File: 12_faq.po

package info (click to toggle)
harden-doc 3.19%2Bnmu1
  • links: PTS, VCS
  • area: main
  • in suites: bookworm, bullseye, sid
  • size: 15,332 kB
  • sloc: xml: 11,790; sh: 52; makefile: 16
file content (713 lines) | stat: -rw-r--r-- 44,961 bytes parent folder | download | duplicates (4)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
msgid ""
msgstr ""
"Project-Id-Version: 0\n"
"POT-Creation-Date: 2018-03-19 00:26+0100\n"
"PO-Revision-Date: 2018-03-19 00:26+0100\n"
"Last-Translator: Automatically generated\n"
"Language-Team: None\n"
"Language: en-US \n"
"MIME-Version: 1.0\n"
"Content-Type: application/x-publican; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"X-Generator: Publican v4.3.2\n"

msgid "Frequently asked Questions (FAQ)"
msgstr ""

msgid "This chapter introduces some of the most common questions from the Debian security mailing list. You should read them before posting there or else people might tell you to RTFM."
msgstr ""

msgid "Security in the Debian operating system"
msgstr ""

msgid "Is Debian more secure than X?"
msgstr ""

msgid "A system is only as secure as its administrator is capable of making it. Debian's default installation of services aims to be <emphasis>secure</emphasis>, but may not be as paranoid as some other operating systems which install all services <emphasis>disabled by default</emphasis>. In any case, the system administrator needs to adapt the security of the system to the local security policy."
msgstr ""

msgid "For a collection of data regarding security vulnerabilities for many operating systems, see the <ulink name=\"US-CERT stats\" url=\"http://www.cert.org/stats/cert_stats.html\" /> or generate stats using the <ulink name=\"National Vulnerability Database\" url=\"http://nvd.nist.gov/statistics.cfm\" /> (formerly ICAT) Is this data useful? There are several factors to consider when interpreting the data, and it is worth noticing that the data cannot be used to compare the vulnerabilities of one operating system versus another.<footnote><para>For example, based on some data, it might seem that Windows NT is more secure than Linux, which is a questionable assertion. After all, Linux distributions usually provide many more applications compared to Microsoft's Windows NT. This <emphasis>counting vulnerabilities</emphasis> issues are better described in <ulink name=\"Why Open Source Software / Free Software (OSS/FS)? Look at the Numbers!\" url=\"http://www.dwheeler.com/oss_fs_why.html#security\" /> by David A. Wheeler</para></footnote> Also, keep in mind that some reported vulnerabilities regarding Debian apply only to the <emphasis>unstable</emphasis> (i.e. unreleased) branch."
msgstr ""

msgid "Is Debian more secure than other Linux distributions (such as Red Hat, SuSE...)?"
msgstr ""

msgid "There are not really many differences between Linux distributions, with exceptions to the base installation and package management system. Most distributions share many of the same applications, with differences mainly in the versions of these applications that are shipped with the distribution's stable release. For example, the kernel, Bind, Apache, OpenSSH, Xorg, gcc, zlib, etc. are all common across Linux distributions."
msgstr ""

msgid "For example, Red Hat was unlucky and shipped when foo 1.2.3 was current, which was then later found to have a security hole. Debian, on the other hand, was lucky enough to ship foo 1.2.4, which incorporated the bug fix. That was the case in the big <ulink name=\"rpc.statd\" url=\"http://www.cert.org/advisories/CA-2000-17.html\" /> problem from a couple years ago."
msgstr ""

msgid "There is a lot of collaboration between the respective security teams for the major Linux distributions. Known security updates are rarely, if ever, left unfixed by a distribution vendor. Knowledge of a security vulnerability is never kept from another distribution vendor, as fixes are usually coordinated upstream, or by <ulink name=\"CERT\" url=\"http://www.cert.org\" />. As a result, necessary security updates are usually released at the same time, and the relative security of the different distributions is very similar."
msgstr ""

msgid "One of Debian's main advantages with regards to security is the ease of system updates through the use of <command>apt</command>. Here are some other aspects of security in Debian to consider:"
msgstr ""

msgid "Debian provides more security tools than other distributions, see <xref linkend=\"sec-tools\" />."
msgstr ""

msgid "Debian's standard installation is smaller (less functionality), and thus more secure. Other distributions, in the name of usability, tend to install many services by default, and sometimes they are not properly configured (remember the <ulink name=\"Lion\" url=\"http://www.sophos.com/virusinfo/analyses/linuxlion.html\" /> <ulink name=\"Ramen\" url=\"http://www.sophos.com/virusinfo/analyses/linuxramen.html\" />). Debian's installation is not as limited as OpenBSD (no daemons are active per default), but it's a good compromise. <footnote><para>&gt;Without diminishing the fact that some distributions, such as Red Hat or Mandrake, are also taking into account security in their standard installations by having the user select <emphasis>security profiles</emphasis>, or using wizards to help with configuration of <emphasis>personal firewalls</emphasis>.</para></footnote>"
msgstr ""

msgid "Debian documents best security practices in documents like this one."
msgstr ""

msgid "There are many Debian bugs in Bugtraq. Does this mean that it is very vulnerable?"
msgstr ""

