1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 990 991 992 993 994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113 1114 1115 1116 1117 1118 1119 1120 1121 1122 1123 1124 1125 1126 1127 1128 1129 1130 1131 1132 1133 1134 1135 1136 1137 1138 1139 1140 1141 1142 1143 1144 1145 1146 1147 1148 1149 1150 1151 1152 1153 1154 1155 1156 1157 1158 1159 1160 1161 1162 1163 1164 1165 1166 1167 1168 1169 1170 1171 1172 1173 1174 1175 1176 1177 1178 1179 1180 1181 1182 1183 1184 1185 1186 1187 1188 1189 1190 1191 1192 1193 1194 1195 1196 1197 1198 1199 1200 1201 1202 1203 1204 1205 1206 1207 1208 1209 1210 1211 1212 1213 1214 1215 1216 1217 1218 1219 1220 1221 1222 1223 1224 1225 1226 1227 1228 1229 1230 1231 1232 1233 1234 1235 1236 1237 1238 1239 1240 1241 1242 1243 1244 1245 1246 1247 1248 1249 1250 1251 1252 1253 1254 1255 1256 1257 1258 1259 1260 1261 1262 1263 1264 1265 1266 1267 1268 1269 1270 1271 1272 1273 1274 1275 1276 1277 1278 1279 1280 1281 1282 1283 1284 1285 1286 1287 1288 1289 1290 1291 1292 1293 1294 1295 1296 1297 1298 1299 1300 1301 1302 1303 1304 1305 1306 1307 1308 1309 1310 1311 1312 1313 1314 1315 1316 1317 1318 1319 1320 1321 1322 1323 1324 1325 1326 1327 1328 1329 1330 1331 1332 1333 1334 1335 1336 1337 1338 1339 1340 1341 1342 1343 1344 1345 1346 1347 1348 1349 1350 1351 1352 1353 1354 1355 1356 1357 1358 1359 1360 1361 1362 1363 1364 1365 1366 1367 1368 1369 1370 1371 1372 1373 1374 1375 1376 1377 1378 1379 1380 1381 1382 1383 1384 1385 1386 1387 1388 1389 1390 1391 1392 1393 1394 1395 1396 1397 1398 1399 1400 1401 1402 1403 1404 1405 1406 1407 1408 1409 1410 1411 1412 1413 1414 1415 1416 1417 1418 1419 1420 1421 1422 1423 1424 1425 1426 1427 1428 1429 1430 1431 1432 1433 1434 1435 1436 1437 1438 1439 1440 1441 1442 1443 1444 1445 1446 1447 1448 1449 1450 1451 1452 1453 1454 1455 1456 1457 1458 1459 1460 1461 1462 1463 1464 1465 1466 1467 1468 1469 1470 1471 1472 1473 1474 1475 1476 1477 1478 1479 1480 1481 1482 1483 1484 1485 1486 1487 1488 1489 1490 1491 1492 1493 1494 1495 1496 1497 1498 1499 1500 1501 1502 1503 1504 1505 1506 1507 1508 1509 1510 1511 1512 1513 1514 1515 1516 1517 1518 1519 1520 1521 1522 1523 1524 1525 1526 1527 1528 1529 1530 1531 1532 1533 1534 1535 1536 1537 1538 1539 1540 1541 1542 1543 1544 1545 1546 1547 1548 1549 1550 1551 1552 1553 1554 1555 1556 1557 1558 1559 1560 1561 1562 1563 1564 1565 1566 1567 1568 1569 1570 1571 1572 1573 1574 1575 1576 1577 1578 1579 1580 1581 1582 1583 1584 1585 1586 1587 1588 1589 1590 1591 1592 1593 1594 1595 1596 1597 1598 1599 1600 1601 1602 1603 1604 1605 1606 1607 1608 1609 1610 1611 1612 1613 1614 1615 1616 1617 1618 1619 1620 1621 1622 1623 1624 1625 1626 1627 1628 1629 1630 1631 1632 1633 1634 1635 1636 1637 1638 1639 1640 1641 1642 1643 1644 1645 1646 1647 1648 1649 1650 1651 1652 1653 1654 1655 1656 1657 1658 1659 1660 1661 1662 1663 1664 1665 1666 1667 1668 1669 1670 1671 1672 1673 1674 1675 1676 1677 1678 1679 1680 1681 1682 1683 1684 1685 1686 1687 1688 1689 1690 1691 1692 1693 1694 1695 1696 1697 1698 1699 1700 1701 1702 1703 1704 1705 1706 1707 1708 1709 1710 1711 1712 1713 1714 1715 1716 1717 1718 1719 1720 1721 1722 1723 1724 1725 1726 1727 1728 1729 1730 1731 1732 1733 1734 1735 1736 1737 1738 1739 1740 1741 1742 1743 1744 1745 1746 1747 1748 1749 1750 1751 1752 1753 1754 1755 1756 1757 1758 1759 1760 1761 1762 1763 1764 1765 1766 1767 1768 1769 1770 1771 1772 1773 1774 1775 1776 1777 1778 1779 1780 1781 1782 1783 1784 1785 1786 1787 1788 1789 1790 1791 1792 1793 1794 1795 1796 1797 1798 1799 1800
|
msgid ""
msgstr ""
"Project-Id-Version: harden-doc 3.19\n"
"Report-Msgid-Bugs-To: <debian-i18n@lists.debian.org>\n"
"POT-Creation-Date: 2018-05-01 10:29+0200\n"
"PO-Revision-Date: 2018-05-01 17:35+0200\n"
"Last-Translator: Oohara Yuuma <oohara@libra.interq.or.jp>\n"
"Language-Team: japanese <debian-japanese@lists.debian.org>\n"
"Language: ja\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"X-Generator: Poedit 2.0.6\n"
msgid "Appendix"
msgstr ""
msgid "The hardening process step by step"
msgstr "段階ごとの強化過程"
msgid "Below is a post-installation, step-by-step procedure for hardening a Debian 2.2 GNU/Linux system. This is one possible approach to such a procedure and is oriented toward the hardening of network services. It is included to show the entire process you might use during configuration. Also, see <xref linkend=\"checklist\" />."
msgstr ""
msgid "Install the system, taking into account the information regarding partitioning included earlier in this document. After base installation, go into custom install. Do not select task packages."
msgstr ""
msgid "Using <command>dselect</command>, remove all unneeded but selected packages before doing [I]nstall. Keep the bare minimum of packages for the system."
msgstr "<command>dselect</command> を行い、[I]nstall の前に不要だが選択されている パッケージを削除しましょう。本当に最小限のソフトウェアだけをサーバに 残しましょう。"
msgid "Update all software from the latest packages available at security.debian.org as explained previously in <xref linkend=\"security-update\" />."
msgstr "<xref linkend=\"security-update\" /> ですでに説明されているように security.debian.org で 利用できる最新のパッケージすべてを更新しましょう。"
msgid "Implement the suggestions presented in this manual regarding user quotas, login definitions and <command>lilo</command>"
msgstr "ユーザ quota、ログインの定義や lilo など、このマニュアルで示されて いる提案を導入しましょう。"
msgid "Make a list of services currently running on your system. Try:"
msgstr ""
msgid ""
"\n"
" $ ps aux\n"
" $ netstat -pn -l -A inet \n"
" # /usr/sbin/lsof -i | grep LISTEN"
msgstr ""
"\n"
" $ ps aux\n"
" $ netstat -pn -l -A inet \n"
" # /usr/sbin/lsof -i | grep LISTEN"
msgid "You will need to install <package>lsof-2.2</package> for the third command to work (run it as root). You should be aware that <command>lsof</command> can translate the word LISTEN to your locale settings."
msgstr "3 番目のコマンドがうまくいくためには <application>lsof-2.2</application> をインストール する必要があるでしょう (root として実行してください)。lsof は LISTEN という 単語をあなたのロケールの設定にあわせて翻訳するかもしれないことに注意する べきです。"
msgid "In order to remove unnecessary services, first determine what package provides the service and how it is started. This can be accomplished by checking the program that listens in the socket. The following shell script, which uses the programs <command>lsof</command> and <command>dpkg</command>, does just that:"
msgstr ""
msgid ""
"\n"
"#!/bin/sh\n"
"# FIXME: this is quick and dirty; replace with a more robust script snippet\n"
"for i in `sudo lsof -i | grep LISTEN | cut -d \" \" -f 1 |sort -u` ; do\n"
" pack=`dpkg -S $i |grep bin |cut -f 1 -d : | uniq`\n"
" echo \"Service $i is installed by $pack\";\n"
" init=`dpkg -L $pack |grep init.d/ `\n"
" if [ ! -z \"$init\" ]; then\n"
" echo \"and is run by $init\"\n"
" fi\n"
"done"
msgstr ""
"\n"
"#!/bin/sh\n"
"# FIXME: this is quick and dirty; replace with a more robust script snippet\n"
"for i in `sudo lsof -i | grep LISTEN | cut -d \" \" -f 1 |sort -u` ; do\n"
" pack=`dpkg -S $i |grep bin |cut -f 1 -d : | uniq`\n"
" echo \"Service $i is installed by $pack\";\n"
" init=`dpkg -L $pack |grep init.d/ `\n"
" if [ ! -z \"$init\" ]; then\n"
" echo \"and is run by $init\"\n"
" fi\n"
"done"
msgid "Once you find any unwanted services, remove the associated package (with <command>dpkg --purge</command>), or disable the service from starting automatically at boot time using <command>update-rc.d</command> (see <xref linkend=\"disableserv\" />)."
msgstr ""
msgid "For inetd services (launched by the superdaemon), check which services are enabled in <filename>/etc/inetd.conf</filename> using:"
msgstr ""
msgid ""
"\n"
" $ grep -v \"^#\" /etc/inetd.conf | sort -u"
msgstr ""
"\n"
" $ grep -v \"^#\" /etc/inetd.conf | sort -u"
msgid "Then disable those services that are not needed by commenting out the line that includes them in <filename>/etc/inetd.conf</filename>, removing the package, or using <command>update-inetd</command>."
msgstr ""
msgid "If you have wrapped services (those using <command>/usr/sbin/tcpd</command>), check that the files <filename>/etc/hosts.allow</filename> and <filename>/etc/hosts.deny</filename> are configured according to your service policy."
msgstr "ラップされたサービス (<command>/usr/sbin/tcpd</command> を使うもの) が あれば、<filename>/etc/hosts.allow</filename> と <filename>/etc/hosts.deny</filename> が あなたのサービスポリシーにしたがって設定されていることを確かめましょう。"
msgid "If the server uses more than one external interface, depending on the service, you may want to limit the service to listen on a specific interface. For example, if you want internal FTP access only, make the FTP daemon listen only on your management interface, not on all interfaces (i.e, 0.0.0.0:21)."
msgstr ""
msgid "Re-boot the machine, or switch to single user mode and then back to multiuser using the commands:"
msgstr "マシンを再起動するか、シングルユーザに移行してこのようにして マルチユーザに戻りましょう。"
msgid ""
"\n"
" # init 1\n"
" (....)\n"
" # init 2"
msgstr ""
"\n"
" # init 1\n"
" (....)\n"
" # init 2"
msgid "Check the services now available, and, if necessary, repeat the steps above."
msgstr "サービスがいまでも利用可能か調べて、もし必要ならば、上記の手順を くりかえしましょう。"
msgid "Now install the needed services, if you have not done so already, and configure them properly."
msgstr "そしてまだインストールしていないなら必要なサービスをインストールし、 適切に設定しましょう。"
msgid "Use the following shell command to determine what user each available service is running as:"
msgstr ""
msgid ""
"\n"
" # for i in `/usr/sbin/lsof -i |grep LISTEN |cut -d \" \" -f 1 |sort -u`; \\\n"
" > do user=`ps ef |grep $i |grep -v grep |cut -f 1 -d \" \"` ; \\\n"
" > echo \"Service $i is running as user $user\"; done"
msgstr ""
"\n"
" # for i in `/usr/sbin/lsof -i |grep LISTEN |cut -d \" \" -f 1 |sort -u`; \\\n"
" > do user=`ps ef |grep $i |grep -v grep |cut -f 1 -d \" \"` ; \\\n"
" > echo \"Service $i is running as user $user\"; done"
msgid "Consider changing these services to a specific user/group and maybe <command>chroot</command>'ing them for increased security. You can do this by changing the <filename>/etc/init.d</filename> scripts which start the service. Most services in Debian use <command>start-stop-daemon</command>, which has options (<literal>--change-uid</literal> and <literal>--chroot</literal>) for accomplishing this. A word of warning regarding the <command>chroot</command>'ing of services: you may need to put all the files installed by the package (use dpkg -L) providing the service, as well as any packages it depends on, in the <command>chroot</command>'ed environment. Information about setting up a <command>chroot</command> environment for the <command>ssh</command> program can be found in <xref linkend=\"chroot-ssh-env\" />."
msgstr ""
msgid "Repeat the steps above in order to check that only desired services are running and that they are running as the desired user/group combination."
msgstr "望むサービスだけが動いていて、それも望むユーザやグループの組みあわせで 動いているのを確かめるため上記の手順をくりかえしましょう。"
msgid "Test the installed services in order to see if they work as expected."
msgstr "期待どおりに動いていることを確かめるためインストールされている サービスをテストしましょう。"
msgid "Check the system using a vulnerability assessment scanner (like <package>nessus</package>), in order to determine vulnerabilities in the system (i.e., misconfiguration, old services or unneeded services)."
msgstr "システムの脆弱性 (設定ミス、古いサービスまたは不要なサービス) を 調べるために (<application>nessus</application> のような) 脆弱性評価スキャナを使って システムを調べましょう。"
msgid "Install network and host intrusion measures like <package>snort</package> and <package>logcheck</package>."
msgstr ""
msgid "Repeat the network scanner step and verify that the intrusion detection systems are working correctly."
