File: 04_after-install.po

package info (click to toggle)
harden-doc 3.19%2Bnmu1
  • links: PTS, VCS
  • area: main
  • in suites: bookworm, bullseye, sid
  • size: 15,332 kB
  • sloc: xml: 11,790; sh: 52; makefile: 16
file content (1907 lines) | stat: -rw-r--r-- 139,168 bytes parent folder | download | duplicates (4)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
msgid ""
msgstr ""
"Project-Id-Version: 0\n"
"POT-Creation-Date: 2018-03-19 00:26+0100\n"
"PO-Revision-Date: 2018-03-19 00:26+0100\n"
"Last-Translator: Automatically generated\n"
"Language-Team: None\n"
"Language: en-US \n"
"MIME-Version: 1.0\n"
"Content-Type: application/x-publican; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"X-Generator: Publican v4.3.2\n"

msgid "After installation"
msgstr ""

msgid "Once the system is installed you can still do more to secure the system; some of the steps described in this chapter can be taken. Of course this really depends on your setup but for physical access prevention you should read <xref linkend=\"bios-boot\" />,<xref linkend=\"lilo-passwd\" />, <xref linkend=\"kernel-root-prompt\" />, <xref linkend=\"restrict-console-login\" />, and <xref linkend=\"restrict-reboots\" />."
msgstr ""

msgid "Before connecting to any network, especially if it's a public one you should, at the very least, execute a security update (see <xref linkend=\"security-update\" />). Optionally, you could take a snapshot of your system (see <xref linkend=\"snapshot\" />)."
msgstr ""

msgid "Subscribe to the Debian Security Announce mailing list"
msgstr ""

msgid "In order to receive information on available security updates you should subscribe yourself to the debian-security-announce mailing list in order to receive the Debian Security Advisories (DSAs). See <xref linkend=\"debian-sec-team\" /> for more information on how the Debian security team works. For information on how to subscribe to the Debian mailing lists read <ulink url=\"http://lists.debian.org\" />."
msgstr ""

msgid "DSAs are signed with the Debian Security Team's signature which can be retrieved from <ulink url=\"http://security.debian.org\" />."
msgstr ""

msgid "You should consider, also, subscribing to the <ulink url=\"http://lists.debian.org/debian-security\" /> for general discussion on security issues in the Debian operating system. You will be able to contact other fellow system administrators in the list as well as Debian developers and upstream developers of security tools who can answer your questions and offer advice."
msgstr ""

msgid "FIXME: Add the key here too?"
msgstr ""

msgid "Execute a security update"
msgstr ""

msgid "As soon as new security bugs are detected in packages, Debian maintainers and upstream authors generally patch them within days or even hours. After the bug is fixed, a new package is provided on <ulink url=\"http://security.debian.org\" />."
msgstr ""

msgid "If you are installing a Debian release you must take into account that since the release was made there might have been security updates after it has been determined that a given package is vulnerable. Also, there might have been minor releases (there have been four for the Debian 3.0 <emphasis>sarge</emphasis> release) which include these package updates."
msgstr ""

msgid "During installation security updates are configured for your system and pending updates downloaded and applied, unless you specifically opt out of this or the system was not connected to the Internet. The updates are applied even before the first boot, so the new system starts its life as up to date as possible."
msgstr ""

msgid "To manually update the system, put the following line in your <filename>sources.list</filename> and you will get security updates automatically, whenever you update your system. Replace <replaceable>[CODENAME]</replaceable> with the release codename, e.g. <emphasis>squeeze</emphasis>."
msgstr ""

msgid "\n"
"  deb http://security.debian.org/ [CODENAME]/updates main contrib non-free"
msgstr ""

msgid "<emphasis>Note</emphasis>: If you are using the <emphasis>testing</emphasis> branch use the security testing mirror sources as described in <xref linkend=\"security-support-testing\" />."
msgstr ""

msgid "Once you've done this you can use multiple tools to upgrade your system. If you are running a desktop system you will have<footnote><para>In <emphasis>Etch</emphasis> and later releases</para></footnote> an application called <command>update-notifier</command> that will make it easy to check if new updates are available, by selecting it you can make a system upgrade from the desktop (using <command>update-manager</command>). For more information see <xref linkend=\"update-desktop\" />. In desktop environments you can also use <application>synaptic</application> (GNOME), <application>kpackage</application> or <application>adept</application> (KDE) for more advanced interfaces. If you are running a text-only terminal you can use <application>aptitude</application>, <application>apt</application> or <application>dselect</application> (deprecated) to upgrade:"
msgstr ""

msgid "If you want to use <application>aptitude</application>'s text interface you just have to press <emphasis>u</emphasis> (update) followed by <emphasis>g</emphasis> (to upgrade). Or just do the following from the command line (as root):"
msgstr ""

msgid ""
"\n"
"# aptitude update\n"
"# aptitude upgrade"
msgstr ""

msgid "If you want to use <application>apt</application> do just like with aptitude but substitute the <command>aptitude</command> lines above with <command>apt-get</command>."
msgstr ""

msgid "If you want to use <application>dselect</application> then first [U]pdate, then [I]nstall and finally, [C]onfigure the installed/upgraded packages."
msgstr ""

msgid "If you like, you can add the deb-src lines to <filename>/etc/apt/sources.list</filename> as well. See <citerefentry><refentrytitle>apt</refentrytitle><manvolnum>8</manvolnum></citerefentry> for further details."
msgstr ""

msgid "Security update of libraries"
msgstr ""

msgid "Once you have executed a security update you might need to restart some of the system services. If you do not do this, some services might still be vulnerable after a security upgrade. The reason for this is that daemons that are running before an upgrade might still be using the old libraries before the upgrade <footnote><para>Even though the libraries have been removed from the filesystem the inodes will not be cleared up until no program has an open file descriptor pointing to them.</para></footnote>."
msgstr ""

msgid "From Debian <emphasis>Jessie</emphasis> and up, you can install the <application>needrestart</application> package, which will run automatically after each APT upgrade and prompt you to restart services that are affected by the just-installed updates. In earlier releases, you can run the <command>checkrestart</command> program (available in the <application>debian-goodies</application> package) manually after your APT upgrade."
msgstr ""

msgid "Some packages (like <application>libc6</application>) will do this check in the postinst phase for a limited set of services specially since an upgrade of essential libraries might break some applications (until restarted)<footnote><para>This happened, for example, in the upgrade from libc6 2.2.x to 2.3.x due to NSS authentication issues, see <ulink url=\"http://lists.debian.org/debian-glibc/2003/debian-glibc-200303/msg00276.html\" />.</para></footnote>."
msgstr ""

msgid "Bringing the system to run level 1 (single user) and then back to run level 3 (multi user) should take care of the restart of most (if not all) system services. But this is not an option if you are executing the security upgrade from a remote connection (like ssh) since it will be severed."
msgstr ""

msgid "Excercise caution when dealing with security upgrades if you are doing them over a remote connection like ssh. A suggested procedure for a security upgrade that involves a service restart is to restart the SSH daemon and then, immediately, attempt a new ssh connection without breaking the previous one. If the connection fails, revert the upgrade and investigate the issue."
msgstr ""

msgid "Security update of the kernel"
msgstr ""

msgid "First, make sure your kernel is being managed through the packaging system. If you have installed using the installation system from Debian 3.0 or previous releases, your kernel is <emphasis>not</emphasis> integrated into the packaging system and might be out of date. You can easily confirm this by running:"
msgstr ""

msgid ""
"\n"
"$ dpkg -S `readlink -f /vmlinuz`\n"
"linux-image-2.6.18-4-686: /boot/vmlinuz-2.6.18-4-686"
msgstr ""

msgid "If your kernel is not being managed you will see a message saying that the package manager did not find the file associated to any package instead of the message above, which says that the file associated to the current running kernel is being provided by the <application>linux-image-2.6.18-4-686</application>. So first, you will need to manually install a kernel image package. The exact kernel image you need to install depends on your architecture and your prefered kernel version. Once this is done, you will be able to manage the security updates of the kernel just like those of any other package. In any case, notice that the kernel updates will <emphasis>only</emphasis> be done for kernel updates of the same kernel version you are using, that is, <command>apt</command> will not automatically upgrade your kernel from the 2.4 release to the 2.6 release (or from the 2.4.26 release to the 2.4.27 release<footnote><para>Unless you have installed a kernel metapackage like <application>linux-image-2.6-686</application> which will always pull in the latest kernel minor revision for a kernel release and a given architecture.</para></footnote>)."
msgstr ""

msgid "The installation system of recent Debian releases will handle the selected kernel as part of the package system. You can review which kernels you have installed by running:"
msgstr ""

msgid "\n"
"$ COLUMNS=150 dpkg -l 'linux-image*' | awk '$1 ~ /ii/ { print $0 }'"
msgstr ""

msgid "To see if your kernel needs to be updated run:"
msgstr ""

msgid ""
"\n"
"$ kernfile=`readlink -f /vmlinuz`\n"
"$ kernel=`dpkg -S $kernfile | awk -F : '{print $1}'`\n"
"$ apt-cache policy $kernel\n"
"linux-image-2.6.18-4-686:\n"
"  Installed: 2.6.18.dfsg.1-12\n"
"  Candidate: 2.6.18.dfsg.1-12\n"
"  Version table:\n"
" *** 2.6.18.dfsg.1-12 0\n"
"        100 /var/lib/dpkg/status"
msgstr ""

msgid "If you are doing a security update which includes the kernel image you <emphasis>need</emphasis> to reboot the system in order for the security update to be useful. Otherwise, you will still be running the old (and vulnerable) kernel image."
msgstr ""

msgid "If you need to do a system reboot (because of a kernel upgrade) you should make sure that the kernel will boot up correctly and network connectivity will be restored, specially if the security upgrade is done over a remote connection like ssh. For the former you can configure your boot loader to reboot to the original kernel in the event of a failure (for more detailed information read <ulink url=\"http://www.debian-administration.org/?article=70\">Remotely rebooting Debian GNU/Linux machines</ulink>). For the latter you have to introduce a network connectivity test script that will check if the kernel has started up the network subsystem properly and reboot the system if it did not<footnote><para>A sample script called <ulink url=\"http://www.debian-administration.org/articles/70/testnet\">testnet</ulink> is available in the <ulink url=\"http://www.debian-administration.org/?article=70\"> Remotely rebooting Debian GNU/Linux machines</ulink> article. A more elaborate network connectivity testing script is available in this <ulink url=\"http://www.debian-administration.org/?article=128\"> Testing network connectivity article.</ulink></para></footnote>. This should prevent nasty surprises like updating the kernel and then realizing, after a reboot, that it did not detect or configure the network hardware properly and you need to travel a long distance to bring the system up again. Of course, having the system serial console <footnote><para>Setting up a serial console is beyond the scope of this document, for more information read the <ulink url=\"http://www.tldp.org/HOWTO/Serial-HOWTO.html\">Serial HOWTO</ulink> and the <ulink url=\"http://www.tldp.org/HOWTO/Remote-Serial-Console-HOWTO/index.html\"> Remote Serial Console HOWTO</ulink>.</para></footnote> in the system connected to a console or terminal server should also help debug reboot issues remotely."
msgstr ""

msgid "Change the BIOS (again)"
msgstr ""

msgid "Remember <xref linkend=\"bios-passwd\" />? Well, then you should now, once you do not need to boot from removable media, to change the default BIOS setup so that it <emphasis>only</emphasis> boots from the hard drive. Make sure you will not lose the BIOS password, otherwise, in the event of a hard disk failure you will not be able to return to the BIOS and change the setup so you can recover it using, for example, a CD-ROM."
msgstr ""

msgid "Another less secure but more convenient way is to change the setup to have the system boot up from the hard disk and, if it fails, try removable media. By the way, this is often done because most people don't use the BIOS password that often; it's easily forgotten."
msgstr ""

msgid "Set a LILO or GRUB password"
msgstr ""

msgid "Anybody can easily get a root-shell and change your passwords by entering"
msgstr ""

msgid "<userinput>&lt;name-of-your-bootimage&gt; init=/bin/sh</userinput>"
msgstr ""

msgid "at the boot prompt. After changing the passwords and rebooting the system, the person has unlimited root-access and can do anything he/she wants to the system. After this procedure you will not have root access to your system, as you do not know the root password."
msgstr ""

msgid "To make sure that this cannot happen, you should set a password for the boot loader. You can choose between a global password or a password for a certain image."
msgstr ""

msgid "For LILO you need to edit the config file <filename>/etc/lilo.conf</filename> and add a <userinput>password</userinput> and <userinput>restricted</userinput> line as in the example below."
msgstr ""

msgid ""
"\n"
"  image=/boot/2.2.14-vmlinuz\n"
"     label=Linux\n"
"     read-only\n"
"     password=hackme\n"
"     restricted"
msgstr ""

msgid "Then, make sure that the configuration file is not world readable to prevent local users from reading the password. When done, rerun lilo. Omitting the <literal>restricted</literal> line causes lilo to always prompt for a password, regardless of whether LILO was passed parameters. The default permissions for <filename>/etc/lilo.conf</filename> grant read and write permissions to root, and enable read-only access for <filename>lilo.conf</filename>'s group, root."
msgstr ""

msgid "If you use GRUB instead of LILO, edit <filename>/boot/grub/menu.lst</filename> and add the following two lines at the top (substituting, of course <userinput>hackme</userinput> with the desired password). This prevents users from editing the boot items. <userinput>timeout 3</userinput> specifies a 3 second delay before <command>grub</command> boots the default item."
msgstr ""

msgid ""
"\n"
"  timeout 3\n"
"  password hackme"
msgstr ""

msgid "To further harden the integrity of the password, you may store the password in an encrypted form. The utility <command>grub-md5-crypt</command> generates a hashed password which is compatible with GRUB's encrypted password algorithm (MD5). To specify in <command>grub</command> that an MD5 format password will be used, use the following directive:"
msgstr ""

msgid ""
"\n"
"  timeout 3\n"
"  password --md5 $1$bw0ez$tljnxxKLfMzmnDVaQWgjP0"
msgstr ""

msgid "The --md5 parameter was added to instruct <command>grub</command> to perform the MD5 authentication process. The provided password is the MD5 encrypted version of hackme. Using the MD5 password method is preferable to choosing its clear-text counterpart. More information about <command>grub</command> passwords may be found in the <application>grub-doc</application> package."
msgstr ""

msgid "Disable root prompt on the initramfs"
msgstr ""

msgid "Note: This applies to the default kernels provided for releases after Debian 3.1"
msgstr ""

msgid "Linux 2.6 kernels provide a way to access a root shell while booting which will be presented during loading the initramfs on error. This is helpful to permit the administrator to enter a rescue shell with root permissions. This shell can be used to manually load modules when autodetection fails. This behavior is the default for <command>initramfs-tools</command> generated initramfs. The following message will appear:"
msgstr ""

msgid "\n"
"  \"ALERT!  /dev/sda1 does not exist.  Dropping to a shell!"
msgstr ""

msgid "In order to remove this behavior you need to set the following boot argument:<emphasis>panic=0</emphasis>. Add this to the variable <varname>GRUB_CMDLINE_LINUX</varname> in <filename>/etc/default/grub</filename> and issue <command>update-grub</command> or to the append section of <filename>/etc/lilo.conf</filename>."
msgstr ""

msgid "Remove root prompt on the kernel"
msgstr ""

msgid "Note: This does not apply to the kernels provided for Debian 3.1 as the timeout for the kernel delay has been changed to 0."
msgstr ""

msgid "Linux 2.4 kernels provide a way to access a root shell while booting which will be presented just after loading the cramfs file system. A message will appear to permit the administrator to enter an executable shell with root permissions, this shell can be used to manually load modules when autodetection fails. This behavior is the default for <command>initrd</command>'s <filename>linuxrc</filename>. The following message will appear:"
msgstr ""

