Context Navigation

← Previous Changeset
Next Changeset →

Changeset b4b71892

Timestamp:

06/10/2004 05:47:11 AM (20 years ago)

Author:

Bruce Dubbs <bdubbs@…>

Branches:

10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 6.0, 6.1, 6.2, 6.2.0, 6.2.0-rc1, 6.2.0-rc2, 6.3, 6.3-rc1, 6.3-rc2, 6.3-rc3, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gnome, kde5-13430, kde5-14269, kde5-14686, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, krejzi/svn, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, systemd-11177, systemd-13485, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal

Children:

cf43c83

Parents:

f8d632a

Message:

New XML Chapter 4

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@2288 af4574ff-66df-0310-9fd7-8a98e5e911e0

Files:

: 12 edited

general.ent (modified) (1 diff)
postlfs/postlfs.xml (modified) (1 diff)
postlfs/security/cracklib.xml (modified) (1 diff)
postlfs/security/firewalling.xml (modified) (2 diffs)
postlfs/security/gnupg.xml (modified) (1 diff)
postlfs/security/heimdal.xml (modified) (1 diff)
postlfs/security/iptables.xml (modified) (1 diff)
postlfs/security/linux_pam.xml (modified) (1 diff)
postlfs/security/mitkrb.xml (modified) (1 diff)
postlfs/security/security.xml (modified) (2 diffs)
postlfs/security/shadow.xml (modified) (2 diffs)
postlfs/security/tripwire.xml (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

general.ent

-              rf8d632a
+              rb4b71892
 <!ENTITY blfs-bootscripts-download "&downloads-root;/blfs-bootscripts-&blfs-bootscripts-version;.tar.bz2">
+<!ENTITY reiser-version "3.6.14">
+<!ENTITY xfsprogs-version "2.6.13">
+<!-- Chapter 4 -->
+<!ENTITY cracklib-version  "2.7">
+<!ENTITY Linux_PAM-version "0.77">
+<!ENTITY shadow-version    "4.0.4.1">
+<!ENTITY iptables-version  "1.2.9">
+<!ENTITY gnupg-version     "1.2.4">
+<!ENTITY tripwire-version  "2.3.1-2">
+<!ENTITY heimdal-version   "0.6.2">
+<!ENTITY mitkrb-version    "1.3.3">
+<!ENTITY gnome-version   "2.6">
+<!-- Chapter 5 -->
+<!ENTITY reiser-version    "3.6.14">
+<!ENTITY xfsprogs-version  "2.6.13">
+<!ENTITY gnome-version     "2.6">

postlfs/postlfs.xml

-              rf8d632a
+              rb4b71892
 <title>Post <acronym>LFS</acronym> Configuration and Extra Software</title>
+<!-- &postlfs-config; -->
 <xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="postlfs/config/config.xml"/>
+<!-- &postlfs-config; -->
+&postlfs-security;
+<!-- &postlfs-security; -->
+<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="postlfs/security/security.xml"/>
 <!-- &postlfs-filesystems; -->
 <xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="postlfs/filesystems/filesystems.xml"/>
 &postlfs-editors;
 &postlfs-shells;

postlfs/security/cracklib.xml

-              rf8d632a
+              rb4b71892
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+   "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
+  <!ENTITY % general-entities SYSTEM "../../general.ent">
+  %general-entities;
+  <!ENTITY cracklib-download-http "http://www.crypticide.com/users/alecm/security/cracklib,&cracklib-version;.tar.gz">
+  <!ENTITY cracklib-download-ftp "ftp://ftp.cerias.purdue.edu/pub/tools/unix/libs/cracklib/cracklib.&cracklib-version;.tar.gz">
+  <!ENTITY cracklib-size      "21 KB">
+  <!ENTITY cracklib-buildsize "17 MB">
+  <!ENTITY cracklib-time      "0.10 SBU">
+  <!ENTITY crackdict-size     "15.6MB">
+  <!ENTITY alldict-size       "466KB">
+]>
 <sect1 id="cracklib" xreflabel="cracklib-&cracklib-version;">
 <?dbhtml filename="cracklib.html"?>
 <title>cracklib-&cracklib-version;</title>
+&cracklib-intro;
+&cracklib-inst;
+&cracklib-desc;
+<sect2>
+<title>Introduction to <application>cracklib</application></title>
+<para>The cracklib package contains a library used to enforce strong passwords
+by comparing user selected passwords to words in a chosen wordlist.</para>
+<sect3><title>Package information</title>
+<itemizedlist spacing='compact'>
+<listitem><para>Download (HTTP): <ulink
+url="&cracklib-download-http;"/></para></listitem>
+<listitem><para>Download (FTP): <ulink
+url="&cracklib-download-ftp;"/></para></listitem>
+<listitem><para>Download size: &cracklib-size;</para></listitem>
+<listitem><para>Estimated Disk space required (with cracklib wordlist):
+&cracklib-buildsize;</para></listitem>
+<listitem><para>Estimated build time:
+&cracklib-time;</para></listitem></itemizedlist>
+</sect3>
+<sect3><title>Additional downloads</title>
+<itemizedlist spacing='compact'>
+<listitem><para>Required patch: <ulink
+url="&patch-root;/cracklib,&cracklib-version;-blfs-1.patch"/></para></listitem>
+<listitem><para>Recommended patch: <ulink
+url="&patch-root;/cracklib,&cracklib-version;-heimdal-1.patch"/></para></listitem>
+</itemizedlist>
+<para>You will also need to download a wordlist for use with cracklib.  There
+are two wordlists to choose from at the following location.  Use the
+<filename>cracklib</filename> word list for good security, or opt for the
+<filename>allwords</filename> word list for lightweight machines short on
+<acronym>RAM</acronym>.  You can of course choose any other word list that you
+have at your disposal.</para>
+<para>cracklib (&crackdict-size;): <ulink url="http://www.cotse.com/wordlists/cracklib"/></para>
+<para>allwords (&alldict-size;): <ulink url="http://www.cotse.com/wordlists/allwords"/></para>
+</sect3>
+</sect2>
+<sect2>
+<title>Installation of <application>cracklib</application></title>
+<para>First, we need to install the chosen word list for cracklib:</para>
+<screen><userinput><command>install -d -m755 /usr/share/dict &amp;&amp;
+install -m644 <replaceable>[wordlist]</replaceable> /usr/share/dict &amp;&amp;
+ln -sf <replaceable>[wordlist]</replaceable> /usr/share/dict/words &amp;&amp;
+echo $(hostname) >> /usr/share/dict/extra.words</command></userinput></screen>
+<para>Our wordlist is linked to <filename>/usr/share/dict/words</filename> as
+historically, <filename>words</filename> is the primary wordlist in the
+<filename class="directory">/usr/share/dict</filename> directory.  We also echo
+the value of hostname to a file called extra.words.  This extra file is intened
+to be a site specific list which includes easy to guess passwords such as
+company or department name, user's names, product names, computer name, domain
+name, etc.</para>
+<para>Now apply BLFS patch:</para>
+<screen><userinput><command>patch -Np1 -i ../cracklib,&cracklib-version;-blfs-1.patch</command></userinput></screen>
+<para>If necessary, apply the heimdal patch:</para>
+<screen><userinput><command>cp -R cracklib cracklib_krb5 &amp;&amp;
+patch -Np1 -i ../cracklib,&cracklib-version;-heimdal-1.patch</command></userinput></screen>
+<para>Finally install the package:</para>
+<screen><userinput><command>make install</command></userinput></screen>
+</sect2>
+<sect2>
+<title>Contents</title>
+<para>The <application>cracklib</application> package
+contains the <filename class="libraryfile">libcrack</filename>
+library.</para>
+</sect2>
+<sect2><title>Description</title>
+<sect3><title>libcrack library</title>
+<para>The <filename class="libraryfile">libcrack</filename> library
+provides a fast dictionary lookup method for strong password
+enforcement.</para></sect3>
+</sect2>
 </sect1>

