Date: Sun, 19 Aug 2018 11:58:48 +0000 (UTC) From: Benedict Reuschling <bcr@FreeBSD.org> To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r52158 - head/en_US.ISO8859-1/books/handbook/security Message-ID: <201808191158.w7JBwmrj076401@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: bcr Date: Sun Aug 19 11:58:47 2018 New Revision: 52158 URL: https://svnweb.freebsd.org/changeset/doc/52158 Log: Properly wrap overlong lines reported by textproc/igor. Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/security/chapter.xml Sun Aug 19 11:58:01 2018 (r52157) +++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml Sun Aug 19 11:58:47 2018 (r52158) @@ -419,8 +419,8 @@ Enter new password:</screen> the most prudent security or systems engineer will miss something an attacker left behind.</para> - <para>A rootkit does do one thing useful for administrators: once - detected, it is a sign that a compromise happened at some + <para>A rootkit does do one thing useful for administrators: + once detected, it is a sign that a compromise happened at some point. But, these types of applications tend to be very well hidden. This section demonstrates a tool that can be used to detect rootkits, <package>security/rkhunter</package>.</para> @@ -2127,9 +2127,10 @@ Connection closed by foreign host.</screen> information on the <acronym>IPsec</acronym> subsystem in &os;.</para> - <para><acronym>IPsec</acronym> support is enabled by default on &os; 11 and later. - For previous versions of &os;, add these options to a custom kernel - configuration file and rebuild the kernel using the instructions in <xref + <para><acronym>IPsec</acronym> support is enabled by default on + &os; 11 and later. For previous versions of &os;, add + these options to a custom kernel configuration file and rebuild + the kernel using the instructions in <xref linkend="kernelconfig"/>:</para> <indexterm> @@ -3986,16 +3987,16 @@ jail:httpd:memoryuse:deny=2G/jail</programlisting> is no reason to provide such access to end users because tools exist to manage this exact requirement.</para> - <para>Up to this point, the security chapter has covered permitting - access to authorized users and attempting to prevent unauthorized - access. Another problem arises once authorized users have access - to the system resources. In many cases, some users may need - access to application startup scripts, or a team of - administrators need to maintain the system. Traditionally, the - standard users and groups, file permissions, and even the - &man.su.1; command would manage this access. And as applications - required more access, as more users needed to use system - resources, a better solution was required. The most used + <para>Up to this point, the security chapter has covered + permitting access to authorized users and attempting to prevent + unauthorized access. Another problem arises once authorized + users have access to the system resources. In many cases, some + users may need access to application startup scripts, or a team + of administrators need to maintain the system. Traditionally, + the standard users and groups, file permissions, and even the + &man.su.1; command would manage this access. And as + applications required more access, as more users needed to use + system resources, a better solution was required. The most used application is currently <application>Sudo</application>.</para> <para><application>Sudo</application> allows administrators @@ -4051,8 +4052,8 @@ jail:httpd:memoryuse:deny=2G/jail</programlisting> <programlisting>%webteam ALL=(ALL) /usr/sbin/service webservice *</programlisting> - <para>Unlike &man.su.1;, <application>Sudo</application> - only requires the end user password. This adds an advantage where + <para>Unlike &man.su.1;, <application>Sudo</application> only + requires the end user password. This adds an advantage where users will not need shared passwords, a finding in most security audits and just bad all the way around.</para> @@ -4066,13 +4067,12 @@ jail:httpd:memoryuse:deny=2G/jail</programlisting> <tip> <para>Most organizations are moving or have moved toward a two - factor authentication model. In these cases, the user may - not have a password to enter. <application>Sudo</application> + factor authentication model. In these cases, the user may not + have a password to enter. <application>Sudo</application> provides for these cases with the <literal>NOPASSWD</literal> - variable. Adding it to the configuration above - will allow all members of the <replaceable>webteam</replaceable> - group to manage the service without the password - requirement:</para> + variable. Adding it to the configuration above will allow all + members of the <replaceable>webteam</replaceable> group to + manage the service without the password requirement:</para> <programlisting>%webteam ALL=(ALL) NOPASSWD: /usr/sbin/service webservice *</programlisting> </tip> @@ -4098,17 +4098,17 @@ jail:httpd:memoryuse:deny=2G/jail</programlisting> <para>This directory will be created automatically after the logging is configured. It is best to let the system create directory with default permissions just to be safe. In - addition, this entry will also log administrators who use the - <application>sudoreplay</application> command. To change - this behavior, read and uncomment the logging options inside - <filename>sudoers</filename>.</para> + addition, this entry will also log administrators who use + the <application>sudoreplay</application> command. To + change this behavior, read and uncomment the logging options + inside <filename>sudoers</filename>.</para> </tip> <para>Once this directive has been added to the - <filename>sudoers</filename> file, any user configuration - can be updated with the request to log access. In the - example shown, the updated <replaceable>webteam</replaceable> - entry would have the following additional changes:</para> + <filename>sudoers</filename> file, any user configuration can + be updated with the request to log access. In the example + shown, the updated <replaceable>webteam</replaceable> entry + would have the following additional changes:</para> <programlisting>%webteam ALL=(ALL) NOPASSWD: LOG_INPUT: LOG_OUTPUT: /usr/sbin/service webservice *</programlisting> @@ -4120,20 +4120,20 @@ jail:httpd:memoryuse:deny=2G/jail</programlisting> <screen>&prompt.root; <userinput>sudoreplay -l</userinput></screen> - <para>In the output, to replay a specific session, search for the - <literal>TSID=</literal> entry, and pass that to + <para>In the output, to replay a specific session, search for + the <literal>TSID=</literal> entry, and pass that to <application>sudoreplay</application> with no other options to replay the session at normal speed. For example:</para> <screen>&prompt.root; <userinput>sudoreplay user1/00/00/02</userinput></screen> <warning> - <para>While sessions are logged, any administrator is - able to remove sessions and leave only a question of why they - had done so. It is worthwhile to add a daily check - through an intrusion detection system (<acronym>IDS</acronym>) - or similar software so that other administrators are alerted - to manual alterations.</para> + <para>While sessions are logged, any administrator is able to + remove sessions and leave only a question of why they had + done so. It is worthwhile to add a daily check through an + intrusion detection system (<acronym>IDS</acronym>) or + similar software so that other administrators are alerted to + manual alterations.</para> </warning> <para>The <command>sudoreplay</command> is extremely extendable.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201808191158.w7JBwmrj076401>