Date: Thu, 9 Aug 2001 07:10:28 -0700 (PDT)
From: John Murphy <jfm@blueyonder.co.uk>
To: freebsd-gnats-submit@freebsd.org
Subject: docs/29566: some punctuation etc. for Handbook Chapter 10. Security
Message-ID: <200108091410.f79EASH34226@freefall.freebsd.org>
>Number: 29566 >Category: docs >Synopsis: some punctuation etc. for Handbook Chapter 10. Security >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-doc >State: open >Quarter: >Keywords: >Date-Required: >Class: doc-bug >Submitter-Id: current-users >Arrival-Date: Thu Aug 09 07:20:01 PDT 2001 >Closed-Date: >Last-Modified: >Originator: John Murphy >Release: 4.x Stable >Organization: none. >Environment: Not Relevant >Description: Fixed some typos, added some commas and a couple of emphasis tags to: doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml Revision 1.64 The diff should apply against Revision 1.65 as line numbers are the same. (This is my first attempt to send a diff via the web interface to send-pr. Let me know if I must use a different method, thanks.) >How-To-Repeat: >Fix: diff for doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml (v1.64) It should apply against Revision 1.65 ok. 54,55c54,55 < attack, including attacks that attempt to crash or otherwise make a < system unusable but do not attempt to break root. Security concerns --- > attack, including attacks that attempt to crash, or otherwise make a > system unusable, but do not attempt to break root. Security concerns 95c95 < D.O.S. attacks try to take advantages of bugs in the networking --- > D.O.S. attacks try to take advantage of bugs in the networking 101c101 < spoofed-packet attack, for example, is nearly impossible to stop --- > spoofed-packet attack, for example, is nearly impossible to stop, 128c128 < nothing more than mess with the user's files or crash the machine. --- > nothing more than mess with the user's files, or crash the machine. 148c148 < backdoors. Backdoors provide the attacker with a way to easily --- > backdoors. 
A backdoor provides the attacker with a way to easily 152c152 < actually be detrimental to your security because it will not --- > actually be detrimental to your security, because it will not 297c297 < sessions which closes an important hole used by many --- > sessions, which closes an important hole used by many 310c310 < you should consider but you should also consider the fact that the --- > you should consider, but you should also consider the fact that the 317,319c317,319 < disable or change the password for a staff account in one place < and have it immediately effect all the machine the staff member < may have an account on. If a staff member's account gets --- > disable or change the password for a staff account in one place, > and have it immediately effect all the machines on which the staff > member may have an account. If a staff member's account gets 366c366 < user <literal>sandboxes</literal>. A sandbox isn't perfect unless --- > user <literal>sandboxes</literal>. A sandbox is not perfect, unless 406c406 < <para>The other big potential root hole in a system are the --- > <para>The other big potential root holes in a system are the 417,418c417,418 < sysadmin will restrict suid binaries that only staff should run to < a special group that only staff can access, and get rid of --- > sysadmin will restrict suid binaries, that only staff should run, > to a special group that only staff can access, and get rid of 422c422 < almost as dangerous. If an intruder can break an sgid-kmem binary --- > almost as dangerous. 
If an intruder can break an sgid-kmem binary, 442c442 < have sufficient control then you may win out and be able to secure --- > have sufficient control, then you may win out and be able to secure 446c446 < more problematic due to the extra administration and technical --- > more problematic, due to the extra administration and technical 488,489c488,489 < use a KLD module to install his own bpf device or other sniffing < device on a running kernel. To avoid these problems you have to --- > use a KLD module to install his own bpf device, or other sniffing > device, on a running kernel. To avoid these problems you have to 519c519 < <filename>/usr</filename> is probably counterproductive because --- > <filename>/usr</filename> is probably counterproductive, because 525c525 < of the onion is to slow down the attacker rather than stop him in --- > of the onion is to slow down the attacker, rather than stop him, in 539c539 < allow the limit-access box to <application>ssh</application> to --- > allow the limited-access box to <application>ssh</application> to 546c546 < hub or through several layers of routing, the NFS method may be --- > hub, or through several layers of routing, the NFS method may be 552c552 < <para>Once you give a limit-access box at least read access to the --- > <para>Once you give a limited-access box, at least read access to the 557c557 < boxes at least once a day, and to test control files such as those --- > at least once a day, and to test control files such as those 560c560 < mismatches are found relative to the base md5 information the --- > mismatches are found, relative to the base md5 information the 575c575 < unsecure links, but it's also a lot harder to deal with.</para> --- > unsecure links, but it is also a lot harder to deal with.</para> 584c584 < <para>If you have a huge amount of user disk space it may take too --- > <para>If you have a huge amount of user disk space, it may take too 589c589 < want to look into. 
You should probably scan them anyway at least --- > want to look into. You should probably scan them anyway, at least 600c600 < <para>Finally, security scripts should process the log files and the --- > <para>Finally, security scripts should process the log files, and the 615,621c615,621 < any number of security features as long as they do not effect < convenience, and can add security features that do effect < convenience with some added thought. Even more importantly, a < security administrator should mix it up a bit – if you use < recommendations such as those given by this document verbatim, you < give away your methodologies to the prospective attacker who also < has access to this document.</para> --- > any number of security features, as long as they do not effect > convenience, and can add security features that > <emphasis>do</emphasis> effect convenience with some added thought. > Even more importantly, a security administrator should mix it up a > bit – if you use recommendations such as those given by this > document verbatim, you give away your methodologies to the > prospective attacker who also has access to this document.</para> 650c650 < to cause the server to eat processes, file descriptors, and memory --- > to cause the server to eat processes, file descriptors, and memory, 653c653 < while it is possible to prevent a machine from going down it is --- > while it is possible to prevent a machine from going down, it is 663c663 < <option>-OMaxDaemonChildren</option> option which tends to work --- > <option>-OMaxDaemonChildren</option> option, which tends to work 666,668c666,668 < <literal>MaxDaemonChildren</literal> parameter when you start < <application>sendmail</application> high enough to handle your < expected load but no so high that the computer cannot handle that --- > <literal>MaxDaemonChildren</literal> parameter, when you start > <application>sendmail</application>, high enough to handle your > expected load, but not so high that the 
computer cannot handle that 676,677c676,678 < <literal>MaxDaemonChildren</literal> option for that sendmail to < prevent cascade failures.</para> --- > <literal>MaxDaemonChildren</literal> option for > <emphasis>that</emphasis> sendmail to prevent cascade failures. > </para> 704c705 < services or that you will add a new internal service and forget --- > services, or that you will add a new internal service and forget 706c707 < port range on the firewall to allow permissive-like operation --- > port range on the firewall, to allow permissive-like operation, 709c710 < binding via the various <literal>net.inet.ip.portrange</literal> --- > binding, via the various <literal>net.inet.ip.portrange</literal> 714c715 < 65535, then block everything under 4000 off in your firewall --- > 65535, then block off everything under 4000 in your firewall 779c780 < better it may be prudent to manually override both --- > better, it may be prudent to manually override both 782c783 < you want to crash the machine. Setting both --- > you want to crash the machine). Setting both 795c796 < authentication protocol but there are bugs in the kerberized --- > authentication protocol, but there are bugs in the kerberized 810c811 < duration of your login and if a attacker has broken root on the --- > duration of your login, and if an attacker has broken root on the 860c861 < Standard. This is not such a problem for users that live in --- > Standard. 
This was not such a problem for users resident in 864c865 < variants that still use DES.</para> --- > variants that still used DES.</para> 880c881 < Passwords encrypted with the MD5 hash are longer than those with --- > Passwords encrypted with the MD5 hash are longer than those 899c900 < against libcrypt which for each type of library is a symbolic link --- > against libcrypt, which for each type of library is a symbolic link 983c984 < to initialized S/Key, and to change passwords, iteration counts, or --- > to initialize S/Key, and to change passwords, iteration counts, or 1264c1265 < database, of if Kerberos is not running, simply delete the extra --- > database, or if Kerberos is not running, simply delete the extra 1432c1433 < renamed to <filename>srvtab</filename> so that all the server can pick --- > renamed to <filename>srvtab</filename> so that all the servers can pick 1958c1959 < <para>If an <emphasis>index</emphasis> value is supplied, it used to --- > <para>If an <emphasis>index</emphasis> value is supplied, it is used to 2172c2173 < connection (the SYN bit set is set but the ACK bit is --- > connection (the SYN bit is set but the ACK bit is 2351c2352 < packet can be passed on. syslogd with also start using up a lot --- > packet can be passed on. syslogd will also start using up a lot 2386c2387 < traffic there is normally a security threat (e.g. Suns RPC and --- > traffic there is, is normally a security threat (e.g. 
Suns RPC and 2391c2392 < If you want to allow access to archie, you'll have to allow --- > If you want to allow access to archie, you will have to allow 2478c2479 < <para>The IPsec mechanism provides secure communication either for IP --- > <para>The IPsec mechanism provides secure communication for IP 2499c2500 < <para>Let's setup security association to deploy a secure channel --- > <para>Let us setup security association to deploy a secure channel 2504c2505 < <para>Now we should choose algorithm to be used corresponding to --- > <para>Now we should choose an algorithm to be used corresponding to 2514c2515 < <para>OK, let's assign SPI (Security Parameter Index) for each protocol. --- > <para>OK, let us assign SPI (Security Parameter Index) for each protocol. 2549c2550 < <para>Now, let's setup security association. Execute &man.setkey.8; --- > <para>Now, let us setup security association. Execute &man.setkey.8; 2560,2561c2561,2562 < <para>Actually, IPsec communication doesn't process until security policy < entries will be defined. In this case, you must setup each host.</para> --- > <para>Actually, IPsec communication does not process until security policy > entries are defined. In this case, you must setup each host.</para> 2678c2679 < <para>If port number field is omitted such above then "[any]" is --- > <para>If the port number field is omitted such as above then "[any]" is 2862,2863c2863,2864 < client connects. The user is prompted to enter 'yes' only during < the first time connecting. Future attempts to login are all --- > client connects. The user is prompted to enter 'yes' only when > connecting for the first time. Future attempts to login are all >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-doc" in the body of the message
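Review bot: the comma added before "or" in the 54,55 hunk splits a two-part verb phrase rather than separating clauses: `> attack, including attacks that attempt to crash, or otherwise make a` / `> system unusable, but do not attempt to break root.` reads better as "attempt to crash or otherwise make a system unusable, but do not attempt to break root", keeping only the comma before "but". The same pattern appears in the 128c128 hunk ("mess with the user's files, or crash the machine"), where the comma before "or" is likewise unnecessary.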
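Review bot: "effect" should be "affect" in the 317,319 hunk. The replacement line `> and have it immediately effect all the machines on which the staff` means "influence all the machines", which is the verb "affect"; since this line is already being rewritten, change it to "immediately affect all the machines". The rest of the hunk (fixing "all the machine" and the dangling "may have an account on") is a clear improvement.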
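Review bot: the commas added in the 417,418 hunk turn a restrictive clause into a non-restrictive one and change the meaning. `> sysadmin will restrict suid binaries, that only staff should run,` / `> to a special group that only staff can access, and get rid of` now says that all suid binaries are ones only staff should run, whereas the original restricts only those particular binaries. Keep "restrict suid binaries that only staff should run to a special group" without the commas; the re-wrap of "to" onto the next line is fine on its own.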
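Review bot: the comma in the 552c552 hunk separates the verb from its object: `> <para>Once you give a limited-access box, at least read access to the` should read "Once you give a limited-access box at least read access to the" with no comma. The "limit-access" to "limited-access" correction itself (here and in 539c539) is right.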
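Review bot: the 557c557 hunk deletes the word "boxes" from the start of the line (`< boxes at least once a day, and to test control files such as those` becomes `> at least once a day, and to test control files such as those`) without touching line 556, which is not in the diff. Unless the preceding line already ends in a complete noun phrase, the sentence now lacks the noun that "at least once a day" modifies. Either include line 556 in the hunk so the sentence can be checked as a whole, or leave "boxes" in place.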
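Review bot: "effect" should be "affect" twice in the 615,621 hunk. `> any number of security features, as long as they do not effect` and `> <emphasis>do</emphasis> effect convenience with some added thought.` both use the verb meaning "to influence convenience", which is "affect"; as the lines are being rewritten anyway, fix the verb in the same hunk. The added `<emphasis>` element is properly closed, so the SGML stays well-formed.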
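Review bot: the 860c861 and 864c865 hunks change tense and wording, not punctuation: "This is not such a problem for users that live in" becomes `> Standard. This was not such a problem for users resident in`, and "still use DES" becomes `> variants that still used DES.</para>`. That recasts the DES export-restriction text as historical, which is a content change the PR description ("typos, commas and emphasis tags") does not mention. Call it out in the description, or split it into its own change, so the doc maintainers can confirm the present-tense statement is in fact out of date.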
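Review bot: the 880c881 hunk drops the trailing "with" (`< Passwords encrypted with the MD5 hash are longer than those with` becomes `> Passwords encrypted with the MD5 hash are longer than those`) but line 881 is not shown. If 881 also begins with "with" this removes a duplicated word and is correct; if not, the comparison loses its preposition. Include the following line as context in the hunk so the intent is visible.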
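Review bot: expanding "Let's" to "Let us" in the 2499c2500 hunk (and likewise at 2514 and 2549) matches the Handbook's no-contractions style, but `> <para>Let us setup security association to deploy a secure channel` still uses "setup" as a verb and lacks an article; "Let us set up a security association to deploy a secure channel" reads correctly. The same "setup" as a verb survives in "you must setup each host" in the 2560,2561 hunk, which is otherwise a good fix ("entries are defined").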
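Review bot: "such as above" in the 2678c2679 hunk (`> <para>If the port number field is omitted such as above then "[any]" is`) is still awkward; "If the port number field is omitted, as above, then "[any]" is" is the intended sense. Adding the article before "port number field" is a good catch.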