postlfs/security/firewalling.xml

-              rf8d632a
+              rb4b71892
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+   "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
+  <!ENTITY % general-entities SYSTEM "../../general.ent">
+  %general-entities;
+]>
 <sect1 id="postlfs-security-fw-firewall" xreflabel="Firewalling">
 <?dbhtml filename="firewall.html"?>
 …
 have already installed iptables as described in the previous section.</para>
+&postlfs-security-fw-intro;
+&postlfs-security-fw-disclaimer;
+&postlfs-security-fw-kernel;
+&postlfs-security-fw-writing;
+&postlfs-security-fw-finale;
+&postlfs-security-fw-extrainfo;
+<sect2 id="postlfs-security-fw-intro" xreflabel="Firewalling Introduction">
+<title>Introduction to Firewall Creation</title>
+<para>The general purpose of a firewall is to protect a network
+against malicious access by using a single machine as a firewall.
+This does imply that the firewall is to be considered a single point
+of failure, but it can make the administrator's life a lot easier.</para>
+<para>In a perfect world where you knew that every daemon or service
+on every machine was perfectly configured and was immune to, e.g.,
+buffer-overflows and any other imaginable problem regarding its
+security, and where you trusted every user accessing your services
+to aim no harm, you wouldn't need to have a firewall!
+In the real world however, daemons may be misconfigured,
+exploits against essential services are freely available, you
+may wish to choose which services are accessible by certain machines,
+you may wish to limit which machines or applications are allowed
+to have Internet access, or you may simply  not trust some of your
+apps or users.
+In these situations you might  benefit by using a firewall.</para>
+<para>Don't assume however, that having a firewall makes careful
+configuration redundant, or that it makes any negligent
+misconfiguration harmless. It also doesn't prevent anyone from exploiting a
+service you intentionally offer but haven't recently updated or patched
+after an exploit went public.  Despite having a firewall, you need to
+keep applications and daemons on your system well-configured and
+up-to-date; a firewall is not a cure-all!</para>
+</sect2>
+<sect2>
+<title>Meaning of the word firewall.</title>
+<para>The word firewall can have several different meanings.</para>
+<sect3><title><xref linkend="postlfs-security-fw-persFw"/></title>
+<para>This is a setup or program, for Windows commercially sold by
+companies such as Symantec, of which they claim or pretend that it
+secures a home or desktop-pc with Internet access. This topic is
+highly relevant for users who do not know the methods their computers
+might be accessed via the Internet or how to disable them,
+especially if they are always online and connected via
+broadband links.</para></sect3>
+<sect3><title><xref linkend="postlfs-security-fw-masqRouter"/></title>
+<para>This is a box placed between the Internet and an intranet.
+To minimize the risk of compromising the firewall itself it
+should generally have only one role, that of protecting the intranet.
+Although not completely risk free, the tasks of doing the routing
+and eventually IP masquerading (rewriting IP-headers
+of the packets it routes from clients with private IP-addresses onto
+the Internet so that they seem to come from the firewall
+itself) are commonly considered harmless.</para></sect3>
+<sect3><title><xref linkend="postlfs-security-fw-busybox"/></title>
+<para>This is often an old box you may have retired and nearly forgotten,
+performing masquerading or routing functions, but offering a bunch of
+services, e.g., web-cache, mail, etc.  This may be very commonly used
+for home networks, but can definitely not be considered as secure
+anymore because the combining of server and router on one machine raises
+the complexity of the setup.</para></sect3>
+<sect3><title>Firewall with a demilitarized zone [not further described
+here]</title>
+<para>This box performs masquerading or routing, but grants public access to
+some branch of your network which, because of public IP's and a physically
+separated structure, is neither considered to be part of the inter- nor
+intranet.  These servers are those which must be easily accessible
+from both the inter- and intranet. The firewall protects
+them all.</para></sect3>
+<sect3><title>Packetfilter / partly accessible net [partly described
+here, see <xref linkend="postlfs-security-fw-busybox"/>]</title>
+<para>Doing routing or masquerading, but permitting only selected
+services to be accessible, sometimes only by selected internal users or boxes;
+mostly used in highly secure business contexts, sometimes by distrusting
+employers.  This was the common configuration of a firewall at the time of
+the Linux 2.2 kernel.  It's still possible to configure a firewall this way,
+but it makes the rules quite complex and lengthy.</para></sect3>
+</sect2>
+<sect2 id="postlfs-security-fw-disclaimer" xreflabel="Disclaimer">
+<title>Disclaimer</title>
+<!-- <para><emphasis>NEITHER THE AUTHOR NOR ANY OF THE LINUXFROMSCRATCH TEAM
+ARE RESPONSIBLE FOR ANY DAMAGES INCURRED DUE TO ACTIONS TAKEN BASED ON THIS
+DOCUMENT.</emphasis></para> -->
+<para>This document is meant as an introduction to how to setup a firewall.  It
+is not a complete guide to securing systems.  Firewalling is a complex issue
+that requires careful configuration.  The scripts quoted here are simply
+intended to give examples as to how a firewall works, they are not intended to
+fit into any imaginable configuration and may not prevent any imaginable
+attack.</para>
+<para>The purpose of this text is simply to give you a hint on how to get
+started with a firewall.</para>
+<para>Customization of these scripts for your specific situation will
+be necessary for an optimal configuration, but you should make a serious
+study of the iptables documentation and creating firewalls in general before hacking
+away.  Have a look at the list of <xref linkend="postlfs-security-fw-library"/> at the end
+of this section for more details.  Here you will find a list of URLs that
+contain quite comprehensive information about building your own firewall.</para>
+</sect2>
+<sect2 id="postlfs-security-fw-kernel" xreflabel="getting a firewalling-enabled Kernel">
+<title>Getting a firewall enabled Kernel</title>
+<para>If you want your Linux-Box to have a firewall, you must first ensure
+that your kernel has been compiled with the relevant options turned on.
+<!-- <footnote><para>If you needed assistance how to configure, compile and install
+a new kernel, refer back to chapter VIII of the LinuxFromScratch book,
+<ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/kernel.html">Installing a kernel</ulink>
+ and eventually
+<ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/lilo.html">Making the LFS system bootable</ulink>
+; note, that you'll need to reboot
+to actually run your new kernel.</para></footnote>-->
+</para>
+<para>How to configure your kernel, with enabling the options to be
+either compiled into the kernel or as modules, depends on your personal
+preferences and experience. Note, that for the quoted scripts it is assumed
+that the modules need to be loaded at first.</para>
+<screen>Network options menu
+  Network packet filtering:                         Y
+  Unix domain sockets:                         Y or M
+  TCP/IP networking:                                Y
+  IP: advanced router:                              Y
+  IP: verbose route monitoring:                     Y
+  IP: TCP Explicit Congestion Notification support: Y
+  IP: TCP syncookie support:                        Y
+  IP: Netfilter Configuration menu
+    Every option except:                       Y or M
+      ipchains (2.2-style) support                  N
+      ipfwadm (2.0-style) support                   N
+  Fast switching:                                   N</screen>
+<!--
+<table frame='none'>
+<title>Essential config-options for a firewall enabled Kernel</title>
+<tgroup cols='5'>
+<colspec colnum='1' colwidth='8*'  align='center'/>
+<colspec colnum='2' colwidth='19*' align='left'/>
+<colspec colnum='3' colwidth='11*' align='center'/>
+<colspec colnum='4' colwidth='1*'  align='center'/>
+<colspec colnum='5' colwidth='14*' align='left'/>
+<tbody>
+<row>
+<entry><emphasis><userinput>Networking options:</userinput></emphasis></entry>
+<entry><userinput>Network packet filtering</userinput></entry>
+<entry></entry>
+<entry>=</entry>
+<entry>CONFIG_NETFILTER</entry>
+</row>
+<row>
+<entry></entry>
+<entry><userinput>Unix domain sockets</userinput></entry>
+<entry></entry>
+<entry>=</entry>
+<entry>CONFIG_UNIX</entry>
+</row>
+<row>
+<entry></entry>
+<entry><userinput>IP: TCP/IP networking</userinput></entry>
+<entry></entry>
+<entry>=</entry>
+<entry>CONFIG_INET</entry>
+</row>
+<row>
+<entry></entry>
+<entry><userinput>IP: advanced router</userinput></entry>
+<entry></entry>
+<entry>=</entry>
+<entry>CONFIG_IP_ADVANCED_ROUTER</entry>
+</row>
+<row>
+<entry></entry>
+<entry><userinput>IP: verbose route monitoring</userinput></entry>
+<entry></entry>
+<entry>=</entry>
+<entry>CONFIG_IP_ROUTE_VERBOSE</entry>
+</row>
+<row>
+<entry></entry>
+<entry><userinput>IP: TCP Explicit Congestion Notification support</userinput></entry>
+<entry></entry>
+<entry>=</entry>
+<entry>CONFIG_INET_ECN</entry>
+</row>
+<row>
+<entry></entry>
+<entry><userinput>IP: TCP syncookie support</userinput></entry>
+<entry></entry>
+<entry>=</entry>
+<entry>CONFIG_SYN_COOKIES</entry>
+</row>
+<row>
+<entry></entry>
+<entry align='center'>
+<emphasis><userinput>IP: Netfilter Configuration:</userinput></emphasis></entry>
+<entry align='left'><userinput>every option</userinput></entry>
+<entry>=</entry>
+<entry>CONFIG_IP_NF_*</entry>
+</row>
+<row>
+<entry></entry>
+<entry align='right'><emphasis>WITHOUT:</emphasis></entry>
+<entry align='left'><literallayout><userinput>ipchains (2.2-style) support
+ipfw-adm (2.0-style) support</userinput></literallayout></entry>
+<entry>w\</entry>
+<entry>CONFIG_IP_NF_COMPAT_*</entry>
+</row>
+<row>
+<entry></entry>
+<entry><userinput>Fast switching</userinput></entry>
+<entry>Make sure to disable it because it would setup a bypass around
+your firewall rules.</entry>
+<entry>w\</entry>
+<entry>CONFIG_NET_FASTROUTE</entry>
+</row>
+</tbody>
+</tgroup>
+</table> -->
+</sect2>
+<sect2 id="postlfs-security-fw-writing" xreflabel="writing the firewalling-setup-scripts">
+<title>Now you can start to build your Firewall</title>
+<sect3 id="postlfs-security-fw-persFw" xreflabel="Personal Firewall">
+<title>Personal Firewall</title>
+<para>A Personal Firewall is supposed to let you access all the services
+offered on the Internet, but keep your box secure and your data private.</para>
+<para>Below is a slightly modified version of Rusty Russell's recommendation
+from the <ulink
+url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">Linux
+.4 Packet Filtering HOWTO</ulink>:</para>
+<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall &lt;&lt; "EOF"</command>
+#!/bin/sh
+# Begin $rc_base/init.d/firewall
+# Insert connection-tracking modules (not needed if built into the kernel).
+modprobe ip_tables
+modprobe iptable_filter
+modprobe ip_conntrack
+modprobe ip_conntrack_ftp
+modprobe ipt_state
+modprobe ipt_LOG
+# allow local-only connections
+iptables -A INPUT  -i lo -j ACCEPT
+# free output on any interface to any ip for any service (equal to -P ACCEPT)
+iptables -A OUTPUT -j ACCEPT
+# permit answers on already established connections
+# and permit new connections related to established ones (eg active-ftp)
+iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+# Log everything else:  What's Windows' latest exploitable vulnerability?
+iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
+# set a sane policy:    everything not accepted &gt; /dev/null
+iptables -P INPUT    DROP
+iptables -P FORWARD  DROP
+iptables -P OUTPUT   DROP
+# be verbose on dynamic ip-addresses     (not needed in case of static IP)
+echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
+# disable ExplicitCongestionNotification - too many routers are still ignorant
+echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
+# End $rc_base/init.d/firewall
+<command>EOF</command></userinput></screen>
+<para>His script is quite simple, it drops all traffic coming in into your
+computer that wasn't initiated from your box, but as long as you are simply
+surfing the Internet you are unlikely to exceed its limits.</para>
+<para>If you frequently encounter certain delays at accessing ftp-servers,
+please have a look at <xref linkend="postlfs-security-fw-busybox"/> -
+<xref linkend="postlfs-security-fw-BB-4"/>.</para>
+<para>Even if you have daemons or services running on your box, these
+should be inaccessible everywhere but from your box itself.
+If you want to allow access to services on your machine, such as ssh or pinging,
+take a look at <xref linkend="postlfs-security-fw-busybox"/>.</para>
+</sect3>
+<sect3 id="postlfs-security-fw-masqRouter" xreflabel="Masquerading Router">
+<title>Masquerading Router</title>
+<para>A true Firewall has two interfaces, one connected to an intranet,
+in this example, <emphasis role="strong">eth0</emphasis>, and one
+connected to the Internet, here, <emphasis role="strong">ppp0</emphasis>.
+To provide the maximum security against the box itself being broken into,
+make sure that there are no servers running on it, especially not
+<application>X11</application> et
+al.  And, as a general principle, the box itself should not access any untrusted
+service (Think of a name server giving answers that make your
+bind crash, or, even worse, that implement a worm via a
+buffer-overflow).</para>
+<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall &lt;&lt; "EOF"</command>
+#!/bin/sh
+# Begin $rc_base/init.d/firewall
+echo
+echo "You're using the example-config for a setup of a firewall"
+echo "from the firewalling-hint written for LinuxFromScratch."
+echo "This example is far from being complete, it is only meant"
+echo "to be a reference."
+echo "Firewall security is a complex issue, that exceeds the scope"
+echo "of the quoted configuration rules."
+echo "You can find some quite comprehensive information"
+echo "about firewalls in Chapter 4 of the BLFS book."
+echo "http://www.linuxfromscratch.org/blfs"
+echo
+# Insert iptables modules (not needed if built into the kernel).
+modprobe ip_tables
+modprobe iptable_filter
+modprobe ip_conntrack
+modprobe ip_conntrack_ftp
+modprobe ipt_state
+modprobe iptable_nat
+modprobe ip_nat_ftp
+modprobe ipt_MASQUERADE
+modprobe ipt_LOG
+modprobe ipt_REJECT
+# allow local-only connections
+iptables -A INPUT  -i lo -j ACCEPT
+iptables -A OUTPUT -o lo -j ACCEPT
+# allow forwarding
+iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+iptables -A FORWARD -m state --state NEW -i ! ppp+       -j ACCEPT
+# do masquerading    (not needed if intranet is not using private ip-addresses)
+iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE
+# Log everything for debugging (last of all rules, but before DROP/REJECT)
+iptables -A INPUT   -j LOG --log-prefix "FIREWALL:INPUT  "
+iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD"
+iptables -A OUTPUT  -j LOG --log-prefix "FIREWALL:OUTPUT "
+# set a sane policy
+iptables -P INPUT   DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT  DROP
+# be verbose on dynamic ip-addresses (not needed in case of static IP)
+echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
+# disable ExplicitCongestionNotification
+echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
+# activate TCPsyncookies
+echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies
+# activate Route-Verification = IP-Spoofing_protection
+for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
+        echo 1 &gt; $f
+done
+# activate IP-Forwarding
+echo 1 &gt; /proc/sys/net/ipv4/ip_forward
+<command>EOF</command></userinput></screen>
+<para>With this script your intranet should be sufficiently secure against
+external attacks. No one should be able to setup a new connection to any
+internal service and, if it's masqueraded, it's even invisible. Furthermore,
+your firewall should be nearly immune because there are no services running
+that a cracker could attack.</para>
+<para>Note: if the interface you're connecting to the Internet
+doesn't connect via ppp, you will need to change
+<replaceable>ppp+</replaceable> to the name of the interface which you are
+using.  If you are using the same interface type to connect to both your
+intranet and the Internet, you need to use the actual name of the
+interface such as <emphasis role="strong">eth0</emphasis>,
+on both interfaces.</para>
+<para>If you need stronger security (e.g., against DOS, connection
+highjacking, spoofing, etc.), have a look at the list of
+<xref linkend="postlfs-security-fw-library"/> at the end of this section.</para>
+</sect3>
+<sect3 id="postlfs-security-fw-busybox" xreflabel="BusyBox">
+<title>BusyBox</title>
+<para>This scenario isn't too different from (<xref linkend="postlfs-security-fw-masqRouter"/>),
+but in this case you want to offer some services to your intranet.
+Examples of this can be when you want to admin your box from another host
+on your intranet or use it as a proxy or a name server. Note: Outlining a true
+concept of how to protect a server that offers services on the Internet
+goes far beyond the scope of this document,
+see <xref linkend="postlfs-security-fw-disclaimer"/>.</para>
+<para>Be cautious.  Every service you offer and have enabled makes your
+setup more complex and your box less secure. You induce the risks of
+misconfigured services or running a service with an exploitable bug.  A firewall
+should generally not run any extra services.  See the introduction to
+<xref linkend="postlfs-security-fw-masqRouter"/> for some more details.</para>
+<para>If the services you'd like to offer do not need to access the Internet
+themselves, like internal-only samba- or name-servers, it's quite
+simple and should still be acceptable from a security standpoint.
+Just add the following lines <emphasis>before</emphasis> the logging-rules
+into the script.</para>
+<screen>iptables -A INPUT  -i ! ppp+  -j ACCEPT
+iptables -A OUTPUT -o ! ppp+  -j ACCEPT</screen>
+<para>If your daemons have to access the web themselves, like squid would need
+to, you could open OUTPUT generally and restrict INPUT.</para>
+<screen>iptables -A INPUT -m state --state ESTABLISHED,RELATED  -j ACCEPT
+iptables -A OUTPUT                                      -j ACCEPT</screen>
+<para>However, it is generally not advisable to leave OUTPUT unrestricted. You lose
+any control over trojans who'd like to "call home", and a bit of redundancy in case
+you've (mis-)configured a service so that it does broadcast its existence to the
+world.</para>
+<para>If you prefer to have this protection, you may restrict INPUT and OUTPUT
+on all ports except those that it's absolutely necessary to have open.
+Which ports you have to open depends on your needs: mostly you will find them
+by looking for failed accesses in your log-files.</para>
+<itemizedlist spacing="compact">
+<!-- <orderedlist numeration="arabic" spacing="compact"> -->
+<title>Have a look at the following examples:</title>
+<listitem><para>Squid is caching the web:</para>
+<screen>iptables -A OUTPUT -p tcp --dport 80                              -j ACCEPT
+iptables -A INPUT  -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT</screen></listitem>
+<listitem><para>Your caching name server (e.g., dnscache) does its
+lookups via udp:</para>
+<screen>iptables -A OUTPUT -p udp --dport 53                              -j ACCEPT
+iptables -A INPUT  -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT</screen></listitem>
+<listitem><para>Alternatively, if you want to be able to ping your box to ensure
+it's still alive:</para>
+<screen>iptables -A INPUT  -p icmp -m icmp --icmp-type echo-request -j ACCEPT
+iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply   -j ACCEPT</screen></listitem>
+<listitem><para><anchor id='postlfs-security-fw-BB-4' xreflabel="example no. 4"/>If you are
+frequently accessing ftp-servers or enjoy chatting, you might notice certain
+delays because some implementations of these daemons have the feature of
+querying an identd on your box for logging usernames.
+Although there's really no harm in this, having an identd running is not
+recommended because some implementations are known to be vulnerable.</para>
+<para>To avoid these delays you could reject the requests
+with a 'tcp-reset':</para>
+<screen>iptables -A INPUT  -p tcp --dport 113 -j REJECT --reject-with tcp-reset
+iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT</screen></listitem>
+<listitem><para>To log and drop invalid packets (harmless packets
+that came in after netfilter's timeout or some types of network scans):</para>
+<screen>iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG --log-prefix \
+"FIREWALL:INVALID"
+iptables -I INPUT 2 -p tcp -m state --state INVALID -j DROP</screen></listitem>
+<listitem><para>Anything coming from the outside should not have a
+private address, this is a common attack called IP-spoofing:</para>
+<screen>iptables -t nat -A PREROUTING -i ppp+ -s 10.0.0.0/8     -j DROP
+iptables -t nat -A PREROUTING -i ppp+ -s 172.16.0.0/12  -j DROP
+iptables -t nat -A PREROUTING -i ppp+ -s 192.168.0.0/16 -j DROP</screen></listitem>
+<listitem><para>To simplify debugging and be fair to anyone who'd like to
+access a service you have disabled, purposely or by mistake, you should REJECT
+those packets that are dropped.</para>
+<para>Obviously this must be done directly after logging as the very
+last lines before the packets are dropped by policy:</para>
+<screen>iptables -A INPUT                        -j REJECT
+iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT</screen></listitem>
+</itemizedlist>
+<!--</orderedlist>-->
+<para>These are only examples to show you some of the capabilities of the new
+firewall code in Linux-Kernel 2.4. Have a look at the man page of
+iptables.
+There you will find more of them. The port-numbers you'll need for this
+can be found in <filename>/etc/services</filename>, in case you didn't
+find them by trial and error in your log file.</para>
+<para>If you add any of your offered or accessed services such as the above,
+maybe even in FORWARD and for intranet-communication, and delete the
+general clauses, you get an old fashioned packet filter.</para>
+</sect3>
+</sect2>
+<sect2 id="postlfs-security-fw-finale" xreflabel="Conclusion">
+<title>Conclusion</title>
+<para>Finally, I'd like to remind you of one fact we must not forget:
+The effort spent attacking a system corresponds to the value the cracker
+expects to gain from it.
+If you are responsible for such valuable assets that you expect great
+effort to be made by potential crackers, you hopefully won't be in the
+need of this hint!</para>
+<!-- <para><literallayout>Be cautious!
+    Henning Rohde
+<email>Henning.Rohde@uni-bayreuth.de</email></literallayout></para>
+<para>PS: And always do remember:
+SecureIT is not a matter of a status-quo but one of never stopping
+to take care!</para>
+<para>PPS: If any of these scripts fail, please tell me. I will try to trace
+any faults.</para> -->
+</sect2>
+<sect2 id="postlfs-security-fw-extra" xreflabel="Extra Information">
+<title>Extra Information</title>
+<sect3 id="postlfs-security-fw-library" xreflabel="Links for further reading">
+<title>Where to start with further reading on firewalls.</title>
+<para><blockquote><literallayout>
+<ulink url="http://www.netfilter.org/">www.netfilter.org - Homepage of the netfilter/iptables project</ulink>
+<ulink url="http://www.netfilter.org/documentation/FAQ/netfilter-faq.html">Netfilter related FAQ</ulink>
+<ulink url="http://www.netfilter.org/documentation/index.html#HOWTO">Netfilter related HOWTO's</ulink>
+<ulink url="http://en.tldp.org/LDP/nag2/x-087-2-firewall.html">en.tldp.org/LDP/nag2/x-087-2-firewall.html</ulink>
+<ulink url="http://en.tldp.org/HOWTO/Security-HOWTO.html">en.tldp.org/HOWTO/Security-HOWTO.html</ulink>
+<ulink url="http://en.tldp.org/HOWTO/Firewall-HOWTO.html">en.tldp.org/HOWTO/Firewall-HOWTO.html</ulink>
+<ulink url="http://www-106.ibm.com/developerworks/security/library/s-fire.html">www.ibm.com/developerworks/security/library/s-fire.html</ulink>
+<ulink url="http://www-106.ibm.com/developerworks/security/library/s-fire2.html">www.ibm.com/developerworks/security/library/s-fire2.html</ulink>
+<ulink url="http://www.interhack.net/pubs/fw-faq/">www.interhack.net/pubs/fw-faq/</ulink>
+<ulink url="http://www.linuxsecurity.com/docs/">www.linuxsecurity.com/docs/</ulink>
+<ulink url="http://www.little-idiot.de/firewall">www.little-idiot.de/firewall (German &amp; outdated, but very comprehensive)</ulink>
+<ulink url="http://www.linuxgazette.com/issue65/stumpel.html">www.linuxgazette.com/issue65/stumpel.html</ulink>
+<ulink url="http://linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html">linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html</ulink>
+<ulink url="http://staff.washington.edu/dittrich/misc/ddos">staff.washington.edu/dittrich/misc/ddos</ulink>
+<ulink url="http://www.e-infomax.com/ipmasq">www.e-infomax.com/ipmasq</ulink>
+<ulink url="http://www.circlemud.org/~jelson/writings/security/index.htm">www.circlemud.org/~jelson/writings/security/index.htm</ulink>
+<ulink url="http://www.securityfocus.com">www.securityfocus.com</ulink>
+<ulink url="http://www.cert.org/tech_tips/">www.cert.org - tech_tips</ulink>
+<ulink url="http://security.ittoolbox.com/">security.ittoolbox.com</ulink>
+<ulink url="http://www.linux-firewall-tools.com/linux/">www.linux-firewall-tools.com/linux/</ulink>
+<ulink url="http://logi.cc/linux/athome-firewall.php3">logi.cc/linux/athome-firewall.php3</ulink>
+<ulink url="http://www.insecure.org/reading.html">www.insecure.org/reading.html</ulink>
+<ulink url="http://www.robertgraham.com/pubs/firewall-seen.html">www.robertgraham.com/pubs/firewall-seen.html</ulink>
+</literallayout></blockquote></para>
+<!-- <para>If a link proves to be dead or if you think I missed one,
+please mail!</para> -->
+</sect3>
+<sect3 id="postlfs-security-fw-status" xreflabel="/etc/rc.d/init.d/firewall.status">
+<title>firewall.status</title>
+<para>If you'd like to have a look at the chains your firewall consists of and
+the order in which the rules take effect:</para>
+<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall.status &lt;&lt; "EOF"</command>
+#!/bin/sh
+# Begin $rc_base/init.d/firewall.status
+echo "iptables.mangling:"
+iptables -t mangle  -v -L -n --line-numbers
+echo
+echo "iptables.nat:"
+iptables -t nat     -v -L -n --line-numbers
+echo
+echo "iptables.filter:"
+iptables            -v -L -n --line-numbers
+<command>EOF</command></userinput></screen>
+</sect3>
+<sect3 id="postlfs-security-fw-stop" xreflabel="/etc/rc.d/init.d/firewall.stop">
+<title>firewall.stop</title>
+<para>If you need to turn the firewall off, this script will do it:</para>
+<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall.stop &lt;&lt; "EOF"</command>
+#!/bin/sh
+# Being $rc_base/init.d/firewall.stop
+# deactivate IP-Forwarding
+echo 0 > /proc/sys/net/ipv4/ip_forward
+iptables -Z
+iptables -F
+iptables -t nat         -F PREROUTING
+iptables -t nat         -F OUTPUT
+iptables -t nat         -F POSTROUTING
+iptables -t mangle      -F PREROUTING
+iptables -t mangle      -F OUTPUT
+iptables -X
+iptables -P INPUT       ACCEPT
+iptables -P FORWARD     ACCEPT
+iptables -P OUTPUT      ACCEPT
+<command>EOF</command></userinput></screen>
+</sect3>
+</sect2>
 </sect1>

