msgid ""
msgstr ""
"Project-Id-Version: harden-doc3.19\n"
"POT-Creation-Date: 2017-05-01 19:29+0200\n"
"PO-Revision-Date: 2017-04-24 01:07+0200\n"
"Last-Translator: desconocido <desconocido@unknow.com>\n"
"Language-Team: debian-l10n-spanish@lists.debian.org\n"
"Language: es \n"
"Report-Msgid-Bugs-To: https://www.debian.org/Bugs/\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"X-Generator: Publican v4.3.2\n"

msgid "After installation"
msgstr "Después de la instalación"

msgid "Once the system is installed you can still do more to secure the system; some of the steps described in this chapter can be taken. Of course this really depends on your setup but for physical access prevention you should read <xref linkend=\"bios-boot\" />,<xref linkend=\"lilo-passwd\" />, <xref linkend=\"kernel-root-prompt\" />, <xref linkend=\"restrict-console-login\" />, and <xref linkend=\"restrict-reboots\" />."
msgstr ""

msgid "Before connecting to any network, especially if it's a public one you should, at the very least, execute a security update (see <xref linkend=\"security-update\" />). Optionally, you could take a snapshot of your system (see <xref linkend=\"snapshot\" />)."
msgstr ""

msgid "Subscribe to the Debian Security Announce mailing list"
msgstr ""

msgid "In order to receive information on available security updates you should subscribe yourself to the debian-security-announce mailing list in order to receive the Debian Security Advisories (DSAs). See <xref linkend=\"debian-sec-team\" /> for more information on how the Debian security team works. For information on how to subscribe to the Debian mailing lists read <ulink url=\"http://lists.debian.org\" />."
msgstr ""

msgid "DSAs are signed with the Debian Security Team's signature which can be retrieved from <ulink url=\"http://security.debian.org\" />."
msgstr ""

msgid "You should consider, also, subscribing to the <ulink url=\"http://lists.debian.org/debian-security\" /> for general discussion on security issues in the Debian operating system. You will be able to contact other fellow system administrators in the list as well as Debian developers and upstream developers of security tools who can answer your questions and offer advice."
msgstr ""

msgid "FIXME: Add the key here too?"
msgstr ""

msgid "Execute a security update"
msgstr "Ejecute una actualización de seguridad"

msgid "As soon as new security bugs are detected in packages, Debian maintainers and upstream authors generally patch them within days or even hours. After the bug is fixed, a new package is provided on <ulink url=\"http://security.debian.org\" />."
msgstr ""

msgid "If you are installing a Debian release you must take into account that since the release was made there might have been security updates after it has been determined that a given package is vulnerable. Also, there might have been minor releases (there have been four for the Debian 3.0 <emphasis>sarge</emphasis> release) which include these package updates."
msgstr ""

msgid "During installation security updates are configured for your system and pending updates downloaded and applied, unless you specifically opt out of this or the system was not connected to the Internet. The updates are applied even before the first boot, so the new system starts its life as up to date as possible."
msgstr ""

msgid "To manually update the system, put the following line in your <filename>sources.list</filename> and you will get security updates automatically, whenever you update your system. Replace <replaceable>[CODENAME]</replaceable> with the release codename, e.g. <emphasis>squeeze</emphasis>."
msgstr ""

msgid "\n"
"  deb http://security.debian.org/ [CODENAME]/updates main contrib non-free"
msgstr ""

msgid "<emphasis>Note</emphasis>: If you are using the <emphasis>testing</emphasis> branch use the security testing mirror sources as described in <xref linkend=\"security-support-testing\" />."
msgstr ""

msgid "Once you've done this you can use multiple tools to upgrade your system. If you are running a desktop system you will have<footnote><para>In <emphasis>Etch</emphasis> and later releases</para></footnote> an application called <command>update-notifier</command> that will make it easy to check if new updates are available, by selecting it you can make a system upgrade from the desktop (using <command>update-manager</command>). For more information see <xref linkend=\"update-desktop\" />. In desktop environments you can also use <application>synaptic</application> (GNOME), <application>kpackage</application> or <application>adept</application> (KDE) for more advanced interfaces. If you are running a text-only terminal you can use <application>aptitude</application>, <application>apt</application> or <application>dselect</application> (deprecated) to upgrade:"
msgstr ""

msgid "If you want to use <application>aptitude</application>'s text interface you just have to press <emphasis>u</emphasis> (update) followed by <emphasis>g</emphasis> (to upgrade). Or just do the following from the command line (as root):"
msgstr ""

msgid ""
"\n"
"# aptitude update\n"
"# aptitude upgrade"
msgstr ""
"\n"
"# aptitude update\n"
"# aptitude upgrade"

msgid "If you want to use <application>apt</application> do just like with aptitude but substitute the <command>aptitude</command> lines above with <command>apt-get</command>."
msgstr ""

msgid "If you want to use <application>dselect</application> then first [U]pdate, then [I]nstall and finally, [C]onfigure the installed/upgraded packages."
msgstr ""

msgid "If you like, you can add the deb-src lines to <filename>/etc/apt/sources.list</filename> as well. See <citerefentry><refentrytitle>apt</refentrytitle><manvolnum>8</manvolnum></citerefentry> for further details."
msgstr ""

msgid "Security update of libraries"
msgstr ""

msgid "Once you have executed a security update you might need to restart some of the system services. If you do not do this, some services might still be vulnerable after a security upgrade. The reason for this is that daemons that are running before an upgrade might still be using the old libraries before the upgrade <footnote><para>Even though the libraries have been removed from the filesystem the inodes will not be cleared up until no program has an open file descriptor pointing to them.</para></footnote>."
msgstr ""

msgid "From Debian <emphasis>Jessie</emphasis> and up, you can install the <application>needrestart</application> package, which will run automatically after each APT upgrade and prompt you to restart services that are affected by the just-installed updates. In earlier releases, you can run the <command>checkrestart</command> program (available in the <application>debian-goodies</application> package) manually after your APT upgrade."
msgstr ""

msgid "Some packages (like <application>libc6</application>) will do this check in the postinst phase for a limited set of services specially since an upgrade of essential libraries might break some applications (until restarted)<footnote><para>This happened, for example, in the upgrade from libc6 2.2.x to 2.3.x due to NSS authentication issues, see <ulink url=\"http://lists.debian.org/debian-glibc/2003/debian-glibc-200303/msg00276.html\" />.</para></footnote>."
msgstr ""

msgid "Bringing the system to run level 1 (single user) and then back to run level 3 (multi user) should take care of the restart of most (if not all) system services. But this is not an option if you are executing the security upgrade from a remote connection (like ssh) since it will be severed."
msgstr ""

msgid "Excercise caution when dealing with security upgrades if you are doing them over a remote connection like ssh. A suggested procedure for a security upgrade that involves a service restart is to restart the SSH daemon and then, immediately, attempt a new ssh connection without breaking the previous one. If the connection fails, revert the upgrade and investigate the issue."
msgstr ""

msgid "Security update of the kernel"
msgstr ""

msgid "First, make sure your kernel is being managed through the packaging system. If you have installed using the installation system from Debian 3.0 or previous releases, your kernel is <emphasis>not</emphasis> integrated into the packaging system and might be out of date. You can easily confirm this by running:"
msgstr ""

msgid ""
"\n"
"$ dpkg -S `readlink -f /vmlinuz`\n"
"linux-image-2.6.18-4-686: /boot/vmlinuz-2.6.18-4-686"
msgstr ""
"\n"
"$ dpkg -S `readlink -f /vmlinuz`\n"
"linux-image-2.6.18-4-686: /boot/vmlinuz-2.6.18-4-686"

msgid "If your kernel is not being managed you will see a message saying that the package manager did not find the file associated to any package instead of the message above, which says that the file associated to the current running kernel is being provided by the <application>linux-image-2.6.18-4-686</application>. So first, you will need to manually install a kernel image package. The exact kernel image you need to install depends on your architecture and your prefered kernel version. Once this is done, you will be able to manage the security updates of the kernel just like those of any other package. In any case, notice that the kernel updates will <emphasis>only</emphasis> be done for kernel updates of the same kernel version you are using, that is, <command>apt</command> will not automatically upgrade your kernel from the 2.4 release to the 2.6 release (or from the 2.4.26 release to the 2.4.27 release<footnote><para>Unless you have installed a kernel metapackage like <application>linux-image-2.6-686</application> which will always pull in the latest kernel minor revision for a kernel release and a given architecture.</para></footnote>)."
msgstr ""

msgid "The installation system of recent Debian releases will handle the selected kernel as part of the package system. You can review which kernels you have installed by running:"
msgstr ""

msgid "\n"
"$ COLUMNS=150 dpkg -l 'linux-image*' | awk '$1 ~ /ii/ { print $0 }'"
msgstr "\n"
"$ COLUMNS=150 dpkg -l 'linux-image*' | awk '$1 ~ /ii/ { print $0 }'"

msgid "To see if your kernel needs to be updated run:"
msgstr ""

msgid ""
"\n"
"$ kernfile=`readlink -f /vmlinuz`\n"
"$ kernel=`dpkg -S $kernfile | awk -F : '{print $1}'`\n"
"$ apt-cache policy $kernel\n"
"linux-image-2.6.18-4-686:\n"
"  Installed: 2.6.18.dfsg.1-12\n"
"  Candidate: 2.6.18.dfsg.1-12\n"
"  Version table:\n"
" *** 2.6.18.dfsg.1-12 0\n"
"        100 /var/lib/dpkg/status"
msgstr ""
"\n"
"$ kernfile=`readlink -f /vmlinuz`\n"
"$ kernel=`dpkg -S $kernfile | awk -F : '{print $1}'`\n"
"$ apt-cache policy $kernel\n"
"linux-image-2.6.18-4-686:\n"
"  Installed: 2.6.18.dfsg.1-12\n"
"  Candidate: 2.6.18.dfsg.1-12\n"
"  Version table:\n"
" *** 2.6.18.dfsg.1-12 0\n"
"        100 /var/lib/dpkg/status"

msgid "If you are doing a security update which includes the kernel image you <emphasis>need</emphasis> to reboot the system in order for the security update to be useful. Otherwise, you will still be running the old (and vulnerable) kernel image."
msgstr ""

msgid "If you need to do a system reboot (because of a kernel upgrade) you should make sure that the kernel will boot up correctly and network connectivity will be restored, specially if the security upgrade is done over a remote connection like ssh. For the former you can configure your boot loader to reboot to the original kernel in the event of a failure (for more detailed information read <ulink url=\"http://www.debian-administration.org/?article=70\">Remotely rebooting Debian GNU/Linux machines</ulink>). For the latter you have to introduce a network connectivity test script that will check if the kernel has started up the network subsystem properly and reboot the system if it did not<footnote><para>A sample script called <ulink url=\"http://www.debian-administration.org/articles/70/testnet\">testnet</ulink> is available in the <ulink url=\"http://www.debian-administration.org/?article=70\"> Remotely rebooting Debian GNU/Linux machines</ulink> article. A more elaborate network connectivity testing script is available in this <ulink url=\"http://www.debian-administration.org/?article=128\"> Testing network connectivity article.</ulink></para></footnote>. This should prevent nasty surprises like updating the kernel and then realizing, after a reboot, that it did not detect or configure the network hardware properly and you need to travel a long distance to bring the system up again. Of course, having the system serial console <footnote><para>Setting up a serial console is beyond the scope of this document, for more information read the <ulink url=\"http://www.tldp.org/HOWTO/Serial-HOWTO.html\">Serial HOWTO</ulink> and the <ulink url=\"http://www.tldp.org/HOWTO/Remote-Serial-Console-HOWTO/index.html\"> Remote Serial Console HOWTO</ulink>.</para></footnote> in the system connected to a console or terminal server should also help debug reboot issues remotely."
msgstr ""

msgid "Change the BIOS (again)"
msgstr ""

msgid "Remember <xref linkend=\"bios-passwd\" />? Well, then you should now, once you do not need to boot from removable media, to change the default BIOS setup so that it <emphasis>only</emphasis> boots from the hard drive. Make sure you will not lose the BIOS password, otherwise, in the event of a hard disk failure you will not be able to return to the BIOS and change the setup so you can recover it using, for example, a CD-ROM."
msgstr ""

msgid "Another less secure but more convenient way is to change the setup to have the system boot up from the hard disk and, if it fails, try removable media. By the way, this is often done because most people don't use the BIOS password that often; it's easily forgotten."
msgstr ""

msgid "Set a LILO or GRUB password"
msgstr "Colocar una contraseña a lilo o grub"

msgid "Anybody can easily get a root-shell and change your passwords by entering"
msgstr ""

msgid "<userinput>&lt;name-of-your-bootimage&gt; init=/bin/sh</userinput>"
msgstr ""

msgid "at the boot prompt. After changing the passwords and rebooting the system, the person has unlimited root-access and can do anything he/she wants to the system. After this procedure you will not have root access to your system, as you do not know the root password."
msgstr "Es muy fácil entrar a una shell con el usuario root y cambiar las contraseñas simplemente tecleando \"&lt;name-of-your-bootimage&gt; init=/bin/sh\". Luego de cambiar las contraseñas y reingresar al sistema, la persona ha tiene acceso ilimitado (como root) y puede hacer cualquier cosa que el/ella quiera en el sistema. Después de este procedimiento, usted no tendrá acceso a su sistema, porque usted no conoce la contraseña de root."

msgid "To make sure that this cannot happen, you should set a password for the boot loader. You can choose between a global password or a password for a certain image."
msgstr "Asegúrese que esto no pueda suceder, usted debería colocar una contraseña para el cargador de linux. Usted puede escoger entre una contraseña global y una contraseña para una imagen."

msgid "For LILO you need to edit the config file <filename>/etc/lilo.conf</filename> and add a <userinput>password</userinput> and <userinput>restricted</userinput> line as in the example below."
msgstr "Para LILO usted necesita editar el archivo <filename>/etc/lilo.conf</filename> y agregar una contraseña y restringirlo como en el siguiente ejemplo:"

msgid ""
"\n"
"  image=/boot/2.2.14-vmlinuz\n"
"     label=Linux\n"
"     read-only\n"
"     password=hackme\n"
"     restricted"
msgstr ""
"\n"
"image=/boot/2.2.14-vmlinuz\n"
" label=Linux\n"
" read-only\n"
" password=hackme\n"
" restricted"

msgid "Then, make sure that the configuration file is not world readable to prevent local users from reading the password. When done, rerun lilo. Omitting the <literal>restricted</literal> line causes lilo to always prompt for a password, regardless of whether LILO was passed parameters. The default permissions for <filename>/etc/lilo.conf</filename> grant read and write permissions to root, and enable read-only access for <filename>lilo.conf</filename>'s group, root."
msgstr ""

msgid "If you use GRUB instead of LILO, edit <filename>/boot/grub/menu.lst</filename> and add the following two lines at the top (substituting, of course <userinput>hackme</userinput> with the desired password). This prevents users from editing the boot items. <userinput>timeout 3</userinput> specifies a 3 second delay before <command>grub</command> boots the default item."
msgstr "Si usted usa GRUB en lugar de LILO, edite <filename>/boot/grub/menu.lst</filename> y agregue las siguientes dos líneas al inicio (sustituyendo, por supuesto 'hackme' con la contraseña deseada). Esto previene a los usuarios de editar los ítems de entrada. 'timeout3' especifica tres segundos antes del arranque del sistema por defecto."

msgid ""
"\n"
"  timeout 3\n"
"  password hackme"
msgstr ""
"\n"
"timeout 3\n"
"password hackme"

msgid "To further harden the integrity of the password, you may store the password in an encrypted form. The utility <command>grub-md5-crypt</command> generates a hashed password which is compatible with GRUB's encrypted password algorithm (MD5). To specify in <command>grub</command> that an MD5 format password will be used, use the following directive:"
msgstr "Para asegurar mas la integridad de la contraseña, usted podría guardarla una forma encriptada. La utilidad de grub-d5-crypt es que genera una contraseña la cual es compatible con el algorítmo (md5) de encripción de grub. Para especificar en GRUB que el formato de la contraseña md5 será usado, use la siguiente instrucción:"

msgid ""
"\n"
"  timeout 3\n"
"  password --md5 $1$bw0ez$tljnxxKLfMzmnDVaQWgjP0"
msgstr ""
"\n"
"  timeout 3\n"
"  password --md5 $1$bw0ez$tljnxxKLfMzmnDVaQWgjP0"

msgid "The --md5 parameter was added to instruct <command>grub</command> to perform the MD5 authentication process. The provided password is the MD5 encrypted version of hackme. Using the MD5 password method is preferable to choosing its clear-text counterpart. More information about <command>grub</command> passwords may be found in the <application>grub-doc</application> package."
msgstr "El parámetro --md5 fue agregado para instruir a grub a realizar el proceso de autenticación. La contraseña proporcionada es la versión encriptada en md5 de \"hackme\". Usar el método de encripción md5 es preferible a su contraparte en solo texto. Mas información acera de la contraseña GRUB puede ser encontrada en el paquete de grub-doc."

msgid "Disable root prompt on the initramfs"
msgstr ""

msgid "Note: This applies to the default kernels provided for releases after Debian 3.1"
msgstr ""

msgid "Linux 2.6 kernels provide a way to access a root shell while booting which will be presented during loading the initramfs on error. This is helpful to permit the administrator to enter a rescue shell with root permissions. This shell can be used to manually load modules when autodetection fails. This behavior is the default for <command>initramfs-tools</command> generated initramfs. The following message will appear:"
msgstr "Los núcleos de Linux 2.6 proporcionan una forma para tener acceso a la línea de comandos del administrador que será presentada justo después de cargar el sistema de archivos cramfs. Un mensaje aparecerá para permitir al administrador entrar en una línea de comandos con permisos de root, esta línea de comandos puede ser usada manualmente para cargar módulos cuando la autodetección falla. Este comportamiento es el predeterminado para initrd's linuxrc. El siguiente mensaje aparecerá:"

msgid "\n"
"  \"ALERT!  /dev/sda1 does not exist.  Dropping to a shell!"
msgstr ""

msgid "In order to remove this behavior you need to set the following boot argument:<emphasis>panic=0</emphasis>. Add this to the variable <varname>GRUB_CMDLINE_LINUX</varname> in <filename>/etc/default/grub</filename> and issue <command>update-grub</command> or to the append section of <filename>/etc/lilo.conf</filename>."
msgstr ""

msgid "Remove root prompt on the kernel"
msgstr "Eliminar el prompt de root del núcleo"

msgid "Note: This does not apply to the kernels provided for Debian 3.1 as the timeout for the kernel delay has been changed to 0."
msgstr ""

msgid "Linux 2.4 kernels provide a way to access a root shell while booting which will be presented just after loading the cramfs file system. A message will appear to permit the administrator to enter an executable shell with root permissions, this shell can be used to manually load modules when autodetection fails. This behavior is the default for <command>initrd</command>'s <filename>linuxrc</filename>. The following message will appear:"
msgstr "Los núcleos de Linux 2.6 proporcionan una forma para tener acceso a la línea de comandos del administrador que será presentada justo después de cargar el sistema de archivos cramfs. Un mensaje aparecerá para permitir al administrador entrar en una línea de comandos con permisos de root, esta línea de comandos puede ser usada manualmente para cargar módulos cuando la autodetección falla. Este comportamiento es el predeterminado para initrd's linuxrc. El siguiente mensaje aparecerá:"

msgid "\n"
"  Press ENTER to obtain a shell (waits 5 seconds)"
msgstr "\n"
"Press ENTER to obtain a shell (waits 5 seconds)"

msgid "In order to remove this behavior you need to change <filename>/etc/mkinitrd/mkinitrd.conf</filename> and set:"
msgstr "Para eliminar este comportamiento usted necesita cambiar <filename>/etc/mkinitrd/mkinitrd.conf</filename> y colocar:"

msgid ""
"\n"
"  # DELAY  The  number  of seconds the linuxrc script should wait to\n"
"  # allow the user to interrupt it before the system is brought up\n"
"  DELAY=0"
msgstr ""
"\n"
"  # DELAY define lo segundos que el script linuxrc debe esperar para\n"
"  # que el ususario pueda interrunpir el inicio del sistema\n"
"  DELAY=0"

msgid "Then regenerate your ramdisk image. You can do this for example with:"
msgstr "Luego regenera su imagen del disco RAM. Usted puede hacer esto por ejemplo con:"

msgid ""
"\n"
"  # cd /boot\n"
"  # mkinitrd -o initrd.img-2.4.18-k7 /lib/modules/2.4.18-k7"
msgstr ""
"\n"
"  # cd /boot\n"
"  # mkinitrd -o initrd.img-2.4.18-k7 /lib/modules/2.4.18-k7"