msgid "The Debian distribution boasts a large and growing number of software packages, probably more than provided by many proprietary operating systems. The more packages installed, the greater the potential for security issues in any given system."
msgstr ""

msgid "More and more people are examining source code for flaws. There are many advisories related to source code audits of the major software components included in Debian. Whenever such source code audits turn up security flaws, they are fixed and an advisory is sent to lists such as Bugtraq."
msgstr ""

msgid "Bugs that are present in the Debian distribution usually affect other vendors and distributions as well. Check the \"Debian specific: yes/no\" section at the top of each advisory (DSA)."
msgstr ""

msgid "Does Debian have any certification related to security?"
msgstr ""

msgid "Short answer: no."
msgstr ""

msgid "Long answer: certification costs money (specially a <emphasis>serious</emphasis> security certification), nobody has dedicated the resources in order to certify Debian GNU/Linux to any level of, for example, the <ulink name=\"Common Criteria\" url=\"http://niap.nist.gov/cc-scheme/st/\" />. If you are interested in having a security-certified GNU/Linux distribution, try to provide the resources needed to make it possible."
msgstr ""

msgid "There are currently at least two linux distributions certified at different <ulink name=\"EAL\" url=\"http://en.wikipedia.org/wiki/Evaluation_Assurance_Level\" /> levels. Notice that some of the CC tests are being integrated into the <ulink name=\"Linux Testing Project\" url=\"http://ltp.sourceforge.net\" /> which is available in Debian in the <package>ltp</package>."
msgstr ""

msgid "Are there any hardening programs for Debian?"
msgstr ""

msgid "Yes. <ulink name=\"Bastille Linux\" url=\"http://bastille-linux.sourceforge.net/\" />, originally oriented toward other Linux distributions (Red Hat and Mandrake), it currently works also for Debian. Steps are being taken to integrate the changes made to the upstream version into the Debian package, named <package>bastille</package>."
msgstr ""

msgid "Some people believe, however, that a hardening tool does not eliminate the need for good administration."
msgstr ""

msgid "I want to run XYZ service, which one should I choose?"
msgstr ""

msgid "One of Debian's great strengths is the wide variety of choice available between packages that provide the same functionality (DNS servers, mail servers, ftp servers, web servers, etc.). This can be confusing to the novice administrator when trying to determine which package is right for you. The best match for a given situation depends on a balance between your feature and security needs. Here are some questions to ask yourself when deciding between similar packages:"
msgstr ""

msgid "Is the software maintained upstream? When was the last release?"
msgstr ""

msgid "Is the package mature? The version number really does <emphasis>not</emphasis> tell you about its maturity. Try to trace the software's history."
msgstr ""

msgid "Is the software bug-ridden? Have there been security advisories related to it?"
msgstr ""

msgid "Does the software provide all the functionality you need? Does it provide more than you really need?"
msgstr ""

msgid "How can I make service XYZ more secure in Debian?"
msgstr ""

msgid "You will find information in this document to make some services (FTP, Bind) more secure in Debian GNU/Linux. For services not covered here, check the program's documentation, or general Linux information. Most of the security guidelines for Unix systems also apply to Debian. In most cases, securing service X in Debian is like securing that service in any other Linux distribution (or Un*x, for that matter)."
msgstr ""

msgid "How can I remove all the banners for services?"
msgstr ""

msgid "If you do not like users connecting to your POP3 daemon, for example, and retrieving information about your system, you might want to remove (or change) the banner the service shows to users. <footnote><para>&gt;Note that this is 'security by obscurity', and will probably not be worth the effort in the long term.</para></footnote> Doing so depends on the software you are running for a given service. For example, in <command>postfix</command>, you can set your SMTP banner in <filename>/etc/postfix/main.cf</filename>:"
msgstr ""

msgid " \n"
"  smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) "
msgstr ""

msgid "Other software is not as easy to change. <package>ssh</package> will need to be recompiled in order to change the version that it prints. Take care not to remove the first part (<literal>SSH-2.0</literal>) of the banner, which clients use to identify which protocol(s) is supported by your package."
msgstr ""

msgid "Are all Debian packages safe?"
msgstr ""

msgid "The Debian security team cannot possibly analyze all the packages included in Debian for potential security vulnerabilities, since there are just not enough resources to source code audit the whole project. However, Debian does benefit from the source code audits made by upstream developers."
msgstr ""

msgid "As a matter of fact, a Debian developer could distribute a Trojan in a package, and there is no possible way to check it out. Even if introduced into a Debian branch, it would be impossible to cover all the possible situations in which the Trojan would execute. This is why Debian has a <emphasis>\"no guarantees\"</emphasis> license clause."
msgstr ""

msgid "However, Debian users can take confidence in the fact that the stable code has a wide audience and most problems would be uncovered through use. Installing untested software is not recommended in a critical system (if you cannot provide the necessary code audit). In any case, if there were a security vulnerability introduced into the distribution, the process used to include packages (using digital signatures) ensures that the problem can be ultimately traced back to the developer. The Debian project has not taken this issue lightly."
msgstr ""

msgid "Why are some log files/configuration files world-readable, isn't this insecure?"
msgstr ""