msgid "\n"
"  Press ENTER to obtain a shell (waits 5 seconds)"
msgstr ""

msgid "In order to remove this behavior you need to change <filename>/etc/mkinitrd/mkinitrd.conf</filename> and set:"
msgstr ""

msgid ""
"\n"
"  # DELAY  The  number  of seconds the linuxrc script should wait to\n"
"  # allow the user to interrupt it before the system is brought up\n"
"  DELAY=0"
msgstr ""

msgid "Then regenerate your ramdisk image. You can do this for example with:"
msgstr ""

msgid ""
"\n"
"  # cd /boot\n"
"  # mkinitrd -o initrd.img-2.4.18-k7 /lib/modules/2.4.18-k7"
msgstr ""

msgid "or (preferred):"
msgstr ""

msgid "\n"
"  # dpkg-reconfigure -plow kernel-image-2.4.x-yz"
msgstr ""

msgid "Restricting console login access"
msgstr ""

msgid "Some security policies might force administrators to log in to the system through the console with their user/password and then become superuser (with <command>su</command> or <command>sudo</command>). This policy is implemented in Debian by editing the <filename>/etc/pam.d/login</filename> and the <filename>/etc/securetty</filename> when using PAM:"
msgstr ""

msgid "<filename>/etc/pam.d/login</filename> In older Debian releases you would need to edit <filename>login.defs</filename>, and use the CONSOLE variable which defines a file or list of terminals on which root logins are allowed. enables the pam_securetty.so module. This module, when properly configured will not ask for a password when the root user tries to login on an insecure console, rejecting access as this user."
msgstr ""

msgid "<filename>securetty</filename> The <filename>/etc/securetty</filename> is a configuration file that belongs to the <application>login</application> package. by adding/removing the terminals to which root access will be allowed. If you wish to allow only local console access then you need <emphasis>console</emphasis>, <emphasis>ttyX</emphasis> Or <emphasis>ttyvX</emphasis> in GNU/FreeBSD, and <emphasis>ttyE0</emphasis> in GNU/KNetBSD. and <emphasis>vc/X</emphasis> (if using <emphasis>devfs</emphasis> devices), you might want to add also <emphasis>ttySX</emphasis> Or <emphasis>comX</emphasis> in GNU/Hurd, <emphasis>cuaaX</emphasis> in GNU/FreeBSD, and <emphasis>ttyXX</emphasis> in GNU/KNetBSD. if you are using a serial console for local access (where X is an integer, you might want to have multiple instances. The default configuration for <emphasis>Wheezy</emphasis> The default configuration in <emphasis>woody</emphasis> includes 12 local tty and vc consoles, as well as the <emphasis>console</emphasis> device but does not allow remote logins. In <emphasis>sarge</emphasis> the default configuration provides 64 consoles for tty and vc consoles. includes many tty devices, serial ports, vc consoles as well as the X server and the <emphasis>console</emphasis> device. You can safely adjust this if you are not using that many consoles. You can confirm the virtual consoles and the tty devices you have by reviewing <filename>/etc/inittab</filename> Look for the <emphasis>getty</emphasis> calls. . For more information on terminal devices read the <ulink url=\"http://tldp.org/HOWTO/Text-Terminal-HOWTO-6.html\">Text-Terminal-HOWTO </ulink>"
msgstr ""

msgid "When using PAM, other changes to the login process, which might include restrictions to users and groups at given times, can be configured in <filename>/etc/pam.d/login</filename>. An interesting feature that can be disabled is the possibility to login with null (blank) passwords. This feature can be limited by removing <emphasis>nullok</emphasis> from the line:"
msgstr ""

msgid "\n"
"  auth       required   pam_unix.so nullok"
msgstr ""

msgid "Restricting system reboots through the console"
msgstr ""

msgid "If your system has a keyboard attached to it anyone (yes <emphasis>anyone</emphasis>) with physical access to the system can reboot the system through it without login in just pressing the <emphasis>Ctrl+Alt+Delete</emphasis> keyboard combination, also known as the <emphasis>three finger salute</emphasis>. This might, or might not, adhere to your security policy."
msgstr ""

msgid "This is aggravated in environments in which the operating system is running virtualised. In these environments, the possibility extends to users that have access to the virtual console (which might be accessed over the network). Also note that, in these environments, this keyboard combination is used constantly (to open a login shell in some GUI operating systems) and an administrator might <emphasis>virtually</emphasis> send it and force a system reboot."
msgstr ""

msgid "There are two ways to restrict this:"
msgstr ""

msgid "configure it so that only <emphasis>allowed</emphasis> users can reboot the system,"
msgstr ""

msgid "disable this feature completely."
msgstr ""

msgid "If you want to restrict this, you must check the <filename>/etc/inittab</filename> so that the line that includes <userinput>ctrlaltdel</userinput> calls <command>shutdown</command> with the <userinput>-a</userinput> switch."
msgstr ""

msgid "The default in Debian includes this switch:"
msgstr ""

msgid "\n"
"  ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now"
msgstr ""

msgid "The <userinput>-a</userinput> switch, as the <citerefentry><refentrytitle>shutdown</refentrytitle><manvolnum>8</manvolnum></citerefentry> manpage describes,makes it possible to allow <emphasis>some</emphasis> users to shutdown the system. For this the file <filename>/etc/shutdown.allow</filename> must be created and the administrator has to include there the name of users which can boot the system. When the <emphasis>three finger salute</emphasis> combination is pressed in a console the program will check if any of the users listed in the file are logged in. If none of them is, <command>shutdown</command> will <emphasis>not</emphasis> reboot the system."
msgstr ""

msgid "If you want to disable the Ctrl+Alt+Del combination you just need to comment the line with the <emphasis>ctrlaltdel</emphasis> definition in the <filename>/etc/inittab</filename>."
msgstr ""

msgid "Remember to run <userinput>init q</userinput> after making any changes to the <filename>/etc/inittab</filename> file for the changes to take effect."
msgstr ""

msgid "Restricting the use of the Magic SysRq key"
msgstr ""

msgid "The <emphasis>Magic SysRq key</emphasis> is a key combination that allows users connected to the system console of a Linux kernel to perform some low-level commands. These low-level commands are sent by pressing simultaneously <emphasis>Alt+SysRq</emphasis> and a command key. The SysRq key in many keyboards is labeled as the <emphasis>Print Screen</emphasis> key."
msgstr ""

msgid "Since the Etch release, the Magic SysRq key feature is enabled in the Linux kernel to allow console users certain privileges. You can confirm this by checking if the <filename>/proc/sys/kernel/sysrq</filename> exists and reviewing its value:"
msgstr ""

msgid ""
"\n"
"$ cat /proc/sys/kernel/sysrq \n"
"438"
msgstr ""

msgid "The default value shown above allows all of the SysRq functions except for the possibility of sending signals to processes. For example, it allow users connected to the console to remount all systems read-only, reboot the system or cause a kernel panic. In all the features are enabled, or in older kernels (earlier than 2.6.12) the value will be just 1."
msgstr ""

msgid "You should disable this functionality ifaccess to the console is not restricted to authorised users: the console is connected to a modem line, there is easy physical access to the system or it is running in a virtualised environment and other users access the console. To do this edit the <filename>/etc/sysctl.conf</filename> and add the following lines:"
msgstr ""

msgid ""
"\n"
"# Disables the magic SysRq key\n"
"kernel.sysrq = 0"
msgstr ""

msgid "For more information, read <ulink url=\"http://tldp.org/HOWTO/Remote-Serial-Console-HOWTO/security-sysrq.html\">security chapter in the Remote Serial Console HOWTO</ulink>, <ulink url=\"http://kernel.org/doc/Documentation/sysrq.txt\">Kernel SysRQ documentation</ulink>. and the <ulink url=\"http://en.wikipedia.org/wiki/Magic_SysRq_key\">Magic_SysRq_key wikipedia entry</ulink>."
msgstr ""

msgid "Mounting partitions the right way"
msgstr ""

msgid "When mounting an <literal>Ext</literal> file system (<literal>ext2</literal>, <literal>ext3</literal> or <literal>ext4</literal>), there are several additional options you can apply to the mount call or to <filename>/etc/fstab</filename>. For instance, this is my fstab entry for the <filename>/tmp</filename> partition:"
msgstr ""

msgid "\n"
"  /dev/hda7    /tmp    ext2    defaults,nosuid,noexec,nodev    0    2"
msgstr ""

msgid "You see the difference in the options sections. The option <literal>nosuid</literal> ignores the setuid and setgid bits completely, while <literal>noexec</literal> forbids execution of any program on that mount point, and <literal>nodev</literal> ignores device files. This sounds great, but it:"
msgstr ""

msgid "only applies to <literal>ext2</literal> or <literal>ext3</literal> file systems"
msgstr ""

msgid "can be circumvented easily"
msgstr ""

msgid "The <literal>noexec</literal> option prevents binaries from being executed directly, but was easily circumvented in earlier versions of the kernel:"
msgstr ""

msgid ""
"\n"
"  alex@joker:/tmp# mount | grep tmp\n"
"  /dev/hda7 on /tmp type ext2 (rw,noexec,nosuid,nodev)\n"
"  alex@joker:/tmp# ./date\n"
"  bash: ./date: Permission denied\n"
"  alex@joker:/tmp# /lib/ld-linux.so.2 ./date\n"
"  Sun Dec  3 17:49:23 CET 2000"
msgstr ""

msgid "Newer versions of the kernel do however handle the <literal>noexec</literal> flag properly:"
msgstr ""

msgid ""
"\n"
"  angrist:/tmp# mount | grep /tmp\n"
"  /dev/hda3 on /tmp type ext3 (rw,noexec,nosuid,nodev)\n"
"  angrist:/tmp# ./date\n"
"  bash: ./tmp: Permission denied \n"
"  angrist:/tmp# /lib/ld-linux.so.2 ./date \n"
"  ./date: error while loading shared libraries: ./date: failed to map segment \n"
"  from shared object: Operation not permitted"
msgstr ""

msgid "However, many script kiddies have exploits which try to create and execute files in <filename>/tmp</filename>. If they do not have a clue, they will fall into this pit. In other words, a user cannot be tricked into executing a trojanized binary in <filename>/tmp</filename> e.g. when <filename>/tmp</filename> is accidentally added into the local PATH."
msgstr ""

msgid "Also be forewarned, some script might depend on <filename>/tmp</filename> being executable. Most notably, Debconf has (had?) some issues regarding this, for more information see <ulink name=\"Debian Bug nº116448\" url=\"http://bugs.debian.org/116448\" />."
msgstr ""

msgid "The following is a more thorough example. A note, though: <filename>/var</filename> could be set noexec, but some software <footnote><para>Some of this includes the package manager <application>dpkg</application> since the installation (post,pre) and removal (post,pre) scripts are at <filename>/var/lib/dpkg/</filename> and Smartlist</para></footnote> keeps its programs under in <filename>/var</filename>. The same applies to the nosuid option."
msgstr ""

msgid ""
"\n"
"/dev/sda6   /usr          ext3    defaults,ro,nodev       0       2\n"
"/dev/sda12  /usr/share    ext3    defaults,ro,nodev,nosuid        0       2\n"
"/dev/sda7   /var          ext3    defaults,nodev,usrquota,grpquota 0      2\n"
"/dev/sda8   /tmp          ext3    defaults,nodev,nosuid,noexec,usrquota,grpquota    0       2\n"
"/dev/sda9   /var/tmp      ext3    defaults,nodev,nosuid,noexec,usrquota,grpquota    0       2\n"
"/dev/sda10  /var/log      ext3    defaults,nodev,nosuid,noexec    0       2\n"
"/dev/sda11  /var/account  ext3    defaults,nodev,nosuid,noexec    0       2\n"
"/dev/sda13  /home         ext3    rw,nosuid,nodev,exec,auto,nouser,async,usrquota,grpquota                0       2\n"
"/dev/fd0    /mnt/fd0      ext3    defaults,users,nodev,nosuid,noexec      0       0\n"
"/dev/fd0    /mnt/floppy   vfat    defaults,users,nodev,nosuid,noexec      0       0\n"
"/dev/hda    /mnt/cdrom    iso9660 ro,users,nodev,nosuid,noexec            0       0"
msgstr ""

msgid "Setting <filename>/tmp</filename> noexec"
msgstr ""

msgid "Be careful if setting <filename>/tmp</filename> noexec when you want to install new software, since some programs might use it for installation. <application>apt</application> is one such program (see <ulink name=\"Debian Bug nº116448\" url=\"http://bugs.debian.org/116448\" />) if not configured properly <varname>APT::ExtractTemplates::TempDir</varname> (see <citerefentry><refentrytitle>apt-extracttemplates</refentrytitle><manvolnum>1</manvolnum></citerefentry>). You can set this variable in <filename>/etc/apt/apt.conf</filename> to another directory with exec privileges other than <filename>/tmp</filename>."
msgstr ""

msgid "Setting /usr read-only"
msgstr ""

msgid "If you set <filename>/usr</filename> read-only you will not be able to install new packages on your Debian GNU/Linux system. You will have to first remount it read-write, install the packages and then remount it read-only. <application>apt</application> can be configured to run commands before and after installing packages, so you might want to configure it properly."
msgstr ""

msgid "To do this modify <filename>/etc/apt/apt.conf</filename> and add:"
msgstr ""

msgid ""
"\n"
"  DPkg\n"
"  {\n"
"      Pre-Invoke  { \"mount /usr -o remount,rw\" };\n"
"      Post-Invoke { \"mount /usr -o remount,ro\" };\n"
"  };"
msgstr ""

msgid "Note that the Post-Invoke may fail with a \"/usr busy\" error message. This happens mainly when you are using files during the update that got updated. You can find these programs by running"
msgstr ""

msgid "\n"
"# lsof +L1"
msgstr ""

msgid "Stop or restart these programs and run the Post-Invoke manually. <emphasis>Beware!</emphasis> This means you'll likely need to restart your X session (if you're running one) every time you do a major upgrade of your system. You might want to reconsider whether a read-only <filename>/usr</filename> is suitable for your system. See also this <ulink url=\"http://lists.debian.org/debian-devel/2001/11/threads.html#00212\"> discussion on debian-devel about read-only</ulink>."
msgstr ""

msgid "Providing secure user access"
msgstr ""

msgid "User authentication: PAM"
msgstr ""

msgid "PAM (Pluggable Authentication Modules) allows system administrators to choose how applications authenticate users. Note that PAM can do nothing unless an application is compiled with support for PAM. Most of the applications that are shipped with Debian have this support built in (Debian did not have PAM support before 2.2). The current default configuration for any PAM-enabled service is to emulate UNIX authentication (read <filename>/usr/share/doc/libpam0g/Debian-PAM-MiniPolicy.gz</filename> for more information on how PAM services <emphasis>should</emphasis> work in Debian)."
msgstr ""

msgid "Each application with PAM support provides a configuration file in <filename>/etc/pam.d/</filename> which can be used to modify its behavior:"
msgstr ""

msgid "what backend is used for authentication."
msgstr ""

msgid "what backend is used for sessions."
msgstr ""

msgid "how do password checks behave."
msgstr ""

msgid "The following description is far from complete, for more information you might want to read the <ulink url=\"http://www.linux-pam.org/Linux-PAM-html/\"> Linux-PAM Guides</ulink> as a reference. This documentation is available in the system if you install the <application>libpam-doc</application> at <filename>/usr/share/doc/libpam-doc/html/</filename>."
msgstr ""