postlfs/security/gnupg.xml

-              rf8d632a
+              rb4b71892
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+   "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
+  <!ENTITY % general-entities SYSTEM "../../general.ent">
+  %general-entities;
+  <!ENTITY gnupg-download-http "http://public.ftp.planetmirror.com/pub/gnupg/gnupg-&gnupg-version;.tar.bz2">
+  <!ENTITY gnupg-download-ftp  "ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-&gnupg-version;.tar.bz2">
+  <!ENTITY gnupg-size          "2.3 MB">
+  <!ENTITY gnupg-buildsize     "26 MB">
+  <!ENTITY gnupg-time          "0.44 SBU">
+]>
 <sect1 id="gnupg" xreflabel="GnuPG-&gnupg-version;">
 <?dbhtml filename="gnupg.html"?>
 <title>GnuPG-&gnupg-version;</title>
+&gnupg-intro;
+&gnupg-inst;
+&gnupg-exp;
+&gnupg-desc;
+<sect2>
+<title>Introduction to <application>GnuPG</application></title>
+<para>The <application>GnuPG</application> package contains a public/private
+key encryptor. This is
+becoming useful for signing files or emails as proof of identity and
+preventing tampering with contents of the file or email.</para>
+<sect3><title>Package information</title>
+<itemizedlist spacing='compact'>
+<listitem><para>Download (HTTP): <ulink
+url="&gnupg-download-http;"/></para></listitem>
+<listitem><para>Download (FTP): <ulink
+url="&gnupg-download-ftp;"/></para></listitem>
+<listitem><para>Download size: &gnupg-size;</para></listitem>
+<listitem><para>Estimated Disk space required:
+&gnupg-buildsize;</para></listitem>
+<listitem><para>Estimated build time:
+&gnupg-time;</para></listitem></itemizedlist>
+</sect3>
+<sect3><title><application>GnuPG</application> dependencies</title>
+<sect4><title>Optional</title>
+<para><xref linkend="openldap"/></para></sect4>
+</sect3>
+</sect2>
+<sect2>
+<title>Installation of <application>GnuPG</application></title>
+<para>Install <application>GnuPG</application> by running the following commands:</para>
+<screen><userinput><command>./configure --prefix=/usr --libexecdir=/usr/lib &amp;&amp;
+make &amp;&amp;
+make install &amp;&amp;
+chmod 4755 /usr/bin/gpg</command></userinput></screen>
+</sect2>
+<sect2>
+<title>Command explanations</title>
+<para><parameter>--libexecdir=/usr/lib</parameter>: This command
+creates a <filename class="directory">gnupg</filename> directory in
+<filename class="directory">/usr/lib</filename> instead of
+<filename class="directory">/usr/libexec</filename>.</para>
+<para><command>chmod 4755 /usr/bin/gpg</command>: We install
+<command>gpg</command> setuid root to avoid swapping out of
+sensitive data.</para>
+</sect2>
+<sect2>
+<title>Contents</title>
+<para>The <application>GnuPG</application> package contains <command>gpg</command>,
+<command>gpgsplit</command> and <command>gpgv</command>.</para>
+</sect2>
+<sect2><title>Description</title>
+<sect3><title>gpg</title>
+<para><command>gpg</command> is the backend (command-line interface) for
+this Open<acronym>PGP</acronym>
+implementation.</para></sect3>
+<sect3><title>gpgsplit</title>
+<para><command>gpgsplit</command> separates key rings.</para></sect3>
+<sect3><title>gpgv</title>
+<para><command>gpgv</command> is a verify only version of
+<command>gpg</command>.</para></sect3>
+</sect2>
 </sect1>