msgid "or (preferred):"
msgstr "O hacer (preferir):"

msgid "\n"
"  # dpkg-reconfigure -plow kernel-image-2.4.x-yz"
msgstr "\n"
"  # dpkg-reconfigure kernel-image-2.4.x-yz"

msgid "Restricting console login access"
msgstr "Restricción del acceso a la consola"

msgid "Some security policies might force administrators to log in to the system through the console with their user/password and then become superuser (with <command>su</command> or <command>sudo</command>). This policy is implemented in Debian by editing the <filename>/etc/pam.d/login</filename> and the <filename>/etc/securetty</filename> when using PAM:"
msgstr "Algunas políticas de seguridad quieren forzar a los administradores para registrarse en el sistema a través de la consola con su usuario/contraseña y luego llegar a ser un superusuario (con<command>su</command> o <command>sudo</command>). Esta política es implementada en Debian al editar el archivo <filename>/etc/login.defs</filename> o <filename>/etc/securetty</filename> cuando se usa PAM. En:"

msgid "<filename>/etc/pam.d/login</filename> In older Debian releases you would need to edit <filename>login.defs</filename>, and use the CONSOLE variable which defines a file or list of terminals on which root logins are allowed. enables the pam_securetty.so module. This module, when properly configured will not ask for a password when the root user tries to login on an insecure console, rejecting access as this user."
msgstr ""

msgid "<filename>securetty</filename> The <filename>/etc/securetty</filename> is a configuration file that belongs to the <application>login</application> package. by adding/removing the terminals to which root access will be allowed. If you wish to allow only local console access then you need <emphasis>console</emphasis>, <emphasis>ttyX</emphasis> Or <emphasis>ttyvX</emphasis> in GNU/FreeBSD, and <emphasis>ttyE0</emphasis> in GNU/KNetBSD. and <emphasis>vc/X</emphasis> (if using <emphasis>devfs</emphasis> devices), you might want to add also <emphasis>ttySX</emphasis> Or <emphasis>comX</emphasis> in GNU/Hurd, <emphasis>cuaaX</emphasis> in GNU/FreeBSD, and <emphasis>ttyXX</emphasis> in GNU/KNetBSD. if you are using a serial console for local access (where X is an integer, you might want to have multiple instances. The default configuration for <emphasis>Wheezy</emphasis> The default configuration in <emphasis>woody</emphasis> includes 12 local tty and vc consoles, as well as the <emphasis>console</emphasis> device but does not allow remote logins. In <emphasis>sarge</emphasis> the default configuration provides 64 consoles for tty and vc consoles. includes many tty devices, serial ports, vc consoles as well as the X server and the <emphasis>console</emphasis> device. You can safely adjust this if you are not using that many consoles. You can confirm the virtual consoles and the tty devices you have by reviewing <filename>/etc/inittab</filename> Look for the <emphasis>getty</emphasis> calls. . For more information on terminal devices read the <ulink url=\"http://tldp.org/HOWTO/Text-Terminal-HOWTO-6.html\">Text-Terminal-HOWTO </ulink>"
msgstr ""

msgid "When using PAM, other changes to the login process, which might include restrictions to users and groups at given times, can be configured in <filename>/etc/pam.d/login</filename>. An interesting feature that can be disabled is the possibility to login with null (blank) passwords. This feature can be limited by removing <emphasis>nullok</emphasis> from the line:"
msgstr "Cuando use PAM se hacen otros cambios para el proceso de registro, los cuales pueden incluir restricciones para usuarios y grupos a tiempos dados, puede ser configurado en <filename>/etc/pam.d/login</filename>. Una interesante característica que puede ser incapacitada es la posibilidad de registrar con contraseñas sin efecto (nulas). Esta característica puede ser limitada removiendo el <emphasis>nullok</emphasis> de la linea:"

msgid "\n"
"  auth       required   pam_unix.so nullok"
msgstr "\n"
"  auth required pam_unix.so nullok"

msgid "Restricting system reboots through the console"
msgstr ""

msgid "If your system has a keyboard attached to it anyone (yes <emphasis>anyone</emphasis>) with physical access to the system can reboot the system through it without login in just pressing the <emphasis>Ctrl+Alt+Delete</emphasis> keyboard combination, also known as the <emphasis>three finger salute</emphasis>. This might, or might not, adhere to your security policy."
msgstr ""

msgid "This is aggravated in environments in which the operating system is running virtualised. In these environments, the possibility extends to users that have access to the virtual console (which might be accessed over the network). Also note that, in these environments, this keyboard combination is used constantly (to open a login shell in some GUI operating systems) and an administrator might <emphasis>virtually</emphasis> send it and force a system reboot."
msgstr ""

msgid "There are two ways to restrict this:"
msgstr ""

msgid "configure it so that only <emphasis>allowed</emphasis> users can reboot the system,"
msgstr ""

msgid "disable this feature completely."
msgstr ""

msgid "If you want to restrict this, you must check the <filename>/etc/inittab</filename> so that the line that includes <userinput>ctrlaltdel</userinput> calls <command>shutdown</command> with the <userinput>-a</userinput> switch."
msgstr ""

msgid "The default in Debian includes this switch:"
msgstr ""

msgid "\n"
"  ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now"
msgstr "\n"
"  ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now"

msgid "The <userinput>-a</userinput> switch, as the <citerefentry><refentrytitle>shutdown</refentrytitle><manvolnum>8</manvolnum></citerefentry> manpage describes,makes it possible to allow <emphasis>some</emphasis> users to shutdown the system. For this the file <filename>/etc/shutdown.allow</filename> must be created and the administrator has to include there the name of users which can boot the system. When the <emphasis>three finger salute</emphasis> combination is pressed in a console the program will check if any of the users listed in the file are logged in. If none of them is, <command>shutdown</command> will <emphasis>not</emphasis> reboot the system."
msgstr ""

msgid "If you want to disable the Ctrl+Alt+Del combination you just need to comment the line with the <emphasis>ctrlaltdel</emphasis> definition in the <filename>/etc/inittab</filename>."
msgstr ""

msgid "Remember to run <userinput>init q</userinput> after making any changes to the <filename>/etc/inittab</filename> file for the changes to take effect."
msgstr ""

msgid "Restricting the use of the Magic SysRq key"
msgstr ""

msgid "The <emphasis>Magic SysRq key</emphasis> is a key combination that allows users connected to the system console of a Linux kernel to perform some low-level commands. These low-level commands are sent by pressing simultaneously <emphasis>Alt+SysRq</emphasis> and a command key. The SysRq key in many keyboards is labeled as the <emphasis>Print Screen</emphasis> key."
msgstr ""

msgid "Since the Etch release, the Magic SysRq key feature is enabled in the Linux kernel to allow console users certain privileges. You can confirm this by checking if the <filename>/proc/sys/kernel/sysrq</filename> exists and reviewing its value:"
msgstr ""

msgid ""
"\n"
"$ cat /proc/sys/kernel/sysrq \n"
"438"
msgstr ""
"\n"
"$ cat /proc/sys/kernel/sysrq \n"
"438"

msgid "The default value shown above allows all of the SysRq functions except for the possibility of sending signals to processes. For example, it allow users connected to the console to remount all systems read-only, reboot the system or cause a kernel panic. In all the features are enabled, or in older kernels (earlier than 2.6.12) the value will be just 1."
msgstr ""

msgid "You should disable this functionality ifaccess to the console is not restricted to authorised users: the console is connected to a modem line, there is easy physical access to the system or it is running in a virtualised environment and other users access the console. To do this edit the <filename>/etc/sysctl.conf</filename> and add the following lines:"
msgstr ""

msgid ""
"\n"
"# Disables the magic SysRq key\n"
"kernel.sysrq = 0"
msgstr ""

msgid "For more information, read <ulink url=\"http://tldp.org/HOWTO/Remote-Serial-Console-HOWTO/security-sysrq.html\">security chapter in the Remote Serial Console HOWTO</ulink>, <ulink url=\"http://kernel.org/doc/Documentation/sysrq.txt\">Kernel SysRQ documentation</ulink>. and the <ulink url=\"http://en.wikipedia.org/wiki/Magic_SysRq_key\">Magic_SysRq_key wikipedia entry</ulink>."
msgstr ""

msgid "Mounting partitions the right way"
msgstr "Montando particiones de manera correcta"

msgid "When mounting an <literal>Ext</literal> file system (<literal>ext2</literal>, <literal>ext3</literal> or <literal>ext4</literal>), there are several additional options you can apply to the mount call or to <filename>/etc/fstab</filename>. For instance, this is my fstab entry for the <filename>/tmp</filename> partition:"
msgstr ""

msgid "\n"
"  /dev/hda7    /tmp    ext2    defaults,nosuid,noexec,nodev    0    2"
msgstr "\n"
"  /dev/hda7    /tmp    ext2    defaults,nosuid,noexec,nodev    0    2"

msgid "You see the difference in the options sections. The option <literal>nosuid</literal> ignores the setuid and setgid bits completely, while <literal>noexec</literal> forbids execution of any program on that mount point, and <literal>nodev</literal> ignores device files. This sounds great, but it:"
msgstr "usted ve la diferencia a las secciones de opciones . La opción <literal>nosuid</literal> ignora los bits setuid y setgid completamente , mientras que <literal>noexec</literal> prohibe la ejecución de programas en ese punto de montaje, y <literal>nodev</literal>, ignora los dispositivos.Esto suena grandioso , pero esto"

msgid "only applies to <literal>ext2</literal> or <literal>ext3</literal> file systems"
msgstr ""

msgid "can be circumvented easily"
msgstr "puede ser evitado fácilmente"

msgid "The <literal>noexec</literal> option prevents binaries from being executed directly, but was easily circumvented in earlier versions of the kernel:"
msgstr "La opción <literal>noexec</literal> previene los binarios de ejecutarse directamente, pero se engaña fácilmente:"

msgid ""
"\n"
"  alex@joker:/tmp# mount | grep tmp\n"
"  /dev/hda7 on /tmp type ext2 (rw,noexec,nosuid,nodev)\n"
"  alex@joker:/tmp# ./date\n"
"  bash: ./date: Permission denied\n"
"  alex@joker:/tmp# /lib/ld-linux.so.2 ./date\n"
"  Sun Dec  3 17:49:23 CET 2000"
msgstr ""
"\n"
"alex@joker:/tmp# mount | grep tmp\n"
"/dev/hda7 on /tmp type ext2 (rw,noexec,nosuid,nodev)\n"
"alex@joker:/tmp# ./date\n"
"bash: ./date: Permission denied\n"
"alex@joker:/tmp# /lib/ld-linux.so.2 ./date\n"
"Sun Dec 3 17:49:23 CET 2000"

msgid "Newer versions of the kernel do however handle the <literal>noexec</literal> flag properly:"
msgstr ""

msgid ""
"\n"
"  angrist:/tmp# mount | grep /tmp\n"
"  /dev/hda3 on /tmp type ext3 (rw,noexec,nosuid,nodev)\n"
"  angrist:/tmp# ./date\n"
"  bash: ./tmp: Permission denied \n"
"  angrist:/tmp# /lib/ld-linux.so.2 ./date \n"
"  ./date: error while loading shared libraries: ./date: failed to map segment \n"
"  from shared object: Operation not permitted"
msgstr ""
"\n"
"  angrist:/tmp# mount | grep /tmp\n"
"  /dev/hda3 on /tmp type ext3 (rw,noexec,nosuid,nodev)\n"
"  angrist:/tmp# ./date\n"
"  bash: ./tmp: Permission denied \n"
"  angrist:/tmp# /lib/ld-linux.so.2 ./date \n"
"  ./date: error while loading shared libraries: ./date: failed to map segment \n"
"  from shared object: Operation not permitted"

msgid "However, many script kiddies have exploits which try to create and execute files in <filename>/tmp</filename>. If they do not have a clue, they will fall into this pit. In other words, a user cannot be tricked into executing a trojanized binary in <filename>/tmp</filename> e.g. when <filename>/tmp</filename> is accidentally added into the local PATH."
msgstr "Sin embargo, muchos \"script kiddies\" cuentan con \"xploits\" que intentan crear y ejecutar los archivos en <filename>/tmp</filename>.Si ellos no tienen una pista, ellos entrarán en esta trampa. En otros términos, un usuario no puede engañarse en ejecutar un binario troyanizado en <filename>/tmp</filename> e.g. por ejemplo cuando él agrega a propósito <filename>/tmp</filename>dentro de su PATH."

msgid "Also be forewarned, some script might depend on <filename>/tmp</filename> being executable. Most notably, Debconf has (had?) some issues regarding this, for more information see <ulink name=\"Debian Bug nº116448\" url=\"http://bugs.debian.org/116448\" />."
msgstr "También se previene de algún programa que podría depender en que <filename>/tmp</filename> sea ejecutable. Más notablemente, Debconf tiene (¿tenía?) algunos problemas que consideran esto, para más información vea Bug <ulink url=\"http://bugs.debian.org/116448\" name=\"116448\" />."

msgid "The following is a more thorough example. A note, though: <filename>/var</filename> could be set noexec, but some software <footnote><para>Some of this includes the package manager <application>dpkg</application> since the installation (post,pre) and removal (post,pre) scripts are at <filename>/var/lib/dpkg/</filename> and Smartlist</para></footnote> keeps its programs under in <filename>/var</filename>. The same applies to the nosuid option."
msgstr ""

msgid ""
"\n"
"/dev/sda6   /usr          ext3    defaults,ro,nodev       0       2\n"
"/dev/sda12  /usr/share    ext3    defaults,ro,nodev,nosuid        0       2\n"
"/dev/sda7   /var          ext3    defaults,nodev,usrquota,grpquota 0      2\n"
"/dev/sda8   /tmp          ext3    defaults,nodev,nosuid,noexec,usrquota,grpquota    0       2\n"
"/dev/sda9   /var/tmp      ext3    defaults,nodev,nosuid,noexec,usrquota,grpquota    0       2\n"
"/dev/sda10  /var/log      ext3    defaults,nodev,nosuid,noexec    0       2\n"
"/dev/sda11  /var/account  ext3    defaults,nodev,nosuid,noexec    0       2\n"
"/dev/sda13  /home         ext3    rw,nosuid,nodev,exec,auto,nouser,async,usrquota,grpquota                0       2\n"
"/dev/fd0    /mnt/fd0      ext3    defaults,users,nodev,nosuid,noexec      0       0\n"
"/dev/fd0    /mnt/floppy   vfat    defaults,users,nodev,nosuid,noexec      0       0\n"
"/dev/hda    /mnt/cdrom    iso9660 ro,users,nodev,nosuid,noexec            0       0"
msgstr ""
"\n"
"/dev/sda6       /usr            ext2    defaults,ro,nodev       0       2\n"
"/dev/sda12      /usr/share      ext2    defaults,ro,nodev,nosuid        0       2\n"
"/dev/sda7       /var            ext2    defaults,nodev,usrquota,grpquota          0       2\n"
"/dev/sda8       /tmp            ext2    defaults,nodev,nosuid,noexec,usrquota,grpquota    0       2\n"
"/dev/sda9       /var/tmp        ext2    defaults,nodev,nosuid,noexec,usrquota,grpquota    0       2\n"
"/dev/sda10      /var/log        ext2    defaults,nodev,nosuid,noexec    0       2\n"
"/dev/sda11      /var/account    ext2    defaults,nodev,nosuid,noexec    0       2\n"
"/dev/sda13      /home           ext2    rw,nosuid,nodev,exec,auto,nouser,async,usrquota,grpquota                0       2\n"
"/dev/fd0        /mnt/fd0        ext2    defaults,users,nodev,nosuid,noexec      0       0\n"
"/dev/fd0        /mnt/floppy     vfat    defaults,users,nodev.nosuid,noexec      0       0\n"
"/dev/hda        /mnt/cdrom      iso9660 ro,users,nodev.nosuid,noexec            0       0"

msgid "Setting <filename>/tmp</filename> noexec"
msgstr ""

msgid "Be careful if setting <filename>/tmp</filename> noexec when you want to install new software, since some programs might use it for installation. <application>apt</application> is one such program (see <ulink name=\"Debian Bug nº116448\" url=\"http://bugs.debian.org/116448\" />) if not configured properly <varname>APT::ExtractTemplates::TempDir</varname> (see <citerefentry><refentrytitle>apt-extracttemplates</refentrytitle><manvolnum>1</manvolnum></citerefentry>). You can set this variable in <filename>/etc/apt/apt.conf</filename> to another directory with exec privileges other than <filename>/tmp</filename>."
msgstr "Tenga cuidado si esta poniendo <filename>/tmp</filename>y usted quiere instalar el nuevo software, desde que alguno podría usarlo para la instalación. Apt es uno de esos programas (vea <ulink url=\"http://bugs.debian.org/116448\" />) si no configuró propiamente <literal>APT::ExtractTemplates::TempDir</literal> (vea <citerefentry><refentrytitle>apt-extracttemplates</refentrytitle><manvolnum>1</manvolnum></citerefentry>). Usted puede poner esta variable en <filename>/etc/apt/apt.conf</filename> a otro directorio con privilegios exec que no sea <filename>/tmp</filename>"

msgid "Setting /usr read-only"
msgstr "Serie /usr leer-únicamente"

msgid "If you set <filename>/usr</filename> read-only you will not be able to install new packages on your Debian GNU/Linux system. You will have to first remount it read-write, install the packages and then remount it read-only. <application>apt</application> can be configured to run commands before and after installing packages, so you might want to configure it properly."
msgstr "Si usted pusiera <filename>/usr</filename> leer - únicamente usted no podrá instalar los nuevos paquetes en su Debian GNU / sistema Linux. Usted tendrá, primero que remontar leer -escribir, instale los paquetes y entonces remóntelo leer-únicamente. La última versión apt (en Debian 3.0ŽwoodyŽ) puede configurarse para ejecutar las órdenes antes y después de instalar los paquetes, para que usted pueda propiamente querer configurarlo."

msgid "To do this modify <filename>/etc/apt/apt.conf</filename> and add:"
msgstr "Hacer esto modifica <filename>/etc/apt/apt.conf</filename> y agrega:"

msgid ""
"\n"
"  DPkg\n"
"  {\n"
"      Pre-Invoke  { \"mount /usr -o remount,rw\" };\n"
"      Post-Invoke { \"mount /usr -o remount,ro\" };\n"
"  };"
msgstr ""
"\n"
" DPkg\n"
" {\n"
" Pre-Invoke { \"mount /usr -o remount,rw\" };\n"
" Post-Invoke { \"mount /usr -o remount,ro\" };\n"
" };"

msgid "Note that the Post-Invoke may fail with a \"/usr busy\" error message. This happens mainly when you are using files during the update that got updated. You can find these programs by running"
msgstr ""

msgid "\n"
"# lsof +L1"
msgstr "\n"
"# lsof +L1"

msgid "Stop or restart these programs and run the Post-Invoke manually. <emphasis>Beware!</emphasis> This means you'll likely need to restart your X session (if you're running one) every time you do a major upgrade of your system. You might want to reconsider whether a read-only <filename>/usr</filename> is suitable for your system. See also this <ulink url=\"http://lists.debian.org/debian-devel/2001/11/threads.html#00212\"> discussion on debian-devel about read-only</ulink>."
msgstr ""

msgid "Providing secure user access"
msgstr "Acceso seguro para los usuarios"

msgid "User authentication: PAM"
msgstr "Uso de la autentificación: PAM"

msgid "PAM (Pluggable Authentication Modules) allows system administrators to choose how applications authenticate users. Note that PAM can do nothing unless an application is compiled with support for PAM. Most of the applications that are shipped with Debian have this support built in (Debian did not have PAM support before 2.2). The current default configuration for any PAM-enabled service is to emulate UNIX authentication (read <filename>/usr/share/doc/libpam0g/Debian-PAM-MiniPolicy.gz</filename> for more information on how PAM services <emphasis>should</emphasis> work in Debian)."
msgstr ""

msgid "Each application with PAM support provides a configuration file in <filename>/etc/pam.d/</filename> which can be used to modify its behavior:"
msgstr ""

msgid "what backend is used for authentication."
msgstr ""

msgid "what backend is used for sessions."
msgstr ""

msgid "how do password checks behave."
msgstr ""

msgid "The following description is far from complete, for more information you might want to read the <ulink url=\"http://www.linux-pam.org/Linux-PAM-html/\"> Linux-PAM Guides</ulink> as a reference. This documentation is available in the system if you install the <application>libpam-doc</application> at <filename>/usr/share/doc/libpam-doc/html/</filename>."
msgstr ""

msgid "PAM offers you the possibility to go through several authentication steps at once, without the user's knowledge. You could authenticate against a Berkeley database and against the normal <filename>passwd</filename> file, and the user only logs in if the authentication succeeds in both. You can restrict a lot with PAM, just as you can open your system doors very wide. So be careful. A typical configuration line has a control field as its second element. Generally it should be set to <literal>requisite</literal>, which returns a login failure if one module fails."
msgstr "PAM le ofrece a usted la posibilidad a ir por varios pasos de autenticación una vez, sin el uso de conocimientos .Usted puede autenticar de nuevo una base de datos Berkeley y de nuevo el archivo de password normal y el uso únicamente de registros en si correctamente autenticos en ambos. Usted puede limitar a muchos con PAM , así como usted puede abrir sus puertas del sistema muy extensamente. Así que tenga cuidado. Una línea de la típica configuración tiene un campo de mando como su segundo elemento."