msgid "PAM offers you the possibility to go through several authentication steps at once, without the user's knowledge. You could authenticate against a Berkeley database and against the normal <filename>passwd</filename> file, and the user only logs in if the authentication succeeds in both. You can restrict a lot with PAM, just as you can open your system doors very wide. So be careful. A typical configuration line has a control field as its second element. Generally it should be set to <literal>requisite</literal>, which returns a login failure if one module fails."
msgstr ""

msgid "Password security in PAM"
msgstr ""

msgid "Review the <filename>/etc/pam.d/common-password</filename>, included by <filename>/etc/pam.d/passwd</filename> <footnote><para>In old Debian releases the configuration of the modules was defined directly in <filename>/etc/pam.d/passwd</filename>.</para></footnote> This file is included by other files in <filename>/etc/pam.d/</filename> to define the behaviour of password use in subsystems that grant access to services in the machine, like the console login (<application>login</application>), graphical login managers (such as <application>gdm</application> or <application>lightdm</application>), and remote login (such as <application>sshd</application>). This definition is"
msgstr ""

msgid "You have to make sure that the pam_unix.so module uses the \"sha512\" option to use encrypted passwords. This is the default in Debian Squeeze."
msgstr ""

msgid "The line with the definition of the pam_unix module will look something like:"
msgstr ""

msgid ""
"\n"
"  password   [success=1 default=ignore]      pam_unix.so nullok obscure minlen=8 sha512 \n"
"  "
msgstr ""

msgid "This definition:"
msgstr ""

msgid "Enforces password encryption when storing passwords, using the SHA-512 hash function (option <emphasis>sha512</emphasis>),"
msgstr ""

msgid "Enables password complexity checks (option <emphasis>obscure</emphasis>) as defined in the <citerefentry><refentrytitle>pam_unix</refentrytitle><manvolnum>8</manvolnum></citerefentry> manpage,"
msgstr ""

msgid "Imposes a minimum password length (option <emphasis>min</emphasis>) of 8."
msgstr ""

msgid "You have to ensure that encrypted passwords are used in PAM applications, since this helps protect against dictionary cracks. Using encryption also makes it possible to use passwords longer than 8 characters."
msgstr ""

msgid "Since this module is also used to define how passwords are changed (it is included by <command>chpasswd</command>) you can strengthen the password security in the system by installing <application>libpam-cracklib</application> and introducing this definition in the <filename>/etc/pam.d/common-password</filename> configuration file:"
msgstr ""

msgid ""
"\n"
"  # Be sure to install libpam-cracklib first or you will not be able to log in\n"
"  password   required     pam_cracklib.so retry=3 minlen=12 difok=3\n"
"  password   [success=1 default=ignore]      pam_unix.so obscure minlen=8 sha512 use_authok"
msgstr ""

msgid "So, what does this incantation do? The first line loads the cracklib PAM module, which provides password strength-checking, prompts for a new password with a minimum size <footnote><para>The minlen option is not entirely straightforward and is not exactly the number of characters in the password. A tradeoff can be defined between complexity and length by adjusting the \"credit\" parameters of different character classes. For more information read the <citerefentry><refentrytitle>pam_cracklib</refentrytitle><manvolnum>8</manvolnum></citerefentry> manpage.</para></footnote> of 12 characters, and difference of at least 3 characters from the old password, and allows 3 retries. Cracklib depends on a wordlist package (such as <application>wenglish</application>, <application>wspanish</application>, <application>wbritish</application>, ...), so make sure you install one that is appropriate for your language or cracklib might not be useful to you at all."
msgstr ""

msgid "The second line (using the pam_unix.so module) is the default configuration in Debian, as described above, save for the <emphasis>use_authok</emphasis> option. The <emphasis>use_authok</emphasis> option is required if pam_unix.so is stacked after pam_cracklib.so, and is used to hand over the password from the previous module. Otherwise, the user would be prompted for the password twice."
msgstr ""

msgid "For more information about setting up Cracklib, read the <citerefentry><refentrytitle>pam_cracklib</refentrytitle><manvolnum>8</manvolnum></citerefentry> manpage and the article <ulink url=\"http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html\">Linux Password Security with pam_cracklib</ulink> by Hal Pomeranz."
msgstr ""

msgid "By enabling the cracklib PAM module you setup a policy that forces uses to use strong passwords."
msgstr ""

msgid "Alternatively, you can setup and configure PAM modules to use double factor authentication such as: <application>libpam-barada</application>, <application>libpam-google-authenticator</application>, <application>libpam-oath</application>, <application>libpam-otpw</application>, <application>libpam-poldi</application>, <application>libpam-usb</application> or <application>libpam-yubico</application>. The configuration of these modules would make it possible to access the system using external authentication mechanisms such as smartcards, external USB keys, or One-Time-Passwords generated by external applications running, for example, in the user's mobile phone."
msgstr ""

msgid "Please note that these restrictions apply to all users but <emphasis>not</emphasis> to the password changes done by the root user. The root user will be able to set up any password (any length or complexity) for personal use or others regardless of the restrictions defined here."
msgstr ""

msgid "User access control in PAM"
msgstr ""

msgid "To make sure that the user root can only log into the system from local terminals, the following line should be enabled in <filename>/etc/pam.d/login</filename>:"
msgstr ""

msgid "\n"
"  auth     requisite  pam_securetty.so"
msgstr ""

msgid "Then you should modify the list of terminals on which direct root login is allowed in <filename>/etc/securetty</filename> (as described in <xref linkend=\"restrict-console-login\" />). Alternatively, you could enable the <application>pam_access</application> module and modify <filename>/etc/security/access.conf</filename> which allows for a more general and fine-tuned access control, but (unfortunately) lacks decent log messages (logging within PAM is not standardized and is particularly unrewarding problem to deal with). We'll return to <filename>access.conf</filename> a little later."
msgstr ""

msgid "User limits in PAM"
msgstr ""

msgid "The following line should be enabled in <filename>/etc/pam.d/login</filename> to set up user resource limits."
msgstr ""

msgid "\n"
"  session  required   pam_limits.so"
msgstr ""

msgid "This restricts the system resources that users are allowed (see below in <xref linkend=\"user-limits\" />). For example, you could restrict the number of concurrent logins (of a given group of users, or system-wide), number of processes, memory size etc."
msgstr ""

msgid "Control of su in PAM"
msgstr ""

msgid "If you want to protect <command>su</command>, so that only some people can use it to become root on your system, you need to add a new group \"wheel\" to your system (that is the cleanest way, since no file has such a group permission yet). Add root and the other users that should be able to <command>su</command> to the root user to this group. Then add the following line to <filename>/etc/pam.d/su</filename>:"
msgstr ""

msgid "\n"
"  auth        requisite   pam_wheel.so group=wheel debug"
msgstr ""

msgid "This makes sure that only people from the group \"wheel\" can use <command>su</command> to become root. Other users will not be able to become root. In fact they will get a denied message if they try to become root."
msgstr ""

msgid "If you want only certain users to authenticate at a PAM service, this is quite easy to achieve by using files where the users who are allowed to login (or not) are stored. Imagine you only want to allow users 'ref' to log in via <command>ssh</command>. So you put them into <filename>/etc/sshusers-allowed</filename> and write the following into <filename>/etc/pam.d/ssh</filename>:"
msgstr ""

msgid "\n"
"  auth        required    pam_listfile.so item=user sense=allow file=/etc/sshusers-allowed onerr=fail"
msgstr ""

msgid "Temporary directories in PAM"
msgstr ""

msgid "Since there have been a number of so called insecure tempfile vulnerabilities, thttpd is one example (see <ulink url=\"http://www.debian.org/security/2005/dsa-883\">DSA-883-1</ulink>), the <application>libpam-tmpdir</application> is a good package to install. All you have to do is add the following to <filename>/etc/pam.d/common-session</filename>:"
msgstr ""

msgid "\n"
" session    optional     pam_tmpdir.so"
msgstr ""

msgid "There has also been a discussion about adding this by default in Debian configuration, but it s. See <ulink url=\"http://lists.debian.org/debian-devel/2005/11/msg00297.html\" /> for more information."
msgstr ""

msgid "Configuration for undefined PAM applications"
msgstr ""

msgid "Finally, but not least, create <filename>/etc/pam.d/other</filename> and enter the following lines:"
msgstr ""

msgid ""
"\n"
"  auth     required       pam_securetty.so\n"
"  auth     required       pam_unix_auth.so\n"
"  auth     required       pam_warn.so\n"
"  auth     required       pam_deny.so\n"
"  account  required       pam_unix_acct.so\n"
"  account  required       pam_warn.so\n"
"  account  required       pam_deny.so\n"
"  password required       pam_unix_passwd.so\n"
"  password required       pam_warn.so\n"
"  password required       pam_deny.so\n"
"  session  required       pam_unix_session.so\n"
"  session  required       pam_warn.so\n"
"  session  required       pam_deny.so"
msgstr ""

msgid "These lines will provide a good default configuration for all applications that support PAM (access is denied by default)."
msgstr ""

msgid "Limiting resource usage: the <filename>limits.conf</filename> file"
msgstr ""

msgid "You should really take a serious look into this file. Here you can define user resource limits. In old releases this configuration file was <filename>/etc/limits.conf</filename>, but in newer releases (with PAM) the <filename>/etc/security/limits.conf</filename> configuration file should be used instead."
msgstr ""

msgid "If you do not restrict resource usage, <emphasis>any</emphasis> user with a valid shell in your system (or even an intruder who compromised the system through a service or a daemon going awry) can use up as much CPU, memory, stack, etc. as the system can provide. This <emphasis>resource exhaustion</emphasis> problem can be fixed by the use of PAM."
msgstr ""

msgid "There is a way to add resource limits to some shells (for example, <command>bash</command> has <command>ulimit</command>, see <citerefentry><refentrytitle>bash</refentrytitle><manvolnum>1</manvolnum></citerefentry>), but since not all of them provide the same limits and since the user can change shells (see <citerefentry><refentrytitle>chsh</refentrytitle><manvolnum>1</manvolnum></citerefentry>) it is better to place the limits on the PAM modules as they will apply regardless of the shell used and will also apply to PAM modules that are not shell-oriented."
msgstr ""

msgid "Resource limits are imposed by the kernel, but they need to be configured through the <filename>limits.conf</filename> and the PAM configuration of the different services need to load the appropriate PAM. You can check which services are enforcing limits by running:"
msgstr ""

msgid "\n"
"$ find /etc/pam.d/ \\! -name \"*.dpkg*\" | xargs -- grep limits |grep -v \":#\""
msgstr ""

msgid "Commonly, <filename>login</filename>, <filename>ssh</filename> and the graphic session managers (<filename>gdm</filename>, <filename>kdm</filename> or <filename>xdm</filename>) should enforce user limits but you might want to do this in other PAM configuration files, such as <filename>cron</filename>, to prevent system daemons from taking over all system resources."
msgstr ""

msgid "The specific limits settings you might want to enforce depend on your system's resources, that's one of the main reasons why no limits are enforced in the default installation."
msgstr ""

msgid "For example, the configuration example below enforces a 100 process limit for all users (to prevent <emphasis>fork bombs</emphasis>) as well as a limit of 10MB of memory per process and a limit of 10 simultaneous logins. Users in the <literal>adm</literal> group have higher limits and can produce core files if they want to (there is only a <emphasis>soft</emphasis> limit)."
msgstr ""

msgid ""
"\n"
"*              soft    core            0\n"
"*              hard    core            0\n"
"*              hard    rss             1000\n"
"*              hard    memlock         1000\n"
"*              hard    nproc           100\n"
"*              -       maxlogins       1\n"
"*              hard    data            102400\n"
"*              hard    fsize           2048\n"
"@adm           hard    core            100000\n"
"@adm           hard    rss             100000\n"
"@adm           soft    nproc           2000\n"
"@adm           hard    nproc           3000\n"
"@adm           hard    fsize           100000\n"
"@adm           -       maxlogins       10"
msgstr ""

msgid "These would be the limits a default user (including system daemons) would have:"
msgstr ""

msgid ""
"\n"
"$ ulimit -a\n"
"core file size        (blocks, -c) 0\n"
"data seg size         (kbytes, -d) 102400\n"
"file size             (blocks, -f) 2048\n"
"max locked memory     (kbytes, -l) 10000\n"
"max memory size       (kbytes, -m) 10000\n"
"open files                    (-n) 1024\n"
"pipe size          (512 bytes, -p) 8\n"
"stack size            (kbytes, -s) 8192\n"
"cpu time             (seconds, -t) unlimited\n"
"max user processes            (-u) 100\n"
"virtual memory        (kbytes, -v) unlimited"
msgstr ""

msgid "And these are the limits for an administrative user:"
msgstr ""

msgid ""
"\n"
"$ ulimit -a\n"
"core file size        (blocks, -c) 0\n"
"data seg size         (kbytes, -d) 102400\n"
"file size             (blocks, -f) 100000\n"
"max locked memory     (kbytes, -l) 100000\n"
"max memory size       (kbytes, -m) 100000\n"
"open files                    (-n) 1024\n"
"pipe size          (512 bytes, -p) 8\n"
"stack size            (kbytes, -s) 8192\n"
"cpu time             (seconds, -t) unlimited\n"
"max user processes            (-u) 2000\n"
"virtual memory        (kbytes, -v) unlimited"
msgstr ""

msgid "For more information read:"
msgstr ""

msgid "<ulink url=\"http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-6.html\"> PAM reference guide for available modules</ulink>"
msgstr ""

msgid "<ulink url=\"http://www.samag.com/documents/s=1161/sam0009a/0009a.htm\">PAM configuration article</ulink>."
msgstr ""

msgid "<ulink url=\"http://seifried.org/security/os/linux/20020324-securing-linux-step-by-step.html\"> Seifried's Securing Linux Step by Step</ulink> on the <emphasis>Limiting users overview</emphasis> section."
msgstr ""

msgid "<ulink url=\"http://seifried.org/lasg/users/\">LASG</ulink> in the <emphasis>Limiting and monitoring users</emphasis> section."
msgstr ""

msgid "User login actions: edit <filename>/etc/login.defs</filename>"
msgstr ""

msgid "The next step is to edit the basic configuration and action upon user login. Note that this file is not part of the PAM configuration, it's a configuration file honored by <application>login</application> and <command>su</command> programs, so it doesn't make sense tuning it for cases where neither of the two programs are at least indirectly called (the <command>getty</command> program which sits on the consoles and offers the initial login prompt <emphasis>does</emphasis> invoke <command>login</command>)."
msgstr ""

msgid "\n"
"  FAILLOG_ENAB        yes"
msgstr ""

msgid "If you enable this variable, failed logins will be logged. It is important to keep track of them to catch someone who tries a brute force attack."
msgstr ""

msgid "\n"
"  LOG_UNKFAIL_ENAB    no"
msgstr ""

msgid "If you set this variable to 'yes' it will record unknown usernames if the login failed. It is best if you use 'no' (the default) since, otherwise, user passwords might be inadvertenly logged here (if a user mistypes and they enter their password as the username). If you set it to 'yes', make sure the logs have the proper permissions (640 for example, with an appropriate group setting such as adm)."
msgstr ""

msgid "\n"
"  SYSLOG_SU_ENAB      yes"
msgstr ""

msgid "This one enables logging of <command>su</command> attempts to <filename>syslog</filename>. Quite important on serious machines but note that this can create privacy issues as well."
msgstr ""

msgid "\n"
"  SYSLOG_SG_ENAB      yes"
msgstr ""

msgid "The same as <varname>SYSLOG_SU_ENAB</varname> but applies to the <command>sg</command> program."
msgstr ""

msgid "\n"
"  ENCRYPT_METHOD  SHA512"
msgstr ""