postlfs/security/heimdal.xml

-              rf8d632a
+              rb4b71892
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+   "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
+  <!ENTITY % general-entities SYSTEM "../../general.ent">
+  %general-entities;
+  <!ENTITY heimdal-download-http "http://ftp.vc-graz.ac.at/mirror/crypto/kerberos/heimdal/heimdal-&heimdal-version;.tar.gz">
+  <!ENTITY heimdal-download-ftp  "ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-&heimdal-version;.tar.gz">
+  <!ENTITY heimdal-size          "3.2 MB">
+  <!ENTITY heimdal-buildsize     "142 MB">
+  <!ENTITY heimdal-time          "2.55 SBU">
+]>
 <sect1 id="heimdal" xreflabel="Heimdal-&heimdal-version;">
 <?dbhtml filename="heimdal.html"?>
 <title>Heimdal-&heimdal-version;</title>
+&heimdal-intro;
+&heimdal-inst;
+&heimdal-exp;
+&heimdal-config;
+&heimdal-desc;
+<sect2>
+<title>Introduction to <application>Heimdal</application></title>
+<para> <application>Heimdal</application> is a free implementation of Kerberos
+, that aims to be compatible with <acronym>MIT</acronym> krb5 and is backwards
+compatible with krb4. Kerberos is a network authentication protocol. Basically
+it preserves the integrity of passwords in any untrusted network (like the
+Internet). Kerberized applications work hand-in-hand with sites that support
+Kerberos to ensure that passwords cannot be stolen. A Kerberos installation
+will make changes to the authentication mechanisms on your network and will
+overwrite several programs and daemons from the Coreutils, Inetutils, Qpopper
+and Shadow packages.  </para>
+<sect3><title>Package information</title>
+<itemizedlist spacing='compact'>
+<listitem><para>Download (HTTP): <ulink url="&heimdal-download-http;"/></para></listitem>
+<listitem><para>Download (FTP): <ulink url="&heimdal-download-ftp;"/></para></listitem>
+<listitem><para>Download size: &heimdal-size;</para></listitem>
+<listitem><para>Estimated Disk space required: &heimdal-buildsize;</para></listitem>
+<listitem><para>Estimated build time: &heimdal-time;</para></listitem></itemizedlist>
+</sect3>
+<sect3><title>Additional downloads</title>
+<itemizedlist spacing='compact'>
+<listitem><para>Required patch: <ulink
+url="&patch-root;/heimdal-&heimdal-version;-fhs-compliance-1.patch"/></para>
+</listitem>
+<listitem><para>Required patch for cracklib: <ulink
+url="&patch-root;/heimdal-&heimdal-version;-cracklib-1.patch"/></para>
+</listitem>
+</itemizedlist>
+</sect3>
+<sect3><title><application>Heimdal</application> dependencies</title>
+<sect4><title>Required</title>
+<para>
+<xref linkend="openssl"/> and
+<xref linkend="db"/>
+</para></sect4>
+<sect4><title>Optional</title>
+<para>
+<xref linkend="readline"/>,
+<xref linkend="Linux_PAM"/>,
+<xref linkend="openldap"/>,
+X (<xref linkend="xorg"/> or <xref linkend="xfree86"/>),
+<xref linkend="cracklib"/> and
+<ulink url="http://www.pdc.kth.se/kth-krb/">krb4</ulink>
+</para>
+<note><para>
+Some sort of time synchronization facility on your system (like <xref
+linkend="ntp"/>) is required since Kerberos won't authenticate if the
+time differential between a kerberized client and the
+<acronym>KDC</acronym> server is more than 5 minutes.</para></note>
+</sect4>
+</sect3>
+</sect2>
+<sect2>
+<title>Installation of <application>Heimdal</application></title>
+<para>
+Before installing the package, you may want to preserve the
+<command>ftp</command> program from the Inetutils package. This is
+because using the Heimdal <command>ftp</command> program to connect to
+non kerberized ftp servers may not work properly. It will allow you to
+connect (letting you know that transmission of the password is clear
+text) but will have problems doing puts and gets.
+</para>
+<screen><userinput><command>mv /usr/bin/ftp /usr/bin/ftpn</command></userinput></screen>
+<para>
+If you wish the Heimdal package to link against the cracklib library,
+you must apply a patch:
+</para>
+<screen><userinput><command>patch -Np1 -i ../heimdal-&heimdal-version;-cracklib-1.patch</command></userinput></screen>
+<para>Install <application>Heimdal</application> by running the following commands:</para>
+<screen><userinput><command>patch -Np1 -i ../heimdal-&heimdal-version;-fhs-compliance-1.patch &amp;&amp;
+./configure --prefix=/usr --sysconfdir=/etc/heimdal \
+    --datadir=/var/lib/heimdal --libexecdir=/usr/sbin \
+    --sharedstatedir=/usr/share --localstatedir=/var/lib/heimdal \
+    --enable-shared --with-openssl=/usr &amp;&amp;
+make &amp;&amp;
+make install &amp;&amp;
+mv /bin/login /bin/login.shadow &amp;&amp;
+mv /bin/su /bin/su.coreutils &amp;&amp;
+mv /usr/bin/{login,su} /bin &amp;&amp;
+ln -sf ../../bin/login /usr/bin &amp;&amp;
+mv /usr/lib/lib{otp.so.0,otp.so.0.1.4,kafs.so.0,kafs.so.0.4.0} /lib &amp;&amp;
+mv /usr/lib/lib{krb5.so.17,krb5.so.17.3.0,asn1.so.6,asn1.so.6.0.2} /lib &amp;&amp;
+mv /usr/lib/lib{roken.so.16,roken.so.16.0.3,crypto.so.0.9.7} /lib &amp;&amp;
+mv /usr/lib/lib{com_err.so.2,com_err.so.2.1,db-4.1.so} /lib &amp;&amp;
+ln -sf ../../lib/lib{otp.so.0,otp.so.0.1.4,kafs.so.0,kafs.so.0.4.0} /usr/lib &amp;&amp;
+ln -sf ../../lib/lib{krb5.so.17,krb5.so.17.3.0,asn1.so.6,asn1.so.6.0.2} /usr/lib &amp;&amp;
+ln -sf ../../lib/lib{roken.so.16,roken.so.16.0.3,crypto.so.0.9.7} /usr/lib &amp;&amp;
+ln -sf ../../lib/lib{com_err.so.2,com_err.so.2.1,db-4.1.so} /usr/lib &amp;&amp;
+ldconfig</command></userinput></screen>
+</sect2>
+<sect2>
+<title>Command explanations</title>
+<para><parameter>--libexecdir=/usr/sbin</parameter>:
+This switch puts the daemon programs into <filename
+class="directory">/usr/sbin</filename>.
+</para>
+<note><para>
+If you want to preserve all your existing Inetutils package daemons,
+install the Heimdal daemons into <filename
+class="directory">/usr/sbin/heimdal</filename> (or wherever you want).
+Since these programs will be called from <command>(x)inetd</command> or
+<command>rc</command> scripts, it really doesn't matter where they live,
+as long as they are correctly specified in the
+<filename>/etc/(x)inetd.conf</filename> file and <command>rc</command>
+scripts. If you choose something other than <filename
+class="directory">/usr/sbin</filename>, you may want to move some of the
+user programs (such as <command>kadmin</command>) to <filename
+class="directory">/usr/sbin</filename> manually.
+</para></note>
+<para>
+<screen><command>mv /bin/login /bin/login.shadow
+mv /bin/su /bin/su.coreutils
+mv /usr/bin/{login,su} /bin
+ln -sf ../../bin/login /usr/bin</command></screen>
+The <command>login</command> and <command>su</command> programs
+installed by Heimdal belong in the <filename
+class="directory">/bin</filename> directory. The
+<command>login</command> program is symlinked because Heimdal is expecting
+to find it in <filename class="directory">/usr/bin</filename>. We
+preserve the old executables before the move to keep things sane should
+breaks occur.
+</para>
+<para>
+<screen><command>mv /usr/lib/lib{otp.so.0,otp.so.0.1.4,kafs.so.0,kafs.so.0.4.0} /lib
+mv /usr/lib/lib{krb5.so.17,krb5.so.17.3.0,asn1.so.6,asn1.so.6.0.2} /lib
+mv /usr/lib/lib{roken.so.16,roken.so.16.0.3,crypto.so.0.9.7} /lib
+mv /usr/lib/lib{com_err.so.2,com_err.so.2.1,db-4.1.so} /lib
+ln -sf ../../lib/lib{otp.so.0,otp.so.0.1.4,kafs.so.0,kafs.so.0.4.0} /usr/lib
+ln -sf ../../lib/lib{krb5.so.17,krb5.so.17.3.0,asn1.so.6,asn1.so.6.0.2} /usr/lib
+ln -sf ../../lib/lib{roken.so.16,roken.so.16.0.3,crypto.so.0.9.7} /usr/lib
+ln -sf ../../lib/lib{com_err.so.2,com_err.so.2.1,db-4.1.so} /usr/lib</command></screen>
+The <command>login</command> and <command>su</command> programs
+installed by Heimdal link against Heimdal libraries as well as crypto
+and db libraries. We move these libraries to <filename
+class="directory">/lib</filename> to be <acronym>FHS</acronym>
+compliant and in case when <filename
+class="directory">/usr</filename> is located on a separate partition which
+may not always be mounted.
+</para>
+</sect2>
+<sect2>
+<title>Configuring Heimdal</title>
+<sect3><title>Config files</title>
+<para><filename>/etc/heimdal/*</filename></para>
+</sect3>
+<sect3><title>Configuration Information</title>
+<sect4><title>Master KDC Server Configuration</title>
+<para>
+Create the Kerberos configuration file with the following command:
+</para>
+<screen><userinput><command>install -d /etc/heimdal &amp;&amp;
+cat &gt; /etc/heimdal/krb5.conf &lt;&lt; "EOF"</command>
+# Begin /etc/heimdal/krb5.conf
+[libdefaults]
+    default_realm = <replaceable>[LFS.ORG]</replaceable>
+    encrypt = true
+[realms]
+    <replaceable>[LFS.ORG]</replaceable> = {
+        kdc = <replaceable>[belgarath.lfs.org]</replaceable>
+        admin_server = <replaceable>[belgarath.lfs.org]</replaceable>
+        kpasswd_server = <replaceable>[belgarath.lfs.org]</replaceable>
+    }
+[domain_realm]
+    .<replaceable>[lfs.org]</replaceable> = <replaceable>[LFS.ORG]</replaceable>
+[logging]
+    kdc = FILE:/var/log/kdc.log
+    admin_server = FILE:/var/log/kadmin.log
+    default = FILE:/var/log/krb.log
+# End /etc/heimdal/krb5.conf
+<command>EOF</command></userinput></screen>
+<para>
+You will need to substitute your domain and proper hostname for the
+occurances of the belgarath and lfs.org names.
+</para>
+<para>
+<userinput>default_realm</userinput> should be the name of your domain changed to ALL CAPS.
+This isn't required, but both Heimdal and <acronym>MIT</acronym>
+recommend it.
+</para>
+<para>
+<userinput>encrypt = true</userinput> provides encryption of all traffic between kerberized
+clients and servers. It's not necessary and can be left off. If you
+leave it off, you can encrypt all traffic from the client to the server
+using a switch on the client program instead.
+</para>
+<para>
+The <userinput>[realms]</userinput> parameters tell the client programs where to look for the
+<acronym>KDC</acronym> authentication services.
+</para>
+<para>
+The <userinput>[domain_realm]</userinput> section maps a domain to a realm.
+</para>
+<para>
+Store the master password in a key file using the following commands:
+</para>
+<screen><userinput><command>install -d -m 755 /var/lib/heimdal &amp;&amp;
+kstash</command></userinput></screen>
+<para>
+Create the <acronym>KDC</acronym> database:
+</para>
+<screen><userinput><command>kadmin -l</command></userinput></screen>
+<para>
+Choose the defaults for now. You can go in later and change the
+defaults, should you feel the need. At the
+<userinput>kadmin&gt;</userinput> prompt, issue the following statement:
+</para>
+<screen><userinput><command>init <replaceable>[LFS.ORG]</replaceable></command></userinput></screen>
+<para>
+Now we need to populate the database with principles (users). For now,
+just use your regular login name or root.
+</para>
+<screen><userinput><command>add <replaceable>[loginname]</replaceable></command></userinput></screen>
+<para>
+The <acronym>KDC</acronym> server and any machine running kerberized
+server daemons must have a host key installed:
+</para>
+<screen><userinput><command>add --random-key host/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
+<para>
+After choosing the defaults when prompted, you will have to export the
+data to a keytab file:
+</para>
+<screen><userinput><command>ext host/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
+<para>
+This should have created two files in
+<filename class="directory">/etc/heimdal</filename>;
+<filename>krb5.keytab</filename> (Kerberos 5) and
+<filename>srvtab</filename> (Kerberos 4). Both files should have 600
+(root rw only) permissions. Keeping the keytab files from public access
+is crucial to the overall security of the Kerberos installation.
+</para>
+<para>
+Eventually, you'll want to add server daemon principles to the database
+and extract them to the keytab file. You do this in the same way you
+created the host principles. Below is an example:
+</para>
+<screen><userinput><command>add --random-key ftp/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
+<para>
+(choose the defaults)
+</para>
+<screen><userinput><command>ext ftp/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
+<para>
+Exit the <command>kadmin</command> program (use <command>quit</command>
+or <command>exit</command>) and return back to the shell prompt. Start
+the <acronym>KDC</acronym> daemon manually, just to test out the
+installation:
+</para>
+<screen><userinput><command>/usr/sbin/kdc &amp;</command></userinput></screen>
+<para>
+Attempt to get a <acronym>TGT</acronym> (ticket granting ticket) with the
+following command:
+</para>
+<screen><userinput><command>kinit <replaceable>[loginname]</replaceable></command></userinput></screen>
+<para>
+You will be prompted for the password you created. After you get your
+ticket, you should list it with the following command:
+</para>
+<screen><userinput><command>klist</command></userinput></screen>
+<para>
+Information about the ticket should be displayed on the screen.
+</para>
+<para>
+To test the functionality of the keytab file, issue the following
+command:
+</para>
+<screen><userinput><command>ktutil list</command></userinput></screen>
+<para>
+This should dump a list of the host principals, along with the encryption
+methods used to access the principals.
+</para>
+<para>
+At this point, if everything has been successful so far, you can feel
+fairly confident in the installation and configuration of the package.
+</para>
+<para>Install the <filename>/etc/rc.d/init.d/heimdal</filename> init script
+included in the <xref linkend="intro-important-bootscripts"/>
+package.</para>
+<screen><userinput><command>make install-heimdal</command></userinput></screen>
+</sect4>
+<sect4><title>Using Kerberized Client Programs</title>
+<para>
+To use the kerberized client programs (<command>telnet</command>,
+<command>ftp</command>, <command>rsh</command>,
+<command>rxterm</command>, <command>rxtelnet</command>,
+<command>rcp</command>, <command>xnlock</command>), you first must get
+a <acronym>TGT</acronym>. Use the <command>kinit</command> program to
+get the ticket. After you've acquired the ticket, you can use the
+kerberized programs to connect to any kerberized server on the network.
+You will not be prompted for authentication until your ticket expires
+(default is one day), unless you specify a different user as a command
+line argument to the program.
+</para>
+<para>
+The kerberized programs will connect to non kerberized daemons, warning
+you that authentication is not encrypted. As mentioned earlier, only the
+<command>ftp</command> program gives any trouble connecting to non
+kerberized daemons.
+</para>
+<para>
+For additional information consult <ulink
+url="http://www.linuxfromscratch.org/hints/downloads/files/heimdal.txt">the
+Heimdal hint</ulink> on which the above instructions are based.
+</para>
+</sect4>
+</sect3>
+</sect2>
+<sect2>
+<title>Contents</title>
+<para>The <application>Heimdal</application> package contains
+<command>afslog</command>,
+<command>dump_log</command>,
+<command>ftp</command>,
+<command>ftpd</command>,
+<command>hprop</command>,
+<command>hpropd</command>,
+<command>ipropd-master</command>,
+<command>ipropd-slave</command>,
+<command>kadmin</command>,
+<command>kadmind</command>,
+<command>kauth</command>,
+<command>kdc</command>,
+<command>kdestroy</command>,
+<command>kf</command>,
+<command>kfd</command>,
+<command>kgetcred</command>,
+<command>kinit</command>,
+<command>klist</command>,
+<command>kpasswd</command>,
+<command>kpasswdd</command>,
+<command>krb5-config</command>,
+<command>kstash</command>,
+<command>ktutil</command>,
+<command>kx</command>,
+<command>kxd</command>,
+<command>login</command>,
+<command>mk_cmds</command>,
+<command>otp</command>,
+<command>otpprint</command>,
+<command>pagsh</command>,
+<command>pfrom</command>,
+<command>popper</command>,
+<command>push</command>,
+<command>rcp</command>,
+<command>replay_log</command>,
+<command>rsh</command>,
+<command>rshd</command>,
+<command>rxtelnet</command>,
+<command>rxterm</command>,
+<command>string2key</command>,
+<command>su</command>,
+<command>telnet</command>,
+<command>telnetd</command>,
+<command>tenletxr</command>,
+<command>truncate_log</command>,
+<command>verify_krb5_conf</command>,
+<command>xnlock</command>,
+<filename class="libraryfile">libasn1</filename>,
+<filename class="libraryfile">libeditline</filename>,
+<filename class="libraryfile">libgssapi</filename>,
+<filename class="libraryfile">libhdb</filename>,
+<filename class="libraryfile">libkadm5clnt</filename>,
+<filename class="libraryfile">libkadm5srv</filename>,
+<filename class="libraryfile">libkafs</filename>,
+<filename class="libraryfile">libkrb5</filename>,
+<filename class="libraryfile">libotp</filename>,
+<filename class="libraryfile">libroken</filename>,
+<filename class="libraryfile">libsl</filename> and
+<filename class="libraryfile">libss</filename>.
+</para>
+</sect2>
+<sect2><title>Description</title>
+<sect3><title>afslog</title>
+<para><command>afslog</command> obtains AFS tokens for a number of
+cells.</para></sect3>
+<sect3><title>hprop</title>
+<para><command>hprop</command> takes a principal database in a specified
+format and converts it into a stream of Heimdal database
+records.</para></sect3>
+<sect3><title>hpropd</title>
+<para><command>hpropd</command> receives a database sent by
+<command>hprop</command> and writes it as a local
+database.</para></sect3>
+<sect3><title>kadmin</title>
+<para><command>kadmin</command> is an utility used to make modifications
+to the Kerberos database.</para></sect3>
+<sect3><title>kadmind</title>
+<para><command>kadmind</command> is a server for administrative access
+to Kerberos database.</para></sect3>
+<sect3><title>kauth, kinit</title>
+<para><command>kauth</command> and <command>kinit</command> are used to
+authenticate to the Kerberos server as principal and acquire a ticket
+granting ticket that can later be used to obtain tickets for other
+services.</para></sect3>
+<sect3><title>kdc</title>
+<para><command>kdc</command> is a Kerberos 5 server.</para></sect3>
+<sect3><title>kdestroy</title>
+<para><command>kdestroy</command> removes the current set of
+tickets.</para></sect3>
+<sect3><title>kf</title>
+<para><command>kf</command> is a program which forwards tickets to a
+remote host through an authenticated and encrypted
+stream.</para></sect3>
+<sect3><title>kfd</title>
+<para><command>kfd</command> receives forwarded tickets.</para></sect3>
+<sect3><title>kgetcred</title>
+<para><command>kgetcred</command> obtains a ticket for a
+service.</para></sect3>
+<sect3><title>klist</title>
+<para><command>klist</command> reads and displays the current tickets in
+the credential cache.</para></sect3>
+<sect3><title>kpasswd</title>
+<para><command>kpasswd</command> is a program for changing Kerberos 5
+passwords.</para></sect3>
+<sect3><title>kpasswdd</title>
+<para><command>kpasswdd</command> is a Kerberos 5 password changing
+server.</para></sect3>
+<sect3><title>krb5-config</title>
+<para><command>krb5-config</command> gives information on how to link
+programs against Heimdal libraries.</para></sect3>
+<sect3><title>kstash</title>
+<para><command>kstash</command> stores the <acronym>KDC</acronym> master
+password in a file.</para></sect3>
+<sect3><title>ktutil</title>
+<para><command>ktutil</command> is a program for managing Kerberos
+keytabs.</para></sect3>
+<sect3><title>kx</title>
+<para><command>kx</command> is a program which securely forwards X
+connections.</para></sect3>
+<sect3><title>kxd</title>
+<para><command>kxd</command> is the daemon for
+<command>kx</command>.</para></sect3>
+<sect3><title>otp</title>
+<para><command>otp</command> manages one-time passwords.</para></sect3>
+<sect3><title>otpprint</title>
+<para><command>otpprint</command> prints lists of one-time
+passwords.</para></sect3>
+<sect3><title>rxtelnet</title>
+<para><command>rxtelnet</command> program starts an
+<command>xterm</command> window with a telnet to given host and forwards
+X connections.</para></sect3>
+<sect3><title>rxterm</title>
+<para><command>rxterm</command> starts a secure remote
+<command>xterm</command>.</para></sect3>
+<sect3><title>string2key</title>
+<para><command>string2key</command> maps a password into a
+key.</para></sect3>
+<sect3><title>tenletxr</title>
+<para><command>tenletxr</command> forwards X connections
+backwards.</para></sect3>
+<sect3><title>verify_krb5_conf</title>
+<para><command>verify_krb5_conf</command> checks
+<filename>krb5.conf</filename> file for obvious errors.</para></sect3>
+<sect3><title>xnlock</title>
+<para><command>xnlock</command> is a program that acts as a secure screen
+saver for workstations running X.</para></sect3>
+</sect2>
 </sect1>

