Changeset 47274444 for postlfs/security

Timestamp:

03/24/2020 07:19:44 PM (4 years ago)

Author:

Pierre Labastie <pieere@…>

Branches:

10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, lazarus, lxqt, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal

Children:

fa3edfef

Parents:

914049f6

Message:

Format postlfs/security and misc/forgotten

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@22884 af4574ff-66df-0310-9fd7-8a98e5e911e0

Location:

postlfs/security

Files:

• cracklib.xml (modified) (14 diffs)
• cryptsetup.xml (modified) (1 diff)
• gnupg2.xml (modified) (26 diffs)
• haveged.xml (modified) (1 diff)
• libcap.xml (modified) (5 diffs)
• liboauth.xml (modified) (1 diff)
• linux-pam.xml (modified) (5 diffs)
• make-ca.xml (modified) (7 diffs)
• mitkrb.xml (modified) (1 diff)
• nessus.xml (modified) (1 diff)
• nettle.xml (modified) (1 diff)
• nss.xml (modified) (1 diff)
• p11-kit.xml (modified) (4 diffs)
• security.xml (modified) (1 diff)
• shadow.xml (modified) (1 diff)
• stunnel.xml (modified) (17 diffs)
• syslog.xml (modified) (1 diff)
• tripwire.xml (modified) (13 diffs)
• volume_key.xml (modified) (1 diff)
• vulnerabilities.xml (modified) (1 diff)

postlfs/security/cracklib.xml

@@ -36 +36 @@
     <title>Introduction to CrackLib</title>
 
-    <para>The <application>CrackLib</application> package contains a
-    library used to enforce strong passwords by comparing user selected
-    passwords to words in chosen word lists.</para>
+    <para>
+      The <application>CrackLib</application> package contains a
+      library used to enforce strong passwords by comparing user selected
+      passwords to words in chosen word lists.
+    </para>
 
     &lfs91_checked;
@@ -45 +47 @@
     <itemizedlist spacing="compact">
       <listitem>
-        <para>Download (HTTP): <ulink url="&cracklib-download-http;"/></para>
-      </listitem>
-      <listitem>
-        <para>Download (FTP): <ulink url="&cracklib-download-ftp;"/></para>
-      </listitem>
-      <listitem>
-        <para>Download MD5 sum: &cracklib-md5sum;</para>
-      </listitem>
-      <listitem>
-        <para>Download size: &cracklib-size;</para>
-      </listitem>
-      <listitem>
-        <para>Estimated disk space required: &cracklib-buildsize;</para>
-      </listitem>
-      <listitem>
-        <para>Estimated build time: &cracklib-time;</para>
+        <para>
+          Download (HTTP): <ulink url="&cracklib-download-http;"/>
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Download (FTP): <ulink url="&cracklib-download-ftp;"/>
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Download MD5 sum: &cracklib-md5sum;
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Download size: &cracklib-size;
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Estimated disk space required: &cracklib-buildsize;
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Estimated build time: &cracklib-time;
+        </para>
       </listitem>
     </itemizedlist>
@@ -67 +81 @@
     <itemizedlist spacing="compact">
       <listitem>
-        <para>Recommended word list for English-speaking countries (size:
-        &crackdict-size;; md5sum: &crackdict-md5sum;):
-        <ulink url="&crackdict-download;"/></para>
+        <para>
+          Recommended word list for English-speaking countries (size:
+          &crackdict-size;; md5sum: &crackdict-md5sum;):
+          <ulink url="&crackdict-download;"/>
+        </para>
       </listitem>
     </itemizedlist>
 
-    <para>There are additional word lists available for download, e.g., from
-    <ulink url="http://www.cotse.com/tools/wordlists.htm"/>.
-    <application>CrackLib</application> can utilize as many, or as few word
-    lists you choose to install.</para>
+    <para>
+      There are additional word lists available for download, e.g., from
+      <ulink url="http://www.cotse.com/tools/wordlists.htm"/>.
+      <application>CrackLib</application> can utilize as many, or as few word
+      lists you choose to install.
+    </para>
 
     <important>
-      <para>Users tend to base their passwords on regular words of the spoken
-      language, and crackers know that. <application>CrackLib</application> is
-      intended to filter out such bad passwords at the source using a
-      dictionary created from word lists. To accomplish this, the word list(s)
-      for use with <application>CrackLib</application> must be an exhaustive
-      list of words and word-based keystroke combinations likely to be chosen
-      by users of the system as (guessable) passwords.</para>
-
-      <para>The default word list recommended above for downloading mostly
-      satisfies this role in English-speaking countries. In other situations,
-      it may be necessary to download (or even create) additional word
-      lists.</para>
-
-      <para>Note that word lists suitable for spell-checking are not usable
-      as <application>CrackLib</application> word lists in countries with
-      non-Latin based alphabets, because of <quote>word-based keystroke
-      combinations</quote> that make bad passwords.</para>
+      <para>
+        Users tend to base their passwords on regular words of the spoken
+        language, and crackers know that. <application>CrackLib</application>
+        is intended to filter out such bad passwords at the source using a
+        dictionary created from word lists. To accomplish this, the word
+        list(s) for use with <application>CrackLib</application> must be an
+        exhaustive list of words and word-based keystroke combinations likely
+        to be chosen by users of the system as (guessable) passwords.
+      </para>
+
+      <para>
+        The default word list recommended above for downloading mostly
+        satisfies this role in English-speaking countries. In other situations,
+        it may be necessary to download (or even create) additional word lists.
+      </para>
+
+      <para>
+        Note that word lists suitable for spell-checking are not usable
+        as <application>CrackLib</application> word lists in countries with
+        non-Latin based alphabets, because of <quote>word-based keystroke
+        combinations</quote> that make bad passwords.
+      </para>
     </important>
 
@@ -113 +136 @@
     <title>Installation of CrackLib</title>
 
-    <para>Install <application>CrackLib</application> by running the following
-    commands:</para>
+    <para>
+      Install <application>CrackLib</application> by running the following
+      commands:
+    </para>
 
 <screen><userinput>sed -i '/skipping/d' util/packer.c &amp;&amp;
@@ -123 +148 @@
 make</userinput></screen>
 
-    <para>Now, as the <systemitem class="username">root</systemitem> user:</para>
+    <para>
+      Now, as the <systemitem class="username">root</systemitem> user:
+    </para>
 
 <screen role="root"><userinput>make install                      &amp;&amp;
@@ -129 +156 @@
 ln -sfv ../../lib/$(readlink /usr/lib/libcrack.so) /usr/lib/libcrack.so</userinput></screen>
 
-    <para>Issue the following commands as the
-    <systemitem class="username">root</systemitem> user to install the
-    recommended word list and create the <application>CrackLib</application>
-    dictionary. Other word lists (text based, one word per line) can also be
-    used by simply installing them into
-    <filename class="directory">/usr/share/dict</filename> and adding them
-    to the <command>create-cracklib-dict</command> command.</para>
+    <para>
+      Issue the following commands as the
+      <systemitem class="username">root</systemitem> user to install the
+      recommended word list and create the <application>CrackLib</application>
+      dictionary. Other word lists (text based, one word per line) can also be
+      used by simply installing them into
+      <filename class="directory">/usr/share/dict</filename> and adding them
+      to the <command>create-cracklib-dict</command> command.
+    </para>
 
 <screen role="root"><userinput>install -v -m644 -D    ../cracklib-words-&cracklib-version;.bz2 \
@@ -148 +177 @@
                          /usr/share/dict/cracklib-extra-words</userinput></screen>
 
-    <para>If desired, check the proper operation of the library as an
-    unprivileged user by issuing the following command:</para>
+    <para>
+      If desired, check the proper operation of the library as an
+      unprivileged user by issuing the following command:
+    </para>
 
 <screen remap="test"><userinput>make test</userinput></screen>
 
     <important>
-      <para>If you are installing <application>CrackLib</application> after
-      your LFS system has been completed and you have the
-      <application>Shadow</application> package installed, you must
-      reinstall <xref linkend="shadow"/> if you wish to provide strong
-      password support on your system. If you are now going to install the
-      <xref linkend="linux-pam"/> package, you may disregard this note as
-      <application>Shadow</application> will be reinstalled after the
-      <application>Linux-PAM</application> installation.</para>
+      <para>
+        If you are installing <application>CrackLib</application> after
+        your LFS system has been completed and you have the
+        <application>Shadow</application> package installed, you must
+        reinstall <xref linkend="shadow"/> if you wish to provide strong
+        password support on your system. If you are now going to install the
+        <xref linkend="linux-pam"/> package, you may disregard this note as
+        <application>Shadow</application> will be reinstalled after the
+        <application>Linux-PAM</application> installation.
+      </para>
     </important>
 
@@ -169 +202 @@
     <title>Command Explanations</title>
 
-    <para><command>sed -i '/skipping/d' util/packer.c</command>:
-    Remove a meaningless warning.</para>
-
-    <para><parameter>--with-default-dict=/lib/cracklib/pw_dict</parameter>:
-    This parameter forces the installation of the
-    <application>CrackLib</application> dictionary to the
-    <filename class="directory">/lib</filename> hierarchy.</para>
+    <para>
+      <command>sed -i '/skipping/d' util/packer.c</command>:
+      Remove a meaningless warning.
+    </para>
+
+    <para>
+      <parameter>--with-default-dict=/lib/cracklib/pw_dict</parameter>:
+      This parameter forces the installation of the
+      <application>CrackLib</application> dictionary to the
+      <filename class="directory">/lib</filename> hierarchy.
+    </para>
 
     <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
       href="../../xincludes/static-libraries.xml"/>
 
-    <para><command>mv -v /usr/lib/libcrack.so.2* /lib</command> and
-    <command>ln -v -sf ../../lib/libcrack.so.2.9.0 ...</command>: These two
-    commands move the <filename class="libraryfile">libcrack.so.2.9.0</filename>
-    library and associated symlink from
-    <filename class="directory">/usr/lib</filename> to
-    <filename class="directory">/lib</filename>, then recreates the
-    <filename class="symlink">/usr/lib/libcrack.so</filename> symlink pointing
-    to the relocated file.</para>
-
-    <para><command>install -v -m644 -D ...</command>: This command creates the
-    <filename class="directory">/usr/share/dict</filename> directory (if it
-    doesn't already exist) and installs the compressed word list there.</para>
-
-    <para><command>ln -v -s cracklib-words /usr/share/dict/words</command>: The
-    word list is linked to <filename>/usr/share/dict/words</filename> as
-    historically, <filename>words</filename> is the primary word list in the
-    <filename class="directory">/usr/share/dict</filename> directory. Omit this
-    command if you already have a <filename>/usr/share/dict/words</filename>
-    file installed on your system.</para>
-
-    <para><command>echo $(hostname) >>...</command>: The value of
-    <command>hostname</command> is echoed to a file called
-    <filename>cracklib-extra-words</filename>. This extra file is intended to be
-    a site specific list which includes easy to guess passwords such as company
-    or department names, user names, product names, computer names, domain
-    names, etc.</para>
-
-    <para><command>create-cracklib-dict ...</command>: This command creates the
-    <application>CrackLib</application> dictionary from the word lists. Modify
-    the command to add any additional word lists you have installed.</para>
+    <para>
+      <command>mv -v /usr/lib/libcrack.so.2* /lib</command> and
+      <command>ln -v -sf ../../lib/libcrack.so.2.9.0 ...</command>: These two
+      commands move the <filename
+      class="libraryfile">libcrack.so.2.9.0</filename>
+      library and associated symlink from
+      <filename class="directory">/usr/lib</filename> to
+      <filename class="directory">/lib</filename>, then recreates the
+      <filename class="symlink">/usr/lib/libcrack.so</filename> symlink
+      pointing to the relocated file.
+    </para>
+
+    <para>
+      <command>install -v -m644 -D ...</command>: This command creates the
+      <filename class="directory">/usr/share/dict</filename> directory (if it
+      doesn't already exist) and installs the compressed word list there.
+    </para>
+
+    <para>
+      <command>ln -v -s cracklib-words /usr/share/dict/words</command>: The
+      word list is linked to <filename>/usr/share/dict/words</filename> as
+      historically, <filename>words</filename> is the primary word list in the
+      <filename class="directory">/usr/share/dict</filename> directory. Omit
+      this command if you already have a
+      <filename>/usr/share/dict/words</filename> file installed on your system.
+    </para>
+
+    <para>
+      <command>echo $(hostname) >>...</command>: The value of
+      <command>hostname</command> is echoed to a file called
+      <filename>cracklib-extra-words</filename>. This extra file is intended
+      to be a site specific list which includes easy to guess passwords such
+      as company or department names, user names, product names, computer
+      names, domain names, etc.
+    </para>
+
+    <para>
+      <command>create-cracklib-dict ...</command>: This command creates the
+      <application>CrackLib</application> dictionary from the word lists.
+      Modify the command to add any additional word lists you have installed.
+    </para>
 