msgid "As stated above, encrypted passwords greatly reduce the problem of dictionary attacks, since you can use longer passwords. This definition has to be consistent with the value defined in <filename>/etc/pam.d/common-password</filename>."
msgstr ""

msgid "User login actions: edit <filename>/etc/pam.d/login</filename>"
msgstr ""

msgid "You can adjust the login configuration file to implement an stricter policy. For example, you can change the default configuration and increase the delay time between login prompts. The default configuration sets a 3 seconds delay:"
msgstr ""

msgid "\n"
"auth       optional   pam_faildelay.so  delay=3000000"
msgstr ""

msgid "Increasing the <emphasis>delay</emphasis> value to a higher value to make it harder to use the terminal to log in using brute force. If a wrong password is typed in, the possible attacker (or normal user!) has to wait longer seconds to get a new login prompt, which is quite time consuming when you test passwords. For example, if you set <emphasis>delay=10000000</emphasis>, users will have to wait 10 seconds if they type a wrong password."
msgstr ""

msgid "In this file you can also set the system to present a message to users before a user logs in. The default is disabled, as shown below:"
msgstr ""

msgid "\n"
"# auth       required   pam_issue.so issue=/etc/issue"
msgstr ""

msgid "If required by your security policy, this file can be used to show a standard message indicating that access to the system is restricted and user acess is logged. This kind of disclaimer might be required in some environments and jurisdictions. To enable it, just include the relevant information in the <filename>/etc/issue</filename> <footnote><para>The default content of this file provides information about the operating system and version run by the system, which you might not want to provide to anonymous users.</para></footnote> file and uncomment the line enabling the pam_issue.so module in <filename>/etc/pam.d/login</filename>. In this file you can also enable additional features which might be relevant to apply local security policies such as:"
msgstr ""

msgid "setting rules for which users can access at which times, by enabling the <emphasis>pam_time.so</emphasis> module and configuring <filename>/etc/security/time.conf</filename> accordingly (disabled by default),"
msgstr ""

msgid "setup login sessions to use user limits as defined in <filename>/etc/security/limits.conf</filename> (enabled by default),"
msgstr ""

msgid "present the user with the information of previous login information (enabled by default),"
msgstr ""

msgid "print a message (<filename>/etc/motd</filename> and <filename>/run/motd.dynamic</filename>) to users after login in (enabled by default),"
msgstr ""

msgid "Restricting ftp: editing <filename>/etc/ftpusers</filename>"
msgstr ""

msgid "The <filename>/etc/ftpusers</filename> file contains a list of users who are not allowed to log into the host using ftp. Only use this file if you really want to allow ftp (which is not recommended in general, because it uses clear-text passwords). If your daemon supports PAM, you can also use that to allow and deny users for certain services."
msgstr ""

msgid "FIXME (BUG): Is it a bug that the default <filename>ftpusers</filename> in Debian does <emphasis>not</emphasis> include all the administrative users (in <application>base-passwd</application>)."
msgstr ""

msgid "A convenient way to add all system accounts to the <filename>/etc/ftpusers</filename> is to run"
msgstr ""

msgid "\n"
"$ awk -F : '{if ($3&lt;1000) print $1}' /etc/passwd &gt; /etc/ftpusers"
msgstr ""

msgid "Using su"
msgstr ""

msgid "If you really need users to become the super user on your system, e.g. for installing packages or adding users, you can use the command <command>su</command> to change your identity. You should try to avoid any login as user root and instead use <command>su</command>. Actually, the best solution is to remove <command>su</command> and switch to the <command>sudo</command> mechanism which has a broader logic and more features than <command>su</command>. However, <command>su</command> is more common as it is used on many other Unices."
msgstr ""

msgid "Using sudo"
msgstr ""

msgid "<command>sudo</command> allows the user to execute defined commands under another user's identity, even as root. If the user is added to <filename>/etc/sudoers</filename> and authenticates correctly, the commands defined in <filename>/etc/sudoers</filename> get enabled. Violations, such as incorrect passwords or trying to run a program you don't have permission for, are logged and mailed to root."
msgstr ""

msgid "Disallow remote administrative access"
msgstr ""

msgid "You should also modify <filename>/etc/security/access.conf</filename> to disallow remote logins to administrative accounts. This way users need to invoke <command>su</command> (or <command>sudo</command>) to use any administrative powers and the appropriate audit trace will always be generated."
msgstr ""

msgid "You need to add the following line to <filename>/etc/security/access.conf</filename>, the default Debian configuration file has a sample line commented out:"
msgstr ""

msgid "\n"
"   -:wheel:ALL EXCEPT LOCAL"
msgstr ""

msgid "Remember to enable the <application>pam_access</application> module for every service (or default configuration) in <filename>/etc/pam.d/</filename> if you want your changes to <filename>/etc/security/access.conf</filename> honored."
msgstr ""

msgid "Restricting users's access"
msgstr ""

msgid "Sometimes you might think you need to have users created in your local system in order to provide a given service (pop3 mail service or ftp). Before doing so, first remember that the PAM implementation in Debian GNU/Linux allows you to validate users with a wide variety of external directory services (radius, ldap, etc.) provided by the libpam packages."
msgstr ""

msgid "If users need to be created and the system can be accessed remotely take into account that users will be able to log in to the system. You can fix this by giving users a null (<filename>/dev/null</filename>) shell (it would need to be listed in <filename>/etc/shells</filename>). If you want to allow users to access the system but limit their movements, you can use the <filename>/bin/rbash</filename>, equivalent to adding the <literal>-r</literal> option in <command>bash</command> (<emphasis>RESTRICTED SHELL</emphasis> see <citerefentry><refentrytitle>bash</refentrytitle><manvolnum>1</manvolnum></citerefentry> ). Please note that even with restricted shell, a user that access an interactive program (that might allow execution of a subshell) could be able to bypass the limits of the shell."
msgstr ""

msgid "Debian currently provides in the unstable release (and might be included in the next stable releases) the <filename>pam_chroot</filename> module (in the <application> libpam-chroot</application>). An alternative to it is to <command>chroot</command> the service that provides remote logging (<command>ssh</command>, <command>telnet</command>). <footnote><para><application>libpam-chroot</application> has not been yet thoroughly tested, it does work for <command>login</command> but it might not be easy to set up the environment for other programs</para></footnote>"
msgstr ""

msgid "If you wish to restrict <emphasis>when</emphasis> users can access the system you will have to customize <filename>/etc/security/access.conf</filename> for your needs."
msgstr ""

msgid "Information on how to <command>chroot</command> users accessing the system through the <command>ssh</command> service is described in <xref linkend=\"chroot-ssh-env\" />."
msgstr ""

msgid "User auditing"
msgstr ""

msgid "If you are really paranoid you might want to add a system-wide configuration to audit what the users are doing in your system. This sections presents some tips using diverse utilities you can use."
msgstr ""

msgid "Input and output audit with script"
msgstr ""

msgid "You can use the <command>script</command> command to audit both what the users run and what are the results of those commands. You cannot setup <command>script</command> as a shell (even if you add it to <filename>/etc/shells</filename>). But you can have the shell initialization file run the following:"
msgstr ""

msgid ""
"\n"
"umask 077\n"
"exec script -q -a \"/var/log/sessions/$USER\""
msgstr ""

msgid "Of course, if you do this system wide it means that the shell would not continue reading personal initialization files (since the shell gets overwritten by <command>script</command>). An alternative is to do this in the user's initialization files (but then the user could remove this, see the comments about this below)"
msgstr ""

msgid "You also need to setup the files in the audit directory (in the example <filename>/var/log/sessions/</filename>) so that users can write to it but cannot remove the file. This could be done, for example, by creating the user session files in advance and setting them with the <emphasis>append-only</emphasis> flag using <command>chattr</command>."
msgstr ""

msgid "A useful alternative for sysadmins, which includes date information would be:"
msgstr ""

msgid ""
"\n"
"umask 077\n"
"exec script -q -a \"/var/log/sessions/$USER-`date +%Y%m%d`\""
msgstr ""

msgid "Using the shell history file"
msgstr ""

msgid "If you want to review what does the user type in the shell (but not what the result of that is) you can setup a system-wide <filename>/etc/profile</filename> that configures the environment so that all commands are saved into a history file. The system-wide configuration needs to be setup in such a way that users cannot remove audit capabilities from their shell. This is somewhat shell specific so make sure that all users are using a shell that supports this."
msgstr ""

msgid "For example, for bash, the <filename>/etc/profile</filename> could be set as follows <footnote><para> Setting HISTSIZE to a very large number can cause issues under some shells since the history is kept in memory for every user session. You might be safer if you set this to a high-enough value and backup user's history files (if you need all of the user's history for some reason)</para></footnote> :"
msgstr ""

msgid ""
"\n"
"  HISTFILE=~/.bash_history\n"
"  HISTSIZE=10000\n"
"  HISTFILESIZE=999999\n"
"  # Don't let the users enter commands that are ignored\n"
"  # in the history file\n"
"  HISTIGNORE=\"\"\n"
"  HISTCONTROL=\"\"\n"
"  readonly HISTFILE\n"
"  readonly HISTSIZE\n"
"  readonly HISTFILESIZE\n"
"  readonly HISTIGNORE\n"
"  readonly HISTCONTROL\n"
"  export HISTFILE HISTSIZE HISTFILESIZE HISTIGNORE HISTCONTROL"
msgstr ""

msgid "For this to work, the user can only append information to <filename>.bash_history</filename> file. You need <emphasis>also</emphasis> to set the <emphasis>append-only</emphasis> option using <command>chattr</command> program for <filename>.bash_history</filename> for all users. <footnote><para> Without the append-only flag users would be able to empty the contents of the history file running <filename> &gt; .bash_history</filename></para></footnote>."
msgstr ""

msgid "Note that you could introduce the configuration above in the user's <filename>.profile</filename>. But then you would need to setup permissions properly in such a way that prevents the user from modifying this file. This includes: having the user's home directories <emphasis>not</emphasis> belong to the user (since the user would be able to remove the file otherwise) but at the same time allow the user to read the <filename>.profile</filename> configuration file and write on the <filename>.bash_history</filename>. It would be good to set the <emphasis>immutable</emphasis> flag (also using <command>chattr</command>) for <filename>.profile</filename> too if you do it this way."
msgstr ""

msgid "Complete user audit with accounting utilities"
msgstr ""

msgid "The previous example is a simple way to configure user auditing but might be not useful for complex systems or for those in which users do not run shells at all (or exclusively). If this is your case, you need to look at <application>acct</application>, the accounting utilities. These utilities will log all the commands run by users or processes in the system, at the expense of disk space."
msgstr ""

msgid "When activating accounting, all the information on processes and users is kept under <filename>/var/account/</filename>, more specifically in the <filename>pacct</filename>. The accounting package includes some tools (<command>sa</command>, <command>ac</command> and <command>lastcomm</command>) to analyse this data."
msgstr ""

msgid "Other user auditing methods"
msgstr ""

msgid "If you are completely paranoid and want to audit every user's command, you could take <command>bash</command> source code, edit it and have it send all that the user typed into another file. Or have <application>ttysnoop</application> constantly monitor any new ttys <footnote><para>Ttys are spawned for local logins and remote logins through ssh and telnet</para></footnote> and dump the output into a file. Other useful program is <application>snoopy</application> (see also <ulink name=\"the project page\" url=\"http://sourceforge.net/projects/snoopylogger/\" />) which is a user-transparent program that hooks in as a library providing a wrapper around <varname>execve()</varname> calls, any command executed is logged to <command>syslogd</command> using the <literal>authpriv</literal> facility (usually stored at <filename>/var/log/auth.log</filename>)."
msgstr ""

msgid "Reviewing user profiles"
msgstr ""

msgid "If you want to <emphasis>see</emphasis> what users are actually doing when they logon to the system you can use the <filename>wtmp</filename> database that includes all login information. This file can be processed with several utilities, amongst them <command>sac</command> which can output a profile on each user showing in which timeframe they usually log on to the system."
msgstr ""

msgid "In case you have accounting activated, you can also use the tools provided by it in order to determine when the users access the system and what do they execute."
msgstr ""

msgid "Setting users umasks"
msgstr ""

msgid "Depending on your user policy you might want to change how information is shared between users, that is, what the default permissions of new files created by users are."
msgstr ""

msgid "Debian's default <literal>umask</literal> setting is <emphasis>022</emphasis> this means that files (and directories) can be read and accessed by the user's group and by any other users in the system. This definition is set in the standard configuration file <filename>/etc/profile</filename> which is used by all shells."
msgstr ""

msgid "If Debian's default value is too permissive for your system you will have to change the umask setting for all the shells. More restrictive umask settings include 027 (no access is allowed to new files for the <emphasis>other</emphasis> group, i.e. to other users in the system) or 077 (no access is allowed to new files to the members the user's group). Debian (by default<footnote><para>As defined in <filename>/etc/adduser.conf</filename> (USERGROUPS=yes). You can change this behaviour if you set this value to no, although it is not recommended</para></footnote>) creates one group per user so that only the user is included in its group. Consequently 027 and 077 are equivalent as the user's group contains only the user."
msgstr ""

msgid "This change is set by defining a proper <literal>umask</literal> setting for all users. You can change this by introducing an <command>umask</command> call in the shell configuration files: <filename>/etc/profile</filename> (source by all Bourne-compatible shells), <filename>/etc/csh.cshrc</filename>, <filename>/etc/csh.login</filename>, <filename>/etc/zshrc</filename> and probably some others (depending on the shells you have installed on your system). You can also change the <varname>UMASK</varname> setting in <filename>/etc/login.defs</filename>, Of all of these the last one that gets loaded by the shell takes precedence. The order is: the default system configuration for the user's shell (i.e. <filename>/etc/profile</filename> and other system-wide configuration files) and then the user's shell (his <filename>~/.profile</filename>, <filename>~/.bash_profile</filename>, etc...). Some shells, however, can be executed with a <emphasis>nologin</emphasis> value which might skip sourcing some of those files. See your shell's manpage for additional information."
msgstr ""

msgid "For connections that make use of <command>login</command> the UMASK definition in <filename>/etc/login.defs</filename> is used before any of the others. However, that value does not apply to user executed programs that do not use <command>login</command> such as those run through <command>su</command>, <command>cron</command> or <command>ssh</command>."
msgstr ""

msgid "Don't forget to review and maybe modify the dotfiles under <filename>/etc/skel/</filename> since these will be new user's defaults when created with the <command>adduser</command> command. Debian default dotfiles do not include any <command>umask</command> call but if there is any in the dotfiles newly created users might a different value."
msgstr ""

msgid "Note, however that users can modify their own <literal>umask</literal> setting if they want to, making it more permissive or more restricted, by changing their own dotfiles."
msgstr ""

msgid "The <application>libpam-umask</application> package adjusts the users' default <literal>umask</literal> using PAM. Add the following, after installing the package, to <filename>/etc/pam.d/common-session</filename>:"
msgstr ""

msgid "\n"
"session    optional     pam_umask.so umask=077"
msgstr ""

msgid "Finally, you should consider changing root's default 022 umask (as defined in <filename>/root/.bashrc</filename>) to a more strict umask. That will prevent the system administrator from inadvertenly dropping sensitive files when working as root to world-readable directories (such as <filename>/tmp</filename>) and having them available for your average user."
msgstr ""

msgid "Limiting what users can see/access"
msgstr ""

msgid "FIXME: Content needed. Describe the consequences of changing packages permissions when upgrading (an admin this paranoid should <command>chroot</command> his users BTW) if not using <command>dpkg-statoverride</command>."
msgstr ""

msgid "If you need to grant users access to the system with a shell think about it very carefully. A user can, by default unless in a severely restricted environment (like a <literal>chroot</literal> jail), retrieve quite a lot of information from your system including:"
msgstr ""