msgid "Password security in PAM"
msgstr ""

msgid "Review the <filename>/etc/pam.d/common-password</filename>, included by <filename>/etc/pam.d/passwd</filename> <footnote><para>In old Debian releases the configuration of the modules was defined directly in <filename>/etc/pam.d/passwd</filename>.</para></footnote> This file is included by other files in <filename>/etc/pam.d/</filename> to define the behaviour of password use in subsystems that grant access to services in the machine, like the console login (<application>login</application>), graphical login managers (such as <application>gdm</application> or <application>lightdm</application>), and remote login (such as <application>sshd</application>). This definition is"
msgstr ""

msgid "You have to make sure that the pam_unix.so module uses the \"sha512\" option to use encrypted passwords. This is the default in Debian Squeeze."
msgstr ""

msgid "The line with the definition of the pam_unix module will look something like:"
msgstr ""

msgid ""
"\n"
"  password   [success=1 default=ignore]      pam_unix.so nullok obscure minlen=8 sha512 \n"
"  "
msgstr ""
"\n"
"  password   [success=1 default=ignore]      pam_unix.so nullok obscure minlen=8 sha512 \n"
"  "

msgid "This definition:"
msgstr "Esta definición"

msgid "Enforces password encryption when storing passwords, using the SHA-512 hash function (option <emphasis>sha512</emphasis>),"
msgstr ""

msgid "Enables password complexity checks (option <emphasis>obscure</emphasis>) as defined in the <citerefentry><refentrytitle>pam_unix</refentrytitle><manvolnum>8</manvolnum></citerefentry> manpage,"
msgstr ""

msgid "Imposes a minimum password length (option <emphasis>min</emphasis>) of 8."
msgstr ""

msgid "You have to ensure that encrypted passwords are used in PAM applications, since this helps protect against dictionary cracks. Using encryption also makes it possible to use passwords longer than 8 characters."
msgstr ""

msgid "Since this module is also used to define how passwords are changed (it is included by <command>chpasswd</command>) you can strengthen the password security in the system by installing <application>libpam-cracklib</application> and introducing this definition in the <filename>/etc/pam.d/common-password</filename> configuration file:"
msgstr ""

msgid ""
"\n"
"  # Be sure to install libpam-cracklib first or you will not be able to log in\n"
"  password   required     pam_cracklib.so retry=3 minlen=12 difok=3\n"
"  password   [success=1 default=ignore]      pam_unix.so obscure minlen=8 sha512 use_authok"
msgstr ""
"\n"
"# Asegúrese de tener instalado libpam-cracklib, sino no podrá entrar en el sistema\n"
"  password   required     pam_cracklib.so retry=3 minlen=12 difok=3\n"
"  password   [success=1 default=ignore]      pam_unix.so obscure minlen=8 sha512 use_authok"

msgid "So, what does this incantation do? The first line loads the cracklib PAM module, which provides password strength-checking, prompts for a new password with a minimum size <footnote><para>The minlen option is not entirely straightforward and is not exactly the number of characters in the password. A tradeoff can be defined between complexity and length by adjusting the \"credit\" parameters of different character classes. For more information read the <citerefentry><refentrytitle>pam_cracklib</refentrytitle><manvolnum>8</manvolnum></citerefentry> manpage.</para></footnote> of 12 characters, and difference of at least 3 characters from the old password, and allows 3 retries. Cracklib depends on a wordlist package (such as <application>wenglish</application>, <application>wspanish</application>, <application>wbritish</application>, ...), so make sure you install one that is appropriate for your language or cracklib might not be useful to you at all."
msgstr ""

msgid "The second line (using the pam_unix.so module) is the default configuration in Debian, as described above, save for the <emphasis>use_authok</emphasis> option. The <emphasis>use_authok</emphasis> option is required if pam_unix.so is stacked after pam_cracklib.so, and is used to hand over the password from the previous module. Otherwise, the user would be prompted for the password twice."
msgstr ""

msgid "For more information about setting up Cracklib, read the <citerefentry><refentrytitle>pam_cracklib</refentrytitle><manvolnum>8</manvolnum></citerefentry> manpage and the article <ulink url=\"http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html\">Linux Password Security with pam_cracklib</ulink> by Hal Pomeranz."
msgstr ""

msgid "By enabling the cracklib PAM module you setup a policy that forces uses to use strong passwords."
msgstr ""

msgid "Alternatively, you can setup and configure PAM modules to use double factor authentication such as: <application>libpam-barada</application>, <application>libpam-google-authenticator</application>, <application>libpam-oath</application>, <application>libpam-otpw</application>, <application>libpam-poldi</application>, <application>libpam-usb</application> or <application>libpam-yubico</application>. The configuration of these modules would make it possible to access the system using external authentication mechanisms such as smartcards, external USB keys, or One-Time-Passwords generated by external applications running, for example, in the user's mobile phone."
msgstr ""

msgid "Please note that these restrictions apply to all users but <emphasis>not</emphasis> to the password changes done by the root user. The root user will be able to set up any password (any length or complexity) for personal use or others regardless of the restrictions defined here."
msgstr ""

msgid "User access control in PAM"
msgstr "Control de acceso de usuarios con PAM"

msgid "To make sure that the user root can only log into the system from local terminals, the following line should be enabled in <filename>/etc/pam.d/login</filename>:"
msgstr "Para asegurarse que el root (administrador de Linux) del usuario sólo puede anotarse en el sistema de los términos locales, la línea siguiente debe habilitarse en <filename>/etc/pam.d/login</filename>:"

msgid "\n"
"  auth     requisite  pam_securetty.so"
msgstr "\n"
"  auth     requisite  pam_securetty.so"

msgid "Then you should modify the list of terminals on which direct root login is allowed in <filename>/etc/securetty</filename> (as described in <xref linkend=\"restrict-console-login\" />). Alternatively, you could enable the <application>pam_access</application> module and modify <filename>/etc/security/access.conf</filename> which allows for a more general and fine-tuned access control, but (unfortunately) lacks decent log messages (logging within PAM is not standardized and is particularly unrewarding problem to deal with). We'll return to <filename>access.conf</filename> a little later."
msgstr ""

msgid "User limits in PAM"
msgstr "Limites para los usuarios mediante PAM"

msgid "The following line should be enabled in <filename>/etc/pam.d/login</filename> to set up user resource limits."
msgstr ""

msgid "\n"
"  session  required   pam_limits.so"
msgstr "\n"
"  session  required   pam_limits.so"

msgid "This restricts the system resources that users are allowed (see below in <xref linkend=\"user-limits\" />). For example, you could restrict the number of concurrent logins (of a given group of users, or system-wide), number of processes, memory size etc."
msgstr "Esto restringe los recursos del sistema que se permiten a los usuarios (vea en la siguiente pagina <ulink url=\"user-limits\" />. Por ejemplo, usted podría restringir el número de logins coexistente (de un grupo dado de usuarios, o sistema-ancho) usted puede tener, el número de procesos, el tamaño de memoria......"

msgid "Control of su in PAM"
msgstr "Control de 'su' mediante PAM"

msgid "If you want to protect <command>su</command>, so that only some people can use it to become root on your system, you need to add a new group \"wheel\" to your system (that is the cleanest way, since no file has such a group permission yet). Add root and the other users that should be able to <command>su</command> to the root user to this group. Then add the following line to <filename>/etc/pam.d/su</filename>:"
msgstr "Si usted quiere proteger su (un comando), para que sólo algunas personas puedan usarlo para volverse a root en su sistema, usted necesita agregar uno nuevo para agregar un nuevo \"wheel\" de grupo a su sistema (ésa es la manera más limpia, desde que ningún archivo tiene tal un permiso de grupo todavía). Agregue el root y los otros usuarios que deberian ser capaces de ejecutar <literal>su</literal> a el usuario de root a este grupo. Entonces agregue la línea siguiente a <filename>/etc/pam.d/su</filename>:"

msgid "\n"
"  auth        requisite   pam_wheel.so group=wheel debug"
msgstr "\n"
"  auth        requisite   pam_wheel.so group=wheel debug"

msgid "This makes sure that only people from the group \"wheel\" can use <command>su</command> to become root. Other users will not be able to become root. In fact they will get a denied message if they try to become root."
msgstr "Esto asegura que sólo personas de el grupo wheel pueden usar <command>su</command> para volverse root. Otros usuarios no seran capaces de volverse root. De hecho ellos conseguirán un mensaje negado si ellos intentan volverse volverse root."

msgid "If you want only certain users to authenticate at a PAM service, this is quite easy to achieve by using files where the users who are allowed to login (or not) are stored. Imagine you only want to allow users 'ref' to log in via <command>ssh</command>. So you put them into <filename>/etc/sshusers-allowed</filename> and write the following into <filename>/etc/pam.d/ssh</filename>:"
msgstr "Si usted quiere que sólo ciertos usuarios autentiquen a un servicio de PAM, esto es bastante fácil de lograr usando los archivos dónde los usuarios que son permitidos al login (o no) se guarden. Sólo imagine que usted quiere permitirle el login de ŽrefŽto al usuario vía ssh. Así que usted lo pone en <filename>/etc/sshusers-allowed</filename> y le escribe lo siguiente en <filename>/etc/pam.d/ssh</filename>:"

msgid "\n"
"  auth        required    pam_listfile.so item=user sense=allow file=/etc/sshusers-allowed onerr=fail"
msgstr "\n"
"  auth        required    pam_listfile.so item=user sense=allow file=/etc/sshusers-allowed onerr=fail"

msgid "Temporary directories in PAM"
msgstr "Carpetas temporales en PAM"

msgid "Since there have been a number of so called insecure tempfile vulnerabilities, thttpd is one example (see <ulink url=\"http://www.debian.org/security/2005/dsa-883\">DSA-883-1</ulink>), the <application>libpam-tmpdir</application> is a good package to install. All you have to do is add the following to <filename>/etc/pam.d/common-session</filename>:"
msgstr ""

msgid "\n"
" session    optional     pam_tmpdir.so"
msgstr "\n"
" session    optional     pam_tmpdir.so"

msgid "There has also been a discussion about adding this by default in Debian configuration, but it s. See <ulink url=\"http://lists.debian.org/debian-devel/2005/11/msg00297.html\" /> for more information."
msgstr ""

msgid "Configuration for undefined PAM applications"
msgstr "Configuración de aplicaciones genéricas de PAM"

msgid "Finally, but not least, create <filename>/etc/pam.d/other</filename> and enter the following lines:"
msgstr "Por último, pero no menos importante, cree <filename>/etc/pam.d/other</filename> y coloque las líneas siguientes:"

msgid ""
"\n"
"  auth     required       pam_securetty.so\n"
"  auth     required       pam_unix_auth.so\n"
"  auth     required       pam_warn.so\n"
"  auth     required       pam_deny.so\n"
"  account  required       pam_unix_acct.so\n"
"  account  required       pam_warn.so\n"
"  account  required       pam_deny.so\n"
"  password required       pam_unix_passwd.so\n"
"  password required       pam_warn.so\n"
"  password required       pam_deny.so\n"
"  session  required       pam_unix_session.so\n"
"  session  required       pam_warn.so\n"
"  session  required       pam_deny.so"
msgstr ""
"\n"
"  auth     required       pam_securetty.so\n"
"  auth     required       pam_unix_auth.so\n"
"  auth     required       pam_warn.so\n"
"  auth     required       pam_deny.so\n"
"  account  required       pam_unix_acct.so\n"
"  account  required       pam_warn.so\n"
"  account  required       pam_deny.so\n"
"  password required       pam_unix_passwd.so\n"
"  password required       pam_warn.so\n"
"  password required       pam_deny.so\n"
"  session  required       pam_unix_session.so\n"
"  session  required       pam_warn.so\n"
"  session  required       pam_deny.so"

msgid "These lines will provide a good default configuration for all applications that support PAM (access is denied by default)."
msgstr "Estas líneas mantendrán una buena configuración predefinida en todas las aplicaciones que apoyan PAM (se niega el acceso por el valor predeterminado)."

msgid "Limiting resource usage: the <filename>limits.conf</filename> file"
msgstr "Limitación de recursos: archivo <filename>limits.conf</filename>"

msgid "You should really take a serious look into this file. Here you can define user resource limits. In old releases this configuration file was <filename>/etc/limits.conf</filename>, but in newer releases (with PAM) the <filename>/etc/security/limits.conf</filename> configuration file should be used instead."
msgstr ""

msgid "If you do not restrict resource usage, <emphasis>any</emphasis> user with a valid shell in your system (or even an intruder who compromised the system through a service or a daemon going awry) can use up as much CPU, memory, stack, etc. as the system can provide. This <emphasis>resource exhaustion</emphasis> problem can be fixed by the use of PAM."
msgstr ""

msgid "There is a way to add resource limits to some shells (for example, <command>bash</command> has <command>ulimit</command>, see <citerefentry><refentrytitle>bash</refentrytitle><manvolnum>1</manvolnum></citerefentry>), but since not all of them provide the same limits and since the user can change shells (see <citerefentry><refentrytitle>chsh</refentrytitle><manvolnum>1</manvolnum></citerefentry>) it is better to place the limits on the PAM modules as they will apply regardless of the shell used and will also apply to PAM modules that are not shell-oriented."
msgstr ""

msgid "Resource limits are imposed by the kernel, but they need to be configured through the <filename>limits.conf</filename> and the PAM configuration of the different services need to load the appropriate PAM. You can check which services are enforcing limits by running:"
msgstr ""

msgid "\n"
"$ find /etc/pam.d/ \\! -name \"*.dpkg*\" | xargs -- grep limits |grep -v \":#\""
msgstr "\n"
"$ find /etc/pam.d/ \\! -name \"*.dpkg*\" | xargs -- grep limits |grep -v \":#\""

msgid "Commonly, <filename>login</filename>, <filename>ssh</filename> and the graphic session managers (<filename>gdm</filename>, <filename>kdm</filename> or <filename>xdm</filename>) should enforce user limits but you might want to do this in other PAM configuration files, such as <filename>cron</filename>, to prevent system daemons from taking over all system resources."
msgstr ""

msgid "The specific limits settings you might want to enforce depend on your system's resources, that's one of the main reasons why no limits are enforced in the default installation."
msgstr ""

msgid "For example, the configuration example below enforces a 100 process limit for all users (to prevent <emphasis>fork bombs</emphasis>) as well as a limit of 10MB of memory per process and a limit of 10 simultaneous logins. Users in the <literal>adm</literal> group have higher limits and can produce core files if they want to (there is only a <emphasis>soft</emphasis> limit)."
msgstr ""

msgid ""
"\n"
"*              soft    core            0\n"
"*              hard    core            0\n"
"*              hard    rss             1000\n"
"*              hard    memlock         1000\n"
"*              hard    nproc           100\n"
"*              -       maxlogins       1\n"
"*              hard    data            102400\n"
"*              hard    fsize           2048\n"
"@adm           hard    core            100000\n"
"@adm           hard    rss             100000\n"
"@adm           soft    nproc           2000\n"
"@adm           hard    nproc           3000\n"
"@adm           hard    fsize           100000\n"
"@adm           -       maxlogins       10"
msgstr ""
"\n"
"*              soft    core            0\n"
"*              hard    core            0\n"
"*              hard    rss             1000\n"
"*              hard    memlock         1000\n"
"*              hard    nproc           100\n"
"*              -       maxlogins       1\n"
"*              hard    data            102400\n"
"*              hard    fsize           2048\n"
"@adm           hard    core            100000\n"
"@adm           hard    rss             100000\n"
"@adm           soft    nproc           2000\n"
"@adm           hard    nproc           3000\n"
"@adm           hard    fsize           100000\n"
"@adm           -       maxlogins       10"

msgid "These would be the limits a default user (including system daemons) would have:"
msgstr ""

msgid ""
"\n"
"$ ulimit -a\n"
"core file size        (blocks, -c) 0\n"
"data seg size         (kbytes, -d) 102400\n"
"file size             (blocks, -f) 2048\n"
"max locked memory     (kbytes, -l) 10000\n"
"max memory size       (kbytes, -m) 10000\n"
"open files                    (-n) 1024\n"
"pipe size          (512 bytes, -p) 8\n"
"stack size            (kbytes, -s) 8192\n"
"cpu time             (seconds, -t) unlimited\n"
"max user processes            (-u) 100\n"
"virtual memory        (kbytes, -v) unlimited"
msgstr ""
"\n"
"$ ulimit -a\n"
"core file size        (blocks, -c) 0\n"
"data seg size         (kbytes, -d) 102400\n"
"file size             (blocks, -f) 2048\n"
"max locked memory     (kbytes, -l) 10000\n"
"max memory size       (kbytes, -m) 10000\n"
"open files                    (-n) 1024\n"
"pipe size          (512 bytes, -p) 8\n"
"stack size            (kbytes, -s) 8192\n"
"cpu time             (seconds, -t) unlimited\n"
"max user processes            (-u) 100\n"
"virtual memory        (kbytes, -v) unlimited"

msgid "And these are the limits for an administrative user:"
msgstr "estos son los limites para un usuarios administrador:"

msgid ""
"\n"
"$ ulimit -a\n"
"core file size        (blocks, -c) 0\n"
"data seg size         (kbytes, -d) 102400\n"
"file size             (blocks, -f) 100000\n"
"max locked memory     (kbytes, -l) 100000\n"
"max memory size       (kbytes, -m) 100000\n"
"open files                    (-n) 1024\n"
"pipe size          (512 bytes, -p) 8\n"
"stack size            (kbytes, -s) 8192\n"
"cpu time             (seconds, -t) unlimited\n"
"max user processes            (-u) 2000\n"
"virtual memory        (kbytes, -v) unlimited"
msgstr ""
"\n"
"$ ulimit -a\n"
"core file size        (blocks, -c) 0\n"
"data seg size         (kbytes, -d) 102400\n"
"file size             (blocks, -f) 100000\n"
"max locked memory     (kbytes, -l) 100000\n"
"max memory size       (kbytes, -m) 100000\n"
"open files                    (-n) 1024\n"
"pipe size          (512 bytes, -p) 8\n"
"stack size            (kbytes, -s) 8192\n"
"cpu time             (seconds, -t) unlimited\n"
"max user processes            (-u) 2000\n"
"virtual memory        (kbytes, -v) unlimited"

msgid "For more information read:"
msgstr ""

msgid "<ulink url=\"http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-6.html\"> PAM reference guide for available modules</ulink>"
msgstr ""

msgid "<ulink url=\"http://www.samag.com/documents/s=1161/sam0009a/0009a.htm\">PAM configuration article</ulink>."
msgstr ""

msgid "<ulink url=\"http://seifried.org/security/os/linux/20020324-securing-linux-step-by-step.html\"> Seifried's Securing Linux Step by Step</ulink> on the <emphasis>Limiting users overview</emphasis> section."
msgstr ""

msgid "<ulink url=\"http://seifried.org/lasg/users/\">LASG</ulink> in the <emphasis>Limiting and monitoring users</emphasis> section."
msgstr ""

msgid "User login actions: edit <filename>/etc/login.defs</filename>"
msgstr ""

msgid "The next step is to edit the basic configuration and action upon user login. Note that this file is not part of the PAM configuration, it's a configuration file honored by <application>login</application> and <command>su</command> programs, so it doesn't make sense tuning it for cases where neither of the two programs are at least indirectly called (the <command>getty</command> program which sits on the consoles and offers the initial login prompt <emphasis>does</emphasis> invoke <command>login</command>)."
msgstr ""

msgid "\n"
"  FAILLOG_ENAB        yes"
msgstr "\n"
"  FAILLOG_ENAB        yes"

msgid "If you enable this variable, failed logins will be logged. It is important to keep track of them to catch someone who tries a brute force attack."
msgstr "Si usted habilita esta variable, se anotarán los logins fallados. Es importante guardar huella de ellos para coger a alguien que pruebe un ataque de fuerza bruta."

