </para> 117 142 118 143 <screen><userinput>sed -i '/skipping/d' util/packer.c && … … 123 148 make</userinput></screen> 124 149 125 <para>Now, as the <systemitem class="username">root</systemitem> user:</para> 150 <para> 151 Now, as the <systemitem class="username">root</systemitem> user: 152 </para> 126 153 127 154 <screen role="root"><userinput>make install && … … 129 156 ln -sfv ../../lib/$(readlink /usr/lib/libcrack.so) /usr/lib/libcrack.so</userinput></screen> 130 157 131 <para>Issue the following commands as the 132 <systemitem class="username">root</systemitem> user to install the 133 recommended word list and create the <application>CrackLib</application> 134 dictionary. 
Other word lists (text based, one word per line) can also be 135 used by simply installing them into 136 <filename class="directory">/usr/share/dict</filename> and adding them 137 to the <command>create-cracklib-dict</command> command.</para> 158 <para> 159 Issue the following commands as the 160 <systemitem class="username">root</systemitem> user to install the 161 recommended word list and create the <application>CrackLib</application> 162 dictionary. Other word lists (text based, one word per line) can also be 163 used by simply installing them into 164 <filename class="directory">/usr/share/dict</filename> and adding them 165 to the <command>create-cracklib-dict</command> command. 166 </para> 138 167 139 168 <screen role="root"><userinput>install -v -m644 -D ../cracklib-words-&cracklib-version;.bz2 \ … … 148 177 /usr/share/dict/cracklib-extra-words</userinput></screen> 149 178 150 <para>If desired, check the proper operation of the library as an 151 unprivileged user by issuing the following command:</para> 179 <para> 180 If desired, check the proper operation of the library as an 181 unprivileged user by issuing the following command: 182 </para> 152 183 153 184 <screen remap="test"><userinput>make test</userinput></screen> 154 185 155 186 <important> 156 <para>If you are installing <application>CrackLib</application> after 157 your LFS system has been completed and you have the 158 <application>Shadow</application> package installed, you must 159 reinstall <xref linkend="shadow"/> if you wish to provide strong 160 password support on your system. 
If you are now going to install the 161 <xref linkend="linux-pam"/> package, you may disregard this note as 162 <application>Shadow</application> will be reinstalled after the 163 <application>Linux-PAM</application> installation.</para> 187 <para> 188 If you are installing <application>CrackLib</application> after 189 your LFS system has been completed and you have the 190 <application>Shadow</application> package installed, you must 191 reinstall <xref linkend="shadow"/> if you wish to provide strong 192 password support on your system. If you are now going to install the 193 <xref linkend="linux-pam"/> package, you may disregard this note as 194 <application>Shadow</application> will be reinstalled after the 195 <application>Linux-PAM</application> installation. 196 </para> 164 197 </important> 165 198 … … 169 202 <title>Command Explanations</title> 170 203 171 <para><command>sed -i '/skipping/d' util/packer.c</command>: 172 Remove a meaningless warning.</para> 173 174 <para><parameter>--with-default-dict=/lib/cracklib/pw_dict</parameter>: 175 This parameter forces the installation of the 176 <application>CrackLib</application> dictionary to the 177 <filename class="directory">/lib</filename> hierarchy.</para> 204 <para> 205 <command>sed -i '/skipping/d' util/packer.c</command>: 206 Remove a meaningless warning. 207 </para> 208 209 <para> 210 <parameter>--with-default-dict=/lib/cracklib/pw_dict</parameter>: 211 This parameter forces the installation of the 212 <application>CrackLib</application> dictionary to the 213 <filename class="directory">/lib</filename> hierarchy. 
214 </para> 178 215 179 216 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" 180 217 href="../../xincludes/static-libraries.xml"/> 181 218 182 <para><command>mv -v /usr/lib/libcrack.so.2* /lib</command> and 183 <command>ln -v -sf ../../lib/libcrack.so.2.9.0 ...</command>: These two 184 commands move the <filename class="libraryfile">libcrack.so.2.9.0</filename> 185 library and associated symlink from 186 <filename class="directory">/usr/lib</filename> to 187 <filename class="directory">/lib</filename>, then recreates the 188 <filename class="symlink">/usr/lib/libcrack.so</filename> symlink pointing 189 to the relocated file.</para> 190 191 <para><command>install -v -m644 -D ...</command>: This command creates the 192 <filename class="directory">/usr/share/dict</filename> directory (if it 193 doesn't already exist) and installs the compressed word list there.</para> 194 195 <para><command>ln -v -s cracklib-words /usr/share/dict/words</command>: The 196 word list is linked to <filename>/usr/share/dict/words</filename> as 197 historically, <filename>words</filename> is the primary word list in the 198 <filename class="directory">/usr/share/dict</filename> directory. Omit this 199 command if you already have a <filename>/usr/share/dict/words</filename> 200 file installed on your system.</para> 201 202 <para><command>echo $(hostname) >>...</command>: The value of 203 <command>hostname</command> is echoed to a file called 204 <filename>cracklib-extra-words</filename>. This extra file is intended to be 205 a site specific list which includes easy to guess passwords such as company 206 or department names, user names, product names, computer names, domain 207 names, etc.</para> 208 209 <para><command>create-cracklib-dict ...</command>: This command creates the 210 <application>CrackLib</application> dictionary from the word lists. 
Modify 211 the command to add any additional word lists you have installed.</para> 219 <para> 220 <command>mv -v /usr/lib/libcrack.so.2* /lib</command> and 221 <command>ln -v -sf ../../lib/libcrack.so.2.9.0 ...</command>: These two 222 commands move the <filename 223 class="libraryfile">libcrack.so.2.9.0</filename> 224 library and associated symlink from 225 <filename class="directory">/usr/lib</filename> to 226 <filename class="directory">/lib</filename>, then recreates the 227 <filename class="symlink">/usr/lib/libcrack.so</filename> symlink 228 pointing to the relocated file. 229 </para> 230 231 <para> 232 <command>install -v -m644 -D ...</command>: This command creates the 233 <filename class="directory">/usr/share/dict</filename> directory (if it 234 doesn't already exist) and installs the compressed word list there. 235 </para> 236 237 <para> 238 <command>ln -v -s cracklib-words /usr/share/dict/words</command>: The 239 word list is linked to <filename>/usr/share/dict/words</filename> as 240 historically, <filename>words</filename> is the primary word list in the 241 <filename class="directory">/usr/share/dict</filename> directory. Omit 242 this command if you already have a 243 <filename>/usr/share/dict/words</filename> file installed on your system. 244 </para> 245 246 <para> 247 <command>echo $(hostname) >>...</command>: The value of 248 <command>hostname</command> is echoed to a file called 249 <filename>cracklib-extra-words</filename>. This extra file is intended 250 to be a site specific list which includes easy to guess passwords such 251 as company or department names, user names, product names, computer 252 names, domain names, etc. 253 </para> 254 255 <para> 256 <command>create-cracklib-dict ...</command>: This command creates the 257 <application>CrackLib</application> dictionary from the word lists. 258 Modify the command to add any additional word lists you have installed. 
259 </para> 212 260 213 261 </sect2> … … 240 288 <term><command>cracklib-check</command></term> 241 289 <listitem> 242 <para>is used to determine if a password is strong.</para> 290 <para> 291 is used to determine if a password is strong. 292 </para> 243 293 <indexterm zone="cracklib cracklib-check"> 244 294 <primary sortas="b-cracklib-check">cracklib-check</primary> … … 250 300 <term><command>cracklib-format</command></term> 251 301 <listitem> 252 <para>is used to format text files (lowercases all words, 253 removes control characters and sorts the lists).</para> 302 <para> 303 is used to format text files (lowercases all words, 304 removes control characters and sorts the lists). 305 </para> 254 306 <indexterm zone="cracklib cracklib-format"> 255 307 <primary sortas="b-cracklib-format">cracklib-format</primary> … … 261 313 <term><command>cracklib-packer</command></term> 262 314 <listitem> 263 <para>creates a database with words read from standard input.</para> 315 <para> 316 creates a database with words read from standard input. 317 </para> 264 318 <indexterm zone="cracklib cracklib-packer"> 265 319 <primary sortas="b-cracklib-packer">cracklib-packer</primary> … … 271 325 <term><command>cracklib-unpacker</command></term> 272 326 <listitem> 273 <para>displays on standard output the database specified.</para> 327 <para> 328 displays on standard output the database specified. 329 </para> 274 330 <indexterm zone="cracklib cracklib-packer"> 275 331 <primary sortas="b-cracklib-packer">cracklib-packer</primary> … … 281 337 <term><command>create-cracklib-dict</command></term> 282 338 <listitem> 283 <para>is used to create the <application>CrackLib</application> 284 dictionary from the given word list(s).</para> 339 <para> 340 is used to create the <application>CrackLib</application> 341 dictionary from the given word list(s). 
342 </para> 285 343 <indexterm zone="cracklib create-cracklib-dict"> 286 344 <primary sortas="b-create-cracklib-dict">create-cracklib-dict</primary> … … 292 350 <term><filename class="libraryfile">libcrack.so</filename></term> 293 351 <listitem> 294 <para>provides a fast dictionary lookup method for strong 295 password enforcement.</para> 352 <para> 353 provides a fast dictionary lookup method for strong 354 password enforcement. 355 </para> 296 356 <indexterm zone="cracklib libcrack"> 297 357 <primary sortas="c-libcrack">libcrack.so</primary> -
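Review bot: the cracklib-unpacker entry in the program list still carries `<indexterm zone="cracklib cracklib-packer">` with `<primary sortas="b-cracklib-packer">cracklib-packer</primary>`, so the index entry for cracklib-unpacker points at cracklib-packer; since this changeset rewraps every `<para>` in that variablelist anyway, fix the zone and sortas to cracklib-unpacker in the same pass. Two wording points in the rewrapped text: "can utilize as many, or as few word lists you choose to install" is missing "as" before "you choose", and "These two commands move ... then recreates the ... symlink" should read "recreate" to agree with the plural subject. The command explanation for `ln -v -sf ../../lib/libcrack.so.2.9.0 ...` also names a fixed library version while the installed command uses `$(readlink /usr/lib/libcrack.so)`, so it will go stale on the next version bump; consider describing the readlink form instead.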
postlfs/security/cryptsetup.xml
r914049f6 r47274444 141 141 </para> 142 142 143 <para>Now, as the <systemitem class="username">root</systemitem> user:</para> 143 <para> 144 Now, as the <systemitem class="username">root</systemitem> user: 145 </para> 144 146 145 147 <screen role="root"><userinput>make install</userinput></screen> -
postlfs/security/gnupg2.xml
r914049f6 r47274444 30 30 <title>Introduction to GnuPG</title> 31 31 32 <para>The <application>GnuPG</application> package is GNU's tool for 33 secure communication and data storage. It can be used to encrypt data and 34 to create digital signatures. It includes an advanced key management 35 facility and is compliant with the proposed OpenPGP Internet standard as 36 described in RFC2440 and the S/MIME standard as described by several RFCs. 37 GnuPG 2 is the stable version of GnuPG integrating support for OpenPGP and 38 S/MIME.</para> 32 <para> 33 The <application>GnuPG</application> package is GNU's tool for 34 secure communication and data storage. It can be used to encrypt data and 35 to create digital signatures. It includes an advanced key management 36 facility and is compliant with the proposed OpenPGP Internet standard as 37 described in RFC2440 and the S/MIME standard as described by several RFCs. 38 GnuPG 2 is the stable version of GnuPG integrating support for OpenPGP and 39 S/MIME. 
40 </para> 39 41 40 42 &lfs91_checked; … … 43 45 <itemizedlist spacing="compact"> 44 46 <listitem> 45 <para>Download (HTTP): <ulink url="&gnupg2-download-http;"/></para> 46 </listitem> 47 <listitem> 48 <para>Download (FTP): <ulink url="&gnupg2-download-ftp;"/></para> 49 </listitem> 50 <listitem> 51 <para>Download MD5 sum: &gnupg2-md5sum;</para> 52 </listitem> 53 <listitem> 54 <para>Download size: &gnupg2-size;</para> 55 </listitem> 56 <listitem> 57 <para>Estimated disk space required: &gnupg2-buildsize;</para> 58 </listitem> 59 <listitem> 60 <para>Estimated build time: &gnupg2-time;</para> 47 <para> 48 Download (HTTP): <ulink url="&gnupg2-download-http;"/> 49 </para> 50 </listitem> 51 <listitem> 52 <para> 53 Download (FTP): <ulink url="&gnupg2-download-ftp;"/> 54 </para> 55 </listitem> 56 <listitem> 57 <para> 58 Download MD5 sum: &gnupg2-md5sum; 59 </para> 60 </listitem> 61 <listitem> 62 <para> 63 Download size: &gnupg2-size; 64 </para> 65 </listitem> 66 <listitem> 67 <para> 68 Estimated disk space required: &gnupg2-buildsize; 69 </para> 70 </listitem> 71 <listitem> 72 <para> 73 Estimated build time: &gnupg2-time; 74 </para> 61 75 </listitem> 62 76 </itemizedlist> … … 103 117 <sect2 role="installation"> 104 118 <title>Installation of GnuPG</title> 105 <!-- It's been well over three years. I think this can be commented for now. 106 <warning> 107 <para> 108 If you are upgrading from gnupg prior to version 2.1, upstream 109 developers recommend backing up 110 <filename class="directory">~/.gnupg</filename> because some additional 111 configuration will probably be necessary and you could lose your keys. 112 You can find instructions at 113 <ulink url="http://jo-ke.name/wp/?p=111"></ulink> and 114 <ulink url="https://wiki.archlinux.org/index.php/GnuPG#.22Lost.22_keys.2C_upgrading_to_gnupg_version_2.1"></ulink>. 115 </para> 116 </warning> 117 --> 118 119 <para>By default GnuPG doesn't install the deprecated gpg-zip script, 120 but it is still needed by some programs. 
Make GnuPG install it with: 119 120 <para> 121 By default GnuPG doesn't install the deprecated gpg-zip script, 122 but it is still needed by some programs. Make GnuPG install it with: 121 123 </para> 122 124 … … 124 126 -i tools/Makefile.in</userinput></screen> 125 127 126 <para>Install <application>GnuPG</application> by running the following 127 commands:</para> 128 <para> 129 Install <application>GnuPG</application> by running the following 130 commands: 131 </para> 128 132 129 133 <screen><userinput>./configure --prefix=/usr \ … … 137 141 make -C doc html</userinput></screen> 138 142 139 <para>If you have <xref linkend="texlive"/> 140 installed and you wish to create documentation in alternate formats, 141 issue the following commands 142 (<ulink url="http://mcj.sourceforge.net/">fig2dev</ulink> is needed for 143 the ps format):</para> 143 <para> 144 If you have <xref linkend="texlive"/> 145 installed and you wish to create documentation in alternate formats, 146 issue the following commands 147 (<ulink url="http://mcj.sourceforge.net/">fig2dev</ulink> is needed for 148 the ps format): 149 </para> 144 150 145 151 <screen remap="doc"><userinput>make -C doc pdf ps</userinput></screen> 146 152 147 <para>To test the results, issue: <command>make check</command>.</para> 148 149 <para>Note that if you have already installed 150 <application>GnuPG</application>, the instructions below will overwrite 151 <filename>/usr/share/man/man1/gpg-zip.1</filename>. Now, as the 152 <systemitem class="username">root</systemitem> user:</para> 153 <para> 154 To test the results, issue: <command>make check</command>. 155 </para> 156 157 <para> 158 Note that if you have already installed 159 <application>GnuPG</application>, the instructions below will overwrite 160 <filename>/usr/share/man/man1/gpg-zip.1</filename>. 
Now, as the 161 <systemitem class="username">root</systemitem> user: 162 </para> 153 163 154 164 <screen role="root"><userinput>make install && … … 161 171 install -v -m644 doc/gnupg.html/* \ 162 172 /usr/share/doc/gnupg-&gnupg2-version;/html</userinput></screen> 163 <para>If you created alternate formats of the documentation, install them 164 using the following command as the 165 <systemitem class="username">root</systemitem> user:</para> 173 <para> 174 If you created alternate formats of the documentation, install them 175 using the following command as the 176 <systemitem class="username">root</systemitem> user: 177 </para> 166 178 167 179 <screen role="root" … … 174 186 <title>Command Explanations</title> 175 187 176 <para><command>sed ... tools/Makefile.in</command>: 177 This command is needed to build the gpg-zip program.</para> 178 179 <para><parameter>--docdir=/usr/share/doc/gnupg-&gnupg2-version;</parameter>: 180 This switch changes the default docdir to <filename 181 class="directory">/usr/share/doc/gnupg-&gnupg2-version;</filename>.</para> 182 183 <para><parameter>--enable-symcryptrun</parameter>: This switch enables 184 building the symcryptrun program.</para> 188 <para> 189 <command>sed ... tools/Makefile.in</command>: 190 This command is needed to build the gpg-zip program. 191 </para> 192 193 <para> 194 <parameter>--docdir=/usr/share/doc/gnupg-&gnupg2-version;</parameter>: 195 This switch changes the default docdir to <filename 196 class="directory">/usr/share/doc/gnupg-&gnupg2-version;</filename>. 197 </para> 198 199 <para> 200 <parameter>--enable-symcryptrun</parameter>: This switch enables 201 building the symcryptrun program. 
202 </para> 185 203 186 204 <para> … … 223 241 <term><command>addgnupghome</command></term> 224 242 <listitem> 225 <para>is used to create and populate a user's 226 <filename class='directory'>~/.gnupg</filename> directories</para> 243 <para> 244 is used to create and populate a user's 245 <filename class='directory'>~/.gnupg</filename> directories 246 </para> 227 247 <indexterm zone="gnupg2 addgnupghome"> 228 248 <primary sortas="b-addgnupghome">addgnupghome</primary> … … 234 254 <term><command>applygnupgdefaults</command></term> 235 255 <listitem> 236 <para>is a wrapper script used to run <command>gpgconf</command> 237 with the <parameter>--apply-defaults</parameter> parameter on all 238 user's GnuPG home directories.</para> 256 <para> 257 is a wrapper script used to run <command>gpgconf</command> 258 with the <parameter>--apply-defaults</parameter> parameter on all 259 user's GnuPG home directories. 260 </para> 239 261 <indexterm zone="gnupg2 applygnupgdefaults"> 240 262 <primary sortas="b-applygnupgdefaults">applygnupgdefaults</primary> … … 246 268 <term><command>dirmngr</command></term> 247 269 <listitem> 248 <para> is a tool that takes care of accessing the OpenPGP keyservers. 270 <para> 271 is a tool that takes care of accessing the OpenPGP keyservers. 249 272 </para> 250 273 <indexterm zone="gnupg2 dirmngr"> … … 257 280 <term><command>dirmngr-client</command></term> 258 281 <listitem> 259 <para> is a tool to contact a running dirmngr and test whether a 260 certificate has been revoked. </para> 282 <para> 283 is a tool to contact a running dirmngr and test whether a 284 certificate has been revoked. 
285 </para> 261 286 <indexterm zone="gnupg2 dirmngr-client"> 262 287 <primary sortas="b-dirmngr-client">dirmngr-client</primary> … … 268 293 <term><command>g13</command></term> 269 294 <listitem> 270 <para>is a tool to create, mount or unmount an encrypted file system 271 container (optional).</para> 295 <para> 296 is a tool to create, mount or unmount an encrypted file system 297 container (optional). 298 </para> 272 299 <indexterm zone="gnupg2 g13"> 273 300 <primary sortas="b-g13">g13</primary> … … 279 306 <term><command>gpg-agent</command></term> 280 307 <listitem> 281 <para>is a daemon used to manage secret (private) keys independently 282 from any protocol. It is used as a backend for <command>gpg2</command> 283 and <command>gpgsm</command> as well as for a couple of other 284 utilities.</para> 308 <para> 309 is a daemon used to manage secret (private) keys independently 310 from any protocol. It is used as a backend for 311 <command>gpg2</command> and <command>gpgsm</command> as well as 312 for a couple of other utilities. 313 </para> 285 314 <indexterm zone="gnupg2 gpg-agent"> 286 315 <primary sortas="b-gpg-agent">gpg-agent</primary> … … 292 321 <term><command>gpg-connect-agent</command></term> 293 322 <listitem> 294 <para>is a utility used to communicate with a running 295 <command>gpg-agent</command>.</para> 323 <para> 324 is a utility used to communicate with a running 325 <command>gpg-agent</command>. 326 </para> 296 327 <indexterm zone="gnupg2 gpg-connect-agent"> 297 328 <primary sortas="b-gpg-connect-agent">gpg-connect-agent</primary> … … 303 334 <term><command>gpg</command></term> 304 335 <listitem> 305 <para>is the OpenPGP part of the GNU Privacy Guard (GnuPG). It is a 306 tool used to provide digital encryption and signing services using 307 the OpenPGP standard.</para> 336 <para> 337 is the OpenPGP part of the GNU Privacy Guard (GnuPG). It is a 338 tool used to provide digital encryption and signing services using 339 the OpenPGP standard. 
340 </para> 308 341 <indexterm zone="gnupg2 gpg"> 309 342 <primary sortas="b-gpg">gpg</primary> … … 315 348 <term><command>gpgconf</command></term> 316 349 <listitem> 317 <para>is a utility used to automatically and reasonably safely 318 query and modify configuration files in the 319 <filename class='directory'>~/.gnupg</filename> home directory. It is 320 designed not to be invoked manually by the user, but automatically by 321 graphical user interfaces.</para> 350 <para> 351 is a utility used to automatically and reasonably safely 352 query and modify configuration files in the 353 <filename class='directory'>~/.gnupg</filename> home directory. It 354 is designed not to be invoked manually by the user, but 355 automatically by graphical user interfaces. 356 </para> 322 357 <indexterm zone="gnupg2 gpgconf"> 323 358 <primary sortas="b-gpgconf">gpgconf</primary> … … 329 364 <term><command>gpgparsemail</command></term> 330 365 <listitem> 331 <para>is a utility currently only useful for debugging. Run it with 332 <parameter>--help</parameter> for usage information.</para> 366 <para> 367 is a utility currently only useful for debugging. Run it with 368 <parameter>--help</parameter> for usage information. 369 </para> 333 370 <indexterm zone="gnupg2 gpgparsemail"> 334 371 <primary sortas="b-gpgparsemail">gpgparsemail</primary> … … 340 377 <term><command>gpgscm</command></term> 341 378 <listitem> 342 <para>executes the given scheme program or spawns an interactive 343 shell.</para> 379 <para> 380 executes the given scheme program or spawns an interactive shell. 381 </para> 344 382 <indexterm zone="gnupg2 gpgscm"> 345 383 <primary sortas="b-gpgscm">gpgscm</primary> … … 351 389 <term><command>gpgsm</command></term> 352 390 <listitem> 353 <para>is a tool similar to <command>gpg2</command> used to provide 354 digital encryption and signing services on X.509 certificates and the 355 CMS protocol. 
It is mainly used as a backend for S/MIME mail 356 processing.</para> 391 <para> 392 is a tool similar to <command>gpg2</command> used to provide 393 digital encryption and signing services on X.509 certificates and 394 the CMS protocol. It is mainly used as a backend for S/MIME mail 395 processing. 396 </para> 357 397 <indexterm zone="gnupg2 gpgsm"> 358 398 <primary sortas="b-gpgsm">gpgsm</primary> … … 364 404 <term><command>gpgtar</command></term> 365 405 <listitem> 366 <para> is a tool to encrypt or sign files into an archive.</para> 406 <para> 407 is a tool to encrypt or sign files into an archive. 408 </para> 367 409 <indexterm zone="gnupg2 gpgtar"> 368 410 <primary sortas="b-gpgtar">gpgtar</primary> … … 374 416 <term><command>gpgv</command></term> 375 417 <listitem> 376 <para>is a verify only version of <command>gpg2</command>.</para> 418 <para> 419 is a verify only version of <command>gpg2</command>. 420 </para> 377 421 <indexterm zone="gnupg2 gpgv"> 378 422 <primary sortas="b-gpgv">gpgv</primary> … … 384 428 <term><command>gpg-wks-server</command></term> 385 429 <listitem> 386 <para>provides a server for the 387 <application>Web Key Service</application> protocol.</para> 430 <para> 431 provides a server for the 432 <application>Web Key Service</application> protocol. 433 </para> 388 434 <indexterm zone="gnupg2 gpg-wks-server"> 389 435 <primary sortas="b-gpg-wks-server">gpg-wks-server</primary> … … 395 441 <term><command>gpg-zip</command></term> 396 442 <listitem> 397 <para>encrypts or signs files into an archive.</para> 443 <para> 444 encrypts or signs files into an archive. 445 </para> 398 446 <indexterm zone="gnupg2 gpg-zip"> 399 447 <primary sortas="b-gpg-zip">gpg-zip</primary> … … 405 453 <term><command>kbxutil</command></term> 406 454 <listitem> 407 <para>is used to list, export and import Keybox data.</para> 455 <para> 456 is used to list, export and import Keybox data. 
457 </para> 408 458 <indexterm zone="gnupg2 kbxutil"> 409 459 <primary sortas="b-kbxutil">kbxutil</primary> … … 415 465 <term><command>symcryptrun</command></term> 416 466 <listitem> 417 <para>is a simple symmetric encryption tool.</para> 467 <para> 468 is a simple symmetric encryption tool. 469 </para> 418 470 <indexterm zone="gnupg2 symcryptrun"> 419 471 <primary sortas="b-symcryptrun">symcryptrun</primary> … … 425 477 <term><command>watchgnupg</command></term> 426 478 <listitem> 427 <para>is used to listen to a Unix Domain socket created by any of 428 the GnuPG tools.</para> 479 <para> 480 is used to listen to a Unix Domain socket created by any of 481 the GnuPG tools. 482 </para> 429 483 <indexterm zone="gnupg2 watchgnupg"> 430 484 <primary sortas="b-watchgnupg">watchgnupg</primary> -
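Review bot: besides the indentation changes, this hunk deletes the commented-out `<warning>` about upgrading from gnupg prior to version 2.1 (the block introduced by "It's been well over three years. I think this can be commented for now."); that is a content change in an otherwise whitespace-only changeset and should be called out separately so it is not lost in the reflow. In the program list, the rewrapped descriptions of gpg-agent, gpgsm and gpgv still refer to `<command>gpg2</command>` while the entry itself is `<command>gpg</command>`; since those lines are being touched, make the name consistent.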
postlfs/security/haveged.xml
r914049f6 r47274444 80 80 <title>Installation of Haveged</title> 81 81 82 <para>Install <application>Haveged</application> by running the following 83 commands:</para> 82 <para> 83 Install <application>Haveged</application> by running the following 84 commands: 85 </para> 84 86 85 87 <screen><userinput>./configure --prefix=/usr && -
postlfs/security/libcap.xml
r914049f6 r47274444 30 30 <title>Introduction to libcap with PAM</title> 31 31 32 <para>The <application>libcap</application> package was installed in 33 LFS, but if <application>Linux-PAM</application> support is desired, 34 the PAM module must be built (after installation of 35 <application>Linux-PAM</application>).</para> 32 <para> 33 The <application>libcap</application> package was installed in 34 LFS, but if <application>Linux-PAM</application> support is desired, 35 the PAM module must be built (after installation of 36 <application>Linux-PAM</application>). 37 </para> 36 38 37 39 &lfs91_checked; … … 40 42 <itemizedlist spacing="compact"> 41 43 <listitem> 42 <para>Download (HTTP): <ulink url="&libcap-download-http;"/></para> 44 <para> 45 Download (HTTP): <ulink url="&libcap-download-http;"/> 46 </para> 43 47 </listitem> 44 48 <listitem> 45 <para>Download (FTP): <ulink url="&libcap-download-ftp;"/></para> 49 <para> 50 Download (FTP): <ulink url="&libcap-download-ftp;"/> 51 </para> 46 52 </listitem> 47 53 <listitem> 48 <para>Download MD5 sum: &libcap-md5sum;</para> 54 <para> 55 Download MD5 sum: &libcap-md5sum; 56 </para> 49 57 </listitem> 50 58 <listitem> 51 <para>Download size: &libcap-size;</para> 59 <para> 60 Download size: &libcap-size; 61 </para> 52 62 </listitem> 53 63 <listitem> 54 <para>Estimated disk space required: &libcap-buildsize;</para> 64 <para> 65 Estimated disk space required: &libcap-buildsize; 66 </para> 55 67 </listitem> 56 68 <listitem> 57 <para>Estimated build time: &libcap-time;</para> 69 <para> 70 Estimated build time: &libcap-time; 71 </para> 58 72 </listitem> 59 73 </itemizedlist> … … 75 89 76 90 <note> 77 <para>If you are upgrading libcap from a previous version, use the 78 instructions in 79 <ulink url="../../../../lfs/view/development/chapter06/libcap.html">LFS libcap page</ulink> 80 to upgrade libcap. 
If the PAM module has been built, it will automatically 81 be picked up.</para> 91 <para> 92 If you are upgrading libcap from a previous version, use the 93 instructions in 94 <ulink url="../../../../lfs/view/development/chapter06/libcap.html"> 95 LFS libcap page 96 </ulink> to upgrade libcap. If <xref linkend="linux-pam"/> has been 97 built, the PAM module will automatically be built too. 98 </para> 82 99 </note> 83 100 84 <para>Install <application>libcap</application> by running the following 85 commands:</para> 101 <para> 102 Install <application>libcap</application> by running the following 103 commands: 104 </para> 86 105 87 106 <screen><userinput>make -C pam_cap</userinput></screen> 88 107 89 <para>This package does not come with a test suite.</para> 108 <para> 109 This package does not come with a test suite. 110 </para> 90 111 91 <para>Now, as the <systemitem class="username">root</systemitem> user:</para> 112 <para> 113 Now, as the <systemitem class="username">root</systemitem> user: 114 </para> 92 115 93 116 <screen role="root"><userinput>install -v -m755 pam_cap/pam_cap.so /lib/security && … … 99 122 <title>Configuring Libcap</title> 100 123 101 <para>In order to allow <application>Linux-PAM</application> to grant 102 privileges based on POSIX capabilites, you need to add the libcap module 103 to the begining of the <filename>/etc/pam.d/system-auth</filename> file. 104 Make the required edits with the following commands:</para> 124 <para> 125 In order to allow <application>Linux-PAM</application> to grant 126 privileges based on POSIX capabilites, you need to add the libcap module 127 to the begining of the <filename>/etc/pam.d/system-auth</filename> file. 
128 Make the required edits with the following commands: 129 </para> 105 130 106 131 <screen role="root"><userinput>mv -v /etc/pam.d/system-auth{,.bak} && … … 112 137 tail -n +3 /etc/pam.d/system-auth.bak >> /etc/pam.d/system-auth</userinput></screen> 113 138 114 <para>Additonally, you'll need to modify the 115 <filename>/etc/security/capability.conf</filename> file to grant necessary 116 privileges to users, and utilize the <command>setcap</command> 117 utility to set capabilities on specific utilities as needed. See 118 <command>man 8 setcap</command> and <command>man 3 cap_from_text</command> 119 for additional information.</para> 139 <para> 140 Additonally, you'll need to modify the 141 <filename>/etc/security/capability.conf</filename> file to grant 142 necessary privileges to users, and utilize the <command>setcap</command> 143 utility to set capabilities on specific utilities as needed. See 144 <command>man 8 setcap</command> and 145 <command>man 3 cap_from_text</command> for additional information. 146 </para> 120 147 121 148 </sect2> -
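Review bot: the upgrade-note hunk changes meaning, not just formatting. `If the PAM module has been built, it will automatically be picked up.` becomes `If <xref linkend="linux-pam"/> has been built, the PAM module will automatically be built too.`, which is a different claim, and it sits in a commit that is otherwise whitespace-only; it should be called out, and checked against the install hunk on the same page, which still has the reader run `make -C pam_cap` by hand rather than relying on an automatic build. Two smaller points in this file: the reflowed `<ulink url="../../../../lfs/view/development/chapter06/libcap.html">` now puts `LFS libcap page` on its own line between the tags, so the link text carries leading and trailing whitespace into the rendered anchor; keep the text flush against the opening and closing tags. And since the Configuring hunk is rewrapped anyway, fix the spelling of `capabilites`, `begining` and `Additonally` in it.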
postlfs/security/liboauth.xml
r914049f6 r47274444 77 77 <itemizedlist spacing="compact"> 78 78 <listitem> 79 <para>Required patch for use with openssl: <ulink 80 url="&patch-root;/liboauth-&liboauth-version;-openssl-1.1.0-3.patch"/> 79 <para> 80 Required patch for use with openssl: <ulink url= 81 "&patch-root;/liboauth-&liboauth-version;-openssl-1.1.0-3.patch"/> 81 82 </para> 82 83 </listitem> -
postlfs/security/linux-pam.xml
r914049f6 r47274444 304 304 # End /etc/pam.d/other</literal></screen> 305 305 306 <para>Now set up some generic files. As root:</para> 306 <para> 307 Now set up some generic files. As root: 308 </para> 307 309 308 310 <screen role="root"><userinput>install -vdm755 /etc/pam.d && … … 331 333 EOF</userinput></screen> 332 334 333 <para>The remaining generic file depends on whether <xref linkend="cracklib"/> 334 is installed. If it is installed, use:</para> 335 <para> 336 The remaining generic file depends on whether <xref 337 linkend="cracklib"/> is installed. If it is installed, use: 338 </para> 335 339 336 340 <screen role="root"><userinput>cat > /etc/pam.d/system-password << "EOF" … … 352 356 EOF</userinput></screen> 353 357 354 <note> 355 <para> 356 In its default configuration, pam_cracklib will 357 allow multiple case passwords as short as 6 characters, even with 358 the <parameter>minlen</parameter> value set to 11. You should review 359 the pam_cracklib(8) man page and determine if these default values 360 are acceptable for the security of your system. 361 </para> 362 </note> 363 364 <para>If <xref linkend="cracklib"/> is <emphasis>NOT</emphasis> installed, 365 use:</para> 358 <note> 359 <para> 360 In its default configuration, pam_cracklib will 361 allow multiple case passwords as short as 6 characters, even with 362 the <parameter>minlen</parameter> value set to 11. You should review 363 the pam_cracklib(8) man page and determine if these default values 364 are acceptable for the security of your system. 365 </para> 366 </note> 367 368 <para> 369 If <xref linkend="cracklib"/> is <emphasis>NOT</emphasis> installed, 370 use: 371 </para> 366 372 367 373 <screen role="nodump"><userinput>cat > /etc/pam.d/system-password << "EOF" … … 375 381 EOF</userinput></screen> 376 382 377 <para>Now add a restrictive <filename>/etc/pam.d/other</filename> 378 configuration file. 
With this file, programs that are PAM aware will not 379 run unless a configuration file specifically for that application is 380 created.</para> 383 <para> 384 Now add a restrictive <filename>/etc/pam.d/other</filename> 385 configuration file. With this file, programs that are PAM aware will 386 not run unless a configuration file specifically for that application 387 is created. 388 </para> 381 389 382 390 <screen role="root"><userinput>cat > /etc/pam.d/other << "EOF" … … 398 406 The <application>PAM</application> man page (<command>man 399 407 pam</command>) provides a good starting point for descriptions 400 of fields and allowable entries. The <ulink 401 url="http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_SAG.html">Linux-PAM 402 System Administrators' Guide</ulink> is recommended for additional 403 information. 404 </para> 405 <!-- No longer there 406 <para> 407 Refer to <ulink url="&debian-pam-docs;/modules.html"/> for a list 408 of various third-party modules available. 409 </para> 410 --> 408 of fields and allowable entries. The 409 <ulink url="http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_SAG.html"> 410 Linux-PAM System Administrators' Guide 411 </ulink> is recommended for additional information. 412 </para> 413 411 414 <important> 412 415 <para> -
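Review bot: the reflowed `<ulink url="http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_SAG.html">` in the last hunk puts `Linux-PAM System Administrators' Guide` on its own line between the tags, so the rendered link text picks up leading and trailing whitespace; keep the link text on the same line as the opening and closing tags. Dropping the commented-out Debian module list is fine, since the comment itself already says the target no longer exists. The pam_cracklib `<note>` changes only its indentation; its warning that the defaults still allow 6-character mixed-case passwords even with `minlen` set to 11 is unchanged and belongs exactly where it is, next to the system-password file.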
postlfs/security/make-ca.xml
r914049f6 r47274444 58 58 <itemizedlist spacing="compact"> 59 59 <listitem> 60 <para>Download (HTTP): <ulink url="&make-ca-download;"/></para> 61 </listitem> 62 <listitem> 63 <para>Download size: &make-ca-size;</para> 64 </listitem> 65 <listitem> 66 <para>Download MD5 Sum: &make-ca-md5sum;</para> 67 </listitem> 68 <listitem> 69 <para>Estimated disk space required: &make-ca-buildsize;</para> 70 </listitem> 71 <listitem> 72 <para>Estimated build time: &make-ca-time;</para> 60 <para> 61 Download (HTTP): <ulink url="&make-ca-download;"/> 62 </para> 63 </listitem> 64 <listitem> 65 <para> 66 Download size: &make-ca-size; 67 </para> 68 </listitem> 69 <listitem> 70 <para> 71 Download MD5 Sum: &make-ca-md5sum; 72 </para> 73 </listitem> 74 <listitem> 75 <para> 76 Estimated disk space required: &make-ca-buildsize; 77 </para> 78 </listitem> 79 <listitem> 80 <para> 81 Estimated build time: &make-ca-time; 82 </para> 73 83 </listitem> 74 84 </itemizedlist> … … 77 87 78 88 <bridgehead renderas="sect4">Required</bridgehead> 79 <para role="required"><xref linkend="p11-kit"/> (required at runtime to 80 generate certificate stores from trust anchors)</para> 89 <para role="required"> 90 <xref linkend="p11-kit"/> (required at runtime to 91 generate certificate stores from trust anchors) 92 </para> 81 93 <!-- /usr/bin/trust is needed to extract the certs to /etc/ssl/certs --> 82 94 … … 93 105 <title>Installation of make-ca</title> 94 106 95 <para>The <application>make-ca</application> script will download and 96 process the certificates included in the <filename>certdata.txt</filename> 97 file for use as trust anchors for the <xref linkend="p11-kit"/> trust 98 module. Additionally, it will generate system certificate stores used by 99 BLFS applications (if the recommended and optional applications are present 100 on the system). 
Any local certificates stored in 101 <filename>/etc/ssl/local</filename> will be imported to both the trust 102 anchors and the generated certificate stores (overriding Mozilla's 103 trust). Additionally, any modified trust values will be copied from the 104 trust anchors to <filename>/etc/ssl/local</filename> prior to any updates, 105 preserving custom trust values that differ from Mozilla when using the 106 <command>trust</command> utility from <application>p11-kit</application> 107 to operate on the trust store.</para> 108 109 <para>To install the various certificate stores, first install the 110 <application>make-ca</application> script into the correct location. 111 As the <systemitem class="username">root</systemitem> user:</para> 107 <para> 108 The <application>make-ca</application> script will download and process 109 the certificates included in the <filename>certdata.txt</filename> file 110 for use as trust anchors for the <xref linkend="p11-kit"/> trust module. 111 Additionally, it will generate system certificate stores used by BLFS 112 applications (if the recommended and optional applications are present 113 on the system). Any local certificates stored in 114 <filename>/etc/ssl/local</filename> will be imported to both the trust 115 anchors and the generated certificate stores (overriding Mozilla's 116 trust). Additionally, any modified trust values will be copied from the 117 trust anchors to <filename>/etc/ssl/local</filename> prior to any 118 updates, preserving custom trust values that differ from Mozilla when 119 using the <command>trust</command> utility from 120 <application>p11-kit</application> to operate on the trust store. 121 </para> 122 123 <para> 124 To install the various certificate stores, first install the 125 <application>make-ca</application> script into the correct location. 
126 As the <systemitem class="username">root</systemitem> user: 127 </para> 112 128 113 129 <screen role="root"><userinput>make install && 114 130 install -vdm755 /etc/ssl/local</userinput></screen> 115 131 116 <para>As the <systemitem class="username">root</systemitem> user, after 117 installing <xref linkend="p11-kit"/>, download the certificate source and 118 prepare for system use with the following command:</para> 132 <para> 133 As the <systemitem class="username">root</systemitem> user, after 134 installing <xref linkend="p11-kit"/>, download the certificate source and 135 prepare for system use with the following command: 136 </para> 119 137 120 138 <note> 121 <para>If running the script a second time with the same version of 122 <filename>certdata.txt</filename>, for instance, to add additional stores 123 as the requisite software is installed, add the <parameter>-r</parameter> 124 switch to the command line. If packaging, run <command>make-ca 125 --help</command> to see all available command line options.</para> 139 <para> 140 If running the script a second time with the same version of 141 <filename>certdata.txt</filename>, for instance, to add additional 142 stores as the requisite software is installed, add the 143 <parameter>-r</parameter> switch to the command line. If packaging, 144 run <command>make-ca --help</command> to see all available command 145 line options. 146 </para> 126 147 </note> 127 148 128 149 <screen role="root"><userinput>/usr/sbin/make-ca -g</userinput></screen> 129 150 130 <!-- Remove at 8.5 or 9.0 --> 131 <!-- <para>Previous versions of BLFS used the path 132 <filename>/etc/ssl/ca-bundle.crt</filename> for the 133 <xref linkend="gnutls"/> certificate store. 
If software is still installed 134 that references this file, create a compatibility symlink for the old 135 location as the <systemitem class="username">root</systemitem> user:</para> 136 137 <screen role="nodump"><userinput>ln -sfv /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/ca-bundle.crt</userinput></screen> 138 It's after 9.0 --> 139 140 <para>You should periodically update the store with the above command, 141 either manually, or via a <phrase revision="sysv">cron job.</phrase> 142 <phrase revision="systemd">systemd timer. A timer is installed at 143 <filename>/usr/lib/systemd/system/update-pki.timer</filename> that, if 144 enabled, will check for updates weekly. </phrase><phrase revision="sysv">If 145 you've installed <xref linkend="fcron"/> and completed the section on 146 periodic jobs, execute</phrase><phrase revision="systemd">Execute</phrase> 147 the following commands, as the 148 <systemitem class="username">root</systemitem> user, to 149 <phrase revision="sysv">create a weekly cron job:</phrase> 150 <phrase revision="systemd">enable the systemd timer:</phrase> 151 <para> 152 You should periodically update the store with the above command, 153 either manually, or via a <phrase revision="sysv">cron job.</phrase> 154 <phrase revision="systemd">systemd timer. 
A timer is installed at 155 <filename>/usr/lib/systemd/system/update-pki.timer</filename> that, if 156 enabled, will check for updates weekly.</phrase><phrase 157 revision="sysv">If you've installed <xref linkend="fcron"/> and 158 completed the section on periodic jobs, execute</phrase><phrase 159 revision="systemd">Execute</phrase> the following commands, as the 160 <systemitem class="username">root</systemitem> user, to <phrase 161 revision="sysv">create a weekly cron job:</phrase><phrase 162 revision="systemd">enable the systemd timer:</phrase> 151 163 </para> 152 164 … … 165 177 <title>Configuring make-ca</title> 166 178 167 <para>For most users, no additional configuration is necessary, however, 168 the default <filename>certdata.txt</filename> file provided by make-ca 169 is obtained from the mozilla-release branch, and is modified to provide a 170 Mercurial revision. This will be the correct version for most systems. 171 There are several other variants of the file available for use that might 172 be preferred for one reason or another, including the files shipped with 173 Mozilla products in this book. RedHat and OpenSUSE, for instance, use the 174 version included in <xref linkend="nss"/>. Additional upstream downloads 175 are available at the links included in 176 <filename>/etc/make-ca.conf.dist</filename>. Simply copy the file to 177 <filename>/etc/make-ca.conf</filename> and edit as appropriate.</para> 179 <para> 180 For most users, no additional configuration is necessary, however, 181 the default <filename>certdata.txt</filename> file provided by make-ca 182 is obtained from the mozilla-release branch, and is modified to provide a 183 Mercurial revision. This will be the correct version for most systems. 184 There are several other variants of the file available for use that might 185 be preferred for one reason or another, including the files shipped with 186 Mozilla products in this book. 
RedHat and OpenSUSE, for instance, use the 187 version included in <xref linkend="nss"/>. Additional upstream downloads 188 are available at the links included in 189 <filename>/etc/make-ca.conf.dist</filename>. Simply copy the file to 190 <filename>/etc/make-ca.conf</filename> and edit as appropriate. 191 </para> 178 192 179 193 <indexterm zone="make-ca make-ca-config"> … … 183 197 <bridgehead renderas="sect3">About Trust Arguments</bridgehead> 184 198 185 <para>There are three trust types that are recognized by the 186 <application>make-ca</application> script, SSL/TLS, S/Mime, and code 187 signing. For <application>OpenSSL</application>, these are 188 <parameter>serverAuth</parameter>, <parameter>emailProtection</parameter>, 189 and <parameter>codeSigning</parameter> respectively. If one of the three 190 trust arguments is omitted, the certificate is neither trusted, nor 191 rejected for that role. Clients that use <application>OpenSSL</application> 192 or <application>NSS</application> encountering this certificate will 193 present a warning to the user. Clients using 194 <application>GnuTLS</application> without 195 <application>p11-kit</application> support are not aware of trusted 196 certificates. To include this CA into the 197 <filename>ca-bundle.crt</filename>, 198 <filename>email-ca-bundle.crt</filename>, or 199 <filename>objsign-ca-bundle.crt</filename> files 200 (the <application>GnuTLS</application> legacy bundles), it must have the 201 appropriate trust arguments.</para> 199 <para> 200 There are three trust types that are recognized by the 201 <application>make-ca</application> script, SSL/TLS, S/Mime, and code 202 signing. For <application>OpenSSL</application>, these are 203 <parameter>serverAuth</parameter>, 204 <parameter>emailProtection</parameter>, and 205 <parameter>codeSigning</parameter> respectively. If one of the three 206 trust arguments is omitted, the certificate is neither trusted, nor 207 rejected for that role. 
Clients that use 208 <application>OpenSSL</application> or <application>NSS</application> 209 encountering this certificate will present a warning to the user. 210 Clients using 211 <application>GnuTLS</application> without 212 <application>p11-kit</application> support are not aware of trusted 213 certificates. To include this CA into the 214 <filename>ca-bundle.crt</filename>, 215 <filename>email-ca-bundle.crt</filename>, or 216 <filename>objsign-ca-bundle.crt</filename> files 217 (the <application>GnuTLS</application> legacy bundles), it must have the 218 appropriate trust arguments. 219 </para> 202 220 203 221 <bridgehead renderas="sect3">Adding Additional CA Certificates</bridgehead> 204 222 205 <para>The <filename class="directory">/etc/ssl/local</filename> directory 206 is available to add additional CA certificates to the system. For instance, 207 you might need to add an organization or government CA certificate. 208 Files in this directory must be in the <application>OpenSSL</application> 209 trusted certificate format. To create an <application>OpenSSL</application> 210 trusted certificate from a regular PEM encoded file, you need to add trust 211 arguments to the <command>openssl</command> command, and create a new 212 certificate. For example, using the 213 <ulink url="http://www.cacert.org/">CAcert</ulink> roots, if you want to 214 trust both for all three roles, the following commands will create 215 appropriate OpenSSL trusted certificates (run as the 216 <systemitem class="username">root</systemitem> user after 217 <xref linkend="wget"/> is installed):</para> 223 <para> 224 The <filename class="directory">/etc/ssl/local</filename> directory 225 is available to add additional CA certificates to the system. For 226 instance, you might need to add an organization or government CA 227 certificate. Files in this directory must be in the 228 <application>OpenSSL</application> trusted certificate format. 
To 229 create an <application>OpenSSL</application> trusted certificate from 230 a regular PEM encoded file, you need to add trust arguments to the 231 <command>openssl</command> command, and create a new certificate. For 232 example, using the <ulink url="http://www.cacert.org/">CAcert</ulink> 233 roots, if you want to trust both for all three roles, the following 234 commands will create appropriate OpenSSL trusted certificates (run as 235 the <systemitem class="username">root</systemitem> user after <xref 236 linkend="wget"/> is installed): 237 </para> 218 238 219 239 <screen role="nodump"><userinput>wget http://www.cacert.org/certs/root.crt && … … 229 249 <bridgehead renderas="sect3">Overriding Mozilla Trust</bridgehead> 230 250 231 <para>Occasionally, there may be instances where you don't agree with 232 Mozilla's inclusion of a particular certificate authority. If you'd like 233 to override the default trust of a particular CA, simply create a copy of 234 the existing certificate in 235 <filename class="directory">/etc/ssl/local</filename> with different trust 236 arguments. For example, if you'd like to distrust the "Makebelieve_CA_Root" 237 file, run the following commands:</para> 251 <para> 252 Occasionally, there may be instances where you don't agree with 253 Mozilla's inclusion of a particular certificate authority. If you'd like 254 to override the default trust of a particular CA, simply create a copy of 255 the existing certificate in <filename 256 class="directory">/etc/ssl/local</filename> with different trust 257 arguments. 
For example, if you'd like to distrust the 258 "Makebelieve_CA_Root" file, run the following commands: 259 </para> 238 260 239 261 <screen role="nodump"><userinput>openssl x509 -in /etc/ssl/certs/Makebelieve_CA_Root.pem \ … … 271 293 <term><command>make-ca</command></term> 272 294 <listitem> 273 <para>is a shell script that adapts a current version of 274 <filename>certdata.txt</filename>, and prepares it for use 275 as the system trust store.</para> 295 <para> 296 is a shell script that adapts a current version of 297 <filename>certdata.txt</filename>, and prepares it for use 298 as the system trust store. 299 </para> 276 300 <indexterm zone="make-ca make-ca"> 277 301 <primary sortas="b-make-ca">make-ca</primary> -
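Review bot: the periodic-update hunk drops a significant space. The old `enabled, will check for updates weekly. </phrase><phrase revision="sysv">If` carried a trailing space inside the systemd-only phrase; the new `enabled, will check for updates weekly.</phrase><phrase` loses it, and because the sysv phrase that follows is stripped from the systemd rendition, that book now reads `weekly.Execute the following commands`. Restore the space before that `</phrase>` (or put one between the `</phrase>` and the next `<phrase`, which is harmless in both profiles). Removing the stale `Remove at 8.5 or 9.0` comment block about the `/etc/ssl/ca-bundle.crt` symlink is fine, since the comment itself says it is past 9.0. Minor, while the trust-types paragraph is being rewrapped: `S/Mime` should be spelled `S/MIME`.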
postlfs/security/mitkrb.xml
r914049f6 r47274444 469 469 470 470 <title>Contents</title> 471 <para></para>472 471 473 472 <segmentedlist> -
postlfs/security/nessus.xml
r914049f6 r47274444 1 1 <sect1 id="postlfs-security-nessus"> 2 <sect1info> 3 <othername>$LastChangedBy$</othername> 4 <date>$Date$</date> 5 </sect1info> 6 <?dbhtml filename="nessus.html"?> 7 <title>nessus</title> 2 <?dbhtml filename="nessus.html"?> 8 3 9 <para>TO BE WRITTEN - NEW</para> 4 <sect1info> 5 <othername>$LastChangedBy$</othername> 6 <date>$Date$</date> 7 </sect1info> 8 9 <title>nessus</title> 10 11 <para> 12 TO BE WRITTEN - NEW 13 </para> 10 14 11 15 </sect1> -
postlfs/security/nettle.xml
r914049f6 r47274444 86 86 <title>Installation of Nettle</title> 87 87 88 <para>Install <application>Nettle</application> by running the following 89 commands:</para> 88 <para> 89 Install <application>Nettle</application> by running the following 90 commands: 91 </para> 90 92 91 93 <screen><userinput>./configure --prefix=/usr --disable-static && -
postlfs/security/nss.xml
r914049f6 r47274444 213 213 <title>Configuring NSS</title> 214 214 215 <para>If <xref linkend="p11-kit"/> is installed, the 216 <application>p11-kit</application> trust module 217 (<filename>/usr/lib/pkcs11/p11-kit-trust.so</filename>) can be used as a 218 drop-in replacement for <filename>/usr/lib/libnssckbi.so</filename> to 219 transparently make the system CAs available to 220 <application>NSS</application> aware applications, rather than the static 221 list provided by <filename>/usr/lib/libnssckbi.so</filename>. As the 222 <systemitem class="username">root</systemitem> user, execute the following 223 commands:</para> 215 <para> 216 If <xref linkend="p11-kit"/> is installed, the 217 <application>p11-kit</application> trust module 218 (<filename>/usr/lib/pkcs11/p11-kit-trust.so</filename>) can be used as a 219 drop-in replacement for <filename>/usr/lib/libnssckbi.so</filename> to 220 transparently make the system CAs available to 221 <application>NSS</application> aware applications, rather than the static 222 list provided by <filename>/usr/lib/libnssckbi.so</filename>. 
As the 223 <systemitem class="username">root</systemitem> user, execute the following 224 commands: 225 </para> 224 226 225 227 <screen role="root"><userinput>ln -sfv ./pkcs11/p11-kit-trust.so /usr/lib/libnssckbi.so</userinput></screen> 226 228 227 <para>Additionally, for dependent applications that do not use the internal 228 database (<filename>/usr/lib/libnssckbi.so</filename>), the 229 <filename>/usr/sbin/make-ca</filename> script, included on the 230 <xref linkend="make-ca"/> page can generate a system wide NSS DB with the 231 <parameter>-n</parameter> switch, or by modifying the 232 <filename>/etc/make-ca.conf</filename> file.</para> 229 <para> 230 Additionally, for dependent applications that do not use the internal 231 database (<filename>/usr/lib/libnssckbi.so</filename>), the 232 <filename>/usr/sbin/make-ca</filename> script, included on the 233 <xref linkend="make-ca"/> page can generate a system wide NSS DB with the 234 <parameter>-n</parameter> switch, or by modifying the 235 <filename>/etc/make-ca.conf</filename> file. 236 </para> 233 237 234 238 </sect2> -
postlfs/security/p11-kit.xml
r914049f6 r47274444 96 96 <title>Installation of p11-kit</title> 97 97 98 <para>Prepare the distribution specific anchor hook:</para> 98 <para> 99 Prepare the distribution specific anchor hook: 100 </para> 99 101 100 102 <screen><userinput>sed '20,$ d' -i trust/trust-extract-compat.in && … … 158 160 <title>Configuring p11-kit</title> 159 161 160 <para>The <application>p11-kit</application> trust module 161 (<filename>/usr/lib/pkcs11/p11-kit-trust.so</filename>) can be used as a 162 drop-in replacement for <filename>/usr/lib/libnssckbi.so</filename> to 163 transparently make the system CAs available to 164 <application>NSS</application> aware applications, rather than the static 165 list provided by <filename>/usr/lib/libnssckbi.so</filename>. As the 166 <systemitem class="username">root</systemitem> user, execute the following 167 commands:</para> 162 <para> 163 The <application>p11-kit</application> trust module 164 (<filename>/usr/lib/pkcs11/p11-kit-trust.so</filename>) can be used as a 165 drop-in replacement for <filename>/usr/lib/libnssckbi.so</filename> to 166 transparently make the system CAs available to 167 <application>NSS</application> aware applications, rather than the static 168 list provided by <filename>/usr/lib/libnssckbi.so</filename>. As the 169 <systemitem class="username">root</systemitem> user, execute the 170 following commands: 171 </para> 168 172 169 173 <screen role="root"><userinput>ln -sfv ./pkcs11/p11-kit-trust.so /usr/lib/libnssckbi.so</userinput></screen> … … 207 211 <para> 208 212 is a command line tool that can be used to perform operations 209 213 on PKCS#11 modules configured on the system. 210 214 </para> 211 215 <indexterm zone="p11-kit p11-kit-prog"> … … 234 238 is a command line tool to both extract local certificates from an 235 239 updated anchor store, and regenerate all anchors and certificate 236 240 stores on the system. 
This is done unconditionally on BLFS using 237 241 the <parameter>--force</parameter> and <parameter>--get</parameter> 238 242 flags to <command>make-ca</command> and should likely not be used -
postlfs/security/security.xml
r914049f6 r47274444 16 16 <title>Security</title> 17 17 18 <para>Security takes many forms in a computing environment. After some 19 initial discussion, this chapter 20 gives examples of three different types of security: access, prevention 21 and detection.</para> 18 <para> 19 Security takes many forms in a computing environment. After some 20 initial discussion, this chapter 21 gives examples of three different types of security: access, prevention 22 and detection. 23 </para> 22 24 23 <para>Access for users is usually handled by <command>login</command> or an 24 application designed to handle the login function. In this chapter, we show 25 how to enhance <command>login</command> by setting policies with 26 <application>PAM</application> modules. Access via networks 27 can also be secured by policies set by <application>iptables</application>, 28 commonly referred to as a firewall. The Network Security Services (NSS) and 29 Netscape Portable Runtime (NSPR) libraries can be installed and shared among 30 the many applications requiring them. For applications that don't offer the 31 best security, you can use the <application>Stunnel</application> package to 32 wrap an application daemon inside an SSL tunnel.</para> 25 <para> 26 Access for users is usually handled by <command>login</command> or an 27 application designed to handle the login function. In this chapter, we show 28 how to enhance <command>login</command> by setting policies with 29 <application>PAM</application> modules. Access via networks can also be 30 secured by policies set by <application>iptables</application>, commonly 31 referred to as a firewall. The Network Security Services (NSS) and 32 Netscape Portable Runtime (NSPR) libraries can be installed and shared 33 among the many applications requiring them. For applications that don't 34 offer the best security, you can use the 35 <application>Stunnel</application> package to wrap an application daemon 36 inside an SSL tunnel. 
37 </para> 33 38 34 <para>Prevention of breaches, like a trojan, are assisted by applications like 35 <application>GnuPG</application>, specifically the ability to confirm signed 36 packages, which recognizes modifications of the tarball 37 after the packager creates it.</para> 39 <para> 40 Prevention of breaches, like a trojan, are assisted by applications like 41 <application>GnuPG</application>, specifically the ability to confirm 42 signed packages, which recognizes modifications of the tarball 43 after the packager creates it. 44 </para> 38 45 39 <para> Finally, we touch on detection with a package that stores "signatures" 40 of critical files (defined by the administrator) and then regenerates those 41 "signatures" and compares for files that have been changed.</para> 46 <para> 47 Finally, we touch on detection with a package that stores "signatures" 48 of critical files (defined by the administrator) and then regenerates those 49 "signatures" and compares for files that have been changed. 50 </para> 42 51 43 52 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="vulnerabilities.xml"/> -
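Review bot: subject-verb agreement in the third hunk: `Prevention of breaches, like a trojan, are assisted by applications like` should read `is assisted`, since the subject is `Prevention`; as the paragraph is rewrapped anyway, fix it here. The rest of the change to this file is whitespace only.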
postlfs/security/shadow.xml
r914049f6 r47274444 474 474 done</userinput></screen> 475 475 476 <para revision="systemd">Because the installation of 477 <application>systemd</application> is not yet complete, you will need 478 to remove the <filename>/run/nologin</filename> file before testing the 479 installation. Execute the following command as the 480 <systemitem class="username">root</systemitem> user:</para> 476 <para revision="systemd"> 477 Because the installation of <application>systemd</application> is 478 not yet complete, you will need to remove the 479 <filename>/run/nologin</filename> file before testing the 480 installation. Execute the following command as the 481 <systemitem class="username">root</systemitem> user: 482 </para> 481 483 482 484 <screen role="root" revision="systemd"><userinput>rm -f /run/nologin</userinput></screen> -
postlfs/security/stunnel.xml
r914049f6 r47274444 33 33 <title>Introduction to stunnel</title> 34 34 35 <para>The <application>stunnel</application> package contains a program 36 that allows you to encrypt arbitrary TCP connections inside SSL (Secure 37 Sockets Layer) so you can easily communicate with clients over secure 38 channels. <application>stunnel</application> can be used to add SSL 39 functionality to commonly used <application>Inetd</application> daemons 40 such as POP-2, POP-3, and IMAP servers, along with standalone daemons such 41 as NNTP, SMTP, and HTTP. <application>stunnel</application> can also be 42 used to tunnel PPP over network sockets without changes to the server 43 package source code.</para> 35 <para> 36 The <application>stunnel</application> package contains a program 37 that allows you to encrypt arbitrary TCP connections inside SSL (Secure 38 Sockets Layer) so you can easily communicate with clients over secure 39 channels. <application>stunnel</application> can be used to add SSL 40 functionality to commonly used <application>Inetd</application> daemons 41 such as POP-2, POP-3, and IMAP servers, along with standalone daemons 42 such as NNTP, SMTP, and HTTP. <application>stunnel</application> can 43 also be used to tunnel PPP over network sockets without changes to the 44 server package source code. 
45 </para> 44 46 45 47 &lfs91_checked; … … 48 50 <itemizedlist spacing="compact"> 49 51 <listitem> 50 <para>Download (HTTP): <ulink url="&stunnel-download-http;"/></para> 51 </listitem> 52 <listitem> 53 <para>Download (FTP): <ulink url="&stunnel-download-ftp;"/></para> 54 </listitem> 55 <listitem> 56 <para>Download MD5 sum: &stunnel-md5sum;</para> 57 </listitem> 58 <listitem> 59 <para>Download size: &stunnel-size;</para> 60 </listitem> 61 <listitem> 62 <para>Estimated disk space required: &stunnel-buildsize;</para> 63 </listitem> 64 <listitem> 65 <para>Estimated build time: &stunnel-time;</para> 52 <para> 53 Download (HTTP): <ulink url="&stunnel-download-http;"/> 54 </para> 55 </listitem> 56 <listitem> 57 <para> 58 Download (FTP): <ulink url="&stunnel-download-ftp;"/> 59 </para> 60 </listitem> 61 <listitem> 62 <para> 63 Download MD5 sum: &stunnel-md5sum; 64 </para> 65 </listitem> 66 <listitem> 67 <para> 68 Download size: &stunnel-size; 69 </para> 70 </listitem> 71 <listitem> 72 <para> 73 Estimated disk space required: &stunnel-buildsize; 74 </para> 75 </listitem> 76 <listitem> 77 <para> 78 Estimated build time: &stunnel-time; 79 </para> 66 80 </listitem> 67 81 </itemizedlist> … … 71 85 <bridgehead renderas="sect4">Optional</bridgehead> 72 86 <para role="optional"> 73 <ulink url="http://netcat.sourceforge.net/">netcat</ulink> (required for tests), 74 <ulink url="ftp://ftp.porcupine.org/pub/security/">tcpwrappers</ulink> and 87 <ulink url="http://netcat.sourceforge.net/">netcat</ulink> 88 (required for tests), 89 <ulink url="ftp://ftp.porcupine.org/pub/security/">tcpwrappers</ulink>, 90 and 75 91 <ulink url="https://dist.torproject.org/">TOR</ulink> 76 92 </para> … … 84 100 <title>Installation of stunnel</title> 85 101 86 <para>The <command>stunnel</command> daemon will be run in a 87 <command>chroot</command> jail by an unprivileged user. 
Create the 88 new user and group using the following commands as the 89 <systemitem class="username">root</systemitem> user:</para> 102 <para> 103 The <command>stunnel</command> daemon will be run in a 104 <command>chroot</command> jail by an unprivileged user. Create the 105 new user and group using the following commands as the 106 <systemitem class="username">root</systemitem> user: 107 </para> 90 108 91 109 <screen role="root"><userinput>groupadd -g 51 stunnel && … … 94 112 95 113 <note> 96 <para>A signed SSL Certificate and a Private Key is necessary to run the 97 <command>stunnel</command> daemon. After the package is installed, there 98 are instructions to generate them. However, if you own or have already 99 created a signed SSL Certificate you wish to use, copy it to 100 <filename>/etc/stunnel/stunnel.pem</filename> before starting the build 101 (ensure only <systemitem class="username">root</systemitem> has read and 102 write access). The <filename class="extension">.pem</filename> file must 103 be formatted as shown below:</para> 114 <para> 115 A signed SSL Certificate and a Private Key is necessary to run the 116 <command>stunnel</command> daemon. After the package is installed, 117 there are instructions to generate them. However, if you own or have 118 already created a signed SSL Certificate you wish to use, copy it to 119 <filename>/etc/stunnel/stunnel.pem</filename> before starting the 120 build (ensure only <systemitem class="username">root</systemitem> has 121 read and write access). 
The <filename class="extension">.pem</filename> 122 file must be formatted as shown below: 123 </para> 104 124 105 125 <screen><literal>-----BEGIN PRIVATE KEY----- … … 112 132 <replaceable><encrypted lines of dh parms></replaceable> 113 133 -----END DH PARAMETERS-----</literal></screen> 134 114 135 </note> 115 136 116 <para>Install <application>stunnel</application> by running the following 117 commands:</para> 137 <para> 138 Install <application>stunnel</application> by running the following 139 commands: 140 </para> 118 141 119 142 <note> 120 <para>For some systems with <application>binutils</application> 121 versions prior to 2.25, <command>configure</command> may fail. If 122 necessary, fix it either with:</para> 143 <para> 144 For some systems with <application>binutils</application> 145 versions prior to 2.25, <command>configure</command> may fail. If 146 necessary, fix it either with: 147 </para> 123 148 124 149 <screen><userinput>sed -i '/LDFLAGS.*static_flag/ s/^/#/' configure</userinput></screen> 125 150 126 <para>or, if <xref linkend="llvm"/> with Clang is installed, you can 127 replace <command>./configure ...</command> with <command>CC=clang 128 ./configure ...</command> in the first command below.</para> 151 <para> 152 or, if <xref linkend="llvm"/> with Clang is installed, you can 153 replace <command>./configure ...</command> with <command>CC=clang 154 ./configure ...</command> in the first command below. 155 </para> 129 156 </note> 130 157 … … 140 167 make</userinput></screen> 141 168 142 <para>If you have installed the optional netcat application, the 143 regression tests can be run with <command>make check</command>.</para> 144 145 <para>Now, as the <systemitem class="username">root</systemitem> user:</para> 169 <para> 170 If you have installed the optional netcat application, the 171 regression tests can be run with <command>make check</command>. 
172 </para> 173 174 <para> 175 Now, as the <systemitem class="username">root</systemitem> user: 176 </para> 146 177 147 178 <screen role="root"><userinput>make docdir=/usr/share/doc/stunnel-&stunnel-version; install</userinput></screen> … … 154 185 <screen role="root" revision="systemd"><userinput>install -v -m644 tools/stunnel.service /lib/systemd/system</userinput></screen> 155 186 156 <para>If you do not already have a signed SSL Certificate and Private Key, 157 create the <filename>stunnel.pem</filename> file in the 158 <filename class="directory">/etc/stunnel</filename> directory using the 159 command below. You will be prompted to enter the necessary 160 information. Ensure you reply to the</para> 187 <para> 188 If you do not already have a signed SSL Certificate and Private Key, 189 create the <filename>stunnel.pem</filename> file in the 190 <filename class="directory">/etc/stunnel</filename> directory using the 191 command below. You will be prompted to enter the necessary 192 information. Ensure you reply to the 193 </para> 161 194 162 195 <screen><prompt>Common Name (FQDN of your server) [localhost]:</prompt></screen> 163 196 164 <para>prompt with the name or IP address you will be using 165 to access the service(s).</para> 166 167 <para>To generate a certificate, as the 168 <systemitem class="username">root</systemitem> user, issue:</para> 197 <para> 198 prompt with the name or IP address you will be using 199 to access the service(s). 200 </para> 201 202 <para> 203 To generate a certificate, as the 204 <systemitem class="username">root</systemitem> user, issue: 205 </para> 169 206 170 207 <screen role="root"><userinput>make cert</userinput></screen> … … 175 212 <title>Command Explanations</title> 176 213 177 <para revision="sysv"><parameter>--disable-systemd</parameter>: This switch 178 disables systemd socket activation support which is not available in 179 BLFS.</para> 180 181 <para><command>make docdir=... 
install</command>: This command installs the 182 package and changes the documentation installation directory to standard 183 naming conventions.</para> 214 <para revision="sysv"> 215 <parameter>--disable-systemd</parameter>: This switch disables systemd 216 socket activation support which is not available in BLFS. 217 </para> 218 219 <para> 220 <command>make docdir=... install</command>: This command installs the 221 package and changes the documentation installation directory to standard 222 naming conventions. 223 </para> 184 224 185 225 </sect2> … … 191 231 <title>Config Files</title> 192 232 193 <para><filename>/etc/stunnel/stunnel.conf</filename></para> 233 <para> 234 <filename>/etc/stunnel/stunnel.conf</filename> 235 </para> 194 236 195 237 <indexterm zone="stunnel stunnel-config"> … … 202 244 <title>Configuration Information</title> 203 245 204 <para>As the <systemitem class="username">root</systemitem> user, 205 create the directory used for the 206 <filename class="extension">.pid</filename> file created 207 when the <application>stunnel</application> daemon starts:</para> 246 <para> 247 As the <systemitem class="username">root</systemitem> user, 248 create the directory used for the 249 <filename class="extension">.pid</filename> file created 250 when the <application>stunnel</application> daemon starts: 251 </para> 208 252 209 253 <screen role="root"><userinput>install -v -m750 -o stunnel -g stunnel -d /var/lib/stunnel/run && 210 254 chown stunnel:stunnel /var/lib/stunnel</userinput></screen> 211 255 212 <para>Next, create a basic <filename>/etc/stunnel/stunnel.conf</filename> 213 configuration file using the following commands as the 214 <systemitem class="username">root</systemitem> user:</para> 256 <para> 257 Next, create a basic <filename>/etc/stunnel/stunnel.conf</filename> 258 configuration file using the following commands as the 259 <systemitem class="username">root</systemitem> user: 260 </para> 215 261 216 262 <screen 
role="root"><userinput>cat >/etc/stunnel/stunnel.conf << "EOF" … … 239 285 EOF</userinput></screen> 240 286 241 <para>Finally, add the service(s) you wish to encrypt to the 242 configuration file. The format is as follows:</para> 287 <para> 288 Finally, add the service(s) you wish to encrypt to the 289 configuration file. The format is as follows: 290 </para> 243 291 244 292 <screen><literal>[<replaceable><service></replaceable>] … … 246 294 connect = <replaceable><hostname:portnumber></replaceable></literal></screen> 247 295 248 <para>If you use <application>stunnel</application> to encrypt a daemon 249 started from <command>[x]inetd</command>, you may need to disable that 250 daemon in the <filename>/etc/[x]inetd.conf</filename> file and enable a 251 corresponding <replaceable><service></replaceable>_stunnel service. You 252 may have to add an appropriate entry in <filename>/etc/services</filename> 253 as well.</para> 254 255 <para>For a full explanation of the commands and syntax used in the 256 configuration file, issue <command>man stunnel</command>.</para> 296 <para> 297 If you use <application>stunnel</application> to encrypt a daemon 298 started from <command>[x]inetd</command>, you may need to disable that 299 daemon in the <filename>/etc/[x]inetd.conf</filename> file and enable a 300 corresponding <replaceable><service></replaceable>_stunnel 301 service. You may have to add an appropriate entry in 302 <filename>/etc/services</filename> as well. 303 </para> 304 305 <para> 306 For a full explanation of the commands and syntax used in the 307 configuration file, issue <command>man stunnel</command>. 
308 </para> 257 309 258 310 </sect3> … … 262 314 <phrase revision="systemd">Systemd Unit</phrase></title> 263 315 264 <para revision="sysv">To automatically start the 265 <command>stunnel</command> daemon when the system is booted, install the 266 <filename>/etc/rc.d/init.d/stunnel</filename> bootscript from the 267 <xref linkend="bootscripts"/> package.</para> 268 269 <para revision="systemd">To start the <command>stunnel</command> 270 daemon at boot, enable the previously installed 271 <application>systemd</application> unit by running the following command 272 as the <systemitem class="username">root</systemitem> user:</para> 316 <para revision="sysv"> 317 To automatically start the <command>stunnel</command> daemon when the 318 system is booted, install the 319 <filename>/etc/rc.d/init.d/stunnel</filename> bootscript from the 320 <xref linkend="bootscripts"/> package. 321 </para> 322 323 <para revision="systemd"> 324 To start the <command>stunnel</command> 325 daemon at boot, enable the previously installed 326 <application>systemd</application> unit by running the following 327 command as the <systemitem class="username">root</systemitem> user: 328 </para> 273 329 274 330 <indexterm zone="stunnel stunnel-init"> … … 314 370 <term><command>stunnel</command></term> 315 371 <listitem> 316 <para> is a program designed to work as an SSL 317 encryption wrapper between remote clients and local 318 (<command>{x}inetd</command>-startable) or remote servers.</para> 372 <para> 373 is a program designed to work as an SSL 374 encryption wrapper between remote clients and local 375 (<command>{x}inetd</command>-startable) or remote servers. 
376 </para> 319 377 <indexterm zone="stunnel stunnel-prog"> 320 378 <primary sortas="b-stunnel">stunnel</primary> … … 326 384 <term><command>stunnel3</command></term> 327 385 <listitem> 328 <para>is a <application>Perl</application> wrapper script to use 329 <command>stunnel</command> 3.x syntax with <command>stunnel</command> 330 >=4.05.</para> 386 <para> 387 is a <application>Perl</application> wrapper script to use 388 <command>stunnel</command> 3.x syntax with 389 <command>stunnel</command> 4.05 or later. 390 </para> 331 391 <indexterm zone="stunnel stunnel3"> 332 392 <primary sortas="b-stunnel3">stunnel3</primary> … … 338 398 <term><filename class='libraryfile'>libstunnel.so</filename></term> 339 399 <listitem> 340 <para> contains the API functions required by 341 <application>stunnel</application>.</para> 400 <para> 401 contains the API functions required by 402 <application>stunnel</application>. 403 </para> 342 404 <indexterm zone="stunnel libstunnel"> 343 405 <primary sortas="c-libstunnel">libstunnel.so</primary> -
postlfs/security/syslog.xml
r914049f6 r47274444 1 1 <sect1 id="postlfs-security-syslog"> 2 <sect1info> 3 <othername>$LastChangedBy$</othername> 4 <date>$Date$</date> 5 </sect1info> 6 <?dbhtml filename="syslog.html"?> 7 <title>Configuring syslog</title> 2 <?dbhtml filename="syslog.html"?> 3 <sect1info> 4 <othername>$LastChangedBy$</othername> 5 <date>$Date$</date> 6 </sect1info> 8 7 9 <para>TO BE WRITTEN - NEW</para> 8 <title>Configuring syslog</title> 9 10 <para> 11 TO BE WRITTEN - NEW 12 </para> 10 13 11 14 </sect1> -
postlfs/security/tripwire.xml
r914049f6 r47274444 30 30 <title>Introduction to Tripwire</title> 31 31 32 <para>The <application>Tripwire</application> package contains programs 33 used to verify the integrity of the files on a given system.</para> 32 <para> 33 The <application>Tripwire</application> package contains programs 34 used to verify the integrity of the files on a given system. 35 </para> 34 36 35 37 &lfs91_checked; … … 38 40 <itemizedlist spacing="compact"> 39 41 <listitem> 40 <para>Download (HTTP): <ulink url="&tripwire-download-http;"/></para> 41 </listitem> 42 <listitem> 43 <para>Download (FTP): <ulink url="&tripwire-download-ftp;"/></para> 44 </listitem> 45 <listitem> 46 <para>Download MD5 sum: &tripwire-md5sum;</para> 47 </listitem> 48 <listitem> 49 <para>Download size: &tripwire-size;</para> 50 </listitem> 51 <listitem> 52 <para>Estimated disk space required: &tripwire-buildsize;</para> 53 </listitem> 54 <listitem> 55 <para>Estimated build time: &tripwire-time;</para> 42 <para> 43 Download (HTTP): <ulink url="&tripwire-download-http;"/> 44 </para> 45 </listitem> 46 <listitem> 47 <para> 48 Download (FTP): <ulink url="&tripwire-download-ftp;"/> 49 </para> 50 </listitem> 51 <listitem> 52 <para> 53 Download MD5 sum: &tripwire-md5sum; 54 </para> 55 </listitem> 56 <listitem> 57 <para> 58 Download size: &tripwire-size; 59 </para> 60 </listitem> 61 <listitem> 62 <para> 63 Estimated disk space required: &tripwire-buildsize; 64 </para> 65 </listitem> 66 <listitem> 67 <para> 68 Estimated build time: &tripwire-time; 69 </para> 56 70 </listitem> 57 71 </itemizedlist> 58 <!-- 59 <note> 60 <para> 61 The <application>tripwire</application> source tarball shown above 62 downloads with the correct name, tripwire-open-source-&tripwire-version;.tar.gz, 63 if using a browser such as Firefox. If you prefer to use a command line 64 program such as wget, you normally would obtain 65 &tripwire-version;.tar.gz. 
To obtain this package with the proper 66 filename, run: 67 68 <screen><userinput>wget -c https://github.com/Tripwire/tripwire-open-source/archive/&tripwire-version;.tar.gz \ 69 -O tripwire-open-source-&tripwire-version;.tar.gz</userinput></screen>. 70 </para> 71 </note> 72 --> 72 73 73 <bridgehead renderas="sect3">Tripwire Dependencies</bridgehead> 74 74 <!-- 75 75 <bridgehead renderas="sect4">Recommended</bridgehead> 76 <para role="recommended"><xref linkend="openssl"/></para> 76 <para role="recommended"> 77 <xref linkend="openssl"/> 78 </para> 77 79 --> 78 80 79 81 <bridgehead renderas="sect4">Optional</bridgehead> 80 <para role="optional">An <xref linkend="server-mail"/></para> 82 <para role="optional"> 83 An <xref linkend="server-mail"/> 84 </para> 81 85 82 86 <para condition="html" role="usernotes">User Notes: … … 88 92 <title>Installation of Tripwire</title> 89 93 90 <para>Compile <application>Tripwire</application> by running the following 91 commands:</para> 94 <para> 95 Compile <application>Tripwire</application> by running the following 96 commands: 97 </para> 92 98 93 99 <screen><userinput>sed -e '/^CLOBBER/s/false/true/' \ … … 106 112 make</userinput></screen> 107 113 108 <note><para>The default configuration is to use a local MTA. If 109 you don't have an MTA installed and have no wish to install 110 one, modify <filename>install/install.cfg</filename> to use an SMTP 111 server instead. Otherwise the install will fail.</para></note> 112 113 <para>This package does not come with a test suite.</para> 114 115 <para>Now, as the <systemitem class="username">root</systemitem> user:</para> 114 <note> 115 <para> 116 The default configuration is to use a local MTA. If 117 you don't have an MTA installed and have no wish to install 118 one, modify <filename>install/install.cfg</filename> to use an SMTP 119 server instead. Otherwise the install will fail. 120 </para> 121 </note> 122 123 <para> 124 This package does not come with a test suite. 
125 </para> 126 127 <para> 128 Now, as the <systemitem class="username">root</systemitem> user: 129 </para> 116 130 117 131 <screen role="root"><userinput>make install && … … 183 197 <title>Config Files</title> 184 198 185 <para><filename>/etc/tripwire/*</filename></para> 199 <para> 200 <filename>/etc/tripwire/*</filename> 201 </para> 186 202 187 203 <indexterm zone="tripwire tripwire-config"> … … 194 210 <title>Configuration Information</title> 195 211 196 <para><application>Tripwire</application> uses a policy file to 197 determine which files are integrity checked. The default policy 198 file (<filename>/etc/tripwire/twpol.txt</filename>) is for a 199 default installation and will need to be updated for your 200 system.</para> 201 202 <para>Policy files should be tailored to each individual distribution 203 and/or installation. Some example policy files can be found in <filename 204 class="directory">/usr/share/doc/tripwire/</filename>.</para> 205 206 <para>If desired, copy the policy file you'd like to try into <filename 207 class="directory">/etc/tripwire/</filename> instead of using the default 208 policy file, <filename>twpol.txt</filename>. It is, however, recommended 209 that you edit your policy file. Get ideas from the examples above and 210 read <filename>/usr/share/doc/tripwire/policyguide.txt</filename> for 211 additional information. <filename>twpol.txt</filename> is a good policy 212 file for learning about <application>Tripwire</application> as it will 213 note any changes to the file system and can even be used as an annoying 214 way of keeping track of changes for uninstallation of software.</para> 215 216 <para>After your policy file has been edited to your satisfaction you may 217 begin the configuration steps (perform as the <systemitem 218 class='username'>root</systemitem>) user:</para> 212 <para> 213 <application>Tripwire</application> uses a policy file to 214 determine which files are integrity checked. 
The default policy 215 file (<filename>/etc/tripwire/twpol.txt</filename>) is for a 216 default installation and will need to be updated for your 217 system. 218 </para> 219 220 <para> 221 Policy files should be tailored to each individual distribution and/or 222 installation. Some example policy files can be found in <filename 223 class="directory">/usr/share/doc/tripwire/</filename>. 224 </para> 225 226 <para> 227 If desired, copy the policy file you'd like to try into <filename 228 class="directory">/etc/tripwire/</filename> instead of using the 229 default policy file, <filename>twpol.txt</filename>. It is, however, 230 recommended that you edit your policy file. Get ideas from the 231 examples above and read 232 <filename>/usr/share/doc/tripwire/policyguide.txt</filename> for 233 additional information. <filename>twpol.txt</filename> is a good 234 policy file for learning about <application>Tripwire</application> 235 as it will note any changes to the file system and can even be used 236 as an annoying way of keeping track of changes for uninstallation of 237 software. 238 </para> 239 240 <para> 241 After your policy file has been edited to your satisfaction you may 242 begin the configuration steps (perform as the <systemitem 243 class='username'>root</systemitem>) user: 244 </para> 219 245 220 246 <screen role="root"><userinput>twadmin --create-polfile --site-keyfile /etc/tripwire/site.key \ … … 222 248 tripwire --init</userinput></screen> 223 249 224 <para>Depending on your system and the contents of the policy file, the 225 initialization phase above can take a relatively long time.</para> 250 <para> 251 Depending on your system and the contents of the policy file, the 252 initialization phase above can take a relatively long time. 253 </para> 226 254 227 255 </sect3> … … 230 258 <title>Usage Information</title> 231 259 232 <para><application>Tripwire</application> will identify file changes in 233 the critical system files specified in the policy file. 
Using 234 <application>Tripwire</application> while making frequent changes to 235 these directories will flag all these changes. It is most useful after a 236 system has reached a configuration that the user considers stable.</para> 237 238 <para>To use <application>Tripwire</application> after creating a policy 239 file to run a report, use the following command:</para> 260 <para> 261 <application>Tripwire</application> will identify file changes in 262 the critical system files specified in the policy file. Using 263 <application>Tripwire</application> while making frequent changes to 264 these directories will flag all these changes. It is most useful 265 after a system has reached a configuration that the user considers 266 stable. 267 </para> 268 269 <para> 270 To use <application>Tripwire</application> after creating a policy 271 file to run a report, use the following command: 272 </para> 240 273 241 274 <screen role="root"><userinput>tripwire --check > /etc/tripwire/report.txt</userinput></screen> 242 275 243 <para>View the output to check the integrity of your files. An automatic 244 integrity report can be produced by using a cron facility to schedule the 245 runs.</para> 246 247 <para>Reports are stored in binary and, if desired, encrypted. View reports, 248 as the <systemitem class="username">root</systemitem> user, with:</para> 249 250 <screen role="root"><userinput>twprint --print-report -r /var/lib/tripwire/report/<replaceable><report-name.twr></replaceable></userinput></screen> 251 252 <para>After you run an integrity check, you should examine the 253 report (or email) and then modify the <application>Tripwire</application> 254 database to reflect the changed files on your system. This is so that 255 <application>Tripwire</application> will not continually notify you that 256 files you intentionally changed are a security violation. 
To do this you 257 must first <command>ls -l /var/lib/tripwire/report/</command> and note 258 the name of the newest file which starts with your system name as 259 presented by the command <userinput>uname -n</userinput> 260 and ends in <filename>.twr</filename>. These files were created 261 during report creation and the most current one is needed to update the 262 <application>Tripwire</application> database of your system. As the 263 <systemitem class='username'>root</systemitem> user, type in the 264 following command making the appropriate report name:</para> 265 266 <screen role="root"><userinput>tripwire --update --twrfile /var/lib/tripwire/report/<replaceable><report-name.twr></replaceable></userinput></screen> 267 268 <para>You will be placed into <application>Vim</application> with a copy 269 of the report in front of you. If all the changes were good, then just 270 type <command>:wq</command> and after entering your local key, the database 271 will be updated. If there are files which you still want to be warned 272 about, remove the 'x' before the filename in the report and type 273 <command>:wq</command>.</para> 274 275 <!-- 10-12-2013 bad URL and no good URL found 276 <para>A good summary of tripwire operations can be found at 277 <ulink url="http://va-holladays.no-ip.info:2200/tools/security-docs/tripwire-v1.0.pdf"/>.</para> 278 --> 276 <para> 277 View the output to check the integrity of your files. An automatic 278 integrity report can be produced by using a cron facility to schedule 279 the runs. 280 </para> 281 282 <para> 283 Reports are stored in binary and, if desired, encrypted. 
View reports, 284 as the <systemitem class="username">root</systemitem> user, with: 285 </para> 286 287 <screen role="nodump"><userinput>twprint --print-report -r /var/lib/tripwire/report/<replaceable><report-name.twr></replaceable></userinput></screen> 288 289 <para> 290 After you run an integrity check, you should examine the report (or 291 email) and then modify the <application>Tripwire</application> database 292 to reflect the changed files on your system. This is so that 293 <application>Tripwire</application> will not continually notify you 294 hat files you intentionally changed are a security violation. To do 295 this you must first <command>ls -l /var/lib/tripwire/report/</command> 296 and note the name of the newest file which starts with your system 297 name as presented by the command <userinput>uname -n</userinput> and 298 ends in <filename>.twr</filename>. These files were created during 299 report creation and the most current one is needed to update the 300 <application>Tripwire</application> database of your system. As the 301 <systemitem class='username'>root</systemitem> user, type in the 302 following command making the appropriate report name: 303 </para> 304 305 <screen role="nodump"><userinput>tripwire --update --twrfile /var/lib/tripwire/report/<replaceable><report-name.twr></replaceable></userinput></screen> 306 307 <para> 308 You will be placed into <application>Vim</application> with a copy 309 of the report in front of you. If all the changes were good, then just 310 type <command>:wq</command> and after entering your local key, the 311 database will be updated. If there are files which you still want to 312 be warned about, remove the 'x' before the filename in the report and 313 type <command>:wq</command>. 
314 </para> 315 279 316 </sect3> 280 317 … … 282 319 <title>Changing the Policy File</title> 283 320 284 <para>If you are unhappy with your policy file and would like to modify 285 it or use a new one, modify the policy file and then execute the following 286 commands as the <systemitem class='username'>root</systemitem> user:</para> 287 288 <screen role="root"><userinput>twadmin --create-polfile /etc/tripwire/twpol.txt && 321 <para> 322 If you are unhappy with your policy file and would like to modify it 323 or use a new one, modify the policy file and then execute the following 324 commands as the <systemitem class='username'>root</systemitem> user: 325 </para> 326 327 <screen role="nodump"><userinput>twadmin --create-polfile /etc/tripwire/twpol.txt && 289 328 tripwire --init</userinput></screen> 290 329 … … 317 356 <term><command>siggen</command></term> 318 357 <listitem> 319 <para>is a signature gathering utility that displays 320 the hash function values for the specified files.</para> 358 <para> 359 is a signature gathering utility that displays 360 the hash function values for the specified files. 361 </para> 321 362 <indexterm zone="tripwire siggen"> 322 363 <primary sortas="b-siggen">siggen</primary> … … 328 369 <term><command>tripwire</command></term> 329 370 <listitem> 330 <para>is the main file integrity checking program.</para> 371 <para> 372 is the main file integrity checking program. 373 </para> 331 374 <indexterm zone="tripwire tripwire"> 332 375 <primary sortas="b-tripwire">tripwire</primary> … … 338 381 <term><command>twadmin</command></term> 339 382 <listitem> 340 <para>administrative and utility tool used to perform 341 certain administrative functions related to 342 <application>Tripwire</application> files and configuration 343 options.</para> 383 <para> 384 administrative and utility tool used to perform 385 certain administrative functions related to 386 <application>Tripwire</application> files and configuration 387 options. 
388 </para> 344 389 <indexterm zone="tripwire twadmin"> 345 390 <primary sortas="b-twadmin">twadmin</primary> … … 351 396 <term><command>twprint</command></term> 352 397 <listitem> 353 <para>prints <application>Tripwire</application> 354 database and report files in clear text format.</para> 398 <para> 399 prints <application>Tripwire</application> 400 database and report files in clear text format. 401 </para> 355 402 <indexterm zone="tripwire twprint"> 356 403 <primary sortas="b-twprint">twprint</primary> -
postlfs/security/volume_key.xml
r914049f6 r47274444 106 106 107 107 <note> 108 <para>This package expands to the directory 109 volume_key-volume_key-&volume_key-version;. 108 <para> 109 This package expands to the directory 110 volume_key-volume_key-&volume_key-version;. 110 111 </para> 111 112 </note> -
postlfs/security/vulnerabilities.xml
r914049f6 r47274444 24 24 <title>About vulnerabilities</title> 25 25 26 <para>All software has bugs. Sometimes, a bug can be exploited, for example 27 to allow users to gain enhanced privileges (perhaps gaining a root shell, or 28 simply accessing or deleting other user's files), or to allow a remote 29 site to crash an application (denial of service), or for theft of data. These 30 bugs are labelled as vulnerabilities.</para> 31 32 <para>The main place where vulnerabilities get logged is 33 <ulink url="http://cve.mitre.org">cve.mitre.org</ulink>. 34 Unfortunately, many vulnerability numbers (CVE-yyyy-nnnn) are initially only 35 labelled as "reserved" when distributions start issuing fixes. Also, some 36 vulnerabilities apply to particular combinations of 37 <command>configure</command> options, or only apply to old versions of 38 packages which have long since been updated in BLFS.</para> 39 40 <para>BLFS differs from distributions - there is no BLFS security team, and 41 the editors only become aware of vulnerabilities after they are public 42 knowledge. Sometimes, a package with a vulnerability will not be updated in 43 the book for a long time. Issues can be logged in the Trac system, which 44 might speed up resolution.</para> 45 46 <para>The normal way for BLFS to fix a vulnerability is, ideally, to update 47 the book to a new fixed release of the package. Sometimes that happens even 48 before the vulnerability is public knowledge, so there is no guarantee that 49 it will be shown as a vulnerability fix in the Changelog. Alternatively, a 50 <command>sed</command> command, or a patch taken from a distribution, may be 51 appropriate.</para> 52 53 <para>The bottom line is that you are responsible for your own security, and 54 for assessing the potential impact of any problems.</para> 55 56 <para>To keep track of what is being discovered, you may wish to follow the 57 security announcements of one or more distributions. 
For example, Debian has 58 <ulink url="http://www.debian.org/security">Debian security</ulink>. 59 Fedora's links on security are at 60 <ulink url="http://fedoraproject.org/wiki/Security">the Fedora wiki</ulink>. 61 Details of Gentoo linux security announcements are discussed at 62 <ulink url="https://security.gentoo.org">Gentoo security</ulink>. 63 Finally, the Slackware archives of security announcements are at 64 <ulink url="http://slackware.com/security">Slackware security</ulink>. 26 <para> 27 All software has bugs. Sometimes, a bug can be exploited, for example to 28 allow users to gain enhanced privileges (perhaps gaining a root shell, 29 or simply accessing or deleting other user's files), or to allow a 30 remote site to crash an application (denial of service), or for theft of 31 data. These bugs are labelled as vulnerabilities. 65 32 </para> 66 33 67 <para>The most general English source is perhaps 68 <ulink url="http://seclists.org/fulldisclosure">the Full Disclosure Mailing 69 List</ulink>, but please read the comment on that page. If you use other 70 languages you may prefer other sites such as http://www.heise.de/security 71 <ulink url="http://www.heise.de/security">heise.de</ulink> (German) or 72 <ulink url="http://www.cert.hr">cert.hr</ulink> (Croatian). These are not 73 linux-specific. There is also a daily update at lwn.net for subscribers 74 (free access to the data after 2 weeks, but their vulnerabilities database at 75 <ulink url="http://lwn.net/Vulnerabilities/">lwn.net/Vulnerabilities</ulink> 76 is unrestricted).</para> 34 <para> 35 The main place where vulnerabilities get logged is 36 <ulink url="http://cve.mitre.org">cve.mitre.org</ulink>. Unfortunately, 37 many vulnerability numbers (CVE-yyyy-nnnn) are initially only labelled 38 as "reserved" when distributions start issuing fixes. 
Also, some 39 vulnerabilities apply to particular combinations of 40 <command>configure</command> options, or only apply to old versions of 41 packages which have long since been updated in BLFS. 42 </para> 77 43 78 <para>For some packages, subscribing to their 'announce' lists 79 will provide prompt news of newer versions.</para> 44 <para> 45 BLFS differs from distributions—there is no BLFS security team, and 46 the editors only become aware of vulnerabilities after they are public 47 knowledge. Sometimes, a package with a vulnerability will not be updated 48 in the book for a long time. Issues can be logged in the Trac system, 49 which might speed up resolution. 50 </para> 51 52 <para> 53 The normal way for BLFS to fix a vulnerability is, ideally, to update 54 the book to a new fixed release of the package. Sometimes that happens 55 even before the vulnerability is public knowledge, so there is no 56 guarantee that it will be shown as a vulnerability fix in the Changelog. 57 Alternatively, a <command>sed</command> command, or a patch taken from 58 a distribution, may be appropriate. 59 </para> 60 61 <para> 62 The bottom line is that you are responsible for your own security, and 63 for assessing the potential impact of any problems. 64 </para> 65 66 <para> 67 To keep track of what is being discovered, you may wish to follow the 68 security announcements of one or more distributions. For example, Debian 69 has <ulink url="http://www.debian.org/security">Debian security</ulink>. 70 Fedora's links on security are at <ulink 71 url="http://fedoraproject.org/wiki/Security">the Fedora wiki</ulink>. 72 Details of Gentoo linux security announcements are discussed at 73 <ulink url="https://security.gentoo.org">Gentoo security</ulink>. 74 Finally, the Slackware archives of security announcements are at 75 <ulink url="http://slackware.com/security">Slackware security</ulink>. 
76 </para> 77 78 <para> 79 The most general English source is perhaps 80 <ulink url="http://seclists.org/fulldisclosure">the Full Disclosure 81 Mailing List</ulink>, but please read the comment on that page. If you 82 use other languages you may prefer other sites such as <ulink 83 url="http://www.heise.de/security">heise.de</ulink> (German) or <ulink 84 url="http://www.cert.hr">cert.hr</ulink> (Croatian). These are not 85 linux-specific. There is also a daily update at lwn.net for subscribers 86 (free access to the data after 2 weeks, but their vulnerabilities 87 database at <ulink 88 url="http://lwn.net/Vulnerabilities/">lwn.net/Vulnerabilities</ulink> 89 is unrestricted). 90 </para> 91 92 <para> 93 For some packages, subscribing to their 'announce' lists 94 will provide prompt news of newer versions. 95 </para> 80 96 81 97 <para condition="html" role="usernotes">User Notes:
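Review bot: the change from "distributions - there is no BLFS security team" to "distributions—there is no BLFS security team" alters the text, not just the whitespace, so this hunk is not the pure reflow the rest of it looks like; either keep the original " - " here or call out the punctuation change explicitly so reviewers comparing the two columns do not miss it. The removal of the stray bare "http://www.heise.de/security" that preceded the heise.de ulink is a real fix and also deserves a mention. While these paragraphs are being re-wrapped, "other user's files" should read "other users' files" and "Gentoo linux" should be "Gentoo Linux"; both survive unchanged in the new column.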