msgid "some configuration files in <filename>/etc</filename>. However, Debian's default permissions for some sensitive files (which might, for example, contain passwords), will prevent access to critical information. To see which files are only accessible by the root user for example"
msgstr ""

msgid "<userinput>find /etc -type f -a -perm 600 -a -uid 0</userinput>"
msgstr ""

msgid "as superuser."
msgstr ""

msgid "your installed packages, either by looking at the package database, at the <filename>/usr/share/doc</filename> directory or by guessing by looking at the binaries and libraries installed in your system."
msgstr ""

msgid "some log files at <filename>/var/log</filename>. Note also that some log files are only accessible to root and the <literal>adm</literal> group (try"
msgstr ""

msgid "<userinput>find /var/log -type f -a -perm 640</userinput>"
msgstr ""

msgid ") and some are even only available to the root user (try"
msgstr ""

msgid "<userinput>find /var/log -type f -a -perm\n"
"    600 -a -uid 0</userinput>"
msgstr ""

msgid ")."
msgstr ""

msgid "What can a user see in your system? Probably quite a lot of things, try this (take a deep breath):"
msgstr ""

msgid ""
"\n"
"  find / -type f -a -perm +006 2&gt;/dev/null  \n"
"  find / -type d -a -perm +007 2&gt;/dev/null  "
msgstr ""

msgid "The output is the list of files that a user can <emphasis>see</emphasis> and the accessable directories."
msgstr ""

msgid "Limiting access to other user's information"
msgstr ""

msgid "If you still grant shell access to users you might want to limit what information they can view from other users. Users with shell access have a tendency to create quite a number of files under their $HOMEs: mailboxes, personal documents, configuration of X/GNOME/KDE applications..."
msgstr ""

msgid "In Debian each user is created with one associated group, and no two users belong to the same group. This is the default behavior: when an user account is created, a group of the same name is created too, and the user is assigned to it. This avoids the concept of a common <emphasis>users</emphasis> group which might make it more difficult for users to hide information from other users."
msgstr ""

msgid "However, users' <varname>$HOME</varname> directories are created with 0755 permissions (group-readable and world-readable). The group permissions is not an issue since only the user belongs to the group, however the world permissions might (or might not) be an issue depending on your local policy."
msgstr ""

msgid "You can change this behavior so that user creation provides different <varname>$HOME</varname> permissions. To change the behavior for <emphasis>new</emphasis> users when they get created, change <emphasis>DIR_MODE</emphasis> in the configuration file <filename>/etc/adduser.conf</filename> to 0750 (no world-readable access)."
msgstr ""

msgid "Users can still share information, but not directly in their <varname>$HOME</varname> directories unless they change its permissions."
msgstr ""

msgid "Note that disabling world-readable home directories will prevent users from creating their personal web pages in the <filename>~/public_html</filename> directory, since the web server will not be able to read one component in the path - namely their <varname>$HOME</varname> directory. If you want to permit users to publish HTML pages in their <filename>~/public_html</filename>, then change <emphasis>DIR_MODE</emphasis> to 0751. This will allow the web server to access the final <filename>public_html</filename> directory (which itself should have a mode of 0755) and provide the content published by users. Of course, we are only talking about a default configuration here; users can generally tune modes of their own files completely to their liking, or you could keep content intended for the web in a separate location which is not a subdirectory of user's <varname>$HOME</varname> directory."
msgstr ""

msgid "Generating user passwords"
msgstr ""

msgid "There are many cases when an administrator needs to create many user accounts and provide passwords for all of them. Of course, the administrator could easily just set the password to be the same as the user's account name, but that would not be very sensitive security-wise. A better approach is to use a password generating program. Debian provides <application>makepasswd</application>, <application>apg</application> and <application>pwgen</application> packages which provide programs (the name is the same as the package) that can be used for this purpose. <command>Makepasswd</command> will generate true random passwords with an emphasis on security over pronounceability while <command>pwgen</command> will try to make meaningless but pronounceable passwords (of course this might depend on your mother language). <command>Apg</command> has algorithms to provide for both (there is a client/server version for this program but it is not included in the Debian package)."
msgstr ""

msgid "<command>Passwd</command> does not allow non-interactive assignation of passwords (since it uses direct tty access). If you want to change passwords when creating a large number of users you can create them using <command>adduser</command> with the <literal>--disabled-login</literal> option and then use <command>usermod</command> or <command>chpasswd</command> <footnote><para> <command>Chpasswd</command> cannot handle MD5 password generation so it needs to be given the password in encrypted form before using it, with the <screen><userinput>-e</userinput></screen> option. </para></footnote> (both from the <application>passwd</application> package so you already have them installed). If you want to use a file with all the information to make users as a batch process you might be better off using <command>newusers</command>."
msgstr ""

msgid "Checking user passwords"
msgstr ""

msgid "User passwords can sometimes become the <emphasis>weakest link</emphasis> in the security of a given system. This is due to some users choosing weak passwords for their accounts (and the more of them that have access to it the greater the chances of this happening). Even if you established checks with the cracklib PAM module and password limits as described in <xref linkend=\"auth-pam\" /> users will still be able to use weak passwords. Since user access might include remote shell access (over <command>ssh</command>, hopefully) it's important to make password guessing as hard as possible for the remote attackers, especially if they were somehow able to collect important information such as usernames or even the <filename>passwd</filename> and <filename>shadow</filename> files themselves."
msgstr ""

msgid "A system administrator must, given a big number of users, check if the passwords they have are consistent with the local security policy. How to check? Try to crack them as an attacker would if having access to the hashed passwords (the <filename>/etc/shadow</filename> file)."
msgstr ""

msgid "An administrator can use <application>john</application> or <application>crack</application> (both are brute force password crackers) together with an appropriate wordlist to check users' passwords and take appropriate action when a weak password is detected. You can search for Debian GNU packages that contain word lists using <command>apt-cache search wordlist</command>, or visit the classic Internet wordlist sites such as <ulink url=\"ftp://ftp.ox.ac.uk/pub/wordlists\" /> or <ulink url=\"ftp://ftp.cerias.purdue.edu/pub/dict\" />."
msgstr ""

msgid "Logging off idle users"
msgstr ""

msgid "Idle users are usually a security problem, a user might be idle maybe because he's out to lunch or because a remote connection hung and was not re-established. For whatever the reason, idle users might lead to a compromise:"
msgstr ""

msgid "because the user's console might be unlocked and can be accessed by an intruder."
msgstr ""

msgid "because an attacker might be able to re-attach to a closed network connection and send commands to the remote shell (this is fairly easy if the remote shell is not encrypted as in the case of <command>telnet</command>)."
msgstr ""

msgid "Some remote systems have even been compromised through an idle (and detached) <command>screen</command>."
msgstr ""

msgid "Automatic disconnection of idle users is usually a part of the local security policy that must be enforced. There are several ways to do this:"
msgstr ""

msgid "If <application>bash</application> is the user shell, a system administrator can set a default <varname>TMOUT</varname> value (see <citerefentry><refentrytitle>bash</refentrytitle><manvolnum>1</manvolnum></citerefentry>) which will make the shell automatically log off remote idle users. Note that it must be set with the <literal>-o</literal> option or users will be able to change (or unset) it."
msgstr ""

msgid "Install <application>timeoutd</application> and configure <filename>/etc/timeouts</filename> according to your local security policy. The daemon will watch for idle users and time out their shells accordingly."
msgstr ""

msgid "Install <application>autolog</application> and configure it to remove idle users."
msgstr ""

msgid "The <command>timeoutd</command> or <command>autolog</command> daemons are the preferred method since, after all, users can change their default shell or can, after running their default shell, switch to another (uncontrolled) shell."
msgstr ""

msgid "Using tcpwrappers"
msgstr ""

msgid "TCP wrappers were developed when there were no real packet filters available and access control was needed. Nevertheless, they're still very interesting and useful. The TCP wrappers allow you to allow or deny a service for a host or a domain and define a default allow or deny rule (all performed on the application level). If you want more information take a look at <citerefentry><refentrytitle>hosts_access</refentrytitle> <manvolnum>5</manvolnum></citerefentry> manual page."
msgstr ""

msgid "Many services installed in Debian are either:"
msgstr ""

msgid "launched through the tcpwrapper service (<filename>tcpd</filename>)"
msgstr ""

msgid "compiled with libwrapper support built-in."
msgstr ""

msgid "On the one hand, for services configured in <filename>/etc/inetd.conf</filename> (this includes <command>telnet</command>, <command>ftp</command>, <command>netbios</command>, <command>swat</command> and <command>finger</command>) you will see that the configuration file executes <command>/usr/sbin/tcpd</command> first. On the other hand, even if a service is not launched by the <command>inetd</command> superdaemon, support for the tcp wrappers rules can be compiled into it. Services compiled with tcp wrappers in Debian include <command>ssh</command>, <command>portmap</command>, <command>in.talk</command>, <command>rpc.statd</command>, <command>rpc.mountd</command>, <command>gdm</command>, <command>oaf</command> (the GNOME activator daemon), <command>nessus</command> and many others."
msgstr ""

msgid "To see which packages use tcpwrappers <footnote><para> On older Debian releases you might need to do this: <screen> $ apt-cache showpkg libwrap0 | egrep '^[[:space:]]' | sort -u | \\ sed 's/,libwrap0$//;s/^[[:space:]]\\+//' </screen> </para></footnote> try:"
msgstr ""

msgid "\n"
"  $ apt-cache rdepends libwrap0"
msgstr ""

msgid "Take this into account when running <command>tcpdchk</command> (a very useful TCP wrappers config file rule and syntax checker). When you add stand-alone services (that are directly linked with the wrapper library) into the <filename>hosts.deny</filename> and <filename>hosts.allow</filename> files, <command>tcpdchk</command> will warn you that it is not able to find the mentioned services since it only looks for them in <filename>/etc/inetd.conf</filename> (the manpage is not totally accurate here)."
msgstr ""

msgid "Now, here comes a small trick, and probably the smallest intrusion detection system available. In general, you should have a decent firewall policy as a first line, and tcp wrappers as the second line of defense. One little trick is to set up a <varname>SPAWN</varname> <footnote><para>be sure to use uppercase here since <emphasis>spawn</emphasis> will not work</para></footnote> command in <filename>/etc/hosts.deny</filename> that sends mail to root whenever a denied service triggers wrappers:"
msgstr ""

msgid ""
"\n"
"  ALL: ALL: SPAWN ( \\\n"
"    echo -e \"\\n\\\n"
"    TCP Wrappers\\: Connection refused\\n\\\n"
"    By\\: $(uname -n)\\n\\\n"
"    Process\\: %d (pid %p)\\n\\\n"
"    User\\: %u\\n\\\n"
"    Host\\: %c\\n\\\n"
"    Date\\: $(date)\\n\\\n"
"  \" | /usr/bin/mail -s \"Connection to %d blocked\" root) &amp;"
msgstr ""

msgid "<emphasis>Beware</emphasis>: The above printed example is open to a DoS attack by making many connections in a short period of time. Many emails mean a lot of file I/O by sending only a few packets."
msgstr ""

msgid "The importance of logs and alerts"
msgstr ""

msgid "It is easy to see that the treatment of logs and alerts is an important issue in a secure system. Suppose a system is perfectly configured and 99% secure. If the 1% attack occurs, and there are no security measures in place to, first, detect this and, second, raise alarms, the system is not secure at all."
msgstr ""

msgid "Debian GNU/Linux provides some tools to perform log analysis, most notably <application>swatch</application>, <footnote><para>there's a very good article on it written by <ulink name=\"Lance Spitzner\" url=\"http://www.spitzner.net/swatch.html\" /> </para></footnote> <application>logcheck</application> or <application>log-analysis</application> (all will need some customisation to remove unnecessary things from the report). It might also be useful, if the system is nearby, to have the system logs printed on a virtual console. This is useful since you can (from a distance) see if the system is behaving properly. Debian's <filename>/etc/syslog.conf</filename> comes with a commented default configuration; to enable it uncomment the lines and restart <command>syslogd</command> (<userinput>/etc/init.d/syslogd restart</userinput>):"
msgstr ""

msgid ""
"\n"
"  daemon,mail.*;\\\n"
"        news.=crit;news.=err;news.=notice;\\\n"
"        *.=debug;*.=info;\\\n"
"        *.=notice;*.=warn       /dev/tty8"
msgstr ""

msgid "To colorize the logs, you could take a look at <application>colorize</application>, <application>ccze</application> or <application>glark</application>. There is a lot to log analysis that cannot be fully covered here, so a good information resource would be books should as <ulink name=\"Security log management: identifying patterns in the chaos\" url=\"http://books.google.com/books?id=UyktqN6GnWEC\" />. In any case, even automated tools are no match for the best analysis tool: your brain."
msgstr ""

msgid "Using and customizing <command>logcheck</command>"
msgstr ""

msgid "The <command>logcheck</command> package in Debian is divided into the three packages <application>logcheck</application> (the main program), <application>logcheck-database</application> (a database of regular expressions for the program) and <application>logtail</application> (prints loglines that have not yet been read). The Debian default (in <filename>/etc/cron.d/logcheck</filename>) is that <command>logcheck</command> is run every hour and after reboots."
msgstr ""

msgid "This tool can be quite useful if properly customized to alert the administrator of unusual system events. <command>Logcheck</command> can be fully customized so that it sends mails based on events found in the logs and worthy of attention. The default installation includes profiles for ignored events and policy violations for three different setups (workstation, server and paranoid). The Debian package includes a configuration file <filename>/etc/logcheck/logcheck.conf</filename>, sourced by the program, that defines which user the checks are sent to. It also provides a way for packages that provide services to implement new policies in the directories: <filename>/etc/logcheck/cracking.d/_packagename_</filename>, <filename>/etc/logcheck/violations.d/_packagename_</filename>, <filename>/etc/logcheck/violations.ignore.d/_packagename_</filename>, <filename>/etc/logcheck/ignore.d.paranoid/_packagename_</filename>, <filename>/etc/logcheck/ignore.d.server/_packagename_</filename>, and <filename>/etc/logcheck/ignore.d.workstation/_packagename_</filename>. However, not many packages currently do so. If you have a policy that can be useful for other users, please send it as a bug report for the appropriate package (as a <emphasis>wishlist</emphasis> bug). For more information read <filename>/usr/share/doc/logcheck/README.Debian</filename>."
msgstr ""

msgid "The best way to configure <command>logcheck</command> is to edit its main configuration file <filename>/etc/logcheck/logcheck.conf</filename> after installation. Change the default user (root) to whom reports should be mailed. You should set the reportlevel in there, too. <application>logcheck-database</application> has three report levels of increasing verbosity: workstation, server, paranoid. \"server\" being the default level, paranoid is only recommended for high-security machines running as few services as possible and workstation for relatively sheltered, non-critical machines. If you wish to add new log files just add them to <filename>/etc/logcheck/logcheck.logfiles</filename>. It is tuned for default syslog install."
msgstr ""

msgid "Once this is done you might want to check the mails that are sent, for the first few days/weeks/months. If you find you are sent messages you do not wish to receive, just add the regular expressions (see <citerefentry><refentrytitle>regex</refentrytitle><manvolnum>7</manvolnum></citerefentry> and <citerefentry><refentrytitle>egrep</refentrytitle><manvolnum>1</manvolnum></citerefentry>) that correspond to these messages to the <filename>/etc/logcheck/ignore.d.<varname>reportlevel</varname>/local</filename>. Try to match the whole logline. Details on howto write rules are explained in <filename>/usr/share/doc/logcheck-database/README.logcheck-database.gz</filename>. It's an ongoing tuning process; once the messages that are sent are always relevant you can consider the tuning finished. Note that if <command>logcheck</command> does not find anything relevant in your system it will not mail you even if it does run (so you might get a mail only once a week, if you are lucky)."
msgstr ""