msgid "\n"
"  LOG_UNKFAIL_ENAB    no"
msgstr "\n"
"  LOG_UNKFAIL_ENAB    no"

msgid "If you set this variable to 'yes' it will record unknown usernames if the login failed. It is best if you use 'no' (the default) since, otherwise, user passwords might be inadvertenly logged here (if a user mistypes and they enter their password as the username). If you set it to 'yes', make sure the logs have the proper permissions (640 for example, with an appropriate group setting such as adm)."
msgstr ""

msgid "\n"
"  SYSLOG_SU_ENAB      yes"
msgstr "\n"
"  SYSLOG_SU_ENAB      yes"

msgid "This one enables logging of <command>su</command> attempts to <filename>syslog</filename>. Quite important on serious machines but note that this can create privacy issues as well."
msgstr "Este uno habilita el logging de la pueba <literal>su</literal> a syslog. Bastante importante en serias maquinas pero note que esto puede crear el retiro de los resultados a medida que esten bien."

msgid "\n"
"  SYSLOG_SG_ENAB      yes"
msgstr "\n"
"  SYSLOG_SG_ENAB      yes"

msgid "The same as <varname>SYSLOG_SU_ENAB</varname> but applies to the <command>sg</command> program."
msgstr ""

msgid "\n"
"  ENCRYPT_METHOD  SHA512"
msgstr "\n"
"  ENCRYPT_METHOD  SHA512"

msgid "As stated above, encrypted passwords greatly reduce the problem of dictionary attacks, since you can use longer passwords. This definition has to be consistent with the value defined in <filename>/etc/pam.d/common-password</filename>."
msgstr ""

msgid "User login actions: edit <filename>/etc/pam.d/login</filename>"
msgstr ""

msgid "You can adjust the login configuration file to implement an stricter policy. For example, you can change the default configuration and increase the delay time between login prompts. The default configuration sets a 3 seconds delay:"
msgstr ""

msgid "\n"
"auth       optional   pam_faildelay.so  delay=3000000"
msgstr "\n"
"auth       optional   pam_faildelay.so  delay=3000000"

msgid "Increasing the <emphasis>delay</emphasis> value to a higher value to make it harder to use the terminal to log in using brute force. If a wrong password is typed in, the possible attacker (or normal user!) has to wait longer seconds to get a new login prompt, which is quite time consuming when you test passwords. For example, if you set <emphasis>delay=10000000</emphasis>, users will have to wait 10 seconds if they type a wrong password."
msgstr ""

msgid "In this file you can also set the system to present a message to users before a user logs in. The default is disabled, as shown below:"
msgstr ""

msgid "\n"
"# auth       required   pam_issue.so issue=/etc/issue"
msgstr "\n"
"# auth       required   pam_issue.so issue=/etc/issue"

msgid "If required by your security policy, this file can be used to show a standard message indicating that access to the system is restricted and user acess is logged. This kind of disclaimer might be required in some environments and jurisdictions. To enable it, just include the relevant information in the <filename>/etc/issue</filename> <footnote><para>The default content of this file provides information about the operating system and version run by the system, which you might not want to provide to anonymous users.</para></footnote> file and uncomment the line enabling the pam_issue.so module in <filename>/etc/pam.d/login</filename>. In this file you can also enable additional features which might be relevant to apply local security policies such as:"
msgstr ""

msgid "setting rules for which users can access at which times, by enabling the <emphasis>pam_time.so</emphasis> module and configuring <filename>/etc/security/time.conf</filename> accordingly (disabled by default),"
msgstr ""

msgid "setup login sessions to use user limits as defined in <filename>/etc/security/limits.conf</filename> (enabled by default),"
msgstr ""

msgid "present the user with the information of previous login information (enabled by default),"
msgstr ""

msgid "print a message (<filename>/etc/motd</filename> and <filename>/run/motd.dynamic</filename>) to users after login in (enabled by default),"
msgstr ""

msgid "Restricting ftp: editing <filename>/etc/ftpusers</filename>"
msgstr ""

msgid "The <filename>/etc/ftpusers</filename> file contains a list of users who are not allowed to log into the host using ftp. Only use this file if you really want to allow ftp (which is not recommended in general, because it uses clear-text passwords). If your daemon supports PAM, you can also use that to allow and deny users for certain services."
msgstr "Este archivo contiene una lista de usuarios no autorizados a entrar en el sistema mediante ftp. Sĺo debería emplear este archivo si desea prpoprcionar ftp (lo cual es -en general- poco aconsejable debido al uso de contraseñas sin cifrar). Si incorpora soporte para PAM, puede autorizar o denegar el uso de ciertos servicios a los usuarios."

msgid "FIXME (BUG): Is it a bug that the default <filename>ftpusers</filename> in Debian does <emphasis>not</emphasis> include all the administrative users (in <application>base-passwd</application>)."
msgstr "FIXME (BUG): Is it a bug that the default <filename>ftpusers</filename> in Debian does <emphasis>not</emphasis> include all the administrative users (in <application>base-passwd</application>)."

msgid "A convenient way to add all system accounts to the <filename>/etc/ftpusers</filename> is to run"
msgstr ""

msgid "\n"
"$ awk -F : '{if ($3&lt;1000) print $1}' /etc/passwd &gt; /etc/ftpusers"
msgstr "\n"
"$ awk -F : '{if ($3&lt;1000) print $1}' /etc/passwd &gt; /etc/ftpusers"

msgid "Using su"
msgstr "Uso de su"

msgid "If you really need users to become the super user on your system, e.g. for installing packages or adding users, you can use the command <command>su</command> to change your identity. You should try to avoid any login as user root and instead use <command>su</command>. Actually, the best solution is to remove <command>su</command> and switch to the <command>sudo</command> mechanism which has a broader logic and more features than <command>su</command>. However, <command>su</command> is more common as it is used on many other Unices."
msgstr "Si usted realmente necesita que los usuarios se vuelvan el super usuario en su sistema,e.g. por instalar los paquetes o agregar usuarios, usted puede usar el comando <command>su</command> para cambiar su identidad. Usted debe intentar evitar cualquier login como root del usuario y en cambio usar <command>su</command>. Realmente, la mejor solución es quitar su y cambiar a <command>sudo</command>, como él tiene más rasgos que <command>su</command>. Sin embargo,<command>su</command> es más común como se usa en muchos otro Unixes."

msgid "Using sudo"
msgstr "Uso de sudo"

msgid "<command>sudo</command> allows the user to execute defined commands under another user's identity, even as root. If the user is added to <filename>/etc/sudoers</filename> and authenticates correctly, the commands defined in <filename>/etc/sudoers</filename> get enabled. Violations, such as incorrect passwords or trying to run a program you don't have permission for, are logged and mailed to root."
msgstr "sudo le permite al usuario ejecutar los comandos definidos bajo la identidad de otro usuario, así como root. Si el usuario agrega a <filename>/etc/sudoers</filename> y se autentica correctamente, él es capaz de avanzar comandos en que se ha definido <filename>/etc/sudoers</filename>. Las Violaciones, como las contraseñas incorrectas o intentos de ejecutar un programa usted no tienen permiso para ser anotado y mandado por correo a root."

msgid "Disallow remote administrative access"
msgstr "Prohibición administración remota"

msgid "You should also modify <filename>/etc/security/access.conf</filename> to disallow remote logins to administrative accounts. This way users need to invoke <command>su</command> (or <command>sudo</command>) to use any administrative powers and the appropriate audit trace will always be generated."
msgstr ""

msgid "You need to add the following line to <filename>/etc/security/access.conf</filename>, the default Debian configuration file has a sample line commented out:"
msgstr ""

msgid "\n"
"   -:wheel:ALL EXCEPT LOCAL"
msgstr "\n"
"   -:wheel:ALL EXCEPT LOCAL"

msgid "Remember to enable the <application>pam_access</application> module for every service (or default configuration) in <filename>/etc/pam.d/</filename> if you want your changes to <filename>/etc/security/access.conf</filename> honored."
msgstr ""

msgid "Restricting users's access"
msgstr "Restringiendo usuarios"

msgid "Sometimes you might think you need to have users created in your local system in order to provide a given service (pop3 mail service or ftp). Before doing so, first remember that the PAM implementation in Debian GNU/Linux allows you to validate users with a wide variety of external directory services (radius, ldap, etc.) provided by the libpam packages."
msgstr "A veces usted podría pensar que necesita tener los usuarios creados en su sistema local para proporcionar un servicio (pop3 manda por correo el servicio o ftp). Antes de hacer eso, primero recuerde que la aplicación de PAM en Debian GNU/Linux le permite validar a los usuarios con una variedad ancha de el servicio de directorio externo (el radio, el ldap, etc.) con tal de que por el ,el libpam sea empacado."

msgid "If users need to be created and the system can be accessed remotely take into account that users will be able to log in to the system. You can fix this by giving users a null (<filename>/dev/null</filename>) shell (it would need to be listed in <filename>/etc/shells</filename>). If you want to allow users to access the system but limit their movements, you can use the <filename>/bin/rbash</filename>, equivalent to adding the <literal>-r</literal> option in <command>bash</command> (<emphasis>RESTRICTED SHELL</emphasis> see <citerefentry><refentrytitle>bash</refentrytitle><manvolnum>1</manvolnum></citerefentry> ). Please note that even with restricted shell, a user that access an interactive program (that might allow execution of a subshell) could be able to bypass the limits of the shell."
msgstr "Si los usuarios necesitan ser creados y el sistema puede ser remotamente de acceso tome en cuenta que los usuarios sean capaces al login al sistema. Usted puede arreglar esto dando a los usuarios una nula (<filename>/dev/null</filename>) interfaz de comandos (él necesitaría ser listada en <filename>/etc/shells</filename>). Si usted quiere permítales a los usuarios acceder a el sistema pero limitar sus movimientos, usted puede usar el <filename>/bin/rbash</filename>, equivalente a agregar la opción <literal>-r</literal> en bash (<emphasis>RESTICTED SHELL</emphasis> ver <citerefentry><refentrytitle>bash</refentrytitle><manvolnum>1</manvolnum></citerefentry>). Por favor note que incluso con la interfaz de comandos restringido, un usuario que entra en acceso a un programa interactivo (eso podría permitirle la ejecución de un subshell) podría poder desviar los límites de el shell."

msgid "Debian currently provides in the unstable release (and might be included in the next stable releases) the <filename>pam_chroot</filename> module (in the <application> libpam-chroot</application>). An alternative to it is to <command>chroot</command> the service that provides remote logging (<command>ssh</command>, <command>telnet</command>). <footnote><para><application>libpam-chroot</application> has not been yet thoroughly tested, it does work for <command>login</command> but it might not be easy to set up the environment for other programs</para></footnote>"
msgstr ""

msgid "If you wish to restrict <emphasis>when</emphasis> users can access the system you will have to customize <filename>/etc/security/access.conf</filename> for your needs."
msgstr "Si usted desea restringirlo <emphasis>when</emphasis> los usuarios pueden acceder a el sistema que usted quiere tener personalizado <filename>/etc/security/access.conf</filename> para sus necesidades."

msgid "Information on how to <command>chroot</command> users accessing the system through the <command>ssh</command> service is described in <xref linkend=\"chroot-ssh-env\" />."
msgstr ""

msgid "User auditing"
msgstr "Auditoría de usuarios"

msgid "If you are really paranoid you might want to add a system-wide configuration to audit what the users are doing in your system. This sections presents some tips using diverse utilities you can use."
msgstr ""

msgid "Input and output audit with script"
msgstr ""

msgid "You can use the <command>script</command> command to audit both what the users run and what are the results of those commands. You cannot setup <command>script</command> as a shell (even if you add it to <filename>/etc/shells</filename>). But you can have the shell initialization file run the following:"
msgstr ""

msgid ""
"\n"
"umask 077\n"
"exec script -q -a \"/var/log/sessions/$USER\""
msgstr ""
"\n"
"umask 077\n"
"exec script -q -a \"/var/log/sessions/$USER\""

msgid "Of course, if you do this system wide it means that the shell would not continue reading personal initialization files (since the shell gets overwritten by <command>script</command>). An alternative is to do this in the user's initialization files (but then the user could remove this, see the comments about this below)"
msgstr ""

msgid "You also need to setup the files in the audit directory (in the example <filename>/var/log/sessions/</filename>) so that users can write to it but cannot remove the file. This could be done, for example, by creating the user session files in advance and setting them with the <emphasis>append-only</emphasis> flag using <command>chattr</command>."
msgstr ""

msgid "A useful alternative for sysadmins, which includes date information would be:"
msgstr ""

msgid ""
"\n"
"umask 077\n"
"exec script -q -a \"/var/log/sessions/$USER-`date +%Y%m%d`\""
msgstr ""
"\n"
"umask 077\n"
"exec script -q -a \"/var/log/sessions/$USER-`date +%Y%m%d`\""

msgid "Using the shell history file"
msgstr ""

msgid "If you want to review what does the user type in the shell (but not what the result of that is) you can setup a system-wide <filename>/etc/profile</filename> that configures the environment so that all commands are saved into a history file. The system-wide configuration needs to be setup in such a way that users cannot remove audit capabilities from their shell. This is somewhat shell specific so make sure that all users are using a shell that supports this."
msgstr ""

msgid "For example, for bash, the <filename>/etc/profile</filename> could be set as follows <footnote><para> Setting HISTSIZE to a very large number can cause issues under some shells since the history is kept in memory for every user session. You might be safer if you set this to a high-enough value and backup user's history files (if you need all of the user's history for some reason)</para></footnote> :"
msgstr ""

msgid ""
"\n"
"  HISTFILE=~/.bash_history\n"
"  HISTSIZE=10000\n"
"  HISTFILESIZE=999999\n"
"  # Don't let the users enter commands that are ignored\n"
"  # in the history file\n"
"  HISTIGNORE=\"\"\n"
"  HISTCONTROL=\"\"\n"
"  readonly HISTFILE\n"
"  readonly HISTSIZE\n"
"  readonly HISTFILESIZE\n"
"  readonly HISTIGNORE\n"
"  readonly HISTCONTROL\n"
"  export HISTFILE HISTSIZE HISTFILESIZE HISTIGNORE HISTCONTROL"
msgstr ""
"\n"
"  HISTFILE=~/.bash_history\n"
"  HISTSIZE=10000\n"
"  HISTFILESIZE=999999\n"
"  # Don't let the users enter commands that are ignored\n"
"  # in the history file\n"
"  HISTIGNORE=\"\"\n"
"  HISTCONTROL=\"\"\n"
"  readonly HISTFILE\n"
"  readonly HISTSIZE\n"
"  readonly HISTFILESIZE\n"
"  readonly HISTIGNORE\n"
"  readonly HISTCONTROL\n"
"  export HISTFILE HISTSIZE HISTFILESIZE HISTIGNORE HISTCONTROL"

msgid "For this to work, the user can only append information to <filename>.bash_history</filename> file. You need <emphasis>also</emphasis> to set the <emphasis>append-only</emphasis> option using <command>chattr</command> program for <filename>.bash_history</filename> for all users. <footnote><para> Without the append-only flag users would be able to empty the contents of the history file running <filename> &gt; .bash_history</filename></para></footnote>."
msgstr ""

msgid "Note that you could introduce the configuration above in the user's <filename>.profile</filename>. But then you would need to setup permissions properly in such a way that prevents the user from modifying this file. This includes: having the user's home directories <emphasis>not</emphasis> belong to the user (since the user would be able to remove the file otherwise) but at the same time allow the user to read the <filename>.profile</filename> configuration file and write on the <filename>.bash_history</filename>. It would be good to set the <emphasis>immutable</emphasis> flag (also using <command>chattr</command>) for <filename>.profile</filename> too if you do it this way."
msgstr ""

msgid "Complete user audit with accounting utilities"
msgstr "Auditoría total de usuarios mediante contabilidad de utilidades"

msgid "The previous example is a simple way to configure user auditing but might be not useful for complex systems or for those in which users do not run shells at all (or exclusively). If this is your case, you need to look at <application>acct</application>, the accounting utilities. These utilities will log all the commands run by users or processes in the system, at the expense of disk space."
msgstr "El ejemplo anterior es una manera simple de configurar el usuario interviniendo el cual no podría ser útil para los sistemas complejos. Si éste es su caso, usted necesita mirar a <application>acct</application>, la contabilidad de utilidades. Éstos anotarán todos los comandos corridos por usuarios o procesos en el sistema, al gasto de espacio del disco."

msgid "When activating accounting, all the information on processes and users is kept under <filename>/var/account/</filename>, more specifically in the <filename>pacct</filename>. The accounting package includes some tools (<command>sa</command>, <command>ac</command> and <command>lastcomm</command>) to analyse this data."
msgstr "Al activar la contabilidad, toda la información sobre los procesos y el usuario se guarda bajo <filename>/var/account/</filename>, más específicamente en el <filename>pacct</filename>. El paquete de contabilidad incluye algunas herramientas (<command>sa</command> y <command>ac</command>) para analizar estos datos."

msgid "Other user auditing methods"
msgstr "Otros métodos de auditoría"

msgid "If you are completely paranoid and want to audit every user's command, you could take <command>bash</command> source code, edit it and have it send all that the user typed into another file. Or have <application>ttysnoop</application> constantly monitor any new ttys <footnote><para>Ttys are spawned for local logins and remote logins through ssh and telnet</para></footnote> and dump the output into a file. Other useful program is <application>snoopy</application> (see also <ulink name=\"the project page\" url=\"http://sourceforge.net/projects/snoopylogger/\" />) which is a user-transparent program that hooks in as a library providing a wrapper around <varname>execve()</varname> calls, any command executed is logged to <command>syslogd</command> using the <literal>authpriv</literal> facility (usually stored at <filename>/var/log/auth.log</filename>)."
msgstr "Si usted es completamente paranoico y quiere intervenir en el comando de cada usuario,usted podría tomar bash a el código de la fuente, revise este y haga envío a todos de que el usuario tecleó en otro archivo. O tiene <application>ttysnoop</application> constantemente algun nuevo monitor ttys y dump en el rendimiento en un archivo. Otro programa útil es <ulink name=\"Snoopy\" url=\"http://sourceforge.net/project/?group_id=2091\" /> el cual es un programa usuario-transparente que engancha como en una bibliotecaproporcionando una envoltura alrededor del execve llamadas (), cualquier comando ejecuta el estar anotado a syslogd usando la facilidad del <literal>authpriv</literal> facility (usualmente storead a <filename>/var/log/auth.log</filename>."

msgid "Reviewing user profiles"
msgstr "Repasando los perfiles del usuario"

msgid "If you want to <emphasis>see</emphasis> what users are actually doing when they logon to the system you can use the <filename>wtmp</filename> database that includes all login information. This file can be processed with several utilities, amongst them <command>sac</command> which can output a profile on each user showing in which timeframe they usually log on to the system."
msgstr "Si usted quiere normalmente <emphasis>see</emphasis> a los usuarios qué están haciendo, cuando esten ellos conectándos usted pueden usar la base de datos de <filename>wtmp</filename> que incluye toda la información del login. Este archivo puede procesarse con varias utilidades, entre ellos <command>sac</command> el cual puede hacer un profile en cada usuario que muestra en que estructura de tiempo ellos normalmente anotan adelante en el sistema."

msgid "In case you have accounting activated, you can also use the tools provided by it in order to determine when the users access the system and what do they execute."
msgstr "En caso de que usted tiene la contabilidad activada, usted también puede usar las herramientas con tal de que por esto en el comando determine cuando los usuarios acceden a el sistema y qué ellos ejecuten."