msgstr "ネットワークスキャナの手順をくりかえして侵入検知システムがきちんと 動いているかどうか検証しましょう。"
msgid "For the truly paranoid, also consider the following:"
msgstr "本物のパラノイアのためには、以下も考慮しましょう:"
msgid "Add firewalling capabilities to the system, accepting incoming connections only to offered services and limiting outgoing connections only to those that are authorized."
msgstr "ファイアウォール能力をシステムに追加して、外部からの接続を 提供されているサービスへのみ受けいれ、外部への接続を公認のものだけに 制限しましょう。"
msgid "Re-check the installation with a new vulnerability assessment using a network scanner."
msgstr ""
msgid "Using a network scanner, check outbound connections from the system to an outside host and verify that unwanted connections do not find their way out."
msgstr ""
msgid "FIXME: this procedure considers service hardening but not system hardening at the user level, include information regarding checking user permissions, SETUID files and freezing changes in the system using the ext2 file system."
msgstr ""
msgid "Configuration checklist"
msgstr "設定チェックリスト"
msgid "This appendix briefly reiterates points from other sections in this manual in a condensed checklist format. This is intended as a quick summary for someone who has already read the manual. There are other good checklists available, including Kurt Seifried's <ulink name=\"Securing Linux Step by Step\" url=\"http://seifried.org/security/os/linux/20020324-securing-linux-step-by-step.html\" /> and <ulink name=\"CERT's Unix Security Checklist\" url=\"http://www.cert.org/tech_tips/usc20_full.html\" />."
msgstr ""
msgid "FIXME: This is based on v1.4 of the manual and might need to be updated."
msgstr ""
msgid "Limit physical access and booting capabilities"
msgstr "物理的なアクセスやブートの能力を制限する"
msgid "Enable a password in the BIOS."
msgstr ""
msgid "Disable floppy/cdrom/... booting in the system's BIOS."
msgstr ""
msgid "Set a LILO or GRUB password (<filename>/etc/lilo.conf</filename> or <filename>/boot/grub/menu.lst</filename>, respectively); check that the LILO or GRUB configuration file is read-protected."
msgstr "LILO か GRUB のパスワードを設定する (それぞれ <filename>/etc/lilo.conf</filename> か <filename>/boot/grub/menu.lst</filename>)。 LILO か GRUB の設定が読みとり保護されているか調べる。"
msgid "Partitioning"
msgstr "パーティションの分割"
msgid "Separate user-writable data, non-system data, and rapidly changing run-time data to their own partitions"
msgstr "ユーザが書きこめるデータ、Debian システムでないデータそして 急速に変化するランタイムのデータを独自のパーティションに分ける"
msgid "Set <literal>nosuid,noexec,nodev</literal> mount options in <filename>/etc/fstab</filename> on ext2/3 partitions that should not hold binaries such as <filename>/home</filename> or <filename>/tmp</filename>."
msgstr ""
msgid "Password hygiene and login security"
msgstr "パスワードの衛生およびログインのセキュリティ"
msgid "Set a good root password"
msgstr "よい root パスワードを設定する"
msgid "Install and use PAM"
msgstr "PAM をインストールして使う"
msgid "Add MD5 support to PAM and make sure that (generally speaking) entries in <filename>/etc/pam.d/</filename> files which grant access to the machine have the second field in the pam.d file set to <literal>requisite</literal> or <literal>required</literal>."
msgstr "PAM に MD5 サポートを追加して (一般的に言って) <filename>/etc/pam.d/</filename> ファイルのマシンへのアクセスを 認める項目についてその pam.d で 2 番目の フィールドが 「requisite」か「required」に設定されているようにする"
msgid "Tweak <filename>/etc/pam.d/login</filename> so as to only permit local root logins."
msgstr "ローカルからだけ root のログインを許可するように <filename>/etc/pam.d/login</filename> をいじる"
msgid "Also mark authorized tty:s in <filename>/etc/security/access.conf</filename> and generally set up this file to limit root logins as much as possible."
msgstr "さらに <filename>/etc/security/access.conf</filename> に 公認されている tty を記して一般的に root ログインをできるだけ 制限するようこのファイルを設定する"
msgid "Add pam_limits.so if you want to set per-user limits"
msgstr "ユーザごとの制限を設定したいなら pam_limits.so を追加する"
msgid "Tweak <filename>/etc/pam.d/passwd</filename>: set minimum length of passwords higher (6 characters maybe) and enable MD5"
msgstr "<filename>/etc/pam.d/passwd</filename> をいじる: パスワードの最小の 長さを大きくし (6 文字かも) md5 を有効にする"
msgid "Add group wheel to <filename>/etc/group</filename> if desired; add pam_wheel.so group=wheel entry to <filename>/etc/pam.d/su</filename>"
msgstr "望むなら <filename>/etc/group</filename> に wheel を追加する。 pam_wheel.so group=wheel の項目を <filename>/etc/pam.d/su</filename> に 追加する"
msgid "For custom per-user controls, use pam_listfile.so entries where appropriate"
msgstr "独自のユーザごとの制御には、pam_listfile.so の項目を適切な 場所で使う"
msgid "Have an <filename>/etc/pam.d/other</filename> file and set it up with tight security"
msgstr "<filename>/etc/pam.d/other</filename> ファイルを作り、セキュリティを きつく設定する"
msgid "Set up limits in <filename>/etc/security/limits.conf</filename> (note that <filename>/etc/limits</filename> is not used if you are using PAM)"
msgstr "<filename>/etc/security/limits.conf</filename> で制限を設定する (PAM を 使っているなら <filename>/etc/limits</filename> は使われないことに注意)"
msgid "Tighten up <filename>/etc/login.defs</filename>; also, if you enabled MD5 and/or PAM, make sure you make the corresponding changes here, too"
msgstr "<filename>/etc/login.defs</filename> をきつくする。さらに、もし MD5 または PAM またはその両方を有効にしているなら、ここでも対応する 変更を行う"
msgid "Tighten up <filename>/etc/pam.d/login</filename>"
msgstr ""
msgid "Disable root ftp access in <filename>/etc/ftpusers</filename>"
msgstr "root での ftp アクセスを <filename>/etc/ftpusers</filename> で禁止する"
msgid "Disable network root login; use <citerefentry><refentrytitle>su</refentrytitle> <manvolnum>1</manvolnum></citerefentry> or <citerefentry><refentrytitle>sudo</refentrytitle> <manvolnum>1</manvolnum></citerefentry>. (consider installing <package>sudo</package>)"
msgstr ""
msgid "Use PAM to enforce additional constraints on logins?"
msgstr "ログインをさらに制限するのに PAM を使う?"
msgid "Other local security issues"
msgstr "その他のローカルのセキュリティ問題"
msgid "Kernel tweaks (see <xref linkend=\"kernel-conf\" />)"
msgstr "カーネルをいじる (<xref linkend=\"kernel-conf\" /> 参照)"
msgid "Kernel patches (see <xref linkend=\"kernel-patches\" />)"
msgstr "カーネルパッチ (<xref linkend=\"kernel-patches\" /> 参照)"
msgid "Tighten up log file permissions (<filename>/var/log/{last,fail}log</filename>, Apache logs)"
msgstr "ログファイルのパーミッションをきつくする (<filename>/var/log/{last,fail}log</filename>、Apache logs)"
msgid "Verify that SETUID checking is enabled in <filename>/etc/checksecurity.conf</filename>"
msgstr "<filename>/etc/checksecurity.conf</filename> で setuid チェックが 有効になっていることを検証する"
msgid "Consider making some log files append-only and configuration files immutable using chattr (ext2/3 file systems only)"
msgstr "chattr でログファイルを追加専用にして設定ファイルを immutable に することを検討する (ext2 ファイルシステム専用)"
msgid "Set up file integrity (see <xref linkend=\"check-integ\" />). Install <package>debsums</package>"
msgstr "ファイルの完全性を設定する (<xref linkend=\"check-integ\" /> 参照)。 <application>debsums</application> をインストールする"
msgid "Log everything to a local printer?"
msgstr "何もかもローカルのプリンタで記録する?"
msgid "Burn your configuration on a boot-able CD and boot off that?"
msgstr "設定を CD に焼いてそこからブートする?"
msgid "Disable kernel modules?"
msgstr "カーネルモジュールを無効にする?"
msgid "Limit network access"
msgstr "ネットワークアクセスを制限する"
msgid "Install and configure <command>ssh</command> (suggest PermitRootLogin No in <filename>/etc/ssh/sshd_config</filename>, PermitEmptyPasswords No; note other suggestions in text also)"
msgstr "<command>ssh</command> をインストールして設定する (<filename>/etc/ssh</filename> で PermitRootLogin No、 PermitEmptyPasswords No にすることを提案。本文中の他の 提案も参照)"
msgid "Disable or remove <command>in.telnetd</command>, if installed"
msgstr ""
msgid "Generally, disable gratuitous services in <filename>/etc/inetd.conf</filename> using <command>update-inetd --disable</command> (or disable <command>inetd</command> altogether, or use a replacement such as <command>xinetd</command> or <command>rlinetd</command>)"
msgstr "一般的に、<literal>update-inetd --disable</literal> を使って <filename>/etc/inetd.conf</filename> 中の不要なサービスを停止する (または、inetd も停止するか、xinetd や rlinetd などの 代用品を使う)"
msgid "Disable other gratuitous network services; ftp, DNS, WWW etc should not be running if you do not need them and monitor them regularly. In most cases mail should be running but configured for local delivery only."
msgstr ""
msgid "For those services which you do need, do not just use the most common programs, look for more secure versions shipped with Debian (or from other sources). Whatever you end up running, make sure you understand the risks."
msgstr "必要なサービスに対しては、単に最も一般的なプログラムを 使うのではなく、Debian から (またはその他のところから) 入手できるより安全なバージョンを調べる。何を動かすにせよ、 リスクを理解するようにする"
msgid "Set up <command>chroot</command> jails for outside users and daemons."
msgstr "外部のユーザやデーモンに檻を設定する"
msgid "Configure firewall and tcpwrappers (i.e. <citerefentry><refentrytitle>hosts_access</refentrytitle> <manvolnum>5</manvolnum></citerefentry>); note trick for <filename>/etc/hosts.deny</filename> in text."
msgstr ""
msgid "If you run ftp, set up your ftpd server to always run <command>chroot</command>'ed to the user's home directory"
msgstr "ftp を動かすなら、つねにユーザのホームディレクトリに chroot された状態で動くように ftpd サーバを設定する"
msgid "If you run X, disable xhost authentication and go with <command>ssh</command> instead; better yet, disable remote X if you can (add -nolisten tcp to the X command line and turn off XDMCP in <filename>/etc/X11/xdm/xdm-config</filename> by setting the requestPort to 0)"
msgstr "X を動かすなら、xhost 認証を禁止してかわりに ssh を使う。 よりよいのは、もし可能ならリモートの X を禁止することだ (-nolisten tcp を X のコマンドラインに加え、 <filename>/etc/X11/xdm/xdm-config</filename> 中で requestPort を 0 に設定して XDMCP を無効にする)"
msgid "Disable remote access to printers"
msgstr "外部からプリンタへのアクセスを禁止する"
msgid "Tunnel any IMAP or POP sessions through SSL or <command>ssh</command>; install stunnel if you want to provide this service to remote mail users"
msgstr "IMAP または POP のセッションをすべて SSL または ssh を 通じて行う。このサービスをリモートのメールユーザに 提供したいなら stunnel をインストールする"
msgid "Set up a log host and configure other machines to send logs to this host (<filename>/etc/syslog.conf</filename>)"
msgstr "ログホストを設置して他のマシンがログをそのホストに送るように 設定する (<filename>/etc/syslog.conf</filename>)"
msgid "Secure BIND, Sendmail, and other complex daemons (run in a <command>chroot</command> jail; run as a non-root pseudo-user)"
msgstr "BIND、Sendmail などの複雑なデーモンを安全にする (chroot の檻の中で動かす。root でない仮ユーザで動かす)"
msgid "Install tiger or a similar network intrusion detection tool."
msgstr ""
msgid "Install snort or a similar network intrusion detection tool.v"
msgstr ""
msgid "Do without NIS and RPC if you can (disable portmap)."
msgstr "もし可能なら NIS や RPC なしですます (portmap を停止する)。"
msgid "Policy issues"
msgstr "ポリシーの問題"
msgid "Educate users about the whys and hows of your policies. When you have prohibited something which is regularly available on other systems, provide documentation which explains how to accomplish similar results using other, more secure means."
msgstr "ポリシーがなぜあるか、どんなポリシーかについてユーザを 教育する。他のシステムでふつう利用可能なものを禁止するときは、 他のより安全な手段を使って同様の結果を達成する方法を説明する 文書を提供する"
msgid "Prohibit use of protocols which use clear-text passwords (<command>telnet</command>, <command>rsh</command> and friends; ftp, imap, http, ...)."
msgstr "平文パスワードを使うプロトコル (telnet、rsh およびその一族。 ftp、imap、http など) を禁止する"
msgid "Prohibit programs which use SVGAlib."
msgstr "SVGAlib を使うプログラムを禁止する"
msgid "Use disk quotas."
msgstr "ディスク quota を使う"
msgid "Keep informed about security issues"
msgstr "セキュリティ問題についての情報を得る"
msgid "Subscribe to security mailing lists"
msgstr "セキュリティ関連のメーリングリストを講読する"
msgid "Configure <package>apt</package> for security updates -- add to <filename>/etc/apt/sources.list</filename> an entry (or entries) for http://security.debian.org/"
msgstr "セキュリティの更新を講読する -- <filename>/etc/apt/sources.list</filename> に http://security.debian.org/debian-security への項目 (複数かも) を追加する"
msgid "Also remember to periodically run <command>apt-get update ; apt-get upgrade</command> (perhaps install as a <command>cron</command> job?) as explained in <xref linkend=\"security-update\" />."