msgid "Configuring where alerts are sent"
msgstr ""

msgid "Debian comes with a standard <application>syslog</application> configuration (in <filename>/etc/syslog.conf</filename>) that logs messages to the appropriate files depending on the system facility. You should be familiar with this; have a look at the <filename>syslog.conf</filename> file and the documentation if not. If you intend to maintain a secure system you should be aware of where log messages are sent so they do not go unnoticed."
msgstr ""

msgid "For example, sending messages to the console also is an interesting setup useful for many production-level systems. But for many such systems it is also important to add a new machine that will serve as loghost (i.e. it receives logs from all other systems)."
msgstr ""

msgid "Root's mail should be considered also, many security controls (like <application>snort</application>) send alerts to root's mailbox. This mailbox usually points to the first user created in the system (check <filename>/etc/aliases</filename>). Take care to send root's mail to some place where it will be read (either locally or remotely)."
msgstr ""

msgid "There are other role accounts and aliases on your system. On a small system, it's probably simplest to make sure that all such aliases point to the root account, and that mail to root is forwarded to the system administrator's personal mailbox."
msgstr ""

msgid "FIXME: It would be interesting to tell how a Debian system can send/receive SNMP traps related to security problems (jfs). Check: <application>snmptrapfmt</application>, <application>snmp</application> and <application>snmpd</application>."
msgstr ""

msgid "Using a loghost"
msgstr ""

msgid "A loghost is a host which collects syslog data remotely over the network. If one of your machines is cracked, the intruder is not able to cover the tracks, unless hacking the loghost as well. So, the loghost should be especially secure. Making a machine a loghost is simple. Just start the <command>syslogd</command> with"
msgstr ""

msgid "<userinput>syslogd -r</userinput>"
msgstr ""

msgid "and a new loghost is born. In order to do this permanently in Debian, edit <filename>/etc/default/syslogd</filename> and change the line"
msgstr ""

msgid "\n"
"SYSLOGD=\"\""
msgstr ""

msgid "to"
msgstr ""

msgid "\n"
"SYSLOGD=\"-r\""
msgstr ""

msgid "Next, configure the other machines to send data to the loghost. Add an entry like the following to <filename>/etc/syslog.conf</filename>:"
msgstr ""

msgid "\n"
"  facility.level            @your_loghost"
msgstr ""

msgid "See the documentation for what to use in place of <emphasis>facility</emphasis> and <emphasis>level</emphasis> (they should not be entered verbatim like this). If you want to log everything remotely, just write:"
msgstr ""

msgid "\n"
"  *.*                       @your_loghost"
msgstr ""

msgid "into your <filename>syslog.conf</filename>. Logging remotely as well as locally is the best solution (the attacker might presume to have covered his tracks after deleting the local log files). See the <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>, <citerefentry><refentrytitle>syslogd</refentrytitle><manvolnum>8</manvolnum></citerefentry> and <citerefentry><refentrytitle>syslog.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> manpages for additional information."
msgstr ""

msgid "Log file permissions"
msgstr ""

msgid "It is not only important to decide how alerts are used, but also who has read/modify access to the log files (if not using a remote loghost). Security alerts which the attacker can change or disable are not worth much in the event of an intrusion. Also, you have to take into account that log files might reveal quite a lot of information about your system to an intruder who has access to them."
msgstr ""

msgid "Some log file permissions are not perfect after the installation (but of course this really depends on your local security policy). First <filename>/var/log/lastlog</filename> and <filename>/var/log/faillog</filename> do not need to be readable by normal users. In the <filename>lastlog</filename> file you can see who logged in recently, and in the <filename>faillog</filename> you see a summary of failed logins. The author recommends <command>chmod 660</command> for both. Take a brief look at your log files and decide very carefully which log files to make readable/writable for a user with a UID other than 0 and a group other than 'adm' or 'root'. You can easily check this in your system with:"
msgstr ""

msgid ""
"\n"
"  #  find /var/log -type f -exec ls -l {} \\; | cut -c 17-35 |sort -u\n"
"  (see to what users do files in /var/log belong)\n"
"  #  find /var/log -type f -exec ls -l {} \\; | cut -c 26-34 |sort -u\n"
"  (see to what groups do files in /var/log belong)\n"
"  # find /var/log -perm +004\n"
"  (files which are readable by any user)\n"
"  #  find /var/log \\! -group root \\! -group adm -exec ls -ld {} \\;\n"
"  (files which belong to groups not root or adm)"
msgstr ""

msgid "To customize how log files are created you will probably have to customize the program that generates them. If the log file gets rotated, however, you can customize the behavior of creation and rotation."
msgstr ""

msgid "Adding kernel patches"
msgstr ""

msgid "Debian GNU/Linux provides some of the patches for the Linux kernel that enhance its security. These include:"
msgstr ""

msgid "<ulink url=\"http://www.lids.org\">Linux Intrusion Detection</ulink> provided in the <application>kernel-patch-2.4-lids</application> package. This kernel patch makes the process of hardening your Linux system easier by allowing you to restrict, hide and protect processes, even from root. It implements mandatory access control capabilities."
msgstr ""

msgid "<ulink url=\"http://trustees.sourceforge.net/\">Linux Trustees</ulink>, provided in package <application>trustees</application>. This patch adds a decent advanced permissions management system to your Linux kernel. Special objects (called trustees) are bound to every file or directory, and are stored in kernel memory, which allows fast lookup of all permissions."
msgstr ""

msgid "NSA Enhanced Linux (in package <application>selinux</application>). Backports of the SElinux-enabled packages are available at <ulink url=\"http://selinux.alioth.debian.org/\" />. More information available at <ulink url=\"http://wiki.debian.org/SELinux\">SElinux in Debian Wiki page</ulink>, at <ulink url=\"http://www.golden-gryphon.com/software/security/selinux.xhtml\">Manoj Srivastava's</ulink> and <ulink url=\"http://www.coker.com.au/selinux/\">Russell Cookers's</ulink> SElinux websites."
msgstr ""

msgid "The kernel patch <ulink url=\"http://people.redhat.com/mingo/exec-shield\" /> provided in the <application>kernel-patch-exec-shield</application> package. This patch provides protection against some buffer overflows (stack smashing attacks)."
msgstr ""

msgid "The <ulink url=\"http://www.grsecurity.net/\">Grsecurity patch</ulink>, provided by the <application>kernel-patch-2.4-grsecurity</application> and <application>kernel-patch-grsecurity2</application> packages <footnote><para> Notice that this patch conflicts with patches already included in Debian's 2.4 kernel source package. You will need to use the stock vanilla kernel. You can do this with the following steps: <screen> # apt-get install kernel-source-2.4.22 kernel-patch-debian-2.4.22 # tar xjf /usr/src/kernel-source-2.4.22.tar.bz2 # cd kernel-source-2.4.22 # /usr/src/kernel-patches/all/2.4.22/unpatch/debian </screen> For more information see <ulink name=\"#194225\" url=\"http://bugs.debian.org/194225\" />, <ulink name=\"#199519\" url=\"http://bugs.debian.org/199519\" />, <ulink name=\"#206458\" url=\"http://bugs.debian.org/206458\" />, <ulink name=\"#203759\" url=\"http://bugs.debian.org/203759\" />, <ulink name=\"#204424\" url=\"http://bugs.debian.org/204424\" />, <ulink name=\"#210762\" url=\"http://bugs.debian.org/210762\" />, <ulink name=\"#211213\" url=\"http://bugs.debian.org/211213\" />, and the <ulink name=\"discussion at debian-devel\" url=\"http://lists.debian.org/debian-devel/2003/debian-devel-200309/msg01133.html\" /> </para></footnote> implements Mandatory Access Control through RBAC, provides buffer overflow protection through PaX, ACLs, network randomness (to make OS fingerprinting more difficult) and <ulink url=\"http://www.grsecurity.net/features.php\">many more features</ulink>."
msgstr ""

msgid "The <application>kernel-patch-adamantix</application> provides the patches developed for <ulink url=\"http://www.adamantix.org/\">Adamantix</ulink>, a Debian-based distribution. This kernel patch for the 2.4.x kernel releases introduces some security features such as a non-executable stack through the use of <ulink name=\"PaX\" url=\"http://pageexec.virtualave.net/\" /> and mandatory access control based on <ulink name=\"RSBAC\" url=\"http://www.rsbac.org/\" />. Other features include: <ulink name=\"the Random PID patch\" url=\"http://www.vanheusden.com/Linux/sp/\" />, AES encrypted loop device, MPPE support and an IPSEC v2.6 backport."
msgstr ""

msgid "<application>cryptoloop-source</application>. This patches allows you to use the functions of the kernel crypto API to create encrypted filesystems using the loopback device."
msgstr ""

msgid "IPSEC kernel support (in package <application>linux-patch-openswan</application>). If you want to use the IPsec protocol with Linux, you need this patch. You can create VPNs with this quite easily, even to Windows machines, as IPsec is a common standard. IPsec capabilities have been added to the 2.5 development kernel, so this feature will be present by default in the future Linux Kernel 2.6. Homepage: <ulink url=\"http://www.openswan.org\" />. <emphasis>FIXME</emphasis>: The latest 2.4 kernels provided in Debian include a backport of the IPSEC code from 2.5. Comment on this."
msgstr ""

msgid "The following security kernel patches are only available for old kernel versions in woody and are deprecated:"
msgstr ""

msgid "<ulink name=\"POSIX Access Control Lists\" url=\"http://acl.bestbits.at/\" /> (ACLs) for Linux provided in the package <application>kernel-patch-acl</application>. This kernel patch adds access control lists, an advanced method for restricting access to files. It allows you to control fine-grain access to files and directory."
msgstr ""

msgid "The <ulink name=\"Openwall\" url=\"http://www.openwall.com/linux/\" /> linux kernel patch by Solar Designer, provided in the <application>kernel-patch-2.2.18-openwall</application> package. This is a useful set of kernel restrictions, like restricted links, FIFOs in <filename>/tmp</filename>, a restricted <filename>/proc</filename> file system, special file descriptor handling, non-executable user stack area and other features. Note: This package applies to the 2.2 release, no packages are available for the 2.4 release patches provided by Solar."
msgstr ""

msgid "<application>kernel-patch-int</application>. This patch also adds cryptographic capabilities to the Linux kernel, and was useful with Debian releases up to Potato. It doesn't work with Woody, and if you are using Sarge or a newer version, you should use a more recent kernel which includes these features already."
msgstr ""

msgid "However, some patches have not been provided in Debian yet. If you feel that some of these should be included please ask for it at the <ulink name=\"Work Needing and Prospective Packages\" url=\"http://www.debian.org/devel/wnpp/\" />."
msgstr ""

msgid "Protecting against buffer overflows"
msgstr ""

msgid "<emphasis>Buffer overflow</emphasis> is the name of a common attack to software <footnote><para>So common, in fact, that they have been the basis of 20% of the reported security vulnerabilities every year, as determined by <ulink name=\"statistics from ICAT's vulnerability database\" url=\"http://icat.nist.gov/icat.cfm?function=statistics\" /></para></footnote> which makes use of insufficient boundary checking (a programming error, most commonly in the C language) in order to execute machine code through program inputs. These attacks, against server software which listen to connections remotely and against local software which grant higher privileges to users (<literal>setuid</literal> or <literal>setgid</literal>) can result in the compromise of any given system."
msgstr ""

msgid "There are mainly four methods to protect against buffer overflows:"
msgstr ""

msgid "patch the kernel to prevent stack execution. You can use either: Exec-shield, OpenWall or PaX (included in the Grsecurity and Adamantix patches)."
msgstr ""

msgid "fix the source code by using tools to find fragments of it that might introduce this vulnerability."
msgstr ""

msgid "recompile the source code to introduce proper checks that prevent overflows, using the <ulink name=\"Stack Smashing Protector (SSP)\" url=\"http://www.research.ibm.com/trl/projects/security/ssp/\" /> patch for GCC (which is used by <ulink name=\"Adamantix\" url=\"http://www.adamantix.org\" />)"
msgstr ""

msgid "Debian GNU/Linux, as of the 3.0 release, provides software to introduce all of these methods except for the protection on source code compilation (but this has been requested in <ulink name=\"Bug #213994\" url=\"http://bugs.debian.org/213994\" />)."
msgstr ""

msgid "Notice that even if Debian provided a compiler which featured stack/buffer overflow protection all packages would need to be recompiled in order to introduce this feature. This is, in fact, what the Adamantix distribution does (among other features). The effect of this new feature on the stability of software is yet to be determined (some programs or some processor architectures might break due to it)."
msgstr ""

msgid "In any case, be aware that even these workarounds might not prevent buffer overflows since there are ways to circumvent these, as described in phrack's magazine <ulink name=\"issue 58\" url=\"http://packetstorm.linuxsecurity.com/mag/phrack/phrack58.tar.gz\" /> or in CORE's Advisory <ulink name=\"Multiple vulnerabilities in stack smashing protection technologies\" url=\"http://online.securityfocus.com/archive/1/269246\" />."
msgstr ""

msgid "If you want to test out your buffer overflow protection once you have implemented it (regardless of the method) you might want to install the <application>paxtest</application> and run the tests it provides."
msgstr ""

msgid "Kernel patch protection for buffer overflows"
msgstr ""

msgid "Kernel patches related to buffer overflows include the Openwall patch provides protection against buffer overflows in 2.2 linux kernels. For 2.4 or newer kernels, you need to use the Exec-shield implementation, or the PaX implementation (provided in the grsecurity patch, <application>kernel-patch-2.4-grsecurity</application>, and in the Adamantix patch, <application>kernel-patch-adamantix</application>). For more information on using these patches read the the section <xref linkend=\"kernel-patches\" />."
msgstr ""

msgid "Testing programs for overflows"
msgstr ""

msgid "The use of tools to detect buffer overflows requires, in any case, of programming experience in order to fix (and recompile) the code. Debian provides, for example: <application>bfbtester</application> (a buffer overflow tester that brute-forces binaries through command line and environment overflows). Other packages of interest would also be <application>rats</application>, <application>pscan</application>, <application>flawfinder</application> and <application>splint</application>."
msgstr ""

msgid "Secure file transfers"
msgstr ""

msgid "During normal system administration one usually needs to transfer files in and out from the installed system. Copying files in a secure manner from a host to another can be achieved by using the <application>ssh</application> server package. Another possibility is the use of <application>ftpd-ssl</application>, a ftp server which uses the <emphasis>Secure Socket Layer</emphasis> to encrypt the transmissions."
msgstr ""

msgid "Any of these methods need special clients. Debian does provide client software, such as <command>scp</command> from the <application>ssh</application> package, which works like <command>rcp</command> but is encrypted completely, so the <emphasis>bad guys</emphasis> cannot even find out WHAT you copy. There is also a <application>ftp-ssl</application> package for the equivalent server. You can find clients for these software even for other operating systems (non-UNIX), <command>putty</command> and <command>winscp</command> provide secure copy implementations for any version of Microsoft's operating system."
msgstr ""

msgid "Note that using <command>scp</command> provides access to the users to all the file system unless <command>chroot</command>'ed as described in <xref linkend=\"ssh-chroot\" />. FTP access can be <command>chroot</command>'ed, probably easier depending on you chosen daemon, as described in <xref linkend=\"ftp-secure\" />. If you are worried about users browsing your local files and want to have encrypted communication you can either use an ftp daemon with SSL support or combine clear-text ftp and a VPN setup (see <xref linkend=\"vpn\" />)."
msgstr ""