   </sect2>
@@ -240 +288 @@
         <term><command>cracklib-check</command></term>
         <listitem>
-          <para>is used to determine if a password is strong.</para>
+          <para>
+            is used to determine if a password is strong.
+          </para>
           <indexterm zone="cracklib cracklib-check">
             <primary sortas="b-cracklib-check">cracklib-check</primary>
@@ -250 +300 @@
         <term><command>cracklib-format</command></term>
         <listitem>
-          <para>is used to format text files (lowercases all words,
-          removes control characters and sorts the lists).</para>
+          <para>
+            is used to format text files (lowercases all words,
+            removes control characters and sorts the lists).
+          </para>
           <indexterm zone="cracklib cracklib-format">
             <primary sortas="b-cracklib-format">cracklib-format</primary>
@@ -261 +313 @@
         <term><command>cracklib-packer</command></term>
         <listitem>
-          <para>creates a database with words read from standard input.</para>
+          <para>
+            creates a database with words read from standard input.
+          </para>
           <indexterm zone="cracklib cracklib-packer">
             <primary sortas="b-cracklib-packer">cracklib-packer</primary>
@@ -271 +325 @@
         <term><command>cracklib-unpacker</command></term>
         <listitem>
-          <para>displays on standard output the database specified.</para>
+          <para>
+            displays on standard output the database specified.
+          </para>
           <indexterm zone="cracklib cracklib-packer">
             <primary sortas="b-cracklib-packer">cracklib-packer</primary>
@@ -281 +337 @@
         <term><command>create-cracklib-dict</command></term>
         <listitem>
-          <para>is used to create the <application>CrackLib</application>
-          dictionary from the given word list(s).</para>
+          <para>
+            is used to create the <application>CrackLib</application>
+            dictionary from the given word list(s).
+          </para>
           <indexterm zone="cracklib create-cracklib-dict">
             <primary sortas="b-create-cracklib-dict">create-cracklib-dict</primary>
@@ -292 +350 @@
         <term><filename class="libraryfile">libcrack.so</filename></term>
         <listitem>
-          <para>provides a fast dictionary lookup method for strong
-          password enforcement.</para>
+          <para>
+            provides a fast dictionary lookup method for strong
+            password enforcement.
+          </para>
           <indexterm zone="cracklib libcrack">
             <primary sortas="c-libcrack">libcrack.so</primary>

postlfs/security/cryptsetup.xml

@@ -141 +141 @@
     </para>
 
-    <para>Now, as the <systemitem class="username">root</systemitem> user:</para>
+    <para>
+      Now, as the <systemitem class="username">root</systemitem> user:
+    </para>
 
 <screen role="root"><userinput>make install</userinput></screen>

postlfs/security/gnupg2.xml

@@ -30 +30 @@
     <title>Introduction to GnuPG</title>
 
-    <para>The <application>GnuPG</application> package is GNU's tool for
-    secure communication and data storage. It can be used to encrypt data and
-    to create digital signatures. It includes an advanced key management
-    facility and is compliant with the proposed OpenPGP Internet standard as
-    described in RFC2440 and the S/MIME standard as described by several RFCs.
-    GnuPG 2 is the stable version of GnuPG integrating support for OpenPGP and
-    S/MIME.</para>
+    <para>
+      The <application>GnuPG</application> package is GNU's tool for
+      secure communication and data storage. It can be used to encrypt data and
+      to create digital signatures. It includes an advanced key management
+      facility and is compliant with the proposed OpenPGP Internet standard as
+      described in RFC2440 and the S/MIME standard as described by several RFCs.
+      GnuPG 2 is the stable version of GnuPG integrating support for OpenPGP and
+      S/MIME.
+    </para>
 
     &lfs91_checked;
@@ -43 +45 @@
     <itemizedlist spacing="compact">
       <listitem>
-        <para>Download (HTTP): <ulink url="&gnupg2-download-http;"/></para>
-      </listitem>
-      <listitem>
-        <para>Download (FTP): <ulink url="&gnupg2-download-ftp;"/></para>
-      </listitem>
-      <listitem>
-        <para>Download MD5 sum: &gnupg2-md5sum;</para>
-      </listitem>
-      <listitem>
-        <para>Download size: &gnupg2-size;</para>
-      </listitem>
-      <listitem>
-        <para>Estimated disk space required: &gnupg2-buildsize;</para>
-      </listitem>
-      <listitem>
-        <para>Estimated build time: &gnupg2-time;</para>
+        <para>
+          Download (HTTP): <ulink url="&gnupg2-download-http;"/>
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Download (FTP): <ulink url="&gnupg2-download-ftp;"/>
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Download MD5 sum: &gnupg2-md5sum;
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Download size: &gnupg2-size;
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Estimated disk space required: &gnupg2-buildsize;
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Estimated build time: &gnupg2-time;
+        </para>
       </listitem>
     </itemizedlist>
@@ -103 +117 @@
   <sect2 role="installation">
     <title>Installation of GnuPG</title>
-    <!-- It's been well over three years. I think this can be commented for now.
-    <warning>
-      <para>
-        If you are upgrading from gnupg prior to version 2.1, upstream
-        developers recommend backing up
-        <filename class="directory">~/.gnupg</filename> because some additional
-        configuration will probably be necessary and you could lose your keys.
-        You can find instructions at
-        <ulink url="http://jo-ke.name/wp/?p=111"></ulink> and
-        <ulink url="https://wiki.archlinux.org/index.php/GnuPG#.22Lost.22_keys.2C_upgrading_to_gnupg_version_2.1"></ulink>.
-      </para>
-    </warning>
-    -->
-
-    <para>By default GnuPG doesn't install the deprecated gpg-zip script,
-    but it is still needed by some programs.  Make GnuPG install it with:
+
+    <para>
+      By default GnuPG doesn't install the deprecated gpg-zip script,
+      but it is still needed by some programs.  Make GnuPG install it with:
     </para>
 
@@ -124 +126 @@
     -i tools/Makefile.in</userinput></screen>
 
-    <para>Install <application>GnuPG</application> by running the following
-    commands:</para>
+    <para>
+      Install <application>GnuPG</application> by running the following
+      commands:
+    </para>
 
 <screen><userinput>./configure --prefix=/usr            \
@@ -137 +141 @@
 make -C doc html</userinput></screen>
 
-    <para>If you have <xref linkend="texlive"/>
-    installed and you wish to create documentation in alternate formats,
-    issue the following commands
-    (<ulink url="http://mcj.sourceforge.net/">fig2dev</ulink> is needed for
-    the ps format):</para>
+    <para>
+      If you have <xref linkend="texlive"/>
+      installed and you wish to create documentation in alternate formats,
+      issue the following commands
+      (<ulink url="http://mcj.sourceforge.net/">fig2dev</ulink> is needed for
+      the ps format):
+    </para>
 
 <screen remap="doc"><userinput>make -C doc pdf ps</userinput></screen>
 
-    <para>To test the results, issue: <command>make check</command>.</para>
-
-    <para>Note that if you have already installed
-    <application>GnuPG</application>, the instructions below will overwrite
-    <filename>/usr/share/man/man1/gpg-zip.1</filename>. Now, as the
-    <systemitem class="username">root</systemitem> user:</para>
+    <para>
+      To test the results, issue: <command>make check</command>.
+    </para>
+
+    <para>
+      Note that if you have already installed
+      <application>GnuPG</application>, the instructions below will overwrite
+      <filename>/usr/share/man/man1/gpg-zip.1</filename>. Now, as the
+      <systemitem class="username">root</systemitem> user:
+    </para>
 
 <screen role="root"><userinput>make install &amp;&amp;
@@ -161 +171 @@
 install -v -m644    doc/gnupg.html/* \
                     /usr/share/doc/gnupg-&gnupg2-version;/html</userinput></screen>
-    <para>If you created alternate formats of the documentation, install them
-    using the following command as the
-    <systemitem class="username">root</systemitem> user:</para>
+    <para>
+      If you created alternate formats of the documentation, install them
+      using the following command as the
+      <systemitem class="username">root</systemitem> user:
+    </para>
 
 <screen role="root"
@@ -174 +186 @@
     <title>Command Explanations</title>
 
-    <para><command>sed ... tools/Makefile.in</command>:
-    This command is needed to build the gpg-zip program.</para>
-
-    <para><parameter>--docdir=/usr/share/doc/gnupg-&gnupg2-version;</parameter>:
-    This switch changes the default docdir to <filename
-    class="directory">/usr/share/doc/gnupg-&gnupg2-version;</filename>.</para>
-
-    <para><parameter>--enable-symcryptrun</parameter>: This switch enables
-    building the symcryptrun program.</para>
+    <para>
+      <command>sed ... tools/Makefile.in</command>:
+      This command is needed to build the gpg-zip program.
+    </para>
+
+    <para>
+      <parameter>--docdir=/usr/share/doc/gnupg-&gnupg2-version;</parameter>:
+      This switch changes the default docdir to <filename
+      class="directory">/usr/share/doc/gnupg-&gnupg2-version;</filename>.
+    </para>
+
+    <para>
+      <parameter>--enable-symcryptrun</parameter>: This switch enables
+      building the symcryptrun program.
+    </para>
 