msgstr "さらに <command>apt-get update ; apt-get upgrade</command> を <xref linkend=\"security-update\" /> で説明されているように周期的に 実行するようにする (もしかしたら cron job として インストールする?)"
msgid "Setting up a stand-alone IDS"
msgstr "独立の IDS を設置する"
msgid "You can easily set up a dedicated Debian system as a stand-alone Intrusion Detection System using <package>snort</package> and a web-based interface to analyse the intrusion detection alerts:"
msgstr ""
msgid "Install a base Debian system and select no additional packages."
msgstr "ベース Debian システムをインストールし、他にパッケージを追加しないように しましょう。"
msgid "Install one of the Snort versions with database support and configure the IDS to log alerts into the database."
msgstr ""
msgid "Download and install BASE (Basic Analysis and Security Engine), or ACID (Analysis Console for Intrusion Databases). Configure it to use the same database than Snort."
msgstr ""
msgid "Download and install the necessary packages<footnote><para>Typically the needed packages will be installed through the dependencies</para></footnote>."
msgstr ""
msgid "BASE is currently packaged for Debian in <package>acidbase</package> and ACID is packaged as <package>acidlab</package><footnote><para> It can also be downloaded from <ulink url=\"http://www.cert.org/kb/acid/\" />, <ulink url=\"http://acidlab.sourceforge.net\" /> or <ulink url=\"http://www.andrew.cmu.edu/~rdanyliw/snort/\" />. </para></footnote>. Both provide a graphical WWW interface to Snort's output."
msgstr ""
msgid "Besides the base installation you will also need a web server (such as <package>apache</package>), a <command>PHP</command> interpreter and a relational database (such <package>postgresql</package> or <package>mysql</package>) where Snort will store its alerts."
msgstr ""
msgid "This system should be set up with at least two interfaces: one interface connected to a management LAN (for accessing the results and maintaining the system), and one interface with no IP address attached to the network segment being analyzed. You should configure the web server to listen only on the interface connected to the management LAN."
msgstr ""
msgid "You should configure both interfaces in the standard Debian <filename>/etc/network/interfaces</filename> configuration file. One (the management LAN) address can be configured as you would normally do. The other interface needs to be configured so that it is started up when the system boots, but with no interface address. You can use the following interface definition:"
msgstr ""
msgid ""
"\n"
"auto eth0\n"
"iface eth0 inet manual\n"
" up ifconfig $IFACE 0.0.0.0 up\n"
" up ip link set $IFACE promisc on\n"
" down ip link set $IFACE promisc off\n"
" down ifconfig $IFACE down"
msgstr ""
msgid "The above configures an interface to read all the traffic on the network in a <emphasis>stealth</emphasis>-type configuration. This prevents the NIDS system to be a direct target in a hostile network since the sensors have no IP address on the network. Notice, however, that there have been known bugs over time in sensors part of NIDS (for example see <ulink name=\"DSA-297\" url=\"http://www.debian.org/security/2003/dsa-297\" /> related to Snort) and remote buffer overflows might even be triggered by network packet processing."
msgstr ""
msgid "You might also want to read the <ulink name=\"Snort Statistics HOWTO\" url=\"http://www.faqs.org/docs/Linux-HOWTO/Snort-Statistics-HOWTO.html\" /> and the documentation available at the <ulink name=\"Snort official site\" url=\"http://www.snort.org/docs/\" />."
msgstr ""
msgid "Setting up a bridge firewall"
msgstr ""
msgid "This information was contributed by Francois Bayart in order to help users set up a Linux bridge/firewall with the 2.4.x kernel and <package>iptables</package>. Kernel patches are no more needed as the code was made standard part of the Linux kernel distribution."
msgstr ""
msgid "To configure the kernel with necessary support, run <literal>make menuconfig</literal> or <literal>make xconfig</literal>. In the section <emphasis>Networking options</emphasis>, enable the following options:"
msgstr ""
msgid ""
"\n"
"[*] Network packet filtering (replaces ipchains)\n"
"[ ] Network packet filtering debugging (NEW)\n"
"<*> 802.1d Ethernet Bridging\n"
"[*] netfilter (firewalling) support (NEW)"
msgstr ""
msgid "Caution: you must disable this if you want to apply some firewalling rules or else <command>iptables</command> will not work:"
msgstr ""
msgid ""
"\n"
"[ ] Network packet filtering debugging (NEW)"
msgstr ""
msgid "Next, add the correct options in the section <emphasis>IP: Netfilter Configuration</emphasis>. Then, compile and install the kernel. If you want to do it the <emphasis>Debian way</emphasis>, install <package>kernel-package</package> and run <command>make-kpkg</command> to create a custom Debian kernel package you can install on your server using dpkg. Once the new kernel is compiled and installed, install the <package>bridge-utils</package> package."
msgstr ""
msgid "Once these steps are complete, you can complete the configuration of your bridge. The next section presents two different possible configurations for the bridge, each with a hypothetical network map and the necessary commands."
msgstr ""
msgid "A bridge providing NAT and firewall capabilities"
msgstr ""
msgid "The first configuration uses the bridge as a firewall with network address translation (NAT) that protects a server and internal LAN clients. A diagram of the network configuration is shown below:"
msgstr ""
msgid ""
"\n"
"Internet ---- router ( 62.3.3.25 ) ---- bridge (62.3.3.26 gw 62.3.3.25 / 192.168.0.1)\n"
" |\n"
" |\n"
" |---- WWW Server (62.3.3.27 gw 62.3.3.25)\n"
" |\n"
" |\n"
" LAN --- Zipowz (192.168.0.2 gw 192.168.0.1)"
msgstr ""
msgid "The following commands show how this bridge can be configured."
msgstr ""
msgid ""
"\n"
"# Create the interface br0\n"
"/usr/sbin/brctl addbr br0\n"
"\n"
"# Add the Ethernet interface to use with the bridge\n"
"/usr/sbin/brctl addif br0 eth0\n"
"/usr/sbin/brctl addif br0 eth1\n"
"\n"
"# Start up the Ethernet interface\n"
"/sbin/ifconfig eth0 0.0.0.0\n"
"/sbin/ifconfig eth1 0.0.0.0\n"
"\n"
"# Configure the bridge ethernet\n"
"# The bridge will be correct and invisible ( transparent firewall ).\n"
"# It's hidden in a traceroute and you keep your real gateway on the \n"
"# other computers. Now if you want you can config a gateway on your \n"
"# bridge and choose it as your new gateway for the other computers.\n"
"\n"
"/sbin/ifconfig br0 62.3.3.26 netmask 255.255.255.248 broadcast 62.3.3.31\n"
"\n"
"# I have added this internal IP to create my NAT \n"
"ip addr add 192.168.0.1/24 dev br0\n"
"/sbin/route add default gw 62.3.3.25"
msgstr ""
msgid "A bridge providing firewall capabilities"
msgstr "ファイアウォール機能を追加する"
msgid "A second possible configuration is a system that is set up as a transparent firewall for a LAN with a public IP address space."
msgstr ""
msgid ""
"\n"
"Internet ---- router (62.3.3.25) ---- bridge (62.3.3.26)\n"
" |\n"
" |\n"
" |---- WWW Server (62.3.3.28 gw 62.3.3.25)\n"
" |\n"
" |\n"
" |---- Mail Server (62.3.3.27 gw 62.3.3.25)"
msgstr ""
msgid ""
"\n"
"# Create the interface br0\n"
"/usr/sbin/brctl addbr br0\n"
"\n"
"# Add the Ethernet interface to use with the bridge\n"
"/usr/sbin/brctl addif br0 eth0\n"
"/usr/sbin/brctl addif br0 eth1\n"
"\n"
"# Start up the Ethernet interface\n"
"/sbin/ifconfig eth0 0.0.0.0\n"
"/sbin/ifconfig eth1 0.0.0.0\n"
"\n"
"# Configure the bridge Ethernet\n"
"# The bridge will be correct and invisible ( transparent firewall ).\n"
"# It's hidden in a traceroute and you keep your real gateway on the \n"
"# other computers. Now if you want you can config a gateway on your\n"
"# bridge and choose it as your new gateway for the other computers.\n"
"\n"
"/sbin/ifconfig br0 62.3.3.26 netmask 255.255.255.248 broadcast 62.3.3.31"
msgstr ""
msgid "If you traceroute the Linux Mail Server, you won't see the bridge. If you want access to the bridge with <command>ssh</command>, you must have a gateway or you must first connect to another server, such as the \"Mail Server\", and then connect to the bridge through the internal network card."
msgstr ""
msgid "Basic IPtables rules"
msgstr ""
msgid "This is an example of the basic rules that could be used for either of these setups."
msgstr ""
msgid "Basic Iptables rules"
msgstr "Iptables の規則"
msgid ""
"\n"
"iptables -F FORWARD\n"
"iptables -P FORWARD DROP\n"
"iptables -A FORWARD -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -m state --state INVALID -j DROP\n"
"iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n"
"\n"
"# Some funny rules but not in a classic Iptables sorry ...\n"
"# Limit ICMP \n"
"# iptables -A FORWARD -p icmp -m limit --limit 4/s -j ACCEPT\n"
"# Match string, a good simple method to block some VIRUS very quickly\n"
"# iptables -I FORWARD -j DROP -p tcp -s 0.0.0.0/0 -m string --string \"cmd.exe\"\n"
"\n"
"# Block all MySQL connection just to be sure\n"
"iptables -A FORWARD -p tcp -s 0/0 -d 62.3.3.0/24 --dport 3306 -j DROP\n"
"\n"
"# Linux Mail Server Rules\n"
"\n"
"# Allow FTP-DATA (20), FTP (21), SSH (22) \n"
"iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.27/32 --dport 20:22 -j ACCEPT\n"
"\n"
"# Allow the Mail Server to connect to the outside\n"
"# Note: This is *not* needed for the previous connections \n"
"# (remember: stateful filtering) and could be removed.\n"
"iptables -A FORWARD -p tcp -s 62.3.3.27/32 -d 0/0 -j ACCEPT\n"
"\n"
"# WWW Server Rules\n"
"\n"
"# Allow HTTP ( 80 ) connections with the WWW server\n"
"iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.28/32 --dport 80 -j ACCEPT\n"
"\n"
"# Allow HTTPS ( 443 ) connections with the WWW server\n"
"iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.28/32 --dport 443 -j ACCEPT\n"
"\n"
"# Allow the WWW server to go out\n"
"# Note: This is *not* needed for the previous connections \n"
"# (remember: stateful filtering) and could be removed.\n"
"iptables -A FORWARD -p tcp -s 62.3.3.28/32 -d 0/0 -j ACCEPT"
msgstr ""
msgid "Sample script to change the default Bind installation."
msgstr ""
msgid "This script automates the procedure for changing the <command>bind</command> version 8 name server's default installation so that it does <emphasis>not</emphasis> run as the superuser. Notice that <command>bind</command> version 9 in Debian already does this by default <footnote><para> Since version 9.2.1-5. That is, since Debian release <emphasis>sarge</emphasis>.</para></footnote> , and you are much better using that version than <command>bind</command> version 8."
msgstr ""
msgid "This script is here for historical purposes and to show how you can automate this kind of changes system-wide. The script will create the user and groups defined for the name server and will modify both <filename>/etc/default/bind</filename> and <filename>/etc/init.d/bind</filename> so that the program will run with that user. Use with extreme care since it has not been tested thoroughly."
msgstr ""
msgid "You can also create the users manually and use the patch available for the default init.d script attached to <ulink name=\"bug report #157245\" url=\"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=157245\" />."
