New XML Chapter 4

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@2288 af4574ff-66df-0310-9fd7-8a98e5e911e0
Bruce Dubbs 2004-06-10 05:47:11 +00:00
parent f8d632ace2
commit b4b71892e5
12 changed files with 2587 additions and 61 deletions

View File

@ -18,7 +18,22 @@
<!ENTITY blfs-bootscripts-version "2004-05-22">
<!ENTITY blfs-bootscripts-download "&downloads-root;/blfs-bootscripts-&blfs-bootscripts-version;.tar.bz2">
<!ENTITY reiser-version "3.6.14">
<!ENTITY xfsprogs-version "2.6.13">
<!-- Chapter 4 -->
<!ENTITY cracklib-version "2.7">
<!ENTITY Linux_PAM-version "0.77">
<!ENTITY shadow-version "4.0.4.1">
<!ENTITY iptables-version "1.2.9">
<!ENTITY gnupg-version "1.2.4">
<!ENTITY tripwire-version "2.3.1-2">
<!ENTITY heimdal-version "0.6.2">
<!ENTITY mitkrb-version "1.3.3">
<!ENTITY gnome-version "2.6">
<!-- Chapter 5 -->
<!ENTITY reiser-version "3.6.14">
<!ENTITY xfsprogs-version "2.6.13">
<!ENTITY gnome-version "2.6">
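Review bot: reiser-version, xfsprogs-version and gnome-version are each declared twice in this hunk, once between the bootscripts entities and the `<!-- Chapter 4 -->` comment and again under `<!-- Chapter 5 -->`. An XML parser binds the first declaration it sees and silently ignores the later ones, so this is not a build error today, but the two copies will drift apart the next time one of them is bumped and the ignored copy will look current while the book renders the other. Keep one declaration per package, placed under the chapter it belongs to, and drop the three lines above `<!-- Chapter 4 -->`.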

View File

@ -2,11 +2,15 @@
<?dbhtml filename="postlfs.html" dir="postlfs"?>
<title>Post <acronym>LFS</acronym> Configuration and Extra Software</title>
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="postlfs/config/config.xml"/>
<!-- &postlfs-config; -->
&postlfs-security;
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="postlfs/config/config.xml"/>
<!-- &postlfs-security; -->
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="postlfs/security/security.xml"/>
<!-- &postlfs-filesystems; -->
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="postlfs/filesystems/filesystems.xml"/>
&postlfs-editors;
&postlfs-shells;
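Review bot: `href="postlfs/config/config.xml"` is included twice in this hunk, once before `&postlfs-security;` and once after the `<!-- &postlfs-config; -->` comment; if both lines survive in the result the configuration section is rendered twice, and the leftover `&postlfs-security;` reference sits beside a commented-out `<!-- &postlfs-security; -->` of the same name, so one of the two should go. If `postlfs-security` has been dropped from general.ent as part of the switch to XInclude, the remaining bare reference is an undefined entity and validation fails. Minor: the `xi:include` elements use the 2003 working-draft namespace URI; the published XInclude namespace is `http://www.w3.org/2001/XInclude`. libxml2 accepts both, but pick one and use it consistently across the book so a future toolchain change does not break half the includes.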

View File

@ -1,9 +1,112 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
<!ENTITY cracklib-download-http "http://www.crypticide.com/users/alecm/security/cracklib,&cracklib-version;.tar.gz">
<!ENTITY cracklib-download-ftp "ftp://ftp.cerias.purdue.edu/pub/tools/unix/libs/cracklib/cracklib.&cracklib-version;.tar.gz">
<!ENTITY cracklib-size "21 KB">
<!ENTITY cracklib-buildsize "17 MB">
<!ENTITY cracklib-time "0.10 SBU">
<!ENTITY crackdict-size "15.6MB">
<!ENTITY alldict-size "466KB">
]>
<sect1 id="cracklib" xreflabel="cracklib-&cracklib-version;">
<?dbhtml filename="cracklib.html"?>
<title>cracklib-&cracklib-version;</title>
&cracklib-intro;
&cracklib-inst;
&cracklib-desc;
<sect2>
<title>Introduction to <application>cracklib</application></title>
<para>The cracklib package contains a library used to enforce strong passwords
by comparing user selected passwords to words in a chosen wordlist.</para>
<sect3><title>Package information</title>
<itemizedlist spacing='compact'>
<listitem><para>Download (HTTP): <ulink
url="&cracklib-download-http;"/></para></listitem>
<listitem><para>Download (FTP): <ulink
url="&cracklib-download-ftp;"/></para></listitem>
<listitem><para>Download size: &cracklib-size;</para></listitem>
<listitem><para>Estimated Disk space required (with cracklib wordlist):
&cracklib-buildsize;</para></listitem>
<listitem><para>Estimated build time:
&cracklib-time;</para></listitem></itemizedlist>
</sect3>
<sect3><title>Additional downloads</title>
<itemizedlist spacing='compact'>
<listitem><para>Required patch: <ulink
url="&patch-root;/cracklib,&cracklib-version;-blfs-1.patch"/></para></listitem>
<listitem><para>Recommended patch: <ulink
url="&patch-root;/cracklib,&cracklib-version;-heimdal-1.patch"/></para></listitem>
</itemizedlist>
<para>You will also need to download a wordlist for use with cracklib. There
are two wordlists to choose from at the following location. Use the
<filename>cracklib</filename> word list for good security, or opt for the
<filename>allwords</filename> word list for lightweight machines short on
<acronym>RAM</acronym>. You can of course choose any other word list that you
have at your disposal.</para>
<para>cracklib (&crackdict-size;): <ulink url="http://www.cotse.com/wordlists/cracklib"/></para>
<para>allwords (&alldict-size;): <ulink url="http://www.cotse.com/wordlists/allwords"/></para>
</sect3>
</sect2>
<sect2>
<title>Installation of <application>cracklib</application></title>
<para>First, we need to install the chosen word list for cracklib:</para>
<screen><userinput><command>install -d -m755 /usr/share/dict &amp;&amp;
install -m644 <replaceable>[wordlist]</replaceable> /usr/share/dict &amp;&amp;
ln -sf <replaceable>[wordlist]</replaceable> /usr/share/dict/words &amp;&amp;
echo $(hostname) >> /usr/share/dict/extra.words</command></userinput></screen>
<para>Our wordlist is linked to <filename>/usr/share/dict/words</filename> as
historically, <filename>words</filename> is the primary wordlist in the
<filename class="directory">/usr/share/dict</filename> directory. We also echo
the value of hostname to a file called extra.words. This extra file is intened
to be a site specific list which includes easy to guess passwords such as
company or department name, user's names, product names, computer name, domain
name, etc.</para>
<para>Now apply BLFS patch:</para>
<screen><userinput><command>patch -Np1 -i ../cracklib,&cracklib-version;-blfs-1.patch</command></userinput></screen>
<para>If necessary, apply the heimdal patch:</para>
<screen><userinput><command>cp -R cracklib cracklib_krb5 &amp;&amp;
patch -Np1 -i ../cracklib,&cracklib-version;-heimdal-1.patch</command></userinput></screen>
<para>Finally install the package:</para>
<screen><userinput><command>make install</command></userinput></screen>
</sect2>
<sect2>
<title>Contents</title>
<para>The <application>cracklib</application> package
contains the <filename class="libraryfile">libcrack</filename>
library.</para>
</sect2>
<sect2><title>Description</title>
<sect3><title>libcrack library</title>
<para>The <filename class="libraryfile">libcrack</filename> library
provides a fast dictionary lookup method for strong password
enforcement.</para></sect3>
</sect2>
</sect1>
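Review bot: in the install block, `ln -sf [wordlist] /usr/share/dict/words` creates a symlink whose target is resolved relative to `/usr/share/dict`, so the substituted value must be the bare file name (the name `install` just placed there), not the path the reader downloaded the list to; otherwise `words` is a dangling link and every lookup through it fails. Either spell that out or make the link target explicit, e.g. `ln -sf /usr/share/dict/[wordlist] /usr/share/dict/words`. Three smaller points: the `&cracklib-intro;`, `&cracklib-inst;` and `&cracklib-desc;` references remain above the inlined `<sect2>` blocks, and if they are not removed lines they are undefined entities once the content is inline; the HTTP and FTP download URLs spell the archive differently (`cracklib,&cracklib-version;.tar.gz` versus `cracklib.&cracklib-version;.tar.gz`), which is worth verifying against both servers; and "intened" in the extra.words paragraph should read "intended". The installation section shows only `make install` after the patches; if a separate `make` is required for this package, add it, since a reader following the steps literally will run nothing else.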

View File

@ -1,3 +1,10 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
]>
<sect1 id="postlfs-security-fw-firewall" xreflabel="Firewalling">
<?dbhtml filename="firewall.html"?>
<title>Setting up a network firewall</title>
@ -5,12 +12,658 @@
<para>Before you read this part of the chapter, note that we assume that you
have already installed iptables as described in the previous section.</para>
&postlfs-security-fw-intro;
&postlfs-security-fw-disclaimer;
&postlfs-security-fw-kernel;
&postlfs-security-fw-writing;
&postlfs-security-fw-finale;
&postlfs-security-fw-extrainfo;
<sect2 id="postlfs-security-fw-intro" xreflabel="Firewalling Introduction">
<title>Introduction to Firewall Creation</title>
<para>The general purpose of a firewall is to protect a network
against malicious access by using a single machine as a firewall.
This does imply that the firewall is to be considered a single point
of failure, but it can make the administrator's life a lot easier.</para>
<para>In a perfect world where you knew that every daemon or service
on every machine was perfectly configured and was immune to, e.g.,
buffer-overflows and any other imaginable problem regarding its
security, and where you trusted every user accessing your services
to aim no harm, you wouldn't need to have a firewall!
In the real world however, daemons may be misconfigured,
exploits against essential services are freely available, you
may wish to choose which services are accessible by certain machines,
you may wish to limit which machines or applications are allowed
to have Internet access, or you may simply not trust some of your
apps or users.
In these situations you might benefit by using a firewall.</para>
<para>Don't assume however, that having a firewall makes careful
configuration redundant, or that it makes any negligent
misconfiguration harmless. It also doesn't prevent anyone from exploiting a
service you intentionally offer but haven't recently updated or patched
after an exploit went public. Despite having a firewall, you need to
keep applications and daemons on your system well-configured and
up-to-date; a firewall is not a cure-all!</para>
</sect2>
<sect2>
<title>Meaning of the word firewall.</title>
<para>The word firewall can have several different meanings.</para>
<sect3><title><xref linkend="postlfs-security-fw-persFw"/></title>
<para>This is a setup or program, for Windows commercially sold by
companies such as Symantec, of which they claim or pretend that it
secures a home or desktop-pc with Internet access. This topic is
highly relevant for users who do not know the methods their computers
might be accessed via the Internet or how to disable them,
especially if they are always online and connected via
broadband links.</para></sect3>
<sect3><title><xref linkend="postlfs-security-fw-masqRouter"/></title>
<para>This is a box placed between the Internet and an intranet.
To minimize the risk of compromising the firewall itself it
should generally have only one role, that of protecting the intranet.
Although not completely risk free, the tasks of doing the routing
and eventually IP masquerading (rewriting IP-headers
of the packets it routes from clients with private IP-addresses onto
the Internet so that they seem to come from the firewall
itself) are commonly considered harmless.</para></sect3>
<sect3><title><xref linkend="postlfs-security-fw-busybox"/></title>
<para>This is often an old box you may have retired and nearly forgotten,
performing masquerading or routing functions, but offering a bunch of
services, e.g., web-cache, mail, etc. This may be very commonly used
for home networks, but can definitely not be considered as secure
anymore because the combining of server and router on one machine raises
the complexity of the setup.</para></sect3>
<sect3><title>Firewall with a demilitarized zone [not further described
here]</title>
<para>This box performs masquerading or routing, but grants public access to
some branch of your network which, because of public IP's and a physically
separated structure, is neither considered to be part of the inter- nor
intranet. These servers are those which must be easily accessible
from both the inter- and intranet. The firewall protects
them all.</para></sect3>
<sect3><title>Packetfilter / partly accessible net [partly described
here, see <xref linkend="postlfs-security-fw-busybox"/>]</title>
<para>Doing routing or masquerading, but permitting only selected
services to be accessible, sometimes only by selected internal users or boxes;
mostly used in highly secure business contexts, sometimes by distrusting
employers. This was the common configuration of a firewall at the time of
the Linux 2.2 kernel. It's still possible to configure a firewall this way,
but it makes the rules quite complex and lengthy.</para></sect3>
</sect2>
<sect2 id="postlfs-security-fw-disclaimer" xreflabel="Disclaimer">
<title>Disclaimer</title>
<!-- <para><emphasis>NEITHER THE AUTHOR NOR ANY OF THE LINUXFROMSCRATCH TEAM
ARE RESPONSIBLE FOR ANY DAMAGES INCURRED DUE TO ACTIONS TAKEN BASED ON THIS
DOCUMENT.</emphasis></para> -->
<para>This document is meant as an introduction to how to setup a firewall. It
is not a complete guide to securing systems. Firewalling is a complex issue
that requires careful configuration. The scripts quoted here are simply
intended to give examples as to how a firewall works, they are not intended to
fit into any imaginable configuration and may not prevent any imaginable
attack.</para>
<para>The purpose of this text is simply to give you a hint on how to get
started with a firewall.</para>
<para>Customization of these scripts for your specific situation will
be necessary for an optimal configuration, but you should make a serious
study of the iptables documentation and creating firewalls in general before hacking
away. Have a look at the list of <xref linkend="postlfs-security-fw-library"/> at the end
of this section for more details. Here you will find a list of URLs that
contain quite comprehensive information about building your own firewall.</para>
</sect2>
<sect2 id="postlfs-security-fw-kernel" xreflabel="getting a firewalling-enabled Kernel">
<title>Getting a firewall enabled Kernel</title>
<para>If you want your Linux-Box to have a firewall, you must first ensure
that your kernel has been compiled with the relevant options turned on.
<!-- <footnote><para>If you needed assistance how to configure, compile and install
a new kernel, refer back to chapter VIII of the LinuxFromScratch book,
<ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/kernel.html">Installing a kernel</ulink>
and eventually
<ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/lilo.html">Making the LFS system bootable</ulink>
; note, that you'll need to reboot
to actually run your new kernel.</para></footnote>-->
</para>
<para>How to configure your kernel, with enabling the options to be
either compiled into the kernel or as modules, depends on your personal
preferences and experience. Note, that for the quoted scripts it is assumed
that the modules need to be loaded at first.</para>
<screen>Network options menu
Network packet filtering: Y
Unix domain sockets: Y or M
TCP/IP networking: Y
IP: advanced router: Y
IP: verbose route monitoring: Y
IP: TCP Explicit Congestion Notification support: Y
IP: TCP syncookie support: Y
IP: Netfilter Configuration menu
Every option except: Y or M
ipchains (2.2-style) support N
ipfwadm (2.0-style) support N
Fast switching: N</screen>
<!--
<table frame='none'>
<title>Essential config-options for a firewall enabled Kernel</title>
<tgroup cols='5'>
<colspec colnum='1' colwidth='8*' align='center'/>
<colspec colnum='2' colwidth='19*' align='left'/>
<colspec colnum='3' colwidth='11*' align='center'/>
<colspec colnum='4' colwidth='1*' align='center'/>
<colspec colnum='5' colwidth='14*' align='left'/>
<tbody>
<row>
<entry><emphasis><userinput>Networking options:</userinput></emphasis></entry>
<entry><userinput>Network packet filtering</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_NETFILTER</entry>
</row>
<row>
<entry></entry>
<entry><userinput>Unix domain sockets</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_UNIX</entry>
</row>
<row>
<entry></entry>
<entry><userinput>IP: TCP/IP networking</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_INET</entry>
</row>
<row>
<entry></entry>
<entry><userinput>IP: advanced router</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_IP_ADVANCED_ROUTER</entry>
</row>
<row>
<entry></entry>
<entry><userinput>IP: verbose route monitoring</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_IP_ROUTE_VERBOSE</entry>
</row>
<row>
<entry></entry>
<entry><userinput>IP: TCP Explicit Congestion Notification support</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_INET_ECN</entry>
</row>
<row>
<entry></entry>
<entry><userinput>IP: TCP syncookie support</userinput></entry>
<entry></entry>
<entry>=</entry>
<entry>CONFIG_SYN_COOKIES</entry>
</row>
<row>
<entry></entry>
<entry align='center'>
<emphasis><userinput>IP: Netfilter Configuration:</userinput></emphasis></entry>
<entry align='left'><userinput>every option</userinput></entry>
<entry>=</entry>
<entry>CONFIG_IP_NF_*</entry>
</row>
<row>
<entry></entry>
<entry align='right'><emphasis>WITHOUT:</emphasis></entry>
<entry align='left'><literallayout><userinput>ipchains (2.2-style) support
ipfw-adm (2.0-style) support</userinput></literallayout></entry>
<entry>w\</entry>
<entry>CONFIG_IP_NF_COMPAT_*</entry>
</row>
<row>
<entry></entry>
<entry><userinput>Fast switching</userinput></entry>
<entry>Make sure to disable it because it would setup a bypass around
your firewall rules.</entry>
<entry>w\</entry>
<entry>CONFIG_NET_FASTROUTE</entry>
</row>
</tbody>
</tgroup>
</table> -->
</sect2>
<sect2 id="postlfs-security-fw-writing" xreflabel="writing the firewalling-setup-scripts">
<title>Now you can start to build your Firewall</title>
<sect3 id="postlfs-security-fw-persFw" xreflabel="Personal Firewall">
<title>Personal Firewall</title>
<para>A Personal Firewall is supposed to let you access all the services
offered on the Internet, but keep your box secure and your data private.</para>
<para>Below is a slightly modified version of Rusty Russell's recommendation
from the <ulink
url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">Linux
2.4 Packet Filtering HOWTO</ulink>:</para>
<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall &lt;&lt; "EOF"</command>
#!/bin/sh
# Begin $rc_base/init.d/firewall
# Insert connection-tracking modules (not needed if built into the kernel).
modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe ipt_LOG
# allow local-only connections
iptables -A INPUT -i lo -j ACCEPT
# free output on any interface to any ip for any service (equal to -P ACCEPT)
iptables -A OUTPUT -j ACCEPT
# permit answers on already established connections
# and permit new connections related to established ones (eg active-ftp)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log everything else: What's Windows' latest exploitable vulnerability?
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
# set a sane policy: everything not accepted &gt; /dev/null
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
# disable ExplicitCongestionNotification - too many routers are still ignorant
echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
# End $rc_base/init.d/firewall
<command>EOF</command></userinput></screen>
<para>His script is quite simple, it drops all traffic coming in into your
computer that wasn't initiated from your box, but as long as you are simply
surfing the Internet you are unlikely to exceed its limits.</para>
<para>If you frequently encounter certain delays at accessing ftp-servers,
please have a look at <xref linkend="postlfs-security-fw-busybox"/> -
<xref linkend="postlfs-security-fw-BB-4"/>.</para>
<para>Even if you have daemons or services running on your box, these
should be inaccessible everywhere but from your box itself.
If you want to allow access to services on your machine, such as ssh or pinging,
take a look at <xref linkend="postlfs-security-fw-busybox"/>.</para>
</sect3>
<sect3 id="postlfs-security-fw-masqRouter" xreflabel="Masquerading Router">
<title>Masquerading Router</title>
<para>A true Firewall has two interfaces, one connected to an intranet,
in this example, <emphasis role="strong">eth0</emphasis>, and one
connected to the Internet, here, <emphasis role="strong">ppp0</emphasis>.
To provide the maximum security against the box itself being broken into,
make sure that there are no servers running on it, especially not
<application>X11</application> et
al. And, as a general principle, the box itself should not access any untrusted
service (Think of a name server giving answers that make your
bind crash, or, even worse, that implement a worm via a
buffer-overflow).</para>
<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall &lt;&lt; "EOF"</command>
#!/bin/sh
# Begin $rc_base/init.d/firewall
echo
echo "You're using the example-config for a setup of a firewall"
echo "from the firewalling-hint written for LinuxFromScratch."
echo "This example is far from being complete, it is only meant"
echo "to be a reference."
echo "Firewall security is a complex issue, that exceeds the scope"
echo "of the quoted configuration rules."
echo "You can find some quite comprehensive information"
echo "about firewalls in Chapter 4 of the BLFS book."
echo "http://www.linuxfromscratch.org/blfs"
echo
# Insert iptables modules (not needed if built into the kernel).
modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ipt_MASQUERADE
modprobe ipt_LOG
modprobe ipt_REJECT
# allow local-only connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# allow forwarding
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -i ! ppp+ -j ACCEPT
# do masquerading (not needed if intranet is not using private ip-addresses)
iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE
# Log everything for debugging (last of all rules, but before DROP/REJECT)
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD"
iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT "
# set a sane policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
# disable ExplicitCongestionNotification
echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
# activate TCPsyncookies
echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies
# activate Route-Verification = IP-Spoofing_protection
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 &gt; $f
done
# activate IP-Forwarding
echo 1 &gt; /proc/sys/net/ipv4/ip_forward
<command>EOF</command></userinput></screen>
<para>With this script your intranet should be sufficiently secure against
external attacks. No one should be able to setup a new connection to any
internal service and, if it's masqueraded, it's even invisible. Furthermore,
your firewall should be nearly immune because there are no services running
that a cracker could attack.</para>
<para>Note: if the interface you're connecting to the Internet
doesn't connect via ppp, you will need to change
<replaceable>ppp+</replaceable> to the name of the interface which you are
using. If you are using the same interface type to connect to both your
intranet and the Internet, you need to use the actual name of the
interface such as <emphasis role="strong">eth0</emphasis>,
on both interfaces.</para>
<para>If you need stronger security (e.g., against DOS, connection
highjacking, spoofing, etc.), have a look at the list of
<xref linkend="postlfs-security-fw-library"/> at the end of this section.</para>
</sect3>
<sect3 id="postlfs-security-fw-busybox" xreflabel="BusyBox">
<title>BusyBox</title>
<para>This scenario isn't too different from (<xref linkend="postlfs-security-fw-masqRouter"/>),
but in this case you want to offer some services to your intranet.
Examples of this can be when you want to admin your box from another host
on your intranet or use it as a proxy or a name server. Note: Outlining a true
concept of how to protect a server that offers services on the Internet
goes far beyond the scope of this document,
see <xref linkend="postlfs-security-fw-disclaimer"/>.</para>
<para>Be cautious. Every service you offer and have enabled makes your
setup more complex and your box less secure. You induce the risks of
misconfigured services or running a service with an exploitable bug. A firewall
should generally not run any extra services. See the introduction to
<xref linkend="postlfs-security-fw-masqRouter"/> for some more details.</para>
<para>If the services you'd like to offer do not need to access the Internet
themselves, like internal-only samba- or name-servers, it's quite
simple and should still be acceptable from a security standpoint.
Just add the following lines <emphasis>before</emphasis> the logging-rules
into the script.</para>
<screen>iptables -A INPUT -i ! ppp+ -j ACCEPT
iptables -A OUTPUT -o ! ppp+ -j ACCEPT</screen>
<para>If your daemons have to access the web themselves, like squid would need
to, you could open OUTPUT generally and restrict INPUT.</para>
<screen>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j ACCEPT</screen>
<para>However, it is generally not advisable to leave OUTPUT unrestricted. You lose
any control over trojans who'd like to "call home", and a bit of redundancy in case
you've (mis-)configured a service so that it does broadcast its existence to the
world.</para>
<para>If you prefer to have this protection, you may restrict INPUT and OUTPUT
on all ports except those that it's absolutely necessary to have open.
Which ports you have to open depends on your needs: mostly you will find them
by looking for failed accesses in your log-files.</para>
<itemizedlist spacing="compact">
<!-- <orderedlist numeration="arabic" spacing="compact"> -->
<title>Have a look at the following examples:</title>
<listitem><para>Squid is caching the web:</para>
<screen>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT</screen></listitem>
<listitem><para>Your caching name server (e.g., dnscache) does its
lookups via udp:</para>
<screen>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT</screen></listitem>
<listitem><para>Alternatively, if you want to be able to ping your box to ensure
it's still alive:</para>
<screen>iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT</screen></listitem>
<listitem><para><anchor id='postlfs-security-fw-BB-4' xreflabel="example no. 4"/>If you are
frequently accessing ftp-servers or enjoy chatting, you might notice certain
delays because some implementations of these daemons have the feature of
querying an identd on your box for logging usernames.
Although there's really no harm in this, having an identd running is not
recommended because some implementations are known to be vulnerable.</para>
<para>To avoid these delays you could reject the requests
with a 'tcp-reset':</para>
<screen>iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT</screen></listitem>
<listitem><para>To log and drop invalid packets (harmless packets
that came in after netfilter's timeout or some types of network scans):</para>
<screen>iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG --log-prefix \
"FIREWALL:INVALID"
iptables -I INPUT 2 -p tcp -m state --state INVALID -j DROP</screen></listitem>
<listitem><para>Anything coming from the outside should not have a
private address, this is a common attack called IP-spoofing:</para>
<screen>iptables -t nat -A PREROUTING -i ppp+ -s 10.0.0.0/8 -j DROP
iptables -t nat -A PREROUTING -i ppp+ -s 172.16.0.0/12 -j DROP
iptables -t nat -A PREROUTING -i ppp+ -s 192.168.0.0/16 -j DROP</screen></listitem>
<listitem><para>To simplify debugging and be fair to anyone who'd like to
access a service you have disabled, purposely or by mistake, you should REJECT
those packets that are dropped.</para>
<para>Obviously this must be done directly after logging as the very
last lines before the packets are dropped by policy:</para>
<screen>iptables -A INPUT -j REJECT
iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT</screen></listitem>
</itemizedlist>
<!--</orderedlist>-->
<para>These are only examples to show you some of the capabilities of the new
firewall code in Linux-Kernel 2.4. Have a look at the man page of
iptables.
There you will find more of them. The port-numbers you'll need for this
can be found in <filename>/etc/services</filename>, in case you didn't
find them by trial and error in your log file.</para>
<para>If you add any of your offered or accessed services such as the above,
maybe even in FORWARD and for intranet-communication, and delete the
general clauses, you get an old fashioned packet filter.</para>
</sect3>
</sect2>
<sect2 id="postlfs-security-fw-finale" xreflabel="Conclusion">
<title>Conclusion</title>
<para>Finally, I'd like to remind you of one fact we must not forget:
The effort spent attacking a system corresponds to the value the cracker
expects to gain from it.
If you are responsible for such valuable assets that you expect great
effort to be made by potential crackers, you hopefully won't be in the
need of this hint!</para>
<!-- <para><literallayout>Be cautious!
Henning Rohde
<email>Henning.Rohde@uni-bayreuth.de</email></literallayout></para>
<para>PS: And always do remember:
SecureIT is not a matter of a status-quo but one of never stopping
to take care!</para>
<para>PPS: If any of these scripts fail, please tell me. I will try to trace
any faults.</para> -->
</sect2>
<sect2 id="postlfs-security-fw-extra" xreflabel="Extra Information">
<title>Extra Information</title>
<sect3 id="postlfs-security-fw-library" xreflabel="Links for further reading">
<title>Where to start with further reading on firewalls.</title>
<para><blockquote><literallayout>
<ulink url="http://www.netfilter.org/">www.netfilter.org - Homepage of the netfilter/iptables project</ulink>
<ulink url="http://www.netfilter.org/documentation/FAQ/netfilter-faq.html">Netfilter related FAQ</ulink>
<ulink url="http://www.netfilter.org/documentation/index.html#HOWTO">Netfilter related HOWTO's</ulink>
<ulink url="http://en.tldp.org/LDP/nag2/x-087-2-firewall.html">en.tldp.org/LDP/nag2/x-087-2-firewall.html</ulink>
<ulink url="http://en.tldp.org/HOWTO/Security-HOWTO.html">en.tldp.org/HOWTO/Security-HOWTO.html</ulink>
<ulink url="http://en.tldp.org/HOWTO/Firewall-HOWTO.html">en.tldp.org/HOWTO/Firewall-HOWTO.html</ulink>
<ulink url="http://www-106.ibm.com/developerworks/security/library/s-fire.html">www.ibm.com/developerworks/security/library/s-fire.html</ulink>
<ulink url="http://www-106.ibm.com/developerworks/security/library/s-fire2.html">www.ibm.com/developerworks/security/library/s-fire2.html</ulink>
<ulink url="http://www.interhack.net/pubs/fw-faq/">www.interhack.net/pubs/fw-faq/</ulink>
<ulink url="http://www.linuxsecurity.com/docs/">www.linuxsecurity.com/docs/</ulink>
<ulink url="http://www.little-idiot.de/firewall">www.little-idiot.de/firewall (German &amp; outdated, but very comprehensive)</ulink>
<ulink url="http://www.linuxgazette.com/issue65/stumpel.html">www.linuxgazette.com/issue65/stumpel.html</ulink>
<ulink url="http://linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html">linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html</ulink>
<ulink url="http://staff.washington.edu/dittrich/misc/ddos">staff.washington.edu/dittrich/misc/ddos</ulink>
<ulink url="http://www.e-infomax.com/ipmasq">www.e-infomax.com/ipmasq</ulink>
<ulink url="http://www.circlemud.org/~jelson/writings/security/index.htm">www.circlemud.org/~jelson/writings/security/index.htm</ulink>
<ulink url="http://www.securityfocus.com">www.securityfocus.com</ulink>
<ulink url="http://www.cert.org/tech_tips/">www.cert.org - tech_tips</ulink>
<ulink url="http://security.ittoolbox.com/">security.ittoolbox.com</ulink>
<ulink url="http://www.linux-firewall-tools.com/linux/">www.linux-firewall-tools.com/linux/</ulink>
<ulink url="http://logi.cc/linux/athome-firewall.php3">logi.cc/linux/athome-firewall.php3</ulink>
<ulink url="http://www.insecure.org/reading.html">www.insecure.org/reading.html</ulink>
<ulink url="http://www.robertgraham.com/pubs/firewall-seen.html">www.robertgraham.com/pubs/firewall-seen.html</ulink>
</literallayout></blockquote></para>
<!-- <para>If a link proves to be dead or if you think I missed one,
please mail!</para> -->
</sect3>
<sect3 id="postlfs-security-fw-status" xreflabel="/etc/rc.d/init.d/firewall.status">
<title>firewall.status</title>
<para>If you'd like to have a look at the chains your firewall consists of and
the order in which the rules take effect:</para>
<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall.status &lt;&lt; "EOF"</command>
#!/bin/sh
# Begin $rc_base/init.d/firewall.status
echo "iptables.mangling:"
iptables -t mangle -v -L -n --line-numbers
echo
echo "iptables.nat:"
iptables -t nat -v -L -n --line-numbers
echo
echo "iptables.filter:"
iptables -v -L -n --line-numbers
<command>EOF</command></userinput></screen>
</sect3>
<sect3 id="postlfs-security-fw-stop" xreflabel="/etc/rc.d/init.d/firewall.stop">
<title>firewall.stop</title>
<para>If you need to turn the firewall off, this script will do it:</para>
<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall.stop &lt;&lt; "EOF"</command>
#!/bin/sh
# Being $rc_base/init.d/firewall.stop
# deactivate IP-Forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward
iptables -Z
iptables -F
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -t nat -F POSTROUTING
iptables -t mangle -F PREROUTING
iptables -t mangle -F OUTPUT
iptables -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
<command>EOF</command></userinput></screen>
</sect3>
</sect2>
</sect1>
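Review bot: firewall.stop does not fully turn the firewall off. It flushes only the named nat and mangle chains, and `iptables -X` / `iptables -Z` act on the filter table alone, so user-defined chains in nat or mangle, and the mangle INPUT, FORWARD and POSTROUTING chains that exist on 2.4.18 and later kernels, keep their rules after a "stop". Flushing and clearing whole tables, `iptables -t nat -F && iptables -t nat -X` and `iptables -t mangle -F && iptables -t mangle -X` (plus `-t nat -Z` and `-t mangle -Z`), would make the script match what the text promises. Two smaller points in the same script: `# Being $rc_base/init.d/firewall.stop` should read `# Begin`, and `echo 0 > /proc/sys/net/ipv4/ip_forward` uses a bare `>` where the other screen blocks escape it as `&gt;`.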

View File

@ -1,10 +1,96 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
<!ENTITY gnupg-download-http "http://public.ftp.planetmirror.com/pub/gnupg/gnupg-&gnupg-version;.tar.bz2">
<!ENTITY gnupg-download-ftp "ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-&gnupg-version;.tar.bz2">
<!ENTITY gnupg-size "2.3 MB">
<!ENTITY gnupg-buildsize "26 MB">
<!ENTITY gnupg-time "0.44 SBU">
]>
<sect1 id="gnupg" xreflabel="GnuPG-&gnupg-version;">
<?dbhtml filename="gnupg.html"?>
<title>GnuPG-&gnupg-version;</title>
&gnupg-intro;
&gnupg-inst;
&gnupg-exp;
&gnupg-desc;
<sect2>
<title>Introduction to <application>GnuPG</application></title>
<para>The <application>GnuPG</application> package contains a public/private
key encryptor. This is
becoming useful for signing files or emails as proof of identity and
preventing tampering with contents of the file or email.</para>
<sect3><title>Package information</title>
<itemizedlist spacing='compact'>
<listitem><para>Download (HTTP): <ulink
url="&gnupg-download-http;"/></para></listitem>
<listitem><para>Download (FTP): <ulink
url="&gnupg-download-ftp;"/></para></listitem>
<listitem><para>Download size: &gnupg-size;</para></listitem>
<listitem><para>Estimated Disk space required:
&gnupg-buildsize;</para></listitem>
<listitem><para>Estimated build time:
&gnupg-time;</para></listitem></itemizedlist>
</sect3>
<sect3><title><application>GnuPG</application> dependencies</title>
<sect4><title>Optional</title>
<para><xref linkend="openldap"/></para></sect4>
</sect3>
</sect2>
<sect2>
<title>Installation of <application>GnuPG</application></title>
<para>Install <application>GnuPG</application> by running the following commands:</para>
<screen><userinput><command>./configure --prefix=/usr --libexecdir=/usr/lib &amp;&amp;
make &amp;&amp;
make install &amp;&amp;
chmod 4755 /usr/bin/gpg</command></userinput></screen>
</sect2>
<sect2>
<title>Command explanations</title>
<para><parameter>--libexecdir=/usr/lib</parameter>: This command
creates a <filename class="directory">gnupg</filename> directory in
<filename class="directory">/usr/lib</filename> instead of
<filename class="directory">/usr/libexec</filename>.</para>
<para><command>chmod 4755 /usr/bin/gpg</command>: We install
<command>gpg</command> setuid root to avoid swapping out of
sensitive data.</para>
</sect2>
<sect2>
<title>Contents</title>
<para>The <application>GnuPG</application> package contains <command>gpg</command>,
<command>gpgsplit</command> and <command>gpgv</command>.</para>
</sect2>
<sect2><title>Description</title>
<sect3><title>gpg</title>
<para><command>gpg</command> is the backend (command-line interface) for
this Open<acronym>PGP</acronym>
implementation.</para></sect3>
<sect3><title>gpgsplit</title>
<para><command>gpgsplit</command> separates key rings.</para></sect3>
<sect3><title>gpgv</title>
<para><command>gpgv</command> is a verify only version of
<command>gpg</command>.</para></sect3>
</sect2>
</sect1>
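Review bot: the explanation for `chmod 4755 /usr/bin/gpg` should say what the setuid bit is actually for and why it is acceptable: gpg needs root only to mlock() the buffers holding keys and passphrases so they are never written to swap, and it drops root privileges as soon as that is done; stating that lets a reader judge the setuid binary rather than just accept it. In Command explanations, "This command creates a gnupg directory" describes a configure switch, so "This switch", as the heimdal page puts it, is the right wording, and "This is becoming useful" in the introduction should simply be "This is useful". Please also confirm that the `&gnupg-intro;` ... `&gnupg-desc;` references after the title are the removed lines of this hunk: nothing in the DOCTYPE subset declares them and the same content now appears inline as sect2 elements.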

View File

@ -1,11 +1,583 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
<!ENTITY heimdal-download-http "http://ftp.vc-graz.ac.at/mirror/crypto/kerberos/heimdal/heimdal-&heimdal-version;.tar.gz">
<!ENTITY heimdal-download-ftp "ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-&heimdal-version;.tar.gz">
<!ENTITY heimdal-size "3.2 MB">
<!ENTITY heimdal-buildsize "142 MB">
<!ENTITY heimdal-time "2.55 SBU">
]>
<sect1 id="heimdal" xreflabel="Heimdal-&heimdal-version;">
<?dbhtml filename="heimdal.html"?>
<title>Heimdal-&heimdal-version;</title>
&heimdal-intro;
&heimdal-inst;
&heimdal-exp;
&heimdal-config;
&heimdal-desc;
<sect2>
<title>Introduction to <application>Heimdal</application></title>
<para> <application>Heimdal</application> is a free implementation of Kerberos
5, that aims to be compatible with <acronym>MIT</acronym> krb5 and is backwards
compatible with krb4. Kerberos is a network authentication protocol. Basically
it preserves the integrity of passwords in any untrusted network (like the
Internet). Kerberized applications work hand-in-hand with sites that support
Kerberos to ensure that passwords cannot be stolen. A Kerberos installation
will make changes to the authentication mechanisms on your network and will
overwrite several programs and daemons from the Coreutils, Inetutils, Qpopper
and Shadow packages. </para>
<sect3><title>Package information</title>
<itemizedlist spacing='compact'>
<listitem><para>Download (HTTP): <ulink url="&heimdal-download-http;"/></para></listitem>
<listitem><para>Download (FTP): <ulink url="&heimdal-download-ftp;"/></para></listitem>
<listitem><para>Download size: &heimdal-size;</para></listitem>
<listitem><para>Estimated Disk space required: &heimdal-buildsize;</para></listitem>
<listitem><para>Estimated build time: &heimdal-time;</para></listitem></itemizedlist>
</sect3>
<sect3><title>Additional downloads</title>
<itemizedlist spacing='compact'>
<listitem><para>Required patch: <ulink
url="&patch-root;/heimdal-&heimdal-version;-fhs-compliance-1.patch"/></para>
</listitem>
<listitem><para>Required patch for cracklib: <ulink
url="&patch-root;/heimdal-&heimdal-version;-cracklib-1.patch"/></para>
</listitem>
</itemizedlist>
</sect3>
<sect3><title><application>Heimdal</application> dependencies</title>
<sect4><title>Required</title>
<para>
<xref linkend="openssl"/> and
<xref linkend="db"/>
</para></sect4>
<sect4><title>Optional</title>
<para>
<xref linkend="readline"/>,
<xref linkend="Linux_PAM"/>,
<xref linkend="openldap"/>,
X (<xref linkend="xorg"/> or <xref linkend="xfree86"/>),
<xref linkend="cracklib"/> and
<ulink url="http://www.pdc.kth.se/kth-krb/">krb4</ulink>
</para>
<note><para>
Some sort of time synchronization facility on your system (like <xref
linkend="ntp"/>) is required since Kerberos won't authenticate if the
time differential between a kerberized client and the
<acronym>KDC</acronym> server is more than 5 minutes.</para></note>
</sect4>
</sect3>
</sect2>
<sect2>
<title>Installation of <application>Heimdal</application></title>
<para>
Before installing the package, you may want to preserve the
<command>ftp</command> program from the Inetutils package. This is
because using the Heimdal <command>ftp</command> program to connect to
non kerberized ftp servers may not work properly. It will allow you to
connect (letting you know that transmission of the password is clear
text) but will have problems doing puts and gets.
</para>
<screen><userinput><command>mv /usr/bin/ftp /usr/bin/ftpn</command></userinput></screen>
<para>
If you wish the Heimdal package to link against the cracklib library,
you must apply a patch:
</para>
<screen><userinput><command>patch -Np1 -i ../heimdal-&heimdal-version;-cracklib-1.patch</command></userinput></screen>
<para>Install <application>Heimdal</application> by running the following commands:</para>
<screen><userinput><command>patch -Np1 -i ../heimdal-&heimdal-version;-fhs-compliance-1.patch &amp;&amp;
./configure --prefix=/usr --sysconfdir=/etc/heimdal \
--datadir=/var/lib/heimdal --libexecdir=/usr/sbin \
--sharedstatedir=/usr/share --localstatedir=/var/lib/heimdal \
--enable-shared --with-openssl=/usr &amp;&amp;
make &amp;&amp;
make install &amp;&amp;
mv /bin/login /bin/login.shadow &amp;&amp;
mv /bin/su /bin/su.coreutils &amp;&amp;
mv /usr/bin/{login,su} /bin &amp;&amp;
ln -sf ../../bin/login /usr/bin &amp;&amp;
mv /usr/lib/lib{otp.so.0,otp.so.0.1.4,kafs.so.0,kafs.so.0.4.0} /lib &amp;&amp;
mv /usr/lib/lib{krb5.so.17,krb5.so.17.3.0,asn1.so.6,asn1.so.6.0.2} /lib &amp;&amp;
mv /usr/lib/lib{roken.so.16,roken.so.16.0.3,crypto.so.0.9.7} /lib &amp;&amp;
mv /usr/lib/lib{com_err.so.2,com_err.so.2.1,db-4.1.so} /lib &amp;&amp;
ln -sf ../../lib/lib{otp.so.0,otp.so.0.1.4,kafs.so.0,kafs.so.0.4.0} /usr/lib &amp;&amp;
ln -sf ../../lib/lib{krb5.so.17,krb5.so.17.3.0,asn1.so.6,asn1.so.6.0.2} /usr/lib &amp;&amp;
ln -sf ../../lib/lib{roken.so.16,roken.so.16.0.3,crypto.so.0.9.7} /usr/lib &amp;&amp;
ln -sf ../../lib/lib{com_err.so.2,com_err.so.2.1,db-4.1.so} /usr/lib &amp;&amp;
ldconfig</command></userinput></screen>
</sect2>
<sect2>
<title>Command explanations</title>
<para><parameter>--libexecdir=/usr/sbin</parameter>:
This switch puts the daemon programs into <filename
class="directory">/usr/sbin</filename>.
</para>
<note><para>
If you want to preserve all your existing Inetutils package daemons,
install the Heimdal daemons into <filename
class="directory">/usr/sbin/heimdal</filename> (or wherever you want).
Since these programs will be called from <command>(x)inetd</command> or
<command>rc</command> scripts, it really doesn't matter where they live,
as long as they are correctly specified in the
<filename>/etc/(x)inetd.conf</filename> file and <command>rc</command>
scripts. If you choose something other than <filename
class="directory">/usr/sbin</filename>, you may want to move some of the
user programs (such as <command>kadmin</command>) to <filename
class="directory">/usr/sbin</filename> manually.
</para></note>
<para>
<screen><command>mv /bin/login /bin/login.shadow
mv /bin/su /bin/su.coreutils
mv /usr/bin/{login,su} /bin
ln -sf ../../bin/login /usr/bin</command></screen>
The <command>login</command> and <command>su</command> programs
installed by Heimdal belong in the <filename
class="directory">/bin</filename> directory. The
<command>login</command> program is symlinked because Heimdal is expecting
to find it in <filename class="directory">/usr/bin</filename>. We
preserve the old executables before the move to keep things sane should
breaks occur.
</para>
<para>
<screen><command>mv /usr/lib/lib{otp.so.0,otp.so.0.1.4,kafs.so.0,kafs.so.0.4.0} /lib
mv /usr/lib/lib{krb5.so.17,krb5.so.17.3.0,asn1.so.6,asn1.so.6.0.2} /lib
mv /usr/lib/lib{roken.so.16,roken.so.16.0.3,crypto.so.0.9.7} /lib
mv /usr/lib/lib{com_err.so.2,com_err.so.2.1,db-4.1.so} /lib
ln -sf ../../lib/lib{otp.so.0,otp.so.0.1.4,kafs.so.0,kafs.so.0.4.0} /usr/lib
ln -sf ../../lib/lib{krb5.so.17,krb5.so.17.3.0,asn1.so.6,asn1.so.6.0.2} /usr/lib
ln -sf ../../lib/lib{roken.so.16,roken.so.16.0.3,crypto.so.0.9.7} /usr/lib
ln -sf ../../lib/lib{com_err.so.2,com_err.so.2.1,db-4.1.so} /usr/lib</command></screen>
The <command>login</command> and <command>su</command> programs
installed by Heimdal link against Heimdal libraries as well as crypto
and db libraries. We move these libraries to <filename
class="directory">/lib</filename> to be <acronym>FHS</acronym>
compliant and in case when <filename
class="directory">/usr</filename> is located on a separate partition which
may not always be mounted.
</para>
</sect2>
<sect2>
<title>Configuring Heimdal</title>
<sect3><title>Config files</title>
<para><filename>/etc/heimdal/*</filename></para>
</sect3>
<sect3><title>Configuration Information</title>
<sect4><title>Master KDC Server Configuration</title>
<para>
Create the Kerberos configuration file with the following command:
</para>
<screen><userinput><command>install -d /etc/heimdal &amp;&amp;
cat &gt; /etc/heimdal/krb5.conf &lt;&lt; "EOF"</command>
# Begin /etc/heimdal/krb5.conf
[libdefaults]
default_realm = <replaceable>[LFS.ORG]</replaceable>
encrypt = true
[realms]
<replaceable>[LFS.ORG]</replaceable> = {
kdc = <replaceable>[belgarath.lfs.org]</replaceable>
admin_server = <replaceable>[belgarath.lfs.org]</replaceable>
kpasswd_server = <replaceable>[belgarath.lfs.org]</replaceable>
}
[domain_realm]
.<replaceable>[lfs.org]</replaceable> = <replaceable>[LFS.ORG]</replaceable>
[logging]
kdc = FILE:/var/log/kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb.log
# End /etc/heimdal/krb5.conf
<command>EOF</command></userinput></screen>
<para>
You will need to substitute your domain and proper hostname for the
occurances of the belgarath and lfs.org names.
</para>
<para>
<userinput>default_realm</userinput> should be the name of your domain changed to ALL CAPS.
This isn't required, but both Heimdal and <acronym>MIT</acronym>
recommend it.
</para>
<para>
<userinput>encrypt = true</userinput> provides encryption of all traffic between kerberized
clients and servers. It's not necessary and can be left off. If you
leave it off, you can encrypt all traffic from the client to the server
using a switch on the client program instead.
</para>
<para>
The <userinput>[realms]</userinput> parameters tell the client programs where to look for the
<acronym>KDC</acronym> authentication services.
</para>
<para>
The <userinput>[domain_realm]</userinput> section maps a domain to a realm.
</para>
<para>
Store the master password in a key file using the following commands:
</para>
<screen><userinput><command>install -d -m 755 /var/lib/heimdal &amp;&amp;
kstash</command></userinput></screen>
<para>
Create the <acronym>KDC</acronym> database:
</para>
<screen><userinput><command>kadmin -l</command></userinput></screen>
<para>
Choose the defaults for now. You can go in later and change the
defaults, should you feel the need. At the
<userinput>kadmin&gt;</userinput> prompt, issue the following statement:
</para>
<screen><userinput><command>init <replaceable>[LFS.ORG]</replaceable></command></userinput></screen>
<para>
Now we need to populate the database with principles (users). For now,
just use your regular login name or root.
</para>
<screen><userinput><command>add <replaceable>[loginname]</replaceable></command></userinput></screen>
<para>
The <acronym>KDC</acronym> server and any machine running kerberized
server daemons must have a host key installed:
</para>
<screen><userinput><command>add --random-key host/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
<para>
After choosing the defaults when prompted, you will have to export the
data to a keytab file:
</para>
<screen><userinput><command>ext host/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
<para>
This should have created two files in
<filename class="directory">/etc/heimdal</filename>;
<filename>krb5.keytab</filename> (Kerberos 5) and
<filename>srvtab</filename> (Kerberos 4). Both files should have 600
(root rw only) permissions. Keeping the keytab files from public access
is crucial to the overall security of the Kerberos installation.
</para>
<para>
Eventually, you'll want to add server daemon principles to the database
and extract them to the keytab file. You do this in the same way you
created the host principles. Below is an example:
</para>
<screen><userinput><command>add --random-key ftp/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
<para>
(choose the defaults)
</para>
<screen><userinput><command>ext ftp/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
<para>
Exit the <command>kadmin</command> program (use <command>quit</command>
or <command>exit</command>) and return back to the shell prompt. Start
the <acronym>KDC</acronym> daemon manually, just to test out the
installation:
</para>
<screen><userinput><command>/usr/sbin/kdc &amp;</command></userinput></screen>
<para>
Attempt to get a <acronym>TGT</acronym> (ticket granting ticket) with the
following command:
</para>
<screen><userinput><command>kinit <replaceable>[loginname]</replaceable></command></userinput></screen>
<para>
You will be prompted for the password you created. After you get your
ticket, you should list it with the following command:
</para>
<screen><userinput><command>klist</command></userinput></screen>
<para>
Information about the ticket should be displayed on the screen.
</para>
<para>
To test the functionality of the keytab file, issue the following
command:
</para>
<screen><userinput><command>ktutil list</command></userinput></screen>
<para>
This should dump a list of the host principals, along with the encryption
methods used to access the principals.
</para>
<para>
At this point, if everything has been successful so far, you can feel
fairly confident in the installation and configuration of the package.
</para>
<para>Install the <filename>/etc/rc.d/init.d/heimdal</filename> init script
included in the <xref linkend="intro-important-bootscripts"/>
package.</para>
<screen><userinput><command>make install-heimdal</command></userinput></screen>
</sect4>
<sect4><title>Using Kerberized Client Programs</title>
<para>
To use the kerberized client programs (<command>telnet</command>,
<command>ftp</command>, <command>rsh</command>,
<command>rxterm</command>, <command>rxtelnet</command>,
<command>rcp</command>, <command>xnlock</command>), you first must get
a <acronym>TGT</acronym>. Use the <command>kinit</command> program to
get the ticket. After you've acquired the ticket, you can use the
kerberized programs to connect to any kerberized server on the network.
You will not be prompted for authentication until your ticket expires
(default is one day), unless you specify a different user as a command
line argument to the program.
</para>
<para>
The kerberized programs will connect to non kerberized daemons, warning
you that authentication is not encrypted. As mentioned earlier, only the
<command>ftp</command> program gives any trouble connecting to non
kerberized daemons.
</para>
<para>
For additional information consult <ulink
url="http://www.linuxfromscratch.org/hints/downloads/files/heimdal.txt">the
Heimdal hint</ulink> on which the above instructions are based.
</para>
</sect4>
</sect3>
</sect2>
<sect2>
<title>Contents</title>
<para>The <application>Heimdal</application> package contains
<command>afslog</command>,
<command>dump_log</command>,
<command>ftp</command>,
<command>ftpd</command>,
<command>hprop</command>,
<command>hpropd</command>,
<command>ipropd-master</command>,
<command>ipropd-slave</command>,
<command>kadmin</command>,
<command>kadmind</command>,
<command>kauth</command>,
<command>kdc</command>,
<command>kdestroy</command>,
<command>kf</command>,
<command>kfd</command>,
<command>kgetcred</command>,
<command>kinit</command>,
<command>klist</command>,
<command>kpasswd</command>,
<command>kpasswdd</command>,
<command>krb5-config</command>,
<command>kstash</command>,
<command>ktutil</command>,
<command>kx</command>,
<command>kxd</command>,
<command>login</command>,
<command>mk_cmds</command>,
<command>otp</command>,
<command>otpprint</command>,
<command>pagsh</command>,
<command>pfrom</command>,
<command>popper</command>,
<command>push</command>,
<command>rcp</command>,
<command>replay_log</command>,
<command>rsh</command>,
<command>rshd</command>,
<command>rxtelnet</command>,
<command>rxterm</command>,
<command>string2key</command>,
<command>su</command>,
<command>telnet</command>,
<command>telnetd</command>,
<command>tenletxr</command>,
<command>truncate_log</command>,
<command>verify_krb5_conf</command>,
<command>xnlock</command>,
<filename class="libraryfile">libasn1</filename>,
<filename class="libraryfile">libeditline</filename>,
<filename class="libraryfile">libgssapi</filename>,
<filename class="libraryfile">libhdb</filename>,
<filename class="libraryfile">libkadm5clnt</filename>,
<filename class="libraryfile">libkadm5srv</filename>,
<filename class="libraryfile">libkafs</filename>,
<filename class="libraryfile">libkrb5</filename>,
<filename class="libraryfile">libotp</filename>,
<filename class="libraryfile">libroken</filename>,
<filename class="libraryfile">libsl</filename> and
<filename class="libraryfile">libss</filename>.
</para>
</sect2>
<sect2><title>Description</title>
<sect3><title>afslog</title>
<para><command>afslog</command> obtains AFS tokens for a number of
cells.</para></sect3>
<sect3><title>hprop</title>
<para><command>hprop</command> takes a principal database in a specified
format and converts it into a stream of Heimdal database
records.</para></sect3>
<sect3><title>hpropd</title>
<para><command>hpropd</command> receives a database sent by
<command>hprop</command> and writes it as a local
database.</para></sect3>
<sect3><title>kadmin</title>
<para><command>kadmin</command> is an utility used to make modifications
to the Kerberos database.</para></sect3>
<sect3><title>kadmind</title>
<para><command>kadmind</command> is a server for administrative access
to Kerberos database.</para></sect3>
<sect3><title>kauth, kinit</title>
<para><command>kauth</command> and <command>kinit</command> are used to
authenticate to the Kerberos server as principal and acquire a ticket
granting ticket that can later be used to obtain tickets for other
services.</para></sect3>
<sect3><title>kdc</title>
<para><command>kdc</command> is a Kerberos 5 server.</para></sect3>
<sect3><title>kdestroy</title>
<para><command>kdestroy</command> removes the current set of
tickets.</para></sect3>
<sect3><title>kf</title>
<para><command>kf</command> is a program which forwards tickets to a
remote host through an authenticated and encrypted
stream.</para></sect3>
<sect3><title>kfd</title>
<para><command>kfd</command> receives forwarded tickets.</para></sect3>
<sect3><title>kgetcred</title>
<para><command>kgetcred</command> obtains a ticket for a
service.</para></sect3>
<sect3><title>klist</title>
<para><command>klist</command> reads and displays the current tickets in
the credential cache.</para></sect3>
<sect3><title>kpasswd</title>
<para><command>kpasswd</command> is a program for changing Kerberos 5
passwords.</para></sect3>
<sect3><title>kpasswdd</title>
<para><command>kpasswdd</command> is a Kerberos 5 password changing
server.</para></sect3>
<sect3><title>krb5-config</title>
<para><command>krb5-config</command> gives information on how to link
programs against Heimdal libraries.</para></sect3>
<sect3><title>kstash</title>
<para><command>kstash</command> stores the <acronym>KDC</acronym> master
password in a file.</para></sect3>
<sect3><title>ktutil</title>
<para><command>ktutil</command> is a program for managing Kerberos
keytabs.</para></sect3>
<sect3><title>kx</title>
<para><command>kx</command> is a program which securely forwards X
connections.</para></sect3>
<sect3><title>kxd</title>
<para><command>kxd</command> is the daemon for
<command>kx</command>.</para></sect3>
<sect3><title>otp</title>
<para><command>otp</command> manages one-time passwords.</para></sect3>
<sect3><title>otpprint</title>
<para><command>otpprint</command> prints lists of one-time
passwords.</para></sect3>
<sect3><title>rxtelnet</title>
<para><command>rxtelnet</command> program starts an
<command>xterm</command> window with a telnet to given host and forwards
X connections.</para></sect3>
<sect3><title>rxterm</title>
<para><command>rxterm</command> starts a secure remote
<command>xterm</command>.</para></sect3>
<sect3><title>string2key</title>
<para><command>string2key</command> maps a password into a
key.</para></sect3>
<sect3><title>tenletxr</title>
<para><command>tenletxr</command> forwards X connections
backwards.</para></sect3>
<sect3><title>verify_krb5_conf</title>
<para><command>verify_krb5_conf</command> checks
<filename>krb5.conf</filename> file for obvious errors.</para></sect3>
<sect3><title>xnlock</title>
<para><command>xnlock</command> is a program that acts as a secure screen
saver for workstations running X.</para></sect3>
</sect2>
</sect1>
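Review bot: the configuration text says krb5.keytab and srvtab "should have 600 (root rw only) permissions" and calls keeping them private crucial, yet no step sets or verifies this; add `chmod 600 /etc/heimdal/krb5.keytab /etc/heimdal/srvtab` after the `ext` commands (or at least an `ls -l /etc/heimdal` check), and consider `install -d -m 700 /var/lib/heimdal` instead of 755, since the text has kstash write the master key file there and the KDC database lives in the same directory. Spelling: "principles" should be "principals" (three occurrences in the configuration section; the later text already says "host principals"), and "occurances" should be "occurrences". The Command explanations paragraph on moving libraries to /lib would also be clearer if it said which of those files come from OpenSSL and Berkeley DB rather than Heimdal, since the `mv` lines relocate libcrypto.so.0.9.7 and libdb-4.1.so that other pages installed.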

View File

@ -1,18 +1,134 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
<!ENTITY iptables-download-http "http://www.iptables.org/files/iptables-&iptables-version;.tar.bz2">
<!ENTITY iptables-download-ftp "ftp://ftp.netfilter.org/pub/iptables/iptables-&iptables-version;.tar.bz2">
<!ENTITY iptables-size "183 KB">
<!ENTITY iptables-buildsize "3.4 MB">
<!ENTITY iptables-time "0.13 SBU">
]>
<sect1 id="postlfs-security-iptables">
<?dbhtml filename="iptables.html"?>
<title>iptables-&iptables-version;</title>
<para>The next part of this chapter deals with firewalls. The
principle firewall tool for Linux, as of the 2.4 kernel series, is
<para>The next part of this chapter deals with firewalls. The principle
firewall tool for Linux, as of the 2.4 kernel series, is
<application>iptables</application>. It replaces
<application>ipchains</application> from the 2.2 series and
<application>ipfwadm</application> from the
2.0 series. You will need to install <application>iptables</application> if
you intend on using any form of a firewall.</para>
<application>ipfwadm</application> from the 2.0 series. You will need to
install <application>iptables</application> if you intend on using any form of
a firewall.</para>
&iptables-intro;
&iptables-inst;
&iptables-exp;
&iptables-desc;
<sect2>
<title>Introduction to <application>iptables</application></title>
<para>To use a firewall, as well as installing
<application>iptables</application>, you will need
to configure the relevant options into your kernel. This is discussed
in the next part of this chapter - <xref linkend="postlfs-security-fw-kernel"/>.</para>
<para>If you intend to use <acronym>IP</acronym>v6 you might consider extending
the kernel by running <command>make patch-o-matic</command> in the top-level
directory of the sources of <application>iptables</application>. If you are
going to do this, on a freshly untarred kernel, you need to run
<command>yes "" | make config &amp;&amp; make dep</command> first because
otherwise the patch-o-matic command is likely to fail while setting up
some dependencies.</para>
<para>If you are going to patch the kernel, you need to do it before you
compile <application>iptables</application>, because during the compilation,
the kernel source tree is checked (if it is available at <filename
class="directory">/usr/src/linux-<replaceable>[version]</replaceable>
</filename>) to see which features are available. Support will only be compiled
into <application>iptables</application> for the features recognized at
compile-time. Applying a kernel patch may result in errors, often because the
hooks for the patches have changed or because the runme script doesn't
recognize that a patch has already been incorporated.</para>
<para>Note that for most people, patching the kernel is unnecessary.
With the later 2.4.x kernels, most functionality is already available
and those who need to patch it are generally those who need a specific
feature; if you don't know why you need to patch the kernel, you're
unlikely to need to!</para>
<sect3><title>Package information</title>
<itemizedlist spacing='compact'>
<listitem><para>Download (HTTP): <ulink
url="&iptables-download-http;"/></para></listitem>
<listitem><para>Download (FTP): <ulink
url="&iptables-download-ftp;"/></para></listitem>
<listitem><para>Download size: &iptables-size;</para></listitem>
<listitem><para>Estimated Disk space required:
&iptables-buildsize;</para></listitem>
<listitem><para>Estimated build time:
&iptables-time;</para></listitem></itemizedlist>
</sect3>
</sect2>
<sect2>
<title>Installation of <application>iptables</application></title>
<para>Install <application>iptables</application> by running the following commands:</para>
<screen><userinput><command>make PREFIX=/usr LIBDIR=/lib BINDIR=/sbin &amp;&amp;
make PREFIX=/usr LIBDIR=/lib BINDIR=/sbin install</command></userinput></screen>
</sect2>
<sect2>
<title>Command explanations</title>
<para><parameter>PREFIX=/usr LIBDIR=/lib BINDIR=/sbin</parameter>: Compiles and installs
<application>iptables</application> libraries into <filename
class="directory">/lib</filename>, binaries into <filename
class="directory">/sbin</filename> and the remainder into the
<filename class="directory">/usr</filename> hierarchy instead of
<filename class="directory">/usr/local</filename>. Firewalls are
generally set during the boot process and <filename
class="directory">/usr</filename> may not be mounted at that time.</para>
</sect2>
<sect2>
<title>Contents</title>
<para>The <application>iptables</application> package contains <command>iptables</command>,
<command>iptables-restore</command>, <command>iptables-save</command>,
<command>ip6tables</command> and some libraries.</para>
</sect2>
<sect2><title>Description</title>
<sect3><title>iptables</title>
<para><command>iptables</command> is used to set up, maintain, and inspect the
tables of <acronym>IP</acronym> packet filter rules in the Linux kernel.</para>
</sect3>
<sect3><title>iptables-restore, iptables-save</title>
<para>These are used to save and to restore your elaborated set of chains and
rules. Until <application>iptables</application>-1.2.5, they were declared
experimental.</para>
</sect3>
<sect3 id="ip6tables" xreflabel="ip6tables"><title>ip6tables</title>
<para>This is the same as <command>iptables</command> but for use with
<acronym>IP</acronym>v6. As of v1.2.5, it is not as complete as the standard
<acronym>IP</acronym>v4 version, especially with regard to some of the modules.</para>
</sect3>
<sect3><title>libip*.so</title>
<para>These are various modules (implemented as dynamic libraries) which
extend the core functionality of <command>iptables</command>.</para>
</sect3>
</sect2>
</sect1>
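Review bot: the introductory paragraph appears twice because this hunk shows the old and the re-wrapped text; in the kept version "principle firewall tool" should be "principal firewall tool" and "intend on using" should be "intend to use". The `<sect1 id="postlfs-security-iptables">` element has no xreflabel, unlike the gnupg and heimdal sect1 elements in this commit, so cross-references to it will not carry the package version. The Description section still makes version-specific claims about 1.2.5 ("Until iptables-1.2.5, they were declared experimental", "As of v1.2.5, it is not as complete") while the page title is now driven by `&iptables-version;`; those sentences should be re-checked against the version the page documents or dropped.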

View File

@ -1,12 +1,166 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
<!ENTITY Linux_PAM-download-http "http://www.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-&Linux_PAM-version;.tar.bz2">
<!ENTITY Linux_PAM-download-ftp "ftp://ftp.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-&Linux_PAM-version;.tar.bz2">
<!ENTITY Linux_PAM-size "332 KB">
<!ENTITY Linux_PAM-buildsize "4.1 MB">
<!ENTITY Linux_PAM-time "0.07 SBU">
]>
<sect1 id="Linux_PAM" xreflabel="Linux-PAM-&Linux_PAM-version;">
<?dbhtml filename="linux_pam.html"?>
<title>Linux-PAM-&Linux_PAM-version;</title>
&Linux_PAM-intro;
&Linux_PAM-inst;
&Linux_PAM-exp;
&Linux_PAM-config;
&Linux_PAM-desc;
<sect2>
<title>Introduction to <application>Linux-<acronym>PAM</acronym></application>
</title>
<para>The <application>Linux-<acronym>PAM</acronym></application> package
contains Pluggable Authentication Modules. This is useful to enable the local
system administrator to choose how applications authenticate users.</para>
<sect3><title>Package information</title>
<itemizedlist spacing='compact'>
<listitem><para>Download (HTTP): <ulink
url="&Linux_PAM-download-http;"/></para></listitem>
<listitem><para>Download (FTP): <ulink
url="&Linux_PAM-download-ftp;"/></para></listitem>
<listitem><para>Download size: &Linux_PAM-size;</para></listitem>
<listitem><para>Estimated Disk space required:
&Linux_PAM-buildsize;</para></listitem>
<listitem><para>Estimated build time:
&Linux_PAM-time;</para></listitem></itemizedlist>
</sect3>
<sect3><title>Additional download</title>
<itemizedlist spacing='compact'>
<listitem><para>Required patch:
<ulink url="&patch-root;/Linux-PAM-0.77-linkage-3.patch"/></para></listitem></itemizedlist>
</sect3>
<sect3><title><application>Linux-<acronym>PAM</acronym></application> dependencies</title>
<sect4><title>Optional</title>
<para><xref linkend="cracklib"/></para></sect4>
</sect3>
</sect2>
<sect2>
<title>Installation of <application>Linux-<acronym>PAM</acronym></application>
</title>
<para>Install <application>Linux-<acronym>PAM</acronym></application> by
running the following commands:</para>
<screen><userinput><command>patch -Np1 -i ../Linux-PAM-0.77-linkage-3.patch &amp;&amp;
autoconf &amp;&amp;
./configure --enable-static-libpam --with-mailspool=/var/mail \
--enable-read-both-confs --sysconfdir=/etc &amp;&amp;
make &amp;&amp;
make install &amp;&amp;
mv /lib/libpam.a /lib/libpam_misc.a /lib/libpamc.a /usr/lib &amp;&amp;
ln -sf ../../lib/libpam.so.&Linux_PAM-version; /usr/lib/libpam.so &amp;&amp;
ln -sf ../../lib/libpam_misc.so.&Linux_PAM-version; /usr/lib/libpam_misc.so &amp;&amp;
ln -sf ../../lib/libpamc.so.&Linux_PAM-version; /usr/lib/libpamc.so</command></userinput></screen>
</sect2>
<sect2>
<title>Command explanations</title>
<para><command>autoconf</command>: This is necessary as in the patch, we
change where <acronym>PAM</acronym> looks for the cracklib libs. This
requires that the configure script be recreated.</para>
<para><option>--enable-static-libpam</option>: This switch builds
static <acronym>PAM</acronym> libraries as well as the dynamic libraries.</para>
<para><parameter>--with-mailspool=/var/mail</parameter>: This switch makes
the mailspool directory <acronym>FHS</acronym> compliant.</para>
<para><option>--enable-read-both-confs</option>: This switch lets the local
administrator choose which configuration file setup to use.</para>
<para><command>mv /lib/libpam.a /lib/libpam_misc.a /lib/libpamc.a
/usr/lib</command>: This command moves the static libraries to
<filename>/usr/lib</filename> to comply with <acronym>FHS</acronym>.</para>
</sect2>
<sect2>
<title>Configuring <application>Linux-<acronym>PAM</acronym></application>
</title>
<sect3><title>Config files</title>
<para><filename>/etc/pam.d</filename> or <filename>/etc/pam.conf</filename>
</para></sect3>
<sect3><title>Configuration Information</title>
<para>Configuration information is placed in <filename>/etc/pam.d</filename> or
<filename>/etc/pam.conf</filename> depending on user preference. Below are
example files of each type:</para>
<screen># Begin /etc/pam.d/other
auth required pam_unix.so nullok
account required pam_unix.so
session required pam_unix.so
password required pam_unix.so nullok
# End /etc/pam.d/other
# Begin /etc/pam.conf
other auth required pam_unix.so nullok
other account required pam_unix.so
other session required pam_unix.so
other password required pam_unix.so nullok
# End /etc/pam.conf</screen>
<para>The <application><acronym>PAM</acronym></application> man page
(<command>man pam</command>) provides a good starting point for descriptions
of fields and allowable entries. The
<ulink url="http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html">
Linux-PAM guide for system administrators</ulink>
is recommended for further reading.</para>
<para>Refer to <ulink url="http://www.kernel.org/pub/linux/libs/pam/modules.html"/>
for a list of various modules available.</para>
</sect3>
</sect2>
<sect2>
<title>Contents</title>
<para>The <application>Linux-<acronym>PAM</acronym></application> package
contains <command>unix-chkpwd</command> and <filename
class="libraryfile">libpam</filename>
libraries.</para>
</sect2>
<sect2><title>Description</title>
<sect3><title>unix-chkpwd</title>
<para>No description available.</para></sect3>
<sect3><title>libpam libraries</title>
<para><filename class="libraryfile">libpam</filename> libraries provide the interfaces between
applications and the modules included with <acronym>PAM</acronym>.</para></sect3>
</sect2>
</sect1>
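Review bot: the example /etc/pam.d/other in this hunk (auth required pam_unix.so nullok, and the same for account, session and password) is a default-allow fallback: every PAM-aware program that has no file of its own under /etc/pam.d is granted ordinary Unix authentication, and nullok additionally accepts empty passwords. The shadow page in this same commit concedes the point ("Currently, /etc/pam.d/other is configured to allow anyone with an account on the machine to use programs that do not specifically have a configuration file") and only later replaces it with a pam_deny stack; the deny-by-default version should be what this page documents, with the permissive stack, if kept at all, presented as a temporary testing aid and without nullok. Two documentation gaps: unix-chkpwd is left as "No description available", although a password-checking helper that runs with elevated privilege is exactly the binary a reader will want explained; and since --enable-read-both-confs makes both /etc/pam.conf and the /etc/pam.d directory live at once, the text should state the precedence between them instead of leaving it to "user preference".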

View File

@ -1,11 +1,459 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
<!ENTITY mitkrb-download-http "http://web.mit.edu/kerberos/www/dist/krb5/1.3/krb5-&mitkrb-version;.tar">
<!ENTITY mitkrb-download-ftp " ">
<!ENTITY mitkrb-size "6.2 MB">
<!ENTITY mitkrb-buildsize "137.4 MB">
<!ENTITY mitkrb-time "2.55 SBU">
]>
<sect1 id="mitkrb" xreflabel="MIT krb5-&mitkrb-version;">
<?dbhtml filename="mitkrb.html"?>
<title>MIT krb5-&mitkrb-version;</title>
&mitkrb-intro;
&mitkrb-inst;
&mitkrb-exp;
&mitkrb-config;
&mitkrb-desc;
<sect2>
<title>Introduction to <application><acronym>MIT</acronym> krb5</application></title>
<para>
<application>MIT krb5</application> is a free implementation of Kerberos
5. Kerberos is a network authentication protocol. It centralizes the
authentication database and uses kerberized applications to work with
servers or services that support Kerberos allowing single logins and
encrypted communication over internal networks or the Internet.</para>
<sect3><title>Package information</title>
<itemizedlist spacing='compact'>
<listitem><para>Download (HTTP): <ulink url="&mitkrb-download-http;"/></para></listitem>
<listitem><para>Download (FTP): <ulink url="&mitkrb-download-ftp;"/></para></listitem>
<listitem><para>Download size: &mitkrb-size;</para></listitem>
<listitem><para>Estimated Disk space required: &mitkrb-buildsize;</para></listitem>
<listitem><para>Estimated build time: &mitkrb-time;</para></listitem></itemizedlist>
</sect3>
<sect3><title><application><acronym>MIT</acronym> krb5</application> dependencies</title>
<sect4><title>Optional</title>
<para>
<xref linkend="xinetd"/> (services servers only),
<xref linkend="Linux_PAM"/> (for xdm based logins) and
<xref linkend="openldap"/> (alternative for krb5kdc password database)
</para>
<note><para>
Some sort of time synchronization facility on your system (like <xref
linkend="ntp"/>) is required since Kerberos won't authenticate if there
is a time difference between a kerberized client and the
<acronym>KDC</acronym> server.</para></note>
</sect4>
</sect3>
</sect2>
<sect2>
<title>Installation of <application>MIT krb5</application></title>
<para>Install <application>MIT krb5</application> by running the following commands:</para>
<screen><userinput><command>./configure --prefix=/usr --sysconfdir=/etc \
--localstatedir=/var/lib --enable-dns --enable-shared --mandir=/usr/share/man &amp;&amp;
make &amp;&amp;
make install &amp;&amp;
mv /bin/login /bin/login.shadow &amp;&amp;
cp /usr/sbin/login.krb5 /bin/login &amp;&amp;
mv /usr/bin/ksu /bin &amp;&amp;
mv /usr/lib/libkrb5.so.3* /lib &amp;&amp;
mv /usr/lib/libkrb4.so.2* /lib &amp;&amp;
mv /usr/lib/libdes425.so.3* /lib &amp;&amp;
mv /usr/lib/libk5crypto.so.3* /lib &amp;&amp;
mv /usr/lib/libcom_err.so.3* /lib &amp;&amp;
ln -sf ../../lib/libkrb5.so /usr/lib &amp;&amp;
ln -sf ../../lib/libkrb4.so /usr/lib &amp;&amp;
ln -sf ../../lib/libdes425.so /usr/lib &amp;&amp;
ln -sf ../../lib/libk5crypto.so /usr/lib &amp;&amp;
ln -sf ../../lib/libcom_err.so /usr/lib &amp;&amp;
ldconfig</command></userinput></screen>
</sect2>
<sect2>
<title>Command explanations</title>
<para><parameter>--enable-dns</parameter>: This switch allows realms to
be resolved using the <acronym>DNS</acronym> server.</para>
<para><screen><command>mv /bin/login /bin/login.shadow
cp /usr/sbin/login.krb5 /bin/login
mv /usr/bin/ksu /bin</command></screen>
Preserves <application>Shadow</application>'s <command>login</command>
command, moves <command>ksu</command> and <command>login</command> to
the <filename class="directory">/bin</filename> directory.</para>
<para><screen><command>mv /usr/lib/libkrb5.so.3* /lib
mv /usr/lib/libkrb4.so.2* /lib
mv /usr/lib/libdes425.so.3* /lib
mv /usr/lib/libk5crypto.so.3* /lib
mv /usr/lib/libcom_err.so.3* /lib
ln -sf ../../lib/libkrb5.so /usr/lib
ln -sf ../../lib/libkrb4.so /usr/lib
ln -sf ../../lib/libdes425.so /usr/lib
ln -sf ../../lib/libk5crypto.so /usr/lib
ln -sf ../../lib/libcom_err.so /usr/lib</command></screen>
The <command>login</command> and <command>ksu</command> programs
are linked against these libraries, therefore we move these libraries to
<filename class="directory">/lib</filename> to allow logins without mounting <filename class="directory">/usr</filename>.</para>
</sect2>
<sect2>
<title>Configuring <application><acronym>MIT</acronym> krb5</application></title>
<sect3><title>Config files</title>
<para><filename>/etc/krb5.conf</filename> and
<filename>/var/lib/krb5kdc/kdc.conf</filename></para>
</sect3>
<sect3><title>Configuration Information</title>
<sect4><title>Kerberos Configuration</title>
<para>
Create the Kerberos configuration file with the following command:
</para>
<screen><userinput><command>cat &gt; /etc/krb5.conf &lt;&lt; "EOF"</command>
# Begin /etc/krb5.conf
[libdefaults]
default_realm = <replaceable>[LFS.ORG]</replaceable>
encrypt = true
[realms]
<replaceable>[LFS.ORG]</replaceable> = {
kdc = <replaceable>[belgarath.lfs.org]</replaceable>
admin_server = <replaceable>[belgarath.lfs.org]</replaceable>
}
[domain_realm]
.<replaceable>[lfs.org]</replaceable> = <replaceable>[LFS.ORG]</replaceable>
[logging]
kdc = SYSLOG[:INFO[:AUTH]]
admin_server = SYSLOG[INFO[:AUTH]]
default = SYSLOG[[:SYS]]
# End /etc/krb5.conf
<command>EOF</command></userinput></screen>
<para>
You will need to substitute your domain and proper hostname for the
occurances of the belgarath and lfs.org names.
</para>
<para>
<userinput>default_realm</userinput> should be the name of your domain changed to ALL CAPS.
This isn't required, but both Heimdal and <acronym>MIT</acronym>
recommend it.
</para>
<para>
<userinput>encrypt = true</userinput> provides encryption of all traffic between kerberized
clients and servers. It's not necessary and can be left off. If you
leave it off, you can encrypt all traffic from the client to the server
using a switch on the client program instead.
</para>
<para>
The <userinput>[realms]</userinput> parameters tell the client programs where to look for the
<acronym>KDC</acronym> authentication services.
</para>
<para>
The <userinput>[domain_realm]</userinput> section maps a domain to a realm.
</para>
<para>
Create the <acronym>KDC</acronym> database:
</para>
<screen><userinput><command>kdb5_util create -r <replaceable>[LFS.ORG]</replaceable> -s </command></userinput></screen>
<para>
Now we need to populate the database with principles (users). For now,
just use your regular login name or root.
</para>
<screen><userinput><command>kadmin.local</command></userinput>
<prompt>kadmin:</prompt><userinput><command>addprinc <replaceable>[loginname]</replaceable></command></userinput></screen>
<para>
The <acronym>KDC</acronym> server and any machine running kerberized
server daemons must have a host key installed:
</para>
<screen><prompt>kadmin:</prompt><userinput><command>addprinc --randkey host/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
<para>
After choosing the defaults when prompted, you will have to export the
data to a keytab file:
</para>
<screen><prompt>kadmin:</prompt><userinput><command>ktadd host/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
<para>
This should have created a file in
<filename class="directory">/etc</filename> named
<filename>krb5.keytab</filename> (Kerberos 5). This file should have 600
(root rw only) permissions. Keeping the keytab files from public access
is crucial to the overall security of the Kerberos installation.
</para>
<para>
Eventually, you'll want to add server daemon principles to the database
and extract them to the keytab file. You do this in the same way you
created the host principles. Below is an example:
</para>
<screen><prompt>kadmin:</prompt><userinput><command>addprinc --randkey ftp/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput>
<prompt>kadmin:</prompt><userinput><command>ktadd ftp/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
<para>
Exit the <command>kadmin</command> program (use <command>quit</command>
or <command>exit</command>) and return back to the shell prompt. Start
the <acronym>KDC</acronym> daemon manually, just to test out the
installation:
</para>
<screen><userinput><command>/usr/sbin/krb5kdc &amp;</command></userinput></screen>
<para>
Attempt to get a ticket with the following command:
</para>
<screen><userinput><command>kinit <replaceable>[loginname]</replaceable></command></userinput></screen>
<para>
You will be prompted for the password you created. After you get your
ticket, you can list it with the following command:
</para>
<screen><userinput><command>klist</command></userinput></screen>
<para>
Information about the ticket should be displayed on the screen.
</para>
<para>
To test the functionality of the keytab file, issue the following
command:
</para>
<screen><userinput><command>ktutil</command></userinput>
<prompt>ktutil:</prompt><userinput><command>rkt /etc/krb5.keytab</command></userinput>
<prompt>ktutil:</prompt><userinput><command>l</command></userinput></screen>
<para>
This should dump a list of the host principal, along with the encryption
methods used to access the principal.
</para>
<para>
At this point, if everything has been successful so far, you can feel
fairly confident in the installation and configuration of the package.
</para>
<para>Install the <filename>/etc/rc.d/init.d/kerberos</filename> init script
included in the <xref linkend="intro-important-bootscripts"/>
package.</para>
<screen><userinput><command>make install-kerberos</command></userinput></screen>
</sect4>
<sect4><title>Using Kerberized Client Programs</title>
<para>
To use the kerberized client programs (<command>telnet</command>,
<command>ftp</command>, <command>rsh</command>,
<command>rcp</command>, <command>rlogin</command>), you first must get
an authentication ticket. Use the <command>kinit</command> program to
get the ticket. After you've acquired the ticket, you can use the
kerberized programs to connect to any kerberized server on the network.
You will not be prompted for authentication until your ticket expires
(default is one day), unless you specify a different user as a command
line argument to the program.
</para>
<para>
The kerberized programs will connect to non kerberized daemons, warning
you that authentication is not encrypted.</para></sect4>
<sect4><title>Using Kerberized Server Programs</title>
<para>Using kerberized server programs (<command>telnetd</command>,
<command>kpropd</command>,
<command>klogind</command> and <command>kshd</command>) requires two additional configuration steps.
First the <filename>/etc/services</filename> file must be updated to
include eklogin and krb5_prop. Second, the
<filename>inetd.conf</filename> or <filename>xinetd.conf</filename> must
be modified for each server that will be activated, usually replacing
the server from <application>inetutils</application>.</para></sect4>
<sect4><title>Additional Information</title>
<para>
For additional information consult <ulink
url="http://web.mit.edu/kerberos/www/krb5-1.3/#documentation">Documentation
for krb-&mitkrb-version;</ulink> on which the above instructions are based.
</para>
</sect4>
</sect3>
</sect2>
<sect2>
<title>Contents</title>
<para>The <application>MIT krb5</application> package contains
<command>compile-et</command>,
<command>ftp</command>,
<command>ftpd</command>,
<command>gss-client</command>,
<command>gss-server</command>,
<command>k5srvutil</command>,
<command>kadmin</command>,
<command>kadmin.local</command>,
<command>kadmind</command>,
<command>kadmind4</command>,
<command>kdb5_util</command>
<command>kdestroy</command>,
<command>kinit</command>,
<command>klist</command>,
<command>klogind</command>,
<command>kpasswd</command>,
<command>kprop</command>,
<command>kpropd</command>,
<command>krb5-send-pr</command>,
<command>krb5-config</command>,
<command>krb524d</command>,
<command>krb524init</command>,
<command>krb5kdc</command>,
<command>kshd</command>,
<command>ksu</command>,
<command>ktutil</command>,
<command>kvno</command>,
<command>login.krb5</command>,
<command>rcp</command>,
<command>rlogin</command>,
<command>rsh</command>,
<command>rshd</command>,
<command>rxtelnet</command>,
<command>rxterm</command>,
<command>sclient</command>,
<command>sim_client</command>,
<command>sim_server</command>,
<command>sserver</command>,
<command>telnet</command>,
<command>telnetd</command>,
<command>uuclient</command>,
<command>uuserver</command>,
<command>v5passwd</command>,
<command>v5passwdd</command>,
<filename class="libraryfile">libcom_err</filename>,
<filename class="libraryfile">libdes425</filename>,
<filename class="libraryfile">libgssapi</filename>,
<filename class="libraryfile">libgssrpc</filename>,
<filename class="libraryfile">lib5crypto</filename>,
<filename class="libraryfile">libkadm5clnt</filename>,
<filename class="libraryfile">libkadm5srv</filename>,
<filename class="libraryfile">libkdb5</filename>,
<filename class="libraryfile">libkrb4</filename>,
<filename class="libraryfile">libkrb5</filename>.</para>
</sect2>
<sect2><title>Description</title>
<sect3><title>compile_et</title>
<para><command>compile_et</command> converts the table listing
error-code names into a <application>C</application> source file.</para></sect3>
<sect3><title>k5srvutil</title>
<para><command>k5srvutil</command> is a host keytable manipulation
utility.</para></sect3>
<sect3><title>kadmin</title>
<para><command>kadmin</command> is an utility used to make modifications
to the Kerberos database.</para></sect3>
<sect3><title>kadmind</title>
<para><command>kadmind</command> is a server for administrative access
to Kerberos database.</para></sect3>
<sect3><title>kinit</title>
<para><command>kinit</command> is used to
authenticate to the Kerberos server as principal and acquire a ticket
granting ticket that can later be used to obtain tickets for other
services.</para></sect3>
<sect3><title>krb5kdc</title>
<para><command>kdc</command> is a Kerberos 5 server.</para></sect3>
<sect3><title>kdestroy</title>
<para><command>kdestroy</command> removes the current set of
tickets.</para></sect3>
<sect3><title>kdb5_util</title>
<para><command>kdb5_util</command> is the <acronym>KDC</acronym>
database utility.</para></sect3>
<sect3><title>klist</title>
<para><command>klist</command> reads and displays the current tickets in
the credential cache.</para></sect3>
<sect3><title>klogind</title>
<para><command>klogind</command> is the server that responds to rlogin
requests.</para></sect3>
<sect3><title>kpasswd</title>
<para><command>kpasswd</command> is a program for changing Kerberos 5
passwords.</para></sect3>
<sect3><title>kprop</title>
<para><command>kprop</command> takes a principal database in a specified
format and converts it into a stream of database
records.</para></sect3>
<sect3><title>kpropd</title>
<para><command>kpropd</command> receives a database sent by
<command>hprop</command> and writes it as a local
database.</para></sect3>
<sect3><title>krb5-config</title>
<para><command>krb5-config</command> gives information on how to link
programs against libraries.</para></sect3>
<sect3><title>ksu</title>
<para><command>ksu</command> is the super user program using Kerberos
protocol. Requires a properly configured
<filename>/etc/shells</filename> and <filename>~/.k5login</filename>
containing principals authorized to become super users.</para></sect3>
<sect3><title>ktutil</title>
<para><command>ktutil</command> is a program for managing Kerberos
keytabs.</para></sect3>
<sect3><title>kvno</title>
<para><command>kvno</command> prints keyversion numbers of Kerberos
principals.</para></sect3>
</sect2>
</sect1>
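Review bot: the [logging] block written by the krb5.conf heredoc copies the manual's option notation literally: kdc = SYSLOG[:INFO[:AUTH]], admin_server = SYSLOG[INFO[:AUTH]] (note the missing colon) and default = SYSLOG[[:SYS]]. The square brackets mark optional parts of the SYSLOG[:severity[:facility]] syntax; written into the file as-is they are not valid values, and the three lines do not even agree with each other. Use literal settings such as kdc = SYSLOG:INFO:AUTH, admin_server = SYSLOG:INFO:AUTH and default = SYSLOG. In the kadmin steps, addprinc --randkey is Heimdal spelling; MIT kadmin takes -randkey with a single dash, and with a random key there is no password prompt, so "After choosing the defaults when prompted" does not apply to that step. The Description section is partly lifted from the Heimdal page: kpropd is said to receive a database "sent by hprop" (hprop is Heimdal's tool, the MIT counterpart is the kprop listed two entries earlier), the kprop text describes hprop rather than MIT kprop, and the krb5kdc entry calls the binary "kdc". The Contents list spells compile-et and lib5crypto while the Description and the install commands use compile_et and libk5crypto, and a comma is missing after kdb5_util; "principles" should be "principals" and "occurances" should be "occurrences". The empty mitkrb-download-ftp entity (" ") renders as a ulink with a blank URL. Finally, the statement that kerberized clients will connect to non-kerberized daemons "warning you that authentication is not encrypted" should say plainly what that means: the fallback is a cleartext password login, so readers relying on these clients for security need to know to refuse it.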

View File

@ -1,3 +1,10 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
]>
<chapter id="postlfs-security">
<?dbhtml filename="security.html"?>
<title>Security</title>
@ -22,15 +29,14 @@ the packager creates it.</para>
of critical files (defined by the administrator) and then regenerates those
"signatures" and compares for files that have been changed.</para>
&cracklib;
&Linux_PAM;
&shadow;
&iptables;
&postlfs-security-fw;
&gnupg;
&tripwire;
&heimdal;
&mitkrb;
<!--&postlfs-security-syslog;-->
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="cracklib.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="linux_pam.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="shadow.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="iptables.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="firewalling.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="gnupg.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="tripwire.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="heimdal.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="mitkrb.xml"/>
</chapter>
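Review bot: the xi:include elements declare the namespace http://www.w3.org/2003/XInclude, which is the working-draft namespace; XInclude 1.0 as finalised uses http://www.w3.org/2001/XInclude, and processors built against the final specification treat the 2003 URI as a legacy alias at best. Switch the xmlns:xi value to the 2001 namespace, otherwise the included files may silently fail to be pulled in and the chapter will render empty.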

View File

@ -1,3 +1,10 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
]>
<sect1 id="shadow">
<?dbhtml filename="shadow.html"?>
<title>Shadow-&shadow-version;</title>
@ -23,9 +30,193 @@ Passwords created after this change will be encrypted using
</para>
</sect2>
-->
&shadow-intro;
&shadow-inst;
&shadow-exp;
&shadow-config;
<sect2>
<title>Introduction to <application>Shadow</application></title>
<para>Shadow was indeed installed in <acronym>LFS</acronym> and there is
no reason to reinstall it unless you installed
<application>Linux-<acronym>PAM</acronym></application>. If you did,
this will allow programs like <command>login</command> and
<command>su</command> to utilize
<acronym>PAM</acronym>.</para>
<sect3><title>Additional downloads</title>
<itemizedlist spacing='compact'>
<listitem><para>Patch to fix linking against PAM:
<ulink url="&patch-root;/shadow-&shadow-version;-pam-1.patch"/></para></listitem>
</itemizedlist>
</sect3>
<sect3><title><application>Shadow</application> dependencies</title>
<sect4><title>Required</title>
<para><xref linkend="Linux_PAM"/></para></sect4>
</sect3>
</sect2>
<sect2>
<title>Installation of <application>shadow</application></title>
<para>Reinstall shadow by running the following commands:</para>
<screen><userinput><command>patch -Np1 -i ../shadow-&shadow-version;-pam-1.patch &amp;&amp;
LIBS="-lpam -lpam_misc" ./configure --libdir=/usr/lib \
--enable-shared --with-libpam --without-libcrack &amp;&amp;
echo '#define HAVE_SETLOCALE 1' >> config.h &amp;&amp;
make &amp;&amp;
make install &amp;&amp;
mv /bin/sg /usr/bin &amp;&amp;
mv /bin/vigr /usr/sbin &amp;&amp;
rm /bin/groups &amp;&amp;
mv /usr/lib/lib{misc,shadow}.so.0* /lib &amp;&amp;
ln -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so &amp;&amp;
ln -sf ../../lib/libmisc.so.0 /usr/lib/libmisc.so</command></userinput></screen>
</sect2>
<sect2>
<title>Command explanations</title>
<para><parameter>--without-libcrack</parameter>: This switch tells shadow
not to use libcrack. This is desired as
<application>Linux-<acronym>PAM</acronym></application> already
contains libcrack.</para>
<!-- Leftover from older instructions????
<para><command>cp debian/securetty /etc/securetty</command>: This
command sets the tty's that allow logins through <acronym>PAM</acronym>.</para>
-->
</sect2>
<sect2>
<title>Configuring <application><acronym>PAM</acronym></application> to work
with <application>shadow</application></title>
<sect3><title>Config files</title>
<para><filename>/etc/pam.d/login</filename>,
<filename>/etc/pam.d/passwd</filename>,
<filename>/etc/pam.d/su</filename>,
<filename>/etc/pam.d/shadow</filename>, and
<filename>/etc/pam.d/useradd</filename></para>
</sect3>
<sect3><title>Configuration Information</title>
<para>Add the following <application><acronym>PAM</acronym></application>
configuration files to <filename class="directory">/etc/pam.d</filename> (or add them to
<filename>/etc/pam.conf</filename> with the additional field for the program).
</para>
<screen><userinput><command>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/login
auth requisite pam_securetty.so
auth requisite pam_nologin.so
auth required pam_env.so
auth required pam_unix.so
account required pam_access.so
account required pam_unix.so
session required pam_motd.so
session required pam_limits.so
session optional pam_mail.so dir=/var/mail standard
session optional pam_lastlog.so
session required pam_unix.so
# End /etc/pam.d/login
<command>EOF
cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/passwd
password required pam_unix.so md5 shadow
# End /etc/pam.d/passwd
<command>EOF
cat &gt; /etc/pam.d/shadow &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/shadow
auth sufficient pam_rootok.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
password required pam_permit.so
# End /etc/pam.d/shadow
<command>EOF
cat &gt; /etc/pam.d/su &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/su
auth sufficient pam_rootok.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
# End /etc/pam.d/su
<command>EOF
cat &gt; /etc/pam.d/useradd &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/useradd
auth sufficient pam_rootok.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
password required pam_permit.so
# End /etc/pam.d/useradd
<command>EOF
cat &gt; /etc/pam.d/chage &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/chage
auth sufficient pam_rootok.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
password required pam_permit.so
# End /etc/pam.d/chage
<command>EOF</command></userinput></screen>
<para>Currently, <filename>/etc/pam.d/other</filename> is configured to
allow anyone with an account on the machine to use programs
that do not specifically have a configuration file of their own. After
testing <application><acronym>PAM</acronym></application> for proper
configuration, it can be changed to the following:</para>
<screen><userinput><command>cat &gt; /etc/pam.d/other &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/other
auth required pam_deny.so
auth required pam_warn.so
account required pam_deny.so
session required pam_deny.so
password required pam_deny.so
password required pam_warn.so
# End /etc/pam.d/other
<command>EOF</command></userinput></screen>
<para>Finally, edit <filename>/etc/login.defs</filename> by adding '#'
to the beginning of the following lines:</para>
<screen>LASTLOG_ENAB
MAIL_CHECK_ENAB
PORTTIME_CHECKS_ENAB
CONSOLE
MOTD_FILE
NOLOGINS_FILE
PASS_MIN_LEN
SU_WHEEL_ONLY
MD5_CRYPT_ENAB
CONSOLE_GROUPS
ENVIRON_FILE</screen>
<para>This stops <command>login</command> from performing these functions, as
they will now be performed by <acronym>PAM</acronym> modules.</para>
</sect3>
</sect2>
</sect1>
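Review bot: commenting out SU_WHEEL_ONLY and PASS_MIN_LEN in /etc/login.defs on the grounds that these functions "will now be performed by PAM modules" is not true of the PAM files this hunk supplies: /etc/pam.d/su has no pam_wheel.so line and /etc/pam.d/passwd is the single line password required pam_unix.so md5 shadow with no pam_cracklib.so, so both restrictions simply disappear (PORTTIME_CHECKS_ENAB, which would need pam_time, and CONSOLE_GROUPS have no PAM counterpart in these files either). Either add the equivalents, for instance auth required pam_wheel.so use_uid ahead of pam_unix.so in su and password required pam_cracklib.so retry=3 ahead of password required pam_unix.so md5 shadow use_authtok in passwd (the Linux-PAM page lists cracklib as an optional dependency for exactly this purpose), or leave those login.defs settings in place and name only the ones the supplied files actually replace. Two smaller points: the "Config files" list omits /etc/pam.d/chage, which the commands create; and the hardened /etc/pam.d/other logs denied auth and password attempts through pam_warn but not denied account or session attempts, so add pam_warn after pam_deny in those two stacks as well.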

View File

@ -1,12 +1,190 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
<!ENTITY tripwire-download-http "http://prdownloads.sourceforge.net/tripwire/tripwire-&tripwire-version;.tar.gz">
<!ENTITY tripwire-download-ftp "ftp://ftp.fu-berlin.de/unix/security/tripwire/tripwire-&tripwire-version;.tar.gz">
<!ENTITY tripwire-size "1.4 MB">
<!ENTITY tripwire-buildsize "63 MB">
<!ENTITY tripwire-time "2.35 SBU">
]>
<sect1 id="tripwire" xreflabel="Tripwire-&tripwire-version;">
<?dbhtml filename="tripwire.html"?>
<title>Tripwire-&tripwire-version;</title>
&tripwire-intro;
&tripwire-inst;
&tripwire-exp;
&tripwire-config;
&tripwire-desc;
<sect2>
<title>Introduction to <application>Tripwire</application></title>
<para>The <application>Tripwire</application> package contains the programs
used by <application>Tripwire</application> to verify the integrity of the
files on a given system.</para>
<sect3><title>Package information</title>
<itemizedlist spacing='compact'>
<listitem><para>Download (HTTP): <ulink
url="&tripwire-download-http;"/></para></listitem>
<listitem><para>Download (FTP): <ulink
url="&tripwire-download-ftp;"/></para></listitem>
<listitem><para>Download size: &tripwire-size;</para></listitem>
<listitem><para>Estimated Disk space required:
&tripwire-buildsize;</para></listitem>
<listitem><para>Estimated build time:
&tripwire-time;</para></listitem></itemizedlist>
</sect3>
<sect3><title>Additional downloads</title>
<itemizedlist spacing='compact'>
<listitem><para>Required patch to fix multiple build issues (see patch for more information):
<ulink url="&patch-root;/tripwire-&tripwire-version;-gcc3-build-fixes.patch"/></para></listitem>
</itemizedlist>
</sect3>
<sect3><title><application>Shadow</application> dependencies</title>
<sect4><title>Optional</title>
<para>MTA (See <xref linkend="server-mail"/>)</para></sect4>
</sect3>
</sect2>
<sect2>
<title>Installation of <application>Tripwire</application></title>
<para>Compile <application>Tripwire</application> by running the following
commands:</para>
<screen><userinput><command>patch -Np1 -i ../tripwire-&tripwire-version;-gcc3-build-fixes.patch &amp;&amp;
make -C src release &amp;&amp;
cp install/install.{sh,cfg} .</command></userinput></screen>
<para>The default configuration is to use a local MTA. If you don't have
a MTA installed and have no wish to install one, modify the
<filename>install.cfg</filename> to use an SMTP server instead.
Install <application>Tripwire</application> by running the following
commands:</para>
<screen><userinput><command>./install.sh &amp;&amp;
cp /etc/tripwire/tw.cfg /usr/sbin &amp;&amp;
cp policy/*.txt /usr/share/doc/tripwire</command></userinput></screen>
</sect2>
<sect2>
<title>Command explanations</title>
<para><command>make release</command>: This command creates the
<application>Tripwire</application> binaries.</para>
<para><command>cp install.{sh,cfg} .</command>: These are copied to the main
<application>Tripwire</application> directory so that the script can be used to
install the package.</para>
<para><command>cp policy/*.txt /usr/share/doc/tripwire</command>: This command
installs the documentation.</para>
</sect2>
<sect2>
<title>Configuring <application>Tripwire</application></title>
<sect3><title>Config files</title>
<para><filename class="directory">/etc/tripwire</filename></para>
</sect3>
<sect3><title>Configuration Information</title>
<para><application>Tripwire</application> uses a policy file to determine which
files integrity are checked. The default policy file (<filename>twpol.txt
</filename> found in <filename class="directory">/etc/tripwire/</filename>) is for a default
installation of Redhat 7.0 and is woefully outdated.</para>
<para>Policy files are also a custom thing and should be tailored to each
individual distribution and/or installation. Some custom policy files can be
found below: </para>
<screen><ulink url="http://home.iprimus.com.au/glombowski/blfs/twpol-all.txt">http://home.iprimus.com.au/glombowski/blfs/twpol-all.txt</ulink>
Checks integrity of all files
<ulink url="http://home.iprimus.com.au/glombowski/blfs/twpol-lfs.txt">http://home.iprimus.com.au/glombowski/blfs/twpol-lfs.txt</ulink>
Custom policy file for Base LFS 3.0 system
<ulink url="http://home.iprimus.com.au/glombowski/blfs/twpol-suse7.2.txt">http://home.iprimus.com.au/glombowski/blfs/twpol-suse7.2.txt</ulink>
Custom policy file for SuSE 7.2 system</screen>
<para>Download the custom policy file you'd like to try, copy it into
<filename class="directory">/etc/tripwire/</filename>, and use it instead of
<filename>twpol.txt</filename>. It is, however, recommended that you make your own policy file.
Get ideas from the examples above and read <filename>
/usr/share/doc/tripwire/policyguide.txt</filename>. <filename>twpol.txt
</filename> is a good policy file for beginners as it will note any changes to
the file system and can even be used as an annoying way of keeping track of
changes for uninstallation of software.</para>
<para>After your policy file has been transferred to <filename
class="directory">/etc/tripwire/</filename> you may begin the configuration steps:</para>
<screen><userinput><command>twadmin -m P /etc/tripwire/twpol.txt &amp;&amp;
tripwire -m i</command></userinput></screen>
<para>During installation <application>Tripwire</application> will create two
(2) keys: a site key and a local key which will be stored in <filename
class="directory">/etc/tripwire/</filename>.</para>
</sect3>
<sect3><title>Usage Information</title>
<para>To use <application>Tripwire</application> after this and run a report,
use the following command:</para>
<screen><userinput><command>tripwire -m c &gt; /etc/tripwire/report.txt</command></userinput></screen>
<para>View the output to check the integrity of your files. An automatic
integrity report can be produced by using a cron facility to schedule
the runs. </para>
<para>Please note that after you run an integrity check, you must check
the report or email and then modify the
<application>Tripwire</application> database of the files
on your system so that <application>Tripwire</application> will not continually notify you that
files you intentionally changed are a security violation. To do this you
must first <command>ls -l /var/lib/tripwire/report/</command> and note
the name of the newest file which starts with <filename>linux-</filename> and
ends in <filename>.twr</filename>. This encrypted file was created during the
last report creation and is needed to update the
<application>Tripwire</application> database of your
system. Then, type in the following command making the appropriate
substitutions for '?':</para>
<screen><userinput><command>tripwire -m u -r /var/lib/tripwire/report/linux-???????-??????.twr </command></userinput></screen>
<para>You will be placed into vim with a copy of the report in front of you. If
all the changes were good, then just type <command>:x</command> and after
entering your local key, the database will be updated. If there are files which
you still want to be warned about, please remove the x before the filename in
the report and type <command>:x</command>. </para>
</sect3>
<sect3><title>Changing the Policy File</title>
<para>If you are unhappy with your policy file and would like to modify it or
use a new one, modify the policy file and then execute the following
commands:</para>
<screen><userinput><command>twadmin -m P /etc/tripwire/twpol.txt &amp;&amp;
tripwire -m i</command></userinput></screen>
</sect3>
</sect2>
<sect2>
<title>Contents</title>
<para>The <application>Tripwire</application> package contains <command>siggen
</command>,
<command>tripwire</command>, <command>twadmin</command>
and <command>twprint</command>.</para>
</sect2>
</sect1>
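Review bot: the update step tells the reader to look for a report file whose name starts with `linux-` (the `ls -l /var/lib/tripwire/report/` paragraph and the `tripwire -m u -r /var/lib/tripwire/report/linux-???????-??????.twr` command), but that prefix is the reporting host's name as expanded from the report-file setting in the Tripwire configuration, not a fixed string, so a reader whose hostname is not `linux` will find no such file; say that the file is named `<hostname>-<date>-<time>.twr`, or have the reader select the newest report with something like `ls -t /var/lib/tripwire/report/*.twr | head -n 1`, instead of hard-coding `linux-`. Smaller points in the same hunk: "determine which files integrity are checked" should read "which files' integrity is checked", and "You will be placed into vim" only holds if the editor setting in the Tripwire configuration points at vim, which is worth stating.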