postlfs/security/iptables.xml

-              rf8d632a
+              rb4b71892
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+   "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
+  <!ENTITY % general-entities SYSTEM "../../general.ent">
+  %general-entities;
+  <!ENTITY iptables-download-http "http://www.iptables.org/files/iptables-&iptables-version;.tar.bz2">
+  <!ENTITY iptables-download-ftp  "ftp://ftp.netfilter.org/pub/iptables/iptables-&iptables-version;.tar.bz2">
+  <!ENTITY iptables-size          "183 KB">
+  <!ENTITY iptables-buildsize     "3.4 MB">
+  <!ENTITY iptables-time          "0.13 SBU">
+]>
 <sect1 id="postlfs-security-iptables">
 <?dbhtml filename="iptables.html"?>
 <title>iptables-&iptables-version;</title>
 <para>The next part of this chapter deals with firewalls.  The
 principle firewall tool for Linux, as of the 2.4 kernel series, is
+<para>The next part of this chapter deals with firewalls.  The principle
+firewall tool for Linux, as of the 2.4 kernel series, is
 <application>iptables</application>.  It replaces
 <application>ipchains</application> from the 2.2 series and
 <application>ipfwadm</application> from the
+.0 series. You will need to install <application>iptables</application> if
 you intend on using any form of a firewall.</para>
+<application>ipfwadm</application> from the 2.0 series. You will need to
+install <application>iptables</application> if you intend on using any form of
+a firewall.</para>
+&iptables-intro;
+&iptables-inst;
+&iptables-exp;
+&iptables-desc;
+<sect2>
+<title>Introduction to <application>iptables</application></title>
+<para>To use a firewall, as well as installing
+<application>iptables</application>, you will need
+to configure the relevant options into your kernel.  This is discussed
+in the next part of this chapter - <xref linkend="postlfs-security-fw-kernel"/>.</para>
+<para>If you intend to use <acronym>IP</acronym>v6 you might consider extending
+the kernel by running <command>make patch-o-matic</command> in the top-level
+directory of the sources of <application>iptables</application>.  If you are
+going to do this, on a freshly untarred kernel, you need to run
+<command>yes "" | make config &amp;&amp; make dep</command> first because
+otherwise the patch-o-matic command is likely to fail while setting up
+some dependencies.</para>
+<para>If you are going to patch the kernel, you need to do it before you
+compile <application>iptables</application>, because during the compilation,
+the kernel source tree is checked (if it is available at <filename
+class="directory">/usr/src/linux-<replaceable>[version]</replaceable>
+</filename>) to see which features are available.  Support will only be compiled
+into <application>iptables</application> for the features recognized at
+compile-time.  Applying a kernel patch may result in errors, often because the
+hooks for the patches have changed or because the runme script doesn't
+recognize that a patch has already been incorporated.</para>
+<para>Note that for most people, patching the kernel is unnecessary.
+With the later 2.4.x kernels, most functionality is already available
+and those who need to patch it are generally those who need a specific
+feature; if you don't know why you need to patch the kernel, you're
+unlikely to need to!</para>
+<sect3><title>Package information</title>
+<itemizedlist spacing='compact'>
+<listitem><para>Download (HTTP): <ulink
+url="&iptables-download-http;"/></para></listitem>
+<listitem><para>Download (FTP): <ulink
+url="&iptables-download-ftp;"/></para></listitem>
+<listitem><para>Download size: &iptables-size;</para></listitem>
+<listitem><para>Estimated Disk space required:
+&iptables-buildsize;</para></listitem>
+<listitem><para>Estimated build time:
+&iptables-time;</para></listitem></itemizedlist>
+</sect3>
+</sect2>
+<sect2>
+<title>Installation of <application>iptables</application></title>
+<para>Install <application>iptables</application> by running the following commands:</para>
+<screen><userinput><command>make PREFIX=/usr LIBDIR=/lib BINDIR=/sbin &amp;&amp;
+make PREFIX=/usr LIBDIR=/lib BINDIR=/sbin install</command></userinput></screen>
+</sect2>
+<sect2>
+<title>Command explanations</title>
+<para><parameter>PREFIX=/usr LIBDIR=/lib BINDIR=/sbin</parameter>: Compiles and installs
+<application>iptables</application> libraries into <filename
+class="directory">/lib</filename>, binaries into <filename
+class="directory">/sbin</filename> and the remainder into the
+<filename class="directory">/usr</filename> hierarchy instead of
+<filename class="directory">/usr/local</filename>. Firewalls are
+generally set during the boot process and <filename
+class="directory">/usr</filename> may not be mounted at that time.</para>
+</sect2>
+<sect2>
+<title>Contents</title>
+<para>The <application>iptables</application> package contains <command>iptables</command>,
+<command>iptables-restore</command>, <command>iptables-save</command>,
+<command>ip6tables</command> and some libraries.</para>
+</sect2>
+<sect2><title>Description</title>
+<sect3><title>iptables</title>
+<para><command>iptables</command> is used to set up, maintain, and inspect the
+tables of <acronym>IP</acronym> packet filter rules in the Linux kernel.</para>
+</sect3>
+<sect3><title>iptables-restore, iptables-save</title>
+<para>These are used to save and to restore your elaborated set of chains and
+rules. Until <application>iptables</application>-1.2.5, they were declared
+experimental.</para>
+</sect3>
+<sect3 id="ip6tables" xreflabel="ip6tables"><title>ip6tables</title>
+<para>This is the same as <command>iptables</command> but for use with
+<acronym>IP</acronym>v6.  As of v1.2.5, it is not as complete as the standard
+<acronym>IP</acronym>v4 version, especially with regard to some of the modules.</para>
+</sect3>
+<sect3><title>libip*.so</title>
+<para>These are various modules (implemented as dynamic libraries) which
+extend the core functionality of <command>iptables</command>.</para>
+</sect3>
+</sect2>
 </sect1>