msgid "File system limits and control"
msgstr ""

msgid "Using quotas"
msgstr ""

msgid "Having a good quota policy is important, as it keeps users from filling up the hard disk(s)."
msgstr ""

msgid "You can use two different quota systems: user quota and group quota. As you probably figured out, user quota limits the amount of space a user can take up, group quota does the equivalent for groups. Keep this in mind when you're working out quota sizes."
msgstr ""

msgid "There are a few important points to think about in setting up a quota system:"
msgstr ""

msgid "Keep the quotas small enough, so users do not eat up your disk space."
msgstr ""

msgid "Keep the quotas big enough, so users do not complain or their mail quota keeps them from accepting mail over a longer period."
msgstr ""

msgid "Use quotas on all user-writable areas, on <filename>/home</filename> as well as on <filename>/tmp</filename>."
msgstr ""

msgid "Every partition or directory to which users have full write access should be quota enabled. Calculate and assign a workable quota size for those partitions and directories which combines usability and security."
msgstr ""

msgid "So, now you want to use quotas. First of all you need to check whether you enabled quota support in your kernel. If not, you will need to recompile it. After this, control whether the package <application>quota</application> is installed. If not you will need this one as well."
msgstr ""

msgid "Enabling quota for the respective file systems is as easy as modifying the <literal>defaults</literal> setting to <literal>defaults,usrquota</literal> in your <filename>/etc/fstab</filename> file. If you need group quota, substitute <literal>usrquota</literal> to <literal>grpquota</literal>. You can also use them both. Then create empty quota.user and quota.group files in the roots of the file systems you want to use quotas on (e.g."
msgstr ""

msgid "<userinput>touch\n"
"/home/quota.user /home/quota.group</userinput>"
msgstr ""

msgid "for a <filename>/home</filename> file system)."
msgstr ""

msgid "Restart <command>quota</command> by doing"
msgstr ""

msgid "<userinput>/etc/init.d/quota stop;/etc/init.d/quota\n"
"        start</userinput>"
msgstr ""

msgid ". Now quota should be running, and quota sizes can be set."
msgstr ""

msgid "Editing quotas for a specific user can be done by"
msgstr ""

msgid "<userinput>edquota -u &lt;user&gt;</userinput>"
msgstr ""

msgid ". Group quotas can be modified with"
msgstr ""

msgid "<userinput>edquota -g &lt;group&gt;</userinput>"
msgstr ""

msgid ". Then set the soft and hard quota and/or inode quotas as needed."
msgstr ""

msgid "For more information about quotas, read the quota man page, and the quota mini-howto (<filename>/usr/share/doc/HOWTO/en-html/mini/Quota.html</filename>). You may also want to look at <filename>pam_limits.so</filename>."
msgstr ""

msgid "The ext2 filesystem specific attributes (<command>chattr</command>/<command>lsattr</command>)"
msgstr ""

msgid "In addition to the usual Unix permissions, the ext2 and ext3 filesystems offer a set of specific attributes that give you more control over the files on your system. Unlike the basic permissions, these attributes are not displayed by the usual <command>ls -l</command> command or changed using <command>chmod</command>, and you need two other utilities, <command>lsattr</command> and <command>chattr</command> (in package <application>e2fsprogs</application>) to manage them. Note that this means that these attributes will usually not be saved when you backup your system, so if you change any of them, it may be worth saving the successive <command>chattr</command> commands in a script so that you can set them again later if you have to restore a backup."
msgstr ""

msgid "Among all available attributes, the two that are most important for increasing security are referenced by the letters 'i' and 'a', and they can only be set (or removed) by the superuser:"
msgstr ""

msgid "The 'i' attribute ('immutable'): a file with this attribute can neither be modified nor deleted or renamed and no link can be created to it, even by the superuser."
msgstr ""

msgid "The 'a' attribute ('append'): this attribute has the same effect that the immutable attribute, except that you can still open the file in append mode. This means that you can still add more content to it but it is impossible to modify previous content. This attribute is especially useful for the log files stored in <filename>/var/log/</filename>, though you should consider that they get moved sometimes due to the log rotation scripts."
msgstr ""

msgid "These attributes can also be set for directories, in which case everyone is denied the right to modify the contents of a directory list (e.g. rename or remove a file, ...). When applied to a directory, the append attribute only allows file creation."
msgstr ""

msgid "It is easy to see how the 'a' attribute improves security, by giving to programs that are not running as the superuser the ability to add data to a file without modifying its previous content. On the other hand, the 'i' attribute seems less interesting: after all, the superuser can already use the basic Unix permissions to restrict access to a file, and an intruder that would get access to the superuser account could always use the <command>chattr</command> program to remove the attribute. Such an intruder may first be confused when noticing not being able to remove a file, but you should not assume blindness - after all, the intruder got into your system! Some manuals (including a previous version of this document) suggest to simply remove the <command>chattr</command> and <command>lsattr</command> programs from the system to increase security, but this kind of strategy, also known as \"security by obscurity\", is to be absolutely avoided, since it provides a false sense of security."
msgstr ""

msgid "A secure way to solve this problem is to use the capabilities of the Linux kernel, as described in <xref linkend=\"proactive\" />. The capability of interest here is called <literal>CAP_LINUX_IMMUTABLE</literal>: if you remove it from the capabilities bounding set (using for example the command <command>lcap <varname>CAP_LINUX_IMMUTABLE</varname></command>) it won't be possible to change any 'a' or 'i' attribute on your system anymore, even by the superuser ! A complete strategy could be as follows:"
msgstr ""

msgid "Set the attributes 'a' and 'i' on any file you want;"
msgstr ""

msgid "Add the command <command>lcap <varname>CAP_LINUX_IMMUTABLE</varname></command> (as well as <command>lcap <varname>CAP_SYS_MODULE</varname></command>, as suggested in <xref linkend=\"proactive\" />) to one of the startup scripts;"
msgstr ""

msgid "Set the 'i' attribute on this script and other startup files, as well as on the <command>lcap</command> binary itself;"
msgstr ""

msgid "Execute the above command manually (or reboot your system to make sure everything works as planned)."
msgstr ""

msgid "Now that the capability has been removed from the system, an intruder cannot change any attribute on the protected files, and thus cannot change or remove the files. If the machine is forced to reboot (which is the only way to restore the capabilities bounding set), it will easily be detected, and the capability will be removed again as soon as the system restarts anyway. The only way to change a protected file would be to boot the system in single-user mode or using another bootdisk, two operations that require physical access to the machine !"
msgstr ""

msgid "Checking file system integrity"
msgstr ""

msgid "Are you sure <filename>/bin/login</filename> on your hard drive is still the binary you installed there some months ago? What if it is a hacked version, which stores the entered password in a hidden file or mails it in clear-text version all over the Internet?"
msgstr ""

msgid "The only method to have some kind of protection is to check your files every hour/day/month (I prefer daily) by comparing the actual and the old md5sum of this file. Two files cannot have the same md5sum (the MD5 digest is 128 bits, so the chance that two different files will have the same md5sum is roughly one in 3.4e3803), so you're on the safe site here, unless someone has also hacked the algorithm that creates md5sums on that machine. This is, well, extremely difficult and very unlikely. You really should consider this auditing of your binaries as very important, since it is an easy way to recognize changes at your binaries."
msgstr ""

msgid "Common tools used for this are <application>sxid</application>, <application>aide</application> (Advanced Intrusion Detection Environment), <application>tripwire</application>, <application>integrit</application> and <application>samhain</application>. Installing <command>debsums</command> will also help you to check the file system integrity, by comparing the md5sums of every file against the md5sums used in the Debian package archive. But beware: those files can easily be changed by an attacker and not all packages provide md5sums listings for the binaries they provided. For more information please read <xref linkend=\"periodic-integrity\" /> and <xref linkend=\"snapshot\" />."
msgstr ""

msgid "You might want to use <command>locate</command> to index the whole filesystem, if so, consider the implications of that. The Debian <application>findutils</application> package contains <command>locate</command> which runs as user nobody, and so it only indexes files which are visible to everybody. However, if you change it's behaviour you will make all file locations visible to all users. If you want to index all the filesystem (not the bits that the user nobody can see) you can replace <command>locate</command> with the package <application>slocate</application>. slocate is labeled as a security enhanced version of GNU locate, but it actually provides additional file-locating functionality. When using <command>slocate</command>, the user only sees the actually accessible files and you can exclude any files or directories on the system. The <application>slocate</application> package runs its update process with higher privledges than locate, and indexes every file. Users are then able to quickly search for every file which they are able to see. <command>slocate</command> doesn't let them see new files; it filters the output based on your UID."
msgstr ""

msgid "You might want to use <application>bsign</application> or <application>elfsign</application>. <application>elfsign</application> provides an utility to add a digital signature to an ELF binary and a second utility to verify that signature. The current implementation uses PKI to sign the checksum of the binary. The benefits of doing this are that it enables one to determine if a binary has been modified and who created it. <application>bsign</application> uses GPG, <application>elfsign</application> uses PKI (X.509) certificates (OpenSSL)."
msgstr ""

msgid "Setting up setuid check"
msgstr ""

msgid "The Debian <application>checksecurity</application> package provides a <command>cron</command> job that runs daily in <filename>/etc/cron.daily/checksecurity</filename> <footnote><para>In previous releases, checksecurity was integrated into cron and the file was <filename>/etc/cron.daily/standard</filename></para></footnote>. This <command>cron</command> job will run the <command>/usr/sbin/checksecurity</command> script that will store information of this changes."
msgstr ""

msgid "The default behavior does not send this information to the superuser but, instead keeps daily copies of the changes in <filename>/var/log/setuid.changes</filename>. You should set the MAILTO variable (in <filename>/etc/checksecurity.conf</filename>) to 'root' to have this information mailed to the superuser. See <citerefentry><refentrytitle>checksecurity</refentrytitle> <manvolnum>8</manvolnum></citerefentry> manual page for more configuration info."
msgstr ""

msgid "Securing network access"
msgstr ""

msgid "FIXME: More (Debian-specific) content needed."
msgstr ""

msgid "Configuring kernel network features"
msgstr ""

msgid "Many features of the kernel can be modified while running by echoing something into the <filename>/proc</filename> file system or by using <command>sysctl</command>. By entering <command>/sbin/sysctl</command> <literal>-A</literal> you can see what you can configure and what the options are, and it can be modified running"
msgstr ""

msgid "<userinput>/sbin/sysctl -w variable=value</userinput>"
msgstr ""

msgid "(see <citerefentry><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>). Only in rare cases do you need to edit something here, but you can increase security that way as well. For example:"
msgstr ""

msgid "\n"
"net/ipv4/icmp_echo_ignore_broadcasts = 1"
msgstr ""

msgid "This is a <emphasis>Windows emulator</emphasis> because it acts like Windows on broadcast ping if this option is set to 1. That is, ICMP echo requests sent to the broadcast address will be ignored. Otherwise, it does nothing."
msgstr ""

msgid "If you want to prevent you system from answering ICMP echo requests, just enable this configuration option:"
msgstr ""

msgid "\n"
"net/ipv4/icmp_echo_ignore_all = 1"
msgstr ""

msgid "To log packets with impossible addresses (due to wrong routes) on your network use:"
msgstr ""

msgid "\n"
"/proc/sys/net/ipv4/conf/all/log_martians = 1"
msgstr ""

msgid "For more information on what things can be done with <filename>/proc/sys/net/ipv4/*</filename> read <filename>/usr/src/linux/Documentation/filesystems/proc.txt</filename>. All the options are described thoroughly under <filename>/usr/src/linux/Documentation/networking/ip-sysctl.txt</filename> <footnote><para>In Debian the <application>kernel-source-<varname>version</varname></application> packages copy the sources to <filename>/usr/src/kernel-source-<varname>version</varname>.tar.bz2</filename>, just substitute <varname>version</varname> to whatever kernel version sources you have installed</para></footnote>."
msgstr ""

msgid "Configuring syncookies"
msgstr ""

msgid "This option is a double-edged sword. On the one hand it protects your system against syn packet flooding; on the other hand it violates defined standards (RFCs)."
msgstr ""

msgid "\n"
"net/ipv4/tcp_syncookies = 1"
msgstr ""

msgid "If you want to change this option each time the kernel is working you need to change it in <filename>/etc/network/options</filename> by setting <literal>syncookies=yes</literal>. This will take effect when ever <filename>/etc/init.d/networking</filename> is run (which is typically done at boot time) while the following will have a one-time effect until the reboot:"
msgstr ""

msgid "\n"
"echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies "
msgstr ""

msgid "This option will only be available if the kernel is compiled with the <literal>CONFIG_SYNCOOKIES</literal>. All Debian kernels are compiled with this option builtin but you can verify it running:"
msgstr ""

msgid ""
"\n"
"$ sysctl -A |grep syncookies\n"
"net/ipv4/tcp_syncookies = 1"
msgstr ""

msgid "For more information on TCP syncookies read <ulink url=\"http://cr.yp.to/syncookies.html\" />."
msgstr ""

msgid "Securing the network on boot-time"
msgstr ""

msgid "When setting configuration options for the kernel networking you need configure it so that it's loaded every time the system is restarted. The following example enables many of the previous options as well as other useful options."
msgstr ""

msgid "There are actually two ways to configure your network at boot time. You can configure <filename>/etc/sysctl.conf</filename> (see: <citerefentry><refentrytitle>sysctl.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>) or introduce a script that is called when the interface is enabled. The first option will be applied to all interfaces, whileas the second option allows you to configure this on a per-interface basis."
msgstr ""

msgid "An example of a <filename>/etc/sysctl.conf</filename> configuration that will secure some network options at the kernel level is shown below. Notice the comment in it, <filename>/etc/network/options</filename> might override some values if they contradict those in this file when the <filename>/etc/init.d/networking</filename> is run (which is later than <filename>procps</filename> on the startup sequence)."
msgstr ""

msgid ""
"\n"
"#\n"
"# /etc/sysctl.conf - Configuration file for setting system variables\n"
"# See sysctl.conf (5) for information. Also see the files under\n"
"# Documentation/sysctl/, Documentation/filesystems/proc.txt, and\n"
"# Documentation/networking/ip-sysctl.txt in the kernel sources \n"
"# (/usr/src/kernel-$version if you have a kernel-package installed)\n"
"# for more information of the values that can be defined here.\n"
"\n"
"#\n"
"# Be warned that /etc/init.d/procps is executed to set the following\n"
"# variables.  However, after that, /etc/init.d/networking sets some\n"
"# network options with builtin values.  These values may be overridden\n"
"# using /etc/network/options.\n"
"#\n"
"#kernel.domainname = example.com\n"
"\n"
"# Additional settings - adapted from the script contributed\n"
"# by Dariusz Puchala (see below)\n"
"# Ignore ICMP broadcasts\n"
"net/ipv4/icmp_echo_ignore_broadcasts = 1\n"
"#\n"
"# Ignore bogus ICMP errors\n"
"net/ipv4/icmp_ignore_bogus_error_responses = 1\n"
"# \n"
"# Do not accept ICMP redirects (prevent MITM attacks)\n"
"net/ipv4/conf/all/accept_redirects = 0\n"
"# _or_\n"
"# Accept ICMP redirects only for gateways listed in our default\n"
"# gateway list (enabled by default)\n"
"# net/ipv4/conf/all/secure_redirects = 1\n"
"#\n"
"# Do not send ICMP redirects (we are not a router)\n"
"net/ipv4/conf/all/send_redirects = 0\n"
"#\n"
"# Do not forward IP packets (we are not a router)\n"
"# Note: Make sure that /etc/network/options has 'ip_forward=no'\n"
"net/ipv4/conf/all/forwarding = 0\n"
"#\n"
"# Enable TCP Syn Cookies\n"
"# Note: Make sure that /etc/network/options has 'syncookies=yes'\n"
"net/ipv4/tcp_syncookies = 1\n"
"#\n"
"# Log Martian Packets\n"
"net/ipv4/conf/all/log_martians = 1\n"
"#\n"
"# Turn on Source Address Verification in all interfaces to\n"
"# prevent some spoofing attacks\n"
"# Note: Make sure that /etc/network/options has 'spoofprotect=yes'\n"
"net/ipv4/conf/all/rp_filter = 1\n"
"#\n"
"# Do not accept IP source route packets (we are not a router)\n"
"net/ipv4/conf/all/accept_source_route = 0"
msgstr ""