msgid "Of course, you can change the default Debian permissions on your system. The current policy regarding log files and configuration files is that they are world readable <emphasis>unless</emphasis> they provide sensitive information."
msgstr ""

msgid "Be careful if you do make changes since:"
msgstr ""

msgid "Processes might not be able to write to log files if you restrict their permissions."
msgstr ""

msgid "Some applications may not work if the configuration file they depend on cannot be read. For example, if you remove the world-readable permission from <filename>/etc/samba/smb.conf</filename>, the <command>smbclient</command> program will not work when run by a normal user."
msgstr ""

msgid "FIXME: Check if this is written in the Policy. Some packages (i.e. ftp daemons) seem to enforce different permissions."
msgstr ""

msgid "Why does /root/ (or UserX) have 755 permissions?"
msgstr ""

msgid "As a matter of fact, the same questions stand for any other user. Since Debian's installation does not place <emphasis>any</emphasis> file under that directory, there's no sensitive information to protect there. If you feel these permissions are too broad for your system, consider tightening them to 750. For users, read <xref linkend=\"limit-user-perm\" />."
msgstr ""

msgid "This Debian security mailing list <ulink name=\"thread\" url=\"http://lists.debian.org/debian-devel/2000/debian-devel-200011/msg00783.html\" /> has more on this issue."
msgstr ""

msgid "After installing a grsec/firewall, I started receiving many console messages! How do I remove them?"
msgstr ""

msgid "If you are receiving console messages, and have configured <filename>/etc/syslog.conf</filename> to redirect them to either files or a special TTY, you might be seeing messages sent directly to the console."
msgstr ""

msgid "The default console log level for any given kernel is 7, which means that any message with lower priority will appear in the console. Usually, firewalls (the LOG rule) and some other security tools log lower that this priority, and thus, are sent directly to the console."
msgstr ""

msgid "To reduce messages sent to the console, you can use <command>dmesg</command> (<literal>-n</literal> option, see <citerefentry><refentrytitle>dmseg</refentrytitle> <manvolnum>8</manvolnum></citerefentry>), which examines and <emphasis>controls</emphasis> the kernel ring buffer. To fix this after the next reboot, change <filename>/etc/init.d/klogd</filename> from:"
msgstr ""

msgid "\n"
"  KLOGD=\"\""
msgstr ""

msgid "to:"
msgstr ""

msgid "\n"
"  KLOGD=\"-c 4\""
msgstr ""

msgid "Use a lower number for <literal>-c</literal> if you are still seeing them. A description of the different log levels can be found in <filename>/usr/include/sys/syslog.h</filename>:"
msgstr ""

msgid ""
"\n"
"  #define LOG_EMERG       0       /* system is unusable */\n"
"  #define LOG_ALERT       1       /* action must be taken immediately */\n"
"  #define LOG_CRIT        2       /* critical conditions */\n"
"  #define LOG_ERR         3       /* error conditions */\n"
"  #define LOG_WARNING     4       /* warning conditions */\n"
"  #define LOG_NOTICE      5       /* normal but significant condition */\n"
"  #define LOG_INFO        6       /* informational */\n"
"  #define LOG_DEBUG       7       /* debug-level messages */"
msgstr ""

msgid "Operating system users and groups"
msgstr ""

msgid "Are all system users necessary?"
msgstr ""

msgid "Yes and no. Debian comes with some predefined users (user id (UID) &lt; 99 as described in <ulink name=\"Debian Policy\" url=\"http://www.debian.org/doc/debian-policy/\" /> or <filename>/usr/share/doc/base-passwd/README</filename>) to ease the installation of some services that require that they run under an appropriate user/UID. If you do not intend to install new services, you can safely remove those users who do not own any files in your system and do not run any services. In any case, the default behavior is that UID's from 0 to 99 are reserved in Debian, and UID's from 100 to 999 are created by packages on install (and deleted when the package is purged)."
msgstr ""

msgid "To easily find users who don't own any files, execute the following command<footnote><para>Be careful, as this will traverse your whole system. If you have a lot of disk and partitions you might want to reduce it in scope.</para></footnote> (run it as root, since a common user might not have enough permissions to go through some sensitive directories):"
msgstr ""

msgid ""
"\n"
"  cut -f 1 -d : /etc/passwd | \\\n"
"  while read i; do find / -user \"$i\" | grep -q . || echo \"$i\"; done"
msgstr ""

msgid "These users are provided by <package>base-passwd</package>. Look in its documentation for more information on how these users are handled in Debian. The list of default users (with a corresponding group) follows:"
msgstr ""

msgid "root: Root is (typically) the superuser."
msgstr ""

msgid "daemon: Some unprivileged daemons that need to write to files on disk run as daemon.daemon (e.g., <command>portmap</command>, <command>atd</command>, probably others). Daemons that don't need to own any files can run as nobody.nogroup instead, and more complex or security conscious daemons run as dedicated users. The daemon user is also handy for locally installed daemons."
msgstr ""

msgid "bin: maintained for historic reasons."
msgstr ""

msgid "sys: same as with bin. However, /dev/vcs* and <filename>/var/spool/cups</filename> are owned by group sys."
msgstr ""