     <para>
@@ -223 +241 @@
         <term><command>addgnupghome</command></term>
         <listitem>
-          <para>is used to create and populate a user's
-          <filename class='directory'>~/.gnupg</filename> directories</para>
+          <para>
+            is used to create and populate a user's
+            <filename class='directory'>~/.gnupg</filename> directories
+          </para>
           <indexterm zone="gnupg2 addgnupghome">
             <primary sortas="b-addgnupghome">addgnupghome</primary>
@@ -234 +254 @@
         <term><command>applygnupgdefaults</command></term>
         <listitem>
-          <para>is a wrapper script used to run <command>gpgconf</command>
-          with the <parameter>--apply-defaults</parameter> parameter on all
-          user's GnuPG home directories.</para>
+          <para>
+            is a wrapper script used to run <command>gpgconf</command>
+            with the <parameter>--apply-defaults</parameter> parameter on all
+            user's GnuPG home directories.
+          </para>
           <indexterm zone="gnupg2 applygnupgdefaults">
             <primary sortas="b-applygnupgdefaults">applygnupgdefaults</primary>
@@ -246 +268 @@
         <term><command>dirmngr</command></term>
         <listitem>
-          <para> is a tool that takes care of accessing the OpenPGP keyservers.
+          <para>
+            is a tool that takes care of accessing the OpenPGP keyservers.
           </para>
           <indexterm zone="gnupg2 dirmngr">
@@ -257 +280 @@
         <term><command>dirmngr-client</command></term>
         <listitem>
-          <para> is a tool to contact a running dirmngr and test whether a
-          certificate has been revoked. </para>
+          <para>
+            is a tool to contact a running dirmngr and test whether a
+            certificate has been revoked. 
+          </para>
           <indexterm zone="gnupg2 dirmngr-client">
             <primary sortas="b-dirmngr-client">dirmngr-client</primary>
@@ -268 +293 @@
         <term><command>g13</command></term>
         <listitem>
-          <para>is a tool to create, mount or unmount an encrypted file system
-          container (optional).</para>
+          <para>
+            is a tool to create, mount or unmount an encrypted file system
+            container (optional).
+          </para>
           <indexterm zone="gnupg2 g13">
             <primary sortas="b-g13">g13</primary>
@@ -279 +306 @@
         <term><command>gpg-agent</command></term>
         <listitem>
-          <para>is a daemon used to manage secret (private) keys independently
-          from any protocol. It is used as a backend for <command>gpg2</command>
-          and <command>gpgsm</command> as well as for a couple of other
-          utilities.</para>
+          <para>
+            is a daemon used to manage secret (private) keys independently
+            from any protocol. It is used as a backend for
+            <command>gpg2</command> and <command>gpgsm</command> as well as
+            for a couple of other utilities.
+          </para>
           <indexterm zone="gnupg2 gpg-agent">
             <primary sortas="b-gpg-agent">gpg-agent</primary>
@@ -292 +321 @@
         <term><command>gpg-connect-agent</command></term>
         <listitem>
-          <para>is a utility used to communicate with a running
-          <command>gpg-agent</command>.</para>
+          <para>
+            is a utility used to communicate with a running
+            <command>gpg-agent</command>.
+          </para>
           <indexterm zone="gnupg2 gpg-connect-agent">
             <primary sortas="b-gpg-connect-agent">gpg-connect-agent</primary>
@@ -303 +334 @@
         <term><command>gpg</command></term>
         <listitem>
-          <para>is the OpenPGP part of the GNU Privacy Guard (GnuPG). It is a
-          tool used to provide digital encryption and signing services using
-          the OpenPGP standard.</para>
+          <para>
+            is the OpenPGP part of the GNU Privacy Guard (GnuPG). It is a
+            tool used to provide digital encryption and signing services using
+            the OpenPGP standard.
+          </para>
           <indexterm zone="gnupg2 gpg">
             <primary sortas="b-gpg">gpg</primary>
@@ -315 +348 @@
         <term><command>gpgconf</command></term>
         <listitem>
-          <para>is a utility used to automatically and reasonably safely
-          query and modify configuration files in the
-          <filename class='directory'>~/.gnupg</filename> home directory. It is
-          designed not to be invoked manually by the user, but automatically by
-          graphical user interfaces.</para>
+          <para>
+            is a utility used to automatically and reasonably safely
+            query and modify configuration files in the
+            <filename class='directory'>~/.gnupg</filename> home directory. It
+            is designed not to be invoked manually by the user, but
+            automatically by graphical user interfaces.
+          </para>
           <indexterm zone="gnupg2 gpgconf">
             <primary sortas="b-gpgconf">gpgconf</primary>
@@ -329 +364 @@
         <term><command>gpgparsemail</command></term>
         <listitem>
-          <para>is a utility currently only useful for debugging. Run it with
-          <parameter>--help</parameter> for usage information.</para>
+          <para>
+            is a utility currently only useful for debugging. Run it with
+            <parameter>--help</parameter> for usage information.
+          </para>
           <indexterm zone="gnupg2 gpgparsemail">
             <primary sortas="b-gpgparsemail">gpgparsemail</primary>
@@ -340 +377 @@
         <term><command>gpgscm</command></term>
         <listitem>
-          <para>executes the given scheme program or spawns an interactive
-          shell.</para>
+          <para>
+            executes the given scheme program or spawns an interactive shell.
+          </para>
           <indexterm zone="gnupg2 gpgscm">
             <primary sortas="b-gpgscm">gpgscm</primary>
@@ -351 +389 @@
         <term><command>gpgsm</command></term>
         <listitem>
-          <para>is a tool similar to <command>gpg2</command> used to provide
-          digital encryption and signing services on X.509 certificates and the
-          CMS protocol. It is mainly used as a backend for S/MIME mail
-          processing.</para>
+          <para>
+            is a tool similar to <command>gpg2</command> used to provide
+            digital encryption and signing services on X.509 certificates and
+            the CMS protocol. It is mainly used as a backend for S/MIME mail
+            processing.
+          </para>
           <indexterm zone="gnupg2 gpgsm">
             <primary sortas="b-gpgsm">gpgsm</primary>
@@ -364 +404 @@
         <term><command>gpgtar</command></term>
         <listitem>
-          <para> is a tool to encrypt or sign files into an archive.</para>
+          <para>
+            is a tool to encrypt or sign files into an archive.
+          </para>
           <indexterm zone="gnupg2 gpgtar">
             <primary sortas="b-gpgtar">gpgtar</primary>
@@ -374 +416 @@
         <term><command>gpgv</command></term>
         <listitem>
-          <para>is a verify only version of <command>gpg2</command>.</para>
+          <para>
+            is a verify only version of <command>gpg2</command>.
+          </para>
           <indexterm zone="gnupg2 gpgv">
             <primary sortas="b-gpgv">gpgv</primary>
@@ -384 +428 @@
         <term><command>gpg-wks-server</command></term>
         <listitem>
-          <para>provides a server for the
-          <application>Web Key Service</application> protocol.</para>
+          <para>
+            provides a server for the
+            <application>Web Key Service</application> protocol.
+          </para>
           <indexterm zone="gnupg2 gpg-wks-server">
             <primary sortas="b-gpg-wks-server">gpg-wks-server</primary>
@@ -395 +441 @@
         <term><command>gpg-zip</command></term>
         <listitem>
-          <para>encrypts or signs files into an archive.</para>
+          <para>
+            encrypts or signs files into an archive.
+          </para>
           <indexterm zone="gnupg2 gpg-zip">
             <primary sortas="b-gpg-zip">gpg-zip</primary>
@@ -405 +453 @@
         <term><command>kbxutil</command></term>
         <listitem>
-          <para>is used to list, export and import Keybox data.</para>
+          <para>
+            is used to list, export and import Keybox data.
+          </para>
           <indexterm zone="gnupg2 kbxutil">
             <primary sortas="b-kbxutil">kbxutil</primary>
@@ -415 +465 @@
         <term><command>symcryptrun</command></term>
         <listitem>
-          <para>is a simple symmetric encryption tool.</para>
+          <para>
+            is a simple symmetric encryption tool.
+          </para>
           <indexterm zone="gnupg2 symcryptrun">
             <primary sortas="b-symcryptrun">symcryptrun</primary>
@@ -425 +477 @@
         <term><command>watchgnupg</command></term>
         <listitem>
-          <para>is used to listen to a Unix Domain socket created by any of
-          the GnuPG tools.</para>
+          <para>
+            is used to listen to a Unix Domain socket created by any of
+            the GnuPG tools.
+          </para>
           <indexterm zone="gnupg2 watchgnupg">
             <primary sortas="b-watchgnupg">watchgnupg</primary>

postlfs/security/haveged.xml

@@ -80 +80 @@
     <title>Installation of Haveged</title>
 
-    <para>Install <application>Haveged</application> by running the following
-    commands:</para>
+    <para>
+      Install <application>Haveged</application> by running the following
+      commands:
+    </para>
 
 <screen><userinput>./configure --prefix=/usr &amp;&amp;

postlfs/security/libcap.xml

@@ -30 +30 @@
     <title>Introduction to libcap with PAM</title>
 
-    <para>The <application>libcap</application> package was installed in 
-    LFS, but if <application>Linux-PAM</application> support is desired,
-    the PAM module must be built (after installation of
-    <application>Linux-PAM</application>).</para>
+    <para>
+      The <application>libcap</application> package was installed in 
+      LFS, but if <application>Linux-PAM</application> support is desired,
+      the PAM module must be built (after installation of
+      <application>Linux-PAM</application>).
+    </para>
 
     &lfs91_checked;
@@ -40 +42 @@
     <itemizedlist spacing="compact">
       <listitem>
-        <para>Download (HTTP): <ulink url="&libcap-download-http;"/></para>
+        <para>
+          Download (HTTP): <ulink url="&libcap-download-http;"/>
+        </para>
       </listitem>
       <listitem>
-        <para>Download (FTP): <ulink url="&libcap-download-ftp;"/></para>
+        <para>
+          Download (FTP): <ulink url="&libcap-download-ftp;"/>
+        </para>
       </listitem>
       <listitem>
-        <para>Download MD5 sum: &libcap-md5sum;</para>
+        <para>
+          Download MD5 sum: &libcap-md5sum;
+        </para>
       </listitem>
       <listitem>
-        <para>Download size: &libcap-size;</para>
+        <para>
+          Download size: &libcap-size;
+        </para>
       </listitem>
       <listitem>
-        <para>Estimated disk space required: &libcap-buildsize;</para>
+        <para>
+          Estimated disk space required: &libcap-buildsize;
+        </para>
       </listitem>
       <listitem>
-        <para>Estimated build time: &libcap-time;</para>
+        <para>
+          Estimated build time: &libcap-time;
+        </para>
       </listitem>
     </itemizedlist>
@@ -75 +89 @@
 
     <note>
-      <para>If you are upgrading libcap from a previous version, use the
-      instructions in 
-      <ulink url="../../../../lfs/view/development/chapter06/libcap.html">LFS libcap page</ulink>
-      to upgrade libcap. If the PAM module has been built, it will automatically
-      be picked up.</para>
+      <para>
+        If you are upgrading libcap from a previous version, use the
+        instructions in
+        <ulink url="../../../../lfs/view/development/chapter06/libcap.html">
+          LFS libcap page
+        </ulink> to upgrade libcap. If <xref linkend="linux-pam"/> has been
+        built, the PAM module will automatically be built too.
+      </para>
     </note>
 
-    <para>Install <application>libcap</application> by running the following
-    commands:</para>
+    <para>
+      Install <application>libcap</application> by running the following
+      commands:
+    </para>
 
 <screen><userinput>make -C pam_cap</userinput></screen>
 
-    <para>This package does not come with a test suite.</para>
+    <para>
+      This package does not come with a test suite.
+    </para>
 
-    <para>Now, as the <systemitem class="username">root</systemitem> user:</para>
+    <para>
+      Now, as the <systemitem class="username">root</systemitem> user:
+    </para>
 
 <screen role="root"><userinput>install -v -m755 pam_cap/pam_cap.so /lib/security &amp;&amp;
@@ -99 +122 @@
     <title>Configuring Libcap</title>
 
-    <para>In order to allow <application>Linux-PAM</application> to grant
-    privileges based on POSIX capabilites, you need to add the libcap module
-    to the begining of the <filename>/etc/pam.d/system-auth</filename> file.
-    Make the required edits with the following commands:</para>
+    <para>
+      In order to allow <application>Linux-PAM</application> to grant
+      privileges based on POSIX capabilites, you need to add the libcap module
+      to the begining of the <filename>/etc/pam.d/system-auth</filename> file.
+      Make the required edits with the following commands:
+    </para>
 
 <screen role="root"><userinput>mv -v /etc/pam.d/system-auth{,.bak} &amp;&amp;
@@ -112 +137 @@
 tail -n +3 /etc/pam.d/system-auth.bak &gt;&gt; /etc/pam.d/system-auth</userinput></screen>
 
-    <para>Additonally, you'll need to modify the
-    <filename>/etc/security/capability.conf</filename> file to grant necessary
-    privileges to users, and utilize the <command>setcap</command>
-    utility to set capabilities on specific utilities as needed. See
-    <command>man 8 setcap</command> and <command>man 3 cap_from_text</command>
-    for additional information.</para>
+    <para>
+      Additonally, you'll need to modify the
+      <filename>/etc/security/capability.conf</filename> file to grant
+      necessary privileges to users, and utilize the <command>setcap</command>
+      utility to set capabilities on specific utilities as needed. See
+      <command>man 8 setcap</command> and
+      <command>man 3 cap_from_text</command> for additional information.
+    </para>
  
   </sect2>

postlfs/security/liboauth.xml

@@ -77 +77 @@
     <itemizedlist spacing="compact">
       <listitem>
-        <para>Required patch for use with openssl: <ulink 
-        url="&patch-root;/liboauth-&liboauth-version;-openssl-1.1.0-3.patch"/>
+        <para>
+          Required patch for use with openssl: <ulink url=
+            "&patch-root;/liboauth-&liboauth-version;-openssl-1.1.0-3.patch"/>
         </para>
       </listitem>

postlfs/security/linux-pam.xml

@@ -304 +304 @@
 # End /etc/pam.d/other</literal></screen>
 
-      <para>Now set up some generic files.  As root:</para>
+      <para>
+        Now set up some generic files.  As root:
+      </para>
 