msgid "To use the script you need to first create the script, for example, in <filename>/etc/network/interface-secure</filename> (the name is given as an example) and call it from <filename>/etc/network/interfaces</filename> like this:"
msgstr ""

msgid ""
"\n"
"auto eth0\n"
"iface eth0 inet static\n"
"        address xxx.xxx.xxx.xxx\n"
"        netmask 255.255.255.xxx\n"
"        broadcast xxx.xxx.xxx.xxx\n"
"        gateway xxx.xxx.xxx.xxx\n"
"        pre-up /etc/network/interface-secure"
msgstr ""

msgid "In this example, before the interface eth0 is enabled the script will be called to secure all network interfaces as shown below."
msgstr ""

msgid ""
"\n"
"#!/bin/sh -e\n"
"# Script-name: /etc/network/interface-secure\n"
"#\n"
"# Modifies some default behavior in order to secure against \n"
"# some TCP/IP spoofing &amp; attacks for all interfaces.\n"
"#\n"
"# Contributed by Dariusz Puchalak.\n"
"#\n"
"echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts \n"
"                                           # Broadcast echo protection enabled.\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/all/forwarding\n"
"                                           # IP forwarding disabled.\n"
"echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies # TCP syn cookies protection enabled.\n"
"echo 1 &gt;/proc/sys/net/ipv4/conf/all/log_martians # Log strange packets.\n"
"# (this includes spoofed packets, source routed packets, redirect packets)\n"
"# but be careful with this on heavy loaded web servers.\n"
"echo 1 &gt; /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses \n"
"                                           # Bad error message protection enabled.\n"
"\n"
"# IP spoofing protection.\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter\n"
"\n"
"# Disable ICMP redirect acceptance.\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects\n"
"\n"
"# Disable source routed packets.\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route\n"
"\n"
"exit 0"
msgstr ""

msgid "Notice that you can actually have per-interface scripts that will enable different network options for different interfaces (if you have more than one), just change the pre-up line to:"
msgstr ""

msgid "\n"
"pre-up /etc/network/interface-secure $IFACE"
msgstr ""

msgid "And use a script which will only apply changes to a specific interface, not to all of the interfaces available. Notice that some networking options can only be enabled globally, however. A sample script is this one:"
msgstr ""

msgid ""
"\n"
"#!/bin/sh -e\n"
"# Script-name: /etc/network/interface-secure\n"
"#\n"
"# Modifies some default behavior in order to secure against \n"
"# some TCP/IP spoofing &amp; attacks for a given interface.\n"
"#\n"
"# Contributed by Dariusz Puchalak.\n"
"#\n"
"\n"
"IFACE=$1\n"
"if [ -z \"$IFACE\" ] ; then\n"
"   echo \"$0: Must give an interface name as argument!\"\n"
"   echo \"Usage: $0 &lt;interface&gt;\"\n"
"   exit 1\n"
"fi\n"
"\n"
"if [ ! -e /proc/sys/net/ipv4/conf/$IFACE/ ]; then\n"
"   echo \"$0: Interface $IFACE does not exit (cannot find /proc/sys/net/ipv4/conf/)\"\n"
"   exit 1\n"
"fi\n"
"\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/$IFACE/forwarding  # IP forwarding disabled.\n"
"echo 1 &gt;/proc/sys/net/ipv4/conf/$IFACE/log_martians # Log strange packets.\n"
"# (this includes spoofed packets, source routed packets, redirect packets)\n"
"# but be careful with this on heavy loaded web servers.\n"
"\n"
"# IP spoofing protection.\n"
"echo 1 &gt; /proc/sys/net/ipv4/conf/$IFACE/rp_filter\n"
"\n"
"# Disable ICMP redirect acceptance.\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/$IFACE/accept_redirects\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/$IFACE/send_redirects\n"
"\n"
"# Disable source routed packets.\n"
"echo 0 &gt; /proc/sys/net/ipv4/conf/$IFACE/accept_source_route\n"
"\n"
"exit 0"
msgstr ""

msgid "An alternative solution is to create an <filename>init.d</filename> script and have it run on bootup (using <command>update-rc.d</command> to create the appropriate <filename>rc.d</filename> links)."
msgstr ""

msgid "Configuring firewall features"
msgstr ""

msgid "In order to have firewall capabilities, either to protect the local system or others <emphasis>behind</emphasis> it, the kernel needs to be compiled with firewall capabilities. The standard Debian 2.2 kernel (Linux 2.2) provides the packet filter <command>ipchains</command> firewall, Debian 3.0 standard kernel (Linux 2.4) provides the <emphasis>stateful</emphasis> packet filter <command>iptables</command> (netfilter) firewall."
msgstr ""

msgid "In any case, it is pretty easy to use a kernel different from the one provided by Debian. You can find pre-compiled kernels as packages you can easily install in the Debian system. You can also download the kernel sources using the <application>kernel-source-<varname>X</varname></application> and build custom kernel packages using <command>make-kpkg</command> from the <application>kernel-package</application> package."
msgstr ""

msgid "Setting up firewalls in Debian is discussed more thoroughly in <xref linkend=\"firewall-setup\" />."
msgstr ""

msgid "Disabling weak-end hosts issues"
msgstr ""

msgid "Systems with more than one interface on different networks can have services configured so that they will bind only to a given IP address. This usually prevents access to services when requested through any other address. However, this does not mean (although it is a common misconception) that the service is bound to a given <emphasis>hardware</emphasis> address (interface card). <footnote><para> To reproduce this (example provided by Felix von Leitner on the Bugtraq mailing list): <screen> host a (eth0 connected to eth0 of host b): ifconfig eth0 10.0.0.1 ifconfig eth1 23.0.0.1 tcpserver -RHl localhost 23.0.0.1 8000 echo fnord host b: ifconfig eth0 10.0.0.2 route add 23.0.0.1 gw 10.0.0.1 telnet 23.0.0.1 8000 </screen></para></footnote>"
msgstr ""

msgid "It seems, however, not to work with services bound to 127.0.0.1, you might need to write the tests using raw sockets."
msgstr ""

msgid "This is not an ARP issue and it's not an RFC violation (it's called <emphasis>weak end host</emphasis> in <ulink url=\"ftp://ftp.isi.edu/in-notes/rfc1122.txt\">RFC1122</ulink>, (in the section 3.3.4.2). Remember, IP addresses have nothing to do with physical interfaces."
msgstr ""

msgid "On 2.2 (and previous) kernels this can be fixed with:"
msgstr ""

msgid ""
"\n"
"# echo 1 &gt; /proc/sys/net/ipv4/conf/all/hidden\n"
"# echo 1 &gt; /proc/sys/net/ipv4/conf/eth0/hidden\n"
"# echo 1 &gt; /proc/sys/net/ipv4/conf/eth1/hidden\n"
"....."
msgstr ""

msgid "On later kernels this can be fixed either with:"
msgstr ""

msgid "iptables rules."
msgstr ""

msgid "properly configured routing. <footnote><para> The fact that this behavior can be changed through routing was described by Matthew G. Marsh in the Bugtraq thread: <screen> eth0 = 1.1.1.1/24 eth1 = 2.2.2.2/24 ip rule add from 1.1.1.1/32 dev lo table 1 prio 15000 ip rule add from 2.2.2.2/32 dev lo table 2 prio 16000 ip route add default dev eth0 table 1 ip route add default dev eth1 table 2 </screen> </para></footnote>"
msgstr ""

msgid "kernel patching. <footnote><para> There are some patches available for this behavior as described in Bugtraq's thread at <ulink url=\"http://www.linuxvirtualserver.org/~julian/#hidden\" /> and <ulink url=\"http://www.fefe.de/linux-eth-forwarding.diff\" />. </para></footnote>"
msgstr ""

msgid "Along this text there will be many occasions in which it is shown how to configure some services (sshd server, apache, printer service...) in order to have them listening on any given address, the reader should take into account that, without the fixes given here, the fix would not prevent accesses from within the same (local) network. <footnote><para> An attacker might have many problems pulling the access through after configuring the IP-address binding while not being on the same broadcast domain (same network) as the attacked host. If the attack goes through a router it might be quite difficult for the answers to return somewhere. </para></footnote>"
msgstr ""

msgid "FIXME: Comments on Bugtraq indicate there is a Linux specific method to bind to a given interface."
msgstr ""

msgid "FIXME: Submit a bug against netbase so that the routing fix is standard behavior in Debian?"
msgstr ""

msgid "Protecting against ARP attacks"
msgstr ""

msgid "When you don't trust the other boxes on your LAN (which should always be the case, because it's the safest attitude) you should protect yourself from the various existing ARP attacks."
msgstr ""

msgid "As you know the ARP protocol is used to link IP addresses to MAC addresses (see <ulink name=\"RFC826\" url=\"ftp://ftp.isi.edu/in-notes/rfc826.txt\" /> for all the details). Every time you send a packet to an IP address an ARP resolution is done (first by looking into the local ARP cache then if the IP isn't present in the cache by broadcasting an ARP query) to find the target's hardware address. All the ARP attacks aim to fool your box into thinking that box B's IP address is associated to the intruder's box's MAC address; Then every packet that you want to send to the IP associated to box B will be send to the intruder's box..."
msgstr ""

msgid "Those attacks (ARP cache poisoning, ARP spoofing...) allow the attacker to sniff the traffic even on switched networks, to easily hijack connections, to disconnect any host from the network... ARP attacks are powerful and simple to implement, and several tools exists, such as <command>arpspoof</command> from the <application>dsniff</application> package or <ulink name=\"arpoison\" url=\"http://arpoison.sourceforge.net/\" />."
msgstr ""

msgid "However, there is always a solution:"
msgstr ""

msgid "Use a static ARP cache. You can set up \"static\" entries in your ARP cache with:"
msgstr ""

msgid ""
"\n"
"  arp -s host_name hdwr_addr \n"
"  "
msgstr ""

msgid "By setting static entries for each important host in your network you ensure that nobody will create/modify a (fake) entry for these hosts (static entries don't expire and can't be modified) and spoofed ARP replies will be ignored."
msgstr ""

msgid "Detect suspicious ARP traffic. You can use <application>arpwatch</application>, <application>karpski</application> or more general IDS that can also detect suspicious ARP traffic (<application>snort</application>, <ulink name=\"prelude\" url=\"http://www.prelude-ids.org\" />...)."
msgstr ""

msgid "Implement IP traffic filtering validating the MAC address."
msgstr ""

msgid "Taking a snapshot of the system"
msgstr ""

msgid "Before putting the system into production system you could take a snapshot of the whole system. This snapshot could be used in the event of a compromise (see <xref linkend=\"after-compromise\" />). You should remake this upgrade whenever the system is upgraded, especially if you upgrade to a new Debian release."
msgstr ""

msgid "For this you can use a writable removable-media that can be set up read-only, this could be a floppy disk (read protected after use), a CD on a CD-ROM unit (you could use a rewritable CD-ROM so you could even keep backups of md5sums in different dates), or a USB disk or MMC card (if your system can access those and they can be write protected)."
msgstr ""

msgid "The following script creates such a snapshot:"
msgstr ""

msgid ""
"\n"
"#!/bin/bash\n"
"/bin/mount /dev/fd0 /mnt/floppy\n"
"trap \"/bin/umount /dev/fd0\" 0 1 2 3 9 13 15\n"
"if [ ! -f /usr/bin/md5sum ] ; then\n"
"	echo \"Cannot find md5sum. Aborting.\"\n"
"	exit 1\n"
"fi\n"
"/bin/cp /usr/bin/md5sum /mnt/floppy\n"
"echo \"Calculating md5 database\"\n"
"&gt;/mnt/floppy/md5checksums.txt\n"
"for dir in /bin/ /sbin/ /usr/bin/ /usr/sbin/ /lib/ /usr/lib/\n"
"do\n"
"   find $dir -type f | xargs /usr/bin/md5sum &gt;&gt;/mnt/floppy/md5checksums-lib.txt\n"
"done\n"
"echo \"post installation md5 database calculated\"\n"
"if [ ! -f /usr/bin/sha1sum ] ; then\n"
"	echo \"Cannot find sha1sum\"\n"
"        echo \"WARNING: Only md5 database will be stored\"\n"
"else\n"
"	/bin/cp /usr/bin/sha1sum /mnt/floppy\n"
"	echo \"Calculating SHA-1 database\"\n"
"	&gt;/mnt/floppy/sha1checksums.txt\n"
"	for dir in /bin/ /sbin/ /usr/bin/ /usr/sbin/ /lib/ /usr/lib/\n"
"	do\n"
"	   find $dir -type f | xargs /usr/bin/sha1sum &gt;&gt;/mnt/floppy/sha1checksums-lib.txt\n"
"	done\n"
"	echo \"post installation sha1 database calculated\"\n"
"fi\n"
"exit 0"
msgstr ""

msgid "Note that the md5sum binary (and sha1sum, if available) is placed on the floppy drive so it can be used later on to check the binaries of the system (just in case it gets trojaned). However, if you want to make sure that you are running a legitimate binary, you might want to either compile a static copy of the md5sum binary and use that one (to prevent a trojaned libc library from interfering with the binary) or to use the snapshot of md5sums only from a clean environment such as a rescue CD-ROM or a Live-CD (to prevent a trojaned kernel from interfering). I cannot stress this enough: if you are on a compromised system you cannot trust its output, see <xref linkend=\"after-compromise\" />."
msgstr ""

msgid "The snapshot does not include the files under <filename>/var/lib/dpkg/info</filename> which includes the MD5 hashes of installed packages (in files ending with <filename>.md5sums</filename>). You could copy this information along too, however you should notice:"
msgstr ""

msgid "the md5sums files include the md5sum of all files provided by the Debian packages, not just system binaries. As a consequence, that database is bigger (5 Mb versus 600 Kb in a Debian GNU/Linux system with a graphical system and around 2.5 Gb of software installed) and will not fit in small removable media (like a single floppy disk, but would probably fit in a removable USB memory)."
msgstr ""

msgid "not all Debian packages provide md5sums for the files installed since it is not (currently) mandated policy. Notice, however, that you can generate the md5sums for all packages using <application>debsums</application> after you've finished the system installation:"
msgstr ""

msgid "\n"
"# debsums --generate=missing,keep"
msgstr ""

msgid "Once the snapshot is done you should make sure to set the medium read-only. You can then store it for backup or place it in the drive and use it to drive a <command>cron</command> check nightly comparing the original md5sums against those on the snapshot."
msgstr ""

msgid "If you do not want to setup a manual check you can always use any of the integrity systems available that will do this and more, for more information please read <xref linkend=\"periodic-integrity\" />."
msgstr ""

msgid "Other recommendations"
msgstr ""

msgid "Do not use software depending on svgalib"
msgstr ""

msgid "SVGAlib is very nice for console lovers like me, but in the past it has been proven several times that it is very insecure. Exploits against <command>zgv</command> were released, and it was simple to become root. Try to prevent using SVGAlib programs wherever possible."
msgstr ""