msgid "sync: The shell of user sync is <filename>/bin/sync</filename>. Thus, if its password is set to something easy to guess (such as \"\"), anyone can sync the system at the console even if they have don't have an account."
msgstr ""

msgid "games: Many games are SETGID to games so they can write their high score files. This is explained in policy."
msgstr ""

msgid "man: The man program (sometimes) runs as user man, so it can write cat pages to <filename>/var/cache/man</filename>"
msgstr ""

msgid "lp: Used by printer daemons."
msgstr ""

msgid "mail: Mailboxes in <filename>/var/mail</filename> are owned by group mail, as explained in policy. The user and group are used for other purposes by various MTA's as well."
msgstr ""

msgid "news: Various news servers and other associated programs (such as <command>suck</command>) use user and group news in various ways. Files in the news spool are often owned by user and group news. Programs such as <command>inews</command> that can be used to post news are typically SETGID news."
msgstr ""

msgid "uucp: The uucp user and group is used by the UUCP subsystem. It owns spool and configuration files. Users in the uucp group may run uucico."
msgstr ""

msgid "proxy: Like daemon, this user and group is used by some daemons (specifically, proxy daemons) that don't have dedicated user id's and that need to own files. For example, group proxy is used by <command>pdnsd</command>, and <command>squid</command> runs as user proxy."
msgstr ""

msgid "majordom: <command>Majordomo</command> has a statically allocated UID on Debian systems for historical reasons. It is not installed on new systems."
msgstr ""

msgid "postgres: <command>Postgresql</command> databases are owned by this user and group. All files in <filename>/var/lib/postgresql</filename> are owned by this user to enforce proper security."
msgstr ""

msgid "www-data: Some web servers run as www-data. Web content should <emphasis>not</emphasis> be owned by this user, or a compromised web server would be able to rewrite a web site. Data written out by web servers, including log files, will be owned by www-data."
msgstr ""

msgid "backup: So backup/restore responsibilities can be locally delegated to someone without full root permissions."
msgstr ""

msgid "operator: Operator is historically (and practically) the only 'user' account that can login remotely, and doesn't depend on NIS/NFS."
msgstr ""

msgid "list: Mailing list archives and data are owned by this user and group. Some mailing list programs may run as this user as well."
msgstr ""

msgid "irc: Used by irc daemons. A statically allocated user is needed only because of a bug in <command>ircd</command>, which SETUID()s itself to a given UID on startup."
msgstr ""

msgid "gnats."
msgstr ""

msgid "nobody, nogroup: Daemons that need not own any files run as user nobody and group nogroup. Thus, no files on a system should be owned by this user or group."
msgstr ""

msgid "Other groups which have no associated user:"
msgstr ""

msgid "adm: Group adm is used for system monitoring tasks. Members of this group can read many log files in <filename>/var/log</filename>, and can use xconsole. Historically, <filename>/var/log</filename> was <filename>/usr/adm</filename> (and later <filename>/var/adm</filename>), thus the name of the group."
msgstr ""

msgid "tty: TTY devices are owned by this group. This is used by write and wall to enable them to write to other people's TTYs."
msgstr ""

msgid "disk: Raw access to disks. Mostly equivalent to root access."
msgstr ""

msgid "kmem: /dev/kmem and similar files are readable by this group. This is mostly a BSD relic, but any programs that need direct read access to the system's memory can thus be made SETGID kmem."
msgstr ""

msgid "dialout: Full and direct access to serial ports. Members of this group can reconfigure the modem, dial anywhere, etc."
msgstr ""

msgid "dip: The group's name stands for \"Dial-up IP\", and membership in dip allows you to use tools like <command>ppp</command>, <command>dip</command>, <command>wvdial</command>, etc. to dial up a connection. The users in this group cannot configure the modem, but may run the programs that make use of it."
msgstr ""

msgid "fax: Allows members to use fax software to send / receive faxes."
msgstr ""

msgid "voice: Voicemail, useful for systems that use modems as answering machines."
msgstr ""

msgid "cdrom: This group can be used locally to give a set of users access to a CDROM drive."
msgstr ""

msgid "floppy: This group can be used locally to give a set of users access to a floppy drive."
msgstr ""

msgid "tape: This group can be used locally to give a set of users access to a tape drive."
msgstr ""

msgid "sudo: Members of this group don't need to type their password when using <command>sudo</command>. See <filename>/usr/share/doc/sudo/OPTIONS</filename>."
msgstr ""

msgid "audio: This group can be used locally to give a set of users access to an audio device."
msgstr ""

msgid "src: This group owns source code, including files in <filename>/usr/src</filename>. It can be used locally to give a user the ability to manage system source code."
msgstr ""

msgid "shadow: <filename>/etc/shadow</filename> is readable by this group. Some programs that need to be able to access the file are SETGID shadow."
msgstr ""

msgid "utmp: This group can write to <filename>/var/run/utmp</filename> and similar files. Programs that need to be able to write to it are SETGID utmp."
msgstr ""

msgid "video: This group can be used locally to give a set of users access to a video device."
msgstr ""