msgstr ""
msgid ""
"\n"
" #!/bin/sh\n"
" # Change the default Debian bind v8 configuration to have it run\n"
" # with a non-root user and group.\n"
" # \n"
" # DO NOT USER this with version 9, use debconf for configure this instead\n"
" #\n"
" # WARN: This script has not been tested thoroughly, please\n"
" # verify the changes made to the INITD script\n"
"\n"
" # (c) 2002 Javier Fernandez-Sanguino Pena\n"
" #\n"
" # This program is free software; you can redistribute it and/or modify\n"
" # it under the terms of the GNU General Public License as published by\n"
" # the Free Software Foundation; either version 1, or (at your option)\n"
" # any later version.\n"
" #\n"
" # This program is distributed in the hope that it will be useful,\n"
" # but WITHOUT ANY WARRANTY; without even the implied warranty of\n"
" # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n"
" # GNU General Public License for more details.\n"
" #\n"
" # Please see the file `COPYING' for the complete copyright notice.\n"
" #\n"
"\n"
" restore() {\n"
" # Just in case, restore the system if the changes fail\n"
" echo \"WARN: Restoring to the previous setup since I'm unable to properly change it.\"\n"
" echo \"WARN: Please check the $INITDERR script.\"\n"
" mv $INITD $INITDERR\n"
" cp $INITDBAK $INITD\n"
" }\n"
"\n"
"\n"
" USER=named\n"
" GROUP=named\n"
" INITD=/etc/init.d/bind\n"
" DEFAULT=/etc/default/bind\n"
" INITDBAK=$INITD.preuserchange\n"
" INITDERR=$INITD.changeerror\n"
" AWKS=\"awk ' /\\/usr\\/sbin\\/ndc reload/ { print \\\"stop; sleep 2; start;\\\"; noprint = 1; } /\\\\\\\\$/ { if ( noprint != 0 ) { noprint = noprint + 1;} } /^.*$/ { if ( noprint != 0 ) { noprint = noprint - 1; } else { print \\$0; } } '\"\n"
"\n"
" [ `id -u` -ne 0 ] && {\n"
" echo \"This program must be run by the root user\"\n"
" exit 1\n"
" }\n"
"\n"
" RUNUSER=`ps eo user,fname |grep named |cut -f 1 -d \" \"`\n"
"\n"
" if [ \"$RUNUSER\" = \"$USER\" ] \n"
" then\n"
" echo \"WARN: The name server running daemon is already running as $USER\"\n"
" echo \"ERR: This script will not do any changes to your setup.\"\n"
" exit 1\n"
" fi\n"
" if [ ! -f \"$INITD\" ]\n"
" then\n"
" echo \"ERR: This system does not have $INITD (which this script tries to change)\"\n"
" RUNNING=`ps eo fname |grep named`\n"
" [ -z \"$RUNNING\" ] && \\\n"
" echo \"ERR: In fact the name server daemon is not even running (is it installed?)\"\n"
" echo \"ERR: No changes will be made to your system\"\n"
" exit 1\n"
" fi\n"
"\n"
" # Check if there are options already setup \n"
" if [ -e \"$DEFAULT\" ]\n"
" then\n"
" if grep -q ^OPTIONS $DEFAULT; then\n"
" echo \"ERR: The $DEFAULT file already has options set.\"\n"
" echo \"ERR: No changes will be made to your system\"\n"
" fi\n"
" fi\n"
"\n"
" # Check if named group exists\n"
" if [ -z \"`grep $GROUP /etc/group`\" ] \n"
" then\n"
" echo \"Creating group $GROUP:\"\n"
" addgroup $GROUP\n"
" else\n"
" echo \"WARN: Group $GROUP already exists. Will not create it\"\n"
" fi\n"
" # Same for the user\n"
" if [ -z \"`grep $USER /etc/passwd`\" ] \n"
" then\n"
" echo \"Creating user $USER:\"\n"
" adduser --system --home /home/$USER \\\n"
" --no-create-home --ingroup $GROUP \\\n"
" --disabled-password --disabled-login $USER\n"
" else\n"
" echo \"WARN: The user $USER already exists. Will not create it\"\n"
" fi\n"
"\n"
" # Change the init.d script\n"
"\n"
" # First make a backup (check that there is not already\n"
" # one there first)\n"
" if [ ! -f $INITDBAK ] \n"
" then\n"
" cp $INITD $INITDBAK\n"
" fi\n"
"\n"
" # Then use it to change it\n"
" cat $INITDBAK |\n"
" eval $AWKS > $INITD\n"
"\n"
" # Now put the options in the /etc/default/bind file:\n"
" cat >>$DEFAULT <<EOF\n"
"# Make bind run with the user we defined\n"
"OPTIONS=\"-u $USER -g $GROUP\"\n"
"EOF\n"
"\n"
" echo \"WARN: The script $INITD has been changed, trying to test the changes.\"\n"
" echo \"Restarting the named daemon (check for errors here).\"\n"
"\n"
" $INITD restart\n"
" if [ $? -ne 0 ] \n"
" then\n"
" echo \"ERR: Failed to restart the daemon.\"\n"
" restore\n"
" exit 1\n"
" fi\n"
"\n"
" RUNNING=`ps eo fname |grep named`\n"
" if [ -z \"$RUNNING\" ] \n"
" then\n"
" echo \"ERR: Named is not running, probably due to a problem with the changes.\"\n"
" restore\n"
" exit 1\n"
" fi\n"
"\n"
" # Check if it's running as expected\n"
" RUNUSER=`ps eo user,fname |grep named |cut -f 1 -d \" \"`\n"
"\n"
" if [ \"$RUNUSER\" = \"$USER\" ] \n"
" then\n"
" echo \"All has gone well, named seems to be running now as $USER.\"\n"
" else\n"
" echo \"ERR: The script failed to automatically change the system.\"\n"
" echo \"ERR: Named is currently running as $RUNUSER.\"\n"
" restore\n"
" exit 1\n"
" fi\n"
"\n"
" exit 0"
msgstr ""
msgid "The previous script, run on Woody's (Debian 3.0) custom <command>bind</command> (version 8), will modify the initd file after creating the 'named' user and group and will"
msgstr ""
msgid "Security update protected by a firewall"
msgstr ""
msgid "After a standard installation, a system may still have some security vulnerabilities. Unless you can download updates for the vulnerable packages on another system (or you have mirrored security.debian.org for local use), the system will have to be connected to the Internet for the downloads."
msgstr ""
msgid "However, as soon as you connect to the Internet you are exposing this system. If one of your local services is vulnerable, you might be compromised even before the update is finished! This may seem paranoid but, in fact, analysis from the <ulink name=\"Honeynet Project\" url=\"http://www.honeynet.org\" /> has shown that systems can be compromised in less than three days, even if the system is not publicly known (i.e., not published in DNS records)."
msgstr ""
msgid "When doing an update on a system not protected by an external system like a firewall, it is possible to properly configure your local firewall to restrict connections involving only the security update itself. The example below shows how to set up such local firewall capabilities, which allow connections from security.debian.org only, logging all others."
msgstr ""
msgid "The following example can be use to setup a restricted firewall ruleset. Run this commands from a local console (not a remote one) to reduce the chances of locking yourself out of the system."
msgstr ""
msgid ""
"\n"
" # iptables -F\n"
" # iptables -L\n"
" Chain INPUT (policy ACCEPT)\n"
" target prot opt source destination\n"
"\n"
" Chain FORWARD (policy ACCEPT)\n"
" target prot opt source destination\n"
"\n"
" Chain OUTPUT (policy ACCEPT)\n"
" target prot opt source destination\n"
" # iptables -A OUTPUT -d security.debian.org --dport 80 -j ACCEPT\n"
" # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n"
" # iptables -A INPUT -p icmp -j ACCEPT\n"
" # iptables -A INPUT -j LOG\n"
" # iptables -A OUTPUT -j LOG\n"
" # iptables -P INPUT DROP\n"
" # iptables -P FORWARD DROP\n"
" # iptables -P OUTPUT DROP\n"
" # iptables -L\n"
" Chain INPUT (policy DROP)\n"
" target prot opt source destination\n"
" ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED\n"
" ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0\n"
" LOG all -- anywhere anywhere LOG level warning\n"
"\n"
" Chain FORWARD (policy DROP)\n"
" target prot opt source destination\n"
"\n"
" Chain OUTPUT (policy DROP)\n"
" target prot opt source destination\n"
" ACCEPT 80 -- anywhere security.debian.org\n"
" LOG all -- anywhere anywhere LOG level warning"
msgstr ""
msgid "Note: Using a <emphasis>DROP</emphasis> policy in the INPUT chain is the most correct thing to do, but be <emphasis>very</emphasis> careful when doing this after flushing the chain from a remote connection. When testing firewall rulesets from a remote location it is best if you run a script with the firewall ruleset (instead of introducing the ruleset line by line through the command line) and, as a precaution, keep a backdoor<footnote><para>Such as <emphasis>knockd</emphasis>. Alternatively, you can open a different console and have the system ask for confirmation that there is somebody on the other side, and reset the firewall chain if no confirmation is given. The following test script could be of use: <programlisting> #!/bin/bash while true; do read -n 1 -p \"Are you there? \" -t 30 ayt if [ -z \"$ayt\" ] ; then break fi done # Reset the firewall chain, user is not available echo echo \"Resetting firewall chain!\" iptables -F iptables -P INPUT ACCEPT iptables -P FORWARD ACCEPT iptables -P OUTPUT ACCEPT exit 1 </programlisting></para></footnote>"
msgstr ""
msgid "Of course, you should disable any backdoors before getting the system into production. configured so that you can re-enable access to the system if you make a mistake. That way there would be no need to go to a remote location to fix a firewall ruleset that blocks you."
msgstr ""
msgid "FIXME: This needs DNS to be working properly since it is required for security.debian.org to work. You can add security.debian.org to /etc/hosts but now it is a CNAME to several hosts (there is more than one security mirror)"
msgstr ""
msgid "FIXME: this will only work with HTTP URLs since ftp might need the ip_conntrack_ftp module, or use passive mode."
msgstr ""
msgid "Chroot environment for <application>SSH</application>"
msgstr ""
msgid "Creating a restricted environment for <application>SSH</application> is a tough job due to its dependencies and the fact that, unlike other servers, <application>SSH</application> provides a remote shell to users. Thus, you will also have to consider the applications users will be allowed to use in the environment."
msgstr ""
msgid "You have two options to setup a restricted remote shell:"
msgstr ""
msgid "Chrooting the ssh users, by properly configuring the ssh daemon you can ask it to chroot a user after authentication just before it is provided a shell. Each user can have their own environment."
msgstr ""
msgid "Chrooting the ssh server, since you chroot the ssh application itself all users are chrooted to the defined environment."
msgstr ""
msgid "The first option has the advantage of making it possible to have both non-chrooted and chrooted users, if you don't introduce any setuid application in the user's chroots it is more difficult to break out of it. However, you might need to setup individual chroots for each user and it is more difficult to setup (as it requires cooperation from the SSH server). The second option is more easy to setup, and protects from an exploitation of the ssh server itself (since it's also in the chroot) but it will have the limitation that all users will share the same chroot environment (you cannot setup a per-user chroot environment)."
msgstr ""
msgid "Chrooting the ssh users"
msgstr ""
msgid "You can setup the ssh server so that it will chroot a set of defined users into a shell with a limited set of applications available."
msgstr ""
msgid "Using <package>libpam-chroot</package>"
msgstr ""
msgid "Probably the easiest way is to use the <package>libpam-chroot</package> package provided in Debian. Once you install it you need to:"
msgstr ""
msgid "Modify <filename>/etc/pam.d/ssh</filename> to use this PAM module, add as its last line<footnote><para>You can use the <emphasis>debug</emphasis> option to have it send the progress of the module to the <emphasis>authpriv.notice</emphasis> facility</para></footnote>:"
msgstr ""
msgid ""
"\n"
"session required pam_chroot.so"
msgstr ""
"\n"
"session required pam_chroot.so"
msgid "set a proper chroot environment for the user. You can try using the scripts available at <filename>/usr/share/doc/libpam-chroot/examples/</filename>, use the <package>makejail</package> <footnote><para>You can create a very limited bash environment with the following python definition for makejail, just create the directory <filename>/var/chroots/users/foo</filename> and a file with the following contents and call it <filename>bash.py</filename>: <screen> chroot=\"/var/chroots/users/foo\" cleanJailFirst=1 testCommandsInsideJail=[\"bash ls\"] </screen> And then run <emphasis>makejail bash.py</emphasis> to create the user environment at <filename>/var/chroots/users/foo</filename>. To test the environment run: <screen> # chroot /var/chroots/users/foo/ ls bin dev etc lib proc sbin usr </screen> </para></footnote> program or setup a minimum Debian environment with <package>debootstrap</package>. Make sure the environment includes the needed devices <footnote><para>In some occasions you might need the <filename>/dev/ptmx</filename> and <filename>/dev/pty*</filename> devices and the <filename>/dev/pts/</filename> subdirectory. Running MAKEDEV in the <filename>/dev</filename> directory of the chrooted environment should be sufficient to create them if they do not exist. If you are using kernels (version 2.6) which dynamically create device files you will need to create the /dev/pts/ files yourself and grant them the proper privileges.</para></footnote>."
msgstr ""
msgid "Configure <filename>/etc/security/chroot.conf</filename> so that the users you determine are chrooted to the directory you setup previously. You might want to have independent directories for different users so that they will not be able to see neither the whole system nor each other's."
msgstr ""
msgid "Configure SSH: Depending on your OpenSSH version the chroot environment might work straight of the box or not. Since 3.6.1p2 the <emphasis>do_pam_session()</emphasis> function is called after sshd has dropped privileges, since chroot() needs root priviledges it will not work with Privilege separation on. In newer OpenSSH versions, however, the PAM code has been modified and do_pam_session is called before dropping priviledges so it will work even with Privilege separation is on. If you have to disable it modify <filename>/etc/ssh/sshd_config</filename> like this:"
msgstr ""
msgid ""
"\n"
"UsePrivilegeSeparation no"
msgstr ""
msgid "Notice that this will lower the security of your system since the OpenSSH server will then run as <emphasis>root</emphasis> user. This means that if a remote attack is found against OpenSSH an attacker will get <emphasis>root</emphasis> privileges instead of <emphasis>sshd</emphasis>, thus compromising the whole system. <footnote><para> If you are using a kernel that implements Mandatory Access Control (RSBAC/SElinux) you can avoid changing this configuration just by granting the <emphasis>sshd</emphasis> user privileges to make the chroot() system call. </para></footnote>"
msgstr ""
msgid "If you don't disable <emphasis>Privilege Separation</emphasis> you will need an <filename>/etc/passwd</filename> which includes the user's UID inside the chroot for <emphasis>Privilege Separation</emphasis> to work properly."
msgstr ""
msgid "If you have <emphasis>Privilege Separation</emphasis> set to <emphasis>yes</emphasis> and your OpenSSH version does not behave properly you will need to disable it. If you don't, users that try to connect to your server and would be chrooted by this module will see this:"
msgstr ""
msgid ""
"\n"
"$ ssh -l user server\n"
"user@server's password:\n"
"Connection to server closed by remote host.\n"
"Connection to server closed."
msgstr ""
msgid "This is because the ssh daemon, which is running as 'sshd', is not be able to make the chroot() system call. To disable Privilege separation you have to modify the <filename>/etc/ssh/sshd_config</filename> configuration file as described above."
msgstr ""
msgid "Notice that if any of the following is missing the users will not be able to logon to the chroot:"
msgstr ""
msgid "The <filename>/proc</filename> filesystem needs to be mounted in the users' chroot."
msgstr ""
msgid "The necessary <filename>/dev/pts/</filename> devices need to exist. If the files are generated by your running kernel automatically then you have to manually create them on the chroot's <filename>/dev/</filename>."
msgstr ""
msgid "The user's home directory has to exist in the chroot, otherwise the ssh daemon will not continue."