msgid "Setting users umasks"
msgstr ""

msgid "Depending on your user policy you might want to change how information is shared between users, that is, what the default permissions of new files created by users are."
msgstr ""

msgid "Debian's default <literal>umask</literal> setting is <emphasis>022</emphasis> this means that files (and directories) can be read and accessed by the user's group and by any other users in the system. This definition is set in the standard configuration file <filename>/etc/profile</filename> which is used by all shells."
msgstr ""

msgid "If Debian's default value is too permissive for your system you will have to change the umask setting for all the shells. More restrictive umask settings include 027 (no access is allowed to new files for the <emphasis>other</emphasis> group, i.e. to other users in the system) or 077 (no access is allowed to new files to the members the user's group). Debian (by default<footnote><para>As defined in <filename>/etc/adduser.conf</filename> (USERGROUPS=yes). You can change this behaviour if you set this value to no, although it is not recommended</para></footnote>) creates one group per user so that only the user is included in its group. Consequently 027 and 077 are equivalent as the user's group contains only the user."
msgstr ""

msgid "This change is set by defining a proper <literal>umask</literal> setting for all users. You can change this by introducing an <command>umask</command> call in the shell configuration files: <filename>/etc/profile</filename> (source by all Bourne-compatible shells), <filename>/etc/csh.cshrc</filename>, <filename>/etc/csh.login</filename>, <filename>/etc/zshrc</filename> and probably some others (depending on the shells you have installed on your system). You can also change the <varname>UMASK</varname> setting in <filename>/etc/login.defs</filename>, Of all of these the last one that gets loaded by the shell takes precedence. The order is: the default system configuration for the user's shell (i.e. <filename>/etc/profile</filename> and other system-wide configuration files) and then the user's shell (his <filename>~/.profile</filename>, <filename>~/.bash_profile</filename>, etc...). Some shells, however, can be executed with a <emphasis>nologin</emphasis> value which might skip sourcing some of those files. See your shell's manpage for additional information."
msgstr ""

msgid "For connections that make use of <command>login</command> the UMASK definition in <filename>/etc/login.defs</filename> is used before any of the others. However, that value does not apply to user executed programs that do not use <command>login</command> such as those run through <command>su</command>, <command>cron</command> or <command>ssh</command>."
msgstr ""

msgid "Don't forget to review and maybe modify the dotfiles under <filename>/etc/skel/</filename> since these will be new user's defaults when created with the <command>adduser</command> command. Debian default dotfiles do not include any <command>umask</command> call but if there is any in the dotfiles newly created users might a different value."
msgstr ""

msgid "Note, however that users can modify their own <literal>umask</literal> setting if they want to, making it more permissive or more restricted, by changing their own dotfiles."
msgstr ""

msgid "The <application>libpam-umask</application> package adjusts the users' default <literal>umask</literal> using PAM. Add the following, after installing the package, to <filename>/etc/pam.d/common-session</filename>:"
msgstr ""

msgid "\n"
"session    optional     pam_umask.so umask=077"
msgstr "\n"
"session    optional     pam_umask.so umask=077"

msgid "Finally, you should consider changing root's default 022 umask (as defined in <filename>/root/.bashrc</filename>) to a more strict umask. That will prevent the system administrator from inadvertenly dropping sensitive files when working as root to world-readable directories (such as <filename>/tmp</filename>) and having them available for your average user."
msgstr ""

msgid "Limiting what users can see/access"
msgstr "Limitar el acceso a los usuarios"

msgid "FIXME: Content needed. Describe the consequences of changing packages permissions when upgrading (an admin this paranoid should <command>chroot</command> his users BTW) if not using <command>dpkg-statoverride</command>."
msgstr "FIXME: Content needed. Describe the consequences of changing packages permissions when upgrading (an admin this paranoid should <command>chroot</command> his users BTW) if not using <command>dpkg-statoverride</command>."

msgid "If you need to grant users access to the system with a shell think about it very carefully. A user can, by default unless in a severely restricted environment (like a <literal>chroot</literal> jail), retrieve quite a lot of information from your system including:"
msgstr ""

msgid "some configuration files in <filename>/etc</filename>. However, Debian's default permissions for some sensitive files (which might, for example, contain passwords), will prevent access to critical information. To see which files are only accessible by the root user for example"
msgstr ""

msgid "<userinput>find /etc -type f -a -perm 600 -a -uid 0</userinput>"
msgstr "<userinput>find /etc -type f -a -perm 600 -a -uid 0</userinput>"

msgid "as superuser."
msgstr ""

msgid "your installed packages, either by looking at the package database, at the <filename>/usr/share/doc</filename> directory or by guessing by looking at the binaries and libraries installed in your system."
msgstr ""

msgid "some log files at <filename>/var/log</filename>. Note also that some log files are only accessible to root and the <literal>adm</literal> group (try"
msgstr ""

msgid "<userinput>find /var/log -type f -a -perm 640</userinput>"
msgstr "<userinput>find /var/log -type f -a -perm 640</userinput>"

msgid ") and some are even only available to the root user (try"
msgstr ""

msgid "<userinput>find /var/log -type f -a -perm\n"
"    600 -a -uid 0</userinput>"
msgstr "<userinput>find /var/log -type f -a -perm\n"
"    600 -a -uid 0</userinput>"

msgid ")."
msgstr ")."

msgid "What can a user see in your system? Probably quite a lot of things, try this (take a deep breath):"
msgstr ""

msgid ""
"\n"
"  find / -type f -a -perm +006 2&gt;/dev/null  \n"
"  find / -type d -a -perm +007 2&gt;/dev/null  "
msgstr ""
"\n"
"  find / -type f -a -perm +006 2&gt;/dev/null  \n"
"  find / -type d -a -perm +007 2&gt;/dev/null  "

msgid "The output is the list of files that a user can <emphasis>see</emphasis> and the accessable directories."
msgstr ""

msgid "Limiting access to other user's information"
msgstr "Limitar el acceso a los datos de otros usuarios"

msgid "If you still grant shell access to users you might want to limit what information they can view from other users. Users with shell access have a tendency to create quite a number of files under their $HOMEs: mailboxes, personal documents, configuration of X/GNOME/KDE applications..."
msgstr ""

msgid "In Debian each user is created with one associated group, and no two users belong to the same group. This is the default behavior: when an user account is created, a group of the same name is created too, and the user is assigned to it. This avoids the concept of a common <emphasis>users</emphasis> group which might make it more difficult for users to hide information from other users."
msgstr ""

msgid "However, users' <varname>$HOME</varname> directories are created with 0755 permissions (group-readable and world-readable). The group permissions is not an issue since only the user belongs to the group, however the world permissions might (or might not) be an issue depending on your local policy."
msgstr ""

msgid "You can change this behavior so that user creation provides different <varname>$HOME</varname> permissions. To change the behavior for <emphasis>new</emphasis> users when they get created, change <emphasis>DIR_MODE</emphasis> in the configuration file <filename>/etc/adduser.conf</filename> to 0750 (no world-readable access)."
msgstr ""

msgid "Users can still share information, but not directly in their <varname>$HOME</varname> directories unless they change its permissions."
msgstr ""

msgid "Note that disabling world-readable home directories will prevent users from creating their personal web pages in the <filename>~/public_html</filename> directory, since the web server will not be able to read one component in the path - namely their <varname>$HOME</varname> directory. If you want to permit users to publish HTML pages in their <filename>~/public_html</filename>, then change <emphasis>DIR_MODE</emphasis> to 0751. This will allow the web server to access the final <filename>public_html</filename> directory (which itself should have a mode of 0755) and provide the content published by users. Of course, we are only talking about a default configuration here; users can generally tune modes of their own files completely to their liking, or you could keep content intended for the web in a separate location which is not a subdirectory of user's <varname>$HOME</varname> directory."
msgstr ""

msgid "Generating user passwords"
msgstr "Generación de contraseñas de usuario"

msgid "There are many cases when an administrator needs to create many user accounts and provide passwords for all of them. Of course, the administrator could easily just set the password to be the same as the user's account name, but that would not be very sensitive security-wise. A better approach is to use a password generating program. Debian provides <application>makepasswd</application>, <application>apg</application> and <application>pwgen</application> packages which provide programs (the name is the same as the package) that can be used for this purpose. <command>Makepasswd</command> will generate true random passwords with an emphasis on security over pronounceability while <command>pwgen</command> will try to make meaningless but pronounceable passwords (of course this might depend on your mother language). <command>Apg</command> has algorithms to provide for both (there is a client/server version for this program but it is not included in the Debian package)."
msgstr ""

msgid "<command>Passwd</command> does not allow non-interactive assignation of passwords (since it uses direct tty access). If you want to change passwords when creating a large number of users you can create them using <command>adduser</command> with the <literal>--disabled-login</literal> option and then use <command>usermod</command> or <command>chpasswd</command> <footnote><para> <command>Chpasswd</command> cannot handle MD5 password generation so it needs to be given the password in encrypted form before using it, with the <screen><userinput>-e</userinput></screen> option. </para></footnote> (both from the <application>passwd</application> package so you already have them installed). If you want to use a file with all the information to make users as a batch process you might be better off using <command>newusers</command>."
msgstr ""

msgid "Checking user passwords"
msgstr "Comprobación de contraseñas de usuarios"

msgid "User passwords can sometimes become the <emphasis>weakest link</emphasis> in the security of a given system. This is due to some users choosing weak passwords for their accounts (and the more of them that have access to it the greater the chances of this happening). Even if you established checks with the cracklib PAM module and password limits as described in <xref linkend=\"auth-pam\" /> users will still be able to use weak passwords. Since user access might include remote shell access (over <command>ssh</command>, hopefully) it's important to make password guessing as hard as possible for the remote attackers, especially if they were somehow able to collect important information such as usernames or even the <filename>passwd</filename> and <filename>shadow</filename> files themselves."
msgstr ""

msgid "A system administrator must, given a big number of users, check if the passwords they have are consistent with the local security policy. How to check? Try to crack them as an attacker would if having access to the hashed passwords (the <filename>/etc/shadow</filename> file)."
msgstr ""

msgid "An administrator can use <application>john</application> or <application>crack</application> (both are brute force password crackers) together with an appropriate wordlist to check users' passwords and take appropriate action when a weak password is detected. You can search for Debian GNU packages that contain word lists using <command>apt-cache search wordlist</command>, or visit the classic Internet wordlist sites such as <ulink url=\"ftp://ftp.ox.ac.uk/pub/wordlists\" /> or <ulink url=\"ftp://ftp.cerias.purdue.edu/pub/dict\" />."
msgstr ""

msgid "Logging off idle users"
msgstr "Sacando usuarios inactivos"

msgid "Idle users are usually a security problem, a user might be idle maybe because he's out to lunch or because a remote connection hung and was not re-established. For whatever the reason, idle users might lead to a compromise:"
msgstr ""

msgid "because the user's console might be unlocked and can be accessed by an intruder."
msgstr ""

msgid "because an attacker might be able to re-attach to a closed network connection and send commands to the remote shell (this is fairly easy if the remote shell is not encrypted as in the case of <command>telnet</command>)."
msgstr ""

msgid "Some remote systems have even been compromised through an idle (and detached) <command>screen</command>."
msgstr ""

msgid "Automatic disconnection of idle users is usually a part of the local security policy that must be enforced. There are several ways to do this:"
msgstr ""

msgid "If <application>bash</application> is the user shell, a system administrator can set a default <varname>TMOUT</varname> value (see <citerefentry><refentrytitle>bash</refentrytitle><manvolnum>1</manvolnum></citerefentry>) which will make the shell automatically log off remote idle users. Note that it must be set with the <literal>-o</literal> option or users will be able to change (or unset) it."
msgstr ""

msgid "Install <application>timeoutd</application> and configure <filename>/etc/timeouts</filename> according to your local security policy. The daemon will watch for idle users and time out their shells accordingly."
msgstr ""

msgid "Install <application>autolog</application> and configure it to remove idle users."
msgstr ""

msgid "The <command>timeoutd</command> or <command>autolog</command> daemons are the preferred method since, after all, users can change their default shell or can, after running their default shell, switch to another (uncontrolled) shell."
msgstr ""

msgid "Using tcpwrappers"
msgstr "Uso de tcpwrappers"

msgid "TCP wrappers were developed when there were no real packet filters available and access control was needed. Nevertheless, they're still very interesting and useful. The TCP wrappers allow you to allow or deny a service for a host or a domain and define a default allow or deny rule (all performed on the application level). If you want more information take a look at <citerefentry><refentrytitle>hosts_access</refentrytitle> <manvolnum>5</manvolnum></citerefentry> manual page."
msgstr ""

msgid "Many services installed in Debian are either:"
msgstr "Muchos servicios instalados en Debian son cualquiera de estos dos:"

msgid "launched through the tcpwrapper service (<filename>tcpd</filename>)"
msgstr "lanzó a través del servicio del tcpwrapper (<filename>tcpd</filename>)"

msgid "compiled with libwrapper support built-in."
msgstr "compiló con el soporte libwrapper incorporado."

msgid "On the one hand, for services configured in <filename>/etc/inetd.conf</filename> (this includes <command>telnet</command>, <command>ftp</command>, <command>netbios</command>, <command>swat</command> and <command>finger</command>) you will see that the configuration file executes <command>/usr/sbin/tcpd</command> first. On the other hand, even if a service is not launched by the <command>inetd</command> superdaemon, support for the tcp wrappers rules can be compiled into it. Services compiled with tcp wrappers in Debian include <command>ssh</command>, <command>portmap</command>, <command>in.talk</command>, <command>rpc.statd</command>, <command>rpc.mountd</command>, <command>gdm</command>, <command>oaf</command> (the GNOME activator daemon), <command>nessus</command> and many others."
msgstr ""

msgid "To see which packages use tcpwrappers <footnote><para> On older Debian releases you might need to do this: <screen> $ apt-cache showpkg libwrap0 | egrep '^[[:space:]]' | sort -u | \\ sed 's/,libwrap0$//;s/^[[:space:]]\\+//' </screen> </para></footnote> try:"
msgstr ""

msgid "\n"
"  $ apt-cache rdepends libwrap0"
msgstr "\n"
"  $ apt-cache rdepends libwrap0"

msgid "Take this into account when running <command>tcpdchk</command> (a very useful TCP wrappers config file rule and syntax checker). When you add stand-alone services (that are directly linked with the wrapper library) into the <filename>hosts.deny</filename> and <filename>hosts.allow</filename> files, <command>tcpdchk</command> will warn you that it is not able to find the mentioned services since it only looks for them in <filename>/etc/inetd.conf</filename> (the manpage is not totally accurate here)."
msgstr "Tenga en cuenta esto cuando el <command>tcpchk</command> está avanzando. Usted puede agregar servicios en que se unen a la biblioteca de la envoltura de los archivos <filename>host.deny</filename> y <filename>hosts.allow</filename> pero los <command>tcpchk</command> advertirá que este no puede encontrar esos servicios desde que parece para ellos en <filename>/etc/inetd.conf</filename> (el manpage no es totalmente exacto aquí)."

msgid "Now, here comes a small trick, and probably the smallest intrusion detection system available. In general, you should have a decent firewall policy as a first line, and tcp wrappers as the second line of defense. One little trick is to set up a <varname>SPAWN</varname> <footnote><para>be sure to use uppercase here since <emphasis>spawn</emphasis> will not work</para></footnote> command in <filename>/etc/hosts.deny</filename> that sends mail to root whenever a denied service triggers wrappers:"
msgstr "Ahora, aquí viene un truco pequeño, y probablemente la intrusión más pequeña del sistema de descubrimiento disponible. En general, usted debe tener una política decente del cortafuego como una primera línea, y envolturas del tcp como la segunda línea de defensa. Un truco pequeño es poner un comando SPAWN <footnote><para>beware of the case here since <emphasis>spawn</emphasis> will not work</para></footnote>en /etc/hosts.deny que envía correos a root siempre que hay un servicio negado en las envolturas de los gatillos:"

msgid ""
"\n"
"  ALL: ALL: SPAWN ( \\\n"
"    echo -e \"\\n\\\n"
"    TCP Wrappers\\: Connection refused\\n\\\n"
"    By\\: $(uname -n)\\n\\\n"
"    Process\\: %d (pid %p)\\n\\\n"
"    User\\: %u\\n\\\n"
"    Host\\: %c\\n\\\n"
"    Date\\: $(date)\\n\\\n"
"  \" | /usr/bin/mail -s \"Connection to %d blocked\" root) &amp;"
msgstr ""
"\n"
"  ALL: ALL: SPAWN ( \\\n"
"    echo -e \"\\n\\\n"
"    TCP Wrappers\\: Connection refused\\n\\\n"
"    By\\: $(uname -n)\\n\\\n"
"    Process\\: %d (pid %p)\\n\\\n"
"    User\\: %u\\n\\\n"
"    Host\\: %c\\n\\\n"
"    Date\\: $(date)\\n\\\n"
"  \" | /usr/bin/mail -s \"Connection to %d blocked\" root) &amp;"

msgid "<emphasis>Beware</emphasis>: The above printed example is open to a DoS attack by making many connections in a short period of time. Many emails mean a lot of file I/O by sending only a few packets."
msgstr "<emphasis> Beware </emphasis>(tenga cuidado): El ejemplo anterior impreso puede fácilmente ser DoSed por estar haciendo las muchas conexiones en un período corto de tiempo. Muchos correos electrónicos significan mucho del archivo I/O para enviar únicamente unos correos."

msgid "The importance of logs and alerts"
msgstr "La importancia de logs y alarmas"

msgid "It is easy to see that the treatment of logs and alerts is an important issue in a secure system. Suppose a system is perfectly configured and 99% secure. If the 1% attack occurs, and there are no security measures in place to, first, detect this and, second, raise alarms, the system is not secure at all."
msgstr "Cómo las bitácoras y alarmas son tratadas es un problema importante en un sistema seguro. Es fácil ver que, aun cuando el sistema está perfectamente configurado y, supuestamente, 99% asegurado. Si el 1% sucede, y no hay seguridad midiendo en tales situaciones, primero, descubra esto y, segundo, las alarmas del aumento, el sistema no está en absoluto seguro."

msgid "Debian GNU/Linux provides some tools to perform log analysis, most notably <application>swatch</application>, <footnote><para>there's a very good article on it written by <ulink name=\"Lance Spitzner\" url=\"http://www.spitzner.net/swatch.html\" /> </para></footnote> <application>logcheck</application> or <application>log-analysis</application> (all will need some customisation to remove unnecessary things from the report). It might also be useful, if the system is nearby, to have the system logs printed on a virtual console. This is useful since you can (from a distance) see if the system is behaving properly. Debian's <filename>/etc/syslog.conf</filename> comes with a commented default configuration; to enable it uncomment the lines and restart <command>syslogd</command> (<userinput>/etc/init.d/syslogd restart</userinput>):"
msgstr ""

msgid ""
"\n"
"  daemon,mail.*;\\\n"
"        news.=crit;news.=err;news.=notice;\\\n"
"        *.=debug;*.=info;\\\n"
"        *.=notice;*.=warn       /dev/tty8"
msgstr ""
"\n"
"  daemon,mail.*;\\\n"
"        news.=crit;news.=err;news.=notice;\\\n"
"        *.=debug;*.=info;\\\n"
"        *.=notice;*.=warn       /dev/tty8"

msgid "To colorize the logs, you could take a look at <application>colorize</application>, <application>ccze</application> or <application>glark</application>. There is a lot to log analysis that cannot be fully covered here, so a good information resource would be books should as <ulink name=\"Security log management: identifying patterns in the chaos\" url=\"http://books.google.com/books?id=UyktqN6GnWEC\" />. In any case, even automated tools are no match for the best analysis tool: your brain."
msgstr ""

msgid "Using and customizing <command>logcheck</command>"
msgstr "Uso y personalización de <command>logcheck</command>"

msgid "The <command>logcheck</command> package in Debian is divided into the three packages <application>logcheck</application> (the main program), <application>logcheck-database</application> (a database of regular expressions for the program) and <application>logtail</application> (prints loglines that have not yet been read). The Debian default (in <filename>/etc/cron.d/logcheck</filename>) is that <command>logcheck</command> is run every hour and after reboots."
msgstr ""

msgid "This tool can be quite useful if properly customized to alert the administrator of unusual system events. <command>Logcheck</command> can be fully customized so that it sends mails based on events found in the logs and worthy of attention. The default installation includes profiles for ignored events and policy violations for three different setups (workstation, server and paranoid). The Debian package includes a configuration file <filename>/etc/logcheck/logcheck.conf</filename>, sourced by the program, that defines which user the checks are sent to. It also provides a way for packages that provide services to implement new policies in the directories: <filename>/etc/logcheck/cracking.d/_packagename_</filename>, <filename>/etc/logcheck/violations.d/_packagename_</filename>, <filename>/etc/logcheck/violations.ignore.d/_packagename_</filename>, <filename>/etc/logcheck/ignore.d.paranoid/_packagename_</filename>, <filename>/etc/logcheck/ignore.d.server/_packagename_</filename>, and <filename>/etc/logcheck/ignore.d.workstation/_packagename_</filename>. However, not many packages currently do so. If you have a policy that can be useful for other users, please send it as a bug report for the appropriate package (as a <emphasis>wishlist</emphasis> bug). For more information read <filename>/usr/share/doc/logcheck/README.Debian</filename>."
msgstr "Hay también un número de registros de auditorias de herramientas, en el site, como logcheck. Estas herramientas pueden ser absolutamente usables si se garantiza propiamente para alertar al administrador sobre eventos inusuales en el sistema de archivos locales. <application>logcheck</application>. pude ser enteramente garantizado, pude enviar mensajes desde eventos recuperados y desde los registros que son meritorios de atención. El abandono de instalación incluye perfiles para eventos ignorados y violaciones políticas para tres diferentes montajes (estación de trabajo, servidor y paranoia). Los paquetes de Debian incluyen un archivo de configuración <filename>/etc/logcheck/logcheck.conf</filename>, dirigido por el programa, que define al usuario y que también revisa sus envios. También suministra una forma de paquete que provee servicios para implementar nuevas políticas en los directorios: <filename>/etc/logcheck/hacking.d/_packagename_</filename>, <filename>/etc/logcheck/violations.d/_packagename_</filename>, <filename>/etc/logcheck/violations.ignore.d/_packagename_</filename>, <filename>/etc/logcheck/ignore.d.paranoid/_packagename_</filename>, <filename>/etc/logcheck/ignore.d.server/_packagename_</filename>, and <filename>/etc/logcheck/ignore.d.workstation/_packagename_</filename>. Sin embargo, no muchos paquetes lo hacen actualmente. Si usted tiene una política que puede ser útil para otros usuarios , por favor envielo como un pequeño reporte para los paquetes apropiados, mire mas información en <filename>/usr/share/doc/logcheck/README.Debian</filename>"