msgid "staff: Allows users to add local modifications to the system (<filename>/usr/local</filename>, <filename>/home</filename>) without needing root privileges. Compare with group \"adm\", which is more related to monitoring/security."
msgstr ""

msgid "users: While Debian systems use the private user group system by default (each user has their own group), some prefer to use a more traditional group system, in which each user is a member of this group."
msgstr ""

msgid "I removed a system user! How can I recover?"
msgstr ""

msgid "If you have removed a system user and have not made a backup of your <filename>password</filename> and <filename>group</filename> files you can try recovering from this issue using <command>update-passwd</command> (see <citerefentry><refentrytitle>update-passwd</refentrytitle> <manvolnum>8</manvolnum></citerefentry>)."
msgstr ""

msgid "What is the difference between the adm and the staff group?"
msgstr ""

msgid "The 'adm' group are usually administrators, and this group permission allows them to read log files without having to <command>su</command>. The 'staff' group are usually help-desk/junior sysadmins, allowing them to work in <filename>/usr/local</filename> and create directories in <filename>/home</filename>."
msgstr ""

msgid "Why is there a new group when I add a new user? (or Why does Debian give each user one group?)"
msgstr ""

msgid "The default behavior in Debian is that each user has its own, private group. The traditional UN*X scheme assigned all users to the <emphasis>users</emphasis> group. Additional groups were created and used to restrict access to shared files associated with different project directories. Managing files became difficult when a single user worked on multiple projects because when someone created a file, it was associated with the primary group to which they belong (e.g. 'users')."
msgstr ""

msgid "Debian's scheme solves this problem by assigning each user to their own group; so that with a proper umask (0002) and the SETGID bit set on a given project directory, the correct group is automatically assigned to files created in that directory. This makes it easier for people who work on multiple projects, because they will not have to change groups or umasks when working on shared files."
msgstr ""

msgid "You can, however, change this behavior by modifying <filename>/etc/adduser.conf</filename>. Change the <emphasis>USERGROUPS</emphasis> variable to 'no', so that a new group is not created when a new user is created. Also, set <emphasis>USERS_GID</emphasis> to the GID of the users group which all users will belong to."
msgstr ""

msgid "Questions regarding services and open ports"
msgstr ""

msgid "Why are all services activated upon installation?"
msgstr ""

msgid "That's just an approach to the problem of being, on one side, security conscious and on the other side user friendly. Unlike OpenBSD, which disables all services unless activated by the administrator, Debian GNU/Linux will activate all installed services unless deactivated (see <xref linkend=\"disableserv\" /> for more information). After all you installed the service, didn't you?"
msgstr ""

msgid "There has been much discussion on Debian mailing lists (both at debian-devel and at debian-security) regarding which is the better approach for a standard installation. However, as of this writing (March 2002), there still isn't a consensus."
msgstr ""

msgid "Can I remove <command>inetd</command>?"
msgstr ""

msgid "<command>Inetd</command> is not easy to remove since <package>netbase</package> depends on the package that provides it (<package>netkit-inetd</package>). If you want to remove it, you can either disable it (see <xref linkend=\"disableserv\" />) or remove the package by using the <package>equivs</package> package."
msgstr ""

msgid "Why do I have port 111 open?"
msgstr ""

msgid "Port 111 is sunrpc's portmapper, and it is installed by default as part of Debian's base installation since there is no need to know when a user's program might need RPC to work correctly. In any case, it is used mostly for NFS. If you do not need it, remove it as explained in <xref linkend=\"rpc\" />."
msgstr ""

msgid "In versions of the <package>portmap</package> package later than 5-5 you can actually have the portmapper installed but listening only on localhost (by modifying <filename>/etc/default/portmap</filename>)"
msgstr ""

msgid "What use is <command>identd</command> (port 113) for?"
msgstr ""

msgid "Identd service is an authentication service that identifies the owner of a specific TCP/IP connection to the remote server accepting the connection. Typically, when a user connects to a remote host, <command>inetd</command> on the remote host sends back a query to port 113 to find the owner information. It is often used by mail, FTP and IRC servers, and can also be used to track down which user in your local system is attacking a remote system."
msgstr ""

msgid "There has been extensive discussion on the security of <command>identd</command> (See <ulink name=\"mailing list archives\" url=\"http://lists.debian.org/debian-security/2001/debian-security-200108/msg00297.html\" />). In general, <command>identd</command> is more helpful on a multi-user system than on a single user workstation. If you don't have a use for it, disable it, so that you are not leaving a service open to the outside world. If you decide to firewall the identd port, <emphasis>please</emphasis> use a reject policy and not a deny policy, otherwise a connection to a server utilizing <command>identd</command> will hang until a timeout expires (see <ulink name=\"reject or deny issues\" url=\"http://logi.cc/linux/reject_or_deny.php3\" />)."
msgstr ""

msgid "I have services using port 1 and 6, what are they and how can I remove them?"
msgstr ""

msgid "If you have run the command <literal>netstat -an</literal> and receive:"
msgstr ""