msgstr ""
msgid "You can debug all these issues if you use the <emphasis>debug</emphasis> keyword in the <filename>/etc/pam.d/ssh</filename> PAM definition. If you encounter issues you might find it useful to enable the debugging mode on the ssh client too."
msgstr ""
msgid "Note: This information is also available (and maybe more up to date) in <filename>/usr/share/doc/libpam-chroot/README.Debian.gz</filename>, please review it for updated information before taking the above steps."
msgstr ""
msgid "Patching the <command>ssh</command> server"
msgstr ""
msgid "Debian's <command>sshd</command> does not allow restriction of a user's movement through the server, since it lacks the <command>chroot</command> function that the commercial program <command>sshd2</command> includes (using 'ChrootGroups' or 'ChrootUsers', see <citerefentry><refentrytitle>sshd2_config</refentrytitle> <manvolnum>5</manvolnum></citerefentry>). However, there is a patch available to add this functionality available from <ulink name=\"ChrootSSH project\" url=\"http://chrootssh.sourceforge.net\" /> (requested and available in <ulink name=\"Bug #139047\" url=\"http://bugs.debian.org/139047\" /> in Debian). The patch may be included in future releases of the OpenSSH package. Emmanuel Lacour has <command>ssh</command> deb packages for <emphasis>sarge</emphasis> with this feature. They are available at <ulink url=\"http://debian.home-dn.net/sarge/ssh/\" />. Notice that those might not be up to date so completing the compilation step is recommended."
msgstr ""
msgid "After applying the patch, modify <filename>/etc/passwd</filename> by changing the home path of the users (with the special <literal>/./</literal> token):"
msgstr ""
msgid ""
"\n"
" joeuser:x:1099:1099:Joe Random User:/home/joe/./:/bin/bash"
msgstr ""
"\n"
" joeuser:x:1099:1099:Joe Random User:/home/joe/./:/bin/bash"
msgid "This will restrict <emphasis>both</emphasis> remote shell access, as well as remote copy through the <command>ssh</command> channel."
msgstr "これはリモートシェルアクセスおよび ssh チャンネル経由のリモートコピーの <emphasis>両方</emphasis>を制限します。"
msgid "Make sure to have all the needed binaries and libraries in the <command>chroot</command>'ed path for users. These files should be owned by root to avoid tampering by the user (so as to exit the <command>chroot</command>'ed jailed). A sample might include:"
msgstr "必要なバイナリおよびライブラリがすべてユーザの chroot パスの中にあるように してください。これらのファイルはユーザに (chroot の檻から脱出するなどの 目的で) 改ざんされないように root によって所有されるべきです。たとえば 以下が含まるでしょう:"
msgid ""
"\n"
"./bin:\n"
"total 660\n"
"drwxr-xr-x 2 root root 4096 Mar 18 13:36 .\n"
"drwxr-xr-x 8 guest guest 4096 Mar 15 16:53 ..\n"
"-r-xr-xr-x 1 root root 531160 Feb 6 22:36 bash\n"
"-r-xr-xr-x 1 root root 43916 Nov 29 13:19 ls\n"
"-r-xr-xr-x 1 root root 16684 Nov 29 13:19 mkdir\n"
"-rwxr-xr-x 1 root root 23960 Mar 18 13:36 more\n"
"-r-xr-xr-x 1 root root 9916 Jul 26 2001 pwd\n"
"-r-xr-xr-x 1 root root 24780 Nov 29 13:19 rm\n"
"lrwxrwxrwx 1 root root 4 Mar 30 16:29 sh -> bash"
msgstr ""
msgid ""
"\n"
"./etc:\n"
"total 24\n"
"drwxr-xr-x 2 root root 4096 Mar 15 16:13 .\n"
"drwxr-xr-x 8 guest guest 4096 Mar 15 16:53 ..\n"
"-rw-r--r-- 1 root root 54 Mar 15 13:23 group\n"
"-rw-r--r-- 1 root root 428 Mar 15 15:56 hosts\n"
"-rw-r--r-- 1 root root 44 Mar 15 15:53 passwd\n"
"-rw-r--r-- 1 root root 52 Mar 15 13:23 shells"
msgstr ""
msgid ""
"\n"
"./lib:\n"
"total 1848\n"
"drwxr-xr-x 2 root root 4096 Mar 18 13:37 .\n"
"drwxr-xr-x 8 guest guest 4096 Mar 15 16:53 ..\n"
"-rwxr-xr-x 1 root root 92511 Mar 15 12:49 ld-linux.so.2\n"
"-rwxr-xr-x 1 root root 1170812 Mar 15 12:49 libc.so.6\n"
"-rw-r--r-- 1 root root 20900 Mar 15 13:01 libcrypt.so.1\n"
"-rw-r--r-- 1 root root 9436 Mar 15 12:49 libdl.so.2\n"
"-rw-r--r-- 1 root root 248132 Mar 15 12:48 libncurses.so.5\n"
"-rw-r--r-- 1 root root 71332 Mar 15 13:00 libnsl.so.1\n"
"-rw-r--r-- 1 root root 34144 Mar 15 16:10\n"
"libnss_files.so.2\n"
"-rw-r--r-- 1 root root 29420 Mar 15 12:57 libpam.so.0\n"
"-rw-r--r-- 1 root root 105498 Mar 15 12:51 libpthread.so.0\n"
"-rw-r--r-- 1 root root 25596 Mar 15 12:51 librt.so.1\n"
"-rw-r--r-- 1 root root 7760 Mar 15 12:59 libutil.so.1\n"
"-rw-r--r-- 1 root root 24328 Mar 15 12:57 libwrap.so.0"
msgstr ""
msgid ""
"\n"
"./usr:\n"
"total 16\n"
"drwxr-xr-x 4 root root 4096 Mar 15 13:00 .\n"
"drwxr-xr-x 8 guest guest 4096 Mar 15 16:53 ..\n"
"drwxr-xr-x 2 root root 4096 Mar 15 15:55 bin\n"
"drwxr-xr-x 2 root root 4096 Mar 15 15:37 lib"
msgstr ""
msgid ""
"\n"
"./usr/bin:\n"
"total 340\n"
"drwxr-xr-x 2 root root 4096 Mar 15 15:55 .\n"
"drwxr-xr-x 4 root root 4096 Mar 15 13:00 ..\n"
"-rwxr-xr-x 1 root root 10332 Mar 15 15:55 env\n"
"-rwxr-xr-x 1 root root 13052 Mar 15 13:13 id\n"
"-r-xr-xr-x 1 root root 25432 Mar 15 12:40 scp\n"
"-rwxr-xr-x 1 root root 43768 Mar 15 15:15 sftp\n"
"-r-sr-xr-x 1 root root 218456 Mar 15 12:40 ssh\n"
"-rwxr-xr-x 1 root root 9692 Mar 15 13:17 tty"
msgstr ""
msgid ""
"\n"
"./usr/lib:\n"
"total 852\n"
"drwxr-xr-x 2 root root 4096 Mar 15 15:37 .\n"
"drwxr-xr-x 4 root root 4096 Mar 15 13:00 ..\n"
"-rw-r--r-- 1 root root 771088 Mar 15 13:01\n"
"libcrypto.so.0.9.6\n"
"-rw-r--r-- 1 root root 54548 Mar 15 13:00 libz.so.1\n"
"-rwxr-xr-x 1 root root 23096 Mar 15 15:37 sftp-server"
msgstr ""
msgid "Chrooting the ssh server"
msgstr ""
msgid "If you create a chroot which includes the SSH server files in, for example <filename>/var/chroot/ssh</filename>, you would start the <command>ssh</command> server <command>chroot</command>'ed with this command:"
msgstr ""
msgid ""
"\n"
" # chroot /var/chroot/ssh /sbin/sshd -f /etc/sshd_config"
msgstr ""
msgid "That would make startup the <command>sshd</command> daemon inside the chroot. In order to do that you have to first prepare the contents of the <filename>/var/chroot/ssh</filename> directory so that it includes both the SSH server and all the utilities that the users connecting to that server might need. If you are doing this you should make certain that OpenSSH uses <emphasis>Privilege Separation</emphasis> (which is the default) having the following line in the configuration file <filename>/etc/ssh/sshd_config</filename>:"
msgstr ""
msgid ""
"\n"
"UsePrivilegeSeparation yes"
msgstr ""
msgid "That way the remote daemon will do as few things as possible as the root user so even if there is a bug in it it will not compromise the chroot. Notice that, unlike the case in which you setup a per-user chroot, the ssh daemon is running in the same chroot as the users so there is at least one potential process running as root which could break out of the chroot."
msgstr ""
msgid "Notice, also, that in order for SSH to work in that location, the partition where the chroot directory resides cannot be mounted with the <emphasis>nodev</emphasis> option. If you use that option, then you will get the following error: <emphasis>PRNG is not seeded</emphasis>, because <filename>/dev/urandom</filename> does not work in the chroot."
msgstr ""
msgid "Setup a minimal system (the really easy way)"
msgstr ""
msgid "You can use <package>debootstrap</package> to setup a minimal environment that just includes the ssh server. In order to do this you just have to create a chroot as described in the <ulink name=\"chroot section of the Debian Reference\" url=\"http://www.debian.org/doc/manuals/reference/ch09#_chroot_system\" /> document. This method is bound to work (you will get all the necessary componentes for the chroot) but at the cost of disk space (a minimal installation of Debian will amount to several hundred megabytes). This minimal system might also include setuid files that a user in the chroot could use to break out of the chroot if any of those could be use for a privilege escalation."
msgstr ""
msgid "Automatically making the environment (the easy way)"
msgstr ""
msgid "You can easily create a restricted environment with the <package>makejail</package> package, since it automatically takes care of tracing the server daemon (with <command>strace</command>), and makes it run under the restricted environment."
msgstr ""
msgid "The advantage of programs that automatically generate <command>chroot</command> environments is that they are capable of copying any package to the <command>chroot</command> environment (even following the package's dependencies and making sure it's complete). Thus, providing user applications is easier."
msgstr ""
msgid "To set up the environment using <command>makejail</command>'s provided examples, just create <filename>/var/chroot/sshd</filename> and use the command:"
msgstr ""
msgid ""
"\n"
" # makejail /usr/share/doc/makejail/examples/sshd.py"
msgstr ""
msgid "This will setup the chroot in the <filename>/var/chroot/sshd</filename> directory. Notice that this chroot will not fully work unless you:"
msgstr ""
msgid "Mount the <emphasis>procfs</emphasis> filesystem in <filename>/var/chroot/sshd/proc</filename>. <command>Makejail</command> will mount it for you but if the system reboots you need to remount it running:"
msgstr ""
msgid ""
"\n"
"# mount -t proc proc /var/chroot/sshd/proc"
msgstr ""
msgid "You can also have it be mounted automatically by editing <filename>/etc/fstab</filename> and including this line:"
msgstr ""
msgid ""
"\n"
"proc-ssh /var/chroot/sshd/proc proc none 0 0"
msgstr ""
msgid "Have syslog listen to the device <filename>/dev/log</filename> inside the chroot. In order to do this you have modify <filename>/etc/default/syslogd</filename> and add <emphasis>-a /var/chroot/sshd/dev/log</emphasis> to the <varname>SYSLOGD</varname> variable definition."
msgstr ""
msgid "Read the sample file to see what other changes need to be made to the environment. Some of these changes, such as copying user's home directories, cannot be done automatically. Also, limit the exposure of sensitive information by only copying the data from a given number of users from the files <filename>/etc/shadow</filename> or <filename>/etc/group</filename>. Notice that if you are using Privilege Separation the <emphasis>sshd</emphasis> user needs to exist in those files."