msgid "The best way to configure <command>logcheck</command> is to edit its main configuration file <filename>/etc/logcheck/logcheck.conf</filename> after installation. Change the default user (root) to whom reports should be mailed. You should set the reportlevel in there, too. <application>logcheck-database</application> has three report levels of increasing verbosity: workstation, server, paranoid. \"server\" being the default level, paranoid is only recommended for high-security machines running as few services as possible and workstation for relatively sheltered, non-critical machines. If you wish to add new log files just add them to <filename>/etc/logcheck/logcheck.logfiles</filename>. It is tuned for default syslog install."
msgstr ""

msgid "Once this is done you might want to check the mails that are sent, for the first few days/weeks/months. If you find you are sent messages you do not wish to receive, just add the regular expressions (see <citerefentry><refentrytitle>regex</refentrytitle><manvolnum>7</manvolnum></citerefentry> and <citerefentry><refentrytitle>egrep</refentrytitle><manvolnum>1</manvolnum></citerefentry>) that correspond to these messages to the <filename>/etc/logcheck/ignore.d.<varname>reportlevel</varname>/local</filename>. Try to match the whole logline. Details on howto write rules are explained in <filename>/usr/share/doc/logcheck-database/README.logcheck-database.gz</filename>. It's an ongoing tuning process; once the messages that are sent are always relevant you can consider the tuning finished. Note that if <command>logcheck</command> does not find anything relevant in your system it will not mail you even if it does run (so you might get a mail only once a week, if you are lucky)."
msgstr ""

msgid "Configuring where alerts are sent"
msgstr "Configurando el sitio donde las alertas son enviadas"

msgid "Debian comes with a standard <application>syslog</application> configuration (in <filename>/etc/syslog.conf</filename>) that logs messages to the appropriate files depending on the system facility. You should be familiar with this; have a look at the <filename>syslog.conf</filename> file and the documentation if not. If you intend to maintain a secure system you should be aware of where log messages are sent so they do not go unnoticed."
msgstr "Debian viene con una configuración de syslog estándard dentro de (etc/syslog.conf)que anota mensajes para apropiar archivos dependiendo de la facilidad del sistema. Usted debería familiarizarse con ésto, debe mirar el archivo <filename>syslog.conf</filename> o sino la documentación. Si usted pretende mantener un sistema seguro usted podrá estar precavido de a dónde se mandan los mensajes de registro de manera que no pasen inadvertidos."

msgid "For example, sending messages to the console also is an interesting setup useful for many production-level systems. But for many such systems it is also important to add a new machine that will serve as loghost (i.e. it receives logs from all other systems)."
msgstr "Por ejemplo, enviar mensajes a la consola es una configuración interesante ya que es útil para muchos sistemas de nivel de producción. Pero para muchos sistemas también es importante añadir una nueva máquina que podría servir como servidor de registro (i.e. esto recibe los registros desde todos los otros sistemas)."

msgid "Root's mail should be considered also, many security controls (like <application>snort</application>) send alerts to root's mailbox. This mailbox usually points to the first user created in the system (check <filename>/etc/aliases</filename>). Take care to send root's mail to some place where it will be read (either locally or remotely)."
msgstr "El correo de Root también deberia ser considerado, muchos controles de seguridad como <application>snort</application>) envían alarmas al buzón de Root. Este buzón normalmente apunta al primer usuario que se creó en el sistema (compruebe <filename>/etc/aliases</filename>). Tenga cuidado de enviar correo de root a cualquier lugar donde pueda ser leído (ya sea local ó remotamente)"

msgid "There are other role accounts and aliases on your system. On a small system, it's probably simplest to make sure that all such aliases point to the root account, and that mail to root is forwarded to the system administrator's personal mailbox."
msgstr "Hay otros informes y alianzas en su sistema. En un pequeño sistema, ésto probablemente lo más simple para asegurarse de que todas las alianzas apunten hacia la cuenta de root, y que el correo para root este dispuesto para el sistema de buzón personal del administrador."

msgid "FIXME: It would be interesting to tell how a Debian system can send/receive SNMP traps related to security problems (jfs). Check: <application>snmptrapfmt</application>, <application>snmp</application> and <application>snmpd</application>."
msgstr "ARREGLAME: it would be interesting to tell how a Debian system can send/receive SNMP traps related to security problems (jfs). Check: <application>snmptraglogd</application>, <application>snmp</application> and <application>snmpd</application>."

msgid "Using a loghost"
msgstr "Usar un servidor de registro"

msgid "A loghost is a host which collects syslog data remotely over the network. If one of your machines is cracked, the intruder is not able to cover the tracks, unless hacking the loghost as well. So, the loghost should be especially secure. Making a machine a loghost is simple. Just start the <command>syslogd</command> with"
msgstr ""

msgid "<userinput>syslogd -r</userinput>"
msgstr "<userinput>syslogd -r</userinput>"

msgid "and a new loghost is born. In order to do this permanently in Debian, edit <filename>/etc/default/syslogd</filename> and change the line"
msgstr ""

msgid "\n"
"SYSLOGD=\"\""
msgstr "\n"
"SYSLOGD=\"\""

msgid "to"
msgstr "a"

msgid "\n"
"SYSLOGD=\"-r\""
msgstr "\n"
"SYSLOGD=\"-r\""

msgid "Next, configure the other machines to send data to the loghost. Add an entry like the following to <filename>/etc/syslog.conf</filename>:"
msgstr "Luego, configure las otras máquinas al enviar los datos al servidor de registro. Agrege una entrada como la siguiente <filename>/etc/syslog.conf</filename>:"

msgid "\n"
"  facility.level            @your_loghost"
msgstr "\n"
"  facility.level            @your_loghost"

msgid "See the documentation for what to use in place of <emphasis>facility</emphasis> and <emphasis>level</emphasis> (they should not be entered verbatim like this). If you want to log everything remotely, just write:"
msgstr "Mire la documentación para saber que usar en lugar de <emphasis>facility</emphasis> y <emphasis>level</emphasis> (ellos no deben ser introducirse de forma literal como se hace aquí). Si usted quiere registrar todo remotamente, escriba:"

msgid "\n"
"  *.*                       @your_loghost"
msgstr "\n"
"  *.*                       @your_loghost"

msgid "into your <filename>syslog.conf</filename>. Logging remotely as well as locally is the best solution (the attacker might presume to have covered his tracks after deleting the local log files). See the <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>, <citerefentry><refentrytitle>syslogd</refentrytitle><manvolnum>8</manvolnum></citerefentry> and <citerefentry><refentrytitle>syslog.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> manpages for additional information."
msgstr ""

msgid "Log file permissions"
msgstr "Permisos para el archivo de registro"

msgid "It is not only important to decide how alerts are used, but also who has read/modify access to the log files (if not using a remote loghost). Security alerts which the attacker can change or disable are not worth much in the event of an intrusion. Also, you have to take into account that log files might reveal quite a lot of information about your system to an intruder who has access to them."
msgstr ""

msgid "Some log file permissions are not perfect after the installation (but of course this really depends on your local security policy). First <filename>/var/log/lastlog</filename> and <filename>/var/log/faillog</filename> do not need to be readable by normal users. In the <filename>lastlog</filename> file you can see who logged in recently, and in the <filename>faillog</filename> you see a summary of failed logins. The author recommends <command>chmod 660</command> for both. Take a brief look at your log files and decide very carefully which log files to make readable/writable for a user with a UID other than 0 and a group other than 'adm' or 'root'. You can easily check this in your system with:"
msgstr "Algunos permisos para el achivo de registro no son perfectos despúes de la instalación. Primero <filename>/var/log/lastlog</filename> y <filename>/var/log/faillog</filename>no necesitan tener un permiso de lectura para un usuario normal. En el archivo lastlog usted puede ver quien entró recientemente y en faillog usted mira un resumen de las entradas fallidas. El autor recomienda cambiar permisos a 660.Haga una breve revisión en sus archivos de registro y decida muy cuidadosamente cuales logfile deben tener permiso de lectura y escritura para un usuario con UID distinto a 0 y un grupo aparte de 'adm' o 'root'."

msgid ""
"\n"
"  #  find /var/log -type f -exec ls -l {} \\; | cut -c 17-35 |sort -u\n"
"  (see to what users do files in /var/log belong)\n"
"  #  find /var/log -type f -exec ls -l {} \\; | cut -c 26-34 |sort -u\n"
"  (see to what groups do files in /var/log belong)\n"
"  # find /var/log -perm +004\n"
"  (files which are readable by any user)\n"
"  #  find /var/log \\! -group root \\! -group adm -exec ls -ld {} \\;\n"
"  (files which belong to groups not root or adm)"
msgstr ""
"\n"
"  #  find /var/log -type f -exec ls -l {} \\; | cut -c 17-35 |sort -u\n"
"  (see to what users do files in /var/log belong)\n"
"  #  find /var/log -type f -exec ls -l {} \\; | cut -c 26-34 |sort -u\n"
"  (see to what groups do files in /var/log belong)\n"
"  # find /var/log -perm +004\n"
"  (files which are readable by any user)\n"
"  #  find /var/log \\! -group root \\! -group adm -exec ls -ld {} \\;\n"
"  (files which belong to groups not root or adm)"

msgid "To customize how log files are created you will probably have to customize the program that generates them. If the log file gets rotated, however, you can customize the behavior of creation and rotation."
msgstr ""

msgid "Adding kernel patches"
msgstr "Añadiendo parches al kernel"

msgid "Debian GNU/Linux provides some of the patches for the Linux kernel that enhance its security. These include:"
msgstr "Debian GNU/Linux suministra algunos de los parches para el kernel de Linux que aumentan su aseguramiento. Estos incluyen:"

msgid "<ulink url=\"http://www.lids.org\">Linux Intrusion Detection</ulink> provided in the <application>kernel-patch-2.4-lids</application> package. This kernel patch makes the process of hardening your Linux system easier by allowing you to restrict, hide and protect processes, even from root. It implements mandatory access control capabilities."
msgstr ""

msgid "<ulink url=\"http://trustees.sourceforge.net/\">Linux Trustees</ulink>, provided in package <application>trustees</application>. This patch adds a decent advanced permissions management system to your Linux kernel. Special objects (called trustees) are bound to every file or directory, and are stored in kernel memory, which allows fast lookup of all permissions."
msgstr ""

msgid "NSA Enhanced Linux (in package <application>selinux</application>). Backports of the SElinux-enabled packages are available at <ulink url=\"http://selinux.alioth.debian.org/\" />. More information available at <ulink url=\"http://wiki.debian.org/SELinux\">SElinux in Debian Wiki page</ulink>, at <ulink url=\"http://www.golden-gryphon.com/software/security/selinux.xhtml\">Manoj Srivastava's</ulink> and <ulink url=\"http://www.coker.com.au/selinux/\">Russell Cookers's</ulink> SElinux websites."
msgstr ""

msgid "The kernel patch <ulink url=\"http://people.redhat.com/mingo/exec-shield\" /> provided in the <application>kernel-patch-exec-shield</application> package. This patch provides protection against some buffer overflows (stack smashing attacks)."
msgstr ""

msgid "The <ulink url=\"http://www.grsecurity.net/\">Grsecurity patch</ulink>, provided by the <application>kernel-patch-2.4-grsecurity</application> and <application>kernel-patch-grsecurity2</application> packages <footnote><para> Notice that this patch conflicts with patches already included in Debian's 2.4 kernel source package. You will need to use the stock vanilla kernel. You can do this with the following steps: <screen> # apt-get install kernel-source-2.4.22 kernel-patch-debian-2.4.22 # tar xjf /usr/src/kernel-source-2.4.22.tar.bz2 # cd kernel-source-2.4.22 # /usr/src/kernel-patches/all/2.4.22/unpatch/debian </screen> For more information see <ulink name=\"#194225\" url=\"http://bugs.debian.org/194225\" />, <ulink name=\"#199519\" url=\"http://bugs.debian.org/199519\" />, <ulink name=\"#206458\" url=\"http://bugs.debian.org/206458\" />, <ulink name=\"#203759\" url=\"http://bugs.debian.org/203759\" />, <ulink name=\"#204424\" url=\"http://bugs.debian.org/204424\" />, <ulink name=\"#210762\" url=\"http://bugs.debian.org/210762\" />, <ulink name=\"#211213\" url=\"http://bugs.debian.org/211213\" />, and the <ulink name=\"discussion at debian-devel\" url=\"http://lists.debian.org/debian-devel/2003/debian-devel-200309/msg01133.html\" /> </para></footnote> implements Mandatory Access Control through RBAC, provides buffer overflow protection through PaX, ACLs, network randomness (to make OS fingerprinting more difficult) and <ulink url=\"http://www.grsecurity.net/features.php\">many more features</ulink>."
msgstr ""

msgid "The <application>kernel-patch-adamantix</application> provides the patches developed for <ulink url=\"http://www.adamantix.org/\">Adamantix</ulink>, a Debian-based distribution. This kernel patch for the 2.4.x kernel releases introduces some security features such as a non-executable stack through the use of <ulink name=\"PaX\" url=\"http://pageexec.virtualave.net/\" /> and mandatory access control based on <ulink name=\"RSBAC\" url=\"http://www.rsbac.org/\" />. Other features include: <ulink name=\"the Random PID patch\" url=\"http://www.vanheusden.com/Linux/sp/\" />, AES encrypted loop device, MPPE support and an IPSEC v2.6 backport."
msgstr ""

msgid "<application>cryptoloop-source</application>. This patches allows you to use the functions of the kernel crypto API to create encrypted filesystems using the loopback device."
msgstr ""

msgid "IPSEC kernel support (in package <application>linux-patch-openswan</application>). If you want to use the IPsec protocol with Linux, you need this patch. You can create VPNs with this quite easily, even to Windows machines, as IPsec is a common standard. IPsec capabilities have been added to the 2.5 development kernel, so this feature will be present by default in the future Linux Kernel 2.6. Homepage: <ulink url=\"http://www.openswan.org\" />. <emphasis>FIXME</emphasis>: The latest 2.4 kernels provided in Debian include a backport of the IPSEC code from 2.5. Comment on this."
msgstr ""

msgid "The following security kernel patches are only available for old kernel versions in woody and are deprecated:"
msgstr ""

msgid "<ulink name=\"POSIX Access Control Lists\" url=\"http://acl.bestbits.at/\" /> (ACLs) for Linux provided in the package <application>kernel-patch-acl</application>. This kernel patch adds access control lists, an advanced method for restricting access to files. It allows you to control fine-grain access to files and directory."
msgstr ""

msgid "The <ulink name=\"Openwall\" url=\"http://www.openwall.com/linux/\" /> linux kernel patch by Solar Designer, provided in the <application>kernel-patch-2.2.18-openwall</application> package. This is a useful set of kernel restrictions, like restricted links, FIFOs in <filename>/tmp</filename>, a restricted <filename>/proc</filename> file system, special file descriptor handling, non-executable user stack area and other features. Note: This package applies to the 2.2 release, no packages are available for the 2.4 release patches provided by Solar."
msgstr ""

msgid "<application>kernel-patch-int</application>. This patch also adds cryptographic capabilities to the Linux kernel, and was useful with Debian releases up to Potato. It doesn't work with Woody, and if you are using Sarge or a newer version, you should use a more recent kernel which includes these features already."
msgstr ""

msgid "However, some patches have not been provided in Debian yet. If you feel that some of these should be included please ask for it at the <ulink name=\"Work Needing and Prospective Packages\" url=\"http://www.debian.org/devel/wnpp/\" />."
msgstr ""

msgid "Protecting against buffer overflows"
msgstr "Protección contra desbordamiento de búfer"

msgid "<emphasis>Buffer overflow</emphasis> is the name of a common attack to software <footnote><para>So common, in fact, that they have been the basis of 20% of the reported security vulnerabilities every year, as determined by <ulink name=\"statistics from ICAT's vulnerability database\" url=\"http://icat.nist.gov/icat.cfm?function=statistics\" /></para></footnote> which makes use of insufficient boundary checking (a programming error, most commonly in the C language) in order to execute machine code through program inputs. These attacks, against server software which listen to connections remotely and against local software which grant higher privileges to users (<literal>setuid</literal> or <literal>setgid</literal>) can result in the compromise of any given system."
msgstr ""

msgid "There are mainly four methods to protect against buffer overflows:"
msgstr ""

msgid "patch the kernel to prevent stack execution. You can use either: Exec-shield, OpenWall or PaX (included in the Grsecurity and Adamantix patches)."
msgstr ""

msgid "fix the source code by using tools to find fragments of it that might introduce this vulnerability."
msgstr ""

msgid "recompile the source code to introduce proper checks that prevent overflows, using the <ulink name=\"Stack Smashing Protector (SSP)\" url=\"http://www.research.ibm.com/trl/projects/security/ssp/\" /> patch for GCC (which is used by <ulink name=\"Adamantix\" url=\"http://www.adamantix.org\" />)"
msgstr ""

msgid "Debian GNU/Linux, as of the 3.0 release, provides software to introduce all of these methods except for the protection on source code compilation (but this has been requested in <ulink name=\"Bug #213994\" url=\"http://bugs.debian.org/213994\" />)."
msgstr ""

msgid "Notice that even if Debian provided a compiler which featured stack/buffer overflow protection all packages would need to be recompiled in order to introduce this feature. This is, in fact, what the Adamantix distribution does (among other features). The effect of this new feature on the stability of software is yet to be determined (some programs or some processor architectures might break due to it)."
msgstr ""

msgid "In any case, be aware that even these workarounds might not prevent buffer overflows since there are ways to circumvent these, as described in phrack's magazine <ulink name=\"issue 58\" url=\"http://packetstorm.linuxsecurity.com/mag/phrack/phrack58.tar.gz\" /> or in CORE's Advisory <ulink name=\"Multiple vulnerabilities in stack smashing protection technologies\" url=\"http://online.securityfocus.com/archive/1/269246\" />."
msgstr ""

msgid "If you want to test out your buffer overflow protection once you have implemented it (regardless of the method) you might want to install the <application>paxtest</application> and run the tests it provides."
msgstr ""

msgid "Kernel patch protection for buffer overflows"
msgstr "Parches contra el desbordamiento de búfer para el núcleo"

msgid "Kernel patches related to buffer overflows include the Openwall patch provides protection against buffer overflows in 2.2 linux kernels. For 2.4 or newer kernels, you need to use the Exec-shield implementation, or the PaX implementation (provided in the grsecurity patch, <application>kernel-patch-2.4-grsecurity</application>, and in the Adamantix patch, <application>kernel-patch-adamantix</application>). For more information on using these patches read the the section <xref linkend=\"kernel-patches\" />."
msgstr ""

msgid "Testing programs for overflows"
msgstr ""

msgid "The use of tools to detect buffer overflows requires, in any case, of programming experience in order to fix (and recompile) the code. Debian provides, for example: <application>bfbtester</application> (a buffer overflow tester that brute-forces binaries through command line and environment overflows). Other packages of interest would also be <application>rats</application>, <application>pscan</application>, <application>flawfinder</application> and <application>splint</application>."
msgstr ""

msgid "Secure file transfers"
msgstr "Transferencia segura de archivos"

msgid "During normal system administration one usually needs to transfer files in and out from the installed system. Copying files in a secure manner from a host to another can be achieved by using the <application>ssh</application> server package. Another possibility is the use of <application>ftpd-ssl</application>, a ftp server which uses the <emphasis>Secure Socket Layer</emphasis> to encrypt the transmissions."
msgstr ""

msgid "Any of these methods need special clients. Debian does provide client software, such as <command>scp</command> from the <application>ssh</application> package, which works like <command>rcp</command> but is encrypted completely, so the <emphasis>bad guys</emphasis> cannot even find out WHAT you copy. There is also a <application>ftp-ssl</application> package for the equivalent server. You can find clients for these software even for other operating systems (non-UNIX), <command>putty</command> and <command>winscp</command> provide secure copy implementations for any version of Microsoft's operating system."
msgstr ""

msgid "Note that using <command>scp</command> provides access to the users to all the file system unless <command>chroot</command>'ed as described in <xref linkend=\"ssh-chroot\" />. FTP access can be <command>chroot</command>'ed, probably easier depending on you chosen daemon, as described in <xref linkend=\"ftp-secure\" />. If you are worried about users browsing your local files and want to have encrypted communication you can either use an ftp daemon with SSL support or combine clear-text ftp and a VPN setup (see <xref linkend=\"vpn\" />)."
msgstr ""

msgid "File system limits and control"
msgstr "Límites y control de los sistemas de archivos"

msgid "Using quotas"
msgstr "Uso de Quotas"

msgid "Having a good quota policy is important, as it keeps users from filling up the hard disk(s)."
msgstr "Tener una buena política de quotas es importante, esto abstiene a los usuarios de llenar el disco duro."