postlfs/security/linux_pam.xml

-              rf8d632a
+              rb4b71892
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+   "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
+  <!ENTITY % general-entities SYSTEM "../../general.ent">
+  %general-entities;
+  <!ENTITY Linux_PAM-download-http "http://www.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-&Linux_PAM-version;.tar.bz2">
+  <!ENTITY Linux_PAM-download-ftp "ftp://ftp.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-&Linux_PAM-version;.tar.bz2">
+  <!ENTITY Linux_PAM-size      "332 KB">
+  <!ENTITY Linux_PAM-buildsize "4.1 MB">
+  <!ENTITY Linux_PAM-time      "0.07 SBU">
+]>
 <sect1 id="Linux_PAM" xreflabel="Linux-PAM-&Linux_PAM-version;">
 <?dbhtml filename="linux_pam.html"?>
 <title>Linux-PAM-&Linux_PAM-version;</title>
+&Linux_PAM-intro;
+&Linux_PAM-inst;
+&Linux_PAM-exp;
+&Linux_PAM-config;
+&Linux_PAM-desc;
+<sect2>
+<title>Introduction to <application>Linux-<acronym>PAM</acronym></application>
+</title>
+<para>The <application>Linux-<acronym>PAM</acronym></application> package
+contains Pluggable Authentication Modules. This is useful to enable the local
+system administrator to choose how applications authenticate users.</para>
+<sect3><title>Package information</title>
+<itemizedlist spacing='compact'>
+<listitem><para>Download (HTTP): <ulink
+url="&Linux_PAM-download-http;"/></para></listitem>
+<listitem><para>Download (FTP): <ulink
+url="&Linux_PAM-download-ftp;"/></para></listitem>
+<listitem><para>Download size: &Linux_PAM-size;</para></listitem>
+<listitem><para>Estimated Disk space required:
+&Linux_PAM-buildsize;</para></listitem>
+<listitem><para>Estimated build time:
+&Linux_PAM-time;</para></listitem></itemizedlist>
+</sect3>
+<sect3><title>Additional download</title>
+<itemizedlist spacing='compact'>
+<listitem><para>Required patch:
+<ulink url="&patch-root;/Linux-PAM-0.77-linkage-3.patch"/></para></listitem></itemizedlist>
+</sect3>
+<sect3><title><application>Linux-<acronym>PAM</acronym></application> dependencies</title>
+<sect4><title>Optional</title>
+<para><xref linkend="cracklib"/></para></sect4>
+</sect3>
+</sect2>
+<sect2>
+<title>Installation of <application>Linux-<acronym>PAM</acronym></application>
+</title>
+<para>Install <application>Linux-<acronym>PAM</acronym></application> by
+running the following commands:</para>
+<screen><userinput><command>patch -Np1 -i ../Linux-PAM-0.77-linkage-3.patch &amp;&amp;
+autoconf &amp;&amp;
+./configure --enable-static-libpam --with-mailspool=/var/mail \
+    --enable-read-both-confs --sysconfdir=/etc &amp;&amp;
+make &amp;&amp;
+make install &amp;&amp;
+mv /lib/libpam.a /lib/libpam_misc.a /lib/libpamc.a /usr/lib &amp;&amp;
+ln -sf ../../lib/libpam.so.&Linux_PAM-version; /usr/lib/libpam.so &amp;&amp;
+ln -sf ../../lib/libpam_misc.so.&Linux_PAM-version; /usr/lib/libpam_misc.so &amp;&amp;
+ln -sf ../../lib/libpamc.so.&Linux_PAM-version; /usr/lib/libpamc.so</command></userinput></screen>
+</sect2>
+<sect2>
+<title>Command explanations</title>
+<para><command>autoconf</command>:  This is necessary as in the patch, we
+change where <acronym>PAM</acronym> looks for the cracklib libs.  This
+requires that the configure script be recreated.</para>
+<para><option>--enable-static-libpam</option>: This switch builds
+static <acronym>PAM</acronym> libraries as well as the dynamic libraries.</para>
+<para><parameter>--with-mailspool=/var/mail</parameter>: This switch makes
+the mailspool directory <acronym>FHS</acronym> compliant.</para>
+<para><option>--enable-read-both-confs</option>: This switch lets the local
+administrator choose which configuration file setup to use.</para>
+<para><command>mv /lib/libpam.a /lib/libpam_misc.a /lib/libpamc.a
+/usr/lib</command>: This command moves the static libraries to
+<filename>/usr/lib</filename> to comply with <acronym>FHS</acronym>.</para>
+</sect2>
+<sect2>
+<title>Configuring <application>Linux-<acronym>PAM</acronym></application>
+</title>
+<sect3><title>Config files</title>
+<para><filename>/etc/pam.d</filename> or <filename>/etc/pam.conf</filename>
+</para></sect3>
+<sect3><title>Configuration Information</title>
+<para>Configuration information is placed in <filename>/etc/pam.d</filename> or
+<filename>/etc/pam.conf</filename> depending on user preference.  Below are
+example files of each type:</para>
+<screen># Begin /etc/pam.d/other
+auth            required        pam_unix.so     nullok
+account         required        pam_unix.so
+session         required        pam_unix.so
+password        required        pam_unix.so     nullok
+# End /etc/pam.d/other
+# Begin /etc/pam.conf
+other           auth            required        pam_unix.so     nullok
+other           account         required        pam_unix.so
+other           session         required        pam_unix.so
+other           password        required        pam_unix.so     nullok
+# End /etc/pam.conf</screen>
+<para>The <application><acronym>PAM</acronym></application> man page
+(<command>man pam</command>) provides a good starting point for descriptions
+of fields and allowable entries.  The
+<ulink url="http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html">
+Linux-PAM guide for system administrators</ulink>
+is recommended for further reading.</para>
+<para>Refer to <ulink url="http://www.kernel.org/pub/linux/libs/pam/modules.html"/>
+for a list of various modules available.</para>
+</sect3>
+</sect2>
+<sect2>
+<title>Contents</title>
+<para>The <application>Linux-<acronym>PAM</acronym></application> package
+contains <command>unix-chkpwd</command> and <filename
+class="libraryfile">libpam</filename>
+libraries.</para>
+</sect2>
+<sect2><title>Description</title>
+<sect3><title>unix-chkpwd</title>
+<para>No description available.</para></sect3>
+<sect3><title>libpam libraries</title>
+<para><filename class="libraryfile">libpam</filename> libraries provide the interfaces between
+applications and the modules included with <acronym>PAM</acronym>.</para></sect3>
+</sect2>
 </sect1>