msgstr ""
msgid "The following sample environment has been (slightly) tested in Debian 3.0 and is built with the configuration file provided in the package and includes the <package>fileutils</package> package:"
msgstr ""
msgid ""
"\n"
".\n"
"|-- bin\n"
"| |-- ash\n"
"| |-- bash\n"
"| |-- chgrp\n"
"| |-- chmod\n"
"| |-- chown\n"
"| |-- cp\n"
"| |-- csh -> /etc/alternatives/csh\n"
"| |-- dd\n"
"| |-- df\n"
"| |-- dir\n"
"| |-- fdflush\n"
"| |-- ksh\n"
"| |-- ln\n"
"| |-- ls\n"
"| |-- mkdir\n"
"| |-- mknod\n"
"| |-- mv\n"
"| |-- rbash -> bash\n"
"| |-- rm\n"
"| |-- rmdir\n"
"| |-- sh -> bash\n"
"| |-- sync\n"
"| |-- tcsh\n"
"| |-- touch\n"
"| |-- vdir\n"
"| |-- zsh -> /etc/alternatives/zsh\n"
"| `-- zsh4\n"
"|-- dev\n"
"| |-- null\n"
"| |-- ptmx\n"
"| |-- pts\n"
"| |-- ptya0\n"
"(...)\n"
"| |-- tty\n"
"| |-- tty0\n"
"(...)\n"
"| `-- urandom\n"
"|-- etc\n"
"| |-- alternatives\n"
"| | |-- csh -> /bin/tcsh\n"
"| | `-- zsh -> /bin/zsh4\n"
"| |-- environment\n"
"| |-- hosts\n"
"| |-- hosts.allow\n"
"| |-- hosts.deny\n"
"| |-- ld.so.conf\n"
"| |-- localtime -> /usr/share/zoneinfo/Europe/Madrid\n"
"| |-- motd\n"
"| |-- nsswitch.conf\n"
"| |-- pam.conf\n"
"| |-- pam.d\n"
"| | |-- other\n"
"| | `-- ssh\n"
"| |-- passwd\n"
"| |-- resolv.conf\n"
"| |-- security\n"
"| | |-- access.conf\n"
"| | |-- chroot.conf\n"
"| | |-- group.conf\n"
"| | |-- limits.conf\n"
"| | |-- pam_env.conf\n"
"| | `-- time.conf\n"
"| |-- shadow\n"
"| |-- shells\n"
"| `-- ssh\n"
"| |-- moduli\n"
"| |-- ssh_host_dsa_key\n"
"| |-- ssh_host_dsa_key.pub\n"
"| |-- ssh_host_rsa_key\n"
"| |-- ssh_host_rsa_key.pub\n"
"| `-- sshd_config\n"
"|-- home\n"
"| `-- userX\n"
"|-- lib\n"
"| |-- ld-2.2.5.so\n"
"| |-- ld-linux.so.2 -> ld-2.2.5.so\n"
"| |-- libc-2.2.5.so\n"
"| |-- libc.so.6 -> libc-2.2.5.so\n"
"| |-- libcap.so.1 -> libcap.so.1.10\n"
"| |-- libcap.so.1.10\n"
"| |-- libcrypt-2.2.5.so\n"
"| |-- libcrypt.so.1 -> libcrypt-2.2.5.so\n"
"| |-- libdl-2.2.5.so\n"
"| |-- libdl.so.2 -> libdl-2.2.5.so\n"
"| |-- libm-2.2.5.so\n"
"| |-- libm.so.6 -> libm-2.2.5.so\n"
"| |-- libncurses.so.5 -> libncurses.so.5.2\n"
"| |-- libncurses.so.5.2\n"
"| |-- libnsl-2.2.5.so\n"
"| |-- libnsl.so.1 -> libnsl-2.2.5.so\n"
"| |-- libnss_compat-2.2.5.so\n"
"| |-- libnss_compat.so.2 -> libnss_compat-2.2.5.so\n"
"| |-- libnss_db-2.2.so\n"
"| |-- libnss_db.so.2 -> libnss_db-2.2.so\n"
"| |-- libnss_dns-2.2.5.so\n"
"| |-- libnss_dns.so.2 -> libnss_dns-2.2.5.so\n"
"| |-- libnss_files-2.2.5.so\n"
"| |-- libnss_files.so.2 -> libnss_files-2.2.5.so\n"
"| |-- libnss_hesiod-2.2.5.so\n"
"| |-- libnss_hesiod.so.2 -> libnss_hesiod-2.2.5.so\n"
"| |-- libnss_nis-2.2.5.so\n"
"| |-- libnss_nis.so.2 -> libnss_nis-2.2.5.so\n"
"| |-- libnss_nisplus-2.2.5.so\n"
"| |-- libnss_nisplus.so.2 -> libnss_nisplus-2.2.5.so\n"
"| |-- libpam.so.0 -> libpam.so.0.72\n"
"| |-- libpam.so.0.72\n"
"| |-- libpthread-0.9.so\n"
"| |-- libpthread.so.0 -> libpthread-0.9.so\n"
"| |-- libresolv-2.2.5.so\n"
"| |-- libresolv.so.2 -> libresolv-2.2.5.so\n"
"| |-- librt-2.2.5.so\n"
"| |-- librt.so.1 -> librt-2.2.5.so\n"
"| |-- libutil-2.2.5.so\n"
"| |-- libutil.so.1 -> libutil-2.2.5.so\n"
"| |-- libwrap.so.0 -> libwrap.so.0.7.6\n"
"| |-- libwrap.so.0.7.6\n"
"| `-- security\n"
"| |-- pam_access.so\n"
"| |-- pam_chroot.so\n"
"| |-- pam_deny.so\n"
"| |-- pam_env.so\n"
"| |-- pam_filter.so\n"
"| |-- pam_ftp.so\n"
"| |-- pam_group.so\n"
"| |-- pam_issue.so\n"
"| |-- pam_lastlog.so\n"
"| |-- pam_limits.so\n"
"| |-- pam_listfile.so\n"
"| |-- pam_mail.so\n"
"| |-- pam_mkhomedir.so\n"
"| |-- pam_motd.so\n"
"| |-- pam_nologin.so\n"
"| |-- pam_permit.so\n"
"| |-- pam_rhosts_auth.so\n"
"| |-- pam_rootok.so\n"
"| |-- pam_securetty.so\n"
"| |-- pam_shells.so\n"
"| |-- pam_stress.so\n"
"| |-- pam_tally.so\n"
"| |-- pam_time.so\n"
"| |-- pam_unix.so\n"
"| |-- pam_unix_acct.so -> pam_unix.so\n"
"| |-- pam_unix_auth.so -> pam_unix.so\n"
"| |-- pam_unix_passwd.so -> pam_unix.so\n"
"| |-- pam_unix_session.so -> pam_unix.so\n"
"| |-- pam_userdb.so\n"
"| |-- pam_warn.so\n"
"| `-- pam_wheel.so\n"
"|-- sbin\n"
"| `-- start-stop-daemon\n"
"|-- usr\n"
"| |-- bin\n"
"| | |-- dircolors\n"
"| | |-- du\n"
"| | |-- install\n"
"| | |-- link\n"
"| | |-- mkfifo\n"
"| | |-- shred\n"
"| | |-- touch -> /bin/touch\n"
"| | `-- unlink\n"
"| |-- lib\n"
"| | |-- libcrypto.so.0.9.6\n"
"| | |-- libdb3.so.3 -> libdb3.so.3.0.2\n"
"| | |-- libdb3.so.3.0.2\n"
"| | |-- libz.so.1 -> libz.so.1.1.4\n"
"| | `-- libz.so.1.1.4\n"
"| |-- sbin\n"
"| | `-- sshd\n"
"| `-- share\n"
"| |-- locale\n"
"| | `-- es\n"
"| | |-- LC_MESSAGES\n"
"| | | |-- fileutils.mo\n"
"| | | |-- libc.mo\n"
"| | | `-- sh-utils.mo\n"
"| | `-- LC_TIME -> LC_MESSAGES\n"
"| `-- zoneinfo\n"
"| `-- Europe\n"
"| `-- Madrid\n"
"`-- var\n"
" `-- run\n"
" |-- sshd\n"
" `-- sshd.pid\n"
"\n"
"27 directories, 733 files"
msgstr ""
msgid "For Debian release 3.1 you have to make sure that the environment includes also the common files for PAM. The following files need to be copied over to the chroot if <command>makejail</command> did not do it for you:"
msgstr ""
msgid ""
"\n"
"$ ls /etc/pam.d/common-*\n"
"/etc/pam.d/common-account /etc/pam.d/common-password\n"
"/etc/pam.d/common-auth /etc/pam.d/common-session"
msgstr ""
msgid "Manually creating the environment (the hard way)"
msgstr ""
msgid "It is possible to create an environment, using a trial-and-error method, by monitoring the <command>sshd</command> server traces and log files in order to determine the necessary files. The following environment, contributed by José Luis Ledesma, is a sample listing of files in a <command>chroot</command> environment for <command>ssh</command> in Debian woody (3.0): <footnote><para> Notice that there are no SETUID files. This makes it more difficult for remote users to escape the <command>chroot</command> environment. However, it also prevents users from changing their passwords, since the <command>passwd</command> program cannot modify the files <filename>/etc/passwd</filename> or <filename>/etc/shadow</filename>. </para></footnote>"
msgstr ""
msgid ""
"\n"
".:\n"
"total 36\n"
"drwxr-xr-x 9 root root 4096 Jun 5 10:05 ./\n"
"drwxr-xr-x 11 root root 4096 Jun 3 13:43 ../\n"
"drwxr-xr-x 2 root root 4096 Jun 4 12:13 bin/\n"
"drwxr-xr-x 2 root root 4096 Jun 4 12:16 dev/\n"
"drwxr-xr-x 4 root root 4096 Jun 4 12:35 etc/\n"
"drwxr-xr-x 3 root root 4096 Jun 4 12:13 lib/\n"
"drwxr-xr-x 2 root root 4096 Jun 4 12:35 sbin/\n"
"drwxr-xr-x 2 root root 4096 Jun 4 12:32 tmp/\n"
"drwxr-xr-x 2 root root 4096 Jun 4 12:16 usr/\n"
"./bin:\n"
"total 8368\n"
"drwxr-xr-x 2 root root 4096 Jun 4 12:13 ./\n"
"drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../\n"
"-rwxr-xr-x 1 root root 109855 Jun 3 13:45 a2p*\n"
"-rwxr-xr-x 1 root root 387764 Jun 3 13:45 bash*\n"
"-rwxr-xr-x 1 root root 36365 Jun 3 13:45 c2ph*\n"
"-rwxr-xr-x 1 root root 20629 Jun 3 13:45 dprofpp*\n"
"-rwxr-xr-x 1 root root 6956 Jun 3 13:46 env*\n"
"-rwxr-xr-x 1 root root 158116 Jun 3 13:45 fax2ps*\n"
"-rwxr-xr-x 1 root root 104008 Jun 3 13:45 faxalter*\n"
"-rwxr-xr-x 1 root root 89340 Jun 3 13:45 faxcover*\n"
"-rwxr-xr-x 1 root root 441584 Jun 3 13:45 faxmail*\n"
"-rwxr-xr-x 1 root root 96036 Jun 3 13:45 faxrm*\n"
"-rwxr-xr-x 1 root root 107000 Jun 3 13:45 faxstat*\n"
"-rwxr-xr-x 1 root root 77832 Jun 4 11:46 grep*\n"
"-rwxr-xr-x 1 root root 19597 Jun 3 13:45 h2ph*\n"
"-rwxr-xr-x 1 root root 46979 Jun 3 13:45 h2xs*\n"
"-rwxr-xr-x 1 root root 10420 Jun 3 13:46 id*\n"
"-rwxr-xr-x 1 root root 4528 Jun 3 13:46 ldd*\n"
"-rwxr-xr-x 1 root root 111386 Jun 4 11:46 less*\n"
"-r-xr-xr-x 1 root root 26168 Jun 3 13:45 login*\n"
"-rwxr-xr-x 1 root root 49164 Jun 3 13:45 ls*\n"
"-rwxr-xr-x 1 root root 11600 Jun 3 13:45 mkdir*\n"
"-rwxr-xr-x 1 root root 24780 Jun 3 13:45 more*\n"
"-rwxr-xr-x 1 root root 154980 Jun 3 13:45 pal2rgb*\n"
"-rwxr-xr-x 1 root root 27920 Jun 3 13:46 passwd*\n"
"-rwxr-xr-x 1 root root 4241 Jun 3 13:45 pl2pm*\n"
"-rwxr-xr-x 1 root root 2350 Jun 3 13:45 pod2html*\n"
"-rwxr-xr-x 1 root root 7875 Jun 3 13:45 pod2latex*\n"
"-rwxr-xr-x 1 root root 17587 Jun 3 13:45 pod2man*\n"
"-rwxr-xr-x 1 root root 6877 Jun 3 13:45 pod2text*\n"
"-rwxr-xr-x 1 root root 3300 Jun 3 13:45 pod2usage*\n"
"-rwxr-xr-x 1 root root 3341 Jun 3 13:45 podchecker*\n"
"-rwxr-xr-x 1 root root 2483 Jun 3 13:45 podselect*\n"
"-r-xr-xr-x 1 root root 82412 Jun 4 11:46 ps*\n"
"-rwxr-xr-x 1 root root 36365 Jun 3 13:45 pstruct*\n"
"-rwxr-xr-x 1 root root 7120 Jun 3 13:45 pwd*\n"
"-rwxr-xr-x 1 root root 179884 Jun 3 13:45 rgb2ycbcr*\n"
"-rwxr-xr-x 1 root root 20532 Jun 3 13:45 rm*\n"
"-rwxr-xr-x 1 root root 6720 Jun 4 10:15 rmdir*\n"
"-rwxr-xr-x 1 root root 14705 Jun 3 13:45 s2p*\n"
"-rwxr-xr-x 1 root root 28764 Jun 3 13:46 scp*\n"
"-rwxr-xr-x 1 root root 385000 Jun 3 13:45 sendfax*\n"
"-rwxr-xr-x 1 root root 67548 Jun 3 13:45 sendpage*\n"
"-rwxr-xr-x 1 root root 88632 Jun 3 13:46 sftp*\n"
"-rwxr-xr-x 1 root root 387764 Jun 3 13:45 sh*\n"
"-rws--x--x 1 root root 744500 Jun 3 13:46 slogin*\n"
"-rwxr-xr-x 1 root root 14523 Jun 3 13:46 splain*\n"
"-rws--x--x 1 root root 744500 Jun 3 13:46 ssh*\n"
"-rwxr-xr-x 1 root root 570960 Jun 3 13:46 ssh-add*\n"
"-rwxr-xr-x 1 root root 502952 Jun 3 13:46 ssh-agent*\n"
"-rwxr-xr-x 1 root root 575740 Jun 3 13:46 ssh-keygen*\n"
"-rwxr-xr-x 1 root root 383480 Jun 3 13:46 ssh-keyscan*\n"
"-rwxr-xr-x 1 root root 39 Jun 3 13:46 ssh_europa*\n"
"-rwxr-xr-x 1 root root 107252 Jun 4 10:14 strace*\n"
"-rwxr-xr-x 1 root root 8323 Jun 4 10:14 strace-graph*\n"
"-rwxr-xr-x 1 root root 158088 Jun 3 13:46 thumbnail*\n"