msgid ""
"\n"
"  Active Internet connections (servers and established)\n"
"  Proto Recv-Q Send-Q Local Address           Foreign Address         State\n"
"  PID/Program name\n"
"  raw        0      0 0.0.0.0:1               0.0.0.0:*               7\n"
"  -\n"
"  raw        0      0 0.0.0.0:6               0.0.0.0:*               7\n"
"  -"
msgstr ""

msgid "You are <emphasis>not</emphasis> seeing processes listening on TCP/UDP port 1 and 6. In fact, you are seeing a process listening on a <emphasis>raw</emphasis> socket for protocols 1 (ICMP) and 6 (TCP). Such behavior is common to both legitimate software like intrustion detection systems, such as <package>iplogger</package> and <package>portsentry</package>, but some trojans have also been known yo use them. If you have the mentioned packages simply remove them to close the port. If you do not, try netstat's <literal>-p</literal> (process) option to see which process is running these listeners."
msgstr ""

msgid "I found the port XYZ open, can I close it?"
msgstr ""

msgid "Yes, of course. The ports you are leaving open should adhere to your individual site's policy regarding public services available to other networks. Check if they are being opened by <command>inetd</command> (see <xref linkend=\"inetd\" />), or by other installed packages and take the appropriate measures (i.e, configure inetd, remove the package, avoid it running on boot-up)."
msgstr ""

msgid "Will removing services from <filename>/etc/services</filename> help secure my box?"
msgstr ""

msgid "<emphasis>No</emphasis>, <filename>/etc/services</filename> only provides a mapping between a virtual name and a given port number. Removing names from this file will not (usually) prevent services from being started. Some daemons may not run if <filename>/etc/services</filename> is modified, but that's not the norm. To properly disable the service, see <xref linkend=\"disableserv\" />."
msgstr ""

msgid "Common security issues"
msgstr ""

msgid "I have lost my password and cannot access the system!"
msgstr ""

msgid "The steps you need to take in order to recover from this depend on whether or not you have applied the suggested procedure for limiting access to <command>lilo</command> and your system's BIOS."
msgstr ""

msgid "If you have limited both, you need to disable the BIOS setting that only allows booting from the hard disk before proceeding. If you have also forgotten your BIOS password, you will have to reset your BIOS by opening the system and manually removing the BIOS battery."
msgstr ""

msgid "Once you have enabled booting from a CD-ROM or diskette enable, try the following:"
msgstr ""

msgid "Boot-up from a rescue disk and start the kernel"
msgstr ""

msgid "Go to the virtual console (Alt+F2)"
msgstr ""

msgid "Mount the hard disk where your /root is"
msgstr ""

msgid "Edit (Debian 2.2 rescue disk comes with the editor <command>ae</command>, and Debian 3.0 comes with <command>nano-tiny</command> which is similar to <command>vi</command>) <filename>/etc/shadow</filename> and change the line:"
msgstr ""

msgid "\n"
"  root:asdfjl290341274075:XXXX:X:XXXX:X::: (X=any number)"
msgstr ""

msgid "\n"
"  root::XXXX:X:XXXX:X:::"
msgstr ""

msgid "This will remove the forgotten root password, contained in the first colon separated field after the user name. Save the file, reboot the system and login with root using an empty password. Remember to reset the password. This will work unless you have configured the system more tightly, i.e. if you have not allowed users to have null passwords or not allowed root to login from the console."
msgstr ""

msgid "If you have introduced these features, you will need to enter into single user mode. If LILO has been restricted, you will need to rerun <command>lilo</command> just after the root reset above. This is quite tricky since your <filename>/etc/lilo.conf</filename> will need to be tweaked due to the root (/) file system being a ramdisk and not the real hard disk."
msgstr ""

msgid "Once LILO is unrestricted, try the following:"
msgstr ""

msgid "Press the Alt, shift or Control key just before the system BIOS finishes, and you should get the LILO prompt."
msgstr ""

msgid "Type <literal>linux single</literal>, <literal>linux init=/bin/sh</literal> or <literal>linux 1</literal> at the prompt."
msgstr ""

msgid "This will give you a shell prompt in single-user mode (it will ask for a password, but you already know it)"
msgstr ""

msgid "Re-mount read/write the root (/) partition, using the mount command."
msgstr ""

msgid "\n"
"  # mount -o remount,rw / "
msgstr ""

msgid "Change the superuser password with <command>passwd</command> (since you are superuser it will not ask for the previous password)."
msgstr ""

msgid "How do I accomplish setting up a service for my users without giving out shell accounts?"
msgstr ""

msgid "For example, if you want to set up a POP service, you don't need to set up a user account for each user accessing it. It's best to set up directory-based authentication through an external service (like Radius, LDAP or an SQL database). Just install the appropriate PAM library (<package>libpam-radius-auth</package>, <package>libpam-ldap</package>, <package>libpam-pgsql</package> or <package>libpam-mysql</package>), read the documentation (for starters, see <xref linkend=\"auth-pam\" />) and configure the PAM-enabled service to use the back end you have chosen. This is done by editing the files under <filename>/etc/pam.d/</filename> for your service and modifying the"
msgstr ""

msgid " \n"
"  auth   required    pam_unix_auth.so shadow nullok use_first_pass "
msgstr ""

msgid "to, for example, ldap:"
msgstr ""