postlfs/security/mitkrb.xml

-              rf8d632a
+              rb4b71892
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+   "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
+  <!ENTITY % general-entities SYSTEM "../../general.ent">
+  %general-entities;
+  <!ENTITY mitkrb-download-http "http://web.mit.edu/kerberos/www/dist/krb5/1.3/krb5-&mitkrb-version;.tar">
+  <!ENTITY mitkrb-download-ftp " ">
+  <!ENTITY mitkrb-size "6.2 MB">
+  <!ENTITY mitkrb-buildsize "137.4 MB">
+  <!ENTITY mitkrb-time "2.55 SBU">
+]>
 <sect1 id="mitkrb" xreflabel="MIT krb5-&mitkrb-version;">
 <?dbhtml filename="mitkrb.html"?>
 <title>MIT krb5-&mitkrb-version;</title>
+&mitkrb-intro;
+&mitkrb-inst;
+&mitkrb-exp;
+&mitkrb-config;
+&mitkrb-desc;
+<sect2>
+<title>Introduction to <application><acronym>MIT</acronym> krb5</application></title>
+<para>
+<application>MIT krb5</application> is a free implementation of Kerberos
+. Kerberos is a network authentication protocol. It centralizes the
+authentication database and uses kerberized applications to work with
+servers or services that support Kerberos allowing single logins and
+encrypted communication over internal networks or the Internet.</para>
+<sect3><title>Package information</title>
+<itemizedlist spacing='compact'>
+<listitem><para>Download (HTTP): <ulink url="&mitkrb-download-http;"/></para></listitem>
+<listitem><para>Download (FTP): <ulink url="&mitkrb-download-ftp;"/></para></listitem>
+<listitem><para>Download size: &mitkrb-size;</para></listitem>
+<listitem><para>Estimated Disk space required: &mitkrb-buildsize;</para></listitem>
+<listitem><para>Estimated build time: &mitkrb-time;</para></listitem></itemizedlist>
+</sect3>
+<sect3><title><application><acronym>MIT</acronym> krb5</application> dependencies</title>
+<sect4><title>Optional</title>
+<para>
+<xref linkend="xinetd"/> (services servers only),
+<xref linkend="Linux_PAM"/> (for xdm based logins) and
+<xref linkend="openldap"/> (alternative for krb5kdc password database)
+</para>
+<note><para>
+Some sort of time synchronization facility on your system (like <xref
+linkend="ntp"/>) is required since Kerberos won't authenticate if there
+is a time difference between a kerberized client and the
+<acronym>KDC</acronym> server.</para></note>
+</sect4>
+</sect3>
+</sect2>
+<sect2>
+<title>Installation of <application>MIT krb5</application></title>
+<para>Install <application>MIT krb5</application> by running the following commands:</para>
+<screen><userinput><command>./configure --prefix=/usr --sysconfdir=/etc \
+    --localstatedir=/var/lib --enable-dns --enable-shared --mandir=/usr/share/man &amp;&amp;
+make &amp;&amp;
+make install &amp;&amp;
+mv /bin/login /bin/login.shadow &amp;&amp;
+cp /usr/sbin/login.krb5 /bin/login &amp;&amp;
+mv /usr/bin/ksu /bin &amp;&amp;
+mv /usr/lib/libkrb5.so.3* /lib &amp;&amp;
+mv /usr/lib/libkrb4.so.2* /lib &amp;&amp;
+mv /usr/lib/libdes425.so.3* /lib &amp;&amp;
+mv /usr/lib/libk5crypto.so.3* /lib &amp;&amp;
+mv /usr/lib/libcom_err.so.3* /lib &amp;&amp;
+ln -sf ../../lib/libkrb5.so /usr/lib &amp;&amp;
+ln -sf ../../lib/libkrb4.so /usr/lib &amp;&amp;
+ln -sf ../../lib/libdes425.so /usr/lib &amp;&amp;
+ln -sf ../../lib/libk5crypto.so /usr/lib &amp;&amp;
+ln -sf ../../lib/libcom_err.so /usr/lib &amp;&amp;
+ldconfig</command></userinput></screen>
+</sect2>
+<sect2>
+<title>Command explanations</title>
+<para><parameter>--enable-dns</parameter>: This switch allows realms to
+be resolved using the <acronym>DNS</acronym> server.</para>
+<para><screen><command>mv /bin/login /bin/login.shadow
+cp /usr/sbin/login.krb5 /bin/login
+mv /usr/bin/ksu /bin</command></screen>
+Preserves <application>Shadow</application>'s <command>login</command>
+command, moves <command>ksu</command> and <command>login</command> to
+the <filename class="directory">/bin</filename> directory.</para>
+<para><screen><command>mv /usr/lib/libkrb5.so.3* /lib
+mv /usr/lib/libkrb4.so.2* /lib
+mv /usr/lib/libdes425.so.3* /lib
+mv /usr/lib/libk5crypto.so.3* /lib
+mv /usr/lib/libcom_err.so.3* /lib
+ln -sf ../../lib/libkrb5.so /usr/lib
+ln -sf ../../lib/libkrb4.so /usr/lib
+ln -sf ../../lib/libdes425.so /usr/lib
+ln -sf ../../lib/libk5crypto.so /usr/lib
+ln -sf ../../lib/libcom_err.so /usr/lib</command></screen>
+The <command>login</command> and <command>ksu</command> programs
+are linked against these libraries, therefore we move these libraries to
+<filename class="directory">/lib</filename> to allow logins without mounting <filename class="directory">/usr</filename>.</para>
+</sect2>
+<sect2>
+<title>Configuring <application><acronym>MIT</acronym> krb5</application></title>
+<sect3><title>Config files</title>
+<para><filename>/etc/krb5.conf</filename> and
+<filename>/var/lib/krb5kdc/kdc.conf</filename></para>
+</sect3>
+<sect3><title>Configuration Information</title>
+<sect4><title>Kerberos Configuration</title>
+<para>
+Create the Kerberos configuration file with the following command:
+</para>
+<screen><userinput><command>cat &gt; /etc/krb5.conf &lt;&lt; "EOF"</command>
+# Begin /etc/krb5.conf
+[libdefaults]
+    default_realm = <replaceable>[LFS.ORG]</replaceable>
+    encrypt = true
+[realms]
+    <replaceable>[LFS.ORG]</replaceable> = {
+        kdc = <replaceable>[belgarath.lfs.org]</replaceable>
+        admin_server = <replaceable>[belgarath.lfs.org]</replaceable>
+    }
+[domain_realm]
+    .<replaceable>[lfs.org]</replaceable> = <replaceable>[LFS.ORG]</replaceable>
+[logging]
+    kdc = SYSLOG[:INFO[:AUTH]]
+    admin_server = SYSLOG[INFO[:AUTH]]
+    default = SYSLOG[[:SYS]]
+# End /etc/krb5.conf
+<command>EOF</command></userinput></screen>
+<para>
+You will need to substitute your domain and proper hostname for the
+occurances of the belgarath and lfs.org names.
+</para>
+<para>
+<userinput>default_realm</userinput> should be the name of your domain changed to ALL CAPS.
+This isn't required, but both Heimdal and <acronym>MIT</acronym>
+recommend it.
+</para>
+<para>
+<userinput>encrypt = true</userinput> provides encryption of all traffic between kerberized
+clients and servers. It's not necessary and can be left off. If you
+leave it off, you can encrypt all traffic from the client to the server
+using a switch on the client program instead.
+</para>
+<para>
+The <userinput>[realms]</userinput> parameters tell the client programs where to look for the
+<acronym>KDC</acronym> authentication services.
+</para>
+<para>
+The <userinput>[domain_realm]</userinput> section maps a domain to a realm.
+</para>
+<para>
+Create the <acronym>KDC</acronym> database:
+</para>
+<screen><userinput><command>kdb5_util create -r <replaceable>[LFS.ORG]</replaceable> -s </command></userinput></screen>
+<para>
+Now we need to populate the database with principles (users). For now,
+just use your regular login name or root.
+</para>
+<screen><userinput><command>kadmin.local</command></userinput>
+<prompt>kadmin:</prompt><userinput><command>addprinc <replaceable>[loginname]</replaceable></command></userinput></screen>
+<para>
+The <acronym>KDC</acronym> server and any machine running kerberized
+server daemons must have a host key installed:
+</para>
+<screen><prompt>kadmin:</prompt><userinput><command>addprinc --randkey host/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
+<para>
+After choosing the defaults when prompted, you will have to export the
+data to a keytab file:
+</para>
+<screen><prompt>kadmin:</prompt><userinput><command>ktadd host/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
+<para>
+This should have created a file in
+<filename class="directory">/etc</filename> named
+<filename>krb5.keytab</filename> (Kerberos 5). This file should have 600
+(root rw only) permissions. Keeping the keytab files from public access
+is crucial to the overall security of the Kerberos installation.
+</para>
+<para>
+Eventually, you'll want to add server daemon principles to the database
+and extract them to the keytab file. You do this in the same way you
+created the host principles. Below is an example:
+</para>
+<screen><prompt>kadmin:</prompt><userinput><command>addprinc --randkey ftp/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput>
+<prompt>kadmin:</prompt><userinput><command>ktadd ftp/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
+<para>
+Exit the <command>kadmin</command> program (use <command>quit</command>
+or <command>exit</command>) and return back to the shell prompt. Start
+the <acronym>KDC</acronym> daemon manually, just to test out the
+installation:
+</para>
+<screen><userinput><command>/usr/sbin/krb5kdc &amp;</command></userinput></screen>
+<para>
+Attempt to get a ticket with the following command:
+</para>
+<screen><userinput><command>kinit <replaceable>[loginname]</replaceable></command></userinput></screen>
+<para>
+You will be prompted for the password you created. After you get your
+ticket, you can list it with the following command:
+</para>
+<screen><userinput><command>klist</command></userinput></screen>
+<para>
+Information about the ticket should be displayed on the screen.
+</para>
+<para>
+To test the functionality of the keytab file, issue the following
+command:
+</para>
+<screen><userinput><command>ktutil</command></userinput>
+<prompt>ktutil:</prompt><userinput><command>rkt /etc/krb5.keytab</command></userinput>
+<prompt>ktutil:</prompt><userinput><command>l</command></userinput></screen>
+<para>
+This should dump a list of the host principal, along with the encryption
+methods used to access the principal.
+</para>
+<para>
+At this point, if everything has been successful so far, you can feel
+fairly confident in the installation and configuration of the package.
+</para>
+<para>Install the <filename>/etc/rc.d/init.d/kerberos</filename> init script
+included in the <xref linkend="intro-important-bootscripts"/>
+package.</para>
+<screen><userinput><command>make install-kerberos</command></userinput></screen>
+</sect4>
+<sect4><title>Using Kerberized Client Programs</title>
+<para>
+To use the kerberized client programs (<command>telnet</command>,
+<command>ftp</command>, <command>rsh</command>,
+<command>rcp</command>, <command>rlogin</command>), you first must get
+an authentication ticket. Use the <command>kinit</command> program to
+get the ticket. After you've acquired the ticket, you can use the
+kerberized programs to connect to any kerberized server on the network.
+You will not be prompted for authentication until your ticket expires
+(default is one day), unless you specify a different user as a command
+line argument to the program.
+</para>
+<para>
+The kerberized programs will connect to non kerberized daemons, warning
+you that authentication is not encrypted.</para></sect4>
+<sect4><title>Using Kerberized Server Programs</title>
+<para>Using kerberized server programs (<command>telnetd</command>,
+<command>kpropd</command>,
+<command>klogind</command> and <command>kshd</command>) requires two additional configuration steps.
+First the <filename>/etc/services</filename> file must be updated to
+include  eklogin and krb5_prop. Second, the
+<filename>inetd.conf</filename> or <filename>xinetd.conf</filename> must
+be modified for each server that will be activated, usually replacing
+the server from <application>inetutils</application>.</para></sect4>
+<sect4><title>Additional Information</title>
+<para>
+For additional information consult <ulink
+url="http://web.mit.edu/kerberos/www/krb5-1.3/#documentation">Documentation
+for krb-&mitkrb-version;</ulink> on which the above instructions are based.
+</para>
+</sect4>
+</sect3>
+</sect2>
+<sect2>
+<title>Contents</title>
+<para>The <application>MIT krb5</application> package contains
+<command>compile-et</command>,
+<command>ftp</command>,
+<command>ftpd</command>,
+<command>gss-client</command>,
+<command>gss-server</command>,
+<command>k5srvutil</command>,
+<command>kadmin</command>,
+<command>kadmin.local</command>,
+<command>kadmind</command>,
+<command>kadmind4</command>,
+<command>kdb5_util</command>
+<command>kdestroy</command>,
+<command>kinit</command>,
+<command>klist</command>,
+<command>klogind</command>,
+<command>kpasswd</command>,
+<command>kprop</command>,
+<command>kpropd</command>,
+<command>krb5-send-pr</command>,
+<command>krb5-config</command>,
+<command>krb524d</command>,
+<command>krb524init</command>,
+<command>krb5kdc</command>,
+<command>kshd</command>,
+<command>ksu</command>,
+<command>ktutil</command>,
+<command>kvno</command>,
+<command>login.krb5</command>,
+<command>rcp</command>,
+<command>rlogin</command>,
+<command>rsh</command>,
+<command>rshd</command>,
+<command>rxtelnet</command>,
+<command>rxterm</command>,
+<command>sclient</command>,
+<command>sim_client</command>,
+<command>sim_server</command>,
+<command>sserver</command>,
+<command>telnet</command>,
+<command>telnetd</command>,
+<command>uuclient</command>,
+<command>uuserver</command>,
+<command>v5passwd</command>,
+<command>v5passwdd</command>,
+<filename class="libraryfile">libcom_err</filename>,
+<filename class="libraryfile">libdes425</filename>,
+<filename class="libraryfile">libgssapi</filename>,
+<filename class="libraryfile">libgssrpc</filename>,
+<filename class="libraryfile">lib5crypto</filename>,
+<filename class="libraryfile">libkadm5clnt</filename>,
+<filename class="libraryfile">libkadm5srv</filename>,
+<filename class="libraryfile">libkdb5</filename>,
+<filename class="libraryfile">libkrb4</filename>,
+<filename class="libraryfile">libkrb5</filename>.</para>
+</sect2>
+<sect2><title>Description</title>
+<sect3><title>compile_et</title>
+<para><command>compile_et</command> converts the table listing
+error-code names into a <application>C</application> source file.</para></sect3>
+<sect3><title>k5srvutil</title>
+<para><command>k5srvutil</command> is a host keytable manipulation
+utility.</para></sect3>
+<sect3><title>kadmin</title>
+<para><command>kadmin</command> is an utility used to make modifications
+to the Kerberos database.</para></sect3>
+<sect3><title>kadmind</title>
+<para><command>kadmind</command> is a server for administrative access
+to Kerberos database.</para></sect3>
+<sect3><title>kinit</title>
+<para><command>kinit</command> is used to
+authenticate to the Kerberos server as principal and acquire a ticket
+granting ticket that can later be used to obtain tickets for other
+services.</para></sect3>
+<sect3><title>krb5kdc</title>
+<para><command>kdc</command> is a Kerberos 5 server.</para></sect3>
+<sect3><title>kdestroy</title>
+<para><command>kdestroy</command> removes the current set of
+tickets.</para></sect3>
+<sect3><title>kdb5_util</title>
+<para><command>kdb5_util</command> is the <acronym>KDC</acronym>
+database utility.</para></sect3>
+<sect3><title>klist</title>
+<para><command>klist</command> reads and displays the current tickets in
+the credential cache.</para></sect3>
+<sect3><title>klogind</title>
+<para><command>klogind</command> is the server that responds to rlogin
+requests.</para></sect3>
+<sect3><title>kpasswd</title>
+<para><command>kpasswd</command> is a program for changing Kerberos 5
+passwords.</para></sect3>
+<sect3><title>kprop</title>
+<para><command>kprop</command> takes a principal database in a specified
+format and converts it into a stream of database
+records.</para></sect3>
+<sect3><title>kpropd</title>
+<para><command>kpropd</command> receives a database sent by
+<command>hprop</command> and writes it as a local
+database.</para></sect3>
+<sect3><title>krb5-config</title>
+<para><command>krb5-config</command> gives information on how to link
+programs against libraries.</para></sect3>
+<sect3><title>ksu</title>
+<para><command>ksu</command> is the super user program using Kerberos
+protocol. Requires a properly configured
+<filename>/etc/shells</filename> and <filename>~/.k5login</filename>
+containing principals authorized to become super users.</para></sect3>
+<sect3><title>ktutil</title>
+<para><command>ktutil</command> is a program for managing Kerberos
+keytabs.</para></sect3>
+<sect3><title>kvno</title>
+<para><command>kvno</command> prints keyversion numbers of Kerberos
+principals.</para></sect3>
+</sect2>
 </sect1>

postlfs/security/security.xml

-              rf8d632a
+              rb4b71892
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+   "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
+  <!ENTITY % general-entities SYSTEM "../../general.ent">
+  %general-entities;
+]>
 <chapter id="postlfs-security">
 <?dbhtml filename="security.html"?>
 …
 "signatures" and compares for files that have been changed.</para>
+&cracklib;
+&Linux_PAM;
+&shadow;
+&iptables;
+&postlfs-security-fw;
+&gnupg;
+&tripwire;
+&heimdal;
+&mitkrb;
+<!--&postlfs-security-syslog;-->
+<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="cracklib.xml"/>
+<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="linux_pam.xml"/>
+<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="shadow.xml"/>
+<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="iptables.xml"/>
+<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="firewalling.xml"/>
+<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="gnupg.xml"/>
+<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="tripwire.xml"/>
+<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="heimdal.xml"/>
+<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="mitkrb.xml"/>
 </chapter>