msgid "You can use two different quota systems: user quota and group quota. As you probably figured out, user quota limits the amount of space a user can take up, group quota does the equivalent for groups. Keep this in mind when you're working out quota sizes."
msgstr "Usted puede usar dos sistemas diferentes de quotas: quota de usuario y quota de grupo. Como usted provablemente dedujo, la quota del usuario límita la cantidad de espacio del que un usuario puede disponer, la quota del grupo hace lo equivalente para los grupos. Tenga en cuenta ésto cuando esté organizando el tamaño de quotas."

msgid "There are a few important points to think about in setting up a quota system:"
msgstr "Hay algunos puntos importantes para considerar acerca de la configuración del sistema de quotas:"

msgid "Keep the quotas small enough, so users do not eat up your disk space."
msgstr "Mantener las quotas suficientemente pequeñas, para que los usuarios no ocupen el espacio de su disco."

msgid "Keep the quotas big enough, so users do not complain or their mail quota keeps them from accepting mail over a longer period."
msgstr "Mantener las quotas lo suficientemente grandes, para que los usuarios no se quejen o su quota de correo les impida aceptar un correo por un periodo de tiempo largo."

msgid "Use quotas on all user-writable areas, on <filename>/home</filename> as well as on <filename>/tmp</filename>."
msgstr "Use las quotas para todas las áreas en las que los usuarios puedan escribir, en <filename>/home</filename> como también en <filename>/tmp</filename>."

msgid "Every partition or directory to which users have full write access should be quota enabled. Calculate and assign a workable quota size for those partitions and directories which combines usability and security."
msgstr ""

msgid "So, now you want to use quotas. First of all you need to check whether you enabled quota support in your kernel. If not, you will need to recompile it. After this, control whether the package <application>quota</application> is installed. If not you will need this one as well."
msgstr "Ahora que usted quiere usar quotas. Primero que todo usted necesita revisar que habilito el uso de quotas en el kernel. Si no, usted necesitará recompilarla. Después de ésto dése cuenta que el paquete 'quota' esté instalado. Si no está usted necesitará este."

msgid "Enabling quota for the respective file systems is as easy as modifying the <literal>defaults</literal> setting to <literal>defaults,usrquota</literal> in your <filename>/etc/fstab</filename> file. If you need group quota, substitute <literal>usrquota</literal> to <literal>grpquota</literal>. You can also use them both. Then create empty quota.user and quota.group files in the roots of the file systems you want to use quotas on (e.g."
msgstr "Habilitar la quota para los respectivos sistemas de archivos es tan fácil como modificar la configuración <literal>inicial</literal> ajustándola a <literal>defaults,usrquota</literal> en su archivo <filename>/etc/fstab</filename> . Si usted necesita un quota para grupos, sustituya <literal>usrquota</literal> por <literal>grpquota</literal>. Puede usar ambos. Luego cree unos archivos quota.user y quota.group vacios en la raíz de los sistemas de archivos en los que usted quiera usar quotas (Ej. con <literal>touch /home/quota.user /home/quota.group</literal> para el sistema de archivos <filename>/home</filename>)."

msgid "<userinput>touch\n"
"/home/quota.user /home/quota.group</userinput>"
msgstr "<userinput>touch\n"
"/home/quota.user /home/quota.group</userinput>"

msgid "for a <filename>/home</filename> file system)."
msgstr ""

msgid "Restart <command>quota</command> by doing"
msgstr ""

msgid "<userinput>/etc/init.d/quota stop;/etc/init.d/quota\n"
"        start</userinput>"
msgstr ""

msgid ". Now quota should be running, and quota sizes can be set."
msgstr ""

msgid "Editing quotas for a specific user can be done by"
msgstr ""

msgid "<userinput>edquota -u &lt;user&gt;</userinput>"
msgstr "<userinput>edquota -u &lt;user&gt;</userinput>"

msgid ". Group quotas can be modified with"
msgstr ""

msgid "<userinput>edquota -g &lt;group&gt;</userinput>"
msgstr "<userinput>edquota -g &lt;group&gt;</userinput>"

msgid ". Then set the soft and hard quota and/or inode quotas as needed."
msgstr ""

msgid "For more information about quotas, read the quota man page, and the quota mini-howto (<filename>/usr/share/doc/HOWTO/en-html/mini/Quota.html</filename>). You may also want to look at <filename>pam_limits.so</filename>."
msgstr "Para más información acerca de las quotas, lea el manual de páginas sobre las quotas, y el mini-howto (<filename>/usr/share/doc/HOWTO/en-html/mini/Quota.html</filename>)."

msgid "The ext2 filesystem specific attributes (<command>chattr</command>/<command>lsattr</command>)"
msgstr ""

msgid "In addition to the usual Unix permissions, the ext2 and ext3 filesystems offer a set of specific attributes that give you more control over the files on your system. Unlike the basic permissions, these attributes are not displayed by the usual <command>ls -l</command> command or changed using <command>chmod</command>, and you need two other utilities, <command>lsattr</command> and <command>chattr</command> (in package <application>e2fsprogs</application>) to manage them. Note that this means that these attributes will usually not be saved when you backup your system, so if you change any of them, it may be worth saving the successive <command>chattr</command> commands in a script so that you can set them again later if you have to restore a backup."
msgstr ""

msgid "Among all available attributes, the two that are most important for increasing security are referenced by the letters 'i' and 'a', and they can only be set (or removed) by the superuser:"
msgstr ""

msgid "The 'i' attribute ('immutable'): a file with this attribute can neither be modified nor deleted or renamed and no link can be created to it, even by the superuser."
msgstr ""

msgid "The 'a' attribute ('append'): this attribute has the same effect that the immutable attribute, except that you can still open the file in append mode. This means that you can still add more content to it but it is impossible to modify previous content. This attribute is especially useful for the log files stored in <filename>/var/log/</filename>, though you should consider that they get moved sometimes due to the log rotation scripts."
msgstr ""

msgid "These attributes can also be set for directories, in which case everyone is denied the right to modify the contents of a directory list (e.g. rename or remove a file, ...). When applied to a directory, the append attribute only allows file creation."
msgstr ""

msgid "It is easy to see how the 'a' attribute improves security, by giving to programs that are not running as the superuser the ability to add data to a file without modifying its previous content. On the other hand, the 'i' attribute seems less interesting: after all, the superuser can already use the basic Unix permissions to restrict access to a file, and an intruder that would get access to the superuser account could always use the <command>chattr</command> program to remove the attribute. Such an intruder may first be confused when noticing not being able to remove a file, but you should not assume blindness - after all, the intruder got into your system! Some manuals (including a previous version of this document) suggest to simply remove the <command>chattr</command> and <command>lsattr</command> programs from the system to increase security, but this kind of strategy, also known as \"security by obscurity\", is to be absolutely avoided, since it provides a false sense of security."
msgstr ""

msgid "A secure way to solve this problem is to use the capabilities of the Linux kernel, as described in <xref linkend=\"proactive\" />. The capability of interest here is called <literal>CAP_LINUX_IMMUTABLE</literal>: if you remove it from the capabilities bounding set (using for example the command <command>lcap <varname>CAP_LINUX_IMMUTABLE</varname></command>) it won't be possible to change any 'a' or 'i' attribute on your system anymore, even by the superuser ! A complete strategy could be as follows:"
msgstr ""

msgid "Set the attributes 'a' and 'i' on any file you want;"
msgstr ""

msgid "Add the command <command>lcap <varname>CAP_LINUX_IMMUTABLE</varname></command> (as well as <command>lcap <varname>CAP_SYS_MODULE</varname></command>, as suggested in <xref linkend=\"proactive\" />) to one of the startup scripts;"
msgstr ""

msgid "Set the 'i' attribute on this script and other startup files, as well as on the <command>lcap</command> binary itself;"
msgstr ""

msgid "Execute the above command manually (or reboot your system to make sure everything works as planned)."
msgstr ""

msgid "Now that the capability has been removed from the system, an intruder cannot change any attribute on the protected files, and thus cannot change or remove the files. If the machine is forced to reboot (which is the only way to restore the capabilities bounding set), it will easily be detected, and the capability will be removed again as soon as the system restarts anyway. The only way to change a protected file would be to boot the system in single-user mode or using another bootdisk, two operations that require physical access to the machine !"
msgstr ""

msgid "Checking file system integrity"
msgstr "Integridad de su sistema de archivos"

msgid "Are you sure <filename>/bin/login</filename> on your hard drive is still the binary you installed there some months ago? What if it is a hacked version, which stores the entered password in a hidden file or mails it in clear-text version all over the Internet?"
msgstr "¿Está usted seguro de que el <filename>/bin/login</filename> en su disco duro es todavía el binario que instaló allí hace unos meses? ¿Qué pasaría si es una versión hackeada, que guarda la contraseña introducida en un archivo oculto o la envía por un correo claro pro todoel internet?"

msgid "The only method to have some kind of protection is to check your files every hour/day/month (I prefer daily) by comparing the actual and the old md5sum of this file. Two files cannot have the same md5sum (the MD5 digest is 128 bits, so the chance that two different files will have the same md5sum is roughly one in 3.4e3803), so you're on the safe site here, unless someone has also hacked the algorithm that creates md5sums on that machine. This is, well, extremely difficult and very unlikely. You really should consider this auditing of your binaries as very important, since it is an easy way to recognize changes at your binaries."
msgstr "El único método para tener alguna protección es comprobar sus archivos cada día/hora/mes (yo prefiero cada día) comparando la vieja md5sum y la actual. Dos archivos no pueden tener la misma md5sum, de modo que anda sobre seguro aquí, excepto alquien que hackeó el algoroitmo para crear md5sums un la máquina. Esto es bueno, extremadamente difícil y muy improbable. Realmente usted debería considerar que auditar sus binarios es muy importante, ya que es un modo fácil para reconocer los cambios en sus binarios. Las herramientas que comúnmente se uaan para ésto son <application>sXid</application>, <application>AIDE</application> (Ambientación Avanzada de Detección de Intrusos), <application>TripWire</application> (no es libre; la nueva versió será GPL), <application>integrit</application> y <application>samhain</application>."

msgid "Common tools used for this are <application>sxid</application>, <application>aide</application> (Advanced Intrusion Detection Environment), <application>tripwire</application>, <application>integrit</application> and <application>samhain</application>. Installing <command>debsums</command> will also help you to check the file system integrity, by comparing the md5sums of every file against the md5sums used in the Debian package archive. But beware: those files can easily be changed by an attacker and not all packages provide md5sums listings for the binaries they provided. For more information please read <xref linkend=\"periodic-integrity\" /> and <xref linkend=\"snapshot\" />."
msgstr ""

msgid "You might want to use <command>locate</command> to index the whole filesystem, if so, consider the implications of that. The Debian <application>findutils</application> package contains <command>locate</command> which runs as user nobody, and so it only indexes files which are visible to everybody. However, if you change it's behaviour you will make all file locations visible to all users. If you want to index all the filesystem (not the bits that the user nobody can see) you can replace <command>locate</command> with the package <application>slocate</application>. slocate is labeled as a security enhanced version of GNU locate, but it actually provides additional file-locating functionality. When using <command>slocate</command>, the user only sees the actually accessible files and you can exclude any files or directories on the system. The <application>slocate</application> package runs its update process with higher privledges than locate, and indexes every file. Users are then able to quickly search for every file which they are able to see. <command>slocate</command> doesn't let them see new files; it filters the output based on your UID."
msgstr ""

msgid "You might want to use <application>bsign</application> or <application>elfsign</application>. <application>elfsign</application> provides an utility to add a digital signature to an ELF binary and a second utility to verify that signature. The current implementation uses PKI to sign the checksum of the binary. The benefits of doing this are that it enables one to determine if a binary has been modified and who created it. <application>bsign</application> uses GPG, <application>elfsign</application> uses PKI (X.509) certificates (OpenSSL)."
msgstr ""

msgid "Setting up setuid check"
msgstr "Configuración de revisión de setuid"

msgid "The Debian <application>checksecurity</application> package provides a <command>cron</command> job that runs daily in <filename>/etc/cron.daily/checksecurity</filename> <footnote><para>In previous releases, checksecurity was integrated into cron and the file was <filename>/etc/cron.daily/standard</filename></para></footnote>. This <command>cron</command> job will run the <command>/usr/sbin/checksecurity</command> script that will store information of this changes."
msgstr ""

msgid "The default behavior does not send this information to the superuser but, instead keeps daily copies of the changes in <filename>/var/log/setuid.changes</filename>. You should set the MAILTO variable (in <filename>/etc/checksecurity.conf</filename>) to 'root' to have this information mailed to the superuser. See <citerefentry><refentrytitle>checksecurity</refentrytitle> <manvolnum>8</manvolnum></citerefentry> manual page for more configuration info."
msgstr "El comportamiento por defecto no manda la información al superusuario, pero en cambio guarda diariamente copias de los cambios dentro de <filename>/var/log/setuid.changes</filename>. Usted debe colocar el CHECKSECURITY_EMAIL (dentro de <filename>/etc/checksecurity.conf</filename>) a 'root'. Mire <citerefentry><refentrytitle>checksecurity</refentrytitle> <manvolnum>8</manvolnum></citerefentry> para mas información de configuración."

msgid "Securing network access"
msgstr "Conectividad de red segura"

msgid "FIXME: More (Debian-specific) content needed."
msgstr "FIXME: More (Debian-specific) content needed."

msgid "Configuring kernel network features"
msgstr "Características de la red configurando kernel"

msgid "Many features of the kernel can be modified while running by echoing something into the <filename>/proc</filename> file system or by using <command>sysctl</command>. By entering <command>/sbin/sysctl</command> <literal>-A</literal> you can see what you can configure and what the options are, and it can be modified running"
msgstr ""

msgid "<userinput>/sbin/sysctl -w variable=value</userinput>"
msgstr "<userinput>/sbin/sysctl -w variable=value</userinput>"

msgid "(see <citerefentry><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>). Only in rare cases do you need to edit something here, but you can increase security that way as well. For example:"
msgstr ""

msgid "\n"
"net/ipv4/icmp_echo_ignore_broadcasts = 1"
msgstr "\n"
"net/ipv4/icmp_echo_ignore_broadcasts = 1"

msgid "This is a <emphasis>Windows emulator</emphasis> because it acts like Windows on broadcast ping if this option is set to 1. That is, ICMP echo requests sent to the broadcast address will be ignored. Otherwise, it does nothing."
msgstr ""

msgid "If you want to prevent you system from answering ICMP echo requests, just enable this configuration option:"
msgstr ""

msgid "\n"
"net/ipv4/icmp_echo_ignore_all = 1"
msgstr "\n"
"net/ipv4/icmp_echo_ignore_all = 0"

msgid "To log packets with impossible addresses (due to wrong routes) on your network use:"
msgstr "Los paquetes con direcciones imposibles (debido a las rutas incorectas) sobre el registro que obtuvo su red."

msgid "\n"
"/proc/sys/net/ipv4/conf/all/log_martians = 1"
msgstr "\n"
"/proc/sys/net/ipv4/conf/all/log_martians = 1"

msgid "For more information on what things can be done with <filename>/proc/sys/net/ipv4/*</filename> read <filename>/usr/src/linux/Documentation/filesystems/proc.txt</filename>. All the options are described thoroughly under <filename>/usr/src/linux/Documentation/networking/ip-sysctl.txt</filename> <footnote><para>In Debian the <application>kernel-source-<varname>version</varname></application> packages copy the sources to <filename>/usr/src/kernel-source-<varname>version</varname>.tar.bz2</filename>, just substitute <varname>version</varname> to whatever kernel version sources you have installed</para></footnote>."
msgstr ""

msgid "Configuring syncookies"
msgstr ""

msgid "This option is a double-edged sword. On the one hand it protects your system against syn packet flooding; on the other hand it violates defined standards (RFCs)."
msgstr ""

msgid "\n"
"net/ipv4/tcp_syncookies = 1"
msgstr "\n"
"net/ipv4/tcp_syncookies = 1"

msgid "If you want to change this option each time the kernel is working you need to change it in <filename>/etc/network/options</filename> by setting <literal>syncookies=yes</literal>. This will take effect when ever <filename>/etc/init.d/networking</filename> is run (which is typically done at boot time) while the following will have a one-time effect until the reboot:"
msgstr ""

msgid "\n"
"echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies "
msgstr "\n"
"echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies "

msgid "This option will only be available if the kernel is compiled with the <literal>CONFIG_SYNCOOKIES</literal>. All Debian kernels are compiled with this option builtin but you can verify it running:"
msgstr ""

msgid ""
"\n"
"$ sysctl -A |grep syncookies\n"
"net/ipv4/tcp_syncookies = 1"
msgstr ""
"\n"
"$ sysctl -A |grep syncookies\n"
"net/ipv4/tcp_syncookies = 1"

msgid "For more information on TCP syncookies read <ulink url=\"http://cr.yp.to/syncookies.html\" />."
msgstr ""

msgid "Securing the network on boot-time"
msgstr ""

msgid "When setting configuration options for the kernel networking you need configure it so that it's loaded every time the system is restarted. The following example enables many of the previous options as well as other useful options."
msgstr ""

msgid "There are actually two ways to configure your network at boot time. You can configure <filename>/etc/sysctl.conf</filename> (see: <citerefentry><refentrytitle>sysctl.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>) or introduce a script that is called when the interface is enabled. The first option will be applied to all interfaces, whileas the second option allows you to configure this on a per-interface basis."
msgstr ""

msgid "An example of a <filename>/etc/sysctl.conf</filename> configuration that will secure some network options at the kernel level is shown below. Notice the comment in it, <filename>/etc/network/options</filename> might override some values if they contradict those in this file when the <filename>/etc/init.d/networking</filename> is run (which is later than <filename>procps</filename> on the startup sequence)."
msgstr ""

msgid ""
"\n"
"#\n"
"# /etc/sysctl.conf - Configuration file for setting system variables\n"
"# See sysctl.conf (5) for information. Also see the files under\n"
"# Documentation/sysctl/, Documentation/filesystems/proc.txt, and\n"
"# Documentation/networking/ip-sysctl.txt in the kernel sources \n"
"# (/usr/src/kernel-$version if you have a kernel-package installed)\n"
"# for more information of the values that can be defined here.\n"
"\n"
"#\n"
"# Be warned that /etc/init.d/procps is executed to set the following\n"
"# variables.  However, after that, /etc/init.d/networking sets some\n"
"# network options with builtin values.  These values may be overridden\n"
"# using /etc/network/options.\n"
"#\n"
"#kernel.domainname = example.com\n"
"\n"
"# Additional settings - adapted from the script contributed\n"
"# by Dariusz Puchala (see below)\n"
"# Ignore ICMP broadcasts\n"
"net/ipv4/icmp_echo_ignore_broadcasts = 1\n"
"#\n"
"# Ignore bogus ICMP errors\n"
"net/ipv4/icmp_ignore_bogus_error_responses = 1\n"
"# \n"
"# Do not accept ICMP redirects (prevent MITM attacks)\n"
"net/ipv4/conf/all/accept_redirects = 0\n"
"# _or_\n"
"# Accept ICMP redirects only for gateways listed in our default\n"
"# gateway list (enabled by default)\n"
"# net/ipv4/conf/all/secure_redirects = 1\n"
"#\n"
"# Do not send ICMP redirects (we are not a router)\n"
"net/ipv4/conf/all/send_redirects = 0\n"
"#\n"
"# Do not forward IP packets (we are not a router)\n"
"# Note: Make sure that /etc/network/options has 'ip_forward=no'\n"
"net/ipv4/conf/all/forwarding = 0\n"
"#\n"
"# Enable TCP Syn Cookies\n"
"# Note: Make sure that /etc/network/options has 'syncookies=yes'\n"
"net/ipv4/tcp_syncookies = 1\n"
"#\n"
"# Log Martian Packets\n"
"net/ipv4/conf/all/log_martians = 1\n"
"#\n"
"# Turn on Source Address Verification in all interfaces to\n"
"# prevent some spoofing attacks\n"
"# Note: Make sure that /etc/network/options has 'spoofprotect=yes'\n"
"net/ipv4/conf/all/rp_filter = 1\n"
"#\n"
"# Do not accept IP source route packets (we are not a router)\n"
"net/ipv4/conf/all/accept_source_route = 0"
msgstr ""