"-rwxr-xr-x 1 root root 6312 Jun 3 13:46 tty*\n"
"-rwxr-xr-x 1 root root 55904 Jun 4 11:46 useradd*\n"
"-rwxr-xr-x 1 root root 585656 Jun 4 11:47 vi*\n"
"-rwxr-xr-x 1 root root 6444 Jun 4 11:45 whoami*\n"
"./dev:\n"
"total 8\n"
"drwxr-xr-x 2 root root 4096 Jun 4 12:16 ./\n"
"drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../\n"
"crw-r--r-- 1 root root 1, 9 Jun 3 13:43 urandom\n"
"./etc:\n"
"total 208\n"
"drwxr-xr-x 4 root root 4096 Jun 4 12:35 ./\n"
"drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../\n"
"-rw------- 1 root root 0 Jun 4 11:46 .pwd.lock\n"
"-rw-r--r-- 1 root root 653 Jun 3 13:46 group\n"
"-rw-r--r-- 1 root root 242 Jun 4 11:33 host.conf\n"
"-rw-r--r-- 1 root root 857 Jun 4 12:04 hosts\n"
"-rw-r--r-- 1 root root 1050 Jun 4 11:29 ld.so.cache\n"
"-rw-r--r-- 1 root root 304 Jun 4 11:28 ld.so.conf\n"
"-rw-r--r-- 1 root root 235 Jun 4 11:27 ld.so.conf~\n"
"-rw-r--r-- 1 root root 88039 Jun 3 13:46 moduli\n"
"-rw-r--r-- 1 root root 1342 Jun 4 11:34 nsswitch.conf\n"
"drwxr-xr-x 2 root root 4096 Jun 4 12:02 pam.d/\n"
"-rw-r--r-- 1 root root 28 Jun 4 12:00 pam_smb.conf\n"
"-rw-r--r-- 1 root root 2520 Jun 4 11:57 passwd\n"
"-rw-r--r-- 1 root root 7228 Jun 3 13:48 profile\n"
"-rw-r--r-- 1 root root 1339 Jun 4 11:33 protocols\n"
"-rw-r--r-- 1 root root 274 Jun 4 11:44 resolv.conf\n"
"drwxr-xr-x 2 root root 4096 Jun 3 13:43 security/\n"
"-rw-r----- 1 root root 1178 Jun 4 11:51 shadow\n"
"-rw------- 1 root root 80 Jun 4 11:45 shadow-\n"
"-rw-r----- 1 root root 1178 Jun 4 11:48 shadow.old\n"
"-rw-r--r-- 1 root root 161 Jun 3 13:46 shells\n"
"-rw-r--r-- 1 root root 1144 Jun 3 13:46 ssh_config\n"
"-rw------- 1 root root 668 Jun 3 13:46 ssh_host_dsa_key\n"
"-rw-r--r-- 1 root root 602 Jun 3 13:46 ssh_host_dsa_key.pub\n"
"-rw------- 1 root root 527 Jun 3 13:46 ssh_host_key\n"
"-rw-r--r-- 1 root root 331 Jun 3 13:46 ssh_host_key.pub\n"
"-rw------- 1 root root 883 Jun 3 13:46 ssh_host_rsa_key\n"
"-rw-r--r-- 1 root root 222 Jun 3 13:46 ssh_host_rsa_key.pub\n"
"-rw-r--r-- 1 root root 2471 Jun 4 12:15 sshd_config\n"
"./etc/pam.d:\n"
"total 24\n"
"drwxr-xr-x 2 root root 4096 Jun 4 12:02 ./\n"
"drwxr-xr-x 4 root root 4096 Jun 4 12:35 ../\n"
"lrwxrwxrwx 1 root root 4 Jun 4 12:02 other -> sshd\n"
"-rw-r--r-- 1 root root 318 Jun 3 13:46 passwd\n"
"-rw-r--r-- 1 root root 546 Jun 4 11:36 ssh\n"
"-rw-r--r-- 1 root root 479 Jun 4 12:02 sshd\n"
"-rw-r--r-- 1 root root 370 Jun 3 13:46 su\n"
"./etc/security:\n"
"total 32\n"
"drwxr-xr-x 2 root root 4096 Jun 3 13:43 ./\n"
"drwxr-xr-x 4 root root 4096 Jun 4 12:35 ../\n"
"-rw-r--r-- 1 root root 1971 Jun 3 13:46 access.conf\n"
"-rw-r--r-- 1 root root 184 Jun 3 13:46 chroot.conf\n"
"-rw-r--r-- 1 root root 2145 Jun 3 13:46 group.conf\n"
"-rw-r--r-- 1 root root 1356 Jun 3 13:46 limits.conf\n"
"-rw-r--r-- 1 root root 2858 Jun 3 13:46 pam_env.conf\n"
"-rw-r--r-- 1 root root 2154 Jun 3 13:46 time.conf\n"
"./lib:\n"
"total 8316\n"
"drwxr-xr-x 3 root root 4096 Jun 4 12:13 ./\n"
"drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../\n"
"-rw-r--r-- 1 root root 1024 Jun 4 11:51 cracklib_dict.hwm\n"
"-rw-r--r-- 1 root root 214324 Jun 4 11:51 cracklib_dict.pwd\n"
"-rw-r--r-- 1 root root 11360 Jun 4 11:51 cracklib_dict.pwi\n"
"-rwxr-xr-x 1 root root 342427 Jun 3 13:46 ld-linux.so.2*\n"
"-rwxr-xr-x 1 root root 4061504 Jun 3 13:46 libc.so.6*\n"
"lrwxrwxrwx 1 root root 15 Jun 4 12:11 libcrack.so -> libcrack.so.2.7*\n"
"lrwxrwxrwx 1 root root 15 Jun 4 12:11 libcrack.so.2 -> libcrack.so.2.7*\n"
"-rwxr-xr-x 1 root root 33291 Jun 4 11:39 libcrack.so.2.7*\n"
"-rwxr-xr-x 1 root root 60988 Jun 3 13:46 libcrypt.so.1*\n"
"-rwxr-xr-x 1 root root 71846 Jun 3 13:46 libdl.so.2*\n"
"-rwxr-xr-x 1 root root 27762 Jun 3 13:46 libhistory.so.4.0*\n"
"lrwxrwxrwx 1 root root 17 Jun 4 12:12 libncurses.so.4 -> libncurses.so.4.2*\n"
"-rwxr-xr-x 1 root root 503903 Jun 3 13:46 libncurses.so.4.2*\n"
"lrwxrwxrwx 1 root root 17 Jun 4 12:12 libncurses.so.5 -> libncurses.so.5.0*\n"
"-rwxr-xr-x 1 root root 549429 Jun 3 13:46 libncurses.so.5.0*\n"
"-rwxr-xr-x 1 root root 369801 Jun 3 13:46 libnsl.so.1*\n"
"-rwxr-xr-x 1 root root 142563 Jun 4 11:49 libnss_compat.so.1*\n"
"-rwxr-xr-x 1 root root 215569 Jun 4 11:49 libnss_compat.so.2*\n"
"-rwxr-xr-x 1 root root 61648 Jun 4 11:34 libnss_dns.so.1*\n"
"-rwxr-xr-x 1 root root 63453 Jun 4 11:34 libnss_dns.so.2*\n"
"-rwxr-xr-x 1 root root 63782 Jun 4 11:34 libnss_dns6.so.2*\n"
"-rwxr-xr-x 1 root root 205715 Jun 3 13:46 libnss_files.so.1*\n"
"-rwxr-xr-x 1 root root 235932 Jun 3 13:49 libnss_files.so.2*\n"
"-rwxr-xr-x 1 root root 204383 Jun 4 11:33 libnss_nis.so.1*\n"
"-rwxr-xr-x 1 root root 254023 Jun 4 11:33 libnss_nis.so.2*\n"
"-rwxr-xr-x 1 root root 256465 Jun 4 11:33 libnss_nisplus.so.2*\n"
"lrwxrwxrwx 1 root root 14 Jun 4 12:12 libpam.so.0 -> libpam.so.0.72*\n"
"-rwxr-xr-x 1 root root 31449 Jun 3 13:46 libpam.so.0.72*\n"
"lrwxrwxrwx 1 root root 19 Jun 4 12:12 libpam_misc.so.0 ->\n"
"libpam_misc.so.0.72*\n"
"-rwxr-xr-x 1 root root 8125 Jun 3 13:46 libpam_misc.so.0.72*\n"
"lrwxrwxrwx 1 root root 15 Jun 4 12:12 libpamc.so.0 -> libpamc.so.0.72*\n"
"-rwxr-xr-x 1 root root 10499 Jun 3 13:46 libpamc.so.0.72*\n"
"-rwxr-xr-x 1 root root 176427 Jun 3 13:46 libreadline.so.4.0*\n"
"-rwxr-xr-x 1 root root 44729 Jun 3 13:46 libutil.so.1*\n"
"-rwxr-xr-x 1 root root 70254 Jun 3 13:46 libz.a*\n"
"lrwxrwxrwx 1 root root 13 Jun 4 12:13 libz.so -> libz.so.1.1.3*\n"
"lrwxrwxrwx 1 root root 13 Jun 4 12:13 libz.so.1 -> libz.so.1.1.3*\n"
"-rwxr-xr-x 1 root root 63312 Jun 3 13:46 libz.so.1.1.3*\n"
"drwxr-xr-x 2 root root 4096 Jun 4 12:00 security/\n"
"./lib/security:\n"
"total 668\n"
"drwxr-xr-x 2 root root 4096 Jun 4 12:00 ./\n"
"drwxr-xr-x 3 root root 4096 Jun 4 12:13 ../\n"
"-rwxr-xr-x 1 root root 10067 Jun 3 13:46 pam_access.so*\n"
"-rwxr-xr-x 1 root root 8300 Jun 3 13:46 pam_chroot.so*\n"
"-rwxr-xr-x 1 root root 14397 Jun 3 13:46 pam_cracklib.so*\n"
"-rwxr-xr-x 1 root root 5082 Jun 3 13:46 pam_deny.so*\n"
"-rwxr-xr-x 1 root root 13153 Jun 3 13:46 pam_env.so*\n"
"-rwxr-xr-x 1 root root 13371 Jun 3 13:46 pam_filter.so*\n"
"-rwxr-xr-x 1 root root 7957 Jun 3 13:46 pam_ftp.so*\n"
"-rwxr-xr-x 1 root root 12771 Jun 3 13:46 pam_group.so*\n"
"-rwxr-xr-x 1 root root 10174 Jun 3 13:46 pam_issue.so*\n"
"-rwxr-xr-x 1 root root 9774 Jun 3 13:46 pam_lastlog.so*\n"
"-rwxr-xr-x 1 root root 13591 Jun 3 13:46 pam_limits.so*\n"
"-rwxr-xr-x 1 root root 11268 Jun 3 13:46 pam_listfile.so*\n"
"-rwxr-xr-x 1 root root 11182 Jun 3 13:46 pam_mail.so*\n"
"-rwxr-xr-x 1 root root 5923 Jun 3 13:46 pam_nologin.so*\n"
"-rwxr-xr-x 1 root root 5460 Jun 3 13:46 pam_permit.so*\n"
"-rwxr-xr-x 1 root root 18226 Jun 3 13:46 pam_pwcheck.so*\n"
"-rwxr-xr-x 1 root root 12590 Jun 3 13:46 pam_rhosts_auth.so*\n"
"-rwxr-xr-x 1 root root 5551 Jun 3 13:46 pam_rootok.so*\n"
"-rwxr-xr-x 1 root root 7239 Jun 3 13:46 pam_securetty.so*\n"
"-rwxr-xr-x 1 root root 6551 Jun 3 13:46 pam_shells.so*\n"
"-rwxr-xr-x 1 root root 55925 Jun 4 12:00 pam_smb_auth.so*\n"
"-rwxr-xr-x 1 root root 12678 Jun 3 13:46 pam_stress.so*\n"
"-rwxr-xr-x 1 root root 11170 Jun 3 13:46 pam_tally.so*\n"
"-rwxr-xr-x 1 root root 11124 Jun 3 13:46 pam_time.so*\n"
"-rwxr-xr-x 1 root root 45703 Jun 3 13:46 pam_unix.so*\n"
"-rwxr-xr-x 1 root root 45703 Jun 3 13:46 pam_unix2.so*\n"
"-rwxr-xr-x 1 root root 45386 Jun 3 13:46 pam_unix_acct.so*\n"
"-rwxr-xr-x 1 root root 45386 Jun 3 13:46 pam_unix_auth.so*\n"
"-rwxr-xr-x 1 root root 45386 Jun 3 13:46 pam_unix_passwd.so*\n"
"-rwxr-xr-x 1 root root 45386 Jun 3 13:46 pam_unix_session.so*\n"
"-rwxr-xr-x 1 root root 9726 Jun 3 13:46 pam_userdb.so*\n"
"-rwxr-xr-x 1 root root 6424 Jun 3 13:46 pam_warn.so*\n"
"-rwxr-xr-x 1 root root 7460 Jun 3 13:46 pam_wheel.so*\n"
"./sbin:\n"
"total 3132\n"
"drwxr-xr-x 2 root root 4096 Jun 4 12:35 ./\n"
"drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../\n"
"-rwxr-xr-x 1 root root 178256 Jun 3 13:46 choptest*\n"
"-rwxr-xr-x 1 root root 184032 Jun 3 13:46 cqtest*\n"
"-rwxr-xr-x 1 root root 81096 Jun 3 13:46 dialtest*\n"
"-rwxr-xr-x 1 root root 1142128 Jun 4 11:28 ldconfig*\n"
"-rwxr-xr-x 1 root root 2868 Jun 3 13:46 lockname*\n"
"-rwxr-xr-x 1 root root 3340 Jun 3 13:46 ondelay*\n"
"-rwxr-xr-x 1 root root 376796 Jun 3 13:46 pagesend*\n"
"-rwxr-xr-x 1 root root 13950 Jun 3 13:46 probemodem*\n"
"-rwxr-xr-x 1 root root 9234 Jun 3 13:46 recvstats*\n"
"-rwxr-xr-x 1 root root 64480 Jun 3 13:46 sftp-server*\n"
"-rwxr-xr-x 1 root root 744412 Jun 3 13:46 sshd*\n"
"-rwxr-xr-x 1 root root 30750 Jun 4 11:46 su*\n"
"-rwxr-xr-x 1 root root 194632 Jun 3 13:46 tagtest*\n"
"-rwxr-xr-x 1 root root 69892 Jun 3 13:46 tsitest*\n"
"-rwxr-xr-x 1 root root 43792 Jun 3 13:46 typetest*\n"
"./tmp:\n"
"total 8\n"
"drwxr-xr-x 2 root root 4096 Jun 4 12:32 ./\n"
"drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../\n"
"./usr:\n"
"total 8\n"
"drwxr-xr-x 2 root root 4096 Jun 4 12:16 ./\n"
"drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../\n"
"lrwxrwxrwx 1 root root 7 Jun 4 12:14 bin -> ../bin//\n"
"lrwxrwxrwx 1 root root 7 Jun 4 11:33 lib -> ../lib//\n"
"lrwxrwxrwx 1 root root 8 Jun 4 12:13 sbin -> ../sbin//"
msgstr ""
msgid "Chroot environment for <application>Apache</application>"
msgstr ""
msgid "Introduction"
msgstr "まえがき"
msgid "The <command>chroot</command> utility is often used to jail a daemon in a restricted tree. You can use it to insulate services from one another, so that security issues in a software package do not jeopardize the whole server. When using the <command>makejail</command> script, setting up and updating the chrooted tree is much easier."