msgid "\n"
"  auth   required    pam_ldap.so "
msgstr ""

msgid "In the case of LDAP directories, some services provide LDAP schemas to be included in your directory that are required in order to use LDAP authentication. If you are using a relational database, a useful trick is to use the <emphasis>where</emphasis> clause when configuring the PAM modules. For example, if you have a database with the following table attributes:"
msgstr ""

msgid "\n"
"  (user_id, user_name, realname, shell, password, UID, GID, homedir, sys, pop, imap, ftp)"
msgstr ""

msgid "By making the services attributes boolean fields, you can use them to enable or disable access to the different services just by inserting the appropriate lines in the following files:"
msgstr ""

msgid "<filename>/etc/pam.d/imap</filename>:<literal>where=imap=1</literal>."
msgstr ""

msgid "<filename>/etc/pam.d/qpopper</filename>:<literal>where=pop=1</literal>."
msgstr ""

msgid "<filename>/etc/nss-mysql*.conf</filename>:<literal>users.where_clause = user.sys = 1;</literal>."
msgstr ""

msgid "<filename>/etc/proftpd.conf</filename>:<literal> SQLWhereClause \"ftp=1\"</literal>."
msgstr ""

msgid "My system is vulnerable! (Are you sure?)"
msgstr ""

msgid "Vulnerability assessment scanner X says my Debian system is vulnerable!"
msgstr ""

msgid "Many vulnerability assessment scanners give false positives when used on Debian systems, since they only use version checks to determine if a given software package is vulnerable, but do not really test the security vulnerability itself. Since Debian does not change software versions when fixing a package (many times the fix made for newer releases is back ported), some tools tend to think that an updated Debian system is vulnerable when it is not."
msgstr ""

msgid "If you think your system is up to date with security patches, you might want to use the cross references to security vulnerability databases published with the DSAs (see <xref linkend=\"dsa\" />) to weed out false positives, if the tool you are using includes CVE references."
msgstr ""

msgid "I've seen an attack in my system's logs. Is my system compromised?"
msgstr ""

msgid "A trace of an attack does not always mean that your system has been compromised, and you should take the usual steps to determine if the system is indeed compromised (see <xref linkend=\"after-compromise\" />). Even if your system was not vulnerable to the attack that was logged, a determined attacker might have used some other vulnerability besides the ones you have detected."
msgstr ""

msgid "I have found strange 'MARK' lines in my logs: Am I compromised?"
msgstr ""

msgid "You might find the following lines in your system logs:"
msgstr ""

msgid ""
"\n"
"  Dec 30 07:33:36 debian -- MARK --\n"
"  Dec 30 07:53:36 debian -- MARK --\n"
"  Dec 30 08:13:36 debian -- MARK --"
msgstr ""

msgid "This does not indicate any kind of compromise, and users changing between Debian releases might find it strange. If your system does not have high loads (or many active services), these lines might appear throughout your logs. This is an indication that your <command>syslogd</command> daemon is running properly. From <citerefentry><refentrytitle>syslogd</refentrytitle> <manvolnum>8</manvolnum></citerefentry>:"
msgstr ""

msgid ""
"\n"
"       -m interval\n"
"              The syslogd logs a mark timestamp  regularly.   The\n"
"              default interval between two -- MARK -- lines is 20\n"
"              minutes.  This can be  changed  with  this  option.\n"
"              Setting the interval to zero turns it off entirely.\n"
"              "
msgstr ""

msgid "I found users using 'su' in my logs: Am I compromised?"
msgstr ""

msgid "You might find lines in your logs like:"
msgstr ""

msgid ""
"\n"
"  Apr  1 09:25:01 server su[30315]: + ??? root-nobody\n"
"  Apr  1 09:25:01 server PAM_unix[30315]: (su) session opened for user nobody by (UID=0)"
msgstr ""

msgid "Don't worry too much. Check to see if these entries are due to <command>cron</command> jobs (usually <filename>/etc/cron.daily/find</filename> or <command>logrotate</command>):"
msgstr ""

msgid ""
"\n"
"  $ grep 25 /etc/crontab\n"
"  25 9    * * *   root    test -e /usr/sbin/anacron || run-parts --report\n"
"  /etc/cron.daily\n"
"  $ grep nobody /etc/cron.daily/*\n"
"  find:cd / &amp;&amp; updatedb --localuser=nobody 2&gt;/dev/null\n"
"    "
msgstr ""

msgid "I have found 'possible SYN flooding' in my logs: Am I under attack?"
msgstr ""

msgid "If you see entries like these in your logs:"
msgstr ""

msgid ""
"\n"
"  May 1 12:35:25 linux kernel: possible SYN flooding on port X. Sending cookies.\n"
"  May 1 12:36:25 linux kernel: possible SYN flooding on port X. Sending cookies.\n"
"  May 1 12:37:25 linux kernel: possible SYN flooding on port X. Sending cookies.\n"
"  May 1 13:43:11 linux kernel: possible SYN flooding on port X. Sending cookies."
msgstr ""

msgid "Check if there is a high number of connections to the server using <command>netstat</command>, for example:"
msgstr ""