msgid "To use the script you need to first create the script, for example, in <filename>/etc/network/interface-secure</filename> (the name is given as an example) and call it from <filename>/etc/network/interfaces</filename> like this:"
msgstr ""

msgid ""
"\n"
"auto eth0\n"
"iface eth0 inet static\n"
"        address xxx.xxx.xxx.xxx\n"
"        netmask 255.255.255.xxx\n"
"        broadcast xxx.xxx.xxx.xxx\n"
"        gateway xxx.xxx.xxx.xxx\n"
"        pre-up /etc/network/interface-secure"
msgstr ""
"\n"
"auto eth0\n"
"iface eth0 inet static\n"
"        address xxx.xxx.xxx.xxx\n"
"        netmask 255.255.255.xxx\n"
"        broadcast xxx.xxx.xxx.xxx\n"
"        gateway xxx.xxx.xxx.xxx\n"
"        pre-up /etc/network/interface-secure"

msgid "In this example, before the interface eth0 is enabled the script will be called to secure all network interfaces as shown below."
msgstr ""

msgid ""
"\n"
"#!/bin/sh -e\n"
"# Script-name: /etc/network/interface-secure\n"
"#\n"
"# Modifies some default behavior in order to secure against \n"
"# some TCP/IP spoofing &amp; attacks for all interfaces.\n"
"#\n"
"# Contributed by Dariusz Puchalak.\n"
"#\n"
"echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts \n"
"                                           # Broadcast echo protection enabled.\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/all/forwarding\n"
"                                           # IP forwarding disabled.\n"
"echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies # TCP syn cookies protection enabled.\n"
"echo 1 &gt;/proc/sys/net/ipv4/conf/all/log_martians # Log strange packets.\n"
"# (this includes spoofed packets, source routed packets, redirect packets)\n"
"# but be careful with this on heavy loaded web servers.\n"
"echo 1 &gt; /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses \n"
"                                           # Bad error message protection enabled.\n"
"\n"
"# IP spoofing protection.\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter\n"
"\n"
"# Disable ICMP redirect acceptance.\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects\n"
"\n"
"# Disable source routed packets.\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route\n"
"\n"
"exit 0"
msgstr ""
"\n"
"#!/bin/sh -e\n"
"# Script-name: /etc/network/interface-secure\n"
"#\n"
"# Modifies some default behavior in order to secure against \n"
"# some TCP/IP spoofing &amp; attacks for all interfaces.\n"
"#\n"
"# Contributed by Dariusz Puchalak.\n"
"#\n"
"echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts \n"
"                                           # Broadcast echo protection enabled.\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/all/forwarding\n"
"                                           # IP forwarding disabled.\n"
"echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies # TCP syn cookies protection enabled.\n"
"echo 1 &gt;/proc/sys/net/ipv4/conf/all/log_martians # Log strange packets.\n"
"# (this includes spoofed packets, source routed packets, redirect packets)\n"
"# but be careful with this on heavy loaded web servers.\n"
"echo 1 &gt; /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses \n"
"                                           # Bad error message protection enabled.\n"
"\n"
"# IP spoofing protection.\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter\n"
"\n"
"# Disable ICMP redirect acceptance.\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects\n"
"\n"
"# Disable source routed packets.\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route\n"
"\n"
"exit 0"

msgid "Notice that you can actually have per-interface scripts that will enable different network options for different interfaces (if you have more than one), just change the pre-up line to:"
msgstr ""

msgid "\n"
"pre-up /etc/network/interface-secure $IFACE"
msgstr "\n"
"pre-up /etc/network/interface-secure $IFACE"

msgid "And use a script which will only apply changes to a specific interface, not to all of the interfaces available. Notice that some networking options can only be enabled globally, however. A sample script is this one:"
msgstr ""

msgid ""
"\n"
"#!/bin/sh -e\n"
"# Script-name: /etc/network/interface-secure\n"
"#\n"
"# Modifies some default behavior in order to secure against \n"
"# some TCP/IP spoofing &amp; attacks for a given interface.\n"
"#\n"
"# Contributed by Dariusz Puchalak.\n"
"#\n"
"\n"
"IFACE=$1\n"
"if [ -z \"$IFACE\" ] ; then\n"
"   echo \"$0: Must give an interface name as argument!\"\n"
"   echo \"Usage: $0 &lt;interface&gt;\"\n"
"   exit 1\n"
"fi\n"
"\n"
"if [ ! -e /proc/sys/net/ipv4/conf/$IFACE/ ]; then\n"
"   echo \"$0: Interface $IFACE does not exit (cannot find /proc/sys/net/ipv4/conf/)\"\n"
"   exit 1\n"
"fi\n"
"\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/$IFACE/forwarding  # IP forwarding disabled.\n"
"echo 1 &gt;/proc/sys/net/ipv4/conf/$IFACE/log_martians # Log strange packets.\n"
"# (this includes spoofed packets, source routed packets, redirect packets)\n"
"# but be careful with this on heavy loaded web servers.\n"
"\n"
"# IP spoofing protection.\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/$IFACE/rp_filter\n"
"\n"
"# Disable ICMP redirect acceptance.\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/$IFACE/accept_redirects\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/$IFACE/send_redirects\n"
"\n"
"# Disable source routed packets.\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/$IFACE/accept_source_route\n"
"\n"
"exit 0"
msgstr ""
"\n"
"#!/bin/sh -e\n"
"# Script-name: /etc/network/interface-secure\n"
"#\n"
"# Modifies some default behavior in order to secure against \n"
"# some TCP/IP spoofing &amp; attacks for a given interface.\n"
"#\n"
"# Contributed by Dariusz Puchalak.\n"
"#\n"
"\n"
"IFACE=$1\n"
"if [ -z \"$IFACE\" ] ; then\n"
"   echo \"$0: Must give an interface name as argument!\"\n"
"   echo \"Usage: $0 &lt;interface&gt;\"\n"
"   exit 1\n"
"fi\n"
"\n"
"if [ ! -e /proc/sys/net/ipv4/conf/$IFACE/ ]; then\n"
"   echo \"$0: Interface $IFACE does not exit (cannot find /proc/sys/net/ipv4/conf/)\"\n"
"   exit 1\n"
"fi\n"
"\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/$IFACE/forwarding  # IP forwarding disabled.\n"
"echo 1 &gt;/proc/sys/net/ipv4/conf/$IFACE/log_martians # Log strange packets.\n"
"# (this includes spoofed packets, source routed packets, redirect packets)\n"
"# but be careful with this on heavy loaded web servers.\n"
"\n"
"# Protección contra falsificación de IP (IP spoofing).\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/$IFACE/rp_filter\n"
"\n"
"# Disable ICMP redirect acceptance.\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/$IFACE/accept_redirects\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/$IFACE/send_redirects\n"
"\n"
"# Desativa el ruteo en origen (source routing).\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/$IFACE/accept_source_route\n"
"\n"
"exit 0"

msgid "An alternative solution is to create an <filename>init.d</filename> script and have it run on bootup (using <command>update-rc.d</command> to create the appropriate <filename>rc.d</filename> links)."
msgstr ""

msgid "Configuring firewall features"
msgstr "Configuarción de las características de los cortafuegos"

msgid "In order to have firewall capabilities, either to protect the local system or others <emphasis>behind</emphasis> it, the kernel needs to be compiled with firewall capabilities. The standard Debian 2.2 kernel (Linux 2.2) provides the packet filter <command>ipchains</command> firewall, Debian 3.0 standard kernel (Linux 2.4) provides the <emphasis>stateful</emphasis> packet filter <command>iptables</command> (netfilter) firewall."
msgstr "Para tener la capacidad del cortafuego, para proteger el sistema local u otros <emphasis>detrás</emphasis> de este, el kernel necesita estar compidalo con las capacidades del cortefuego. El Debian normal 2.2 kernel (también 2.2) susmistra el paquete de filtro del cortafuego <command>ipchains</command>, el kernel normal de Debian 3.0 (kernel 2.4) suministra el <emphasis>poderoso</emphasis> paquete de filtros de cortafuegos <command>iptables</command> (filtro de la red). Las distribucines más viejas de Debian necesitan el parche apropiado del kernel (Debian 2.1 usa el kernel 2.0.34)."

msgid "In any case, it is pretty easy to use a kernel different from the one provided by Debian. You can find pre-compiled kernels as packages you can easily install in the Debian system. You can also download the kernel sources using the <application>kernel-source-<varname>X</varname></application> and build custom kernel packages using <command>make-kpkg</command> from the <application>kernel-package</application> package."
msgstr "En todo caso, es bastante fácil usar un kernel diferente al suministrado por Debian. Usted puede encontrar paquetes de kernel pre-compilados que puede instalar fácilmente en el sistemas de Debian. Usted tambiém puede obtener las fuentes del kernel usando <application>kernel-source-X</application> y armar paquetes de kernel personalizados con <application>make-kpkg</application>."

msgid "Setting up firewalls in Debian is discussed more thoroughly in <xref linkend=\"firewall-setup\" />."
msgstr "Configurando los cortafuegos en Debian se discute más a fondo en <xref linkend=\"firewall-setup\" />."

msgid "Disabling weak-end hosts issues"
msgstr ""

msgid "Systems with more than one interface on different networks can have services configured so that they will bind only to a given IP address. This usually prevents access to services when requested through any other address. However, this does not mean (although it is a common misconception) that the service is bound to a given <emphasis>hardware</emphasis> address (interface card). <footnote><para> To reproduce this (example provided by Felix von Leitner on the Bugtraq mailing list): <screen> host a (eth0 connected to eth0 of host b): ifconfig eth0 10.0.0.1 ifconfig eth1 23.0.0.1 tcpserver -RHl localhost 23.0.0.1 8000 echo fnord host b: ifconfig eth0 10.0.0.2 route add 23.0.0.1 gw 10.0.0.1 telnet 23.0.0.1 8000 </screen></para></footnote>"
msgstr ""

msgid "It seems, however, not to work with services bound to 127.0.0.1, you might need to write the tests using raw sockets."
msgstr ""

msgid "This is not an ARP issue and it's not an RFC violation (it's called <emphasis>weak end host</emphasis> in <ulink url=\"ftp://ftp.isi.edu/in-notes/rfc1122.txt\">RFC1122</ulink>, (in the section 3.3.4.2). Remember, IP addresses have nothing to do with physical interfaces."
msgstr ""

msgid "On 2.2 (and previous) kernels this can be fixed with:"
msgstr ""

msgid ""
"\n"
"# echo 1 &gt; /proc/sys/net/ipv4/conf/all/hidden\n"
"# echo 1 &gt; /proc/sys/net/ipv4/conf/eth0/hidden\n"
"# echo 1 &gt; /proc/sys/net/ipv4/conf/eth1/hidden\n"
"....."
msgstr ""
"\n"
"# echo 1 &gt; /proc/sys/net/ipv4/conf/all/hidden\n"
"# echo 1 &gt; /proc/sys/net/ipv4/conf/eth0/hidden\n"
"# echo 1 &gt; /proc/sys/net/ipv4/conf/eth1/hidden\n"
"....."

msgid "On later kernels this can be fixed either with:"
msgstr ""

msgid "iptables rules."
msgstr "Reglas Iptables"

msgid "properly configured routing. <footnote><para> The fact that this behavior can be changed through routing was described by Matthew G. Marsh in the Bugtraq thread: <screen> eth0 = 1.1.1.1/24 eth1 = 2.2.2.2/24 ip rule add from 1.1.1.1/32 dev lo table 1 prio 15000 ip rule add from 2.2.2.2/32 dev lo table 2 prio 16000 ip route add default dev eth0 table 1 ip route add default dev eth1 table 2 </screen> </para></footnote>"
msgstr ""

msgid "kernel patching. <footnote><para> There are some patches available for this behavior as described in Bugtraq's thread at <ulink url=\"http://www.linuxvirtualserver.org/~julian/#hidden\" /> and <ulink url=\"http://www.fefe.de/linux-eth-forwarding.diff\" />. </para></footnote>"
msgstr ""

msgid "Along this text there will be many occasions in which it is shown how to configure some services (sshd server, apache, printer service...) in order to have them listening on any given address, the reader should take into account that, without the fixes given here, the fix would not prevent accesses from within the same (local) network. <footnote><para> An attacker might have many problems pulling the access through after configuring the IP-address binding while not being on the same broadcast domain (same network) as the attacked host. If the attack goes through a router it might be quite difficult for the answers to return somewhere. </para></footnote>"
msgstr ""

msgid "FIXME: Comments on Bugtraq indicate there is a Linux specific method to bind to a given interface."
msgstr "FIXME: Comments on Bugtraq indicate there is a Linux specific method to bind to a given interface."

msgid "FIXME: Submit a bug against netbase so that the routing fix is standard behavior in Debian?"
msgstr "FIXME: Submit a bug against netbase so that the routing fix is standard behavior in Debian?"

msgid "Protecting against ARP attacks"
msgstr "Protección contra ataques ARP"

msgid "When you don't trust the other boxes on your LAN (which should always be the case, because it's the safest attitude) you should protect yourself from the various existing ARP attacks."
msgstr ""

msgid "As you know the ARP protocol is used to link IP addresses to MAC addresses (see <ulink name=\"RFC826\" url=\"ftp://ftp.isi.edu/in-notes/rfc826.txt\" /> for all the details). Every time you send a packet to an IP address an ARP resolution is done (first by looking into the local ARP cache then if the IP isn't present in the cache by broadcasting an ARP query) to find the target's hardware address. All the ARP attacks aim to fool your box into thinking that box B's IP address is associated to the intruder's box's MAC address; Then every packet that you want to send to the IP associated to box B will be send to the intruder's box..."
msgstr ""

msgid "Those attacks (ARP cache poisoning, ARP spoofing...) allow the attacker to sniff the traffic even on switched networks, to easily hijack connections, to disconnect any host from the network... ARP attacks are powerful and simple to implement, and several tools exists, such as <command>arpspoof</command> from the <application>dsniff</application> package or <ulink name=\"arpoison\" url=\"http://arpoison.sourceforge.net/\" />."
msgstr ""

msgid "However, there is always a solution:"
msgstr ""

msgid "Use a static ARP cache. You can set up \"static\" entries in your ARP cache with:"
msgstr ""

msgid ""
"\n"
"  arp -s host_name hdwr_addr \n"
"  "
msgstr ""
"\n"
"  arp -s host_name hdwr_addr \n"
"  "

msgid "By setting static entries for each important host in your network you ensure that nobody will create/modify a (fake) entry for these hosts (static entries don't expire and can't be modified) and spoofed ARP replies will be ignored."
msgstr ""

msgid "Detect suspicious ARP traffic. You can use <application>arpwatch</application>, <application>karpski</application> or more general IDS that can also detect suspicious ARP traffic (<application>snort</application>, <ulink name=\"prelude\" url=\"http://www.prelude-ids.org\" />...)."
msgstr ""

msgid "Implement IP traffic filtering validating the MAC address."
msgstr ""

msgid "Taking a snapshot of the system"
msgstr ""

msgid "Before putting the system into production system you could take a snapshot of the whole system. This snapshot could be used in the event of a compromise (see <xref linkend=\"after-compromise\" />). You should remake this upgrade whenever the system is upgraded, especially if you upgrade to a new Debian release."
msgstr ""

msgid "For this you can use a writable removable-media that can be set up read-only, this could be a floppy disk (read protected after use), a CD on a CD-ROM unit (you could use a rewritable CD-ROM so you could even keep backups of md5sums in different dates), or a USB disk or MMC card (if your system can access those and they can be write protected)."
msgstr ""

msgid "The following script creates such a snapshot:"
msgstr ""

msgid ""
"\n"
"#!/bin/bash\n"
"/bin/mount /dev/fd0 /mnt/floppy\n"
"trap \"/bin/umount /dev/fd0\" 0 1 2 3 9 13 15\n"
"if [ ! -f /usr/bin/md5sum ] ; then\n"
"	echo \"Cannot find md5sum. Aborting.\"\n"
"	exit 1\n"
"fi\n"
"/bin/cp /usr/bin/md5sum /mnt/floppy\n"
"echo \"Calculating md5 database\"\n"
"&gt;/mnt/floppy/md5checksums.txt\n"
"for dir in /bin/ /sbin/ /usr/bin/ /usr/sbin/ /lib/ /usr/lib/\n"
"do\n"
"   find $dir -type f | xargs /usr/bin/md5sum &gt;&gt;/mnt/floppy/md5checksums-lib.txt\n"
"done\n"
"echo \"post installation md5 database calculated\"\n"
"if [ ! -f /usr/bin/sha1sum ] ; then\n"
"	echo \"Cannot find sha1sum\"\n"
"        echo \"WARNING: Only md5 database will be stored\"\n"
"else\n"
"	/bin/cp /usr/bin/sha1sum /mnt/floppy\n"
"	echo \"Calculating SHA-1 database\"\n"
"	&gt;/mnt/floppy/sha1checksums.txt\n"
"	for dir in /bin/ /sbin/ /usr/bin/ /usr/sbin/ /lib/ /usr/lib/\n"
"	do\n"
"	   find $dir -type f | xargs /usr/bin/sha1sum &gt;&gt;/mnt/floppy/sha1checksums-lib.txt\n"
"	done\n"
"	echo \"post installation sha1 database calculated\"\n"
"fi\n"
"exit 0"
msgstr ""

msgid "Note that the md5sum binary (and sha1sum, if available) is placed on the floppy drive so it can be used later on to check the binaries of the system (just in case it gets trojaned). However, if you want to make sure that you are running a legitimate binary, you might want to either compile a static copy of the md5sum binary and use that one (to prevent a trojaned libc library from interfering with the binary) or to use the snapshot of md5sums only from a clean environment such as a rescue CD-ROM or a Live-CD (to prevent a trojaned kernel from interfering). I cannot stress this enough: if you are on a compromised system you cannot trust its output, see <xref linkend=\"after-compromise\" />."
msgstr ""

msgid "The snapshot does not include the files under <filename>/var/lib/dpkg/info</filename> which includes the MD5 hashes of installed packages (in files ending with <filename>.md5sums</filename>). You could copy this information along too, however you should notice:"
msgstr ""

msgid "the md5sums files include the md5sum of all files provided by the Debian packages, not just system binaries. As a consequence, that database is bigger (5 Mb versus 600 Kb in a Debian GNU/Linux system with a graphical system and around 2.5 Gb of software installed) and will not fit in small removable media (like a single floppy disk, but would probably fit in a removable USB memory)."
msgstr ""

msgid "not all Debian packages provide md5sums for the files installed since it is not (currently) mandated policy. Notice, however, that you can generate the md5sums for all packages using <application>debsums</application> after you've finished the system installation:"
msgstr ""

msgid "\n"
"# debsums --generate=missing,keep"
msgstr "\n"
"# debsums --generate=missing,keep"

msgid "Once the snapshot is done you should make sure to set the medium read-only. You can then store it for backup or place it in the drive and use it to drive a <command>cron</command> check nightly comparing the original md5sums against those on the snapshot."
msgstr ""

msgid "If you do not want to setup a manual check you can always use any of the integrity systems available that will do this and more, for more information please read <xref linkend=\"periodic-integrity\" />."
msgstr ""

msgid "Other recommendations"
msgstr "Otras recomendaciones"

msgid "Do not use software depending on svgalib"
msgstr "No use software que dependa de svgalib"

msgid "SVGAlib is very nice for console lovers like me, but in the past it has been proven several times that it is very insecure. Exploits against <command>zgv</command> were released, and it was simple to become root. Try to prevent using SVGAlib programs wherever possible."
msgstr "SVGAlib es muy bueno para los amantes de la consola como yo, pero durante mucho tiempo se ha comprobado que esto ha sido muy inseguro. Han sido liberadas fallas en contra de <command>zgv</command> y era sencillo convertirse en root. Intente evitar el uso de programas que usen SVGAlib siempre que sea posible."