postlfs/security/shadow.xml

-              rf8d632a
+              rb4b71892
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+   "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
+  <!ENTITY % general-entities SYSTEM "../../general.ent">
+  %general-entities;
+]>
 <sect1 id="shadow">
 <?dbhtml filename="shadow.html"?>
 …
 </sect2>
 -->
+&shadow-intro;
+&shadow-inst;
+&shadow-exp;
+&shadow-config;
+<sect2>
+<title>Introduction to <application>Shadow</application></title>
+<para>Shadow was indeed installed in <acronym>LFS</acronym> and there is
+no reason to reinstall it unless you installed
+<application>Linux-<acronym>PAM</acronym></application>.  If you did,
+this will allow programs like <command>login</command> and
+<command>su</command> to utilize
+<acronym>PAM</acronym>.</para>
+<sect3><title>Additional downloads</title>
+<itemizedlist spacing='compact'>
+<listitem><para>Patch to fix linking against PAM:
+<ulink url="&patch-root;/shadow-&shadow-version;-pam-1.patch"/></para></listitem>
+</itemizedlist>
+</sect3>
+<sect3><title><application>Shadow</application> dependencies</title>
+<sect4><title>Required</title>
+<para><xref linkend="Linux_PAM"/></para></sect4>
+</sect3>
+</sect2>
+<sect2>
+<title>Installation of <application>shadow</application></title>
+<para>Reinstall shadow by running the following commands:</para>
+<screen><userinput><command>patch -Np1 -i ../shadow-&shadow-version;-pam-1.patch &amp;&amp;
+LIBS="-lpam -lpam_misc" ./configure --libdir=/usr/lib \
+    --enable-shared --with-libpam --without-libcrack &amp;&amp;
+echo '#define HAVE_SETLOCALE 1' >> config.h &amp;&amp;
+make &amp;&amp;
+make install &amp;&amp;
+mv /bin/sg /usr/bin &amp;&amp;
+mv /bin/vigr /usr/sbin &amp;&amp;
+rm /bin/groups &amp;&amp;
+mv /usr/lib/lib{misc,shadow}.so.0* /lib &amp;&amp;
+ln -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so &amp;&amp;
+ln -sf ../../lib/libmisc.so.0 /usr/lib/libmisc.so</command></userinput></screen>
+</sect2>
+<sect2>
+<title>Command explanations</title>
+<para><parameter>--without-libcrack</parameter>: This switch tells shadow
+not to use libcrack. This is desired as
+<application>Linux-<acronym>PAM</acronym></application> already
+contains libcrack.</para>
+<!--  Leftover from older instructions????
+<para><command>cp debian/securetty /etc/securetty</command>: This
+command sets the tty's that allow logins through <acronym>PAM</acronym>.</para>
+-->
+</sect2>
+<sect2>
+<title>Configuring <application><acronym>PAM</acronym></application> to work
+with <application>shadow</application></title>
+<sect3><title>Config files</title>
+<para><filename>/etc/pam.d/login</filename>,
+<filename>/etc/pam.d/passwd</filename>,
+<filename>/etc/pam.d/su</filename>,
+<filename>/etc/pam.d/shadow</filename>, and
+<filename>/etc/pam.d/useradd</filename></para>
+</sect3>
+<sect3><title>Configuration Information</title>
+<para>Add the following <application><acronym>PAM</acronym></application>
+configuration files to <filename class="directory">/etc/pam.d</filename> (or add them to
+<filename>/etc/pam.conf</filename> with the additional field for the program).
+</para>
+<screen><userinput><command>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"</command>
+# Begin /etc/pam.d/login
+auth        requisite      pam_securetty.so
+auth        requisite      pam_nologin.so
+auth        required       pam_env.so
+auth        required       pam_unix.so
+account     required       pam_access.so
+account     required       pam_unix.so
+session     required       pam_motd.so
+session     required       pam_limits.so
+session     optional       pam_mail.so     dir=/var/mail standard
+session     optional       pam_lastlog.so
+session     required       pam_unix.so
+# End /etc/pam.d/login
+<command>EOF
+cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"</command>
+# Begin /etc/pam.d/passwd
+password    required       pam_unix.so     md5 shadow
+# End /etc/pam.d/passwd
+<command>EOF
+cat &gt; /etc/pam.d/shadow &lt;&lt; "EOF"</command>
+# Begin /etc/pam.d/shadow
+auth        sufficient      pam_rootok.so
+auth        required        pam_unix.so
+account     required        pam_unix.so
+session     required        pam_unix.so
+password    required        pam_permit.so
+# End /etc/pam.d/shadow
+<command>EOF
+cat &gt; /etc/pam.d/su &lt;&lt; "EOF"</command>
+# Begin /etc/pam.d/su
+auth        sufficient      pam_rootok.so
+auth        required        pam_unix.so
+account     required        pam_unix.so
+session     required        pam_unix.so
+# End /etc/pam.d/su
+<command>EOF
+cat &gt; /etc/pam.d/useradd &lt;&lt; "EOF"</command>
+# Begin /etc/pam.d/useradd
+auth        sufficient      pam_rootok.so
+auth        required        pam_unix.so
+account     required        pam_unix.so
+session     required        pam_unix.so
+password    required        pam_permit.so
+# End /etc/pam.d/useradd
+<command>EOF
+cat &gt; /etc/pam.d/chage &lt;&lt; "EOF"</command>
+# Begin /etc/pam.d/chage
+auth        sufficient      pam_rootok.so
+auth        required        pam_unix.so
+account     required        pam_unix.so
+session     required        pam_unix.so
+password    required        pam_permit.so
+# End /etc/pam.d/chage
+<command>EOF</command></userinput></screen>
+<para>Currently, <filename>/etc/pam.d/other</filename> is configured to
+allow anyone with an account on the machine to use programs
+that do not specifically have a configuration file of their own. After
+testing <application><acronym>PAM</acronym></application> for proper
+configuration, it can be changed to the following:</para>
+<screen><userinput><command>cat &gt; /etc/pam.d/other &lt;&lt; "EOF"</command>
+# Begin /etc/pam.d/other
+auth        required        pam_deny.so
+auth        required        pam_warn.so
+account     required        pam_deny.so
+session     required        pam_deny.so
+password    required        pam_deny.so
+password    required        pam_warn.so
+# End /etc/pam.d/other
+<command>EOF</command></userinput></screen>
+<para>Finally, edit <filename>/etc/login.defs</filename> by adding '#'
+to the beginning of the following lines:</para>
+<screen>LASTLOG_ENAB
+MAIL_CHECK_ENAB
+PORTTIME_CHECKS_ENAB
+CONSOLE
+MOTD_FILE
+NOLOGINS_FILE
+PASS_MIN_LEN
+SU_WHEEL_ONLY
+MD5_CRYPT_ENAB
+CONSOLE_GROUPS
+ENVIRON_FILE</screen>
+<para>This stops <command>login</command> from performing these functions, as
+they will now be performed by <acronym>PAM</acronym> modules.</para>
+</sect3>
+</sect2>
 </sect1>

postlfs/security/tripwire.xml

-              rf8d632a
+              rb4b71892
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+   "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
+  <!ENTITY % general-entities SYSTEM "../../general.ent">
+  %general-entities;
+  <!ENTITY tripwire-download-http "http://prdownloads.sourceforge.net/tripwire/tripwire-&tripwire-version;.tar.gz">
+  <!ENTITY tripwire-download-ftp  "ftp://ftp.fu-berlin.de/unix/security/tripwire/tripwire-&tripwire-version;.tar.gz">
+  <!ENTITY tripwire-size          "1.4 MB">
+  <!ENTITY tripwire-buildsize     "63 MB">
+  <!ENTITY tripwire-time          "2.35 SBU">
+]>
 <sect1 id="tripwire" xreflabel="Tripwire-&tripwire-version;">
 <?dbhtml filename="tripwire.html"?>
 <title>Tripwire-&tripwire-version;</title>
+&tripwire-intro;
+&tripwire-inst;
+&tripwire-exp;
+&tripwire-config;
+&tripwire-desc;
+<sect2>
+<title>Introduction to <application>Tripwire</application></title>
+<para>The <application>Tripwire</application> package contains the programs
+used by <application>Tripwire</application> to verify the integrity of the
+files on a given system.</para>
+<sect3><title>Package information</title>
+<itemizedlist spacing='compact'>
+<listitem><para>Download (HTTP): <ulink
+url="&tripwire-download-http;"/></para></listitem>
+<listitem><para>Download (FTP): <ulink
+url="&tripwire-download-ftp;"/></para></listitem>
+<listitem><para>Download size: &tripwire-size;</para></listitem>
+<listitem><para>Estimated Disk space required:
+&tripwire-buildsize;</para></listitem>
+<listitem><para>Estimated build time:
+&tripwire-time;</para></listitem></itemizedlist>
+</sect3>
+<sect3><title>Additional downloads</title>
+<itemizedlist spacing='compact'>
+<listitem><para>Required patch to fix multiple build issues (see patch for more information):
+<ulink url="&patch-root;/tripwire-&tripwire-version;-gcc3-build-fixes.patch"/></para></listitem>
+</itemizedlist>
+</sect3>
+<sect3><title><application>Shadow</application> dependencies</title>
+<sect4><title>Optional</title>
+<para>MTA (See <xref linkend="server-mail"/>)</para></sect4>
+</sect3>
+</sect2>
+<sect2>
+<title>Installation of <application>Tripwire</application></title>
+<para>Compile <application>Tripwire</application> by running the following
+commands:</para>
+<screen><userinput><command>patch -Np1 -i ../tripwire-&tripwire-version;-gcc3-build-fixes.patch &amp;&amp;
+make -C src release &amp;&amp;
+cp install/install.{sh,cfg} .</command></userinput></screen>
+<para>The default configuration is to use a local MTA. If you don't have
+a MTA installed and have no wish to install one, modify the
+<filename>install.cfg</filename> to use an SMTP server instead.
+Install <application>Tripwire</application> by running the following
+commands:</para>
+<screen><userinput><command>./install.sh &amp;&amp;
+cp /etc/tripwire/tw.cfg /usr/sbin &amp;&amp;
+cp policy/*.txt /usr/share/doc/tripwire</command></userinput></screen>
+</sect2>
+<sect2>
+<title>Command explanations</title>
+<para><command>make release</command>: This command creates the
+<application>Tripwire</application> binaries.</para>
+<para><command>cp install.{sh,cfg} .</command>: These are copied to the main
+<application>Tripwire</application> directory so that the script can be used to
+install the package.</para>
+<para><command>cp policy/*.txt /usr/share/doc/tripwire</command>: This command
+installs the documentation.</para>
+</sect2>
+<sect2>
+<title>Configuring <application>Tripwire</application></title>
+<sect3><title>Config files</title>
+<para><filename class="directory">/etc/tripwire</filename></para>
+</sect3>
+<sect3><title>Configuration Information</title>
+<para><application>Tripwire</application> uses a policy file to determine which
+files integrity are checked. The default policy file (<filename>twpol.txt
+</filename> found in <filename class="directory">/etc/tripwire/</filename>) is for a default
+installation of Redhat 7.0 and is woefully outdated.</para>
+<para>Policy files are also a custom thing and should be tailored to each
+individual distribution and/or installation. Some custom policy files can be
+found below: </para>
+<screen><ulink url="http://home.iprimus.com.au/glombowski/blfs/twpol-all.txt">http://home.iprimus.com.au/glombowski/blfs/twpol-all.txt</ulink>
+Checks integrity of all files
+<ulink url="http://home.iprimus.com.au/glombowski/blfs/twpol-lfs.txt">http://home.iprimus.com.au/glombowski/blfs/twpol-lfs.txt</ulink>
+Custom policy file for Base LFS 3.0 system
+<ulink url="http://home.iprimus.com.au/glombowski/blfs/twpol-suse7.2.txt">http://home.iprimus.com.au/glombowski/blfs/twpol-suse7.2.txt</ulink>
+Custom policy file for SuSE 7.2 system</screen>
+<para>Download the custom policy file you'd like to try, copy it into
+<filename class="directory">/etc/tripwire/</filename>, and use it instead of
+<filename>twpol.txt</filename>. It is, however, recommended that you make your own policy file.
+Get ideas from the examples above and read <filename>
+/usr/share/doc/tripwire/policyguide.txt</filename>. <filename>twpol.txt
+</filename> is a good policy file for beginners as it will note any changes to
+the file system and can even be used as an annoying way of keeping track of
+changes for uninstallation of software.</para>
+<para>After your policy file has been transferred to <filename
+class="directory">/etc/tripwire/</filename> you may begin the configuration steps:</para>
+<screen><userinput><command>twadmin -m P /etc/tripwire/twpol.txt &amp;&amp;
+tripwire -m i</command></userinput></screen>
+<para>During installation <application>Tripwire</application> will create two
+(2) keys: a site key and a local key which will be stored in <filename
+class="directory">/etc/tripwire/</filename>.</para>
+</sect3>
+<sect3><title>Usage Information</title>
+<para>To use <application>Tripwire</application> after this and run a report,
+use the following command:</para>
+<screen><userinput><command>tripwire -m c &gt; /etc/tripwire/report.txt</command></userinput></screen>
+<para>View the output to check the integrity of your files. An automatic
+integrity report can be produced by using a cron facility to schedule
+the runs. </para>
+<para>Please note that after you run an integrity check, you must check
+the report or email and then modify the
+<application>Tripwire</application> database of the files
+on your system so that <application>Tripwire</application> will not continually notify you that
+files you intentionally changed are a security violation. To do this you
+must first <command>ls -l /var/lib/tripwire/report/</command> and note
+the name of the newest file which starts with <filename>linux-</filename> and
+ends in <filename>.twr</filename>. This encrypted file was created during the
+last report creation and is needed to update the
+<application>Tripwire</application> database of your
+system. Then, type in the following command making the appropriate
+substitutions for '?':</para>
+<screen><userinput><command>tripwire -m u -r /var/lib/tripwire/report/linux-???????-??????.twr </command></userinput></screen>
+<para>You will be placed into vim with a copy of the report in front of you. If
+all the changes were good, then just type <command>:x</command> and after
+entering your local key, the database will be updated. If there are files which
+you still want to be warned about, please remove the x before the filename in
+the report and type <command>:x</command>. </para>
+</sect3>
+<sect3><title>Changing the Policy File</title>
+<para>If you are unhappy with your policy file and would like to modify it or
+use a new one, modify the policy file and then execute the following
+commands:</para>
+<screen><userinput><command>twadmin -m P /etc/tripwire/twpol.txt &amp;&amp;
+tripwire -m i</command></userinput></screen>
+</sect3>
+</sect2>
+<sect2>
+<title>Contents</title>
+<para>The <application>Tripwire</application> package contains <command>siggen
+</command>,
+<command>tripwire</command>, <command>twadmin</command>
+and <command>twprint</command>.</para>
+</sect2>
 </sect1>

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset b4b71892

Legend:

Download in other formats: