glfs/postlfs/security/security.xml

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;
]>

<!--
$LastChangedBy$
$Date$
-->

<chapter id="postlfs-security">
  <?dbhtml filename="security.html"?>

  <title>Security</title>

  <para>
    Security takes many forms in a computing environment. After some
    initial discussion, this chapter
    gives examples of three different types of security: access, prevention
    and detection.
  </para>

  <para>
    Access for users is usually handled by <command>login</command> or an
    application designed to handle the login function. In this chapter, we show
    how to enhance <command>login</command> by setting policies with
    <application>PAM</application> modules.  Access via networks can also be
    secured by policies set by <application>iptables</application>, commonly
    referred to as a firewall. The Network Security Services (NSS) and
    Netscape Portable Runtime (NSPR) libraries can be installed and shared
    among the many applications requiring them. For applications that don't
    offer the best security, you can use the
    <application>Stunnel</application> package to wrap an application daemon
    inside an SSL tunnel.
  </para>

  <para>
    Prevention of breaches, like a trojan, are assisted by applications like
    <application>GnuPG</application>, specifically the ability to confirm
    signed packages, which recognizes modifications of the tarball
    after the packager creates it.
  </para>

  <para>
    Finally, we touch on detection with a package that stores "signatures"
    of critical files (defined by the administrator) and then regenerates those
    "signatures" and compares for files that have been changed.
  </para>

  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="vulnerabilities.xml"/>
  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="make-ca.xml"/>

  <!-- sysv only -->
  <!--<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="consolekit.xml"/>-->

  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="cracklib.xml"/>
  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="cryptsetup.xml"/>
  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="cyrus-sasl.xml"/>
  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="gnupg2.xml"/>
  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="gnutls.xml"/>
  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="gpgme.xml"/>
  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="haveged.xml"/>
<!-- Leave in alphabetical order of now -->
  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="iptables.xml"/>
  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="firewalling.xml"/>

  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="libcap.xml"/>
  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="linux-pam.xml"/>

  <!-- systemd only -->
  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="liboauth.xml"/>

  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="libpwquality.xml"/>
  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="mitkrb.xml"/>
  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="nettle.xml"/>
  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="nss.xml"/>
  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="openssh.xml"/>
<!-- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="openssl.xml"/> -->
<!-- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="openssl10.xml"/> -->
  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="p11-kit.xml"/>
  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="polkit.xml"/>
  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="polkit-gnome.xml"/>
  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="shadow.xml"/>
  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="ssh-askpass.xml"/>
  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="stunnel.xml"/>
  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="sudo.xml"/>
  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="tripwire.xml"/>
  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="volume_key.xml"/>
<!--  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="firewalling.xml"/>
  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="iptables.xml"/>
  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="nftables.xml"/>
  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="firewalld.xml"/>-->

</chapter>
New XML Chapter 4 git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@2288 af4574ff-66df-0310-9fd7-8a98e5e911e0 2004-06-10 13:47:11 +08:00			`<?xml version="1.0" encoding="ISO-8859-1"?>`
Updated all the XML files (and the one stylesheet) to use the 4.5 version of DocBook XML DTD git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@6716 af4574ff-66df-0310-9fd7-8a98e5e911e0 2007-04-05 03:42:53 +08:00			`<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"`
			`"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [`
New XML Chapter 4 git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@2288 af4574ff-66df-0310-9fd7-8a98e5e911e0 2004-06-10 13:47:11 +08:00			`<!ENTITY % general-entities SYSTEM "../../general.ent">`
			`%general-entities;`
			`]>`

Added the LastChangedBy and Date keywords then set the corresponding keyword property on each file in the repo git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@6430 af4574ff-66df-0310-9fd7-8a98e5e911e0 2007-01-19 03:38:19 +08:00			`<!--`
			$LastChangedBy$
			$Date$
			`-->`

Initial revision git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@3 af4574ff-66df-0310-9fd7-8a98e5e911e0 2002-07-08 04:28:42 +08:00			`<chapter id="postlfs-security">`
Tagged security.xml git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@4207 af4574ff-66df-0310-9fd7-8a98e5e911e0 2005-05-14 23:23:17 +08:00			`<?dbhtml filename="security.html"?>`

			`<title>Security</title>`

Format postlfs/security and misc/forgotten git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@22884 af4574ff-66df-0310-9fd7-8a98e5e911e0 2020-03-25 03:19:44 +08:00			`<para>`
			`Security takes many forms in a computing environment. After some`
			`initial discussion, this chapter`
			`gives examples of three different types of security: access, prevention`
			`and detection.`
			`</para>`

			`<para>`
			`Access for users is usually handled by <command>login</command> or an`
			`application designed to handle the login function. In this chapter, we show`
			`how to enhance <command>login</command> by setting policies with`
			`<application>PAM</application> modules. Access via networks can also be`
			`secured by policies set by <application>iptables</application>, commonly`
			`referred to as a firewall. The Network Security Services (NSS) and`
			`Netscape Portable Runtime (NSPR) libraries can be installed and shared`
			`among the many applications requiring them. For applications that don't`
			`offer the best security, you can use the`
			`<application>Stunnel</application> package to wrap an application daemon`
			`inside an SSL tunnel.`
			`</para>`

			`<para>`
			`Prevention of breaches, like a trojan, are assisted by applications like`
			`<application>GnuPG</application>, specifically the ability to confirm`
			`signed packages, which recognizes modifications of the tarball`
			`after the packager creates it.`
			`</para>`

			`<para>`
			`Finally, we touch on detection with a package that stores "signatures"`
			`of critical files (defined by the administrator) and then regenerates those`
			`"signatures" and compares for files that have been changed.`
			`</para>`
Tagged security.xml git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@4207 af4574ff-66df-0310-9fd7-8a98e5e911e0 2005-05-14 23:23:17 +08:00
Add pages on libraries and vulnerabilities, icewm-1.3.7, gvolwheel-1.0.0 and retire gnome-media. git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@10406 af4574ff-66df-0310-9fd7-8a98e5e911e0 2012-07-10 02:31:25 +08:00			`<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="vulnerabilities.xml"/>`
Rename make-ca page. git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@19860 af4574ff-66df-0310-9fd7-8a98e5e911e0 2018-02-25 07:05:35 +08:00			`<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="make-ca.xml"/>`
[systemd-merge] - Section II layout git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@17433 af4574ff-66df-0310-9fd7-8a98e5e911e0 2016-06-04 11:04:06 +08:00
			`<!-- sysv only -->`
Archive consolkit. Update to gparted-1.0.0. git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@21836 af4574ff-66df-0310-9fd7-8a98e5e911e0 2019-07-16 03:33:13 +08:00			`<!--<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="consolekit.xml"/>-->`
[systemd-merge] - Section II layout git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@17433 af4574ff-66df-0310-9fd7-8a98e5e911e0 2016-06-04 11:04:06 +08:00
Replaced deprecated w3.org XInclude throughout the book git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@8411 af4574ff-66df-0310-9fd7-8a98e5e911e0 2010-04-22 02:48:34 +08:00			`<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="cracklib.xml"/>`
Add volume_key-0.3.9 as a required dependency of libblockdev. Add libbytesize-0.10 as a required depedency of libblockdev. Add cryptsetup-1.7.5 as a dependency of libblockdev and required for udisks2. Add libblockdev-2.9-1 as required depencency for udisks2-2.7.0. Update to udisks2-2.7.0. Yes, it was a PITA, git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@18843 af4574ff-66df-0310-9fd7-8a98e5e911e0 2017-06-22 05:49:37 +08:00			`<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="cryptsetup.xml"/>`
Update to glib-2.31.0. Update to pkg-config-0.26. Remove gcc3. More package reorganization. git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@8935 af4574ff-66df-0310-9fd7-8a98e5e911e0 2011-11-05 05:03:36 +08:00			`<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="cyrus-sasl.xml"/>`
Replaced deprecated w3.org XInclude throughout the book git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@8411 af4574ff-66df-0310-9fd7-8a98e5e911e0 2010-04-22 02:48:34 +08:00			`<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="gnupg2.xml"/>`
Gnome 3.4.2 (See changelog for which components were upgraded/added). Converted all of Gnome XML files to the 'new xml format'. Sorted 'Postlfs' and 'General' section packages in some kind of order. Moved Colord into 'System Utilities' and SpiderMonkey into 'General Utilities'. Fixed Avahi dependencies as reported last night. Fixed several typos and dependencies in other packages. Sorted general.ent according to other packages. git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@10209 af4574ff-66df-0310-9fd7-8a98e5e911e0 2012-05-17 00:39:28 +08:00			`<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="gnutls.xml"/>`
Added new package, GPGME-1.3.0. git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@8579 af4574ff-66df-0310-9fd7-8a98e5e911e0 2010-08-29 14:03:39 +08:00			`<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="gpgme.xml"/>`
Add haveged git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@12869 af4574ff-66df-0310-9fd7-8a98e5e911e0 2014-03-17 05:29:50 +08:00			`<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="haveged.xml"/>`
Comment out the nftables and firewalld sections until we can make them a bit more usable. git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@22759 af4574ff-66df-0310-9fd7-8a98e5e911e0 2020-02-27 00:20:10 +08:00			`<!-- Leave in alphabetical order of now -->`
			`<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="iptables.xml"/>`
			`<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="firewalling.xml"/>`

Rename all references of libcap2 to libcap git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@12013 af4574ff-66df-0310-9fd7-8a98e5e911e0 2013-10-22 02:54:34 +08:00			`<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="libcap.xml"/>`
Gnome 3.4.2 (See changelog for which components were upgraded/added). Converted all of Gnome XML files to the 'new xml format'. Sorted 'Postlfs' and 'General' section packages in some kind of order. Moved Colord into 'System Utilities' and SpiderMonkey into 'General Utilities'. Fixed Avahi dependencies as reported last night. Fixed several typos and dependencies in other packages. Sorted general.ent according to other packages. git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@10209 af4574ff-66df-0310-9fd7-8a98e5e911e0 2012-05-17 00:39:28 +08:00			`<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="linux-pam.xml"/>`
[systemd-merge] - Section II layout git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@17433 af4574ff-66df-0310-9fd7-8a98e5e911e0 2016-06-04 11:04:06 +08:00
			`<!-- systemd only -->`
			`<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="liboauth.xml"/>`

Add libinput, wayland, and libpwquality for KDE Plasma5. Add preliminary Plasma5 instructions. Packages build, but the desktop does not yet run properly. git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@16576 af4574ff-66df-0310-9fd7-8a98e5e911e0 2015-10-29 12:11:00 +08:00			`<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="libpwquality.xml"/>`
Replaced deprecated w3.org XInclude throughout the book git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@8411 af4574ff-66df-0310-9fd7-8a98e5e911e0 2010-04-22 02:48:34 +08:00			`<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="mitkrb.xml"/>`
Update to gnutls-3.0.7. Add nettle-2.4. git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@8955 af4574ff-66df-0310-9fd7-8a98e5e911e0 2011-11-11 06:12:32 +08:00			`<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="nettle.xml"/>`
Replaced deprecated w3.org XInclude throughout the book git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@8411 af4574ff-66df-0310-9fd7-8a98e5e911e0 2010-04-22 02:48:34 +08:00			`<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="nss.xml"/>`
Update to glib-2.31.0. Update to pkg-config-0.26. Remove gcc3. More package reorganization. git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@8935 af4574ff-66df-0310-9fd7-8a98e5e911e0 2011-11-05 05:03:36 +08:00			`<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="openssh.xml"/>`
Archive openssl10 and add qca patch. git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@20779 af4574ff-66df-0310-9fd7-8a98e5e911e0 2018-12-06 05:39:03 +08:00			`<!-- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="openssl.xml"/> -->`
			`<!-- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="openssl10.xml"/> -->`
Add p11-kit. git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@9311 af4574ff-66df-0310-9fd7-8a98e5e911e0 2012-02-08 08:36:11 +08:00			`<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="p11-kit.xml"/>`
Replaced deprecated w3.org XInclude throughout the book git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@8411 af4574ff-66df-0310-9fd7-8a98e5e911e0 2010-04-22 02:48:34 +08:00			`<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="polkit.xml"/>`
Update to gnome-settings-daemon-3.36.0 Add umockdev to the book Adjust libgudev so that the test suite is present Change the umockdev reference from external to internal in gnome-settings-daemon and upower Move notification-daemon to System Utilities Move polkit-gnome to Security git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@22934 af4574ff-66df-0310-9fd7-8a98e5e911e0 2020-04-03 02:07:58 +08:00			`<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="polkit-gnome.xml"/>`
Update to glib-2.31.0. Update to pkg-config-0.26. Remove gcc3. More package reorganization. git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@8935 af4574ff-66df-0310-9fd7-8a98e5e911e0 2011-11-05 05:03:36 +08:00			`<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="shadow.xml"/>`
New package: ssh-askpass-6.4p1. Remove instructions to build it and rephrase pkexec and other parts of Gparted-0.17.0. git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@12536 af4574ff-66df-0310-9fd7-8a98e5e911e0 2014-01-09 01:56:18 +08:00			`<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="ssh-askpass.xml"/>`
Update to glib-2.31.0. Update to pkg-config-0.26. Remove gcc3. More package reorganization. git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@8935 af4574ff-66df-0310-9fd7-8a98e5e911e0 2011-11-05 05:03:36 +08:00			`<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="stunnel.xml"/>`
			`<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="sudo.xml"/>`
			`<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="tripwire.xml"/>`
Add volume_key-0.3.9 as a required dependency of libblockdev. Add libbytesize-0.10 as a required depedency of libblockdev. Add cryptsetup-1.7.5 as a dependency of libblockdev and required for udisks2. Add libblockdev-2.9-1 as required depencency for udisks2-2.7.0. Update to udisks2-2.7.0. Yes, it was a PITA, git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@18843 af4574ff-66df-0310-9fd7-8a98e5e911e0 2017-06-22 05:49:37 +08:00			`<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="volume_key.xml"/>`
Comment out the nftables and firewalld sections until we can make them a bit more usable. git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@22759 af4574ff-66df-0310-9fd7-8a98e5e911e0 2020-02-27 00:20:10 +08:00			`<!-- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="firewalling.xml"/>`
Add nftables-0.9.2. Fixes #4620. Add firewalld-0.7.2. Add libnftnl-1.1.4. Add libmnl-1.0.4. Add decorator-4.4.0. Add python-slip-0.6.5. Update to blfs-bootscripts-20191025. git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@22301 af4574ff-66df-0310-9fd7-8a98e5e911e0 2019-10-25 14:28:45 +08:00			`<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="iptables.xml"/>`
			`<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="nftables.xml"/>`
Comment out the nftables and firewalld sections until we can make them a bit more usable. git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@22759 af4574ff-66df-0310-9fd7-8a98e5e911e0 2020-02-27 00:20:10 +08:00			`<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="firewalld.xml"/>-->`
Initial revision git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@3 af4574ff-66df-0310-9fd7-8a98e5e911e0 2002-07-08 04:28:42 +08:00
			`</chapter>`