Changeset 8558044 for postlfs/security
- Timestamp:
- 09/06/2021 05:42:49 PM (3 years ago)
- Branches:
- 11.1, 11.2, 11.3, 12.0, 12.1, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, lazarus, lxqt, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal
- Children:
- fef4473
- Parents:
- 7999839
- Location:
- postlfs/security
- Files:
- 19 edited
postlfs/security/cryptsetup.xml
r7999839 r8558044 31 31 <para> 32 32 cryptsetup is used to set up transparent encryption of block devices 33 using the kernel crypto API. 33 using the kernel crypto API. 34 34 </para> 35 35 … … 112 112 </para> 113 113 114 <screen><literal>Device Drivers ---> 114 <screen><literal>Device Drivers ---> 115 115 [*] Multiple devices driver support (RAID and LVM) ---> [CONFIG_MD] 116 116 <*/M> Device mapper support [CONFIG_BLK_DEV_DM] 117 117 <*/M> Crypt target support [CONFIG_DM_CRYPT] 118 118 119 Cryptographic API ---> 119 Cryptographic API ---> 120 120 <*/M> XTS support [CONFIG_CRYPTO_XTS] 121 121 <*/M> SHA224 and SHA256 digest algorithm [CONFIG_CRYPTO_SHA256] … … 137 137 <!-- No longer needed with 2.3.2 138 138 <para> 139 First, apply a patch to fix a build problem caused by API changes in 139 First, apply a patch to fix a build problem caused by API changes in 140 140 <xref role="nodep" linkend="json-c"/>: 141 141 </para> … … 156 156 class="username">root</systemitem> user: <command>make check</command>. 157 157 Some tests will fail if appropriate kernel configuration options are not 158 set. Some additional options that may be needed for tests are: 158 set. Some additional options that may be needed for tests are: 159 159 CONFIG_SCSI_LOWLEVEL, 160 160 CONFIG_SCSI_DEBUG, … … 174 174 CONFIG_CRYPTO_SERPENT_AVX_X86_64, 175 175 CONFIG_CRYPTO_SERPENT_AVX2_X86_64, and 176 CONFIG_CRYPTO_TWOFISH_X86_64. 177 <!--I still had 5 of 19 tests fail after adding the above crypto options in the 176 CONFIG_CRYPTO_TWOFISH_X86_64. 177 <!--I still had 5 of 19 tests fail after adding the above crypto options in the 178 178 kernel. bdubbs --> 179 179 </para> … … 224 224 </seg> 225 225 <seg> 226 None 226 None 227 227 </seg> 228 228 </seglistitem> -
postlfs/security/gnupg2.xml
r7999839 r8558044 236 236 <seglistitem> 237 237 <seg>addgnupghome, applygnupgdefaults, dirmngr, dirmngr-client, g13 238 (optional), gpg-agent, gpg-connect-agent, gpg, gpgconf, gpgparsemail, 239 gpgscm, gpgsm, gpgsplit, gpgtar, gpgv, gpg-wks-server, gpg-zip, kbxutil, 238 (optional), gpg-agent, gpg-connect-agent, gpg, gpgconf, gpgparsemail, 239 gpgscm, gpgsm, gpgsplit, gpgtar, gpgv, gpg-wks-server, gpg-zip, kbxutil, 240 240 <!--symcryptrun,--> and watchgnupg</seg> 241 241 <seg>None</seg> -
postlfs/security/gnutls.xml
r7999839 r8558044 110 110 <xref linkend="gtk-doc"/>, 111 111 <xref linkend="guile"/>, 112 <xref linkend="libidn"/> or 112 <xref linkend="libidn"/> or 113 113 <xref linkend="libidn2"/>, 114 114 <xref linkend="libseccomp"/>, -
postlfs/security/iptables.xml
r7999839 r8558044 81 81 (required for connlabel support), 82 82 <ulink url="https://netfilter.org/projects/libnetfilter_conntrack/">libnetfilter_conntrack</ulink> 83 (required for connlabel support), and 83 (required for connlabel support), and 84 84 <ulink url="https://netfilter.org/projects/nftables/">nftables</ulink> 85 85 </para> … … 638 638 639 639 </sect3> 640 640 641 641 <sect3 id="fw-busybox-ipt" xreflabel="Creating a BusyBox With iptables"> 642 642 <title>BusyBox</title> … … 853 853 <seglistitem> 854 854 <seg> 855 ip6tables, 855 ip6tables, 856 856 ip6tables-apply, 857 857 ip6tables-legacy, 858 858 ip6tables-legacy-restore, 859 859 ip6tables-legacy-save, 860 ip6tables-restore, 861 ip6tables-save, 862 iptables, 860 ip6tables-restore, 861 ip6tables-save, 862 iptables, 863 863 iptables-apply, 864 864 iptables-legacy, … … 866 866 iptables-legacy-apply, 867 867 iptables-restore, 868 iptables-save, 869 iptables-xml, 868 iptables-save, 869 iptables-xml, 870 870 nfsynproxy (optional), 871 871 and xtables-multi 872 872 </seg> 873 873 <seg> 874 libip4tc.so, 875 libip6tc.so, 876 libipq.so, 874 libip4tc.so, 875 libip6tc.so, 876 libipq.so, 877 877 libiptc.so, 878 878 and libxtables.so 879 879 </seg> 880 880 <seg> 881 /lib/xtables and 881 /lib/xtables and 882 882 /usr/include/libiptc 883 883 </seg> -
postlfs/security/libcap.xml
r7999839 r8558044 30 30 31 31 <para> 32 The <application>libcap</application> package was installed in 32 The <application>libcap</application> package was installed in 33 33 LFS, but if <application>Linux-PAM</application> support is desired, 34 34 the PAM module must be built (after installation of … … 144 144 <command>man 3 cap_from_text</command> for additional information. 145 145 </para> 146 146 147 147 </sect2> 148 148 -
postlfs/security/liboauth.xml
r7999839 r8558044 87 87 <bridgehead renderas="sect4">Required</bridgehead> 88 88 <para role="required"> 89 <xref linkend="curl"/> 89 <xref linkend="curl"/> 90 90 </para> 91 91 -
postlfs/security/libpwquality.xml
r7999839 r8558044 115 115 Now, as the <systemitem class="username">root</systemitem> user: 116 116 </para> 117 117 118 118 <screen role="root"><userinput>make install</userinput></screen> 119 119 … … 177 177 178 178 </sect2> 179 179 180 180 <sect2 role="content"> 181 181 <title>Contents</title> -
postlfs/security/linux-pam.xml
r7999839 r8558044 105 105 <xref linkend="db"/>, 106 106 <xref linkend="libnsl"/>, 107 <xref linkend="libtirpc"/>, 107 <xref linkend="libtirpc"/>, 108 108 <ulink url="https://github.com/linux-audit/audit-userspace">libaudit</ulink>, and 109 109 <ulink url="http://www.prelude-siem.org">Prelude</ulink> … … 313 313 314 314 <para> 315 Now set up some generic files. As the 315 Now set up some generic files. As the 316 316 <systemitem class="username">root</systemitem> user: 317 317 </para> -
postlfs/security/make-ca.xml
r7999839 r8558044 39 39 Certificate Authority (CA) that is trusted by the local machine. 40 40 </para> 41 41 42 42 <para> 43 43 Establishing trust with a CA involves validating things like company -
postlfs/security/mitkrb.xml
r7999839 r8558044 159 159 160 160 <para> 161 The first <command>sed</command> increases the width of the virtual 161 The first <command>sed</command> increases the width of the virtual 162 162 terminal used for some tests to prevent some spurious text in the output 163 163 which is taken as a failure. The second <command>sed</command> removes a … … 212 212 <!-- FIXME: Removed due to merged-/usr setup 213 213 <para> 214 <command>mv -v /usr/lib/libk... /lib </command> and 215 <command>ln -v -sf ../../lib/libk... /usr/lib/libk...</command>: 214 <command>mv -v /usr/lib/libk... /lib </command> and 215 <command>ln -v -sf ../../lib/libk... /usr/lib/libk...</command>: 216 216 Move critical libraries to the 217 217 <filename class="directory">/lib</filename> directory so that they are … … 221 221 222 222 <para> 223 <command>find /usr/lib -type f -name "lib$f*.so*" -exec chmod -v 755 {} \;</command>: 224 This command changes the permisison of installed libraries. 223 <command>find /usr/lib -type f -name "lib$f*.so*" -exec chmod -v 755 {} \;</command>: 224 This command changes the permisison of installed libraries. 225 225 </para> 226 226 … … 498 498 /usr/lib/krb5, 499 499 /usr/share/{doc/krb5-&mitkrb-version;,examples/krb5}, 500 /var/lib/krb5kdc, and 501 /run/krb5kdc 500 /var/lib/krb5kdc, and 501 /run/krb5kdc 502 502 </seg> 503 503 </seglistitem> -
postlfs/security/nss.xml
r7999839 r8558044 150 150 HOST=localhost DOMSUF=localdomain ./all.sh 151 151 cd ../</userinput></screen> 152 153 <note> 152 153 <note> 154 154 <para>Some information about the tests:</para> 155 155 <itemizedlist spacing="compact"> 156 156 <listitem> 157 157 <para> 158 HOST=localhost and DOMSUF=localdomain are required 158 HOST=localhost and DOMSUF=localdomain are required 159 159 Without these variables, a FQDN is 160 160 required to specified and this generic way should work for … … 165 165 <para> 166 166 The tests take an extremely long time to run. If desired there is 167 information in the all.sh script about running subsets of the 167 information in the all.sh script about running subsets of the 168 168 total test suite. 169 169 </para> … … 179 179 <listitem> 180 180 <para> 181 Test suite results (in HTML format!) can be found at 181 Test suite results (in HTML format!) can be found at 182 182 ../../test_results/security/localhost.1/results.html 183 183 </para> … … 302 302 libcrmf.a, libfreebl3.so, libfreeblpriv3.so, 303 303 libnss3.so, libnssckbi.so, libnssckbi-testlib.so, 304 libnssdbm3.so, libnsssysinit.so, libnssutil3.so, 305 libpkcs11testmodule.so, libsmime3.so, libsoftokn3.so, 304 libnssdbm3.so, libnsssysinit.so, libnssutil3.so, 305 libpkcs11testmodule.so, libsmime3.so, libsoftokn3.so, 306 306 and libssl3.so 307 307 </seg> -
postlfs/security/openssh.xml
r7999839 r8558044 13 13 <!ENTITY openssh-size "1.7 MB"> 14 14 <!ENTITY openssh-buildsize "48 MB (add 18 MB for tests)"> 15 <!ENTITY openssh-time "0.3 SBU (Using parallelism=4; 15 <!ENTITY openssh-time "0.3 SBU (Using parallelism=4; 16 16 running the tests takes 20+ minutes, 17 17 irrespective of processor speed)"> … … 143 143 144 144 <screen><userinput remap="pre">patch -Np1 -i ../openssh-&openssh-version;-glibc_2.31_fix-1.patch</userinput></screen> 145 --> 145 --> 146 146 147 147 <!-- Applied in 8.5p1 -
postlfs/security/p11-kit.xml
r7999839 r8558044 122 122 123 123 <para> 124 To test the results, issue: <command>ninja test</command>. 124 To test the results, issue: <command>ninja test</command>. 125 125 </para> 126 126 -
postlfs/security/polkit.xml
r7999839 r8558044 94 94 <xref linkend="linux-pam"/> 95 95 <phrase revision="sysv"> 96 and <xref role="first" linkend="elogind"/> 96 and <xref role="first" linkend="elogind"/> 97 97 </phrase> 98 98 </para> … … 118 118 <bridgehead renderas="sect4">Optional</bridgehead> 119 119 <para role="optional"> 120 <xref linkend="dbus-python"/> and 120 <xref linkend="dbus-python"/> and 121 121 <xref linkend="python-dbusmock"/> (for tests), 122 122 <xref linkend="DocBook"/>, … … 220 220 221 221 <para> 222 To test the results, first ensure that the system 222 To test the results, first ensure that the system 223 223 <application>D-Bus</application> daemon is running. 224 224 Then run <command>make check</command>. -
postlfs/security/shadow.xml
r7999839 r8558044 146 146 147 147 <screen role="root"><userinput>make exec_prefix=/usr install</userinput></screen> 148 148 149 149 </sect2> 150 150 … … 168 168 <para> 169 169 <command>sed -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' -e 170 's@/var/spool/mail@/var/mail@' -e '/PATH=/{s@/sbin:@@;s@/bin:@@}' 170 's@/var/spool/mail@/var/mail@' -e '/PATH=/{s@/sbin:@@;s@/bin:@@}' 171 171 -i etc/login.defs</command>: Instead of using 172 172 the default 'DES' method, this command modifies the installation to use … … 180 180 181 181 <para> 182 <command>sed ... libmisc/salt.c</command> and 182 <command>sed ... libmisc/salt.c</command> and 183 183 <command>sed ... libsubid/Makefile.am</command>: Fix a couple of errors 184 184 that were found after the package was released. -
postlfs/security/stunnel.xml
r7999839 r8558044 261 261 </para> 262 262 263 <screen role="root"><userinput>cat > /etc/stunnel/stunnel.conf << "EOF" 263 <screen role="root"><userinput>cat > /etc/stunnel/stunnel.conf << "EOF" 264 264 <literal>; File: /etc/stunnel/stunnel.conf 265 265 -
postlfs/security/sudo.xml
r7999839 r8558044 111 111 To test the results, issue: <command>env LC_ALL=C make check 2>&1 112 112 | tee make-check.log</command>. Check the results with <command>grep 113 failed make-check.log</command>. 113 failed make-check.log</command>. 114 114 </para> 115 115 … … 220 220 %wheel ALL=(ALL) ALL</literal> 221 221 EOF</userinput></screen> 222 222 223 223 <para> 224 224 For details, see <command>man sudoers</command>. -
postlfs/security/tripwire.xml
r7999839 r8558044 176 176 <para> 177 177 <option>CPPFLAGS=-std=c++11</option>: Setting the C++ preprocessor 178 flags to version 11 is necessary to prevent a confict with the 178 flags to version 11 is necessary to prevent a confict with the 179 179 default version which is c++17 in recent version of gcc. 180 180 </para> … … 296 296 email) and then modify the <application>Tripwire</application> database 297 297 to reflect the changed files on your system. This is so that 298 <application>Tripwire</application> will not continually notify you 298 <application>Tripwire</application> will not continually notify you 299 299 hat files you intentionally changed are a security violation. To do 300 300 this you must first <command>ls -l /var/lib/tripwire/report/</command> -
postlfs/security/volume_key.xml
r7999839 r8558044 30 30 31 31 <para> 32 The <application>volume_key</application> package provides 33 a library for manipulating storage volume encryption keys and storing 32 The <application>volume_key</application> package provides 33 a library for manipulating storage volume encryption keys and storing 34 34 them separately from volumes to handle forgotten passphrases. 35 35 </para>
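Review bot: In postlfs/security/mitkrb.xml, the hunk at lines 221-226 rewrites "This command changes the permisison of installed libraries." only to strip trailing whitespace, so the misspelling "permisison" survives on a line the commit already touches. Correct it to "permission" in the same change.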
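Review bot: In postlfs/security/nss.xml, the hunk at lines 156-160 leaves the edited line "HOST=localhost and DOMSUF=localdomain are required" without a full stop, so it runs straight into "Without these variables, a FQDN is required to specified", which is also missing "be". Suggest ending the first sentence with a period and writing "is required to be specified".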
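Review bot: In postlfs/security/tripwire.xml, the hunk at lines 176-180 keeps the typo "confict" on the line it edits ("necessary to prevent a confict with the"). Change it to "conflict", and the context line that follows would read better as "recent versions of gcc".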
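Review bot: In postlfs/security/tripwire.xml, the hunk at lines 296-300 edits line 298 ("will not continually notify you") but the sentence continues on line 299 as "hat files you intentionally changed are a security violation", which reads as "that" with its first letter missing. Since the whitespace fix touches this sentence, restore "that" on line 299 in the same commit.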