 <screen role="root"><userinput>install -vdm755 /etc/pam.d &amp;&amp;
@@ -331 +333 @@
 EOF</userinput></screen>
 
-    <para>The remaining generic file depends on whether <xref linkend="cracklib"/>
-    is installed.  If it is installed, use:</para>
+      <para>
+        The remaining generic file depends on whether <xref
+        linkend="cracklib"/> is installed.  If it is installed, use:
+      </para>
 
 <screen role="root"><userinput>cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
@@ -352 +356 @@
 EOF</userinput></screen>
 
-        <note>
-          <para>
-            In its default configuration, pam_cracklib will
-            allow multiple case passwords as short as 6 characters, even with
-            the <parameter>minlen</parameter> value set to 11. You should review
-            the pam_cracklib(8) man page and determine if these default values
-            are acceptable for the security of your system.
-          </para>
-        </note>
-
-   <para>If <xref linkend="cracklib"/> is <emphasis>NOT</emphasis> installed,
-   use:</para>
+      <note>
+        <para>
+          In its default configuration, pam_cracklib will
+          allow multiple case passwords as short as 6 characters, even with
+          the <parameter>minlen</parameter> value set to 11. You should review
+          the pam_cracklib(8) man page and determine if these default values
+          are acceptable for the security of your system.
+        </para>
+      </note>
+
+      <para>
+        If <xref linkend="cracklib"/> is <emphasis>NOT</emphasis> installed,
+        use:
+      </para>
 
 <screen role="nodump"><userinput>cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
@@ -375 +381 @@
 EOF</userinput></screen>
 
-      <para>Now add a restrictive <filename>/etc/pam.d/other</filename>
-      configuration file.  With this file, programs that are PAM aware will not
-      run unless a configuration file specifically for that application is
-      created.</para>
+      <para>
+        Now add a restrictive <filename>/etc/pam.d/other</filename>
+        configuration file.  With this file, programs that are PAM aware will
+        not run unless a configuration file specifically for that application
+        is created.
+      </para>
 
 <screen role="root"><userinput>cat &gt; /etc/pam.d/other &lt;&lt; "EOF"
@@ -398 +406 @@
         The <application>PAM</application> man page (<command>man
         pam</command>) provides a good starting point for descriptions
-        of fields and allowable entries. The <ulink
-        url="http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_SAG.html">Linux-PAM
-        System Administrators' Guide</ulink> is recommended for additional
-        information.
-      </para>
-<!-- No longer there
-      <para>
-        Refer to <ulink url="&debian-pam-docs;/modules.html"/> for a list
-        of various third-party modules available.
-      </para>
--->
+        of fields and allowable entries. The
+        <ulink url="http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_SAG.html">
+          Linux-PAM System Administrators' Guide
+        </ulink> is recommended for additional information.
+      </para>
+
       <important>
         <para>

postlfs/security/make-ca.xml

@@ -58 +58 @@
     <itemizedlist spacing="compact">
       <listitem>
-        <para>Download (HTTP): <ulink url="&make-ca-download;"/></para>
-      </listitem>
-      <listitem>
-        <para>Download size: &make-ca-size;</para>
-      </listitem>
-      <listitem>
-        <para>Download MD5 Sum: &make-ca-md5sum;</para>
-      </listitem>
-      <listitem>
-        <para>Estimated disk space required: &make-ca-buildsize;</para>
-      </listitem>
-      <listitem>
-        <para>Estimated build time: &make-ca-time;</para>
+        <para>
+          Download (HTTP): <ulink url="&make-ca-download;"/>
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Download size: &make-ca-size;
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Download MD5 Sum: &make-ca-md5sum;
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Estimated disk space required: &make-ca-buildsize;
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Estimated build time: &make-ca-time;
+        </para>
       </listitem>
     </itemizedlist>
@@ -77 +87 @@
 
     <bridgehead renderas="sect4">Required</bridgehead>
-    <para role="required"><xref linkend="p11-kit"/> (required at runtime to
-    generate certificate stores from trust anchors)</para>
+    <para role="required">
+      <xref linkend="p11-kit"/> (required at runtime to
+      generate certificate stores from trust anchors)
+    </para>
     <!-- /usr/bin/trust is needed to extract the certs to /etc/ssl/certs -->
 
@@ -93 +105 @@
     <title>Installation of make-ca</title>
 
-    <para>The <application>make-ca</application> script will download and
-    process the certificates included in the <filename>certdata.txt</filename>
-    file for use as trust anchors for the <xref linkend="p11-kit"/> trust
-    module. Additionally, it will generate system certificate stores used by
-    BLFS applications (if the recommended and optional applications are present
-    on the system). Any local certificates stored in
-    <filename>/etc/ssl/local</filename> will be imported to both the trust
-    anchors and the generated certificate stores (overriding Mozilla's
-    trust). Additionally, any modified trust values will be copied from the
-    trust anchors to <filename>/etc/ssl/local</filename> prior to any updates,
-    preserving custom trust values that differ from Mozilla when using the
-    <command>trust</command> utility from <application>p11-kit</application>
-    to operate on the trust store.</para>
-
-    <para>To install the various certificate stores, first install the
-    <application>make-ca</application> script into the correct location.
-    As the <systemitem class="username">root</systemitem> user:</para>
+    <para>
+      The <application>make-ca</application> script will download and process
+      the certificates included in the <filename>certdata.txt</filename> file
+      for use as trust anchors for the <xref linkend="p11-kit"/> trust module.
+      Additionally, it will generate system certificate stores used by BLFS
+      applications (if the recommended and optional applications are present
+      on the system). Any local certificates stored in
+      <filename>/etc/ssl/local</filename> will be imported to both the trust
+      anchors and the generated certificate stores (overriding Mozilla's
+      trust). Additionally, any modified trust values will be copied from the
+      trust anchors to <filename>/etc/ssl/local</filename> prior to any
+      updates, preserving custom trust values that differ from Mozilla when
+      using the <command>trust</command> utility from
+      <application>p11-kit</application> to operate on the trust store.
+    </para>
+
+    <para>
+      To install the various certificate stores, first install the
+      <application>make-ca</application> script into the correct location.
+      As the <systemitem class="username">root</systemitem> user:
+    </para>
 
 <screen role="root"><userinput>make install &amp;&amp;
 install -vdm755 /etc/ssl/local</userinput></screen>
 
-   <para>As the <systemitem class="username">root</systemitem> user, after
-   installing <xref linkend="p11-kit"/>, download the certificate source and
-   prepare for system use with the following command:</para>
+   <para>
+     As the <systemitem class="username">root</systemitem> user, after
+     installing <xref linkend="p11-kit"/>, download the certificate source and
+     prepare for system use with the following command:
+   </para>
 
     <note>
-      <para>If running the script a second time with the same version of
-      <filename>certdata.txt</filename>, for instance, to add additional stores
-      as the requisite software is installed, add the <parameter>-r</parameter>
-      switch to the command line. If packaging, run <command>make-ca
-      --help</command> to see all available command line options.</para>
+      <para>
+        If running the script a second time with the same version of
+        <filename>certdata.txt</filename>, for instance, to add additional
+        stores as the requisite software is installed, add the
+        <parameter>-r</parameter> switch to the command line. If packaging,
+        run <command>make-ca --help</command> to see all available command
+        line options.
+      </para>
     </note>
 
 <screen role="root"><userinput>/usr/sbin/make-ca -g</userinput></screen>
 
-    <!-- Remove at 8.5 or 9.0 -->
-<!--    <para>Previous versions of BLFS used the path
-    <filename>/etc/ssl/ca-bundle.crt</filename> for the
-    <xref linkend="gnutls"/> certificate store. If software is still installed
-    that references this file, create a compatibility symlink for the old
-    location as the <systemitem class="username">root</systemitem> user:</para>
-
-<screen role="nodump"><userinput>ln -sfv /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/ca-bundle.crt</userinput></screen>
-   It's after 9.0 -->
-
-    <para>You should periodically update the store with the above command,
-    either manually, or via a <phrase revision="sysv">cron job.</phrase>
-    <phrase revision="systemd">systemd timer. A timer is installed at
-    <filename>/usr/lib/systemd/system/update-pki.timer</filename> that, if
-    enabled, will check for updates weekly. </phrase><phrase revision="sysv">If
-    you've installed <xref linkend="fcron"/> and completed the section on
-    periodic jobs, execute</phrase><phrase revision="systemd">Execute</phrase>
-    the following commands, as the
-    <systemitem class="username">root</systemitem> user, to
-    <phrase revision="sysv">create a weekly cron job:</phrase>
-    <phrase revision="systemd">enable the systemd timer:</phrase>
+    <para>
+      You should periodically update the store with the above command,
+      either manually, or via a <phrase revision="sysv">cron job.</phrase>
+      <phrase revision="systemd">systemd timer. A timer is installed at
+      <filename>/usr/lib/systemd/system/update-pki.timer</filename> that, if
+      enabled, will check for updates weekly.</phrase><phrase
+      revision="sysv">If you've installed <xref linkend="fcron"/> and
+      completed the section on periodic jobs, execute</phrase><phrase
+      revision="systemd">Execute</phrase> the following commands, as the
+      <systemitem class="username">root</systemitem> user, to <phrase
+      revision="sysv">create a weekly cron job:</phrase><phrase
+      revision="systemd">enable the systemd timer:</phrase>
     </para>
 
@@ -165 +177 @@
     <title>Configuring make-ca</title>
 
-    <para>For most users, no additional configuration is necessary, however,
-    the default <filename>certdata.txt</filename> file provided by make-ca
-    is obtained from the mozilla-release branch, and is modified to provide a
-    Mercurial revision. This will be the correct version for most systems.
-    There are several other variants of the file available for use that might
-    be preferred for one reason or another, including the files shipped with
-    Mozilla products in this book. RedHat and OpenSUSE, for instance, use the
-    version included in <xref linkend="nss"/>. Additional upstream downloads
-    are available at the links included in
-    <filename>/etc/make-ca.conf.dist</filename>. Simply copy the file to
-    <filename>/etc/make-ca.conf</filename> and edit as appropriate.</para>
+    <para>
+      For most users, no additional configuration is necessary, however,
+      the default <filename>certdata.txt</filename> file provided by make-ca
+      is obtained from the mozilla-release branch, and is modified to provide a
+      Mercurial revision. This will be the correct version for most systems.
+      There are several other variants of the file available for use that might
+      be preferred for one reason or another, including the files shipped with
+      Mozilla products in this book. RedHat and OpenSUSE, for instance, use the
+      version included in <xref linkend="nss"/>. Additional upstream downloads
+      are available at the links included in
+      <filename>/etc/make-ca.conf.dist</filename>. Simply copy the file to
+      <filename>/etc/make-ca.conf</filename> and edit as appropriate.
+    </para>
 
     <indexterm zone="make-ca make-ca-config">
@@ -183 +197 @@
     <bridgehead renderas="sect3">About Trust Arguments</bridgehead>
 
-    <para>There are three trust types that are recognized by the
-    <application>make-ca</application> script, SSL/TLS, S/Mime, and code
-    signing. For <application>OpenSSL</application>, these are
-    <parameter>serverAuth</parameter>, <parameter>emailProtection</parameter>,
-    and <parameter>codeSigning</parameter> respectively. If one of the three
-    trust arguments is omitted, the certificate is neither trusted, nor
-    rejected for that role. Clients that use <application>OpenSSL</application>
-    or <application>NSS</application> encountering this certificate will
-    present a warning to the user. Clients using
-    <application>GnuTLS</application> without
-    <application>p11-kit</application> support are not aware of trusted
-    certificates. To include this CA into the
-    <filename>ca-bundle.crt</filename>,
-    <filename>email-ca-bundle.crt</filename>, or
-    <filename>objsign-ca-bundle.crt</filename> files
-    (the <application>GnuTLS</application> legacy bundles), it must have the
-    appropriate trust arguments.</para>
+    <para>
+      There are three trust types that are recognized by the
+      <application>make-ca</application> script, SSL/TLS, S/Mime, and code
+      signing. For <application>OpenSSL</application>, these are
+      <parameter>serverAuth</parameter>,
+      <parameter>emailProtection</parameter>, and
+      <parameter>codeSigning</parameter> respectively. If one of the three
+      trust arguments is omitted, the certificate is neither trusted, nor
+      rejected for that role. Clients that use
+      <application>OpenSSL</application> or <application>NSS</application>
+      encountering this certificate will present a warning to the user.
+      Clients using
+      <application>GnuTLS</application> without
+      <application>p11-kit</application> support are not aware of trusted
+      certificates. To include this CA into the
+      <filename>ca-bundle.crt</filename>,
+      <filename>email-ca-bundle.crt</filename>, or
+      <filename>objsign-ca-bundle.crt</filename> files
+      (the <application>GnuTLS</application> legacy bundles), it must have the
+      appropriate trust arguments.
+    </para>
 
     <bridgehead renderas="sect3">Adding Additional CA Certificates</bridgehead>
 
-    <para>The <filename class="directory">/etc/ssl/local</filename> directory
-    is available to add additional CA certificates to the system. For instance,
-    you might need to add an organization or government CA certificate.
-    Files in this directory must be in the <application>OpenSSL</application>
-    trusted certificate format. To create an <application>OpenSSL</application>
-    trusted certificate from a regular PEM encoded file, you need to add trust
-    arguments to the <command>openssl</command> command, and create a new
-    certificate. For example, using the
-    <ulink url="http://www.cacert.org/">CAcert</ulink> roots, if you want to
-    trust both for all three roles, the following commands will create
-    appropriate OpenSSL trusted certificates (run as the
-    <systemitem class="username">root</systemitem> user after
-    <xref linkend="wget"/> is installed):</para>
+    <para>
+      The <filename class="directory">/etc/ssl/local</filename> directory
+      is available to add additional CA certificates to the system. For
+      instance, you might need to add an organization or government CA
+      certificate. Files in this directory must be in the
+      <application>OpenSSL</application> trusted certificate format. To
+      create an <application>OpenSSL</application> trusted certificate from
+      a regular PEM encoded file, you need to add trust arguments to the
+      <command>openssl</command> command, and create a new certificate. For
+      example, using the <ulink url="http://www.cacert.org/">CAcert</ulink>
+      roots, if you want to trust both for all three roles, the following
+      commands will create appropriate OpenSSL trusted certificates (run as
+      the <systemitem class="username">root</systemitem> user after <xref
+      linkend="wget"/> is installed):
+    </para>
 
 <screen role="nodump"><userinput>wget http://www.cacert.org/certs/root.crt &amp;&amp;
@@ -229 +249 @@
     <bridgehead renderas="sect3">Overriding Mozilla Trust</bridgehead>
 
-    <para>Occasionally, there may be instances where you don't agree with
-    Mozilla's inclusion of a particular certificate authority. If you'd like
-    to override the default trust of a particular CA, simply create a copy of
-    the existing certificate in
-    <filename class="directory">/etc/ssl/local</filename> with different trust
-    arguments. For example, if you'd like to distrust the "Makebelieve_CA_Root"
-    file, run the following commands:</para>
+    <para>
+      Occasionally, there may be instances where you don't agree with
+      Mozilla's inclusion of a particular certificate authority. If you'd like
+      to override the default trust of a particular CA, simply create a copy of
+      the existing certificate in <filename
+      class="directory">/etc/ssl/local</filename> with different trust
+      arguments. For example, if you'd like to distrust the
+      "Makebelieve_CA_Root" file, run the following commands:
+    </para>
 
 <screen role="nodump"><userinput>openssl x509 -in /etc/ssl/certs/Makebelieve_CA_Root.pem \
@@ -271 +293 @@
         <term><command>make-ca</command></term>
         <listitem>
-          <para>is a shell script that adapts a current version of
-          <filename>certdata.txt</filename>, and prepares it for use
-          as the system trust store.</para>
+          <para>
+            is a shell script that adapts a current version of
+            <filename>certdata.txt</filename>, and prepares it for use
+            as the system trust store.
+          </para>
           <indexterm zone="make-ca make-ca">
             <primary sortas="b-make-ca">make-ca</primary>

postlfs/security/mitkrb.xml

@@ -469 +469 @@
 
     <title>Contents</title>
-    <para></para>
 
     <segmentedlist>

postlfs/security/nessus.xml

@@ -1 +1 @@
 <sect1 id="postlfs-security-nessus">
-<sect1info>
-<othername>$LastChangedBy$</othername>
-<date>$Date$</date>
-</sect1info>
-<?dbhtml filename="nessus.html"?>
-<title>nessus</title>
+  <?dbhtml filename="nessus.html"?>
 
-<para>TO BE WRITTEN - NEW</para>
+  <sect1info>
+    <othername>$LastChangedBy$</othername>
+    <date>$Date$</date>
+  </sect1info>
+
+  <title>nessus</title>
+
+  <para>
+    TO BE WRITTEN - NEW
+  </para>
 
 </sect1>

postlfs/security/nettle.xml

@@ -86 +86 @@
     <title>Installation of Nettle</title>
 
-    <para>Install <application>Nettle</application> by running the following
-    commands:</para>
+    <para>
+      Install <application>Nettle</application> by running the following
+      commands:
+    </para>
 
 <screen><userinput>./configure --prefix=/usr --disable-static &amp;&amp;

postlfs/security/nss.xml

@@ -213 +213 @@
     <title>Configuring NSS</title>
 
-    <para>If <xref linkend="p11-kit"/> is installed, the
-    <application>p11-kit</application> trust module
-    (<filename>/usr/lib/pkcs11/p11-kit-trust.so</filename>) can be used as a
-    drop-in replacement for <filename>/usr/lib/libnssckbi.so</filename> to
-    transparently make the system CAs available to
-    <application>NSS</application> aware applications, rather than the static
-    list provided by <filename>/usr/lib/libnssckbi.so</filename>. As the
-    <systemitem class="username">root</systemitem> user, execute the following
-    commands:</para>
+    <para>
+      If <xref linkend="p11-kit"/> is installed, the
+      <application>p11-kit</application> trust module
+      (<filename>/usr/lib/pkcs11/p11-kit-trust.so</filename>) can be used as a
+      drop-in replacement for <filename>/usr/lib/libnssckbi.so</filename> to
+      transparently make the system CAs available to
+      <application>NSS</application> aware applications, rather than the static
+      list provided by <filename>/usr/lib/libnssckbi.so</filename>. As the
+      <systemitem class="username">root</systemitem> user, execute the following
+      commands:
+    </para>
 
 <screen role="root"><userinput>ln -sfv ./pkcs11/p11-kit-trust.so /usr/lib/libnssckbi.so</userinput></screen>
 
-    <para>Additionally, for dependent applications that do not use the internal
-    database (<filename>/usr/lib/libnssckbi.so</filename>), the
-    <filename>/usr/sbin/make-ca</filename> script, included on the
-    <xref linkend="make-ca"/> page can generate a system wide NSS DB with the
-    <parameter>-n</parameter> switch, or by modifying the
-    <filename>/etc/make-ca.conf</filename> file.</para>
+    <para>
+      Additionally, for dependent applications that do not use the internal
+      database (<filename>/usr/lib/libnssckbi.so</filename>), the
+      <filename>/usr/sbin/make-ca</filename> script, included on the
+      <xref linkend="make-ca"/> page can generate a system wide NSS DB with the
+      <parameter>-n</parameter> switch, or by modifying the
+      <filename>/etc/make-ca.conf</filename> file.
+    </para>
 
   </sect2>

postlfs/security/p11-kit.xml

@@ -96 +96 @@
     <title>Installation of p11-kit</title>
 
-    <para>Prepare the distribution specific anchor hook:</para>
+    <para>
+      Prepare the distribution specific anchor hook:
+    </para>
 
 <screen><userinput>sed '20,$ d' -i trust/trust-extract-compat.in &amp;&amp;
@@ -158 +160 @@
     <title>Configuring p11-kit</title>
 
-    <para>The <application>p11-kit</application> trust module
-    (<filename>/usr/lib/pkcs11/p11-kit-trust.so</filename>) can be used as a
-    drop-in replacement for <filename>/usr/lib/libnssckbi.so</filename> to
-    transparently make the system CAs available to
-    <application>NSS</application> aware applications, rather than the static
-    list provided by <filename>/usr/lib/libnssckbi.so</filename>. As the
-    <systemitem class="username">root</systemitem> user, execute the following
-    commands:</para>
+    <para>
+      The <application>p11-kit</application> trust module
+      (<filename>/usr/lib/pkcs11/p11-kit-trust.so</filename>) can be used as a
+      drop-in replacement for <filename>/usr/lib/libnssckbi.so</filename> to
+      transparently make the system CAs available to
+      <application>NSS</application> aware applications, rather than the static
+      list provided by <filename>/usr/lib/libnssckbi.so</filename>. As the
+      <systemitem class="username">root</systemitem> user, execute the
+      following commands:
+    </para>
 
 <screen role="root"><userinput>ln -sfv ./pkcs11/p11-kit-trust.so /usr/lib/libnssckbi.so</userinput></screen>
@@ -207 +211 @@
           <para>
             is a command line tool that can be used to perform operations
-             on PKCS#11 modules configured on the system.
+            on PKCS#11 modules configured on the system.
           </para>
           <indexterm zone="p11-kit p11-kit-prog">
@@ -234 +238 @@
             is a command line tool to both extract local certificates from an
             updated anchor store, and regenerate all anchors and certificate
-                 stores on the system. This is done unconditionally on BLFS using
+            stores on the system. This is done unconditionally on BLFS using
             the <parameter>--force</parameter> and <parameter>--get</parameter>
             flags to <command>make-ca</command> and should likely not be used

postlfs/security/security.xml

@@ -16 +16 @@
   <title>Security</title>
 
-  <para>Security takes many forms in a computing environment. After some
-  initial discussion, this chapter
-  gives examples of three different types of security: access, prevention
-  and detection.</para>
+  <para>
+    Security takes many forms in a computing environment. After some
+    initial discussion, this chapter
+    gives examples of three different types of security: access, prevention
+    and detection.
+  </para>
 
-  <para>Access for users is usually handled by <command>login</command> or an
-  application designed to handle the login function.  In this chapter, we show
-  how to enhance <command>login</command> by setting policies with
-  <application>PAM</application> modules.  Access via networks
-  can also be secured by policies set by <application>iptables</application>,
-  commonly referred to as a firewall. The Network Security Services (NSS) and
-  Netscape Portable Runtime (NSPR) libraries can be installed and shared among
-  the many applications requiring them. For applications that don't offer the
-  best security, you can use the <application>Stunnel</application> package to
-  wrap an application daemon inside an SSL tunnel.</para>
+  <para>
+    Access for users is usually handled by <command>login</command> or an
+    application designed to handle the login function. In this chapter, we show
+    how to enhance <command>login</command> by setting policies with
+    <application>PAM</application> modules.  Access via networks can also be
+    secured by policies set by <application>iptables</application>, commonly
+    referred to as a firewall. The Network Security Services (NSS) and
+    Netscape Portable Runtime (NSPR) libraries can be installed and shared
+    among the many applications requiring them. For applications that don't
+    offer the best security, you can use the
+    <application>Stunnel</application> package to wrap an application daemon
+    inside an SSL tunnel.
+  </para>
 
-  <para>Prevention of breaches, like a trojan, are assisted by applications like
-  <application>GnuPG</application>, specifically the ability to confirm signed
-  packages, which recognizes modifications of the tarball
-  after the packager creates it.</para>
+  <para>
+    Prevention of breaches, like a trojan, are assisted by applications like
+    <application>GnuPG</application>, specifically the ability to confirm
+    signed packages, which recognizes modifications of the tarball
+    after the packager creates it.
+  </para>
 
-  <para> Finally, we touch on detection with a package that stores "signatures"
-  of critical files (defined by the administrator) and then regenerates those
-  "signatures" and compares for files that have been changed.</para>
+  <para>
+    Finally, we touch on detection with a package that stores "signatures"
+    of critical files (defined by the administrator) and then regenerates those
+    "signatures" and compares for files that have been changed.
+  </para>
 
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="vulnerabilities.xml"/>

postlfs/security/shadow.xml

@@ -474 +474 @@
 done</userinput></screen>
 
-        <para revision="systemd">Because the installation of
-        <application>systemd</application> is not yet complete, you will need
-        to remove the <filename>/run/nologin</filename> file before testing the
-        installation. Execute the following command as the
-        <systemitem class="username">root</systemitem> user:</para>
+        <para revision="systemd">
+          Because the installation of <application>systemd</application> is
+          not yet complete, you will need to remove the
+          <filename>/run/nologin</filename> file before testing the
+          installation. Execute the following command as the
+          <systemitem class="username">root</systemitem> user:
+        </para>
 
 <screen role="root" revision="systemd"><userinput>rm -f /run/nologin</userinput></screen>

postlfs/security/stunnel.xml

@@ -33 +33 @@
     <title>Introduction to stunnel</title>
 
-    <para>The <application>stunnel</application> package contains a program
-    that allows you to encrypt arbitrary TCP connections inside SSL (Secure
-    Sockets Layer) so you can easily communicate with clients over secure
-    channels. <application>stunnel</application> can be used to add SSL
-    functionality to commonly used <application>Inetd</application> daemons
-    such as POP-2, POP-3, and IMAP servers, along with standalone daemons such
-    as NNTP, SMTP, and HTTP. <application>stunnel</application> can also be
-    used to tunnel PPP over network sockets without changes to the server
-    package source code.</para>
+    <para>
+      The <application>stunnel</application> package contains a program
+      that allows you to encrypt arbitrary TCP connections inside SSL (Secure
+      Sockets Layer) so you can easily communicate with clients over secure
+      channels. <application>stunnel</application> can be used to add SSL
+      functionality to commonly used <application>Inetd</application> daemons
+      such as POP-2, POP-3, and IMAP servers, along with standalone daemons
+      such as NNTP, SMTP, and HTTP. <application>stunnel</application> can
+      also be used to tunnel PPP over network sockets without changes to the
+      server package source code.
+    </para>
 
     &lfs91_checked;
@@ -48 +50 @@
     <itemizedlist spacing="compact">
       <listitem>
-        <para>Download (HTTP): <ulink url="&stunnel-download-http;"/></para>
-      </listitem>
-      <listitem>
-        <para>Download (FTP): <ulink url="&stunnel-download-ftp;"/></para>
-      </listitem>
-      <listitem>
-        <para>Download MD5 sum: &stunnel-md5sum;</para>
-      </listitem>
-      <listitem>
-        <para>Download size: &stunnel-size;</para>
-      </listitem>
-      <listitem>
-        <para>Estimated disk space required: &stunnel-buildsize;</para>
-      </listitem>
-      <listitem>
-        <para>Estimated build time: &stunnel-time;</para>
+        <para>
+          Download (HTTP): <ulink url="&stunnel-download-http;"/>
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Download (FTP): <ulink url="&stunnel-download-ftp;"/>
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Download MD5 sum: &stunnel-md5sum;
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Download size: &stunnel-size;
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Estimated disk space required: &stunnel-buildsize;
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Estimated build time: &stunnel-time;
+        </para>
       </listitem>
     </itemizedlist>
@@ -71 +85 @@
     <bridgehead renderas="sect4">Optional</bridgehead>
     <para role="optional">
-      <ulink url="http://netcat.sourceforge.net/">netcat</ulink> (required for tests),
-      <ulink url="ftp://ftp.porcupine.org/pub/security/">tcpwrappers</ulink> and
+      <ulink url="http://netcat.sourceforge.net/">netcat</ulink>
+      (required for tests),
+      <ulink url="ftp://ftp.porcupine.org/pub/security/">tcpwrappers</ulink>,
+      and
       <ulink url="https://dist.torproject.org/">TOR</ulink>
     </para>
@@ -84 +100 @@
     <title>Installation of stunnel</title>
 
-    <para>The <command>stunnel</command> daemon will be run in a
-    <command>chroot</command> jail by an unprivileged user. Create the
-    new user and group using the following commands as the
-    <systemitem class="username">root</systemitem> user:</para>
+    <para>
+      The <command>stunnel</command> daemon will be run in a
+      <command>chroot</command> jail by an unprivileged user. Create the
+      new user and group using the following commands as the
+      <systemitem class="username">root</systemitem> user:
+    </para>
 
 <screen role="root"><userinput>groupadd -g 51 stunnel &amp;&amp;
@@ -94 +112 @@
 
     <note>
-      <para>A signed SSL Certificate and a Private Key is necessary to run the
-      <command>stunnel</command> daemon. After the package is installed, there
-      are instructions to generate them. However, if you own or have already
-      created a signed SSL Certificate you wish to use, copy it to
-      <filename>/etc/stunnel/stunnel.pem</filename> before starting the build
-      (ensure only <systemitem class="username">root</systemitem> has read and
-      write access).  The <filename class="extension">.pem</filename> file must
-      be formatted as shown below:</para>
+      <para>
+        A signed SSL Certificate and a Private Key is necessary to run the
+        <command>stunnel</command> daemon. After the package is installed,
+        there are instructions to generate them. However, if you own or have
+        already created a signed SSL Certificate you wish to use, copy it to
+        <filename>/etc/stunnel/stunnel.pem</filename> before starting the
+        build (ensure only <systemitem class="username">root</systemitem> has
+        read and write access). The <filename class="extension">.pem</filename>
+        file must be formatted as shown below:
+      </para>
 
 <screen><literal>-----BEGIN PRIVATE KEY-----
@@ -112 +132 @@
 <replaceable>&lt;encrypted lines of dh parms&gt;</replaceable>
 -----END DH PARAMETERS-----</literal></screen>
+
     </note>
 
-    <para>Install <application>stunnel</application> by running the following
-    commands:</para>
+    <para>
+      Install <application>stunnel</application> by running the following
+      commands:
+    </para>
 
     <note>
-      <para>For some systems with <application>binutils</application>
-      versions prior to 2.25, <command>configure</command> may fail.  If
-      necessary, fix it either with:</para>
+      <para>
+        For some systems with <application>binutils</application>
+        versions prior to 2.25, <command>configure</command> may fail.  If
+        necessary, fix it either with:
+      </para>
 
 <screen><userinput>sed -i '/LDFLAGS.*static_flag/ s/^/#/' configure</userinput></screen>
 
-      <para>or, if <xref linkend="llvm"/> with Clang is installed, you can
-      replace <command>./configure ...</command> with <command>CC=clang
-      ./configure ...</command> in the first command below.</para>
+      <para>
+        or, if <xref linkend="llvm"/> with Clang is installed, you can
+        replace <command>./configure ...</command> with <command>CC=clang
+        ./configure ...</command> in the first command below.
+      </para>
     </note>
 
@@ -140 +167 @@
 make</userinput></screen>
 
-    <para>If you have installed the optional netcat application, the
-    regression tests can be run with <command>make check</command>.</para>
-
-    <para>Now, as the <systemitem class="username">root</systemitem> user:</para>
+    <para>
+      If you have installed the optional netcat application, the
+      regression tests can be run with <command>make check</command>.
+    </para>
+
+    <para>
+      Now, as the <systemitem class="username">root</systemitem> user:
+    </para>
 
 <screen role="root"><userinput>make docdir=/usr/share/doc/stunnel-&stunnel-version; install</userinput></screen>
@@ -154 +185 @@
 <screen role="root" revision="systemd"><userinput>install -v -m644 tools/stunnel.service /lib/systemd/system</userinput></screen>
 
-    <para>If you do not already have a signed SSL Certificate and Private Key,
-    create the <filename>stunnel.pem</filename> file in the
-    <filename class="directory">/etc/stunnel</filename> directory using the
-    command below. You will be prompted to enter the necessary
-    information. Ensure you reply to the</para>
+    <para>
+      If you do not already have a signed SSL Certificate and Private Key,
+      create the <filename>stunnel.pem</filename> file in the
+      <filename class="directory">/etc/stunnel</filename> directory using the
+      command below. You will be prompted to enter the necessary
+      information. Ensure you reply to the
+    </para>
 
 <screen><prompt>Common Name (FQDN of your server) [localhost]:</prompt></screen>
 
-    <para>prompt with the name or IP address you will be using
-    to access the service(s).</para>
-
-    <para>To generate a certificate, as the
-    <systemitem class="username">root</systemitem> user, issue:</para>
+    <para>
+      prompt with the name or IP address you will be using
+      to access the service(s).
+    </para>
+
+    <para>
+      To generate a certificate, as the
+      <systemitem class="username">root</systemitem> user, issue:
+    </para>
 
 <screen role="root"><userinput>make cert</userinput></screen>
@@ -175 +212 @@
     <title>Command Explanations</title>
 
-    <para revision="sysv"><parameter>--disable-systemd</parameter>: This switch
-    disables systemd socket activation support which is not available in
-    BLFS.</para>
-
-    <para><command>make docdir=... install</command>: This command installs the
-    package and changes the documentation installation directory to standard
-    naming conventions.</para>
+    <para revision="sysv">
+      <parameter>--disable-systemd</parameter>: This switch disables systemd
+      socket activation support which is not available in BLFS.
+    </para>
+
+    <para>
+      <command>make docdir=... install</command>: This command installs the
+      package and changes the documentation installation directory to standard
+      naming conventions.
+    </para>
 
   </sect2>
@@ -191 +231 @@
       <title>Config Files</title>
 
-      <para><filename>/etc/stunnel/stunnel.conf</filename></para>
+      <para>
+        <filename>/etc/stunnel/stunnel.conf</filename>
+      </para>
 
       <indexterm zone="stunnel stunnel-config">
@@ -202 +244 @@
       <title>Configuration Information</title>
 
-      <para>As the <systemitem class="username">root</systemitem> user,
-      create the directory used for the
-      <filename class="extension">.pid</filename> file created
-      when the <application>stunnel</application> daemon starts:</para>
+      <para>
+        As the <systemitem class="username">root</systemitem> user,
+        create the directory used for the
+        <filename class="extension">.pid</filename> file created
+        when the <application>stunnel</application> daemon starts:
+      </para>
 
 <screen role="root"><userinput>install -v -m750 -o stunnel -g stunnel -d /var/lib/stunnel/run &amp;&amp;
 chown stunnel:stunnel /var/lib/stunnel</userinput></screen>
 
-      <para>Next, create a basic <filename>/etc/stunnel/stunnel.conf</filename>
-      configuration file using the following commands as the
-      <systemitem class="username">root</systemitem> user:</para>
+      <para>
+        Next, create a basic <filename>/etc/stunnel/stunnel.conf</filename>
+        configuration file using the following commands as the
+        <systemitem class="username">root</systemitem> user:
+      </para>
 
 <screen role="root"><userinput>cat &gt;/etc/stunnel/stunnel.conf &lt;&lt; "EOF" 
@@ -239 +285 @@
 EOF</userinput></screen>
 
-      <para>Finally, add the service(s) you wish to encrypt to the
-      configuration file. The format is as follows:</para>
+      <para>
+        Finally, add the service(s) you wish to encrypt to the
+        configuration file. The format is as follows:
+      </para>
 
 <screen><literal>[<replaceable>&lt;service&gt;</replaceable>]
@@ -246 +294 @@
 connect = <replaceable>&lt;hostname:portnumber&gt;</replaceable></literal></screen>
 
-      <para>If you use <application>stunnel</application> to encrypt a daemon
-      started from <command>[x]inetd</command>, you may need to disable that
-      daemon in the <filename>/etc/[x]inetd.conf</filename> file and enable a
-      corresponding <replaceable>&lt;service&gt;</replaceable>_stunnel service. You
-      may have to add an appropriate entry in <filename>/etc/services</filename>
-      as well.</para>
-
-      <para>For a full explanation of the commands and syntax used in the
-      configuration file, issue <command>man stunnel</command>.</para>
+      <para>
+        If you use <application>stunnel</application> to encrypt a daemon
+        started from <command>[x]inetd</command>, you may need to disable that
+        daemon in the <filename>/etc/[x]inetd.conf</filename> file and enable a
+        corresponding <replaceable>&lt;service&gt;</replaceable>_stunnel
+        service. You may have to add an appropriate entry in
+        <filename>/etc/services</filename> as well.
+      </para>
+
+      <para>
+        For a full explanation of the commands and syntax used in the
+        configuration file, issue <command>man stunnel</command>.
+      </para>
 