msgstr ""
msgid "FIXME: Apache can also be chrooted using <ulink url=\"http://www.modsecurity.org\" /> which is available in <package>libapache-mod-security</package> (for Apache 1.x) and <package>libapache2-mod-security</package> (for Apache 2.x)."
msgstr ""
msgid "Licensing"
msgstr ""
msgid "This document is copyright 2002 Alexandre Ratti. It has been dual-licensed and released under the GPL version 2 (GNU General Public License) the GNU-FDL 1.2 (GNU Free Documentation Licence) and is included in this manual with his explicit permission. (from the <ulink name=\"original document\" url=\"http://www.gabuzomeu.net/alex/doc/apache/index-en.html\" />)"
msgstr ""
msgid "Installing the server"
msgstr ""
msgid "This procedure was tested on Debian GNU/Linux 3.0 (Woody) with <command>makejail</command> 0.0.4-1 (in Debian/testing)."
msgstr ""
msgid "Log in as <command>root</command> and create a new jail directory:"
msgstr ""
msgid ""
"\n"
"$ mkdir -p /var/chroot/apache"
msgstr ""
msgid "Create a new user and a new group. The chrooted Apache server will run as this user/group, which isn't used for anything else on the system. In this example, both user and group are called <command>chrapach</command>."
msgstr ""
msgid ""
" \n"
" $ adduser --home /var/chroot/apache --shell /bin/false \\\n"
" --no-create-home --system --group chrapach\n"
" "
msgstr ""
msgid "FIXME: is a new user needed? (Apache already runs as the apache user)"
msgstr ""
msgid "Install Apache as usual on Debian: <literal>apt-get install apache</literal>"
msgstr ""
msgid "Set up Apache (e.g. define your subdomains, etc.). In the <filename>/etc/apache/httpd.conf</filename> configuration file, set the <emphasis>Group</emphasis> and <emphasis>User</emphasis> options to <literal>chrapach</literal>. Restart Apache and make sure the server is working correctly. Now, stop the Apache daemon."
msgstr ""
msgid "Install <command>makejail</command> (available in Debian/testing for now). You should also install <command>wget</command> and <command>lynx</command> as they will be used by <command>makejail</command> to test the chrooted server: <literal>apt-get install makejail wget lynx</literal>"
msgstr ""
msgid "Copy the sample configuration file for Apache to the <filename>/etc/makejail</filename> directory:"
msgstr ""
msgid ""
" \n"
" # cp /usr/share/doc/makejail/examples/apache.py /etc/makejail/ \n"
" "
msgstr ""
msgid "Edit <filename>/etc/makejail/apache.py</filename>. You need to change the <emphasis>chroot</emphasis>, <emphasis>users</emphasis> and <emphasis>groups</emphasis> options. To run this version of <command>makejail</command>, you can also add a <command>packages</command> option. See the <ulink name=\"makejail documentation\" url=\"http://www.floc.net/makejail/current/doc/\" />. A sample is shown here:"
msgstr ""
msgid ""
"\n"
"chroot=\"/var/chroot/apache\"\n"
"testCommandsInsideJail=[\"/usr/sbin/apachectl start\"]\n"
"processNames=[\"apache\"]\n"
"testCommandsOutsideJail=[\"wget -r --spider http://localhost/\",\n"
" \"lynx --source https://localhost/\"]\n"
"preserve=[\"/var/www\",\n"
" \"/var/log/apache\",\n"
" \"/dev/log\"]\n"
"users=[\"chrapach\"]\n"
"groups=[\"chrapach\"]\n"
"packages=[\"apache\", \"apache-common\"]\n"
"userFiles=[\"/etc/password\",\n"
" \"/etc/shadow\"]\n"
"groupFiles=[\"/etc/group\",\n"
" \"/etc/gshadow\"]\n"
"forceCopy=[\"/etc/hosts\",\n"
" \"/etc/mime.types\"]"
msgstr ""
msgid "<emphasis>FIXME:</emphasis> some options do not seem to work properly. For instance, <filename>/etc/shadow</filename> and <filename>/etc/gshadow</filename> are not copied, whereas <filename>/etc/password</filename> and <filename>/etc/group</filename> are fully copied instead of being filtered."
msgstr ""
msgid "Create the chroot tree: <literal>makejail /etc/makejail/apache.py</literal>"
msgstr ""
msgid "If <filename>/etc/password</filename> and <filename>/etc/group</filename> were fully copied, type:"
msgstr ""
msgid ""
"\n"
" $ grep chrapach /etc/passwd > /var/chroot/apache/etc/passwd\n"
" $ grep chrapach /etc/group > /var/chroot/apache/etc/group\n"
" "
msgstr ""
msgid "to replace them with filtered copies."
msgstr ""
msgid "Copy the Web site pages and the logs into the jail. These files are not copied automatically (see the <emphasis>preserve</emphasis> option in <command>makejail</command>'s configuration file)."
msgstr ""
msgid ""
"\n"
" # cp -Rp /var/www /var/chroot/apache/var\n"
" # cp -Rp /var/log/apache/*.log /var/chroot/apache/var/log/apache\n"
" "
msgstr ""
msgid "Edit the startup script for the system logging daemon so that it also listen to the <filename>/var/chroot/apache/dev/log</filename> socket. In <filename>/etc/default/syslogd</filename>, replace: <literal>SYSLOGD=\"\"</literal> with <literal>SYSLOGD=\" -a /var/chroot/apache/dev/log\"</literal> and restart the daemon (<literal>/etc/init.d/sysklogd restart</literal>)."
msgstr ""
msgid "Edit the Apache startup script (<filename>/etc/init.d/apache</filename>). You might need to make some changes to the default startup script for it to run properly with a chrooted tree. Such as:"
msgstr ""
msgid "set a new <emphasis>CHRDIR</emphasis> variable at the top of the file;"
msgstr ""
msgid "edit the <emphasis>start</emphasis>, <emphasis>stop</emphasis>, <emphasis>reload</emphasis>, etc. sections;"
msgstr ""
msgid "add a line to mount and unmount the <filename>/proc</filename> filesystem within the jail."
msgstr ""
msgid ""
"\n"
"#! /bin/bash\n"
"#\n"
"# apache Start the apache HTTP server.\n"
"#\n"
"\n"
"CHRDIR=/var/chroot/apache\n"
"\n"
"NAME=apache\n"
"PATH=/bin:/usr/bin:/sbin:/usr/sbin\n"
"DAEMON=/usr/sbin/apache\n"
"SUEXEC=/usr/lib/apache/suexec\n"
"PIDFILE=/var/run/$NAME.pid\n"
"CONF=/etc/apache/httpd.conf\n"
"APACHECTL=/usr/sbin/apachectl \n"
"\n"
"trap \"\" 1\n"
"export LANG=C\n"
"export PATH\n"
"\n"
"test -f $DAEMON || exit 0\n"
"test -f $APACHECTL || exit 0\n"
"\n"
"# ensure we don't leak environment vars into apachectl\n"
"APACHECTL=\"env -i LANG=${LANG} PATH=${PATH} chroot $CHRDIR $APACHECTL\"\n"
"\n"
"if egrep -q -i \"^[[:space:]]*ServerType[[:space:]]+inet\" $CONF\n"
"then\n"
" exit 0\n"
"fi\n"
"\n"
"case \"$1\" in\n"
" start)\n"
" echo -n \"Starting web server: $NAME\"\n"
" mount -t proc proc /var/chroot/apache/proc\n"
" start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON \\\n"
" --chroot $CHRDIR\n"
" ;;\n"
"\n"
" stop)\n"
" echo -n \"Stopping web server: $NAME\"\n"
" start-stop-daemon --stop --pidfile \"$CHRDIR/$PIDFILE\" --oknodo\n"
" umount /var/chroot/apache/proc\n"
" ;;\n"
"\n"
" reload)\n"
" echo -n \"Reloading $NAME configuration\"\n"
" start-stop-daemon --stop --pidfile \"$CHRDIR/$PIDFILE\" \\\n"
" --signal USR1 --startas $DAEMON --chroot $CHRDIR\n"
" ;;\n"
"\n"
" reload-modules)\n"
" echo -n \"Reloading $NAME modules\"\n"
" start-stop-daemon --stop --pidfile \"$CHRDIR/$PIDFILE\" --oknodo \\\n"
" --retry 30\n"
" start-stop-daemon --start --pidfile $PIDFILE \\\n"
" --exec $DAEMON --chroot $CHRDIR\n"
" ;;\n"
"\n"
" restart)\n"
" $0 reload-modules\n"
" exit $?\n"
" ;;\n"
"\n"
" force-reload)\n"
" $0 reload-modules\n"
" exit $?\n"
" ;;\n"
"\n"
" *)\n"
" echo \"Usage: /etc/init.d/$NAME {start|stop|reload|reload-modules|force-reload|restart}\"\n"
" exit 1\n"
" ;;\n"
"esac\n"
"\n"
"if [ $? == 0 ]; then\n"
" echo .\n"
" exit 0\n"
"else\n"
" echo failed\n"
" exit 1\n"
"fi"
msgstr ""
msgid "<emphasis>FIXME</emphasis>: should the first Apache process be run as another user than root (i.e. add --chuid chrapach:chrapach)? Cons: chrapach will need write access to the logs, which is awkward."
msgstr ""
msgid "Replace in <filename>/etc/logrotate.d/apache</filename> <literal>/var/log/apache/*.log</literal> with <literal>/var/chroot/apache/var/log/apache/*.log</literal>"
msgstr ""
msgid "Start Apache (<command>/etc/init.d/apache start</command>) and check what is it reported in the jail log (<filename>/var/chroot/apache/var/log/apache/error.log</filename>). If your setup is more complex, (e.g. if you also use PHP and MySQL), files will probably be missing. if some files are not copied automatically by <command>makejail</command>, you can list them in the <emphasis>forceCopy</emphasis> (to copy files directly) or <emphasis>packages</emphasis> (to copy full packages and their dependencies) option the <filename>/etc/makejail/apache.py</filename> configuration file."
msgstr ""
msgid "Type <literal>ps aux | grep apache</literal> to make sure Apache is running. You should see something like:"
msgstr ""
msgid ""
"\n"
" root 180 0.0 1.1 2936 1436 ? S 04:03 0:00 /usr/sbin/apache\n"
" chrapach 189 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache\n"
" chrapach 190 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache\n"
" chrapach 191 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache\n"
" chrapach 192 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache\n"
" chrapach 193 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache\n"
" "
msgstr ""
msgid "Make sure the Apache processes are running chrooted by looking in the <filename>/proc</filename> filesystem: <literal>ls -la /proc/<varname>process_number</varname>/root/.</literal> where <varname>process_number</varname> is one of the PID numbers listed above (2nd column; 189 for instance). The entries for a restricted tree should be listed:"
msgstr ""
msgid ""
"\n"
" drwxr-sr-x 10 root staff 240 Dec 2 16:06 .\n"
" drwxrwsr-x 4 root staff 72 Dec 2 08:07 ..\n"
" drwxr-xr-x 2 root root 144 Dec 2 16:05 bin\n"
" drwxr-xr-x 2 root root 120 Dec 3 04:03 dev\n"
" drwxr-xr-x 5 root root 408 Dec 3 04:03 etc\n"
" drwxr-xr-x 2 root root 800 Dec 2 16:06 lib\n"
" dr-xr-xr-x 43 root root 0 Dec 3 05:03 proc\n"
" drwxr-xr-x 2 root root 48 Dec 2 16:06 sbin\n"
" drwxr-xr-x 6 root root 144 Dec 2 16:04 usr\n"
" drwxr-xr-x 7 root root 168 Dec 2 16:06 var\n"
" "
msgstr ""
msgid "To automate this test, you can type:<literal>ls -la /proc/`cat /var/chroot/apache/var/run/apache.pid`/root/.</literal>"
msgstr ""
msgid "<emphasis>FIXME</emphasis>: Add other tests that can be run to make sure the jail is closed?"
msgstr ""
msgid "The reason I like this is because setting up the jail is not very difficult and the server can be updated in just two lines:"
msgstr ""
msgid ""
" \n"
"apt-get update && apt-get install apache\n"
"makejail /etc/makejail/apache.py"
msgstr ""
msgid "See also"
msgstr ""
msgid "If you are looking for more information you can consider these sources of information in which the information presented is based: <ulink name=\"makejail homepage\" url=\"http://www.floc.net/makejail/\" />, this program was written by Alain Tesio"
msgstr ""
|