msgid ""
"\n"
"  linux:~# netstat -ant | grep SYN_RECV | wc -l\n"
"     9000"
msgstr ""

msgid "This is an indication of a denial of service (DoS) attack against your system's X port (most likely against a public service such as a web server or mail server). You should activate TCP syncookies in your kernel, see <xref linkend=\"tcp-syncookies\" />. Note, however, that a DoS attack might flood your network even if you can stop it from crashing your systems (due to file descriptors being depleted, the system might become unresponsive until the TCP connections timeout). The only effective way to stop this attack is to contact your network provider."
msgstr ""

msgid "I have found strange root sessions in my logs: Am I compromised?"
msgstr ""

msgid "You might see these kind of entries in your <filename>/var/log/auth.log</filename> file:"
msgstr ""

msgid ""
"\n"
"  May 2 11:55:02 linux PAM_unix[1477]: (cron) session closed for user root\n"
"  May 2 11:55:02 linux PAM_unix[1476]: (cron) session closed for user root\n"
"  May 2 12:00:01 linux PAM_unix[1536]: (cron) session opened for user root by\n"
"  (UID=0)\n"
"  May 2 12:00:02 linux PAM_unix[1536]: (cron) session closed for user root"
msgstr ""

msgid "These are due to a <command>cron</command> job being executed (in this example, every five minutes). To determine which program is responsible for these jobs, check entries under: <filename>/etc/crontab</filename>, <filename>/etc/cron.d</filename>, <filename>/etc/crond.daily</filename> and root's <filename>crontab</filename> under <filename>/var/spool/cron/crontabs</filename>."
msgstr ""

msgid "I have suffered a break-in, what do I do?"
msgstr ""

msgid "There are several steps you might want to take in case of a break-in:"
msgstr ""

msgid "Check if your system is up to date with security patches for published vulnerabilities. If your system is vulnerable, the chances that the system is in fact compromised are increased. The chances increase further if the vulnerability has been known for a while, since there is usually more activity related to older vulnerabilities. Here is a link to <ulink name=\"SANS Top 20 Security Vulnerabilities\" url=\"http://www.sans.org/top20/\" />."
msgstr ""

msgid "Read this document, especially the <xref linkend=\"after-compromise\" /> section."
msgstr ""

msgid "Ask for assistance. You might use the debian-security mailing list and ask for advice on how to recover/patch your system."
msgstr ""

msgid "Notify your local <ulink name=\"CERT\" url=\"http://www.cert.org\" /> (if it exists, otherwise you may want to consider contacting CERT directly). This might or might not help you, but, at the very least, it will inform CERT of ongoing attacks. This information is very valuable in determining which tools and attacks are being used by the <emphasis>blackhat</emphasis> community."
msgstr ""

msgid "How can I trace an attack?"
msgstr ""

msgid "By watching the logs (if they have not been tampered with), using intrusion detection systems (see <xref linkend=\"intrusion-detect\" />), <command>traceroute</command>, <command>whois</command> and similar tools (including forensic analysis), you may be able to trace an attack to the source. The way you should react to this information depends solely on your security policy, and what <emphasis>you</emphasis> consider is an attack. Is a remote scan an attack? Is a vulnerability probe an attack?"
msgstr ""

msgid "Program X in Debian is vulnerable, what do I do?"
msgstr ""

msgid "First, take a moment to see if the vulnerability has been announced in public security mailing lists (like Bugtraq) or other forums. The Debian Security Team keeps up to date with these lists, so they may also be aware of the problem. Do not take any further actions if you see an announcement at <ulink url=\"http://security.debian.org\" />."
msgstr ""

msgid "If no information seems to be published, please send e-mail about the affected package(s), as well as a detailed description of the vulnerability (proof of concept code is also OK), to <ulink name=\"team@security.debian.org\" url=\"mailto:team@security.debian.org\" />. This will get you in touch with Debian's security team."
msgstr ""

msgid "The version number for a package indicates that I am still running a vulnerable version!"
msgstr ""

msgid "Instead of upgrading to a new release, Debian backports security fixes to the version that was shipped in the stable release. The reason for this is to make sure that the stable release changes as little as possible, so that things will not change or break unexpectedly as a result of a security fix. You can check if you are running a secure version of a package by looking at the package changelog, or comparing its exact (upstream version -slash- debian release) version number with the version indicated in the Debian Security Advisory."
msgstr ""

msgid "Specific software"
msgstr ""

msgid "<package>proftpd</package> is vulnerable to a Denial of Service attack."
msgstr ""

msgid "Add <literal>DenyFilter \\*.*/</literal> to your configuration file, and for more information see <ulink url=\"http://www.proftpd.org/bugs.html\" />."
msgstr ""

msgid "After installing <package>portsentry</package>, there are a lot of ports open."
msgstr ""

msgid "That's just the way <command>portsentry</command> works. It opens about twenty unused ports to try to detect port scans."
msgstr ""

msgid "Questions regarding the Debian security team"
msgstr ""

msgid "The security team keeps its list of Frequently Asked Questions at the <ulink name=\"Debian Security FAQ\" url=\"http://www.debian.org/security/faq\" />. Please refer to that web page for up to date information."
msgstr ""