     </sect3>
@@ -262 +314 @@
              <phrase revision="systemd">Systemd Unit</phrase></title>
 
-      <para revision="sysv">To automatically start the
-      <command>stunnel</command> daemon when the system is booted, install the
-      <filename>/etc/rc.d/init.d/stunnel</filename> bootscript from the
-      <xref linkend="bootscripts"/> package.</para>
-
-      <para revision="systemd">To start the <command>stunnel</command>
-      daemon at boot, enable the previously installed
-      <application>systemd</application> unit by running the following command
-     as the <systemitem class="username">root</systemitem> user:</para>
+      <para revision="sysv">
+        To automatically start the <command>stunnel</command> daemon when the
+        system is booted, install the
+        <filename>/etc/rc.d/init.d/stunnel</filename> bootscript from the
+        <xref linkend="bootscripts"/> package.
+      </para>
+
+      <para revision="systemd">
+        To start the <command>stunnel</command>
+        daemon at boot, enable the previously installed
+        <application>systemd</application> unit by running the following
+        command as the <systemitem class="username">root</systemitem> user:
+      </para>
 
       <indexterm zone="stunnel stunnel-init">
@@ -314 +370 @@
         <term><command>stunnel</command></term>
         <listitem>
-          <para> is a program designed to work as an SSL
-          encryption wrapper between remote clients and local
-          (<command>{x}inetd</command>-startable) or remote servers.</para>
+          <para>
+            is a program designed to work as an SSL
+            encryption wrapper between remote clients and local
+            (<command>{x}inetd</command>-startable) or remote servers.
+          </para>
           <indexterm zone="stunnel stunnel-prog">
             <primary sortas="b-stunnel">stunnel</primary>
@@ -326 +384 @@
         <term><command>stunnel3</command></term>
         <listitem>
-          <para>is a <application>Perl</application> wrapper script to use
-          <command>stunnel</command> 3.x syntax with <command>stunnel</command>
-          >=4.05.</para>
+          <para>
+            is a <application>Perl</application> wrapper script to use
+            <command>stunnel</command> 3.x syntax with
+            <command>stunnel</command> 4.05 or later.
+          </para>
           <indexterm zone="stunnel stunnel3">
             <primary sortas="b-stunnel3">stunnel3</primary>
@@ -338 +398 @@
         <term><filename class='libraryfile'>libstunnel.so</filename></term>
         <listitem>
-          <para> contains the API functions required by
-          <application>stunnel</application>.</para>
+          <para>
+            contains the API functions required by
+            <application>stunnel</application>.
+          </para>
           <indexterm zone="stunnel libstunnel">
             <primary sortas="c-libstunnel">libstunnel.so</primary>

postlfs/security/syslog.xml

@@ -1 +1 @@
 <sect1 id="postlfs-security-syslog">
-<sect1info>
-<othername>$LastChangedBy$</othername>
-<date>$Date$</date>
-</sect1info>
-<?dbhtml filename="syslog.html"?>
-<title>Configuring syslog</title>
+  <?dbhtml filename="syslog.html"?>
+  <sect1info>
+    <othername>$LastChangedBy$</othername>
+    <date>$Date$</date>
+  </sect1info>
 
-<para>TO BE WRITTEN - NEW</para>
+  <title>Configuring syslog</title>
+
+  <para>
+    TO BE WRITTEN - NEW
+  </para>
 
 </sect1>

postlfs/security/tripwire.xml

@@ -30 +30 @@
     <title>Introduction to Tripwire</title>
 
-    <para>The <application>Tripwire</application> package contains programs
-    used to verify the integrity of the files on a given system.</para>
+    <para>
+      The <application>Tripwire</application> package contains programs
+      used to verify the integrity of the files on a given system.
+    </para>
 
     &lfs91_checked;
@@ -38 +40 @@
     <itemizedlist spacing="compact">
       <listitem>
-        <para>Download (HTTP): <ulink url="&tripwire-download-http;"/></para>
-      </listitem>
-      <listitem>
-        <para>Download (FTP): <ulink url="&tripwire-download-ftp;"/></para>
-      </listitem>
-      <listitem>
-        <para>Download MD5 sum: &tripwire-md5sum;</para>
-      </listitem>
-      <listitem>
-        <para>Download size: &tripwire-size;</para>
-      </listitem>
-      <listitem>
-        <para>Estimated disk space required: &tripwire-buildsize;</para>
-      </listitem>
-      <listitem>
-        <para>Estimated build time: &tripwire-time;</para>
+        <para>
+          Download (HTTP): <ulink url="&tripwire-download-http;"/>
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Download (FTP): <ulink url="&tripwire-download-ftp;"/>
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Download MD5 sum: &tripwire-md5sum;
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Download size: &tripwire-size;
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Estimated disk space required: &tripwire-buildsize;
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Estimated build time: &tripwire-time;
+        </para>
       </listitem>
     </itemizedlist>
-<!--
-    <note>
-      <para>
-        The <application>tripwire</application> source tarball shown above
-        downloads with the correct name, tripwire-open-source-&tripwire-version;.tar.gz,
-        if using a browser such as Firefox. If you prefer to use a command line
-        program such as wget, you normally would obtain
-        &tripwire-version;.tar.gz. To obtain this package with the proper
-        filename, run:
-
-<screen><userinput>wget -c https://github.com/Tripwire/tripwire-open-source/archive/&tripwire-version;.tar.gz \
-     -O tripwire-open-source-&tripwire-version;.tar.gz</userinput></screen>.
-      </para>
-    </note>
--->
+
     <bridgehead renderas="sect3">Tripwire Dependencies</bridgehead>
 <!--
     <bridgehead renderas="sect4">Recommended</bridgehead>
-    <para role="recommended"><xref linkend="openssl"/></para>
+    <para role="recommended">
+      <xref linkend="openssl"/>
+    </para>
 -->
 
     <bridgehead renderas="sect4">Optional</bridgehead>
-    <para role="optional">An <xref linkend="server-mail"/></para>
+    <para role="optional">
+      An <xref linkend="server-mail"/>
+    </para>
 
     <para condition="html" role="usernotes">User Notes:
@@ -88 +92 @@
     <title>Installation of Tripwire</title>
 
-    <para>Compile <application>Tripwire</application> by running the following
-    commands:</para>
+    <para>
+      Compile <application>Tripwire</application> by running the following
+      commands:
+    </para>
 
 <screen><userinput>sed -e '/^CLOBBER/s/false/true/'         \
@@ -106 +112 @@
 make</userinput></screen>
 
-    <note><para>The default configuration is to use a local MTA. If
-    you don't have an MTA installed and have no wish to install
-    one, modify <filename>install/install.cfg</filename> to use an SMTP
-    server instead.  Otherwise the install will fail.</para></note>
-
-    <para>This package does not come with a test suite.</para>
-
-    <para>Now, as the <systemitem class="username">root</systemitem> user:</para>
+    <note>
+      <para>
+        The default configuration is to use a local MTA. If
+        you don't have an MTA installed and have no wish to install
+        one, modify <filename>install/install.cfg</filename> to use an SMTP
+        server instead.  Otherwise the install will fail.
+      </para>
+    </note>
+
+    <para>
+      This package does not come with a test suite.
+    </para>
+
+    <para>
+      Now, as the <systemitem class="username">root</systemitem> user:
+    </para>
 
 <screen role="root"><userinput>make install &amp;&amp;
@@ -183 +197 @@
       <title>Config Files</title>
 
-      <para><filename>/etc/tripwire/*</filename></para>
+      <para>
+        <filename>/etc/tripwire/*</filename>
+      </para>
 
       <indexterm zone="tripwire tripwire-config">
@@ -194 +210 @@
       <title>Configuration Information</title>
 
-      <para><application>Tripwire</application> uses a policy file to
-      determine which files are integrity checked. The default policy
-      file (<filename>/etc/tripwire/twpol.txt</filename>) is for a
-      default installation and will need to be updated for your
-      system.</para>
-
-      <para>Policy files should be tailored to each individual distribution
-      and/or installation. Some example policy files can be found in <filename
-      class="directory">/usr/share/doc/tripwire/</filename>.</para>
-
-      <para>If desired, copy the policy file you'd like to try into <filename
-      class="directory">/etc/tripwire/</filename> instead of using the default
-      policy file, <filename>twpol.txt</filename>.  It is, however, recommended
-      that you edit your policy file. Get ideas from the examples above and
-      read <filename>/usr/share/doc/tripwire/policyguide.txt</filename> for
-      additional information. <filename>twpol.txt</filename> is a good policy
-      file for learning about <application>Tripwire</application> as it will
-      note any changes to the file system and can even be used as an annoying
-      way of keeping track of changes for uninstallation of software.</para>
-
-      <para>After your policy file has been edited to your satisfaction you may
-      begin the configuration steps (perform as the <systemitem
-      class='username'>root</systemitem>) user:</para>
+      <para>
+        <application>Tripwire</application> uses a policy file to
+        determine which files are integrity checked. The default policy
+        file (<filename>/etc/tripwire/twpol.txt</filename>) is for a
+        default installation and will need to be updated for your
+        system.
+      </para>
+
+      <para>
+        Policy files should be tailored to each individual distribution and/or
+        installation. Some example policy files can be found in <filename
+        class="directory">/usr/share/doc/tripwire/</filename>.
+      </para>
+
+      <para>
+        If desired, copy the policy file you'd like to try into <filename
+        class="directory">/etc/tripwire/</filename> instead of using the
+        default policy file, <filename>twpol.txt</filename>.  It is, however,
+        recommended that you edit your policy file. Get ideas from the
+        examples above and read
+        <filename>/usr/share/doc/tripwire/policyguide.txt</filename> for
+        additional information. <filename>twpol.txt</filename> is a good
+        policy file for learning about <application>Tripwire</application>
+        as it will note any changes to the file system and can even be used
+        as an annoying way of keeping track of changes for uninstallation of
+        software.
+      </para>
+
+      <para>
+        After your policy file has been edited to your satisfaction you may
+        begin the configuration steps (perform as the <systemitem
+        class='username'>root</systemitem>) user:
+      </para>
 
 <screen role="root"><userinput>twadmin --create-polfile --site-keyfile /etc/tripwire/site.key \
@@ -222 +248 @@
 tripwire --init</userinput></screen>
 
-    <para>Depending on your system and the contents of the policy file, the
-    initialization phase above can take a relatively long time.</para>
+      <para>
+        Depending on your system and the contents of the policy file, the
+        initialization phase above can take a relatively long time.
+      </para>
 
     </sect3>
@@ -230 +258 @@
       <title>Usage Information</title>
 
-      <para><application>Tripwire</application> will identify file changes in
-      the critical system files specified in the policy file.  Using
-      <application>Tripwire</application> while making frequent changes to
-      these directories will flag all these changes.  It is most useful after a
-      system has reached a configuration that the user considers stable.</para>
-
-      <para>To use <application>Tripwire</application> after creating a policy
-      file to run a report, use the following command:</para>
+      <para>
+        <application>Tripwire</application> will identify file changes in
+        the critical system files specified in the policy file.  Using
+        <application>Tripwire</application> while making frequent changes to
+        these directories will flag all these changes.  It is most useful
+        after a system has reached a configuration that the user considers
+        stable.
+      </para>
+
+      <para>
+        To use <application>Tripwire</application> after creating a policy
+        file to run a report, use the following command:
+      </para>
 
 <screen role="root"><userinput>tripwire --check &gt; /etc/tripwire/report.txt</userinput></screen>
 
-      <para>View the output to check the integrity of your files. An automatic
-      integrity report can be produced by using a cron facility to schedule the
-      runs.</para>
-
-      <para>Reports are stored in binary and, if desired, encrypted.  View reports,
-      as the <systemitem class="username">root</systemitem> user, with:</para>
-
-<screen role="root"><userinput>twprint --print-report -r /var/lib/tripwire/report/<replaceable>&lt;report-name.twr&gt;</replaceable></userinput></screen>
-
-      <para>After you run an integrity check, you should examine the
-      report (or email) and then modify the <application>Tripwire</application>
-      database to reflect the changed files on your system. This is so that
-      <application>Tripwire</application> will not continually notify you that
-      files you intentionally changed are a security violation. To do this you
-      must first <command>ls -l /var/lib/tripwire/report/</command> and note
-      the name of the newest file which starts with your system name as
-      presented by the command <userinput>uname -n</userinput>
-      and ends in <filename>.twr</filename>. These files were created
-      during report creation and the most current one is needed to update the
-      <application>Tripwire</application> database of your system. As the
-      <systemitem class='username'>root</systemitem> user, type in the
-      following command making the appropriate report name:</para>
-
-<screen role="root"><userinput>tripwire --update --twrfile /var/lib/tripwire/report/<replaceable>&lt;report-name.twr&gt;</replaceable></userinput></screen>
-
-      <para>You will be placed into <application>Vim</application> with a copy
-      of the report in front of you. If all the changes were good, then just
-      type <command>:wq</command> and after entering your local key, the database
-      will be updated. If there are files which you still want to be warned
-      about, remove the 'x' before the filename in the report and type
-      <command>:wq</command>.</para>
-
-     <!-- 10-12-2013 bad URL and no good URL found
-      <para>A good summary of tripwire operations can be found at
-      <ulink url="http://va-holladays.no-ip.info:2200/tools/security-docs/tripwire-v1.0.pdf"/>.</para>
-     -->
+      <para>
+        View the output to check the integrity of your files. An automatic
+        integrity report can be produced by using a cron facility to schedule
+        the runs.
+      </para>
+
+      <para>
+        Reports are stored in binary and, if desired, encrypted.  View reports,
+        as the <systemitem class="username">root</systemitem> user, with:
+      </para>
+
+<screen role="nodump"><userinput>twprint --print-report -r /var/lib/tripwire/report/<replaceable>&lt;report-name.twr&gt;</replaceable></userinput></screen>
+
+      <para>
+        After you run an integrity check, you should examine the report (or
+        email) and then modify the <application>Tripwire</application> database
+        to reflect the changed files on your system. This is so that
+        <application>Tripwire</application> will not continually notify you 
+        hat files you intentionally changed are a security violation. To do
+        this you must first <command>ls -l /var/lib/tripwire/report/</command>
+        and note the name of the newest file which starts with your system
+        name as presented by the command <userinput>uname -n</userinput> and
+        ends in <filename>.twr</filename>. These files were created during
+        report creation and the most current one is needed to update the
+        <application>Tripwire</application> database of your system. As the
+        <systemitem class='username'>root</systemitem> user, type in the
+        following command making the appropriate report name:
+      </para>
+
+<screen role="nodump"><userinput>tripwire --update --twrfile /var/lib/tripwire/report/<replaceable>&lt;report-name.twr&gt;</replaceable></userinput></screen>
+
+      <para>
+        You will be placed into <application>Vim</application> with a copy
+        of the report in front of you. If all the changes were good, then just
+        type <command>:wq</command> and after entering your local key, the
+        database will be updated. If there are files which you still want to
+        be warned about, remove the 'x' before the filename in the report and
+        type <command>:wq</command>.
+      </para>
+
     </sect3>
 
@@ -282 +319 @@
       <title>Changing the Policy File</title>
 
-      <para>If you are unhappy with your policy file and would like to modify
-      it or use a new one, modify the policy file and then execute the following
-      commands as the <systemitem class='username'>root</systemitem> user:</para>
-
-<screen role="root"><userinput>twadmin --create-polfile /etc/tripwire/twpol.txt &amp;&amp;
+      <para>
+        If you are unhappy with your policy file and would like to modify it
+        or use a new one, modify the policy file and then execute the following
+        commands as the <systemitem class='username'>root</systemitem> user:
+      </para>
+
+<screen role="nodump"><userinput>twadmin --create-polfile /etc/tripwire/twpol.txt &amp;&amp;
 tripwire --init</userinput></screen>
 
@@ -317 +356 @@
         <term><command>siggen</command></term>
         <listitem>
-          <para>is a signature gathering utility that displays
-          the hash function values for the specified files.</para>
+          <para>
+            is a signature gathering utility that displays
+            the hash function values for the specified files.
+          </para>
           <indexterm zone="tripwire siggen">
             <primary sortas="b-siggen">siggen</primary>
@@ -328 +369 @@
         <term><command>tripwire</command></term>
         <listitem>
-          <para>is the main file integrity checking program.</para>
+          <para>
+            is the main file integrity checking program.
+          </para>
           <indexterm zone="tripwire tripwire">
             <primary sortas="b-tripwire">tripwire</primary>
@@ -338 +381 @@
         <term><command>twadmin</command></term>
         <listitem>
-          <para>administrative and utility tool used to perform
-          certain administrative functions related to
-          <application>Tripwire</application> files and configuration
-          options.</para>
+          <para>
+            administrative and utility tool used to perform
+            certain administrative functions related to
+            <application>Tripwire</application> files and configuration
+            options.
+          </para>
           <indexterm zone="tripwire twadmin">
             <primary sortas="b-twadmin">twadmin</primary>
@@ -351 +396 @@
         <term><command>twprint</command></term>
         <listitem>
-          <para>prints <application>Tripwire</application>
-          database and report files in clear text format.</para>
+          <para>
+            prints <application>Tripwire</application>
+            database and report files in clear text format.
+          </para>
           <indexterm zone="tripwire twprint">
             <primary sortas="b-twprint">twprint</primary>

postlfs/security/volume_key.xml

@@ -106 +106 @@
 
     <note>
-      <para>This package expands to the directory
-            volume_key-volume_key-&volume_key-version;.
+      <para>
+        This package expands to the directory
+        volume_key-volume_key-&volume_key-version;.
       </para>
     </note>

postlfs/security/vulnerabilities.xml

@@ -24 +24 @@
     <title>About vulnerabilities</title>
 
-    <para>All software has bugs. Sometimes, a bug can be exploited, for example
-    to allow users to gain enhanced privileges (perhaps gaining a root shell, or
-    simply accessing or deleting other user&apos;s files), or to allow a remote
-    site to crash an application (denial of service), or for theft of data. These
-    bugs are labelled as vulnerabilities.</para>
-
-    <para>The main place where vulnerabilities get logged is
-    <ulink url="http://cve.mitre.org">cve.mitre.org</ulink>.
-    Unfortunately, many vulnerability numbers (CVE-yyyy-nnnn) are initially only
-    labelled as "reserved" when distributions start issuing fixes.  Also, some
-    vulnerabilities apply to particular combinations of
-    <command>configure</command> options, or only apply to old versions of
-    packages which have long since been updated in BLFS.</para>
-
-    <para>BLFS differs from distributions - there is no BLFS security team, and
-    the editors only become aware of vulnerabilities after they are public
-    knowledge. Sometimes, a package with a vulnerability will not be updated in
-    the book for a long time.  Issues can be logged in the Trac system, which
-    might speed up resolution.</para>
-
-    <para>The normal way for BLFS to fix a vulnerability is, ideally, to update
-    the book to a new fixed release of the package.  Sometimes that happens even
-    before the vulnerability is public knowledge, so there is no guarantee that
-    it will be shown as a vulnerability fix in the Changelog. Alternatively, a
-    <command>sed</command> command, or a patch taken from a distribution, may be
-    appropriate.</para>
-
-    <para>The bottom line is that you are responsible for your own security, and
-    for assessing the potential impact of any problems.</para>
-
-    <para>To keep track of what is being discovered, you may wish to follow the
-    security announcements of one or more distributions.  For example, Debian has
-    <ulink url="http://www.debian.org/security">Debian security</ulink>.
-    Fedora's links on security are at
-    <ulink url="http://fedoraproject.org/wiki/Security">the Fedora wiki</ulink>.
-    Details of Gentoo linux security announcements are discussed at
-    <ulink url="https://security.gentoo.org">Gentoo security</ulink>.
-    Finally, the Slackware archives of security announcements are at
-    <ulink url="http://slackware.com/security">Slackware security</ulink>.
+    <para>
+      All software has bugs. Sometimes, a bug can be exploited, for example to
+      allow users to gain enhanced privileges (perhaps gaining a root shell,
+      or simply accessing or deleting other user&apos;s files), or to allow a
+      remote site to crash an application (denial of service), or for theft of
+      data. These bugs are labelled as vulnerabilities.
     </para>
 
-    <para>The most general English source is perhaps
-    <ulink url="http://seclists.org/fulldisclosure">the Full Disclosure Mailing
-    List</ulink>, but please read the comment on that page. If you use other
-    languages you may prefer other sites such as http://www.heise.de/security
-    <ulink url="http://www.heise.de/security">heise.de</ulink> (German) or
-    <ulink url="http://www.cert.hr">cert.hr</ulink> (Croatian). These are not
-    linux-specific. There is also a daily update at lwn.net for subscribers
-    (free access to the data after 2 weeks, but their vulnerabilities database at
-    <ulink url="http://lwn.net/Vulnerabilities/">lwn.net/Vulnerabilities</ulink>
-    is unrestricted).</para>
+    <para>
+      The main place where vulnerabilities get logged is
+      <ulink url="http://cve.mitre.org">cve.mitre.org</ulink>. Unfortunately,
+      many vulnerability numbers (CVE-yyyy-nnnn) are initially only labelled
+      as "reserved" when distributions start issuing fixes.  Also, some
+      vulnerabilities apply to particular combinations of
+      <command>configure</command> options, or only apply to old versions of
+      packages which have long since been updated in BLFS.
+    </para>
 
-    <para>For some packages, subscribing to their &apos;announce&apos; lists
-    will provide prompt news of newer versions.</para>
+    <para>
+      BLFS differs from distributions&mdash;there is no BLFS security team, and
+      the editors only become aware of vulnerabilities after they are public
+      knowledge. Sometimes, a package with a vulnerability will not be updated
+      in the book for a long time.  Issues can be logged in the Trac system,
+      which might speed up resolution.
+    </para>
+
+    <para>
+      The normal way for BLFS to fix a vulnerability is, ideally, to update
+      the book to a new fixed release of the package.  Sometimes that happens
+      even before the vulnerability is public knowledge, so there is no
+      guarantee that it will be shown as a vulnerability fix in the Changelog.
+      Alternatively, a <command>sed</command> command, or a patch taken from
+      a distribution, may be appropriate.
+    </para>
+
+    <para>
+      The bottom line is that you are responsible for your own security, and
+      for assessing the potential impact of any problems.
+    </para>
+
+    <para>
+      To keep track of what is being discovered, you may wish to follow the
+      security announcements of one or more distributions. For example, Debian
+      has <ulink url="http://www.debian.org/security">Debian security</ulink>.
+      Fedora's links on security are at <ulink
+        url="http://fedoraproject.org/wiki/Security">the Fedora wiki</ulink>.
+      Details of Gentoo linux security announcements are discussed at
+      <ulink url="https://security.gentoo.org">Gentoo security</ulink>.
+      Finally, the Slackware archives of security announcements are at
+      <ulink url="http://slackware.com/security">Slackware security</ulink>.
+    </para>
+
+    <para>
+      The most general English source is perhaps
+      <ulink url="http://seclists.org/fulldisclosure">the Full Disclosure
+      Mailing List</ulink>, but please read the comment on that page. If you
+      use other languages you may prefer other sites such as <ulink
+        url="http://www.heise.de/security">heise.de</ulink> (German) or <ulink
+        url="http://www.cert.hr">cert.hr</ulink> (Croatian). These are not
+      linux-specific. There is also a daily update at lwn.net for subscribers
+      (free access to the data after 2 weeks, but their vulnerabilities
+      database at <ulink
+        url="http://lwn.net/Vulnerabilities/">lwn.net/Vulnerabilities</ulink>
+      is unrestricted).
+    </para>
+
+    <para>
+      For some packages, subscribing to their &apos;announce&apos; lists
+      will provide prompt news of newer versions.
+    </para>
 
     <para condition="html" role="usernotes">User Notes: