harden-doc-3.15.1/0000755000000000000000000000000012015440271010467 5ustar harden-doc-3.15.1/howto-source/0000755000000000000000000000000012015440415013125 5ustar harden-doc-3.15.1/howto-source/po4a/0000755000000000000000000000000012015435301013766 5ustar harden-doc-3.15.1/howto-source/po4a/po4a.cfg0000644000000000000000000000024611740132500015313 0ustar [po_directory] po4a/po/ [type: sgml] securing-debian-howto.en.sgml \ $lang:securing-debian-howto.$lang.sgml \ add_$lang:?po4a/$lang.add \ opt:"-M ISO-8859-1" harden-doc-3.15.1/howto-source/po4a/po/0000755000000000000000000000000012015435301014404 5ustar harden-doc-3.15.1/howto-source/po4a/po/securing-howto.pot0000644000000000000000000305522611740132500020121 0ustar # SOME DESCRIPTIVE TITLE # Copyright (C) YEAR Free Software Foundation, Inc. # This file is distributed under the same license as the PACKAGE package. # FIRST AUTHOR , YEAR. # #, fuzzy msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "POT-Creation-Date: 2012-04-01 15:48-0400\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" "Language: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. type: definition of entity &language; #, no-wrap msgid "en" msgstr "" #. type: definition of entity &docdate; #, no-wrap msgid "Sun, 01 Apr 2012 15:48:10 -0400" msgstr "" #. type: definition of entity &docversion; #, no-wrap msgid "CVS" msgstr "" #. type: definition of entity &bookname; #, no-wrap msgid "Anleitung zum Absichern von Debian" msgstr "" #. type: definition of entity &version; #, no-wrap msgid "Version: 3.11" msgstr "" #. type: definition of entity &bookname; #, no-wrap msgid "Manual de Seguridad de Debian" msgstr "" #. type: definition of entity &version; #, no-wrap msgid "Version: 2.4 (revisión de traducción 3)" msgstr "" #. type: definition of entity &bookname; #, no-wrap msgid "Manuel de sécurisation de Debian" msgstr "" #. 
type: definition of entity &version; #, no-wrap msgid "Version: 3.4" msgstr "" #. type: definition of entity &bookname; #: #, no-wrap msgid "Securing Debian Manual" msgstr "" #. type: definition of entity &version; #: #, no-wrap msgid "Version: 3.13" msgstr "" #. type: definition of entity &version; #, no-wrap msgid "v3.1" msgstr "" #. type: definition of entity &version; #, no-wrap msgid "v1.1" msgstr "" #. type: definition of entity &version; #, no-wrap msgid "v3.2" msgstr "" #. type: definition of entity &bookid; #, no-wrap msgid "HOWTO-Secure-Debian" msgstr "" #. type: definition of entity &gplhome; #, no-wrap msgid "http://www.gnu.org/copyleft/gpl.html" msgstr "" #. type: definition of entity &gplhomev2; #, no-wrap msgid "http://www.gnu.org/licenses/old-licenses/gpl-2.0.html" msgstr "" #. type: definition of entity &dochome; #, no-wrap msgid "/usr/share/doc" msgstr "" #. type: definition of entity &filehome; #, no-wrap msgid "&dochome;/Debian" msgstr "" #. type: definition of entity &httphome; #, no-wrap msgid "http://www.debian.org/doc/manuals" msgstr "" #. type: definition of entity &httphome2; #, no-wrap msgid "http://www.debian.org/manuals" msgstr "" #. type: definition of entity &ftphome; #, no-wrap msgid "ftp://www.debian.org/doc" msgstr "" #. type: definition of entity &cdromhome; #, no-wrap msgid "/doc" msgstr "" #. type: definition of entity &manualname; #, no-wrap msgid "manualname" msgstr "" #. type: definition of entity &packagename; #, no-wrap msgid "packagename" msgstr "" #. type: definition of entity &langname; #, no-wrap msgid "LANG" msgstr "" #. type: definition of entity &localename; #, no-wrap msgid "LOCALE" msgstr "" #. type: definition of entity &debiandoc2xml; #, no-wrap msgid "http://lists.debian.org/debian-doc/2002/debian-doc-200209/msg00094.html" msgstr "" #. type: definition of entity &authorname; #, no-wrap msgid "Javier Fernández-Sanguino Peña" msgstr "" #. 
type: definition of entity &authoremail; #, no-wrap msgid "jfs@debian.org" msgstr "" #. type: #: securing-debian-howto.en.sgml:46 en/titletoc.sgml:7 msgid "&authorname;&authoremail;" msgstr "" #. type: #: securing-debian-howto.en.sgml:46 en/titletoc.sgml:13 msgid "&version;, &docdate;" msgstr "" #. type: #: securing-debian-howto.en.sgml:46 en/titletoc.sgml:25 msgid "" "This document describes security in the Debian project and in the Debian " "operating system. Starting with the process of securing and hardening the " "default Debian GNU/Linux distribution installation, it also covers some of " "the common tasks to set up a secure network environment using Debian " "GNU/Linux, gives additional information on the security tools available and " "talks about how security is enforced in Debian by the security and audit " "team." msgstr "" #. type: #: securing-debian-howto.en.sgml:47 en/copyleft.sgml:4 msgid "Copyright © 2002-2007 Javier Fernández-Sanguino Peña" msgstr "" #. type:

#: securing-debian-howto.en.sgml:47 en/copyleft.sgml:6 msgid "Copyright © 2001 Alexander Reelsen, Javier Fernández-Sanguino Peña" msgstr "" #. type:

#: securing-debian-howto.en.sgml:47 en/copyleft.sgml:7 msgid "Copyright © 2000 Alexander Reelsen" msgstr "" #. type:

#: securing-debian-howto.en.sgml:47 en/copyleft.sgml:10 msgid "" "Some sections are copyright © their respective authors, for details " "please refer to ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:47 en/copyleft.sgml:16 msgid "" "Permission is granted to copy, distribute and/or modify this document under " "the terms of the or any published " "by the Free Software Foundation. It is distributed in the hope that it will " "be useful, but WITHOUT ANY WARRANTY." msgstr "" #. type:

#: securing-debian-howto.en.sgml:47 en/copyleft.sgml:20 msgid "" "Permission is granted to make and distribute verbatim copies of this " "document provided the copyright notice and this permission notice are " "preserved on all copies." msgstr "" #. type:

#: securing-debian-howto.en.sgml:47 en/copyleft.sgml:25 msgid "" "Permission is granted to copy and distribute modified versions of this " "document under the conditions for verbatim copying, provided that the entire " "resulting derived work is distributed under the terms of a permission notice " "identical to this one." msgstr "" #. type:

#: securing-debian-howto.en.sgml:47 en/copyleft.sgml:31 msgid "" "Permission is granted to copy and distribute translations of this document " "into another language, under the above conditions for modified versions, " "except that this permission notice may be included in translations approved " "by the Free Software Foundation instead of in the original English." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:4 securing-debian-howto.en.sgml:61 en/appendix.sgml:1810 msgid "Introduction" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:16 msgid "" "One of the hardest things about writing security documents is that every " "case is unique. Two things you have to pay attention to are the threat " "environment and the security needs of the individual site, host, or " "network. For instance, the security needs of a home user are completely " "different from those of a network in a bank. While the primary threat a home user " "needs to face is the script kiddie type of cracker, a bank network has to " "worry about directed attacks. Additionally, the bank has to protect its " "customers' data with arithmetic precision. In short, every user has to " "consider the trade-off between usability and security/paranoia." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:26 msgid "" "Note that this manual only covers issues relating to software. The best " "software in the world can't protect you if someone can physically access the " "machine. You can place it under your desk, or you can place it in a hardened " "bunker with an army in front of it. Nevertheless the desktop computer can be " "much more secure (from a software point of view) than a physically protected " "one if the desktop is configured properly and the software on the protected " "machine is full of security holes. Obviously, you must consider both issues." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:43 msgid "" "This document just gives an overview of what you can do to increase the " "security of your Debian GNU/Linux system. If you have read other documents " "regarding Linux security, you will find that there are common issues which " "might overlap with this document. However, this document does not try to be " "the ultimate source of information you will be using, it only tries to adapt " "this same information so that it is meaningful to a Debian GNU/Linux " "system. Different distributions do some things in different ways (startup of " "daemons is one example); here, you will find material which is appropriate " "for Debian's procedures and tools." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:45 msgid "Authors" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:50 msgid "" "The current maintainer of this document is . Please forward him any comments, " "additions or suggestions, and they will be considered for inclusion in " "future releases of this manual." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:60 msgid "" "This manual was started as a HOWTO by . After it was published on the Internet, " "incorporated it into the . A number of people have contributed to this manual " "(all contributions are listed in the changelog) but the following deserve " "special mention since they have provided significant contributions (full " "sections, chapters or appendices):" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:62 msgid "Stefano Canepa" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:63 msgid "Era Eriksson" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:64 msgid "Carlo Perassi" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:65 msgid "Alexandre Ratti" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:66 msgid "Jaime Robles" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:67 msgid "Yotam Rubin" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:68 msgid "Frederic Schutz" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:69 msgid "Pedro Zorzenon Neto" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:70 msgid "Oohara Yuuma" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:71 msgid "Davor Ocelic" msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:74 msgid "Where to get the manual (and available formats)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:87 msgid "" "You can download or view the latest version of the Securing Debian Manual " "from the . If you are reading a copy from " "another site, please check the primary copy in case it provides new " "information. If you are reading a translation, please compare the version the " "translation refers to against the latest version available. If you find that the " "translated version is behind, please consider using the original copy or review the to see what has changed." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:97 msgid "" "If you want a full copy of the manual you can either download the or the from the Debian Documentation Project's site. These " "versions might be more useful if you intend to copy the document over to a " "portable device for offline reading or you want to print it out. Be " "forewarned, the manual is over two hundred pages long and some of the code " "fragments, due to the formatting tools used, are not wrapped in the PDF " "version and might be printed incomplete." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:103 msgid "" "The document is also provided in text, html and PDF formats in the " "package. Notice, however, that the package may not be completely up to " "date with the document provided on the Debian site (but you can always use " "the source package to build an updated version yourself)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:113 msgid "" "This document is part of the documents distributed by the . You can review the changes introduced in the document using a " "web browser and obtaining information from the . You can also check out the code using " "SVN with the following command (note that the plain svn:// protocol neither " "encrypts the connection nor authenticates the server, so do not treat a " "checkout obtained this way as verified):" msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:115 #, no-wrap msgid "svn co svn://svn.debian.org/svn/ddp/manuals/trunk/securing-howto/" msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:118 msgid "Organizational notes/feedback" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:125 msgid "" "Now to the official part. At the moment I (Alexander Reelsen) wrote most " "paragraphs of this manual, but in my opinion this should not stay the " "case. I grew up and live with free software, it is part of my everyday use " "and I guess yours, too. I encourage everybody to send me feedback, hints, " "additions or any other suggestions you might have." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:132 msgid "" "If you think you can maintain a certain section or paragraph better, then " "write to the document maintainer and you are welcome to do it. Especially if " "you find a section marked as FIXME, that means the authors did not have the " "time yet or the needed knowledge about the topic. Drop them a mail " "immediately." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:136 msgid "" "The topic of this manual makes it quite clear that it is important to keep " "it up to date, and you can do your part. Please contribute." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:137 msgid "Prior knowledge" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:148 msgid "" "The installation of Debian GNU/Linux is not very difficult and you should " "have been able to install it. If you already have some knowledge about Linux " "or other Unices and you are a bit familiar with basic security, it will be " "easier to understand this manual, as this document cannot explain every " "little detail of a feature (otherwise this would have been a book instead of " "a manual). If you are not that familiar, however, you might want to take a " "look at for where to find more in-depth information." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:150 msgid "Things that need to be written (FIXME/TODO)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:157 msgid "" "This section describes all the things that need to be fixed in this " "manual. Some paragraphs include FIXME or TODO tags " "describing what content is missing (or what kind of work needs to be " "done). The purpose of this section is to describe all the things that could " "be included in the future in the manual, or enhancements that need to be " "done (or would be interesting to add)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:162 msgid "" "If you feel you can provide help in contributing content fixing any element " "of this list (or the inline annotations), contact the main author ()." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:168 msgid "" "This document has yet to be updated based on the latest Debian releases. The " "default configuration of some packages need to be adapted as they have been " "modified since this document was written." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:172 msgid "" "Expand the incident response information, maybe add some ideas derived from " "Red Hat's Security Guide's ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:177 msgid "" "Write about remote monitoring tools (to check for system availability) such " "as monit, daemontools and " "mon. See ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:181 msgid "" "Consider writing a section on how to build Debian-based network appliances " "(with information such as the base system, equivs and " "FAI)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:185 msgid "" "Check if has " "relevant info not yet covered here." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:188 msgid "" "Add information on how to set up a laptop with Debian ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:193 msgid "" "Add information on how to set up a firewall using Debian GNU/Linux. The " "section regarding firewalling is oriented currently towards a single system " "(not protecting others...) also talk on how to test the setup." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:205 msgid "" "Add information on setting up a proxy firewall with Debian GNU/Linux stating " "specifically which packages provide proxy services (like " "xfwp, ftp-proxy, " "redir, smtpd, dnrd, " "jftpgw, oops, " "pdnsd, perdition, " "transproxy, tsocks). Should point to " "the manual for any other info. Note that zorp is now " "available as a Debian package and is a proxy firewall (they also " "provide Debian packages upstream)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:207 msgid "Information on service configuration with file-rc." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:209 msgid "Check all the reference URLs and remove/fix those no longer available." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:211 msgid "" "Add information on available replacements (in Debian) for common servers " "which are useful for limited functionality. Examples:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:213 msgid "local lpr with cups (package)?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:214 msgid "remote lpr with lpr" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:215 msgid "bind with dnrd/maradns" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:216 msgid "apache with dhttpd/thttpd/wn (tux?)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:217 msgid "exim/sendmail with ssmtpd/smtpd/postfix" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:218 msgid "squid with tinyproxy" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:219 msgid "ftpd with oftpd/vsftp" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:220 msgid "..." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:225 msgid "" "More information regarding security-related kernel patches in Debian, " "including the ones shown above and specific information on how to enable " "these patches in a Debian system." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:227 msgid "Linux Intrusion Detection (kernel-patch-2.4-lids)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:228 msgid "Linux Trustees (in package trustees)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:230 msgid "linux-patch-openswan" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:236 msgid "" "Details of turning off unnecessary network services (besides " "inetd), it is partly in the hardening procedure but could be " "broadened a bit." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:239 msgid "Information regarding password rotation which is closely related to policy." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:241 msgid "Policy, and educating users about policy." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:243 msgid "More about tcpwrappers, and wrappers in general?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:245 msgid "hosts.equiv and other major security holes." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:247 msgid "Issues with file sharing servers such as Samba and NFS?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:249 msgid "suidmanager/dpkg-statoverrides." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:251 msgid "lpr and lprng." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:253 msgid "Switching off the GNOME IP things." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:259 msgid "" "Talk about pam_chroot (see ) " "and its usefulness to limit users. Introduce information related to . " "pdmenu, for example is available in Debian (whereas flash " "is not)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:266 msgid "" "Talk about chrooting services, some more info on ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:282 msgid "" "Talk about programs to make chroot jails. compartment and " "chrootuid are waiting in incoming. Some others (makejail, " "jailer) could also be introduced." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:285 msgid "" "More information regarding log analysis software (i.e. logcheck and " "logcolorise)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:287 msgid "'advanced' routing (traffic policing is security related)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:289 msgid "limiting ssh access to running certain commands." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:291 msgid "using dpkg-statoverride." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:293 msgid "secure ways to share a CD burner among users." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:297 msgid "" "secure ways of providing networked sound in addition to network display " "capabilities (so that X clients' sounds are played on the X server's sound " "hardware)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:299 msgid "securing web browsers." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:301 msgid "setting up ftp over ssh." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:303 msgid "using crypto loopback file systems." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:305 msgid "encrypting the entire file system." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:307 msgid "steganographic tools." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:309 msgid "setting up a PKA for an organization." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:312 msgid "" "using LDAP to manage users. There is a HOWTO of ldap+kerberos for Debian at " " written by Turbo Fredrikson." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:315 msgid "" "How to remove information of reduced utility in production systems such as " "/usr/share/doc, /usr/share/man (yes, security by " "obscurity)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:322 msgid "" "More information on lcap based on the package's README file (well, not there " "yet, see ) and from the article from LWN: ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:325 msgid "" "Add Colin's article on how to setup a chroot environment for a full sid " "system ()." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:328 msgid "" "Add information on running multiple snort sensors in a given " "system (check bug reports sent to snort)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:330 msgid "Add information on setting up a honeypot (honeyd)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:333 msgid "" "Describe situation wrt to FreeSwan (orphaned) and OpenSwan. VPN section " "needs to be rewritten." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:336 msgid "" "Add a specific section about databases, current installation defaults and " "how to secure access." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:338 msgid "Add a section about the usefulness of virtual servers (Xen et al)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:342 msgid "" "Explain how to use some integrity checkers (AIDE, integrit or samhain). The " "basics are simple and could even explain some configuration improvements." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:346 msgid "Changelog/History" msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:348 msgid "Version 3.16 (March 2011)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:350 securing-debian-howto.en.sgml:49 en/intro.sgml:371 securing-debian-howto.en.sgml:49 en/intro.sgml:381 securing-debian-howto.en.sgml:49 en/intro.sgml:395 securing-debian-howto.en.sgml:49 en/intro.sgml:412 securing-debian-howto.en.sgml:49 en/intro.sgml:476 securing-debian-howto.en.sgml:49 en/intro.sgml:493 securing-debian-howto.en.sgml:49 en/intro.sgml:514 securing-debian-howto.en.sgml:49 en/intro.sgml:531 securing-debian-howto.en.sgml:49 en/intro.sgml:541 securing-debian-howto.en.sgml:49 en/intro.sgml:587 securing-debian-howto.en.sgml:49 en/intro.sgml:609 securing-debian-howto.en.sgml:49 en/intro.sgml:630 securing-debian-howto.en.sgml:49 en/intro.sgml:645 securing-debian-howto.en.sgml:49 en/intro.sgml:674 securing-debian-howto.en.sgml:49 en/intro.sgml:690 securing-debian-howto.en.sgml:49 en/intro.sgml:698 securing-debian-howto.en.sgml:49 en/intro.sgml:725 securing-debian-howto.en.sgml:49 en/intro.sgml:733 securing-debian-howto.en.sgml:49 en/intro.sgml:762 securing-debian-howto.en.sgml:49 en/intro.sgml:769 securing-debian-howto.en.sgml:49 en/intro.sgml:781 securing-debian-howto.en.sgml:49 en/intro.sgml:1085 securing-debian-howto.en.sgml:49 en/intro.sgml:1091 securing-debian-howto.en.sgml:49 en/intro.sgml:1108 securing-debian-howto.en.sgml:49 en/intro.sgml:1118 securing-debian-howto.en.sgml:49 en/intro.sgml:1130 securing-debian-howto.en.sgml:49 en/intro.sgml:1210 securing-debian-howto.en.sgml:49 en/intro.sgml:1222 securing-debian-howto.en.sgml:49 en/intro.sgml:1228 securing-debian-howto.en.sgml:49 en/intro.sgml:1235 securing-debian-howto.en.sgml:49 en/intro.sgml:1248 securing-debian-howto.en.sgml:49 en/intro.sgml:1258 securing-debian-howto.en.sgml:49 en/intro.sgml:1269 securing-debian-howto.en.sgml:49 en/intro.sgml:1278 securing-debian-howto.en.sgml:49 en/intro.sgml:1292 securing-debian-howto.en.sgml:49 en/intro.sgml:1306 securing-debian-howto.en.sgml:49 en/intro.sgml:1326 securing-debian-howto.en.sgml:49 
en/intro.sgml:1350 securing-debian-howto.en.sgml:49 en/intro.sgml:1357 msgid "Changes by Javier Fernández-Sanguino Peña." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:354 msgid "Indicate that the document is not updated with latest versions." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:356 msgid "Update pointers to current location of sources." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:358 msgid "Update information on security updates for newer releases." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:361 msgid "" "Point information for Developers to online sources instead of keeping the " "information in the document, to prevent duplication." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:363 msgid "Fix shell script example in Appendix." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:365 msgid "Fix reference errors." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:369 msgid "Version 3.15 (December 2010)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:375 msgid "Change reference to Log Analysis' website as this is no longer available." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:379 msgid "Version 3.14 (March 2009)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:386 msgid "" "Change the section related to choosing a filesystem: note that ext3 is now " "the default." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:389 msgid "" "Change the name of the packages related to enigmail to reflect naming " "changes introduced in Debian." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:393 msgid "Version 3.13 (February 2008)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:400 msgid "" "Change URLs pointing to Bastille Linux since the domain has been ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:402 msgid "Fix pointers to Linux Ramen and Lion worms." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:404 msgid "Use linux-image in the examples instead of the (old) kernel-image packages." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:406 msgid "Fix typos spotted by Francesco Poli." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:410 msgid "Version 3.12 (August 2007)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:418 msgid "" "Update the information related to security updates. Drop the text talking " "about Tiger and include information on the update-notifier and adept tools " "(for Desktops) as well as debsecan. Also include some pointers to other " "tools available." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:420 msgid "" "Divide the firewall applications based on target users and add fireflier to " "the Desktop firewall applications list." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:423 msgid "" "Remove references to libsafe, it's not in the archive any longer (was " "removed January 2006)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:425 msgid "Fix the location of syslog's configuration, thanks to John Talbut." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:429 msgid "Version 3.11 (January 2007)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:432 msgid "" "Changes by Javier Fernández-Sanguino Peña. Thanks go to Francesco Poli for " "his extensive review of the document." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:437 msgid "" "Remove most references to the woody release as it is no longer available (in " "the archive) and security support for it is no longer available." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:438 msgid "Describe how to restrict users so that they can only do file transfers." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:439 msgid "Added a note regarding the debian-private declasiffication decision." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:440 msgid "Updated link of incident handling guides." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:442 msgid "" "Added a note saying that development tools (compilers, etc.) are not " "installed now in the default 'etch' installation." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:443 msgid "Fix references to the master security server." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:444 msgid "Add pointers to additional APT-secure documentation." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:445 msgid "Improve the description of APT signatures." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:447 msgid "" "Comment out some things which are not yet final related to the mirror's " "official public keys." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:448 msgid "Fixed name of the Debian Testing Security Team." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:449 msgid "Remove reference to sarge in an example." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:451 msgid "" "Update the antivirus section, clamav is now available on the release. Also " "mention the f-prot installer." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:452 msgid "Removes all references to freeswan as it is obsolete." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:454 msgid "" "Describe issues related to ruleset changes to the firewall if done remotely " "and provide some tips (in footnotes)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:456 msgid "" "Update the information related to the IDS installation, mention BASE and the " "need to setup a logging database." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:459 msgid "" "Rewrite the \"running bind as a non-root user\" section as this no longer " "applies to Bind9. Also remove the reference to the init.d script since the " "changes need to be done through /etc/default." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:461 msgid "" "Remove the obsolete way to setup iptables rulesets as woody is no longer " "supported." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:463 msgid "" "Revert the advice regarding LOG_UNKFAIL_ENAB it should be set to 'no' (as " "per default)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:466 msgid "" "Added more information related to updating the system with desktop tools " "(including update-notifier) and describe aptitude usage to update the " "system. Also note that dselect is deprecated." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:467 msgid "Updated the contents of the FAQ and remove redundant paragraphs." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:469 msgid "Review and update the section related to forensic analysis of malware." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:470 msgid "Remove or fix some dead links." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:472 msgid "Fix many typos and gramatical errors reported by Francesco Poli." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:475 msgid "Version 3.10 (November 2006)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:480 msgid "Provide examples using apt-cache's rdepends as suggested by Ozer Sarilar." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:483 msgid "" "Fix location of Squid's user's manual because of its relocation as notified " "by Oskar Pearson (its maintainer)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:488 msgid "" "Fix information regarding umask, it's logins.defs (and not limits.conf) " "where this can be configured for all login connections. Also state what is " "Debian's default and what would be a more restrictive value for both users " "and root. Thanks to Reinhard Tartler for spotting the bug." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:491 msgid "Version 3.9 (October 2006)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:498 msgid "" "Add information on how to track security vulnerabilities and add references " "to the Debian Testing Security Tracker." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:500 msgid "Add more information on the security support for testing." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:502 msgid "Fix a large number of typos with a patch provided by Simon Brandmair." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:505 msgid "" "Added section on how to disable root prompt on initramfs provided by Max " "Attems." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:507 msgid "Remove references to queso." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:509 msgid "Note that testing is now security-supported in the introduction." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:512 msgid "Version 3.8 (July 2006)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:520 msgid "" "Rewrote the information on how to setup ssh chroots to clarify the different " "options available, thank to Bruce Park for bringing up the different " "mistakes in this appendix." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:522 msgid "Fix lsof call as suggested by Christophe Sahut." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:524 msgid "Include patches for typo fixes from Uwe Hermann." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:526 msgid "Fix typo in reference spotted by Moritz Naumann." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:529 msgid "Version 3.7 (April 2006)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:534 msgid "Add a section on Debian Developer's best practices for security." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:536 msgid "Ammended firewall script with comments from WhiteGhost." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:539 msgid "Version 3.6 (March 2006)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:546 msgid "" "Included a patch from Thomas Sjögren which describes that noexec " "works as expected with \"new\" kernels, adds information regarding tempfile " "handling, and some new pointers to external documentation." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:550 msgid "" "Add a pointer to Dan Farmer's and Wietse Venema's forensic discovery web " "site, as suggested by Freek Dijkstra, and expanded a little bit the forensic " "analysis section with more pointers." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:552 msgid "Fixed URL of Italy's CERT, thanks to Christoph Auer." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:555 msgid "" "Reuse Joey Hess' information at the wiki on secure apt and introduce it in " "the infrastructure section." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:557 msgid "Review sections referring to old versions (woody or potato)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:559 msgid "Fix some cosmetic issues with patch from Simon Brandmair." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:565 msgid "" "Included patches from Carlo Perassi: acl patches are obsolete, openwall " "patches are obsolete too, removed fixme notes about 2.2 and 2.4 series " "kernels, hap is obsolete (and not present in WNPP), remove references to " "Immunix (StackGuard is now in Novell's hands), and fix a FIXME about the use " "of bsign or elfsign." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:568 msgid "" "Updated references to SElinux web pages to point to the Wiki (currently the " "most up to date source of information)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:571 msgid "" "Include file tags and make a more consistent use of \"MD5 sum\" with a patch " "from Jens Seidel." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:574 msgid "" "Patch from Joost van Baal improving the information on the firewall section " "(pointing to the wiki instead of listing all firewall packages available) " "(Closes: #339865)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:577 msgid "" "Review the FAQ section on vulnerability stats, thanks to Carlos Galisteo de " "Cabo for pointing out that it was out of date." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:580 msgid "" "Use the quote from the Social Contract 1.1 instead of 1.0 as suggested by " "Francesco Poli." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:585 msgid "Version 3.5 (November 2005)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:592 msgid "" "Note on the SSH section that the chroot will not work if using the nodev " "option in the partition and point to the latest ssh packages with the chroot " "patch, thanks to Lutz Broedel for pointing these issues out." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:594 msgid "" "Fix typo spotted by Marcos Roberto Greiner (md5sum should be sha1sum in code " "snippet)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:596 msgid "Included Jens Seidel's patch fixing a number of package names and typos." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:599 msgid "" "Slightly update of the tools section, removed tools no longer available and " "added some new ones." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:604 msgid "" "Rewrite parts of the section related to where to find this document and what " "formats are available (the website does provide a PDF version). Also note " "that copies on other sites and translations might be obsolete (many of the " "Google hits for the manual in other sites are actually out of date)." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:607 msgid "Version 3.4 (August-September 2005)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:615 msgid "" "Improved the after installation security enhancements related to kernel " "configuration for network level protection with a sysctl.conf file provided " "by Will Moy." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:617 msgid "Improved the gdm section, thanks to Simon Brandmair." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:619 msgid "Typo fixes from Frédéric Bothamy and Simon Brandmair." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:622 msgid "" "Improvements in the after installation sections related to how to generate " "the MD5 (or SHA-1) sums of binaries for periodic review." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:625 msgid "" "Updated the after installation sections regarding checksecurity " "configuration (was out of date)." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:628 msgid "Version 3.3 (June 2005)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:635 msgid "" "Added a code snippet to use grep-available to generate the list of packages " "depending on Perl. As requested in #302470." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:638 msgid "" "Rewrite of the section on network services (which ones are installed and how " "to disable them)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:641 msgid "" "Added more information to the honeypot deployment section mentioning useful " "Debian packages." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:644 msgid "Version 3.2 (March 2005)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:647 msgid "Expanded the PAM configuration limits section." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:649 msgid "" "Added information on how to use pam_chroot for openssh (based on " "pam_chroot's README)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:650 msgid "Fixed some minor issues reported by Dan Jacobson." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:653 msgid "" "Updated the kernel patches information partially based on a patch from Carlo " "Perassi and also by adding deprecation notes and new kernel patches " "available (adamantix)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:655 msgid "" "Included patch from Simon Brandmair that fixes a sentence related to login " "failures in terminal." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:657 msgid "" "Added Mozilla/Thunderbird to the valid GPG agents as suggested by Kapolnai " "Richard." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:659 msgid "" "Expanded the section on security updates mentioning library and kernel " "updates and how to detect when services need to be restarted." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:663 msgid "" "Rewrote the firewall section, moved the information that applies to woody " "down and expand the other sections including some information on how to " "manually set the firewall (with a sample script) and how to test the " "firewall configuration." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:664 msgid "Added some information preparing for the 3.1 release." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:666 msgid "" "Added more detailed information on kernel upgrades, specifically targeted at " "those that used the old installation system." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:669 msgid "" "Added a small section on the experimental apt 0.6 release which provides " "package signing checks. Moved old content to the section and also added a " "pointer to changes made in aptitude." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:670 msgid "Typo fixes spotted by Frédéric Bothamy." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:673 msgid "Version 3.1 (January 2005)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:676 msgid "Added clarification to ro /usr with patch from Joost van Baal." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:677 msgid "Apply patch from Jens Seidel fixing many typos." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:678 msgid "FreeSWAN is dead, long live OpenSWAN." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:680 msgid "" "Added information on restricting access to RPC services (when they cannot be " "disabled) also included patch provided by Aarre Laakso." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:681 msgid "Update aj's apt-check-sigs script." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:682 msgid "Apply patch Carlo Perassi fixing URLs." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:684 msgid "" "Apply patch from Davor Ocelic fixing many errors, typos, urls, grammar and " "FIXMEs. Also adds some additional information to some sections." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:686 msgid "" "Rewrote the section on user auditing, highlight the usage of script which " "does not have some of the issues associated to shell history." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:689 msgid "Version 3.0 (December 2004)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:693 msgid "" "Rewrote the user-auditing information and include examples on how to use " "script." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:697 msgid "Version 2.99 (March 2004)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:700 msgid "Added information on references in DSAs and CVE-Compatibility." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:701 msgid "Added information on apt 0.6 (apt-secure merge in experimental)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:702 msgid "Fixed location of Chroot daemons HOWTO as suggested by Shuying Wang." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:704 msgid "" "Changed APACHECTL line in the Apache chroot example (even if its not used at " "all) as suggested by Leonard Norrgard." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:706 msgid "" "Added a footnote regarding hardlink attacks if partitions are not setup " "properly." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:708 msgid "" "Added some missing steps in order to run bind as named as provided by " "Jeffrey Prosa." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:710 msgid "" "Added notes about Nessus and Snort out-of-dateness in woody and availability " "of backported packages." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:711 msgid "Added a chapter regarding periodic integrity test checks." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:713 msgid "" "Clarified the status of testing regarding security updates (Debian bug " "233955)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:715 msgid "" "Added more information regarding expected contents in securetty (since it's " "kernel specific)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:716 msgid "Added pointer to snoopylogger (Debian bug 179409)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:717 msgid "Added reference to guarddog (Debian bug 170710)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:719 msgid "" "apt-ftparchive is in apt-utils, not in " "apt (thanks to Emmanuel Chantreau for pointing this out)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:720 msgid "Removed jvirus from AV list." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:724 msgid "Version 2.98 (December 2003)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:727 msgid "Fixed URL as suggested by Frank Lichtenheld." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:728 msgid "Fixed PermitRootLogin typo as suggested by Stefan Lindenau." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:732 msgid "Version 2.97 (September 2003)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:739 msgid "" "Added those that have made the most significant contributions to this manual " "(please mail me if you think you should be in the list and are not)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:741 msgid "Added some blurb about FIXME/TODOs." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:744 msgid "" "Moved the information on security updates to the beginning of the section as " "suggested by Elliott Mitchell." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:748 msgid "" "Added grsecurity to the list of kernel-patches for security but added a " "footnote on the current issues with it as suggested by Elliott Mitchell." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:751 msgid "" "Removed loops (echo to 'all') in the kernel's network security script as " "suggested by Elliott Mitchell." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:753 msgid "Added more (up-to-date) information in the antivirus section." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:757 msgid "" "Rewrote the buffer overflow protection section and added more information on " "patches to the compiler to enable this kind of protection." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:761 msgid "Version 2.96 (August 2003)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:765 msgid "" "Removed (and then re-added) appendix on chrooting Apache. The appendix is " "now dual-licensed." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:768 msgid "Version 2.95 (June 2003)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:771 msgid "Fixed typos spotted by Leonard Norrgard." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:773 msgid "" "Added a section on how to contact CERT for incident handling ()." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:774 msgid "More information on setting up a Squid proxy." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:775 msgid "Added a pointer and removed a FIXME thanks to Helge H. F." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:776 msgid "Fixed a typo (save_inactive) spotted by Philippe Faes." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:777 msgid "Fixed several typos spotted by Jaime Robles." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:780 msgid "Version 2.94 (April 2003)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:784 msgid "" "Following Maciej Stachura's suggestions I've expanded the section on " "limiting users." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:785 msgid "Fixed typo spotted by Wolfgang Nolte." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:786 msgid "Fixed links with patch contributed by Ruben Leote Mendes." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:788 msgid "" "Added a link to David Wheeler's excellent document on the footnote about " "counting security vulnerabilities." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:791 msgid "Version 2.93 (March 2003)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:792 msgid "Changes made by Frédéric Schütz." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:795 msgid "rewrote entirely the section of ext2 attributes (lsattr/chattr)." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:798 msgid "Version 2.92 (February 2003)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:800 msgid "Changes by Javier Fernández-Sanguino Peña and Frédéric Schütz." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:803 msgid "" "Merge section 9.3 (\"useful kernel patches\") into section 4.13 (\"Adding " "kernel patches\"), and added some content." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:804 msgid "Added a few more TODOs." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:807 msgid "" "Added information on how to manually check for updates and also about " "cron-apt. That way Tiger is not perceived as the only way to do automatic " "update checks." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:809 msgid "" "Slightly rewrite of the section on executing a security updates due to " "Jean-Marc Ranger comments." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:811 msgid "" "Added a note on Debian's installation (which will suggest the user to " "execute a security update right after installation)." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:814 msgid "Version 2.91 (January/February 2003)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:815 securing-debian-howto.en.sgml:49 en/intro.sgml:830 securing-debian-howto.en.sgml:49 en/intro.sgml:839 securing-debian-howto.en.sgml:49 en/intro.sgml:872 msgid "Changes by Javier Fernández-Sanguino Peña (me)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:817 msgid "Added a patch contributed by Frédéric Schütz." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:818 msgid "Added a few more references on capabilities thanks to Frédéric." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:820 msgid "" "Slight changes in the bind section adding a reference to BIND's 9 online " "documentation and proper references in the first area (Hi Pedro!)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:821 msgid "Fixed the changelog date - new year :-)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:822 msgid "Added a reference to Colin's articles for the TODOs." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:823 msgid "Removed reference to old ssh+chroot patches." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:824 msgid "More patches from Carlo Perassi." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:826 msgid "Typo fixes (recursive in Bind is recursion), pointed out by Maik Holtkamp." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:829 msgid "Version 2.9 (December 2002)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:833 msgid "" "Reorganized the information on chroot (merged two sections, it didn't make " "much sense to have them separated)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:834 msgid "Added the notes on chrooting Apache provided by Alexandre Ratti." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:835 msgid "Applied patches contributed by Guillermo Jover." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:838 msgid "Version 2.8 (November 2002)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:842 msgid "" "Applied patches from Carlo Perassi, fixes include: re-wrapping the lines, " "URL fixes, and fixed some FIXMEs." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:843 msgid "Updated the contents of the Debian security team FAQ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:845 msgid "" "Added a link to the Debian security team FAQ and the Debian Developer's " "reference, the duplicated sections might (just might) be removed in the " "future." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:846 msgid "Fixed the hand-made auditing section with comments from Michal Zielinski." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:847 msgid "Added links to wordlists (contributed by Carlo Perassi)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:848 msgid "Fixed some typos (still many around)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:849 msgid "Fixed TDP links as suggested by John Summerfield." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:852 msgid "Version 2.7 (October 2002)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:855 msgid "" "Changes by Javier Fernández-Sanguino Peña (me). Note: I still have a lot of " "pending changes in my mailbox (which is currently about 5 Mbs in size)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:858 msgid "" "Some typo fixes contributed by Tuyen Dinh, Bartek Golenko and Daniel " "K. Gebhart." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:859 msgid "Note regarding /dev/kmem rootkits contributed by Laurent Bonnaud." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:860 msgid "Fixed typos and FIXMEs contributed by Carlo Perassi." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:863 msgid "Version 2.6 (September 2002)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:864 msgid "Changes by Chris Tillman, tillman@voicetrak.com." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:866 msgid "Changed around to improve grammar/spelling." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:867 msgid "s/host.deny/hosts.deny/ (1 place)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:868 msgid "Applied Larry Holish's patch (quite big, fixes a lot of FIXMEs)." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:871 msgid "Version 2.5 (September 2002)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:874 msgid "Fixed minor typos submitted by Thiemo Nagel." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:875 msgid "Added a footnote suggested by Thiemo Nagel." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:876 msgid "Fixed an URL link." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:880 msgid "Version 2.5 (August 2002)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:884 msgid "" "Changes by Javier Fernández-Sanguino Peña (me). There were many things " "waiting on my inbox (as far back as February) to be included, so I'm going " "to tag this the back from honeymoon release :)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:889 msgid "" "Applied a patch contributed by Philipe Gaspar regarding the Squid which also " "kills a FIXME." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:893 msgid "" "Yet another FAQ item regarding service banners taken from the " "debian-security mailing list (thread \"Telnet information\" started 26th " "July 2002)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:897 msgid "" "Added a note regarding use of CVE cross references in the How much time " "does the Debian security team... FAQ item." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:900 msgid "" "Added a new section regarding ARP attacks contributed by Arnaud \"Arhuman\" " "Assad." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:902 msgid "New FAQ item regarding dmesg and console login by the kernel." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:905 msgid "" "Small tidbits of information to the signature-checking issues in packages " "(it seems to not have gotten past beta release)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:908 msgid "New FAQ item regarding vulnerability assessment tools false positives." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:912 msgid "" "Added new sections to the chapter that contains information on package " "signatures and reorganized it as a new Debian Security " "Infrastructure chapter." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:914 msgid "New FAQ item regarding Debian vs. other Linux distributions." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:917 msgid "" "New section on mail user agents with GPG/PGP functionality in the security " "tools chapter." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:920 msgid "" "Clarified how to enable MD5 passwords in woody, added a pointer to PAM as " "well as a note regarding the max definition in PAM." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:924 msgid "" "Added a new appendix on how to create chroot environments (after fiddling a " "bit with makejail and fixing, as well, some of its bugs), integrated " "duplicate information in all the appendix." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:929 msgid "" "Added some more information regarding SSH chrooting and its " "impact on secure file transfers. Some information has been retrieved from " "the debian-security mailing list (June 2002 thread: secure file " "transfers)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:932 msgid "" "New sections on how to do automatic updates on Debian systems as well as the " "caveats of using testing or unstable regarding security updates." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:936 msgid "" "New section regarding keeping up to date with security patches in the " "Before compromise section as well as a new section about the " "debian-security-announce mailing list." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:938 msgid "Added information on how to automatically generate strong passwords." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:940 msgid "New section regarding login of idle users." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:944 msgid "" "Reorganized the securing mail server section based on the " "Secure/hardened/minimal Debian (or \"Why is the base system the way it " "is?\") thread on the debian-security mailing list (May 2002)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:948 msgid "" "Reorganized the section on kernel network parameters, with information " "provided in the debian-security mailing list (May 2002, syn flood " "attacked? thread) and added a new FAQ item as well." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:951 msgid "" "New section on how to check users passwords and which packages to install " "for this." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:954 msgid "" "New section on PPTP encryption with Microsoft clients discussed in the " "debian-security mailing list (April 2002)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:960 msgid "" "Added a new section describing what problems are there when binding any " "given service to a specific IP address, this information was written based " "on the Bugtraq mailing list in the thread: Linux kernel 2.4 \"weak end " "host\" issue (previously discussed on debian-security as \"arp " "problem\") (started on May 9th 2002 by Felix von Leitner)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:962 msgid "Added information on ssh protocol version 2." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:965 msgid "" "Added two subsections related to Apache secure configuration (the things " "specific to Debian, that is)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:969 msgid "" "Added a new FAQ related to raw sockets, one related to /root, an item " "related to users' groups and another one related to log and configuration " "files permissions." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:972 msgid "" "Added a pointer to a bug in libpam-cracklib that might still be " "open... (need to check)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:975 msgid "" "Added more information regarding forensics analysis (pending more " "information on packet inspection tools such as tcpflow)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:978 msgid "" "Changed the \"what should I do regarding compromise\" into a bullet list and " "included some more stuff." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:981 msgid "" "Added some information on how to set up the Xscreensaver to lock the screen " "automatically after the configured timeout." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:986 msgid "" "Added a note related to the utilities you should not install in the " "system. Included a note regarding Perl and why it cannot be easily removed " "in Debian. The idea came after reading Intersect's documents regarding Linux " "hardening." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:989 msgid "" "Added information on lvm and journalling file systems, ext3 recommended. The " "information there might be too generic, however." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:991 msgid "Added a link to the online text version (check)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:994 msgid "" "Added some more stuff to the information on firewalling the local system, " "triggered by a comment made by Hubert Chan in the mailing list." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:999 msgid "" "Added more information on PAM limits and pointers to Kurt Seifried's " "documents (related to a post by him to Bugtraq on April 4th 2002 answering a " "person that had ``discovered'' a vulnerability in Debian GNU/Linux related " "to resource starvation)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1003 msgid "" "As suggested by Julián Muñoz, provided more information on the default " "Debian umask and what a user can access if he has been given a shell in the " "system (scary, huh?)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1006 msgid "" "Included a note in the BIOS password section due to a comment from Andreas " "Wohlfeld." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1009 msgid "" "Included patches provided by Alfred E. Heggestad fixing many of the typos " "still present in the document." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1012 msgid "" "Added a pointer to the changelog in the Credits section since most people " "who contribute are listed here (and not there)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1016 msgid "" "Added a few more notes to the chattr section and a new section after " "installation talking about system snapshots. Both ideas were contributed by " "Kurt Pomeroy." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1019 msgid "" "Added a new section after installation just to remind users to change the " "boot-up sequence." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1021 msgid "Added some more TODO items provided by Korn Andras." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1024 msgid "" "Added a pointer to the NIST's guidelines on how to secure DNS provided by " "Daniel Quinlan." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1027 msgid "Added a small paragraph regarding Debian's SSL certificates infrastructure." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1030 msgid "" "Added Daniel Quinlan's suggestions regarding ssh authentication " "and exim's relay configuration." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1034 msgid "" "Added more information regarding securing bind including changes suggested " "by Daniel Quinlan and an appendix with a script to make some of the changes " "commented on in that section." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1037 msgid "" "Added a pointer to another item regarding Bind chrooting (needs to be " "merged)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1040 msgid "" "Added a one liner contributed by Cristian Ionescu-Idbohrn to retrieve " "packages with tcpwrappers support." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1042 msgid "Added a little bit more info on Debian's default PAM setup." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1045 msgid "" "Included a FAQ question about using PAM to provide services without shell " "accounts." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1048 msgid "" "Moved two FAQ items to another section and added a new FAQ regarding attack " "detection (and compromised systems)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1052 msgid "" "Included information on how to set up a bridge firewall (including a sample " "Appendix). Thanks to Francois Bayart who sent this to me in March." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1056 msgid "" "Added a FAQ regarding the syslogd's MARK heartbeat from a " "question answered by Noah Meyerhans and Alain Tesio in December 2001." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1059 msgid "" "Included information on buffer overflow protection as well as some " "information on kernel patches." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1063 msgid "" "Added more information (and reorganized) the firewall section. Updated the " "information regarding the iptables package and the firewall generators " "available." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1066 msgid "" "Reorganized the information regarding log checking, moved logcheck " "information from host intrusion detection to that section." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1069 msgid "" "Added some information on how to prepare a static package for bind for " "chrooting (untested)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1073 msgid "" "Added a FAQ item regarding some specific servers/services (could be expanded " "with some of the recommendations from the debian-security list)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1075 msgid "Added some information on RPC services (and when it's necessary)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1079 msgid "" "Added some more information on capabilities (and what lcap does). Is there " "any good documentation on this? I haven't found any documentation on my 2.4 " "kernel." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1081 securing-debian-howto.en.sgml:49 en/intro.sgml:1372 msgid "Fixed some typos." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1084 msgid "Version 2.4" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1087 msgid "Rewritten part of the BIOS section." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1090 securing-debian-howto.en.sgml:49 en/intro.sgml:1107 msgid "Version 2.3" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1093 msgid "Wrapped most file locations with the file tag." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1094 msgid "Fixed typo noticed by Edi Stojicevi." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1095 msgid "Slightly changed the remote audit tools section." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1096 msgid "Added some todo items." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1098 msgid "" "Added more information regarding printers and cups config file (taken from a " "thread on debian-security)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1100 msgid "" "Added a patch submitted by Jesus Climent regarding access of valid system " "users to Proftpd when configured as anonymous server." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1102 msgid "Small change on partition schemes for the special case of mail servers." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1103 msgid "Added Hacking Linux Exposed to the books section." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1104 msgid "Fixed directory typo noticed by Eduardo Pérez Ureta." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1105 msgid "Fixed /etc/ssh typo in checklist noticed by Edi Stojicevi." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1110 msgid "Fixed location of dpkg conffile." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1111 msgid "Remove Alexander from contact information." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1112 msgid "Added alternate mail address." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1113 msgid "Fixed Alexander mail address (even if commented out)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1115 msgid "" "Fixed location of release keys (thanks to Pedro Zorzenon for pointing this " "out)." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1117 msgid "Version 2.2" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1120 msgid "Fixed typos, thanks to Jamin W. Collins." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1122 msgid "" "Added a reference to apt-extracttemplate manpage (documents the " "APT::ExtractTemplate config)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1125 msgid "" "Added section about restricted SSH. Information based on that posted by Mark " "Janssen, Christian G. Warden and Emmanuel Lacour on the debian-security " "mailing list." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1126 msgid "Added information on antivirus software." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1127 msgid "Added a FAQ: su logs due to the cron running as root." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1129 msgid "Version 2.1" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1132 msgid "Changed FIXME from lshell thanks to Oohara Yuuma." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1133 msgid "Added package to sXid and removed comment since it *is* available." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1134 msgid "Fixed a number of typos discovered by Oohara Yuuma." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1136 msgid "" "ACID is now available in Debian (in the acidlab package) thanks to Oohara " "Yuuma for noticing." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1137 msgid "Fixed LinuxSecurity links (thanks to Dave Wreski for telling)." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1139 msgid "Version 2.0" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1142 msgid "" "Changes by Javier Fernández-Sanguino Peña. I wanted to change to 2.0 when " "all the FIXMEs were fixed but I ran out of 1.9X numbers :(." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1145 msgid "Converted the HOWTO into a Manual (now I can properly say RTFM)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1149 msgid "" "Added more information regarding tcp wrappers and Debian (now many services " "are compiled with support for them so it's no longer an inetd " "issue)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1152 msgid "" "Clarified the information on disabling services to make it more consistent " "(rpc info still referred to update-rc.d)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1154 msgid "Added small note on lprng." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1156 msgid "Added some more info on compromised servers (still very rough)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1158 msgid "Fixed typos reported by Mark Bucciarelli." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1161 msgid "" "Added some more steps in password recovery to cover the cases when the admin " "has set paranoid-mode=on." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1164 msgid "Added some information to set paranoid-mode=on when login in console." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1166 msgid "New paragraph to introduce service configuration." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1169 msgid "" "Reorganized the After installation section so it is more broken up " "into several issues and it's easier to read." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1172 msgid "" "Wrote information on how to set up firewalls with the standard Debian 3.0 " "setup (iptables package)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1175 msgid "" "Small paragraph explaining why installing connected to the Internet is not a " "good idea and how to avoid this using Debian tools." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1177 msgid "Small paragraph on timely patching referencing to IEEE paper." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1180 msgid "" "Appendix on how to set up a Debian snort box, based on what Vladimir sent to " "the debian-security mailing list (September 3rd 2001)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1183 msgid "" "Information on how logcheck is set up in Debian and how it can be used to " "set up HIDS." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1185 msgid "Information on user accounting and profile analysis." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1188 msgid "" "Included apt.conf configuration for read-only /usr copied from Olaf " "Meeuwissen's post to the debian-security mailing list." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1193 msgid "" "New section on VPN with some pointers and the packages available in Debian " "(needs content on how to set up the VPNs and Debian-specific issues), based " "on Jaroslaw Tabor's and Samuli Suonpaa's post to debian-security." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1195 msgid "Small note regarding some programs to automatically build chroot jails." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1198 msgid "" "New FAQ item regarding identd based on a discussion in the debian-security " "mailing list (February 2002, started by Johannes Weiss)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1201 msgid "" "New FAQ item regarding inetd based on a discussion in the " "debian-security mailing list (February 2002)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1203 msgid "Introduced note on rcconf in the \"disabling services\" section." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1205 msgid "Varied the approach regarding LKM, thanks to Philipe Gaspar." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1206 msgid "Added pointers to CERT documents and Counterpane resources." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1209 msgid "Version 1.99" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1212 msgid "Added a new FAQ item regarding time to fix security vulnerabilities." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1213 msgid "Reorganized FAQ sections." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1215 msgid "" "Started writing a section regarding firewalling in Debian GNU/Linux (could " "be broadened a bit)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1216 msgid "Fixed typos sent by Matt Kraai." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1217 msgid "Fixed DNS information." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1218 msgid "Added information on whisker and nbtscan to the auditing section." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1219 msgid "Fixed some wrong URLs." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1221 msgid "Version 1.98" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1224 msgid "Added a new section regarding auditing using Debian GNU/Linux." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1225 msgid "Added info regarding finger daemon taken from the security mailing list." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1227 msgid "Version 1.97" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1230 msgid "Fixed link for Linux Trustees." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1231 msgid "Fixed typos (patches from Oohara Yuuma and Pedro Zorzenon)." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1234 msgid "Version 1.96" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1239 msgid "Reorganized service installation and removal and added some new notes." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1242 msgid "" "Added some notes regarding using integrity checkers as intrusion detection " "tools." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1244 msgid "Added a chapter regarding package signatures." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1247 msgid "Version 1.95" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1252 msgid "Added notes regarding Squid security sent by Philipe Gaspar." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1254 msgid "Fixed rootkit links thanks to Philipe Gaspar." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1257 msgid "Version 1.94" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1262 msgid "Added some notes regarding Apache and Lpr/lpng." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1264 msgid "Added some information regarding noexec and read-only partitions." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1265 msgid "Rewrote how users can help in Debian security issues (FAQ item)." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1268 msgid "Version 1.93" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1273 msgid "Fixed location of mail program." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1274 securing-debian-howto.en.sgml:49 en/intro.sgml:1288 msgid "Added some new items to the FAQ." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1277 msgid "Version 1.92" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1282 msgid "Added a small section on how Debian handles security." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1284 msgid "Clarified MD5 passwords (thanks to `rocky')." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1286 msgid "Added some more information regarding harden-X from Stephen van Egmond." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1291 msgid "Version 1.91" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1296 msgid "Added some forensics information sent by Yotam Rubin." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1298 msgid "Added information on how to build a honeynet using Debian GNU/Linux." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1300 msgid "Added some more TODOS." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1302 msgid "Fixed more typos (thanks Yotam!)." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1305 msgid "Version 1.9" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1311 msgid "" "Added patch to fix misspellings and some new information (contributed by " "Yotam Rubin)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1314 msgid "" "Added references to other online (and offline) documentation both in a " "section (see ) by itself and inline in some sections." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1317 msgid "" "Added some information on configuring Bind options to restrict access to the " "DNS server." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1320 msgid "" "Added information on how to automatically harden a Debian system (regarding " "the harden package and bastille)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1322 msgid "Removed some done TODOs and added some new ones." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1325 msgid "Version 1.8" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1331 msgid "" "Added the default user/group list provided by Joey Hess to the " "debian-security mailing list." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1334 msgid "" "Added information on LKM root-kits () contributed by Philipe " "Gaspar." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1336 msgid "Added information on Proftp contributed by Emmanuel Lacour." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1338 msgid "Recovered the checklist Appendix from Era Eriksson." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1340 msgid "Added some new TODO items and removed other fixed ones." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1343 msgid "" "Manually included Era's patches since they were not all included in the " "previous version." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1345 msgid "Version 1.7" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1346 msgid "Changes by Era Eriksson." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1348 msgid "Typo fixes and wording changes." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1353 msgid "" "Minor changes to tags in order to keep on removing the tt tags and " "substitute prgn/package tags for them." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1356 msgid "Version 1.6" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1360 msgid "" "Added pointer to document as published in the DDP (should supersede the " "original in the near future)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1362 msgid "" "Started a mini-FAQ (should be expanded) with some questions recovered from " "my mailbox." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1363 msgid "Added general information to consider while securing." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1364 msgid "Added a paragraph regarding local (incoming) mail delivery." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1365 msgid "Added some pointers to more information." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1366 msgid "Added information regarding the printing service." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1367 msgid "Added a security hardening checklist." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1368 msgid "Reorganized NIS and RPC information." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1370 msgid "Added some notes taken while reading this document on my new Visor :)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1371 msgid "Fixed some badly formatted lines." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1374 msgid "Added a Genius/Paranoia idea contributed by Gaby Schilders." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1377 msgid "Version 1.5" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1379 msgid "Changes by Josip Rodin and Javier Fernández-Sanguino Peña." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1383 msgid "Added paragraphs related to BIND and some FIXMEs." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1385 msgid "Version 1.4" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1387 msgid "Small setuid check paragraph" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1388 msgid "Various minor cleanups." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1390 msgid "Found out how to use sgml2txt -f for the txt version." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1393 msgid "Version 1.3" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1396 msgid "Added a security update after installation paragraph." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1397 msgid "Added a proftpd paragraph." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1398 msgid "This time really wrote something about XDM, sorry for last time." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1401 msgid "Version 1.2" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1405 msgid "Lots of grammar corrections by James Treacy, new XDM paragraph." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1408 msgid "Version 1.1" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1411 msgid "Typo fixes, miscellaneous additions." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1414 msgid "Version 1.0" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1417 msgid "Initial release." msgstr "" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1420 msgid "Credits and thanks!" msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1424 msgid "Alexander Reelsen wrote the original document." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1426 msgid "Javier Fernández-Sanguino added more info to the original doc." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1428 msgid "Robert van der Meulen provided the quota paragraphs and many good ideas." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1430 msgid "Ethan Benson corrected the PAM paragraph and had some good ideas." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1433 msgid "Dariusz Puchalak contributed some information to several chapters." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1435 msgid "Gaby Schilders contributed a nice Genius/Paranoia idea." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1438 msgid "" "Era Eriksson smoothed out the language in a lot of places and contributed " "the checklist appendix." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1440 msgid "Philipe Gaspar wrote the LKM information." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1443 msgid "" "Yotam Rubin contributed fixes for many typos as well as information " "regarding bind versions and MD5 passwords." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1446 msgid "" "Francois Bayart provided the appendix describing how to set up a bridge " "firewall." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1449 msgid "" "Joey Hess wrote the section describing how Secure Apt works on the ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1452 msgid "" "Martin F. Krafft wrote some information on his blog regarding fingerprint " "verification which was also reused for the Secure Apt section." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1456 msgid "" "Francesco Poli did an extensive review of the manual and provided quite a " "lot of bug reports and typo fixes which improved and helped update the " "document." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1459 msgid "" "All the people who made suggestions for improvements that (eventually) were " "included here (see )." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1462 msgid "" "(Alexander) All the folks who encouraged me to write this HOWTO (which was " "later turned into a manual)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1463 msgid "The whole Debian project." msgstr "" #. type: #: securing-debian-howto.en.sgml:50 en/before-begin.sgml:6 msgid "Before you begin" msgstr "" #. type: #: securing-debian-howto.en.sgml:50 en/before-begin.sgml:8 msgid "What do you want this system for?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:14 msgid "" "Securing Debian is not very different from securing any other system; in " "order to do it properly, you must first decide what you intend to do with " "it. After this, bear in mind that the following tasks need to be taken " "care of if you want a really secure system." msgstr "" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:19 msgid "" "You will find that this manual is written from the bottom up, that is, you " "will read some information on tasks to do before, during and after you " "install your Debian system. The tasks can also be thought of as:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:25 msgid "" "Decide which services you need and limit your system to those. This includes " "deactivating/uninstalling unneeded services, and adding firewall-like " "filters, or tcpwrappers." msgstr "" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:27 msgid "Limit users and permissions in your system." msgstr "" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:31 msgid "" "Harden offered services so that, in the event of a service compromise, the " "impact to your system is minimized." msgstr "" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:34 msgid "" "Use appropriate tools to guarantee that unauthorized use is detected so that " "you can take appropriate measures." msgstr "" #. type: #: securing-debian-howto.en.sgml:50 en/before-begin.sgml:38 msgid "Be aware of general security problems" msgstr "" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:48 msgid "" "The following manual does not (usually) go into the details on why some " "issues are considered security risks. However, you might want to have a " "better background regarding general UNIX and (specific) Linux security. Take " "some time to read over security related documents in order to make informed " "decisions when you are encountered with different choices. Debian GNU/Linux " "is based on the Linux kernel, so much of the information regarding Linux, as " "well as from other distributions and general UNIX security also apply to it " "(even if the tools used, or the programs available, differ)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:50 msgid "Some useful documents include:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:57 msgid "" "The (also available at ) is one of the best references regarding general " "Linux security." msgstr "" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:62 msgid "" "The is also a very good starting " "point for novice users (both to Linux and security)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:75 msgid "" "The is a complete guide that touches all the issues " "related to security in Linux, from kernel security to VPNs. Note that it has " "not been updated since 2001, but some information is still " "relevant.

At a given time it was superseded by the \"Linux " "Security Knowledge Base\". This documentation is also provided in Debian " "through the lskb package. Now it's back as the " "Lasg again.

" msgstr "" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:79 msgid "" "Kurt Seifried's ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:84 msgid "" "In you can find a " "similar document to this manual but related to Red Hat, some of the issues " "are not distribution-specific and also apply to Debian." msgstr "" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:88 msgid "" "Another Red Hat related document is ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:94 msgid "" "IntersectAlliance has published some documents that can be used as reference " "cards on how to harden Linux servers (and their services), the documents are " "available at ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:98 msgid "" "For network administrators, a good reference for building a secure network " "is the ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:106 msgid "" "If you want to evaluate the programs you are going to use (or want to build " "up some new ones) you should read the (master copy is available at , it includes slides and " "talks from the author, David Wheeler)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:113 msgid "" "If you are considering installing firewall capabilities, you should read the " " and the (for kernels previous to 2.4)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:117 msgid "" "Finally, a good card to keep handy is the ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:125 msgid "" "In any case, there is more information regarding the services explained here " "(NFS, NIS, SMB...) in many of the HOWTOs of the . Some " "of these documents speak on the security side of a given service, so be sure " "to take a look there too." msgstr "" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:133 msgid "" "The HOWTO documents from the Linux Documentation Project are available in " "Debian GNU/Linux through the installation of the " "doc-linux-text (text version) or " "doc-linux-html (HTML version). After installation these " "documents will be available at the /usr/share/doc/HOWTO/en-txt " "and /usr/share/doc/HOWTO/en-html directories, respectively." msgstr "" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:135 msgid "Other recommended Linux books:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:141 msgid "" "Maximum Linux Security : A Hacker's Guide to Protecting Your Linux Server " "and Network. Anonymous. Paperback - 829 pages. Sams Publishing. ISBN: " "0672313413. July 1999." msgstr "" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:144 msgid "Linux Security By John S. Flowers. New Riders; ISBN: 0735700354. March 1999." msgstr "" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:148 msgid "" " By Brian Hatch. McGraw-Hill Higher Education. ISBN " "0072127732. April, 2001" msgstr "" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:153 msgid "" "Other books (which might be related to general issues regarding UNIX and " "security and not Linux specific):" msgstr "" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:160 msgid "" " Garfinkel, Simpson, and " "Spafford, Gene; O'Reilly Associates; ISBN 0-56592-148-8; 1004pp; 1996." msgstr "" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:163 msgid "" "Firewalls and Internet Security Cheswick, William R. and Bellovin, Steven " "M.; Addison-Wesley; 1994; ISBN 0-201-63357-4; 320pp." msgstr "" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:167 msgid "Some useful web sites to keep up to date regarding security:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:172 msgid "" "." msgstr "" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:177 msgid "" " the server " "that hosts the Bugtraq vulnerability database and list, and provides general " "security information, news and reports." msgstr "" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:184 msgid "" ". General " "information regarding Linux security (tools, news...). Most useful is the " " page." msgstr "" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:189 msgid "" ". General information regarding Linux firewalls " "and tools to control and administrate them." msgstr "" #. type: #: securing-debian-howto.en.sgml:50 en/before-begin.sgml:192 msgid "How does Debian handle security?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:196 msgid "" "Just so you have a general overview of security in Debian GNU/Linux you " "should take note of the different issues that Debian tackles in order to " "provide an overall secure system:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:205 msgid "" "Debian problems are always handled openly, even security related. Security " "issues are discussed openly on the debian-security mailing list. Debian " "Security Advisories (DSAs) are sent to public mailing lists (both internal " "and external) and are published on the public server. As the states:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:207 msgid "We will not hide problems" msgstr "" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:211 msgid "" "We will keep our entire bug report database open for public view at all " "times. Reports that people file online will promptly become visible to " "others." msgstr "" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:219 msgid "" "Debian follows security issues closely. The security team checks many " "security related sources, the most important being , on " "the lookout for packages with security issues that might be included in " "Debian." msgstr "" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:224 msgid "" "Security updates are the first priority. When a security problem arises in a " "Debian package, the security update is prepared as fast as possible and " "distributed for our stable, testing and unstable releases, including all " "architectures." msgstr "" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:227 msgid "" "Information regarding security is centralized in a single point, ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:231 msgid "" "Debian is always trying to improve the overall security of the distribution " "by starting new projects, such as automatic package signature verification " "mechanisms." msgstr "" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:238 msgid "" "Debian provides a number of useful security related tools for system " "administration and monitoring. Developers try to tightly integrate these " "tools with the distribution in order to make them a better suite to enforce " "local security policies. Tools include: integrity checkers, auditing tools, " "hardening tools, firewall tools, intrusion detection tools, etc." msgstr "" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:247 msgid "" "Package maintainers are aware of security issues. This leads to many " "\"secure by default\" service installations which could impose certain " "restrictions on their normal use. Debian does, however, try to balance " "security and ease of administration - the programs are not de-activated when " "you install them (as it is the case with say, the BSD family of operating " "systems). In any case, prominent security issues (such as setuid " "programs) are part of the ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:3 msgid "" "By publishing security information specific to Debian and complementing " "other information-security documents related to Debian (see ), this document aims to produce better system " "installations security-wise." msgstr "" #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:6 msgid "Before and during the installation" msgstr "" #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:7 msgid "Choose a BIOS password" msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:15 msgid "" "Before you install any operating system on your computer, set up a BIOS " "password. After installation (once you have enabled bootup from the hard " "disk) you should go back to the BIOS and change the boot sequence to disable " "booting from floppy, CD-ROM, USB and other devices that shouldn't boot. " "Otherwise an attacker only needs physical access and a bootable medium to " "access your entire system, including every file on disk regardless of its " "permissions." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:20 msgid "" "Disabling booting unless a password is supplied is even better. This can be " "very effective if you run a server, because it is not rebooted very " "often. The downside to this tactic is that rebooting requires human " "intervention which can cause problems if the machine is not easily " "accessible." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:25 msgid "" "Note: many BIOSes have well known default master passwords, applications " "also exist to retrieve the passwords from the BIOS, and the password can " "often be cleared simply by resetting the CMOS (a jumper or removing the " "battery). A BIOS password also does nothing to protect the data on a disk " "that an attacker removes and reads on another machine. Corollary: don't " "depend on this measure to secure console access to the system; treat it as " "one layer alongside physical security and disk encryption." msgstr "" #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:27 msgid "Partitioning the system" msgstr "" #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:28 msgid "Choose an intelligent partition scheme" msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:33 msgid "" "An intelligent partition scheme depends on how the machine is used. A good " "rule of thumb is to be fairly liberal with your partitions and to pay " "attention to the following factors:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:57 msgid "" "Any directory tree which a user has write permissions to, such as " "e.g. /home, /tmp and /var/tmp/, " "should be on a separate partition. This reduces the risk of a user DoS by " "filling up your \"/\" mount point and rendering the system unusable (Note: " "this is not strictly true, since there is always some space reserved for " "root which a normal user cannot fill), and it also prevents hardlink " "attacks.

A very good example of this kind of attack using /tmp " "is detailed in and (notice that the " "incident is Debian-related). It is basically an attack in which a local user " "stashes away a vulnerable setuid application by making a hard link " "to it, effectively avoiding any updates (or removal) of the binary itself " "made by the system administrator: replacing or deleting the original path " "only unlinks one name, and the old, vulnerable binary stays reachable " "through the user's link. Hard links cannot cross filesystems, which is why " "keeping user-writable directories on a separate partition defeats this. Dpkg " "was recently fixed to prevent this " "(see ) but other " "setuid binaries (not controlled by the package manager) are at risk if " "partitions are not set up correctly. Newer kernels also provide the " "fs.protected_hardlinks sysctl, which restricts hard-linking of files the " "user does not own; enable it where available as an additional layer.

" msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:65 msgid "" "Any partition which can fluctuate, e.g. /var (especially " "/var/log) should also be on a separate partition. On a Debian " "system, you should create /var a little bit bigger than on " "other systems, because downloaded packages (the apt cache) are stored in " "/var/cache/apt/archives." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:71 msgid "" "Any partition where you want to install non-distribution software should be " "on a separate partition. According to the File Hierarchy Standard, this is " "/opt or /usr/local. If these are separate " "partitions, they will not be erased if you (have to) reinstall Debian " "itself." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:75 msgid "" "From a security point of view, it makes sense to try to move static data to " "its own partition, and then mount that partition read-only. Better yet, put " "the data on read-only media. See below for more details." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:88 msgid "" "In the case of a mail server it is important to have a separate partition " "for the mail spool. Remote users (either knowingly or unknowingly) can fill " "the mail spool (/var/mail and/or " "/var/spool/mail). If the spool is on a separate partition, this " "situation will not render the system unusable. Otherwise (if the spool " "directory is on the same partition as /var) the system might " "have important problems: log entries will not be created, packages cannot be " "installed, and some programs might even have problems starting up (if they " "use /var/run)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:96 msgid "" "Also, for partitions in which you cannot be sure of the needed space, " "installing Logical Volume Manager (lvm-common and the " "needed binaries for your kernel, this might be either " "lvm10, lvm6, or " "lvm5). Using lvm, you can create volume groups " "that expand multiple physical volumes." msgstr "" #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:98 msgid "Selecting the appropriate file systems" msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:107 msgid "" "During the system partitioning you also have to decide which file system you " "want to use. The default file system

Since Debian GNU/Linux 4.0, " "codename etch

selected in the Debian installation " "for Linux partitions is ext3, a journaling file system. It is " "recommended that you always use a journaling file system, such as " "ext3, reiserfs, jfs or xfs, to minimize " "the problems derived from a system crash in the following cases:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:114 msgid "" "for laptops in all the file systems installed. That way if you run out of " "battery unexpectedly or the system freezes due to a hardware issue (such as " "X configuration which is somewhat common) you will be less likely to lose " "data during a hardware reboot." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:120 msgid "" "for production systems which store large amounts of data (like mail servers, " "ftp servers, network file systems...) it is recommended on these " "partitions. That way, in the event of a system crash, the server will take " "less time to recover and check the file systems, and data loss will be less " "likely." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:137 msgid "" "Leaving aside the performance issues regarding journalling file systems " "(since this can sometimes turn into a religious war), it is usually better " "to use the ext3 file system. The reason for this is that it is " "backwards compatible with ext2, so if there are any issues with the " "journalling you can disable it and still have a working file system. Also, " "if you need to recover the system with a bootdisk (or CD-ROM) you do not " "need a custom kernel. If the kernel is 2.4 or 2.6 ext3 support is " "already available, if it is a 2.2 kernel you will be able to boot the file " "system even if you lose journalling capabilities. If you are using other " "journalling file systems you will find that you might not be able to recover " "unless you have a 2.4 or 2.6 kernel with the needed modules built-in. If you " "are stuck with a 2.2 kernel on the rescue disk, it might be even more " "difficult to have it access reiserfs or xfs." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:141 msgid "" "In any case, data integrity might be better under ext3 since it " "does file-data journalling while others do only meta-data journalling, see " "." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:147 msgid "" "Notice, however, that there are some partitions that might not benefit from " "using a journaling filesystem. For example, if you are using a separate " "partition for /tmp/ you might be better off using a standard " "ext2 filesystem, since its contents are discarded anyway when the system " "boots (the cleanup is done by Debian's boot scripts, not by the filesystem " "itself). If /tmp is on its own partition, consider also mounting it with " "the nosuid and nodev options, so that files a user places there cannot be " "used as setuid binaries or device nodes." msgstr "" #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:149 msgid "Do not connect to the Internet until ready" msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:155 msgid "" "The system should not be immediately connected to the Internet during " "installation. This may sound obvious, but network installation is a common " "method. Since the system will install and activate services immediately, if " "the system is connected to the Internet and the services are not yet properly " "configured you are exposing it to attack during the window before you have " "hardened it." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:161 msgid "" "Also note that some services might have security vulnerabilities not fixed " "in the packages you are using for installation. This is usually true if you " "are installing from old media (like CD-ROMs). In this case, the system could " "even be compromised before you finish installation!" msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:175 msgid "" "Since Debian installation and upgrades can be done over the Internet you " "might think it is a good idea to use this feature on installation. If the " "system is going to be directly connected to the Internet (and not protected " "by a firewall or NAT; note that NAT alone only blocks unsolicited inbound " "connections and is not a substitute for a firewall policy), it is best to " "install without connection to the " "Internet, using a local packages mirror for both the Debian package sources " "and the security updates. You can set up package mirrors by using another " "system connected to the Internet with Debian-specific tools (if it's a " "Debian system) like apt-move or " "apt-proxy, or other common mirroring tools, to provide " "the archive to the installed system. Whatever the source, make sure the " "mirror is populated from a trusted archive and that apt still verifies " "package signatures against it (see the section on Secure Apt). If you " "cannot do this, you can set up firewall rules that deny all inbound " "connections and allow only the outbound traffic needed for the update while " "doing the update (see " ")." msgstr "" #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:176 msgid "Set a root password" msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:183 msgid "" "Setting a good root password is the most basic requirement for having a " "secure system. See for some hints on " "how to create good passwords. You can also use an automatic password " "generation program to do this for you (see )." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:194 msgid "" "Plenty of information on choosing good passwords can be found on the " "Internet; two that provide a decent summary and rationale are Eric Wolfram's " " and Walter Belgers' " msgstr "" #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:195 msgid "Activate shadow passwords and MD5 passwords" msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:205 msgid "" "At the end of the installation, you will be asked if shadow passwords should " "be enabled. Answer yes to this question, so password hashes will be kept in " "the file /etc/shadow instead of the world-readable /etc/passwd. Only the " "root user and the group shadow have read access to this file, so ordinary " "users will not be able to grab a copy of it in order to run a password " "cracker against it offline. Membership of the shadow group (or any " "setgid-shadow binary) therefore amounts to a sensitive privilege and should " "be granted sparingly. You can switch between shadow passwords and normal " "passwords at any time by using shadowconfig." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:211 msgid "" "Read more on shadow passwords in " "(/usr/share/doc/HOWTO/en-txt/Shadow-Password.txt.gz)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:221 msgid "" "Furthermore, the installation uses MD5 hashed passwords per default. This is " "generally a good idea compared to the traditional DES-based crypt, since it " "allows longer passwords and a stronger hash (note that passwords are hashed, " "not encrypted: a hash cannot be reversed, only guessed against). MD5 allows " "for passwords longer than 8 characters. This, if used wisely, can make it " "more difficult for attackers to brute-force the system's passwords. " "Regarding MD5 passwords, this is the default option when installing the " "latest passwd package. You can recognize MD5 passwords in the " "/etc/shadow file by their $1$ prefix. Be aware that MD5-based crypt is no " "longer considered strong; newer releases default to SHA-512 crypt " "(recognisable by the $6$ prefix), which should be preferred wherever it is " "available." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:224 msgid "" "This, as a matter of fact, modifies all files under /etc/pam.d " "by substituting the password line and include md5 in it:" msgstr "" #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:226 #, no-wrap msgid " password required pam_unix.so md5 nullok obscure min=6 max=16" msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:230 msgid "" "If max is not set over 8 the change will not be useful at all. Also " "note the nullok option in the example above: it lets accounts with an empty " "password field authenticate without a password, so remove it unless you " "explicitly rely on that behaviour. For more information on this read ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:233 msgid "" "Note: the default configuration in Debian, even when activating MD5 " "passwords, does not modify the previously set max value." msgstr "" #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:235 msgid "Run the minimum number of services required" msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:241 msgid "" "Services are programs such as ftp servers and web servers. Since they have " "to be listening for incoming connections that request the service, " "external computers can connect to yours. Services are sometimes vulnerable " "(i.e. can be compromised under a given attack) and hence present a security " "risk." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:245 msgid "" "You should not install services which are not needed on your machine. Every " "installed service might introduce new, perhaps not obvious (or known), " "security holes on your computer." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:262 msgid "" "As you may already know, when you install a given service the default " "behavior is to activate it. In a default Debian installation, with no " "services installed, the number of running services is quite low and the " "number of network-oriented services is even lower. In a default Debian 3.1 " "standard installation you will end up with OpenSSH, Exim (depending on how " "you configured it) and the RPC portmapper available as network " "services

The footprint in Debian 3.0 and earlier releases wasn't " "as tight, since some inetd services were enabled by " "default. Also standard installations of Debian 2.2 installed the NFS server " "as well as the telnet server.

. If you did not go through a " "standard installation but selected an expert installation you can end up " "with no active network services. The RPC portmapper is installed by default " "because it is needed for many services, for example NFS, to run on a given " "system. However, it can be easily removed, see for more " "information on how to secure or disable RPC services." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:273 msgid "" "When you install a new network-related service (daemon) in your Debian " "GNU/Linux system it can be enabled in two ways: through the " "inetd superdaemon (i.e. a line will be added to " "/etc/inetd.conf) or through a standalone program that binds " "itself to your network interfaces. Standalone programs are controlled " "through the /etc/init.d files, which are called at boot time " "through the SysV mechanism (or an alternative one) by using symlinks in " "/etc/rc?.d/* (for more information on how this is done read " "/usr/share/doc/sysvinit/README.runlevels.gz)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:285 msgid "" "If you want to keep some services but use them rarely, use the " "update-* commands, e.g. update-inetd and " "update-rc.d to remove them from the startup process. For more " "information on how to disable network services read . If you want to change the default behaviour of starting " "up services on installation of their associated packages

This is " "desirable if you are setting up a development chroot, for " "example.

use policy-rc.d, please read " "/usr/share/doc/sysv-rc/README.policy-rc.d.gz for more " "information." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:291 msgid "" "invoke-rc.d support is mandatory in Debian, which means that " "for Debian 4.0 etch and later releases you can write a policy-rc.d " "file that forbids starting new daemons before you configure them. Although " "no such scripts are packaged yet, they are quite simple to write. See " "policyrcd-script-zg2." msgstr "" #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:293 msgid "Disabling daemon services" msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:305 msgid "" "Disabling a daemon service is quite simple. You either remove the package " "providing the program for that service or you remove or rename the startup " "links under /etc/rc${runlevel}.d/. If you rename them make sure " "they do not begin with 'S' so that they don't get started by " "/etc/init.d/rc. Do not remove all the available links or the " "package management system will regenerate them on package upgrades, make " "sure you leave at least one link (typically a 'K', i.e. kill, link). For " "more information read section of the Debian Reference (Chapter 2 - " "Debian fundamentals)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:309 msgid "" "You can remove these links manually or using update-rc.d (see " "). For example, you can disable a " "service from executing in the multi-user runlevels by doing:" msgstr "" #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:311 #, no-wrap msgid " # update-rc.d name stop XX 2 3 4 5 ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:325 msgid "" "Where XX is a number that determines when the stop action for that " "service will be executed. Please note that, if you are not using " "file-rc, update-rc.d -f service " "remove will not work properly, since all links are removed, " "upon re-installation or upgrade of the package these links will be " "re-generated (probably not what you wanted). If you think this is not " "intuitive you are probably right (see ). From the manpage:" msgstr "" #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:330 #, no-wrap msgid "" " If any files /etc/rcrunlevel.d/[SK]??name already exist then\n" " update-rc.d does nothing. This is so that the system administrator \n" " can rearrange the links, provided that they leave at least one\n" " link remaining, without having their configuration overwritten." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:336 msgid "" "If you are using file-rc all the information regarding " "services bootup is handled by a common configuration file and is maintained " "even if packages are removed from the system." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:343 msgid "" "You can use the TUI (Text User Interface) provided by " "sysv-rc-conf to do all these changes easily " "(sysv-rc-conf works both for file-rc and " "normal System V runlevels). You will also find similar GUIs for desktop " "systems. You can also use the command line interface of " "sysv-rc-conf:" msgstr "" #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:345 #, no-wrap msgid " # sysv-rc-conf foobar off" msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:351 msgid "" "The advantage of using this utility is that the rc.d links are returned to " "the status they had before the 'off' call if you re-enable the service with:" msgstr "" #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:353 #, no-wrap msgid " # sysv-rc-conf foobar on" msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:358 msgid "Other (less recommended) methods of disabling services are:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:363 msgid "" "Removing the /etc/init.d/service_name script and " "removing the startup links using:" msgstr "" #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:365 #, no-wrap msgid " # update-rc.d name remove" msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:374 msgid "" "Move the script file (/etc/init.d/service_name) to " "another name (for example " "/etc/init.d/OFF.service_name). This will leave " "dangling symlinks under /etc/rc${runlevel}.d/ and will generate " "error messages when booting up the system." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:378 msgid "" "Remove the execute permission from the " "/etc/init.d/service_name file. That will also " "generate error messages when booting." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:384 msgid "" "Edit the /etc/init.d/service_name script to have it " "stop immediately once it is executed (by adding an exit 0 line " "at the beginning or commenting out the start-stop-daemon part in " "it). If you do this, you will not be able to use the script to startup the " "service manually later on." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:390 msgid "" "Nevertheless, the files under /etc/init.d are configuration " "files and should not get overwritten due to package upgrades if you have " "made local changes to them." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:394 msgid "" "Unlike other (UNIX) operating systems, services in Debian cannot be disabled " "by modifying files in /etc/default/service_name." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:397 msgid "" "FIXME: Add more information on handling daemons using " "file-rc." msgstr "" #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:398 msgid "Disabling inetd or its services" msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:408 msgid "" "You should check if you really need the inetd daemon " "nowadays. Inetd was always a way to compensate for kernel deficiencies, but " "those have been taken care of in modern Linux kernels. Denial of Service " "possibilities exist against inetd (which can increase the " "machine's load tremendously), and many people always preferred using " "stand-alone daemons instead of calling services via inetd. If " "you still want to run some kind of inetd service, then at least " "switch to a more configurable Inet daemon like xinetd, " "rlinetd or openbsd-inetd." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:416 msgid "" "You should stop all unneeded Inetd services on your system, like " "echo, chargen, discard, " "daytime, time, talk, " "ntalk and r-services (rsh, rlogin and " "rcp) which are considered HIGHLY insecure (use ssh " "instead)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:423 msgid "" "You can disable services by editing /etc/inetd.conf directly, " "but Debian provides a better alternative: update-inetd (which " "comments out the services in a way that they can easily be turned on again). You " "could remove the telnet daemon by executing this command to " "change the config file and to restart the daemon (in this case the " "telnet service is disabled):" msgstr "" #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:425 #, no-wrap msgid " /usr/sbin/update-inetd --disable telnet" msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:434 msgid "" "If you do want services listening, but do not want to have them listen on " "all IP addresses of your host, you might want to use an undocumented feature " "on inetd (replace service name with service@ip syntax) or use " "an alternative inetd daemon like xinetd." msgstr "" #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:436 msgid "Install the minimum amount of software required" msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:455 msgid "" "Debian comes with a lot of software, for example the Debian 3.0 " "woody release includes 6 or 7 (depending on architecture) CD-ROMs " "of software and thousands of packages, and the Debian 3.1 sarge " "release ships with around 13 CD-ROMs of software. With so much software, and " "even if the base system installation is quite reduced

For " "example, in Debian woody it is around 400-500 Mbs, try this: $ " "size=0 $ for i in `grep -A 1 -B 1 \"^Section: base\" /var/lib/dpkg/available " "| grep -A 2 \"^Priority: required\" |grep \"^Installed-Size\" |cut -d : -f 2 " "`; do size=$(($size+$i)); done $ echo $size 47762

" "you might get carried away and install more than is really needed for your " "system." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:462 msgid "" "Since you already know what the system is for (don't you?) you should only " "install software that is really needed for it to work. Any unnecessary tool " "that is installed might be used by a user that wants to compromise the " "system or by an external intruder that has gotten shell access (or remote " "code execution through an exploitable service)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:467 msgid "" "The presence, for example, of development utilities (a C compiler) or " "interpreted languages (such as perl - but see below -, " "python, tcl...) may help an attacker compromise " "the system even further:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:472 msgid "" "allowing him to do privilege escalation. It's easier, for example, to run " "local exploits in the system if there is a debugger and compiler ready to " "compile and test them!" msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:481 msgid "" "providing tools that could help the attacker to use the compromised system " "as a base of attack against other systems.

Many " "intrusions are made just to get access to resources to do illegitimate " "activity (denial of service attacks, spam, rogue ftp servers, dns " "pollution...) rather than to obtain confidential data from the compromised " "system.

" msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:493 msgid "" "Of course, an intruder with local shell access can download his own set of " "tools and execute them, and even the shell itself can be used to make " "complex programs. Removing unnecessary software will not help " "prevent the problem but will make it slightly more difficult for an " "attacker to proceed (and some might give up in this situation looking for " "easier targets). So, if you leave tools in a production system that could be " "used to remotely attack systems (see ) you can expect " "an intruder to use them too if available." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:501 msgid "" "Please notice that a default installation of Debian sarge (i.e. an " "installation where no individual packages are selected) will install a " "number of development packages that are not usually needed. This is because " "some development packages are of Standard priority. If you are not " "going to do any development you can safely remove the following packages " "from your system, which will also help free up some space:" msgstr "" #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:520 #, no-wrap msgid "" "Package Size\n" "------------------------+--------\n" "gdb 2,766,822\n" "gcc-3.3 1,570,284\n" "dpkg-dev 166,800\n" "libc6-dev 2,531,564\n" "cpp-3.3 1,391,346\n" "manpages-dev 1,081,408\n" "flex 257,678\n" "g++ 1,384 (Note: virtual package)\n" "linux-kernel-headers 1,377,022\n" "bin86 82,090\n" "cpp 29,446\n" "gcc 4,896 (Note: virtual package)\n" "g++-3.3 1,778,880\n" "bison 702,830\n" "make 366,138\n" "libstdc++5-3.3-dev 774,982" msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:530 msgid "" "This is something that is fixed in releases post-sarge, see and . Due to a bug in the installation system this did not happen when " "installing with the installation system of the Debian 3.0 woody " "release." msgstr "" #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:532 msgid "Removing Perl" msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:542 msgid "" "You must take into account that removing perl might not be too " "easy (as a matter of fact it can be quite difficult) in a Debian system " "since it is used by many system utilities. Also, the " "perl-base is Priority: required (that about says " "it all). It's still doable, but you will not be able to run any " "perl application in the system; you will also have to fool the " "package management system to think that the perl-base is " "installed even if it's not.

You can make (on another system) a " "dummy package with equivs.

" msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:544 msgid "Which utilities use perl? You can see for yourself:" msgstr "" #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:547 #, no-wrap msgid "" " $ for i in /bin/* /sbin/* /usr/bin/* /usr/sbin/*; do [ -f $i ] && {\n" " type=`file $i | grep -il perl`; [ -n \"$type\" ] && echo $i; }; done" msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:552 msgid "" "These include the following utilities in packages with priority " "required or important:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:556 msgid "/usr/bin/chkdupexe of package util-linux." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:559 msgid "/usr/bin/replay of package bsdutils." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:562 msgid "/usr/sbin/cleanup-info of package dpkg." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:565 msgid "/usr/sbin/dpkg-divert of package dpkg." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:568 msgid "/usr/sbin/dpkg-statoverride of package dpkg." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:571 msgid "/usr/sbin/install-info of package dpkg." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:574 msgid "" "/usr/sbin/update-alternatives of package " "dpkg." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:577 msgid "/usr/sbin/update-rc.d of package sysvinit." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:580 msgid "/usr/bin/grog of package groff-base." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:583 msgid "/usr/sbin/adduser of package adduser." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:586 msgid "/usr/sbin/debconf-show of package debconf." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:589 msgid "/usr/sbin/deluser of package adduser." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:592 msgid "" "/usr/sbin/dpkg-preconfigure of package " "debconf." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:595 msgid "" "/usr/sbin/dpkg-reconfigure of package " "debconf." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:598 msgid "/usr/sbin/exigrep of package exim." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:601 msgid "/usr/sbin/eximconfig of package exim." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:604 msgid "/usr/sbin/eximstats of package exim." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:607 msgid "" "/usr/sbin/exim-upgrade-to-r3 of package " "exim." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:610 msgid "/usr/sbin/exiqsumm of package exim." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:613 msgid "/usr/sbin/keytab-lilo of package lilo." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:616 msgid "/usr/sbin/liloconfig of package lilo." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:619 msgid "/usr/sbin/lilo_find_mbr of package lilo." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:622 msgid "" "/usr/sbin/syslogd-listfiles of package " "sysklogd." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:625 msgid "" "/usr/sbin/syslog-facility of package " "sysklogd." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:628 msgid "/usr/sbin/update-inetd of package netbase." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:635 msgid "" "So, without Perl, unless you remake these utilities in shell script, you " "will probably not be able to manage any packages (so you will not be able to " "upgrade the system, which is not a Good Thing)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:640 msgid "" "If you are determined to remove Perl from the Debian base system, and you " "have spare time, submit bug reports to the previous packages including (as a " "patch) replacements for the utilities above written in shell script." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:642 msgid "If you wish to check out which Debian packages depend on Perl you can use" msgstr "" #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:644 #, no-wrap msgid "$ grep-available -s Package,Priority -F Depends perl" msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:647 msgid "or" msgstr "" #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:649 #, no-wrap msgid "$ apt-cache rdepends perl" msgstr "" #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:653 msgid "Read the Debian security mailing lists" msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:659 msgid "" "It is never wrong to take a look at either the debian-security-announce " "mailing list, where advisories and fixes to released packages are announced " "by the Debian security team, or at , where you can participate " "in discussions about things related to Debian security." msgstr "" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:667 msgid "" "In order to receive important security update alerts, send an email to with the word " "\"subscribe\" in the subject line. You can also subscribe to this moderated " "email list via the web page at ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:3 msgid "" "This mailing list has very low volume, and by subscribing to it you will be " "immediately alerted of security updates for the Debian distribution. This " "allows you to quickly download new packages with security bug fixes, which " "is very important in maintaining a secure system (see for details on how to do this)." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:5 msgid "After installation" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:12 msgid "" "Once the system is installed you can still do more to secure the system; " "some of the steps described in this chapter can be taken. Of course this " "really depends on your setup but for physical access prevention you should " "read ,,, , and ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:17 msgid "" "Before connecting to any network, especially if it's a public one you " "should, at the very least, execute a security update (see ). Optionally, you could take a snapshot of your " "system (see )." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:19 msgid "Subscribe to the Debian Security Announce mailing list" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:26 msgid "" "In order to receive information on available security updates you should " "subscribe yourself to the debian-security-announce mailing list in order to " "receive the Debian Security Advisories (DSAs). See for more information on how the Debian security team " "works. For information on how to subscribe to the Debian mailing lists read " "." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:29 msgid "" "DSAs are signed with the Debian Security Team's signature which can be " "retrieved from ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:37 msgid "" "You should consider, also, subscribing to the for general discussion on security issues in the Debian " "operating system. You will be able to contact other fellow system " "administrators in the list as well as Debian developers and upstream " "developers of security tools who can answer your questions and offer advice." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:39 msgid "FIXME: Add the key here too?" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:41 msgid "Execute a security update" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:46 msgid "" "As soon as new security bugs are detected in packages, Debian maintainers " "and upstream authors generally patch them within days or even hours. After " "the bug is fixed, a new package is provided on ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:52 msgid "" "If you are installing a Debian release you must take into account that since " "the release was made there might have been security updates after it has " "been determined that a given package is vulnerable. Also, there might have " "been minor releases (there have been four for the Debian 3.0 sarge " "release) which include these package updates." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:58 msgid "" "During installation security updates are configured for your system and " "pending updates downloaded and applied, unless you specifically opt out of " "this or the system was not connected to the Internet. The updates are " "applied even before the first boot, so the new system starts its life as up " "to date as possible." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:63 msgid "" "To manually update the system, put the following line in your " "sources.list and you will get security updates automatically, " "whenever you update your system. Replace [CODENAME] with the " "release codename, e.g. squeeze." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:65 #, no-wrap msgid " deb http://security.debian.org/ [CODENAME]/updates main contrib non-free" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:70 msgid "" "Note: If you are using the testing branch use the security " "testing mirror sources as described in ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:83 msgid "" "Once you've done this you can use multiple tools to upgrade your system. If " "you are running a desktop system you will have

In etch " "and later releases

an application called " "update-notifier that will make it easy to check if new updates " "are available, by selecting it you can make a system upgrade from the " "desktop (using update-manager). For more information see . In desktop environments you can also use " "synaptic (GNOME), kpackage or " "adept (KDE) for more advanced interfaces. If you are " "running a text-only terminal you can use aptitude, " "apt or dselect (deprecated) to " "upgrade:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:87 msgid "" "If you want to use aptitude's text interface you just " "have to press u (update) followed by g (to upgrade). Or " "just do the following from the command line (as root):" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:90 #, no-wrap msgid "" "# aptitude update\n" "# aptitude upgrade" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:95 msgid "" "If you want to use apt do just like with aptitude but " "substitute the aptitude lines above with apt-get." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:97 msgid "" "If you want to use dselect then first [U]pdate, then " "[I]nstall and finally, [C]onfigure the installed/upgraded packages." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:103 msgid "" "If you like, you can add the deb-src lines to " "/etc/apt/sources.list as well. See for further details." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:105 msgid "Security update of libraries" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:115 msgid "" "Once you have executed a security update you might need to restart some of " "the system services. If you do not do this, some services might still be " "vulnerable after a security upgrade. The reason for this is that daemons " "that are running before an upgrade might still be using the old libraries " "before the upgrade

Even though the libraries have been removed " "from the filesystem the inodes will not be cleared up until no program has " "an open file descriptor pointing to them.

. In order to detect " "which daemons might need to be restarted you can use the " "checkrestart program (available in the " "debian-goodies package) or use this one " "liner

Depending on your lsof version you might need to use $8 " "instead of $9

(as root):" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:117 #, no-wrap msgid "" "# lsof | grep <the_upgraded_library> | awk '{print $1, $9}' | uniq | " "sort -k 1" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:125 msgid "" "Some packages (like libc6) will do this check in the " "postinst phase for a limited set of services specially since an upgrade of " "essential libraries might break some applications (until " "restarted)

This happened, for example, in the upgrade from libc6 " "2.2.x to 2.3.x due to NSS authentication issues, see .

." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:130 msgid "" "Bringing the system to run level 1 (single user) and then back to run level " "3 (multi user) should take care of the restart of most (if not all) system " "services. But this is not an option if you are executing the security " "upgrade from a remote connection (like ssh) since it will be severed." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:136 msgid "" "Exercise caution when dealing with security upgrades if you are doing them " "over a remote connection like ssh. A suggested procedure for a security " "upgrade that involves a service restart is to restart the SSH daemon and " "then, immediately, attempt a new ssh connection without breaking the " "previous one. If the connection fails, revert the upgrade and investigate " "the issue." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:139 msgid "Security update of the kernel" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:145 msgid "" "First, make sure your kernel is being managed through the packaging " "system. If you have installed using the installation system from Debian 3.0 " "or previous releases, your kernel is not integrated into the " "packaging system and might be out of date. You can easily confirm this by " "running:" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:148 #, no-wrap msgid "" "$ dpkg -S `readlink -f /vmlinuz`\n" "linux-image-2.6.18-4-686: /boot/vmlinuz-2.6.18-4-686" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:168 msgid "" "If your kernel is not being managed you will see a message saying that the " "package manager did not find the file associated with any package instead of " "the message above, which says that the file associated with the current " "running kernel is being provided by the " "linux-image-2.6.18-4-686. So first, you will need to " "manually install a kernel image package. The exact kernel image you need to " "install depends on your architecture and your preferred kernel version. Once " "this is done, you will be able to manage the security updates of the kernel " "just like those of any other package. In any case, notice that the kernel " "updates will only be done for kernel updates of the same kernel " "version you are using, that is, apt will not automatically " "upgrade your kernel from the 2.4 release to the 2.6 release (or from the " "2.4.26 release to the 2.4.27 release

Unless you have installed a " "kernel metapackage like linux-image-2.6-686 which will " "always pull in the latest kernel minor revision for a kernel release and a " "given architecture.

)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:172 msgid "" "The installation system of recent Debian releases will handle the selected " "kernel as part of the package system. You can review which kernels you have " "installed by running:" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:174 #, no-wrap msgid "$ COLUMNS=150 dpkg -l 'linux-image*' | awk '$1 ~ /ii/ { print $0 }'" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:178 msgid "To see if your kernel needs to be updated run:" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:188 #, no-wrap msgid "" "$ kernfile=`readlink -f /vmlinuz`\n" "$ kernel=`dpkg -S $kernfile | awk -F : '{print $1}'`\n" "$ apt-cache policy $kernel\n" "linux-image-2.6.18-4-686:\n" " Installed: 2.6.18.dfsg.1-12\n" " Candidate: 2.6.18.dfsg.1-12\n" " Version table:\n" " *** 2.6.18.dfsg.1-12 0\n" " 100 /var/lib/dpkg/status" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:198 msgid "" "If you are doing a security update which includes the kernel image you " "need to reboot the system in order for the security update to be " "useful. Otherwise, you will still be running the old (and vulnerable) kernel " "image." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:222 msgid "" "If you need to do a system reboot (because of a kernel upgrade) you should " "make sure that the kernel will boot up correctly and network connectivity " "will be restored, specially if the security upgrade is done over a remote " "connection like ssh. For the former you can configure your boot loader to " "reboot to the original kernel in the event of a failure (for more detailed " "information read ). For the latter you have to " "introduce a network connectivity test script that will check if the kernel " "has started up the network subsystem properly and reboot the system if it " "did not

A sample script called is available in the article. A more elaborate network " "connectivity testing script is available in the article.

. This should prevent nasty " "surprises like updating the kernel and then realizing, after a reboot, that " "it did not detect or configure the network hardware properly and you need to " "travel a long distance to bring the system up again. Of course, having the " "system serial console

Setting up a serial console is beyond the " "scope of this document, for more information read the " "and the .

in the system " "connected to a console or terminal server should also help debug reboot " "issues remotely." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:228 msgid "Change the BIOS (again)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:235 msgid "" "Remember ? Well, then you should now, once you do " "not need to boot from removable media, change the default BIOS setup so " "that it only boots from the hard drive. Make sure you will not lose " "the BIOS password, otherwise, in the event of a hard disk failure you will " "not be able to return to the BIOS and change the setup so you can recover it " "using, for example, a CD-ROM." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:240 msgid "" "Another less secure but more convenient way is to change the setup to have " "the system boot up from the hard disk and, if it fails, try removable " "media. By the way, this is often done because most people don't use the BIOS " "password that often; it's easily forgotten." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:241 msgid "Set a LILO or GRUB password" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:248 msgid "" "Anybody can easily get a root-shell and change your passwords by entering " "<name-of-your-bootimage> init=/bin/sh at the boot " "prompt. After changing the passwords and rebooting the system, the person " "has unlimited root-access and can do anything he/she wants to the " "system. After this procedure you will not have root access to your system, " "as you do not know the root password." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:252 msgid "" "To make sure that this cannot happen, you should set a password for the boot " "loader. You can choose between a global password or a password for a certain " "image." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:256 msgid "" "For LILO you need to edit the config file /etc/lilo.conf and " "add a password and restricted line as in the example " "below." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:262 #, no-wrap msgid "" " image=/boot/2.2.14-vmlinuz\n" " label=Linux\n" " read-only\n" " password=hackme\n" " restricted" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:272 msgid "" "Then, make sure that the configuration file is not world readable to prevent " "local users from reading the password. When done, rerun lilo. Omitting the " "restricted line causes lilo to always prompt for a password, " "regardless of whether LILO was passed parameters. The default permissions " "for /etc/lilo.conf grant read and write permissions to root, " "and enable read-only access for lilo.conf's group, root." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:279 msgid "" "If you use GRUB instead of LILO, edit /boot/grub/menu.lst and " "add the following two lines at the top (substituting, of course " "hackme with the desired password). This prevents users from editing " "the boot items. timeout 3 specifies a 3 second delay before " "grub boots the default item." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:282 #, no-wrap msgid "" " timeout 3\n" " password hackme" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:290 msgid "" "To further harden the integrity of the password, you may store the password " "in an encrypted form. The utility grub-md5-crypt generates a " "hashed password which is compatible with GRUB's encrypted password algorithm " "(MD5). To specify in grub that an MD5 format password will be " "used, use the following directive:" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:293 #, no-wrap msgid "" " timeout 3\n" " password --md5 $1$bw0ez$tljnxxKLfMzmnDVaQWgjP0" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:301 msgid "" "The --md5 parameter was added to instruct grub to perform the " "MD5 authentication process. The provided password is the MD5-hashed " "version of hackme. Using the MD5 password method is preferable to choosing " "its clear-text counterpart. More information about grub " "passwords may be found in the grub-doc package." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:303 msgid "Disable root prompt on the initramfs" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:306 msgid "" "Note: This applies to the default kernels provided for releases after Debian " "3.1" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:312 msgid "" "Linux 2.6 kernels provide a way to access a root shell while booting which " "will be presented during loading the initramfs on error. This is helpful to " "permit the administrator to enter a rescue shell with root permissions. This " "shell can be used to manually load modules when autodetection fails. This " "behavior is the default for initramfs-tools generated " "initramfs. The following message will appear:" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:314 #, no-wrap msgid " \"ALERT! /dev/sda1 does not exist. Dropping to a shell!" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:321 msgid "" "In order to remove this behavior you need to set the following boot " "argument: panic=0. Either add it to the kopt section of " "/boot/grub/menu.lst and issue update-grub or to " "the append section of /etc/lilo.conf." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:323 msgid "Remove root prompt on the kernel" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:326 msgid "" "Note: This does not apply to the kernels provided for Debian 3.1 as the " "timeout for the kernel delay has been changed to 0." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:332 msgid "" "Linux 2.4 kernels provide a way to access a root shell while booting which " "will be presented just after loading the cramfs file system. A message will " "appear to permit the administrator to enter an executable shell with root " "permissions, this shell can be used to manually load modules when " "autodetection fails. This behavior is the default for initrd's " "linuxrc. The following message will appear:" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:334 #, no-wrap msgid " Press ENTER to obtain a shell (waits 5 seconds)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:338 msgid "" "In order to remove this behavior you need to change " "/etc/mkinitrd/mkinitrd.conf and set:" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:342 #, no-wrap msgid "" " # DELAY The number of seconds the linuxrc script should wait to\n" " # allow the user to interrupt it before the system is brought up\n" " DELAY=0" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:344 msgid "Then regenerate your ramdisk image. You can do this for example with:" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:347 #, no-wrap msgid "" " # cd /boot\n" " # mkinitrd -o initrd.img-2.4.18-k7 /lib/modules/2.4.18-k7" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:349 msgid "or (preferred):" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:351 #, no-wrap msgid " # dpkg-reconfigure -plow kernel-image-2.4.x-yz" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:356 msgid "Restricting console login access" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:363 msgid "" "Some security policies might force administrators to log in to the system " "through the console with their user/password and then become superuser (with " "su or sudo). This policy is implemented in Debian " "by editing the /etc/login.defs file or " "/etc/securetty when using PAM. In:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:368 msgid "" "login.defs, editing the CONSOLE variable which defines a file " "or list of terminals on which root logins are allowed" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:397 msgid "" "securetty

The /etc/securetty is a " "configuration file that belongs to the login " "package.

by adding/removing the terminals to which root " "access will be allowed. If you wish to allow only local console access then " "you need console, ttyX

Or ttyvX in " "GNU/FreeBSD, and ttyE0 in GNU/KNetBSD.

and " "vc/X (if using devfs devices), you might want to add also " "ttySX

Or comX in GNU/Hurd, cuaaX in " "GNU/FreeBSD, and ttyXX in GNU/KNetBSD.

if you are " "using a serial console for local access (where X is an integer, you might " "want to have multiple instances

The default configuration in " "woody includes 12 local tty and vc consoles, as well as the " "console device but does not allow remote logins. In sarge " "the default configuration provides 64 consoles for tty and vc consoles. You " "can safely remove this if you are not using that many " "consoles.

depending on the number of virtual consoles you " "have enabled in /etc/inittab

Look for the " "getty calls.

). For more information on terminal " "devices read the ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:406 msgid "" "When using PAM, other changes to the login process, which might include " "restrictions to users and groups at given times, can be configured in " "/etc/pam.d/login. An interesting feature that can be disabled " "is the possibility to login with null (blank) passwords. This feature can be " "limited by removing nullok from the line:" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:408 #, no-wrap msgid " auth required pam_unix.so nullok" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:412 msgid "Restricting system reboots through the console" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:421 msgid "" "If your system has a keyboard attached to it anyone (yes anyone) " "can reboot the system through it without logging in to the system. This might, or " "might not, adhere to your security policy. If you want to restrict this, you " "must check the /etc/inittab so that the line that includes " "ctrlaltdel calls shutdown with the -a switch " "(remember to run init q after making any changes to this file). The " "default in Debian includes this switch:" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:423 #, no-wrap msgid " ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:433 msgid "" "Now, in order to allow some users to shutdown the system, as the " "manpage describes, you must create " "the file /etc/shutdown.allow and include there the name of " "users which can boot the system. When the three finger salute " "(a.k.a. ctrl+alt+del) is given the program will check if any of the " "users listed in the file are logged in. If none of them is, " "shutdown will not reboot the system." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:436 msgid "Mounting partitions the right way" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:442 msgid "" "When mounting an ext2 or ext3 file system, there are " "several additional options you can apply to the mount call or to " "/etc/fstab. For instance, this is my fstab entry for the " "/tmp partition:" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:444 #, no-wrap msgid " /dev/hda7 /tmp ext2 defaults,nosuid,noexec,nodev 0 2" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:452 msgid "" "You see the difference in the options sections. The option nosuid " "ignores the setuid and setgid bits completely, while noexec forbids " "execution of any program on that mount point, and nodev ignores " "device files. This sounds great, but it:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:454 msgid "only applies to ext2 or ext3 file systems" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:455 msgid "can be circumvented easily" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:460 msgid "" "The noexec option prevents binaries from being executed directly, " "but was easily circumvented in earlier versions of the kernel:" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:467 #, no-wrap msgid "" " alex@joker:/tmp# mount | grep tmp\n" " /dev/hda7 on /tmp type ext2 (rw,noexec,nosuid,nodev)\n" " alex@joker:/tmp# ./date\n" " bash: ./date: Permission denied\n" " alex@joker:/tmp# /lib/ld-linux.so.2 ./date\n" " Sun Dec 3 17:49:23 CET 2000" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:472 msgid "" "Newer versions of the kernel do however handle the noexec flag " "properly:" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:480 #, no-wrap msgid "" " angrist:/tmp# mount | grep /tmp\n" " /dev/hda3 on /tmp type ext3 (rw,noexec,nosuid,nodev)\n" " angrist:/tmp# ./date\n" " bash: ./tmp: Permission denied \n" " angrist:/tmp# /lib/ld-linux.so.2 ./date \n" " ./date: error while loading shared libraries: ./date: failed to map " "segment \n" " from shared object: Operation not permitted" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:488 msgid "" "However, many script kiddies have exploits which try to create and execute " "files in /tmp. If they do not have a clue, they will fall into " "this pit. In other words, a user cannot be tricked into executing a " "trojanized binary in /tmp e.g. when he accidentally adds " "/tmp into his PATH." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:493 msgid "" "Also be forewarned, some script might depend on /tmp being " "executable. Most notably, Debconf has (had?) some issues regarding this, for " "more information see Bug ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:502 msgid "" "The following is a more thorough example. A note, though: /var " "could be set noexec, but some software

Some of this includes " "the package manager dpkg since the installation " "(post,pre) and removal (post,pre) scripts are at /var/lib/dpkg/ " "and Smartlist

keeps its programs in " "/var. The same applies to the nosuid option." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:514 #, no-wrap msgid "" "/dev/sda6 /usr ext3 defaults,ro,nodev 0 2\n" "/dev/sda12 /usr/share ext3 defaults,ro,nodev,nosuid 0 " "2\n" "/dev/sda7 /var ext3 defaults,nodev,usrquota,grpquota 0 " "2\n" "/dev/sda8 /tmp ext3 " "defaults,nodev,nosuid,noexec,usrquota,grpquota 0 2\n" "/dev/sda9 /var/tmp ext3 " "defaults,nodev,nosuid,noexec,usrquota,grpquota 0 2\n" "/dev/sda10 /var/log ext3 defaults,nodev,nosuid,noexec 0 " "2\n" "/dev/sda11 /var/account ext3 defaults,nodev,nosuid,noexec 0 " "2\n" "/dev/sda13 /home ext3 " "rw,nosuid,nodev,exec,auto,nouser,async,usrquota,grpquota 0 " "2\n" "/dev/fd0 /mnt/fd0 ext3 defaults,users,nodev,nosuid,noexec 0 " "0\n" "/dev/fd0 /mnt/floppy vfat defaults,users,nodev,nosuid,noexec 0 " "0\n" "/dev/hda /mnt/cdrom iso9660 ro,users,nodev,nosuid,noexec 0 " "0" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:517 msgid "Setting /tmp noexec" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:540 msgid "" "Be careful if setting /tmp noexec when you want to install new " "software, since some programs might use it for " "installation. apt is one such program (see ) if not configured properly " "APT::ExtractTemplates::TempDir (see ). You can set this variable in " "/etc/apt/apt.conf to another directory with exec privileges " "other than /tmp." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:541 msgid "Setting /usr read-only" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:548 msgid "" "If you set /usr read-only you will not be able to install new " "packages on your Debian GNU/Linux system. You will have to first remount it " "read-write, install the packages and then remount it " "read-only. apt can be configured to run commands before " "and after installing packages, so you might want to configure it properly." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:549 msgid "To do this modify /etc/apt/apt.conf and add:" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:555 #, no-wrap msgid "" " DPkg\n" " {\n" " Pre-Invoke { \"mount /usr -o remount,rw\" };\n" " Post-Invoke { \"mount /usr -o remount,ro\" };\n" " };" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:560 msgid "" "Note that the Post-Invoke may fail with a \"/usr busy\" error message. This " "happens mainly when you are using files during the update that got " "updated. You can find these programs by running" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:562 #, no-wrap msgid "# lsof +L1" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:572 msgid "" "Stop or restart these programs and run the Post-Invoke " "manually. Beware! This means you'll likely need to restart your X " "session (if you're running one) every time you do a major upgrade of your " "system. You might want to reconsider whether a read-only /usr " "is suitable for your system. See also this ." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:574 msgid "Providing secure user access" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:576 msgid "User authentication: PAM" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:586 msgid "" "PAM (Pluggable Authentication Modules) allows system administrators to " "choose how applications authenticate users. Note that PAM can do nothing " "unless an application is compiled with support for PAM. Most of the " "applications that are shipped with Debian have this support built in (Debian " "did not have PAM support before 2.2). The current default configuration for " "any PAM-enabled service is to emulate UNIX authentication (read " "/usr/share/doc/libpam0g/Debian-PAM-MiniPolicy.gz for more " "information on how PAM services should work in Debian)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:589 msgid "" "Each application with PAM support provides a configuration file in " "/etc/pam.d/ which can be used to modify its behavior:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:591 msgid "what backend is used for authentication." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:592 msgid "what backend is used for sessions." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:593 msgid "how do password checks behave." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:604 msgid "" "The following description is far from complete, for more information you " "might want to read the (at the ). This document is also provided in the " "libpam-doc Debian package." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:616 msgid "" "PAM offers you the possibility to go through several authentication steps at " "once, without the user's knowledge. You could authenticate against a " "Berkeley database and against the normal passwd file, and the " "user only logs in if he authenticates correctly against both. You can restrict a " "lot with PAM, just as you can open your system doors very wide. So be " "careful. A typical configuration line has a control field as its second " "element. Generally it should be set to requisite, which returns a " "login failure if one module fails." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:622 msgid "" "The first thing I like to do, is to add MD5 support to PAM applications, " "since this helps protect against dictionary cracks (passwords can be longer " "if using MD5). The following two lines should be added to all files in " "/etc/pam.d/ that grant access to the machine, like " "login and ssh." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:626 #, no-wrap msgid "" " # Be sure to install libpam-cracklib first or you will not be able to log " "in\n" " password required pam_cracklib.so retry=3 minlen=12 difok=3\n" " password required pam_unix.so use_authtok nullok md5" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:646 msgid "" "So, what does this incantation do? The first line loads the cracklib PAM " "module, which provides password strength-checking, prompts for a new " "password with a minimum length of 12 characters, a difference of at least 3 " "characters from the old password, and allows 3 retries. Cracklib depends on " "a wordlist package (such as wenglish, " "wspanish, wbritish, ...), so make sure " "you install one that is appropriate for your language or cracklib might not " "be useful to you at all.

This dependency is not fixed, however, " "in the Debian 3.0 package. Please see .

" "The second line introduces the standard authentication module with MD5 " "passwords and allows a zero length password. The use_authtok " "directive is necessary to hand over the password from the previous module." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:650 msgid "" "To make sure that the user root can only log into the system from local " "terminals, the following line should be enabled in " "/etc/pam.d/login:" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:652 #, no-wrap msgid " auth requisite pam_securetty.so" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:663 msgid "" "Then you should modify the list of terminals on which direct root login is " "allowed in /etc/securetty. Alternatively, you could enable the " "pam_access module and modify /etc/security/access.conf " "which allows for a more general and fine-tuned access control, but " "(unfortunately) lacks decent log messages (logging within PAM is not " "standardized and is a particularly unrewarding problem to deal with). We'll " "return to access.conf a little later." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:668 msgid "" "Last but not least, the following line should be enabled in " "/etc/pam.d/login to set up user resource limits." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:670 #, no-wrap msgid " session required pam_limits.so" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:677 msgid "" "This restricts the system resources that users are allowed (see below in " "). For example, you could restrict the number of " "concurrent logins (of a given group of users, or system-wide), number of " "processes, memory size etc." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:682 msgid "" "Now edit /etc/pam.d/passwd and change the first line. You " "should add the option \"md5\" to use MD5 passwords, change the minimum " "length of password from 4 to 6 (or more) and set a maximum length, if you " "desire. The resulting line will look something like:" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:684 #, no-wrap msgid " password required pam_unix.so nullok obscure min=6 max=11 md5" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:693 msgid "" "If you want to protect su, so that only some people can use it to become " "root on your system, you need to add a new group \"wheel\" to your system " "(that is the cleanest way, since no file has such a group permission " "yet). Add root and the other users that should be able to su to " "the root user to this group. Then add the following line to " "/etc/pam.d/su:" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:695 #, no-wrap msgid " auth requisite pam_wheel.so group=wheel debug" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:702 msgid "" "This makes sure that only people from the group \"wheel\" can use " "su to become root. Other users will not be able to become " "root. In fact they will get a denied message if they try to become root." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:709 msgid "" "If you want only certain users to authenticate at a PAM service, this is " "quite easy to achieve by using files where the users who are allowed to " "login (or not) are stored. Imagine you only want to allow user 'ref' to log " "in via ssh. So you put him into " "/etc/sshusers-allowed and write the following into " "/etc/pam.d/ssh:" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:711 #, no-wrap msgid "" " auth required pam_listfile.so item=user sense=allow " "file=/etc/sshusers-allowed onerr=fail" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:720 msgid "" "Since there have been a number of so called insecure tempfile " "vulnerabilities, thttpd is one example (see ), the " "libpam-tmpdir is a good package to install. All you have " "to do is add the following to /etc/pam.d/common-session:" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:722 #, no-wrap msgid " session optional pam_tmpdir.so" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:728 msgid "" "There has also been a discussion about adding this by default in etch. See " " for " "more information." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:731 msgid "" "Last, but not least, create /etc/pam.d/other and enter the " "following lines:" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:745 #, no-wrap msgid "" " auth required pam_securetty.so\n" " auth required pam_unix_auth.so\n" " auth required pam_warn.so\n" " auth required pam_deny.so\n" " account required pam_unix_acct.so\n" " account required pam_warn.so\n" " account required pam_deny.so\n" " password required pam_unix_passwd.so\n" " password required pam_warn.so\n" " password required pam_deny.so\n" " session required pam_unix_session.so\n" " session required pam_warn.so\n" " session required pam_deny.so" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:751 msgid "" "These lines will provide a good default configuration for all applications " "that support PAM (access is denied by default)." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:753 msgid "Limiting resource usage: the limits.conf file" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:759 msgid "" "You should really take a serious look into this file. Here you can define " "user resource limits. In old releases this configuration file was " "/etc/limits.conf, but in newer releases (with PAM) the " "/etc/security/limits.conf configuration file should be used " "instead." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:765 msgid "" "If you do not restrict resource usage, any user with a valid shell " "in your system (or even an intruder who compromised the system through a " "service or a daemon going awry) can use up as much CPU, memory, stack, " "etc. as the system can provide. This resource exhaustion problem " "can be fixed by the use of PAM." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:773 msgid "" "There is a way to add resource limits to some shells (for example, " "bash has ulimit, see ), but since not all of them provide the same limits and since " "the user can change shells (see ) it is " "better to place the limits on the PAM modules as they will apply regardless " "of the shell used and will also apply to PAM modules that are not " "shell-oriented." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:778 msgid "" "Resource limits are imposed by the kernel, but they need to be configured " "through the limits.conf and the PAM configuration of the " "different services need to load the appropriate PAM. You can check which " "services are enforcing limits by running:" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:780 #, no-wrap msgid "" "$ find /etc/pam.d/ \\! -name \"*.dpkg*\" | xargs -- grep limits |grep -v " "\":#\"" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:788 msgid "" "Commonly, login, ssh and the graphic session " "managers (gdm, kdm or xdm) should " "enforce user limits but you might want to do this in other PAM configuration " "files, such as cron, to prevent system daemons from taking over " "all system resources." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:790 msgid "" "The specific limits settings you might want to enforce depend on your " "system's resources, that's one of the main reasons why no limits are " "enforced in the default installation." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:799 msgid "" "For example, the configuration example below enforces a 100 process limit " "for all users (to prevent fork bombs) as well as a limit of 10MB of " "memory per process and a limit of 10 simultaneous logins. Users in the " "adm group have higher limits and can produce core files if they " "want to (there is only a soft limit)." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:815 #, no-wrap msgid "" "* soft core 0\n" "* hard core 0\n" "* hard rss 1000\n" "* hard memlock 1000\n" "* hard nproc 100\n" "* - maxlogins 1\n" "* hard data 102400\n" "* hard fsize 2048\n" "@adm hard core 100000\n" "@adm hard rss 100000\n" "@adm soft nproc 2000\n" "@adm hard nproc 3000\n" "@adm hard fsize 100000\n" "@adm - maxlogins 10" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:820 msgid "" "These would be the limits a default user (including system daemons) would " "have:" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:833 #, no-wrap msgid "" "$ ulimit -a\n" "core file size (blocks, -c) 0\n" "data seg size (kbytes, -d) 102400\n" "file size (blocks, -f) 2048\n" "max locked memory (kbytes, -l) 10000\n" "max memory size (kbytes, -m) 10000\n" "open files (-n) 1024\n" "pipe size (512 bytes, -p) 8\n" "stack size (kbytes, -s) 8192\n" "cpu time (seconds, -t) unlimited\n" "max user processes (-u) 100\n" "virtual memory (kbytes, -v) unlimited" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:837 msgid "And these are the limits for an administrative user:" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:850 #, no-wrap msgid "" "$ ulimit -a\n" "core file size (blocks, -c) 0\n" "data seg size (kbytes, -d) 102400\n" "file size (blocks, -f) 100000\n" "max locked memory (kbytes, -l) 100000\n" "max memory size (kbytes, -m) 100000\n" "open files (-n) 1024\n" "pipe size (512 bytes, -p) 8\n" "stack size (kbytes, -s) 8192\n" "cpu time (seconds, -t) unlimited\n" "max user processes (-u) 2000\n" "virtual memory (kbytes, -v) unlimited" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:854 msgid "For more information read:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:860 msgid "" "." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:864 msgid "" "." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:869 msgid "" " on the Limiting users " "overview section." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:872 msgid "" " in the " "Limiting and monitoring users section." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:875 msgid "User login actions: edit /etc/login.defs" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:884 msgid "" "The next step is to edit the basic configuration and action upon user " "login. Note that this file is not part of the PAM configuration, it's a " "configuration file honored by login and su programs, so it " "doesn't make sense to tune it for cases where neither of the two programs is " "at least indirectly called (the getty program which sits on the " "consoles and offers the initial login prompt does invoke " "login)." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:886 #, no-wrap msgid " FAIL_DELAY 10" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:896 msgid "" "This variable should be set to a higher value to make it harder to use the " "terminal to log in using brute force. If a wrong password is typed in, the " "possible attacker (or normal user!) has to wait for 10 seconds to get a new " "login prompt, which is quite time consuming when you test passwords. Pay " "attention to the fact that this setting is useless if using a program other " "than getty, such as mingetty for example." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:898 #, no-wrap msgid " FAILLOG_ENAB yes" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:903 msgid "" "If you enable this variable, failed logins will be logged. It is important " "to keep track of them to catch someone who tries a brute force attack." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:905 #, no-wrap msgid " LOG_UNKFAIL_ENAB no" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:915 msgid "" "If you set this variable to 'yes' it will record unknown usernames if the " "login failed. It is best if you use 'no' (the default) since, otherwise, " "user passwords might be inadvertently logged here (if a user mistypes and " "they enter their password as the username). If you set it to 'yes', make " "sure the logs have the proper permissions (640 for example, with an " "appropriate group setting such as adm)." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:917 #, no-wrap msgid " SYSLOG_SU_ENAB yes" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:923 msgid "" "This one enables logging of su attempts to " "syslog. Quite important on serious machines but note that this " "can create privacy issues as well." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:925 #, no-wrap msgid " SYSLOG_SG_ENAB yes" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:930 msgid "" "The same as SYSLOG_SU_ENAB but applies to the sg " "program." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:932 #, no-wrap msgid " MD5_CRYPT_ENAB yes" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:939 msgid "" "As stated above, MD5 sum passwords greatly reduce the problem of dictionary " "attacks, since you can use longer passwords. If you are using slink, read " "the docs about MD5 before enabling this option. Otherwise this is set in " "PAM." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:941 #, no-wrap msgid " PASS_MAX_LEN 50" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:947 msgid "" "If MD5 passwords are activated in your PAM configuration, then this variable " "should be set to the same value as used there." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:948 msgid "Restricting ftp: editing /etc/ftpusers" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:955 msgid "" "The /etc/ftpusers file contains a list of users who are not " "allowed to log into the host using ftp. Only use this file if you really " "want to allow ftp (which is not recommended in general, because it uses " "clear-text passwords). If your daemon supports PAM, you can also use that to " "allow and deny users for certain services." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:959 msgid "" "FIXME (BUG): Is it a bug that the default ftpusers in Debian " "does not include all the administrative users (in " "base-passwd)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:963 msgid "" "A convenient way to add all system accounts to the " "/etc/ftpusers is to run" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:965 #, no-wrap msgid "$ awk -F : '{if ($3<1000) print $1}' /etc/passwd > /etc/ftpusers" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:969 msgid "Using su" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:980 msgid "" "If you really need users to become the super user on your system, e.g. for " "installing packages or adding users, you can use the command su " "to change your identity. You should try to avoid any login as user root and " "instead use su. Actually, the best solution is to remove " "su and switch to the sudo mechanism which has a " "broader logic and more features than su. However, " "su is more common as it is used on many other Unices." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:982 msgid "Using sudo" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:991 msgid "" "sudo allows the user to execute defined commands under another " "user's identity, even as root. If the user is added to " "/etc/sudoers and authenticates himself correctly, he is able to " "run commands which have been defined in " "/etc/sudoers. Violations, such as incorrect passwords or trying " "to run a program you don't have permission for, are logged and mailed to " "root." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:992 msgid "Disallow remote administrative access" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:998 msgid "" "You should also modify /etc/security/access.conf to disallow " "remote logins to administrative accounts. This way users need to invoke " "su (or sudo) to use any administrative powers and " "the appropriate audit trace will always be generated." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1001 msgid "" "You need to add the following line to " "/etc/security/access.conf, the default Debian configuration " "file has a sample line commented out:" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1003 #, no-wrap msgid " -:wheel:ALL EXCEPT LOCAL" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1010 msgid "" "Remember to enable the pam_access module for every service (or " "default configuration) in /etc/pam.d/ if you want your changes " "to /etc/security/access.conf honored." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1012 msgid "Restricting users's access" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1019 msgid "" "Sometimes you might think you need to have users created in your local " "system in order to provide a given service (pop3 mail service or " "ftp). Before doing so, first remember that the PAM implementation in Debian " "GNU/Linux allows you to validate users with a wide variety of external " "directory services (radius, ldap, etc.) provided by the libpam packages." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1030 msgid "" "If users need to be created and the system can be accessed remotely take " "into account that users will be able to log in to the system. You can fix " "this by giving users a null (/dev/null) shell (it would need to " "be listed in /etc/shells). If you want to allow users to access " "the system but limit their movements, you can use the " "/bin/rbash, equivalent to adding the -r option in " "bash (RESTRICTED SHELL see ). Please note that even with restricted shell, a user that " "access an interactive program (that might allow execution of a subshell) " "could be able to bypass the limits of the shell." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1038 msgid "" "Debian currently provides in the unstable release (and might be included in " "the next stable releases) the pam_chroot module (in the " "libpam-chroot). An alternative to it is to " "chroot the service that provides remote logging " "(ssh, " "telnet).

libpam-chroot has not " "been yet thoroughly tested, it does work for login but it might " "not be easy to set up the environment for other programs

" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1042 msgid "" "If you wish to restrict when users can access the system you will " "have to customize /etc/security/access.conf for your needs." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1046 msgid "" "Information on how to chroot users accessing the system through " "the ssh service is described in ." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1048 msgid "User auditing" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1052 msgid "" "If you are really paranoid you might want to add a system-wide configuration " "to audit what the users are doing in your system. This section presents " "some tips using diverse utilities you can use." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1054 msgid "Input and output audit with script" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1060 msgid "" "You can use the script command to audit both what the users run " "and what are the results of those commands. You cannot setup " "script as a shell (even if you add it to " "/etc/shells). But you can have the shell initialization file " "run the following:" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1063 #, no-wrap msgid "" "umask 077\n" "exec script -q -a \"/var/log/sessions/$USER\"" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1070 msgid "" "Of course, if you do this system wide it means that the shell would not " "continue reading personal initialization files (since the shell gets " "overwritten by script). An alternative is to do this in the " "user's initialization files (but then the user could remove this, see the " "comments about this below)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1077 msgid "" "You also need to setup the files in the audit directory (in the example " "/var/log/sessions/) so that users can write to it but cannot " "remove the file. This could be done, for example, by creating the user " "session files in advance and setting them with the append-only flag " "using chattr." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1082 msgid "" "A useful alternative for sysadmins, which includes date information would " "be:" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1085 #, no-wrap msgid "" "umask 077\n" "exec script -q -a \"/var/log/sessions/$USER-`date +%Y%m%d`\"" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1089 msgid "Using the shell history file" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1096 msgid "" "If you want to review what the user types in the shell (but not what the " "result of that is) you can set up a system-wide /etc/profile " "that configures the environment so that all commands are saved into a " "history file. The system-wide configuration needs to be set up in such a way " "that users cannot remove audit capabilities from their shell. This is " "somewhat shell specific so make sure that all users are using a shell that " "supports this." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1109 msgid "" "For example, for bash, the /etc/profile could be set as follows " "

Setting HISTSIZE to a very large number can cause issues under " "some shells since the history is kept in memory for every user session. You " "might be safer if you set this to a high-enough value and backup user's " "history files (if you need all of the user's history for some " "reason)

:" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1123 #, no-wrap msgid "" " HISTFILE=~/.bash_history\n" " HISTSIZE=10000\n" " HISTFILESIZE=999999\n" " # Don't let the users enter commands that are ignored\n" " # in the history file\n" " HISTIGNORE=\"\"\n" " HISTCONTROL=\"\"\n" " readonly HISTFILE\n" " readonly HISTSIZE\n" " readonly HISTFILESIZE\n" " readonly HISTIGNORE\n" " readonly HISTCONTROL\n" " export HISTFILE HISTSIZE HISTFILESIZE HISTIGNORE HISTCONTROL" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1134 msgid "" "For this to work, the user can only append information to the " ".bash_history file. You also need to set the " "append-only option using the chattr program for " ".bash_history for all users.

Without the " "append-only flag users would be able to empty the contents of the history " "file running > .bash_history

." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1145 msgid "" "Note that you could introduce the configuration above in the user's " ".profile. But then you would need to setup permissions properly " "in such a way that prevents the user from modifying this file. This " "includes: having the user's home directories not belong to the user " "(since he would be able to remove the file otherwise) but at the same time " "enable them to read the .profile configuration file and write " "on the .bash_history. It would be good to set the " "immutable flag (also using chattr) for " ".profile too if you do it this way." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1147 msgid "Complete user audit with accounting utilities" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1154 msgid "" "The previous example is a simple way to configure user auditing but might be " "not useful for complex systems or for those in which users do not run shells " "at all (or exclusively). If this is your case, you need to look at " "acct, the accounting utilities. These utilities will log " "all the commands run by users or processes in the system, at the expense of " "disk space." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1160 msgid "" "When activating accounting, all the information on processes and users is " "kept under /var/account/, more specifically in the " "pacct. The accounting package includes some tools " "(sa, ac and lastcomm) to analyse this " "data." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1161 msgid "Other user auditing methods" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1174 msgid "" "If you are completely paranoid and want to audit every user's command, you " "could take bash source code, edit it and have it send all that " "the user typed into another file. Or have ttysnoop " "constantly monitor any new ttys

Ttys are spawned for local " "logins and remote logins through ssh and telnet

and dump the " "output into a file. Another useful program is snoopy (see " "also ) which is a user-transparent program that hooks in as a " "library providing a wrapper around execve() calls; any command " "executed is logged to syslogd using the authpriv " "facility (usually stored at /var/log/auth.log)." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1176 msgid "Reviewing user profiles" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1183 msgid "" "If you want to see what users are actually doing when they logon to " "the system you can use the wtmp database that includes all " "login information. This file can be processed with several utilities, " "amongst them sac which can output a profile on each user " "showing in which timeframe they usually log on to the system." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1187 msgid "" "In case you have accounting activated, you can also use the tools provided " "by it in order to determine when the users access the system and what " "they execute." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1189 msgid "Setting users umasks" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1193 msgid "" "Depending on your user policy you might want to change how information is " "shared between users, that is, what the default permissions of new files " "created by users are." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1199 msgid "" "Debian's default umask setting is 022 this means that " "files (and directories) can be read and accessed by the user's group and by " "any other users in the system. This definition is set in the standard " "configuration file /etc/profile which is used by all shells." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1210 msgid "" "If Debian's default value is too permissive for your system you will have to " "change the umask setting for all the shells. More restrictive umask settings " "include 027 (no access is allowed to new files for the other group, " "i.e. to other users in the system) or 077 (no access is allowed to new files " "to the members of the user's group). Debian (by default

As defined " "in /etc/adduser.conf (USERGROUPS=yes). You can change this " "behaviour if you set this value to no, although it is not " "recommended

) creates one group per user so that only the user " "is included in its group. Consequently 027 and 077 are equivalent as the " "user's group contains only the user himself." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1225 msgid "" "This change is set by defining a proper umask setting for all " "users. You can change this by introducing an umask call in the " "shell configuration files: /etc/profile (source by all " "Bourne-compatible shells), /etc/csh.cshrc, " "/etc/csh.login, /etc/zshrc and probably some " "others (depending on the shells you have installed on your system). You can " "also change the UMASK setting in /etc/login.defs, Of " "all of these the last one that gets loaded by the shell takes " "precedence. The order is: the default system configuration for the user's " "shell (i.e. /etc/profile and other system-wide configuration " "files) and then the user's shell (his ~/.profile, " "~/.bash_profile, etc...). Some shells, however, can be executed " "with a nologin value which might skip sourcing some of those " "files. See your shell's manpage for additional information." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1231 msgid "" "For connections that make use of login the UMASK definition in " "/etc/login.defs is used before any of the others. However, that " "value does not apply to user executed programs that do not use " "login such as those run through su, " "cron or ssh." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1237 msgid "" "Don't forget to review and maybe modify the dotfiles under " "/etc/skel/ since these will be new users' defaults when created " "with the adduser command. Debian default dotfiles do not " "include any umask call but if there is any in the dotfiles " "newly created users might have a different value." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1241 msgid "" "Note, however that users can modify their own umask setting if they " "want to, making it more permissive or more restricted, by changing their own " "dotfiles." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1245 msgid "" "The libpam-umask package adjusts the users' default " "umask using PAM. Add the following, after installing the package, " "to /etc/pam.d/common-session:" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1247 #, no-wrap msgid "session optional pam_umask.so umask=077" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1255 msgid "" "Finally, you should consider changing root's default 022 umask (as defined " "in /root/.bashrc) to a more strict umask. That will prevent the " "system administrator from inadvertently dropping sensitive files when working " "as root to world-readable directories (such as /tmp) and having " "them available for your average user." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1257 msgid "Limiting what users can see/access" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1261 msgid "" "FIXME: Content needed. Describe the consequences of changing packages " "permissions when upgrading (an admin this paranoid should " "chroot his users BTW) if not using " "dpkg-statoverride." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1266 msgid "" "If you need to grant users access to the system with a shell think about it " "very carefully. A user can, by default unless in a severely restricted " "environment (like a chroot jail), retrieve quite a lot of " "information from your system including:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1275 msgid "" "some configuration files in /etc. However, Debian's default " "permissions for some sensitive files (which might, for example, contain " "passwords), will prevent access to critical information. To see which files " "are only accessible by the root user for example find /etc -type f -a " "-perm 600 -a -uid 0 as superuser." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1279 msgid "" "your installed packages, either by looking at the package database, at the " "/usr/share/doc directory or by guessing by looking at the " "binaries and libraries installed in your system." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1285 msgid "" "some log files at /var/log. Note also that some log files are " "only accessible to root and the adm group (try find /var/log " "-type f -a -perm 640) and some are even only available to the root user " "(try find /var/log -type f -a -perm 600 -a -uid 0)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1290 msgid "" "What can a user see in your system? Probably quite a lot of things, try this " "(take a deep breath):" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1293 #, no-wrap msgid "" " find / -type f -a -perm +006 2>/dev/null \n" " find / -type d -a -perm +007 2>/dev/null" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1298 msgid "" "The output is the list of files that a user can see and the " "directories to which he has access." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1300 msgid "Limiting access to other user's information" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1306 msgid "" "If you still grant shell access to users you might want to limit what " "information they can view from other users. Users with shell access have a " "tendency to create quite a number of files under their $HOMEs: mailboxes, " "personal documents, configuration of X/GNOME/KDE applications..." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1314 msgid "" "In Debian each user is created with one associated group, and no two users " "belong to the same group. This is the default behavior: when a user account " "is created, a group of the same name is created too, and the user is " "assigned to it. This avoids the concept of a common users group " "which might make it more difficult for users to hide information from other " "users." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1319 msgid "" "However, users' $HOME directories are created with 0755 " "permissions (group-readable and world-readable). The group permissions is " "not an issue since only the user belongs to the group, however the world " "permissions might (or might not) be an issue depending on your local policy." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1324 msgid "" "You can change this behavior so that user creation provides different " "$HOME permissions. To change the behavior for new users " "when they get created, change DIR_MODE in the configuration file " "/etc/adduser.conf to 0750 (no world-readable access)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1327 msgid "" "Users can still share information, but not directly in their " "$HOME directories unless they change its permissions." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1341 msgid "" "Note that disabling world-readable home directories will prevent users from " "creating their personal web pages in the ~/public_html " "directory, since the web server will not be able to read one component in " "the path - namely their $HOME directory. If you want to permit " "users to publish HTML pages in their ~/public_html, then change " "DIR_MODE to 0751. This will allow the web server to access the " "final public_html directory (which itself should have a mode of " "0755) and provide the content published by users. Of course, we are only " "talking about a default configuration here; users can generally tune modes " "of their own files completely to their liking, or you could keep content " "intended for the web in a separate location which is not a subdirectory of " "user's $HOME directory." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1343 msgid "Generating user passwords" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1359 msgid "" "There are many cases when an administrator needs to create many user " "accounts and provide passwords for all of them. Of course, the administrator " "could easily just set the password to be the same as the user's account " "name, but that would not be very sensible security-wise. A better approach " "is to use a password generating program. Debian provides " "makepasswd, apg and " "pwgen packages which provide programs (the name is the " "same as the package) that can be used for this " "purpose. Makepasswd will generate true random passwords with an " "emphasis on security over pronounceability while pwgen will try " "to make meaningless but pronounceable passwords (of course this might depend " "on your mother language). Apg has algorithms to provide for " "both (there is a client/server version for this program but it is not " "included in the Debian package)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1374 msgid "" "Passwd does not allow non-interactive assignment of passwords " "(since it uses direct tty access). If you want to change passwords when " "creating a large number of users you can create them using " "adduser with the --disabled-login option and then use " "usermod or chpasswd " "

Chpasswd cannot handle MD5 password generation so " "it needs to be given the password in encrypted form before using it, with " "the -e option.

(both from the " "passwd package so you already have them installed). If " "you want to use a file with all the information to make users as a batch " "process you might be better off using newusers." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1376 msgid "Checking user passwords" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1388 msgid "" "User passwords can sometimes become the weakest link in the " "security of a given system. This is due to some users choosing weak " "passwords for their accounts (and the more of them that have access to it " "the greater the chances of this happening). Even if you established checks " "with the cracklib PAM module and password limits as described in users will still be able to use weak passwords. Since user " "access might include remote shell access (over ssh, hopefully) " "it's important to make password guessing as hard as possible for the remote " "attackers, especially if they were somehow able to collect important " "information such as usernames or even the passwd and " "shadow files themselves." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1393 msgid "" "A system administrator must, given a big number of users, check if the " "passwords they have are consistent with the local security policy. How to " "check? Try to crack them as an attacker would if he had access to the hashed " "passwords (the /etc/shadow file)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1403 msgid "" "An administrator can use john or crack " "(both are brute force password crackers) together with an appropriate " "wordlist to check users' passwords and take appropriate action when a weak " "password is detected. You can search for Debian GNU packages that contain " "word lists using apt-cache search wordlist, or visit the " "classic Internet wordlist sites such as or ." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1405 msgid "Logging off idle users" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1410 msgid "" "Idle users are usually a security problem, a user might be idle maybe " "because he's out to lunch or because a remote connection hung and was not " "re-established. For whatever the reason, idle users might lead to a " "compromise:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1414 msgid "" "because the user's console might be unlocked and can be accessed by an " "intruder." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1418 msgid "" "because an attacker might be able to re-attach himself to a closed network " "connection and send commands to the remote shell (this is fairly easy if the " "remote shell is not encrypted as in the case of telnet)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1423 msgid "" "Some remote systems have even been compromised through an idle (and " "detached) screen." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1426 msgid "" "Automatic disconnection of idle users is usually a part of the local " "security policy that must be enforced. There are several ways to do this:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1433 msgid "" "If bash is the user shell, a system administrator can set a " "default TMOUT value (see ) " "which will make the shell automatically log off remote idle users. Note that " "it must be set with the -o option or users will be able to change " "(or unset) it." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1440 msgid "" "Install timeoutd and configure /etc/timeouts " "according to your local security policy. The daemon will watch for idle " "users and time out their shells accordingly." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1442 msgid "Install autolog and configure it to remove idle users." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1450 msgid "" "The timeoutd or autolog daemons are the preferred " "method since, after all, users can change their default shell or can, after " "running their default shell, switch to another (uncontrolled) shell." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1452 msgid "Using tcpwrappers" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1461 msgid "" "TCP wrappers were developed when there were no real packet filters available " "and access control was needed. Nevertheless, they're still very interesting " "and useful. The TCP wrappers allow you to allow or deny a service for a host " "or a domain and define a default allow or deny rule (all performed on the " "application level). If you want more information take a look at ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1463 msgid "Many services installed in Debian are either:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1465 msgid "launched through the tcpwrapper service (tcpd)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1466 msgid "compiled with libwrapper support built-in." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1481 msgid "" "On the one hand, for services configured in /etc/inetd.conf " "(this includes telnet, ftp, netbios, " "swat and finger) you will see that the " "configuration file executes /usr/sbin/tcpd first. On the other " "hand, even if a service is not launched by the inetd " "superdaemon, support for the tcp wrappers rules can be compiled into " "it. Services compiled with tcp wrappers in Debian include ssh, " "portmap, in.talk, rpc.statd, " "rpc.mountd, gdm, oaf (the GNOME " "activator daemon), nessus and many others." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1491 msgid "" "To see which packages use tcpwrappers

On older Debian releases " "you might need to do this: $ apt-cache showpkg libwrap0 | egrep " "'^[[:space:]]' | sort -u | \\ sed " "'s/,libwrap0$//;s/^[[:space:]]\\+//'

try:" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1493 #, no-wrap msgid " $ apt-cache rdepends libwrap0" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1504 msgid "" "Take this into account when running tcpdchk (a very useful TCP " "wrappers config file rule and syntax checker). When you add stand-alone " "services (that are directly linked with the wrapper library) into the " "hosts.deny and hosts.allow files, " "tcpdchk will warn you that it is not able to find the mentioned " "services since it only looks for them in /etc/inetd.conf (the " "manpage is not totally accurate here)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1512 msgid "" "Now, here comes a small trick, and probably the smallest intrusion detection " "system available. In general, you should have a decent firewall policy as a " "first line, and tcp wrappers as the second line of defense. One little trick " "is to set up a SPAWN

be sure to use uppercase here " "since spawn will not work

command in " "/etc/hosts.deny that sends mail to root whenever a denied " "service triggers wrappers:" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1522 #, no-wrap msgid "" " ALL: ALL: SPAWN ( \\\n" " echo -e \"\\n\\\n" " TCP Wrappers\\: Connection refused\\n\\\n" " By\\: $(uname -n)\\n\\\n" " Process\\: %d (pid %p)\\n\\\n" " User\\: %u\\n\\\n" " Host\\: %c\\n\\\n" " Date\\: $(date)\\n\\\n" " \" | /usr/bin/mail -s \"Connection to %d blocked\" root) &" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1556 msgid "" "Beware: The example above is open to a DoS attack: making " "many connections in a short period of time triggers many emails, and thus a lot of file " "I/O, while only a few packets have to be sent." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1558 msgid "The importance of logs and alerts" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1564 msgid "" "It is easy to see that the treatment of logs and alerts is an important " "issue in a secure system. Suppose a system is perfectly configured and 99% " "secure. If the 1% attack occurs, and there are no security measures in place " "to, first, detect this and, second, raise alarms, the system is not secure " "at all." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1576 msgid "" "Debian GNU/Linux provides some tools to perform log analysis, most notably " "swatch,

there's a very good article on it " "written by

logcheck or " "log-analysis (all will need some customisation to remove " "unnecessary things from the report). It might also be useful, if the system " "is nearby, to have the system logs printed on a virtual console. This is " "useful since you can (from a distance) see if the system is behaving " "properly. Debian's /etc/syslog.conf comes with a commented " "default configuration; to enable it uncomment the lines and restart " "syslogd (/etc/init.d/syslogd restart):" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1581 #, no-wrap msgid "" " daemon,mail.*;\\\n" " news.=crit;news.=err;news.=notice;\\\n" " *.=debug;*.=info;\\\n" " *.=notice;*.=warn /dev/tty8" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1619 msgid "" "To colorize the logs, you could take a look at colorize, " "ccze or glark. There is a lot to log " "analysis that cannot be fully covered here, so a good information resource " "would be books such as . In any case, even " "automated tools are no match for the best analysis tool: your brain." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1621 msgid "Using and customizing logcheck" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1629 msgid "" "The logcheck package in Debian is divided into the three " "packages logcheck (the main program), " "logcheck-database (a database of regular expressions for " "the program) and logtail (prints loglines that have not " "yet been read). The Debian default (in /etc/cron.d/logcheck) is " "that logcheck is run every hour and after reboots." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1650 msgid "" "This tool can be quite useful if properly customized to alert the " "administrator of unusual system events. Logcheck can be fully " "customized so that it sends mails based on events found in the logs and " "worthy of attention. The default installation includes profiles for ignored " "events and policy violations for three different setups (workstation, server " "and paranoid). The Debian package includes a configuration file " "/etc/logcheck/logcheck.conf, sourced by the program, that " "defines which user the checks are sent to. It also provides a way for " "packages that provide services to implement new policies in the directories: " "/etc/logcheck/cracking.d/_packagename_, " "/etc/logcheck/violations.d/_packagename_, " "/etc/logcheck/violations.ignore.d/_packagename_, " "/etc/logcheck/ignore.d.paranoid/_packagename_, " "/etc/logcheck/ignore.d.server/_packagename_, and " "/etc/logcheck/ignore.d.workstation/_packagename_. However, not " "many packages currently do so. If you have a policy that can be useful for " "other users, please send it as a bug report for the appropriate package (as " "a wishlist bug). For more information read " "/usr/share/doc/logcheck/README.Debian." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1663 msgid "" "The best way to configure logcheck is to edit its main " "configuration file /etc/logcheck/logcheck.conf after " "installation. Change the default user (root) to whom reports should be " "mailed. You should set the reportlevel in there, " "too. logcheck-database has three report levels of " "increasing verbosity: workstation, server, paranoid. \"server\" being the " "default level, paranoid is only recommended for high-security machines " "running as few services as possible and workstation for relatively " "sheltered, non-critical machines. If you wish to add new log files just add " "them to /etc/logcheck/logcheck.logfiles. It is tuned for " "default syslog install." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1678 msgid "" "Once this is done you might want to check the mails that are sent, for the " "first few days/weeks/months. If you find you are sent messages you do not " "wish to receive, just add the regular expressions (see and ) that correspond " "to these messages to the " "/etc/logcheck/ignore.d.reportlevel/local. Try to " "match the whole logline. Details on how to write rules are explained in " "/usr/share/doc/logcheck-database/README.logcheck-database.gz. " "It's an ongoing tuning process; once the messages that are sent are always " "relevant you can consider the tuning finished. Note that if " "logcheck does not find anything relevant in your system it will " "not mail you even if it does run (so you might get a mail only once a week, " "if you are lucky)." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1680 msgid "Configuring where alerts are sent" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1687 msgid "" "Debian comes with a standard syslog configuration (in " "/etc/syslog.conf) that logs messages to the appropriate files " "depending on the system facility. You should be familiar with this; have a " "look at the syslog.conf file and the documentation if not. If " "you intend to maintain a secure system you should be aware of where log " "messages are sent so they do not go unnoticed." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1692 msgid "" "For example, sending messages to the console also is an interesting setup " "useful for many production-level systems. But for many such systems it is " "also important to add a new machine that will serve as loghost (i.e. it " "receives logs from all other systems)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1699 msgid "" "Root's mail should also be considered; many security controls (like " "snort) send alerts to root's mailbox. This mailbox " "usually points to the first user created in the system (check " "/etc/aliases). Take care to send root's mail to some place " "where it will be read (either locally or remotely)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1704 msgid "" "There are other role accounts and aliases on your system. On a small system, " "it's probably simplest to make sure that all such aliases point to the root " "account, and that mail to root is forwarded to the system administrator's " "personal mailbox." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1710 msgid "" "FIXME: It would be interesting to tell how a Debian system can send/receive " "SNMP traps related to security problems (jfs). Check: " "snmptrapfmt, snmp and " "snmpd." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1712 msgid "Using a loghost" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1727 msgid "" "A loghost is a host which collects syslog data remotely over the network. If " "one of your machines is cracked, the intruder is not able to cover his " "tracks, unless he hacks the loghost as well. So, the loghost should be " "especially secure. Making a machine a loghost is simple. Just start the " "syslogd with syslogd -r and a new loghost is born. In " "order to do this permanently in Debian, edit " "/etc/default/syslogd and change the line" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1729 #, no-wrap msgid "SYSLOGD=\"\"" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1731 msgid "to" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1733 #, no-wrap msgid "SYSLOGD=\"-r\"" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1738 msgid "" "Next, configure the other machines to send data to the loghost. Add an entry " "like the following to /etc/syslog.conf:" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1740 #, no-wrap msgid " facility.level @your_loghost" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1746 msgid "" "See the documentation for what to use in place of facility and " "level (they should not be entered verbatim like this). If you want " "to log everything remotely, just write:" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1748 #, no-wrap msgid " *.* @your_loghost" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1757 msgid "" "into your syslog.conf. Logging remotely as well as locally is " "the best solution (the attacker might presume to have covered his tracks " "after deleting the local log files). See the , and manpages for additional information." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1759 msgid "Log file permissions" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1770 msgid "" "It is not only important to decide how alerts are used, but also who has " "read/modify access to the log files (if not using a remote " "loghost). Security alerts which the attacker can change or disable are not " "worth much in the event of an intrusion. Also, you have to take into account " "that log files might reveal quite a lot of information about your system to " "an intruder if he has access to them." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1780 msgid "" "Some log file permissions are not perfect after the installation (but of " "course this really depends on your local security policy). First " "/var/log/lastlog and /var/log/faillog do not need " "to be readable by normal users. In the lastlog file you can see " "who logged in recently, and in the faillog you see a summary of " "failed logins. The author recommends chmod 660 for both. Take a " "brief look at your log files and decide very carefully which log files to " "make readable/writable for a user with a UID other than 0 and a group other " "than 'adm' or 'root'. You can easily check this in your system with:" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1789 #, no-wrap msgid "" " # find /var/log -type f -exec ls -l {} \\; | cut -c 17-35 |sort -u\n" " (see to what users do files in /var/log belong)\n" " # find /var/log -type f -exec ls -l {} \\; | cut -c 26-34 |sort -u\n" " (see to what groups do files in /var/log belong)\n" " # find /var/log -perm +004\n" " (files which are readable by any user)\n" " # find /var/log \\! -group root \\! -group adm -exec ls -ld {} \\;\n" " (files which belong to groups not root or adm)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1803 msgid "" "To customize how log files are created you will probably have to customize " "the program that generates them. If the log file gets rotated, however, you " "can customize the behavior of creation and rotation." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1805 msgid "Adding kernel patches" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1808 msgid "" "Debian GNU/Linux provides some of the patches for the Linux kernel that " "enhance its security. These include:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1819 msgid "" " provided " "in the kernel-patch-2.4-lids package. This kernel patch " "makes the process of hardening your Linux system easier by allowing you to " "restrict, hide and protect processes, even from root. It implements " "mandatory access control capabilities." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1825 msgid "" ", " "provided in package trustees. This patch adds a decent " "advanced permissions management system to your Linux kernel. Special objects " "(called trustees) are bound to every file or directory, and are stored in " "kernel memory, which allows fast lookup of all permissions." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1837 msgid "" "NSA Enhanced Linux (in package selinux). Backports of the " "SElinux-enabled packages are available at . More information available at " ", at and SElinux " "websites." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1842 msgid "" "The provided in the " "kernel-patch-exec-shield package. This patch provides " "protection against some buffer overflows (stack smashing attacks)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1873 msgid "" "The , " "provided by the kernel-patch-2.4-grsecurity and " "kernel-patch-grsecurity2 packages

Notice " "that this patch conflicts with patches already included in Debian's 2.4 " "kernel source package. You will need to use the stock vanilla kernel. You " "can do this with the following steps: # apt-get install " "kernel-source-2.4.22 kernel-patch-debian-2.4.22 # tar xjf " "/usr/src/kernel-source-2.4.22.tar.bz2 # cd kernel-source-2.4.22 # " "/usr/src/kernel-patches/all/2.4.22/unpatch/debian

For more " "information see , " ", , , , , , and the

implements Mandatory " "Access Control through RBAC, provides buffer overflow protection through " "PaX, ACLs, network randomness (to make OS fingerprinting more difficult) and " "." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1885 msgid "" "The kernel-patch-adamantix provides the patches developed " "for , a " "Debian-based distribution. This kernel patch for the 2.4.x kernel releases " "introduces some security features such as a non-executable stack through the " "use of and " "mandatory access control based on . Other features include: , " "AES encrypted loop device, MPPE support and an IPSEC v2.6 backport." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1889 msgid "" "cryptoloop-source. This patch allows you to use the " "functions of the kernel crypto API to create encrypted filesystems using the " "loopback device." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1900 msgid "" "IPSEC kernel support (in package " "linux-patch-openswan). If you want to use the IPsec " "protocol with Linux, you need this patch. You can create VPNs with this " "quite easily, even to Windows machines, as IPsec is a common standard. IPsec " "capabilities have been added to the 2.5 development kernel, so this feature " "will be present by default in the future Linux Kernel 2.6. Homepage: . FIXME: The latest 2.4 kernels " "provided in Debian include a backport of the IPSEC code from 2.5. Comment on " "this." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1905 msgid "" "The following security kernel patches are only available for old kernel " "versions in woody and are deprecated:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1912 msgid "" " " "(ACLs) for Linux provided in the package " "kernel-patch-acl. This kernel patch adds access control " "lists, an advanced method for restricting access to files. It allows you to " "control fine-grained access to files and directories." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1922 msgid "" "The linux " "kernel patch by Solar Designer, provided in the " "kernel-patch-2.2.18-openwall package. This is a useful " "set of kernel restrictions, like restricted links, FIFOs in " "/tmp, a restricted /proc file system, special file " "descriptor handling, non-executable user stack area and other " "features. Note: This package applies to the 2.2 release, no packages are " "available for the 2.4 release patches provided by Solar." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1928 msgid "" "kernel-patch-int. This patch also adds cryptographic " "capabilities to the Linux kernel, and was useful with Debian releases up to " "Potato. It doesn't work with Woody, and if you are using Sarge or a newer " "version, you should use a more recent kernel which includes these features " "already." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1938 msgid "" "However, some patches have not been provided in Debian yet. If you feel that " "some of these should be included please ask for it at the ." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1940 msgid "Protecting against buffer overflows" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1953 msgid "" "Buffer overflow is the name of a common attack to software " "

So common, in fact, that they have been the basis of 20% of the " "reported security vulnerabilities every year, as determined by

which makes use of " "insufficient boundary checking (a programming error, most commonly in the C " "language) in order to execute machine code through program inputs. These " "attacks, against server software which listen to connections remotely and " "against local software which grant higher privileges to users " "(setuid or setgid) can result in the compromise of any " "given system." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1955 msgid "There are mainly four methods to protect against buffer overflows:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1961 msgid "" "patch the kernel to prevent stack execution. You can use either: " "Exec-shield, OpenWall or PaX (included in the Grsecurity and Adamantix " "patches)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1964 msgid "" "fix the source code by using tools to find fragments of it that might " "introduce this vulnerability." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1970 msgid "" "recompile the source code to introduce proper checks that prevent overflows, " "using the patch for GCC (which is used by " ")" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1977 msgid "" "Debian GNU/Linux, as of the 3.0 release, provides software to introduce all " "of these methods except for the protection on source code compilation (but " "this has been requested in )." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1984 msgid "" "Notice that even if Debian provided a compiler which featured stack/buffer " "overflow protection all packages would need to be recompiled in order to " "introduce this feature. This is, in fact, what the Adamantix distribution " "does (among other features). The effect of this new feature on the stability " "of software is yet to be determined (some programs or some processor " "architectures might break due to it)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1992 msgid "" "In any case, be aware that even these workarounds might not prevent buffer " "overflows since there are ways to circumvent these, as described in phrack's " "magazine or in CORE's Advisory ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1996 msgid "" "If you want to test out your buffer overflow protection once you have " "implemented it (regardless of the method) you might want to install the " "paxtest and run the tests it provides." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1998 msgid "Kernel patch protection for buffer overflows" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2007 msgid "" "Kernel patches related to buffer overflows include the Openwall patch, which " "provides protection against buffer overflows in 2.2 Linux kernels. For 2.4 " "or newer kernels, you need to use the Exec-shield implementation, or the PaX " "implementation (provided in the grsecurity patch, " "kernel-patch-2.4-grsecurity, and in the Adamantix patch, " "kernel-patch-adamantix). For more information on using " "these patches read the section ." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2009 msgid "Testing programs for overflows" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2018 msgid "" "The use of tools to detect buffer overflows requires, in any case, " "programming experience in order to fix (and recompile) the code. Debian " "provides, for example: bfbtester (a buffer overflow " "tester that brute-forces binaries through command line and environment " "overflows). Other packages of interest would also be " "rats, pscan, " "flawfinder and splint." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2020 msgid "Secure file transfers" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2027 msgid "" "During normal system administration one usually needs to transfer files in " "and out from the installed system. Copying files in a secure manner from a " "host to another can be achieved by using the ssh server " "package. Another possibility is the use of ftpd-ssl, a " "ftp server which uses the Secure Socket Layer to encrypt the " "transmissions." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2037 msgid "" "Any of these methods need special clients. Debian does provide client " "software, such as scp from the ssh package, " "which works like rcp but is encrypted completely, so the " "bad guys cannot even find out WHAT you copy. There is also a " "ftp-ssl package for the equivalent server. You can find " "clients for these software even for other operating systems (non-UNIX), " "putty and winscp provide secure copy " "implementations for any version of Microsoft's operating system." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2046 msgid "" "Note that using scp gives users access to the whole " "file system unless chroot'ed as described in . FTP access can be chroot'ed, probably " "more easily depending on your chosen daemon, as described in . If you are worried about users browsing your local files " "and want to have encrypted communication you can either use an ftp daemon " "with SSL support or combine clear-text ftp and a VPN setup (see )." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2048 msgid "File system limits and control" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2050 msgid "Using quotas" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2053 msgid "" "Having a good quota policy is important, as it keeps users from filling up " "the hard disk(s)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2059 msgid "" "You can use two different quota systems: user quota and group quota. As you " "probably figured out, user quota limits the amount of space a user can take " "up, group quota does the equivalent for groups. Keep this in mind when " "you're working out quota sizes." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2062 msgid "" "There are a few important points to think about in setting up a quota " "system:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2066 msgid "Keep the quotas small enough, so users do not eat up your disk space." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2069 msgid "" "Keep the quotas big enough, so users do not complain or their mail quota " "keeps them from accepting mail over a longer period." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2071 msgid "" "Use quotas on all user-writable areas, on /home as well as on " "/tmp." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2077 msgid "" "Every partition or directory to which users have full write access should be " "quota enabled. Calculate and assign a workable quota size for those " "partitions and directories which combines usability and security." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2084 msgid "" "So, now you want to use quotas. First of all you need to check whether you " "enabled quota support in your kernel. If not, you will need to recompile " "it. After this, check whether the package quota is " "installed. If not you will need this one as well." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2093 msgid "" "Enabling quota for the respective file systems is as easy as modifying the " "defaults setting to defaults,usrquota in your " "/etc/fstab file. If you need group quota, substitute " "usrquota to grpquota. You can also use them both. Then " "create empty quota.user and quota.group files in the roots of the file " "systems you want to use quotas on (e.g. touch /home/quota.user " "/home/quota.group for a /home file system)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2097 msgid "" "Restart quota by doing /etc/init.d/quota " "stop;/etc/init.d/quota start. Now quota should be running, and quota " "sizes can be set." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2104 msgid "" "Editing quotas for a specific user can be done by edquota -u " "<user>. Group quotas can be modified with edquota -g " "<group>. Then set the soft and hard quota and/or inode quotas as " "needed." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2109 msgid "" "For more information about quotas, read the quota man page, and the quota " "mini-howto (/usr/share/doc/HOWTO/en-html/mini/Quota.html). You " "may also want to look at pam_limits.so." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2112 msgid "The ext2 filesystem specific attributes (chattr/lsattr)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2125 msgid "" "In addition to the usual Unix permissions, the ext2 and ext3 filesystems " "offer a set of specific attributes that give you more control over the files " "on your system. Unlike the basic permissions, these attributes are not " "displayed by the usual ls -l command or changed using " "chmod, and you need two other utilities, lsattr " "and chattr (in package e2fsprogs) to manage " "them. Note that this means that these attributes will usually not be saved " "when you backup your system, so if you change any of them, it may be worth " "saving the successive chattr commands in a script so that you " "can set them again later if you have to restore a backup." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2130 msgid "" "Among all available attributes, the two that are most important for " "increasing security are referenced by the letters 'i' and 'a', and they can " "only be set (or removed) by the superuser:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2135 msgid "" "The 'i' attribute ('immutable'): a file with this attribute can neither be " "modified nor deleted or renamed and no link can be created to it, even by " "the superuser." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2142 msgid "" "The 'a' attribute ('append'): this attribute has the same effect as the " "immutable attribute, except that you can still open the file in append " "mode. This means that you can still add more content to it but it is " "impossible to modify previous content. This attribute is especially useful " "for the log files stored in /var/log/, though you should " "consider that they get moved sometimes due to the log rotation scripts." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2150 msgid "" "These attributes can also be set for directories, in which case everyone is " "denied the right to modify the contents of a directory list (e.g. rename or " "remove a file, ...). When applied to a directory, the append attribute only " "allows file creation." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2167 msgid "" "It is easy to see how the 'a' attribute improves security, by giving to " "programs that are not running as the superuser the ability to add data to a " "file without modifying its previous content. On the other hand, the 'i' " "attribute seems less interesting: after all, the superuser can already use " "the basic Unix permissions to restrict access to a file, and an intruder " "that would get access to the superuser account could always use the " "chattr program to remove the attribute. Such an intruder may " "first be confused when he sees that he is not able to remove a file, but you " "should not assume that he is blind - after all, he got into your system! " "Some manuals (including a previous version of this document) suggest to " "simply remove the chattr and lsattr programs from " "the system to increase security, but this kind of strategy, also known as " "\"security by obscurity\", is to be absolutely avoided, since it provides a " "false sense of security." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2176 msgid "" "A secure way to solve this problem is to use the capabilities of the Linux " "kernel, as described in . The capability of interest " "here is called CAP_LINUX_IMMUTABLE: if you remove it from the " "capabilities bounding set (using for example the command lcap " "CAP_LINUX_IMMUTABLE) it won't be possible to change any 'a' or 'i' " "attribute on your system anymore, even by the superuser ! A complete " "strategy could be as follows:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2177 msgid "Set the attributes 'a' and 'i' on any file you want;" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2182 msgid "" "Add the command lcap CAP_LINUX_IMMUTABLE (as well as lcap " "CAP_SYS_MODULE, as suggested in ) to one of the " "startup scripts;" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2184 msgid "" "Set the 'i' attribute on this script and other startup files, as well as on " "the lcap binary itself;" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2187 msgid "" "Execute the above command manually (or reboot your system to make sure " "everything works as planned)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2201 msgid "" "Now that the capability has been removed from the system, an intruder cannot " "change any attribute on the protected files, and thus cannot change or " "remove the files. If he forces the machine to reboot (which is the only way " "to restore the capabilities bounding set), it will easily be detected, and " "the capability will be removed again as soon as the system restarts " "anyway. The only way to change a protected file would be to boot the system " "in single-user mode or using another bootdisk, two operations that require " "physical access to the machine !" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2203 msgid "Checking file system integrity" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2208 msgid "" "Are you sure /bin/login on your hard drive is still the binary " "you installed there some months ago? What if it is a hacked version, which " "stores the entered password in a hidden file or mails it in clear-text " "version all over the Internet?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2220 msgid "" "The only method to have some kind of protection is to check your files every " "hour/day/month (I prefer daily) by comparing the current and the old md5sum " "of this file. Two files cannot have the same md5sum (the MD5 digest is 128 " "bits, so the chance that two different files will have the same md5sum is " "roughly one in 3.4e3803), so you're on the safe side here, unless someone " "has also hacked the algorithm that creates md5sums on that machine. This is, " "well, extremely difficult and very unlikely. You really should consider this " "auditing of your binaries as very important, since it is an easy way to " "recognize changes to your binaries." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2231 msgid "" "Common tools used for this are sxid, " "aide (Advanced Intrusion Detection Environment), " "tripwire, integrit and " "samhain. Installing debsums will also help " "you to check the file system integrity, by comparing the md5sums of every " "file against the md5sums used in the Debian package archive. But beware: " "those files can easily be changed by an attacker and not all packages " "provide md5sums listings for the binaries they provided. For more " "information please read and ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2250 msgid "" "You might want to use locate to index the whole filesystem, if " "so, consider the implications of that. The Debian " "findutils package contains locate which runs " "as user nobody, and so it only indexes files which are visible to " "everybody. However, if you change its behaviour you will make all file " "locations visible to all users. If you want to index all the filesystem (not " "only the parts that the user nobody can see) you can replace locate " "with the package slocate. slocate is labeled as a " "security enhanced version of GNU locate, but it actually provides additional " "file-locating functionality. When using slocate, the user only " "sees the files he really has access to and you can exclude any files or " "directories on the system. The slocate package runs its " "update process with higher privileges than locate, and indexes every " "file. Users are then able to quickly search for every file which they are " "able to see. slocate doesn't let them see new files; it filters " "the output based on your UID." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2258 msgid "" "You might want to use bsign or " "elfsign. elfsign provides a utility " "to add a digital signature to an ELF binary and a second utility to verify " "that signature. The current implementation uses PKI to sign the checksum of " "the binary. The benefits of doing this are that it enables one to determine " "if a binary has been modified and who created it. bsign " "uses GPG, elfsign uses PKI (X.509) certificates " "(OpenSSL)." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2260 msgid "Setting up setuid check" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2270 msgid "" "The Debian checksecurity package provides a " "cron job that runs daily in " "/etc/cron.daily/checksecurity

In previous " "releases, checksecurity was integrated into cron and the file was " "/etc/cron.daily/standard

. This cron " "job will run the /usr/sbin/checksecurity script that will store " "information about these changes." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2277 msgid "" "The default behavior does not send this information to the superuser but, " "instead keeps daily copies of the changes in " "/var/log/setuid.changes. You should set the MAILTO variable (in " "/etc/checksecurity.conf) to 'root' to have this information " "mailed to him. See for more " "configuration info." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2279 msgid "Securing network access" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2281 msgid "FIXME: More (Debian-specific) content needed." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2283 msgid "Configuring kernel network features" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2294 msgid "" "Many features of the kernel can be modified while running by echoing " "something into the /proc file system or by using " "sysctl. By entering /sbin/sysctl -A you can see what " "you can configure and what the options are, and it can be modified running " "/sbin/sysctl -w variable=value (see ). Only in rare cases do you need to edit something here, " "but you can increase security that way as well. For example:" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2296 #, no-wrap msgid "net/ipv4/icmp_echo_ignore_broadcasts = 1" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2303 msgid "" "This is a Windows emulator because it acts like Windows on " "broadcast ping if this option is set to 1. That is, ICMP echo requests sent " "to the broadcast address will be ignored. Otherwise, it does nothing." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2306 msgid "" "If you want to prevent your system from answering ICMP echo requests, just " "enable this configuration option:" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2308 #, no-wrap msgid "net/ipv4/icmp_echo_ignore_all = 1" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2313 msgid "" "To log packets with impossible addresses (due to wrong routes) on your " "network use:" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2315 #, no-wrap msgid "/proc/sys/net/ipv4/conf/all/log_martians = 1" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2327 msgid "" "For more information on what things can be done with " "/proc/sys/net/ipv4/* read " "/usr/src/linux/Documentation/filesystems/proc.txt. All the " "options are described thoroughly under " "/usr/src/linux/Documentation/networking/ip-sysctl.txt " "

In Debian the " "kernel-source-version packages copy the " "sources to /usr/src/kernel-source-version.tar.bz2, " "just substitute version to whatever kernel version sources you " "have installed

." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2330 msgid "Configuring syncookies" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2339 msgid "" "This option is a double-edged sword. On the one hand it protects your system " "against syn packet flooding; on the other hand it violates defined standards " "(RFCs)." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2341 #, no-wrap msgid "net/ipv4/tcp_syncookies = 1" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2349 msgid "" "If you want this option to be set every time the kernel is booted you need " "to change it in /etc/network/options by setting " "syncookies=yes. This will take effect whenever " "/etc/init.d/networking is run (which is typically done at boot " "time) while the following will have a one-time effect until the reboot:" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2351 #, no-wrap msgid "echo 1 > /proc/sys/net/ipv4/tcp_syncookies" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2357 msgid "" "This option will only be available if the kernel is compiled with the " "CONFIG_SYNCOOKIES. All Debian kernels are compiled with this option " "builtin but you can verify it running:" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2360 #, no-wrap msgid "" "$ sysctl -A |grep syncookies\n" "net/ipv4/tcp_syncookies = 1" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2365 msgid "" "For more information on TCP syncookies read ." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2367 msgid "Securing the network on boot-time" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2372 msgid "" "When setting configuration options for the kernel networking you need to " "configure it so that it's loaded every time the system is restarted. The " "following example enables many of the previous options as well as other " "useful options." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2379 msgid "" "There are actually two ways to configure your network at boot time. You can " "configure /etc/sysctl.conf (see: ) or introduce a script that is called when the " "interface is enabled. The first option will be applied to all interfaces, " "whereas the second option allows you to configure this on a per-interface " "basis." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2382 msgid "" "An example of a /etc/sysctl.conf configuration that will secure " "some network options at the kernel level is shown below. Notice the comment " "in it, /etc/network/options might override some values if they " "contradict those in this file when the /etc/init.d/networking " "is run (which is later than procps on the startup sequence)." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2435 #, no-wrap msgid "" "#\n" "# /etc/sysctl.conf - Configuration file for setting system variables\n" "# See sysctl.conf (5) for information. Also see the files under\n" "# Documentation/sysctl/, Documentation/filesystems/proc.txt, and\n" "# Documentation/networking/ip-sysctl.txt in the kernel sources \n" "# (/usr/src/kernel-$version if you have a kernel-package installed)\n" "# for more information of the values that can be defined here.\n" "\n" "#\n" "# Be warned that /etc/init.d/procps is executed to set the following\n" "# variables. However, after that, /etc/init.d/networking sets some\n" "# network options with builtin values. 
These values may be overridden\n" "# using /etc/network/options.\n" "#\n" "#kernel.domainname = example.com\n" "\n" "# Additional settings - adapted from the script contributed\n" "# by Dariusz Puchala (see below)\n" "# Ignore ICMP broadcasts\n" "net/ipv4/icmp_echo_ignore_broadcasts = 1\n" "#\n" "# Ignore bogus ICMP errors\n" "net/ipv4/icmp_ignore_bogus_error_responses = 1\n" "# \n" "# Do not accept ICMP redirects (prevent MITM attacks)\n" "net/ipv4/conf/all/accept_redirects = 0\n" "# _or_\n" "# Accept ICMP redirects only for gateways listed in our default\n" "# gateway list (enabled by default)\n" "# net/ipv4/conf/all/secure_redirects = 1\n" "#\n" "# Do not send ICMP redirects (we are not a router)\n" "net/ipv4/conf/all/send_redirects = 0\n" "#\n" "# Do not forward IP packets (we are not a router)\n" "# Note: Make sure that /etc/network/options has 'ip_forward=no'\n" "net/ipv4/conf/all/forwarding = 0\n" "#\n" "# Enable TCP Syn Cookies\n" "# Note: Make sure that /etc/network/options has 'syncookies=yes'\n" "net/ipv4/tcp_syncookies = 1\n" "#\n" "# Log Martian Packets\n" "net/ipv4/conf/all/log_martians = 1\n" "#\n" "# Turn on Source Address Verification in all interfaces to\n" "# prevent some spoofing attacks\n" "# Note: Make sure that /etc/network/options has 'spoofprotect=yes'\n" "net/ipv4/conf/all/rp_filter = 1\n" "#\n" "# Do not accept IP source route packets (we are not a router)\n" "net/ipv4/conf/all/accept_source_route = 0" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2442 msgid "" "To use the script you need to first create the script, for example, in " "/etc/network/interface-secure (the name is given as an example) " "and call it from /etc/network/interfaces like this:" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2450 #, no-wrap msgid "" "auto eth0\n" "iface eth0 inet static\n" " address xxx.xxx.xxx.xxx\n" " netmask 255.255.255.xxx\n" " broadcast xxx.xxx.xxx.xxx\n" " gateway xxx.xxx.xxx.xxx\n" " pre-up /etc/network/interface-secure" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2455 msgid "" "In this example, before the interface eth0 is enabled the script will be " "called to secure all network interfaces as shown below." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2486 #, no-wrap msgid "" "#!/bin/sh -e\n" "# Script-name: /etc/network/interface-secure\n" "#\n" "# Modifies some default behavior in order to secure against \n" "# some TCP/IP spoofing & attacks for all interfaces.\n" "#\n" "# Contributed by Dariusz Puchalak.\n" "#\n" "echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts \n" " # Broadcast echo protection " "enabled.\n" "echo 0 > /proc/sys/net/ipv4/conf/all/forwarding\n" " # IP forwarding disabled.\n" "echo 1 > /proc/sys/net/ipv4/tcp_syncookies # TCP syn cookies protection " "enabled.\n" "echo 1 >/proc/sys/net/ipv4/conf/all/log_martians # Log strange packets.\n" "# (this includes spoofed packets, source routed packets, redirect packets)\n" "# but be careful with this on heavy loaded web servers.\n" "echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses \n" " # Bad error message protection " "enabled.\n" "\n" "# IP spoofing protection.\n" "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter\n" "\n" "# Disable ICMP redirect acceptance.\n" "echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects\n" "echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects\n" "\n" "# Disable source routed packets.\n" "echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route\n" "\n" "exit 0" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2492 msgid "" "Notice that you can actually have per-interface scripts that will enable " "different network options for different interfaces (if you have more than " "one), just change the pre-up line to:" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2494 #, no-wrap msgid "pre-up /etc/network/interface-secure $IFACE" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2501 msgid "" "And use a script which will only apply changes to a specific interface, not " "to all of the interfaces available. Notice that some networking options can " "only be enabled globally, however. A sample script is this one:" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2539 #, no-wrap msgid "" "#!/bin/sh -e\n" "# Script-name: /etc/network/interface-secure\n" "#\n" "# Modifies some default behavior in order to secure against \n" "# some TCP/IP spoofing & attacks for a given interface.\n" "#\n" "# Contributed by Dariusz Puchalak.\n" "#\n" "\n" "IFACE=$1\n" "if [ -z \"$IFACE\" ] ; then\n" " echo \"$0: Must give an interface name as argument!\"\n" " echo \"Usage: $0 <interface>\"\n" " exit 1\n" "fi\n" "\n" "if [ ! -e /proc/sys/net/ipv4/conf/$IFACE/ ]; then\n" " echo \"$0: Interface $IFACE does not exit (cannot find " "/proc/sys/net/ipv4/conf/)\"\n" " exit 1\n" "fi\n" "\n" "echo 0 > /proc/sys/net/ipv4/conf/$IFACE/forwarding # IP forwarding " "disabled.\n" "echo 1 >/proc/sys/net/ipv4/conf/$IFACE/log_martians # Log strange packets.\n" "# (this includes spoofed packets, source routed packets, redirect packets)\n" "# but be careful with this on heavy loaded web servers.\n" "\n" "# IP spoofing protection.\n" "echo 1 > /proc/sys/net/ipv4/conf/$IFACE/rp_filter\n" "\n" "# Disable ICMP redirect acceptance.\n" "echo 0 > /proc/sys/net/ipv4/conf/$IFACE/accept_redirects\n" "echo 0 > /proc/sys/net/ipv4/conf/$IFACE/send_redirects\n" "\n" "# Disable source routed packets.\n" "echo 0 > /proc/sys/net/ipv4/conf/$IFACE/accept_source_route\n" "\n" "exit 0" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2546 msgid "" "An alternative solution is to create an init.d script and have it " "run on bootup (using update-rc.d to create the appropriate " "rc.d links)." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2548 msgid "Configuring firewall features" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2555 msgid "" "In order to have firewall capabilities, either to protect the local system " "or others behind it, the kernel needs to be compiled with firewall " "capabilities. The standard Debian 2.2 kernel (Linux 2.2) provides the packet " "filter ipchains firewall, Debian 3.0 standard kernel (Linux " "2.4) provides the stateful packet filter iptables " "(netfilter) firewall." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2562 msgid "" "In any case, it is pretty easy to use a kernel different from the one " "provided by Debian. You can find pre-compiled kernels as packages you can " "easily install in the Debian system. You can also download the kernel " "sources using the kernel-source-X and build " "custom kernel packages using make-kpkg from the " "kernel-package package." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2566 msgid "" "Setting up firewalls in Debian is discussed more thoroughly in ." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2570 msgid "Disabling weak-end hosts issues" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2594 msgid "" "Systems with more than one interface on different networks can have services " "configured so that they will bind only to a given IP address. This usually " "prevents access to services when requested through any other " "address. However, this does not mean (although it is a common misconception) " "that the service is bound to a given hardware address (interface " "card).

To reproduce this (example provided by Felix von Leitner " "on the Bugtraq mailing list): host a (eth0 connected to eth0 of " "host b): ifconfig eth0 10.0.0.1 ifconfig eth1 23.0.0.1 tcpserver -RHl " "localhost 23.0.0.1 8000 echo fnord host b: ifconfig eth0 10.0.0.2 route add " "23.0.0.1 gw 10.0.0.1 telnet 23.0.0.1 8000

It seems, however, " "not to work with services bound to 127.0.0.1, you might need to write the " "tests using raw sockets.

" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2600 msgid "" "This is not an ARP issue and it's not an RFC violation (it's called weak " "end host in , section 3.3.4.2). Remember, IP addresses have nothing to " "do with physical interfaces." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2601 msgid "On 2.2 (and previous) kernels this can be fixed with:" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2606 #, no-wrap msgid "" "# echo 1 > /proc/sys/net/ipv4/conf/all/hidden\n" "# echo 1 > /proc/sys/net/ipv4/conf/eth0/hidden\n" "# echo 1 > /proc/sys/net/ipv4/conf/eth1/hidden\n" "....." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2608 msgid "On later kernels this can be fixed either with:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2610 msgid "iptables rules." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2625 msgid "" "properly configured routing.

The fact that this behavior can be " "changed through routing was described by Matthew G. Marsh in the Bugtraq " "thread: eth0 = 1.1.1.1/24 eth1 = 2.2.2.2/24 ip rule add from " "1.1.1.1/32 dev lo table 1 prio 15000 ip rule add from 2.2.2.2/32 dev lo " "table 2 prio 16000 ip route add default dev eth0 table 1 ip route add " "default dev eth1 table 2

" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2632 msgid "" "kernel patching.

There are some patches available for this " "behavior as described in Bugtraq's thread at and .

" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2647 msgid "" "Along this text there will be many occasions in which it is shown how to " "configure some services (sshd server, apache, printer service...) in order " "to have them listening on any given address, the reader should take into " "account that, without the fixes given here, the fix would not prevent " "accesses from within the same (local) network.

An attacker " "might have many problems pulling the access through after configuring the " "IP-address binding if he is not on the same broadcast domain (same network) " "as the attacked host. If the attack goes through a router it might be quite " "difficult for the answers to return somewhere.

" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2650 msgid "" "FIXME: Comments on Bugtraq indicate there is a Linux specific method to bind " "to a given interface." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2653 msgid "" "FIXME: Submit a bug against netbase so that the routing fix is standard " "behavior in Debian?" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2655 msgid "Protecting against ARP attacks" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2659 msgid "" "When you don't trust the other boxes on your LAN (which should always be the " "case, because it's the safest attitude) you should protect yourself from the " "various existing ARP attacks." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2670 msgid "" "As you know the ARP protocol is used to link IP addresses to MAC addresses " "(see for " "all the details). Every time you send a packet to an IP address an ARP " "resolution is done (first by looking into the local ARP cache then if the IP " "isn't present in the cache by broadcasting an ARP query) to find the " "target's hardware address. All the ARP attacks aim to fool your box into " "thinking that box B's IP address is associated with the intruder's box's MAC " "address; then every packet that you want to send to the IP associated with box " "B will be sent to the intruder's box..." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2678 msgid "" "Those attacks (ARP cache poisoning, ARP spoofing...) allow the attacker to " "sniff the traffic even on switched networks, to easily hijack connections, " "to disconnect any host from the network... ARP attacks are powerful and " "simple to implement, and several tools exist, such as arpspoof " "from the dsniff package or ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2680 msgid "However, there is always a solution:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2685 msgid "" "Use a static ARP cache. You can set up \"static\" entries in your ARP cache " "with:" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2687 #, no-wrap msgid " arp -s host_name hdwr_addr" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2695 msgid "" "By setting static entries for each important host in your network you ensure " "that nobody will create/modify a (fake) entry for these hosts (static " "entries don't expire and can't be modified) and spoofed ARP replies will be " "ignored." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2701 msgid "" "Detect suspicious ARP traffic. You can use arpwatch, " "karpski or more general IDS that can also detect " "suspicious ARP traffic (snort, ...)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2702 msgid "Implement IP traffic filtering validating the MAC address." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2707 msgid "Taking a snapshot of the system" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2713 msgid "" "Before putting the system into production you could take a snapshot " "of the whole system. This snapshot could be used in the event of a " "compromise (see ). You should redo this " "snapshot whenever the system is upgraded, especially if you upgrade to a new " "Debian release." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2719 msgid "" "For this you can use a writable removable medium that can be set up " "read-only, this could be a floppy disk (write-protected after use), a CD on a " "CD-ROM unit (you could use a rewritable CD-ROM so you could even keep " "backups of md5sums from different dates), or a USB disk or MMC card (if your " "system can access those and they can be write protected)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2721 msgid "The following script creates such a snapshot:" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2751 #, no-wrap msgid "" "#!/bin/bash\n" "/bin/mount /dev/fd0 /mnt/floppy\n" "trap \"/bin/umount /dev/fd0\" 0 1 2 3 9 13 15\n" "if [ ! -f /usr/bin/md5sum ] ; then\n" "\techo \"Cannot find md5sum. Aborting.\"\n" "\texit 1\n" "fi\n" "/bin/cp /usr/bin/md5sum /mnt/floppy\n" "echo \"Calculating md5 database\"\n" ">/mnt/floppy/md5checksums.txt\n" "for dir in /bin/ /sbin/ /usr/bin/ /usr/sbin/ /lib/ /usr/lib/\n" "do\n" " find $dir -type f | xargs /usr/bin/md5sum " ">>/mnt/floppy/md5checksums-lib.txt\n" "done\n" "echo \"post installation md5 database calculated\"\n" "if [ ! -f /usr/bin/sha1sum ] ; then\n" "\techo \"Cannot find sha1sum\"\n" " echo \"WARNING: Only md5 database will be stored\"\n" "else\n" "\t/bin/cp /usr/bin/sha1sum /mnt/floppy\n" "\techo \"Calculating SHA-1 database\"\n" "\t>/mnt/floppy/sha1checksums.txt\n" "\tfor dir in /bin/ /sbin/ /usr/bin/ /usr/sbin/ /lib/ /usr/lib/\n" "\tdo\n" "\t find $dir -type f | xargs /usr/bin/sha1sum " ">>/mnt/floppy/sha1checksums-lib.txt\n" "\tdone\n" "\techo \"post installation sha1 database calculated\"\n" "fi\n" "exit 0" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2765 msgid "" "Note that the md5sum binary (and sha1sum, if available) is placed on the " "floppy drive so it can be used later on to check the binaries of the system " "(just in case it gets trojaned). However, if you want to make sure that you " "are running a legitimate binary, you might want to either compile a static " "copy of the md5sum binary and use that one (to prevent a trojaned libc " "library from interfering with the binary) or to use the snapshot of md5sums " "only from a clean environment such as a rescue CD-ROM or a Live-CD (to " "prevent a trojaned kernel from interfering). I cannot stress this enough: if " "you are on a compromised system you cannot trust its output, see ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2770 msgid "" "The snapshot does not include the files under " "/var/lib/dpkg/info which includes the MD5 hashes of installed " "packages (in files ending with .md5sums). You could copy this " "information along too, however you should notice:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2779 msgid "" "the md5sums files include the md5sum of all files provided by the Debian " "packages, not just system binaries. As a consequence, that database is " "bigger (5 Mb versus 600 Kb in a Debian GNU/Linux system with a graphical " "system and around 2.5 Gb of software installed) and will not fit in small " "removable media (like a single floppy disk, but would probably fit in a " "removable USB memory)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2783 msgid "" "not all Debian packages provide md5sums for the files installed since it is " "not (currently) mandated policy. Notice, however, that you can generate the " "md5sums for all packages using debsums after you've " "finished the system installation:" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2785 #, no-wrap msgid "# debsums --generate=missing,keep" msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2794 msgid "" "Once the snapshot is done you should make sure to set the medium " "read-only. You can then store it for backup or place it in the drive and use " "it to drive a cron check nightly comparing the original md5sums " "against those on the snapshot." msgstr "" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2798 msgid "" "If you do not want to setup a manual check you can always use any of the " "integrity systems available that will do this and more, for more information " "please read ." msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2802 msgid "Other recommendations" msgstr "" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2804 msgid "Do not use software depending on svgalib" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:3 msgid "" "SVGAlib is very nice for console lovers like me, but in the past it has been " "shown several times to be very insecure. Exploits against " "zgv were released, and it was simple to become root. Avoid " "using SVGAlib programs wherever possible." msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:5 msgid "Securing services running on your system" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:7 msgid "Services can be secured in a running system in two ways:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:12 msgid "" "Making them only accessible at the access points (interfaces) they need to " "be in." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:15 msgid "" "Configuring them properly so that they can only be used by legitimate users " "in an authorized manner." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:24 msgid "" "Restricting services so that they can only be accessed from a given place " "can be done by restricting access to them at the kernel (i.e. firewall) " "level, configure them to listen only on a given interface (some services " "might not provide this feature) or using some other methods, for example the " "Linux vserver patch (for 2.4.16) can be used to force processes to use only " "one interface." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:35 msgid "" "Regarding the services running from inetd (telnet, " "ftp, finger, pop3...) it is worth " "noting that inetd can be configured so that services only " "listen on a given interface (using service@ip syntax) but that's an " "undocumented feature. One of its substitutes, the xinetd " "meta-daemon includes a bind option just for this matter. See " "." msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:48 #, no-wrap msgid "" "service nntp\n" "{\n" " socket_type = stream\n" " protocol = tcp\n" " wait = no\n" " user = news\n" " group = news\n" " server = /usr/bin/env\n" " server_args = POSTING_OK=1 " "PATH=/usr/sbin/:/usr/bin:/sbin/:/bin\n" "+/usr/sbin/snntpd logger -p news.info\n" " bind = 127.0.0.1\n" "}" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:54 msgid "" "The following sections detail how specific individual services can be " "configured properly depending on their intended use." msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:55 msgid "Securing ssh" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:63 msgid "" "If you are still running telnet instead of ssh, you should take a break from " "this manual and change this. Ssh should be used for all remote logins " "instead of telnet. In an age where it is easy to sniff Internet traffic and " "get clear-text passwords, you should use only protocols which use " "cryptography. So, perform an apt-get install ssh on your system " "now." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:71 msgid "" "Encourage all the users on your system to use ssh instead of telnet, or even " "better, uninstall telnet/telnetd. In addition you should avoid logging into " "the system using ssh as root and use alternative methods to become root " "instead, like su or sudo. Finally, the " "sshd_config file, in /etc/ssh, should be modified " "to increase security as well:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:71 msgid "ListenAddress 192.168.0.1" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:77 msgid "" "Have ssh listen only on a given interface, just in case you have more than " "one (and do not want ssh available on it) or in the future add a new network " "card (and don't want ssh connections from it)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:79 msgid "PermitRootLogin no" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:83 msgid "" "Do not permit root login wherever possible. If anyone wants to become " "root via ssh, two logins are now needed (an unprivileged login followed by " "su or sudo), the root password cannot be brute forced via SSH, and the " "logs show which individual account became root." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:85 msgid "Port 666 or ListenAddress 192.168.0.1:666" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:89 msgid "" "Change the listen port, so that an intruder cannot immediately tell whether a " "sshd daemon runs. Be forewarned: this is security by obscurity. A port scan " "will still find the daemon, so at best this reduces the noise from automated " "brute-force attempts; it is no substitute for the other settings here." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:90 msgid "PermitEmptyPasswords no" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:92 msgid "Empty passwords make a mockery of system security." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:93 msgid "AllowUsers alex ref me@somewhere" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:97 msgid "" "Allow only certain users to have access via ssh to this " "machine. The user@host form can also be used to restrict a given user to " "connecting only from a given host." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:98 msgid "AllowGroups wheel admin" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:103 msgid "" "Allow only certain group members to have access via ssh to this " "machine. AllowGroups and AllowUsers have equivalent directives for denying " "access to a machine. Not surprisingly they are called \"DenyUsers\" and " "\"DenyGroups\"." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:105 msgid "PasswordAuthentication yes" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:117 msgid "" "It is completely your choice what you want to do. It is more secure to only " "allow access to the machine to users with ssh keys placed in the " "~/.ssh/authorized_keys file, since keys cannot be guessed by online " "brute force the way passwords can. If you want this, set this option to " "\"no\" (after making sure every administrator already has a working key, or " "you will lock yourself out)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:124 msgid "" "Disable any form of authentication you do not really need. If you do not " "use, for example, RhostsRSAAuthentication, " "HostbasedAuthentication, KerberosAuthentication or " "RhostsAuthentication, you should disable them explicitly, even if they are " "already disabled by default (see the manpage )." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:125 msgid "Protocol 2" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:131 msgid "" "Disable the protocol version 1, since it has some design flaws that make it " "easier to crack passwords. For more information read or the ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:132 msgid "Banner /etc/some_file" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:137 msgid "" "Add a banner (it will be retrieved from the file) to users connecting to the " "ssh server. In some countries sending a warning before access to a given " "system about unauthorized access or user monitoring should be added to have " "legal protection." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:145 msgid "" "You can also restrict access to the ssh server using pam_listfile " "or pam_wheel in the PAM control file. For example, you could keep " "anyone not listed in /etc/loginusers away by adding this line " "to /etc/pam.d/ssh:" msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:147 #, no-wrap msgid "" "auth required pam_listfile.so sense=allow onerr=fail item=user " "file=/etc/loginusers" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:159 msgid "" "As a final note, be aware that these directives are from an OpenSSH " "configuration file. At the time of writing there were three commonly used SSH daemons: " "ssh1, ssh2, and OpenSSH by the OpenBSD people. Ssh1 was the first ssh daemon " "available and was for a long time the most commonly used (there are rumors that " "there is even a Windows port). Ssh2 has many advantages over ssh1 except that it " "is released under a closed-source license. OpenSSH is a completely free ssh " "daemon, which supports both the ssh1 and ssh2 protocols. OpenSSH is the version installed " "on Debian when the package ssh is chosen." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:164 msgid "" "You can read more information on how to set up SSH with PAM support in the " "." msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:165 msgid "Chrooting ssh" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:176 msgid "" "At the time of writing, OpenSSH did not provide a way to automatically chroot users upon " "connection (the commercial version does provide this functionality). However " "there is a project to provide this functionality for OpenSSH too, see , it is not currently packaged for " "Debian, though. Check whether the OpenSSH version you run already offers a " "native chroot option before relying on an external patch. You could also use the pam_chroot module " "as described in ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:179 msgid "" "In you can find several options to make a chroot " "environment for SSH." msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:181 msgid "Ssh clients" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:187 msgid "" "If you are using an SSH client against the SSH server you must make sure " "that it supports the same protocols that are enforced on the server. For " "example, if you use the mindterm package, it only " "supports protocol version 1. However, the sshd server is, by default, " "configured to only accept version 2 (for security reasons). In that case " "replace the client rather than re-enabling protocol 1 on the server, which " "would weaken security for every user of that server." msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:189 msgid "Disallowing file transfers" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:195 msgid "" "If you do not want users to transfer files to and from the ssh " "server you need to restrict access to the sftp-server " "and the scp access. You can restrict " "sftp-server by configuring the proper Subsystem in the " "/etc/ssh/sshd_config." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:199 msgid "" "You can also chroot users (using libpam-chroot) so that, " "even if file transfer is allowed, they are limited to an environment which " "does not include any system files." msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:201 msgid "Restricting access to file transfer only" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:205 msgid "" "You might want to restrict access to users so that they can only do file " "transfers and cannot have interactive shells. In order to do this you can " "either:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:210 msgid "" "disallow users from login to the ssh server (as described above either " "through the configuration file or PAM configuration)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:215 msgid "" "give users a restricted shell such as scponly or " "rssh. These shells restrict the commands available to the " "users so that they are not provided any remote execution privileges." msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:219 msgid "Securing Squid" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:242 msgid "" "Squid is one of the most popular proxy/cache servers, and there are some " "security issues that should be taken into account. Squid's default " "configuration file denies all user requests. However the Debian package " "allows access from 'localhost'; you just need to configure your browser " "properly. You should configure Squid to allow access only to trusted users, hosts " "or networks by defining an Access Control List in " "/etc/squid/squid.conf, see the for more information about defining ACL rules. Notice that " "Debian provides a minimum configuration for Squid that will prevent " "anything except localhost from connecting to your proxy server " "(which will run on the default port 3128). You will need to customize your " "/etc/squid/squid.conf as needed. The recommended minimum " "configuration (provided with the package) is shown below:" msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:282 #, no-wrap msgid "" "acl all src 0.0.0.0/0.0.0.0\n" "acl manager proto cache_object\n" "acl localhost src 127.0.0.1/255.255.255.255\n" "acl SSL_ports port 443 563\n" "acl Safe_ports port 80 # http\n" "acl Safe_ports port 21 # ftp\n" "acl Safe_ports port 443 563 # https, snews\n" "acl Safe_ports port 70 # gopher\n" "acl Safe_ports port 210 # wais\n" "acl Safe_ports port 1025-65535 # unregistered ports\n" "acl Safe_ports port 280 # http-mgmt\n" "acl Safe_ports port 488 # gss-http\n" "acl Safe_ports port 591 # filemaker\n" "acl Safe_ports port 777 # multiling http\n" "acl Safe_ports port 901 # SWAT\n" "acl purge method PURGE\n" "acl CONNECT method CONNECT\n" "(...)\n" "# Only allow cachemgr access from localhost\n" "http_access allow manager localhost\n" "http_access deny manager\n" "# Only allow purge requests from localhost\n" "http_access allow purge localhost\n" "http_access deny purge\n" "# Deny requests to unknown ports\n" "http_access deny !Safe_ports\n" "# Deny CONNECT to other 
than SSL ports\n" "http_access deny CONNECT !SSL_ports\n" "#\n" "# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS\n" "#\n" "http_access allow localhost\n" "# And finally deny all other access to this proxy\n" "http_access deny all\n" "#Default:\n" "# icp_access deny all\n" "#\n" "#Allow ICP queries from everyone\n" "icp_access allow all" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:288 msgid "" "You should also configure Squid based on your system resources, including " "cache memory (option cache_mem), location of the cached files and " "the amount of space they will take up on disk (option cache_dir)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:294 msgid "" "Notice that, if not properly configured, someone may relay a mail message " "through Squid, since a proxy that forwards requests (or CONNECT tunnels) to " "port 25 can be used to talk to an SMTP server. Squid's default configuration " "file denies access to port 25. If " "you wish to allow connections to port 25 just add it to the Safe_ports " "list. However, this is NOT recommended. Similarly, the icp_access allow " "all line at the end of the sample configuration accepts ICP queries from any " "host; unless you run a cache hierarchy, deny ICP or restrict it to your peers." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:301 msgid "" "Setting and configuring the proxy/cache server properly is only part of " "keeping your site secure. Another necessary task is to analyze Squid's logs " "to assure that all things are working as they should be working. There are " "some packages in Debian GNU/Linux that can help an administrator to do " "this. The following packages are available in Debian 3.0 and Debian 3.1 " "(sarge):" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:304 msgid "" "calamaris - Log analyzer for Squid or Oops proxy log " "files." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:305 msgid "modlogan - A modular logfile analyzer." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:306 msgid "sarg - Squid Analysis Report Generator." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:307 msgid "squidtaild - Squid log monitoring program." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:318 msgid "" "When using Squid in Accelerator Mode it acts as a web server too. Turning on " "this option increases code complexity, making it less reliable. By default " "Squid is not configured to act as a web server, so you don't need to worry " "about this. Note that if you want to use this feature be sure that it is " "really necessary. To find more information about Accelerator Mode on Squid " "see the " msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:320 msgid "Securing FTP" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:329 msgid "" "If you really have to use FTP (without wrapping it with sslwrap or inside a " "SSL or SSH tunnel), you should chroot ftp into the ftp users' home " "directory, so that the user is unable to see anything else than their own " "directory. Otherwise they could traverse your root file system just like if " "they had a shell in it. You can add the following line in your " "proftpd.conf in your global section to enable this chroot " "feature:" msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:331 #, no-wrap msgid "DefaultRoot ~" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:336 msgid "" "Restart ProFTPd by /etc/init.d/proftpd restart and check whether " "you can escape from your homedir now." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:341 msgid "" "To prevent ProFTPd DoS attacks using ../../.., add the following line in " "/etc/proftpd.conf: DenyFilter \\*.*/" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:351 msgid "" "Always remember that FTP sends login and authentication passwords in clear " "text (this is not an issue if you are providing an anonymous public service) " "and there are better alternatives in Debian for this. For example, " "sftp (provided by ssh). There are also free " "implementations of SSH for other operating systems: " "and for example." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:363 msgid "" "However, if you still maintain the FTP server while making users access " "the system through SSH you might encounter a typical problem. Users who have " "real accounts on an SSH-secured system might try to log in to its anonymous " "FTP server with their real credentials. While the access will be refused, the password will " "nevertheless already have been sent over the network in clear text, where it " "can be sniffed. To avoid that, ProFTPd " "developer TJ Saunders has created a patch that prevents users feeding the " "anonymous FTP server with valid SSH accounts. More information and patch " "available at: . This patch has been reported to Debian too, see " "." msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:364 msgid "Securing access to the X Window System" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:375 msgid "" "Today, X terminals are used by more and more companies where one server is " "needed for a lot of workstations. This can be dangerous, because you need to " "allow the file server to connect to the clients (which are X servers from the X point " "of view: X swaps the usual meaning of client and server). If you follow the " "(very bad) suggestion of many docs, you type xhost + on your " "machine. This allows any X client, from any host, to connect to your display. For slightly " "better security, you can use the command xhost +hostname instead to " "only allow access from specific hosts; bear in mind that this still grants " "access to every user on that host, since the check is host-based, not " "user-based." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:398 msgid "" "A much more secure solution, though, is to use ssh to tunnel X and encrypt " "the whole session. This is done automatically when you ssh to another " "machine. For this to work, you have to configure both the ssh client and the " "ssh server. On the ssh client, ForwardX11 should be set to " "yes in /etc/ssh/ssh_config. Be aware that forwarding X11 exposes " "your local display to the remote machine, so prefer enabling it only for " "hosts you trust rather than globally. On the ssh server, " "X11Forwarding should be set to yes in " "/etc/ssh/sshd_config and the package " "xbase-clients should be installed because the ssh server " "uses /usr/X11R6/bin/xauth (/usr/bin/xauth on " "Debian unstable) when setting up the pseudo X display. In times of SSH, you " "should drop the xhost based access control completely." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:402 msgid "" "For best security, if you do not need X access from other machines, switch " "off the binding on TCP port 6000 simply by typing:" msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:404 #, no-wrap msgid "$ startx -- -nolisten tcp" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:411 msgid "" "This is the default behavior in Xfree 4.1.0 (the Xserver provided in Debian " "3.0 and 3.1). If you are running Xfree 3.3.6 (i.e. you have Debian 2.2 " "installed) you can edit /etc/X11/xinit/xserverrc to have it " "something along the lines of:" msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:414 #, no-wrap msgid "" "#!/bin/sh\n" "exec /usr/bin/X11/X -dpi 100 -nolisten tcp" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:427 msgid "" "If you are using XDM set /etc/X11/xdm/Xservers to: :0 local " "/usr/bin/X11/X vt7 -dpi 100 -nolisten tcp. If you are using Gdm make " "sure that the DisallowTCP=true option is set in the " "/etc/gdm/gdm.conf (which is the default in Debian). This will " "basically append -nolisten tcp to every X command line " "

Gdm will not append -nolisten tcp if it finds " "a -query or -indirect on the command line since the query " "wouldn't work.

." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:431 msgid "" "You can also set the system-wide default so that xscreensaver " "locks the screen. Even though the user can override it, you should edit the " "/etc/X11/app-defaults/XScreenSaver configuration file and " "change the lock line:" msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:433 #, no-wrap msgid "*lock: False" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:435 msgid "(which is the default in Debian) to:" msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:437 #, no-wrap msgid "*lock: True" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:442 msgid "" "FIXME: Add information on how to disable the screensavers which show the " "user desktop (which might have sensitive information)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:448 msgid "" "Read more on X Window security in " "(/usr/share/doc/HOWTO/en-txt/XWindow-User-HOWTO.txt.gz)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:451 msgid "" "FIXME: Add info on thread of debian-security on how to change config files " "of XFree 3.3.6 to do this." msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:452 msgid "Check your display manager" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:458 msgid "" "If you only want to have a display manager installed for local usage (having " "a nice graphical login, that is), make sure the XDMCP (X Display Manager " "Control Protocol) listener is disabled, since otherwise the display manager " "accepts login requests from the network. In XDM you can do this with this line " "in /etc/X11/xdm/xdm-config:" msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:460 #, no-wrap msgid "DisplayManager.requestPort: 0" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:464 msgid "For GDM there should be in your gdm.conf:" msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:467 #, no-wrap msgid "" "[xdmcp]\n" "Enable=false" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:473 msgid "" "Normally, all display managers are configured not to start XDMCP services " "per default in Debian." msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:475 msgid "Securing printing access (the lpd and lprng issue)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:480 msgid "" "Imagine, you arrive at work, and the printer is spitting out endless amounts " "of paper because someone is DoSing your line printer daemon. Nasty, isn't " "it?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:485 msgid "" "In any UNIX printing architecture, there has to be a way to get the client's " "data to the host's print server. In traditional lpr and " "lp, the client command copies or symlinks the data into the " "spool directory (which is why these programs are usually SUID or SGID)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:491 msgid "" "In order to avoid any issues you should keep your printer servers especially " "secure. This means you need to configure your printer service so it will " "only allow connections from a set of trusted servers. In order to do this, " "add the servers you want to allow printing to your " "/etc/hosts.lpd." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:504 msgid "" "However, even if you do this, the lpr daemon accepts incoming " "connections on port 515 of any interface. You should consider firewalling " "connections from networks/hosts which are not allowed printing (the " "lpr daemon cannot be limited to listen only on a given IP " "address)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:511 msgid "" "Lprng should be preferred over lpr since it can be " "configured to do IP access control. And you can specify which interface to " "bind to (although somewhat weirdly)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:518 msgid "" "If you are using a printer on your system, but only locally, you will not " "want to share this service over a network. You can consider using other " "printing systems, like the one provided by cups, or one which is based on user " "permissions on the /dev/lp0 device." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:523 msgid "" "In cups, the print data is transferred to the server via " "the HTTP protocol. This means the client program doesn't need any special " "privileges, but does require that the server is listening on a port " "somewhere." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:527 msgid "" "However, if you want to use cups, but only locally, you can " "configure it to bind to the loopback interface by changing " "/etc/cups/cupsd.conf:" msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:529 #, no-wrap msgid "Listen 127.0.0.1:631" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:538 msgid "" "There are many other security options like allowing or denying networks and " "hosts in this config file. However, if you do not need them you might be " "better off just limiting the listening address. Cups also serves " "documentation through the HTTP port; if you do not want to disclose " "potentially useful information to outside attackers (and the port is open) " "also add:" msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:544 #, no-wrap msgid "" "<Location />\n" " Order Deny,Allow\n" " Deny From All\n" " Allow From 127.0.0.1\n" "</Location>" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:550 msgid "" "This configuration file can be modified to add some more features including " "SSL/TLS certificates and crypto. The manuals are available at " "http://localhost:631/ or at ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:554 msgid "" "FIXME: Add more content (the article on " "provides some very interesting views)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:557 msgid "" "FIXME: Check if PDG is available in Debian, and if so, suggest this as the " "preferred printing system." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:560 msgid "" "FIXME: Check if Farmer/Wietse has a replacement for printer daemon and if " "it's available in Debian." msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:562 msgid "Securing the mail service" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:567 msgid "" "If your server is not a mailing system, you do not really need to have a " "mail daemon listening for incoming connections, but you might want local " "mail delivered in order, for example, to receive mail for the root user from " "any alert systems you have in place." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:571 msgid "" "If you have exim you do not need the daemon to be working in " "order to do this since the standard cron job flushes the mail " "queue. See on how to do this." msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:573 msgid "Configuring a Nullmailer" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:580 msgid "" "You might want to have a local mailer daemon so that it can relay the mails " "sent locally to another system. This is common when you have to administer a " "number of systems and do not want to connect to each of them to read the " "mail sent locally. Just as all logging of each individual system can be " "centralized by using a central syslog server, mail can be sent to a central " "mailserver." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:584 msgid "" "Such a relay-only system should be configured properly for " "this. The daemon could, as well, be configured to only listen on the " "loopback address." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:592 msgid "" "The following configuration steps only need to be taken to configure the " "exim package in the Debian 3.0 release. If you are using " "a later release (such as 3.1 which uses exim4) the " "installation system has been improved so that if the mail transport agent is " "configured to only deliver local mail it will automatically only allow " "connections from the local host and will not permit remote connections." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:594 msgid "" "In a Debian 3.0 system using exim, you will have to " "remove the SMTP daemon from inetd:" msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:596 #, no-wrap msgid "$ update-inetd --disable smtp" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:603 msgid "" "and configure the mailer daemon to only listen on the loopback interface. In " "exim (the default MTA) you can do this by editing the file " "/etc/exim/exim.conf and adding the following line:" msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:605 #, no-wrap msgid "local_interfaces = \"127.0.0.1\"" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:612 msgid "" "Restart both daemons (inetd and exim) and you will have exim listening on " "the 127.0.0.1:25 socket only. Be careful, and first disable inetd, " "otherwise, exim will not start since the inetd daemon is already handling " "incoming connections." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:614 msgid "For postfix edit /etc/postfix/main.cf:" msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:616 #, no-wrap msgid "inet_interfaces = localhost" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:628 msgid "" "If you only want local mail, this approach is better than tcp-wrapping the " "mailer daemon or adding firewalling rules to limit who can access " "it. However, if you do need it to listen on other interfaces, you might " "consider launching it from inetd and adding a tcp wrapper so incoming " "connections are checked against /etc/hosts.allow and " "/etc/hosts.deny. Also, if you set up proper logging for any of the " "methods above, you will be made aware of unauthorized access attempts " "against your mailer daemon." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:631 msgid "" "In any case, to reject mail relay attempts at the SMTP level, you can change " "/etc/exim/exim.conf to include:" msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:633 #, no-wrap msgid "receiver_verify = true" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:640 msgid "" "Even if your mail server will not relay the message, this kind of " "configuration is needed for the relay tester at to determine that your server is " "not relay capable." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:657 msgid "" "If you want a relay-only setup, however, you can consider changing the " "mailer daemon to programs that can only be configured to forward " "the mail to a remote mail server. Debian provides currently both " "ssmtp and nullmailer for this " "purpose. In any case, you can evaluate for yourself any of the mail " "transport agents

To retrieve the list of mailer daemons " "available in Debian try: $ apt-cache search " "mail-transport-agent

The list will not include " "qmail, which is distributed only as source code in the " "qmail-src package.

provided by Debian and " "see which one best suits the system's purposes." msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:659 msgid "Providing secure access to mailboxes" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:673 msgid "" "If you want to give remote access to mailboxes there are a number of POP3 " "and IMAP daemons available.

A list of servers/daemons which " "support these protocols in Debian can be retrieved with: $ " "apt-cache search pop3-server $ apt-cache search " "imap-server

However, if you provide IMAP access, " "note that it is a general file access protocol; it can become the equivalent " "of shell access because users might be able to retrieve any file that they " "have access to through it." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:677 msgid "" "Try, for example, to configure as your inbox path " "{server.com}/etc/passwd; if it succeeds, your IMAP daemon is not " "properly configured to prevent this kind of access." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:686 msgid "" "Of the IMAP servers in Debian the cyrus server (in the " "cyrus-imapd package) gets around this by having all " "access to a database in a restricted part of the file system. Also, " "uw-imapd (either install the uw-imapd or " "better, if your IMAP clients support it, uw-imapd-ssl) " "can be configured to chroot the users' mail directory, but this is not enabled " "by default. The documentation provided gives more information on how to " "configure it." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:697 msgid "" "Also, you might want to run an IMAP server that does not need valid users to " "be created on the local system (which would grant shell access too). " "courier-imap (for IMAP) and " "courier-pop, teapop (for POP3) and " "cyrus-imapd (for both POP3 and IMAP) provide servers with " "authentication methods besides the local user accounts. cyrus " "can use any authentication method that can be configured through PAM, while " "teapop might use databases (such as " "postgresql and mysql) for user " "authentication." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:700 msgid "" "FIXME: Check: uw-imapd might be configured with user " "authentication through PAM too." msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:701 msgid "Receiving mail securely" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:710 msgid "" "Reading/receiving mail is the most common clear-text protocol. If you use " "either POP3 or IMAP to get your mail, you send your clear-text password " "across the net, so almost anyone can read your mail from now on. Instead, " "use SSL (Secure Sockets Layer) to receive your mail. The other alternative " "is SSH, if you have a shell account on the box which acts as your POP or " "IMAP server. Here is a basic fetchmailrc to demonstrate this:" msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:718 #, no-wrap msgid "" "poll my-imap-mailserver.org via \"localhost\"\n" " with proto IMAP port 1236\n" " user \"ref\" there with password \"hackme\" is alex here warnings " "3600\n" " folders\n" " .Mail/debian\n" " preconnect 'ssh -f -P -C -L 1236:my-imap-mailserver.org:143 -l ref\n" " my-imap-mailserver.org sleep 15 </dev/null > /dev/null'" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:725 msgid "" "The preconnect is the important line. It fires up an ssh session and creates " "the necessary tunnel, which automatically forwards connections to localhost " "port 1236 to the IMAP mail server, but encrypted. Another possibility would " "be to use fetchmail with the SSL feature." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:728 msgid "" "If you want to provide encrypted mail services like POP and IMAP, " "apt-get install stunnel and start your daemons this way:" msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:730 #, no-wrap msgid "stunnel -p /etc/ssl/certs/stunnel.pem -d pop3s -l /usr/sbin/popd" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:736 msgid "" "This command wraps the provided daemon (-l) to the port (-d) and uses the " "specified SSL certificate (-p)." msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:738 msgid "Securing BIND" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:742 msgid "" "There are different issues that can be tackled in order to secure the Domain " "server daemon, which are similar to the ones considered when securing any " "given service:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:749 msgid "" "configuring the daemon itself properly so it cannot be misused from the " "outside (see ). This includes limiting possible " "queries from clients: zone transfers and recursive queries." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:754 msgid "" "limit the access of the daemon to the server itself so if it is used to " "break in, the damage to the system is limited. This includes running the " "daemon as a non-privileged user (see ) and chrooting " "it (see )." msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:758 msgid "Bind configuration to avoid misuse" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:770 msgid "" "You should restrict some of the information that is served from the DNS " "server to outside clients so that it cannot be used to retrieve valuable " "information from your organization that you do not want to give away. This " "includes adding the following options: allow-transfer, " "allow-query, allow-recursion and version. You can " "either limit this on the global section (so it applies to all the zones " "served) or on a per-zone basis. This information is documented in the " "bind-doc package, read more on this on " "/usr/share/doc/bind/html/index.html once the package is " "installed." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:777 msgid "" "Imagine that your server is connected to the Internet and to your internal " "(your internal IP is 192.168.1.2) network (a basic multi-homed server), you " "do not want to give any service to the Internet and you just want to enable " "DNS lookups from your internal hosts. You could restrict it by including in " "/etc/bind/named.conf:" msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:786 #, no-wrap msgid "" "options {\n" " allow-query { 192.168.1/24; } ;\n" " allow-transfer { none; } ; \n" " allow-recursion { 192.168.1/24; } ;\n" " listen-on { 192.168.1.2; } ;\n" " forward { only; } ;\n" " forwarders { A.B.C.D; } ;\n" "};" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:798 msgid "" "The listen-on option makes the DNS bind to only the interface that " "has the internal address, but, even if this interface is the same as the " "interface that connects to the Internet (if you are using NAT, for example), " "queries will only be accepted if coming from your internal hosts. If the " "system has multiple interfaces and the listen-on is not present, " "only internal users could query, but, since the port would be accessible to " "outside attackers, they could try to crash the DNS server (or exploit buffer " "overflow attacks against it). You could even make it listen only on 127.0.0.1 " "if you are not giving DNS service to any systems other than yourself." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:808 msgid "" "The version.bind record in the chaos class contains the version of the " "currently running bind process. This information is often used by automated " "scanners and malicious individuals who wish to determine if one's " "bind is vulnerable to a specific attack. By providing false or " "no information in the version.bind record, one limits the probability that " "one's server will be attacked based on its published version. To provide " "your own version, use the version directive in the following " "manner:" msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:801 #, no-wrap msgid "" " options { ... various options here ...\n" "version \"Not available.\"; };" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:813 msgid "" "Changing the version.bind record does not provide actual protection against " "attacks, but it might be considered a useful safeguard." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:818 msgid "A sample named.conf configuration file might be the following:" msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:877 #, no-wrap msgid "" "acl internal {\n" " 127.0.0.1/32; // localhost\n" " 10.0.0.0/8; // internal\n" " aa.bb.cc.dd; // eth0 IP\n" "};\n" "\n" "acl friendly {\n" " ee.ff.gg.hh; // slave DNS\n" " aa.bb.cc.dd; // eth0 IP\n" " 127.0.0.1/32; // localhost\n" " 10.0.0.0/8; // internal\n" "};\n" "\n" "options {\n" " directory \"/var/cache/bind\";\n" " allow-query { internal; };\n" " allow-recursion { internal; };\n" " allow-transfer { none; };\n" "};\n" "// From here to the mysite.bogus zone \n" "// is basically unmodified from the debian default\n" "logging {\n" " category lame-servers { null; };\n" " category cname { null; }; \n" "};\n" "\n" "zone \".\" {\n" " type hint;\n" " file \"/etc/bind/db.root\";\n" "};\n" "\n" "zone \"localhost\" {\n" " type master;\n" " file \"/etc/bind/db.local\";\n" "};\n" "\n" "zone \"127.in-addr.arpa\" {\n" " type master;\n" " file \"/etc/bind/db.127\";\n" "};\n" "\n" "zone \"0.in-addr.arpa\" {\n" " type master;\n" " file \"/etc/bind/db.0\";\n" "};\n" "\n" "zone \"255.in-addr.arpa\" {\n" " type master;\n" " file \"/etc/bind/db.255\";\n" "};\n" "\n" "// zones I added myself\n" "zone \"mysite.bogus\" {\n" " type master;\n" " file \"/etc/bind/named.mysite\";\n" " allow-query { any; };\n" " allow-transfer { friendly; };\n" "};" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:884 msgid "" "Please (again) check the Bug Tracking System regarding Bind, specifically " ". Feel free to contribute to the bug report if you " "think you can add useful information." msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:886 msgid "Changing BIND's user" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:897 msgid "" "Regarding limiting BIND's privileges you must be aware that if a non-root " "user runs BIND, then BIND cannot detect new interfaces automatically, for " "example when you put a PCMCIA card into your laptop. Check the " "README.Debian file in your named documentation " "(/usr/share/doc/bind/README.Debian) directory for more " "information about this issue. There have been many recent security problems " "concerning BIND, so switching the user is useful when possible. We will " "detail here the steps needed in order to do this, however, if you want to do " "this in an automatic way you might try the script provided in ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:904 msgid "" "Notice, in any case, that this only applies to BIND version 8. In the Debian " "packages for BIND version 9 (since the 9.2.1-5 version, available since " "sarge) the bind user is created and used by setting the " "OPTIONS variable in /etc/default/bind9. If you are using BIND " "version 9 and your name server daemon is not running as the bind " "user, verify the settings in that file." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:908 msgid "" "To run BIND under a different user, first create a separate user and group " "for it (it is not a good idea to use nobody or nogroup for every " "service not running as root). In this example, the user and group " "named will be used. You can do this by entering:" msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:912 #, no-wrap msgid "" "addgroup named\n" "adduser --system --home /home/named --no-create-home --ingroup named \\\n" " --disabled-password --disabled-login named" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:916 msgid "" "Notice that the user named will be quite restricted. If you want, " "for whatever reason, to have a less restrictive setup use:" msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:918 #, no-wrap msgid "adduser --system --ingroup named named" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:923 msgid "" "Now you can either edit /etc/init.d/bind with your favorite " "editor and change the line beginning with" msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:925 #, no-wrap msgid "start-stop-daemon --start" msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:931 msgid "" "to

Note that depending on your bind version you might not have " "the -g option, most notably if you are using bind9 in sarge (9.2.4 " "version).

" msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:933 #, no-wrap msgid "" "start-stop-daemon --start --quiet --exec /usr/sbin/named -- -g named -u " "named" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:939 msgid "" "Or you can change (create it if it does not exist) the default configuration " "file (/etc/default/bind for BIND version 8) and introduce the " "following:" msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:941 #, no-wrap msgid "OPTIONS=\"-u named -g named\"" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:946 msgid "" "Change the permissions of files that are used by Bind, including " "/etc/bind/rndc.key:" msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:948 #, no-wrap msgid "-rw-r----- 1 root named 77 Jan 4 01:02 rndc.key" msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:953 msgid "" "and where bind creates its pidfile, using, for example, " "/var/run/named instead of /var/run:" msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:962 #, no-wrap msgid "" "$ mkdir /var/run/named\n" "$ chown named.named /var/run/named\n" "$ vi /etc/named.conf\n" "[ ... update the configuration file to use this new location ...]\n" "options { ...\n" " pid-file \"/var/run/named/named.pid\";\n" "};\n" "[ ... ]" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:967 msgid "" "Also, in order to avoid running anything as root, change the reload " "line in the init.d script by substituting:" msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:970 #, no-wrap msgid "" "reload)\n" " /usr/sbin/ndc reload" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:973 securing-debian-howto.en.sgml:60 en/faq.sgml:299 securing-debian-howto.en.sgml:60 en/faq.sgml:686 msgid "to:" msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:978 #, no-wrap msgid "" "reload)\n" " $0 stop\n" " sleep 1\n" " $0 start" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:984 msgid "" "Note: Depending on your Debian version you might have to change the " "restart line too. This was fixed in Debian's bind version " "1:8.3.1-2." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:988 msgid "" "All you need to do now is to restart bind via /etc/init.d/bind " "restart, and then check your syslog for two entries like this:" msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:992 #, no-wrap msgid "" "Sep 4 15:11:08 nexus named[13439]: group = named\n" "Sep 4 15:11:08 nexus named[13439]: user = named" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1007 msgid "" "Voilà! Your named now does not run as root. If you want to read " "more information on why BIND does not run as non-root user on Debian " "systems, please check the Bug Tracking System regarding Bind, specifically " " and , , , and . Feel free to " "contribute to the bug reports if you think you can add useful information." msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1009 msgid "Chrooting the name server" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1019 msgid "" "To achieve maximum BIND security, now build a chroot jail (see ) around your daemon. There is an easy way to do this: the " "-t option (see the manpage or " "page 100 of ). This will make Bind chroot itself into the given " "directory without you needing to set up a chroot jail and worry about " "dynamic libraries. The only files that need to be in the chroot jail are:" msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1029 #, no-wrap msgid "" "dev/null\n" "etc/bind/ - should hold named.conf and all the server zones\n" "sbin/named-xfer - if you do name transfers\n" "var/run/named/ - should hold the PID and the name server cache (if\n" " any) this directory needs to be writable by named user\n" "var/log/named - if you set up logging to a file, needs to be writable\n" " for the named user\n" "dev/log - syslogd should be listening here if named is configured " "to\n" " log through it" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1039 msgid "" "In order for your Bind daemon to work properly it needs permission in the " "named files. This is an easy task since the configuration files are always " "at /etc/named/. Take into account that it only needs read-only " "access to the zone files, unless it is a secondary or cache name server. If " "this is your case you will have to give read-write permissions to the " "necessary zones (so that zone transfers from the primary server work)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1049 msgid "" "Also, you can find more information regarding Bind chrooting in the (regarding Bind 9) and (regarding Bind 8). These same documents should " "be available through the installation of the " "doc-linux-text (text version) or " "doc-linux-html (HTML version). Another useful document is " "." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1056 msgid "" "If you are setting up a full chroot jail (i.e. not just -t) for " "Bind in Debian, make sure you have the following files in " "it

This setup has not been tested for new release of Bind " "yet.

:" msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1070 #, no-wrap msgid "" "dev/log - syslogd should be listening here\n" "dev/null\n" "etc/bind/named.conf \n" "etc/localtime\n" "etc/group - with only a single line: \"named:x:GID:\"\n" "etc/ld.so.cache - generated with ldconfig \n" "lib/ld-2.3.6.so\n" "lib/libc-2.3.6.so\n" "lib/ld-linux.so.2 - symlinked to ld-2.3.6.so\n" "lib/libc.so.6 - symlinked to libc-2.3.6.so\n" "sbin/ldconfig - may be deleted after setting up the chroot\n" "sbin/named-xfer - if you do name transfers\n" "var/run/" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1075 msgid "" "Also modify syslogd to listen on $CHROOT/dev/log so that " "the named server can write syslog entries into the local system log." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1080 msgid "" "If you want to avoid problems with dynamic libraries, you can compile bind " "statically. You can use apt-get for this, with the " "source option. It can even download the packages you need to " "properly compile it. You would need to do something similar to:" msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1089 #, no-wrap msgid "" "$ apt-get source bind\n" "# apt-get build-dep bind\n" "$ cd bind-8.2.5-2\n" " (edit src/port/linux/Makefile so CFLAGS includes the '-static'\n" " option)\n" "$ dpkg-buildpackage -rfakeroot -uc -us\n" "$ cd ..\n" "# dpkg -i bind-8.2.5-2*deb" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1103 msgid "" "After installation, you will need to move around the files to the chroot " "jail

Unless you use the instdir option when calling " "dpkg but then the chroot jail might be a little more " "complex.

you can keep the init.d scripts in " "/etc/init.d so that the system will automatically start the " "name server, but edit them to add --chroot /location_of_chroot in " "the calls to start-stop-daemon in those scripts or use the " "-t option for BIND by setting it in the OPTIONS argument at the " "/etc/default/bind (for version 8) or " "/etc/default/bind9 (for version 9) configuration file." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1105 msgid "For more information on how to set up chroots see ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1115 msgid "" "FIXME: Merge info from , (Debian-specific), " "and ." msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1117 msgid "Securing Apache" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1121 msgid "" "FIXME: Add content: modules provided with the normal Apache installation " "(under /usr/lib/apache/X.X/mod_*) and modules that can be installed " "separately in libapache-mod-XXX packages." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1128 msgid "" "You can limit access to the Apache server if you only want to use it " "internally (for testing purposes, to access the " "doc-central archive, etc.) and do not want outsiders to " "access it. To do this use the Listen or BindAddress " "directives in /etc/apache/http.conf." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1129 msgid "Using Listen:" msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1131 #, no-wrap msgid "Listen 127.0.0.1:80" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1133 msgid "Using BindAddress:" msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1135 #, no-wrap msgid "BindAddress 127.0.0.1" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1140 msgid "" "Then restart apache with /etc/init.d/apache restart and you will " "see that it is only listening on the loopback interface." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1144 msgid "" "In any case, if you are not using all the functionality provided by Apache, " "you might want to take a look at other web servers provided in Debian like " "dhttpd." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1156 msgid "" "The provides information regarding security " "measures to be taken on Apache web server (this same information is provided " "in Debian by the apache-doc package)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1159 msgid "" "More information on further restricting Apache by setting up a chroot jail " "is provided in ." msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1161 msgid "Disabling users from publishing web contents" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1166 msgid "" "The default Apache installation in Debian permits users to publish content " "under $HOME/public_html. This content can be retrieved " "remotely using a URL such as: http://your_apache_server/~user." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1170 msgid "" "If you do not want to permit this you must change the " "/etc/apache/http.conf configuration file commenting out (in " "Apache 1.3) the following module:" msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1172 #, no-wrap msgid "LoadModule userdir_module /usr/lib/apache/1.3/mod_userdir.so" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1178 msgid "" "If you are using Apache 2.0 you must remove the file " "/etc/apache2/mods-enabled/userdir.load or restrict the default " "configuration by modifying " "/etc/apache2/mods-enabled/userdir.conf." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1182 msgid "" "However, if the module was linked statically (you can list the modules that " "are compiled in by running apache -l), you must add the following to " "the Apache configuration file:" msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1184 #, no-wrap msgid "Userdir disabled" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1191 msgid "" "An attacker might still do user enumeration, since the web server's response " "will be a 403 Permission Denied and not a 404 Not " "available. You can avoid this if you use the Rewrite module." msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1193 msgid "Logfiles permissions" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1202 msgid "" "Apache logfiles, since 1.3.22-1, are owned by user 'root' and group 'adm' " "with permissions 640. These permissions are changed after rotation. An " "intruder that accessed the system through the web server would not be able " "(without privilege escalation) to remove old log file entries." msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1204 msgid "Published web files" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1214 msgid "" "Apache files are located under /var/www. Just after " "installation the default file provides some information on the system " "(mainly that it's a Debian system running Apache). The default webpages are " "owned by user root and group root by default, while the Apache process runs " "as user www-data and group www-data. This should make it harder for attackers " "who compromise the system through the web server to deface the site. You " "should, of course, substitute the default web pages (which might provide " "information you do not want to show to outsiders) with your own." msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1217 msgid "Securing finger" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1221 msgid "" "If you want to run the finger service first ask yourself if you need to do " "so. If you do, you will find out that Debian provides many finger daemons " "(output from apt-cache search fingerd):" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1223 msgid "cfingerd - Configurable finger daemon" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1225 msgid "" "efingerd - Another finger daemon for unix, capable of fine-tuning your " "output." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1226 msgid "ffingerd - a secure finger daemon" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1227 msgid "fingerd - Remote user information server." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1228 msgid "xfingerd - BSD-like finger daemon with qmail support." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1244 msgid "" "ffingerd is the recommended finger daemon if you are " "going to use it for a public service. In any case, when setting it up " "through inetd, xinetd or tcpserver, you are encouraged to: limit the number " "of processes that will be running at the same time, limit access to the " "finger daemon from a given number of hosts (using tcp wrappers) and have " "it listen only on the interface you need it to be on." msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1246 msgid "General chroot and suid paranoia" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1265 msgid "" "chroot is one of the most powerful ways to restrict a " "daemon, a user or another service. Just imagine a jail around your target, " "which the target cannot escape from (normally, but there are still a lot of " "conditions that allow one to escape out of such a jail). If you do not trust " "a user or a service, you can create a modified root environment for " "it. This can use quite a bit of disk space as you need to copy all needed " "executables, as well as libraries, into the jail. But then, even if the user " "does something malicious, the scope of the damage is limited to the jail." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1270 msgid "" "Many services running as daemons could benefit from this sort of " "arrangement. The daemons that you install with your Debian distribution will " "not come, however, chrooted

It does try to run them under " "minimum privilege, which includes running daemons with their own " "users instead of having them run as root.

per default." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1279 msgid "" "This includes: name servers (such as bind), web servers (such " "as apache), mail servers (such as sendmail) and " "ftp servers (such as wu-ftpd). It is probably fair to say that " "the complexity of BIND is the reason why it has been exposed to a lot of " "attacks in recent years (see )." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1282 msgid "" "However, Debian does provide some software that can help set up " "chroot environments. See ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1285 msgid "" "Anyway, if you run any service on your system, you should consider running " "them as secure as possible. This includes: revoking root privileges, running " "in a restricted environment (such as a chroot jail) or replacing them with a " "more secure equivalent." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1299 msgid "" "However, be forewarned that a chroot jail can be broken if the " "user running in it is the superuser. So, you need to make the service run as " "a non-privileged user. By limiting its environment you are limiting the " "world readable/executable files the service can access, thus, you limit the " "possibilities of a privilege escalation by use of local system security " "vulnerabilities. Even in this situation you cannot be completely sure that " "there is no way for a clever attacker to somehow break out of the " "jail. Using only server programs which have a reputation for being secure is " "a good additional safety measure. Even minuscule holes like open file " "handles can be used by a skilled attacker for breaking into the " "system. After all, chroot was not designed as a security tool " "but as a testing tool." msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1303 msgid "Making chrooted environments automatically" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1312 msgid "" "There are several programs to automatically chroot servers and " "services. Debian currently (accepted in May 2002) provides Wietse Venema's " "chrootuid in the chrootuid package, as well " "as compartment and makejail. These " "programs can be used to set up a restricted environment for executing any " "program (chrootuid enables you to even run it as a restricted " "user)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1331 msgid "" "Some of these tools can be used to set up the chroot environment easily. The " "makejail program for example, can create and update a chroot " "jail with short configuration files (it provides sample configuration files " "for bind, apache, postgresql and " "mysql). It attempts to guess and install into the jail all " "files required by the daemon using strace, stat " "and Debian's package dependencies. More information at . Jailer is a similar tool " "which can be retrieved from and is also available as a " "Debian package." msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1332 msgid "General cleartext password paranoia" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1337 msgid "" "You should try to avoid any network service which sends and receives " "passwords in cleartext over a net like FTP/Telnet/NIS/RPC. The author " "recommends the use of ssh instead of telnet and ftp to everybody." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1344 msgid "" "Keep in mind that migrating from telnet to ssh, but using other cleartext " "protocols does not increase your security in ANY way! Best would be to " "remove ftp, telnet, pop, imap, http and to supersede them with their " "respective encrypted services. You should consider moving from these " "services to their SSL versions, ftp-ssl, telnet-ssl, pop-ssl, https ..." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1348 msgid "" "Most of these above listed hints apply to every Unix system (you will find " "them if reading any other hardening-related document related to Linux and " "other Unices)." msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1350 msgid "Disabling NIS" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1354 msgid "" "You should not use NIS, the Network Information Service, if possible, " "because it allows password sharing. This can be highly insecure if your " "setup is broken." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1362 msgid "" "If you need password sharing between machines, you might want to consider " "using other alternatives. For example, you can setup an LDAP server and " "configure PAM on your system in order to contact the LDAP server for user " "authentication. You can find a detailed setup in the " "(/usr/share/doc/HOWTO/en-txt/LDAP-HOWTO.txt.gz)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1367 msgid "" "You can read more about NIS security in the " "(/usr/share/doc/HOWTO/en-txt/NIS-HOWTO.txt.gz)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1370 msgid "FIXME (jfs): Add info on how to set this up in Debian." msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1372 msgid "Securing RPC services" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1374 msgid "You should disable RPC if you do not need it." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1380 msgid "" "Remote Procedure Call (RPC) is a protocol that programs can use to request " "services from other programs located on different computers. The " "portmap service controls RPC services by mapping RPC program " "numbers into DARPA protocol port numbers; it must be running in order to " "make RPC calls." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1386 msgid "" "RPC-based services have had a bad record of security holes, although the " "portmapper itself hasn't (but still provides information to a remote " "attacker). Notice that some of the DDoS (distributed denial of service) " "attacks use RPC exploits to get into the system and act as a so called " "agent/handler." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1393 msgid "" "You only need RPC if you are using an RPC-based service. The most common " "RPC-based services are NFS (Network File System) and NIS (Network " "Information System). See the previous section for more information about " "NIS. The File Alteration Monitor (FAM) provided by the package " "fam is also an RPC service, and thus depends on " "portmap." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1400 msgid "" "NFS services are quite important in some networks. If that is the case for " "you, then you will need to find a balance of security and usability for your " "network (you can read more about NFS security in the " "(/usr/share/doc/HOWTO/en-txt/NFS-HOWTO.txt.gz))." msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1402 msgid "Disabling RPC services completely" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1410 msgid "" "Disabling portmap is quite simple. There are several different methods. The " "simplest one in a Debian 3.0 system and later releases is to uninstall the " "portmap package. If you are running an older Debian " "version you will have to disable the service as seen in , because the program is part of the " "netbase package (which cannot be de-installed without " "breaking the system)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1415 msgid "" "Notice that some desktop environments (notably, GNOME) use RPC services and " "need the portmapper for some of the file management features. If this is " "your case, you can limit the access to RPC services as described below." msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1417 msgid "Limiting access to RPC services" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1423 msgid "" "Unfortunately, in some cases removing RPC services from the system is not an " "option. Some local desktop services (notably SGI's fam) " "are RPC based and thus need a local portmapper. This means that under some " "situations, users installing a desktop environment (like GNOME) will install " "the portmapper too." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1426 msgid "" "There are several ways to limit access to the portmapper and to RPC " "services:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1429 msgid "" "Block access to the ports used by these services with a local firewall (see " ")." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1434 msgid "" "Block access to these services using tcp wrappers, since the portmapper (and " "some RPC services) are compiled with libwrap (see ). This means that you can block access to them through " "the hosts.allow and hosts.deny tcp wrappers " "configuration." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1441 msgid "" "Since version 5-5, the portmap package can be configured " "to listen only on the loopback interface. To do this, modify " "/etc/default/portmap, uncomment the following line: " "#OPTIONS=\"-i 127.0.0.1\" and restart the portmapper. This is " "sufficient to allow local RPC services to work while at the same time " "prevents remote systems from accessing them (see, however, )." msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1445 msgid "Adding firewall capabilities" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1460 msgid "" "The Debian GNU/Linux operating system has the built-in capabilities provided " "by the Linux kernel

. If you install a recent " "Debian release (default kernel installed is 2.6) you will have " "iptables (netfilter) firewalling " "available

Available since the kernel version 2.4 (which was the " "default kernel in Debian 3.0). Previous kernel versions (2.2, available in " "even older Debian releases) used ipchains. The main difference " "between ipchains and iptables is that the latter " "is based on stateful packet inspection which provides for more " "secure (and easier to build) filtering configurations. Older (and now " "unsupported) Debian distributions using the 2.0 kernel series needed the " "appropriate kernel patch.

." msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1462 msgid "Firewalling the local system" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1468 msgid "" "You can use firewall rules as a way to secure the access to your local " "system and, even, to limit the outbound communications made by it. Firewall " "rules can also be used to protect processes that cannot be properly " "configured not to provide services to some networks, IP addresses, " "etc." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1479 msgid "" "However, this step is presented last in this manual basically because it is " "much better not to depend solely on firewalling capabilities in " "order to protect a given system. Security in a system is made up of layers, " "firewalling should be the last to include, once all services have been " "hardened. You can easily imagine a setup in which the system is solely " "protected by a built-in firewall and an administrator blissfully removes the " "firewall rules for whatever reason (problems with the setup, annoyance, " "human error...), this system would be wide open to an attack if there were " "no other hardening in the system to protect from it." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1490 msgid "" "On the other hand, having firewall rules on the local system also prevents " "some bad things from happening. Even if the services provided are configured " "securely, a firewall can protect from misconfigurations or from freshly " "installed services that have not yet been properly configured. Also, a tight " "configuration will prevent trojans calling home from working unless " "the firewalling code is removed. Note that an intruder does not " "need superuser access to install a trojan locally that could be remotely " "controlled (since binding on ports is allowed if they are not privileged " "ports and capabilities have not been removed)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1493 msgid "" "Thus, a proper firewall setup would be one with a default deny policy, that " "is:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1498 msgid "incoming connections are allowed only to local services by allowed machines." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1506 msgid "" "outgoing connections are only allowed to services used by your system (DNS, " "web browsing, POP, email...).

Unlike personal firewalls in other " "operating systems, Debian GNU/Linux does not (yet) provide firewall " "generation interfaces that can make rules limiting them per process or " "user. However, the iptables code can be configured to do this (see the owner " "module in the " "manpage).

" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1509 msgid "" "the forward rule denies everything (unless you are protecting other systems, " "see below)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1511 msgid "all other incoming or outgoing connections are denied." msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1515 msgid "Using a firewall to protect other systems" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1526 msgid "" "A Debian firewall can also be installed in order to protect, with filtering " "rules, access to systems behind it, limiting their exposure to the " "Internet. A firewall can be configured to prevent access from systems " "outside of the local network to internal services (ports) that are not " "public. For example, on a mail server, only port 25 (where the mail service " "is being given) needs to be accessible from the outside. A firewall can be " "configured to, even if there are other network services besides the public " "ones running in the mail server, throw away packets (this is known as " "filtering) directed towards them." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1535 msgid "" "You can even set up a Debian GNU/Linux box as a bridge firewall, i.e. a " "filtering firewall completely transparent to the network that lacks an IP " "address and thus cannot be attacked directly. Depending on the kernel you " "have installed, you might need to install the bridge firewall patch and then " "go to 802.1d Ethernet Bridging when configuring the kernel and a " "new option netfilter ( firewalling ) support. See the for more information on how to set this up in a Debian " "GNU/Linux system." msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1537 msgid "Setting up a firewall" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1543 msgid "" "The default Debian installation, unlike other Linux distributions, does not " "yet provide a way for the administrator to setup a firewall configuration " "throughout the default installation but you can install a number of firewall " "configuration packages (see )." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1551 msgid "" "Of course, the configuration of the firewall is always system and network " "dependent. An administrator must know beforehand what the network layout " "and the systems he wants to protect are, the services that need to be accessed, " "and whether or not other network considerations (like NAT or routing) need " "to be taken into account. Be careful when configuring your firewall, as " "Laurence J. Lane says in the iptables package:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1558 msgid "" "The tools can easily be misused, causing enormous amounts of grief by " "completely crippling network access to a system. It is not terribly uncommon " "for a remote system administrator to accidentally lock himself out of a " "system hundreds or thousands of miles away. One can even manage to lock " "himself out of a computer whose keyboard is under his fingers. Please, use " "due caution." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1563 msgid "" "Remember this: just installing the iptables (or the older " "firewalling code) does not give you any protection, just provides the " "software. In order to have a firewall you need to configure it!" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1568 msgid "" "If you do not have a clue on how to set up your firewall rules manually " "consult the Packet Filtering HOWTO and NAT HOWTO provided " "by iptables for offline reading at " "/usr/share/doc/iptables/html/." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1579 msgid "" "If you do not know much about firewalling you should start by reading the " ", install the doc-linux-text " "package if you want to read it offline. If you want to ask questions or need " "help setting up a firewall you can use the debian-firewall mailing list, see " ". Also see for more (general) pointers on firewalls. Another good " "iptables tutorial is ." msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1581 msgid "Using firewall packages" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1589 msgid "" "Setting up a firewall manually can be complicated for novice (and sometimes " "even expert) administrators. However, the free software community has " "created a number of tools that can be used to easily configure a local " "firewall. Be forewarned that some of these tools are oriented more towards " "local-only protection (also known as personal firewall) and some " "are more versatile and can be used to configure complex rules to protect " "whole networks." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1592 msgid "" "Some software that can be used to set up firewall rules in a Debian system " "is:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1595 msgid "For desktop systems:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1600 msgid "" "firestarter, a GNOME application oriented towards " "end-users that includes a wizard useful to quickly setup firewall rules. The " "application includes a GUI to be able to monitor when a firewall rule blocks " "traffic." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1602 msgid "" "guarddog, a KDE based firewall configuration package " "oriented both to novice and advanced users." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1605 msgid "" "knetfilter, a KDE GUI to manage firewall and NAT rules " "for iptables (alternative/competitor to the guarddog tool although slightly " "oriented towards advanced users)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1612 msgid "" "fireflier, an interactive tool to create iptables rules based on traffic " "seen on the system and applications. It has a server-client model so you " "have to install both the server (fireflier-server) and " "one of the available clients, with one client available for different " "desktop environments: fireflier-client-gtk (Gtk+ client), " "fireflier-client-kde (KDE client) and " "fireflier-client-qt (QT client)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1616 msgid "For servers (headless) systems:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1623 msgid "" "fwbuilder, an object oriented GUI which includes policy " "compilers for various firewall platforms including Linux' netfilter, BSD's " "pf (used in OpenBSD, NetBSD, FreeBSD and MacOS X) as well as router's " "access-lists. It is similar to enterprise firewall management " "software. Complete fwbuilder's functionality is also available from the " "command line." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1628 msgid "" "shorewall, a firewall configuration tool which provides " "support for IPsec as well as limited support for traffic shaping as well as " "the definition of the firewall rules. Configuration is done through a simple " "set of files that are used to generate the iptables rules." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1633 msgid "" "bastille, this hardening application is described in . One of the hardening steps that the administrator " "can configure is a definition of the allowed and disallowed network traffic " "that is used to generate a set of firewall rules that the system will " "execute on startup." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1641 msgid "" "Lots of other iptables frontends come with Debian; an extensive list " "comparing the different packages in Debian is maintained at the ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1650 msgid "" "Notice that some of the packages outlined previously will introduce " "firewalling scripts to be run when the system boots. Test them extensively " "before rebooting or you might find yourself locked from the box. If you mix " "different firewalling packages you can have undesired effects, usually, the " "firewalling script that runs last will be the one that configures the system " "(which might not be what you intend). Consult the package documentation and " "use either one of these setups." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1660 msgid "" "As mentioned before, some programs, like firestarter, " "guarddog and knetfilter, are " "administration GUIs using either GNOME or KDE (last two). These applications " "are much more user-oriented (i.e. for home users) than some of the other " "packages in the list which might be more administrator-oriented. Some of the " "programs mentioned before (like bastille) are focused at " "setting up firewall rules to protect the host they run in but are not " "necessarily designed to setup firewall rules for firewall hosts that protect " "a network (like shorewall or fwbuilder)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1682 msgid "" "There is yet another type of firewall application: application proxies. If " "you are looking into setting up an enterprise-level firewall that does " "packet filtering and provides a number of transparent proxies that can do " "fine-grain traffic analysis you should consider using " "zorp, which provides this in a single program. You can " "also manually setup this type of firewall host using the proxies available " "in Debian for different services like for DNS using bind " "(properly configured), dnsmasq, pdnsd " "or totd for FTP using frox or " "ftp-proxy, for X11 using xfwp, for " "IMAP using imapproxy, for mail using " "smtpd, or for POP3 using p3scan. For " "other protocols you can either use a generic TCP proxy like " "simpleproxy or a generic SOCKS proxy like " "dante-server, tsocks or " "socks4-server. Typically, you will also use a web caching " "system (like squid) and a web filtering system (like " "squidguard or dansguardian)." msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1683 msgid "Manual init.d configuration" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1687 msgid "" "Another possibility is to manually configure your firewall rules through an " "init.d script that will run all the iptables commands. Take the " "following steps:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1690 msgid "Review the script below and adapt it to your needs." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1698 msgid "" "Test the script and review the syslog messages to see which traffic is being " "dropped. If you are testing from the network you will want to either run the " "sample shell snippet to remove the firewall (if you don't type anything in " "20 seconds) or you might want to comment out the default deny " "policy definitions (-P INPUT DROP and -P OUTPUT DROP) and " "check that the system will not drop any legitimate traffic." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1700 msgid "Move the script to /etc/init.d/myfirewall" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1702 msgid "Configure the system to run the script before any network is configured:" msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1704 #, no-wrap msgid "#update-rc.d myfirewall start 40 S . stop 89 0 6 ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1710 msgid "This is the sample firewall script:" msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1859 #, no-wrap msgid "" "#!/bin/sh\n" "# Simple example firewall configuration.\n" "#\n" "# Caveats:\n" "# - This configuration applies to all network interfaces\n" "# if you want to restrict this to only a given interface use\n" "# '-i INTERFACE' in the iptables calls.\n" "# - Remote access for TCP/UDP services is granted to any host, \n" "# you probably will want to restrict this using '--source'.\n" "#\n" "# chkconfig: 2345 9 91\n" "# description: Activates/Deactivates the firewall at boot time\n" "#\n" "# You can test this script before applying with the following shell\n" "# snippet, if you do not type anything in 10 seconds the firewall\n" "# rules will be cleared.\n" "#---------------------------------------------------------------\n" "# while true; do test=\"\"; read -t 20 -p \"OK? \" test ; \\\n" "# [ -z \"$test\" ] && /etc/init.d/myfirewall clear ; done\n" "#---------------------------------------------------------------\n" "\n" "PATH=/bin:/sbin:/usr/bin:/usr/sbin\n" "\n" "# Services that the system will offer to the network\n" "TCP_SERVICES=\"22\" # SSH only\n" "UDP_SERVICES=\"\"\n" "# Services the system will use from the network\n" "REMOTE_TCP_SERVICES=\"80\" # web browsing\n" "REMOTE_UDP_SERVICES=\"53\" # DNS\n" "# Network that will be used for remote mgmt\n" "# (if undefined, no rules will be setup)\n" "# NETWORK_MGMT=192.168.0.0/24\n" "# Port used for the SSH service, define this is you have setup a\n" "# management network but remove it from TCP_SERVICES\n" "# SSH_PORT=\"22\"\n" "\n" "if ! 
[ -x /sbin/iptables ]; then \n" " exit 0\n" "fi\n" "\n" "fw_start () {\n" "\n" " # Input traffic:\n" " /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n" " # Services\n" " if [ -n \"$TCP_SERVICES\" ] ; then\n" " for PORT in $TCP_SERVICES; do\n" " /sbin/iptables -A INPUT -p tcp --dport ${PORT} -j ACCEPT\n" " done\n" " fi\n" " if [ -n \"$UDP_SERVICES\" ] ; then\n" " for PORT in $UDP_SERVICES; do\n" " /sbin/iptables -A INPUT -p udp --dport ${PORT} -j ACCEPT\n" " done\n" " fi\n" " # Remote management\n" " if [ -n \"$NETWORK_MGMT\" ] ; then\n" " /sbin/iptables -A INPUT -p tcp --src ${NETWORK_MGMT} --dport ${SSH_PORT} " "-j ACCEPT\n" " else \n" " /sbin/iptables -A INPUT -p tcp --dport ${SSH_PORT} -j ACCEPT\n" " fi\n" " # Remote testing\n" " /sbin/iptables -A INPUT -p icmp -j ACCEPT\n" " /sbin/iptables -A INPUT -i lo -j ACCEPT\n" " /sbin/iptables -P INPUT DROP\n" " /sbin/iptables -A INPUT -j LOG\n" "\n" " # Output:\n" " /sbin/iptables -A OUTPUT -j ACCEPT -o lo \n" " /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n" " # ICMP is permitted:\n" " /sbin/iptables -A OUTPUT -p icmp -j ACCEPT\n" " # So are security package updates:\n" " # Note: You can hardcode the IP address here to prevent DNS spoofing\n" " # and to setup the rules even if DNS does not work but then you \n" " # will not \"see\" IP changes for this service:\n" " /sbin/iptables -A OUTPUT -p tcp -d security.debian.org --dport 80 -j " "ACCEPT \n" " # As well as the services we have defined:\n" " if [ -n \"$REMOTE_TCP_SERVICES\" ] ; then\n" " for PORT in $REMOTE_TCP_SERVICES; do\n" " /sbin/iptables -A OUTPUT -p tcp --dport ${PORT} -j ACCEPT\n" " done\n" " fi\n" " if [ -n \"$REMOTE_UDP_SERVICES\" ] ; then\n" " for PORT in $REMOTE_UDP_SERVICES; do\n" " /sbin/iptables -A OUTPUT -p udp --dport ${PORT} -j ACCEPT\n" " done\n" " fi\n" " # All other connections are registered in syslog\n" " /sbin/iptables -A OUTPUT -j LOG\n" " /sbin/iptables -A OUTPUT -j REJECT \n" " 
/sbin/iptables -P OUTPUT DROP\n" " # Other network protections\n" " # (some will only work with some kernel versions)\n" " echo 1 > /proc/sys/net/ipv4/tcp_syncookies\n" " echo 0 > /proc/sys/net/ipv4/ip_forward \n" " echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts \n" " echo 1 > /proc/sys/net/ipv4/conf/all/log_martians \n" " echo 1 > /proc/sys/net/ipv4/ip_always_defrag\n" " echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses\n" " echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter\n" " echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects\n" " echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route\n" "\n" "}\n" "\n" "fw_stop () {\n" " /sbin/iptables -F\n" " /sbin/iptables -t nat -F\n" " /sbin/iptables -t mangle -F\n" " /sbin/iptables -P INPUT DROP\n" " /sbin/iptables -P FORWARD DROP\n" " /sbin/iptables -P OUTPUT ACCEPT\n" "}\n" "\n" "fw_clear () {\n" " /sbin/iptables -F\n" " /sbin/iptables -t nat -F\n" " /sbin/iptables -t mangle -F\n" " /sbin/iptables -P INPUT ACCEPT\n" " /sbin/iptables -P FORWARD ACCEPT\n" " /sbin/iptables -P OUTPUT ACCEPT\n" "}\n" "\n" "\n" "case \"$1\" in\n" " start|restart)\n" " echo -n \"Starting firewall..\"\n" " fw_stop \n" " fw_start\n" " echo \"done.\"\n" " ;;\n" " stop)\n" " echo -n \"Stopping firewall..\"\n" " fw_stop\n" " echo \"done.\"\n" " ;;\n" " clear)\n" " echo -n \"Clearing firewall rules..\"\n" " fw_clear\n" " echo \"done.\"\n" " ;;\n" " *)\n" " echo \"Usage: $0 {start|stop|restart|clear}\"\n" " exit 1\n" " ;;\n" " esac\n" "exit 0" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1867 msgid "" "Instead of including all of the iptables rules in the init.d script you can " "use the iptables-restore program to restore the rules saved " "using iptables-save. In order to do this you need to setup your " "rules, save the ruleset under a static location (such as " "/etc/default/firewall)" msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1869 msgid "Configuring firewall rules through ifup" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1873 msgid "" "You can use also the network configuration in " "/etc/network/interfaces to setup your firewall rules. For this " "you will need to:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1876 msgid "Create your firewalling ruleset for when the interface is active." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1879 msgid "" "Save your ruleset with iptables-save to a file in " "/etc, for example /etc/iptables.up.rules" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1882 msgid "" "Configure /etc/network/interfaces to use the configured " "ruleset:" msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1887 #, no-wrap msgid "" "iface eth0 inet static\n" " address x.x.x.x\n" " [.. interface configuration ..]\n" " pre-up iptables-restore < /etc/iptables.up.rules" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1896 msgid "" "You can optionally also setup a set of rules to be applied when the network " "interface is down creating a set of rules, saving it in " "/etc/iptables.down.rules and adding this directive to the " "interface configuration:" msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1898 #, no-wrap msgid " post-down iptables-restore < /etc/iptables.down.rules" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1906 msgid "" "For more advanced firewall configuration scripts through " "ifupdown you can use the hooks available to each " "interface as in the *.d/ directories called with " "run-parts (see )." msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1908 msgid "Testing your firewall configuration" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1914 msgid "" "Testing your firewall configuration is as easy, and as dangerous, as just " "running your firewall script (or enabling the configuration you defined in " "your firewall configuration application). However, if you are not careful " "enough and you are configuring your firewall remotely (like through an SSH " "connection) you could lock yourself out." msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1918 msgid "" "There are several ways to prevent this. One is running a script in a " "separate terminal that will remove the firewall configuration if you don't " "feed it input. An example of this is:" msgstr "" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1921 #, no-wrap msgid "" "$ while true; do test=\"\"; read -t 20 -p \"OK? \" test ; \\\n" " [ -z \"$test\" ] && /etc/init.d/firewall clear ; done" msgstr "" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1932 msgid "" "Another one is to introduce a backdoor in your system through an alternate " "mechanism that allows you to either clear the firewall system or punch a " "hole in it if something goes awry. For this you can use " "knockd and configure it so that a certain port connection " "attempt sequence will clear the firewall (or add a temporary rule). Even " "though the packets will be dropped by the firewall, since " "knockd binds to the interface and sees you will be " "able to work around the problem." msgstr "" #. type:

#: securing-debian-howto.en.sgml:54 en/automatic.sgml:3 msgid "" "Testing a firewall that is protecting an internal network is a different " "issue; you will want to look at some of the tools used for remote " "vulnerability assessment (see ) to probe the network " "from the outside in (or from any other direction) to test the effectiveness " "of the firewall configuration." msgstr "" #. type: #: securing-debian-howto.en.sgml:54 en/automatic.sgml:5 msgid "Automatic hardening of Debian systems" msgstr "" #. type:

#: securing-debian-howto.en.sgml:54 en/automatic.sgml:17 msgid "" "After reading through all the information in the previous chapters you might " "be wondering \"I have to do quite a lot of things in order to harden my " "system, couldn't these things be automated?\". The answer is yes, but be " "careful with automated tools. Some people believe that a hardening tool " "does not eliminate the need for good administration. So do not be fooled " "into thinking that you can automate the whole process and that it will fix all the related " "issues. Security is an ever-ongoing process in which the administrator must " "participate and cannot just stand away and let the tools do all the work " "since no single tool can cope with all the possible security policy " "implementations, all the attacks and all the environments." msgstr "" #. type:

#: securing-debian-howto.en.sgml:54 en/automatic.sgml:27 msgid "" "Since woody (Debian 3.0) there are two specific packages that are useful for " "security hardening. The harden package which takes an " "approach based on the package dependencies to quickly install valuable " "security packages and remove those with flaws, configuration of the packages " "must be done by the administrator. The bastille package " "that implements a given security policy on the local system based on " "previous configuration by the administrator (the building of the " "configuration can be a guided process done with simple yes/no questions)." msgstr "" #. type: #: securing-debian-howto.en.sgml:54 en/automatic.sgml:29 msgid "Harden" msgstr "" #. type:

#: securing-debian-howto.en.sgml:54 en/automatic.sgml:40 msgid "" "The harden package tries to make it easier to install " "and administer hosts that need good security. This package should be used by " "people that want some quick help to enhance the security of the system. It " "automatically installs some tools that should enhance security in some way: " "intrusion detection tools, security analysis tools, etc. Harden installs the " "following virtual packages (i.e. no contents, just dependencies or " "recommendations on others):" msgstr "" #. type:

#: securing-debian-howto.en.sgml:54 en/automatic.sgml:45 msgid "" "harden-tools: tools to enhance system security (integrity " "checkers, intrusion detection, kernel patches...)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:54 en/automatic.sgml:48 msgid "" "harden-environment: helps configure a hardened " "environment (currently empty)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:54 en/automatic.sgml:51 msgid "" "harden-servers: removes servers considered insecure for " "some reason." msgstr "" #. type:

#: securing-debian-howto.en.sgml:54 en/automatic.sgml:54 msgid "" "harden-clients: removes clients considered insecure for " "some reason." msgstr "" #. type:

#: securing-debian-howto.en.sgml:54 en/automatic.sgml:57 msgid "harden-remoteaudit: tools to remotely audit a system." msgstr "" #. type:

#: securing-debian-howto.en.sgml:54 en/automatic.sgml:60 msgid "" "harden-nids: helps to install a network intrusion " "detection system." msgstr "" #. type:

#: securing-debian-howto.en.sgml:54 en/automatic.sgml:63 msgid "" "harden-surveillance: helps to install tools for " "monitoring of networks and services." msgstr "" #. type: #: securing-debian-howto.en.sgml:54 en/automatic.sgml:67 msgid "Useful packages which are not a dependence:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:54 en/automatic.sgml:70 msgid "" "harden-doc: provides this same manual and other " "security-related documentation packages." msgstr "" #. type:

#: securing-debian-howto.en.sgml:54 en/automatic.sgml:72 msgid "" "harden-development: development tools for creating more " "secure programs." msgstr "" #. type:

#: securing-debian-howto.en.sgml:54 en/automatic.sgml:86 msgid "" "Be careful because if you have software you need (and which you do not wish " "to uninstall for some reason) and it conflicts with some of the packages " "above you might not be able to fully use harden. The " "harden packages do not (directly) do a thing. They do have, however, " "intentional package conflicts with known non-secure packages. This way, the " "Debian packaging system will not approve the installation of these " "packages. For example, when you try to install a telnet daemon with " "harden-servers, apt will say:" msgstr "" #. type: #: securing-debian-howto.en.sgml:54 en/automatic.sgml:93 #, no-wrap msgid "" "# apt-get install telnetd \n" "The following packages will be REMOVED:\n" " harden-servers\n" "The following NEW packages will be installed:\n" " telnetd \n" "Do you want to continue? [Y/n]" msgstr "" #. type:

#: securing-debian-howto.en.sgml:54 en/automatic.sgml:99 msgid "" "This should set off some warnings in the administrator's head, who should " "reconsider his actions." msgstr "" #. type: #: securing-debian-howto.en.sgml:54 en/automatic.sgml:101 msgid "Bastille Linux" msgstr "" #. type:

#: securing-debian-howto.en.sgml:54 en/automatic.sgml:107 msgid "" " is an " "automatic hardening tool originally oriented towards the RedHat and Mandrake " "Linux distributions. However, the bastille package " "provided in Debian (since woody) is patched in order to provide the same " "functionality for the Debian GNU/Linux system." msgstr "" #. type:

#: securing-debian-howto.en.sgml:54 en/automatic.sgml:111 msgid "" "Bastille can be used with different frontends (all are documented in their " "own manpage in the Debian package) which enables the administrator to:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:54 en/automatic.sgml:116 msgid "" "Answer questions step by step regarding the desired security of your system " "(using )." msgstr "" #. type:

#: securing-debian-howto.en.sgml:54 en/automatic.sgml:121 msgid "" "Use a default setting for security (amongst three: Lax, Moderate or " "Paranoia) in a given setup (server or workstation) and let Bastille decide " "which security policy to implement (using )." msgstr "" #. type:

#: securing-debian-howto.en.sgml:54 en/automatic.sgml:125 msgid "" "Take a predefined configuration file (could be provided by Bastille or made " "by the administrator) and implement a given security policy (using )." msgstr "" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:5 msgid "Debian Security Infrastructure" msgstr "" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:7 msgid "The Debian Security Team" msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:13 msgid "" "Debian has a Security Team, that handles security in the stable " "distribution. Handling security means they keep track of vulnerabilities " "that arise in software (watching forums such as Bugtraq, or vuln-dev) and " "determine if the stable distribution is affected by it." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:21 msgid "" "Also, the Debian Security Team is the contact point for problems that are " "coordinated by upstream developers or organizations such as which might affect multiple " "vendors. That is, when problems are not Debian-specific. The contact point " "of the Security Team is which only the members of the security " "team read." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:25 msgid "" "Sensitive information should be sent to the first address and, in some " "cases, should be encrypted with the Debian Security Contact key (as found in " "the Debian keyring)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:38 msgid "" "Once a probable problem is received by the Security Team it will investigate " "if the stable distribution is affected and if it is, a fix is made " "for the source code base. This fix will sometimes include backporting the " "patch made upstream (which usually is some versions ahead of the one " "distributed by Debian). After testing of the fix is done, new packages are " "prepared and published in the site " "so they can be retrieved through apt (see ). At the same time a Debian Security " "Advisory (DSA) is published on the web site and sent to public mailing " "lists including and Bugtraq." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:42 msgid "" "Some other frequently asked questions on the Debian Security Team can be " "found at ." msgstr "" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:44 msgid "Debian Security Advisories" msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:50 msgid "" "Debian Security Advisories (DSAs) are made whenever a security vulnerability " "is discovered that affects a Debian package. These advisories, signed by one " "of the Security Team members, include information of the versions affected " "as well as the location of the updates. This information is:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:52 msgid "version number for the fix." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:53 msgid "problem type." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:54 msgid "whether it is remote or locally exploitable." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:55 msgid "short description of the package." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:56 msgid "description of the problem." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:57 msgid "description of the exploit." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:58 msgid "description of the fix." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:68 msgid "" "DSAs are published both on and in the . Usually this does not happen until the website is rebuilt (every " "four hours) so they might not be present immediately. The preferred channel " "is the debian-security-announce mailing list." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:76 msgid "" "Interested users can, however (and this is done in some Debian-related " "portals) use the RDF channel to download automatically the DSAs to their " "desktop. Some applications, such as Evolution (an email client " "and personal information assistant) and Multiticker (a GNOME " "applet), can be used to retrieve the advisories automatically. The RDF " "channel is available at ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:83 msgid "" "DSAs published on the website might be updated after being sent to the " "public mailing lists. A common update is adding cross references to security " "vulnerability databases. Also, translations

Translations are " "available in up to ten different languages.

of DSAs are not " "sent to the security mailing lists but are directly included in the website." msgstr "" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:85 msgid "Vulnerability cross references" msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:93 msgid "" "Debian provides a fully including all the references available for all the advisories " "published since 1998. This table is provided to complement the ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:102 msgid "" "You will notice that this table provides references to security databases " "such as , and as well as CVE names (see below). These references are provided " "for convenience use, but only CVE references are periodically reviewed and " "included." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:105 msgid "Advantages of adding cross references to these vulnerability databases are:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:109 msgid "" "it makes it easier for Debian users to see and track which general " "(published) advisories have already been covered by Debian." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:112 msgid "" "system administrators can learn more about the vulnerability and its impact " "by following the cross references." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:116 msgid "" "this information can be used to cross-check output from vulnerability " "scanners that include references to CVE to remove false positives (see )." msgstr "" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:121 msgid "CVE compatibility" msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:128 msgid "" "Debian Security Advisories were

The full is available at CVE

in " "February 24, 2004." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:136 msgid "" "Debian developers understand the need to provide accurate and up to date " "information of the security status of the Debian distribution, allowing " "users to manage the risk associated with new security vulnerabilities. CVE " "enables us to provide standardized references that allow users to develop a " "." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:141 msgid "" "The project is maintained by the MITRE Corporation and " "provides a list of standardized names for vulnerabilities and security " "exposures." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:152 msgid "" "Debian believes that providing users with additional information related to " "security issues that affect the Debian distribution is extremely " "important. The inclusion of CVE names in advisories help users associate " "generic vulnerabilities with specific Debian updates, which reduces the time " "spent handling vulnerabilities that affect our users. Also, it eases the " "management of security in an environment where CVE-enabled security tools " "-such as network or host intrusion detection systems, or vulnerability " "assessment tools- are already deployed regardless of whether or not they are " "based on the Debian distribution." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:160 msgid "" "Debian provides CVE names for all DSAs released since September 1998. All of " "the advisories can be retrieved on the Debian web site, and announcements " "related to new vulnerabilities include CVE names if available at the time of " "their release. Advisories associated with a given CVE name can be searched " "directly through the Debian Security Tracker (see below)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:163 msgid "" "In some cases you might not find a given CVE name in published advisories, " "for example because:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:164 msgid "No Debian products are affected by that vulnerability." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:168 msgid "" "There is not yet an advisory covering that vulnerability (the security issue " "might have been reported as a but a fix has not been tested and uploaded)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:171 msgid "" "An advisory was published before a CVE name was assigned to a given " "vulnerability (look for an update at the web site)." msgstr "" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:178 msgid "Security Tracker" msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:189 msgid "" "The central database of what the Debian security teams know about " "vulnerabilities is the . It cross references packages, vulnerable " "and fixed versions for different suites, CVE names, Debian bug numbers, " "DSA's and miscellaneous notes. It can be searched, e.g. by CVE name to see " "which Debian packages are affected or fixed, or by package to show " "unresolved security issues. The only information missing from the tracker is " "confidential information that the security team received under embargo." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:194 msgid "" "The package debsecan uses the information in the tracker to " "report to the administrator of a system which of the installed packages are " "vulnerable, and for which updates are available to fix security issues." msgstr "" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:196 msgid "Debian Security Build Infrastructure" msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:202 msgid "" "Since Debian is currently supported in a large number of architectures, " "administrators sometimes wonder if a given architecture might take more time " "to receive security updates than another. As a matter of fact, except for " "rare circumstances, updates are available to all architectures at the same " "time." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:211 msgid "" "Packages in the security archive are autobuilt, just like the regular " "archive. However, security updates are a little different from normal " "uploads sent by package maintainers since, in some cases, before being " "published they need to wait until they can be tested further, an advisory " "written, or need to wait for a week or more to avoid publicizing the flaw " "until all vendors have had a reasonable chance to fix it." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:214 msgid "Thus, the security upload archive works with the following procedure:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:218 msgid "Someone finds a security problem." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:225 msgid "" "Someone fixes the problem, and makes an upload to " "security-master.debian.org's incoming (this someone is usually a " "Security Team member but can be also a package maintainer with an " "appropriate fix that has contacted the Security Team previously). The " "Changelog includes a testing-security or stable-security " "as target distribution." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:230 msgid "" "The upload gets checked and processed by a Debian system and moved into " "queue/accepted, and the buildds are notified. Files in here can be accessed " "by the security team and (somewhat indirectly) by the buildds." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:234 msgid "" "Security-enabled buildds pick up the source package (prioritized over normal " "builds), build it, and send the logs to the security team." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:238 msgid "" "The security team replies to the logs, and the newly built packages are " "uploaded to queue/unchecked, where they're processed by a Debian system, and " "moved into queue/accepted." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:243 msgid "" "When the security team finds the source package acceptable (i.e., that it's " "been correctly built for all applicable architectures and that it fixes the " "security hole and doesn't introduce new problems of its own) they run a " "script which:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:246 msgid "installs the package into the security archive." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:250 msgid "" "updates the Packages, Sources and " "Release files of security.debian.org in the usual way " "(dpkg-scanpackages, dpkg-scansources, ...)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:253 msgid "sets up a template advisory that the security team can finish off." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:257 msgid "" "forwards the packages to the appropriate proposed-updates so that it can be " "included in the real archive as soon as possible." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:268 msgid "" "This procedure, previously done by hand, was tested and put through during " "the freezing stage of Debian 3.0 woody (July 2002). Thanks to this " "infrastructure the Security Team was able to have updated packages ready for " "the apache and OpenSSH issues for all the supported (almost twenty) " "architectures in less than a day." msgstr "" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:270 msgid "Developer's guide to security updates" msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:277 msgid "" "Debian developers that need to coordinate with the security team on fixing " "an issue in their packages, can refer to the Developer's Reference section " "." msgstr "" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:279 msgid "Package signing in Debian" msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:296 msgid "" "This section could also be titled \"how to upgrade/update safely your Debian " "GNU/Linux system\" and it deserves its own section basically because it is " "an important part of the Security Infrastructure. Package signing is an " "important issue since it prevents tampering with packages distributed on mirrors " "and with downloads via man-in-the-middle attacks. Automatic software update " "is an important feature but it's also important to remove security threats " "that could help the distribution of trojans and the compromise of systems " "during updates

Some operating systems have already been plagued " "with automatic-updates problems such as the .

FIXME: probably the Internet " "Explorer vulnerability handling certificate chains has an impact on security " "updates on Microsoft Windows.

." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:303 msgid "" "Debian does not provide signed packages but provides a mechanism available " "since Debian 4.0 (codename etch) to check the integrity of downloaded " "packages

Older releases, such as Debian 3.1 sarge can " "use this feature by using backported versions of this package management " "tool

. For more information, see ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:307 msgid "" "This issue is better described in the by V. Alex Brennen." msgstr "" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:309 msgid "The current scheme for package signature checks" msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:312 msgid "The current scheme for package signature checking using apt is:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:317 msgid "" "the Release file includes the MD5 sum of " "Packages.gz (which contains the MD5 sums of packages) and will " "be signed. The signature is from a trusted source." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:320 msgid "" "This signed Release file is downloaded by 'apt-get update' and " "stored along with Packages.gz." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:323 msgid "" "When a package is going to be installed, it is first downloaded, then the " "MD5 sum is generated." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:327 msgid "" "The signed Release file is checked (signature ok) and it " "extracts from it the MD5 sum for the Packages.gz file, the " "Packages.gz checksum is generated and (if ok) the MD5 sum of " "the downloaded package is extracted from it." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:334 msgid "" "If the MD5 sum from the downloaded package is the same as the one in the " "Packages.gz file the package will be installed, otherwise the " "administrator will be alerted and the package will be left in the cache (so " "the administrator can decide whether to install it or not). If the package " "is not in the Packages.gz and the administrator has configured " "the system to only install checked packages it will not be installed either." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:341 msgid "" "By following the chain of MD5 sums apt is capable of verifying " "that a package originates from a specific release. This is less flexible " "than signing each package one by one, but can be combined with that scheme " "too (see below)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:353 msgid "" "This scheme is in apt 0.6 and is available since the Debian " "4.0 release. For more information see . Packages that " "provide a front-end to apt need to be modified to adapt to this new feature; " "this is the case of aptitude which was to adapt to this scheme. Front-ends currently known to " "work properly with this feature include aptitude and " "synaptic." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:358 msgid "" "Package signing has been discussed in Debian for quite some time, for more " "information you can read: and ." msgstr "" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:360 msgid "Secure apt" msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:369 msgid "" "The apt 0.6 release, available since Debian 4.0 etch and later " "releases, includes apt-secure (also known as secure apt) " "which is a tool that will allow a system administrator to test the integrity " "of the packages downloaded through the above scheme. This release includes " "the tool apt-key for adding new keys to apt's keyring, which by " "default includes only the current Debian archive signing key." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:374 msgid "" "These changes are based on the patch for apt (available in ) which provides this implementation." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:381 msgid "" "Secure apt works by checking the distribution through the " "Release file, as discussed in . Typically, this process will be transparent to the " "administrator although you will need to intervene every " "year

Until an automatic mechanism is developed.

" "to add the new archive key when it is rotated, for more information on the " "steps an administrator needs to take a look at ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:386 msgid "" "This feature is still under development; if you believe you have found bugs in it, " "please first make sure you are using the latest version (as this package " "might change quite a bit before it is finally released) and, if running the " "latest version, submit a bug against the apt package." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:392 msgid "" "You can find more information at and the " "official documentation: and ." msgstr "" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:394 msgid "Per distribution release check" msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:398 msgid "" "This section describes how the distribution release check mechanism works, " "it was written by Joey Hess and is also available at the ." msgstr "" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:400 msgid "Basic concepts" msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:403 msgid "" "Here are a few basic concepts that you'll need to understand for the rest of " "this section." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:408 msgid "" "A checksum is a method of taking a file and boiling it down to a reasonably " "short number that uniquely identifies the content of the file. This is a lot " "harder to do well than it might seem, and the most commonly used type of " "checksum, the MD5 sum, is in the process of being broken." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:416 msgid "" "Public key cryptography is based on pairs of keys, a public key and a " "private key. The public key is given out to the world; the private key must " "be kept a secret. Anyone possessing the public key can encrypt a message so " "that it can only be read by someone possessing the private key. It's also " "possible to use a private key to sign a file, not encrypt it. If a private " "key is used to sign a file, then anyone who has the public key can check " "that the file was signed by that key. No one who doesn't have the private " "key can forge such a signature." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:420 msgid "" "These keys are quite long numbers (1024 to 2048 digits or longer), and to " "make them easier to work with they have a key id, which is a shorter, 8 or " "16 digit number that can be used to refer to them." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:423 msgid "" "gpg is the tool used in secure apt to sign files and check " "their signatures." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:429 msgid "" "apt-key is a program that is used to manage a keyring of gpg " "keys for secure apt. The keyring is kept in the file " "/etc/apt/trusted.gpg (not to be confused with the related but " "not very interesting " "/etc/apt/trustdb.gpg). apt-key can be used to show " "the keys in the keyring, and to add or remove a key." msgstr "" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:431 msgid "Release checksums" msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:436 msgid "" "A Debian archive contains a Release file, which is updated each " "time any of the packages in the archive change. Among other things, the " "Release file contains some MD5 sums of other files in the " "archive. An excerpt of an example Release file:" msgstr "" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:442 #, no-wrap msgid "" "MD5Sum:\n" " 6b05b392f792ba5a436d590c129de21f 3453 Packages\n" " 1356479a23edda7a69f24eb8d6f4a14b 1131 Packages.gz\n" " 2a5167881adc9ad1a8864f281b1eb959 1715 Sources\n" " 88de3533bf6e054d1799f8e49b6aed8b 658 Sources.gz" msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:447 msgid "" "The Release files also include SHA-1 checksums, which will be " "useful once MD5 sums become fully broken; however, apt doesn't use them yet." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:450 msgid "" "Now if we look inside a Packages file, we'll find more MD5 " "sums, one for each package listed in it. For example:" msgstr "" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:457 #, no-wrap msgid "" " Package: uqm\n" " Priority: optional\n" " ...\n" " Filename: unstable/uqm_0.4.0-1_i386.deb\n" " Size: 580558\n" " MD5sum: 864ec6157c1eea88acfef44d0f34d219" msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:465 msgid "" "These two checksums can be used to verify that you have downloaded a correct " "copy of the Packages file, with a md5sum that matches the one " "in the Release file. And when it downloads an individual " "package, it can also check its md5sum against the content of the " "Packages file. If apt fails at either of these steps, it will " "abort." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:472 msgid "" "None of this is new in secure apt, but it does provide the " "foundation. Notice that so far there is one file that apt doesn't have a way " "to check: The Release file. Secure apt is all about making apt verify the " "Release file before it does anything else with it, and plugging " "this hole, so that there is a chain of verification from the package that " "you are going to install all the way back to the provider of the package." msgstr "" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:474 msgid "Verification of the Release file" msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:480 msgid "" "To verify the Release file, a gpg signature is added for the " "Release file. This is put in a file named " "Release.gpg that is shipped alongside the Release " "file. It looks something like this

Technically speaking, this " "is an ASCII-armored detached gpg signature.

, although only " "gpg actually looks at its contents normally:" msgstr "" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:488 #, no-wrap msgid "" "-----BEGIN PGP SIGNATURE-----\n" "Version: GnuPG v1.4.1 (GNU/Linux)\n" "\n" "iD8DBQBCqKO1nukh8wJbxY8RAsfHAJ9hu8oGNRAl2MSmP5+z2RZb6FJ8kACfWvEx\n" "UBGPVc7jbHHsg78EhMBlV/U=\n" "=x6og\n" "-----END PGP SIGNATURE-----" msgstr "" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:492 msgid "Check of Release.gpg by apt" msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:498 msgid "" "Secure apt always downloads Release.gpg files when it's " "downloading Release files, and if it cannot download the " "Release.gpg, or if the signature is bad, it will complain, and " "will make note that the Packages files that the " "Release file points to, and all the packages listed therein, " "are from an untrusted source. Here's how it looks during an apt-get " "update:" msgstr "" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:501 #, no-wrap msgid "" "W: GPG error: http://ftp.us.debian.org testing Release: The following " "signatures\n" " couldn't be verified because the public key is not available: NO_PUBKEY " "010908312D230C5F" msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:506 msgid "" "Note that the second half of the long number is the key id of the key that " "apt doesn't know about, in this case that's 2D230C5F." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:508 msgid "" "If you ignore that warning and try to install a package later, apt will warn " "again:" msgstr "" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:512 #, no-wrap msgid "" "WARNING: The following packages cannot be authenticated!\n" " libglib-perl libgtk2-perl\n" "Install these packages without verification [y/N]?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:521 msgid "" "If you say Y here you have no way to know if the file you're getting is the " "package you're supposed to install, or if it's something else entirely that " "somebody that can intercept the communication against the " "server

Or has poisoned your DNS, or is spoofing the server, or " "has replaced the file in the mirror you are using, etc.

has " "arranged for you, containing a nasty surprise." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:523 msgid "" "Note that you can disable these checks by running apt with " "--allow-unauthenticated." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:530 msgid "" "It's also worth noting that newer versions of the Debian installer use the " "same signed Release file mechanism during their debootstrap of " "the Debian base system, before apt is available, and that the installer even " "uses this system to verify pieces of itself that it downloads from the " "net. Also, Debian does not currently sign the Release files on " "its CDs; apt can be configured to always trust packages from CDs so this is " "not a large problem." msgstr "" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:532 msgid "How to tell apt what to trust" msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:539 msgid "" "So the security of the whole system depends on there being a " "Release.gpg file, which signs a Release file, and " "of apt checking that signature using gpg. To check the " "signature, it has to know the public key of the person who signed the " "file. These keys are kept in apt's own keyring " "(/etc/apt/trusted.gpg), and managing the keys is where secure " "apt comes in." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:541 msgid "" "By default, Debian systems come preconfigured with the Debian archive key in " "the keyring." msgstr "" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:547 #, no-wrap msgid "" "# apt-key list\n" "/etc/apt/trusted.gpg\n" "--------------------\n" "pub 1024D/4F368D5D 2005-01-31 [expires: 2006-01-31]\n" "uid Debian Archive Automatic Signing Key (2005) " "<ftpmaster@debian.org>" msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:553 msgid "" "Here 4F368D5D is the key id, and notice that this key was only valid for a " "one year period. Debian rotates these keys as a last line of defense against " "some sort of security breach breaking a key." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:559 msgid "" "That will make apt trust the official Debian archive, but if " "you add some other apt repository to /etc/apt/sources.list, " "you'll also have to give apt its key if you want apt to trust " "it. Once you have the key and have verified it, it's a simple matter of " "running apt-key add file to add it. Getting the key and " "verifying it are the trickier parts." msgstr "" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:561 msgid "Finding the key for a repository" msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:565 msgid "" "The debian-archive-keyring package is used to distribute keys to " "apt. Upgrades to this package can add (or remove) gpg keys for " "the main Debian archive." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:570 msgid "" "For other archives, there is not yet a standard location where you can find " "the key for a given apt repository. There's a rough standard of putting the " "key up on the web page for the repository or as a file in the repository " "itself, but no real standard, so you might have to hunt for it." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:577 msgid "" "The Debian archive signing key is available at (replace 2006 with " "current year).

\"ziyi\" is the name of the tool used for signing " "on the Debian servers, the name is based on the name of a .

" msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:581 msgid "" "gpg itself has a standard way to distribute keys, using a " "keyserver that gpg can download a key from and add it to its keyring. For " "example:" msgstr "" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:588 #, no-wrap msgid "" "$ gpg --keyserver pgpkeys.mit.edu --recv-key 2D230C5F\n" "gpg: requesting key 2D230C5F from hkp server pgpkeys.mit.edu\n" "gpg: key 2D230C5F: public key \"Debian Archive Automatic Signing Key (2006) " "<ftpm\n" "aster@debian.org>\" imported\n" "gpg: Total number processed: 1\n" "gpg: imported: 1" msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:592 msgid "" "You can then export that key from your own keyring and feed it to " "apt-key:" msgstr "" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:596 #, no-wrap msgid "" "$ gpg -a --export 2D230C5F | sudo apt-key add -\n" "gpg: no ultimately trusted keys found\n" "OK" msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:603 msgid "" "The \"gpg: no ultimately trusted keys found\" warning means that gpg was not " "configured to ultimately trust a specific key. Trust settings are part of " "OpenPGP's Web-of-Trust, which does not apply here. So there is no problem with " "this warning. In typical setups the user's own key is ultimately trusted." msgstr "" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:605 msgid "Safely adding a key" msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:614 msgid "" "By adding a key to apt's keyring, you're telling apt to trust everything " "signed by the key, and this lets you know for sure that apt won't install " "anything not signed by the person who possesses the private key. But if " "you're sufficiently paranoid, you can see that this just pushes things up a " "level, now instead of having to worry if a package, or a " "Release file is valid, you can worry about whether you've " "actually gotten the right key. Is the file mentioned above " "really Debian's archive signing key, or has it been modified (or this " "document lies)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:627 msgid "" "It's good to be paranoid in security, but verifying things from here is " "harder. gpg has the concept of a chain of trust, which can " "start at someone you're sure of, who signs someone's key, who signs some " "other key, etc., until you get to the archive key. If you're sufficiently " "paranoid you'll want to check that your archive key is signed by a key that " "you can trust, with a trust chain that goes back to someone you know " "personally. If you want to do this, visit a Debian conference or perhaps a " "local LUG for a key signing

Not all apt repository keys are " "signed at all by another key. Maybe the person setting up the repository " "doesn't have another key, or maybe they don't feel comfortable signing such " "a role key with their main key. For information on setting up a key for a " "repository see .

." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:634 msgid "" "If you can't afford this level of paranoia, do whatever feels appropriate to " "you when adding a new apt source and a new key. Maybe you'll want to mail " "the person providing the key and verify it, or maybe you're willing to take " "your chances with downloading it and assuming you got the real thing. The " "important thing is that by reducing the problem to what archive keys to " "trust, secure apt lets you be as careful and secure as it suits you to be." msgstr "" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:636 msgid "Verifying key integrity" msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:643 msgid "" "You can verify the fingerprint as well as the signatures on the " "key. Retrieving the fingerprint can be done for multiple sources, you can " "check , talk to Debian Developers on IRC, read the " "mailing list where the key change will be announced or any other additional " "means to verify the fingerprint. For example you can do this:" msgstr "" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:661 #, no-wrap msgid "" "$ GET http://ftp-master.debian.org/ziyi_key_2006.asc | gpg --import\n" "gpg: key 2D230C5F: public key \"Debian Archive Automatic Signing Key " "(2006)\n" " <ftpmaster&debian.org>\" imported\n" "gpg: Total number processed: 1\n" "gpg: imported: 1\n" "$ gpg --check-sigs --fingerprint 2D230C5F\n" "pub 1024D/2D230C5F 2006-01-03 [expires: 2007-02-07]\n" " Key fingerprint = 0847 50FC 01A6 D388 A643 D869 0109 0831 2D23 0C5F\n" "uid Debian Archive Automatic Signing Key (2006) " "<ftpmaster@debian.org>\n" "sig!3 2D230C5F 2006-01-03 Debian Archive Automatic Signing Key\n" " (2006) <ftpmaster@debian.org>\n" "sig! 2A4E3EAA 2006-01-03 Anthony Towns " "<aj@azure.humbug.org.au>\n" "sig! 4F368D5D 2006-01-03 Debian Archive Automatic Signing Key\n" " (2005) <ftpmaster@debian.org>\n" "sig! 29982E5A 2006-01-04 Steve Langasek <vorlon@dodds.net>\n" "sig! FD6645AB 2006-01-04 Ryan Murray <rmurray@cyberhqz.com>\n" "sig! AB2A91F5 2006-01-04 James Troup <james@nocrew.org>" msgstr "" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:667 msgid "" "and then from your key (or a key you trust) to at " "least one of the keys used to sign the archive key. If you are sufficiently " "paranoid you will tell apt to trust the key only if you find an acceptable " "path:" msgstr "" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:670 #, no-wrap msgid "" "$ gpg --export -a 2D230C5F | sudo apt-key add -\n" "Ok" msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:675 msgid "" "Note that the key is signed with the previous archive key, so theoretically " "you can just build on your previous trust." msgstr "" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:677 msgid "Debian archive key yearly rotation" msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:681 msgid "" "As mentioned above, the Debian archive signing key is changed each year, in " "January. Since secure apt is young, we don't have a great deal of experience " "with changing the key and there are still rough spots." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:692 msgid "" "In January 2006, a new key for 2006 was made and the Release " "file began to be signed by it, but to try to avoid breaking systems that had " "the old 2005 key, the Release file was signed by that as " "well. The intent was that apt would accept one signature or the other " "depending on the key it had, but apt turned out to be buggy and refused to " "trust the file unless it had both keys and was able to check both " "signatures. This was fixed in apt version 0.6.43.1. There was also confusion " "about how the key was distributed to users who already had systems using " "secure apt; initially it was uploaded to the web site with no announcement " "and no real way to verify it and users were forced to download it by hand." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:724 msgid "" "In January 2006, a new key for 2006 was made and the Release file began to " "be signed by it, but to try to avoid breaking systems that had the old 2005 " "key, the Release file was signed by that as well. In order to " "prevent confusion on the best distribution mechanism for users who already " "have systems using secure apt, the debian-archive-keyring package was " "introduced, which manages apt keyring updates." msgstr "" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:726 msgid "Known release checking problems" msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:730 msgid "" "One not so obvious problem is that if your clock is very far off, secure apt " "will not work. If it's set to a date in the past, such as 1999, apt will " "fail with an unhelpful message such as this:" msgstr "" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:732 #, no-wrap msgid "" "W: GPG error: http://archive.progeny.com sid Release: Unknown error " "executing gpg" msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:736 msgid "Although apt-key list will make the problem plain:" msgstr "" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:741 #, no-wrap msgid "" "gpg: key 2D230C5F was created 192324901 seconds in the future (time warp or " "clock problem)\n" "gpg: key 2D230C5F was created 192324901 seconds in the future (time warp or " "clock problem)\n" "pub 1024D/2D230C5F 2006-01-03\n" "uid Debian Archive Automatic Signing Key (2006) " "<ftpmaster@debian.org>" msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:745 msgid "" "If it's set to a date too far in the future, apt will treat the keys as " "expired." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:750 msgid "" "Another problem you may encounter if using testing or unstable is that if you " "have not run apt-get update lately and apt-get " "install a package, apt might complain that it cannot be authenticated " "(why does it do this?). apt-get update will fix this." msgstr "" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:752 msgid "Manual per distribution release check" msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:765 msgid "" "In case you want to add now the additional security checks and don't want or " "cannot run the latest apt version

Either because you are using " "the stable (sarge) release or an older release, or because you don't " "want to use the latest apt version, although we would really appreciate " "testing of it.

you can use the script below, provided by " "Anthony Towns. This script can automatically do some new security checks to " "allow the user to be sure that the software s/he's downloading matches the " "software Debian's distributing. This stops Debian developers from hacking " "into someone's system without the accountability provided by uploading to " "the main archive, or mirrors mirroring something almost, but not quite like " "Debian, or mirrors providing out of date copies of unstable with known " "security problems." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:767 msgid "" "This sample code, renamed as apt-check-sigs, should be used in " "the following way:" msgstr "" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:772 #, no-wrap msgid "" "# apt-get update\n" "# apt-check-sigs\n" "(...results...)\n" "# apt-get dist-upgrade" msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:776 msgid "First you need to:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:782 msgid "" "get the keys the archive software uses to sign Release files, " " and add them to " "~/.gnupg/trustedkeys.gpg (which is what gpgv uses " "by default)." msgstr "" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:784 #, no-wrap msgid "" " gpg --no-default-keyring --keyring trustedkeys.gpg --import " "ziyi_key_2006.asc" msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:790 msgid "" "remove any /etc/apt/sources.list lines that don't use the " "normal \"dists\" structure, or change the script so that it works with them." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:794 msgid "" "be prepared to ignore the fact that Debian security updates don't have " "signed Release files, and that Sources files don't " "have appropriate checksums in the Release file (yet)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:797 msgid "" "be prepared to check that the appropriate sources are signed by the " "appropriate keys." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:805 msgid "" "This is the example code for apt-check-sigs, the latest version " "can be retrieved from . This code is currently " "in beta, for more information read ." msgstr "" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:1050 #, no-wrap msgid "" "#!/bin/bash\n" "\n" "# Copyright (c) 2001 Anthony Towns <ajt@debian.org>\n" "#\n" "# This program is free software; you can redistribute it and/or modify\n" "# it under the terms of the GNU General Public License as published by\n" "# the Free Software Foundation; either version 2 of the License, or\n" "# (at your option) any later version.\n" "#\n" "# This program is distributed in the hope that it will be useful,\n" "# but WITHOUT ANY WARRANTY; without even the implied warranty of\n" "# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n" "# GNU General Public License for more details.\n" "\n" "rm -rf /tmp/apt-release-check\n" "mkdir /tmp/apt-release-check || exit 1\n" "cd /tmp/apt-release-check\n" "\n" ">OK\n" ">MISSING\n" ">NOCHECK\n" ">BAD\n" "\n" "arch=`dpkg --print-installation-architecture`\n" "\n" "am_root () {\n" " [ `id -u` -eq 0 ]\n" "}\n" "\n" "get_md5sumsize () {\n" " cat \"$1\" | awk '/^MD5Sum:/,/^SHA1:/' | \n" " MYARG=\"$2\" perl -ne '@f = split /\\s+/; if ($f[3] eq " "$ENV{\"MYARG\"}) {\n" "print \"$f[1] $f[2]\\n\"; exit(0); }'\n" "}\n" "\n" "checkit () {\n" " local FILE=\"$1\"\n" " local LOOKUP=\"$2\"\n" "\n" " Y=\"`get_md5sumsize Release \"$LOOKUP\"`\"\n" " Y=\"`echo \"$Y\" | sed 's/^ *//;s/ */ /g'`\"\n" "\n" " if [ ! 
-e \"/var/lib/apt/lists/$FILE\" ]; then\n" " if [ \"$Y\" = \"\" ]; then\n" " # No file, but not needed anyway\n" " echo \"OK\"\n" " return\n" " fi\n" " echo \"$FILE\" >>MISSING\n" " echo \"MISSING $Y\"\n" " return\n" " fi\n" " if [ \"$Y\" = \"\" ]; then\n" " echo \"$FILE\" >>NOCHECK\n" " echo \"NOCHECK\"\n" " return\n" " fi\n" " X=\"`md5sum < /var/lib/apt/lists/$FILE | cut -d\\ -f1` `wc -c < " "/var/lib\n" "/apt/lists/$FILE`\"\n" " X=\"`echo \"$X\" | sed 's/^ *//;s/ */ /g'`\"\n" " if [ \"$X\" != \"$Y\" ]; then\n" " echo \"$FILE\" >>BAD\n" " echo \"BAD\"\n" " return\n" " fi\n" " echo \"$FILE\" >>OK\n" " echo \"OK\"\n" "}\n" "\n" "echo\n" "echo \"Checking sources in /etc/apt/sources.list:\"\n" "echo \"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\"\n" "echo\n" "(echo \"You should take care to ensure that the distributions you're " "downloading\n" "\"\n" "echo \"are the ones you think you are downloading, and that they are as up " "to\"\n" "echo \"date as you would expect (testing and unstable should be no more " "than\"\n" "echo \"two or three days out of date, stable-updates no more than a few " "weeks\"\n" "echo \"or a month).\"\n" ") | fmt\n" "echo\n" "\n" "cat /etc/apt/sources.list | \n" " sed 's/^ *//' | grep '^[^#]' |\n" " while read ty url dist comps; do\n" " if [ \"${url%%:*}\" = \"http\" -o \"${url%%:*}\" = \"ftp\" ]; then\n" " baseurl=\"${url#*://}\"\n" " else\n" " continue\n" " fi\n" "\n" " echo \"Source: ${ty} ${url} ${dist} ${comps}\"\n" "\n" " rm -f Release Release.gpg\n" " lynx -reload -dump \"${url}/dists/${dist}/Release\" >/dev/null " "2>&1\n" " wget -q -O Release \"${url}/dists/${dist}/Release\"\n" "\n" " if ! 
grep -q '^' Release; then\n" " echo \" * NO TOP-LEVEL Release FILE\"\n" " >Release\n" " else\n" " origline=`sed -n 's/^Origin: *//p' Release | head -1`\n" " lablline=`sed -n 's/^Label: *//p' Release | head -1`\n" " suitline=`sed -n 's/^Suite: *//p' Release | head -1`\n" " codeline=`sed -n 's/^Codename: *//p' Release | head -1`\n" " dateline=`grep \"^Date:\" Release | head -1`\n" " dscrline=`grep \"^Description:\" Release | head -1`\n" " echo \" o Origin: $origline/$lablline\"\n" " echo \" o Suite: $suitline/$codeline\"\n" " echo \" o $dateline\"\n" " echo \" o $dscrline\"\n" "\n" " if [ \"${dist%%/*}\" != \"$suitline\" -a \"${dist%%/*}\" != " "\"$codeline\" ]; then\n" " echo \" * WARNING: asked for $dist, got " "$suitline/$codeline\"\n" " fi\n" "\n" " lynx -reload -dump \"${url}/dists/${dist}/Release.gpg\" " ">/dev/null 2>&1\n" " wget -q -O Release.gpg " "\"${url}/dists/${dist}/Release.gpg\"\n" "\n" " gpgv --status-fd 3 Release.gpg Release 3>&1 >/dev/null 2>&1 " "| sed -n \"s/^\\[GNUPG:\\] //p\" | (okay=0; err=\"\"; while read gpgcode " "rest; do\n" " if [ \"$gpgcode\" = \"GOODSIG\" ]; then\n" " if [ \"$err\" != \"\" ]; then\n" " echo \" * Signed by ${err# } key: ${rest#* " "}\"\n" " else\n" " echo \" o Signed by: ${rest#* }\"\n" " okay=1\n" " fi\n" " err=\"\"\n" " elif [ \"$gpgcode\" = \"BADSIG\" ]; then\n" " echo \" * BAD SIGNATURE BY: ${rest#* }\"\n" " err=\"\"\n" " elif [ \"$gpgcode\" = \"ERRSIG\" ]; then\n" " echo \" * COULDN'T CHECK SIGNATURE BY KEYID: " "${rest %% *}\"\n" " err=\"\"\n" " elif [ \"$gpgcode\" = \"SIGREVOKED\" ]; then\n" " err=\"$err REVOKED\"\n" " elif [ \"$gpgcode\" = \"SIGEXPIRED\" ]; then\n" " err=\"$err EXPIRED\"\n" " fi\n" " done\n" " if [ \"$okay\" != 1 ]; then\n" " echo \" * NO VALID SIGNATURE\"\n" " >Release\n" " fi)\n" " fi\n" " okaycomps=\"\"\n" " for comp in $comps; do\n" " if [ \"$ty\" = \"deb\" ]; then\n" " X=$(checkit \"`echo " "\"${baseurl}/dists/${dist}/${comp}/binary-${arch}/Release\" | sed " "'s,//*,_,g'`\" 
\"${comp}/binary-${arch}/Release\")\n" " Y=$(checkit \"`echo " "\"${baseurl}/dists/${dist}/${comp}/binary-${arch}/Packages\" | sed " "'s,//*,_,g'`\" \"${comp}/binary-${arch}/Packages\")\n" " if [ \"$X $Y\" = \"OK OK\" ]; then\n" " okaycomps=\"$okaycomps $comp\"\n" " else\n" " echo \" * PROBLEMS WITH $comp ($X, $Y)\"\n" " fi\n" " elif [ \"$ty\" = \"deb-src\" ]; then\n" " X=$(checkit \"`echo " "\"${baseurl}/dists/${dist}/${comp}/source/Release\" | sed 's,//*,_,g'`\" " "\"${comp}/source/Release\")\n" " Y=$(checkit \"`echo " "\"${baseurl}/dists/${dist}/${comp}/source/Sources\" | sed 's,//*,_,g'`\" " "\"${comp}/source/Sources\")\n" " if [ \"$X $Y\" = \"OK OK\" ]; then\n" " okaycomps=\"$okaycomps $comp\"\n" " else\n" " echo \" * PROBLEMS WITH component $comp " "($X, $Y)\"\n" " fi\n" " fi\n" " done\n" " [ \"$okaycomps\" = \"\" ] || echo \" o Okay:$okaycomps\"\n" " echo\n" " done\n" "\n" "echo \"Results\"\n" "echo \"~~~~~~~\"\n" "echo\n" "\n" "allokay=true\n" "\n" "cd /tmp/apt-release-check\n" "diff <(cat BAD MISSING NOCHECK OK | sort) <(cd /var/lib/apt/lists && find " ". -type f -maxdepth 1 | sed 's,^\\./,,g' | grep '_' | sort) | sed -n 's/^> " "//p' >UNVALIDATED\n" "\n" "cd /tmp/apt-release-check\n" "if grep -q ^ UNVALIDATED; then\n" " allokay=false\n" " (echo \"The following files in /var/lib/apt/lists have not been " "validated.\"\n" " echo \"This could turn out to be a harmless indication that this " "script\"\n" " echo \"is buggy or out of date, or it could let trojaned packages get " "onto\"\n" " echo \"your system.\"\n" " ) | fmt\n" " echo\n" " sed 's/^/ /' < UNVALIDATED\n" " echo\n" "fi\n" "\n" "if grep -q ^ BAD; then\n" " allokay=false\n" " (echo \"The contents of the following files in /var/lib/apt/lists does " "not\"\n" " echo \"match what was expected. 
This may mean these sources are out of " "date,\"\n" " echo \"that the archive is having problems, or that someone is " "actively\"\n" " echo \"using your mirror to distribute trojans.\"\n" " if am_root; then \n" " echo \"The files have been renamed to have the extension .FAILED " "and\"\n" " echo \"will be ignored by apt.\"\n" " cat BAD | while read a; do\n" " mv /var/lib/apt/lists/$a /var/lib/apt/lists/${a}.FAILED\n" " done\n" " fi) | fmt\n" " echo\n" " sed 's/^/ /' < BAD\n" " echo\n" "fi\n" "\n" "if grep -q ^ MISSING; then\n" " allokay=false\n" " (echo \"The following files from /var/lib/apt/lists were " "missing. This\"\n" " echo \"may cause you to miss out on updates to some vulnerable " "packages.\"\n" " ) | fmt\n" " echo\n" " sed 's/^/ /' < MISSING\n" " echo\n" "fi\n" "\n" "if grep -q ^ NOCHECK; then\n" " allokay=false\n" " (echo \"The contents of the following files in /var/lib/apt/lists could " "not\"\n" " echo \"be validated due to the lack of a signed Release file, or the " "lack\"\n" " echo \"of an appropriate entry in a signed Release file. This " "probably\"\n" " echo \"means that the maintainers of these sources are slack, but may " "mean\"\n" " echo \"these sources are being actively used to distribute trojans.\"\n" " if am_root; then \n" " echo \"The files have been renamed to have the extension .FAILED " "and\"\n" " echo \"will be ignored by apt.\"\n" " cat NOCHECK | while read a; do\n" " mv /var/lib/apt/lists/$a /var/lib/apt/lists/${a}.FAILED\n" " done\n" " fi) | fmt\n" " echo\n" " sed 's/^/ /' < NOCHECK\n" " echo\n" "fi\n" "\n" "if $allokay; then\n" " echo 'Everything seems okay!'\n" " echo\n" "fi\n" "\n" "rm -rf /tmp/apt-release-check" msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:1055 msgid "" "You might need to apply the following patch for sid since " "md5sum adds an '-' after the sum when the input is stdin:" msgstr "" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:1074 #, no-wrap msgid "" "@@ -37,7 +37,7 @@\n" " local LOOKUP=\"$2\"\n" "\n" " Y=\"`get_md5sumsize Release \"$LOOKUP\"`\"\n" "- Y=\"`echo \"$Y\" | sed 's/^ *//;s/ */ /g'`\"\n" "+ Y=\"`echo \"$Y\" | sed 's/-//;s/^ *//;s/ */ /g'`\"\n" "\n" " if [ ! -e \"/var/lib/apt/lists/$FILE\" ]; then\n" " if [ \"$Y\" = \"\" ]; then\n" "@@ -55,7 +55,7 @@\n" " return\n" " fi\n" " X=\"`md5sum < /var/lib/apt/lists/$FILE` `wc -c < " "/var/lib/apt/lists/$FILE`\"\n" "- X=\"`echo \"$X\" | sed 's/^ *//;s/ */ /g'`\"\n" "+ X=\"`echo \"$X\" | sed 's/-//;s/^ *//;s/ */ /g'`\"\n" " if [ \"$X\" != \"$Y\" ]; then\n" " echo \"$FILE\" >>BAD\n" " echo \"BAD\"" msgstr "" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:1078 msgid "Release check of non Debian sources" msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:1087 msgid "" "Notice that, when using the latest apt version (with secure apt) no " "extra effort should be required on your part unless you use non-Debian " "sources, in which case an extra confirmation step will be required by " "apt-get. This is avoided by providing Release and " "Release.gpg files in the non-Debian sources. The " "Release file can be generated with apt-ftparchive " "(available in apt-utils 0.5.0 and later), the " "Release.gpg is just a detached signature. To generate both " "follow this simple procedure:" msgstr "" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:1091 #, no-wrap msgid "" "$ rm -f dists/unstable/Release\n" "$ apt-ftparchive release dists/unstable > dists/unstable/Release\n" "$ gpg --sign -ba -o dists/unstable/Release.gpg dists/unstable/Release" msgstr "" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:1095 msgid "Alternative per-package signing scheme" msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:1101 msgid "" "The additional scheme of signing each and every package allows packages to " "be checked when they are no longer referenced by an existing " "Packages file; it also allows third-party packages for which no " "Packages file ever existed to be used in Debian. It will not, " "however, be the default scheme." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:1110 msgid "" "This package signing scheme can be implemented using " "debsig-verify and debsigs. These two " "packages can sign and verify embedded signatures in the .deb itself. Debian " "already has the capability to do this now, but there is no feature plan to " "implement the policy or other tools since the archive signing scheme is " "preferred. These tools are available for users and archive administrators " "that would rather use this scheme instead." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:1116 msgid "" "Latest dpkg versions (since 1.9.21) incorporate a that provides this functionality as soon as " "debsig-verify is installed." msgstr "" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:1119 msgid "" "NOTE: Currently /etc/dpkg/dpkg.cfg ships with \"no-debsig\" " "by default." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:3 msgid "" "NOTE2: Signatures from developers are currently stripped when they enter " "the package archive, since the currently preferred method is release checks " "as described previously." msgstr "" #. type: #: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:5 msgid "Security tools in Debian" msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:7 msgid "FIXME: More content needed." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:13 msgid "" "Debian also provides a number of security tools that can make a Debian box " "suited for security purposes. These purposes include protection of " "information systems through firewalls (either packet or application-level), " "intrusion detection (both network and host based), vulnerability assessment, " "antivirus, private networks, etc." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:22 msgid "" "Since Debian 3.0 (woody), the distribution features cryptographic " "software integrated into the main distribution. OpenSSH and GNU Privacy " "Guard are included in the default install, and strong encryption is now " "present in web browsers and web servers, databases, and so forth. Further " "integration of cryptography is planned for future releases. This software, " "due to export restrictions in the US, was not distributed along with the " "main distribution but included only in non-US sites." msgstr "" #. type: #: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:24 msgid "Remote vulnerability assessment tools" msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:30 msgid "" "The tools provided by Debian to perform remote vulnerability assessment are: " "

Some of them are provided when installing the " "harden-remoteaudit package.

" msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:32 msgid "nessus" msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:33 msgid "raccess" msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:34 msgid "nikto (whisker's replacement)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:47 msgid "" "By far, the most complete and up-to-date tool is nessus " "which is composed of a client (nessus) used as a GUI and " "a server (nessusd) which launches the programmed " "attacks. Nessus includes remote vulnerabilities for quite a number of " "systems including network appliances, ftp servers, www servers, etc. The " "latest security plugins are even able to parse a web site and try to " "discover which interactive pages are available which could be " "attacked. There are also Java and Win32 clients (not included in Debian) " "which can be used to contact the management server." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:53 msgid "" "nikto is a web-only vulnerability assessment scanner " "including anti-IDS tactics (most of which are not anti-IDS " "anymore). It is one of the best cgi-scanners available, being able to detect " "a WWW server and launch only a given set of attacks against it. The database " "used for scanning can be easily modified to provide for new information." msgstr "" #. type: #: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:54 msgid "Network scanner tools" msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:59 msgid "" "Debian does provide some tools used for remote scanning of hosts (but not " "vulnerability assessment). These tools are, in some cases, used by " "vulnerability assessment scanners as the first type of \"attack\" run " "against remote hosts in an attempt to determine remote services " "available. Currently Debian provides:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:61 msgid "nmap" msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:62 msgid "xprobe" msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:63 msgid "p0f" msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:64 msgid "knocker" msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:65 msgid "isic" msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:66 msgid "hping2" msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:67 msgid "icmpush" msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:68 msgid "nbtscan (for SMB /NetBIOS audits)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:69 msgid "fragrouter" msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:70 msgid "strobe (in the netdiag package)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:71 msgid "irpas" msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:84 msgid "" "While xprobe provides only remote operating system " "detection (using TCP/IP fingerprinting), nmap and " "knocker do both operating system detection and port " "scanning of the remote hosts. On the other hand, hping2 " "and icmpush can be used for remote ICMP attack " "techniques." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:89 msgid "" "Designed specifically for SMB networks, nbtscan can be " "used to scan IP networks and retrieve name information from SMB-enabled " "servers, including: usernames, network names, MAC addresses..." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:93 msgid "" "On the other hand, fragrouter can be used to test network " "intrusion detection systems and see if the NIDS can be eluded by " "fragmentation attacks." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:96 msgid "" "FIXME: Check " "(ITP fragrouter) to see if it's included." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:102 msgid "" "FIXME add information based on which describes how to use " "Debian and a laptop to scan for wireless (803.1) networks (link not there " "any more)." msgstr "" #. type: #: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:103 msgid "Internal audits" msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:108 msgid "" "Currently, tiger is the only tool in Debian that can be used " "to perform an internal (also called white box) audit of hosts in order to " "determine if the file system is properly set up, which processes are " "listening on the host, etc." msgstr "" #. type: #: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:109 msgid "Auditing source code" msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:112 msgid "" "Debian provides several packages that can be used to audit C/C++ source code " "programs and find programming errors that might lead to potential security " "flaws:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:114 msgid "flawfinder" msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:115 msgid "rats" msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:116 msgid "splint" msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:117 msgid "pscan" msgstr "" #. type: #: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:121 msgid "Virtual Private Networks" msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:129 msgid "" "A virtual private network (VPN) is a group of two or more computer systems, " "typically connected to a private network with limited public network access, " "that communicate securely over a public network. VPNs may connect a single " "computer to a private network (client-server), or a remote LAN to a private " "network (server-server). VPNs often include the use of encryption, strong " "authentication of remote users or hosts, and methods for hiding the private " "network's topology." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:132 msgid "" "Debian provides quite a few packages to set up encrypted virtual private " "networks:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:135 msgid "vtun" msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:136 msgid "tunnelv (non-US section)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:137 msgid "cipe-source, cipe-common" msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:138 msgid "tinc" msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:139 msgid "secvpn" msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:140 msgid "pptpd" msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:141 msgid "openvpn" msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:143 msgid "openswan ()" msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:150 msgid "" "FIXME: Update the information here since it was written with FreeSWAN in " "mind. Check Bug #237764 and Message-Id: " "<200412101215.04040.rmayr@debian.org>." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:158 msgid "" "The OpenSWAN package is probably the best choice overall, since it promises " "to interoperate with almost anything that uses the IP security protocol, " "IPsec (RFC 2411). However, the other packages listed above can also help you " "get a secure tunnel up in a hurry. The point to point tunneling protocol " "(PPTP) is a proprietary Microsoft protocol for VPN. It is supported under " "Linux, but is known to have serious security issues." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:168 msgid "" "For more information see the (covers IPsec and PPTP), (covers " "PPP over SSH), , and ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:172 msgid "" "Also worth checking out is , but no Debian packages seem to be available yet." msgstr "" #. type: #: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:174 msgid "Point to Point tunneling" msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:180 msgid "" "If you want to provide a tunneling server for a mixed environment (both " "Microsoft operating systems and Linux clients) and IPsec is not an option " "(since it's only provided for Windows 2000 and Windows XP), you can use " "PoPToP (Point to Point Tunneling Server), provided in the " "pptpd package." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:184 msgid "" "If you want to use Microsoft's authentication and encryption with the server " "provided in the ppp package, note the following from the " "FAQ:" msgstr "" #. type: #: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:190 #, no-wrap msgid "" "It is only necessary to use PPP 2.3.8 if you want Microsoft compatible\n" "MSCHAPv2/MPPE authentication and encryption. The reason for this is that\n" "the MSCHAPv2/MPPE patch currently supplied (19990813) is against PPP\n" "2.3.8. If you don't need Microsoft compatible authentication/encryption\n" "any 2.3.x PPP source will be fine." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:196 msgid "" "However, you also have to apply the kernel patch provided by the " "kernel-patch-mppe package, which provides the pp_mppe " "module for pppd." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:201 msgid "" "Take into account that the encryption in pptp forces you to store user " "passwords in clear text, and that the MS-CHAPv2 protocol contains ." msgstr "" #. type: #: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:203 msgid "Public Key Infrastructure (PKI)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:209 msgid "" "Public Key Infrastructure (PKI) is a security architecture introduced to " "provide an increased level of confidence for exchanging information over " "insecure networks. It makes use of the concept of public and private " "cryptographic keys to verify the identity of the sender (signing) and to " "ensure privacy (encryption)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:212 msgid "When considering a PKI, you are confronted with a wide variety of issues:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:217 msgid "" "a Certificate Authority (CA) that can issue and verify certificates, and " "that can work under a given hierarchy." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:219 msgid "a Directory to hold user's public certificates." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:221 msgid "a Database (?) to maintain Certificate Revocation Lists (CRL)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:224 msgid "" "devices that interoperate with the CA in order to print out smart cards/USB " "tokens/whatever to securely store certificates." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:229 msgid "" "certificate-aware applications that can use certificates issued by a CA to " "enroll in encrypted communication and check given certificates against CRL " "(for authentication and full Single Sign On solutions)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:231 msgid "a Time stamping authority to digitally sign documents." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:234 msgid "" "a management console from which all of this can be properly used " "(certificate generation, revocation list control, etc...)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:247 msgid "" "Debian GNU/Linux has software packages to help you with some of these PKI " "issues. They include OpenSSL (for certificate generation), " "OpenLDAP (as a directory to hold the certificates), " "gnupg and openswan (with X.509 standard " "support). However, as of the Woody release (Debian 3.0), Debian does not " "have any of the freely available Certificate Authorities such as pyCA, or the CA samples from " "OpenSSL. For more information read the ." msgstr "" #. type: #: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:249 msgid "SSL Infrastructure" msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:256 msgid "" "Debian does provide some SSL certificates with the distribution so that they " "can be installed locally. They are found in the " "ca-certificates package. This package provides a central " "repository of certificates that have been submitted to Debian and approved " "(that is, verified) by the package maintainer, useful for any OpenSSL " "applications which verify SSL connections." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:258 msgid "FIXME: read debian-devel to see if there was something added to this." msgstr "" #. type: #: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:260 msgid "Antivirus tools" msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:272 msgid "" "There are not many anti-virus tools included with Debian GNU/Linux, probably " "because GNU/Linux users are not plagued by viruses. The Unix security model " "makes a distinction between privileged (root) processes and user-owned " "processes, therefore a \"hostile\" executable that a non-root user receives " "or creates and then executes cannot \"infect\" or otherwise manipulate the " "whole system. However, GNU/Linux worms and viruses do exist, although there " "has not (yet, hopefully) been any that has spread in the wild over any " "Debian distribution. In any case, administrators might want to build up " "anti-virus gateways that protect against viruses arising on other, more " "vulnerable systems in their network." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:275 msgid "" "Debian GNU/Linux currently provides the following tools for building " "antivirus environments:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:298 msgid "" ", provided since " "Debian sarge (3.1 release). Packages are provided both for the " "virus scanner (clamav) for the scanner daemon " "(clamav-daemon) and for the data files needed for the " "scanner. Since keeping an antivirus up-to-date is critical for it to work " "properly there are two different ways to get this data: " "clamav-freshclam provides a way to update the database " "through the Internet automatically and clamav-data which " "provides the data files directly.

If you use this last package " "and are running an official Debian, the database will not be updated with " "security updates. You should either use clamav-freshclam, " "clamav-getfiles to generate new clamav-data " "packages or update from the maintainers location: deb " "http://people.debian.org/~zugschlus/clamav-data/ / deb-src " "http://people.debian.org/~zugschlus/clamav-data/ /

" msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:303 msgid "" "mailscanner an e-mail gateway virus scanner and spam " "detector. Using sendmail or exim as " "its basis, it can use more than 17 different virus scanning engines " "(including clamav)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:307 msgid "" "libfile-scan-perl which provides File::Scan, a Perl " "extension for scanning files for viruses. This module can be used to make " "platform independent virus scanners." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:314 msgid "" ", provided in the package amavis-ng and " "available in sarge, which is a mail virus scanner which integrates " "with different MTA (Exim, Sendmail, Postfix, or Qmail) and supports over 15 " "virus scanning engines (including clamav, File::Scan and openantivirus)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:319 msgid "" ", a tool " "that uses the procmail package, which can scan email " "attachments for viruses, block attachments based on their filenames, and " "more." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:324 msgid "" ", a script that provides an interface from a mail " "transport agent to one or more commercial virus scanners (this package is " "built with support for the postfix MTA only)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:327 msgid "" "exiscan, an e-mail virus scanner written in Perl that " "works with Exim." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:329 msgid "" "blackhole-qmail a spam filter for Qmail with built-in " "support for Clamav." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:338 msgid "" "Some gateway daemons already support extensions to build antivirus " "environments including exim4-daemon-heavy (the " "heavy version of the Exim MTA), frox (a " "transparent caching ftp proxy server), messagewall (an " "SMTP proxy daemon) and pop3vscan (a transparent POP3 " "proxy)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:343 msgid "" "Debian currently provides clamav as the only antivirus scanning " "software in the main official distribution and it also provides multiple " "interfaces to build gateways with antivirus capabilities for different " "protocols." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:346 msgid "" "Some other free software antivirus projects which might be included in " "future Debian GNU/Linux releases:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:355 msgid "" " (see and " ")." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:360 msgid "" "FIXME: Is there a package that provides a script to download the latest " "virus signatures from ?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:363 msgid "" "FIXME: Check if scannerdaemon is the same as the open antivirus scanner " "daemon (read ITPs)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:387 msgid "" "However, Debian will never provide proprietary (non-free and " "undistributable) antivirus software such as: Panda Antivirus, NAI Netshield, " ", , or . For more pointers see the " ". This does not mean that this " "software cannot be installed properly in a Debian " "system

Actually, there is an installer package for the " "F-prot antivirus, which is non-free but gratis for home " "users, called f-prot-installer. This installer, however, just " "downloads and installs it in the system.

." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:392 msgid "" "For more information on how to set up a virus detection system read Dave " "Jones' article ." msgstr "" #. type: #: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:394 msgid "GPG agent" msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:400 msgid "" "It is very common nowadays to digitally sign (and sometimes encrypt) " "e-mail. You might, for example, find that many people participating on " "mailing lists sign their list e-mail. Public key signatures are currently " "the only means to verify that an e-mail was sent by the sender and not by " "some other person." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:404 msgid "" "Debian GNU/Linux provides a number of e-mail clients with built-in e-mail " "signing capabilities that interoperate either with gnupg " "or pgp:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:406 msgid "evolution." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:407 msgid "mutt." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:408 msgid "kmail." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:413 msgid "" "icedove (rebranded version of Mozilla's Thunderbird) " "through the " "plugin. This plugin is provided by the enigmail package." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:417 msgid "" "sylpheed. Depending on how the stable version of this " "package evolves, you may need to use the bleeding edge version, " "sylpheed-claws." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:421 msgid "" "gnus, which when installed with the " "mailcrypt package, is an emacs interface to " "gnupg." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:425 msgid "" "kuvert, which provides this functionality independently " "of your chosen mail user agent (MUA) by interacting with the mail transport " "agent (MTA)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:439 msgid "" "Key servers allow you to download published public keys so that you may " "verify signatures. One such key server is . gnupg can automatically " "fetch public keys that are not already in your public keyring. For example, " "to configure gnupg to use the above key server, edit the file " "~/.gnupg/options and add the following line:

For " "more examples of how to configure gnupg check " "/usr/share/doc/mutt/examples/gpg.rc.

" msgstr "" #. type: #: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:441 #, no-wrap msgid "keyserver wwwkeys.pgp.net" msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:450 msgid "" "Most key servers are linked, so that when your public key is added to one " "server, the addition is propagated to all the other public key " "servers. There is also a Debian GNU/Linux package " "debian-keyring, that provides all the public keys of the " "Debian developers. The gnupg keyrings are installed in " "/usr/share/keyrings/." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:452 msgid "For more information:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:456 msgid "." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:459 msgid "" "." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:463 msgid "" "." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:466 msgid "" "." msgstr "" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:469 msgid "" "." msgstr "" #. type: #: securing-debian-howto.en.sgml:57 en/developer.sgml:8 msgid "Developer's Best Practices for OS Security" msgstr "" #. type:

#: securing-debian-howto.en.sgml:57 en/developer.sgml:15 msgid "" "This chapter introduces some best secure coding practices for developers " "writing Debian packages. If you are really interested in secure coding I " "recommend you read David Wheeler's and by Mark G. Graff and " "Kenneth R. van Wyk (O'Reilly, 2003)." msgstr "" #. type: #: securing-debian-howto.en.sgml:57 en/developer.sgml:16 msgid "Best practices for security review and design" msgstr "" #. type:

#: securing-debian-howto.en.sgml:57 en/developer.sgml:20 msgid "" "Developers that are packaging software should make a best effort to ensure " "that the installation of the software, or its use, does not introduce " "security risks to either the system it is installed on or its users." msgstr "" #. type:

#: securing-debian-howto.en.sgml:57 en/developer.sgml:34 msgid "" "In order to do so, they should do their best to review the source code of " "the package and detect any flaws that might introduce security bugs before " "releasing the software or distributing a new version. It is acknowledged " "that the cost of fixing bugs grows across the different stages of development, " "so it is easier (and cheaper) to fix bugs when designing than when the " "software has been deployed and is in maintenance mode (some studies say that " "the cost in this latter phase is sixty times " "higher). Although there are some tools that try to automatically detect " "these flaws, developers should strive to learn about the different kinds of " "security flaws in order to understand them and be able to spot them in the " "code they (or others) have written." msgstr "" #. type:

#: securing-debian-howto.en.sgml:57 en/developer.sgml:52 msgid "" "The programming bugs which lead to security bugs typically include: , format string overflows, heap overflows and integer overflows " "(in C/C++ programs), temporary (in scripts), and command injection (in servers) and , and (in the case of web-oriented applications). For " "a more complete information on security bugs review Fortify's ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:57 en/developer.sgml:62 msgid "" "Some of these issues might not be easy to spot unless you are an expert in " "the programming language the software uses, but some security problems are " "easy to detect and fix. For example, finding temporary race conditions due " "to misuse of temporary directories can easily be done just by running " "grep -r \"/tmp/\" .. Those calls can be reviewed and the " "hardcoded filenames in temporary directories replaced with calls to either " "mktemp or tempfile in shell scripts, in Perl scripts, or in C/C++." msgstr "" #. type:

#: securing-debian-howto.en.sgml:57 en/developer.sgml:70 msgid "" "There are a set of tools available to assist in the security code review " "phase. These include rats, flawfinder " "and pscan. For more information, read the ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:57 en/developer.sgml:73 msgid "" "When packaging software developers have to make sure that they follow common " "security principles, including:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:57 en/developer.sgml:77 msgid "The software runs with the minimum privileges it needs:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:57 en/developer.sgml:86 msgid "" "The package does not install binaries setuid or setgid. Lintian " "will warn of , " " and binaries." msgstr "" #. type:

#: securing-debian-howto.en.sgml:57 en/developer.sgml:89 msgid "" "The daemons the package provides run as a low-privilege user (see )" msgstr "" #. type:

#: securing-debian-howto.en.sgml:57 en/developer.sgml:95 msgid "" "Programmed (i.e., cron) tasks running in the system do NOT run " "as root or, if they do, do not implement complex tasks." msgstr "" #. type:

#: securing-debian-howto.en.sgml:57 en/developer.sgml:105 msgid "" "If you have to do any of the above make sure the programs that might run " "with higher privileges have been audited for security bugs. If you are " "unsure, or need help, contact the . In the case of setuid/setgid binaries, follow the Debian policy " "section regarding " msgstr "" #. type:

#: securing-debian-howto.en.sgml:57 en/developer.sgml:113 msgid "" "For more information, specific to secure programming, make sure you read (or " "point your upstream to) and the portal." msgstr "" #. type: #: securing-debian-howto.en.sgml:57 en/developer.sgml:121 msgid "Creating users and groups for software daemons" msgstr "" #. type:

#: securing-debian-howto.en.sgml:57 en/developer.sgml:128 msgid "" "If your software runs a daemon that does not need root privileges, you need " "to create a user for it. There are two kind of Debian users that can be used " "by packages: static uids (assigned by base-passwd, for a " "list of static users in Debian see ) and dynamic " "uids in the range assigned to system users." msgstr "" #. type:

#: securing-debian-howto.en.sgml:57 en/developer.sgml:133 msgid "" "In the first case, you need to ask for a user or group id to the " "base-passwd. Once the user is available there the package " "needs to be distributed including a proper versioned depends to the " "base-passwd package." msgstr "" #. type:

#: securing-debian-howto.en.sgml:57 en/developer.sgml:137 msgid "" "In the second case, you need to create the system user either in the " "preinst or in the postinst and make the package depend on " "adduser (>= 3.11)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:57 en/developer.sgml:140 msgid "" "The following example code creates the user and group the daemon will run as " "when the package is installed or upgraded:" msgstr "" #. type: #: securing-debian-howto.en.sgml:57 en/developer.sgml:203 #, no-wrap msgid "" "[...]\n" "case \"$1\" in\n" " install|upgrade)\n" "\n" " # If the package has default file it could be sourced, so that\n" " # the local admin can overwrite the defaults\n" "\n" " [ -f \"/etc/default/packagename\" ] && " ". /etc/default/packagename\n" "\n" " # Sane defaults:\n" "\n" " [ -z \"$SERVER_HOME\" ] && SERVER_HOME=server_dir\n" " [ -z \"$SERVER_USER\" ] && SERVER_USER=server_user\n" " [ -z \"$SERVER_NAME\" ] && SERVER_NAME=\"Server description\"\n" " [ -z \"$SERVER_GROUP\" ] && SERVER_GROUP=server_group\n" "\n" " # Groups that the user will be added to, if undefined, then none.\n" " ADDGROUP=\"\"\n" "\n" " # create user to avoid running server as root\n" " # 1. create group if not existing\n" " if ! getent group | grep -q \"^$SERVER_GROUP:\" ; then\n" " echo -n \"Adding group $SERVER_GROUP..\"\n" " addgroup --quiet --system $SERVER_GROUP 2>/dev/null ||true\n" " echo \"..done\"\n" " fi\n" " # 2. create homedir if not existing\n" " test -d $SERVER_HOME || mkdir $SERVER_HOME\n" " # 3. create user if not existing\n" " if ! getent passwd | grep -q \"^$SERVER_USER:\"; then\n" " echo -n \"Adding system user $SERVER_USER..\"\n" " adduser --quiet \\\n" " --system \\\n" " --ingroup $SERVER_GROUP \\\n" " --no-create-home \\\n" " --disabled-password \\\n" " $SERVER_USER 2>/dev/null || true\n" " echo \"..done\"\n" " fi\n" " # 4. adjust passwd entry\n" " usermod -c \"$SERVER_NAME\" \\\n" " -d $SERVER_HOME \\\n" " -g $SERVER_GROUP \\\n" " $SERVER_USER\n" " # 5. adjust file and directory permissions\n" " if ! dpkg-statoverride --list $SERVER_HOME >/dev/null\n" " then\n" " chown -R $SERVER_USER:adm $SERVER_HOME\n" " chmod u=rwx,g=rxs,o= $SERVER_HOME\n" " fi\n" " # 6. 
Add the user to the ADDGROUP group\n" " if test -n $ADDGROUP\n" " then\n" " if ! groups $SERVER_USER | cut -d: -f2 | \\\n" " grep -qw $ADDGROUP; then\n" " adduser $SERVER_USER $ADDGROUP\n" " fi\n" " fi\n" " ;;\n" " configure)\n" "\n" "[...]" msgstr "" #. type:

#: securing-debian-howto.en.sgml:57 en/developer.sgml:207 msgid "You have to make sure that the init.d script file:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:57 en/developer.sgml:213 msgid "" "Starts the daemon dropping privileges: if the software does not do the " " or call itself, you can use the --chuid call of " "start-stop-daemon." msgstr "" #. type:

#: securing-debian-howto.en.sgml:57 en/developer.sgml:217 msgid "" "Stops the daemon only if the user id matches, you can use the " "start-stop-daemon --user option for this." msgstr "" #. type:

#: securing-debian-howto.en.sgml:57 en/developer.sgml:218 msgid "Does not run if either the user or the group do not exist:" msgstr "" #. type: #: securing-debian-howto.en.sgml:57 en/developer.sgml:227 #, no-wrap msgid "" " if ! getent passwd | grep -q \"^server_user:\"; then\n" " echo \"Server user does not exist. Aborting\" >&2\n" " exit 1\n" " fi\n" " if ! getent group | grep -q \"^server_group:\" ; then\n" " echo \"Server group does not exist. Aborting\" >&2\n" " exit 1\n" " fi" msgstr "" #. type:

#: securing-debian-howto.en.sgml:57 en/developer.sgml:243 msgid "" "If the package creates the system user it can remove it when it is purged in " "its postrm. This has some drawbacks, however. For example, files " "created by it will be orphaned and might be taken over by a new system user " "in the future if it is assigned the same uid

Some relevant " "threads discussing these drawbacks include and " "

. " "Consequently, removing system users on purge is not yet mandatory and " "depends on the package needs. If unsure, this action could be handled by " "asking the administrator for the preferred action when the package is " "installed (i.e. through debconf)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:57 en/developer.sgml:251 msgid "" "The following example code

This might eventually be introduced " "as a dh_adduser in debhelper. See , and .

" "removes the user and groups created before only, and only if, the uid is in " "the range of dynamically assigned system uids and the gid belongs to a system " "group:" msgstr "" #. type: #: securing-debian-howto.en.sgml:57 en/developer.sgml:297 #, no-wrap msgid "" "case \"$1\" in\n" " purge)\n" "[...]\n" " # find first and last SYSTEM_UID numbers\n" " for LINE in `grep SYSTEM_UID /etc/adduser.conf | grep -v \"^#\"`; do\n" " case $LINE in\n" " FIRST_SYSTEM_UID*)\n" " FIRST_SYSTEM_UID=`echo $LINE | cut -f2 -d '='`\n" " ;;\n" " LAST_SYSTEM_UID*)\n" " LAST_SYSTEM_UID=`echo $LINE | cut -f2 -d '='`\n" " ;;\n" " *)\n" " ;;\n" " esac\n" " done\n" " # Remove system account if necessary\n" " CREATEDUSER=\"server_user\"\n" " if [ -n \"$FIRST_SYSTEM_UID\" ] && [ -n \"$LAST_SYSTEM_UID\" ]; then\n" " if USERID=`getent passwd $CREATEDUSER | cut -f 3 -d ':'`; then\n" " if [ -n \"$USERID\" ]; then\n" " if [ \"$FIRST_SYSTEM_UID\" -le \"$USERID\" ] && \\\n" " [ \"$USERID\" -le \"$LAST_SYSTEM_UID\" ]; then\n" " echo -n \"Removing $CREATEDUSER system user..\"\n" " deluser --quiet $CREATEDUSER || true\n" " echo \"..done\"\n" " fi\n" " fi\n" " fi\n" " fi\n" " # Remove system group if necessary\n" " CREATEDGROUP=server_group\n" " FIRST_USER_GID=`grep ^USERS_GID /etc/adduser.conf | cut -f2 -d '='`\n" " if [ -n \"$FIRST_USER_GID\" ]; then\n" " if GROUPGID=`getent group $CREATEDGROUP | cut -f 3 -d ':'`; then\n" " if [ -n \"$GROUPGID\" ]; then\n" " if [ \"$FIRST_USER_GID\" -gt \"$GROUPGID\" ]; then\n" " echo -n \"Removing $CREATEDGROUP group..\"\n" " delgroup --only-if-empty $CREATEDGROUP || true\n" " echo \"..done\"\n" " fi\n" " fi\n" " fi\n" " fi\n" "[...]" msgstr "" #. type:

#: securing-debian-howto.en.sgml:57 en/developer.sgml:309 msgid "" "Running programs with a user with limited privileges makes sure that any " "security issue will not be able to damage the full system. It also follows " "the principle of least privilege. Also consider you can limit " "privileges in programs through other mechanisms besides running as " "non-root

You can even provide a SELinux policy for " "it

. For more information, read the chapter of the Secure Programming for " "Linux and Unix HOWTO book." msgstr "" #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:5 msgid "Before the compromise" msgstr "" #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:7 msgid "Keep your system secure" msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:18 msgid "" "You should strive to keep your system secure by monitoring its usage and " "also the vulnerabilities that might affect it, patching them as soon as " "patches are available. Even though you might have installed a really secure " "system initially you have to remember that security in a system degrades " "with time, security vulnerabilities might be found for exposed system " "services and users might expose the system security either because of lack " "of understanding (e.g. accessing a system remotely with a clear-text " "protocol or using easy to guess passwords) or because they are actively " "trying to subvert the system's security (e.g. install additional services " "locally on their accounts)." msgstr "" #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:20 msgid "Tracking security vulnerabilities" msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:30 msgid "" "Although most administrators are aware of security vulnerabilities affecting " "their systems when they see a patch that is made available you can strive to " "keep ahead of attacks and introduce temporary countermeasures for security " "vulnerabilities by detecting when your system is vulnerable. This is " "specially true when running an exposed system (i.e. connected to the " "Internet) and providing a service. In such case the system's administrators " "should take care to monitor known information sources to be the first to " "know when a vulnerability is detected that might affect a critical service." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:38 msgid "" "This typically includes subscribing to the announcement mailing lists, " "project websites or bug tracking systems provided by the software developers " "for a specific piece of code. For example, Apache users should regularly " "review Apache's and subscribe to the mailing list." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:54 msgid "" "In order to track known vulnerabilities affecting the Debian distribution, " "the Debian Testing Security Team provides a that " "lists all the known vulnerabilities which have not been yet fixed in Debian " "packages. The information in that tracker is obtained through different " "public channels and includes known vulnerabilities which are available " "either through security vulnerability databases or . Administrators can search for the known security issues being " "tracked for , , , or ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:59 msgid "" "The tracker has searchable interfaces (by name and package name) and some tools (such as " "debsecan, see ) use that database to " "provide information of vulnerabilities affecting a given system which have " "not yet been addressed (i.e. those who are pending a fix)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:64 msgid "" "Conscious administrators can use that information to determine which security " "bugs might affect the system they are managing, determine the severity of " "the bug and apply (if available) temporary countermeasures before a patch is " "available fixing this issue." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:72 msgid "" "Security issues tracked for releases supported by the Debian Security Team " "should eventually be handled through Debian Security Advisories (DSA) and " "will be available for all users (see ). Once " "security issues are fixed through an advisory they will not be available in " "the tracker, but you will be able to search security vulnerabilities (by CVE " "name) using the available for published DSAs." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:80 msgid "" "Notice, however, that the information tracked by the Debian Testing Security " "Team only involves disclosed vulnerabilities (i.e. those already public). In " "some occasions the Debian Security Team might be handling and preparing DSAs " "for packages based on undisclosed information provided to them (for example, " "through closed vendor mailing lists or by upstream maintainers of " "software). So do not be surprised to find security issues that only show up " "as an advisory but never get to show up in the security tracker." msgstr "" #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:82 msgid "Continuously update the system" msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:90 msgid "" "You should conduct security updates frequently. The vast majority of " "exploits result from known vulnerabilities that have not been patched in " "time, as this (presented at the 2001 IEEE Symposium on " "Security and Privacy) explains. Updates are described under ." msgstr "" #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:92 msgid "Manually checking which security updates are available" msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:96 msgid "" "Debian does have a specific tool to check if a system needs to be updated " "but many users will just want to manually check if any security updates are " "available for their system." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:99 msgid "" "If you have configured your system as described in you just need to do:" msgstr "" #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:106 #, no-wrap msgid "" "# apt-get update\n" "# apt-get upgrade -s\n" "[ ... review packages to be upgraded ... ]\n" "# apt-get upgrade \n" "# checkrestart\n" "[ ... restart services that need to be restarted ... ]" msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:112 msgid "" "And restart those services whose libraries have been updated if any. Note: " "Read for more information on library (and " "kernel) upgrades." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:118 msgid "" "The first line will download the list of packages available from your " "configured package sources. The -s will do a simulation run, that " "is, it will not download or install the packages but rather tell " "you which ones should be downloaded/installed. From the output you can " "derive which packages have been fixed by Debian and are available as a " "security update. Sample:" msgstr "" #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:127 #, no-wrap msgid "" "# apt-get upgrade -s\n" "Reading Package Lists... Done\n" "Building Dependency Tree... Done\n" "2 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n" "Inst cvs (1.11.1p1debian-8.1 Debian-Security:3.0/stable)\n" "Inst libcupsys2 (1.1.14-4.4 Debian-Security:3.0/stable)\n" "Conf cvs (1.11.1p1debian-8.1 Debian-Security:3.0/stable)\n" "Conf libcupsys2 (1.1.14-4.4 Debian-Security:3.0/stable)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:140 msgid "" "In this example, you can see that the system needs to be updated with new " "cvs and cupsys packages which are " "being retrieved from woody's security update archive. If you want " "to understand why these packages are needed, you should go to and check which recent Debian Security " "Advisories have been published related to these packages. In this case, the " "related DSAs are (for cvs) and (for " "cupsys)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:143 msgid "" "Notice that you will need to reboot your system if there has been a kernel " "upgrade." msgstr "" #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:145 msgid "Checking for updates at the Desktop" msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:151 msgid "" "Since Debian 4.0 lenny Debian provides and installs in a default " "installation update-notifier. This is a GNOME application " "that will startup when you enter your Desktop and can be used to keep track " "of updates available for your system and install them. It uses " "update-manager for this." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:158 msgid "" "In a stable system updates are only available when a security patch is " "available or at point releases. Consequently, if the system is properly " "configured to receive security updates as described in and you have a cron task running to update the " "package information you will be notified through an icon in the desktop " "notification area." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:163 msgid "" "The notification is not intrusive and users are not forced to install " "updates. From the notification icon a desktop user (with the administrator's " "password) can access a simple GUI to show available updates and install " "them." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:169 msgid "" "This application works by checking the package database and comparing the " "system with its contents. If the package database is updated periodically " "through a cron task then the contents of the database will be " "newer than the packages installed in the system and the application will " "notify you." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:175 msgid "" "Apt installs such a task (/etc/cron.d/apt) which " "will run based on Apt's configuration (more specifically " "APT::Periodic). In the GNOME environment this configuration value " "can be adjusted by going to System > Admin > Software origins > " "Updates, or running /usr/bin/software-properties." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:179 msgid "" "If the system is set to download the packages list daily but not download " "the packages themselves your /etc/apt/apt.conf.d/10periodic " "should look like this:" msgstr "" #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:182 #, no-wrap msgid "" "APT::Periodic::Update-Package-Lists \"1\";\n" "APT::Periodic::Download-Upgradeable-Packages \"0\";" msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:188 msgid "" "You can use a different cron task, such as the one installed by " "cron-apt (see ). You can also just " "manually check for upgrades using this application." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:193 msgid "" "Users of the KDE desktop environment will probably prefer to install " "adept and adept-notifier instead which " "offers a similar functionality but is not part of the standard installation." msgstr "" #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:195 msgid "Automatically checking for updates with cron-apt" msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:202 msgid "" "Another method for automatic security updates is the use of " "cron-apt. This package provides a tool to update the " "system at regular intervals (using a cron job), and can also be configured " "to send mails to the system administrator using the local mail transport " "agent. It will just update the package list and download new packages by " "default but it can be configured to automatically install new updates." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:208 msgid "" "Notice that you might want to check the distribution release, as described " "in , if you intend to automatically update your " "system (even if only downloading the packages). Otherwise, you cannot be " "sure that the downloaded packages really come from a trusted source." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:212 msgid "" "More information is available at the ." msgstr "" #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:214 msgid "Automatically checking for security issues with debsecan" msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:223 msgid "" "The debsecan program evaluates the security status of by " "reporting both missing security updates and security vulnerabilities. Unlike " "cron-apt, which only provides information on " "available security updates, this tool obtains information from the " "security vulnerability database maintained by the Debian Security Team, which " "also includes information on vulnerabilities that are not yet fixed through " "a security update. Consequently, it is more efficient at helping " "administrators track security vulnerabilities (as described in )." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:233 msgid "" "Upon installing the Debian package debsecan, and if the " "administrator consents to it, it will generate a cron task that will make it " "run and send the output to a specific user whenever it finds a vulnerable " "package. It will also download the information from the Internet. The " "location of the security database is also one of the questions asked on " "installation and is later defined in /etc/default/debsecan; it " "can be easily adjusted for systems that do not have Internet access so that " "they all pull from a local mirror, giving a single point of " "access to the vulnerability database." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:240 msgid "" "Notice, however, that the Security Team tracks many vulnerabilities " "including low-risk issues which might not be fixed through a security update " "and some vulnerabilities initially reported as affecting Debian might, later " "on, upon investigation, be dismissed. Debsecan will report on " "all the vulnerabilities, which makes it quite a bit more verbose than the other " "tools described above." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:245 msgid "" "More information is available at the ." msgstr "" #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:247 msgid "Other methods for security updates" msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:254 msgid "" "There is also the apticron, which, similarly to " "cron-apt will check for updates and send mails to the " "administrator. More information on apticron is available at the ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:263 msgid "" "You might also want to take a look at which is an " "unofficial program to do security updates from security.debian.org with " "signature checking written by Fruhwirth Clemens. Or to the Nagios Plugin " " written by Dean Wilson." msgstr "" #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:265 msgid "Avoid using the unstable branch" msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:271 msgid "" "Unless you want to dedicate time to patch packages yourself when a " "vulnerability arises, you should not use Debian's unstable branch " "for production-level systems. The main reason for this is that there are no " "security updates for unstable (see )." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:277 msgid "" "The fact is that some security issues might appear in unstable and " "not in the stable distribution. This is due to new " "functionality constantly being added to the applications provided there, as " "well as new applications being included which might not yet have been " "thoroughly tested." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:284 msgid "" "In order to do security upgrades in the unstable branch, you might " "have to do full upgrades to new versions (which might update much more than " "just the affected package). Although there have been some exceptions, " "security patches are usually only back ported into the stable " "branch. The main idea being that between updates, no new code " "should be added, just fixes for important issues." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:288 msgid "" "Notice, however, that you can use the security tracker (as described in ) to track known security vulnerabilities affecting this " "branch." msgstr "" #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:290 msgid "Security support for the testing branch" msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:294 msgid "" "If you are using the testing branch, there are some issues that you " "must take into account regarding the availability of security updates:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:307 msgid "" "When a security fix is prepared, the Security Team backports the patch to " "stable (since stable is usually some minor or major versions " "behind). Package maintainers are responsible for preparing packages for the " "unstable branch, usually based on a new upstream release. Sometimes " "the changes happen at nearly the same time and sometimes one of the releases " "gets the security fix before. Packages for the stable distribution " "are more thoroughly tested than unstable, since the latter will in " "most cases provide the latest upstream release (which might include new, " "unknown bugs)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:312 msgid "" "Security updates are available for the unstable branch usually when " "the package maintainer makes a new package and for the stable " "branch when the Security Team make a new upload and publish a DSA. Notice " "that neither of these change the testing branch." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:320 msgid "" "If no (new) bugs are detected in the unstable version of the " "package, it moves to testing after several days. The time this " "takes is usually ten days, although that depends on the upload priority of " "the change and whether the package is blocked from entering testing " "by its dependency relationships. Note that if the package is blocked from " "entering testing the upload priority will not change the time it takes to " "enter." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:326 msgid "" "This behavior might change based on the release state of the " "distribution. When a release is almost imminent, the Security Team or " "package maintainers might provide updates directly to testing." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:332 msgid "" "Additionally, the can issue Debian Testing Security " "Advisories (DTSAs) for packages in the testing branch if there is " "an immediate need to fix a security issue in that branch and it cannot wait for " "the normal procedure (or the normal procedure is being blocked by some other " "packages)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:336 msgid "" "Users willing to take advantage of this support should add the following " "lines to their /etc/apt/sources.list (instead of the lines " "described in ):" msgstr "" #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:340 #, no-wrap msgid "" " deb http://security.debian.org testing/updates main contrib non-free\n" "# This line makes it possible to download source packages too\n" " deb-src http://security.debian.org testing/updates main contrib " "non-free" msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:345 msgid "" "For additional information on this support please read the . This support officially started in in a separate repository and was later integrated " "into the main security archive." msgstr "" #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:349 msgid "Automatic updates in a Debian GNU/Linux system" msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:353 msgid "" "First of all, automatic updates are not fully recommended, since " "administrators should review the DSAs and understand the impact of any given " "security update." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:355 msgid "If you want to update your system automatically you should:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:362 msgid "" "Configure apt so that those packages that you do not want to " "update stay at their current version, either with apt's " "pinning feature or marking them as hold with " "dpkg or dselect." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:366 msgid "" "To pin the packages under a given release, you must edit " "/etc/apt/preferences (see ) and add:" msgstr "" #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:370 #, no-wrap msgid "" " Package: *\n" " Pin: release a=stable\n" " Pin-Priority: 100" msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:373 msgid "FIXME: verify if this configuration is OK." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:377 msgid "" "Either use cron-apt as described in " "and enable it to install downloaded packages or add a cron " "entry yourself so that the update is run daily, for example:" msgstr "" #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:379 #, no-wrap msgid " apt-get update && apt-get -y upgrade" msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:390 msgid "" "The -y option will have apt assume 'yes' for all the " "prompts that might arise during the update. In some cases, you might want to " "use the --trivial-only option instead of the --assume-yes " "(equivalent to -y).

You may also want to use the " "--quiet (-q) option to reduce the output of " "apt-get, which will stop the generation of any output if no " "packages are installed.

" msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:395 msgid "" "Configure debconf so no questions will be asked during " "upgrades, so that they can be done non-interactively.

Note that " "some packages might not use debconf and updates will " "stall due to packages asking for user input during " "configuration.

" msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:399 msgid "" "Check the results of the cron execution, which will be mailed " "to the superuser (unless changed with MAILTO environment variable " "in the script)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:406 msgid "" "A safer alternative might be to use the -d (or " "--download-only) option, which will download but not install the " "necessary packages. Then if the cron execution shows that the " "system needs to be updated, it can be done manually." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:410 msgid "" "In order to accomplish any of these tasks, the system must be properly " "configured to download security updates as discussed in ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:419 msgid "" "However, this is not recommended for unstable without careful " "analysis, since you might bring your system into an unusable state if some " "serious bug creeps into an important package and gets installed in your " "system. Testing is slightly more secure with regard to " "this issue, since serious bugs have a better chance of being detected before " "the package is moved into the testing branch (although, you may have " "no security updates available whatsoever)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:430 msgid "" "If you have a mixed distribution, that is, a stable installation " "with some packages updated to testing or unstable, you can " "fiddle with the pinning preferences as well as the --target-release " "option in apt-get to update only those packages that " "you have updated.

This is a common issue since many users want " "to maintain a stable system while updating some packages to " "unstable to gain the latest functionality. This need arises due to " "some projects evolving faster than the time between Debian's stable " "releases.

" msgstr "" #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:432 msgid "Do periodic integrity checks" msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:438 msgid "" "Based on the baseline information you generated after installation (i.e. the " "snapshot described in ), you should be able to do an " "integrity check from time to time. An integrity check will be able to detect " "filesystem modifications made by an intruder or due to a system " "administrator's mistake." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:450 msgid "" "Integrity checks should be, if possible, done offline.

An easy " "way to do this is using a Live CD, such as which includes both " "the file integrity tools and the integrity database for your " "system.

That is, without using the operating system of the " "system to review, in order to avoid a false sense of security (i.e. false " "negatives) produced by, for example, installed rootkits. The integrity " "database that the system is checked against should also be used from " "read-only media." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:457 msgid "" "You can consider doing integrity checks online using any of the filesystem " "integrity tools available (described in ) if taking " "offline the system is not an option. However, precaution should be taken to " "use a read-only integrity database and also assure that the integrity " "checking tool (and the operating system kernel) has not been tampered with." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:465 msgid "" "Some of the tools mentioned in the integrity tools section, such as " "aide, integrit or samhain are already " "prepared to do periodic reviews (through the crontab in the first two cases " "and through a standalone daemon in samhain) and can warn the " "administrator through different channels (usually e-mail, but " "samhain can also send pages, SNMP traps or syslog alerts) when " "the filesystem changes." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:469 msgid "" "Of course, if you execute a security update of the system, the snapshot " "taken for the system should be re-taken to accommodate the changes done by " "the security update." msgstr "" #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:472 msgid "Set up Intrusion Detection" msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:479 msgid "" "Debian GNU/Linux includes tools for intrusion detection, which is the " "practice of detecting inappropriate or malicious activity on your local " "system, or other systems in your private network. This kind of defense is " "important if the system is very critical or you are truly paranoid. The most " "common approaches to intrusion detection are statistical anomaly detection " "and pattern-matching detection." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:484 msgid "" "Always be aware that in order to really improve the system's security with " "the introduction of any of these tools, you need to have an alert+response " "mechanism in place. Intrusion detection is a waste of time if you are not " "going to alert anyone." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:494 msgid "" "When a particular attack has been detected, most intrusion detection tools " "will either log the event with syslogd or send e-mail to the " "root user (the mail recipient is usually configurable). An administrator has " "to properly configure the tools so that false positives do not trigger " "alerts. Alerts may also indicate an ongoing attack and might not be useful, " "say, one day later, since the attack might have already succeeded. So be " "sure that there is a proper policy on handling alerts and that the technical " "mechanisms to implement this policy are in place." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:498 msgid "" "An interesting source of information is " msgstr "" #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:500 msgid "Network based intrusion detection" msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:505 msgid "" "Network based intrusion detection tools monitor the traffic on a network " "segment and use this information as a data source. Specifically, the packets " "on the network are examined, and they are checked to see if they match a " "certain signature." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:516 msgid "" "snort is a flexible packet sniffer or logger that detects " "attacks using an attack signature dictionary. It detects a variety of " "attacks and probes, such as buffer overflows, stealth port scans, CGI " "attacks, SMB probes, and much more. snort also has real-time " "alerting capability. You can use snort for a range of hosts on " "your network as well as for your own host. This is a tool which should be " "installed on every router to keep an eye on your network. Just install it " "with apt-get install snort, follow the questions, and watch it " "log. For a little broader security framework, see ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:521 msgid "" "Debian's snort package has many security checks enabled " "by default. However, you should customize the setup to take into account the " "particular services you run on your system. You may also want to seek " "additional checks specific to these services." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:528 msgid "" "There are other, simpler tools that can be used to detect network " "attacks. portsentry is an interesting package that can " "tip you off to port scans against your hosts. Other tools like " "ippl or iplogger will also detect some " "IP (TCP and ICMP) attacks, even if they do not provide the kind of advanced " "techniques snort does." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:532 msgid "" "You can test any of these tools with the Debian package " "idswakeup, a shell script which generates false alarms, " "and includes many common attack signatures." msgstr "" #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:534 msgid "Host based intrusion detection" msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:540 msgid "" "Host based intrusion detection involves loading software on the system to be " "monitored which uses log files and/or the systems auditing programs as a " "data source. It looks for suspicious processes, monitors host access, and " "may even monitor changes to critical system files." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:551 msgid "" "tiger is an older intrusion detection tool which has been " "ported to Debian since the Woody branch. tiger provides checks " "of common issues related to security break-ins, like password strength, file " "system problems, communicating processes, and other ways root might be " "compromised. This package includes new Debian-specific security checks " "including: MD5sums checks of installed files, locations of files not " "belonging to packages, and analysis of local listening processes. The " "default installation sets up tiger to run each day, generating " "a report that is sent to the superuser about possible compromises of the " "system." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:554 msgid "" "Log analysis tools, such as logcheck can also be used to " "detect intrusion attempts. See ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:561 msgid "" "In addition, packages which monitor file system integrity (see ) can be quite useful in detecting anomalies in a secured " "environment. It is most likely that an effective intrusion will modify some " "files in the local file system in order to circumvent local security policy, " "install Trojans, or create users. Such events can be detected with file " "system integrity checkers." msgstr "" #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:563 msgid "Avoiding root-kits" msgstr "" #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:565 msgid "Loadable Kernel Modules (LKM)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:573 msgid "" "Loadable kernel modules are files containing dynamically loadable kernel " "components used to expand the functionality of the kernel. The main benefit " "of using modules is the ability to add additional devices, like an Ethernet " "or sound card, without patching the kernel source and recompiling the entire " "kernel. However, crackers are now using LKMs for root-kits (knark and " "adore), opening up back doors in GNU/Linux systems." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:581 msgid "" "LKM back doors are more sophisticated and less detectable than traditional " "root-kits. They can hide processes, files, directories and even connections " "without modifying the source code of binaries. For example, a malicious LKM " "can force the kernel into hiding specific processes from " "procfs, so that even a known good copy of the binary " "ps would not list accurate information about the current " "processes on the system." msgstr "" #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:583 msgid "Detecting root-kits" msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:588 msgid "" "There are two approaches to defending your system against LKM root-kits, a " "proactive defense and a reactive defense. The detection work can be simple " "and painless, or difficult and tiring, depending on the approach taken." msgstr "" #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:590 msgid "Proactive defense" msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:600 msgid "" "The advantage of this kind of defense is that it prevents damage to the " "system in the first place. One such strategy is getting there " "first, that is, loading an LKM designed to protect the system from " "other malicious LKMs. A second strategy is to remove capabilities from the " "kernel itself. For example, you can remove the capability of loadable kernel " "modules entirely. Note, however, that there are rootkits which might work " "even in this case; there are some that tamper with /dev/kmem " "(kernel memory) directly to make themselves undetectable." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:603 msgid "" "Debian GNU/Linux has a few packages that can be used to mount a proactive " "defense:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:653 msgid "" "lcap - A user friendly interface to remove " "capabilities (kernel-based access control) in the kernel, making " "the system more secure. For example, executing lcap CAP_SYS_MODULE " "

There are over 28 capabilities including: CAP_BSET, " "CAP_CHOWN, CAP_FOWNER, CAP_FSETID, " "CAP_FS_MASK, CAP_FULL_SET, CAP_INIT_EFF_SET, " "CAP_INIT_INH_SET, CAP_IPC_LOCK, CAP_IPC_OWNER, " "CAP_KILL, CAP_LEASE, CAP_LINUX_IMMUTABLE, " "CAP_MKNOD, CAP_NET_ADMIN, CAP_NET_BIND_SERVICE, " "CAP_NET_RAW, CAP_SETGID, CAP_SETPCAP, " "CAP_SETUID, CAP_SYS_ADMIN, CAP_SYS_BOOT, " "CAP_SYS_CHROOT, CAP_SYS_MODULE, CAP_SYS_NICE, " "CAP_SYS_PACCT, CAP_SYS_PTRACE, CAP_SYS_RAWIO, " "CAP_SYS_RESOURCE, CAP_SYS_TIME, and " "CAP_SYS_TTY_CONFIG. All of them can be de-activated to harden your " "kernel.

will remove module loading capabilities (even for the " "root user).

You don't need to install lcap to " "do this, but it's easier than setting " "/proc/sys/kernel/cap-bound by hand.

There is " "some (old) information on capabilities at Jon Corbet's " "section on LWN (dated December 1999)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:664 msgid "" "If you don't really need many kernel features on your GNU/Linux system, you " "may want to disable loadable modules support during kernel configuration. To " "disable loadable module support, just set CONFIG_MODULES=n during the " "configuration stage of building your kernel, or in the .config " "file. This will prevent LKM root-kits, but you lose this powerful feature of " "the Linux kernel. Also, disabling loadable modules can sometimes overload " "the kernel, making loadable support necessary." msgstr "" #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:666 msgid "Reactive defense" msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:672 msgid "" "The advantage of a reactive defense is that it does not overload system " "resources. It works by comparing the system call table with a known clean " "copy in a disk file, System.map. Of course, a reactive defense " "will only notify the system administrator after the system has already been " "compromised." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:677 msgid "" "Detection of some root-kits in Debian can be accomplished with the " "chkrootkit package. The program checks for " "signs of several known root-kits on the target system, but is not a " "definitive test." msgstr "" #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:679 msgid "Genius/Paranoia Ideas — what you could do" msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:684 msgid "" "This is probably the most unstable and funny section, since I hope that some " "of the \"duh, that sounds crazy\" ideas might be realized. The following are " "just some ideas for increasing security — maybe genius, paranoid, " "crazy or inspired depending on your point of view." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:692 msgid "" "Playing around with Pluggable Authentication Modules (PAM). As quoted in the " "Phrack 56 PAM article, the nice thing about PAM is that \"You are limited " "only by what you can think of.\" It is true. Imagine root login only being " "possible with fingerprint or eye scan or cryptocard (why did I use an OR " "conjunction instead of AND?)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:698 msgid "" "Fascist Logging. I would refer to all the previous logging discussion above " "as \"soft logging\". If you want to perform real logging, get a printer with " "fanfold paper, and send all logs to it. Sounds funny, but it's reliable and " "it cannot be tampered with or removed." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:707 msgid "" "CD distribution. This idea is very easy to realize and offers pretty good " "security. Create a hardened Debian distribution, with proper firewall " "rules. Turn it into a boot-able ISO image, and burn it on a CDROM. Now you " "have a read-only distribution, with about 600 MB space for services. Just " "make sure all data that should get written is done over the network. It is " "impossible for intruders to get read/write access on this system, and any " "changes an intruder does make can be disabled with a reboot of the system." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:712 msgid "" "Switch module capability off. As discussed earlier, when you disable the " "usage of kernel modules at kernel compile time, many kernel based back doors " "are impossible to implement because most are based on installing modified " "kernel modules." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:725 msgid "" "Logging through serial cable (contributed by Gaby Schilders). As long as " "servers still have serial ports, imagine having one dedicated logging system " "for a number of servers. The logging system is disconnected from the " "network, and connected to the servers via a serial-port multiplexer " "(Cyclades or the like). Now have all your servers log to their serial ports, " "write only. The log-machine only accepts plain text as input on its serial " "ports and only writes to a log file. Connect a CD/DVD-writer, and transfer " "the log file to it when the log file reaches the capacity of the media. Now " "if only they would make CD writers with auto-changers... Not as hard copy as " "direct logging to a printer, but this method can handle larger volumes and " "CD-ROMs use less storage space." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:736 msgid "" "Change file attributes using chattr (taken from the Tips-HOWTO, " "written by Jim Dennis). After a clean install and initial configuration, use " "the chattr program with the +i attribute to make files " "unmodifiable (the file cannot be deleted, renamed, linked or written " "to). Consider setting this attribute on all the files in /bin, " "/sbin/, /usr/bin, /usr/sbin, " "/usr/lib and the kernel files in root. You can also make a copy " "of all files in /etc/, using tar or the like, and " "mark the archive as immutable." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:742 msgid "" "This strategy will help limit the damage that you can do when logged in as " "root. You won't overwrite files with a stray redirection operator, and you " "won't make the system unusable with a stray space in a rm -fr " "command (you might still do plenty of damage to your data — but your " "libraries and binaries will be safer)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:747 msgid "" "This strategy also makes a variety of security and denial of service (DoS) " "exploits either impossible or more difficult (since many of them rely on " "overwriting a file through the actions of some SETUID program that isn't " "providing an arbitrary shell command)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:757 msgid "" "One inconvenience of this strategy arises during building and installing " "various system binaries. On the other hand, it prevents the make " "install from over-writing the files. When you forget to read the " "Makefile and chattr -i the files that are to be overwritten, " "(and the directories to which you want to add files) ‐ the make command " "fails, and you just use the chattr command and rerun it. You " "can also take that opportunity to move your old bin's and libs out of the " "way, into a .old/ directory or tar archive for example." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:763 msgid "" "Note that this strategy also prevents you from upgrading your system's " "packages, since the files updated packages provide cannot be " "overwritten. You might want to have a script or other mechanism to disable " "the immutable flag on all binaries right before doing an apt-get " "update." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:768 msgid "" "Play with UTP cabling in a way that you cut 2 or 4 wires and make the cable " "one-way traffic only. Then use UDP packets to send information to the " "destination machine which can act as a secure log server or a credit card " "storage system." msgstr "" #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:772 msgid "Building a honeypot" msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:779 msgid "" "A honeypot is a system designed to teach system administrators how crackers " "probe for and exploit a system. It is a system setup with the expectation " "and goal that the system will be probed, attacked and potentially " "exploited. By learning the tools and methods employed by the cracker, a " "system administrator can learn to better protect their own systems and " "network." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:791 msgid "" "Debian GNU/Linux systems can easily be used to set up a honeynet, if you " "dedicate the time to implement and monitor it. You can easily set up the fake " "honeypot server as well as the firewall

You will typically use a " "bridge firewall so that the firewall itself is not detectable, see .

that controls the honeynet and some sort " "of network intrusion detector, put it on the Internet, and wait. Do take " "care that if the system is exploited, you are alerted in time (see ) so that you can take appropriate measures and terminate " "the compromise when you've seen enough. Here are some of the packages and " "issues to consider when setting up your honeypot:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:796 msgid "The firewall technology you will use (provided by the Linux kernel)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:799 msgid "" "syslog-ng, useful for sending logs from the honeypot to a " "remote syslog server." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:802 msgid "" "snort, to set up capture of all the incoming network " "traffic to the honeypot and detect the attacks." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:805 msgid "" "osh, a SETUID root, security enhanced, restricted shell " "with logging (see Lance Spitzner's article below)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:810 msgid "" "Of course, all the daemons you will be using for your fake server " "honeypot. Depending on what type of attacker you want to analyse you will or " "will not harden the honeypot and keep it up to date with security " "patches." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:813 msgid "" "Integrity checkers (see ) and The Coroner's Toolkit " "(tct) to do post-attack audits." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:818 msgid "" "honeyd and farpd to set up a honeypot " "that will listen to connections to unused IP addresses and forward them to " "scripts simulating live services. Also check out " "iisemulator." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:821 msgid "" "tinyhoneypot to set up a simple honeypot server with fake " "services." msgstr "" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:831 msgid "" "If you cannot use spare systems to build up the honeypots and the network " "systems to protect and control it you can use the virtualisation technology " "available in xen or uml (User-Mode-Linux). If you " "take this route you will need to patch your kernel with either " "kernel-patch-xen or kernel-patch-uml." msgstr "" #. type:

#: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:3 msgid "" "You can read more about building honeypots in Lance Spitzner's excellent " "article (from the Know your Enemy series). Also, the " " provides " "valuable information about building honeypots and auditing the attacks made " "on them." msgstr "" #. type: #: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:5 msgid "After the compromise (incident response)" msgstr "" #. type: #: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:7 msgid "General behavior" msgstr "" #. type:

#: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:14 msgid "" "If you are physically present when an attack is happening, your first " "response should be to remove the machine from the network by unplugging the " "network card (if this will not adversely affect any business " "transactions). Disabling the network at layer 1 is the only true way to keep " "the attacker out of the compromised box (Phillip Hofmeister's wise advice)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:35 msgid "" "However, some tools installed by rootkits, trojans and, even, a rogue user " "connected through a back door, might be capable of detecting this event and " "react to it. Seeing a rm -rf / executed when you unplug the network " "from the system is not really much fun. If you are unwilling to take the " "risk, and you are sure that the system is compromised, you should unplug " "the power cable (all of them if more than one) and cross your " "fingers. This may be extreme but, in fact, will avoid any logic-bomb that " "the intruder might have programmed. In this case, the compromised system " "should not be re-booted. Either the hard disks should be moved to " "another system for analysis, or you should use other media (a CD-ROM) to " "boot the system and analyze it. You should not use Debian's rescue " "disks to boot the system, but you can use the shell provided by the " "installation disks (remember, Alt+F2 will take you to it) to analyze " "

If you are adventurous, you can login to the system and save " "information on all running processes (you'll get a lot from /proc/nnn/). It " "is possible to get the whole executable code from memory, even if the " "attacker has deleted the executable files from disk. Then pull the power " "cord.

the system." msgstr "" #. type:

#: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:51 msgid "" "The most recommended method for recovering a compromised system is to use a " "live-filesystem on CD-ROM with all the tools (and kernel modules) you might " "need to access the compromised system. You can use the " "mkinitrd-cd package to build such a CD-ROM

In " "fact, this is the tool used to build the CD-ROMs for the project (a firewall on a " "live CD-ROM based on the Debian distribution).

. You might " "find the (previously " "called Biatchux) CD-ROM useful here too, since it's also a live CD-ROM with " "forensic tools useful in these situations. There is not (yet) a Debian-based " "tool such as this, nor an easy way to build the CD-ROM using your own " "selection of Debian packages and mkinitrd-cd (so you'll " "have to read the documentation provided with it to make your own CD-ROMs)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:65 msgid "" "If you really want to fix the compromise quickly, you should remove the " "compromised host from your network and re-install the operating system from " "scratch. Of course, this may not be effective because you will not learn how " "the intruder got root in the first place. For that case, you must check " "everything: firewall, file integrity, log host, log files and so on. For " "more information on what to do following a break-in, see or SANS's ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:68 msgid "" "Some common questions on how to handle a compromised Debian GNU/Linux system " "are also available in ." msgstr "" #. type: #: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:70 msgid "Backing up the system" msgstr "" #. type:

#: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:75 msgid "" "Remember that if you are sure the system has been compromised you cannot " "trust the installed software or any information that it gives back to " "you. Applications might have been trojanized, kernel modules might be " "installed, etc." msgstr "" #. type:

#: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:84 msgid "" "The best thing to do is a complete file system backup copy (using " "dd) after booting from a safe medium. Debian GNU/Linux CD-ROMs " "can be handy for this since they provide a shell in console 2 when the " "installation is started (jump to it using Alt+2 and pressing Enter). From " "this shell, backup the information to another host if possible (maybe a " "network file server through NFS/FTP). Then any analysis of the compromise or " "re-installation can be performed while the affected system is offline." msgstr "" #. type:

#: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:89 msgid "" "If you are sure that the only compromise is a Trojan kernel module, you can " "try to run the kernel image from the Debian CD-ROM in rescue " "mode. Make sure to startup in single user mode, so no other Trojan " "processes run after the kernel." msgstr "" #. type: #: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:90 msgid "Contact your local CERT" msgstr "" #. type:

#: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:121 msgid "" "The CERT (Computer Emergency Response Team) is an organization that can " "help you recover from a system compromise. There are CERTs worldwide " "

This is a list of some CERTs, for a full list look at the (FIRST is the Forum of Incident Response and " "Security Teams): " "(Australia), " "(Mexico) " "(Finland), (Germany), " " (Germany), (Italy), (Japan), (Norway), (Croatia) (Poland), (Russia), (Slovenia) (Spain), (Switzerland), (Taiwan), and (US).

and you " "should contact your local CERT in the event of a security incident which has " "led to a system compromise. The people at your local CERT can help you " "recover from it." msgstr "" #. type:

#: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:135 msgid "" "Providing your local CERT (or the CERT coordination center) with information " "on the compromise even if you do not seek assistance can also help others " "since the aggregate information of reported incidents is used in order to " "determine if a given vulnerability is in widespread use, if there is a new " "worm aloft, and which new attack tools are being used. This information is used " "in order to provide the Internet community with information on the , and to publish and even . For more " "detailed information on how (and why) to report an incident, read ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:144 msgid "" "You can also use less formal mechanisms if you need help for recovering from " "a compromise or want to discuss incident information. This includes the and the ." msgstr "" #. type: #: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:146 msgid "Forensic analysis" msgstr "" #. type:

#: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:157 msgid "" "If you wish to gather more information, the tct (The " "Coroner's Toolkit from Dan Farmer and Wietse Venema) package contains " "utilities which perform a post mortem analysis of a " "system. tct allows the user to collect information about " "deleted files, running processes and more. See the included documentation " "for more information. These same utilities and some others can be found in " " by " "Brian Carrier, which provides a web front-end for forensic analysis of disk " "images. In Debian you can find both sleuthkit (the tools) " "and autopsy (the graphical front-end)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:161 msgid "" "Remember that forensic analysis should always be done on the backup copy of " "the data, never on the data itself, in case the data is altered " "during analysis and the evidence is lost." msgstr "" #. type:

#: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:176 msgid "" "You will find more information on forensic analysis in Dan Farmer's and " "Wietse Venema's book (available online), as well as in their " " and their . Brian Carrier's newsletter is also a very good resource on forensic analysis tips. Finally, " "the are an excellent way to hone your forensic analysis skills as " "they include real attacks against honeypot systems and provide challenges " "that vary from forensic analysis of disks to firewall logs and packet " "captures." msgstr "" #. type:

#: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:179 msgid "" "FIXME: This paragraph will hopefully provide more information about " "forensics in a Debian system in the coming future." msgstr "" #. type:

#: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:183 msgid "" "FIXME: Talk on how to do a debsums on a stable system with the MD5sums on CD " "and with the recovered file system restored on a separate partition." msgstr "" #. type:

#: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:187 msgid "" "FIXME: Add pointers to forensic analysis papers (like the Honeynet's reverse " "challenge or )." msgstr "" #. type: #: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:188 msgid "Analysis of malware" msgstr "" #. type:

#: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:191 msgid "" "Some other tools that can be used for forensic analysis provided in the " "Debian distribution are:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:193 msgid "strace." msgstr "" #. type:

#: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:194 msgid "ltrace." msgstr "" #. type:

#: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:202 msgid "" "Any of these packages can be used to analyze rogue binaries (such as back " "doors), in order to determine how they work and what they do to the " "system. Some other common tools include ldd (in " "libc6), strings and objdump " "(both in binutils)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:211 msgid "" "If you try to do forensic analysis with back doors or suspected binaries " "retrieved from compromised systems, you should do so in a secure environment " "(for example in a bochs or xen image " "or a chroot'ed environment using a user with low " "privileges

Be very careful if using chroots, since if " "the binary uses a kernel-level exploit to increase its privileges it might " "still be able to infect your system

). Otherwise your own " "system can be back doored/r00ted too!" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:3 msgid "" "If you are interested in malware analysis then you should read the chapter of Dan Farmer's and Wietse " "Venema's forensics book." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:5 msgid "Frequently asked Questions (FAQ)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:9 msgid "" "This chapter introduces some of the most common questions from the Debian " "security mailing list. You should read them before posting there or else " "people might tell you to RTFM." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:11 msgid "Security in the Debian operating system" msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:13 msgid "Is Debian more secure than X?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:20 msgid "" "A system is only as secure as its administrator is capable of making " "it. Debian's default installation of services aims to be secure, " "but may not be as paranoid as some other operating systems which install all " "services disabled by default. In any case, the system administrator " "needs to adapt the security of the system to his local security policy." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:41 msgid "" "For a collection of data regarding security vulnerabilities for many " "operating systems, see the or " "generate stats using the (formerly ICAT) Is this data " "useful? There are several factors to consider when interpreting the data, " "and it is worth noting that the data cannot be used to compare the " "vulnerabilities of one operating system versus another.

For " "example, based on some data, it might seem that Windows NT is more secure " "than Linux, which is a questionable assertion. After all, Linux " "distributions usually provide many more applications compared to Microsoft's " "Windows NT. These vulnerability-counting issues are better " "described in by David A. Wheeler

Also, keep in mind that some " "reported vulnerabilities regarding Debian apply only to the " "unstable (i.e. unreleased) branch." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:44 msgid "" "Is Debian more secure than other Linux distributions (such as Red Hat, " "SuSE...)?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:52 msgid "" "There are not really many differences between Linux distributions, with " "exceptions to the base installation and package management system. Most " "distributions share many of the same applications, with differences mainly " "in the versions of these applications that are shipped with the " "distribution's stable release. For example, the kernel, Bind, Apache, " "OpenSSH, Xorg, gcc, zlib, etc. are all common across Linux distributions." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:59 msgid "" "For example, Red Hat was unlucky and shipped when foo 1.2.3 was current, " "which was then later found to have a security hole. Debian, on the other " "hand, was lucky enough to ship foo 1.2.4, which incorporated the bug " "fix. That was the case in the big " "problem from a couple years ago." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:68 msgid "" "There is a lot of collaboration between the respective security teams for " "the major Linux distributions. Known security updates are rarely, if ever, " "left unfixed by a distribution vendor. Knowledge of a security vulnerability " "is never kept from another distribution vendor, as fixes are usually " "coordinated upstream, or by . As a result, necessary security updates are usually released " "at the same time, and the relative security of the different distributions " "is very similar." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:72 msgid "" "One of Debian's main advantages with regards to security is the ease of " "system updates through the use of apt. Here are some other " "aspects of security in Debian to consider:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:77 msgid "" "Debian provides more security tools than other distributions, see ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:92 msgid "" "Debian's standard installation is smaller (less functionality), and thus " "more secure. Other distributions, in the name of usability, tend to install " "many services by default, and sometimes they are not properly configured " "(remember the ). Debian's installation is not as limited as OpenBSD (no " "daemons are active per default), but it's a good " "compromise.

Without diminishing the fact that some " "distributions, such as Red Hat or Mandrake, are also taking into account " "security in their standard installations by having the user select " "security profiles, or using wizards to help with configuration of " "personal firewalls.

" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:95 msgid "Debian documents best security practices in documents like this one." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:100 msgid "" "There are many Debian bugs in Bugtraq. Does this mean that it is very " "vulnerable?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:105 msgid "" "The Debian distribution boasts a large and growing number of software " "packages, probably more than provided by many proprietary operating " "systems. The more packages installed, the greater the potential for security " "issues in any given system." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:111 msgid "" "More and more people are examining source code for flaws. There are many " "advisories related to source code audits of the major software components " "included in Debian. Whenever such source code audits turn up security flaws, " "they are fixed and an advisory is sent to lists such as Bugtraq." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:115 msgid "" "Bugs that are present in the Debian distribution usually affect other " "vendors and distributions as well. Check the \"Debian specific: yes/no\" " "section at the top of each advisory (DSA)." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:117 msgid "Does Debian have any certification related to security?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:119 msgid "Short answer: no." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:129 msgid "" "Long answer: certification costs money (especially a serious " "security certification), nobody has dedicated the resources in order to " "certify Debian GNU/Linux to any level of, for example, the . If you " "are interested in having a security-certified GNU/Linux distribution, try to " "provide the resources needed to make it possible." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:136 msgid "" "There are currently at least two linux distributions certified at different " " levels. Notice that some of the CC tests are being integrated " "into the which is available in Debian in the ltp." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:138 msgid "Are there any hardening programs for Debian?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:145 msgid "" "Yes. , " "originally oriented toward other Linux distributions (Red Hat and Mandrake), " "currently works for Debian. Steps are being taken to integrate the changes " "made to the upstream version into the Debian package, named " "bastille." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:148 msgid "" "Some people believe, however, that a hardening tool does not eliminate the " "need for good administration." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:150 msgid "I want to run XYZ service, which one should I choose?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:158 msgid "" "One of Debian's great strengths is the wide variety of choice available " "between packages that provide the same functionality (DNS servers, mail " "servers, ftp servers, web servers, etc.). This can be confusing to the " "novice administrator when trying to determine which package is right for " "you. The best match for a given situation depends on a balance between your " "feature and security needs. Here are some questions to ask yourself when " "deciding between similar packages:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:162 msgid "Is the software maintained upstream? When was the last release?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:166 msgid "" "Is the package mature? The version number really does not tell you " "about its maturity. Try to trace the software's history." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:169 msgid "" "Is the software bug-ridden? Have there been security advisories related to " "it?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:172 msgid "" "Does the software provide all the functionality you need? Does it provide " "more than you really need?" msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:177 msgid "How can I make service XYZ more secure in Debian?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:185 msgid "" "You will find information in this document to make some services (FTP, Bind) " "more secure in Debian GNU/Linux. For services not covered here, check the " "program's documentation, or general Linux information. Most of the security " "guidelines for Unix systems also apply to Debian. In most cases, securing " "service X in Debian is like securing that service in any other Linux " "distribution (or Un*x, for that matter)." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:187 msgid "How can I remove all the banners for services?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:195 msgid "" "If you do not like users connecting to your POP3 daemon, for example, and " "retrieving information about your system, you might want to remove (or " "change) the banner the service shows to users.

Note that this " "is 'security by obscurity', and will probably not be worth the effort in the " "long term.

Doing so depends on the software you are running " "for a given service. For example, in postfix, you can set your " "SMTP banner in /etc/postfix/main.cf:" msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:197 #, no-wrap msgid " smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:205 msgid "" "Other software is not as easy to change. ssh will need to " "be recompiled in order to change the version that it prints. Take care not " "to remove the first part (SSH-2.0) of the banner, which clients use " "to identify which protocol(s) is supported by your package." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:207 msgid "Are all Debian packages safe?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:219 msgid "" "The Debian security team cannot possibly analyze all the packages included " "in Debian for potential security vulnerabilities, since there are just not " "enough resources to source code audit the whole project. However, Debian " "does benefit from the source code audits made by upstream developers." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:225 msgid "" "As a matter of fact, a Debian developer could distribute a Trojan in a " "package, and there is no possible way to check it out. Even if introduced " "into a Debian branch, it would be impossible to cover all the possible " "situations in which the Trojan would execute. This is why Debian has a " "\"no guarantees\" license clause." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:234 msgid "" "However, Debian users can take confidence in the fact that the stable code " "has a wide audience and most problems would be uncovered through " "use. Installing untested software is not recommended in a critical system " "(if you cannot provide the necessary code audit). In any case, if there were " "a security vulnerability introduced into the distribution, the process used " "to include packages (using digital signatures) ensures that the problem can " "be ultimately traced back to the developer. The Debian project has not taken " "this issue lightly." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:237 msgid "" "Why are some log files/configuration files world-readable, isn't this " "insecure?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:242 msgid "" "Of course, you can change the default Debian permissions on your system. The " "current policy regarding log files and configuration files is that they are " "world readable unless they provide sensitive information." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:244 msgid "Be careful if you do make changes since:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:249 msgid "" "Processes might not be able to write to log files if you restrict their " "permissions." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:255 msgid "" "Some applications may not work if the configuration file they depend on " "cannot be read. For example, if you remove the world-readable permission " "from /etc/samba/smb.conf, the smbclient program " "will not work when run by a normal user." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:260 msgid "" "FIXME: Check if this is written in the Policy. Some packages (i.e. ftp " "daemons) seem to enforce different permissions." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:262 msgid "Why does /root/ (or UserX) have 755 permissions?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:269 msgid "" "As a matter of fact, the same questions stand for any other user. Since " "Debian's installation does not place any file under that directory, " "there's no sensitive information to protect there. If you feel these " "permissions are too broad for your system, consider tightening them to " "750. For users, read ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:273 msgid "" "This Debian security mailing list has more on this issue." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:276 msgid "" "After installing a grsec/firewall, I started receiving many console " "messages! How do I remove them?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:281 msgid "" "If you are receiving console messages, and have configured " "/etc/syslog.conf to redirect them to either files or a special " "TTY, you might be seeing messages sent directly to the console." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:287 msgid "" "The default console log level for any given kernel is 7, which means that " "any message with a lower priority number will appear on the console. Usually, " "firewalls (the LOG rule) and some other security tools log at a lower priority number than this, " "and thus, are sent directly to the console." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:293 msgid "" "To reduce messages sent to the console, you can use dmesg " "(-n option, see ), which " "examines and controls the kernel ring buffer. To fix this after the " "next reboot, change /etc/init.d/klogd from:" msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:295 #, no-wrap msgid " KLOGD=\"\"" msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:301 #, no-wrap msgid " KLOGD=\"-c 4\"" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:307 msgid "" "Use a lower number for -c if you are still seeing them. A " "description of the different log levels can be found in " "/usr/include/sys/syslog.h:" msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:316 #, no-wrap msgid "" " #define LOG_EMERG 0 /* system is unusable */\n" " #define LOG_ALERT 1 /* action must be taken immediately */\n" " #define LOG_CRIT 2 /* critical conditions */\n" " #define LOG_ERR 3 /* error conditions */\n" " #define LOG_WARNING 4 /* warning conditions */\n" " #define LOG_NOTICE 5 /* normal but significant condition */\n" " #define LOG_INFO 6 /* informational */\n" " #define LOG_DEBUG 7 /* debug-level messages */" msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:320 msgid "Operating system users and groups" msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:322 msgid "Are all system users necessary?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:334 msgid "" "Yes and no. Debian comes with some predefined users (user id (UID) < 99 " "as described in or /usr/share/doc/base-passwd/README) " "to ease the installation of some services that require that they run under " "an appropriate user/UID. If you do not intend to install new services, you " "can safely remove those users who do not own any files in your system and do " "not run any services. In any case, the default behavior is that UID's from 0 " "to 99 are reserved in Debian, and UID's from 100 to 999 are created by " "packages on install (and deleted when the package is purged)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:341 msgid "" "To easily find users who don't own any files, execute the following " "command

Be careful, as this will traverse your whole system. If " "you have a lot of disk and partitions you might want to reduce it in " "scope.

(run it as root, since a common user might not have " "enough permissions to go through some sensitive directories):" msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:344 #, no-wrap msgid "" " cut -f 1 -d : /etc/passwd | \\\n" " while read i; do find / -user \"$i\" | grep -q . || echo \"$i\"; done" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:351 msgid "" "These users are provided by base-passwd. Look in its " "documentation for more information on how these users are handled in " "Debian. The list of default users (with a corresponding group) follows:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:355 msgid "root: Root is (typically) the superuser." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:362 msgid "" "daemon: Some unprivileged daemons that need to write to files on disk run as " "daemon.daemon (e.g., portmap, atd, probably " "others). Daemons that don't need to own any files can run as nobody.nogroup " "instead, and more complex or security conscious daemons run as dedicated " "users. The daemon user is also handy for locally installed daemons." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:364 msgid "bin: maintained for historic reasons." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:367 msgid "" "sys: same as with bin. However, /dev/vcs* and /var/spool/cups " "are owned by group sys." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:372 msgid "" "sync: The shell of user sync is /bin/sync. Thus, if its " "password is set to something easy to guess (such as \"\"), anyone can sync " "the system at the console even if they don't have an account." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:375 msgid "" "games: Many games are SETGID to games so they can write their high score " "files. This is explained in policy." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:378 msgid "" "man: The man program (sometimes) runs as user man, so it can write cat pages " "to /var/cache/man" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:380 msgid "lp: Used by printer daemons." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:384 msgid "" "mail: Mailboxes in /var/mail are owned by group mail, as " "explained in policy. The user and group are used for other purposes by " "various MTA's as well." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:390 msgid "" "news: Various news servers and other associated programs (such as " "suck) use user and group news in various ways. Files in the " "news spool are often owned by user and group news. Programs such as " "inews that can be used to post news are typically SETGID news." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:394 msgid "" "uucp: The uucp user and group is used by the UUCP subsystem. It owns spool " "and configuration files. Users in the uucp group may run uucico." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:399 msgid "" "proxy: Like daemon, this user and group is used by some daemons " "(specifically, proxy daemons) that don't have dedicated user id's and that " "need to own files. For example, group proxy is used by pdnsd, " "and squid runs as user proxy." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:403 msgid "" "majordom: Majordomo has a statically allocated UID on Debian " "systems for historical reasons. It is not installed on new systems." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:407 msgid "" "postgres: Postgresql databases are owned by this user and " "group. All files in /var/lib/postgresql are owned by this user " "to enforce proper security." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:412 msgid "" "www-data: Some web servers run as www-data. Web content should not " "be owned by this user, or a compromised web server would be able to rewrite " "a web site. Data written out by web servers, including log files, will be " "owned by www-data." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:415 msgid "" "backup: So backup/restore responsibilities can be locally delegated to " "someone without full root permissions." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:418 msgid "" "operator: Operator is historically (and practically) the only 'user' account " "that can log in remotely, and doesn't depend on NIS/NFS." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:421 msgid "" "list: Mailing list archives and data are owned by this user and group. Some " "mailing list programs may run as this user as well." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:425 msgid "" "irc: Used by irc daemons. A statically allocated user is needed only because " "of a bug in ircd, which SETUID()s itself to a given UID on " "startup." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:427 msgid "gnats." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:431 msgid "" "nobody, nogroup: Daemons that need not own any files run as user nobody and " "group nogroup. Thus, no files on a system should be owned by this user or " "group." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:435 msgid "Other groups which have no associated user:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:443 msgid "" "adm: Group adm is used for system monitoring tasks. Members of this group " "can read many log files in /var/log, and can use " "xconsole. Historically, /var/log was /usr/adm (and " "later /var/adm), thus the name of the group." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:446 msgid "" "tty: TTY devices are owned by this group. This is used by write and wall to " "enable them to write to other people's TTYs." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:448 msgid "disk: Raw access to disks. Mostly equivalent to root access." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:452 msgid "" "kmem: /dev/kmem and similar files are readable by this group. This is mostly " "a BSD relic, but any programs that need direct read access to the system's " "memory can thus be made SETGID kmem." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:455 msgid "" "dialout: Full and direct access to serial ports. Members of this group can " "reconfigure the modem, dial anywhere, etc." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:461 msgid "" "dip: The group's name stands for \"Dial-up IP\", and membership in dip " "allows you to use tools like ppp, dip, " "wvdial, etc. to dial up a connection. The users in this group " "cannot configure the modem, but may run the programs that make use of it." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:463 msgid "fax: Allows members to use fax software to send / receive faxes." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:466 msgid "voice: Voicemail, useful for systems that use modems as answering machines." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:469 msgid "" "cdrom: This group can be used locally to give a set of users access to a " "CDROM drive." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:472 msgid "" "floppy: This group can be used locally to give a set of users access to a " "floppy drive." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:475 msgid "" "tape: This group can be used locally to give a set of users access to a tape " "drive." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:479 msgid "" "sudo: Members of this group don't need to type their password when using " "sudo. See /usr/share/doc/sudo/OPTIONS." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:482 msgid "" "audio: This group can be used locally to give a set of users access to an " "audio device." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:486 msgid "" "src: This group owns source code, including files in " "/usr/src. It can be used locally to give a user the ability to " "manage system source code." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:489 msgid "" "shadow: /etc/shadow is readable by this group. Some programs " "that need to be able to access the file are SETGID shadow." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:493 msgid "" "utmp: This group can write to /var/run/utmp and similar " "files. Programs that need to be able to write to it are SETGID utmp." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:496 msgid "" "video: This group can be used locally to give a set of users access to a " "video device." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:501 msgid "" "staff: Allows users to add local modifications to the system " "(/usr/local, /home) without needing root " "privileges. Compare with group \"adm\", which is more related to " "monitoring/security." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:506 msgid "" "users: While Debian systems use the private user group system by default " "(each user has their own group), some prefer to use a more traditional group " "system, in which each user is a member of this group." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:510 msgid "I removed a system user! How can I recover?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:516 msgid "" "If you have removed a system user and have not made a backup of your " "password and group files you can try recovering " "from this issue using update-passwd (see )." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:518 msgid "What is the difference between the adm and the staff group?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:524 msgid "" "The 'adm' group are usually administrators, and this group permission allows " "them to read log files without having to su. The 'staff' group " "are usually help-desk/junior sysadmins, allowing them to work in " "/usr/local and create directories in /home." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:527 msgid "" "Why is there a new group when I add a new user? (or Why does Debian give " "each user one group?)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:535 msgid "" "The default behavior in Debian is that each user has its own, private " "group. The traditional UN*X scheme assigned all users to the users " "group. Additional groups were created and used to restrict access to shared " "files associated with different project directories. Managing files became " "difficult when a single user worked on multiple projects because when " "someone created a file, it was associated with the primary group to which " "they belong (e.g. 'users')." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:542 msgid "" "Debian's scheme solves this problem by assigning each user to their own " "group; so that with a proper umask (0002) and the SETGID bit set on a given " "project directory, the correct group is automatically assigned to files " "created in that directory. This makes it easier for people who work on " "multiple projects, because they will not have to change groups or umasks " "when working on shared files." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:548 msgid "" "You can, however, change this behavior by modifying " "/etc/adduser.conf. Change the USERGROUPS variable to " "'no', so that a new group is not created when a new user is created. Also, " "set USERS_GID to the GID of the users group which all users will " "belong to." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:550 msgid "Questions regarding services and open ports" msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:552 msgid "Why are all services activated upon installation?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:559 msgid "" "That's just an approach to the problem of being, on one side, security " "conscious and on the other side user friendly. Unlike OpenBSD, which " "disables all services unless activated by the administrator, Debian " "GNU/Linux will activate all installed services unless deactivated (see for more information). After all you installed the " "service, didn't you?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:564 msgid "" "There has been much discussion on Debian mailing lists (both at debian-devel " "and at debian-security) regarding which is the better approach for a " "standard installation. However, as of this writing (March 2002), there still " "isn't a consensus." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:566 msgid "Can I remove inetd?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:572 msgid "" "Inetd is not easy to remove since netbase " "depends on the package that provides it " "(netkit-inetd). If you want to remove it, you can either " "disable it (see ) or remove the package by using the " "equivs package." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:574 msgid "Why do I have port 111 open?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:580 msgid "" "Port 111 is sunrpc's portmapper, and it is installed by default as part of " "Debian's base installation since there is no need to know when a user's " "program might need RPC to work correctly. In any case, it is used mostly for " "NFS. If you do not need it, remove it as explained in ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:585 msgid "" "In versions of the portmap package later than 5-5 you can " "actually have the portmapper installed but listening only on localhost (by " "modifying /etc/default/portmap)" msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:587 msgid "What use is identd (port 113) for?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:595 msgid "" "Identd service is an authentication service that identifies the owner of a " "specific TCP/IP connection to the remote server accepting the " "connection. Typically, when a user connects to a remote host, " "inetd on the remote host sends back a query to port 113 to find " "the owner information. It is often used by mail, FTP and IRC servers, and " "can also be used to track down which user in your local system is attacking " "a remote system." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:608 msgid "" "There has been extensive discussion on the security of identd " "(See ). In general, identd is more " "helpful on a multi-user system than on a single user workstation. If you " "don't have a use for it, disable it, so that you are not leaving a service " "open to the outside world. If you decide to firewall the identd port, " "please use a reject policy and not a deny policy, otherwise a " "connection to a server utilizing identd will hang until a " "timeout expires (see )." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:611 msgid "I have services using port 1 and 6, what are they and how can I remove them?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:613 msgid "If you have run the command netstat -an and receive:" msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:621 #, no-wrap msgid "" " Active Internet connections (servers and established)\n" " Proto Recv-Q Send-Q Local Address Foreign Address " "State\n" " PID/Program name\n" " raw 0 0 0.0.0.0:1 0.0.0.0:* 7\n" " -\n" " raw 0 0 0.0.0.0:6 0.0.0.0:* 7\n" " -" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:632 msgid "" "You are not seeing processes listening on TCP/UDP port 1 and 6. In " "fact, you are seeing a process listening on a raw socket for " "protocols 1 (ICMP) and 6 (TCP). Such behavior is common to both Trojans and " "some intrusion detection systems such as iplogger and " "portsentry. If you have these packages simply remove " "them. If you do not, try netstat's -p (process) option to see which " "process is running these listeners." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:634 msgid "I found the port XYZ open, can I close it?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:641 msgid "" "Yes, of course. The ports you are leaving open should adhere to your " "individual site's policy regarding public services available to other " "networks. Check if they are being opened by inetd (see ), or by other installed packages and take the appropriate " "measures (i.e, configure inetd, remove the package, avoid it running on " "boot-up)." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:644 msgid "Will removing services from /etc/services help secure my box?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:651 msgid "" "No, /etc/services only provides a mapping between a " "service name and a given port number. Removing names from this file will not " "(usually) prevent services from being started. Some daemons may not run if " "/etc/services is modified, but that's not the norm. To properly " "disable the service, see ." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:653 msgid "Common security issues" msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:655 msgid "I have lost my password and cannot access the system!" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:659 msgid "" "The steps you need to take in order to recover from this depend on whether " "or not you have applied the suggested procedure for limiting access to " "lilo and your system's BIOS." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:664 msgid "" "If you have limited both, you need to disable the BIOS setting that only " "allows booting from the hard disk before proceeding. If you have also " "forgotten your BIOS password, you will have to reset your BIOS by opening " "the system and manually removing the BIOS battery." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:667 msgid "" "Once you have enabled booting from a CD-ROM or diskette, try the " "following:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:671 msgid "Boot-up from a rescue disk and start the kernel" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:673 msgid "Go to the virtual console (Alt+F2)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:675 msgid "" "Mount the hard disk partition holding your root (/) file system (the one " "that contains /etc)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:680 msgid "" "Edit (Debian 2.2 rescue disk comes with the editor ae, and " "Debian 3.0 comes with nano-tiny which is similar to " "vi) /etc/shadow and change the line:" msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:682 #, no-wrap msgid " root:asdfjl290341274075:XXXX:X:XXXX:X::: (X=any number)" msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:688 #, no-wrap msgid " root::XXXX:X:XXXX:X:::" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:699 msgid "" "This will remove the forgotten root password, contained in the first colon " "separated field after the user name. Save the file, reboot the system and " "login with root using an empty password. Remember to reset the " "password immediately. This will work unless you have configured the system " "more tightly, i.e. if you have not allowed users to have null passwords or " "not allowed root to login from the console. Note that this is exactly what " "anyone with physical access and their own boot medium can do to your " "system, which is why the BIOS and boot loader restrictions mentioned above " "matter." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:706 msgid "" "If you have introduced these features, you will need to enter into single " "user mode. If LILO has been restricted, you will need to rerun " "lilo just after the root reset above. This is quite tricky " "since your /etc/lilo.conf will need to be tweaked due to the " "root (/) file system being a ramdisk and not the real hard disk." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:708 msgid "Once LILO is unrestricted, try the following:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:713 msgid "" "Press the Alt, shift or Control key just before the system BIOS finishes, " "and you should get the LILO prompt." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:716 msgid "" "Type linux single, linux init=/bin/sh or linux 1 " "at the prompt." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:719 msgid "" "This will give you a shell prompt in single-user mode (linux single " "and linux 1 may ask for the root password, which is empty after the " "reset above; linux init=/bin/sh drops you straight into a shell " "without asking)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:721 msgid "Re-mount read/write the root (/) partition, using the mount command." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:723 #, no-wrap msgid " # mount -o remount,rw /" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:728 msgid "" "Change the superuser password with passwd (since you are " "superuser it will not ask for the previous password)." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:733 msgid "" "How do I accomplish setting up a service for my users without giving out " "shell accounts?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:744 msgid "" "For example, if you want to set up a POP service, you don't need to set up a " "user account for each user accessing it. It's best to set up directory-based " "authentication through an external service (like Radius, LDAP or an SQL " "database). Just install the appropriate PAM library " "(libpam-radius-auth, libpam-ldap, " "libpam-pgsql or libpam-mysql), read " "the documentation (for starters, see ) and configure " "the PAM-enabled service to use the back end you have chosen. This is done by " "editing the files under /etc/pam.d/ for your service and " "modifying the" msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:746 #, no-wrap msgid " auth required pam_unix_auth.so shadow nullok use_first_pass" msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:748 msgid "to, for example, ldap:" msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:750 #, no-wrap msgid " auth required pam_ldap.so" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:761 msgid "" "In the case of LDAP directories, some services provide LDAP schemas to be " "included in your directory that are required in order to use LDAP " "authentication. If you are using a relational database, a useful trick is to " "use the where clause when configuring the PAM modules. For example, " "if you have a database with the following table attributes:" msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:763 #, no-wrap msgid "" " (user_id, user_name, realname, shell, password, UID, GID, homedir, sys, " "pop, imap, ftp)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:769 msgid "" "By making the services attributes boolean fields, you can use them to enable " "or disable access to the different services just by inserting the " "appropriate lines in the following files:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:773 msgid "/etc/pam.d/imap:where=imap=1." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:775 msgid "/etc/pam.d/qpopper:where=pop=1." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:778 msgid "" "/etc/nss-mysql*.conf:users.where_clause = user.sys = " "1;." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:780 msgid "/etc/proftpd.conf: SQLWhereClause \"ftp=1\"." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:784 msgid "My system is vulnerable! (Are you sure?)" msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:787 msgid "Vulnerability assessment scanner X says my Debian system is vulnerable!" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:795 msgid "" "Many vulnerability assessment scanners give false positives when used on " "Debian systems, since they only use version checks to determine if a given " "software package is vulnerable, but do not really test the security " "vulnerability itself. Since Debian does not change software versions when " "fixing a package (many times the fix made for newer releases is back " "ported), some tools tend to think that an updated Debian system is " "vulnerable when it is not." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:800 msgid "" "If you think your system is up to date with security patches, you might want " "to use the cross references to security vulnerability databases published " "with the DSAs (see ) to weed out false positives, if the " "tool you are using includes CVE references." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:803 msgid "I've seen an attack in my system's logs. Is my system compromised?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:810 msgid "" "A trace of an attack does not always mean that your system has been " "compromised, and you should take the usual steps to determine if the system " "is indeed compromised (see ). Even if your " "system was not vulnerable to the attack that was logged, a determined " "attacker might have used some other vulnerability besides the ones you have " "detected." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:812 msgid "I have found strange 'MARK' lines in my logs: Am I compromised?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:814 msgid "You might find the following lines in your system logs:" msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:818 #, no-wrap msgid "" " Dec 30 07:33:36 debian -- MARK --\n" " Dec 30 07:53:36 debian -- MARK --\n" " Dec 30 08:13:36 debian -- MARK --" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:827 msgid "" "This does not indicate any kind of compromise, and users changing between " "Debian releases might find it strange. If your system does not have high " "loads (or many active services), these lines might appear throughout your " "logs. This is an indication that your syslogd daemon is running " "properly. From :" msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:833 #, no-wrap msgid "" " -m interval\n" " The syslogd logs a mark timestamp regularly. The\n" " default interval between two -- MARK -- lines is 20\n" " minutes. This can be changed with this option.\n" " Setting the interval to zero turns it off entirely." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:837 msgid "I found users using 'su' in my logs: Am I compromised?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:838 msgid "You might find lines in your logs like:" msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:841 #, no-wrap msgid "" " Apr 1 09:25:01 server su[30315]: + ??? root-nobody\n" " Apr 1 09:25:01 server PAM_unix[30315]: (su) session opened for user " "nobody by (UID=0)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:847 msgid "" "Don't worry too much. Check to see if these entries are due to " "cron jobs (usually /etc/cron.daily/find or " "logrotate). If the timestamps and target user cannot be matched to " "a scheduled job, treat the entries as suspicious and investigate further:" msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:853 #, no-wrap msgid "" " $ grep 25 /etc/crontab\n" " 25 9 * * * root test -e /usr/sbin/anacron || run-parts --report\n" " /etc/cron.daily\n" " $ grep nobody /etc/cron.daily/*\n" " find:cd / && updatedb --localuser=nobody 2>/dev/null" msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:858 msgid "I have found 'possible SYN flooding' in my logs: Am I under attack?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:860 msgid "If you see entries like these in your logs:" msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:865 #, no-wrap msgid "" " May 1 12:35:25 linux kernel: possible SYN flooding on port X. Sending " "cookies.\n" " May 1 12:36:25 linux kernel: possible SYN flooding on port X. Sending " "cookies.\n" " May 1 12:37:25 linux kernel: possible SYN flooding on port X. Sending " "cookies.\n" " May 1 13:43:11 linux kernel: possible SYN flooding on port X. Sending " "cookies." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:870 msgid "" "Check if there is a high number of connections to the server using " "netstat, for example:" msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:873 #, no-wrap msgid "" " linux:~# netstat -ant | grep SYN_RECV | wc -l\n" " 9000" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:884 msgid "" "This is an indication of a denial of service (DoS) attack against your " "system's X port (most likely against a public service such as a web server " "or mail server). The Sending cookies part of the message means the " "kernel already has TCP syncookies enabled and is using them to keep " "accepting legitimate connections; if your kernel reports the flood without " "sending cookies, activate TCP syncookies, see . Note, however, that a DoS attack might flood your " "network even if you can stop it from crashing your systems (due to file " "descriptors being depleted, the system might become unresponsive until the " "TCP connections timeout). The only effective way to stop this attack is to " "contact your network provider." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:887 msgid "I have found strange root sessions in my logs: Am I compromised?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:890 msgid "" "You might see these kind of entries in your /var/log/auth.log " "file:" msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:896 #, no-wrap msgid "" " May 2 11:55:02 linux PAM_unix[1477]: (cron) session closed for user root\n" " May 2 11:55:02 linux PAM_unix[1476]: (cron) session closed for user root\n" " May 2 12:00:01 linux PAM_unix[1536]: (cron) session opened for user root " "by\n" " (UID=0)\n" " May 2 12:00:02 linux PAM_unix[1536]: (cron) session closed for user root" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:905 msgid "" "These are due to a cron job being executed (in this example, " "every five minutes). To determine which program is responsible for these " "jobs, check entries under: /etc/crontab, " "/etc/cron.d, /etc/cron.daily (and the other " "/etc/cron.* directories) and root's crontab under " "/var/spool/cron/crontabs. If no scheduled job accounts for a root " "session, investigate it as a possible compromise." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:907 msgid "I have suffered a break-in, what do I do?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:910 msgid "There are several steps you might want to take in case of a break-in:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:921 msgid "" "Check if your system is up to date with security patches for published " "vulnerabilities. If your system is vulnerable, the chances that the system " "is in fact compromised are increased. The chances increase further if the " "vulnerability has been known for a while, since there is usually more " "activity related to older vulnerabilities. Here is a link to ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:924 msgid "Read this document, especially the section." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:927 msgid "" "Ask for assistance. You might use the debian-security mailing list and ask " "for advice on how to recover/patch your system." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:934 msgid "" "Notify your local (if it " "exists, otherwise you may want to consider contacting CERT directly). This " "might or might not help you, but, at the very least, it will inform CERT of " "ongoing attacks. This information is very valuable in determining which " "tools and attacks are being used by the blackhat community." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:938 msgid "How can I trace an attack?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:947 msgid "" "By watching the logs (if they have not been tampered with), using intrusion " "detection systems (see ), " "traceroute, whois and similar tools (including " "forensic analysis), you may be able to trace an attack to the source. The " "way you should react to this information depends solely on your security " "policy, and what you consider is an attack. Is a remote scan an " "attack? Is a vulnerability probe an attack?" msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:949 msgid "Program X in Debian is vulnerable, what do I do?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:955 msgid "" "First, take a moment to see if the vulnerability has been announced in " "public security mailing lists (like Bugtraq) or other forums. The Debian " "Security Team keeps up to date with these lists, so they may also be aware " "of the problem. Do not take any further actions if you see an announcement " "at ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:961 msgid "" "If no information seems to be published, please send e-mail about the " "affected package(s), as well as a detailed description of the vulnerability " "(proof of concept code is also OK), to . This will get you in touch with Debian's " "security team." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:964 securing-debian-howto.en.sgml:60 en/faq.sgml:1089 msgid "" "The version number for a package indicates that I am still running a " "vulnerable version!" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:974 msgid "" "Instead of upgrading to a new release, Debian backports security fixes to " "the version that was shipped in the stable release. The reason for this is " "to make sure that the stable release changes as little as possible, so that " "things will not change or break unexpectedly as a result of a security " "fix. You can check if you are running a secure version of a package by " "looking at the package changelog, or comparing its exact (upstream version " "-slash- debian release) version number with the version indicated in the " "Debian Security Advisory." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:976 msgid "Specific software" msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:979 msgid "proftpd is vulnerable to a Denial of Service attack." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:982 msgid "" "Add DenyFilter \\*.*/ to your configuration file, and for more " "information see ." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:985 msgid "" "After installing portsentry, there are a lot of ports " "open." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:988 msgid "" "That's just the way portsentry works. It opens about twenty " "unused ports to try to detect port scans." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:990 msgid "Questions regarding the Debian security team" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:998 msgid "" "This information is derived from the . It " "includes the information as of January, 2006, and provides answers for some " "other common questions asked in the debian-security mailing list." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:1000 msgid "What is a Debian Security Advisory (DSA)?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1007 msgid "" "It is information sent by the Debian Security Team (see below) regarding the " "discovery and fix for a security related vulnerability in a package " "available in Debian GNU/Linux. Signed DSAs are sent to public mailing lists " "(debian-security-announce) and posted on Debian's web site (both in the " "front page and in the )." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1013 msgid "" "DSAs include information on the affected package(s), the security flaw that " "was discovered and where to retrieve the updated packages (and their MD5 " "sums)." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:1015 msgid "The signature on Debian advisories does not verify correctly!" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1021 msgid "" "This is most likely a problem on your end. The " "list has a filter that only allows messages with a correct signature from " "one of the security team members to be posted." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1026 msgid "" "Most likely some piece of mail software on your end slightly changes the " "message, thus breaking the signature. Make sure your software does not do " "any MIME encoding or decoding, or tab/space conversions." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1029 msgid "" "Known culprits fetchmail (with the mimedecode option enabled), formail (from " "procmail 3.14 only) and evolution." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:1031 msgid "How is security handled in Debian?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1040 msgid "" "Once the Security Team receives a notification of an incident, one or more " "members review it and consider its impact on the stable release of Debian " "(i.e. if it's vulnerable or not). If our system is vulnerable, we work on a " "fix for the problem. The package maintainer is contacted as well, if he " "didn't contact the Security Team already. Finally, the fix is tested and new " "packages are prepared, which then are compiled on all stable architectures " "and uploaded afterwards. After all of that is done, an advisory is " "published." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:1042 msgid "Why are you fiddling with an old version of that package?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1050 msgid "" "The most important guideline when making a new package that fixes a security " "problem is to make as few changes as possible. Our users and developers are " "relying on the exact behavior of a release once it is made, so any change we " "make can possibly break someone's system. This is especially true in case of " "libraries: make sure you never change the Application Program Interface " "(API) or Application Binary Interface (ABI), no matter how small the change " "is." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1055 msgid "" "This means that moving to a new upstream version is not a good solution, " "instead the relevant changes should be backported. Generally upstream " "maintainers are willing to help if needed, if not the Debian security team " "might be able to help." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1060 msgid "" "In some cases it is not possible to backport a security fix, for example " "when large amounts of source code need to be modified or rewritten. If that " "happens it might be necessary to move to a new upstream version, but this " "has to be coordinated with the security team beforehand." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:1062 msgid "What is the policy for a fixed package to appear in security.debian.org?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1070 msgid "" "Security breakage in the stable distribution warrants a package on " "security.debian.org. Anything else does not. The size of a breakage is not " "the real problem here. Usually the security team will prepare packages " "together with the package maintainer. Provided someone (trusted) tracks the " "problem and gets all the needed packages compiled and submit them to the " "security team, even very trivial security problem fixes will make it to " "security.debian.org. Please see below." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1074 msgid "" "Security updates serve one purpose: to supply a fix for a security " "vulnerability. They are not a method for sneaking additional changes into " "the stable release without going through normal point release procedure." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:1076 msgid "What does \"local (remote)\" mean?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1083 msgid "" "Some advisories cover vulnerabilities that cannot be identified with the " "classic scheme of local and remote exploitability. Some vulnerabilities " "cannot be exploited from remote, i.e. don't correspond to a daemon listening " "to a network port. If they can be exploited by special files that could be " "provided via the network while the vulnerable service is not permanently " "connected with the network, we write \"local (remote)\" in such cases." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1087 msgid "" "Such vulnerabilities are somewhat between local and remote vulnerabilities " "and often cover archives that could be provided through the network, e.g. as " "mail attachment or from a download page." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1091 msgid "See ." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:1093 msgid "How is security handled for testing and unstable?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1103 msgid "" "The short answer is: it's not. Testing and unstable are rapidly moving " "targets and the security team does not have the resources needed to properly " "support those. If you want to have a secure (and stable) server you are " "strongly encouraged to stay with stable. However, work is in progress to " "change this, with the formation of a which has begun work to offer security support for testing, and to " "some extent, for unstable. For more information see " msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1108 msgid "" "In some cases, however, the unstable branch usually gets security fixes " "quite quickly, because those fixes are usually available upstream faster " "(other versions, like those in the stable branch, usually need to be back " "ported)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1114 msgid "" "You can review public vulnerabilities affecting the testing and " "unstable release at the ." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:1116 msgid "" "I use an older version of Debian, is it supported by the Debian Security " "Team?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1122 msgid "" "No. Unfortunately, the Debian Security Team cannot handle both the stable " "release (unofficially, also the unstable) and other older releases. However, " "you can expect security updates for a limited period of time (usually " "several months) immediately following the release of a new Debian " "distribution." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:1124 msgid "How does testing get security updates?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1130 msgid "" "Security updates will migrate into the testing distribution via " "unstable. They are usually uploaded with their priority set to high, which " "will reduce the quarantine time to two days. After this period, the packages " "will migrate into testing automatically, given that they are built for all " "architectures and their dependencies are fulfilled in testing." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1134 msgid "" "The also makes security fixes available in their repository " "when the normal migration process is not fast enough." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:1136 msgid "How is security handled for contrib and non-free?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1144 msgid "" "The short answer is: it's not. Contrib and non-free aren't official parts of " "the Debian Distribution and are not released, and thus not supported by the " "security team. Some non-free packages are distributed without source or " "without a license allowing the distribution of modified versions. In those " "cases no security fixes can be made at all. If it is possible to fix the " "problem, and the package maintainer or someone else provides correct updated " "packages, then the security team will generally process them and release an " "advisory." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:1146 msgid "Why are there no official mirrors for security.debian.org?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1150 msgid "" "Actually, there are. There are several official mirrors, implemented through " "DNS aliases. The purpose of security.debian.org is to make security updates " "available as quickly and easily as possible." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1154 msgid "" "Encouraging the use of unofficial mirrors would add extra complexity that is " "usually not needed and that can cause frustration if these mirrors are not " "kept up to date." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:1156 msgid "I've seen DSA 100 and DSA 102, now where is DSA 101?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1173 msgid "" "Several vendors (mostly of GNU/Linux, but also of BSD derivatives) " "coordinate security advisories for some incidents and agree to a particular " "timeline so that all vendors are able to release an advisory at the same " "time. This was decided in order to not discriminate against some vendors " "that need more time (e.g. when the vendor has to pass packages through " "lengthy QA tests or has to support several architectures or binary " "distributions). Our own security team also prepares advisories in " "advance. Every now and then, other security issues have to be dealt with " "before the parked advisory could be released, and hence temporarily leaving " "out one or more advisories by number." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:1175 msgid "" "I tried to download a package listed in one of the security advisories, but " "I got a `file not found' error." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1180 msgid "" "Whenever a newer bugfix supersedes an older package on security.debian.org, " "chances are high that the old package will be removed by the time the new " "one gets installed. Hence, you'll get this `file not found' error. We don't " "want to distribute packages with known security bugs longer than absolutely " "necessary." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1186 msgid "" "Please use the packages from the latest security advisories, which are " "distributed through the . It's best to simply run " "apt-get update before upgrading the package." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:1188 msgid "How can I reach the security team?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1204 msgid "" "Security information can be sent to , which is read by all Debian developers. If " "you have sensitive information please use " "which only the members of the team can read. If desired, email can be " "encrypted with the Debian Security Contact key (key ID ). See also the ." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:1207 msgid "" "What difference is there between security@debian.org and " "debian-security@lists.debian.org?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1220 msgid "" "When you send messages to security@debian.org, they are sent to the " "developers' mailing list (debian-private). All Debian developers are " "subscribed to this list and posts are kept private

There has " "been a declassification decision, voted in , that " "might make some posts available in the future, however.

" "(i.e. are not archived at the public website). The public mailing list, " "debian-security@lists.debian.org, is open to anyone that wants to , and there " "are searchable archives available ." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:1222 msgid "I guess I found a security problem, what should I do?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1229 msgid "" "If you learn about a security problem, either in one of your own packages or " "in someone else's please always contact the security team. If the Debian " "security team confirms the vulnerability and other vendors are likely to be " "vulnerable as well, they usually contact other vendors as well. If the " "vulnerability is not yet public they will try to coordinate security " "advisories with the other vendors, so all major distributions are in sync." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1232 msgid "" "If the vulnerability is already publicly known, be sure to file a bug report " "in the Debian BTS, and tag it security." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:1233 msgid "How can I contribute to the Debian security team?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1241 msgid "" "By contributing to this document, fixing FIXMEs or providing new " "content. Documentation is important and reduces the overhead of answering " "common issues. Translation of this documentation into other languages is " "also of great help." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1247 msgid "" "By packaging applications that are useful for checking or enhancing security " "in a Debian GNU/Linux system. If you are not a developer, file a and ask for " "software you think would be useful, but is not currently provided." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1250 msgid "" "Audit applications in Debian or help solve security bugs and report issues " "to security@debian.org." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1258 msgid "" "In all cases, please review each problem before reporting it to " "security@debian.org. If you are able to provide patches, that would speed up " "the process. Do not simply forward Bugtraq mails, since they are already " "received. Providing additional information, however, is always a good idea." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:1260 msgid "Who is the Security Team composed of?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1264 msgid "" "The Debian security team consists of . The security team itself appoints people to join the team." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:1267 msgid "Does the Debian Security team check every new package in Debian?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1275 msgid "" "No, the Debian security team does not check every new package and there is " "no automatic (lintian) check to detect new packages containing malicious " "code, since such checks are practically impossible to perform " "automatically. Maintainers, however, are fully responsible for the packages " "they introduce into Debian, and all packages are first signed by an " "authorized developer(s). The developer is in charge of analyzing the " "security of all packages that they maintain." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:1277 msgid "How much time will it take Debian to fix vulnerability XXXX?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1287 msgid "" "The Debian security team works quickly to send advisories and produce fixed " "packages for the stable branch once a vulnerability is discovered. A report " " showed that in the " "year 2001, it took the Debian Security Team an average of 35 days to fix " "security-related vulnerabilities. However, over 50% of the vulnerabilities " "were fixed in a 10-day time frame, and over 15% of them were fixed the " "same day the advisory was released." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1289 msgid "However, when asking this question people tend to forget that:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1293 msgid "DSAs are not sent until:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1300 msgid "" "packages are available for all architectures supported by Debian " "(which takes some time for packages that are part of the system core, " "especially considering the number of architectures supported in the stable " "release)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1303 msgid "" "new packages are thoroughly tested in order to ensure that no new bugs are " "introduced" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1308 msgid "" "Packages might be available before the DSA is sent (in the incoming queue or " "on the mirrors)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1310 msgid "Debian is a volunteer-based project." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1312 msgid "Debian is licensed with a \"no guarantees\" clause." msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1325 msgid "" "If you want more in-depth analysis on the time it takes for the Security " "Team to work on vulnerabilities, you should consider that new DSAs (see ) published on the , and the metadata used to generate them, include " "links to vulnerability databases. You could download the sources from the " "web server (from the ) or use " "the HTML pages to determine the time that it takes for Debian to fix " "vulnerabilities and correlate this data with public databases." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:1327 msgid "How long will security updates be provided?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1332 msgid "" "The security team tries to support a stable distribution for about one year " "after the next stable distribution has been released, except when another " "stable distribution is released within this year. It is not possible to " "support three distributions; supporting two simultaneously is already " "difficult enough." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:1336 msgid "How can I check the integrity of packages?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1345 msgid "" "This process involves checking the Release file signature against the public " "key (available at , substitute 2006 for " "the current year) for the archive. The Release file contains the MD5 " "checksums of Packages and Sources files, which contain MD5 checksums of " "binary and source packages. Detailed instructions on how to check package " "integrity can be found ." msgstr "" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:1347 msgid "What to do if a random package breaks after a security update?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:3 msgid "" "First of all, you should figure out why the package breaks and how it is " "connected to the security update, then contact the security team if it is " "serious or the stable release manager if it is less serious. We're talking " "about random packages that break after a security update of a different " "package. If you can't figure out what's going wrong but have a correction, " "talk to the security team as well. You may be redirected to the stable " "release manager though." msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:13 msgid "The hardening process step by step" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:19 msgid "" "Below is a post-installation, step-by-step procedure for hardening a Debian " "2.2 GNU/Linux system. This is one possible approach to such a procedure and " "is oriented toward the hardening of network services. It is included to show " "the entire process you might use during configuration. Also, see ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:26 msgid "" "Install the system, taking into account the information regarding " "partitioning included earlier in this document. After base installation, go " "into custom install. Do not select task packages. Select shadow passwords." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:30 msgid "" "Using dselect, remove all unneeded but selected packages before " "doing [I]nstall. Keep the bare minimum of packages for the system." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:34 msgid "" "Update all software from the latest packages available at " "security.debian.org as explained previously in ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:37 msgid "" "Implement the suggestions presented in this manual regarding user quotas, " "login definitions and lilo" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:39 msgid "Make a list of services currently running on your system. Try:" msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:43 #, no-wrap msgid "" " $ ps aux\n" " $ netstat -pn -l -A inet \n" " # /usr/sbin/lsof -i | grep LISTEN" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:50 msgid "" "You will need to install lsof-2.2 for the third command " "to work (run it as root). You should be aware that lsof can " "translate the word LISTEN to your locale settings." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:56 msgid "" "In order to remove unnecessary services, first determine what package " "provides the service and how it is started. This can be accomplished by " "checking the program that listens in the socket. The following shell script, " "which uses the programs lsof and dpkg, does just " "that:" msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:67 #, no-wrap msgid "" "#!/bin/sh\n" "# FIXME: this is quick and dirty; replace with a more robust script " "snippet\n" "for i in `sudo lsof -i | grep LISTEN | cut -d \" \" -f 1 |sort -u` ; do\n" " pack=`dpkg -S $i |grep bin |cut -f 1 -d : | uniq`\n" " echo \"Service $i is installed by $pack\";\n" " init=`dpkg -L $pack |grep init.d/ `\n" " if [ ! -z \"$init\" ]; then\n" " echo \"and is run by $init\"\n" " fi\n" "done" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:74 msgid "" "Once you find any unwanted services, remove the associated package (with " "dpkg --purge), or disable the service from starting " "automatically at boot time using update-rc.d (see )." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:77 msgid "" "For inetd services (launched by the superdaemon), check which services are " "enabled in /etc/inetd.conf using:" msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:79 #, no-wrap msgid " $ grep -v \"^#\" /etc/inetd.conf | sort -u" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:85 msgid "" "Then disable those services that are not needed by commenting out the line " "that includes them in /etc/inetd.conf, removing the package, or " "using update-inetd." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:90 msgid "" "If you have wrapped services (those using /usr/sbin/tcpd), " "check that the files /etc/hosts.allow and " "/etc/hosts.deny are configured according to your service " "policy." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:96 msgid "" "If the server uses more than one external interface, depending on the " "service, you may want to limit the service to listen on a specific " "interface. For example, if you want internal FTP access only, make the FTP " "daemon listen only on your management interface, not on all interfaces (i.e., " "0.0.0.0:21)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:99 msgid "" "Re-boot the machine, or switch to single user mode and then back to " "multiuser using the commands:" msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:103 #, no-wrap msgid "" " # init 1\n" " (....)\n" " # init 2" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:108 msgid "Check the services now available, and, if necessary, repeat the steps above." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:111 msgid "" "Now install the needed services, if you have not done so already, and " "configure them properly." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:114 msgid "" "Use the following shell command to determine what user each available " "service is running as:" msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:118 #, no-wrap msgid "" " # for i in `/usr/sbin/lsof -i |grep LISTEN |cut -d \" \" -f 1 |sort -u`; " "\\\n" " > do user=`ps ef |grep $i |grep -v grep |cut -f 1 -d \" \"` ; \\\n" " > echo \"Service $i is running as user $user\"; done" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:131 msgid "" "Consider changing these services to a specific user/group and maybe " "chroot'ing them for increased security. You can do this by " "changing the /etc/init.d scripts which start the service. Most " "services in Debian use start-stop-daemon, which has options " "(--change-uid and --chroot) for accomplishing this. A word " "of warning regarding the chroot'ing of services: you may need " "to put all the files installed by the package (use dpkg -L) providing the " "service, as well as any packages it depends on, in the " "chroot'ed environment. Information about setting up a " "chroot environment for the ssh program can be " "found in ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:135 msgid "" "Repeat the steps above in order to check that only desired services are " "running and that they are running as the desired user/group combination." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:138 msgid "Test the installed services in order to see if they work as expected." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:143 msgid "" "Check the system using a vulnerability assessment scanner (like " "nessus), in order to determine vulnerabilities in the " "system (i.e., misconfiguration, old services or unneeded services)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:146 msgid "" "Install network and host intrusion measures like snort " "and logcheck." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:149 msgid "" "Repeat the network scanner step and verify that the intrusion detection " "systems are working correctly." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:153 msgid "For the truly paranoid, also consider the following:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:159 msgid "" "Add firewalling capabilities to the system, accepting incoming connections " "only to offered services and limiting outgoing connections only to those " "that are authorized." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:162 msgid "" "Re-check the installation with a new vulnerability assessment using a " "network scanner." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:166 msgid "" "Using a network scanner, check outbound connections from the system to an " "outside host and verify that unwanted connections do not find their way out." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:173 msgid "" "FIXME: this procedure considers service hardening but not system hardening " "at the user level, include information regarding checking user permissions, " "SETUID files and freezing changes in the system using the ext2 file system." msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:175 msgid "Configuration checklist" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:187 msgid "" "This appendix briefly reiterates points from other sections in this manual " "in a condensed checklist format. This is intended as a quick summary for " "someone who has already read the manual. There are other good checklists " "available, including Kurt Seifried's and ." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:189 msgid "FIXME: This is based on v1.4 of the manual and might need to be updated." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:190 msgid "Limit physical access and booting capabilities" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:192 msgid "Enable a password in the BIOS." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:193 msgid "Disable floppy/cdrom/... booting in the system's BIOS." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:197 msgid "" "Set a LILO or GRUB password (/etc/lilo.conf or " "/boot/grub/menu.lst, respectively); check that the LILO or GRUB " "configuration file is read-protected." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:200 msgid "Partitioning" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:205 msgid "" "Separate user-writable data, non-system data, and rapidly changing run-time " "data to their own partitions" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:210 msgid "" "Set nosuid,noexec,nodev mount options in /etc/fstab on " "ext2/3 partitions that should not hold binaries such as /home " "or /tmp." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:214 msgid "Password hygiene and login security" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:216 msgid "Set a good root password" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:217 msgid "Enable password shadowing and MD5" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:219 msgid "Install and use PAM" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:229 msgid "" "Add MD5 support to PAM and make sure that (generally speaking) entries in " "/etc/pam.d/ files which grant access to the machine have the " "second field in the pam.d file set to requisite or " "required." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:232 msgid "Tweak /etc/pam.d/login so as to only permit local root logins." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:237 msgid "" "Also mark authorized tty:s in /etc/security/access.conf and " "generally set up this file to limit root logins as much as possible." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:240 msgid "Add pam_limits.so if you want to set per-user limits" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:244 msgid "" "Tweak /etc/pam.d/passwd: set minimum length of passwords higher " "(6 characters maybe) and enable MD5" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:248 msgid "" "Add group wheel to /etc/group if desired; add pam_wheel.so " "group=wheel entry to /etc/pam.d/su" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:251 msgid "For custom per-user controls, use pam_listfile.so entries where appropriate" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:254 msgid "Have an /etc/pam.d/other file and set it up with tight security" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:260 msgid "" "Set up limits in /etc/security/limits.conf (note that " "/etc/limits is not used if you are using PAM)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:264 msgid "" "Tighten up /etc/login.defs; also, if you enabled MD5 and/or " "PAM, make sure you make the corresponding changes here, too" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:266 msgid "Disable root ftp access in /etc/ftpusers" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:271 msgid "" "Disable network root login; use or " ". (consider installing " "sudo)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:273 msgid "Use PAM to enforce additional constraints on logins?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:276 msgid "Other local security issues" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:280 msgid "Kernel tweaks (see )" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:283 msgid "Kernel patches (see )" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:286 msgid "" "Tighten up log file permissions (/var/log/{last,fail}log, " "Apache logs)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:289 msgid "" "Verify that SETUID checking is enabled in " "/etc/checksecurity.conf" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:293 msgid "" "Consider making some log files append-only and configuration files immutable " "using chattr (ext2/3 file systems only)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:297 msgid "" "Set up file integrity (see ). Install " "debsums" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:299 msgid "Log everything to a local printer?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:302 msgid "Burn your configuration on a boot-able CD and boot off that?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:304 msgid "Disable kernel modules?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:307 msgid "Limit network access" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:314 msgid "" "Install and configure ssh (suggest PermitRootLogin No in " "/etc/ssh/sshd_config, PermitEmptyPasswords No; note other " "suggestions in text also)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:316 msgid "Disable or remove in.telnetd, if installed" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:321 msgid "" "Generally, disable gratuitous services in /etc/inetd.conf using " "update-inetd --disable (or disable inetd " "altogether, or use a replacement such as xinetd or " "rlinetd)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:327 msgid "" "Disable other gratuitous network services; ftp, DNS, WWW etc should not be " "running if you do not need them and monitor them regularly. In most cases " "mail should be running but configured for local delivery only." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:333 msgid "" "For those services which you do need, do not just use the most common " "programs, look for more secure versions shipped with Debian (or from other " "sources). Whatever you end up running, make sure you understand the risks." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:336 msgid "Set up chroot jails for outside users and daemons." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:340 msgid "" "Configure firewall and tcpwrappers (i.e. ); note trick for /etc/hosts.deny in " "text." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:343 msgid "" "If you run ftp, set up your ftpd server to always run chroot'ed " "to the user's home directory" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:350 msgid "" "If you run X, disable xhost authentication and go with ssh " "instead; better yet, disable remote X if you can (add -nolisten tcp to the X " "command line and turn off XDMCP in /etc/X11/xdm/xdm-config by " "setting the requestPort to 0)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:352 msgid "Disable remote access to printers" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:356 msgid "" "Tunnel any IMAP or POP sessions through SSL or ssh; install " "stunnel if you want to provide this service to remote mail users" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:359 msgid "" "Set up a log host and configure other machines to send logs to this host " "(/etc/syslog.conf)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:362 msgid "" "Secure BIND, Sendmail, and other complex daemons (run in a " "chroot jail; run as a non-root pseudo-user)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:363 msgid "Install tiger or a similar network intrusion detection tool." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:364 msgid "Install snort or a similar network intrusion detection tool." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:366 msgid "Do without NIS and RPC if you can (disable portmap)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:369 msgid "Policy issues" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:377 msgid "" "Educate users about the whys and hows of your policies. When you have " "prohibited something which is regularly available on other systems, provide " "documentation which explains how to accomplish similar results using other, " "more secure means." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:381 msgid "" "Prohibit use of protocols which use clear-text passwords " "(telnet, rsh and friends; ftp, imap, http, ...)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:383 msgid "Prohibit programs which use SVGAlib." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:385 msgid "Use disk quotas." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:388 msgid "Keep informed about security issues" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:392 msgid "Subscribe to security mailing lists" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:397 msgid "" "Configure apt for security updates -- add to " "/etc/apt/sources.list an entry (or entries) for " "http://security.debian.org/" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:402 msgid "" "Also remember to periodically run apt-get update ; apt-get " "upgrade (perhaps install as a cron job?) as explained in " "." msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:409 msgid "Setting up a stand-alone IDS" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:413 msgid "" "You can easily set up a dedicated Debian system as a stand-alone Intrusion " "Detection System using snort and a web-based interface to " "analyse the intrusion detection alerts:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:417 msgid "Install a base Debian system and select no additional packages." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:420 msgid "" "Install one of the Snort versions with database support and configure the " "IDS to log alerts into the database." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:424 msgid "" "Download and install BASE (Basic Analysis and Security Engine), or ACID " "(Analysis Console for Intrusion Databases). Configure it to use the same " "database as Snort." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:427 msgid "" "Download and install the necessary packages

Typically the needed " "packages will be installed through the dependencies

." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:439 msgid "" "BASE is currently packaged for Debian in acidbase and " "ACID is packaged as acidlab

It can also be " "downloaded from , or .

. Both " "provide a graphical WWW interface to Snort's output." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:445 msgid "" "Besides the base installation you will also need a web server (such as " "apache), a PHP interpreter and a relational " "database (such as postgresql or mysql) " "where Snort will store its alerts." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:451 msgid "" "This system should be set up with at least two interfaces: one interface " "connected to a management LAN (for accessing the results and maintaining the " "system), and one interface with no IP address attached to the network " "segment being analyzed. You should configure the web server to listen only " "on the interface connected to the management LAN." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:457 msgid "" "You should configure both interfaces in the standard Debian " "/etc/network/interfaces configuration file. One (the management " "LAN) address can be configured as you would normally do. The other interface " "needs to be configured so that it is started up when the system boots, but " "with no interface address. You can use the following interface definition:" msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:464 #, no-wrap msgid "" "auto eth0\n" "iface eth0 inet manual\n" " up ifconfig $IFACE 0.0.0.0 up\n" " up ip link set $IFACE promisc on\n" " down ip link set $IFACE promisc off\n" " down ifconfig $IFACE down" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:475 msgid "" "The above configures an interface to read all the traffic on the network in " "a stealth-type configuration. This prevents the NIDS system from being a " "direct target in a hostile network since the sensors have no IP address on " "the network. Notice, however, that there have been known bugs over time in " "the sensor part of NIDS (for example see related " "to Snort), and remote buffer overflows might still be triggered by the " "packets the sensor processes, even though it has no IP address." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:480 msgid "" "You might also want to read the and the documentation available at the ." msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:482 msgid "Setting up a bridge firewall" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:518 msgid "" "This information was contributed by Francois Bayart in order to help users " "set up a Linux bridge/firewall with the 2.4.x kernel and " "iptables. Kernel patches are no longer needed, as the code " "was made a standard part of the Linux kernel distribution." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:522 msgid "" "To configure the kernel with necessary support, run make menuconfig " "or make xconfig. In the section Networking options, enable " "the following options:" msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:527 #, no-wrap msgid "" "[*] Network packet filtering (replaces ipchains)\n" "[ ] Network packet filtering debugging (NEW)\n" "<*> 802.1d Ethernet Bridging\n" "[*] netfilter (firewalling) support (NEW)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:532 msgid "" "Caution: you must disable this if you want to apply some firewalling rules " "or else iptables will not work:" msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:534 #, no-wrap msgid "[ ] Network packet filtering debugging (NEW)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:544 msgid "" "Next, add the correct options in the section IP: Netfilter " "Configuration. Then, compile and install the kernel. If you want to do " "it the Debian way, install kernel-package and " "run make-kpkg to create a custom Debian kernel package you can " "install on your server using dpkg. Once the new kernel is compiled and " "installed, install the bridge-utils package." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:549 msgid "" "Once these steps are complete, you can complete the configuration of your " "bridge. The next section presents two different possible configurations for " "the bridge, each with a hypothetical network map and the necessary commands." msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:551 msgid "A bridge providing NAT and firewall capabilities" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:555 msgid "" "The first configuration uses the bridge as a firewall with network address " "translation (NAT) that protects a server and internal LAN clients. A diagram " "of the network configuration is shown below:" msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:563 #, no-wrap msgid "" "Internet ---- router ( 62.3.3.25 ) ---- bridge (62.3.3.26 gw 62.3.3.25 / " "192.168.0.1)\n" " |\n" " |\n" " |---- WWW Server (62.3.3.27 gw " "62.3.3.25)\n" " |\n" " |\n" " LAN --- Zipowz (192.168.0.2 gw " "192.168.0.1)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:567 securing-debian-howto.en.sgml:61 en/appendix.sgml:609 msgid "The following commands show how this bridge can be configured." msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:590 #, no-wrap msgid "" "# Create the interface br0\n" "/usr/sbin/brctl addbr br0\n" "\n" "# Add the Ethernet interface to use with the bridge\n" "/usr/sbin/brctl addif br0 eth0\n" "/usr/sbin/brctl addif br0 eth1\n" "\n" "# Start up the Ethernet interface\n" "/sbin/ifconfig eth0 0.0.0.0\n" "/sbin/ifconfig eth1 0.0.0.0\n" "\n" "# Configure the bridge ethernet\n" "# The bridge will be correct and invisible ( transparent firewall ).\n" "# It's hidden in a traceroute and you keep your real gateway on the \n" "# other computers. Now if you want you can config a gateway on your \n" "# bridge and choose it as your new gateway for the other computers.\n" "\n" "/sbin/ifconfig br0 62.3.3.26 netmask 255.255.255.248 broadcast 62.3.3.31\n" "\n" "# I have added this internal IP to create my NAT \n" "ip addr add 192.168.0.1/24 dev br0\n" "/sbin/route add default gw 62.3.3.25" msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:594 msgid "A bridge providing firewall capabilities" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:597 msgid "" "A second possible configuration is a system that is set up as a transparent " "firewall for a LAN with a public IP address space." msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:605 #, no-wrap msgid "" "Internet ---- router (62.3.3.25) ---- bridge (62.3.3.26)\n" " |\n" " |\n" " |---- WWW Server (62.3.3.28 gw " "62.3.3.25)\n" " |\n" " |\n" " |---- Mail Server (62.3.3.27 gw " "62.3.3.25)" msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:628 #, no-wrap msgid "" "# Create the interface br0\n" "/usr/sbin/brctl addbr br0\n" "\n" "# Add the Ethernet interface to use with the bridge\n" "/usr/sbin/brctl addif br0 eth0\n" "/usr/sbin/brctl addif br0 eth1\n" "\n" "# Start up the Ethernet interface\n" "/sbin/ifconfig eth0 0.0.0.0\n" "/sbin/ifconfig eth1 0.0.0.0\n" "\n" "# Configure the bridge Ethernet\n" "# The bridge will be correct and invisible ( transparent firewall ).\n" "# It's hidden in a traceroute and you keep your real gateway on the \n" "# other computers. Now if you want you can config a gateway on your\n" "# bridge and choose it as your new gateway for the other computers.\n" "\n" "/sbin/ifconfig br0 62.3.3.26 netmask 255.255.255.248 broadcast 62.3.3.31" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:634 msgid "" "If you traceroute the Linux Mail Server, you won't see the bridge. If you " "want access to the bridge with ssh, you must have a gateway or " "you must first connect to another server, such as the \"Mail Server\", and " "then connect to the bridge through the internal network card." msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:638 msgid "Basic IPtables rules" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:641 msgid "" "This is an example of the basic rules that could be used for either of these " "setups." msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:678 #, no-wrap msgid "" "iptables -F FORWARD\n" "iptables -P FORWARD DROP\n" "iptables -A FORWARD -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -m state --state " "INVALID -j DROP\n" "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n" "\n" "# Some funny rules but not in a classic Iptables sorry ...\n" "# Limit ICMP \n" "# iptables -A FORWARD -p icmp -m limit --limit 4/s -j ACCEPT\n" "# Match string, a good simple method to block some VIRUS very quickly\n" "# iptables -I FORWARD -j DROP -p tcp -s 0.0.0.0/0 -m string --string " "\"cmd.exe\"\n" "\n" "# Block all MySQL connection just to be sure\n" "iptables -A FORWARD -p tcp -s 0/0 -d 62.3.3.0/24 --dport 3306 -j DROP\n" "\n" "# Linux Mail Server Rules\n" "\n" "# Allow FTP-DATA (20), FTP (21), SSH (22) \n" "iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.27/32 --dport 20:22 -j " "ACCEPT\n" "\n" "# Allow the Mail Server to connect to the outside\n" "# Note: This is *not* needed for the previous connections \n" "# (remember: stateful filtering) and could be removed.\n" "iptables -A FORWARD -p tcp -s 62.3.3.27/32 -d 0/0 -j ACCEPT\n" "\n" "# WWW Server Rules\n" "\n" "# Allow HTTP ( 80 ) connections with the WWW server\n" "iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.28/32 --dport 80 -j " "ACCEPT\n" "\n" "# Allow HTTPS ( 443 ) connections with the WWW server\n" "iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.28/32 --dport 443 -j " "ACCEPT\n" "\n" "# Allow the WWW server to go out\n" "# Note: This is *not* needed for the previous connections \n" "# (remember: stateful filtering) and could be removed.\n" "iptables -A FORWARD -p tcp -s 62.3.3.28/32 -d 0/0 -j ACCEPT" msgstr "" #. 
type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:682 msgid "Sample script to change the default Bind installation." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:691 msgid "" "This script automates the procedure for changing the bind " "version 8 name server's default installation so that it does not " "run as the superuser. Notice that bind version 9 in Debian " "already does this by default

Since version 9.2.1-5. That is, " "since Debian release sarge.

, and you are much " "better using that version than bind version 8." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:698 msgid "" "This script is here for historical purposes and to show how you can automate " "this kind of changes system-wide. The script will create the user and groups " "defined for the name server and will modify both " "/etc/default/bind and /etc/init.d/bind so that the " "program will run with that user. Use with extreme care since it has not been " "tested thoroughly." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:703 msgid "" "You can also create the users manually and use the patch available for the " "default init.d script attached to ." msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:848 #, no-wrap msgid "" " #!/bin/sh\n" " # Change the default Debian bind v8 configuration to have it run\n" " # with a non-root user and group.\n" " # \n" " # DO NOT USER this with version 9, use debconf for configure this " "instead\n" " #\n" " # WARN: This script has not been tested thoroughly, please\n" " # verify the changes made to the INITD script\n" "\n" " # (c) 2002 Javier Fernández-Sanguino Peña\n" " #\n" " # This program is free software; you can redistribute it and/or " "modify\n" " # it under the terms of the GNU General Public License as published " "by\n" " # the Free Software Foundation; either version 1, or (at your option)\n" " # any later version.\n" " #\n" " # This program is distributed in the hope that it will be useful,\n" " # but WITHOUT ANY WARRANTY; without even the implied warranty of\n" " # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n" " # GNU General Public License for more details.\n" " #\n" " # Please see the file `COPYING' for the complete copyright notice.\n" " #\n" "\n" " restore() {\n" " # Just in case, restore the system if the changes fail\n" " echo \"WARN: Restoring to the previous setup since I'm unable to " "properly change it.\"\n" " echo \"WARN: Please check the $INITDERR script.\"\n" " mv $INITD $INITDERR\n" " cp $INITDBAK $INITD\n" " }\n" "\n" "\n" " USER=named\n" " GROUP=named\n" " INITD=/etc/init.d/bind\n" " DEFAULT=/etc/default/bind\n" " INITDBAK=$INITD.preuserchange\n" " INITDERR=$INITD.changeerror\n" " AWKS=\"awk ' /\\/usr\\/sbin\\/ndc reload/ { print \\\"stop; sleep 2; " "start;\\\"; noprint = 1; } /\\\\\\\\$/ { if ( noprint != 0 ) { noprint = " "noprint + 1;} } /^.*$/ { if ( noprint != 0 ) { noprint = noprint - 1; } else " "{ print \\$0; } } '\"\n" "\n" " [ `id -u` -ne 0 ] && {\n" " echo \"This program must be run by the root user\"\n" " exit 1\n" " }\n" "\n" " RUNUSER=`ps eo user,fname |grep named |cut -f 1 -d \" \"`\n" "\n" " if [ \"$RUNUSER\" = \"$USER\" ] \n" " then\n" " echo \"WARN: The name server running daemon is already running as " "$USER\"\n" " echo \"ERR: This script will not do any changes to your setup.\"\n" " exit 1\n" " fi\n" " if [ ! 
-f \"$INITD\" ]\n" " then\n" " echo \"ERR: This system does not have $INITD (which this script tries " "to change)\"\n" " RUNNING=`ps eo fname |grep named`\n" " [ -z \"$RUNNING\" ] && \\\n" " echo \"ERR: In fact the name server daemon is not even running (is it " "installed?)\"\n" " echo \"ERR: No changes will be made to your system\"\n" " exit 1\n" " fi\n" "\n" " # Check if there are options already setup \n" " if [ -e \"$DEFAULT\" ]\n" " then\n" " if grep -q ^OPTIONS $DEFAULT; then\n" " echo \"ERR: The $DEFAULT file already has options set.\"\n" " echo \"ERR: No changes will be made to your system\"\n" " fi\n" " fi\n" "\n" " # Check if named group exists\n" " if [ -z \"`grep $GROUP /etc/group`\" ] \n" " then\n" " echo \"Creating group $GROUP:\"\n" " addgroup $GROUP\n" " else\n" " echo \"WARN: Group $GROUP already exists. Will not create it\"\n" " fi\n" " # Same for the user\n" " if [ -z \"`grep $USER /etc/passwd`\" ] \n" " then\n" " echo \"Creating user $USER:\"\n" " adduser --system --home /home/$USER \\\n" " --no-create-home --ingroup $GROUP \\\n" " --disabled-password --disabled-login $USER\n" " else\n" " echo \"WARN: The user $USER already exists. Will not create it\"\n" " fi\n" "\n" " # Change the init.d script\n" "\n" " # First make a backup (check that there is not already\n" " # one there first)\n" " if [ ! -f $INITDBAK ] \n" " then\n" " cp $INITD $INITDBAK\n" " fi\n" "\n" " # Then use it to change it\n" " cat $INITDBAK |\n" " eval $AWKS > $INITD\n" "\n" " # Now put the options in the /etc/default/bind file:\n" " cat >>$DEFAULT <<EOF\n" "# Make bind run with the user we defined\n" "OPTIONS=\"-u $USER -g $GROUP\"\n" "EOF\n" "\n" " echo \"WARN: The script $INITD has been changed, trying to test the " "changes.\"\n" " echo \"Restarting the named daemon (check for errors here).\"\n" "\n" " $INITD restart\n" " if [ $? 
-ne 0 ] \n" " then\n" " echo \"ERR: Failed to restart the daemon.\"\n" " restore\n" " exit 1\n" " fi\n" "\n" " RUNNING=`ps eo fname |grep named`\n" " if [ -z \"$RUNNING\" ] \n" " then\n" " echo \"ERR: Named is not running, probably due to a problem with the " "changes.\"\n" " restore\n" " exit 1\n" " fi\n" "\n" " # Check if it's running as expected\n" " RUNUSER=`ps eo user,fname |grep named |cut -f 1 -d \" \"`\n" "\n" " if [ \"$RUNUSER\" = \"$USER\" ] \n" " then\n" " echo \"All has gone well, named seems to be running now as $USER.\"\n" " else\n" " echo \"ERR: The script failed to automatically change the system.\"\n" " echo \"ERR: Named is currently running as $RUNUSER.\"\n" " restore\n" " exit 1\n" " fi\n" "\n" " exit 0" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:854 msgid "" "The previous script, run on Woody's (Debian 3.0) custom bind " "(version 8), will modify the initd file after creating the 'named' user and " "group and will" msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:856 msgid "Security update protected by a firewall" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:862 msgid "" "After a standard installation, a system may still have some security " "vulnerabilities. Unless you can download updates for the vulnerable packages " "on another system (or you have mirrored security.debian.org for local use), " "the system will have to be connected to the Internet for the downloads." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:870 msgid "" "However, as soon as you connect to the Internet you are exposing this " "system. If one of your local services is vulnerable, you might be " "compromised even before the update is finished! This may seem paranoid but, " "in fact, analysis from the has shown that systems can be compromised in less " "than three days, even if the system is not publicly known (i.e., not " "published in DNS records)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:878 msgid "" "When doing an update on a system not protected by an external system like a " "firewall, it is possible to properly configure your local firewall to " "restrict connections involving only the security update itself. The example " "below shows how to set up such local firewall capabilities, which allow " "connections from security.debian.org only, logging all others." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:882 msgid "" "The following example can be used to set up a restricted firewall ruleset. Run " "these commands from a local console (not a remote one) to reduce the chances " "of locking yourself out of the system." msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:915 #, no-wrap msgid "" " # iptables -F\n" " # iptables -L\n" " Chain INPUT (policy ACCEPT)\n" " target prot opt source destination\n" "\n" " Chain FORWARD (policy ACCEPT)\n" " target prot opt source destination\n" "\n" " Chain OUTPUT (policy ACCEPT)\n" " target prot opt source destination\n" " # iptables -A OUTPUT -d security.debian.org --dport 80 -j ACCEPT\n" " # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n" " # iptables -A INPUT -p icmp -j ACCEPT\n" " # iptables -A INPUT -j LOG\n" " # iptables -A OUTPUT -j LOG\n" " # iptables -P INPUT DROP\n" " # iptables -P FORWARD DROP\n" " # iptables -P OUTPUT DROP\n" " # iptables -L\n" " Chain INPUT (policy DROP)\n" " target prot opt source destination\n" " ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state " "RELATED,ESTABLISHED\n" " ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0\n" " LOG all -- anywhere anywhere LOG level " "warning\n" "\n" " Chain FORWARD (policy DROP)\n" " target prot opt source destination\n" "\n" " Chain OUTPUT (policy DROP)\n" " target prot opt source destination\n" " ACCEPT 80 -- anywhere security.debian.org\n" " LOG all -- anywhere anywhere LOG level " "warning" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:953 msgid "" "Note: Using a DROP policy in the INPUT chain is the most correct " "thing to do, but be very careful when doing this after flushing the " "chain from a remote connection. When testing firewall rulesets from a remote " "location it is best if you run a script with the firewall ruleset (instead " "of introducing the ruleset line by line through the command line) and, as a " "precaution, keep a backdoor

Such as " "knockd. Alternatively, you can open a different console and have " "the system ask for confirmation that there is somebody on the other side, " "and reset the firewall chain if no confirmation is given. The following test " "script could be of use: #!/bin/bash while true; do read -n 1 -p " "\"Are you there? \" -t 30 ayt if [ -z \"$ayt\" ] ; then break fi done # " "Reset the firewall chain, user is not available echo echo \"Resetting " "firewall chain!\" iptables -F iptables -P INPUT ACCEPT iptables -P FORWARD " "ACCEPT iptables -P OUTPUT ACCEPT exit 1

Of course, you " "should disable any backdoors before getting the system into " "production.

configured so that you can re-enable access to " "the system if you make a mistake. That way there would be no need to go to a " "remote location to fix a firewall ruleset that blocks you." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:958 msgid "" "FIXME: This needs DNS to be working properly since it is required for " "security.debian.org to work. You can add security.debian.org to /etc/hosts " "but now it is a CNAME to several hosts (there is more than one security " "mirror)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:961 msgid "" "FIXME: this will only work with HTTP URLs since ftp might need the " "ip_conntrack_ftp module, or use passive mode." msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:963 msgid "Chroot environment for SSH" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:966 msgid "" "Creating a restricted environment for SSH is a tough job due to " "its dependencies and the fact that, unlike other servers, SSH " "provides a remote shell to users. Thus, you will also have to consider the " "applications users will be allowed to use in the environment." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:970 msgid "You have two options to set up a restricted remote shell:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:975 msgid "" "Chrooting the ssh users: by properly configuring the ssh daemon you can ask " "it to chroot a user after authentication, just before it is given a " "shell. Each user can have their own environment." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:978 msgid "" "Chrooting the ssh server: since you chroot the ssh application itself, all " "users are chrooted to the defined environment." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:990 msgid "" "The first option has the advantage of making it possible to have both " "non-chrooted and chrooted users; if you don't introduce any setuid " "application in the users' chroots it is more difficult to break out of " "them. However, you might need to set up individual chroots for each user and it " "is more difficult to set up (as it requires cooperation from the SSH " "server). The second option is easier to set up, and protects from an " "exploitation of the ssh server itself (since it's also in the chroot) but it " "will have the limitation that all users will share the same chroot " "environment (you cannot set up a per-user chroot environment)." msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:992 msgid "Chrooting the ssh users" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:995 msgid "" "You can set up the ssh server so that it will chroot a set of defined users " "into a shell with a limited set of applications available." msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:997 msgid "Using libpam-chroot" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1000 msgid "" "Probably the easiest way is to use the libpam-chroot " "package provided in Debian. Once you install it you need to:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1005 msgid "" "Modify /etc/pam.d/ssh to use this PAM module, add as its last " "line

You can use the debug option to have it send the " "progress of the module to the authpriv.notice " "facility

:" msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1007 #, no-wrap msgid "session required pam_chroot.so" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1041 msgid "" "set a proper chroot environment for the user. You can try using the scripts " "available at /usr/share/doc/libpam-chroot/examples/, use the " "makejail

You can create a very limited bash " "environment with the following python definition for makejail, just create " "the directory /var/chroots/users/foo and a file with the " "following contents and call it bash.py: " "chroot=\"/var/chroots/users/foo\" cleanJailFirst=1 " "testCommandsInsideJail=[\"bash ls\"]

And then run " "makejail bash.py to create the user environment at " "/var/chroots/users/foo. To test the environment run: # " "chroot /var/chroots/users/foo/ ls bin dev etc lib proc sbin " "usr

program or setup a minimum Debian environment " "with debootstrap. Make sure the environment includes the " "needed devices

In some occasions you might need the " "/dev/ptmx and /dev/pty* devices and the " "/dev/pts/ subdirectory. Running MAKEDEV in the " "/dev directory of the chrooted environment should be sufficient " "to create them if they do not exist. If you are using kernels (version 2.6) " "which dynamically create device files you will need to create the /dev/pts/ " "files yourself and grant them the proper privileges.

." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1047 msgid "" "Configure /etc/security/chroot.conf so that the users you " "determine are chrooted to the directory you set up previously. You might want " "to have independent directories for different users so that they will not be " "able to see either the whole system or each other's." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1055 msgid "" "Configure SSH: Depending on your OpenSSH version the chroot environment " "might work straight out of the box or not. Since 3.6.1p2 the " "do_pam_session() function is called after sshd has dropped " "privileges; since chroot() needs root privileges it will not work with " "Privilege separation on. In newer OpenSSH versions, however, the PAM code " "has been modified and do_pam_session is called before dropping privileges, " "so it will work even when Privilege separation is on. If you have to disable " "it, modify /etc/ssh/sshd_config like this:" msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1057 #, no-wrap msgid "UsePrivilegeSeparation no" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1069 msgid "" "Notice that this will lower the security of your system since the OpenSSH " "server will then run as root user. This means that if a remote " "attack is found against OpenSSH an attacker will get root " "privileges instead of sshd, thus compromising the whole " "system.

If you are using a kernel that implements Mandatory " "Access Control (RSBAC/SElinux) you can avoid changing this configuration " "just by granting the sshd user privileges to make the chroot() " "system call.

" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1075 msgid "" "If you don't disable Privilege Separation you will need an " "/etc/passwd which includes the user's UID inside the chroot for " "Privilege Separation to work properly." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1080 msgid "" "If you have Privilege Separation set to yes and " "your OpenSSH version does not behave properly you will need to disable " "it. If you don't, users that try to connect to your server and would be " "chrooted by this module will see this:" msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1085 #, no-wrap msgid "" "$ ssh -l user server\n" "user@server's password:\n" "Connection to server closed by remote host.\n" "Connection to server closed." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1092 msgid "" "This is because the ssh daemon, which is running as 'sshd', is not able " "to make the chroot() system call. To disable Privilege separation you have " "to modify the /etc/ssh/sshd_config configuration file as " "described above." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1095 msgid "" "Notice that if any of the following is missing the users will not be able to " "logon to the chroot:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1100 msgid "The /proc filesystem needs to be mounted in the users' chroot." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1104 msgid "" "The necessary /dev/pts/ devices need to exist. If the files are " "generated by your running kernel automatically then you have to manually " "create them on the chroot's /dev/." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1107 msgid "" "The user's home directory has to exist in the chroot, otherwise the ssh " "daemon will not continue." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1113 msgid "" "You can debug all these issues if you use the debug keyword in the " "/etc/pam.d/ssh PAM definition. If you encounter issues you " "might find it useful to enable the debugging mode on the ssh client too." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1117 msgid "" "Note: This information is also available (and maybe more up to date) in " "/usr/share/doc/libpam-chroot/README.Debian.gz, please review it " "for updated information before taking the above steps." msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1121 msgid "Patching the ssh server" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1142 msgid "" "Debian's sshd does not allow restriction of a user's movement " "through the server, since it lacks the chroot function that the " "commercial program sshd2 includes (using 'ChrootGroups' or " "'ChrootUsers', see ). However, " "there is a patch available to add this functionality available from " "(requested and available in Debian). The patch may be included in future " "releases of the OpenSSH package. Emmanuel Lacour has ssh deb " "packages for sarge with this feature. They are available at . Notice that those might not be " "up to date, so completing the compilation step is recommended." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1146 msgid "" "After applying the patch, modify /etc/passwd by changing the " "home path of the users (with the special /./ token):" msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1148 #, no-wrap msgid " joeuser:x:1099:1099:Joe Random User:/home/joe/./:/bin/bash" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1153 msgid "" "This will restrict both remote shell access, as well as remote copy " "through the ssh channel." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1158 msgid "" "Make sure to have all the needed binaries and libraries in the " "chroot'ed path for users. These files should be owned by root " "to avoid tampering by the user (so as to exit the chroot'ed " "jailed). A sample might include:" msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1170 #, no-wrap msgid "" "./bin:\n" "total 660\n" "drwxr-xr-x 2 root root 4096 Mar 18 13:36 .\n" "drwxr-xr-x 8 guest guest 4096 Mar 15 16:53 ..\n" "-r-xr-xr-x 1 root root 531160 Feb 6 22:36 bash\n" "-r-xr-xr-x 1 root root 43916 Nov 29 13:19 ls\n" "-r-xr-xr-x 1 root root 16684 Nov 29 13:19 mkdir\n" "-rwxr-xr-x 1 root root 23960 Mar 18 13:36 more\n" "-r-xr-xr-x 1 root root 9916 Jul 26 2001 pwd\n" "-r-xr-xr-x 1 root root 24780 Nov 29 13:19 rm\n" "lrwxrwxrwx 1 root root 4 Mar 30 16:29 sh -> bash" msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1180 #, no-wrap msgid "" "./etc:\n" "total 24\n" "drwxr-xr-x 2 root root 4096 Mar 15 16:13 .\n" "drwxr-xr-x 8 guest guest 4096 Mar 15 16:53 ..\n" "-rw-r--r-- 1 root root 54 Mar 15 13:23 group\n" "-rw-r--r-- 1 root root 428 Mar 15 15:56 hosts\n" "-rw-r--r-- 1 root root 44 Mar 15 15:53 passwd\n" "-rw-r--r-- 1 root root 52 Mar 15 13:23 shells" msgstr "" #. 
type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1199 #, no-wrap msgid "" "./lib:\n" "total 1848\n" "drwxr-xr-x 2 root root 4096 Mar 18 13:37 .\n" "drwxr-xr-x 8 guest guest 4096 Mar 15 16:53 ..\n" "-rwxr-xr-x 1 root root 92511 Mar 15 12:49 ld-linux.so.2\n" "-rwxr-xr-x 1 root root 1170812 Mar 15 12:49 libc.so.6\n" "-rw-r--r-- 1 root root 20900 Mar 15 13:01 libcrypt.so.1\n" "-rw-r--r-- 1 root root 9436 Mar 15 12:49 libdl.so.2\n" "-rw-r--r-- 1 root root 248132 Mar 15 12:48 libncurses.so.5\n" "-rw-r--r-- 1 root root 71332 Mar 15 13:00 libnsl.so.1\n" "-rw-r--r-- 1 root root 34144 Mar 15 16:10\n" "libnss_files.so.2\n" "-rw-r--r-- 1 root root 29420 Mar 15 12:57 libpam.so.0\n" "-rw-r--r-- 1 root root 105498 Mar 15 12:51 libpthread.so.0\n" "-rw-r--r-- 1 root root 25596 Mar 15 12:51 librt.so.1\n" "-rw-r--r-- 1 root root 7760 Mar 15 12:59 libutil.so.1\n" "-rw-r--r-- 1 root root 24328 Mar 15 12:57 libwrap.so.0" msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1207 #, no-wrap msgid "" "./usr:\n" "total 16\n" "drwxr-xr-x 4 root root 4096 Mar 15 13:00 .\n" "drwxr-xr-x 8 guest guest 4096 Mar 15 16:53 ..\n" "drwxr-xr-x 2 root root 4096 Mar 15 15:55 bin\n" "drwxr-xr-x 2 root root 4096 Mar 15 15:37 lib" msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1219 #, no-wrap msgid "" "./usr/bin:\n" "total 340\n" "drwxr-xr-x 2 root root 4096 Mar 15 15:55 .\n" "drwxr-xr-x 4 root root 4096 Mar 15 13:00 ..\n" "-rwxr-xr-x 1 root root 10332 Mar 15 15:55 env\n" "-rwxr-xr-x 1 root root 13052 Mar 15 13:13 id\n" "-r-xr-xr-x 1 root root 25432 Mar 15 12:40 scp\n" "-rwxr-xr-x 1 root root 43768 Mar 15 15:15 sftp\n" "-r-sr-xr-x 1 root root 218456 Mar 15 12:40 ssh\n" "-rwxr-xr-x 1 root root 9692 Mar 15 13:17 tty" msgstr "" #. 
type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1229 #, no-wrap msgid "" "./usr/lib:\n" "total 852\n" "drwxr-xr-x 2 root root 4096 Mar 15 15:37 .\n" "drwxr-xr-x 4 root root 4096 Mar 15 13:00 ..\n" "-rw-r--r-- 1 root root 771088 Mar 15 13:01\n" "libcrypto.so.0.9.6\n" "-rw-r--r-- 1 root root 54548 Mar 15 13:00 libz.so.1\n" "-rwxr-xr-x 1 root root 23096 Mar 15 15:37 sftp-server" msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1236 msgid "Chrooting the ssh server" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1240 msgid "" "If you create a chroot which includes the SSH server files in, for example " "/var/chroot/ssh, you would start the ssh server " "chroot'ed with this command:" msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1242 #, no-wrap msgid " # chroot /var/chroot/ssh /sbin/sshd -f /etc/sshd_config" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1253 msgid "" "That would start the sshd daemon inside the chroot. In " "order to do that you have to first prepare the contents of the " "/var/chroot/ssh directory so that it includes both the SSH " "server and all the utilities that the users connecting to that server might " "need. If you are doing this you should make certain that OpenSSH uses " "Privilege Separation (which is the default) by having the following " "line in the configuration file /etc/ssh/sshd_config:" msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1255 #, no-wrap msgid "UsePrivilegeSeparation yes" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1263 msgid "" "That way the remote daemon will do as few things as possible as the root " "user, so even if there is a bug in it, it will not compromise the " "chroot. Notice that, unlike the case in which you set up a per-user chroot, " "the ssh daemon is running in the same chroot as the users, so there is at " "least one potential process running as root which could break out of the " "chroot." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1269 msgid "" "Notice, also, that in order for SSH to work in that location, the partition " "where the chroot directory resides cannot be mounted with the nodev " "option. If you use that option, then you will get the following error: " "PRNG is not seeded, because /dev/urandom does not work " "in the chroot." msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1271 msgid "Setup a minimal system (the really easy way)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1282 msgid "" "You can use debootstrap to set up a minimal environment " "that just includes the ssh server. In order to do this you just have to " "create a chroot as described in the document. This method is " "bound to work (you will get all the necessary components for the chroot) " "but at the cost of disk space (a minimal installation of Debian will amount " "to several hundred megabytes). This minimal system might also include setuid " "files that a user in the chroot could use to break out of the chroot if any " "of those could be used for a privilege escalation." msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1286 msgid "Automatically making the environment (the easy way)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1291 msgid "" "You can easily create a restricted environment with the " "makejail package, since it automatically takes care of " "tracing the server daemon (with strace), and makes it run under " "the restricted environment." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1296 msgid "" "The advantage of programs that automatically generate chroot " "environments is that they are capable of copying any package to the " "chroot environment (even following the package's dependencies " "and making sure it's complete). Thus, providing user applications is easier." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1299 msgid "" "To set up the environment using makejail's provided examples, " "just create /var/chroot/sshd and use the command:" msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1301 #, no-wrap msgid " # makejail /usr/share/doc/makejail/examples/sshd.py" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1306 msgid "" "This will setup the chroot in the /var/chroot/sshd " "directory. Notice that this chroot will not fully work unless you:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1310 msgid "" "Mount the procfs filesystem in " "/var/chroot/sshd/proc. Makejail will mount it for " "you but if the system reboots you need to remount it by running:" msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1312 #, no-wrap msgid "# mount -t proc proc /var/chroot/sshd/proc" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1317 msgid "" "You can also have it be mounted automatically by editing " "/etc/fstab and including this line:" msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1319 #, no-wrap msgid "proc-ssh /var/chroot/sshd/proc proc none 0 0" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1326 msgid "" "Have syslog listen to the device /dev/log inside the chroot. In " "order to do this you have to modify /etc/default/syslogd and add " "-a /var/chroot/sshd/dev/log to the SYSLOGD " "variable definition." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1336 msgid "" "Read the sample file to see what other changes need to be made to the " "environment. Some of these changes, such as copying user's home directories, " "cannot be done automatically. Also, limit the exposure of sensitive " "information by only copying the data from a given number of users from the " "files /etc/shadow or /etc/group. Notice that if " "you are using Privilege Separation the sshd user needs to exist in " "those files." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1340 msgid "" "The following sample environment has been (slightly) tested in Debian 3.0 " "and is built with the configuration file provided in the package and " "includes the fileutils package:" msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1528 #, no-wrap msgid "" ".\n" "|-- bin\n" "| |-- ash\n" "| |-- bash\n" "| |-- chgrp\n" "| |-- chmod\n" "| |-- chown\n" "| |-- cp\n" "| |-- csh -> /etc/alternatives/csh\n" "| |-- dd\n" "| |-- df\n" "| |-- dir\n" "| |-- fdflush\n" "| |-- ksh\n" "| |-- ln\n" "| |-- ls\n" "| |-- mkdir\n" "| |-- mknod\n" "| |-- mv\n" "| |-- rbash -> bash\n" "| |-- rm\n" "| |-- rmdir\n" "| |-- sh -> bash\n" "| |-- sync\n" "| |-- tcsh\n" "| |-- touch\n" "| |-- vdir\n" "| |-- zsh -> /etc/alternatives/zsh\n" "| `-- zsh4\n" "|-- dev\n" "| |-- null\n" "| |-- ptmx\n" "| |-- pts\n" "| |-- ptya0\n" "(...)\n" "| |-- tty\n" "| |-- tty0\n" "(...)\n" "| `-- urandom\n" "|-- etc\n" "| |-- alternatives\n" "| | |-- csh -> /bin/tcsh\n" "| | `-- zsh -> /bin/zsh4\n" "| |-- environment\n" "| |-- hosts\n" "| |-- hosts.allow\n" "| |-- hosts.deny\n" "| |-- ld.so.conf\n" "| |-- localtime -> /usr/share/zoneinfo/Europe/Madrid\n" "| |-- motd\n" "| |-- nsswitch.conf\n" "| |-- pam.conf\n" "| |-- pam.d\n" "| | |-- other\n" "| | `-- ssh\n" "| |-- passwd\n" "| |-- resolv.conf\n" "| |-- security\n" "| | |-- access.conf\n" "| | |-- chroot.conf\n" "| | |-- group.conf\n" "| | |-- limits.conf\n" "| | |-- pam_env.conf\n" "| | `-- time.conf\n" "| |-- shadow\n" "| |-- shells\n" "| `-- ssh\n" "| |-- moduli\n" "| |-- ssh_host_dsa_key\n" "| |-- ssh_host_dsa_key.pub\n" "| |-- ssh_host_rsa_key\n" "| |-- ssh_host_rsa_key.pub\n" "| `-- sshd_config\n" "|-- home\n" "| `-- userX\n" "|-- lib\n" "| |-- ld-2.2.5.so\n" "| |-- ld-linux.so.2 -> ld-2.2.5.so\n" "| |-- libc-2.2.5.so\n" "| |-- libc.so.6 -> libc-2.2.5.so\n" "| |-- libcap.so.1 -> libcap.so.1.10\n" "| |-- libcap.so.1.10\n" "| |-- libcrypt-2.2.5.so\n" "| |-- 
libcrypt.so.1 -> libcrypt-2.2.5.so\n" "| |-- libdl-2.2.5.so\n" "| |-- libdl.so.2 -> libdl-2.2.5.so\n" "| |-- libm-2.2.5.so\n" "| |-- libm.so.6 -> libm-2.2.5.so\n" "| |-- libncurses.so.5 -> libncurses.so.5.2\n" "| |-- libncurses.so.5.2\n" "| |-- libnsl-2.2.5.so\n" "| |-- libnsl.so.1 -> libnsl-2.2.5.so\n" "| |-- libnss_compat-2.2.5.so\n" "| |-- libnss_compat.so.2 -> libnss_compat-2.2.5.so\n" "| |-- libnss_db-2.2.so\n" "| |-- libnss_db.so.2 -> libnss_db-2.2.so\n" "| |-- libnss_dns-2.2.5.so\n" "| |-- libnss_dns.so.2 -> libnss_dns-2.2.5.so\n" "| |-- libnss_files-2.2.5.so\n" "| |-- libnss_files.so.2 -> libnss_files-2.2.5.so\n" "| |-- libnss_hesiod-2.2.5.so\n" "| |-- libnss_hesiod.so.2 -> libnss_hesiod-2.2.5.so\n" "| |-- libnss_nis-2.2.5.so\n" "| |-- libnss_nis.so.2 -> libnss_nis-2.2.5.so\n" "| |-- libnss_nisplus-2.2.5.so\n" "| |-- libnss_nisplus.so.2 -> libnss_nisplus-2.2.5.so\n" "| |-- libpam.so.0 -> libpam.so.0.72\n" "| |-- libpam.so.0.72\n" "| |-- libpthread-0.9.so\n" "| |-- libpthread.so.0 -> libpthread-0.9.so\n" "| |-- libresolv-2.2.5.so\n" "| |-- libresolv.so.2 -> libresolv-2.2.5.so\n" "| |-- librt-2.2.5.so\n" "| |-- librt.so.1 -> librt-2.2.5.so\n" "| |-- libutil-2.2.5.so\n" "| |-- libutil.so.1 -> libutil-2.2.5.so\n" "| |-- libwrap.so.0 -> libwrap.so.0.7.6\n" "| |-- libwrap.so.0.7.6\n" "| `-- security\n" "| |-- pam_access.so\n" "| |-- pam_chroot.so\n" "| |-- pam_deny.so\n" "| |-- pam_env.so\n" "| |-- pam_filter.so\n" "| |-- pam_ftp.so\n" "| |-- pam_group.so\n" "| |-- pam_issue.so\n" "| |-- pam_lastlog.so\n" "| |-- pam_limits.so\n" "| |-- pam_listfile.so\n" "| |-- pam_mail.so\n" "| |-- pam_mkhomedir.so\n" "| |-- pam_motd.so\n" "| |-- pam_nologin.so\n" "| |-- pam_permit.so\n" "| |-- pam_rhosts_auth.so\n" "| |-- pam_rootok.so\n" "| |-- pam_securetty.so\n" "| |-- pam_shells.so\n" "| |-- pam_stress.so\n" "| |-- pam_tally.so\n" "| |-- pam_time.so\n" "| |-- pam_unix.so\n" "| |-- pam_unix_acct.so -> pam_unix.so\n" "| |-- pam_unix_auth.so -> pam_unix.so\n" "| |-- 
pam_unix_passwd.so -> pam_unix.so\n" "| |-- pam_unix_session.so -> pam_unix.so\n" "| |-- pam_userdb.so\n" "| |-- pam_warn.so\n" "| `-- pam_wheel.so\n" "|-- sbin\n" "| `-- start-stop-daemon\n" "|-- usr\n" "| |-- bin\n" "| | |-- dircolors\n" "| | |-- du\n" "| | |-- install\n" "| | |-- link\n" "| | |-- mkfifo\n" "| | |-- shred\n" "| | |-- touch -> /bin/touch\n" "| | `-- unlink\n" "| |-- lib\n" "| | |-- libcrypto.so.0.9.6\n" "| | |-- libdb3.so.3 -> libdb3.so.3.0.2\n" "| | |-- libdb3.so.3.0.2\n" "| | |-- libz.so.1 -> libz.so.1.1.4\n" "| | `-- libz.so.1.1.4\n" "| |-- sbin\n" "| | `-- sshd\n" "| `-- share\n" "| |-- locale\n" "| | `-- es\n" "| | |-- LC_MESSAGES\n" "| | | |-- fileutils.mo\n" "| | | |-- libc.mo\n" "| | | `-- sh-utils.mo\n" "| | `-- LC_TIME -> LC_MESSAGES\n" "| `-- zoneinfo\n" "| `-- Europe\n" "| `-- Madrid\n" "`-- var\n" " `-- run\n" " |-- sshd\n" " `-- sshd.pid\n" "\n" "27 directories, 733 files" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1534 msgid "" "For Debian release 3.1 you have to make sure that the environment includes " "also the common files for PAM. The following files need to be copied over to " "the chroot if makejail did not do it for you:" msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1538 #, no-wrap msgid "" "$ ls /etc/pam.d/common-*\n" "/etc/pam.d/common-account /etc/pam.d/common-password\n" "/etc/pam.d/common-auth /etc/pam.d/common-session" msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1547 msgid "Manually creating the environment (the hard way)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1563 msgid "" "It is possible to create an environment, using a trial-and-error method, by " "monitoring the sshd server traces and log files in order to " "determine the necessary files. The following environment, contributed by " "José Luis Ledesma, is a sample listing of files in a chroot " "environment for ssh in Debian woody (3.0):

Notice " "that there are no SETUID files. This makes it more difficult for remote " "users to escape the chroot environment. However, it also " "prevents users from changing their passwords, since the passwd " "program cannot modify the files /etc/passwd or " "/etc/shadow.

" msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1804 #, no-wrap msgid "" ".:\n" "total 36\n" "drwxr-xr-x 9 root root 4096 Jun 5 10:05 ./\n" "drwxr-xr-x 11 root root 4096 Jun 3 13:43 ../\n" "drwxr-xr-x 2 root root 4096 Jun 4 12:13 bin/\n" "drwxr-xr-x 2 root root 4096 Jun 4 12:16 dev/\n" "drwxr-xr-x 4 root root 4096 Jun 4 12:35 etc/\n" "drwxr-xr-x 3 root root 4096 Jun 4 12:13 lib/\n" "drwxr-xr-x 2 root root 4096 Jun 4 12:35 sbin/\n" "drwxr-xr-x 2 root root 4096 Jun 4 12:32 tmp/\n" "drwxr-xr-x 2 root root 4096 Jun 4 12:16 usr/\n" "./bin:\n" "total 8368\n" "drwxr-xr-x 2 root root 4096 Jun 4 12:13 ./\n" "drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../\n" "-rwxr-xr-x 1 root root 109855 Jun 3 13:45 a2p*\n" "-rwxr-xr-x 1 root root 387764 Jun 3 13:45 bash*\n" "-rwxr-xr-x 1 root root 36365 Jun 3 13:45 c2ph*\n" "-rwxr-xr-x 1 root root 20629 Jun 3 13:45 dprofpp*\n" "-rwxr-xr-x 1 root root 6956 Jun 3 13:46 env*\n" "-rwxr-xr-x 1 root root 158116 Jun 3 13:45 fax2ps*\n" "-rwxr-xr-x 1 root root 104008 Jun 3 13:45 faxalter*\n" "-rwxr-xr-x 1 root root 89340 Jun 3 13:45 faxcover*\n" "-rwxr-xr-x 1 root root 441584 Jun 3 13:45 faxmail*\n" "-rwxr-xr-x 1 root root 96036 Jun 3 13:45 faxrm*\n" "-rwxr-xr-x 1 root root 107000 Jun 3 13:45 faxstat*\n" "-rwxr-xr-x 1 root root 77832 Jun 4 11:46 grep*\n" "-rwxr-xr-x 1 root root 19597 Jun 3 13:45 h2ph*\n" "-rwxr-xr-x 1 root root 46979 Jun 3 13:45 h2xs*\n" "-rwxr-xr-x 1 root root 10420 Jun 3 13:46 id*\n" "-rwxr-xr-x 1 root root 4528 Jun 3 13:46 ldd*\n" "-rwxr-xr-x 1 root root 111386 Jun 4 11:46 less*\n" "-r-xr-xr-x 1 root root 26168 Jun 3 13:45 login*\n" "-rwxr-xr-x 1 root root 49164 Jun 3 13:45 ls*\n" "-rwxr-xr-x 1 root root 11600 Jun 3 13:45 mkdir*\n" "-rwxr-xr-x 1 root root 24780 Jun 3 13:45 more*\n" "-rwxr-xr-x 1 root root 154980 Jun 3 13:45 pal2rgb*\n" "-rwxr-xr-x 1 root root 27920 Jun 3 13:46 passwd*\n" "-rwxr-xr-x 1 root root 4241 Jun 3 13:45 pl2pm*\n" "-rwxr-xr-x 1 root root 2350 Jun 3 13:45 pod2html*\n" "-rwxr-xr-x 1 
root root 7875 Jun 3 13:45 pod2latex*\n" "-rwxr-xr-x 1 root root 17587 Jun 3 13:45 pod2man*\n" "-rwxr-xr-x 1 root root 6877 Jun 3 13:45 pod2text*\n" "-rwxr-xr-x 1 root root 3300 Jun 3 13:45 pod2usage*\n" "-rwxr-xr-x 1 root root 3341 Jun 3 13:45 podchecker*\n" "-rwxr-xr-x 1 root root 2483 Jun 3 13:45 podselect*\n" "-r-xr-xr-x 1 root root 82412 Jun 4 11:46 ps*\n" "-rwxr-xr-x 1 root root 36365 Jun 3 13:45 pstruct*\n" "-rwxr-xr-x 1 root root 7120 Jun 3 13:45 pwd*\n" "-rwxr-xr-x 1 root root 179884 Jun 3 13:45 rgb2ycbcr*\n" "-rwxr-xr-x 1 root root 20532 Jun 3 13:45 rm*\n" "-rwxr-xr-x 1 root root 6720 Jun 4 10:15 rmdir*\n" "-rwxr-xr-x 1 root root 14705 Jun 3 13:45 s2p*\n" "-rwxr-xr-x 1 root root 28764 Jun 3 13:46 scp*\n" "-rwxr-xr-x 1 root root 385000 Jun 3 13:45 sendfax*\n" "-rwxr-xr-x 1 root root 67548 Jun 3 13:45 sendpage*\n" "-rwxr-xr-x 1 root root 88632 Jun 3 13:46 sftp*\n" "-rwxr-xr-x 1 root root 387764 Jun 3 13:45 sh*\n" "-rws--x--x 1 root root 744500 Jun 3 13:46 slogin*\n" "-rwxr-xr-x 1 root root 14523 Jun 3 13:46 splain*\n" "-rws--x--x 1 root root 744500 Jun 3 13:46 ssh*\n" "-rwxr-xr-x 1 root root 570960 Jun 3 13:46 ssh-add*\n" "-rwxr-xr-x 1 root root 502952 Jun 3 13:46 ssh-agent*\n" "-rwxr-xr-x 1 root root 575740 Jun 3 13:46 ssh-keygen*\n" "-rwxr-xr-x 1 root root 383480 Jun 3 13:46 ssh-keyscan*\n" "-rwxr-xr-x 1 root root 39 Jun 3 13:46 ssh_europa*\n" "-rwxr-xr-x 1 root root 107252 Jun 4 10:14 strace*\n" "-rwxr-xr-x 1 root root 8323 Jun 4 10:14 strace-graph*\n" "-rwxr-xr-x 1 root root 158088 Jun 3 13:46 thumbnail*\n" "-rwxr-xr-x 1 root root 6312 Jun 3 13:46 tty*\n" "-rwxr-xr-x 1 root root 55904 Jun 4 11:46 useradd*\n" "-rwxr-xr-x 1 root root 585656 Jun 4 11:47 vi*\n" "-rwxr-xr-x 1 root root 6444 Jun 4 11:45 whoami*\n" "./dev:\n" "total 8\n" "drwxr-xr-x 2 root root 4096 Jun 4 12:16 ./\n" "drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../\n" "crw-r--r-- 1 root root 1, 9 Jun 3 13:43 urandom\n" "./etc:\n" "total 208\n" "drwxr-xr-x 4 root root 4096 Jun 4 12:35 ./\n" 
"drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../\n" "-rw------- 1 root root 0 Jun 4 11:46 .pwd.lock\n" "-rw-r--r-- 1 root root 653 Jun 3 13:46 group\n" "-rw-r--r-- 1 root root 242 Jun 4 11:33 host.conf\n" "-rw-r--r-- 1 root root 857 Jun 4 12:04 hosts\n" "-rw-r--r-- 1 root root 1050 Jun 4 11:29 ld.so.cache\n" "-rw-r--r-- 1 root root 304 Jun 4 11:28 ld.so.conf\n" "-rw-r--r-- 1 root root 235 Jun 4 11:27 ld.so.conf~\n" "-rw-r--r-- 1 root root 88039 Jun 3 13:46 moduli\n" "-rw-r--r-- 1 root root 1342 Jun 4 11:34 nsswitch.conf\n" "drwxr-xr-x 2 root root 4096 Jun 4 12:02 pam.d/\n" "-rw-r--r-- 1 root root 28 Jun 4 12:00 pam_smb.conf\n" "-rw-r--r-- 1 root root 2520 Jun 4 11:57 passwd\n" "-rw-r--r-- 1 root root 7228 Jun 3 13:48 profile\n" "-rw-r--r-- 1 root root 1339 Jun 4 11:33 protocols\n" "-rw-r--r-- 1 root root 274 Jun 4 11:44 resolv.conf\n" "drwxr-xr-x 2 root root 4096 Jun 3 13:43 security/\n" "-rw-r----- 1 root root 1178 Jun 4 11:51 shadow\n" "-rw------- 1 root root 80 Jun 4 11:45 shadow-\n" "-rw-r----- 1 root root 1178 Jun 4 11:48 shadow.old\n" "-rw-r--r-- 1 root root 161 Jun 3 13:46 shells\n" "-rw-r--r-- 1 root root 1144 Jun 3 13:46 ssh_config\n" "-rw------- 1 root root 668 Jun 3 13:46 ssh_host_dsa_key\n" "-rw-r--r-- 1 root root 602 Jun 3 13:46 ssh_host_dsa_key.pub\n" "-rw------- 1 root root 527 Jun 3 13:46 ssh_host_key\n" "-rw-r--r-- 1 root root 331 Jun 3 13:46 ssh_host_key.pub\n" "-rw------- 1 root root 883 Jun 3 13:46 ssh_host_rsa_key\n" "-rw-r--r-- 1 root root 222 Jun 3 13:46 ssh_host_rsa_key.pub\n" "-rw-r--r-- 1 root root 2471 Jun 4 12:15 sshd_config\n" "./etc/pam.d:\n" "total 24\n" "drwxr-xr-x 2 root root 4096 Jun 4 12:02 ./\n" "drwxr-xr-x 4 root root 4096 Jun 4 12:35 ../\n" "lrwxrwxrwx 1 root root 4 Jun 4 12:02 other -> sshd\n" "-rw-r--r-- 1 root root 318 Jun 3 13:46 passwd\n" "-rw-r--r-- 1 root root 546 Jun 4 11:36 ssh\n" "-rw-r--r-- 1 root root 479 Jun 4 12:02 sshd\n" "-rw-r--r-- 1 root root 370 Jun 3 13:46 su\n" "./etc/security:\n" "total 32\n" "drwxr-xr-x 2 
root root 4096 Jun 3 13:43 ./\n" "drwxr-xr-x 4 root root 4096 Jun 4 12:35 ../\n" "-rw-r--r-- 1 root root 1971 Jun 3 13:46 access.conf\n" "-rw-r--r-- 1 root root 184 Jun 3 13:46 chroot.conf\n" "-rw-r--r-- 1 root root 2145 Jun 3 13:46 group.conf\n" "-rw-r--r-- 1 root root 1356 Jun 3 13:46 limits.conf\n" "-rw-r--r-- 1 root root 2858 Jun 3 13:46 pam_env.conf\n" "-rw-r--r-- 1 root root 2154 Jun 3 13:46 time.conf\n" "./lib:\n" "total 8316\n" "drwxr-xr-x 3 root root 4096 Jun 4 12:13 ./\n" "drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../\n" "-rw-r--r-- 1 root root 1024 Jun 4 11:51 cracklib_dict.hwm\n" "-rw-r--r-- 1 root root 214324 Jun 4 11:51 cracklib_dict.pwd\n" "-rw-r--r-- 1 root root 11360 Jun 4 11:51 cracklib_dict.pwi\n" "-rwxr-xr-x 1 root root 342427 Jun 3 13:46 ld-linux.so.2*\n" "-rwxr-xr-x 1 root root 4061504 Jun 3 13:46 libc.so.6*\n" "lrwxrwxrwx 1 root root 15 Jun 4 12:11 libcrack.so -> libcrack.so.2.7*\n" "lrwxrwxrwx 1 root root 15 Jun 4 12:11 libcrack.so.2 -> libcrack.so.2.7*\n" "-rwxr-xr-x 1 root root 33291 Jun 4 11:39 libcrack.so.2.7*\n" "-rwxr-xr-x 1 root root 60988 Jun 3 13:46 libcrypt.so.1*\n" "-rwxr-xr-x 1 root root 71846 Jun 3 13:46 libdl.so.2*\n" "-rwxr-xr-x 1 root root 27762 Jun 3 13:46 libhistory.so.4.0*\n" "lrwxrwxrwx 1 root root 17 Jun 4 12:12 libncurses.so.4 -> " "libncurses.so.4.2*\n" "-rwxr-xr-x 1 root root 503903 Jun 3 13:46 libncurses.so.4.2*\n" "lrwxrwxrwx 1 root root 17 Jun 4 12:12 libncurses.so.5 -> " "libncurses.so.5.0*\n" "-rwxr-xr-x 1 root root 549429 Jun 3 13:46 libncurses.so.5.0*\n" "-rwxr-xr-x 1 root root 369801 Jun 3 13:46 libnsl.so.1*\n" "-rwxr-xr-x 1 root root 142563 Jun 4 11:49 libnss_compat.so.1*\n" "-rwxr-xr-x 1 root root 215569 Jun 4 11:49 libnss_compat.so.2*\n" "-rwxr-xr-x 1 root root 61648 Jun 4 11:34 libnss_dns.so.1*\n" "-rwxr-xr-x 1 root root 63453 Jun 4 11:34 libnss_dns.so.2*\n" "-rwxr-xr-x 1 root root 63782 Jun 4 11:34 libnss_dns6.so.2*\n" "-rwxr-xr-x 1 root root 205715 Jun 3 13:46 libnss_files.so.1*\n" "-rwxr-xr-x 1 root root 
235932 Jun 3 13:49 libnss_files.so.2*\n" "-rwxr-xr-x 1 root root 204383 Jun 4 11:33 libnss_nis.so.1*\n" "-rwxr-xr-x 1 root root 254023 Jun 4 11:33 libnss_nis.so.2*\n" "-rwxr-xr-x 1 root root 256465 Jun 4 11:33 libnss_nisplus.so.2*\n" "lrwxrwxrwx 1 root root 14 Jun 4 12:12 libpam.so.0 -> libpam.so.0.72*\n" "-rwxr-xr-x 1 root root 31449 Jun 3 13:46 libpam.so.0.72*\n" "lrwxrwxrwx 1 root root 19 Jun 4 12:12 libpam_misc.so.0 ->\n" "libpam_misc.so.0.72*\n" "-rwxr-xr-x 1 root root 8125 Jun 3 13:46 libpam_misc.so.0.72*\n" "lrwxrwxrwx 1 root root 15 Jun 4 12:12 libpamc.so.0 -> libpamc.so.0.72*\n" "-rwxr-xr-x 1 root root 10499 Jun 3 13:46 libpamc.so.0.72*\n" "-rwxr-xr-x 1 root root 176427 Jun 3 13:46 libreadline.so.4.0*\n" "-rwxr-xr-x 1 root root 44729 Jun 3 13:46 libutil.so.1*\n" "-rwxr-xr-x 1 root root 70254 Jun 3 13:46 libz.a*\n" "lrwxrwxrwx 1 root root 13 Jun 4 12:13 libz.so -> libz.so.1.1.3*\n" "lrwxrwxrwx 1 root root 13 Jun 4 12:13 libz.so.1 -> libz.so.1.1.3*\n" "-rwxr-xr-x 1 root root 63312 Jun 3 13:46 libz.so.1.1.3*\n" "drwxr-xr-x 2 root root 4096 Jun 4 12:00 security/\n" "./lib/security:\n" "total 668\n" "drwxr-xr-x 2 root root 4096 Jun 4 12:00 ./\n" "drwxr-xr-x 3 root root 4096 Jun 4 12:13 ../\n" "-rwxr-xr-x 1 root root 10067 Jun 3 13:46 pam_access.so*\n" "-rwxr-xr-x 1 root root 8300 Jun 3 13:46 pam_chroot.so*\n" "-rwxr-xr-x 1 root root 14397 Jun 3 13:46 pam_cracklib.so*\n" "-rwxr-xr-x 1 root root 5082 Jun 3 13:46 pam_deny.so*\n" "-rwxr-xr-x 1 root root 13153 Jun 3 13:46 pam_env.so*\n" "-rwxr-xr-x 1 root root 13371 Jun 3 13:46 pam_filter.so*\n" "-rwxr-xr-x 1 root root 7957 Jun 3 13:46 pam_ftp.so*\n" "-rwxr-xr-x 1 root root 12771 Jun 3 13:46 pam_group.so*\n" "-rwxr-xr-x 1 root root 10174 Jun 3 13:46 pam_issue.so*\n" "-rwxr-xr-x 1 root root 9774 Jun 3 13:46 pam_lastlog.so*\n" "-rwxr-xr-x 1 root root 13591 Jun 3 13:46 pam_limits.so*\n" "-rwxr-xr-x 1 root root 11268 Jun 3 13:46 pam_listfile.so*\n" "-rwxr-xr-x 1 root root 11182 Jun 3 13:46 pam_mail.so*\n" "-rwxr-xr-x 1 
root root 5923 Jun 3 13:46 pam_nologin.so*\n" "-rwxr-xr-x 1 root root 5460 Jun 3 13:46 pam_permit.so*\n" "-rwxr-xr-x 1 root root 18226 Jun 3 13:46 pam_pwcheck.so*\n" "-rwxr-xr-x 1 root root 12590 Jun 3 13:46 pam_rhosts_auth.so*\n" "-rwxr-xr-x 1 root root 5551 Jun 3 13:46 pam_rootok.so*\n" "-rwxr-xr-x 1 root root 7239 Jun 3 13:46 pam_securetty.so*\n" "-rwxr-xr-x 1 root root 6551 Jun 3 13:46 pam_shells.so*\n" "-rwxr-xr-x 1 root root 55925 Jun 4 12:00 pam_smb_auth.so*\n" "-rwxr-xr-x 1 root root 12678 Jun 3 13:46 pam_stress.so*\n" "-rwxr-xr-x 1 root root 11170 Jun 3 13:46 pam_tally.so*\n" "-rwxr-xr-x 1 root root 11124 Jun 3 13:46 pam_time.so*\n" "-rwxr-xr-x 1 root root 45703 Jun 3 13:46 pam_unix.so*\n" "-rwxr-xr-x 1 root root 45703 Jun 3 13:46 pam_unix2.so*\n" "-rwxr-xr-x 1 root root 45386 Jun 3 13:46 pam_unix_acct.so*\n" "-rwxr-xr-x 1 root root 45386 Jun 3 13:46 pam_unix_auth.so*\n" "-rwxr-xr-x 1 root root 45386 Jun 3 13:46 pam_unix_passwd.so*\n" "-rwxr-xr-x 1 root root 45386 Jun 3 13:46 pam_unix_session.so*\n" "-rwxr-xr-x 1 root root 9726 Jun 3 13:46 pam_userdb.so*\n" "-rwxr-xr-x 1 root root 6424 Jun 3 13:46 pam_warn.so*\n" "-rwxr-xr-x 1 root root 7460 Jun 3 13:46 pam_wheel.so*\n" "./sbin:\n" "total 3132\n" "drwxr-xr-x 2 root root 4096 Jun 4 12:35 ./\n" "drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../\n" "-rwxr-xr-x 1 root root 178256 Jun 3 13:46 choptest*\n" "-rwxr-xr-x 1 root root 184032 Jun 3 13:46 cqtest*\n" "-rwxr-xr-x 1 root root 81096 Jun 3 13:46 dialtest*\n" "-rwxr-xr-x 1 root root 1142128 Jun 4 11:28 ldconfig*\n" "-rwxr-xr-x 1 root root 2868 Jun 3 13:46 lockname*\n" "-rwxr-xr-x 1 root root 3340 Jun 3 13:46 ondelay*\n" "-rwxr-xr-x 1 root root 376796 Jun 3 13:46 pagesend*\n" "-rwxr-xr-x 1 root root 13950 Jun 3 13:46 probemodem*\n" "-rwxr-xr-x 1 root root 9234 Jun 3 13:46 recvstats*\n" "-rwxr-xr-x 1 root root 64480 Jun 3 13:46 sftp-server*\n" "-rwxr-xr-x 1 root root 744412 Jun 3 13:46 sshd*\n" "-rwxr-xr-x 1 root root 30750 Jun 4 11:46 su*\n" "-rwxr-xr-x 1 root root 
194632 Jun 3 13:46 tagtest*\n" "-rwxr-xr-x 1 root root 69892 Jun 3 13:46 tsitest*\n" "-rwxr-xr-x 1 root root 43792 Jun 3 13:46 typetest*\n" "./tmp:\n" "total 8\n" "drwxr-xr-x 2 root root 4096 Jun 4 12:32 ./\n" "drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../\n" "./usr:\n" "total 8\n" "drwxr-xr-x 2 root root 4096 Jun 4 12:16 ./\n" "drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../\n" "lrwxrwxrwx 1 root root 7 Jun 4 12:14 bin -> ../bin//\n" "lrwxrwxrwx 1 root root 7 Jun 4 11:33 lib -> ../lib//\n" "lrwxrwxrwx 1 root root 8 Jun 4 12:13 sbin -> ../sbin//" msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1808 msgid "Chroot environment for Apache" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1814 msgid "" "The chroot utility is often used to jail a daemon in a " "restricted tree. You can use it to insulate services from one another, so " "that security issues in a software package do not jeopardize the whole " "server. When using the makejail script, setting up and updating " "the chrooted tree is much easier." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1821 msgid "" "FIXME: Apache can also be chrooted using which is available in " "libapache-mod-security (for Apache 1.x) and " "libapache2-mod-security (for Apache 2.x)." msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1823 msgid "Licensing" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1830 msgid "" "This document is copyright 2002 Alexandre Ratti. It has been dual-licensed " "and released under the GPL version 2 (GNU General Public License) the " "GNU-FDL 1.2 (GNU Free Documentation Licence) and is included in this manual " "with his explicit permission. (from the )" msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1835 msgid "Installing the server" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1838 msgid "" "This procedure was tested on Debian GNU/Linux 3.0 (Woody) with " "makejail 0.0.4-1 (in Debian/testing)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1843 msgid "Log in as root and create a new jail directory:" msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1845 #, no-wrap msgid "$ mkdir -p /var/chroot/apache" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1853 msgid "" "Create a new user and a new group. The chrooted Apache server will run as " "this user/group, which isn't used for anything else on the system. In this " "example, both user and group are called chrapach." msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1849 #, no-wrap msgid "" " $ adduser --home /var/chroot/apache --shell /bin/false \\\n" " --no-create-home --system --group chrapach" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1859 msgid "FIXME: is a new user needed? (Apache already runs as the apache user)" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1864 msgid "Install Apache as usual on Debian: apt-get install apache" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1870 msgid "" "Set up Apache (e.g. define your subdomains, etc.). In the " "/etc/apache/httpd.conf configuration file, set the " "Group and User options to chrapach. Restart " "Apache and make sure the server is working correctly. Now, stop the Apache " "daemon." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1875 msgid "" "Install makejail (available in Debian/testing for now). You " "should also install wget and lynx as they will be " "used by makejail to test the chrooted server: apt-get " "install makejail wget lynx" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1878 msgid "" "Copy the sample configuration file for Apache to the " "/etc/makejail directory:" msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1877 #, no-wrap msgid " # cp /usr/share/doc/makejail/examples/apache.py /etc/makejail/" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1892 msgid "" "Edit /etc/makejail/apache.py. You need to change the " "chroot, users and groups options. To run this " "version of makejail, you can also add a packages " "option. See the . A sample is shown here:" msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1910 #, no-wrap msgid "" "chroot="/var/chroot/apache"\n" "testCommandsInsideJail=["/usr/sbin/apachectl start"]\n" "processNames=["apache"]\n" "testCommandsOutsideJail=["wget -r --spider http://localhost/",\n" " "lynx --source https://localhost/"]\n" "preserve=["/var/www",\n" " "/var/log/apache",\n" " "/dev/log"]\n" "users=["chrapach"]\n" "groups=["chrapach"]\n" "packages=["apache", "apache-common"]\n" "userFiles=["/etc/password",\n" " "/etc/shadow"]\n" "groupFiles=["/etc/group",\n" " "/etc/gshadow"]\n" "forceCopy=["/etc/hosts",\n" " "/etc/mime.types"]" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1916 msgid "" "FIXME: some options do not seem to work properly. For instance, " "/etc/shadow and /etc/gshadow are not copied, " "whereas /etc/password and /etc/group are fully " "copied instead of being filtered." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1919 msgid "Create the chroot tree: makejail /etc/makejail/apache.py" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1923 msgid "" "If /etc/password and /etc/group were fully copied, " "type:" msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1925 #, no-wrap msgid "" " $ grep chrapach /etc/passwd > /var/chroot/apache/etc/passwd\n" " $ grep chrapach /etc/group > /var/chroot/apache/etc/group" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1928 msgid "to replace them with filtered copies." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1932 msgid "" "Copy the Web site pages and the logs into the jail. These files are not " "copied automatically (see the preserve option in " "makejail's configuration file)." msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1934 #, no-wrap msgid "" " # cp -Rp /var/www /var/chroot/apache/var\n" " # cp -Rp /var/log/apache/*.log /var/chroot/apache/var/log/apache" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1944 msgid "" "Edit the startup script for the system logging daemon so that it also listens " "to the /var/chroot/apache/dev/log socket. In " "/etc/default/syslogd, replace: SYSLOGD="" " "with SYSLOGD=" -a /var/chroot/apache/dev/log" and restart " "the daemon (/etc/init.d/sysklogd restart)." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1948 msgid "" "Edit the Apache startup script (/etc/init.d/apache). You might " "need to make some changes to the default startup script for it to run " "properly with a chrooted tree. Such as:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1950 msgid "set a new CHRDIR variable at the top of the file;" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1952 msgid "edit the start, stop, reload, etc. sections;" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1954 msgid "" "add a line to mount and unmount the /proc filesystem within the " "jail." msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:2038 #, no-wrap msgid "" "#! /bin/bash\n" "#\n" "# apache Start the apache HTTP server.\n" "#\n" "\n" "CHRDIR=/var/chroot/apache\n" "\n" "NAME=apache\n" "PATH=/bin:/usr/bin:/sbin:/usr/sbin\n" "DAEMON=/usr/sbin/apache\n" "SUEXEC=/usr/lib/apache/suexec\n" "PIDFILE=/var/run/$NAME.pid\n" "CONF=/etc/apache/httpd.conf\n" "APACHECTL=/usr/sbin/apachectl \n" "\n" "trap \"\" 1\n" "export LANG=C\n" "export PATH\n" "\n" "test -f $DAEMON || exit 0\n" "test -f $APACHECTL || exit 0\n" "\n" "# ensure we don't leak environment vars into apachectl\n" "APACHECTL=\"env -i LANG=${LANG} PATH=${PATH} chroot $CHRDIR $APACHECTL\"\n" "\n" "if egrep -q -i \"^[[:space:]]*ServerType[[:space:]]+inet\" $CONF\n" "then\n" " exit 0\n" "fi\n" "\n" "case \"$1\" in\n" " start)\n" " echo -n \"Starting web server: $NAME\"\n" " mount -t proc proc /var/chroot/apache/proc\n" " start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON \\\n" " --chroot $CHRDIR\n" " ;;\n" "\n" " stop)\n" " echo -n \"Stopping web server: $NAME\"\n" " start-stop-daemon --stop --pidfile \"$CHRDIR/$PIDFILE\" --oknodo\n" " umount /var/chroot/apache/proc\n" " ;;\n" "\n" " reload)\n" " echo -n \"Reloading $NAME configuration\"\n" " start-stop-daemon --stop --pidfile \"$CHRDIR/$PIDFILE\" \\\n" " --signal USR1 --startas $DAEMON --chroot $CHRDIR\n" " ;;\n" "\n" " reload-modules)\n" " echo -n \"Reloading $NAME modules\"\n" " start-stop-daemon --stop --pidfile \"$CHRDIR/$PIDFILE\" --oknodo \\\n" " --retry 30\n" " start-stop-daemon --start --pidfile $PIDFILE \\\n" " --exec $DAEMON --chroot $CHRDIR\n" " ;;\n" "\n" " restart)\n" " $0 reload-modules\n" " exit $?\n" " ;;\n" "\n" " force-reload)\n" " $0 reload-modules\n" " exit $?\n" " ;;\n" "\n" " *)\n" " echo \"Usage: /etc/init.d/$NAME " 
"{start|stop|reload|reload-modules|force-reload|restart}\"\n" " exit 1\n" " ;;\n" "esac\n" "\n" "if [ $? == 0 ]; then\n" " echo .\n" " exit 0\n" "else\n" " echo failed\n" " exit 1\n" "fi" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:2042 msgid "" "FIXME: should the first Apache process be run as another user than " "root (i.e. add --chuid chrapach:chrapach)? Cons: chrapach will need write " "access to the logs, which is awkward." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:2046 msgid "" "Replace in /etc/logrotate.d/apache " "/var/log/apache/*.log with " "/var/chroot/apache/var/log/apache/*.log" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:2057 msgid "" "Start Apache (/etc/init.d/apache start) and check what is " "reported in the jail log " "(/var/chroot/apache/var/log/apache/error.log). If your setup is " "more complex (e.g. if you also use PHP and MySQL), files will probably be " "missing. If some files are not copied automatically by " "makejail, you can list them in the forceCopy (to copy " "files directly) or packages (to copy full packages and their " "dependencies) option of the /etc/makejail/apache.py configuration " "file." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:2061 msgid "" "Type ps aux | grep apache to make sure Apache is running. You " "should see something like:" msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:2063 #, no-wrap msgid "" " root 180 0.0 1.1 2936 1436 ? S 04:03 0:00 /usr/sbin/apache\n" " chrapach 189 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache\n" " chrapach 190 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache\n" " chrapach 191 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache\n" " chrapach 192 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache\n" " chrapach 193 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:2076 msgid "" "Make sure the Apache processes are running chrooted by looking in the " "/proc filesystem: ls -la " "/proc/process_number/root/. where process_number " "is one of the PID numbers listed above (2nd column; 189 for instance). The " "entries for a restricted tree should be listed:" msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:2078 #, no-wrap msgid "" " drwxr-sr-x 10 root staff 240 Dec 2 16:06 .\n" " drwxrwsr-x 4 root staff 72 Dec 2 08:07 ..\n" " drwxr-xr-x 2 root root 144 Dec 2 16:05 bin\n" " drwxr-xr-x 2 root root 120 Dec 3 04:03 dev\n" " drwxr-xr-x 5 root root 408 Dec 3 04:03 etc\n" " drwxr-xr-x 2 root root 800 Dec 2 16:06 lib\n" " dr-xr-xr-x 43 root root 0 Dec 3 05:03 proc\n" " drwxr-xr-x 2 root root 48 Dec 2 16:06 sbin\n" " drwxr-xr-x 6 root root 144 Dec 2 16:04 usr\n" " drwxr-xr-x 7 root root 168 Dec 2 16:06 var" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:2090 msgid "" "To automate this test, you can type:ls -la /proc/`cat " "/var/chroot/apache/var/run/apache.pid`/root/." msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:2093 msgid "" "FIXME: Add other tests that can be run to make sure the jail is " "closed?" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:2100 msgid "" "The reason I like this is because setting up the jail is not very difficult " "and the server can be updated in just two lines:" msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:2103 #, no-wrap msgid "" "apt-get update && apt-get install apache\n" "makejail /etc/makejail/apache.py" msgstr "" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:2108 msgid "See also" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:2110 msgid "" "If you are looking for more information you can consider these sources of " "information in which the information presented is based:" msgstr "" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:2113 msgid "" ", this " "program was written by Alain Tesio" msgstr "" harden-doc-3.15.1/howto-source/po4a/po/fr.po0000644000000000000000000570065212014340024015366 0ustar # Copyright (C) 2002-2005, 2008, 2011, 2012 Debian French l10n team # This file is distributed under the same license as the harden-doc package. # # Arnaud Assad , 2002. # Pierre Machard , 2002. # Frédéric Bothamy , 2003-2005. # Simon Valiquette , 2008. # David Prévot , 2011, 2012. msgid "" msgstr "" "Project-Id-Version: harden-doc\n" "POT-Creation-Date: 2012-04-01 15:48-0400\n" "PO-Revision-Date: 2012-08-20 00:30-0400\n" "Last-Translator: David Prévot \n" "Language-Team: French \n" "Language: fr\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "X-Generator: Lokalize 1.4\n" "Plural-Forms: nplurals=2; plural=(n > 1);\n" #. type: definition of entity &language; #, no-wrap msgid "en" msgstr "fr" #. type: definition of entity &docdate; #, no-wrap msgid "Sun, 01 Apr 2012 15:48:10 -0400" msgstr "Sun, 01 Apr 2012 15:48:10 -0400" #. type: definition of entity &docversion; #, no-wrap msgid "CVS" msgstr "CVS" #. type: definition of entity &bookname; #, no-wrap msgid "Anleitung zum Absichern von Debian" msgstr "Anleitung zum Absichern von Debian" #. type: definition of entity &version; #, no-wrap msgid "Version: 3.11" msgstr "Version: 3.11" #. type: definition of entity &bookname; #, no-wrap msgid "Manual de Seguridad de Debian" msgstr "Manual de Seguridad de Debian" #. type: definition of entity &version; #, no-wrap msgid "Version: 2.4 (revisión de traducción 3)" msgstr "Version: 2.4 (revisión de traducción 3)" #. type: definition of entity &bookname; #, no-wrap msgid "Manuel de sécurisation de Debian" msgstr "Manuel de sécurisation de Debian" #. type: definition of entity &version; #, no-wrap msgid "Version: 3.4" msgstr "Version: 3.4" #. 
type: definition of entity &bookname; #, no-wrap msgid "Securing Debian Manual" msgstr "Securing Debian Manual" #. type: definition of entity &version; #, no-wrap msgid "Version: 3.13" msgstr "Version: 3.13" #. type: definition of entity &version; #, no-wrap msgid "v3.1" msgstr "v3.1" #. type: definition of entity &version; #, no-wrap msgid "v1.1" msgstr "v1.1" #. type: definition of entity &version; #, no-wrap msgid "v3.2" msgstr "v3.2" #. type: definition of entity &bookid; #, no-wrap msgid "HOWTO-Secure-Debian" msgstr "HOWTO-Secure-Debian" #. type: definition of entity &gplhome; #, no-wrap msgid "http://www.gnu.org/copyleft/gpl.html" msgstr "http://www.gnu.org/copyleft/gpl.html" #. type: definition of entity &gplhomev2; #, no-wrap msgid "http://www.gnu.org/licenses/old-licenses/gpl-2.0.html" msgstr "http://www.gnu.org/licenses/old-licenses/gpl-2.0.html" #. type: definition of entity &dochome; #, no-wrap msgid "/usr/share/doc" msgstr "/usr/share/doc" #. type: definition of entity &filehome; #, no-wrap msgid "&dochome;/Debian" msgstr "&dochome;/Debian" #. type: definition of entity &httphome; #, no-wrap msgid "http://www.debian.org/doc/manuals" msgstr "http://www.debian.org/doc/manuals" #. type: definition of entity &httphome2; #, no-wrap msgid "http://www.debian.org/manuals" msgstr "http://www.debian.org/manuals" #. type: definition of entity &ftphome; #, no-wrap msgid "ftp://www.debian.org/doc" msgstr "ftp://www.debian.org/doc" #. type: definition of entity &cdromhome; #, no-wrap msgid "/doc" msgstr "/doc" #. type: definition of entity &manualname; #, no-wrap msgid "manualname" msgstr "manualname" #. type: definition of entity &packagename; #, no-wrap msgid "packagename" msgstr "packagename" #. type: definition of entity &langname; #, no-wrap msgid "LANG" msgstr "LANG" #. type: definition of entity &localename; #, no-wrap msgid "LOCALE" msgstr "LOCALE" #. 
type: definition of entity &debiandoc2xml; #, no-wrap msgid "http://lists.debian.org/debian-doc/2002/debian-doc-200209/msg00094.html" msgstr "http://lists.debian.org/debian-doc/2002/debian-doc-200209/msg00094.html" #. type: definition of entity &authorname; #, no-wrap msgid "Javier Fernández-Sanguino Peña" msgstr "Javier Fernández-Sanguino Peña" #. type: definition of entity &authoremail; #, no-wrap msgid "jfs@debian.org" msgstr "jfs@debian.org" #. type: #: securing-debian-howto.en.sgml:46 en/titletoc.sgml:7 msgid "&authorname;&authoremail;" msgstr "&authorname;&authoremail;" #. type: #: securing-debian-howto.en.sgml:46 en/titletoc.sgml:13 msgid "&version;, &docdate;" msgstr "&version;, &docdate;" #. type: #: securing-debian-howto.en.sgml:46 en/titletoc.sgml:25 msgid "" "This document describes security in the Debian project and in the Debian " "operating system. Starting with the process of securing and hardening the " "default Debian GNU/Linux distribution installation, it also covers some of " "the common tasks to set up a secure network environment using Debian GNU/" "Linux, gives additional information on the security tools available and " "talks about how security is enforced in Debian by the security and audit " "team." msgstr "" "Ce document décrit la sécurité dans le projet Debian ainsi que dans le " "système d'exploitation Debian. Il commence par la sécurisation et le " "renforcement de l'installation standard d'une distribution Debian GNU/Linux. " "Il couvre quelques tâches courantes telles que la sécurisation d'un réseau " "utilisant Debian GNU/Linux et il donne également des informations " "complémentaires sur les outils de sécurisation disponibles ainsi que sur le " "travail accompli au sein du projet Debian par l'équipe en charge de la " "sécurité et par l'équipe d'audit." #. 
type: #: securing-debian-howto.en.sgml:47 en/copyleft.sgml:4 msgid "Copyright © 2002-2007 Javier Fernández-Sanguino Peña" msgstr "Copyright © 2002-2008 Javier Fernández-Sanguino Peña" #. type:

#: securing-debian-howto.en.sgml:47 en/copyleft.sgml:6 msgid "Copyright © 2001 Alexander Reelsen, Javier Fernández-Sanguino Peña" msgstr "" "Copyright © 2001 Alexander Reelsen, Javier Fernández-Sanguino Peña" #. type:

#: securing-debian-howto.en.sgml:47 en/copyleft.sgml:7 msgid "Copyright © 2000 Alexander Reelsen" msgstr "Copyright © 2000 Alexander Reelsen" #. type:

#: securing-debian-howto.en.sgml:47 en/copyleft.sgml:10 msgid "" "Some sections are copyright © their respective authors, for details " "please refer to ." msgstr "" "Some sections are copyright © their respective authors, for details " "please refer to ." #. type:

#: securing-debian-howto.en.sgml:47 en/copyleft.sgml:16 msgid "" "Permission is granted to copy, distribute and/or modify this document under " "the terms of the or any published " "by the Free Software Foundation. It is distributed in the hope that it will " "be useful, but WITHOUT ANY WARRANTY." msgstr "" "Permission is granted to copy, distribute and/or modify this document under " "the terms of the or any published " "by the Free Software Foundation. It is distributed in the hope that it will " "be useful, but WITHOUT ANY WARRANTY." #. type:

#: securing-debian-howto.en.sgml:47 en/copyleft.sgml:20 msgid "" "Permission is granted to make and distribute verbatim copies of this " "document provided the copyright notice and this permission notice are " "preserved on all copies." msgstr "" "Permission is granted to make and distribute verbatim copies of this " "document provided the copyright notice and this permission notice are " "preserved on all copies." #. type:

#: securing-debian-howto.en.sgml:47 en/copyleft.sgml:25 msgid "" "Permission is granted to copy and distribute modified versions of this " "document under the conditions for verbatim copying, provided that the entire " "resulting derived work is distributed under the terms of a permission notice " "identical to this one." msgstr "" "Permission is granted to copy and distribute modified versions of this " "document under the conditions for verbatim copying, provided that the entire " "resulting derived work is distributed under the terms of a permission notice " "identical to this one." #. type:

#: securing-debian-howto.en.sgml:47 en/copyleft.sgml:31 msgid "" "Permission is granted to copy and distribute translations of this document " "into another language, under the above conditions for modified versions, " "except that this permission notice may be included in translations approved " "by the Free Software Foundation instead of in the original English." msgstr "" "Permission is granted to copy and distribute translations of this document " "into another language, under the above conditions for modified versions, " "except that this permission notice may be included in translations approved " "by the Free Software Foundation instead of in the original English." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:4 #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1810 msgid "Introduction" msgstr "Introduction" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:16 msgid "" "One of the hardest things about writing security documents is that every " "case is unique. Two things you have to pay attention to are the threat " "environment and the security needs of the individual site, host, or network. " "For instance, the security needs of a home user are completely different " "from a network in a bank. While the primary threat a home user needs to face " "is the script kiddie type of cracker, a bank network has to worry about " "directed attacks. Additionally, the bank has to protect their customer's " "data with arithmetic precision. In short, every user has to consider the " "trade-off between usability and security/paranoia." msgstr "" "L'une des choses les plus difficiles dans l'écriture de documents liés à la " "sécurité est que chaque cas est unique. Il faut prêter attention à deux " "choses : la menace que constitue l'environnement et les besoins de " "sécurité liés à un site individuel, une machine ou un réseau. Par exemple, " "les exigences que l'on a pour une utilisation familiale n'ont rien de " "comparable aux exigences que l'on retrouve dans le réseau d'une banque. " "Alors que dans le premier cas, l'utilisateur aura à affronter de simples " "scripts d'attaque, le réseau d'une banque sera, lui, sous la menace " "d'attaques directes. De plus, la banque se doit de protéger l'exactitude des " "données de ses clients. Il faudra donc que chaque utilisateur trouve le bon " "compromis entre la facilité d'utilisation et la sécurité poussée à l'extrême." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:26 msgid "" "Note that this manual only covers issues relating to software. The best " "software in the world can't protect you if someone can physically access the " "machine. You can place it under your desk, or you can place it in a hardened " "bunker with an army in front of it. Nevertheless the desktop computer can be " "much more secure (from a software point of view) than a physically protected " "one if the desktop is configured properly and the software on the protected " "machine is full of security holes. Obviously, you must consider both issues." msgstr "" "Prenez conscience que cet ouvrage traite uniquement des questions liées aux " "logiciels. Le meilleur programme du monde ne pourra pas vous protéger contre " "quelqu'un qui aura un accès physique à la machine. Vous pouvez mettre la " "machine sous le bureau ou dans un bunker protégé par une armée. Pourtant, un " "ordinateur de bureau avec une bonne configuration sera beaucoup plus sûr " "(d'un point de vue logiciel) qu'un ordinateur protégé physiquement si son " "disque dur est truffé de logiciels connus pour avoir des failles de " "sécurité. Bien entendu, vous devez prendre en compte les deux aspects." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:43 msgid "" "This document just gives an overview of what you can do to increase the " "security of your Debian GNU/Linux system. If you have read other documents " "regarding Linux security, you will find that there are common issues which " "might overlap with this document. However, this document does not try to be " "the ultimate source of information you will be using, it only tries to adapt " "this same information so that it is meaningful to a Debian GNU/Linux system. " "Different distributions do some things in different ways (startup of daemons " "is one example); here, you will find material which is appropriate for " "Debian's procedures and tools." msgstr "" "Ce document donne simplement un aperçu de ce qu'il est possible de faire " "pour accroître la sécurité du système Debian GNU/Linux. Si vous avez déjà lu " "des ouvrages traitant de la sécurité sous Linux, vous trouverez des " "similitudes avec ce document. Ce manuel ne prétend pas être l'ultime source " "d'informations à laquelle vous devez vous référer. Il essaye seulement " "d'adapter ces informations pour le système Debian GNU/Linux. D'autres " "distributions procèdent de manière différente pour certaines questions (le " "démarrage de démons est un exemple courant) ; vous trouverez dans cet " "ouvrage les éléments propres aux procédures et aux outils de Debian." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:45 msgid "Authors" msgstr "Auteurs" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:50 msgid "" "The current maintainer of this document is . Please forward him any comments, " "additions or suggestions, and they will be considered for inclusion in " "future releases of this manual." msgstr "" "Le responsable actuel de ce document est . Veuillez lui envoyer vos " "commentaires, ajouts et suggestions et ils seront examinés pour une possible " "inclusion dans les prochaines versions de ce manuel." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:60 msgid "" "This manual was started as a HOWTO by . After it was published on the Internet, " "incorporated it into the . A number of people have contributed to this manual " "(all contributions are listed in the changelog) but the following deserve " "special mention since they have provided significant contributions (full " "sections, chapters or appendices):" msgstr "" "Ce manuel a été lancé en tant que HOWTO par . Après sa publication sur Internet, " " " "l'a incorporé dans le . Un certain nombre de personnes ont contribué à ce " "manuel (la liste de toutes les contributions est dans le journal de " "modifications), mais les personnes suivantes méritent une mention spéciale " "car elles ont fourni des contributions significatives (des sections, " "chapitres ou annexes complets) :" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:62 msgid "Stefano Canepa" msgstr "Stefano Canepa ;" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:63 msgid "Era Eriksson" msgstr "Era Eriksson ;" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:64 msgid "Carlo Perassi" msgstr "Carlo Perassi ;" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:65 msgid "Alexandre Ratti" msgstr "Alexandre Ratti ;" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:66 msgid "Jaime Robles" msgstr "Jaime Robles ;" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:67 msgid "Yotam Rubin" msgstr "Yotam Rubin ;" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:68 msgid "Frederic Schutz" msgstr "Frederic Schutz ;" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:69 msgid "Pedro Zorzenon Neto" msgstr "Pedro Zorzenon Neto ;" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:70 msgid "Oohara Yuuma" msgstr "Oohara Yuuma ;" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:71 msgid "Davor Ocelic" msgstr "Davor Ocelic." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:74 msgid "Where to get the manual (and available formats)" msgstr "Où récupérer ce manuel (et formats disponibles)" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:87 msgid "" "You can download or view the latest version of the Securing Debian Manual " "from the . If you are reading a copy from " "another site, please check the primary copy in case it provides new " "information. If you are reading a translation, please review the version the " "translation refers to to the latest version available. If you find that the " "version is behind please consider using the original copy or review the to see what has changed." msgstr "" "Vous pouvez télécharger ou consulter la dernière version du manuel de " "sécurisation Debian sur le site du . Si vous lisez une copie depuis un autre site, veuillez vérifier la " "version d'origine au cas où elle fournirait des informations plus récentes. " "Si vous lisez une traduction, veuillez vérifier que la version à laquelle se " "réfère cette traduction est la dernière version disponible. Si vous notez " "que la version est en retard, veuillez utiliser la version d'origine ou " "consultez le pour voir ce qui a changé." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:97 msgid "" "If you want a full copy of the manual you can either download the or the from the Debian Documentation Project's site. These versions " "might be more useful if you intend to copy the document over to a portable " "device for offline reading or you want to print it out. Be forewarned, the " "manual is over two hundred pages long and some of the code fragments, due to " "the formatting tools used, are not wrapped in the PDF version and might be " "printed incomplete." msgstr "" "Si vous désirez obtenir une copie complète de ce manuel, vous pouvez " "télécharger le document au " "ou au depuis le site du projet " "de documentation Debian. Ces versions peuvent être plus utiles si vous avez " "l'intention de copier le document vers une machine portable pour lecture " "hors ligne ou si vous voulez l'imprimer. Soyez prévenu que le manuel fait " "plus de deux cents pages et que certains des fragments de code, à cause des " "outils de formatage utilisés, ne sont pas coupés dans la version PDF et " "peuvent donc s'imprimer de façon incomplète." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:103 msgid "" "The document is also provided in text, html and PDF formats in the package. " "Notice, however, that the package maybe not be completely up to date with " "the document provided on the Debian site (but you can always use the source " "package to build an updated version yourself)." msgstr "" "Le document est également fourni aux formats texte, HTML et PDF dans le " "paquet . Cependant, notez que le paquet peut ne pas être tout à fait à jour par " "rapport au document fourni sur le site Debian (mais vous pouvez toujours " "utiliser le paquet source pour construire vous-même une version à jour)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:113 msgid "" "This document is part of the documents distributed by the . " "You can review the changes introduced in the document using a web browser " "and obtaining information from the . You can also checkout the code using SVN with the following call in the " "command line:" msgstr "" "Ce document fait partie des documents distribués par le . " "Les modifications introduites à ce document sont consultables à l'aide d'un " "navigateur web depuis les . Vous pouvez aussi obtenir l'intégralité du code en " "utilisant Subversion :" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:115 #, no-wrap msgid "svn co svn://svn.debian.org/svn/ddp/manuals/trunk/securing-howto/" msgstr "svn co svn://svn.debian.org/svn/ddp/manuals/trunk/securing-howto/" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:118 msgid "Organizational notes/feedback" msgstr "Avis et réactions" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:125 msgid "" "Now to the official part. At the moment I (Alexander Reelsen) wrote most " "paragraphs of this manual, but in my opinion this should not stay the case. " "I grew up and live with free software, it is part of my everyday use and I " "guess yours, too. I encourage everybody to send me feedback, hints, " "additions or any other suggestions you might have." msgstr "" "Maintenant, la partie officielle. Pour l'instant, c'est Alexander Reelsen " "qui a écrit la plupart des paragraphes de ce manuel mais, selon lui, cela " "devrait évoluer. Il a grandi et vécu avec les logiciels libres : « c'est une " "part de ma vie quotidienne et, j'espère, de la vôtre aussi ». Il encourage " "chacun à lui envoyer ses réactions, astuces, ajouts ou suggestions." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:132 msgid "" "If you think you can maintain a certain section or paragraph better, then " "write to the document maintainer and you are welcome to do it. Especially if " "you find a section marked as FIXME, that means the authors did not have the " "time yet or the needed knowledge about the topic. Drop them a mail " "immediately." msgstr "" "Si vous pensez que vous pouvez vous occuper d'une partie en particulier ou " "d'un paragraphe, écrivez au responsable du document. Cela sera " "apprécié ! En particulier, si vous trouvez une section estampillée " "« FIXME », qui signifie que les auteurs n'ont pas eu le temps ou " "les connaissances requises pour s'en occuper, envoyez-leur un courrier " "immédiatement." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:136 msgid "" "The topic of this manual makes it quite clear that it is important to keep " "it up to date, and you can do your part. Please contribute." msgstr "" "Le thème de ce manuel fait clairement comprendre qu'il est important de " "tenir ce manuel à jour ; vous pouvez apporter votre pierre à l'édifice. " "S'il vous plaît, aidez-nous." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:137 msgid "Prior knowledge" msgstr "Connaissances requises" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:148 msgid "" "The installation of Debian GNU/Linux is not very difficult and you should " "have been able to install it. If you already have some knowledge about Linux " "or other Unices and you are a bit familiar with basic security, it will be " "easier to understand this manual, as this document cannot explain every " "little detail of a feature (otherwise this would have been a book instead of " "a manual). If you are not that familiar, however, you might want to take a " "look at for where to find more in-depth information." msgstr "" "L'installation de Debian GNU/Linux n'est pas très difficile et vous avez " "sans doute été capable de l'installer. Si vous disposez déjà de " "connaissances concernant Linux ou d'autres systèmes UNIX et si vous êtes " "quelque peu familier avec les problèmes élémentaires de sécurité, il vous " "sera plus facile de comprendre ce manuel, car ce document ne peut pas entrer " "dans tous les petits détails (sans quoi cela aurait été un livre plutôt " "qu'un manuel). Si vous n'êtes pas si familier que cela avec ces systèmes, " "vous pouvez consulter pour savoir où trouver des " "informations plus approfondies sur le sujet." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:150 msgid "Things that need to be written (FIXME/TODO)" msgstr "Éléments à écrire (FIXME/TODO)" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:157 msgid "" "This section describes all the things that need to be fixed in this manual. " "Some paragraphs include FIXME or TODO tags describing what " "content is missing (or what kind of work needs to be done). The purpose of " "this section is to describe all the things that could be included in the " "future in the manual, or enhancements that need to be done (or would be " "interesting to add)." msgstr "" "Cette section décrit toutes les choses à corriger dans ce manuel. Certains " "paragraphes incluent des marques FIXME ou TODO décrivant " "quel contenu est manquant (ou quel type de travail doit être réalisé). Le " "but de cette section est de décrire toutes les choses qui devraient être " "incluses à l'avenir dans le manuel ou les améliorations à faire (ou qu'il " "serait intéressant d'ajouter)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:162 msgid "" "If you feel you can provide help in contributing content fixing any element " "of this list (or the inline annotations), contact the main author ()." msgstr "" "Si vous pensez que vous pouvez apporter une contribution au contenu en " "corrigeant tout élément de cette liste (ou des annotations dans le texte lui-" "même), veuillez contacter l'auteur principal ()." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:168 msgid "" "This document has yet to be updated based on the latest Debian releases. The " "default configuration of some packages need to be adapted as they have been " "modified since this document was written." msgstr "" "Ce document doit encore être mis à jour en fonction des dernières " "publications de Debian. La configuration par défaut de certains paquets doit " "être adaptée car elles ont été modifiées depuis que ce document a été écrit." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:172 msgid "" "Expand the incident response information, maybe add some ideas derived from " "Red Hat's Security Guide's ." msgstr "" "Développer les informations sur la réponse aux incidents, peut-être ajouter " "quelques idées dérivées du Guide de la sécurité de Red Hat au ." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:177 msgid "" "Write about remote monitoring tools (to check for system availability) such " "as monit, daemontools and " "mon. See ." msgstr "" "Écrire sur les outils de surveillance à distance (pour vérifier la " "disponibilité du système) tels que monit, " "daemontools et mon. Consultez ." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:181 msgid "" "Consider writing a section on how to build Debian-based network appliances " "(with information such as the base system, equivs and " "FAI)." msgstr "" "Envisager la rédaction d'une section sur la construction d'applications " "orientées réseau pour Debian (avec des informations telles que le système de " "base, equivs et FAI)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:185 msgid "" "Check if has relevant info not yet covered here." msgstr "" "Vérifier si n'a pas d'informations pertinentes non traitées ici." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:188 msgid "" "Add information on how to set up a laptop with Debian ." msgstr "" "Ajouter des informations sur la manière de configurer un portable avec " "Debian ." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:193 msgid "" "Add information on how to set up a firewall using Debian GNU/Linux. The " "section regarding firewalling is oriented currently towards a single system " "(not protecting others...) also talk on how to test the setup." msgstr "" "Comment mettre en place un pare-feu en utilisant Debian GNU/Linux. La " "section sur les pare-feu concerne actuellement un système isolé (pas de " "protection d'autres machines, etc.). Comment tester la configuration." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:205 msgid "" "Add information on setting up a proxy firewall with Debian GNU/Linux stating " "specifically which packages provide proxy services (like xfwp, ftp-proxy, redir, " "smtpd, dnrd, jftpgw, oops, pdnsd, " "perdition, transproxy, " "tsocks). Should point to the manual for any other info. " "Note that zorp is now available as a Debian package and " "is a proxy firewall (they also provide Debian packages upstream)." msgstr "" "Paramétrage d'un serveur mandataire pare-feu avec Debian GNU/Linux et faire " "un état des lieux des paquets fournissant des services proxy (tels " "que xfwp, ftp-proxy, redir, smtpd, dnrd, " "jftpgw, oops, pdnsd, perdition, transproxy, " "tsocks). Renvoi au manuel pour toute autre information. " "Considérer également que zorp est maintenant disponible " "comme paquet Debian et qu'il s'agit d'un mandataire pare-feu (il " "existe également des paquets Debian fournis par les auteurs)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:207 msgid "Information on service configuration with file-rc." msgstr "Informations sur la configuration des services avec file-rc." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:209 msgid "Check all the reference URLs and remove/fix those no longer available." msgstr "" "Vérifier toutes les URLs et supprimer ou corriger celles qui ne sont plus " "disponibles." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:211 msgid "" "Add information on available replacements (in Debian) for common servers " "which are useful for limited functionality. Examples:" msgstr "" "Ajouter des informations sur les substituts de serveurs typiques " "(disponibles dans Debian) qui fournissent des fonctionnalités restreintes. " "Par exemple :" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:213 msgid "local lpr with cups (package)?" msgstr "lpr local par CUPS (paquet) ? ;" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:214 msgid "remote lrp with lpr" msgstr "lrp distant par lpr ;" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:215 msgid "bind with dnrd/maradns" msgstr "BIND par dnrd/maradns ;" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:216 msgid "apache with dhttpd/thttpd/wn (tux?)" msgstr "Apache par dhttpd/thttpd/wn (tux?) ;" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:217 msgid "exim/sendmail with ssmtpd/smtpd/postfix" msgstr "Exim/Sendmail par ssmtpd/smtpd/postfix ;" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:218 msgid "squid with tinyproxy" msgstr "Squid par tinyproxy ;" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:219 msgid "ftpd with oftpd/vsftp" msgstr "ftpd par oftpd/vsftpd ;" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:220 msgid "..." msgstr "etc." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:225 msgid "" "More information regarding security-related kernel patches in Debian, " "including the ones shown above and specific information on how to enable " "these patches in a Debian system." msgstr "" "De plus amples informations concernant les correctifs spécialisés dans la " "sécurité du noyau dans Debian, incluant ceux montrés ci-dessus et ajouter " "des informations spécifiques sur la façon d'activer ces correctifs dans un " "système Debian." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:227 msgid "Linux Intrusion Detection (kernel-patch-2.4-lids)" msgstr "" "Linux Intrusion Detection (kernel-patch-2.4-lids) ;" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:228 msgid "Linux Trustees (in package trustees)" msgstr "Linux Trustees (paquet trustees) ;" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:230 msgid "linux-patch-openswan" msgstr "linux-patch-openswan." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:236 msgid "" "Details of turning off unnecessary network services (besides inetd), it is partly in the hardening procedure but could be broadened a bit." msgstr "" "Précisions sur l'arrêt de services réseaux inutiles (outre inetd) ; c'est en partie dans la procédure de consolidation mais " "pourrait être élargi un petit peu." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:239 msgid "" "Information regarding password rotation which is closely related to policy." msgstr "" "Informations sur le renouvellement des mots de passe ; c'est " "étroitement lié à la politique mise en place." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:241 msgid "Policy, and educating users about policy." msgstr "Politique de sécurité et formation des utilisateurs." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:243 msgid "More about tcpwrappers, and wrappers in general?" msgstr "" "Davantage à propos de tcpwrappers, et de l'encapsulation en général ?" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:245 msgid "hosts.equiv and other major security holes." msgstr "hosts.equiv et d'autres trous de sécurité majeurs." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:247 msgid "Issues with file sharing servers such as Samba and NFS?" msgstr "" "Problèmes avec les serveurs de partage de fichiers tels que Samba et " "NFS ?" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:249 msgid "suidmanager/dpkg-statoverrides." msgstr "suidmanager/dpkg-statoverrides." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:251 msgid "lpr and lprng." msgstr "lpr et lprng." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:253 msgid "Switching off the GNOME IP things." msgstr "Désactiver les outils GNOME qui utilisent IP." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:259 msgid "" "Talk about pam_chroot (see ) and its usefulness to " "limit users. Introduce information related to . pdmenu, for example is " "available in Debian (whereas flash is not)." msgstr "" "Parler de pam_chroot (consultez ) et de son utilité " "pour restreindre les utilisateurs. Introduire les informations relatives à " ". pdmenu, par exemple, est disponible dans Debian (alors que flash ne l'est " "pas)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:266 msgid "" "Talk about chrooting services, some more info on ." msgstr "" "Parler des services « chrootés », plus d'informations sur ." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:282 msgid "" "Talk about programs to make chroot jails. compartment and " "chrootuid are waiting in incoming. Some others (makejail, " "jailer) could also be introduced." msgstr "" "Parler des programmes pour faire des « prisons » chroot. " "compartment et chrootuid sont en " "attente dans incoming. D'autres (makejail, jailer) pourraient aussi être " "présentés." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:285 msgid "" "More information regarding log analysis software (i.e. logcheck and " "logcolorise)." msgstr "" "Plus d'informations concernant les logiciels d'analyse de journaux (c'est-à-" "dire logcheck et logcolorise)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:287 msgid "'advanced' routing (traffic policing is security related)." msgstr "" "Routage « avancé » (la politique de trafic concerne la sécurité)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:289 msgid "limiting ssh access to running certain commands." msgstr "" "Restreindre SSH pour qu'il puisse uniquement exécuter certaines " "commandes." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:291 msgid "using dpkg-statoverride." msgstr "Utilisation de dpkg-statoverride." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:293 msgid "secure ways to share a CD burner among users." msgstr "Moyens sûrs de partager un graveur de CD parmi les utilisateurs." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:297 msgid "" "secure ways of providing networked sound in addition to network display " "capabilities (so that X clients' sounds are played on the X server's sound " "hardware)." msgstr "" "Moyens sûrs de fournir du son en réseau en plus des possibilités d'affichage " "en réseau (pour que le son des clients X soit envoyé sur le périphérique de " "son du serveur X)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:299 msgid "securing web browsers." msgstr "Sécurisation des navigateurs web." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:301 msgid "setting up ftp over ssh." msgstr "Configurer FTP au travers de SSH." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:303 msgid "using crypto loopback file systems." msgstr "Utilisation des systèmes de fichiers « loopback » chiffrés." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:305 msgid "encrypting the entire file system." msgstr "Chiffrement entier du système de fichiers." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:307 msgid "steganographic tools." msgstr "Outils stéganographiques." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:309 msgid "setting up a PKA for an organization." msgstr "" "Configurer une autorité de clefs publiques (PKA) pour une organisation." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:312 msgid "" "using LDAP to manage users. There is a HOWTO of ldap+kerberos for Debian at " " written by Turbo Fredrikson." msgstr "" "Utiliser LDAP pour gérer les utilisateurs. Il y a un HOWTO sur ldap+kerberos " "pour Debian écrit par Turbo Fredrikson et disponible à ." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:315 msgid "" "How to remove information of reduced utility in production systems such as " "/usr/share/doc, /usr/share/man (yes, security by " "obscurity)." msgstr "" "Comment enlever des informations non essentielles sur les systèmes de " "production tels que /usr/share/doc, /usr/share/man " "(oui, sécurité par obscurité)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:322 msgid "" "More information on lcap based on the packages README file (well, not there " "yet, see ) and from the article from LWN: ." msgstr "" "Plus d'informations sur lcap basées sur le fichier README des paquets (pas " "encore tout à fait présent, consultez le ) et à partir de " "l'article de LWN : ." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:325 msgid "" "Add Colin's article on how to setup a chroot environment for a full sid " "system ()." msgstr "" "Ajouter l'article de Colin sur la façon de configurer un environnement " "chroot pour un système Sid complet ()." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:328 msgid "" "Add information on running multiple snort sensors in a given " "system (check bug reports sent to snort)." msgstr "" "Ajouter des informations sur l'exécution de plusieurs senseurs snort dans un système donné (vérifier les rapports de bogues envoyés à " "snort)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:330 msgid "Add information on setting up a honeypot (honeyd)." msgstr "" "Ajouter des informations sur la mise en place d'un pot de miel " "(« honeypot ») avec le paquet honeyd." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:333 msgid "" "Describe situation wrt to FreeSwan (orphaned) and OpenSwan. VPN section " "needs to be rewritten." msgstr "" "Décrire la situation relative à FreeSwan (abandonné) et OpenSwan. La section " "VPN a besoin d'être récrite." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:336 msgid "" "Add a specific section about databases, current installation defaults and " "how to secure access." msgstr "" "Ajouter une section spécifique à propos des bases de données, l'installation " "par défaut et sur la façon de sécuriser les accès." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:338 msgid "Add a section about the usefulness of virtual servers (Xen et al)." msgstr "" "Ajouter une section sur l'utilité des serveurs virtuels (Xen, Vserver, etc.)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:342 msgid "" "Explain how to use some integrity checkers (AIDE, integrit or samhain). The " "basics are simple and could even explain some configuration improvements." msgstr "" "Expliquer comment utiliser plusieurs vérificateurs d'intégrité tels que " "aide, integrit ou samhain. La base est très simple à expliquer et permet de personnaliser la " "configuration par défaut." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:346 msgid "Changelog/History" msgstr "Journal des modifications et historique" #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:348 msgid "Version 3.16 (March 2011)" msgstr "Version 3.16 (mars 2011)" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:350 en/intro.sgml:371 #: en/intro.sgml:381 en/intro.sgml:395 en/intro.sgml:412 en/intro.sgml:476 #: en/intro.sgml:493 en/intro.sgml:514 en/intro.sgml:531 en/intro.sgml:541 #: en/intro.sgml:587 en/intro.sgml:609 en/intro.sgml:630 en/intro.sgml:645 #: en/intro.sgml:674 en/intro.sgml:690 en/intro.sgml:698 en/intro.sgml:725 #: en/intro.sgml:733 en/intro.sgml:762 en/intro.sgml:769 en/intro.sgml:781 #: en/intro.sgml:1085 en/intro.sgml:1091 en/intro.sgml:1108 en/intro.sgml:1118 #: en/intro.sgml:1130 en/intro.sgml:1210 en/intro.sgml:1222 en/intro.sgml:1228 #: en/intro.sgml:1235 en/intro.sgml:1248 en/intro.sgml:1258 en/intro.sgml:1269 #: en/intro.sgml:1278 en/intro.sgml:1292 en/intro.sgml:1306 en/intro.sgml:1326 #: en/intro.sgml:1350 en/intro.sgml:1357 msgid "Changes by Javier Fernández-Sanguino Peña." msgstr "Modifications de Javier Fernández-Sanguino Peña." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:354 msgid "Indicate that the document is not updated with latest versions." msgstr "" "Indication que le document n'est pas mis à jour avec les dernières versions." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:356 msgid "Update pointers to current location of sources." msgstr "Mise à jour des liens vers l'emplacement actuel des sources." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:358 msgid "Update information on security updates for newer releases." msgstr "" "Mise à jour des renseignements de sécurité pour les publications les plus " "récentes." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:361 msgid "" "Point information for Developers to online sources instead of keeping the " "information in the document, to prevent duplication." msgstr "" "Lien vers des renseignements pour les développeurs sur les sources en ligne " "au lieu de les garder dans ce document pour éviter les doublons." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:363 msgid "Fix shell script example in Appendix." msgstr "Correction de l'exemple de script en annexe." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:365 msgid "Fix reference errors." msgstr "Correction d'erreurs de référence." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:369 msgid "Version 3.15 (December 2010)" msgstr "Version 3.15 (décembre 2010)" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:375 msgid "" "Change reference to Log Analysis' website as this is no longer available." msgstr "" "Modification de la référence au site web de Log Analysis car il n'est plus " "disponible." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:379 msgid "Version 3.14 (March 2009)" msgstr "Version 3.14 (mars 2009)" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:386 msgid "" "Change the section related to choosing a filesystem: note that ext3 is now " "the default." msgstr "" "Modification de la section indiquant comment choisir un système de fichiers. " "ext3 est maintenant le système de fichiers par défaut." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:389 msgid "" "Change the name of the packages related to enigmail to reflect naming " "changes introduced in Debian." msgstr "" "Modification du nom des paquets relatifs à Enigmail pour correspondre aux " "modifications de nom introduites dans Debian." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:393 msgid "Version 3.13 (Februrary 2008)" msgstr "Version 3.13 (février 2008)" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:400 msgid "" "Change URLs pointing to Bastille Linux since the domain has been ." msgstr "" "Changement de l'URL pointant sur Bastille Linux car le domaine a été ." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:402 msgid "Fix pointers to Linux Ramen and Lion worms." msgstr "Correction des liens sur les vers Linux dénommés Ramen et Lion." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:404 msgid "" "Use linux-image in the examples instead of the (old) kernel-image packages." msgstr "" "Utilisation de linux-image dans les exemples à la place de l'ancien paquet " "kernel-image." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:406 msgid "Fix typos spotted by Francesco Poli." msgstr "Corrections typographiques indiquées par Francesco Poli." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:410 msgid "Version 3.12 (August 2007)" msgstr "Version 3.12 (août 2007)" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:418 msgid "" "Update the information related to security updates. Drop the text talking " "about Tiger and include information on the update-notifier and adept tools " "(for Desktops) as well as debsecan. Also include some pointers to other " "tools available." msgstr "" "Mise à jour des informations au sujet des mises à jour de sécurité. Abandon " "du texte parlant de Tiger. Inclusion d'informations sur " "les outils update-notifier et adept " "(pour les stations) ainsi que debsecan. Ajout de quelques " "liens vers d'autres outils disponibles." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:420 msgid "" "Divide the firewall applications based on target users and add fireflier to " "the Desktop firewall applications list." msgstr "" "Division des applications de pare-feu selon les utilisateurs cibles et ajout " "de fireflier à la liste des applications de pare-feu pour postes de travail." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:423 msgid "" "Remove references to libsafe, it's not in the archive any longer (was " "removed January 2006)." msgstr "" "Retrait des références à libsafe, un paquet retiré du dépôt de Debian (en " "janvier 2006)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:425 msgid "Fix the location of syslog's configuration, thanks to John Talbut." msgstr "" "Correction de l'emplacement du fichier de configuration de syslog. Merci à " "John Talbut." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:429 msgid "Version 3.11 (January 2007)" msgstr "Version 3.11 (janvier 2007)" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:432 msgid "" "Changes by Javier Fernández-Sanguino Peña. Thanks go to Francesco Poli for " "his extensive review of the document." msgstr "" "Changements par Javier Fernández-Sanguino Peña. Merci à Francesco Poli pour " "sa révision étendue du document." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:437 msgid "" "Remove most references to the woody release as it is no longer available (in " "the archive) and security support for it is no longer available." msgstr "" "Retrait de la plupart des références à la version Woody car elle n'est plus " "disponible dans le dépôt principal et que le suivi en sécurité n'est plus " "disponible pour celle-ci." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:438 msgid "Describe how to restrict users so that they can only do file transfers." msgstr "" "Description de la restriction des utilisateurs pour qu'ils ne puissent faire " "que des transferts de fichiers." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:439 msgid "Added a note regarding the debian-private declasiffication decision." msgstr "" "Ajout d'une note au sujet de la décision de déclassification de debian-" "private." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:440 msgid "Updated link of incident handling guides." msgstr "Mise à jour du lien sur les guides de gestion des incidents." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:442 msgid "" "Added a note saying that development tools (compilers, etc.) are not " "installed now in the default 'etch' installation." msgstr "" "Ajout d'une note indiquant que les outils de développement " "(compilateurs, etc.) ne sont plus installés par défaut dans Etch." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:443 msgid "Fix references to the master security server." msgstr "Correction des références sur le serveur maître de sécurité." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:444 msgid "Add pointers to additional APT-secure documentation." msgstr "" "Ajout de références vers de la documentation supplémentaire d'apt sécurisé." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:445 msgid "Improve the description of APT signatures." msgstr "Amélioration de la description des signatures APT." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:447 msgid "" "Comment out some things which are not yet final related to the mirror's " "official public keys." msgstr "" "Mise en commentaire de points qui ne sont pas encore finalisés au sujet des " "clefs publiques des miroirs officiels." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:448 msgid "Fixed name of the Debian Testing Security Team." msgstr "" "Correction du nom de l'équipe de sécurité Debian Testing (Debian Testing " "Security Team)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:449 msgid "Remove reference to sarge in an example." msgstr "Retrait d'une référence à Sarge dans un exemple." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:451 msgid "" "Update the antivirus section, clamav is now available on the release. Also " "mention the f-prot installer." msgstr "" "Mise à jour de la section sur les antivirus : clamav est maintenant " "disponible depuis Etch. Mention de l'installateur pour f-prot." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:452 msgid "Removes all references to freeswan as it is obsolete." msgstr "Retrait de toutes les références à freeswan, car il est désuet." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:454 msgid "" "Describe issues related to ruleset changes to the firewall if done remotely " "and provide some tips (in footnotes)." msgstr "" "Description des problèmes liés aux changements des règles de firewall à " "distance et quelques conseils en notes de bas de page." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:456 msgid "" "Update the information related to the IDS installation, mention BASE and the " "need to setup a logging database." msgstr "" "Mise à jour des informations sur l'installation d'IDS, mentionner BASE et la " "nécessité de mettre en place une base de données d'audit." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:459 msgid "" "Rewrite the \"running bind as a non-root user\" section as this no longer " "applies to Bind9. Also remove the reference to the init.d script since the " "changes need to be done through /etc/default." msgstr "" "Réécriture de la section « lancer bind par un utilisateur non " "superutilisateur » car cela ne s'applique plus à BIND 9. Retrait de la " "référence au script init.d car les configurations doivent être faites à " "l'aide de /etc/default/." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:461 msgid "" "Remove the obsolete way to setup iptables rulesets as woody is no longer " "supported." msgstr "" "Retrait de la méthode désuète de mise en place des règles d'iptables, car " "Woody n'est plus maintenu." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:463 msgid "" "Revert the advice regarding LOG_UNKFAIL_ENAB it should be set to 'no' (as " "per default)." msgstr "" "Retrait du conseil à propos de LOG_UNKFAIL_ENAB. Il devrait être positionné " "à 'no' (la valeur par défaut)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:466 msgid "" "Added more information related to updating the system with desktop tools " "(including update-notifier) and describe aptitude usage to update the " "system. Also note that dselect is deprecated." msgstr "" "Ajout de plus d'informations au sujet de la mise à jour du système avec les " "outils de station de travail (y compris update-notifier) et description de " "l'utilisation d'aptitude pour mettre le système à jour. Noter aussi que " "dselect est déprécié." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:467 msgid "Updated the contents of the FAQ and remove redundant paragraphs." msgstr "Mise à jour du contenu de la FAQ et retrait de paragraphes redondants." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:469 msgid "Review and update the section related to forensic analysis of malware." msgstr "" "Relecture et mise à jour de la section sur les analyses post mortem de " "malwares." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:470 msgid "Remove or fix some dead links." msgstr "Retrait ou correction de quelques liens morts." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:472 msgid "Fix many typos and gramatical errors reported by Francesco Poli." msgstr "" "Correction de nombreuses erreurs typographiques et grammaticales mentionnées " "par Francesco Poli." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:475 msgid "Version 3.10 (November 2006)" msgstr "Version 3.10 (novembre 2006)" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:480 msgid "" "Provide examples using apt-cache's rdepends as suggested by Ozer Sarilar." msgstr "" "Ajout d'exemples d'utilisation de l'option rdepends d'apt-cache " "tel que suggéré par Ozer Sarilar." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:483 msgid "" "Fix location of Squid's user's manual because of its relocation as notified " "by Oskar Pearson (its maintainer)." msgstr "" "Correction de l'emplacement du manuel de l'utilisateur de Squid après " "qu'Oskar Pearson (son responsable) nous ait informé de son déplacement." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:488 msgid "" "Fix information regarding umask, it's logins.defs (and not limits.conf) " "where this can be configured for all login connections. Also state what is " "Debian's default and what would be a more restrictive value for both users " "and root. Thanks to Reinhard Tartler for spotting the bug." msgstr "" "Correction des informations au sujet d'umask. C'est dans logins.defs (et non " "pas limits.conf) que cela peut être configuré pour toutes les connexions. " "Préciser les valeurs par défaut de Debian et suggérer des valeurs plus " "restrictives pour les utilisateurs et le superutilisateur. Merci à Reinhard " "Tartler pour avoir détecté cette erreur." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:491 msgid "Version 3.9 (October 2006)" msgstr "Version 3.9 (octobre 2006)" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:498 msgid "" "Add information on how to track security vulnerabilities and add references " "to the Debian Testing Security Tracker." msgstr "" "Ajout d'informations sur le suivi des vulnérabilités de sécurité et ajout de " "références à propos du système de suivi en sécurité de Debian testing." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:500 msgid "Add more information on the security support for testing." msgstr "Ajout d'informations sur le suivi en sécurité pour Debian testing." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:502 msgid "Fix a large number of typos with a patch provided by Simon Brandmair." msgstr "" "Correction d'un grand nombre d'erreurs typographiques à partir de correctifs " "fournis par Simon Brandmair." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:505 msgid "" "Added section on how to disable root prompt on initramfs provided by Max " "Attems." msgstr "" "Ajout d'une section rédigée par Max Attems sur la façon de désactiver la " "console de superutilisateur avec initramfs." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:507 msgid "Remove references to queso." msgstr "Retrait des références à queso." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:509 msgid "Note that testing is now security-supported in the introduction." msgstr "" "Signalement dans l'introduction que testing est maintenant suivie par " "l'équipe de sécurité de Debian." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:512 msgid "Version 3.8 (July 2006)" msgstr "Version 3.8 (juillet 2006)" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:520 msgid "" "Rewrote the information on how to setup ssh chroots to clarify the different " "options available, thank to Bruce Park for bringing up the different " "mistakes in this appendix." msgstr "" "Réécriture de la mise en place de prisons (chroot) SSH pour clarifier les " "différentes options disponibles. Merci à Bruce Park d'avoir fait remarquer " "diverses erreurs dans cette annexe." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:522 msgid "Fix lsof call as suggested by Christophe Sahut." msgstr "" "Correction des appels de lsof tel que suggéré par Christophe " "Sahut." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:524 msgid "Include patches for typo fixes from Uwe Hermann." msgstr "" "Inclusion des correctifs d'Uwe Hermann corrigeant plusieurs erreurs " "typographiques." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:526 msgid "Fix typo in reference spotted by Moritz Naumann." msgstr "" "Correction d'une erreur typographique soulignée par Moritz Naumann dans une " "référence." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:529 msgid "Version 3.7 (April 2006)" msgstr "Version 3.7 (avril 2006)" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:534 msgid "Add a section on Debian Developer's best practices for security." msgstr "" "Ajout d'une section sur les meilleures techniques de sécurité recommandées " "aux développeurs de Debian." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:536 msgid "Ammended firewall script with comments from WhiteGhost." msgstr "Ajout de commentaires au script d'un pare-feu par WhiteGhost." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:539 msgid "Version 3.6 (March 2006)" msgstr "Version 3.6 (mars 2006)" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:546 msgid "" "Included a patch from Thomas Sjögren which describes that noexec " "works as expected with \"new\" kernels, adds information regarding tempfile " "handling, and some new pointers to external documentation." msgstr "" "Inclusion de correctifs de Thomas Sjögren qui expliquent que noexec " "fonctionne avec les « nouveaux » noyaux. Ajout d'informations à " "propos de la gestion des fichiers temporaires ainsi que des liens vers de la " "documentation externe." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:550 msgid "" "Add a pointer to Dan Farmer's and Wietse Venema's forensic discovery web " "site, as suggested by Freek Dijkstra, and expanded a little bit the forensic " "analysis section with more pointers." msgstr "" "Ajout d'un lien vers le site de Dan Farmer et Wietse Venema sur l'analyse " "post mortem, tel que suggéré par Freek Dijkstra. Ajout de quelques liens " "additionnels sur l'analyse post mortem." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:552 msgid "Fixed URL of Italy's CERT, thanks to Christoph Auer." msgstr "Correction de l'URL du site italien du CERT. Merci à Christoph Auer." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:555 msgid "" "Reuse Joey Hess' information at the wiki on secure apt and introduce it in " "the infrastructure section." msgstr "" "Réutilisation des informations du wiki de Joey Hess sur apt sécurisé et " "insertion dans la section sur les infrastructures." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:557 msgid "Review sections referring to old versions (woody or potato)." msgstr "" "Révision des sections se référant à d'anciennes versions (Woody ou Potato)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:559 msgid "Fix some cosmetic issues with patch from Simon Brandmair." msgstr "" "Correction de quelques problèmes esthétiques avec les correctifs proposés " "par Simon Brandmair." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:565 msgid "" "Included patches from Carlo Perassi: acl patches are obsolete, openwall " "patches are obsolete too, removed fixme notes about 2.2 and 2.4 series " "kernels, hap is obsolete (and not present in WNPP), remove references to " "Immunix (StackGuard is now in Novell's hands), and fix a FIXME about the use " "of bsign or elfsign." msgstr "" "Inclusion des correctifs de Carlo Perassi : les extraits de code sur " "les ACL sont désuets, les correctifs pour Openwall sont également désuets. " "Retrait des notes FIXME à propos des noyaux 2.2 et 2.4, hap est désuet (et absent du WNPP), retrait des références à Immunix " "(StackGuard appartient maintenant à Novell) et résolution d'un FIXME à " "propos de l'utilisation de bsign et elfsign." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:568 msgid "" "Updated references to SElinux web pages to point to the Wiki (currently the " "most up to date source of information)." msgstr "" "Mise à jour des références au site Internet de SELinux afin qu'elles " "pointent vers le wiki (présentement la source d'informations la plus à jour)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:571 msgid "" "Include file tags and make a more consistent use of \"MD5 sum\" with a patch " "from Jens Seidel." msgstr "" "Ajout de balises de fichiers et utilisation plus constante de l'expression " "« somme MD5 » avec un correctif de Jens Seidel." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:574 msgid "" "Patch from Joost van Baal improving the information on the firewall section " "(pointing to the wiki instead of listing all firewall packages available) " "(Closes: #339865)." msgstr "" "Correctifs de Joost van Baal améliorant les informations dans la section sur " "les pare-feu (lien vers le wiki au lieu de faire une liste de tous les " "paquets disponibles sur les pare-feu). Ferme le bogue nº 339865." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:577 msgid "" "Review the FAQ section on vulnerability stats, thanks to Carlos Galisteo de " "Cabo for pointing out that it was out of date." msgstr "" "Révision de la FAQ sur les statistiques sur les vulnérabilités. Merci à " "Carlos Galisteo de Cabo d'avoir mentionné que l'information n'était plus à " "jour." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:580 msgid "" "Use the quote from the Social Contract 1.1 instead of 1.0 as suggested by " "Francesco Poli." msgstr "" "Citation d'extraits du Contrat social Debian 1.1 au lieu de 1.0, tel " "que suggéré par Francesco Poli." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:585 msgid "Version 3.5 (November 2005)" msgstr "Version 3.5 (novembre 2005)" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:592 msgid "" "Note on the SSH section that the chroot will not work if using the nodev " "option in the partition and point to the latest ssh packages with the chroot " "patch, thanks to Lutz Broedel for pointing these issues out." msgstr "" "Note sur la section SSH que le chroot ne fonctionnera pas si vous utilisez " "l'option nodev dans la partition et indication des derniers paquets ssh avec " "le correctif chroot, merci à Lutz Broedel d'avoir signalé ces problèmes." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:594 msgid "" "Fix typo spotted by Marcos Roberto Greiner (md5sum should be sha1sum in code " "snippet)." msgstr "" "Correction de faute de frappe remarquée par Marcos Roberto Greiner (md5sum " "devrait être sha1sum dans l'extrait de code)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:596 msgid "" "Included Jens Seidel's patch fixing a number of package names and typos." msgstr "" "Inclusion du correctif de Jens Seidel corrigeant un certain nombre de noms " "de paquets et de fautes de frappe." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:599 msgid "" "Slightly update of the tools section, removed tools no longer available and " "added some new ones." msgstr "" "Légère mise à jour de la section d'outils, suppression des outils plus " "disponibles et ajout de nouveaux outils." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:604 msgid "" "Rewrite parts of the section related to where to find this document and what " "formats are available (the website does provide a PDF version). Also note " "that copies on other sites and translations might be obsolete (many of the " "Google hits for the manual in other sites are actually out of date)." msgstr "" "Réécriture de parties de la section liée à l'endroit où trouver ce document " "et des formats disponibles (le site web fournit une version PDF). Note " "également sur le fait que les copies sur d'autres sites et les traductions " "peuvent être désuètes (la plupart des liens fournis par Google pour le " "manuel sur d'autres sites sont vraiment obsolètes)." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:607 msgid "Version 3.4 (August-September 2005)" msgstr "Version 3.4 (août-septembre 2005)" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:615 msgid "" "Improved the after installation security enhancements related to kernel " "configuration for network level protection with a sysctl.conf file provided " "by Will Moy." msgstr "" "Amélioration des renforcements de sécurité post-installation liés à la " "configuration du noyau pour la protection au niveau réseau avec un fichier " "sysctl.conf fourni par Will Moy." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:617 msgid "Improved the gdm section, thanks to Simon Brandmair." msgstr "Amélioration de la section gdm, grâce à Simon Brandmair." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:619 msgid "Typo fixes from Frédéric Bothamy and Simon Brandmair." msgstr "Corrections de faute de frappe de Frédéric Bothamy et Simon Brandmair." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:622 msgid "" "Improvements in the after installation sections related to how to generate " "the MD5 (or SHA-1) sums of binaries for periodic review." msgstr "" "Améliorations des sections post-installation liées à la façon de générer les " "sommes MD5 (ou SHA-1) des binaires pour vérification périodique." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:625 msgid "" "Updated the after installation sections regarding checksecurity " "configuration (was out of date)." msgstr "" "Mise à jour des sections post-installation concernant la configuration " "checksecurity (qui était obsolète)." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:628 msgid "Version 3.3 (June 2005)" msgstr "Version 3.3 (juin 2005)" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:635 msgid "" "Added a code snippet to use grep-available to generate the list of packages " "depending on Perl. As requested in #302470." msgstr "" "Ajout d'un extrait de code pour utiliser grep-available pour générer la " "liste des paquets dépendant de Perl. Comme demandé dans le bogue nº 302470." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:638 msgid "" "Rewrite of the section on network services (which ones are installed and how " "to disable them)." msgstr "" "Réécriture de la section sur les services réseau (quels sont les services " "installés et comment les désactiver)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:641 msgid "" "Added more information to the honeypot deployment section mentioning useful " "Debian packages." msgstr "" "Ajout de plus d'informations sur la section de déploiement des pots de miel " "mentionnant des paquets Debian utiles." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:644 msgid "Version 3.2 (March 2005)" msgstr "Version 3.2 (mars 2005)" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:647 msgid "Expanded the PAM configuration limits section." msgstr "Extension de la section sur les limites de la configuration de PAM." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:649 msgid "" "Added information on how to use pam_chroot for openssh (based on " "pam_chroot's README)." msgstr "" "Ajout d'informations sur la façon d'utiliser pam_chroot pour openSSH (basé " "sur le README de pam_chroot)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:650 msgid "Fixed some minor issues reported by Dan Jacobson." msgstr "Correction de problèmes mineurs signalés par Dan Jacobson." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:653 msgid "" "Updated the kernel patches information partially based on a patch from Carlo " "Perassi and also by adding deprecation notes and new kernel patches " "available (adamantix)." msgstr "" "Mise à jour des informations sur les correctifs du noyau basées sur un " "correctif de Carlo Perassi et également en ajoutant des notes sur les " "programmes obsolètes et les nouveaux correctifs de noyau disponibles " "(Adamantix)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:655 msgid "" "Included patch from Simon Brandmair that fixes a sentence related to login " "failures in terminal." msgstr "" "Inclusion d'un correctif de Simon Brandmair qui corrige une phrase liée aux " "échecs de connexion dans un terminal." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:657 msgid "" "Added Mozilla/Thunderbird to the valid GPG agents as suggested by Kapolnai " "Richard." msgstr "" "Ajout de Mozilla/Thunderbird aux agents GPG valables comme suggéré par " "Kapolnai Richard." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:659 msgid "" "Expanded the section on security updates mentioning library and kernel " "updates and how to detect when services need to be restarted." msgstr "" "Expansion de la section sur les mises à jour de sécurité en mentionnant les " "mises à jour de bibliothèques et de noyau et sur la façon de détecter quand " "les services doivent être redémarrés." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:663 msgid "" "Rewrote the firewall section, moved the information that applies to woody " "down and expand the other sections including some information on how to " "manually set the firewall (with a sample script) and how to test the " "firewall configuration." msgstr "" "Réécriture de la section sur les pare-feu, déplacement vers le bas des " "informations qui s'appliquent à Woody et expansion des autres " "sections incluant des informations sur la façon de mettre en place " "manuellement le pare-feu (avec un exemple de script) et sur la façon de " "tester la configuration du pare-feu." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:664 msgid "Added some information preparing for the 3.1 release." msgstr "Ajout d'informations préparatoires pour la version 3.1 de Debian." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:666 msgid "" "Added more detailed information on kernel upgrades, specifically targeted at " "those that used the old installation system." msgstr "" "Ajout d'informations plus détaillées sur les mises à jour du noyau, " "particulièrement destinées à ceux qui ont utilisé l'ancien système " "d'installation." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:669 msgid "" "Added a small section on the experimental apt 0.6 release which provides " "package signing checks. Moved old content to the section and also added a " "pointer to changes made in aptitude." msgstr "" "Ajout d'une petite section sur la version 0.6 d'apt expérimentale qui " "fournit des vérifications de signature de paquets. Déplacement de l'ancien " "contenu dans la section et également ajout d'un pointeur vers les " "changements réalisés dans aptitude." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:670 msgid "Typo fixes spotted by Frédéric Bothamy." msgstr "Corrections de fautes de frappe signalées par Frédéric Bothamy." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:673 msgid "Version 3.1 (January 2005)" msgstr "Version 3.1 (janvier 2005)" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:676 msgid "Added clarification to ro /usr with patch from Joost van Baal." msgstr "" "Ajout de clarification sur /usr en lecture seule avec un correctif de Joost " "van Baal." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:677 msgid "Apply patch from Jens Seidel fixing many typos." msgstr "" "Application d'un correctif de Jens Seidel corrigeant plusieurs fautes de " "frappe." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:678 msgid "FreeSWAN is dead, long live OpenSWAN." msgstr "FreeSWAN est mort, longue vie à OpenSWAN." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:680 msgid "" "Added information on restricting access to RPC services (when they cannot be " "disabled) also included patch provided by Aarre Laakso." msgstr "" "Ajout d'informations sur la restriction d'accès aux services RPC (quand ils " "ne peuvent pas être désactivés), également inclusion d'un correctif fourni " "par Aarre Laakso." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:681 msgid "Update aj's apt-check-sigs script." msgstr "Mise à jour du script apt-check-sigs d'aj." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:682 msgid "Apply patch Carlo Perassi fixing URLs." msgstr "Application du correctif de Carlo Perassi corrigeant des URL." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:684 msgid "" "Apply patch from Davor Ocelic fixing many errors, typos, urls, grammar and " "FIXMEs. Also adds some additional information to some sections." msgstr "" "Application du correctif de Davor Ocelic corrigeant beaucoup d'erreurs, de " "fautes de frappe, URL, erreurs de grammaire et FIXME. Ajout également de " "plusieurs informations supplémentaires pour certaines sections." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:686 msgid "" "Rewrote the section on user auditing, highlight the usage of script which " "does not have some of the issues associated to shell history." msgstr "" "Réécriture de la section sur l'audit utilisateur, mise en évidence de " "l'utilisation de script qui n'a pas certains des problèmes associés à " "l'historique du shell." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:689 msgid "Version 3.0 (December 2004)" msgstr "Version 3.0 (décembre 2004)" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:693 msgid "" "Rewrote the user-auditing information and include examples on how to use " "script." msgstr "" "Réécriture des informations sur l'audit utilisateur et inclusion d'exemples " "sur la façon d'utiliser script." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:697 msgid "Version 2.99 (March 2004)" msgstr "Version 2.99 (mars 2004)" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:700 msgid "Added information on references in DSAs and CVE-Compatibility." msgstr "" "Ajout d'informations sur les références dans les DSA et sur la compatibilité " "CVE." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:701 msgid "Added information on apt 0.6 (apt-secure merge in experimental)." msgstr "" "Ajout d'informations sur apt 0.6 (apt sécurisé intégré dans experimental)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:702 msgid "Fixed location of Chroot daemons HOWTO as suggested by Shuying Wang." msgstr "" "Correction de l'emplacement du HOWTO Chroot des démons comme suggéré par " "Shuying Wang." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:704 msgid "" "Changed APACHECTL line in the Apache chroot example (even if its not used at " "all) as suggested by Leonard Norrgard." msgstr "" "Modification de la ligne APACHECTL dans l'exemple de chroot Apache (même si " "elle n'est pas du tout utilisée) comme suggéré par Leonard Norrgard." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:706 msgid "" "Added a footnote regarding hardlink attacks if partitions are not setup " "properly." msgstr "" "Ajout d'une note concernant les attaques de liens directs (« " "hardlink ») si les partitions ne sont pas mises en place correctement." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:708 msgid "" "Added some missing steps in order to run bind as named as provided by " "Jeffrey Prosa." msgstr "" "Ajout de certaines étapes manquantes pour exécuter bind comme named tel que " "fourni par Jeffrey Prosa." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:710 msgid "" "Added notes about Nessus and Snort out-of-dateness in woody and availability " "of backported packages." msgstr "" "Ajout de notes à propos de l'obsolescence de Nessus et de Snort dans Woody " "et disponibilité de paquets rétroportés." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:711 msgid "Added a chapter regarding periodic integrity test checks." msgstr "" "Ajout d'un chapitre concernant des vérifications de test d'intégrité " "périodiques." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:713 msgid "" "Clarified the status of testing regarding security updates (Debian bug " "233955)." msgstr "" "Clarification de l'état de testing concernant les mises à jour de sécurité " "(bogue Debian nº 233955)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:715 msgid "" "Added more information regarding expected contents in securetty (since it's " "kernel specific)." msgstr "" "Ajout d'informations concernant les contenus attendus dans securetty (comme " "c'est spécifique au noyau)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:716 msgid "Added pointer to snoopylogger (Debian bug 179409)." msgstr "Ajout de pointeur pour snoopylogger (bogue Debian nº 179409)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:717 msgid "Added reference to guarddog (Debian bug 170710)." msgstr "Ajout d'une référence sur guarddog (bogue Debian nº 170710)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:719 msgid "" "apt-ftparchive is in apt-utils, not in " "apt (thanks to Emmanuel Chantreau for pointing this out)." msgstr "" "apt-ftparchive est dans apt-utils, pas dans " "apt (merci à Emmanuel Chantreau pour l'avoir signalé)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:720 msgid "Removed jvirus from AV list." msgstr "Suppression de jvirus de la liste des antivirus." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:724 msgid "Version 2.98 (December 2003)" msgstr "Version 2.98 (décembre 2003)" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:727 msgid "Fixed URL as suggested by Frank Lichtenheld." msgstr "Correction de l'URL comme suggéré par Frank Lichtenheld." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:728 msgid "Fixed PermitRootLogin typo as suggested by Stefan Lindenau." msgstr "" "Correction d'une faute de frappe PermitRootLogin comme suggéré par Stefan " "Lindenau." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:732 msgid "Version 2.97 (September 2003)" msgstr "Version 2.97 (septembre 2003)" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:739 msgid "" "Added those that have made the most significant contributions to this manual " "(please mail me if you think you should be in the list and are not)." msgstr "" "Ajout des personnes qui ont contribué significativement à ce manuel (merci " "de m'envoyer un message si vous pensez que vous devriez être dans la liste " "et que vous n'y êtes pas)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:741 msgid "Added some blurb about FIXME/TODOs." msgstr "Ajout de quelques bla-bla à propos des FIXME/TODO." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:744 msgid "" "Moved the information on security updates to the beginning of the section as " "suggested by Elliott Mitchell." msgstr "" "Déplacement des informations sur les mises à jour de sécurité au début de la " "section comme suggéré par Elliott Mitchell." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:748 msgid "" "Added grsecurity to the list of kernel-patches for security but added a " "footnote on the current issues with it as suggested by Elliott Mitchell." msgstr "" "Ajout de grsecurity à la liste des kernel-patches pour la sécurité, mais " "ajout d'une note sur les problèmes actuels avec celui-ci comme suggéré par " "Elliott Mitchell." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:751 msgid "" "Removed loops (echo to 'all') in the kernel's network security script as " "suggested by Elliott Mitchell." msgstr "" "Suppression de boucles (echo to 'all') dans le script de sécurité réseau du " "noyau comme suggéré par Elliott Mitchell." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:753 msgid "Added more (up-to-date) information in the antivirus section." msgstr "Ajout de plus d'informations (à jour) dans la section antivirus." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:757 msgid "" "Rewrote the buffer overflow protection section and added more information on " "patches to the compiler to enable this kind of protection." msgstr "" "Réécriture de la section de protection des dépassements de tampon et ajout " "de plus d'informations sur les correctifs pour le compilateur pour activer " "ce type de protection." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:761 msgid "Version 2.96 (August 2003)" msgstr "Version 2.96 (août 2003)" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:765 msgid "" "Removed (and then re-added) appendix on chrooting Apache. The appendix is " "now dual-licensed." msgstr "" "Suppression (et nouvel ajout) de l'annexe sur Apache dans un chroot. " "L'annexe est maintenant sous une double licence." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:768 msgid "Version 2.95 (June 2003)" msgstr "Version 2.95 (juin 2003)" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:771 msgid "Fixed typos spotted by Leonard Norrgard." msgstr "Corrections de fautes signalées par Leonard Norrgard." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:773 msgid "" "Added a section on how to contact CERT for incident handling ()." msgstr "" "Ajout d'une section sur la façon de contacter le CERT pour la gestion " "d'incident ()." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:774 msgid "More information on setting up a Squid proxy." msgstr "" "Plus d'informations sur la mise en place d'un serveur mandataire (« " "proxy ») Squid." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:775 msgid "Added a pointer and removed a FIXME thanks to Helge H. F." msgstr "Ajout d'un pointeur et suppression d'un FIXME grâce à Helge H. F." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:776 msgid "Fixed a typo (save_inactive) spotted by Philippe Faes." msgstr "Correction d'une faute (save_inactive) signalée par Philippe Faes." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:777 msgid "Fixed several typos spotted by Jaime Robles." msgstr "Corrections de plusieurs fautes signalées par Jaime Robles." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:780 msgid "Version 2.94 (April 2003)" msgstr "Version 2.94 (avril 2003)" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:784 msgid "" "Following Maciej Stachura's suggestions I've expanded the section on " "limiting users." msgstr "" "Selon les suggestions de Maciej Stachura, j'ai développé la section sur les " "limitations pour les utilisateurs." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:785 msgid "Fixed typo spotted by Wolfgang Nolte." msgstr "Correction d'une faute signalée par Wolfgang Nolte." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:786 msgid "Fixed links with patch contributed by Ruben Leote Mendes." msgstr "Correction de liens avec un correctif fourni par Ruben Leote Mendes." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:788 msgid "" "Added a link to David Wheeler's excellent document on the footnote about " "counting security vulnerabilities." msgstr "" "Ajout d'un lien vers l'excellent document de David Wheeler dans la note sur " "le décompte des failles de sécurité." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:791 msgid "Version 2.93 (March 2003)" msgstr "Version 2.93 (mars 2003)" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:792 msgid "Changes made by Frédéric Schütz." msgstr "Modifications de Frédéric Schütz." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:795 msgid "rewrote entirely the section of ext2 attributes (lsattr/chattr)." msgstr "" "Réécriture complète de la section sur les attributs ext2 (lsattr/chattr)." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:798 msgid "Version 2.92 (February 2003)" msgstr "Version 2.92 (février 2003)" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:800 msgid "Changes by Javier Fernández-Sanguino Peña and Frédéric Schütz." msgstr "Modifications de Javier Fernández-Sanguino Peña et Frédéric Schütz." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:803 msgid "" "Merge section 9.3 (\"useful kernel patches\") into section 4.13 (\"Adding " "kernel patches\"), and added some content." msgstr "" "Fusion de la section 9.3 (« correctifs noyau utiles ») dans " "la section 4.13 (« Ajouter des correctifs noyau ») et ajout " "d'un peu de contenu." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:804 msgid "Added a few more TODOs." msgstr "Ajout de quelques TODO supplémentaires." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:807 msgid "" "Added information on how to manually check for updates and also about cron-" "apt. That way Tiger is not perceived as the only way to do automatic update " "checks." msgstr "" "Ajout d'informations sur la façon de vérifier manuellement les mises à jour " "et également sur cron-apt. Ainsi Tiger n'est plus vu comme le seul moyen de " "faire des vérifications de mises à jour automatiques." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:809 msgid "" "Slightly rewrite of the section on executing a security updates due to Jean-" "Marc Ranger comments." msgstr "" "Légère réécriture de la section sur l'exécution des mises à jour de sécurité " "grâce aux commentaires de Jean-Marc Ranger." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:811 msgid "" "Added a note on Debian's installation (which will suggest the user to " "execute a security update right after installation)." msgstr "" "Ajout d'une note sur l'installation de Debian (qui suggérera à l'utilisateur " "une mise à jour de sécurité juste après l'installation)." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:814 msgid "Version 2.91 (January/February 2003)" msgstr "Version 2.91 (janvier/février 2003)" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:815 en/intro.sgml:830 #: en/intro.sgml:839 en/intro.sgml:872 msgid "Changes by Javier Fernández-Sanguino Peña (me)." msgstr "Modifications de Javier Fernández-Sanguino Peña (moi)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:817 msgid "Added a patch contributed by Frédéric Schütz." msgstr "Ajout d'un correctif proposé par Frédéric Schütz." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:818 msgid "Added a few more references on capabilities thanks to Frédéric." msgstr "" "Ajout de quelques références supplémentaires sur les capacités grâce à " "Frédéric." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:820 msgid "" "Slight changes in the bind section adding a reference to BIND's 9 online " "documentation and proper references in the first area (Hi Pedro!)." msgstr "" "Modifications légères sur la section bind par l'ajout d'une référence à la " "documentation en ligne de BIND 9 et de références correctes dans la première " "zone (Salut Pedro !)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:821 msgid "Fixed the changelog date - new year :-)." msgstr "" "Correction de la date du journal de modifications – nouvelle année :-)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:822 msgid "Added a reference to Colin's articles for the TODOs." msgstr "Ajout d'une référence aux articles de Colin pour les TODO." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:823 msgid "Removed reference to old ssh+chroot patches." msgstr "Suppression de la référence à d'anciens correctifs SSH+chroot." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:824 msgid "More patches from Carlo Perassi." msgstr "Correctifs additionnels de Carlo Perassi." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:826 msgid "" "Typo fixes (recursive in Bind is recursion), pointed out by Maik Holtkamp." msgstr "" "Corrections de fautes (récursif dans BIND est récursion) signalées par Maik " "Holtkamp." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:829 msgid "Version 2.9 (December 2002)" msgstr "Version 2.9 (décembre 2002)" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:833 msgid "" "Reorganized the information on chroot (merged two sections, it didn't make " "much sense to have them separated)." msgstr "" "Réorganisation des informations sur chroot (fusion de deux sections, cela " "n'avait pas de sens de les garder séparées)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:834 msgid "Added the notes on chrooting Apache provided by Alexandre Ratti." msgstr "Ajout de notes sur le chroot d'Apache fournies par Alexandre Ratti." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:835 msgid "Applied patches contributed by Guillermo Jover." msgstr "Application de correctifs proposés par Guillermo Jover." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:838 msgid "Version 2.8 (November 2002)" msgstr "Version 2.8 (novembre 2002)" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:842 msgid "" "Applied patches from Carlo Perassi, fixes include: re-wrapping the lines, " "URL fixes, and fixed some FIXMEs." msgstr "" "Application des correctifs de Carlo Perassi, corrections incluant : " "modification de la longueur de lignes, correction d'URL, et correction de " "certains FIXME." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:843 msgid "Updated the contents of the Debian security team FAQ." msgstr "" "Mise à jour du contenu de la FAQ de l'équipe en charge de la sécurité de " "Debian." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:845 msgid "" "Added a link to the Debian security team FAQ and the Debian Developer's " "reference, the duplicated sections might (just might) be removed in the " "future." msgstr "" "Ajout d'un lien vers la FAQ de l'équipe en charge de la sécurité de Debian " "et la référence du développeur Debian, les sections dupliquées pourraient " "(juste pourraient) être supprimées à l'avenir." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:846 msgid "" "Fixed the hand-made auditing section with comments from Michal Zielinski." msgstr "" "Correction de la section d'audit manuel avec les commentaires de Michal " "Zielinski." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:847 msgid "Added links to wordlists (contributed by Carlo Perassi)." msgstr "" "Ajout d'un lien vers des dictionnaires (contribution de Carlo Perassi)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:848 msgid "Fixed some typos (still many around)." msgstr "Correction de quelques erreurs de frappe (il en reste encore plein)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:849 msgid "Fixed TDP links as suggested by John Summerfield." msgstr "" "Correction des liens TDP conformément à la suggestion de John Summerfield." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:852 msgid "Version 2.7 (October 2002)" msgstr "Version 2.7 (octobre 2002)" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:855 msgid "" "Changes by Javier Fernández-Sanguino Peña (me). Note: I still have a lot of " "pending changes in my mailbox (which is currently about 5 Mbs in size)." msgstr "" "Modifications de Javier Fernández-Sanguino Peña (moi). Note : j'ai " "encore beaucoup de modifications qui sont stockées dans ma boîte de " "réception (ce qui représente en ce moment environ 5 Mo) à intégrer." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:858 msgid "" "Some typo fixes contributed by Tuyen Dinh, Bartek Golenko and Daniel K. " "Gebhart." msgstr "" "Correction de quelques fautes qui ont été signalées par Tuyen Dinh, Bartek " "Golenko et Daniel K. Gebhart." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:859 msgid "Note regarding /dev/kmem rootkits contributed by Laurent Bonnaud." msgstr "" "Note concernant les rootkits utilisant /dev/kmem suggérée par Laurent " "Bonnaud." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:860 msgid "Fixed typos and FIXMEs contributed by Carlo Perassi." msgstr "Correction de fautes et de FIXME par Carlo Perassi." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:863 msgid "Version 2.6 (September 2002)" msgstr "Version 2.6 (septembre 2002)" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:864 msgid "Changes by Chris Tillman, tillman@voicetrak.com." msgstr "Modifications de Chris Tillman, tillman@voicetrak.com." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:866 msgid "Changed around to improve grammar/spelling." msgstr "Modifications pour améliorer la grammaire et l'orthographe." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:867 msgid "s/host.deny/hosts.deny/ (1 place)." msgstr "s/host.deny/hosts.deny/ (1 endroit)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:868 msgid "Applied Larry Holish's patch (quite big, fixes a lot of FIXMEs)." msgstr "" "Application du correctif de Larry Holish (assez gros, corrige de nombreux " "FIXME)." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:871 msgid "Version 2.5 (September 2002)" msgstr "Version 2.5 (septembre 2002)" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:874 msgid "Fixed minor typos submitted by Thiemo Nagel." msgstr "Corrections de quelques fautes signalées par Thiemo Nagel." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:875 msgid "Added a footnote suggested by Thiemo Nagel." msgstr "Ajout d'une note de bas de page sur les conseils de Thiemo Nagel." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:876 msgid "Fixed an URL link." msgstr "Corrige une URL." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:880 msgid "Version 2.5 (August 2002)" msgstr "Version 2.5 (août 2002)" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:884 msgid "" "Changes by Javier Fernández-Sanguino Peña (me). There were many things " "waiting on my inbox (as far back as February) to be included, so I'm going " "to tag this the back from honeymoon release :)." msgstr "" "Modifications de Javier Fernández-Sanguino Peña (moi). Il y avait beaucoup " "de choses en attente dans ma boîte de réception (depuis février), je vais " "donc appeler cela la version retour de lune de miel :)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:889 msgid "" "Applied a patch contributed by Philipe Gaspar regarding the Squid which also " "kills a FIXME." msgstr "" "Application d'un correctif fourni par Philipe Gaspar concernant Squid qui " "supprime aussi un FIXME." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:893 msgid "" "Yet another FAQ item regarding service banners taken from the debian-" "security mailing list (thread \"Telnet information\" started 26th July 2002)." msgstr "" "Encore une autre FAQ concernant les bannières de services provenant de la " "liste de diffusion debian-security (discussion « Telnet " "information » démarrée le 26 juillet 2002)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:897 msgid "" "Added a note regarding use of CVE cross references in the How much time " "does the Debian security team... FAQ item." msgstr "" "Ajout d'une note concernant l'utilisation des références croisées CVE dans " "l'élément de la FAQ En combien de temps l'équipe en charge de la " "sécurité de Debian..." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:900 msgid "" "Added a new section regarding ARP attacks contributed by Arnaud \"Arhuman\" " "Assad." msgstr "" "Ajout d'une nouvelle section concernant les attaques ARP fournie par Arnaud " "« Arhuman » Assad." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:902 msgid "New FAQ item regarding dmesg and console login by the kernel." msgstr "" "Nouvelle FAQ concernant dmesg et le démarrage en mode console par le noyau." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:905 msgid "" "Small tidbits of information to the signature-checking issues in packages " "(it seems to not have gotten past beta release)." msgstr "" "Petites parcelles d'informations sur les problèmes de vérification de " "signature dans les paquets (il semble qu'ils n'aient pas passé le stade de " "la version bêta)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:908 msgid "New FAQ item regarding vulnerability assessment tools false positives." msgstr "" "Nouvelle FAQ concernant les faux positifs des outils d'évaluation de " "vulnérabilité." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:912 msgid "" "Added new sections to the chapter that contains information on package " "signatures and reorganized it as a new Debian Security Infrastructure chapter." msgstr "" "Ajout de nouvelles sections au chapitre qui contient des informations sur " "les signatures de paquet et réorganisation en un nouveau chapitre " "Infrastructure de sécurité Debian." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:914 msgid "New FAQ item regarding Debian vs. other Linux distributions." msgstr "" "Nouvel élément de FAQ concernant Debian et les autres distributions Linux." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:917 msgid "" "New section on mail user agents with GPG/PGP functionality in the security " "tools chapter." msgstr "" "Nouvelle section sur les clients de messagerie avec des fonctionnalités GPG/" "PGP dans le chapitre outils de sécurité." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:920 msgid "" "Clarified how to enable MD5 passwords in woody, added a pointer to PAM as " "well as a note regarding the max definition in PAM." msgstr "" "Clarification sur la manière d'activer les mots de passe MD5 dans Woody, ajout d'un lien vers PAM ainsi qu'une note concernant la définition de " "max dans PAM." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:924 msgid "" "Added a new appendix on how to create chroot environments (after fiddling a " "bit with makejail and fixing, as well, some of its bugs), integrated " "duplicate information in all the appendix." msgstr "" "Ajout d'une nouvelle annexe sur la façon de créer des environnements « " "chroot » (après avoir joué un peu avec makejail et " "avoir aussi corrigé quelques-uns de ses bogues), intégration des " "informations dupliquées dans toutes les annexes." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:929 msgid "" "Added some more information regarding SSH chrooting and its " "impact on secure file transfers. Some information has been retrieved from " "the debian-security mailing list (June 2002 thread: secure file " "transfers)." msgstr "" "Ajout d'informations complémentaires concernant le « chrootage » " "de SSH et de son impact sur les transferts sécurisés de " "fichiers. Certaines informations ont été récupérées de la liste de diffusion " "debian-security (juin 2002 discussion : Secure file transfers)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:932 msgid "" "New sections on how to do automatic updates on Debian systems as well as the " "caveats of using testing or unstable regarding security updates." msgstr "" "Nouvelles sections sur la mise à jour automatique des systèmes Debian ainsi " "que les dangers d'utiliser la distribution « testing » ou la " "distribution « unstable » du point de vue des mises à jour de " "sécurité." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:936 msgid "" "New section regarding keeping up to date with security patches in the " "Before compromise section as well as a new section about the debian-" "security-announce mailing list." msgstr "" "Nouvelle section, concernant la manière de rester à jour avec la mise en " "place de correctifs de sécurité, dans la section avant la compromission ainsi qu'une nouvelle section sur la liste de diffusion debian-security-" "announce." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:938 msgid "Added information on how to automatically generate strong passwords." msgstr "" "Ajouts d'informations sur la manière de créer automatiquement des mots de " "passe sûrs." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:940 msgid "New section regarding login of idle users." msgstr "" "Nouvelle section relative à la connexion des utilisateurs oisifs (idle)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:944 msgid "" "Reorganized the securing mail server section based on the Secure/" "hardened/minimal Debian (or \"Why is the base system the way it is?\") " "thread on the debian-security mailing list (May 2002)." msgstr "" "Réorganisation de la section sécurisation du serveur de mail suite à la " "discussion Secure/hardened/minimal Debian (ou « Why is the base system " "the way it is? » : pourquoi le système de base est-il comme ça ?) sur " "la liste de diffusion debian-security (mai 2002)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:948 msgid "" "Reorganized the section on kernel network parameters, with information " "provided in the debian-security mailing list (May 2002, syn flood " "attacked? thread) and added a new FAQ item as well." msgstr "" "Réorganisation de la section sur les paramètres réseau du noyau, avec les " "informations fournies par la liste de diffusion debian-security " "(mai 2002, discussion syn flood attacked?) et ajout d'un " "nouvel élément de FAQ." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:951 msgid "" "New section on how to check users passwords and which packages to install " "for this." msgstr "" "Nouvelle section sur la manière de vérifier les mots de passe des " "utilisateurs et quels paquets utiliser pour cela." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:954 msgid "" "New section on PPTP encryption with Microsoft clients discussed in the " "debian-security mailing list (April 2002)." msgstr "" "Nouvelle section sur le chiffrement PPTP avec les clients Microsoft discuté " "sur la liste de diffusion debian-security (avril 2002)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:960 msgid "" "Added a new section describing what problems are there when binding any " "given service to a specific IP address, this information was written based " "on the Bugtraq mailing list in the thread: Linux kernel 2.4 \"weak end " "host\" issue (previously discussed on debian-security as \"arp problem\") (started on May 9th 2002 by Felix von Leitner)." msgstr "" "Ajout d'une nouvelle section décrivant les problèmes qui peuvent survenir " "lorsque l'on attribue une adresse IP spécifique pour chaque service, cette " "information a été écrite d'après une discussion qui s'est tenue sur la liste " "de diffusion de Bugtraq : Linux kernel 2.4 \"weak end host\" issue " "(discuté précédemment sur debian-security sous le titre « arp " "problem ») (démarré le 9 mai 2002 par Felix von Leitner)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:962 msgid "Added information on ssh protocol version 2." msgstr "Ajout d'informations sur le protocole SSH version 2." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:965 msgid "" "Added two subsections related to Apache secure configuration (the things " "specific to Debian, that is)." msgstr "" "Ajout de deux sous-sections relatives à la configuration sécurisée d'Apache " "(c'est-à-dire, les éléments spécifiques à Debian)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:969 msgid "" "Added a new FAQ related to raw sockets, one related to /root, an item " "related to users' groups and another one related to log and configuration " "files permissions." msgstr "" "Ajout d'une nouvelle FAQ traitant des « raw sockets », une " "relative à /root, une partie traitant des groupes d'utilisateurs et une " "autre traitant des permissions des journaux et des permissions des fichiers " "de configuration." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:972 msgid "" "Added a pointer to a bug in libpam-cracklib that might still be open... " "(need to check)." msgstr "" "Ajout d'un lien vers un bogue dans libpam-cracklib qui pourrait encore être " "présent... (besoin de vérifier)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:975 msgid "" "Added more information regarding forensics analysis (pending more " "information on packet inspection tools such as tcpflow)." msgstr "" "Ajout de plus d'informations sur l'analyse forensique (post-mortem) d'un système " "(en attente de plus de renseignements sur les outils d'inspection de paquets " "tels que tcpflow)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:978 msgid "" "Changed the \"what should I do regarding compromise\" into a bullet list and " "included some more stuff." msgstr "" "Transformation de « Que dois-je faire concernant la " "compromission » en une série d'énumérations et en y ajoutant plus " "d'éléments." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:981 msgid "" "Added some information on how to set up the Xscreensaver to lock the screen " "automatically after the configured timeout." msgstr "" "Ajout d'informations sur la configuration de Xscreensaver pour verrouiller " "l'écran automatiquement après une durée donnée." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:986 msgid "" "Added a note related to the utilities you should not install in the system. " "Included a note regarding Perl and why it cannot be easily removed in " "Debian. The idea came after reading Intersect's documents regarding Linux " "hardening." msgstr "" "Ajout d'une note sur les utilitaires que vous ne devriez pas installer sur " "un système. Inclusion d'une note concernant Perl et pourquoi il ne peut pas " "être retiré facilement de Debian. L'idée vient de la lecture des documents " "d'Intersect concernant le renforcement de Linux." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:989 msgid "" "Added information on lvm and journalling file systems, ext3 recommended. The " "information there might be too generic, however." msgstr "" "Ajout d'informations sur lvm et les systèmes de fichiers journalisés, ext3 " "est préconisé. Les informations pourraient cependant y être trop génériques." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:991 msgid "Added a link to the online text version (check)." msgstr "Ajout d'un lien sur la version texte disponible en ligne (à vérifier)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:994 msgid "" "Added some more stuff to the information on firewalling the local system, " "triggered by a comment made by Hubert Chan in the mailing list." msgstr "" "Ajout d'informations additionnelles sur la protection par pare-feu d'un " "système local, faisant suite à un commentaire d'Hubert Chan sur la liste de " "diffusion." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:999 msgid "" "Added more information on PAM limits and pointers to Kurt Seifried's " "documents (related to a post by him to Bugtraq on April 4th 2002 answering a " "person that had ``discovered'' a vulnerability in Debian GNU/Linux related " "to resource starvation)." msgstr "" "Ajout d'informations sur les limites de PAM et de liens vers les documents " "de Kurt Seifried (relatifs à un de ses messages sur Bugtraq le 4 " "avril 2002 répondant à une personne qui « découvrit » une " "vulnérabilité dans Debian GNU/Linux relative à l'épuisement des ressources)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1003 msgid "" "As suggested by Julián Muñoz, provided more information on the default " "Debian umask and what a user can access if he has been given a shell in the " "system (scary, huh?)." msgstr "" "Comme suggéré par Julián Muñoz, ajout d'informations supplémentaires sur " "l'umask par défaut de Debian et ce à quoi un utilisateur peut accéder si on " "lui a donné une invite de commande sur le système (effrayant, non ?)" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1006 msgid "" "Included a note in the BIOS password section due to a comment from Andreas " "Wohlfeld." msgstr "" "Inclusion d'une note dans la section du mot de passe BIOS suite à un " "commentaire d'Andreas Wohlfeld." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1009 msgid "" "Included patches provided by Alfred E. Heggestad fixing many of the typos " "still present in the document." msgstr "" "Inclusion des correctifs fournis par Alfred E. Heggestad corrigeant beaucoup " "de fautes encore présentes dans le document." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1012 msgid "" "Added a pointer to the changelog in the Credits section since most people " "who contribute are listed here (and not there)." msgstr "" "Ajout d'un lien vers le journal de modifications dans la section des " "remerciements car la plupart des personnes qui ont contribué sont cités ici " "(et pas là-bas)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1016 msgid "" "Added a few more notes to the chattr section and a new section after " "installation talking about system snapshots. Both ideas were contributed by " "Kurt Pomeroy." msgstr "" "Ajout de quelques notes complémentaires dans la section de chattr et d'une " "nouvelle section après l'installation qui parle des images systèmes. Les " "deux idées sont la contribution de Kurt Pomeroy." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1019 msgid "" "Added a new section after installation just to remind users to change the " "boot-up sequence." msgstr "" "Ajout d'une nouvelle section après l'installation juste pour rappeler aux " "utilisateurs de changer la séquence de démarrage." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1021 msgid "Added some more TODO items provided by Korn Andras." msgstr "Ajout d'éléments restant à faire (TODO) fournis par Korn Andras." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1024 msgid "" "Added a pointer to the NIST's guidelines on how to secure DNS provided by " "Daniel Quinlan." msgstr "" "Ajout d'un lien vers les recommandations du NIST sur la manière de sécuriser " "un DNS. Cette contribution nous est fournie par Daniel Quinlan." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1027 msgid "" "Added a small paragraph regarding Debian's SSL certificates infrastructure." msgstr "" "Ajout d'un petit paragraphe concernant l'infrastructure des certificats SSL " "de Debian." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1030 msgid "" "Added Daniel Quinlan's suggestions regarding ssh authentication " "and exim's relay configuration." msgstr "" "Ajout des suggestions de Daniel Quinlan concernant l'authentification " "SSH et la configuration d'Exim en relais." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1034 msgid "" "Added more information regarding securing bind including changes suggested " "by Daniel Quinlan and an appendix with a script to make some of the changes " "commented on in that section." msgstr "" "Ajout de plus d'informations concernant la sécurisation de BIND incluant les " "modifications suggérées par Daniel Quinlan et une annexe avec un script pour " "faire quelques uns des changements commentés dans cette section." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1037 msgid "" "Added a pointer to another item regarding Bind chrooting (needs to be " "merged)." msgstr "" "Ajout d'un lien vers un autre élément concernant le « chrootage » " "de BIND (a besoin d'être fusionné)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1040 msgid "" "Added a one liner contributed by Cristian Ionescu-Idbohrn to retrieve " "packages with tcpwrappers support." msgstr "" "Ajout d'une ligne de Cristian Ionescu-Idbohrn pour récupérer les paquets " "avec gestion des tcpwrappers." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1042 msgid "Added a little bit more info on Debian's default PAM setup." msgstr "" "Ajout d'un peu plus d'informations sur la configuration PAM par défaut de la " "Debian." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1045 msgid "" "Included a FAQ question about using PAM to provide services without shell " "accounts." msgstr "" "Inclusion d'une question dans la FAQ au sujet de l'utilisation de PAM pour " "fournir des services sans compte shell." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1048 msgid "" "Moved two FAQ items to another section and added a new FAQ regarding attack " "detection (and compromised systems)." msgstr "" "Déplacement de deux éléments de la FAQ dans une autre section et ajout d'une " "nouvelle FAQ concernant la détection des attaques (et des systèmes " "compromis)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1052 msgid "" "Included information on how to set up a bridge firewall (including a sample " "Appendix). Thanks to Francois Bayart who sent this to me in March." msgstr "" "Inclusion d'informations sur la configuration d'un pont pare-feu (incluant " "une annexe d'exemple). Merci à François Bayart qui m'a envoyé ça en mars." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1056 msgid "" "Added a FAQ regarding the syslogd's MARK heartbeat from a " "question answered by Noah Meyerhans and Alain Tesio in December 2001." msgstr "" "Ajout d'une FAQ concernant les MARK d'heartbeat dans le syslogd " "d'après une question à laquelle Noah Meyerhans et Alain Tesio ont répondu en " "décembre 2001." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1059 msgid "" "Included information on buffer overflow protection as well as some " "information on kernel patches." msgstr "" "Inclusion d'informations sur la protection contre les débordements de " "tampons ainsi que quelques informations sur les correctifs du noyau." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1063 msgid "" "Added more information (and reorganized) the firewall section. Updated the " "information regarding the iptables package and the firewall generators " "available." msgstr "" "Ajout d'informations supplémentaires (et réorganisation) de la section pare-" "feu. Mise à jour des informations concernant le paquet iptables et les " "générateurs de pare-feu disponibles." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1066 msgid "" "Reorganized the information regarding log checking, moved logcheck " "information from host intrusion detection to that section." msgstr "" "Réorganisation des informations concernant la vérification des journaux, " "déplacement des informations de logcheck sur la détection d'intrusion " "machine vers cette section." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1069 msgid "" "Added some information on how to prepare a static package for bind for " "chrooting (untested)." msgstr "" "Ajout d'informations sur la manière de préparer un paquet statique pour BIND " "dans l'optique d'un « chrootage » (non testé)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1073 msgid "" "Added a FAQ item regarding some specific servers/services (could be expanded " "with some of the recommendations from the debian-security list)." msgstr "" "Ajout d'un élément de FAQ concernant certains serveurs/services spécifiques " "(pourrait être développé avec quelques unes des recommandations de la liste " "de diffusion debian-security)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1075 msgid "Added some information on RPC services (and when it's necessary)." msgstr "" "Ajout d'informations sur les services RPC (et quand ils sont nécessaires)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1079 msgid "" "Added some more information on capabilities (and what lcap does). Is there " "any good documentation on this? I haven't found any documentation on my 2.4 " "kernel." msgstr "" "Ajout de plus d'informations sur les capacités (« capabilities ») " "en matière de sécurité (et ce que fait lcap). Y a-t-il une bonne " "documentation sur ce sujet ? Je n'ai trouvé aucune documentation sur " "mon noyau 2.4." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1081 en/intro.sgml:1372 msgid "Fixed some typos." msgstr "Correction de fautes de frappes." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1084 msgid "Version 2.4" msgstr "Version 2.4" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1087 msgid "Rewritten part of the BIOS section." msgstr "Réécriture d'une partie de la section BIOS." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1090 en/intro.sgml:1107 msgid "Version 2.3" msgstr "Version 2.3" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1093 msgid "Wrapped most file locations with the file tag." msgstr "" "Encadrement de la plupart des emplacements de fichiers par la balise « " "file »." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1094 msgid "Fixed typo noticed by Edi Stojicevi." msgstr "Correction de fautes signalées par Edi Stojicevi." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1095 msgid "Slightly changed the remote audit tools section." msgstr "Légère modification de la section des outils d'audit distant." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1096 msgid "Added some todo items." msgstr "Ajout d'éléments à faire." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1098 msgid "" "Added more information regarding printers and cups config file (taken from a " "thread on debian-security)." msgstr "" "Ajout d'informations concernant les imprimantes et du fichier de " "configuration de CUPS (tiré d'une discussion sur debian-security)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1100 msgid "" "Added a patch submitted by Jesus Climent regarding access of valid system " "users to Proftpd when configured as anonymous server." msgstr "" "Ajout d'un correctif proposé par Jesus Climent concernant l'accès " "d'utilisateurs valables du système à ProFTPD quand il est configuré en " "serveur anonyme." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1102 msgid "Small change on partition schemes for the special case of mail servers." msgstr "" "Petite modification aux schémas de partitionnement dans le cas particulier " "des serveurs de messagerie." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1103 msgid "Added Hacking Linux Exposed to the books section." msgstr "" "Ajout du livre « Hacking Linux Exposed » à la section des livres." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1104 msgid "Fixed directory typo noticed by Eduardo Pérez Ureta." msgstr "" "Correction d'une faute de frappe sur un répertoire signalée par Eduardo " "Pérez Ureta." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1105 msgid "Fixed /etc/ssh typo in checklist noticed by Edi Stojicevi." msgstr "" "Correction d'une coquille dans /etc/ssh dans la liste de contrôle signalée " "par Edi Stojicevi." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1110 msgid "Fixed location of dpkg conffile." msgstr "Correction de l'emplacement du fichier de configuration de dpkg." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1111 msgid "Remove Alexander from contact information." msgstr "Suppression d'Alexander des informations sur les contacts." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1112 msgid "Added alternate mail address." msgstr "Ajout d'une autre adresse électronique." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1113 msgid "Fixed Alexander mail address (even if commented out)." msgstr "" "Correction de l'adresse électronique d'Alexander (même si elle est " "commentée)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1115 msgid "" "Fixed location of release keys (thanks to Pedro Zorzenon for pointing this " "out)." msgstr "" "Correction de l'emplacement des clefs de versions (merci à Pedro Zorzenon " "pour avoir relevé cette erreur)." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1117 msgid "Version 2.2" msgstr "Version 2.2" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1120 msgid "Fixed typos, thanks to Jamin W. Collins." msgstr "Corrections de fautes, merci à Jamin W. Collins pour ces corrections." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1122 msgid "" "Added a reference to apt-extracttemplate manpage (documents the APT::" "ExtractTemplate config)." msgstr "" "Ajout d'une référence à la page de manuel d'apt-extracttemplate " "(documentation sur la configuration de APT::ExtractTemplate)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1125 msgid "" "Added section about restricted SSH. Information based on that posted by Mark " "Janssen, Christian G. Warden and Emmanuel Lacour on the debian-security " "mailing list." msgstr "" "Ajout d'une section concernant la limitation de SSH. Informations basées sur " "celles qui ont été postées par Mark Janssen, Christian G. Warden et Emmanuel " "Lacour sur la liste de diffusion debian-security." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1126 msgid "Added information on antivirus software." msgstr "Ajout d'informations sur les logiciels antivirus." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1127 msgid "Added a FAQ: su logs due to the cron running as root." msgstr "" "Ajout d'une FAQ : journaux de su provenant du fait que cron fonctionne " "en tant que superutilisateur." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1129 msgid "Version 2.1" msgstr "Version 2.1" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1132 msgid "Changed FIXME from lshell thanks to Oohara Yuuma." msgstr "Modifications du « FIXME » de lshell, merci à Oohara Yuuma." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1133 msgid "Added package to sXid and removed comment since it *is* available." msgstr "" "Ajout d'un paquet sXid et retrait du commentaire étant donné qu'il est " "disponible." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1134 msgid "Fixed a number of typos discovered by Oohara Yuuma." msgstr "De nombreuses fautes relevées par Oohara Yuuma ont été corrigées." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1136 msgid "" "ACID is now available in Debian (in the acidlab package) thanks to Oohara " "Yuuma for noticing." msgstr "" "ACID est maintenant disponible dans Debian (dans le paquet acidlab), merci à " "Oohara Yuuma de l'avoir signalé." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1137 msgid "Fixed LinuxSecurity links (thanks to Dave Wreski for telling)." msgstr "" "Liens de LinuxSecurity corrigés (merci à Dave Wreski de nous l'avoir " "signalé)." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1139 msgid "Version 2.0" msgstr "Version 2.0" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1142 msgid "" "Changes by Javier Fernández-Sanguino Peña. I wanted to change to 2.0 when " "all the FIXMEs were fixed but I ran out of 1.9X numbers :(." msgstr "" "Modifications de Javier Fernández-Sanguino Peña. « Je voulais passer à 2.0 " "quand tous les « FIXME » auraient été supprimés mais j'ai manqué " "de numéros dans la série 1.9X :( »." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1145 msgid "Converted the HOWTO into a Manual (now I can properly say RTFM)." msgstr "Transformation du HOWTO en Manuel (maintenant je peux dire RTFM)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1149 msgid "" "Added more information regarding tcp wrappers and Debian (now many services " "are compiled with support for them so it's no longer an inetd " "issue)." msgstr "" "Ajout d'informations concernant l'encapsulation TCP et Debian (maintenant " "plusieurs services sont compilés avec la prise en charge adéquate ; " "ainsi cela n'est plus un problème d'inetd)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1152 msgid "" "Clarified the information on disabling services to make it more consistent " "(rpc info still referred to update-rc.d)." msgstr "" "Clarification des informations sur la désactivation des services pour la " "rendre plus cohérente (les informations RPC se réfèrent toujours à update-rc." "d)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1154 msgid "Added small note on lprng." msgstr "Ajout d'une petite note sur lprng." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1156 msgid "Added some more info on compromised servers (still very rough)." msgstr "" "Ajout de quelques renseignements sur les serveurs compromis (toujours très " "approximatif)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1158 msgid "Fixed typos reported by Mark Bucciarelli." msgstr "Corrections des fautes signalées par Mark Bucciarelli." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1161 msgid "" "Added some more steps in password recovery to cover the cases when the admin " "has set paranoid-mode=on." msgstr "" "Ajout d'étapes supplémentaires sur la récupération des mots de passe lorsque " "l'administrateur a paramétré paranoid-mode=on." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1164 msgid "Added some information to set paranoid-mode=on when login in console." msgstr "" "Ajout d'informations pour paramétrer paranoid-mode=on lorsque l'on se " "connecte en mode console." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1166 msgid "New paragraph to introduce service configuration." msgstr "Nouveau paragraphe pour présenter la configuration des services." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1169 msgid "" "Reorganized the After installation section so it is more broken up " "into several issues and it's easier to read." msgstr "" "Réorganisation de la section Après l'installation afin de permettre " "une lecture plus aisée du document." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1172 msgid "" "Wrote information on how to set up firewalls with the standard Debian 3.0 " "setup (iptables package)." msgstr "" "Informations sur la manière de paramétrer des pare-feu avec l'installation " "standard de Debian 3.0 (paquet iptables)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1175 msgid "" "Small paragraph explaining why installing connected to the Internet is not a " "good idea and how to avoid this using Debian tools." msgstr "" "Petit paragraphe détaillant pourquoi l'installation par le réseau n'est pas " "une bonne idée et comment on peut l'éviter en utilisant les outils Debian." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1177 msgid "Small paragraph on timely patching referencing to IEEE paper." msgstr "" "Petit paragraphe sur un article de l'IEEE qui souligne l'importance d'une " "application rapide des correctifs." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1180 msgid "" "Appendix on how to set up a Debian snort box, based on what Vladimir sent to " "the debian-security mailing list (September 3rd 2001)." msgstr "" "Annexe sur la manière de paramétrer une machine snort Debian, basé sur ce " "que Vladimir a envoyé à la liste de diffusion debian-security (le 3 " "septembre 2001)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1183 msgid "" "Information on how logcheck is set up in Debian and how it can be used to " "set up HIDS." msgstr "" "Information sur la manière dont est configurée logcheck dans Debian et " "comment il peut être utilisé pour paramétrer HIDS." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1185 msgid "Information on user accounting and profile analysis." msgstr "" "Informations sur les comptes utilisateurs et sur les analyses de profils." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1188 msgid "" "Included apt.conf configuration for read-only /usr copied from Olaf " "Meeuwissen's post to the debian-security mailing list." msgstr "" "Inclusion de la configuration de apt.conf pour un /usr en lecture " "seule ; copié à partir du courrier d'Olaf Meeuwissen envoyé à la liste " "de diffusion debian-security." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1193 msgid "" "New section on VPN with some pointers and the packages available in Debian " "(needs content on how to set up the VPNs and Debian-specific issues), based " "on Jaroslaw Tabor's and Samuli Suonpaa's post to debian-security." msgstr "" "Nouvelle section sur le VPN qui contient quelques liens ainsi que les " "paquets disponibles dans Debian (besoin de contenu concernant l'installation " "de VPN et les problèmes spécifiques à Debian) basé sur les courriers de " "Jaroslaw Tabor et Samuli Suonpaa postés sur la liste de diffusion debian-" "security." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1195 msgid "Small note regarding some programs to automatically build chroot jails." msgstr "" "Petite note concernant quelques programmes pour construire automatiquement " "des prisons « chrootées »." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1198 msgid "" "New FAQ item regarding identd based on a discussion in the debian-security " "mailing list (February 2002, started by Johannes Weiss)." msgstr "" "Nouveau sujet de FAQ concernant identd d'après une discussion sur la liste " "de diffusion debian-security (février 2002, commencé par Johannes " "Weiss)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1201 msgid "" "New FAQ item regarding inetd based on a discussion in the " "debian-security mailing list (February 2002)." msgstr "" "Nouveau sujet de FAQ concernant inetd d'après une discussion " "sur la liste de diffusion debian-security (février 2002)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1203 msgid "Introduced note on rcconf in the \"disabling services\" section." msgstr "" "Ajout d'une note sur rcconf dans la section « désactivation des " "services »." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1205 msgid "Varied the approach regarding LKM, thanks to Philipe Gaspar." msgstr "Diverses approches concernant le LKM. Remerciements à Philipe Gaspar." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1206 msgid "Added pointers to CERT documents and Counterpane resources." msgstr "" "Ajout de liens vers les documents du CERT et les ressources Counterpane." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1209 msgid "Version 1.99" msgstr "Version 1.99" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1212 msgid "Added a new FAQ item regarding time to fix security vulnerabilities." msgstr "" "Ajout d'un nouveau sujet de FAQ concernant le temps de réaction à avoir pour " "corriger les failles de sécurité." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1213 msgid "Reorganized FAQ sections." msgstr "Réorganisation des sections de la FAQ." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1215 msgid "" "Started writing a section regarding firewalling in Debian GNU/Linux (could " "be broadened a bit)." msgstr "" "Début d'une section concernant les pare-feu dans Debian GNU/Linux (pourrait " "être un peu élargie)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1216 msgid "Fixed typos sent by Matt Kraai." msgstr "Corrections de fautes signalées par Matt Kraai." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1217 msgid "Fixed DNS information." msgstr "Correction sur les informations DNS." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1218 msgid "Added information on whisker and nbtscan to the auditing section." msgstr "Ajout d'informations sur whisker et nbtscan à la section audit." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1219 msgid "Fixed some wrong URLs." msgstr "Correction d'URL erronées." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1221 msgid "Version 1.98" msgstr "Version 1.98" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1224 msgid "Added a new section regarding auditing using Debian GNU/Linux." msgstr "" "Ajout d'une nouvelle section concernant l'utilisation de Debian GNU/Linux " "pour réaliser des audits." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1225 msgid "" "Added info regarding finger daemon taken from the security mailing list." msgstr "" "Ajout de renseignements sur le démon finger d'après la liste de diffusion " "debian-security." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1227 msgid "Version 1.97" msgstr "Version 1.97" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1230 msgid "Fixed link for Linux Trustees." msgstr "Correction du lien pour Linux Trustees." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1231 msgid "Fixed typos (patches from Oohara Yuuma and Pedro Zorzenon)." msgstr "Correction de fautes (correctifs d'Oohara Yuuma et Pedro Zorzenon)." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1234 msgid "Version 1.96" msgstr "Version 1.96" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1239 msgid "Reorganized service installation and removal and added some new notes." msgstr "" "Réorganisation de la section installation et suppression de services et " "ajout de nouvelles notes." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1242 msgid "" "Added some notes regarding using integrity checkers as intrusion detection " "tools." msgstr "" "Ajout de quelques notes concernant l'utilisation de vérificateurs " "d'intégrité comme outils de détection d'intrusion." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1244 msgid "Added a chapter regarding package signatures." msgstr "Ajout d'un chapitre concernant la signature de paquets." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1247 msgid "Version 1.95" msgstr "Version 1.95" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1252 msgid "Added notes regarding Squid security sent by Philipe Gaspar." msgstr "" "Ajout de notes concernant la sécurité de Squid envoyées par Philipe Gaspar." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1254 msgid "Fixed rootkit links thanks to Philipe Gaspar." msgstr "Correction de liens rootkit. Merci à Philipe Gaspar." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1257 msgid "Version 1.94" msgstr "Version 1.94" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1262 msgid "Added some notes regarding Apache and Lpr/lpng." msgstr "Ajout de quelques notes concernant Apache et Lpr/lpng." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1264 msgid "Added some information regarding noexec and read-only partitions." msgstr "Ajout d'informations concernant les partitions noexec et readonly." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1265 msgid "Rewrote how users can help in Debian security issues (FAQ item)." msgstr "" "Réécriture de la manière dont les utilisateurs peuvent aider aux problèmes " "liés à la sécurité Debian (sujet d'une FAQ)." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1268 msgid "Version 1.93" msgstr "Version 1.93" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1273 msgid "Fixed location of mail program." msgstr "Correction de l'emplacement du programme mail." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1274 en/intro.sgml:1288 msgid "Added some new items to the FAQ." msgstr "Ajout de nouveaux sujets à la FAQ." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1277 msgid "Version 1.92" msgstr "Version 1.92" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1282 msgid "Added a small section on how Debian handles security." msgstr "" "Ajout d'une petite section sur la manière dont Debian s'occupe de la " "sécurité." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1284 msgid "Clarified MD5 passwords (thanks to `rocky')." msgstr "Clarification sur les mots de passe MD5 (merci à « rocky »)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1286 msgid "Added some more information regarding harden-X from Stephen van Egmond." msgstr "" "Ajout d'informations concernant le renforcement de X par Stephen van Egmond." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1291 msgid "Version 1.91" msgstr "Version 1.91" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1296 msgid "Added some forensics information sent by Yotam Rubin." msgstr "" "Ajout d'informations sur l'analyse post-intrusion (forensics) envoyées par " "Yotam Rubin." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1298 msgid "Added information on how to build a honeynet using Debian GNU/Linux." msgstr "" "Ajout de renseignements sur la manière de mettre en place un « " "honeynet » en utilisant Debian GNU/Linux." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1300 msgid "Added some more TODOS." msgstr "Ajout de TODO supplémentaires." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1302 msgid "Fixed more typos (thanks Yotam!)." msgstr "Correction de nouvelles fautes (merci Yotam !)." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1305 msgid "Version 1.9" msgstr "Version 1.9" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1311 msgid "" "Added patch to fix misspellings and some new information (contributed by " "Yotam Rubin)." msgstr "" "Correction des « fautes d'orthographe » et nouvelles informations " "(contributions de Yotam Rubin)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1314 msgid "" "Added references to other online (and offline) documentation both in a " "section (see ) by itself and inline in some sections." msgstr "" "Ajout de liens vers d'autres documents en ligne (et hors ligne), à la fois " "dans une section dédiée (consultez ) et au fil de certaines sections." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1317 msgid "" "Added some information on configuring Bind options to restrict access to the " "DNS server." msgstr "" "Ajout d'informations sur la configuration d'options de BIND pour restreindre " "l'accès au serveur DNS." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1320 msgid "" "Added information on how to automatically harden a Debian system (regarding " "the harden package and bastille)." msgstr "" "Ajout d'informations sur la consolidation automatique d'un système Debian " "(par référence aux paquets harden et bastille)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1322 msgid "Removed some done TODOs and added some new ones." msgstr "Suppression de quelques TODO terminés et ajout de nouveaux." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1325 msgid "Version 1.8" msgstr "Version 1.8" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1331 msgid "" "Added the default user/group list provided by Joey Hess to the debian-" "security mailing list." msgstr "" "Ajout de la liste des utilisateurs et des groupes standards, donnée par Joey " "Hess à la liste de discussion debian-security." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1334 msgid "" "Added information on LKM root-kits () contributed by Philipe " "Gaspar." msgstr "" "Ajout d'informations sur les « rootkits » LKM () " "avec la contribution de Philipe Gaspar." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1336 msgid "Added information on Proftp contributed by Emmanuel Lacour." msgstr "" "Ajout d'informations sur ProFTPD avec la contribution d'Emmanuel Lacour." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1338 msgid "Recovered the checklist Appendix from Era Eriksson." msgstr "Rajout de l'annexe « pense-bête » d'Era Eriksson." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1340 msgid "Added some new TODO items and removed other fixed ones." msgstr "Ajout de nouveaux TODO et retrait de ceux terminés." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1343 msgid "" "Manually included Era's patches since they were not all included in the " "previous version." msgstr "" "Ajout manuel des correctifs d'Era car ils n'ont pas été inclus dans la " "version précédente." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1345 msgid "Version 1.7" msgstr "Version 1.7" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1346 msgid "Changes by Era Eriksson." msgstr "Modifications d'Era Eriksson." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1348 msgid "Typo fixes and wording changes." msgstr "Corrections de fautes de frappe et changements de formulation." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1353 msgid "" "Minor changes to tags in order to keep on removing the tt tags and " "substitute prgn/package tags for them." msgstr "" "Changements mineurs de balises : supprimer les balises tt et les " "remplacer par les balises prgn/package." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1356 msgid "Version 1.6" msgstr "Version 1.6" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1360 msgid "" "Added pointer to document as published in the DDP (should supersede the " "original in the near future)." msgstr "" "Ajout d'un lien sur le document publié dans le DDP (devrait à terme " "remplacer l'original)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1362 msgid "" "Started a mini-FAQ (should be expanded) with some questions recovered from " "my mailbox." msgstr "" "Démarrage d'une mini-FAQ (qui devrait être élargie) avec quelques questions " "récupérées depuis ma boîte de réception." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1363 msgid "Added general information to consider while securing." msgstr "Ajout d'informations générales concernant la sécurisation." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1364 msgid "Added a paragraph regarding local (incoming) mail delivery." msgstr "Ajout d'un paragraphe au sujet de la distribution de courriers locaux." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1365 msgid "Added some pointers to more information." msgstr "Ajout de quelques liens vers d'autres sources d'informations." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1366 msgid "Added information regarding the printing service." msgstr "Ajout d'informations sur le service d'impression." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1367 msgid "Added a security hardening checklist." msgstr "Ajout d'une liste de tâches sur le renforcement de la sécurité." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1368 msgid "Reorganized NIS and RPC information." msgstr "Réorganisation des informations sur NIS et RPC." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1370 msgid "Added some notes taken while reading this document on my new Visor :)." msgstr "" "Ajout de quelques notes lors de la lecture de ce document sur mon nouveau " "Visor :)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1371 msgid "Fixed some badly formatted lines." msgstr "Correction de certaines lignes mal formatées." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1374 msgid "Added a Genius/Paranoia idea contributed by Gaby Schilders." msgstr "" "Ajout d'une idée Géniale/Paranoïaque avec la contribution de Gaby Schilders." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1377 msgid "Version 1.5" msgstr "Version 1.5" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1379 msgid "Changes by Josip Rodin and Javier Fernández-Sanguino Peña." msgstr "Modifications de Josip Rodin et Javier Fernández-Sanguino Peña." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1383 msgid "Added paragraphs related to BIND and some FIXMEs." msgstr "Ajout de paragraphes concernant BIND et quelques FIXME." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1385 msgid "Version 1.4" msgstr "Version 1.4" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1387 msgid "Small setuid check paragraph" msgstr "Petit paragraphe sur la vérification des « setuid »" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1388 msgid "Various minor cleanups." msgstr "Différents nettoyages mineurs." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1390 msgid "Found out how to use sgml2txt -f for the txt version." msgstr "" "Découverte de la manière d'utiliser sgml2txt -f pour la version " "texte." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1393 msgid "Version 1.3" msgstr "Version 1.3" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1396 msgid "Added a security update after installation paragraph." msgstr "" "Ajout d'un paragraphe sur les mises à jour de sécurité après " "l'installation." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1397 msgid "Added a proftpd paragraph." msgstr "Ajout d'un paragraphe ProFTPD." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1398 msgid "This time really wrote something about XDM, sorry for last time." msgstr "" "Cette fois, quelque chose concernant XDM a réellement été écrit. Désolé pour " "la dernière fois." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1401 msgid "Version 1.2" msgstr "Version 1.2" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1405 msgid "Lots of grammar corrections by James Treacy, new XDM paragraph." msgstr "" "Beaucoup de corrections grammaticales de James Treacy, nouveau paragraphe " "XDM." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1408 msgid "Version 1.1" msgstr "Version 1.1" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1411 msgid "Typo fixes, miscellaneous additions." msgstr "Corrections de fautes de frappe, divers ajouts." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1414 msgid "Version 1.0" msgstr "Version 1.0" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1417 msgid "Initial release." msgstr "Première publication." #. type: #: securing-debian-howto.en.sgml:49 en/intro.sgml:1420 msgid "Credits and thanks!" msgstr "Remerciements" #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1424 msgid "Alexander Reelsen wrote the original document." msgstr "Alexander Reelsen qui a écrit le document original." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1426 msgid "Javier Fernández-Sanguino added more info to the original doc." msgstr "" "Javier Fernández-Sanguino qui a ajouté des informations au document original." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1428 msgid "" "Robert van der Meulen provided the quota paragraphs and many good ideas." msgstr "" "Robert van der Meulen pour les paragraphes sur les quotas ainsi que de " "nombreuses bonnes idées." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1430 msgid "Ethan Benson corrected the PAM paragraph and had some good ideas." msgstr "" "Ethan Benson qui a corrigé le paragraphe sur PAM et qui a eu quelques idées " "de qualité." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1433 msgid "Dariusz Puchalak contributed some information to several chapters." msgstr "" "Dariusz Puchalak qui a contribué aux informations de plusieurs chapitres." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1435 msgid "Gaby Schilders contributed a nice Genius/Paranoia idea." msgstr "Gaby Schilders qui a eu une idée Géniale/Paranoïaque sympathique." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1438 msgid "" "Era Eriksson smoothed out the language in a lot of places and contributed " "the checklist appendix." msgstr "" "Era Eriksson qui a éliminé les fautes de langage et qui a contribué à " "l'annexe « pense-bête »." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1440 msgid "Philipe Gaspar wrote the LKM information." msgstr "Philipe Gaspar qui a écrit les informations concernant LKM." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1443 msgid "" "Yotam Rubin contributed fixes for many typos as well as information " "regarding bind versions and MD5 passwords." msgstr "" "Yotam Rubin qui a contribué des correctifs pour de nombreuses fautes de " "frappe ainsi que les informations liées aux versions de BIND et aux mots de " "passe MD5." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1446 msgid "" "Francois Bayart provided the appendix describing how to set up a bridge " "firewall." msgstr "" "François Bayart pour l'annexe décrivant la mise en place d'un pont pare-feu." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1449 msgid "" "Joey Hess wrote the section describing how Secure Apt works on the ." msgstr "" "Joey Hess qui rédigea la section décrivant comment apt sécurisé fonctionne " "dans le ." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1452 msgid "" "Martin F. Krafft wrote some information on his blog regarding fingerprint " "verification which was also reused for the Secure Apt section." msgstr "" "Martin F. Krafft qui ajouta quelques informations dans son blog à propos de " "la vérification des empreintes digitales (fingerprint) et qui furent " "réutilisées dans la section sur apt sécurisé." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1456 msgid "" "Francesco Poli did an extensive review of the manual and provided quite a " "lot of bug reports and typo fixes which improved and helped update the " "document." msgstr "" "Francesco Poli qui fit une révision approfondie du manuel et fournit un " "grand nombre de rapports de bogue et de correctifs typographiques qui ont " "amélioré et aidé à mettre à jour le document." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1459 msgid "" "All the people who made suggestions for improvements that (eventually) were " "included here (see )." msgstr "" "Toutes les personnes qui m'ont suggéré des améliorations qui furent " "finalement incluses ici (consultez )." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1462 msgid "" "(Alexander) All the folks who encouraged me to write this HOWTO (which was " "later turned into a manual)." msgstr "" "Tous ceux qui m'ont encouragé (Alexander) à écrire ce HOWTO (qui devint plus " "tard ce manuel)." #. type:

#: securing-debian-howto.en.sgml:49 en/intro.sgml:1463 msgid "The whole Debian project." msgstr "Tout le projet Debian." #. type: #: securing-debian-howto.en.sgml:50 en/before-begin.sgml:6 msgid "Before you begin" msgstr "Avant de commencer" #. type: #: securing-debian-howto.en.sgml:50 en/before-begin.sgml:8 msgid "What do you want this system for?" msgstr "Que voulez-vous faire du système ?" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:14 msgid "" "Securing Debian is not very different from securing any other system; in " "order to do it properly, you must first decide what you intend to do with " "it. After this, you will have to consider that the following tasks need to " "be taken care of if you want a really secure system." msgstr "" "Sécuriser un système Debian n'est pas différent de la sécurisation d'un " "autre système. Afin de procéder correctement, vous devez tout d'abord " "décider quelle en sera l'utilisation. Ensuite, vous devez penser aux tâches " "à prendre en compte si vous désirez réellement sécuriser le système." #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:19 msgid "" "You will find that this manual is written from the bottom up, that is, you " "will read some information on tasks to do before, during and after you " "install your Debian system. The tasks can also be thought of as:" msgstr "" "Vous constaterez que ce manuel va du début à la fin, c'est-à-dire que vous " "trouverez des informations sur les tâches à réaliser avant, pendant et après " "l'installation du système Debian. Les tâches peuvent être découpées comme " "ceci :" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:25 msgid "" "Decide which services you need and limit your system to those. This includes " "deactivating/uninstalling unneeded services, and adding firewall-like " "filters, or tcpwrappers." msgstr "" "décider quels sont les services dont vous avez besoin et vous limiter à ceux-" "là. Cela comprend la désactivation ou la désinstallation des services " "inutiles et l'ajout de filtres de type pare-feu ou de tcpwrappers ;" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:27 msgid "Limit users and permissions in your system." msgstr "limiter les utilisateurs et les permissions sur le système ;" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:31 msgid "" "Harden offered services so that, in the event of a service compromise, the " "impact to your system is minimized." msgstr "" "consolider les services disponibles ; ainsi, même en cas d'intrusion, " "l'impact sur le système sera minimisé ;" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:34 msgid "" "Use appropriate tools to guarantee that unauthorized use is detected so that " "you can take appropriate measures." msgstr "" "utiliser des outils appropriés pour garantir qu'une utilisation non " "autorisée sera détectée et que vous pourrez prendre des mesures adéquates." #. type: #: securing-debian-howto.en.sgml:50 en/before-begin.sgml:38 msgid "Be aware of general security problems" msgstr "Être conscient des problèmes de sécurité" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:48 msgid "" "The following manual does not (usually) go into the details on why some " "issues are considered security risks. However, you might want to have a " "better background regarding general UNIX and (specific) Linux security. Take " "some time to read over security related documents in order to make informed " "decisions when you are encountered with different choices. Debian GNU/Linux " "is based on the Linux kernel, so much of the information regarding Linux, as " "well as from other distributions and general UNIX security also apply to it " "(even if the tools used, or the programs available, differ)." msgstr "" "Ce manuel n'explique généralement pas pourquoi certains problèmes sont " "considérés comme des risques pour la sécurité. Toutefois, vous pourriez " "désirer avoir une meilleure vision de la sécurité sur les systèmes UNIX et " "plus particulièrement le système Linux. Prenez le temps de consulter les " "documentations relatives à la sécurité afin que, confronté à différents " "choix, vous puissiez prendre des décisions éclairées. Debian GNU/Linux est " "basée sur le noyau Linux ; aussi, la plupart des informations " "concernant Linux, venant d'autres distributions ou d'UNIX en général, " "peuvent être appliquées (même si les outils utilisés ou les programmes " "disponibles diffèrent)." #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:50 msgid "Some useful documents include:" msgstr "Quelques documents utiles :" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:57 msgid "" "The (also available at ) is one of the best " "references regarding general Linux security." msgstr "" "Le (aussi disponible sur ) est une des " "meilleures références concernant la sécurité Linux." #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:62 msgid "" "The is also a very good starting point " "for novice users (both to Linux and security)." msgstr "" "Le est également une très " "bonne base pour les utilisateurs néophytes (aussi bien de Linux qu'en " "matière de sécurité)." #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:75 msgid "" "The is a complete guide that touches all the issues " "related to security in Linux, from kernel security to VPNs. Note that it has " "not been updated since 2001, but some information is still relevant. " "

At a given time it was superseded by the \"Linux Security " "Knowledge Base\". This documentation is also provided in Debian through the " "lskb package. Now it's back as the Lasg again." msgstr "" "Le est un guide complet qui englobe tous les problèmes " "de sécurité Linux, de la sécurité du noyau jusqu'aux VPN. Veuillez noter " "qu'il n'a pas été mis à jour depuis 2001, mais certaines informations " "peuvent encore être pertinentes.

Il a été remplacé à un moment " "donné par le « Linux Security Knowledge Base Â». Cette " "documentation est également disponible dans Debian par l'intermédiaire du " "paquet lskb. Il est à nouveau de retour en tant que le " "Lasg.

" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:79 msgid "" "Kurt Seifried's ." msgstr "" "Le de Kurt Seifried." #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:84 msgid "" "In you can find a similar " "document to this manual but related to Red Hat, some of the issues are not " "distribution-specific and also apply to Debian." msgstr "" "Dans vous pouvez trouver un " "document similaire à ce manuel, mais destiné à Red Hat ; certaines " "questions ne sont pas spécifiques à cette distribution et peuvent " "s'appliquer à Debian." #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:88 msgid "" "Another Red Hat related document is ." msgstr "" "Un autre document relié à Red Hat est ." #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:94 msgid "" "IntersectAlliance has published some documents that can be used as reference " "cards on how to harden Linux servers (and their services), the documents are " "available at ." msgstr "" "IntersectAlliance a publié des documents qui peuvent être utilisés comme " "fiches de référence sur la manière de consolider les serveurs Linux (et " "leurs services) ; ils sont disponibles sur ." #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:98 msgid "" "For network administrators, a good reference for building a secure network " "is the ." msgstr "" "Pour les administrateurs réseaux, une bonne référence pour bâtir un réseau " "sécurisé est le ." #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:106 msgid "" "If you want to evaluate the programs you are going to use (or want to build " "up some new ones) you should read the (master copy is " "available at , it " "includes slides and talks from the author, David Wheeler)" msgstr "" "Si vous voulez évaluer le programme que vous allez utiliser (ou en créer de " "nouveaux) vous devriez consulter le (le document de " "référence est disponible à , il inclut des présentations et des conférences de l'auteur, David " "Wheeler)." #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:113 msgid "" "If you are considering installing firewall capabilities, you should read the " " and the (for kernels previous to 2.4)." msgstr "" "Si vous pensez installer un pare-feu, vous devriez consulter le " "et le (pour les noyaux antérieurs au 2.4)." #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:117 msgid "" "Finally, a good card to keep handy is the ." msgstr "" "Finalement, une bonne fiche de référence à avoir sous la main est le ." #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:125 msgid "" "In any case, there is more information regarding the services explained here " "(NFS, NIS, SMB...) in many of the HOWTOs of the . Some of these documents " "speak on the security side of a given service, so be sure to take a look " "there too." msgstr "" "Dans tous les cas, vous trouverez plus d'informations concernant les " "services expliqués ici (NFS, NIS, SMB, etc.) dans les nombreux HOWTO du . " "Certains d'entre eux discutent de la sécurité d'un service donné, donc " "n'oubliez pas de jeter un œil là-dessus également." #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:133 msgid "" "The HOWTO documents from the Linux Documentation Project are available in " "Debian GNU/Linux through the installation of the doc-linux-text (text version) or doc-linux-html (HTML version). " "After installation these documents will be available at the /usr/share/" "doc/HOWTO/en-txt and /usr/share/doc/HOWTO/en-html " "directories, respectively." msgstr "" "Les documents HOWTO du Projet de documentation Linux sont disponibles dans " "Debian GNU/Linux avec l'installation des paquets doc-linux-text (version texte) ou doc-linux-html (version " "HTML). Après l'installation, ces documents seront respectivement disponibles " "dans les répertoires /usr/share/doc/HOWTO/en-txt et /usr/" "share/doc/HOWTO/en-html. De même, les versions françaises de ces " "documents sont disponibles dans les paquets doc-linux-fr-text (version texte) et doc-linux-fr-html (version " "HTML) qui seront respectivement disponibles dans les répertoires /usr/" "share/doc/HOWTO/fr-txt et /usr/share/doc/HOWTO/fr-html." #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:135 msgid "Other recommended Linux books:" msgstr "Autres livres Linux recommandés." #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:141 msgid "" "Maximum Linux Security : A Hacker's Guide to Protecting Your Linux Server " "and Network. Anonymous. Paperback - 829 pages. Sams Publishing. ISBN: " "0672313413. July 1999." msgstr "" "Maximum Linux Security : A Hacker's Guide to Protecting Your Linux " "Server and Network. Anonyme. Paperback - 829 pages. Sams Publishing. " "ISBN : 0672313413. Juillet 1999." #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:144 msgid "" "Linux Security By John S. Flowers. New Riders; ISBN: 0735700354. March 1999." msgstr "" "Linux Security par John S. Flowers. New Riders ; ISBN : 0735700354. " "Mars 1999." #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:148 msgid "" " By Brian Hatch. McGraw-Hill Higher Education. ISBN " "0072127732. April, 2001" msgstr "" " par Brian Hatch. McGraw-Hill Higher Education. ISBN : " "0072127732. Avril 2001." #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:153 msgid "" "Other books (which might be related to general issues regarding UNIX and " "security and not Linux specific):" msgstr "" "Livres divers (qui se rapportent à des questions générales concernant UNIX " "et la sécurité, non spécifiques à Linux)." #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:160 msgid "" " Garfinkel, Simpson, and " "Spafford, Gene; O'Reilly Associates; ISBN 0-56592-148-8; 1004pp; 1996." msgstr "" " Garfinkel, Simpson et Spafford, " "Gene ; O'Reilly Associates ; ISBN : 0-56592-148-8 ; 1004 pages ; 1996." #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:163 msgid "" "Firewalls and Internet Security Cheswick, William R. and Bellovin, Steven " "M.; Addison-Wesley; 1994; ISBN 0-201-63357-4; 320pp." msgstr "" "Firewalls and Internet Security Cheswick, William R. and Bellovin, Steven " "M. ; Addison-Wesley ; 1994 ; ISBN : 0-201-63357-4 ; 320 pages." #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:167 msgid "Some useful web sites to keep up to date regarding security:" msgstr "" "Quelques sites Internet utiles pour se tenir informé des questions de " "sécurité." #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:172 msgid "" "." msgstr "" "." #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:177 msgid "" " the server " "that hosts the Bugtraq vulnerability database and list, and provides general " "security information, news and reports." msgstr "" ", le " "serveur qui héberge la base de données des vulnérabilités Bugtraq ainsi que " "ses listes de discussions. Il fournit également des informations générales " "sur la sécurité ainsi que des actualités et des rapports." #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:184 msgid "" ". General " "information regarding Linux security (tools, news...). Most useful is the " " page." msgstr "" ". " "Informations générales concernant la sécurité Linux (outils, " "actualités, etc.). Le plus utile est la page de ." #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:189 msgid "" ". General information regarding Linux firewalls " "and tools to control and administrate them." msgstr "" ". Informations générales concernant les pare-" "feu Linux et les outils pour les contrôler et les administrer." #. type: #: securing-debian-howto.en.sgml:50 en/before-begin.sgml:192 msgid "How does Debian handle security?" msgstr "Comment Debian gère la sécurité ?" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:196 msgid "" "Just so you have a general overview of security in Debian GNU/Linux you " "should take note of the different issues that Debian tackles in order to " "provide an overall secure system:" msgstr "" "Tout comme vous avez une vue générale de la sécurité dans Debian GNU/Linux, " "vous devez connaître les différents problèmes auxquels Debian s'attaque afin " "de fournir un système sécurisé." #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:205 msgid "" "Debian problems are always handled openly, even security related. Security " "issues are discussed openly on the debian-security mailing list. Debian " "Security Advisories (DSAs) are sent to public mailing lists (both internal " "and external) and are published on the public server. As the " "states:" msgstr "" "Les problèmes Debian sont toujours traités ouvertement, même ceux liés à la " "sécurité. Les problèmes de sécurité sont abordés ouvertement sur la liste de " "discussions debian-security. Les bulletins de sécurité Debian (DSA - Debian " "Security Advisories) sont envoyés sur des listes de discussions publiques " "(internes et externes) et publiés sur des serveurs publics. Tel que déclaré " "dans le  :" #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:207 msgid "We will not hide problems" msgstr "Nous ne dissimulerons pas les problèmes." #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:211 msgid "" "We will keep our entire bug report database open for public view at all " "times. Reports that people file online will promptly become visible to " "others." msgstr "" "Nous conserverons l'intégralité de notre base de données de rapports de " "bogue accessible au public en tout temps. Les rapports que les utilisateurs " "remplissent en ligne seront rapidement visibles par les autres." #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:219 msgid "" "Debian follows security issues closely. The security team checks many " "security related sources, the most important being , on the lookout for " "packages with security issues that might be included in Debian." msgstr "" "Debian suit les problèmes de sécurité de très près. L'équipe en charge de la " "sécurité consulte les sources relatives à la sécurité, la plus importante " "étant , à la recherche de paquets possédant des problèmes de sécurité " "et qui pourraient être inclus dans Debian." #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:224 msgid "" "Security updates are the first priority. When a security problem arises in a " "Debian package, the security update is prepared as fast as possible and " "distributed for our stable, testing and unstable releases, including all " "architectures." msgstr "" "Les mises à jour liées à la sécurité sont la première priorité. Lorsqu'un " "problème survient dans un paquet Debian, la mise à jour est réalisée aussi " "vite que possible et elle est intégrée dans nos versions stable, " "testing et unstable pour toutes les architectures." #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:227 msgid "" "Information regarding security is centralized in a single point, ." msgstr "" "Les informations concernant la sécurité sont centralisées en un point " "unique, ." #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:231 msgid "" "Debian is always trying to improve the overall security of the distribution " "by starting new projects, such as automatic package signature verification " "mechanisms." msgstr "" "Debian essaie toujours d'améliorer la sécurité globale de la distribution en " "lançant de nouveaux projets, comme les vérifications automatiques des " "signatures de paquets." #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:238 msgid "" "Debian provides a number of useful security related tools for system " "administration and monitoring. Developers try to tightly integrate these " "tools with the distribution in order to make them a better suite to enforce " "local security policies. Tools include: integrity checkers, auditing tools, " "hardening tools, firewall tools, intrusion detection tools, etc." msgstr "" "Debian fournit de nombreux outils liés à la sécurité pour l'administration " "système et la surveillance. Les développeurs essayent de lier étroitement " "ces outils à la distribution de façon à créer un ensemble améliorant les " "règles locales de sécurité. Les outils disponibles sont : vérificateurs " "d'intégrité, outils d'audit, outils de consolidation, outils pour pare-feu, " "outils de détection d'intrusion, etc." #. type:

#: securing-debian-howto.en.sgml:50 en/before-begin.sgml:247 msgid "" "Package maintainers are aware of security issues. This leads to many " "\"secure by default\" service installations which could impose certain " "restrictions on their normal use. Debian does, however, try to balance " "security and ease of administration - the programs are not de-activated when " "you install them (as it is the case with say, the BSD family of operating " "systems). In any case, prominent security issues (such as setuid " "programs) are part of the ." msgstr "" "Les responsables de paquets sont sensibilisés aux problèmes de sécurité. Cela " "conduit à de nombreuses installations de service « sécurisé par " "défaut » ; cela peut parfois imposer certaines restrictions à une " "utilisation normale. Toutefois, Debian essaie d'équilibrer les problèmes de " "sécurité et la facilité d'administration : par exemple, les programmes " "ne sont pas installés en mode désactivé (comme c'est le cas avec la " "famille des systèmes d'exploitation BSD). Dans tous les cas, les " "problèmes de sécurité notables, tels les programmes setuid, sont abordés par la " "." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:3 msgid "" "By publishing security information specific to Debian and complementing " "other information-security documents related to Debian (see ), this document aims to produce better system installations " "security-wise." msgstr "" "En publiant des informations de sécurité spécifiques à Debian et en " "complétant d'autres documents d'informations sur la sécurité relatifs à " "Debian (consultez ), ce document a pour but de " "favoriser des installations de systèmes beaucoup mieux sécurisées." #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:6 msgid "Before and during the installation" msgstr "Avant et pendant l'installation" #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:7 msgid "Choose a BIOS password" msgstr "Choisir un mot de passe pour le BIOS" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:15 msgid "" "Before you install any operating system on your computer, set up a BIOS " "password. After installation (once you have enabled bootup from the hard " "disk) you should go back to the BIOS and change the boot sequence to disable " "booting from floppy, CD-ROM and other devices that shouldn't boot. Otherwise " "a cracker only needs physical access and a boot disk to access your entire " "system." msgstr "" "Avant d'installer un système d'exploitation sur l'ordinateur, créez un mot " "de passe pour le BIOS. Après l'installation (une fois que vous avez rendu " "possible un démarrage à partir du disque dur), retournez dans le BIOS et " "changez la séquence de démarrage afin de rendre impossible le démarrage à " "partir d'une disquette, d'un CD ou de tout autre périphérique qui ne devrait pas servir à l'amorçage. Sinon un " "pirate n'a besoin que d'un accès physique et d'une disquette de démarrage " "pour accéder au système complet."

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:20 msgid "" "Disabling booting unless a password is supplied is even better. This can be " "very effective if you run a server, because it is not rebooted very often. " "The downside to this tactic is that rebooting requires human intervention " "which can cause problems if the machine is not easily accessible." msgstr "" "Désactiver le démarrage sans mot de passe est une solution encore meilleure. " "Cela peut être très efficace pour un serveur car il n'est pas redémarré très " "souvent. L'inconvénient de cette méthode est que le redémarrage nécessite " "l'intervention d'une personne, ce qui peut poser des problèmes si la machine " "n'est pas facilement accessible." #. type:

# NOTE(review): a BIOS/firmware password only raises the bar for someone who already has physical access: besides vendor master passwords and recovery tools, it can usually be cleared with the CMOS-reset jumper or by removing the board battery. Treat it as one layer next to physical access control, a boot-loader password and full-disk encryption, not as a control on its own.
#: securing-debian-howto.en.sgml:51 en/before-install.sgml:25 msgid "" "Note: many BIOSes have well known default master passwords, and applications " "also exist to retrieve the passwords from the BIOS. Corollary: don't depend " "on this measure to secure console access to system." msgstr "" "Remarque : de nombreux BIOS ont des mots de passe maîtres par défaut bien connus " "et des applications existent également pour récupérer les mots de passe du " "BIOS. Corollaire : ne dépendez pas de cette mesure pour sécuriser " "l'accès à la console du système." #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:27 msgid "Partitioning the system" msgstr "Partitionner le système" #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:28 msgid "Choose an intelligent partition scheme" msgstr "Choisir un schéma de partitionnement intelligent" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:33 msgid "" "An intelligent partition scheme depends on how the machine is used. A good " "rule of thumb is to be fairly liberal with your partitions and to pay " "attention to the following factors:" msgstr "" "Un schéma de partitionnement intelligent dépend de l'utilisation de la " "machine. Une bonne règle est d'être assez large avec vos partitions et de " "faire attention aux facteurs suivants." #. type:

# NOTE(review): the hardlink protection works because a hard link cannot cross a filesystem boundary, so a user cannot pin a setuid binary from /usr or /bin into a world-writable directory that lives on another partition. On current kernels the fs.protected_hardlinks sysctl blocks the same trick even inside one filesystem (systemd's sysctl defaults normally set it to 1 — verify with `sysctl fs.protected_hardlinks`); separate partitions remain worthwhile for the disk-filling DoS and for per-mount nosuid/nodev/noexec options.
#: securing-debian-howto.en.sgml:51 en/before-install.sgml:57 msgid "" "Any directory tree which a user has write permissions to, such as e.g. " "/home, /tmp and /var/tmp/, should be " "on a separate partition. This reduces the risk of a user DoS by filling up " "your \"/\" mount point and rendering the system unusable (Note: this is not " "strictly true, since there is always some space reserved for root which a " "normal user cannot fill), and it also prevents hardlink attacks. " "

A very good example of this kind of attacks using /tmp is " "detailed in " "and " "(notice that the incident is Debian-related). It is basicly an attack in " "which a local user stashes away a vulnerable setuid application by " "making a hard link to it, effectively avoiding any updates (or removal) of " "the binary itself made by the system administrator. Dpkg was recently fixed " "to prevent this (see ) but other setuid binaries (not controlled by the package " "manager) are at risk if partitions are not setup correctly.

" msgstr "" "Les arborescences de répertoires modifiables par un utilisateur, telles que " "/home, /tmp et /var/tmp, doivent être " "sur des partitions distinctes. Cela réduit le risque qu'un déni de service " "provoqué par un utilisateur ne remplisse le point de montage « / Â» " "rendant ainsi le système inutilisable (remarque : ce n'est pas strictement " "vrai car il existe toujours un espace réservé au superutilisateur qu'un " "utilisateur normal ne pourra pas remplir) et cela empêche les attaques de " "liens directs (hardlinks).

Un très bon exemple de ce " "type d'attaque utilisant /tmp est détaillé dans et (notez que l'incident est lié à Debian). Il s'agit essentiellement d'une " "attaque dans laquelle un utilisateur local conserve une copie d'une " "application setuid vulnérable en créant un lien physique vers celle-ci, " "ce qui neutralise toute mise à jour (ou suppression) du binaire " "lui-même effectuée par l'administrateur du système. dpkg a été récemment " "corrigé pour empêcher cela (consultez le ), mais d'autres binaires setuid (non " "contrôlés par le gestionnaire de paquets) restent exposés si les partitions ne " "sont pas mises en place correctement.

" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:65 msgid "" "Any partition which can fluctuate, e.g. /var (especially /" "var/log) should also be on a separate partition. On a Debian system, " "you should create /var a little bit bigger than on other " "systems, because downloaded packages (the apt cache) are stored in /" "var/cache/apt/archives." msgstr "" "Toute partition qui peut fluctuer, par exemple /var (surtout " "/var/log) devrait être également sur une partition distincte. " "Sur un système Debian, vous devriez créer /var un petit peu " "plus grand que la normale car les paquets téléchargés (le cache d'apt) sont " "stockés dans /var/cache/apt/archives." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:71 msgid "" "Any partition where you want to install non-distribution software should be " "on a separate partition. According to the File Hierarchy Standard, this is " "/opt or /usr/local. If these are separate " "partitions, they will not be erased if you (have to) reinstall Debian itself." msgstr "" "Toute partition où vous voulez installer des logiciels ne faisant pas partie " "de la distribution devrait être sur une partition distincte. Selon la norme " "de hiérarchie des fichiers (FHS), c'est /opt ou /usr/" "local. Si ce sont des partitions distinctes, elles ne seront pas " "effacées si vous devez réinstaller Debian." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:75 msgid "" "From a security point of view, it makes sense to try to move static data to " "its own partition, and then mount that partition read-only. Better yet, put " "the data on read-only media. See below for more details." msgstr "" "D'un point de vue sécurité, il est souhaitable de mettre les données " "statiques sur une partition et de monter celle-ci en lecture seule. Encore " "mieux, mettre les données sur un périphérique en lecture seule. Voir ci-" "dessous pour plus d'informations." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:88 msgid "" "In the case of a mail server it is important to have a separate partition " "for the mail spool. Remote users (either knowingly or unknowingly) can fill " "the mail spool (/var/mail and/or /var/spool/mail). " "If the spool is on a separate partition, this situation will not render the " "system unusable. Otherwise (if the spool directory is on the same partition " "as /var) the system might have important problems: log entries " "will not be created, packages cannot be installed, and some programs might " "even have problems starting up (if they use /var/run)." msgstr "" "Dans le cas d'un serveur de courriers, il est important d'avoir une " "partition séparée pour le répertoire des courriers (spool). Les utilisateurs " "distants (soit consciemment, soit inconsciemment) peuvent remplir le " "répertoire des courriers (/var/mail ou /var/spool/mail). Si le répertoire est sur une partition séparée, cette situation ne " "rendra pas le système inutilisable. Sinon (si le répertoire est sur la même " "partition que /var), le système pourrait avoir d'importants " "problèmes : les entrées des journaux ne seront pas créées, aucun paquet " "ne pourra plus être installé et certains programmes pourraient même avoir " "des problèmes à être exécutés (s'ils utilisent /var/run)." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:96 msgid "" "Also, for partitions in which you cannot be sure of the needed space, " "installing Logical Volume Manager (lvm-common and the " "needed binaries for your kernel, this might be either lvm10, lvm6, or lvm5). Using " "lvm, you can create volume groups that expand multiple physical " "volumes." msgstr "" "Pour les partitions pour lesquelles vous ne pouvez pas être certain de la " "place nécessaire, installez Logical Volume Manager (lvm-common et les binaires nécessaires pour le noyau qui peuvent être " "lvm10, lvm6 ou lvm5). En utilisant lvm, vous pouvez créer des groupes de " "volumes répartis sur plusieurs volumes physiques." #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:98 msgid "Selecting the appropriate file systems" msgstr "Choisir les systèmes de fichiers appropriés" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:107 msgid "" "During the system partitioning you also have to decide which file system you " "want to use. The default file system

Since Debian GNU/Linux 4.0, " "codename etch

selected in the Debian installation " "for Linux partitions is ext3, a journaling file system. It is " "recommended that you always use a journaling file system, such as ext3, reiserfs, jfs or xfs, to minimize the " "problems derived from a system crash in the following cases:" msgstr "" "Pendant le partitionnement du système, vous devez également décider du " "système de fichiers à utiliser. Le système de fichiers choisi par " "défaut

Depuis Debian GNU/Linux 4.0, surnommée Etch. pendant l'installation de Debian pour les partitions Linux est " "ext3, un système de fichiers journalisé. Vous devriez toujours " "utiliser un système de fichiers journalisé comme ext3, " "reiserfs, jfs ou xfs pour réduire les problèmes " "découlant d'un plantage système dans les cas suivants :" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:114 msgid "" "for laptops in all the file systems installed. That way if you run out of " "battery unexpectedly or the system freezes due to a hardware issue (such as " "X configuration which is somewhat common) you will be less likely to lose " "data during a hardware reboot." msgstr "" "pour les portables pour tous les systèmes de fichiers installés. Ainsi, si " "la batterie se vide inopinément ou si le système se gèle à cause d'un " "problème matériel (comme pour la configuration de X, ce qui est assez " "courant), vous êtes moins susceptible de perdre des données pendant le " "redémarrage matériel." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:120 msgid "" "for production systems which store large amounts of data (like mail servers, " "ftp servers, network file systems...) it is recommended on these partitions. " "That way, in the event of a system crash, the server will take less time to " "recover and check the file systems, and data loss will be less likely." msgstr "" "pour les systèmes de production qui stockent des quantités importantes de " "données (comme les serveurs de courriers, les serveurs FTP, les systèmes de " "fichiers en réseau, etc.), cela est recommandé pour ces partitions. Ainsi, " "en cas de plantage du système, le serveur nécessitera moins de temps pour " "récupérer et vérifier le système de fichiers et une perte de données est " "moins probable." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:137 msgid "" "Leaving aside the performance issues regarding journalling file systems " "(since this can sometimes turn into a religious war), it is usually better " "to use the ext3 file system. The reason for this is that it is " "backwards compatible with ext2, so if there are any issues with the " "journalling you can disable it and still have a working file system. Also, " "if you need to recover the system with a bootdisk (or CD-ROM) you do not " "need a custom kernel. If the kernel is 2.4 or 2.6 ext3 support is " "already available, if it is a 2.2 kernel you will be able to boot the file " "system even if you lose journalling capabilities. If you are using other " "journalling file systems you will find that you might not be able to recover " "unless you have a 2.4 or 2.6 kernel with the needed modules built-in. If you " "are stuck with a 2.2 kernel on the rescue disk, it might be even more " "difficult to have it access reiserfs or xfs." msgstr "" "En laissant de côté les problèmes de performance concernant les systèmes de " "fichiers journalisés (cela pouvant parfois tourner à la guerre de religion), " "il est habituellement préférable d'utiliser le système de fichiers ext3. La raison pour cela est qu'il est rétrocompatible avec ext2, " "donc s'il y a un quelconque problème avec la journalisation, vous pouvez la " "désactiver et toujours avoir un système de fichiers fonctionnel. De plus, si " "vous avez besoin de récupérer le système avec une disquette d'amorçage (ou " "un CD), vous n'avez pas besoin d'un noyau personnalisé. Si le noyau est en " "version 2.4 ou 2.6, la prise en charge ext3 est déjà " "disponible, s'il s'agit d'un noyau 2.2, vous pourrez amorcer le système " "de fichiers même si vous n'aurez plus la capacité de journalisation. 
Si vous " "utilisez d'autres systèmes de fichiers, vous trouverez que vous ne pourrez " "pas effectuer de récupération à moins d'avoir un noyau 2.4 ou 2.6 avec " "les modules nécessaires inclus dans le noyau. Si vous êtes bloqué avec un " "noyau 2.2 sur la disquette de sauvegarde, cela pourrait même être " "encore plus difficile d'accéder à des partitions reiserfs ou " "xfs." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:141 msgid "" "In any case, data integrity might be better under ext3 since it " "does file-data journalling while others do only meta-data journalling, see " "." msgstr "" "Dans tous les cas, il est possible que l'intégrité des données soit " "meilleure avec ext3 car il fait de la journalisation des données " "par fichier alors que les autres ne font que de la journalisation par " "métadonnées, consultez ." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:147 msgid "" "Notice, however, that there are some partitions that might not benefit from " "using a journaling filesystem. For example, if you are using a separate " "partition for /tmp/ you might be better off using a standard " "ext2 filesystem as it will be cleaned up when the system boots." msgstr "" "Remarquez, néanmoins, que certaines partitions n'ont pas d'intérêt " "particulier à utiliser un système de fichiers journalisé. Par exemple, si " "vous utilisez une partition à part pour /tmp/, vous devriez " "plutôt utiliser un système de fichiers ext2 car elle sera nettoyée " "lors du démarrage du système." #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:149 msgid "Do not plug to the Internet until ready" msgstr "Ne pas se connecter à Internet tant que tout n'est pas prêt" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:155 msgid "" "The system should not be immediately connected to the Internet during " "installation. This could sound stupid but network installation is a common " "method. Since the system will install and activate services immediately, if " "the system is connected to the Internet and the services are not properly " "configured you are opening it to attack." msgstr "" "Le système ne devrait pas être connecté à Internet pendant l'installation. " "Cela peut paraître stupide mais il faut savoir que l'installation par le " "réseau est une méthode d'installation habituelle. Étant donné que le système " "va installer et activer les services immédiatement, si le système est " "connecté à Internet et que les services ne sont pas configurés correctement, " "vous les exposez à des attaques." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:161 msgid "" "Also note that some services might have security vulnerabilities not fixed " "in the packages you are using for installation. This is usually true if you " "are installing from old media (like CD-ROMs). In this case, the system could " "even be compromised before you finish installation!" msgstr "" "Il faut noter également que certains services peuvent avoir des trous de " "sécurité qui n'ont pas encore été corrigés dans les paquets que vous " "utilisez pour l'installation. C'est généralement vrai si vous installez " "depuis de vieux supports (comme des CD). Dans ce cas, il se peut que le " "système soit compromis avant même la fin de l'installation !" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:175 msgid "" "Since Debian installation and upgrades can be done over the Internet you " "might think it is a good idea to use this feature on installation. If the " "system is going to be directly connected to the Internet (and not protected " "by a firewall or NAT), it is best to install without connection to the " "Internet, using a local packages mirror for both the Debian package sources " "and the security updates. You can set up package mirrors by using another " "system connected to the Internet with Debian-specific tools (if it's a " "Debian system) like apt-move or apt-proxy, or other common mirroring tools, to provide the archive to the " "installed system. If you cannot do this, you can set up firewall rules to " "limit access to the system while doing the update (see )." msgstr "" "Étant donné que l'installation et les mises à jour peuvent être faites par " "Internet, vous pourriez penser que c'est une bonne idée d'utiliser cette " "caractéristique lors de l'installation. Si le système va être connecté " "directement à Internet (et pas protégé par un pare-feu ou un NAT), il est " "plus judicieux de l'installer sans connexion à Internet et d'utiliser un " "miroir local de paquets contenant à la fois les paquets source et les mises " "à jour de sécurité. Vous pouvez mettre en place des miroirs de paquets en " "utilisant un autre système connecté à Internet et des outils spécifiques à " "Debian (si c'est un système Debian) tels que apt-move ou " "apt-proxy ou tout autre outil de miroir pour fournir " "l'archive aux systèmes installés. Si vous ne pouvez pas faire cela, vous " "pouvez mettre en place des règles de pare-feu pour limiter l'accès au " "système pendant la mise à jour (consultez )." #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:176 msgid "Set a root password" msgstr "Définir un mot de passe pour le superutilisateur" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:183 msgid "" "Setting a good root password is the most basic requirement for having a " "secure system. See for some hints on " "how to create good passwords. You can also use an automatic password " "generation program to do this for you (see )." msgstr "" "Définir un bon mot de passe est la condition de base pour avoir un système " "sécurisé. Consultez pour quelques " "conseils pour créer de bons mots de passe. Vous pouvez également utiliser un " "générateur automatique de mots de passe pour faire cela pour vous (consultez " ")." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:194 msgid "" "Plenty of information on choosing good passwords can be found on the " "Internet; two that provide a decent summary and rationale are Eric Wolfram's " " and Walter Belgers' " msgstr "" "Beaucoup d'informations sur le choix de bons mots de passe peuvent être " "trouvées sur Internet ; deux URL qui fournissent un bon résumé et une " "argumentation sont les HOWTO d'Eric Wolfram et de Walter Belgers." #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:195 msgid "Activate shadow passwords and MD5 passwords" msgstr "Activer les mots de passe masqués et les mots de passe MD5" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:205 msgid "" "At the end of the installation, you will be asked if shadow passwords should " "be enabled. Answer yes to this question, so passwords will be kept in the " "file /etc/shadow. Only the root user and the group shadow have " "read access to this file, so no users will be able to grab a copy of this " "file in order to run a password cracker against it. You can switch between " "shadow passwords and normal passwords at any time by using shadowconfig." msgstr "" "À la fin de l'installation, il vous sera demandé si les mots de passe " "masqués doivent être activés. Répondez oui à cette question ; ainsi les " "mots de passe seront stockés dans le fichier /etc/shadow. Seul " "le superutilisateur et les membres du groupe shadow peuvent lire ce fichier, " "ainsi aucun utilisateur ne sera en mesure de récupérer une copie de ce " "fichier afin de le passer par un programme craqueur de mots de " "passe. Vous pouvez basculer entre les mots de passe masqués et les mots de " "passe normaux à n'importe quel moment en utilisant shadowconfig." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:211 msgid "" "Read more on shadow passwords in (/usr/share/doc/HOWTO/" "en-txt/Shadow-Password.txt.gz)." msgstr "" "Vous pouvez en apprendre davantage sur les mots de passe masqués dans le " " (/usr/share/doc/HOWTO/fr-txt/Shadow-Password.txt." "gz)." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:221 msgid "" "Furthermore, the installation uses MD5 hashed passwords per default. This is " "generally a very good idea since it allows longer passwords and better " "encryption. MD5 allows for passwords longer than 8 characters. This, if used " "wisely, can make it more difficult for attackers to brute-force the system's " "passwords. Regarding MD5 passwords, this is the default option when " "installing the latest passwd package. You can recognize " "MD5 passwords in the /etc/shadow file by their $1$ prefix." msgstr "" "De plus, l'installation utilise des mots de passe hachés avec MD5 par " "défaut. C'est généralement une bonne idée étant donné que cela permet des " "mots de passe plus longs et un meilleur chiffrement. MD5 permet des mots de " "passe de plus de 8 caractères. Cela peut, si c'est utilisé à bon escient, " "rendre plus difficiles les attaques par force brute sur les mots de passe " "système. Concernant les mots de passe MD5, il s'agit de l'option par défaut " "quand vous installez le paquet passwd. Vous pouvez " "reconnaître les mots de passe MD5 dans le fichier /etc/shadow " "par leur préfixe $1$." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:224 msgid "" "This, as a matter of fact, modifies all files under /etc/pam.d " "by substituting the password line and include md5 in it:" msgstr "" "Ceci modifie tous les fichiers sous /etc/pam.d en modifiant la " "ligne password en insérant md5 dans celle-ci :" #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:226 #, no-wrap msgid " password required pam_unix.so md5 nullok obscure min=6 max=16" msgstr " password required pam_unix.so md5 nullok obscure min=6 max=16" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:230 msgid "" "If max is not set over 8 the change will not be useful at all. For " "more information on this read ." msgstr "" "Si max n'est pas positionné à plus de 8, la modification ne sera " "pas utile du tout. Pour plus d'informations sur cela, consultez ." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:233 msgid "" "Note: the default configuration in Debian, even when activating MD5 " "passwords, does not modify the previously set max value." msgstr "" "Remarque : même quand les mots de passe MD5 sont activés, la " "configuration par défaut dans Debian ne modifie pas la valeur précédemment " "positionnée de max." #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:235 msgid "Run the minimum number of services required" msgstr "Administrer le nombre minimal de services nécessaires" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:241 msgid "" "Services are programs such as ftp servers and web servers. Since they have " "to be listening for incoming connections that request the service, " "external computers can connect to yours. Services are sometimes vulnerable " "(i.e. can be compromised under a given attack) and hence present a security " "risk." msgstr "" "Les services sont des programmes tels que les serveurs FTP et les serveurs " "web. Puisqu'ils doivent écouter les connexions entrantes qui " "demandent le service, des ordinateurs externes peuvent se connecter au " "vôtre. Les services sont parfois vulnérables (entendez par là qu'ils peuvent " "être compromis par certaines attaques) : ils créent des risques pour la " "sécurité." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:245 msgid "" "You should not install services which are not needed on your machine. Every " "installed service might introduce new, perhaps not obvious (or known), " "security holes on your computer." msgstr "" "Vous ne devriez pas installer les services dont vous n'avez pas besoin sur " "la machine. Chaque service installé peut introduire de nouveaux trous de " "sécurité, peu évidents ou inconnus, sur l'ordinateur." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:262 msgid "" "As you may already know, when you install a given service the default " "behavior is to activate it. In a default Debian installation, with no " "services installed, the number of running services is quite low and the " "number of network-oriented services is even lower. In a default Debian 3.1 " "standard installation you will end up with OpenSSH, Exim (depending on how " "you configured it) and the RPC portmapper available as network " "services

The footprint in Debian 3.0 and earlier releases wasn't " "as tight, since some inetd services were enabled by default. " "Also standard installations of Debian 2.2 installed the NFS server as well " "as the telnet server.

. If you did not go through a standard " "installation but selected an expert installation you can end up with no " "active network services. The RPC portmapper is installed by default because " "it is needed for many services, for example NFS, to run on a given system. " "However, it can be easily removed, see for more information " "on how to secure or disable RPC services." msgstr "" "Comme vous le savez sans doute déjà, lorsque vous installez un service, le " "comportement par défaut est de l'activer. Dans une installation Debian par " "défaut, sans service installé, le nombre de services actifs est assez faible " "et il est même plus faible quand on parle de services réseau. Dans une " "installation standard de Debian 3.1, les seuls services activés par " "défaut sont OpenSSH, Exim (selon la façon dont vous l'avez configuré) et le " "portmapper RPC comme services réseau

L'empreinte dans " "Debian 3.0 et les versions précédentes n'était pas aussi réduite car " "certains services inetd étaient activés par défaut. Les " "installations standard de Debian 2.2 installaient également le serveur " "NFS ainsi que le serveur TELNET.

. Si vous n'avez pas choisi " "l'installation standard, mais que vous avez sélectionné l'installation en " "mode expert, vous obtiendrez une installation avec aucun service réseau " "actif. Le portmapper RPC est installé par défaut car il est nécessaire pour " "beaucoup de services, par exemple NFS. Cependant, il peut facilement être " "retiré, consultez pour plus d'informations sur la façon de " "sécuriser ou de désactiver les services RPC." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:273 msgid "" "When you install a new network-related service (daemon) in your Debian GNU/" "Linux system it can be enabled in two ways: through the inetd " "superdaemon (i.e. a line will be added to /etc/inetd.conf) or " "through a standalone program that binds itself to your network interfaces. " "Standalone programs are controlled through the /etc/init.d " "files, which are called at boot time through the SysV mechanism (or an " "alternative one) by using symlinks in /etc/rc?.d/* (for more " "information on how this is done read /usr/share/doc/sysvinit/README." "runlevels.gz)." msgstr "" "Lorsque vous installez un nouveau service réseau (démon) sur le système " "Debian GNU/Linux, il peut être activé de deux façons : avec le " "superdémon inetd (une ligne sera ajoutée à /etc/inetd.conf) ou " "par un programme qui s'attache lui-même aux interfaces réseau. Ces " "programmes sont contrôlés par les fichiers /etc/init.d qui sont " "appelés lors du démarrage au moyen du mécanisme System V (ou un autre) en " "utilisant des liens symboliques dans /etc/rc?.d/* (pour plus " "d'informations sur la manière dont cela est fait, consultez /usr/share/" "doc/sysvinit/README.runlevels.gz)." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:285 msgid "" "If you want to keep some services but use them rarely, use the update-" "* commands, e.g. update-inetd and update-rc.d to remove them from the startup process. For more information on how " "to disable network services read . If you want to " "change the default behaviour of starting up services on installation of " "their associated packages

This is desirable if you are setting " "up a development chroot, for example.

use policy-rc.d, please read /usr/share/doc/sysv-rc/README.policy-rc.d.gz " "for more information." msgstr "" "Si vous voulez garder certains services tout en les utilisant rarement, " "utilisez les commandes update-*, par exemple update-" "inetd et update-rc.d pour les supprimer du processus de " "démarrage. Pour plus d'informations sur la façon de désactiver des services " "réseau, veuillez consulter . Si vous voulez changer " "le comportement par défaut de démarrage des services à l'installation de " "leur paquet associé

C'est pratique si vous mettez en place un " "chroot de développement, par exemple.

, utilisez policy-" "rc.d, veuillez consulter /usr/share/doc/sysv-rc/README.policy-" "rc.d.gz pour obtenir plus de renseignements." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:291 msgid "" "invoke-rc.d support is mandatory in Debian, which means that " "for Debian 4.0 etch and later releases you can write a policy-rc.d " "file that forbids starting new daemons before you configure them. Although " "no such scripts are packaged yet, they are quite simple to write. See " "policyrcd-script-zg2." msgstr "" "La prise en charge d'invoke-rc.d est obligatoire dans Debian, " "ce qui veut dire que pour Debian 4.0 Etch et versions suivantes, " "vous pouvez écrire un fichier policy-rc.d qui interdit le démarrage des " "nouveaux démons avant de les avoir configurés. Même si aucun de ces scripts " "n'est encore empaqueté, ils sont plutôt faciles à écrire. Consultez " "policyrcd-script-zg2." #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:293 msgid "Disabling daemon services" msgstr "Désactivation de services démon" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:305 msgid "" "Disabling a daemon service is quite simple. You either remove the package " "providing the program for that service or you remove or rename the startup " "links under /etc/rc${runlevel}.d/. If you rename them make sure " "they do not begin with 'S' so that they don't get started by /etc/init." "d/rc. Do not remove all the available links or the package management " "system will regenerate them on package upgrades, make sure you leave at " "least one link (typically a 'K', i.e. kill, link). For more information read " " section of the Debian " "Reference (Chapter 2 - Debian fundamentals)." msgstr "" "La désactivation d'un service démon est relativement simple. Vous pouvez " "soit supprimer le paquet fournissant le programme pour ce service, soit " "supprimer ou renommer les liens de démarrage sous /etc/rc${runlevel}.d/" ". Si vous les renommez, assurez-vous qu'ils ne commencent pas avec un " "« S » pour qu'ils ne soient pas démarrés par /etc/init.d/rc. Ne supprimez pas tous les liens disponibles ou le système de gestion " "des paquets les régénérera lors des mises à jour du paquet, assurez-vous de " "laisser au moins un lien (typiquement, un lien « K », « " "kill » pour tuer). Pour obtenir plus de renseignements, veuillez " "consulter la section de la référence Debian (chapitre 2 - fondamentaux de Debian)." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:309 msgid "" "You can remove these links manually or using update-rc.d (see " "). For example, you can disable a " "service from executing in the multi-user runlevels by doing:" msgstr "" "Vous pouvez supprimer ces liens manuellement ou en utilisant update-rc." "d (consultez ). Vous pouvez, " "par exemple, désactiver un service pour les niveaux d'exécution " "multiutilisateurs en faisant :" #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:311 #, no-wrap msgid " # update-rc.d name stop XX 2 3 4 5 ." msgstr " # update-rc.d nom stop XX 2 3 4 5 ." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:325 msgid "" "Where XX is a number that determines when the stop action for that " "service will be executed. Please note that, if you are not using " "file-rc, update-rc.d -f service remove will not work properly, since all links are removed, upon re-" "installation or upgrade of the package these links will be re-generated " "(probably not what you wanted). If you think this is not intuitive you are " "probably right (see ). From the manpage:" msgstr "" "Avec XX un nombre qui détermine quand l'action d'arrêt pour ce " "service sera exécutée. Veuillez noter que, si vous n'utilisez pas " "file-rc, update-rc.d -f service remove ne fonctionnera pas correctement car tous les liens sont " "supprimés, lors d'une réinstallation ou d'une mise à jour du paquet, ces " "liens seront régénérés (ce qui n'est probablement pas ce que vous voulez). " "Si vous pensez que cela n'est pas intuitif, vous avez probablement raison " "(consultez le ). D'après les pages de manuel :" #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:330 #, no-wrap msgid "" " If any files /etc/rcrunlevel.d/[SK]??name already exist then\n" " update-rc.d does nothing. This is so that the system administrator \n" " can rearrange the links, provided that they leave at least one\n" " link remaining, without having their configuration overwritten." msgstr "" " Si des fichiers /etc/rcrunlevel.d/[SK]??nom existent déjà,\n" " alors update-rc.d ne fait rien. C'est ainsi fait pour que\n" " l'administrateur système puisse réarranger les liens — à condition\n" " qu'il en reste au moins un — sans que sa configuration ne soit\n" " réécrite." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:336 msgid "" "If you are using file-rc all the information regarding " "services bootup is handled by a common configuration file and is maintained " "even if packages are removed from the system." msgstr "" "Si vous utilisez file-rc, toutes les informations " "concernant le démarrage des services sont gérées par un fichier de " "configuration commun et sont conservées même si les paquets sont retirés du " "système." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:343 msgid "" "You can use the TUI (Text User Interface) provided by sysv-rc-conf to do all these changes easily (sysv-rc-conf works " "both for file-rc and normal System V runlevels). You will " "also find similar GUIs for desktop systems. You can also use the command " "line interface of sysv-rc-conf:" msgstr "" "Vous pouvez utiliser l'interface texte (TUI, Text User Interface) fournie " "par sysv-rc-conf pour faire tous ces changements " "facilement (sysv-rc-conf fonctionne pour file-rc ainsi que pour les niveaux d'exécution normaux de type System V). " "Vous pouvez également trouver des interfaces graphiques similaires pour les " "systèmes de bureau. Vous pouvez aussi utiliser l'interface en ligne de " "commande de sysv-rc-conf :" #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:345 #, no-wrap msgid " # sysv-rc-conf foobar off" msgstr " # sysv-rc-conf bidule off" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:351 msgid "" "The advantage of using this utility is that the rc.d links are returned to " "the status they had before the 'off' call if you re-enable the service with:" msgstr "" "L'avantage, avec cet utilitaire, est que les liens rc.d sont remis dans " "l'état qu'ils avaient avant l'appel « off » si vous réactivez le service " "avec :" #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:353 #, no-wrap msgid " # sysv-rc-conf foobar on" msgstr " # sysv-rc-conf bidule on" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:358 msgid "Other (less recommended) methods of disabling services are:" msgstr "" "D'autres méthodes (moins recommandées) pour désactiver les services " "sont :" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:363 msgid "" "Removing the /etc/init.d/service_name script and " "removing the startup links using:" msgstr "" "suppression du script /etc/init.d/nom_service et " "suppression des liens de démarrage avec :" #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:365 #, no-wrap msgid " # update-rc.d name remove" msgstr " # update-rc.d nom remove" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:374 msgid "" "Move the script file (/etc/init.d/service_name) to " "another name (for example /etc/init.d/OFF.service_name). This will leave dangling symlinks under /etc/rc${runlevel}.d/ and will generate error messages when booting up the system." msgstr "" "déplacement du fichier script (/etc/init.d/nom_service) vers un autre nom (par exemple /etc/init.d/OFF." "nom_service). Cela laissera des liens symboliques non " "valables sous /etc/rc${runlevel}.d/ et générera des messages " "d'erreur au démarrage du système ;" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:378 msgid "" "Remove the execute permission from the /etc/init.d/service_name file. That will also generate error messages when booting." msgstr "" "suppression du droit d'exécution du fichier /etc/init.d/" "nom_service. Cela générera également des messages d'erreur " "au démarrage ;" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:384 msgid "" "Edit the /etc/init.d/service_name script to have it " "stop immediately once it is executed (by adding an exit 0 line " "at the beginning or commenting out the start-stop-daemon part in " "it). If you do this, you will not be able to use the script to startup the " "service manually later on." msgstr "" "édition du script /etc/init.d/nom_service pour qu'il " "s'arrête immédiatement lorsqu'il est exécuté (en ajoutant une ligne " "exit 0 au début ou en commentant la partie start-stop-" "daemon dans celui-ci). Si vous procédez de cette façon, vous ne pourrez " "plus utiliser le script pour démarrer le service vous-même plus tard." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:390 msgid "" "Nevertheless, the files under /etc/init.d are configuration " "files and should not get overwritten due to package upgrades if you have " "made local changes to them." msgstr "" "Cependant, les fichiers sous /etc/init.d sont des fichiers de " "configuration et ne devraient pas être écrasés lors des mises à jour de " "paquet si vous y avez fait des modifications locales." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:394 msgid "" "Unlike other (UNIX) operating systems, services in Debian cannot be disabled " "by modifying files in /etc/default/service_name." msgstr "" "Contrairement à d'autres systèmes d'exploitation (UNIX), les services dans " "Debian ne peuvent pas être désactivés en modifiant les fichiers dans /" "etc/default/nom_service." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:397 msgid "" "FIXME: Add more information on handling daemons using file-rc." msgstr "" "FIXME : Ajouter des informations sur la gestion des démons par " "file-rc." #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:398 msgid "Disabling inetd or its services" msgstr "Désactivation d'inetd ou de ses services" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:408 msgid "" "You should check if you really need the inetd daemon nowadays. " "Inetd was always a way to compensate for kernel deficiencies, but those have " "been taken care of in modern Linux kernels. Denial of Service possibilities " "exist against inetd (which can increase the machine's load " "tremendously), and many people always preferred using stand-alone daemons " "instead of calling services via inetd. If you still want to run " "some kind of inetd service, then at least switch to a more " "configurable Inet daemon like xinetd, rlinetd or " "openbsd-inetd." msgstr "" "Vous devriez vérifier si vous avez vraiment besoin du démon inetd de nos jours. inetd a toujours été un moyen de compenser " "des déficiences du noyau, mais celles-ci ont été corrigées dans les noyaux " "Linux modernes. Des possibilités de déni de service existent avec " "inetd (qui peut augmenter énormément la charge de la machine) " "et de nombreuses personnes préfèrent utiliser des démons indépendants au " "lieu d'appeler des services avec inetd. Si vous voulez toujours " "exécuter un service du genre d'inetd, tournez-vous plutôt vers " "un démon inetd plus configurable comme xinetd, rlinetd ou openbsd-inetd." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:416 msgid "" "You should stop all unneeded Inetd services on your system, like echo, chargen, discard, daytime, " "time, talk, ntalk and r-services " "(rsh, rlogin and rcp) which are " "considered HIGHLY insecure (use ssh instead)." msgstr "" "Vous devriez arrêter tous les services inetd non nécessaires sur le système, " "comme echo, chargen, discard, " "daytime, time, talk, ntalk et les r-services (services à distance) (rsh, " "rlogin et rcp) qui sont considérés comme " "EXTRÊMEMENT dangereux (utilisez ssh à la place)." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:423 msgid "" "You can disable services by editing /etc/inetd.conf directly, " "but Debian provides a better alternative: update-inetd (which " "comments the services in a way that it can easily be turned on again). You " "could remove the telnet daemon by executing this commands to " "change the config file and to restart the daemon (in this case the " "telnet service is disabled):" msgstr "" "Vous pouvez désactiver les services en modifiant directement /etc/" "inetd.conf, mais Debian offre un meilleur moyen : update-" "inetd (qui commente les services de manière à ce qu'ils puissent être " "facilement réactivés). Vous pouvez supprimer le démon telnet en " "exécutant cette commande pour changer le fichier de configuration et " "redémarrer le démon (dans ce cas le service est désactivé) :" #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:425 #, no-wrap msgid " /usr/sbin/update-inetd --disable telnet" msgstr "/usr/sbin/update-inetd --disable telnet" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:434 msgid "" "If you do want services listening, but do not want to have them listen on " "all IP addresses of your host, you might want to use an undocumented feature " "on inetd (replace service name with service@ip syntax) or use " "an alternative inetd daemon like xinetd." msgstr "" "Si vous désirez des services en attente, mais qui n'écoutent pas sur toutes " "les adresses IP de l'hôte, vous voudrez peut-être utiliser des fonctions non " "documentées d'inetd (remplacez des noms de service avec la " "syntaxe service@ip) ou utilisez un autre démon tel que xinetd." #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:436 msgid "Install the minimum amount of software required" msgstr "Installer le minimum de logiciels nécessaires" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:455 msgid "" "Debian comes with a lot of software, for example the Debian 3.0 " "woody release includes 6 or 7 (depending on architecture) CD-ROMs " "of software and thousands of packages, and the Debian 3.1 sarge " "release ships with around 13 CD-ROMs of software. With so much software, and " "even if the base system installation is quite reduced

For " "example, in Debian woody it is around 400-500 Mbs, try this: $ " "size=0 $ for i in `grep -A 1 -B 1 \"^Section: base\" /var/lib/dpkg/available " "| grep -A 2 \"^Priority: required\" |grep \"^Installed-Size\" |cut -d : -f 2 " "`; do size=$(($size+$i)); done $ echo $size 47762

" "you might get carried away and install more than is really needed for your " "system." msgstr "" "Debian est fournie avec une grande quantité de logiciels, par " "exemple, Debian 3.0 Woody inclut 6 ou 7 (selon les " "architectures) CD de logiciels et des milliers de paquets et la " "version 3.1 fournit environ 13 CD de logiciels. Avec autant de " "logiciels et même si l'installation du système de base est assez réduite " "

Par exemple, dans Debian Woody, elle est d'environ 400 " "à 500 Mo, essayez ceci : $ size=0 $ for i in `grep -A 1 -" "B 1 \"^Section: base\" /var/lib/dpkg/available | grep -A 2 \"^Priority: " "required\" |grep \"^Installed-Size\" |cut -d : -f 2 `; do size=$(($size+" "$i)); done $ echo $size 47762

vous pourriez vous " "laisser entraîner et installer plus de logiciels qu'il n'est vraiment " "nécessaire sur le système." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:462 msgid "" "Since you already know what the system is for (don't you?) you should only " "install software that is really needed for it to work. Any unnecessary tool " "that is installed might be used by a user that wants to compromise the " "system or by an external intruder that has gotten shell access (or remote " "code execution through an exploitable service)." msgstr "" "Comme vous connaissez déjà l'utilisation du système (n'est-ce pas ?), " "vous ne devez installer que les logiciels qui sont vraiment nécessaires à " "son fonctionnement. Tout outil non nécessaire installé pourrait être utilisé " "par un utilisateur qui voudrait compromettre le système ou par un intrus " "externe qui aurait obtenu un accès à l'interpréteur de commandes (ou par " "exécution de code à distance grâce à un service exploitable)." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:467 msgid "" "The presence, for example, of development utilities (a C compiler) or " "interpreted languages (such as perl - but see below -, " "python, tcl...) may help an attacker compromise " "the system even further:" msgstr "" "La présence, par exemple, d'outils de développement (un compilateur C) ou de " "langages interprétés (comme perl – voir ci-" "dessous – python, tcl, etc.) pourrait aider " "un attaquant à compromettre le système un peu plus :" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:472 msgid "" "allowing him to do privilege escalation. It's easier, for example, to run " "local exploits in the system if there is a debugger and compiler ready to " "compile and test them!" msgstr "" "lui permettre d'augmenter ses droits. Il est plus facile, par exemple, " "d'exploiter localement le système si un débogueur et un compilateur sont " "prêts à les compiler et à les tester !" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:481 msgid "" "providing tools that could help the attacker to use the compromised system " "as a base of attack against other systems.

Many " "intrusions are made just to get access to resources to do illegitimate " "activity (denial of service attacks, spam, rogue ftp servers, dns " "pollution...) rather than to obtain confidential data from the compromised " "system.

" msgstr "" "fournir des outils qui pourraient aider l'attaquant à utiliser le système " "compromis comme une base d'attaque contre d'autres systèmes." "

Beaucoup d'intrusions ne sont faites que pour avoir accès aux " "ressources pour effectuer des activités illégales (attaques de déni de " "service, envoi d'indésirables, serveurs FTP illicites, pollution de " "DNS, etc.) plus que pour obtenir des données confidentielles du système " "compromis.

" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:493 msgid "" "Of course, an intruder with local shell access can download his own set of " "tools and execute them, and even the shell itself can be used to make " "complex programs. Removing unnecessary software will not help prevent the problem but will make it slightly more difficult for an attacker to " "proceed (and some might give up in this situation looking for easier " "targets). So, if you leave tools in a production system that could be used " "to remotely attack systems (see ) you can expect an " "intruder to use them too if available." msgstr "" "Bien sûr, un intrus ayant un accès local à l'interpréteur de commandes peut " "télécharger son propre jeu d'outils et les exécuter, et l'interpréteur de " "commandes peut lui-même être utilisé pour créer des programmes complexes. " "Supprimer les logiciels non nécessaires ne va pas aider à prévenir " "le problème, mais cela rendra la tâche un peu plus difficile pour un " "attaquant (et certains pourraient abandonner dans cette situation et aller " "chercher des cibles plus faciles). Ainsi, si vous laissez des outils sur un " "système de production qui peuvent être utilisés pour attaquer des systèmes à " "distance (consultez ), vous pouvez vous attendre à ce " "qu'un intrus les utilise également s'ils sont disponibles." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:501 msgid "" "Please notice that a default installation of Debian sarge (i.e. an " "installation where no individual packages are selected) will install a " "number of development packages that are not usually needed. This is because " "some development packages are of Standard priority. If you are not " "going to do any development you can safely remove the following packages " "from your system, which will also help free up some space:" msgstr "" "Veuillez noter qu'une installation par défaut de Debian Sarge " "(c'est-à-dire une installation pour laquelle aucun paquet individuel n'est " "sélectionné) installera un certain nombre d'outils de développement qui ne " "sont habituellement pas nécessaires. Cela vient du fait que certains paquets " "de développement sont de priorité Standard. Si vous ne comptez pas " "faire de développement, vous pouvez supprimer ces paquets du système sans " "inquiétude, ce qui devrait également aider à libérer de la place :" #. 
type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:520 #, no-wrap msgid "" "Package Size\n" "------------------------+--------\n" "gdb 2,766,822\n" "gcc-3.3 1,570,284\n" "dpkg-dev 166,800\n" "libc6-dev 2,531,564\n" "cpp-3.3 1,391,346\n" "manpages-dev 1,081,408\n" "flex 257,678\n" "g++ 1,384 (Note: virtual package)\n" "linux-kernel-headers 1,377,022\n" "bin86 82,090\n" "cpp 29,446\n" "gcc 4,896 (Note: virtual package)\n" "g++-3.3 1,778,880\n" "bison 702,830\n" "make 366,138\n" "libstdc++5-3.3-dev 774,982" msgstr "" "Paquet Taille\n" "------------------------+--------\n" "gdb 2,766,822\n" "gcc-3.3 1,570,284\n" "dpkg-dev 166,800\n" "libc6-dev 2,531,564\n" "cpp-3.3 1,391,346\n" "manpages-dev 1,081,408\n" "flex 257,678\n" "g++ 1,384 (Note : paquet virtuel)\n" "linux-kernel-headers 1,377,022\n" "bin86 82,090\n" "cpp 29,446\n" "gcc 4,896 (Note : paquet virtuel)\n" "g++-3.3 1,778,880\n" "bison 702,830\n" "make 366,138\n" "libstdc++5-3.3-dev 774,982" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:530 msgid "" "This is something that is fixed in releases post-sarge, see and " ". Due to a bug in the installation system this did not " "happen when installing with the installation system of the Debian 3.0 " "woody release." msgstr "" "Ce problème est corrigé dans les versions après Sarge, consultez le " " et le . À cause d'un " "bogue dans le système d'installation, cela ne se produisait pas lors de " "l'installation de Debian 3.0 Woody." #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:532 msgid "Removing Perl" msgstr "Supprimer Perl" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:542 msgid "" "You must take into account that removing perl might not be too " "easy (as a matter of fact it can be quite difficult) in a Debian system " "since it is used by many system utilities. Also, the perl-base is Priority: required (that about says it all). It's still " "doable, but you will not be able to run any perl application in " "the system; you will also have to fool the package management system to " "think that the perl-base is installed even if it's not. " "

You can make (on another system) a dummy package with " "equivs.

" msgstr "" "Vous devez prendre en compte qu'enlever perl peut ne pas être " "très simple (en fait, cela peut être assez difficile) sur un système Debian " "car il est utilisé par beaucoup d'outils système. Le paquet perl-" "base est également Priority: required (ce qui veut tout " "dire). C'est tout de même faisable, mais vous ne pourrez pas exécuter " "d'applications perl sur le système ; vous devrez également " "tromper le système de gestion des paquets pour lui faire croire que le " "paquet perl-base est installé même si ce n'est pas le " "cas.

Vous pouvez créer (sur un autre système) un paquet bidon " "avec equivs.

" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:544 msgid "Which utilities use perl? You can see for yourself:" msgstr "" "Quels outils utilisent perl ? Vous pouvez vous en rendre " "compte vous-même :" #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:547 #, no-wrap msgid "" " $ for i in /bin/* /sbin/* /usr/bin/* /usr/sbin/*; do [ -f $i ] && {\n" " type=`file $i | grep -il perl`; [ -n \"$type\" ] && echo $i; }; done" msgstr "" " $ for i in /bin/* /sbin/* /usr/bin/* /usr/sbin/*; do [ -f $i ] && {\n" " type=`file $i | grep -il perl`; [ -n \"$type\" ] && echo $i; }; done" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:552 msgid "" "These include the following utilities in packages with priority " "required or important:" msgstr "" "Ceux-ci incluent les outils suivants des paquets de priorité requis " "ou important :" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:556 msgid "" "/usr/bin/chkdupexe of package util-linux." msgstr "" "/usr/bin/chkdupexe du paquet util-linux." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:559 msgid "/usr/bin/replay of package bsdutils." msgstr "/usr/bin/replay du paquet bsdutils." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:562 msgid "/usr/sbin/cleanup-info of package dpkg." msgstr "/usr/sbin/cleanup-info du paquet dpkg." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:565 msgid "/usr/sbin/dpkg-divert of package dpkg." msgstr "/usr/sbin/dpkg-divert du paquet dpkg." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:568 msgid "" "/usr/sbin/dpkg-statoverride of package dpkg." msgstr "" "/usr/sbin/dpkg-statoverride du paquet dpkg." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:571 msgid "/usr/sbin/install-info of package dpkg." msgstr "/usr/sbin/install-info du paquet dpkg." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:574 msgid "" "/usr/sbin/update-alternatives of package dpkg." msgstr "" "/usr/sbin/update-alternatives du paquet dpkg." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:577 msgid "" "/usr/sbin/update-rc.d of package sysvinit." msgstr "" "/usr/sbin/update-rc.d du paquet sysvinit." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:580 msgid "/usr/bin/grog of package groff-base." msgstr "/usr/bin/grog du paquet groff-base." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:583 msgid "/usr/sbin/adduser of package adduser." msgstr "/usr/sbin/adduser du paquet adduser." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:586 msgid "" "/usr/sbin/debconf-show of package debconf." msgstr "" "/usr/sbin/debconf-show du paquet debconf." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:589 msgid "/usr/sbin/deluser of package adduser." msgstr "/usr/sbin/deluser du paquet adduser." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:592 msgid "" "/usr/sbin/dpkg-preconfigure of package debconf." msgstr "" "/usr/sbin/dpkg-preconfigure du paquet debconf." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:595 msgid "" "/usr/sbin/dpkg-reconfigure of package debconf." msgstr "" "/usr/sbin/dpkg-reconfigure du paquet debconf." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:598 msgid "/usr/sbin/exigrep of package exim." msgstr "/usr/sbin/exigrep du paquet exim." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:601 msgid "/usr/sbin/eximconfig of package exim." msgstr "/usr/sbin/eximconfig du paquet exim." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:604 msgid "/usr/sbin/eximstats of package exim." msgstr "/usr/sbin/eximstats du paquet exim." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:607 msgid "" "/usr/sbin/exim-upgrade-to-r3 of package exim." msgstr "" "/usr/sbin/exim-upgrade-to-r3 du paquet exim." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:610 msgid "/usr/sbin/exiqsumm of package exim." msgstr "/usr/sbin/exiqsumm du paquet exim." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:613 msgid "/usr/sbin/keytab-lilo of package lilo." msgstr "/usr/sbin/keytab-lilo du paquet lilo." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:616 msgid "/usr/sbin/liloconfig of package lilo." msgstr "/usr/sbin/liloconfig du paquet lilo." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:619 msgid "" "/usr/sbin/lilo_find_mbr of package lilo." msgstr "" "/usr/sbin/lilo_find_mbr du paquet lilo." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:622 msgid "" "/usr/sbin/syslogd-listfiles of package sysklogd." msgstr "" "/usr/sbin/syslogd-listfiles du paquet sysklogd." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:625 msgid "" "/usr/sbin/syslog-facility of package sysklogd." msgstr "" "/usr/sbin/syslog-facility du paquet sysklogd." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:628 msgid "" "/usr/sbin/update-inetd of package netbase." msgstr "" "/usr/sbin/update-inetd du paquet netbase." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:635 msgid "" "So, without Perl and, unless you remake these utilities in shell script, you " "will probably not be able to manage any packages (so you will not be able to " "upgrade the system, which is not a Good Thing)." msgstr "" "Donc, sans Perl et à moins que vous ne réécriviez ces outils en script " "shell, vous ne pourrez probablement pas gérer de paquets (vous ne pourrez " "donc pas mettre à jour le système, ce qui n'est pas une Bonne Chose)." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:640 msgid "" "If you are determined to remove Perl from the Debian base system, and you " "have spare time, submit bug reports to the previous packages including (as a " "patch) replacements for the utilities above written in shell script." msgstr "" "Si vous êtes déterminé à enlever Perl du système de base Debian et si vous " "avez du temps libre, créez des rapports de bogue sur les paquets précédents " "en incluant un remplacement (sous forme de correctif) écrit en script shell " "aux outils ci-dessus." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:642 msgid "" "If you wish to check out which Debian packages depend on Perl you can use" msgstr "" "Si vous désirez vérifier quels paquets Debian dépendent de Perl, vous pouvez " "utiliser :" #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:644 #, no-wrap msgid "$ grep-available -s Package,Priority -F Depends perl" msgstr "$ grep-available -s Package,Priority -F Depends perl" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:647 msgid "or" msgstr "ou" #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:649 #, no-wrap msgid "$ apt-cache rdepends perl" msgstr "$ apt-cache rdepends perl" #. type: #: securing-debian-howto.en.sgml:51 en/before-install.sgml:653 msgid "Read the Debian security mailing lists" msgstr "Consulter les listes de discussions Debian sur la sécurité" #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:659 msgid "" "It is never wrong to take a look at either the debian-security-announce " "mailing list, where advisories and fixes to released packages are announced " "by the Debian security team, or at , where you can participate in discussions about things related " "to Debian security." msgstr "" "Cela ne fait pas de mal de jeter un œil à la liste de discussion " "debian-security-announce, où des alertes et des solutions pour les paquets " "sont annoncés par l'équipe sécurité de Debian, ou sur la liste , où vous pouvez participer aux " "discussions à propos de différentes choses liées à la sécurité Debian." #. type:

#: securing-debian-howto.en.sgml:51 en/before-install.sgml:667 msgid "" "In order to receive important security update alerts, send an email to with the word " "\"subscribe\" in the subject line. You can also subscribe to this moderated " "email list via the web page at ." msgstr "" "De façon à recevoir les alertes importantes concernant les mises à jour " "liées à la sécurité, envoyez un courriel à avec le mot « subscribe » dans le " "sujet du courrier. Vous pouvez également vous inscrire à cette liste sur la " "page web sur ." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:3 msgid "" "This mailing list has very low volume, and by subscribing to it you will be " "immediately alerted of security updates for the Debian distribution. This " "allows you to quickly download new packages with security bug fixes, which " "is very important in maintaining a secure system (see for details on how to do this)." msgstr "" "Cette liste de discussion a très peu de trafic, et en vous inscrivant vous " "serez tenu au courant des mises à jour pour la distribution Debian. Cela " "vous permet de télécharger rapidement les nouveaux paquets avec correction " "des bogues de sécurité, ce qui est relativement important dans le maintien " "d'un système sécurisé (consultez pour obtenir " "plus de précisions)." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:5 msgid "After installation" msgstr "Après l'installation" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:12 msgid "" "Once the system is installed you can still do more to secure the system; " "some of the steps described in this chapter can be taken. Of course this " "really depends on your setup but for physical access prevention you should " "read ,,, , and ." msgstr "" "Une fois que le système est installé, vous pouvez encore en faire plus pour " "sécuriser le système ; certaines des étapes décrites ci-dessous peuvent " "être effectuées. Bien sûr, cela dépend vraiment de la configuration, mais " "pour prévenir un accès physique, vous devriez consulter , , , et ." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:17 msgid "" "Before connecting to any network, especially if it's a public one you " "should, at the very least, execute a security update (see ). Optionally, you could take a snapshot of your system (see )." msgstr "" "Avant de vous connecter à tout réseau, particulièrement s'il s'agit d'un " "réseau public, vous devriez, au minimum, faire une mise à jour de sécurité " "(consultez ). Vous pourriez facultativement " "faire un instantané du système (consultez )." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:19 msgid "Subscribe to the Debian Security Announce mailing list" msgstr "S'abonner à la liste de diffusion Debian Security Announce" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:26 msgid "" "In order to receive information on available security updates you should " "subscribe yourself to the debian-security-announce mailing list in order to " "receive the Debian Security Advisories (DSAs). See for more information on how the Debian security team works. For " "information on how to subscribe to the Debian mailing lists read ." msgstr "" "Pour recevoir des informations sur les mises à jour de sécurité disponibles, " "vous devriez vous abonner à la liste de diffusion debian-security-announce " "pour recevoir les bulletins de sécurité de Debian

Debian " "Security Advisories (DSA).

. Consultez pour plus d'informations sur le fonctionnement de l'équipe en charge " "de la sécurité Debian. Pour des informations sur l'inscription aux listes de " "diffusion Debian, consultez ." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:29 msgid "" "DSAs are signed with the Debian Security Team's signature which can be " "retrieved from ." msgstr "" "Les DSA sont signées avec la clef de l'équipe de sécurité Debian qui peut " "être récupérée sur ." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:37 msgid "" "You should consider, also, subscribing to the for general " "discussion on security issues in the Debian operating system. You will be " "able to contact other fellow system administrators in the list as well as " "Debian developers and upstream developers of security tools who can answer " "your questions and offer advice." msgstr "" "Vous devriez également envisager de vous abonner à la " "pour des discussions générales sur les problèmes de sécurité dans le système " "d'exploitation Debian. Vous pourrez entrer en contact avec d'autres " "administrateurs système ainsi qu'avec des développeurs Debian et des " "développeurs amont d'outils de sécurité qui pourront répondre à vos " "questions et proposer leurs conseils." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:39 msgid "FIXME: Add the key here too?" msgstr "FIXME : Ajouter la clef ici également ?" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:41 msgid "Execute a security update" msgstr "Faire une mise à jour de sécurité" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:46 msgid "" "As soon as new security bugs are detected in packages, Debian maintainers " "and upstream authors generally patch them within days or even hours. After " "the bug is fixed, a new package is provided on ." msgstr "" "Dès que de nouveaux bogues de sécurité sont décelés dans les paquets, les " "responsables Debian et les auteurs amont les corrigent généralement dans les " "journées ou les heures suivantes. Une fois le bogue résolu, un nouveau " "paquet est fourni sur ." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:52 msgid "" "If you are installing a Debian release you must take into account that since " "the release was made there might have been security updates after it has " "been determined that a given package is vulnerable. Also, there might have " "been minor releases (there have been four for the Debian 3.0 sarge " "release) which include these package updates." msgstr "" "Si vous installez une version de Debian, vous devez prendre en compte le " "fait qu'il a pu y avoir des mises à jour de sécurité depuis la parution, à " "chaque fois qu'une vulnérabilité a été découverte dans un paquet. Ainsi, des " "révisions mineures (il y en a eu quatre dans la version Debian 3.0 " "Sarge) incluent ces mises à jour de paquets." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:58 msgid "" "During installation security updates are configured for your system and " "pending updates downloaded and applied, unless you specifically opt out of " "this or the system was not connected to the Internet. The updates are " "applied even before the first boot, so the new system starts its life as up " "to date as possible." msgstr "" "Pendant l'installation, les mises à jour de sécurité sont configurées sur le " "système, et les mises à jour en attente sont téléchargées et appliquées, " "sauf indication contraire ou si le système n'est pas connecté à Internet. " "Les mises à jour sont appliquées avant même le premier démarrage, de telle " "sorte que le nouveau système commence sa vie aussi à jour que possible." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:63 msgid "" "To manually update the system, put the following line in your sources." "list and you will get security updates automatically, whenever you " "update your system. Replace [CODENAME] with the release codename, e." "g. squeeze." msgstr "" "Pour mettre à jour vous-même le système, ajoutez la ligne suivante dans le " "sources.list et vous recevrez les mises à jour de sécurité " "automatiquement quand vous mettrez à jour le système. Remplacez [NOM] par le nom de la version, par exemple squeeze." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:65 #, no-wrap msgid " deb http://security.debian.org/ [CODENAME]/updates main contrib non-free" msgstr " deb http://security.debian.org/ [NOM]/updates main contrib non-free" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:70 msgid "" "Note: If you are using the testing branch use the security " "testing mirror sources as described in ." msgstr "" "Remarque : si vous utilisez la distribution testing, " "utilisez les sources du miroir de sécurité de testing conformément à ." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:83 msgid "" "Once you've done this you can use multiple tools to upgrade your system. If " "you are running a desktop system you will have

In etch " "and later releases

an application called update-" "notifier that will make it easy to check if new updates are " "available, by selecting it you can make a system upgrade from the desktop " "(using update-manager). For more information see . In desktop environments you can also use " "synaptic (GNOME), kpackage or " "adept (KDE) for more advanced interfaces. If you are " "running a text-only terminal you can use aptitude, " "apt or dselect (deprecated) to upgrade:" msgstr "" "Après avoir fait cela, plusieurs outils vous permettent de mettre à niveau " "le système. S'il s'agit d'un ordinateur de bureau, une application appelée " "update-notifier

Depuis Etch.

permet de vérifier facilement si de nouvelles mises à niveau sont " "disponibles. En choisissant cela, vous pouvez faire les mises à niveau " "depuis le bureau (en utilisant update-manager). Pour obtenir " "plus de renseignements, veuillez consulter . Dans " "les environnements de bureau, vous pouvez aussi utiliser synaptic (GNOME), kpackage ou adept " "(KDE) pour des interfaces plus avancées. Si le système ne possède qu'un " "terminal texte, vous pouvez utiliser aptitude, " "apt ou dselect (obsolète) pour mettre " "à niveau." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:87 msgid "" "If you want to use aptitude's text interface you just " "have to press u (update) followed by g (to upgrade). Or " "just do the following from the command line (as root):" msgstr "" "Si vous voulez utiliser l'interface texte d'aptitude, il " "suffit d'appuyer sur u (mise à jour) suivi de g (pour " "mettre à niveau). Vous pouvez aussi utiliser simplement la ligne de commande " "(en tant que superutilisateur) :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:90 #, no-wrap msgid "" "# aptitude update\n" "# aptitude upgrade" msgstr "" "# aptitude update\n" "# aptitude upgrade" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:95 msgid "" "If you want to use apt do just like with aptitude but " "substitute the aptitude lines above with apt-get." msgstr "" "Si vous voulez utiliser apt, il suffit de faire comme " "pour aptitude, mais en remplaçant aptitude des " "lignes précédentes par apt-get." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:97 msgid "" "If you want to use dselect then first [U]pdate, then [I]" "nstall and finally, [C]onfigure the installed/upgraded packages." msgstr "" "Si vous voulez utiliser dselect, choisissez tout d'abord " "mise à jo[U]r, puis [I]nstaller et enfin [C]onfigurer pour mettre à jour et " "installer les paquets." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:103 msgid "" "If you like, you can add the deb-src lines to /etc/apt/sources.list as well. See for further details." msgstr "" "Si vous le voulez, vous pouvez ajouter également les lignes deb-src à /" "etc/apt/sources.list. Consultez " "pour plus de détails." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:105 msgid "Security update of libraries" msgstr "Mise à jour de sécurité des bibliothèques" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:115 msgid "" "Once you have executed a security update you might need to restart some of " "the system services. If you do not do this, some services might still be " "vulnerable after a security upgrade. The reason for this is that daemons " "that are running before an upgrade might still be using the old libraries " "before the upgrade

Even though the libraries have been removed " "from the filesystem the inodes will not be cleared up until no program has " "an open file descriptor pointing to them.

. In order to detect " "which daemons might need to be restarted you can use the checkrestart program (available in the debian-goodies package) " "or use this one liner

Depending on your lsof version you might " "need to use $8 instead of $9

(as root):" msgstr "" "Une fois que vous avez exécuté une mise à jour de sécurité, il se peut que " "vous deviez redémarrer certains des services système. Si vous ne faites pas " "cela, certains services pourraient encore être vulnérables après une mise à " "jour de sécurité. La raison pour cela est que les démons qui fonctionnent " "avec une mise à jour peuvent encore utiliser les anciennes bibliothèques " "après la mise à jour

Bien que les bibliothèques aient été " "supprimées du système de fichiers, aucun inœud ne sera nettoyé tant qu'un " "programme a encore un descripteur de fichier pointant dessus.

. Pour détecter quels démons peuvent devoir être redémarrés, vous " "pouvez utiliser le programme checkrestart (disponible dans le " "paquet debian-goodies) ou utiliser cette ligne de " "commande

En fonction de la version de lsof, vous pourriez avoir " "besoin de remplacer $9 par $8.

(en tant que superutilisateur)" " :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:117 #, no-wrap msgid "# lsof | grep <the_upgraded_library> | awk '{print $1, $9}' | uniq | sort -k 1" msgstr "" "# lsof | grep <la_bibliothèque_mise_à_niveau> \\\n" " | awk '{print $1, $9}' | uniq | sort -k 1" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:125 msgid "" "Some packages (like libc6) will do this check in the " "postinst phase for a limited set of services specially since an upgrade of " "essential libraries might break some applications (until restarted)" "

This happened, for example, in the upgrade from libc6 2.2.x to " "2.3.x due to NSS authentication issues, see .

." msgstr "" "Certains paquets (comme libc6) feront cette vérification " "dans la phase de postinstallation pour un nombre limité de services, en " "particulier car une mise à jour de bibliothèques essentielles peut casser " "certaines applications (avant leur redémarrage)

Cela s'est " "produit, par exemple, dans la mise à jour de la libc6 2.2.x à la 2.3.x " "à cause de problèmes d'authentification NSS, consultez .." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:130 msgid "" "Bringing the system to run level 1 (single user) and then back to run level " "3 (multi user) should take care of the restart of most (if not all) system " "services. But this is not an option if you are executing the security " "upgrade from a remote connection (like ssh) since it will be severed." msgstr "" "Faire passer le système en niveau d'exécution 1 (utilisateur seul), " "puis ensuite au niveau d'exécution 3 (multiutilisateur) devrait " "entraîner le redémarrage de la plupart (si ce n'est tous) des services " "système. Mais cela n'est pas envisageable si vous exécutez la mise à jour de " "sécurité depuis une connexion distante (comme SSH) car celle-ci serait alors " "interrompue." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:136 msgid "" "Excercise caution when dealing with security upgrades if you are doing them " "over a remote connection like ssh. A suggested procedure for a security " "upgrade that involves a service restart is to restart the SSH daemon and " "then, inmediately, attempt a new ssh connection without breaking the " "previous one. If the connection fails, revert the upgrade and investigate " "the issue." msgstr "" "Apportez le plus grand soin lors des mises à jour de sécurité si vous les " "réalisez depuis une connexion à distance comme SSH. Une procédure suggérée " "pour une mise à jour de sécurité qui implique un redémarrage de services est " "de redémarrer le démon SSH, puis immédiatement de tenter une nouvelle " "connexion SSH sans interrompre la précédente. Si la connexion échoue, " "annulez la mise à jour et analysez le problème." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:139 msgid "Security update of the kernel" msgstr "Mise à jour de sécurité du noyau" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:145 msgid "" "First, make sure your kernel is being managed through the packaging system. " "If you have installed using the installation system from Debian 3.0 or " "previous releases, your kernel is not integrated into the packaging " "system and might be out of date. You can easily confirm this by running:" msgstr "" "Assurez-vous tout d'abord que le noyau est géré par le système de gestion " "des paquets. Si vous l'avez installé en utilisant le système d'installation " "de Debian 3.0 ou de versions précédentes, le noyau n'est pas " "intégré dans le système de gestion des paquets et pourrait être obsolète. " "Vous pouvez facilement confirmer cela en exécutant :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:148 #, no-wrap msgid "" "$ dpkg -S `readlink -f /vmlinuz`\n" "linux-image-2.6.18-4-686: /boot/vmlinuz-2.6.18-4-686" msgstr "" "$ dpkg -S `readlink -f /vmlinuz`\n" "linux-image-2.6.18-4-686: /boot/vmlinuz-2.6.18-4-686" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:168 msgid "" "If your kernel is not being managed you will see a message saying that the " "package manager did not find the file associated to any package instead of " "the message above, which says that the file associated to the current " "running kernel is being provided by the linux-image-2.6.18-4-686. So first, you will need to manually install a kernel image " "package. The exact kernel image you need to install depends on your " "architecture and your prefered kernel version. Once this is done, you will " "be able to manage the security updates of the kernel just like those of any " "other package. In any case, notice that the kernel updates will only be done for kernel updates of the same kernel version you are using, " "that is, apt will not automatically upgrade your kernel from " "the 2.4 release to the 2.6 release (or from the 2.4.26 release to the 2.4.27 " "release

Unless you have installed a kernel metapackage like " "linux-image-2.6-686 which will always pull in the latest " "kernel minor revision for a kernel release and a given architecture.

)." msgstr "" "Si le noyau n'est pas géré, vous verrez un message indiquant que le " "gestionnaire de paquets n'a pas trouvé le fichier associé à un paquet au " "lieu du message ci-dessus, qui dit que le fichier associé au noyau " "actuellement en fonctionnement est fourni par le paquet linux-" "image-2.6.18-4-686. Dans le premier cas, vous devrez installer " "manuellement un paquet d'image de noyau. L'image exacte du noyau que vous " "devez installer dépend de l'architecture et de la version de noyau préférée. " "Une fois fait, vous pourrez gérer les mises à jour de sécurité du noyau " "comme pour tout autre paquet. Dans tous les cas, notez que les mises à jour " "du noyau ne seront faites que pour la même version du noyau que " "celui que vous utilisez, c'est-à-dire que apt ne va pas mettre " "à jour automatiquement le noyau de la version 2.4 à la version 2.6 " "(ou de la version 2.4.26 à la version 2.4.27

Sauf si " "vous avez installé un métapaquet de noyau comme linux-" "image-2.6-686 qui va toujours tirer la dernière révision mineure " "de noyau pour une version de noyau et une architecture donnée.

)." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:172 msgid "" "The installation system of recent Debian releases will handle the selected " "kernel as part of the package system. You can review which kernels you have " "installed by running:" msgstr "" "Le système d'installation des dernières versions de Debian gérera le noyau " "sélectionné comme partie du système de gestion des paquets. Vous pouvez " "vérifier quels noyaux sont installés en exécutant :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:174 #, no-wrap msgid "$ COLUMNS=150 dpkg -l 'linux-image*' | awk '$1 ~ /ii/ { print $0 }'" msgstr "$ COLUMNS=150 dpkg -l 'linux-image*' | awk '$1 ~ /ii/ { print $0 }'" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:178 msgid "To see if your kernel needs to be updated run:" msgstr "Pour voir si le noyau doit être mis à jour, exécutez :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:188 #, no-wrap msgid "" "$ kernfile=`readlink -f /vmlinuz`\n" "$ kernel=`dpkg -S $kernfile | awk -F : '{print $1}'`\n" "$ apt-cache policy $kernel\n" "linux-image-2.6.18-4-686:\n" " Installed: 2.6.18.dfsg.1-12\n" " Candidate: 2.6.18.dfsg.1-12\n" " Version table:\n" " *** 2.6.18.dfsg.1-12 0\n" " 100 /var/lib/dpkg/status" msgstr "" "$ kernfile=`readlink -f /vmlinuz`\n" "$ kernel=`dpkg -S $kernfile | awk -F : '{print $1}'`\n" "$ apt-cache policy $kernel\n" "linux-image-2.6.32-5-686:\n" " Installé : 2.6.32-35\n" " Candidat : 2.6.32-35\n" " Table de version :\n" " *** 2.6.32-35\n" " 100 /var/lib/dpkg/status" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:198 msgid "" "If you are doing a security update which includes the kernel image you " "need to reboot the system in order for the security update to be " "useful. Otherwise, you will still be running the old (and vulnerable) kernel " "image." msgstr "" "Si vous effectuez une mise à jour de sécurité incluant l'image du noyau, " "vous devez redémarrer le système pour que la mise à jour de " "sécurité soit utile. Sinon, vous utiliserez encore l'ancienne image de noyau " "(vulnérable)." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:222 msgid "" "If you need to do a system reboot (because of a kernel upgrade) you should " "make sure that the kernel will boot up correctly and network connectivity " "will be restored, specially if the security upgrade is done over a remote " "connection like ssh. For the former you can configure your boot loader to " "reboot to the original kernel in the event of a failure (for more detailed " "information read ). For " "the latter you have to introduce a network connectivity test script that " "will check if the kernel has started up the network subsystem properly and " "reboot the system if it did not

A sample script called is available in the article. " "A more elaborate network connectivity testing script is available in the " " article.

. This should prevent nasty " "surprises like updating the kernel and then realizing, after a reboot, that " "it did not detect or configure the network hardware properly and you need to " "travel a long distance to bring the system up again. Of course, having the " "system serial console

Setting up a serial console is beyond the " "scope of this document, for more information read the and the .

in the system connected to " "a console or terminal server should also help debug reboot issues remotely." msgstr "" "Si vous devez effectuer un redémarrage du système (à cause d'une mise à jour " "du noyau), vous devriez vous assurer que le noyau démarrera correctement et " "que la connectivité réseau sera restaurée, particulièrement si la mise à " "jour de sécurité est réalisée depuis une connexion à distance comme SSH. " "Pour le premier point, vous pouvez configurer le chargeur d'amorçage pour " "redémarrer l'ancien noyau en cas d'échec (pour des informations plus " "détaillées, veuillez consulter (en anglais) ). Pour le second point, vous devez introduire un script de test " "de connectivité réseau qui vérifiera si le noyau a lancé le sous-système " "réseau correctement et qui redémarrera le système si ce n'est pas le " "cas

Un exemple d'un tel script appelé est " "disponible dans l'article . Un " "script de test de connectivité réseau plus élaboré est disponible dans " "l'article .

. Cela devrait éviter des " "surprises désagréables comme une mise à jour du noyau en réalisant après un " "redémarrage qu'il n'a pas détecté ou configuré le matériel réseau " "correctement et que vous devez parcourir une longue distance pour relancer à " "nouveau le système. Bien sûr, avoir la console série

Configurer " "une console série est en dehors du cadre de ce document, pour plus " "d'informations, veuillez consulter le et le .

du système connectée à une console ou un " "serveur de terminal devrait également aider à déboguer à distance les " "problèmes de redémarrage." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:228 msgid "Change the BIOS (again)" msgstr "Changer le BIOS (à nouveau)" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:235 msgid "" "Remember ? Well, then you should now, once you do " "not need to boot from removable media, to change the default BIOS setup so " "that it only boots from the hard drive. Make sure you will not lose " "the BIOS password, otherwise, in the event of a hard disk failure you will " "not be able to return to the BIOS and change the setup so you can recover it " "using, for example, a CD-ROM." msgstr "" "Vous vous souvenez de  ? Eh bien, vous devriez " "maintenant, une fois que vous n'avez plus besoin de démarrer à partir d'un " "support amovible, changer la configuration par défaut du BIOS pour qu'il ne " "puisse démarrer que depuis le disque dur. Assurez-vous de ne pas " "perdre le mot de passe BIOS, sinon, en cas de défaillance du disque dur, " "vous ne pourrez pas retourner dans le BIOS et modifier la configuration pour " "le récupérer en utilisant, par exemple, un CD." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:240 msgid "" "Another less secure but more convenient way is to change the setup to have " "the system boot up from the hard disk and, if it fails, try removable media. " "By the way, this is often done because most people don't use the BIOS " "password that often; it's easily forgotten." msgstr "" "Un autre moyen moins sécurisé, mais plus pratique est de changer la " "configuration pour que le système s'amorce depuis le disque dur et, si cela " "échoue, d'essayer un support amovible. À propos, c'est ainsi fait parce que " "la plupart des personnes n'utilisent pas le mot de passe BIOS très " "souvent ; il est facilement oublié." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:241 msgid "Set a LILO or GRUB password" msgstr "Attribuer un mot de passe à LILO ou GRUB" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:248 msgid "" "Anybody can easily get a root-shell and change your passwords by entering " "<name-of-your-bootimage> init=/bin/sh at the boot prompt. " "After changing the passwords and rebooting the system, the person has " "unlimited root-access and can do anything he/she wants to the system. After " "this procedure you will not have root access to your system, as you do not " "know the root password." msgstr "" "N'importe qui peut obtenir facilement une invite de commandes " "superutilisateur et changer les mots de passe en entrant à l'invite " "d'amorçage <nom-de-l-image-d-amorçage> init=/bin/sh. Après le " "changement du mot de passe et le redémarrage du système, la personne a un " "accès superutilisateur illimité et peut faire tout ce qu'elle veut sur le " "système. Après cela, vous n'aurez plus d'accès superutilisateur sur la " "machine, étant donné que vous ne connaîtrez pas le mot de passe." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:252 msgid "" "To make sure that this cannot happen, you should set a password for the boot " "loader. You can choose between a global password or a password for a certain " "image." msgstr "" "Pour être sûr que cela ne puisse pas se produire, vous devriez attribuer un " "mot de passe au démarrage. Vous avez le choix entre un mot de passe global " "et un mot de passe par image." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:256 msgid "" "For LILO you need to edit the config file /etc/lilo.conf and " "add a password and restricted line as in the example below." msgstr "" "Pour LILO, vous avez besoin d'éditer le fichier /etc/lilo.conf " "et ajouter les lignes password ainsi que restricted comme " "dans l'exemple suivant." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:262 #, no-wrap msgid "" " image=/boot/2.2.14-vmlinuz\n" " label=Linux\n" " read-only\n" " password=hackme\n" " restricted" msgstr "" " image=/boot/2.2.14-vmlinuz\n" " label=Linux\n" " read-only\n" " password=piratemoi\n" " restricted" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:272 msgid "" "Then, make sure that the configuration file is not world readable to prevent " "local users from reading the password. When done, rerun lilo. Omitting the " "restricted line causes lilo to always prompt for a password, " "regardless of whether LILO was passed parameters. The default permissions " "for /etc/lilo.conf grant read and write permissions to root, " "and enable read-only access for lilo.conf's group, root." msgstr "" "Puis, assurez-vous que le fichier de configuration n'est pas lisible par " "tout le monde pour empêcher des utilisateurs locaux de lire le mot de passe. " "Une fois terminé, relancez lilo. Omettre la ligne restricted " "entraîne une attente de mot de passe, en dépit des paramètres passés à LILO. " "Les permissions par défaut pour le fichier /etc/lilo.conf " "accordent au superutilisateur les droits de lecture et d'écriture et " "permettent un accès en lecture seule pour le groupe de configuration de " "lilo.conf, à savoir root." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:279 msgid "" "If you use GRUB instead of LILO, edit /boot/grub/menu.lst and " "add the following two lines at the top (substituting, of course hackme with the desired password). This prevents users from editing the boot " "items. timeout 3 specifies a 3 second delay before grub boots the default item." msgstr "" "Si vous utilisez GRUB plutôt que LILO, éditez /boot/grub/menu.lst et ajoutez les deux lignes suivantes en début (en remplaçant, bien " "sûr, piratemoi par le mot de passe désiré). Cela empêche les " "utilisateurs d'éditer les options de démarrage. timeout 3 indique " "un délai de 3 secondes avant que grub démarre l'option par " "défaut." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:282 #, no-wrap msgid "" " timeout 3\n" " password hackme" msgstr "" " timeout 3\n" " password piratemoi" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:290 msgid "" "To further harden the integrity of the password, you may store the password " "in an encrypted form. The utility grub-md5-crypt generates a " "hashed password which is compatible with GRUB's encrypted password algorithm " "(MD5). To specify in grub that an MD5 format password will be " "used, use the following directive:" msgstr "" "Pour aller plus loin dans le durcissement de l'intégrité du mot de passe, " "vous pourriez entreposer le mot de passe sous une forme chiffrée. " "L'utilitaire grub-md5-crypt génère un hachage de mot de passe " "qui est compatible avec l'algorithme du mot de passe GRUB (MD5). Pour " "indiquer à grub qu'un mot de passe au format MD5 va être " "utilisé, utilisez la directive suivante :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:293 #, no-wrap msgid "" " timeout 3\n" " password --md5 $1$bw0ez$tljnxxKLfMzmnDVaQWgjP0" msgstr "" " timeout 3\n" " password --md5 $1$T/vfEWUQ$t8xoW.5kp3nbqc1zOwa3W1" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:301 msgid "" "The --md5 parameter was added to instruct grub to perform the " "MD5 authentication process. The provided password is the MD5 encrypted " "version of hackme. Using the MD5 password method is preferable to choosing " "its clear-text counterpart. More information about grub " "passwords may be found in the grub-doc package." msgstr "" "Le paramètre --md5 a été ajouté pour informer grub d'effectuer " "la procédure d'authentification md5. Le mot de passe fourni est la version " "MD5 chiffrée de piratemoi. L'utilisation de la méthode MD5 pour le mot de " "passe est préférable à la méthode précédente dont le mot de passe est en " "clair. Plus d'informations concernant les mots de passe grub " "sont disponibles dans le paquet grub-doc." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:303 msgid "Disable root prompt on the initramfs" msgstr "Désactivation de l'invite superutilisateur de l'initramfs" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:306 msgid "" "Note: This applies to the default kernels provided for releases after Debian " "3.1" msgstr "" "Note : cela s'applique aux noyaux fournis par défaut après Debian 3.1." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:312 msgid "" "Linux 2.6 kernels provide a way to access a root shell while booting which " "will be presented during loading the initramfs on error. This is helpful to " "permit the administrator to enter a rescue shell with root permissions. This " "shell can be used to manually load modules when autodetection fails. This " "behavior is the default for initramfs-tools generated " "initramfs. The following message will appear:" msgstr "" "Les noyaux Linux 2.6 fournissent un moyen d'accéder à une invite de commande " "de superutilisateur lors de l'amorçage et qui sera présentée pendant le " "chargement de l'initramfs en cas d'erreur. C'est pratique pour permettre à " "l'administrateur d'entrer une invite de commande de secours avec des droits " "du superutilisateur. Cette invite de commande peut être utilisée pour " "charger vous-même des modules quand la détection automatique échoue. Ce " "comportement est celui par défaut pour les initramfs créés par " "initramfs-tools. Le message suivant apparaîtra :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:314 #, no-wrap msgid " \"ALERT! /dev/sda1 does not exist. Dropping to a shell!" msgstr " \"ALERT! /dev/sda1 does not exist. Dropping to a shell!" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:321 msgid "" "In order to remove this behavior you need to set the following boot argument:" "panic=0. Either add it to the kopt section of /boot/grub/menu." "lst and issue update-grub or to the append section of " "/etc/lilo.conf." msgstr "" "Afin de supprimer ce comportement, vous devez configurer l'argument " "d'amorçage suivant : panic=0. Ajoutez-le soit à la section kopt de " "/boot/grub/menu.lst et exécutez update-grub, soit " "à la section append de /etc/lilo.conf." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:323 msgid "Remove root prompt on the kernel" msgstr "Enlever l'invite superutilisateur du noyau" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:326 msgid "" "Note: This does not apply to the kernels provided for Debian 3.1 as the " "timeout for the kernel delay has been changed to 0." msgstr "" "Note : cela ne s'applique pas aux noyaux fournis par Debian 3.1, " "car le temps d'attente du noyau a été modifié à 0." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:332 msgid "" "Linux 2.4 kernels provide a way to access a root shell while booting which " "will be presented just after loading the cramfs file system. A message will " "appear to permit the administrator to enter an executable shell with root " "permissions, this shell can be used to manually load modules when " "autodetection fails. This behavior is the default for initrd's " "linuxrc. The following message will appear:" msgstr "" "Les noyaux Linux 2.4 fournissent un moyen d'accéder à une invite de " "commandes superutilisateur lors de l'amorçage et qui sera présenté juste " "après le chargement du système de fichiers cramfs. Un message apparaîtra " "pour permettre à l'administrateur d'obtenir une invite de commandes " "interactive avec des droits du superutilisateur, cette invite de commandes " "peut être utilisée pour charger manuellement des modules quand la détection " "automatique échoue. Ce comportement est celui par défaut pour linuxrc de l'initrd. Le message suivant apparaîtra :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:334 #, no-wrap msgid " Press ENTER to obtain a shell (waits 5 seconds)" msgstr " Press ENTER to obtain a shell (waits 5 seconds)" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:338 msgid "" "In order to remove this behavior you need to change /etc/mkinitrd/" "mkinitrd.conf and set:" msgstr "" "Pour supprimer ce comportement, vous devez changer /etc/mkinitrd/" "mkinitrd.conf et positionner :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:342 #, no-wrap msgid "" " # DELAY The number of seconds the linuxrc script should wait to\n" " # allow the user to interrupt it before the system is brought up\n" " DELAY=0" msgstr "" " # DELAY Le temps, en seconde que le script linuxrc doit\n" " # attendre pour permettre à l'utilisateur de l'interrompre\n" " # avant que le système ne soit lancé\n" " DELAY=0" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:344 msgid "Then regenerate your ramdisk image. You can do this for example with:" msgstr "" "Puis, régénérez l'image de ramdisk. Vous pouvez faire cela ainsi, par " "exemple :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:347 #, no-wrap msgid "" " # cd /boot\n" " # mkinitrd -o initrd.img-2.4.18-k7 /lib/modules/2.4.18-k7" msgstr "" " # cd /boot\n" " # mkinitrd -o initrd.img-2.4.18-k7 /lib/modules/2.4.18-k7" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:349 msgid "or (preferred):" msgstr "ou (de préférence) :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:351 #, no-wrap msgid " # dpkg-reconfigure -plow kernel-image-2.4.x-yz" msgstr " # dpkg-reconfigure -plow kernel-image-2.4.x-yz" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:356 msgid "Restricting console login access" msgstr "Restreindre les accès aux consoles" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:363 msgid "" "Some security policies might force administrators to log in to the system " "through the console with their user/password and then become superuser (with " "su or sudo). This policy is implemented in Debian " "by editing the /etc/login.defs file or /etc/securetty when using PAM. In:" msgstr "" "Certaines règles de sécurité peuvent forcer les administrateurs à se " "connecter au système sur une console avec leur identifiant et mot de passe " "puis devenir superutilisateur (avec su ou sudo). " "Cette règle est appliquée sous Debian en éditant les fichiers /etc/" "login.defs ou /etc/securetty lors de l'utilisation de " "PAM. Dans :" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:368 msgid "" "login.defs, editing the CONSOLE variable which defines a file " "or list of terminals on which root logins are allowed" msgstr "" "login.defs, éditez la variable CONSOLE qui définit un fichier " "ou une liste de terminaux sur lesquels la connexion du superutilisateur est " "autorisée ;" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:397 msgid "" "securetty

The /etc/securetty is a " "configuration file that belongs to the login package. by adding/removing the terminals to which root access will be " "allowed. If you wish to allow only local console access then you need " "console, ttyX

Or ttyvX in GNU/" "FreeBSD, and ttyE0 in GNU/KNetBSD.

and vc/X " "(if using devfs devices), you might want to add also ttySX

Or comX in GNU/Hurd, cuaaX in GNU/FreeBSD, " "and ttyXX in GNU/KNetBSD.

if you are using a serial " "console for local access (where X is an integer, you might want to have " "multiple instances

The default configuration in woody " "includes 12 local tty and vc consoles, as well as the console " "device but does not allow remote logins. In sarge the default " "configuration provides 64 consoles for tty and vc consoles. You can safely " "remove this if you are not using that many consoles.

" "depending on the number of virtual consoles you have enabled in /etc/" "inittab

Look for the getty calls.

). For more information on terminal devices read the ." msgstr "" "securetty

Le fichier /etc/securetty " "est un fichier de configuration qui appartient au paquet login.

en ajoutant ou supprimant les terminaux depuis " "lesquels les accès du superutilisateur seront autorisés. Si vous voulez " "n'autoriser que les accès locaux en console, vous avez alors besoin de " "console, ttyX

Ou ttyvX pour GNU/" "FreeBSD et ttyE0 pour GNU/KNetBSD.

et vc/X " "(si vous utilisez des périphériques devfs), vous pouvez vouloir " "ajouter également ttySX

Ou comX pour GNU/Hurd, " "cuaaX pour GNU/FreeBSD et ttyXX pour GNU/KNetBSD.

si vous utilisez une console série pour l'accès local (où X est un " "nombre entier, vous pouvez vouloir avoir plusieurs instances

La " "configuration par défaut dans Woody inclut 12 consoles locales " "tty et vc, ainsi que le périphérique console, mais ne permet pas " "les connexions distantes. Dans Sarge, la configuration par défaut " "fournit 64 consoles pour les consoles tty et vc. Vous pouvez les " "supprimer en toute sécurité si vous n'en utilisez pas tant.

" "selon le nombre de consoles virtuelles que vous avez activées dans /" "etc/inittab

Recherchez les appels getty.

). Pour plus d'informations sur les périphériques de terminal, " "veuillez consulter le (ou la )." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:406 msgid "" "When using PAM, other changes to the login process, which might include " "restrictions to users and groups at given times, can be configured in /" "etc/pam.d/login. An interesting feature that can be disabled is the " "possibility to login with null (blank) passwords. This feature can be " "limited by removing nullok from the line:" msgstr "" "En cas d'utilisation de PAM d'autres changements au processus de login, qui " "peuvent inclure des restrictions aux utilisateurs et groupes à certains " "moments, peuvent être configurés dans /etc/pam.d/login. Une " "fonctionnalité intéressante qui peut être désactivée est la possibilité de " "se connecter avec des mots de passe nuls (vides). Cette fonctionnalité peut " "être limitée en enlevant nullok de la ligne :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:408 #, no-wrap msgid " auth required pam_unix.so nullok" msgstr " auth required pam_unix.so nullok" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:412 msgid "Restricting system reboots through the console" msgstr "Restreindre les redémarrages système depuis la console" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:421 msgid "" "If your system has a keyboard attached to it anyone (yes anyone) " "can reboot the system through it without login to the system. This might, or " "might not, adhere to your security policy. If you want to restrict this, you " "must check the /etc/inittab so that the line that includes " "ctrlaltdel calls shutdown with the -a switch " "(remember to run init q after making any changes to this file). The " "default in Debian includes this switch:" msgstr "" "Si le système dispose d'un clavier attaché, n'importe qui (oui, vraiment " "n'importe qui) peut redémarrer le système avec celui-ci sans se " "connecter au système. Cela peut être en conformité ou non avec vos règles de " "sécurité. Si vous désirez restreindre cela, vous devez vérifier le fichier " "/etc/inittab pour que la ligne incluant ctrlaltdel " "appelle shutdown avec le paramètre -a (rappelez-vous " "d'exécuter init q après avoir fait un changement à ce fichier). La " "valeur par défaut dans Debian inclut ce paramètre :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:423 #, no-wrap msgid " ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now" msgstr " ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:433 msgid "" "Now, in order to allow some users to shutdown the system, as the " "manpage describes, you must create " "the file /etc/shutdown.allow and include there the name of " "users which can boot the system. When the three finger salute (a.k." "a. ctrl+alt+del) is given the program will check if any of the " "users listed in the file are logged in. If none of them is, shutdown will not reboot the system." msgstr "" "Puis, pour permettre à certains utilisateurs d'arrêter le système, " "comme décrit dans la page de manuel , vous devez créer le fichier /etc/shutdown.allow et inclure " "le nom des utilisateurs qui peuvent redémarrer le système. Quand le " "salut à trois doigts (ou Ctrl+Alt+Suppr) est exécuté, le " "programme va vérifier si l'un des utilisateurs de ce fichier est connecté. " "Si aucun d'entre eux ne l'est, shutdown ne va pas " "redémarrer le système." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:436 msgid "Mounting partitions the right way" msgstr "Monter correctement les partitions" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:442 msgid "" "When mounting an ext2 or ext3 file system, there are " "several additional options you can apply to the mount call or to /etc/" "fstab. For instance, this is my fstab entry for the /tmp " "partition:" msgstr "" "Lorsque vous montez un système de fichiers ext2 or ext3, " "vous avez différentes options additionnelles pour l'appel mount ou pour le " "fichier /etc/fstab. Par exemple, ceci est mon entrée pour la " "partition /tmp :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:444 #, no-wrap msgid " /dev/hda7 /tmp ext2 defaults,nosuid,noexec,nodev 0 2" msgstr " /dev/hda7 /tmp ext2 defaults,nosuid,noexec,nodev 0 2" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:452 msgid "" "You see the difference in the options sections. The option nosuid " "ignores the setuid and setgid bits completely, while noexec forbids " "execution of any program on that mount point, and nodev ignores " "device files. This sounds great, but it:" msgstr "" "Vous voyez la différence dans la section des options. L'option nosuid ignore complètement les bits setuid et setgid, tandis que noexec interdit l'exécution de tout programme sur ce point de montage et " "nodev ignore les fichiers de périphériques. Cela semble bon mais :" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:454 msgid "only applies to ext2 or ext3 file systems" msgstr "" "ne s'applique qu'aux systèmes de fichiers ext2 ou ext3 ;" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:455 msgid "can be circumvented easily" msgstr "peut être contourné facilement." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:460 msgid "" "The noexec option prevents binaries from being executed directly, " "but was easily circumvented in earlier versions of the kernel:" msgstr "" "L'option noexec évite aux binaires d'être exécutés directement mais " "c'était facilement contournable dans les premières versions du noyau :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:467 #, no-wrap msgid "" " alex@joker:/tmp# mount | grep tmp\n" " /dev/hda7 on /tmp type ext2 (rw,noexec,nosuid,nodev)\n" " alex@joker:/tmp# ./date\n" " bash: ./date: Permission denied\n" " alex@joker:/tmp# /lib/ld-linux.so.2 ./date\n" " Sun Dec 3 17:49:23 CET 2000" msgstr "" " alex@joker:/tmp# mount | grep tmp\n" " /dev/hda7 on /tmp type ext2 (rw,noexec,nosuid,nodev)\n" " alex@joker:/tmp# ./date\n" " bash: ./date: Permission non accordée\n" " alex@joker:/tmp# /lib/ld-linux.so.2 ./date\n" " dimanche 3 décembre 2000, 17:49:23 (UTC+0100)" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:472 msgid "" "Newer versions of the kernel do however handle the noexec flag " "properly:" msgstr "" "Les versions plus récentes du noyau gèrent cependant l'option noexec correctement :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:480 #, no-wrap msgid "" " angrist:/tmp# mount | grep /tmp\n" " /dev/hda3 on /tmp type ext3 (rw,noexec,nosuid,nodev)\n" " angrist:/tmp# ./date\n" " bash: ./tmp: Permission denied \n" " angrist:/tmp# /lib/ld-linux.so.2 ./date \n" " ./date: error while loading shared libraries: ./date: failed to map segment \n" " from shared object: Operation not permitted" msgstr "" " angrist:/tmp# mount | grep /tmp\n" " /dev/hda3 on /tmp type ext3 (rw,noexec,nosuid,nodev)\n" " angrist:/tmp# ./date\n" " bash: ./tmp: Permission non accordée\n" " angrist:/tmp# /lib/ld-linux.so.2 ./date \n" " ./date: error while loading shared libraries: ./date: failed to map segment \n" " from shared object: Operation not permitted" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:488 msgid "" "However, many script kiddies have exploits which try to create and execute " "files in /tmp. If they do not have a clue, they will fall into " "this pit. In other words, a user cannot be tricked into executing a " "trojanized binary in /tmp e.g. when he incidentally adds /" "tmp into his PATH." msgstr "" "Toutefois, de nombreux pirates en herbe utilisent des failles qui essayent " "de créer et d'exécuter des fichiers dans /tmp. S'ils ne sont " "pas futés, ils tomberont sur un pépin. En d'autres termes, un utilisateur ne " "peut être abusé en exécutant un binaire compromis (genre cheval de Troie) " "dans /tmp lorsqu'il a accidentellement ajouté /tmp " "dans son PATH." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:493 msgid "" "Also be forewarned, some script might depend on /tmp being " "executable. Most notably, Debconf has (had?) some issues regarding this, for " "more information see Bug ." msgstr "" "Soyez aussi vigilant, certains scripts peuvent dépendre du fait que /" "tmp devienne exécutable. Notamment Debconf qui a (avait ?) " "quelques problèmes concernant cela, pour plus d'informations consultez le " "." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:502 msgid "" "The following is a more thorough example. A note, though: /var " "could be set noexec, but some software

Some of this includes " "the package manager dpkg since the installation (post," "pre) and removal (post,pre) scripts are at /var/lib/dpkg/ and " "Smartlist

keeps its programs under in /var. The " "same applies to the nosuid option." msgstr "" "Ce qui suit est un exemple un peu plus poussé. Prenez note que, bien que " "/var peut être mis à noexec, certains " "logiciels

Cela inclut le gestionnaire de paquet dpkg car les scripts d'installation (pre et post) et de suppression (pre " "et post) sont en /var/lib/dpkg/ et aussi Smartlist.

conservent leurs programmes dans /var. Les mêmes conditions " "peuvent être appliquées à l'option nosuid." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:514 #, no-wrap msgid "" "/dev/sda6 /usr ext3 defaults,ro,nodev 0 2\n" "/dev/sda12 /usr/share ext3 defaults,ro,nodev,nosuid 0 2\n" "/dev/sda7 /var ext3 defaults,nodev,usrquota,grpquota 0 2\n" "/dev/sda8 /tmp ext3 defaults,nodev,nosuid,noexec,usrquota,grpquota 0 2\n" "/dev/sda9 /var/tmp ext3 defaults,nodev,nosuid,noexec,usrquota,grpquota 0 2\n" "/dev/sda10 /var/log ext3 defaults,nodev,nosuid,noexec 0 2\n" "/dev/sda11 /var/account ext3 defaults,nodev,nosuid,noexec 0 2\n" "/dev/sda13 /home ext3 rw,nosuid,nodev,exec,auto,nouser,async,usrquota,grpquota 0 2\n" "/dev/fd0 /mnt/fd0 ext3 defaults,users,nodev,nosuid,noexec 0 0\n" "/dev/fd0 /mnt/floppy vfat defaults,users,nodev,nosuid,noexec 0 0\n" "/dev/hda /mnt/cdrom iso9660 ro,users,nodev,nosuid,noexec 0 0" msgstr "" "/dev/sda6 /usr ext3 defaults,ro,nodev 0 2\n" "/dev/sda12 /usr/share ext3 defaults,ro,nodev,nosuid 0 2\n" "/dev/sda7 /var ext3 defaults,nodev,usrquota,grpquota 0 2\n" "/dev/sda8 /tmp ext3 defaults,nodev,nosuid,noexec,usrquota,grpquota 0 2\n" "/dev/sda9 /var/tmp ext3 defaults,nodev,nosuid,noexec,usrquota,grpquota 0 2\n" "/dev/sda10 /var/log ext3 defaults,nodev,nosuid,noexec 0 2\n" "/dev/sda11 /var/account ext3 defaults,nodev,nosuid,noexec 0 2\n" "/dev/sda13 /home ext3 rw,nosuid,nodev,exec,auto,nouser,async,usrquota,grpquota 0 2\n" "/dev/fd0 /mnt/fd0 ext3 defaults,users,nodev,nosuid,noexec 0 0\n" "/dev/fd0 /mnt/floppy vfat defaults,users,nodev,nosuid,noexec 0 0\n" "/dev/hda /mnt/cdrom iso9660 ro,users,nodev,nosuid,noexec 0 0" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:517 msgid "Setting /tmp noexec" msgstr "Paramétrer /tmp en noexec" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:540 msgid "" "Be careful if setting /tmp noexec when you want to install new " "software, since some programs might use it for installation. apt is one such program (see ) if not configured properly APT::ExtractTemplates::" "TempDir (see ). You " "can set this variable in /etc/apt/apt.conf to another directory " "with exec privileges other than /tmp." msgstr "" "Soyez vigilant si vous mettez /tmp en noexec et que vous voulez " "installer de nouveaux logiciels étant donné que certains peuvent l'utiliser " "pendant l'installation. apt est un programme de ce genre " "(consultez ) si APT::" "ExtractTemplates::TempDir n'est pas configuré correctement (consultez " "). Vous pouvez " "paramétrer cette variable dans le fichier /etc/apt/apt.conf " "vers un autre répertoire que /tmp et qui aura les droits " "d'exécution." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:541 msgid "Setting /usr read-only" msgstr "Paramétrer /usr en lecture seule" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:548 msgid "" "If you set /usr read-only you will not be able to install new " "packages on your Debian GNU/Linux system. You will have to first remount it " "read-write, install the packages and then remount it read-only. " "apt can be configured to run commands before and after " "installing packages, so you might want to configure it properly." msgstr "" "Si vous mettez /usr en lecture seule, vous serez dans " "l'incapacité d'installer de nouveaux paquets sur le système Debian GNU/" "Linux. Vous devrez, avant tout, la remonter en lecture/écriture, puis " "installer les nouveaux paquets et enfin la remonter en lecture seule. " "apt peut être configuré pour lancer des commandes avant " "et après l'installation de paquets, ainsi vous pouvez avoir envie de le " "configurer correctement." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:549 msgid "To do this modify /etc/apt/apt.conf and add:" msgstr "" "Pour réaliser cela, modifiez le fichier /etc/apt/apt.conf et " "ajoutez :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:555 #, no-wrap msgid "" " DPkg\n" " {\n" " Pre-Invoke { \"mount /usr -o remount,rw\" };\n" " Post-Invoke { \"mount /usr -o remount,ro\" };\n" " };" msgstr "" " DPkg\n" " {\n" " Pre-Invoke { \"mount /usr -o remount,rw\" };\n" " Post-Invoke { \"mount /usr -o remount,ro\" };\n" " };" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:560 msgid "" "Note that the Post-Invoke may fail with a \"/usr busy\" error message. This " "happens mainly when you are using files during the update that got updated. " "You can find these programs by running" msgstr "" "Notez que le Post-Invoke peut échouer avec un message d'erreur « /usr " "busy ». Cela survient principalement lorsque vous utilisez des fichiers lors " "de la mise à jour et que ces fichiers sont justement mis à jour. Vous pouvez " "trouver ces programmes en exécutant" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:562 #, no-wrap msgid "# lsof +L1" msgstr "# lsof +L1" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:572 msgid "" "Stop or restart these programs and run the Post-Invoke manually. Beware!" " This means you'll likely need to restart your X session (if you're " "running one) every time you do a major upgrade of your system. You might " "want to reconsider whether a read-only /usr is suitable for " "your system. See also this ." msgstr "" "Arrêtez ou relancez ces programmes et exécutez la commande de Post-Invoke " "vous-même. Attention ! Cela veut dire que vous devrez " "probablement redémarrer la session X (si vous en faites fonctionner une) à " "chaque fois que vous faites une mise à jour majeure du système. Vous " "pourriez aussi vous redemander si paramétrer /usr en lecture " "seule est adapté au système. Consultez également cette ." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:574 msgid "Providing secure user access" msgstr "Fournir des accès sécurisés aux utilisateurs" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:576 msgid "User authentication: PAM" msgstr "Authentification utilisateur : PAM" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:586 msgid "" "PAM (Pluggable Authentication Modules) allows system administrators to " "choose how applications authenticate users. Note that PAM can do nothing " "unless an application is compiled with support for PAM. Most of the " "applications that are shipped with Debian have this support built in (Debian " "did not have PAM support before 2.2). The current default configuration for " "any PAM-enabled service is to emulate UNIX authentication (read /usr/" "share/doc/libpam0g/Debian-PAM-MiniPolicy.gz for more information on " "how PAM services should work in Debian)." msgstr "" "PAM (Pluggable Authentication Modules) permet aux administrateurs système de " "choisir comment les applications authentifient les utilisateurs. Remarquez " "que PAM ne peut rien faire tant qu'une application n'a pas été compilée avec " "la prise en charge pour PAM. La plupart des applications livrées dans Debian " "ont cette prise en charge intégrée (Debian n'avait pas de prise en charge " "pour PAM avant la version 2.2). La configuration actuelle par défaut pour " "tout service activé avec PAM est d'émuler l'authentification UNIX (consultez " "/usr/share/doc/libpam0g/Debian-PAM-MiniPolicy.gz pour plus " "d'informations sur la façon dont les services devraient fonctionner " "dans Debian)." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:589 msgid "" "Each application with PAM support provides a configuration file in /" "etc/pam.d/ which can be used to modify its behavior:" msgstr "" "Chaque application avec la prise en charge de PAM fournit un fichier de " "configuration dans /etc/pam.d qui peut être utilisé pour " "modifier son comportement :" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:591 msgid "what backend is used for authentication." msgstr "quelle fonction de base est utilisée pour l'authentification ;" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:592 msgid "what backend is used for sessions." msgstr "quelle fonction de base est utilisée pour les sessions ;" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:593 msgid "how do password checks behave." msgstr "comment les vérifications de mots de passe se comportent." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:604 msgid "" "The following description is far from complete, for more information you " "might want to read the (at the ). This document is also provided in the " "libpam-doc Debian package." msgstr "" "La description qui suit est loin d'être complète, pour plus d'informations " "vous pouvez regarder le (sur le ). Ce document est également fourni " "dans le paquet Debian libpam-doc." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:616 msgid "" "PAM offers you the possibility to go through several authentication steps at " "once, without the user's knowledge. You could authenticate against a " "Berkeley database and against the normal passwd file, and the " "user only logs in if he authenticates correct in both. You can restrict a " "lot with PAM, just as you can open your system doors very wide. So be " "careful. A typical configuration line has a control field as its second " "element. Generally it should be set to requisite, which returns a " "login failure if one module fails." msgstr "" "PAM vous offre la possibilité de passer en revue plusieurs étapes " "d'authentification en une seule fois, à l'insu de l'utilisateur. Vous pouvez " "vous authentifier à une base de données Berkeley et à un fichier " "passwd normal, ainsi l'utilisateur pourra se connecter " "seulement si l'authentification est correcte des deux côtés. Vous pouvez " "restreindre beaucoup de choses avec PAM comme vous pouvez laisser libre " "accès au système. Donc soyez prudent. Une ligne de configuration typique a " "un champ de contrôle comme deuxième élément. Généralement, il devrait être " "paramétré sur requisite qui retourne un échec de connexion si un " "module échoue." # NOTE: s/ssh/sshd/ #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:622 msgid "" "The first thing I like to do, is to add MD5 support to PAM applications, " "since this helps protect against dictionary cracks (passwords can be longer " "if using MD5). The following two lines should be added to all files in " "/etc/pam.d/ that grant access to the machine, like login and ssh." msgstr "" "La première chose que j'aime faire est d'ajouter la prise en charge de MD5 " "aux applications PAM, étant donné que cela protège le système contre les " "tentatives d'attaques par dictionnaire (les mots de passe peuvent être plus " "long en utilisant MD5). Les deux lignes suivantes devraient être ajoutées à " "tous les fichiers de /etc/pam.d/ qui permettent d'allouer " "l'accès à la machine, comme login et sshd." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:626 #, no-wrap msgid "" " # Be sure to install libpam-cracklib first or you will not be able to log in\n" " password required pam_cracklib.so retry=3 minlen=12 difok=3\n" " password required pam_unix.so use_authtok nullok md5" msgstr "" " # Vérifier que libpam-cracklib soit installé avant sinon vous ne\n" " # pourrez pas vous connecter.\n" " password required pam_cracklib.so retry=3 minlen=12 difok=3\n" " password required pam_unix.so use_authtok nullok md5" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:646 msgid "" "So, what does this incantation do? The first line loads the cracklib PAM " "module, which provides password strength-checking, prompts for a new " "password with a minimum length of 12 characters, a difference of at least 3 " "characters from the old password, and allows 3 retries. Cracklib depends on " "a wordlist package (such as wenglish, wspanish, wbritish, ...), so make sure you install one " "that is appropriate for your language or cracklib might not be useful to you " "at all.

This dependency is not fixed, however, in the Debian " "3.0 package. Please see .

The second line introduces the standard " "authentication module with MD5 passwords and allows a zero length password. " "The use_authtok directive is necessary to hand over the password " "from the previous module." msgstr "" "Que fait cette formule magique ? La première ligne charge le module PAM " "cracklib qui fournit la vérification de la robustesse des mots de passe, " "attend un nouveau mot de passe avec au minimum 12 caractères, une différence " "d'au moins 3 caractères par rapport à l'ancien et autorise 3 essais. " "cracklib dépend d'une liste de mots (comme wenglish, " "wfrench, wbritish, etc.), assurez-vous " "donc d'en avoir installé une adaptée à votre langue, sinon, cela peut être " "sans aucune utilité.

Cependant, cette dépendance n'est pas " "fixe. Veuillez consulter le .

La seconde ligne introduit le module " "d'authentification standard avec MD5 et autorise un mot de passe nul. La " "directive use_authtok est nécessaire pour passer le mot de passe du " "module précédent." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:650 msgid "" "To make sure that the user root can only log into the system from local " "terminals, the following line should be enabled in /etc/pam.d/login:" msgstr "" "Afin d'être sûr que le superutilisateur peut se connecter uniquement à " "partir des terminaux locaux, la ligne suivante doit être activée dans /" "etc/pam.d/login :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:652 #, no-wrap msgid " auth requisite pam_securetty.so" msgstr " auth requisite pam_securetty.so" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:663 msgid "" "Then you should modify the list of terminals on which direct root login is " "allowed in /etc/securetty. Alternatively, you could enable the " "pam_access module and modify /etc/security/access.conf " "which allows for a more general and fine-tuned access control, but " "(unfortunately) lacks decent log messages (logging within PAM is not " "standardized and is particularly unrewarding problem to deal with). We'll " "return to access.conf a little later." msgstr "" "Puis, vous devez modifier la liste des terminaux sur lesquels la connexion " "du superutilisateur est autorisée dans le fichier /etc/securetty. Vous pouvez sinon activer le module pam_access et modifier " "/etc/security/access.conf qui permet un contrôle plus général " "et affiné, mais à qui il manque (malheureusement) des messages de " "journalisation décents (la journalisation dans PAM n'est pas standard et est " "un problème particulièrement peu gratifiant à traiter). Nous reviendrons au " "fichier access.conf un peu plus tard." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:668 msgid "" "Last but not the least, the following line should be enabled in /etc/" "pam.d/login to set up user resource limits." msgstr "" "Enfin, la ligne suivante devrait être activée dans /etc/pam.d/login pour mettre en place des limites de ressource utilisateur." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:670 #, no-wrap msgid " session required pam_limits.so" msgstr " session required pam_limits.so" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:677 msgid "" "This restricts the system resources that users are allowed (see below in " "). For example, you could restrict the number of " "concurrent logins (of a given group of users, or system-wide), number of " "processes, memory size etc." msgstr "" "Cela restreint les ressources du système auxquelles les utilisateurs sont " "autorisées (consultez ci-après ). Par exemple, vous " "pouvez restreindre le nombre de connexions (d'un groupe d'utilisateurs donné " "ou tout le système), le nombre de processus, la taille de la mémoire, etc." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:682 msgid "" "Now edit /etc/pam.d/passwd and change the first line. You " "should add the option \"md5\" to use MD5 passwords, change the minimum " "length of password from 4 to 6 (or more) and set a maximum length, if you " "desire. The resulting line will look something like:" msgstr "" "Maintenant, éditez /etc/pam.d/passwd et changez la première " "ligne. Vous devriez ajouter l'option « md5 » pour utiliser les " "mots de passe MD5, modifiez la longueur minimale du mot de passe de 4 à 6 " "(ou plus) et fixez une longueur maximale si vous le désirez. La ligne " "devrait ressembler à quelque chose comme ceci :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:684 #, no-wrap msgid " password required pam_unix.so nullok obscure min=6 max=11 md5" msgstr " password required pam_unix.so nullok obscure min=6 max=11 md5" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:693 msgid "" "If you want to protect su, so that only some people can use it to become " "root on your system, you need to add a new group \"wheel\" to your system " "(that is the cleanest way, since no file has such a group permission yet). " "Add root and the other users that should be able to su to the " "root user to this group. Then add the following line to /etc/pam.d/su:" msgstr "" "Si vous voulez protéger su, pour que seules quelques personnes puissent " "l'utiliser pour devenir superutilisateur sur le système, vous avez besoin de " "créer un nouveau groupe « wheel » (c'est la meilleure façon, étant " "donné qu'aucun fichier n'a ces permissions d'attribuées). Ajoutez root et " "les autres utilisateurs, qui auront la possibilité d'utiliser su pour devenir superutilisateur, à ce groupe. Ensuite, ajoutez la ligne " "suivante dans /etc/pam.d/su :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:695 #, no-wrap msgid " auth requisite pam_wheel.so group=wheel debug" msgstr " auth requisite pam_wheel.so group=wheel debug" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:702 msgid "" "This makes sure that only people from the group \"wheel\" can use su to become root. Other users will not be able to become root. In fact " "they will get a denied message if they try to become root." msgstr "" "Cela permet d'être sûr que seules les personnes du groupe « " "wheel » pourront utiliser su pour devenir " "superutilisateur. Les autres utilisateurs ne seront pas capables de le " "devenir. En fait, ils recevront un message de refus s'ils essayent de " "devenir superutilisateur." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:709 msgid "" "If you want only certain users to authenticate at a PAM service, this is " "quite easy to achieve by using files where the users who are allowed to " "login (or not) are stored. Imagine you only want to allow user 'ref' to log " "in via ssh. So you put him into /etc/sshusers-allowed and write the following into /etc/pam.d/ssh:" msgstr "" "Si vous désirez que seulement certains utilisateurs s'authentifient à un " "service PAM, il suffit d'utiliser les fichiers où sont stockés les " "utilisateurs autorisés (ou pas) à se connecter. Imaginons que vous ne " "vouliez autoriser que l'utilisateur « ref » à se connecter avec " "ssh. Vous le mettez dans /etc/sshusers-allowed et " "écrivez ce qui suit dans /etc/pam.d/ssh :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:711 #, no-wrap msgid " auth required pam_listfile.so item=user sense=allow file=/etc/sshusers-allowed onerr=fail" msgstr " auth required pam_listfile.so item=user sense=allow file=/etc/sshusers-allowed onerr=fail" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:720 msgid "" "Since there have been a number of so called insecure tempfile " "vulnerabilities, thttpd is one example (see ), the libpam-tmpdir is a good package to install. All you have to do is add the " "following to /etc/pam.d/common-session:" msgstr "" "Puisqu'il y a eu de nombreuses vulnérabilités dites de fichier temporaire non " "sécurisé, dont thttpd est un exemple (consultez ), libpam-tmpdir est un bon paquet à installer. Tout ce que vous avez à faire est " "d'ajouter ceci à /etc/pam.d/common-session :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:722 #, no-wrap msgid " session optional pam_tmpdir.so" msgstr " session optional pam_tmpdir.so" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:728 msgid "" "There has also been a discussion about adding this by default in etch. See " " for " "more information." msgstr "" "Une discussion a eu lieu à propos de l'ajout par défaut dans Etch. Consultez " " pour " "obtenir plus de renseignements." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:731 msgid "" "Last, but not least, create /etc/pam.d/other and enter the " "following lines:" msgstr "" "La dernière étape, mais pas la moindre, est de créer le fichier /etc/" "pam.d/other et d'ajouter les lignes suivantes :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:745 #, no-wrap msgid "" " auth required pam_securetty.so\n" " auth required pam_unix_auth.so\n" " auth required pam_warn.so\n" " auth required pam_deny.so\n" " account required pam_unix_acct.so\n" " account required pam_warn.so\n" " account required pam_deny.so\n" " password required pam_unix_passwd.so\n" " password required pam_warn.so\n" " password required pam_deny.so\n" " session required pam_unix_session.so\n" " session required pam_warn.so\n" " session required pam_deny.so" msgstr "" " auth required pam_securetty.so\n" " auth required pam_unix_auth.so\n" " auth required pam_warn.so\n" " auth required pam_deny.so\n" " account required pam_unix_acct.so\n" " account required pam_warn.so\n" " account required pam_deny.so\n" " password required pam_unix_passwd.so\n" " password required pam_warn.so\n" " password required pam_deny.so\n" " session required pam_unix_session.so\n" " session required pam_warn.so\n" " session required pam_deny.so" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:751 msgid "" "These lines will provide a good default configuration for all applications " "that support PAM (access is denied by default)." msgstr "" "Ces lignes vont fournir une bonne configuration par défaut pour toutes les " "applications qui gèrent PAM (accès refusé par défaut)." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:753 msgid "Limiting resource usage: the limits.conf file" msgstr "Restreindre l'utilisation des ressources : le fichier limits.conf" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:759 msgid "" "You should really take a serious look into this file. Here you can define " "user resource limits. In old releases this configuration file was /etc/" "limits.conf, but in newer releases (with PAM) the /etc/security/" "limits.conf configuration file should be used instead." msgstr "" "Vous devriez vraiment jeter un sérieux coup d'œil à ce fichier. Vous " "pouvez y définir les limites des ressources par utilisateur. Dans " "d'anciennes versions, ce fichier de configuration était /etc/limits." "conf, mais dans les nouvelles versions (avec PAM), le fichier de " "configuration à utiliser devrait être /etc/security/limits.conf." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:765 msgid "" "If you do not restrict resource usage, any user with a valid shell " "in your system (or even an intruder who compromised the system through a " "service or a daemon going awry) can use up as much CPU, memory, stack, etc. " "as the system can provide. This resource exhaustion problem can be " "fixed by the use of PAM." msgstr "" "Si vous ne restreignez pas l'utilisation des ressources, " "n'importe quel utilisateur ayant une invite de commandes valable " "sur le système (ou même un intrus qui aurait compromis le système par un " "service ou un démon devenu fou) pourra utiliser autant de CPU, de mémoire, " "de pile, etc. que le système pourra fournir. Ce problème d'épuisement de " "ressources peut être réglé par l'utilisation de PAM." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:773 msgid "" "There is a way to add resource limits to some shells (for example, " "bash has ulimit, see ), but since not all of them provide the same limits and since the " "user can change shells (see ) it is " "better to place the limits on the PAM modules as they will apply regardless " "of the shell used and will also apply to PAM modules that are not shell-" "oriented." msgstr "" "Il existe un moyen d'ajouter des limites de ressources pour certains " "interpréteurs de commandes (par exemple, bash a ulimit, consultez ), mais comme ils ne " "fournissent pas tous les mêmes limites et qu'un utilisateur peut changer " "d'interpréteur (consultez ), il est " "préférable de placer ces limites dans les modules PAM ainsi elles " "s'appliqueront quel que soit l'interpréteur de commandes utilisé et " "également aux modules PAM qui ne sont pas orientés interpréteur." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:778 msgid "" "Resource limits are imposed by the kernel, but they need to be configured " "through the limits.conf and the PAM configuration of the " "different services need to load the appropriate PAM. You can check which " "services are enforcing limits by running:" msgstr "" "Les limites de ressources sont imposées par le noyau, mais elles doivent " "être configurées par le fichier limits.conf et la configuration " "PAM des différents services doit charger le module PAM approprié. Vous " "pouvez vérifier quels services imposent des limites en exécutant :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:780 #, no-wrap msgid "$ find /etc/pam.d/ \\! -name \"*.dpkg*\" | xargs -- grep limits |grep -v \":#\"" msgstr "$ find /etc/pam.d/ \\! -name \"*.dpkg*\" | xargs -- grep limits |grep -v \":#\"" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:788 msgid "" "Commonly, login, ssh and the graphic session " "managers (gdm, kdm or xdm) should " "enforce user limits but you might want to do this in other PAM configuration " "files, such as cron, to prevent system daemons from taking over " "all system resources." msgstr "" "Habituellement, login, ssh et les gestionnaires de " "session graphique (gdm, kdm ou xdm) " "devraient imposer des limites aux utilisateurs, mais vous pouvez vouloir " "faire cela dans d'autres fichiers de configuration de PAM, comme cron, pour empêcher les démons système d'accaparer toutes les ressources " "système." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:790 msgid "" "The specific limits settings you might want to enforce depend on your " "system's resources, that's one of the main reasons why no limits are " "enforced in the default installation." msgstr "" "Les paramètres de limites spécifiques que vous pouvez vouloir imposer " "dépendent des ressources du système, c'est l'une des principales raisons " "pour lesquelles aucune limite n'est imposée dans l'installation par défaut." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:799 msgid "" "For example, the configuration example below enforces a 100 process limit " "for all users (to prevent fork bombs) as well as a limit of 10MB of " "memory per process and a limit of 10 simultaneous logins. Users in the " "adm group have higher limits and can produce core files if they " "want to (there is only a soft limit)." msgstr "" "Par exemple, l'exemple de configuration ci-dessous impose une limite de " "100 processus par utilisateur (pour empêcher les bombes de fork) ainsi qu'une limite de 10 Mo de mémoire par processus et une " "limite de 10 connexions simultanées. Les utilisateurs du groupe " "adm ont des limites supérieures et peuvent créer des fichiers core " "s'ils le désirent (c'est simplement une limite douce (soft))." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:815 #, no-wrap msgid "" "* soft core 0\n" "* hard core 0\n" "* hard rss 1000\n" "* hard memlock 1000\n" "* hard nproc 100\n" "* - maxlogins 1\n" "* hard data 102400\n" "* hard fsize 2048\n" "@adm hard core 100000\n" "@adm hard rss 100000\n" "@adm soft nproc 2000\n" "@adm hard nproc 3000\n" "@adm hard fsize 100000\n" "@adm - maxlogins 10" msgstr "" "* soft core 0\n" "* hard core 0\n" "* hard rss 1000\n" "* hard memlock 1000\n" "* hard nproc 100\n" "* - maxlogins 1\n" "* hard data 102400\n" "* hard fsize 2048\n" "@adm hard core 100000\n" "@adm hard rss 100000\n" "@adm soft nproc 2000\n" "@adm hard nproc 3000\n" "@adm hard fsize 100000\n" "@adm - maxlogins 10" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:820 msgid "" "These would be the limits a default user (including system daemons) would " "have:" msgstr "" "Voici les limites qu'un utilisateur standard (y compris les démons système) " "aurait :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:833 #, no-wrap msgid "" "$ ulimit -a\n" "core file size (blocks, -c) 0\n" "data seg size (kbytes, -d) 102400\n" "file size (blocks, -f) 2048\n" "max locked memory (kbytes, -l) 10000\n" "max memory size (kbytes, -m) 10000\n" "open files (-n) 1024\n" "pipe size (512 bytes, -p) 8\n" "stack size (kbytes, -s) 8192\n" "cpu time (seconds, -t) unlimited\n" "max user processes (-u) 100\n" "virtual memory (kbytes, -v) unlimited" msgstr "" "$ ulimit -a\n" "core file size (blocks, -c) 0\n" "data seg size (kbytes, -d) 102400\n" "file size (blocks, -f) 2048\n" "max locked memory (kbytes, -l) 10000\n" "max memory size (kbytes, -m) 10000\n" "open files (-n) 1024\n" "pipe size (512 bytes, -p) 8\n" "stack size (kbytes, -s) 8192\n" "cpu time (seconds, -t) unlimited\n" "max user processes (-u) 100\n" "virtual memory (kbytes, -v) unlimited" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:837 msgid "And these are the limits for an administrative user:" msgstr "Et voici les limites d'un utilisateur administratif :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:850 #, no-wrap msgid "" "$ ulimit -a\n" "core file size (blocks, -c) 0\n" "data seg size (kbytes, -d) 102400\n" "file size (blocks, -f) 100000\n" "max locked memory (kbytes, -l) 100000\n" "max memory size (kbytes, -m) 100000\n" "open files (-n) 1024\n" "pipe size (512 bytes, -p) 8\n" "stack size (kbytes, -s) 8192\n" "cpu time (seconds, -t) unlimited\n" "max user processes (-u) 2000\n" "virtual memory (kbytes, -v) unlimited" msgstr "" "$ ulimit -a\n" "core file size (blocks, -c) 0\n" "data seg size (kbytes, -d) 102400\n" "file size (blocks, -f) 100000\n" "max locked memory (kbytes, -l) 100000\n" "max memory size (kbytes, -m) 100000\n" "open files (-n) 1024\n" "pipe size (512 bytes, -p) 8\n" "stack size (kbytes, -s) 8192\n" "cpu time (seconds, -t) unlimited\n" "max user processes (-u) 2000\n" "virtual memory (kbytes, -v) unlimited" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:854 msgid "For more information read:" msgstr "Pour plus d'informations, consultez :" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:860 msgid "" "." msgstr "" "le  ;" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:864 msgid "" "." msgstr "" "l' ;" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:869 msgid "" " on the " "Limiting users overview section." msgstr "" "l'article " "pour la section Limiting users overview ;" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:872 msgid "" " in the " "Limiting and monitoring users section." msgstr "" "le pour la " "section Limiting and monitoring users." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:875 msgid "User login actions: edit /etc/login.defs" msgstr "" "Actions de connexion de l'utilisateur : modification de /etc/login.defs" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:884 msgid "" "The next step is to edit the basic configuration and action upon user login. " "Note that this file is not part of the PAM configuration, it's a " "configuration file honored by login and su programs, so it " "doesn't make sense tuning it for cases where neither of the two programs are " "at least indirectly called (the getty program which sits on the " "consoles and offers the initial login prompt does invoke " "login)." msgstr "" "La prochaine étape est d'éditer la configuration et les actions de base lors de " "la connexion de l'utilisateur. Notez que ce fichier ne fait pas partie de la " "configuration PAM, c'est un fichier de configuration qui est pris en compte " "par les programmes login et su, il n'est pas logique de " "l'adapter aux cas pour lesquels ni l'un ni l'autre des programmes n'est " "appelé au moins indirectement (le programme getty qui gère les " "consoles et offre l'invite de connexion initiale appelle bien " "login)." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:886 #, no-wrap msgid " FAIL_DELAY 10" msgstr " FAIL_DELAY 10" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:896 msgid "" "This variable should be set to a higher value to make it harder to use the " "terminal to log in using brute force. If a wrong password is typed in, the " "possible attacker (or normal user!) has to wait for 10 seconds to get a new " "login prompt, which is quite time consuming when you test passwords. Pay " "attention to the fact that this setting is useless if using program other " "than getty, such as mingetty for example." msgstr "" "Cette variable devrait être configurée à une valeur suffisamment grande de " "façon à rendre plus difficiles les tentatives de connexion en utilisant la " "force brute. Si un mauvais mot de passe est fourni, le pirate potentiel (ou " "le simple utilisateur !) doit attendre 10 secondes avant d'obtenir une " "nouvelle invite de connexion, ce qui prend pas mal de temps quand vous " "testez des mots de passe. Veuillez noter que ce paramètre est inopérant si " "vous utilisez un programme différent de getty, comme par " "exemple mingetty." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:898 #, no-wrap msgid " FAILLOG_ENAB yes" msgstr " FAILLOG_ENAB yes" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:903 msgid "" "If you enable this variable, failed logins will be logged. It is important " "to keep track of them to catch someone who tries a brute force attack." msgstr "" "Si vous activez cette variable, les connexions échouées seront enregistrées " "dans un journal. Il est important d'en garder une trace pour repérer si " "quelqu'un tente une attaque par force brute." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:905 #, no-wrap msgid " LOG_UNKFAIL_ENAB no" msgstr " LOG_UNKFAIL_ENAB no" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:915 msgid "" "If you set this variable to 'yes' it will record unknown usernames if the " "login failed. It is best if you use 'no' (the default) since, otherwise, " "user passwords might be inadvertenly logged here (if a user mistypes and " "they enter their password as the username). If you set it to 'yes', make " "sure the logs have the proper permissions (640 for example, with an " "appropriate group setting such as adm)." msgstr "" "En configurant cette variable à « yes », les noms d'utilisateur seront " "enregistrés en cas d'échec de connexion. Laisser la configuration à " "« no » (par défaut) est plus prudent, puisque sinon, les mots de passe " "d'utilisateurs pourraient être enregistrés par erreur (si un utilisateur " "fait une faute de frappe et entre le mot de passe à la place de " "l'identifiant). Si vous configurez à « yes », assurez-vous que les journaux " "ont les droits adéquats (640 par exemple, avec une configuration de groupe " "adéquate comme adm)." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:917 #, no-wrap msgid " SYSLOG_SU_ENAB yes" msgstr " SYSLOG_SU_ENAB yes" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:923 msgid "" "This one enables logging of su attempts to syslog. " "Quite important on serious machines but note that this can create privacy " "issues as well." msgstr "" "Cela va activer l'écriture dans les journaux de syslog des " "tentatives de su. Plutôt important sur des machines sérieuses, " "mais notez que cela peut aussi bien être à la base de problèmes de respect " "de la vie privée." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:925 #, no-wrap msgid " SYSLOG_SG_ENAB yes" msgstr " SYSLOG_SG_ENAB yes" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:930 msgid "" "The same as SYSLOG_SU_ENAB but applies to the sg " "program." msgstr "" "La même chose que SYSLOG_SU_ENAB, mais s'applique au programme sg." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:932 #, no-wrap msgid " MD5_CRYPT_ENAB yes" msgstr " MD5_CRYPT_ENAB yes" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:939 msgid "" "As stated above, MD5 sum passwords greatly reduce the problem of dictionary " "attacks, since you can use longer passwords. If you are using slink, read " "the docs about MD5 before enabling this option. Otherwise this is set in PAM." msgstr "" "Comme mentionné ci-dessus, les mots de passe MD5 réduisent considérablement " "le problème des attaques par dictionnaire étant donné que vous pouvez " "utiliser des mots de passe plus longs. Si vous utilisez Slink, consultez les " "documentations avant d'activer le MD5. Sinon, c'est paramétré dans PAM." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:941 #, no-wrap msgid " PASS_MAX_LEN 50" msgstr " PASS_MAX_LEN 50" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:947 msgid "" "If MD5 passwords are activated in your PAM configuration, then this variable " "should be set to the same value as used there." msgstr "" "Si les mots de passe MD5 sont activés dans la configuration PAM, alors cette " "variable devrait avoir la même valeur que dans celle-là." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:948 msgid "Restricting ftp: editing /etc/ftpusers" msgstr "Restreindre le FTP : éditer /etc/ftpusers" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:955 msgid "" "The /etc/ftpusers file contains a list of users who are not " "allowed to log into the host using ftp. Only use this file if you really " "want to allow ftp (which is not recommended in general, because it uses " "clear-text passwords). If your daemon supports PAM, you can also use that to " "allow and deny users for certain services." msgstr "" "Ce fichier contient une liste d'utilisateurs qui ne sont pas autorisés à se " "connecter à l'hôte en utilisant FTP. Utilisez uniquement ce fichier si vous " "voulez réellement autoriser le FTP (qui n'est, en général, pas recommandé " "car il utilise des mots de passe en clair). Si le démon gère PAM, cela peut " "être utilisé pour permettre ou refuser certains services aux utilisateurs." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:959 msgid "" "FIXME (BUG): Is it a bug that the default ftpusers in Debian " "does not include all the administrative users (in base-" "passwd)." msgstr "" "FIXME (bogue) : Est-ce un bogue que le fichier par défaut ftpusers dans Debian ne contienne pas tous les utilisateurs " "d'administration (dans base-passwd) ?" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:963 msgid "" "A convenient way to add all system accounts to the /etc/ftpusers is to run" msgstr "" "Un moyen pratique d'ajouter tous les comptes système à /etc/ftpusers est d'exécuter" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:965 #, no-wrap msgid "$ awk -F : '{if ($3<1000) print $1}' /etc/passwd > /etc/ftpusers" msgstr "$ awk -F : '{if ($3<1000) print $1}' /etc/passwd > /etc/ftpusers" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:969 msgid "Using su" msgstr "Utilisation de su" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:980 msgid "" "If you really need users to become the super user on your system, e.g. for " "installing packages or adding users, you can use the command su " "to change your identity. You should try to avoid any login as user root and " "instead use su. Actually, the best solution is to remove " "su and switch to the sudo mechanism which has a " "broader logic and more features than su. However, su is more common as it is used on many other Unices." msgstr "" "Si vous avez réellement besoin que des utilisateurs deviennent " "superutilisateur sur le système, par exemple pour installer des paquets ou " "ajouter des utilisateurs, vous pouvez utiliser la commande su " "pour changer d'identité. Vous devriez essayer d'éviter toute connexion en " "tant que superutilisateur et d'utiliser à la place su. En " "réalité, la meilleure solution est de supprimer su et de " "changer pour le mécanisme sudo qui a une logique plus large et " "plus de fonctionnalités que su. Cependant, su est " "plus commun étant donné qu'il est utilisé sur beaucoup d'autres UNIX." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:982 msgid "Using sudo" msgstr "Utilisation de sudo" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:991 msgid "" "sudo allows the user to execute defined commands under another " "user's identity, even as root. If the user is added to /etc/sudoers and authenticates himself correctly, he is able to run commands which " "have been defined in /etc/sudoers. Violations, such as " "incorrect passwords or trying to run a program you don't have permission " "for, are logged and mailed to root." msgstr "" "sudo autorise l'utilisateur à exécuter des commandes définies " "sous l'identité d'un autre utilisateur, même en tant que superutilisateur. " "Si l'utilisateur est ajouté à /etc/sudoers et est authentifié " "correctement, il est capable de lancer des commandes qui ont été définies " "dans /etc/sudoers. Les infractions, telles que les mots de " "passe incorrects ou les tentatives de lancement d'un programme pour lequel " "vous n'avez pas les permissions, sont logguées et envoyées au " "superutilisateur." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:992 msgid "Disallow remote administrative access" msgstr "Désactiver des accès d'administration à distance" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:998 msgid "" "You should also modify /etc/security/access.conf to disallow " "remote logins to administrative accounts. This way users need to invoke " "su (or sudo) to use any administrative powers and " "the appropriate audit trace will always be generated." msgstr "" "Vous devriez également modifier /etc/security/access.conf pour " "désactiver la connexion d'administration à distance. Ainsi, les utilisateurs " "doivent exécuter su (ou sudo) pour utiliser des " "pouvoirs administratifs et ainsi la trace d'audit appropriée sera toujours " "générée." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1001 msgid "" "You need to add the following line to /etc/security/access.conf, the default Debian configuration file has a sample line commented out:" msgstr "" "Vous devez ajouter la ligne suivante à /etc/security/access.conf, le fichier de configuration par défaut Debian contient une ligne " "d'exemple commentée :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1003 #, no-wrap msgid " -:wheel:ALL EXCEPT LOCAL" msgstr " -:wheel:ALL EXCEPT LOCAL" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1010 msgid "" "Remember to enable the pam_access module for every service (or " "default configuration) in /etc/pam.d/ if you want your changes " "to /etc/security/access.conf honored." msgstr "" "Rappelez-vous d'activer le module pam_access pour chaque service " "(ou configuration par défaut) dans /etc/pam.d/ si vous voulez " "que vos modifications dans /etc/security/access.conf soient " "prises en compte." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1012 msgid "Restricting users's access" msgstr "Restriction des utilisateurs" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1019 msgid "" "Sometimes you might think you need to have users created in your local " "system in order to provide a given service (pop3 mail service or ftp). " "Before doing so, first remember that the PAM implementation in Debian GNU/" "Linux allows you to validate users with a wide variety of external directory " "services (radius, ldap, etc.) provided by the libpam packages." msgstr "" "Parfois, vous pensez avoir besoin d'utilisateurs créés dans le système local " "de façon à fournir un service donné (service courrier POP3 ou FTP). Avant " "tout, rappelez-vous que l'implémentation PAM dans Debian GNU/Linux vous " "autorise à valider les utilisateurs avec une grande variété de services " "d'annuaire externes (radius, LDAP, etc.) fournis par les paquets libpam." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1030 msgid "" "If users need to be created and the system can be accessed remotely take " "into account that users will be able to log in to the system. You can fix " "this by giving users a null (/dev/null) shell (it would need to " "be listed in /etc/shells). If you want to allow users to access " "the system but limit their movements, you can use the /bin/rbash, equivalent to adding the -r option in bash " "(RESTRICTED SHELL see ). Please " "note that even with restricted shell, a user that access an interactive " "program (that might allow execution of a subshell) could be able to bypass " "the limits of the shell." msgstr "" "Si des utilisateurs doivent être créés et que le système est accessible à " "distance, prenez en compte que des utilisateurs pourront se connecter au " "système. Cela peut être corrigé en donnant aux utilisateurs un interpréteur " "de commandes vide (/dev/null) (qui doit être dans /etc/" "shells). Si vous voulez autoriser les utilisateurs à accéder au " "système mais limiter leurs mouvements, vous pouvez utiliser le fichier " "/bin/rbash, ce qui est équivalent à l'ajout de l'option -r dans bash (consultez INTERPRÉTEUR RESTREINT dans ). Veuillez noter que même avec un interpréteur " "de commandes restreint, un utilisateur ayant accès à un programme interactif " "(qui peut permettre l'exécution d'un sous-interpréteur) peut être capable de " "passer outre les limites de l'interpréteur de commandes." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1038 msgid "" "Debian currently provides in the unstable release (and might be included in " "the next stable releases) the pam_chroot module (in the " "libpam-chroot). An alternative to it is to chroot the service that provides remote logging (ssh, " "telnet).

libpam-chroot has not " "been yet thoroughly tested, it does work for login but it might " "not be easy to set up the environment for other programs

" msgstr "" "Debian fournit actuellement dans la version unstable le module " "pam_chroot (dans le paquet libpam-chroot) " "(et il pourrait être inclus dans les prochaines versions stables). Une " "alternative à celui-ci est de chrooter le service qui fournit " "la connexion à distance (ssh, telnet). " "

libpam-chroot n'a pas encore été testé en " "profondeur, il fonctionne pour login, mais il est possible " "qu'il ne soit pas facile de mettre en place l'environnement pour d'autres " "programmes.

" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1042 msgid "" "If you wish to restrict when users can access the system you will " "have to customize /etc/security/access.conf for your needs." msgstr "" "Si vous voulez restreindre quand les utilisateurs peuvent accéder " "au système, vous devrez personnaliser /etc/security/access.conf " "en fonction de vos besoins." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1046 msgid "" "Information on how to chroot users accessing the system through " "the ssh service is described in ." msgstr "" "Des informations sur la façon de chrooter des utilisateurs " "accédant au système par le service ssh sont décrites dans ." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1048 msgid "User auditing" msgstr "Audit d'utilisateur" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1052 msgid "" "If you are really paranoid you might want to add a system-wide configuration " "to audit what the users are doing in your system. This sections presents " "some tips using diverse utilities you can use." msgstr "" "Si vous êtes vraiment paranoïaque, vous pourriez configurer l'environnement " "pour superviser ce que les utilisateurs font sur le système. Cette section " "présente quelques conseils avec différents utilitaires que vous pouvez " "utiliser." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1054 msgid "Input and output audit with script" msgstr "Audit d'entrée et sortie avec script" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1060 msgid "" "You can use the script command to audit both what the users run " "and what are the results of those commands. You cannot setup script as a shell (even if you add it to /etc/shells). But you " "can have the shell initialization file run the following:" msgstr "" "Vous pouvez utiliser la commande script pour surveiller à la " "fois ce que les utilisateurs exécutent et les résultats de leurs commandes. " "Vous ne pouvez pas configurer script comme un interpréteur de " "commandes (même si vous l'ajoutez à /etc/shells). Mais vous " "pouvez faire en sorte que le fichier d'initialisation de l'interpréteur de " "commandes exécute les commandes suivantes :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1063 #, no-wrap msgid "" "umask 077\n" "exec script -q -a \"/var/log/sessions/$USER\"" msgstr "" "umask 077\n" "exec script -q -a \"/var/log/sessions/$USER\"" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1070 msgid "" "Of course, if you do this system wide it means that the shell would not " "continue reading personal initialization files (since the shell gets " "overwritten by script). An alternative is to do this in the " "user's initialization files (but then the user could remove this, see the " "comments about this below)" msgstr "" "Bien sûr, si vous faites cela pour tout le système, cela veut dire que " "l'interpréteur ne continuerait pas à lire les fichiers d'initialisation " "personnels (car l'interpréteur sera écrasé par script). Une " "solution est de le faire dans les fichiers d'initialisation de l'utilisateur " "(mais l'utilisateur pourrait alors l'enlever, consultez les commentaires sur " "cela ci-dessous)." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1077 msgid "" "You also need to setup the files in the audit directory (in the example " "/var/log/sessions/) so that users can write to it but cannot " "remove the file. This could be done, for example, by creating the user " "session files in advance and setting them with the append-only flag " "using chattr." msgstr "" "Vous devez également configurer les fichiers dans le répertoire d'audit " "(dans l'exemple /var/log/sessions/) pour que les utilisateurs " "puissent y écrire, mais pas supprimer le fichier. Cela pourrait être fait, " "par exemple, en créant les fichiers de session d'utilisateur en avance et en " "positionnant l'option append-only (« append-only ») en " "utilisant chattr." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1082 msgid "" "A useful alternative for sysadmins, which includes date information would be:" msgstr "" "Une alternative utile pour les administrateurs système, qui inclut des " "informations de date, serait :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1085 #, no-wrap msgid "" "umask 077\n" "exec script -q -a \"/var/log/sessions/$USER-`date +%Y%m%d`\"" msgstr "" "umask 077\n" "exec script -q -a \"/var/log/sessions/$USER-`date +%Y%m%d`\"" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1089 msgid "Using the shell history file" msgstr "Utiliser le fichier d'historique de l'interpréteur de commandes" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1096 msgid "" "If you want to review what does the user type in the shell (but not what the " "result of that is) you can setup a system-wide /etc/profile " "that configures the environment so that all commands are saved into a " "history file. The system-wide configuration needs to be setup in such a way " "that users cannot remove audit capabilities from their shell. This is " "somewhat shell specific so make sure that all users are using a shell that " "supports this." msgstr "" "Si vous voulez passer en revue ce que les utilisateurs entrent dans " "l'interpréteur de commandes (mais sans voir le résultat), vous pouvez " "configurer un /etc/profile pour tout le système qui configure " "l'environnement pour que toutes les commandes soient enregistrées dans le " "fichier d'historique. La configuration pour tout le système doit être " "réalisée de telle façon que les utilisateurs ne puissent pas enlever les " "capacités d'audit de leur interpréteur de commandes. C'est plutôt spécifique " "à l'interpréteur de commandes, donc assurez-vous que tous les utilisateurs " "utilisent un interpréteur de commandes qui le permet." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1109 msgid "" "For example, for bash, the /etc/profile could be set as follows " "

Setting HISTSIZE to a very large number can cause issues under " "some shells since the history is kept in memory for every user session. You " "might be safer if you set this to a high-enough value and backup user's " "history files (if you need all of the user's history for some reason)

:" msgstr "" "Par exemple, pour bash, le fichier /etc/profile pourrait être " "paramétré ainsi

Configurer HISTSIZE à une très grande valeur " "peut poser des problèmes avec certains interpréteurs de commandes car " "l'historique est gardé en mémoire pour la session de chaque utilisateur. Il " "peut être plus prudent de positionner cela à une valeur assez élevée et de " "sauvegarder les fichiers d'historique des utilisateurs (si vous avez besoin " "de tout l'historique de l'utilisateur pour une raison ou une autre).

 :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1123 #, no-wrap msgid "" " HISTFILE=~/.bash_history\n" " HISTSIZE=10000\n" " HISTFILESIZE=999999\n" " # Don't let the users enter commands that are ignored\n" " # in the history file\n" " HISTIGNORE=\"\"\n" " HISTCONTROL=\"\"\n" " readonly HISTFILE\n" " readonly HISTSIZE\n" " readonly HISTFILESIZE\n" " readonly HISTIGNORE\n" " readonly HISTCONTROL\n" " export HISTFILE HISTSIZE HISTFILESIZE HISTIGNORE HISTCONTROL" msgstr "" " HISTFILE=~/.bash_history\n" " HISTSIZE=10000\n" " HISTFILESIZE=999999\n" " # Empêcher les utilisateurs d'entrer des commandes qui seraient\n" " # ignorées dans le fichier d'historique\n" " HISTIGNORE=\"\"\n" " HISTCONTROL=\"\"\n" " readonly HISTFILE\n" " readonly HISTSIZE\n" " readonly HISTFILESIZE\n" " readonly HISTIGNORE\n" " readonly HISTCONTROL\n" " export HISTFILE HISTSIZE HISTFILESIZE HISTIGNORE HISTCONTROL" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1134 msgid "" "For this to work, the user can only append information to ." "bash_history file. You need also to set the append-only option using chattr program for .bash_history " "for all users.

Without the append-only flag users would be able " "to empty the contents of the history file running > .bash_history." msgstr "" "Afin que cela fonctionne, l'utilisateur doit être seulement capable " "d'ajouter des informations au fichier .bash_history. Vous devez " "aussi positionner l'attribut append-only en utilisant le " "programme chattr sur .bash_history pour tous les " "utilisateurs.

Sans l'attribut append-only les utilisateurs " "seraient capables de vider le contenu du fichier des historiques avec " "> .bash_history.

" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1145 msgid "" "Note that you could introduce the configuration above in the user's ." "profile. But then you would need to setup permissions properly in " "such a way that prevents the user from modifying this file. This includes: " "having the user's home directories not belong to the user (since he " "would be able to remove the file otherwise) but at the same time enable them " "to read the .profile configuration file and write on the ." "bash_history. It would be good to set the immutable flag " "(also using chattr) for .profile too if you do it " "this way." msgstr "" "Notez que vous pouvez introduire la configuration ci-dessus dans le fichier " "utilisateur .profile. Mais alors vous devriez configurer les " "permissions correctement de façon à empêcher à l'utilisateur de modifier ce " "fichier. Cela inclut : les répertoires personnels de l'utilisateur ne " "doivent pas appartenir à l'utilisateur (sinon, il pourrait " "supprimer le fichier), mais en même temps lui permettre de lire le fichier " "de configuration .profile et d'écrire dans .bash_history. Il serait bien de configurer l'attribut immuable (également " "en utilisant chattr) pour le .profile aussi si " "vous procédez ainsi." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1147 msgid "Complete user audit with accounting utilities" msgstr "Audit utilisateur complet avec utilitaires de comptabilité" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1154 msgid "" "The previous example is a simple way to configure user auditing but might be " "not useful for complex systems or for those in which users do not run shells " "at all (or exclusively). If this is your case, you need to look at " "acct, the accounting utilities. These utilities will log " "all the commands run by users or processes in the system, at the expense of " "disk space." msgstr "" "L'exemple précédent est une manière simple de configurer l'audit " "utilisateur, mais qui peut ne pas être utile pour des systèmes complexes ou " "pour ceux dans lesquels les utilisateurs n'exécutent pas " "d'interpréteur de commandes du tout (ou exclusivement). Si c'est le cas, vous " "devrez examiner acct, les utilitaires de comptabilité. " "Ces utilitaires archiveront toutes les commandes exécutées par les " "utilisateurs ou processus du système au détriment de l'espace disque." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1160 msgid "" "When activating accounting, all the information on processes and users is " "kept under /var/account/, more specifically in the pacct. The accounting package includes some tools (sa, " "ac and lastcomm) to analyse this data." msgstr "" "Lors de l'activation de la comptabilité, toutes les informations sur les " "processus et utilisateurs sont conservées dans /var/account/, " "plus spécifiquement dans le fichier pacct. Le paquet de " "comptabilité inclut certains outils (sa et ac) " "afin d'analyser ces données." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1161 msgid "Other user auditing methods" msgstr "Autres méthodes d'audit utilisateur" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1174 msgid "" "If you are completely paranoid and want to audit every user's command, you " "could take bash source code, edit it and have it send all that " "the user typed into another file. Or have ttysnoop " "constantly monitor any new ttys

Ttys are spawned for local " "logins and remote logins through ssh and telnet

and dump the " "output into a file. Other useful program is snoopy (see " "also ) which is a user-transparent program that hooks in as a " "library providing a wrapper around execve() calls, any command " "executed is logged to syslogd using the authpriv " "facility (usually stored at /var/log/auth.log)." msgstr "" "Si vous êtes complètement paranoïaque et que vous voulez auditer toutes les " "commandes des utilisateurs, vous pouvez prendre les codes source de " "bash, les modifier et récupérer dans un fichier toutes les " "commandes qu'un utilisateur tape. Vous pourriez aussi avoir " "ttysnoop constamment en attente de nouveaux ttys " "

Les ttys sont créées pour les connexions locales et à distance " "par SSH et TELNET.

et déverser toutes les sorties dans un " "fichier. Un autre programme utile est snoopy (consultez " "également ) qui est un programme transparent pour l'utilisateur " "qui se positionne comme une bibliothèque fournissant une encapsulation des " "appels execve(), toute commande exécutée est journalisée par " "syslogd en utilisant la fonctionnalité authpriv " "(généralement stockée dans /var/log/auth.log)." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1176 msgid "Reviewing user profiles" msgstr "Inspection des profils utilisateurs" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1183 msgid "" "If you want to see what users are actually doing when they logon to " "the system you can use the wtmp database that includes all " "login information. This file can be processed with several utilities, " "amongst them sac which can output a profile on each user " "showing in which timeframe they usually log on to the system." msgstr "" "Si vous désirez voir ce que font vraiment les utilisateurs, comme " "l'heure à laquelle ils se connectent, vous pouvez utiliser la base de " "données wtmp qui contient toutes les informations concernant " "les connexions. Ce fichier peut être employé avec plusieurs utilitaires, " "parmi eux sac peut sortir un profil de chaque utilisateur " "montrant dans quel créneau horaire il se connecte habituellement au système." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1187 msgid "" "In case you have accounting activated, you can also use the tools provided " "by it in order to determine when the users access the system and what do " "they execute." msgstr "" "Dans le cas où vous avez la comptabilité activée, vous pouvez également " "utiliser les outils qu'elle fournit pour déterminer quand les utilisateurs " "accèdent au système et ce qu'ils exécutent." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1189 msgid "Setting users umasks" msgstr "Positionner des umasks aux utilisateurs" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1193 msgid "" "Depending on your user policy you might want to change how information is " "shared between users, that is, what the default permissions of new files " "created by users are." msgstr "" "En fonction de la politique d'utilisateur, vous pourriez modifier la façon " "dont les renseignements sont partagés entre utilisateurs, c'est-à-dire quels " "sont les droits de nouveaux fichiers par défaut créés par les utilisateurs." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1199 msgid "" "Debian's default umask setting is 022 this means that " "files (and directories) can be read and accessed by the user's group and by " "any other users in the system. This definition is set in the standard " "configuration file /etc/profile which is used by all shells." msgstr "" "Le paramètre umask par défaut de Debian est 022, cela " "signifie que les fichiers (et les répertoires) peuvent être lus et accédés " "par le groupe de l'utilisateur et par tout autre utilisateur du système. " "Cette définition est configurée dans le fichier de configuration normalisé " "/etc/profile utilisé par tous les interpréteurs de commandes." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1210 msgid "" "If Debian's default value is too permissive for your system you will have to " "change the umask setting for all the shells. More restrictive umask settings " "include 027 (no access is allowed to new files for the other group, " "i.e. to other users in the system) or 077 (no access is allowed to new files " "to the members the user's group). Debian (by default

As defined " "in /etc/adduser.conf (USERGROUPS=yes). You can change this " "behaviour if you set this value to no, although it is not recommended

) creates one group per user so that only the user is included in " "its group. Consequently 027 and 077 are equivalent as the user's group " "contains only the user himself." msgstr "" "Si la valeur par défaut de Debian est trop permissive pour le système, vous " "devrez changer ce paramètre umask pour tous les interpréteurs de commandes. " "Parmi les configurations plus restrictives d'umask, 027 (pas d'accès permis " "aux nouveaux fichiers pour le groupe other, c'est-à-dire aux autres " "utilisateurs du système) ou 077 (pas d'accès permis aux nouveaux fichiers " "pour les membres du groupe de l'utilisateur) peuvent être utilisés. Debian " "(par défaut

Tel que défini dans /etc/adduser.conf " "(USERGROUPS=yes). Vous pouvez modifier ce comportement en configurant cette " "valeur à « no », bien que ce ne soit pas recommandé.

) crée un " "groupe par utilisateur de telle sorte que seul l'utilisateur soit inclus " "dans son groupe. Par conséquent, 027 et 077 sont équivalents car le groupe " "de l'utilisateur ne contient que l'utilisateur lui-même." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1225 msgid "" "This change is set by defining a proper umask setting for all " "users. You can change this by introducing an umask call in the " "shell configuration files: /etc/profile (source by all Bourne-" "compatible shells), /etc/csh.cshrc, /etc/csh.login, /etc/zshrc and probably some others (depending on the " "shells you have installed on your system). You can also change the " "UMASK setting in /etc/login.defs, Of all of these " "the last one that gets loaded by the shell takes precedence. The order is: " "the default system configuration for the user's shell (i.e. /etc/" "profile and other system-wide configuration files) and then the " "user's shell (his ~/.profile, ~/.bash_profile, " "etc...). Some shells, however, can be executed with a nologin value " "which might skip sourcing some of those files. See your shell's manpage for " "additional information." msgstr "" "Cette modification est configurée en définissant un réglage correct de " "umask pour tous les utilisateurs. Vous pouvez modifier cela en " "introduisant un appel umask dans les fichiers de configuration " "de l'interpréteur de commandes : /etc/profile (source par tous " "les interpréteurs de commandes compatibles Bourne), /etc/csh.cshrc, /etc/csh.login, /etc/zshrc et probablement " "d'autres (en fonction des interpréteurs de commandes installés sur le " "système). Vous pouvez aussi modifier le réglage de UMASK dans " "/etc/login.defs. De toutes celles-là, la dernière chargée par " "l'interpréteur de commandes est prioritaire. L'ordre est : la configuration " "système par défaut pour l'interpréteur de l'utilisateur (c'est-à-dire /" "etc/profile et les autres fichiers de configuration globaux du " "système) et ensuite ceux de l'utilisateur (ses ~/.profile, " "~/.bash_profile, etc.). Certains interpréteurs, cependant, " "peuvent être exécutés avec une valeur nologin avec laquelle " "certains de ces fichiers pourraient être sautés. 
Consultez la page de manuel " "de l'interpréteur pour obtenir de plus amples renseignements." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1231 msgid "" "For connections that make use of login the UMASK definition in " "/etc/login.defs is used before any of the others. However, that " "value does not apply to user executed programs that do not use login such as those run through su, cron or " "ssh." msgstr "" "Pour les connexions qui utilisent login, la définition de " "UMASK de /etc/login.defs est utilisée avant toutes " "les autres. Cependant, cette valeur ne s'applique pas aux programmes " "exécutés par l'utilisateur qui n'utilisent pas login comme ceux " "exécutés à travers su, cron ou ssh." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1237 msgid "" "Don't forget to review and maybe modify the dotfiles under /etc/skel/ since these will be new user's defaults when created with the " "adduser command. Debian default dotfiles do not include any " "umask call but if there is any in the dotfiles newly created " "users might a different value." msgstr "" "N'oubliez pas de vérifier et éventuellement modifier les fichiers de " "configuration utilisateur sous /etc/skel/ car ce sont ceux qui " "seront utilisés par défaut quand ils sont créés avec la commande " "adduser. Les fichiers de configuration utilisateur Debian par " "défaut ne contiennent pas d'appel umask mais s'il y en a dans " "n'importe quel fichier de configuration utilisateur, les utilisateurs " "nouvellement créés pourraient avoir une valeur différente." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1241 msgid "" "Note, however that users can modify their own umask setting if they " "want to, making it more permissive or more restricted, by changing their own " "dotfiles." msgstr "" "Notez, cependant, que les utilisateurs peuvent modifier leur propre " "paramètre umask s'ils le désirent, le rendant plus permissif ou " "plus restrictif, en modifiant leurs propres fichiers de configuration " "utilisateur." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1245 msgid "" "The libpam-umask package adjusts the users' default " "umask using PAM. Add the following, after installing the package, " "to /etc/pam.d/common-session:" msgstr "" "Le paquet libpam-umask règle l'umask par défaut " "des utilisateurs en utilisant PAM (sur les versions récentes de Debian, " "pam_umask est fourni par libpam-modules et ce paquet n'est plus " "nécessaire). Après l'installation du paquet, ajoutez ceci à /etc/pam." "d/common-session :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1247 #, no-wrap msgid "session optional pam_umask.so umask=077" msgstr "session optional pam_umask.so umask=077" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1255 msgid "" "Finally, you should consider changing root's default 022 umask (as defined " "in /root/.bashrc) to a more strict umask. That will prevent the " "system administrator from inadvertenly dropping sensitive files when working " "as root to world-readable directories (such as /tmp) and having " "them available for your average user." msgstr "" "Enfin, vous devriez envisager de modifier l'umask par défaut du " "superutilisateur (022, tel que défini dans /root/.bashrc) en " "une valeur plus restrictive. Cela évitera à l'administrateur système de " "laisser fuir par inadvertance des fichiers sensibles lorsqu'il travaille en " "tant que superutilisateur dans des répertoires lisibles par tous (comme " "/tmp) et de les rendre ainsi lisibles par les autres utilisateurs." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1257 msgid "Limiting what users can see/access" msgstr "Limiter ce que les utilisateurs peuvent voir et accéder" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1261 msgid "" "FIXME: Content needed. Describe the consequences of changing packages " "permissions when upgrading (an admin this paranoid should chroot his users BTW) if not using dpkg-statoverride." msgstr "" "FIXME : Besoin de contenu. Indiquer les conséquences de changement des " "permissions des paquets lors d'une mise à jour (un administrateur aussi " "paranoïaque que cela devrait chrooter ses utilisateurs au " "passage) s'il n'utilise pas dpkg-statoverride." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1266 msgid "" "If you need to grant users access to the system with a shell think about it " "very carefully. A user can, by default unless in a severely restricted " "environment (like a chroot jail), retrieve quite a lot of " "information from your system including:" msgstr "" "Si vous avez besoin d'accorder aux utilisateurs un accès au système avec un " "interpréteur de commandes, réfléchissez-y très soigneusement. Un utilisateur " "peut, par défaut à moins d'être dans un environnement extrêmement restreint " "(comme une prison chroot), récupérer un assez grand nombre " "d'informations concernant le système, y compris :" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1275 msgid "" "some configuration files in /etc. However, Debian's default " "permissions for some sensitive files (which might, for example, contain " "passwords), will prevent access to critical information. To see which files " "are only accessible by the root user for example find /etc -type f -a -" "perm 600 -a -uid 0 as superuser." msgstr "" "certains fichiers de configuration dans /etc. Cependant, les " "permissions par défaut de Debian pour certains fichiers sensibles (qui " "peuvent, par exemple, contenir des mots de passe) empêcheront l'accès à des " "informations critiques. Pour voir quels fichiers ne sont accessibles que par " "le superutilisateur, exécutez par exemple find /etc -type f -a -perm 600 " "-a -uid 0 en tant que superutilisateur ;" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1279 msgid "" "your installed packages, either by looking at the package database, at the " "/usr/share/doc directory or by guessing by looking at the " "binaries and libraries installed in your system." msgstr "" "vos paquets installés, soit en consultant la base de données des paquets, " "soit dans le répertoire /usr/share/doc, soit en devinant en " "regardant les binaires et bibliothèques installés sur le système ;" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1285 msgid "" "some log files at /var/log. Note also that some log files are " "only accessible to root and the adm group (try find /var/log -" "type f -a -perm 640) and some are even only available to the root user " "(try find /var/log -type f -a -perm 600 -a -uid 0)." msgstr "" "certains fichiers journaux dans /var/log. Notez également que " "quelques fichiers journaux ne sont accessibles qu'au superutilisateur et au " "groupe adm (essayez find /var/log -type f -a -perm 640) et " "certains ne sont même disponibles que pour le superutilisateur (essayez " "find /var/log -type f -a -perm 600 -a -uid 0)." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1290 msgid "" "What can a user see in your system? Probably quite a lot of things, try this " "(take a deep breath):" msgstr "" "Que peut voir un utilisateur dans le système ? Probablement un assez " "grand nombre de choses, essayez ceci (prenez une profonde respiration ; " "avec les versions récentes de GNU find, la syntaxe -perm +mode est " "obsolète et doit être remplacée par -perm /mode, c'est-à-dire " "-perm /006 et -perm /007) :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1293 #, no-wrap msgid "" " find / -type f -a -perm +006 2>/dev/null \n" " find / -type d -a -perm +007 2>/dev/null" msgstr "" " find / -type f -a -perm +006 2>/dev/null \n" " find / -type d -a -perm +007 2>/dev/null" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1298 msgid "" "The output is the list of files that a user can see and the " "directories to which he has access." msgstr "" "La liste des fichiers qu'un utilisateur peut voir et des " "répertoires auxquels il a accès est affichée." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1300 msgid "Limiting access to other user's information" msgstr "Limiter l'accès aux informations d'autres utilisateurs" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1306 msgid "" "If you still grant shell access to users you might want to limit what " "information they can view from other users. Users with shell access have a " "tendency to create quite a number of files under their $HOMEs: mailboxes, " "personal documents, configuration of X/GNOME/KDE applications..." msgstr "" "Si vous accordez toujours un accès d'interpréteur de commandes aux " "utilisateurs, vous pouvez vouloir limiter les informations qu'ils peuvent " "voir des autres utilisateurs. Les utilisateurs ayant un accès d'interpréteur " "de commandes ont tendance à créer un grand nombre de fichiers dans leur " "répertoire $HOME : boîtes aux lettres, documents personnels, " "configuration des applications X/GNOME/KDE, etc." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1314 msgid "" "In Debian each user is created with one associated group, and no two users " "belong to the same group. This is the default behavior: when an user account " "is created, a group of the same name is created too, and the user is " "assigned to it. This avoids the concept of a common users group " "which might make it more difficult for users to hide information from other " "users." msgstr "" "Sous Debian, chaque utilisateur est créé avec un groupe associé et aucun " "utilisateur n'appartient au groupe d'un autre utilisateur. Il s'agit du " "comportement par défaut : quand un compte d'utilisateur est créé, un " "groupe du même nom est créé et l'utilisateur lui est attribué. Cela évite le " "concept d'un groupe users qui peut rendre plus difficile pour les " "utilisateurs de cacher des informations aux autres utilisateurs." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1319 msgid "" "However, users' $HOME directories are created with 0755 " "permissions (group-readable and world-readable). The group permissions is " "not an issue since only the user belongs to the group, however the world " "permissions might (or might not) be an issue depending on your local policy." msgstr "" "Cependant, les répertoires $HOME des utilisateurs sont créés avec " "les permissions 0755 (lisible par le groupe et par tout le monde). Les " "permissions de groupe ne sont pas un problème car seul l'utilisateur " "appartient au groupe, cependant les permissions pour les autres peuvent être " "(ou non) un problème selon vos règles locales." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1324 msgid "" "You can change this behavior so that user creation provides different " "$HOME permissions. To change the behavior for new users when " "they get created, change DIR_MODE in the configuration file /" "etc/adduser.conf to 0750 (no world-readable access)." msgstr "" "Vous pouvez changer ce comportement pour que la création d'utilisateur " "fournisse des permissions sur $HOME différentes. Pour changer ce " "comportement pour les nouveaux utilisateurs quand ils seront créés, " "changez DIR_MODE dans le fichier de configuration /etc/" "adduser.conf à 0750 (pas d'accès en lecture pour tout le monde)." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1327 msgid "" "Users can still share information, but not directly in their $HOME directories unless they change its permissions." msgstr "" "Les utilisateurs peuvent toujours partager des informations, mais pas " "directement dans leur répertoire $HOME à moins qu'ils ne changent " "les permissions de celui-ci." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1341 msgid "" "Note that disabling world-readable home directories will prevent users from " "creating their personal web pages in the ~/public_html " "directory, since the web server will not be able to read one component in " "the path - namely their $HOME directory. If you want to permit " "users to publish HTML pages in their ~/public_html, then change " "DIR_MODE to 0751. This will allow the web server to access the " "final public_html directory (which itself should have a mode of " "0755) and provide the content published by users. Of course, we are only " "talking about a default configuration here; users can generally tune modes " "of their own files completely to their liking, or you could keep content " "intended for the web in a separate location which is not a subdirectory of " "user's $HOME directory." msgstr "" "Notez que désactiver les répertoires utilisateur lisibles par tout le monde " "empêchera les utilisateurs de créer leurs pages personnelles dans le " "répertoire ~/public_html car le serveur web ne pourra pas lire " "un composant du chemin — leur répertoire $HOME. Si vous " "voulez permettre aux utilisateurs de publier des pages HTML dans leur " "~/public_html, changez DIR_MODE en 0751. Cela " "permettra au serveur web d'accéder à ce répertoire (qui devrait lui-même " "avoir le mode 0755) et de fournir le contenu publié par les utilisateurs. " "Bien sûr, nous ne parlons ici que d'une configuration par défaut ; les " "utilisateurs peuvent généralement ajuster les permissions de leurs fichiers " "comme ils le désirent, ou vous pouvez conserver le contenu destiné au web " "dans un emplacement séparé qui n'est pas un sous-répertoire du répertoire " "$HOME de chaque utilisateur." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1343 msgid "Generating user passwords" msgstr "Générer des mots de passe utilisateur" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1359 msgid "" "There are many cases when an administrator needs to create many user " "accounts and provide passwords for all of them. Of course, the administrator " "could easily just set the password to be the same as the user's account " "name, but that would not be very sensitive security-wise. A better approach " "is to use a password generating program. Debian provides " "makepasswd, apg and pwgen packages which provide programs (the name is the same as the " "package) that can be used for this purpose. Makepasswd will " "generate true random passwords with an emphasis on security over " "pronounceability while pwgen will try to make meaningless but " "pronounceable passwords (of course this might depend on your mother " "language). Apg has algorithms to provide for both (there is a " "client/server version for this program but it is not included in the Debian " "package)." msgstr "" "Il y a plusieurs cas dans lesquels un administrateur a besoin de créer un grand " "nombre de comptes utilisateur et de fournir des mots de passe pour tous ceux-" "ci. Bien sûr, l'administrateur peut facilement positionner le mot de passe " "pour être le même que le nom du compte utilisateur, mais cela n'est pas très " "conseillé sur le plan de la sécurité. Une meilleure approche est d'utiliser " "un programme de génération de mots de passe. Debian fournit les paquets " "makepasswd, apg et pwgen qui contiennent des programmes (dont le nom est le même que celui " "du paquet) qui peuvent être utilisés dans ce but. makepasswd " "génère des mots de passe vraiment aléatoires avec un accent sur la sécurité " "plus que la prononçabilité tandis que pwgen essaie de créer des " "mots de passe sans signification, mais prononçables (bien sûr, cela dépend " "de votre langue maternelle). apg dispose d'algorithmes pour les " "deux (il y a une version client/serveur pour ce programme, mais elle n'est " "pas incluse dans le paquet Debian). Quelle que soit la méthode, les mots de " "passe générés doivent être transmis aux utilisateurs par un canal sûr, et il " "est préférable d'en forcer le changement à la première connexion (par exemple " "avec chage -d 0 utilisateur)."
#. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1374 msgid "" "Passwd does not allow non-interactive assignation of passwords " "(since it uses direct tty access). If you want to change passwords when " "creating a large number of users you can create them using adduser with the --disabled-login option and then use usermod or chpasswd

Chpasswd cannot " "handle MD5 password generation so it needs to be given the password in " "encrypted form before using it, with the -e option.

" "(both from the passwd package so you already have them " "installed). If you want to use a file with all the information to make users " "as a batch process you might be better off using newusers." msgstr "" "passwd ne permet pas une attribution non interactive des mots " "de passe (car il utilise un accès direct au terminal tty). Si vous désirez " "changer des mots de passe lors de la création d'un grand nombre " "d'utilisateurs, vous pouvez les créer en utilisant adduser avec " "l'option --disabled-login, puis utiliser usermod ou " "chpasswd

chpasswd ne sait pas gérer " "la génération de mots de passe MD5, il faut donc lui donner le mot de passe " "sous sa forme chiffrée avant de l'utiliser avec l'option -e. Les versions " "récentes de chpasswd acceptent aussi l'option -c pour choisir la méthode " "de hachage (par exemple -c SHA512), préférable à MD5 pour de nouveaux " "mots de passe.

(tous les deux dans le paquet passwd, ils sont " "donc déjà installés). Si vous voulez utiliser un fichier avec toutes les " "informations pour créer les utilisateurs comme un processus batch, il sera " "probablement préférable d'utiliser newusers." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1376 msgid "Checking user passwords" msgstr "Vérifier les mots de passe utilisateur" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1388 msgid "" "User passwords can sometimes become the weakest link in the " "security of a given system. This is due to some users choosing weak " "passwords for their accounts (and the more of them that have access to it " "the greater the chances of this happening). Even if you established checks " "with the cracklib PAM module and password limits as described in users will still be able to use weak passwords. Since user " "access might include remote shell access (over ssh, hopefully) " "it's important to make password guessing as hard as possible for the remote " "attackers, especially if they were somehow able to collect important " "information such as usernames or even the passwd and " "shadow files themselves." msgstr "" "Les mots de passe des utilisateurs peuvent parfois devenir le maillon " "faible de la sécurité d'un système donné. Cela provient du fait que " "quelques utilisateurs choisissent des mots de passe faibles pour leur compte " "(et plus il y a d'utilisateurs, plus grandes sont les chances que cela se " "produise). Même si vous mettez en place des vérifications avec le module PAM " "cracklib et les limitations sur les mots de passe comme décrites dans , les utilisateurs pourront toujours utiliser des mots de " "passe faibles. Comme l'accès utilisateur peut inclure un accès à une invite " "de commandes à distance (en espérant que ce soit avec ssh), il " "est important de rendre les mots de passe aussi difficile à deviner que " "possible pour les attaquants à distance, particulièrement s'ils ont pu " "récupérer des informations importantes comme les noms d'utilisateur ou même " "les fichiers passwd et shadow eux-mêmes." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1393 msgid "" "A system administrator must, given a big number of users, check if the " "passwords they have are consistent with the local security policy. How to " "check? Try to crack them as an attacker would if he had access to the hashed " "passwords (the /etc/shadow file)." msgstr "" "Un administrateur système doit, suivant le nombre d'utilisateurs, vérifier " "si les mots de passe sont cohérents avec la règle locale de sécurité. " "Comment vérifier ? Essayez de les casser comme le ferait un attaquant " "s'il avait accès aux mots de passe hachés (le fichier /etc/shadow)." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1403 msgid "" "An administrator can use john or crack " "(both are brute force password crackers) together with an appropriate " "wordlist to check users' passwords and take appropriate action when a weak " "password is detected. You can search for Debian GNU packages that contain " "word lists using apt-cache search wordlist, or visit the " "classic Internet wordlist sites such as or ." msgstr "" "Un administrateur peut utiliser john ou crack (tous deux utilisent la force brute) ensemble avec une liste de " "mots appropriés pour vérifier les mots de passe utilisateurs et prendre des " "mesures appropriées si un mot de passe faible est détecté. Vous pouvez " "rechercher des paquets Debian contenant des listes de mots en utilisant " "apt-cache search wordlist ou vous pouvez également visiter des " "sites de listes de mots sur Internet classique comme ou ." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1405 msgid "Logging off idle users" msgstr "Déconnecter les utilisateurs inactifs (idle)" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1410 msgid "" "Idle users are usually a security problem, a user might be idle maybe " "because he's out to lunch or because a remote connection hung and was not re-" "established. For whatever the reason, idle users might lead to a compromise:" msgstr "" "L'inactivité des utilisateurs pose habituellement un problème de sécurité, " "un utilisateur peut être inactif parce qu'il est parti déjeuner ou parce " "qu'une connexion à distance s'est bloquée et n'a pas été rétablie. Quelle qu'en " "soit la raison, les utilisateurs inactifs peuvent amener à une " "compromission :" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1414 msgid "" "because the user's console might be unlocked and can be accessed by an " "intruder." msgstr "" "car la console de l'utilisateur peut être débloquée et peut être accédée par " "un intrus ;" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1418 msgid "" "because an attacker might be able to re-attach himself to a closed network " "connection and send commands to the remote shell (this is fairly easy if the " "remote shell is not encrypted as in the case of telnet)." msgstr "" "car un attaquant peut être capable de se rattacher lui-même à une connexion " "réseau fermée et envoyer des commandes à l'invite de commandes distante " "(c'est assez facile si l'invite de commandes distante n'est pas chiffrée " "comme avec telnet)." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1423 msgid "" "Some remote systems have even been compromised through an idle (and " "detached) screen." msgstr "" "Certains systèmes à distance ont même été compromis à travers un " "screen inactif (et détaché)." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1426 msgid "" "Automatic disconnection of idle users is usually a part of the local " "security policy that must be enforced. There are several ways to do this:" msgstr "" "La déconnexion automatique des utilisateurs inactifs est habituellement une " "partie qui doit être imposée par les règles de sécurité locales. Plusieurs " "moyens existent pour cela :" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1433 msgid "" "If bash is the user shell, a system administrator can set a " "default TMOUT value (see ) " "which will make the shell automatically log off remote idle users. Note that " "it must be set with the -o option or users will be able to change " "(or unset) it." msgstr "" "si bash est l'interpréteur de commandes de l'utilisateur, un " "administrateur système peut positionner une valeur TMOUT par défaut " "(consultez ) qui entraînera la " "déconnexion automatique des utilisateurs distants inactifs. Notez que cette " "variable doit être déclarée en lecture seule (par exemple readonly TMOUT=600 " "dans /etc/profile) ou les utilisateurs pourront la changer (ou la " "désactiver) ;" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1440 msgid "" "Install timeoutd and configure /etc/timeouts " "according to your local security policy. The daemon will watch for idle " "users and time out their shells accordingly." msgstr "" "installez timeoutd et configurez /etc/timeouts selon vos règles de sécurité locales. Le démon regardera les " "utilisateurs inactifs et mettra un terme à leur invite de commandes en " "fonction ;" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1442 msgid "" "Install autolog and configure it to remove idle users." msgstr "" "installez autolog et configurez-le pour enlever les " "utilisateurs inactifs." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1450 msgid "" "The timeoutd or autolog daemons are the preferred " "method since, after all, users can change their default shell or can, after " "running their default shell, switch to another (uncontrolled) shell." msgstr "" "Les démons timeoutd et autolog sont les méthodes " "préférées car, après tout, les utilisateurs peuvent changer d'interpréteur " "de commandes par défaut ou peuvent, après avoir exécuté leur interpréteur de " "commandes par défaut, basculer sur un autre interpréteur de commandes (non " "contrôlé)." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1452 msgid "Using tcpwrappers" msgstr "Utilisation de tcpwrappers" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1461 msgid "" "TCP wrappers were developed when there were no real packet filters available " "and access control was needed. Nevertheless, they're still very interesting " "and useful. The TCP wrappers allow you to allow or deny a service for a host " "or a domain and define a default allow or deny rule (all performed on the " "application level). If you want more information take a look at ." msgstr "" "L'encapsulation TCP a été développée quand il n'y avait pas de réels filtres " "de paquets disponibles et que les contrôles d'accès étaient nécessaires. " "Toutefois, elle est toujours très intéressante et utile. L'encapsulation " "TCP vous permet d'autoriser ou de refuser un service à un hôte ou à un " "domaine et de définir une règle par défaut pour les autorisations et les " "refus (toutes réalisées au niveau applicatif). Pour plus de détails, jetez " "un œil à ." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1463 msgid "Many services installed in Debian are either:" msgstr "De nombreux services installés dans Debian sont soit :" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1465 msgid "launched through the tcpwrapper service (tcpd)" msgstr "lancés par le service tcpwrapper (tcpd) ;" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1466 msgid "compiled with libwrapper support built-in." msgstr "compilés avec la prise en charge de libwrapper." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1481 msgid "" "On the one hand, for services configured in /etc/inetd.conf " "(this includes telnet, ftp, netbios, " "swat and finger) you will see that the " "configuration file executes /usr/sbin/tcpd first. On the other " "hand, even if a service is not launched by the inetd " "superdaemon, support for the tcp wrappers rules can be compiled into it. " "Services compiled with tcp wrappers in Debian include ssh, " "portmap, in.talk, rpc.statd, " "rpc.mountd, gdm, oaf (the GNOME " "activator daemon), nessus and many others." msgstr "" "D'un côté, pour des services configurés dans /etc/inetd.conf " "(cela comprend telnet, ftp, netbios, " "swat et finger), vous observerez que le fichier de " "configuration exécute avant tout /usr/sbin/tcpd. D'un autre " "côté, même si un service n'est pas lancé par le super démon inetd, il peut être compilé avec la prise en charge pour les règles " "d'encapsulation TCP. Les services suivants sont compilés avec prise en charge " "d'encapsulation TCP dans Debian : ssh, portmap, " "in.talk, rpc.statd, rpc.mountd, " "gdm, oaf (le démon d'activation GNOME), " "nessus et beaucoup d'autres." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1491 msgid "" "To see which packages use tcpwrappers

On older Debian releases " "you might need to do this: $ apt-cache showpkg libwrap0 | egrep '^" "[[:space:]]' | sort -u | \\ sed 's/,libwrap0$//;s/^[[:space:]]\\+//'

try:" msgstr "" "Pour voir quels paquets utilisent tcpwrappers

Pour les " "anciennes versions de Debian, vous pourriez devoir utiliser : $ " "apt-cache showpkg libwrap0 | egrep '^[[:space:]]' | sort -u | \\ sed 's/," "libwrap0$//;s/^[[:space:]]\\+//'

, essayez :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1493 #, no-wrap msgid " $ apt-cache rdepends libwrap0" msgstr " $ apt-cache rdepends libwrap0" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1504 msgid "" "Take this into account when running tcpdchk (a very useful TCP " "wrappers config file rule and syntax checker). When you add stand-alone " "services (that are directly linked with the wrapper library) into the " "hosts.deny and hosts.allow files, tcpdchk will warn you that it is not able to find the mentioned services since " "it only looks for them in /etc/inetd.conf (the manpage is not " "totally accurate here)." msgstr "" "Tenez compte de cela quand vous utilisez tcpdchk (un " "vérificateur très utile de règles et syntaxe de fichier de configuration " "d'encapsulation TCP). Quand vous ajoutez des services indépendants " "(qui sont liés directement à la bibliothèque d'encapsulation) dans les fichiers " "hosts.deny et hosts.allow, tcpdchk " "vous informera qu'il ne peut pas trouver les services mentionnés étant donné " "qu'il ne les cherche que dans /etc/inetd.conf (la page de manuel n'est " "pas totalement précise ici)." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1512 msgid "" "Now, here comes a small trick, and probably the smallest intrusion detection " "system available. In general, you should have a decent firewall policy as a " "first line, and tcp wrappers as the second line of defense. One little trick " "is to set up a SPAWN

be sure to use uppercase here " "since spawn will not work

command in /etc/" "hosts.deny that sends mail to root whenever a denied service triggers " "wrappers:" msgstr "" "À présent, voici une petite astuce et probablement le plus petit système de " "détection d'intrusions disponible. Généralement, vous devriez disposer d'une " "politique correcte concernant le pare-feu en première ligne, puis disposer " "de l'encapsulation TCP en seconde ligne de défense. Un petit truc est de " "mettre en place une commande SPAWN

Assurez-vous d'utiliser des " "majuscules sinon spawn ne fonctionnera pas.

dans /" "etc/hosts.deny qui enverra un courrier au superutilisateur quand un service " "refusé déclenche l'encapsulation :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1522 #, no-wrap msgid "" " ALL: ALL: SPAWN ( \\\n" " echo -e \"\\n\\\n" " TCP Wrappers\\: Connection refused\\n\\\n" " By\\: $(uname -n)\\n\\\n" " Process\\: %d (pid %p)\\n\\\n" " User\\: %u\\n\\\n" " Host\\: %c\\n\\\n" " Date\\: $(date)\\n\\\n" " \" | /usr/bin/mail -s \"Connection to %d blocked\" root) &" msgstr "" " ALL: ALL: SPAWN ( \\\n" " echo -e \"\\n\\\n" " Encapsulation TCP \\: Connexion refusée\\n\\\n" " Par \\: $(uname -n)\\n\\\n" " Processus \\: %d (pid %p)\\n\\\n" " Utilisateur \\: %u\\n\\\n" " Hôte \\: %c\\n\\\n" " Date \\: $(date)\\n\\\n" " \" | /usr/bin/mail -s \"Connexion à %d bloquée\" root) &" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1556 msgid "" "Beware: The above printed example is open to a DoS attack by making " "many connections in a short period of time. Many emails mean a lot of file I/" "O by sending only a few packets." msgstr "" "Attention : L'exemple ci-dessus peut-être facilement sujet à " "une attaque par déni de service en soumettant énormément de connexions dans " "une période très courte. De nombreux courriers signifient de nombreuses E/S " "en envoyant uniquement quelques paquets." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1558 msgid "The importance of logs and alerts" msgstr "L'importance des journaux et des alertes" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1564 msgid "" "It is easy to see that the treatment of logs and alerts is an important " "issue in a secure system. Suppose a system is perfectly configured and 99% " "secure. If the 1% attack occurs, and there are no security measures in place " "to, first, detect this and, second, raise alarms, the system is not secure " "at all." msgstr "" "Il est facile de voir que le traitement de journaux et alertes est un " "problème sérieux sur un système sécurisé. Supposons qu'un système est " "parfaitement configuré et sécurisé à 99 %. Si l'attaque représentant le 1 % " "vient à arriver et qu'il n'y a pas de mesures de sécurité mises en place " "pour, dans un premier temps, détecter cela et, dans un deuxième temps, " "lancer l'alerte, le système n'est pas sécurisé du tout." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1576 msgid "" "Debian GNU/Linux provides some tools to perform log analysis, most notably " "swatch,

there's a very good article on it " "written by

logcheck or log-" "analysis (all will need some customisation to remove unnecessary " "things from the report). It might also be useful, if the system is nearby, " "to have the system logs printed on a virtual console. This is useful since " "you can (from a distance) see if the system is behaving properly. Debian's " "/etc/syslog.conf comes with a commented default configuration; " "to enable it uncomment the lines and restart syslogd (/etc/" "init.d/syslogd restart):" msgstr "" "Debian GNU/Linux fournit quelques outils pour effectuer des analyses de " "journaux, notamment swatch

Il y a un très bon " "article sur celui-ci écrit par .

, logcheck ou " "log-analysis (tous ont besoin d'être personnalisés pour " "enlever les choses non nécessaires des comptes-rendus). Il peut être " "également utile, si le système est proche, d'avoir les journaux du système " "affichés sur une console virtuelle. C'est utile car vous pouvez (de loin) " "voir si le système se comporte correctement. Le fichier /etc/syslog." "conf de Debian est fourni avec une configuration commentée par " "défaut ; pour l'activer, décommentez les lignes et redémarrez " "syslogd (/etc/init.d/syslogd restart) :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1581 #, no-wrap msgid "" " daemon,mail.*;\\\n" " news.=crit;news.=err;news.=notice;\\\n" " *.=debug;*.=info;\\\n" " *.=notice;*.=warn /dev/tty8" msgstr "" " daemon,mail.*;\\\n" " news.=crit;news.=err;news.=notice;\\\n" " *.=debug;*.=info;\\\n" " *.=notice;*.=warn /dev/tty8" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1619 msgid "" "To colorize the logs, you could take a look at colorize, " "ccze or glark. There is a lot to log " "analysis that cannot be fully covered here, so a good information resource " "would be books should as . In any case, even automated tools are no match for the best " "analysis tool: your brain." msgstr "" "Pour colorer les journaux, vous pouvez jeter un œil à " "colorize, ccze ou glark. Une grande partie de l'analyse des journaux ne peut pas être " "couverte ici, une bonne ressource d'informations est disponible dans les " "livres comme . Dans tous les cas, même des outils automatiques ne peuvent " "rivaliser avec le meilleur outil d'analyse : votre cerveau." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1621 msgid "Using and customizing logcheck" msgstr "Utiliser et personnaliser logcheck" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1629 msgid "" "The logcheck package in Debian is divided into the three " "packages logcheck (the main program), logcheck-" "database (a database of regular expressions for the program) and " "logtail (prints loglines that have not yet been read). " "The Debian default (in /etc/cron.d/logcheck) is that " "logcheck is run every hour and after reboots." msgstr "" "Le paquet logcheck dans Debian est divisé en trois paquets " "logcheck (le programme principal), logcheck-" "database (une base de données d'expressions rationnelles pour le " "programme) et logtail (affiche les lignes du journal qui " "n'ont pas encore été lues). Le comportement par défaut sous Debian (dans " "/etc/cron.d/logcheck) est que logcheck est exécuté " "toutes les heures et une fois après le démarrage." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1650 msgid "" "This tool can be quite useful if properly customized to alert the " "administrator of unusual system events. Logcheck can be fully " "customized so that it sends mails based on events found in the logs and " "worthy of attention. The default installation includes profiles for ignored " "events and policy violations for three different setups (workstation, server " "and paranoid). The Debian package includes a configuration file /etc/" "logcheck/logcheck.conf, sourced by the program, that defines which " "user the checks are sent to. It also provides a way for packages that " "provide services to implement new policies in the directories: /etc/" "logcheck/cracking.d/_packagename_, /etc/logcheck/violations.d/" "_packagename_, /etc/logcheck/violations.ignore.d/_packagename_, /etc/logcheck/ignore.d.paranoid/_packagename_, /" "etc/logcheck/ignore.d.server/_packagename_, and /etc/logcheck/" "ignore.d.workstation/_packagename_. However, not many packages " "currently do so. If you have a policy that can be useful for other users, " "please send it as a bug report for the appropriate package (as a " "wishlist bug). For more information read /usr/share/doc/" "logcheck/README.Debian." msgstr "" "Cet outil peut être assez utile s'il est personnalisé correctement pour " "alerter l'administrateur d'événements système inhabituels. logcheck peut être complètement personnalisé pour envoyer des courriers selon " "les événements récupérés des journaux et qui sont dignes d'attention. " "L'installation par défaut inclut des profils pour des événements ignorés et " "des violations de règles pour trois configurations différentes (station de " "travail, serveur et paranoïaque). Le paquet Debian contient un fichier de " "configuration /etc/logcheck/logcheck.conf, qui définit à quel " "utilisateur sont envoyés les vérifications. 
Il permet également aux paquets " "qui fournissent des services d'implémenter de nouvelles règles dans les " "répertoires : /etc/logcheck/cracking.d/_paquet_, /" "etc/logcheck/violations.d/_paquet_, /etc/logcheck/violations." "ignore.d/_paquet_, /etc/logcheck/ignore.d.paranoid/_paquet_, /etc/logcheck/ignore.d.server/_paquet_ et /etc/" "logcheck/ignore.d.workstation/_paquet_. Cependant, peu de paquets le " "font actuellement. Si vous avez une règle qui peut être utile à d'autres " "utilisateurs, veuillez l'envoyer comme un rapport de bogue sur le paquet " "approprié (comme un bogue de gravité wishlist). Pour obtenir plus " "de renseignements, veuillez consulter /usr/share/doc/logcheck/README." "Debian." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1663 msgid "" "The best way to configure logcheck is to edit its main " "configuration file /etc/logcheck/logcheck.conf after " "installation. Change the default user (root) to whom reports should be " "mailed. You should set the reportlevel in there, too. logcheck-" "database has three report levels of increasing verbosity: " "workstation, server, paranoid. \"server\" being the default level, paranoid " "is only recommended for high-security machines running as few services as " "possible and workstation for relatively sheltered, non-critical machines. If " "you wish to add new log files just add them to /etc/logcheck/logcheck." "logfiles. It is tuned for default syslog install." msgstr "" "Le meilleur moyen de configurer logcheck est d'éditer son " "fichier de configuration principal /etc/logcheck/logcheck.conf " "après l'avoir installé. Modifiez l'utilisateur par défaut (root) à qui " "seront envoyés par courrier les comptes-rendus. Vous devriez également y " "positionner le niveau de compte-rendu. logcheck-database " "a trois niveaux de compte-rendu de verbosité croissante : station de " "travail, serveur, paranoïaque. « serveur » étant le niveau par " "défaut, « paranoïaque » n'est recommandé que pour les machines de " "haute sécurité ne faisant fonctionner qu'aussi peu de services que possible " "et « station de travail » est pour les machines relativement " "protégées et non critiques. Si vous désirez ajouter de nouveaux fichiers " "journaux, ajoutez-les simplement à /etc/logcheck/logcheck.logfiles. Celui-ci est configuré pour une installation de syslog par défaut." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1678 msgid "" "Once this is done you might want to check the mails that are sent, for the " "first few days/weeks/months. If you find you are sent messages you do not " "wish to receive, just add the regular expressions (see and ) that correspond " "to these messages to the /etc/logcheck/ignore.d.reportlevel/" "local. Try to match the whole logline. Details on howto write rules " "are explained in /usr/share/doc/logcheck-database/README.logcheck-" "database.gz. It's an ongoing tuning process; once the messages that " "are sent are always relevant you can consider the tuning finished. Note that " "if logcheck does not find anything relevant in your system it " "will not mail you even if it does run (so you might get a mail only once a " "week, if you are lucky)." msgstr "" "Une fois fait, vous pouvez vouloir vérifier les courriers envoyés, pour les " "quelques premiers jours, semaines ou mois. Si vous estimez recevoir des messages " "indésirables, ajoutez simplement l'expression rationnelle (consultez et ) qui " "correspond à ces messages au fichier /etc/logcheck/ignore.d." "niveau_de_compte-rendu /local. Essayez de faire " "correspondre à la ligne entière du journal. Des détails sur l'écriture des " "règles sont expliqués dans /usr/share/doc/logcheck-database/README." "logcheck-database.gz. C'est un processus d'affinement " "perpétuel ; une fois que les messages envoyés sont toujours pertinents, " "vous pouvez considérer que l'affinement est terminé. Notez que si " "logcheck ne trouve rien de pertinent dans le système, il ne " "vous enverra pas de courrier même s'il fonctionne (donc, vous pouvez ne " "recevoir de courrier qu'une fois par semaine si vous êtes chanceux)." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1680 msgid "Configuring where alerts are sent" msgstr "Configurer l'endroit où les alertes sont envoyées" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1687 msgid "" "Debian comes with a standard syslog configuration (in /etc/" "syslog.conf) that logs messages to the appropriate files depending on " "the system facility. You should be familiar with this; have a look at the " "syslog.conf file and the documentation if not. If you intend to " "maintain a secure system you should be aware of where log messages are sent " "so they do not go unnoticed." msgstr "" "Debian livre une configuration standard de syslog (dans /etc/syslog." "conf) qui archive les messages dans les fichiers appropriés en " "fonction de la facilité du système. Vous devriez être familier avec " "cela ; jetez un œil au fichier syslog.conf et à la " "documentation si vous ne l'êtes pas. Si vous avez l'intention de maintenir " "un système sécurisé, vous devriez être conscient de l'endroit où les " "journaux sont envoyés afin qu'ils ne passent pas inaperçus." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1692 msgid "" "For example, sending messages to the console also is an interesting setup " "useful for many production-level systems. But for many such systems it is " "also important to add a new machine that will serve as loghost (i.e. it " "receives logs from all other systems)." msgstr "" "Par exemple, envoyer des messages à la console est également utile pour de " "nombreux systèmes de production. Mais pour de nombreux systèmes semblables " "il est également important d'ajouter une nouvelle machine qui servira de " "serveur de journalisation (il reçoit les journaux de tous les autres " "systèmes)." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1699 msgid "" "Root's mail should be considered also, many security controls (like " "snort) send alerts to root's mailbox. This mailbox " "usually points to the first user created in the system (check /etc/" "aliases). Take care to send root's mail to some place where it will " "be read (either locally or remotely)." msgstr "" "Le courrier du superutilisateur devrait être pris en considération " "également, de nombreux contrôles de sécurité (comme snort) envoient des alertes dans la boîte aux lettres du " "superutilisateur. Celle-ci pointe généralement sur le premier utilisateur " "créé sur le système (vérifiez /etc/aliases). Veillez à envoyer " "le courrier du superutilisateur à un endroit où il sera lu (soit localement " "soit à distance)." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1704 msgid "" "There are other role accounts and aliases on your system. On a small system, " "it's probably simplest to make sure that all such aliases point to the root " "account, and that mail to root is forwarded to the system administrator's " "personal mailbox." msgstr "" "Il y a d'autres comptes et alias « rôles » sur le système. Sur un " "petit système, le plus simple est probablement de s'assurer que tous ces " "alias pointent vers le compte du superutilisateur, et que les messages à " "destination du superutilisateur sont retransmis vers la boîte aux lettres " "personnelle de l'administrateur système." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1710 msgid "" "FIXME: It would be interesting to tell how a Debian system can send/receive " "SNMP traps related to security problems (jfs). Check: snmptrapfmt, snmp and snmpd." msgstr "" "FIXME : Il serait intéressant de dire comment un système Debian peut envoyer/" "recevoir des messages SNMP relatifs à des problèmes de sécurité (jfs). " "Voir : snmptrapfmt, snmp et " "snmpd." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1712 msgid "Using a loghost" msgstr "Utilisation d'un hôte d'archivage (loghost)" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1727 msgid "" "A loghost is a host which collects syslog data remotely over the network. If " "one of your machines is cracked, the intruder is not able to cover his " "tracks, unless he hacks the loghost as well. So, the loghost should be " "especially secure. Making a machine a loghost is simple. Just start the " "syslogd with syslogd -r and a new loghost is born. In " "order to do this permanently in Debian, edit /etc/default/syslogd and change the line" msgstr "" "Un loghost est un hôte qui recueille les données des syslog à travers le " "réseau. Si l'une de vos machines est piratée, l'intrus n'est pas capable de " "dissimuler ses traces, à moins qu'il ne pirate également le loghost. Par " "conséquent, le loghost devrait être particulièrement sécurisé. Faire d'une " "machine un loghost est simple. Il suffit juste de démarrer le syslogd avec syslogd -r et un nouveau loghost est né. De façon à " "rendre cela permanent dans Debian, éditez /etc/default/syslogd " "et changez la ligne" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1729 #, no-wrap msgid "SYSLOGD=\"\"" msgstr "SYSLOGD=\"\"" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1731 msgid "to" msgstr "par" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1733 #, no-wrap msgid "SYSLOGD=\"-r\"" msgstr "SYSLOGD=\"-r\"" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1738 msgid "" "Next, configure the other machines to send data to the loghost. Add an entry " "like the following to /etc/syslog.conf:" msgstr "" "Ensuite, configurez les autres machines afin qu'elles envoient les données " "au loghost. Ajoutez une entrée comme celle qui suit dans /etc/syslog." "conf :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1740 #, no-wrap msgid " facility.level @your_loghost" msgstr " facilité.niveau @votre_loghost" #. 
type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1746 msgid "" "See the documentation for what to use in place of facility and " "level (they should not be entered verbatim like this). If you want " "to log everything remotely, just write:" msgstr "" "Consultez la documentation pour savoir ce qu'on peut utiliser à la place de " "facilité et niveau (ils ne devraient pas être mot pour mot " "comme cela). Si vous voulez tout archiver à distance, il suffit " "d'écrire :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1748 #, no-wrap msgid " *.* @your_loghost" msgstr " *.* @votre_loghost" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1757 msgid "" "into your syslog.conf. Logging remotely as well as locally is " "the best solution (the attacker might presume to have covered his tracks " "after deleting the local log files). See the , and manpages for additional information." msgstr "" "dans syslog.conf. Archiver à distance ainsi que localement est " "la meilleure solution (le pirate peut estimer avoir couvert ses traces après " "la suppression des fichiers de journalisation locaux). Consultez les pages " "de manuel , et pour toutes " "informations complémentaires." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1759 msgid "Log file permissions" msgstr "Permissions du fichier de journalisation" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1770 msgid "" "It is not only important to decide how alerts are used, but also who has " "read/modify access to the log files (if not using a remote loghost). " "Security alerts which the attacker can change or disable are not worth much " "in the event of an intrusion. Also, you have to take into account that log " "files might reveal quite a lot of information about your system to an " "intruder if he has access to them." msgstr "" "Il est important de décider non seulement comment les alertes sont " "utilisées, mais aussi qui y accède, c'est-à-dire qui peut lire ou modifier " "les fichiers de journalisation (en absence d'hôte d'archivage). Les alertes " "de sécurité que l'attaquant peut modifier ou désactiver sont de peu de " "valeur en cas d'intrusion. Vous devez également prendre en compte que les " "fichiers de journalisation peuvent révéler un grand nombre d'informations à " "propos du système à un intrus s'il y a accès." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1780 msgid "" "Some log file permissions are not perfect after the installation (but of " "course this really depends on your local security policy). First /var/" "log/lastlog and /var/log/faillog do not need to be " "readable by normal users. In the lastlog file you can see who " "logged in recently, and in the faillog you see a summary of " "failed logins. The author recommends chmod 660 for both. Take a " "brief look at your log files and decide very carefully which log files to " "make readable/writable for a user with a UID other than 0 and a group other " "than 'adm' or 'root'. You can easily check this in your system with:" msgstr "" "Certaines permissions de fichiers de journalisation ne sont pas parfaites " "après l'installation (mais, bien sûr, cela dépend vraiment de vos règles de " "sécurité locales). Premièrement /var/log/lastlog et /var/" "log/faillog n'ont pas besoin d'être lisibles par les utilisateurs " "normaux. Dans lastlog, vous pouvez voir qui s'est connecté " "récemment, et dans faillog, vous voyez un résumé des connexions " "qui ont échouées. L'auteur recommande de faire un chmod 660 sur " "les deux fichiers. Faites un tour rapide des fichiers de journalisation et " "décidez avec beaucoup d'attention quels fichiers de journalisation vous " "rendez lisible ou modifiable par un utilisateur avec un UID différent de 0 " "et un autre groupe que « adm Â» ou « root Â». Vous pouvez " "facilement vérifier cela sur le système avec :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1789 #, no-wrap msgid "" " # find /var/log -type f -exec ls -l {} \\; | cut -c 17-35 |sort -u\n" " (see to what users do files in /var/log belong)\n" " # find /var/log -type f -exec ls -l {} \\; | cut -c 26-34 |sort -u\n" " (see to what groups do files in /var/log belong)\n" " # find /var/log -perm +004\n" " (files which are readable by any user)\n" " # find /var/log \\! -group root \\! 
-group adm -exec ls -ld {} \\;\n" " (files which belong to groups not root or adm)" msgstr "" " # find /var/log -type f -exec ls -l {} \\; | cut -c 17-35 |sort -u\n" " (voir à quels utilisateurs appartiennent les fichiers de /var/log)\n" " # find /var/log -type f -exec ls -l {} \\; | cut -c 26-34 |sort -u\n" " (voir à quels groupes appartiennent les fichiers de /var/log)\n" " # find /var/log -perm +004\n" " (fichiers lisibles par tout utilisateur)\n" " # find /var/log \\! -group root \\! -group adm -exec ls -ld {} \\;\n" " (fichiers appartenant à des groupes autres que root ou adm)" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1803 msgid "" "To customize how log files are created you will probably have to customize " "the program that generates them. If the log file gets rotated, however, you " "can customize the behavior of creation and rotation." msgstr "" "Pour personnaliser la façon dont les fichiers de journalisation sont créés, " "vous devez probablement personnaliser le programme qui les génère. " "Cependant, si le fichier de journalisation est archivé, vous pouvez " "personnaliser le comportement de la création et de l'archivage." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1805 msgid "Adding kernel patches" msgstr "Les utilitaires pour ajouter des correctifs au noyau" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1808 msgid "" "Debian GNU/Linux provides some of the patches for the Linux kernel that " "enhance its security. These include:" msgstr "" "Debian GNU/Linux fournit quelques correctifs pour le noyau Linux qui " "améliorent sa sécurité. En voici quelques-uns :" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1819 msgid "" " provided " "in the kernel-patch-2.4-lids package. This kernel patch " "makes the process of hardening your Linux system easier by allowing you to " "restrict, hide and protect processes, even from root. It implements " "mandatory access control capabilities." msgstr "" "LIDS — fourni dans le paquet kernel-patch-2.4-lids. Ce " "correctif du noyau rend le processus de renforcement d'un système Linux plus " "facile en vous permettant de restreindre, cacher et protéger des processus, " "même par rapport au superutilisateur. Il implémente des fonctionnalités de " "contrôle d'accès obligatoire (« Mandatory Access Control »)." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1825 msgid "" ", " "provided in package trustees. This patch adds a decent " "advanced permissions management system to your Linux kernel. Special objects " "(called trustees) are bound to every file or directory, and are stored in " "kernel memory, which allows fast lookup of all permissions." msgstr "" " fourni " "dans le paquet trustees. Ce correctif ajoute un système " "avancé décent de gestion des permissions au noyau Linux. Des objets spéciaux " "(les « trustees ») sont associés à chaque fichier ou répertoire et ils sont " "stockés dans la mémoire noyau, ce qui permet un accès rapide pour toutes les " "permissions." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1837 msgid "" "NSA Enhanced Linux (in package selinux). Backports of the " "SElinux-enabled packages are available at . More information available at , at and SElinux websites." msgstr "" "NSA Enhanced Linux (du paquet selinux). Des rétroportages " "des paquets avec SElinux activé sont disponibles en . Plus de renseignements sont disponibles sur la , " "et sur les sites web de et ." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1842 msgid "" "The provided in the kernel-patch-exec-shield " "package. This patch provides protection against some buffer overflows (stack " "smashing attacks)." msgstr "" "Le fourni dans le paquet kernel-patch-exec-shield. Ce correctif fournit une protection contre plusieurs dépassements " "de tampon (attaques par écrasement de pile)." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1873 msgid "" "The , " "provided by the kernel-patch-2.4-grsecurity and " "kernel-patch-grsecurity2 packages

Notice " "that this patch conflicts with patches already included in Debian's 2.4 " "kernel source package. You will need to use the stock vanilla kernel. You " "can do this with the following steps: # apt-get install kernel-" "source-2.4.22 kernel-patch-debian-2.4.22 # tar xjf /usr/src/kernel-" "source-2.4.22.tar.bz2 # cd kernel-source-2.4.22 # /usr/src/kernel-patches/" "all/2.4.22/unpatch/debian

For more information see , , , , , , " ", and the

implements Mandatory " "Access Control through RBAC, provides buffer overflow protection through " "PaX, ACLs, network randomness (to make OS fingerprinting more difficult) and " "." msgstr "" "Le " "fourni par les paquets kernel-patch-2.4-grsecurity et " "kernel-patch-grsecurity2

Notez que ce " "correctif entre en conflit avec des correctifs déjà inclus dans le paquet de " "source du noyau Debian. Vous devrez utiliser le noyau d'origine (sans " "correctifs Debian). Vous pouvez faire cela en suivant les étapes " "suivantes : # apt-get install kernel-source-2.4.22 kernel-" "patch-debian-2.4.22 # tar xjf /usr/src/kernel-source-2.4.22.tar.bz2 # cd " "kernel-source-2.4.22 # /usr/src/kernel-patches/all/2.4.22/unpatch/debian

Pour plus d'informations, consultez les bogues , , , , , , et la . implémente le contrôle d'accès obligatoire (Mandatory " "Access Control) grâce à RBAC, fournit une protection de dépassement de " "tampon grâce à PaX, des ACL, un caractère aléatoire du réseau (pour rendre " "la reconnaissance de système d'exploitation plus difficile) et ." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1885 msgid "" "The kernel-patch-adamantix provides the patches developed " "for , a Debian-" "based distribution. This kernel patch for the 2.4.x kernel releases " "introduces some security features such as a non-executable stack through the " "use of and " "mandatory access control based on . Other features include: , AES encrypted loop device, MPPE " "support and an IPSEC v2.6 backport." msgstr "" "Le kernel-patch-adamantix fournit les correctifs " "développés pour , " "une distribution basée sur Debian. Le correctif noyau pour les versions 2.4." "x du noyau introduit des fonctionnalités de sécurité comme une pile non " "exécutable grâce à l'utilisation de et du contrôle d'accès obligatoire basé sur . Parmi les autres fonctionnalités, " "on trouve : , le périphérique boucle chiffré AES, la gestion " "MPPE et un rétroportage de la version 2.6 d'IPsec." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1889 msgid "" "cryptoloop-source. This patches allows you to use the " "functions of the kernel crypto API to create encrypted filesystems using the " "loopback device." msgstr "" "cryptoloop-source. Ce correctif vous permet d'utiliser " "les fonctions de l'API de chiffrement du noyau pour créer des systèmes de " "fichiers chiffrés en utilisant le périphérique « loopback »." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1900 msgid "" "IPSEC kernel support (in package linux-patch-openswan). " "If you want to use the IPsec protocol with Linux, you need this patch. You " "can create VPNs with this quite easily, even to Windows machines, as IPsec " "is a common standard. IPsec capabilities have been added to the 2.5 " "development kernel, so this feature will be present by default in the future " "Linux Kernel 2.6. Homepage: . FIXME: The latest 2.4 kernels provided in Debian include a backport of the " "IPSEC code from 2.5. Comment on this." msgstr "" "Prise en charge d'IPsec par le noyau (du paquet linux-patch-" "openswan). Si vous voulez utiliser le protocole IPsec avec Linux, " "vous avez besoin de ce correctif. Vous pouvez ainsi créer des VPN très " "facilement, même vers les machines Windows, puisque IPsec est une norme " "courante. Des fonctionnalités IPsec ont été ajoutées au noyau de " "développement 2.5, cette fonctionnalité sera donc présente par défaut dans " "le futur noyau Linux 2.6. Site Internet : . FIXME : les derniers noyaux 2.4 fournis dans " "Debian incluent un rétroportage du code IPsec du noyau 2.5. Commentaire " "sur cela." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1905 msgid "" "The following security kernel patches are only available for old kernel " "versions in woody and are deprecated:" msgstr "" "Les correctifs de sécurité du noyau suivants ne sont disponibles que pour " "d'anciennes versions du noyau dans Woody et ils sont " "obsolètes :" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1912 msgid "" " " "(ACLs) for Linux provided in the package kernel-patch-acl. This kernel patch adds access control lists, an advanced method " "for restricting access to files. It allows you to control fine-grain access " "to files and directory." msgstr "" " " "(ACL) pour Linux fourni dans le paquet kernel-patch-acl. " "Ce correctif du noyau ajoute les listes de contrôle d'accès, une méthode " "avancée pour restreindre l'accès aux fichiers, par le noyau Linux. Cela vous " "permet de contrôler finement l'accès aux fichiers et répertoires." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1922 msgid "" "The linux " "kernel patch by Solar Designer, provided in the kernel-patch-2.2.18-" "openwall package. This is a useful set of kernel restrictions, " "like restricted links, FIFOs in /tmp, a restricted /proc file system, special file descriptor handling, non-executable user " "stack area and other features. Note: This package applies to the 2.2 " "release, no packages are available for the 2.4 release patches provided by " "Solar." msgstr "" " par Solar " "Designer, fourni dans le paquet kernel-patch-2.2.18-openwall. C'est un ensemble utile de restrictions pour le noyau, comme la " "restriction de liens, FIFO dans /tmp, une restriction de /" "proc, une gestion de descripteur de fichiers spéciaux, une pile de " "l'utilisateur non exécutable et bien plus. Note : ce paquet s'applique " "à la version 2.2, aucun paquet n'est disponible pour les correctifs de " "la version 2.4 fournie par Solar." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1928 msgid "" "kernel-patch-int. This patch also adds cryptographic " "capabilities to the Linux kernel, and was useful with Debian releases up to " "Potato. It doesn't work with Woody, and if you are using Sarge or a newer " "version, you should use a more recent kernel which includes these features " "already." msgstr "" "kernel-patch-int. Ce correctif vous permet également " "d'ajouter des fonctionnalités de cryptographie au noyau Linux et était utile " "pour les versions de Debian jusqu'à Potato. Il ne fonctionne pas avec Woody " "et si vous utilisez Sarge ou une version plus récente, vous devriez utiliser " "un noyau plus récent qui inclut déjà ces fonctionnalités." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1938 msgid "" "However, some patches have not been provided in Debian yet. If you feel that " "some of these should be included please ask for it at the ." msgstr "" "Cependant, certains correctifs ne sont pas encore fournis dans Debian. Si " "vous croyez que certains devraient être inclus, veuillez le demander sur la " "page des ." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1940 msgid "Protecting against buffer overflows" msgstr "Se protéger contre les dépassements de tampon" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1953 msgid "" "Buffer overflow is the name of a common attack to software " "

So common, in fact, that they have been the basis of 20% of the " "reported security vulnerabilities every year, as determined by

which makes use of " "insufficient boundary checking (a programming error, most commonly in the C " "language) in order to execute machine code through program inputs. These " "attacks, against server software which listen to connections remotely and " "against local software which grant higher privileges to users (setuid or setgid) can result in the compromise of any given system." msgstr "" "Dépassement de tampon est le nom d'une attaque courante sur un " "logiciel

Si courante, en fait, qu'elles ont été à la base de " "20 % des failles de sécurité signalées chaque année, d'après les .

qui utilise " "insuffisamment des vérifications de limites (une erreur de programmation " "courante, plus particulièrement en langage C) pour exécuter du code machine " "par des entrées de programme. Ces attaques, contre des logiciels serveur qui " "attendent des connexions distantes et contre des logiciels locaux qui " "autorisent des droits élevés aux utilisateurs (setuid ou " "setgid) peuvent avoir pour conséquence la compromission de tout un " "système." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1955 msgid "There are mainly four methods to protect against buffer overflows:" msgstr "" "Quatre méthodes en particulier permettent de se protéger contre les " "dépassement de tampon :" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1961 msgid "" "patch the kernel to prevent stack execution. You can use either: Exec-" "shield, OpenWall or PaX (included in the Grsecurity and Adamantix patches)." msgstr "" "appliquer un correctif au noyau pour empêcher l'exécution de la pile. Vous " "pouvez utiliser Exec-shield, OpenWall ou PaX (incluant les correctifs " "Grsecurity et Adamantix) ;" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1964 msgid "" "fix the source code by using tools to find fragments of it that might " "introduce this vulnerability." msgstr "" "corriger le code source en utilisant des outils pour trouver des fragments " "qui pourraient introduire cette faille ;" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1970 msgid "" "recompile the source code to introduce proper checks that prevent overflows, " "using the patch for GCC (which is used by " ")" msgstr "" "recompiler le code pour introduire des vérifications qui empêchent les " "dépassements en utilisant le correctif pour GCC (qui est utilisé par )." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1977 msgid "" "Debian GNU/Linux, as of the 3.0 release, provides software to introduce all " "of these methods except for the protection on source code compilation (but " "this has been requested in )." msgstr "" "Debian GNU/Linux, dans sa version 3.0, fournit des logiciels pour " "implémenter toutes ces méthodes à l'exception de la protection de la " "compilation du code source (mais cela a été demandé dans le )." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1984 msgid "" "Notice that even if Debian provided a compiler which featured stack/buffer " "overflow protection all packages would need to be recompiled in order to " "introduce this feature. This is, in fact, what the Adamantix distribution " "does (among other features). The effect of this new feature on the stability " "of software is yet to be determined (some programs or some processor " "architectures might break due to it)." msgstr "" "Notez que même si Debian fournissait un compilateur qui fournit cette " "fonction de protection de dépassement de tampon/pile, tous les paquets " "auraient besoin d'être recompilés pour introduire cette fonctionnalité. " "C'est, en fait, ce que fait Adamantix (entre autres fonctionnalités). " "L'effet de cette nouvelle fonctionnalité sur la stabilité des logiciels doit " "encore être déterminée (certains programmes ou architectures de processeur " "pourraient être cassés à cause d'elle)." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1992 msgid "" "In any case, be aware that even these workarounds might not prevent buffer " "overflows since there are ways to circumvent these, as described in phrack's " "magazine or in CORE's Advisory ." msgstr "" "Dans tous les cas, soyez conscient que même ces contournement peuvent ne pas " "prévenir les dépassements de tampon car il existe des moyens de circonvenir " "ceux-ci, comme décrit dans l' du magazine phrack ou dans " "l'alerte du CORE ." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:1996 msgid "" "If you want to test out your buffer overflow protection once you have " "implemented it (regardless of the method) you might want to install the " "paxtest and run the tests it provides." msgstr "" "Si vous voulez tester la protection contre les dépassements de tampon une " "fois que vous l'avez mise en place (quelque que soit la méthode), vous " "pouvez vouloir installer le paxtest et exécuter les tests " "qu'il fournit." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:1998 msgid "Kernel patch protection for buffer overflows" msgstr "Correctif du noyau de protection pour les dépassements de tampon" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2007 msgid "" "Kernel patches related to buffer overflows include the Openwall patch " "provides protection against buffer overflows in 2.2 linux kernels. For 2.4 " "or newer kernels, you need to use the Exec-shield implementation, or the PaX " "implementation (provided in the grsecurity patch, kernel-patch-2.4-" "grsecurity, and in the Adamantix patch, kernel-patch-" "adamantix). For more information on using these patches read the " "the section ." msgstr "" "Des correctifs du noyau liés aux dépassements de tampon incluant le " "correctif Openwall fournissent une protection contre les dépassements de " "tampon dans les noyaux Linux 2.2. Pour les noyaux 2.4 et plus " "récents, vous devrez utiliser l'implémentation Exec-shield ou " "l'implémentation PaX (fournies dans le correctif grsecurity, kernel-" "patch-2.4-grsecurity et dans le correctif Adamantix, " "kernel-patch-adamantix). Pour plus d'informations sur " "l'utilisation de ces correctifs, veuillez consulter la section ." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2009 msgid "Testing programs for overflows" msgstr "Tester des programmes pour les dépassements" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2018 msgid "" "The use of tools to detect buffer overflows requires, in any case, of " "programming experience in order to fix (and recompile) the code. Debian " "provides, for example: bfbtester (a buffer overflow " "tester that brute-forces binaries through command line and environment " "overflows). Other packages of interest would also be rats, pscan, flawfinder and " "splint." msgstr "" "L'utilisation d'outils pour détecter des dépassements de tampon nécessitent " "dans tous les cas une expérience de programmation pour corriger (et " "recompiler) le code. Debian fournit par exemple : bfbtester (un testeur de dépassement de tampon qui brutalise des binaires par " "la force par des dépassements de ligne de commande et d'environnement). " "D'autres paquets intéressants pourraient aussi être rats, " "pscan, flawfinder et splint." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2020 msgid "Secure file transfers" msgstr "Sécurisation des transferts de fichiers" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2027 msgid "" "During normal system administration one usually needs to transfer files in " "and out from the installed system. Copying files in a secure manner from a " "host to another can be achieved by using the ssh server " "package. Another possibility is the use of ftpd-ssl, a " "ftp server which uses the Secure Socket Layer to encrypt the " "transmissions." msgstr "" "Pendant l'administration normale du système, il est habituellement " "nécessaire de transférer des fichiers à partir et vers le système installé. " "La copie des fichiers de façon sécurisée d'un hôte vers un autre peut être " "effectuée en utilisant le paquet serveur ssh. Une autre " "possibilité est d'utiliser ftpd-ssl, un serveur FTP qui " "utilise Secure Socket Layer pour chiffrer les transmissions." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2037 msgid "" "Any of these methods need special clients. Debian does provide client " "software, such as scp from the ssh package, " "which works like rcp but is encrypted completely, so the " "bad guys cannot even find out WHAT you copy. There is also a " "ftp-ssl package for the equivalent server. You can find " "clients for these software even for other operating systems (non-UNIX), " "putty and winscp provide secure copy " "implementations for any version of Microsoft's operating system." msgstr "" "Toutes ces méthodes nécessitent des clients spécifiques. Debian fournit des " "clients logiciels, comme scp du paquet ssh, " "qui fonctionne comme rcp, mais est complètement chiffré, donc " "les méchants ne peuvent même pas savoir CE QUE vous copiez. Il " "existe également un paquet client ftp-ssl pour le serveur " "équivalent. Vous pouvez trouver des clients pour ces logiciels, même pour " "d'autres systèmes d'exploitation (non UNIX), putty et " "winscp fournissent des implémentations de copie sécurisée pour " "toutes les versions des systèmes d'exploitation de Microsoft." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2046 msgid "" "Note that using scp provides access to the users to all the " "file system unless chroot'ed as described in . FTP access can be chroot'ed, probably easier " "depending on you chosen daemon, as described in . If " "you are worried about users browsing your local files and want to have " "encrypted communication you can either use an ftp daemon with SSL support or " "combine clear-text ftp and a VPN setup (see )." msgstr "" "Notez qu'utiliser scp fournit un accès pour tous les " "utilisateurs à tout le système de fichiers à moins de faire un chroot comme décrit dans . L'accès FTP peut être " "chrooté, c'est probablement plus facile selon le démon que vous " "choisissez, comme décrit dans . Si vous vous " "inquiétez d'utilisateurs locaux pouvant parcourir les fichiers locaux et que " "vous voulez avoir une communication chiffrée, vous pouvez soit utiliser un " "démon FTP avec la prise en charge SSL, soit combiner un FTP sans chiffrement " "avec une configuration VPN (consultez )." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2048 msgid "File system limits and control" msgstr "Limites et contrôle des systèmes de fichiers" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2050 msgid "Using quotas" msgstr "Utilisation de quotas" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2053 msgid "" "Having a good quota policy is important, as it keeps users from filling up " "the hard disk(s)." msgstr "" "Avoir une bonne politique relative aux quotas est important, vu qu'elle " "empêche les utilisateurs de remplir les disques durs." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2059 msgid "" "You can use two different quota systems: user quota and group quota. As you " "probably figured out, user quota limits the amount of space a user can take " "up, group quota does the equivalent for groups. Keep this in mind when " "you're working out quota sizes." msgstr "" "Vous pouvez utiliser deux systèmes de quotas différents : les quotas " "utilisateur et les quotas groupe. Comme vous l'avez probablement deviné, les " "quotas utilisateur limitent la quantité d'espace qu'un utilisateur peut " "avoir, les quotas groupe quant à eux font la même chose pour les groupes. " "Retenez cela quand vous calculerez les tailles des quotas." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2062 msgid "" "There are a few important points to think about in setting up a quota system:" msgstr "" "Il y a quelques points importants auxquels il faut penser dans la mise en " "place d'un système de quotas :" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2066 msgid "Keep the quotas small enough, so users do not eat up your disk space." msgstr "" "garder les quotas suffisamment petits, ainsi les utilisateurs ne dévoreront " "pas l'espace disque ;" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2069 msgid "" "Keep the quotas big enough, so users do not complain or their mail quota " "keeps them from accepting mail over a longer period." msgstr "" "garder les quotas suffisamment grands, ainsi les utilisateurs ne se " "plaindront pas et leur quota de courrier leur permettra d'accepter des " "courriers pendant une longue période ;" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2071 msgid "" "Use quotas on all user-writable areas, on /home as well as on " "/tmp." msgstr "" "utiliser des quotas sur tous les espaces accessibles en écriture par les " "utilisateurs, aussi bien sur /home que /tmp." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2077 msgid "" "Every partition or directory to which users have full write access should be " "quota enabled. Calculate and assign a workable quota size for those " "partitions and directories which combines usability and security." msgstr "" "Tous les répertoires et partitions auxquels les utilisateurs ont accès en " "écriture complet devraient avoir les quotas activés. Recherchez ces " "partitions et répertoires et calculez une taille adaptée qui combine " "disponibilité et sécurité." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2084 msgid "" "So, now you want to use quotas. First of all you need to check whether you " "enabled quota support in your kernel. If not, you will need to recompile it. " "After this, control whether the package quota is " "installed. If not you will need this one as well." msgstr "" "Bon, maintenant vous désirez utiliser les quotas. Avant tout, vous avez " "besoin de vérifier si vous avez activé la prise en charge des quotas dans le " "noyau. Si non, vous devrez le recompiler. Après cela, contrôlez si le paquet " "quota est installé. Si non, vous en aurez également besoin." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2093 msgid "" "Enabling quota for the respective file systems is as easy as modifying the " "defaults setting to defaults,usrquota in your /etc/" "fstab file. If you need group quota, substitute usrquota to " "grpquota. You can also use them both. Then create empty quota.user " "and quota.group files in the roots of the file systems you want to use " "quotas on (e.g. touch /home/quota.user /home/quota.group for a " "/home file system)." msgstr "" "L'activation des quotas pour des systèmes de fichiers différents est aussi " "facile que la modification du paramètre defaults en defaults," "usrquota dans le fichier /etc/fstab. Si vous avez besoin " "des quotas par groupe, remplacez usrquota par grpquota. " "Vous pouvez également utiliser les deux. Ensuite, créez des fichiers vides " "quota.user et quota.group à la racine du système de fichiers sur lequel vous " "voulez utiliser les quotas (touch /home/quota.user /home/quota.group pour un système de fichiers /home)." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2097 msgid "" "Restart quota by doing /etc/init.d/quota stop;/etc/init.d/" "quota start. Now quota should be running, and quota sizes can be set." msgstr "" "Redémarrez quota en faisant /etc/init.d/quota stop;/etc/" "init.d/quota start. Maintenant les quotas devraient être en fonction et " "leurs tailles peuvent être configurées." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2104 msgid "" "Editing quotas for a specific user can be done by edquota -u <user>" ". Group quotas can be modified with edquota -g <group>. " "Then set the soft and hard quota and/or inode quotas as needed." msgstr "" "L'édition de quotas pour un utilisateur spécifique peut être réalisée en " "faisant edquota -u <user>. Les quotas par groupes peuvent " "être modifiés avec edquota -g <group>. Ensuite, paramétrez " "les quotas soft et hard ou les quotas pour inœuds selon vos besoins." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2109 msgid "" "For more information about quotas, read the quota man page, and the quota " "mini-howto (/usr/share/doc/HOWTO/en-html/mini/Quota.html). You " "may also want to look at pam_limits.so." msgstr "" "Pour plus d'informations concernant les quotas, consultez la page de manuel " "de la commande quota et le quota mini-howto (/usr/share/doc/HOWTO/fr-" "html/Quota.html). Vous pouvez également vouloir étudier " "pam_limits.so." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2112 msgid "The ext2 filesystem specific attributes (chattr/lsattr)" msgstr "Les attributs spécifiques du système de fichiers ext2 (chattr/lsattr)" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2125 msgid "" "In addition to the usual Unix permissions, the ext2 and ext3 filesystems " "offer a set of specific attributes that give you more control over the files " "on your system. Unlike the basic permissions, these attributes are not " "displayed by the usual ls -l command or changed using " "chmod, and you need two other utilities, lsattr " "and chattr (in package e2fsprogs) to manage " "them. Note that this means that these attributes will usually not be saved " "when you backup your system, so if you change any of them, it may be worth " "saving the successive chattr commands in a script so that you " "can set them again later if you have to restore a backup." msgstr "" "En plus des permissions standards UNIX, les systèmes de fichiers ext2 et " "ext3 offrent un ensemble d'attributs spécifiques qui donnent plus de " "contrôle sur les fichiers du système. À la différence des permissions de " "base, ces attributs ne sont pas affichés par la commande standard ls -" "l, ni changés par la commande chmod et vous avez besoin " "de deux autres utilitaires, lsattr et chattr (du " "paquet e2fsprogs) pour les gérer. Notez que cela veut " "dire que ces attributs ne sont habituellement pas enregistrés quand vous " "sauvegardez le système, donc si vous modifiez l'un d'entre eux, il peut être " "utile d'enregistrer les commandes chattr successives dans un " "script pour pouvoir les repositionner plus tard si vous avez à récupérer une " "sauvegarde." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2130 msgid "" "Among all available attributes, the two that are most important for " "increasing security are referenced by the letters 'i' and 'a', and they can " "only be set (or removed) by the superuser:" msgstr "" "Parmi tous les attributs disponibles, les deux plus importants pour " "améliorer la sécurité sont référencés par les lettres « i » et " "« a » et ils ne peuvent être positionnés (ou enlevés) que par le " "superutilisateur :" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2135 msgid "" "The 'i' attribute ('immutable'): a file with this attribute can neither be " "modified nor deleted or renamed and no link can be created to it, even by " "the superuser." msgstr "" "l'attribut « i » (inchangeable, « immutable ») : un " "fichier ayant cet attribut ne peut être ni modifié ni effacé ou encore " "renommé et aucun lien ne peut le référencer, même par le superutilisateur ;" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2142 msgid "" "The 'a' attribute ('append'): this attribute has the same effect that the " "immutable attribute, except that you can still open the file in append mode. " "This means that you can still add more content to it but it is impossible to " "modify previous content. This attribute is especially useful for the log " "files stored in /var/log/, though you should consider that they " "get moved sometimes due to the log rotation scripts." msgstr "" "l'attribut « a » (ajout, « append ») : cet attribut " "a le même effet que l'attribut « immutable », excepté que vous " "pouvez encore ouvrir le fichier en mode ajout. Cela veut dire que vous " "pouvez encore ajouter plus de contenu au fichier, mais qu'il est impossible " "de modifier un contenu précédent. Cet attribut est particulièrement utile " "pour les fichiers de journalisation stockés dans /var/log/, " "bien que vous deviez considérer qu'ils sont parfois déplacés à cause des " "scripts d'archivage." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2150 msgid "" "These attributes can also be set for directories, in which case everyone is " "denied the right to modify the contents of a directory list (e.g. rename or " "remove a file, ...). When applied to a directory, the append attribute only " "allows file creation." msgstr "" "Ces attributs peuvent également être positionnés pour les répertoires, dans " "ce cas, le droit de modifier le contenu de la liste d'un répertoire est " "refusé (par exemple, renommer ou supprimer un fichier, etc.) Quand il est " "appliqué à un répertoire, l'attribut d'ajout ne permet que la création de " "fichiers." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2167 msgid "" "It is easy to see how the 'a' attribute improves security, by giving to " "programs that are not running as the superuser the ability to add data to a " "file without modifying its previous content. On the other hand, the 'i' " "attribute seems less interesting: after all, the superuser can already use " "the basic Unix permissions to restrict access to a file, and an intruder " "that would get access to the superuser account could always use the " "chattr program to remove the attribute. Such an intruder may " "first be confused when he sees that he is not able to remove a file, but you " "should not assume that he is blind - after all, he got into your system! " "Some manuals (including a previous version of this document) suggest to " "simply remove the chattr and lsattr programs from " "the system to increase security, but this kind of strategy, also known as " "\"security by obscurity\", is to be absolutely avoided, since it provides a " "false sense of security." msgstr "" "Il est aisé de voir que l'attribut « a » améliore la sécurité, en " "donnant aux programmes qui ne sont pas exécutés par le superutilisateur, la " "possibilité d'ajouter des données à un fichier sans pouvoir modifier son " "précédent contenu. D'un autre côté, l'attribut « i » semble moins " "intéressant : après tout, le superutilisateur peut déjà utiliser les " "permissions standards UNIX pour restreindre l'accès à un fichier et un " "intrus qui aurait accès au compte superutilisateur peut toujours utiliser le " "programme chattr pour supprimer l'attribut. Un tel intrus peut " "tout d'abord être perplexe quand il se rendra compte qu'il ne peut pas " "supprimer un fichier, mais vous ne devriez pas supposer qu'il est aveugle " "&mdash; après tout, il est entré dans le système ! 
Certains manuels " "(y compris une précédente version de ce document) suggèrent de supprimer " "simplement les programmes chattr et lsattr du " "système pour améliorer la sécurité, mais ce genre de stratégie, aussi connu " "comme « sécurité par l'obscurité Â», doit être absolument évitée, " "car elle donne un sentiment trompeur de sécurité." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2176 msgid "" "A secure way to solve this problem is to use the capabilities of the Linux " "kernel, as described in . The capability of interest " "here is called CAP_LINUX_IMMUTABLE: if you remove it from the " "capabilities bounding set (using for example the command lcap " "CAP_LINUX_IMMUTABLE) it won't be possible to change any 'a' or 'i' " "attribute on your system anymore, even by the superuser ! A complete " "strategy could be as follows:" msgstr "" "Une façon sûre de résoudre ce problème est d'utiliser les fonctionnalités du " "noyau Linux, comme décrit dans . La fonctionnalité " "intéressante est appelée ici CAP_LINUX_IMMUTABLE : si vous la " "supprimez de l'ensemble des fonctionnalités (en utilisant par exemple la " "commande lcap CAP_LINUX_IMMUTABLE), il ne sera plus possible de " "modifier les attributs « a » ou « i » sur le système, " "même pour le superutilisateur ! Une stratégie complète serait alors la " "suivante :" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2177 msgid "Set the attributes 'a' and 'i' on any file you want;" msgstr "" "positionner les attributs « a » et « i » sur tous les " "fichiers voulus ;" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2182 msgid "" "Add the command lcap CAP_LINUX_IMMUTABLE (as well as lcap " "CAP_SYS_MODULE, as suggested in ) to one of the " "startup scripts;" msgstr "" "ajouter la commande lcap CAP_LINUX_IMMUTABLE (ainsi que lcap " "CAP_SYS_MODULE, comme suggéré dans ) à l'un des " "scripts de démarrage ;" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2184 msgid "" "Set the 'i' attribute on this script and other startup files, as well as on " "the lcap binary itself;" msgstr "" "positionner l'attribut « i » sur ce script et les autres fichiers " "de démarrage, ainsi que sur le binaire lcap lui-même ;" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2187 msgid "" "Execute the above command manually (or reboot your system to make sure " "everything works as planned)." msgstr "" "exécuter la commande ci-dessus vous-même (ou réamorcer le système pour vous " "assurer que tout fonctionne comme prévu)." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2201 msgid "" "Now that the capability has been removed from the system, an intruder cannot " "change any attribute on the protected files, and thus cannot change or " "remove the files. If he forces the machine to reboot (which is the only way " "to restore the capabilities bounding set), it will easily be detected, and " "the capability will be removed again as soon as the system restarts anyway. " "The only way to change a protected file would be to boot the system in " "single-user mode or using another bootdisk, two operations that require " "physical access to the machine !" msgstr "" "Maintenant que la fonctionnalité a été enlevée du système, un intrus ne peut " "plus changer aucun attribut des fichiers protégés et donc, il ne peut pas " "changer ou supprimer les fichiers. S'il force la machine à redémarrer (ce " "qui est la seule façon de récupérer le jeu de fonctionnalités), cela sera " "facile à détecter et la fonctionnalité sera de toute façon enlevée à nouveau " "dès que le redémarrage du système. La seule façon de changer un fichier " "protégé serait de réamorcer le système en mode utilisateur seul (single-user " "mode) ou d'utiliser une autre image d'amorçage, deux opérations qui " "nécessitent un accès physique à la machine !" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2203 msgid "Checking file system integrity" msgstr "Vérifier l'intégrité des systèmes de fichiers" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2208 msgid "" "Are you sure /bin/login on your hard drive is still the binary " "you installed there some months ago? What if it is a hacked version, which " "stores the entered password in a hidden file or mails it in clear-text " "version all over the Internet?" msgstr "" "Êtes-vous sûr que le /bin/login présent sur le disque dur est le même que " "celui que vous aviez installé il y a de cela quelques mois ? Que faire " "si c'est une version piratée, qui enregistre les mots de passe entrés dans " "un fichier caché ou les envoie en clair sur Internet ?" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2220 msgid "" "The only method to have some kind of protection is to check your files every " "hour/day/month (I prefer daily) by comparing the actual and the old md5sum " "of this file. Two files cannot have the same md5sum (the MD5 digest is 128 " "bits, so the chance that two different files will have the same md5sum is " "roughly one in 3.4e3803), so you're on the safe site here, unless someone " "has also hacked the algorithm that creates md5sums on that machine. This is, " "well, extremely difficult and very unlikely. You really should consider this " "auditing of your binaries as very important, since it is an easy way to " "recognize changes at your binaries." msgstr "" "La seule méthode pour avoir un semblant de protection est de vérifier vos " "fichiers tous les heures/jours/mois (je préfère quotidiennement) en " "comparant l'actuel et l'ancien md5sum de ce fichier. Deux fichiers ne " "peuvent avoir le même md5sum (le MD5 est basé sur 128 bits, ainsi la chance " "que deux fichiers différents aient le même md5sum est approximativement de " "un sur 3.4e3803), donc de ce côté tout est bon, à moins que quelqu'un ait " "piraté également l'algorithme qui crée les md5sums sur cette machine. C'est " "extrêmement difficile et très improbable. Vous devriez vraiment prendre en " "compte que la vérification de vos binaires est très importante étant donné " "que c'est un moyen facile de reconnaître des changements sur vos binaires." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2231 msgid "" "Common tools used for this are sxid, aide (Advanced Intrusion Detection Environment), tripwire, integrit and samhain. " "Installing debsums will also help you to check the file system " "integrity, by comparing the md5sums of every file against the md5sums used " "in the Debian package archive. But beware: those files can easily be changed " "by an attacker and not all packages provide md5sums listings for the " "binaries they provided. For more information please read and ." msgstr "" "Les outils couramment utilisés pour cela sont sxid, " "aide (Advanced Intrusion Detection Environment), " "tripwire, integrit et " "samhain. Installer debsums vous aidera également " "à vérifier l'intégrité du système de fichiers en comparant le md5sum de " "chaque fichier avec celui utilisé dans l'archive des paquets Debian. Mais " "faites attention : ces fichiers peuvent facilement être modifiés par un " "attaquant et tous les paquets ne fournissent pas de listes de md5sum pour " "les binaires qu'ils fournissent. Pour plus d'informations, veuillez " "consulter et ." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2250 msgid "" "You might want to use locate to index the whole filesystem, if " "so, consider the implications of that. The Debian findutils package contains locate which runs as user nobody, and " "so it only indexes files which are visible to everybody. However, if you " "change it's behaviour you will make all file locations visible to all users. " "If you want to index all the filesystem (not the bits that the user nobody " "can see) you can replace locate with the package " "slocate. slocate is labeled as a security enhanced " "version of GNU locate, but it actually provides additional file-locating " "functionality. When using slocate, the user only sees the files " "he really has access to and you can exclude any files or directories on the " "system. The slocate package runs its update process with " "higher privledges than locate, and indexes every file. Users are then able " "to quickly search for every file which they are able to see. slocate doesn't let them see new files; it filters the output based on your " "UID." msgstr "" "Vous pouvez vouloir utiliser locate pour indexer le système de " "fichiers en entier ; si vous faites cela, envisagez les implications de " "cette action. Le paquet findutils de Debian contient " "locate qui s'exécute en tant qu'utilisateur nobody, ainsi, il " "indexe les fichiers qui sont visibles à tous les utilisateurs. Cependant, si " "vous changez son comportement, vous rendrez les emplacements de tous les " "fichiers visibles à tous les utilisateurs. Si vous voulez indexer tout le " "système de fichiers (pas les parties que l'utilisateur nobody peut voir), " "vous pouvez remplacer locate par slocate. " "slocate est étiqueté comme une version améliorée au niveau sécurité de GNU " "locate, mais il fournit en fait une fonctionnalité de localisation de " "fichier supplémentaire. 
Quand il utilise slocate, l'utilisateur " "ne peut voir que les fichiers auxquels il a vraiment accès et vous pouvez " "exclure tout fichier ou répertoire du système. Le paquet slocate exécute le processus de mise à jour avec des privilèges augmentés " "par rapport à locate et il indexe tous les fichiers. Les utilisateurs " "peuvent alors rechercher rapidement tout fichier qu'ils peuvent voir. " "slocate ne leur laisse pas voir les nouveaux fichiers ; il " "filtre la sortie selon l'UID." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2258 msgid "" "You might want to use bsign or elfsign. elfsign provides an utility to add a digital " "signature to an ELF binary and a second utility to verify that signature. " "The current implementation uses PKI to sign the checksum of the binary. The " "benefits of doing this are that it enables one to determine if a binary has " "been modified and who created it. bsign uses GPG, " "elfsign uses PKI (X.509) certificates (OpenSSL)." msgstr "" "Vous pourriez utiliser bsign ou elfsign. elfsign fournit un utilitaire pour ajouter une " "signature numérique à un binaire ELF et un autre pour vérifier cette " "signature. L'actuelle implémentation utilise PKI pour signer la somme de " "contrôle du binaire. L'avantage de faire cela est que ceux qui le veulent " "peuvent déterminer si un binaire a été modifié et qui l'a créé. " "bsign utilise GPG, elfsign utilise les " "certificats PKI (X.509, OpenSSL)." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2260 msgid "Setting up setuid check" msgstr "Mise en place de la vérification setuid" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2270 msgid "" "The Debian checksecurity package provides a cron job that runs daily in /etc/cron.daily/checksecurity " "

In previous releases, checksecurity was integrated into cron " "and the file was /etc/cron.daily/standard

. This " "cron job will run the /usr/sbin/checksecurity " "script that will store information of this changes." msgstr "" "Le paquet Debian checksecurity fournit une tâche " "cron qui s'exécute tous les jours dans /etc/cron.daily/" "checksecurity

Dans les versions précédentes, " "checksecurity était intégré dans cron et le fichier était /etc/cron." "daily/standard.

. Cette tâche cron " "exécutera le script /usr/sbin/checksecurity qui sauvegardera " "les renseignements sur les modifications." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2277 msgid "" "The default behavior does not send this information to the superuser but " "instead keeps daily copies of the changes in /var/log/setuid.changes. You should set the MAILTO variable (in /etc/checksecurity.conf) to 'root' to have this information mailed to him. See for more configuration info." msgstr "" "Le comportement par défaut est de ne pas envoyer cette information au " "superutilisateur mais à la place de garder une copie quotidienne des " "modifications dans /var/log/setuid.changes. Vous devrez " "positionner la variable MAILTO (dans /etc/checksecurity.conf) à " "« root » pour que ces renseignements lui soient envoyés. Consultez " " pour plus d'informations sur " "la configuration." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2279 msgid "Securing network access" msgstr "Sécurisation des accès réseau" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2281 msgid "FIXME: More (Debian-specific) content needed." msgstr "FIXME : Besoin de plus de contenu (spécifique à Debian)." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2283 msgid "Configuring kernel network features" msgstr "Configuration des options réseau du noyau" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2294 msgid "" "Many features of the kernel can be modified while running by echoing " "something into the /proc file system or by using sysctl. By entering /sbin/sysctl -A you can see what you can " "configure and what the options are, and it can be modified running /sbin/" "sysctl -w variable=value (see ). " "Only in rare cases do you need to edit something here, but you can increase " "security that way as well. For example:" msgstr "" "Beaucoup de fonctionnalités du noyau peuvent être modifiées en cours de " "fonctionnement en envoyant quelque chose (par la commande echo) " "dans le système de fichiers /proc ou en utilisant sysctl. En entrant sysctl -A, vous pouvez voir ce que vous pouvez " "configurer et quelles sont les options, elles peuvent être modifiées en " "exécutant /sbin/sysctl -w variable=valeur (consultez ). Vous aurez seulement en de rares occasions " "à éditer quelque chose ici, mais vous pouvez augmenter la sécurité de cette " "manière aussi. Par exemple :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2296 #, no-wrap msgid "net/ipv4/icmp_echo_ignore_broadcasts = 1" msgstr "net/ipv4/icmp_echo_ignore_broadcasts = 1" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2303 msgid "" "This is a Windows emulator because it acts like Windows on " "broadcast ping if this option is set to 1. That is, ICMP echo requests sent " "to the broadcast address will be ignored. Otherwise, it does nothing." msgstr "" "C'est un « émulateur Windows » parce que ça agit comme Windows sur " "les ping de broadcast si celui-ci est positionné à 1. C'est-à-dire que les " "requêtes d'echo ICMP envoyées à l'adresse broadcast seront ignorées. Sinon, " "cela ne fait rien." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2306 msgid "" "If you want to prevent you system from answering ICMP echo requests, just " "enable this configuration option:" msgstr "" "Si vous voulez empêcher le système de répondre aux requêtes d'echo ICMP, " "activez cette option de configuration :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2308 #, no-wrap msgid "net/ipv4/icmp_echo_ignore_all = 1" msgstr "net/ipv4/icmp_echo_ignore_all = 1" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2313 msgid "" "To log packets with impossible addresses (due to wrong routes) on your " "network use:" msgstr "" "Pour enregistrer les paquets avec des adresses impossibles (à cause de " "routes erronées) sur le réseau, utilisez :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2315 #, no-wrap msgid "/proc/sys/net/ipv4/conf/all/log_martians = 1" msgstr "/proc/sys/net/ipv4/conf/all/log_martians = 1" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2327 msgid "" "For more information on what things can be done with /proc/sys/net/" "ipv4/* read /usr/src/linux/Documentation/filesystems/proc.txt. All the options are described thoroughly under /usr/src/linux/" "Documentation/networking/ip-sysctl.txt

In Debian the " "kernel-source-version packages copy the " "sources to /usr/src/kernel-source-version.tar.bz2, " "just substitute version to whatever kernel version sources you " "have installed

." msgstr "" "Pour plus d'informations sur ce qui peut être fait avec /proc/sys/net/" "ipv4/*, consultez /usr/src/linux/Documentation/filesystems/proc." "txt. Toutes les options sont décrites de façon complète sous /" "usr/src/linux/Documentation/networking/ip-sysctl.txt " "

Dans Debian, les paquets kernel-source-version copient les sources sous /usr/src/kernel-source-" "version.tar.bz2, remplacez simplement version " "par la version des sources du noyau installé.

." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2330 msgid "Configuring syncookies" msgstr "Configurer syncookies" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2339 msgid "" "This option is a double-edged sword. On the one hand it protects your system " "against syn packet flooding; on the other hand it violates defined standards " "(RFCs)." msgstr "" "Cette option est à double tranchant. D'un côté, elle protège le système " "contre le syn packet flooding ; d'un autre côté, elle viole les " "standards définis (RFCs)." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2341 #, no-wrap msgid "net/ipv4/tcp_syncookies = 1" msgstr "net/ipv4/tcp_syncookies = 1" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2349 msgid "" "If you want to change this option each time the kernel is working you need " "to change it in /etc/network/options by setting syncookies=yes. This will take effect whenever /etc/init.d/networking is run " "(which is typically done at boot time) while the following will have a one-" "time effect until the reboot:" msgstr "" "Si vous voulez changer cette option à chaque fois que le noyau fonctionne, " "vous devez le faire dans /etc/network/options en positionnant " "syncookies=yes. Cela prendra effet à chaque fois que /etc/init." "d/networking est exécuté (ce qui est habituellement fait lors du " "démarrage) tandis que la commande suivante aura un effet unique jusqu'au " "prochain redémarrage :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2351 #, no-wrap msgid "echo 1 > /proc/sys/net/ipv4/tcp_syncookies" msgstr "echo 1 > /proc/sys/net/ipv4/tcp_syncookies" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2357 msgid "" "This option will only be available if the kernel is compiled with the " "CONFIG_SYNCOOKIES. All Debian kernels are compiled with this option " "built in, but you can verify it by running:" msgstr "" "Cette option n'est disponible que si vous avez compilé le noyau avec " "CONFIG_SYNCOOKIES. Tous les noyaux Debian sont compilés avec cette " "option incluse, mais vous pouvez le vérifier en exécutant :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2360 #, no-wrap msgid "" "$ sysctl -A |grep syncookies\n" "net/ipv4/tcp_syncookies = 1" msgstr "" "$ sysctl -A |grep syncookies\n" "net/ipv4/tcp_syncookies = 1" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2365 msgid "" "For more information on TCP syncookies read ." msgstr "" "Pour plus d'informations sur les syncookies TCP, consultez ." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2367 msgid "Securing the network on boot-time" msgstr "Sécurisation du réseau pendant l'amorçage" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2372 msgid "" "When setting configuration options for the kernel networking you need to " "configure it so that it's loaded every time the system is restarted. The " "following example enables many of the previous options as well as other " "useful options." msgstr "" "Quand vous positionnez des options de configuration de réseau du noyau, vous " "devez le configurer pour que ce soit chargé à chaque fois que le système est " "redémarré. L'exemple suivant active un grand nombre des options précédentes " "ainsi que d'autres options utiles." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2379 msgid "" "There are actually two ways to configure your network at boot time. You can " "configure /etc/sysctl.conf (see: ) or introduce a script that is called when the interface is " "enabled. The first option will be applied to all interfaces, whereas the " "second option allows you to configure this on a per-interface basis." msgstr "" "Il y a en fait deux façons de configurer le réseau au démarrage. Vous pouvez " "configurer /etc/sysctl.conf (consultez ) ou introduire un script qui est appelé quand " "l'interface est activée. La première option sera appliquée à toutes les " "interfaces alors que la seconde option vous permettra de configurer cela " "interface par interface." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2382 msgid "" "An example of a /etc/sysctl.conf configuration that will secure " "some network options at the kernel level is shown below. Notice the comment " "in it, /etc/network/options might override some values if they " "contradict those in this file when the /etc/init.d/networking " "is run (which is later than procps on the startup sequence)." msgstr "" "Un exemple de fichier de configuration /etc/sysctl.conf qui " "sécurisera quelques options de réseau au niveau du noyau est présenté ci-" "dessous. Notez les commentaires dans ce fichier, /etc/network/options peut forcer certaines options si elles sont en contradiction avec " "celles de ce fichier lors de l'exécution de /etc/init.d/networking (ce qui a lieu après procps dans la séquence de " "démarrage)." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2435 #, no-wrap msgid "" "#\n" "# /etc/sysctl.conf - Configuration file for setting system variables\n" "# See sysctl.conf (5) for information. Also see the files under\n" "# Documentation/sysctl/, Documentation/filesystems/proc.txt, and\n" "# Documentation/networking/ip-sysctl.txt in the kernel sources \n" "# (/usr/src/kernel-$version if you have a kernel-package installed)\n" "# for more information of the values that can be defined here.\n" "\n" "#\n" "# Be warned that /etc/init.d/procps is executed to set the following\n" "# variables. However, after that, /etc/init.d/networking sets some\n" "# network options with builtin values. 
These values may be overridden\n" "# using /etc/network/options.\n" "#\n" "#kernel.domainname = example.com\n" "\n" "# Additional settings - adapted from the script contributed\n" "# by Dariusz Puchala (see below)\n" "# Ignore ICMP broadcasts\n" "net/ipv4/icmp_echo_ignore_broadcasts = 1\n" "#\n" "# Ignore bogus ICMP errors\n" "net/ipv4/icmp_ignore_bogus_error_responses = 1\n" "# \n" "# Do not accept ICMP redirects (prevent MITM attacks)\n" "net/ipv4/conf/all/accept_redirects = 0\n" "# _or_\n" "# Accept ICMP redirects only for gateways listed in our default\n" "# gateway list (enabled by default)\n" "# net/ipv4/conf/all/secure_redirects = 1\n" "#\n" "# Do not send ICMP redirects (we are not a router)\n" "net/ipv4/conf/all/send_redirects = 0\n" "#\n" "# Do not forward IP packets (we are not a router)\n" "# Note: Make sure that /etc/network/options has 'ip_forward=no'\n" "net/ipv4/conf/all/forwarding = 0\n" "#\n" "# Enable TCP Syn Cookies\n" "# Note: Make sure that /etc/network/options has 'syncookies=yes'\n" "net/ipv4/tcp_syncookies = 1\n" "#\n" "# Log Martian Packets\n" "net/ipv4/conf/all/log_martians = 1\n" "#\n" "# Turn on Source Address Verification in all interfaces to\n" "# prevent some spoofing attacks\n" "# Note: Make sure that /etc/network/options has 'spoofprotect=yes'\n" "net/ipv4/conf/all/rp_filter = 1\n" "#\n" "# Do not accept IP source route packets (we are not a router)\n" "net/ipv4/conf/all/accept_source_route = 0" msgstr "" "#\n" "# /etc/sysctl.conf - Fichier de configuration pour positionner les\n" "# variables système\n" "# Consultez sysctl.conf(5) pour plus de renseignements. 
Consultez\n" "# également les fichiers sous Documentation/sysctl/,\n" "# Documentation/filesystems/proc.txt et\n" "# Documentation/networking/ip-sysctl.txt dans les sources du noyau\n" "# (/usr/src/kernel-$version si vous avez installé un paquet de noyau) \n" "# pour plus d'informations sur les valeurs qui peuvent être définies ici.\n" "\n" "#\n" "# Attention : /etc/init.d/procps est exécuté pour positionner les\n" "# variables suivantes. Cependant, après cela, /etc/init.d/networking\n" "# positionne certaines options réseau avec des valeurs intrinsèques. Ces\n" "# valeurs peuvent être forcées en utilisant /etc/network/options.\n" "#\n" "#kernel.domainname = example.com\n" "\n" "# Paramètres supplémentaires - adapté du script fourni\n" "# par Dariusz Puchala (voir ci-dessous)\n" "# Ignorer les broadcasts ICMP\n" "net/ipv4/icmp_echo_ignore_broadcasts = 1\n" "#\n" "# Ignorer les erreurs ICMP erronées\n" "net/ipv4/icmp_ignore_bogus_error_responses = 1\n" "# \n" "# Ne pas accepter les redirections ICMP (empêche les attaques en\n" "# homme au milieu)\n" "net/ipv4/conf/all/accept_redirects = 0\n" "# _ou_\n" "# N'accepter les redirections ICMP que pour les passerelles\n" "# de notre liste de passerelles par défaut (activé par défaut)\n" "# net/ipv4/conf/all/secure_redirects = 1\n" "#\n" "# Ne pas envoyer de redirections ICMP (ce n'est pas un routeur)\n" "net/ipv4/conf/all/send_redirects = 0\n" "#\n" "# Ne pas faire suivre les paquets IP (ce n'est pas un routeur)\n" "# Remarque : assurez-vous que /etc/network/options contient\n" "# « ip_forward=no »\n" "net/ipv4/conf/all/forwarding = 0\n" "#\n" "# Activer les TCP Syn Cookies\n" "# Remarque : assurez-vous que /etc/network/options contient\n" "# « syncookies=yes »\n" "net/ipv4/tcp_syncookies = 1\n" "#\n" "# Enregistrer les paquets martiens\n" "net/ipv4/conf/all/log_martians = 1\n" "#\n" "# Activer la vérification d'adresse source pour toutes les\n" "# interfaces pour empêcher certaines attaques par usurpation\n" "# 
Remarque : assurez-vous que /etc/network/options contient\n" "# « spoofprotect=yes »\n" "net/ipv4/conf/all/rp_filter = 1\n" "#\n" "# Ne pas accepter les paquets de routage source IP\n" "# (ce n'est pas un routeur)\n" "net/ipv4/conf/all/accept_source_route = 0" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2442 msgid "" "To use the script you need to first create the script, for example, in " "/etc/network/interface-secure (the name is given as an example) " "and call it from /etc/network/interfaces like this:" msgstr "" "Pour utiliser le script, vous devez tout d'abord le créer, par exemple, dans " "/etc/network/interface-secure (le nom est donné comme exemple) " "et l'appeler à partir de /etc/network/interfaces comme " "ceci :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2450 #, no-wrap msgid "" "auto eth0\n" "iface eth0 inet static\n" " address xxx.xxx.xxx.xxx\n" " netmask 255.255.255.xxx\n" " broadcast xxx.xxx.xxx.xxx\n" " gateway xxx.xxx.xxx.xxx\n" " pre-up /etc/network/interface-secure" msgstr "" "auto eth0\n" "iface eth0 inet static\n" " address xxx.xxx.xxx.xxx\n" " netmask 255.255.255.xxx\n" " broadcast xxx.xxx.xxx.xxx\n" " gateway xxx.xxx.xxx.xxx\n" " pre-up /etc/network/interface-secure" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2455 msgid "" "In this example, before the interface eth0 is enabled the script will be " "called to secure all network interfaces as shown below." msgstr "" "Dans cet exemple, avant que l'interface eth0 ne soit activée, le script sera " "appelé pour sécuriser toutes les interfaces réseau comme montré ci-dessous." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2486 #, no-wrap msgid "" "#!/bin/sh -e\n" "# Script-name: /etc/network/interface-secure\n" "#\n" "# Modifies some default behavior in order to secure against \n" "# some TCP/IP spoofing & attacks for all interfaces.\n" "#\n" "# Contributed by Dariusz Puchalak.\n" "#\n" "echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts \n" " # Broadcast echo protection enabled.\n" "echo 0 > /proc/sys/net/ipv4/conf/all/forwarding\n" " # IP forwarding disabled.\n" "echo 1 > /proc/sys/net/ipv4/tcp_syncookies # TCP syn cookies protection enabled.\n" "echo 1 >/proc/sys/net/ipv4/conf/all/log_martians # Log strange packets.\n" "# (this includes spoofed packets, source routed packets, redirect packets)\n" "# but be careful with this on heavy loaded web servers.\n" "echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses \n" " # Bad error message protection enabled.\n" "\n" "# IP spoofing protection.\n" "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter\n" "\n" "# Disable ICMP redirect acceptance.\n" "echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects\n" "echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects\n" "\n" "# Disable source routed packets.\n" "echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route\n" "\n" "exit 0" msgstr "" "#!/bin/sh -e\n" "# Nom du script : /etc/network/interface-secure\n" "#\n" "# Modification de plusieurs comportements par défaut pour sécuriser contre\n" "# certaines attaques et usurpations IP pour toutes les interfaces.\n" "#\n" "# Fourni par Dariusz Puchalak.\n" "#\n" "\n" "# Activation de la protection broadcast 
echo.\n" "echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts\n" "\n" "# Désactivation de l'IP forwarding.\n" "echo 0 > /proc/sys/net/ipv4/conf/all/forwarding\n" "\n" "# Activation de la protection TCP syn cookies.\n" "echo 1 > /proc/sys/net/ipv4/tcp_syncookies\n" "\n" "\n" "# Enregistrement des paquets avec des adresses impossibles\n" "# (cela comprend les paquets usurpés (spoofed), les paquets routés\n" "# source, les paquets redirigés), mais faites attention à cela\n" "# sur les serveurs web très chargés.\n" "echo 1 >/proc/sys/net/ipv4/conf/all/log_martians \n" "\n" "# Activation de la protection sur les mauvais messages d'erreur.\n" "echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses\n" "\n" "# Protection d'usurpation IP.\n" "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter\n" "\n" "# Désactivation des redirections ICMP.\n" "echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects\n" "echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects\n" "\n" "# Désactivation des paquets source routés.\n" "echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route\n" "\n" "exit 0" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2492 msgid "" "Notice that you can actually have per-interface scripts that will enable " "different network options for different interfaces (if you have more than " "one), just change the pre-up line to:" msgstr "" "Remarquez que vous pouvez en fait avoir des scripts par interface qui " "activeront différentes options réseau pour différentes interfaces (si vous " "en avez plus d'une), il vous suffit de changer la ligne pre-up en :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2494 #, no-wrap msgid "pre-up /etc/network/interface-secure $IFACE" msgstr "pre-up /etc/network/interface-secure $IFACE" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2501 msgid "" "And use a script which will only apply changes to a specific interface, not " "to all of the interfaces available. Notice that some networking options can " "only be enabled globally, however. A sample script is this one:" msgstr "" "et utiliser un script qui n'applique les changements qu'à une interface " "spécifique et non à toutes les interfaces disponibles. Notez cependant que " "certaines options réseau ne peuvent être appliquées que globalement. Un " "exemple de script est celui-ci :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2539 #, no-wrap msgid "" "#!/bin/sh -e\n" "# Script-name: /etc/network/interface-secure\n" "#\n" "# Modifies some default behavior in order to secure against \n" "# some TCP/IP spoofing & attacks for a given interface.\n" "#\n" "# Contributed by Dariusz Puchalak.\n" "#\n" "\n" "IFACE=$1\n" "if [ -z \"$IFACE\" ] ; then\n" " echo \"$0: Must give an interface name as argument!\"\n" " echo \"Usage: $0 <interface>\"\n" " exit 1\n" "fi\n" "\n" "if [ ! 
-e /proc/sys/net/ipv4/conf/$IFACE/ ]; then\n" " echo \"$0: Interface $IFACE does not exist (cannot find /proc/sys/net/ipv4/conf/)\"\n" " exit 1\n" "fi\n" "\n" "echo 0 > /proc/sys/net/ipv4/conf/$IFACE/forwarding # IP forwarding disabled.\n" "echo 1 >/proc/sys/net/ipv4/conf/$IFACE/log_martians # Log strange packets.\n" "# (this includes spoofed packets, source routed packets, redirect packets)\n" "# but be careful with this on heavily loaded web servers.\n" "\n" "# IP spoofing protection.\n" "echo 1 > /proc/sys/net/ipv4/conf/$IFACE/rp_filter\n" "\n" "# Disable ICMP redirect acceptance.\n" "echo 0 > /proc/sys/net/ipv4/conf/$IFACE/accept_redirects\n" "echo 0 > /proc/sys/net/ipv4/conf/$IFACE/send_redirects\n" "\n" "# Disable source routed packets.\n" "echo 0 > /proc/sys/net/ipv4/conf/$IFACE/accept_source_route\n" "\n" "exit 0" msgstr "" "#!/bin/sh -e\n" "# Nom du script : /etc/network/interface-secure\n" "#\n" "# Modifie plusieurs comportements par défaut pour sécuriser contre\n" "# certaines attaques et usurpations TCP/IP pour une interface donnée.\n" "#\n" "# Fourni par Dariusz Puchalak.\n" "#\n" "\n" "IFACE=$1\n" "if [ -z \"$IFACE\" ] ; then\n" " echo \"$0 : un nom d'interface doit être fourni en argument\"\n" " echo \"Utilisation : $0 <interface>\"\n" " exit 1\n" "fi\n" "\n" "if [ ! 
-e /proc/sys/net/ipv4/conf/$IFACE/ ]; then\n" " echo \"$0 : l'interface $IFACE n'existe pas \"\n" " echo \"(impossible de trouver /proc/sys/net/ipv4/conf/)\"\n" " exit 1\n" "fi\n" "\n" "# Désactivation de l'IP forwarding.\n" "echo 0 > /proc/sys/net/ipv4/conf/$IFACE/forwarding\n" "\n" "# Enregistrement des paquets avec des adresses impossibles\n" "# (cela inclut les paquets usurpés (spoofed), les paquets routés\n" "# source, les paquets redirigés), mais faites attention à cela\n" "# sur les serveurs web très chargés.\n" "echo 1 >/proc/sys/net/ipv4/conf/$IFACE/log_martians\n" "\n" "# Protection d'usurpation IP.\n" "echo 1 > /proc/sys/net/ipv4/conf/$IFACE/rp_filter\n" "\n" "# Désactivation des redirections ICMP.\n" "echo 0 > /proc/sys/net/ipv4/conf/$IFACE/accept_redirects\n" "echo 0 > /proc/sys/net/ipv4/conf/$IFACE/send_redirects\n" "\n" "# Désactivation des paquets source routés.\n" "echo 0 > /proc/sys/net/ipv4/conf/$IFACE/accept_source_route\n" "\n" "exit 0" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2546 msgid "" "An alternative solution is to create an init.d script and have it " "run on bootup (using update-rc.d to create the appropriate " "rc.d links)." msgstr "" "Vous pouvez également créer un script init.d et le faire exécuter " "au démarrage (en utilisant update-rc.d pour créer les liens " "rc.d appropriés)." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2548 msgid "Configuring firewall features" msgstr "Configuration des fonctionnalités de pare-feu" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2555 msgid "" "In order to have firewall capabilities, either to protect the local system " "or others behind it, the kernel needs to be compiled with firewall " "capabilities. The standard Debian 2.2 kernel (Linux 2.2) provides the packet " "filter ipchains firewall, Debian 3.0 standard kernel (Linux " "2.4) provides the stateful packet filter iptables " "(netfilter) firewall." msgstr "" "De façon à avoir des privilèges de pare-feu, soit pour protéger le système " "local ou d'autres derrière lui, le noyau doit être compilé avec les " "options correspondant aux pare-feu. Le noyau standard de Debian 2.2 " "(Linux 2.2) fournit ipchains qui est un pare-feu pour filtrer " "les paquets, le noyau standard de Debian 3.0 (Linux 2.4) fournit lui le pare-" "feu iptables (netfilter)." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2562 msgid "" "In any case, it is pretty easy to use a kernel different from the one " "provided by Debian. You can find pre-compiled kernels as packages you can " "easily install in the Debian system. You can also download the kernel " "sources using the kernel-source-X and build " "custom kernel packages using make-kpkg from the kernel-" "package package." msgstr "" "Dans tous les cas, il est relativement facile d'utiliser un noyau différent " "de celui fourni par Debian. Vous pouvez trouver des noyaux précompilés sous " "forme de paquets que vous pouvez facilement installer sur le système Debian. " "Vous pouvez également télécharger les sources du noyau en utilisant " "kernel-source-X et construire des paquets de " "noyau personnalisé en utilisant make-kpkg du paquet " "kernel-package." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2566 msgid "" "Setting up firewalls in Debian is discussed more thoroughly in ." msgstr "" "La mise en place de pare-feu dans Debian est abordée plus en détail dans " "." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2570 msgid "Disabling weak-end hosts issues" msgstr "Désactiver les problèmes d'hôtes weak-end" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2594 msgid "" "Systems with more than one interface on different networks can have services " "configured so that they will bind only to a given IP address. This usually " "prevents access to services when requested through any other address. " "However, this does not mean (although it is a common misconception) that the " "service is bound to a given hardware address (interface card). " "

To reproduce this (example provided by Felix von Leitner on the " "Bugtraq mailing list): host a (eth0 connected to eth0 of host b): " "ifconfig eth0 10.0.0.1 ifconfig eth1 23.0.0.1 tcpserver -RHl localhost " "23.0.0.1 8000 echo fnord host b: ifconfig eth0 10.0.0.2 route add 23.0.0.1 " "gw 10.0.0.1 telnet 23.0.0.1 8000

It seems, however, not to " "work with services bound to 127.0.0.1, you might need to write the tests " "using raw sockets.

" msgstr "" "Les systèmes avec plus d'une interface sur différents réseaux peuvent avoir " "des services configurés pour qu'ils ne puissent s'associer qu'à une adresse " "IP donnée. Cela prévient habituellement les accès aux services quand ils " "sont interrogés par une adresse donnée. Cependant, cela ne veut pas dire " "(bien qu'il s'agisse d'une erreur classique) que le service est lié à une " "adresse matérielle donnée (carte interface).

Pour " "reproduire cela (exemple fourni par Felix von Leitner sur la liste de " "diffusion Bugtraq) : hôte a (eth0 connecté sur l'eth0 de " "l'hôte b) : ifconfig eth0 10.0.0.1 ifconfig eth1 23.0.0.1 tcpserver -RHl " "localhost 23.0.0.1 8000 echo fnord hôte b : ifconfig eth0 10.0.0.2 route add " "23.0.0.1 gw 10.0.0.1 telnet 23.0.0.1 8000

Cela semble, " "cependant, ne pas fonctionner avec les services liés à 127.0.0.1, vous " "pourriez devoir écrire des tests utilisant des sockets bruts.

" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2600 msgid "" "This is not an ARP issue and it's not an RFC violation (it's called weak " "end host in , section 3.3.4.2). Remember, IP addresses have nothing to do " "with physical interfaces." msgstr "" "Ce n'est pas un problème ARP et ce n'est pas une violation de RFC (c'est ce " "que l'on appelle le weak end host dans la , section 3.3.4.2). Rappelez-" "vous que les adresses IP n'ont rien à voir avec les interfaces physiques." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2601 msgid "On 2.2 (and previous) kernels this can be fixed with:" msgstr "Sur les noyaux 2.2 (et antérieurs), cela peut être corrigé avec :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2606 #, no-wrap msgid "" "# echo 1 > /proc/sys/net/ipv4/conf/all/hidden\n" "# echo 1 > /proc/sys/net/ipv4/conf/eth0/hidden\n" "# echo 1 > /proc/sys/net/ipv4/conf/eth1/hidden\n" "....." msgstr "" "# echo 1 > /proc/sys/net/ipv4/conf/all/hidden\n" "# echo 1 > /proc/sys/net/ipv4/conf/eth0/hidden\n" "# echo 1 > /proc/sys/net/ipv4/conf/eth1/hidden\n" "..." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2608 msgid "On later kernels this can be fixed either with:" msgstr "Sur les noyaux suivants, cela peut être corrigé avec :" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2610 msgid "iptables rules." msgstr "des règles iptables ;" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2625 msgid "" "properly configured routing.

The fact that this behavior can be " "changed through routing was described by Matthew G. Marsh in the Bugtraq " "thread: eth0 = 1.1.1.1/24 eth1 = 2.2.2.2/24 ip rule add from " "1.1.1.1/32 dev lo table 1 prio 15000 ip rule add from 2.2.2.2/32 dev lo " "table 2 prio 16000 ip route add default dev eth0 table 1 ip route add " "default dev eth1 table 2

" msgstr "" "un routage correctement configuré

Le fait que ce comportement " "puisse être changé par le routage a été décrit par Matthew G. Marsh dans " "l'enfilade sur Bugtraq : eth0 = 1.1.1.1/24 eth1 = 2.2.2.2/24 " "ip rule add from 1.1.1.1/32 dev lo table 1 prio 15000 ip rule add from " "2.2.2.2/32 dev lo table 2 prio 16000 ip route add default dev eth0 table 1 " "ip route add default dev eth1 table 2

 ;" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2632 msgid "" "kernel patching.

There are some patches available for this " "behavior as described in Bugtraq's thread at and .

" msgstr "" "des correctifs du noyau

Il existe des correctifs disponibles " "pour ce comportement comme décrit dans l'enfilade sur Bugtraq à et .

." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2647 msgid "" "Along this text there will be many occasions in which it is shown how to " "configure some services (sshd server, apache, printer service...) in order " "to have them listening on any given address, the reader should take into " "account that, without the fixes given here, the fix would not prevent " "accesses from within the same (local) network.

An attacker " "might have many problems pulling the access through after configuring the IP-" "address binding if he is not on the same broadcast domain (same network) as " "the attacked host. If the attack goes through a router it might be quite " "difficult for the answers to return somewhere.

" msgstr "" "Tout au long de ce texte, il y aura plusieurs occasions pour lesquelles il " "est affiché comment configurer certains services (serveur SSH, Apache, " "service d'impression, etc.) pour les avoir en attente sur une adresse " "donnée, le lecteur devra prendre en compte que, sans les correctifs donnés " "ici, le correctif n'empêchera pas les accès depuis le même réseau (local). " "

Un attaquant peut avoir beaucoup de problèmes à transférer un " "accès après une configuration de l'adresse IP s'il n'est pas le domaine de " "broadcast (même réseau) que l'hôte attaqué. Si l'attaque passe par un " "routeur, il peut être assez difficile pour les réponses de retourner quelque " "part.

" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2650 msgid "" "FIXME: Comments on Bugtraq indicate there is a Linux specific method to bind " "to a given interface." msgstr "" "FIXME : Commentaires sur Bugtraq indiquant qu'il existe une méthode " "spécifique à Linux pour associer à une interface donnée." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2653 msgid "" "FIXME: Submit a bug against netbase so that the routing fix is standard " "behavior in Debian?" msgstr "" "FIXME : Créer un bogue sur netbase pour que le correctif de routage soit le " "comportement standard dans Debian ?" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2655 msgid "Protecting against ARP attacks" msgstr "Protéger contre les attaques ARP" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2659 msgid "" "When you don't trust the other boxes on your LAN (which should always be the " "case, because it's the safest attitude) you should protect yourself from the " "various existing ARP attacks." msgstr "" "Quand vous ne faites pas confiance aux autres machines du réseau (ce qui " "devrait toujours être le cas parce que c'est l'attitude la plus sûre), vous " "devriez vous protéger contre les différentes attaques ARP existantes." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2670 msgid "" "As you know the ARP protocol is used to link IP addresses to MAC addresses " "(see for " "all the details). Every time you send a packet to an IP address an ARP " "resolution is done (first by looking into the local ARP cache then if the IP " "isn't present in the cache by broadcasting an ARP query) to find the " "target's hardware address. All the ARP attacks aim to fool your box into " "thinking that box B's IP address is associated to the intruder's box's MAC " "address; Then every packet that you want to send to the IP associated to box " "B will be send to the intruder's box..." msgstr "" "Comme vous le savez, le protocole ARP est utilisé pour lier des adresses IP " "à des adresses MAC (consultez la pour tous les détails). À chaque fois que vous " "envoyez un paquet à une adresse IP, une résolution ARP est effectuée (en " "regardant en premier dans le cache local ARP, puis si l'adresse IP n'est pas " "présente dans le cache, en diffusant une requête ARP) pour trouver l'adresse " "matérielle de la cible. Toutes les attaques ARP ont pour but d'amener la " "machine à croire que l'adresse IP de la machine B est associée à l'adresse " "MAC de la machine de l'intrus ; puis tous les paquets que vous voudrez " "envoyer à l'adresse IP associée à la machine B seront envoyée à la machine " "de l'intrus, etc." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2678 msgid "" "Those attacks (ARP cache poisoning, ARP spoofing...) allow the attacker to " "sniff the traffic even on switched networks, to easily hijack connections, " "to disconnect any host from the network... ARP attacks are powerful and " "simple to implement, and several tools exists, such as arpspoof " "from the dsniff package or ." msgstr "" "Ces attaques (empoisonnement du cache, falsification ARP, etc.) permettent à " "l'attaquant de renifler le trafic même sur des réseaux utilisant des " "switchs, pour pirater facilement des connexions, pour déconnecter tout hôte " "du réseau, etc. Les attaques ARP sont puissantes et simples à implémenter et " "plusieurs outils existent comme arpspoof du paquet " "dsniff ou ." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2680 msgid "However, there is always a solution:" msgstr "Cependant, il existe toujours une solution :" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2685 msgid "" "Use a static ARP cache. You can set up \"static\" entries in your ARP cache " "with:" msgstr "" "utiliser un cache ARP statique. Vous pouvez mettre en place des entrées " "« statiques Â» dans le cache ARP avec :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2687 #, no-wrap msgid " arp -s host_name hdwr_addr" msgstr " arp -s nom_d_hôte adresse_matérielle" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2695 msgid "" "By setting static entries for each important host in your network you ensure " "that nobody will create/modify a (fake) entry for these hosts (static " "entries don't expire and can't be modified) and spoofed ARP replies will be " "ignored." msgstr "" "En plaçant des entrées statiques pour chaque hôte important du réseau, vous " "garantissez que personne ne pourra créer ou modifier une entrée (dissimulée) " "pour ces hôtes (les entrées statiques n'expirent pas et elles ne peuvent pas " "être modifiées) et les réponses ARP falsifiées seront ignorées ;" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2701 msgid "" "Detect suspicious ARP traffic. You can use arpwatch, " "karpski or more general IDS that can also detect " "suspicious ARP traffic (snort, ...)." msgstr "" "détecter le trafic ARP suspect. Vous pouvez utiliser arpwatch, karpski ou des IDS plus généraux qui peuvent " "également détecter le trafic ARP suspect (snort, , etc.) ;" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2702 msgid "Implement IP traffic filtering validating the MAC address." msgstr "implémenter un filtrage de trafic IP validant l'adresse MAC." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2707 msgid "Taking a snapshot of the system" msgstr "Prendre un instantané (« snapshot Â») du système" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2713 msgid "" "Before putting the system into production you could take a snapshot " "of the whole system. This snapshot could be used in the event of a " "compromise (see ). You should remake this " "snapshot whenever the system is upgraded, especially if you upgrade to a new " "Debian release, since the checksums of the upgraded binaries will otherwise " "no longer match." msgstr "" "Avant de mettre le système en production, vous pouvez prendre un instantané " "du système entier. Cet instantané pourrait être utilisé en cas de " "compromission (consultez ). Vous devriez " "refaire cet instantané à chaque fois que le système est mis à jour, " "particulièrement si vous mettez à jour vers une nouvelle version de Debian, " "sinon les sommes de contrôle des binaires mis à jour ne correspondront plus." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2719 msgid "" "For this you can use a writable removable-media that can be set up read-" "only, this could be a floppy disk (read protected after use), a CD on a CD-" "ROM unit (you could use a rewritable CD-ROM so you could even keep backups " "of md5sums in different dates), or a USB disk or MMC card (if your system " "can access those and they can be write protected)." msgstr "" "Pour cela, vous pouvez utiliser un support inscriptible et amovible qui peut " "être positionné en lecture seule, ce peut être une disquette (en lecture " "seule après utilisation), un CD d'une unité de CD (vous pourriez utiliser un " "CD réinscriptible, ainsi vous pourriez même garder des sauvegardes des " "md5sums à différentes dates), ou un disque USB ou une carte MMC (si le " "système peut accéder à ceux-ci et qu'ils peuvent être protégés en écriture)." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2721 msgid "The following script creates such a snapshot:" msgstr "Le script suivant crée un tel instantané :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2751 #, no-wrap msgid "" "#!/bin/bash\n" "/bin/mount /dev/fd0 /mnt/floppy\n" "trap \"/bin/umount /dev/fd0\" 0 1 2 3 9 13 15\n" "if [ ! -f /usr/bin/md5sum ] ; then\n" "\techo \"Cannot find md5sum. Aborting.\"\n" "\texit 1\n" "fi\n" "/bin/cp /usr/bin/md5sum /mnt/floppy\n" "echo \"Calculating md5 database\"\n" ">/mnt/floppy/md5checksums.txt\n" "for dir in /bin/ /sbin/ /usr/bin/ /usr/sbin/ /lib/ /usr/lib/\n" "do\n" " find $dir -type f | xargs /usr/bin/md5sum >>/mnt/floppy/md5checksums-lib.txt\n" "done\n" "echo \"post installation md5 database calculated\"\n" "if [ ! -f /usr/bin/sha1sum ] ; then\n" "\techo \"Cannot find sha1sum\"\n" " echo \"WARNING: Only md5 database will be stored\"\n" "else\n" "\t/bin/cp /usr/bin/sha1sum /mnt/floppy\n" "\techo \"Calculating SHA-1 database\"\n" "\t>/mnt/floppy/sha1checksums.txt\n" "\tfor dir in /bin/ /sbin/ /usr/bin/ /usr/sbin/ /lib/ /usr/lib/\n" "\tdo\n" "\t find $dir -type f | xargs /usr/bin/sha1sum >>/mnt/floppy/sha1checksums-lib.txt\n" "\tdone\n" "\techo \"post installation sha1 database calculated\"\n" "fi\n" "exit 0" msgstr "" "#!/bin/bash\n" "/bin/mount /dev/fd0 /mnt/floppy\n" "trap \"/bin/umount /dev/fd0\" 0 1 2 3 9 13 15\n" "if [ ! -f /usr/bin/md5sum ] ; then\n" " echo \"Impossible de trouver md5sum. Échec.\"\n" " exit 1\n" "fi\n" "/bin/cp /usr/bin/md5sum /mnt/floppy\n" "echo \"Calcul de la base de données md5\"\n" ">/mnt/floppy/md5checksums.txt\n" "for dir in /bin/ /sbin/ /usr/bin/ /usr/sbin/ /lib/ /usr/lib/\n" "do\n" " find $dir -type f | xargs /usr/bin/md5sum\\\n" "\t >>/mnt/floppy/md5checksums-lib.txt\n" "done\n" "echo \"Base de données md5 de post-installation calculée\"\n" "if [ ! 
-f /usr/bin/sha1sum ] ; then\n" " echo \"Impossible de trouver sha1sum\"\n" " echo \"Attention : seule la base de données MD5 sera gardée\"\n" "else\n" " /bin/cp /usr/bin/sha1sum /mnt/floppy\n" " echo \"Calcul de la base de données SHA-1\"\n" " >/mnt/floppy/sha1checksums.txt\n" " for dir in /bin/ /sbin/ /usr/bin/ /usr/sbin/ /lib/ /usr/lib/\n" " do\n" " find $dir -type f | xargs /usr/bin/sha1sum\\\n" " >>/mnt/floppy/sha1checksums-lib.txt\n" " done\n" " echo \"Base de données SHA-1 de post-installation calculée\"\n" "fi\n" "exit 0" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2765 msgid "" "Note that the md5sum binary (and sha1sum, if available) is placed on the " "floppy drive so it can be used later on to check the binaries of the system " "(just in case it gets trojaned). However, if you want to make sure that you " "are running a legitimate binary, you might want to either compile a static " "copy of the md5sum binary and use that one (to prevent a trojaned libc " "library from interfering with the binary) or to use the snapshot of md5sums " "only from a clean environment such as a rescue CD-ROM or a Live-CD (to " "prevent a trojaned kernel from interfering). I cannot stress this enough: if " "you are on a compromised system you cannot trust its output, see . Also " "note two details of the script above: it truncates md5checksums.txt and " "sha1checksums.txt but appends the results to md5checksums-lib.txt and " "sha1checksums-lib.txt, so use consistent file names; and find | xargs " "without -print0 / -0 will mishandle file names containing whitespace. " "Finally, MD5 (and, increasingly, SHA-1) is no longer considered collision " "resistant; prefer a stronger hash such as sha256sum if it is available." msgstr "" "Notez que le binaire md5sum (et le binaire sha1sum, s'il est disponible) est " "placé sur la disquette pour pouvoir être utilisé plus tard pour vérifier les " "binaires du système (juste au cas où il serait aussi corrompu). Cependant, " "si vous voulez vous assurer que vous exécutez bien un binaire légitime, vous " "pouvez vouloir, soit compiler une copie statique du binaire md5sum et " "utiliser celui-ci (pour empêcher une bibliothèque libc corrompue " "d'interférer avec le binaire), soit utiliser des instantanés de md5sums " "depuis un environnement propre exclusivement comme un CD de récupération ou " "un CD autonome (pour empêcher un noyau corrompu d'interférer). Je ne peux " "insister assez sur ce point : si vous êtes sur un système compromis, " "vous ne pouvez pas faire confiance à ce qui s'affiche, consultez . Notez " "aussi deux détails du script ci-dessus : il vide md5checksums.txt et " "sha1checksums.txt mais ajoute les résultats dans md5checksums-lib.txt et " "sha1checksums-lib.txt, utilisez donc des noms de fichiers cohérents ; et " "find | xargs sans -print0 / -0 traitera mal les noms de fichiers contenant " "des espaces. Enfin, MD5 (et, de plus en plus, SHA-1) n'est plus considéré " "comme résistant aux collisions ; préférez une empreinte plus robuste comme " "sha256sum si elle est disponible." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2770 msgid "" "The snapshot does not include the files under /var/lib/dpkg/info which includes the MD5 hashes of installed packages (in files ending " "with .md5sums). You could copy this information along too, " "however you should notice:" msgstr "" "L'instantané n'inclut pas les fichiers sous /var/lib/dpkg/info " "qui incluent les sommes de hachage MD5 des paquets installés (dans les " "fichiers se terminant par .md5sums). Vous pourriez également y " "copier ces renseignements, veuillez cependant noter que :" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2779 msgid "" "the md5sums files include the md5sum of all files provided by the Debian " "packages, not just system binaries. As a consequence, that database is " "bigger (5 Mb versus 600 Kb in a Debian GNU/Linux system with a graphical " "system and around 2.5 Gb of software installed) and will not fit in small " "removable media (like a single floppy disk, but would probably fit in a " "removable USB memory)." msgstr "" "les fichiers md5sums incluent les md5sums de tous les fichiers fournis par " "les paquets Debian, pas seulement les binaires système. Par conséquent, la " "base de données est plus importante (5 Mo contre 600 ko dans un " "système Debian GNU/Linux avec un système graphique et environ 2,5 Go de " "logiciels installés) et elle ne tiendra pas sur un petit support amovible " "(comme une simple disquette, mais tiendra sans doute sur une clef USB) ;" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2783 msgid "" "not all Debian packages provide md5sums for the files installed since it is " "not (currently) mandated policy. Notice, however, that you can generate the " "md5sums for all packages using debsums after you've " "finished the system installation:" msgstr "" "tous les paquets Debian ne fournissent pas les md5sums pour les fichiers " "installé car ce n'est pas (actuellement) imposé par la Charte. Notez, " "cependant, que vous pouvez générer les md5sums pour tous les paquets en " "utilisant debsums après avoir fini l'installation du " "système :" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2785 #, no-wrap msgid "# debsums --generate=missing,keep" msgstr "# debsums --generate=missing,keep" #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2794 msgid "" "Once the snapshot is done you should make sure to set the medium read-only. " "You can then store it for backup or place it in the drive and use it to " "drive a cron check nightly comparing the original md5sums " "against those on the snapshot." msgstr "" "Une fois que l'instantané est fait, vous devriez vous assurer de placer le " "support en lecture seule. Vous pouvez ensuite le stocker pour archivage ou " "le placer dans le lecteur et utiliser une vérification cron " "toutes les nuits en comparant les md5sums d'origine avec ceux de " "l'instantané." #. type:

#: securing-debian-howto.en.sgml:52 en/after-install.sgml:2798 msgid "" "If you do not want to setup a manual check you can always use any of the " "integrity systems available that will do this and more, for more information " "please read ." msgstr "" "Si vous ne voulez pas configurer de vérification manuelle, vous pouvez " "toujours utiliser n'importe quel système d'intégrité disponible qui fera " "cela et plus, pour de plus amples renseignements, veuillez consulter ." #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2802 msgid "Other recommendations" msgstr "Autres recommandations" #. type: #: securing-debian-howto.en.sgml:52 en/after-install.sgml:2804 msgid "Do not use software depending on svgalib" msgstr "N'utilisez pas de logiciels dépendant de svgalib" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:3 msgid "" "SVGAlib is very nice for console lovers like me, but in the past it has been " "proven several times that it is very insecure. Exploits against zgv were released, and it was simple to become root. Try to prevent using " "SVGAlib programs wherever possible." msgstr "" "SVGAlib est très bien pour les amoureux de la console mais s'est montrée " "très peu sûre par le passé. Des exploitations de failles de zgv " "ont été diffusées et il était facile de devenir superutilisateur. Essayez " "d'éviter l'utilisation de programmes utilisant la SVGAlib chaque fois que " "c'est possible." #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:5 msgid "Securing services running on your system" msgstr "Sécurisation des services du système" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:7 msgid "Services can be secured in a running system in two ways:" msgstr "" "Les services présents sur un système peuvent être sécurisés de deux " "façons :" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:12 msgid "" "Making them only accessible at the access points (interfaces) they need to " "be in." msgstr "" "les rendre accessibles uniquement aux points d'accès (interfaces) " "nécessaires ;" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:15 msgid "" "Configuring them properly so that they can only be used by legitimate users " "in an authorized manner." msgstr "" "les configurer correctement ainsi seuls les utilisateurs habilités pourront " "les utiliser." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:24 msgid "" "Restricting services so that they can only be accessed from a given place " "can be done by restricting access to them at the kernel (i.e. firewall) " "level, configure them to listen only on a given interface (some services " "might not provide this feature) or using some other methods, for example the " "Linux vserver patch (for 2.4.16) can be used to force processes to use only " "one interface." msgstr "" "Restreindre les services pour qu'ils ne soient accessibles que depuis un " "endroit bien spécifique peut être fait au niveau du noyau (pare-feu), " "configurez les services pour écouter uniquement sur une interface définie " "(certains services ne fournissent peut-être pas cette fonctionnalité) ou " "utilisez tout autre méthode, par exemple le correctif vserver pour Linux " "(2.4.16) peut être utilisé pour forcer les processus à n'utiliser qu'une " "interface." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:35 msgid "" "Regarding the services running from inetd (telnet, " "ftp, finger, pop3...) it is worth " "noting that inetd can be configured so that services only " "listen on a given interface (using service@ip syntax) but that's an " "undocumented feature. One of its substitutes, the xinetd meta-" "daemon includes a bind option just for this matter. See ." msgstr "" "Concernant les services lancés par inetd (telnet, " "ftp, finger, pop3, etc.), il est à " "noter que inetd peut être configuré pour que les services n'écoutent que sur " "une interface précise (en utilisant la syntaxe service@ip), mais " "c'est une fonctionnalité non documentée. L'un de ses remplaçants, le " "métadémon xinetd, inclut une option bind pour faire " "cela. Consultez ." #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:48 #, no-wrap msgid "" "service nntp\n" "{\n" " socket_type = stream\n" " protocol = tcp\n" " wait = no\n" " user = news\n" " group = news\n" " server = /usr/bin/env\n" " server_args = POSTING_OK=1 PATH=/usr/sbin/:/usr/bin:/sbin/:/bin\n" "+/usr/sbin/snntpd logger -p news.info\n" " bind = 127.0.0.1\n" "}" msgstr "" "service nntp\n" "{\n" " socket_type = stream\n" " protocol = tcp\n" " wait = no\n" " user = news\n" " group = news\n" " server = /usr/bin/env\n" " server_args = POSTING_OK=1 PATH=/usr/sbin/:/usr/bin:/sbin/:/bin\n" "+/usr/sbin/snntpd logger -p news.info\n" " bind = 127.0.0.1\n" "}" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:54 msgid "" "The following sections detail how specific individual services can be " "configured properly depending on their intended use." msgstr "" "Les paragraphes suivants détaillent comment déterminer les services qui " "peuvent être configurés correctement en fonction de leur utilisation." #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:55 msgid "Securing ssh" msgstr "Sécurisation de SSH" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:63 msgid "" "If you are still running telnet instead of ssh, you should take a break from " "this manual and change this. Ssh should be used for all remote logins " "instead of telnet. In an age where it is easy to sniff Internet traffic and " "get clear-text passwords, you should use only protocols which use " "cryptography. So, perform an apt-get install ssh on your system now." msgstr "" "Si vous utilisez toujours TELNET au lieu de SSH, vous devriez prendre une " "pause dans la lecture de ce manuel pour remédier à cela. SSH devrait être " "utilisé pour toutes les connexions distantes à la place de TELNET. À une " "époque où il est facile de scruter le trafic Internet et d'obtenir les mots " "de passe en clair, vous devriez utiliser uniquement les protocoles qui " "utilisent la cryptographie. Par conséquent, effectuez maintenant un apt-" "get install ssh sur le système." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:71 msgid "" "Encourage all the users on your system to use ssh instead of telnet, or even " "better, uninstall telnet/telnetd. In addition you should avoid logging into " "the system using ssh as root and use alternative methods to become root " "instead, like su or sudo. Finally, the " "sshd_config file, in /etc/ssh, should be modified " "to increase security as well:" msgstr "" "Encourager tous les utilisateurs du système à utiliser SSH au lieu de " "TELNET, ou mieux encore, désinstallez telnet/telnetd. De plus, vous devriez " "éviter de vous connecter au système en utilisant SSH en tant que " "superutilisateur et préférer l'utilisation de méthodes alternatives pour " "devenir superutilisateur comme su ou sudo. Enfin, le " "fichier sshd_config, dans /etc/ssh, devrait être " "modifié comme suit pour accroître la sécurité." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:71 msgid "ListenAddress 192.168.0.1" msgstr "ListenAddress 192.168.0.1" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:77 msgid "" "Have ssh listen only on a given interface, just in case you have more than " "one (and do not want ssh available on it) or in the future add a new network " "card (and don't want ssh connections from it)." msgstr "" "Ne faîtes écouter SSH que sur une interface donnée, juste au cas où vous en " "ayez plus d'une (et ne voulez pas que SSH y soit disponible) ou si vous " "ajoutez, dans le futur, une nouvelle carte réseau (et ne voulez pas de " "connexions SSH dessus)." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:79 msgid "PermitRootLogin no" msgstr "PermitRootLogin no" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:83 msgid "" "Try not to permit Root Login wherever possible. If anyone wants to become " "root via ssh, now two logins are needed and the root password cannot be " "brute forced via SSH." msgstr "" "Essayez autant que possible de ne pas autoriser de connexion en tant que " "superutilisateur. Si quelqu'un veut devenir superutilisateur par SSH, deux " "connexions sont maintenant nécessaires et le mot de passe du " "superutilisateur ne peut être attaqué par force brute par SSH." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:85 msgid "Port 666 or ListenAddress 192.168.0.1:666" msgstr "Port 666 ou ListenAddress 192.168.0.1:666" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:89 msgid "" "Change the listen port, so the intruder cannot be completely sure whether a " "sshd daemon runs (be forewarned, this is security by obscurity)." msgstr "" "Change le port d'écoute, ainsi l'intrus ne peut être complètement sûr de " "l'exécution d'un démon sshd (soyez prévenus, c'est de la sécurité par " "l'obscurité)." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:90 msgid "PermitEmptyPasswords no" msgstr "PermitEmptyPasswords no" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:92 msgid "Empty passwords make a mockery of system security." msgstr "Les mots de passe vides sont un affront au système de sécurité." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:93 msgid "AllowUsers alex ref me@somewhere" msgstr "AllowUsers alex ref moi@quelquepart" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:97 msgid "" "Allow only certain users to have access via ssh to this machine. " "user@host can also be used to restrict a given user to connecting " "only from a given host (the host part is matched against the client's " "hostname or IP address, see the sshd_config manpage)." msgstr "" "Autorise seulement certains utilisateurs à avoir accès par SSH à cette " "machine. user@host peut également être utilisé pour n'autoriser " "l'accès qu'à un utilisateur donné depuis un hôte donné (la partie hôte est " "comparée au nom d'hôte ou à l'adresse IP du client, consultez la page de " "manuel de sshd_config)." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:98 msgid "AllowGroups wheel admin" msgstr "AllowGroups wheel admin" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:103 msgid "" "Allow only certain group members to have access via ssh to this machine. " "AllowGroups and AllowUsers have equivalent directives for denying access to " "a machine. Not surprisingly they are called \"DenyUsers\" and \"DenyGroups\"." msgstr "" "Autorise seulement certains membres de groupes à avoir accès par SSH à cette " "machine. AllowGroups et AllowUsers ont des directives équivalentes pour " "interdire l'accès à la machine. Sans surprise elles s'appellent « " "DenyUsers Â» et « DenyGroups Â»." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:105 msgid "PasswordAuthentication yes" msgstr "PasswordAuthentication yes" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:117 msgid "" "It is completely your choice what you want to do. It is more secure to only " "allow access to the machine from users with ssh-keys placed in the ~/." "ssh/authorized_keys file. If you want so, set this one to \"no\". Note " "that when UsePAM is enabled, ChallengeResponseAuthentication also has to be " "set to \"no\", otherwise PAM can still offer an interactive password prompt." msgstr "" "Il vous appartient complètement de décider ce que vous voulez faire. Il est " "plus sûr d'autoriser l'accès à la machine uniquement aux utilisateurs avec " "des clefs SSH placées dans le fichier ~/.ssh/authorized_keys. " "Si c'est ce que vous voulez, positionnez cette option à « no ». Notez " "qu'avec UsePAM activé, ChallengeResponseAuthentication doit aussi être " "positionné à « no », sinon PAM peut encore proposer une saisie interactive " "de mot de passe." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:124 msgid "" "Disable any form of authentication you do not really need, if you do not " "use, for example RhostsRSAAuthentication, " "HostbasedAuthentication, KerberosAuthentication or " "RhostsAuthentication you should disable them, even if they are " "already disabled by default: setting them explicitly protects you against a " "changed default in a later version (see the manpage )." msgstr "" "Désactiver toute forme d'authentification dont vous n'avez pas réellement " "besoin : si vous n'utilisez pas, par exemple, " "RhostsRSAAuthentication, HostbasedAuthentication, " "KerberosAuthentication ou RhostsAuthentication, vous " "devriez les désactiver même s'ils le sont déjà par défaut : les positionner " "explicitement vous protège contre un changement de valeur par défaut dans " "une version ultérieure (consultez la page de manuel )." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:125 msgid "Protocol 2" msgstr "Protocol 2" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:131 msgid "" "Disable the protocol version 1, since it has some design flaws that make it " "easier to crack passwords. For more information read or the ." msgstr "" "Désactiver le protocole version 1, car il a des défauts de conception qui " "facilitent le piratage de mots de passe. Pour obtenir de plus amples " "renseignements, consultez ou le ." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:132 msgid "Banner /etc/some_file" msgstr "Banner /etc/un_fichier" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:137 msgid "" "Add a banner (it will be retrieved from the file) to users connecting to the " "ssh server. In some countries sending a warning before access to a given " "system about unauthorized access or user monitoring should be added to have " "legal protection." msgstr "" "Ajouter une bannière (elle sera récupérée du fichier) pour les utilisateurs " "se connectant au serveur SSH. Dans certains pays, envoyer un avertissement " "avant l'accès à un système donné avertissant des accès non autorisés ou du " "suivi des utilisateurs devrait être ajouté pour avoir une protection légale." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:145 msgid "" "You can also restrict access to the ssh server using pam_listfile " "or pam_wheel in the PAM control file (this requires UsePAM to " "be enabled in sshd_config). Note that the PAM auth stack is only consulted " "for password and keyboard-interactive logins, so an auth line does not " "restrict public-key logins; use the account stack, or sshd's AllowUsers, to " "cover every authentication method. For example, you could keep " "anyone not listed in /etc/loginusers away by adding this line " "to /etc/pam.d/ssh:" msgstr "" "Vous pouvez également restreindre l'accès au serveur ssh en utilisant " "pam_listfile ou pam_wheel dans le fichier de contrôle PAM " "(cela nécessite que UsePAM soit activé dans sshd_config). Notez que la " "pile auth de PAM n'est consultée que pour les connexions par mot de passe " "ou interactives, une ligne auth ne restreint donc pas les connexions par " "clef publique ; utilisez la pile account, ou AllowUsers de sshd, pour " "couvrir toutes les méthodes d'authentification. " "Par exemple, vous pourriez bloquer tous les utilisateurs qui ne sont pas " "dans /etc/loginusers en ajoutant cette ligne à /etc/pam.d/" "ssh :" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:147 #, no-wrap msgid "auth required pam_listfile.so sense=allow onerr=fail item=user file=/etc/loginusers" msgstr "auth required pam_listfile.so sense=allow onerr=fail item=user file=/etc/loginusers" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:159 msgid "" "As a final note, be aware that these directives are from a OpenSSH " "configuration file. Right now, there are three commonly used SSH daemons, " "ssh1, ssh2, and OpenSSH by the OpenBSD people. Ssh1 was the first ssh daemon " "available and it is still the most commonly used (there are rumors that " "there is even a Windows port). Ssh2 has many advantages over ssh1 except it " "is released under a closed-source license. OpenSSH is completely free ssh " "daemon, which supports both ssh1 and ssh2. OpenSSH is the version installed " "on Debian when the package ssh is chosen." msgstr "" "Pour finir, soyez conscient que ces directives proviennent d'un fichier de " "configuration OpenSSH. Actuellement, trois démons SSH sont couramment " "utilisés, ssh1, ssh2, et OpenSSH par les gens d'OpenBSD. ssh1 était le " "premier démon SSH disponible et est toujours le plus couramment utilisé (il " "y a même des rumeurs à propos d'un portage pour Windows). ssh2 a beaucoup " "d'avantages par rapport à ssh1 sauf qu'il est diffusé sous une licence non " "libre. OpenSSH est un démon SSH complètement libre, qui gère à la fois ssh1 " "et ssh2. OpenSSH est la version installée sur Debian quand le paquet " "ssh est choisi." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:164 msgid "" "You can read more information on how to set up SSH with PAM support in the " "." msgstr "" "Vous pouvez obtenir plus d'informations concernant la mise en place de SSH " "avec la prise en charge PAM dans les ." #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:165 msgid "Chrooting ssh" msgstr "Chrooter SSH" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:176 msgid "" "Currently OpenSSH does not provide a way to chroot automatically users upon " "connection (the commercial version does provide this functionality). However " "there is a project to provide this functionality for OpenSSH too, see , it is not currently packaged for " "Debian, though. You could use, however, the pam_chroot module " "as described in . Newer OpenSSH releases also provide a ChrootDirectory " "directive; check the sshd_config manpage of the version you run." msgstr "" "OpenSSH ne fournit pas de moyen à l'heure actuelle pour chrooter " "automatiquement les utilisateurs lors de la connexion (la version " "commerciale fournit cette fonctionnalité). Cependant, il existe un projet " "ayant pour but de fournir cette fonctionnalité pour OpenSSH également, " "consultez , il n'est cependant " "pas empaqueté pour Debian actuellement. Vous pourriez cependant utiliser le " "module pam_chroot comme décrit dans . Les versions plus récentes d'OpenSSH " "fournissent aussi une directive ChrootDirectory ; consultez la page de " "manuel de sshd_config de la version que vous utilisez." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:179 msgid "" "In you can find several options to make a chroot " "environment for SSH." msgstr "" "Dans , vous pouvez trouver plusieurs options pour " "créer un environnement chroot pour SSH." #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:181 msgid "Ssh clients" msgstr "Clients SSH" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:187 msgid "" "If you are using an SSH client against the SSH server you must make sure " "that it supports the same protocols that are enforced on the server. For " "example, if you use the mindterm package, it only " "supports protocol version 1. However, the sshd server is, by default, " "configured to only accept version 2 (for security reasons)." msgstr "" "Si vous utilisez un client SSH pour vous connecter au serveur SSH, vous devez " "vous assurer qu'il prend en charge les mêmes protocoles que ceux utilisés " "sur le serveur. Par exemple, si vous utilisez le paquet mindterm, il ne prend en charge que le protocole version 1. Cependant, le " "serveur sshd est, par défaut, configuré pour n'accepter que la version 2 " "(pour des raisons de sécurité)." #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:189 msgid "Disallowing file transfers" msgstr "Interdire les transferts de fichiers" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:195 msgid "" "If you do not want users to transfer files to and from the ssh " "server you need to restrict access to the sftp-server and the scp access. You can restrict sftp-server " "by configuring the proper Subsystem in the /etc/ssh/" "sshd_config." msgstr "" "Si vous ne voulez pas que les utilisateurs transfèrent des fichiers " "depuis et vers le serveur ssh, vous devez restreindre l'accès au sftp-" "server et l'accès scp. Vous pouvez restreindre " "sftp-server en configurant le bon Subsystem dans " "/etc/ssh/sshd_config." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:199 msgid "" "You can also chroot users (using libpam-chroot) so that, " "even if file transfer is allowed, they are limited to an environment which " "does not include any system files." msgstr "" "Vous pouvez aussi cloisonner les utilisateurs dans un chroot (en utilisant " "libpam-chroot) de telle sorte que même si le transfert de " "fichiers est autorisé, ils soient limités à un environnement qui ne contient " "aucun fichier système." #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:201 msgid "Restricting access to file transfer only" msgstr "Restriction d'accès au seul transfert de fichiers" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:205 msgid "" "You might want to restrict access to users so that they can only do file " "transfers and cannot have interactive shells. In order to do this you can " "either:" msgstr "" "Vous pourriez restreindre l'accès aux utilisateurs pour leur permettre " "seulement le transfert de fichiers sans interpréteur de commandes " "interactif. Pour faire cela, vous pouvez :" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:210 msgid "" "disallow users from login to the ssh server (as described above either " "through the configuration file or PAM configuration)." msgstr "" "soit interdire les connexions d'utilisateurs au serveur SSH (comme décrit ci-" "dessus par le fichier de configuration ou par la configuration PAM) ;" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:215 msgid "" "give users a restricted shell such as scponly or " "rssh. These shells restrict the commands available to the " "users so that they are not provided any remote execution privileges." msgstr "" "soit donner aux utilisateurs un interpréteur de commandes restreint comme " "scponly ou rssh. Ces interpréteurs de " "commandes restreignent les commandes disponibles pour les utilisateurs afin " "de ne pas leur donner de droits d'exécution à distance." #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:219 msgid "Securing Squid" msgstr "Sécurisation de Squid" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:242 msgid "" "Squid is one of the most popular proxy/cache server, and there are some " "security issues that should be taken into account. Squid's default " "configuration file denies all users requests. However the Debian package " "allows access from 'localhost', you just need to configure your browser " "properly. You should configure Squid to allow access to trusted users, hosts " "or networks defining an Access Control List on /etc/squid/squid.conf, see the for more information about defining ACLs " "rules. Notice that Debian provides a minimum configuration for Squid that " "will prevent anything, except from localhost to connect to your " "proxy server (which will run in the default port 3128). You will need to " "customize your /etc/squid/squid.conf as needed. The recommended " "minimum configuration (provided with the package) is shown below:" msgstr "" "Squid est l'un des plus populaires serveurs mandataire (« proxy ») " "et cache et certains problèmes de sécurité sont à prendre en compte. Le " "fichier de configuration par défaut de Squid refuse toutes les requêtes " "d'utilisateurs. Cependant, le paquet Debian permet l'accès depuis « " "localhost », il est simplement nécessaire de configurer le navigateur " "correctement. Vous devriez configurer Squid pour permettre l'accès aux " "utilisateurs, hôtes ou réseaux de confiance en définissant une liste de " "contrôle d'accès (ACL) dans /etc/squid/squid.conf. Consultez le " " pour plus d'informations à propos des règles ACL. " "Veuillez noter que Debian fournit une configuration minimale pour Squid qui " "empêche tout, à l'exception de la connexion de localhost au serveur " "mandataire (qui fonctionnera sur le port 3128 par défaut). Vous devrez " "personnaliser le fichier /etc/squid/squid.conf comme nécessaire. " "La configuration minimale recommandée (fournie avec le paquet) est indiquée " "ci-dessous :" #. 
type: #: securing-debian-howto.en.sgml:53 en/services.sgml:282 #, no-wrap msgid "" "acl all src 0.0.0.0/0.0.0.0\n" "acl manager proto cache_object\n" "acl localhost src 127.0.0.1/255.255.255.255\n" "acl SSL_ports port 443 563\n" "acl Safe_ports port 80 # http\n" "acl Safe_ports port 21 # ftp\n" "acl Safe_ports port 443 563 # https, snews\n" "acl Safe_ports port 70 # gopher\n" "acl Safe_ports port 210 # wais\n" "acl Safe_ports port 1025-65535 # unregistered ports\n" "acl Safe_ports port 280 # http-mgmt\n" "acl Safe_ports port 488 # gss-http\n" "acl Safe_ports port 591 # filemaker\n" "acl Safe_ports port 777 # multiling http\n" "acl Safe_ports port 901 # SWAT\n" "acl purge method PURGE\n" "acl CONNECT method CONNECT\n" "(...)\n" "# Only allow cachemgr access from localhost\n" "http_access allow manager localhost\n" "http_access deny manager\n" "# Only allow purge requests from localhost\n" "http_access allow purge localhost\n" "http_access deny purge\n" "# Deny requests to unknown ports\n" "http_access deny !Safe_ports\n" "# Deny CONNECT to other than SSL ports\n" "http_access deny CONNECT !SSL_ports\n" "#\n" "# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS\n" "#\n" "http_access allow localhost\n" "# And finally deny all other access to this proxy\n" "http_access deny all\n" "#Default:\n" "# icp_access deny all\n" "#\n" "#Allow ICP queries from everyone\n" "icp_access allow all" msgstr "" "acl all src 0.0.0.0/0.0.0.0\n" "acl manager proto cache_object\n" "acl localhost src 127.0.0.1/255.255.255.255\n" "acl SSL_ports port 443 563\n" "acl Safe_ports port 80 # http\n" "acl Safe_ports port 21 # ftp\n" "acl Safe_ports port 443 563 # https, snews\n" "acl Safe_ports port 70 # gopher\n" "acl Safe_ports port 210 # wais\n" "acl Safe_ports port 1025-65535 # ports non enregistrés\n" "acl Safe_ports port 280 # http-mgmt\n" "acl Safe_ports port 488 # gss-http\n" "acl Safe_ports port 591 # filemaker\n" "acl Safe_ports port 777 # multiling http\n" "acl Safe_ports 
port 901 # SWAT\n" "acl purge method PURGE\n" "acl CONNECT method CONNECT\n" "(...)\n" "# Ne permet l'accès à cachemgr que depuis localhost\n" "http_access allow manager localhost\n" "http_access deny manager\n" "# Ne permet des requêtes de purge que depuis localhost\n" "http_access allow purge localhost\n" "http_access deny purge\n" "# Interdit les requêtes sur des ports inconnus\n" "http_access deny !Safe_ports\n" "# Interdit CONNECT sur tout autre port que SSL\n" "http_access deny CONNECT !SSL_ports\n" "#\n" "# INSÉRER VOS PROPRES RÈGLES ICI POUR PERMETTRE L'ACCÈS\n" "# DEPUIS LES CLIENTS\n" "#\n" "http_access allow localhost\n" "# Et enfin, interdit tout autre accès à ce mandataire\n" "http_access deny all\n" "# Par défaut :\n" "# icp_access deny all\n" "#\n" "# Permet les requêtes ICP à tout le monde\n" "icp_access allow all" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:288 msgid "" "You should also configure Squid based on your system resources, including " "cache memory (option cache_mem), location of the cached files and " "the amount of space they will take up on disk (option cache_dir)." msgstr "" "Vous devriez également configurer Squid selon vos ressources système, en " "incluant la mémoire cache (option cache_mem), l'emplacement de vos " "fichiers du cache et la quantité d'espace qu'ils prendront sur disque " "(option cache_dir)." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:294 msgid "" "Notice that, if not properly configured, someone may relay a mail message " "through Squid, since the HTTP and SMTP protocols are designed similarly. " "Squid's default configuration file denies access to port 25. If you wish to " "allow connections to port 25 just add it to Safe_ports lists. However, this " "is NOT recommended." msgstr "" "Notez que, s'il n'est pas configuré correctement, n'importe qui peut relayer " "un message par l'intermédiaire de Squid, puisque les protocoles HTTP et SMTP " "sont conçus de façon similaire. Le fichier de configuration par défaut " "interdit l'accès au port 25. Si vous voulez autoriser les connexions sur ce " "port, il vous faudra l'ajouter dans la liste des Safe_ports (ports " "autorisés). Cependant, ce n'est PAS recommandé." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:301 msgid "" "Setting and configuring the proxy/cache server properly is only part of " "keeping your site secure. Another necessary task is to analyze Squid's logs " "to assure that all things are working as they should be working. There are " "some packages in Debian GNU/Linux that can help an administrator to do this. " "The following packages are available in Debian 3.0 and Debian 3.1 (sarge):" msgstr "" "Installer et configurer le serveur mandataire et le cache correctement ne " "représente qu'une partie de la sécurisation du site. Une autre tâche " "nécessaire réside dans l'analyse des journaux de Squid pour s'assurer que " "tout fonctionne comme prévu. Quelques paquets dans Debian GNU/Linux peuvent " "aider l'administrateur dans cette tâche. Les paquets suivants sont " "disponibles dans Debian 3.0 et Debian 3.1 (Sarge) :" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:304 msgid "" "calamaris - Log analyzer for Squid or Oops proxy log " "files." msgstr "" "calamaris - Analyseur des journaux pour serveurs " "mandataires Squid ou Oops" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:305 msgid "modlogan - A modular logfile analyzer." msgstr "modlogan - Analyseur modulaire de journaux" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:306 msgid "sarg - Squid Analysis Report Generator." msgstr "sarg - Création de compte-rendu d'analyse de Squid" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:307 msgid "squidtaild - Squid log monitoring program." msgstr "" "squidtaild - Programme de surveillance des journaux de " "Squid" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:318 msgid "" "When using Squid in Accelerator Mode it acts as a web server too. Turning on " "this option increases code complexity, making it less reliable. By default " "Squid is not configured to act as a web server, so you don't need to worry " "about this. Note that if you want to use this feature be sure that it is " "really necessary. To find more information about Accelerator Mode on Squid " "see the " msgstr "" "Quand vous utilisez Squid en Accelerator Mode, il se comporte également " "comme un serveur web. Activer cette option augmente la complexité du code, " "le rendant moins fiable. Par défaut, Squid n'est pas configuré pour se " "comporter comme un serveur web, donc vous n'avez pas besoin de vous " "tracasser à cause de cela. Notez que si vous désirez utiliser cette " "fonctionnalité, assurez-vous qu'elle est vraiment nécessaire. Pour trouver " "plus d'informations à propos de l'Accelerator Mode de Squid, consultez le " "." #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:320 msgid "Securing FTP" msgstr "Sécurisation de FTP" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:329 msgid "" "If you really have to use FTP (without wrapping it with sslwrap or inside a " "SSL or SSH tunnel), you should chroot ftp into the ftp users' home " "directory, so that the user is unable to see anything else than their own " "directory. Otherwise they could traverse your root file system just like if " "they had a shell in it. You can add the following line in your proftpd." "conf in your global section to enable this chroot feature:" msgstr "" "Si vous avez réellement besoin d'utiliser FTP (sans l'emballer avec sslwrap " "ou à l'intérieur d'un tunnel SSL ou SSH), vous devriez « " "chrooter » FTP dans le répertoire personnel de l'utilisateur, ainsi " "l'utilisateur ne pourra rien voir d'autre que ses propres répertoires. " "Autrement, il pourrait parcourir le système comme s'il disposait d'un " "interpréteur de commandes. Vous pouvez ajouter la ligne suivante dans la " "section global de proftpd.conf pour activer ce chroot :" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:331 #, no-wrap msgid "DefaultRoot ~" msgstr "DefaultRoot ~" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:336 msgid "" "Restart ProFTPd by /etc/init.d/proftpd restart and check whether " "you can escape from your homedir now." msgstr "" "Redémarrez ProFTPD par /etc/init.d/proftpd restart et vérifiez si " "vous pouvez sortir de votre propre répertoire personnel." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:341 msgid "" "To prevent ProFTPd DoS attacks using ../../.., add the following line in " "/etc/proftpd.conf: DenyFilter \\*.*/" msgstr "" "Pour prévenir ProFTPD d'attaques par déni de service avec l'utilisation " "de ../../.., ajoutez la ligne suivante dans /etc/proftpd.conf : DenyFilter \\*.*/" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:351 msgid "" "Always remember that FTP sends login and authentication passwords in clear " "text (this is not an issue if you are providing an anonymous public service) " "and there are better alternatives in Debian for this. For example, " "sftp (provided by ssh). There are also free " "implementations of SSH for other operating systems: and for example." msgstr "" "Rappelez-vous toujours que FTP envoie les identifiants et les mots de passe " "d'authentification en clair (ce n'est pas un problème si vous fournissez un " "service public anonyme) et il existe de meilleures alternatives dans Debian " "pour cela. Par exemple, sftp (fourni par ssh). Il existe également des implémentations libres de SSH pour d'autres " "systèmes d'exploitation : et par exemple." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:363 msgid "" "However, if you still maintain the FTP server while making users access " "through SSH you might encounter a typical problem. Users accessing anonymous " "FTP servers inside SSH-secured systems might try to log in the FTP " "server. While the access will be refused, the password will " "nevertheless be sent through the net in clear form. To avoid that, ProFTPd " "developer TJ Saunders has created a patch that prevents users feeding the " "anonymous FTP server with valid SSH accounts. More information and patch " "available at: . This patch has been reported to Debian too, see ." msgstr "" "Cependant, si vous maintenez encore le serveur FTP tout en donnant un accès " "par SSH aux utilisateurs, vous pouvez rencontrer un problème courant. Les " "utilisateurs accédant aux serveurs FTP anonymes à l'intérieur des systèmes " "sécurisés par SSH peuvent essayer de se connecter dans le serveur FTP. Bien que l'accès sera refusé, le mot de passe sera tout de même envoyé " "en clair sur le réseau. Pour éviter cela, le développeur de ProFTPD, TJ " "Saunders, a créé un correctif pour empêcher des utilisateurs de fournir au " "serveur FTP anonyme des comptes SSH valables. Plus d'informations et le " "correctif sont disponibles, consultez . Ce correctif a été " "également indiqué pour Debian, consultez le ." #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:364 msgid "Securing access to the X Window System" msgstr "Sécurisation de l'accès au système X Window" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:375 msgid "" "Today, X terminals are used by more and more companies where one server is " "needed for a lot of workstations. This can be dangerous, because you need to " "allow the file server to connect to the clients (X server from the X point " "of view. X switches the definition of client and server). If you follow the " "(very bad) suggestion of many docs, you type xhost + on your " "machine. This allows any X client to connect to your system. For slightly " "better security, you can use the command xhost +hostname instead to " "only allow access from specific hosts." msgstr "" "Actuellement, les terminaux X sont de plus en plus utilisés dans les " "entreprises où un seul serveur est nécessaire pour un grand nombre de " "stations de travail. Cela peut être dangereux car vous devez autoriser le " "serveur de fichiers à se connecter aux clients (le serveur X d'un point de " "vue X. X intervertit la notion de client et de serveur). Si vous suivez les " "(très mauvaises) suggestions de nombreuses documentations, vous tapez " "xhost + sur la machine. Cela autorise tout client X à se connecter " "au système. Pour une sécurité légèrement meilleure, vous pouvez utiliser la " "commande xhost +hostname à la place, ce qui permet de n'autoriser " "les accès que depuis certains hôtes." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:398 msgid "" "A much more secure solution, though, is to use ssh to tunnel X and encrypt " "the whole session. This is done automatically when you ssh to another " "machine. For this to work, you have to configure both the ssh client and the " "ssh server. On the ssh client, ForwardX11 should be set to yes in /etc/ssh/ssh_config. On the ssh server, " "X11Forwarding should be set to yes in /etc/ssh/" "sshd_config and the package xbase-clients should " "be installed because the ssh server uses /usr/X11R6/bin/xauth " "(/usr/bin/xauth on Debian unstable) when setting up the pseudo " "X display. In times of SSH, you should drop the xhost based access control " "completely." msgstr "" "Une solution encore meilleure serait d'utiliser un tunnel SSH pour X et de " "chiffrer toute la session. C'est fait automatiquement lors de l'utilisation " "de SSH pour se connecter sur une autre machine. Pour que cela fonctionne, " "vous devez configurer à la fois le client SSH et le serveur SSH. Sur le " "client SSH, ForwardX11 doit être positionné à yes dans " "/etc/ssh/ssh_config. Sur le serveur SSH, X11Forwarding " "doit être positionné à yes dans /etc/ssh/sshd_config " "et le paquet xbase-clients doit être installé car le " "serveur SSH utilise /usr/X11R6/bin/xauth (/usr/bin/xauth sur Debian unstable) pour mettre en place le pseudoaffichage X. À " "l'heure de SSH, vous devriez abandonner complètement le contrôle d'accès " "basé sur xhost." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:402 msgid "" "For best security, if you do not need X access from other machines, switch " "off the binding on TCP port 6000 simply by typing:" msgstr "" "Pour une sécurité accrue, si vous n'avez pas besoin d'accéder à X depuis " "d'autres machines, désactivez l'écoute sur le port TCP 6000 en tapant " "simplement :" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:404 #, no-wrap msgid "$ startx -- -nolisten tcp" msgstr "$ startx -- -nolisten tcp" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:411 msgid "" "This is the default behavior in Xfree 4.1.0 (the Xserver provided in Debian " "3.0 and 3.1). If you are running Xfree 3.3.6 (i.e. you have Debian 2.2 " "installed) you can edit /etc/X11/xinit/xserverrc to have it " "something along the lines of:" msgstr "" "C'est le comportement par défaut dans XFree 4.1.0 (le serveur X fourni " "dans Debian 3.0 et 3.1). Si vous utilisez XFree 3.3.6 (vous avez " "donc Debian 2.2 installée), vous pouvez éditer /etc/X11/xinit/" "xserverrc afin d'avoir quelque chose ressemblant à ceci :" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:414 #, no-wrap msgid "" "#!/bin/sh\n" "exec /usr/bin/X11/X -dpi 100 -nolisten tcp" msgstr "" "#!/bin/sh\n" "exec /usr/bin/X11/X -dpi 100 -nolisten tcp" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:427 msgid "" "If you are using XDM set /etc/X11/xdm/Xservers to: :0 " "local /usr/bin/X11/X vt7 -dpi 100 -nolisten tcp. If you are using Gdm " "make sure that the DisallowTCP=true option is set in the /etc/" "gdm/gdm.conf (which is the default in Debian). This will basically " "append -nolisten tcp to every X command line (Gdm will " "not append -nolisten tcp if it finds a -query or " "-indirect on the command line since the query wouldn't work)." msgstr "" "Si vous utilisez XDM, mettez /etc/X11/xdm/Xservers à : " ":0 local /usr/bin/X11/X vt7 -dpi 100 -nolisten tcp. Si vous " "utilisez GDM, assurez-vous que l'option DisallowTCP=true est " "positionnée dans /etc/gdm/gdm.conf (qui est par défaut dans " "Debian). Cela va basiquement ajouter -nolisten tcp à chaque ligne " "de commande X (GDM n'ajoutera pas -nolisten tcp s'il trouve -query ou -indirect sur la ligne de " "commande car cela ne pourrait pas fonctionner)." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:431 msgid "" "You can also set the default's system timeout for xscreensaver " "locks. Even if the user can override it, you should edit the /etc/X11/" "app-defaults/XScreenSaver configuration file and change the lock line:" msgstr "" "Vous pouvez également positionner l'expiration de délai système par défaut " "pour les blocages xscreensaver. Même si l'utilisateur peut " "annuler cela, vous devriez éditer le fichier de configuration /etc/X11/" "app-defaults/XScreenSaver et changer la ligne de blocage :" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:433 #, no-wrap msgid "*lock: False" msgstr "*lock: False" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:435 msgid "(which is the default in Debian) to:" msgstr "(qui est par défaut dans Debian) à :" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:437 #, no-wrap msgid "*lock: True" msgstr "*lock: True" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:442 msgid "" "FIXME: Add information on how to disable the screensavers which show the " "user desktop (which might have sensitive information)." msgstr "" "FIXME : Ajouter des informations sur comment désactiver les économiseurs " "d'écran qui affichent l'écran de l'utilisateur (qui peuvent avoir des " "informations sensibles)." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:448 msgid "" "Read more on X Window security in (/usr/share/doc/" "HOWTO/en-txt/XWindow-User-HOWTO.txt.gz)." msgstr "" "Plus de renseignements sur la sécurité X Window dans " "(/usr/share/doc/HOWTO/en-txt/XWindow-User-HOWTO.txt.gz)." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:451 msgid "" "FIXME: Add info on thread of debian-security on how to change config files " "of XFree 3.3.6 to do this." msgstr "" "FIXME : Ajouter des informations d'une discussion de debian-security pour " "avoir les modifications des fichiers de configuration de XFree 3.3.6 pour " "faire cela." #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:452 msgid "Check your display manager" msgstr "Vérifiez le gestionnaire d'affichage" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:458 msgid "" "If you only want to have a display manager installed for local usage (having " "a nice graphical login, that is), make sure the XDMCP (X Display Manager " "Control Protocol) stuff is disabled. In XDM you can do this with this line " "in /etc/X11/xdm/xdm-config:" msgstr "" "Si vous ne voulez un gestionnaire d'affichage installé que pour une " "utilisation locale (avec une jolie connexion graphique, tout de même), " "assurez-vous que le XDMCP (X Display Manager Control Protocol) est " "désactivé. Dans XDM, vous pouvez faire cela avec cette ligne dans /etc/" "X11/xdm/xdm-config :" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:460 #, no-wrap msgid "DisplayManager.requestPort: 0" msgstr "DisplayManager.requestPort: 0" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:464 msgid "For GDM there should be in your gdm.conf:" msgstr "Pour GDM, il devrait y avoir dans le fichier gdm.conf :" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:467 #, no-wrap msgid "" "[xdmcp]\n" "Enable=false" msgstr "" "[xdmcp]\n" "Enable=false" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:473 msgid "" "Normally, all display managers are configured not to start XDMCP services " "per default in Debian." msgstr "" "Normalement, tous les gestionnaires d'affichages sont configurés par défaut " "pour ne pas démarrer les services XDMCP dans Debian." #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:475 msgid "Securing printing access (the lpd and lprng issue)" msgstr "Sécurisation de l'accès à l'impression (le problème lpd et lprng)" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:480 msgid "" "Imagine, you arrive at work, and the printer is spitting out endless amounts " "of paper because someone is DoSing your line printer daemon. Nasty, isn't it?" msgstr "" "Imaginez, vous arrivez au travail et l'imprimante crache une quantité " "infinie de papier car quelqu'un est en train de provoquer un déni de service " "sur le démon d'impression. Méchant, n'est ce pas ?" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:485 msgid "" "In any UNIX printing architecture, there has to be a way to get the client's " "data to the host's print server. In traditional lpr and " "lp, the client command copies or symlinks the data into the " "spool directory (which is why these programs are usually SUID or SGID)." msgstr "" "Dans toute architecture d'impression UNIX, il y a un moyen de fournir les " "données du client vers le serveur d'impression de l'hôte. Dans les " "traditionnels lpr et lp, la commande du client " "copie ou crée un lien symbolique pour les données dans le répertoire de " "spool (c'est pour cela que ces programmes sont habituellement SUID ou SGID)." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:491 msgid "" "In order to avoid any issues you should keep your printer servers especially " "secure. This means you need to configure your printer service so it will " "only allow connections from a set of trusted servers. In order to do this, " "add the servers you want to allow printing to your /etc/hosts.lpd." msgstr "" "Pour éviter tout problème, vous devriez garder vos serveurs d'impression " "particulièrement sûrs. Cela veut dire qu'il est nécessaire de configurer le " "service d'impression pour qu'il autorise seulement les connexions d'un " "ensemble de serveurs de confiance. Pour ce faire, ajoutez les serveurs " "auxquels vous voulez autoriser l'impression à /etc/hosts.lpd." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:504 msgid "" "However, even if you do this, the lpr daemon accepts incoming " "connections on port 515 of any interface. You should consider firewalling " "connections from networks/hosts which are not allowed printing (the " "lpr daemon cannot be limited to listen only on a given IP " "address)." msgstr "" "Cependant, même si vous faites cela, le démon lpr accepte les " "connexions entrantes sur le port 515 de n'importe quelle interface. Vous " "devriez réfléchir au filtrage par un pare-feu des connexions provenant de " "réseaux ou hôtes qui ne sont pas autorisés à imprimer (le démon lpr ne peut pas être limité à n'écouter que sur une adresse IP donnée)." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:511 msgid "" "Lprng should be preferred over lpr since it can be " "configured to do IP access control. And you can specify which interface to " "bind to (although somewhat weirdly)." msgstr "" "lprng doit être préféré à lpr car il peut être " "configuré pour faire du contrôle d'accès basé sur l'adresse IP. Vous pouvez " "indiquer l'interface sur laquelle se lier (cependant d'une manière un peu " "bizarre)." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:518 msgid "" "If you are using a printer in your system, but only locally, you will not " "want to share this service over a network. You can consider using other " "printing systems, like the one provided by cups or which is based on user " "permissions of the /dev/lp0 device." msgstr "" "Si vous utilisez une imprimante sur le système, mais seulement localement, " "vous ne voulez pas partager ce service sur le réseau. Vous pouvez considérer " "l'utilisation d'autres systèmes d'impression, comme celui fourni par " "cups ou qui est basé sur les permissions utilisateurs du périphérique /dev/" "lp0." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:523 msgid "" "In cups, the print data is transferred to the server via " "the HTTP protocol. This means the client program doesn't need any special " "privileges, but does require that the server is listening on a port " "somewhere." msgstr "" "Dans cups, les données d'impression sont transférées vers " "le serveur par le protocole HTTP. Cela veut dire que le programme client n'a " "pas besoin de privilèges spéciaux, mais cela nécessite que le serveur écoute " "sur un port quelque part." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:527 msgid "" "However, if you want to use cups, but only locally, you can " "configure it to bind to the loopback interface by changing /etc/cups/" "cupsd.conf:" msgstr "" "Cependant, si vous voulez utiliser cups, mais seulement " "localement, vous pouvez le configurer pour se lier à l'interface de bouclage " "(loopback) en modifiant /etc/cups/cupsd.conf :" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:529 #, no-wrap msgid "Listen 127.0.0.1:631" msgstr "Listen 127.0.0.1:631" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:538 msgid "" "There are many other security options like allowing or denying networks and " "hosts in this config file. However, if you do not need them you might be " "better off just limiting the listening port. Cups also serves " "documentation through the HTTP port, if you do not want to disclose " "potential useful information to outside attackers (and the port is open) add " "also:" msgstr "" "Il y a plusieurs autres options de sécurité comme autoriser ou interdire des " "réseaux et hôtes dans le fichier de configuration. Cependant, si vous n'en " "avez pas besoin, il peut être préférable de simplement limiter le port " "d'écoute. cups fournit également la documentation par le port " "HTTP, si vous ne voulez pas dévoiler des informations potentiellement utiles " "aux attaquants extérieurs (et que le port est ouvert), ajoutez " "également :" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:544 #, no-wrap msgid "" "<Location />\n" " Order Deny,Allow\n" " Deny From All\n" " Allow From 127.0.0.1\n" "</Location>" msgstr "" "<Location />\n" " Order Deny,Allow\n" " Deny From All\n" " Allow From 127.0.0.1\n" "</Location>" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:550 msgid "" "This configuration file can be modified to add some more features including " "SSL/TLS certificates and crypto. The manuals are available at http://" "localhost:631/ or at ." msgstr "" "Ce fichier de configuration peut être modifié pour ajouter plus de " "fonctionnalités y compris des certificats SSL/TLS et du chiffrement. Les " "manuels sont disponibles sur http://localhost:631/ ou à ." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:554 msgid "" "FIXME: Add more content (the article on provides some very interesting views)." msgstr "" "FIXME : Ajouter plus de contenu (l'article sur fournit certains points " "de vues très intéressants)." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:557 msgid "" "FIXME: Check if PDG is available in Debian, and if so, suggest this as the " "preferred printing system." msgstr "" "FIXME : Vérifier la disponibilité de PDG dans Debian, et s'il l'est, le " "suggérer comme le système d'impression préféré." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:560 msgid "" "FIXME: Check if Farmer/Wietse has a replacement for printer daemon and if " "it's available in Debian." msgstr "" "FIXME : Vérifier si Farmer/Wietse a une alternative pour le démon " "d'imprimante et si il est disponible dans Debian." #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:562 msgid "Securing the mail service" msgstr "Sécurisation du service de courrier" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:567 msgid "" "If your server is not a mailing system, you do not really need to have a " "mail daemon listening for incoming connections, but you might want local " "mail delivered in order, for example, to receive mail for the root user from " "any alert systems you have in place." msgstr "" "Si le serveur n'est pas un système d'envoi de courrier, vous n'avez pas " "réellement besoin d'un démon de courrier écoutant les connexions entrantes, " "mais vous pourriez vouloir que le courrier local soit distribué pour, par " "exemple, recevoir le courrier du superutilisateur en provenance d'un des " "systèmes d'alerte en place." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:571 msgid "" "If you have exim you do not need the daemon to be working in " "order to do this since the standard cron job flushes the mail " "queue. See on how to do this." msgstr "" "Si vous avez exim, vous n'avez pas besoin que le démon tourne " "pour le faire car la tâche standard cron vide la file des " "messages. Consultez pour la façon de faire cela." #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:573 msgid "Configuring a Nullmailer" msgstr "Configurer un Nullmailer" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:580 msgid "" "You might want to have a local mailer daemon so that it can relay the mails " "sent locally to another system. This is common when you have to administer a " "number of systems and do not want to connect to each of them to read the " "mail sent locally. Just as all logging of each individual system can be " "centralized by using a central syslog server, mail can be sent to a central " "mailserver." msgstr "" "Vous pouvez vouloir avoir un démon local de courrier pour qu'il puisse " "relayer les courriers envoyés localement à un autre système. C'est courant " "quand vous devez administrer un certain nombre de systèmes et que vous ne " "voulez pas vous connecter à chacun d'entre eux pour lire le courrier envoyé " "localement. Comme toute la journalisation de chaque système individuel peut " "être centralisée en utilisant un serveur de journalisation système " "centralisé, les courriers peuvent être envoyés à un serveur de courriers " "central." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:584 msgid "" "Such a relay-only system should be configured properly for this. " "The daemon could, as well, be configured to only listen on the loopback " "address." msgstr "" "Un tel système relais seulement devrait être configuré correctement " "pour cela. Le démon pourrait également être configuré pour n'écouter que sur " "l'adresse de bouclage." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:592 msgid "" "The following configuration steps only need to be taken to configure the " "exim package in the Debian 3.0 release. If you are using " "a later release (such as 3.1 which uses exim4) the " "installation system has been improved so that if the mail transport agent is " "configured to only deliver local mail it will automatically only allow " "connections from the local host and will not permit remote connections." msgstr "" "Les étapes de configuration suivantes ne doivent être suivies que si vous " "configurez le paquet exim dans la version 3.0 de " "Debian. Si vous utilisez une version ultérieure (comme la version 3.1 " "qui utilise exim4), le système d'installation a été " "amélioré afin, si le MTA est configuré pour ne délivrer que des messages " "locaux, de n'autoriser des connexions que depuis l'hôte local et interdire " "toute connexion distante." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:594 msgid "" "In a Debian 3.0 system using exim, you will have to " "remove the SMTP daemon from inetd:" msgstr "" "Sur un système Debian 3.0 utilisant exim, vous " "devrez retirer le démon SMTP d'inetd :" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:596 #, no-wrap msgid "$ update-inetd --disable smtp" msgstr "$ update-inetd --disable smtp" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:603 msgid "" "and configure the mailer daemon to only listen on the loopback interface. In " "exim (the default MTA) you can do this by editing the file " "/etc/exim.conf and adding the following line:" msgstr "" "et configurer le démon de courrier pour écouter seulement sur l'interface de " "bouclage. Dans exim (le MTA par défaut) vous pouvez faire ça en " "éditant le fichier /etc/exim.conf et en ajoutant la ligne " "suivante :" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:605 #, no-wrap msgid "local_interfaces = \"127.0.0.1\"" msgstr "local_interfaces = \"127.0.0.1\"" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:612 msgid "" "Restart both daemons (inetd and exim) and you will have exim listening on " "the 127.0.0.1:25 socket only. Be careful, and first disable inetd, " "otherwise, exim will not start since the inetd daemon is already handling " "incoming connections." msgstr "" "Redémarrez les deux démons (inetd et exim) et Exim n'écoutera que sur la " "socket 127.0.0.1:25. Faites attention, et avant tout désactivez inetd, sinon " "Exim ne démarrera pas étant donné que le démon inetd est déjà en attente de " "connexions entrantes." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:614 msgid "For postfix edit /etc/postfix/main.cf:" msgstr "" "Pour postfix éditez /etc/postfix/main.cf :" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:616 #, no-wrap msgid "inet_interfaces = localhost" msgstr "inet_interfaces = localhost" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:628 msgid "" "If you only want local mail, this approach is better than tcp-wrapping the " "mailer daemon or adding firewalling rules to limit anybody accessing it. " "However, if you do need it to listen on other interfaces, you might consider " "launching it from inetd and adding a tcp wrapper so incoming connections are " "checked against /etc/hosts.allow and /etc/hosts.deny. Also, you will be aware of when an unauthorized access is attempted " "against your mailer daemon, if you set up proper logging for any of the " "methods above." msgstr "" "Si vous voulez seulement le courrier local, cette approche est meilleure que " "l'encapsulation TCP du démon de courrier ou l'ajout de règles de pare-feu " "pour limiter les personnes qui y accèdent. Cependant, si vous avez réellement " "besoin qu'il écoute sur d'autres interfaces, vous pourriez envisager de le " "lancer à partir d'inetd et ajouter une encapsulation TCP pour que les " "connexions entrantes soient vérifiées par rapport à /etc/hosts.allow et /etc/hosts.deny. De plus, vous serez au courant quand " "un accès non autorisé est tenté sur le démon de courrier, si vous mettez en " "place correctement la journalisation pour n'importe laquelle des méthodes " "décrites plus haut." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:631 msgid "" "In any case, to reject mail relay attempts at the SMTP level, you can change " "/etc/exim/exim.conf to include:" msgstr "" "En tout cas, pour rejeter les tentatives de relais de courrier au niveau " "SMTP, vous pouvez modifier /etc/exim/exim.conf pour " "inclure :" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:633 #, no-wrap msgid "receiver_verify = true" msgstr "receiver_verify = true" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:640 msgid "" "Even if your mail server will not relay the message, this kind of " "configuration is needed for the relay tester at to determine that your server is not relay " "capable." msgstr "" "Même si le serveur de courrier ne relaiera pas le message, ce genre de " "configuration est nécessaire au testeur de relais à pour déterminer que le serveur ne peut pas " "faire de relais." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:657 msgid "" "If you want a relay-only setup, however, you can consider changing the " "mailer daemon to programs that can only be configured to forward " "the mail to a remote mail server. Debian provides currently both " "ssmtp and nullmailer for this purpose. " "In any case, you can evaluate for yourself any of the mail transport agents " "

To retrieve the list of mailer daemons available in Debian try: " "$ apt-cache search mail-transport-agent

The list " "will not include qmail, which is distributed only as source " "code in the qmail-src package.

provided by " "Debian and see which one suits best to the system's purposes." msgstr "" "Si vous voulez une configuration relais seulement, cependant, vous pouvez " "vouloir changer le démon de courrier pour des programmes qui ne peuvent être " "configurés que pour faire suivre le courrier à un serveur de " "courrier distant. Debian fournit actuellement les paquets ssmtp et nullmailer dans ce but. En tout cas, vous " "pouvez évaluer vous-même n'importe lequel des agents de transport de " "courrier

Pour récupérer la liste des démons de courrier " "disponibles dans Debian, essayez : $ apt-cache search mail-" "transport-agent

La liste n'inclura pas qmail, " "qui est distribué seulement comme code source dans le paquet qmail-" "src.

fournis par Debian et voir lequel correspond " "le mieux aux buts du système." #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:659 msgid "Providing secure access to mailboxes" msgstr "Fournir un accès sécurisé aux boîtes à lettres" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:673 msgid "" "If you want to give remote access to mailboxes there are a number of POP3 " "and IMAP daemons available.

A list of servers/daemons which " "support these protocols in Debian can be retrieved with: $ apt-" "cache search pop3-server $ apt-cache search imap-server

However, if you provide IMAP access note that it is a general file " "access protocol, it can become the equivalent of a shell access because " "users might be able to retrieve any file that they can through it." msgstr "" "Si vous désirez donner un accès à distance aux boîtes à lettres, il y a un " "certain nombre de démons POP3 et IMAP disponibles

Une liste des " "serveurs et démons prenant ces protocoles en charge dans Debian peut être " "récupérée avec : $ apt-cache search pop3-server $ apt-cache " "search imap-server

Cependant, si vous fournissez un " "accès IMAP, notez qu'il s'agit d'un protocole générique d'accès aux " "fichiers, il peut devenir l'équivalent d'un accès à l'interpréteur de " "commandes car les utilisateurs peuvent être capables de récupérer n'importe " "quel fichier par celle-ci." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:677 msgid "" "Try, for example, to configure as your inbox path {server.com}/etc/" "passwd if it succeeds your IMAP daemon is not properly configured to " "prevent this kind of access." msgstr "" "Essayez, par exemple, de configurer comme chemin de votre boîte de réception " "{server.com}/etc/passwd, si cela réussit, votre démon IMAP n'est " "pas configuré correctement pour empêcher ce genre d'accès." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:686 msgid "" "Of the IMAP servers in Debian the cyrus server (in the " "cyrus-imapd package) gets around this by having all " "access to a database in a restricted part of the file system. Also, uw-" "imapd (either install the uw-imapd or better, if " "your IMAP clients support it, uw-imapd-ssl) can be " "configured to chroot the users mail directory but this is not enabled by " "default. The documentation provided gives more information on how to " "configure it." msgstr "" "Parmi les serveurs IMAP dans Debian, le serveur cyrus (dans le " "paquet cyrus-imapd) contourne cela en ayant tous les " "accès sur une base de données dans une partie restreinte du système de " "fichiers. Également, uw-imapd (installez soit uw-" "imapd ou mieux, si votre client IMAP le gère, uw-imapd-" "ssl) peut être configuré pour « chrooter » les " "répertoires de courrier des utilisateurs, mais cela n'est pas activé par " "défaut. La documentation fournie donne plus d'informations sur la façon de " "le configurer." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:697 msgid "" "Also, you might want to run an IMAP server that does not need valid users to " "be created on the local system (which would grant shell access too), " "courier-imap (for IMAP) and courier-pop, teapop (for POP3) and cyrus-imapd (for both POP3 and IMAP) provide servers with authentication " "methods beside the local user accounts. cyrus can use any " "authentication method that can be configured through PAM while teapop might use databases (such as postgresql and " "mysql) for user authentication." msgstr "" "Vous pouvez également vouloir faire fonctionner un serveur IMAP qui n'ait " "pas besoin que des utilisateurs valables soient créés sur le système local " "(ce qui donnerait également un accès à l'interpréteur de commande), les " "paquets courier-imap (pour IMAP), courier-pop, teapop (pour POP3) et cyrus-imapd (pour POP3 et IMAP) fournissent des serveurs avec des méthodes " "d'authentification en plus des comptes utilisateur locaux. cyrus peut utiliser toute méthode d'authentification qui peut être " "configurée par PAM tandis que teapop peut utiliser des bases de " "données (comme postgresql et mysql) " "pour l'authentification des utilisateurs." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:700 msgid "" "FIXME: Check: uw-imapd might be configured with user " "authentication through PAM too." msgstr "" "FIXME : Vérifier : uw-imapd peut être configuré avec " "l'authentification utilisateur grâce à PAM également." #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:701 msgid "Receiving mail securely" msgstr "Réception du courrier de manière sûre" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:710 msgid "" "Reading/receiving mail is the most common clear-text protocol. If you use " "either POP3 or IMAP to get your mail, you send your clear-text password " "across the net, so almost anyone can read your mail from now on. Instead, " "use SSL (Secure Sockets Layer) to receive your mail. The other alternative " "is SSH, if you have a shell account on the box which acts as your POP or " "IMAP server. Here is a basic fetchmailrc to demonstrate this:" msgstr "" "La lecture et réception du courrier sont des protocoles en texte clair parmi " "les plus courants. Si vous utilisez POP3 ou IMAP pour récupérer le courrier, " "vous envoyez votre mot de passe en clair à travers le réseau, et donc " "presque tout le monde peut lire votre courrier à partir de maintenant. À la " "place, utilisez SSL (Secure Sockets Layer) pour recevoir votre courrier. " "L'autre alternative est SSH, si vous avez un compte avec interpréteur de " "commandes sur la machine qui sert de serveur POP ou IMAP. Voici un " "fetchmailrc simple décrivant cela :" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:718 #, no-wrap msgid "" "poll my-imap-mailserver.org via \"localhost\"\n" " with proto IMAP port 1236\n" " user \"ref\" there with password \"hackme\" is alex here warnings 3600\n" " folders\n" " .Mail/debian\n" " preconnect 'ssh -f -P -C -L 1236:my-imap-mailserver.org:143 -l ref\n" " my-imap-mailserver.org sleep 15 </dev/null > /dev/null'" msgstr "" "poll mon-serveur-imap.org via \"localhost\"\n" " with proto IMAP port 1236\n" " user \"ref\" there with password \"hackme\" is alex here warnings 3600\n" " folders\n" " .Mail/debian\n" " preconnect 'ssh -f -P -C -L 1236:mon-serveur-imap.org:143 -l ref\n" " mon-serveur-imap.org sleep 15 </dev/null > /dev/null'" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:725 msgid "" "The preconnect is the important line. It fires up an ssh session and creates " "the necessary tunnel, which automatically forwards connections to localhost " "port 1236 to the IMAP mail server, but encrypted. Another possibility would " "be to use fetchmail with the SSL feature." msgstr "" "Le preconnect est la ligne importante. Il lance une session SSH et crée le " "tunnel nécessaire, qui relaie automatiquement les connexions au port local " "1236 vers le port IMAP du serveur de mail, mais chiffrées. Une autre " "possibilité serait d'utiliser fetchmail avec la fonctionnalité " "SSL." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:728 msgid "" "If you want to provide encrypted mail services like POP and IMAP, apt-" "get install stunnel and start your daemons this way:" msgstr "" "Si vous désirez fournir des services de courrier comme POP et IMAP chiffrés, " "apt-get install stunnel et démarrez vos démons ainsi :" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:730 #, no-wrap msgid "stunnel -p /etc/ssl/certs/stunnel.pem -d pop3s -l /usr/sbin/popd" msgstr "stunnel -p /etc/ssl/certs/stunnel.pem -d pop3s -l /usr/sbin/popd" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:736 msgid "" "This command wraps the provided daemon (-l) to the port (-d) and uses the " "specified SSL certificate (-p)." msgstr "" "Cette commande encapsule le démon fourni (-l) au port (-d) et utilise le " "certificat SSL indiqué (-p)." #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:738 msgid "Securing BIND" msgstr "Sécurisation de BIND" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:742 msgid "" "There are different issues that can be tackled in order to secure the Domain " "server daemon, which are similar to the ones considered when securing any " "given service:" msgstr "" "Il y a différents problèmes qui peuvent être traités pour sécuriser le démon " "de serveur de domaine; problèmes similaires à ceux étudiés quand on sécurise " "n'importe quel service donné :" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:749 msgid "" "configuring the daemon itself properly so it cannot be misused from the " "outside (see ). This includes limiting possible " "queries from clients: zone transfers and recursive queries." msgstr "" "configurer le démon lui-même pour qu'il ne puisse pas être mal utilisé de " "l'extérieur (consultez ). Cela inclut limiter les " "requêtes possibles pour les clients : transferts de zones et requêtes " "récursives ;" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:754 msgid "" "limit the access of the daemon to the server itself so if it is used to " "break in, the damage to the system is limited. This includes running the " "daemon as a non-privileged user (see ) and chrooting " "it (see )." msgstr "" "limiter l'accès du démon au serveur lui-même, ainsi s'il est utilisé pour " "s'introduire, les dommages au système sont limités. Cela inclut d'exécuter " "le démon en tant qu'utilisateur non privilégié (consultez ) et le chrooter (consultez )." #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:758 msgid "Bind configuration to avoid misuse" msgstr "Configuration de BIND pour éviter de mauvaises utilisations" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:770 msgid "" "You should restrict some of the information that is served from the DNS " "server to outside clients so that it cannot be used to retrieve valuable " "information from your organization that you do not want to give away. This " "includes adding the following options: allow-transfer, allow-" "query, allow-recursion and version. You can either " "limit this on the global section (so it applies to all the zones served) or " "on a per-zone basis. This information is documented in the bind-" "doc package, read more on this on /usr/share/doc/bind/html/" "index.html once the package is installed." msgstr "" "Vous devriez restreindre certains renseignements donnés par le serveur DNS " "aux clients extérieurs pour l'empêcher d'être utilisé pour obtenir des " "informations de valeur sur votre organisation que vous ne voudriez pas " "divulguer. Cela inclut l'ajout des options suivantes : allow-" "transfer, allow-query, allow-recursion et " "version. Vous pouvez soit limiter cela dans la section globale " "(pour que cela s'applique à toutes les zones servies) ou individuellement " "par zone. Cette information est documentée dans le paquet bind-doc, consultez /usr/share/doc/bind/html/index.html en plus " "à ce sujet une fois que le paquet est installé." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:777 msgid "" "Imagine that your server is connected to the Internet and to your internal " "(your internal IP is 192.168.1.2) network (a basic multi-homed server), you " "do not want to give any service to the Internet and you just want to enable " "DNS lookups from your internal hosts. You could restrict it by including in " "/etc/bind/named.conf:" msgstr "" "Imaginez que votre serveur (un serveur avec plusieurs adresses de base) est " "connecté à Internet et à votre réseau interne (votre adresse IP interne est " "192.168.1.2), vous ne voulez fournir aucun service à Internet et vous voulez " "juste autoriser les consultations DNS à partir de vos hôtes internes. Vous " "pourriez le restreindre en incluant dans /etc/bind/named.conf:" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:786 #, no-wrap msgid "" "options {\n" " allow-query { 192.168.1/24; } ;\n" " allow-transfer { none; } ; \n" " allow-recursion { 192.168.1/24; } ;\n" " listen-on { 192.168.1.2; } ;\n" " forward { only; } ;\n" " forwarders { A.B.C.D; } ;\n" "};" msgstr "" "options {\n" " allow-query { 192.168.1/24; } ;\n" " allow-transfer { none; } ; \n" " allow-recursion { 192.168.1/24; } ;\n" " listen-on { 192.168.1.2; } ;\n" " forward { only; } ;\n" " forwarders { A.B.C.D; } ;\n" "};" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:798 msgid "" "The listen-on option makes the DNS bind to only the interface that " "has the internal address, but, even if this interface is the same as the " "interface that connects to the Internet (if you are using NAT, for example), " "queries will only be accepted if coming from your internal hosts. If the " "system has multiple interfaces and the listen-on is not present, " "only internal users could query, but, since the port would be accessible to " "outside attackers, they could try to crash (or exploit buffer overflow " "attacks) on the DNS server. You could even make it listen only on 127.0.0.1 " "if you are not giving DNS service for any other systems than yourself." msgstr "" "L'option listen-on lie uniquement le DNS à l'interface ayant une " "adresse interne, mais, même si cette interface est la même que l'interface " "qui permet la connexion à Internet (par l'utilisation de NAT, par exemple), " "les requêtes ne seront acceptées que si celles-ci proviennent d'hôtes " "internes. Si le système est constitué de plusieurs interfaces et que le " "listen-on n'est pas présent, seuls les utilisateurs internes " "pourront émettre des requêtes, mais, puisque le port restera accessible à " "des attaquants externes, ils pourront essayer de faire tomber (ou exploiter " "une attaque de débordement de tampon sur) le serveur DNS. Vous pouvez même " "le mettre uniquement en écoute sur l'adresse 127.0.0.1 si vous ne désirez " "offrir le service à personne d'autre que vous même." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:808 msgid "" "The version.bind record in the chaos class contains the version of the " "currently running bind process. This information is often used by automated " "scanners and malicious individuals who wish to determine if one's " "bind is vulnerable to a specific attack. By providing false or " "no information in the version.bind record, one limits the probability that " "one's server will be attacked based on its published version. To provide " "your own version, use the version directive in the following manner:" msgstr "" "L'enregistrement version.bind dans la classe chaos contient la version du " "processus bind actuellement en cours d'exécution. Cette information est " "souvent utilisée par des scanners automatisés et des individus malveillants " "qui souhaitent déterminer si un bind est vulnérable à une " "attaque spécifique. En fournissant des informations fausses ou pas " "d'informations du tout, on limite la probabilité qu'un serveur soit attaqué " "sur la base de la version qu'il publie. Pour fournir votre propre version, " "utilisez la directive version de la manière suivante :" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:801 #, no-wrap msgid "" " options { ... various options here ...\n" "version \"Not available.\"; };" msgstr "" "options {\n" " ... diverses options ici ...\n" " version \"Not available.\";\n" " };" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:813 msgid "" "Changing the version.bind record does not provide actual protection against " "attacks, but it might be considered a useful safeguard." msgstr "" "Changer l'enregistrement version.bind ne fournit pas réellement de " "protection contre les attaques, mais cela peut être considéré comme une " "précaution utile." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:818 msgid "" "A sample named.conf configuration file might be the following:" msgstr "" "Un fichier de configuration named.conf d'exemple pourrait être " "le suivant :" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:877 #, no-wrap msgid "" "acl internal {\n" " 127.0.0.1/32; // localhost\n" " 10.0.0.0/8; // internal\n" " aa.bb.cc.dd; // eth0 IP\n" "};\n" "\n" "acl friendly {\n" " ee.ff.gg.hh; // slave DNS\n" " aa.bb.cc.dd; // eth0 IP\n" " 127.0.0.1/32; // localhost\n" " 10.0.0.0/8; // internal\n" "};\n" "\n" "options {\n" " directory \"/var/cache/bind\";\n" " allow-query { internal; };\n" " allow-recursion { internal; };\n" " allow-transfer { none; };\n" "};\n" "// From here to the mysite.bogus zone \n" "// is basically unmodified from the debian default\n" "logging {\n" " category lame-servers { null; };\n" " category cname { null; }; \n" "};\n" "\n" "zone \".\" {\n" " type hint;\n" " file \"/etc/bind/db.root\";\n" "};\n" "\n" "zone \"localhost\" {\n" " type master;\n" " file \"/etc/bind/db.local\";\n" "};\n" "\n" "zone \"127.in-addr.arpa\" {\n" " type master;\n" " file \"/etc/bind/db.127\";\n" "};\n" "\n" "zone \"0.in-addr.arpa\" {\n" " type master;\n" " file \"/etc/bind/db.0\";\n" "};\n" "\n" "zone \"255.in-addr.arpa\" {\n" " type master;\n" " file \"/etc/bind/db.255\";\n" "};\n" "\n" "// zones I added myself\n" "zone \"mysite.bogus\" {\n" " type master;\n" " file \"/etc/bind/named.mysite\";\n" " allow-query { any; };\n" " allow-transfer { friendly; };\n" "};" msgstr "" "acl internal {\n" " 127.0.0.1/32; // localhost\n" " 10.0.0.0/8; // interne\n" " aa.bb.cc.dd; // IP eth0\n" "};\n" "\n" "acl friendly {\n" " ee.ff.gg.hh; // DNS esclave\n" " aa.bb.cc.dd; // IP eth0\n" " 127.0.0.1/32; // localhost\n" " 10.0.0.0/8; // interne\n" "};\n" "\n" "options {\n" " directory \"/var/cache/bind\";\n" " allow-query { internal; };\n" " allow-recursion { internal; };\n" " allow-transfer { none; };\n" "};\n" "// À partir d'ici jusqu'à la zone mysite.bogus\n" "// est dans l'ensemble non modifié des valeurs par défaut Debian\n" "logging {\n" " category lame-servers { null; };\n" " category cname { null; }; \n" "};\n" "\n" "zone \".\" {\n" " type hint;\n" " file \"/etc/bind/db.root\";\n" "};\n" "\n" "zone \"localhost\" {\n" " type master;\n" " file \"/etc/bind/db.local\";\n" "};\n" "\n" "zone \"127.in-addr.arpa\" {\n" " type master;\n" " file \"/etc/bind/db.127\";\n" "};\n" "\n" "zone \"0.in-addr.arpa\" {\n" " type master;\n" " file \"/etc/bind/db.0\";\n" "};\n" "\n" "zone \"255.in-addr.arpa\" {\n" " type master;\n" " file \"/etc/bind/db.255\";\n" "};\n" "\n" "// Zones ajoutées moi-même\n" "zone \"mysite.bogus\" {\n" " type master;\n" " file \"/etc/bind/named.mysite\";\n" " allow-query { any; };\n" " allow-transfer { friendly; };\n" "};" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:884 msgid "" "Please (again) check the Bug Tracking System regarding Bind, specifically " ". Feel free to contribute to the bug report if you " "think you can add useful information." msgstr "" "Veuillez vérifier (de nouveau) le système de suivi des bogues (BTS) à propos " "de BIND, en particulier le . Vous " "pouvez contribuer si vous le désirez au rapport de bogue si vous pensez " "pouvoir ajouter des informations utiles." #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:886 msgid "Changing BIND's user" msgstr "Changer l'utilisateur de BIND" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:897 msgid "" "Regarding limiting BIND's privileges you must be aware that if a non-root " "user runs BIND, then BIND cannot detect new interfaces automatically, for " "example when you put a PCMCIA card into your laptop. Check the README." "Debian file in your named documentation (/usr/share/doc/bind/" "README.Debian) directory for more information about this issue. There " "have been many recent security problems concerning BIND, so switching the " "user is useful when possible. We will detail here the steps needed in order " "to do this, however, if you want to do this in an automatic way you might " "try the script provided in ." msgstr "" "Concernant la limitation des privilèges de BIND vous devez être conscient " "que si un utilisateur différent du superutilisateur exécute BIND, alors BIND " "ne peut pas détecter de nouvelles interfaces automatiquement, par exemple, " "quand vous insérez une carte PCMCIA dans un portable. Consultez le fichier " "README.Debian du répertoire de documentation de named (/" "usr/share/doc/bind/README.Debian) pour plus d'informations sur ce " "problème. De nombreux problèmes de sécurité concernant BIND ont été " "récemment découverts, donc le changement d'utilisateur est utile si " "possible. Nous détaillons ici les étapes nécessaires pour le faire ; " "cependant, si vous désirez le faire de façon automatique, vous " "pouvez essayer le script fourni dans ." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:904 msgid "" "Notice, in any case, that this only applies to BIND version 8. In the Debian " "packages for BIND version 9 (since the 9.2.1-5 version, available since " "sarge) the bind user is created and used by setting the " "OPTIONS variable in /etc/default/bind9. If you are using BIND " "version 9 and your name server daemon is not running as the bind " "user verify the settings on that file." msgstr "" "Remarquez, de toute façon, que cela ne concerne que la version 8 de BIND. " "Dans les paquets Debian de la version 9 (depuis la version 9.2.1-5, " "disponible avec Sarge), l'utilisateur bind est créé et utilisé en " "configurant la variable OPTIONS de /etc/default/bind9. Si vous " "utilisez BIND version 9 et que le démon de serveur de noms ne fonctionne pas " "avec l'utilisateur bind, vérifiez les configurations de ce fichier." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:908 msgid "" "To run BIND under a different user, first create a separate user and group " "for it (it is not a good idea to use nobody or nogroup for every " "service not running as root). In this example, the user and group named will be used. You can do this by entering:" msgstr "" "Pour démarrer BIND sous un autre utilisateur, tout d'abord créez un " "utilisateur et un groupe séparé (ce n'est pas une bonne idée " "d'utiliser nobody ou nogroup pour chaque service ne devant pas tourner en " "tant que superutilisateur). Dans cet exemple, l'utilisateur et le groupe " "named seront utilisés. Vous pouvez faire cela en tapant :" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:912 #, no-wrap msgid "" "addgroup named\n" "adduser --system --home /home/named --no-create-home --ingroup named \\\n" " --disabled-password --disabled-login named" msgstr "" "addgroup named\n" "adduser --system --home /home/named --no-create-home --ingroup named \\\n" " --disabled-password --disabled-login named" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:916 msgid "" "Notice that the user named will be quite restricted. If you want, " "for whatever reason, to have a less restrictive setup use:" msgstr "" "Notez que l'utilisateur named sera très restreint. Si vous désirez, " "pour quelque raison que ce soit, avoir une configuration moins restrictive, utilisez :" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:918 #, no-wrap msgid "adduser --system --ingroup named named" msgstr "" "addgroup named\n" "adduser --system --ingroup named named" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:923 msgid "" "Now you can either edit /etc/init.d/bind with your favorite " "editor and change the line beginning with" msgstr "" "Maintenant vous pouvez soit éditer, à l'aide de votre éditeur favori, /" "etc/init.d/bind et modifiez les lignes commençant par" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:925 #, no-wrap msgid "start-stop-daemon --start" msgstr "start-stop-daemon --start" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:931 msgid "" "to

Note that depending on your bind version you might not have " "the -g option, most notably if you are using bind9 in sarge (9.2.4 " "version).

" msgstr "" "en

Notez que selon la version de BIND, l'option -g " "risque de ne pas être disponible, en particulier si vous utilisez bind9 avec " "Sarge (version 9.2.4).

" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:933 #, no-wrap msgid "start-stop-daemon --start --quiet --exec /usr/sbin/named -- -g named -u named" msgstr "start-stop-daemon --start --quiet --exec /usr/sbin/named -- -g named -u named" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:939 msgid "" "Or you can change (create it if it does not exit) the default configuration " "file (/etc/default/bind for BIND version 8) and introduce the " "following:" msgstr "" "soit modifier (créez-le s'il n'existe pas) le fichier de configuration par " "défaut (/etc/default/bind pour BIND en version 8) et " "introduisez ceci :" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:941 #, no-wrap msgid "OPTIONS=\"-u named -g named\"" msgstr "OPTIONS=\"-u named -g named\"" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:946 msgid "" "Change the permissions of files that are used by Bind, including /etc/" "bind/rndc.key:" msgstr "" "Modifiez les permissions des fichiers utilisés par BIND, y compris /" "etc/bind/rndc.key :" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:948 #, no-wrap msgid "-rw-r----- 1 root named 77 Jan 4 01:02 rndc.key" msgstr "-rw-r----- 1 root named 77 Jan 4 01:02 rndc.key" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:953 msgid "" "and where bind creates its pidfile, using, for example, /var/run/" "named instead of /var/run:" msgstr "" "et l'endroit où BIND crée son fichier pid en utilisant, par exemple /" "var/run/named au lieu de /var/run :" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:962 #, no-wrap msgid "" "$ mkdir /var/run/named\n" "$ chown named.named /var/run/named\n" "$ vi /etc/named.conf\n" "[ ... update the configuration file to use this new location ...]\n" "options { ...\n" " pid-file \"/var/run/named/named.pid\";\n" "};\n" "[ ... ]" msgstr "" "$ mkdir /var/run/named\n" "$ chown named.named /var/run/named\n" "$ vi /etc/named.conf\n" "[ ... mettez le fichier de configuration à jour en utilisant ce nouvel\n" "emplacement ...]\n" "options { ...\n" " pid-file \"/var/run/named/named.pid\";\n" "};\n" "[ ... ]" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:967 msgid "" "Also, in order to avoid running anything as root, change the reload " "line in the init.d script by substituting:" msgstr "" "Pour éviter également d'exécuter quoi que ce soit en tant que " "superutilisateur, modifiez la ligne reload du script init.d en " "substituant :" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:970 #, no-wrap msgid "" "reload)\n" " /usr/sbin/ndc reload" msgstr "" "reload)\n" " /usr/sbin/ndc reload" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:973 #: securing-debian-howto.en.sgml:60 en/faq.sgml:299 en/faq.sgml:686 msgid "to:" msgstr "par :" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:978 #, no-wrap msgid "" "reload)\n" " $0 stop\n" " sleep 1\n" " $0 start" msgstr "" "reload)\n" " $0 stop\n" " sleep 1\n" " $0 start" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:984 msgid "" "Note: Depending on your Debian version you might have to change the " "restart line too. This was fixed in Debian's bind version " "1:8.3.1-2." msgstr "" "Remarque : selon la version de Debian, vous pouvez devoir changer la ligne " "restart également. Cela a été corrigé dans la " "version 1:8.3.1-2 de BIND pour Debian." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:988 msgid "" "All you need to do now is to restart bind via /etc/init.d/bind restart, and then check your syslog for two entries like this:" msgstr "" "Il ne reste plus qu'à redémarrer BIND à l'aide de /etc/init.d/bind " "restart, puis rechercher dans le journal système les deux entrées " "suivantes :" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:992 #, no-wrap msgid "" "Sep 4 15:11:08 nexus named[13439]: group = named\n" "Sep 4 15:11:08 nexus named[13439]: user = named" msgstr "" "Sep 4 15:11:08 nexus named[13439]: group = named\n" "Sep 4 15:11:08 nexus named[13439]: user = named" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1007 msgid "" "Voilà! Your named now does not run as root. If you want to read " "more information on why BIND does not run as non-root user on Debian " "systems, please check the Bug Tracking System regarding Bind, specifically " " and , , , and . Feel free to contribute to the bug " "reports if you think you can add useful information." msgstr "" "Voilà ! Maintenant named ne s'exécute plus en tant que " "superutilisateur. Si vous voulez lire plus d'informations sur pourquoi BIND " "ne fonctionne pas en tant qu'utilisateur non superutilisateur sur les " "systèmes Debian, veuillez vérifier le système de suivi des bogues concernant " "BIND, en particulier les bogues , , , et . N'hésitez pas à contribuer à ces " "rapports de bogue si vous pensez pouvoir ajouter des " "informations utiles." #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1009 msgid "Chrooting the name server" msgstr "Chrooter le serveur de domaine" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1019 msgid "" "To achieve maximum BIND security, now build a chroot jail (see ) around your daemon. There is an easy way to do this: the -" "t option (see the manpage or page " "100 of ). This will make Bind chroot itself " "into the given directory without you needing to set up a chroot jail and " "worry about dynamic libraries. The only files that need to be in the chroot " "jail are:" msgstr "" "Pour atteindre une sécurité de BIND maximale, construisez maintenant une " "prison chroot (consultez ) autour du démon. Il y a un " "moyen facile de faire cela : l'option -t (consultez la page de " "manuel ou la page 100 de la ). Cela fera que BIND se chrootera lui-" "même dans le répertoire donné sans que vous ayez besoin de configurer une " "prison chroot et de vous inquiéter au sujet des bibliothèques dynamiques. " "Les seuls fichiers qui doivent être dans cette prison chroot :" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1029 #, no-wrap msgid "" "dev/null\n" "etc/bind/ - should hold named.conf and all the server zones\n" "sbin/named-xfer - if you do name transfers\n" "var/run/named/ - should hold the PID and the name server cache (if\n" " any) this directory needs to be writable by named user\n" "var/log/named - if you set up logging to a file, needs to be writable\n" " for the named user\n" "dev/log - syslogd should be listening here if named is configured to\n" " log through it" msgstr "" "dev/null\n" "etc/bind/ - doit contenir named.conf et toutes les zones du serveur\n" "sbin/named-xfer - si vous faites du transfert de nom\n" "var/run/named/ - devrait contenir le PID et le cache du serveur de nom\n" " (s'il existe), ce répertoire doit être accessible en\n" " écriture à l'utilisateur named\n" "var/log/named - si vous configurez le journal vers un fichier, doit\n" " être accessible en écriture à l'utilisateur named\n" "dev/log - syslogd devrait écouter ici si named est configuré\n" " pour 
journaliser en l'utilisant" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1039 msgid "" "In order for your Bind daemon to work properly it needs permission in the " "named files. This is an easy task since the configuration files are always " "at /etc/named/. Take into account that it only needs read-only " "access to the zone files, unless it is a secondary or cache name server. If " "this is your case you will have to give read-write permissions to the " "necessary zones (so that zone transfers from the primary server work)." msgstr "" "Pour que le démon BIND fonctionne correctement il a besoin de permissions " "dans les fichiers named. C'est une tâche facile car les fichiers de " "configuration sont toujours dans /etc/named. Prenez en compte qu'il " "n'a besoin que d'un accès en lecture seule aux fichiers de zone, sauf s'il " "s'agit d'un serveur de nom secondaire ou d'un serveur cache. Si c'est le cas vous " "devrez permettre la lecture et l'écriture aux zones nécessaires (pour que " "les transferts de zone à partir du serveur primaire fonctionnent)." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1049 msgid "" "Also, you can find more information regarding Bind chrooting in the (regarding Bind 9) and (regarding Bind 8). This same " "documents should be available through the installation of the doc-" "linux-text (text version) or doc-linux-html " "(HTML version). Another useful document is ." msgstr "" "De plus, vous pouvez trouver plus d'informations concernant le chrootage de " "BIND dans le (au sujet de BIND 9) et " "(au sujet de BIND 8). Ces mêmes documents devraient être disponibles par " "l'installation de doc-linux-text (version texte) ou " "doc-linux-html (version HTML). Un autre document utile " "est ." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1056 msgid "" "If you are setting up a full chroot jail (i.e. not just -t) for " "Bind in Debian, make sure you have the following files in " "it

This setup has not been tested for new release of Bind yet.:" msgstr "" "Si vous configurez une véritable prison chroot (c'est-à-dire pas seulement " "l'option -t) pour BIND dans Debian, assurez-vous qu'elle contient " "les fichiers suivants

Cette configuration n'a pas encore été " "essayée pour les nouvelles versions de BIND.

 :" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1070 #, no-wrap msgid "" "dev/log - syslogd should be listening here\n" "dev/null\n" "etc/bind/named.conf \n" "etc/localtime\n" "etc/group - with only a single line: \"named:x:GID:\"\n" "etc/ld.so.cache - generated with ldconfig \n" "lib/ld-2.3.6.so\n" "lib/libc-2.3.6.so\n" "lib/ld-linux.so.2 - symlinked to ld-2.3.6.so\n" "lib/libc.so.6 - symlinked to libc-2.3.6.so\n" "sbin/ldconfig - may be deleted after setting up the chroot\n" "sbin/named-xfer - if you do name transfers\n" "var/run/" msgstr "" "dev/log - syslogd devrait écouter ici\n" "dev/null\n" "etc/bind/named.conf \n" "etc/localtime\n" "etc/group - avec une seule ligne: \"named:x:GID:\"\n" "etc/ld.so.cache - généré avec ldconfig\n" "lib/ld-2.3.6.so\n" "lib/libc-2.3.6.so\n" "lib/ld-linux.so.2 - lié symboliquement à ld-2.3.6.so \n" "lib/libc.so.6 - lié symboliquement à libc-2.3.6.so\n" "sbin/ldconfig - pourra être effacé après la configuration du chroot\n" "sbin/named-xfer - si vous faites des transferts de nom\n" "var/run/" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1075 msgid "" "And modify also syslogd listen on $CHROOT/dev/log so " "the named server can write syslog entries into the local system log." msgstr "" "Modifiez aussi l'écoute de syslogd sur $CHROOT/dev/log " "pour que le serveur de nom puisse écrire des entrées de journalisation " "système dans le journal du système local." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1080 msgid "" "If you want to avoid problems with dynamic libraries, you can compile bind " "statically. You can use apt-get for this, with the source option. It can even download the packages you need to properly compile " "it. You would need to do something similar to:" msgstr "" "Pour éviter des problèmes avec les bibliothèques dynamiques, vous pouvez " "compiler BIND statiquement. Vous pouvez utiliser apt-get pour " "cela avec l'option source. Il peut même récupérer les paquets dont " "vous avez besoin pour le compiler correctement. Il vous faudrait faire " "quelque chose comme :" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1089 #, no-wrap msgid "" "$ apt-get source bind\n" "# apt-get build-dep bind\n" "$ cd bind-8.2.5-2\n" " (edit src/port/linux/Makefile so CFLAGS includes the '-static'\n" " option)\n" "$ dpkg-buildpackage -rfakeroot -uc -us\n" "$ cd ..\n" "# dpkg -i bind-8.2.5-2*deb" msgstr "" "$ apt-get source bind\n" "# apt-get build-dep bind\n" "$ cd bind-8.2.5-2\n" " (modifier src/port/linux/Makefile pour que CFLAGS contienne\n" " l'option « -static »)\n" "$ dpkg-buildpackage -rfakeroot -uc -us\n" "$ cd ..\n" "# dpkg -i bind-8.2.5-2*deb" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1103 msgid "" "After installation, you will need to move around the files to the chroot " "jail

Unless you use the instdir option when calling " "dpkg but then the chroot jail might be a little more complex. you can keep the init.d scripts in /etc/init.d so that the system will automatically start the name server, but edit " "them to add --chroot /location_of_chroot in the calls to " "start-stop-daemon in those scripts or use the -t " "option for BIND by setting it in the OPTIONS argument at the /etc/" "default/bind (for version 8) or /etc/default/bind9 (for " "version 9) configuration file." msgstr "" "Après l'installation, vous devrez déplacer des fichiers dans la prison " "chroot

Sauf si vous utilisez l'option instdir lors de " "l'appel à dpkg mais alors la prison chroot peut être un petit " "peu plus complexe.

vous pouvez conserver les scripts init." "d dans /etc/init.d pour que le système lance " "automatiquement le serveur de domaine, mais éditez les pour ajouter --" "chroot /location_of_chroot dans les appels à start-stop-daemon dans ces scripts ou utilisez l'option -t de BIND en la " "configurant dans l'argument OPTIONS du fichier de configuration /etc/" "default/bind (pour la version 8) ou /etc/default/bind9 " "(pour la version 9)." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1105 msgid "For more information on how to set up chroots see ." msgstr "" "Pour plus d'informations sur la mise en place de chroots, consultez ." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1115 msgid "" "FIXME: Merge info from , " "(Debian-specific), and ." msgstr "" "FIXME : Inclure les informations provenant de , (spécifique Debian), , ." #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1117 msgid "Securing Apache" msgstr "Sécurisation d'Apache" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1121 msgid "" "FIXME: Add content: modules provided with the normal Apache installation " "(under /usr/lib/apache/X.X/mod_*) and modules that can be installed " "separately in libapache-mod-XXX packages." msgstr "" "FIXME : Ajout de contenu : modules fournis par l'installation normale " "d'Apache (sous /usr/lib/apache/X.X/mod_*) et modules qui peuvent être " "installés séparément dans les paquets libapache-mod-XXX." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1128 msgid "" "You can limit access to the Apache server if you only want to use it " "internally (for testing purposes, to access the doc-central archive, etc.) and do not want outsiders to access it. To do this " "use the Listen or BindAddress directives in /etc/" "apache/http.conf." msgstr "" "Vous pouvez limiter l'accès au serveur Apache si vous voulez uniquement " "l'utiliser en interne (dans un but d'essai, pour accéder à l'archive " "doc-central, etc.) et si vous ne voulez pas que des " "intrus y accèdent. Pour réaliser cela, utilisez les directives Listen ou BindAddress dans /etc/apache/http.conf." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1129 msgid "Using Listen:" msgstr "En utilisant Listen :" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1131 #, no-wrap msgid "Listen 127.0.0.1:80" msgstr "Listen 127.0.0.1:80" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1133 msgid "Using BindAddress:" msgstr "En utilisant BindAddress :" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1135 #, no-wrap msgid "BindAddress 127.0.0.1" msgstr "BindAddress 127.0.0.1" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1140 msgid "" "Then restart apache with /etc/init.d/apache restart and you will " "see that it is only listening on the loopback interface." msgstr "" "Ensuite, redémarrez apache avec /etc/init.d/apache restart et vous " "observerez qu'il écoute uniquement l'interface loopback." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1144 msgid "" "In any case, if you are not using all the functionality provided by Apache, " "you might want to take a look at other web servers provided in Debian like " "dhttpd." msgstr "" "Dans tous les cas, si vous n'utilisez pas toutes les fonctionnalités " "fournies par Apache, vous pouvez jeter un œil aux autres serveurs web " "fournis dans Debian comme dhttpd." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1156 msgid "" "The provides information regarding security measures " "to be taken on Apache web server (this same information is provided in " "Debian by the apache-doc package)." msgstr "" "La fournit des informations concernant les mesures " "de sécurité à prendre pour les serveurs web Apache (ces mêmes informations " "sont fournies dans Debian par le paquet apache-doc)." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1159 msgid "" "More information on further restricting Apache by setting up a chroot jail " "is provided in ." msgstr "" "Plus d'informations sur des restrictions supplémentaires d'Apache en mettant " "en place une prison chroot sont disponibles en ." #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1161 msgid "Disabling users from publishing web contents" msgstr "Désactiver la publication de contenu sur le web par les utilisateurs" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1166 msgid "" "The default Apache installation in Debian permits users to publish content " "under the $HOME/public_html. This content can be retrieved " "remotely using an URL such as: http://your_apache_server/~user." msgstr "" "L'installation par défaut d'Apache dans Debian permet aux utilisateurs de " "publier du contenu dans leur répertoire $HOME/public_html. Ce " "contenu peut être récupéré à distance en utilisant une URL comme : " "http://serveur_apache/~utilisateur." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1170 msgid "" "If you do not want to permit this you must change the /etc/apache/http." "conf configuration file commenting out (in Apache 1.3) the following " "module:" msgstr "" "Pour empêcher cela, veuillez modifier le fichier de configuration /etc/" "apache/http.conf en commentant (pour Apache 1.3) le module suivant :" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1172 #, no-wrap msgid "LoadModule userdir_module /usr/lib/apache/1.3/mod_userdir.so" msgstr "LoadModule userdir_module /usr/lib/apache/1.3/mod_userdir.so" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1178 msgid "" "If you are using Apache 2.0 you must remove the file /etc/apache2/mods-" "enabled/userdir.load or restrict the default configuration by " "modifying /etc/apache2/mods-enabled/userdir.conf." msgstr "" "Avec Apache 2.0, il faut supprimer le fichier /etc/apache2/mods-" "enabled/userdir.load ou restreindre la configuration par défaut en " "modifiant /etc/apache2/mods-enabled/userdir.conf." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1182 msgid "" "However, if the module was linked statically (you can list the modules that " "are compiled in running apache -l) you must add the following to " "the Apache configuration file:" msgstr "" "Cependant, si le module a été lié statiquement (vous pouvez obtenir la liste " "des modules compilés en exécutant apache -l), vous devez ajouter la " "ligne suivante au fichier de configuration d'Apache :" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1184 #, no-wrap msgid "Userdir disabled" msgstr "Userdir disabled" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1191 msgid "" "An attacker might still do user enumeration, since the answer of the web " "server will be a 403 Permission Denied and not a 404 Not " "available. You can avoid this if you use the Rewrite module." msgstr "" "Un attaquant peut encore faire de l'énumération d'utilisateur, car la " "réponse du serveur web sera un 403 Permission Denied et non un " "404 Not available. Vous pouvez éviter cela en utilisant le module " "Rewrite." #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1193 msgid "Logfiles permissions" msgstr "Permissions des fichiers de journalisation" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1202 msgid "" "Apache logfiles, since 1.3.22-1, are owned by user 'root' and group 'adm' " "with permissions 640. These permissions are changed after rotation. An " "intruder that accessed the system through the web server would not be able " "(without privilege escalation) to remove old log file entries." msgstr "" "Les fichiers de journalisation d'Apache, depuis la version 1.3.22-1, " "ont pour propriétaire l'utilisateur « root » et pour groupe « " "adm » avec les permissions 640. Ces permissions sont changées après la " "rotation. Un intrus qui peut accéder au système par le serveur web ne pourra " "pas (sans augmentation de droits) enlever d'anciennes entrées des fichiers de " "journalisation." #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1204 msgid "Published web files" msgstr "Fichiers web publiés" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1214 msgid "" "Apache files are located under /var/www. Just after " "installation the default file provides some information on the system " "(mainly that it's a Debian system running Apache). The default webpages are " "owned by user root and group root by default, while the Apache process runs " "as user www-data and group www-data. This should make attackers that " "compromise the system through the web server harder to deface the site. You " "should, of course, substitute the default web pages (which might provide " "information you do not want to show to outsiders) with your own." msgstr "" "Les fichiers d'Apache sont situés sous /var/www. Juste après " "l'installation, le fichier par défaut fournit quelques informations sur le " "système (principalement qu'il s'agit d'un système Debian exécutant Apache). " "Les pages web par défaut appartiennent à l'utilisateur root et au groupe " "root par défaut alors que le processus Apache s'exécute avec l'utilisateur " "www-data et le groupe www-data. Cela devrait rendre plus difficile aux " "attaquants qui compromettent le système par le site web de le défigurer. " "Vous devriez, bien sûr, remplacer les pages web par défaut (qui peuvent " "fournir des informations que vous ne voulez pas donner aux visiteurs) avec " "les vôtres." #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1217 msgid "Securing finger" msgstr "Sécurisation de finger" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1221 msgid "" "If you want to run the finger service first ask yourself if you need to do " "so. If you do, you will find out that Debian provides many finger daemons " "(output from apt-cache search fingerd):" msgstr "" "Si vous désirez utiliser le service finger, demandez-vous si vous en avez " "réellement besoin. Si oui, vous découvrirez que Debian fournit de nombreux " "démons finger (sortie d'un apt-cache search fingerd):" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1223 msgid "cfingerd - Configurable finger daemon" msgstr "cfingerd - démon finger configurable" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1225 msgid "" "efingerd - Another finger daemon for unix, capable of fine-tuning your " "output." msgstr "" "efingerd - autre démon finger pour UNIX capable de syntoniser précisément la " "sortie" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1226 msgid "ffingerd - a secure finger daemon" msgstr "ffingerd - démon finger sécurisé" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1227 msgid "fingerd - Remote user information server." msgstr "fingerd - serveur distant pour informations d'utilisateurs" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1228 msgid "xfingerd - BSD-like finger daemon with qmail support." msgstr "xfingerd - démon finger de type BSD avec la prise en charge de qmail" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1244 msgid "" "ffingerd is the recommended finger daemon if you are " "going to use it for a public service. In any case, you are encouraged to, " "when setting it up through inetd, xinetd or tcpserver to: limit the number " "of processes that will be running at the same time, limit access to the " "finger daemon from a given number of hosts (using tcp wrappers) and having " "it only listening to the interface you need it to be in." msgstr "" "ffingerd est le démon finger recommandé si vous comptez " "l'utiliser pour un service public. Dans tous les cas, vous devriez, lors de " "la mise en place par inetd, xinetd ou tcpserver, limiter le nombre de " "processus qui seront lancés en même temps, limiter les accès au démon finger " "depuis un nombre d'hôtes donné (en utilisant les TCP wrappers) et l'avoir " "en écoute uniquement sur l'interface dont vous avez réellement besoin." #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1246 msgid "General chroot and suid paranoia" msgstr "Paranoïa généralisée du suid et du chroot" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1265 msgid "" "chroot is one of the most powerful possibilities to restrict a " "daemon or a user or another service. Just imagine a jail around your target, " "which the target cannot escape from (normally, but there are still a lot of " "conditions that allow one to escape out of such a jail). If you do not trust " "a user or a service, you can create a modified root environment for him. " "This can use quite a bit of disk space as you need to copy all needed " "executables, as well as libraries, into the jail. But then, even if the user " "does something malicious, the scope of the damage is limited to the jail." msgstr "" "chroot est l'une des plus puissantes possibilités pour " "restreindre un démon, un utilisateur ou un autre service. Imaginez " "simplement une prison autour de votre cible, de laquelle votre cible ne peut " "s'échapper (normalement, mais il y a encore beaucoup de conditions qui " "peuvent permettre de s'échapper d'une telle prison). Si vous ne faites pas " "confiance à l'utilisateur ou au service, vous pouvez créer un environnement " "racine modifié pour lui. Cela peut utiliser pas mal d'espace disque car vous " "devez copier tous les exécutables nécessaires, ainsi que des bibliothèques, " "dans la prison. Mais alors, même si l'utilisateur fait quelque chose de " "malveillant, l'étendue des dommages est limitée à la prison." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1270 msgid "" "Many services running as daemons could benefit from this sort of " "arrangement. The daemons that you install with your Debian distribution will " "not come, however, chrooted

It does try to run them under " "minimum priviledge which includes running daemons with their own " "users instead of having them run as root.

per default." msgstr "" "Un grand nombre de services fonctionnant en démons pourraient bénéficier de " "ce type d'arrangement. Les démons que vous installez dans votre distribution " "Debian ne seront cependant pas fournis chrootés

Elle essaie de " "les faire fonctionner avec le minimum de droits, y compris exécuter " "les démons avec leur propre utilisateur au lieu de les exécuter en tant que " "superutilisateur.

par défaut." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1279 msgid "" "This includes: name servers (such as bind), web servers (such " "as apache), mail servers (such as sendmail) and " "ftp servers (such as wu-ftpd). It is probably fair to say that " "the complexity of BIND is the reason why it has been exposed to a lot of " "attacks in recent years (see )." msgstr "" "Exemples : serveurs de noms de domaine (comme bind), serveurs " "web (comme apache), serveurs de courrier (comme sendmail) et serveurs FTP (comme wu-ftpd). La complexité de BIND " "est probablement la raison pour laquelle il a été exposé à de nombreuses " "attaques ces dernières années (consultez )." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1282 msgid "" "However, Debian does provide some software that can help set up " "chroot environments. See ." msgstr "" "Cependant, Debian fournit des logiciels qui peuvent vous aider à mettre en " "place des environnements chroot. Consultez ." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1285 msgid "" "Anyway, if you run any service on your system, you should consider running " "them as secure as possible. This includes: revoking root privileges, running " "in a restricted environment (such as a chroot jail) or replacing them with a " "more secure equivalent." msgstr "" "De toute façon, si vous exécutez un quelconque service sur votre système, " "vous devriez considérer de le faire fonctionner de la façon la plus " "sécurisée possible. Cela comprend : révoquer les droits du " "superutilisateur, le faire fonctionner dans un environnement restreint " "(comme une prison chroot) ou le remplacer par un équivalent plus sécurisé." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1299 msgid "" "However, be forewarned that a chroot jail can be broken if the " "user running in it is the superuser. So, you need to make the service run as " "a non-privileged user. By limiting its environment you are limiting the " "world readable/executable files the service can access, thus, you limit the " "possibilities of a privilege escalation by use of local system security " "vulnerabilities. Even in this situation you cannot be completely sure that " "there is no way for a clever attacker to somehow break out of the jail. " "Using only server programs which have a reputation for being secure is a " "good additional safety measure. Even minuscule holes like open file handles " "can be used by a skilled attacker for breaking into the system. After all, " "chroot was not designed as a security tool but as a testing " "tool." msgstr "" "Cependant, soyez prévenu qu'une prison chroot peut être cassée " "si l'utilisateur fonctionnant dedans est le superutilisateur. Vous devez " "donc faire fonctionner le service avec un utilisateur sans droits élevés. En " "limitant son environnement, vous limitez les fichiers lisibles et " "exécutables par tout le monde auxquels le service peut accéder, vous limitez " "donc aussi les possibilités d'une augmentation de droits en utilisant des " "failles de sécurité sur le système local. Même dans cette situation, vous ne " "pouvez pas être complètement certain qu'il n'y a pas de moyen pour un " "attaquant intelligent de sortir de la prison d'une manière ou d'une autre. " "Utiliser seulement des programmes serveur ayant une réputation de sécurité " "est une bonne mesure de sécurité additionnelle. Même des trous minuscules " "comme des descripteurs de fichier restés ouverts peuvent être utilisés par un attaquant " "doué pour s'introduire dans le système. Après tout, chroot n'a " "pas été conçu pour être un outil de sécurité, mais un outil de test." #. 
type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1303 msgid "Making chrooted environments automatically" msgstr "Créer des environnements chrooté automatiquement" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1312 msgid "" "There are several programs to chroot automatically servers and services. " "Debian currently (accepted in May 2002) provides Wietse Venema's " "chrootuid in the chrootuid package, as well " "as compartment and makejail. These " "programs can be used to set up a restricted environment for executing any " "program (chrootuid enables you to even run it as a restricted " "user)." msgstr "" "Plusieurs programmes permettent de chrooter automatiquement des serveurs et " "services. Debian fournit actuellement (accepté en mai 2002) chrootuid de Wietse Venema dans le paquet chrootuid, ainsi " "que compartment et makejail. Ces " "programmes peuvent être utilisés pour mettre en place un environnement " "restreint pour exécuter tout programme (chrootuid vous permet " "même de l'exécuter avec un utilisateur restreint)." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1331 msgid "" "Some of these tools can be used to set up the chroot environment easily. The " "makejail program for example, can create and update a chroot " "jail with short configuration files (it provides sample configuration files " "for bind, apache, postgresql and " "mysql). It attempts to guess and install into the jail all " "files required by the daemon using strace, stat " "and Debian's package dependencies. More information at . Jailer is a similar tool which can be " "retrieved from and is " "also available as a Debian package." msgstr "" "Certains de ces outils peuvent être utilisés pour mettre en place " "l'environnement chrooté facilement. Le programme makejail, par " "exemple, peut créer et mettre à jour une prison chroot avec de petits " "fichiers de configuration (il fournit des fichiers de configuration exemple " "pour bind, apache, postgresql et " "mysql). Il tente de deviner et d'installer dans la prison tous " "les fichiers nécessaires au démon en utilisant strace, " "stat et les dépendances du paquet Debian. De plus amples " "renseignements sont disponibles à . Jailer est un outil semblable disponible à et en paquet Debian." #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1332 msgid "General cleartext password paranoia" msgstr "Paranoïa généralisée du mot de passe en texte clair" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1337 msgid "" "You should try to avoid any network service which sends and receives " "passwords in cleartext over a net like FTP/Telnet/NIS/RPC. The author " "recommends the use of ssh instead of telnet and ftp to everybody." msgstr "" "Vous devriez essayer d'éviter tout service réseau qui envoie et reçoit des " "mots de passe en texte clair par le net comme FTP/TELNET/NIS/RPC. L'auteur " "recommande l'utilisation de SSH à la place de TELNET et FTP pour tout le " "monde." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1344 msgid "" "Keep in mind that migrating from telnet to ssh, but using other cleartext " "protocols does not increase your security in ANY way! Best would be to " "remove ftp, telnet, pop, imap, http and to supersede them with their " "respective encrypted services. You should consider moving from these " "services to their SSL versions, ftp-ssl, telnet-ssl, pop-ssl, https ..." msgstr "" "Gardez à l'esprit que la migration de TELNET vers SSH, en conservant " "l'utilisation d'autres protocoles en texte clair, n'augmente votre " "sécurité en AUCUNE manière ! Le mieux serait de retirer FTP, TELNET, " "POP, IMAP, HTTP et de les remplacer par leurs services chiffrés respectifs. " "Vous devriez considérer la migration de ces services vers leurs versions " "SSL, ftp-ssl, telnet-ssl, pop-ssl, HTTPS, etc." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1348 msgid "" "Most of these above listed hints apply to every Unix system (you will find " "them if reading any other hardening-related document related to Linux and " "other Unices)." msgstr "" "La plupart des astuces ci-dessus s'appliquent à tout système UNIX (vous les " "trouverez dans des documents de durcissement liés à Linux et autres UNIX)." #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1350 msgid "Disabling NIS" msgstr "Désactivation du NIS" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1354 msgid "" "You should not use NIS, the Network Information Service, if possible, " "because it allows password sharing. This can be highly insecure if your " "setup is broken." msgstr "" "Si possible, évitez d'utiliser NIS, le service d'informations réseau " "(« Network Information Service »), car il autorise le partage de mot de " "passe. Cela peut être fortement dangereux si votre installation est cassée." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1362 msgid "" "If you need password sharing between machines, you might want to consider " "using other alternatives. For example, you can setup an LDAP server and " "configure PAM on your system in order to contact the LDAP server for user " "authentication. You can find a detailed setup in the (/usr/share/doc/" "HOWTO/en-txt/LDAP-HOWTO.txt.gz)." msgstr "" "Si vous avez besoin de partager les mots de passe entre machines, pensez à " "d'autres alternatives. Par exemple, mettre en place un serveur LDAP et " "configurer PAM sur votre système afin de contacter le serveur LDAP pour " "l'authentification des utilisateurs. Une installation détaillée est " "disponible dans le (/usr/share/doc/HOWTO/en-txt/LDAP-HOWTO.txt.gz)." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1367 msgid "" "You can read more about NIS security in the (/usr/share/doc/HOWTO/en-" "txt/NIS-HOWTO.txt.gz)." msgstr "" "Des informations supplémentaires sur la sécurité de NIS sont disponibles à " "l'adresse (/usr/share/doc/HOWTO/fr-txt/NIS-HOWTO.txt.gz)." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1370 msgid "FIXME (jfs): Add info on how to set this up in Debian." msgstr "" "FIXME (jfs) : Ajouter des renseignements sur la façon de configurer " "cela dans Debian." #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1372 msgid "Securing RPC services" msgstr "Sécurisation des services RPC" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1374 msgid "You should disable RPC if you do not need it." msgstr "Vous devriez désactiver RPC si vous n'en avez pas besoin." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1380 msgid "" "Remote Procedure Call (RPC) is a protocol that programs can use to request " "services from other programs located on different computers. The " "portmap service controls RPC services by mapping RPC program " "numbers into DARPA protocol port numbers; it must be running in order to " "make RPC calls." msgstr "" "Les appels de procédure à distance (« Remote Procedure Call » ou " "RPC) sont un protocole que les programmes peuvent utiliser pour demander des " "services de la part d'autres programmes situés sur différents ordinateurs. Le " "service portmap contrôle les services RPC en convertissant les " "numéros de programme RPC en numéros de port du protocole DARPA ; il " "doit fonctionner pour pouvoir faire des appels RPC." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1386 msgid "" "RPC-based services have had a bad record of security holes, although the " "portmapper itself hasn't (but still provides information to a remote " "attacker). Notice that some of the DDoS (distributed denial of service) " "attacks use RPC exploits to get into the system and act as a so called agent/" "handler." msgstr "" "Les services basés sur RPC ont un mauvais historique de failles de " "sécurité, bien que le portmapper lui-même n'en ait pas eu (mais il fournit tout de même des " "informations à un attaquant distant). Notez que certaines des attaques DDoS " "(déni de service distribué) exploitent des failles RPC pour entrer dans le système et " "agir en tant qu'agent ou gestionnaire." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1393 msgid "" "You only need RPC if you are using an RPC-based service. The most common RPC-" "based services are NFS (Network File System) and NIS (Network Information " "System). See the previous section for more information about NIS. The File " "Alteration Monitor (FAM) provided by the package fam is " "also an RPC service, and thus depends on portmap." msgstr "" "Vous n'avez besoin de RPC que si vous utilisez un service basé sur RPC. Les " "services basés sur RPC les plus communs sont NFS (Network File System) et " "NIS (Network Information System). Consultez la section précédente pour plus " "d'informations à propos de NIS. Le File Alteration Monitor (FAM) fourni par " "le paquet fam est également un service RPC et dépend donc " "de portmap." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1400 msgid "" "NFS services are quite important in some networks. If that is the case for " "you, then you will need to find a balance of security and usability for your " "network (you can read more about NFS security in the (/usr/share/doc/" "HOWTO/en-txt/NFS-HOWTO.txt.gz))." msgstr "" "Les services NFS sont assez importants dans certains réseaux. Si c'est le " "cas pour vous, vous aurez alors besoin de trouver un équilibre entre la " "sécurité et l'utilisabilité du réseau (plus de renseignements à propos de la " "sécurité NFS sont disponibles dans le ou /usr/share/doc/HOWTO/fr-txt/" "NFS-HOWTO.txt.gz)." #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1402 msgid "Disabling RPC services completely" msgstr "Désactivation des services RPC" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1410 msgid "" "Disabling portmap is quite simple. There are several different methods. The " "simplest one in a Debian 3.0 system and later releases is to uninstall the " "portmap package. If you are running an older Debian " "version you will have to disable the service as seen in , because the program is part of the netbase package " "(which cannot be de-installed without breaking the system)." msgstr "" "La désactivation de portmap est assez simple. Il y a différentes méthodes. " "La plus simple sur un système Debian 3.0 et versions supérieures est de " "désinstaller le paquet portmap. Si vous exécutez une " "version plus ancienne, vous devrez désactiver le service comme expliqué dans " ", cela est dû au fait que le programme fait partie " "du paquet netbase (qui ne peut être désinstallé sans " "endommager le système)." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1415 msgid "" "Notice that some desktop environments (notably, GNOME) use RPC services and " "need the portmapper for some of the file management features. If this is " "your case, you can limit the access to RPC services as described below." msgstr "" "Notez que certains environnements de bureau (notamment, GNOME) utilisent des " "services RPC et ont besoin du portmapper pour certaines fonctionnalités de " "gestion de fichiers. Si c'est votre cas, vous pouvez limiter l'accès aux " "services RPC comme décrit ci-dessous." #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1417 msgid "Limiting access to RPC services" msgstr "Limiter l'accès aux services RPC" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1423 msgid "" "Unfortunately, in some cases removing RPC services from the system is not an " "option. Some local desktop services (notably SGI's fam) " "are RPC based and thus need a local portmapper. This means that under some " "situations, users installing a desktop environment (like GNOME) will install " "the portmapper too." msgstr "" "Malheureusement, dans certains cas, supprimer les services RPC du système " "n'est pas une option. Certains services de bureau locaux (notamment " "fam de SGI) sont basés sur RPC et ont donc besoin d'un " "portmapper local. Cela veut dire que dans certaines circonstances, les " "utilisateurs installant un environnement de bureau (comme GNOME) installeront " "également le portmapper." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1426 msgid "" "There are several ways to limit access to the portmapper and to RPC services:" msgstr "" "Il y a différentes façons de limiter l'accès au portmapper et aux services " "RPC :" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1429 msgid "" "Block access to the ports used by these services with a local firewall (see " ")." msgstr "" "bloquer l'accès aux ports utilisés par ces services avec un pare-feu local " "(consultez ) ;" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1434 msgid "" "Block access to these services using tcp wrappers, since the portmapper (and " "some RPC services) are compiled with libwrap (see ). This means that you can block access to them through the " "hosts.allow and hosts.deny tcp wrappers " "configuration." msgstr "" "bloquer l'accès à ces services en utilisant l'encapsulation TCP, car le " "portmapper (et certains services RPC) sont compilés avec libwrap (consultez ). Cela veut dire que vous pouvez " "en bloquer l'accès par la configuration des fichiers hosts.allow et hosts.deny de l'encapsulation TCP ;" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1441 msgid "" "Since version 5-5, the portmap package can be configured " "to listen only on the loopback interface. To do this, modify /etc/" "default/portmap, uncomment the following line: #OPTIONS=\"-i " "127.0.0.1\" and restart the portmapper. This is sufficient to allow " "local RPC services to work while at the same time prevents remote systems " "from accessing them (see, however, )." msgstr "" "depuis la version 5-5, le paquet portmap peut être " "configuré pour n'écouter que sur l'interface loopback. Pour faire cela, " "modifiez /etc/default/portmap, décommentez la ligne " "suivante : #OPTIONS=\"-i 127.0.0.1\" et redémarrez le " "portmapper. Cela suffit pour permettre aux services RPC locaux de fonctionner tout en " "empêchant les systèmes distants d'y accéder (consultez, cependant, " ")." #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1445 msgid "Adding firewall capabilities" msgstr "Ajouter des capacités de pare-feu" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1460 msgid "" "The Debian GNU/Linux operating system has the built-in capabilities provided " "by the Linux kernel

. If you install a recent " "Debian release (default kernel installed is 2.6) you will have " "iptables (netfilter) firewalling " "available

Available since the kernel version 2.4 (which was the " "default kernel in Debian 3.0). Previous kernel versions (2.2, available in " "even older Debian releases) used ipchains. The main difference " "between ipchains and iptables is that the latter " "is based on stateful packet inspection which provides for more " "secure (and easier to build) filtering configurations. Older (and now " "unsupported) Debian distributions using the 2.0 kernel series needed the " "appropriate kernel patch.

." msgstr "" "Le système d'exploitation Debian GNU/Linux possède les capacités intégrées " "fournies par le noyau Linux

. Si vous installez " "une version récente de Debian (le noyau installé par défaut est le 2.6) vous " "aurez la fonctionnalité pare-feu iptables (netfilter) " "disponible

Disponible depuis le noyau 2.4 (qui était le noyau " "par défaut de Debian 3.0). Les versions de noyau précédentes (2.2, " "disponibles dans les versions encore plus anciennes de Debian) utilisaient " "ipchains. La principale différence entre ipchains " "et iptables est que ce dernier est basé sur une inspection " "des paquets en fonction de l'état (stateful packet inspection) qui " "fournit des configurations de filtrage plus sécurisées (et plus faciles à " "construire). Les distributions Debian plus anciennes (qui ne sont plus " "prises en charge) utilisant un noyau 2.0 avaient besoin du correctif de noyau " "correspondant.

." #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1462 msgid "Firewalling the local system" msgstr "Protéger le système local avec un pare-feu" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1468 msgid "" "You can use firewall rules as a way to secure the access to your local " "system and, even, to limit the outbound communications made by it. Firewall " "rules can also be used to protect processes that cannot be properly " "configured not to provide services to some networks, IP addresses, " "etc." msgstr "" "Vous pouvez utiliser des règles de pare-feu comme façon de sécuriser l'accès " "à votre système local et, même, de limiter les connexions sortantes " "effectuées par celui-ci. Des règles de pare-feu peuvent être également " "utilisées pour protéger des processus qui ne peuvent être proprement " "configurés pour ne pas fournir certains services à certains " "réseaux, certaines adresses IP, etc." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1479 msgid "" "However, this step is presented last in this manual basically because it is " "much better not to depend solely on firewalling capabilities in " "order to protect a given system. Security in a system is made up of layers, " "firewalling should be the last to include, once all services have been " "hardened. You can easily imagine a setup in which the system is solely " "protected by a built-in firewall and an administrator blissfully removes the " "firewall rules for whatever reason (problems with the setup, annoyance, " "human error...), this system would be wide open to an attack if there were " "no other hardening in the system to protect from it." msgstr "" "Toutefois, cette étape est présentée en dernier dans ce manuel car il est " "largement préférable de ne pas dépendre exclusivement des capacités " "d'un pare-feu pour protéger un système donné. La sécurité dans un système " "est réalisée par couches, le filtrage devrait être la dernière, une fois que " "tous les services ont été renforcés. Vous pouvez facilement imaginer une " "installation dans laquelle le système est uniquement protégé par le pare-feu " "et que l'administrateur enlève bêtement les règles pour n'importe quelle " "raison (problèmes avec l'installation, exaspération, erreur humaine, etc.), " "ce système pourrait être grand ouvert à une attaque s'il n'y avait aucun " "autre renforcement dans le système pour le protéger." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1490 msgid "" "On the other hand, having firewall rules on the local system also prevents " "some bad things from happening. Even if the services provided are configured " "securely, a firewall can protect from misconfigurations or from fresh " "installed services that have not yet been properly configured. Also, a tight " "configuration will prevent trojans calling home from working unless " "the firewalling code is removed. Note that an intruder does not " "need superuser access to install a trojan locally that could be remotely " "controlled (since binding on ports is allowed if they are not priviledged " "ports and capabilities have not been removed)." msgstr "" "D'un autre côté, avoir des règles de pare-feu sur le système local empêche " "également certains problèmes de se produire. Même si les services " "fournis sont configurés de manière sûre, un pare-feu peut protéger des erreurs " "de configuration ou des services fraîchement installés qui n'ont pas encore " "été configurés correctement. Une configuration stricte empêchera également " "un cheval de Troie « appelant à la maison » de fonctionner, sauf si le " "code de pare-feu est supprimé. Notez qu'un intrus n'a pas besoin de " "l'accès superutilisateur pour installer localement un cheval de Troie qui pourrait être " "contrôlé à distance (car l'écoute sur un port est autorisée à tout utilisateur tant que le port " "n'est pas privilégié et que les capacités n'ont pas été retirées)." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1493 msgid "" "Thus, a proper firewall setup would be one with a default deny policy, that " "is:" msgstr "" "Une configuration correcte de pare-feu serait donc une règle de refus par " "défaut, c'est-à-dire :" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1498 msgid "" "incoming connections are allowed only to local services by allowed machines." msgstr "" "les connexions entrantes ne sont autorisées que vers des services locaux et depuis " "des machines autorisées ;" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1506 msgid "" "outgoing connections are only allowed to services used by your system (DNS, " "web browsing, POP, email...).

Unlike personal firewalls in other " "operating systems, Debian GNU/Linux does not (yet) provide firewall " "generation interfaces that can make rules limiting them per process or user. " "However, the iptables code can be configured to do this (see the owner " "module in the manpage).

" msgstr "" "les connexions sortantes ne sont autorisées que pour les services utilisés " "par votre système (DNS, navigation web, POP, courrier, etc.)

À " "la différence des pare-feu personnels d'autres systèmes d'exploitation, " "Debian GNU/Linux ne fournit pas (encore) d'interface de génération de " "pare-feu qui puisse créer des règles les limitant par processus ou par " "utilisateur. Cependant, le code iptables peut être configuré pour faire cela " "(consultez le module propriétaire (owner) dans la page de manuel ).

 ;" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1509 msgid "" "the forward rule denies everything (unless you are protecting other systems, " "see below)." msgstr "" "la règle forward interdit tout (à moins que vous ne protégiez d'autres " "systèmes, voir ci-dessous) ;" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1511 msgid "all other incoming or outgoing connections are denied." msgstr "toutes les autres connexions entrantes et sortantes sont interdites." #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1515 msgid "Using a firewall to protect other systems" msgstr "Utiliser un pare-feu pour protéger d'autres systèmes" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1526 msgid "" "A Debian firewall can also be installed in order to protect, with filtering " "rules, access to systems behind it, limiting their exposure to the " "Internet. A firewall can be configured to prevent access from systems " "outside of the local network to internal services (ports) that are not " "public. For example, on a mail server, only port 25 (where the mail service " "is being given) needs to be accessible from the outside. A firewall can be " "configured to, even if there are other network services besides the public " "ones running in the mail server, throw away packets (this is known as " "filtering) directed towards them." msgstr "" "Un pare-feu Debian peut aussi être installé de façon à protéger, selon des " "règles de filtrage, l'accès aux systèmes derrière lui, limitant " "leur exposition à Internet. Un pare-feu peut être configuré pour interdire " "l'accès de systèmes en dehors de votre réseau local à des services internes " "(ports) qui ne sont pas publics. Par exemple, sur un serveur de messagerie, " "seul le port 25 (où le service de courrier est fourni) doit être accessible " "depuis l'extérieur. Un pare-feu peut être configuré pour, même si d'autres " "services réseau que les services publics fonctionnent sur le serveur de messagerie, rejeter les paquets (c'est " "connu sous le nom de filtrage) dirigés vers eux." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1535 msgid "" "You can even set up a Debian GNU/Linux box as a bridge firewall, i.e. a " "filtering firewall completely transparent to the network that lacks an IP " "address and thus cannot be attacked directly. Depending on the kernel you " "have installed, you might need to install the bridge firewall patch and then " "go to 802.1d Ethernet Bridging when configuring the kernel and a " "new option netfilter ( firewalling ) support. See the for more information on how to set this up in a Debian GNU/" "Linux system." msgstr "" "Vous pouvez même installer une machine Debian GNU/Linux en tant que pont " "pare-feu, c'est-à-dire un pare-feu filtrant complètement transparent pour le " "réseau qui est dépourvu d'adresse IP et donc ne peut pas être attaqué " "directement. Selon le noyau que vous avez installé, vous pouvez avoir besoin " "d'installer le correctif pare-feu pour pont, puis aller à 802.1d " "Ethernet Bridging lors de la configuration du noyau et une nouvelle " "option netfilter (firewalling) support. Consultez pour plus d'informations sur la façon de faire cela dans un système " "Debian GNU/Linux." #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1537 msgid "Setting up a firewall" msgstr "Mettre en place un pare-feu" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1543 msgid "" "The default Debian installation, unlike other Linux distributions, does not " "yet provide a way for the administrator to setup a firewall configuration " "throughout the default installation but you can install a number of firewall " "configuration packages (see )." msgstr "" "L'installation Debian par défaut, à la différence d'autres distributions " "Linux, ne fournit pas encore de moyen pour l'administrateur de mettre une " "configuration de pare-feu lors de l'installation, mais vous pouvez installer " "un certain nombre de paquets de configuration de pare-feu (consultez )." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1551 msgid "" "Of course, the configuration of the firewall is always system and network " "dependant. An administrator must know beforehand what is the network layout " "and the systems he wants to protect, the services that need to be accessed, " "and whether or not other network considerations (like NAT or routing) need " "to be taken into account. Be careful when configuring your firewall, as " "Laurence J. Lane says in the iptables package:" msgstr "" "Bien sûr, la configuration du pare-feu dépend toujours du système et du " "réseau. Un administrateur doit connaître auparavant quelle est la " "disposition du réseau, les systèmes qu'il désire protéger, les services auxquels il faut pouvoir accéder, et si d'autres " "considérations réseau (comme le NAT ou le routage) doivent être prises en " "compte ou non. Soyez prudent quand vous configurez votre pare-feu, comme le " "dit Laurence J. Lane dans son paquet iptables :"

#: securing-debian-howto.en.sgml:53 en/services.sgml:1558 msgid "" "The tools can easily be misused, causing enormous amounts of grief by " "completely crippling network access to a system. It is not terribly uncommon " "for a remote system administrator to accidentally lock himself out of a " "system hundreds or thousands of miles away. One can even manage to lock " "himself out of a computer who's keyboard is under his fingers. Please, use " "due caution." msgstr "" "Les outils peuvent facilement être mal utilisés, entraînant d'énormes " "désagréments en paralysant complètement l'accès au réseau d'un " "système. Il n'est pas si rare qu'un administrateur " "système distant se bloque accidentellement en dehors d'un système situé à quelques " "centaines ou milliers de kilomètres de là. Il est même possible de se " "bloquer en dehors d'un ordinateur dont le clavier est sous ses doigts. " "Veuillez les utiliser avec toute la précaution nécessaire." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1563 msgid "" "Remember this: just installing the iptables (or the older " "firewalling code) does not give you any protection, just provides the " "software. In order to have a firewall you need to configure it!" msgstr "" "Rappelez-vous de cela : installer simplement le paquet " "iptables (ou l'ancien code de pare-feu) ne vous fournit " "pas de protection, mais seulement les logiciels. Pour avoir un pare-feu, " "vous devez le configurer !" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1568 msgid "" "If you do not have a clue on how to set up your firewall rules manually " "consult the Packet Filtering HOWTO and NAT HOWTO provided " "by iptables for offline reading at /usr/share/doc/" "iptables/html/." msgstr "" "Si vous ne savez pas comment configurer les règles de votre pare-feu " "manuellement, veuillez consulter le Packet Filtering HOWTO et le " "NAT HOWTO fournis par iptables pour une lecture " "hors ligne à /usr/share/doc/iptables/html/." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1579 msgid "" "If you do not know much about firewalling you should start by reading the " ", install the doc-linux-text " "package if you want to read it offline. If you want to ask questions or need " "help setting up a firewall you can use the debian-firewall mailing list, see " ". Also see for more (general) pointers on firewalls. Another good " "iptables tutorial is ." msgstr "" "Si vous ne connaissez pas grand chose sur les pare-feu, vous devriez " "commencer par lire le , installez le paquet " "doc-linux-text si vous voulez le lire hors ligne. Si vous " "désirez poser des questions ou demander de l'aide pour configurer un pare-" "feu, vous pouvez utiliser la liste de diffusion debian-firewall, consultez " ". Consultez également " " pour plus de pointeurs (généraux) sur les pare-feu. " "Un autre bon tutoriel d'iptables est ." #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1581 msgid "Using firewall packages" msgstr "Paquets pare-feu" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1589 msgid "" "Setting up manually a firewall can be complicated for novice (and sometimes " "even expert) administrators. However, the free software community has " "created a number of tools that can be used to easily configure a local " "firewall. Be forewarned that some of these tools are oriented more towards " "local-only protection (also known as personal firewall) and some " "are more versatile and can be used to configure complex rules to protect " "whole networks." msgstr "" "Configurer manuellement un pare-feu peut être compliqué pour un " "administrateur débutant (et même parfois pour un expert). Cependant, la " "communauté des logiciels libres a créé un certain nombre d'outils pouvant " "être utilisés pour configurer facilement un pare-feu local. Soyez prévenu " "que certains de ces outils sont plus orientés vers de la protection locale " "seulement (également connue sous le nom de pare-feu personnel) et " "d'autres sont plus polyvalents et peuvent être utilisés pour configurer des " "règles complexes pour protéger des réseaux entiers." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1592 msgid "" "Some software that can be used to set up firewall rules in a Debian system " "is:" msgstr "" "Quelques logiciels pouvant être utilisés pour configurer des règles de pare-" "feu dans un système Debian :" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1595 msgid "For desktop systems:" msgstr "Pour les systèmes de bureau :" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1600 msgid "" "firestarter, a GNOME application oriented towards end-" "users that includes a wizard useful to quickly setup firewall rules. The " "application includes a GUI to be able to monitor when a firewall rule blocks " "traffic." msgstr "" "firestarter, une application GNOME orientée vers les " "utilisateurs finaux et incluant un assistant utile pour définir rapidement " "des règles de pare-feu. L'application inclut une interface utilisateur pour " "pouvoir surveiller quand une règle de pare-feu bloque le trafic ;" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1602 msgid "" "guarddog, a KDE based firewall configuration package " "oriented both to novice and advanced users." msgstr "" "guarddog, un paquet de configuration de pare-feu basé sur " "KDE orienté à la fois vers les utilisateurs novices et avancés ;" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1605 msgid "" "knetfilter, a KDE GUI to manage firewall and NAT rules " "for iptables (alternative/competitor to the guarddog tool although slightly " "oriented towards advanced users)." msgstr "" "knetfilter, une interface graphique KDE pour gérer un " "pare-feu et des règles NAT pour iptables (alternative ou concurrent à " "l'outil guarddog bien que légèrement plus orienté vers les utilisateurs " "avancés) ;" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1612 msgid "" "fireflier, an interactive tool to create iptables rules based on traffic " "seen on the system and applications. It has a server-client model so you " "have to install both the server (fireflier-server) and " "one of the available clients, with one client available for different " "desktop environments: fireflier-client-gtk (Gtk+ client), " "fireflier-client-kde (KDE client) and fireflier-" "client-qt (QT client)." msgstr "" "fireflier, un outil interactif pour créer des règles iptables à partir du " "trafic vu sur le système et les applications. Il possède un modèle client " "serveur donc vous devez installer à la fois le serveur (fireflier-" "server) et un des clients disponibles, avec un client disponible " "pour chaque environnement de bureau : fireflier-client-gtk (client GTK+), fireflier-client-kde (client KDE) " "et fireflier-client-qt (client QT)." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1616 msgid "For servers (headless) systems:" msgstr "Pour les systèmes serveurs (sans interface graphique) :" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1623 msgid "" "fwbuilder, an object oriented GUI which includes policy " "compilers for various firewall platforms including Linux' netfilter, BSD's " "pf (used in OpenBSD, NetBSD, FreeBSD and MacOS X) as well as router's access-" "lists. It is similar to enterprise firewall management software. Complete " "fwbuilder's functionality is also available from the command line." msgstr "" "fwbuilder, une interface graphique orientée objet qui " "inclut des compilateurs de règles pour diverses plates-formes de pare-feu " "incluant netfilter de Linux, pf de BSD (utilisé dans OpenBSD, NetBSD, " "FreeBSD et Mac OS X) ainsi que des listes d'accès du routeur. La " "fonctionnalité de fwbuilder complète est également disponible depuis la " "ligne de commande ;" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1628 msgid "" "shorewall, a firewall configuration tool which provides " "support for IPsec as well as limited support for traffic shaping as well as " "the definition of the firewall rules. Configuration is done through a simple " "set of files that are used to generate the iptables rules." msgstr "" "shorewall, un outil de configuration de pare-feu qui " "fournit une prise en charge IPsec ainsi qu'une prise en charge limitée pour " "le dimensionnement du trafic (« traffic shaping ») et la définition des " "règles du pare-feu. La configuration est effectuée par un simple jeu de " "fichiers qui sont utilisés pour générer les règles iptables ;" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1633 msgid "" "bastille, this hardening application is described in . One of the hardening steps that the administrator " "can configure is a definition of the allowed and disallowed network traffic " "that is used to generate a set of firewall rules that the system will " "execute on startup." msgstr "" "bastille, cette application de durcissement est décrite dans " ". L'une des étapes de durcissement que " "l'administrateur peut configurer est une définition du trafic autorisé et " "interdit qui est utilisée pour générer un ensemble de règles de pare-feu que " "le système exécutera au démarrage." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1641 msgid "" "Lots of other iptables frontends come with Debian; an extensive list " "comparing the different packages in Debian is maintained at the ." msgstr "" "De nombreuses autres interfaces à iptables sont disponibles dans Debian ; " "une liste exhaustive de comparaison des différents paquets dans Debian est " "tenue à jour sur la ." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1650 msgid "" "Notice that some of the packages outlined previously will introduce " "firewalling scripts to be run when the system boots. Test them extensively " "before rebooting or you might find yourself locked from the box. If you mix " "different firewalling packages you can have undesired effects, usually, the " "firewalling script that runs last will be the one that configures the system " "(which might not be what you intend). Consult the package documentation and " "use either one of these setups." msgstr "" "Remarquez que certains des paquets cités ci-dessus introduiront probablement " "des scripts de pare-feu à exécuter lors de l'amorçage du système. Testez-les " "de manière exhaustive avant de redémarrer le système ou vous pourriez vous " "retrouver bloqué en dehors de la machine. Si vous mélangez différents " "paquets de pare-feu, vous pouvez obtenir des effets indésirables. " "Habituellement, le script de pare-feu qui s'exécute en dernier sera celui " "qui configurera le système (qui peut ne pas être ce que vous voulez). " "Consultez la documentation du paquet et utilisez l'un d'entre eux pour ces " "configurations." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1660 msgid "" "As mentioned before, some programs, like firestarter, " "guarddog and knetfilter, are " "administration GUIs using either GNOME or KDE (last two). These applications " "are much more user-oriented (i.e. for home users) than some of the other " "packages in the list which might be more administrator-oriented. Some of the " "programs mentioned before (like bastille) are focused at " "setting up firewall rules to protect the host they run in but are not " "necessarily designed to setup firewall rules for firewall hosts that protect " "a network (like shorewall or fwbuilder)." msgstr "" "Comme mentionné précédemment, certains programmes comme " "firestarter, guarddog ou " "knetfilter sont des interfaces graphiques pour " "l'administration qui utilisent soit GNOME, soit KDE (les deux derniers). Ces " "applications sont plus orientées utilisateur (c'est-à-dire utilisation " "« familiale ») tandis que certains des autres paquets de la liste " "sont plus orientés administrateur. Certains des programmes mentionnés " "auparavant (comme bastille) sont ciblés sur la mise en place de " "règles de pare-feu qui protègent l'hôte sur lequel ils fonctionnent, mais " "ils ne sont pas nécessairement conçus pour mettre en place des règles de " "pare-feu pour des hôtes de pare-feu qui protègent un réseau (comme " "shorewall ou fwbuilder)." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1682 msgid "" "There is yet another type of firewall application: application proxies. If " "you are looking into setting up an enterprise-level firewall that does " "packet filtering and provides a number of transparent proxies that can do " "fine-grain traffic analysis you should consider using zorp, which provides this in a single program. You can also manually " "setup this type of firewall host using the proxies available in Debian for " "different services like for DNS using bind (properly " "configured), dnsmasq, pdnsd or " "totd for FTP using frox or " "ftp-proxy, for X11 using xfwp, for " "IMAP using imapproxy, for mail using smtpd, or for POP3 using p3scan. For other protocols " "you can either use a generic TCP proxy like simpleproxy " "or a generic SOCKS proxy like dante-server, " "tsocks or socks4-server. Typically, " "you will also use a web caching system (like squid) and a " "web filtering system (like squidguard or " "dansguardian)." msgstr "" "Il existe encore un autre type d'application de pare-feu : les serveurs " "mandataires (proxy) applicatifs. Si vous cherchez à mettre en place " "un tel pare-feu de niveau d'entreprise qui effectue du filtrage de paquets " "et fournit un certain nombre de serveurs mandataires transparents qui " "peuvent faire une analyse fine du trafic, vous devriez considérer " "l'utilisation de zorp, qui fournit cela dans un seul " "programme. Vous pouvez également mettre en place ce type de pare-feu " "manuellement en utilisant les serveurs mandataires disponibles dans Debian " "pour différents services comme pour le DNS en utilisant bind (correctement configuré), dnsmasq, " "pdnsd ou totd pour le FTP en utilisant " "frox ou ftp-proxy, pour X11 en " "utilisant xfwp, pour IMAP en utilisant " "imapproxy, pour le courrier en utilisant smtpd, ou pour POP3 en utilisant p3scan. 
Pour d'autres " "protocoles, vous devriez soit utiliser un serveur mandataire TCP générique " "comme simpleproxy, soit un serveur mandataire SOCKS comme " "dante-server, tsocks ou " "socks4-server. Vous devrez également typiquement utiliser " "un système de cache web (comme squid) et un système de " "filtrage web (comme squidguard ou dansguardian)." #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1683 msgid "Manual init.d configuration" msgstr "Configuration manuelle init.d" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1687 msgid "" "Another possibility is to manually configure your firewall rules through an " "init.d script that will run all the iptables commands. Take the " "following steps:" msgstr "" "Une autre possibilité est de configurer manuellement vos règles de pare-feu " "par un script init.d qui exécutera toutes les commandes iptables. Suivez les étapes ci-dessous." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1690 msgid "Review the script below and adapt it to your needs." msgstr "Consultez le script ci-dessous et adaptez-le à vos besoins." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1698 msgid "" "Test the script and review the syslog messages to see which traffic is being " "dropped. If you are testing from the network you will want to either run the " "sample shell snippet to remove the firewall (if you don't type anything in " "20 seconds) or you might want to comment out the default deny " "policy definitions (-P INPUT DROP and -P OUTPUT DROP) and " "check that the system will not drop any legitimate traffic." msgstr "" "Testez le script et vérifiez les messages du journal système pour voir le " "trafic qui est rejeté. Si vous testez depuis le réseau, vous voudrez soit " "exécuter le script shell en exemple qui enlève le pare-feu (si vous ne tapez " "rien pendant 20 secondes), soit commenter les définitions de règle " "default deny (-P INPUT DROP et -P OUTPUT DROP) et " "vérifier que le système ne rejette pas de trafic légitime." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1700 msgid "Move the script to /etc/init.d/myfirewall" msgstr "Déplacez le script dans /etc/init.d/parefeu." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1702 msgid "" "Configure the system to run the script before any network is configured:" msgstr "" "Configurez le système pour exécuter le script avant que le réseau ne soit " "configuré :" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1704 #, no-wrap msgid "#update-rc.d myfirewall start 40 S . stop 89 0 6 ." msgstr "#update-rc.d parefeu start 40 S . stop 89 0 6 ." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1710 msgid "This is the sample firewall script:" msgstr "Voici l'exemple de script de pare-feu :" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1859 #, no-wrap msgid "" "#!/bin/sh\n" "# Simple example firewall configuration.\n" "#\n" "# Caveats:\n" "# - This configuration applies to all network interfaces\n" "# if you want to restrict this to only a given interface use\n" "# '-i INTERFACE' in the iptables calls.\n" "# - Remote access for TCP/UDP services is granted to any host, \n" "# you probably will want to restrict this using '--source'.\n" "#\n" "# chkconfig: 2345 9 91\n" "# description: Activates/Deactivates the firewall at boot time\n" "#\n" "# You can test this script before applying with the following shell\n" "# snippet, if you do not type anything in 10 seconds the firewall\n" "# rules will be cleared.\n" "#---------------------------------------------------------------\n" "# while true; do test=\"\"; read -t 20 -p \"OK? \" test ; \\\n" "# [ -z \"$test\" ] && /etc/init.d/myfirewall clear ; done\n" "#---------------------------------------------------------------\n" "\n" "PATH=/bin:/sbin:/usr/bin:/usr/sbin\n" "\n" "# Services that the system will offer to the network\n" "TCP_SERVICES=\"22\" # SSH only\n" "UDP_SERVICES=\"\"\n" "# Services the system will use from the network\n" "REMOTE_TCP_SERVICES=\"80\" # web browsing\n" "REMOTE_UDP_SERVICES=\"53\" # DNS\n" "# Network that will be used for remote mgmt\n" "# (if undefined, no rules will be setup)\n" "# NETWORK_MGMT=192.168.0.0/24\n" "# Port used for the SSH service, define this is you have setup a\n" "# management network but remove it from TCP_SERVICES\n" "# SSH_PORT=\"22\"\n" "\n" "if ! 
[ -x /sbin/iptables ]; then \n" " exit 0\n" "fi\n" "\n" "fw_start () {\n" "\n" " # Input traffic:\n" " /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n" " # Services\n" " if [ -n \"$TCP_SERVICES\" ] ; then\n" " for PORT in $TCP_SERVICES; do\n" " /sbin/iptables -A INPUT -p tcp --dport ${PORT} -j ACCEPT\n" " done\n" " fi\n" " if [ -n \"$UDP_SERVICES\" ] ; then\n" " for PORT in $UDP_SERVICES; do\n" " /sbin/iptables -A INPUT -p udp --dport ${PORT} -j ACCEPT\n" " done\n" " fi\n" " # Remote management\n" " if [ -n \"$NETWORK_MGMT\" ] ; then\n" " /sbin/iptables -A INPUT -p tcp --src ${NETWORK_MGMT} --dport ${SSH_PORT} -j ACCEPT\n" " else \n" " /sbin/iptables -A INPUT -p tcp --dport ${SSH_PORT} -j ACCEPT\n" " fi\n" " # Remote testing\n" " /sbin/iptables -A INPUT -p icmp -j ACCEPT\n" " /sbin/iptables -A INPUT -i lo -j ACCEPT\n" " /sbin/iptables -P INPUT DROP\n" " /sbin/iptables -A INPUT -j LOG\n" "\n" " # Output:\n" " /sbin/iptables -A OUTPUT -j ACCEPT -o lo \n" " /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n" " # ICMP is permitted:\n" " /sbin/iptables -A OUTPUT -p icmp -j ACCEPT\n" " # So are security package updates:\n" " # Note: You can hardcode the IP address here to prevent DNS spoofing\n" " # and to setup the rules even if DNS does not work but then you \n" " # will not \"see\" IP changes for this service:\n" " /sbin/iptables -A OUTPUT -p tcp -d security.debian.org --dport 80 -j ACCEPT \n" " # As well as the services we have defined:\n" " if [ -n \"$REMOTE_TCP_SERVICES\" ] ; then\n" " for PORT in $REMOTE_TCP_SERVICES; do\n" " /sbin/iptables -A OUTPUT -p tcp --dport ${PORT} -j ACCEPT\n" " done\n" " fi\n" " if [ -n \"$REMOTE_UDP_SERVICES\" ] ; then\n" " for PORT in $REMOTE_UDP_SERVICES; do\n" " /sbin/iptables -A OUTPUT -p udp --dport ${PORT} -j ACCEPT\n" " done\n" " fi\n" " # All other connections are registered in syslog\n" " /sbin/iptables -A OUTPUT -j LOG\n" " /sbin/iptables -A OUTPUT -j REJECT \n" " /sbin/iptables 
-P OUTPUT DROP\n" " # Other network protections\n" " # (some will only work with some kernel versions)\n" " echo 1 > /proc/sys/net/ipv4/tcp_syncookies\n" " echo 0 > /proc/sys/net/ipv4/ip_forward \n" " echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts \n" " echo 1 > /proc/sys/net/ipv4/conf/all/log_martians \n" " echo 1 > /proc/sys/net/ipv4/ip_always_defrag\n" " echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses\n" " echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter\n" " echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects\n" " echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route\n" "\n" "}\n" "\n" "fw_stop () {\n" " /sbin/iptables -F\n" " /sbin/iptables -t nat -F\n" " /sbin/iptables -t mangle -F\n" " /sbin/iptables -P INPUT DROP\n" " /sbin/iptables -P FORWARD DROP\n" " /sbin/iptables -P OUTPUT ACCEPT\n" "}\n" "\n" "fw_clear () {\n" " /sbin/iptables -F\n" " /sbin/iptables -t nat -F\n" " /sbin/iptables -t mangle -F\n" " /sbin/iptables -P INPUT ACCEPT\n" " /sbin/iptables -P FORWARD ACCEPT\n" " /sbin/iptables -P OUTPUT ACCEPT\n" "}\n" "\n" "\n" "case \"$1\" in\n" " start|restart)\n" " echo -n \"Starting firewall..\"\n" " fw_stop \n" " fw_start\n" " echo \"done.\"\n" " ;;\n" " stop)\n" " echo -n \"Stopping firewall..\"\n" " fw_stop\n" " echo \"done.\"\n" " ;;\n" " clear)\n" " echo -n \"Clearing firewall rules..\"\n" " fw_clear\n" " echo \"done.\"\n" " ;;\n" " *)\n" " echo \"Usage: $0 {start|stop|restart|clear}\"\n" " exit 1\n" " ;;\n" " esac\n" "exit 0" msgstr "" "#!/bin/sh\n" "# Exemple de configuration de pare-feu.\n" "#\n" "# Mises en garde\n" "# - Cette configuration s'applique à toutes les interfaces réseau.\n" "# Si vous voulez ne restreindre cela qu'à une interface donnée,\n" "# utilisez « -i INTERFACE » dans les appels iptables ;\n" "# - L'accès à distance pour les services TCP/UDP est accordé à tout\n" "# hôte, vous voudrez probablement restreindre cela en utilisant\n" "# « --source ».\n" "#\n" "# chkconfig: 2345 9 91\n" "# description: 
activer ou désactiver le pare-feu au démarrage\n" "#\n" "# Vous pouvez tester ce script avant de l'appliquer avec l'extrait\n" "# de script shell suivant, si vous ne tapez rien pendant\n" "# 20 secondes, les règles de pare-feu seront effacées.\n" "#---------------------------------------------------------------\n" "# while true; do test=\"\"; read -t 20 -p \"OK ? \" test ; \\\n" "# [ -z \"$test\" ] && /etc/init.d/parefeu clear ; done\n" "#---------------------------------------------------------------\n" "\n" "PATH=/bin:/sbin:/usr/bin:/usr/sbin\n" "\n" "# Services que le système offrira au réseau\n" "TCP_SERVICES=\"22\" # seulement SSH\n" "UDP_SERVICES=\"\"\n" "# Services que le système utilisera du réseau\n" "REMOTE_TCP_SERVICES=\"80\" # navigation web\n" "REMOTE_UDP_SERVICES=\"53\" # DNS\n" "# Réseau qui sera utilisé pour la gestion à distance\n" "# (si non défini, aucune règle ne sera mise en place)\n" "# NETWORK_MGMT=192.168.0.0/24\n" "# Port utilisé pour le service SSH, à définir si vous avez configuré\n" "# une gestion de réseau mais l'avez enlevé de TCP_SERVICES\n" "# SSH_PORT=\"22\"\n" "\n" "if ! 
[ -x /sbin/iptables ]; then \n" " exit 0\n" "fi\n" "\n" "fw_start () {\n" "\n" " # Trafic d'entrée :\n" " /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n" " # Services\n" " if [ -n \"$TCP_SERVICES\" ] ; then\n" " for PORT in $TCP_SERVICES; do\n" " /sbin/iptables -A INPUT -p tcp --dport ${PORT} -j ACCEPT\n" " done\n" " fi\n" " if [ -n \"$UDP_SERVICES\" ] ; then\n" " for PORT in $UDP_SERVICES; do\n" " /sbin/iptables -A INPUT -p udp --dport ${PORT} -j ACCEPT\n" " done\n" " fi\n" " # Gestion à distance\n" " if [ -n \"$NETWORK_MGMT\" ] ; then\n" " /sbin/iptables -A INPUT -p tcp --src ${NETWORK_MGMT} --dport ${SSH_PORT} -j ACCEPT\n" " else \n" " /sbin/iptables -A INPUT -p tcp --dport ${SSH_PORT} -j ACCEPT\n" " fi\n" " # Test à distance\n" " /sbin/iptables -A INPUT -p icmp -j ACCEPT\n" " /sbin/iptables -A INPUT -i lo -j ACCEPT\n" " /sbin/iptables -P INPUT DROP\n" " /sbin/iptables -A INPUT -j LOG\n" "\n" " # Sortie :\n" " /sbin/iptables -A OUTPUT -j ACCEPT -o lo \n" " /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n" " # ICMP est permis :\n" " /sbin/iptables -A OUTPUT -p icmp -j ACCEPT\n" " # Ainsi que les mises à jour de sécurité :\n" " # Remarque : vous pouvez indiquer en dur l'adresse IP ici afin de prévenir une\n" " # usurpation DNS et configurer les règles même si le DNS ne fonctionne pas mais\n" " # dans ce cas vous ne « verrez » pas les modifications d'IP pour ce service :\n" " /sbin/iptables -A OUTPUT -p tcp -d security.debian.org --dport 80 -j ACCEPT \n" " # Ainsi que pour tous les services définis :\n" " if [ -n \"$REMOTE_TCP_SERVICES\" ] ; then\n" " for PORT in $REMOTE_TCP_SERVICES; do\n" " /sbin/iptables -A OUTPUT -p tcp --dport ${PORT} -j ACCEPT\n" " done\n" " fi\n" " if [ -n \"$REMOTE_UDP_SERVICES\" ] ; then\n" " for PORT in $REMOTE_UDP_SERVICES; do\n" " /sbin/iptables -A OUTPUT -p udp --dport ${PORT} -j ACCEPT\n" " done\n" " fi\n" " # Toutes les autres connexions sont enregistrées dans syslog\n" " 
/sbin/iptables -A OUTPUT -j LOG\n" " /sbin/iptables -A OUTPUT -j REJECT \n" " /sbin/iptables -P OUTPUT DROP\n" " # Autres protections réseau\n" " # (certaines ne fonctionneront que pour certaines versions de noyau)\n" " echo 1 > /proc/sys/net/ipv4/tcp_syncookies\n" " echo 0 > /proc/sys/net/ipv4/ip_forward \n" " echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts \n" " echo 1 > /proc/sys/net/ipv4/conf/all/log_martians \n" " echo 1 > /proc/sys/net/ipv4/ip_always_defrag\n" " echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses\n" " echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter\n" " echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects\n" " echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route\n" "\n" "}\n" "\n" "fw_stop () {\n" " /sbin/iptables -F\n" " /sbin/iptables -t nat -F\n" " /sbin/iptables -t mangle -F\n" " /sbin/iptables -P INPUT DROP\n" " /sbin/iptables -P FORWARD DROP\n" " /sbin/iptables -P OUTPUT ACCEPT\n" "}\n" "\n" "fw_clear () {\n" " /sbin/iptables -F\n" " /sbin/iptables -t nat -F\n" " /sbin/iptables -t mangle -F\n" " /sbin/iptables -P INPUT ACCEPT\n" " /sbin/iptables -P FORWARD ACCEPT\n" " /sbin/iptables -P OUTPUT ACCEPT\n" "}\n" "\n" "\n" "case \"$1\" in\n" " start|restart)\n" " echo -n \"Démarrage du pare-feu…\"\n" " fw_stop \n" " fw_start\n" " echo \"done.\"\n" " ;;\n" " stop)\n" " echo -n \"Arrêt du pare-feu…\"\n" " fw_stop\n" " echo \"done.\"\n" " ;;\n" " clear)\n" " echo -n \"Effacement des règles de pare-feu…\"\n" " fw_clear\n" " echo \"done.\"\n" " ;;\n" " *)\n" " echo \"Utilisation : $0 {start|stop|restart|clear}\"\n" " exit 1\n" " ;;\n" " esac\n" "exit 0" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1867 msgid "" "Instead of including all of the iptables rules in the init.d script you can " "use the iptables-restore program to restore the rules saved " "using iptables-save. In order to do this you need to setup your " "rules, save the ruleset under a static location (such as /etc/default/" "firewall)" msgstr "" "Au lieu d'intégrer toutes les règles iptables dans un script init.d, vous " "pouvez utiliser le programme iptables-restore pour restaurer " "les règles sauvées avec iptables-save. Pour faire cela, vous " "devez configurer les règles et sauver le jeu de règles dans un endroit " "statique (comme /etc/default/firewall)." #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1869 msgid "Configuring firewall rules through ifup" msgstr "Configurer les règles du réseau par ifup" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1873 msgid "" "You can use also the network configuration in /etc/network/interfaces to setup your firewall rules. For this you will need to:" msgstr "" "Vous pouvez également utiliser la configuration du réseau dans /etc/" "network/interfaces pour mettre en place les règles de pare-feu. Pour " "cela, vous devez :" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1876 msgid "Create your firewalling ruleset for when the interface is active." msgstr "" "créer le jeu de règles de pare-feu à appliquer quand l'interface sera " "active ;" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1879 msgid "" "Save your ruleset with iptables-save to a file in /etc, for example /etc/iptables.up.rules" msgstr "" "sauver le jeu de règles avec iptables-save dans un fichier de " "/etc, par exemple /etc/iptables.up.rules ;" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1882 msgid "" "Configure /etc/network/interfaces to use the configured ruleset:" msgstr "" "configurer /etc/network/interfaces pour utiliser le jeu de " "règles configurées :" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1887 #, no-wrap msgid "" "iface eth0 inet static\n" " address x.x.x.x\n" " [.. interface configuration ..]\n" " pre-up iptables-restore < /etc/iptables.up.rules" msgstr "" "iface eth0 inet static\n" " address x.x.x.x\n" " [… configuration de l'interface …]\n" " pre-up iptables-restore < /etc/iptables.up.rules" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1896 msgid "" "You can optionally also setup a set of rules to be applied when the network " "interface is down creating a set of rules, saving it in /etc/" "iptables.down.rules and adding this directive to the interface " "configuration:" msgstr "" "Optionnellement, vous pouvez mettre en place un jeu de règles à appliquer " "quand l'interface est inactivée en créant un jeu de règles, en le " "sauvant dans /etc/iptables.down.rules et en ajoutant la " "directive suivante à la configuration de l'interface :" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1898 #, no-wrap msgid " post-down iptables-restore < /etc/iptables.down.rules" msgstr " post-down iptables-restore < /etc/iptables.down.rules" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1906 msgid "" "For more advanced firewall configuration scripts through ifupdown you can use the hooks available to each interface as in the *." "d/ directories called with run-parts (see )." msgstr "" "Pour des scripts de configuration de pare-feu plus avancés avec " "ifupdown, vous pouvez utiliser les accroches (hooks) disponibles pour chaque interface dans les répertoires *.d/ appelés avec run-parts (consultez )." #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1908 msgid "Testing your firewall configuration" msgstr "Tester la configuration de pare-feu" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1914 msgid "" "Testing your firewall configuration is as easy, and as dangerous, as just " "running your firewall script (or enabling the configuration you defined in " "your firewall configuration application). However, if you are not careful " "enough and you are configuring your firewall remotely (like through an SSH " "connection) you could lock yourself out." msgstr "" "Tester la configuration de pare-feu est aussi facile et aussi dangereux que " "d'exécuter simplement le script de pare-feu (ou d'activer la configuration " "que vous avez définie dans l'application de configuration de pare-feu). " "Cependant, si vous n'êtes pas assez prudent et que vous configurez le pare-" "feu à distance (comme à travers une connexion SSH), vous pourriez vous " "enfermer dehors." #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1918 msgid "" "There are several ways to prevent this. One is running a script in a " "separate terminal that will remove the firewall configuration if you don't " "feed it input. An example of this is:" msgstr "" "Plusieurs moyens permettent d'empêcher cela. L'un est d'exécuter un script " "dans un terminal séparé qui va enlever la configuration de pare-feu si vous " "ne faites pas d'entrée clavier. Un exemple de cela est :" #. type: #: securing-debian-howto.en.sgml:53 en/services.sgml:1921 #, no-wrap msgid "" "$ while true; do test=\"\"; read -t 20 -p \"OK? \" test ; \\\n" " [ -z \"$test\" ] && /etc/init.d/firewall clear ; done" msgstr "" "$ while true; do test=\"\"; read -t 20 -p \"OK? \" test ; \\\n" " [ -z \"$test\" ] && /etc/init.d/firewall clear ; done" #. type:

#: securing-debian-howto.en.sgml:53 en/services.sgml:1932 msgid "" "Another one is to introduce a backdoor in your system through an alternate " "mechanism that allows you to either clear the firewall system or punch a " "hole in it if something goes awry. For this you can use knockd and configure it so that a certain port connection attempt sequence " "will clear the firewall (or add a temporary rule). Even though the packets " "will be dropped by the firewall, since knockd binds to the " "interface and sees you will be able to work around the problem." msgstr "" "Un autre moyen est d'introduire une porte dérobée dans le système par un " "mécanisme alternatif qui vous permet soit d'enlever le système de pare-feu, " "soit de percer un trou dedans si quelque chose déraille. Pour cela, vous " "pouvez utiliser knockd et le configurer pour qu'une " "tentative de connexion sur un certain port enlève le pare-feu (ou ajoute une " "règle temporaire). Bien que les paquets soient rejetés par le pare-feu, " "comme knockd se lie à l'interface et les voit, vous " "pourrez contourner le problème." #. type:

#: securing-debian-howto.en.sgml:54 en/automatic.sgml:3 msgid "" "Testing a firewall that is protecting an internal network is a different " "issue, you will want to look at some of the tools used for remote " "vulnerability assessment (see ) to probe the network " "from the outside in (or from any other direction) to test the effectiveness " "of the firewall configuation." msgstr "" "Tester un pare-feu qui protège un réseau interne est un problème différent, " "vous voudrez étudier certains des outils utilisés pour le test de failles à " "distance (consultez ) pour sonder le réseau depuis " "l'extérieur (ou dans toute autre direction) pour tester l'efficacité de la " "configuration du pare-feu." #. type: #: securing-debian-howto.en.sgml:54 en/automatic.sgml:5 msgid "Automatic hardening of Debian systems" msgstr "Sécurisation automatique d'un système Debian" #. type:

#: securing-debian-howto.en.sgml:54 en/automatic.sgml:17 msgid "" "After reading through all the information in the previous chapters you might " "be wondering \"I have to do quite a lot of things in order to harden my " "system, couldn't these things be automated?\". The answer is yes, but be " "careful with automated tools. Some people believe, that a hardening tool " "does not eliminate the need for good administration. So do not be fooled to " "think that you can automate the whole process and will fix all the related " "issues. Security is an ever-ongoing process in which the administrator must " "participate and cannot just stand away and let the tools do all the work " "since no single tool can cope with all the possible security policy " "implementations, all the attacks and all the environments." msgstr "" "Après la lecture de toutes les informations des précédents chapitres, vous " "vous demanderez probablement : « Il y a de nombreuses choses à " "faire afin de sécuriser mon système, mais tout cela ne peut-il pas être " "automatisé ? » La réponse est oui, mais soyez prudent avec les " "outils automatisés. Certaines personnes pensent qu'un outil de renforcement " "n'élimine pas la nécessité d'une bonne administration. Donc, ne pensez pas " "que vous pouvez automatiser toutes les procédures et que vous arriverez à " "résoudre tous les problèmes. La sécurité est un processus évoluant " "constamment dans lequel l'administrateur doit participer et ne peut pas " "rester à l'écart et laisser les outils se débrouiller tout seul avec toutes " "les implémentations des politiques de sécurité, toutes les attaques et tous " "les environnements." #. type:

#: securing-debian-howto.en.sgml:54 en/automatic.sgml:27 msgid "" "Since woody (Debian 3.0) there are two specific packages that are useful for " "security hardening. The harden package which takes an " "approach based on the package dependencies to quickly install valuable " "security packages and remove those with flaws, configuration of the packages " "must be done by the administrator. The bastille package " "that implements a given security policy on the local system based on " "previous configuration by the administrator (the building of the " "configuration can be a guided process done with simple yes/no questions)." msgstr "" "Depuis Woody (Debian 3.0), il existe deux paquets spécifiques qui sont " "utiles pour le durcissement de la sécurité. Le paquet harden qui base son approche sur les dépendances des paquets pour " "installer rapidement des paquets sûrs et retirer ceux avec des " "imperfections, la configuration devant être faite par l'administrateur. Le " "paquet bastille implémente une politique de sécurité " "donnée pour le système basée sur une configuration antérieure de " "l'administrateur (la configuration peut être faite à l'aide de simples " "questions à répondre par oui ou non)." #. type: #: securing-debian-howto.en.sgml:54 en/automatic.sgml:29 msgid "Harden" msgstr "Harden" #. type:

#: securing-debian-howto.en.sgml:54 en/automatic.sgml:40 msgid "" "The harden package tries to make it more easy to install " "and administer hosts that need good security. This package should be used by " "people that want some quick help to enhance the security of the system. It " "automatically installs some tools that should enhance security in some way: " "intrusion detection tools, security analysis tools, etc. Harden installs the " "following virtual packages (i.e. no contents, just dependencies or " "recommendations on others):" msgstr "" "Le paquet harden essaie de rendre plus facile " "l'installation et l'administration d'hôtes qui ont besoin d'une bonne " "sécurité. Ce paquet devrait être utilisé par ceux qui veulent une aide " "rapide afin d'améliorer la sécurité de leur système. Il installe " "automatiquement des outils pour accroître la sécurité : outils de " "détection d'intrusions, outils d'analyse de sécurité, etc. Harden installe " "les paquets virtuels suivants (c'est-à-dire, pas de contenu, juste " "des dépendances ou des recommandations vers d'autres paquets) :" #. type:

#: securing-debian-howto.en.sgml:54 en/automatic.sgml:45 msgid "" "harden-tools: tools to enhance system security (integrity " "checkers, intrusion detection, kernel patches...)" msgstr "" "harden-tools : outils pour améliorer la sécurité du " "système (vérificateur d'intégrité, détection d'intrusions, correctifs pour " "noyau, etc.) ;" #. type:

#: securing-debian-howto.en.sgml:54 en/automatic.sgml:48 msgid "" "harden-environment: helps configure a hardened " "environment (currently empty)." msgstr "" "harden-environment : aide à configurer un " "durcissement d'environnement (actuellement vide) ;" #. type:

#: securing-debian-howto.en.sgml:54 en/automatic.sgml:51 msgid "" "harden-servers: removes servers considered insecure for " "some reason." msgstr "" "harden-servers : retire les serveurs considérés " "comme douteux pour certaines raisons ;" #. type:

#: securing-debian-howto.en.sgml:54 en/automatic.sgml:54 msgid "" "harden-clients: removes clients considered insecure for " "some reason." msgstr "" "harden-clients : retire les clients considérés comme " "douteux pour certaines raisons ;" #. type:

#: securing-debian-howto.en.sgml:54 en/automatic.sgml:57 msgid "" "harden-remoteaudit: tools to remotely audit a system." msgstr "" "harden-remoteaudit : outils pour auditer un système " "à distance ;" #. type:

#: securing-debian-howto.en.sgml:54 en/automatic.sgml:60 msgid "" "harden-nids: helps to install a network intrusion " "detection system." msgstr "" "harden-nids : outils pour installer un système de " "détection d'intrusions ;" #. type:

#: securing-debian-howto.en.sgml:54 en/automatic.sgml:63 msgid "" "harden-surveillance: helps to install tools for " "monitoring of networks and services." msgstr "" "harden-surveillance : outils pour surveiller les " "réseaux et les services." #. type:
#: securing-debian-howto.en.sgml:54 en/automatic.sgml:67 msgid "Useful packages which are not a dependence:" msgstr "Paquets utiles qui ne sont pas une dépendance :" #. type:

#: securing-debian-howto.en.sgml:54 en/automatic.sgml:70 msgid "" "harden-doc: provides this same manual and other security-" "related documentation packages." msgstr "" "harden-doc : fournit ce même manuel et d'autres " "paquets de documentation liés à la sécurité ;" #. type:

#: securing-debian-howto.en.sgml:54 en/automatic.sgml:72 msgid "" "harden-development: development tools for creating more " "secure programs." msgstr "" "harden-development : outils de développement pour " "créer des programmes plus sécurisés." #. type:

#: securing-debian-howto.en.sgml:54 en/automatic.sgml:86 msgid "" "Be careful because if you have software you need (and which you do not wish " "to uninstall for some reason) and it conflicts with some of the packages " "above you might not be able to fully use harden. The " "harden packages do not (directly) do a thing. They do have, however, " "intentional package conflicts with known non-secure packages. This way, the " "Debian packaging system will not approve the installation of these packages. " "For example, when you try to install a telnet daemon with harden-" "servers, apt will say:" msgstr "" "Prenez garde dans le cas où vous avez besoin d'un logiciel (et que vous ne " "voulez pas désinstaller) et qu'il soit en contradiction avec certains " "paquets ci-dessus, vous ne serez peut-être pas capable d'utiliser pleinement " "harden. Les paquets harden ne font rien " "directement. Cependant, ils entrent en conflit avec des paquets reconnus " "comme étant risqués. De cette façon, le système de paquets de Debian " "n'approuvera pas automatiquement l'installation de ces paquets. Par exemple, " "si vous tentez d'installer un serveur TELNET alors que harden-" "servers est installé, apt vous dira :" #. type: #: securing-debian-howto.en.sgml:54 en/automatic.sgml:93 #, no-wrap msgid "" "# apt-get install telnetd \n" "The following packages will be REMOVED:\n" " harden-servers\n" "The following NEW packages will be installed:\n" " telnetd \n" "Do you want to continue? [Y/n]" msgstr "" "# apt-get install telnetd\n" "Les paquets suivants seront ENLEVÉS :\n" " harden-servers\n" "Les NOUVEAUX paquets suivants seront installés :\n" " telnetd\n" "Souhaitez-vous continuer ? [O/n]" #. type:

#: securing-debian-howto.en.sgml:54 en/automatic.sgml:99 msgid "" "This should set off some warnings in the administrator head, who should " "reconsider his actions." msgstr "" "Cela devrait alerter l'administrateur, qui devrait reconsidérer ses actions." #. type: #: securing-debian-howto.en.sgml:54 en/automatic.sgml:101 msgid "Bastille Linux" msgstr "Bastille Linux" #. type:

#: securing-debian-howto.en.sgml:54 en/automatic.sgml:107 msgid "" " is an " "automatic hardening tool originally oriented towards the RedHat and Mandrake " "Linux distributions. However, the bastille package " "provided in Debian (since woody) is patched in order to provide the same " "functionality for the Debian GNU/Linux system." msgstr "" " est un " "outil de durcissement automatique originellement orienté vers les " "distributions Linux RedHat et Mandrake. Toutefois, le paquet " "bastille fourni dans Debian (depuis Woody) a été modifié " "de façon à fournir les mêmes fonctionnalités pour le système Debian GNU/" "Linux." #. type:

#: securing-debian-howto.en.sgml:54 en/automatic.sgml:111 msgid "" "Bastille can be used with different frontends (all are documented in their " "own manpage in the Debian package) which enables the administrator to:" msgstr "" "Bastille peut être utilisé avec différentes interfaces (toutes sont " "documentées dans leur propre page de manuel dans le paquet Debian) qui " "permettent à l'administrateur de :" #. type:

#: securing-debian-howto.en.sgml:54 en/automatic.sgml:116 msgid "" "Answer questions step by step regarding the desired security of your system " "(using )." msgstr "" "répondre aux questions, étape par étape, concernant le niveau de sécurité " "désiré de votre système (en utilisant ) ;" #. type:

#: securing-debian-howto.en.sgml:54 en/automatic.sgml:121 msgid "" "Use a default setting for security (amongst three: Lax, Moderate or " "Paranoia) in a given setup (server or workstation) and let Bastille decide " "which security policy to implement (using )." msgstr "" "utiliser un paramétrage par défaut pour la sécurité (parmi trois : " "relâchée, modérée ou paranoïaque) dans une installation définie (serveur ou " "poste de travail) et laisser Bastille décider quelle politique de sécurité " "appliquer (en utilisant ) ;" #. type:

#: securing-debian-howto.en.sgml:54 en/automatic.sgml:125 msgid "" "Take a predefined configuration file (could be provided by Bastille or made " "by the administrator) and implement a given security policy (using )." msgstr "" "prendre un fichier de configuration prédéfini (qui peut être fourni par " "Bastille ou créé par l'administrateur) et implémenter une politique de " "sécurité donnée (en utilisant )." #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:5 msgid "Debian Security Infrastructure" msgstr "Infrastructure de sécurité Debian" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:7 msgid "The Debian Security Team" msgstr "L'équipe de sécurité Debian" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:13 msgid "" "Debian has a Security Team, that handles security in the stable " "distribution. Handling security means they keep track of vulnerabilities " "that arise in software (watching forums such as Bugtraq, or vuln-dev) and " "determine if the stable distribution is affected by it." msgstr "" "Debian possède une équipe de sécurité, qui assure la sécurité dans la " "distribution stable. Assurer la sécurité veut dire suivre les " "failles qui surviennent dans les logiciels (en surveillant des forums comme " "Bugtraq ou vuln-dev) et déterminer si la distribution stable est " "concernée par ces failles." #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:21 msgid "" "Also, the Debian Security Team is the contact point for problems that are " "coordinated by upstream developers or organizations such as which might affect multiple vendors. That is, " "when problems are not Debian-specific. The contact point of the Security " "Team is which only the members of the security team read." msgstr "" "L'équipe de sécurité Debian est également le point de contact pour les " "problèmes qui sont coordonnés par les développeurs amont ou des " "organisations comme le , qui " "peuvent toucher de multiples distributeurs, c'est-à-dire quand les problèmes " "ne sont pas spécifiques à Debian. Le point de contact avec l'équipe de " "sécurité est qui n'est lu que par les membres de l'équipe " "de sécurité." #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:25 msgid "" "Sensitive information should be sent to the first address and, in some " "cases, should be encrypted with the Debian Security Contact key (as found in " "the Debian keyring)." msgstr "" "Les informations secrètes devraient être envoyées à la première adresse et, " "dans certains cas, devraient être chiffrées avec la clef du contact de " "l'équipe de sécurité (disponible dans le trousseau Debian)." #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:38 msgid "" "Once a probable problem is received by the Security Team it will investigate " "if the stable distribution is affected and if it is, a fix is made " "for the source code base. This fix will sometimes include backporting the " "patch made upstream (which usually is some versions ahead of the one " "distributed by Debian). After testing of the fix is done, new packages are " "prepared and published in the site " "so they can be retrieved through apt (see ). At the same time a Debian Security Advisory (DSA) is " "published on the web site and sent to public mailing lists including and Bugtraq." msgstr "" "Dès qu'un problème probable est reçu par l'équipe de sécurité, elle " "recherchera si la distribution stable est affectée et si c'est le " "cas, un correctif sera créé pour la base de code source. Ce correctif " "contiendra parfois un rétroportage du correctif effectué en amont (qui est " "habituellement en avance de plusieurs versions par rapport à la version " "distribuée par Debian). Après qu'un test du correctif ait été effectué, les " "nouveaux paquets sont préparés et publiés sur le site pour pouvoir être récupérés par apt " "(consultez ). En même temps, une alerte de " "sécurité Debian (Debian Security Advisory ou DSA) est publiée sur le " "site web et envoyée aux listes de diffusion publiques y compris et Bugtraq." #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:42 msgid "" "Some other frequently asked questions on the Debian Security Team can be " "found at ." msgstr "" "D'autres questions souvent posées sur l'équipe de sécurité Debian peuvent " "être trouvées en ." #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:44 msgid "Debian Security Advisories" msgstr "Alertes de sécurité Debian" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:50 msgid "" "Debian Security Advisories (DSAs) are made whenever a security vulnerability " "is discovered that affects a Debian package. These advisories, signed by one " "of the Security Team members, include information of the versions affected " "as well as the location of the updates. This information is:" msgstr "" "Les alertes de sécurité Debian (DSA) sont effectuées à chaque fois qu'une " "faille affectant un paquet Debian est découverte. Ces alertes, signées par " "l'un des membres de l'équipe de sécurité, contiennent des renseignements sur " "les versions touchées ainsi que l'emplacement des mises à jour. Ces " "informations sont :" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:52 msgid "version number for the fix." msgstr "numéro de version pour le correctif ;" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:53 msgid "problem type." msgstr "type de problème ;" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:54 msgid "whether it is remote or locally exploitable." msgstr "s'il est exploitable à distance ou localement ;" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:55 msgid "short description of the package." msgstr "description courte du paquet ;" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:56 msgid "description of the problem." msgstr "description du problème ;" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:57 msgid "description of the exploit." msgstr "description du stratagème ;" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:58 msgid "description of the fix." msgstr "description du correctif." #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:68 msgid "" "DSAs are published both on and in the . Usually this does not happen until the " "website is rebuilt (every four hours) so they might not be present " "immediately. The preferred channel is the debian-security-announce mailing " "list." msgstr "" "Les DSA sont publiées sur et dans les . Cela ne se produit habituellement pas " "avant que le site web ne soit reconstruit (toutes les quatre heures), elles " "peuvent donc ne pas être immédiatement présentes. Le canal préféré est la " "liste de diffusion debian-security-announce." #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:76 msgid "" "Interested users can, however (and this is done in some Debian-related " "portals) use the RDF channel to download automatically the DSAs to their " "desktop. Some applications, such as Evolution (an email client " "and personal information assistant) and Multiticker (a GNOME " "applet), can be used to retrieve the advisories automatically. The RDF " "channel is available at ." msgstr "" "Les utilisateurs intéressés peuvent, cependant (et c'est fait sur quelques " "portails relatifs à Debian) utiliser le flux RDF pour télécharger " "automatiquement les DSA sur leur bureau. Certaines applications, comme " "Evolution (un client de messagerie et assistant d'informations " "personnelles) et Multiticker (une applette GNOME) peuvent être " "utilisées pour récupérer les alertes automatiquement. Le flux RDF est " "disponible à ." #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:83 msgid "" "DSAs published on the website might be updated after being sent to the " "public-mailing lists. A common update is adding cross references to security " "vulnerability databases. Also, translations

Translations are " "available in up to ten different languages.

of DSAs are not " "sent to the security mailing lists but are directly included in the website." msgstr "" "Les DSA publiées sur le site web peuvent être mises à jour après avoir été " "envoyées sur les listes de diffusion publiques. Une mise à jour courante est " "d'ajouter des références croisées vers les bases de données des failles de " "sécurité. Les traductions

Des traductions sont disponibles " "jusqu'en dix langues.

des DSA ne sont pas envoyées aux listes " "de diffusion de sécurité, mais elles sont directement intégrées au site web." #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:85 msgid "Vulnerability cross references" msgstr "Références croisées des failles" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:93 msgid "" "Debian provides a fully including all the " "references available for all the advisories published since 1998. This table " "is provided to complement the ." msgstr "" "Debian fournit une complète comprenant toutes les " "références disponibles pour toutes les alertes publiées depuis 1998. " "Cette table est fournie en complément de la ." #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:102 msgid "" "You will notice that this table provides references to security databases " "such as , and as well as CVE names (see below). These references are provided " "for convenience use, but only CVE references are periodically reviewed and " "included." msgstr "" "Vous remarquerez que cette table fournit des références vers des bases de " "données de sécurité comme , les et la ainsi que les noms CVE (voir ci-" "dessous). Ces références sont fournies pour faciliter l'utilisation, mais " "seules les références CVE sont périodiquement vérifiées et intégrées." #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:105 msgid "" "Advantages of adding cross references to these vulnerability databases are:" msgstr "" "Les avantages d'ajouter les références croisées vers ces bases de données de " "failles sont que :" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:109 msgid "" "it makes it easier for Debian users to see and track which general " "(published) advisories have already been covered by Debian." msgstr "" "cela permet plus facilement aux utilisateurs de Debian de voir et de suivre " "quelles alertes générales (publiées) ont déjà été couvertes par Debian ;" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:112 msgid "" "system administrators can learn more about the vulnerability and its impact " "by following the cross references." msgstr "" "les administrateurs système peuvent en apprendre plus sur la faille et ses " "impacts en suivant les références croisées ;" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:116 msgid "" "this information can be used to cross-check output from vulnerability " "scanners that include references to CVE to remove false positives (see )." msgstr "" "ces renseignements peuvent être utilisés pour vérifier les sorties de " "scanneurs de failles qui contiennent des références à CVE pour supprimer des " "faux positifs (consultez )." #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:121 msgid "CVE compatibility" msgstr "Compatibilité CVE" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:128 msgid "" "Debian Security Advisories were

The full " " is available at CVE

in February " "24, 2004." msgstr "" "Les alertes de sécurité Debian ont été

Le complet est " "disponible au CVE.

le 24 février 2004." #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:136 msgid "" "Debian developers understand the need to provide accurate and up to date " "information of the security status of the Debian distribution, allowing " "users to manage the risk associated with new security vulnerabilities. CVE " "enables us to provide standardized references that allow users to develop a " "." msgstr "" "Les développeurs Debian comprennent la nécessité de fournir une information " "précise et à jour de l'état de sécurité de la distribution Debian, " "permettant aux utilisateurs de gérer le risque associé aux nouvelles failles " "de sécurité. CVE nous permet de fournir des références standardisées qui " "permettent aux utilisateurs de développer un ." #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:141 msgid "" "The project is maintained by the MITRE Corporation and " "provides a list of standardized names for vulnerabilities and security " "exposures." msgstr "" "Le projet est maintenu par la société MITRE et fournit une liste " "des noms standardisés pour les failles et expositions de sécurité." #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:152 msgid "" "Debian believes that providing users with additional information related to " "security issues that affect the Debian distribution is extremely important. " "The inclusion of CVE names in advisories help users associate generic " "vulnerabilities with specific Debian updates, which reduces the time spent " "handling vulnerabilities that affect our users. Also, it eases the " "management of security in an environment where CVE-enabled security tools -" "such as network or host intrusion detection systems, or vulnerability " "assessment tools- are already deployed regardless of whether or not they are " "based on the Debian distribution." msgstr "" "Debian estime que fournir aux utilisateurs des informations supplémentaires " "liées aux problèmes de sécurité qui touchent la distribution Debian est " "extrêmement important. L'inclusion des noms CVE dans les alertes aide les " "utilisateurs à associer des failles génériques avec les mises à jour " "spécifiques de Debian, ce qui réduit le temps passé à gérer les failles qui " "concernent nos utilisateurs. Cela facilite également la gestion du risque " "dans un environnement où sont déployés des outils de sécurité gérant CVE " "— comme des systèmes de détection d'intrusion d'hôte ou de réseau ou " "des outils de vérification de failles — qu'ils soient ou non basés sur " "la distribution Debian." #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:160 msgid "" "Debian provides CVE names for all DSAs released since September 1998. All of " "the advisories can be retrieved on the Debian web site, and announcements " "related to new vulnerabilities include CVE names if available at the time of " "their release. Advisories associated with a given CVE name can be searched " "directly through the Debian Security Tracker (see below)." msgstr "" "Debian fournit maintenant les noms CVE pour toutes les DSA publiées depuis " "septembre 1998. Toutes les alertes peuvent être récupérées sur le site " "web Debian et les annonces liées aux nouvelles failles contiennent les noms " "CVE quand ils sont disponibles lors de leur publication. Les alertes liées à " "un nom CVE donné peuvent être cherchées directement avec le système de suivi " "en sécurité Debian (voir ci-après)." #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:163 msgid "" "In some cases you might not find a given CVE name in published advisories, " "for example because:" msgstr "" "Dans certains cas, vous pouvez ne pas trouver un nom CVE donné dans les " "alertes publiées par exemple parce que :" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:164 msgid "No Debian products are affected by that vulnerability." msgstr "aucun produit Debian n'est concerné par cette faille ;" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:168 msgid "" "There is not yet an advisory covering that vulnerability (the security issue " "might have been reported as a but a fix has not been " "tested and uploaded)." msgstr "" "il n'y a pas encore eu d'alerte couvrant cette faille (le problème de " "sécurité peut avoir été signalé comme un , mais " "aucune correction n'a encore été testée et envoyée) ;" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:171 msgid "" "An advisory was published before a CVE name was assigned to a given " "vulnerability (look for an update at the web site)." msgstr "" "une alerte a été publiée avant qu'un nom CVE ait été attribué à une faille " "donnée (chercher une mise à jour sur le site web)." #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:178 msgid "Security Tracker" msgstr "Système de suivi en sécurité" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:189 msgid "" "The central database of what the Debian security teams know about " "vulnerabilities is the . It cross references packages, vulnerable and " "fixed versions for different suites, CVE names, Debian bug numbers, DSA's " "and miscellaneous notes. It can be searched, e.g. by CVE name to see which " "Debian packages are affected or fixed, or by package to show unresolved " "security issues. The only information missing from the tracker is " "confidential information that the security team received under embargo." msgstr "" "La base de données centralisée de ce que les équipes de sécurité Debian " "connaissent des vulnérabilités est le . Elle rassemble " "les références de paquets, les versions vulnérables et corrigées pour chaque " "suite, les noms CVE, les numéros de bogue Debian, les notes de DSA et " "autres. Elle peut être consultée, par exemple, à l'aide du nom CVE pour voir " "les paquets Debian affectés ou corrigés, ou par paquet pour montrer les " "problèmes de sécurité non résolus. Les seuls renseignements manquants au " "système de suivi sont les informations confidentielles que l'équipe de " "sécurité reçoit sous embargo." #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:194 msgid "" "The package debsecan uses the information in the tracker to " "report to the administrator of a system which of the installed packages are " "vulnerable, and for which updates are available to fix security issues." msgstr "" "Le paquet debsecan utilise les renseignements du système de " "suivi pour signaler à l'administrateur d'un système les paquets installés " "vulnérables, et ceux pour lesquels des mises à jour corrigeant les problèmes " "de sécurité sont disponibles." #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:196 msgid "Debian Security Build Infrastructure" msgstr "Infrastructure de construction de sécurité Debian" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:202 msgid "" "Since Debian is currently supported in a large number of architectures, " "administrators sometimes wonder if a given architecture might take more time " "to receive security updates than another. As a matter of fact, except for " "rare circumstances, updates are available to all architectures at the same " "time." msgstr "" "Comme Debian prend actuellement en charge un grand nombre d'architectures, " "les administrateurs se demandent parfois si une architecture donnée pourrait " "prendre plus de temps pour recevoir des mises à jour de sécurité qu'une " "autre. En fait, à part dans de rares circonstances, les mises à jour sont " "disponibles pour toutes les architectures en même temps." #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:211 msgid "" "Packages in the security archive are autobuilt, just like the regular " "archive. However, security updates are a little more different than normal " "uploads sent by package maintainers since, in some cases, before being " "published they need to wait until they can be tested further, an advisory " "written, or need to wait for a week or more to avoid publicizing the flaw " "until all vendors have had a reasonable chance to fix it." msgstr "" "Les paquets de l'archive de sécurité sont construits automatiquement, tout " "comme l'archive classique. Cependant, les mises à jour de sécurité sont un " "petit peu différentes des envois normaux par les responsables de paquets " "car, dans certains cas, avant d'être publiées, elles doivent attendre de " "pouvoir être plus testées, qu'une alerte soit rédigée ou attendre une " "semaine ou plus pour éviter de publier le défaut jusqu'à ce que tous les " "distributeurs aient eu une chance raisonnable de le corriger." #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:214 msgid "Thus, the security upload archive works with the following procedure:" msgstr "L'archive d'envoi de sécurité fonctionne donc de la façon suivante :" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:218 msgid "Someone finds a security problem." msgstr "quelqu'un trouve un problème de sécurité ;" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:225 msgid "" "Someone fixes the problem, and makes an upload to security-master.debian." "org's incoming (this someone is usually a Security Team member but " "can be also a package maintainer with an appropriate fix that has contacted " "the Security Team previously). The Changelog includes a testing-" "security or stable-security as target distribution." msgstr "" "quelqu'un corrige le problème et fait un envoi vers incoming de " "security-master.debian.org (ce quelqu'un est habituellement un " "membre de l'équipe de sécurité, mais ce peut aussi être un responsable de " "paquet avec un correctif approprié qui a contacté l'équipe de sécurité " "auparavant). Le journal de modifications contient une cible de distribution " "testing-security ou stable-security ;" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:230 msgid "" "The upload gets checked and processed by a Debian system and moved into " "queue/accepted, and the buildds are notified. Files in here can be accessed " "by the security team and (somewhat indirectly) by the buildds." msgstr "" "l'envoi est vérifié et traité par un système Debian et déplacé dans queue/" "accepted et le service d'empaquetage est prévenu. Les fichiers à cet endroit " "sont accessibles par l'équipe de sécurité et (de façon un peu indirecte) par " "les services d'empaquetage ;" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:234 msgid "" "Security-enabled buildds pick up the source package (prioritized over normal " "builds), build it, and send the logs to the security team." msgstr "" "les serveurs d'empaquetage activés pour la sécurité récupèrent le paquet " "source (en priorité par rapport aux constructions courantes), le " "construisent et envoient les journaux à l'équipe de sécurité ;" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:238 msgid "" "The security team reply to the logs, and the newly built packages are " "uploaded to queue/unchecked, where they're processed by a Debian system, and " "moved into queue/accepted." msgstr "" "l'équipe de sécurité répond aux journaux et les paquets nouvellement " "construits sont envoyés vers queue/unchecked, où ils sont traités par un " "système Debian et déplacés dans queue/accepted ;" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:243 msgid "" "When the security team find the source package acceptable (i.e., that it's " "been correctly built for all applicable architectures and that it fixes the " "security hole and doesn't introduce new problems of its own) they run a " "script which:" msgstr "" "quand l'équipe de sécurité trouve les paquets acceptables (c'est-à-dire " "qu'ils sont correctement construits pour toutes les architectures " "pertinentes et corrigent le trou de sécurité sans introduire de nouveau " "problème par eux-mêmes), un script est exécuté qui :" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:246 msgid "installs the package into the security archive." msgstr "installe le paquet dans l'archive de sécurité ;" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:250 msgid "" "updates the Packages, Sources and Release files of security.debian.org in the usual way (dpkg-" "scanpackages, dpkg-scansources, ...)." msgstr "" "met à jour les fichiers Packages, Sources et " "Release de security.debian.org de la façon habituelle " "(dpkg-scanpackages, dpkg-scansources, etc.) ;" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:253 msgid "sets up a template advisory that the security team can finish off." msgstr "" "met en place un modèle d'alerte que l'équipe de sécurité peut compléter ;" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:257 msgid "" "forwards the packages to the appropriate proposed-updates so that it can be " "included in the real archive as soon as possible." msgstr "" "fait suivre les paquets vers le proposed-updates approprié pour qu'il soit " "intégré à l'archive réelle dès que possible." #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:268 msgid "" "This procedure, previously done by hand, was tested and put through during " "the freezing stage of Debian 3.0 woody (July 2002). Thanks to this " "infrastructure the Security Team was able to have updated packages ready for " "the apache and OpenSSH issues for all the supported (almost twenty) " "architectures in less than a day." msgstr "" "Cette procédure, auparavant réalisée à la main, a été testée et mise en " "place pendant l'étape de gel de Debian 3.0 Woody (juillet 2002). Grâce à " "cette infrastructure, l'équipe de sécurité a pu avoir des paquets mis à jour " "pour les problèmes d'Apache et d'OpenSSH pour toutes les architectures " "prises en charge (presque vingt) en moins d'un jour." #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:270 msgid "Developer's guide to security updates" msgstr "Le guide du développeur pour les mises à jour de sécurité" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:277 msgid "" "Debian developers that need to coordinate with the security team on fixing " "in issue in their packages, can refer to the Developer's Reference section " "." msgstr "" "Les développeurs Debian qui doivent se coordonner avec l'équipe en charge de " "la sécurité pour corriger un problème avec leurs paquets, peuvent consulter " "la référence du développeur section ." #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:279 msgid "Package signing in Debian" msgstr "La signature de paquet dans Debian" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:296 msgid "" "This section could also be titled \"how to upgrade/update safely your Debian " "GNU/Linux system\" and it deserves its own section basically because it is " "an important part of the Security Infrastructure. Package signing is an " "important issue since it avoids tampering of packages distributed in mirrors " "and of downloads with man-in-the-middle attacks. Automatic software update " "is an important feature but it's also important to remove security threats " "that could help the distribution of trojans and the compromise of systems " "during updates

Some operating systems have already been plagued " "with automatic-updates problems such as the .

FIXME: probably the Internet Explorer vulnerability " "handling certificate chains has an impact on security updates on Microsoft " "Windows.

." msgstr "" "Ce chapitre pourrait également être intitulé « comment mettre à jour et " "à niveau un système Debian GNU/Linux en sécurité » et mérite d'avoir " "son propre chapitre car c'est une partie importante de l'infrastructure de " "sécurité. La signature des paquets est un point important car elle évite " "l'altération de paquets distribués sur les miroirs et des téléchargements " "avec des attaques en homme au milieu (« man-in-the-middle »). Les " "mises à jour de logiciels automatiques sont une fonctionnalité importante, " "mais il est également important d'enlever les menaces de sécurité qui " "pourraient favoriser la propagation de chevaux de Troie et la compromission " "de systèmes lors des mises à jour

Certains systèmes " "d'exploitation ont déjà été touchés par des problèmes de mises à jour " "automatiques comme la .

FIXME : la faille d'Internet Explorer sur la gestion des chaînes de " "certificat a probablement eu un impact sur les mises à jour de sécurité de " "Microsoft Windows.

." #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:303 msgid "" "Debian does not provide signed packages but provides a mechanism available " "since Debian 4.0 (codename etch) to check for downloaded package's " "integrity

Older releases, such as Debian 3.1 sarge can " "use this feature by using backported versions of this package management " "tool

. For more information, see ." msgstr "" "Debian ne fournit pas de paquets signés, mais fournit un mécanisme " "disponible depuis Debian 4.0 Etch pour vérifier l'intégrité des " "paquets téléchargés

Les versions plus anciennes, comme " "Debian 3.1 Sarge peuvent utiliser cette fonctionnalité en utilisant " "les versions rétroportées de cet outil de gestion de paquets.

. Pour obtenir plus de renseignements, consultez ." #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:307 msgid "" "This issue is better described in the by V. Alex " "Brennen." msgstr "" "Ce problème est mieux décrit dans le par V. Alex " "Brennen." #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:309 msgid "The current scheme for package signature checks" msgstr "Le schéma actuel pour la vérification de paquet" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:312 msgid "" "The current scheme for package signature checking using apt is:" msgstr "" "Le schéma actuel pour la vérification de signatures de paquet en utilisant " "apt est :" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:317 msgid "" "the Release file includes the MD5 sum of Packages.gz (which contains the MD5 sums of packages) and will be signed. The " "signature is one of a trusted source." msgstr "" "le fichier Release contient la somme de contrôle MD5 de " "Packages.gz (qui contient les sommes de contrôle MD5 des " "paquets) et sera signé. La signature est celle d'une source sûre ;" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:320 msgid "" "This signed Release file is downloaded by 'apt-get update' and " "stored along with Packages.gz." msgstr "" "ce fichier Release est téléchargé par « apt-get " "update » et stocké sur le disque dur avec Packages.gz ;" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:323 msgid "" "When a package is going to be installed, it is first downloaded, then the " "MD5 sum is generated." msgstr "" "quand un paquet est sur le point d'être installé, il est d'abord téléchargé, " "puis la somme MD5 est calculée ;" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:327 msgid "" "The signed Release file is checked (signature ok) and it " "extracts from it the MD5 sum for the Packages.gz file, the " "Packages.gz checksum is generated and (if ok) the MD5 sum of " "the downloaded package is extracted from it." msgstr "" "le fichier Release signé est vérifié (la signature est bonne) " "et la somme MD5 en est extraite pour le fichier Packages.gz, la " "somme de contrôle de Packages.gz est calculée et (si elle est " "bonne) la somme de contrôle MD5 du paquet téléchargé en est extraite ;" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:334 msgid "" "If the MD5 sum from the downloaded package is the same as the one in the " "Packages.gz file the package will be installed, otherwise the " "administrator will be alerted and the package will be left in the cache (so " "the administrator can decide whether to install it or not). If the package " "is not in the Packages.gz and the administrator has configured " "the system to only install checked packages it will not be installed either." msgstr "" "si la somme de contrôle MD5 du paquet téléchargé est la même que celle " "contenue dans le fichier Packages.gz, le paquet sera installé " "sinon l'administrateur sera averti et le paquet sera laissé dans le cache " "(ainsi l'administrateur décidera de l'installer ou non). Si le paquet n'est " "pas dans Packages.gz et que l'administrateur a configuré le " "système pour installer uniquement les paquets vérifiés, il ne sera pas " "installé non plus." # NOTE: s/ a a / a / #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:341 msgid "" "By following the chain of MD5 sums apt is capable of verifying " "that a package originates from a a specific release. This is less flexible " "than signing each package one by one, but can be combined with that scheme " "too (see below)." msgstr "" "En suivant la chaîne des sommes MD5, apt est capable de " "vérifier qu'un paquet est originaire d'une version bien spécifique. C'est " "moins souple que de signer chaque paquet un par un, mais ce peut être " "combiné également avec ce schéma (voir ci-dessous)." #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:353 msgid "" "This scheme is in apt 0.6 and is " "available since the Debian 4.0 release. For more information see . Packages that provide a front-end to apt need to be modified " "to adapt to this new feature; this is the case of aptitude " "which was to adapt to this scheme. Front-ends currently " "known to work properly with this feature include aptitude and " "synaptic." msgstr "" "Ce schéma est dans " "apt 0.6 et disponible depuis la publication de Debian 4.0. Pour obtenir " "plus de renseignements, consultez . Les paquets " "fournissant une interface à apt doivent être modifiés pour s'adapter à cette " "nouvelle fonctionnalité, c'est le cas d'aptitude qui a été pour être adapté à ce schéma. aptitude et " "synaptic font partie des interfaces déjà connues pour " "fonctionner correctement avec cette fonctionnalité." #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:358 msgid "" "Package signing has been discussed in Debian for quite some time, for more " "information you can read: and ." msgstr "" "La signature de paquets a été abordée dans Debian depuis pas mal de temps " "déjà, pour plus d'informations vous pouvez lire : et ." #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:360 msgid "Secure apt" msgstr "apt sécurisé" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:369 msgid "" "The apt 0.6 release, available since Debian 4.0 etch and later " "releases, includes apt-secure (also known as secure apt) " "which is a tool that will allow a system administrator to test the integrity " "of the packages downloaded through the above scheme. This release includes " "the tool apt-key for adding new keys to apt's keyring, which by " "default includes only the current Debian archive signing key." msgstr "" "La version 0.6 d'apt, disponible depuis Debian 4.0 Etch, et " "les versions plus récentes, intègrent apt-secure (aussi connu sous " "le nom d'apt sécurisé) qui est un outil permettant à " "l'administrateur système de tester l'intégrité des paquets téléchargés " "conformément au schéma ci-dessus. Cette version contient l'outil apt-" "key pour ajouter de nouvelles clefs au trousseau d'apt qui ne " "contient par défaut que la clef actuelle de signature de l'archive Debian." #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:374 msgid "" "These changes are based on the patch for apt (available in ) which provides this implementation." msgstr "" "Ces modifications sont basées sur un correctif pour apt " "(disponible dans le ) qui fournit cette " "implémentation." #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:381 msgid "" "Secure apt works by checking the distribution through the Release file, as discussed in . Typically, this " "process will be transparent to the administrator although you will need to " "intervene every year

Until an automatic mechanism is developed. to add the new archive key when it is rotated, for more " "information on the steps an administrator needs to take a look at ." msgstr "" "apt sécurisé fonctionne en vérifiant la distribution à l'aide du fichier " "Release, conformément à . " "Typiquement, ce processus sera transparent pour l'administrateur bien qu'il " "faudra intervenir chaque année

Jusqu'à ce qu'un mécanisme " "automatique ne soit développé.

pour ajouter la nouvelle clef " "de l'archive quand elle est modifiée. Pour obtenir plus de renseignements " "sur les étapes qu'un administrateur doit accomplir, consultez ." #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:386 msgid "" "This feature is still under development, if you believe you find bugs in it, " "please, make first sure you are using the latest version (as this package " "might change quite a bit before it is finally released) and, if running the " "latest version, submit a bug against the apt package." msgstr "" "Cette fonctionnalité est encore en développement, donc si vous pensez avoir " "trouvé des bogues dans ce paquet, veuillez d'abord vérifier que vous " "utilisez la dernière version (car ce paquet peut évoluer beaucoup avant " "d'être diffusé) et si vous utilisez la dernière version, soumettez un " "rapport de bogue sur le paquet apt." #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:392 msgid "" "You can find more information at and the official documentation: and " "." msgstr "" "Plus de renseignements sont disponibles sur et dans la documentation " "officielle : et ." #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:394 msgid "Per distribution release check" msgstr "Vérification par version de distribution" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:398 msgid "" "This section describes how the distribution release check mechanism works, " "it was written by Joey Hess and is also available at the ." msgstr "" "Cette section décrit le mode de fonctionnement du mécanisme de vérification " "par version de distribution, elle a été écrite par Joey Hess et est " "également disponible dans le ." #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:400 msgid "Basic concepts" msgstr "Concepts de base" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:403 msgid "" "Here are a few basic concepts that you'll need to understand for the rest of " "this section." msgstr "" "Voici quelques concepts de base que vous devrez comprendre pour la suite de " "cette section." #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:408 msgid "" "A checksum is a method of taking a file and boiling it down to a reasonably " "short number that uniquely identifies the content of the file. This is a lot " "harder to do well than it might seem, and the most commonly used type of " "checksum, the MD5 sum, is in the process of being broken." msgstr "" "Une somme de contrôle est une méthode permettant de prendre un fichier et de " "le réduire en un nombre suffisamment petit qui identifie son contenu de " "façon unique. C'est beaucoup plus compliqué qu'il n'y parait de faire ça " "bien, et le type de sommes de contrôle le plus fréquemment utilisé, MD5, est " "en passe d'être cassé." #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:416 msgid "" "Public key cryptography is based on pairs of keys, a public key and a " "private key. The public key is given out to the world; the private key must " "be kept a secret. Anyone possessing the public key can encrypt a message so " "that it can only be read by someone possessing the private key. It's also " "possible to use a private key to sign a file, not encrypt it. If a private " "key is used to sign a file, then anyone who has the public key can check " "that the file was signed by that key. No one who doesn't have the private " "key can forge such a signature." msgstr "" "La cryptographie à clef publique est basée sur une paire de clefs: une " "publique et une privée. La clef publique est distribuée partout ; la clef " "privée doit être gardée secrète. Tous ceux qui possèdent la clef publique " "peuvent chiffrer un message qui ne pourra être lu que par un possesseur de " "la clef privée. La clef privée permet elle de signer un fichier, pas de le " "chiffrer. Si une clef privée est utilisée pour signer un fichier, alors tous " "ceux qui ont la clef publique peuvent vérifier que le fichier était signé " "par cette clef. Une personne ne possédant pas la clef privée ne peut pas " "contrefaire une telle signature." #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:420 msgid "" "These keys are quite long numbers (1024 to 2048 digits or longer), and to " "make them easier to work with they have a key id, which is a shorter, 8 or " "16 digit number that can be used to refer to them." msgstr "" "Ces clefs sont des nombres assez grands (de 1024 à 2048 bits, ou plus) " "et, pour les rendre plus faciles à manipuler, elles ont un identifiant de " "clef plus court (8 ou 16 chiffres hexadécimaux) qui peut être utilisé pour y " "faire référence." #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:423 msgid "" "gpg is the tool used in secure apt to sign files and check " "their signatures." msgstr "" "gpg est l'outil utilisé par apt sécurisé pour signer les " "fichiers et vérifier leurs signatures." #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:429 msgid "" "apt-key is a program that is used to manage a keyring of gpg " "keys for secure apt. The keyring is kept in the file /etc/apt/trusted." "gpg (not to be confused with the related but not very interesting " "/etc/apt/trustdb.gpg). apt-key can be used to show " "the keys in the keyring, and to add or remove a key." msgstr "" "apt-key est un programme qui permet de gérer un trousseau de " "clefs GPG pour apt sécurisé. Le trousseau est gardé dans le fichier /" "etc/apt/trusted.gpg (à ne pas confondre avec le fichier /etc/" "apt/trustdb.gpg, apparenté mais pas très intéressant). apt-key permet de montrer les clefs du trousseau, et d'ajouter ou enlever une " "clef." #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:431 msgid "Release checksums" msgstr "Sommes de contrôle de Release" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:436 msgid "" "A Debian archive contains a Release file, which is updated each " "time any of the packages in the archive change. Among other things, the " "Release file contains some MD5 sums of other files in the " "archive. An excerpt of an example Release file:" msgstr "" "Une archive Debian contient un fichier Release, qui est mis à " "jour à chaque fois qu'un paquet de l'archive est modifié. Entre autres, le " "fichier Release contient les sommes MD5 d'autres fichiers de " "l'archive. Exemple d'extrait de fichier Release :" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:442 #, no-wrap msgid "" "MD5Sum:\n" " 6b05b392f792ba5a436d590c129de21f 3453 Packages\n" " 1356479a23edda7a69f24eb8d6f4a14b 1131 Packages.gz\n" " 2a5167881adc9ad1a8864f281b1eb959 1715 Sources\n" " 88de3533bf6e054d1799f8e49b6aed8b 658 Sources.gz" msgstr "" "MD5Sum:\n" " 6b05b392f792ba5a436d590c129de21f 3453 Packages\n" " 1356479a23edda7a69f24eb8d6f4a14b 1131 Packages.gz\n" " 2a5167881adc9ad1a8864f281b1eb959 1715 Sources\n" " 88de3533bf6e054d1799f8e49b6aed8b 658 Sources.gz" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:447 msgid "" "The Release files also include SHA-1 checksums, which will be " "useful once MD5 sums become fully broken, however apt doesn't use them yet." msgstr "" "Les fichiers Release contiennent aussi des sommes de contrôle " "SHA-1, ce qui sera utile quand les sommes de contrôle MD5 seront " "complètement cassées, toutefois, apt ne les utilise pas encore." #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:450 msgid "" "Now if we look inside a Packages file, we'll find more MD5 " "sums, one for each package listed in it. For example:" msgstr "" "Maintenant, à l'intérieur d'un fichier Packages, d'autres " "sommes de contrôle MD5 sont disponibles : une pour chaque paquet de la " "liste. Par exemple :" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:457 #, no-wrap msgid "" " Package: uqm\n" " Priority: optional\n" " ...\n" " Filename: unstable/uqm_0.4.0-1_i386.deb\n" " Size: 580558\n" " MD5sum: 864ec6157c1eea88acfef44d0f34d219" msgstr "" " Package: uqm\n" " Priority: optional\n" " ...\n" " Filename: unstable/uqm_0.4.0-1_i386.deb\n" " Size: 580558\n" " MD5sum: 864ec6157c1eea88acfef44d0f34d219" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:465 msgid "" "These two checksums can be used to verify that you have downloaded a correct " "copy of the Packages file, with a md5sum that matches the one " "in the Release file. And when it downloads an individual " "package, it can also check its md5sum against the content of the " "Packages file. If apt fails at either of these steps, it will " "abort." msgstr "" "Ces deux sommes de contrôle permettent de vérifier que la copie du fichier " "Packages téléchargé est correcte, avec une somme de contrôle " "MD5 qui correspond à celle du fichier Release. Lorsqu'un paquet " "est téléchargé individuellement, la vérification de la somme de contrôle MD5 " "avec le contenu du fichier Packages est aussi possible. Si apt " "échoue à l'une de ces étapes, il abandonnera." #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:472 msgid "" "None of this is new in secure apt, but it does provide the foundation. " "Notice that so far there is one file that apt doesn't have a way to check: " "The Release file. Secure apt is all about making apt verify the " "Release file before it does anything else with it, and plugging " "this hole, so that there is a chain of verification from the package that " "you are going to install all the way back to the provider of the package." msgstr "" "Rien de tout cela n'est nouveau dans apt sécurisé, mais cela en fournit les " "bases. Remarquez que, jusqu'ici, il reste un fichier qu'apt n'a aucun moyen " "de vérifier : le fichier Release. apt sécurisé a justement pour but de faire " "vérifier Release par apt avant de faire quoi que ce soit d'autre avec, " "et de combler ce trou, afin de rendre la chaîne de vérification complète, du " "paquet qui va être installé jusqu'au fournisseur du paquet." #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:474 msgid "Verification of the Release file" msgstr "Vérification du fichier Release" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:480 msgid "" "To verify the Release file, a gpg signature is added for the " "Release file. This is put in a file named Release.gpg that is shipped alongside the Release file. It looks " "something like this

Technically speaking, this is an ASCII-" "armored detached gpg signature.

, although only gpg actually " "looks at its contents normally:" msgstr "" "Pour vérifier le fichier Release, une signature gpg est ajoutée " "dans le fichier Release.gpg, distribué à ses côtés. Il " "ressemble à ceci

D'un point de vue technique, c'est une " "signature ASCII-armored détachée.

, bien que seul gpg accède à " "son contenu normalement :" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:488 #, no-wrap msgid "" "-----BEGIN PGP SIGNATURE-----\n" "Version: GnuPG v1.4.1 (GNU/Linux)\n" "\n" "iD8DBQBCqKO1nukh8wJbxY8RAsfHAJ9hu8oGNRAl2MSmP5+z2RZb6FJ8kACfWvEx\n" "UBGPVc7jbHHsg78EhMBlV/U=\n" "=x6og\n" "-----END PGP SIGNATURE-----" msgstr "" "-----BEGIN PGP SIGNATURE-----\n" "Version: GnuPG v1.4.1 (GNU/Linux)\n" "\n" "iD8DBQBCqKO1nukh8wJbxY8RAsfHAJ9hu8oGNRAl2MSmP5+z2RZb6FJ8kACfWvEx\n" "UBGPVc7jbHHsg78EhMBlV/U=\n" "=x6og\n" "-----END PGP SIGNATURE-----" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:492 msgid "Check of Release.gpg by apt" msgstr "Vérification du fichier Release.gpg par apt" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:498 msgid "" "Secure apt always downloads Release.gpg files when it's " "downloading Release files, and if it cannot download the " "Release.gpg, or if the signature is bad, it will complain, and " "will make note that the Packages files that the Release file points to, and all the packages listed therein, are from an " "untrusted source. Here's how it looks during an apt-get update:" msgstr "" "apt sécurisé télécharge toujours les fichiers Release.gpg en même temps " "que les fichiers Release, et s'il ne peut pas télécharger " "Release.gpg, ou si la signature n'est pas correcte, il se " "plaindra, et fera remarquer que les fichiers Packages pointés " "par le fichier Release, et tous les paquets qui y sont listés, ne " "proviennent pas d'une source de confiance. Voici à quoi cela ressemble lors " "d'un apt-get update :" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:501 #, no-wrap msgid "" "W: GPG error: http://ftp.us.debian.org testing Release: The following signatures\n" " couldn't be verified because the public key is not available: NO_PUBKEY 010908312D230C5F" msgstr "" "W: Erreur de GPG : http://ftp.us.debian.org testing Release :\n" "Les signatures suivantes n'ont pas pu être vérifiées car la\n" "clé publique n'est pas disponible : NO_PUBKEY 010908312D230C5F" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:506 msgid "" "Note that the second half of the long number is the key id of the key that " "apt doesn't know about, in this case that's 2D230C5F." msgstr "" "Remarquez que la seconde partie du grand nombre est l'identifiant de la clef " "qu'apt ne connaît pas, c'est-à-dire 2D230C5F ici." #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:508 msgid "" "If you ignore that warning and try to install a package later, apt will warn " "again:" msgstr "" "Si vous ignorez cet avertissement et essayez d'installer un paquet ensuite, " "apt avertira de nouveau :" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:512 #, no-wrap msgid "" "WARNING: The following packages cannot be authenticated!\n" " libglib-perl libgtk2-perl\n" "Install these packages without verification [y/N]?" msgstr "" "ATTENTION : les paquets suivants n'ont pas été authentifiés.\n" " libglib-perl libgtk2-perl\n" "Faut-il installer ces paquets sans vérification (o/N) ?" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:521 msgid "" "If you say Y here you have no way to know if the file you're getting is the " "package you're supposed to install, or if it's something else entirely that " "somebody that can intercept the communication against the " "server

Or has poisoned your DNS, or is spoofing the server, or " "has replaced the file in the mirror you are using, etc.

has " "arranged for you, containing a nasty suprise." msgstr "" "Si vous acceptez ici, vous n'avez aucun moyen de savoir si le fichier que " "vous obtenez est le paquet que vous voulez installer, ou s'il s'agit d'autre " "chose que quelqu'un pouvant intercepter la communication avec le " "serveur

Ou ayant empoisonné le DNS, ou usurpant le serveur, ou " "ayant remplacé le fichier sur le miroir utilisé, etc.

a " "préparé pour vous, avec une mauvaise surprise." #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:523 msgid "" "Note that you can disable these checks by running apt with --allow-" "unauthenticated." msgstr "" "Remarquez que vous pouvez désactiver ces vérifications en exécutant apt avec " "--allow-unauthenticated." #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:530 msgid "" "It's also worth noting that newer versions of the Debian installer use the " "same signed Release file mechanism during their debootstrap of " "the Debian base system, before apt is available, and that the installer even " "uses this system to verify pieces of itself that it downloads from the net. " "Also, Debian does not currently sign the Release files on its " "CDs; apt can be configured to always trust packages from CDs so this is not " "a large problem." msgstr "" "Remarquez également que les nouvelles versions de l'installateur Debian " "utilisent le même mécanisme de fichier Release signé lors du " "debootstrap du système de base Debian, avant qu'apt ne soit disponible, et " "que l'installateur utilise même ce système pour vérifier les éléments de " "lui-même qu'il télécharge depuis le réseau. Enfin, Debian ne signe pour " "l'instant pas les fichiers Release de ses CD ; apt peut être configuré pour " "faire toujours confiance aux paquets des CD, de sorte que ce n'est pas un " "gros problème." #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:532 msgid "How to tell apt what to trust" msgstr "Comment expliquer à apt en quoi avoir confiance" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:539 msgid "" "So the security of the whole system depends on there being a Release." "gpg file, which signs a Release file, and of apt checking that signature using gpg. To check the signature, it has to " "know the public key of the person who signed the file. These keys are kept " "in apt's own keyring (/etc/apt/trusted.gpg), and managing the " "keys is where secure apt comes in." msgstr "" "La sécurité de l'intégralité du système dépend donc de l'existence d'un " "fichier Release.gpg, qui signe un fichier Release, et de la " "vérification de cette signature par apt à l'aide de gpg. Pour vérifier la " "signature, il doit connaître la clef publique de la personne qui a signé le " "fichier. Ces clefs sont gardées dans le trousseau spécifique à apt (/etc/apt/" "trusted.gpg), et c'est dans la gestion de ces clefs qu'intervient apt " "sécurisé." #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:541 msgid "" "By default, Debian systems come preconfigured with the Debian archive key in " "the keyring." msgstr "" "Par défaut, les systèmes Debian sont fournis préconfigurés avec la clef de " "l'archive Debian dans le trousseau." #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:547 #, no-wrap msgid "" "# apt-key list\n" "/etc/apt/trusted.gpg\n" "--------------------\n" "pub 1024D/4F368D5D 2005-01-31 [expires: 2006-01-31]\n" "uid Debian Archive Automatic Signing Key (2005) <ftpmaster@debian.org>" msgstr "" "# apt-key list\n" "/etc/apt/trusted.gpg\n" "--------------------\n" "pub 1024D/4F368D5D 2005-01-31 [expire: 2006-01-31]\n" "uid Debian Archive Automatic Signing Key (2005) <ftpmaster@debian.org>" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:553 msgid "" "Here 4F368D5D is the key id, and notice that this key was only valid for a " "one year period. Debian rotates these keys as a last line of defense against " "some sort of security breach breaking a key." msgstr "" "Ici, 4F368D5D est l'identifiant de clef ; remarquez que cette clef n'était " "valable que pour une période d'un an. Debian renouvelle ces clefs " "régulièrement : c'est une dernière ligne de défense au cas où une clef " "serait compromise ou cassée." #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:559 msgid "" "That will make apt trust the official Debian archive, but if " "you add some other apt repository to /etc/apt/sources.list, " "you'll also have to give apt its key if you want apt to trust " "it. Once you have the key and have verified it, it's a simple matter of " "running apt-key add file to add it. Getting the key and " "verifying it are the trickier parts." msgstr "" "apt aura ainsi confiance en l'archive Debian officielle, mais " "si vous ajoutez d'autres dépôts apt à /etc/apt/sources.list, il " "vous faudra également donner à apt sa clef si vous voulez qu'il " "ait confiance en ce dépôt. Une fois que vous possédez la clef et que vous " "l'avez vérifiée, il suffit d'exécuter apt-key add fichier pour " "l'ajouter. Obtenir la clef et la vérifier sont les parties les plus " "délicates." #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:561 msgid "Finding the key for a repository" msgstr "Trouver la clef d'un dépôt" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:565 msgid "" "The debian-archive-keyring package is used to distribute keys to apt. Upgrades to this package can add (or remove) gpg keys for the main " "Debian archive." msgstr "" "Le paquet debian-archive-keyring est utilisé pour distribuer les clefs à " "apt. Les mises à niveau de ce paquet peuvent ajouter (ou " "retirer) des clefs gpg pour l'archive Debian principale." #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:570 msgid "" "For other archives, there is not yet a standard location where you can find " "the key for a given apt repository. There's a rough standard of putting the " "key up on the web page for the repository or as a file in the repository " "itself, but no real standard, so you might have to hunt for it." msgstr "" "Pour les autres archives, il n'y a pas encore d'endroit normalisé pour " "trouver la clef d'un dépôt apt donné. La clef est souvent liée depuis la " "page web du dépôt ou placée dans le dépôt directement, mais il vous faudra " "parfois la chercher." #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:577 msgid "" "The Debian archive signing key is available at (replace 2006 with current year)." "

\"ziyi\" is the name of the tool used for signing on the Debian " "servers, the name is based on the name of a .

" msgstr "" "La clef de signature de l'archive Debian est disponible en (remplacez 2006 par l'année en " "cours).

« ziyi » est le nom de l'outil utilisé pour signer sur " "les serveurs Debian, le nom vient du nom d'une .

" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:581 msgid "" "gpg itself has a standard way to distribute keys, using a " "keyserver that gpg can download a key from and add it to its keyring. For " "example:" msgstr "" "gpg a lui-même un moyen normalisé de distribuer les clefs, " "utilisant un serveur de clefs, d'où gpg peut télécharger une clef pour " "l'ajouter à son trousseau. Par exemple :" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:588 #, no-wrap msgid "" "$ gpg --keyserver pgpkeys.mit.edu --recv-key 2D230C5F\n" "gpg: requesting key 2D230C5F from hkp server pgpkeys.mit.edu\n" "gpg: key 2D230C5F: public key \"Debian Archive Automatic Signing Key (2006) <ftpm\n" "aster@debian.org>\" imported\n" "gpg: Total number processed: 1\n" "gpg: imported: 1" msgstr "" "$ gpg --keyserver pgpkeys.mit.edu --recv-key 2D230C5F\n" "gpg: requête de la clé 2D230C5F du serveur hkp pgpkeys.mit.edu\n" "gpg: clé 2D230C5F: clé publique « Debian Archive Automatic Signing Key (2006)\n" "<ftpmaster@debian.org> » importée\n" "gpg: Quantité totale traitée: 1\n" "gpg: importée: 1" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:592 msgid "" "You can then export that key from your own keyring and feed it to apt-" "key:" msgstr "" "Vous pouvez alors exporter cette clef depuis votre propre trousseau et la " "fournir à apt-key :" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:596 #, no-wrap msgid "" "$ gpg -a --export 2D230C5F | sudo apt-key add -\n" "gpg: no ultimately trusted keys found\n" "OK" msgstr "" "$ gpg -a --export 2D230C5F | sudo apt-key add -\n" "gpg: aucune clé de confiance ultime n'a été trouvée\n" "OK" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:603 msgid "" "The \"gpg: no ultimately trusted keys found\" warning means that gpg was not " "configured to ultimately trust a specific key. Trust settings are part of " "OpenPGPs Web-of-Trust which does not apply here. So there is no problem with " "this warning. In typical setups the user's own key is ultimately trusted." msgstr "" "L'avertissement « gpg: aucune clé de confiance ultime n'a été trouvée » " "signifie que gpg n'était pas configuré pour faire confiance de façon ultime " "à une clef en particulier. Les réglages de confiance font partie du réseau " "de confiance d'OpenPGP qui ne s'applique pas ici. Cet avertissement n'est " "donc pas un problème ici. Dans les configurations typiques, seule la propre " "clef de l'utilisateur est de confiance ultime." #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:605 msgid "Safely adding a key" msgstr "Ajout de clef en sécurité" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:614 msgid "" "By adding a key to apt's keyring, you're telling apt to trust everything " "signed by the key, and this lets you know for sure that apt won't install " "anything not signed by the person who possesses the private key. But if " "you're sufficiently paranoid, you can see that this just pushes things up a " "level, now instead of having to worry if a package, or a Release file is valid, you can worry about whether you've actually gotten the " "right key. Is the file mentioned above really Debian's archive signing key, or has it been " "modified (or this document lies)." msgstr "" "En ajoutant une clef au trousseau d'apt, vous lui dites de faire confiance à " "tout ce qui est signé par cette clef, et cela vous permet de savoir avec " "certitude qu'apt n'installera rien de non signé par la personne qui possède " "la clef privée. Si vous êtes suffisamment paranoïaque, vous pouvez voir que " "cela ne fait que déplacer les choses d'un niveau : maintenant au lieu de " "vous inquiéter de la validité d'un paquet ou d'un fichier Release, il suffit de s'inquiéter d'avoir vraiment la bonne clef ; est-ce que " "le fichier " "mentionné ci-dessus est vraiment la clef de signature de l'archive, ou a-t-" "il été modifié (ou ce document ment-il) ?" # NOTE: the person […] they […] their #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:627 msgid "" "It's good to be paranoid in security, but verifying things from here is " "harder. gpg has the concept of a chain of trust, which can " "start at someone you're sure of, who signs someone's key, who signs some " "other key, etc., until you get to the archive key. If you're sufficiently " "paranoid you'll want to check that your archive key is signed by a key that " "you can trust, with a trust chain that goes back to someone you know " "personally. If you want to do this, visit a Debian conference or perhaps a " "local LUG for a key signing

Not all apt repository keys are " "signed at all by another key. Maybe the person setting up the repository " "doesn't have another key, or maybe they don't feel comfortable signing such " "a role key with their main key. For information on setting up a key for a " "repository see .

." msgstr "" "Être paranoïaque est une bonne attitude en sécurité, mais vérifier les " "choses à partir d'ici est plus difficile. gpg connaît le " "concept de chaîne de confiance, qui peut commencer à partir de quelqu'un " "dont vous êtes sûr, qui signe la clef de quelqu'un, qui signe une autre " "clef, etc. jusqu'à atteindre la clef de l'archive. Si vous êtes suffisamment " "paranoïaque, vous voudrez vérifier que la clef de l'archive est signée par " "une clef en laquelle vous pouvez avoir confiance, avec une chaîne de " "confiance qui remonte jusqu'à quelqu'un que vous connaissez personnellement. " "Si vous voulez faire cela, rendez-vous à une conférence Debian ou peut-être " "à un groupe (LUG) local pour une signature de clef

Toutes les " "clefs de dépôt apt ne sont pas encore signées par une autre clef. Peut-être " "que la personne qui a mis en place le dépôt n'a pas d'autre clef, ou peut-" "être que ça ne lui plaît pas de signer une telle clef de rôle avec sa clef " "principale. Pour des renseignements au sujet de la mise en place d'une clef " "de dépôt, consultez .

." #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:634 msgid "" "If you can't afford this level of paranoia, do whatever feels appropriate to " "you when adding a new apt source and a new key. Maybe you'll want to mail " "the person providing the key and verify it, or maybe you're willing to take " "your chances with downloading it and assuming you got the real thing. The " "important thing is that by reducing the problem to what archive keys to " "trust, secure apt lets you be as careful and secure as it suits you to be." msgstr "" "Si vous ne pouvez pas vous permettre ce niveau de paranoïa, faites le " "nécessaire suffisant de votre point de vue quand vous ajoutez une nouvelle " "source apt et une nouvelle clef. Peut-être voudrez vous échanger un courrier " "électronique avec la personne fournissant la clef et la vérifier, ou peut-" "être préférerez vous tenter votre chance en téléchargeant la clef en " "supposant que c'est la bonne. Ce qui est important est qu'en réduisant le " "problème au niveau de confiance des clefs de l'archive, apt sécurisé vous " "laisse être aussi prudent et sécurisé que vous désirez l'être." #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:636 msgid "Verifying key integrity" msgstr "Vérification de l'intégrité des clefs" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:643 msgid "" "You can verify the fingerprint as well as the signatures on the key. " "Retrieving the fingerprint can be done for multiple sources, you can check " ", talk to Debian Developers on IRC, read the " "mailing list where the key change will be announced or any other additional " "means to verify the fingerprint. For example you can do this:" msgstr "" "Vous pouvez aussi bien vérifier l'empreinte digitale de la clef que ses " "signatures. La récupération de l'empreinte digitale peut se faire depuis de " "nombreuses sources : vous pouvez vérifier , " "parler avec des développeurs Debian sur IRC, lire la liste de diffusion où " "la modification de clef sera annoncée ou n'importe quel moyen supplémentaire " "pour vérifier l'empreinte digitale. Par exemple en faisant :" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:661 #, no-wrap msgid "" "$ GET http://ftp-master.debian.org/ziyi_key_2006.asc | gpg --import\n" "gpg: key 2D230C5F: public key \"Debian Archive Automatic Signing Key (2006)\n" " <ftpmaster&debian.org>\" imported\n" "gpg: Total number processed: 1\n" "gpg: imported: 1\n" "$ gpg --check-sigs --fingerprint 2D230C5F\n" "pub 1024D/2D230C5F 2006-01-03 [expires: 2007-02-07]\n" " Key fingerprint = 0847 50FC 01A6 D388 A643 D869 0109 0831 2D23 0C5F\n" "uid Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>\n" "sig!3 2D230C5F 2006-01-03 Debian Archive Automatic Signing Key\n" " (2006) <ftpmaster@debian.org>\n" "sig! 2A4E3EAA 2006-01-03 Anthony Towns <aj@azure.humbug.org.au>\n" "sig! 4F368D5D 2006-01-03 Debian Archive Automatic Signing Key\n" " (2005) <ftpmaster@debian.org>\n" "sig! 29982E5A 2006-01-04 Steve Langasek <vorlon@dodds.net>\n" "sig! FD6645AB 2006-01-04 Ryan Murray <rmurray@cyberhqz.com>\n" "sig! 
AB2A91F5 2006-01-04 James Troup <james@nocrew.org>" msgstr "" "$ GET http://ftp-master.debian.org/keys/archive-key-6.0.asc | gpg --import\n" "gpg: clé 473041FA: clé publique « Debian Archive Automatic Signing Key (6.0/squeeze)\n" " <ftpmaster@debian.org> » importée\n" "gpg: Quantité totale traitée: 1\n" "gpg: importée: 1 (RSA: 1)\n" "gpg: 3 marginale(s) nécessaires, 1 complète(s) nécessaires, modèle\n" " de confiance PGP\n" "gpg: profondeur: 0 valide: 1 signé: 0\n" "confiance: 0-. 0g. 0n. 0m. 0f. 1u\n" "$ gpg --check-sigs --fingerprint 473041FA\n" "pub 4096R/473041FA 2010-08-27 [expire: 2018-03-05]\n" " Empreinte de la clé = 9FED 2BCB DCD2 9CDF 7626 78CB AED4 B06F 4730 41FA\n" "uid Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>\n" "sig!3 473041FA 2010-08-27 Debian Archive Automatic Signing Key (6.0/squeeze)\n" " <ftpmaster@debian.org>\n" "sig! 7E7B8AC9 2010-08-27 Joerg Jaspert <joerg@debian.org>\n" "sig! P B12525C4 2010-08-27 Joerg Jaspert <joerg@debian.org>\n" "sig! D0EC0723 2010-08-27 Mark Hymers <mhy@debian.org>\n" "sig! 8AEA8FEE 2010-08-27 Stephen Gran <steve@lobefin.net>\n" "sig! A3AE44A4 2010-08-28 Michael O'Connor (stew) <stew@vireo.org>\n" "sig! 00D8CD16 2010-08-28 Alexander Reichle-Schmehl <alexander@reichle.schmehl.info>\n" "sig! CD15A883 2010-08-28 Alexander Schmehl (privat) <alexander@schmehl.info>\n" "sig! 672C8B12 2010-08-28 Alexander Reichle-Schmehl <tolimar@debian.org>\n" "sig!2 C4CF8EC3 2010-08-28 Torsten Werner <twerner@debian.org>\n" "sig!2 D628A5CA 2010-08-28 Torsten Werner <mail.twerner@googlemail.com>" # NOTE: External link #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:667 msgid "" "and then from your key " "(or a key you trust) to at least one of the keys used to sign the archive " "key. 
If you are sufficiently paranoid you will tell apt to trust the key " "only if you find an acceptable path:" msgstr "" "puis en vérifiant la chaîne de confiance (consultez ) de votre clef (ou d'une clef de confiance) vers au moins une des clefs " "utilisées pour signer la clef de l'archive. Si vous êtes suffisamment " "paranoïaque, vous ne direz à apt de ne faire confiance à la clef que si vous " "êtes satisfait de la chaîne de confiance :" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:670 #, no-wrap msgid "" "$ gpg --export -a 2D230C5F | sudo apt-key add -\n" "Ok" msgstr "" "$ gpg --export -a 473041FA | sudo apt-key add -\n" "OK" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:675 msgid "" "Note that the key is signed with the previous archive key, so theoretically " "you can just build on your previous trust." msgstr "" "Remarquez que la clef est signée par la clef de l'archive précédente, donc " "vous pouvez en théorie vous appuyer simplement sur votre confiance " "précédente." #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:677 msgid "Debian archive key yearly rotation" msgstr "Rotation annuelle de la clef de l'archive Debian" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:681 msgid "" "As mentioned above, the Debian archive signing key is changed each year, in " "January. Since secure apt is young, we don't have a great deal of experience " "with changing the key and there are still rough spots." msgstr "" "Comme signalé précédemment, la clef de l'archive Debian est modifiée tous " "les ans, en janvier. Comme apt sécurisé est encore jeune, nous manquons " "encore d'expérience pour modifier la clef et des passages sont un peu " "abrupts." #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:692 msgid "" "In January 2006, a new key for 2006 was made and the Release " "file began to be signed by it, but to try to avoid breaking systems that had " "the old 2005 key, the Release file was signed by that as well. " "The intent was that apt would accept one signature or the other depending on " "the key it had, but apt turned out to be buggy and refused to trust the file " "unless it had both keys and was able to check both signatures. This was " "fixed in apt version 0.6.43.1. There was also confusion about how the key " "was distributed to users who already had systems using secure apt; initially " "it was uploaded to the web site with no announcement and no real way to " "verify it and users were forced to download it by hand." msgstr "" "En janvier 2006, une nouvelle clef a été préparée pour 2006 et le fichier " "Release a commencé à être signé par cette clef, mais pour " "éviter de casser les systèmes qui utilisaient encore l'ancienne clef de " "2005, le fichier Release était aussi signé par cette dernière. " "Le but était qu'apt accepte l'une ou l'autre signature, selon la clef " "qu'il possède, mais à cause d'un bogue d'apt, il refusait de faire confiance " "au fichier s'il n'avait pas les deux clefs et n'était pas capable de " "vérifier les deux signatures. Cela a été corrigé dans la version 0.6.43.1 " "d'apt. Une confusion existait aussi sur la façon de distribuer la clef aux " "utilisateurs qui utilisaient déjà des systèmes avec apt sécurisé ; elle " "avait été envoyée sur le site web sans annonce et sans réel moyen de la " "vérifier, et les utilisateurs ont été obligés de la télécharger eux-mêmes." # NOTE: Double entry #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:724 msgid "" "In January 2006, a new key for 2006 was made and the Release file began to " "be signed by it, but to try to avoid breaking systems that had the old 2005 " "key, the Release file was signed by that as well. In order to " "prevent confusion on the best distribution mechanism for users who already " "have systems using secure apt, the debian-archive-keyring package was " "introduced, which manages apt keyring updates." msgstr "" "En janvier 2006, une nouvelle clef a été préparée pour 2006 et le fichier " "Release a commencé à être signé par cette clef, mais pour " "éviter de casser les systèmes qui utilisaient encore l'ancienne clef de " "2005, le fichier Release était aussi signé par cette dernière. " "Pour éviter les confusions sur le meilleur mécanisme de distribution pour " "les utilisateurs qui utilisent déjà des systèmes avec apt sécurisé, le " "paquet debian-archive-keyring a été introduit, pour " "gérer les mises à jour du trousseau de clefs d'apt." #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:726 msgid "Known release checking problems" msgstr "Problèmes connus de vérification de la publication" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:730 msgid "" "One not so obvious problem is that if your clock is very far off, secure apt " "will not work. If it's set to a date in the past, such as 1999, apt will " "fail with an unhelpful message such as this:" msgstr "" "Un problème moins évident est que si l'horloge est très décalée, apt " "sécurisé ne fonctionnera pas. Si la date est configurée dans le passé, " "comme en 1999, apt échouera avec un message peu compréhensible comme :" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:732 #, no-wrap msgid "W: GPG error: http://archive.progeny.com sid Release: Unknown error executing gpg" msgstr "W: GPG error: http://ftp.us.debian.org sid Release: Unknown error executing gpg" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:736 msgid "Although apt-key list will make the problem plain:" msgstr "Pourtant apt-key list expliquera le problème :" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:741 #, no-wrap msgid "" "gpg: key 2D230C5F was created 192324901 seconds in the future (time warp or clock problem)\n" "gpg: key 2D230C5F was created 192324901 seconds in the future (time warp or clock problem)\n" "pub 1024D/2D230C5F 2006-01-03\n" "uid Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>" msgstr "" "gpg: la clé 473041FA a été créée 367773259 secondes dans le futur (rupture\n" "spatio-temporelle ou problème d'horloge)\n" "pub 4096R/473041FA 2010-08-27 [expire: 2018-03-05]\n" "uid Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:745 msgid "" "If it's set to a date too far in the future, apt will treat the keys as " "expired." msgstr "" "Si elle est configurée à une date trop dans le futur, apt considérera la " "clef expirée." # NOTE: s/encouter/encounter/ #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:750 msgid "" "Another problem you may encouter if using testing or unstable is that if you " "have not run apt-get update lately and apt-get install a package, apt might complain that it cannot be authenticated (why " "does it do this?). apt-get update will fix this." msgstr "" "Un autre problème que vous pourriez rencontrer en utilisant testing ou " "unstable, est que si vous n'avez pas exécuté apt-get update " "récemment et apt-get install un paquet, apt risque de se " "plaindre qu'il ne peut pas être authentifié. apt-get update " "corrigera cela." #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:752 msgid "Manual per distribution release check" msgstr "Vérification manuelle par version de distribution" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:765 msgid "" "In case you want to add now the additional security checks and don't want or " "cannot run the latest apt version

Either because you are using " "the stable, sarge, release or an older release or because you don't " "want to use the latest apt version, although we would really appreciate " "testing of it.

you can use the script below, provided by " "Anthony Towns. This script can automatically do some new security checks to " "allow the user to be sure that the software s/he's downloading matches the " "software Debian's distributing. This stops Debian developers from hacking " "into someone's system without the accountability provided by uploading to " "the main archive, or mirrors mirroring something almost, but not quite like " "Debian, or mirrors providing out of date copies of unstable with known " "security problems." msgstr "" "Au cas où vous voudriez ajouter des vérifications de sécurité " "supplémentaires et que vous ne vouliez pas ou pouviez pas utiliser la " "dernière version d'apt

Soit parce que vous utilisez la version " "stable Sarge ou une version plus ancienne, soit parce que vous ne " "voulez pas utiliser la dernière version d'apt, bien que nous apprécierions " "qu'elle soit testée

vous pouvez utiliser le script ci-dessous " "fourni par Anthony Towns. Ce script peut automatiquement faire certaines " "nouvelles vérifications de sécurité qui permettent à l'utilisateur d'être " "sûr que le logiciel qu'il télécharge correspond à celui de la distribution " "de logiciels Debian. Cela empêche les développeurs Debian d'intégrer des " "nouveautés au système de quelqu'un en outrepassant les responsabilités qui " "incombent au chargement vers l'archive principale, ou encore cela empêche " "une duplication similaire mais pas exactement identique, ou pour finir cela " "empêche l'utilisation de miroirs fournissant des copies anciennes de la " "version unstable ou connaissant des problèmes de sécurité." #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:767 msgid "" "This sample code, renamed as apt-check-sigs, should be used in " "the following way:" msgstr "" "Ce code exemple, renommé en apt-check-sigs, devrait être " "utilisé de la manière suivante :" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:772 #, no-wrap msgid "" "# apt-get update\n" "# apt-check-sigs\n" "(...results...)\n" "# apt-get dist-upgrade" msgstr "" "# apt-get update\n" "# apt-check-sigs\n" "(...résultats...)\n" "# apt-get dist-upgrade" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:776 msgid "First you need to:" msgstr "Avant tout, vous avez besoin de :" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:782 msgid "" "get the keys the archive software uses to sign Release files, " " and add them to " "~/.gnupg/trustedkeys.gpg (which is what gpgv uses " "by default)." msgstr "" "récupérer les clefs que les logiciels de l'archive utilisent pour signer les " "fichiers Release, , et les ajouter à ~/.gnupg/trustedkeys.gpg " "(c'est ce que gpgv utilise par défaut) ;" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:784 #, no-wrap msgid " gpg --no-default-keyring --keyring trustedkeys.gpg --import ziyi_key_2006.asc" msgstr " gpg --no-default-keyring --keyring trustedkeys.gpg --import ziyi_key_2006.asc" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:790 msgid "" "remove any /etc/apt/sources.list lines that don't use the " "normal \"dists\" structure, or change the script so that it works with them." msgstr "" "retirer toutes les lignes de /etc/apt/sources.list qui " "n'utilisent pas la structure normale « dists » ou modifier le " "script afin qu'il fonctionne avec elles ;" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:794 msgid "" "be prepared to ignore the fact that Debian security updates don't have " "signed Release files, and that Sources files don't " "have appropriate checksums in the Release file (yet)." msgstr "" "être prêt à ignorer le fait que les mises à jour de sécurité Debian n'ont " "pas de fichiers Release signés et que les fichiers " "Sources n'ont pas (encore) les sommes de contrôle (« " "checksums ») appropriées dans le fichier Release ;" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:797 msgid "" "be prepared to check that the appropriate sources are signed by the " "appropriate keys." msgstr "" "être prêt à vérifier que les sources appropriées soient signées par les " "clefs appropriées." #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:805 msgid "" "This is the example code for apt-check-sigs, the latest version " "can be retrieved from . This code is currently in beta, for more information read ." msgstr "" "C'est le code exemple pour apt-check-sigs, la dernière version " "peut être récupérée depuis . Ce code est actuellement en bêta, pour de plus amples " "renseignements, consultez ." #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:1050 #, no-wrap msgid "" "#!/bin/bash\n" "\n" "# Copyright (c) 2001 Anthony Towns <ajt@debian.org>\n" "#\n" "# This program is free software; you can redistribute it and/or modify\n" "# it under the terms of the GNU General Public License as published by\n" "# the Free Software Foundation; either version 2 of the License, or\n" "# (at your option) any later version.\n" "#\n" "# This program is distributed in the hope that it will be useful,\n" "# but WITHOUT ANY WARRANTY; without even the implied warranty of\n" "# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n" "# GNU General Public License for more details.\n" "\n" "rm -rf /tmp/apt-release-check\n" "mkdir /tmp/apt-release-check || exit 1\n" "cd /tmp/apt-release-check\n" "\n" ">OK\n" ">MISSING\n" ">NOCHECK\n" ">BAD\n" "\n" "arch=`dpkg --print-installation-architecture`\n" "\n" "am_root () {\n" " [ `id -u` -eq 0 ]\n" "}\n" "\n" "get_md5sumsize () {\n" " cat \"$1\" | awk '/^MD5Sum:/,/^SHA1:/' | \n" " MYARG=\"$2\" perl -ne '@f = split /\\s+/; if ($f[3] eq $ENV{\"MYARG\"}) {\n" "print \"$f[1] $f[2]\\n\"; exit(0); }'\n" "}\n" "\n" "checkit () {\n" " local FILE=\"$1\"\n" " local LOOKUP=\"$2\"\n" "\n" " Y=\"`get_md5sumsize Release \"$LOOKUP\"`\"\n" " Y=\"`echo \"$Y\" | sed 's/^ *//;s/ */ /g'`\"\n" "\n" " if [ ! 
-e \"/var/lib/apt/lists/$FILE\" ]; then\n" " if [ \"$Y\" = \"\" ]; then\n" " # No file, but not needed anyway\n" " echo \"OK\"\n" " return\n" " fi\n" " echo \"$FILE\" >>MISSING\n" " echo \"MISSING $Y\"\n" " return\n" " fi\n" " if [ \"$Y\" = \"\" ]; then\n" " echo \"$FILE\" >>NOCHECK\n" " echo \"NOCHECK\"\n" " return\n" " fi\n" " X=\"`md5sum < /var/lib/apt/lists/$FILE | cut -d\\ -f1` `wc -c < /var/lib\n" "/apt/lists/$FILE`\"\n" " X=\"`echo \"$X\" | sed 's/^ *//;s/ */ /g'`\"\n" " if [ \"$X\" != \"$Y\" ]; then\n" " echo \"$FILE\" >>BAD\n" " echo \"BAD\"\n" " return\n" " fi\n" " echo \"$FILE\" >>OK\n" " echo \"OK\"\n" "}\n" "\n" "echo\n" "echo \"Checking sources in /etc/apt/sources.list:\"\n" "echo \"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\"\n" "echo\n" "(echo \"You should take care to ensure that the distributions you're downloading\n" "\"\n" "echo \"are the ones you think you are downloading, and that they are as up to\"\n" "echo \"date as you would expect (testing and unstable should be no more than\"\n" "echo \"two or three days out of date, stable-updates no more than a few weeks\"\n" "echo \"or a month).\"\n" ") | fmt\n" "echo\n" "\n" "cat /etc/apt/sources.list | \n" " sed 's/^ *//' | grep '^[^#]' |\n" " while read ty url dist comps; do\n" " if [ \"${url%%:*}\" = \"http\" -o \"${url%%:*}\" = \"ftp\" ]; then\n" " baseurl=\"${url#*://}\"\n" " else\n" " continue\n" " fi\n" "\n" " echo \"Source: ${ty} ${url} ${dist} ${comps}\"\n" "\n" " rm -f Release Release.gpg\n" " lynx -reload -dump \"${url}/dists/${dist}/Release\" >/dev/null 2>&1\n" " wget -q -O Release \"${url}/dists/${dist}/Release\"\n" "\n" " if ! 
grep -q '^' Release; then\n" " echo \" * NO TOP-LEVEL Release FILE\"\n" " >Release\n" " else\n" " origline=`sed -n 's/^Origin: *//p' Release | head -1`\n" " lablline=`sed -n 's/^Label: *//p' Release | head -1`\n" " suitline=`sed -n 's/^Suite: *//p' Release | head -1`\n" " codeline=`sed -n 's/^Codename: *//p' Release | head -1`\n" " dateline=`grep \"^Date:\" Release | head -1`\n" " dscrline=`grep \"^Description:\" Release | head -1`\n" " echo \" o Origin: $origline/$lablline\"\n" " echo \" o Suite: $suitline/$codeline\"\n" " echo \" o $dateline\"\n" " echo \" o $dscrline\"\n" "\n" " if [ \"${dist%%/*}\" != \"$suitline\" -a \"${dist%%/*}\" != \"$codeline\" ]; then\n" " echo \" * WARNING: asked for $dist, got $suitline/$codeline\"\n" " fi\n" "\n" " lynx -reload -dump \"${url}/dists/${dist}/Release.gpg\" >/dev/null 2>&1\n" " wget -q -O Release.gpg \"${url}/dists/${dist}/Release.gpg\"\n" "\n" " gpgv --status-fd 3 Release.gpg Release 3>&1 >/dev/null 2>&1 | sed -n \"s/^\\[GNUPG:\\] //p\" | (okay=0; err=\"\"; while read gpgcode rest; do\n" " if [ \"$gpgcode\" = \"GOODSIG\" ]; then\n" " if [ \"$err\" != \"\" ]; then\n" " echo \" * Signed by ${err# } key: ${rest#* }\"\n" " else\n" " echo \" o Signed by: ${rest#* }\"\n" " okay=1\n" " fi\n" " err=\"\"\n" " elif [ \"$gpgcode\" = \"BADSIG\" ]; then\n" " echo \" * BAD SIGNATURE BY: ${rest#* }\"\n" " err=\"\"\n" " elif [ \"$gpgcode\" = \"ERRSIG\" ]; then\n" " echo \" * COULDN'T CHECK SIGNATURE BY KEYID: ${rest %% *}\"\n" " err=\"\"\n" " elif [ \"$gpgcode\" = \"SIGREVOKED\" ]; then\n" " err=\"$err REVOKED\"\n" " elif [ \"$gpgcode\" = \"SIGEXPIRED\" ]; then\n" " err=\"$err EXPIRED\"\n" " fi\n" " done\n" " if [ \"$okay\" != 1 ]; then\n" " echo \" * NO VALID SIGNATURE\"\n" " >Release\n" " fi)\n" " fi\n" " okaycomps=\"\"\n" " for comp in $comps; do\n" " if [ \"$ty\" = \"deb\" ]; then\n" " X=$(checkit \"`echo \"${baseurl}/dists/${dist}/${comp}/binary-${arch}/Release\" | sed 's,//*,_,g'`\" \"${comp}/binary-${arch}/Release\")\n" " 
Y=$(checkit \"`echo \"${baseurl}/dists/${dist}/${comp}/binary-${arch}/Packages\" | sed 's,//*,_,g'`\" \"${comp}/binary-${arch}/Packages\")\n" " if [ \"$X $Y\" = \"OK OK\" ]; then\n" " okaycomps=\"$okaycomps $comp\"\n" " else\n" " echo \" * PROBLEMS WITH $comp ($X, $Y)\"\n" " fi\n" " elif [ \"$ty\" = \"deb-src\" ]; then\n" " X=$(checkit \"`echo \"${baseurl}/dists/${dist}/${comp}/source/Release\" | sed 's,//*,_,g'`\" \"${comp}/source/Release\")\n" " Y=$(checkit \"`echo \"${baseurl}/dists/${dist}/${comp}/source/Sources\" | sed 's,//*,_,g'`\" \"${comp}/source/Sources\")\n" " if [ \"$X $Y\" = \"OK OK\" ]; then\n" " okaycomps=\"$okaycomps $comp\"\n" " else\n" " echo \" * PROBLEMS WITH component $comp ($X, $Y)\"\n" " fi\n" " fi\n" " done\n" " [ \"$okaycomps\" = \"\" ] || echo \" o Okay:$okaycomps\"\n" " echo\n" " done\n" "\n" "echo \"Results\"\n" "echo \"~~~~~~~\"\n" "echo\n" "\n" "allokay=true\n" "\n" "cd /tmp/apt-release-check\n" "diff <(cat BAD MISSING NOCHECK OK | sort) <(cd /var/lib/apt/lists && find . -type f -maxdepth 1 | sed 's,^\\./,,g' | grep '_' | sort) | sed -n 's/^> //p' >UNVALIDATED\n" "\n" "cd /tmp/apt-release-check\n" "if grep -q ^ UNVALIDATED; then\n" " allokay=false\n" " (echo \"The following files in /var/lib/apt/lists have not been validated.\"\n" " echo \"This could turn out to be a harmless indication that this script\"\n" " echo \"is buggy or out of date, or it could let trojaned packages get onto\"\n" " echo \"your system.\"\n" " ) | fmt\n" " echo\n" " sed 's/^/ /' < UNVALIDATED\n" " echo\n" "fi\n" "\n" "if grep -q ^ BAD; then\n" " allokay=false\n" " (echo \"The contents of the following files in /var/lib/apt/lists does not\"\n" " echo \"match what was expected. 
This may mean these sources are out of date,\"\n" " echo \"that the archive is having problems, or that someone is actively\"\n" " echo \"using your mirror to distribute trojans.\"\n" " if am_root; then \n" " echo \"The files have been renamed to have the extension .FAILED and\"\n" " echo \"will be ignored by apt.\"\n" " cat BAD | while read a; do\n" " mv /var/lib/apt/lists/$a /var/lib/apt/lists/${a}.FAILED\n" " done\n" " fi) | fmt\n" " echo\n" " sed 's/^/ /' < BAD\n" " echo\n" "fi\n" "\n" "if grep -q ^ MISSING; then\n" " allokay=false\n" " (echo \"The following files from /var/lib/apt/lists were missing. This\"\n" " echo \"may cause you to miss out on updates to some vulnerable packages.\"\n" " ) | fmt\n" " echo\n" " sed 's/^/ /' < MISSING\n" " echo\n" "fi\n" "\n" "if grep -q ^ NOCHECK; then\n" " allokay=false\n" " (echo \"The contents of the following files in /var/lib/apt/lists could not\"\n" " echo \"be validated due to the lack of a signed Release file, or the lack\"\n" " echo \"of an appropriate entry in a signed Release file. 
This probably\"\n" " echo \"means that the maintainers of these sources are slack, but may mean\"\n" " echo \"these sources are being actively used to distribute trojans.\"\n" " if am_root; then \n" " echo \"The files have been renamed to have the extension .FAILED and\"\n" " echo \"will be ignored by apt.\"\n" " cat NOCHECK | while read a; do\n" " mv /var/lib/apt/lists/$a /var/lib/apt/lists/${a}.FAILED\n" " done\n" " fi) | fmt\n" " echo\n" " sed 's/^/ /' < NOCHECK\n" " echo\n" "fi\n" "\n" "if $allokay; then\n" " echo 'Everything seems okay!'\n" " echo\n" "fi\n" "\n" "rm -rf /tmp/apt-release-check" msgstr "" "#!/bin/bash\n" "\n" "# Copyright (c) 2001 Anthony Towns <ajt@debian.org>\n" "#\n" "# This program is free software; you can redistribute it and/or modify\n" "# it under the terms of the GNU General Public License as published by\n" "# the Free Software Foundation; either version 2 of the License, or\n" "# (at your option) any later version.\n" "#\n" "# This program is distributed in the hope that it will be useful,\n" "# but WITHOUT ANY WARRANTY; without even the implied warranty of\n" "# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n" "# GNU General Public License for more details.\n" "\n" "rm -rf /tmp/apt-release-check\n" "mkdir /tmp/apt-release-check || exit 1\n" "cd /tmp/apt-release-check\n" "\n" ">OK\n" ">MISSING\n" ">NOCHECK\n" ">BAD\n" "\n" "arch=`dpkg --print-installation-architecture`\n" "\n" "am_root () {\n" " [ `id -u` -eq 0 ]\n" "}\n" "\n" "get_md5sumsize () {\n" " cat \"$1\" | awk '/^MD5Sum:/,/^SHA1:/' | \n" " MYARG=\"$2\" perl -ne '@f = split /\\s+/; if ($f[3] eq $ENV{\"MYARG\"}) { \n" "print \"$f[1] $f[2]\\n\"; exit(0); }'\n" "}\n" "\n" "checkit () {\n" " local FILE=\"$1\"\n" " local LOOKUP=\"$2\"\n" "\n" " Y=\"`get_md5sumsize Release \"$LOOKUP\"`\"\n" " Y=\"`echo \"$Y\" | sed 's/^ *//;s/ */ /g'`\"\n" "\n" " if [ ! 
-e \"/var/lib/apt/lists/$FILE\" ]; then\n" " if [ \"$Y\" = \"\" ]; then\n" " # No file, but not needed anyway\n" " echo \"Succès\"\n" " return\n" " fi\n" " echo \"$FILE\" >>MISSING\n" " echo \"$Y manquant\"\n" " return\n" " fi\n" " if [ \"$Y\" = \"\" ]; then\n" " echo \"$FILE\" >>NOCHECK\n" " echo \"Pas de vérification\"\n" " return\n" " fi\n" " X=\"`md5sum < /var/lib/apt/lists/$FILE | cut -d\\ -f1` `wc -c < /var/lib/apt/lists/$FILE`\"\n" " X=\"`echo \"$X\" | sed 's/^ *//;s/ */ /g'`\"\n" " if [ \"$X\" != \"$Y\" ]; then\n" " echo \"$FILE\" >>BAD\n" " echo \"Problème\"\n" " return\n" " fi\n" " echo \"$FILE\" >>OK\n" " echo \"Succès\"\n" "}\n" "\n" "echo\n" "echo \"Vérification des sources dans /etc/apt/sources.list :\"\n" "echo \"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\"\n" "echo\n" "(echo \"Vous devriez vous assurer que les distributions que vous téléchargez\"\n" "echo \"sont bien celles que vous pensez télécharger, et qu'elles sont aussi à\"\n" "echo \"jour que vous pourriez l'espérer (testing et unstable ne devraient pas\"\n" "echo \"être désynchronisées de plus d'un jour ou deux, stable-updates pas plus\"\n" "echo \"de quelques semaines ou un mois).\"\n" ") | fmt\n" "echo\n" "\n" "cat /etc/apt/sources.list | \n" " sed 's/^ *//' | grep '^[^#]' |\n" " while read ty url dist comps; do\n" " if [ \"${url%%:*}\" = \"http\" -o \"${url%%:*}\" = \"ftp\" ]; then\n" " baseurl=\"${url#*://}\"\n" " else\n" " continue\n" " fi\n" "\n" " echo \"Source : ${ty} ${url} ${dist} ${comps}\"\n" "\n" " rm -f Release Release.gpg\n" " lynx -reload -dump \"${url}/dists/${dist}/Release\" >/dev/null 2>&1\n" " wget -q -O Release \"${url}/dists/${dist}/Release\"\n" "\n" " if ! 
grep -q '^' Release; then\n" " echo \" * Pas de fichier Release au premier niveau\"\n" " >Release\n" " else\n" " origline=`sed -n 's/^Origin: *//p' Release | head -1`\n" " lablline=`sed -n 's/^Label: *//p' Release | head -1`\n" " suitline=`sed -n 's/^Suite: *//p' Release | head -1`\n" " codeline=`sed -n 's/^Codename: *//p' Release | head -1`\n" " dateline=`grep \"^Date:\" Release | head -1`\n" " dscrline=`grep \"^Description:\" Release | head -1`\n" " echo \" o Origine : $origline/$lablline\"\n" " echo \" o Suite : $suitline/$codeline\"\n" " echo \" o $dateline\"\n" " echo \" o $dscrline\"\n" "\n" " if [ \"${dist%%/*}\" != \"$suitline\" -a \"${dist%%/*}\" != \"$codeline\" ]; then\n" " echo \" * Attention : $dist était demandée, $suitline/$codeline a été obtenue\"\n" " fi\n" "\n" " lynx -reload -dump \"${url}/dists/${dist}/Release.gpg\" >/dev/null 2>&1\n" " wget -q -O Release.gpg \"${url}/dists/${dist}/Release.gpg\"\n" "\n" " gpgv --status-fd 3 Release.gpg Release 3>&1 >/dev/null 2>&1 | sed -n \"s/^\\[GNUPG:\\] //p\" | (okay=0; err=\"\"; while read gpgcode rest; do\n" " if [ \"$gpgcode\" = \"GOODSIG\" ]; then\n" " if [ \"$err\" != \"\" ]; then\n" " echo \" * Signé par ${err# } clef : ${rest#* }\"\n" " else\n" " echo \" o Signé par : ${rest#* }\"\n" " okay=1\n" " fi\n" " err=\"\"\n" " elif [ \"$gpgcode\" = \"BADSIG\" ]; then\n" " echo \" * Mauvaise signature par : ${rest#* }\"\n" " err=\"\"\n" " elif [ \"$gpgcode\" = \"ERRSIG\" ]; then\n" " echo \" * Impossible de vérifier la signature par identifiant de clef : ${rest %% *}\"\n" " err=\"\"\n" " elif [ \"$gpgcode\" = \"SIGREVOKED\" ]; then\n" " err=\"$err Révoquée\"\n" " elif [ \"$gpgcode\" = \"SIGEXPIRED\" ]; then\n" " err=\"$err Expirée\"\n" " fi\n" " done\n" " if [ \"$okay\" != 1 ]; then\n" " echo \" * Pas de signature valable\"\n" " >Release\n" " fi)\n" " fi\n" " okaycomps=\"\"\n" " for comp in $comps; do\n" " if [ \"$ty\" = \"deb\" ]; then\n" " X=$(checkit \"`echo 
\"${baseurl}/dists/${dist}/${comp}/binary-${arch}/Release\" | sed 's,//*,_,g'`\" \"${comp}/binary-${arch}/Release\")\n" " Y=$(checkit \"`echo \"${baseurl}/dists/${dist}/${comp}/binary-${arch}/Packages\" | sed 's,//*,_,g'`\" \"${comp}/binary-${arch}/Packages\")\n" " if [ \"$X $Y\" = \"Succès Succès\" ]; then\n" " okaycomps=\"$okaycomps $comp\"\n" " else\n" " echo \" * Problèmes avec $comp ($X, $Y)\"\n" " fi\n" " elif [ \"$ty\" = \"deb-src\" ]; then\n" " X=$(checkit \"`echo \"${baseurl}/dists/${dist}/${comp}/source/Release\" | sed 's,//*,_,g'`\" \"${comp}/source/Release\")\n" " Y=$(checkit \"`echo \"${baseurl}/dists/${dist}/${comp}/source/Sources\" | sed 's,//*,_,g'`\" \"${comp}/source/Sources\")\n" " if [ \"$X $Y\" = \"Succès Succès\" ]; then\n" " okaycomps=\"$okaycomps $comp\"\n" " else\n" " echo \" * Problèmes avec le composant $comp ($X, $Y)\"\n" " fi\n" " fi\n" " done\n" " [ \"$okaycomps\" = \"\" ] || echo \" o Okay:$okaycomps\"\n" " echo\n" " done\n" "\n" "echo \"Résultat\"\n" "echo \"~~~~~~~~\"\n" "echo\n" "\n" "allokay=true\n" "\n" "cd /tmp/apt-release-check\n" "diff <(cat BAD MISSING NOCHECK OK | sort) <(cd /var/lib/apt/lists && find . -type f -maxdepth 1 | sed 's,^\\./,,g' | grep '_' | sort) | sed -n 's/^> //p' >UNVALIDATED\n" "\n" "cd /tmp/apt-release-check\n" "if grep -q ^ UNVALIDATED; then\n" " allokay=false\n" " (echo \"Les fichiers suivants de /var/lib/apt/lists n'ont pas été validés.\"\n" " echo \"Cela peut soit être une simple indication inoffensive que ce script\"\n" " echo \"est bogué ou pas à jour, soit un indicateur de porte ouverte aux\"\n" " echo \"paquets de type chevaux de Troie sur le système.\"\n" " ) | fmt\n" " echo\n" " sed 's/^/ /' < UNVALIDATED\n" " echo\n" "fi\n" "\n" "if grep -q ^ BAD; then\n" " allokay=false\n" " (echo \"Les contenus des fichiers suivants de /var/lib/apt/lists ne\"\n" " echo \"correspondent pas à ce qui était attendu. 
Cela peut signifier que\"\n" " echo \"ces sources ne sont pas à jour, qu'il y a un problème d'archive,\"\n" " echo \"ou que quelqu'un est en train d'utiliser le miroir pour distribuer\"\n" " echo \"des chevaux de Troie.\"\n" " if am_root; then \n" " echo \"Les fichiers ont été renommés avec l'extension .FAILED et\"\n" " echo \"seront ignorés par apt.\"\n" " cat BAD | while read a; do\n" " mv /var/lib/apt/lists/$a /var/lib/apt/lists/${a}.FAILED\n" " done\n" " fi) | fmt\n" " echo\n" " sed 's/^/ /' < BAD\n" " echo\n" "fi\n" "\n" "if grep -q ^ MISSING; then\n" " allokay=false\n" " (echo \"Les fichiers suivants de /var/lib/apt/lists manquaient. Cela\"\n" " echo \"pourrait vous faire manquer des mises à jours de paquets vulnérables.\"\n" " ) | fmt\n" " echo\n" " sed 's/^/ /' < MISSING\n" " echo\n" "fi\n" "\n" "if grep -q ^ NOCHECK; then\n" " allokay=false\n" " (echo \"Les contenus des fichiers suivants de /var/lib/apt/lists n'ont pas\"\n" " echo \"pu être validés à cause d'un manque de fichier Release signé, ou\"\n" " echo \"d'un manque d'entrée appropriée dans un fichier Release signé. Cela\"\n" " echo \"signifie probablement que les mainteneurs de ces sources sont\"\n" " echo \"négligents, mais pourrait signifier que ces sources sont en cours\"\n" " echo \"d'utilisation pour distribuer des chevaux de Troie.\"\n" " if am_root; then \n" " echo \"Les fichiers ont été renommés avec l'extension .FAILED et\"\n" " echo \"seront ignorés par apt.\"\n" " cat NOCHECK | while read a; do\n" " mv /var/lib/apt/lists/$a /var/lib/apt/lists/${a}.FAILED\n" " done\n" " fi) | fmt\n" " echo\n" " sed 's/^/ /' < NOCHECK\n" " echo\n" "fi\n" "\n" "if $allokay; then\n" " echo 'Tout semble se passer correctement !'\n" " echo\n" "fi\n" "\n" "rm -rf /tmp/apt-release-check" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:1055 msgid "" "You might need to apply the following patch for sid since " "md5sum adds an '-' after the sum when the input is stdin:" msgstr "" "Vous pourriez devoir ajouter le correctif suivant pour Sid car " "md5sum ajoute un « - » après la somme quand l'entrée provient " "de l'entrée standard :" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:1074 #, no-wrap msgid "" "@@ -37,7 +37,7 @@\n" " local LOOKUP=\"$2\"\n" "\n" " Y=\"`get_md5sumsize Release \"$LOOKUP\"`\"\n" "- Y=\"`echo \"$Y\" | sed 's/^ *//;s/ */ /g'`\"\n" "+ Y=\"`echo \"$Y\" | sed 's/-//;s/^ *//;s/ */ /g'`\"\n" "\n" " if [ ! -e \"/var/lib/apt/lists/$FILE\" ]; then\n" " if [ \"$Y\" = \"\" ]; then\n" "@@ -55,7 +55,7 @@\n" " return\n" " fi\n" " X=\"`md5sum < /var/lib/apt/lists/$FILE` `wc -c < /var/lib/apt/lists/$FILE`\"\n" "- X=\"`echo \"$X\" | sed 's/^ *//;s/ */ /g'`\"\n" "+ X=\"`echo \"$X\" | sed 's/-//;s/^ *//;s/ */ /g'`\"\n" " if [ \"$X\" != \"$Y\" ]; then\n" " echo \"$FILE\" >>BAD\n" " echo \"BAD\"" msgstr "" "@@ -37,7 +37,7 @@\n" " local LOOKUP=\"$2\"\n" "\n" " Y=\"`get_md5sumsize Release \"$LOOKUP\"`\"\n" "- Y=\"`echo \"$Y\" | sed 's/^ *//;s/ */ /g'`\"\n" "+ Y=\"`echo \"$Y\" | sed 's/-//;s/^ *//;s/ */ /g'`\"\n" "\n" " if [ ! -e \"/var/lib/apt/lists/$FILE\" ]; then\n" " if [ \"$Y\" = \"\" ]; then\n" "@@ -55,7 +55,7 @@\n" " return\n" " fi\n" " X=\"`md5sum < /var/lib/apt/lists/$FILE` `wc -c < /var/lib/apt/lists/$FILE`\"\n" "- X=\"`echo \"$X\" | sed 's/^ *//;s/ */ /g'`\"\n" "+ X=\"`echo \"$X\" | sed 's/-//;s/^ *//;s/ */ /g'`\"\n" " if [ \"$X\" != \"$Y\" ]; then\n" " echo \"$FILE\" >>BAD\n" " echo \"Problème\"" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:1078 msgid "Release check of non Debian sources" msgstr "Vérification de distribution pour les sources non Debian" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:1087 msgid "" "Notice that, when using the latest apt version (with secure apt) no " "extra effort should be required on your part unless you use non-Debian " "sources, in which case an extra confirmation step will be required by apt-" "get. This is avoided by providing Release and Release." "gpg files in the non-Debian sources. The Release file " "can be generated with apt-ftparchive (available in apt-" "utils 0.5.0 and later), the Release.gpg is just a " "detached signature. To generate both follow this simple procedure:" msgstr "" "Notez que, lors de l'utilisation de la dernière version d'apt (avec apt " "sécurisé), aucun effort supplémentaire ne devrait être nécessaire de votre " "part sauf si vous utilisez des sources non Debian, auquel cas une étape de " "confirmation supplémentaire sera imposée par apt-get. C'est évité en " "fournissant les fichiers Release et Release.gpg " "dans les sources non Debian. Le fichier Release peut être " "généré avec apt-ftparchive (disponible dans apt-utils 0.5.0 et ultérieur), le fichier Release.gpg est " "simplement une signature détachée. Pour générer les deux fichiers, suivez " "cette procédure simple :" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:1091 #, no-wrap msgid "" "$ rm -f dists/unstable/Release\n" "$ apt-ftparchive release dists/unstable > dists/unstable/Release\n" "$ gpg --sign -ba -o dists/unstable/Release.gpg dists/unstable/Release" msgstr "" "$ rm -f dists/unstable/Release\n" "$ apt-ftparchive release dists/unstable > dists/unstable/Release\n" "$ gpg --sign -ba -o dists/unstable/Release.gpg dists/unstable/Release" #. type: #: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:1095 msgid "Alternative per-package signing scheme" msgstr "Schéma alternatif de signature par paquet" #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:1101 msgid "" "The additional scheme of signing each and every packages allows packages to " "be checked when they are no longer referenced by an existing Packages file, and also third-party packages where no Packages " "ever existed for them can be also used in Debian but will not be default " "scheme." msgstr "" "Le schéma supplémentaire de signature de chacun des paquets permet aux " "paquets d'être vérifiés quand ils ne sont plus référencés par un fichier " "Packages existant, et également pour les paquets de tierce " "partie dont aucun Packages n'a jamais existé, pour qu'ils " "puissent être utilisés dans Debian, mais ce ne sera pas le schéma par défaut." # NOTE: s/prefered/preferred/ #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:1110 msgid "" "This package signing scheme can be implemented using debsig-verify and debsigs. These two packages can sign and " "verify embedded signatures in the .deb itself. Debian already has the " "capability to do this now, but there is no feature plan to implement the " "policy or other tools since the archive signing scheme is prefered. These " "tools are available for users and archive administrators that would rather " "use this scheme instead." msgstr "" "Ce schéma de signature des paquets peut être implémenté en utilisant " "debsig-verify et debsigs. Ces deux " "paquets peuvent signer et vérifier des signatures intégrées au .deb lui-" "même. Debian a déjà la capacité de faire cela actuellement, mais il n'y a " "aucun projet de mettre en place une charte ou d'autres outils puisque la " "signature de l'archive est préférée. Ces outils sont disponibles aux " "utilisateurs et aux administrateurs d'archive qui pourraient préférer " "utiliser ce schéma." #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:1116 msgid "" "Latest dpkg versions (since 1.9.21) incorporate a that provides this functionality as soon as " "debsig-verify is installed." msgstr "" "Les dernières versions de dpkg (à partir de la " "version 1.9.21) contiennent un qui fournit " "cette fonctionnalité dès que debsig-verify est installé." #. type:

#: securing-debian-howto.en.sgml:55 en/infrastructure.sgml:1119 msgid "" "NOTE: Currently /etc/dpkg/dpkg.cfg ships with \"no-debsig\" as " "per default." msgstr "" "Note : actuellement, /etc/dpkg/dpkg.cfg est livré avec " "« no-debsig » par défaut." #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:3 msgid "" "NOTE2: Signatures from developers are currently stripped when they enter off " "the package archive since the currently preferred method is release checks " "as described previously." msgstr "" "Seconde note : les signatures des développeurs sont actuellement enlevées " "lors de l'entrée du paquet dans l'archive car la méthode actuellement " "préférée est par vérification de distribution comme décrit précédemment." #. type: #: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:5 msgid "Security tools in Debian" msgstr "Outils de sécurité dans Debian" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:7 msgid "FIXME: More content needed." msgstr "FIXME : Besoin de plus de contenu." #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:13 msgid "" "Debian provides also a number of security tools that can make a Debian box " "suited for security purposes. These purposes include protection of " "information systems through firewalls (either packet or application-level), " "intrusion detection (both network and host based), vulnerability assessment, " "antivirus, private networks, etc." msgstr "" "Debian fournit un certain nombre d'outils qui peuvent rendre un système " "Debian apte à une utilisation sécurisée, y compris la protection des " "systèmes d'information au travers de pare-feu (qui agissent au niveau des " "paquets ou de la couche application), de systèmes de détection d'intrusions " "(basés sur le réseau ou sur l'hôte), d'évaluation des vulnérabilités, " "d'antivirus, de réseaux privés, etc." #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:22 msgid "" "Since Debian 3.0 (woody), the distribution features cryptographic " "software integrated into the main distribution. OpenSSH and GNU Privacy " "Guard are included in the default install, and strong encryption is now " "present in web browsers and web servers, databases, and so forth. Further " "integration of cryptography is planned for future releases. This software, " "due to export restrictions in the US, was not distributed along with the " "main distribution but included only in non-US sites." msgstr "" "Depuis Debian 3.0 (Woody), la distribution propose des " "logiciels de chiffrement intégrés à la distribution principale (main). OpenSSH et GNU Privacy Guard font partie de l'installation par défaut " "et le chiffrement fort est maintenant présent dans les navigateurs web, les " "serveurs web, les bases de données, etc. Une intégration plus poussée du " "chiffrement est prévue pour les versions ultérieures. Ces logiciels, à cause " "de restrictions d'exportation aux États-Unis, n'étaient pas distribués avec " "la distribution principale, mais inclus seulement dans les sites hors des " "États-Unis." #. type: #: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:24 msgid "Remote vulnerability assessment tools" msgstr "Outils d'évaluation des vulnérabilités à distance" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:30 msgid "" "The tools provided by Debian to perform remote vulnerability assessment are: " "

Some of them are provided when installing the harden-" "remoteaudit package.

" msgstr "" "Les outils fournis dans Debian pour effectuer une évaluation des " "vulnérabilités à distance sont :

Certains d'entre eux sont " "fournis en installant le paquet harden-remoteaudit.

" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:32 msgid "nessus" msgstr "nessus ;" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:33 msgid "raccess" msgstr "raccess ;" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:34 msgid "nikto (whisker's replacement)" msgstr "nikto (en remplacement de whisker)." #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:47 msgid "" "By far, the most complete and up-to-date tools is nessus " "which is composed of a client (nessus) used as a GUI and " "a server (nessusd) which launches the programmed attacks. " "Nessus includes remote vulnerabilities for quite a number of systems " "including network appliances, ftp servers, www servers, etc. The latest " "security plugins are able even to parse a web site and try to discover which " "interactive pages are available which could be attacked. There are also Java " "and Win32 clients (not included in Debian) which can be used to contact the " "management server." msgstr "" "De loin l'outil le plus complet et mis à jour, nessus est " "composé d'un client (nessus) utilisé comme une interface " "graphique et d'un serveur (nessusd) qui lance les " "attaques programmées. Nessus connait des vulnérabilités à distance pour un " "grand nombre de systèmes y compris les appareils réseaux, les serveurs FTP, " "les serveurs HTTP, etc. Les dernières versions sont même capables de " "parcourir un site web et d'essayer de découvrir les pages interactives qui " "sont susceptibles d'être attaquées. Il existe également des clients Java et " "Win32 (non fournis dans Debian) qui peuvent être utilisés pour contacter le " "serveur de gestion." #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:53 msgid "" "nikto is a web-only vulnerability assessment scanner " "including anti-IDS tactics (most of which are not anti-IDS " "anymore). It is one of the best cgi-scanners available, being able to detect " "a WWW server and launch only a given set of attacks against it. The database " "used for scanning can be easily modified to provide for new information." msgstr "" "nikto est un scanner pour évaluer les vulnérabilités d'un " "serveur HTTP et qui utilise des stratégies afin de contrer les systèmes de " "détection d'intrusions (IDS). Les IDS évoluant également, la plupart de ces " "techniques finissent par ne plus être efficaces comme anti-IDS. " "C'est tout de même l'un des meilleurs scanners disponibles pour tester les " "CGI et il est capable de détecter le serveur web utilisé afin de ne lancer " "les attaques que si elles ont des chances de fonctionner. De plus, la base " "de données utilisée pour scanner peut être facilement modifiée afin " "d'ajouter de nouveaux tests." #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:59 msgid "" "Debian does provide some tools used for remote scanning of hosts (but not " "vulnerability assessment). These tools are, in some cases, used by " "vulnerability assessment scanners as the first type of \"attack\" run " "against remote hosts in an attempt to determine remote services available. " "Currently Debian provides:" msgstr "" "Debian fournit quelques outils pour parcourir des hôtes distants (toutefois " "en n'examinant pas les vulnérabilités). Ces outils sont, dans certains cas, " "utilisés par des scanners de vulnérabilités comme premier type " "d'« attaques » lancées contre des hôtes distants afin de tenter de " "déterminer les services disponibles. À l'heure actuelle, Debian " "fournit :" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:61 msgid "nmap" msgstr "nmap ;" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:62 msgid "xprobe" msgstr "xprobe ;" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:63 msgid "p0f" msgstr "p0f ;" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:64 msgid "knocker" msgstr "knocker ;" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:65 msgid "isic" msgstr "isic ;" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:66 msgid "hping2" msgstr "hping3 ;" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:67 msgid "icmpush" msgstr "icmpush ;" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:68 msgid "nbtscan (for SMB /NetBIOS audits)" msgstr "nbtscan (pour audits SMB ou NetBIOS) ;" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:69 msgid "fragrouter" msgstr "fragrouter ;" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:70 msgid "strobe (in the netdiag package)" msgstr "strobe (dans le paquet netdiag) ;" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:71 msgid "irpas" msgstr "irpas." #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:84 msgid "" "While xprobe provide only remote operating system " "detection (using TCP/IP fingerprinting, nmap and " "knocker do both operating system detection and port " "scanning of the remote hosts. On the other hand, hping2 " "and icmpush can be used for remote ICMP attack techniques." msgstr "" "Même si xprobe ne permet que la détection des systèmes " "d'exploitation (en utilisant des empreintes TCP/IP), nmap " "et knocker font les deux : la détection du système " "d'exploitation et la détection de l'état des ports sur un système distant. " "D'un autre côté, hping3 et icmpush " "peuvent être utilisés dans le cadre d'attaques à distance par ICMP." #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:89 msgid "" "Designed specifically for SMB networks, nbtscan can be " "used to scan IP networks and retrieve name information from SMB-enabled " "servers, including: usernames, network names, MAC addresses..." msgstr "" "Conçu spécifiquement pour les réseaux SMB, nbtscan peut " "être utilisé pour scanner les réseaux IP et obtenir des informations sur les " "noms des serveurs ayant activé la prise en charge de NetBIOS, y compris " "l'adresse IP, le nom NetBIOS de l'ordinateur, les noms des utilisateurs " "connectés, les noms des réseaux, les adresses MAC, etc." #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:93 msgid "" "On the other hand, fragrouter can be used to test network " "intrusion detection systems and see if the NIDS can be eluded by " "fragmentation attacks." msgstr "" "D'un autre côté, fragrouter peut être utilisé pour tester " "des systèmes de détection d'intrusion réseau et voir si le NIDS peut être " "éludé par des attaques par fragmentation (de paquets)." #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:96 msgid "" "FIXME: Check " "(ITP fragrouter) to see if it's included." msgstr "" "FIXME : Vérifier le (ITP fragrouter) pour voir s'il est inclus." #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:102 msgid "" "FIXME add information based on " "which describes how to use Debian and a laptop to scan for wireless (803.1) " "networks (link not there any more)." msgstr "" "FIXME : Ajouter des informations basées sur qui décrit comment utiliser Debian et un ordinateur " "portable pour parcourir les réseaux sans fil (803.1)." #. type: #: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:103 msgid "Internal audits" msgstr "Audits internes" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:108 msgid "" "Currently, only the tiger tool used in Debian can be used " "to perform internal (also called white box) audit of hosts in order to " "determine if the file system is properly set up, which processes are " "listening on the host, etc." msgstr "" "De nos jours, seul l'outil tiger utilisé dans Debian peut " "être utilisé pour effectuer un audit interne (également appelé boîte " "blanche, « white box ») d'hôtes de façon à déterminer si le système de " "fichiers est installé correctement, les processus à l'écoute sur l'hôte, etc." #. type: #: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:109 msgid "Auditing source code" msgstr "Contrôle du code source" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:112 msgid "" "Debian provides several packages that can be used to audit C/C++ source code " "programs and find programming errors that might lead to potential security " "flaws:" msgstr "" "Debian fournit plusieurs paquets qui peuvent être utilisés afin de contrôler " "le code source de programmes écrits en C ou C++ et d'identifier des erreurs " "de programmation qui pourraient conduire à des failles de sécurité " "exploitables :" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:114 msgid "flawfinder" msgstr "flawfinder ;" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:115 msgid "rats" msgstr "rats ;" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:116 msgid "splint" msgstr "splint ;" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:117 msgid "pscan" msgstr "pscan." #. type: #: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:121 msgid "Virtual Private Networks" msgstr "Réseaux Privés Virtuels" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:129 msgid "" "A virtual private network (VPN) is a group of two or more computer systems, " "typically connected to a private network with limited public network access, " "that communicate securely over a public network. VPNs may connect a single " "computer to a private network (client-server), or a remote LAN to a private " "network (server-server). VPNs often include the use of encryption, strong " "authentication of remote users or hosts, and methods for hiding the private " "network's topology." msgstr "" "Un réseau privé virtuel (VPN) est un groupe d'au moins deux ordinateurs, " "habituellement reliés à un réseau privé offrant un accès réseau public " "limité, qui communiquent de façon sécurisée par l'intermédiaire d'un réseau " "public. Les VPN peuvent connecter un seul ordinateur à un réseau privé " "(client-serveur) ou un réseau local (LAN) distant à un réseau privé (serveur-" "serveur). Les VPN incluent souvent l'utilisation du chiffrement, une " "authentification forte des utilisateurs ou hôtes distants et des méthodes " "pour cacher la topologie du réseau privé." #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:132 msgid "" "Debian provides quite a few packages to set up encrypted virtual private " "networks:" msgstr "" "Debian fournit un nombre assez important de paquets pour mettre en place des " "réseaux privés virtuels chiffrés :" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:135 msgid "vtun" msgstr "vtun ;" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:136 msgid "tunnelv (non-US section)" msgstr "tunnelv (section non-US) ;" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:137 msgid "cipe-source, cipe-common" msgstr "cipe-source, cipe-common ;" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:138 msgid "tinc" msgstr "tinc ;" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:139 msgid "secvpn" msgstr "secvpn ;" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:140 msgid "pptpd" msgstr "pptp ;" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:141 msgid "openvpn" msgstr "openvpn ;" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:143 msgid "openswan ()" msgstr "openswan ()." #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:150 msgid "" "FIXME: Update the information here since it was written with FreeSWAN in " "mind. Check Bug #237764 and Message-Id: <200412101215.04040.rmayr@debian." "org>." msgstr "" "FIXME : Mettre à jour cette information car elle a été écrite en pensant à " "FreeSWAN. Vérifier le bogue nº 237764 et le Message-Id: " "<200412101215.04040.rmayr@debian.org>." #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:158 msgid "" "The OpenSWAN package is probably the best choice overall, since it promises " "to interoperate with almost anything that uses the IP security protocol, " "IPsec (RFC 2411). However, the other packages listed above can also help you " "get a secure tunnel up in a hurry. The point to point tunneling protocol " "(PPTP) is a proprietary Microsoft protocol for VPN. It is supported under " "Linux, but is known to have serious security issues." msgstr "" "Le paquet OpenSWAN est probablement le meilleur choix dans l'ensemble étant " "donné qu'il promet d'être fonctionnel avec tout matériel gérant le protocole " "de sécurité d'IP, IPsec (RFC 2411). Cependant, les autres paquets " "mentionnés ci-dessus peuvent aussi vous aider à obtenir un tunnel sécurisé " "rapidement. Le protocole de tunnel point à point (PPTP) est le protocole " "propriétaire Microsoft pour les VPN. Il est pris en charge sous Linux mais " "il est connu pour avoir de sérieux problèmes de sécurité." #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:168 msgid "" "For more information see the (covers IPsec and " "PPTP), (covers PPP over SSH), , and ." msgstr "" "Pour plus d'informations, lire le (couvre IPsec " "et PPTP), le (couvre PPP à travers SSH), le et le " "." #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:172 msgid "" "Also worth checking out is , but no Debian packages seem to be available yet." msgstr "" "Cela vaut également le coup de vérifier , mais aucun paquet Debian ne semble être disponible " "pour l'instant." #. type: #: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:174 msgid "Point to Point tunneling" msgstr "Le tunnel point à point" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:180 msgid "" "If you want to provide a tunneling server for a mixed environment (both " "Microsoft operating systems and Linux clients) and IPsec is not an option " "(since it's only provided for Windows 2000 and Windows XP), you can use " "PoPToP (Point to Point Tunneling Server), provided in the " "pptpd package." msgstr "" "Si vous désirez fournir un serveur de tunnel pour un environnement mixte (à " "la fois pour les systèmes d'exploitation Microsoft et les clients Linux) et " "qu'IPsec n'est pas une option (car il n'est fourni que pour Windows 2000 et " "Windows XP), vous pouvez utiliser PoPToP (serveur de tunnel point à " "point), fourni dans le paquet pptpd." #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:184 msgid "" "If you want to use Microsoft's authentication and encryption with the server " "provided in the ppp package, note the following from the " "FAQ:" msgstr "" "Si vous voulez utiliser l'authentification et le chiffrage de Microsoft avec " "le serveur fourni dans le paquet ppp, veuillez noter la " "remarque suivante de la FAQ :" #. type: #: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:190 #, no-wrap msgid "" "It is only necessary to use PPP 2.3.8 if you want Microsoft compatible\n" "MSCHAPv2/MPPE authentication and encryption. The reason for this is that\n" "the MSCHAPv2/MPPE patch currently supplied (19990813) is against PPP\n" "2.3.8. If you don't need Microsoft compatible authentication/encryption\n" "any 2.3.x PPP source will be fine." msgstr "" "Utiliser PPP 2.3.8 n'est nécessaire que si vous voulez une\n" "authentification et un chiffrement compatible Microsoft MSCHAPv2/MPPE.\n" "La raison est que le correctif MSCHAPv2/MPPE actuellement fourni\n" "(19990813) est relatif à PPP 2.3.8. Si vous n'avez pas besoin de\n" "l'authentification ou du chiffrement compatible Microsoft, n'importe\n" "quelle source PPP 2.3.x fera l'affaire." #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:196 msgid "" "However, you also have to apply the kernel patch provided by the " "kernel-patch-mppe package, which provides the pp_mppe " "module for pppd." msgstr "" "Vous devez cependant appliquer le correctif noyau fourni par le paquet " "kernel-patch-mppe qui fournit le module pp_mppe pour pppd." #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:201 msgid "" "Take into account that the encryption in ppptp forces you to store user " "passwords in clear text, and that the MS-CHAPv2 protocol contains ." msgstr "" "N'oubliez pas que le chiffrement dans pptp vous oblige à stocker les mots " "de passe utilisateur en clair et que le protocole MS-CHAPv2 contient des " "." #. type: #: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:203 msgid "Public Key Infrastructure (PKI)" msgstr "Infrastructure de clefs publiques (PKI)" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:209 msgid "" "Public Key Infrastructure (PKI) is a security architecture introduced to " "provide an increased level of confidence for exchanging information over " "insecure networks. It makes use of the concept of public and private " "cryptographic keys to verify the identity of the sender (signing) and to " "ensure privacy (encryption)." msgstr "" "L'infrastructure de clefs publiques (PKI) est une architecture de sécurité " "introduite pour fournir un niveau de confiance amélioré lors de l'échange " "d'informations sur des réseaux non sécurisés. Elle utilise le concept de " "clefs de chiffrement publique et privée pour vérifier l'identité de " "l'expéditeur (signature) et garantir la confidentialité (chiffrement)." #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:212 msgid "" "When considering a PKI, you are confronted with a wide variety of issues:" msgstr "" "Lorsque vous vous intéressez aux PKI, vous vous trouvez confronté à une " "grande variété d'outils :" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:217 msgid "" "a Certificate Authority (CA) that can issue and verify certificates, and " "that can work under a given hierarchy." msgstr "" "une autorité de certification (Certificate Authority – CA) qui peut " "émettre et vérifier des certificats, et travailler sous une hiérarchie " "donnée ;" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:219 msgid "a Directory to hold user's public certificates." msgstr "" "un répertoire pour conserver les certificats publics des utilisateurs ;" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:221 msgid "a Database (?) to maintain Certificate Revocation Lists (CRL)." msgstr "" "une base de données pour maintenir une liste des certificats révoqués " "(Certificate Revocation Lists – CRL) ;" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:224 msgid "" "devices that interoperate with the CA in order to print out smart cards/USB " "tokens/whatever to securely store certificates." msgstr "" "des périphériques interopérants avec le CA pour éditer des cartes à puce, " "jetons USB ou n'importe quoi d'autre pour stocker les certificats en " "sécurité ;" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:229 msgid "" "certificate-aware applications that can use certificates issued by a CA to " "enroll in encrypted communication and check given certificates against CRL " "(for authentication and full Single Sign On solutions)." msgstr "" "des applications gérant les certificats, qui peuvent utiliser des certificats " "émis par des CA pour établir une communication chiffrée et vérifier les " "certificats fournis au regard des CRL (pour l'authentification et les " "solutions complètes d'authentification unique – Single Sign On) ;" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:231 msgid "a Time stamping authority to digitally sign documents." msgstr "" "une autorité pour certifier les dates et signer numériquement des documents ;" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:234 msgid "" "a management console from which all of this can be properly used " "(certificate generation, revocation list control, etc...)." msgstr "" "une console de gestion permettant une gestion correcte de tout cela " "(génération de certificats, contrôle de listes de révocation, etc.)" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:247 msgid "" "Debian GNU/Linux has software packages to help you with some of these PKI " "issues. They include OpenSSL (for certificate generation), " "OpenLDAP (as a directory to hold the certificates), " "gnupg and openswan (with X.509 standard support). " "However, as of the Woody release (Debian 3.0), Debian does not have any of " "the freely available Certificate Authorities such as pyCA, or the CA samples from OpenSSL. For more " "information read the ." msgstr "" "Debian GNU/Linux contient des paquets logiciels pour vous aider à résoudre " "ces problèmes de PKI, y compris OpenSSL (pour la génération de " "certificats), OpenLDAP (comme répertoire pour maintenir les " "certificats), gnupg et openswan (avec la prise en " "charge de la norme X.509). Cependant, le système d'exploitation ne fournit " "pas (depuis la version Woody, Debian 3.0) d'autorité de délivrance de " "certificat librement disponible comme pyCA, ou les exemples CA d'OpenSSL. Pour plus d'informations, " "reportez-vous au ." #. type: #: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:249 msgid "SSL Infrastructure" msgstr "Infrastructure SSL" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:256 msgid "" "Debian does provide some SSL certificates with the distribution so that they " "can be installed locally. They are found in the ca-certificates package. This package provides a central repository of certificates " "that have been submitted to Debian and approved (that is, verified) by the " "package maintainer, useful for any OpenSSL applications which verify SSL " "connections." msgstr "" "Debian fournit quelques certificats SSL avec la distribution pour qu'ils " "puissent être installés localement. Ils sont disponibles dans le paquet " "ca-certificates. Ce paquet fournit un dépôt central des " "certificats qui ont été soumis à Debian et approuvés (c'est-à-dire vérifiés) " "par le responsable du paquet, cela est utile pour toutes les applications " "OpenSSL qui vérifient des connexions SSL." #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:258 msgid "FIXME: read debian-devel to see if there was something added to this." msgstr "" "FIXME : Lire debian-devel pour voir s'il y a quelque chose à ajouter à cela." #. type: #: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:260 msgid "Antivirus tools" msgstr "Outils antivirus" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:272 msgid "" "There are not many anti-virus tools included with Debian GNU/Linux, probably " "because GNU/Linux users are not plagued by viruses. The Unix security model " "makes a distinction between privileged (root) processes and user-owned " "processes, therefore a \"hostile\" executable that a non-root user receives " "or creates and then executes cannot \"infect\" or otherwise manipulate the " "whole system. However, GNU/Linux worms and viruses do exist, although there " "has not (yet, hopefully) been any that has spread in the wild over any " "Debian distribution. In any case, administrators might want to build up anti-" "virus gateways that protect against viruses arising on other, more " "vulnerable systems in their network." msgstr "" "Il n'y a pas beaucoup d'antivirus fournis avec Debian, probablement parce " "que c'est un problème qui affecte très peu les utilisateurs de Linux. En " "fait, la plupart des antivirus disponibles sous Linux servent à protéger des " "ordinateurs fonctionnant sous un autre système d'exploitation. Cela " "s'explique par le modèle de sécurité UNIX qui fait une distinction entre les " "processus privilégiés (root) et les processus appartenant aux utilisateurs. " "Ainsi, un programme exécutable « hostile » qu'un utilisateur non " "privilégié a reçu ou créé et ensuite exécuté ne peut pas infecter ou d'une " "autre façon manipuler le système d'exploitation lui-même. Cependant, " "quelques virus et vers affectant Linux existent, même si aucun n'a jamais " "réussi à se répandre de façon significative sous Debian. Dans tous les cas, " "les administrateurs peuvent vouloir mettre en place des passerelles " "antivirus pour se protéger contre les virus affectant d'autres systèmes plus " "vulnérables dans leur réseau." #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:275 msgid "" "Debian GNU/Linux currently provides the following tools for building " "antivirus environments:" msgstr "" "Debian GNU/Linux fournit à l'heure actuelle les outils suivants pour mettre " "en place des environnements antivirus." #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:298 msgid "" ", provided since " "Debian sarge (3.1 release). Packages are provided both for the " "virus scanner (clamav) for the scanner daemon " "(clamav-daemon) and for the data files needed for the " "scanner. Since keeping an antivirus up-to-date is critical for it to work " "properly there are two different ways to get this data: clamav-" "freshclam provides a way to update the database through the " "Internet automatically and clamav-data which provides the " "data files directly.

If you use this last package and are " "running an official Debian, the database will not be updated with security " "updates. You should either use clamav-freshclam, " "clamav-getfiles to generate new clamav-data " "packages or update from the maintainers location: deb http://" "people.debian.org/~zugschlus/clamav-data/ / deb-src http://people.debian.org/" "~zugschlus/clamav-data/ /

" msgstr "" ", fourni depuis " "Debian Sarge (version 3.1). Des paquets sont fournis à la fois " "pour le scanneur de virus (clamav), pour le démon de scan " "(clamav-daemon) et pour les fichiers de données " "nécessaires au scanneur. Puisqu'un antivirus doit être à jour afin d'être " "vraiment utile, il y a trois moyens différents pour récupérer ces " "données : clamav-freshclam fournit un moyen de " "mettre à jour la base de données automatiquement par Internet, " "clamav-data fournit les fichiers de données directement." "

Si vous utilisez ce dernier paquet et que vous utilisez une " "Debian officielle, la base de données ne sera pas mise à jour avec les mises " "à jour de sécurité. Vous devrez soit utiliser clamav-freshclam, " "soit utiliser clamav-getfiles pour générer de nouveaux paquets " "clamav-data, soit mettre à jour depuis le dépôt des " "responsables : deb http://people.debian.org/~zugschlus/clamav-" "data/ / deb-src http://people.debian.org/~zugschlus/clamav-data/ /

" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:303 msgid "" "mailscanner an e-mail gateway virus scanner and spam " "detector. Using sendmail or exim as " "its basis, it can use more than 17 different virus scanning engines " "(including clamav)." msgstr "" "mailscanner un scanneur de virus pour passerelle de " "courriels et un détecteur de pourriels. Fonctionnant avec sendmail, postfix ou exim, il peut " "utiliser plus de 17 types de scanneurs de virus différents dont " "clamav." #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:307 msgid "" "libfile-scan-perl which provides File::Scan, a Perl " "extension for scanning files for viruses. This modules can be used to make " "platform independent virus scanners." msgstr "" "libfile-scan-perl qui fournit File::Scan, une extension " "Perl pour scanner des fichiers à la recherche de virus. Ce module peut être " "utilisé pour créer un scanneur de virus indépendant de la plate-forme." #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:314 msgid "" ", provided in the package amavis-ng and " "available in sarge, which is a mail virus scanner which integrates " "with different MTA (Exim, Sendmail, Postfix, or Qmail) and supports over 15 " "virus scanning engines (including clamav, File::Scan and openantivirus)." msgstr "" ", fourni par le paquet amavis-ng et " "disponible dans Sarge, est un scanneur de virus de courriel qui " "s'intègre avec différents serveurs de courriers (Exim, Sendmail, Postfix ou " "Qmail) et qui gère plus de 15 moteurs de recherche de virus (y compris " "clamav, File::Scan et openantivirus)." #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:319 msgid "" ", a tool " "that uses the procmail package, which can scan email " "attachments for viruses, block attachments based on their filenames, and " "more." msgstr "" ", un " "outil qui utilise le paquet procmail, qui peut filtrer " "les attachements de courrier, bloquer les attachements selon leurs noms de " "fichier et plus." #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:324 msgid "" ", a script that provides an interface from a mail transport agent to one " "or more commercial virus scanners (this package is built with support for " "the postfix MTA only)." msgstr "" ", un script qui fournit une interface depuis un MTA vers un ou plusieurs " "scanners commerciaux de virus (ce paquet est seulement construit pour le MTA " "postfix)." #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:327 msgid "" "exiscan, an e-mail virus scanner written in Perl that " "works with Exim." msgstr "" "exiscan, un scanneur de virus de courriel écrit en Perl " "qui fonctionne avec Exim." #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:329 msgid "" "blackhole-qmail a spam filter for Qmail with built-in " "support for Clamav." msgstr "" "blackhole-qmail, un filtre de pourriel pour Qmail avec " "prise en charge intégrée pour Clamav." #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:338 msgid "" "Some gateway daemons support already tools extensions to build antivirus " "environments including exim4-daemon-heavy (the heavy version of the Exim MTA), frox (a transparent caching " "ftp proxy server), messagewall (an SMTP proxy daemon) and " "pop3vscan (a transparent POP3 proxy)." msgstr "" "Certains démons de passerelle proposent déjà des extensions d'outils pour " "construire des environnements antivirus, y compris exim4-daemon-" "heavy (la version lourde du MTA Exim), frox (un serveur mandataire FTP de cache transparent), " "messagewall (un démon mandataire SMTP) et " "pop3vscan (un mandataire POP3 transparent)." #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:343 msgid "" "Debian currently provide clamav as the only antivirus scanning " "software in the main official distribution and it also provides multiple " "interfaces to build gateways with antivirus capabilities for different " "protocols." msgstr "" "Présentement, clamav est l'unique scanneur d'antivirus " "inclus dans la branche officielle de Debian. En revanche, de nombreuses " "interfaces qui permettent d'utiliser l'antivirus avec des passerelles gérant " "différents protocoles sont offertes." #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:346 msgid "" "Some other free software antivirus projects which might be included in " "future Debian GNU/Linux releases:" msgstr "" "D'autres projets de logiciels libres d'antivirus qui pourraient être inclus " "dans une future version de Debian GNU/Linux :" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:355 msgid "" " (see and )." msgstr "" " (consultez les bogues et )." #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:360 msgid "" "FIXME: Is there a package that provides a script to download the latest " "virus signatures from ?" msgstr "" "FIXME : Y a-t-il un paquet fournissant un script qui télécharge les " "dernières signatures de virus depuis  ?" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:363 msgid "" "FIXME: Check if scannerdaemon is the same as the open antivirus scanner " "daemon (read ITPs)." msgstr "" "FIXME : Vérifier si scannerdaemon est le même que le démon scanner antivirus " "open (consultez les ITP)." #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:387 msgid "" "However, Debian will never provide propietary (non-free and " "undistributable) antivirus software such as: Panda Antivirus, NAI Netshield, " ", , or . For more pointers see the . This does not mean that this software cannot " "be installed properly in a Debian system

Actually, there is an " "installer package for the F-prot antivirus, which is non-free but " "gratis for home users, called f-prot-installer. This " "installer, however, just downloads and installs it in the system." "

." msgstr "" "Cependant, Debian ne fournira jamais de logiciels antivirus " "propriétaires et impossibles à redistribuer tels que : Panda Antivirus, " "NAI Netshield, , " " ou . Cela ne veut évidemment " "pas dire que ces logiciels ne peuvent pas être installés correctement sur un " "système Debian

Un paquet nommé f-prot-installer est " "en fait un programme d'installation qui téléchargera le logiciel pour " "l'installer sur le système. F-prot lui-même n'est pas libre, mais " "il est gratuit pour l'utilisation personnelle.

." #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:392 msgid "" "For more information on how to set up a virus detection system read Dave " "Jones' article ." msgstr "" "Pour plus d'informations sur la façon de mettre en place un système de " "détection des virus, veuillez lire l'article de Dave Jones ." #. type: #: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:394 msgid "GPG agent" msgstr "Agent GPG" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:400 msgid "" "It is very common nowadays to digitally sign (and sometimes encrypt) e-mail. " "You might, for example, find that many people participating on mailing lists " "sign their list e-mail. Public key signatures are currently the only means " "to verify that an e-mail was sent by the sender and not by some other person." msgstr "" "Il est très courant de nos jours de signer numériquement (et parfois de " "chiffrer) des courriels. Vous pouvez, par exemple, trouver que de nombreuses " "personnes participant sur des listes de diffusion signent leur courriel de " "la liste. Les signatures numériques sont actuellement le seul moyen de " "vérifier qu'un message a été envoyé par l'expéditeur et non par une autre " "personne." #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:404 msgid "" "Debian GNU/Linux provides a number of e-mail clients with built-in e-mail " "signing capabilities that interoperate either with gnupg " "or pgp:" msgstr "" "Debian GNU/Linux fournit un certain nombre de clients de messagerie avec des " "fonctionnalités de signature de courriels intégrées qui interagissent soit " "avec gnupg, soit avec pgp :" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:406 msgid "evolution." msgstr "evolution ;" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:407 msgid "mutt." msgstr "mutt ;" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:408 msgid "kmail." msgstr "kmail ;" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:413 msgid "" "icedove (rebranded version of Mozilla's Thunderbird) " "through the " "plugin. This plugin is provided by the enigmail package." msgstr "" "icedove (version sans marque de Mozilla Thunderbird) avec " "le greffon . Ce " "greffon est fourni par le paquet enigmail ;" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:417 msgid "" "sylpheed. Depending on how the stable version of this " "package evolves, you may need to use the bleeding edge version, " "sylpheed-claws." msgstr "" "sylpheed. Selon la façon dont évolue la version stable de " "ce paquet, vous pouvez avoir besoin d'utiliser la version dernier cri, sylpheed-claws ;" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:421 msgid "" "gnus, which when installed with the mailcrypt package, is an emacs interface to gnupg." msgstr "" "gnus, qui, lorsqu'il est installé avec le paquet " "mailcrypt, est une interface emacs à " "gnupg ;" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:425 msgid "" "kuvert, which provides this functionality independently " "of your chosen mail user agent (MUA) by interacting with the mail transport " "agent (MTA)." msgstr "" "kuvert, qui fournit cette fonctionnalité indépendamment " "du client de messagerie choisi en interagissant avec l'agent de transport de " "courrier (MTA)." #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:439 msgid "" "Key servers allow you to download published public keys so that you may " "verify signatures. One such key server is . gnupg can automatically fetch public keys that are " "not already in your public keyring. For example, to configure gnupg to use the above key server, edit the file ~/.gnupg/options and add the following line:

For more examples of how to " "configure gnupg check /usr/share/doc/mutt/examples/gpg." "rc.

" msgstr "" "Les serveurs de clefs permettent de télécharger des clefs publiques publiées " "pour pouvoir vérifier des signatures. Un tel serveur est . gnupg peut récupérer automatiquement " "des clefs publics qui ne sont pas déjà dans votre trousseau (keyring) " "public. Par exemple, pour configurer gnupg pour utiliser le " "serveur de clefs ci-dessus, modifiez le fichier ~/.gnupg/options en ajoutant la ligne suivante :

Pour plus d'exemples " "sur la façon de configurer gnupg, consultez /usr/share/" "doc/mutt/examples/gpg.rc.

" #. type: #: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:441 #, no-wrap msgid "keyserver wwwkeys.pgp.net" msgstr "keyserver wwwkeys.pgp.net" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:450 msgid "" "Most key servers are linked, so that when your public key is added to one " "server, the addition is propagated to all the other public key servers. " "There is also a Debian GNU/Linux package debian-keyring, " "that provides all the public keys of the Debian developers. The gnupg keyrings are installed in /usr/share/keyrings/." msgstr "" "La plupart des serveurs de clefs sont liés de telle sorte que, lorsqu'une clef " "publique est ajoutée à un serveur, l'ajout soit propagé à tous les " "autres serveurs de clefs publiques. Le paquet debian-keyring fournit aussi les clefs publiques des développeurs Debian. Les " "trousseaux gnupg sont installés dans /usr/share/keyrings/" "." #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:452 msgid "For more information:" msgstr "Pour de plus amples renseignements :" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:456 msgid "." msgstr "" " ;" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:459 msgid "" "." msgstr "" " ;" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:463 msgid "" "." msgstr "" " ;" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:466 msgid "" "." msgstr "" " ;" #. type:

#: securing-debian-howto.en.sgml:56 en/sec-tools.sgml:469 msgid "" "." msgstr "" "." #. type: #: securing-debian-howto.en.sgml:57 en/developer.sgml:8 msgid "Developer's Best Practices for OS Security" msgstr "Meilleures pratiques de sécurité pour les développeurs" #. type:

#: securing-debian-howto.en.sgml:57 en/developer.sgml:15 msgid "" "This chapter introduces some best secure coding practices for developers " "writing Debian packages. If you are really interested in secure coding I " "recommend you read David Wheeler's and by Mark G. Graff and Kenneth R. van Wyk (O'Reilly, 2003)." msgstr "" "Ce chapitre introduit certaines des meilleures pratiques de code sécurisé " "pour les développeurs écrivant des paquets Debian. Si vous êtes vraiment " "intéressé par le code sécurisé, vous devriez lire le de David Wheeler et de Mark G. Graff et " "Kenneth R. van Wyk (O'Reilly, 2003)." #. type: #: securing-debian-howto.en.sgml:57 en/developer.sgml:16 msgid "Best practices for security review and design" msgstr "Meilleures pratiques de vérification et conception sécurisées" # NOTE: s/that/who/ #. type:

#: securing-debian-howto.en.sgml:57 en/developer.sgml:20 msgid "" "Developers that are packaging software should make a best effort to ensure " "that the installation of the software, or its use, does not introduce " "security risks to either the system it is installed on or its users." msgstr "" "Les développeurs qui empaquettent des logiciels devraient faire de leur " "mieux pour s'assurer que l'installation du logiciel, ou son utilisation, " "n'introduit pas de risques en matière de sécurité à la fois au système où il " "est installé et à ses utilisateurs." #. type:

#: securing-debian-howto.en.sgml:57 en/developer.sgml:34 msgid "" "In order to do so, they should make their best to review the source code of " "the package and detect any flaws that might introduce security bugs before " "releasing the software or distributing a new version. It is acknowledged " "that the cost of fixing bugs grows for different stages of its development, " "so it is easier (and cheaper) to fix bugs when designing than when the " "software has been deployed and is in maintenance mode (some studies say that " "the cost in this later phase is sixty times higher). " "Although there are some tools that try to automatically detect these flaws, " "developers should strive to learn about the different kind of security flaws " "in order to understand them and be able to spot them in the code they (or " "others) have written." msgstr "" "Pour ce faire, ils devraient faire de leur mieux pour examiner le code " "source du paquet et détecter tous les défauts qui pourraient introduire des " "bogues de sécurité avant de publier le programme ou de distribuer une " "nouvelle version. Il est reconnu que le coût de correction de bogues " "augmente aux différentes étapes de son développement, il est donc plus " "facile (et moins coûteux) de corriger les bogues lors de la conception " "qu'une fois le logiciel déployé et en mode maintenance (plusieurs études " "disent que le coût dans cette dernière phase est soixante " "fois plus élevé). Bien que plusieurs outils essayent de détecter " "automatiquement ces défauts, les développeurs devraient faire leur possible " "pour se tenir au courant des différents types de défauts de sécurité afin de " "les comprendre et être capable de les remarquer dans le code qu'ils (ou " "d'autres) ont écrit." #. type:

#: securing-debian-howto.en.sgml:57 en/developer.sgml:52 msgid "" "The programming bugs which lead to security bugs typically include: , " "format string overflows, heap overflows and integer overflows (in C/C++ " "programs), temporary (in scripts), and " "command injection (in servers) and , and (in the " "case of web-oriented applications). For a more complete information on " "security bugs review Fortify's ." msgstr "" "Parmi les bogues de programmation qui conduisent à des bogues de sécurité, " "les plus typiques sont les , les dépassements " "de chaîne de formatage, les dépassements de tas et les dépassements d'entier " "(dans les programmes en C ou C++), les temporaires (dans les scripts), les " "et les injections de commande (sur les serveurs) et , et " "les (dans le cas des applications orientées web). Pour de " "plus amples renseignements sur les bogues de sécurité, consultez la de Fortify." #. type:

#: securing-debian-howto.en.sgml:57 en/developer.sgml:62 msgid "" "Some of these issues might not be easy to spot unless you are an expert in " "the programming language the software uses, but some security problems are " "easy to detect and fix. For example, finding temporary race conditions due " "to misuse of temporary directories can easily be done just by running " "grep -r \"/tmp/\" .. Those calls can be reviewed and replace the " "hardcoded filenames using temporary directories to calls to either " "mktemp or tempfile in shell scripts, in Perl scripts, or in C/C++." msgstr "" "Certains de ces problèmes pourraient ne pas être faciles à repérer à moins " "d'être un expert dans le langage de programmation utilisé par le logiciel, " "mais certains problèmes sont faciles à détecter et à corriger. Par exemple, " "trouver des situations de compétition sur les fichiers temporaires à cause " "d'une mauvaise utilisation de répertoires temporaires peut se faire " "facilement en exécutant « grep -r \"/tmp/\" . ». Ces appels peuvent " "être examinés et les noms de fichiers écrits en dur, utilisant des " "répertoires temporaires, remplacés par des appels à mktemp ou " "tempfile dans les scripts d'interpréteur, dans les scripts Perl ou en C ou C++." #. type:

#: securing-debian-howto.en.sgml:57 en/developer.sgml:70 msgid "" "There are a set of tools available to assist to the security code review " "phase. These include rats, flawfinder " "and pscan. For more information, read the ." msgstr "" "Certains outils permettent d'aider à l'examen de sécurité du code, comme " "rats, flawfinder et pscan. Pour de plus amples renseignements, consultez la ." #. type:

#: securing-debian-howto.en.sgml:57 en/developer.sgml:73 msgid "" "When packaging software developers have to make sure that they follow common " "security principles, including:" msgstr "" "Lors de l'empaquetage, les développeurs de logiciel doivent s'assurer de " "suivre les principes de sécurité habituels, y compris :" #. type:

#: securing-debian-howto.en.sgml:57 en/developer.sgml:77 msgid "The software runs with the minimum privileges it needs:" msgstr "le logiciel s'exécute avec le minimum de droits nécessaires :" #. type:

#: securing-debian-howto.en.sgml:57 en/developer.sgml:86 msgid "" "The package does install binaries setuid or setgid. Lintian " "will warn of , and binaries." msgstr "" "le paquet installe des binaires setuid or setgid. Lintian " "avertira des binaires , ou  ;" #. type:

#: securing-debian-howto.en.sgml:57 en/developer.sgml:89 msgid "" "The daemons the package provide run with a low privilege user (see )" msgstr "" "les démons fournis par le paquet s'exécutent avec un utilisateur aux droits " "restreints (consultez ) ;" #. type:

#: securing-debian-howto.en.sgml:57 en/developer.sgml:95 msgid "" "Programmed (i.e., cron) tasks running in the system do NOT run " "as root or, if they do, do not implement complex tasks." msgstr "" "les tâches programmées (c'est-à-dire cron) s'exécutant sur le " "système ne le sont pas en tant que superutilisateur, et si " "elles le sont, elles n'implémentent pas de tâches complexes." # NOTE: EANCHOR #s-permissions-owners #. type:

#: securing-debian-howto.en.sgml:57 en/developer.sgml:105 msgid "" "If you have to do any of the above make sure the programs that might run " "with higher privileges have been audited for security bugs. If you are " "unsure, or need help, contact the . In the case of setuid/setgid " "binaries, follow the Debian policy section regarding " msgstr "" "Si vous devez faire l'un des deux, assurez-vous que les programmes qui " "pourraient s'exécuter avec des privilèges plus élevés ont été contrôlés pour " "les bogues de sécurité. En cas de doute, ou pour obtenir de l'aide, " "contactez l'. Pour les binaires setuid ou setgid, suivez la " "section de la charte Debian sur les ." #. type:

#: securing-debian-howto.en.sgml:57 en/developer.sgml:113 msgid "" "For more information, specific to secure programming, make sure you read (or " "point your upstream to) and the " "portal." msgstr "" "Pour de plus amples renseignements, spécifiques à la programmation " "sécurisée, assurez-vous de lire (ou d'indiquer en amont) le et le portail ." #. type: #: securing-debian-howto.en.sgml:57 en/developer.sgml:121 msgid "Creating users and groups for software daemons" msgstr "Création d'utilisateurs et de groupes pour les démons logiciels" #. type:

#: securing-debian-howto.en.sgml:57 en/developer.sgml:128 msgid "" "If your software runs a daemon that does not need root privileges, you need " "to create a user for it. There are two kind of Debian users that can be used " "by packages: static uids (assigned by base-passwd, for a " "list of static users in Debian see ) and dynamic " "uids in the range assigned to system users." msgstr "" "Si le logiciel exécute un démon qui n'a pas besoin des droits du " "superutilisateur, vous devez lui créer un utilisateur. Deux types " "d'utilisateurs Debian peuvent être utilisés par les paquets : avec " "identifiant (UID) statique (attribué par base-passwd ; " "consultez pour une liste des utilisateurs " "statiques dans Debian) et avec identifiant dynamique dans l'intervalle " "dévolu aux utilisateurs système." #. type:

#: securing-debian-howto.en.sgml:57 en/developer.sgml:133 msgid "" "In the first case, you need to ask for a user or group id to the " "base-passwd. Once the user is available there the package " "needs to be distributed including a proper versioned depends to the " "base-passwd package." msgstr "" "Dans le premier cas, il faut demander un identifiant de groupe ou " "d'utilisateur à base-passwd. Une fois l'utilisateur " "disponible, le paquet doit être distribué avec une dépendance sur la version " "adéquate du paquet base-passwd." #. type:

#: securing-debian-howto.en.sgml:57 en/developer.sgml:137 msgid "" "In the second case, you need to create the system user either in the " "preinst or in the postinst and make the package depend on " "adduser (>= 3.11)." msgstr "" "Dans le second cas, il faut créer un utilisateur système en preinst " "ou en postinst et rendre le paquet dépendant de adduser " "(>= 3.11)." #. type:

#: securing-debian-howto.en.sgml:57 en/developer.sgml:140 msgid "" "The following example code creates the user and group the daemon will run as " "when the package is installed or upgraded:" msgstr "" "L'exemple de code suivant crée les utilisateur et groupe utilisés par le " "démon pour s'exécuter quand le paquet est installé ou mis à niveau :" #. type: #: securing-debian-howto.en.sgml:57 en/developer.sgml:203 #, no-wrap msgid "" "[...]\n" "case \"$1\" in\n" " install|upgrade)\n" "\n" " # If the package has default file it could be sourced, so that\n" " # the local admin can overwrite the defaults\n" "\n" " [ -f \"/etc/default/packagename\" ] && . /etc/default/packagename\n" "\n" " # Sane defaults:\n" "\n" " [ -z \"$SERVER_HOME\" ] && SERVER_HOME=server_dir\n" " [ -z \"$SERVER_USER\" ] && SERVER_USER=server_user\n" " [ -z \"$SERVER_NAME\" ] && SERVER_NAME=\"Server description\"\n" " [ -z \"$SERVER_GROUP\" ] && SERVER_GROUP=server_group\n" "\n" " # Groups that the user will be added to, if undefined, then none.\n" " ADDGROUP=\"\"\n" "\n" " # create user to avoid running server as root\n" " # 1. create group if not existing\n" " if ! getent group | grep -q \"^$SERVER_GROUP:\" ; then\n" " echo -n \"Adding group $SERVER_GROUP..\"\n" " addgroup --quiet --system $SERVER_GROUP 2>/dev/null ||true\n" " echo \"..done\"\n" " fi\n" " # 2. create homedir if not existing\n" " test -d $SERVER_HOME || mkdir $SERVER_HOME\n" " # 3. create user if not existing\n" " if ! getent passwd | grep -q \"^$SERVER_USER:\"; then\n" " echo -n \"Adding system user $SERVER_USER..\"\n" " adduser --quiet \\\n" " --system \\\n" " --ingroup $SERVER_GROUP \\\n" " --no-create-home \\\n" " --disabled-password \\\n" " $SERVER_USER 2>/dev/null || true\n" " echo \"..done\"\n" " fi\n" " # 4. adjust passwd entry\n" " usermod -c \"$SERVER_NAME\" \\\n" " -d $SERVER_HOME \\\n" " -g $SERVER_GROUP \\\n" " $SERVER_USER\n" " # 5. adjust file and directory permissions\n" " if ! 
dpkg-statoverride --list $SERVER_HOME >/dev/null\n" " then\n" " chown -R $SERVER_USER:adm $SERVER_HOME\n" " chmod u=rwx,g=rxs,o= $SERVER_HOME\n" " fi\n" " # 6. Add the user to the ADDGROUP group\n" " if test -n $ADDGROUP\n" " then\n" " if ! groups $SERVER_USER | cut -d: -f2 | \\\n" " grep -qw $ADDGROUP; then\n" " adduser $SERVER_USER $ADDGROUP\n" " fi\n" " fi\n" " ;;\n" " configure)\n" "\n" "[...]" msgstr "" "[...]\n" "case \"$1\" in\n" " install|upgrade)\n" "\n" " # Si le paquet a un fichier « default » permettant à\n" " # l'administrateur local d'écraser les valeurs par défaut\n" "\n" " [ -f \"/etc/default/nompaquet\" ] && . /etc/default/nompaquet\n" "\n" " # Valeurs par défaut correctes :\n" "\n" " [ -z \"$SERVER_HOME\" ] && SERVER_HOME=rép_serveur\n" " [ -z \"$SERVER_USER\" ] && SERVER_USER=utilisateur_serveur\n" " [ -z \"$SERVER_NAME\" ] && SERVER_NAME=\"Description du serveur\"\n" " [ -z \"$SERVER_GROUP\" ] && SERVER_GROUP=groupe_serveur\n" "\n" " # Groupes auxquels l'utilisateur sera ajouté ; aucun si non défini.\n" " ADDGROUP=\"\"\n" "\n" " # créer un utilisateur pour éviter d'exécuter le serveur en tant\n" " # que superutilisateur\n" " # 1. Créer le groupe s'il n'existe pas\n" " if ! getent group | grep -q \"^$SERVER_GROUP:\" ; then\n" " echo -n \"Ajout du groupe $SERVER_GROUP..\"\n" " addgroup --quiet --system $SERVER_GROUP 2>/dev/null ||true\n" " echo \"fait\"\n" " fi\n" " # 2. Créer un répertoire personnel s'il n'existe pas\n" " test -d $SERVER_HOME || mkdir $SERVER_HOME\n" " # 3. Créer un utilisateur s'il n'existe pas\n" " if ! getent passwd | grep -q \"^$SERVER_USER:\"; then\n" " echo -n \"Ajout de l'utilisateur système $SERVER_USER..\"\n" " adduser --quiet \\\n" " --system \\\n" " --ingroup $SERVER_GROUP \\\n" " --no-create-home \\\n" " --disabled-password \\\n" " $SERVER_USER 2>/dev/null || true\n" " echo \"fait\"\n" " fi\n" " # 4. 
Ajuster l'entrée de mot de passe\n" " usermod -c \"$SERVER_NAME\" \\\n" " -d $SERVER_HOME \\\n" " -g $SERVER_GROUP \\\n" " $SERVER_USER\n" " # 5. Ajuster les droits des fichiers et répertoires\n" " if ! dpkg-statoverride --list $SERVER_HOME >/dev/null\n" " then\n" " chown -R $SERVER_USER:adm $SERVER_HOME\n" " chmod u=rwx,g=rxs,o= $SERVER_HOME\n" " fi\n" " # 6. Ajouter l'utilisateur au groupe ADDGROUP\n" " if test -n $ADDGROUP\n" " then\n" " if ! groups $SERVER_USER | cut -d: -f2 | \\\n" " grep -qw $ADDGROUP; then\n" " adduser $SERVER_USER $ADDGROUP\n" " fi\n" " fi\n" " ;;\n" " configure)\n" "\n" "[...]" #. type:

#: securing-debian-howto.en.sgml:57 en/developer.sgml:207 msgid "You have to make sure that the init.d script file:" msgstr "Assurez-vous que le fichier de script init.d :" # NOTE: s/call/option/ #. type:

#: securing-debian-howto.en.sgml:57 en/developer.sgml:213 msgid "" "Starts the daemon dropping privileges: if the software does not do the " " or call itself, you can use the --chuid call of " "start-stop-daemon." msgstr "" "démarre le démon en abandonnant les droits du superutilisateur : si le " "logiciel ne fait pas l'appel ou " " lui-même, l'option --chuid " "de start-stop-daemon est utilisable." #. type:

#: securing-debian-howto.en.sgml:57 en/developer.sgml:217 msgid "" "Stops the daemon only if the user id matches, you can use the start-" "stop-daemon --user option for this." msgstr "" "n'arrête le démon que si l'identifiant utilisateur correspond, l'option " "--user de start-stop-daemon permet de faire cela." #. type:

#: securing-debian-howto.en.sgml:57 en/developer.sgml:218 msgid "Does not run if either the user or the group do not exist:" msgstr "ne s'exécute pas si l'utilisateur ou le groupe n'existent pas :" #. type: #: securing-debian-howto.en.sgml:57 en/developer.sgml:227 #, no-wrap msgid "" " if ! getent passwd | grep -q \"^server_user:\"; then\n" " echo \"Server user does not exist. Aborting\" >&2\n" " exit 1\n" " fi\n" " if ! getent group | grep -q \"^server_group:\" ; then\n" " echo \"Server group does not exist. Aborting\" >&2\n" " exit 1\n" " fi" msgstr "" " if ! getent passwd | grep -q \"^utilisateur_serveur:\"; then\n" " echo \"L'utilisateur du serveur n'existe pas. Abandon\" >&2\n" " exit 1\n" " fi\n" " if ! getent group | grep -q \"^groupe_serveur:\" ; then\n" " echo \"Le groupe du serveur n'existe pas. Abandon\" >&2\n" " exit 1\n" " fi" #. type:

#: securing-debian-howto.en.sgml:57 en/developer.sgml:243 msgid "" "If the package creates the system user it can remove it when it is purged in " "its postrm. This has some drawbacks, however. For example, files " "created by it will be orphaned and might be taken over by a new system user " "in the future if it is assigned the same uid

Some relevant " "threads discussing these drawbacks include and

. Consequently, " "removing system users on purge is not yet mandatory and depends on the " "package needs. If unsure, this action could be handled by asking the " "administrator for the prefered action when the package is installed (i.e. " "through debconf)." msgstr "" "Si le paquet crée l'utilisateur système, il peut le retirer lors de la purge " "en postrm. Cela a cependant quelques inconvénients. Par exemple les " "fichiers créés par cet utilisateur seront orphelins et pourraient être " "repris par un nouvel utilisateur système plus tard si le même identifiant " "utilisateur lui est attribué

Plusieurs discussions à propos de " "ces inconvénients ont déjà eu lieu comme et .

. Par conséquent, " "retirer les utilisateurs système lors de la purge n'est pas encore " "obligatoire et dépend des besoins du paquet. En cas de doute, cette action " "pourrait être faite en demandant à l'administrateur sa préférence lors de " "l'installation du paquet (c'est-à-dire avec debconf)." #. type:

#: securing-debian-howto.en.sgml:57 en/developer.sgml:251 msgid "" "The following example code

This might eventually be introduced " "as a dh_adduser in debhelper. See , and ." "

removes the user and groups created before only, and only " "if, the uid is in the range of dynamic assigned system uids and the gid is " "belongs to a system group:" msgstr "" "Le code exemple suivant

Cela pourrait éventuellement être " "introduit en tant que dh_adduser dans debhelper. Consultez les " "bogues , et .

retire " "l'utilisateur et les groupes créés auparavant seulement, et seulement si, " "l'identifiant utilisateur est dans l'intervalle des identifiants utilisateur " "dynamiques attribués pour le système et que l'identifiant de groupe " "appartient à un groupe système :" #. type: #: securing-debian-howto.en.sgml:57 en/developer.sgml:297 #, no-wrap msgid "" "case \"$1\" in\n" " purge)\n" "[...]\n" " # find first and last SYSTEM_UID numbers\n" " for LINE in `grep SYSTEM_UID /etc/adduser.conf | grep -v \"^#\"`; do\n" " case $LINE in\n" " FIRST_SYSTEM_UID*)\n" " FIST_SYSTEM_UID=`echo $LINE | cut -f2 -d '='`\n" " ;;\n" " LAST_SYSTEM_UID*)\n" " LAST_SYSTEM_UID=`echo $LINE | cut -f2 -d '='`\n" " ;;\n" " *)\n" " ;;\n" " esac\n" " done\n" " # Remove system account if necessary\n" " CREATEDUSER=\"server_user\"\n" " if [ -n \"$FIST_SYSTEM_UID\" ] && [ -n \"$LAST_SYSTEM_UID\" ]; then\n" " if USERID=`getent passwd $CREATEDUSER | cut -f 3 -d ':'`; then\n" " if [ -n \"$USERID\" ]; then\n" " if [ \"$FIST_SYSTEM_UID\" -le \"$USERID\" ] && \\\n" " [ \"$USERID\" -le \"$LAST_SYSTEM_UID\" ]; then\n" " echo -n \"Removing $CREATEDUSER system user..\"\n" " deluser --quiet $CREATEDUSER || true\n" " echo \"..done\"\n" " fi\n" " fi\n" " fi\n" " fi\n" " # Remove system group if necessary\n" " CREATEDGROUP=server_group\n" " FIRST_USER_GID=`grep ^USERS_GID /etc/adduser.conf | cut -f2 -d '='`\n" " if [ -n \"$FIST_USER_GID\" ] then\n" " if GROUPGID=`getent group $CREATEDGROUP | cut -f 3 -d ':'`; then\n" " if [ -n \"$GROUPGID\" ]; then\n" " if [ \"$FIST_USER_GID\" -gt \"$GROUPGID\" ]; then\n" " echo -n \"Removing $CREATEDGROUP group..\"\n" " delgroup --only-if-empty $CREATEDGROUP || true\n" " echo \"..done\"\n" " fi\n" " fi\n" " fi\n" " fi\n" "[...]" msgstr "" "case \"$1\" in\n" " purge)\n" "[...]\n" " # trouver les premier et dernier numéros de SYSTEM_UID\n" " for LINE in `grep SYSTEM_UID /etc/adduser.conf | grep -v \"^#\"`; do\n" " case $LINE in\n" " FIRST_SYSTEM_UID*)\n" " FIST_SYSTEM_UID=`echo 
$LINE | cut -f2 -d '='`\n" " ;;\n" " LAST_SYSTEM_UID*)\n" " LAST_SYSTEM_UID=`echo $LINE | cut -f2 -d '='`\n" " ;;\n" " *)\n" " ;;\n" " esac\n" " done\n" " # supprimer le compte système si nécessaire\n" " CREATEDUSER=\"utilisateur_serveur\"\n" " if [ -n \"$FIST_SYSTEM_UID\" ] && [ -n \"$LAST_SYSTEM_UID\" ]; then\n" " if USERID=`getent passwd $CREATEDUSER | cut -f 3 -d ':'`; then\n" " if [ -n \"$USERID\" ]; then\n" " if [ \"$FIST_SYSTEM_UID\" -le \"$USERID\" ] && \\\n" " [ \"$USERID\" -le \"$LAST_SYSTEM_UID\" ]; then\n" " echo -n \"Suppression de l'utilisateur système $CREATEDUSER\"\n" " deluser --quiet $CREATEDUSER || true\n" " echo \"fait\"\n" " fi\n" " fi\n" " fi\n" " fi\n" " # supprimer le groupe système si nécessaire\n" " CREATEDGROUP=groupe_serveur\n" " FIRST_USER_GID=`grep ^USERS_GID /etc/adduser.conf | cut -f2 -d '='`\n" " if [ -n \"$FIST_USER_GID\" ] then\n" " if GROUPGID=`getent group $CREATEDGROUP | cut -f 3 -d ':'`; then\n" " if [ -n \"$GROUPGID\" ]; then\n" " if [ \"$FIST_USER_GID\" -gt \"$GROUPGID\" ]; then\n" " echo -n \"Suppression du groupe $CREATEDGROUP\"\n" " delgroup --only-if-empty $CREATEDGROUP || true\n" " echo \"fait\"\n" " fi\n" " fi\n" " fi\n" " fi\n" "[...]" #. type:

#: securing-debian-howto.en.sgml:57 en/developer.sgml:309 msgid "" "Running programs with a user with limited privileges makes sure that any " "security issue will not be able to damage the full system. It also follows " "the principle of least privilege. Also consider you can limit " "privileges in programs through other mechanisms besides running as non-" "root

You can even provide a SELinux policy for it

. For more information, read the chapter of the Secure Programming for Linux and " "Unix HOWTO book." msgstr "" "L'exécution de programmes avec un utilisateur ayant des droits restreints " "assure qu'aucun problème de sécurité ne pourra endommager tout le système. " "Cela suit aussi le principe du minimum de droits. Songez aussi à " "limiter les droits dans les programmes avec d'autres mécanismes que " "l'exécution en tant que non superutilisateur

Vous pouvez même " "fournir une politique SELinux pour cela.

. Pour de plus amples " "renseignements, consultez le chapitre du livre HOWTO de programmation sécurisée pour " "Linux et UNIX." #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:5 msgid "Before the compromise" msgstr "Avant la compromission" #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:7 msgid "Keep your system secure" msgstr "Maintenez le système sécurisé" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:18 msgid "" "You should strive to keep your system secure by monitoring its usage and " "also the vulnerabilities that might affect it, patching them as soon as " "patches are available. Even though you might have installed a really secure " "system initially you have to remember that security in a system degrades " "with time, security vulnerabilities might be found for exposed system " "services and users might expose the system security either because of lack " "of understanding (e.g. accessing a system remotely with a clear-text " "protocol or using easy to guess passwords) or because they are actively " "trying to subvert the system's security (e.g. install additional services " "locally on their accounts)." msgstr "" "Vous devriez faire tous les efforts nécessaires pour maintenir votre système " "sécurisé en surveillant son utilisation ainsi que les vulnérabilités qui " "pourraient l'affecter, en ajoutant les correctifs dès qu'ils sont " "disponibles. Même si vous avez installé un système vraiment sécurisé, vous " "devez garder à l'esprit que la sécurité d'un système se dégrade avec le " "temps. Des failles de sécurité peuvent être découvertes pour les services " "offerts et les utilisateurs peuvent affaiblir la sécurité du système soit à " "cause d'une incompréhension (par exemple, en accédant au système à distance " "à l'aide d'un protocole non chiffré, ou en utilisant des mots de passe " "faciles à deviner), ou parce qu'ils essaient activement de corrompre la " "sécurité du système (c'est-à-dire installer des services supplémentaires " "dans leur compte local)." #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:20 msgid "Tracking security vulnerabilities" msgstr "Surveillance des failles de sécurité" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:30 msgid "" "Although most administrators are aware of security vulnerabilities affecting " "their systems when they see a patch that is made available you can strive to " "keep ahead of attacks and introduce temporary countermeasures for security " "vulnerabilities by detecting when your system is vulnerable. This is " "specially true when running an exposed system (i.e. connected to the " "Internet) and providing a service. In such case the system's administrators " "should take care to monitor known information sources to be the first to " "know when a vulnerability is detected that might affect a critical service." msgstr "" "Bien que la plupart des administrateurs ne soient conscients des failles de " "sécurité affectant leur système que lorsqu'un correctif est rendu " "disponible, vous pouvez être proactif et tenter de prévenir les attaques en " "introduisant des contre-mesures temporaires contre ces vulnérabilités dès " "que vous détectez qu'elles peuvent affecter le système. C'est " "particulièrement vrai sur un système exposé (c'est-à-dire connecté à " "Internet) et qui fournit un service. Dans ce cas, les administrateurs " "système devraient surveiller attentivement les sources d'informations " "connues pour être les premiers informés lorsqu'une faille pouvant affecter " "un service critique est détectée." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:38 msgid "" "This typically includes subscribing to the announcement mailing lists, " "project websites or bug tracking systems provided by the software developers " "for a specific piece of code. For example, Apache users should regularly " "review Apache's and subscribe to the mailing list." msgstr "" "Cela signifie habituellement au moins s'abonner à la liste de diffusion des " "annonces, au site web du projet ou au système de suivi des bogues fourni par " "les développeurs pour les applications à surveiller. Par exemple, les " "utilisateurs d'Apache devraient surveiller régulièrement la et s'inscrire à la liste de diffusion des ." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:54 msgid "" "In order to track known vulnerabilities affecting the Debian distribution, " "the Debian Testing Security Team provides a that lists all the known " "vulnerabilities which have not been yet fixed in Debian packages. The " "information in that tracker is obtained through different public channels " "and includes known vulnerabilities which are available either through " "security vulnerability databases or . Administrators can search for the " "known security issues being tracked for , , , or ." msgstr "" "Pour suivre les failles de sécurité connues affectant Debian, l'équipe de " "sécurité de Debian de la version testing maintient un qui contient toutes les vulnérabilités connues avant même d'être " "corrigées dans les paquets Debian. L'information est obtenue depuis " "plusieurs sources publiques et contient les failles connues disponibles à " "l'aide des bases de données de vulnérabilité ou du . Les " "administrateurs peuvent chercher les problèmes de sécurité connus suivis " "pour , , ou ." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:59 msgid "" "The tracker has searchable interfaces (by name and package name) and some tools (such as " "debsecan, see ) use that database to " "provide information of vulnerabilities affecting a given system which have " "not yet been addressed (i.e. those who are pending a fix)." msgstr "" "Le système de suivi fournit des interfaces avec moteur de recherche (par nom " " et nom de paquet) et d'autres " "outils (comme debsecan, consultez ) " "utilisent ces bases de données pour fournir des informations sur les " "vulnérabilités qui n'ont pas encore été résolues pour un système donné." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:64 msgid "" "Concious administrators can use that information to determine which security " "bugs might affect the system they are managing, determine the severity of " "the bug and apply (if available) temporary countermeasures before a patch is " "available fixing this issue." msgstr "" "Les administrateurs consciencieux peuvent utiliser ces renseignements pour " "déterminer les failles de sécurité pouvant affecter le système qu'ils " "gèrent, déterminer la sévérité du bogue et appliquer (si possible) des " "contre-mesures temporaires avant qu'un correctif soit disponible pour " "résoudre le problème." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:72 msgid "" "Security issues tracked for releases supported by the Debian Security Team " "should eventually be handled through Debian Security Advisories (DSA) and " "will be available for all users (see ). Once " "security issues are fixed through an advisory they will not be available in " "the tracker, but you will be able to search security vulnerabilities (by CVE " "name) using the available for published DSAs." msgstr "" "Les problèmes de sécurité des versions suivies par l'équipe de sécurité de " "Debian devraient être traités par une annonce de sécurité Debian (DSA) et " "seront disponibles pour tous les utilisateurs (consultez ). Une fois que les problèmes de sécurité sont résolus et " "annoncés, ils ne seront plus affichés par le système de suivi, mais vous " "pourrez encore chercher les vulnérabilités par leur nom CVE en utilisant la " " disponible pour les DSA publiées." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:80 msgid "" "Notice, however, that the information tracked by the Debian Testing Security " "Team only involves disclosed vulnerabilities (i.e. those already public). In " "some occasions the Debian Security Team might be handling and preparing DSAs " "for packages based on undisclosed information provided to them (for example, " "through closed vendor mailing lists or by upstream maintainers of software). " "So do not be surprised to find security issues that only show up as an " "advisory but never get to show up in the security tracker." msgstr "" "Remarquez cependant que les renseignements suivis par l'équipe de suivi en " "sécurité de testing ne concernent que les failles connues (c'est-à-dire déjà " "rendues publiques). Parfois, l'équipe de sécurité Debian peut gérer et " "préparer des DSA pour des paquets en fonction de renseignements non publics " "qu'ils ont obtenus sur des listes de diffusions restreintes, par le " "découvreur de la faille ou par les développeurs du logiciel. Ainsi, ne vous " "étonnez pas de découvrir des problèmes de sécurité dans une annonce qui ne " "sont jamais apparus dans le système de suivi des vulnérabilités." #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:82 msgid "Continuously update the system" msgstr "Mettre à jour le système en permanence" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:90 msgid "" "You should conduct security updates frequently. The vast majority of " "exploits result from known vulnerabilities that have not been patched in " "time, as this (presented at the 2001 IEEE Symposium on Security " "and Privacy) explains. Updates are described under ." msgstr "" "Vous devriez effectuer des mises à jour de sécurité régulièrement. La " "plupart des stratagèmes sont basés sur des failles connues qui n'ont pas été " "corrigées à temps, comme l'explique ce (présenté lors du " "Symposium 2001 IEEE sur la sécurité et la confidentialité). Les mises à jour " "sont décrites dans ." #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:92 msgid "Manually checking which security updates are available" msgstr "Vérification par soi-même la disponibilité de mises à jour de sécurité" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:96 msgid "" "Debian does have a specific tool to check if a system needs to be updated " "but many users will just want to manually check if any security updates are " "available for their system." msgstr "" "Debian dispose d'un outil spécifique pour déterminer si un système a besoin " "d'être mis à jour, mais beaucoup d'utilisateurs veulent simplement vérifier " "si des mises à jour de sécurité sont disponibles pour leur système." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:99 msgid "" "If you have configured your system as described in you just need to do:" msgstr "" "Si vous avez configuré le système comme décrit en , il suffit de faire :" #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:106 #, no-wrap msgid "" "# apt-get update\n" "# apt-get upgrade -s\n" "[ ... review packages to be upgraded ... ]\n" "# apt-get upgrade \n" "# checkrestart\n" "[ ... restart services that need to be restarted ... ]" msgstr "" "# apt-get update\n" "# apt-get upgrade -s\n" "[ … passer en revue les paquets à mettre à jour… ]\n" "# apt-get upgrade \n" "# checkrestart\n" "[ … redémarrer les services qui doivent être redémarrés… ]" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:112 msgid "" "And restart those services whose libraries have been updated if any. Note: " "Read for more information on library (and " "kernel) upgrades." msgstr "" "Redémarrez ensuite les services dont les bibliothèques ont été mises à jour " "si c'est le cas. Remarque : consultez pour " "de plus amples renseignements sur les mises à jour de bibliothèques (et de " "noyau)." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:118 msgid "" "The first line will download the list of packages available from your " "configured package sources. The -s will do a simulation run, that " "is, it will not download or install the packages but rather tell " "you which ones should be downloaded/installed. From the output you can " "derive which packages have been fixed by Debian and are available as a " "security update. Sample:" msgstr "" "La première ligne téléchargera la liste des paquets disponibles depuis les " "sources de paquets configurées. L'option -s effectuera une " "simulation d'exécution, c'est-à-dire qu'elle ne va pas télécharger " "ou installer de paquets, mais qu'elle va plutôt signaler les paquets à " "télécharger ou installer. À partir de ce résultat, vous pouvez en déduire " "les paquets corrigés dans Debian et disponibles en mise à jour de sécurité. " "Par exemple :" #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:127 #, no-wrap msgid "" "# apt-get upgrade -s\n" "Reading Package Lists... Done\n" "Building Dependency Tree... Done\n" "2 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n" "Inst cvs (1.11.1p1debian-8.1 Debian-Security:3.0/stable)\n" "Inst libcupsys2 (1.1.14-4.4 Debian-Security:3.0/stable)\n" "Conf cvs (1.11.1p1debian-8.1 Debian-Security:3.0/stable)\n" "Conf libcupsys2 (1.1.14-4.4 Debian-Security:3.0/stable)" msgstr "" "# apt-get upgrade -s\n" "Lecture des listes de paquets... Fait\n" "Construction de l'arbre des dépendances... Fait\n" "Calcul de la mise à jour... Fait\n" "Les paquets suivants seront mis à jour :\n" " cvs libcupsys2\n" "2 mis à jour, 0 nouvellement installés, 0 à enlever et 0 non mis à jour.\n" "Inst cvs (1.11.1p1debian-8.1 Debian-Security:3.0/stable)\n" "Inst libcupsys2 (1.1.14-4.4 Debian-Security:3.0/stable)\n" "Conf cvs (1.11.1p1debian-8.1 Debian-Security:3.0/stable)\n" "Conf libcupsys2 (1.1.14-4.4 Debian-Security:3.0/stable)" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:140 msgid "" "In this example, you can see that the system needs to be updated with new " "cvs and cupsys packages which are " "being retrieved from woody's security update archive. If you want " "to understand why these packages are needed, you should go to and check which recent Debian Security " "Advisories have been published related to these packages. In this case, the " "related DSAs are (for cvs) and (for cupsys)." msgstr "" "Dans cet exemple, vous pouvez constater que le système a besoin d'être mis à " "jour avec les nouveaux paquets cvs et cupsys qui sont récupérés depuis l'archive de mises à jour de sécurité de " "Woody. Si vous voulez comprendre pourquoi ces paquets sont " "nécessaires, vous devriez aller en " "et vérifier les alertes de sécurité Debian (DSA) récemment publiées " "concernant ces paquets. Dans ce cas, les DSA concernées sont (pour " "cvs) et (pour cupsys)." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:143 msgid "" "Notice that you will need to reboot your system if there has been a kernel " "upgrade." msgstr "" "Remarquez que le système doit être redémarré après une mise à jour du noyau." #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:145 msgid "Checking for updates at the Desktop" msgstr "Vérification de mises à jour sur station de travail" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:151 msgid "" "Since Debian 4.0 lenny Debian provides and installs in a default " "installation update-notifier. This is a GNOME application " "that will startup when you enter your Desktop and can be used to keep track " "of updates available for your system and install them. It uses " "update-manager for this." msgstr "" "Depuis Debian 4.0 Lenny, Debian fournit et installe par défaut " "update-notifier. C'est une application GNOME qui est " "lancée lors de l'ouverture de la session et qui peut être utilisée pour " "faire le suivi des mises à jour disponibles pour le système et les " "installer. C'est fait en utilisant le paquet update-manager." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:158 msgid "" "In a stable system updates are only available when a security patch is " "available or at point releases. Consequently, if the system is properly " "configured to receive security updates as described in and you have a cron task running to update the package information " "you will be notified through an icon in the desktop notifcation area." msgstr "" "Pour un système stable, les mises à jour sont seulement disponibles quand un " "correctif de sécurité est disponible ou pour les versions intermédiaires. " "Par conséquent, si le système est configuré correctement pour recevoir les " "mises à jour de sécurité comme décrit en et " "qu'une tâche cron met à jour les informations sur les paquets, vous serez " "averti par une icône dans l'espace de notification du bureau." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:163 msgid "" "The notification is not intrusive and users are not forced to install " "updates. From the notification icon a desktop user (with the administrator's " "password) can access a simple GUI to show available updates and install them." msgstr "" "La notification n'est pas intrusive et les utilisateurs ne sont pas forcés " "d'installer les mises à jour. Depuis l'icône de notification, un utilisateur " "du bureau (avec le mot de passe administrateur) peut accéder à une interface " "simple et voir les mises à jour disponibles puis de les installer." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:169 msgid "" "This application works by checking the package database and comparing the " "system with its contents. If the package database is updated periodically " "through a cron task then the contents of the database will be " "newer than the packages installed in the system and the application will " "notify you." msgstr "" "Cette application fonctionne en consultant la base de données des paquets et " "en la comparant avec le système. Si cette base de données est mise à jour " "régulièrement par une tâche cron, alors son contenu sera plus " "récent que les paquets installés sur le système et l'application pourra vous " "avertir." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:175 msgid "" "Apt installs such a task (/etc/cron.d/apt) which " "will run based on Apt's configuration (more specifically APT::Periodic). In the GNOME environment this configuration value can be adjusted by " "going to System > Admin > Software origins > Updates, or running " "/usr/bin/software-properties." msgstr "" "Apt installe une telle tâche cron (/etc/cron.d/apt) qui s'exécutera selon la configuration d'APT (plus spécifiquement " "APT::Periodic). Dans l'environnement GNOME, la valeur de la " "configuration peut être ajustée dans le menu Système > Administration " "> Sources de mise à jour > Mises à jour, ou en exécutant /usr/" "bin/software-properties." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:179 msgid "" "If the system is set to download the packages list daily but not download " "the packages themselves your /etc/apt/apt.conf.d/10periodic " "should look like this:" msgstr "" "Si le système télécharge quotidiennement la liste des paquets, mais ne " "télécharge pas les paquets eux-mêmes, le fichier /etc/apt/apt.conf." "d/10periodic devrait ressembler à ceci :" #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:182 #, no-wrap msgid "" "APT::Periodic::Update-Package-Lists \"1\";\n" "APT::Periodic::Download-Upgradeable-Packages \"0\";" msgstr "" "APT::Periodic::Update-Package-Lists \"1\";\n" "APT::Periodic::Download-Upgradeable-Packages \"0\";" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:188 msgid "" "You can use a different cron task, such as the one installed by " "cron-apt (see ). You can also just " "manually check for upgrades using this application." msgstr "" "Vous pouvez utiliser une tâche cron différente, comme celle installée par " "cron-apt (consultez ). Vous pouvez " "aussi simplement vérifier vous-même les mises à jour en utilisant cette " "application." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:193 msgid "" "Users of the KDE desktop environment will probably prefer to install " "adept and adept-notifier instead which " "offers a similar functionality but is not part of the standard installation." msgstr "" "Les utilisateurs de l'environnement KDE préféreront probablement installer " "adept et adept-notifier. Ils " "fournissent des fonctionnalités similaires, mais ne sont pas installés par " "défaut." #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:195 msgid "Automatically checking for updates with cron-apt" msgstr "Vérification automatique des mises à jour avec cron-apt" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:202 msgid "" "Another method for automatic security updates is the use of cron-" "apt. This package provides a tool to update the system at regular " "intervals (using a cron job), and can also be configured to send mails to " "the system administrator using the local mail transport agent. It will just " "update the package list and download new packages by default but it can be " "configured to automatically install new updates." msgstr "" "Une autre méthode pour des mises à jour de sécurité automatiques est " "l'utilisation de cron-apt. Ce paquet fournit un outil " "pour mettre à jour le système à intervalles réguliers (en utilisant une " "tâche cron) et peut également être configuré pour envoyer un courrier à " "l'administrateur système par l'agent de transport de courrier local. Par " "défaut, il va simplement mettre à jour la liste des paquets et télécharger " "les nouveaux paquets, mais il peut être configuré pour installer " "automatiquement les nouvelles mises à jour." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:208 msgid "" "Notice that you might want to check the distribution release, as described " "in , if you intend to automatically updated your " "system (even if only downloading the packages). Otherwise, you cannot be " "sure that the downloaded packages really come from a trusted source." msgstr "" "Remarquez que vous devriez vérifier la version de la distribution, comme " "décrit en , si vous prévoyez de mettre à jour automatiquement le " "système (même si vous ne faites que télécharger les paquets). Sinon, vous ne " "pouvez pas être certain que les paquets téléchargés proviennent réellement " "d'une source de confiance." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:212 msgid "" "More information is available at the ." msgstr "" "Pour de plus amples renseignements, consultez le ." #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:214 msgid "Automatically checking for security issues with debsecan" msgstr "Vérification automatique des problèmes de sécurité avec debsecan" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:223 msgid "" "The debsecan program evaluates the security status of by " "reporting both missing security updates and security vulnerabilities. Unlike " "cron-apt, which only provides information related to " "security updates available, but this tool obtains information from the " "security vulnerability database maintained by the Debian Security Team which " "includes also information on vulnerabilities which are not yet fixed through " "a security update. Consequently, it is more efficient at helping " "administrators track security vulnerabilities (as described in )." msgstr "" "Le programme debsecan évalue l'état de la sécurité par rapport " "aux mises à jour de sécurité non effectuées et aux vulnérabilités sans " "correctif alors que cron-apt ne fournit qu'un rapport sur " "les mises à jour non effectuées. debsecan obtient les " "renseignements sur les failles qui ne sont pas corrigées à l'aide de la base " "de données des vulnérabilités qui est gérée par l'équipe de sécurité de " "Debian. Par conséquent, comme décrit en , il aide " "plus efficacement les administrateurs à suivre les failles de sécurité." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:233 msgid "" "Upon installing the Debian package debsecan, and if the " "administrator consents to it, it will generate a cron task that will make it " "run and send the output to a specific user whenever it finds a vulnerable " "package. It will also download the information from the Internet. The " "location of the security database is also part of the questions ask on " "installation and are later defined /etc/default/debsecan, it " "can be easily adjusted for systems that do not have Internet access so that " "they all pull from a local mirror so that there is a single point that " "access the vulnerability database." msgstr "" "En installant le paquet debsecan, et si l'administrateur " "l'accepte, une tâche cron exécutera périodiquement debsecan et " "notifiera l'utilisateur choisi lorsqu'un paquet vulnérable est détecté. " "L'emplacement de la base de données des vulnérabilités est aussi " "paramétrable lors de l'installation et peut ensuite être modifié dans le " "fichier /etc/default/debsecan. C'est pratique pour les systèmes " "sans accès direct à Internet qui doivent télécharger les nouvelles " "informations depuis un miroir local pour avoir un seul chemin de mise à jour " "de la base de données des vulnérabilités." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:240 msgid "" "Notice, however, that the Security Team tracks many vulnerabilities " "including low-risk issues which might not be fixed through a security update " "and some vulnerabilities initially reported as affecting Debian might, later " "on, upon investigation, be dismissed. Debsecan will report on " "all the vulnerabilities, which makes it a quite more verbose than the other " "tools described above." msgstr "" "Remarquez toutefois que l'équipe de sécurité suit beaucoup de failles, y " "compris des problèmes peu dangereux qui pourraient ne pas être corrigés lors " "des mises à jour de sécurité. De plus, certaines failles initialement " "considérées comme affectant Debian peuvent, plus tard et après enquête, être " "abandonnées. debsecan indiquera toutes les failles, ce qui peut " "en faire un outil plus verbeux que les autres outils décrits précédemment." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:245 msgid "" "More information is available at the ." msgstr "" "Pour plus d'informations, veuillez consulter le ." #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:247 msgid "Other methods for security updates" msgstr "Autres méthodes de mises à jour de sécurité" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:254 msgid "" "There is also the apticron, which, similarly to " "cron-apt will check for updates and send mails to the " "administrator. More information on apticron is available at the ." msgstr "" "Le paquet apticron, comme cron-apt, " "vérifiera les mises à jour et enverra des messages à l'administrateur. Pour " "plus d'informations, veuillez consulter le ." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:263 msgid "" "You might also want to take a look at which is an unofficial program to do security " "updates from security.debian.org with signature checking written by " "Fruhwirth Clemens. Or to the Nagios Plugin written by Dean Wilson." msgstr "" "Vous pourriez également jeter un œil à , un programme non officiel pour effectuer " "des mises à jour de sécurité depuis security.debian.org écrit par Fruhwirth " "Clemens, qui vérifie les signatures ou encore le module d'extension Nagios " " écrit par Dean Wilson." #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:265 msgid "Avoid using the unstable branch" msgstr "Évitez la branche unstable" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:271 msgid "" "Unless you want to dedicate time to patch packages yourself when a " "vulnerability arises, you should not use Debian's unstable branch " "for production-level systems. The main reason for this is that there are no " "security updates for unstable (see )." msgstr "" "À moins de vouloir passer du temps à corriger les paquets vous-même quand " "une faille survient, vous ne devriez pas utiliser la branche " "unstable de Debian pour des systèmes en production. La raison principale est " "l'absence de mises à jour de sécurité pour unstable (consultez )." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:277 msgid "" "The fact is that some security issues might appear in unstable and not in the stable distribution. This is due to new functionality " "constantly being added to the applications provided there, as well as new " "applications being included which might not yet have been thoroughly tested." msgstr "" "Certains problèmes de sécurité peuvent en fait apparaître dans unstable et " "pas dans la distribution stable. Cela est dû aux nouvelles " "fonctionnalités ajoutées constamment aux applications fournies, ainsi qu'aux " "nouvelles applications qui peuvent ne pas encore avoir été testées en " "profondeur." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:284 msgid "" "In order to do security upgrades in the unstable branch, you might " "have to do full upgrades to new versions (which might update much more than " "just the affected package). Although there have been some exceptions, " "security patches are usually only back ported into the stable " "branch. The main idea being that between updates, no new code " "should be added, just fixes for important issues." msgstr "" "Pour effectuer des mises à jour de sécurité dans la branche unstable, vous risquez de devoir faire des mises à jour complètes vers de " "nouvelles versions (ce qui peut mettre à jour beaucoup plus que les paquets " "touchés). Bien qu'il y ait des exceptions, les correctifs de sécurité sont " "habituellement rétroportés dans la branche stable. L'idée " "principale étant qu'entre les mises à jour, aucun nouveau code ne " "doit être ajouté, seulement des correctifs aux problèmes importants." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:288 msgid "" "Notice, however, that you can use the security tracker (as described in ) to track known security vulnerabilities affecting this " "branch." msgstr "" "Remarquez que vous pouvez utiliser le système de suivi de sécurité (décrit " "en ) pour suivre les failles de sécurité affectant " "cette branche." #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:290 msgid "Security support for the testing branch" msgstr "Suivi en sécurité de la branche testing" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:294 msgid "" "If you are using the testing branch, there are some issues that you " "must take into account regarding the availability of security updates:" msgstr "" "Si vous utilisez la branche testing, plusieurs problèmes sont à " "prendre en compte concernant la disponibilité des mises à jour de sécurité." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:307 msgid "" "When a security fix is prepared, the Security Team backports the patch to " "stable (since stable is usually some minor or major versions " "behind). Package maintainers are responsible for preparing packages for the " "unstable branch, usually based on a new upstream release. Sometimes " "the changes happen at nearly the same time and sometimes one of the releases " "gets the security fix before. Packages for the stable distribution " "are more thoroughly tested than unstable, since the latter will in " "most cases provide the latest upstream release (which might include new, " "unknown bugs)." msgstr "" "Quand un correctif de sécurité est préparé, l'équipe de sécurité rétroporte " "le correctif pour stable (car stable est habituellement en retard " "de quelques versions mineures ou majeures). Le responsable du paquet " "s'occupe de préparer les paquets pour unstable, habituellement basé " "sur une nouvelle version amont. Parfois, les modifications se produisent en " "même temps et parfois l'une des distributions reçoit le correctif de " "sécurité avant. Les paquets de la distribution stable sont testés " "plus en profondeur que ceux d'unstable car ces derniers peuvent " "fournir la dernière version amont (qui pourrait ajouter de nouveaux bogues " "inconnus)." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:312 msgid "" "Security updates are available for the unstable branch usually when " "the package maintainer makes a new package and for the stable " "branch when the Security Team make a new upload and publish a DSA. Notice " "that neither of these change the testing branch." msgstr "" "Les mises à jour de sécurité sont disponibles pour la branche unstable quand le responsable du paquet crée une nouvelle version du paquet et " "pour stable quand l'équipe de sécurité effectue un envoi et publie " "une DSA. Veuillez noter que ni l'un, ni l'autre ne modifie testing." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:320 msgid "" "If no (new) bugs are detected in the unstable version of the " "package, it moves to testing after several days. The time this " "takes is usually ten days, although that depends on the upload priority of " "the change and whether the package is blocked from entering testing " "by its dependency relationships. Note that if the package is blocked from " "entering testing the upload priority will not change the time it takes to " "enter." msgstr "" "Si aucun (nouveau) bogue n'est détecté dans la version unstable de " "paquet, il est déplacé dans testing après plusieurs jours. Le délai " "est habituellement de dix jours, bien que cela dépende de la priorité de " "l'envoi des modifications et si l'entrée du paquet dans testing est " "bloquée par ses relations de dépendances. Notez que si l'entrée du paquet " "dans testing est bloquée, la priorité d'envoi ne changera pas le " "temps nécessaire pour y entrer." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:326 msgid "" "This behavior might change based on the release state of the distribution. " "When a release is almost imminent, the Security Team or package maintainers " "might provide updates directly to testing." msgstr "" "Ce comportement peut changer selon l'état de publication de la distribution. " "Quand une nouvelle version est imminente, l'équipe de sécurité ou les " "responsables de paquet peuvent fournir des mises à jour directement dans " "testing." # NOTE: typo in inmediate #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:332 msgid "" "Additionally, the can issue Debian Testing Security " "Advisories (DTSAs) for packages in the testing branch if there is " "an inmediate need to fix a security issue in that branch and cannot wait for " "the normal procedure (or the normal procedure is being blocked by some other " "packages)." msgstr "" "De plus, l' peut publier des annonces de " "sécurité de testing (« Debian Testing Security Advisories » ou DTSA) pour " "les paquets de la branche testing si un problème de sécurité doit " "être immédiatement corrigé dans cette branche sans attendre la procédure " "normale (ou que la procédure normale est bloquée par d'autres paquets)." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:336 msgid "" "Users willing to take advantage of this support should add the following " "lines to their /etc/apt/sources.list (instead of the lines " "described in ):" msgstr "" "Les utilisateurs voulant tirer parti de ce suivi devraient ajouter les " "lignes suivantes à /etc/apt/sources.list (au lieu des lignes " "indiquées en ) :" #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:340 #, no-wrap msgid "" " deb http://security.debian.org testing/updates main contrib non-free\n" "# This line makes it possible to donwload source packages too\n" " deb-src http://security.debian.org testing/updates main contrib non-free" msgstr "" " deb http://security.debian.org testing/updates main contrib non-free\n" "# Cette ligne permet de télécharger aussi les paquets source\n" " deb-src http://security.debian.org testing/updates main contrib non-free" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:345 msgid "" "For additional information on this support please read the . This support officially started in in a separate repository and was later integrated into the main " "security archive." msgstr "" "Pour de plus amples renseignements sur ce suivi, veuillez lire l'. Ce suivi a officiellement commencé en dans un dépôt séparé avant d'être intégré à l'archive de " "sécurité principale." #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:349 msgid "Automatic updates in a Debian GNU/Linux system" msgstr "Mises à jour automatiques dans un système Debian GNU/Linux" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:353 msgid "" "First of all, automatic updates are not fully recommended, since " "administrators should review the DSAs and understand the impact of any given " "security update." msgstr "" "Tout d'abord, les mises à jour automatiques ne sont pas vraiment " "recommandées car les administrateurs devraient vérifier les DSA et " "comprendre l'impact de toute mise à jour de sécurité donnée." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:355 msgid "If you want to update your system automatically you should:" msgstr "" "Si vous voulez mettre à jour le système automatiquement, vous devriez suivre " "les conseils suivants." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:362 msgid "" "Configure apt so that those packages that you do not want to " "update stay at their current version, either with apt's " "pinning feature or marking them as hold with dpkg or dselect." msgstr "" "Configurer apt pour interdire la mise à jour des paquets à " "garder dans leur version actuelle, soit avec la fonctionnalité d'étiquetage " "(pinning) d'apt, soit en les marquant comme hold (à garder) avec dpkg ou dselect." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:366 msgid "" "To pin the packages under a given release, you must edit /etc/apt/" "preferences (see ) and " "add:" msgstr "" "Pour conserver les paquets à une version donnée, vous devez éditer /" "etc/apt/preferences (consultez ) et ajouter :" #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:370 #, no-wrap msgid "" " Package: *\n" " Pin: release a=stable\n" " Pin-Priority: 100" msgstr "" " Package: *\n" " Pin: release a=stable\n" " Pin-Priority: 100" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:373 msgid "FIXME: verify if this configuration is OK." msgstr "FIXME : Vérifier si cette configuration est correcte." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:377 msgid "" "Either use cron-apt as described in " "and enable it to install downloaded packages or add a cron " "entry yourself so that the update is run daily, for example:" msgstr "" "Utiliser soit cron-apt comme décrit dans et l'activer " "pour installer les paquets récupérés, soit ajouter une entrée cron vous-même pour exécuter la mise à jour quotidiennement, par " "exemple :" #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:379 #, no-wrap msgid " apt-get update && apt-get -y upgrade" msgstr " apt-get update && apt-get -y upgrade" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:390 msgid "" "The -y option will have apt assume 'yes' for all the " "prompts that might arise during the update. In some cases, you might want to " "use the --trivial-only option instead of the --assume-yes " "(equivalent to -y).

You may also want to use the --" "quiet (-q) option to reduce the output of apt-get, which will stop the generation of any output if no packages are " "installed.

" msgstr "" "L'option -y forcera apt à répondre automatiquement oui " "aux questions lors de la mise à jour. Dans certains cas, vous pourriez " "préférer l'option --trivial-only à --assume-yes (qui est " "équivalent de -y).

Vous pourriez aussi utiliser " "l'option --quiet (-q) pour réduire la sortie d'apt-" "get, ce qui évitera la génération de message si aucun paquet n'est " "installé.

" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:395 msgid "" "Configure debconf so no questions will be asked during " "upgrades, so that they can be done non-interactively.

Note that " "some packages might not use debconf and updates will " "stall due to packages asking for user input during configuration.

" msgstr "" "Configurer debconf pour qu'il ne pose pas de " "question pendant les mises à jour, qui pourront ainsi être faites de façon " "non interactive.

Remarquez que certains paquets pourraient " "ne pas utiliser debconf et les mises à jour seront " "bloquées car les paquets attendront une réponse de l'administrateur pendant " "la configuration.

" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:399 msgid "" "Check the results of the cron execution, which will be mailed " "to the superuser (unless changed with MAILTO environment variable " "in the script)." msgstr "" "Vérifier les résultats de l'exécution de cron envoyés au " "superutilisateur (sauf si la variable d'environnement MAILTO est " "modifiée dans le script)." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:406 msgid "" "A safer alternative might be to use the -d (or --download-only) option, which will download but not install the necessary packages. " "Then if the cron execution shows that the system needs to be " "updated, it can be done manually." msgstr "" "Une alternative plus sûre peut être d'utiliser l'option -d (ou " "--download-only) pour télécharger les paquets nécessaires sans les " "installer. Puis, si l'exécution de cron indique que le système " "doit être mis à jour, cela peut être fait par l'administrateur." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:410 msgid "" "In order to accomplish any of these tasks, the system must be properly " "configured to download security updates as discussed in ." msgstr "" "Pour accomplir ces tâches, le système doit être configuré correctement pour " "télécharger les mises à jour de sécurité comme décrit en ." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:419 msgid "" "However, this is not recommended for unstable without careful " "analysis, since you might bring your system into an unusable state if some " "serious bug creeps into an important package and gets installed in your " "system. Testing is slightly more secure with regard to " "this issue, since serious bugs have a better chance of being detected before " "the package is moved into the testing branch (although, you may have no security updates available whatsoever)." msgstr "" "Cependant, cela n'est pas recommandé pour unstable sans analyse " "attentive, car vous pourriez placer le système dans un état inutilisable si " "un bogue sérieux s'introduit dans un paquet important et est installé sur le " "système. testing est un peu plus sûre de ce côté car les " "bogues sérieux ont une meilleure chance d'être détectés avant que le paquet " "n'entre dans la branche testing (cependant, vous pourriez n'avoir " "aucune mise à jour de sécurité disponible)." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:430 msgid "" "If you have a mixed distribution, that is, a stable installation " "with some packages updated to testing or unstable, you can " "fiddle with the pinning preferences as well as the --target-release " "option in apt-get to update only those packages that " "you have updated.

This is a common issue since many users want " "to maintain a stable system while updating some packages to unstable to gain the latest functionality. This need arises due to some projects " "evolving faster than the time between Debian's stable releases." msgstr "" "Si vous utilisez une distribution mixte, c'est-à-dire, une installation de " "stable avec des paquets mis à jour de testing ou " "d'unstable, vous pouvez jouer avec les préférences d'étiquetage et " "avec l'option --target-release d'apt-get pour ne " "mettre à jour que les paquets que vous avez mis à jour."

C'est un problème courant car beaucoup d'utilisateurs veulent " "conserver un système stable tout en mettant à jour certains paquets avec " "unstable pour obtenir les dernières fonctionnalités. Ce besoin " "provient de l'évolution plus rapide de certains projets que le temps mis par " "Debian pour publier une nouvelle version stable de sa distribution." "

" #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:432 msgid "Do periodic integrity checks" msgstr "Tests d'intégrité périodiques" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:438 msgid "" "Based on the baseline information you generated after installation (i.e. the " "snapshot described in ), you should be able to do an " "integrity check from time to time. An integrity check will be able to detect " "filesystem modifications made by an intruder or due to a system " "administrators mistake." msgstr "" "En vous basant sur les informations de base générées après l'installation " "(c'est-à-dire l'instantané décrit dans ), vous devriez pouvoir " "effectuer un test d'intégrité de temps en temps. Un test d'intégrité pourra " "détecter des modifications du système de fichiers réalisées par un intrus ou " "dues à une erreur de l'administrateur système." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:450 msgid "" "Integrity checks should be, if possible, done offline.

An easy " "way to do this is using a Live CD, such as which includes both the file integrity tools " "and the integrity database for your system.

That is, without " "using the operating system of the system to review, in order to avoid a " "false sense of security (i.e. false negatives) produced by, for example, " "installed rootkits. The integrity database that the system is checked " "against should also be used from read-only media." msgstr "" "Les tests d'intégrité devraient, si possible, être réalisés non connectés." "

Une façon aisée de faire cela est d'utiliser un CD autonome " "(Live CD), comme contenant à la fois les outils d'intégrité de fichier et la base de " "donnée du système.

C'est-à-dire, sans utiliser le système " "d'exploitation du système à contrôler, pour éviter un sentiment de sécurité " "erroné (c'est-à-dire des faux négatifs) produit, par exemple, par des " "rootkits installés. La base de données d'intégrité par rapport à laquelle le " "système est vérifiée devrait également être utilisée depuis un support en " "lecture seule." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:457 msgid "" "You can consider doing integrity checks online using any of the filesystem " "integrity tools available (described in ) if taking " "offline the system is not an option. However, precaution should be taken to " "use a read-only integrity database and also assure that the integrity " "checking tool (and the operating system kernel) has not been tampered with." msgstr "" "Vous pouvez envisager de faire des vérifications d'intégrité en ligne en " "utilisant l'un des outils d'intégrité de système de fichiers disponibles " "(décrits dans ) s'il n'est pas possible de " "déconnecter le système. Cependant, des précautions devraient être prises " "pour utiliser une base de données d'intégrité en lecture seule et également " "pour assurer que les outils de vérification d'intégrité (et le noyau du " "système d'exploitation) n'ont pas été falsifiés." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:465 msgid "" "Some of the tools mentioned in the integrity tools section, such as " "aide, integrit or samhain are already " "prepared to do periodic reviews (through the crontab in the first two cases " "and through a standalone daemon in samhain) and can warn the " "administrator through different channels (usually e-mail, but samhain can also send pages, SNMP traps or syslog alerts) when the filesystem " "changes." msgstr "" "Certains des outils mentionnés dans la section des outils d'intégrité, comme " "aide, integrit ou samhain, sont déjà " "préparés pour faire des vérifications périodiques (en utilisant la crontab " "dans les deux premiers cas et en utilisant un démon indépendant pour " "samhain) et ils peuvent avertir l'administrateur par différents " "moyens (habituellement par courriel, mais samhain peut " "également envoyer des pages, des alertes SNMP ou des alertes syslog) quand " "le système de fichiers est modifié." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:469 msgid "" "Of course, if you execute a security update of the system, the snapshot " "taken for the system should be re-taken to accommodate the changes done by " "the security update." msgstr "" "Bien sûr, si vous exécutez une mise à jour de sécurité du système, " "l'instantané pris pour le système devrait être régénéré pour prendre en " "compte les modifications réalisées par la mise à jour de sécurité." #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:472 msgid "Set up Intrusion Detection" msgstr "Mise en place de détection d'intrusion" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:479 msgid "" "Debian GNU/Linux includes tools for intrusion detection, which is the " "practice of detecting inappropriate or malicious activity on your local " "system, or other systems in your private network. This kind of defense is " "important if the system is very critical or you are truly paranoid. The most " "common approaches to intrusion detection are statistical anomaly detection " "and pattern-matching detection." msgstr "" "Debian contient certains outils pour la détection d'intrusion qui permettent " "de défendre le système local ou d'autres systèmes du même réseau. Ce type de " "défense est important si le système est très critique ou si vous êtes " "vraiment paranoïaque. Les approches de détection d'intrusion les plus " "communes sont la détection statistique d'anomalies et la détection de " "correspondance de modèle." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:484 msgid "" "Always be aware that in order to really improve the system's security with " "the introduction of any of these tools, you need to have an alert+response " "mechanism in place. Intrusion detection is a waste of time if you are not " "going to alert anyone." msgstr "" "Gardez toujours à l'esprit que, pour réellement améliorer la sécurité du " "système avec l'un de ces outils, vous devez disposer d'un mécanisme " "d'alerte et de réaction. Un système de détection d'intrusion est inutile si " "personne n'est prévenu." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:494 msgid "" "When a particular attack has been detected, most intrusion detection tools " "will either log the event with syslogd or send e-mail to the " "root user (the mail recipient is usually configurable). An administrator has " "to properly configure the tools so that false positives do not trigger " "alerts. Alerts may also indicate an ongoing attack and might not be useful, " "say, one day later, since the attack might have already succeeded. So be " "sure that there is a proper policy on handling alerts and that the technical " "mechanisms to implement this policy are in place." msgstr "" "Quand une attaque particulière est détectée, la plupart des outils de " "détection d'intrusion vont soit journaliser l'événement avec syslogd, soit envoyer des courriers au superutilisateur (le destinataire du " "courrier est habituellement configurable). Un administrateur doit configurer " "convenablement les outils pour éviter les fausses alertes. Les alertes " "peuvent également indiquer une attaque en cours et ne seraient pas très " "utiles un jour plus tard, puisque l'attaque pourrait déjà avoir été " "couronnée de succès. Assurez-vous donc qu'une règle de sécurité correcte a " "été mise en place vis-à-vis des alertes et que les mécanismes techniques " "pour l'implémenter sont en place." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:498 msgid "" "An interesting source of information is " msgstr "" "Une source d'informations intéressante est la ." #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:500 msgid "Network based intrusion detection" msgstr "Détection d'intrusion provenant du réseau" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:505 msgid "" "Network based intrusion detection tools monitor the traffic on a network " "segment and use this information as a data source. Specifically, the packets " "on the network are examined, and they are checked to see if they match a " "certain signature." msgstr "" "Les outils de détection d'intrusions provenant du réseau scrutent le trafic " "sur un segment de réseau et utilisent cette information comme source de " "données. Spécifiquement, les paquets du réseau sont examinés et ils sont " "vérifiés pour voir s'ils correspondent à une certaine signature." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:516 msgid "" "snort is a flexible packet sniffer or logger that detects " "attacks using an attack signature dictionary. It detects a variety of " "attacks and probes, such as buffer overflows, stealth port scans, CGI " "attacks, SMB probes, and much more. snort also has real-time " "alerting capability. You can use snort for a range of hosts on " "your network as well as for your own host. This is a tool which should be " "installed on every router to keep an eye on your network. Just install it " "with apt-get install snort, follow the questions, and watch it log. " "For a little broader security framework, see ." msgstr "" "snort est un renifleur flexible de paquets ou un " "journaliseur qui détecte les attaques selon un dictionnaire de signatures " "d'attaque. Il détecte diverses attaques et sondes, comme des débordements de " "capacité, des scans dissimulés de ports, des attaques CGI, des sondes " "SMB, etc. snort dispose également d'une capacité d'alerte en " "temps réel. Vous pouvez utiliser snort pour un certain nombre " "d'hôtes du réseau ainsi que pour l'hôte local. Cet outil peut être installé " "sur n'importe quel routeur pour garder un œil sur le réseau. Installez-le " "simplement avec apt-get install snort, suivez les questions et " "surveillez ses journaux. Pour une infrastructure de sécurité un peu plus " "large, regardez ." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:521 msgid "" "Debian's snort package has many security checks enabled " "by default. However, you should customize the setup to take into account the " "particular services you run on your system. You may also want to seek " "additional checks specific to these services." msgstr "" "Le paquet snort de Debian est installé avec de nombreuses " "vérifications de sécurité activées par défaut. Toutefois, vous devriez " "prendre le temps de personnaliser l'installation pour prendre en compte les " "services utilisés sur le système. Vous pourriez rechercher des vérifications " "supplémentaires spécifiques à ces services." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:528 msgid "" "There are other, simpler tools that can be used to detect network attacks. " "portsentry is an interesting package that can tip you off " "to port scans against your hosts. Other tools like ippl " "or iplogger will also detect some IP (TCP and ICMP) " "attacks, even if they do not provide the kind of advanced techniques " "snort does." msgstr "" "D'autres outils plus simples peuvent être utilisés pour détecter les " "attaques réseaux. portsentry est un paquet intéressant " "pour informer lorsqu'un scan du réseau est effectué sur site. D'autres " "outils comme ippl ou iplogger " "permettent de détecter certaines attaques IP (TCP et ICMP), même s'ils ne " "fournissent pas de techniques avancées pour détecter les attaques réseaux " "(comme le ferait snort)." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:532 msgid "" "You can test any of these tools with the Debian package idswakeup, a shell script which generates false alarms, and includes many " "common attack signatures." msgstr "" "Vous pouvez essayer chacun de ces outils avec le paquet Debian " "idswakeup, un générateur de fausses alertes et qui inclut " "un grand nombre de signature d'attaques communes." #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:534 msgid "Host based intrusion detection" msgstr "Détection d'intrusion fondée sur l'hôte" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:540 msgid "" "Host based intrusion detection involves loading software on the system to be " "monitored which uses log files and/or the systems auditing programs as a " "data source. It looks for suspicious processes, monitors host access, and " "may even monitor changes to critical system files." msgstr "" "La détection d'intrusion fondée sur l'hôte implique d'activer, sur le " "système à étudier, un logiciel qui utilise les journaux ou les programmes " "d'audit du système comme source de données. Il scrute les processus " "suspects, scrute les accès d'hôtes et peut même scruter les changements aux " "fichiers critiques du système." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:551 msgid "" "tiger is an older intrusion detection tool which has been " "ported to Debian since the Woody branch. tiger provides checks " "of common issues related to security break-ins, like password strength, file " "system problems, communicating processes, and other ways root might be " "compromised. This package includes new Debian-specific security checks " "including: MD5sums checks of installed files, locations of files not " "belonging to packages, and analysis of local listening processes. The " "default installation sets up tiger to run each day, generating " "a report that is sent to the superuser about possible compromises of the " "system." msgstr "" "tiger est un ancien outil de détection d'intrusion qui a " "été porté sous Debian depuis la distribution Woody. tiger " "fournit un ensemble de vérifications de problèmes communs liés aux failles " "de sécurité, il vérifie la robustesse des mots de passe, les problèmes de " "système de fichiers, les processus de communications et d'autres façons de " "compromettre le compte du superutilisateur. Ce paquet contient de nouvelles " "vérifications de sécurité spécifiques à Debian, y compris les vérifications " "de sommes de contrôle MD5 des fichiers installés, les emplacements de " "fichiers n'appartenant pas aux paquets et l'analyse des processus locaux à " "l'écoute. L'installation par défaut configure tiger pour être " "exécuté quotidiennement, en générant un compte-rendu envoyé au " "superutilisateur à propos des compromissions possibles du système." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:554 msgid "" "Log analysis tools, such as logcheck can also be used to " "detect intrusion attempts. See ." msgstr "" "Des outils d'analyse de journaux comme logcheck peuvent " "également être utilisés pour détecter des tentatives d'intrusions. Consultez " "." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:561 msgid "" "In addition, packages which monitor file system integrity (see ) can be quite useful in detecting anomalies in a secured " "environment. It is most likely that an effective intrusion will modify some " "files in the local file system in order to circumvent local security policy, " "install Trojans, or create users. Such events can be detected with file " "system integrity checkers." msgstr "" "De plus, des paquets scrutant l'intégrité du système de fichiers (consultez " ") peuvent être utiles dans la détection d'anomalies " "dans un environnement sécurisé. Une intrusion effective modifiera " "probablement certains fichiers du système de fichiers local pour court-" "circuiter les règles de sécurité locales, installer un cheval de Troie ou " "créer des utilisateurs. De tels événements peuvent être détectés avec les " "vérificateurs d'intégrité du système de fichiers." #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:563 msgid "Avoiding root-kits" msgstr "Éviter les rootkits" #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:565 msgid "Loadable Kernel Modules (LKM)" msgstr "Loadable Kernel Modules (LKM)" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:573 msgid "" "Loadable kernel modules are files containing dynamically loadable kernel " "components used to expand the functionality of the kernel. The main benefit " "of using modules is the ability to add additional devices, like an Ethernet " "or sound card, without patching the kernel source and recompiling the entire " "kernel. However, crackers are now using LKMs for root-kits (knark and " "adore), opening up back doors in GNU/Linux systems." msgstr "" "Les LKM (Loadable Kernel Modules ou modules de noyau chargeables) " "sont des fichiers contenant des composants de noyau chargeables " "dynamiquement utilisés pour étendre les fonctionnalités de noyau. Le " "principal avantage d'utiliser des modules est la possibilité d'ajouter des " "périphériques additionnels comme une carte réseau ou une carte son sans " "avoir à recompiler le noyau entièrement. Cependant certains pirates peuvent " "utiliser les LKM pour les rootkits (knark et adore) afin d'installer des " "portes dérobées sur des systèmes GNU/Linux." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:581 msgid "" "LKM back doors are more sophisticated and less detectable than traditional " "root-kits. They can hide processes, files, directories and even connections " "without modifying the source code of binaries. For example, a malicious LKM " "can force the kernel into hiding specific processes from procfs, so that even a known good copy of the binary ps would " "not list accurate information about the current processes on the system." msgstr "" "Les portes dérobées des LKM peuvent être plus sophistiquées et moins " "détectables que des rootkits traditionnels. Elles peuvent cacher des " "processus, des fichiers, des répertoires et même des connexions sans " "modifier les codes source des binaires. Par exemple, un LKM peut forcer le " "noyau à cacher des processus spécifiques dans procfs pour que " "même une bonne copie du binaire ps ne puisse donner des " "informations exactes à propos des processus actuels du système." #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:583 msgid "Detecting root-kits" msgstr "Détection des rootkits" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:588 msgid "" "There are two approaches to defending your system against LKM root-kits, a " "proactive defense and a reactive defense. The detection work can be simple " "and painless, or difficult and tiring, depending on the approach taken." msgstr "" "Il existe deux approches pour défendre le système contre les rootkits LKM, " "une défense proactive et une défense réactive. La détection peut être simple " "et sans douleur ou difficile et fatigante selon la mesure que vous " "choisissez." #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:590 msgid "Proactive defense" msgstr "Défense proactive" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:600 msgid "" "The advantage of this kind of defense is that it prevents damage to the " "system in the first place. One such strategy is getting there first, that is, loading an LKM designed to protect the system from other " "malicious LKMs. A second strategy is to remove capabilities from the kernel " "itself. For example, you can remove the capability of loadable kernel " "modules entirely. Note, however, that there are rootkits which might work " "even in this case, there are some that tamper with /dev/kmem " "(kernel memory) directly to make themselves undetectable." msgstr "" "L'avantage de ce type de défense est qu'elle prévient des dommages que " "pourrait entraîner un rootkit au système. Une telle stratégie est de les " "attraper en premier, c'est-à-dire de charger un LKM bien défini pour " "protéger le système d'autres LKM infectés. Une deuxième stratégie consiste à " "retirer la fonctionnalité de chargement des modules du noyau lui-même. " "Notez, cependant, qu'il existe des rootkits qui peuvent fonctionner même " "dans ce cas, certains altèrent même directement /dev/kmem (la " "mémoire du noyau) pour se rendre indétectables." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:603 msgid "" "Debian GNU/Linux has a few packages that can be used to mount a proactive " "defense:" msgstr "" "Debian GNU/Linux fournit quelques paquets à utiliser pour mettre en place " "une défense proactive :" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:653 msgid "" "lcap - A user friendly interface to remove " "capabilities (kernel-based access control) in the kernel, making " "the system more secure. For example, executing lcap CAP_SYS_MODULE " "

There are over 28 capabilities including: CAP_BSET, " "CAP_CHOWN, CAP_FOWNER, CAP_FSETID, " "CAP_FS_MASK, CAP_FULL_SET, CAP_INIT_EFF_SET, " "CAP_INIT_INH_SET, CAP_IPC_LOCK, CAP_IPC_OWNER, " "CAP_KILL, CAP_LEASE, CAP_LINUX_IMMUTABLE, " "CAP_MKNOD, CAP_NET_ADMIN, CAP_NET_BIND_SERVICE, " "CAP_NET_RAW, CAP_SETGID, CAP_SETPCAP, " "CAP_SETUID, CAP_SYS_ADMIN, CAP_SYS_BOOT, " "CAP_SYS_CHROOT, CAP_SYS_MODULE, CAP_SYS_NICE, " "CAP_SYS_PACCT, CAP_SYS_PTRACE, CAP_SYS_RAWIO, " "CAP_SYS_RESOURCE, CAP_SYS_TIME, and " "CAP_SYS_TTY_CONFIG. All of them can be de-activated to harden your " "kernel.

will remove module loading capabilities (even for the " "root user).

You don't need to install lcap to " "do this, but it's easier than setting /proc/sys/kernel/cap-bound by hand.

There is some (old) information on " "capabilities at Jon Corbet's section on LWN (dated December 1999)." msgstr "" "lcap — interface utilisateur agréable pour retirer les " "fonctionnalités (contrôle d'accès basé sur le noyau) dans le noyau, " "rendant le système plus sécurisé. Par exemple, exécuter lcap " "CAP_SYS_MODULE

28 fonctionnalités existent, y " "compris : CAP_BSET, CAP_CHOWN, CAP_FOWNER, " "CAP_FSETID, CAP_FS_MASK, CAP_FULL_SET, " "CAP_INIT_EFF_SET, CAP_INIT_INH_SET, CAP_IPC_LOCK, " "CAP_IPC_OWNER, CAP_KILL, CAP_LEASE, " "CAP_LINUX_IMMUTABLE, CAP_MKNOD, CAP_NET_ADMIN, " "CAP_NET_BIND_SERVICE, CAP_NET_RAW, CAP_SETGID, " "CAP_SETPCAP, CAP_SETUID, CAP_SYS_ADMIN, " "CAP_SYS_BOOT, CAP_SYS_CHROOT, CAP_SYS_MODULE, " "CAP_SYS_NICE, CAP_SYS_PACCT, CAP_SYS_PTRACE, " "CAP_SYS_RAWIO, CAP_SYS_RESOURCE, CAP_SYS_TIME et " "CAP_SYS_TTY_CONFIG. Elles peuvent être toutes désactivées pour " "renforcer le noyau.

enlèvera des fonctionnalités de " "chargement des modules (même pour le superutilisateur).

Vous " "n'avez pas besoin d'installer lcap pour faire cela, mais " "c'est plus facile que de configurer /proc/sys/kernel/cap-bound " "soi-même.

De vieilles informations sur ces fonctionnalités " "sont dans la section de Jon Corbet sur LWN datant de décembre 1999." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:664 msgid "" "If you don't really need many kernel features on your GNU/Linux system, you " "may want to disable loadable modules support during kernel configuration. To " "disable loadable module support, just set CONFIG_MODULES=n during the " "configuration stage of building your kernel, or in the .config " "file. This will prevent LKM root-kits, but you lose this powerful feature of " "the Linux kernel. Also, disabling loadable modules can sometimes overload " "the kernel, making loadable support necessary." msgstr "" "Si vous n'avez pas besoin de toutes ces fonctionnalités de noyau sur un " "système GNU/Linux, vous pourriez désactiver la prise en charge des modules " "chargeables lors de la configuration du noyau. Pour désactiver la prise en " "charge des modules chargeables, positionnez simplement CONFIG_MODULES=n lors " "de l'étape de configuration de construction du noyau ou dans le fichier " ".config. Cela prévient des rootkits LKM mais vous ne pourrez " "plus utiliser les modules avec le noyau GNU/Linux. La désactivation des " "modules peut surcharger le noyau, rendant la gestion du chargement " "nécessaire." #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:666 msgid "Reactive defense" msgstr "Défense réactive" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:672 msgid "" "The advantage of a reactive defense is that it does not overload system " "resources. It works by comparing the system call table with a known clean " "copy in a disk file, System.map. Of course, a reactive defense " "will only notify the system administrator after the system has already been " "compromised." msgstr "" "L'avantage d'une défense réactive est qu'elle représente une faible " "surcharge au niveau des ressources systèmes. Elle fonctionne en comparant la " "table des appels systèmes avec une copie sûre d'un fichier du disque, " "System.map. Bien sûr, une défense réactive n'avertira " "l'administrateur qu'après la compromission du système." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:677 msgid "" "Detection of some root-kits in Debian can be accomplished with the " "chkrootkit package. The program checks for signs of several known root-" "kits on the target system, but is not a definitive test." msgstr "" "La détection des rootkits dans Debian peut être accomplie avec le paquet " "chkrootkit. Le programme cherche des signes de présence de plusieurs " "rootkits connus sur le système local, mais ce n'est pas un test définitif." #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:679 msgid "Genius/Paranoia Ideas — what you could do" msgstr "Idées géniales ou paranoïaques — ce que vous pourriez faire" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:684 msgid "" "This is probably the most unstable and funny section, since I hope that some " "of the \"duh, that sounds crazy\" ideas might be realized. The following are " "just some ideas for increasing security — maybe genius, paranoid, " "crazy or inspired depending on your point of view." msgstr "" "C'est probablement la section la plus instable et la plus amusante, car " "j'espère que quelques-unes des idées « bah, ça semble dingue » " "pourraient être réalisées. Vous trouverez ci-dessous certaines idées pour " "améliorer la sécurité — suivant votre point de vue vous les " "qualifierez de géniales, paranoïaques, folles ou inspirées." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:692 msgid "" "Playing around with Pluggable Authentication Modules (PAM). As quoted in the " "Phrack 56 PAM article, the nice thing about PAM is that \"You are limited " "only by what you can think of.\" It is true. Imagine root login only being " "possible with fingerprint or eye scan or cryptocard (why did I use an OR " "conjunction instead of AND?)." msgstr "" "S'amuser avec PAM (Pluggable Authentication Modules). Conformément à " "l'article PAM du phrack 56, ce qui est bien avec PAM, c'est qu'« il n'est " "limité que par votre imagination ». C'est vrai. Imaginez une connexion de " "superutilisateur seulement possible avec empreinte digitale ou un scan de " "l'œil ou une cryptocarte (pourquoi ai-je fait une conjonction de OU et " "pas de ET ici ?)." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:698 msgid "" "Fascist Logging. I would refer to all the previous logging discussion above " "as \"soft logging\". If you want to perform real logging, get a printer with " "fanfold paper, and send all logs to it. Sounds funny, but it's reliable and " "it cannot be tampered with or removed." msgstr "" "Journalisation fasciste. Je voudrais dire que tout ce dont nous avons " "discuté plus haut est de la « journalisation douce ». Si vous " "voulez effectuer une vraie journalisation, procurez-vous une imprimante avec " "du papier listing et journalisez tout en l'imprimant. Cela semble amusant, " "mais c'est fiable et ne peut être supprimé, ni altéré." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:707 msgid "" "CD distribution. This idea is very easy to realize and offers pretty good " "security. Create a hardened Debian distribution, with proper firewall rules. " "Turn it into a boot-able ISO image, and burn it on a CDROM. Now you have a " "read-only distribution, with about 600 MB space for services. Just make sure " "all data that should get written is done over the network. It is impossible " "for intruders to get read/write access on this system, and any changes an " "intruder does make can be disabled with a reboot of the system." msgstr "" "Distribution CD. Cette idée est très simple à réaliser et offre une assez " "bonne sécurité. Créez une distribution Debian durcie, avec les règles de " "pare-feu adéquate, faites-en une image ISO amorçable et gravez-la sur un CD. " "Vous avez maintenant une bonne distribution en lecture seule avec environ " "600 Mo d'espace pour les services. Assurez-vous juste que toutes les " "données qui devraient être écrites soient écrites sur le réseau. Il est " "impossible pour des intrus d'obtenir un accès en lecture et écriture sur ce " "système et toute modification réalisée par un intrus sera désactivée avec un " "redémarrage du système." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:712 msgid "" "Switch module capability off. As discussed earlier, when you disable the " "usage of kernel modules at kernel compile time, many kernel based back doors " "are impossible to implement because most are based on installing modified " "kernel modules." msgstr "" "Désactiver la prise en charge des modules. Comme décrit auparavant, une fois " "désactivée l'utilisation des modules du noyau à la compilation, beaucoup de " "portes dérobées basées sur le noyau sont impossibles à implémenter car la " "plupart d'entre elles sont basées sur l'installation de modules du noyau " "modifiés." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:725 msgid "" "Logging through serial cable (contributed by Gaby Schilders). As long as " "servers still have serial ports, imagine having one dedicated logging system " "for a number of servers. The logging system is disconnected from the " "network, and connected to the servers via a serial-port multiplexer " "(Cyclades or the like). Now have all your servers log to their serial ports, " "write only. The log-machine only accepts plain text as input on its serial " "ports and only writes to a log file. Connect a CD/DVD-writer, and transfer " "the log file to it when the log file reaches the capacity of the media. Now " "if only they would make CD writers with auto-changers... Not as hard copy as " "direct logging to a printer, but this method can handle larger volumes and " "CD-ROMs use less storage space." msgstr "" "Journalisation par câble série (contribution de Gaby Schilders). Tant que " "les serveurs ont des ports série, imaginez une machine dédiée à la " "journalisation pour un certain nombre de serveurs. Le système de " "journalisation serait déconnecté du réseau, et connecté aux serveurs par un " "multiplexeur de ports série (cyclades ou similaire). Maintenant faites " "journaliser vos serveurs par leurs ports série en écriture seule. La machine " "de journalisation n'accepterait que du texte en clair en entrée sur ses " "ports séries et n'écrirait que sur un fichier journal. Branchez un graveur " "de CD ou DVD et transférez-y les fichiers journaux quand le fichier journal " "atteint la capacité du support. Maintenant il ne manque plus qu'un graveur " "avec chargeur de CD automatique… Pas autant « copie en dur » que la " "journalisation directe vers l'imprimante, mais cette méthode peut gérer de " "larges volumes et les CD prennent moins d'espace de stockage." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:736 msgid "" "Change file attributes using chattr (taken from the Tips-HOWTO, " "written by Jim Dennis). After a clean install and initial configuration, use " "the chattr program with the +i attribute to make files " "unmodifiable (the file cannot be deleted, renamed, linked or written to). " "Consider setting this attribute on all the files in /bin, " "/sbin/, /usr/bin, /usr/sbin, /" "usr/lib and the kernel files in root. You can also make a copy of all " "files in /etc/, using tar or the like, and mark " "the archive as immutable." msgstr "" "Modifiez les attributs de tous les fichiers avec chattr (tiré " "du Tips-HOWTO écrit par Jim Dennis). Tout de suite après avoir installé et " "configuré initialement le système, utilisez le programme chattr " "avec l'attribut +i pour rendre les fichiers non-modifiables (le " "fichier ne peut être supprimé, renommé, lié ou réécrit). Envisagez de " "positionner cet attribut sur tous les fichiers de /bin, /" "sbin/, /usr/bin, /usr/sbin, /usr/lib et tous les fichiers noyau de la racine. Vous pouvez également faire " "une copie de tous les fichiers de /etc/, en utilisant " "tar, et marquer l'archive comme immuable." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:742 msgid "" "This strategy will help limit the damage that you can do when logged in as " "root. You won't overwrite files with a stray redirection operator, and you " "won't make the system unusable with a stray space in a rm -fr " "command (you might still do plenty of damage to your data — but your " "libraries and binaries will be safer)." msgstr "" "Cette stratégie permettra de limiter les dégâts possibles une fois connecté " "en superutilisateur. Cela empêchera d'écraser des fichiers avec un opérateur " "de redirection mal placé, de rendre le système inutilisable avec une espace " "mal placée dans une commande rm -rf (il est toujours possible " "de faire pas mal de dégâts aux données, mais les bibliothèques et binaires " "seront mieux protégés)." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:747 msgid "" "This strategy also makes a variety of security and denial of service (DoS) " "exploits either impossible or more difficult (since many of them rely on " "overwriting a file through the actions of some SETUID program that isn't " "providing an arbitrary shell command)." msgstr "" "Cela limite aussi la réalisation d'un grand nombre d'exploitations de faille " "de sécurité et de dénis de service (car beaucoup d'entre eux dépendent de " "l'écrasement d'un fichier par les actions d'un programme SETUID qui ne " "fournit aucune invite de commandes)." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:757 msgid "" "One inconvenience of this strategy arises during building and installing " "various system binaries. On the other hand, it prevents the make " "install from over-writing the files. When you forget to read the " "Makefile and chattr -i the files that are to be overwritten, " "(and the directories to which you want to add files) ‐ the make command " "fails, and you just use the chattr command and rerun it. You " "can also take that opportunity to move your old bin's and libs out of the " "way, into a .old/ directory or tar archive for example." msgstr "" "Un inconvénient de cette stratégie survient lorsque vous compilez et " "installez divers binaires système. D'un autre côté, cela empêche aussi le " "make install d'écraser les fichiers. Quand vous oubliez de lire " "le Makefile et de faire un chattr -i sur les fichiers qui vont " "être réécrits (et sur les répertoires auxquels vous voulez ajouter des " "fichiers), la commande make échoue ; utilisez simplement la commande chattr et relancez-la. Vous pouvez aussi profiter de l'occasion pour déplacer " "vos vieux binaires et bibliothèques dans un répertoire .old/ ou dans une " "archive tar par exemple." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:763 msgid "" "Note that this strategy also prevents you from upgrading your system's " "packages, since the files updated packages provide cannot be overwritten. " "You might want to have a script or other mechanism to disable the immutable " "flag on all binaries right before doing an apt-get update." msgstr "" "Remarquez que cette stratégie empêche aussi de mettre à jour les paquets du " "système car les fichiers existants ne peuvent être remplacés, vous pourriez " "donc avoir un mécanisme pour désactiver l'attribut immuable sur tous les " "binaires juste avant de faire un apt-get update." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:768 msgid "" "Play with UTP cabling in a way that you cut 2 or 4 wires and make the cable " "one-way traffic only. Then use UDP packets to send information to the " "destination machine which can act as a secure log server or a credit card " "storage system." msgstr "" "Couper 2 ou 4 fils du câble réseau afin de rendre les communications UDP " "unidirectionnelles. Ensuite, utilisez des paquets UDP pour envoyer des " "informations à la machine destinatrice qui peut agir en tant que serveur de " "journalisation sécurisé ou système de stockage de carte de crédit." #. type: #: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:772 msgid "Building a honeypot" msgstr "Construction d'un pot de miel" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:779 msgid "" "A honeypot is a system designed to teach system administrators how crackers " "probe for and exploit a system. It is a system setup with the expectation " "and goal that the system will be probed, attacked and potentially exploited. " "By learning the tools and methods employed by the cracker, a system " "administrator can learn to better protect their own systems and network." msgstr "" "Un pot de miel est un système conçu pour apprendre aux administrateurs " "système les techniques de sondage et d'exploitation des attaquants. Il " "s'agit d'une configuration système qui a pour but d'être sondée, attaquée et " "potentiellement exploitée. En apprenant les outils et méthodes utilisées par " "l'attaquant, un administrateur système peut apprendre à mieux protéger ses " "propres systèmes et son réseau." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:791 msgid "" "Debian GNU/Linux systems can easily be used to setup a honeynet, if you " "dedicate the time to implement and monitor it. You can easily setup the fake " "honeypot server as well as the firewall

You will typically use a " "bridge firewall so that the firewall itself is not detectable, see .

that controls the honeynet and some sort of " "network intrusion detector, put it on the Internet, and wait. Do take care " "that if the system is exploited, you are alerted in time (see ) so that you can take appropriate measures and terminate the " "compromise when you've seen enough. Here are some of the packages and issues " "to consider when setting up your honeypot:" msgstr "" "Un système Debian GNU/Linux peut facilement être configuré comme un pot de " "miel, si vous y consacrez le temps de l'implémenter et de le surveiller. " "Vous pouvez facilement mettre en place le serveur de pot de miel factice " "ainsi que le pare-feu

Vous utiliserez généralement un pare-feu " "pont pour que le pare-feu lui-même ne soit pas détectable, consultez .

qui contrôle le pot de miel et un certain " "type de détecteur d'intrusion réseau, placez-le sur Internet et attendez. " "Prenez soin de vous assurer d'être averti à temps (consultez ) si le système est victime d'une exploitation pour que vous " "puissiez prendre des mesures appropriées et mettre un terme à la " "compromission après en avoir assez vu. Voici quelques paquets et problèmes à " "considérer lors de la configuration de pot de miel :" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:796 msgid "The firewall technology you will use (provided by the Linux kernel)." msgstr "" "la technologie pare-feu dont vous aurez besoin (fournie par les noyaux " "Linux) ;" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:799 msgid "" "syslog-ng, useful for sending logs from the honeypot to a " "remote syslog server." msgstr "" "syslog-ng pour envoyer les journaux du pot de miel vers " "un serveur de journalisation système distant ;" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:802 msgid "" "snort, to set up capture of all the incoming network " "traffic to the honeypot and detect the attacks." msgstr "" "snort pour configurer la capture de tout le trafic réseau " "arrivant sur le pot de miel et détecter les attaques ;" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:805 msgid "" "osh, a SETUID root, security enhanced, restricted shell " "with logging (see Lance Spitzner's article below)." msgstr "" "osh, un interpréteur de commande restreint à sécurité " "améliorée et SETUID root avec journalisation (consultez l'article de Lance " "Spitzner référencé ci-dessous) ;" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:810 msgid "" "Of course, all the daemons you will be using for your fake server honeypot. " "Depending on what type of attacker you want to analyse you will or will " "not harden the honeypot and keep it up to date with security " "patches." msgstr "" "tous les démons à utiliser pour le serveur factice pot de miel. Selon le " "type d'attaque que vous voulez analyser, vous renforcerez ou non le " "pot de miel et vous le conserverez ou non à jour avec les mises à jour de " "sécurité ;" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:813 msgid "" "Integrity checkers (see ) and The Coroner's Toolkit " "(tct) to do post-attack audits." msgstr "" "des vérificateurs d'intégrité (consultez ) et la " "boîte à outils du légiste (The Coroner's Toolkit (tct)) " "pour faire des audits après l'attaque ;" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:818 msgid "" "honeyd and farpd to setup a honeypot " "that will listen to connections to unused IP addresses and forward them to " "scripts simulating live services. Also check out iisemulator." msgstr "" "honeyd et farpd pour mettre en place " "un pot de miel qui écoutera les connexions vers des adresses IP non " "utilisées et les fera suivre vers des scripts simulant des services actifs. " "Regardez également iisemulator ;" #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:821 msgid "" "tinyhoneypot to setup a simple honeypot server with fake " "services." msgstr "" "tinyhoneypot pour mettre en place un serveur pot de miel " "simple avec des services factices." #. type:

#: securing-debian-howto.en.sgml:58 en/before-compromise.sgml:831 msgid "" "If you cannot use spare systems to build up the honeypots and the network " "systems to protect and control it you can use the virtualisation technology " "available in xen or uml (User-Mode-Linux). If you " "take this route you will need to patch your kernel with either " "kernel-patch-xen or kernel-patch-uml." msgstr "" "Si vous ne pouvez pas utiliser des systèmes de réserve pour construire les " "pots de miel et les systèmes réseau pour le protéger et le contrôler, vous " "pouvez utiliser la technologie de virtualisation disponible dans xen ou uml (User-Mode-Linux). Si vous choisissez cette route, " "vous devrez modifier le noyau soit avec kernel-patch-xen, " "soit avec kernel-patch-uml, ou encore installer l'un des " "noyaux précompilés disponibles depuis Debian Lenny." #. type:

#: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:3 msgid "" "You can read more about building honeypots in Lanze Spitzner's excellent " "article (from the Know your Enemy " "series). Also, the provides valuable information about building honeypots and " "auditing the attacks made on them." msgstr "" "Vous pouvez en lire plus sur la construction des pots de miel dans " "l'excellent article de Lance " "Spitzner (dans la série des « connaissez votre ennemi »). De même, le fournit des " "informations utiles sur la façon de configurer un pot de miel et de " "contrôler les résultats d'une attaque." #. type: #: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:5 msgid "After the compromise (incident response)" msgstr "Après la compromission (la réponse à l'incident)" #. type: #: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:7 msgid "General behavior" msgstr "Comportement général" #. type:

#: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:14 msgid "" "If you are physically present when an attack is happening, your first " "response should be to remove the machine from the network by unplugging the " "network card (if this will not adversely affect any business transactions). " "Disabling the network at layer 1 is the only true way to keep the attacker " "out of the compromised box (Phillip Hofmeister's wise advice)." msgstr "" "Si vous êtes physiquement présent quand l'attaque se déroule et que faire ce " "qui suit n'a pas d'effet fâcheux sur vos transactions commerciales, la " "première réaction devrait être de débrancher simplement la machine du réseau " "en débranchant la carte réseau. La désactivation du réseau à la première " "couche est le seul vrai moyen de garder un attaquant en dehors d'une machine " "compromise (conseil avisé de Phillip Hofmeister)." #. type:

#: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:35 msgid "" "However, some tools installed by rootkits, trojans and, even, a rogue user " "connected through a back door, might be capable of detecting this event and " "react to it. Seeing a rm -rf / executed when you unplug the network " "from the system is not really much fun. If you are unwilling to take the " "risk, and you are sure that the system is compromised, you should unplug " "the power cable (all of them if more than one) and cross your fingers. " "This may be extreme but, in fact, will avoid any logic-bomb that the " "intruder might have programmed. In this case, the compromised system " "should not be re-booted. Either the hard disks should be moved to " "another system for analysis, or you should use other media (a CD-ROM) to " "boot the system and analyze it. You should not use Debian's rescue " "disks to boot the system, but you can use the shell provided by the " "installation disks (remember, Alt+F2 will take you to it) to analyze " "

If you are adventurous, you can login to the system and save " "information on all running processes (you'll get a lot from /proc/nnn/). It " "is possible to get the whole executable code from memory, even if the " "attacker has deleted the executable files from disk. Then pull the power " "cord.

the system." msgstr "" "Cependant, certains outils installés à l'aide d'un rootkit, d'un " "cheval de Troie ou même d'un utilisateur malhonnête connecté par une porte " "dérobée (backdoor), pourraient être capables de détecter cet évènement et " "d'y réagir. Voir un rm -rf / s'exécuter au moment de débrancher le " "réseau du système n'est pas vraiment très drôle. Si vous ne désirez pas " "prendre ce risque et que vous êtes certain que le système est compromis, " "vous devriez débrancher le câble d'alimentation (voire tous, s'il y " "en a plusieurs) et croiser les doigts. Cela peut sembler extrême, mais en " "fait cela désamorcera toute bombe à retardement que l'intrus pourrait avoir " "programmé. Dans ce cas, le système compromis ne doit pas être redémarré. Soit le disque dur devrait être déplacé sur un autre système pour " "analyse, soit vous devriez utiliser un autre support (un CD) pour amorcer le " "système et pour l'analyser. Vous ne devriez pas utiliser les " "disquettes de récupération de Debian pour amorcer le système, mais vous " "pouvez utiliser l'invite de commande fournie par les disquettes " "d'installation (Alt+F2 pour l'atteindre) pour analyser

Si vous " "êtes aventureux, vous pouvez vous connecter au système et sauver les " "informations sur tous les processus en fonctionnement (vous en aurez " "beaucoup dans /proc/nnn/). Il est possible d'avoir l'intégralité du code " "exécutable depuis la mémoire, même si l'attaquant a supprimé les fichiers " "exécutables du disque. Puis tirez sur le cordon d'alimentation.

le système." #. type:

#: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:51 msgid "" "The most recommended method for recovering a compromised system is to use a " "live-filesystem on CD-ROM with all the tools (and kernel modules) you might " "need to access the compromised system. You can use the mkinitrd-cd package to build such a CD-ROM

In fact, this is the " "tool used to build the CD-ROMs for the project (a firewall on a live CD-ROM based on the Debian " "distribution).

. You might find the (previously called Biatchux) CD-ROM useful here " "too, since it's also a live CD-ROM with forensic tools useful in these " "situations. There is not (yet) a Debian-based tool such as this, nor an easy " "way to build the CD-ROM using your own selection of Debian packages and " "mkinitrd-cd (so you'll have to read the documentation " "provided with it to make your own CD-ROMs)." msgstr "" "La méthode recommandée pour récupérer un système compromis est d'utiliser un " "CD autonome avec tous les outils (et les modules du noyau) dont vous pouvez " "avoir besoin pour accéder au système compromis. Vous pouvez utiliser le " "paquet mkinitrd-cd pour construire un tel " "CD

En fait, c'est l'outil utilisé pour construire les CD pour le " "projet (un pare-feu " "sur un CD autonome basé sur la distribution Debian).

. Vous " "pourriez également trouver le CD (anciennement appelé Biatchux) utile ici, car il s'agit d'un CD " "autonome avec des outils d'analyse post mortem utiles dans ces situations. " "Il n'y a pas (encore) d'outil basé sur Debian comme celui-ci, ni de moyen " "simple de construire un CD en utilisant sa propre sélection de paquets " "Debian et mkinitrd-cd (vous devrez donc lire la " "documentation fournie avec celui-ci pour faire vos propres CD)." #. type:

#: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:65 msgid "" "If you really want to fix the compromise quickly, you should remove the " "compromised host from your network and re-install the operating system from " "scratch. Of course, this may not be effective because you will not learn how " "the intruder got root in the first place. For that case, you must check " "everything: firewall, file integrity, log host, log files and so on. For " "more information on what to do following a break-in, see or SANS's ." msgstr "" "Si vous voulez colmater la brèche de sécurité vraiment rapidement, vous " "devriez retirer l'hôte compromis du réseau et réinstaller le système " "d'exploitation à partir de zéro. Cela pourrait n'avoir aucun effet si vous " "ne savez pas comment l'intrus a obtenu les droits du superutilisateur. Dans " "ce cas vous devez tout vérifier : pare-feu, intégrité des fichiers, les " "différents journaux de l'hôte de journalisation, etc. Pour plus " "d'informations sur la marche à suivre après une intrusion, reportez-vous aux " "documents ou ." #. type:

#: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:68 msgid "" "Some common questions on how to handle a compromised Debian GNU/Linux system " "are also available in ." msgstr "" "Certaines questions générales sur la façon de gérer un système Debian GNU/" "Linux compromis sont également disponibles dans ." #. type: #: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:70 msgid "Backing up the system" msgstr "Copies de sauvegarde du système" #. type:

#: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:75 msgid "" "Remember that if you are sure the system has been compromised you cannot " "trust the installed software or any information that it gives back to you. " "Applications might have been trojanized, kernel modules might be installed, " "etc." msgstr "" "Rappelez-vous que si vous êtes certain que le système a été compromis, vous " "ne pouvez pas faire confiance aux logiciels qui s'y trouvent ou à n'importe " "quelle autre information qu'il vous donne. Les applications pourraient " "dissimuler un cheval de Troie, des modules pourraient être installés dans le " "noyau, etc." #. type:

#: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:84 msgid "" "The best thing to do is a complete file system backup copy (using dd) after booting from a safe medium. Debian GNU/Linux CD-ROMs can be " "handy for this since they provide a shell in console 2 when the installation " "is started (jump to it using Alt+2 and pressing Enter). From this shell, " "backup the information to another host if possible (maybe a network file " "server through NFS/FTP). Then any analysis of the compromise or re-" "installation can be performed while the affected system is offline." msgstr "" "La meilleure chose à faire est une sauvegarde complète du système de " "fichiers (en utilisant dd) après avoir démarré depuis un " "support sûr. Les CD Debian GNU/Linux peuvent être utiles pour cela, car une " "console en mode texte est disponible dans le deuxième terminal une fois " "l'installateur démarré (allez-y en pressant CTRL+ALT+F2 suivi de la touche " "« Entrée »). À partir de cette console, sauvegardez les " "informations ailleurs si possible (éventuellement sur un serveur de fichiers " "par NFS ou FTP). Par la suite, vous pourrez analyser les informations " "pendant que le système compromis est hors-ligne ou réinstallé." #. type:

#: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:89 msgid "" "If you are sure that the only compromise is a Trojan kernel module, you can " "try to run the kernel image from the Debian CD-ROM in rescue mode. " "Make sure to startup in single user mode, so no other Trojan " "processes run after the kernel." msgstr "" "Si vous êtes certain que la seule compromission est un cheval de Troie dans " "l'un des modules du noyau, vous pouvez tenter d'exécuter le noyau à partir " "du CD en mode rescue. Assurez-vous aussi de démarrer en mode " "single user de façon à ce qu'aucun autre cheval de Troie ne " "s'exécute après le redémarrage." #. type: #: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:90 msgid "Contact your local CERT" msgstr "Contacter le CERT local" #. type:

#: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:121 msgid "" "The CERT (Computer and Emergency Response Team) is an organization that can " "help you recover from a system compromise. There are CERTs worldwide " "

This is a list of some CERTs, for a full list look at the (FIRST is the Forum of Incident Response and " "Security Teams): " "(Australia), " "(Mexico) " "(Finland), (Germany), " " (Germany), (Italy), (Japan), (Norway), (Croatia) (Poland), " "(Russia), " "(Slovenia) " "(Spain), " "(Switzerland), " "(Taiwan), and (US).

and you should contact your local CERT in the event of a security " "incident which has lead to a system compromise. The people at your local " "CERT can help you recover from it." msgstr "" "Le CERT (Computer and Emergency Response Team) est une organisation " "qui peut vous aider à récupérer un système compromis. Il y a des CERT " "partout dans le monde

Voici une liste de quelques CERT. Pour la " "liste complète, consultez le " "(FIRST est le Forum of Incident Response and Security Teams) : " " (Australie), (Mexique) (Finlande), (Allemagne), (Allemagne), (Italie), (Japon), (Norvège), (Croatie) " "(Pologne), (Russie), (Slovénie) (Espagne), (Suisse), (Taïwan) et (États-Unis).

et vous " "devriez contacter le CERT local en cas d'incident de sécurité qui a conduit " "à une compromission système. Les personnes du CERT local peuvent vous aider " "à le récupérer." #. type:

#: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:135 msgid "" "Providing your local CERT (or the CERT coordination center) with information " "on the compromise even if you do not seek assistance can also help others " "since the aggregate information of reported incidents is used in order to " "determine if a given vulnerability is in wide spread use, if there is a new " "worm aloft, which new attack tools are being used. This information is used " "in order to provide the Internet community with information on the , and to publish and even . For more detailed information read on how (and why) to " "report an incident read ." msgstr "" "Fournir au CERT (ou au centre de coordination CERT) des informations sur la " "compromission, même si vous ne demandez pas d'aide, peut également aider " "d'autres personnes car les informations agrégées des incidents signalés sont " "utilisées pour déterminer si une faille donnée est répandue, s'il y a un " "nouveau ver dans la nature, les nouveaux outils d'attaque utilisés. Ces " "renseignements sont utilisés pour fournir à la communauté Internet des " "informations sur les et pour publier des et " "même des . Pour " "des informations plus détaillées sur la façon (et les raisons) de rendre " "compte d'un incident, veuillez consulter les ." #. type:

#: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:144 msgid "" "You can also use less formal mechanisms if you need help for recovering from " "a compromise or want to discuss incident information. This includes the and the ." msgstr "" "Vous pouvez également utiliser un mécanisme moins formel si vous avez besoin " "d'aide pour récupérer un système compromis ou si vous voulez discuter " "d'informations d'incident, comme la et la ." #. type: #: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:146 msgid "Forensic analysis" msgstr "Analyse post mortem" #. type:

#: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:157 msgid "" "If you wish to gather more information, the tct (The " "Coroner's Toolkit from Dan Farmer and Wietse Venema) package contains " "utilities which perform a post mortem analysis of a system. " "tct allows the user to collect information about deleted " "files, running processes and more. See the included documentation for more " "information. These same utilities and some others can be found in by Brian " "Carrier, which provides a web front-end for forensic analysis of disk " "images. In Debian you can find both sleuthkit (the tools) " "and autopsy (the graphical front-end)." msgstr "" "Si vous souhaitez rassembler plus d'informations, le paquet tct (The Coroner's Toolkit de Dan Farmer et Wietse Venema) contient des " "utilitaires pour effectuer une analyse post mortem d'un système. " "tct permet à l'utilisateur de collecter des informations " "sur les fichiers effacés, les processus qui s'exécutent et plus. Consultez " "la documentation fournie pour plus d'informations. Ces utilitaires, ainsi " "que quelques autres, sont disponibles dans de Brian Carrier. Ils permettent " "l'analyse post mortem d'une image des disques par une interface Web. Dans " "Debian, vous trouverez les paquets sleuthkit (les outils) " "et autopsy (l'interface graphique)." #. type:

#: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:161 msgid "" "Remember that forensics analysis should be done always on the backup copy of " "the data, never on the data itself, in case the data is altered " "during analysis and the evidence is lost." msgstr "" "N'oubliez pas que l'analyse post mortem devrait toujours être faite sur une " "copie des données et jamais sur les données elles-mêmes. Si ces " "dernières sont altérées par cette analyse, vous pourriez perdre des indices " "importants pour comprendre ce qui s'est passé exactement, en plus de rendre " "les preuves potentiellement non recevables en cour." #. type:

#: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:176 msgid "" "You will find more information on forensic analysis in Dan Farmer's and " "Wietse Venema's book (available online), as well " "as in their and their . Brian Carrier's newsletter is also a very good resource " "on forensic analysis tips. Finally, the are an excellent way to hone " "your forensic analysis skills as they include real attacks against honeypot " "systems and provide challenges that vary from forensic analysis of disks to " "firewall logs and packet captures." msgstr "" "Vous trouverez plus d'informations sur les analyses post mortem dans le " "livre (disponible en ligne) de Dan Farmer et Wietse " "Venema, ainsi que leur et leur . Le bulletin de Brian Carrier, , est " "également une très bonne source d'astuces pour les analyses post mortem. " "Finalement, le est une excellente façon de peaufiner vos " "compétences en analyse post mortem puisqu'ils contiennent des attaques " "réelles contre des pots de miel et procurent des défis qui vont de " "l'analyse post mortem de disques durs à l'analyse des journaux des pare-feu " "et la capture de paquets." #. type:

#: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:179 msgid "" "FIXME: This paragraph will hopefully provide more information about " "forensics in a Debian system in the coming future." msgstr "" "FIXME : Ce paragraphe fournira, dans un avenir proche je l'espère, plus " "d'informations sur l'analyse post mortem d'un système Debian." #. type:

#: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:183 msgid "" "FIXME: Talk on how to do a debsums on a stable system with the MD5sums on CD " "and with the recovered file system restored on a separate partition." msgstr "" "FIXME : Décrire comment utiliser debsums sur un système stable avec les " "md5sums sur un CD et le système de fichiers récupéré restauré sur une " "partition séparée." #. type:

#: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:187 msgid "" "FIXME: Add pointers to forensic analysis papers (like the Honeynet's reverse " "challenge or )." msgstr "" "FIXME : Ajouter des liens vers des articles d'analyse post mortem (tel que " "le défi inversé de Honeynet ou les )." #. type: #: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:188 msgid "Analysis of malware" msgstr "Analyse des programmes malveillants (malware)" #. type:

#: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:191 msgid "" "Some other tools that can be used for forensic analysis provided in the " "Debian distribution are:" msgstr "" "D'autres outils permettant l'analyse post mortem sont disponibles pour la " "distribution Debian :" #. type:

#: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:193 msgid "strace." msgstr "strace ;" #. type:

#: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:194 msgid "ltrace." msgstr "ltrace." #. type:

#: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:202 msgid "" "Any of these packages can be used to analyze rogue binaries (such as back " "doors), in order to determine how they work and what they do to the system. " "Some other common tools include ldd (in libc6), strings and objdump (both in " "binutils)." msgstr "" "L'un de ces paquets peut être utilisé pour analyser des binaires dangereux " "(comme des portes dérobées) afin de déterminer comment ils fonctionnent et " "ce qu'ils font au système. ldd (dans libc6), " "strings et objdump (tous deux dans " "binutils) font aussi partie des outils fréquemment " "utilisés." #. type:

#: securing-debian-howto.en.sgml:59 en/after-compromise.sgml:211 msgid "" "If you try to do forensic analysis with back doors or suspected binaries " "retrieved from compromised systems, you should do so in a secure environment " "(for example in a bochs or xen image " "or a chroot'ed environment using a user with low " "privileges

Be very careful if using chroots, since if " "the binary uses a kernel-level exploit to increase its privileges it might " "still be able to infect your system

). Otherwise your own " "system can be back doored/r00ted too!" msgstr "" "Pour faire l'autopsie de binaires suspects ou contenant des portes dérobées " "récupérés d'un système compromis, vous devriez utiliser un environnement " "sécurisé (par exemple, dans une image bochs, " "xen ou un environnement chrooté en utilisant " "un compte ayant peu de droits

Faites très attention si " "vous utilisez chroot, car si le programme utilise une faille de " "sécurité au niveau du noyau afin d'accroître ses droits, il pourrait tout de " "même réussir à compromettre le système.

). Le système pourrait " "être victime de la porte dérobée et compromis à son tour si vous ne prenez " "pas garde !" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:3 msgid "" "If you are interested in malware analysis then you should read the chapter of Dan Farmer's and Wietse Venema's " "forensics book." msgstr "" "Si vous êtes intéressé par les programmes malveillants, alors vous devriez " "lire le chapitre du livre de Dan Farmer et Wietse Venema." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:5 msgid "Frequently asked Questions (FAQ)" msgstr "Foire Aux Questions (FAQ)" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:9 msgid "" "This chapter introduces some of the most common questions from the Debian " "security mailing list. You should read them before posting there or else " "people might tell you to RTFM." msgstr "" "Ce chapitre introduit quelques questions qui reviennent souvent sur la liste " "de diffusion de sécurité. Vous devriez les consulter avant de poster sur la " "liste ou certains pourraient vous dire d'aller RTFM." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:11 msgid "Security in the Debian operating system" msgstr "La sécurité dans le système d'exploitation Debian" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:13 msgid "Is Debian more secure than X?" msgstr "Debian est-elle plus sûre que X ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:20 msgid "" "A system is only as secure as its administrator is capable of making it. " "Debian's default installation of services aims to be secure, but " "may not be as paranoid as some other operating systems which install all " "services disabled by default. In any case, the system administrator " "needs to adapt the security of the system to his local security policy." msgstr "" "Un système est aussi sûr que l'administrateur est capable de le rendre. " "Debian essaie d'installer les services d'une façon sûre par défaut, " "mais elle n'est peut-être pas aussi paranoïaque que d'autres systèmes " "d'exploitation qui installent tous les services désactivés par défaut. Toutefois, l'administrateur système a besoin d'adapter la sécurité du " "système à la politique de sécurité locale." # NOTE: s/ICAT\)/ICAT)./ #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:41 msgid "" "For a collection of data regarding security vulnerabilities for many " "operating systems, see the or generate stats using the " "(formerly ICAT) Is this data useful? There are several factors to consider " "when interpreting the data, and it is worth noticing that the data cannot be " "used to compare the vulnerabilities of one operating system versus another." "

For example, based on some data, it might seem that Windows NT " "is more secure than Linux, which is a questionable assertion. After all, " "Linux distributions usually provide many more applications compared to " "Microsoft's Windows NT. This counting vulnerabilities issues are " "better described in by David A. Wheeler

Also, keep in " "mind that some reported vulnerabilities regarding Debian apply only to the " "unstable (i.e. unreleased) branch." msgstr "" "Pour une liste des données concernant les failles de sécurité pour plusieurs " "systèmes d'exploitation, consultez les ou générez des " "statistiques en utilisant la (anciennement ICAT). " "Est-ce que ces données sont utiles ? Plusieurs facteurs sont à " "considérer pour l'interprétation des données, mais remarquez qu'elles ne " "permettent pas de comparer les failles d'un système d'exploitation par " "rapport à un autre.

Par exemple, à partir de certaines données, " "Windows NT semblerait plus sûr que Linux, ce qui est une assertion " "discutable. Après tout, les distributions Linux fournissent habituellement " "beaucoup plus d'applications par rapport à Windows NT de Microsoft. Ces " "problèmes de failles comptabilisées sont mieux décrits dans de David A. Wheeler.

Rappelez-vous également que certaines failles signalées concernant " "Debian ne s'appliquent qu'à la branche unstable (c'est-à-dire non " "publiée)." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:44 msgid "" "Is Debian more secure than other Linux distributions (such as Red Hat, " "SuSE...)?" msgstr "" "Debian est-elle mieux sécurisée que d'autres distributions Linux (comme Red " "Hat, SuSE, etc.) ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:52 msgid "" "There are not really many differences between Linux distributions, with " "exceptions to the base installation and package management system. Most " "distributions share many of the same applications, with differences mainly " "in the versions of these applications that are shipped with the " "distribution's stable release. For example, the kernel, Bind, Apache, " "OpenSSH, Xorg, gcc, zlib, etc. are all common across Linux distributions." msgstr "" "Peu de grandes différences existent entre les distributions Linux, à " "l'exception de l'installation de base et du système de gestion des paquets. " "La plupart des distributions partagent une grande partie des mêmes " "applications, les différences étant seulement dans les versions de ces " "applications livrées avec la version stable de la distribution. Par exemple, " "le noyau, BIND, Apache, OpenSSH, Xorg, gcc, zlib, etc. sont tous communs " "entre les distributions Linux." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:59 msgid "" "For example, Red Hat was unlucky and shipped when foo 1.2.3 was current, " "which was then later found to have a security hole. Debian, on the other " "hand, was lucky enough to ship foo 1.2.4, which incorporated the bug fix. " "That was the case in the big problem from a couple years ago." msgstr "" "Par exemple, Red Hat a joué de malchance et a livré une version stable quand " "truc était en version 1.2.3, où une faille sécurité a été découverte plus " "tard. Debian, d'un autre côté, a été plus chanceuse de livrer truc 1.2.4, " "qui contient la correction du bogue. Cela a été le cas avec le gros problème " "de il y quelques années." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:68 msgid "" "There is a lot of collaboration between the respective security teams for " "the major Linux distributions. Known security updates are rarely, if ever, " "left unfixed by a distribution vendor. Knowledge of a security vulnerability " "is never kept from another distribution vendor, as fixes are usually " "coordinated upstream, or by . " "As a result, necessary security updates are usually released at the same " "time, and the relative security of the different distributions is very " "similar." msgstr "" "Beaucoup de collaboration existe entre les équipes de sécurité respectives " "des distributions Linux majeures. Les mises à jour de sécurité connues sont " "rarement, voire jamais, laissées non corrigées par un distributeur. La " "connaissance d'une faille de sécurité n'est jamais cachée à un autre " "distributeur, tout comme les corrections sont habituellement coordonnées en " "amont ou par le . Par " "conséquent, les mises à jour de sécurité nécessaires sont habituellement " "diffusés en même temps et la sécurité relative des différentes distributions " "est très semblable." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:72 msgid "" "One of Debian's main advantages with regards to security is the ease of " "system updates through the use of apt. Here are some other " "aspects of security in Debian to consider:" msgstr "" "L'un des principaux avantages de Debian concernant la sécurité est la " "facilité des mises à jour du système par l'utilisation d'apt. " "Voici quelques autres aspects de la sécurité dans Debian à considérer." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:77 msgid "" "Debian provides more security tools than other distributions, see ." msgstr "" "Debian fournit plus d'outils de sécurité que les autres distributions, " "consultez ." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:92 msgid "" "Debian's standard installation is smaller (less functionality), and thus " "more secure. Other distributions, in the name of usability, tend to install " "many services by default, and sometimes they are not properly configured " "(remember the ). Debian's installation is not as limited " "as OpenBSD (no daemons are active per default), but it's a good compromise. " "

Without diminishing the fact that some distributions, such as " "Red Hat or Mandrake, are also taking into account security in their standard " "installations by having the user select security profiles, or using " "wizards to help with configuration of personal firewalls.

" msgstr "" "L'installation standard de Debian est plus petite (moins de fonctionnalités) " "et donc plus sûre. Les autres distributions, au nom de l'utilisabilité, ont " "tendance à installer plusieurs services par défaut et parfois, ils ne sont " "pas configurés correctement (rappelez-vous de et ). " "L'installation de Debian n'est pas aussi limitée que celle d'OpenBSD (aucun " "démon n'est activé par défaut), mais c'est un bon compromis." "

Sans diminuer le fait que d'autres distributions, comme Red Hat " "ou Mandrake, prennent aussi en compte la sécurité dans leurs installations " "standard en demandant à l'utilisateur de sélectionner des profils de " "sécurité ou en utilisant des assistants pour configurer des pare-" "feu personnels.

" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:95 msgid "Debian documents best security practices in documents like this one." msgstr "" "Debian documente les meilleures pratiques de sécurité dans des documents " "comme celui-ci." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:100 msgid "" "There are many Debian bugs in Bugtraq. Does this mean that it is very " "vulnerable?" msgstr "" "De nombreux bogues Debian sont dans Bugtraq, cela la rend-elle plus " "vulnérable ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:105 msgid "" "The Debian distribution boasts a large and growing number of software " "packages, probably more than provided by many proprietary operating systems. " "The more packages installed, the greater the potential for security issues " "in any given system." msgstr "" "Debian distribue un grand nombre, en augmentation constante, de paquets " "logiciels, probablement plus que la plupart des systèmes d'exploitation " "propriétaires. Par conséquent le risque est plus grand de trouver des " "logiciels victimes de failles de sécurité exploitables que sur les systèmes " "contenant moins de logiciels." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:111 msgid "" "More and more people are examining source code for flaws. There are many " "advisories related to source code audits of the major software components " "included in Debian. Whenever such source code audits turn up security flaws, " "they are fixed and an advisory is sent to lists such as Bugtraq." msgstr "" "De plus en plus de personnes examinent le code source à la recherche de " "failles. De nombreuses annonces sont liées à des audits de code source " "effectués sur des composants logiciels majeurs livrés dans Debian. Lorsqu'un " "de ces audits de code source fait ressortir une faille majeure, elle est " "réparée et une alerte est envoyée aux listes comme celle de BugTraq." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:115 msgid "" "Bugs that are present in the Debian distribution usually affect other " "vendors and distributions as well. Check the \"Debian specific: yes/no\" " "section at the top of each advisory (DSA)." msgstr "" "Les bogues présents dans la distribution Debian affectent également d'autres " "distributeurs et distributions. Vérifiez la partie « Debian specific: yes/" "no » en haut de chaque annonce (DSA)." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:117 msgid "Does Debian have any certification related to security?" msgstr "Debian possède-t-elle une certification relative à la sécurité ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:119 msgid "Short answer: no." msgstr "Réponse courte : non." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:129 msgid "" "Long answer: certification costs money (specially a serious " "security certification), nobody has dedicated the resources in order to " "certify Debian GNU/Linux to any level of, for example, the . If you are " "interested in having a security-certified GNU/Linux distribution, try to " "provide the resources needed to make it possible." msgstr "" "Réponse longue : la certification coûte de l'argent (particulièrement, " "une certification de sécurité sérieuse et personne n'a attribué de " "ressources pour faire certifier la distribution Debian GNU/Linux à n'importe " "quel niveau que ce soit, par exemple, la Common Criteria. Si vous êtes " "intéressé par l'obtention d'une distribution GNU/Linux certifiée, essayez de " "fournir les ressources pour que cela devienne possible." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:136 msgid "" "There are currently at least two linux distributions certified at different " " levels. Notice that some of the CC tests are being integrated into " "the " "which is available in Debian in the ltp." msgstr "" "Au moins deux distributions Linux sont actuellement certifiées à différents " "niveaux . Remarquez que certains des tests CC sont en cours " "d'intégration dans le disponible dans le paquet Debian ltp." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:138 msgid "Are there any hardening programs for Debian?" msgstr "Existe-t-il un programme de durcissement pour Debian ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:145 msgid "" "Yes. , " "originally oriented toward other Linux distributions (Red Hat and Mandrake), " "currently works for Debian. Steps are being taken to integrate the changes " "made to the upstream version into the Debian package, named " "bastille." msgstr "" "Oui. , " "orienté à la base vers certaines distributions Linux (Red Hat et Mandrake), " "fonctionne actuellement sur Debian. Des étapes sont prévues pour intégrer " "les changements de la version amont dans le paquet Debian nommé " "bastille." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:148 msgid "" "Some people believe, however, that a hardening tool does not eliminate the " "need for good administration." msgstr "" "Certains pensent, cependant, qu'un outil de durcissement n'élimine pas la " "nécessité d'une bonne administration." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:150 msgid "I want to run XYZ service, which one should I choose?" msgstr "Je veux fournir le service XYZ, lequel dois-je choisir ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:158 msgid "" "One of Debian's great strengths is the wide variety of choice available " "between packages that provide the same functionality (DNS servers, mail " "servers, ftp servers, web servers, etc.). This can be confusing to the " "novice administrator when trying to determine which package is right for " "you. The best match for a given situation depends on a balance between your " "feature and security needs. Here are some questions to ask yourself when " "deciding between similar packages:" msgstr "" "L'une des grandes forces de Debian est la grande variété de choix " "disponibles entre les paquets fournissant la même fonctionnalité (serveurs " "DNS, serveurs de messagerie, serveurs FTP, serveurs web, etc.). Cela peut " "être déroutant pour l'administrateur débutant lorsqu'il essaie de déterminer " "l'outil adapté à son besoin. Le meilleur choix dans une situation donnée " "dépend d'un équilibre entre les fonctionnalités et la sécurité nécessaires. " "Voici quelques questions à se poser pour choisir parmi des paquets " "semblables." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:162 msgid "Is the software maintained upstream? When was the last release?" msgstr "" "Est-ce que le logiciel est maintenu en amont ? De quand date la " "dernière version ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:166 msgid "" "Is the package mature? The version number really does not tell you " "about its maturity. Try to trace the software's history." msgstr "" "Le paquet est-il mûr ? Le numéro de version n'indiquera vraiment " "rien concernant sa maturité. Essayez de tracer l'histoire du " "logiciel." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:169 msgid "" "Is the software bug-ridden? Have there been security advisories related to " "it?" msgstr "" "Est-ce que le logiciel est truffé de bogues ? Y a-t-il eu des alertes " "de sécurité liées au logiciel ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:172 msgid "" "Does the software provide all the functionality you need? Does it provide " "more than you really need?" msgstr "" "Est-ce que le logiciel fournit toutes les fonctionnalités nécessaires ? " "Fournit-il plus que le nécessaire ?" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:177 msgid "How can I make service XYZ more secure in Debian?" msgstr "Comment mieux sécuriser le service XYZ dans Debian ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:185 msgid "" "You will find information in this document to make some services (FTP, Bind) " "more secure in Debian GNU/Linux. For services not covered here, check the " "program's documentation, or general Linux information. Most of the security " "guidelines for Unix systems also apply to Debian. In most cases, securing " "service X in Debian is like securing that service in any other Linux " "distribution (or Un*x, for that matter)." msgstr "" "Les informations disponibles dans ce document vous permettront de rendre " "certains services (FTP, BIND) plus sécurisés dans Debian GNU/Linux. " "Toutefois, pour les services non abordés ici, vous pouvez vérifier la " "documentation des programmes ou les informations générales sur Linux. La " "plupart des directives concernant la sécurité des systèmes UNIX peut " "également s'appliquer à Debian. Ainsi, la sécurisation d'un service X dans " "Debian revient, la plupart du temps, à sécuriser un service dans n'importe " "quelle autre distribution Linux (ou UNIX, peu importe)." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:187 msgid "How can I remove all the banners for services?" msgstr "" "Comment supprimer toutes les informations de version pour les services ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:195 msgid "" "If you do not like users connecting to your POP3 daemon, for example, and " "retrieving information about your system, you might want to remove (or " "change) the banner the service shows to users.

Note that this " "is 'security by obscurity', and will probably not be worth the effort in the " "long term.

Doing so depends on the software you are running " "for a given service. For example, in postfix, you can set your " "SMTP banner in /etc/postfix/main.cf:" msgstr "" "Si vous ne voulez pas que des utilisateurs se connectent au démon POP3, par " "exemple, et récupèrent des renseignements sur le système, vous pourriez " "supprimer (ou modifier) les versions affichées aux utilisateurs. " "

Notez que c'est de la « sécurité par l'obscurité » et " "ne vaudra probablement pas l'effort à long terme.

Faire cela " "dépend du logiciel que vous utilisez pour un service donné. Par exemple, " "dans postfix, vous pouvez placer la bannière SMTP suivante dans " "/etc/postfix/main.cf :" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:197 #, no-wrap msgid " smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)" msgstr " smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:205 msgid "" "Other software is not as easy to change. ssh will need to " "be recompiled in order to change the version that it prints. Take care not " "to remove the first part (SSH-2.0) of the banner, which clients use " "to identify which protocol(s) is supported by your package." msgstr "" "D'autres logiciels ne sont pas aussi faciles à modifier. SSH devra être recompilé pour pouvoir modifier la version affichée. " "Prenez garde à ne pas supprimer la première partie (SSH-2.0) de la " "bannière, car les clients l'utilisent pour identifier les protocoles pris en " "charge par le paquet." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:207 msgid "Are all Debian packages safe?" msgstr "Les paquets Debian sont-ils tous sûrs ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:219 msgid "" "The Debian security team cannot possibly analyze all the packages included " "in Debian for potential security vulnerabilities, since there are just not " "enough resources to source code audit the whole project. However, Debian " "does benefit from the source code audits made by upstream developers." msgstr "" "L'équipe de sécurité Debian ne peut pas analyser tous les paquets inclus " "dans Debian pour tester des potentielles failles de sécurité, simplement à " "cause du manque de ressources pour contrôler le code source de l'ensemble du " "projet. Cependant Debian bénéficie des audits de code source réalisés par " "des développeurs amont." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:225 msgid "" "As a matter of fact, a Debian developer could distribute a Trojan in a " "package, and there is no possible way to check it out. Even if introduced " "into a Debian branch, it would be impossible to cover all the possible " "situations in which the Trojan would execute. This is why Debian has a " "\"no guarantees\" license clause." msgstr "" "De fait, un développeur Debian pourrait distribuer un cheval de Troie dans " "un paquet sans moyen de le vérifier. Même s'il était introduit dans une " "branche Debian, il serait impossible de couvrir toutes les situations " "imaginables dans lesquelles le cheval de Troie pourrait agir. C'est pourquoi " "Debian a une clause de licence de « non garantie »." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:234 msgid "" "However, Debian users can take confidence in the fact that the stable code " "has a wide audience and most problems would be uncovered through use. " "Installing untested software is not recommended in a critical system (if you " "cannot provide the necessary code audit). In any case, if there were a " "security vulnerability introduced into the distribution, the process used to " "include packages (using digital signatures) ensures that the problem can be " "ultimately traced back to the developer. The Debian project has not taken " "this issue lightly." msgstr "" "Cependant, les utilisateurs Debian peuvent être assurés que le code stable " "rassemble une large audience et que la plupart des problèmes seront " "découverts pendant l'utilisation. Installer des logiciels non testés dans un " "système critique n'est pas recommandé (si vous ne pouvez pas fournir l'audit " "de code nécessaire). Dans tous les cas, si des failles de sécurité étaient " "intégrées à la distribution, le processus permettant d'inclure les paquets " "(utilisation de signature numérique) assure que le problème pourra être " "remonté jusqu'au développeur, et que le projet Debian ne prend pas cela à la " "légère." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:237 msgid "" "Why are some log files/configuration files world-readable, isn't this " "insecure?" msgstr "" "Pourquoi certains fichiers journaux ou fichiers de configuration sont-ils " "lisibles par tous les utilisateurs, est-ce que c'est sûr ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:242 msgid "" "Of course, you can change the default Debian permissions on your system. The " "current policy regarding log files and configuration files is that they are " "world readable unless they provide sensitive information." msgstr "" "Vous pouvez bien sûr modifier les permissions Debian par défaut du système. " "La règle actuelle concernant les fichiers journaux et les fichiers de " "configuration est qu'ils doivent être lisibles par tous les utilisateurs " "sauf s'ils fournissent des informations sensibles." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:244 msgid "Be careful if you do make changes since:" msgstr "Soyez attentifs si vous faites des modifications car :" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:249 msgid "" "Processes might not be able to write to log files if you restrict their " "permissions." msgstr "" "des processus pourraient ne plus pouvoir écrire dans des fichiers journaux " "si leurs permissions ont été restreintes ;" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:255 msgid "" "Some applications may not work if the configuration file they depend on " "cannot be read. For example, if you remove the world-readable permission " "from /etc/samba/smb.conf, the smbclient program " "will not work when run by a normal user." msgstr "" "certaines applications peuvent ne pas fonctionner si le fichier de " "configuration dont elles dépendent est illisible. Par exemple, si vous " "supprimez la permission en lecture pour tous les utilisateurs de /etc/" "samba/smb.conf, le programme smbclient ne pourra pas " "fonctionner pour un utilisateur normal." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:260 msgid "" "FIXME: Check if this is written in the Policy. Some packages (i.e. ftp " "daemons) seem to enforce different permissions." msgstr "" "FIXME : Vérifier si c'est écrit dans la Charte. Certains paquets (par " "exemple, les démons FTP) semblent nécessiter différentes permissions." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:262 msgid "Why does /root/ (or UserX) have 755 permissions?" msgstr "Pourquoi est-ce que /root/ (ou UserX) a 755 comme permissions ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:269 msgid "" "As a matter of fact, the same questions stand for any other user. Since " "Debian's installation does not place any file under that directory, " "there's no sensitive information to protect there. If you feel these " "permissions are too broad for your system, consider tightening them to 750. " "For users, read ." msgstr "" "De fait, la même question s'applique pour tout autre utilisateur. Comme " "l'installation de Debian ne place aucun fichier dans ce répertoire, " "il n'y a aucune information sensible à y protéger. Si vous pensez que ces " "permissions sont trop laxistes pour le système, vous pouvez les renforcer en " "750. Pour les utilisateurs, veuillez lire ." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:273 msgid "" "This Debian security mailing list has more on " "this issue." msgstr "" "Ce de la liste de diffusion de sécurité Debian " "contient plus d'informations sur ce problème." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:276 msgid "" "After installing a grsec/firewall, I started receiving many console " "messages! How do I remove them?" msgstr "" "Après l'installation de grsec ou d'un pare-feu, j'ai commencé à recevoir " "beaucoup de messages de console ! Comment les supprimer ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:281 msgid "" "If you are receiving console messages, and have configured /etc/syslog." "conf to redirect them to either files or a special TTY, you might be " "seeing messages sent directly to the console." msgstr "" "Si vous recevez des messages en console et que /etc/syslog.conf " "est configuré pour les rediriger dans des fichiers ou dans un TTY spécial, " "vous pourriez voir des messages envoyés directement en console." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:287 msgid "" "The default console log level for any given kernel is 7, which means that " "any message with lower priority will appear in the console. Usually, " "firewalls (the LOG rule) and some other security tools log lower that this " "priority, and thus, are sent directly to the console." msgstr "" "Le niveau de journalisation en console par défaut est 7 quel que soit le " "noyau, donc tous les messages avec une priorité inférieure apparaîtront dans " "la console. En général, les pare-feu (la règle LOG) et d'autres outils de " "sécurité journalisent à des priorités inférieures donc les messages sont " "envoyés directement en console." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:293 msgid "" "To reduce messages sent to the console, you can use dmesg (-" "n option, see ), which examines " "and controls the kernel ring buffer. To fix this after the next " "reboot, change /etc/init.d/klogd from:" msgstr "" "Pour réduire les messages envoyés en console, vous pouvez utiliser " "dmesg (l'option -n, consultez ), qui examine et contrôle le tampon anneau du " "noyau. Pour corriger cela après le prochain redémarrage, modifiez /etc/" "init.d/klogd en substituant :" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:295 #, no-wrap msgid " KLOGD=\"\"" msgstr " KLOGD=\"\"" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:301 #, no-wrap msgid " KLOGD=\"-c 4\"" msgstr " KLOGD=\"-c 4\"" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:307 msgid "" "Use a lower number for -c if you are still seeing them. A " "description of the different log levels can be found in /usr/include/" "sys/syslog.h:" msgstr "" "Utilisez un nombre plus petit pour -c si vous les voyez toujours. " "Une description des différents niveaux de journalisation est disponible dans " "/usr/include/sys/syslog.h :" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:316 #, no-wrap msgid "" " #define LOG_EMERG 0 /* system is unusable */\n" " #define LOG_ALERT 1 /* action must be taken immediately */\n" " #define LOG_CRIT 2 /* critical conditions */\n" " #define LOG_ERR 3 /* error conditions */\n" " #define LOG_WARNING 4 /* warning conditions */\n" " #define LOG_NOTICE 5 /* normal but significant condition */\n" " #define LOG_INFO 6 /* informational */\n" " #define LOG_DEBUG 7 /* debug-level messages */" msgstr "" " #define LOG_EMERG 0 /* le système est inutilisable */\n" " #define LOG_ALERT 1 /* une action doit être entreprise immédiatement */\n" " #define LOG_CRIT 2 /* conditions critiques */\n" " #define LOG_ERR 3 /* conditions d'erreur */\n" " #define LOG_WARNING 4 /* conditions d'avertissement */\n" " #define LOG_NOTICE 5 /* normal, mais conditions significatives */\n" " #define LOG_INFO 6 /* informatif */\n" " #define LOG_DEBUG 7 /* messages de débogage */" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:320 msgid "Operating system users and groups" msgstr "Les utilisateurs et les groupes du système d'exploitation" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:322 msgid "Are all system users necessary?" msgstr "Tous les utilisateurs systèmes sont-ils nécessaires ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:334 msgid "" "Yes and no. Debian comes with some predefined users (user id (UID) < 99 " "as described in or /usr/share/doc/base-passwd/README) to " "ease the installation of some services that require that they run under an " "appropriate user/UID. If you do not intend to install new services, you can " "safely remove those users who do not own any files in your system and do not " "run any services. In any case, the default behavior is that UID's from 0 to " "99 are reserved in Debian, and UID's from 100 to 999 are created by packages " "on install (and deleted when the package is purged)." msgstr "" "Oui et non. Debian est livrée avec certains utilisateurs prédéfinis " "(identifiant utilisateur (UID) < 99 comme décrit dans la ou /usr/" "share/doc/base-passwd/README) afin de faciliter l'installation de " "certains services qui imposent d'être lancés par un utilisateur ayant un UID " "approprié. Si vous n'avez pas l'intention d'installer de nouveaux services, " "vous pouvez supprimer sans problème ces utilisateurs qui ne possèdent aucun " "fichier sur le système et n'exécutent aucun service. Dans tous les cas, le " "comportement par défaut est que les UID de 0 à 99 sont réservées dans Debian " "et les UID de 100 à 999 sont crées par des paquets lors de l'installation " "(et supprimées quand le paquet est purgé)." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:341 msgid "" "To easily find users who don't own any files, execute the following " "command

Be careful, as this will traverse your whole system. If " "you have a lot of disk and partitions you might want to reduce it in scope. (run it as root, since a common user might not have enough " "permissions to go through some sensitive directories):" msgstr "" "Vous pouvez facilement trouver les utilisateurs ne possédant aucun fichier " "en exécutant la commande suivante

Prenez garde, car cela " "parcourt tout le système. Si vous avez beaucoup de disques et partitions, " "vous pourriez réduire sa portée.

(assurez-vous de l'exécuter " "en tant que superutilisateur, étant donné qu'un utilisateur ordinaire " "pourrait ne pas avoir les droits nécessaires pour accéder à certains " "répertoires sensibles) :" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:344 #, no-wrap msgid "" " cut -f 1 -d : /etc/passwd | \\\n" " while read i; do find / -user \"$i\" | grep -q . || echo \"$i\"; done" msgstr "" "cut -f 1 -d : /etc/passwd |\n" "while read i; do find / -user \"$i\" | grep -q . || echo \"$i\"; done" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:351 msgid "" "These users are provided by base-passwd. Look in its " "documentation for more information on how these users are handled in Debian. " "The list of default users (with a corresponding group) follows:" msgstr "" "Ces utilisateurs sont fournis par base-passwd. Vous " "trouverez dans sa documentation plus d'informations sur la manière dont ces " "utilisateurs sont gérés dans Debian. Voici la liste des utilisateurs par " "défaut (avec un groupe correspondant)." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:355 msgid "root: Root is (typically) the superuser." msgstr "root : c'est (typiquement) le superutilisateur." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:362 msgid "" "daemon: Some unprivileged daemons that need to write to files on disk run as " "daemon.daemon (e.g., portmap, atd, probably " "others). Daemons that don't need to own any files can run as nobody.nogroup " "instead, and more complex or security conscious daemons run as dedicated " "users. The daemon user is also handy for locally installed daemons." msgstr "" "daemon : quelques démons sans droit ont besoin de pouvoir écrire " "certains fichiers du disque en tant que daemon:daemon (par exemple, " "portmap, atd, et probablement d'autres). Les " "démons qui n'ont besoin d'aucune appartenance de fichier peuvent tourner en " "tant que nobody:nogroup, et des démons plus complexes ou plus consciencieux " "de la sécurité tournent en tant qu'utilisateurs spécifiques. L'utilisateur " "daemon est aussi utile pour les démons installés localement." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:364 msgid "bin: maintained for historic reasons." msgstr "bin : maintenu pour des raisons historiques." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:367 msgid "" "sys: same as with bin. However, /dev/vcs* and /var/spool/cups " "are owned by group sys." msgstr "" "sys : comme bin. Toutefois, /dev/vcs* et /var/spool/cups " "appartiennent au groupe sys." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:372 msgid "" "sync: The shell of user sync is /bin/sync. Thus, if its " "password is set to something easy to guess (such as \"\"), anyone can sync " "the system at the console even if they have don't have an account." msgstr "" "sync : l'interpréteur de commandes de l'utilisateur sync est /bin/sync. " "Donc, si son mot de passe est quelque chose de facile à deviner (comme " "«  »), n'importe qui peut synchroniser le système depuis la console même " "sans compte sur le système." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:375 msgid "" "games: Many games are SETGID to games so they can write their high score " "files. This is explained in policy." msgstr "" "games : de nombreux jeux sont SETGID à games pour pouvoir écrire dans " "les fichiers des meilleurs scores. C'est expliqué dans la Charte." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:378 msgid "" "man: The man program (sometimes) runs as user man, so it can write cat pages " "to /var/cache/man" msgstr "" "man : le programme man est (parfois) lancé en tant qu'utilisateur man, " "il peut alors écrire les pages cat vers /var/cache/man." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:380 msgid "lp: Used by printer daemons." msgstr "lp : utilisé par les démons d'impression." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:384 msgid "" "mail: Mailboxes in /var/mail are owned by group mail, as " "explained in policy. The user and group are used for other purposes by " "various MTA's as well." msgstr "" "mail : les boîtes aux lettres de /var/mail appartiennent " "au groupe mail, comme décrit dans la Charte. L'utilisateur et le groupe sont " "également utilisés à d'autres fins par différents MTA." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:390 msgid "" "news: Various news servers and other associated programs (such as " "suck) use user and group news in various ways. Files in the " "news spool are often owned by user and group news. Programs such as " "inews that can be used to post news are typically SETGID news." msgstr "" "news : plusieurs serveurs de nouvelles et autres programmes associés " "(comme suck) utilisent l'utilisateur et le groupe news de " "différentes façons. Les fichiers dans la file d'attente des nouvelles " "appartiennent souvent à l'utilisateur et au groupe news. Les programmes " "comme inews qui peuvent être utilisés pour envoyer des " "nouvelles sont typiquement SETGID news." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:394 msgid "" "uucp: The uucp user and group is used by the UUCP subsystem. It owns spool " "and configuration files. Users in the uucp group may run uucico." msgstr "" "uucp : l'utilisateur et le groupe uucp sont utilisés par le sous-" "système UUCP. Les fichiers de file d'attente et de configuration lui " "appartiennent. Les utilisateurs du groupe uucp peuvent exécuter " "uucico." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:399 msgid "" "proxy: Like daemon, this user and group is used by some daemons " "(specifically, proxy daemons) that don't have dedicated user id's and that " "need to own files. For example, group proxy is used by pdnsd, " "and squid runs as user proxy." msgstr "" "proxy : comme daemon, cet utilisateur et ce groupe sont utilisés par " "certains démons (en particulier les démons de mandataire) qui ne possèdent " "pas d'identifiant utilisateur dédié et qui ont besoin de posséder des " "fichiers. Par exemple, le groupe proxy est utilisé par pdnsd et " "squid est exécuté en tant qu'utilisateur proxy." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:403 msgid "" "majordom: Majordomo has a statically allocated UID on Debian " "systems for historical reasons. It is not installed on new systems." msgstr "" "majordom : majordomo a un identifiant utilisateur alloué " "statiquement sur les systèmes Debian pour des raisons historiques. Il n'est " "plus installé sur les nouveaux systèmes." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:407 msgid "" "postgres: Postgresql databases are owned by this user and " "group. All files in /var/lib/postgresql are owned by this user " "to enforce proper security." msgstr "" "postgres : les bases de données postgresql appartiennent à " "cet utilisateur et ce groupe. Tous les fichiers dans /var/lib/" "postgresql appartiennent à cet utilisateur afin d'imposer un niveau " "de sécurité convenable." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:412 msgid "" "www-data: Some web servers run as www-data. Web content should not " "be owned by this user, or a compromised web server would be able to rewrite " "a web site. Data written out by web servers, including log files, will be " "owned by www-data." msgstr "" "www-data : certains serveurs web tournent en tant que www-data. Le " "contenu web ne devrait pas appartenir à cet utilisateur, sinon un " "serveur Internet compromis serait en mesure de réécrire un site web. Les " "données transférées par les serveurs web, incluant les fichiers journaux, " "seront la propriété de www-data." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:415 msgid "" "backup: So backup/restore responsibilities can be locally delegated to " "someone without full root permissions." msgstr "" "backup : de cette manière la responsabilité de sauvegarde ou " "restauration peut être localement déléguée à quelqu'un sans avoir à lui " "donner tous les droits du superutilisateur." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:418 msgid "" "operator: Operator is historically (and practically) the only 'user' account " "that can login remotely, and doesn't depend on NIS/NFS." msgstr "" "operator : c'est historiquement (et pratiquement) le seul compte « " "utilisateur » qui peut se connecter à distance, sans dépendre de NIS ou " "NFS." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:421 msgid "" "list: Mailing list archives and data are owned by this user and group. Some " "mailing list programs may run as this user as well." msgstr "" "list : les archives des listes de diffusion et les données " "appartiennent à cet utilisateur et à son groupe. Certains programmes de " "listes de diffusion utilisent aussi cet utilisateur." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:425 msgid "" "irc: Used by irc daemons. A statically allocated user is needed only because " "of a bug in ircd, which SETUID()s itself to a given UID on " "startup." msgstr "" "irc : utilisé par les démons IRC. Un utilisateur alloué statiquement " "est nécessaire à cause d'un bogue dans ircd, il se SETUID lui-" "même vers un UID donné au démarrage." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:427 msgid "gnats." msgstr "gnats." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:431 msgid "" "nobody, nogroup: Daemons that need not own any files run as user nobody and " "group nogroup. Thus, no files on a system should be owned by this user or " "group." msgstr "" "nobody, nogroup : les démons qui n'ont pas besoin d'être propriétaires " "de fichiers devraient fonctionner sous l'utilisateur nobody et le groupe " "nogroup. Donc, aucun fichier sur un système ne devrait appartenir à cet " "utilisateur ou à ce groupe." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:435 msgid "Other groups which have no associated user:" msgstr "Les autres groupes suivants n'ont pas d'utilisateur associé." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:443 msgid "" "adm: Group adm is used for system monitoring tasks. Members of this group " "can read many log files in /var/log, and can use xconsole. " "Historically, /var/log was /usr/adm (and later " "/var/adm), thus the name of the group." msgstr "" "adm : utilisé pour les tâches de surveillance du système. Les membres " "de ce groupe peuvent lire de nombreux journaux d'événements dans /var/" "log et peuvent utiliser xconsole. Historiquement, /var/log était /usr/adm (et plus tard /var/adm) d'où " "le nom du groupe." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:446 msgid "" "tty: TTY devices are owned by this group. This is used by write and wall to " "enable them to write to other people's TTYs." msgstr "" "tty : les périphériques TTY appartiennent à ce groupe. C'est utilisé " "par write et wall pour leur permettre d'écrire sur " "les TTY d'autres personnes." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:448 msgid "disk: Raw access to disks. Mostly equivalent to root access." msgstr "" "disk : accès brut aux disques. Quasiment équivalent à l'accès " "superutilisateur." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:452 msgid "" "kmem: /dev/kmem and similar files are readable by this group. This is mostly " "a BSD relic, but any programs that need direct read access to the system's " "memory can thus be made SETGID kmem." msgstr "" "kmem : /dev/kmem et les fichiers similaires sont lisibles " "par ce groupe. C'est la plupart du temps un reste de BSD, mais certains " "programmes en ont besoin pour un accès direct en lecture sur la mémoire du " "système ce qui peut ainsi être fait par SETGID kmem." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:455 msgid "" "dialout: Full and direct access to serial ports. Members of this group can " "reconfigure the modem, dial anywhere, etc." msgstr "" "dialout : accès direct et total aux ports séries. Les membres de ce " "groupe peuvent reconfigurer les modems, téléphoner n'importe où, etc." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:461 msgid "" "dip: The group's name stands for \"Dial-up IP\", and membership in dip " "allows you to use tools like ppp, dip, " "wvdial, etc. to dial up a connection. The users in this group " "cannot configure the modem, but may run the programs that make use of it." msgstr "" "dip : le nom du groupe signifie « Dial-up IP ». Être dans le " "groupe dip permet d'utiliser des outils comme ppp, dip, wvdial, etc. pour établir une connexion. Les " "utilisateurs de ce groupe ne peuvent pas configurer le modem, ils peuvent " "juste utiliser les programmes qui en font usage." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:463 msgid "fax: Allows members to use fax software to send / receive faxes." msgstr "" "fax : autorise les membres à utiliser les logiciels de fax pour envoyer " "et recevoir des faxes." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:466 msgid "" "voice: Voicemail, useful for systems that use modems as answering machines." msgstr "" "voice : boîte vocale, utile pour les systèmes qui utilisent les modems " "comme répondeurs." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:469 msgid "" "cdrom: This group can be used locally to give a set of users access to a " "CDROM drive." msgstr "" "cdrom : utilisé localement pour donner à certains utilisateurs un accès " "aux lecteurs de CD." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:472 msgid "" "floppy: This group can be used locally to give a set of users access to a " "floppy drive." msgstr "" "floppy : utilisé localement pour donner à certains utilisateurs un " "accès aux lecteurs de disquettes." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:475 msgid "" "tape: This group can be used locally to give a set of users access to a tape " "drive." msgstr "" "tape : utilisé localement pour donner à certains utilisateurs un accès " "aux lecteurs de bandes." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:479 msgid "" "sudo: Members of this group don't need to type their password when using " "sudo. See /usr/share/doc/sudo/OPTIONS." msgstr "" "sudo : les membres de ce groupe n'ont pas besoin de fournir un mot de " "passe lors de l'utilisation de sudo. Consultez /usr/share/" "doc/sudo/OPTIONS." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:482 msgid "" "audio: This group can be used locally to give a set of users access to an " "audio device." msgstr "" "audio : utilisé localement pour donner à certains utilisateurs un accès " "aux périphériques audio." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:486 msgid "" "src: This group owns source code, including files in /usr/src. " "It can be used locally to give a user the ability to manage system source " "code." msgstr "" "src : ce groupe possède les codes source, y compris les fichiers de " "/usr/src. Il peut être utilisé pour permettre à un utilisateur " "de manipuler les codes source du système." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:489 msgid "" "shadow: /etc/shadow is readable by this group. Some programs " "that need to be able to access the file are SETGID shadow." msgstr "" "shadow : /etc/shadow est lisible par ce groupe. Certains " "programmes ayant besoin d'accéder à ce fichier sont SETGID shadow." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:493 msgid "" "utmp: This group can write to /var/run/utmp and similar files. " "Programs that need to be able to write to it are SETGID utmp." msgstr "" "utmp : les membres de ce groupe peuvent écrire dans /var/run/" "utmp et dans fichiers similaires. Les programmes qui nécessitent " "l'écriture sont SETGID utmp." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:496 msgid "" "video: This group can be used locally to give a set of users access to a " "video device." msgstr "" "video : utilisé localement pour donner à certains utilisateurs un accès " "aux périphériques vidéo." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:501 msgid "" "staff: Allows users to add local modifications to the system (/usr/" "local, /home) without needing root privileges. Compare " "with group \"adm\", which is more related to monitoring/security." msgstr "" "staff : autorise les utilisateurs à ajouter des modifications au " "système local (/usr/local, /home) sans avoir les " "droits du superutilisateur. À comparer au groupe « adm » plus " "apparenté à la surveillance et la sécurité." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:506 msgid "" "users: While Debian systems use the private user group system by default " "(each user has their own group), some prefer to use a more traditional group " "system, in which each user is a member of this group." msgstr "" "users : alors que les systèmes Debian utilisent le système de groupe " "privé par utilisateur par défaut (chaque utilisateur a son propre groupe), " "certains préfèrent utiliser un système de groupes plus traditionnel. Dans " "ce système, chaque utilisateur est un membre de ce groupe." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:510 msgid "I removed a system user! How can I recover?" msgstr "" "J'ai supprimé un utilisateur système ! Comment puis-je le " "récupérer ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:516 msgid "" "If you have removed a system user and have not made a backup of your " "password and group files you can try recovering " "from this issue using update-passwd (see )." msgstr "" "Si vous avez supprimé un utilisateur système et que vous n'avez pas de " "sauvegardes des fichiers password et group, vous " "pouvez essayez de récupérer de ce problème en utilisant update-passwd (consultez )." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:518 msgid "What is the difference between the adm and the staff group?" msgstr "Quelle est la différence entre les groupes adm et staff ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:524 msgid "" "The 'adm' group are usually administrators, and this group permission allows " "them to read log files without having to su. The 'staff' group " "are usually help-desk/junior sysadmins, allowing them to work in /usr/" "local and create directories in /home." msgstr "" "Le groupe « adm » est normalement celui des administrateurs et " "leur permet de lire les journaux d'activités sans utiliser su. " "Le groupe « staff » est généralement pour les administrateurs " "système secondaires afin de faire des choses dans /usr/local et " "de créer des répertoires dans /home." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:527 msgid "" "Why is there a new group when I add a new user? (or Why does Debian give " "each user one group?)" msgstr "" "Pourquoi y a-t-il un nouveau groupe à chaque ajout de nouvel utilisateur (ou " "pourquoi Debian attribue-t-elle un groupe à chaque utilisateur) ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:535 msgid "" "The default behavior in Debian is that each user has its own, private group. " "The traditional UN*X scheme assigned all users to the users group. " "Additional groups were created and used to restrict access to shared files " "associated with different project directories. Managing files became " "difficult when a single user worked on multiple projects because when " "someone created a file, it was associated with the primary group to which " "they belong (e.g. 'users')." msgstr "" "Le comportement par défaut dans Debian est que chaque utilisateur a son " "propre groupe privé. Le schéma traditionnel UNIX place tous les utilisateurs " "dans le groupe users. Des groupes supplémentaires étaient créés et " "utilisés pour restreindre l'accès à des fichiers partagés associés aux " "différents répertoires de projets. La gestion des fichiers devenait " "difficile quand un seul utilisateur travaillait sur plusieurs projets car " "quand quelqu'un créait un fichier, ce dernier était associé au groupe " "primaire auquel il appartenait (c'est-à-dire « users »)." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:542 msgid "" "Debian's scheme solves this problem by assigning each user to their own " "group; so that with a proper umask (0002) and the SETGID bit set on a given " "project directory, the correct group is automatically assigned to files " "created in that directory. This makes it easier for people who work on " "multiple projects, because they will not have to change groups or umasks " "when working on shared files." msgstr "" "Le schéma Debian résout ce problème en attribuant à chaque utilisateur son " "propre groupe ; ainsi avec un umask correct (0002) et le bit SETGID " "positionné dans un répertoire de projet donné, le groupe correct est " "automatiquement attribué aux fichiers créés dans ce répertoire. Cela " "facilite le travail sur plusieurs projets sans modifier les groupes ou les " "umask pour travailler sur des fichiers partagés." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:548 msgid "" "You can, however, change this behavior by modifying /etc/adduser.conf. Change the USERGROUPS variable to 'no', so that a new group " "is not created when a new user is created. Also, set USERS_GID to " "the GID of the users group which all users will belong to." msgstr "" "Vous pouvez, cependant, changer ce comportement en modifiant /etc/" "adduser.conf. Changez la variable USERGROUPS à « " "no », pour qu'aucun nouveau groupe ne soit créé quand un nouvel " "utilisateur est créé. Positionnez également USERS_GID au GID du " "groupe users auquel appartiennent tous les utilisateurs." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:550 msgid "Questions regarding services and open ports" msgstr "Questions concernant les services et les ports ouverts" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:552 msgid "Why are all services activated upon installation?" msgstr "" "Pourquoi tous les services sont-ils activés lors de l'installation ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:559 msgid "" "That's just an approach to the problem of being, on one side, security " "conscious and on the other side user friendly. Unlike OpenBSD, which " "disables all services unless activated by the administrator, Debian GNU/" "Linux will activate all installed services unless deactivated (see for more information). After all you installed the service, " "didn't you?" msgstr "" "C'est un compromis entre la présence de sécurité et la facilité " "d'utilisation. Contrairement à OpenBSD, qui désactive tous les services non " "activés par l'administrateur, Debian GNU/Linux activera tous les services " "installés à moins de les désactiver (consultez pour " "plus de renseignements). Après tout, vous avez installé ces services de " "votre propre chef, n'est-ce pas ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:564 msgid "" "There has been much discussion on Debian mailing lists (both at debian-devel " "and at debian-security) regarding which is the better approach for a " "standard installation. However, as of this writing (March 2002), there still " "isn't a consensus." msgstr "" "De nombreuses discussions sur les listes de diffusion Debian (sur debian-" "devel et debian-security) ont eu lieu sur l'installation standard. " "Cependant, il n'y a pas de consensus à ce jour (mars 2002) sur la solution à " "adopter." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:566 msgid "Can I remove inetd?" msgstr "Puis-je retirer inetd ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:572 msgid "" "Inetd is not easy to remove since netbase " "depends on the package that provides it (netkit-inetd). " "If you want to remove it, you can either disable it (see ) or remove the package by using the equivs package." msgstr "" "inetd n'est pas aisé à retirer étant donné que " "netbase dépend du paquet qui le fournit (netkit-" "inetd). Si vous voulez le retirer, vous pouvez soit le désactiver " "(consultez ), soit retirer le paquet en utilisant " "equivs." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:574 msgid "Why do I have port 111 open?" msgstr "Pourquoi le port 111 est-il ouvert ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:580 msgid "" "Port 111 is sunrpc's portmapper, and it is installed by default as part of " "Debian's base installation since there is no need to know when a user's " "program might need RPC to work correctly. In any case, it is used mostly for " "NFS. If you do not need it, remove it as explained in ." msgstr "" "Le port 111 est le mappeur de port sunrpc, il est installé par défaut dans " "toutes les installations de base d'un système Debian puisqu'il est " "nécessaire pour savoir quand le programme d'un utilisateur a besoin de RPC " "pour fonctionner correctement. Dans tous les cas, il est principalement " "utilisé pour NFS. Si vous n'en avez pas besoin, retirez-le comme décrit en " "." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:585 msgid "" "In versions of the portmap package later than 5-5 you can " "actually have the portmapper installed but listening only on localhost (by " "modifying /etc/default/portmap)" msgstr "" "Dans les versions du paquet portmap ultérieures à 5-5, le " "portmapper peut être en fait installé en n'écoutant que localhost (en " "modifiant /etc/default/portmap)." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:587 msgid "What use is identd (port 113) for?" msgstr "À quoi sert identd (port 113) ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:595 msgid "" "Identd service is an authentication service that identifies the owner of a " "specific TCP/IP connection to the remote server accepting the connection. " "Typically, when a user connects to a remote host, inetd on the " "remote host sends back a query to port 113 to find the owner information. It " "is often used by mail, FTP and IRC servers, and can also be used to track " "down which user in your local system is attacking a remote system." msgstr "" "Le service identd est un service d'authentification du propriétaire d'une " "connexion TCP/IP spécifique au serveur distant acceptant la connexion. Par " "exemple, quand un utilisateur se connecte sur un hôte distant, inetd de l'hôte distant va envoyer une demande sur le port 113 pour " "déterminer les informations du propriétaire. C'est souvent utilisé pour les " "serveurs de courriers, FTP et IRC et peut également être utilisé pour " "remonter la trace de l'utilisateur qui attaque un système distant par " "l'intermédiaire de votre machine." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:608 msgid "" "There has been extensive discussion on the security of identd " "(See ). In " "general, identd is more helpful on a multi-user system than on " "a single user workstation. If you don't have a use for it, disable it, so " "that you are not leaving a service open to the outside world. If you decide " "to firewall the identd port, please use a reject policy and not a " "deny policy, otherwise a connection to a server utilizing identd will hang until a timeout expires (see )." msgstr "" "Des discussions complètes ont eu lieu sur la sécurité d'identd " "(consultez les ). En règle générale, identd est plus utile sur un système " "multiutilisateur que sur un poste de travail mono-utilisateur. Si vous n'en " "avez pas l'utilité, désactivez-le, pour ne pas laisser un service ouvert au " "monde extérieur. Mais si vous le bloquez par un pare-feu, s'il vous " "plaît, créez une règle de rejet et non une règle de déni, sinon la " "communication à un serveur utilisant identd pourrait être en " "attente jusqu'à l'expiration d'un délai (consultez les )." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:611 msgid "" "I have services using port 1 and 6, what are they and how can I remove them?" msgstr "" "Des services utilisent les ports 1 et 6, quels sont ces services et comment " "les enlever ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:613 msgid "If you have run the command netstat -an and receive:" msgstr "Si la commande netstat -an affiche :" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:621 #, no-wrap msgid "" " Active Internet connections (servers and established)\n" " Proto Recv-Q Send-Q Local Address Foreign Address State\n" " PID/Program name\n" " raw 0 0 0.0.0.0:1 0.0.0.0:* 7\n" " -\n" " raw 0 0 0.0.0.0:6 0.0.0.0:* 7\n" " -" msgstr "" " Active Internet connections (servers and established)\n" " Proto Recv-Q Send-Q Local Address Foreign Address State\n" " PID/Program name\n" " raw 0 0 0.0.0.0:1 0.0.0.0:* 7\n" " -\n" " raw 0 0 0.0.0.0:6 0.0.0.0:* 7\n" " -" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:632 msgid "" "You are not seeing processes listening on TCP/UDP port 1 and 6. In " "fact, you are seeing a process listening on a raw socket for " "protocols 1 (ICMP) and 6 (TCP). Such behavior is common to both Trojans and " "some intrusion detection systems such as iplogger and " "portsentry. If you have these packages simply remove " "them. If you do not, try netstat's -p (process) option to see which " "process is running these listeners." msgstr "" "Aucun processus n'écoute sur les ports 1 et 6. En fait, un " "processus écoute sur une socket raw (brut) pour les protocoles 1 " "(ICMP) et 6 (TCP). Un tel comportement est courant pour les chevaux de Troie " "et pour certains systèmes de détection d'intrusions comme iplogger et portsentry. Si ces paquets sont installés, " "supprimez-les simplement. Sinon, essayez l'option -p (processus) de " "netstat pour voir le processus à l'écoute." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:634 msgid "I found the port XYZ open, can I close it?" msgstr "Le port XYZ est ouvert, puis-je le fermer ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:641 msgid "" "Yes, of course. The ports you are leaving open should adhere to your " "individual site's policy regarding public services available to other " "networks. Check if they are being opened by inetd (see ), or by other installed packages and take the appropriate " "measures (i.e, configure inetd, remove the package, avoid it running on boot-" "up)." msgstr "" "Bien sûr que vous pouvez, les ports laissés ouverts doivent adhérer à la " "politique de sécurité du site concernant les services publics disponibles " "pour les autres systèmes. Vérifiez s'ils sont ouverts par inetd " "(consultez ) ou par d'autres paquets installés et prenez " "les mesures adéquates (par exemple, configuration d'inetd, suppression du " "paquet, éviter qu'il soit lancé au démarrage)." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:644 msgid "" "Will removing services from /etc/services help secure my box?" msgstr "" "Est-ce que la suppression de services de /etc/services va aider à sécuriser " "la machine ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:651 msgid "" "No, /etc/services only provides a mapping between a " "virtual name and a given port number. Removing names from this file will not " "(usually) prevent services from being started. Some daemons may not run if " "/etc/services is modified, but that's not the norm. To properly " "disable the service, see ." msgstr "" "Non, le fichier /etc/services fournit juste une " "cartographie d'un nom virtuel à un numéro de port donné. La suppression des " "noms ne va pas (en général) empêcher les services d'être lancés. Certains " "démons ne se lanceront peut-être pas si /etc/services est " "modifié mais ce n'est pas la norme. Pour désactiver correctement les " "services, consultez ." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:653 msgid "Common security issues" msgstr "Problèmes courants de sécurité" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:655 msgid "I have lost my password and cannot access the system!" msgstr "" "J'ai perdu mon mot de passe et je ne peux plus accéder au système !" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:659 msgid "" "The steps you need to take in order to recover from this depend on whether " "or not you have applied the suggested procedure for limiting access to " "lilo and your system's BIOS." msgstr "" "Les démarches pour récupérer le système dépendent des différentes procédures " "appliquées pour limiter l'accès à lilo et au BIOS." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:664 msgid "" "If you have limited both, you need to disable the BIOS setting that only " "allows booting from the hard disk before proceeding. If you have also " "forgotten your BIOS password, you will have to reset your BIOS by opening " "the system and manually removing the BIOS battery." msgstr "" "Si les deux accès sont limités, vous devez désactiver les fonctionnalités du " "BIOS (démarrer uniquement depuis le disque dur) avant de commencer. Si vous " "avez également oublié le mot de passe du BIOS, vous devrez ouvrir le système " "et retirer manuellement la pile du BIOS." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:667 msgid "" "Once you have enabled booting from a CD-ROM or diskette enable, try the " "following:" msgstr "" "Une fois activé l'amorçage depuis un CD ou une disquette, vous pouvez " "essayer de :" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:671 msgid "Boot-up from a rescue disk and start the kernel" msgstr "" "démarrer depuis une disquette de secours (rescue) et démarrer le noyau ;" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:673 msgid "Go to the virtual console (Alt+F2)" msgstr "accéder aux consoles virtuelles (Alt+F2) ;" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:675 msgid "Mount the hard disk where your /root is" msgstr "monter le disque dur où est placée la partition /root ;" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:680 msgid "" "Edit (Debian 2.2 rescue disk comes with the editor ae, and " "Debian 3.0 comes with nano-tiny which is similar to vi) /etc/shadow and change the line:" msgstr "" "éditer (la disquette de secours de Debian 2.2 est livrée avec ae, Debian 3.0 est livrée avec nano-tiny qui est " "similaire à vi) /etc/shadow et modifier la " "ligne :" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:682 #, no-wrap msgid " root:asdfjl290341274075:XXXX:X:XXXX:X::: (X=any number)" msgstr "root:asdfjl290341274075:XXXX:X:XXXX:X::: (X=n'importe quel nombre)" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:688 #, no-wrap msgid " root::XXXX:X:XXXX:X:::" msgstr "root::XXXX:X:XXXX:X:::" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:699 msgid "" "This will remove the forgotten root password, contained in the first colon " "separated field after the user name. Save the file, reboot the system and " "login with root using an empty password. Remember to reset the password. " "This will work unless you have configured the system more tightly, i.e. if " "you have not allowed users to have null passwords or not allowed root to " "login from the console." msgstr "" "Cela retirera le mot de passe superutilisateur oublié, contenu dans le " "premier champ séparé par deux points après le nom d'utilisateur. Enregistrez " "le fichier, redémarrez le système et connectez-vous en tant que " "superutilisateur (avec un mot de passe vide). N'oubliez pas de définir à " "nouveau le mot de passe. Cela fonctionnera sauf si le " "système est configuré plus strictement, par exemple sans autorisation des " "connexions avec mot de passe vide ou des connexions du superutilisateur à " "partir de la console." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:706 msgid "" "If you have introduced these features, you will need to enter into single " "user mode. If LILO has been restricted, you will need to rerun lilo just after the root reset above. This is quite tricky since your " "/etc/lilo.conf will need to be tweaked due to the root (/) file " "system being a ramdisk and not the real hard disk." msgstr "" "Si ces caractéristiques ont été introduites, vous devrez passer en mode " "utilisateur unique. Si LILO a été restreint, vous devrez relancer " "lilo après la réinitialisation du superutilisateur précédente. " "C'est assez délicat puisque /etc/lilo.conf devra être modifié car " "le système de fichiers racine est alors un disque virtuel et non le vrai " "disque dur." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:708 msgid "Once LILO is unrestricted, try the following:" msgstr "Une fois que LILO n'est plus restreint, vous pouvez :" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:713 msgid "" "Press the Alt, shift or Control key just before the system BIOS finishes, " "and you should get the LILO prompt." msgstr "" "presser l'une des touches Alt, Maj ou Ctrl juste avant que le BIOS système " "ne finisse, pour obtenir l'invite de LILO ;" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:716 msgid "" "Type linux single, linux init=/bin/sh or linux 1 " "at the prompt." msgstr "" "entrer linux single, linux init=/bin/sh ou linux 1 à l'invite ;" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:719 msgid "" "This will give you a shell prompt in single-user mode (it will ask for a " "password, but you already know it)" msgstr "" "cela donnera accès à une invite de commandes un mode utilisateur unique (un " "mot de passe sera demandé, mais vous le connaissez déjà) ;" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:721 msgid "Re-mount read/write the root (/) partition, using the mount command." msgstr "" "remonter en lecture/écriture la partition racine (/), en utilisant la " "commande de montage :" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:723 #, no-wrap msgid " # mount -o remount,rw /" msgstr "mount -o remount,rw /" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:728 msgid "" "Change the superuser password with passwd (since you are " "superuser it will not ask for the previous password)." msgstr "" "modifier le mot de passe du superutilisateur avec passwd (étant " "superutilisateur, l'ancien mot de passe ne sera pas demandé)." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:733 msgid "" "How do I accomplish setting up a service for my users without giving out " "shell accounts?" msgstr "" "Comment mettre en place un service pour les utilisateurs sans leur donner un " "compte avec invite de commande ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:744 msgid "" "For example, if you want to set up a POP service, you don't need to set up a " "user account for each user accessing it. It's best to set up directory-based " "authentication through an external service (like Radius, LDAP or an SQL " "database). Just install the appropriate PAM library (libpam-radius-" "auth, libpam-ldap, libpam-pgsql or libpam-mysql), read the documentation (for " "starters, see ) and configure the PAM-enabled service " "to use the back end you have chosen. This is done by editing the files under " "/etc/pam.d/ for your service and modifying the" msgstr "" "Par exemple, si vous voulez mettre en place un service POP, vous n'avez pas " "besoin de configurer un compte d'utilisateur pour chaque utilisateur y " "accédant. Il est préférable de mettre en place une authentification basée sur " "un annuaire grâce à un service externe (comme Radius, LDAP ou une base de " "données SQL). Installez simplement la bibliothèque PAM appropriée " "(libpam-radius-auth, libpam-ldap, " "libpam-pgsql ou libpam-mysql), " "consultez la documentation (pour commencer, consultez ) " "et configurez le service en activant PAM pour utiliser la méthode que vous " "avez choisie. C'est fait en éditant les fichiers de /etc/pam.d/ " "pour les services et en modifiant :" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:746 #, no-wrap msgid " auth required pam_unix_auth.so shadow nullok use_first_pass" msgstr " auth required pam_unix_auth.so shadow nullok use_first_pass" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:748 msgid "to, for example, ldap:" msgstr "en, par exemple pour ldap :" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:750 #, no-wrap msgid " auth required pam_ldap.so" msgstr " auth required pam_ldap.so" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:761 msgid "" "In the case of LDAP directories, some services provide LDAP schemas to be " "included in your directory that are required in order to use LDAP " "authentication. If you are using a relational database, a useful trick is to " "use the where clause when configuring the PAM modules. For example, " "if you have a database with the following table attributes:" msgstr "" "Dans le cas d'annuaires LDAP, certains services fournissent des schémas " "LDAP à inclure dans l'annuaire et qui sont nécessaires pour utiliser " "l'authentification LDAP. Si vous utilisez une base de données relationnelle, " "une astuce utile est d'utiliser la clause where en configurant les " "modules PAM. Par exemple, avec une base de données contenant les attributs " "de table suivants :" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:763 #, no-wrap msgid " (user_id, user_name, realname, shell, password, UID, GID, homedir, sys, pop, imap, ftp)" msgstr " (user_id, user_name, realname, shell, password, UID, GID, homedir, sys, pop, imap, ftp)" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:769 msgid "" "By making the services attributes boolean fields, you can use them to enable " "or disable access to the different services just by inserting the " "appropriate lines in the following files:" msgstr "" "En modifiant les attributs de service en champs booléens, vous pouvez les " "utiliser pour permettre ou interdire l'accès aux différents services avec " "simplement les lignes appropriées dans les fichiers suivants :" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:773 msgid "/etc/pam.d/imap:where=imap=1." msgstr "/etc/pam.d/imap : where=imap=1 ;" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:775 msgid "/etc/pam.d/qpopper:where=pop=1." msgstr "/etc/pam.d/qpopper : where=pop=1 ;" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:778 msgid "" "/etc/nss-mysql*.conf:users.where_clause = user.sys = 1;." msgstr "" "/etc/nss-mysql*.conf : users.where_clause = user.sys = " "1; ;" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:780 msgid "/etc/proftpd.conf: SQLWhereClause \"ftp=1\"." msgstr "" "/etc/proftpd.conf : SQLWhereClause \"ftp=1\"." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:784 msgid "My system is vulnerable! (Are you sure?)" msgstr "Le système est vulnérable ! (En êtes-vous certain ?)" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:787 msgid "Vulnerability assessment scanner X says my Debian system is vulnerable!" msgstr "" "Le scanneur X de vérification des failles indique que le système Debian est " "vulnérable !" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:795 msgid "" "Many vulnerability assessment scanners give false positives when used on " "Debian systems, since they only use version checks to determine if a given " "software package is vulnerable, but do not really test the security " "vulnerability itself. Since Debian does not change software versions when " "fixing a package (many times the fix made for newer releases is back " "ported), some tools tend to think that an updated Debian system is " "vulnerable when it is not." msgstr "" "Plusieurs scanneurs de vérification de failles renvoient des faux positifs " "quand ils sont utilisés sur des systèmes Debian, car ils n'utilisent que le " "numéro de version pour déterminer si un paquet donné de logiciel est " "vulnérable, mais ils ne testent pas réellement la faille de sécurité elle-" "même. Comme Debian ne change pas de numéro de version lors de la correction " "d'un paquet (il est courant que la correction effectuée pour des versions " "plus récentes soit rétroportée), certains outils ont tendance à croire qu'un " "système Debian mis à jour est vulnérable alors qu'il ne l'est pas." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:800 msgid "" "If you think your system is up to date with security patches, you might want " "to use the cross references to security vulnerability databases published " "with the DSAs (see ) to weed out false positives, if the " "tool you are using includes CVE references." msgstr "" "Si vous pensez que le système est à jour des correctifs de sécurité, vous " "pourriez utiliser les références croisées des bases de données des failles " "de sécurité publiées avec les DSA (consultez ) pour éliminer " "les faux positifs, si l'outil utilisé inclut des références CVE." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:803 msgid "I've seen an attack in my system's logs. Is my system compromised?" msgstr "" "Une attaque apparaît dans les fichiers journaux du système. Le système est-" "il compromis ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:810 msgid "" "A trace of an attack does not always mean that your system has been " "compromised, and you should take the usual steps to determine if the system " "is indeed compromised (see ). Even if your " "system was not vulnerable to the attack that was logged, a determined " "attacker might have used some other vulnerability besides the ones you have " "detected." msgstr "" "Une trace d'une attaque ne veut pas toujours dire que le système a été " "compromis et vous devriez effectuer les étapes habituelles pour déterminer " "si le système est vraiment compromis (consultez ). Même si le système n'était pas vulnérable à l'attaque journalisée, un " "attaquant déterminé pourrait avoir utilisé une autre faille en plus de " "celles détectées." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:812 msgid "I have found strange 'MARK' lines in my logs: Am I compromised?" msgstr "" "D'étranges lignes « MARK » apparaissent dans les journaux : " "le système est-il compromis ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:814 msgid "You might find the following lines in your system logs:" msgstr "" "Les lignes suivantes pourraient apparaître dans les fichiers journaux du " "système :" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:818 #, no-wrap msgid "" " Dec 30 07:33:36 debian -- MARK --\n" " Dec 30 07:53:36 debian -- MARK --\n" " Dec 30 08:13:36 debian -- MARK --" msgstr "" " Dec 30 07:33:36 debian -- MARK --\n" " Dec 30 07:53:36 debian -- MARK --\n" " Dec 30 08:13:36 debian -- MARK --" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:827 msgid "" "This does not indicate any kind of compromise, and users changing between " "Debian releases might find it strange. If your system does not have high " "loads (or many active services), these lines might appear throughout your " "logs. This is an indication that your syslogd daemon is running " "properly. From :" msgstr "" "Cela n'indique aucune compromission et les utilisateurs changeant de " "versions de Debian peuvent trouver cela étrange. Si le système n'a pas une " "charge importante (ou beaucoup de services actifs), ces lignes peuvent " "apparaître dans les journaux. Cela indique que le démon " "syslogd fonctionne correctement. De  :" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:833 #, no-wrap msgid "" " -m interval\n" " The syslogd logs a mark timestamp regularly. The\n" " default interval between two -- MARK -- lines is 20\n" " minutes. This can be changed with this option.\n" " Setting the interval to zero turns it off entirely." msgstr "" " -m interval\n" " Syslogd garde dans un journal une marque d'horodatage\n" " régulièrement. L'intervalle par défaut entre deux lignes\n" " -- MARK -- est de 20 minutes. Cela peut être modifié\n" " par cette option. Positionner l'intervalle à 0 le\n" " désactive complètement." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:837 msgid "I found users using 'su' in my logs: Am I compromised?" msgstr "" "Des utilisateurs utilisant « su » apparaissent dans les " "journaux : le système est-il compromis ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:838 msgid "You might find lines in your logs like:" msgstr "Vous pouvez trouver ce genre de lignes dans les journaux :" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:841 #, no-wrap msgid "" " Apr 1 09:25:01 server su[30315]: + ??? root-nobody\n" " Apr 1 09:25:01 server PAM_unix[30315]: (su) session opened for user nobody by (UID=0)" msgstr "" " Apr 1 09:25:01 server su[30315]: + ??? root-nobody\n" " Apr 1 09:25:01 server PAM_unix[30315]: (su) session opened for user nobody by (UID=0)" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:847 msgid "" "Don't worry too much. Check to see if these entries are due to cron jobs (usually /etc/cron.daily/find or logrotate):" msgstr "" "Ne vous inquiétez pas trop. Vérifiez si ces entrées sont dues à des tâches " "cron (habituellement, /etc/cron.daily/find ou " "logrotate) :" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:853 #, no-wrap msgid "" " $ grep 25 /etc/crontab\n" " 25 9 * * * root test -e /usr/sbin/anacron || run-parts --report\n" " /etc/cron.daily\n" " $ grep nobody /etc/cron.daily/*\n" " find:cd / && updatedb --localuser=nobody 2>/dev/null" msgstr "" " $ grep 25 /etc/crontab\n" " 25 9 * * * root test -e /usr/sbin/anacron || run-parts --report\n" " /etc/cron.daily\n" " $ grep nobody /etc/cron.daily/*\n" " find:cd / && updatedb --localuser=nobody 2>/dev/null" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:858 msgid "I have found 'possible SYN flooding' in my logs: Am I under attack?" msgstr "" "« possible SYN flooding » apparaît dans les journaux : le " "système est-il attaqué ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:860 msgid "If you see entries like these in your logs:" msgstr "Si vous voyez ce genre d'entrées dans les fichiers journaux :" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:865 #, no-wrap msgid "" " May 1 12:35:25 linux kernel: possible SYN flooding on port X. Sending cookies.\n" " May 1 12:36:25 linux kernel: possible SYN flooding on port X. Sending cookies.\n" " May 1 12:37:25 linux kernel: possible SYN flooding on port X. Sending cookies.\n" " May 1 13:43:11 linux kernel: possible SYN flooding on port X. Sending cookies." msgstr "" " May 1 12:35:25 linux kernel: possible SYN flooding on port X. Sending cookies.\n" " May 1 12:36:25 linux kernel: possible SYN flooding on port X. Sending cookies.\n" " May 1 12:37:25 linux kernel: possible SYN flooding on port X. Sending cookies.\n" " May 1 13:43:11 linux kernel: possible SYN flooding on port X. Sending cookies." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:870 msgid "" "Check if there is a high number of connections to the server using " "netstat, for example:" msgstr "" "Vérifiez le nombre de connexions au serveur en utilisant netstat, par exemple :" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:873 #, no-wrap msgid "" " linux:~# netstat -ant | grep SYN_RECV | wc -l\n" " 9000" msgstr "" " linux:~# netstat -ant | grep SYN_RECV | wc -l\n" " 9000" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:884 msgid "" "This is an indication of a denial of service (DoS) attack against your " "system's X port (most likely against a public service such as a web server " "or mail server). You should activate TCP syncookies in your kernel, see . Note, however, that a DoS attack might flood your " "network even if you can stop it from crashing your systems (due to file " "descriptors being depleted, the system might become unresponsive until the " "TCP connections timeout). The only effective way to stop this attack is to " "contact your network provider." msgstr "" "Cela peut indiquer une attaque par déni de service (DoS) sur le port X du " "système (très certainement sur un service public comme un serveur web ou un " "serveur de courrier). Vous devriez activer TCP syncookies dans le noyau, " "consultez . Cependant, notez qu'une attaque par " "déni de service peut inonder le réseau même si vous pouvez l'empêcher de " "planter les systèmes (à cause de la raréfaction de descripteurs de fichiers, " "le système peut ne plus répondre avant que les connexions TCP expirent). Le " "seul moyen efficace pour arrêter cette attaque est de contacter le " "fournisseur d'accès réseau." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:887 msgid "I have found strange root sessions in my logs: Am I compromised?" msgstr "" "Des sessions superutilisateur étranges apparaissent dans les journaux : " "le système est-il compromis ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:890 msgid "" "You might see these kind of entries in your /var/log/auth.log " "file:" msgstr "" "Ce genre d'entrées peut apparaître dans le fichier /var/log/auth.log :" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:896 #, no-wrap msgid "" " May 2 11:55:02 linux PAM_unix[1477]: (cron) session closed for user root\n" " May 2 11:55:02 linux PAM_unix[1476]: (cron) session closed for user root\n" " May 2 12:00:01 linux PAM_unix[1536]: (cron) session opened for user root by\n" " (UID=0)\n" " May 2 12:00:02 linux PAM_unix[1536]: (cron) session closed for user root" msgstr "" " May 2 11:55:02 linux PAM_unix[1477]: (cron) session closed for user root\n" " May 2 11:55:02 linux PAM_unix[1476]: (cron) session closed for user root\n" " May 2 12:00:01 linux PAM_unix[1536]: (cron) session opened for user root by\n" " (UID=0)\n" " May 2 12:00:02 linux PAM_unix[1536]: (cron) session closed for user root" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:905 msgid "" "These are due to a cron job being executed (in this example, " "every five minutes). To determine which program is responsible for these " "jobs, check entries under: /etc/crontab, /etc/cron.d, /etc/crond.daily and root's crontab under " "/var/spool/cron/crontabs." msgstr "" "Elles sont dues à l'exécution d'une tâche cron (dans cet " "exemple, toutes les cinq minutes). Pour déterminer le programme responsable " "de ces tâches, vérifiez les entrées dans : /etc/crontab, " "/etc/cron.d, /etc/crond.daily et la crontab du superutilisateur dans /var/spool/cron/crontabs." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:907 msgid "I have suffered a break-in, what do I do?" msgstr "Le système a été victime d'une intrusion, que faire ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:910 msgid "There are several steps you might want to take in case of a break-in:" msgstr "Plusieurs étapes sont à prendre en compte en cas d'intrusion." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:921 msgid "" "Check if your system is up to date with security patches for published " "vulnerabilities. If your system is vulnerable, the chances that the system " "is in fact compromised are increased. The chances increase further if the " "vulnerability has been known for a while, since there is usually more " "activity related to older vulnerabilities. Here is a link to ." msgstr "" "Vérifiez que le système est à jour avec les correctifs de sécurité pour les " "failles publiées. Si le système est vulnérable, les risques de compromission " "réelle du système augmentent. Les risques augmentent encore plus si la " "faille est connue depuis un certain temps, car il y a habituellement plus " "d'activité en lien avec d'anciennes failles. Voici un lien vers les ." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:924 msgid "" "Read this document, especially the section." msgstr "" "Consultez ce document, en particulier la section ." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:927 msgid "" "Ask for assistance. You might use the debian-security mailing list and ask " "for advice on how to recover/patch your system." msgstr "" "Demandez de l'aide. La liste de diffusion debian-security permet de demander " "conseil sur la manière de récupérer ou corriger le système." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:934 msgid "" "Notify your local (if it " "exists, otherwise you may want to consider contacting CERT directly). This " "might or might not help you, but, at the very least, it will inform CERT of " "ongoing attacks. This information is very valuable in determining which " "tools and attacks are being used by the blackhat community." msgstr "" "Informez le local (s'il " "existe, sinon vous pourriez contacter le CERT directement). Cela peut ou non " "vous aider, mais au minimum, cela informera le CERT des attaques en cours. " "Cette information est très précieuse pour déterminer les outils et attaques " "utilisés par la communauté blackhat." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:938 msgid "How can I trace an attack?" msgstr "Comment pister une attaque ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:947 msgid "" "By watching the logs (if they have not been tampered with), using intrusion " "detection systems (see ), traceroute, whois and similar tools (including forensic analysis), " "you may be able to trace an attack to the source. The way you should react " "to this information depends solely on your security policy, and what " "you consider is an attack. Is a remote scan an attack? Is a " "vulnerability probe an attack?" msgstr "" "En regardant les journaux (s'ils n'ont pas été modifiés), en utilisant un " "système de détection d'intrusions (consultez ), " "traceroute, whois et outils similaires (y compris " "des analyses post-mortem), vous pourriez trouver la source de l'attaque. La " "réaction face à ces informations dépend uniquement des règles de sécurité, " "et de ce que vous considérez comme une attaque. Un scan distant est-" "il une attaque ? Un test de failles de sécurité est-il une " "attaque ?" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:949 msgid "Program X in Debian is vulnerable, what do I do?" msgstr "Le programme X dans Debian est vulnérable, que faire ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:955 msgid "" "First, take a moment to see if the vulnerability has been announced in " "public security mailing lists (like Bugtraq) or other forums. The Debian " "Security Team keeps up to date with these lists, so they may also be aware " "of the problem. Do not take any further actions if you see an announcement " "at ." msgstr "" "Tout d'abord, vérifiez si la vulnérabilité a été annoncée sur les listes de " "diffusion publiques de sécurité (comme Bugtraq) ou autres forums. L'équipe de " "sécurité Debian se tient à jour à l'aide de ces listes, elle peut donc déjà " "être consciente du problème. Ne lancez pas d'autres actions si l'annonce est " "sur ." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:961 msgid "" "If no information seems to be published, please send e-mail about the " "affected package(s), as well as a detailed description of the vulnerability " "(proof of concept code is also OK), to . This will get you in touch with " "Debian's security team." msgstr "" "Si rien n'a été publié, veuillez envoyer un message à propos des paquets " "concernés avec une description aussi détaillée que possible de la " "vulnérabilité rencontrée (la preuve par un code d'exploitation est aussi " "bienvenue) à . Cela vous mettra en rapport avec l'équipe de " "sécurité Debian." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:964 en/faq.sgml:1089 msgid "" "The version number for a package indicates that I am still running a " "vulnerable version!" msgstr "" "Le numéro de version pour un paquet indique une version vulnérable !" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:974 msgid "" "Instead of upgrading to a new release, Debian backports security fixes to " "the version that was shipped in the stable release. The reason for this is " "to make sure that the stable release changes as little as possible, so that " "things will not change or break unexpectedly as a result of a security fix. " "You can check if you are running a secure version of a package by looking at " "the package changelog, or comparing its exact (upstream version -slash- " "debian release) version number with the version indicated in the Debian " "Security Advisory." msgstr "" "Au lieu de mettre à jour vers une nouvelle version, Debian rétroporte le " "correctif de sécurité dans la version de la distribution stable. La raison " "d'agir ainsi est simple : cela permet d'assurer qu'une version a le moins de " "modifications possible, de cette manière les choses ne changeront pas ou ne " "se briseront pas à cause d'une mise à jour de sécurité. Vous pouvez vérifier " "qu'une version sécurisée du paquet est utilisée en regardant le journal de " "modifications du paquet ou en comparant le numéro exact de version (version " "amont et révision Debian) avec celui indiqué dans l'alerte de sécurité " "Debian (« Debian Security Advisory »)." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:976 msgid "Specific software" msgstr "Logiciels spécifiques" #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:979 msgid "proftpd is vulnerable to a Denial of Service attack." msgstr "ProFTPD est vulnérable à une attaque de déni de service" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:982 msgid "" "Add DenyFilter \\*.*/ to your configuration file, and for more " "information see ." msgstr "" "Ajoutez DenyFilter \\*.*/ au fichier de configuration, pour plus " "d'informations, consultez ." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:985 msgid "" "After installing portsentry, there are a lot of ports " "open." msgstr "Après l'installation de portsentry, de nombreux ports sont ouverts." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:988 msgid "" "That's just the way portsentry works. It opens about twenty " "unused ports to try to detect port scans." msgstr "" "Il s'agit simplement du mode de fonctionnement de portsentry. " "Il ouvre environ 20 ports non utilisés pour tenter de détecter les scans de " "ports." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:990 msgid "Questions regarding the Debian security team" msgstr "Questions concernant l'équipe de sécurité Debian" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:998 msgid "" "This information is derived from the . It includes the information as " "of January, 2006, and provides answers for some other common questions asked " "in the debian-security mailing list." msgstr "" "Cette information est tirée de la . Elle inclut les " "informations jusqu'à janvier 2006 et fournit des réponses à d'autres " "questions souvent posées sur la liste de diffusion debian-security." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:1000 msgid "What is a Debian Security Advisory (DSA)?" msgstr "" "Qu'est ce qu'une alerte de sécurité Debian (Debian Security Advisory, DSA)" " ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1007 msgid "" "It is information sent by the Debian Security Team (see below) regarding the " "discovery and fix for a security related vulnerability in a package " "available in Debian GNU/Linux. Signed DSAs are sent to public mailing lists " "(debian-security-announce) and posted on Debian's web site (both in the " "front page and in the )." msgstr "" "C'est le bulletin d'informations envoyé par l'équipe de sécurité Debian " "(voir ci-dessous) informant qu'une mise à jour de sécurité concernant une " "vulnérabilité d'un paquet de Debian GNU/Linux est disponible. Les DSA signées " "sont envoyées aux listes de diffusion publiques (debian-security-announce) " "et postées sur le site Debian (sur la page de garde et dans la )." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1013 msgid "" "DSAs include information on the affected package(s), the security flaw that " "was discovered and where to retrieve the updated packages (and their MD5 " "sums)." msgstr "" "Les DSA incluent des informations sur les paquets concernés, la faille de " "sécurité découverte et l'endroit où récupérer les paquets mis à jour (ainsi " "que leurs sommes MD5)." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:1015 msgid "The signature on Debian advisories does not verify correctly!" msgstr "La signature des alertes Debian ne se vérifie pas correctement !" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1021 msgid "" "This is most likely a problem on your end. The list has a filter that " "only allows messages with a correct signature from one of the security team " "members to be posted." msgstr "" "C'est la plupart du temps un problème de votre côté. La liste a " "un filtre qui autorise uniquement l'envoi de messages ayant une signature " "correcte appartenant à un des membres de l'équipe de sécurité." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1026 msgid "" "Most likely some piece of mail software on your end slightly changes the " "message, thus breaking the signature. Make sure your software does not do " "any MIME encoding or decoding, or tab/space conversions." msgstr "" "Le plus probable est qu'un logiciel de courrier de votre côté change " "légèrement le message, ce qui rompt la signature. Assurez-vous pour cela que " "le logiciel ne fait aucun encodage ou décodage MIME, ou de conversion de " "tabulation ou espace." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1029 msgid "" "Known culprits fetchmail (with the mimedecode option enabled), formail (from " "procmail 3.14 only) and evolution." msgstr "" "Des coupables connus sont fetchmail (avec l'option mimedecode activée), " "formail (pour procmail 3.14 uniquement) et evolution." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:1031 msgid "How is security handled in Debian?" msgstr "Comment la sécurité est-elle gérée chez Debian ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1040 msgid "" "Once the Security Team receives a notification of an incident, one or more " "members review it and consider its impact on the stable release of Debian (i." "e. if it's vulnerable or not). If our system is vulnerable, we work on a fix " "for the problem. The package maintainer is contacted as well, if he didn't " "contact the Security Team already. Finally, the fix is tested and new " "packages are prepared, which then are compiled on all stable architectures " "and uploaded afterwards. After all of that is done, an advisory is published." msgstr "" "Dès que l'équipe de sécurité reçoit une notification d'un incident, un ou " "plusieurs membres l'inspectent et étudient si la distribution stable de Debian y " "est vulnérable ou pas. Si notre système est vulnérable, un travail est " "entrepris pour résoudre le problème. Le responsable du paquet est également " "contacté s'il n'a pas déjà contacté l'équipe de sécurité. Finalement, la " "solution est testée et de nouveaux paquets sont préparés, qui sont ensuite " "compilés sur toutes les architectures stables puis mis à disposition. " "Une fois toutes ces tâches terminées, une alerte de sécurité est " "publiée." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:1042 msgid "Why are you fiddling with an old version of that package?" msgstr "" "Pourquoi vous embêtez-vous avec une vieille version de tel paquet ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1050 msgid "" "The most important guideline when making a new package that fixes a security " "problem is to make as few changes as possible. Our users and developers are " "relying on the exact behavior of a release once it is made, so any change we " "make can possibly break someone's system. This is especially true in case of " "libraries: make sure you never change the Application Program Interface " "(API) or Application Binary Interface (ABI), no matter how small the change " "is." msgstr "" "La règle la plus importante lors de la création d'un nouveau paquet qui " "corrige un problème de sécurité est de faire le moins de changements " "possible. Nos utilisateurs et développeurs comptent sur le comportement " "exact d'une distribution une fois qu'elle est stable, donc tout changement " "que nous faisons peut peut-être casser le système de quelqu'un. C'est " "particulièrement vrai dans le cas de bibliothèques : assurez-vous de ne " "jamais changer l'interface de programmation d'applications (API) ou " "l'interface binaire d'applications (ABI), quelque petit que soit le " "changement." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1055 msgid "" "This means that moving to a new upstream version is not a good solution, " "instead the relevant changes should be backported. Generally upstream " "maintainers are willing to help if needed, if not the Debian security team " "might be able to help." msgstr "" "Cela veut dire que passer à une nouvelle version amont n'est pas une bonne " "solution. Au lieu de cela, les modifications pertinentes devraient être " "rétroportées. Habituellement, les responsables amont veulent bien aider. " "Sinon l'équipe de sécurité Debian peut peut-être aider." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1060 msgid "" "In some cases it is not possible to backport a security fix, for example " "when large amounts of source code need to be modified or rewritten. If that " "happens it might be necessary to move to a new upstream version, but this " "has to be coordinated with the security team beforehand." msgstr "" "Dans certains cas, il n'est pas possible de rétroporter un correctif de " "sécurité, par exemple quand de grandes quantités de code source doivent être " "modifiées ou réécrites. Si cela arrive, il peut être nécessaire de passer à " "une nouvelle version amont, mais cela doit obligatoirement être coordonné " "avec l'équipe de sécurité auparavant." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:1062 msgid "" "What is the policy for a fixed package to appear in security.debian.org?" msgstr "" "Quelle est la règle pour qu'un paquet fixé apparaisse sur security.debian." "org ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1070 msgid "" "Security breakage in the stable distribution warrants a package on security." "debian.org. Anything else does not. The size of a breakage is not the real " "problem here. Usually the security team will prepare packages together with " "the package maintainer. Provided someone (trusted) tracks the problem and " "gets all the needed packages compiled and submit them to the security team, " "even very trivial security problem fixes will make it to security.debian." "org. Please see below." msgstr "" "Les problèmes de sécurité dans la distribution stable garantisse qu'un " "paquet ira sur security.debian.org. Rien d'autre ne le peut. La taille du " "problème n'est pas un problème réel ici. Habituellement, l'équipe de " "sécurité va préparer des paquets avec le responsable du paquet. Pourvu que " "quelqu'un (de confiance) suive le problème, compile tous les paquets " "nécessaires et les propose à l'équipe de sécurité, même des problèmes de " "sécurité très triviaux peuvent faire aller le paquet sur security.debian." "org. Voir ci-dessous." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1074 msgid "" "Security updates serve one purpose: to supply a fix for a security " "vulnerability. They are not a method for sneaking additional changes into " "the stable release without going through normal point release procedure." msgstr "" "Les mises à jour de sécurité ont un but : fournir un correctif à une faille " "de sécurité. Elles ne permettent pas d'ajouter des modifications " "supplémentaires dans la publication stable sans passer par la procédure " "normale de mise à jour de publication." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:1076 msgid "What does \"local (remote)\" mean?" msgstr "Que signifie « local (remote) » ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1083 msgid "" "Some advisories cover vulnerabilities that cannot be identified with the " "classic scheme of local and remote exploitability. Some vulnerabilities " "cannot be exploited from remote, i.e. don't correspond to a daemon listening " "to a network port. If they can be exploited by special files that could be " "provided via the network while the vulnerable service is not permanently " "connected with the network, we write \"local (remote)\" in such cases." msgstr "" "Certaines annonces couvrent des vulnérabilités qui ne peuvent pas être " "identifiées par le schéma habituel d'exploitation local ou à distance. " "Certaines vulnérabilités ne peuvent pas être exploitées à distance, c'est-à-" "dire ne correspondent pas à un démon qui écoute sur un port réseau. Si elles " "peuvent être exploitées par des fichiers particuliers qui pourraient être " "fournis par le réseau alors que le service vulnérable n'est pas connecté en " "permanence au réseau, « local (remote) » est alors écrit." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1087 msgid "" "Such vulnerabilities are somewhat between local and remote vulnerabilities " "and often cover archives that could be provided through the network, e.g. as " "mail attachment or from a download page." msgstr "" "De telles vulnérabilités sont en quelque sorte à la fois locale et à " "distance, et concernent souvent des archives qui pourraient être fournies " "par le réseau, par exemple en tant que pièce jointe à un courrier " "électronique ou depuis une page de téléchargement." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1091 msgid "See ." msgstr "Consultez ." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:1093 msgid "How is security handled for testing and unstable?" msgstr "" "Comment est assurée la sécurité pour les versions testing et unstable ?" # NOTE: Missing final period #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1103 msgid "" "The short answer is: it's not. Testing and unstable are rapidly moving " "targets and the security team does not have the resources needed to properly " "support those. If you want to have a secure (and stable) server you are " "strongly encouraged to stay with stable. However, work is in progress to " "change this, with the formation of a which has begun work to offer " "security support for testing, and to some extent, for unstable. For more " "information see " msgstr "" "La réponse courte est : il n'y en a pas. testing et " "unstable évoluent très rapidement et l'équipe de sécurité n'a pas " "les ressources nécessaires pour les suivre correctement. Si vous désirez un " "serveur sécurisé (et stable), nous vous encourageons fortement à rester sur " "une version stable. Cependant, il y a du travail de fait dans cette " "direction, avec la formation d'une qui a " "commencé à offrir un suivi en sécurité pour testing, et d'une certaine " "façon, pour unstable. Pour de plus amples renseignements, veuillez consulter " "." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1108 msgid "" "In some cases, however, the unstable branch usually gets security fixes " "quite quickly, because those fixes are usually available upstream faster " "(other versions, like those in the stable branch, usually need to be back " "ported)." msgstr "" "Dans certains cas, cependant, la branche unstable récupère les correctifs de " "sécurité très rapidement puisque les mises à jour de sécurité sont " "généralement disponibles en amont plus rapidement (pour les autres versions, " "comme celles introduites dans la branche stable, il est nécessaire de faire " "un rétroportage)." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1114 msgid "" "You can review public vulnerabilities affecting the testing and " "unstable release at the ." msgstr "" "Vous pouvez consulter les vulnérabilités publiques concernant les " "publications testing et unstable sur le ." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:1116 msgid "" "I use an older version of Debian, is it supported by the Debian Security " "Team?" msgstr "" "Je possède une ancienne version de Debian, est-elle suivie par l'équipe de " "sécurité Debian ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1122 msgid "" "No. Unfortunately, the Debian Security Team cannot handle both the stable " "release (unofficially, also the unstable) and other older releases. However, " "you can expect security updates for a limited period of time (usually " "several months) immediately following the release of a new Debian " "distribution." msgstr "" "Malheureusement non. L'équipe de sécurité Debian ne peut pas gérer à la fois " "la version stable (et, officieusement, la version " "unstable) et d'autres anciennes versions. Cependant, vous pouvez " "espérer des mises à jour de sécurité pour une période limitée " "(habituellement plusieurs mois) juste après la sortie d'une nouvelle distribution " "Debian." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:1124 msgid "How does testing get security updates?" msgstr "Comment testing reçoit-elle les mises à jour de sécurité ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1130 msgid "" "Security updates will migrate into the testing distribution via unstable. " "They are usually uploaded with their priority set to high, which will reduce " "the quarantine time to two days. After this period, the packages will " "migrate into testing automatically, given that they are built for all " "architectures and their dependencies are fulfilled in testing." msgstr "" "Les mises à jour de sécurité migreront de la distribution unstable " "vers testing. Elles sont généralement envoyées avec une priorité " "haute, ce qui réduit le temps d'attente à deux jours. Après cette période, " "les paquets migreront automatiquement vers testing, étant donné " "qu'ils sont construits pour toutes les architectures et que leurs " "dépendances sont disponibles dans testing." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1134 msgid "" "The also makes security fixes available in their repository " "when the normal migration process is not fast enough." msgstr "" "L' prépare aussi des correctifs de sécurité " "disponibles dans leur dépôt quand un processus de migration normal n'est pas " "assez rapide." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:1136 msgid "How is security handled for contrib and non-free?" msgstr "Comment la sécurité est-elle gérée pour contrib et non-free ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1144 msgid "" "The short answer is: it's not. Contrib and non-free aren't official parts of " "the Debian Distribution and are not released, and thus not supported by the " "security team. Some non-free packages are distributed without source or " "without a license allowing the distribution of modified versions. In those " "cases no security fixes can be made at all. If it is possible to fix the " "problem, and the package maintainer or someone else provides correct updated " "packages, then the security team will generally process them and release an " "advisory." msgstr "" "La réponse courte est : elle ne l'est pas. contrib et non-free ne font pas " "officiellement partie de la distribution Debian et ne sont pas publiés, et " "ne sont de fait pas suivis par l'équipe en charge de la sécurité. Certains " "paquets de non-free sont distribués sans source ou sans licence permettant " "la distribution de versions modifiées. Dans ces cas, aucun correctif de " "sécurité ne peut être réalisé. S'il est possible de corriger le problème, et " "que le mainteneur du paquet ou quelqu'un d'autre fournit des paquets " "correctement mis à jour, alors l'équipe de sécurité les traitera normalement " "et publiera une annonce." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:1146 msgid "Why are there no official mirrors for security.debian.org?" msgstr "" "Pourquoi n'y a-t-il pas de miroirs officiels de security.debian.org ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1150 msgid "" "Actually, there are. There are several official mirrors, implemented through " "DNS aliases. The purpose of security.debian.org is to make security updates " "available as quickly and easily as possible." msgstr "" "En fait il y en a. Plusieurs miroirs officiels existent, implémentés à " "l'aide d'alias DNS. Le but de security.debian.org est de mettre à " "disposition les mises à jour de sécurité le plus rapidement et facilement " "possible." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1154 msgid "" "Encouraging the use of unofficial mirrors would add extra complexity that is " "usually not needed and that can cause frustration if these mirrors are not " "kept up to date." msgstr "" "Encourager l'utilisation de miroirs non officiels ajouterait un niveau de " "complexité qui n'est généralement pas nécessaire et qui pourrait provoquer " "une certaine frustration si ces miroirs ne sont pas gardés à jour." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:1156 msgid "I've seen DSA 100 and DSA 102, now where is DSA 101?" msgstr "J'ai vu la DSA 100 et la DSA 102, mais où est la DSA 101 ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1173 msgid "" "Several vendors (mostly of GNU/Linux, but also of BSD derivatives) " "coordinate security advisories for some incidents and agree to a particular " "timeline so that all vendors are able to release an advisory at the same " "time. This was decided in order to not discriminate against some vendors " "that need more time (e.g. when the vendor has to pass packages through " "lengthy QA tests or has to support several architectures or binary " "distributions). Our own security team also prepares advisories in advance. " "Every now and then, other security issues have to be dealt with before the " "parked advisory could be released, and hence temporarily leaving out one or " "more advisories by number." msgstr "" "Plusieurs vendeurs (la plupart pour GNU/Linux, mais aussi des dérivés BSD) " "coordonnent les alertes de sécurité pour certains incidents et se mettent " "d'accord pour un calendrier particulier pour que tous les vendeurs puissent " "diffuser l'alerte en même temps. Cela a été décidé afin de ne pas " "discriminer un vendeur en particulier qui aurait besoin de plus de temps " "(par exemple si le vendeur doit faire passer ses paquets par de longs tests " "de QA ou doit prendre en charge plusieurs architectures ou distributions " "binaires). Notre propre équipe de sécurité prépare également les alertes à " "l'avance. De temps en temps, d'autres problèmes de sécurité doivent être " "traités avant que l'alerte en attente puisse être diffusée, cela laisse donc " "temporairement vide un ou plusieurs numéros d'alerte." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:1175 msgid "" "I tried to download a package listed in one of the security advisories, but " "I got a `file not found' error." msgstr "" "J'ai essayé de télécharger un paquet faisant partie d'une annonce de " "sécurité, mais j'obtiens une erreur « fichier non trouvé »." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1180 msgid "" "Whenever a newer bugfix supersedes an older package on security.debian.org, " "chances are high that the old package will be removed by the time the new " "one gets installed. Hence, you'll get this `file not found' error. We don't " "want to distribute packages with known security bugs longer than absolutely " "necessary." msgstr "" "Si une correction de bogue plus récente remplace un paquet plus ancien de " "security.debian.org, il y a de fortes chances que l'ancien paquet soit " "retiré pendant que le nouveau est installé. Par conséquent, vous obtiendrez " "cette erreur de « fichier non trouvé ». Nous ne voulons pas distribuer de " "paquets avec des bogues de sécurité plus longtemps qu'absolument nécessaire." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1186 msgid "" "Please use the packages from the latest security advisories, which are " "distributed through the . It's best to " "simply run apt-get update before upgrading the package." msgstr "" "Veuillez utiliser les paquets de la dernière annonce de sécurité, qui sont " "annoncés sur la . Il vaut mieux " "simplement exécuter apt-get update avant de mettre à jour le paquet." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:1188 msgid "How can I reach the security team?" msgstr "Comment joindre l'équipe de sécurité ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1204 msgid "" "Security information can be sent to , which is read by all Debian developers. If " "you have sensitive information please use which only the members of " "the team can read. If desired, email can be encrypted with the Debian " "Security Contact key (key ID ). See also the " "." msgstr "" "Les informations de sécurité peuvent être envoyées à , qui est lue par tous " "les développeurs Debian. Si vous disposez d'informations sensibles, veuillez " "utiliser qui n'est lue que par les membres de l'équipe de sécurité. Si " "vous le désirez, le message peut être chiffré à l'aide de la clef de contact " "de la sécurité Debian (identifiant de clef ). " "Consultez également ." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:1207 msgid "" "What difference is there between security@debian.org and debian-" "security@lists.debian.org?" msgstr "" "Quelles différence existe-t-il entre security@debian.org et debian-" "security@lists.debian.org ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1220 msgid "" "When you send messages to security@debian.org, they are sent to the " "developers' mailing list (debian-private). All Debian developers are " "subscribed to this list and posts are kept private

There has " "been a declassification decision, voted in , that might make some posts " "available in the future, however.

(i.e. are not archived at " "the public website). The public mailing list, debian-security@lists.debian." "org, is open to anyone that wants to , and there are searchable archives " "available ." msgstr "" "Lorsque vous envoyez des messages à security@debian.org, ceux-ci sont " "envoyés aux listes de diffusion des développeurs (debian-private). Tous les " "développeurs Debian sont inscrits à cette liste et tous les envois à cette " "liste sont tenus confidentiels

La a cependant été votée en 2005, ce qui pourrait rendre certains " "messages publiques à l'avenir.

(c'est-à-dire ne sont pas " "archivés sur le site web public). La liste de diffusion publique debian-" "security@lists.debian.org est ouverte à tous ceux qui désirent s'y , et des archives " "sont disponible pour la recherche à partir du site Internet ." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:1222 msgid "I guess I found a security problem, what should I do?" msgstr "Je crois avoir trouvé un problème de sécurité, que dois-je faire ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1229 msgid "" "If you learn about a security problem, either in one of your own packages or " "in someone else's please always contact the security team. If the Debian " "security team confirms the vulnerability and other vendors are likely to be " "vulnerable as well, they usually contact other vendors as well. If the " "vulnerability is not yet public they will try to coordinate security " "advisories with the other vendors, so all major distributions are in sync." msgstr "" "Si vous vous rendez compte d'un problème de sécurité, dans un paquet que " "vous maintenez ou non, veuillez contacter l'équipe de sécurité. Si l'équipe " "de sécurité confirme la vulnérabilité et que d'autres distributeurs sont " "aussi potentiellement vulnérables, ils seront contactés. Si la vulnérabilité " "n'est pas encore publique, l'équipe essayera de coordonner l'annonce avec " "les autres distributeurs, de telle sorte que les distributions principales " "soient synchronisées." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1232 msgid "" "If the vulnerability is already publicly known, be sure to file a bug report " "in the Debian BTS, and tag it security." msgstr "" "Si la vulnérabilité est déjà publiquement connue, n'oubliez pas de soumettre " "un rapport de bogue dans le système de suivi de bogue Debian, et de " "l'étiqueter security." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:1233 msgid "How can I contribute to the Debian security team?" msgstr "Comment puis-je aider l'équipe de sécurité Debian ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1241 msgid "" "By contributing to this document, fixing FIXMEs or providing new content. " "Documentation is important and reduces the overhead of answering common " "issues. Translation of this documentation into other languages is also of " "great help." msgstr "" "En contribuant à ce document, en résolvant les FIXME ou en fournissant un " "nouveau contenu. La documentation est importante et réduit le nombre de " "réponses aux problèmes courants. La traduction de ce document dans d'autres " "langues est également une bonne contribution." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1247 msgid "" "By packaging applications that are useful for checking or enhancing security " "in a Debian GNU/Linux system. If you are not a developer, file a and ask for " "software you think would be useful, but is not currently provided." msgstr "" "En empaquetant des applications utiles pour vérifier ou améliorer la " "sécurité d'un système Debian GNU/Linux. Si vous n'êtes pas un développeur, " "remplissez un et proposez des logiciels que vous pensez utiles et qui ne " "sont pas encore disponibles." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1250 msgid "" "Audit applications in Debian or help solve security bugs and report issues " "to security@debian.org." msgstr "" "Contrôler les applications dans Debian ou aider à résoudre des bogues de " "sécurité et signaler les problèmes à security@debian.org." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1258 msgid "" "In all cases, please review each problem before reporting it to " "security@debian.org. If you are able to provide patches, that would speed up " "the process. Do not simply forward Bugtraq mails, since they are already " "received. Providing additional information, however, is always a good idea." msgstr "" "Dans tous les cas, s'il vous plaît, passez en revue chaque problème avant de " "les signaler à security@debian.org. Si vous êtes capable de fournir des " "correctifs, cela accélérera le processus. Ne faites pas simplement suivre le " "courrier de Bugtraq étant donné qu'ils l'ont déjà reçu. Fournir des " "informations supplémentaires est cependant toujours une bonne idée." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:1260 msgid "Who is the Security Team composed of?" msgstr "Qui compose l'équipe de sécurité ?" # NOTE: s/secretaries/assistants/ #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1264 msgid "" "The Debian security team consists of . The security team " "itself appoints people to join the team." msgstr "" "L'équipe de sécurité Debian est constituée de . L'équipe " "de sécurité nomme elle-même les personnes qui la rejoignent." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:1267 msgid "Does the Debian Security team check every new package in Debian?" msgstr "" "L'équipe de sécurité Debian vérifie-t-elle chaque nouveau paquet dans " "Debian ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1275 msgid "" "No, the Debian security team does not check every new package and there is " "no automatic (lintian) check to detect new packages including malicious " "codes, since those checks are rather impossible to perform automatically. " "Maintainers, however, are fully responsible for the packages they introduce " "into Debian, and all packages are first signed by an authorized developer" "(s). The developer is in charge of analyzing the security of all packages " "that they maintain." msgstr "" "Non, l'équipe de sécurité Debian ne vérifie pas tous les paquets et il " "n'existe pas de vérification automatique (lintian) afin de déceler de " "nouveaux paquets contenant du code malveillant, étant donné que ces " "vérifications sont plutôt impossibles à réaliser automatiquement. Toutefois, " "les développeurs sont complètement responsables du logiciel qu'ils " "introduisent dans Debian et tout logiciel est d'abord signé par un " "développeur habilité. Celui-ci a la responsabilité d'analyser la sécurité du " "paquet qu'il maintient." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:1277 msgid "How much time will it take Debian to fix vulnerability XXXX?" msgstr "" "Combien de temps faudra-t-il à Debian pour résoudre la vulnérabilité XXXX ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1287 msgid "" "The Debian security team works quickly to send advisories and produce fixed " "packages for the stable branch once a vulnerability is discovered. A report " " showed that in the year 2001, it took the Debian Security " "Team an average of 35 days to fix security-related vulnerabilities. However, " "over 50% of the vulnerabilities where fixed in a 10-day time frame, and over " "15% of them where fixed the same day the advisory was released." msgstr "" "L'équipe de sécurité Debian travaille rapidement pour envoyer les alertes et " "produire des paquets corrigés pour la branche stable une fois que la " "vulnérabilité a été découverte. Un rapport a montré que durant l'année " "2001, il a fallu un temps moyen de 35 jours à l'équipe de sécurité Debian " "pour corriger les vulnérabilités découvertes. Cependant, plus de 50 % " "de ces vulnérabilités ont été réparées dans une durée de dix jours, et plus " "de 15 % de celles-ci ont été réparées le jour même de la " "sortie de l'alerte." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1289 msgid "However, when asking this question people tend to forget that:" msgstr "" "Cependant, quand ils posent cette question, les gens ont tendance à oublier " "que :" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1293 msgid "DSAs are not sent until:" msgstr "Les DSA ne sont pas envoyées avant que :" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1300 msgid "" "packages are available for all architectures supported by Debian " "(which takes some time for packages that are part of the system core, " "especially considering the number of architectures supported in the stable " "release)." msgstr "" "les paquets soient disponibles pour toutes les architectures prises " "en charge par Debian (ce qui prend du temps pour les paquets qui font partie " "intégrante du système de base, spécialement si l'on considère le nombre " "d'architectures prises en charge dans la version stable) ;" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1303 msgid "" "new packages are thoroughly tested in order to ensure that no new bugs are " "introduced" msgstr "" "les nouveaux paquets sont ensuite testés pour s'assurer qu'aucun nouveau bug " "n'est introduit." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1308 msgid "" "Packages might be available before the DSA is sent (in the incoming queue or " "on the mirrors)." msgstr "" "Les paquets peuvent être disponibles avant que la DSA ne soit envoyée (dans " "la file d'arrivée ou sur les miroirs)." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1310 msgid "Debian is a volunteer-based project." msgstr "Debian est un projet basé sur le volontariat." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1312 msgid "Debian is licensed with a \"no guarantees\" clause." msgstr "" "La licence de Debian comprend une clause de « non garantie »." #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1325 msgid "" "If you want more in-depth analysis on the time it takes for the Security " "Team to work on vulnerabilities, you should consider that new DSAs (see ) published on the , and the metadata used to generate them, include links " "to vulnerability databases. You could download the sources from the web " "server (from the ) or use the " "HTML pages to determine the time that it takes for Debian to fix " "vulnerabilities and correlate this data with public databases." msgstr "" "Si vous désirez une analyse plus poussée du temps que cela prend à l'équipe " "de sécurité Debian de travailler sur les vulnérabilités, vous devriez " "considérer que les nouvelles DSA (consultez ) publiées sur " "le et " "les métadonnées utilisées pour les générer incluent des liens vers les bases " "de données de vulnérabilités. Vous pouvez télécharger les sources depuis le " "serveur web (depuis le ) ou " "utiliser les pages HTML pour déterminer le temps que cela prend à Debian " "pour corriger les vulnérabilités et corréler cette donnée avec les bases de " "données publiques." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:1327 msgid "How long will security updates be provided?" msgstr "" "Pendant combien de temps les mises à jour de sécurité sont-elles fournies ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1332 msgid "" "The security team tries to support a stable distribution for about one year " "after the next stable distribution has been released, except when another " "stable distribution is released within this year. It is not possible to " "support three distributions; supporting two simultaneously is already " "difficult enough." msgstr "" "L'équipe de sécurité essaye de suivre la distribution stable pendant environ " "un an après la publication de la distribution stable suivante, sauf si une " "autre distribution stable a été publié dans l'année. Ce n'est pas possible " "de suivre trois distributions, c'est déjà bien assez difficile avec deux." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:1336 msgid "How can I check the integrity of packages?" msgstr "Comment puis-je contrôler l'intégrité des paquets ?" #. type:

#: securing-debian-howto.en.sgml:60 en/faq.sgml:1345 msgid "" "This process involve checking the Release file signature against the public " "key (available at , substitute 2006 for the current year) for the archive. The Release file " "contains the MD5 checksums of Packages and Sources files, which contain MD5 " "checksums of binary and source packages. Detailed instruction on how to " "check packages integrity can be found ." msgstr "" "Ce processus consiste à contrôler la signature du fichier Release à l'aide " "de la clef publique (disponible en , en remplaçant 2006 par l'année en cours) utilisée pour " "l'archive. Le fichier Release contient les sommes de contrôle MD5 des " "fichiers Packages et Sources qui contiennent respectivement les sommes de " "contrôle MD5 des paquets binaires et des paquets source. Des instructions " "détaillées sur la façon de contrôler l'intégrité des paquets peuvent être " "obtenues en ." #. type: #: securing-debian-howto.en.sgml:60 en/faq.sgml:1347 msgid "What to do if a random package breaks after a security update?" msgstr "Que faire si un paquet est cassé suite à une mise à jour de sécurité ?" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:3 msgid "" "First of all, you should figure out why the package breaks and how it is " "connected to the security update, then contact the security team if it is " "serious or the stable release manager if it is less serious. We're talking " "about random packages that break after a security update of a different " "package. If you can't figure out what's going wrong but have a correction, " "talk to the security team as well. You may be redirected to the stable " "release manager though." msgstr "" "Premièrement, vous devez essayer de comprendre pourquoi le paquet est " "défaillant et comment il interagit avec la mise à jour de sécurité. Ensuite, " "prenez contact avec l'équipe en charge de la sécurité s'il s'agit de quelque " "chose de sérieux ou bien le responsable de la distribution stable s'il " "s'agit de quelque chose de moins grave. Nous parlons ici de paquets " "quelconques qui cessent de fonctionner après une mise à jour de sécurité " "d'un autre paquet. Si vous ne parvenez pas à identifier la cause du " "problème, mais que vous connaissez le correctif, parlez-en également à " "l'équipe en charge de la sécurité. Il est toutefois possible qu'on vous " "renvoie vers le responsable de la distribution stable." #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:13 msgid "The hardening process step by step" msgstr "La procédure de durcissement étape par étape" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:19 msgid "" "Below is a post-installation, step-by-step procedure for hardening a Debian " "2.2 GNU/Linux system. This is one possible approach to such a procedure and " "is oriented toward the hardening of network services. It is included to show " "the entire process you might use during configuration. Also, see ." msgstr "" "Vous trouverez ci-dessous une procédure post-installation pour durcir un " "système Debian 2.2 GNU/Linux. Il s'agit d'une approche possible pour une " "telle procédure et celle-ci est orientée sur le renforcement des services " "réseaux. Elle est incluse pour présenter le processus entier que vous pouvez " "utiliser pendant la configuration. Veuillez également consulter ." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:26 msgid "" "Install the system, taking into account the information regarding " "partitioning included earlier in this document. After base installation, go " "into custom install. Do not select task packages. Select shadow passwords." msgstr "" "Faire une installation du système (tenez compte des informations dans ce " "manuel concernant le partitionnement). Après l'installation du système de " "base, allez dans l'installation personnalisée, ne sélectionnez pas de " "paquets par tâches (task). Sélectionnez les mots de passe cachés " "(shadow)." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:30 msgid "" "Using dselect, remove all unneeded but selected packages before " "doing [I]nstall. Keep the bare minimum of packages for the system." msgstr "" "Passer les paquets en revue avec dselect et retirer les paquets " "non nécessaires mais sélectionnés auparavant avant de faire [I]nstall. " "Laisser le strict minimum de logiciels sur le système." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:34 msgid "" "Update all software from the latest packages available at security.debian." "org as explained previously in ." msgstr "" "Actualiser tous les logiciels à partir des paquets les plus récents " "disponibles sur security.debian.org comme décrit précédemment dans ." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:37 msgid "" "Implement the suggestions presented in this manual regarding user quotas, " "login definitions and lilo" msgstr "" "Appliquer les suggestions présentées dans ce manuel concernant les quotas " "par utilisateur, les définitions des connexions et lilo." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:39 msgid "Make a list of services currently running on your system. Try:" msgstr "" "Faire une liste de services actifs sur le système. Exécuter ceci :" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:43 #, no-wrap msgid "" " $ ps aux\n" " $ netstat -pn -l -A inet \n" " # /usr/sbin/lsof -i | grep LISTEN" msgstr "" " $ ps aux\n" " $ netstat -pn -l -A inet \n" " # /usr/sbin/lsof -i | grep LISTEN" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:50 msgid "" "You will need to install lsof-2.2 for the third command " "to work (run it as root). You should be aware that lsof can " "translate the word LISTEN to your locale settings." msgstr "" "Vous devrez installer lsof-2.2 pour que la troisième " "commande fonctionne (à exécuter en tant que superutilisateur). Vous devriez " "faire attention car lsof peut traduire le mot LISTEN en " "fonction des paramètres régionaux." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:56 msgid "" "In order to remove unnecessary services, first determine what package " "provides the service and how it is started. This can be accomplished by " "checking the program that listens in the socket. The following shell script, " "which uses the programs lsof and dpkg, does just " "that:" msgstr "" "Afin de retirer les services non nécessaires, déterminer avant tout les " "paquets fournissant ces services et la façon de les démarrer. Cette tâche " "peut être facilement réalisée en vérifiant le programme qui écoute la « " "socket », l'exemple suivant le montre en utilisant ces outils et " "dpkg :" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:67 #, no-wrap msgid "" "#!/bin/sh\n" "# FIXME: this is quick and dirty; replace with a more robust script snippet\n" "for i in `sudo lsof -i | grep LISTEN | cut -d \" \" -f 1 |sort -u` ; do\n" " pack=`dpkg -S $i |grep bin |cut -f 1 -d : | uniq`\n" " echo \"Service $i is installed by $pack\";\n" " init=`dpkg -L $pack |grep init.d/ `\n" " if [ ! -z \"$init\" ]; then\n" " echo \"and is run by $init\"\n" " fi\n" "done" msgstr "" "#!/bin/sh\n" "# FIXME : c'est du vite fait, mal fait ; à remplacer par un bout\n" "# de script plus robuste\n" "for i in `sudo lsof -i | grep LISTEN | cut -d \" \" -f 1 |sort -u` ; do\n" " pack=`dpkg -S $i |grep bin |cut -f 1 -d : | uniq`\n" " echo \"Le service $i est installé par $pack\";\n" " init=`dpkg -L $pack |grep init.d/ `\n" " if [ ! -z \"$init\" ]; then\n" " echo \"et démarré par $init\"\n" " fi\n" "done" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:74 msgid "" "Once you find any unwanted services, remove the associated package (with " "dpkg --purge), or disable the service from starting " "automatically at boot time using update-rc.d (see )." msgstr "" "Une fois les services indésirables trouvés, supprimer le paquet (avec " "dpkg --purge) ou utiliser update-rc.d (consultez " ") de façon à le retirer du système de démarrage." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:77 msgid "" "For inetd services (launched by the superdaemon), check which services are " "enabled in /etc/inetd.conf using:" msgstr "" "Pour les services inetd (démarrés par le superdémon), vérifier les services " "activés dans /etc/inetd.conf avec :" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:79 #, no-wrap msgid " $ grep -v \"^#\" /etc/inetd.conf | sort -u" msgstr " $ grep -v \"^#\" /etc/inetd.conf | sort -u" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:85 msgid "" "Then disable those services that are not needed by commenting out the line " "that includes them in /etc/inetd.conf, removing the package, or " "using update-inetd." msgstr "" "et désactiver ceux qui ne sont pas nécessaires en commentant la ligne qui " "les inclut dans /etc/inetd.conf, en supprimant le paquet ou en " "utilisant update-inetd." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:90 msgid "" "If you have wrapped services (those using /usr/sbin/tcpd), " "check that the files /etc/hosts.allow and /etc/hosts." "deny are configured according to your service policy." msgstr "" "Si des services sont « encapsulés » (« wrapped ») (ceux utilisant " "/usr/sbin/tcpd), vérifier que les fichiers /etc/hosts." "allow et /etc/hosts.deny sont configurés d'après les " "règles de services." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:96 msgid "" "If the server uses more than one external interface, depending on the " "service, you may want to limit the service to listen on a specific " "interface. For example, if you want internal FTP access only, make the FTP " "daemon listen only on your management interface, not on all interfaces (i.e, " "0.0.0.0:21)." msgstr "" "Si le serveur utilise plus d'une interface externe, vous pourriez limiter " "les services pour n'en écouter qu'une seule. Par exemple, pour un accès FTP " "interne, paramétrez le démon FTP pour n'écouter que sur l'interface désirée " "et non toutes les interfaces (c'est-à-dire 0.0.0.0:21)." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:99 msgid "" "Re-boot the machine, or switch to single user mode and then back to " "multiuser using the commands:" msgstr "" "Redémarrez la machine ou passez en mode utilisateur unique puis revenez en " "mode multiutilisateur avec :" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:103 #, no-wrap msgid "" " # init 1\n" " (....)\n" " # init 2" msgstr "" " # init 1\n" " (...)\n" " # init 2" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:108 msgid "" "Check the services now available, and, if necessary, repeat the steps above." msgstr "" "Vérifiez les services maintenant disponibles et, si nécessaire, " "répétez les étapes ci-dessus." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:111 msgid "" "Now install the needed services, if you have not done so already, and " "configure them properly." msgstr "" "Installez maintenant les services nécessaires si ce n'est pas encore fait et " "configurez-les correctement." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:114 msgid "" "Use the following shell command to determine what user each available " "service is running as:" msgstr "" "Utilisez la commande d'interpréteur suivante pour déterminer l'utilisateur " "utilisé pour exécuter chaque service disponible :" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:118 #, no-wrap msgid "" " # for i in `/usr/sbin/lsof -i |grep LISTEN |cut -d \" \" -f 1 |sort -u`; \\\n" " > do user=`ps ef |grep $i |grep -v grep |cut -f 1 -d \" \"` ; \\\n" " > echo \"Service $i is running as user $user\"; done" msgstr "" " # for i in `/usr/sbin/lsof -i |grep LISTEN |cut -d \" \" -f 1 |sort -u`;\\\n" " > do user=`ps ef |grep $i |grep -v grep |cut -f 1 -d \" \"` ;\\\n" " > echo \"Le service $i a été démarré en tant qu'utilisateur $user\"; done" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:131 msgid "" "Consider changing these services to a specific user/group and maybe " "chroot'ing them for increased security. You can do this by " "changing the /etc/init.d scripts which start the service. Most " "services in Debian use start-stop-daemon, which has options " "(--change-uid and --chroot) for accomplishing this. A word " "of warning regarding the chroot'ing of services: you may need " "to put all the files installed by the package (use dpkg -L) providing the " "service, as well as any packages it depends on, in the chroot'ed environment. Information about setting up a chroot " "environment for the ssh program can be found in ." msgstr "" "Pensez à modifier les utilisateur et groupe lançant ces services pour un " "couple utilisateur et groupe donné, et utilisez éventuellement chroot pour augmenter le niveau de sécurité. Vous pouvez procéder en " "changeant les scripts de démarrage de services de /etc/init.d. " "La plupart des services dans Debian utilisent start-stop-daemon " "qui propose des options (--change-uid et --chroot) pour " "faire cela. Un petit avertissement concernant l'utilisation de chroot pour des services est nécessaire : tous les fichiers installés " "par le paquet (consultez la sortie de dpkg -L) fournissant le service ainsi " "que les paquets dont il dépend peuvent être nécessaires dans l'environnement " "chroot. Des renseignements sur la mise en place d'un " "environnement chroot pour le programme ssh sont " "disponibles en ." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:135 msgid "" "Repeat the steps above in order to check that only desired services are " "running and that they are running as the desired user/group combination." msgstr "" "Répéter les étapes ci-dessus afin de vérifier que seuls les services désirés " "sont en cours d'exécution et qu'ils fonctionnent avec une combinaison " "utilisateur et groupe désirée." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:138 msgid "Test the installed services in order to see if they work as expected." msgstr "" "Tester les services installés afin de voir si leur fonctionnement est bien " "celui souhaité." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:143 msgid "" "Check the system using a vulnerability assessment scanner (like " "nessus), in order to determine vulnerabilities in the " "system (i.e., misconfiguration, old services or unneeded services)." msgstr "" "Vérifier le système en utilisant un scanner de vulnérabilités (comme " "nessus) de façon à déterminer les vulnérabilités du " "système (mauvaise configuration, services vieux ou non nécessaires)." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:146 msgid "" "Install network and host intrusion measures like snort " "and logcheck." msgstr "" "Mettre en place des mesures contre les intrusions de réseau et d'hôte comme " "snort et logcheck." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:149 msgid "" "Repeat the network scanner step and verify that the intrusion detection " "systems are working correctly." msgstr "" "Répéter l'étape du scanner de réseau et vérifier que le système de détection " "d'intrusion fonctionne correctement." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:153 msgid "For the truly paranoid, also consider the following:" msgstr "" "Pour les personnes vraiment paranoïaques, les considérations suivantes sont " "à envisager." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:159 msgid "" "Add firewalling capabilities to the system, accepting incoming connections " "only to offered services and limiting outgoing connections only to those " "that are authorized." msgstr "" "Ajouter au système des possibilités de pare-feu, acceptant les connexions " "entrantes uniquement pour les services définis et limitant les connexions " "sortantes à celles autorisées." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:162 msgid "" "Re-check the installation with a new vulnerability assessment using a " "network scanner." msgstr "" "Revérifier l'installation avec une nouvelle évaluation de vulnérabilité à " "l'aide d'un scanner de réseaux." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:166 msgid "" "Using a network scanner, check outbound connections from the system to an " "outside host and verify that unwanted connections do not find their way out." msgstr "" "Vérifier les connexions sortantes en utilisant un scanner de réseaux depuis " "le système jusqu'à un hôte à l'extérieur et vérifier que les connexions non " "voulues ne trouvent pas leur sortie." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:173 msgid "" "FIXME: this procedure considers service hardening but not system hardening " "at the user level, include information regarding checking user permissions, " "SETUID files and freezing changes in the system using the ext2 file system." msgstr "" "FIXME : Cette procédure considère le durcissement de service, mais pas le " "renforcement du système au niveau utilisateur, incluant des informations à " "propos de la vérification des droits d'utilisateurs, les fichiers setuid et " "le gel des changements dans le système en utilisant le système de fichiers " "ext2." #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:175 msgid "Configuration checklist" msgstr "Liste des contrôles de configuration" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:187 msgid "" "This appendix briefly reiterates points from other sections in this manual " "in a condensed checklist format. This is intended as a quick summary for " "someone who has already read the manual. There are other good checklists " "available, including Kurt Seifried's and ." msgstr "" "Cette annexe récapitule brièvement les points des autres sections de ce " "manuel sous une forme condensée de liste de contrôles. C'est un petit résumé " "pour ceux qui ont déjà lu le manuel. D'autres listes de contrôles sont " "disponibles, y compris la de Kurt Seifried et la ." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:189 msgid "" "FIXME: This is based on v1.4 of the manual and might need to be updated." msgstr "" "FIXME : C'est basé sur la version 1.4 du manuel et a peut-être besoin d'une " "mise à jour." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:190 msgid "Limit physical access and booting capabilities" msgstr "Limiter les accès physiques et les possibilités de démarrage." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:192 msgid "Enable a password in the BIOS." msgstr "Activer un mot de passe pour le BIOS." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:193 msgid "Disable floppy/cdrom/... booting in the system's BIOS." msgstr "" "Désactiver le démarrage depuis disquette, CD, etc. dans le BIOS du système." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:197 msgid "" "Set a LILO or GRUB password (/etc/lilo.conf or /boot/grub/" "menu.lst, respectively); check that the LILO or GRUB configuration " "file is read-protected." msgstr "" "Mettre un mot de passe à LILO ou GRUB (respectivement /etc/lilo.conf ou /boot/grub/menu.lst) ; vérifier que le fichier de " "configuration de LILO ou de GRUB est en lecture seule." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:200 msgid "Partitioning" msgstr "Partitionnement." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:205 msgid "" "Separate user-writable data, non-system data, and rapidly changing run-time " "data to their own partitions" msgstr "" "Séparer les données que les utilisateurs peuvent écrire, les données non " "système et les données d'exécution qui changent rapidement dans leurs " "propres partitions." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:210 msgid "" "Set nosuid,noexec,nodev mount options in /etc/fstab on " "ext2/3 partitions that should not hold binaries such as /home " "or /tmp." msgstr "" "Mettre les options de montage nosuid,noexec,nodev dans /etc/" "fstab pour les partitions ext2 ou ext3 qui ne devraient pas contenir de " "binaires, telles que /home ou /tmp." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:214 msgid "Password hygiene and login security" msgstr "Hygiène pour les mots de passe et la sécurité des connexions." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:216 msgid "Set a good root password" msgstr "Choisir un bon mot de passe pour le superutilisateur." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:217 msgid "Enable password shadowing and MD5" msgstr "Activer les mots de passe cachés et MD5." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:219 msgid "Install and use PAM" msgstr "Installer et utiliser PAM." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:229 msgid "" "Add MD5 support to PAM and make sure that (generally speaking) entries in " "/etc/pam.d/ files which grant access to the machine have the " "second field in the pam.d file set to requisite or required." msgstr "" "Ajouter la prise en charge de MD5 à PAM et s'assurer (de manière générale) " "que les entrées dans les fichiers /etc/pam.d/ qui autorisent " "l'accès à la machine ont un second champ dans le fichier pam.d positionné à " "requisite ou required." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:232 msgid "" "Tweak /etc/pam.d/login so as to only permit local root logins." msgstr "" "Modifier /etc/pam.d/login pour que le superutilisateur ne " "puisse se connecter que localement." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:237 msgid "" "Also mark authorized tty:s in /etc/security/access.conf and " "generally set up this file to limit root logins as much as possible." msgstr "" "Indiquer également les consoles (ttys) autorisées dans /etc/" "security/access.conf et configurer généralement ce fichier pour " "limiter au maximum les connexions du superutilisateur." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:240 msgid "Add pam_limits.so if you want to set per-user limits" msgstr "Ajouter pam_limits.so pour définir des limites par utilisateur." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:244 msgid "" "Tweak /etc/pam.d/passwd: set minimum length of passwords higher " "(6 characters maybe) and enable MD5" msgstr "" "Modifier /etc/pam.d/passwd : augmenter la taille minimale " "du mot de passe (6 caractères par exemple) et activer MD5." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:248 msgid "" "Add group wheel to /etc/group if desired; add pam_wheel.so " "group=wheel entry to /etc/pam.d/su" msgstr "" "Ajouter éventuellement le groupe wheel à /etc/group ; ajouter " "l'entrée pam_wheel.so group=wheel au fichier /etc/pam.d/su." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:251 msgid "" "For custom per-user controls, use pam_listfile.so entries where appropriate" msgstr "" "Pour les contrôles personnalisés par utilisateur, utiliser les entrées " "appropriées de pam_listfile.so." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:254 msgid "" "Have an /etc/pam.d/other file and set it up with tight security" msgstr "" "Avoir un fichier /etc/pam.d/other et mettre en place une " "sécurité resserrée." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:260 msgid "" "Set up limits in /etc/security/limits.conf (note that /" "etc/limits is not used if you are using PAM)" msgstr "" "Définir des limites dans /etc/security/limits.conf (remarquez " "que /etc/limits n'est pas utilisé si vous utilisez PAM)." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:264 msgid "" "Tighten up /etc/login.defs; also, if you enabled MD5 and/or " "PAM, make sure you make the corresponding changes here, too" msgstr "" "Resserrer /etc/login.defs ; de même, si vous activez MD5 " "ou PAM, assurez-vous de faire également les modifications dans ce fichier." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:266 msgid "Disable root ftp access in /etc/ftpusers" msgstr "" "Désactiver l'accès FTP au superutilisateur dans le fichier /etc/" "ftpusers." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:271 msgid "" "Disable network root login; use or " ". (consider installing sudo)" msgstr "" "Désactiver la connexion réseau du superutilisateur ; utiliser ou " "(considérer l'installation du paquet sudo)." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:273 msgid "Use PAM to enforce additional constraints on logins?" msgstr "" "Utiliser PAM pour imposer des contraintes supplémentaires sur les " "connexions ?" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:276 msgid "Other local security issues" msgstr "Autres problèmes locaux de sécurité." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:280 msgid "Kernel tweaks (see )" msgstr "Modifications du noyau (consultez )." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:283 msgid "Kernel patches (see )" msgstr "Correctifs du noyau (consultez )." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:286 msgid "" "Tighten up log file permissions (/var/log/{last,fail}log, " "Apache logs)" msgstr "" "Resserrer les permissions sur les fichiers journaux (/var/log/{last," "fail}log, journaux d'Apache)." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:289 msgid "" "Verify that SETUID checking is enabled in /etc/checksecurity.conf" msgstr "" "Vérifier que la vérification de setuid est activée dans /etc/" "checksecurity.conf." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:293 msgid "" "Consider making some log files append-only and configuration files immutable " "using chattr (ext2/3 file systems only)" msgstr "" "Penser à créer des fichiers journaux avec uniquement le droit d'ajout et des " "fichiers de configuration invariants en utilisant chattr (systèmes de " "fichiers ext2 ou ext3 uniquement)." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:297 msgid "" "Set up file integrity (see ). Install " "debsums" msgstr "" "Mettre en place une vérification d'intégrité des fichiers (consultez ). Installer debsums." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:299 msgid "Log everything to a local printer?" msgstr "" "Impression de tous les fichiers journaux sur une imprimante locale ?" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:302 msgid "Burn your configuration on a boot-able CD and boot off that?" msgstr "Graver la configuration sur un CD amorçable et démarrer dessus ?" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:304 msgid "Disable kernel modules?" msgstr "Désactiver les modules pour le noyau ?" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:307 msgid "Limit network access" msgstr "Restreindre les accès réseaux." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:314 msgid "" "Install and configure ssh (suggest PermitRootLogin No in /" "etc/ssh/sshd_config, PermitEmptyPasswords No; note other suggestions " "in text also)" msgstr "" "Installer et configurer ssh (considérer « PermitRootLogin No » " "dans /etc/ssh et « PermitEmptyPasswords No » ; d'autres " "suggestions sont également dans le texte)." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:316 msgid "Disable or remove in.telnetd, if installed" msgstr "Désactiver ou supprimer in.telnetd s'il est installé." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:321 msgid "" "Generally, disable gratuitous services in /etc/inetd.conf using " "update-inetd --disable (or disable inetd " "altogether, or use a replacement such as xinetd or " "rlinetd)" msgstr "" "Généralement, désactiver les services inutiles dans le fichier /etc/" "inetd.conf en utilisant update-inetd --disable (ou " "désactiver inetd complètement, ou utiliser une solution de rechange comme " "xinetd ou rlinetd)." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:327 msgid "" "Disable other gratuitous network services; ftp, DNS, WWW etc should not be " "running if you do not need them and monitor them regularly. In most cases " "mail should be running but configured for local delivery only." msgstr "" "Désactiver les autres services inutiles ; FTP, DNS, HTTP, etc. ne " "devraient pas être démarrés si vous n'en avez pas besoin et être surveillés " "régulièrement sinon. Dans la plupart des cas, les courriers électroniques " "devraient être fonctionnels, mais configurés uniquement pour la livraison " "locale." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:333 msgid "" "For those services which you do need, do not just use the most common " "programs, look for more secure versions shipped with Debian (or from other " "sources). Whatever you end up running, make sure you understand the risks." msgstr "" "Pour les services nécessaires, n'utilisez pas simplement les programmes " "usuels, recherchez des versions plus sécurisées disponibles dans Debian (ou " "depuis tout autre source). Peu importe celle choisie, assurez-vous de bien " "comprendre les risques induits." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:336 msgid "Set up chroot jails for outside users and daemons." msgstr "" "Mettre en place des prisons chroot pour les utilisateurs et " "démons extérieurs." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:340 msgid "" "Configure firewall and tcpwrappers (i.e. ); note trick for /etc/hosts.deny in text." msgstr "" "Configurer un pare-feu et l'encapsulation TCP (consulter ) ; considérer l'astuce pour /etc/" "hosts.deny dans le texte." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:343 msgid "" "If you run ftp, set up your ftpd server to always run chroot'ed " "to the user's home directory" msgstr "" "Si FTP est disponible, mettre en place un serveur FTP qui sera toujours " "démarré dans un environnement chroot dans le répertoire " "personnel de l'utilisateur." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:350 msgid "" "If you run X, disable xhost authentication and go with ssh " "instead; better yet, disable remote X if you can (add -nolisten tcp to the X " "command line and turn off XDMCP in /etc/X11/xdm/xdm-config by " "setting the requestPort to 0)" msgstr "" "Si X est disponible, désactiver l'authentification xhost et utiliser plutôt " "ssh ; de façon encore plus sécurisée, désactiver X à " "distance si possible (ajouter -nolisten tcp à la ligne de commande de X et " "désactiver XDMCP dans le fichier /etc/X11/xdm/xdm-config en " "affectant la valeur 0 à requestPort)." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:352 msgid "Disable remote access to printers" msgstr "Désactiver l'accès distant aux imprimantes." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:356 msgid "" "Tunnel any IMAP or POP sessions through SSL or ssh; install " "stunnel if you want to provide this service to remote mail users" msgstr "" "Chiffrer toute session IMAP ou POP par SSL ou ssh ; " "installer éventuellement stunnel pour fournir ce service aux utilisateurs de " "courrier à distance." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:359 msgid "" "Set up a log host and configure other machines to send logs to this host " "(/etc/syslog.conf)" msgstr "" "Mettre en place un hôte de journaux et configurer les autres machines pour " "qu'elles envoient les journaux à cet hôte (/etc/syslog.conf)." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:362 msgid "" "Secure BIND, Sendmail, and other complex daemons (run in a chroot jail; run as a non-root pseudo-user)" msgstr "" "Sécuriser BIND, Sendmail et tout autre démon complexe (exécuter dans une " "prison chroot ; exécuter en tant que pseudo-utilisateur non " "superutilisateur)." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:363 msgid "Install tiger or a similar network intrusion detection tool." msgstr "Installer tiger ou un outil similaire de détection d'intrusion réseau." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:364 msgid "Install snort or a similar network intrusion detection tool." msgstr "Installer snort ou un outil similaire de détection d'intrusion réseau." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:366 msgid "Do without NIS and RPC if you can (disable portmap)." msgstr "Faire sans NIS et RPC si possible (désactiver portmap)." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:369 msgid "Policy issues" msgstr "Problèmes de règlement." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:377 msgid "" "Educate users about the whys and hows of your policies. When you have " "prohibited something which is regularly available on other systems, provide " "documentation which explains how to accomplish similar results using other, " "more secure means." msgstr "" "Expliquer aux utilisateurs les tenants et aboutissants des règles. Lorsque " "vous interdisez quelque chose habituellement disponible sur d'autres " "systèmes, fournissez-leur une documentation qui explique comment arriver aux " "mêmes résultats de façon plus sécurisée." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:381 msgid "" "Prohibit use of protocols which use clear-text passwords (telnet, rsh and friends; ftp, imap, http, ...)." msgstr "" "Interdire l'utilisation de protocoles qui utilisent des mots de passe en " "clair (telnet, rsh et similaire ; FTP, IMAP, " "HTTP, etc.)" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:383 msgid "Prohibit programs which use SVGAlib." msgstr "Interdire les programmes qui utilisent la SVGAlib." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:385 msgid "Use disk quotas." msgstr "Utiliser les quotas de disque." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:388 msgid "Keep informed about security issues" msgstr "Rester informé des problèmes de sécurité." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:392 msgid "Subscribe to security mailing lists" msgstr "S'abonner aux listes de discussions liées à la sécurité." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:397 msgid "" "Configure apt for security updates -- add to /etc/" "apt/sources.list an entry (or entries) for http://security.debian.org/" msgstr "" "Configurer apt pour les mises à jour de sécurité — " "ajouter une entrée (ou plusieurs entrées) à /etc/apt/sources.list pour http://security.debian.org/." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:402 msgid "" "Also remember to periodically run apt-get update ; apt-get upgrade (perhaps install as a cron job?) as explained in ." msgstr "" "Se rappeler périodiquement d'exécuter apt-get update ; apt-get " "upgrade (mettre en place peut-être une tâche cron ?) comme expliqué dans ." #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:409 msgid "Setting up a stand-alone IDS" msgstr "Paramétrage d'un IDS autonome" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:413 msgid "" "You can easily set up a dedicated Debian system as a stand-alone Intrusion " "Detection System using snort and a web-based interface to " "analyse the intrusion detection alerts:" msgstr "" "Un système Debian autonome peut être facilement configuré en tant que " "système de détection d'intrusion (IDS) avec snort et une " "interface web pour analyser les alertes de détection d'intrusion :" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:417 msgid "Install a base Debian system and select no additional packages." msgstr "" "installer un système de base Debian sans sélectionner de paquets " "supplémentaires ;" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:420 msgid "" "Install one of the Snort versions with database support and configure the " "IDS to log alerts into the database." msgstr "" "installer une version de Snort avec prise en charge de base de données et " "configurer l'IDS pour journaliser les alertes dans la base de données ;" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:424 msgid "" "Download and install BASE (Basic Analysis and Security Engine), or ACID " "(Analysis Console for Intrusion Databases). Configure it to use the same " "database than Snort." msgstr "" "télécharger et installer BASE (Basic Analysis and Security Engine) ou ACID " "(Analysis Console for Intrusion Databases). Le configurer pour utiliser la " "même base de données que Snort ;" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:427 msgid "" "Download and install the necessary packages

Typically the needed " "packages will be installed through the dependencies

." msgstr "" "télécharger et installer les paquets nécessaires

Typiquement les " "paquets nécessaires seront installés par l'intermédiaire des dépendances.." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:439 msgid "" "BASE is currently packaged for Debian in acidbase and " "ACID is packaged as acidlab

It can also be " "downloaded from , or .

. Both provide a graphical WWW interface to Snort's " "output." msgstr "" "BASE est actuellement empaqueté pour Debian dans acidbase " "et ACID est empaqueté sous le nom d'acidlab

Il est aussi disponible au téléchargement depuis , et .

. Les deux paquets fournissent une interface web graphique à la " "sortie de Snort." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:445 msgid "" "Besides the base installation you will also need a web server (such as " "apache), a PHP interpreter and a relational " "database (such postgresql or mysql) " "where Snort will store its alerts." msgstr "" "À part l'installation de base, vous aurez aussi besoin d'un serveur web " "(comme apache), un interpréteur PHP et une " "base de données relationnelle (comme postgresql ou " "mysql) où Snort enregistrera ses alertes." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:451 msgid "" "This system should be set up with at least two interfaces: one interface " "connected to a management LAN (for accessing the results and maintaining the " "system), and one interface with no IP address attached to the network " "segment being analyzed. You should configure the web server to listen only " "on the interface connected to the management LAN." msgstr "" "Le système devrait être mis en place avec au moins deux interfaces : " "l'une connectée à un réseau de gestion (pour accéder aux résultats et " "maintenir le système), l'autre sans adresse IP liée au secteur du réseau à " "analyser. Le serveur web devrait être configuré pour n'écouter que sur " "l'interface connectée au réseau de gestion." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:457 msgid "" "You should configure both interfaces in the standard Debian /etc/" "network/interfaces configuration file. One (the management LAN) " "address can be configured as you would normally do. The other interface " "needs to be configured so that it is started up when the system boots, but " "with no interface address. You can use the following interface definition:" msgstr "" "Les deux interfaces devraient être configurées dans le fichier de " "configuration standard Debian /etc/network/interfaces. Une " "adresse (sur le réseau de gestion) peut être configurée normalement. L'autre " "interface doit être configurée pour être démarrée lorsque le système " "démarre, mais sans adresse d'interface. La définition d'interface suivante " "peut être utilisée :" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:464 #, no-wrap msgid "" "auto eth0\n" "iface eth0 inet manual\n" " up ifconfig $IFACE 0.0.0.0 up\n" " up ip link set $IFACE promisc on\n" " down ip link set $IFACE promisc off\n" " down ifconfig $IFACE down" msgstr "" "auto eth0\n" "iface eth0 inet manual\n" " up ifconfig $IFACE 0.0.0.0 up\n" " up ip link set $IFACE promisc on\n" " down ip link set $IFACE promisc off\n" " down ifconfig $IFACE down" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:475 msgid "" "The above configures an interface to read all the traffic on the network in " "a stealth-type configuration. This prevents the NIDS system to be a " "direct target in a hostile network since the sensors have no IP address on " "the network. Notice, however, that there have been known bugs over time in " "sensors part of NIDS (for example see related to Snort) and remote " "buffer overflows might even be triggered by network packet processing." msgstr "" "Ce qui précède configure une interface pour lire tout le trafic du réseau " "dans une configuration dissimulée (stealth). Cela empêche " "le système NIDS d'être une cible directe dans un réseau hostile car les " "détecteurs n'ont pas d'adresse IP sur ce réseau. Remarquez cependant que " "certains bogues ont existé sur la partie détecteurs de NIDS (consultez par " "exemple sur Snort) et des dépassements de tampon distants pourraient " "même être déclenchés par le traitement de paquet réseau." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:480 msgid "" "You might also want to read the and the " "documentation available at the ." msgstr "" "Vous pouvez aussi consulter le " "et la documentation disponible sur le ." #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:482 msgid "Setting up a bridge firewall" msgstr "Configuration d'un pare-feu pont" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:518 msgid "" "This information was contributed by Francois Bayart in order to help users " "set up a Linux bridge/firewall with the 2.4.x kernel and iptables. Kernel patches are no more needed as the code was made standard " "part of the Linux kernel distribution." msgstr "" "Ces informations sont fournies par Francois Bayart pour aider les " "utilisateurs à mettre en place un pare-feu pont avec le noyau 2.4.x et " "iptables. Des correctifs de noyau ne sont plus " "nécessaires car le code est maintenant une partie standard de la " "distribution du noyau Linux." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:522 msgid "" "To configure the kernel with necessary support, run make menuconfig " "or make xconfig. In the section Networking options, enable " "the following options:" msgstr "" "Pour configurer le noyau avec la prise en charge nécessaire, exécutez " "make menuconfig ou make xconfig. Dans la section " "Networking options, activez les options suivantes :" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:527 #, no-wrap msgid "" "[*] Network packet filtering (replaces ipchains)\n" "[ ] Network packet filtering debugging (NEW)\n" "<*> 802.1d Ethernet Bridging\n" "[*] netfilter (firewalling) support (NEW)" msgstr "" "[*] Network packet filtering (replaces ipchains)\n" "[ ] Network packet filtering debugging (NEW)\n" "<*> 802.1d Ethernet Bridging\n" "[*] netfilter (firewalling) support (NEW)" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:532 msgid "" "Caution: you must disable this if you want to apply some firewalling rules " "or else iptables will not work:" msgstr "" "Avertissement : vous devez désactiver ceci si vous voulez appliquer des " "règles de pare-feu ou sinon iptables ne fonctionnera pas :" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:534 #, no-wrap msgid "[ ] Network packet filtering debugging (NEW)" msgstr "[ ] Network packet filtering debugging (NEW)" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:544 msgid "" "Next, add the correct options in the section IP: Netfilter " "Configuration. Then, compile and install the kernel. If you want to do " "it the Debian way, install kernel-package and " "run make-kpkg to create a custom Debian kernel package you can " "install on your server using dpkg. Once the new kernel is compiled and " "installed, install the bridge-utils package." msgstr "" "Ensuite, ajoutez les options correctes dans la section IP: Netfilter " "Configuration. Puis, compilez et installez le noyau. Si vous désirez le " "faire à la sauce Debian, installez kernel-package et exécutez make-kpkg pour créer un paquet noyau " "personnalisé Debian à installer sur le serveur en utilisant dpkg. Une fois " "le nouveau noyau compilé et installé, installez le paquet bridge-" "utils." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:549 msgid "" "Once these steps are complete, you can complete the configuration of your " "bridge. The next section presents two different possible configurations for " "the bridge, each with a hypothetical network map and the necessary commands." msgstr "" "Une fois ces étapes achevées, vous pouvez terminer la configuration du pont. " "La section suivante présente deux configurations différentes possibles pour " "le pont, chacune avec une carte réseau hypothétique et les commandes " "nécessaires." #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:551 msgid "A bridge providing NAT and firewall capabilities" msgstr "" "Un pont fournissant des fonctionnalités de traduction d'adresse (NAT) et de " "pare-feu" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:555 msgid "" "The first configuration uses the bridge as a firewall with network address " "translation (NAT) that protects a server and internal LAN clients. A diagram " "of the network configuration is shown below:" msgstr "" "La première configuration utilise le pont comme un pare-feu avec traduction " "d'adresse réseau (NAT) qui protège un serveur et les clients du réseau " "interne. Voici ci-dessous un diagramme de la configuration du réseau :" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:563 #, no-wrap msgid "" "Internet ---- router ( 62.3.3.25 ) ---- bridge (62.3.3.26 gw 62.3.3.25 / 192.168.0.1)\n" " |\n" " |\n" " |---- WWW Server (62.3.3.27 gw 62.3.3.25)\n" " |\n" " |\n" " LAN --- Zipowz (192.168.0.2 gw 192.168.0.1)" msgstr "" "Internet ---- routeur ---- pont\n" " (62.3.3.25) (62.3.3.26 gw 62.3.3.25 / 192.168.0.1)\n" " |\n" " |\n" " |---- serveur web\n" " | (62.3.3.27 gw 62.3.3.25)\n" " |\n" " réseau ---- Zipowz\n" " (192.168.0.2 gw 192.168.0.1)" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:567 en/appendix.sgml:609 msgid "The following commands show how this bridge can be configured." msgstr "Les commandes suivantes présentent une façon de configurer ce pont." #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:590 #, no-wrap msgid "" "# Create the interface br0\n" "/usr/sbin/brctl addbr br0\n" "\n" "# Add the Ethernet interface to use with the bridge\n" "/usr/sbin/brctl addif br0 eth0\n" "/usr/sbin/brctl addif br0 eth1\n" "\n" "# Start up the Ethernet interface\n" "/sbin/ifconfig eth0 0.0.0.0\n" "/sbin/ifconfig eth1 0.0.0.0\n" "\n" "# Configure the bridge ethernet\n" "# The bridge will be correct and invisible ( transparent firewall ).\n" "# It's hidden in a traceroute and you keep your real gateway on the \n" "# other computers. Now if you want you can config a gateway on your \n" "# bridge and choose it as your new gateway for the other computers.\n" "\n" "/sbin/ifconfig br0 62.3.3.26 netmask 255.255.255.248 broadcast 62.3.3.31\n" "\n" "# I have added this internal IP to create my NAT \n" "ip addr add 192.168.0.1/24 dev br0\n" "/sbin/route add default gw 62.3.3.25" msgstr "" "# Créer l'interface br0\n" "/usr/sbin/brctl addbr br0\n" "\n" "# Ajouter l'interface Ethernet à utiliser avec le pont\n" "/usr/sbin/brctl addif br0 eth0\n" "/usr/sbin/brctl addif br0 eth1\n" "\n" "# Activer l'interface Ethernet\n" "/sbin/ifconfig eth0 0.0.0.0\n" "/sbin/ifconfig eth1 0.0.0.0\n" "\n" "# Configurer le pont Ethernet\n" "# Le pont sera correct et invisible (pare-feu transparent).\n" "# Il est invisible à traceroute et la passerelle réelle est\n" "# conservée sur les autres machines. 
La passerelle pourrait aussi\n" "# être configurée sur le pont et être choisie comme nouvelle\n" "# passerelle pour les autres machines.\n" "\n" "/sbin/ifconfig br0 62.3.3.26 netmask 255.255.255.248 broadcast 62.3.3.31\n" "\n" "# Cette IP interne est ajoutée pour créer la traduction d'adresse\n" "ip addr add 192.168.0.1/24 dev br0\n" "/sbin/route add default gw 62.3.3.25" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:594 msgid "A bridge providing firewall capabilities" msgstr "Un pont fournissant des fonctionnalités de pare-feu" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:597 msgid "" "A second possible configuration is a system that is set up as a transparent " "firewall for a LAN with a public IP address space." msgstr "" "Une seconde possibilité est un système mis en place comme un pare-feu " "transparent pour un réseau avec un espace d'adresses IP publiques." #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:605 #, no-wrap msgid "" "Internet ---- router (62.3.3.25) ---- bridge (62.3.3.26)\n" " |\n" " |\n" " |---- WWW Server (62.3.3.28 gw 62.3.3.25)\n" " |\n" " |\n" " |---- Mail Server (62.3.3.27 gw 62.3.3.25)" msgstr "" "Internet ---- routeur ---- pont\n" " (62.3.3.25) (62.3.3.26)\n" " |\n" " |\n" " |---- serveur web\n" " | (62.3.3.28 gw 62.3.3.25)\n" " |\n" " |---- serveur de courriers\n" " (62.3.3.27 gw 62.3.3.25)" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:628 #, no-wrap msgid "" "# Create the interface br0\n" "/usr/sbin/brctl addbr br0\n" "\n" "# Add the Ethernet interface to use with the bridge\n" "/usr/sbin/brctl addif br0 eth0\n" "/usr/sbin/brctl addif br0 eth1\n" "\n" "# Start up the Ethernet interface\n" "/sbin/ifconfig eth0 0.0.0.0\n" "/sbin/ifconfig eth1 0.0.0.0\n" "\n" "# Configure the bridge Ethernet\n" "# The bridge will be correct and invisible ( transparent firewall ).\n" "# It's hidden in a traceroute and you keep your real gateway on the \n" "# other computers. 
Now if you want you can config a gateway on your\n" "# bridge and choose it as your new gateway for the other computers.\n" "\n" "/sbin/ifconfig br0 62.3.3.26 netmask 255.255.255.248 broadcast 62.3.3.31" msgstr "" "# Créer l'interface br0\n" "/usr/sbin/brctl addbr br0\n" "\n" "# Ajouter l'interface Ethernet à utiliser avec le pont\n" "/usr/sbin/brctl addif br0 eth0\n" "/usr/sbin/brctl addif br0 eth1\n" "\n" "# Activer l'interface Ethernet\n" "/sbin/ifconfig eth0 0.0.0.0\n" "/sbin/ifconfig eth1 0.0.0.0\n" "\n" "# Configurer le pont Ethernet\n" "# Le pont sera correct et invisible (pare-feu transparent).\n" "# Il est invisible à traceroute et la passerelle réelle est\n" "# conservée sur les autres machines. La passerelle pourrait aussi\n" "# être configurée sur le pont et être choisie comme nouvelle\n" "# passerelle pour les autres machines.\n" "\n" "/sbin/ifconfig br0 62.3.3.26 netmask 255.255.255.248 broadcast 62.3.3.31" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:634 msgid "" "If you traceroute the Linux Mail Server, you won't see the bridge. If you " "want access to the bridge with ssh, you must have a gateway or " "you must first connect to another server, such as the \"Mail Server\", and " "then connect to the bridge through the internal network card." msgstr "" "Si vous exécutez un traceroute vers le serveur de courriers Linux, vous ne " "verrez pas le pont. Si vous voulez accéder au pont avec ssh, " "vous devez utiliser une passerelle ou d'abord vous connecter sur un autre " "serveur comme le « serveur de courriers », puis ensuite vous " "connecter sur le pont par la carte réseau interne." #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:638 msgid "Basic IPtables rules" msgstr "Règles de base d'iptables" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:641 msgid "" "This is an example of the basic rules that could be used for either of these " "setups." msgstr "" "Voici un exemple des règles de base qui pourraient être utilisées pour l'une " "ou l'autre des configurations." #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:678 #, no-wrap msgid "" "iptables -F FORWARD\n" "iptables -P FORWARD DROP\n" "iptables -A FORWARD -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -m state --state INVALID -j DROP\n" "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n" "\n" "# Some funny rules but not in a classic Iptables sorry ...\n" "# Limit ICMP \n" "# iptables -A FORWARD -p icmp -m limit --limit 4/s -j ACCEPT\n" "# Match string, a good simple method to block some VIRUS very quickly\n" "# iptables -I FORWARD -j DROP -p tcp -s 0.0.0.0/0 -m string --string \"cmd.exe\"\n" "\n" "# Block all MySQL connection just to be sure\n" "iptables -A FORWARD -p tcp -s 0/0 -d 62.3.3.0/24 --dport 3306 -j DROP\n" "\n" "# Linux Mail Server Rules\n" "\n" "# Allow FTP-DATA (20), FTP (21), SSH (22) \n" "iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.27/32 --dport 20:22 -j ACCEPT\n" "\n" "# Allow the Mail Server to connect to the outside\n" "# Note: This is *not* needed for the previous connections \n" "# (remember: stateful filtering) and could be removed.\n" "iptables -A FORWARD -p tcp -s 62.3.3.27/32 -d 0/0 -j ACCEPT\n" "\n" "# WWW Server Rules\n" "\n" "# Allow HTTP ( 80 ) connections with the WWW server\n" "iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.28/32 --dport 80 -j ACCEPT\n" "\n" "# Allow HTTPS ( 443 ) connections with the WWW server\n" "iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.28/32 --dport 443 -j ACCEPT\n" "\n" "# Allow the WWW server to go out\n" "# Note: This is *not* needed for the previous connections \n" "# (remember: stateful filtering) and could be removed.\n" "iptables -A FORWARD -p tcp -s 62.3.3.28/32 -d 0/0 -j ACCEPT" msgstr "" "iptables 
-F FORWARD\n" "iptables -P FORWARD DROP\n" "iptables -A FORWARD -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -m state \\\n" " --state INVALID -j DROP\n" "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n" "\n" "# Quelques règles amusantes, mais pas pour un iptables classique,\n" "# désolé...\n" "# Limite ICMP \n" "# iptables -A FORWARD -p icmp -m limit --limit 4/s -j ACCEPT\n" "# Correspond à une chaîne de caractères, une bonne méthode simple pour\n" "# bloquer certains VIRUS très rapidement\n" "# iptables -I FORWARD -j DROP -p tcp -s 0.0.0.0/0 -m string \\\n" " --string \"cmd.exe\"\n" "\n" "# Bloquer toutes les connexions MySQL simplement pour être sûr\n" "iptables -A FORWARD -p tcp -s 0/0 -d 62.3.3.0/24 --dport 3306 -j DROP\n" "\n" "# Règles du serveur de courriers Linux\n" "\n" "# Autoriser FTP-DATA (20), FTP (21), SSH (22)\n" "iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.27/32 --dport 20:22 \\\n" " -j ACCEPT\n" "\n" "# Autoriser le serveur de courriers à se connecter à l'extérieur\n" "# Remarque : ce n'est *pas* nécessaire pour les connexions précédentes\n" "# (rappel : filtrage à état) et peut être supprimé.\n" "iptables -A FORWARD -p tcp -s 62.3.3.27/32 -d 0/0 -j ACCEPT\n" "\n" "# Règles pour le serveur WWW\n" "\n" "# Autoriser les connexions HTTP (80) avec le serveur web\n" "iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.28/32 --dport 80 \\\n" " -j ACCEPT\n" "\n" "# Autoriser les connexions HTTPS (443) avec le serveur web\n" "iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.28/32 --dport 443 \\\n" " -j ACCEPT\n" "\n" "# Autoriser les connexions sortantes du serveur web\n" "# Remarque : ce n'est *pas* nécessaire pour les connexions précédentes\n" "# (rappel : filtrage à état) et peut être supprimé.\n" "iptables -A FORWARD -p tcp -s 62.3.3.28/32 -d 0/0 -j ACCEPT" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:682 msgid "Sample script to change the default Bind installation." 
msgstr "Exemple de script pour changer l'installation par défaut de BIND" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:691 msgid "" "This script automates the procedure for changing the bind " "version 8 name server's default installation so that it does not " "run as the superuser. Notice that bind version 9 in Debian " "already does this by default

Since version 9.2.1-5. That is, " "since Debian release sarge.

, and you are much " "better using that version than bind version 8." msgstr "" "Ce script automatise la procédure de modification d'installation par défaut " "du serveur de noms bind version 8 pour qu'il ne fonctionne " "pas en tant que superutilisateur. Remarquez que bind " "version 9 dans Debian fait déjà cela par défaut

Depuis la " "version 9.2.1-5. C'est-à-dire depuis Debian Sarge.

, " "et que vous devriez plutôt l'utiliser que bind version 8." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:698 msgid "" "This script is here for historical purposes and to show how you can automate " "this kind of changes system-wide. The script will create the user and groups " "defined for the name server and will modify both /etc/default/bind and /etc/init.d/bind so that the program will run with " "that user. Use with extreme care since it has not been tested thoroughly." msgstr "" "Ce script est laissé pour des raisons historiques et montre comment " "automatiser ce type de modifications globales du système. Le script créera " "les utilisateur et groupe définis pour le serveur de noms et modifiera à la " "fois /etc/default/bind et /etc/init.d/bind pour " "que le programme soit exécuté en tant que cet utilisateur. Utilisez-le avec " "la plus grande attention car il n'a pas été testé rigoureusement." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:703 msgid "" "You can also create the users manually and use the patch available for the " "default init.d script attached to ." msgstr "" "Vous pouvez aussi créer l'utilisateur vous-même et utiliser le correctif " "disponible pour le script d'initialisation par défaut attaché au ." #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:848 #, no-wrap msgid "" " #!/bin/sh\n" " # Change the default Debian bind v8 configuration to have it run\n" " # with a non-root user and group.\n" " # \n" " # DO NOT USER this with version 9, use debconf for configure this instead\n" " #\n" " # WARN: This script has not been tested thoroughly, please\n" " # verify the changes made to the INITD script\n" "\n" " # (c) 2002 Javier Fernández-Sanguino Peña\n" " #\n" " # This program is free software; you can redistribute it and/or modify\n" " # it under the terms of the GNU General Public License as published by\n" " # the Free Software Foundation; either version 1, or (at your option)\n" " # any later version.\n" " #\n" " # This program is distributed in the hope that it will be useful,\n" " # but WITHOUT ANY WARRANTY; without even the implied warranty of\n" " # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n" " # GNU General Public License for more details.\n" " #\n" " # Please see the file `COPYING' for the complete copyright notice.\n" " #\n" "\n" " restore() {\n" " # Just in case, restore the system if the changes fail\n" " echo \"WARN: Restoring to the previous setup since I'm unable to properly change it.\"\n" " echo \"WARN: Please check the $INITDERR script.\"\n" " mv $INITD $INITDERR\n" " cp $INITDBAK $INITD\n" " }\n" "\n" "\n" " USER=named\n" " GROUP=named\n" " INITD=/etc/init.d/bind\n" " DEFAULT=/etc/default/bind\n" " INITDBAK=$INITD.preuserchange\n" " INITDERR=$INITD.changeerror\n" " AWKS=\"awk ' /\\/usr\\/sbin\\/ndc reload/ { print \\\"stop; sleep 2; start;\\\"; noprint = 1; } /\\\\\\\\$/ { if ( noprint != 0 ) { noprint = noprint + 1;} } /^.*$/ { if ( noprint != 0 ) { noprint = noprint - 1; } else { print \\$0; } } '\"\n" "\n" " [ `id -u` -ne 0 ] && {\n" " echo \"This program must be run by the root user\"\n" " exit 1\n" " }\n" "\n" " RUNUSER=`ps eo user,fname |grep named |cut -f 1 -d \" \"`\n" "\n" " if [ \"$RUNUSER\" = \"$USER\" ] \n" " then\n" " echo \"WARN: The name server running daemon is already running as $USER\"\n" " echo \"ERR: This script will not do any changes to your setup.\"\n" " exit 1\n" " fi\n" " if [ ! 
-f \"$INITD\" ]\n" " then\n" " echo \"ERR: This system does not have $INITD (which this script tries to change)\"\n" " RUNNING=`ps eo fname |grep named`\n" " [ -z \"$RUNNING\" ] && \\\n" " echo \"ERR: In fact the name server daemon is not even running (is it installed?)\"\n" " echo \"ERR: No changes will be made to your system\"\n" " exit 1\n" " fi\n" "\n" " # Check if there are options already setup \n" " if [ -e \"$DEFAULT\" ]\n" " then\n" " if grep -q ^OPTIONS $DEFAULT; then\n" " echo \"ERR: The $DEFAULT file already has options set.\"\n" " echo \"ERR: No changes will be made to your system\"\n" " fi\n" " fi\n" "\n" " # Check if named group exists\n" " if [ -z \"`grep $GROUP /etc/group`\" ] \n" " then\n" " echo \"Creating group $GROUP:\"\n" " addgroup $GROUP\n" " else\n" " echo \"WARN: Group $GROUP already exists. Will not create it\"\n" " fi\n" " # Same for the user\n" " if [ -z \"`grep $USER /etc/passwd`\" ] \n" " then\n" " echo \"Creating user $USER:\"\n" " adduser --system --home /home/$USER \\\n" " --no-create-home --ingroup $GROUP \\\n" " --disabled-password --disabled-login $USER\n" " else\n" " echo \"WARN: The user $USER already exists. Will not create it\"\n" " fi\n" "\n" " # Change the init.d script\n" "\n" " # First make a backup (check that there is not already\n" " # one there first)\n" " if [ ! -f $INITDBAK ] \n" " then\n" " cp $INITD $INITDBAK\n" " fi\n" "\n" " # Then use it to change it\n" " cat $INITDBAK |\n" " eval $AWKS > $INITD\n" "\n" " # Now put the options in the /etc/default/bind file:\n" " cat >>$DEFAULT <<EOF\n" "# Make bind run with the user we defined\n" "OPTIONS=\"-u $USER -g $GROUP\"\n" "EOF\n" "\n" " echo \"WARN: The script $INITD has been changed, trying to test the changes.\"\n" " echo \"Restarting the named daemon (check for errors here).\"\n" "\n" " $INITD restart\n" " if [ $? 
-ne 0 ] \n" " then\n" " echo \"ERR: Failed to restart the daemon.\"\n" " restore\n" " exit 1\n" " fi\n" "\n" " RUNNING=`ps eo fname |grep named`\n" " if [ -z \"$RUNNING\" ] \n" " then\n" " echo \"ERR: Named is not running, probably due to a problem with the changes.\"\n" " restore\n" " exit 1\n" " fi\n" "\n" " # Check if it's running as expected\n" " RUNUSER=`ps eo user,fname |grep named |cut -f 1 -d \" \"`\n" "\n" " if [ \"$RUNUSER\" = \"$USER\" ] \n" " then\n" " echo \"All has gone well, named seems to be running now as $USER.\"\n" " else\n" " echo \"ERR: The script failed to automatically change the system.\"\n" " echo \"ERR: Named is currently running as $RUNUSER.\"\n" " restore\n" " exit 1\n" " fi\n" "\n" " exit 0" msgstr "" "#!/bin/sh\n" "# Modifier la configuration par défaut du BIND v8 de Debian pour qu'il\n" "# s'exécute en tant qu'utilisateur et groupe non superutilisateur.\n" "#\n" "# Ne pas utiliser cela avec la version 9, utiliser plutôt debconf pour le\n" "# configurer.\n" "#\n" "# Attention : ce script n'a pas été testé rigoureusement, veuillez\n" "# vérifier les modifications effectuées sur les scripts d'initialisation.\n" "\n" "# (c) 2002 Javier Fernández-Sanguino Peña\n" "#\n" "# This program is free software; you can redistribute it and/or modify\n" "# it under the terms of the GNU General Public License as published by\n" "# the Free Software Foundation; either version 1, or (at your option)\n" "# any later version.\n" "#\n" "# This program is distributed in the hope that it will be useful,\n" "# but WITHOUT ANY WARRANTY; without even the implied warranty of\n" "# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n" "# GNU General Public License for more details.\n" "#\n" "# Please see the file `COPYING' for the complete copyright notice.\n" "#\n" "\n" "restore() {\n" "# Au cas où, restaurer le système si la modification échoue\n" " echo \"Attention : restauration de la configuration précédente car il\"\n" " echo \" est impossible de la modifier correctement.\"\n" " echo \"Attention : veuillez vérifier le script $INITDERR.\"\n" " mv $INITD $INITDERR\n" " cp $INITDBAK $INITD\n" "}\n" "\n" "\n" "USER=named\n" "GROUP=named\n" "INITD=/etc/init.d/bind\n" "DEFAULT=/etc/default/bind\n" "INITDBAK=$INITD.preuserchange\n" "INITDERR=$INITD.changeerror\n" "AWKS=\"awk ' /\\/usr\\/sbin\\/ndc reload/ { print \\\"stop; sleep 2; start;\\\"; noprint = 1; } /\\\\\\\\$/ { if ( noprint != 0 ) { noprint = noprint + 1;} } /^.*$/ { if ( noprint != 0 ) { noprint = noprint - 1; } else { print \\$0; } } '\"\n" "\n" "[ `id -u` -ne 0 ] && {\n" " echo \"Ce script doit être exécuté en tant que superutilisateur\"\n" " exit 1\n" "}\n" "\n" "RUNUSER=`ps eo user,fname |grep named |cut -f 1 -d \" \"`\n" "\n" "if [ \"$RUNUSER\" = \"$USER\" ] \n" "then\n" " echo \"Attention : le démon de serveur de noms est déjà exécuté en tant\"\n" " echo \" que $USER.\"\n" " echo \"Erreur : ce script ne modifiera pas la configuration.\"\n" " exit 1\n" "fi\n" "if [ ! 
-f \"$INITD\" ]\n" "then\n" " echo \"Erreur : ce système n'a pas de $INITD (ce que ce script tente de\"\n" " echo \" modifier)\"\n" " RUNNING=`ps eo fname |grep named`\n" " [ -z \"$RUNNING\" ] && \\\n" " echo \"Erreur : en fait, le démon de serveur de noms n'est même pas en\"\n" " echo \" cours d'exécution (est-il installé ?)\"\n" " echo \"Erreur : aucune modification ne sera apportée au système.\"\n" " exit 1\n" "fi\n" "\n" "# Vérifier si les options sont déjà configurées\n" "if [ -e \"$DEFAULT\" ]\n" "then\n" " if grep -q ^OPTIONS $DEFAULT; then\n" " echo \"Erreur : le fichier $DEFAULT a déjà des options configurées.\"\n" " echo \"Erreur : aucune modification ne sera apportée au système.\"\n" " fi\n" "fi\n" "# Vérifier si le groupe named existe\n" "if [ -z \"`grep $GROUP /etc/group`\" ] \n" "then\n" " echo \"Création du groupe $GROUP :\"\n" " addgroup $GROUP\n" "else\n" " echo \"Attention : le groupe $GROUP existe déjà. Il ne sera pas créé.\"\n" "fi\n" "# Pareil pour l'utilisateur\n" "if [ -z \"`grep $USER /etc/passwd`\" ] \n" "then\n" " echo \"Création de l'utilisateur $USER :\"\n" " adduser --system --home /home/$USER \\\n" " --no-create-home --ingroup $GROUP \\\n" " --disabled-password --disabled-login $USER\n" "else\n" " echo \"Attention : l'utilisateur $USER existe déjà. Il ne sera pas créé.\"\n" "fi\n" "\n" "# Modifier le script init.d\n" "\n" "# D'abord faire une sauvegarde (vérifier qu'il n'y en a pas déjà une)\n" "if [ ! 
-f $INITDBAK ] \n" "then\n" " cp $INITD $INITDBAK\n" "fi\n" "\n" "# Puis l'utiliser pour la modifier\n" "cat $INITDBAK |\n" "eval $AWKS > $INITD\n" "\n" "# Enfin placer les options dans le fichier /etc/default/bind\n" "cat >>$DEFAULT <<EOF\n" "# Utiliser l'utilisateur défini pour exécuter bind\n" "OPTIONS=\"-u $USER -g $GROUP\"\n" "EOF\n" "echo \"Attention : le script $INITD a été modifié, tentative de test des\"\n" "echo \" modifications.\"\n" "echo \"Redémarrage du démon named (vérification des erreurs en cours).\"\n" "\n" "$INITD restart\n" "if [ $? -ne 0 ]\n" "then\n" " echo \"Erreur : échec du redémarrage du démon.\"\n" " restore\n" " exit 1\n" "fi\n" "\n" "RUNNING=`ps eo fname |grep named`\n" "if [ -z \"$RUNNING\" ] \n" "then\n" " echo \"Erreur : named n'est pas en cours d'exécution, c'est sans doute\"\n" " echo \" dû à un problème avec les modifications.\"\n" " restore\n" " exit 1\n" " fi\n" "\n" "# Vérifier que named fonctionne comme prévu\n" "RUNUSER=`ps eo user,fname |grep named |cut -f 1 -d \" \"`\n" "\n" "if [ \"$RUNUSER\" = \"$USER\" ] \n" "then\n" " echo \"Tout s'est bien passé, named semble maintenant fonctionner en tant\"\n" " echo \" que $USER.\"\n" "else\n" " echo \"Erreur : le script a échoué à modifier automatiquement le système.\"\n" " echo \"Erreur : named fonctionne actuellement en tant que $RUNUSER.\"\n" " restore\n" " exit 1\n" "fi\n" "\n" "exit 0" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:854 msgid "" "The previous script, run on Woody's (Debian 3.0) custom bind " "(version 8), will modify the initd file after creating the 'named' user and " "group and will" msgstr "" "Le script précédent, exécuté sur le bind (version 8) " "personnalisé de Woody (Debian 3.0), modifiera le fichier initd après " "création de l'utilisateur et du groupe « named »." #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:856 msgid "Security update protected by a firewall" msgstr "Mise à jour de sécurité protégée par un pare-feu" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:862 msgid "" "After a standard installation, a system may still have some security " "vulnerabilities. Unless you can download updates for the vulnerable packages " "on another system (or you have mirrored security.debian.org for local use), " "the system will have to be connected to the Internet for the downloads." msgstr "" "Après une installation standard, un système peut toujours avoir des failles " "de sécurité. À moins de pouvoir télécharger les mises à jour pour les " "paquets vulnérables depuis un autre système (ou si vous avez fait un miroir " "de security.debian.org pour utilisation en local), le système devra être " "connecté à Internet pour les téléchargements." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:870 msgid "" "However, as soon as you connect to the Internet you are exposing this " "system. If one of your local services is vulnerable, you might be " "compromised even before the update is finished! This may seem paranoid but, " "in fact, analysis from the has shown that systems can be compromised in less than " "three days, even if the system is not publicly known (i.e., not published in " "DNS records)." msgstr "" "Cependant, dès que vous vous connectez à Internet, vous exposez le système. " "Si l'un des services locaux est vulnérable, votre système peut même être " "compromis avant la fin de la mise à jour ! Cela peut sembler paranoïaque, " "mais une analyse du a démontré que les systèmes peuvent être compromis en moins de " "trois jours, même si le système n'est pas connu publiquement (c'est-à-dire, " "non publié dans les enregistrements DNS)." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:878 msgid "" "When doing an update on a system not protected by an external system like a " "firewall, it is possible to properly configure your local firewall to " "restrict connections involving only the security update itself. The example " "below shows how to set up such local firewall capabilities, which allow " "connections from security.debian.org only, logging all others." msgstr "" "Lorsque vous faites une mise à jour sur un système non protégé par un " "système externe comme un pare-feu, il est possible de configurer " "correctement votre pare-feu local pour ne permettre que les connexions " "nécessaires à la mise à jour de sécurité elle-même. L'exemple ci-dessous montre comment " "mettre en place de telles fonctionnalités de pare-feu, ne permettant que " "les connexions à security.debian.org et en journalisant toutes les autres." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:882 msgid "" "The following example can be use to setup a restricted firewall ruleset. Run " "this commands from a local console (not a remote one) to reduce the chances " "of locking yourself out of the system." msgstr "" "L'exemple suivant permet de configurer un jeu de règles de pare-feu " "restreint. Exécutez ces commandes depuis une console locale (pas à distance) " "pour limiter les risques de vous enfermer hors du système." #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:915 #, no-wrap msgid "" " # iptables -F\n" " # iptables -L\n" " Chain INPUT (policy ACCEPT)\n" " target prot opt source destination\n" "\n" " Chain FORWARD (policy ACCEPT)\n" " target prot opt source destination\n" "\n" " Chain OUTPUT (policy ACCEPT)\n" " target prot opt source destination\n" " # iptables -A OUTPUT -d security.debian.org --dport 80 -j ACCEPT\n" " # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n" " # iptables -A INPUT -p icmp -j ACCEPT\n" " # iptables -A INPUT -j LOG\n" " # iptables -A OUTPUT -j LOG\n" " # iptables -P INPUT DROP\n" " # iptables -P FORWARD DROP\n" " # iptables -P OUTPUT DROP\n" " # iptables -L\n" " Chain INPUT (policy DROP)\n" " target prot opt source destination\n" " ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED\n" " ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0\n" " LOG all -- anywhere anywhere LOG level warning\n" "\n" " Chain FORWARD (policy DROP)\n" " target prot opt source destination\n" "\n" " Chain OUTPUT (policy DROP)\n" " target prot opt source destination\n" " ACCEPT 80 -- anywhere security.debian.org\n" " LOG all -- anywhere anywhere LOG level warning" msgstr "" "# iptables -F\n" "# iptables -L\n" "Chain INPUT (policy ACCEPT)\n" "target prot opt source destination\n" "\n" "Chain FORWARD (policy ACCEPT)\n" "target prot opt source destination\n" "\n" "Chain OUTPUT (policy ACCEPT)\n" "target prot opt source destination\n" "# iptables -A OUTPUT -d 
security.debian.org --dport 80 -j ACCEPT\n" "# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n" "# iptables -A INPUT -p icmp -j ACCEPT\n" "# iptables -A INPUT -j LOG\n" "# iptables -A OUTPUT -j LOG\n" "# iptables -P INPUT DROP\n" "# iptables -P FORWARD DROP\n" "# iptables -P OUTPUT DROP\n" "# iptables -L\n" "Chain INPUT (policy DROP)\n" "target prot opt source destination\n" "ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED\n" "ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0\n" "LOG all -- anywhere anywhere LOG level warning\n" "\n" "Chain FORWARD (policy DROP)\n" "target prot opt source destination\n" "\n" "Chain OUTPUT (policy DROP)\n" "target prot opt source destination\n" "ACCEPT 80 -- anywhere security.debian.org\n" "LOG all -- anywhere anywhere LOG level warning" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:953 msgid "" "Note: Using a DROP policy in the INPUT chain is the most correct " "thing to do, but be very careful when doing this after flushing the " "chain from a remote connection. When testing firewall rulesets from a remote " "location it is best if you run a script with the firewall ruleset (instead " "of introducing the ruleset line by line through the command line) and, as a " "precaution, keep a backdoor

Such as knockd. " "Alternatively, you can open a different console and have the system ask for " "confirmation that there is somebody on the other side, and reset the " "firewall chain if no confirmation is given. The following test script could " "be of use: #!/bin/bash while true; do read -n 1 -p \"Are you there? " "\" -t 30 ayt if [ -z \"$ayt\" ] ; then break fi done # Reset the firewall " "chain, user is not available echo echo \"Resetting firewall chain!\" " "iptables -F iptables -P INPUT ACCEPT iptables -P FORWARD ACCEPT iptables -P " "OUTPUT ACCEPT exit 1

Of course, you should disable any " "backdoors before getting the system into production.

" "configured so that you can re-enable access to the system if you make a " "mistake. That way there would be no need to go to a remote location to fix a " "firewall ruleset that blocks you." msgstr "" "Remarque : l'utilisation d'une règle DROP dans la chaîne INPUT est " "la chose la plus correcte à faire, mais soyez particulièrement " "attentif lorsque c'est fait après avoir nettoyé la chaîne depuis une " "connexion distante. Lors d'un test des jeux de règles de pare-feu à " "distance, il est préférable d'exécuter un script avec le jeu de règles de " "pare-feu (au lieu d'introduire les règles une à une depuis la ligne de " "commande) et, par précaution, de garder une porte dérobée

Par " "exemple knockd. Sinon, il est possible d'ouvrir une autre console " "et forcer le système à confirmer que quelqu'un est présent de l'autre côté, " "et réinitialiser la chaîne de pare-feu en absence de confirmation. Le script " "de test suivant pourrait servir : #!/bin/bash while true; do read -" "n 1 -p \"Y a-t-il quelqu'un ? \" -t 30 ayt if [ -z \"$ayt\" ] ; then break " "fi done # Réinitialiser la chaîne de pare-feu, l'utilisateur n'est pas " "disponible echo echo \"Réinitialisation de la chaîne de pare-feu\" iptables -" "F iptables -P INPUT ACCEPT iptables -P FORWARD ACCEPT iptables -P OUTPUT " "ACCEPT exit 1

Bien sûr, toutes les portes dérobées devraient " "être désactivées avant de placer le système en production.

" "configurée pour pouvoir réactiver l'accès au système en cas d'erreur. Ainsi, " "il ne sera pas nécessaire de se déplacer pour corriger un jeu de règles de " "pare-feu bloquant." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:958 msgid "" "FIXME: This needs DNS to be working properly since it is required for " "security.debian.org to work. You can add security.debian.org to /etc/hosts " "but now it is a CNAME to several hosts (there is more than one security " "mirror)" msgstr "" "FIXME : cela nécessite un DNS opérationnel puisqu'il est nécessaire pour " "résoudre security.debian.org. security.debian.org pourrait être ajouté à /" "etc/hosts mais c'est un nom canonique pour plusieurs hôtes (il y a plus d'un " "miroir de sécurité)." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:961 msgid "" "FIXME: this will only work with HTTP URLs since ftp might need the " "ip_conntrack_ftp module, or use passive mode." msgstr "" "FIXME : cela ne fonctionnera qu'avec les URL HTTP car FTP peut avoir besoin " "du module ip_conntrack_ftp ou d'utiliser le mode passif." #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:963 msgid "Chroot environment for SSH" msgstr "Environnement de chroot pour SSH" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:966 msgid "" "Creating a restricted environment for SSH is a tough job due to " "its dependencies and the fact that, unlike other servers, SSH " "provides a remote shell to users. Thus, you will also have to consider the " "applications users will be allowed to use in the environment." msgstr "" "Créer un environnement restreint pour SSH est un travail " "difficile à cause de ses dépendances et du fait que, à la différence " "d'autres serveurs, SSH fournit un interpréteur de commande " "distant pour les utilisateurs. C'est pourquoi vous devrez également " "considérer les applications que les utilisateurs auront le droit d'utiliser " "dans l'environnement." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:970 msgid "You have two options to setup a restricted remote shell:" msgstr "" "Deux options existent pour configurer une invite de commande à distance " "restreinte :" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:975 msgid "" "Chrooting the ssh users, by properly configuring the ssh daemon you can ask " "it to chroot a user after authentication just before it is provided a shell. " "Each user can have their own environment." msgstr "" "chrooter les utilisateurs SSH, en configurant correctement le démon SSH pour " "chrooter un utilisateur après l'authentification juste avant de lui fournir " "une invite de commande. Chaque utilisateur peut avoir son propre " "environnement ;" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:978 msgid "" "Chrooting the ssh server, since you chroot the ssh application itself all " "users are chrooted to the defined environment." msgstr "" "chrooter le serveur SSH, puisque l'application SSH est elle même chrootée, " "tous les utilisateurs sont chrootés dans l'environnement défini." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:990 msgid "" "The first option has the advantage of making it possible to have both non-" "chrooted and chrooted users, if you don't introduce any setuid application " "in the user's chroots it is more difficult to break out of it. However, you " "might need to setup individual chroots for each user and it is more " "difficult to setup (as it requires cooperation from the SSH server). The " "second option is more easy to setup, and protects from an exploitation of " "the ssh server itself (since it's also in the chroot) but it will have the " "limitation that all users will share the same chroot environment (you cannot " "setup a per-user chroot environment)." msgstr "" "La première option a l'avantage de permettre d'avoir à la fois des " "utilisateurs chrootés ou non, en absence d'application setuid dans les " "chroots de l'utilisateur, il est plus difficile de s'en échapper. Cependant, " "vous pourriez devoir configurer des chroots spécifiques à chaque utilisateur, ce qui " "est plus délicat (car cela nécessite une coopération de la part du serveur " "SSH). La seconde option est plus facile à configurer, et protège d'une " "exploitation du serveur SSH lui-même (puisqu'il est également dans le chroot) " "mais elle sera limitée de telle sorte que tous les utilisateurs partageront le " "même environnement chroot (impossible de configurer un environnement chroot " "par utilisateur)." #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:992 msgid "Chrooting the ssh users" msgstr "Chrooter les utilisateurs SSH" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:995 msgid "" "You can setup the ssh server so that it will chroot a set of defined users " "into a shell with a limited set of applications available." msgstr "" "Le serveur SSH peut être configuré pour chrooter un ensemble d'utilisateurs " "définis dans une invite de commande possédant un jeu d'applications " "disponibles limité." #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:997 msgid "Using libpam-chroot" msgstr "Utilisation de libpam-chroot" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1000 msgid "" "Probably the easiest way is to use the libpam-chroot " "package provided in Debian. Once you install it you need to:" msgstr "" "La façon probablement la plus facile est d'utiliser le paquet " "libpam-chroot fourni dans Debian. Une fois que vous " "l'avez installé, vous devez :" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1005 msgid "" "Modify /etc/pam.d/ssh to use this PAM module, add as its last " "line

You can use the debug option to have it send the " "progress of the module to the authpriv.notice facility

:" msgstr "" "modifier /etc/pam.d/ssh pour utiliser ce module PAM, ajouter " "cette ligne à la fin du fichier

L'option debug permet " "d'envoyer la progression du module à la facilité authpriv.notice. :" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1007 #, no-wrap msgid "session required pam_chroot.so" msgstr "session required pam_chroot.so" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1041 msgid "" "set a proper chroot environment for the user. You can try using the scripts " "available at /usr/share/doc/libpam-chroot/examples/, use the " "makejail

You can create a very limited bash " "environment with the following python definition for makejail, just create " "the directory /var/chroots/users/foo and a file with the " "following contents and call it bash.py: chroot=\"/var/" "chroots/users/foo\" cleanJailFirst=1 testCommandsInsideJail=[\"bash ls\"]

And then run makejail bash.py to create the user " "environment at /var/chroots/users/foo. To test the environment " "run: # chroot /var/chroots/users/foo/ ls bin dev etc lib proc sbin " "usr

program or setup a minimum Debian environment " "with debootstrap. Make sure the environment includes the " "needed devices

In some occasions you might need the /dev/" "ptmx and /dev/pty* devices and the /dev/pts/ subdirectory. Running MAKEDEV in the /dev directory of " "the chrooted environment should be sufficient to create them if they do not " "exist. If you are using kernels (version 2.6) which dynamically create " "device files you will need to create the /dev/pts/ files yourself and grant " "them the proper privileges.

." msgstr "" "configurer un environnement de chroot correct. Vous pouvez essayer " "d'utiliser les scripts disponibles en /usr/share/doc/libpam-chroot/" "examples/, utiliser le programme makejail

Vous pouvez créer un environnement bash très limité avec " "les définitions Python suivantes pour makejail, en créant simplement le " "répertoire /var/chroots/users/truc et un fichier bash.py avec le contenu suivant : chroot=\"/var/chroots/users/truc\" " "cleanJailFirst=1 testCommandsInsideJail=[\"bash ls\"]

Exécuter ensuite makejail bash.py pour créer l'environnement " "de l'utilisateur en /var/chroots/users/truc. Pour tester " "l'environnement, exécuter : # chroot /var/chroots/users/truc/ ls " "bin dev etc lib proc sbin usr.

ou mettre en place " "un environnement Debian minimal avec debootstrap. Assurez-" "vous que l'environnement contient les périphériques " "nécessaires

Dans certains cas, les périphériques /dev/" "ptmx et /dev/pty* et le sous-répertoire /dev/pts/. Exécuter MAKEDEV dans le répertoire /dev de " "l'environnement chrooté devrait suffire pour les créer s'ils n'existent pas. " "Avec les noyaux (version 2.6) qui créent dynamiquement les fichiers de " "périphérique, vous devrez créer les fichiers /dev/pts/ vous-" "même et leur attribuer les droits nécessaires.

 ;" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1047 msgid "" "Configure /etc/security/chroot.conf so that the users you " "determine are chrooted to the directory you setup previously. You might want " "to have independent directories for different users so that they will not be " "able to see neither the whole system nor each other's." msgstr "" "configurer /etc/security/chroot.conf pour que les utilisateurs " "que vous déterminez soient chrootés dans le répertoire que vous avez mis en " "place auparavant. Vous pouvez vouloir ajouter des répertoires indépendants " "pour différents utilisateurs afin qu'ils ne puissent voir ni le système " "complet, ni les uns les autres ;" # NOTE: s/priviledges/privileges/g #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1055 msgid "" "Configure SSH: Depending on your OpenSSH version the chroot environment " "might work straight of the box or not. Since 3.6.1p2 the do_pam_session()" " function is called after sshd has dropped privileges, since chroot() " "needs root priviledges it will not work with Privilege separation on. In " "newer OpenSSH versions, however, the PAM code has been modified and " "do_pam_session is called before dropping priviledges so it will work even " "with Privilege separation is on. If you have to disable it modify /etc/" "ssh/sshd_config like this:" msgstr "" "configurer SSH : suivant la version d'OpenSSH, l'environnement chroot " "pourrait fonctionner directement sans effort, ou non. Depuis 3.6.1p2 la " "fonction do_pam_session() est appelée après que sshd ait abandonné " "ses droits, mais puisque chroot() a besoin des droits du superutilisateur, " "il ne fonctionnera pas avec la séparation de droits activée. Dans les " "versions plus récentes d'OpenSSH, cependant, le code PAM a été modifié et " "do_pam_session est appelé avant l'abandon des droits donc il fonctionnera " "même avec la séparation de droits activée. Si vous devez la désactiver, " "modifiez /etc/ssh/sshd_config de cette façon :" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1057 #, no-wrap msgid "UsePrivilegeSeparation no" msgstr "UsePrivilegeSeparation no" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1069 msgid "" "Notice that this will lower the security of your system since the OpenSSH " "server will then run as root user. This means that if a remote " "attack is found against OpenSSH an attacker will get root " "privileges instead of sshd, thus compromising the whole system. " "

If you are using a kernel that implements Mandatory Access " "Control (RSBAC/SElinux) you can avoid changing this configuration just by " "granting the sshd user privileges to make the chroot() system call." "

" msgstr "" "Notez que cela réduira la sécurité de votre système car le serveur OpenSSH " "fonctionnera avec l'utilisateur root. Cela veut dire que si une " "attaque à distance est trouvée sur OpenSSH, un attaquant obtiendra les " "droits de root au lieu de ceux de sshd, ce qui " "compromettra le système en entier.

Si vous utilisez un noyau " "implémentant le contrôle d'accès obligatoire (« Mandatory Access " "Control » ou MAC) (RSBAC/SElinux), vous pouvez éviter de changer cette " "configuration en autorisant simplement l'utilisateur sshd à " "exécuter l'appel système chroot().

" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1075 msgid "" "If you don't disable Privilege Separation you will need an /" "etc/passwd which includes the user's UID inside the chroot for " "Privilege Separation to work properly." msgstr "" "Sans désactiver la séparation de droits, un /etc/passwd qui intègre l'UID de l'utilisateur dans le chroot sera nécessaire pour " "faire fonctionner correctement la séparation de droits." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1080 msgid "" "If you have Privilege Separation set to yes and " "your OpenSSH version does not behave properly you will need to disable it. " "If you don't, users that try to connect to your server and would be chrooted " "by this module will see this:" msgstr "" "Si la séparation de droits est définie à yes et " "que la version d'OpenSSH ne se comporte pas correctement, il faudra la " "désactiver. Sinon, les utilisateurs qui essayent de se connecter au serveur " "et qui seraient chrootés par ce module verront ceci :" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1085 #, no-wrap msgid "" "$ ssh -l user server\n" "user@server's password:\n" "Connection to server closed by remote host.\n" "Connection to server closed." msgstr "" "$ ssh -l user server\n" "user@server's password:\n" "Connection to server closed by remote host.\n" "Connection to server closed." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1092 msgid "" "This is because the ssh daemon, which is running as 'sshd', is not be able " "to make the chroot() system call. To disable Privilege separation you have " "to modify the /etc/ssh/sshd_config configuration file as " "described above." msgstr "" "C'est parce que le démon SSH, qui est exécuté en tant que « sshd », n'est " "pas capable de faire l'appel système chroot(). Pour désactiver la séparation " "de droits, il faut modifier le fichier de configuration /etc/ssh/" "sshd_config comme décrit précédemment." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1095 msgid "" "Notice that if any of the following is missing the users will not be able to " "logon to the chroot:" msgstr "" "Remarquez qu'en absence d'un des éléments suivants, les utilisateurs ne " "pourront pas se connecter au chroot :" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1100 msgid "" "The /proc filesystem needs to be mounted in the users' chroot." msgstr "" "le système de fichiers /proc doit être monté dans le chroot des " "utilisateurs ;" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1104 msgid "" "The necessary /dev/pts/ devices need to exist. If the files are " "generated by your running kernel automatically then you have to manually " "create them on the chroot's /dev/." msgstr "" "les périphériques /dev/pts/ nécessaires doivent exister. Si les " "fichiers sont créés automatiquement par le noyau utilisé, il faut les créer " "vous-même dans le /dev/ du chroot ;" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1107 msgid "" "The user's home directory has to exist in the chroot, otherwise the ssh " "daemon will not continue." msgstr "" "le répertoire personnel de l'utilisateur doit exister dans le chroot, sinon " "le démon SSH s'arrêtera." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1113 msgid "" "You can debug all these issues if you use the debug keyword in the " "/etc/pam.d/ssh PAM definition. If you encounter issues you " "might find it useful to enable the debugging mode on the ssh client too." msgstr "" "Tous ces problèmes peuvent être débogués en utilisant le mot-clef debug dans la définition PAM de /etc/pam.d/ssh. En cas de " "problème, il peut être utile d'activer aussi le mode de débogage sur le " "client SSH." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1117 msgid "" "Note: This information is also available (and maybe more up to date) in " "/usr/share/doc/libpam-chroot/README.Debian.gz, please review it " "for updated information before taking the above steps." msgstr "" "Note : ces renseignements sont également disponibles (et peut-être plus " "à jour) dans /usr/share/doc/libpam-chroot/README.Debian.gz, " "veuillez consulter ce fichier pour obtenir des renseignements à jour avant " "d'entreprendre les étapes ci-dessus." #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1121 msgid "Patching the ssh server" msgstr "Appliquer des correctifs au serveur SSH" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1142 msgid "" "Debian's sshd does not allow restriction of a user's movement " "through the server, since it lacks the chroot function that the " "commercial program sshd2 includes (using 'ChrootGroups' or " "'ChrootUsers', see ). However, " "there is a patch available to add this functionality available from (requested " "and available in in Debian). The patch may be included in future releases of the " "OpenSSH package. Emmanuel Lacour has ssh deb packages for " "sarge with this feature. They are available at . Notice that those might not be up to date " "so completing the compilation step is recommended." msgstr "" "Le serveur sshd de Debian ne vous autorisera pas à restreindre " "les mouvements des utilisateurs par le serveur étant donné que celui-ci est " "dépourvu de la fonction chroot que le programme commercial " "sshd2 possède (utilisation de « ChrootGroups » ou " "« ChrootUsers », consultez ). Toutefois, un correctif est disponible pour le faire sur " "le . Il sera peut-être appliqué au paquet OpenSSH dans le futur. " "Emmanuel Lacour dispose de paquets Debian ssh pour Sarge avec cette fonctionnalité. Ils sont disponibles à . Notez que ceux-ci peuvent ne pas être à " "jour, effectuer l'étape de compilation est donc recommandé." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1146 msgid "" "After applying the patch, modify /etc/passwd by changing the " "home path of the users (with the special /./ token):" msgstr "" "Après avoir appliqué le correctif, modifiez /etc/passwd en " "changeant le chemin du répertoire des utilisateurs (avec l'indicateur " "spécial /./) :" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1148 #, no-wrap msgid " joeuser:x:1099:1099:Joe Random User:/home/joe/./:/bin/bash" msgstr " utilisateurjean:x:1099:1099:Jean Dupont Utilisateur:/home/michel/./:/bin/bash" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1153 msgid "" "This will restrict both remote shell access, as well as remote copy " "through the ssh channel." msgstr "" "Cela restreindra à la fois les accès distants au shell, ainsi que " "la copie par le tunnel ssh." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1158 msgid "" "Make sure to have all the needed binaries and libraries in the chroot'ed path for users. These files should be owned by root to avoid " "tampering by the user (so as to exit the chroot'ed jailed). A " "sample might include:" msgstr "" "Assurez-vous que tous les programmes et bibliothèques sont bien présents " "dans le chemin chrooté pour les utilisateurs. Ces fichiers " "devraient appartenir à root pour éviter les fraudes de l'utilisateur (tel la " "sortie d'une prison chrooté). Un échantillon pourrait inclure " "ceci :" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1170 #, no-wrap msgid "" "./bin:\n" "total 660\n" "drwxr-xr-x 2 root root 4096 Mar 18 13:36 .\n" "drwxr-xr-x 8 guest guest 4096 Mar 15 16:53 ..\n" "-r-xr-xr-x 1 root root 531160 Feb 6 22:36 bash\n" "-r-xr-xr-x 1 root root 43916 Nov 29 13:19 ls\n" "-r-xr-xr-x 1 root root 16684 Nov 29 13:19 mkdir\n" "-rwxr-xr-x 1 root root 23960 Mar 18 13:36 more\n" "-r-xr-xr-x 1 root root 9916 Jul 26 2001 pwd\n" "-r-xr-xr-x 1 root root 24780 Nov 29 13:19 rm\n" "lrwxrwxrwx 1 root root 4 Mar 30 16:29 sh -> bash" msgstr "" "./bin:\n" "total 660\n" "drwxr-xr-x 2 root root 4096 mars 18 13:36 .\n" "drwxr-xr-x 8 guest guest 4096 mars 15 16:53 ..\n" "-r-xr-xr-x 1 root root 531160 févr. 6 22:36 bash\n" "-r-xr-xr-x 1 root root 43916 nov. 29 13:19 ls\n" "-r-xr-xr-x 1 root root 16684 nov. 29 13:19 mkdir\n" "-rwxr-xr-x 1 root root 23960 mars 18 13:36 more\n" "-r-xr-xr-x 1 root root 9916 juil. 26 2001 pwd\n" "-r-xr-xr-x 1 root root 24780 nov. 29 13:19 rm\n" "lrwxrwxrwx 1 root root 4 mars 30 16:29 sh -> bash" #. 
type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1180 #, no-wrap msgid "" "./etc:\n" "total 24\n" "drwxr-xr-x 2 root root 4096 Mar 15 16:13 .\n" "drwxr-xr-x 8 guest guest 4096 Mar 15 16:53 ..\n" "-rw-r--r-- 1 root root 54 Mar 15 13:23 group\n" "-rw-r--r-- 1 root root 428 Mar 15 15:56 hosts\n" "-rw-r--r-- 1 root root 44 Mar 15 15:53 passwd\n" "-rw-r--r-- 1 root root 52 Mar 15 13:23 shells" msgstr "" "./etc:\n" "total 24\n" "drwxr-xr-x 2 root root 4096 mars 15 16:13 .\n" "drwxr-xr-x 8 guest guest 4096 mars 15 16:53 ..\n" "-rw-r--r-- 1 root root 54 mars 15 13:23 group\n" "-rw-r--r-- 1 root root 428 mars 15 15:56 hosts\n" "-rw-r--r-- 1 root root 44 mars 15 15:53 passwd\n" "-rw-r--r-- 1 root root 52 mars 15 13:23 shells" # NOTE: libnss_files.so.2 disaligned #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1199 #, no-wrap msgid "" "./lib:\n" "total 1848\n" "drwxr-xr-x 2 root root 4096 Mar 18 13:37 .\n" "drwxr-xr-x 8 guest guest 4096 Mar 15 16:53 ..\n" "-rwxr-xr-x 1 root root 92511 Mar 15 12:49 ld-linux.so.2\n" "-rwxr-xr-x 1 root root 1170812 Mar 15 12:49 libc.so.6\n" "-rw-r--r-- 1 root root 20900 Mar 15 13:01 libcrypt.so.1\n" "-rw-r--r-- 1 root root 9436 Mar 15 12:49 libdl.so.2\n" "-rw-r--r-- 1 root root 248132 Mar 15 12:48 libncurses.so.5\n" "-rw-r--r-- 1 root root 71332 Mar 15 13:00 libnsl.so.1\n" "-rw-r--r-- 1 root root 34144 Mar 15 16:10\n" "libnss_files.so.2\n" "-rw-r--r-- 1 root root 29420 Mar 15 12:57 libpam.so.0\n" "-rw-r--r-- 1 root root 105498 Mar 15 12:51 libpthread.so.0\n" "-rw-r--r-- 1 root root 25596 Mar 15 12:51 librt.so.1\n" "-rw-r--r-- 1 root root 7760 Mar 15 12:59 libutil.so.1\n" "-rw-r--r-- 1 root root 24328 Mar 15 12:57 libwrap.so.0" msgstr "" "./lib:\n" "total 1848\n" "drwxr-xr-x 2 root root 4096 mars 18 13:37 .\n" "drwxr-xr-x 8 guest guest 4096 mars 15 16:53 ..\n" "-rwxr-xr-x 1 root root 92511 mars 15 12:49 ld-linux.so.2\n" "-rwxr-xr-x 1 root root 1170812 mars 15 12:49 libc.so.6\n" "-rw-r--r-- 1 root root 20900 mars 15 13:01 
libcrypt.so.1\n" "-rw-r--r-- 1 root root 9436 mars 15 12:49 libdl.so.2\n" "-rw-r--r-- 1 root root 248132 mars 15 12:48 libncurses.so.5\n" "-rw-r--r-- 1 root root 71332 mars 15 13:00 libnsl.so.1\n" "-rw-r--r-- 1 root root 34144 mars 15 16:10 libnss_files.so.2\n" "-rw-r--r-- 1 root root 29420 mars 15 12:57 libpam.so.0\n" "-rw-r--r-- 1 root root 105498 mars 15 12:51 libpthread.so.0\n" "-rw-r--r-- 1 root root 25596 mars 15 12:51 librt.so.1\n" "-rw-r--r-- 1 root root 7760 mars 15 12:59 libutil.so.1\n" "-rw-r--r-- 1 root root 24328 mars 15 12:57 libwrap.so.0" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1207 #, no-wrap msgid "" "./usr:\n" "total 16\n" "drwxr-xr-x 4 root root 4096 Mar 15 13:00 .\n" "drwxr-xr-x 8 guest guest 4096 Mar 15 16:53 ..\n" "drwxr-xr-x 2 root root 4096 Mar 15 15:55 bin\n" "drwxr-xr-x 2 root root 4096 Mar 15 15:37 lib" msgstr "" "./usr:\n" "total 16\n" "drwxr-xr-x 4 root root 4096 mars 15 13:00 .\n" "drwxr-xr-x 8 guest guest 4096 mars 15 16:53 ..\n" "drwxr-xr-x 2 root root 4096 mars 15 15:55 bin\n" "drwxr-xr-x 2 root root 4096 mars 15 15:37 lib" #. 
type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1219 #, no-wrap msgid "" "./usr/bin:\n" "total 340\n" "drwxr-xr-x 2 root root 4096 Mar 15 15:55 .\n" "drwxr-xr-x 4 root root 4096 Mar 15 13:00 ..\n" "-rwxr-xr-x 1 root root 10332 Mar 15 15:55 env\n" "-rwxr-xr-x 1 root root 13052 Mar 15 13:13 id\n" "-r-xr-xr-x 1 root root 25432 Mar 15 12:40 scp\n" "-rwxr-xr-x 1 root root 43768 Mar 15 15:15 sftp\n" "-r-sr-xr-x 1 root root 218456 Mar 15 12:40 ssh\n" "-rwxr-xr-x 1 root root 9692 Mar 15 13:17 tty" msgstr "" "./usr/bin:\n" "total 340\n" "drwxr-xr-x 2 root root 4096 mars 15 15:55 .\n" "drwxr-xr-x 4 root root 4096 mars 15 13:00 ..\n" "-rwxr-xr-x 1 root root 10332 mars 15 15:55 env\n" "-rwxr-xr-x 1 root root 13052 mars 15 13:13 id\n" "-r-xr-xr-x 1 root root 25432 mars 15 12:40 scp\n" "-rwxr-xr-x 1 root root 43768 mars 15 15:15 sftp\n" "-r-sr-xr-x 1 root root 218456 mars 15 12:40 ssh\n" "-rwxr-xr-x 1 root root 9692 mars 15 13:17 tty" # NOTE: libcrypto.so.0.9.6 disaligned #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1229 #, no-wrap msgid "" "./usr/lib:\n" "total 852\n" "drwxr-xr-x 2 root root 4096 Mar 15 15:37 .\n" "drwxr-xr-x 4 root root 4096 Mar 15 13:00 ..\n" "-rw-r--r-- 1 root root 771088 Mar 15 13:01\n" "libcrypto.so.0.9.6\n" "-rw-r--r-- 1 root root 54548 Mar 15 13:00 libz.so.1\n" "-rwxr-xr-x 1 root root 23096 Mar 15 15:37 sftp-server" msgstr "" "./usr/lib:\n" "total 852\n" "drwxr-xr-x 2 root root 4096 mars 15 15:37 .\n" "drwxr-xr-x 4 root root 4096 mars 15 13:00 ..\n" "-rw-r--r-- 1 root root 771088 mars 15 13:01 libcrypto.so.0.9.6\n" "-rw-r--r-- 1 root root 54548 mars 15 13:00 libz.so.1\n" "-rwxr-xr-x 1 root root 23096 mars 15 15:37 sftp-server" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1236 msgid "Chrooting the ssh server" msgstr "Chrooter le serveur SSH" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1240 msgid "" "If you create a chroot which includes the SSH server files in, for example " "/var/chroot/ssh, you would start the ssh server " "chroot'ed with this command:" msgstr "" "Si un chroot est créé pour inclure les fichiers du serveur SSH, par exemple " "/var/chroot/ssh, le serveur SSH chrooté serait " "démarré avec cette commande :" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1242 #, no-wrap msgid " # chroot /var/chroot/ssh /sbin/sshd -f /etc/sshd_config" msgstr " # chroot /var/chroot/ssh /sbin/sshd -f /etc/sshd_config" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1253 msgid "" "That would make startup the sshd daemon inside the chroot. In " "order to do that you have to first prepare the contents of the /var/" "chroot/ssh directory so that it includes both the SSH server and all " "the utilities that the users connecting to that server might need. If you " "are doing this you should make certain that OpenSSH uses Privilege " "Separation (which is the default) having the following line in the " "configuration file /etc/ssh/sshd_config:" msgstr "" "Cela ferait démarrer le démon sshd dans le chroot. Pour faire " "cela, il faut d'abord préparer le contenu du répertoire /var/chroot/" "ssh pour inclure à la fois le serveur SSH et tous les utilitaires " "dont les utilisateurs se connectant à ce serveur pourraient avoir besoin. " "Dans ce cas, vous devez vous assurer qu'OpenSSH utilise la séparation de " "droits (ce qui est le cas par défaut) en ayant la ligne suivante dans " "le fichier de configuration /etc/ssh/sshd_config :" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1255 #, no-wrap msgid "UsePrivilegeSeparation yes" msgstr "UsePrivilegeSeparation yes" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1263 msgid "" "That way the remote daemon will do as few things as possible as the root " "user so even if there is a bug in it it will not compromise the chroot. " "Notice that, unlike the case in which you setup a per-user chroot, the ssh " "daemon is running in the same chroot as the users so there is at least one " "potential process running as root which could break out of the chroot." msgstr "" "De cette façon, le démon distant fera aussi peu de choses que possible en " "tant que superutilisateur, donc même en cas de bogue, le chroot ne sera " "pas compromis. Remarquez que, contrairement au cas de la configuration d'un " "chroot par utilisateur, le démon SSH est exécuté dans le même chroot que les " "utilisateurs, donc il y a au moins un processus potentiel exécuté en tant " "que superutilisateur qui pourrait s'échapper du chroot." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1269 msgid "" "Notice, also, that in order for SSH to work in that location, the partition " "where the chroot directory resides cannot be mounted with the nodev " "option. If you use that option, then you will get the following error: " "PRNG is not seeded, because /dev/urandom does not work " "in the chroot." msgstr "" "Remarquez aussi que pour permettre à SSH de fonctionner à cet endroit, la " "partition où le répertoire du chroot existe ne doit pas être montée avec " "l'option nodev. Avec cette option, l'erreur suivante se produira : " "PRNG is not seeded car /dev/urandom ne fonctionne pas " "dans le chroot." #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1271 msgid "Setup a minimal system (the really easy way)" msgstr "Configuration d'un système minimal (la manière vraiment simple)" # NOTE : s/componentes/components/ #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1282 msgid "" "You can use debootstrap to setup a minimal environment " "that just includes the ssh server. In order to do this you just have to " "create a chroot as described in the document. This method is bound to work (you will get all the " "necessary componentes for the chroot) but at the cost of disk space (a " "minimal installation of Debian will amount to several hundred megabytes). " "This minimal system might also include setuid files that a user in the " "chroot could use to break out of the chroot if any of those could be use for " "a privilege escalation." msgstr "" "Utilisez debootstrap pour configurer un environnement " "minimal qui n'inclut que le serveur SSH. Pour faire cela, il suffit de créer " "un chroot comme décrit dans la . Cette méthode est sûre de fonctionner (tous les " "composants nécessaires seront dans le chroot) mais coûtera de l'espace " "disque (une installation minimale de Debian représente plusieurs centaines de " "mégaoctets). Ce système minimal pourrait aussi intégrer des fichiers setuid " "qu'un utilisateur dans le chroot pourrait utiliser pour s'en échapper si " "l'un d'entre eux peut être utilisé pour une augmentation de droits." #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1286 msgid "Automatically making the environment (the easy way)" msgstr "Créer l'environnement automatiquement (la manière simple)" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1291 msgid "" "You can easily create a restricted environment with the makejail package, since it automatically takes care of tracing the server " "daemon (with strace), and makes it run under the restricted " "environment." msgstr "" "Vous pouvez facilement créer un environnement restreint avec le paquet " "makejail puisqu'il prend automatiquement soin de tracer " "le démon serveur (avec strace), et l'exécute dans " "l'environnement restreint." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1296 msgid "" "The advantage of programs that automatically generate chroot " "environments is that they are capable of copying any package to the " "chroot environment (even following the package's dependencies " "and making sure it's complete). Thus, providing user applications is easier." msgstr "" "L'avantage de programmes qui génèrent automatiquement l'environnement de " "chroot est qu'ils sont capables de copier tout paquet vers " "l'environnement de chroot (en suivant même les dépendances de " "paquet et en s'assurant qu'il est complet). Fournir les applications aux " "utilisateurs est donc plus facile." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1299 msgid "" "To set up the environment using makejail's provided examples, " "just create /var/chroot/sshd and use the command:" msgstr "" "Pour mettre en place l'environnement en utilisant les exemples fournis par " "makejail, créez simplement /var/chroot/sshd et " "exécutez la commande suivante :" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1301 #, no-wrap msgid " # makejail /usr/share/doc/makejail/examples/sshd.py" msgstr " # makejail /usr/share/doc/makejail/examples/sshd.py" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1306 msgid "" "This will setup the chroot in the /var/chroot/sshd directory. " "Notice that this chroot will not fully work unless you:" msgstr "" "Cela configurera le chroot dans le répertoire /var/chroot/sshd. " "Remarquez que ce chroot ne sera pas complètement fonctionnel avant de :" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1310 msgid "" "Mount the procfs filesystem in /var/chroot/sshd/proc. " "Makejail will mount it for you but if the system reboots you " "need to remount it running:" msgstr "" "monter le système de fichiers procfs dans /var/chroot/sshd/" "proc. makejail le montera tout seul, mais si le système " "redémarre, il faudra le remonter en exécutant :" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1312 #, no-wrap msgid "# mount -t proc proc /var/chroot/sshd/proc" msgstr "# mount -t proc proc /var/chroot/sshd/proc" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1317 msgid "" "You can also have it be mounted automatically by editing /etc/fstab and including this line:" msgstr "" "Il peut aussi être monté automatiquement en modifiant /etc/fstab pour ajouter cette ligne :" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1319 #, no-wrap msgid "proc-ssh /var/chroot/sshd/proc proc none 0 0" msgstr "proc-ssh /var/chroot/sshd/proc proc none 0 0" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1326 msgid "" "Have syslog listen to the device /dev/log inside the chroot. In " "order to do this you have modify /etc/default/syslogd and add " "-a /var/chroot/sshd/dev/log to the SYSLOGD " "variable definition." msgstr "" "faire écouter syslog sur le périphérique /dev/log dans le " "chroot. Pour faire cela, il faut modifier /etc/default/syslogd " "pour ajouter -a /var/chroot/sshd/dev/log à la définition de la " "variable SYSLOGD." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1336 msgid "" "Read the sample file to see what other changes need to be made to the " "environment. Some of these changes, such as copying user's home directories, " "cannot be done automatically. Also, limit the exposure of sensitive " "information by only copying the data from a given number of users from the " "files /etc/shadow or /etc/group. Notice that if " "you are using Privilege Separation the sshd user needs to exist in " "those files." msgstr "" "Consultez le fichier d'exemple pour savoir quelles autres modifications " "doivent être réalisées dans l'environnement. Certaines de ces modifications, " "comme la copie des répertoires personnels des utilisateurs, ne peuvent être " "réalisées automatiquement. Limitez également l'exposition des informations " "sensibles en ne copiant que les données d'un nombre donné d'utilisateurs des " "fichiers /etc/shadow ou /etc/group. Remarquez " "qu'en utilisant la séparation de droits, l'utilisateur sshd doit exister dans ces fichiers." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1340 msgid "" "The following sample environment has been (slightly) tested in Debian 3.0 " "and is built with the configuration file provided in the package and " "includes the fileutils package:" msgstr "" "L'environnement d'exemple suivant a été (légèrement) testé dans Debian 3.0 " "et est construit avec le fichier de configuration fourni par le paquet et " "inclut le paquet fileutils :" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1528 #, no-wrap msgid "" ".\n" "|-- bin\n" "| |-- ash\n" "| |-- bash\n" "| |-- chgrp\n" "| |-- chmod\n" "| |-- chown\n" "| |-- cp\n" "| |-- csh -> /etc/alternatives/csh\n" "| |-- dd\n" "| |-- df\n" "| |-- dir\n" "| |-- fdflush\n" "| |-- ksh\n" "| |-- ln\n" "| |-- ls\n" "| |-- mkdir\n" "| |-- mknod\n" "| |-- mv\n" "| |-- rbash -> bash\n" "| |-- rm\n" "| |-- rmdir\n" "| |-- sh -> bash\n" "| |-- sync\n" "| |-- tcsh\n" "| |-- touch\n" "| |-- vdir\n" "| |-- zsh -> /etc/alternatives/zsh\n" "| `-- zsh4\n" "|-- dev\n" "| |-- null\n" "| |-- ptmx\n" "| |-- pts\n" "| |-- ptya0\n" "(...)\n" "| |-- tty\n" "| |-- tty0\n" "(...)\n" "| `-- urandom\n" "|-- etc\n" "| |-- alternatives\n" "| | |-- csh -> /bin/tcsh\n" "| | `-- zsh -> /bin/zsh4\n" "| |-- environment\n" "| |-- hosts\n" "| |-- hosts.allow\n" "| |-- hosts.deny\n" "| |-- ld.so.conf\n" "| |-- localtime -> /usr/share/zoneinfo/Europe/Madrid\n" "| |-- motd\n" "| |-- nsswitch.conf\n" "| |-- pam.conf\n" "| |-- pam.d\n" "| | |-- other\n" "| | `-- ssh\n" "| |-- passwd\n" "| |-- resolv.conf\n" "| |-- security\n" "| | |-- access.conf\n" "| | |-- chroot.conf\n" "| | |-- group.conf\n" "| | |-- limits.conf\n" "| | |-- pam_env.conf\n" "| | `-- time.conf\n" "| |-- shadow\n" "| |-- shells\n" "| `-- ssh\n" "| |-- moduli\n" "| |-- ssh_host_dsa_key\n" "| |-- ssh_host_dsa_key.pub\n" "| |-- ssh_host_rsa_key\n" "| |-- ssh_host_rsa_key.pub\n" "| `-- sshd_config\n" "|-- home\n" "| `-- userX\n" "|-- lib\n" "| |-- ld-2.2.5.so\n" "| |-- ld-linux.so.2 
-> ld-2.2.5.so\n" "| |-- libc-2.2.5.so\n" "| |-- libc.so.6 -> libc-2.2.5.so\n" "| |-- libcap.so.1 -> libcap.so.1.10\n" "| |-- libcap.so.1.10\n" "| |-- libcrypt-2.2.5.so\n" "| |-- libcrypt.so.1 -> libcrypt-2.2.5.so\n" "| |-- libdl-2.2.5.so\n" "| |-- libdl.so.2 -> libdl-2.2.5.so\n" "| |-- libm-2.2.5.so\n" "| |-- libm.so.6 -> libm-2.2.5.so\n" "| |-- libncurses.so.5 -> libncurses.so.5.2\n" "| |-- libncurses.so.5.2\n" "| |-- libnsl-2.2.5.so\n" "| |-- libnsl.so.1 -> libnsl-2.2.5.so\n" "| |-- libnss_compat-2.2.5.so\n" "| |-- libnss_compat.so.2 -> libnss_compat-2.2.5.so\n" "| |-- libnss_db-2.2.so\n" "| |-- libnss_db.so.2 -> libnss_db-2.2.so\n" "| |-- libnss_dns-2.2.5.so\n" "| |-- libnss_dns.so.2 -> libnss_dns-2.2.5.so\n" "| |-- libnss_files-2.2.5.so\n" "| |-- libnss_files.so.2 -> libnss_files-2.2.5.so\n" "| |-- libnss_hesiod-2.2.5.so\n" "| |-- libnss_hesiod.so.2 -> libnss_hesiod-2.2.5.so\n" "| |-- libnss_nis-2.2.5.so\n" "| |-- libnss_nis.so.2 -> libnss_nis-2.2.5.so\n" "| |-- libnss_nisplus-2.2.5.so\n" "| |-- libnss_nisplus.so.2 -> libnss_nisplus-2.2.5.so\n" "| |-- libpam.so.0 -> libpam.so.0.72\n" "| |-- libpam.so.0.72\n" "| |-- libpthread-0.9.so\n" "| |-- libpthread.so.0 -> libpthread-0.9.so\n" "| |-- libresolv-2.2.5.so\n" "| |-- libresolv.so.2 -> libresolv-2.2.5.so\n" "| |-- librt-2.2.5.so\n" "| |-- librt.so.1 -> librt-2.2.5.so\n" "| |-- libutil-2.2.5.so\n" "| |-- libutil.so.1 -> libutil-2.2.5.so\n" "| |-- libwrap.so.0 -> libwrap.so.0.7.6\n" "| |-- libwrap.so.0.7.6\n" "| `-- security\n" "| |-- pam_access.so\n" "| |-- pam_chroot.so\n" "| |-- pam_deny.so\n" "| |-- pam_env.so\n" "| |-- pam_filter.so\n" "| |-- pam_ftp.so\n" "| |-- pam_group.so\n" "| |-- pam_issue.so\n" "| |-- pam_lastlog.so\n" "| |-- pam_limits.so\n" "| |-- pam_listfile.so\n" "| |-- pam_mail.so\n" "| |-- pam_mkhomedir.so\n" "| |-- pam_motd.so\n" "| |-- pam_nologin.so\n" "| |-- pam_permit.so\n" "| |-- pam_rhosts_auth.so\n" "| |-- pam_rootok.so\n" "| |-- pam_securetty.so\n" "| |-- pam_shells.so\n" "| |-- 
pam_stress.so\n" "| |-- pam_tally.so\n" "| |-- pam_time.so\n" "| |-- pam_unix.so\n" "| |-- pam_unix_acct.so -> pam_unix.so\n" "| |-- pam_unix_auth.so -> pam_unix.so\n" "| |-- pam_unix_passwd.so -> pam_unix.so\n" "| |-- pam_unix_session.so -> pam_unix.so\n" "| |-- pam_userdb.so\n" "| |-- pam_warn.so\n" "| `-- pam_wheel.so\n" "|-- sbin\n" "| `-- start-stop-daemon\n" "|-- usr\n" "| |-- bin\n" "| | |-- dircolors\n" "| | |-- du\n" "| | |-- install\n" "| | |-- link\n" "| | |-- mkfifo\n" "| | |-- shred\n" "| | |-- touch -> /bin/touch\n" "| | `-- unlink\n" "| |-- lib\n" "| | |-- libcrypto.so.0.9.6\n" "| | |-- libdb3.so.3 -> libdb3.so.3.0.2\n" "| | |-- libdb3.so.3.0.2\n" "| | |-- libz.so.1 -> libz.so.1.1.4\n" "| | `-- libz.so.1.1.4\n" "| |-- sbin\n" "| | `-- sshd\n" "| `-- share\n" "| |-- locale\n" "| | `-- es\n" "| | |-- LC_MESSAGES\n" "| | | |-- fileutils.mo\n" "| | | |-- libc.mo\n" "| | | `-- sh-utils.mo\n" "| | `-- LC_TIME -> LC_MESSAGES\n" "| `-- zoneinfo\n" "| `-- Europe\n" "| `-- Madrid\n" "`-- var\n" " `-- run\n" " |-- sshd\n" " `-- sshd.pid\n" "\n" "27 directories, 733 files" msgstr "" ".\n" "|-- bin\n" "| |-- ash\n" "| |-- bash\n" "| |-- chgrp\n" "| |-- chmod\n" "| |-- chown\n" "| |-- cp\n" "| |-- csh -> /etc/alternatives/csh\n" "| |-- dd\n" "| |-- df\n" "| |-- dir\n" "| |-- fdflush\n" "| |-- ksh\n" "| |-- ln\n" "| |-- ls\n" "| |-- mkdir\n" "| |-- mknod\n" "| |-- mv\n" "| |-- rbash -> bash\n" "| |-- rm\n" "| |-- rmdir\n" "| |-- sh -> bash\n" "| |-- sync\n" "| |-- tcsh\n" "| |-- touch\n" "| |-- vdir\n" "| |-- zsh -> /etc/alternatives/zsh\n" "| `-- zsh4\n" "|-- dev\n" "| |-- null\n" "| |-- ptmx\n" "| |-- pts\n" "| |-- ptya0\n" "(...)\n" "| |-- tty\n" "| |-- tty0\n" "(...)\n" "| `-- urandom\n" "|-- etc\n" "| |-- alternatives\n" "| | |-- csh -> /bin/tcsh\n" "| | `-- zsh -> /bin/zsh4\n" "| |-- environment\n" "| |-- hosts\n" "| |-- hosts.allow\n" "| |-- hosts.deny\n" "| |-- ld.so.conf\n" "| |-- localtime -> /usr/share/zoneinfo/Europe/Madrid\n" "| |-- motd\n" "| |-- 
nsswitch.conf\n" "| |-- pam.conf\n" "| |-- pam.d\n" "| | |-- other\n" "| | `-- ssh\n" "| |-- passwd\n" "| |-- resolv.conf\n" "| |-- security\n" "| | |-- access.conf\n" "| | |-- chroot.conf\n" "| | |-- group.conf\n" "| | |-- limits.conf\n" "| | |-- pam_env.conf\n" "| | `-- time.conf\n" "| |-- shadow\n" "| |-- shells\n" "| `-- ssh\n" "| |-- moduli\n" "| |-- ssh_host_dsa_key\n" "| |-- ssh_host_dsa_key.pub\n" "| |-- ssh_host_rsa_key\n" "| |-- ssh_host_rsa_key.pub\n" "| `-- sshd_config\n" "|-- home\n" "| `-- userX\n" "|-- lib\n" "| |-- ld-2.2.5.so\n" "| |-- ld-linux.so.2 -> ld-2.2.5.so\n" "| |-- libc-2.2.5.so\n" "| |-- libc.so.6 -> libc-2.2.5.so\n" "| |-- libcap.so.1 -> libcap.so.1.10\n" "| |-- libcap.so.1.10\n" "| |-- libcrypt-2.2.5.so\n" "| |-- libcrypt.so.1 -> libcrypt-2.2.5.so\n" "| |-- libdl-2.2.5.so\n" "| |-- libdl.so.2 -> libdl-2.2.5.so\n" "| |-- libm-2.2.5.so\n" "| |-- libm.so.6 -> libm-2.2.5.so\n" "| |-- libncurses.so.5 -> libncurses.so.5.2\n" "| |-- libncurses.so.5.2\n" "| |-- libnsl-2.2.5.so\n" "| |-- libnsl.so.1 -> libnsl-2.2.5.so\n" "| |-- libnss_compat-2.2.5.so\n" "| |-- libnss_compat.so.2 -> libnss_compat-2.2.5.so\n" "| |-- libnss_db-2.2.so\n" "| |-- libnss_db.so.2 -> libnss_db-2.2.so\n" "| |-- libnss_dns-2.2.5.so\n" "| |-- libnss_dns.so.2 -> libnss_dns-2.2.5.so\n" "| |-- libnss_files-2.2.5.so\n" "| |-- libnss_files.so.2 -> libnss_files-2.2.5.so\n" "| |-- libnss_hesiod-2.2.5.so\n" "| |-- libnss_hesiod.so.2 -> libnss_hesiod-2.2.5.so\n" "| |-- libnss_nis-2.2.5.so\n" "| |-- libnss_nis.so.2 -> libnss_nis-2.2.5.so\n" "| |-- libnss_nisplus-2.2.5.so\n" "| |-- libnss_nisplus.so.2 -> libnss_nisplus-2.2.5.so\n" "| |-- libpam.so.0 -> libpam.so.0.72\n" "| |-- libpam.so.0.72\n" "| |-- libpthread-0.9.so\n" "| |-- libpthread.so.0 -> libpthread-0.9.so\n" "| |-- libresolv-2.2.5.so\n" "| |-- libresolv.so.2 -> libresolv-2.2.5.so\n" "| |-- librt-2.2.5.so\n" "| |-- librt.so.1 -> librt-2.2.5.so\n" "| |-- libutil-2.2.5.so\n" "| |-- libutil.so.1 -> libutil-2.2.5.so\n" "| |-- 
libwrap.so.0 -> libwrap.so.0.7.6\n" "| |-- libwrap.so.0.7.6\n" "| `-- security\n" "| |-- pam_access.so\n" "| |-- pam_chroot.so\n" "| |-- pam_deny.so\n" "| |-- pam_env.so\n" "| |-- pam_filter.so\n" "| |-- pam_ftp.so\n" "| |-- pam_group.so\n" "| |-- pam_issue.so\n" "| |-- pam_lastlog.so\n" "| |-- pam_limits.so\n" "| |-- pam_listfile.so\n" "| |-- pam_mail.so\n" "| |-- pam_mkhomedir.so\n" "| |-- pam_motd.so\n" "| |-- pam_nologin.so\n" "| |-- pam_permit.so\n" "| |-- pam_rhosts_auth.so\n" "| |-- pam_rootok.so\n" "| |-- pam_securetty.so\n" "| |-- pam_shells.so\n" "| |-- pam_stress.so\n" "| |-- pam_tally.so\n" "| |-- pam_time.so\n" "| |-- pam_unix.so\n" "| |-- pam_unix_acct.so -> pam_unix.so\n" "| |-- pam_unix_auth.so -> pam_unix.so\n" "| |-- pam_unix_passwd.so -> pam_unix.so\n" "| |-- pam_unix_session.so -> pam_unix.so\n" "| |-- pam_userdb.so\n" "| |-- pam_warn.so\n" "| `-- pam_wheel.so\n" "|-- sbin\n" "| `-- start-stop-daemon\n" "|-- usr\n" "| |-- bin\n" "| | |-- dircolors\n" "| | |-- du\n" "| | |-- install\n" "| | |-- link\n" "| | |-- mkfifo\n" "| | |-- shred\n" "| | |-- touch -> /bin/touch\n" "| | `-- unlink\n" "| |-- lib\n" "| | |-- libcrypto.so.0.9.6\n" "| | |-- libdb3.so.3 -> libdb3.so.3.0.2\n" "| | |-- libdb3.so.3.0.2\n" "| | |-- libz.so.1 -> libz.so.1.1.4\n" "| | `-- libz.so.1.1.4\n" "| |-- sbin\n" "| | `-- sshd\n" "| `-- share\n" "| |-- locale\n" "| | `-- es\n" "| | |-- LC_MESSAGES\n" "| | | |-- fileutils.mo\n" "| | | |-- libc.mo\n" "| | | `-- sh-utils.mo\n" "| | `-- LC_TIME -> LC_MESSAGES\n" "| `-- zoneinfo\n" "| `-- Europe\n" "| `-- Madrid\n" "`-- var\n" " `-- run\n" " |-- sshd\n" " `-- sshd.pid\n" "\n" "27 répertoire, 733 fichiers" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1534 msgid "" "For Debian release 3.1 you have to make sure that the environment includes " "also the common files for PAM. The following files need to be copied over to " "the chroot if makejail did not do it for you:" msgstr "" "Avec Debian 3.1, il faut s'assurer que l'environnement inclut aussi les " "fichiers communs pour PAM. Les fichiers suivants doivent être copiés dans le " "chroot si makejail ne l'a pas fait :" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1538 #, no-wrap msgid "" "$ ls /etc/pam.d/common-*\n" "/etc/pam.d/common-account /etc/pam.d/common-password\n" "/etc/pam.d/common-auth /etc/pam.d/common-session" msgstr "" "$ ls /etc/pam.d/common-*\n" "/etc/pam.d/common-account /etc/pam.d/common-password\n" "/etc/pam.d/common-auth /etc/pam.d/common-session" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1547 msgid "Manually creating the environment (the hard way)" msgstr "Créer soi-même l'environnement (la manière difficile)" #. type:

# NOTE: the source text below states that the sample chroot contains no SETUID files, but the listing that follows it shows ssh* and slogin* in ./bin with mode -rws--x--x (setuid root). A setuid binary inside the chroot is exactly what the paragraph warns could be used to break out of it, so the claim and the listing disagree; check which one is current before translating the claim as-is.
#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1563 msgid "" "It is possible to create an environment, using a trial-and-error method, by " "monitoring the sshd server traces and log files in order to " "determine the necessary files. The following environment, contributed by " "José Luis Ledesma, is a sample listing of files in a chroot " "environment for ssh in Debian woody (3.0):

Notice " "that there are no SETUID files. This makes it more difficult for remote " "users to escape the chroot environment. However, it also " "prevents users from changing their passwords, since the passwd " "program cannot modify the files /etc/passwd or /etc/" "shadow.

" msgstr "" "Il est possible de créer un environnement, en utilisant une méthode par " "essais et erreurs, en surveillant les traces du serveur sshd et les " "fichiers journaux pour déterminer les fichiers nécessaires. L'environnement " "suivant, fourni par José Luis Ledesma, est un listing exemple des fichiers " "dans un environnement de chroot pour ssh dans " "Debian Woody (3.0):

Remarquez qu'il n'y a pas de fichiers " "SETUID. Cela rend plus difficile pour les utilisateurs distants de " "s'échapper de l'environnement de chroot. Cependant, il empêche " "également les utilisateurs de changer leurs mots de passe, car le programme " "passwd ne peut pas modifier les fichiers /etc/passwd ou /etc/shadow.

" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1804 #, no-wrap msgid "" ".:\n" "total 36\n" "drwxr-xr-x 9 root root 4096 Jun 5 10:05 ./\n" "drwxr-xr-x 11 root root 4096 Jun 3 13:43 ../\n" "drwxr-xr-x 2 root root 4096 Jun 4 12:13 bin/\n" "drwxr-xr-x 2 root root 4096 Jun 4 12:16 dev/\n" "drwxr-xr-x 4 root root 4096 Jun 4 12:35 etc/\n" "drwxr-xr-x 3 root root 4096 Jun 4 12:13 lib/\n" "drwxr-xr-x 2 root root 4096 Jun 4 12:35 sbin/\n" "drwxr-xr-x 2 root root 4096 Jun 4 12:32 tmp/\n" "drwxr-xr-x 2 root root 4096 Jun 4 12:16 usr/\n" "./bin:\n" "total 8368\n" "drwxr-xr-x 2 root root 4096 Jun 4 12:13 ./\n" "drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../\n" "-rwxr-xr-x 1 root root 109855 Jun 3 13:45 a2p*\n" "-rwxr-xr-x 1 root root 387764 Jun 3 13:45 bash*\n" "-rwxr-xr-x 1 root root 36365 Jun 3 13:45 c2ph*\n" "-rwxr-xr-x 1 root root 20629 Jun 3 13:45 dprofpp*\n" "-rwxr-xr-x 1 root root 6956 Jun 3 13:46 env*\n" "-rwxr-xr-x 1 root root 158116 Jun 3 13:45 fax2ps*\n" "-rwxr-xr-x 1 root root 104008 Jun 3 13:45 faxalter*\n" "-rwxr-xr-x 1 root root 89340 Jun 3 13:45 faxcover*\n" "-rwxr-xr-x 1 root root 441584 Jun 3 13:45 faxmail*\n" "-rwxr-xr-x 1 root root 96036 Jun 3 13:45 faxrm*\n" "-rwxr-xr-x 1 root root 107000 Jun 3 13:45 faxstat*\n" "-rwxr-xr-x 1 root root 77832 Jun 4 11:46 grep*\n" "-rwxr-xr-x 1 root root 19597 Jun 3 13:45 h2ph*\n" "-rwxr-xr-x 1 root root 46979 Jun 3 13:45 h2xs*\n" "-rwxr-xr-x 1 root root 10420 Jun 3 13:46 id*\n" "-rwxr-xr-x 1 root root 4528 Jun 3 13:46 ldd*\n" "-rwxr-xr-x 1 root root 111386 Jun 4 11:46 less*\n" "-r-xr-xr-x 1 root root 26168 Jun 3 13:45 login*\n" "-rwxr-xr-x 1 root root 49164 Jun 3 13:45 ls*\n" "-rwxr-xr-x 1 root root 11600 Jun 3 13:45 mkdir*\n" "-rwxr-xr-x 1 root root 24780 Jun 3 13:45 more*\n" "-rwxr-xr-x 1 root root 154980 Jun 3 13:45 pal2rgb*\n" "-rwxr-xr-x 1 root root 27920 Jun 3 13:46 passwd*\n" "-rwxr-xr-x 1 root root 4241 Jun 3 13:45 pl2pm*\n" "-rwxr-xr-x 1 root root 2350 Jun 3 13:45 pod2html*\n" "-rwxr-xr-x 1 root root 
7875 Jun 3 13:45 pod2latex*\n" "-rwxr-xr-x 1 root root 17587 Jun 3 13:45 pod2man*\n" "-rwxr-xr-x 1 root root 6877 Jun 3 13:45 pod2text*\n" "-rwxr-xr-x 1 root root 3300 Jun 3 13:45 pod2usage*\n" "-rwxr-xr-x 1 root root 3341 Jun 3 13:45 podchecker*\n" "-rwxr-xr-x 1 root root 2483 Jun 3 13:45 podselect*\n" "-r-xr-xr-x 1 root root 82412 Jun 4 11:46 ps*\n" "-rwxr-xr-x 1 root root 36365 Jun 3 13:45 pstruct*\n" "-rwxr-xr-x 1 root root 7120 Jun 3 13:45 pwd*\n" "-rwxr-xr-x 1 root root 179884 Jun 3 13:45 rgb2ycbcr*\n" "-rwxr-xr-x 1 root root 20532 Jun 3 13:45 rm*\n" "-rwxr-xr-x 1 root root 6720 Jun 4 10:15 rmdir*\n" "-rwxr-xr-x 1 root root 14705 Jun 3 13:45 s2p*\n" "-rwxr-xr-x 1 root root 28764 Jun 3 13:46 scp*\n" "-rwxr-xr-x 1 root root 385000 Jun 3 13:45 sendfax*\n" "-rwxr-xr-x 1 root root 67548 Jun 3 13:45 sendpage*\n" "-rwxr-xr-x 1 root root 88632 Jun 3 13:46 sftp*\n" "-rwxr-xr-x 1 root root 387764 Jun 3 13:45 sh*\n" "-rws--x--x 1 root root 744500 Jun 3 13:46 slogin*\n" "-rwxr-xr-x 1 root root 14523 Jun 3 13:46 splain*\n" "-rws--x--x 1 root root 744500 Jun 3 13:46 ssh*\n" "-rwxr-xr-x 1 root root 570960 Jun 3 13:46 ssh-add*\n" "-rwxr-xr-x 1 root root 502952 Jun 3 13:46 ssh-agent*\n" "-rwxr-xr-x 1 root root 575740 Jun 3 13:46 ssh-keygen*\n" "-rwxr-xr-x 1 root root 383480 Jun 3 13:46 ssh-keyscan*\n" "-rwxr-xr-x 1 root root 39 Jun 3 13:46 ssh_europa*\n" "-rwxr-xr-x 1 root root 107252 Jun 4 10:14 strace*\n" "-rwxr-xr-x 1 root root 8323 Jun 4 10:14 strace-graph*\n" "-rwxr-xr-x 1 root root 158088 Jun 3 13:46 thumbnail*\n" "-rwxr-xr-x 1 root root 6312 Jun 3 13:46 tty*\n" "-rwxr-xr-x 1 root root 55904 Jun 4 11:46 useradd*\n" "-rwxr-xr-x 1 root root 585656 Jun 4 11:47 vi*\n" "-rwxr-xr-x 1 root root 6444 Jun 4 11:45 whoami*\n" "./dev:\n" "total 8\n" "drwxr-xr-x 2 root root 4096 Jun 4 12:16 ./\n" "drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../\n" "crw-r--r-- 1 root root 1, 9 Jun 3 13:43 urandom\n" "./etc:\n" "total 208\n" "drwxr-xr-x 4 root root 4096 Jun 4 12:35 ./\n" "drwxr-xr-x 9 
root root 4096 Jun 5 10:05 ../\n" "-rw------- 1 root root 0 Jun 4 11:46 .pwd.lock\n" "-rw-r--r-- 1 root root 653 Jun 3 13:46 group\n" "-rw-r--r-- 1 root root 242 Jun 4 11:33 host.conf\n" "-rw-r--r-- 1 root root 857 Jun 4 12:04 hosts\n" "-rw-r--r-- 1 root root 1050 Jun 4 11:29 ld.so.cache\n" "-rw-r--r-- 1 root root 304 Jun 4 11:28 ld.so.conf\n" "-rw-r--r-- 1 root root 235 Jun 4 11:27 ld.so.conf~\n" "-rw-r--r-- 1 root root 88039 Jun 3 13:46 moduli\n" "-rw-r--r-- 1 root root 1342 Jun 4 11:34 nsswitch.conf\n" "drwxr-xr-x 2 root root 4096 Jun 4 12:02 pam.d/\n" "-rw-r--r-- 1 root root 28 Jun 4 12:00 pam_smb.conf\n" "-rw-r--r-- 1 root root 2520 Jun 4 11:57 passwd\n" "-rw-r--r-- 1 root root 7228 Jun 3 13:48 profile\n" "-rw-r--r-- 1 root root 1339 Jun 4 11:33 protocols\n" "-rw-r--r-- 1 root root 274 Jun 4 11:44 resolv.conf\n" "drwxr-xr-x 2 root root 4096 Jun 3 13:43 security/\n" "-rw-r----- 1 root root 1178 Jun 4 11:51 shadow\n" "-rw------- 1 root root 80 Jun 4 11:45 shadow-\n" "-rw-r----- 1 root root 1178 Jun 4 11:48 shadow.old\n" "-rw-r--r-- 1 root root 161 Jun 3 13:46 shells\n" "-rw-r--r-- 1 root root 1144 Jun 3 13:46 ssh_config\n" "-rw------- 1 root root 668 Jun 3 13:46 ssh_host_dsa_key\n" "-rw-r--r-- 1 root root 602 Jun 3 13:46 ssh_host_dsa_key.pub\n" "-rw------- 1 root root 527 Jun 3 13:46 ssh_host_key\n" "-rw-r--r-- 1 root root 331 Jun 3 13:46 ssh_host_key.pub\n" "-rw------- 1 root root 883 Jun 3 13:46 ssh_host_rsa_key\n" "-rw-r--r-- 1 root root 222 Jun 3 13:46 ssh_host_rsa_key.pub\n" "-rw-r--r-- 1 root root 2471 Jun 4 12:15 sshd_config\n" "./etc/pam.d:\n" "total 24\n" "drwxr-xr-x 2 root root 4096 Jun 4 12:02 ./\n" "drwxr-xr-x 4 root root 4096 Jun 4 12:35 ../\n" "lrwxrwxrwx 1 root root 4 Jun 4 12:02 other -> sshd\n" "-rw-r--r-- 1 root root 318 Jun 3 13:46 passwd\n" "-rw-r--r-- 1 root root 546 Jun 4 11:36 ssh\n" "-rw-r--r-- 1 root root 479 Jun 4 12:02 sshd\n" "-rw-r--r-- 1 root root 370 Jun 3 13:46 su\n" "./etc/security:\n" "total 32\n" "drwxr-xr-x 2 root root 4096 
Jun 3 13:43 ./\n" "drwxr-xr-x 4 root root 4096 Jun 4 12:35 ../\n" "-rw-r--r-- 1 root root 1971 Jun 3 13:46 access.conf\n" "-rw-r--r-- 1 root root 184 Jun 3 13:46 chroot.conf\n" "-rw-r--r-- 1 root root 2145 Jun 3 13:46 group.conf\n" "-rw-r--r-- 1 root root 1356 Jun 3 13:46 limits.conf\n" "-rw-r--r-- 1 root root 2858 Jun 3 13:46 pam_env.conf\n" "-rw-r--r-- 1 root root 2154 Jun 3 13:46 time.conf\n" "./lib:\n" "total 8316\n" "drwxr-xr-x 3 root root 4096 Jun 4 12:13 ./\n" "drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../\n" "-rw-r--r-- 1 root root 1024 Jun 4 11:51 cracklib_dict.hwm\n" "-rw-r--r-- 1 root root 214324 Jun 4 11:51 cracklib_dict.pwd\n" "-rw-r--r-- 1 root root 11360 Jun 4 11:51 cracklib_dict.pwi\n" "-rwxr-xr-x 1 root root 342427 Jun 3 13:46 ld-linux.so.2*\n" "-rwxr-xr-x 1 root root 4061504 Jun 3 13:46 libc.so.6*\n" "lrwxrwxrwx 1 root root 15 Jun 4 12:11 libcrack.so -> libcrack.so.2.7*\n" "lrwxrwxrwx 1 root root 15 Jun 4 12:11 libcrack.so.2 -> libcrack.so.2.7*\n" "-rwxr-xr-x 1 root root 33291 Jun 4 11:39 libcrack.so.2.7*\n" "-rwxr-xr-x 1 root root 60988 Jun 3 13:46 libcrypt.so.1*\n" "-rwxr-xr-x 1 root root 71846 Jun 3 13:46 libdl.so.2*\n" "-rwxr-xr-x 1 root root 27762 Jun 3 13:46 libhistory.so.4.0*\n" "lrwxrwxrwx 1 root root 17 Jun 4 12:12 libncurses.so.4 -> libncurses.so.4.2*\n" "-rwxr-xr-x 1 root root 503903 Jun 3 13:46 libncurses.so.4.2*\n" "lrwxrwxrwx 1 root root 17 Jun 4 12:12 libncurses.so.5 -> libncurses.so.5.0*\n" "-rwxr-xr-x 1 root root 549429 Jun 3 13:46 libncurses.so.5.0*\n" "-rwxr-xr-x 1 root root 369801 Jun 3 13:46 libnsl.so.1*\n" "-rwxr-xr-x 1 root root 142563 Jun 4 11:49 libnss_compat.so.1*\n" "-rwxr-xr-x 1 root root 215569 Jun 4 11:49 libnss_compat.so.2*\n" "-rwxr-xr-x 1 root root 61648 Jun 4 11:34 libnss_dns.so.1*\n" "-rwxr-xr-x 1 root root 63453 Jun 4 11:34 libnss_dns.so.2*\n" "-rwxr-xr-x 1 root root 63782 Jun 4 11:34 libnss_dns6.so.2*\n" "-rwxr-xr-x 1 root root 205715 Jun 3 13:46 libnss_files.so.1*\n" "-rwxr-xr-x 1 root root 235932 Jun 3 13:49 
libnss_files.so.2*\n" "-rwxr-xr-x 1 root root 204383 Jun 4 11:33 libnss_nis.so.1*\n" "-rwxr-xr-x 1 root root 254023 Jun 4 11:33 libnss_nis.so.2*\n" "-rwxr-xr-x 1 root root 256465 Jun 4 11:33 libnss_nisplus.so.2*\n" "lrwxrwxrwx 1 root root 14 Jun 4 12:12 libpam.so.0 -> libpam.so.0.72*\n" "-rwxr-xr-x 1 root root 31449 Jun 3 13:46 libpam.so.0.72*\n" "lrwxrwxrwx 1 root root 19 Jun 4 12:12 libpam_misc.so.0 ->\n" "libpam_misc.so.0.72*\n" "-rwxr-xr-x 1 root root 8125 Jun 3 13:46 libpam_misc.so.0.72*\n" "lrwxrwxrwx 1 root root 15 Jun 4 12:12 libpamc.so.0 -> libpamc.so.0.72*\n" "-rwxr-xr-x 1 root root 10499 Jun 3 13:46 libpamc.so.0.72*\n" "-rwxr-xr-x 1 root root 176427 Jun 3 13:46 libreadline.so.4.0*\n" "-rwxr-xr-x 1 root root 44729 Jun 3 13:46 libutil.so.1*\n" "-rwxr-xr-x 1 root root 70254 Jun 3 13:46 libz.a*\n" "lrwxrwxrwx 1 root root 13 Jun 4 12:13 libz.so -> libz.so.1.1.3*\n" "lrwxrwxrwx 1 root root 13 Jun 4 12:13 libz.so.1 -> libz.so.1.1.3*\n" "-rwxr-xr-x 1 root root 63312 Jun 3 13:46 libz.so.1.1.3*\n" "drwxr-xr-x 2 root root 4096 Jun 4 12:00 security/\n" "./lib/security:\n" "total 668\n" "drwxr-xr-x 2 root root 4096 Jun 4 12:00 ./\n" "drwxr-xr-x 3 root root 4096 Jun 4 12:13 ../\n" "-rwxr-xr-x 1 root root 10067 Jun 3 13:46 pam_access.so*\n" "-rwxr-xr-x 1 root root 8300 Jun 3 13:46 pam_chroot.so*\n" "-rwxr-xr-x 1 root root 14397 Jun 3 13:46 pam_cracklib.so*\n" "-rwxr-xr-x 1 root root 5082 Jun 3 13:46 pam_deny.so*\n" "-rwxr-xr-x 1 root root 13153 Jun 3 13:46 pam_env.so*\n" "-rwxr-xr-x 1 root root 13371 Jun 3 13:46 pam_filter.so*\n" "-rwxr-xr-x 1 root root 7957 Jun 3 13:46 pam_ftp.so*\n" "-rwxr-xr-x 1 root root 12771 Jun 3 13:46 pam_group.so*\n" "-rwxr-xr-x 1 root root 10174 Jun 3 13:46 pam_issue.so*\n" "-rwxr-xr-x 1 root root 9774 Jun 3 13:46 pam_lastlog.so*\n" "-rwxr-xr-x 1 root root 13591 Jun 3 13:46 pam_limits.so*\n" "-rwxr-xr-x 1 root root 11268 Jun 3 13:46 pam_listfile.so*\n" "-rwxr-xr-x 1 root root 11182 Jun 3 13:46 pam_mail.so*\n" "-rwxr-xr-x 1 root root 5923 Jun 
3 13:46 pam_nologin.so*\n" "-rwxr-xr-x 1 root root 5460 Jun 3 13:46 pam_permit.so*\n" "-rwxr-xr-x 1 root root 18226 Jun 3 13:46 pam_pwcheck.so*\n" "-rwxr-xr-x 1 root root 12590 Jun 3 13:46 pam_rhosts_auth.so*\n" "-rwxr-xr-x 1 root root 5551 Jun 3 13:46 pam_rootok.so*\n" "-rwxr-xr-x 1 root root 7239 Jun 3 13:46 pam_securetty.so*\n" "-rwxr-xr-x 1 root root 6551 Jun 3 13:46 pam_shells.so*\n" "-rwxr-xr-x 1 root root 55925 Jun 4 12:00 pam_smb_auth.so*\n" "-rwxr-xr-x 1 root root 12678 Jun 3 13:46 pam_stress.so*\n" "-rwxr-xr-x 1 root root 11170 Jun 3 13:46 pam_tally.so*\n" "-rwxr-xr-x 1 root root 11124 Jun 3 13:46 pam_time.so*\n" "-rwxr-xr-x 1 root root 45703 Jun 3 13:46 pam_unix.so*\n" "-rwxr-xr-x 1 root root 45703 Jun 3 13:46 pam_unix2.so*\n" "-rwxr-xr-x 1 root root 45386 Jun 3 13:46 pam_unix_acct.so*\n" "-rwxr-xr-x 1 root root 45386 Jun 3 13:46 pam_unix_auth.so*\n" "-rwxr-xr-x 1 root root 45386 Jun 3 13:46 pam_unix_passwd.so*\n" "-rwxr-xr-x 1 root root 45386 Jun 3 13:46 pam_unix_session.so*\n" "-rwxr-xr-x 1 root root 9726 Jun 3 13:46 pam_userdb.so*\n" "-rwxr-xr-x 1 root root 6424 Jun 3 13:46 pam_warn.so*\n" "-rwxr-xr-x 1 root root 7460 Jun 3 13:46 pam_wheel.so*\n" "./sbin:\n" "total 3132\n" "drwxr-xr-x 2 root root 4096 Jun 4 12:35 ./\n" "drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../\n" "-rwxr-xr-x 1 root root 178256 Jun 3 13:46 choptest*\n" "-rwxr-xr-x 1 root root 184032 Jun 3 13:46 cqtest*\n" "-rwxr-xr-x 1 root root 81096 Jun 3 13:46 dialtest*\n" "-rwxr-xr-x 1 root root 1142128 Jun 4 11:28 ldconfig*\n" "-rwxr-xr-x 1 root root 2868 Jun 3 13:46 lockname*\n" "-rwxr-xr-x 1 root root 3340 Jun 3 13:46 ondelay*\n" "-rwxr-xr-x 1 root root 376796 Jun 3 13:46 pagesend*\n" "-rwxr-xr-x 1 root root 13950 Jun 3 13:46 probemodem*\n" "-rwxr-xr-x 1 root root 9234 Jun 3 13:46 recvstats*\n" "-rwxr-xr-x 1 root root 64480 Jun 3 13:46 sftp-server*\n" "-rwxr-xr-x 1 root root 744412 Jun 3 13:46 sshd*\n" "-rwxr-xr-x 1 root root 30750 Jun 4 11:46 su*\n" "-rwxr-xr-x 1 root root 194632 Jun 3 13:46 
tagtest*\n" "-rwxr-xr-x 1 root root 69892 Jun 3 13:46 tsitest*\n" "-rwxr-xr-x 1 root root 43792 Jun 3 13:46 typetest*\n" "./tmp:\n" "total 8\n" "drwxr-xr-x 2 root root 4096 Jun 4 12:32 ./\n" "drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../\n" "./usr:\n" "total 8\n" "drwxr-xr-x 2 root root 4096 Jun 4 12:16 ./\n" "drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../\n" "lrwxrwxrwx 1 root root 7 Jun 4 12:14 bin -> ../bin//\n" "lrwxrwxrwx 1 root root 7 Jun 4 11:33 lib -> ../lib//\n" "lrwxrwxrwx 1 root root 8 Jun 4 12:13 sbin -> ../sbin//" msgstr "" ".:\n" "total 36\n" "drwxr-xr-x 9 root root 4096 Jun 5 10:05 ./\n" "drwxr-xr-x 11 root root 4096 Jun 3 13:43 ../\n" "drwxr-xr-x 2 root root 4096 Jun 4 12:13 bin/\n" "drwxr-xr-x 2 root root 4096 Jun 4 12:16 dev/\n" "drwxr-xr-x 4 root root 4096 Jun 4 12:35 etc/\n" "drwxr-xr-x 3 root root 4096 Jun 4 12:13 lib/\n" "drwxr-xr-x 2 root root 4096 Jun 4 12:35 sbin/\n" "drwxr-xr-x 2 root root 4096 Jun 4 12:32 tmp/\n" "drwxr-xr-x 2 root root 4096 Jun 4 12:16 usr/\n" "./bin:\n" "total 8368\n" "drwxr-xr-x 2 root root 4096 Jun 4 12:13 ./\n" "drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../\n" "-rwxr-xr-x 1 root root 109855 Jun 3 13:45 a2p*\n" "-rwxr-xr-x 1 root root 387764 Jun 3 13:45 bash*\n" "-rwxr-xr-x 1 root root 36365 Jun 3 13:45 c2ph*\n" "-rwxr-xr-x 1 root root 20629 Jun 3 13:45 dprofpp*\n" "-rwxr-xr-x 1 root root 6956 Jun 3 13:46 env*\n" "-rwxr-xr-x 1 root root 158116 Jun 3 13:45 fax2ps*\n" "-rwxr-xr-x 1 root root 104008 Jun 3 13:45 faxalter*\n" "-rwxr-xr-x 1 root root 89340 Jun 3 13:45 faxcover*\n" "-rwxr-xr-x 1 root root 441584 Jun 3 13:45 faxmail*\n" "-rwxr-xr-x 1 root root 96036 Jun 3 13:45 faxrm*\n" "-rwxr-xr-x 1 root root 107000 Jun 3 13:45 faxstat*\n" "-rwxr-xr-x 1 root root 77832 Jun 4 11:46 grep*\n" "-rwxr-xr-x 1 root root 19597 Jun 3 13:45 h2ph*\n" "-rwxr-xr-x 1 root root 46979 Jun 3 13:45 h2xs*\n" "-rwxr-xr-x 1 root root 10420 Jun 3 13:46 id*\n" "-rwxr-xr-x 1 root root 4528 Jun 3 13:46 ldd*\n" "-rwxr-xr-x 1 root root 111386 Jun 4 11:46 
less*\n" "-r-xr-xr-x 1 root root 26168 Jun 3 13:45 login*\n" "-rwxr-xr-x 1 root root 49164 Jun 3 13:45 ls*\n" "-rwxr-xr-x 1 root root 11600 Jun 3 13:45 mkdir*\n" "-rwxr-xr-x 1 root root 24780 Jun 3 13:45 more*\n" "-rwxr-xr-x 1 root root 154980 Jun 3 13:45 pal2rgb*\n" "-rwxr-xr-x 1 root root 27920 Jun 3 13:46 passwd*\n" "-rwxr-xr-x 1 root root 4241 Jun 3 13:45 pl2pm*\n" "-rwxr-xr-x 1 root root 2350 Jun 3 13:45 pod2html*\n" "-rwxr-xr-x 1 root root 7875 Jun 3 13:45 pod2latex*\n" "-rwxr-xr-x 1 root root 17587 Jun 3 13:45 pod2man*\n" "-rwxr-xr-x 1 root root 6877 Jun 3 13:45 pod2text*\n" "-rwxr-xr-x 1 root root 3300 Jun 3 13:45 pod2usage*\n" "-rwxr-xr-x 1 root root 3341 Jun 3 13:45 podchecker*\n" "-rwxr-xr-x 1 root root 2483 Jun 3 13:45 podselect*\n" "-r-xr-xr-x 1 root root 82412 Jun 4 11:46 ps*\n" "-rwxr-xr-x 1 root root 36365 Jun 3 13:45 pstruct*\n" "-rwxr-xr-x 1 root root 7120 Jun 3 13:45 pwd*\n" "-rwxr-xr-x 1 root root 179884 Jun 3 13:45 rgb2ycbcr*\n" "-rwxr-xr-x 1 root root 20532 Jun 3 13:45 rm*\n" "-rwxr-xr-x 1 root root 6720 Jun 4 10:15 rmdir*\n" "-rwxr-xr-x 1 root root 14705 Jun 3 13:45 s2p*\n" "-rwxr-xr-x 1 root root 28764 Jun 3 13:46 scp*\n" "-rwxr-xr-x 1 root root 385000 Jun 3 13:45 sendfax*\n" "-rwxr-xr-x 1 root root 67548 Jun 3 13:45 sendpage*\n" "-rwxr-xr-x 1 root root 88632 Jun 3 13:46 sftp*\n" "-rwxr-xr-x 1 root root 387764 Jun 3 13:45 sh*\n" "-rws--x--x 1 root root 744500 Jun 3 13:46 slogin*\n" "-rwxr-xr-x 1 root root 14523 Jun 3 13:46 splain*\n" "-rws--x--x 1 root root 744500 Jun 3 13:46 ssh*\n" "-rwxr-xr-x 1 root root 570960 Jun 3 13:46 ssh-add*\n" "-rwxr-xr-x 1 root root 502952 Jun 3 13:46 ssh-agent*\n" "-rwxr-xr-x 1 root root 575740 Jun 3 13:46 ssh-keygen*\n" "-rwxr-xr-x 1 root root 383480 Jun 3 13:46 ssh-keyscan*\n" "-rwxr-xr-x 1 root root 39 Jun 3 13:46 ssh_europa*\n" "-rwxr-xr-x 1 root root 107252 Jun 4 10:14 strace*\n" "-rwxr-xr-x 1 root root 8323 Jun 4 10:14 strace-graph*\n" "-rwxr-xr-x 1 root root 158088 Jun 3 13:46 thumbnail*\n" "-rwxr-xr-x 1 
root root 6312 Jun 3 13:46 tty*\n" "-rwxr-xr-x 1 root root 55904 Jun 4 11:46 useradd*\n" "-rwxr-xr-x 1 root root 585656 Jun 4 11:47 vi*\n" "-rwxr-xr-x 1 root root 6444 Jun 4 11:45 whoami*\n" "./dev:\n" "total 8\n" "drwxr-xr-x 2 root root 4096 Jun 4 12:16 ./\n" "drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../\n" "crw-r--r-- 1 root root 1, 9 Jun 3 13:43 urandom\n" "./etc:\n" "total 208\n" "drwxr-xr-x 4 root root 4096 Jun 4 12:35 ./\n" "drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../\n" "-rw------- 1 root root 0 Jun 4 11:46 .pwd.lock\n" "-rw-r--r-- 1 root root 653 Jun 3 13:46 group\n" "-rw-r--r-- 1 root root 242 Jun 4 11:33 host.conf\n" "-rw-r--r-- 1 root root 857 Jun 4 12:04 hosts\n" "-rw-r--r-- 1 root root 1050 Jun 4 11:29 ld.so.cache\n" "-rw-r--r-- 1 root root 304 Jun 4 11:28 ld.so.conf\n" "-rw-r--r-- 1 root root 235 Jun 4 11:27 ld.so.conf~\n" "-rw-r--r-- 1 root root 88039 Jun 3 13:46 moduli\n" "-rw-r--r-- 1 root root 1342 Jun 4 11:34 nsswitch.conf\n" "drwxr-xr-x 2 root root 4096 Jun 4 12:02 pam.d/\n" "-rw-r--r-- 1 root root 28 Jun 4 12:00 pam_smb.conf\n" "-rw-r--r-- 1 root root 2520 Jun 4 11:57 passwd\n" "-rw-r--r-- 1 root root 7228 Jun 3 13:48 profile\n" "-rw-r--r-- 1 root root 1339 Jun 4 11:33 protocols\n" "-rw-r--r-- 1 root root 274 Jun 4 11:44 resolv.conf\n" "drwxr-xr-x 2 root root 4096 Jun 3 13:43 security/\n" "-rw-r----- 1 root root 1178 Jun 4 11:51 shadow\n" "-rw------- 1 root root 80 Jun 4 11:45 shadow-\n" "-rw-r----- 1 root root 1178 Jun 4 11:48 shadow.old\n" "-rw-r--r-- 1 root root 161 Jun 3 13:46 shells\n" "-rw-r--r-- 1 root root 1144 Jun 3 13:46 ssh_config\n" "-rw------- 1 root root 668 Jun 3 13:46 ssh_host_dsa_key\n" "-rw-r--r-- 1 root root 602 Jun 3 13:46 ssh_host_dsa_key.pub\n" "-rw------- 1 root root 527 Jun 3 13:46 ssh_host_key\n" "-rw-r--r-- 1 root root 331 Jun 3 13:46 ssh_host_key.pub\n" "-rw------- 1 root root 883 Jun 3 13:46 ssh_host_rsa_key\n" "-rw-r--r-- 1 root root 222 Jun 3 13:46 ssh_host_rsa_key.pub\n" "-rw-r--r-- 1 root root 2471 Jun 4 12:15 
sshd_config\n" "./etc/pam.d:\n" "total 24\n" "drwxr-xr-x 2 root root 4096 Jun 4 12:02 ./\n" "drwxr-xr-x 4 root root 4096 Jun 4 12:35 ../\n" "lrwxrwxrwx 1 root root 4 Jun 4 12:02 other -> sshd\n" "-rw-r--r-- 1 root root 318 Jun 3 13:46 passwd\n" "-rw-r--r-- 1 root root 546 Jun 4 11:36 ssh\n" "-rw-r--r-- 1 root root 479 Jun 4 12:02 sshd\n" "-rw-r--r-- 1 root root 370 Jun 3 13:46 su\n" "./etc/security:\n" "total 32\n" "drwxr-xr-x 2 root root 4096 Jun 3 13:43 ./\n" "drwxr-xr-x 4 root root 4096 Jun 4 12:35 ../\n" "-rw-r--r-- 1 root root 1971 Jun 3 13:46 access.conf\n" "-rw-r--r-- 1 root root 184 Jun 3 13:46 chroot.conf\n" "-rw-r--r-- 1 root root 2145 Jun 3 13:46 group.conf\n" "-rw-r--r-- 1 root root 1356 Jun 3 13:46 limits.conf\n" "-rw-r--r-- 1 root root 2858 Jun 3 13:46 pam_env.conf\n" "-rw-r--r-- 1 root root 2154 Jun 3 13:46 time.conf\n" "./lib:\n" "total 8316\n" "drwxr-xr-x 3 root root 4096 Jun 4 12:13 ./\n" "drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../\n" "-rw-r--r-- 1 root root 1024 Jun 4 11:51 cracklib_dict.hwm\n" "-rw-r--r-- 1 root root 214324 Jun 4 11:51 cracklib_dict.pwd\n" "-rw-r--r-- 1 root root 11360 Jun 4 11:51 cracklib_dict.pwi\n" "-rwxr-xr-x 1 root root 342427 Jun 3 13:46 ld-linux.so.2*\n" "-rwxr-xr-x 1 root root 4061504 Jun 3 13:46 libc.so.6*\n" "lrwxrwxrwx 1 root root 15 Jun 4 12:11 libcrack.so -> libcrack.so.2.7*\n" "lrwxrwxrwx 1 root root 15 Jun 4 12:11 libcrack.so.2 -> libcrack.so.2.7*\n" "-rwxr-xr-x 1 root root 33291 Jun 4 11:39 libcrack.so.2.7*\n" "-rwxr-xr-x 1 root root 60988 Jun 3 13:46 libcrypt.so.1*\n" "-rwxr-xr-x 1 root root 71846 Jun 3 13:46 libdl.so.2*\n" "-rwxr-xr-x 1 root root 27762 Jun 3 13:46 libhistory.so.4.0*\n" "lrwxrwxrwx 1 root root 17 Jun 4 12:12 libncurses.so.4 -> libncurses.so.4.2*\n" "-rwxr-xr-x 1 root root 503903 Jun 3 13:46 libncurses.so.4.2*\n" "lrwxrwxrwx 1 root root 17 Jun 4 12:12 libncurses.so.5 -> libncurses.so.5.0*\n" "-rwxr-xr-x 1 root root 549429 Jun 3 13:46 libncurses.so.5.0*\n" "-rwxr-xr-x 1 root root 369801 Jun 3 
13:46 libnsl.so.1*\n" "-rwxr-xr-x 1 root root 142563 Jun 4 11:49 libnss_compat.so.1*\n" "-rwxr-xr-x 1 root root 215569 Jun 4 11:49 libnss_compat.so.2*\n" "-rwxr-xr-x 1 root root 61648 Jun 4 11:34 libnss_dns.so.1*\n" "-rwxr-xr-x 1 root root 63453 Jun 4 11:34 libnss_dns.so.2*\n" "-rwxr-xr-x 1 root root 63782 Jun 4 11:34 libnss_dns6.so.2*\n" "-rwxr-xr-x 1 root root 205715 Jun 3 13:46 libnss_files.so.1*\n" "-rwxr-xr-x 1 root root 235932 Jun 3 13:49 libnss_files.so.2*\n" "-rwxr-xr-x 1 root root 204383 Jun 4 11:33 libnss_nis.so.1*\n" "-rwxr-xr-x 1 root root 254023 Jun 4 11:33 libnss_nis.so.2*\n" "-rwxr-xr-x 1 root root 256465 Jun 4 11:33 libnss_nisplus.so.2*\n" "lrwxrwxrwx 1 root root 14 Jun 4 12:12 libpam.so.0 -> libpam.so.0.72*\n" "-rwxr-xr-x 1 root root 31449 Jun 3 13:46 libpam.so.0.72*\n" "lrwxrwxrwx 1 root root 19 Jun 4 12:12 libpam_misc.so.0 ->\n" "libpam_misc.so.0.72*\n" "-rwxr-xr-x 1 root root 8125 Jun 3 13:46 libpam_misc.so.0.72*\n" "lrwxrwxrwx 1 root root 15 Jun 4 12:12 libpamc.so.0 -> libpamc.so.0.72*\n" "-rwxr-xr-x 1 root root 10499 Jun 3 13:46 libpamc.so.0.72*\n" "-rwxr-xr-x 1 root root 176427 Jun 3 13:46 libreadline.so.4.0*\n" "-rwxr-xr-x 1 root root 44729 Jun 3 13:46 libutil.so.1*\n" "-rwxr-xr-x 1 root root 70254 Jun 3 13:46 libz.a*\n" "lrwxrwxrwx 1 root root 13 Jun 4 12:13 libz.so -> libz.so.1.1.3*\n" "lrwxrwxrwx 1 root root 13 Jun 4 12:13 libz.so.1 -> libz.so.1.1.3*\n" "-rwxr-xr-x 1 root root 63312 Jun 3 13:46 libz.so.1.1.3*\n" "drwxr-xr-x 2 root root 4096 Jun 4 12:00 security/\n" "./lib/security:\n" "total 668\n" "drwxr-xr-x 2 root root 4096 Jun 4 12:00 ./\n" "drwxr-xr-x 3 root root 4096 Jun 4 12:13 ../\n" "-rwxr-xr-x 1 root root 10067 Jun 3 13:46 pam_access.so*\n" "-rwxr-xr-x 1 root root 8300 Jun 3 13:46 pam_chroot.so*\n" "-rwxr-xr-x 1 root root 14397 Jun 3 13:46 pam_cracklib.so*\n" "-rwxr-xr-x 1 root root 5082 Jun 3 13:46 pam_deny.so*\n" "-rwxr-xr-x 1 root root 13153 Jun 3 13:46 pam_env.so*\n" "-rwxr-xr-x 1 root root 13371 Jun 3 13:46 
pam_filter.so*\n" "-rwxr-xr-x 1 root root 7957 Jun 3 13:46 pam_ftp.so*\n" "-rwxr-xr-x 1 root root 12771 Jun 3 13:46 pam_group.so*\n" "-rwxr-xr-x 1 root root 10174 Jun 3 13:46 pam_issue.so*\n" "-rwxr-xr-x 1 root root 9774 Jun 3 13:46 pam_lastlog.so*\n" "-rwxr-xr-x 1 root root 13591 Jun 3 13:46 pam_limits.so*\n" "-rwxr-xr-x 1 root root 11268 Jun 3 13:46 pam_listfile.so*\n" "-rwxr-xr-x 1 root root 11182 Jun 3 13:46 pam_mail.so*\n" "-rwxr-xr-x 1 root root 5923 Jun 3 13:46 pam_nologin.so*\n" "-rwxr-xr-x 1 root root 5460 Jun 3 13:46 pam_permit.so*\n" "-rwxr-xr-x 1 root root 18226 Jun 3 13:46 pam_pwcheck.so*\n" "-rwxr-xr-x 1 root root 12590 Jun 3 13:46 pam_rhosts_auth.so*\n" "-rwxr-xr-x 1 root root 5551 Jun 3 13:46 pam_rootok.so*\n" "-rwxr-xr-x 1 root root 7239 Jun 3 13:46 pam_securetty.so*\n" "-rwxr-xr-x 1 root root 6551 Jun 3 13:46 pam_shells.so*\n" "-rwxr-xr-x 1 root root 55925 Jun 4 12:00 pam_smb_auth.so*\n" "-rwxr-xr-x 1 root root 12678 Jun 3 13:46 pam_stress.so*\n" "-rwxr-xr-x 1 root root 11170 Jun 3 13:46 pam_tally.so*\n" "-rwxr-xr-x 1 root root 11124 Jun 3 13:46 pam_time.so*\n" "-rwxr-xr-x 1 root root 45703 Jun 3 13:46 pam_unix.so*\n" "-rwxr-xr-x 1 root root 45703 Jun 3 13:46 pam_unix2.so*\n" "-rwxr-xr-x 1 root root 45386 Jun 3 13:46 pam_unix_acct.so*\n" "-rwxr-xr-x 1 root root 45386 Jun 3 13:46 pam_unix_auth.so*\n" "-rwxr-xr-x 1 root root 45386 Jun 3 13:46 pam_unix_passwd.so*\n" "-rwxr-xr-x 1 root root 45386 Jun 3 13:46 pam_unix_session.so*\n" "-rwxr-xr-x 1 root root 9726 Jun 3 13:46 pam_userdb.so*\n" "-rwxr-xr-x 1 root root 6424 Jun 3 13:46 pam_warn.so*\n" "-rwxr-xr-x 1 root root 7460 Jun 3 13:46 pam_wheel.so*\n" "./sbin:\n" "total 3132\n" "drwxr-xr-x 2 root root 4096 Jun 4 12:35 ./\n" "drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../\n" "-rwxr-xr-x 1 root root 178256 Jun 3 13:46 choptest*\n" "-rwxr-xr-x 1 root root 184032 Jun 3 13:46 cqtest*\n" "-rwxr-xr-x 1 root root 81096 Jun 3 13:46 dialtest*\n" "-rwxr-xr-x 1 root root 1142128 Jun 4 11:28 ldconfig*\n" "-rwxr-xr-x 
1 root root 2868 Jun 3 13:46 lockname*\n" "-rwxr-xr-x 1 root root 3340 Jun 3 13:46 ondelay*\n" "-rwxr-xr-x 1 root root 376796 Jun 3 13:46 pagesend*\n" "-rwxr-xr-x 1 root root 13950 Jun 3 13:46 probemodem*\n" "-rwxr-xr-x 1 root root 9234 Jun 3 13:46 recvstats*\n" "-rwxr-xr-x 1 root root 64480 Jun 3 13:46 sftp-server*\n" "-rwxr-xr-x 1 root root 744412 Jun 3 13:46 sshd*\n" "-rwxr-xr-x 1 root root 30750 Jun 4 11:46 su*\n" "-rwxr-xr-x 1 root root 194632 Jun 3 13:46 tagtest*\n" "-rwxr-xr-x 1 root root 69892 Jun 3 13:46 tsitest*\n" "-rwxr-xr-x 1 root root 43792 Jun 3 13:46 typetest*\n" "./tmp:\n" "total 8\n" "drwxr-xr-x 2 root root 4096 Jun 4 12:32 ./\n" "drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../\n" "./usr:\n" "total 8\n" "drwxr-xr-x 2 root root 4096 Jun 4 12:16 ./\n" "drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../\n" "lrwxrwxrwx 1 root root 7 Jun 4 12:14 bin -> ../bin//\n" "lrwxrwxrwx 1 root root 7 Jun 4 11:33 lib -> ../lib//\n" "lrwxrwxrwx 1 root root 8 Jun 4 12:13 sbin -> ../sbin//" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1808 msgid "Chroot environment for Apache" msgstr "Environnement de chroot pour Apache" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1814 msgid "" "The chroot utility is often used to jail a daemon in a " "restricted tree. You can use it to insulate services from one another, so " "that security issues in a software package do not jeopardize the whole " "server. When using the makejail script, setting up and updating " "the chrooted tree is much easier." msgstr "" "L'utilitaire chroot est souvent utilisé pour emprisonner un " "démon dans une arborescence restreint. Vous pouvez l'utiliser pour isoler " "des services d'autres services, pour que les problèmes de sécurité d'un " "paquet logiciel ne mettent pas en péril le serveur tout entier. Quand vous " "utiliser le script makejail, mettre en place et mettre à jour " "l'arborescence chrooté est beaucoup plus facile." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1821 msgid "" "FIXME: Apache can also be chrooted using which is available in libapache-mod-security (for " "Apache 1.x) and libapache2-mod-security (for Apache 2.x)." msgstr "" "FIXME : Apache peut aussi être chrooté en utilisant qui est disponible dans libapache-mod-security (pour Apache 1.x) et libapache2-mod-security " "(pour Apache 2.x)." #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1823 msgid "Licensing" msgstr "Licence" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1830 msgid "" "This document is copyright 2002 Alexandre Ratti. It has been dual-licensed " "and released under the GPL version 2 (GNU General Public License) the GNU-" "FDL 1.2 (GNU Free Documentation Licence) and is included in this manual with " "his explicit permission. (from the )" msgstr "" "Ce document est copyright 2002 Alexandre Ratti. Il est publié sous une " "double licence, la GPL version 2 (GNU General Public License) et la GNU-" "FDL 1.2 (GNU Free Documentation Licence) et est inclus dans ce manuel " "avec sa permission explicite (depuis le )." #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1835 msgid "Installing the server" msgstr "Installer le serveur" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1838 msgid "" "This procedure was tested on Debian GNU/Linux 3.0 (Woody) with " "makejail 0.0.4-1 (in Debian/testing)." msgstr "" "Cette procédure a été testée sur Debian GNU/Linux 3.0 (Woody) avec " "makejail 0.0.4-1 (de Debian/testing)." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1843 msgid "Log in as root and create a new jail directory:" msgstr "" "Connectez-vous en tant que root et créez le nouveau répertoire " "prison :" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1845 #, no-wrap msgid "$ mkdir -p /var/chroot/apache" msgstr "$ mkdir -p /var/chroot/apache" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1853 msgid "" "Create a new user and a new group. The chrooted Apache server will run as " "this user/group, which isn't used for anything else on the system. In this " "example, both user and group are called chrapach." msgstr "" "Créez un nouvel utilisateur et un nouveau groupe. Le serveur Apache chrooté " "fonctionnera sous cet utilisateur et groupe, qui n'est utilisé pour rien " "d'autre sur le système. Dans cet exemple, l'utilisateur et le groupe sont " "appelés chrapach." #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1849 #, no-wrap msgid "" " $ adduser --home /var/chroot/apache --shell /bin/false \\\n" " --no-create-home --system --group chrapach" msgstr "" " $ adduser --home /var/chroot/apache --shell /bin/false \\\n" " --no-create-home --system --group chrapach" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1859 msgid "" "FIXME: is a new user needed? (Apache already runs as the apache user) A " "dedicated account is still worthwhile: chroot restricts the file system " "view but does not isolate process IDs, so a jailed process running under a " "uid that is also used outside the jail could still signal or otherwise " "interact with host processes of that uid. A uid used for nothing else on " "the system closes that gap." msgstr "" "FIXME : Est-ce qu'un nouvel utilisateur est nécessaire ? (Apache " "fonctionne déjà sous l'utilisateur apache)" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1864 msgid "Install Apache as usual on Debian: apt-get install apache" msgstr "" "Installez Apache comme d'habitude sous Debian : apt-get install " "apache" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1870 msgid "" "Set up Apache (e.g. define your subdomains, etc.). In the /etc/apache/" "httpd.conf configuration file, set the Group and User options to chrapach. Restart Apache and make sure the server is " "working correctly. Now, stop the Apache daemon." msgstr "" "Configurez Apache (par exemple définissez les sous-domaines, etc.). Dans le " "fichier de configuration /etc/apache/httpd.conf, positionnez " "les options Group et User à chrapach. Redémarrez " "Apache et assurez-vous que le serveur fonctionne correctement. Maintenant, " "stoppez le démon Apache." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1875 msgid "" "Install makejail (available in Debian/testing for now). You " "should also install wget and lynx as they will be " "used by makejail to test the chrooted server: apt-get " "install makejail wget lynx" msgstr "" "Installez makejail (disponible dans Debian/testing " "actuellement). Vous devriez également installer wget et " "lynx car ils sont utilisés par makejail pour " "tester le serveur chrooté : apt-get install makejail wget lynx" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1878 msgid "" "Copy the sample configuration file for Apache to the /etc/makejail directory:" msgstr "" "Copiez le fichier de configuration exemple pour Apache dans le répertoire " "/etc/makejail :" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1877 #, no-wrap msgid " # cp /usr/share/doc/makejail/examples/apache.py /etc/makejail/" msgstr " # cp /usr/share/doc/makejail/examples/apache.py /etc/makejail/" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1892 msgid "" "Edit /etc/makejail/apache.py. You need to change the " "chroot, users and groups options. To run this " "version of makejail, you can also add a packages " "option. See the . A sample is shown here:" msgstr "" "Éditez /etc/makejail/apache.py. Vous devez changer les options " "chroot, users et groups. Pour exécuter cette " "version de makejail, vous pouvez également ajouter une option " "packages. Consultez la . Un exemple est fourni " "ici :" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1910 #, no-wrap msgid "" "chroot="/var/chroot/apache"\n" "testCommandsInsideJail=["/usr/sbin/apachectl start"]\n" "processNames=["apache"]\n" "testCommandsOutsideJail=["wget -r --spider http://localhost/",\n" " "lynx --source https://localhost/"]\n" "preserve=["/var/www",\n" " "/var/log/apache",\n" " "/dev/log"]\n" "users=["chrapach"]\n" "groups=["chrapach"]\n" "packages=["apache", "apache-common"]\n" "userFiles=["/etc/password",\n" " "/etc/shadow"]\n" "groupFiles=["/etc/group",\n" " "/etc/gshadow"]\n" "forceCopy=["/etc/hosts",\n" " "/etc/mime.types"]" msgstr "" "chroot="/var/chroot/apache"\n" "testCommandsInsideJail=["/usr/sbin/apachectl start"]\n" "processNames=["apache"]\n" "testCommandsOutsideJail=["wget -r --spider http://localhost/",\n" " "lynx --source https://localhost/"]\n" "preserve=["/var/www",\n" " "/var/log/apache",\n" " "/dev/log"]\n" "users=["chrapach"]\n" "groups=["chrapach"]\n" "packages=["apache", "apache-common"]\n" "userFiles=["/etc/password",\n" " "/etc/shadow"]\n" "groupFiles=["/etc/group",\n" " "/etc/gshadow"]\n" "forceCopy=["/etc/hosts",\n" " "/etc/mime.types"]" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1916 msgid "" "FIXME: some options do not seem to work properly. For instance, " "/etc/shadow and /etc/gshadow are not copied, " "whereas /etc/password and /etc/group are fully " "copied instead of being filtered. Check the paths in userFiles first: the " "real file is /etc/passwd, not /etc/password, and an entry naming a file " "that does not exist may simply never match. Note that /etc/shadow not " "being copied is the desirable outcome here: Apache does not normally " "authenticate against system passwords, so the jail has no need for " "password hashes at all, and the copy of /etc/passwd inside the jail must " "not contain them either. If you do copy a filtered shadow file, keep it " "readable by root only (mode 0600, or 0640 owned by root:shadow)." msgstr "" "FIXME : Certaines options semblent ne pas fonctionner correctement. " "Par exemple, /etc/shadow et /etc/gshadow ne sont " "pas copiés, alors que /etc/password et /etc/group " "sont intégralement copiés au lieu d'être filtrés." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1919 msgid "Create the chroot tree: makejail /etc/makejail/apache.py" msgstr "" "Créez l'arborescence de chroot : makejail /etc/makejail/apache.py" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1923 msgid "" "If /etc/passwd and /etc/group were fully copied (rather than filtered " "down to the single account the jail needs), type:" msgstr "" "Si les fichiers /etc/password et /etc/group ont " "été intégralement copiés, entrez :" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1925 #, no-wrap msgid "" " $ grep '^chrapach:' /etc/passwd > /var/chroot/apache/etc/passwd\n" " $ grep '^chrapach:' /etc/group > /var/chroot/apache/etc/group" msgstr "" " $ grep '^chrapach:' /etc/passwd > /var/chroot/apache/etc/passwd\n" " $ grep '^chrapach:' /etc/group > /var/chroot/apache/etc/group" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1928 msgid "to replace them with filtered copies." msgstr "pour les remplacer avec des copies filtrées." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1932 msgid "" "Copy the Web site pages and the logs into the jail. These files are not " "copied automatically (see the preserve option in makejail's configuration file)." msgstr "" "Copiez les pages du site web et les journaux dans la prison. Ces fichiers ne " "sont pas copiés automatiquement (consultez l'option preserve du " "fichier de configuration de makejail)." #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:1934 #, no-wrap msgid "" " # cp -Rp /var/www /var/chroot/apache/var\n" " # cp -Rp /var/log/apache/*.log /var/chroot/apache/var/log/apache" msgstr "" " # cp -Rp /var/www /var/chroot/apache/var\n" " # cp -Rp /var/log/apache/*.log /var/chroot/apache/var/log/apache" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1944 msgid "" "Edit the startup script for the system logging daemon so that it also listens " "to the /var/chroot/apache/dev/log socket. In /etc/default/" "syslogd, replace: SYSLOGD="" with " "SYSLOGD=" -a /var/chroot/apache/dev/log" and restart the " "daemon (/etc/init.d/sysklogd restart). Make sure the logging daemon is " "started before Apache: the socket inside the jail is created by syslogd, " "and messages Apache sends before it exists are lost." msgstr "" "Éditez le script de démarrage pour le démon de journaux système pour qu'il " "écoute également sur la socket /var/chroot/apache/dev/log. Dans " "/etc/default/syslogd, remplacez : SYSLOGD=""" " par SYSLOGD=" -a /var/chroot/apache/dev/log" et " "redémarrez le démon (/etc/init.d/sysklogd restart)." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1948 msgid "" "Edit the Apache startup script (/etc/init.d/apache). You might " "need to make some changes to the default startup script for it to run " "properly with a chrooted tree (when doing so, derive every jail path from " "the CHRDIR variable instead of repeating /var/chroot/apache literally, and " "remember that Apache writes its pid file inside the jail, so " "start-stop-daemon should be given the jail path, $CHRDIR/$PIDFILE, for " "start as well as for stop, or a second start may not notice the instance " "that is already running). Such as:" msgstr "" "Éditez le script de démarrage d'Apache (/etc/init.d/apache). " "Vous pouvez avoir besoin d'effectuer certaines changements au script de " "démarrage par défaut pour qu'il fonctionne correctement dans une " "arborescence chrooté. Comme :" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1950 msgid "set a new CHRDIR variable at the top of the file;" msgstr "" "configurer une nouvelle variable CHRDIR au début du fichier ;" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1952 msgid "edit the start, stop, reload, etc. sections;" msgstr "" "éditer les sections start, stop, reload, etc." " ;" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:1954 msgid "" "add a line to mount and unmount the /proc filesystem within the " "jail." msgstr "" "ajouter une ligne pour monter et démonter le système de fichiers /" "proc dans la prison." #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:2038 #, no-wrap msgid "" "#! /bin/bash\n" "#\n" "# apache Start the apache HTTP server.\n" "#\n" "\n" "CHRDIR=/var/chroot/apache\n" "\n" "NAME=apache\n" "PATH=/bin:/usr/bin:/sbin:/usr/sbin\n" "DAEMON=/usr/sbin/apache\n" "SUEXEC=/usr/lib/apache/suexec\n" "PIDFILE=/var/run/$NAME.pid\n" "CONF=/etc/apache/httpd.conf\n" "APACHECTL=/usr/sbin/apachectl \n" "\n" "trap \"\" 1\n" "export LANG=C\n" "export PATH\n" "\n" "test -f $DAEMON || exit 0\n" "test -f $APACHECTL || exit 0\n" "\n" "# ensure we don't leak environment vars into apachectl\n" "APACHECTL=\"env -i LANG=${LANG} PATH=${PATH} chroot $CHRDIR $APACHECTL\"\n" "\n" "if egrep -q -i \"^[[:space:]]*ServerType[[:space:]]+inet\" $CONF\n" "then\n" " exit 0\n" "fi\n" "\n" "case \"$1\" in\n" " start)\n" " echo -n \"Starting web server: $NAME\"\n" " mount -t proc proc /var/chroot/apache/proc\n" " start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON \\\n" " --chroot $CHRDIR\n" " ;;\n" "\n" " stop)\n" " echo -n \"Stopping web server: $NAME\"\n" " start-stop-daemon --stop --pidfile \"$CHRDIR/$PIDFILE\" --oknodo\n" " umount /var/chroot/apache/proc\n" " ;;\n" "\n" " reload)\n" " echo -n \"Reloading $NAME configuration\"\n" " start-stop-daemon --stop --pidfile \"$CHRDIR/$PIDFILE\" \\\n" " --signal USR1 --startas $DAEMON --chroot $CHRDIR\n" " ;;\n" "\n" " reload-modules)\n" " echo -n \"Reloading $NAME modules\"\n" " start-stop-daemon --stop --pidfile \"$CHRDIR/$PIDFILE\" --oknodo \\\n" " --retry 30\n" " start-stop-daemon --start --pidfile $PIDFILE \\\n" " --exec $DAEMON --chroot $CHRDIR\n" " ;;\n" "\n" " restart)\n" " $0 reload-modules\n" " exit $?\n" " ;;\n" "\n" " force-reload)\n" " $0 reload-modules\n" " exit $?\n" " ;;\n" 
"\n" " *)\n" " echo \"Usage: /etc/init.d/$NAME {start|stop|reload|reload-modules|force-reload|restart}\"\n" " exit 1\n" " ;;\n" "esac\n" "\n" "if [ $? == 0 ]; then\n" " echo .\n" " exit 0\n" "else\n" " echo failed\n" " exit 1\n" "fi" msgstr "" "#! /bin/bash\n" "#\n" "# apache Start the apache HTTP server.\n" "#\n" "\n" "CHRDIR=/var/chroot/apache\n" "\n" "NAME=apache\n" "PATH=/bin:/usr/bin:/sbin:/usr/sbin\n" "DAEMON=/usr/sbin/apache\n" "SUEXEC=/usr/lib/apache/suexec\n" "PIDFILE=/var/run/$NAME.pid\n" "CONF=/etc/apache/httpd.conf\n" "APACHECTL=/usr/sbin/apachectl \n" "\n" "trap \"\" 1\n" "export LANG=C\n" "export PATH\n" "\n" "test -f $DAEMON || exit 0\n" "test -f $APACHECTL || exit 0\n" "\n" "# ensure we don't leak environment vars into apachectl\n" "APACHECTL=\"env -i LANG=${LANG} PATH=${PATH} chroot $CHRDIR $APACHECTL\"\n" "\n" "if egrep -q -i \"^[[:space:]]*ServerType[[:space:]]+inet\" $CONF\n" "then\n" " exit 0\n" "fi\n" "\n" "case \"$1\" in\n" " start)\n" " echo -n \"Starting web server: $NAME\"\n" " mount -t proc proc /var/chroot/apache/proc\n" " start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON \\\n" " --chroot $CHRDIR\n" " ;;\n" "\n" " stop)\n" " echo -n \"Stopping web server: $NAME\"\n" " start-stop-daemon --stop --pidfile \"$CHRDIR/$PIDFILE\" --oknodo\n" " umount /var/chroot/apache/proc\n" " ;;\n" "\n" " reload)\n" " echo -n \"Reloading $NAME configuration\"\n" " start-stop-daemon --stop --pidfile \"$CHRDIR/$PIDFILE\" \\\n" " --signal USR1 --startas $DAEMON --chroot $CHRDIR\n" " ;;\n" "\n" " reload-modules)\n" " echo -n \"Reloading $NAME modules\"\n" " start-stop-daemon --stop --pidfile \"$CHRDIR/$PIDFILE\" --oknodo \\\n" " --retry 30\n" " start-stop-daemon --start --pidfile $PIDFILE \\\n" " --exec $DAEMON --chroot $CHRDIR\n" " ;;\n" "\n" " restart)\n" " $0 reload-modules\n" " exit $?\n" " ;;\n" "\n" " force-reload)\n" " $0 reload-modules\n" " exit $?\n" " ;;\n" "\n" " *)\n" " echo \"Usage: /etc/init.d/$NAME 
{start|stop|reload|reload-modules|force-reload|restart}\"\n" " exit 1\n" " ;;\n" "esac\n" "\n" "if [ $? == 0 ]; then\n" " echo .\n" " exit 0\n" "else\n" " echo failed\n" " exit 1\n" "fi" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:2042 msgid "" "FIXME: should the first Apache process be run as another user than " "root (i.e. add --chuid chrapach:chrapach)? Cons: chrapach will need write " "access to the logs, which is awkward, and an unprivileged parent would " "normally be unable to bind port 80. Keep in mind what the jail does and " "does not protect against: chroot is not a security boundary for a process " "running as root, so the root parent (which only binds the socket and forks " "the chrapach children that actually serve requests) could break out of the " "tree if it were compromised, and mounting /proc inside the jail, as the " "script above does, makes that easier and exposes information on every host " "process to the jailed server. The jail therefore mainly limits what a " "compromised chrapach child can reach; mount /proc inside it only if Apache " "actually fails to run without it." msgstr "" "FIXME : Est-ce que le premier processus Apache devrait être lancé " "avec un autre utilisateur que root (c'est-à-dire ajouter --chuid chrapach:" "chrapach) ? Désavantage : chrapach devra avoir un accès en " "écriture aux journaux, ce qui est étrange." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:2046 msgid "" "Replace in /etc/logrotate.d/apache /var/log/apache/*.log with /var/chroot/apache/var/log/apache/*.log" msgstr "" "Remplacez dans /etc/logrotate.d/apache /var/log/apache/*." "log par /var/chroot/apache/var/log/apache/*.log" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:2057 msgid "" "Start Apache (/etc/init.d/apache start) and check what is " "reported in the jail log (/var/chroot/apache/var/log/apache/error.log). If your setup is more complex (e.g. if you also use PHP and MySQL), " "files will probably be missing. If some files are not copied automatically " "by makejail, you can list them in the forceCopy (to " "copy files directly) or packages (to copy full packages and their " "dependencies) option of the /etc/makejail/apache.py configuration " "file. Add only what the error log shows to be missing: every extra file " "inside the jail (shells, interpreters, setuid binaries, configuration " "files holding credentials) is something a compromised Apache process could " "use, and a whole package pulled in through packages usually brings far " "more than the one library that was actually needed." msgstr "" "Démarrez Apache (/etc/init.d/apache start) et vérifiez ce qui " "est indiqué dans les journaux de la prison (/var/chroot/apache/var/log/" "apache/error.log). Si votre configuration est plus complexe (e.g. si " "vous utilisez également PHP et MySQL), des fichiers seront probablement " "manquants. Si certains fichiers ne sont pas copiés automatiquement par " "makejail, vous pouvez les indiquer dans les options " "forceCopy (pour copier les fichiers directement) ou packages (pour copier les paquets en entier et leurs dépendances) du fichier de " "configuration /etc/makejail/apache.py." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:2061 msgid "" "Type ps aux | grep apache to make sure Apache is running. You " "should see something like:" msgstr "" "Entrez ps aux | grep apache pour vous assurer qu'Apache fonctionne. " "Vous devriez voir quelque chose comme :" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:2063 #, no-wrap msgid "" " root 180 0.0 1.1 2936 1436 ? S 04:03 0:00 /usr/sbin/apache\n" " chrapach 189 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache\n" " chrapach 190 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache\n" " chrapach 191 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache\n" " chrapach 192 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache\n" " chrapach 193 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache" msgstr "" " root 180 0.0 1.1 2936 1436 ? S 04:03 0:00 /usr/sbin/apache\n" " chrapach 189 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache\n" " chrapach 190 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache\n" " chrapach 191 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache\n" " chrapach 192 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache\n" " chrapach 193 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:2076 msgid "" "Make sure the Apache processes are running chrooted by looking in the /" "proc filesystem: ls -la /proc/process_number/root/. where process_number is one of the PID numbers listed above " "(2nd column; 189 for instance). The entries for a restricted tree should be " "listed:" msgstr "" "Assurez-vous que les processus Apache fonctionnent bien dans le chroot en " "observant le système de fichiers /proc : ls -la /proc/" "numero_processus/root/. où numero_processus est " "l'un des numéros de PID de la liste ci-dessus (2e colonne ; 189 par " "exemple). La liste des entrées pour une arborescence restreinte devraient " "être ainsi :" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:2078 #, no-wrap msgid "" " drwxr-sr-x 10 root staff 240 Dec 2 16:06 .\n" " drwxrwsr-x 4 root staff 72 Dec 2 08:07 ..\n" " drwxr-xr-x 2 root root 144 Dec 2 16:05 bin\n" " drwxr-xr-x 2 root root 120 Dec 3 04:03 dev\n" " drwxr-xr-x 5 root root 408 Dec 3 04:03 etc\n" " drwxr-xr-x 2 root root 800 Dec 2 16:06 lib\n" " dr-xr-xr-x 43 root root 0 Dec 3 05:03 proc\n" " drwxr-xr-x 2 root root 48 Dec 2 16:06 sbin\n" " drwxr-xr-x 6 root root 144 Dec 2 16:04 usr\n" " drwxr-xr-x 7 root root 168 Dec 2 16:06 var" msgstr "" " drwxr-sr-x 10 root staff 240 Dec 2 16:06 .\n" " drwxrwsr-x 4 root staff 72 Dec 2 08:07 ..\n" " drwxr-xr-x 2 root root 144 Dec 2 16:05 bin\n" " drwxr-xr-x 2 root root 120 Dec 3 04:03 dev\n" " drwxr-xr-x 5 root root 408 Dec 3 04:03 etc\n" " drwxr-xr-x 2 root root 800 Dec 2 16:06 lib\n" " dr-xr-xr-x 43 root root 0 Dec 3 05:03 proc\n" " drwxr-xr-x 2 root root 48 Dec 2 16:06 sbin\n" " drwxr-xr-x 6 root root 144 Dec 2 16:04 usr\n" " drwxr-xr-x 7 root root 168 Dec 2 16:06 var" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:2090 msgid "" "To automate this test, you can type:ls -la /proc/`cat /var/chroot/apache/" "var/run/apache.pid`/root/." msgstr "" "Pour automatiser ce test, vous pouvez entrer :ls -la /proc/`cat /" "var/chroot/apache/var/run/apache.pid`/root/." #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:2093 msgid "" "FIXME: Add other tests that can be run to make sure the jail is " "closed?" msgstr "" "FIXME : Ajouter d'autres tests qui peuvent être exécutés pour " "s'assurer que la prison est fermée ?" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:2100 msgid "" "The reason I like this is because setting up the jail is not very difficult " "and the server can be updated in just two lines:" msgstr "" "La raison pour laquelle j'aime cela est que la mise en place d'une prison " "n'est pas très difficile et que le serveur peut être mis à jour avec " "seulement deux lignes :" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:2103 #, no-wrap msgid "" "apt-get update && apt-get install apache\n" "makejail /etc/makejail/apache.py" msgstr "" "apt-get update && apt-get install apache\n" "makejail /etc/makejail/apache.py" #. type: #: securing-debian-howto.en.sgml:61 en/appendix.sgml:2108 msgid "See also" msgstr "Consultez également" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:2110 msgid "" "If you are looking for more information you can consider these sources of " "information in which the information presented is based:" msgstr "" "Si vous recherchez plus d'informations, vous pouvez envisager ces sources " "d'informations sur lesquelles les informations présentées sont basées :" #. type:

#: securing-debian-howto.en.sgml:61 en/appendix.sgml:2113 msgid "" ", this " "program was written by Alain Tesio" msgstr "" ", ce programme a été écrit par Alain Tesio" #~ msgid "" #~ "You can also check out the changes introduced in the document by " #~ "reviewing its version control logs through its ." #~ msgstr "" #~ "Vous pouvez également vérifier les changements introduits dans le " #~ "document en consultant le gestionnaire de versions de Debian." #~ msgid "Mon, 20 Jun 2011 23:53:53 -0400" #~ msgstr "Mon, 20 Jun 2011 23:54:17 -0400" #~ msgid "Version 3.14 (November 2008)" #~ msgstr "Version 3.14 (novembre 2008)" #~ msgid "Changes by Javier Fernández-Sanguino Peña" #~ msgstr "" #~ "#-#-#-#-# securing-debian-howto.fr.sgml:49 fr/intro.sgml:364 securing-" #~ "debian-howto.fr.sgml:49 fr/intro.sgml:462 securing-debian-howto.fr." #~ "sgml:49 fr/intro.sgml:481 securing-debian-howto.fr.sgml:49 fr/intro." #~ "sgml:505 securing-debian-howto.fr.sgml:49 fr/intro.sgml:524 securing-" #~ "debian-howto.fr.sgml:49 fr/intro.sgml:535 securing-debian-howto.fr." #~ "sgml:49 fr/intro.sgml:585 securing-debian-howto.fr.sgml:49 fr/intro." #~ "sgml:612 securing-debian-howto.fr.sgml:49 fr/intro.sgml:634 securing-" #~ "debian-howto.fr.sgml:49 fr/intro.sgml:650 securing-debian-howto.fr." #~ "sgml:49 fr/intro.sgml:685 #-#-#-#-#\n" #~ "Changements par Javier Fernández-Sanguino Peña\n" #~ "#-#-#-#-# securing-debian-howto.fr.sgml:49 fr/intro.sgml:704 securing-" #~ "debian-howto.fr.sgml:49 fr/intro.sgml:712 securing-debian-howto.fr." #~ "sgml:49 fr/intro.sgml:741 securing-debian-howto.fr.sgml:49 fr/intro." #~ "sgml:750 securing-debian-howto.fr.sgml:49 fr/intro.sgml:777 #-#-#-#-#\n" #~ "Modifications par Javier Fernández-Sanguino Peña\n" #~ "#-#-#-#-# securing-debian-howto.fr.sgml:49 fr/intro.sgml:704 securing-" #~ "debian-howto.fr.sgml:49 fr/intro.sgml:712 securing-debian-howto.fr." #~ "sgml:49 fr/intro.sgml:741 securing-debian-howto.fr.sgml:49 fr/intro." 
#~ "sgml:750 securing-debian-howto.fr.sgml:49 fr/intro.sgml:777 #-#-#-#-#\n" #~ "Modifications par Javier Fernández-Sanguino Peña\n" #~ "#-#-#-#-# securing-debian-howto.fr.sgml:49 fr/intro.sgml:704 securing-" #~ "debian-howto.fr.sgml:49 fr/intro.sgml:712 securing-debian-howto.fr." #~ "sgml:49 fr/intro.sgml:741 securing-debian-howto.fr.sgml:49 fr/intro." #~ "sgml:750 securing-debian-howto.fr.sgml:49 fr/intro.sgml:777 #-#-#-#-#\n" #~ "Modifications par Javier Fernández-Sanguino Peña\n" #~ "#-#-#-#-# securing-debian-howto.fr.sgml:49 fr/intro.sgml:704 securing-" #~ "debian-howto.fr.sgml:49 fr/intro.sgml:712 securing-debian-howto.fr." #~ "sgml:49 fr/intro.sgml:741 securing-debian-howto.fr.sgml:49 fr/intro." #~ "sgml:750 securing-debian-howto.fr.sgml:49 fr/intro.sgml:777 #-#-#-#-#\n" #~ "Modifications par Javier Fernández-Sanguino Peña\n" #~ "#-#-#-#-# securing-debian-howto.fr.sgml:49 fr/intro.sgml:704 securing-" #~ "debian-howto.fr.sgml:49 fr/intro.sgml:712 securing-debian-howto.fr." #~ "sgml:49 fr/intro.sgml:741 securing-debian-howto.fr.sgml:49 fr/intro." #~ "sgml:750 securing-debian-howto.fr.sgml:49 fr/intro.sgml:777 #-#-#-#-#\n" #~ "Modifications par Javier Fernández-Sanguino Peña\n" #~ "#-#-#-#-# securing-debian-howto.fr.sgml:49 fr/intro.sgml:784 securing-" #~ "debian-howto.fr.sgml:49 fr/intro.sgml:797 #-#-#-#-#\n" #~ "Modifications de Javier Fernández-Sanguino Peña\n" #~ "#-#-#-#-# securing-debian-howto.fr.sgml:49 fr/intro.sgml:784 securing-" #~ "debian-howto.fr.sgml:49 fr/intro.sgml:797 #-#-#-#-#\n" #~ "Modifications de Javier Fernández-Sanguino Peña" #~ msgid "Added some new items to the FAQ" #~ msgstr "Ajout de nouveaux sujets à la FAQ." #~ msgid "" #~ "You need to note down the date the removable media (if you are using it) " #~ "was made and check the security site in order to see if there are " #~ "security updates. 
If there are and you cannot download the packages from " #~ "the security site on another system (you are not connected to the " #~ "Internet yet? are you?) before connecting to the network you could " #~ "consider (if not protected by a firewall for example) adding firewall " #~ "rules so that your system could only connect to security.debian.org and " #~ "then run the update. A sample configuration is shown in ." #~ msgstr "" #~ "Vous devez noter la date à laquelle votre support amovible (si vous en " #~ "utilisez un) a été créé et vérifier le site de sécurité pour savoir s'il " #~ "y a eu des mises à jour de sécurité. S'il y en a eu et que vous ne pouvez " #~ "pas télécharger les paquets du site de sécurité sur un autre système " #~ "(vous n'êtes pas encore connecté à l'Internet, n'est-ce pas ?) avant " #~ "de vous connecter au réseau, vous devriez envisager (si vous n'êtes pas " #~ "protégé par un pare-feu par exemple) d'ajouter des règles de pare-feu " #~ "pour que votre système ne puisse se connecter qu'à security.debian.org et " #~ "ensuite réaliser la mise à jour. Une configuration exemple est donnée " #~ "dans ." #~ msgid "" #~ "Note:Since Debian woody 3.0, after installation you are given " #~ "the opportunity to add security updates to the system. If you say 'yes' " #~ "to this, the installation system will take the appropriate steps to add " #~ "the source for security updates to your package sources and your system, " #~ "if you have an Internet connection, will download and install any " #~ "security updates that might have been produced after your media was " #~ "created. If you are upgrading a previous version of Debian, or you asked " #~ "the installation system not to do this, you should take the steps " #~ "described here." #~ msgstr "" #~ "Remarque : Depuis Debian Woody 3.0, après " #~ "l'installation, il vous est donné la possibilité d'ajouter les mises à " #~ "jour de sécurité au système. 
Si vous répondez « oui » (yes) à cette question, le système d'installation fera les démarches " #~ "nécessaires pour ajouter la source pour les mises à jour de sécurité aux " #~ "sources de paquets et votre système, si vous êtes connecté à l'Internet, " #~ "téléchargera et installera toutes les mises à jour de sécurité qui auront " #~ "pu être produites depuis la création de votre support. Si vous mettez à " #~ "niveau depuis une version précédente de Debian ou si vous avez demandé au " #~ "système de ne pas faire cela, vous devriez suivre les étapes décrites ici." #~ msgid "" #~ "Once you've done this you can either use apt or " #~ "dselect to upgrade:" #~ msgstr "" #~ "Une fois ceci fait, vous pouvez utiliser soit apt, " #~ "soit dselect pour les mises à jour :" #~ msgid "If you want to use apt just do (as root):" #~ msgstr "" #~ "Si vous voulez utiliser apt, exécutez simplement (en " #~ "tant que superutilisateur) :" #~ msgid "Note: You do not need to add the following line:" #~ msgstr "" #~ "Remarque : vous n'avez pas besoin d'ajouter la ligne " #~ "suivante :" #~ msgid "" #~ " deb http://security.debian.org/debian-non-US stable/non-US main contrib " #~ "non-free" #~ msgstr "" #~ " deb http://security.debian.org/debian-non-US stable/non-US main contrib " #~ "non-free" #~ msgid "" #~ "this is because security.debian.org is hosted in a non-US location and " #~ "doesn't have a separate non-US archive." #~ msgstr "" #~ "car security.debian.org est hébergé à un emplacement hors des États-Unis " #~ "et n'a donc pas d'archive non-US séparée." #~ msgid "" #~ "Note that Debian 3.0 woody allows users to install 2.4 kernels " #~ "(selecting flavors), however the default kernel is 2.2 " #~ "(save for some architectures for which kernel 2.2 was not ported). If you " #~ "think this is a bug, see before reporting it." 
#~ msgstr "" #~ "Notez que Debian 3.0 Woody permet aux utilisateurs " #~ "d'installer des noyaux 2.4 (en sélectionnant des saveurs), " #~ "cependant le noyau par défaut est un 2.2 (excepté pour " #~ "certaines architectures pour lesquelles le noyau 2.2 n'a pas été " #~ "porté). Si vous pensez que cela est un bogue, veuillez consulter le avant " #~ "d'envoyer un rapport de bogue." #~ msgid "Disallow floppy booting" #~ msgstr "Interdire le démarrage sur disquette" #~ msgid "" #~ "The default MBR in Debian before version 2.2 did not act as a usual " #~ "master boot record and left open a method to easily break into a system:" #~ msgstr "" #~ "Le MBR par défaut dans Debian avant la version 2.2 ne fonctionnait pas " #~ "comme le master boot record habituel et laissait un moyen facile de " #~ "pénétrer un système :" #~ msgid "Press shift at boot time, and an MBR prompt appears" #~ msgstr "Appuyez sur shift lors du démarrage et le prompt du MBR apparaît" #~ msgid "" #~ "Then press F, and your system will boot from floppy disk. This can be " #~ "used to get root access to the system." #~ msgstr "" #~ "Ensuite appuyez sur F, et votre système démarrera à partir d'une " #~ "disquette de démarrage. Ceci peut être utilisé pour obtenir un accès root " #~ "au système." #~ msgid "This behavior can be changed by entering:" #~ msgstr "Ce comportement peut être modifié en entrant :" #~ msgid " lilo -b /dev/hda" #~ msgstr " lilo -b /dev/hda" #~ msgid "" #~ "Now LILO is put into the MBR. This can also be achieved by adding " #~ "boot=/dev/hda to lilo.conf. There is another " #~ "solution which will disable the MBR prompt completely:" #~ msgstr "" #~ "Maintenant LILO est mis dans le MBR. Ceci peut être fait également en " #~ "ajoutant boot=/dev/hda au fichier lilo.conf. 
Il y a " #~ "encore une autre solution qui désactivera complètement le prompt " #~ "MBR :" #~ msgid " install-mbr -i n /dev/hda" #~ msgstr " install-mbr -i n /dev/hda" #~ msgid "" #~ "On the other hand, this \"back door\", of which many people are just not " #~ "aware, may save your skin as well if you run into deep trouble with your " #~ "installation for whatever reasons." #~ msgstr "" #~ "D'un autre côté, cette « porte dérobée », dont de nombreuses " #~ "personnes ne sont pas au courant, peut aussi bien vous sauver la peau si " #~ "vous rencontrez de gros problèmes, quelles que soient les raisons, avec votre " #~ "installation." #~ msgid "" #~ "FIXME check whether this really is true as of 2.2 or was it 2.1? INFO: " #~ "The bootdisks as of Debian 2.2 do NOT install the mbr, but only LILO." #~ msgstr "" #~ "FIXME vérifier si cela touche réellement la 2.2 ou seulement la 2.1? " #~ "INFO: Les disques de démarrage de la 2.2 n'installent pas le mbr, mais " #~ "seulement LILO." #~ msgid "" #~ "Regarding noexec, please be aware that it might not offer you that much " #~ "security. Consider this:" #~ msgstr "" #~ "Concernant noexec, prenez conscience qu'il peut ne pas offrir le niveau " #~ "de sécurité désiré. Observons ceci :" #~ msgid "" #~ " $ cp /bin/date /tmp\n" #~ " $ /tmp/date\n" #~ " (does not execute due to noexec)\n" #~ " $/lib/ld-linux.so.2 /tmp/date\n" #~ " (works since date is not executed directly)" #~ msgstr "" #~ " $ cp /bin/date /tmp\n" #~ " $ /tmp/date\n" #~ " (n'est pas exécuté à cause de noexec)\n" #~ " $/lib/ld-linux.so.2 /tmp/date\n" #~ " (fonctionne correctement car date n'est pas exécuté directement)" #~ msgid "" #~ "If you set the variable FAILLOG_ENAB to yes, then you should " #~ "also set this variable to yes. This will record unknown usernames if the " #~ "login failed. 
If you do this, make sure the logs have the proper " #~ "permissions (640 for example, with an appropriate group setting such as " #~ "adm), because users often accidentally enter their password as the " #~ "username and you do not want others to see it." #~ msgstr "" #~ "Si vous mettez la variable FAILLOG_ENAB à yes, alors il faudra " #~ "mettre cette variable également à yes. Ceci sauvegardera les noms " #~ "d'utilisateurs inconnus si la connexion échoue. Si vous faites cela, " #~ "assurez-vous que les journaux de connexion ont les bonnes permissions " #~ "(640 par exemple avec un groupe adéquat comme adm), car souvent les " #~ "utilisateurs entrent accidentellement leur mot de passe au lieu du nom " #~ "d'utilisateur et vous ne voulez pas permettre aux autres utilisateurs de " #~ "le voir." #~ msgid "" #~ "Depending on your user policy you might want to change how information is " #~ "shared between users, that is, what the default permissions of new files " #~ "created by users are. This change is set by defining a proper umask setting for all users. You can change the UMASK setting in " #~ "/etc/limits.conf, /etc/profile, /etc/csh." #~ "cshrc, /etc/csh.login, /etc/zshrc and " #~ "probably some others (depending on the shells you have installed on your " #~ "system). Of all of these the last one that gets loaded takes precedence. " #~ "The order is: PAM's limits.conf, the default system " #~ "configuration for the user's shell, the user's shell (his ~/." #~ "profile, ~/.bash_profile...)" #~ msgstr "" #~ "Selon vos règles d'utilisation, vous pouvez vouloir changer comment les " #~ "utilisateurs peuvent partager des informations, c'est-à-dire, quelles " #~ "sont les permissions par défaut des fichiers nouvellements créés par les " #~ "utilisateurs. Ce changement est effectué en définissant un paramètre " #~ "umask correct pour tous les utilisateurs. 
Vous pouvez changer le " #~ "paramètre UMASK dans /etc/limits.conf, /etc/" #~ "profile, /etc/csh.cshrc, /etc/csh.login, " #~ "/etc/zshrc et probablement dans d'autres fichiers (selon les " #~ "shells que vous avez installés sur votre système). Parmi ceux-ci, le " #~ "dernier à être chargé prendra précédence sur les autres. L'ordre " #~ "est : le limits.conf de PAM, la configuration système " #~ "par défaut du shell de l'utilisateur, le shell de l'utilisateur (son " #~ "~/.profile, ~/.bash_profile, etc.)." #~ msgid "To see which packages use tcpwrappers try:" #~ msgstr "Pour voir quels paquets utilisent tcpwrappers, essayez ceci :" #~ msgid "" #~ " $ apt-cache showpkg libwrap0 | egrep '^[[:space:]]' | sort -u | \\\n" #~ " sed 's/,libwrap0$//;s/^[[:space:]]\\+//'" #~ msgstr "" #~ " $ apt-cache showpkg libwrap0 | egrep '^[[:space:]]' | sort -u | \\\n" #~ " sed 's/,libwrap0$//;s/^[[:space:]]\\+//'" #~ msgid "" #~ "NSA Enhanced Linux (in package selinux also available " #~ "from )" #~ msgstr "" #~ "NSA Enhanced Linux (du paquet selinux, également " #~ "disponible depuis )" #~ msgid "" #~ "FIXME: add more content, explain how these specific patches can be " #~ "installed in Debian using the kernel-2.x.x-patch-XXX packages." #~ msgstr "" #~ "FIXME : ajouter plus de contenu, expliquer comment ces " #~ "correctifs spécifiques peuvent être installés dans Debian en utilisant " #~ "les paquets kernel-2.x.x-patch-XXX." #~ msgid "" #~ "FIXME: Divide patches that apply only to 2.2 kernels, patches that apply " #~ "to 2.4 kernels and those that work with both." #~ msgstr "" #~ "FIXME : séparer les correctifs qui ne s'appliquent qu'aux " #~ "noyaux 2.2, les correctifs qui s'appliquent aux noyaux 2.4 et ceux qui " #~ "fonctionnent avec les deux." #~ msgid "" #~ " (HAP stands for Hank Approved Paranoid Linux). A collection " #~ "of security patches to the 2.2.x kernels." #~ msgstr "" #~ " (HAP veut dire Hank Approved Paranoid Linux). 
Une " #~ "collection de correctifs de sécurité pour les noyaux 2.2." #~ msgid "" #~ "using a library, such as , to overwrite vulnerable functions " #~ "and introduce proper checking (for information on how to install " #~ "libsafe read )." #~ msgstr "" #~ "utiliser une bibliothèque, comme , pour ré-écrire des fonctions " #~ "vulnérables et introduire une vérification correcte (pour des " #~ "informations sur l'installation de libsafe, veuillez " #~ "lire ) ;" #~ msgid "Libsafe protection" #~ msgstr "Protection Libsafe" #~ msgid "" #~ "Protecting a Debian GNU/Linux system with libsafe is " #~ "rather easy. Just install the package and say Yes to have the " #~ "library preloaded globally. Be careful, however, since this might break " #~ "software (notably, programs linked with the old libc5), so " #~ "make sure to read the first and test the most critical programs in " #~ "your system first with the libsafe wrapper program." #~ msgstr "" #~ "Protéger un système Debian GNU/Linux avec libsafe est " #~ "plutôt facile. Installez simplement le paquet et répondez Yes " #~ "pour avoir la bibliothèque préchargée globalement. Soyez attentif, " #~ "cependant, car cela peut casser des logiciels (notamment, des programmes " #~ "liés avec l'ancienne libc5), donc assurez-vous de lire les " #~ " en premier et testez d'abord les programmes les plus " #~ "critiques dans votre logiciel avec le programme d'enveloppement " #~ "libsafe." #~ msgid "" #~ "Important Note: Libsafe protection might not be " #~ "effective currently as describe in . Consider testing it thoroughly before " #~ "using it in a production environment and don't depend exclusively on it " #~ "to protect your system." #~ msgstr "" #~ "Note importante : la protection Libsafe peut " #~ "ne pas être actuellement effective comme décrit dans . 
Considérez de le tester de " #~ "manière approfondie avant de l'utiliser dans un environnement de " #~ "production et ne dépendez pas exclusivement dessus pour protéger votre " #~ "système." #~ msgid "FIXME: Mention signed binaries using say, bsign or elfsign" #~ msgstr "FIXME: mentionner les binaires signés utilisant bsign ou elfsign" #~ msgid "" #~ "do not give valid shells to users which are not allowed secure transfers. " #~ "The shells provided, however, should be programs that would make " #~ "connecting to the ssh server useful at all, such as menu programs (ala " #~ "BBS). Otherwise the previous option is preferred." #~ msgstr "" #~ "soit ne pas donner de shells valides aux utilisateurs qui ne sont pas " #~ "autorisés à faire des transferts sécurités. Cependant, les shells fournis " #~ "devraient être des programmes qui justifieraient la connexion au serveur " #~ "ssh par eux-même, comme des programmes de menus (ala BBS). Sinon, " #~ "l'option précédente est préférée." #~ msgid "And change it to:" #~ msgstr "Et changez cela en " #~ msgid "" #~ "Note: The disabled keyword is only available in Apache 1.3 and " #~ "above. If you are using older versions of Apache, you need to change the " #~ "configuration file and add:" #~ msgstr "" #~ "Remarque : Le mot-clé disabled n'est disponible que dans " #~ "Apache 1.3 et supérieur. Si vous utilisez d'anciennes versions " #~ "d'Apache, vous devez changer le fichier de configuration et ajouter :" #~ msgid "" #~ "<Directory /home/*/public_html>\n" #~ " AllowOverride None\n" #~ " Order deny,allow\n" #~ " Deny from all\n" #~ "</Directory>" #~ msgstr "" #~ "<Directory /home/*/public_html>\n" #~ " AllowOverride None\n" #~ " Order deny,allow\n" #~ " Deny from all\n" #~ "</Directory>" #~ msgid "" #~ "mason, an application which can propose firewall rules " #~ "based on the network traffic your system \"sees\"." 
#~ msgstr "" #~ "mason, une application qui peut suggérer des règles de " #~ "pare-feu basées sur le trafic réseau que votre système « voit »." #~ msgid "ferm" #~ msgstr "ferm," #~ msgid "lokkit or gnome-lokkit" #~ msgstr "lokkit ou gnome-lokkit." #~ msgid "" #~ "ipac-ng, helps setup not traditional firewall rules " #~ "but network traffic classification rules." #~ msgstr "" #~ "ipac-ng, aide à configurer non pas des règles de pare-" #~ "feu traditionnel, mais des règles de classement du trafic réseau." #~ msgid "filtergen" #~ msgstr "filtergen" #~ msgid "fiaif" #~ msgstr "fiaif" #~ msgid "hlfl" #~ msgstr "hlfl" #~ msgid "kmyfirewall" #~ msgstr "kmyfirewall" #~ msgid "netscript-2.4" #~ msgstr "netscript-2.4" #~ msgid "Doing it the (obsolete) Debian way" #~ msgstr "Le faire à la manière (obsolète) Debian" #~ msgid "" #~ "NOTE: This information only applies to iptables in " #~ "woody. Versions later than 1.2.7-8 don't any longer have the " #~ "init.d script described here. Users of Debian 3.1 or later releases " #~ "should either setup firewalling rules manually or use any of the firewall " #~ "generation programs described previously." #~ msgstr "" #~ "NOTE : Cette information ne s'applique qu'à " #~ "iptables de Woody. Les versions ultérieures à la " #~ "version 1.2.7-8 n'ont plus le script init.d décrit ici. Les " #~ "utilisateurs des versions 3.1 et ultérieures de Debian devraient " #~ "soit mettre en place les règles de pare-feu manuellement, soit utiliser " #~ "l'un des programmes de génération de pare-feu décrits précédemment." #~ msgid "" #~ "If you are using Debian 3.0 or later, you will notice that you have the " #~ "iptables package installed. This is the support for " #~ "the 2.4.4+ kernels netfilter implementation. Since just after " #~ "installation the system cannot know any firewall rules (firewall " #~ "rules are too system-specific) you have to enable iptables. 
However, the " #~ "scripts have been configured so that the administrator can set up " #~ "firewall rules and then have the init scripts learn them and use " #~ "them always as the setup for the firewall." #~ msgstr "" #~ "Si vous utilisez Debian 3.0, vous remarquerez que le paquet " #~ "iptables est déjà installé. Il s'agit du support pour " #~ "l'implémentation de netfilter des noyaux 2.4.4 et plus. Comme, juste " #~ "après l'installation, le système ne peut pas connaître de règles " #~ "de pare-feu (toute règle de pare-feu est trop dépendante du système), " #~ "vous devez activer iptables. Cependant, les scripts ont été configurés " #~ "pour que l'administrateur puisse configurer des règles de pare-feu, puis " #~ "que les scripts d'initialisation les apprennent et les utilisent " #~ "toujours pour la configuration du pare-feu." #~ msgid "In order to do so you must:" #~ msgstr "Pour faire cela, vous devez :" #~ msgid "" #~ "Configure the package so that it starts with the system. On newer " #~ "versions (since 1.2.6a-1) this is asked for when the package is " #~ "installed. You can configure it afterwards with dpkg-reconfigure -" #~ "plow iptables. Note: on older versions this was done by " #~ "editing /etc/default/iptables so that the variable " #~ "enable_iptables_initd was set to true." #~ msgstr "" #~ "configurer le paquet pour qu'il se lance avec le système. Sur les " #~ "versions plus récentes (depuis 1.2.6a-1), cela est demandé quand le " #~ "paquet est installé. Vous pouvez le configurer par la suite avec dpkg-" #~ "reconfigure -plow iptables. Note : sur les systèmes " #~ "plus anciens, cela était fait par l'édition du fichier /etc/default/" #~ "iptables pour que la variable enable_iptables_initd soit " #~ "positionnée à true." #~ msgid "" #~ "create a firewall setup using iptables, you can use the command line (see " #~ ") or some of the tools provided " #~ "by the Debian firewall packages (see ). 
You " #~ "need to create one set of firewall rules to be used when the firewall is " #~ "in active state and another to be used when the firewall is in " #~ "inactive state (these can be just empty rules)." #~ msgstr "" #~ "créer une configuration de pare-feu en utilisant iptables, vous pouvez " #~ "utiliser la ligne de commande (voir ) ou certains des outils fournis par les paquets de pare-feu de Debian " #~ "(voir ). Vous devez créer un jeu de règles de " #~ "pare-feu à utiliser quand le pare-feu est dans l'état actif et " #~ "un autre à utiliser quand le pare-feu est dans l'état inactif " #~ "(celles-ci peuvent être simplement des règles vides)." #~ msgid "" #~ "save the rules you created using /etc/init.d/iptables save active and /etc/init.d/iptables save inactive by running these " #~ "scripts with the firewall rules you want enabled." #~ msgstr "" #~ "sauver les règles que vous avez créé en utilisant /etc/init.d/" #~ "iptables save active et /etc/init.d/iptables save inactive " #~ "en exécutant ces scripts avec les règles de pare-feu que vous voulez " #~ "activées." #~ msgid "" #~ "Once this is done your firewall setup is saved in the /var/lib/" #~ "iptables/ directory and will be executed when the system boots (or " #~ "when running the initd script with start and stop " #~ "arguments). Please notice that the default Debian setups starts the " #~ "firewalling code in the multiuser runlevels (2 to 5) pretty soon (10). " #~ "Also, it is stopped in singleuser runlevel (1), change this if it does " #~ "not mach your local policy." #~ msgstr "" #~ "Une fois que ceci est fait, votre configuration de pare-feu est sauvée " #~ "dans le répertoire /var/lib/iptables/ et elle sera exécutée " #~ "lors de l'amorçage du système (ou lors de l'exécution du script d'initd " #~ "avec les paramètres start et stop). Veuillez noter que " #~ "les configurations Debian par défaut lance le code de pare-feu dans les " #~ "niveaux d'exécution multi-utilisateurs (2 à 5) assez tôt (10). 
Il est " #~ "stoppé dans le mode utilisateur seul (1), changez cela si cela ne " #~ "correspond pas à vos règles locales." #~ msgid "" #~ "Please read the inline comments in the /etc/default/iptables " #~ "configuration file for more information on the issues regarding this " #~ "package." #~ msgstr "" #~ "Veuillez lire les commentaires insérés dans le fichier de configuration " #~ "/etc/default/iptables pour plus d'informations concernant " #~ "les problèmes relatifs à ce paquet." #~ msgid "" #~ " which only the members of the security team read." #~ msgstr "" #~ " qui n'est lu que par les membres de l'équipe de sécurité." #~ msgid "" #~ " " #~ "which is read by all Debian developers (including the security team). " #~ "Mails sent to this list are not published in the Internet (it's not a " #~ "public mailing list)." #~ msgstr "" #~ " qui " #~ "est lu par tous les développeurs Debian (y compris l'équipe de sécurité). " #~ "Les messages envoyés sur cette liste ne sont pas publiés sur l'Internet " #~ "(ce n'est pas une liste publique)." #~ msgid "" #~ "Users who want to search for a particular CVE name can use the web search " #~ "engine available in debian.org to retrieve advisories available (in " #~ "English and translated to other languages) associated with CVE names. A " #~ "search can be made for a specific name (like advisory ) or for partial names (like all the 2002 " #~ "candidates included in advisories search for ). Notice that you need to enter the word advisory together " #~ "with the CVE name in order to retrieve only security advisories." #~ msgstr "" #~ "Les utilisateurs désirant chercher un nom particulier de CVE peuvent " #~ "utiliser le moteur de recherche disponible sur debian.org pour récupérer " #~ "les alertes disponibles (en anglais et traduites dans d'autres langues) " #~ "associées aux noms CVE. 
Une recherche peut être faite avec un nom " #~ "spécifique (comme alerte ) ou pour des noms partiels (comme une recherche de " #~ "tous les candidats 2002 inclus dans des alertes pour ). Notez que vous devez entrer le mot clé alerte " #~ "(« advisory » en anglais) avec le nom CVE pour ne récupérer que " #~ "les alertes de sécurité." #~ msgid "" #~ "While previously the task to build security updates was done by hand, it " #~ "is currently not (as Anthony Towns describes in sent to the debian-devel-announce " #~ "mailing list dated 8th June 2002.)" #~ msgstr "" #~ "Alors que précédemment la tâche de construction des mises à jour de " #~ "sécurité était faite à la main, ce n'est plus actuellement le cas (comme " #~ "le décrit Anthony Towns dans envoyé à la liste de diffusion debian-devel-announce " #~ "daté du 8 juin 2002)." #~ msgid "" #~ "This mail was sent by Wichert Akkerman to the in order to " #~ "describe Debian developer's behavior for handling security problems in " #~ "their packages. It is published here both for the benefit of developers " #~ "as well as for users to understand better how security is handled in " #~ "Debian." #~ msgstr "" #~ "Ce message a été envoyé par Wichert Akkerman à la pour " #~ "décrire le comportement des développeurs Debian pour la gestion des " #~ "problèmes de sécurité dans leurs paquets. Il est publié ici à la fois " #~ "pour le bénéfice des développeurs ainsi que pour que les utilisateurs " #~ "comprennent mieux comment est gérée la sécurité dans Debian." #~ msgid "" #~ "Please note that the uptodate reference for this information is the , this section will be " #~ "removed in the near future." #~ msgstr "" #~ "Veuillez noter que la référence à jour pour cette information est la , cette section sera " #~ "supprimée dans un avenir proche." 
#~ msgid "Coordinating with the security team" #~ msgstr "Se coordonner avec l'équipe de sécurité" #~ msgid "" #~ "If a developer learns of a security problem, either in his package or " #~ "someone else's, he should always contact the security team (at " #~ "team@security.debian.org). They keep track of outstanding security " #~ "problems, can help maintainers with security problems or fix them " #~ "themselves, are responsible for sending security advisories and " #~ "maintaining security.debian.org." #~ msgstr "" #~ "Si un développeur apprend un problème de sécurité soit dans son paquet ou " #~ "dans celui de quelqu'un d'autre, il devrait toujours contacter l'équipe " #~ "de sécurité (à team@security.debian.org). Ils suivent les problèmes de " #~ "sécurité existants, ils peuvent aider les responsables avec des problèmes " #~ "de sécurité ou les corriger eux-mêmes, ils sont responsables de l'envoi " #~ "des alertes de sécurité et maintiennent security.debian.org." #~ msgid "" #~ "Please note that security advisories are only done for release " #~ "distributions, not for testing, unstable (see ) " #~ "or older distributions (see )." #~ msgstr "" #~ "Veuillez noter que les alertes de sécurité ne sont effectuées que pour " #~ "des distributions stables, pas pour testing, unstable (voir ) ou d'anciennes distributions (voir )." 
#~ msgid "Learning of security problems" #~ msgstr "Prendre connaissance des problèmes de sécurité" #~ msgid "There are a few ways a developer can learn of a security problem:" #~ msgstr "" #~ "Il existe plusieurs façons pour un développeur de prendre connaissance " #~ "d'un problème de sécurité :" #~ msgid "he notices it on a public forum (mailing list, website, etc.):" #~ msgstr "" #~ "il le remarque sur un forum public (liste de diffusion, site web, etc.)," #~ msgid "" #~ "someone files a bugreport (the Security tag should be used, or " #~ "added by the developer)" #~ msgstr "" #~ "quelqu'un remplit un rapport de bogue, (la marque Security " #~ "devrait être utilisée ou ajoutée par le développeur)" #~ msgid "someone informs him via private email." #~ msgstr "quelqu'un l'informe par courrier privé." #~ msgid "" #~ "In the first two cases the information is public and it is important to " #~ "have a fix as soon as possible. In the last case however it might not be " #~ "public information. In that case there are a few possible options for " #~ "dealing with the problem:" #~ msgstr "" #~ "Dans les deux premiers cas, l'information est publique et il est " #~ "important d'avoir une solution le plus vite possible. Dans le dernier " #~ "cas, cependant, ce n'est peut-être pas une information publique. Dans ce " #~ "cas, il existe quelques options possibles pour traiter le problème :" #~ msgid "" #~ "if it is a trivial problem (like insecure temporary files) there is no " #~ "need to keep the problem a secret and a fix should be made and released." #~ msgstr "" #~ "si le problème est trivial (comme des fichiers temporaires non " #~ "sécurisés), il n'y a pas besoin de garder le secret sur le problème et " #~ "une correction devrait être effectuée et diffusée," #~ msgid "" #~ "if the problem is severe (remote exploitable, possibility to gain root " #~ "privileges) it is preferable to share the information with other vendors " #~ "and coordinate a release. 
The security team keeps contacts with the " #~ "various organizations and individuals and can take care of that." #~ msgstr "" #~ "si le problème est grave (exploitable à distance, possibilité d'obtenir " #~ "les privilèges root), il est préférable de partager cette information " #~ "avec d'autres vendeurs et de coordonner une diffusion. L'équipe de " #~ "sécurité garde des contacts avec les différentes organisations et " #~ "individus et peut prendre soin des actions à mener." #~ msgid "" #~ "In all cases if the person who reports the problem asks to not disclose " #~ "the information that should be respected, with the obvious exception of " #~ "informing the security team (the developer should make sure he tells the " #~ "security team that the information cannot be disclosed)." #~ msgstr "" #~ "Dans tous les cas, si la personne qui indique le problème demande à ce " #~ "que l'information ne soit pas diffusée, cela devrait être respecté avec " #~ "l'évidente exception d'informer l'équipe de sécurité (le développeur " #~ "devrait s'assurer de dire à l'équipe de sécurité que l'information ne " #~ "peut être dévoilée)." #~ msgid "" #~ "Please note that if secrecy is needed the developer can also not upload a " #~ "fix to unstable (or anywhere else), since the changelog information for " #~ "unstable is public information." #~ msgstr "" #~ "Veuillez noter que si le secret est nécessaire, vous ne pourrez pas " #~ "envoyer un correctif vers unstable (ou ailleurs) puisque les informations " #~ "de changelog sont publiques." #~ msgid "" #~ "There are two reasons for releasing information even though secrecy is " #~ "requested/required: the problem has been known for too long, or the " #~ "information becomes public." #~ msgstr "" #~ "Il existe deux raisons pour diffuser l'information même si le secret est " #~ "demandé : le problème est connu depuis un certain temps ou le " #~ "problème est devenu public." 
#~ msgid "Building a package" #~ msgstr "Construire le paquet" #~ msgid "" #~ "The most important guideline when making a new package that fixes a " #~ "security problem is to make as few changes as possible. People are " #~ "relying on the exact behavior of a release once it is made, so any change " #~ "made to it can possibly break someone's system. This is especially true " #~ "of libraries: the developer must make sure he never changes the API or " #~ "ABI, no matter how small the change." #~ msgstr "" #~ "La règle la plus importante lors de la construction d'un nouveau paquet " #~ "corrigeant un problème de sécurité est de faire aussi peu de " #~ "modifications que possible. Les personnes s'attendent à un comportement " #~ "identique dans une version lorsque celle-ci est diffusée, donc tout " #~ "changement qui est fait est susceptible de casser le système de " #~ "quelqu'un. Ceci est spécialement vrai pour les bibliothèques : " #~ "assurez-vous de ne jamais changer l'API ou l'ABI, quelque minimal que " #~ "soit le changement." #~ msgid "" #~ "In some cases it is not possible to backport a security fix, for example " #~ "when large amounts of source code need to be modified or rewritten. If " #~ "that happens it might be necessary to move to a new upstream version, but " #~ "it should always be coordinated with the security team beforehand." #~ msgstr "" #~ "Dans certains cas, il n'est pas possible de rétroporter un correctif de " #~ "sécurité, par exemple, quand de grandes quantités de code source doivent " #~ "être modifiées ou réécrites. Si cela se produit, il peut être nécessaire " #~ "de passer à une nouvelle version amont, mais vous devez toujours " #~ "coordonner cela avec l'équipe de sécurité au préalable." #~ msgid "" #~ "Related to this is another important aspect: developers must always test " #~ "their change. If there is an exploit the developer should try if it indeed " #~ "succeeds on the unpatched package and fails on the fixed package. 
The " #~ "developer should try normal usage as well, sometimes a security fix can " #~ "break normal use subtly." #~ msgstr "" #~ "Il existe une autre règle de conduite liée à cela : les développeurs " #~ "doivent toujours tester leurs changements. Si une exploitation du " #~ "problème existe, essayez-la et vérifiez qu'elle réussit sur le paquet non " #~ "corrigé et échoue sur le paquet corrigé. Testez aussi les autres actions " #~ "normales car parfois un correctif de sécurité peut casser de manière " #~ "subtile des fonctionnalités normales." #~ msgid "Finally a few technical things for developers to keep in mind:" #~ msgstr "" #~ "Enfin, quelques points techniques que les développeurs doivent garder à " #~ "l'esprit :" #~ msgid "" #~ "Make sure you target the right distribution in your debian/changelog. For " #~ "stable this is stable-security and for testing this is testing-security. " #~ "Do not target <codename>-proposed-updates." #~ msgstr "" #~ "Assurez-vous que vous avez pour cible la bonne distribution dans votre " #~ "fichier debian/changelog. Pour stable, il s'agit de stable-security et " #~ "pour testing, c'est testing-security. Ne ciblez pas <nomdecode>-" #~ "proposed-updates." #~ msgid "" #~ "Make sure the version number is proper. It has to be higher than the " #~ "current package, but lower than package versions in later distributions. " #~ "For testing this means there has to be a higher version in unstable. If " #~ "there is none yet (testing and unstable have the same version for " #~ "example) upload a new version to unstable first." #~ msgstr "" #~ "Assurez-vous que le numéro de version est correct. Il doit être plus " #~ "élevé que celui du paquet actuel, mais inférieur à ceux des paquets des " #~ "versions des distributions suivantes. Pour testing, il doit y avoir un " #~ "numéro de version supérieur dans unstable. 
S'il n'y en a pas encore (par " #~ "exemple, si testing et unstable ont la même version), vous devez envoyer " #~ "une nouvelle version vers unstable en premier." #~ msgid "" #~ "Do not make source-only uploads if your package has any binary-all " #~ "packages. The buildd infrastructure will not build those." #~ msgstr "" #~ "Ne faites pas d'envoi de source seul si votre paquet possède un ou " #~ "plusieurs paquets binary-all. L'infrastructure buildd ne " #~ "construira pas ceux-ci." #~ msgid "" #~ "Make sure when compiling a package you compile on a clean system which " #~ "only has package installed from the distribution you are building for. If " #~ "you do not have such a system yourself you can try a debian.org machine " #~ "(see http://db.debian.org/machines.cgi) or set up a chroot (the " #~ "pbuilder and debootstrap packages " #~ "can be helpful in that case)." #~ msgstr "" #~ "Assurez-vous de compiler sur un système propre, dont tous les paquets " #~ "appartiennent à la distribution pour laquelle vous construisez le paquet. " #~ "Si vous n'avez pas un tel système, vous pouvez utiliser l'une des " #~ "machines de debian.org (voir http://db.debian.org/machines.cgi) ou mettez " #~ "en place un chroot (les paquets pbuilder et " #~ "debootstrap peuvent s'avérer utiles dans ce cas)." #~ msgid "Uploading security fixes" #~ msgstr "Envoyer les correctifs de sécurité" #~ msgid "" #~ "After the developer has created and tested the new package it needs to be " #~ "uploaded so it can be installed in the archives. For security uploads the " #~ "place to upload to is ftp://security.debian.org/pub/SecurityUploadQueue/ ." #~ msgstr "" #~ "Une fois que le développeur a créé et testé le nouveau paquet, il doit " #~ "être envoyé pour être installé dans l'archive. Pour les envois de " #~ "sécurité, l'adresse d'envoi est ftp://security.debian.org/pub/" #~ "SecurityUploadQueue/." 
#~ msgid "" #~ "Once an upload to the security queue has been accepted the package will " #~ "automatically be rebuilt for all architectures and stored for " #~ "verification by the security team." #~ msgstr "" #~ "Une fois que l'envoi vers la file d'attente de sécurité a été accepté, le " #~ "paquet sera automatiquement recompilé pour toutes les architectures et " #~ "stocké pour vérification par l'équipe de sécurité." #~ msgid "" #~ "Uploads waiting for acceptance or verification are only accessible by the " #~ "security team. This is necessary since there might be fixes for security " #~ "problems that cannot be disclosed yet." #~ msgstr "" #~ "Les envois en attente d'acceptation ou de vérification ne sont " #~ "accessibles que par l'équipe de sécurité. C'est nécessaire car il " #~ "pourrait y avoir des correctifs pour des problèmes de sécurité qui ne " #~ "peuvent pas encore être diffusés." #~ msgid "" #~ "If a member of the security team accepts a package it will be installed " #~ "on security.debian.org as well as the proper <codename>-proposed-" #~ "updates in ftp-master or non-US archive." #~ msgstr "" #~ "Si une personne de l'équipe de sécurité accepte un paquet, il sera " #~ "installé sur security.debian.org ainsi que dans le répertoire <" #~ "nomdecode>-proposed-updates qui convient sur ftp-master ou dans " #~ "l'archive non-US." #~ msgid "The security advisory" #~ msgstr "Alertes de sécurité" #~ msgid "" #~ "Security advisories are written and posted by the security team. However " #~ "they certainly do not mind if a maintainer can supply (part of) the text " #~ "for them. Information that should be in an advisory is described in ." #~ msgstr "" #~ "Les alertes de sécurité sont écrites et envoyées par l'équipe de " #~ "sécurité. Cependant, ils ne verront aucun inconvénient à ce qu'un " #~ "responsable fournisse (une partie) du texte pour eux. Les informations " #~ "qui devraient être présentes dans une alerte sont décrites dans ." 
#~ msgid "" #~ "As of today (May 2005) Debian does not provide signed packages for the " #~ "distribution and the woody or sarge releases (3.0 or " #~ "3.1) do not integrate that feature. There is a solution for signed " #~ "packages which will be, hopefully, provided in the next release (codename " #~ "etch). This new feature is available in apt 0.6 (currently " #~ "available in the sid distribution, see )." #~ msgstr "" #~ "À ce jour (mai 2005), Debian ne fournit pas de paquets signés pour " #~ "la distribution et les versions Woody (3.0) et Sarge " #~ "(3.1) n'intègrent pas cette fonctionnalité. Il existe une solution pour " #~ "les paquets signés qui sera, espérons-le, fournie dans la prochaine " #~ "version (Etch). Cette nouvelle fonctionnalité sera disponible " #~ "dans apt 0.6 (actuellement disponible dans la distribution sid, voir )." #~ msgid "Apt-secure" #~ msgstr "Apt-secure" #~ msgid "" #~ "Instead of upgrading to a new release we backport security fixes to the " #~ "version that was shipped in the stable release. The reason we do this is " #~ "to make sure that a release changes as little as possible so things will " #~ "not change or break unexpectedly as a result of a security fix. You can " #~ "check if you are running a secure version of a package by looking at the " #~ "package changelog, or comparing its exact version number with the version " #~ "indicated in the Debian Security Advisory." #~ msgstr "" #~ "Au lieu de mettre à jour vers une nouvelle version, nous appliquons la " #~ "rustine de sécurité à la version présente dans la distribution stable. La " #~ "raison pour laquelle nous agissons ainsi est simple. Elle permet " #~ "d'assurer qu'une version a le moins de changements possible, de cette " #~ "manière les choses ne changeront pas ou ne se briseront pas à cause d'une " #~ "mise à jour de sécurité. 
Vous pouvez vérifier que vous utilisez une " #~ "version sécurisée de votre paquet en regardant le changelog du paquet ou " #~ "en comparant le numéro exact de version avec celui indiqué dans l'alerte " #~ "de sécurité Debian (Debian Security Advisory)." #~ msgid "" #~ "Audit applications in Debian or help solve security bugs and report " #~ "issues to security@debian.org. Other projects' work like the or the increase the security of Debian GNU/Linux, " #~ "since contributions will eventually help here, too." #~ msgstr "" #~ "Contrôlez les applications dans Debian ou aidez à résoudre les bogues et " #~ "rapportez les problèmes à security@debian.org. Le travail d'autres " #~ "projets tels que ou accroît la sécurité de Debian " #~ "GNU/Linux car les contributions apporteront peut-être une aide " #~ "supplémentaire." #~ msgid "" #~ "Disallow MBR floppy booting back door by overwriting the MBR (maybe not?)" #~ msgstr "" #~ "Interdire le démarrage par disquette sur le MBR en récrivant par dessus " #~ "le MBR (peut-être pas ?)" #~ msgid "Some guidelines:" #~ msgstr "Quelques lignes de conduite :" #~ msgid "" #~ "Download and manually (with dpkg) install necessary packages (see " #~ "installed packages list below)." #~ msgstr "" #~ "Télécharger et installer manuellement (avec dpkg) les paquets nécessaires " #~ "(voir la liste de paquets installés ci-dessous)." #~ msgid "" #~ "Download and install ACID (Analysis Console for Intrusion Databases)." #~ msgstr "" #~ "Télécharger et installer ACID (Analysis Console for Intrusion " #~ "Databases)." #~ msgid "" #~ "The standard Debian /etc/network/interfaces file normally " #~ "used to configure network cards cannot be used, since the ifup and ifdown programs expect an IP address. Instead, " #~ "simply use ifconfig eth0 up." 
#~ msgstr "" #~ "Le fichier standard Debian /etc/network/interfaces " #~ "normalement utilisé pour configurer les cartes réseau ne peut pas être " #~ "utilisé étant donné que les programmes ifup et ifdown attendent une adresse IP. Vous devez faire, simplement, " #~ "ifconfig eth0 up." #~ msgid "" #~ "Besides the base installation, acidlab also depends on " #~ "the packages php4 and apache among " #~ "others. Download the following packages (Note: the versions might vary " #~ "depending on which Debian distribution you are using, this list is from " #~ "Debian woody September 2001):" #~ msgstr "" #~ "En plus de l'installation standard Debian, acidlab " #~ "dépend également des paquets php4 et apache entre autres. Téléchargez les paquets suivants (note : les " #~ "versions peuvent différer en fonction de la distribution Debian que vous " #~ "utilisez, cette liste est pour Debian Woody de " #~ "septembre 2001) :" #~ msgid "" #~ "ACID-0.9.5b9.tar.gz\n" #~ "adduser_3.39_all.deb\n" #~ "apache-common_1.3.20-1_i386.deb\n" #~ "apache_1.3.20-1_i386.deb\n" #~ "debconf_0.9.77_all.deb\n" #~ "dialog_0.9a-20010527-1_i386.deb\n" #~ "fileutils_4.1-2_i386.deb\n" #~ "klogd_1.4.1-2_i386.deb\n" #~ "libbz2-1.0_1.0.1-10_i386.deb\n" #~ "libc6_2.2.3-6_i386.deb\n" #~ "libdb2_2.7.7-8_i386.deb\n" #~ "libdbd-mysql-perl_1.2216-2_i386.deb\n" #~ "libdbi-perl_1.18-1_i386.deb\n" #~ "libexpat1_1.95.1-5_i386.deb\n" #~ "libgdbmg1_1.7.3-27_i386.deb\n" #~ "libmm11_1.1.3-4_i386.deb\n" #~ "libmysqlclient10_3.23.39-3_i386.deb\n" #~ "libncurses5_5.2.20010318-2_i386.deb\n" #~ "libpcap0_0.6.2-1_i386.deb\n" #~ "libpcre3_3.4-1_i386.deb\n" #~ "libreadline4_4.2-3_i386.deb \n" #~ "libstdc++2.10-glibc2.2_2.95.4-0.010703_i386.deb\n" #~ "logrotate_3.5.4-2_i386.deb\n" #~ "mime-support_3.11-1_all.deb\n" #~ "mysql-client_3.23.39-3_i386.deb\n" #~ "mysql-common_3.23.39-3.1_all.deb\n" #~ "mysql-server_3.23.39-3_i386.deb\n" #~ "perl-base_5.6.1-5_i386.deb\n" #~ "perl-modules_5.6.1-5_all.deb\n" #~ "perl_5.6.1-5_i386.deb\n" #~ 
"php4-mysql_4.0.6-4_i386.deb\n" #~ "php4_4.0.6-1_i386.deb\n" #~ "php4_4.0.6-4_i386.deb\n" #~ "snort_1.7-9_i386.deb\n" #~ "sysklogd_1.4.1-2_i386.deb\n" #~ "zlib1g_1.1.3-15_i386.deb" #~ msgstr "" #~ "ACID-0.9.5b9.tar.gz\n" #~ "adduser_3.39_all.deb\n" #~ "apache-common_1.3.20-1_i386.deb\n" #~ "apache_1.3.20-1_i386.deb\n" #~ "debconf_0.9.77_all.deb\n" #~ "dialog_0.9a-20010527-1_i386.deb\n" #~ "fileutils_4.1-2_i386.deb\n" #~ "klogd_1.4.1-2_i386.deb\n" #~ "libbz2-1.0_1.0.1-10_i386.deb\n" #~ "libc6_2.2.3-6_i386.deb\n" #~ "libdb2_2.7.7-8_i386.deb\n" #~ "libdbd-mysql-perl_1.2216-2_i386.deb\n" #~ "libdbi-perl_1.18-1_i386.deb\n" #~ "libexpat1_1.95.1-5_i386.deb\n" #~ "libgdbmg1_1.7.3-27_i386.deb\n" #~ "libmm11_1.1.3-4_i386.deb\n" #~ "libmysqlclient10_3.23.39-3_i386.deb\n" #~ "libncurses5_5.2.20010318-2_i386.deb\n" #~ "libpcap0_0.6.2-1_i386.deb\n" #~ "libpcre3_3.4-1_i386.deb\n" #~ "libreadline4_4.2-3_i386.deb \n" #~ "libstdc++2.10-glibc2.2_2.95.4-0.010703_i386.deb\n" #~ "logrotate_3.5.4-2_i386.deb\n" #~ "mime-support_3.11-1_all.deb\n" #~ "mysql-client_3.23.39-3_i386.deb\n" #~ "mysql-common_3.23.39-3.1_all.deb\n" #~ "mysql-server_3.23.39-3_i386.deb\n" #~ "perl-base_5.6.1-5_i386.deb\n" #~ "perl-modules_5.6.1-5_all.deb\n" #~ "perl_5.6.1-5_i386.deb\n" #~ "php4-mysql_4.0.6-4_i386.deb\n" #~ "php4_4.0.6-1_i386.deb\n" #~ "php4_4.0.6-4_i386.deb\n" #~ "snort_1.7-9_i386.deb\n" #~ "sysklogd_1.4.1-2_i386.deb\n" #~ "zlib1g_1.1.3-15_i386.deb" #~ msgid "Installed packages (dpkg -l):" #~ msgstr "Paquets installés (dpkg -l) :" #~ msgid "" #~ "ii adduser 3.39\n" #~ "ii ae 962-26\n" #~ "ii apache 1.3.20-1\n" #~ "ii apache-common 1.3.20-1\n" #~ "ii apt 0.3.19\n" #~ "ii base-config 0.33.2\n" #~ "ii base-files 2.2.0\n" #~ "ii base-passwd 3.1.10\n" #~ "ii bash 2.03-6\n" #~ "ii bsdutils 2.10f-5.1\n" #~ "ii console-data 1999.08.29-11.\n" #~ "ii console-tools 0.2.3-10.3\n" #~ "ii console-tools- 0.2.3-10.3\n" #~ "ii cron 3.0pl1-57.2\n" #~ "ii debconf 0.9.77\n" #~ "ii debianutils 1.13.3\n" #~ "ii dialog 
0.9a-20010527-\n" #~ "ii diff 2.7-21\n" #~ "ii dpkg 1.6.15\n" #~ "ii e2fsprogs 1.18-3.0\n" #~ "ii elvis-tiny 1.4-11\n" #~ "ii fbset 2.1-6\n" #~ "ii fdflush 1.0.1-5\n" #~ "ii fdutils 5.3-3 \n" #~ "ii fileutils 4.1-2 \n" #~ "ii findutils 4.1-40\n" #~ "ii ftp 0.10-3.1\n" #~ "ii gettext-base 0.10.35-13\n" #~ "ii grep 2.4.2-1\n" #~ "ii gzip 1.2.4-33\n" #~ "ii hostname 2.07\n" #~ "ii isapnptools 1.21-2\n" #~ "ii joe 2.8-15.2 \n" #~ "ii klogd 1.4.1-2 \n" #~ "ii ldso 1.9.11-9 \n" #~ "ii libbz2-1.0 1.0.1-10\n" #~ "ii libc6 2.2.3-6\n" #~ "ii libdb2 2.7.7-8\n" #~ "ii libdbd-mysql-p 1.2216-2\n" #~ "ii libdbi-perl 1.18-1\n" #~ "ii libexpat1 1.95.1-5\n" #~ "ii libgdbmg1 1.7.3-27\n" #~ "ii libmm11 1.1.3-4\n" #~ "ii libmysqlclient 3.23.39-3\n" #~ "ii libncurses5 5.2.20010318-2\n" #~ "ii libnewt0 0.50-7 \n" #~ "ii libpam-modules 0.72-9\n" #~ "ii libpam-runtime 0.72-9 \n" #~ "ii libpam0g 0.72-9\n" #~ "ii libpcap0 0.6.2-1\n" #~ "ii libpcre3 3.4-1 \n" #~ "ii libpopt0 1.4-1.1\n" #~ "ii libreadline4 4.2-3 \n" #~ "ii libssl09 0.9.4-5 \n" #~ "ii libstdc++2.10 2.95.2-13 \n" #~ "ii libstdc++2.10- 2.95.4-0.01070\n" #~ "ii libwrap0 7.6-4 \n" #~ "ii lilo 21.4.3-2\n" #~ "ii locales 2.1.3-18\n" #~ "ii login 19990827-20\n" #~ "ii makedev 2.3.1-46.2\n" #~ "ii mawk 1.3.3-5\n" #~ "ii mbr 1.1.2-1 \n" #~ "ii mime-support 3.11-1 \n" #~ "ii modutils 2.3.11-13.1\n" #~ "ii mount 2.10f-5.1\n" #~ "ii mysql-client 3.23.39-3\n" #~ "ii mysql-common 3.23.39-3.1\n" #~ "ii mysql-server 3.23.39-3\n" #~ "ii ncurses-base 5.0-6.0potato1\n" #~ "ii ncurses-bin 5.0-6.0potato1\n" #~ "ii netbase 3.18-4 \n" #~ "ii passwd 19990827-20\n" #~ "ii pciutils 2.1.2-2\n" #~ "ii perl 5.6.1-5 \n" #~ "ii perl-base 5.6.1-5 \n" #~ "ii perl-modules 5.6.1-5\n" #~ "ii php4 4.0.6-4 \n" #~ "ii php4-mysql 4.0.6-4 \n" #~ "ii ppp 2.3.11-1.4\n" #~ "ii pppconfig 2.0.5\n" #~ "ii procps 2.0.6-5 \n" #~ "ii psmisc 19-2 \n" #~ "ii pump 0.7.3-2 \n" #~ "ii sed 3.02-5 \n" #~ "ii setserial 2.17-16\n" #~ "ii shellutils 2.0-7\n" #~ "ii slang1 1.3.9-1 \n" #~ 
"ii snort 1.7-9\n" #~ "ii ssh 1.2.3-9.3\n" #~ "ii sysklogd 1.4.1-2\n" #~ "ii syslinux 1.48-2\n" #~ "ii sysvinit 2.78-4 \n" #~ "ii tar 1.13.17-2 \n" #~ "ii tasksel 1.0-10 \n" #~ "ii tcpd 7.6-4 \n" #~ "ii telnet 0.16-4potato.1\n" #~ "ii textutils 2.0-2 \n" #~ "ii update 2.11-1 \n" #~ "ii util-linux 2.10f-5.1\n" #~ "ii zlib1g 1.1.3-15" #~ msgstr "" #~ "ii adduser 3.39\n" #~ "ii ae 962-26\n" #~ "ii apache 1.3.20-1\n" #~ "ii apache-common 1.3.20-1\n" #~ "ii apt 0.3.19\n" #~ "ii base-config 0.33.2\n" #~ "ii base-files 2.2.0\n" #~ "ii base-passwd 3.1.10\n" #~ "ii bash 2.03-6\n" #~ "ii bsdutils 2.10f-5.1\n" #~ "ii console-data 1999.08.29-11.\n" #~ "ii console-tools 0.2.3-10.3\n" #~ "ii console-tools- 0.2.3-10.3\n" #~ "ii cron 3.0pl1-57.2\n" #~ "ii debconf 0.9.77\n" #~ "ii debianutils 1.13.3\n" #~ "ii dialog 0.9a-20010527-\n" #~ "ii diff 2.7-21\n" #~ "ii dpkg 1.6.15\n" #~ "ii e2fsprogs 1.18-3.0\n" #~ "ii elvis-tiny 1.4-11\n" #~ "ii fbset 2.1-6\n" #~ "ii fdflush 1.0.1-5\n" #~ "ii fdutils 5.3-3 \n" #~ "ii fileutils 4.1-2 \n" #~ "ii findutils 4.1-40\n" #~ "ii ftp 0.10-3.1\n" #~ "ii gettext-base 0.10.35-13\n" #~ "ii grep 2.4.2-1\n" #~ "ii gzip 1.2.4-33\n" #~ "ii hostname 2.07\n" #~ "ii isapnptools 1.21-2\n" #~ "ii joe 2.8-15.2 \n" #~ "ii klogd 1.4.1-2 \n" #~ "ii ldso 1.9.11-9 \n" #~ "ii libbz2-1.0 1.0.1-10\n" #~ "ii libc6 2.2.3-6\n" #~ "ii libdb2 2.7.7-8\n" #~ "ii libdbd-mysql-p 1.2216-2\n" #~ "ii libdbi-perl 1.18-1\n" #~ "ii libexpat1 1.95.1-5\n" #~ "ii libgdbmg1 1.7.3-27\n" #~ "ii libmm11 1.1.3-4\n" #~ "ii libmysqlclient 3.23.39-3\n" #~ "ii libncurses5 5.2.20010318-2\n" #~ "ii libnewt0 0.50-7 \n" #~ "ii libpam-modules 0.72-9\n" #~ "ii libpam-runtime 0.72-9 \n" #~ "ii libpam0g 0.72-9\n" #~ "ii libpcap0 0.6.2-1\n" #~ "ii libpcre3 3.4-1 \n" #~ "ii libpopt0 1.4-1.1\n" #~ "ii libreadline4 4.2-3 \n" #~ "ii libssl09 0.9.4-5 \n" #~ "ii libstdc++2.10 2.95.2-13 \n" #~ "ii libstdc++2.10- 2.95.4-0.01070\n" #~ "ii libwrap0 7.6-4 \n" #~ "ii lilo 21.4.3-2\n" #~ "ii locales 2.1.3-18\n" #~ 
"ii login 19990827-20\n" #~ "ii makedev 2.3.1-46.2\n" #~ "ii mawk 1.3.3-5\n" #~ "ii mbr 1.1.2-1 \n" #~ "ii mime-support 3.11-1 \n" #~ "ii modutils 2.3.11-13.1\n" #~ "ii mount 2.10f-5.1\n" #~ "ii mysql-client 3.23.39-3\n" #~ "ii mysql-common 3.23.39-3.1\n" #~ "ii mysql-server 3.23.39-3\n" #~ "ii ncurses-base 5.0-6.0potato1\n" #~ "ii ncurses-bin 5.0-6.0potato1\n" #~ "ii netbase 3.18-4 \n" #~ "ii passwd 19990827-20\n" #~ "ii pciutils 2.1.2-2\n" #~ "ii perl 5.6.1-5 \n" #~ "ii perl-base 5.6.1-5 \n" #~ "ii perl-modules 5.6.1-5\n" #~ "ii php4 4.0.6-4 \n" #~ "ii php4-mysql 4.0.6-4 \n" #~ "ii ppp 2.3.11-1.4\n" #~ "ii pppconfig 2.0.5\n" #~ "ii procps 2.0.6-5 \n" #~ "ii psmisc 19-2 \n" #~ "ii pump 0.7.3-2 \n" #~ "ii sed 3.02-5 \n" #~ "ii setserial 2.17-16\n" #~ "ii shellutils 2.0-7\n" #~ "ii slang1 1.3.9-1 \n" #~ "ii snort 1.7-9\n" #~ "ii ssh 1.2.3-9.3\n" #~ "ii sysklogd 1.4.1-2\n" #~ "ii syslinux 1.48-2\n" #~ "ii sysvinit 2.78-4 \n" #~ "ii tar 1.13.17-2 \n" #~ "ii tasksel 1.0-10 \n" #~ "ii tcpd 7.6-4 \n" #~ "ii telnet 0.16-4potato.1\n" #~ "ii textutils 2.0-2 \n" #~ "ii update 2.11-1 \n" #~ "ii util-linux 2.10f-5.1\n" #~ "ii zlib1g 1.1.3-15" #~ msgid "" #~ " #!/bin/sh\n" #~ "\n" #~ " PATH=/sbin:/bin:/usr/sbin:/usr/bin\n" #~ "\n" #~ " test -x /usr/sbin/named || exit 0\n" #~ "\n" #~ " start () {\n" #~ " echo -n \"Starting domain name service: named\"\n" #~ " start-stop-daemon --start --quiet \\\n" #~ " --pidfile /var/run/named.pid --exec /usr/sbin/named \n" #~ " echo \".\"\n" #~ " }\n" #~ "\n" #~ " stop () {\n" #~ " echo -n \"Stopping domain name service: named\"\n" #~ " # --exec doesn't catch daemons running deleted instances of named,\n" #~ " # as in an upgrade. 
Fortunately, --pidfile is only going to hit\n" #~ " # things from the pidfile.\n" #~ " start-stop-daemon --stop --quiet \\\n" #~ " --pidfile /var/run/named.pid --name named\n" #~ " echo \".\"\n" #~ " }\n" #~ "\n" #~ " case \"$1\" in\n" #~ " start)\n" #~ " start\n" #~ " ;;\n" #~ "\n" #~ " stop)\n" #~ " stop\n" #~ " ;;\n" #~ "\n" #~ " restart|force-reload)\n" #~ " stop\n" #~ " sleep 2\n" #~ " start\n" #~ " ;;\n" #~ "\n" #~ " reload)\n" #~ " /usr/sbin/ndc reload\n" #~ " ;;\n" #~ "\n" #~ " *)\n" #~ " echo \"Usage: /etc/init.d/bind {start|stop|reload|restart|force-" #~ "reload}\" >&2\n" #~ " exit 1\n" #~ " ;;\n" #~ " esac\n" #~ "\n" #~ " exit 0" #~ msgstr "" #~ " #!/bin/sh\n" #~ "\n" #~ " PATH=/sbin:/bin:/usr/sbin:/usr/bin\n" #~ "\n" #~ " test -x /usr/sbin/named || exit 0\n" #~ "\n" #~ " start () {\n" #~ " echo -n \"Starting domain name service: named\"\n" #~ " start-stop-daemon --start --quiet \\\n" #~ " --pidfile /var/run/named.pid --exec /usr/sbin/named \n" #~ " echo \".\" \n" #~ " }\n" #~ "\n" #~ " stop () {\n" #~ " echo -n \"Stopping domain name service: named\"\n" #~ " # --exec doesn't catch daemons running deleted instances of named,\n" #~ " # as in an upgrade. Fortunately, --pidfile is only going to hit\n" #~ " # things from the pidfile.\n" #~ " start-stop-daemon --stop --quiet \\\n" #~ " --pidfile /var/run/named.pid --name named\n" #~ " echo \".\" \n" #~ " }\n" #~ "\n" #~ " case \"$1\" in\n" #~ " start)\n" #~ " start\n" #~ " ;;\n" #~ "\n" #~ " stop)\n" #~ " stop\n" #~ " ;;\n" #~ "\n" #~ " restart|force-reload)\n" #~ " stop\n" #~ " sleep 2\n" #~ " start\n" #~ " ;;\n" #~ "\n" #~ " reload)\n" #~ " /usr/sbin/ndc reload\n" #~ " ;;\n" #~ "\n" #~ " *)\n" #~ " echo \"Usage: /etc/init.d/bind {start|stop|reload|restart|force-" #~ "reload}\" >&2\n" #~ " exit 1\n" #~ " ;;\n" #~ " esac\n" #~ "\n" #~ " exit 0" #~ msgid "" #~ "FIXME: add IP address for security.debian.org (since otherwise you need " #~ "DNS up to work) on /etc/hosts." 
#~ msgstr "" #~ "FIXME: ajouter l'adresse IP pour security.debian.org dans /etc/hosts (car " #~ "sinon vous avez besoin que le DNS fonctionne)." #~ msgid "FIXME: test this setup to see if it works properly" #~ msgstr "" #~ "FIXME: tester cette configuration pour voir si cela fonctionne " #~ "correctement" #~ msgid "" #~ "Modify /etc/pam.d/ssh to use this PAM module, add as its " #~ "last line:" #~ msgstr "" #~ "modifier /etc/pam.d/ssh pour utiliser ce module PAM, ajouter " #~ "cette ligne à la fin du fichier :" #~ msgid "" #~ "set a proper chroot environment. You can either review /usr/share/" #~ "doc/libpam-chroot/examples/, use makejail or " #~ "setup a minimum Debian environment with debootstrap. " #~ "Make sure the environment includes the needed /dev/ptmx and " #~ "/dev/pty* devices and the /dev/pts/ " #~ "subdirectory (running MAKEDEV in the /dev directory of the " #~ "chrooted environment should be sufficient)." #~ msgstr "" #~ "positionner l'environnement de chroot correct. Vous pouvez soit consulter " #~ "/usr/share/doc/libpam-chroot/examples/, utiliser " #~ "makejail et mettre en place un environnement Debian " #~ "minimal avec debootstrap. Assurez-vous que " #~ "l'environnement inclut les périphériques nécessaires /dev/ptmx et /dev/pty* et le sous-répertoire /dev/pts/ (exécuter MAKEDEV dans le répertoire /dev devrait être " #~ "suffisant)." 
#~ msgid "" #~ "Configure SSH: If you are running a newer (post-3.4) version of OpenSSH " #~ "that uses Privilege Separation you need to disable it:" #~ msgstr "" #~ "configurer SSH : si vous utilisez une version plus récente " #~ "(après 3.4) d'OpenSSH qui utilise la séparation de privilèges, vous " #~ "devrez le désactiver avec :" #~ msgid "" #~ "Patching SSH to enable chroot functionality" #~ msgstr "Modifier SSH pour activer la fonctionnalité de chroot" #~ msgid "" #~ "A description of all the necessary steps can be found at (though it is aimed at RedHat 7.2 " #~ "users, almost all of them are applicable to Debian). After applying the " #~ "patch, modify /etc/passwd by changing the home path of the " #~ "users (with the special /./ token):" #~ msgstr "" #~ "Une description de toutes les étapes nécessaires peut-être trouvée sur " #~ " (pratiquement " #~ "tout est applicable à Debian même s'il est question de la RedHat 7.2). " #~ "Après l'application de la rustine, vous devez simplement modifier le " #~ "/etc/passwd en changeant le chemin personnel des " #~ "utilisateurs (avec le jeton spécial /./) :" #~ msgid "" #~ "./bin:\n" #~ "total 660\n" #~ "drwxr-xr-x 2 root root 4096 Mar 18 13:36 .\n" #~ "drwxr-xr-x 8 guest guest 4096 Mar 15 16:53 ..\n" #~ "-r-xr-xr-x 1 root root 531160 Feb 6 22:36 bash\n" #~ "-r-xr-xr-x 1 root root 43916 Nov 29 13:19 ls\n" #~ "-r-xr-xr-x 1 root root 16684 Nov 29 13:19 mkdir\n" #~ "-rwxr-xr-x 1 root root 23960 Mar 18 13:36 more\n" #~ "-r-xr-xr-x 1 root root 9916 Jul 26 2001 pwd\n" #~ "-r-xr-xr-x 1 root root 24780 Nov 29 13:19 rm\n" #~ "lrwxrwxrwx 1 root root 4 Mar 30 16:29 sh -> bash\n" #~ "\n" #~ "./etc:\n" #~ "total 24\n" #~ "drwxr-xr-x 2 root root 4096 Mar 15 16:13 .\n" #~ "drwxr-xr-x 8 guest guest 4096 Mar 15 16:53 ..\n" #~ "-rw-r--r-- 1 root root 54 Mar 15 13:23 group\n" #~ "-rw-r--r-- 1 root root 428 Mar 15 15:56 hosts\n" #~ "-rw-r--r-- 1 root root 44 Mar 15 15:53 passwd\n" #~ "-rw-r--r-- 1 root root 52 Mar 15 13:23 shells\n" #~ 
"\n" #~ "./lib:\n" #~ "total 1848\n" #~ "drwxr-xr-x 2 root root 4096 Mar 18 13:37 .\n" #~ "drwxr-xr-x 8 guest guest 4096 Mar 15 16:53 ..\n" #~ "-rwxr-xr-x 1 root root 92511 Mar 15 12:49 ld-linux.so.2\n" #~ "-rwxr-xr-x 1 root root 1170812 Mar 15 12:49 libc.so.6\n" #~ "-rw-r--r-- 1 root root 20900 Mar 15 13:01 libcrypt.so.1\n" #~ "-rw-r--r-- 1 root root 9436 Mar 15 12:49 libdl.so.2\n" #~ "-rw-r--r-- 1 root root 248132 Mar 15 12:48 libncurses.so.5\n" #~ "-rw-r--r-- 1 root root 71332 Mar 15 13:00 libnsl.so.1\n" #~ "-rw-r--r-- 1 root root 34144 Mar 15 16:10\n" #~ "libnss_files.so.2\n" #~ "-rw-r--r-- 1 root root 29420 Mar 15 12:57 libpam.so.0\n" #~ "-rw-r--r-- 1 root root 105498 Mar 15 12:51 libpthread.so.0\n" #~ "-rw-r--r-- 1 root root 25596 Mar 15 12:51 librt.so.1\n" #~ "-rw-r--r-- 1 root root 7760 Mar 15 12:59 libutil.so.1\n" #~ "-rw-r--r-- 1 root root 24328 Mar 15 12:57 libwrap.so.0\n" #~ "\n" #~ "./usr:\n" #~ "total 16\n" #~ "drwxr-xr-x 4 root root 4096 Mar 15 13:00 .\n" #~ "drwxr-xr-x 8 guest guest 4096 Mar 15 16:53 ..\n" #~ "drwxr-xr-x 2 root root 4096 Mar 15 15:55 bin\n" #~ "drwxr-xr-x 2 root root 4096 Mar 15 15:37 lib\n" #~ "\n" #~ "./usr/bin:\n" #~ "total 340\n" #~ "drwxr-xr-x 2 root root 4096 Mar 15 15:55 .\n" #~ "drwxr-xr-x 4 root root 4096 Mar 15 13:00 ..\n" #~ "-rwxr-xr-x 1 root root 10332 Mar 15 15:55 env\n" #~ "-rwxr-xr-x 1 root root 13052 Mar 15 13:13 id\n" #~ "-r-xr-xr-x 1 root root 25432 Mar 15 12:40 scp\n" #~ "-rwxr-xr-x 1 root root 43768 Mar 15 15:15 sftp\n" #~ "-r-sr-xr-x 1 root root 218456 Mar 15 12:40 ssh\n" #~ "-rwxr-xr-x 1 root root 9692 Mar 15 13:17 tty\n" #~ "\n" #~ "./usr/lib:\n" #~ "total 852\n" #~ "drwxr-xr-x 2 root root 4096 Mar 15 15:37 .\n" #~ "drwxr-xr-x 4 root root 4096 Mar 15 13:00 ..\n" #~ "-rw-r--r-- 1 root root 771088 Mar 15 13:01\n" #~ "libcrypto.so.0.9.6\n" #~ "-rw-r--r-- 1 root root 54548 Mar 15 13:00 libz.so.1\n" #~ "-rwxr-xr-x 1 root root 23096 Mar 15 15:37 sftp-server" #~ msgstr "" #~ "./bin:\n" #~ "total 660\n" #~ 
"drwxr-xr-x 2 root root 4096 Mar 18 13:36 .\n" #~ "drwxr-xr-x 8 guest guest 4096 Mar 15 16:53 ..\n" #~ "-r-xr-xr-x 1 root root 531160 Feb 6 22:36 bash\n" #~ "-r-xr-xr-x 1 root root 43916 Nov 29 13:19 ls\n" #~ "-r-xr-xr-x 1 root root 16684 Nov 29 13:19 mkdir\n" #~ "-rwxr-xr-x 1 root root 23960 Mar 18 13:36 more\n" #~ "-r-xr-xr-x 1 root root 9916 Jul 26 2001 pwd\n" #~ "-r-xr-xr-x 1 root root 24780 Nov 29 13:19 rm\n" #~ "lrwxrwxrwx 1 root root 4 Mar 30 16:29 sh -> bash\n" #~ "\n" #~ "./etc:\n" #~ "total 24\n" #~ "drwxr-xr-x 2 root root 4096 Mar 15 16:13 .\n" #~ "drwxr-xr-x 8 guest guest 4096 Mar 15 16:53 ..\n" #~ "-rw-r--r-- 1 root root 54 Mar 15 13:23 group\n" #~ "-rw-r--r-- 1 root root 428 Mar 15 15:56 hosts\n" #~ "-rw-r--r-- 1 root root 44 Mar 15 15:53 passwd\n" #~ "-rw-r--r-- 1 root root 52 Mar 15 13:23 shells\n" #~ "\n" #~ "./lib:\n" #~ "total 1848\n" #~ "drwxr-xr-x 2 root root 4096 Mar 18 13:37 .\n" #~ "drwxr-xr-x 8 guest guest 4096 Mar 15 16:53 ..\n" #~ "-rwxr-xr-x 1 root root 92511 Mar 15 12:49 ld-linux.so.2\n" #~ "-rwxr-xr-x 1 root root 1170812 Mar 15 12:49 libc.so.6\n" #~ "-rw-r--r-- 1 root root 20900 Mar 15 13:01 libcrypt.so.1\n" #~ "-rw-r--r-- 1 root root 9436 Mar 15 12:49 libdl.so.2\n" #~ "-rw-r--r-- 1 root root 248132 Mar 15 12:48 libncurses.so.5\n" #~ "-rw-r--r-- 1 root root 71332 Mar 15 13:00 libnsl.so.1\n" #~ "-rw-r--r-- 1 root root 34144 Mar 15 16:10\n" #~ "libnss_files.so.2\n" #~ "-rw-r--r-- 1 root root 29420 Mar 15 12:57 libpam.so.0\n" #~ "-rw-r--r-- 1 root root 105498 Mar 15 12:51 libpthread.so.0\n" #~ "-rw-r--r-- 1 root root 25596 Mar 15 12:51 librt.so.1\n" #~ "-rw-r--r-- 1 root root 7760 Mar 15 12:59 libutil.so.1\n" #~ "-rw-r--r-- 1 root root 24328 Mar 15 12:57 libwrap.so.0\n" #~ "\n" #~ "./usr:\n" #~ "total 16\n" #~ "drwxr-xr-x 4 root root 4096 Mar 15 13:00 .\n" #~ "drwxr-xr-x 8 guest guest 4096 Mar 15 16:53 ..\n" #~ "drwxr-xr-x 2 root root 4096 Mar 15 15:55 bin\n" #~ "drwxr-xr-x 2 root root 4096 Mar 15 15:37 lib\n" #~ "\n" #~ "./usr/bin:\n" #~ 
"total 340\n" #~ "drwxr-xr-x 2 root root 4096 Mar 15 15:55 .\n" #~ "drwxr-xr-x 4 root root 4096 Mar 15 13:00 ..\n" #~ "-rwxr-xr-x 1 root root 10332 Mar 15 15:55 env\n" #~ "-rwxr-xr-x 1 root root 13052 Mar 15 13:13 id\n" #~ "-r-xr-xr-x 1 root root 25432 Mar 15 12:40 scp\n" #~ "-rwxr-xr-x 1 root root 43768 Mar 15 15:15 sftp\n" #~ "-r-sr-xr-x 1 root root 218456 Mar 15 12:40 ssh\n" #~ "-rwxr-xr-x 1 root root 9692 Mar 15 13:17 tty\n" #~ "\n" #~ "./usr/lib:\n" #~ "total 852\n" #~ "drwxr-xr-x 2 root root 4096 Mar 15 15:37 .\n" #~ "drwxr-xr-x 4 root root 4096 Mar 15 13:00 ..\n" #~ "-rw-r--r-- 1 root root 771088 Mar 15 13:01\n" #~ "libcrypto.so.0.9.6\n" #~ "-rw-r--r-- 1 root root 54548 Mar 15 13:00 libz.so.1\n" #~ "-rwxr-xr-x 1 root root 23096 Mar 15 15:37 sftp-server" #~ msgid "Handmade environment (the hard way)" #~ msgstr "Environnement créé manuellement (la manière difficile)" #~ msgid "" #~ " by Jonathan, Network " #~ "Dweebs, 21/10/2002" #~ msgstr "" #~ " par Jonathan, Network " #~ "Dweebs, 21/10/2002" harden-doc-3.15.1/howto-source/README.translators0000644000000000000000000000737311770642147016407 0ustar KEEPING UP TO DATE ------------------ The "Securing Debian Manual" has been splitted into multiple files to make it easier for translators to track when a given section of the document is changed. There is a script (bin/doc-check) that can automate the process of checking if a given translation is update. Just run 'bin/doc-check XX' where XX is your language. In order for the script to check you need to introduce translation-specific headers in your files. It's the same idea as in Debian's webwml (Web), you have to add a comment in the header of your sgml translations indicating which english version you did translate. All the sgml files in the english directory have specific headers that give the version number. 
These headers are as follows: If this was the header of a given sgml file (for example faq.sgml) You will then need to modify the appropriate sgml file in your language subdirectory (XX/faq.sgml) and write: When you run bin/doc-check it will provide you with the changes, if any, introduced when the original version changes to a new version, for example, 1.3. TRANSLATOR's LIST ----------------- This is the list of the translators that are currently active with this document (just so nobody steps on somebody else's shoes): If you do not see advances/updates in a given language try to contact them and the debian translation team (debian-l10n-_AT_lists.debian.org). Keep in mind that these are the people that said "can I translate it to X" and I said "ok go ahead". It does not mean that they will get the job done. Translators for: - Japanese: (current version available 2.4) Oohara Yuma (he is the first who started translating this HOWTO, in january 2002) - Spanish: (current version available 2.3) Manuel Movilla Conchado , April 2004 Jaime Robles and Javier Fernández-Sanguino, June 2003 (previously) Héctor García Álvarez 2 April 2002. 
Translation is done also by Igor Támara Patiño - Italian: (current version available 2.97) Stefano Canepa June 2003 (previously) Ferdinando Ferranti (previously) Tommaso Moroni 11 June 2002 - German: (current version available is 3.8) Simon Brandmair March 2005, (previously) Alexander Schmehl 25 June 2003 - Russian: (current version available 1.1) ilgiz kalmetev 21 March 2002 - Brazilian Portuguese: (current version available 3.1) Philipe Gaspar , 11 March 2005 (previously) Alex Risicato Fagundes 21 March 2002 (previously) Michelle Ribeiro 10 October 2002 (previously) André Luís Lopes 26 December 2002 - French: (current version available is generated with po4a) David Prévot 21 June 2012 (previously) Simon Valiquette , 8 October 2006 (previously) Frédéric Bothamy 14 October 2004 (previously) Pierre Machard (previously) ASSAD Arnaud 26 March 2002 - Simplified Chinese: etony , 11 march 2005 (current version available is 3.2) - Swedish: Erik Johansson 17 April 2002 (not yet available) - Catalan: Pau Montero Pares 17 April 2002 (not yet available) -- Javier Fernández-Sanguino Peña Thu, 12 Oct 2006 12:42:13 +0200 harden-doc-3.15.1/howto-source/default.ent0000644000000000000000000000554611141702740015274 0ustar ]]> ]]> ]]> ]]> ]]> ]]> ]]> manualname"> packagename"> LANG"> LOCALE"> harden-doc-3.15.1/howto-source/de/0000755000000000000000000000000012015435302013514 5ustar harden-doc-3.15.1/howto-source/de/sec-tools.sgml0000644000000000000000000005273310643704617016337 0ustar Sicherheitswerkzeuge in Debian

FIXME: More content needed.

Debian stellt außerdem einige Sicherheitswerkzeuge zur Verfügung, die eine Debian-Maschine zum Zweck der Sicherheit passend einrichten können. Diese Zielsetzung schließt die Sicherung von Systeminformationen durch Firewalls (sowohl auf Paket- als auch auf Anwendungsebene), Eindringlingserkennung (netzwerk- und hostbasiert), Einschätzung der Verwundbarkeit, Antivirus, private Netzwerke und vieles mehr ein.

Seit Debian 3.0 (woody) ist kryptographische Software in der Hauptdistribution integriert. OpenSSH und GNU Privacy Guard sind in der Standardinstallation enthalten. Außerdem befinden sich jetzt in Web-Browsern und Web-Servern, Datenbanken usw. starke Verschlüsselungsmechanismen. Eine weitergehende Eingliederung von Kryptographie ist für zukünftige Veröffentlichungen geplant. Zuvor wurde diese Software aufgrund von Exportbeschränkungen in den USA nicht mit der Hauptdistribution ausgeliefert, sondern war nur auf Seiten außerhalb der USA erhältlich. Programme zur Fernprüfung der Verwundbarkeit

Die Werkzeuge, um Fernprüfungen der Verwundbarkeit durchzuführen, sind unter Debian: Manche von ihnen sind erhältlich, wenn Sie das Paket harden-remoteaudit installieren. nessus raccess nikto (Ersatz für whisker)

Das weitaus vollständigste und aktuellste Werkzeug ist nessus, welches aus einem Client (nessus) mit graphischer Benutzungsschnittstelle und einem Server (nessusd), der die programmierten Attacken startet, besteht. Nessus kennt verschiedene entfernte Verwundbarkeiten für einige Systeme, einschließlich Netzwerkanwendungen, FTP-Servern, WWW-Servern usw. Die neuesten Sicherheitsplugins sind sogar in der Lage, eine Web-Seite zu analysieren und zu versuchen, interaktive Inhalte zu entdecken, die zu einem Angriff genutzt werden können. Es existieren auch Java- und Win32-Clients, die benutzt werden können, um sich mit dem Nessus-Server zu verbinden. Diese sind jedoch in Debian nicht enthalten.

nikto ist ein Scanner zur Aufdeckung von Schwachstellen bei Webservern und kennt auch einige Anti-IDS-Taktiken (die meisten davon sind keine Anti-IDS-Taktiken mehr). Er ist einer der besten verfügbaren CGI-Scanner zur Erkennung von WWW-Servern und kann nur bestimmte Angriffe gegen ihn starten. Die Datenbank, die zum Scannen benutzt wird, kann sehr leicht geändert werden, um neue Informationen einzufügen. Werkzeuge zum Scannen von Netzwerken

Debian bietet Ihnen einige Werkzeuge zum Scannen von Hosts (aber nicht zur Gefahrenabschätzung). Diese Programme werden in manchen Fällen von Scannern zur Gefahrenabschätzung zu einem ersten "Angriff" gegen entfernte Rechner genutzt, um festzustellen, welche Dienste angeboten werden. Unter Debian sind im Moment verfügbar: nmap xprobe p0f knocker isic hping2 icmpush nbtscan (für die Prüfung von NetBIOS) fragrouter strobe (aus dem Paket netdiag) irpas

Während xprobe lediglich aus der Ferne das Betriebssystem erkennen kann (indem es TCP/IP-Fingerabdrücke benutzt), machen nmap und knocker beides: das Betriebssystem erkennen und die Ports eines entfernten Rechners scannen. Andererseits können hping2 und icmpush für ICMP-Angriffstechniken benutzt werden.

Nbtscan, das speziell für SMB-Netzwerke entworfen wurde, kann benutzt werden, um IP-Netzwerke zu scannen und diverse Informationen von SMB-Servern zu ermitteln einschließlich der Nutzernamen, Netzwerknamen, MAC-Adressen, ...

Dagegen kann fragrouter dazu verwendet werden, um Systeme zur Eindringlingserkennung zu testen und um zu sehen, ob das NIDS mit fragmentierten Angriffen umgangen werden kann.

FIXME: Check (ITP fragrouter) to see if it's included.

FIXME: add information based on which describes how to use Debian and a laptop to scan for wireless (803.1) networks (link not there any more). Interne Prüfungen

Derzeit kann lediglich das Programm tiger benutzt werden, um interne Prüfungen (auch "white box" genannt) eines Rechners vorzunehmen. Dabei wird festgestellt, ob das Dateisystem richtig aufgesetzt ist, welche Prozesse auf dem Rechner horchen, usw. Testen des Quellcodes

Debian bietet einige Pakete an, die C/C++-Quellcode prüfen und Programmierfehler finden, die zu möglichen Sicherheitsmängeln führen können: flawfinder rats splint pscan Virtual Private Networks (virtuelle private Netzwerke)

Ein virtuelles privates Netzwerk (VPN) ist eine Gruppe von zwei oder mehreren Computern, die typischerweise zu einem privaten Netzwerk mit begrenztem öffentlichen Netzwerkzugang verbunden sind und gesichert über ein öffentliches Netzwerk kommunizieren. VPNs können einen einzelnen Rechner mit einem privaten Netzwerk verbinden (Client-Server) oder ein entferntes LAN mit einem privaten Netzwerk (Server-Server). VPNs verwenden Verschlüsselung, starke Authentifikation von entfernten Nutzern oder Hosts und Methoden, um die Struktur des privaten Netzwerks zu verstecken.

Debian enthält einige Pakete, die zum Aufsetzen von verschlüsselten virtuellen privaten Netzwerken verwendet werden können: vtun tunnelv (Abschnitt non-US) cipe-source, cipe-common tinc secvpn pptpd openvpn openswan ()

FIXME: Update the information here since it was written with FreeSWAN in mind. Check Bug #237764 and Message-Id: <200412101215.04040.rmayr@debian.org>.

Das OpenSWAN-Paket ist wahrscheinlich die beste Wahl, da es nahezu mit allem zusammenarbeiten kann, das das IP-Security-Protokoll IPsec (RFC 2411) benutzt. Aber auch die anderen oben aufgeführten Pakete können Ihnen helfen, möglichst schnell einen sicheren Tunnel aufzusetzen. Das Point-to-Point-Tunneling-Protocol (PPTP) ist ein urheberrechtlich geschütztes Protokoll von Microsoft für VPN. Es wird unter Linux unterstützt, aber es sind einige schwere Sicherheitsprobleme bekannt.

Für weitere Informationen über IPsec und PPTP lesen Sie bitte das , über PPP über SSH das , das und das .

Es kann sich auch lohnen, sich anzusehen. Allerdings scheinen noch keine Pakete für Debian verfügbar zu sein. Point-to-Point-Tunneling

Wenn Sie einen tunnelnden Server für eine gemischte Umgebung (sowohl Microsofts Betriebssystem als auch Linux-Clients) zur Verfügung stellen wollen und IPsec keine Möglichkeit ist (da es nur in Windows 2000 und Windows XP enthalten ist), können Sie PoPToP (Point to Point Tunneling Server) verwenden. Er wird vom Paket pptpd bereitgestellt.

Wenn Sie Microsofts Authentifikation und Verschlüsselung mit dem Server verwenden wollen, die im Paket ppp enthalten sind, sollten Sie Folgendes aus der FAQ beachten: Sie müssen nur dann PPP 2.3.8 einsetzen, wenn Sie zu Microsoft kompatible MSCHAPv2/MPPE-Authentifikation und Verschlüsselung haben wollen. Der Grund dafür ist, dass der aktuelle MSCHAPv2/MPPE-Patch (19990813) gegen PPP 2.3.8 erstellt wurde. Wenn Sie keine zu Microsoft kompatible Authentifikation und Verschlüsselung brauchen, können Sie jede PPP-Quelle mit der Version 2.3.x verwenden.

Allerdings müssen Sie auf den Kernel einen Patch anwenden, der im Paket kernel-patch-mppe enthalten ist. Er stellt das Modul ppp_mppe für den pppd zur Verfügung.

Beachten Sie, dass Verschlüsselung in pptp erfordert, dass Sie die Nutzerpasswörter in Klartext speichern. Außerdem sind für das MS-CHAPv2-Protokoll Sicherheitsprobleme bekannt. Infrastruktur für öffentliche Schlüssel (Public Key Infrastructure, PKI)

Mit der Infrastruktur für öffentliche Schlüssel (PKI) wurde eine Sicherheitsarchitektur eingeführt, um den Grad der Vertrauenswürdigkeit von Informationen, die über unsichere Netzwerke ausgetauscht werden, zu erhöhen. Sie beruht auf dem Konzept von öffentlichen und privaten kryptographischen Schlüsseln, um die Identität des Absenders (Signierung) zu überprüfen und die Geheimhaltung zu sichern (Verschlüsselung).

Wenn Sie über die Einrichtung einer PKI nachdenken, sehen Sie sich mit einer breiten Palette von Problemen konfrontiert: eine Zertifizierungsstelle (Certification Authority, CA), die Zertifikate ausgeben und bestätigen und unter einer bestimmten Hierarchie arbeiten kann; ein Verzeichnis, das die öffentlichen Zertifikate der Benutzer enthält; eine Datenbank (?), um eine Liste von Widerrufen von Zertifikaten (Certificate Revocation Lists, CRL) zu verwalten; Geräte, die mit der CA zusammenarbeiten, um Smartcards/USB-Token oder ähnliches zu erzeugen und die Zertifikate sicher zu speichern; Anwendungen, die die von einer CA ausgestellten Zertifikate benutzen können, um verschlüsselte Kommunikation aufzubauen und bestimmte Zertifikate gegen die CRL zu prüfen (zur Authentifizierung und so genannte "full Single Sign On solutions"); eine Zeitstempel-Autorität, um Dokumente digital zu signieren; eine Verwaltungskonsole, von der aus dies alles vernünftig benutzt werden kann (Erstellung von Zertifikaten, Kontrolle der Widerruflisten, usw., ...)

Debian GNU/Linux beinhaltet Softwarepakete, die Ihnen bei einigen dieser PKI-Probleme helfen können. Dazu gehören OpenSSL (zur Erstellung von Zertifikaten), OpenLDAP (für ein Verzeichnis, um die Zertifikate zu speichern), gnupg und openswan (mit X.509-Unterstützung). Jedoch stellt Debian zum Zeitpunkt der Veröffentlichung von Woody (Debian 3.0) keine der frei verfügbaren Certificate Authorities wie zum Beispiel pyCA oder die CA-Muster von OpenSSL zur Verfügung. Für weitere Informationen lesen Sie bitte das . SSL-Infrastruktur

Debian stellt einige SSL-Zertifikate innerhalb der Distribution zur Verfügung, so dass Sie sie lokal installieren können. Sie befinden sich im Paket ca-certificates. Dieses Paket stellt eine zentrale Sammelstelle für Zertifikate dar, die an Debian übermittelt und vom Paketverwalter gebilligt (das heißt, verifiziert) wurden. Sie können für alle OpenSSL-Anwendungen, die SSL-Verbindungen verifizieren, nützlich sein.

FIXME: read debian-devel to see if there was something added to this. Antiviren-Programme

Es gibt nicht viele Antiviren-Programme in Debian, wahrscheinlich weil die Benutzer von GNU/Linux nicht von Viren betroffen sind. Das Sicherheitsmodell von Unix trifft eine Unterscheidung zwischen privilegierten Prozessen (Root) und den Prozessen der Benutzer. Daher kann ein "feindliches" Programm, das ein Benutzer empfängt oder erstellt und dann ausführt, nicht das System "infizieren" oder daran Veränderungen vornehmen. Es existieren dennoch Würmer und Viren für GNU/Linux, auch wenn es (bisher) keinen Virus gab, der sich im Freien weit über eine Debian-Distribution verbreitet hat. Wie dem auch sei, Administratoren sollten vielleicht Antiviren-Gateways aufbauen, um verwundbarere Systeme in ihrem Netzwerk vor Viren zu schützen.

Debian GNU/Linux bietet derzeit die folgenden Werkzeuge zum Erstellen von Antiviren-Umgebungen an: , das in Debian seit Sarge (der 3.1-Veröffentlichung) enthalten ist. Es sind Pakete sowohl für den Virusscanner (clamav) und den Scanner-Daemon (clamav-daemon) als auch für die Daten, die der Scanner benötigt, verfügbar. Da es für die richtige Arbeit eines Antivirus-Programms entscheidend ist, dass seine Daten auf dem neuesten Stand sind, gibt es zwei verschiedene Wege, um diese Daten aktuell zu halten: clamav-freshclam eröffnet die Möglichkeit, die Datenbank automatisch über das Internet zu aktualisieren, und clamav-data stellt die Daten unmittelbar zur Verfügung. Wenn Sie das letztere Paket verwenden und ein offizielles Debian betreiben, wird die Datenbank nicht im Zuge von Sicherheitsaktualisierungen auf den neuesten Stand gebracht. Sie sollten entweder clamav-freshclam verwenden, mit clamav-getfiles neue clamav-data-Pakete erstellen oder die Datenbank über die Seite der Betreuer aktuell halten: deb http://people.debian.org/~zugschlus/clamav-data/ / deb-src http://people.debian.org/~zugschlus/clamav-data/ / mailscanner ist ein Gateway-Scanner, der in E-Mails Viren und Spam entdeckt. Er arbeitet auf der Grundlage von sendmail oder exim und kann mehr als 17 verschiedene Virensuch-Engines (einschließlich clamav) verwenden. libfile-scan-perl, welches File::Scan liefert. Das ist eine Erweiterung von Perl, mit der Dateien nach Viren durchsucht werden können. Mit diesem Modul können plattformunabhängige Virenscanner realisiert werden. ist im Paket amavis-ng enthalten und in Sarge verfügbar. Es ist ein Virusscanner, der in verschiedene MTAs (Exim, Sendmail, Postfix oder Qmail) integriert werden kann. Er unterstützt mehr als 15 Virensuch-Engines (einschließlich clamav, File::Scan und openantivirus). , ein Werkzeug, das das Paket procmail verwendet. Es kann den Anhang von E-Mails nach Viren durchsuchen, Anhänge aufgrund ihres Dateinamens abweisen und vieles mehr. 
, ein Skript, das eine Schnittstelle vom Mail-Transport-Agent zu einem oder mehreren kommerziellen Viren-Scannern anbietet (dieses Paket ist lediglich für den MTA postfix bestimmt). exiscan, ein Virusscanner für E-Mails, der in Perl geschrieben wurde. Er arbeitet mit Exim zusammen. blackhole-qmail ist ein Spamfilter für Qmail mit eingebauter Unterstützung von Clamav.

Einige Gateway-Daemons bieten schon Programmerweiterungen an, um Antiviren-Umgebungen zu erstellen. Dazu gehören exim4-daemon-heavy (die heavy Version des Exim MTAs), frox (ein transparenter caching FTP-Proxyserver), messagewall (ein SMTP-Proxyserver) und pop3vscan (ein transparenter POP3-Proxy).

Zur Zeit ist als einziges Programm zum Auffinden von Viren clamav in der Hauptdistribution enthalten. Daneben bietet Debian verschiedene Schnittstellen an, mit denen Gateways mit Antivirus-Fähigkeiten für unterschiedliche Protokolle erstellt werden können.

Im Folgenden einige andere freie Antiviren-Projekte, die in der Zukunft in Debian GNU/Linux enthalten sein könnten: (siehe und ).

FIXME: Is there a package that provides a script to download the latest virus signatures from ?

FIXME: Check if scannerdaemon is the same as the open antivirus scanner daemon (read ITPs).

Allerdings wird Debian niemals proprietäre (unfreie und unverbreitbare) Antiviren-Software anbieten. Dazu zählen Panda Antivirus, NAI Netshield, , oder . Weitere Hinweise finden Sie im . Das bedeutet nicht, dass diese Software nicht richtig auf einem Debian-System installiert werden kann. Tatsächlich gibt es für das Antivirus-Programm F-prot das Installationspaket f-prot-installer, das zwar nicht frei, aber für Heimanwender kostenlos ist. Allerdings lädt dieser Installer die Software nur herunter und installiert sie.

Zusätzliche Informationen über das Aufsetzen eines Systems zur Virenerkennung erhalten Sie im Artikel von Dave Jones. GPG-Agent

Es ist heutzutage weit verbreitet, E-Mails digital zu unterschreiben (manchmal auch zu verschlüsseln). Sie können z.B. feststellen, dass viele Menschen auf Mailinglisten ihre E-Mails signieren. Signaturen mit öffentlichen Schlüsseln sind im Moment die einzige Möglichkeit festzustellen, ob eine E-Mail tatsächlich vom angegebenen Absender geschickt wurde und nicht von jemand anderem.

Debian GNU/Linux enthält eine Anzahl von E-Mail-Clients mit der eingebauten Fähigkeit, E-Mails zu signieren. Sie arbeiten entweder mit gnupg oder pgp zusammen: evolution. mutt. kmail. mozilla oder Thunderbird (im Paket mozilla-thunderbird enthalten), falls das -Plugin installiert ist, was durch das Paket mozilla-enigmail und mozilla-thunderbird-enigmail bereitgestellt wird. sylpheed. Abhängig davon wie sich die stabile Version dieses Pakets entwickelt, müssen Sie die bleeding edge Version, sylpheed-claws, verwenden. gnus wird mit dem Paket mailcrypt installiert und ist eine Schnittstelle für emacs zu gnupg. kuvert stellt diese Funktion unabhängig von Ihrem Mail-User-Agent (MUA) zur Verfügung, indem es mit dem Mail-Transport-Agent (MTA) arbeitet.

Key-Server ermöglichen es Ihnen, veröffentlichte öffentliche Schlüssel herunterzuladen, damit Sie Signaturen überprüfen können. Einer dieser Key-Server ist . gnupg kann automatisch öffentliche Schlüssel holen, die sich nicht schon in Ihrem öffentlichen Schlüsselbund befinden. Um beispielsweise gnupg so einzurichten, dass es den oben genannten Key-Server verwendet, müssen Sie die Datei ~/.gnupg/options bearbeiten und folgende Zeile hinzufügen: Weitere Beispiele, wie Sie gnupg konfigurieren können, finden Sie in /usr/share/doc/mutt/examples/gpg.rc. keyserver wwwkeys.pgp.net

Die meisten Key-Server sind miteinander verbunden. Wenn Sie also Ihren öffentlichen Schlüssel einem hinzufügen, wird er an alle anderen Key-Server weitergereicht. Da wäre auch noch das Debian GNU/Linux Paket debian-keyring, das die öffentlichen Schlüssel aller Debian-Entwickler enthält. Der Schlüsselbund von gnupg wird in /usr/share/keyrings/ installiert.

Weitere Informationen: . . . . . harden-doc-3.15.1/howto-source/de/before-compromise.sgml0000644000000000000000000013037310643704617020041 0ustar Vor der Kompromittierung Halten Sie Ihr System sicher

Sie sollten bestrebt sein, Ihr System sicher zu halten, indem Sie seine Verwendung und die es betreffenden Verwundbarkeiten im Auge behalten. Sobald Patches verfügbar sind, sollten Sie diese auch einspielen. Denn auch wenn Sie zu Beginn ein sehr sicheres System eingerichtet haben, sollten Sie sich erinnern, dass die Sicherheit eines Systems mit der Zeit nachlässt. Das liegt daran, dass Sicherheitslücken in Systemdiensten entdeckt werden können. Außerdem können Benutzer die Sicherheit untergraben, wenn ihnen das notwendige Verständnis fehlt (z.B. wenn sie entfernt auf ein System mit einem Klartextpasswort oder einem einfach zu erratenden Passwort zugreifen) oder gar weil sie aktiv versuchen, die Sicherheit des Systems auszuschalten (indem sie z.B. zusätzliche Dienste lokal in ihren Konten installieren).

Die meisten Administratoren werden sich Sicherheitslücken, die ihr System betreffen, bewusst, wenn sie den dazugehörigen Patch sehen. Sie können aber Angriffen schon im Vorfeld begegnen und vorübergehende Abwehrmaßnahmen einleiten, sobald Sie festgestellt haben, dass Ihr System verwundbar ist. Dies gilt besonders für exponierte Systeme (sind z.B. mit dem Internet verbunden), die Dienste anbieten. In diesem Fall sollte der Systemadministrator einen Blick auf die bekannten Informationsquellen werfen, um als erster zu wissen, wenn eine Sicherheitslücke für einen kritischen Dienst entdeckt wird.

Typischerweise abonniert man eine Mailingliste für Ankündigungen und beobachtet Webseiten oder Fehlerverfolgungssysteme der Software-Entwickler eines bestimmten Programms. So sollten beispielsweise Apache-Benutzer regelmäßig Apaches durchsehen und die Mailingliste abonnieren.

Um bekannte Sicherheitslücken, die die Debian-Distribution betreffen, zu verfolgen, bietet das Testing-Security-Team von Debian einen an. Dieser führt alle bekannten Sicherheitslücken auf, die in Paketen von Debian noch nicht ausgebessert wurden. Die Informationen im Tracker stammen aus öffentlich zugänglichen Quellen. Dazu zählen Datenbanken über Sicherheitslücken und die . Administratoren können nach bekannten Sicherheitsmängeln für , , oder suchen.

Der Tracker kann mittels einer Benutzerschnittstelle durchsucht werden (nach -Namen und dem Paketnamen). Einige Werkzeuge (wie zum Beispiel ) setzen diese Datenbank ein, um auf Verwundbarkeiten des betreffenden Systems hinzuweisen, die noch nicht ausgebessert wurden (d.h. für die eine Ausbesserung bevorsteht).

Sicherheitsbewusste Administratoren können mit diesen Informationen feststellen, welche Sicherheitslücken das System, das sie verwalten, betreffen könnten, wie schwer das Risiko der Lücke wiegt und ob vorübergehend Gegenmaßnahmen zu treffen sind (falls möglich), bis ein Patch verfügbar ist, der das Problem löst.

Sicherheitsprobleme in Veröffentlichungen, die vom Sicherheitsteam von Debian unterstützt werden, sollten irgendwann in Debian-Sicherheits-Ankündigungen (DSA) behandelt werden, die allen Benutzern zur Verfügung gestellt werden (vergleiche ). Sobald ein Sicherheitsproblem ausgebessert wurde und die Lösung in einer Ankündigung enthalten ist, wird es nicht mehr im Tracker aufgeführt. Sie können es aber immer noch mit einer Suchanfrage (nach dem CVE-Namen) finden, indem Sie verwenden.

Beachten Sie aber, dass die Informationen im Tracker des Debian-Testing-Sicherheitsteams nur bekannte Sicherheitslücken (d.h. solche, die öffentlich sind) beinhalten. In einigen Fällen gibt das Debian-Sicherheitsteam DSA für Pakete heraus, die auf vertraulichen Informationen beruhen, die das Team erhalten hat (z.B. über nicht-öffentliche Mailinglisten der Distributionen oder von Programmautoren). Seien Sie also nicht überrascht, in Sicherheitsankündigungen Sicherheitsprobleme zu entdecken, die nicht im Tracker enthalten sind. Fortlaufende Aktualisierung des Systems

Sie sollten regelmäßig Sicherheitsaktualisierungen durchführen. Der ganz überwiegende Anteil der Exploits nutzt bekannte Sicherheitslücken aus, die nicht rechtzeitig ausgebessert wurden. Dies wird in der dargestellt, die 2001 auf dem IEEE Symposium on Security and Privacy vorgestellt wurde. Das Durchführen einer Aktualisierung wird unter beschrieben. Überprüfung von Hand, welche Sicherheitsaktualisierungen verfügbar sind

Debian besitzt ein Werkzeug, um zu überprüfen, ob ein System aktualisiert werden muss (siehe Tiger unten). Viele Nutzer wollen aber einfach von Hand überprüfen, ob Sicherheitsaktualisierungen für ihr System zur Verfügung stehen.

Wenn Sie Ihr System nach der Beschreibung unter eingerichtet haben, müssen Sie nur Folgendes tun: # apt-get update # apt-get upgrade -s [ ... überprüfen der zu aktualisierenden Pakete ... ] # apt-get upgrade # checkrestart [ ... Neustart der Dienste, die neu gestartet werden müssen ... ]

Weiter müssen alle Dienste, deren Bibliotheken aktualisiert wurden, neu gestartet werden. Bemerkung: Lesen Sie für weitere Informationen zu Bibliotheks- (und Kernel-)Aktualisierungen.

Die erste Zeile wird die Liste der verfügbaren Pakete von den festgelegten Paketquellen herunterladen. Die Option -s wird eine Simulation durchführen, d.h. es werden keine Pakete heruntergeladen oder installiert. Vielmehr teilt es Ihnen mit, welche heruntergeladen und installiert werden sollen. Durch dieses Ergebnis könnten Sie erfahren, welche Pakete von Debian ausgebessert wurden und als Sicherheitsaktualisierung verfügbar sind. Zum Beispiel: # apt-get upgrade -s Reading Package Lists... Done Building Dependency Tree... Done 2 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded. Inst cvs (1.11.1p1debian-8.1 Debian-Security:3.0/stable) Inst libcupsys2 (1.1.14-4.4 Debian-Security:3.0/stable) Conf cvs (1.11.1p1debian-8.1 Debian-Security:3.0/stable) Conf libcupsys2 (1.1.14-4.4 Debian-Security:3.0/stable)

In diesem Beispiel können Sie erkennen, dass auf dem System cvs und cupsys mit neuen Versionen aus Woodys Sicherheitsarchiv aktualisiert werden müssen. Um herauszufinden, warum eine Aktualisierung notwendig ist, sollten Sie besuchen und sich ansehen, welche aktuellen Debian-Sicherheits-Ankündigungen zu diesen Paketen veröffentlicht wurden. In unserem Fall sind die zugehörigen DSA (für cvs) und (für cupsys).

Es ist zu beachten, dass der Rechner neugestartet werden muss, wenn der Kernel aktualisiert wurde. Automatisches Überprüfung von Aktualisierungen mit cron-apt

Eine andere Methode für automatische Sicherheitsaktualisierungen ist die Verwendung von cron-apt. Dieses Paket stellt ein Werkzeug zur Verfügung, mit dem das System in regelmäßigen Abständen (mit einem Cronjob) aktualisiert wird. Standardmäßig wird es die Paketliste aktualisieren und neue Pakete herunterladen. Es kann auch so konfiguriert werden, dass es Mails an den Systemadministrator schickt.

Hinweis: Wenn Sie vorhaben, Ihr System automatisch zu aktualisieren (auch wenn Sie sich nur die Pakete herunterladen), sollten Sie sich vielleicht die Distributionsversion ansehen, wie in beschrieben wird. Anderenfalls können Sie sich nicht sicher sein, dass die heruntergeladenen Pakete wirklich aus einer vertrauenswürdigen Quelle stammen. Verwendung von Tiger, um automatisch Sicherheitsaktualisierungen zu überprüfen

Wenn Sie nach einem Programm suchen, das schnell die Verwundbarkeit des Systems überprüft und gefundene Sicherheitslücken meldet, sollten Sie das Paket tiger ausprobieren. Das Paket besteht aus einer Anzahl von Skripten für die Bourne-Shell, C-Programmen und Datendateien, die dazu verwendet werden, um Sicherheitsaudits durchzuführen. Das Paket in Debian GNU/Linux beinhaltet zusätzliche Erweiterungen, die auf die Debian-Distribution abgestimmt sind. Damit stehen mehr Funktionen zur Verfügung als in den Tigerskripten von TAMU (oder sogar von TARA, eine Tigerversion, die von ARSC vertrieben wird). Lesen Sie für weitere Informationen die Datei README.Debian und die Handbuchseite .

Eine dieser Verbesserungen ist das Skript deb_checkadvisories. Dieses Skript verwendet eine Liste von DSAs und gleicht sie mit den installierten Paketen ab. Es meldet dann alle Pakete, die laut dem Debian Security Team verwundbar sind. Dies ist eine etwas andere, allgemeinere Herangehensweise als im Tigerskript check_signatures, das die MD5-Summen von Programmen mit bekannten Lücken testet.

Da Debian im Moment keine Liste der MD5-Summen von Programmen mit bekannten Lücken liefert (wie sie von anderen Betriebssystemen wie Sun Solaris verwendet wird), wird die Überprüfung-der-DSAs-Herangehensweise verwendet. Das Problem sowohl der Herangehensweise mit DSAs als auch der mit MD5-Summen ist, dass die Signaturen regelmäßig aktualisiert werden müssen.

Im Moment wird das dadurch gelöst, dass eine neue Version des Tigerpakets erstellt wird. Aber es steht nicht fest, dass der Paketbetreuer jedes Mal eine neue Version erstellt, wenn ein DSA bekannt gegeben wird. Eine nette Erweiterung, die aber noch nicht implementiert ist, wäre es, wenn das eigenständig durchgeführt wird. Das umfasst, dass die DSAs aus dem Netz heruntergeladen werden, eine Liste erstellt wird und dann die Prüfung durchgeführt wird. Die DSAs werden im Moment aus der lokalen CVS-Aktualisierung der WML-Quellen des Betreuers aktualisiert, die dazu verwendet werden, (der Webserver) zu erstellen.

Ein Programm wäre wünschenswert, das die DSAs, die per E-Mail empfangen wurden oder auf security.debian.org verfügbar sind, analysiert und dann die Datei erstellt, die von deb_checkadvisories verwendet wird, um Verwundbarkeiten zu bestätigen. Schicken Sie es als einen Fehlerbericht von tiger.

Die erwähnte Überprüfung wird über die Standardkonfiguration des Programms ausgeführt, wenn sie einmal eingerichtet wurde (siehe /etc/tiger/cronrc): # Check for Debian security measures every day at 1 AM # 1 * * deb_checkmd5sums deb_nopackfiles deb_checkadvisories #

Es gibt noch eine zusätzliche Überprüfung, die Sie vielleicht hinzufügen sollten, und welche noch kein Bestandteil des Standard-Cron-Skripts ist. Diese Überprüfung ist das Skript check_patches, das auf folgende Art und Weise funktioniert: führt apt-get update aus. überprüft, ob neue Pakete verfügbar sind.

Wenn Sie ein Stable-System betreiben und Sie die Apt-Quellen security.debian.org in Ihre /etc/apt/sources.list eingetragen haben (wie in beschrieben), wird dieses Skript Ihnen mitteilen können, ob neue Pakete verfügbar sind, die Sie installieren sollten. Da die einzigen Pakete, die sich bei dieser Einstellung verändern, Sicherheitsaktualisierungen sind, bekommen Sie genau das, was Sie wollen.

Das funktioniert natürlich nicht, wenn Sie Testing oder Sid/Unstable am Laufen haben, da wahrscheinlich neue Pakete zahlreicher sind als Sicherheitsaktualisierungen.

Sie können dieses Skript den Überprüfungen hinzufügen, die vom Cron-Job durchgeführt werden (in der obigen Konfigurationsdatei). Dadurch würde tigercron Mails mit neuen Paketen verschicken (an denjenigen, der von Tiger_Mail_RCPT in /etc/tiger/tigerrc bezeichnet wurde). # Check for Debian security measures every day at 1 am # 1 * * deb_checkmd5sums deb_nopackfiles check_patches # Andere Methoden für Sicherheitsaktualisierungen

Sie sollten auch einen Blick auf werfen. Es ist ein inoffizielles Programm, um Sicherheitsaktualisierungen von security.debian.org mit Prüfung der Signatur durchzuführen. Es wurde von Fruhwirth Clemens geschrieben. Vermeiden Sie den Unstable-Zweig

Falls Sie nicht Zeit darauf verwenden wollen, selbst Pakete zu patchen, wenn Verwundbarkeiten entdeckt werden, sollten Sie auf produktiven Systemen nicht Debians Unstable-Zweig verwenden. Der Hauptgrund dafür ist, dass es für Unstable keine Sicherheitsaktualisierungen gibt (siehe ).

Es ist eine Tatsache, dass manche Sicherheitsprobleme nur in Unstable auftreten und nicht in Stable. Das rührt daher, dass dort ständig neue Funktionen zu den Anwendungen hinzugefügt werden und auch neue Anwendungen aufgenommen werden, die unter Umständen noch nicht vollständig getestet wurden.

Um im Unstable-Zweig Sicherheitsaktualisierungen durchzuführen, müssen Sie vielleicht eine vollständige Aktualisierung mit einer neuen Version durchführen (was viel mehr als nur das betroffene Paket aktualisieren könnte). Sicherheitsaktualisierungen wurden - mit Ausnahmen - nur in den Stable-Zweig zurückportiert. Die Grundidee ist, dass zwischen den Aktualisierungen kein neuer Code hinzugefügt werden sollte, sondern nur Beseitigungen von wichtigen Problemen.

Denken Sie daran, dass Sie allerdings den Sicherheitstracker verwenden können (wie unter beschrieben), um bekannte Sicherheitsprobleme für diesen Zweig nachzuvollziehen. Sicherheitsunterstützung für den Testing-Zweig

Wenn Sie den Testing-Zweig verwenden, müssen Sie einige Problemkreise hinsichtlich der Verfügbarkeit von Sicherheitsaktualisierungen in Betracht ziehen: Wenn eine Sicherheitslücke geschlossen wurde, portiert das Security Team den Patch nach Stable zurück (da Stable normalerweise einige Minor- oder Majorversionen zurückliegt). Die Paketbetreuer sind dafür verantwortlich, Pakete für den Unstable-Zweig vorzubereiten. Grundlage dafür ist normalerweise eine neue Veröffentlichung des Originalprogramms. Manchmal ereignen sich die Änderungen fast zur selben Zeit, und manchmal enthält eine der Veröffentlichungen eine Ausbesserung einer Sicherheitslücke vor einer anderen. Pakete in Stable werden gründlicher getestet als die in Unstable, da letztere in den meisten Fällen die neueste Veröffentlichung des Originalprogramms enthält (welches neue, unbekannte Fehler enthalten könnte). Gewöhnlich sind Sicherheitsaktualisierungen für den Unstable-Zweig verfügbar, wenn der Paketbetreuer ein neues Paket baut, und für den Stable-Zweig, wenn das Security Team eine neue Version hochlädt und ein DSA veröffentlicht. Beachten Sie, dass beides nicht den Testing-Zweig verändert. Wenn keine (neuen) Fehler in der Unstable-Version des Pakets entdeckt werden, wandert es nach ein paar Tagen nach Testing. Das dauert normalerweise zehn Tage. Es hängt allerdings von der Priorität des Hochladens der Veränderung ab und davon, ob das Paket von Testing zurückgehalten wird, da Abhängigkeiten nicht aufgelöst werden können. Beachten Sie, dass, wenn das Paket daran gehindert ist, nach Testing zu wandern, auch die Priorität des Hochladens daran nichts ändern kann.

Dieses Verhalten könnte sich je nach dem Status der Veröffentlichung der Distribution verändern. Wenn eine Veröffentlichung unmittelbar bevorsteht, werden auch das Sicherheitsteam oder die Paketbetreuer direkt Aktualisierungen für Testing zur Verfügung stellen.

Zusätzlich kann auch das Debian-Testing-Sicherheitsankündigungen (DTSA) für Pakete im Testing-Zweig herausgeben, wenn sofort eine Lücke in diesem Zweig geschlossen werden muss und die normale Vorgehensweise nicht abgewartet werden kann (oder die übliche Vorgehensweise durch andere Pakete blockiert ist).

Benutzer, die von diesem Angebot Gebrauch machen wollen, müssen folgende Zeilen ihrer /etc/apt/sources.list (anstatt der Zeilen, die unter dargestellt wurden) hinzufügen: deb http://secure-testing.debian.net/debian-secure-testing etch/security-updates main contrib non-free # Diese Zeile macht es möglich, auch Quellpakete herunterzuladen # FIXME: donwload deb-src http://secure-testing.debian.net/debian-secure-testing etch/security-updates main contrib non-free

Für weitere Informationen zu diesem Angebot können Sie die entsprechende lesen. Dieses Angebot startete offiziell im September 2005. Automatische Aktualisierungen in einem Debian GNU/Linux System

Es sei vorweggeschickt, dass automatische Aktualisierungen nicht vollständig empfohlen werden, da Administratoren die DSAs durchsehen und die Bedeutung einer bestimmten Sicherheitsaktualisierung verstehen sollten.

Wenn Sie Ihr System automatisch aktualisieren wollen, sollten Sie Folgendes durchführen: Konfigurieren Sie apt so, dass Pakete, die Sie nicht aktualisieren wollen, ihre momentane Version beibehalten. Das können Sie entweder mit einer Eigenschaft von apt, dem pinning (festheften), erreichen, oder Sie kennzeichnen sie mit dpkg oder dselect als hold (festgehalten).

Um Pakete einer bestimmten Veröffentlichung mit pinning festzuheften, müssen Sie /etc/apt/preferences bearbeiten (siehe ) und Folgendes hinzufügen: Package: * Pin: release a=stable Pin-Priority: 100

FIXME: verify if this configuration is OK. Entweder setzen Sie cron-apt ein, wie in beschrieben wird, und erlauben ihm, heruntergeladene Pakete zu installieren. Oder Sie fügen selbst einen Eintrag für cron hinzu, damit die Aktualisierung täglich ausgeführt wird. Ein Beispiel: apt-get update && apt-get -y upgrade

Die Option -y veranlasst apt, für alle Fragen, die während der Aktualisierung auftreten können, 'yes' anzunehmen. In manchen Fällen sollten Sie die Option --trivial-only (nur Bagatellen) der Option --assume-yes (ist gleichbedeutend mit -y) vorziehen. Sie können auch die Option --quiet (-q) verwenden. Sie verringert die Ausgabe von apt-get und wird keine Ausgabe produzieren, wenn keine Pakete installiert werden. Richten Sie debconf so ein, dass während der Aktualisierung keine Eingabe verlangt wird. Auf diese Weise können Aktualisierungen nicht-interaktiv durchgeführt werden. Beachten Sie, dass einige Pakete nicht debconf verwenden könnten. Die Aktualisierung könnte dann hängen bleiben, da Pakete während ihrer Konfiguration Eingaben des Nutzers verlangen. Überprüfen Sie die Ergebnisse der Ausführung von cron, die an den Superuser gemailt werden (sofern nicht die Umgebungsvariable MAILTO im Skript geändert wurde).

Eine sichere Alternative könnte es sein, die Option -d (oder --download-only) zu verwenden. Das hat zur Folge, dass die benötigten Pakete nur heruntergeladen, aber nicht installiert werden. Und wenn dann die Ausführung von cron zeigt, dass das System aktualisiert werden muss, kann das von Hand vorgenommen werden.

Um diese Aufgaben zu erfüllen, muss das System korrekt konfiguriert sein, um Sicherheitsaktualisierungen herunterzuladen. Dies wurde in diskutiert.

Allerdings wird dieses Vorgehen ohne eine genaue Analyse nicht für Unstable empfohlen, da Sie Ihr System in einen unbrauchbaren Zustand bringen können, wenn sich ein gravierender Fehler in ein wichtiges Paket eingeschlichen hat und auf Ihrem System installiert wird. Testing ist vor diesem Problem etwas besser geschützt, da gravierende Fehler eine bessere Chance haben entdeckt zu werden, bevor das Paket in den Testing-Zweig wandert (obwohl Ihnen trotzdem keine Sicherheitsaktualisierungen zur Verfügung stehen).

Wenn Sie eine gemischte Distribution haben, also eine Installation von Stable mit einigen Paketen aus Testing oder Unstable, können Sie mit den Pinning-Eigenschaften oder der Option --target-release von apt-get herumspielen, um nur die Pakete zu aktualisieren, die Sie früher aktualisiert haben. Dies ist ein verbreitetes Problem, da viele Nutzer ein stabiles System betreiben wollen, aber einige Pakete aus Unstable einsetzen, um die neusten Funktionen zu haben. Das kommt daher, dass sich manche Projekte schneller entwickeln als die Veröffentlichungen von Debians Stable. Periodische Überprüfung der Integrität

Mit Hilfe der Basisinformationen, die Sie nach der Installation erstellt haben (also mit dem Schnappschuss, der in beschrieben wird), sollte es Ihnen möglich sein, von Zeit zu Zeit die Integrität des Systems zu überprüfen. Eine Integritätsprüfung kann Veränderungen am Dateisystem entdecken, die durch einen Eindringling oder einen Fehler des Systemadministrators entstanden sind.

Überprüfungen der Integrität sollten, wenn möglich, von außerhalb durchgeführt werden. Ein leichter Weg, das zu tun, ist die Verwendung einer Live-CD wie , die sowohl die Programme zur Integritätsprüfung als auch die dazugehörige Datenbank enthält. Das bedeutet, dass das Betriebssystem des überprüften Systems nicht verwendet wird, um den falschen Eindruck von Sicherheit (also falsche Negative) zu verhindern, der z.B. durch installierte Rootkits entstehen könnte. Die Datenbank, mit der das System verglichen wird, sollte sich daher auf einem nur-lesbaren Medium befinden.

Falls der Einsatz eines außenstehenden Systems keine Möglichkeit ist, sollten Sie in Betracht ziehen, die Integritätsprüfung mit den verfügbaren Werkzeugen zur Prüfung der Integrität des Dateisystems durchzuführen. Allerdings sollten Vorsichtsmaßnahmen getroffen werden: Die Datenbank für die Integritätsprüfung sollte nur-lesbar sein, und Sie sollten auch sicherstellen, dass das Programm, das die Integrität überprüft, (und der Kernel des Betriebssystems) nicht manipuliert wurde.

Einige Werkzeuge, die im Abschnitt über Programme zur Integritätsprüfung beschrieben wurden, wie z.B. aide, integrit und samhain, sind schon so eingerichtet, dass sie regelmäßige Nachprüfungen durchführen (mittels crontab in den ersten beiden Fällen und mittels eines eigenständigen Daemons bei samhain). Sie können den Administrator auf verschiedenen Wegen warnen (normalerweise E-Mail, aber samhain kann auch Pager-Nachrichten, SNMP-Traps oder einen Alarm an syslog schicken), wenn sich das Dateisystem verändert.

Wenn Sie eine Sicherheitsaktualisierung des Systems vorgenommen haben, müssen Sie natürlich den Schnappschuss des Systems neu aufzeichnen, um ihn an die Änderungen durch die Sicherheitsaktualisierung anzupassen. Aufsetzen einer Eindringlingserkennung

Debian GNU/Linux enthält Programme zur Erkennung von Eindringlingen. Das sind Programme, die unpassende oder bösartige Aktivitäten auf Ihrem lokalen System oder auf anderen Systemen in Ihrem lokalen Netzwerk entdecken. Diese Art von Verteidigung ist wichtig, wenn das System sehr entscheidend ist oder Sie wirklich unter Verfolgungswahn leiden. Die gebräuchlichsten Herangehensweisen sind die statistische Entdeckung von Unregelmäßigkeiten und die Entdeckung bestimmter Muster.

Beachten Sie immer, dass Sie einen Alarm-und-Antwort-Mechanismus brauchen, um Ihre Systemsicherheit mit einem dieser Werkzeuge wirklich zu verbessern. Eindringlingserkennung ist Zeitverschwendung, wenn Sie niemanden alarmieren werden.

Wenn ein bestimmter Angriff entdeckt worden ist, werden die meisten Programme zur Eindringlingserkennung entweder den Vorfall mit syslog protokollieren oder E-Mails an Root schicken (der Empfänger der E-Mails kann normalerweise eingestellt werden). Ein Administrator muss die Programme passend konfigurieren, so dass falsche Positivmeldungen keinen Alarm auslösen. Alarme können auf einen laufenden Angriff hindeuten und wären später – sagen wir mal am nächsten Tag – nicht mehr nützlich, da der Angriff dann bereits erfolgreich beendet worden sein könnte. Stellen Sie also sicher, dass es eine passende Regelung über die Handhabung von Alarmen gibt, und dass technische Maßnahmen zur Umsetzung dieser Regelung vorhanden sind.

Eine interessante Quelle für Information ist Netzwerk basierende Eindringlingserkennung

Programme, die der Netzwerk basierende Eindringlingserkennung dienen, überwachen den Verkehr eines Netzwerkabschnitts und arbeiten auf Grundlage dieser Daten. Genauer ausgedrückt, es werden die Pakete im Netzwerk untersucht, um festzustellen, ob sie mit bestimmten Merkmalen übereinstimmen.

snort ist ein vielseitiger Paketschnüffler oder -logger, der Angriffe mit Hilfe einer Bibliothek von Angriffssignaturen erkennt. Es erkennt eine breite Palette von Angriffen und Tests, wie zum Beispiel Pufferüberläufe, verdecktes Abtasten von Ports (stealth port scans), CGI Angriffe, SMB Tests und vieles mehr. snort hat auch die Fähigkeit, einen zeitnahen Alarm auszulösen. Dies ist ein Werkzeug, das auf jedem Router installiert werden sollte, um ein Auge auf Ihr Netzwerk zu haben. Installieren Sie es einfach mit apt-get install snort, beantworten Sie die Fragen und beobachten Sie die Protokolle. Für einen etwas breiteren Sicherheitsrahmen sollten Sie sich ansehen.

Debians Paket snort hat viele Sicherheitstests standardmäßig eingeschaltet. Jedoch sollten Sie die Konfiguration anpassen, um die Dienste, die auf Ihrem System laufen, zu berücksichtigen. Sie können auch zusätzliche Tests speziell für diese Dienste nutzen.

Es gibt noch andere, einfachere Werkzeuge, die dazu benutzt werden können, Angriffe auf das Netzwerk zu erkennen. portsentry ist ein interessantes Paket, das Sie warnen kann, wenn jemand Ihre Rechner scannt. Auch andere Programme wie ippl oder iplogger erkennen bestimmte IP (TCP und ICMP) Angriffe, auch wenn sie nicht so fortgeschrittene Techniken zur Erkennung von Netzwerkangriffen wie snort bieten.

Sie können jedes dieser Werkzeuge mit dem Paket idswakeup testen. Das ist ein Shell-Skript, das falsche Alarme verursacht und Signaturen vieler gebräuchlicher Angriffe enthält. Host basierende Eindringlingserkennung

Eine Eindringlingserkennung, die auf einem Host basiert, beruht darauf, Software auf dem zu überwachenden System zu laden, die Log-Dateien und die Auditing-Programme des Systems als Datengrundlage verwendet. Sie sucht nach verdächtigen Prozessen, kontrolliert den Zugang zum Host und überwacht u.U. auch Änderungen an kritischen Systemdateien.

tiger ist ein älteres Programm zur Eindringlingserkennung, das seit der Woody-Distribution auf Debian portiert wurde. tiger bietet Tests von verbreiteten Problemen in Zusammenhang mit Einbrüchen, wie der Stärke von Passwörtern, Problemen mit dem Dateisystem, kommunizierenden Prozessen und anderen Möglichkeiten, mit denen Root kompromittiert werden könnte. Dieses Paket umfasst neue, debianspezifische Sicherheitstests, einschließlich der MD5-Summen von installierten Programmen, des Orts von Dateien, die zu keinem Paket gehören, und einer Analyse von lokalen, lauschenden Prozessen. Die Standardinstallation lässt tiger einmal am Tag laufen und einen Bericht erstellen, der an den Superuser geschickt wird und Informationen zu möglichen Kompromittierungen enthält.

Programme zur Protokollanalyse, wie zum Beispiel logcheck, können zusätzlich benutzt werden, um Einbruchsversuche zu erkennen. Siehe .

Daneben können Pakete, die die Integrität des Dateisystems überwachen (siehe ), sehr nützlich sein, um Anomalien in einer abgesicherten Umgebung zu erkennen. Ein erfolgreicher Einbruch wird höchstwahrscheinlich Dateien auf dem lokalen Dateisystem verändern, um die lokalen Sicherheitsregelungen zu umgehen, Trojaner zu installieren oder Nutzer zu erstellen. Solche Ereignisse können mit Prüfwerkzeugen der Dateisystemintegrität erkannt werden. Vermeiden von Root-Kits Ladbare Kernel-Module (LKM)

Ladbare Kernel-Module sind Dateien, die nachladbare Teile des Kernels enthalten. Sie werden dazu verwendet, die Funktionalität des Kernels zu erweitern. Der Hauptnutzen des Einsatzes von Modulen liegt darin, dass Sie zusätzliche Geräte wie eine Ethernet- oder Soundkarte hinzufügen können, ohne dass die Kernelquelle gepatcht und der gesamte Kernel neu übersetzt werden müsste. Allerdings können Cracker LKMs für Root-Kits (knark und adore) benutzen, um auf GNU/Linux Systemen Hintertüren zu öffnen.

LKM-Hintertüren sind ausgeklügelter und schwerer zu entdecken als traditionelle Root-Kits. Sie können Prozesse, Dateien, Verzeichnisse und sogar Verbindungen verstecken, ohne den Quellcode der Programme verändern zu müssen. Zum Beispiel kann ein bösartiges LKM den Kernel dazu zwingen, bestimmte Prozesse vor procfs zu verstecken, so dass nicht einmal eine bekanntermaßen gute Kopie des Programms ps alle Informationen über die aktuellen Prozesse korrekt auflisten kann. Erkennen von Root-Kits

Es gibt zwei Herangehensweisen, um Ihr System gegen LKM-Root-Kits zu verteidigen: die aktive Verteidigung und die reaktive Verteidigung. Die Sucharbeit kann einfach und schmerzlos sein, oder schwierig und ermüdend, ganz abhängig von der Maßnahme, die Sie ergreifen. Aktive Verteidigung

Der Vorteil dieser Art der Verteidigung ist, dass schon verhindert wird, dass das System Schaden nimmt. Eine mögliche Strategie ist das Ziel zuerst zu erreichen, also ein LKM zu laden, das dazu da ist, das System vor anderen böswilligen LKMs zu schützen. Eine andere Maßnahme ist es, dem Kernel Fähigkeiten zu entziehen. Zum Beispiel können Sie aus dem Kernel vollständig die Fähigkeit von ladbaren Kernel-Modulen entfernen. Beachten Sie allerdings, dass es Root-Kits gibt, die selbst in diesen Fällen funktionieren. Es gibt auch welche, die direkt /dev/kmem (Kernelspeicher) manipulieren, um sich zu verstecken.

Debian GNU/Linux hat ein paar Pakete, die dazu verwendet werden können, eine aktive Verteidigung aufzusetzen: lcap - eine benutzerfreundliche Schnittstelle, um dem Kernel Fähigkeiten zu entziehen (kernelbasierte Zugriffskontrolle), um das System sicherer zu machen. Beispielsweise wird das Ausführen von lcap CAP_SYS_MODULE Es gibt über 28 Fähigkeiten einschließlich CAP_BSET, CAP_CHOWN, CAP_FOWNER, CAP_FSETID, CAP_FS_MASK, CAP_FULL_SET, CAP_INIT_EFF_SET, CAP_INIT_INH_SET, CAP_IPC_LOCK, CAP_IPC_OWNER, CAP_KILL, CAP_LEASE, CAP_LINUX_IMMUTABLE, CAP_MKNOD, CAP_NET_ADMIN, CAP_NET_BIND_SERVICE, CAP_NET_RAW, CAP_SETGID, CAP_SETPCAP, CAP_SETUID, CAP_SYS_ADMIN, CAP_SYS_BOOT, CAP_SYS_CHROOT, CAP_SYS_MODULE, CAP_SYS_NICE, CAP_SYS_PACCT, CAP_SYS_PTRACE, CAP_SYS_RAWIO, CAP_SYS_RESOURCE, CAP_SYS_TIME und CAP_SYS_TTY_CONFIG. Alle können deaktiviert werden, um Ihren Kernel abzuhärten. die Fähigkeit der ladbaren Module entfernen (sogar für Root). Um dies tun zu können, müssen Sie nicht lcap installieren, aber damit ist es einfacher, als von Hand /proc/sys/kernel/cap-bound anzupassen. Weitere (etwas ältere) Informationen zu Kernelfähigkeiten finden Sie in Jon Corbets Abschnitt auf LWN vom Dezember 1999.

Wenn Sie diese vielen Möglichkeiten auf Ihrem GNU/Linux System nicht wirklich brauchen, sollten Sie die Unterstützung für ladbare Module während der Konfiguration des Kernels abschalten. Das erreichen Sie, indem Sie einfach CONFIG_MODULES=n während der Konfiguration Ihres Kernels oder in der Datei .config festsetzen. So werden LKM Root-Kits vermieden, aber Sie verlieren eine leistungsfähige Eigenschaft des Linux-Kernels. Außerdem kann das Abschalten der nachladbaren Module den Kernel überladen, so dass die Unterstützung ladbarer Module notwendig wird. Reaktive Verteidigung

Der Vorteil reaktiver Verteidigung ist, dass sie die Systemressourcen nicht überlädt. Sie funktioniert durch das Vergleichen von einer Tabelle der Systemaufrufe mit einer bekanntermaßen sauberen Kopie (System.map). Eine reaktive Verteidigung kann den Systemadministrator natürlich nur benachrichtigen, wenn das System bereits kompromittiert wurde.

Die Entdeckung von Root-Kits vollbringt unter Debian chkrootkit. Das Programm prüft Anzeichen von bekannten Root-Kits auf dem Zielsystem. Es ist aber kein völlig sicherer Test. Geniale/paranoide Ideen — was Sie tun können

Dies ist wahrscheinlich der unsicherste und lustigste Abschnitt, da ich hoffe, dass manche der "Wow, das klingt verrückt"-Ideen umgesetzt werden. Im folgenden werden nur ein paar Ideen vorgestellt, wie Sie Ihre Sicherheit erhöhen können — abhängig von Ihrem Standpunkt aus können Sie sie für genial, paranoid, verrückt oder sicher halten, Mit Pluggable Authentication Modules (PAM) herum spielen. Wie in einem phrack 56 Artikel geschrieben wurde, ist das schöne an PAM, dass "Ihrer Fantasie keine Grenzen gesetzt sind." Das stimmt. Stellen Sie sich vor, Root kann sich nur mit einen Fingerabdruck oder Abtastung des Auges oder einer Kryptokarte einloggen (warum habe ich hier nur "oder" und nicht "und" gesagt?). Faschistisches Logging. Ich würde sagen, dass alles, was wir bisher über Logging besprochen haben, unter "weiches Loggen" fällt. Wenn Sie echtes Logging betreiben wollen, besorgen Sie sich einen Drucker mit Endlos-Papier und schicken ihm alle Logs. Hört sich lustig an, ist aber zuverlässig und kann nicht manipuliert oder entfernt werden. CD-Distribution. Diese Idee ist sehr leicht zu realisieren und bewirkt ganz gute Sicherheit. Erstellen Sie eine abgesicherte Debian Distribution mit passenden Firewall-Regeln. Erstellen Sie davon ein bootbares ISO-Image und brennen Sie es auf eine CD-ROM. Jetzt haben Sie eine nur lesbare Distribution mit etwa 600 MB Speicherplatz für Dienste. Stellen Sie lediglich sicher, dass alle Daten, die geschrieben werden sollen, übers Netz geschrieben werden. Für einem Eindringling ist es unmöglich, Schreibzugriff auf diesem System zu erhalten. Alle Änderungen, die ein Eindringling vornimmt, werden mit einem Reboot des Systems rückgängig gemacht. Schalten Sie die Modul-Fähigkeiten des Kernels ab. Wenn Sie die Nutzung von Kernel-Modulen während der Kernel-Kompilierung abschalten, werden viele Kernel basierende Hintertüren nicht einsetzbar, da die meisten von ihnen darauf basieren, modifizierte Kernel-Module zu installieren (siehe oben). 
Loggen über ein serielles Kabel (von Gaby Schilders). Solange Server immer noch serielle Schnittstellen haben: Stellen Sie sich vor, Sie haben ein Log-System für eine Anzahl von Servern. Es ist vom Netz abgeschnitten und mit den Servern über einen Multiplexer für serielle Schnittstellen (Cyclades oder ähnliches) verbunden. Jetzt sollen alle Ihre Server über ihre serielle Schnittstelle loggen. Einfach nur hinschreiben. Die Log-Maschine akzeptiert nur einfachen Text als Eingabe auf ihrer seriellen Schnittstelle und schreibt ihn lediglich in eine Log-Datei. Schließen Sie einen CD- oder DVD-Brenner an. Brennen Sie die Log-Datei, wenn sie die Größe des Mediums erreicht hat. Wenn es jetzt nur noch CD-Brenner mit automatischem Medien-Wechsel gäbe ... Nicht so dauerhaft gespeichert wie ein Ausdruck, aber mit dieser Methode kann man größere Mengen handhaben, und die CD-ROMs nehmen nicht so viel Platz weg. Ändern Sie die Dateiattribute mit chattr (dem Tipps-HOWTO von Jim Dennis entnommen). Nachdem Sie Ihr System sauber installiert und konfiguriert haben, verwenden Sie das Programm chattr mit dem Attribut +i, um Dateien unveränderbar zu machen (die Datei kann nicht gelöscht, umbenannt, verlinkt oder beschrieben werden). Sie sollten dieses Attribut für alle Dateien in /bin, /sbin/, /usr/bin, /usr/sbin, /usr/lib und für die Kerneldateien in root setzen. Sie können auch eine Kopie aller Dateien in /etc/ mit tar oder dergleichen erstellen und das Archiv als unveränderbar kennzeichnen.

Mit dieser Vorgehensweise können Sie den Schaden begrenzen, den Sie anrichten können, wenn Sie als Root eingeloggt sind. Sie können keine Dateien mit einer fehlgeleiteten Umleitung überschreiben, und Sie werden Ihr System nicht durch ein fehlplatziertes Leerzeichen im Kommando rm -fr unbenutzbar machen (Sie können aber Ihren Daten immer noch einigen Schaden zufügen — aber Ihre Bibliotheken und Programme sind sicherer).

Dies macht auch verschiedene Sicherheits- und Denial-of-Service (DoS) Exploits entweder unmöglich oder weitaus schwieriger (da viele von ihnen darauf beruhen, Dateien durch Aktionen eines SETUID-Programms zu überschreiben, das keinen frei wählbaren Shellbefehl zur Verfügung stellt).

Eine Unbequemlichkeit dieser Vorgehensweise macht sich bemerkbar, wenn Sie verschiedene Systemprogramme bauen und installieren. Auf der anderen Seite verhindert dies auch, dass make install die Dateien überschreibt. Wenn Sie vergessen, das Makefile zu lesen und die Dateien, die überschrieben werden sollen (und die Verzeichnisse, in denen Sie neue Dateien erstellen wollen), mit chattr -i zu behandeln, schlägt der make-Befehl fehl. Sie müssen nur das Kommando chattr ausführen und make neu aufrufen. Sie können diese Gelegenheit gleich dazu benutzen, Ihre alten bin's und libs auszumisten und sie z.B. in ein .old/-Verzeichnis oder Tar-Archiv zu verschieben.

Beachten Sie, dass dies Sie auch daran hindert, die Pakete Ihres Systems zu aktualisieren, da die Dateien aus den Paketen nicht überschrieben werden können. Also sollten Sie vielleicht ein Skript oder einen anderen Mechanismus haben, der das immutable-Flag auf allen Dateien deaktiviert, bevor Sie ein apt-get update ausführen.

Spielen Sie mit der UTP-Verkabelung herum. Schneiden Sie dazu zwei oder vier Kabel durch und stellen ein Kabel her, das nur Verkehr in eine Richtung zulässt. Verwenden Sie dann UDP-Pakete, um Informationen an die Zielmaschine zu schicken, die ein sicherer Log-Server oder ein System zur Speicherung von Kreditkartennummern sein kann. Aufstellen eines Honigtopfes (honeypot)

Ein Honigtopf ist ein System, das darauf ausgelegt ist, Systemadministratoren beizubringen, wie Cracker ein System abtasten und darin einbrechen. Es ist eine Systemeinstellung mit der Erwartung und dem Zweck, dass das System abgetastet und angegriffen und möglicherweise darin eingebrochen wird. Wenn Systemadministratoren erfahren, welche Werkzeuge und Methoden Cracker anwenden, können sie daraus lernen, wie sie ihr System und Netzwerk besser schützen.

Debian GNU/Linux-Systeme können leicht als Honigtopf eingerichtet werden, wenn Sie Zeit opfern, sie aufzusetzen und zu überwachen. Sie können leicht den gefälschten Server, die FirewallSie sollten typischerweise eine Bridge-Firewall einsetzen, damit die Firewall selbst nicht entdeckt werden kann. Lesen Sie mehr dazu unter ., die den Honigtopf überwacht, und ein Programm, das Eindringling ins Netzwerk entdecken kann, einrichten. Verbinden Sie den Honigtopf mit dem Internet und warten Sie ab. Stellen Sie sicher, dass Sie rechtzeitig alarmiert werden (siehe ), wenn in das System eingedrungen wird, damit Sie geeignete Schritte einleiten und den Angriff beenden können, wenn Sie genug gesehen haben. Hier folgen einige Pakete und Probleme, die Sie in Betracht ziehen sollten, wenn Sie einen Honigtopf einrichten: Die Firewall-Technologie, die Sie verwenden (verfügbar durch den Linux-Kernel). syslog-ng. Nützlich, um Logs des Honigtopfs zu einem entfernen Syslog-Server zu schicken. snort, um allen eingehenden Netzwerkverkehr auf den Honigtopf mitzuschneiden und die Angriffe zu erkennen. osh, eine eingeschränkte Shell mit Logging, die unter SETUID-Root läuft und verbesserte Sicherheit hat (siehe den Artikel von Lance Spitzner weiter unten). Natürlich alle Daemons, die Sie auf dem falschen Honigtopfserver verwenden wollen. Je nachdem, welche Art von Angreifer Sie analysieren wollen, können Sie den Honigtopf abhärten und die Sicherheitsaktualisierungen einspielen (oder eben nicht). Integritätsprüfer (siehe ) und das Coroner's Toolkit (tct), um nach dem Angriff eine Analyse durchzuführen. honeyd und farpd, um einen Honigtopf einzurichten, der auf Verbindungen zu ungenutzten IP-Adressen lauscht und diese an Skripte weiterleitet, die echte Dienste simulieren. Sehen Sie sich auch iisemulator an. tinyhoneypot, um einen einfachen Honigtopf-Server mit gefälschten Diensten einzurichten.

Falls Sie kein System übrig haben, um die Honigtöpfe und Systeme, die das Netzwerk schützen und kontrollieren, zu bauen, können Sie die Technologie zur Virtualisierung einsetzen, die in xen oder uml (User-Mode-Linux) enthalten ist. Wenn Sie diesen Weg wählen, müssen Sie Ihren Kernel entweder mit kernel-patch-xen oder kernel-patch-uml patchen.

Sie können mehr über das Aufstellen eines Honigtopfs in Lance Spitzners exzellentem Artikel (aus der Know your Enemy Serie) lesen. Außerdem stellt das wertvolle Informationen über das Aufstellen von Honigtöpfen und der Analyse von Angriffen auf sie zur Verfügung. harden-doc-3.15.1/howto-source/de/after-install.sgml0000644000000000000000000041703310643704617017162 0ustar Nach der Installation

Wenn das System installiert ist, können Sie es noch weiter absichern, indem Sie einige der in diesem Kapitel beschriebenen Schritte ausführen. Natürlich hängt dies vor allem von Ihrem Setup ab, aber um physischen Zugriff zu verhindern, sollten Sie , , , und lesen.

Bevor Sie sich mit einem Netzwerk verbinden, insbesondere wenn es sich um ein öffentliches Netzwerk handelt, sollten Sie wenigstens eine Sicherheitsaktualisierung (siehe ) durchführen. Optional können Sie auch einen Schnappschuss Ihres Systems machen (siehe ). Abonnement der Security-Announce-Mailingliste von Debian

Um Informationen zu verfügbaren Sicherheitsaktualisierungen und die Debian-Sicherheits-Ankündigungen (DSA) zu erhalten, sollten Sie Debians Security-Announce-Mailingliste abonnieren. Lesen Sie für weitere Informationen, wie das Sicherheitsteam von Debian arbeitet. Hinweise, wie man die Mailinglisten von Debian abonniert, finden Sie unter .

DSAs werden mit der Signatur des Sicherheitsteams von Debian unterschrieben, die unter erhältlich ist.

Sie sollten in Betracht ziehen, auch die zu abonnieren. Dort finden allgemeine Diskussionen zu Sicherheitsthemen im Betriebssystem Debian statt. Sie können auf der Liste sowohl mit gleichgesinnten Systemadministratoren als auch mit Entwicklern von Debian und Programmautoren in Kontakt treten. Diese werden Ihre Fragen beantworten und Ihnen Ratschläge geben.

FIXME: Add the key here too? Ausführen von Sicherheitsupdates

Sobald neue Sicherheitslöcher in einem Paket entdeckt wurden, reparieren sie Debians Paketbetreuer und Originalautoren im Allgemeinen innerhalb von Tagen oder sogar Stunden. Nachdem das Loch gestopft wurde, werden neue Pakete unter bereit gestellt.

Wenn Sie ein Debian-Release installieren, müssen Sie berücksichtigen, dass es seit der Veröffentlichung Sicherheitsaktualisierungen gegeben haben könnte, nachdem entdeckt wurde, dass ein bestimmtes Paket verwundbar ist. Ebenso könnte es kleinere Releases gegeben haben. Es gab vier kleinere Veröffentlichungen von Debian 3.1 Sarge, die diese Paketaktualisierungen enthalten.

Sie müssen sich das Erstellungsdatum Ihres CD-Sets (wenn Sie ein solches benutzen) notieren und auf der Sicherheitsseite nachprüfen, ob es Sicherheitsaktualisierungen gegeben hat. Wenn es solche gibt, und Sie die Pakete nicht von der Sicherheitsseite mit einem anderen System herunterladen können (Ihr System ist doch nicht schon mit dem Internet verbunden, oder?), könnten Sie es in Erwägung ziehen (falls Sie nicht beispielsweise durch eine Firewall geschützt sind), Firewall-Regeln zu aktivieren, so dass Ihr System ausschließlich mit security.debian.org Verbindung aufnehmen kann, und dann ein Update ausführen. Eine Beispielkonfiguration finden Sie unter .

Anmerkung:Seit Debian Woody 3.0 wird Ihnen nach der Installation die Möglichkeit eingeräumt, Sicherheitsaktualisierungen Ihrem System hinzuzufügen. Wenn Sie hier 'ja' sagen, wird das Installationssystem die passenden Schritte unternehmen, um die Quellen der Sicherheitsaktualisierungen Ihren Paketquellen hinzuzufügen. Falls Sie nun eine Internetverbindung haben, wird Ihr System alle Sicherheitsaktualisierungen herunterladen, die seit Entstehung Ihres Installationsmediums erzeugt wurden. Falls Sie ein Upgrade von einer älteren Version von Debian durchführen, oder Sie das Installationssystem anweisen, dies nicht zu tun, sollten Sie die hier vorgestellten Schritte unternehmen.

Um Ihr System manuell zu aktualisieren, fügen Sie die folgende Zeile in Ihre /etc/apt/sources.list ein. So werden Sie Sicherheitsaktualisierungen automatisch erhalten, wann immer Sie Ihr System aktualisieren. deb http://security.debian.org/debian-security stable/updates main contrib non-free

Hinweis: Falls Sie den Testing-Zweig einsetzen, sollten Sie die Sicherheitsspiegel für Testing verwenden. Das wird unter beschrieben.

Wenn Sie dies erledigt haben, stehen Ihnen zahlreiche Werkzeuge zur Verfügung, mit denen Sie Ihr System aktualisieren können. Wenn Sie ein Desktop-System einsetzen, können Sie eine Anwendung mit dem Namen update-notifier verwendenAb Etch und den folgenden Veröffentlichungen., die Sie auf neue Aktualisierungen aufmerksam macht. Damit können Sie Ihr System auch über den Desktop auf den neuesten Stand bringen (mit update-manager). Für den Desktop können Sie auch synaptic, kpackage oder adept einsetzen, die einen größeren Funktionsumfang aufweisen. Wenn Sie auf einem textbasierten Terminal arbeiten, stehen Ihnen aptitude, apt und dselect, wobei letzteres veraltet ist, zur Verfügung: Falls Sie die textbasierte Oberfläche von aptitude verwenden wollen, müssen Sie zunächst u (für Update) und dann g (für Upgrade) eingeben. Oder Sie führen auf der Befehlszeile Folgendes als Root aus: # aptitude update # aptitude upgrade Falls Sie apt einsetzen möchten, müssen Sie obige Zeilen von aptitude nur mit apt-get ersetzen. Falls Sie dselect verwenden wollen, müssen Sie zuerst aktualisieren ([U] für Update), dann installieren ([I] für Install) und schließlich die installierten/aktualisierten Pakete konfigurieren ([C] für Configure).

Wenn Sie möchten, können Sie ebenfalls eine deb-src Zeile hinzufügen. Weitere Details finden Sie unter .

Anmerkung: Sie brauchen folgende Zeile nicht hinzuzufügen: deb http://security.debian.org/debian-non-US stable/non-US main contrib non-free

Das liegt daran, dass sich der Server, der security.debian.org hostet, außerhalb der USA befindet und somit kein getrenntes Archiv für Non-US hat. Sicherheitsaktualisierungen von Bibliotheken

Wenn Sie eine Sicherheitsaktualisierung durchgeführt haben, müssen Sie gegebenenfalls einige Dienste des Systems neu starten. Wenn Sie das nicht tun, könnten Dienste auch nach der Sicherheitsaktualisierung immer noch verwundbar sein. Das liegt daran, dass Daemonen, die schon vor einem Upgrade liefen, immer noch die alten Bibliotheken vor dem Upgrade verwenden könnten. Selbst wenn die Bibliotheken aus dem Dateisystem entfernt wurden, werden die Inodes nicht beseitigt, bis kein Programm mehr einen offenen Dateideskriptor mit Verweis auf sie hat. Um herauszufinden, welche Daemonen neu gestartet werden müssen, können Sie das Programm checkrestart (ist im Paket debian-goodies enthalten) oder diesen Einzeiler (als Root) verwenden:Je nach der Version von lsof müssen Sie $8 statt $9 verwenden. # lsof | grep <aktualisierte_Bibliothek> | awk '{print $1, $9}' | uniq | sort +0

Einige Pakete (wie libc6) werden diesen Test in der Postinst-Phase für eine begrenzte Anzahl von Diensten durchführen, da ein Upgrade von notwendigen Bibliotheken einige Anwendungen unbrauchbar machen kann, wenn sie nicht neu gestartet werden Das passierte z.B. beim Upgrade von libc6 2.2.x zu 2.3.x wegen Problemen mit der NSS-Authentifizierung, siehe . .

Indem das System auf Runlevel 1 (Single User) und dann zurück auf Runlevel 3 (Multi User) gebracht wird, sollten die meisten (wenn nicht alle) Systemdienste neu gestartet werden. Dies ist aber keine Möglichkeit, wenn Sie die Sicherheitsaktualisierung über eine entfernte Verbindung (z.B. mit ssh) vornehmen, da sie getrennt werden würde.

Lassen Sie Vorsicht walten, wenn Sie es mit Sicherheitsaktualisierungen über eine entfernte Verbindung wie mit ssh zu tun haben. Die empfohlene Vorgehensweise für Sicherheitsaktualisierungen, die Dienste betreffen, ist, den SSH-Daemon neu zu starten und sofort zu versuchen, eine neue SSH-Verbindung herzustellen, ohne die alten zu beenden. Falls der Verbindungsversuch scheitern sollte, machen Sie die Aktualisierung rückgängig und untersuchen Sie das Problem. Sicherheitsaktualisierung des Kernels

Stellen Sie zunächst sicher, dass Ihr Kernel durch das Paketsystem verwaltet wird. Wenn Sie die Installation mit dem Installationssystem von Debian 3.0 oder früher durchgeführt haben, ist Ihr Kernel nicht in das Paketsystem integriert und könnte veraltet sein. Sie können das leicht überprüfen, indem Sie Folgendes ausführen: $ dpkg -S `readlink -f /vmlinuz` kernel-image-2.4.27-2-686: /boot/vmlinuz-2.4.27-2-686

Wenn Ihr Kernel nicht vom Paketsystem verwaltet wird, werden Sie anstatt der obigen Nachricht die Rückmeldung bekommen, dass das Paketverwaltungsprogramm kein Paket finden konnte, das mit der Datei verbunden ist. Die obige Meldung besagt, dass die Datei, die mit dem laufenden Kernel verbunden ist, vom Paket kernel-image-2.4.27-2-686 zur Verfügung gestellt wird. Sie müssen also zuerst ein Paket mit einem Kernel-Image von Hand installieren. Das genaue Kernel-Image, das Sie installieren sollten, hängt von Ihrer Architektur und Ihrer bevorzugten Kernelversion ab. Wenn Sie das einmal erledigt haben, können Sie die Sicherheitsaktualisierungen des Kernels wie die jedes anderen Pakets durchführen. Beachten Sie allerdings, dass Kernelaktualisierungen nur für Aktualisierungen der gleichen Kernelversion wie der Ihrigen durchgeführt werden. D.h. apt wird nicht automatisch Ihren Kernel von 2.4 auf 2.6 aktualisieren (oder von 2.4.26 auf 2.4.27 Es sei denn, Sie haben ein Kernel-Metapaket wie kernel-image-2.4-686 installiert, welches immer die neueste Minor-Version des Kernels einer Architektur installieren wird. ).

Das Installationssystem von Debian 3.1 wird den gewählten Kernel (2.4 oder 2.6) als Teil des Paketsystems behandeln. Sie können überprüfen, welche Kernel Sie installiert haben: $ COLUMNS=150 dpkg -l 'kernel-image*' | awk '$1 ~ /ii/ { print $0 }'

Um festzustellen, ob Ihr Kernel aktualisiert werden muss, führen Sie Folgendes aus: $ kernfile=`readlink -f /vmlinuz` $ kernel=`dpkg -S $kernfile | awk -F : '{print $1}'` $ apt-cache policy $kernel kernel-image-2.4.27-2-686: Installed: 2.4.27-9 Candidate: 2.4.27-9 Version Table: *** 2.4.27-9 0 (...)

Wenn Sie eine Sicherheitsaktualisierung durchführen, die auch das Kernel-Image umfasst, müssen Sie das System neu starten, damit die Sicherheitsaktualisierung Wirkung zeigen kann. Anderenfalls lassen Sie immer noch das alte (und verwundbare) Kernel-Image laufen.

Wenn Sie das System neu starten müssen (wegen eines Kernel-Upgrades), sollten Sie sicherstellen, dass der Kernel fehlerfrei booten wird und die Netzwerkverbindungen hergestellt werden, besonders wenn die Sicherheitsaktualisierung über eine entfernte Verbindung wie mit ssh durchgeführt wird. Für den ersten Fall können Sie Ihren Boot-Loader so konfigurieren, dass er den Originalkernel lädt, wenn ein Fehler auftritt (für weiterführende Informationen sollten Sie lesen). Im zweiten Fall müssen Sie ein Skript verwenden, das die Netzwerkverbindungen testen kann und überprüft, ob der Kernel das Netzwerksystem korrekt gestartet hat, und, wenn das nicht geschehen ist, das System neu startet Ein Beispielskript mit dem Namen ist im Artikel enthalten. Ein ausgereifteres Testskript befindet sich im Artikel . Dies sollte böse Überraschungen verhindern, wie wenn man den Kernel aktualisiert und dann nach einem Reboot merkt, dass die Netzwerkhardware nicht richtig erkannt oder konfiguriert wurde, und man daher eine weite Strecke zurücklegen muss, um das System wieder hoch zu bringen. Natürlich hilft es beim Debuggen von Reboot-Problemen aus der Ferne, wenn die serielle Konsole des Systems Das Einrichten einer seriellen Konsole würde den Rahmen dieses Dokuments sprengen. Informationen dazu finden Sie im und im . mit einem Konsolen- oder Terminalserver verbunden ist.

Änderungen im BIOS (noch einmal)

Erinnern Sie sich an ? Nun, jetzt sollten Sie, nachdem Sie nicht mehr von austauschbaren Datenträgern booten müssen, die Standard-BIOS-Einstellung so umändern, dass es ausschließlich von der Festplatte bootet. Gehen Sie sicher, dass Sie Ihr BIOS-Passwort nicht verlieren, oder Sie werden nicht mehr ins BIOS zurückkehren können, um die Einstellung wieder zu ändern, so dass Sie im Falle eines Festplattenfehlers Ihr System wiederherstellen können, indem Sie zum Beispiel eine CD-ROM benutzen.

Eine andere, weniger sichere, aber bequemere Möglichkeit ist es, das BIOS so einzustellen, dass es von der Festplatte bootet, und nur falls dies fehlschlägt versucht, von austauschbaren Datenträgern zu booten. Übrigens wird dies oft so gemacht, weil viele Leute ihr BIOS-Passwort nur selten benutzen, so dass sie es zu leicht vergessen. Ein Passwort für LILO oder GRUB einstellen

Jeder kann sehr einfach eine root-Shell auf Ihrem System bekommen, indem er einfach <Name-Ihres-Bootimages> init=/bin/sh am Bootprompt eingibt. Nachdem die Passwörter geändert und das System neu gestartet wurde, hat die Person uneingeschränkten Root-Zugang und kann nach Belieben alles auf Ihrem System machen. Nach dieser Prozedur haben Sie keinen Root-Zugang mehr zu Ihrem System, weil Sie das Root-Passwort nicht kennen.

Um sicher zu stellen, dass dies nicht passieren kann, sollten Sie den Boot-Loader mit einem Passwort schützen. Sie können zwischen einem globalen Passwort und Passwörtern für bestimmte Images wählen.

Für LILO müssen Sie die Konfigurationsdatei /etc/lilo.conf editieren und eine password und restricted Zeile, wie im folgenden Beispiel, einfügen: image=/boot/2.2.14-vmlinuz label=Linux read-only password=hackmich restricted

Gehen Sie danach sicher, dass die Konfigurationsdatei nicht für alle lesbar ist, um zu verhindern, dass lokale Nutzer das Passwort lesen können. Haben Sie dies getan, rufen Sie lilo auf. Wenn Sie die restricted-Zeile weglassen, wird lilo immer nach dem Passwort fragen, egal ob LILO Parameter übergeben wurden oder nicht. Die Standard-Zugriffsrechte auf /etc/lilo.conf erlauben root das Lesen und Schreiben, und der Gruppe von lilo.conf, ebenfalls root, das Lesen.

Wenn Sie GRUB anstelle von LILO verwenden, editieren Sie /boot/grub/menu.lst und fügen die folgenden zwei Zeilen am Anfang an (dabei ersetzen Sie natürlich hackmich mit dem vorgesehenen Passwort). Dies verhindert, dass Benutzer die Booteinträge verändern können. timeout 3 legt eine Wartedauer von 3 Sekunden fest, bevor grub den Standard-Eintrag bootet. timeout 3 password hackmich

Um die Integrität Ihres Passwortes zusätzlich abzusichern, sollten Sie Ihr Passwort nicht im Klartext, sondern gehasht ablegen. Das Dienstprogramm grub-md5-crypt erzeugt ein gehashtes Passwort, das kompatibel mit GRUBs Hash-Algorithmus (MD5) ist. Um grub mitzuteilen, dass ein Passwort im MD5-Format verwendet wird, benutzen Sie die folgende Anweisung: timeout 3 password --md5 $1$arPydhOM$bIgEKjMW5kxeEuvE1Rah4/ Der Parameter --md5 wurde hinzugefügt, um bei grub einen MD5-Authentifizierungsprozess zu erzwingen. Das angegebene Passwort ist die mit MD5 gehashte Version von "hackmich". MD5-Passwörter sind Klartext-Passwörtern vorzuziehen. Weitere Informationen über grub-Passwörter können Sie im grub-doc-Paket finden. Entfernen des Root-Prompts von Initramfs

Hinweis: Dies betrifft alle Standard-Kernel, die nach Debian 3.1 veröffentlicht wurden.

Die Linux-Kernel 2.6 enthalten die Möglichkeit, während des Bootvorgangs eine Root-Shell zu erhalten. Dies geschieht, wenn beim Laden von initramfs ein Fehler auftritt. Dadurch kann der Administrator auf eine Rettungsshell mit Root-Rechten zugreifen. Mit dieser Shell können von Hand Module geladen werden, falls eine automatische Erkennung scheitern sollte. Dieses Verhalten ist Standard für ein von initramfs-tools erzeugtes Initramfs. Folgende Fehlermeldung wird auftreten: "ALERT! /dev/sda1 does not exist. Dropping to a shell!"

Um dieses Verhalten abzuschalten, müssen Sie folgenden Boot-Parameter setzen: panic=0. Sie können ihn entweder in den Abschnitt kopt in /boot/grub/menu.lst eintragen und update-grub ausführen oder ihn dem Abschnitt append von /etc/lilo.conf hinzufügen. Entfernen des Root-Promptes aus dem Kernel

Hinweis: Dies trifft nicht auf Kernel zu, die in Debian 3.1 enthalten sind, da die Wartezeit auf Null verändert wurde.

Linux 2.4 Kernel bieten kurz nach dem Laden des cramfs einen Weg, Zugriff auf eine Root-Shell zu bekommen, also während das System bootet. Es erscheint eine Meldung, die dem Administrator erlaubt, eine Shell mit Root-Privilegien zu öffnen. Diese Shell kann dazu benutzt werden, manuell Module zu laden, falls die automatische Erkennung fehlschlägt. Dies ist das Standard-Verhalten bei initrd's linuxrc. Die folgende Meldung wird erscheinen: Press ENTER to obtain a shell (waits 5 seconds)

Um dieses Verhalten zu entfernen, müssen Sie /etc/mkinitrd/mkinitrd.conf editieren und den Eintrag # DELAY Anzahl Sekunden, die das linuxrc Skript warten soll, # um dem Nutzer Eingriffe zu erlauben, bevor das System hochgefahren # wird DELAY=0 setzen.

Erstellen Sie anschließend Ihr Ramdisk-Image neu. Dies können Sie zum Beispiel so tun: # cd /boot # mkinitrd -o initrd.img-2.4.18-k7 /lib/modules/2.4.18-k7

oder (vorzugsweise) so: # dpkg-reconfigure kernel-image-2.4.x-yz Einschränken des Konsolen-Zugangs

Manche Sicherheitsregelwerke könnten Administratoren dazu zwingen, sich erst als Benutzer mit ihrem Passwort auf dem System einzuloggen, und dann Superuser zu werden (mit su oder sudo). Solch eine Policy ist in Debian in der Datei /etc/login.defs oder /etc/securetty (falls Sie PAM verwenden) implementiert. In login.defs ändern Sie die CONSOLE-Variable, die eine Datei oder eine Liste von Terminals definiert, an denen sich Root einloggen darf. In securetty Die Datei /etc/securetty ist eine Konfigurationsdatei, die zum Paket login gehört. entfernen Sie oder fügen Sie Terminals hinzu, auf die Root zugreifen darf. Falls Sie nur lokalen Zugang zur Konsole erlauben wollen, benötigen Sie console, ttyX Oder ttyvX in GNU/FreeBSD und ttyE0 in GNU/KNetBSD. und vc/X (falls Sie die devfs-Schnittstelle verwenden). Sie sollten auch ttySX Oder comX in GNU/Hurd, cuaaX in GNU/FreeBSD und ttyXX in GNU/KNetBSD. hinzufügen, wenn Sie eine serielle Konsole für den lokalen Zugang verwenden. (Wenn X eine ganze Zahl (Integer) ist, sollten Sie mehrere Instanzen Die Standardeinstellung in Woody beinhaltet zwölf lokale tty- und vc-Konsolen und die console-Schnittstelle. Anmeldungen von entfernten Orten sind nicht erlaubt. In Sarge stellt die Standardeinstellung 64 Konsolen für tty- und vc-Konsolen zur Verfügung. Sie können das ohne Probleme entfernen, wenn Sie nicht derart viele Konsolen benutzen. haben, abhängig von der Anzahl der virtuellen Konsolen, die Sie in /etc/inittab aktiviert haben Achten Sie auf die getty Einträge. ). Weiterführende Informationen zu Terminal-Schnittstellen finden Sie im .

Wenn Sie PAM benutzen, können Sie auch andere Änderungen am Login-Prozess, die auch Einschränkungen für einzelne Benutzer oder Gruppen zu bestimmten Zeiten enthalten können, durch Konfiguration der Datei /etc/pam.d/login vornehmen. Eine interessante Eigenschaft, die man auch abschalten kann, ist die Möglichkeit, sich mit einem leeren Passwort (Null-Passwort) einzuloggen. Diese Eigenschaft kann eingeschränkt werden, indem Sie nullok aus der Zeile auth required pam_unix.so nullok entfernen. System-Neustart von der Konsole aus einschränken

Wenn an Ihr System eine Tastatur angeschlossen ist, kann jeder (ja wirklich jeder) Ihr System neu starten, ohne sich in Ihr System einloggen zu müssen. Dies könnte gegen Ihre Sicherheitsrichtlinien verstoßen (oder auch nicht). Wenn Sie dies einschränken wollen, müssen Sie in /etc/inittab prüfen, ob die Zeile, in der ctrlaltdel shutdown aufruft, den -a Schalter enthält (vergessen Sie nicht, init q auszuführen, nachdem Sie diese Datei irgendwie verändert haben). Standardmäßig enthält Debian diesen Schalter: ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

Jetzt müssen Sie, um es manchen Benutzern zu erlauben, Ihr System neu zu starten, eine Datei /etc/shutdown.allow erstellen, wie es die Handbuchseite beschreibt. Dort müssen die Namen der Benutzer, die das System neu booten dürfen, aufgeführt sein. Wenn der Drei-Finger-Gruß (auch bekannt als Strg+Alt+Entf und Affengriff) ausgeführt wird, wird geprüft, ob irgendeiner der Benutzer, die in der Datei aufgelistet sind, eingeloggt ist. Wenn es keiner von ihnen ist, wird shutdown das System nicht neu starten. Partitionen auf die richtige Art einbinden

Wenn Sie eine ext2-Partition einbinden, können Sie verschiedene Optionen mit dem mount-Befehl oder in /etc/fstab verwenden. Dies ist zum Beispiel mein fstab-Eintrag für meine /tmp-Partition: /dev/hda7 /tmp ext2 defaults,nosuid,noexec,nodev 0 2

Sie sehen den Unterschied in der Spalte mit den Optionen. Die Option nosuid ignoriert komplett alle setuid- und setgid-Bits, während noexec das Ausführen von Programmen unterhalb des Einhängepunkts verbietet und nodev Gerätedateien ignoriert. Das hört sich toll an, aber: dies ist nur auf ext2-Dateisysteme anwendbar, und es kann leicht umgangen werden.

Die noexec-Option, die verhindert, dass Binarys ausgeführt werden können, ließe sich in früheren Kernelversionen leicht umgehen: alex@joker:/tmp# mount | grep tmp /dev/hda7 on /tmp type ext2 (rw,noexec,nosuid,nodev) alex@joker:/tmp# ./date bash: ./date: Permission denied alex@joker:/tmp# /lib/ld-linux.so.2 ./date Sun Dec 3 17:49:23 CET 2000

Neuere Versionen des Kernels verarbeiten aber die Option noexec richtig: angrist:/tmp# mount | grep /tmp /dev/hda3 on /tmp type ext3 (rw,noexec,nosuid,nodev) angrist:/tmp# ./date bash: ./tmp: Keine Berechtigung angrist:/tmp# /lib/ld-linux.so.2 ./date ./date: error while loading shared libraries: ./date: failed to map segment from shared object: Operation not permitted

Wie auch immer, viele Skript-Kiddies haben Exploits, die versuchen eine Datei in /tmp zu erstellen und auszuführen. Wenn sie keine Ahnung haben, werden sie in dieser Grube hängen bleiben. Mit anderen Worten: Ein Benutzer kann nicht hereingelegt werden, einen ausführbaren Trojaner in /tmp laufen zu lassen, zum Beispiel indem er zufällig /tmp in seinen Suchpfad aufnimmt.

Seien Sie sich auch bewusst, dass manche Skripte darauf aufbauen, dass /tmp ausführbare Rechte hat. Bemerkenswerterweise hatte (oder hat?) Debconf Probleme bei dieser Sache, weitere Informationen enthält Fehler .

Nachfolgend ein gründlicheres Beispiel. Eine Anmerkung dazu: /var könnte auch noexec enthalten, aber manche Software Einiges davon trifft auf den Paketverwalter dpkg zu, da die Installations- oder Deinstallationsanweisungen (post, pre) unter /var/lib/dpkg/ liegen, und auch auf Smartlist. verwahrt ihre Programme unterhalb von /var. Dasselbe gilt für die nosuid-Option. /dev/sda6 /usr ext3 defaults,ro,nodev 0 2 /dev/sda12 /usr/share ext3 defaults,ro,nodev,nosuid 0 2 /dev/sda7 /var ext3 defaults,nodev,usrquota,grpquota 0 2 /dev/sda8 /tmp ext3 defaults,nodev,nosuid,noexec,usrquota,grpquota 0 2 /dev/sda9 /var/tmp ext3 defaults,nodev,nosuid,noexec,usrquota,grpquota 0 2 /dev/sda10 /var/log ext3 defaults,nodev,nosuid,noexec 0 2 /dev/sda11 /var/account ext3 defaults,nodev,nosuid,noexec 0 2 /dev/sda13 /home ext3 rw,nosuid,nodev,exec,auto,nouser,async,usrquota,grpquota 0 2 /dev/fd0 /mnt/fd0 ext3 defaults,users,nodev,nosuid,noexec 0 0 /dev/fd0 /mnt/floppy vfat defaults,users,nodev,nosuid,noexec 0 0 /dev/hda /mnt/cdrom iso9660 ro,users,nodev,nosuid,noexec 0 0 /tmp noexec setzen

Seien Sie vorsichtig, wenn Sie /tmp noexec setzen und neue Software installieren wollen, da manche Software es während der Installation benutzt. apt ist ein solches Programm (siehe ), wenn nicht APT::ExtractTemplates::TempDir (siehe ) passend konfiguriert wurde. Sie können diese Variable in /etc/apt/apt.conf auf ein anderes Verzeichnis als /tmp mit exec-Privilegien setzen. Setzen von /usr auf nur-lesen

Wenn Sie auf /usr nur lesenden Zugriff erlauben, werden Sie nicht in der Lage sein, neue Pakete auf Ihrem Debian GNU/Linux System zu installieren. Sie werden es erst mit Schreibzugriff erneut mounten müssen, die Pakete installieren und dann wieder nur mit lesendem Zugriff mounten. apt kann so konfiguriert werden, dass Befehle vor und nach dem Installieren von Paketen ausgeführt werden. Vielleicht sollten Sie es passend konfigurieren.

Dazu öffnen Sie /etc/apt/apt.conf und fügen Sie Folgendes ein: DPkg { Pre-Invoke { "mount /usr -o remount,rw" }; Post-Invoke { "mount /usr -o remount,ro" }; };

Beachten Sie, dass das Post-Invoke mit einer "/usr busy" Fehlermeldung scheitern wird. Dies passiert vorwiegend, wenn Sie eine Datei benutzen, die aktualisiert wurde. Sie können diese Programme finden, indem Sie # lsof +L1 ausführen.

Halten Sie diese Programme an oder starten Sie sie erneut und rufen dann Post-Invoke manuell auf. Achtung! Das bedeutet, dass Sie wahrscheinlich jedes Mal Ihre Sitzung von X (falls Sie eine laufen haben) neu starten müssen, wenn Sie ein größeres Upgrade Ihres Systems durchführen. Sie müssen entscheiden, ob ein nur lesbares /usr zu Ihrem System passt. Vergleichen Sie auch diese . Den Benutzern einen sicheren Zugang bereitstellen Nutzerauthentifizierung: PAM

PAM (Pluggable Authentication Modules) erlauben dem Systemadministrator auszuwählen, wie eine Anwendung Benutzer authentifiziert. Beachten Sie, dass PAM nichts machen kann, solange die Anwendung nicht mit Unterstützung für PAM kompiliert wurde. Die meisten Anwendungen, die mit Debian geliefert werden, haben diese Unterstützung eingebaut. Vor Version 2.2 hatte Debian keine Unterstützung für PAM. Die derzeitige Standardkonfiguration für jeden Dienst, der PAM benutzt, ist es, UNIX-Authentifizierung zu emulieren (lesen Sie /usr/share/doc/libpam0g/Debian-PAM-MiniPolicy.gz, um mehr darüber zu erfahren, wie PAM-Dienste unter Debian arbeiten sollten).

Jede Anwendung mit PAM-Unterstützung stellt eine Konfigurationsdatei unter /etc/pam.d/ zur Verfügung, in welcher Sie ihr Verhalten einstellen können: welches Verfahren zur Authentifizierung benutzt wird. welches Verfahren innerhalb einer Sitzung benutzt wird. wie Passwörter überprüft werden.

Die folgende Beschreibung ist weit davon entfernt, komplett zu sein. Für weitere Informationen können Sie (auf der ) lesen, diese Dokumentation ist auch in dem Paket libpam-doc enthalten.

PAM bietet Ihnen die Möglichkeit, durch mehrere Authentifizierungsschritte auf einmal zu gehen, ohne dass der Benutzer es weiß. Sie können gegen eine Berkeley-Datenbank und gegen die normale passwd-Datei authentifizieren, und der Benutzer kann sich nur einloggen, wenn er beide Male korrekt authentifiziert wurde. Sie können mit PAM viel einschränken, genauso wie Sie Ihr System weit öffnen können. Seien Sie also vorsichtig. Eine typische Konfigurationszeile hat ein Kontrollfeld als zweites Element. Generell sollte es auf requisite gesetzt werden, so wird ein Loginfehler erzeugt, wenn eines der Module versagt.

Die erste Sache, die ich gerne mache, ist, MD5-Unterstützung zu den PAM-Anwendungen hinzuzufügen, da dies gegen Wörterbuchangriffe hilft (da Passwörter länger sein können, wenn sie MD5 benutzen). Die folgenden zwei Zeilen sollten Sie in allen Dateien unterhalb von /etc/pam.d/ hinzufügen, die Zugriff auf Ihre Maschine gewähren, wie zum Beispiel login und ssh. # Gehen Sie sicher, dass Sie libpam-cracklib zuerst installiert haben, # sonst werden Sie sich nicht einloggen können password required pam_cracklib.so retry=3 minlen=12 difok=3 password required pam_unix.so use_authtok nullok md5

Also, was macht diese Beschwörungsformel nun genau? Die erste Zeile lädt das cracklib PAM-Modul, welches einen Passwort-Sicherheitscheck bereitstellt. Es fragt nach einem neuen Passwort mit mindestens 12 Zeichen, einer Differenz von mindestens 3 Zeichen zum alten Passwort, und erlaubt 3 Versuche. Cracklib benötigt ein Paket mit Wörterlisten (wie wngerman, wenglish, wspanish, ...). Stellen Sie also sicher, dass Sie ein passendes Paket für Ihre Sprache installiert haben. Ansonsten ist cracklib nicht verwendbar. Diese Abhängigkeit ist allerdings im Debian 3.0 Paket nicht gelöst. Lesen Sie dazu . Die zweite Zeile führt das Standardauthentifizierungsmodul mit MD5-Passwörtern aus und erlaubt durch die Option nullok Passwörter mit einer Länge von Null (lassen Sie nullok weg, wenn leere Passwörter nicht zulässig sein sollen). Die use_authtok-Anweisung ist notwendig, um das Passwort von dem vorherigen Modul übergeben zu bekommen.

Um sicherzustellen, dass sich der Benutzer root nur von lokalen Terminals einloggen kann, sollte die folgende Zeile in /etc/pam.d/login eingefügt werden: auth requisite pam_securetty.so

Danach sollten Sie die Liste der Terminals in /etc/securetty ändern, auf denen sich Root unmittelbar anmelden darf. Alternativ dazu können Sie auch das pam_access-Modul aktivieren und /etc/security/access.conf bearbeiten. Dieses Vorgehen erlaubt eine allgemeinere und feiner abgestimmte Zugangskontrolle, leider fehlen aber vernünftige Protokollmeldungen (diese sind in PAM nicht standardisiert und sind ein besonders unbefriedigendes Problem). Wir werden zu access.conf in Kürze zurückkehren.

Zu guter Letzt sollte die folgende Zeile in /etc/pam.d/login aktiviert werden, um den Benutzern Grenzen ihrer Systemressourcen zu setzen. session required pam_limits.so

Dies schränkt die Systemressourcen ein, die ein Benutzer nutzen darf (siehe ). Sie können zum Beispiel die Anzahl der Logins, die man haben kann, einschränken (für eine Gruppe von Nutzern oder systemweit), die Anzahl der Prozesse, den belegten Speicher etc.

Editieren Sie nun /etc/pam.d/passwd und ändern Sie die erste Zeile. Sie sollten die Option "md5" hinzufügen, um MD5-Passwörter zu benutzen, ändern Sie die minimale Passwort-Länge von 4 auf 6 (oder mehr) und setzen Sie eine Maximallänge, wenn Sie möchten. Die resultierende Zeile wird in etwa so aussehen: password required pam_unix.so nullok obscure min=6 max=11 md5

Wenn Sie su schützen möchten, so dass nur manche Leute es benutzen können, um root auf Ihrem System zu werden, müssen Sie eine neue Gruppe "wheel" zu Ihrem System hinzufügen (das ist der sauberste Weg, da keine Datei solche Gruppenrechte bisher benutzt). Fügen Sie root und die anderen Benutzer, die zu root suen können sollen, zu dieser Gruppe hinzu. Fügen Sie anschließend die folgende Zeile zu /etc/pam.d/su hinzu: auth requisite pam_wheel.so group=wheel debug

Dies stellt sicher, dass nur Personen aus der Gruppe "wheel" su benutzen können, um root zu werden. Anderen Benutzern wird es nicht möglich sein, root zu werden. Tatsächlich werden sie eine ablehnende Nachricht bekommen, wenn sie versuchen, root zu werden.

Wenn Sie es nur bestimmten Nutzern erlauben wollen, sich bei einem PAM-Dienst zu authentifizieren, ist dies sehr leicht zu erreichen, indem Sie Dateien benutzen, in denen die Nutzer, denen es erlaubt ist, sich einzuloggen (oder nicht), gespeichert sind. Stellen Sie sich vor, Sie möchten lediglich dem Nutzer 'ref' erlauben, sich mittels ssh einzuloggen. Sie schreiben ihn also in eine Datei /etc/sshusers-allowed und schreiben das Folgende in /etc/pam.d/ssh: auth required pam_listfile.so item=user sense=allow file=/etc/sshusers-allowed onerr=fail

Da es eine Reihe von Sicherheitslücken mit so genannten unsicheren temporären Dateien zum Beispiel in thttpd (vgl. ) gab, lohnt es sich, das Paket libpam-tmpdir zu installieren. Alles, was Sie machen müssen, ist, Folgendes zu /etc/pam.d/common-session hinzuzufügen: session optional pam_tmpdir.so

Es gab auch eine Diskussion, dies standardmäßig in Etch einzufügen. Sehen Sie sich für weitere Informationen an.

Zuletzt, aber nicht am unwichtigsten, erstellen Sie /etc/pam.d/other mit den folgenden Zeilen: auth required pam_securetty.so auth required pam_unix_auth.so auth required pam_warn.so auth required pam_deny.so account required pam_unix_acct.so account required pam_warn.so account required pam_deny.so password required pam_unix_passwd.so password required pam_warn.so password required pam_deny.so session required pam_unix_session.so session required pam_warn.so session required pam_deny.so

Diese Zeilen stellen für alle Anwendungen, die PAM unterstützen, eine gute Standard-Konfiguration dar (Zugriff wird standardmäßig verweigert). Ressourcen-Nutzung limitieren: Die Datei limits.conf

Sie sollten sich wirklich ernsthaft mit dieser Datei beschäftigen. Hier können Sie Ihren Benutzern Ressourcen-Limits definieren. In alten Veröffentlichungen war die Konfigurationsdatei /etc/limits.conf. Aber in neueren Versionen (mit PAM) sollte stattdessen die Konfigurationsdatei /etc/security/limits.conf benutzt werden.

Wenn Sie die Ressourcennutzung nicht einschränken, kann jeder Nutzer mit einer gültigen Shell auf Ihrem System (oder sogar ein Einbrecher, der das System durch einen Dienst kompromittierte, oder ein außer Kontrolle geratener Daemon) so viel CPU, Speicher, Stack etc. benutzen, wie das System zur Verfügung stellen kann. Dieses Problem der Überbeanspruchung von Ressourcen kann mit der Nutzung von PAM gelöst werden.

Es gibt einen Weg, Ressourcen-Limits zu manchen Shells hinzuzufügen (zum Beispiel hat bash ulimit, siehe ). Aber da nicht alle die gleichen Limits zur Verfügung stellen, und da der Nutzer seine Shell ändern kann (siehe ), ist es besser, die Limits in den PAM-Modulen zu platzieren, da diese unabhängig von der verwendeten Shell Anwendung finden und auch PAM-Module betreffen, die nicht shellorientiert sind.

Ressourcen-Limits werden vom Kernel verhängt, aber sie müssen durch limits.conf konfiguriert werden, und die PAM-Konfiguration der verschiedenen Dienste muss das passende PAM laden. Sie können herausfinden, welche Dienste Limits durchsetzen, indem Sie Folgendes ausführen: $ find /etc/pam.d/ \! -name "*.dpkg*" | xargs -- grep limits |grep -v ":#"

Für gewöhnlich nehmen login, ssh und die grafischen Sitzungsmanager (gdm, kdm und xdm) Nutzerlimits in Anspruch, aber Sie sollten dies auch in anderen Konfigurationsdateien für PAM wie für cron tun, um zu verhindern, dass Systemdaemonen alle Systemressourcen aufbrauchen.

Die konkreten Begrenzungen, die Sie festlegen wollen, hängen von den Ressourcen Ihres Systems ab. Das ist einer der Hauptgründe, warum keine Limits in der Standardinstallation enthalten sind.

Zum Beispiel nimmt die Konfiguration im Beispiel unten eine Begrenzung von 100 Prozessen für alle Nutzer vor (um Fork-Bomben Programme, die immer mehr Prozesse erzeugen, um so das System zum Absturz zu bringen, d.Ü. zu vermeiden) und eine Begrenzung auf 10MB Speicher pro Prozess und ein Limit von 10 gleichzeitigen Logins. Benutzer in der Gruppe adm haben höhere Begrenzungen und können Dateien mit einem Speicherabbild schreiben, wenn sie das wollen (es gibt also nur eine weiche Begrenzung).

* soft core 0 * hard core 0 * hard rss 1000 * hard memlock 1000 * hard nproc 100 * - maxlogins 1 * hard data 102400 * hard fsize 2048 @adm hard core 100000 @adm hard rss 100000 @adm soft nproc 2000 @adm hard nproc 3000 @adm hard fsize 100000 @adm - maxlogins 10

Dies könnten die Limits eines Standardnutzers (einschließlich der Systemdaemonen) sein: $ ulimit -a core file size (blocks, -c) 0 data seg size (kbytes, -d) 102400 file size (blocks, -f) 2048 max locked memory (kbytes, -l) 10000 max memory size (kbytes, -m) 10000 open files (-n) 1024 pipe size (512 bytes, -p) 8 stack size (kbytes, -s) 8192 cpu time (seconds, -t) unlimited max user processes (-u) 100 virtual memory (kbytes, -v) unlimited

Und dies die Limits für einen Administrator: $ ulimit -a core file size (blocks, -c) 0 data seg size (kbytes, -d) 102400 file size (blocks, -f) 100000 max locked memory (kbytes, -l) 100000 max memory size (kbytes, -m) 100000 open files (-n) 1024 pipe size (512 bytes, -p) 8 stack size (kbytes, -s) 8192 cpu time (seconds, -t) unlimited max user processes (-u) 2000 virtual memory (kbytes, -v) unlimited

Für mehr Informationen hierzu lesen Sie: . in dem Limiting users overview Abschnitt. in dem Limiting and monitoring users Abschnitt. Aktionen bei der Benutzeranmeldung: Editieren von /etc/login.defs

Der nächste Schritt ist es, die grundlegende Konfiguration und die Aktionen bei User-Login zu editieren. Beachten Sie, dass diese Datei kein Bestandteil der PAM-Konfiguration ist. Sie ist eine Konfigurationsdatei, die von den Programmen login und su berücksichtigt wird. Es ist also wenig sinnvoll, sie auf Fälle abzustimmen, in denen keines der beiden Programme wenigstens indirekt aufgerufen wird (Das Programm getty, welches auf der Konsole läuft und die anfängliche Loginaufforderung zu Verfügung stellt, ruft login auf). FAIL_DELAY 10

Diese Variable sollte auf einen höheren Wert gesetzt werden, um es schwerer zu machen, mittels Brute Force (roher Gewalt, stures Durchprobieren, Anm. d. Übers.) auf einem Terminal einzuloggen. Wenn ein falsches Passwort eingegeben wird, muss der potenzielle Angreifer (aber auch der normale Benutzer!) 10 Sekunden warten, um einen neuen login Prompt zu bekommen, was auf die Dauer viel Zeit kostet, wenn sie Passwörter durchtesten. Beachten Sie jedoch die Tatsache, dass diese Einstellung nutzlos ist, wenn Sie ein anderes Programm als getty benutzen, wie zum Beispiel mingetty. FAILLOG_ENAB yes

Wenn Sie diese Variable einschalten, werden fehlgeschlagene Logins protokolliert. Es ist wichtig, hier auf dem Laufenden zu bleiben, um jemanden zu fassen, der eine Brute-Force-Attacke versucht. LOG_UNKFAIL_ENAB no

Wenn Sie diese Variable auf 'yes' setzen, werden auch unbekannte Benutzernamen protokolliert, wenn eine Anmeldung scheitert. Es ist zu empfehlen, sie auf 'no' (den Standard) zu belassen, da anderenfalls das Passwort eines Benutzers aufgezeichnet werden könnte (falls er nämlich versehentlich anstatt seines Benutzernames sein Passwort eingibt). Falls Sie sie dennoch auf 'yes' setzen, müssen Sie sichergehen, dass die Protokolldateien angemessene Zugriffsrechte haben (zum Beispiel 640, mit einer passenden Gruppen-Zugehörigkeit wie adm). SYSLOG_SU_ENAB yes

Dies schaltet das Mitprotokollieren von su-Versuchen im Syslog ein. Sehr wichtig auf ernsthaften Maschinen, aber beachten Sie, dass dies auch die Privatsphäre verletzen kann. SYSLOG_SG_ENAB yes

Das gleiche wie bei SYSLOG_SU_ENAB, jedoch für das Programm sg. MD5_CRYPT_ENAB yes

Wie bereits erklärt, reduzieren MD5-Summen-Passwörter das Problem lexikalischer Attacken (Wörterbuchangriffe) erheblich, da Sie längere Passwörter benutzen können. Wenn Sie slink benutzen, lesen Sie die Dokumentation zu MD5, bevor Sie diese Option einschalten. Ansonsten wird dies in PAM gesetzt. PASS_MAX_LEN 50

Wenn Sie MD5-Passwörter in Ihrer PAM-Konfiguration aktiviert haben, dann sollten Sie diese Variable auf denselben Wert setzen, den Sie dort benutzt haben. ftp Einschränken: Editieren von /etc/ftpusers

Die Datei /etc/ftpusers enthält eine Liste von allen Nutzern, denen es nicht erlaubt ist, sich auf dem Rechner mit ftp einzuloggen. Benutzen Sie diese Datei nur, wenn Sie wirklich ftp erlauben wollen (wozu im Allgemeinen nicht geraten wird, da es Klartext-Passwörter benutzt). Wenn Ihr ftp-Daemon PAM unterstützt, können Sie dies ebenfalls benutzen, um Nutzern bestimmte Dienste zu erlauben oder zu verbieten.

FIXME (FEHLER): Ist es ein Fehler, dass ftpusers in Debian standardmäßig nicht die Benutzer mit Administratorenrecht (in base-passwd) beinhaltet?

Folgender Befehl ist ein einfacher Weg, alle Systemkonten zu /etc/ftpusers hinzuzufügen: $ awk -F : '{if ($3<1000) print $1}' /etc/passwd > /etc/ftpusers Verwendung von su

Wenn es wirklich benötigt wird, dass Nutzer der Super-User (also Root, d.Ü.) auf Ihrem System werden, zum Beispiel um Pakete zu installieren oder neue Benutzer anzulegen, können Sie das Programm su benutzen, um Ihre Identität zu wechseln. Sie sollten jeden Login als Nutzer Root vermeiden und stattdessen das Programm su benutzen. Eigentlich ist die beste Lösung, su zu entfernen und zu sudo zu wechseln, da es eine feinere Steuerung und mehr Möglichkeiten bietet als su. Wie auch immer, su ist verbreiteter und wird auf vielen Unices benutzt. Verwendung von sudo

Das Programm sudo erlaubt es dem Benutzer, ein definiertes Kommando unter einer anderen Nutzeridentität auszuführen, sogar als Root. Wenn der Nutzer zu /etc/sudoers hinzugefügt ist und sich korrekt authentifiziert, ist er in der Lage, Kommandos, die in /etc/sudoers definiert wurden, auszuführen. Sicherheitsverletzungen, wie ein inkorrektes Passwort oder der Versuch ein Programm auszuführen, für das Ihre Rechte nicht ausreichen, werden protokolliert und an root gemailt. Administrativen Fernzugriff verweigern

Sie sollten /etc/security/access.conf ebenfalls so verändern, dass ein Login aus der Ferne in ein administratives Konto nicht erlaubt wird. Auf diese Weise müssen die Nutzer das Programm su (oder sudo) aufrufen, um Administratorenrechte zu bekommen, so dass es immer eine nachprüfbare Spur gibt.

Sie müssen die folgende Zeile zu Ihrer /etc/security/access.conf hinzufügen; Debians Standardkonfigurationsdatei enthält ein auskommentiertes Beispiel dafür: -:wheel:ALL EXCEPT LOCAL

Vergessen Sie nicht, in /etc/pam.d/ das pam_access-Module für jeden Dienst (oder jede Standardkonfiguration) anzuschalten, wenn Sie wollen, dass Ihre Änderungen an /etc/security/access.conf berücksichtigt werden. Den Nutzerzugang einschränken

Manchmal werden Sie vielleicht denken, dass Sie einen Nutzer auf Ihrem System erstellen müssen, um einen bestimmten Dienst (pop3 E-Mail Server oder ftp) anzubieten. Bevor Sie dies tun, erinnern Sie sich zuerst daran, dass die PAM Implementierung in Debian GNU/Linux Ihnen erlaubt, Nutzer mit einer breiten Auswahl von externen Verzeichnisdiensten (radius, ldap, etc.) zu bestätigen. Dies wird vom libpam-Paket bewerkstelligt.

Wenn Sie einen Nutzer anlegen müssen, und auf Ihr System aus der Ferne zugegriffen werden kann, beachten Sie, dass es Nutzern möglich sein wird, sich einzuloggen. Sie können dies beheben, indem Sie diesen Nutzern eine Null (/dev/null) als Shell (sie müsste in /etc/shells aufgelistet sein) zuweisen. Wenn Sie den Nutzern erlauben wollen, auf das System zuzugreifen, aber ihre Bewegungen einschränken wollen, können Sie /bin/rbash benutzen. Dies hat das gleiche Ergebnis, wie wenn Sie die -r Option der Bash (RESTRICTED SHELL, siehe ) verwendet hätten. Beachten Sie bitte, dass sogar mit einer beschränkten Shell ein Nutzer, der auf ein interaktives Programm zugreifen kann (das ihm erlaubt, eine Subshell auszuführen), diese Limitierung der Shell umgehen kann.

Debian bietet zurzeit in seiner Unstable-Veröffentlichung (und wird es vielleicht der nächsten Stable-Veröffentlichung hinzufügen) das pam_chroot-Modul (in libpam-chroot) an. Eine Alternative hierzu ist es, die Dienste, die eine Fernanmeldung ermöglichen (ssh und telnet), in einer chroot-Umgebung laufen zu lassen. libpam-chroot wurde noch nicht vollständig getestet. Es funktioniert mit login, aber es dürfte nicht leicht sein, diese Umgebung für andere Programme einzurichten.

Wenn Sie einschränken wollen, wann ein Nutzer auf das System zugreifen kann, müssen Sie /etc/security/access.conf an Ihre Bedürfnisse anpassen.

Informationen, wie man Benutzer, die auf das System mittels des ssh-Dienstes zugreifen, in eine chroot-Umgebung einsperrt, werden in beschrieben. Überprüfen der Nutzer

Wenn Sie wirklich paranoid sind, sollten Sie vielleicht eine systemweite Einrichtung verwenden, um zu überwachen, was die Benutzer auf Ihrem System tun. In diesem Abschnitt werden einige Tipps vorgestellt, wie Sie verschiedene Werkzeuge verwenden. Überwachung von Ein- und Ausgabe mittels eines Skripts

Um sowohl die von den Nutzern ausgeführten Programme als auch deren Ergebnisse zu überwachen, können Sie den Befehl script verwenden. Sie können script nicht als eine Shell einsetzen (auch dann nicht, wenn Sie es zu /etc/shells hinzufügen). Aber Sie können in die Datei, welche den Startvorgang der Shell steuert, folgendes eintragen: umask 077 exec script -q -a "/var/log/sessions/$USER" Die History-Datei der Shell benutzen

Wenn Sie auswerten wollen, was die Benutzer in die Shell eingeben (aber nicht was das Ergebnis ist), können Sie eine systemweite /etc/profile so einrichten, dass alle Befehle in der History-Datei (Verlaufsdatei) gespeichert werden. Die systemweite Einstellung muss so eingerichtet werden, dass Benutzer die Auditmöglichkeit nicht aus ihrer Shell entfernen können. Ob dies möglich ist, hängt von der Art der Shell ab. Sie müssen also sicherstellen, dass alle Benutzer eine Shell verwenden, die das unterstützt.

Für die Bash zum Beispiel könnte /etc/profile folgendermaßen aufgebaut werden (wenn HISTSIZE eine sehr große Zahl zugewiesen wird, kann dies bei einigen Shells zu Problemen führen, da der Verlauf für jede Sitzung eines Nutzers im Speicher abgelegt wird; Sie sind auf der sichereren Seite, wenn Sie HISTSIZE auf einen ausreichend großen Wert setzen und eine Kopie der History-Datei des Benutzers anlegen, falls Sie aus irgendwelchen Gründen den ganzen Verlauf von einem Nutzer benötigen): HISTFILE=~/.bash_history HISTSIZE=10000 HISTFILESIZE=999999 # Don't let the users enter commands that are ignored # in the history file HISTIGNORE="" HISTCONTROL="" readonly HISTFILE readonly HISTSIZE readonly HISTFILESIZE readonly HISTIGNORE readonly HISTCONTROL export HISTFILE HISTSIZE HISTFILESIZE HISTIGNORE HISTCONTROL

Damit dies funktioniert, dürfen die Nutzer nur Informationen zur .bash_history-Datei hinzufügen. Sie müssen daher zusätzlich die append-only-Option (nur-anfügen) mittels des Programms chattr für die .bash_history aller Nutzer setzen (ohne das Append-Only-Flag wäre es den Nutzern möglich, den Inhalt des Verlaufs zu löschen, indem sie > .bash_history ausführen).

Beachten Sie, dass Sie obige Konfiguration auch in .profile des Benutzers eintragen können. Dann müssten Sie aber die Rechte korrekt vergeben, so dass der Benutzer daran gehindert ist, diese Datei zu verändern. Dies schließt ein, dass das Home-Verzeichnis des Benutzers diesem nicht gehört (sonst könnte er die Datei einfach löschen). Gleichzeitig müsste ihm ermöglicht werden, die Konfigurationsdatei .profile zu lesen und in .bash_history zu schreiben. Falls Sie diesen Weg gehen wollen, wäre es auch gut, das immutable-Flag (unveränderbar) für .profile zu setzen (auch dazu verwenden Sie chattr). Vervollständigung der Nutzerüberwachung durch Accounting-Werkzeuge

Die vorherigen Beispiele sind ein einfacher Weg, um die Überwachung von Nutzern einzurichten. Sie eignen sich aber nicht unbedingt für komplexe Systeme oder für solche, auf denen die Nutzer überhaupt keine (oder ausschließlich) Shells am Laufen haben. Sollte dies der Fall sein, schauen Sie sich das Paket acct an, das Werkzeuge zur Bilanzierung (accounting utilities) enthält. Diese werden alle Kommandos, die ein Nutzer oder ein Prozess auf dem System ausführt, auf die Kosten von Plattenplatz aufzeichnen.

Wenn Sie diese Bilanzierung aktivieren, werden alle Informationen über Prozesse und Nutzer unter /var/account/ gespeichert, genauer gesagt in pacct. Das Accounting-Paket schließt einige Werkzeuge (sa, ac und lastcomm) zur Analyse dieser Daten ein. Andere Methoden zur Benutzerüberwachung

Wenn Sie wirklich paranoid sind und jedes Kommando des Nutzers protokollieren wollen, könnten Sie den Quellcode der Bash so ändern, dass sie alles, was der Nutzer eingibt, in einer anderen Datei ablegt. Oder Sie lassen ttysnoop ununterbrochen jedes neue tty (Ttys werden für lokale Logins und entfernte Logins mit ssh und telnet erzeugt) überwachen und die Ausgaben in einer Datei speichern. Ein anderes nützliches Programm ist snoopy (vergleichen Sie auch ). Dies ist ein für den Nutzer transparentes Programm, das sich als eine Bibliothek einhängt und eine Hülle um execve()-Aufrufe bildet. Jedes ausgeführte Kommando wird im syslogd aufgezeichnet, indem die authpriv-Möglichkeit benutzt wird (üblicherweise wird dies unter /var/log/auth.log gespeichert). Nachprüfung der Nutzerprofile

Wenn Sie sehen wollen, was Nutzer tatsächlich tun, wenn sie sich beim System anmelden, können Sie die wtmp-Datenbank benutzen, die alle Login-Informationen enthält. Diese Datei kann mit verschiedenen Werkzeugen weiterverarbeitet werden, unter ihnen sac, das ein Profil für jeden Nutzer ausgeben kann und zeigt, in welchem Zeitfenster sie sich für gewöhnlich auf dem System einloggen.

Für den Fall, dass Sie Accounting aktiviert haben, können Sie auch die mitgelieferten Werkzeuge verwenden, um festzustellen, wann Nutzer auf das System zugreifen und was sie ausführen. umasks der Nutzer einstellen

Abhängig von Ihren Richtlinien möchten Sie vielleicht ändern, wie Nutzer Informationen teilen können. Dabei geht es um die Standardrechte von neu erstellten Dateien.

Wenn die Standardwerte von Debian für Ihr System zu großzügig sind, müssen Sie die umask-Einstellungen für alle Shells ändern. Strengere Umask-Einstellungen sind 027 (kein Zugriff der Gruppe other auf neue Dateien, dazu zählen andere Benutzer auf dem System) oder 077 (kein Zugriff der Mitglieder der Gruppe des Benutzers). Debian erzeugt standardmäßig (dies wird in /etc/adduser.conf festgelegt (USERGROUPS=yes); Sie ändern dieses Verhalten, wenn Sie den Wert auf no setzen, was aber nicht empfohlen wird) für jeden Benutzer eine eigene Gruppe, so dass das einzige Gruppenmitglied der Benutzer selbst ist. Daher ergibt sich zwischen 027 und 077 kein Unterschied, da die Benutzergruppe nur den Benutzer selbst enthält.

Dies ändern Sie, indem Sie eine passende umask für alle Benutzer einstellen. Dazu müssen Sie einen umask-Aufruf in den Konfigurationsdateien aller Shells einfügen: /etc/profile (wird von allen Shells beachtet, die kompatibel mit Bourne sind), /etc/csh.cshrc, /etc/csh.login, /etc/zshrc und wahrscheinlich noch ein paar andere (je nachdem, welche Shells Sie auf Ihrem System installiert haben). Sie können auch die UMASK-Einstellung in /etc/login.defs verändern. Von all diesen Dateien erlangt die letzte, die von der Shell geladen wird, Vorrang. Die Reihenfolge lautet: die Standard-System-Konfiguration für die Shell des Benutzers (d.h. /etc/profile und andere systemweite Konfigurationsdateien) und dann die Shell des Benutzers (seine ~/.profile und ~/.bash_profile etc.). Allerdings können einige Shells mit dem nologin-Wert ausgeführt werden, was verhindern kann, dass einige dieser Dateien ausgewertet werden. Sehen Sie in der Handbuchseite Ihrer Shell für weitere Informationen nach.

Bei Anmeldungen, die von login Gebrauch machen, erhält die UMASK-Festlegung in /etc/login.defs Vorrang vor allen anderen Einstellungen. Dieser Wert wird aber nicht von Anwendungen des Benutzers beachtet, die nicht login verwenden, wie z.B. solche, die durch su, cron oder ssh ausgeführt werden.

Vergessen Sie nicht, die Dateien unter /etc/skel/ zu überprüfen und gegebenenfalls anzupassen, da dort die Standards für Benutzer festgelegt werden, die mit dem Befehl adduser erstellt werden. Standardmäßig enthalten die Dateien in Debian keinen Aufruf von umask. Wenn sich aber ein solcher in Konfigurationsdateien befindet, sind neue Benutzer eher geneigt, ihn ihren Bedürfnissen anzupassen.

Beachten Sie allerdings, dass ein Nutzer seine umask-Einstellung abändern kann, wenn er es möchte, um sie großzügiger oder einschränkender zu machen, indem er seine Konfigurationsdateien verändert.

Das Paket libpam-umask passt die Standard-umask eines Benutzers mit Hilfe von PAM an. Nachdem Sie das Paket installiert haben, tragen Sie Folgendes in /etc/pam.d/common-session ein: session optional pam_umask.so umask=077

Zu guter Letzt sollten Sie in Betracht ziehen, die Standard-Umask von Root (022, wird in /root/.bashrc festgelegt) auf einen strengeren Wert zu verändern. Damit kann verhindert werden, dass der Systemadministrator als Root sensible Dateien in von allen lesbaren Verzeichnissen (wie z.B. /tmp) ablegt und sie so dem Durchschnittsbenutzer zugänglich macht. Nutzer Sicht/Zugriff limitieren

FIXME: Inhalt benötigt. Aufzeigen der Folgen beim Upgraden, wenn die Paketrechte verändert werden, falls nicht dpkg-statoverride verwendet wird (übrigens sollte ein derartig paranoider Administrator seine Nutzer in eine chroot-Umgebung einsperren).

Wenn Sie einem Nutzer Zugriff auf das System mit einer Shell gewähren müssen, sollten Sie vorsichtig sein. Ein Nutzer kann normalerweise, wenn er sich nicht in einer streng abgeschirmten Umgebung befindet (z.B. in einem chroot-Gefängnis), ziemlich viel Informationen über Ihr System sammeln. Darunter fallen: einige Konfigurationsdateien unter /etc. Jedoch werden Debians Standardrechte für sensible Dateien (die zum Beispiel Passwörter enthalten könnten) den Zugriff auf kritische Informationen verhindern. Um zu sehen, auf welche Dateien nur der root Nutzer zugreifen kann, führen Sie zum Beispiel find /etc -type f -a -perm 600 -a -uid 0 als Superuser aus. Ihre installierten Pakete. Indem man die Paket-Datenbank und das /usr/share/doc-Verzeichnis ansieht, oder indem man mit Hilfe der auf Ihrem System installierten Binaries und Bibliotheken versucht zu raten. einige Protokolle unter /var/log. Beachten Sie, dass auf einige Protokolle nur Root und die adm-Gruppe zugreifen kann (versuchen Sie find /var/log -type f -a -perm 640). Manche sind sogar ausschließlich für Root verfügbar (sehen Sie sich find /var/log -type f -a -perm 600 -a -uid 0 an).

Was kann ein Nutzer von Ihrem System sehen? Wahrscheinlich ziemlich viele Sachen, versuchen Sie mal Folgendes (und jetzt tief durchatmen): find / -type f -a -perm +006 2>/dev/null find / -type d -a -perm +007 2>/dev/null

Was Sie sehen, ist eine Liste von allen Dateien, die ein Nutzer einsehen kann, und die Verzeichnisse, auf die er Zugriff hat. Begrenzung des Zugangs zu Informationen anderer Nutzer

Wenn Sie immer noch Benutzern einen Shellzugang zur Verfügung stellen wollen, sollten Sie vielleicht die Informationen begrenzen, die man über andere Nutzer einholen kann. Nutzer mit einer Shell haben die Neigung, eine ziemlich große Anzahl von Dateien in ihrem $HOME zu erstellen: Mailboxen, persönliche Daten, Konfigurationen für X/GNOME/KDE-Anwendungen ...

In Debian wird jeder Nutzer mit einer zugehörigen Gruppe erstellt. Verschiedene Nutzer gehören dabei nie zur selben Gruppe. Folgendes ist das Standardverhalten: Wenn ein Benutzerkonto angelegt wird, wird auch eine Gruppe mit dem gleichen Namen erstellt. Dieser Gruppe wird der Nutzer zugewiesen. Damit wird die Idee einer allgemeinen users-Gruppe überflüssig, die es Nutzern erschweren könnte, Informationen vor anderen Nutzern zu verstecken.

Allerdings wird das $HOME-Verzeichnis der Benutzer mit 0755-Rechten (lesbar von der Gruppe, lesbar von der Welt) erstellt. Die Rechte für die Gruppe sind kein Thema, da nur der Nutzer zu dieser Gruppe gehört. Allerdings könnten die Rechte für die Welt ein Problem darstellen, wobei dies von Ihren lokalen Grundsätzen abhängt.

Sie können dieses Verhalten so abändern, dass das Erstellen eines Nutzers andere Rechte für $HOME liefert. Um dieses Verhalten für neue Nutzer zu ändern, wenn sie erstellt werden, ändern Sie in der Konfigurationsdatei /etc/adduser.conf DIR_MODE auf 0750 (nicht lesbar für die Welt) ab.

Benutzer können immer noch Informationen austauschen, aber nicht mehr unmittelbar in ihrem $HOME-Verzeichnis, es sei denn, dass sie dessen Recht verändert haben.

Wenn Sie den Lesezugriff auf die Home-Verzeichnisse für die Welt verhindern, sollten Sie beachten, dass dann Nutzer ihre persönlichen Webseiten nicht unter ~/public_html erstellen können, da der Webserver einen Teil des Pfads nicht lesen kann – und zwar das $HOME-Verzeichnis. Wenn Sie es Nutzern erlauben wollen, ihre HTML-Seiten in ihrem ~/public_html zu veröffentlichen, sollten Sie DIR_MODE auf 0751 setzen. Das ermöglicht dem Webserver Zugang zum public_html-Verzeichnis (welches selber die Rechte 0755 haben sollte). So kann er den von den Nutzern veröffentlichten Inhalt anbieten. Natürlich sprechen wir hier nur über die Standardeinstellung. Benutzer können grundsätzlich die Rechte für ihre eigenen Dateien nach ihrem Gutdünken vergeben. Oder Sie können die Dinge, die für das Web bestimmt sind, in einem getrennten Ort ablegen, der kein Unterverzeichnis vom $HOME-Verzeichnis des Nutzers ist. Erstellen von Benutzerpasswörtern

In vielen Fällen muss ein Administrator viele Benutzerkonten erstellen und alle mit Passwörtern ausstatten. Der Administrator könnte natürlich einfach als Passwort den Namen des Nutzerkontos vergeben. Dies wäre aber unter Sicherheitsgesichtspunkten nicht sehr klug. Ein besseres Vorgehen ist es, ein Programm zur Erzeugung von Passwörtern zu verwenden. Debian stellt die Pakete makepasswd, apg und pwgen zur Verfügung, die Programme liefern (deren Name ist der gleiche wie der des Pakets), die zu diesem Zweck verwendet werden können. Makepasswd erzeugt wirklich zufällige Passwörter, gibt also der Sicherheit gegenüber der Aussprechbarkeit den Vorzug. Dagegen versucht pwgen, bedeutungslose, aber aussprechbare Passwörter herzustellen (dies hängt natürlich auch von Ihrer Muttersprache ab). Apg liefert Algorithmen für beide Möglichkeiten (Es gibt auch eine Client/Server-Version dieses Programms. Diese befindet sich aber nicht im Debian-Paket).

Passwd erlaubt nur die interaktive Zuweisung von Passwörtern (da es direkt den tty-Zugang benutzt). Wenn Sie Passwörter ändern wollen, wenn Sie eine große Anzahl von Benutzern erstellen, können Sie diese unter der Verwendung von adduser mit der --disabled-login-Option erstellen, und danach usermod oder chpasswd benutzen (beide Programme stammen aus dem passwd-Paket, Sie haben sie also schon installiert; chpasswd kann keine MD5-Passwörter erzeugen, daher muss ihm das Passwort in verschlüsselter Form übergeben werden, bevor es mit der -e-Option verwendet werden kann). Wenn Sie lieber eine Datei verwenden, die alle Informationen zur Erstellung von Nutzern als Batch-Prozess enthält, sind Sie vielleicht mit newusers besser dran. Kontrolle der Benutzerpasswörter

Die Passwörter der Nutzer sind manchmal die schwächste Stelle der Sicherheit eines Systems. Das liegt daran, dass manche Nutzer schwache Passwörter für ihr Konto wählen (und je mehr Nutzer Zugang zum System haben, umso größer die Chance, dass das passiert). Selbst wenn Sie Überprüfungen mit dem PAM-Module cracklib und Grenzen für Passwörter einsetzen, wie in beschrieben wird, ist es Nutzern immer noch möglich, schwache Passwörter zu verwenden. Da der Zugang der Nutzer auch den Zugang aus der Ferne (hoffentlich über ssh) umfassen kann, ist es wichtig, dass das Erraten von Passwörtern für entfernte Angreifer so schwierig wie möglich ist. Dies gilt insbesondere dann, wenn es ihnen gelungen sein sollte, Zugang zu wichtigen Informationen wie den Benutzernamen oder sogar den Dateien passwd und shadow selbst zu bekommen.

Ein Systemadministrator muss bei einer großen Anzahl von Nutzern überprüfen, ob deren Passwörter mit den lokalen Sicherheitsmaßstäben in Einklang stehen. Und wie überprüft man das? Indem man versucht, sie wie ein Angreifer zu knacken, der Zugriff auf die gehashten Passwörter hat (also auf die Datei /etc/shadow).

Ein Administrator kann john oder crack (beide benutzen Brute-Force (Rohe Gewalt) zum Knacken von Passwörtern) zusammen mit einer passenden Wörterliste verwenden, um die Passwörter der Nutzer zu überprüfen, und falls ein schlechtes Passwort entdeckt wird, geeignete Schritte unternehmen. Sie können mit apt-cache search wordlist nach Debian/GNU-Paketen suchen, die Wörterlisten enthalten, oder Sie besuchen die klassischen Internetseiten mit Wörterlisten wie oder . Ausloggen von untätigen Nutzern

Untätige (idle) Nutzer stellen für gewöhnlich ein Sicherheitsproblem dar. Ein Nutzer kann untätig sein, da er beim Mittagessen ist, oder weil eine entfernte Verbindung hängen blieb und nicht wieder hergestellt wurde. Unabhängig von den Gründen können untätige Benutzer zu einer Kompromittierung führen: weil die Konsole des Benutzers vielleicht nicht verriegelt ist und damit ein Eindringling darauf zugreifen kann. weil ein Angreifer an eine schon beendete Netzwerkverbindung anknüpfen und Befehle an die entfernte Shell schicken kann (das ist ziemlich einfach, wenn die entfernte Shell, wie bei telnet, nicht verschlüsselt ist).

In einige entfernte Systeme wurde sogar schon durch ein untätiges (und abgelöstes) screen eingedrungen.

Die automatische Trennung von untätigen Benutzern ist gewöhnlich ein Teil der lokalen Sicherheitsregeln, die durchgesetzt werden müssen. Es gibt mehrere Wege, dies zu tun: Wenn die Shell des Benutzers die Bash ist, kann ein Systemadministrator TMOUT einen Standardwert zuweisen (vergleiche ). Das hat zur Folge, dass die Shell automatisch entfernte, untätige Nutzer ausloggt. Beachten Sie, dass der Wert mit der -o-Option gesetzt werden muss. Ansonsten wäre es den Nutzern möglich, ihn zu verändern (oder zu löschen).

Installieren Sie timeoutd und konfigurieren Sie /etc/timeouts passend zu Ihren lokalen Sicherheitsrichtlinien. Der Daemon achtet auf untätige Nutzer und beendet ihre Shells gegebenenfalls. Installieren Sie autolog und richten Sie es so ein, dass es untätige Nutzer entfernt.

Vorzugswürdige Methoden sind die Daemonen timeoutd und autolog, da letzten Endes die Nutzer ihre Standardshell ändern können oder zu einer anderen (unbeschränkten) Shell wechseln können, nachdem sie ihre Standardshell gestartet haben. Die Nutzung von tcpwrappers

TCP-Wrapper (Schutzumschläge für TCP) wurden entwickelt, als es noch keine echten Paketfilter gab, aber Zugangskontrollen notwendig waren. Trotzdem sind sie immer noch hoch interessant und nützlich. Ein TCP-Wrapper erlaubt Ihnen, einem Host oder einer Domain einen Dienst anzubieten oder zu verweigern, und standardmäßig Zugriff zu erlauben oder zu verweigern (das alles wird auf der Anwendungsebene durchgeführt). Wenn Sie mehr Informationen haben möchten, sehen Sie sich an.

Viele der unter Debian installierten Dienste werden entweder durch den TCP-Wrapper Service (tcpd) aufgerufen, oder wurden mit libwrapper (Bibliothek für TCP-Wrapper) Unterstützung kompiliert.

Einerseits werden Sie bei manchen Diensten (einschließlich telnet, ftp, netbios, swat und finger), die in /etc/inetd.conf konfiguriert werden, sehen, dass die Konfigurationsdatei zuerst /usr/sbin/tcpd aufruft. Andererseits, selbst wenn ein Dienst nicht über den inetd-Superdaemon ausgeführt wird, kann die Unterstützung von Tcp-Wrapper einkompiliert werden. Dienste, die unter Debian mit TCP-Wrappern kompiliert wurden, sind ssh, portmap, in.talk, rpc.statd, rpc.mountd, gdm, oaf (der GNOME-Aktivierungs-Daemon), nessus und viele andere.

Um herauszufinden, welche Pakete TCP-Wrapper benutzen (bei älteren Veröffentlichungen von Debian sollten Sie dazu Folgendes ausführen: $ apt-cache showpkg libwrap0 | egrep '^[[:space:]]' | sort -u | \ sed 's/,libwrap0$//;s/^[[:space:]]\+//' ), versuchen Sie Folgendes: $ apt-cache rdepends libwrap0

Beachten Sie bitte Folgendes, wenn Sie tcpchk (ein sehr nützliches Programm zur Überprüfung der TCP-Wrapper-Konfiguration und -Syntax) laufen lassen. Wenn Sie Stand-Alone-Dienste (alleinstehende Dienste, also solche, die direkt mit der Wrapper-Bibliothek verbunden sind) der host.deny- oder host.allow-Datei hinzufügen, wird tcpchk Sie warnen, dass er sie nicht finden kann, da er sie nur in /etc/inetd.conf sucht (die Handbuchseite ist an dieser Stelle nicht sehr genau).

Jetzt kommt ein kleiner Trick und vielleicht die kleinste Alarmanlage zur Erkennung von Eindringlingen: Im Allgemeinen sollten Sie eine anständige Firewall als erste und TCP-Wrapper als zweite Verteidigungslinie haben. Der Trick besteht nun darin, ein SPAWN-Kommando (beachten Sie hier die Schreibweise, da spawn nicht funktionieren wird) in /etc/hosts.deny einzutragen, das immer dann eine Mail an Root schickt, wenn ein Dienst abgewiesen wurde: ALL: ALL: SPAWN ( \ echo -e "\n\ TCP Wrappers\: Verbindungsaufbau abgelehnt\n\ By\: $(uname -n)\n\ Prozess\: %d (pid %p)\n\ Nutzer\: %u\n\ Host\: %c\n\ Datum\: $(date)\n\ " | /usr/bin/mail -s "Verbindung zu %d blockiert" root) &

Achtung: Das obige Beispiel kann sehr leicht zu DoS (Denial of Service, Dienstverweigerung) führen, indem man versucht, sehr viele Verbindungen in kurzer Zeit aufzubauen. Viele E-Mails bedeuten viel Dateiaktivität, die lediglich durch das Senden von ein paar Paketen erreicht wird. Die Wichtigkeit von Logs und Alarmen

Es ist leicht einzusehen, dass die Behandlung von Logs (Protokolldateien) und Alarmen eine wichtige Angelegenheit in einem sicheren System ist. Stellen Sie sich vor, ein System ist perfekt konfiguriert und zu 99% sicher. Wenn ein Angriff unter dieses 1% fällt, und es keine Sicherheitsmaßnahmen gibt, dies erstens zu erkennen und zweitens einen Alarm auszulösen, so ist das System überhaupt nicht sicher.

Debian GNU/Linux stellt Werkzeuge zur Verfügung, die die Analyse von Log-Dateien übernehmen. Am beachtenswertesten sind swatch (es gibt darüber einen ziemlich guten Artikel von ), logcheck oder loganalysis (alle Pakete werden ein wenig Anpassung benötigen, um unnötige Dinge aus den Reports zu entfernen). Wenn sich das System in Ihrer Nähe befindet, könnte es nützlich sein, das System-Log auf einer virtuellen Konsole auszugeben. Dies ist nützlich, da Sie so (auch von weiter weg oder im Vorbeigehen) sehen können, ob sich das System richtig verhält. Debians /etc/syslog.conf wird mit einer auskommentierten Standardkonfiguration ausgeliefert. Um diese Ausgabe einzuschalten, entfernen Sie die Kommentarzeichen vor den entsprechenden Zeilen und starten syslog neu (/etc/init.d/syslogd restart): daemon,mail.*;\ news.=crit;news.=err;news.=notice;\ *.=debug;*.=info;\ *.=notice;*.=warn /dev/tty8

Um die Logs farbig zu gestalten, sollten Sie einen Blick auf colorize, ccze oder glark werfen. Es gibt da noch eine Menge über die Analyse von Logs zu sagen, das hier nicht behandelt werden kann. Eine gute Quelle für weitere Informationen ist die Webseite . In jedem Fall sind selbst automatische Werkzeuge dem besten Analysewerkzeug nicht gewachsen: Ihrem Gehirn. Nutzung und Anpassung von logcheck

Das Paket logcheck ist in Debian auf drei Pakete verteilt: logcheck (das Hauptprogramm), logcheck-database (eine Datenbank regulärer Ausdrücke für das Programm) und logtail (gibt Logzeilen aus, die noch nicht gelesen wurden). Der Standard unter Debian (in /etc/cron.d/logcheck) ist, dass logcheck jede Stunde und nach jedem Neustart ausgeführt wird.

Wenn dieses Werkzeug in geeigneter Weise angepasst wurde, kann es sehr nützlich sein, um den Administrator zu alarmieren, wenn etwas Ungewöhnliches auf dem System passiert. Logcheck kann vollständig angepasst werden, so dass es Mails über Ereignisse aus den Logs sendet, die Ihrer Aufmerksamkeit bedürfen. Die Standard-Installation umfasst Profile zum Ignorieren von Ereignissen und Verstößen für drei unterschiedliche Setups (Workstation, Server und paranoid). Das Debian-Paket umfasst die Konfigurationsdatei /etc/logcheck/logcheck.conf, die vom Programm eingelesen wird, und die definiert, an welchen Nutzer die Testergebnisse geschickt werden sollen. Es stellt außerdem einen Weg für Pakete zur Verfügung, um neue Regeln in folgenden Verzeichnissen zu erstellen: /etc/logcheck/cracking.d/_packagename_ /etc/logcheck/violations.d/_packagename_, /etc/logcheck/violations.ignore.d/_packagename_, /etc/logcheck/ignore.d.paranoid/_packagename_, /etc/logcheck/ignore.d.server/_packagename_, und /etc/logcheck/ignore.d.workstation/_packagename_. Leider benutzen das noch nicht viele Pakete. Wenn Sie ein Regelwerk entwickelt haben, das für andere Nutzer nützlich sein könnte, schicken Sie bitte einen Fehlerbericht für das entsprechende Paket (als ein wishlist-Fehler). Mehr Informationen finden Sie unter /usr/share/doc/logcheck/README.Debian.

logcheck konfiguriert man am besten, indem man nach der Installation seine Hauptkonfigurationsdatei /etc/logcheck/logcheck.conf bearbeitet. Verändern Sie den Benutzer, an den die Berichte geschickt werden (standardmäßig ist das Root). Außerdem sollten Sie auch den Schwellenwert für Berichte festlegen. logcheck-database hat drei Schwellenwerte mit steigender Ausführlichkeit: Workstation (Arbeitsplatz), Server und paranoid. "server" ist der Standardwert, "paranoid" wird nur für Hochsicherheitsmaschinen empfohlen, auf denen so wenig Dienste wie möglich laufen. "workstation" eignet sich für relativ geschützte, nicht kritische Maschinen. Wenn Sie neue Log-Dateien hinzufügen wollen, müssen Sie diese nur zu /etc/logcheck/logcheck.logfiles hinzufügen. Es ist für die standardmäßige Sysloginstallation eingerichtet.

Wenn Sie dies geschafft haben, sollten Sie die nächsten Tage/Wochen/Monate die verschickten Mails überprüfen. Falls Sie Nachrichten finden, die Sie nicht erhalten wollen, fügen Sie die regulären Ausdrücke (regular expressions, vergleiche und ), die zu diesen Nachrichten passen, in /etc/logcheck/ignore.d.reportlevel/local ein. Versuchen Sie, dass der reguläre Ausdruck mit der gesamten Logzeile übereinstimmt. Details, wie man Regeln schreibt, finden Sie in /usr/share/doc/logcheck-database/README.logcheck-database.gz. Das ist ein andauernder Prozess der Abstimmung. Wenn nur noch relevante Meldungen verschickt werden, können Sie davon ausgehen, dass dieser Prozess beendet ist. Beachten Sie, dass logcheck, selbst wenn er läuft, Ihnen keine Mail schickt, wenn er nichts Relevantes auf Ihrem System findet (so bekommen Sie höchstens eine Mail pro Woche, wenn Sie Glück haben). Konfiguration, wohin Alarmmeldungen geschickt werden

Debian wird mit einer Standardkonfiguration für Syslog (in /etc/syslog.conf) ausgeliefert, so dass Meldungen je nach System in die passenden Dateien geschrieben werden. Das sollte Ihnen bereits bekannt sein. Falls nicht, werfen Sie einen Blick auf die Datei syslog.conf und deren Dokumentation. Wenn Sie ein sicheres System betreuen wollen, sollte Ihnen bekannt sein, wohin Log-Meldungen geschickt werden, so dass sie nicht unbeachtet bleiben.

Zum Beispiel ist es für viele Produktiv-Systeme sinnvoll, Meldungen auch auf der Konsole auszugeben. Aber bei vielen solcher Systeme ist es sehr wichtig, auch eine neue Maschine zu haben, die für die anderen als ein Loghost fungiert (d.h. sie empfängt die Logs aller anderen Systeme).

Sie sollten auch an Mails für Root denken, da viele Sicherheits-Kontrollen (wie snort) ihre Alarme an die Mailbox von root senden. Diese Mailbox zeigt normalerweise auf den ersten Nutzer, der auf dem System erstellt wurde (prüfen Sie dazu /etc/aliases). Sorgen Sie dafür, dass roots Mails irgendwo hin geschickt werden, wo sie auch gelesen werden (lokal oder ferngesteuert).

Es gibt noch andere Accounts mit besonderer Funktion und andere Aliase auf Ihrem System. Auf einem kleinen System ist es wohl am einfachsten, sicherzustellen, dass alle Aliase auf den Root-Account zeigen, und dass Mails an root in das persönliche Postfach des System-Administrators weitergeleitet werden.

FIXME: It would be interesting to tell how a Debian system can send/receive SNMP traps related to security problems (jfs). Check: snmptrapfmt, snmp and snmpd. Nutzen eines loghosts

Ein Loghost ist ein Host, der die syslog-Daten über ein Netzwerk sammelt. Wenn eine Ihrer Maschinen geknackt wird, kann der Eindringling seine Spuren nicht verwischen, solange er den Loghost nicht ebenfalls geknackt hat. Demzufolge muss der Loghost also besonders sicher sein. Aus einer Maschine einen Loghost zu machen ist relativ einfach: Starten Sie den syslogd einfach mit syslogd -r, und ein neuer Loghost ist geboren. Um dies unter Debian dauerhaft zu machen, editieren Sie /etc/init.d/sysklogd und ändern Sie die Zeile SYSLOGD="" in SYSLOGD="-r" Als nächstes konfigurieren Sie die anderen Maschinen, ihre Daten an den Loghost zu senden. Fügen Sie einen Eintrag ähnlich dem folgenden zur /etc/syslog.conf hinzu: facility.level @Ihr_Loghost Schauen Sie in die Dokumentation, um zu erfahren, wodurch Sie facility und level ersetzen können (sie sollten nicht wörtlich übernommen werden). Wenn Sie alles entfernt mitloggen wollen, schreiben Sie einfach: *.* @Ihr_Loghost in Ihre syslog.conf. Sowohl lokal als auch entfernt mitzuloggen ist die beste Lösung (ein Angreifer könnte davon ausgehen, dass er seine Spuren verwischt hat, nachdem er die lokale Log-Datei gelöscht hat). Für weitere Informationen sehen Sie sich die Handbuch-Seiten , und an. Zugriffsrechte auf Log-Dateien

Es ist nicht nur wichtig zu entscheiden, wie Warnungen genutzt werden, sondern auch, wer hierauf Zugriff hat, d.h. wer Log-Dateien (falls Sie nicht einen Log-Host verwenden) lesen oder verändern kann. Sicherheits-Alarme, die ein Angreifer verändern oder abschalten kann, sind im Falle eines Eindringens nicht viel wert. Außerdem sollten Sie berücksichtigen, dass Log-Dateien einem Eindringling ziemlich viel Informationen über Ihr System verraten, wenn er auf sie Zugriff hat.

Einige Zugriffsrechte auf Log-Dateien sind nach der Installation nicht gerade perfekt (aber das hängt natürlich von Ihren lokalen Sicherheitsmaßstäben ab). Zuerst einmal müssen /var/log/lastlog und /var/log/faillog nicht für normale Nutzer lesbar sein. In der lastlog-Datei können Sie sehen, wer sich zuletzt eingeloggt hat. In faillog befindet sich eine Zusammenfassung fehlgeschlagener Logins. Der Autor empfiehlt, die Rechte von beiden auf 660 zu setzen (mit chmod 660). Werfen Sie einen kurzen Blick auf Ihre Log-Dateien, und entscheiden Sie sehr vorsichtig, welche Log-Dateien Sie les- oder schreibbar für einen Nutzer mit einer anderen UID als 0 und einer anderen Gruppe als 'adm' oder 'root' machen. Sie können dies sehr leicht auf Ihrem System überprüfen: # find /var/log -type f -exec ls -l {} \; | cut -c 17-35 |sort -u (see to what users do files in /var/log belong) # find /var/log -type f -exec ls -l {} \; | cut -c 26-34 |sort -u (see to what groups do files in /var/log belong) # find /var/log -perm +004 (files which are readable by any user) # find /var/log \! -group root \! -group adm -exec ls -ld {} \; (files which belong to groups not root or adm)

Um anzupassen, wie neue Log-Dateien erstellt werden, müssen Sie wahrscheinlich das Programm anpassen, das sie erstellt. Wenn die Log-Dateien rotiert werden, können Sie das Verhalten der Erstellung und Rotation anpassen. Den Kernel patchen

Debian GNU/Linux stellt verschiedene Patches für den Linux-Kernel zur Verfügung, die die Sicherheit erhöhen: Erkennung von Eindringlingen für Linux (, enthalten im Paket lids-2.2.19). Dieser Kernelpatch erleichtert Ihnen, Ihr Linuxsystem abzuhärten, indem er Ihnen ermöglicht, Prozesse einzuschränken, zu verstecken und zu schützen, sogar vor Root. Er führt Fähigkeiten für eine zwingende Zugangskontrolle ein. (im Paket trustees). Dieser Patch fügt Ihrem Linux-Kernel ein ordentliches, fortgeschrittenes Rechtemanagement hinzu. Besondere Objekte, die "trustees" (Treuhänder) genannt werden, sind mit jeder Datei oder jedem Verzeichnis verbunden. Sie werden im Speicher des Kernels abgelegt und erlauben so eine schnelle Abfrage aller Rechte. NSA Enhanced Linux (im Paket selinux). Backports von Paketen, die SElinux unterstützen, sind unter erhältlich. Weiterführende Informationen können Sie auf der und auf und SElinux-Webseiten finden. Der aus dem Paket kernel-patch-exec-shield. Dieser Patch schützt vor einigen Pufferüberläufen (stack smashing attacks). Der aus den Paketen kernel-patch-2.4-grsecurity und kernel-patch-grsecurity2 Beachten Sie, dass ein Konflikt zwischen diesem Patch und den Patches besteht, die schon im Quellpaket des Kernels 2.4 von Debian enthalten sind. Sie werden den Vanilla-Kernel verwenden müssen. Dazu führen Sie folgende Schritte durch: # apt-get install kernel-source-2.4.22 kernel-patch-debian-2.4.22 # tar xjf /usr/src/kernel-source-2.4.22.tar.bz2 # cd kernel-source-2.4.22 # /usr/src/kernel-patches/all/2.4.22/unpatch/debian

Für weitere Informationen siehe , , , , , , und die . verwirklicht Mandatory Access Control durch RBAC und stellt Schutz vor Pufferüberläufen durch PaX, ACLs, Zufälligkeit im Netzwerk (um die Erkennung von Spuren des OS zu erschweren) und zur Verfügung. kernel-patch-adamantix bietet die Patches an, die für die Debian-Distribution entwickelt wurden. Dieser Patch für den Kernel 2.4.x führt einige Sicherheitsfähigkeiten wie nichtausführbaren Speicher durch den Einsatz von und Mandatory Access Control auf Grundlage von ein. Andere Features sind , ein mit AES verschlüsseltes Loop-Gerät, Unterstützung von MPPE und eine Zurückportierung von IPSEC v2.6. cryptoloop-source. Dieser Patch erlaubt Ihnen, die Fähigkeiten der Crypto-API des Kernels zu verwenden, um verschlüsselte Dateisysteme mit dem Loopback-Gerät zu erstellen. Kernel-Unterstützung von IPSEC (im Paket kernel-patch-openswan). Wenn Sie das IPsec-Protokoll mit Linux verwenden wollen, benötigen Sie diesen Patch. Damit können Sie ziemlich leicht VPNs erstellen, sogar mit Windows-Rechnern, da IPsec ein verbreiteter Standard ist. IPsec-Fähigkeiten wurden in den Entwicklungskernel 2.5 eingefügt, so dass dieses Feature standardmäßig im zukünftigen Kernel 2.6 enthalten sein wird. Homepage: . FIXME: Der neuste Kernel 2.4 in Debian enthält eine Rückeinbindung des IPSEC-Codes aus 2.5. Kommentar dazu.

Die folgenden Sicherheitspatches für den Kernel sind nur noch für alte Kernelversionen in Woody verfügbar und werden nicht mehr weiterentwickelt: (ACLs, Listen zur Zugangskontrolle) für Linux im Paket kernel-patch-acl. Dieser Kernelpatch stellt Listen zur Zugangskontrolle zur Verfügung. Das ist eine fortgeschrittene Methode, um den Zugang zu Dateien einzuschränken. Es ermöglicht Ihnen, den Zugang zu Dateien und Verzeichnissen fein abzustimmen. Der Patch für den Linux-Kernel von Solar Designer, der im Paket kernel-patch-2.2.18-openwall enthalten ist. Er enthält eine nützliche Anzahl von Beschränkungen des Kernels wie eingeschränkte Verweise, FIFOs in /tmp, ein begrenztes /proc-Dateisystem, besondere Handhabung von Dateideskriptoren, einen nichtausführbaren Bereich des Stapelspeichers des Nutzers und andere Fähigkeiten. Hinweis: Dieser Patch ist nur auf die Kernelversion 2.2 anwendbar, für 2.4 werden von Solar keine Pakete angeboten. kernel-patch-int. Auch dieser Patch fügt kryptographische Fähigkeiten zum Linux-Kernel hinzu. Er war bis zum Debian-Release Potato nützlich. Er funktioniert nicht mehr mit Woody. Falls Sie Sarge oder eine neuere Version verwenden, sollten Sie einen aktuelleren Kernel einsetzen, in dem diese Features bereits enthalten sind.

Wie auch immer, einige Patches werden von Debian noch nicht zur Verfügung gestellt. Wenn Sie denken, dass manche von ihnen hinzugefügt werden sollten, fragen Sie danach auf . Schutz vor Pufferüberläufen

Pufferüberlauf (buffer overflow) wird eine verbreitete Art von Angriffen auf Software genannt, die die unzureichende Überprüfung von Eingabegrenzen ausnutzen (ein Programmierfehler, der häufig bei der Programmiersprache C auftritt), um durch Programmeingaben Befehle auf der Maschine auszuführen. Sie sind in der Tat so verbreitet, dass sie die Grundlage für 20% aller gemeldeten Sicherheitsmängel pro Jahr darstellen, wie von herausgefunden wurde. Diese Attacken über Server, die auf Verbindungen warten, oder über lokal installierte Software, die einem Nutzer größere Privilegien gewährt (setuid oder setgid), können zu einem kompromittierten System führen.

Es gibt hauptsächlich vier Methoden, um sich gegen Pufferüberläufe zu schützen: Patchen Sie den Kernel, um das Ausführen des Stapelspeichers zu verhindern. Sie können entweder Exec-Shield, OpenWall oder PaX (ist in den Grsecurity- und Adamantixpatches enthalten) verwenden. Benutzen Sie eine Bibliothek wie , um verwundbare Funktionen zu überschreiben und ordentliche Prüfungen einzuführen (Informationen wie man libsafe installiert finden Sie ). Verbessern Sie den Quellcode, indem Sie Werkzeuge einsetzen, die Teile finden, die zu dieser Verwundbarkeit führen könnten. Übersetzen Sie den Quellcode neu, um vernünftige Prüfungen einzuführen, um Überläufe zu verhindern. Benutzen Sie dazu den Patch für GCC (der von verwendet wird).

Debian GNU/Linux liefert bis einschließlich der Release 3.0 Software, um alle dieser Methoden bis auf den Schutz bei der Übersetzung des Quellcodes (das wurde aber schon in nachgefragt) zu implementieren.

Beachten Sie, dass selbst wenn Debian einen Compiler zur Verfügung stellen würde, der Schutz vor Stapel- und Pufferüberläufen bieten würde, so doch alle Pakete neu übersetzt werden müssten, um diese Eigenschaft einzuführen. Tatsächlich ist das die Aufgabe der Distribution Adamantix (unter anderen Fähigkeiten). Die Auswirkungen dieses neuen Features auf die Stabilität der Software müssen aber noch ermittelt werden (einige Programme und einige Prozessoren werden vielleicht deswegen nicht mehr funktionieren).

Seien Sie auf jeden Fall gewarnt, dass selbst diese Umgehungen des Problems nicht vor Pufferüberläufen schützen können, da es Möglichkeiten gibt, diese zu überlisten, wie in des phrack-Magazins oder in COREs Advisory beschrieben.

Wenn Sie Ihren Schutz gegen Pufferüberläufe (unabhängig von der gewählten Methode) testen wollen, können Sie paxtest installieren und die angebotenen Tests laufen lassen. Kernelpatch zum Schutz vor Pufferüberläufen

Ein Kernelpatch, der Schutz vor Pufferüberläufen bietet, ist der Openwall-Patch, der diese im Linux-Kernel 2.2 verhindern soll. Für 2.4 oder neuere Kernel müssen Sie die Umsetzung von Exec-Shield oder die von PaX (ist im Grsecurity-Patch kernel-patch-2.4-grsecurity und im Adamantix-Patch kernel-patch-adamantix enthalten) benutzen. Für weitere Informationen zum Einsatz dieser Patches lesen Sie den Abschnitt . Schutz durch libsafe

Es ist ziemlich einfach, ein Debian GNU/Linux-System mit libsafe zu schützen. Sie müssen nur das Paket installieren und Ja sagen, damit die Bibliothek global geladen wird. Seien Sie dennoch vorsichtig, da das Software unbrauchbar machen kann (besonders Programme, die mit der alten libc5 verknüpft sind). Sie sollten also zuerst die lesen und die kritischsten Programme auf Ihrem System mit dem Programm zum Einhüllen von libsafe testen.

Wichtiger Hinweis: Der Schutz durch libsafe könnte im Moment nicht wirkungsvoll sein, wie es in beschrieben wird. Testen Sie es gründlich, bevor Sie es in einer produktiven Umgebung einsetzen, und verlassen Sie sich nicht ausschließlich darauf, um Ihr System zu schützen. Prüfprogramme für Pufferüberläufe

Zur Nutzung von Werkzeugen zum Aufspüren von Pufferüberläufen benötigen Sie in jedem Fall Programmiererfahrung, um den Quellcode zu reparieren (und neu zu kompilieren). Debian stellt beispielsweise bfbtester (einen Überlauftester, der Programme per Brute-Force (durch Testen aller Möglichkeiten) nach Überläufen der Kommandozeile und von Umgebungsvariablen durchtestet) bereit. Andere interessante Pakete sind auch rats, pscan, flawfinder und splint. Sichere Übertragung von Dateien

Während der normalen Systemadministration müssen Sie immer mal wieder Dateien auf Ihr System spielen oder von diesem holen. Auf sichere Art und Weise Dateien von einem Host zu einem anderen zu kopieren, wird durch die Benutzung des Paketes ssh erreicht. Eine andere Möglichkeit ist die Nutzung von ftpd-ssl, einem ftp-Server der Secure Socket Layer benutzt, um Übertragungen zu verschlüsseln.

Jede dieser Methoden benötigt natürlich einen speziellen Client. Debian stellt Ihnen solche zur Verfügung, zum Beispiel enthält das Paket ssh das Programm scp. Es arbeitet wie rcp, aber ist komplett verschlüsselt, so dass die bösen Jungs noch nicht einmal herausbekommen können, WAS Sie kopieren. Wie es den Server gibt, so gibt es natürlich auch ein ftp-ssl Client-Paket. Sie können Clients für diese Software sogar für andere (nicht-UNIXoide) Betriebssysteme finden. putty und winscp stellen eine secure-copy-Implementierung für jede Version von Microsoft-Betriebssystemen zur Verfügung.

Beachten Sie, dass die Verwendung von scp den Nutzern Zugang zum gesamten Dateisystem ermöglicht, es sei denn, dass es in eine chroot-Umgebung eingesperrt ist, wie es in beschrieben wird. Wahrscheinlich sogar leichter (abhängig vom verwendeten Daemon) kann auch der FTP in eine chroot-Umgebung eingesperrt werden. Das wird in beschrieben. Falls Sie sich Sorgen machen, dass Nutzer Ihre lokalen Dateien durchsehen, und Sie verschlüsselte Kommunikation wünschen, können Sie einen FTP-Daemon mit Unterstützung für SSL einrichten oder FTP mit Klartext und VPN verbinden (siehe ). Einschränkung und Kontrolle des Dateisystems Benutzung von Quotas

Es ist wichtig, eine gute Quota-Regelung zu haben, da es die Nutzer daran hindert, die Festplatten zu füllen.

Sie können zwei Arten von Quota-Systemen benutzen: Nutzer-Quota und Gruppen-Quota. Wie Sie sicher denken können, limitiert User-Quota den Plattenplatz, den ein Nutzer belegen kann, und Gruppen-Quota macht dasselbe für ganze Gruppen. Beachten Sie dies, wenn Sie die Größe der Quotas festlegen.

Es gibt ein paar wichtige Punkte, über die Sie nachdenken sollten, wenn Sie ein Quota-System aufsetzen: Halten Sie die Quotas klein genug, so dass die Nutzer Ihre Festplatte nicht aufzehren können. Halten Sie die Quotas groß genug, so dass Nutzer sich nicht beschweren oder dass Ihr Mail-Quota Sie daran hindert, nach einer Weile Mails anzunehmen. Nutzen Sie Quotas auf allen Bereichen, die Nutzer beschreiben können, auf /home ebenso wie auf /tmp.

Für jede Partition und jedes Verzeichnis, auf das Nutzer Schreibzugriff haben, sollte ein Quota eingerichtet werden. Berechnen Sie eine sinnvolle Quota-Größe, die Benutzerfreundlichkeit und Sicherheit kombiniert, und weisen Sie diese zu.

So, nun wollen Sie Quotas benutzen. Zuerst müssen Sie prüfen, ob Ihr Kernel Quota unterstützt. Wenn nicht, müssen Sie ihn neu kompilieren. Prüfen Sie anschließend, ob das Paket quota installiert ist. Wenn nicht, installieren Sie es.

Um Quota für die entsprechenden Dateisysteme einzuschalten, müssen Sie nur die Einstellung defaults in Ihrer /etc/fstab zu defaults,usrquota ändern. Wenn Sie Gruppen-Quotas benötigen, ersetzen Sie usrquota durch grpquota. Sie können auch beides verwenden. Erstellen Sie dann leere quota.user und quota.group in den Hauptverzeichnissen der Dateisysteme, auf denen Sie Quotas einführen möchten (d.h. touch /home/quota.user /home/quota.group für das Dateisystem /home).

Starten Sie quota neu, indem Sie /etc/init.d/quota stop;/etc/init.d/quota start ausführen. Nun sollte quota laufen, und die Größen können festgelegt werden.

Bearbeiten der Quotas eines bestimmten Nutzer wird mit edquota -u <user> gemacht. Gruppen-Quotas können mit edquota -g <group> geändert werden. Setzen Sie dann die weiche und die harte Grenze und inode-Quotas, falls Sie es benötigen.

Mehr Informationen über Quotas finden Sie im Handbuch von quota und im Mini-Howto von quota (/usr/share/doc/HOWTO/de-html/mini/DE-Quota-HOWTO.html). Sie sollten auch einen Blick auf pam_limits.so werfen. Die für das ext2-Dateisystem spezifischen Attribute (chattr/lsattr)

Zusätzlich zu den normalen Unix-Rechten bieten die ext2- und ext3-Dateisysteme eine Anzahl von besonderen Attributen, die Ihnen mehr Kontrolle über die Dateien auf Ihrem System erlauben. Im Gegensatz zu den gewöhnlichen Rechten werden diese Attribute nicht vom gebräuchlichen Befehl ls -l angezeigt und können auch nicht mit chmod geändert werden. Um sie zu verwalten, brauchen Sie zwei weitere Programme, nämlich lsattr und chattr (im Paket e2fsprogs). Beachten Sie, dass das bedeutet, dass diese Attribute normalerweise bei einem Backup des Systems nicht gespeichert werden. Wenn Sie also eines verändern, könnte es sich lohnen, die aufeinander folgenden chattr-Befehle in einem Skript zu speichern, damit Sie sie später wieder zuweisen können, falls Sie ein Backup zurückspielen müssen.

Unter allen Attributen werden die zwei, die für die Erhöhung der Sicherheit am bedeutendsten sind, mit den Buchstaben 'i' und 'a' bezeichnet. Sie können nur vom Superuser vergeben (oder entfernt) werden: Das Attribut 'i' ('immutable', unveränderlich): Eine Datei mit diesem Attribut kann weder verändert noch gelöscht oder umbenannt werden, nicht einmal vom Superuser. Auch ein Link auf sie kann nicht angelegt werden. Das Attribut 'a' ('append', anfügen): Dieses Attribut hat den gleichen Effekt wie das Attribut immutable, allerdings mit der Ausnahme, dass Sie die Datei immer noch im Anfügen-Modus öffnen können. Das bedeutet, dass Sie ihr immer noch Inhalt hinzufügen, aber den vorhandenen Inhalt nicht verändern können. Dieses Attribut ist besonders für die Protokolldateien nützlich, die unter /var/log/ gespeichert werden. Beachten Sie aber, dass sie durch Log-Rotations-Skripte manchmal verschoben werden.

Diese Attribute können auch für Verzeichnisse vergeben werden. In diesem Fall ist es jedem unmöglich gemacht, den Inhalt des Verzeichnisses zu verändern, also beispielsweise eine Datei umzubenennen oder zu löschen. Wenn das append-Attribut einem Verzeichnis zugewiesen wird, können nur noch Dateien erstellt werden.

Es ist leicht einzusehen, wie das 'a' Attribut die Sicherheit verbessert, indem es Programmen, die nicht vom Superuser ausgeführt werden, die Fähigkeit einräumt, Daten hinzuzufügen, aber verhindert, dass älterer Inhalt verändert wird. Demgegenüber erscheint das 'i' Attribut uninteressanter. Schließlich kann der Superuser ja schon die normalen Unix-Rechte verwenden, um den Zugang zu Dateien einzuschränken. Und ein Angreifer, der Zugang zum Konto des Superusers hat, könnte immer das Programm chattr benutzen, um die Attribute zu entfernen. Ein solcher Eindringling ist vielleicht zunächst verwirrt, wenn er feststellt, dass er eine Datei nicht löschen kann. Aber Sie sollten nicht davon ausgehen, dass er blind ist – immerhin hat er es geschafft, in Ihr System einzudringen! Einige Handbücher (einschließlich früherer Versionen dieses Dokuments) empfehlen, einfach die Programme chattr und lsattr vom System zu entfernen, um die Sicherheit zu erhöhen. Aber diese Strategie, die auch als "security by obscurity" (Sicherheit durch Verschleierung) bekannt ist, sollte unter allen Umständen vermieden werden, da sie ein falsches Gefühl von Sicherheit vermittelt.

Dieses Problem lösen Sie auf sichere Art und Weise, indem Sie die Fähigkeiten des Linux-Kernels verwenden, wie es in beschrieben wird. Die hier interessante Fähigkeit heißt CAP_LINUX_IMMUTABLE: Wenn Sie sie vom Satz der Fähigkeiten entfernen (indem Sie zum Beispiel den Befehl lcap CAP_LINUX_IMMUTABLE verwenden), ist es nicht mehr möglich, irgendwelche 'a' oder 'i' Attribute auf Ihrem System zu verändern, auch nicht für den Superuser! Eine vollständige Strategie könnte also folgendermaßen aussehen: Vergeben Sie die Attribute 'a' und 'i' an von Ihnen gewünschte Dateien. Fügen Sie den Befehl lcap CAP_LINUX_IMMUTABLE einem der Skripte hinzu, die den Start des Systems steuern (startup scripts). Setzen Sie das Attribut 'i' für dieses Skript, andere Startdateien und auch das Programm lcap selbst. Führen Sie den oben genannten Befehl per Hand aus (oder starten Sie Ihr System neu), um sicherzustellen, dass alles wie gewünscht funktioniert. Prüfung der Integrität des Dateisystems

Sind Sie sich sicher, dass /bin/login auf Ihrer Festplatte immer noch dasselbe Programm ist, das Sie vor ein paar Monaten installiert haben? Was wäre, wenn es sich um eine gehackte Version handelt, die eingegebene Passwörter in einer versteckten Datei ablegt oder sie als Klartext im ganzen Internet herummailt?

Die einzige Methode, einen gewissen Schutz dafür zu haben, ist es, die Dateien jede(n) Stunde/Tag/Monat (ich ziehe täglich vor) zu prüfen, indem man deren aktuelle und alte MD5-Summe vergleicht. Zwei unterschiedliche Dateien können keine gleichen MD5-Summen haben (die MD5-Summe umfasst 128 Bits, so ist die Wahrscheinlichkeit, dass zwei unterschiedliche Dateien eine gleiche MD5-Summe haben, etwa 1 zu 3,4e3803). So sind Sie sicher, solange niemand den Algorithmus gehackt hat, der die MD5-Summen auf Ihrer Maschine erstellt. Dies ist, nun ja, extrem schwer und sehr unwahrscheinlich. Sie sollten diese Überprüfung Ihrer Programme als sehr wichtig ansehen.

Weit verbreitete Tools hierfür sind sxid, aide (Advanced Intrusion Detection Environment, fortgeschrittene Umgebung zur Erkennung von Eindringlingen), tripwire, integrit und samhain. Das Installieren von debsums wird Ihnen helfen, die Integrität des Dateisystems zu überprüfen, indem Sie die MD5-Summen jeder Datei gegen die MD5-Summe aus dem Debian-Archiv-Paket vergleichen. Seien Sie aber gewarnt, dass diese Dateien sehr leicht von einem Angreifer geändert werden können. Außerdem stellen nicht alle Pakete MD5-Summen für die in ihnen enthaltenen Programme zur Verfügung. Weitere Informationen finden Sie unter und .

Sie benutzen vielleicht locate, um das gesamte Dateisystem zu indizieren. Wenn das so ist, sollten Sie die Auswirkungen davon berücksichtigen. Das Debianpaket findutils enthält locate, das als Nutzer nobody läuft. Daher indiziert es nur Dateien, die von jedermann eingesehen werden können. Wenn Sie dieses Verhalten verändern, werden allerdings alle Orte von Dateien für alle Nutzer sichtbar. Wenn Sie das gesamte Dateisystem indizieren wollen (und nicht nur die Stückchen, die der Nutzer nobody sehen kann), können Sie locate durch das Paket slocate ersetzen. slocate wird als eine um Sicherheit erweiterte Version von GNU locate bezeichnet, hat aber tatsächlich weitere Funktionen zum Auffinden von Dateien. Wenn Sie slocate benutzen, sieht ein Benutzer nur Dateien, auf die er auch Zugriff hat, während Sie Dateien und Verzeichnisse des gesamten Systems ausschließen können. Das Paket slocate führt seinen Aktualisierungsprozess mit höheren Rechten aus als locate. Außerdem indiziert es jede Datei. Nutzern wird es dadurch ermöglicht, schnell nach jeder Datei zu suchen, die sie sehen können. slocate zeigt ihnen keine neuen Dateien an; es filtert die Ausgabe auf Grundlage der UID.

Sie sollten auch bsign oder elfsign einsetzen. elfsign bietet die Möglichkeit, digitale Signaturen an ELF-Binaries anzufügen und diese Signaturen zu überprüfen. Die aktuelle Fassung verwendet PKI, um die Checksummen der Binaries zu signieren. Dies hat den Vorteil, dass festgestellt werden kann, ob das Binary verändert wurde und wer es erstellt hat. bsign verwendet GPG, elfsign benutzt PKI-(X.509)-Zertifikate (OpenSSL). Aufsetzen einer Überprüfung von setuid

Das Debian-Paket checksecurity enthält einen Cron-Job, der täglich in /etc/cron.daily/checksecurity ausgeführt wird. In älteren Veröffentlichungen war checksecurity in cron integriert und die Datei hieß /etc/cron.daily/standard. Dieser Cron-Job führt das Skript /usr/sbin/checksecurity aus, das Informationen über Änderungen sichert.

Das Standard-Verhalten sendet diese Informationen nicht an den Superuser. Stattdessen erstellt es eine tägliche Kopie dieser Änderungen unter /var/log/setuid.changes. Sie sollten die Variable MAILTO (in /etc/checksecurity.conf) auf 'root' setzen, damit diese Informationen an ihn gemailt werden. Sehen Sie sich auch für weitere Konfigurations-Informationen an. Absicherung des Netzwerkzugangs

FIXME: Mehr (für Debian spezifischer) Inhalt benötigt. Konfiguration der Netzwerkfähigkeiten des Kernels

Viele Fähigkeiten des Kernels können während des Betriebs verändert werden, indem etwas an das /proc-Dateisystem geschickt wird, oder indem sysctl benutzt wird. Wenn Sie /sbin/sysctl -A eingeben, können Sie sehen, was Sie einstellen können und was die Optionen sind. Veränderungen werden vorgenommen, indem /sbin/sysctl -w variable=value ausgeführt wird (vergleiche ). Nur in seltenen Fällen müssen Sie hier etwas bearbeiten. Aber auch hier können Sie die Sicherheit erhöhen. Zum Beispiel: net/ipv4/icmp_echo_ignore_broadcasts = 1

Dies ist ein Windows Emulator, weil es sich wie Windows bei Rundrufen (Broadcast-Ping) verhält, wenn es auf 1 gesetzt wird. Das bedeutet, dass ICMP-Echo-Anfragen, die an die Rundrufadresse geschickt werden, ignoriert werden. Anderenfalls macht es gar nichts.

Falls Sie verhindern wollen, dass Ihr System auf ICMP-Echo-Anfragen antwortet, müssen Sie nur diese Konfigurationsoption anschalten: net/ipv4/icmp_echo_ignore_all = 1

Verwenden Sie Folgendes, um Pakete mit unmöglichen Adressen (erzeugt durch falsche Routen) in Ihrem Netzwerk zu protokollieren: /proc/sys/net/ipv4/conf/all/log_martians = 1

Für weiterführende Informationen dazu, welche Sachen mit /proc/sys/net/ipv4/* angestellt werden können, sollten Sie /usr/src/linux/Documentation/filesystems/proc.txt lesen. Alle Optionen werden gründlich in /usr/src/linux/Documentation/networking/ip-sysctl.txt beschrieben. In Debian kopiert das Paket kernel-source-version die Kernelquellen nach /usr/src/kernel-source-version.tar.bz2. Ersetzen Sie einfach version durch die installierte Kernelversion. Konfiguration von Syncookies

Diese Option ist ein zweischneidiges Schwert. Auf der einen Seite schützt sie Ihr System vor dem Überfluten mit SYN-Paketen. Auf der anderen Seite verletzt sie definierte Standards (RFCs). net/ipv4/tcp_syncookies = 1

Wenn Sie das dauerhaft für den Kernel festlegen wollen, müssen Sie in /etc/network/options syncookies=yes festlegen. Jedes Mal, wenn /etc/init.d/networking ausgeführt wird (was typischerweise beim Booten geschieht), wird diese Option wirksam. Dagegen wird Folgendes nur eine einmalige Wirkung bis zum nächsten Neustart haben: echo 1 > /proc/sys/net/ipv4/tcp_syncookies

Diese Option ist nur verfügbar, wenn der Kernel mit CONFIG_SYNCOOKIES übersetzt wurde. Alle Kernel von Debian wurden mit dieser Option kompiliert. Sie können das folgendermaßen überprüfen: $ sysctl -A |grep syncookies net/ipv4/tcp_syncookies = 1

Weitere Informationen zu TCP-Syncookies finden Sie unter . Absicherung des Netzwerks beim Hochfahren

Wenn Sie die Netzwerkoptionen des Kernels konfigurieren, müssen Sie dafür sorgen, dass sie bei jedem Neustart des Systems geladen werden. Das nachfolgende Beispiel aktiviert neben vielen der oben vorgestellten Optionen auch noch ein paar andere nützliche Optionen.

Tatsächlich gibt es zwei Möglichkeiten, Ihr Netzwerk beim Booten einzurichten. Sie können entweder /etc/sysctl.conf konfigurieren (siehe ) oder ein Skript einsetzen, das beim Aktivieren der Netzwerkschnittstellen aufgerufen wird. Die erste Möglichkeit wird auf alle Schnittstellen angewendet, die zweite erlaubt es Ihnen, die Konfiguration für jede Schnittstelle separat zu wählen.

Ein Beispiel einer Konfiguration von /etc/sysctl.conf, die einige Netzwerkoptionen auf der Kernelebene absichert, wird unten gezeigt. Beachten Sie darin den Kommentar, dass /etc/network/options beim Ausführen von /etc/init.d/networking (dies ist in der Startsequenz nach procps) einige Werte überschreiben könnte, wenn sich Werte in dieser Datei widersprechen. # # /etc/sysctl.conf - Configuration file for setting system variables # See sysctl.conf (5) for information. Also see the files under # Documentation/sysctl/, Documentation/filesystems/proc.txt, and # Documentation/networking/ip-sysctl.txt in the kernel sources # (/usr/src/kernel-$version if you have a kernel-package installed) # for more information of the values that can be defined here. # # Be warned that /etc/init.d/procps is executed to set the following # variables. However, after that, /etc/init.d/networking sets some # network options with builtin values. These values may be overridden # using /etc/network/options. # #kernel.domainname = example.com # Additional settings - adapted from the script contributed # by Dariusz Puchala (see below) # Ignore ICMP broadcasts net/ipv4/icmp_echo_ignore_broadcasts = 1 # # Ignore bogus ICMP errors net/ipv4/icmp_ignore_bogus_error_responses = 1 # # Do not accept ICMP redirects (prevent MITM attacks) net/ipv4/conf/all/accept_redirects = 0 # _or_ # Accept ICMP redirects only for gateways listed in our default # gateway list (enabled by default) # net/ipv4/conf/all/secure_redirects = 1 # # Do not send ICMP redirects (we are not a router) net/ipv4/conf/all/send_redirects = 0 # # Do not forward IP packets (we are not a router) # Note: Make sure that /etc/network/options has 'ip_forward=no' net/ipv4/conf/all/forwarding = 0 # # Enable TCP Syn Cookies # Note: Make sure that /etc/network/options has 'syncookies=yes' net/ipv4/tcp_syncookies = 1 # # Log Martian Packets net/ipv4/conf/all/log_martians = 1 # # Turn on Source Address Verification in all interfaces to # prevent some 
spoofing attacks # Note: Make sure that /etc/network/options has 'spoofprotect=yes' net/ipv4/conf/all/rp_filter = 1 # # Do not accept IP source route packets (we are not a router) net/ipv4/conf/all/accept_source_route = 0

Um dieses Skript verwenden zu können, müssen Sie es zuerst unter z.B. /etc/network/interface-secure (der Name ist nur ein Beispiel) erstellen und es wie folgt aus /etc/network/interfaces aufrufen: auto eth0 iface eth0 inet static address xxx.xxx.xxx.xxx netmask 255.255.255.xxx broadcast xxx.xxx.xxx.xxx gateway xxx.xxx.xxx.xxx pre-up /etc/network/interface-secure

In diesem Beispiel wird das Skript aufgerufen, um alle Netzwerkschnittstellen abzusichern, wie unten gezeigt wird, bevor die Schnittstelle eth0 aktiviert wird. #!/bin/sh -e # Skriptname: /etc/network/interface-secure # # Verändert das Standardverhalten für alle Schnittstellen in einigen Bereichen, # um vor TCP/IP-Spoofing und Angriffen zu schützen # # Wurde von Dariusz Puchalak beigesteuert # # Broadcast echo protection enabled echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # IP forwarding disabled echo 0 > /proc/sys/net/ipv4/conf/all/forwarding # TCP syn cookies protection enabled echo 1 > /proc/sys/net/ipv4/tcp_syncookies # Log strange packets (this includes spoofed packets, source routed packets, # redirect packets) but be careful with this on heavy loaded web servers echo 1 >/proc/sys/net/ipv4/conf/all/log_martians # Bad error message protection enabled echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses # IP spoofing protection echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter # Disable ICMP redirect acceptance echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects # Disable source routed packets echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route exit 0

Beachten Sie, dass Sie auch verschiedene Netzwerkoptionen für verschiedene Schnittstellen (falls Sie mehr als eine haben) haben können, indem Sie die pre-up-Zeile verändern: pre-up /etc/network/interface-secure $IFACE

Zusätzlich müssen Sie ein Skript verwenden, das Änderungen nur auf eine bestimmte Schnittstelle anwendet und nicht auf alle Schnittstellen. Beachten Sie aber, dass einige Netzwerkoptionen nur global gesetzt werden können. Dies ist ein Beispielsskript: #!/bin/sh -e # Skriptname: /etc/network/interface-secure # # Verändert das Standardverhalten für alle Schnittstellen in einigen Bereichen, # um vor TCP/IP-Spoofing und Angriffen zu schützen # # Wurde von Dariusz Puchalak beigesteuert IFACE=$1 if [ -z "$IFACE" ] ; then echo "$0: Must give an interface name as argument!" echo "Usage: $0 <interface>" exit 1 fi if [ ! -e /proc/sys/net/ipv4/conf/$IFACE/ ]; then echo "$0: Interface $IFACE does not exit (cannot find /proc/sys/net/ipv4/conf/)" exit 1 fi # IP forwarding disabled echo 0 > /proc/sys/net/ipv4/conf/$IFACE/forwarding # Log strange packets (this includes spoofed packets, source routed packets, # redirect packets) but be careful with this on heavy loaded web servers echo 1 >/proc/sys/net/ipv4/conf/$IFACE/log_martians # IP spoofing protection echo 1 > /proc/sys/net/ipv4/conf/$IFACE/rp_filter # Disable ICMP redirect acceptance echo 0 > /proc/sys/net/ipv4/conf/$IFACE/accept_redirects echo 0 > /proc/sys/net/ipv4/conf/$IFACE/send_redirects # Disable source routed packets echo 0 > /proc/sys/net/ipv4/conf/$IFACE/accept_source_route exit 0

Eine andere Lösungsmöglichkeit ist es, ein init.d-Skript zu erstellen und es beim Booten auszuführen (verwenden Sie update-rc.d, um die passenden rc.d-Links herzustellen). Konfiguration der Firewall

Um die Möglichkeiten einer Firewall zu haben, damit entweder das lokale System oder andere dahinter beschützt werden, muss der Kernel mit Firewall-Unterstützung kompiliert worden sein. Der Standardkernel von Debian 2.2 (Linux 2.2) stellt die Paketfilter-Firewall ipchains zur Verfügung. Der Standardkernel von Debian 3.0 (Linux 2.4) enthält die stateful Paketfilter-Firewall iptables (netfilter).

In jedem Fall ist es recht einfach, einen anderen als den mit Debian gelieferten Kernel zu benutzen. Sie finden vorkompilierte Kernel als Pakete vor, die Sie leicht auf Ihrem Debian-System installieren können. Mit Hilfe des Pakets kernel-source-X können Sie auch die Kernelquellen herunterladen und einen maßgeschneiderten Kernel kompilieren, indem Sie make-kpkg aus dem Paket kernel-package benutzen.

Auf das Aufsetzen einer Firewall unter Debian wird unter ausführlich eingegangen. Lösung des Problems der Weak-End-Hosts

Auf Systemen mit mehr als einer Schnittstelle zu verschiedenen Netzwerken können Dienste so eingerichtet werden, dass sie Verbindungen nur zu einer bestimmten IP-Adresse zulassen. Normalerweise verhindert das Zugang zu diesen Diensten, wenn an sie Anfragen über andere Adressen gestellt werden. Allerdings bedeutet das nicht, dass der Dienst an eine bestimmte Hardware-Adresse (Netzwerkkarte) gebunden ist (ein verbreiteter Irrtum). Um das nachzuvollziehen, folgendes Beispiel, das von Felix von Leitner auf der Bugtraq-Mailingliste vorgestellt wurde: host a (eth0 connected to eth0 of host b): ifconfig eth0 10.0.0.1 ifconfig eth1 23.0.0.1 tcpserver -RHl localhost 23.0.0.1 8000 echo fnord host b: ifconfig eth0 10.0.0.2 route add 23.0.0.1 gw 10.0.0.1 telnet 23.0.0.1 8000

Das scheint allerdings nicht mit Diensten zu funktionieren, die mit 127.0.0.1 verbunden sind. Sie sollten vielleicht für die Tests raw sockets verwenden.

Das ist kein Problem von ARP und auch keine Verletzung eines RFCs (es wird in , Abschnitt 3.3.4.2 als weak end host bezeichnet). Vergessen Sie nicht, dass IP-Adressen nichts mit den physischen Schnittstellen zu tun haben.

Im Kernel 2.2 (und davor) könnte dieses Problem so gelöst werden: # echo 1 > /proc/sys/net/ipv4/conf/all/hidden # echo 1 > /proc/sys/net/ipv4/conf/eth0/hidden # echo 1 > /proc/sys/net/ipv4/conf/eth1/hidden .....

Bei späteren Kerneln kann das folgendermaßen gelöst werden: Regeln für iptables. Richtig konfiguriertes Routing. Die Tatsache, dass dieses Verhalten durch Routing geändert werden kann, wurde von Matthew G. Marsh in dem Bugtraq-Thread beschrieben: eth0 = 1.1.1.1/24 eth1 = 2.2.2.2/24 ip rule add from 1.1.1.1/32 dev lo table 1 prio 15000 ip rule add from 2.2.2.2/32 dev lo table 2 prio 16000 ip route add default dev eth0 table 1 ip route add default dev eth1 table 2 Oder: Patchen des Kernels. Wie im Bugtraq-Thread beschrieben, gibt es dafür einige Patches auf und .

In diesem Text finden sich viele Fälle, in denen gezeigt wird, wie man einige Dienste (sshd-Server, apache, Druckserver, ...) so konfiguriert, dass sie nur auf einer bestimmten Adresse lauschen. Der Leser sollte in Betracht ziehen, dass das den Zugang aus dem gleichen (lokalen) Netzwerk nicht verhindern kann, wenn nicht die in diesem Abschnitt vorgeschlagenen Schritte ergriffen werden. Ein Angreifer, der nicht in der gleichen Broadcast-Domain (also dem gleichen Netzwerk) wie der angegriffene Host ist, kann auf viele Probleme beim Zugang stoßen, nachdem die Anbindung der IP-Adressen konfiguriert wurde. Wenn der Angriff über einen Router läuft, kann es sich als ziemlich schwer herausstellen, die Antworten zurückzubekommen.

FIXME: Comments on Bugtraq indicate there is a Linux specific method to bind to a given interface.

FIXME: Submit a bug against netbase so that the routing fix is standard behavior in Debian? Schutz vor ARP-Angriffen

Wenn Sie den anderen Kisten in Ihrem LAN nicht trauen (das sollte immer so sein, da es die sicherste Einstellung ist), sollten Sie sich vor den verschiedenen ARP-Angriffen schützen.

Wie Sie wissen, wird das ARP-Protokoll dazu verwendet, IP-Adressen mit MAC-Adressen zu verknüpfen (für alle Details siehe ). Jedes Mal, wenn Sie ein Paket an eine IP-Adresse schicken, wird eine ARP-Auflösung vorgenommen (zuerst wird in den lokalen ARP-Speicher geschaut, und falls die IP nicht im Speicher ist, wird ein Rundruf (Broadcast) mit der ARP-Anfrage verschickt), um die Hardware-Adresse des Ziels zu finden. Alle ARP-Angriffe zielen darauf ab, Ihrem Rechner vorzugaukeln, dass die IP-Adresse des Rechners B mit der MAC-Adresse des Computers des Angreifers verbunden ist. Dadurch wird jedes Paket, das Sie an den Rechner B, der mit der IP-Adresse verbunden ist, schicken wollen, an den Computer des Eindringlings umgeleitet ...

Diese Angriffe (Verfälschung des ARP-Speichers, ARP-Spoofing, ...) ermöglichen dem Angreifer, auf Netzwerken den Verkehr abzuhören (selbst bei Netzwerken, die über einen Switch laufen). Er kann sich leicht in eine Verbindung einschleusen oder einen Host vom Netzwerk nehmen oder ... ARP-Angriffe sind leistungsfähig und einfach durchzuführen. Es gibt dafür auch einige Werkzeuge wie arpspoof aus dem Paket dsniff oder .

Allerdings gibt es immer eine Lösung: Verwenden Sie einen statischen ARP-Speicher. So erstellen Sie "statische" Einträge in Ihrem ARP-Speicher: arp -s host_name hdwr_addr

Indem Sie statische Einträge für jeden wichtigen Host in Ihrem Netzwerk vergeben, stellen Sie sicher, dass niemand einen (falschen) Eintrag für diese Hosts erstellen oder verändern kann (statische Einträge verfallen nicht und können nicht verändert werden). Auch gefälschte ARP-Antworten werden ignoriert. Entdecken Sie verdächtigen ARP-Verkehr. Sie können dazu arpwatch, karpski oder allgemeinere IDS, die auch verdächtigen ARP-Verkehr entdecken können wie snort oder , einsetzen. Verwirklichen Sie einen IP-Filter, der die MAC-Adressen überprüft. Einen Schnappschuss des Systems erstellen

Bevor Sie das System in eine produktive Umgebung stellen, können Sie einen Schnappschuss des gesamten Systems machen. Diesen Schnappschuss können Sie im Falle einer Kompromittierung (siehe ) benutzen. Sie sollten so einen Schnappschuss immer dann erneuern, wenn Sie das System aktualisieren, insbesondere wenn Sie auf eine neue Debian Release upgraden.

Hierfür können Sie beschreibbare, austauschbare Datenträger benutzen, die Sie schreibschützen können. Dies kann eine Diskette (die nach der Benutzung schreibgeschützt wird), eine CD in einem CD-ROM-Laufwerk (Sie können auch wiederbeschreibbare CD-ROMs benutzen, so können Sie sogar alte Sicherheitskopien Ihrer MD5-Summen behalten), eine USB-Platte oder eine MMC-Karte (wenn Ihr System auf diese zugreifen kann und sie schreibgeschützt werden können) sein.

Das folgende Skript erstellt einen solchen Schnappschuss: #!/bin/bash /bin/mount /dev/fd0 /mnt/floppy if [ ! -f /usr/bin/md5sum ] ; then echo "Kann nicht md5sum finden. Breche ab." exit 1 fi /bin/cp /usr/bin/md5sum /mnt/floppy echo "Erstelle MD5-Datenbank" >/mnt/floppy/md5checksums.txt for dir in /bin/ /sbin/ /usr/bin/ /usr/sbin/ /lib/ /usr/lib/ do find $dir -type f | xargs /usr/bin/md5sum >>/mnt/floppy/md5checksums-lib.txt done echo "MD5-Datenbank (nach der Installation) erstellt" if [ ! -f /usr/bin/sha1sum ] ; then echo "Kann nicht sha1sum finden" else /bin/cp /usr/bin/sha1sum /mnt/floppy echo "Erstelle SHA-1-Datenbank" >/mnt/floppy/sha1checksums.txt for dir in /bin/ /sbin/ /usr/bin/ /usr/sbin/ /lib/ /usr/lib/ do find $dir -type f | xargs /usr/bin/sha1sum >>/mnt/floppy/sha1checksums-lib.txt done echo "SHA-1-Datenbank (nach der Installation) erstellt" fi /bin/umount /dev/fd0 exit 0

Beachten Sie, dass das Programm md5sum (und sha1sum, falls verfügbar) auch auf der Diskette gesichert werden muss, so dass Sie es später benutzen können, um die anderen Programme Ihres Systems zu prüfen (für den Fall, dass md5sum oder sha1sum einen Trojaner enthalten). Wenn Sie aber sicher sein wollen, dass Sie eine gültige Kopie von md5sum verwenden, sollten Sie eine statische Kopie von md5sum erstellen und diese verwenden (damit wird verhindert, dass eine manipulierte libc-Bibliothek das Programm beeinträchtigt) oder md5sum nur in einer sauberen Umgebung einsetzen, die Sie etwa mit einer Rettungs-CD-ROM oder einer Live-CD erzeugen können (damit wird verhindert, dass ein manipulierter Kernel das Programm beeinflusst). Ich kann es nicht genug betonen: Wenn Sie ein System haben, in das eingebrochen wurde, können Sie den Ausgaben nicht vertrauen. Sehen Sie sich auch an.

Dieser Schnappschuss enthält nicht die Dateien unterhalb von /var/lib/dpkg/info, wo MD5-Summen installierter Pakete enthalten sind (die Dateien enden mit .md5sums). Sie können diese Informationen zusätzlich kopieren, aber Sie sollten Folgendes beachten: die Dateien mit den MD5-Summen enthalten die MD5-Summen aller Dateien, die ein Debian-Paket enthält, nicht nur die der Systemprogramme. Das hat zur Folge, dass diese Datenbank viel größer ist (5 MB statt 600 KB auf einem Debian GNU/Linux System mit graphischem Subsystem und etwa 2,5 GB Software installiert) und nicht auf ein kleines, transportables Medium wie eine Diskette passt, aber wohl auf einen tragbaren USB-Speicher. Nicht alle Debian-Pakete stellen MD5-Summen der installierten Dateien zur Verfügung, da es (derzeit) nicht in der Policy verlangt wird. Sie können allerdings nach der Installation die MD5-Summen aller Pakete mit debsums erstellen: # debsums --generate=missing,keep

Sobald der Schnappschuss erstellt wurde, sollten Sie sicherstellen, dass das entsprechende Medium schreibgeschützt ist. Sie können es dann als Sicherheitskopie verwenden oder in ein Laufwerk stecken, um jede Nacht mit cron die MD5-Summen des Systems mit Ihrem Schnappschuss zu vergleichen.

Wenn Sie keine Überprüfung von Hand einrichten wollen, können Sie immer eines der Integritätssysteme verwenden, die diese Aufgabe und noch vieles mehr für Sie erledigen werden. Weitere Informationen finden Sie unter . Andere Empfehlungen Benutzen Sie keine Software, die von svgalib abhängt

SVGAlib ist ganz nett für Konsolen-Liebhaber wie mich, aber in der Vergangenheit wurde mehrfach gezeigt, dass es ziemlich unsicher ist. Exploits durch zgv wurden veröffentlicht, und es war einfach root zu werden. Versuchen Sie, die Nutzung von SVGAlib-Programmen wann immer möglich zu vermeiden. harden-doc-3.15.1/howto-source/de/automatic.sgml0000644000000000000000000001352111051523717016377 0ustar Automatisches Abhärten von Debian-Systemen

Nachdem Sie nun all die Informationen aus den vorherigen Kapiteln gelesen haben, fragen Sie sich vielleicht: "Ich habe sehr viele Dinge zu erledigen, um mein System abzusichern. Könnte man das nicht automatisieren?" Die Antwort lautet: "Ja, aber seien Sie vorsichtig mit automatischen Werkzeugen." Manche Leute denken, dass ein Absicherungswerkzeug nicht die Notwendigkeit einer guten Systemadministration abschafft. Täuschen Sie sich also nicht selbst, indem Sie denken, dass Sie all die Prozesse automatisieren könnten, und sich alle betreffenden Angelegenheiten von selbst erledigen würden. Sicherheit ist ein andauernder Prozess, an dem der Administrator teilnehmen muss. Er kann nicht einfach wegbleiben und irgendwelche Werkzeuge die Arbeit erledigen lassen, weil kein einzelnes Werkzeug die Umsetzung aller Sicherheitsrichtlinien, aller Angriffe oder aller Umgebungen bewältigen kann.

Seit Woody (Debian 3.0) gibt es zwei unterschiedliche Pakete, die zur Erhöhung der Sicherheit nützlich sind. Das Paket harden versucht auf Basis der Paket-Abhängigkeiten schnell, wertvolle Sicherheitspakete zu installieren und Pakete mit Mängeln zu entfernen. Die Konfiguration der Pakete muss der Administrator erledigen. Das Paket bastille implementiert gegebene Sicherheitsregeln für das lokale System, die auf einer vorhergehenden Konfiguration durch den Administrator basieren (Sie können auch mit einfachen Ja/Nein-Fragen durch die Konfiguration geführt werden). Harden

Das Paket harden versucht es einfacher zu machen, Rechner, die gute Sicherheit benötigen, zu installieren und zu administrieren. Dieses Paket sollte von Leuten benutzt werden, die eine schnelle Hilfe bei der Erhöhung der Systemsicherheit haben wollen. Es installiert automatisch einige Werkzeuge, die die Sicherheit auf unterschiedliche Art und Weise erhöhen: Werkzeuge zur Eindringlingserkennung, Werkzeuge zur Sicherheitsanalyse und mehr. harden installiert die folgenden virtuellen Pakete (d.h. sie enthalten nichts, hängen aber von anderen Paketen ab oder empfehlen diese): harden-tools: Werkzeuge, die die Sicherheit des Systems erhöhen (Integritätsprüfung, Eindringlingserkennung, Kernel-Patches, ...) harden-environment: Hilft eine abgesicherte Umgebung zu konfigurieren (derzeit leer) harden-servers: entfernt Server, die aus irgendeinem Grund als unsicher gelten harden-clients: entfernt Clients, die aus irgendeinem Grund als unsicher gelten harden-remoteaudit: Werkzeuge, um Systeme aus der Ferne zu überprüfen. harden-nids: hilft bei der Installation eines Systems zur Entdeckung von Netzwerkeindringlingen. harden-surveillance: hilft bei der Installation von Werkzeugen zum Überwachen von Netzwerken und Diensten. Nützliche Pakete, für die keine Abhängigkeit besteht: harden-doc: Stellt dieses und andere sicherheitsrelevante Dokumente zur Verfügung. harden-development: Entwicklungswerkzeuge, um sicherere Programme zu erstellen.

Seien Sie vorsichtig, wenn Sie Software installiert haben, die Sie brauchen (und aus bestimmten Gründen nicht deinstallieren wollen), und die aufgrund eines Konflikts mit einem der oben aufgeführten Pakete nicht installiert werden kann. In diesem Fall können Sie harden nicht vollständig nutzen.

Die harden-Pakete machen eigentlich gar nichts. Zumindest nicht unmittelbar. Sie haben jedoch absichtliche Paketkonflikte mit bekannten, unsicheren Paketen. Auf diese Art wird die Paketverwaltung von Debian die Installation dieser Pakete nicht erlauben. Wenn Sie zum Beispiel bei installiertem harden-servers-Paket versuchen, einen telnet-Daemon zu installieren, wird Ihnen apt Folgendes sagen: # apt-get install telnetd Die folgenden Pakete werden ENTFERNT: harden-servers Die folgenden NEUEN Pakete werden installiert: telnetd Möchten Sie fortfahren? [J/n]

Dies sollte im Kopf des Administrators eine Alarmglocke auslösen, der sein Vorgehen überdenken sollte. Bastille Linux

ist ein Werkzeug zur automatischen Abhärtung, das ursprünglich für die Linux-Distributionen Red Hat und Mandrake gedacht war. Wie auch immer: Das Paket bastille aus Debian (seit Woody) ist durch Patches angepasst, um dieselbe Funktionalität unter Debian GNU/Linux Systemen zur Verfügung zu stellen.

Bastille kann mit verschiedenen Oberflächen bedient werden (alle sind in ihrem eigenen Handbuch dokumentiert), die dem Administrator erlauben: Schritt für Schritt Fragen zur erwünschten Sicherheit Ihres Systems zu beantworten (siehe ), Standardeinstellungen zur Sicherheit (zwischen locker, moderat und paranoid) für eine bestimmte Einrichtung (Server oder Arbeitsplatz-Rechner) zu benutzen, und Bastille entscheiden zu lassen, welche Sicherheitsregelungen eingeführt werden sollen (siehe ), eine vorgefertigte Konfigurationsdatei (von Bastille oder vom Administrator) zu nehmen und eine vorgegebene Sicherheitsregelung zu benutzen (siehe ). harden-doc-3.15.1/howto-source/de/infrastructure.sgml0000644000000000000000000017471611144547733017516 0ustar Die Infrastruktur für Sicherheit in Debian Das Sicherheitsteam von Debian

Debian hat ein Sicherheitsteam, das aus fünf Mitgliedern und zwei Sekretären besteht. Es ist für die Sicherheit in der Stable-Veröffentlichung verantwortlich. Das bedeutet, dass es Sicherheitslücken nachgeht, die in Software auftauchen (indem es Foren wie Bugtraq oder vuln-dev beobachtet), und ermittelt, ob davon die Stable-Veröffentlichung betroffen ist.

Das Sicherheitsteam von Debian ist auch der Ansprechpartner für Probleme, die von den Programmautoren oder Organisationen wie behandelt werden und die mehrere Linux-Anbieter betreffen können. Das gilt für alle Probleme, die nicht debianspezifisch sind. Es gibt zwei Möglichkeiten, um mit dem Sicherheitsteam in Verbindung zu treten: , die nur die Mitglieder des Sicherheitsteams lesen. , die von allen Debian-Entwicklern gelesen wird (einschließlich des Sicherheitsteams). E-Mails, die an diese Liste geschickt werden, werden nicht im Internet veröffentlicht (es handelt sich also nicht um eine öffentliche Mailingliste).

Heikle Informationen sollten an die erste Adresse geschickt werden und unter Umständen mit dem Schlüssel von Debian Security Contact (Schlüssel-ID 363CCD95) verschlüsselt werden.

Wenn das Sicherheitsteam ein mögliches Problem erhält, wird es untersuchen, ob die Stable-Veröffentlichung davon betroffen ist. Wenn dies der Fall ist, wird eine Ausbesserung des Quellcodes vorgenommen. Diese Ausbesserung schließt manchmal ein, dass Patches der Programmautoren zurückportiert werden (da das Originalprogramm gewöhnlich einige Versionen weiter ist als das in Debian). Nachdem die Ausbesserung getestet wurde, werden neue Pakete vorbereitet und auf der Seite veröffentlicht, damit sie mit apt abgerufen werden können (siehe ). Zur gleichen Zeit wird eine Debian-Sicherheits-Ankündigung (DSA) auf der Webseite veröffentlicht und an öffentliche Mailinglisten einschließlich und Bugtraq geschickt.

Einige andere häufige Fragen zum Sicherheitsteam von Debian können unter gefunden werden. Debian-Sicherheits-Ankündigungen

Debian-Sicherheits-Ankündigungen (DSA) werden erstellt, sobald eine Sicherheitslücke entdeckt wird, die ein Debian-Paket berührt. Diese Anweisungen, die von einem Mitglied des Sicherheitsteams signiert sind, enthalten Informationen zu den betroffenen Versionen und den Orten der Aktualisierungen und ihrer MD5-Summen. Die Informationen sind: Versionsnummer der Ausbesserung. Art des Problems. Ob es aus der Ferne oder lokal ausnutzbar ist. Kurze Beschreibung des Pakets. Beschreibung des Problems. Beschreibung des Exploits. Beschreibung der Ausbesserung.

DSAs werden sowohl auf der als auch auf den veröffentlicht. Das passiert normalerweise nicht bis die Website neu erstellt wurde (alle vier Stunden). Daher könnten sie nicht sofort vorhanden sein. Somit ist die vorzugswürdige Informationsquelle die Mailingliste debian-security-announce.

DSAs, die auf der Webseite veröffentlicht wurden, können aktualisiert werden, nachdem sie an öffentliche Mailinglisten verschickt wurden. Eine typische Aktualisierung ist, einen Querverweis auf Datenbanken mit Sicherheitslücken hinzuzufügen. Auch Übersetzungen der DSAs Übersetzungen sind in bis zu zehn verschiedenen Sprachen verfügbar. werden nicht an die Sicherheitsmailinglisten geschickt, sondern sind direkt auf der Webseite enthalten. Querverweise der Verwundbarkeiten

Debian stellt eine vollständige zur Verfügung, die alle verfügbaren Verweise für die Anweisungen seit 1998 enthält. Diese Tabelle soll die ergänzen.

Sie werden bemerkt haben, dass die Tabelle Verweise auf Sicherheitsdatenbanken wie , und und auf die CVE-Bezeichnungen (siehe unten) enthält. Diese Verweise werden zur Nutzerfreundlichkeit angeboten, aber nur die CVE-Verweise werden regelmäßig überprüft und eingefügt. Dieses Feature wurde im Juni 2002 der Webseite hinzugefügt.

Das Hinzufügen von Querverweisen auf diese Sicherheitsdatenbanken hat folgende Vorteile: Es erleichtert Benutzern von Debian zu erkennen und nachzuvollziehen, welche allgemeinen (veröffentlichten) Anweisungen schon von Debian abgedeckt wurden. Systemadministratoren können mehr über die Verwundbarkeit und ihre Auswirkungen lernen, wenn sie den Querverweisen folgen. Diese Informationen können benutzt werden, um Ausgaben von Verwundbarkeitsscannern, die Verweise auf CVE enthalten, zu überprüfen, um falsche Positivmeldungen auszusortieren (vergleichen Sie ). CVE-Kompatibilität

Debians Sicherheitsankündigungen wurden am 24. Februar 2004 Der vollständige ist bei CVE erhältlich. .

Die Entwickler von Debian verstehen die Notwendigkeit, genaue und aktuelle Informationen über die Lage der Sicherheit in der Debian-Distribution zur Verfügung zu stellen. Dies ermöglicht es den Benutzern, mit den Risiken durch neue Sicherheitslücken umzugehen. CVE versetzt uns in die Lage, standardisierte Verweise anzubieten, die es Nutzern ermöglichen, einen zu entwickeln.

Das Projekt wird von der MITRE Corporation betreut und stellt eine Liste von standardisierten Bezeichnungen für Verwundbarkeiten und Sicherheitslücken zur Verfügung.

Debian ist überzeugt, dass es außerordentlich wichtig ist, die Nutzer mit zusätzlichen Informationen im Zusammenhang mit Sicherheitsproblemen, die die Debian-Distribution betreffen, zu versorgen. Indem CVE-Bezeichnungen in den Anweisungen enthalten sind, können Nutzer leichter allgemeine Verwundbarkeiten mit bestimmten Aktualisierungen von Debian in Verbindung bringen. Dies verringert die Zeit, die benötigt wird, um Verwundbarkeiten, die unsere Nutzer betreffen, abzuarbeiten. Außerdem vereinfacht es die Organisation der Sicherheit in einer Umgebung, in der schon Sicherheitswerkzeuge, die CVE verwenden, wie Erkennungssysteme von Eindringlingen in Netzwerk oder Host oder Werkzeuge zur Bewertung der Sicherheit eingesetzt werden, unabhängig davon, ob sie auf der Debian-Distribution beruhen.

Debian begann im Juni 2002, CVE-Bezeichnungen zu den DSAs hinzuzufügen. Jetzt sind CVE-Bezeichnungen in allen DSAs seit September 1998 enthalten, nachdem die Nachprüfungsphase im August 2002 begonnen wurde. Alle Anweisungen können auf der Webseite von Debian abgerufen werden. Auch Ankündigungen von neuen Verwundbarkeiten enthalten CVE-Bezeichnungen, wenn sie zum Zeitpunkt ihrer Veröffentlichung verfügbar waren. Anweisungen, die mit einer bestimmten CVE-Bezeichnung verbunden sind, können direkt über die gesucht werden.

Benutzer, die nach einer bestimmten CVE-Bezeichnung suchen wollen, können auch die Suchmaschine verwenden, die auf debian.org verfügbar ist, um die verfügbaren Anweisungen (auf Englisch und Übersetzungen in andere Sprachen), die mit den CVE-Bezeichnungen verbunden sind, abzurufen. Eine Suche kann nach einem bestimmten Begriff (z.B. nach der Anweisung ) oder nach einem Teilbegriff (z.B. alle Kandidaten von 2002, die in Anweisungen enthalten sind, finden Sie mit der Suche nach ) durchgeführt werden. Beachten Sie, dass Sie das Wort "advisory" zusammen mit der CVE-Bezeichnung eingeben müssen, um nur die Sicherheitsankündigungen zu erhalten.

In einigen Fällen finden Sie eine bestimmte CVE-Bezeichnung in veröffentlichten Anweisungen nicht. Beispiele dafür sind: Keine Produkte von Debian sind von der Verwundbarkeit betroffen. Es gibt noch keine Anweisung, die die Verwundbarkeit abdeckt. Das Sicherheitsproblem wurde vielleicht als gemeldet, aber eine Ausbesserung wurde noch nicht getestet und hochgeladen. Eine Anweisung wurde veröffentlicht, bevor eine CVE-Bezeichnung einer bestimmten Verwundbarkeit zugewiesen wurde (sehen Sie auf der Webseite nach einer Aktualisierung). Die Infrastruktur der Sicherheit bei der Paketerstellung in Debian

Da Debian im Moment eine große Anzahl von Architekturen unterstützt, fragen Administratoren manchmal, ob es bei einer bestimmten Architektur bis zu einer Sicherheitsaktualisierung länger dauert als bei einer anderen. Tatsächlich sind Aktualisierungen auf allen Architekturen zur selben Zeit verfügbar, abgesehen von seltenen Umständen.

Während früher die Sicherheitsaktualisierungen von Hand erstellt wurden, so gilt das heute nicht mehr, wie Anthony Towns in beschreibt, die am 8. Juni 2002 an die Mailingliste debian-devel-announce geschickt wurde.

Pakete, die vom Sicherheitsteam mit einem passenden Patch (auf oder ) hochgeladen werden, werden innerhalb von 15 Minuten nach dem Hochladen auf Signaturen überprüft. Danach werden sie zu der Liste der Autobuilder hinzugefügt (diese führen nicht mehr einen täglichen Durchgang durch das Archiv durch). Dadurch können die Pakete automatisch für alle Architekturen 30 Minuten oder eine Stunde oder so nach dem Hochladen erstellt werden. Allerdings werden Sicherheitsaktualisierungen etwas anders behandelt als normale Aktualisierungen, die von den Paketbetreuern vorgenommen werden, da in manchen Fällen vor einer Veröffentlichung die Aktualisierungen nochmals getestet werden müssen, eine Anweisung geschrieben werden muss oder eine Woche oder mehr gewartet werden muss, um zu verhindern, dass der Fehler veröffentlicht wird, bevor nicht alle Linux-Anbieter eine vernünftige Chance hatten, ihn zu beheben.

Folglich arbeitet das Archiv der Sicherheitsuploads nach dem folgenden Ablauf (dieser wird "Accepted-Autobuilding" genannt): Jemand findet ein Sicherheitsproblem. Jemand löst das Problem und lädt die Lösung in den Eingang von security-master.debian.org hoch (dieser jemand ist normalerweise ein Mitglied des Sicherheitsteams, kann aber auch ein Paketbetreuer mit einer passenden Verbesserung sein, der sich zuvor mit dem Sicherheitsteam in Verbindung gesetzt hat). Die Änderungsübersicht (changelog) beinhaltet ein testing-security oder stable-security als Zieldistribution. Die hochgeladenen Dateien werden von einem Debian-System überprüft, verarbeitet und in die Warteschleife der angenommenen Dateien weitergeleitet. Danach werden die Buildds benachrichtigt. Auf die Dateien in der Warteschleife kann das Sicherheitsteam und (auf indirektem Wege) die Buildds zugreifen. Buildds, die Sicherheit unterstützen, holen sich das Quellpaket (mit einer höheren Priorität als normale Paketerstellungen), erstellen Pakete und schicken die Logs ans Sicherheitsteam. Das Sicherheitsteam antwortet auf die Logs und die neu erstellten Pakete werden in die Warteschleife der ungeprüften Dateien hochgeladen, wo sie von einem Debian-System verarbeitet und in die Warteschleife der angenommenen Dateien verschoben werden. Wenn das Sicherheitsteam ein Quellpaket akzeptiert (d.h. dass es für alle Architekturen korrekt Pakete erstellt, und dass es die Sicherheitslücke schließt und keine neuen Probleme hervorruft), führen sie ein Skript aus, das das Paket im Sicherheitsarchiv installiert, die Paket-, Quell- und Veröffentlichungsdateien von security.debian.org auf dem gewöhnlichen Weg aktualisiert (dpkg-scanpackages, dpkg-scansources, ...), eine Vorlage einer Anweisung erstellt, die das Sicherheitsteam fertig stellen kann und (wahlweise) die Pakete zu den vorgeschlagenen Aktualisierungen weiterleitet, so dass sie sobald wie möglich in die echten Archive eingefügt werden können.

Dieser Ablauf, der früher per Hand durchgeführt wurde, wurde während des Freezing-Abschnitts von Debian 3.0 Woody (Juli 2002) getestet und umgesetzt. Dank dieser Infrastruktur war es dem Sicherheitsteam möglich, aktualisierte Pakete für Apache- und OpenSSH-Probleme für alle unterstützen Architekturen (fast 20) in weniger als einem Tag bereitzustellen. Leitfaden über Sicherheitsaktualisierungen für Entwickler

Diese Mail wurde von Wichert Akkerman an die geschickt, um zu beschreiben, wie Entwickler von Debian Sicherheitsprobleme in ihren Paketen handhaben. Sie wird hier veröffentlicht, sowohl um Entwicklern zu helfen als auch um Nutzern zu verdeutlichen, wie mit Sicherheit in Debian umgegangen wird.

FIXME: Beachten Sie, dass die aktuelle Referenz für diese Informationen die ist und dieser Abschnitt demnächst entfernt wird. Zusammenarbeit mit dem Sicherheitsteam

Wenn ein Entwickler von einem Sicherheitsproblem erfährt, egal ob in seinem Paket oder in einem anderen, sollte er das immer dem Sicherheitsteam melden (unter team@security.debian.org). Sie gehen ungelösten Sicherheitsproblemen nach, können Paketbetreuern mit Sicherheitsproblemen helfen oder sie selber lösen, sind für den Versand von Sicherheitsankündigungen verantwortlich und betreuen security.debian.org.

Beachten Sie bitte, dass Sicherheitsankündigungen nur für veröffentlichte Distributionen erteilt werden, nicht für Testing, Unstable (siehe ) und ältere Distributionen (siehe ). Erkennen von Sicherheitsproblemen

Es gibt einige Möglichkeiten, wie ein Entwickler von Sicherheitsproblemen erfahren kann: Er bemerkt sie in einem öffentlichem Forum (Mailingliste, Webseite, etc.). Jemand reicht einen Fehlerbericht ein. Es sollte dann das Security-Tag verwendet oder vom Entwickler hinzugefügt werden. Jemand informiert ihn in einer privaten E-Mail.

In den ersten beiden Fällen ist die Information öffentlich verfügbar und es ist daher wichtig, dass eine Ausbesserung so schnell wie möglich vorhanden ist. Im letzten Fall könnte keine öffentliche Information vorliegen. In diesem Fall gibt es ein paar Möglichkeiten, wie mit dem Problem umzugehen ist: Wenn es ein triviales Problem ist (wie unsichere temporäre Dateien), gibt es keine Notwendigkeit, das Problem geheim zu halten, und eine Ausbesserung sollte erstellt und veröffentlicht werden. Wenn es sich um ein ernstzunehmendes Problem handelt (aus der Ferne ausnutzbar, Möglichkeit, Root-Rechte zu bekommen), ist es vorzugswürdig, die Information mit anderen Linux-Anbietern zu teilen und eine Veröffentlichung zu koordinieren. Das Sicherheitsteam hat Kontakte zu verschiedenen Organisationen und Individuen und kann das erledigen.

Wenn die Person, die das Problem gemeldet hat, darum bittet, die Informationen nicht bekanntzugeben, sollte das respektiert werden, mit der offensichtlichen Ausnahme der Mitteilung an das Sicherheitsteam (der Entwickler sollte sichergehen, dass er dem Sicherheitsteam mitteilt, dass die Informationen nicht bekanntgegeben werden sollen).

Beachten Sie, dass in Fällen der Geheimhaltung der Entwickler auch keine Ausbesserung nach Unstable (oder sonst irgendwo hin) hochladen darf, da die Änderungsübersicht für Unstable öffentlich zugänglich ist.

Es gibt zwei Gründe, um Informationen zu veröffentlichen, selbst wenn um Geheimhaltung gebeten wurde oder diese notwendig ist: Das Problem ist schon zu lange bekannt oder es wurde öffentlich bekannt. Erstellen eines Pakets

Wenn ein neues Paket erstellt wird, das ein Sicherheitsproblem löst, ist die wichtigste Richtlinie, so wenige Änderungen wie möglich vorzunehmen. Menschen hängen von demselben Verhalten einer Veröffentlichung ab. Jede Veränderung könnte also das System von jemandem unbenutzbar machen. Dies gilt besonders für Bibliotheken: Der Entwickler muss sichergehen, dass er niemals die API oder ABI verändert, egal wie klein die Änderungen sind.

Das bedeutet, dass das Verwenden einer neuen Version des Originalprogramms keine gute Lösung ist. Stattdessen sollten die relevanten Veränderungen zurückportiert werden. Gewöhnlich werden die Programmautoren dabei gegebenenfalls behilflich sein, wenn Debians Sicherheitsteam nicht helfen kann.

In einigen Fällen ist es nicht möglich, Sicherheitsverbesserungen zurückzuportieren, z.B. wenn große Mengen des Quellcodes verändert oder neu geschrieben werden müssten. Wenn das eintritt, kann es notwendig werden, eine neue Version des Originalprogramms zu verwenden. Das sollte aber immer im Voraus mit dem Sicherheitsteam abgestimmt werden.

Damit hängt ein anderer wichtiger Punkt zusammen: Entwickler müssen immer ihre Änderungen testen. Wenn es einen Exploit gibt, sollte der Entwickler versuchen, ob er tatsächlich mit dem ungepatchten Paket gelingt und im ausgebesserten Paket scheitert. Der Entwickler sollte auch den gewöhnlichen Gebrauch ausprobieren, da manchmal eine Sicherheitsausbesserung fast unmerklich den normalen Gebrauch beeinträchtigt.

Zu guter Letzt ein paar technische Dinge, die Entwickler bedenken sollten: Stellen Sie sicher, dass Sie sich in Ihrer Debian-Änderungsübersicht auf die richtige Distribution beziehen. Für Stable ist das stable-security und für Testing testing-security. Beziehen Sie sich nicht auf <codename>-proposed-updates. Stellen Sie sicher, dass die Versionsnummer korrekt ist. Sie muss größer als die des aktuellen Pakets sein, aber niedriger als die Paketversionen in späteren Distributionen. Für Testing bedeutet das, dass es eine höhere Version als in Unstable sein muss. Falls es dort keine gibt (Testing und Unstable haben z.B. die gleichen Versionen), laden Sie zuerst die neue Version nach Unstable hoch. Laden Sie nicht nur die Quellen hoch (source-only upload), wenn Ihr Paket nur binäre Pakete enthält (binary-all). Die Buildd-Infrastruktur wird diese nicht erstellen. Wenn Sie ein Paket kompilieren, stellen Sie sicher, dass Sie es auf einem reinen System kompilieren, auf dem nur Pakete aus der Distribution installiert sind, für die Sie das Paket erstellen. Wenn Sie selbst ein solches System nicht haben, können Sie es mit einer Maschine von debian.org versuchen (siehe http://db.debian.org/machines.cgi) oder setzen Sie chroot ein (die Pakete pbuilder und debootstrap können dafür hilfreich sein). Hochladen von Sicherheitsausbesserungen

Nachdem der Entwickler ein neues Paket erstellt und getestet hat, muss es hochgeladen werden, damit es in den Archiven installiert werden kann. Sicherheitsrelevante Dateien werden nach ftp://security-master.debian.org/pub/SecurityUploadQueue/ hochgeladen.

Wenn eine in die Sicherheitswarteschleife hochgeladene Datei akzeptiert wurde, wird das Paket automatisch für alle Architekturen neu erstellt und zur Überprüfung durch das Sicherheitsteam abgelegt.

Nur das Sicherheitsteam kann auf hochgeladene Dateien, die auf Annahme oder Überprüfung warten, zugreifen. Das ist notwendig, da es Ausbesserungen für Sicherheitsprobleme geben könnte, die noch nicht offengelegt werden dürfen.

Wenn ein Mitglied des Sicherheitsteams ein Paket akzeptiert, wird es auf security.debian.org und als passendes <codename>-proposed-updates auf ftp-master oder im Non-US-Archiv installiert. Die Sicherheitsankündigung

Sicherheitsankündigungen werden vom Sicherheitsteam geschrieben und veröffentlicht. Allerdings macht es ihnen gewiss nichts aus, wenn ein Paketbetreuer den Text (teilweise) für sie erstellt. Informationen, die in einer Ankündigung enthalten sein sollten, werden in beschrieben. Paketsignierung in Debian

Dieser Abschnitt könnte auch mit "Wie man sein Debian GNU/Linux-System sicher upgraded/aktualisiert" überschrieben werden. Es verdient hauptsächlich deshalb einen eigenen Abschnitt, weil es einen wichtigen Teil der Infrastruktur der Sicherheit darstellt. Die Signierung von Paketen ist ein wichtiges Thema, da sie die Manipulation von Paketen auf Spiegeln und von heruntergeladenen Dateien durch Man-in-the-Middle-Angriffe verhindert. Die automatische Aktualisierung von Software ist eine wichtige Fähigkeit, aber es ist auch wichtig, Gefahren für die Sicherheit zu entfernen, die die Verbreitung von Trojanern und den Einbruch ins System während der Aktualisierung fördern können. Einige Betriebssysteme wurden schon von Problemen mit automatischen Aktualisierungen heimgesucht, wie z.B. die .

FIXME: probably the Internet Explorer vulnerability handling certificate chains has an impact on security updates on Microsoft Windows.

Debian stellt keine signierten Pakete zur Verfügung. Es gibt aber seit Debian 4.0 (Codename Etch) eine Verfahrensweise, mit der die Integrität von heruntergeladenen Paketen überprüft werden kann. Ältere Veröffentlichungen wie Debian 3.1 (Sarge) können mit zurückportierten Versionen des Paketmanagers auf diese Methode zugreifen. Weiterführende Hinweise können Sie unter finden.

Dieses Problem wird besser im von V. Alex Brennen beschrieben. Die aktuelle Methode zur Prüfung von Paketsignaturen

Die aktuelle Methode zur Prüfung von Paketsignaturen mit apt ist: Die Release-Datei enthält die MD5-Summe von Packages.gz (die die MD5-Summen der Pakete enthält) und wird signiert. Die Signatur stammt aus einer vertrauenswürdigen Quelle. Diese signierte Release-Datei wird beim "apt-get update" heruntergeladen und zusammen mit Packages.gz gespeichert. Wenn ein Paket installiert werden soll, wird es zuerst heruntergeladen, und dann wird die MD5-Summe erstellt. Die signierte Release-Datei wird überprüft (ob die Signatur in Ordnung ist) und die MD5-Summe der Packages.gz-Datei extrahiert. Die MD5-Summe der Packages.gz-Datei wird erstellt und geprüft, und - wenn sie übereinstimmt - wird die MD5-Summe des heruntergeladenen Paketes aus ihr extrahiert. Wenn die MD5-Summe des heruntergeladenen Paketes die gleiche ist wie in der Packages.gz-Datei, wird das Paket installiert. Andernfalls wird der Administrator alarmiert, und das Paket wird im Zwischenspeicher gehalten (so dass der Administrator entscheiden kann, ob es installiert werden soll oder nicht). Wenn das Paket nicht in Packages.gz enthalten ist, und der Administrator das System so konfiguriert hat, dass nur geprüfte Pakete installiert werden können, wird das Paket ebenfalls nicht installiert.

Durch diese Kette von MD5-Summen ist apt in der Lage, zu verifizieren, dass ein Paket aus einer bestimmten Veröffentlichung stammt. Dies ist zwar unflexibler als jedes Paket einzeln zu signieren, kann aber auch mit den unten aufgeführten Plänen kombiniert werden.

Diese Vorgehensweise ist seit der Veröffentlichung von Debian 4.0 verfügbar und vollständig in apt 0.6 ; weitere Informationen finden Sie unter . Pakete, die ein Frontend für apt anbieten, müssen verändert werden, um an diese neue Fähigkeit angepasst zu werden. Das gilt für aptitude, das wurde, um zu dieser Vorgehensweise zu passen. Frontends, die bekanntermaßen zurzeit mit dieser Fähigkeit umgehen können, sind aptitude und synaptic.

Die Signierung von Paketen wurde innerhalb des Debian-Projekts ausführlich diskutiert. Mehr Informationen hierzu finden Sie unter und . Secure Apt

Die Veröffentlichung von apt 0.6, das seit Debian 4.0 (Etch) verfügbar ist, enthält apt-secure (auch als Secure Apt bekannt), das ein Werkzeug ist, mit dem ein Systemadministrator die Integrität von heruntergeladenen Paketen mit dem oben dargestellten Verfahren überprüfen kann. Diese Veröffentlichung enthält das Werkzeug apt-key, um neue Schlüssel zum Schlüsselbund von apt hinzuzufügen, welcher standardmäßig nur den aktuellen Signierungsschlüssel des Debian-Archivs enthält.

Diese Veränderungen basieren auf dem Patch für apt (verfügbar in ), der diese Erweiterung zur Verfügung stellt.

Secure Apt überprüft die Distribution mit der Release-Datei. Dies wurde schon unter dargestellt. Typischerweise erfordert dieser Vorgang kein Mitwirken des Administrators. Aber jedes Jahr müssen Sie eingreifen (bis ein automatischer Mechanismus entwickelt wurde), um den neuen Schlüssel des Archivs hinzuzufügen, wenn dieser ausgewechselt wurde. Weitere Informationen zu den dazu notwendigen Schritten finden Sie unter .

Diese Fähigkeit befindet sich noch im Entwicklungsstadium. Wenn Sie glauben, dass Sie Fehler gefunden haben, stellen Sie zuerst sicher, dass Sie die neuste Version verwenden (da dieses Paket vor seiner endgültigen Veröffentlichung noch ziemlich verändert werden kann). Falls Sie die aktuelle Version benutzen, schicken Sie einen Fehlerbericht für das Paket apt.

Weiterführende Informationen finden Sie im und in der offiziellen Dokumentation unter und . Überprüfung der Distribution mit der Release-Datei

Dieser Abschnitt beschreibt, wie die Überprüfung der Distribution mit Hilfe der Release-Datei funktioniert. Dies wurde von Joey Hess geschrieben und ist auch im abrufbar. Grundlegende Konzepte

Es gibt ein paar grundlegende Konzepte, die Sie brauchen, um den Rest dieses Abschnitts verstehen zu können.

Eine Prüfsumme ist eine Methode, bei der eine Datei auf eine relativ kurze Zahl heruntergekocht wird, mit der der Inhalt der Datei eindeutig identifiziert werden kann. Dies ist wesentlich schwieriger, als es zunächst erscheinen mag. Der am weitesten verbreitete Typ von Prüfsummen, MD5, ist gerade dabei, unbrauchbar zu werden.

Verschlüsselung mit öffentlichen Schlüsseln fußt auf einem Schlüsselpaar: einem öffentlichen Schlüssel und einem privaten Schlüssel. Der öffentliche Schlüssel wird an die Allgemeinheit verteilt. Der private muss ein Geheimnis bleiben. Jeder, der den öffentlichen Schlüssel hat, kann eine Nachricht verschlüsseln, so dass sie nur noch der Besitzer des privaten Schlüssels lesen kann. Es besteht daneben die Möglichkeit, mit einem privaten Schlüssel eine Datei zu signieren. Wenn eine Datei mit einer digitalen Unterschrift versehen wurde, kann jeder, der den öffentlichen Schlüssel hat, überprüfen, ob die Datei mit diesem Schlüssel unterschrieben wurde. Ohne den privaten Schlüssel lässt sich eine solche Signatur nicht nachmachen.

Diese Schlüssel bestehen aus ziemlich langen Zahlen (1024 oder 2048 Ziffern oder sogar länger). Damit sie leichter zu verwenden sind, haben sie eine kürzere Schlüssel-ID (eine Zahl mit nur acht oder 16 Stellen), mit der sie bezeichnet werden können.

Secure Apt verwendet gpg, um Dateien zu unterschreiben und ihre Unterschriften zu überprüfen.

Mit dem Programm apt-key wird der Schlüsselbund von GPG für Secure Apt verwaltet. Der Schlüsselbund befindet sich in der Datei /etc/apt/trusted.gpg (nicht zu verwechseln mit der verwandten, aber nicht sehr interessanten Datei /etc/apt/trustdb.gpg). apt-key kann dazu verwendet werden, die Schlüssel im Schlüsselbund anzuzeigen oder um Schlüssel hinzuzufügen oder zu entfernen. Prüfsummen der Release-Datei

Jedes Archiv von Debian enthält eine Release-Datei, die jedesmal aktualisiert wird, wenn ein Paket im Archiv geändert wird. Unter anderem enthält die Release-Datei MD5-Summen von anderen Dateien, die sich im Archiv befinden. Ein Auszug einer Release-Datei: MD5Sum: 6b05b392f792ba5a436d590c129de21f 3453 Packages 1356479a23edda7a69f24eb8d6f4a14b 1131 Packages.gz 2a5167881adc9ad1a8864f281b1eb959 1715 Sources 88de3533bf6e054d1799f8e49b6aed8b 658 Sources.gz

Die Release-Datei enthält auch SHA1-Prüfsummen, was nützlich ist, wenn MD5-Summen vollständig unbrauchbar sind. Allerdings unterstützt apt SHA1 noch nicht.

Werfen wir einen Blick in eine Paketdatei: wir sehen weitere MD5-Summen, eine für jedes darin aufgeführte Paket. Beispiel: Package: uqm Priority: optional ... Filename: unstable/uqm_0.4.0-1_i386.deb Size: 580558 MD5sum: 864ec6157c1eea88acfef44d0f34d219

Mit diesen beiden Prüfsummen kann überprüft werden, ob Sie eine getreue Kopie der Paketdatei, also mit einer MD5-Summe, die mit der in der Release-Datei übereinstimmt, heruntergeladen haben. Und wenn ein einzelnes Paket heruntergeladen wird, kann auch die MD5-Summe mit dem Inhalt der Paketdatei verglichen werden. Wenn bei einem dieser Schritte ein Fehler auftauchen sollte, bricht Apt den Vorgang ab.

Nichts davon ist neu in Secure Apt, aber es bietet die Grundlage dafür. Beachten Sie, dass es bis jetzt eine Datei gibt, die Apt nicht überprüfen kann: die Release-Datei. Bei Secure Apt dreht sich alles darum, dass Apt die Release-Datei überprüft, bevor es irgendetwas anderes damit macht. Wenn man das schafft, besteht eine lückenlose Authentifizierungskette von dem Paket, das Sie installieren möchten, bis zum Anbieter des Pakets. Überprüfung der Release-Datei

Damit die Release-Datei überprüft werden kann, wird sie mit GPG signiert. Diese Unterschrift kommt in die Datei Release.gpg, die mit der Release-Datei abgerufen werden kann. Sie sieht in etwa so aus (genau genommen handelt es sich um eine ASCII-armored abgetrennte GPG-Signatur), obwohl sich für gewöhnlich nur GPG ihren Inhalt ansieht: -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) iD8DBQBCqKO1nukh8wJbxY8RAsfHAJ9hu8oGNRAl2MSmP5+z2RZb6FJ8kACfWvEx UBGPVc7jbHHsg78EhMBlV/U= =x6og -----END PGP SIGNATURE----- Release.gpg mit Apt überprüfen

Wenn Secure Apt eine Release-Datei herunterlädt, lädt es auch immer die Release.gpg-Datei herunter. Falls dies misslingen sollte oder die Signatur nicht stimmt, wird es eine Rückmeldung machen und hinweisen, dass die Paketdateien, auf die die Release-Datei verweist, und alle darin enthaltenen Pakete von einer nicht vertrauenswürdigen Quelle stammen. So würde dies während apt-get update aussehen: W: GPG error: http://ftp.us.debian.org testing Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 010908312D230C5F

Beachten Sie, dass die zweite Hälfte der langen Nummer die Schlüssel-ID des Schlüssels ist, von dem Apt nichts weiß. Im Beispiel ist sie 2D230C5F.

Falls Sie diese Warnung ignorieren und später versuchen, ein Paket zu installieren, wird Sie Apt nochmals warnen: WARNUNG: Die folgenden Pakete können nicht authentifiziert werden! libglib-perl libgtk2-perl Diese Pakete ohne Überprüfung installieren [j/N]?

Wenn Sie nun J drücken, haben Sie keine Möglichkeit festzustellen, ob die Datei, die Sie bekommen, wirklich diejenige ist, die Sie auch installieren möchten, oder ob sie eine ganz andere ist, die Ihnen jemand, der die Verbindung mit dem Server abgefangen hat (oder Ihren DNS vergiftet hat oder den Server spooft oder die Datei auf einem Spiegel platziert hat, den Sie verwenden, oder ...), mit einer gemeinen Überraschung unterschieben will.

Sie können diese Abfragen abschalten, indem Sie apt mit --allow-unauthenticated laufen lassen.

Es lohnt sich auch noch darauf hinzuweisen, dass der Installer von Debian während des Debootstraps des Basissystems, solange Apt noch nicht verfügbar ist, denselben Mechanismus mit signierten Release-Dateien verwendet. Der Installer benutzt sogar dieses Verfahren, um Teile von sich selbst zu überprüfen, die er aus dem Netz gezogen hat. Debian signiert im Moment nicht die Release-Dateien auf den CDs. Apt kann aber so eingerichtet werden, dass es immer den Paketen von CDs vertraut, so dass dies nicht ein so großes Problem darstellt. Wie man Apt sagt, wem es vertrauen soll

Die ganze Sicherheit des Verfahrens beruht also darauf, dass es eine Release.gpg-Datei gibt, die eine Release-Datei signiert, und dass diese Signatur von apt mit Hilfe von GPG überprüft wird. Dazu muss es den öffentlichen Schlüssel der Person kennen, die die Datei unterschrieben hat. Diese Schlüssel werden in Apts eigenem Schlüsselbund (/etc/apt/trusted.gpg) gespeichert. Bei der Verwaltung dieser Schlüssel kommt Secure Apt ins Spiel.

Standardmäßig befindet sich bei Debian-Systemen der Schlüssel des Debian-Archivs im Schlüsselbund. # apt-key list /etc/apt/trusted.gpg -------------------- pub 1024D/4F368D5D 2005-01-31 [expires: 2006-01-31] uid Debian Archive Automatic Signing Key (2005) <ftpmaster@debian.org>

Im Beispiel ist 4F368D5D die Schlüssel-ID. Beachten Sie, dass dieser Schlüssel nur für ein Jahr gültig ist. Debian tauscht die Schlüssel als letzte Verteidigungslinie gegen Sicherheitsrisiken, die das Knacken eines Schlüssels umfassen, regelmäßig aus.

Mit dem Schlüssel des Archivs wird apt dem offiziellen Archiv von Debian vertrauen. Wenn Sie aber weitere Paketdepots zu /etc/apt/sources.list hinzufügen wollen, müssen Sie Apt Ihre Schlüssel mitteilen, wenn Sie wollen, dass Apt ihnen vertraut. Sobald Sie den Schlüssel haben und ihn überprüft haben, müssen Sie nur apt-key add Datei laufen lassen, um den Schlüssel hinzuzufügen. Der schwierigste Teil dabei ist, den Schlüssel zu bekommen und ihn zu überprüfen. Den Schlüssel für Paketdepots finden

Mit dem Paket debian-archive-keyring werden Schlüssel für apt bereitgestellt. Aktualisierungen dieses Pakets führen dazu, dass GPG-Schlüssel für das Debian-Hauptarchiv hinzugefügt (oder gelöscht) werden.

Für die übrigen Archive gibt es noch keinen standardisierten Ort, wo sich der Schlüssel für ein Paketdepot befinden soll. Es besteht die grobe Übereinkunft, dass der Schlüssel auf der Webseite des Paketdepots oder im Depot selbst zu finden sein sollte. Wie gesagt ist dies kein echter Standard, so dass Sie den Schlüssel unter Umständen suchen müssen.

Der Schlüssel des Debian-Archivs ist unter (ersetzen Sie 2006 mit dem aktuellen Jahr) erhältlich. "Ziyi" ist der Name des Werkzeugs, mit dem die Debian-Server signiert werden, und beruht auf dem Namen einer .

gpg besitzt mit den Schlüsselservern eine standardisierte Möglichkeit, Schlüssel zu verbreiten. Damit kann GPG einen Schlüssel herunterladen und ihn zum Schlüsselbund hinzufügen. Beispiel: $ gpg --keyserver pgpkeys.mit.edu --recv-key 2D230C5F gpg: requesting key 2D230C5F from hkp server pgpkeys.mit.edu gpg: key 2D230C5F: public key "Debian Archive Automatic Signing Key (2006) <ftpm aster@debian.org>" imported gpg: Anzahl insgesamt bearbeiteter Schlüssel: 1 gpg: importiert: 1

Sie können dann den Schlüssel aus Ihrem Schlüsselbund exportieren und ihn an apt-key weiterreichen: $ gpg -a --export 2D230C5F | sudo apt-key add - gpg: kein uneingeschränkt vertrauenswürdiger Schlüssel 080F67F4 gefunden OK

Die Warnung »gpg: kein uneingeschränkt vertrauenswürdiger Schlüssel 080F67F4 gefunden« bedeutet, dass GPG nicht so konfiguriert wurde, um einem Schlüssel vollständig zu vertrauen. Das Zuweisen von Vertrauensstufen ist Teil des Web-of-Trust von OpenPGP, was hier nicht Gegenstand ist. Daher ist die Warnung unproblematisch. Für gewöhnlich wird dem eigenen Schlüssel eines Benutzers vollständig vertraut. Auf sichere Weise einen Schlüssel hinzufügen

Indem Sie einen Schlüssel zu Apts Schlüsselbund hinzufügen, lassen Sie Apt wissen, dass es allem vertrauen soll, was mit diesem Schlüssel signiert wurde. Dadurch stellen Sie sicher, dass Apt nichts installiert, was nicht vom Inhaber des privaten Schlüssels signiert wurde. Mit ausreichender Paranoia erkennen Sie aber, dass dies das Problem nur um eine Stufe verlagert: Anstatt sich nun darum Sorgen zu machen, ob ein Paket oder eine Release-Datei korrekt ist, müssen Sie überprüfen, ob Sie tatsächlich den richtigen Schlüssel haben. Ist die Datei , die oben erwähnt wird, wirklich der Signierungsschlüssel des Debian-Archivs oder wurde sie verändert (oder wird gar in diesem Dokument gelogen)?

Es ist gut, in Sicherheitsfragen Vorsicht walten zu lassen. Aber ab hier wird es schwieriger, Dinge zu überprüfen. gpg arbeitet mit dem Konzept der Kette des Vertrauens (chain of trust), die bei jemandem beginnt, dem Sie vertrauen und der einen anderen Schlüssel unterschreibt usw., bis Sie beim Schlüssel des Archivs sind. Wenn Sie vorsichtig sind, wollen Sie nachprüfen, dass Ihr Archivschlüssel von einem Schlüssel unterschrieben wurde, dem Sie vertrauen können, weil seine Kette des Vertrauens zu jemandem zurückgeht, den Sie persönlich kennen. Dazu sollten Sie eine Debian-Konferenz oder eine lokale LUG zum Unterschreiben der Schlüssel besuchen. (Nicht alle Schlüssel der Apt-Depots sind überhaupt mit einem anderen Schlüssel unterschrieben. Vielleicht hat derjenige, der das Depot einrichtet, keinen anderen Schlüssel zur Verfügung, oder vielleicht ist es ihm unangenehm, einen Schlüssel mit einer derartig wichtigen Funktion mit seinem Hauptschlüssel zu unterschreiben. Hinweise, wie man einen Schlüssel für ein Depot einrichtet, finden Sie unter .)

Wenn Sie diese Sicherheitsbedenken nicht teilen (können), unternehmen Sie was auch immer Sie passend finden, wenn Sie eine neue Apt-Quelle oder einen neuen Schlüssel verwenden. Sie könnten demjenigen, der den Schlüssel anbietet, eine Mail schreiben, um den Schlüssel zu überprüfen. Oder Sie vertrauen auf Ihr Glück und gehen davon aus, dass Sie den richtigen heruntergeladen haben. Das Wichtige ist, dass Secure Apt, indem es das Problem darauf reduziert, welchen Archivschlüsseln Sie vertrauen, Sie so vorsichtig und sicher vorgehen lässt, wie es Ihnen passend und notwendig erscheint. Die Integrität eines Schlüssels überprüfen

Sie können dazu sowohl den Fingerabdruck als auch die Unterschriften des Schlüssels überprüfen. Den Fingerabdruck kann man aus verschiedenen Quellen erhalten. Sie können im Buch nachsehen, im IRC mit Debian-Entwicklern reden oder Mailinglisten lesen, wo ein Wechsel des Schlüssels angekündigt werden wird, oder jede andere erdenkliche Methode verwenden, um den Fingerabdruck zu überprüfen. Zum Beispiel können Sie auch Folgendes machen: $ GET http://ftp-master.debian.org/ziyi_key_2006.asc | gpg --import gpg: key 2D230C5F: public key "Debian Archive Automatic Signing Key (2006) <ftpmaster&debian.org>" imported gpg: Anzahl insgesamt bearbeiteter Schlüssel: 1 gpg: unverändert: 1 $ gpg --check-sigs --fingerprint 2D230C5F pub 1024D/2D230C5F 2006-01-03 [expires: 2007-02-07] Key fingerprint = 0847 50FC 01A6 D388 A643 D869 0109 0831 2D23 0C5F uid Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org> sig!3 2D230C5F 2006-01-03 Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org> sig! 2A4E3EAA 2006-01-03 Anthony Towns <aj@azure.humbug.org.au> sig! 4F368D5D 2006-01-03 Debian Archive Automatic Signing Key (2005) <ftpmaster@debian.org> sig! 29982E5A 2006-01-04 Steve Langasek <vorlon@dodds.net> sig! FD6645AB 2006-01-04 Ryan Murray <rmurray@cyberhqz.com> sig! AB2A91F5 2006-01-04 James Troup <james@nocrew.org>

und dann von Ihrem Schlüssel (oder einem Schlüssel, dem Sie vertrauen) den zu wenigstens einem der Schlüssel, der verwendet wurde, um den Archivschlüssel zu unterschreiben, überprüfen. Wenn Sie vorsichtig sein wollen, sollten Sie Apt mitteilen, dass es dem Schlüssel nur vertrauen darf, wenn es einen passenden Pfad gefunden hat: $ gpg --export -a 2D230C5F | sudo apt-key add - Ok

Der aktuelle Schlüssel ist mit dem vorhergehenden Archivschlüssel unterschrieben, so dass Sie theoretisch auf Ihrem alten Vertrauen aufbauen können. Der jährliche Austausch des Archivschlüssels von Debian

Wie schon oben erwähnt wird der Schlüssel, mit dem das Debian-Archiv signiert wird, jedes Jahr im Januar ausgetauscht. Da Secure Apt noch jung ist, haben wir noch nicht sehr viel Erfahrung damit und es gibt noch ein paar haarige Stellen.

Im Januar 2006 wurde ein neuer Schlüssel für 2006 erstellt und die Release-Datei wurde damit unterschrieben. Um aber zu vermeiden, dass Systeme, die noch den alten Schlüssel von 2005 verwenden, nicht mehr korrekt arbeiten, wurde die Release-Datei auch mit dem alten Schlüssel unterschrieben. Es war geplant, dass Apt je nach dem verfügbaren Schlüssel eine der beiden Unterschriften akzeptieren würde. Aber es zeigte sich ein Fehler in Apt, da es sich weigerte, der Datei zu vertrauen, wenn es nicht beide Schlüssel hatte und somit beide Unterschriften überprüfen konnte. Dies wurde in der Version 0.6.43.1 ausgebessert. Es gab auch Verwirrung darüber, wie der Schlüssel an Benutzer verteilt wird, die bereits Secure Apt auf ihrem System laufen lassen. Am Anfang wurde er auf die Webseite hochgeladen, ohne Ankündigung und ohne eine echte Möglichkeit, ihn zu überprüfen, und die Benutzer mussten ihn per Hand herunterladen. Bekannte Probleme bei der Prüfung

Ein nicht offensichtliches Problem ist, dass Secure Apt nicht funktioniert, wenn Ihre Uhr sehr verstellt ist. Wenn sie auf ein Datum in der Vergangenheit wie 1999 eingestellt ist, wird Apt mit einer nichts sagenden Ausgabe wie dieser abbrechen: W: GPG error: http://archive.progeny.com sid Release: Unknown error executing gpg

Dagegen macht apt-key das Problem deutlich: gpg: key 2D230C5F was created 192324901 seconds in the future (time warp or clock problem) gpg: key 2D230C5F was created 192324901 seconds in the future (time warp or clock problem) pub 1024D/2D230C5F 2006-01-03 uid Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>

Falls die Uhr zu weit vorgeht, behandelt Apt die Schlüssel als abgelaufen.

Wenn Sie Testing oder Unstable verwenden, gibt es ein Problem, wenn Sie in letzter Zeit nicht apt-get update ausgeführt haben und mit apt-get ein Paket installieren möchten. Apt könnte sich darüber beschweren, dass es nicht authentifiziert werden konnte (Warum passiert das bloß?). apt-get update löst das Problem. Prüfung von Hand

Für den Fall, dass Sie nun zusätzliche Sicherheitsprüfungen einführen wollen, aber nicht die neuste Version von apt einsetzen wollen oder können (entweder weil Sie Stable (Sarge) oder eine ältere Veröffentlichung verwenden, oder weil Sie nicht die neuste Version von Apt einsetzen wollen, obwohl wir das Testen wirklich schätzen würden), können Sie das folgende Skript von Anthony Towns benutzen. Dieses Skript führt automatisch neue Sicherheitsüberprüfungen durch, damit ein Nutzer sicher gehen kann, dass die Software, die er herunterlädt, die gleiche ist wie die, die von Debian bereitgestellt wird. Das verhindert, dass sich Debian-Entwickler in ein fremdes System einhacken können, ohne dass eine Zurechnung und Rückverfolgung möglich wäre, die durch das Hochladen eines Pakets auf das Hauptarchiv gewährleistet werden. Es kann auch verhindern, dass ein Spiegel etwas fast genau abbildet, das aber eben doch nicht ganz wie in Debian ist, oder dass veraltete Versionen von instabilen Paketen mit bekannten Sicherheitslücken zur Verfügung gestellt werden.

Dieser Beispielscode, umbenannt nach apt-check-sigs, sollte auf die folgende Art benutzt werden: # apt-get update # apt-check-sigs (... Ergebnisse ...) # apt-get dist-upgrade

Zuerst müssen Sie jedoch Folgendes tun: Holen Sie sich den Schlüssel, den die Archiv-Software verwendet, um Release-Dateien zu signieren, und fügen Sie ihn ~/.gnupg/trustedkeys.gpg hinzu (was standardmäßig von gpgv benutzt wird). gpg --no-default-keyring --keyring trustedkeys.gpg --import ziyi_key_2006.asc Entfernen Sie alle Zeilen aus /etc/apt/sources.list, die nicht die normale "dists"-Struktur benutzen, oder ändern Sie das Skript, so dass es auch mit denen funktioniert. Ignorieren Sie die Tatsache, dass Sicherheitsaktualisierungen von Debian keine signierten Release-Dateien haben, und dass Quelldateien (noch) keine richtigen Prüfsummen in der Release-Datei haben. Bereiten Sie sich darauf vor, zu prüfen, dass die richtigen Quellen durch den richtigen Schlüssel signiert wurden.

Dies ist der Beispielscode für apt-check-sigs. Die neuste Fassung ist unter erhältlich. Dieser Code befindet sich im Moment noch im Beta-Stadium. Für weitere Informationen sollten Sie lesen.
#!/bin/bash
# Copyright (c) 2001 Anthony Towns <ajt@debian.org>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# apt-check-sigs: for every http/ftp "deb" or "deb-src" line in
# /etc/apt/sources.list, fetch the top-level Release and Release.gpg,
# verify the signature with gpgv, and compare the MD5 sum and size of the
# Release/Packages/Sources files that apt has already stored in
# /var/lib/apt/lists against the entries in that signed Release file.
# Verdicts are recorded in the scratch files OK, MISSING, NOCHECK and BAD
# and summarised at the end; when run as root, BAD and NOCHECK list files
# are renamed to *.FAILED so apt ignores them.
#
# NOTE(review): this listing appears to have had runs of whitespace
# collapsed in transit.  In particular the sed expressions 's/ */ /g',
# the 'cut -d\ -f1' argument, the path '/var/lib /apt/lists' and
# '${rest %% *}' below do not look like the intended text.  Compare with
# the upstream script before running it; it is reproduced here as found.
#
# NOTE(review): the scratch directory is a fixed name under /tmp that is
# removed with rm -rf and recreated on every run.  A per-run directory
# from mktemp -d would be the usual hardening; left as in the original.

# Fresh scratch directory; abort if it cannot be created.
rm -rf /tmp/apt-release-check
mkdir /tmp/apt-release-check || exit 1
cd /tmp/apt-release-check

# Empty the per-verdict record files (one list-file name per line).
>OK
>MISSING
>NOCHECK
>BAD

# Architecture suffix used in apt's binary-<arch> list-file names.
arch=`dpkg --print-installation-architecture`

# True when running as uid 0 (only then are bad list files renamed).
am_root () {
    [ `id -u` -eq 0 ]
}

# get_md5sumsize RELEASEFILE NAME
# Print "<md5> <size>" for entry NAME from the MD5Sum: section of
# RELEASEFILE (the awk range stops at the SHA1: header).  Prints nothing
# when NAME has no entry.
get_md5sumsize () {
    cat "$1" | awk '/^MD5Sum:/,/^SHA1:/' |
      MYARG="$2" perl -ne '@f = split /\s+/; if ($f[3] eq $ENV{"MYARG"}) { print "$f[1] $f[2]\n"; exit(0); }'
}

# checkit LISTFILE LOOKUP
# Compare /var/lib/apt/lists/LISTFILE with the entry LOOKUP of the
# Release file in the current directory.  Echoes one of OK, MISSING,
# NOCHECK or BAD (used by the caller) and appends LISTFILE to the record
# file of the same name, except for the "not present and not needed"
# case, which only echoes OK.
checkit () {
    local FILE="$1"
    local LOOKUP="$2"

    Y="`get_md5sumsize Release "$LOOKUP"`"
    Y="`echo "$Y" | sed 's/^ *//;s/ */ /g'`"

    if [ ! -e "/var/lib/apt/lists/$FILE" ]; then
        if [ "$Y" = "" ]; then
            # No file, but not needed anyway
            echo "OK"
            return
        fi
        echo "$FILE" >>MISSING
        echo "MISSING $Y"
        return
    fi
    if [ "$Y" = "" ]; then
        # File is present but the signed Release file does not list it,
        # so there is nothing to validate it against.
        echo "$FILE" >>NOCHECK
        echo "NOCHECK"
        return
    fi
    # "<md5> <size>" of the local copy, normalised like Y above.
    # NOTE(review): the second path is '/var/lib /apt/lists' in the listing;
    # presumably a wrapped '/var/lib/apt/lists' -- confirm against upstream.
    X="`md5sum < /var/lib/apt/lists/$FILE | cut -d\ -f1` `wc -c < /var/lib /apt/lists/$FILE`"
    X="`echo "$X" | sed 's/^ *//;s/ */ /g'`"
    if [ "$X" != "$Y" ]; then
        echo "$FILE" >>BAD
        echo "BAD"
        return
    fi
    echo "$FILE" >>OK
    echo "OK"
}

echo
echo "Checking sources in /etc/apt/sources.list:"
echo "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
echo
(echo "You should take care to ensure that the distributions you're downloading "
 echo "are the ones you think you are downloading, and that they are as up to"
 echo "date as you would expect (testing and unstable should be no more than"
 echo "two or three days out of date, stable-updates no more than a few weeks"
 echo "or a month)."
) | fmt
echo

# One pass per non-comment sources.list line: "<type> <url> <dist> <comps...>".
cat /etc/apt/sources.list | sed 's/^ *//' | grep '^[^#]' |
while read ty url dist comps; do
    # Only http and ftp sources are handled; everything else is skipped.
    if [ "${url%%:*}" = "http" -o "${url%%:*}" = "ftp" ]; then
        baseurl="${url#*://}"
    else
        continue
    fi

    echo "Source: ${ty} ${url} ${dist} ${comps}"

    rm -f Release Release.gpg
    # The lynx -reload call presumably makes a caching proxy refetch the
    # file before wget downloads it -- TODO confirm.
    lynx -reload -dump "${url}/dists/${dist}/Release" >/dev/null 2>&1
    wget -q -O Release "${url}/dists/${dist}/Release"

    if ! grep -q '^' Release; then
        # Empty Release: truncate it so every checkit lookup yields NOCHECK.
        echo " * NO TOP-LEVEL Release FILE"
        >Release
    else
        origline=`sed -n 's/^Origin: *//p' Release | head -1`
        lablline=`sed -n 's/^Label: *//p' Release | head -1`
        suitline=`sed -n 's/^Suite: *//p' Release | head -1`
        codeline=`sed -n 's/^Codename: *//p' Release | head -1`
        dateline=`grep "^Date:" Release | head -1`
        dscrline=`grep "^Description:" Release | head -1`
        echo " o Origin: $origline/$lablline"
        echo " o Suite: $suitline/$codeline"
        echo " o $dateline"
        echo " o $dscrline"
        # Warn when the Release file describes a different suite/codename
        # than the one requested in sources.list.
        if [ "${dist%%/*}" != "$suitline" -a "${dist%%/*}" != "$codeline" ]; then
            echo " * WARNING: asked for $dist, got $suitline/$codeline"
        fi

        lynx -reload -dump "${url}/dists/${dist}/Release.gpg" >/dev/null 2>&1
        wget -q -O Release.gpg "${url}/dists/${dist}/Release.gpg"

        # Parse gpgv's machine-readable status lines (fd 3) from the
        # detached signature check.  okay=1 only for a GOODSIG that was
        # not preceded by a SIGREVOKED/SIGEXPIRED status.
        gpgv --status-fd 3 Release.gpg Release 3>&1 >/dev/null 2>&1 |
          sed -n "s/^\[GNUPG:\] //p" |
          (okay=0; err="";
           while read gpgcode rest; do
            if [ "$gpgcode" = "GOODSIG" ]; then
                if [ "$err" != "" ]; then
                    echo " * Signed by ${err# } key: ${rest#* }"
                else
                    echo " o Signed by: ${rest#* }"
                    okay=1
                fi
                err=""
            elif [ "$gpgcode" = "BADSIG" ]; then
                echo " * BAD SIGNATURE BY: ${rest#* }"
                err=""
            elif [ "$gpgcode" = "ERRSIG" ]; then
                # NOTE(review): '${rest %% *}' is as found in the listing;
                # presumably '${rest%% *}' (key id) was intended.
                echo " * COULDN'T CHECK SIGNATURE BY KEYID: ${rest %% *}"
                err=""
            elif [ "$gpgcode" = "SIGREVOKED" ]; then
                err="$err REVOKED"
            elif [ "$gpgcode" = "SIGEXPIRED" ]; then
                err="$err EXPIRED"
            fi
           done
           if [ "$okay" != 1 ]; then
               # No acceptable signature: truncate Release so nothing in
               # this source can be validated against it.
               echo " * NO VALID SIGNATURE"
               >Release
           fi)
    fi

    # Validate each component's index files.  The list-file name is the
    # URL with runs of slashes replaced by '_' (apt's naming scheme).
    okaycomps=""
    for comp in $comps; do
        if [ "$ty" = "deb" ]; then
            X=$(checkit "`echo "${baseurl}/dists/${dist}/${comp}/binary-${arch}/Release" | sed 's,//*,_,g'`" "${comp}/binary-${arch}/Release")
            Y=$(checkit "`echo "${baseurl}/dists/${dist}/${comp}/binary-${arch}/Packages" | sed 's,//*,_,g'`" "${comp}/binary-${arch}/Packages")
            if [ "$X $Y" = "OK OK" ]; then
                okaycomps="$okaycomps $comp"
            else
                echo " * PROBLEMS WITH $comp ($X, $Y)"
            fi
        elif [ "$ty" = "deb-src" ]; then
            X=$(checkit "`echo "${baseurl}/dists/${dist}/${comp}/source/Release" | sed 's,//*,_,g'`" "${comp}/source/Release")
            Y=$(checkit "`echo "${baseurl}/dists/${dist}/${comp}/source/Sources" | sed 's,//*,_,g'`" "${comp}/source/Sources")
            if [ "$X $Y" = "OK OK" ]; then
                okaycomps="$okaycomps $comp"
            else
                echo " * PROBLEMS WITH component $comp ($X, $Y)"
            fi
        fi
    done
    [ "$okaycomps" = "" ] || echo " o Okay:$okaycomps"
    echo
done

echo "Results"
echo "~~~~~~~"
echo

allokay=true

# Any list file in /var/lib/apt/lists that no sources.list line accounted
# for (not in BAD, MISSING, NOCHECK or OK) ends up in UNVALIDATED.
cd /tmp/apt-release-check
diff <(cat BAD MISSING NOCHECK OK | sort) <(cd /var/lib/apt/lists && find . -type f -maxdepth 1 | sed 's,^\./,,g' | grep '_' | sort) | sed -n 's/^> //p' >UNVALIDATED

cd /tmp/apt-release-check
if grep -q ^ UNVALIDATED; then
    allokay=false
    (echo "The following files in /var/lib/apt/lists have not been validated."
     echo "This could turn out to be a harmless indication that this script"
     echo "is buggy or out of date, or it could let trojaned packages get onto"
     echo "your system."
    ) | fmt
    echo
    sed 's/^/ /' < UNVALIDATED
    echo
fi

if grep -q ^ BAD; then
    allokay=false
    (echo "The contents of the following files in /var/lib/apt/lists does not"
     echo "match what was expected. This may mean these sources are out of date,"
     echo "that the archive is having problems, or that someone is actively"
     echo "using your mirror to distribute trojans."
     if am_root; then
        echo "The files have been renamed to have the extension .FAILED and"
        echo "will be ignored by apt."
        cat BAD | while read a; do
            mv /var/lib/apt/lists/$a /var/lib/apt/lists/${a}.FAILED
        done
     fi) | fmt
    echo
    sed 's/^/ /' < BAD
    echo
fi

if grep -q ^ MISSING; then
    allokay=false
    (echo "The following files from /var/lib/apt/lists were missing. This"
     echo "may cause you to miss out on updates to some vulnerable packages."
    ) | fmt
    echo
    sed 's/^/ /' < MISSING
    echo
fi

if grep -q ^ NOCHECK; then
    allokay=false
    (echo "The contents of the following files in /var/lib/apt/lists could not"
     echo "be validated due to the lack of a signed Release file, or the lack"
     echo "of an appropriate entry in a signed Release file. This probably"
     echo "means that the maintainers of these sources are slack, but may mean"
     echo "these sources are being actively used to distribute trojans."
     if am_root; then
        echo "The files have been renamed to have the extension .FAILED and"
        echo "will be ignored by apt."
        cat NOCHECK | while read a; do
            mv /var/lib/apt/lists/$a /var/lib/apt/lists/${a}.FAILED
        done
     fi) | fmt
    echo
    sed 's/^/ /' < NOCHECK
    echo
fi

if $allokay; then
    echo 'Everything seems okay!'
    echo
fi

# Remove the scratch directory and its record files.
rm -rf /tmp/apt-release-check

Sie müssen vielleicht bei Sid diesen Patch verwenden, da md5sum ein '-' an die Summe anfügt, wenn die Ausgabe auf stdin erfolgt:
@@ -37,7 +37,7 @@
 local LOOKUP="$2"
 Y="`get_md5sumsize Release "$LOOKUP"`"
- Y="`echo "$Y" | sed 's/^ *//;s/ */ /g'`"
+ Y="`echo "$Y" | sed 's/-//;s/^ *//;s/ */ /g'`"
 if [ ! -e "/var/lib/apt/lists/$FILE" ]; then
 if [ "$Y" = "" ]; then
@@ -55,7 +55,7 @@
 return
 fi
 X="`md5sum < /var/lib/apt/lists/$FILE` `wc -c < /var/lib/apt/lists/$FILE`"
- X="`echo "$X" | sed 's/^ *//;s/ */ /g'`"
+ X="`echo "$X" | sed 's/-//;s/^ *//;s/ */ /g'`"
 if [ "$X" != "$Y" ]; then
 echo "$FILE" >>BAD
 echo "BAD"
Prüfung von Debian-fremden Quellen
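Review bot: The context line of the second hunk, `X="`md5sum < /var/lib/apt/lists/$FILE` `wc -c < /var/lib/apt/lists/$FILE`"`, does not match the listing printed above, where md5sum's output is already piped through `cut -d\ -f1` before the size is appended; applied with patch(1) against that listing the hunk is rejected, and the cut already discards the " -" suffix the patch is meant to remove. The first hunk still matters, since it normalises the expected value from get_md5sumsize, whose definition is outside this excerpt. Note also that `s/-//` deletes the first hyphen anywhere in the string; for a hex digest followed by a size that is harmless, but `s/ -$//` on the md5sum output alone would state the intent exactly. checkit's header and the get_md5sumsize helper are not shown here.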

Beachten Sie, dass, wenn Sie die neuste Version von Apt (mit Secure Apt) einsetzen, kein zusätzlicher Aufwand auf Ihrer Seite notwendig sein sollte, wenn Sie keine Debian-fremden Quellen verwenden. In diesen Fällen erfordert apt-get eine zusätzliche Bestätigung. Dies wird verhindert, wenn Release- und Release.gpg-Dateien in den Debian-fremden Quellen zur Verfügung stehen. Die Release-Datei kann mit apt-ftparchive (ist in apt-utils 0.5.0 und später enthalten) erstellt werden, die Release.gpg ist nur die abgetrennte Signatur. Beide können mit folgender einfacher Prozedur erstellt werden: $ rm -f dists/unstable/Release $ apt-ftparchive release dists/unstable > dists/unstable/Release $ gpg --sign -ba -o dists/unstable/Release.gpg dists/unstable/Release Alternativer Entwurf zur Einzelsignierung von Paketen

Dieser zusätzliche Entwurf, jedes Paket einzeln zu signieren, erlaubt es, Pakete zu prüfen, selbst wenn sie nicht mehr in irgendeiner Packages-Datei erwähnt werden. Und so können auch Pakete von Dritten, für die es nie eine Packages-Datei gab, unter Debian installiert werden. Dies wird aber kein Standard werden.

Dieser Entwurf zur Paketsignierung kann mit debsig-verify und debsigs umgesetzt werden. Diese beiden Pakete können in einer .deb-Datei eingebettete Unterschriften erstellen und prüfen. Debian hat bereits jetzt die Möglichkeiten, dies zu tun. Aber es gibt keine Planung, dieses Regelwerk oder ähnliche Werkzeuge umzusetzen, da nunmehr das Schema mit der Signierung des Archivs bevorzugt wird. Die Werkzeuge werden dennoch für Benutzer und Administratoren von Archiven zur Verfügung gestellt, wenn sie diese Vorgehensweise bevorzugen.

Die aktuellen Versionen von dpkg (seit 1.9.21) beinhalten einen , der diese Funktionen zur Verfügung stellt, sobald debsig-verify installiert ist.

HINWEIS: Derzeit wird /etc/dpkg/dpkg.cfg standardmäßig mit der Option "no-debsig" ausgeliefert.

HINWEIS 2: Unterschriften von Entwicklern werden im Moment entfernt, wenn sie in das Paketarchiv gelangen, da die derzeit vorzugswürdige Methode die Überprüfung der Release-Datei ist, wie es oben beschrieben wurde. harden-doc-3.15.1/howto-source/de/faq.sgml0000644000000000000000000020355110714670004015161 0ustar Häufig gestellte Fragen / Frequently asked Questions (FAQ)

Dieses Kapitel führt Sie in ein paar der am häufigsten gestellten Fragen in der Security-Mailingliste von Debian ein. Sie sollten sie lesen, bevor Sie dort etwas posten, oder die Leute werden Ihnen "RTFM!" sagen. Sicherheit im Debian Betriebssystem Ist Debian sicherer als X?

Ein System ist so sicher, wie der Administrator fähig ist, es sicher zu machen. Debians Standardinstallation von Diensten zielt darauf ab, sicher zu sein. Sie ist aber nicht so paranoid wie andere Betriebssysteme, die Dienste standardmäßig abschalten. In jedem Fall muss der Systemadministrator die Sicherheit des Systems den lokalen Sicherheitsmaßstäben anpassen.

Für eine Übersicht der Sicherheitslücken von vielen Betriebssystemen sollten Sie sich die ansehen oder sich selber Statistiken mit der (früher ICAT) erstellen. Sind diese Daten nützlich? Es müssen verschiedene Faktoren berücksichtigt werden, wenn die Daten interpretiert werden sollen. Man sollte beachten, dass diese Daten nicht dazu verwendet werden können, um die Verwundbarkeit eines Betriebssystems mit der eines anderen zu vergleichen. Zum Beispiel könnte es auf Grundlage einiger Daten scheinen, dass Windows NT sicherer ist als Linux. Dies wäre eine fragwürdige Annahme. Das liegt daran, dass Linux-Distributionen normalerweise viel mehr Anwendungen zur Verfügung stellen als Microsofts Windows NT. Dieses Problem des Abzählens von Sicherheitslücken wird besser in von David A. Wheeler beschrieben. Bedenken Sie außerdem, dass sich einige registrierte Sicherheitslücken im Zusammenhang mit Debian nur auf den Unstable-Zweig, also den nicht offiziell veröffentlichten Zweig, beziehen. Ist Debian sicherer als andere Linux-Distributionen (wie Red Hat, SuSE, ...)?

Der Unterschied zwischen den Linux-Distributionen ist nicht sehr groß mit Ausnahme der Basisinstallation und der Paketverwaltung. Die meisten Distributionen beinhalten zum Großteil die gleichen Anwendungen. Der Hauptunterschied besteht in den Versionen dieser Programme, die mit der stabilen Veröffentlichung der Distribution ausgeliefert werden. Zum Beispiel sind der Kernel, Bind, Apache, OpenSSH, Xorg, gcc, zlib, etc. in allen Linux-Distributionen vorhanden.

Ein Beispiel: Red Hat hatte Pech und wurde veröffentlicht, als foo 1.2.3 aktuell war. Später wurde darin eine Sicherheitslücke entdeckt. Dagegen hatte Debian das Glück, dass es mit foo 1.2.4 ausgeliefert wurde, in dem der Fehler schon behoben war. Das war der Fall beim großen Problem mit vor ein paar Jahren.

Es besteht eine weitgehende Zusammenarbeit zwischen den jeweiligen Sicherheitsteams der großen Linux-Distributionen. Es kommt selten (wenn überhaupt) vor, dass die Anbieter einer Distribution bekannte Sicherheitsaktualisierungen nicht einspielen. Das Wissen um eine Sicherheitslücke wird niemals vor anderen Anbietern von Distributionen geheim gehalten, da die Ausbesserungen gewöhnlich vom Programmautor oder von koordiniert werden. Das hat zur Folge, dass notwendige Sicherheitsaktualisierungen üblicherweise zur selben Zeit veröffentlicht werden. Damit ist die relative Sicherheit der verschiedenen Distributionen ziemlich ähnlich.

Einer der großen Vorteile von Debian in Hinblick auf die Sicherheit ist die Leichtigkeit von Systemaktualisierungen mit apt. Hier sind ein paar andere Aspekte über die Sicherheit in Debian, die Sie berücksichtigen sollten: Debian bietet mehr Sicherheitswerkzeuge an als andere Distributionen. Vergleichen Sie dazu . Debians Standardinstallation ist kleiner (weniger Funktionen) und daher sicherer. Andere Distributionen tendieren im Namen der Benutzerfreundlichkeit dazu, standardmäßig viele Dienste zu installieren, und manchmal sind diese nicht ordentlich konfiguriert (denken Sie an oder ). Debians Installation ist nicht so streng wie OpenBSD (dort laufen Daemonen standardmäßig nicht), aber es ist ein guter Kompromiss. Ohne die Tatsache in Abrede zu stellen, dass einige Distributionen wie Red Hat oder Mandrake auch die Sicherheit bei ihrer Standardinstallation berücksichtigen, indem der Nutzer Sicherheitsprofile auswählen kann, oder Wizards verwendet werden, um beim Einrichten einer Personal Firewall zu helfen. Debian stellt die besten Verfahren zur Sicherheit in Dokumenten wie diesem vor. In Bugtraq gibt es viele Debian-Fehler. Heißt das, dass es sehr gefährdet ist?

Die Debian-Distribution enthält eine große und wachsende Zahl von Softwarepaketen, wahrscheinlich sogar mehr als mit vielen proprietären Betriebssystem geliefert wird. Je mehr Pakete installiert sind, desto größer ist die Möglichkeit von Sicherheitslücken in einem System.

Immer mehr Menschen untersuchen den Quellcode, um Fehler zu entdecken. Es gibt viele Anweisungen im Zusammenhang mit Audits des Quellcodes von großen Softwarekomponenten, die in Debian enthalten sind. Immer wenn ein solcher Audit Sicherheitslücken aufdeckt, werden sie ausgebessert und eine Anweisung wird an Listen wie Bugtraq geschickt.

Fehler, die in der Debian-Distribution vorhanden sind, betreffen normalerweise auch andere Anbieter und Distributionen. Prüfen Sie einfach den "Debian specific: yes/no"-Abschnitt am Anfang jeder Anweisung (DSA). Hat Debian irgendein Zertifikat für Sicherheit?

Die kurze Antwort: Nein.

Die lange Antwort: Zertifikate kosten Geld (besonders ein seriöses Sicherheitszertifikat). Niemand hat die Ressourcen aufgebracht, um Debian GNU/Linux beispielsweise mit irgendeinem Level des zertifizieren zu lassen. Wenn Sie daran interessiert sind, eine GNU/Linux-Distribution mit Sicherheitszertifikaten zu haben, stellen Sie uns die Ressourcen zur Verfügung, um dies möglich zu machen.

Es gibt im Moment mindestens zwei Linux-Distributionen, die mit verschiedenen Levels zertifiziert sind. Beachten Sie, dass einige CC-Tests im vorhanden sind, welche in Debian durch ltp angeboten wird. Gibt es irgendein Abhärtungsprogramm für Debian?

Ja. , das sich ursprünglich an anderen Linux-Distributionen (Red Hat und Mandrake) orientierte, funktioniert derzeit auch mit Debian. Es sind Maßnahmen eingeleitet, um Änderungen am Originalprogramm auch in das Debianpaket bastille einfließen zu lassen.

Manche Leute glauben jedoch, dass ein Absicherungsprogramm nicht die Notwendigkeit einer guten Administration ersetzt. Ich möchte einen XYZ-Dienst laufen lassen. Welchen sollte ich benutzen?

Eine der größten Stärken von Debian ist die große Vielfalt von Paketen, die die gleichen Funktionen erfüllen (DNS-Server, Mail-Server, FTP-Server, Web-Server etc.). Das kann einen unerfahrenen Administrator verwirren, wenn er herausfinden will, welches Paket das richtige für ihn ist. Die beste Wahl hängt von der Balance zwischen Ihrem Bedürfnis nach Funktionalität und dem nach Sicherheit in der jeweiligen Situation ab. Im Folgenden einige Fragen, die Sie sich stellen sollten, wenn Sie zwischen ähnlichen Paketen entscheiden müssen: Wird es noch vom Originalautor betreut? Wann war die letzte Veröffentlichung? Ist das Paket ausgereift? Die Versionsnummer sagt nichts darüber aus, wie ausgereift es ist. Versuchen Sie seine Geschichte nachzuvollziehen. Ist es von Fehlern durchsetzt? Gab es Sicherheits-Ankündigungen im Zusammenhang mit ihm? Stellt die Software die ganze Funktionalität zur Verfügung, die Sie benötigen? Bietet es mehr, als Sie wirklich brauchen? Wie mache ich den Dienst XYZ unter Debian sicherer?

Sie werden in diesem Dokument Informationen über das Absichern von einigen Diensten (FTP, Bind) unter Debian GNU/Linux finden. Für Dienste, die hier nicht abgedeckt werden, prüfen Sie die Programm-Dokumentation oder allgemeine Linux-Informationen. Die meisten Sicherheitshinweise für Unix-Systeme sind auch auf Debian anwendbar. So wird Dienst X unter Debian in den meisten Fällen wie in einer anderen Linux-Distribution (oder Un*x, was das betrifft) abgesichert. Wie kann ich die Banner der Dienste entfernen?

Wenn Sie z.B. nicht wollen, dass Nutzer sich mit Ihrem POP3-Daemon verbinden und dadurch Informationen über Ihr System erlangen, sollten Sie das Banner, das der Dienst den Nutzern zeigt, entfernen (oder verändern). Beachten Sie, dass das 'security by obscurity' ist und daher auf lange Sicht gesehen wahrscheinlich nicht der Mühe wert ist. Wie Sie das anstellen können, hängt von der Software ab, mit der Sie einen bestimmten Dienst betreiben. Für postfix stellen Sie beispielsweise das SMTP-Banner in /etc/postfix/main.cf ein: smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)

Andere Software kann nicht so leicht verändert werden. ssh muss neu kompiliert werden, um die angezeigte Version zu ändern. Stellen Sie sicher, dass sie nicht den ersten Teil des Banners (SSH-2.0) entfernen, da Clients ihn verwenden, um die von Ihrem Paket unterstützten Protokolle zu identifizieren. Sind alle Debian Pakete sicher?

Das Sicherheitsteam von Debian kann nicht alle Pakete aus Debian auf potenzielle Sicherheitslücken hin analysieren, da es einfach nicht genug Ressourcen gibt, um für das gesamte Projekt ein Quellcodeaudit durchzuführen. Allerdings profitiert Debian von den Quellcode-Prüfungen durch die Originalautoren.

Tatsächlich könnte ein Debian-Entwickler in einem Paket einen Trojaner verbreiten, und es gibt keine Möglichkeit das nachzuprüfen. Sogar wenn es in einen Zweig von Debian eingeführt werden würde, wäre es unmöglich, alle möglichen Situationen abzudecken, in denen der Trojaner ausgeführt werden würde. Das ist der Grund, warum Debian eine "Keine Gewährleistung"-Klausel in seiner Lizenz hat.

Allerdings können Debian-Benutzer insofern Vertrauen fassen, dass der stabile Quellcode eine breite Prüfung hinter sich hat. Die meisten Probleme würden dabei durch Benutzung entdeckt. Es ist nicht zu empfehlen, ungetestete Software auf kritischen Systemen zu installieren, wenn Sie nicht die notwendige Code-Prüfung vornehmen können. In jedem Fall gewährleistet der Aufnahmeprozess in die Distribution (mit digitalen Signaturen), dass im Falle von in die Distribution eingeschleusten Sicherheitsproblemen das Problem letztendlich zum Entwickler zurückgeführt werden kann. Das Debian-Projekt hat diese Angelegenheiten nie auf die leichte Schulter genommen. Warum sind einige Log- und Konfigurationsdateien für die Welt lesbar? Ist das nicht unsicher?

Natürlich können Sie die Standardrechte von Debian auf Ihrem System abändern. Der aktuelle Grundsatz in Bezug auf Log- und Konfigurationsdateien besagt, dass sie für die Welt lesbar sind, es sei denn, sie enthalten sensible Informationen.

Seien Sie vorsichtig, wenn Sie Änderungen vornehmen: Prozesse könnten nicht mehr in der Lage sein, in Log-Dateien zu schreiben, wenn Sie ihre Rechte einschränken. Einige Anwendungen könnten nicht mehr funktionieren, wenn sie ihre Konfigurationsdatei nicht mehr lesen können. Wenn Sie zum Beispiel das Recht, für die Welt lesbar zu sein, von /etc/samba/smb.conf entfernen, kann das Programm smbclient nicht funktionieren, wenn es von einem normalen Nutzer ausgeführt wird.

FIXME: Check if this is written in the Policy. Some packages (i.e. ftp daemons) seem to enforce different permissions. Warum hat /root/ (oder NutzerX) die Rechte 755?

Tatsächlich kann die gleiche Frage auch für jeden anderen Nutzer gestellt werden. Da Debians Standardinstallation keine Dateien unter diesem Verzeichnis ablegt, sind keine sensiblen Informationen vorhanden, die geschützt werden müssten. Wenn Sie denken, dass diese Rechte für Ihr System zu locker sind, können Sie sie auf 750 einschränken. Für Nutzer sollten Sie lesen.

Dieser der Sicherheitsmailingliste von Debian hat weitere Ausführungen zu diesem Thema. Nach der Installation von grsec oder einer Firewall bekomme ich viele Nachrichten auf der Konsole. Wie entferne ich sie?

Wenn Sie Nachrichten auf der Konsole empfangen und /etc/syslog.conf so eingerichtet haben, dass sie in Dateien oder auf ein spezielles TTY umgeleitet werden, sehen Sie vielleicht Nachrichten, die direkt an die Konsole geschickt werden.

Der Standardloglevel der Konsole ist bei jedem Kernel sieben, was bedeutet, dass alle Nachrichten mit einer niedrigeren Priorität auf der Konsole erscheinen werden. Für gewöhnlich haben Firewalls (die LOG-Regel) und einige andere Sicherheitswerkzeuge eine niedrigere Log-Priorität. Daher werden ihre Logs direkt an die Konsole geschickt.

Um die Nachrichten, die an die Konsole geschickt werden, zu verringern, können Sie dmesg (Option -n, vergleichen Sie ) verwenden, das den Ringspeicher des Kernels untersucht und steuert. Damit das nach dem nächsten Neustart in Ordnung ist, ändern Sie in /etc/init.d/klogd KLOGD=""

zu KLOGD="-c 4"

ab.

Verwenden Sie eine niedrigere Nummer für -c, wenn Sie immer noch unerwünschte Nachrichten sehen. Eine Beschreibung der verschiedenen Loglevels befindet sich in /usr/include/sys/syslog.h: #define LOG_EMERG 0 /* system is unusable */ #define LOG_ALERT 1 /* action must be taken immediately */ #define LOG_CRIT 2 /* critical conditions */ #define LOG_ERR 3 /* error conditions */ #define LOG_WARNING 4 /* warning conditions */ #define LOG_NOTICE 5 /* normal but significant condition */ #define LOG_INFO 6 /* informational */ #define LOG_DEBUG 7 /* debug-level messages */ Benutzer und Gruppen des Betriebssystems Sind alle Systemnutzer notwendig?

Ja und nein. Debian wird mit einigen vordefinierten Nutzern (User-ID (UID) < 99, beschrieben in der oder in /usr/share/doc/base-passwd/README) geliefert. Dadurch wird die Installation einiger Dienste erleichtert, für die es notwendig ist, unter einem passenden Nutzer/UID zu laufen. Wenn Sie nicht vorhaben, neue Dienste zu installieren, können Sie die Nutzer entfernen, denen keine Dateien auf Ihrem System gehören und die keine Dienste laufen lassen. Unabhängig davon ist das Standardverhalten in Debian, dass UIDs von 0 bis 99 reserviert sind und UIDs von 100 bis 999 von Paketen bei der Installation erstellt werden und gelöscht werden, wenn das Paket vollständig gelöscht (purge) wird.

Benutzer, denen keine Dateien gehören, finden Sie leicht mit dem folgenden Kommando (bedenken Sie, dass damit Ihr gesamtes System durchsucht wird; falls Sie viele Festplatten und Partitionen haben, sollten Sie u.U. den Suchrahmen einschränken). Führen Sie es als Root aus, da ein normaler Benutzer nicht genügend Zugriffsrechte haben könnte, um einige sensible Verzeichnisse zu durchsuchen: cut -f 1 -d : /etc/passwd | \ while read i; do find / -user "$i" | grep -q . || echo "$i"; done

Diese Nutzer kommen aus dem Paket base-passwd. Sie finden Informationen über die Behandlung dieser Nutzer unter Debian in der Dokumentation des Pakets. Es folgt nun eine Liste der Standardnutzer (mit einer entsprechenden Gruppe): root: Root ist (typischerweise) der Superuser. daemon: Einige unprivilegierte Daemonen, die Dateien auf die Festplatte schreiben müssen, laufen als daemon.daemon (z.B. portmap, atd, wahrscheinlich noch andere). Daemonen, die keine eigenen Dateien besitzen müssen, können stattdessen als nobody.nogroup laufen. Komplexere oder sicherheitsbewusste Daemonen laufen als eigenständige Nutzer. Der Nutzer daemon ist auch praktisch für lokal installierte Daemons. bin: aus historischen Gründen beibehalten. sys: das gleiche wie bei bin. Jedoch gehören /dev/vcs* und /var/spool/cups der Gruppe sys. sync: Die Shell des Nutzers sync ist /bin/sync. Wenn das Passwort auf etwas leicht zu ratendes gesetzt wurde (zum Beispiel ""), kann jeder das System von der Konsole aus synchronisieren lassen, auch wenn er kein Konto hat. games: Viele Spiele sind SETGID games, so dass sie ihre Highscore-Dateien schreiben können. Dies wird in der Policy erklärt. man: Das Programm man läuft (manchmal) als Nutzer man, damit es Cat-Seiten nach /var/cache/man schreiben kann. lp: Wird von Druck-Daemonen benutzt. mail: Mailboxen unter /var/mail gehören der Gruppe mail, wie in der Policy erklärt wird. Der Nutzer und die Gruppe werden auch von verschiedene MTAs zu anderen Zwecken benutzt. news: Verschiedene News-Server und ähnliche Programme (zum Beispiel suck) benutzen den Nutzer und die Gruppe news auf unterschiedliche Weise. Dateien im news-Spool gehören häufig dem Nutzer und der Gruppe news. Programme wie inews, die man benutzen kann, um News zu posten, sind normalerweise SETGID news. uucp: Der Nutzer uucp und die Gruppe uucp werden vom UUCP-Subsystem benutzt. Ihnen gehören Spool- und Konfigurationsdateien. Nutzer in der Gruppe uucp können uucico aufrufen. 
proxy: Wie Daemon wird dieser Nutzer und diese Gruppe von manchen Daemonen (insbesondere Proxy-Daemonen) verwendet, die keine spezielle User-ID haben, aber eigene Dateien besitzen müssen. Zum Beispiel wird die Gruppe proxy von pdnsd benutzt, und squid läuft als Nutzer proxy. majordom: Majordomo hat auf Debian-Systemen aus historischen Gründen eine statisch zugewiesene UID. Auf neuen Systemen wird sie nicht installiert. postgres: Postgresql-Datenbanken gehören diesem Nutzer und dieser Gruppe. Alle Dateien in /var/lib/postgresql gehören diesem Nutzer, um anständige Sicherheit zu gewährleisten. www-data: Einige Web-Server laufen als www-data. Web-Inhalte sollten nicht diesem Nutzer gehören, andernfalls wäre ein kompromittierter Web-Server in der Lage, eine Web-Seite zu überschreiben. Daten, die der Web-Server schreibt, einschließlich Log-Dateien, gehören www-data. backup: So können Backup-/Wiederherstellungszuständigkeiten lokal an irgendjemanden ohne volle Root-Zugriff delegiert werden. operator: operator ist historisch (und praktisch) das einzige 'Nutzer'-Konto, in das man sich entfernt einloggen kann, und das nicht von NIS/NFS abhängt. list: Mailinglisten-Archive und Daten gehören diesem Nutzer und dieser Gruppe. Manche Mailinglisten-Programme laufen auch unter diesem Nutzer. irc: Wird von irc-Daemonen benutzt. Ein statisch zugewiesener Nutzer wird nur wegen eines Fehlers in ircd benötigt, das beim Start SETUID() auf sich selbst für eine bestimmte UID ausführt. gnats. nobody, nogroup: Daemonen die keine eigenen Dateien haben laufen als Nutzer nobody und Gruppe nogroup. Demzufolge sollten keine Dateien auf dem gesamten System diesem Nutzer oder dieser Gruppe gehören.

Andere Gruppe, die keinen dazugehörigen Benutzer haben: adm: Die Gruppe adm wird zu Zwecken der Überwachung benutzt. Mitglieder dieser Gruppe können viele Dateien in /var/log lesen und die xconsole benutzen. /var/log war früher einmal /usr/adm (und später /var/adm), daher der Name dieser Gruppe. tty: TTY-Geräte gehören dieser Gruppe. Die Befehle write und wall benutzen dies, um auf die TTYs anderer Leute zu schreiben. disk: Roh-Zugriff auf Festplatten. Größtenteils äquivalent zum Root-Zugriff. kmem: /dev/kmem und ähnliche Dateien sind von dieser Gruppe lesbar. Dies ist größtenteils ein Relikt aus BSD. Aber jedes Programm, dass Lese-Zugriff auf den Systemspeicher braucht, kann so SETGID kmem gemacht werden. dialout: Voller und direkter Zugriff auf serielle Schnittstellen. Mitglieder dieser Gruppen können Modems rekonfigurieren, sich irgendwo einwählen, usw. dip: Der Name der Gruppe steht für "Dial-up IP". Mitglied der Gruppe dip zu sein erlaubt Ihnen Programme wie ppp, dip, wvdial usw. zu benutzen, um eine Verbindung herzustellen. Die Nutzer in dieser Gruppe können das Modem nicht konfigurieren. Sie können lediglich Programme aufrufen, die es benutzen. fax: Erlaubt es den Mitgliedern, Fax-Software zu benutzen, um Faxe zu senden und zu empfangen. voice: Voicemail, nützlich für Systeme, die Modems als Anrufbeantworter benutzen. cdrom: Diese Gruppe kann dazu benutzt werden, einer bestimmen Menge von Nutzern Zugriff auf CD-ROM-Laufwerke zu geben. floppy: Diese Gruppe kann dazu benutzt werden, einer bestimmen Menge von Nutzern Zugriff auf Diskettenlaufwerke zu geben. tape: Diese Gruppe kann dazu benutzt werden, einer bestimmen Menge von Nutzern Zugriff auf Bandlaufwerke zu geben. sudo: Mitglieder dieser Gruppe müssen ihr Passwort nicht eingeben, wenn sie sudo benutzen. Siehe /usr/share/doc/sudo/OPTIONS. audio: Diese Gruppe kann dazu benutzt werden, einer bestimmen Menge von Nutzern Zugriff auf jedes Audiogerät zu geben. 
src: Dieser Gruppe gehören die Quellcodes, einschließlich der Dateien in /usr/src. Sie kann benutzt werden, um einem bestimmten Nutzern die Möglichkeit zu bieten, Quellcode des Systems zu verwalten. shadow: /etc/shadow ist von dieser Gruppe lesbar. Einige Programme, die auf diese Datei zugreifen müssen, sind SETGID shadow. utmp: Diese Gruppe kann nach /var/run/utmp und ähnlichen Dateien schreiben. Programme, die darin schreiben können müssen, sind SETGID utmp. video: Diese Gruppe kann dazu benutzt werden, einer bestimmen Menge von Nutzern Zugriff auf ein Videogerät zu geben. staff: Erlaubt Nutzern lokale Modifikationen am System vorzunehmen (/usr/local, /home), ohne dass sie Root-Privilegien bräuchten. Vergleichen Sie sie mit "adm", die sich mehr auf Überwachung/Sicherheit bezieht. users: Während Debian-Systeme standardmäßig das System einer privaten Nutzergruppe (jeder Nutzer hat seine eigene Gruppe) benutzen, ziehen es manche vor, ein traditionelleres Gruppen-System zu verwenden. In diesem System ist jeder Nutzer Mitglied dieser Gruppe. Ich entfernte einen Systembenutzer! Wie kann ich dies rückgängig machen?

Wenn Sie einen Systembenutzer entfernt und kein Backup Ihrer password- und group-Dateien haben, können Sie versuchen, diesen mittels update-passwd (vergleichen Sie ) wiederherzustellen. Was ist der Unterschied zwischen den Gruppen adm und staff?

Die Gruppe 'adm' besteht üblicherweise aus Administratoren. Die Rechte dieser Gruppe erlauben es ihnen, Log-Dateien zu lesen, ohne su benutzen zu müssen. Die Gruppe 'staff' ist gewöhnlich für Kundendienst- und Junioradministratoren bestimmt und gibt ihnen die Möglichkeit, Dinge in /usr/local zu erledigen und Verzeichnisse in /home anzulegen. Warum gibt es eine neue Gruppe, wenn ich einen neuen Nutzer anlege? (Oder warum gibt Debian jedem Nutzer eine eigene Gruppe?)

Das Standardverhalten von Debian ist, dass jeder Nutzer seine eigene, persönliche Gruppe hat. Das traditionelle UN*X-Modell weist alle Benutzer der Gruppe users zu. Zusätzliche Gruppe werden erstellt, um den Zugang zu gemeinsam genutzten Dateien, die mit verschiedenen Projektverzeichnissen verbunden sind, einzuschränken. Die Dateiverwaltung wurde schwierig, wenn ein einzelner Nutzer an verschiedenen Projekten arbeitete, da, wenn jemand eine Datei erstellte, diese mit der primären Gruppe des Erstellers (z.B. 'users') verbunden war.

Das Modell von Debian löst dieses Problem, indem es jedem Nutzer seine eigene Gruppe zuweist. So wird mit einer korrekten Umask (0002) und mit dem SETGID-Bit für ein Projektverzeichnis den Dateien, die in diesem Verzeichnis erstellt werden, automatisch die richtige Gruppe zugewiesen. Das erleichtert die Arbeit von Menschen, die an verschiedenen Projekten arbeiten, da sie nicht die Gruppe oder Umasks ändern müssen, wenn sie mit gemeinsam genutzten Dateien arbeiten.

Sie können allerdings dieses Verhalten verändern, indem Sie /etc/adduser.conf modifizieren. Ändern Sie die Variable USERGROUPS auf 'no' ab. Dadurch wird keine neue Gruppe erstellt, wenn ein neuer Nutzer angelegt wird. Sie sollten auch USERS_GID die GID der Gruppe zuweisen, der alle Nutzer angehören. Fragen über Dienste und offene Ports Warum werden Dienste während der Installation aktiviert?

Das ist die Annäherung an das Problem, auf der einen Seite sicherheitsbewusst und auf der anderen Seite benutzerfreundlich zu sein. Anders als OpenBSD, das alle Dienste abschaltet, bis sie vom Administrator aktiviert werden, aktiviert Debian GNU/Linux alle installierten Dienste, bis sie abgeschaltet werden (siehe dazu ). Immerhin haben Sie den Dienst installiert, oder?

Es gab viele Diskussionen auf Debian-Mailinglisten (sowohl auf debian-devel als auch auf debian-security) darüber, welches die bessere Vorgehensweise für eine Standardinstallation ist. Jedoch gab es bisher (10. März 2002) keinen Konsens. Kann ich inetd entfernen?

Inetd ist nicht leicht zu entfernen, da netbase von dem Paket abhängt, das es enthält (netkit-inetd). Wenn Sie es entfernen wollen, können Sie es entweder abschalten (siehe ) oder das Paket entfernen, indem Sie das Paket equivs benutzen. Warum muss ich Port 111 offen haben?

Port 111 ist sunrpcs Portmapper und wird standardmäßig bei der Grundinstallation eines Debian-Systems eingerichtet, da es keine Möglichkeit gibt herauszubekommen, wann ein Programm eines Nutzers RPC gebrauchen könnte, um korrekt zu arbeiten. Jedenfalls wird es meistens von NFS benutzt. Wenn Sie kein NFS benutzen, entfernen Sie es, wie in erklärt.

In Versionen des Pakets portmap später als 5-5 können Sie sogar den Portmapper installieren, aber ihn nur auf dem Localhost lauschen lassen (dazu müssen Sie /etc/default/portmap verändern). Wozu ist der identd (Port 113) da?

Der Dienst Identd ist ein Authentisierungsdienst, der den Besitzer einer bestimmten TCP/IP-Verbindung zu einem entfernten Server, der die Verbindung annimmt, identifiziert. Wenn ein Benutzer sich mit einem entfernten Host verbindet, schickt inetd auf dem entfernten Host üblicherweise eine Anfrage an Port 113 zurück, um Informationen über den Besitzer herauszufinden. Er wird häufig von Mail-, FTP- und IRC-Servern eingesetzt. Er kann auch dazu verwendet werden, um einen Nutzer Ihres lokalen Systems, der ein entferntes System angreift, aufzuspüren.

Es gab ausführliche Diskussionen über die Sicherheit von identd (siehe in den ). Im Allgemeinen ist identd auf Multi-User-Systemen nützlicher als auf einer Workstation mit nur einem Benutzer. Wenn Sie keine Verwendung für ihn haben, sollten Sie ihn abschalten, damit Sie keinen Dienst für die Außenwelt offen lassen. Wenn Sie sich entscheiden, den identd-Port mit einer Firewall zu blockieren, benutzen Sie bitte die Regel 'reject' und nicht die Regel 'deny', da andernfalls eine Verbindung zu einem Server, der identd verwendet, bis zu einer Zeitüberschreitung hängen bleiben wird (lesen Sie dazu ). Ich habe Dienste, die die Ports 1 und 6 verwenden. Welche sind das und wie kann ich sie entfernen?

Sie führen den Befehl netstat -an aus und erhalten Folgendes: Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name raw 0 0 0.0.0.0:1 0.0.0.0:* 7 - raw 0 0 0.0.0.0:6 0.0.0.0:* 7 -

Sie sehen keine Prozesse, die auf dem TCP/UDP-Port 1 und 6 lauschen. Tatsächlich sehen Sie einen Prozess, der auf einem Raw-Socket für Protokoll 1 (ICMP) und 6 (TCP) lauscht. Ein solches Verhalten ist für Trojaner und einige Systeme zur Eindringlingserkennung wie iplogger und portsentry üblich. Wenn Sie diese Pakete besitzen, löschen Sie sie einfach. Falls nicht, versuchen Sie mit netstats Option -p (Prozess) herauszufinden, welcher Prozess diese Lauscher betreibt. Ich habe festgestellt, dass ich den folgenden Port (XYZ) offen habe. Kann ich ihn schließen?

Ja, natürlich. Die Ports, die Sie offen lassen, hängen von Ihrem individuellen Regelwerk bezüglich öffentlich zugänglicher Dienste ab. Prüfen Sie, ob sie von inetd (siehe ) oder von anderen installierten Paketen geöffnet werden, und leiten Sie passende Maßnahmen ein (d.h. konfigurieren Sie inetd, entfernen Sie das Paket, verhindern Sie, dass der Dienst beim Booten gestartet wird). Hilft das Löschen von Diensten aus /etc/services, um meinen Rechner abzusichern?

Nein, /etc/services stellt nur eine Verbindung zwischen virtuellem Namen und Portnummer her. Das Entfernen von Namen aus dieser Datei verhindert (üblicherweise) nicht, dass ein Dienst gestartet wird. Manche Daemonen starten vielleicht nicht, wenn /etc/services verändert wurde, aber das ist nicht die Norm. Um einen Dienst richtig abzuschalten, sehen Sie sich an. Allgemeine Sicherheitsfragen Ich habe mein Passwort vergessen und kann auf das System nicht mehr zugreifen!

Die nötigen Schritte, um wieder Zugriff zu erhalten, hängen davon ab, ob Sie die vorgeschlagene Prozedur zum Absichern von lilo und BIOS durchgeführt haben oder nicht.

Wenn Sie beides eingeschränkt haben, müssen Sie im BIOS erlauben, von anderen Medien als der Festplatte zu booten, bevor Sie weitermachen können. Wenn Sie auch Ihr BIOS-Passwort vergessen haben, müssen Sie Ihr BIOS zurücksetzen. Dazu öffnen Sie das PC-Gehäuse und entfernen die BIOS-Batterie.

Sobald Sie das Booten von CD-ROM oder Diskette eingeschaltet haben, sollten Sie Folgendes ausprobieren: Booten Sie von eine Rettungsdiskette und starten den Kernel. Wechseln Sie mit Alt+F2 auf eine virtuelle Konsole. Mounten Sie die Partition, auf der sich Ihr /root befindet. Editieren Sie (auf der Rettungsdiskette von Debian 2.2 befindet sich ae, Debian 3.0 enthält nano-tiny, der vi ähnelt) die Datei /etc/shadow und ändern Sie die Zeile: root:asdfjl290341274075:XXXX:X:XXXX:X::: (X=irgendeine Ziffer)

in: root::XXXX:X:XXXX:X:::

Dies entfernt das vergessene Root-Passwort, das sich im ersten durch Doppelpunkte abgetrennten Feld nach dem Nutzernamen befand. Speichern Sie die Datei ab, starten Sie das System neu und melden Sie sich als Root mit einem leeren Passwort an. Dies wird funktionieren, außer wenn Sie Ihr System etwas sicherer eingestellt haben, d.h. wenn Sie nicht erlauben, dass Nutzer leere Passwörter haben, oder dass Root sich auf einer Konsole einloggen kann.

Falls Sie derartige Maßnahmen getroffen haben, müssen Sie im Single-User-Modus starten. Wenn Sie LILO eingeschränkt haben, müssen Sie lilo erneut ausführen, nachdem Sie das Root-Passwort zurückgesetzt haben. Das ist ziemlich verzwickt, da Ihre /etc/lilo.conf verändert werden muss, weil das Root-Dateisystem (/) eine RAM-Disk und keine echte Festplatte ist.

Sobald LILO nicht mehr eingeschränkt ist, versuchen Sie Folgendes: Drücken Sie Alt, Shift oder Steuerung (Control), kurz bevor das BIOS seine Arbeit beendet hat, und Sie sollten nun einen LILO-Prompt erhalten. Geben Sie am Prompt linux single, linux init=/bin/sh oder linux 1 ein. Sie erhalten einen Shell-Prompt im Single-User-Modus (Sie werden nach dem Passwort gefragt, aber das kennen Sie jetzt ja) Binden Sie die Root-Partition (/) im Schreib/Lese-Modus neu ein, indem Sie den Befehl mount verwenden: mount -o remount,rw / Ändern Sie das Superuser-Passwort mit passwd (da Sie der Superuser sind, werden Sie nicht nach dem alten Passwort gefragt). Wie muss ich vorgehen, wenn ich meinen Nutzern einen Dienst anbieten möchte, ihnen aber kein Shell-Konto geben will?

Wenn Sie zum Beispiel einen POP-Dienst anbieten wollen, müssen Sie nicht für jeden zugreifenden Benutzer ein Konto anlegen. Am besten setzen Sie hierzu eine Authentifizierung, die auf Verzeichnissen basiert, durch einen externen Dienst (wie Radius, LDAP oder eine SQL-Datenbank) ein. Installieren Sie einfach die gewünschte PAM-Bibliothek (libpam-radius-auth, libpam-ldap, libpam-pgsql oder libpam-mysql), lesen Sie die Dokumentation (Einsteiger sehen bitte unter nach) und konfigurieren Sie den PAM-nutzenden Dienst, so dass er Ihr Backend benutzt. Bearbeiten Sie dazu die dem Dienst entsprechenden Dateien unter /etc/pam.d/ und ändern Sie die folgende Zeile von auth required pam_unix_auth.so shadow nullok use_first_pass beispielsweise für ldap zu: auth required pam_ldap.so

Im Fall von LDAP-Verzeichnissen liefern manche Dienste LDAP-Schemata mit, die Sie Ihrem Verzeichnis hinzufügen können, um eine LDAP-Authentifizierung zu benutzen. Wenn Sie relationale Datenbanken benutzen, gibt es einen nützlichen Trick: Benutzen Sie die Klausel where, wenn Sie die PAM-Module konfigurieren. Wenn Sie beispielsweise eine Datenbank mit der folgenden Tabelle haben: (user_id,user_name,realname,shell,password,uid,gid,homedir,sys,pop,imap,ftp)

Wenn Sie die Attribute der Dienste zu Boolean-Feldern machen, können Sie sie verwenden, um den Zugang zu den verschiedenen Diensten zu erlauben oder zu verbieten. Sie müssen dazu nur die geeigneten Zeilen in folgende Dateien einfügen: /etc/pam.d/imap:where=imap=1. /etc/pam.d/qpopper:where=pop=1. /etc/nss-mysql*.conf:users.where_clause = user.sys = 1;. /etc/proftpd.conf: SQLWhereClause "ftp=1" . Mein System ist angreifbar! (Sind Sie sich sicher?) Der Scanner X zur Einschätzung der Verwundbarkeit sagt, dass mein Debian-System verwundbar ist.

Viele Scanner zur Einschätzung der Verwundbarkeit liefern falsche Positivmeldungen, wenn sie auf Debian-Systemen verwendet werden. Das liegt daran, dass sie nur die Version eines Softwarepakets überprüfen, um herauszufinden, ob es verwundbar ist. Sie prüfen nicht, ob tatsächlich eine Sicherheitslücke vorhanden ist. Da Debian nicht die Version einer Software ändert, wenn ein Paket repariert wird (häufig werden Ausbesserungen an neueren Veröffentlichungen zurückportiert), neigen einige Werkzeuge dazu zu denken, dass ein aktualisiertes Debian-System verwundbar ist, auch wenn das nicht der Fall ist.

Wenn Sie denken, dass Ihr System auf dem aktuellen Stand der Sicherheitsaktualisierungen ist, sollten Sie die Querverweise zu den Datenbanken mit Sicherheitslücken, in denen die DSAs veröffentlicht sind (vergleichen Sie dazu ), verwenden, um falsche Positive auszusondern, wenn das Programm, das Sie verwenden, CVE-Referenzen enthält. Ich habe in meinen Logfiles einen Angriff gesehen: Ist mein System kompromittiert?

Ein Hinweis auf einen Angriff heißt nicht notwendigerweise, dass Ihr System gehackt wurde. Leiten Sie die üblichen Schritte ein, um festzustellen, ob das System kompromittiert wurde (siehe ). Selbst wenn Ihr System hinsichtlich des protokollierten Angriffs nicht verwundbar ist, könnte ein entschlossener Angreifer neben der von Ihnen entdeckten Sicherheitslücke auch eine andere ausgenutzt haben. Ich habe in meinen Logs merkwürdige "MARK"-Einträge gefunden. Wurde ich gehackt?

Sie können die folgenden Zeilen in Ihren System-Logs finden: Dec 30 07:33:36 debian -- MARK -- Dec 30 07:53:36 debian -- MARK -- Dec 30 08:13:36 debian -- MARK --

Dies stellt keinen Hinweis auf eine Kompromittierung dar, obwohl Nutzer, die von einer anderen Debian-Release wechseln, es vielleicht merkwürdig finden. Wenn Ihr System keine große Last (oder nicht viele aktive Dienste) hat, können diese Zeilen in allen Logs auftauchen. Dies ist ein Hinweis, dass Ihr syslogd-Daemon richtig läuft. Aus : -m interval Der Syslogd protokolliert regelmäßig einen Zeitstempel. Der voreingestellte Abstand zwischen zwei -- MARK -- Zeilen ist 20 Minuten. Er kann mit dieser Option geändert werden. Setzen Sie den Abstand auf Null, um die Zeitstempel komplett abzuschalten. Ich habe Nutzer gefunden, die laut meinen Logfiles 'su' benutzen: Bin ich kompromittiert?

Sie könnten in Ihren Logdateien Zeilen wie die folgenden finden: Apr 1 09:25:01 server su[30315]: + ??? root-nobody Apr 1 09:25:01 server PAM_unix[30315]: (su) session opened for user nobody by (uid=0)

Seien Sie nicht zu besorgt. Prüfen Sie, ob dies durch einen Cron-Job hervorgerufen wird (normalerweise /etc/cron.daily/find oder logrotate): $ grep 25 /etc/crontab 25 6 * * * root test -e /usr/sbin/anacron || run-parts --report /etc/cron.daily $ grep nobody /etc/cron.daily/* find:cd / && updatedb --localuser=nobody 2>/dev/null Ich habe 'possible SYN flooding' in meinen Logs entdeckt: Werde ich angegriffen?

Sie sehen Einträge wie diese in Ihren Logs: May 1 12:35:25 linux kernel: possible SYN flooding on port X. Sending cookies. May 1 12:36:25 linux kernel: possible SYN flooding on port X. Sending cookies. May 1 12:37:25 linux kernel: possible SYN flooding on port X. Sending cookies. May 1 13:43:11 linux kernel: possible SYN flooding on port X. Sending cookies.

Überprüfen Sie mit netstat, ob es eine große Anzahl von Verbindungen zum Server gibt. Zum Beispiel: linux:~# netstat -ant | grep SYN_RECV | wc -l 9000

Dies ist ein Anzeichen, dass ein Denial-of-Service-Angriff (DoS) auf den Port X Ihres Systems stattfindet (am wahrscheinlichsten gegen einen öffentlichen Dienst wie Ihren Web- oder Mailserver). Sie sollten TCP-Syncookies in Ihrem Kernel einschalten, siehe . Beachten Sie, dass ein DoS-Angriff Ihr Netzwerk überfluten kann, auch wenn Sie verhindern können, dass er Ihr System zum Absturz bringt. Da keine Datei-Deskriptoren mehr vorhanden sind, könnte das System nicht mehr antworten, bis das Zeitlimit der TCP-Verbindungen überschritten wurde. Der einzige effektive Weg, diesen Angriff abzuwehren, ist, mit Ihrem Netzprovider in Verbindung zu treten. Ich habe seltsame Root-Sessions in meinen Logs entdeckt: Wurde ich gehackt?

Sie sehen folgende Art von Einträgen in der Datei /var/log/auth.log: May 2 11:55:02 linux PAM_unix[1477]: (cron) session closed for user root May 2 11:55:02 linux PAM_unix[1476]: (cron) session closed for user root May 2 12:00:01 linux PAM_unix[1536]: (cron) session opened for user root by (UID=0) May 2 12:00:02 linux PAM_unix[1536]: (cron) session closed for user root

Sie kommen von einem ausgeführten Cron-Job (in unserem Beispiel alle fünf Minuten). Um herauszufinden, welches Programm für diese Jobs verantwortlich ist, überprüfen Sie die Einträge in /etc/crontab, /etc/cron.d, /etc/cron.daily und Roots crontab in /var/spool/cron/crontabs. Ich bin Opfer eines Einbruchs, was soll ich jetzt tun?

Es gibt mehrere Schritte, die Sie bei einem Einbruch durchführen sollten: Prüfen Sie, ob Ihr System auf dem aktuellen Stand der Sicherheitsaktualisierungen für veröffentlichte Verwundbarkeiten ist. Wenn Ihr System verwundbar ist, hat die die Möglichkeit, dass Ihr System tatsächlich gehackt wurde, erhöht. Die Wahrscheinlichkeit steigt weiter an, wenn die Sicherheitslücke schon eine Zeit lang bekannt ist, da üblicherweise mehr Tätigkeit mit älteren Verwundbarkeiten besteht. Hier ist ein Link zu . Lesen Sie dieses Dokument, besonders den Abschnitt . Fragen Sie nach Hilfe. Sie können die Mailingliste debian-security benutzen und um Rat fragen, wie Sie Ihr System wiederherstellen oder patchen. Benachrichtigen Sie Ihren lokalen (wenn einer existiert, ansonsten sollten Sie sich vielleicht direkt mit CERT in Verbindung setzen). Das könnte Ihnen helfen (vielleicht aber auch nicht), aber wenigstens wird CERT über laufende Angriffe informiert. Diese Information ist sehr wertvoll, um herauszufinden, welche Werkzeuge und Angriffsarten von der Blackhat-Community verwendet werden. Wie verfolge ich einen Angriff zurück?

Sie können einen Angriff zu seinem Ursprung zurückverfolgen, indem Sie die Logs (wenn sie nicht geändert wurden) mit Hilfe eines Systems zur Eindringlingserkennung (siehe ), traceroute, whois oder ähnlicher Werkzeuge (einschließlich forensischer Analyse) durchsehen. Wie Sie auf diese Informationen reagieren und was Sie als Angriff betrachten, hängt ausschließlich von Ihren Sicherheitsrichtlinien ab. Ist ein einfacher Scan ein Angriff? Ist die Prüfung auf eine Verwundbarkeit ein Angriff? Das Programm X in Debian ist angreifbar – was soll ich tun?

Nehmen Sie sich zuerst einen Augenblick Zeit, um zu schauen, ob die Sicherheitslücke in öffentlichen Sicherheitsmailinglisten (wie Bugtraq) oder anderen Foren bekannt gemacht wurde. Das Sicherheitsteam von Debian ist hinsichtlich dieser Listen auf dem Laufenden, daher könnte ihm dieses Problem bereits bekannt sein. Leiten Sie keine weiteren Maßnahmen ein, wenn Sie schon eine Bekanntmachung auf sehen.

Wenn anscheinend keine Informationen veröffentlicht wurden, schicken Sie bitte eine E-Mail zu den betroffenen Paketen mit einer detaillierten Beschreibung der Verwundbarkeit (Code, der dies bestätigt, ist auch in Ordnung) an . Dort erreichen Sie das Sicherheitsteam von Debian. Laut der Versionsnummer eines Paketes läuft bei mir immer noch eine angreifbare Version!

Statt auf eine neue Veröffentlichung zu aktualisieren, portiert Debian sicherheitsrelevante Korrekturen zu der Version zurück, die in der Stable-Veröffentlichung enthalten ist. Der Grund dafür ist, dass sichergestellt werden soll, dass die Stable-Veröffentlichung so wenig wie möglich verändert wird. Damit wird verhindert, dass sich Dinge als Folge einer Sicherheitskorrektur unerwartet ändern oder kaputt gehen. Ob Sie eine sichere Version eines Paketes benutzen, stellen Sie fest, indem Sie das Changelog des Paketes durchsehen, oder indem Sie die exakte Versionsnummer (ursprüngliche Version -slash- Debian-Release) mit der Nummer aus der Debian-Sicherheits-Ankündigung (DSA) vergleichen. Spezielle Software Proftpd ist für einen Denial-of-Service-Angriff anfällig.

Fügen Sie Ihrer Konfigurationsdatei DenyFilter \*.*/ hinzu. Mehr Informationen entnehmen Sie . Nach der Installation von portsentry sind viele Ports offen.

Dies ist nur die Art und Weise, wie portsentry arbeitet. Es öffnet etwas zwanzig ungenutzte Ports und versucht so, Port-Scans zu entdecken. Fragen zum Sicherheitsteam von Debian

Diese Informationen stammen aus dem . Es umfasst Informationen bis zum Januar 2006 und beantwortet auch andere häufige Fragen aus der Mailingliste debian-security. Was ist eine Debian-Sicherheits-Ankündigung (Debian Security Advisory, DSA)?

Das Debian-Sicherheitsteam (siehe unten) weist darin auf die Entdeckung und Korrektur von sicherheitsrelevanten Verwundbarkeiten in einem Paket von Debian GNU/Linux hin. Digital unterschriebene DSAs werden an öffentliche Mailinglisten gesendet und auf der Webseite von Debian veröffentlicht (sowohl auf der Hauptseite als auch unter ).

DSAs enthalten Informationen über die beeinträchtigten Pakete, den entdeckten Sicherheitsmangel und wo man die aktualisierten Pakete bekommt (und ihre MD5-Summen). Die digitale Signatur einer Debian-Anweisung wird nicht korrekt verifiziert!

Dies ist wahrscheinlich ein Problem auf Ihrer Seite. Die Liste besitzt einen Filter, der es nur erlaubt, Nachrichten mit einer korrekten Signatur eines Mitglieds des Sicherheitsteams zu versenden.

Die häufigste Ursache dafür ist zumeist ein Mail-Programm auf Ihrer Seite, das die Nachricht leicht verändert und dadurch die Signatur ungültig macht. Versichern Sie sich, dass Ihre Software keine MIME-Entschlüsselung oder -Verschlüsselung durchführt und auch keine Tabulator/Leerzeichen-Konvertierungen vornimmt.

Bekannte Übeltäter sind fetchmail (mit der Option mimedecode), formail (nur von procmail 3.14) und evolution. Wie wird die Sicherheit in Debian gehandhabt?

Sobald das Sicherheitsteam auf einen Vorfall aufmerksam wird, überprüfen ihn ein oder mehrere Mitglieder und bewerten seine Auswirkungen auf die Stable-Veröffentlichung von Debian (z.B. ob sie verwundbar ist oder nicht). Wenn unser System verwundbar ist, arbeiten wir an einer Problembehebung. Der Paketbetreuer wird ebenfalls kontaktiert, wenn dieser nicht bereits selbst das Sicherheits-Team kontaktiert hat. Schlussendlich wird die Behebung des Problems getestet und neue Pakete vorbereitet, die dann auf allen Stable-Architekturen übersetzt und anschließend hochgeladen werden. Nachdem das alles geschehen ist, wird eine Anweisung veröffentlicht. Wieso spielen Sie mit einer alten Version des Pakets herum?

Die wichtigste Regel beim Erstellen eines neuen Pakets, das ein Sicherheitsproblem behebt, ist, so wenig Änderungen wie möglich vorzunehmen. Unsere Benutzer und Entwickler vertrauen auf das genaue Verhalten einer Veröffentlichung nach dessen Freigabe. Daher kann jede Änderung, die wir durchführen, möglicherweise das System von jemandem zerstören. Dies gilt insbesondere für Bibliotheken: Es muss darauf geachtet werden, dass sich das Anwendungs-Programm-Interface (API) oder Anwendungs-Binär-Interface (ABI) niemals ändert, egal wie klein die Änderung ist.

Dies bedeutet, dass das Umsteigen auf eine neue Version des Originalprogramms keine gute Lösung ist und stattdessen die relevanten Änderungen zurückportiert werden sollten. Üblicherweise sind die Betreuer des Originalprogramms, wenn notwendig, bereit zu helfen, falls das Debian-Sicherheitsteam nicht helfen kann.

In einigen Fällen ist es nicht möglich, eine Sicherheitsreparatur zurückzuportieren, zum Beispiel, wenn ein großer Teil des Quellcodes modifiziert oder neu geschrieben werden muss. Wenn dies passiert, kann es notwendig sein, auf eine neue Version des Originalprogramms umzusteigen, aber dies muss zuvor mit dem Sicherheits-Team koordiniert werden. Was sind die Richtlinien für ein repariertes Paket, um auf security.debian.org zu erscheinen?

Sicherheitslücken in der Stable-Distribution garantieren, dass ein Paket zu security.debian.org hinzugefügt wird. Alles andere tut das nicht. Die Größe der Lücke ist hier nicht das wirkliche Problem. Üblicherweise bereitet das Sicherheitsteam die Pakete gemeinsam mit dem Paketbetreuer vor. Sofern jemand (ein Vertrauenswürdiger) das Problem analysiert, alle benötigten Pakete übersetzt und diese an das Sicherheitsteam übermittelt, dann können auch sehr kleine Sicherheitsreparaturen auf security.debian.org erscheinen. Lesen Sie dazu bitte auch unten weiter.

Sicherheitsaktualisierungen dienen einem Zweck: Eine Behebung für eine Sicherheitsverwundbarkeit zu bieten. Sie sind keine Methode, um zusätzliche Änderungen in das Stable-Release einzubringen, ohne diese die normale Point-Release-Prozedur durchmachen zu lassen. Was bedeutet lokal (aus der Ferne)?

Einige Ankündigungen decken Verwundbarkeiten ab, die nicht mit dem klassischen Schema von lokalen und Verwundbarkeiten aus der Ferne identifiziert werden können. Einige Verwundbarkeiten können nicht aus der Ferne ausgenutzt werden, d.h. sie entsprechen nicht einem Daemon, der auf einer Netzschnittstelle horcht. Falls sie durch spezielle Dateien ausgenutzt werden können, die über das Netz bereit gestellt werden, während der verwundbare Dienst nicht permanent mit dem Netz verbunden ist, schreiben wir in diesen Fällen lokal (aus der Ferne).

Diese Verwundbarkeiten liegen irgendwo zwischen lokalen und solchen aus der Ferne und decken oft Archive ab, die über das Netz bereitgestellt werden könnten, z.B. E-Mail-Anhänge oder von einer Download-Seite. Die Versionsnummer für ein Paket zeigt an, dass ich immer noch eine verwundbare Version verwende!

Sehen Sie sich dazu an. Wie wird die Sicherheit für Testing und Unstable gehandhabt?

Die kurze Antwort ist: gar nicht. Testing und Unstable sind starken Änderungen unterworfen und das Sicherheitsteam hat nicht die Mittel, die benötigt würden, um diese entsprechend zu unterstützen. Wenn Sie einen sicheren (und stabilen) Server benötigen, wird Ihnen dringend empfohlen, bei Stable zu bleiben. Jedoch wird daran gearbeitet, dies zu ändern: Das wurde gegründet, das Unterstützung der Sicherheit für Testing, teilweise auch für Unstable, anbietet.

In einigen Fällen bekommt allerdings der Unstable-Zweig Sicherheitsreparaturen ziemlich schnell, da diese Reparaturen im Originalprogramm schneller verfügbar sind (dagegen müssen andere Versionen, wie die im Stable-Zweig, normalerweise zurückportiert werden).

Sie können veröffentlichte Verwundbarkeiten für Testing und Unstable im einsehen. Ich verwende eine ältere Version von Debian. Wird sie vom Debian-Sicherheitsteam unterstützt?

Nein. Unglücklicherweise kann das Sicherheitsteam von Debian nicht sowohl die Stable-Veröffentlichung (und inoffiziell auch Unstable) als auch andere, ältere Veröffentlichungen handhaben. Sie können allerdings Sicherheitsaktualisierungen für eine bestimmte Zeitspanne (normalerweise einige Monate) nach der Veröffentlichung einer neuen Debian-Distribution erwarten. Wie bekommt Testing Sicherheitsaktualisierungen?

Sicherheitsaktualisierungen gelangen über Unstable in die Testing-Distribution. Normalerweise werden sie mit einer hohen Priorität hochgeladen, wodurch sich die Quarantäne auf zwei Tage reduziert. Nach dieser Zeit gelangen die Pakete automatisch nach Testing, wenn sie für alle Architekturen gebaut worden sind und ihre Abhängigkeiten in Testing erfüllt werden können.

Das stellt ebenfalls Sicherheitsaktualisierungen in seinem Depot zur Verfügung, wenn der normale Migrationsprozess nicht schnell genug ist. Wie wird die Sicherheit für contrib und non-free gehandhabt?

Die kurze Antwort ist: gar nicht. Contrib und non-free sind nicht offizieller Bestandteil der Debian-Distribution und werden nicht freigegeben und daher nicht vom Sicherheits-Team unterstützt. Einige non-free Pakete werden ohne Quellcode oder ohne eine Lizenz vertrieben, die die Verteilung von geänderten Versionen erlaubt. In diesen Fällen ist es überhaupt nicht möglich, Sicherheitsreparaturen durchzuführen. Falls es möglich ist, das Problem zu beheben und der Paketbetreuer oder jemand anderes korrekte, aktualisierte Pakete zur Verfügung stellt, wird das Security-Team diese normalerweise bearbeiten und eine Ankündigung veröffentlichen. Warum gibt es keinen offiziellen Mirror von security.debian.org?

Tatsächlich gibt es welche. Es existieren mehrere offizielle Spiegel, die über DNS-Aliase implementiert sind. Der Zweck von security.debian.org ist es, Sicherheitsaktualisierungen möglichst schnell und einfach zur Verfügung zu stellen.

Die Verwendung von inoffiziellen Spiegeln zu empfehlen, würde zusätzliche Komplexität hinzufügen, die üblicherweise nicht benötigt wird und frustrierend sein kann, wenn diese Spiegel nicht aktuell gehalten werden. Offizielle Spiegel sind jedoch für die Zukunft geplant. Ich habe DSA 100 und DSA 102 gesehen, doch wo ist DSA 101?

Verschiedene Distributoren (zumeist von GNU/Linux, aber auch von BSD-Derivaten) koordinieren Sicherheits-Ankündigungen für verschiedene Vorfälle und haben vereinbart, einen bestimmten Zeitplan einzuhalten, so dass alle Distributoren in der Lage sind, eine Anweisung zur selben Zeit zu veröffentlichen. Dadurch soll verhindert werden, dass ein Anbieter benachteiligt wird, der mehr Zeit benötigt (z.B. falls der Hersteller längere Qualitätssicherungstests für die Pakete durchführt oder mehrere Architekturen bzw. Binär-Distributionen unterstützt). Unser eigenes Sicherheitsteam bereitet ebenfalls Anweisungen im Vorhinein vor. Es passiert immer wieder mal, dass andere Sicherheitsprobleme früher abgearbeitet werden müssen, als vorbereitete Anweisungen veröffentlicht werden können, und daher werden temporär eine oder mehrere Anweisungen der Nummer nach ausgelassen. Ich habe versucht, ein Paket herunterzuladen, das in einer der Sicherheitsankündigungen aufgeführt war, aber ich bekomme dabei einen 'file not found'-Fehler.

Immer, wenn eine neuere Fehlerbehebung ein älteres Paket auf security.debian.org ersetzt, stehen die Chancen gut, dass das ältere Paket gelöscht wird, wenn das neue installiert wird. Daher erhalten Sie diesen 'file not found'-Fehler. Wir wollen Pakete mit bekannten Sicherheitslücken nicht länger als absolut notwendig verbreiten.

Bitte benutzen Sie die Pakete von den neuesten Sicherheitsankündigungen, die über die verteilt werden. Am besten rufen Sie einfach apt-get update auf, bevor Sie das Paket aktualisieren. Wie kann ich das Sicherheitsteam erreichen?

Sicherheitsinformationen können an geschickt werden, damit sie von allen Debian-Entwicklern gelesen werden. Wenn Sie sensible Informationen haben, benutzen Sie bitte , die nur vom Sicherheitsteam gelesen wird. Wenn Sie es wünschen, kann die E-Mail auch mit dem Kontaktschlüssel von Debian-Security (Key-ID ) verschlüsselt werden. Sehen Sie sich auch die an. Was ist der Unterschied zwischen security@debian.org und debian-security@lists.debian.org?

Wenn Sie eine Nachricht an security@debian.org schicken, wird diese an die Developer-Mailingliste geschickt (debian-private), die alle Entwickler von Debian abonniert haben. Nachrichten an diese Liste werden vertraulich behandelt (d.h. sie werden nicht auf einer öffentlichen Webseite archiviert). Allerdings wurden diese Nachrichten durch die neu eingestuft, so dass in der Zukunft einige Nachrichten veröffentlicht werden könnten. debian-security@lists.debian.org ist eine öffentliche Mailingliste, offen für jeden, der möchte, und es gibt ein durchsuchbares Archiv. Ich glaube, ich habe ein Sicherheitsproblem entdeckt, was soll ich tun?

Wenn Sie von einem Sicherheitsproblem erfahren, entweder in Ihren eigenen Paketen oder in denen eines anderen Entwicklers, dann kontaktieren Sie bitte immer das Sicherheits-Team. Wenn das Debian-Sicherheits-Team die Verwundbarkeit bestätigt und andere Distributoren höchstwahrscheinlich ebenfalls davon betroffen sind, kontaktiert es diese üblicherweise auch. Wenn die Verwundbarkeit noch nicht öffentlich bekannt ist, wird es versuchen, die Sicherheitsankündigungen mit den anderen Distributoren zu koordinieren, damit alle Haupt-Distributionen synchron sind.

Falls die Verwundbarkeit bereits öffentlich bekannt ist, schreiben Sie bitte unbedingt einen Fehlerbericht für das Debian-Fehlerverfolgungssystem und markieren Sie ihn mit dem Tag security. Wie kann ich das Debian-Sicherheitsteam unterstützen?

Indem Sie etwas zu diesem Dokument beitragen, FIXMEs bearbeiten oder neuen Inhalt beisteuern. Dokumentation ist wichtig und reduziert die Last durch Beantworten allgemeiner Fragen. Übersetzen dieses Dokuments in andere Sprachen ist auch ein großartiger Beitrag (Anm.d.Ü.: Fehler bereinigen in der Übersetzung auch). Indem Sie Pakete von Programmen erstellen, mit denen sich die Sicherheit eines Debian-Systems erhöhen oder prüfen lässt. Wenn Sie kein Entwickler sind, reichen Sie einen ein und fragen nach Software, die Sie für nützlich halten, die aber noch nicht zur Verfügung steht. Testen Sie Anwendungen in Debian oder helfen Sie Sicherheitslücken zu schließen. Teilen Sie Probleme security@debian.org mit.

Prüfen Sie bitte in jedem Fall ein Problem nach, bevor Sie es an security@debian.org melden. Wenn Sie Patches beifügen, beschleunigt das den Prozess natürlich. Leiten Sie nicht einfach Mails von Bugtraq weiter, da diese bereits empfangen wurden. Es ist aber eine gute Idee, zusätzliche Informationen zu schicken. Aus wem setzt sich das Sicherheitsteam zusammen?

Das Debian-Sicherheitsteam besteht aus . Das Sicherheitsteam bestimmt selbst, wen es neu ins Team aufnehmen will. Prüft das Debian-Sicherheitsteam jedes Paket in Debian?

Nein, weder prüft das Sicherheitsteam jedes neue Paket noch gibt es einen automatischen (lintian) Test, um neue Pakete mit bösartigem Inhalt zu entdecken, da solche Dinge praktisch unmöglich automatisch durchgeführt werden können. Paket-Verwalter sind jedoch voll und ganz verantwortlich für die Software, die sie in Debian einführen. Keine Software wird eingeführt, die nicht zuerst von einem autorisierten Entwickler signiert wurde. Die Entwickler sind dafür verantwortlich, die Sicherheit aller Pakete, die sie betreuen, zu analysieren. Wie lange braucht Debian, um die Angriffs-Möglichkeit XXXX zu reparieren?

Das Sicherheitsteam von Debian arbeitet schnell, um Anweisungen zu verschicken und korrigierte Pakete für den Stable-Zweig zu erstellen, sobald eine Sicherheitslücke entdeckt wurde. Ein Bericht, der , zeigt, dass das Debian-Sicherheitsteam im Jahr 2001 durchschnittlich 35 Tage gebraucht hat, um Sicherheitslücken auszubessern. Allerdings wurden über 50% der Verwundbarkeiten innerhalb von zehn Tagen beseitigt und über 15% wurden am gleichen Tag repariert, an dem die Anweisung veröffentlicht wurde.

Oft vergessen Leute, die diese Frage stellen, dass: DSAs nicht verschickt werden, bis: Pakete für alle von Debian unterstützten Architekturen verfügbar sind (dies braucht etwas Zeit, wenn es sich um Pakete handelt, die Teil des Systemkerns sind, besonders wenn man die Anzahl der in der stabilen Veröffentlichung unterstützten Architekturen berücksichtigt). Neue Pakete gründlich getestet werden, um sicherzustellen, dass sich keine neuen Fehler eingeschlichen haben. Pakete möglicherweise schon verfügbar sind, bevor das DSA verschickt wird (in der Incoming-Warteschlange oder auf den Mirror-Servern). Debian ein Projekt auf freiwilliger Basis ist. Es eine "keine Garantie"-Klausel gibt, die Teil der Lizenz ist, der Debian unterliegt.

Wenn Sie eine tiefergehende Analyse wünschen, wie lange das Sicherheitsteam an Sicherheitslücken arbeitet, sollten Sie wissen, dass neue DSAs (vergleichen Sie ) auf der veröffentlicht werden. Daneben finden sich dort auch die Metadaten, die verwendet werden, um die DSAs zu erstellen, und Links zur Datenbank mit den Sicherheitslücken. Sie können die Quellen vom Webserver herunterladen (aus dem ) oder die HTML-Seiten benutzen, um zu bestimmen, wie lange Debian braucht, um Verwundbarkeiten auszubessern, und um diese Daten mit öffentlichen Datenbanken zu vergleichen. Wie lange sind Sicherheitsaktualisierungen vorgesehen?

Das Sicherheits-Team versucht eine stabile Distribution für in etwa ein Jahr zu unterstützen, nachdem die nächste stabile Distribution freigegeben wurde; außer, eine weitere stabile Distribution wird innerhalb dieser Zeitspanne freigegeben. Es ist nicht möglich, drei Distributionen zu unterstützen; die gleichzeitige Unterstützung für zwei ist bereits schwierig genug. Wie kann ich die Integrität der Pakete prüfen?

Dieser Prozess umfasst das Prüfen der Release-Datei-Signatur gegen den öffentlichen Schlüssel (erhältlich unter ), der für die Archive verwendet wird. Die Release-Datei enthält die MD5-Prüfsummen der Packages- und Sources-Dateien, die MD5-Prüfsummen der Binär- und Quellcodepakete enthalten. Ausführlichere Anweisungen, wie man die Paket-Integrität prüfen kann, können nachgelesen werden. Was soll ich tun, wenn ein zufälliges Paket nach einer Sicherheitsaktualisierung nicht mehr funktioniert?

Zuerst sollten Sie herausfinden, warum dieses Paket nicht mehr funktioniert und wie es mit der Sicherheitsaktualisierung zusammenhängt. Danach sollten Sie sich an das Sicherheits-Team wenden, wenn es ein schwerwiegendes Problem ist, oder an den Stable-Release-Betreuer, wenn es weniger schwerwiegend ist. Es geht hier um zufällige Pakete, die nach der Aktualisierung eines anderen Paketes nicht mehr funktionieren. Wenn Sie nicht herausfinden können, was schief geht, aber eine Lösung gefunden haben, wenden Sie sich auch an das Sicherheits-Team. Es könnte jedoch sein, dass man Sie an den Stable-Release-Betreuer weiterleitet. harden-doc-3.15.1/howto-source/de/intro.sgml0000644000000000000000000014365710643704617015570 0ustar Einleitung

Eines der schwierigsten Dinge beim Schreiben über Sicherheit ist, dass jeder Fall einzigartig ist. Sie müssen zwei Dinge beachten: Die Gefahr aus der Umgebung und das Bedürfnis an Sicherheit Ihrer Seite, Ihres Hosts oder Ihres Netzwerkes. So unterscheiden sich zum Beispiel die Sicherheitsbedürfnisse eines Heimanwenders komplett von den Sicherheitsbedürfnissen des Netzwerkes einer Bank. Während die Hauptgefahr eines Heimanwenders von "Script-Kiddies" ausgeht, muss sich das Netzwerk einer Bank um direkte Angriffe sorgen. Zusätzlich muss eine Bank die Daten ihrer Kunden mit mathematischer Präzision beschützen. Um es kurz zu machen: Jeder Nutzer muss selbst zwischen Benutzerfreundlichkeit und Sicherheit/Paranoia abwägen.

Beachten Sie bitte, dass diese Anleitung nur Software-Themen behandelt. Die beste Software der Welt kann Sie nicht schützen, wenn jemand direkten Zugang zu Ihrem Rechner hat. Sie können ihn unter Ihren Schreibtisch stellen, oder Sie können ihn in einen starken Bunker mit einer ganzen Armee davor stellen. Trotzdem kann der Rechner unter Ihrem Schreibtisch weitaus sicherer sein – von der Software-Seite aus gesehen – als der eingebunkerte, wenn Ihr Schreibtisch-Rechner richtig konfiguriert und die Software des eingebunkerten Rechners voller Sicherheitslöcher ist. Sie müssen beide Möglichkeiten betrachten.

Dieses Dokument gibt Ihnen lediglich einen kleinen Überblick, was Sie tun können, um die Sicherheit Ihres Debian GNU/Linux Systems zu erhöhen. Wenn Sie bereits andere Dokumente über Sicherheit unter Linux gelesen haben, werden Sie feststellen, dass es einige Überschneidungen geben wird. Wie auch immer: Dieses Dokument versucht nicht, die ultimative Informationsquelle zu sein, es versucht nur, die gleichen Informationen so zu adaptieren, dass sie gut auf ein Debian GNU/Linux System passen. Unterschiedliche Distributionen erledigen manche Dinge auf unterschiedliche Art (zum Beispiel den Aufruf von Daemons); hier finden Sie Material, das zu Debians Prozeduren und Werkzeugen passt. Autoren

Der aktuelle Betreuer dieses Dokuments ist . Falls Sie Kommentare, Ergänzungen oder Vorschläge haben, schicken Sie ihm diese bitte. Sie werden dann in künftigen Ausgaben dieses Handbuchs berücksichtigt werden.

Dieses Handbuch wurde als HOWTO von ins Leben gerufen. Nachdem es im Internet veröffentlicht wurde, gliederte es in das ein. Zahlreiche Menschen haben etwas zu diesem Handbuch beigesteuert (alle Beiträge sind im Changelog aufgeführt), aber die folgenden haben gesonderte Erwähnung verdient, da sie bedeutende Beiträge geleistet haben (ganze Abschnitte, Kapitel oder Anhänge): Stefano Canepa Era Eriksson Carlo Perassi Alexandre Ratti Jaime Robles Yotam Rubin Frederic Schutz Pedro Zorzenon Neto Oohara Yuuma Davor Ocelic

Bei Fehlern in dieser Übersetzung wenden Sie sich bitte an den aktuellen deutschen Übersetzer oder (wenn dieser nicht erreichbar ist) an die . Es würde eine Menge Arbeit ersparen, wenn die Verbesserungen direkt in die SGML-Dateien eingearbeitet werden. Diese sind mittels CVS abrufbar und können auch über die abgerufen werden. d.Ü. Wo Sie diese Anleitung bekommen (und verfügbare Formate)

Sie können sich die neueste Version der "Anleitung zum Absichern von Debian" beim herunterladen oder anschauen. Wenn Sie eine Kopie von einer anderen Seite lesen, überprüfen Sie bitte die Hauptversion, ob sie neue Informationen enthält. Wenn Sie eine Übersetzung lesen (was Sie im Moment tun, d.Ü.), vergleichen Sie bitte die Version der Übersetzung mit der neuesten Version. Falls Sie feststellen, dass die Übersetzung veraltet ist, sollten Sie in Betracht ziehen, die Originalversion zu verwenden oder zumindest die durchsehen, um zu wissen, was geändert wurde.

Wenn Sie eine vollständige Kopie des Handbuchs wollen, können Sie die oder die von der Seite des Debian-Dokumentationsprojektes herunterladen. Diese Versionen können sinnvoller sein, wenn Sie das Dokument auf ein tragbares Medium kopieren oder ausdrucken wollen. Seien Sie aber gewarnt: Das Dokument ist über 200 Seiten lang, und einige Code-Abschnitte sind in der PDF-Version wegen der eingesetzten Formatierungswerkzeuge nicht richtig umgebrochen und könnten daher nur unvollständig ausgedruckt werden.

Das Dokument ist auch in den Formaten HTML, txt und PDF im Paket enthalten. Beachten Sie allerdings, dass das Paket nicht genauso aktuell sein muss wie das Dokument, das Sie auf der Debian-Seite finden (Sie können sich aber immer eine aktuelle Version aus dem Quellpaket bauen).

Sie können auch die Veränderungen durchforsten, die am Dokument vorgenommen wurden, indem Sie die Protokolle der Versionskontrolle mit dem durchsehen. Organisatorisches / Feedback

Nun kommt der offizielle Teil. Derzeit sind die meisten Teile dieser Anleitung noch von mir (Alexander Reelsen) geschrieben, aber meiner Meinung nach sollte dies nicht so bleiben. Ich wuchs mit freier Software auf und lebe mit ihr, sie ist ein Teil meiner alltäglichen Arbeit und ich denke, auch von Ihrer. Ich ermutige jedermann, mir Feedback, Tipps für Ergänzungen oder andere Vorschläge, die Sie haben könnten, zuzuschicken.

Wenn Sie denken, dass Sie einen bestimmten Abschnitt oder Paragraphen besser pflegen können, dann schreiben Sie dem Dokumenten-Betreuer und Sie dürfen es gerne erledigen. Insbesondere, wenn Sie eine Stelle finden, die mit "FIXME" markiert wurde – was bedeutet, dass die Autoren noch nicht die Zeit hatten oder sich noch Wissen über das Thema aneignen müssen – schicken Sie ihnen sofort eine E-Mail.

Für diese Anleitung ist es natürlich äußerst wichtig, dass sie weiter gepflegt und auf dem neusten Stand gehalten wird. Auch Sie können Ihren Teil dazu beitragen. Bitte unterstützen Sie uns. Vorwissen

Die Installation von Debian GNU/Linux ist nicht wirklich schwer, und Sie sollten in der Lage gewesen sein, es zu installieren. Wenn Ihnen andere Linux-Distributionen, Unixe oder die grundsätzlichen Sicherheitskonzepte ein wenig vertraut sind, wird es Ihnen leichter fallen, diese Anleitung zu verstehen, da nicht auf jedes winzige Detail eingegangen werden kann (sonst wäre dies ein Buch geworden und keine Anleitung). Wenn Sie jedoch mit diesen Dingen noch nicht so vertraut sind, sollten Sie vielleicht einen Blick in die für tiefer gehende Informationen werfen. Dinge, die noch geschrieben werden müssen (FIXME/TODO)

Dieses Kapitel beschreibt die Dinge, welche in diesem Handbuch noch verbessert werden müssen. Einige Abschnitte beinhalten FIXME- oder TODO-Markierungen, in denen beschrieben wird, welche Dinge fehlen (oder welche Aufgaben erledigt werden müssen). Der Zweck dieses Kapitels ist es, die Dinge, die zukünftig in dieses Handbuch aufgenommen werden könnten, und die Verbesserungen, die durchgeführt werden müssen (oder bei denen es interessant wäre, sie einzufügen) zu beschreiben.

Wenn Sie glauben, dass Sie Hilfe leisten könnten, den auf dieser Liste aufgeführten Punkten (oder solchem im Text) abzuhelfen, setzen Sie sich mit dem Hauptautor () in Verbindung. Erweiterung der Informationen zur Reaktion auf einen Zwischenfall, unter Umständen auch mit einigen Vorschlägen von Red Hats Sicherheitsanleitung . Vorstellen von entfernten Überwachungswerkzeugen (um die Erreichbarkeit des Systems zu überprüfen) wie monit, daemontools und mon. Vergleiche . Überprüfung, ob wichtige Informationen hat, die hier noch nicht behandelt werden. Informationen, wie man einen Laptop mit Debian einrichtet . Informationen, wie man unter Debian GNU/Linux eine Firewall aufsetzt. Der Firewalls betreffende Abschnitt orientiert sich derzeit an Einzelplatz-Systemen (die keine anderen System schützen müssen); auch auf das Testen des Setups eingehen. Wie man eine Proxy-Firewall unter Debian GNU/Linux aufsetzt, unter der Angabe, welche Pakete Proxy-Dienste anbieten (zum Beispiel xfwp, ftp-proxy, redir, smtpd, dnrd, jftpgw, oops, pdnsd, perdition, transproxy, tsocks). Sollte zu einer Anleitung mit weiteren Informationen verweisen. Erwähnenswert ist, dass zorp jetzt Teil von Debian ist und eine Proxy-Firewall ist (und auch der Programmautor Debian-Pakete zur Verfügung stellt.) Informationen über die Service-Konfiguration mit file-rc Alle Referenzen und URLs prüfen und die nicht mehr verfügbaren aktualisieren oder entfernen Informationen über möglichen Ersatz (unter Debian) für häufig eingesetzte Server, die bei eingeschränktem Funktionsumfang nützlich sind. Beispiele: lokaler lpr mit cups (Paket)? remote lrp mit lpr bind mit dnrd/maradns apache mit dhttpd/thttpd/wn (tux?) exim/sendmail mit ssmtpd/smtpd/postfix squid mit tinyproxy ftpd mit oftpd/vsftp ... Mehr Informationen über die sicherheitsrelevanten Patches des Kernels unter Debian einschließlich der oben aufgeführten, und insbesondere wie man diese Patches unter einem Debian-System benutzt. 
Erkennung von Eindringlingen (Linux Intrusion Detection kernel-patch-2.4-lids) Linux Trustees (im Paket trustees) linux-patch-openswan Details, wie man unnötige Netzwerkdienste deaktiviert (abgesehen von inetd), dies ist teilweise Teil des Abhärtungsprozesses, könnte aber etwas ausgeweitet werden. Informationen über Passwort-Rotation, was sehr nah an grundsätzliche Regeln (Policies) herankommt Policies und die Aufklärung der Nutzer über die Policy Mehr über tcpwrapper und wrapper im Allgemeinen? hosts.equiv und andere wichtige Sicherheitslöcher mögliche Probleme bei der Dateifreigabe, wie Samba und NFS? suidmanager/dpkg-statoverrides. lpr und lprng. Abschalten der GNOME-IP-Dinge. Erwähnen von pam_chroot (siehe ) und seine Nützlichkeit, um Nutzer einzuschränken. Einführende Informationen in Verbindung mit . pdmenu sind zum Beispiel bereits unter Debian verfügbar (während flash das nicht ist). Darüber reden, Dienste mit einer chroot-Umgebung zu versehen, mehr Informationen dazu unter , und . Programme erwähnen, die Chroot-Gefängnisse (chroot jails) herstellen. compartment und chrootuid warten noch in incoming. Einige andere (makejail, jailer) könnten ebenfalls eingeführt werden. Mehr Informationen über Software zur Analyse von Protokoll-Dateien (log-Dateien, logs; zum Beispiel logcheck und logcolorise). "Fortgeschrittenes" Routing (Traffic-Regelungen sind sicherheitsrelevant) Zugang über SSH so einschränken, dass man nur bestimmte Kommandos ausführen kann Die Benutzung von dpkg-statoverride. 
Sichere Wege, mehreren Nutzern den Zugriff auf CD-Brenner zu erlauben Sichere Wege, um Sound zusammen mit einem Display über ein Netzwerk zu leiten (so dass die Sounds eines X-Clients über die Hardware eines X-Servers abgespielt werden) Absichern von Web-Browsern Aufsetzen von ftp über ssh Die Benutzung von verschlüsselten Loopback-Dateisystemen Verschlüsselung eines ganzen Dateisystems Steganographie-Tools Aufsetzen eines PKA für eine Organisation LDAP benutzen zur Verwaltung der User. Es gibt ein HOWTO zu ldap+kerberos für Debian auf von Turbo Fredrikson. Wie man Informationen mit begrenztem Nutzen wie z.B. /usr/share/doc oder /usr/share/man auf Produktivsystemen entfernt (jawohl, security by obscurity). Mehr Informationen über lcap, die sich auf die README-Datei des Pakets stützen (gut, die Datei ist noch nicht vorhaben, vergleiche ) und diesen Artikel von LWN: . Füge Colins Artikel hinzu, wie man eine Chroot-Umgebung für ein komplettes Sid-System aufsetzt (). Informationen darüber, wie man mehrere snort-Sensoren in einem System betreibt (beachte die Fehlerberichte zu snort). Informationen, wie man einen Honigtopf (honeypot) einrichtet (honeyd) Darstellung der Situation von FreeSwan (verwaist) und OpenSwan. Der Abschnitt über VPN muss überarbeitet werden. Füge einen gesonderten Abschnitt über Datenbanken hinzu, ihre Standardwerte und, wie man den Zugriff absichert. Füge einen Abschnitt über den Nutzen von virtuellen Servern (wie Xen u.a.) hinzu. Erkläre, wie Programme zur Überprüfung der Integrität verwendet werden (AIDE, integrit oder samhain). Die Grundlagen sind einfach und könnten auch einige Verbesserungen der Konfiguration enthalten. Änderungsübersicht/Changelog/Geschichte Version 3.11 (Januar 2007)

Änderung von Javier Fernández-Sanguino Peña. Vielen Dank an Francesco Poli für die umfangreiche Durchsicht dieses Dokuments. Entfernte die meisten Verweise auf Woody, da es nicht länger im Archiv verfügbar ist und es dafür auch keine Unterstützung der Sicherheit mehr gibt. Beschrieb, wie Benutzer eingeschränkt werden, so dass sie nur Dateiübertragungen durchführen können. Fügte einen Hinweis auf die Entscheidung zur Umstufung vertraulicher Meldungen an Debian ein. Aktualisierte den Verweis auf die Anleitung zum Umgang mit Vorfällen. Fügte einen Hinweis darauf ein, dass Entwicklerwerkzeuge (wie Compiler) nicht mehr standardmäßig in Etch installiert werden. Korrigierte den Verweis auf den Master-Security-Server. Fügte einen Hinweis auf die Dokumentation zu APT-secure ein. Verbesserte die Erläuterung der APT-Signaturen. Kommentierte einige Stellen aus, die sich auf noch nicht fertig gestellte Abschnitte über die offiziellen öffentlichen Schlüssel von Spiegelservern bezogen. Korrigierte den Namen des Debian-Testing-Sicherheitsteams. Entfernte in einem Beispiel den Verweis auf Sarge. Aktualisierte den Abschnitt über Antivirus: clamav ist jetzt in der Veröffentlichung enthalten. Erwähnte auch den Installer für f-prot. Entfernte alle Verweise auf freeswan, da es veraltet ist. Beschrieb Probleme, die beim Verändern der Firewall-Regeln aus der Ferne auftreten können, und gab einige Tipps (in Fußnoten). Schrieb den Abschnitt "Bind nicht als Root laufen lassen" neu, da dies nicht mehr auf Bind9 zutrifft. Entfernte auch Verweise auf das init.d-Skript, da die Änderungen in /etc/default vorgenommen werden müssen. Entfernte eine veraltete Möglichkeit, Regeln für die Firewall einzurichten, da Woody nicht länger unterstützt wird. Kehrte zu dem früheren Hinweis bezüglich LOG_UNKFAIL_ENAB zurück, nämlich dass es auf 'no' (wie es standardmäßig ist) gesetzt werden sollte.
Fügte Informationen hinzu, wie das System mit Werkzeugen für den Desktop (einschließlich update-notifier) aktualisiert wird, und beschrieb, wie man mit aptitude das System aktualisiert. Aktualisierte das FAQ und entfernte überflüssige Abschnitte. Überarbeitete und aktualisierte den Abschnitt über die forensische Analyse von Malware. Entfernte oder korrigierte einige tote Links. Verbesserte viele Tipp- und Grammatikfehler, die von Francesco Poli mitgeteilt wurden. Version 3.10 (November 2006)

Änderung von Javier Fernández-Sanguino Peña Gab Beispiele, wie rdepends von apt-cache verwendet wird. Wurde von Ozer Sarilar vorgeschlagen. Korrigierte den Verweis auf das Benutzerhandbuch von Squid auf Grund seines Umzugs. Wurde von Oskar Pearson (dem Herausgeber) mitgeteilt. Korrigierte die Informationen über umask: Es ist login.defs (nicht limits.conf), wo dies für Anmeldungen konfiguriert werden kann. Stellte den Standard von Debian und strengere Werte für Benutzer und Root dar. Vielen Dank an Reinhard Tartler für das Auffinden des Fehlers. Version 3.9 (Oktober 2006)

Änderung von Javier Fernández-Sanguino Peña Fügte Informationen hinzu, wie man Sicherheitslücken verfolgt. Hinweis auf den Debian-Testing-Sicherheits-Tracker. Fügte weitere Informationen über die Sicherheitsunterstützung für Testing hinzu. Korrigierte eine große Anzahl von Tippfehlern mit einem Patch von Simon Brandmair. Fügte einen Abschnitt hinzu, wie das Root-Prompt bei initramfs abgestellt wird. Wurde von Max Attems beigesteuert. Entfernte Verweise auf queso. Hinweis in der Einleitung, dass nun auch Testing vom Sicherheitsteam unterstützt wird. Version 3.8 (Juli 2006)

Änderung von Javier Fernández-Sanguino Peña Schrieb die Hinweise neu, wie man SSH in einer Chroot-Umgebung einsperrt, um die verschiedenen Optionen deutlicher herauszustellen. Vielen Dank an Bruce Park, der auf verschiedene Fehler in diesem Anhang hinwies. Verbesserte den Aufruf von lsof, wie es von Christophe Sahut vorgeschlagen wurde. Fügte einen Patch von Uwe Hermann zur Verbesserung von Tippfehlern ein. Verbesserte einen Tippfehler, der von Moritz Naumann entdeckt wurde. Version 3.7 (April 2006)

Änderung von Javier Fernández-Sanguino Peña Fügte einen Abschnitt über den besten Umgang der Entwickler von Debian mit Sicherheitsfragen hinzu. Fügte ein Firewall-Skript mit Kommentaren von WhiteGhost an. Version 3.6 (März 2006)

Änderung von Javier Fernández-Sanguino Peña Fügte einen Patch von Thomas Sjögren ein, der beschreibt, dass noexec wie erwartet mit »neuen« Kernel arbeitet, der Informationen über den Umgang mit temporären Dateien hinzufügt und einige Verweise auf externe Dokumentationen. Fügte nach einem Vorschlag von Freek Dijkstra einen Verweis auf Dan Farmers und Wietse Venemas Webseite über forensische Entdeckungen ein und erweiterte den Abschnitt über forensische Analyse etwas mit weiteren Verweisen. Verbesserte dank Christoph Auer die URL des italienischen CERT. Verwendete wieder Joey Hess' Informationen aus dem Wiki über Secure Apt und fügte sie in den Infrastrukturabschnitt ein. Version 3.5 (November 2005)

Änderung von Javier Fernández-Sanguino Peña Hinweis im SSH-Abschnitt, dass chroot nicht funktioniert, wenn die Option nodev mit der Partition verwendet wird, und auf das aktuelle ssh-Paket mit dem chroot-Patch. Vielen Dank an Lutz Broedel für diese Hinweise. Ausbesserung eines Tippfehlers, der von Marcos Roberto Greiner entdeckt wurde (md5sum sollte sha1sum im Code-Schnipsel sein) Fügte Jens Seidels Patch ein, der eine Anzahl von Paketnamen und Tippfehlern verbesserte. Kleine Aktualisierung des Werkzeugabschnitts, entfernte Werkzeuge, die nicht länger verfügbar sind, und fügte einige neue hinzu. Schrieb Teile des Abschnitts neu, in dem es darum geht, wo und in welchen Formaten dieses Dokument erhältlich ist (die Webseite stellt eine PDF-Version zur Verfügung). Merkte auch an, dass Kopien auf anderen Seiten und Übersetzungen veraltet sein könnten (viele der Treffer auf Google für dieses Handbuch auf anderen Seiten sind veraltet). Version 3.4 (August-September 2005)

Änderung von Javier Fernández-Sanguino Peña Verbesserte die Erhöhung der Sicherheit nach der Installation im Zusammenhang mit der Kernelkonfiguration für den Schutz der Netzwerkebene mit der Datei sysctl.conf. Wurde von Will Moy zur Verfügung gestellt. Verbesserte den Abschnitt über gdm mit Hilfe von Simon Brandmair. Ausbesserungen von Tippfehlern, die von Frédéric Bothamy und Simon Brandmair entdeckt wurden. Verbesserungen im Abschnitt "Nach der Installation" im Zusammenhang, wie MD5-Summen (oder SHA-1-Summen) für periodische Überprüfungen erstellt werden. Aktualisierte den Abschnitt "Nach der Installation" in Hinblick auf die Konfiguration von checksecurity (war veraltet). Version 3.3 (Juni 2005)

Änderung von Javier Fernández-Sanguino Peña Fügte einen Code-Fetzen hinzu, um mit grep-available eine Liste von Paketen zu erstellen, die von Perl abhängen. Wurde in #302470 nachgefragt. Schrieb den Abschnitt über Netzwerkdienste neu (welche installiert sind und wie man sie abschaltet). Fügte weitere Informationen zum Abschnitt über die Entwicklung eines Honigtopfs hinzu, indem nützliche Debian-Pakete erwähnt werden. Version 3.2 (März 2005)

Änderung von Javier Fernández-Sanguino Peña Erweiterte den Abschnitt über die Konfiguration von Limits mit PAM. Fügte Informationen hinzu, wie pam_chroot für openssh eingesetzt wird (auf Grundlage der README von pam_chroot). Verbesserte einige kleinere Dinge, die von Dan Jacobson gemeldet wurden. Aktualisierte die Informationen über Kernelpatches, basiert teilweise auf einem Patch von Carlo Perassi, auf den Anmerkungen zu aufgegebenen Teilen des Kernels und auf den neuen Kernelpatches (adamantix). Fügte einen Patch von Simon Brandmair ein, der einen Satz im Zusammenhang mit Login-Fehlern auf dem Terminal ausbesserte. Fügte Mozilla/Thunderbird zu den gültigen GPG-Agenten hinzu, wie von Kapolnai Richard vorgeschlagen wurde. Erweiterte den Abschnitt über Sicherheitsaktualisierungen, die Aktualisierung von Bibliotheken und des Kernels betreffen, und wie man herausfindet, ob Dienste neu gestartet werden müssen. Schrieb den Abschnitt über die Firewall neu, habe die Informationen, die Woody betreffen, nach unten verschoben und die übrigen Abschnitte erweitert, einschließlich Hinweisen dazu, wie man von Hand eine Firewall einrichtet (mit einem Beispielsskript) und wie man die Konfiguration der Firewall testen kann. Fügte einige Informationen hinzu bezüglich der Veröffentlichung von Debian 3.1. Fügte ausführlichere Hinweise zu Kernelupgrades hinzu, die sich besonders an diejenigen richten, die das alte Installationssystem verwenden. Fügte einen kurzen Abschnitt über die experimentelle Veröffentlichung von apt 0.6, die die Überprüfung von Paketsignaturen enthält. Verschob den alten Inhalt in den Abschnitt und fügte auch einen Verweis auf die Veränderungen, die in aptitude vorgenommen wurden, hinzu. Ausbesserungen von Tippfehlern, die von Frédéric Bothamy entdeckt wurden. Version 3.1 (January 2005)

Changes by Javier Fernández-Sanguino Peña Added clarification to ro /usr with patch from Joost van Baal. Applied patch from Jens Seidel fixing many typos. FreeSWAN is dead, long live OpenSWAN. Added information on restricting access to RPC services (when they cannot be disabled); also included patch provided by Aarre Laakso. Updated aj's apt-check-sigs script. Applied patch from Carlo Perassi fixing URLs. Applied patch from Davor Ocelic fixing many errors, typos, URLs, grammar and FIXMEs. Also adds some additional information to some sections. Rewrote the section on user auditing, highlighting the usage of script, which does not have some of the issues associated with shell history. Version 3.0 (December 2004)

Changes by Javier Fernández-Sanguino Peña Rewrote the user-auditing information and include examples on how to use script. Version 2.99 (March 2004)

Changes by Javier Fernández-Sanguino Peña Added information on references in DSAs and CVE-Compatibility. Added information on apt 0.6 (apt-secure merge in experimental) Fixed location of Chroot daemons HOWTO as suggested by Shuying Wang. Changed APACHECTL line in the Apache chroot example (even if it's not used at all) as suggested by Leonard Norrgard. Added a footnote regarding hardlink attacks if partitions are not set up properly. Added some missing steps in order to run bind as named as provided by Jeffrey Prosa. Added notes about Nessus and Snort out-of-dateness in woody and availability of backported packages. Added a chapter regarding periodic integrity test checks. Clarified the status of testing regarding security updates. (Debian bug 233955) Added more information regarding expected contents in securetty (since it's kernel specific). Added pointer to snoopylogger (Debian bug 179409) Added reference to guarddog (Debian bug 170710) Apt-ftparchive is in apt-utils, not in apt (thanks to Emmanuel Chantreau for pointing this out) Removed jvirus from AV list. Version 2.98 (December 2003)

Changes by Javier Fernández-Sanguino Peña Fixed URL as suggested by Frank Lichtenheld. Fixed PermitRootLogin typo as suggested by Stefan Lindenau. Version 2.97 (September 2003)

Changes by Javier Fernández-Sanguino Peña Added those that have made the most significant contributions to this manual (please mail me if you think you should be in the list and are not). Added some blurb about FIXME/TODOs Moved the information on security updates to the beginning of the section as suggested by Elliott Mitchell. Added grsecurity to the list of kernel-patches for security but added a footnote on the current issues with it as suggested by Elliott Mitchell. Removed loops (echo to 'all') in the kernel's network security script as suggested by Elliott Mitchell. Added more (up-to-date) information in the antivirus section. Rewrote the buffer overflow protection section and added more information on patches to the compiler to enable this kind of protection. Version 2.96 (august 2003)

Changes by Javier Fernández-Sanguino Peña Removed (and then re-added) appendix on chrooting Apache. The appendix is now dual-licensed. Version 2.95 (June 2003)

Changes by Javier Fernández-Sanguino Peña Fixed typos spotted by Leonard Norrgard. Added a section on how to contact CERT for incident handling () More information on setting up a Squid proxy. Added a pointer and removed a FIXME thanks to Helge H. F. Fixed a typo (save_inactive) spotted by Philippe Faes. Fixed several typos spotted by Jaime Robles. Version 2.94 (April 2003)

Changes by Javier Fernández-Sanguino Peña Following Maciej Stachura's suggestions I've expanded the section on limiting users. Fixed typo spotted by Wolfgang Nolte. Fixed links with patch contributed by Ruben Leote Mendes. Added a link to David Wheeler's excellent document on the footnote about counting security vulnerabilities. Version 2.93 (march 2003)

Changes made by Frédéric Schütz. rewrote entirely the section of ext2 attributes (lsattr/chattr) Version 2.92 (February 2003)

Changes by Javier Fernández-Sanguino Peña and Frédéric Schütz. Merged section 9.3 ("useful kernel patches") into section 4.13 ("Adding kernel patches"), and added some content. Added a few more TODOs. Added information on how to manually check for updates and also about cron-apt. That way Tiger is not perceived as the only way to do automatic update checks. Slight rewrite of the section on executing security updates due to Jean-Marc Ranger's comments. Added a note on Debian's installation (which will suggest that the user execute a security update right after installation) Version 2.91 (January/February 2003)

Changes by Javier Fernández-Sanguino Peña (me). Added a patch contributed by Frédéric Schütz. Added a few more references on capabilities thanks to Frédéric. Slight changes in the bind section adding a reference to BIND's 9 online documentation and proper references in the first area (Hi Pedro!) Fixed the changelog date - new year :-) Added a reference to Colin's articles for the TODOs. Removed reference to old ssh+chroot patches. More patches from Carlo Perassi. Typo fixes (recursive in Bind is recursion), pointed out by Maik Holtkamp. Version 2.9 (December 2002)

Changes by Javier Fernández-Sanguino Peña (me). Reorganized the information on chroot (merged two sections, it didn't make much sense to have them separated) Added the notes on chrooting Apache provided by Alexandre Ratti. Applied patches contributed by Guillermo Jover. Version 2.8 (November 2002)

Changes by Javier Fernández-Sanguino Peña (me). Applied patches from Carlo Perassi, fixes include: re-wrapping the lines, URL fixes, and fixed some FIXMEs Updated the contents of the Debian security team FAQ. Added a link to the Debian security team FAQ and the Debian Developer's reference, the duplicated sections might (just might) be removed in the future. Fixed the hand-made auditing section with comments from Michal Zielinski. Added links to wordlists (contributed by Carlo Perassi) Fixed some typos (still many around). Fixed TDP links as suggested by John Summerfield. Version 2.7 (October 2002)

Changes by Javier Fernández-Sanguino Peña (me). Note: I still have a lot of pending changes in my mailbox (which is currently about 5 Mbs in size). Some typo fixes contributed by Tuyen Dinh, Bartek Golenko and Daniel K. Gebhart. Note regarding /dev/kmem rootkits contributed by Laurent Bonnaud Fixed typos and FIXMEs contributed by Carlo Perassi. Version 2.6 (September 2002)

Changes by Chris Tillman, tillman@voicetrak.com. Changed around to improve grammar/spelling. s/host.deny/hosts.deny/ (1 place) Applied Larry Holish's patch (quite big, fixes a lot of FIXMEs) Version 2.5 (September 2002)

Changes by Javier Fernández-Sanguino Peña (me). Fixed minor typos submitted by Thiemo Nagel. Added a footnote suggested by Thiemo Nagel. Fixed an URL link. Version 2.5 (August 2002)

Changes by Javier Fernández-Sanguino Peña (me). There were many things waiting on my inbox (as far back as february) to be included, so I'm going to tag this the back from honeymoon release :) Added some information on how to setup the Xscreensaver to lock automatically the screen after the configured timeout. Add a note related to the utilities you should not install in the system. Including a note regarding Perl and why it cannot be easily removed in Debian. The idea came after reading Intersect's documents regarding Linux hardening. Added information on lvm and journaling filesystems, ext3 recommended. The information there might be too generic, however. Added a link to the online text version (check). Added some more stuff to the information on firewalling the local system triggered by a comment made by Hubert Chan in the mailing list. Added more information on PAM limits and pointers to Kurt Seifried's documents (related to a post by him to Bugtraq on April 4th 2002 answering a person that had ``discovered'' a vulnerability in Debian GNU/Linux related to resource starvation) As suggested by Julián Muñoz, provided more information on the default Debian umask and what a user can access if he has been given a shell in the system (scary, huh?) Included a note in the BIOS password section due to a comment from from Andreas Wohlfeld. Included patches provided by Alfred E. Heggestad fixing many of the typos still present in the document. Added a pointer to the changelog in the Credits section since most people who contribute are listed here (and not there) Added a few more notes to the chattr section and a new section after installation talking about system snapshots. Both ideas were contributed by Kurt Pomeroy. Added a new section after installation just to remember users to change the boot-up sequence. Added some more TODO items provided by Korn Andras. Added a pointer to the NIST's guidelines on how to secure DNS provided by Daniel Quinlan. 
Added a small paragraph regarding Debian's SSL certificates infrastructure. Added Daniel Quinlan's suggestions regarding ssh authentication and exim's relay configuration. Added more information regarding securing bind including changes suggested by Daniel Quinlan and an appendix with a script to make some of the changes commented on that section. Added a pointer to another item regarding Bind chrooting (needs to be merged) Added a one liner contributed by Cristian Ionescu-Idbohrn to retrieve packages with tcpwrappers support. Added a little bit more info on Debian's default PAM setup. Included a FAQ question about using PAM to give services w/o shell accounts. Moved two FAQ items to another section and added a new FAQ regarding attack detection (and compromised systems). Included information on how to setup a bridge firewall (including a sample Appendix). Thanks to Francois Bayart who sent me this on march. Added a FAQ regarding the syslogd's MARK heartbeat from a question answered by Noah Meyerhans and Alain Tesio on December 2001. Included information on buffer overflow protection as well as some information on kernel patches. Added more information (and reorganised) the firewall section. Updated the information regarding the iptables package and the firewall generators available. Reorganized the information regarding logchecking, moved logcheck information from host intrusion detection to that section. Added some information on how to prepare a static package for bind for chrooting (untested). Added a FAQ item (could be expanded with some of the recomendations from the debian-security list regarding some specific servers/services). Added some information on RPC services (and when it's necessary). Added some more information on capabilities (and what lcap does). Is there any good documentation on this? I haven't found any on my 2.4 kernel. Fixed some typos. Version 2.4

Changes by Javier Fernández-Sanguino Peña. Rewritten part of the BIOS section. Version 2.3

Changes by Javier Fernández-Sanguino Peña. Wrapped most file locations with the file tag. Fixed typo noticed by Edi Stojicevi. Slightly changed the remote audit tools section. Added some todo items. Added more information regarding printers and cups config file (taken from a thread on debian-security). Added a patch submitted by Jesus Climent regarding access of valid system users to Proftpd when configured as anonymous server. Small change on partition schemes for the special case of mail servers. Added Hacking Linux Exposed to the books section. Fixed directory typo noticed by Eduardo Pérez Ureta. Fixed /etc/ssh typo in checklist noticed by Edi Stojicevi. Version 2.3

Changes by Javier Fernández-Sanguino Peña. Fixed location of dpkg conffile. Remove Alexander from contact information. Added alternate mail address. Fixed Alexander mail address (even if commented out). Fixed location of release keys (thanks to Pedro Zorzenon for pointing this out). Version 2.2

Changes by Javier Fernández-Sanguino Peña. Fixed typos, thanks to Jamin W. Collins. Added a reference to apt-extracttemplate manpage (documents the APT::ExtractTemplate config). Added section about restricted SSH. Information based on that posted by Mark Janssen, Christian G. Warden and Emmanuel Lacour on the debian-security mailing list. Added information on anti-virus software. Added a FAQ: su logs due to the cron running as root. Version 2.1

Changes by Javier Fernández-Sanguino Peña. Changed FIXME from lshell thanks to Oohara Yuuma. Added package to sXid and removed comment since it *is* available. Fixed a number of typos discovered by Oohara Yuuma. ACID is now available in Debian (in the acidlab package) thanks to Oohara Yuuma for noticing. Fixed LinuxSecurity links (thanks to Dave Wreski for telling). Version 2.0

Changes by Javier Fernández-Sanguino Peña. I wanted to change to 2.0 when all the FIXMEs were, er, fixed but I run out of 1.9X numbers :( Converted the HOWTO into a Manual (now I can properly say RTFM) Added more information regarding tcp wrappers and Debian (now many services are compiled with support for them so it's no longer an inetd issue). Clarified the information on disabling services to make it more consistent (rpc info still referred to update-rc.d) Added small note on lprng. Added some more info on compromised servers (still very rough) Fixed typos reported by Mark Bucciarelli. Added some more steps in password recovery to cover the cases when the admin has set paranoid-mode=on. Added some information to set paranoid-mode=on when login in console. New paragraph to introduce service configuration. Reorganised the After installation section so it is more broken up into several issues and it's easier to read. Written information on howto setup firewalls with the standard Debian 3.0 setup (iptables package). Small paragraph explaining why installing connected to the Internet is not a good idea and how to avoid this using Debian tools. Small paragraph on timely patching referencing to IEEE paper. Appendix on how to setup a Debian snort box, based on what Vladimir sent to the debian-security mailing list (September 3rd 2001) Information on how logcheck is setup in Debian and how it can be used to setup HIDS. Information on user accounting and profile analysis. Included apt.conf configuration for read-only /usr copied from Olaf Meeuwissen's post to the debian-security mailing list New section on VPN with some pointers and the packages available in Debian (needs content on how to setup the VPNs and Debian-specific issues), based on Jaroslaw Tabor's and Samuli Suonpaa's post to debian-security. 
Small note regarding some programs to automatically build chroot jails New FAQ item regarding identd based on a discussion in the debian-security mailing list (February 2002, started by Johannes Weiss). New FAQ item regarding inetd based on a discussion in the debian-security mailing list (February 2002). Introduced note on rcconf in the "disabling services" section. Varied the approach regarding LKM, thanks to Philipe Gaspar Added pointers to CERT documents and Counterpane resources Version 1.99

Changes by Javier Fernández-Sanguino Peña. Added a new FAQ item regarding time to fix security vulnerabilities. Reorganised FAQ sections. Started writing a section regarding firewalling in Debian GNU/Linux (could be broadened a bit) Fixed typos sent by Matt Kraai Fixed DNS information Added information on whisker and nbtscan to the auditing section. Fixed some wrong URLs Version 1.98

Changes by Javier Fernández-Sanguino Peña. Added a new section regarding auditing using Debian GNU/Linux. Added info regarding finger daemon taken from the security mailing list. Version 1.97

Changes by Javier Fernández-Sanguino Peña. Fixed link for Linux Trustees Fixed typos (patches from Oohara Yuuma and Pedro Zorzenon) Version 1.96

Changes by Javier Fernández-Sanguino Peña. Reorganized service installation and removal and added some new notes. Added some notes regarding using integrity checkers as intrusion detection tools. Added a chapter regarding package signatures. Version 1.95

Changes by Javier Fernández-Sanguino Peña. Added notes regarding Squid security sent by Philipe Gaspar. Fixed rootkit links thanks to Philipe Gaspar. Version 1.94

Changes by Javier Fernández-Sanguino Peña. Added some notes regarding Apache and Lpr/lpng. Added some information regarding noexec and read-only partitions. Rewritten how can users help in Debian security issues (FAQ item). Version 1.93

Changes by Javier Fernández-Sanguino Peña. Fixed location of mail program. Added some new items to the FAQ. Version 1.92

Changes by Javier Fernández-Sanguino Peña. Added a small section on how Debian handles security Clarified MD5 passwords (thanks to `rocky') Added some more information regarding harden-X from Stephen van Egmond Added some new items to the FAQ Version 1.91

Changes by Javier Fernández-Sanguino Peña. Added some forensics information sent by Yotam Rubin. Added information on how to build a honeynet using Debian GNU/Linux. Added some more TODOS. Fixed more typos (thanks Yotam!) Version 1.9

Changes by Javier Fernández-Sanguino Peña. Added patch to fix misspellings and some new information (contributed by Yotam Rubin) Added references to other online (and offline) documentation both in a section (see ) by itself and inline in some sections. Added some information on configuring Bind options to restrict access to the DNS server. Added information on how to automatically harden a Debian system (regarding the harden package and bastille). Removed some done TODOs and added some new ones. Version 1.8

Changes by Javier Fernández-Sanguino Peña. Added the default user/group list provided by Joey Hess to the debian-security mailing list. Added information on LKM root-kits () contributed by Philipe Gaspar. Added information on Proftp contributed by Emmanuel Lacour. Recovered the checklist Appendix from Era Eriksson. Added some new TODO items and removed other fixed ones. Manually included Era's patches since they were not all included in the previous version. Version 1.7

Changes by Era Eriksson. Typo fixes and wording changes

Changes by Javier Fernández-Sanguino Peña. Minor changes to tags in order to keep on removing the tt tags and substitute them for prgn/package tags. Version 1.6

Changes by Javier Fernández-Sanguino Peña. Added pointer to document as published in the DDP (should supersede the original in the near future) Started a mini-FAQ (should be expanded) with some questions recovered from my mailbox. Added general information to consider while securing. Added a paragraph regarding local (incoming) mail delivery. Added some pointers to more information. Added information regarding the printing service. Added a security hardening checklist. Reorganized NIS and RPC information. Added some notes taken while reading this document on my new Visor :) Fixed some badly formatted lines. Fixed some typos. Added a Genius/Paranoia idea contributed by Gaby Schilders. Version 1.5

Changes by Josip Rodin and Javier Fernández-Sanguino Peña. Added paragraphs related to BIND and some FIXMEs. Version 1.4

Small setuid check paragraph Various minor cleanups Found out how to use sgml2txt -f for the txt version Version 1.3

Added a security update after installation paragraph Added a proftpd paragraph This time really wrote something about XDM, sorry for last time Version 1.2

Lots of grammar corrections by James Treacy, new XDM paragraph Version 1.1

Typo fixes, miscellaneous additions Version 1.0

Initial release Danksagungen

Alexander Reelsen schrieb die ursprüngliche Version. Javier Fernández-Sanguino fügte der Originalversion einiges an Informationen hinzu. Robert van der Meulen stellte den Abschnitt über Quota und viele seiner guten Ideen zur Verfügung. Ethan Benson korrigierte den PAM-Abschnitt und hatte einige gute Ideen. Dariusz Puchalak trug Information zu verschiedenen Kapiteln bei. Gaby Schilders trug eine nette Genius/Paranoia Idee bei. Era Eriksson gab dem Ganzen an vielen Stellen den sprachlichen Feinschliff und trug zur Checkliste im Anhang bei. Philipe Gaspar schrieb die LKM-Informationen. Yotam Rubin trug sowohl Korrekturen für viele Tippfehler bei als auch Informationen über die Versionen von Bind und MD5-Passwörter. Francois Bayart stellte den Anhang zur Verfügung, in dem beschrieben wird, wie man eine Bridge-Firewall aufsetzt. Joey Hess schrieb im den Abschnitt, der erklärt, wie Secure Apt funktioniert. Martin F. Krafft schrieb in seinem Blog etwas darüber, wie die Verifizierung von Fingerprints funktioniert. Dies wurde im Abschnitt über Secure Apt verwendet. All den Leuten, die Verbesserungen vorschlugen, die (letzten Endes) eingeflossen sind (siehe ). Francesco Poli sah dieses Dokument umfassend durch und stellte eine große Anzahl von Fehlerberichten und Tippfehlern zur Verfügung, mit denen dieses Dokument verbessert und aktualisiert werden konnte. (Alexander) All den Leuten, die mich ermutigten dieses HOWTO zu schreiben (die später zu einer ganzen Anleitung wurde). Dem ganzen Debian-Projekt. Danksagungen des Übersetzers

Auch der Übersetzer Simon Brandmair (sbrandmair@gmx.net) hat einigen Leuten zu danken, die mit Verbesserungen, Korrekturen und Ratschlägen zum Gelingen der Übersetzung beigetragen haben: Christoph Haas Mirko Jahn Frank Loeffler Andreas Marc Klingler Elisabeth Bauer Jens Kubieziel Uli Martens Jens Schuessler Marcel Schaal Jens Seidel Constantin Hagemeier

Besonders möchte ich Alexander Schmehl danken, der die erste deutsche Übersetzung angefertigt hat.

Insbesondere sei den Mitglieder der Mailingliste gedankt, für gute Ideen und fruchtbare Diskussionen.

VIELEN DANK! Ohne euch hätte ich zwar nur halb so viel Arbeit gehabt, aber viel mehr Leute könnten sich jetzt über meine mangelhaften Orthographiekenntnisse amüsieren! harden-doc-3.15.1/howto-source/de/before-begin.sgml0000644000000000000000000002640710550105724016741 0ustar Bevor Sie beginnen ... Wofür möchten Sie dieses System benutzen?

Das Absichern von Debian ist nicht viel anders als das Absichern von irgendeinem anderen System. Um es richtig zu machen, müssen Sie zunächst entscheiden, was Sie damit machen möchten. Anschließend müssen Sie sich klarmachen, dass die folgenden Schritte sorgfältig ausgeführt werden müssen, um ein wirklich sicheres System zu bekommen.

Sie werden feststellen, dass diese Anleitung von der Pike auf geschrieben ist. Sie werden die Informationen zu einer Aufgabe, die Sie vor, während und nach der Debian-Installation ausführen sollten, in der entsprechenden Reihenfolge vorgestellt bekommen. Die einzelnen Aufgaben können wie folgt beschrieben werden: Entscheiden Sie, welche Dienste Sie benötigen, und beschränken Sie Ihr System auf selbige. Dies schließt das Deaktivieren / Deinstallieren von nicht benötigten Diensten und das Installieren von Firewall-ähnlichen Filtern oder TCP-Wrappern ein. Einschränken der Nutzer- und Zugriffsrechte auf Ihrem System. Abhärten der angebotenen Dienste, damit der Einfluss auf Ihr System im Falle einer Kompromittierung möglichst gering ist. Benutzen Sie die passenden Tools, um sicherzustellen, dass ein unautorisierter Zugriff auf Ihrem System entdeckt wird, so dass Sie geeignete Gegenmaßnahmen ergreifen können. Seien Sie wachsam gegenüber generellen Sicherheitsproblemen!

Diese Anleitung geht (normalerweise) nicht im Detail darauf ein, warum bestimmte Sachen als Sicherheitsrisiko betrachtet werden. Es wäre aber sicherlich von Vorteil, wenn Sie mehr Hintergrundwissen von der Sicherheit in Unix im Allgemeinen und von der in Linux im Besonderen haben. Nehmen Sie sich die Zeit, um sicherheitsrelevante Dokumente zu lesen, um Entscheidungen informiert treffen zu können, wenn Sie eine Auswahl treffen müssen. Debian GNU/Linux basiert auf dem Linux-Kernel, so dass viele Informationen über Linux, und sogar über andere Distributionen und allgemeine UNIX-Sicherheit, auch hierauf zutreffen (sogar wenn sich die benutzten Werkzeuge oder die verfügbaren Programme unterscheiden).

Ein paar nützliche Dokumente sind: Das (auch unter verfügbar) ist eine der besten Referenzen über allgemeine Linux-Sicherheit. Das ist ein sehr guter Anfang für unerfahrene Nutzer (sowohl über Linux als auch zum Thema Sicherheit). Der ist eine komplette Anleitung, die alle Sicherheitsangelegenheiten von Linux behandelt, von Sicherheit im Kernel bis hin zu VPNs. Beachten Sie bitte, dass er seit 2001 nicht mehr aktualisiert wurde, trotzdem sind einige Informationen immer noch sachdienlich. Irgendwann wurde er von der "Linux Security Knowledge Base" abgelöst. Dieses Dokument wird ebenfalls durch das Paket lasg zur Verfügung gestellt. Jetzt wird der Guide wieder unter dem Namen Lasg verbreitet. Kurt Seifried's . In finden Sie eine Dokumentation ähnlich zu dieser, bezogen auf Red Hat. Manche behandelten Sachen sind nicht distributionsspezifisch, passen also auch auf Debian. Ein anderes Red Hat bezogenes Dokument ist der . IntersectAlliance hat einige Dokumente veröffentlicht, die als Referenz benutzt werden können, wie man einen Linux-Server (und seine Dienste) abhärtet. Diese Dokumente sind auf verfügbar. Für Netzwerk-Administratoren ist das ein gutes Handbuch, wie man sein Netzwerk absichert. Wenn Sie die Programme, die Sie benutzen möchten (oder die Sie neu schreiben wollen), bezüglich Sicherheit auswerten wollen, sollten Sie das durchlesen (die Vorlage ist unter verfügbar). Es beinhaltet Präsentationen und Kommentare des Autors David Wheeler. Wenn Sie es in Betracht ziehen, eine Firewall zu installieren, sollten Sie das und das (bei Kerneln vor Version 2.4) lesen. Schließlich ist die eine gute Kurzübersicht, um in Sachen Sicherheit auf dem aktuellen Stand zu bleiben.

In jedem Fall gibt es mehr Informationen über die hier behandelten Dienste (NFS, NIS, SMB, ...) in den vielen HOWTOs, die Sie beim finden. Manche dieser Dokumente gehen auf die Sicherheitsaspekte von bestimmten Diensten ein. Gehen Sie sicher, dass Sie auch hierauf einen Blick werfen.

Die HOWTO-Dokumente des Linux-Dokumentations-Projektes sind unter Debian GNU/Linux durch Installation der Pakete doc-linux-text (englische Text-Version) oder doc-linux-de (HTML-Version) verfügbar. Nach der Installation sind diese Dokumente in den Verzeichnissen /usr/share/doc/HOWTO/en-txt beziehungsweise /usr/share/doc/HOWTO/de-html vorhanden.

Andere empfohlene Linux-Bücher: Maximum Linux Security : A Hacker's Guide to Protecting Your Linux Server and Network. Anonymous. Paperback - 829 pages. Sams Publishing. ISBN: 0672313413. July 1999. Linux Security By John S. Flowers. New Riders; ISBN: 0735700354. March 1999 By Brian Hatch. McGraw-Hill Higher Education. ISBN 0072127732. April, 2001

Andere Bücher (auch über allgemeine Aspekte von Sicherheit unter Unix, nicht nur Linuxspezifisch): Garfinkel, Simpson, and Spafford, Gene; O'Reilly Associates; ISBN 0-56592-148-8; 1004pp; 1996. Firewalls and Internet Security Cheswick, William R. and Bellovin, Steven M.; Addison-Wesley; 1994; ISBN 0-201-63357-4; 320pp.

Andere nützliche Webseiten, um sich bezüglich Sicherheit auf dem Laufenden zu halten: . Dort wird die Bugtraq-Schwachstellen-Datenbank und Mailingliste bereitgestellt und es gibt allgemeine sicherheitsrelevante Informationen, Neuigkeiten und Berichte. . Allgemeine Informationen zu Sicherheit von Linux (Tools, Neuigkeiten ...). Die Seite ist sehr nützlich. . Allgemeine Informationen zu Linux Firewalls und Tools, diese zu kontrollieren und zu administrieren. Wie geht Debian mit der Sicherheit um?

Um einen allgemeinen Überblick über die Sicherheit unter Debian GNU/Linux zu bekommen, sollten Sie sich ansehen, was Debian tut, um ein sicheres System zu gewährleisten. Debians Probleme werden immer öffentlich behandelt, sogar wenn sie die Sicherheit betreffen. Sicherheitsfragen werden öffentlich auf der debian-security-Mailingliste diskutiert. Debian-Sicherheits-Ankündigungen (DSA) werden an öffentliche Mailinglisten (sowohl intern als auch extern) versendet und auf öffentlichen Servern bekannt gegeben. Wie der sagt:

Wir werden Probleme nicht verbergen.

Wir werden unsere Fehlerdatenbank immer öffentlich betreiben. Fehlermeldungen, die von Personen online abgeschickt werden, sind augenblicklich für andere sichtbar. Debian verfolgt Sicherheitsangelegenheiten sehr aufmerksam. Das Sicherheits-Team prüft viele sicherheitsrelevante Quellen, die wichtigste davon , während es Pakete mit Sicherheitsproblemen sucht, die ein Teil von Debian sein können. Sicherheits-Aktualisierungen genießen höchste Priorität. Wenn ein Sicherheitsproblem in einem Debian-Paket entdeckt wird, wird eine Sicherheits-Aktualisierung so schnell wie möglich vorbereitet und für den Stabile-, Testing- und Unstabile-Zweig, einschließlich aller Architekturen, veröffentlicht. Alle Informationen über Sicherheit sind an einer zentralen Stelle zu finden: . Debian versucht immer, die gesamte Sicherheit seiner Distribution zu verbessern, beispielsweise durch automatische Paket-Signierungs- und Verifikations-Mechanismen. Debian stellt eine brauchbare Anzahl von sicherheitsrelevanten Werkzeugen für System-Administratoren und zur Überwachung zur Verfügung. Entwickler versuchen, diese Werkzeuge fest mit der Distribution zu verbinden, um sie anpassbarer zur Durchsetzung lokaler Sicherheits-Regelungen zu machen. Diese Werkzeuge schließen Folgendes mit ein: integritätsprüfende Programme, allgemeine Prüfwerkzeuge, Werkzeuge zum Abhärten, Werkzeuge für Firewalls, Eindringlings-Erkennungs-Tools und vieles andere. Paketbetreuer sind sich der Sicherheits-Probleme bewusst. Dies führt oft zu "voreingestellt sicheren" Installationen von Diensten, die sie manchmal in ihrer normalen Benutzung etwas einschränken können. Dennoch versucht Debian, Sicherheitsaspekte und Einfachheit der Administration abzuwägen, zum Beispiel werden Dienste nicht inaktiv installiert (wie es bei den Betriebssystemen der BSD-Familie üblich ist). Auf jeden Fall sind bedeutende Sicherheitsaspekte, wie zum Beispiel setuid-Programme, Teil der .

Dieses Dokument versucht, eine bessere Installation von Computersystemen hinsichtlich der Sicherheit zu erzielen, indem es Informationen über Sicherheit veröffentlicht, die auf Debian zugeschnitten sind, und diese durch andere Dokumente ergänzt, die sicherheitsspezifische Angelegenheiten im Zusammenhang mit Debian behandeln (vergleiche ). harden-doc-3.15.1/howto-source/de/copyleft.sgml0000644000000000000000000000317010643704617016243 0ustar Copyright © 2002-2007 Javier Fernández-Sanguino Peña

Copyright © 2001 Alexander Reelsen, Javier Fernández-Sanguino Peña

Copyright © 2000 Alexander Reelsen

An manchen Abschnitten besteht ein Copyright © der jeweiligen Autoren. Genaueres erfahren Sie unter .

Es ist erlaubt, dieses Dokument unter den Bedingungen der oder jeder späteren Version, die von der Free Software Foundation veröffentlicht wird, zu kopieren, zu verbreiten und/oder zu verändern. Es wird in der Hoffnung veröffentlicht, dass es sich als nützlich erweisen könnte, aber OHNE JEDE GEWÄHRLEISTUNG.

Es ist erlaubt, unveränderte Kopien dieses Dokuments zu erstellen und zu vertreiben, vorausgesetzt der Copyright-Hinweis und diese Genehmigung bleiben auf allen Kopien erhalten.

Es ist erlaubt, veränderte Kopien dieses Dokuments unter den Voraussetzungen für unverändertes Kopieren zu erstellen und zu vertreiben, sofern die gesamte resultierende Arbeit unter den Bedingungen einer Genehmigung identisch zu dieser vertrieben wird.

Es ist erlaubt, Übersetzungen dieses Dokuments in eine andere Sprache, unter den obigen Bedingungen für veränderte Versionen zu kopieren und zu verteilen, mit der Ausnahme, dass diese Genehmigung übersetzt, statt im ursprünglichem Englisch, eingebunden werden kann, sofern diese Übersetzung (des Copyrights) von der Free Software Foundation genehmigt ist. harden-doc-3.15.1/howto-source/de/developer.sgml0000644000000000000000000003220211051553224016367 0ustar Der gute Umgang von Entwicklern mit der Sicherheit des OS

Dieses Kapitel handelt von einigen der anerkannten Vorgehensweisen, wenn Entwickler Pakete für Debian erstellen. Wenn Sie sehr an sicherheitsbewusster Programmierung interessiert sind, sollten Sie David Wheelers und von Mark G. Graff und Kenneth R. van Wyk (O'Reilly, 2003) lesen. Das richtige Vorgehen für die Nachprüfung der Sicherheit und Gestaltung

Entwickler, die Software in Pakete packen, sollten größte Anstrengung darauf verwenden sicherzustellen, dass die Installation der Software und ihre Verwendung keine Sicherheitsrisiken für das System oder seine Benutzer eröffnet.

Dazu sollten sie vor der Veröffentlichung der Software oder einer neuen Version den Quellcode des Pakets nachprüfen, um Fehler zu finden, die zu Sicherheitslücken führen können. Bekanntermaßen ist der Aufwand für die Fehlerbehebung in verschiedenen Stadien der Entwicklung unterschiedlich. So ist es leichter (und billiger), Fehler während der Entwicklung auszubessern als später, wenn die Software schon herausgegeben wurde und nur noch gewartet wird (einige Studien behaupten, dass die Kosten in dieser Phase 60 Mal höher sind). Es gibt Hilfsmittel, die versuchen, Fehler automatisch zu entdecken. Entwickler sollten dennoch die verschiedenen Sicherheitsfehler kennen, damit sie sie verstehen und sie so in eigenen (oder fremden) Programmcode entdecken können.

Programmierfehler, die typischerweise zu Sicherheitsproblemen führen, sind insbesondere: , Format-String-Überläufe, Heap-Überläufe und Integer-Überläufe (in C/C++-Programmen), vorübergehende (in Skripten), , die Einschleusung von Befehlen (auf Servern) und sowie (bei web-orientierten Anwendungen). Eine ausführliche Liste von Sicherheitsfehlern finden Sie in Fortifys .

Einige dieser Probleme können Sie nur erkennen, wenn Sie ein Experte in der verwendeten Programmiersprache sind. Aber andere können leicht entdeckt und behoben werden. Zum Beispiel kann eine Symlink-Schwachstelle auf Grund einer falschen Verwendung von temporären Verzeichnissen ohne Weiteres entdeckt werden, indem Sie grep -r "/tmp/" . ausführen. Diese Verweise sollten überprüft werden und fest einprogrammierte Dateinamen in temporären Verzeichnissen in Shell-Skripten mit mktemp oder tempfile, in Perl-Skripten mit und in C/C++ mit ersetzt werden.

Es stehen Ihnen einige Werkzeuge zur Verfügung, die Sie dabei unterstützen, den Quellcode auf Sicherheitsprobleme hin zu überprüfen. Dazu zählen rats, flawfinder und pscan. Weitere Informationen finden Sie in der .

Beim Paketieren von Software sollten Entwickler darauf achten, dass sie allgemein anerkannte Sicherheitsprinzipien einhalten. Dazu gehören: Die Software sollte mit so geringen Rechten wie möglich laufen Falls das Paket Binaries mit setuid oder setgid enthält, wird Lintian vor -, - und -Binaries warnen. Die Daemons, die in einem Paket enthalten sind, sollten mit den Rechten eines Benutzers laufen, der nur geringe Privilegien besitzt (vergleichen Sie dazu ). Automatisierte Aufgaben (also mit cron) sollten NICHT mit Root-Rechten laufen. Zumindest sollten mit Root-Rechten keine komplizierten Aufgaben erledigt werden.

Falls Sie diese Prinzipien nicht einhalten können, sollten Sie sichergehen, dass das Programm, das mit umfangreicheren Rechten läuft, auf Sicherheitsprobleme überprüft wurde. Wenn Sie sich nicht sicher sind oder Hilfe benötigen, sollten Sie sich mit dem in Verbindung setzen. Wenn Binaries setuid/setgid verwenden, sollten Sie die Richtlinie von Debian zu beachten.

Für weitere Informationen, insbesondere hinsichtlich Sicherheitsfragen, sollten Sie das und das Portal lesen (oder den Programmautor darauf hinweisen). Benutzer und Gruppen für Daemons erstellen

Wenn Ihre Software als Daemon läuft, der keine Root-Rechte benötigt, müssen Sie für ihn einen Benutzer erstellen. Es gibt zwei Arten von Benutzern in Debian, die für Pakete verwendet werden können: statische UIDs (werden von base-passwd vergeben, eine Liste der statischen Benutzer in Debian finden Sie bei ) und dynamische UIDs, die in einem zugewiesenen Bereich liegen.

Im ersten Fall müssen Sie mit base-passwd eine Benutzer- oder Gruppen-ID erstellen. Wenn der Benutzer verfügbar ist, muss das Paket, das Sie anbieten möchten, eine Abhängigkeit vom Paket base-passwd enthalten.

Im zweiten Fall müssen Sie den Systembenutzer entweder in preinst oder in postinst erstellen und dafür sorgen, dass das Paket von adduser (>= 3.11) abhängt.

Im folgenden Programmbeispiel soll gezeigt werden, wie der Benutzer oder Gruppe, mit deren Rechten der Daemon laufen wird, bei der Installation oder Aktualisierung des Pakets erstellt wird. [...] case "$1" in install|upgrade) # If the package has default file it could be sourced, so that # the local admin can overwrite the defaults [ -f "/etc/default/packagename" ] && . /etc/default/packagename # Sane defaults: [ -z "$SERVER_HOME" ] && SERVER_HOME=server_dir [ -z "$SERVER_USER" ] && SERVER_USER=server_user [ -z "$SERVER_NAME" ] && SERVER_NAME="Server description" [ -z "$SERVER_GROUP" ] && SERVER_GROUP=server_group # Groups that the user will be added to, if undefined, then none. ADDGROUP="" # create user to avoid running server as root # 1. create group if not existing if ! getent group | grep -q "^$SERVER_GROUP:" ; then echo -n "Adding group $SERVER_GROUP.." addgroup --quiet --system $SERVER_GROUP 2>/dev/null ||true echo "..done" fi # 2. create homedir if not existing test -d $SERVER_HOME || mkdir $SERVER_HOME # 3. create user if not existing if ! getent passwd | grep -q "^$SERVER_USER:"; then echo -n "Adding system user $SERVER_USER.." adduser --quiet \ --system \ --ingroup $SERVER_GROUP \ --no-create-home \ --disabled-password \ $SERVER_USER 2>/dev/null || true echo "..done" fi # 4. adjust passwd entry usermod -c "$SERVER_NAME" \ -d $SERVER_HOME \ -g $SERVER_GROUP \ $SERVER_USER # 5. adjust file and directory permissions if ! dpkg-statoverride --list $SERVER_HOME >/dev/null then chown -R $SERVER_USER:adm $SERVER_HOME chmod u=rwx,g=rxs,o= $SERVER_HOME fi # 6. Add the user to the ADDGROUP group if test -n $ADDGROUP then if ! groups $SERVER_USER | cut -d: -f2 | \ grep -qw $ADDGROUP; then adduser $SERVER_USER $ADDGROUP fi fi ;; configure) [...]

Außerdem müssen Sie für das Init.d-Skript sicherstellen, dass der Daemon beim Starten seine Rechte ablegt: Wenn die Software nicht selbst den oder Aufruf absetzt, sollten Sie die Option --chuid für start-stop-daemon verwenden. dass der Daemon nur angehalten wird, wenn die Benutzer-IDs übereinstimmen. Dafür ist die Option --user von start-stop-daemon hilfreich. dass der Daemon nicht gestartet wird, wenn sein Benutzer oder Gruppe nicht existiert: if ! getent passwd | grep -q "^server_user:"; then echo "Server user does not exist. Aborting" >&2 exit 1 fi if ! getent group | grep -q "^server_group:" ; then echo "Server group does not exist. Aborting" >&2 exit 1 fi

Wenn das Paket einen Systembenutzer erstellt, kann er wieder in postrm entfernt werden, wenn das Paket vollständig gelöscht wird (purge). Dabei gibt es allerdings einen Nachteil. Zum Beispiel werden Dateien, die von dem Benutzer des Daemons erstellt wurden, benutzerlos und können später einem neuen Benutzer gehören, dem die gleiche UID zugewiesen wurde Interessante Diskussionen zu diesem Thema finden sich in und .. Daher ist es nicht zwingend notwendig, dass Benutzer beim vollständigen Löschen eines Pakets entfernt werden. Dies hängt vielmehr vom jeweiligen Paket ab. Im Zweifelsfall sollte der Administrator gefragt werden (mit debconf), was passieren soll, wenn ein Paket gelöscht wird.

Sehen Sie sich folgenden Code an Unter Umständen wird er als dh_adduser in debhelper enthalten sein. Sehen Sie sich dazu , und an., der zuvor erstellte Benutzer und Gruppen entfernt. Dies geschieht aber nur dann, wenn die UID im Bereich der dynamisch zugewiesenen System-UIDs liegt und die GID einer Systemgruppe angehört: case "$1" in purge) [...] # find first and last SYSTEM_UID numbers for LINE in `grep SYSTEM_UID /etc/adduser.conf \ | grep -v "^#"`; do case $LINE in FIRST_SYSTEM_UID*) FIST_SYSTEM_UID=`echo $LINE | cut -f2 -d '='` ;; LAST_SYSTEM_UID*) LAST_SYSTEM_UID=`echo $LINE | cut -f2 -d '='` ;; *) ;; esac done # Remove system account if necessary CREATEDUSER="server_user" if [ -n "$FIST_SYSTEM_UID" ] && [ -n "$LAST_SYSTEM_UID" ]; then if USERID=`getent passwd $CREATEDUSER | cut -f 3 -d ':'`; then if [ -n "$USERID" ]; then if [ "$FIST_SYSTEM_UID" -le "$USERID" ] && \ [ "$USERID" -le "$LAST_SYSTEM_UID" ]; then echo -n "Removing $CREATEDUSER system user.." deluser --quiet $CREATEDUSER || true echo "..done" fi fi fi fi # Remove system group if necessary CREATEDGROUP=server_group FIRST_USER_GID=`grep ^USERS_GID /etc/adduser.conf \ | cut -f2 -d '='` if [ -n "$FIST_USER_GID" ] then if GROUPGID=`getent group $CREATEDGROUP \ | cut -f 3 -d ':'`; then if [ -n "$GROUPGID" ]; then if [ "$FIST_USER_GID" -gt "$GROUPGID" ]; then echo -n "Removing $CREATEDGROUP group.." delgroup --only-if-empty $CREATEDGROUP || true echo "..done" fi fi fi fi [...]

Wenn ein Programm unter einem Benutzer mit beschränkten Rechten läuft, wird sichergestellt, dass Sicherheitsprobleme nicht das gesamte System beschädigen können. Dieses Vorgehen beachtet auch das Prinzip der geringst möglichen Privilegien. Denken Sie daran, dass Sie die Rechte eines Programms auch noch durch andere Methoden als beschränkte Benutzerrechte weiter einschränken können Sie können sogar eine SELinux-Richtlinie erstellen.. Weitere Informationen finden Sie im Abschnitt des Buchs Secure Programming for Linux and Unix HOWTO. harden-doc-3.15.1/howto-source/de/services.sgml0000644000000000000000000025715011051565425016246 0ustar Absichern von Diensten, die auf Ihrem System laufen

Dienste können auf zwei Arten in einem laufenden System abgesichert werden: Sie so einstellen, dass auf sie nur von Zugangspunkten (Interfaces) zugegriffen werden kann, von denen es nötig ist. Sie so konfigurieren, dass sie nur von legitimierten Nutzern auf autorisierte Art und Weise benutzt werden können.

Dienste können durch Zugriffsbeschränkungen auf Kernel-Ebene (durch eine Firewall) eingeschränkt werden, so dass auf sie nur von bestimmten Orten aus zugegriffen werden kann. Konfigurieren Sie sie, so dass sie nur auf eine bestimmte Schnittstelle horchen (einige Dienste bieten diese Fähigkeiten vielleicht nicht). Oder verwenden Sie eine andere Methode, zum Beispiel den Linux-vserver-Patch (für 2.4.16), mit dem Prozesse auf eine bestimmte Schnittstelle gebunden werden können.

Was die Dienste angeht, die von inetd aufgerufen werden (telnet, ftp, finger, pop3, ...), so ist es wert zu erwähnen, dass inetd so konfiguriert werden kann, dass er nur auf eine bestimmte Schnittstelle reagiert (unter Verwendung der service@ip-Syntax). Dies ist jedoch eine nicht dokumentierte Eigenschaft. Ein Ersatz, der Meta-Daemon xinetd, kennt eine bind-Option nur für diesen Zweck. Lesen Sie dazu bitte . service nntp { socket_type = stream protocol = tcp wait = no user = news group = news server = /usr/bin/env server_args = POSTING_OK=1 PATH=/usr/sbin/:/usr/bin:/sbin/:/bin +/usr/sbin/snntpd logger -p news.info bind = 127.0.0.1 }

Die folgenden Abschnitte gehen detaillierter darauf ein, wie bestimmte Dienste abhängig von der beabsichtigten Benutzung passend konfiguriert werden. Absichern von ssh

Wenn Sie immer noch telnet statt ssh benutzen, sollten Sie dieses Handbuch kurz beiseite legen, und dies ändern. Ssh sollte anstelle von telnet für alle Fern-Logins benutzt werden. In einer Zeit, in der es leicht ist, Internet-Verkehr mitzuschnüffeln und an Klartext-Passwörter heranzukommen, sollten Sie lediglich Protokolle verwenden, die Kryptographie benutzen. Also führen Sie sofort ein apt-get install ssh auf Ihrem System aus.

Ermuntern Sie alle Nutzer Ihres Systems, ssh anstelle von telnet zu benutzen, oder noch besser: Deinstallieren Sie telnet/telnetd. Zusätzlich sollten Sie es vermeiden, sich mit ssh als root einzuloggen und lieber andere Methoden benutzen, um root zu werden. Wie zum Beispiel su oder sudo. Schließlich sollten Sie noch die Datei /etc/ssh/sshd_config für mehr Sicherheit modifizieren: ListenAddress 192.168.0.1

Lassen Sie ssh nur auf eine bestimmte Schnittstelle hören, falls Sie mehrere haben (und ssh nicht auf allen verfügbar sein soll) oder Sie in Zukunft eine neue Netzwerkkarte einbauen werden (und keine ssh-Verbindungen auf ihr erlauben wollen). PermitRootLogin no

Versuchen Sie, direkte Logins als Root so weit wie möglich zu unterbinden. Wenn nun jemand Root werden will, benötigt er zwei Logins. So kann das Root-Passwort nicht so leicht durchprobiert werden.

Verändern Sie den Listen-Port, so dass ein Eindringling nicht wirklich sicher sein kann, ob ein sshd-Daemon läuft (aber beachten Sie, dass dies lediglich "Sicherheit durch Verschleierung" ist). PermitEmptyPasswords no

Nicht gesetzte Passwörter verspotten jegliche System-Sicherheit. AllowUsers alex ref ich@irgendwo

Erlauben Sie nur bestimmten Nutzern sich via ssh auf der Maschine einzuloggen. user@host kann auch verwendet werden, um einen bestimmten Benutzer user dazu zu zwingen, nur von einem bestimmten Rechner host aus zuzugreifen. AllowGroups wheel admin

Erlauben Sie nur bestimmten Gruppenmitgliedern sich via ssh auf der Maschine einzuloggen. AllowGroups und AllowUsers haben äquivalente Verfahrensweisen, um den Zugang zu der Maschine zu verwehren. Es wird nicht überraschen, dass es sich hierbei um "DenyUsers" und "DenyGroups" handelt. PasswordAuthentication yes

Es ist allein Ihre Wahl, was Sie hier eintragen. Es ist sicherer, Zugriff nur Nutzern zu erlauben, die ssh-Schlüssel in der ~/.ssh/authorized_keys-Datei haben. Wenn Sie dies wollen, setzen Sie es auf "no". Schalten Sie jedwede Art der Authentifizierung ab, die Sie nicht wirklich benötigen, zum Beispiel RhostsRSAAuthentication, HostbasedAuthentication, KerberosAuthentication oder RhostsAuthentication. Sie sollten sie abschalten, auch wenn sie es standardmäßig bereits sind (siehe dazu die Handbuch-Seite ). Protocol 2

Deaktivieren Sie die Protokollversion 1, da diese einige Designschwächen hat, die es einfacher machen, Passwörter zu knacken. Für weitere Informationen lesen Sie oder das . Banner /etc/eine_Datei

Fügen Sie einen Bannertext (er wird aus der Datei bezogen) für Benutzer, die sich mit dem ssh-Server verbinden, hinzu. In einigen Ländern sollte das Senden einer Warnung über unautorisierten Zugriff oder Benutzerüberwachung vor dem Zugriff zu einem bestimmten System erfolgen, um sich rechtlich abzusichern.

Sie können den Zugriff auf den ssh-Server auch mittels pam_listfile oder pam_wheel in der PAM-Kontrolldatei beschränken. Zum Beispiel können Sie jeden abhalten, der nicht in der Datei /etc/loginusers aufgelistet ist, durch Hinzufügen folgender Zeile zu /etc/pam.d/ssh: auth required pam_listfile.so sense=allow onerr=fail item=user file=/etc/loginusers

Abschließend beachten Sie bitte, dass diese Direktiven von einer OpenSSH-Konfigurationsdatei stammen. Derzeit gibt es drei weit verbreitete ssh-Daemonen: ssh1, ssh2 und OpenSSH von den OpenBSD-Leuten. Ssh1 war der erste verfügbare ssh-Daemon und er ist noch der weit verbreitetste (Gerüchten zufolge gibt es sogar eine Windows-Version). Ssh2 hat gegenüber ssh1 viele Vorteile, abgesehen davon, dass es unter einer unfreien Lizenz veröffentlicht wurde. OpenSSH ist ein völlig freier ssh-Daemon, der sowohl ssh1 als auch ssh2 unterstützt. OpenSSH ist die Version, die installiert wird, wenn Sie auf Debian das Paket ssh auswählen.

Mehr Informationen, wie Sie SSH mit Unterstützung für PAM aufsetzen, finden Sie hier: . SSH in ein Chroot-Gefängnis einsperren

Zurzeit bietet OpenSSH keine Möglichkeit, automatisch Benutzer bei der Verbindung in ein Chroot-Gefängnis einzusperren (die kommerzielle Version bietet diese Funktionalität). Wie dem auch sei, es gibt auch ein Projekt, das diese Funktionalität für OpenSSH anbietet, vergleiche . Es ist aber aktuell noch nicht für Debian paketiert. Sie sollten stattdessen das pam_chroot-Modul, wie in in beschrieben, verwenden.

In können Sie verschiedene Optionen finden, um Chroot-Umgebungen für SSH zu erstellen. Ssh-Clients

Wenn Sie einen SSH-Client mit einem SSH-Server verwenden, müssen Sie sicherstellen, dass er die selben Protokolle, die vom Server erzwungen werden, unterstützt. Wenn Sie beispielsweise das Paket mindterm verwenden, unterstützt dies nur Protokollversion 1. Jedoch ist der sshd-Server standardmäßig so konfiguriert, nur Version 2 (aus Sicherheitsgründen) zu akzeptieren. Verbieten von Dateitransfers

Wenn Sie nicht möchten, dass Benutzer Dateien zum und vom ssh-Server übertragen, müssen Sie den Zugang zu sftp-server und zu scp einschränken. Sie können dies für sftp-server tun, indem Sie den korrekten Subsystem-Wert in /etc/ssh/sshd_config eintragen.

Sie können auch Benutzer mittels libpam-chroot in eine Chroot-Umgebung einsperren, so dass sie, selbst wenn Dateitransfers erlaubt sind, auf eine bestimmte Umgebung festgelegt sind, die keine Systemdateien enthält. Beschränkung des Zugangs auf Dateitransfers

Sie können den Zugang von Benutzern der Gestalt beschränken, dass sie nur Dateien übertragen können, aber keine interaktive Shell erhalten. Dies können Sie mit den folgenden Methoden erreichen: den Benutzern verbieten, sich auf dem ssh-Server einzuloggen (wie oben beschrieben entweder durch die Konfigurationsdatei oder die PAM-Konfiguration), oder den Benutzern nur eine eingeschränkte Shell wie scponly oder rssh zuweisen. Diese Shells schränken die Befehle ein, die den Benutzern zur Verfügung stehen, so dass sie auf dem entfernten Rechner keine Befehle ausführen können. Absichern von Squid

Squid ist einer der verbreitetsten Proxy/Cache-Server und es gibt ein paar Sicherheitsaspekte, die Sie beachten sollten. Squids Standard-Konfiguration lehnt alle Anfragen von Benutzern ab. Dennoch erlaubt das Debian-Paket Zugriff von 'localhost', Sie müssen nur Ihren Browser richtig konfigurieren. Sie sollten Squid so konfigurieren, dass er Zugriffe von vertrauenswürdigen Nutzern, Computern oder Netzwerken erlaubt, indem Sie eine Zugriffs-Kontroll-Liste (ACL, Access Control List) in /etc/squid/squid.conf definieren. Mehr Informationen, wie Sie ACLs definieren, finden Sie im . Eine gute deutsche Dokumentation ist das . Beachten Sie, dass Debian eine minimale Konfiguration für Squid bereitstellt, die alles verhindert, mit der Ausnahme, dass localhost sich mit Ihrem Proxy-Server (der standardmäßig mit dem Port 3128 läuft) verbinden kann. Sie müssen Ihre /etc/squid/squid.conf-Datei wie gewünscht anpassen. Die empfohlene minimale Konfiguration (mit dem Paket vertrieben) sieht wie folgt aus: acl all src 0.0.0.0/0.0.0.0 acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl SSL_ports port 443 563 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 563 # https, snews acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl Safe_ports port 901 # SWAT acl purge method PURGE acl CONNECT method CONNECT (...)
# Erlaube nur cachemgr Zugriff von localhost http_access allow manager localhost http_access deny manager # Erlaube nur purge Anfragen von localhost http_access allow purge localhost http_access deny purge # Verbiete Anfragen zu unbekannten Ports http_access deny !Safe_ports # Verbiete CONNECT zu anderen als SSL-Ports http_access deny CONNECT !SSL_ports # # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS # http_access allow localhost # And finally deny all other access to this proxy http_access deny all #Default: # icp_access deny all # #Allow ICP queries from everyone icp_access allow all

Sie sollten Squid auch entsprechend Ihren System-Ressourcen konfigurieren, inklusive Cache-Speicher (Option cache_mem), Lage der gecachten Dateien und der verwendeten Speichermenge auf der Platte (Option cache_dir).

Man beachte, dass es bei ungeeigneter Konfiguration vorkommen kann, dass jemand eine Mail über Squid weiterleitet, da die Protokolle HTTP und SMTP ein ähnliches Design haben. Squids Standardkonfiguration verweigert Zugriffe auf Port 25. Wenn Sie Verbindungen an Port 25 erlauben wollen, fügen Sie ihn einfach zu der Safe_ports-Liste hinzu. Aber dies ist NICHT empfohlen.

Passendes Aufsetzen und Konfigurieren des Proxy/Cache-Servers ist nur ein Teil der Absicherung Ihrer Seite. Eine andere notwendige Aufgabe ist es, Squids Log-Dateien zu analysieren, um sicher zu gehen, dass alles so arbeitet, wie es sollte. Es gibt ein paar Pakete in Debian GNU/Linux, die einem Administrator hierbei helfen können. Die folgenden Pakete sind in Debian 3.0 (Woody) und Debian 3.1 (Sarge) verfügbar: calamaris - Log-Datei-Analysator für Squid oder Oops-Proxy-Log-Dateien. modlogan - Ein modularer Log-Datei-Analysator. sarg - Squid Analysis Report Generator. squidtaild - Squid-Log-Beobachtungsprogramm.

Wenn Squid im »Accelerator Mode« betrieben wird, agiert er auch als Web-Server. Aktivieren dieser Option erhöht die Komplexität des Codes, was ihn weniger vertrauenswürdig macht. Standardmäßig ist Squid nicht dazu konfiguriert, als Web-Server zu arbeiten, Sie müssen sich darüber also keine Gedanken machen. Sie müssen sicher stellen, dass es wirklich nötig ist, wenn Sie diese Eigenschaft nutzen wollen. Weitere Informationen über den »Accelerator Mode« in Squid finden Sie im . Absichern von FTP

Wenn Sie wirklich FTP benutzen müssen (ohne ihn mit sslwrap zu umhüllen oder innerhalb eines SSL- oder SSH-Tunnels), sollten Sie ftp in das Home-Verzeichnis der FTP-Nutzer mit chroot einsperren, so dass sie nichts anderes sehen können als ihr eigenes Verzeichnis. Andernfalls können sie Ihr Root-Dateisystem durchlaufen, als hätten sie Shell-Zugriff darauf. Sie können die folgende Zeile in Ihre proftpd.conf-Datei im globalen Abschnitt hinzufügen, um die chroot-Fähigkeiten zu nutzen: DefaultRoot ~

Starten Sie ProFTPd neu, indem Sie /etc/init.d/proftpd restart eingeben, und prüfen Sie, ob Sie noch aus Ihrem Home-Verzeichnis heraus kommen können.

Um ProFTPd-DoS-Angriffe durch ../../../ zu verhindern, fügen Sie die folgende Zeile Ihrer /etc/proftpd.conf hinzu: DenyFilter \*.*/

Vergessen Sie nicht, dass FTP Login- und Authentifizierungs-Passwort als Klartext sendet (dies ist kein Problem, wenn Sie einen anonymen, öffentlichen Dienst anbieten) und es gibt bessere Alternativen in Debian hierzu. Zum Beispiel sftp (aus dem Paket ssh). Es gibt auch freie Implementierungen von SSH für andere Betriebssysteme, zum Beispiel oder .

Wenn Sie dennoch einen FTP-Server verwalten, während Sie den Nutzern Zugriff via SSH gewähren, könnten Sie auf ein typisches Problem stoßen. Benutzer, die innerhalb eines mit SSH abgesicherten Systems auf einen anonymen FTP-Server zugreifen wollen, können versuchen, sich auf dem FTP-Server einzuloggen. Auch wenn der Zugriff verweigert wird, wird das Passwort trotzdem als Klartext über das Netz gesendet. Um dies zu verhindern, hat der ProFTPd-Entwickler TJ Saunders einen Patch erstellt, der verhindert, dass Nutzer den anonymen FTP-Server mit gültigen SSH-Zugangsdaten füttern. Mehr Informationen und den Patch finden Sie unter: . Dieser Patch wurde auch an Debian gesandt, vergleiche . Zugriff auf das X-Window-System absichern

Heutzutage werden X-Terminals in immer mehr Firmen benutzt, wo ein Server für viele Arbeitsplätze benötigt wird. Dies kann gefährlich sein, weil Sie dem Datei-Server erlauben müssen, sich mit den X-Clients zu verbinden (X-Server aus Sicht von X. X vertauscht die Definition von Client und Server). Wenn Sie dem (sehr schlechten) Vorschlag von vielen Dokumentationen folgen, geben Sie auf Ihrer Maschine xhost + ein. Dies erlaubt jedem X-Client, sich mit Ihrem System zu verbinden. Für etwas bessere Sicherheit können Sie stattdessen das Kommando xhost +Rechnername verwenden, um den Zugriff auf bestimmte Rechner zu begrenzen.

Allerdings ist es eine viel sicherere Lösung, SSH zu benutzen, um X zu tunneln und die gesamte Sitzung zu verschlüsseln. Dies geschieht automatisch, wenn Sie sich auf eine andere Maschine via ssh einloggen. Damit dies funktioniert, müssen Sie den ssh-Client und den ssh-Server konfigurieren. Auf dem ssh-Client sollte ForwardX11 in /etc/ssh/ssh_config auf yes gesetzt sein. Auf dem ssh-Server sollte X11Forwarding in /etc/ssh/sshd_config auf yes gesetzt sein und das Paket xbase-clients sollte installiert sein. Letzteres liegt daran, dass der SSH-Server /usr/X11R6/bin/xauth (bei Debian-Unstable /usr/bin/xauth) verwendet, wenn er das Pseudo-X-Display aufsetzt. In den Zeiten von SSH sollten Sie die xhost-basierte Zugriffskontrolle komplett über Bord werfen.

Wenn Sie keinen X-Zugriff von anderen Maschinen benötigen, ist es für die Sicherheit am besten, die Bindung auf dem TCP-Port 6000 abzuschalten, indem Sie einfach Folgendes eingeben: $ startx -- -nolisten tcp

Dies ist das Standard-Verhalten unter XFree 4.1.0 (der Xserver aus Debian 3.0 und 3.1). Wenn Sie XFree 3.3.6 laufen lassen (d.h. wenn Sie Debian 2.2 benutzen), können Sie /etc/X11/xinit/xserverrc editieren, damit Sie etwas erhalten wie: #!/bin/sh exec /usr/bin/X11/X -dpi 100 -nolisten tcp

Wenn Sie XDM benutzen, setzen Sie /etc/X11/xdm/Xservers auf :0 local /usr/bin/X11/X vt7 -dpi 100 -nolisten tcp. Wenn Sie GDM benutzen, stellen Sie sicher, dass die Option DisallowTCP=true in /etc/gdm/gdm.conf eingetragen ist (was standardmäßig unter Debian der Fall ist). Dies wird grundsätzlich an jede X-Befehlszeile -nolisten tcp anhängen. (GDM wird -nolisten tcp nicht anhängen, wenn es -query oder -indirect in der Befehlszeile findet, da sonst die Anfrage nicht funktionieren würde.)

Sie können außerdem die standardmäßige Zeitgrenze für die xscreensaver-Bildschirmsperre setzen. Auch wenn der Nutzer sie aufheben kann, sollten Sie die Konfigurationsdatei /etc/X11/app-defaults/XScreenSaver editieren, und die lock-Zeile von *lock: False

(das ist der Standardwert unter Debian) auf *lock: True ändern.

FIXME: Add information on how to disable the screensavers which show the user desktop (which might have sensitive information).

Lesen Sie mehr zur Sicherheit von X Window in (/usr/share/doc/HOWTO/en-txt/XWindow-User-HOWTO.txt.gz).

FIXME: Add info on thread of debian-security on how to change config files of XFree 3.3.6 to do this. Überprüfen Ihres Display-Managers

Wenn Sie einen Display-Manager lediglich zur lokalen Nutzung (um einen schönen graphischen Login zu haben) haben wollen, gehen Sie sicher, dass der XDMCP (X Display Manager Control Protocol) Krempel abgeschaltet ist. Unter XDM können Sie dies mit der folgenden Zeile in /etc/X11/xdm/xdm-config erreichen: DisplayManager.requestPort: 0

Für GDM müssen Sie in Ihre gdm.conf Folgendes eintragen: [xdmcp] Enable=false

Normalerweise sind unter Debian alle Display-Manager so konfiguriert, dass sie standardmäßig keine XDMCP-Dienste starten. Absichern des Druckerzugriffs (die lpd- und lprng-Problematik)

Stellen Sie sich vor, Sie kommen zur Arbeit, und der Drucker spuckt endlose Mengen von Papier aus, weil jemand eine DoS-Attacke gegen Ihren Drucker-Daemon durchführt. Unangenehm, oder?

In jeder UNIX-Druck-Architektur muss es einen Weg geben, um die Daten des Clients auf den Druck-Server zu bekommen. Traditionell machen dies lpr und lp so, dass das Client-Kommando die Daten in das Spool-Verzeichnis kopiert oder symbolisch verlinkt (weshalb diese Programme normalerweise SUID oder SGID sind).

Um jede Gefahr zu vermeiden, sollten Sie Ihren Druck-Server besonders sicher halten. Dies heißt, dass Sie Ihren Druck-Dienst so konfigurieren müssen, dass er nur Aufträge von vertrauenswürdigen Rechnern annimmt. Hierzu müssen Sie die Rechner, von denen Sie Druckaufträge entgegennehmen möchten, in die Datei /etc/hosts.lpd eintragen.

Allerdings akzeptiert der lpr-Daemon auch, wenn Sie dies getan haben, Verbindungen auf Port 515 auf jeder Schnittstelle. Sie sollten sich überlegen, ob Sie Verbindungen von Netzwerken/Rechnern, die nicht drucken dürfen, mittels Firewall abblocken wollen (der lpr-Daemon kann nicht so konfiguriert werden, dass er nur auf eine bestimmte IP-Adresse hört).

Sie sollten Lprng gegenüber lpr vorziehen, da er so konfiguriert werden kann, dass er Zugangskontrolle über IP beherrscht. Und Sie können spezifizieren, auf welche Schnittstelle er sich binden soll (wenn auch etwas sonderbar).

Wenn Sie Ihren Drucker nur lokal auf Ihrem System benutzen, werden Sie diesen Dienst nicht über ein Netzwerk teilen wollen. Sie sollten dann überlegen, ein anderes Druck-System, wie zum Beispiel das aus dem Paket cups oder , das auf den Zugriffsrechten des Gerätes /dev/lp0 beruht, einzusetzen.

Bei cups werden die Druckaufträge mit dem HTTP-Protokoll zum Server übertragen. Dadurch muss der Client nicht über spezielle Privilegien verfügen, aber dies erfordert, dass der Server auf irgendeinem Port lauscht.

Wie auch immer: Wenn Sie cups nur lokal benutzen möchten, können Sie ihn so konfigurieren, dass er nur auf die lokale Schleife (loopback interface) hört, indem Sie Folgendes in Ihrer /etc/cups/cupsd.conf ändern: Listen 127.0.0.1:631

Es gibt noch andere Sicherheitsoptionen in dieser Konfigurationsdatei, wie zum Beispiel das Erlauben oder Verweigern von Netzwerken oder Rechnern. Wenn Sie sie allerdings nicht benötigen, belassen Sie es am besten dabei, einfach nur den Port, auf dem gehört wird, einzuschränken. Cups liefert auch Dokumentation über den HTTP-Port. Wenn Sie diese potenziell nützlichen Informationen einem Angreifer von außerhalb nicht enthüllen wollen (und der Port offen ist), fügen Sie außerdem Folgendes hinzu: <Location /> Order Deny,Allow Deny From All Allow From 127.0.0.1 </Location>

Die Konfigurationsdatei kann so angepasst werden, dass zusätzliche Fähigkeiten einschließlich SSL- und TLS-Zertifikate oder Verschlüsselung möglich werden. Die Handbücher finden Sie unter http://localhost:631/ oder .

FIXME: Add more content (the article on provides some very interesting views).

FIXME: Check if PDG is available in Debian, and if so, suggest this as the preferred printing system.

FIXME: Check if Farmer/Wietse has a replacement for printer daemon and if it's available in Debian. Absichern des Mail-Dienstes

Wenn Ihr Server kein Mail-System ist, müssen Sie wirklich keinen Mail-Daemon haben, der auf eingehende Verbindungen reagiert. Aber Sie wollen lokale Mails ausliefern, um beispielsweise Mails an den Root-User von irgendwelchen Alarmsystemen zu erhalten.

Wenn Sie exim haben, müssen Sie den Daemon nicht laufen lassen, um dies zu erreichen, da der Standard-cron-Job die Mails abarbeitet. Sehen Sie in wie man dies erledigt. Konfiguration eines Nullmailers

Sie mögen einen lokalen Mail-Daemon wollen, so dass er die Mails, die vom lokalen Rechner zu einem anderen System geschickt wurden, versenden kann. Dies ist üblich, wenn Sie eine Anzahl von Systemen zu administrieren haben und nicht zu jedem von diesen eine Verbindung aufbauen wollen, um die dort lokal verschickten Mails zu lesen. Genau wie all das Protokollieren eines jeden individuellen Systems durch einen zentralen syslog-Server zentralisiert werden kann, so kann auch Mail zu einem zentralen Mail-Server gesandt werden.

Solch ein nur sendendes System sollte sorgfältig dafür eingerichtet werden. Der Daemon kann ebenso konfiguriert werden, nur an der Loopback-Adresse zu lauschen.

Die folgenden Konfigurationsschritte müssen nur zur Konfiguration des exim-Pakets in der Debian 3.0 Version vorgenommen werden. Wenn Sie eine neuere Version verwenden (wie z.B. 3.1, das exim4 verwendet), so wurde das Installationssystem verbessert: Wenn der Mail-Transport-Agent so konfiguriert wurde, dass er nur lokale Mails versendet, lässt er automatisch nur Verbindungen vom lokalen Rechner und keine entfernten Verbindungen zu.

In einem Debian 3.0 System mit exim muss man den SMTP-Daemon aus inetd wie folgt entfernen: $ update-inetd --disable smtp

und den Mail-Daemon so konfigurieren, dass er nur auf die lokale Schleife achtet. In exim (dem Standard-Mail-Transport-Agent (MTA) unter Debian) tun Sie dies, indem Sie in der Datei /etc/exim.conf die Zeile local_interfaces = "127.0.0.1" hinzufügen.

Starten Sie beide Daemonen neu (inetd und exim) und exim wird lediglich auf den Socket 127.0.0.1:25 lauschen. Seien Sie vorsichtig und deaktivieren Sie erst inetd, oder exim wird nicht neu starten, da der inetd-Daemon bereits eingehende Verbindungen behandelt.

Bei postfix editieren Sie /etc/postfix/main.cf: inet_interfaces = localhost

Wenn Sie lediglich lokale Mails wollen, ist dieses Herangehen besser als den Mailer-Daemon in einen tcp-Wrapper zu hüllen oder Firewall-Regeln einzufügen, die den Zugang für alle limitieren. Wenn Sie jedoch auch auf andere Schnittstellen reagieren müssen, sollten Sie überlegen, ihn vom inetd aufrufen zu lassen und einen tcp-Wrapper einzusetzen, so dass eingehende Verbindungen gegen /etc/hosts.allow und /etc/hosts.deny geprüft werden. Außerdem werden Sie vor unautorisierten Zugriffsversuchen gegen Ihren Mail-Daemon durch angemessenes Protokollieren gewarnt werden wollen.

In jedem Fall können Sie Mail-Zustellversuche auf dem SMTP-Level ablehnen, indem Sie die /etc/exim/exim.conf abändern, damit Sie Folgendes enthält: receiver_verify = true

Auch wenn Ihr Mail-Server keine Mails zustellen wird, ist diese Konfiguration für den Relay-Tester auf nötig, um festzustellen, dass Ihr Server nicht relaisfähig ist.

Wenn Sie Mails nur weiterleiten möchten, können Sie in Erwägung ziehen, den Mail-Daemon durch Programme zu ersetzen, die nur zum Weiterleiten der Mail zu einem entfernten Mail-Server konfiguriert werden können. Debian stellt zurzeit ssmtp und nullmailer für diese Zwecke zur Verfügung. Auf jeden Fall können Sie für sich selbst alle von Debian angebotenen Mail-Transport-Agents testen und sehen, welcher davon am besten auf Ihr System zugeschnitten ist. (Die Liste der in Debian verfügbaren Mail-Daemons erhalten Sie wie folgt: $ apt-cache search mail-transport-agent – Die Liste wird qmail nicht enthalten, da dies nur im Quellcode im Paket qmail-src vertrieben wird.) Anbieten von sicherem Zugang zu Mailboxen

Wenn Sie entfernten Zugriff auf Mailboxen erlauben wollen, gibt es eine Anzahl von möglichen POP3- und IMAP-Daemonen. Eine Liste von Servern/Daemonen die diese Protokolle in Debian anbieten, kann wie folgt erhalten werden: $ apt-cache search pop3-server $ apt-cache search imap-server Wenn Sie IMAP-Zugriff anbieten, beachten Sie jedoch, dass es ein allgemeines Dateizugriffsprotokoll ist. Es kann das Äquivalent zu einem Shell-Zugang werden, da Benutzer in der Lage sein könnten, Zugang zu beliebigen Dateien zu erhalten, auf die sie durch ihn zugreifen können.

Versuchen Sie beispielsweise, {server.com}/etc/passwd als Ihren Eingabepfad zu konfigurieren. Wenn dies gelingt, ist Ihr IMAP-Daemon nicht richtig konfiguriert, um diese Art von Zugriff zu verhindern.

Unter den IMAP-Servern in Debian vermeidet der cyrus-Server (im Paket cyrus-imapd) dies, indem er den gesamten Zugriff zu einer Datenbasis in einem beschränkten Teil des Dateisystems limitiert. Auch uw-imapd (installieren Sie entweder das uw-imapd- oder besser, wenn Ihre IMAP-Clients es unterstützen, das uw-imapd-ssl-Paket) kann konfiguriert werden, das Mailverzeichnis der Benutzer in ein Chroot-Gefängnis einzusperren, dies ist jedoch nicht standardmäßig aktiviert. Die angebotene Dokumentation enthält mehr Informationen, wie man dies konfiguriert.

Es ist ebenso empfehlenswert, einen IMAP-Server laufen zu haben, der keine neuen Benutzer im lokalen System erfordert (dies würde auch einen Shell-Zugang ermöglichen). Sowohl courier-imap (für IMAP) als auch courier-pop und teapop (für POP3) sowie cyrus-imapd (für POP3 und IMAP) bieten Server mit Authentifizierungsmethoden neben den lokalen Benutzerkonten. cyrus kann alle Authentifizierungsmethoden, die mittels PAM konfiguriert werden können, verwenden, währenddessen teapop Datenbanken (wie postgresql und mysql) für die Benutzerauthentifizierung nutzen kann.

FIXME: Check: uw-imapd might be configured with user authentication through PAM too. Sicherer Empfang von Mails

Das Lesen und Empfangen von Mails ist das gebräuchlichste Klartext-Protokoll. Wenn Sie POP3 oder IMAP benutzen, um Ihre Mails zu erhalten, senden Sie ein Klartext-Passwort über das gesamte Netz, so dass ziemlich jeder Ihre Mails von nun an lesen kann. Benutzen Sie stattdessen SSL (Secure Sockets Layer), um Ihre Mails zu empfangen. Wenn Sie einen Shell-Account auf dem Rechner, der als POP- oder IMAP-Server agiert, haben, ist die andere Alternative SSH. Hier ist eine beispielhafte fetchmailrc, um dies zu zeigen: poll mein-imap-mailserver.org via "localhost" with proto IMAP port 1236 user "ref" there with password "hackmich" is alex here warnings 3600 folders .Mail/debian preconnect 'ssh -f -P -C -L 1236:mein-imap-mailserver.org:143 -l ref mein-imap-mailserver.org sleep 15 </dev/null > /dev/null'

Die wichtige Zeile ist die preconnect-Zeile. Sie startet eine SSH-Verbindung und erstellt den notwendigen Tunnel, durch den automatisch alle Verbindungen zum lokalen Port 1236 verschlüsselt an den IMAP-Mail-Server weitergeleitet werden. Eine andere Möglichkeit wäre es, fetchmail mit SSL-Unterstützung zu benutzen.

Wenn Sie verschlüsselte Mail-Dienste wie POP oder IMAP anbieten möchten, apt-get install stunnel und starten Sie Ihren Daemon auf diese Weise: stunnel -p /etc/ssl/certs/stunnel.pem -d pop3s -l /usr/sbin/popd

Dieses Kommando umhüllt den angegebenen Daemon (-l) an den Port (-d) und nutzt ein bestimmtes SSL-Zertifikat (-p). Sichern von BIND

Es gibt verschiedene Dinge, mit denen Sie sich auseinander setzen sollten, um einen Domain-Server-Daemon abzusichern, die ähnlich zu den Überlegungen sind, wie man einen anderen Dienst absichert: Konfigurieren Sie den Daemon selbst, so dass er von außen nicht missbraucht werden kann (siehe auch ). Dies schließt das Einschränken von Abfragen durch Clients ein: Zonen-Transfers und rekursive Abfragen. Einschränken des Zugriffs des Daemon auf den Server selbst, so dass dem Schaden für das System im Falle eines Einbruchs Grenzen gesetzt sind. Hierzu gehört auch, den Daemon als nicht-privilegierten Benutzer laufen zu lassen (siehe ) und ihn in ein Chroot-Gefängnis einzusperren (siehe ). Bind-Konfiguration um Missbrauch zu verhindern

Sie sollten einige Informationen, die von außen über den DNS-Server abgefragt werden können, zurückhalten, so dass man nicht wertvolle Informationen über Ihre Organisation, die Sie nicht herausgeben wollen, abfragen kann. Dies schließt die folgenden Optionen mit ein: allow-transfer, allow-query, allow-recursion und version. Sie können dies in dem globalen Abschnitt tun (so wird es auf alle Zonen angewandt) oder jeweils pro Zone. Dies ist im Paket bind-doc dokumentiert. Sobald das Paket installiert ist, können Sie hierzu mehr in /usr/share/doc/bind/html/index.html lesen.

Stellen Sie sich vor, Ihr Server ist mit dem Internet und Ihrem internen Netzwerk (Ihre interne IP ist 192.168.1.2) verbunden – ein einfacher Server im heimischen Netzwerk. Sie möchten keinen Dienst im Internet anbieten und lediglich DNS-Abfragen von Ihren internen Rechnern erlauben. Sie können dies einschränken, indem Sie Folgendes in Ihre /etc/bind/named.conf aufnehmen: options { allow-query { 192.168.1/24; } ; allow-transfer { none; } ; allow-recursion { 192.168.1/24; } ; listen-on { 192.168.1.2; } ; forward { only; } ; forwarders { A.B.C.D; } ; };

Die Option listen-on bewirkt, dass sich DNS nur auf die Schnittstelle bindet, die die interne Adresse hat. Aber sogar wenn diese Schnittstelle Verbindung zum Internet hat (zum Beispiel weil Sie NAT benutzen), werden Abfragen nur akzeptiert, wenn sie von internen Hosts kommen. Wenn das System mehrere Schnittstellen hat und Sie kein listen-on gesetzt haben, könnten zwar nur interne Nutzer Abfragen starten, aber, da der Port für Angreifer von außen ansprechbar ist, könnten sie versuchen, den DNS zum Absturz zu bringen (oder durch Speicher-Überlauf-Attacken auszunutzen). Sie könnten ihn sogar dazu bringen, lediglich auf 127.0.0.1 zu hören, wenn Sie den DNS-Service nicht für ein anderes System anbieten wollen.

Der version.bind-Eintrag in der chaos class enthält die Version des derzeit laufenden Bind-Prozesses. Diese Information wird oft von automatischen Scannern und bösartigen Individuen dazu verwendet herauszufinden, ob ein bind für eine bestimmte Attacke verwundbar ist. Indem Sie falsche oder gar keine Informationen im version.bind-Eintrag zur Verfügung stellen, minimieren Sie die Wahrscheinlichkeit, dass jemand Ihren Server aufgrund der publizierten Version attackieren wird. Um Ihre eigene Version anzugeben, benutzen Sie die Version-Direktive in der folgenden Art: options { ... verschiedene andere Optionen ... version "Nicht verfuegbar."; };

Das Ändern des version.bind-Eintrags schützt eigentlich nicht gegen Attacken, aber Sie können es als sinnvolle Schutzvorrichtung ansehen.

Eine beispielhafte named.conf-Konfigurationsdatei könnte so aussehen: acl internal { 127.0.0.1/32; // localhost 10.0.0.0/8; // intern aa.bb.cc.dd; // eth0 IP }; acl friendly { ee.ff.gg.hh; // slave DNS aa.bb.cc.dd; // eth0 IP 127.0.0.1/32; // localhost 10.0.0.0/8; // intern }; options { directory "/var/cache/bind"; allow-query { internal; }; allow-recursion { internal; }; allow-transfer { none; }; }; // Ab hier bis zur meineseite.bogus Zone // ist alles im Grunde die unveränderte Debian-Standardeinstellung logging { category lame-servers { null; }; category cname { null; }; }; zone "." { type hint; file "/etc/bind/db.root"; }; zone "localhost" { type master; file "/etc/bind/db.local"; }; zone "127.in-addr.arpa" { type master; file "/etc/bind/db.127"; }; zone "0.in-addr.arpa" { type master; file "/etc/bind/db.0"; }; zone "255.in-addr.arpa" { type master; file "/etc/bind/db.255"; }; // Zone, die ich selbst hinzugefügt habe zone "meineseite.bogus" { type master; file "/etc/bind/named.meineseite"; allow-query { any; }; allow-transfer { friendly; }; };

Bitte prüfen Sie (erneut) die Debian-Fehler-Datenbank (BTS) bezüglich Bind, insbesondere . Fühlen Sie sich ruhig dazu ermutigt, zu diesem Bugreport beizutragen, wenn Sie glauben, nützliche Informationen hinzufügen zu können. Ändern des BIND-Benutzers

Bezüglich der Beschränkung von BINDs Privilegien müssen Sie beachten, dass, wenn Sie BIND als nicht-root Benutzer laufen lassen, BIND neue Netzwerk-Schnittstellen nicht automatisch entdecken kann, zum Beispiel wenn Sie eine PCMCIA-Karte in Ihr Notebook stecken. Lesen Sie die Datei README.Debian in Ihrer named-Dokumentation (/usr/share/doc/bind/README.Debian) für mehr Informationen hierzu. Es gab in letzter Zeit viele Sicherheitsprobleme mit BIND, so dass es nützlich ist, den Benutzer zu wechseln, wenn es möglich ist. Wir werden die Schritte, die dazu nötig sind, detailliert aufführen. Wenn Sie dies automatisch machen lassen wollen, können Sie das Skript in ausprobieren.

Beachten Sie, dass dies nur auf die BIND-Version 8 zutrifft. In den Debian-Paketen für die BIND-Version 9 wird der Benutzer bind erstellt (seit Version 9.2.1-5, die in Sarge enthalten ist) und mit der Variable OPTIONS in /etc/default/bind9 verwendet. Wenn Sie BIND 9 einsetzen und Ihr Nameserver nicht als Benutzer bind läuft, sollten Sie die Einstellungen in dieser Datei überprüfen.

Um BIND unter einem anderen Benutzer laufen zu lassen, müssen Sie zunächst einen zusätzlichen Benutzer und eine zusätzliche Gruppe dafür erstellen (es ist keine gute Idee, für alle Dienste, die Sie nicht als Root laufen lassen, den Benutzer nobody und die Gruppe nogroup zu benutzen). In diesem Beispiel werden der Benutzer und die Gruppe named verwendet. Sie können diese anlegen, indem Sie die folgenden Kommandos eingeben: addgroup named adduser --system --home /home/named --no-create-home \ --ingroup named --disabled-password --disabled-login named

Beachten Sie, dass der Benutzer named sehr eingeschränkt ist. Wenn Sie – aus welchen Gründen auch immer – ein weniger eingeschränktes Setup haben möchten, benutzen Sie: adduser --system --ingroup named named

Editieren Sie nun /etc/init.d/bind mit Ihrem Lieblingseditor und ändern Sie die Zeile, die mit start-stop-daemon --start anfängt, zu: start-stop-daemon --start --quiet \ --exec /usr/sbin/named -- -g named -u named (Beachten Sie, dass Sie abhängig von Ihrer Bind-Version die Option -g nicht haben, höchstwahrscheinlich wenn Sie bind9 von Sarge (9.2.4) installiert haben.)

Alternativ dazu können Sie auch die Standardkonfigurationsdatei (bei BIND 8 /etc/default/bind) bearbeiten (und erstellen, falls sie nicht vorhanden ist) und Folgendes einfügen: OPTIONS="-u named -g named"

Ändern Sie die Rechte der Dateien, die von Bind verwendet werden, inklusive /etc/bind/rndc.key: -rw-r----- 1 root named 77 Jan 4 01:02 rndc.key und wo bind seine PID-Datei erzeugt, z.B. indem Sie /var/run/named anstatt von /var/run verwenden: $ mkdir /var/run/named $ chown named.named /var/run/named $ vi /etc/named.conf [ ... ändern Sie die Konfigurationsdatei, um diesen neuen Pfad zu verwenden ...] options { ... pid-file "/var/run/named/named.pid"; }; [ ... ]

Außerdem müssen Sie, um zu verhindern, dass irgendetwas als Root läuft, im Init.d-Skript die reload-Zeile von: reload) /usr/sbin/ndc reload

in Folgendes ändern: reload) $0 stop sleep 1 $0 start

Beachten Sie: Abhängig von Ihrer Debian-Version, müssen Sie vielleicht auch die restart-Zeile ändern. Dies wurde in der Version 1:8.3.1-2 von Debians BIND-Paket repariert.

Alles, was Sie jetzt noch tun müssen, ist, bind mittels /etc/init.d/bind restart neu zu starten und dann Ihr Syslog auf zwei Einträge wie die folgenden zu prüfen:

Sep 4 15:11:08 nexus named[13439]: group = named Sep 4 15:11:08 nexus named[13439]: user = named

Voilà! Ihr named läuft nicht mehr als root. Wenn Sie mehr Informationen darüber lesen wollen, warum BIND nicht als nicht-root Benutzer auf Debian-Systemen läuft, sehen Sie bitte in der Fehlerdatenbank zu Bind nach, insbesondere und , , und . Fühlen Sie sich ruhig dazu ermuntert, etwas zu den Fehlerbeschreibungen beizutragen, wenn Sie denken, nützliche Informationen hinzufügen zu können. Chroot-Gefängnis für Name-Server

Um die größtmögliche BIND-Sicherheit zu erreichen, müssen Sie nun ein Chroot-Gefängnis (siehe ) um Ihren Daemon herum bauen. Es gibt einen einfachen Weg, dies zu erreichen: Die Option -t (siehe die Handbuchseite oder Seite 100 von ). Dies wird Bind selbst in ein bestimmtes Verzeichnis chrooten lassen, ohne dass Sie ein eigenes Chroot-Gefängnis aufsetzen und sich Sorgen um dynamische Bibliotheken machen müssen. Die einzigen Dateien, die in diesem Chroot-Gefängnis benötigt werden, sind: dev/null etc/bind/ - sollte die named.conf und alle Server-Zonen enthalten sbin/named-xfer - wenn Sie Namen transferieren var/run/named/ - sollte die PID und den Cache des Name-Servers (falls es ihn gibt) enthalten. Dieses Verzeichnis muss für den named-User schreibbar sein. var/log/named - Wenn Sie in eine Datei protokollieren, muss dies für den named-User schreibbar sein. dev/log - syslogd sollte hierauf hören, wenn named so konfiguriert ist, dass er darüber protokolliert.

Damit Ihr Bind-Daemon vernünftig läuft, braucht er bestimmte Zugriffsrechte auf die named-Dateien. Dies ist eine einfache Angelegenheit, da die Konfigurationsdateien immer in /etc/named/ liegen. Beachten Sie, dass er lediglich Lesezugriff benötigt, es sei denn, es handelt sich um einen sekundären oder zwischenspeichernden (Cache) Name-Server. Wenn dies der Fall ist, müssen Sie ihm Lese- und Schreibzugriff auf die notwendigen Zonen gewähren (damit Zonen-Transfers vom primären Server funktionieren).

Mehr Informationen über das Chrooten von Bind finden Sie unter (betrifft Bind 9) und (betrifft Bind 8). Diese Dokumente sollten auch nach der Installation des Paketes doc-linux-text (Text-Version) oder doc-linux-html (HTML-Version) verfügbar sein. Ein anderes nützliches Dokument ist .

Wenn Sie für Bind ein komplettes Chroot-Gefängnis aufsetzen (d.h. Sie benutzen nicht nur -t), stellen Sie sicher, dass Sie die folgenden Dateien darin haben: Diese Einstellungen wurden für die neueren Veröffentlichungen von Bind noch nicht getestet. dev/log - syslogd sollte hierauf hören dev/null etc/bind/named.conf etc/localtime etc/group - mit einer einzigen Zeile: "named:x:GID:" etc/ld.so.cache - mit ldconfig erstellt lib/ld-2.3.6.so lib/libc-2.3.6.so lib/ld-linux.so.2 - symbolischer Link auf ld-2.3.6.so lib/libc.so.6 - symbolischer Link auf libc-2.3.6.so sbin/ldconfig - kann gelöscht werden, nachdem Chroot aufgesetzt wurde sbin/named-xfer - wenn Sie Namen transferieren var/run/

Sorgen Sie auch dafür, dass syslogd auf $CHROOT/dev/log achtet, so dass der Name-Server seine syslog-Einträge in das lokale System-Protokoll schreiben lassen kann.

Wenn Sie Probleme mit dynamischen Bibliotheken vermeiden wollen, können Sie Bind statisch kompilieren. Sie können hierzu apt-get mit der source Option benutzen. Es kann sogar die Pakete herunterladen, die Sie zum Kompilieren benötigen. Sie müssten etwas ähnliches wie das Folgende tun: $ apt-get source bind # apt-get build-dep bind $ cd bind-8.2.5-2 (editieren Sie src/port/linux/Makefile, so dass CFLAGS die Option '-static' beinhaltet) $ dpkg-buildpackage -rfakeroot -uc -us $ cd .. # dpkg -i bind-8.2.5-2*deb

Nach der Installation werden Sie die Dateien in das Chroot-Gefängnis verschieben müssen. Es sei denn, Sie benutzen die instdir-Option, wenn Sie dpkg aufrufen, aber dann könnte das chroot-Gefängnis etwas komplizierter werden. Sie können die init.d-Skripte in /etc/init.d lassen, so dass das System automatisch den Name-Server starten wird, aber editieren Sie sie, indem Sie bei den start-stop-daemon-Aufrufen in diesen Skripten --chroot /location_of_chroot hinzufügen. Oder verwenden Sie für BIND die Option -t, indem Sie sie in das OPTION-Argument in der Konfigurationsdatei /etc/default/bind (für Version 8) oder /etc/default/bind9 (für Version 9) eintragen.

Für weitere Informationen wie man Chroot-Gefängnisse aufsetzt, siehe .

FIXME: Füge Informationen aus folgenden Quellen ein: , (Debian-spezifisch), und . Absichern von Apache

FIXME: Add content: modules provided with the normal Apache installation (under /usr/lib/apache/X.X/mod_*) and modules that can be installed separately in libapache-mod-XXX packages.

Sie können den Zugriff auf Ihren Apache-Server einschränken, wenn Sie ihn nur intern benutzen wollen (zum Beispiel zu Testzwecken, oder um auf die doc-central-Archive zuzugreifen, etc.) und nicht wollen, dass von außen auf ihn zugegriffen werden kann. Um dies zu tun, benutzen Sie die Listen oder BindAddress Direktiven in der Datei /etc/apache/http.conf.

Benutzen von Listen: Listen 127.0.0.1:80

Benutzen von BindAddress: BindAddress 127.0.0.1

Starten Sie anschließend Apache mit /etc/init.d/apache restart neu, und Sie werden sehen, dass er nur auf die lokale Schleife achtet.

In jedem Fall sollten Sie, wenn Sie nicht die ganze Funktionalität, die Apache zur Verfügung stellt, benutzen wollen, mal einen Blick auf die anderen Web-Server aus Debian werfen, zum Beispiel dhttpd.

Die stellt viele Informationen zu Sicherheitsmaßnahmen, die Sie auf einem Apache Web-Server anwenden können, bereit (die gleichen Informationen erhalten Sie unter Debian auch durch das Paket apache-doc).

Mehr Informationen zu weiteren Restriktionen von Apache durch Einrichten chroot-Gefängnisses wird in bereitgestellt. Verhindern, dass Benutzer Web-Inhalte veröffentlichen

Die Standard-Apache-Installation in Debian erlaubt Benutzern, Inhalt unter $HOME/public_html bereitzustellen. Dieser Inhalt kann aus der Ferne mit einer URL wie http://Ihr_Apache_Server/~benutzer abgerufen werden.

Wenn Sie dies nicht erlauben wollen, müssen Sie in der Konfigurationsdatei /etc/apache/http.conf (von Apache 1.3) das folgende Modul auskommentieren: LoadModule userdir_module /usr/lib/apache/1.3/mod_userdir.so

Wenn Sie Apache 2.0 verwenden, müssen Sie die Datei /etc/apache2/mods-enabled/userdir.load entfernen oder die Standardkonfiguration einschränken, indem Sie /etc/apache2/mods-enabled/userdir.conf bearbeiten.

Falls allerdings das Modul statisch verlinkt wurde (Sie können die Module, die einkompiliert wurden, mittels apache -l überprüfen), müssen Sie das Folgende der Konfigurationsdatei von Apache hinzufügen: Userdir disabled

Ein Angreifer kann immer noch die Benutzer herausfinden, da die Antwort des Web-Servers 403 Permission Denied und nicht 404 Not available lautet. Mit dem Rewrite-Modul können Sie das verhindern. Rechte von Log-Datei

Apache-Log-Dateien gehören seit 1.3.22-1 dem Benutzer 'root' und der Gruppe 'adm' mit den Rechtebits 640. Diese Rechte ändern sich nach einer Rotation. Ein Eindringling, der das System über den Web-Server erreicht hat, kann so alte Log-Datei-Einträge nicht (ohne Rechteerweiterung) entfernen. Veröffentlichte Web-Dateien

Apache-Dateien befinden sich unterhalb von /var/www. Direkt nach der Installation bietet die Standardseite einige Informationen zu dem System (hauptsächlich dass es ein Debian-System ist, auf welchem Apache läuft). Die Standard-Webseiten gehören standardmäßig dem Benutzer root und der Gruppe root, währenddessen der Apache-Prozess als Benutzer www-data und Gruppe www-data läuft. Dies sollte es Angreifern, die in das System durch den Web-Server eindringen, schwerer machen, die Site zu verunstalten. Sie sollten natürlich die Standard-Webseiten (die Informationen, die Sie der Außenwelt vorenthalten wollen, enthalten können) durch Ihre eigenen ersetzen. Absichern von Finger

Wenn Sie den Finger-Dienst laufen lassen wollen, fragen Sie sich bitte zuerst, ob Sie das auch wirklich tun müssen. Wenn Sie es müssen, werden Sie feststellen, dass Debian viele Finger-Daemonen zur Verfügung stellt (hier die Ausgabe von apt-cache search fingerd): cfingerd - Konfigurierbarer finger-Daemon efingerd - Ein weiterer Unix-finger-Daemon mit anpassbarer Ausgabe ffingerd - Ein sicherer finger-Daemon fingerd - Remote-User Informationsserver xfingerd - BSD-ähnlicher finger-Daemon mit qmail-Unterstützung

ffingerd ist der empfohlene finger-Daemon, wenn Sie vorhaben, einen öffentlichen Dienst anzubieten. In jedem Fall sollten Sie, wenn Sie ihn über inetd, xinetd oder tcpserver laufen lassen, Folgendes beachten: Schränken Sie die Anzahl der Prozesse, die gleichzeitig laufen dürfen, ein. Schränken Sie den Zugriff auf den Finger-Daemon auf bestimmte Hosts ein (indem Sie tcp-wrapper benutzen) und lassen Sie ihn nur auf den Schnittstellen lauschen, auf denen er erreichbar sein muss. Allgemeine chroot- und suid-Paranoia

chroot ist eine der mächtigsten Möglichkeiten, einen Daemon oder einen Benutzer oder einen anderen Dienst zu beschränken. Denken Sie einfach an ein Gefängnis um Ihr Ziel, das das Ziel nicht verlassen kann (normalerweise, es gibt aber einige Bedingungen, die einem einen Ausbruch aus solch einem Gefängnis gestatten). Wenn Sie einem Benutzer oder einem Dienst nicht trauen, können Sie eine modifizierte root-Umgebung für ihn erzeugen. Dies kann einiges an Plattenplatz benötigen, da Sie alle benötigten Programme ebenso wie Bibliotheken in das Gefängnis kopieren müssen. Aber danach ist die Wirkung des Schadens, selbst wenn der Benutzer etwas bösartiges macht, auf das Gefängnis beschränkt.

Viele Dienste, die als Daemonen laufen, können von dieser Vorgehensweise profitieren. Die Daemonen, die Sie mit Ihrer Debian-Distribution installieren, laufen jedoch nicht standardmäßig in einem chroot-Gefängnis. Es wird versucht, diese mit minimalen Rechten laufen zu lassen, was beinhaltet, Daemonen unter ihren eigenen Benutzern, anstatt unter root, laufen zu lassen.

Dies beinhaltet: Name-Server (wie bind), Web-Server (wie apache), Mail-Server (wie sendmail) und FTP-Server (wie wu-ftpd). Wahrscheinlich ist es nur fair zu sagen, dass die Komplexität von BIND der Grund dafür ist, warum er in den letzten Jahren so oft für Attacken verwundbar war (vergleiche ).

Jedoch bietet Debian einige Software an, die helfen kann, chroot-Umgebungen aufzubauen. Sehen Sie .

Wenn Sie irgendwelche Dienste in Ihrem System laufen lassen, sollten Sie dies so sicher wie nur möglich tun. Dies beinhaltet: Entziehen von root-Privilegien, Starten in beschränkten Umgebungen (wie ein chroot-Gefängnis) oder Ersetzen durch ein sichereres Äquivalent.

Seien Sie jedoch gewarnt, dass aus einem chroot-Gefängnis ausgebrochen werden kann, wenn der Benutzer, der im Inneren läuft, der Superuser ist. Sie müssen also sicherstellen, dass der Dienst als nicht privilegierter Benutzer läuft. Durch Einschränken seiner Umgebung schränken Sie die Welt-lesbaren/ausführbaren Dateien, auf die der Dienst zugreifen kann, ein. Auf diese Weise limitieren Sie die Möglichkeiten einer Rechteerweiterung durch lokale Sicherheitsverwundbarkeiten des Systems. Selbst in dieser Situation können Sie nicht völlig sicher sein, dass es für einen cleveren Angreifer keinen Weg gibt, irgendwie aus dem Gefängnis auszubrechen. Verwenden von nur sicheren Server-Programmen, die einen guten Ruf bezüglich Sicherheit haben, ist eine zusätzliche gute Sicherheitsmaßnahme. Selbst kleinste Löcher wie offene Datei-Handle können von einem versierten Angreifer zum Einbruch in das System verwendet werden. Schließlich war chroot nicht als Sicherheitstool gedacht, sondern als ein Testwerkzeug.

Automatisches Erstellen von Chroot-Umgebungen

Es gibt verschiedene Programme, um Server und Dienste automatisch in ein Chroot-Gefängnis einzusperren. Debian bietet zurzeit (akzeptiert im Mai 2002) Wietse Venemas chrootuid im Paket chrootuid, ebenso wie compartment und makejail an. Diese Programme können verwendet werden, um eine eingeschränkte Umgebung zum Ausführen beliebiger Programme aufzusetzen (chrootuid erlaubt es Ihnen sogar, es unter einem eingeschränkten Benutzer laufen zu lassen).

Einige dieser Werkzeuge können verwendet werden, um das Chroot-Gefängnis leicht aufzusetzen. Zum Beispiel kann das makejail-Programm ein chroot-Gefängnis mit kurzen Konfigurationsdateien erzeugen und aktualisieren. (Es bietet Beispielkonfigurationsdateien für bind, apache, postgresql und mysql.) Es versucht, alle Dateien, die vom Daemon benötigt werden, mittels strace, stat und Debians Paketabhängigkeiten zu bestimmen und in das Gefängnis zu installieren. Weitere Information gibt es unter . Jailer ist ein ähnliches Werkzeug und kann von heruntergeladen werden und ist auch als Debian-Paket verfügbar. Allgemeine Klartextpasswort-Paranoia

Sie sollten versuchen, jeden Netzwerk-Dienst, der seine Passworte als Klartext über das Netz sendet oder empfängt, wie zum Beispiel FTP/Telnet/NIS/RPC, vermeiden. Der Autor empfiehlt jedem, ssh anstelle von telnet und ftp zu verwenden.

Vergessen Sie jedoch nicht, dass die Migration von telnet zu ssh die Sicherheit in keiner Weise erhöht, wenn Sie weiterhin Klartext-Protokolle verwenden. Am besten wäre es, ftp, telnet, pop, imap und http zu entfernen und durch ihre entsprechenden verschlüsselten Dienste zu ersetzen. Sie sollten in Erwägung ziehen, von diesen Diensten zu deren SSL-Versionen zu wechseln: ftp-ssl, telnet-ssl, pop-ssl, https, ...

Die meisten der oben aufgelisteten Tipps gelten für jedes Unix-System (Sie werden sie in jedem anderen sicherheitsrelevanten Dokument, das Sie jemals lesen, wiederfinden, wenn es sich auf Linux und andere Unices bezieht). NIS deaktivieren

Sie sollten, wenn möglich, nicht NIS, den Network Information Service, benutzen, da er das gemeinsame Nutzen von Passwörtern erlaubt. Dies kann sehr unsicher sein, wenn Ihr Setup fehlerhaft ist.

Wenn Sie Passwörter zwischen verschiedenen Maschinen teilen müssen, sollten Sie andere Alternativen in Erwägung ziehen. Zum Beispiel können Sie einen LDAP-Server aufsetzen und PAM auf Ihrem System so konfigurieren, dass es den LDAP-Server zur Benutzer-Authentifizierung kontaktiert. Sie finden ein detailliertes Setup in dem (/usr/share/doc/HOWTO/en-txt/LDAP-HOWTO.txt.gz).

Sie können mehr über NIS-Sicherheit in dem (/usr/share/doc/HOWTO/en-txt/NIS-HOWTO.txt.gz) lesen.

FIXME (jfs): Add info on how to set this up in Debian. Sichern von RPC-Diensten

Sie sollten RPC abschalten, wenn Sie es nicht benötigen.

Remote Procedure Call (RPC, etwa »Entfernter Funktionsaufruf«) ist ein Protokoll, das von Programmen verwendet werden kann, um Dienste von anderen Programmen, die auf anderen Computern laufen, anzufordern. Der portmap-Dienst kontrolliert RPC-Dienste durch Abbilden von RPC-Programmnummern auf DARPA-Protokoll-Portnummern. Er muss laufen, um RPC-Aufrufe ausführen zu können.

RPC-basierte Dienste hatten eine unrühmliche Geschichte, was Sicherheitslücken betrifft, obwohl dies für den Portmapper an sich nicht gilt (dieser bietet aber nach wie vor entfernten Angreifern Informationen). Es ist zu beachten, dass einige DDoS-(distributed denial of service, verteilte Dienstverweigerungen)-Angriffe RPC-Löcher benutzen, um in das System einzudringen und als so genannter Agent/Handler zu fungieren.

Sie benötigen RPC nur dann, wenn Sie einen RPC-basierten Dienst verwenden. Die bekanntesten RPC-basierten Dienste sind NFS (Network File System) und NIS (Network Information System). Vergleichen Sie mit dem vorherigen Abschnitt für weitere Information über NIS. Der File Alteration Monitor (FAM), der vom Paket fam bereitgestellt wird, ist ebenso ein RPC-Dienst und hängt deshalb von portmap ab.

NFS-Dienste sind in einigen Netzwerken ziemlich wichtig. Wenn dies für Sie der Fall ist, müssen Sie einen Ausgleich zwischen Sicherheit und Nutzbarkeit für Ihr Netzwerk finden. Sie können mehr über NFS-Sicherheit im (/usr/share/doc/HOWTO/en-txt/NFS-HOWTO.txt.gz) finden. Vollständiges Deaktivieren von RPC-Diensten

Das Abschalten von portmap ist relativ einfach. Es gibt verschiedene Methoden. Die einfachste in einem Debian 3.0 oder neueren System ist das Paket portmap zu deinstallieren. Wenn Sie eine ältere Version von Debian laufen haben, werden Sie den Dienst, wie in beschrieben, abschalten müssen, weil das Programm Teil des Pakets netbase (das nicht deinstalliert werden kann, ohne das System kaputt zu machen) ist.

Beachten Sie, dass einige Desktop-Umgebungen (hauptsächlich GNOME) RPC-Dienste verwenden und den Portmapper für einige der Dateimanager-Eigenschaften benötigen. Wenn dies bei Ihnen der Fall ist, können Sie den Zugang zu RPC-Diensten, wie weiter unten beschrieben, beschränken. Einschränken des Zugriffs auf RPC-Dienste

Unglücklicherweise ist es in manchen Fällen nicht möglich, RPC-Dienste vom System zu entfernen. Einige lokale Desktop-Dienste (hauptsächlich SGIs fam) sind RPC-basiert und benötigen deshalb einen lokalen Portmapper. Dies bedeutet, dass unter bestimmten Umständen Benutzer die eine Desktop-Umgebung (wie GNOME) installieren, den Portmapper auch installieren werden.

Es gibt einige Wege, den Zugriff auf den Portmapper und RPC-Dienste zu beschränken: Blockieren des Zugangs zu den Ports, die von diesen Diensten verwendet werden, mit einer lokalen Firewall (vergleiche ). Blockieren des Zugangs zu diesen Diensten mittels TCP-Wrappers, da der Portmapper (und einige RPC-Dienste) mit libwrap (siehe ) kompiliert wurden. Dies bedeutet, dass Sie den Zugang zu diesen durch die TCP-Wrapper-Konfiguration in hosts.allow und hosts.deny blockieren können. Seit Version 5-5 kann das Paket portmap so konfiguriert werden, dass es nur noch an der lokalen Schleifenschnittstelle lauscht. Um dies zu erreichen, entfernen Sie das Kommentarzeichen vor der folgenden Zeile in der Datei /etc/default/portmap: #OPTIONS="-i 127.0.0.1" und starten Sie den Portmapper neu. Dies ist ausreichend, um lokale RPC-Dienste laufen zu lassen, während zur selben Zeit entfernte Systeme am Zugang gehindert werden (lesen Sie dazu auch ). Hinzufügen von Firewall-Fähigkeiten

Das Debian-GNU/Linux-Betriebssystem hat die eingebauten Firewall-Fähigkeiten des Linux-Kernels. Wenn Sie eine aktuelle Veröffentlichung von Debian (mit dem Standardkernel 2.6) installiert haben, steht Ihnen als Firewall iptables (netfilter) zur Verfügung. Es ist seit Kernel 2.4 verfügbar (was der Standardkernel für Debian 3.0 war). Ältere Kernelversionen (wie 2.2, der in älteren Debian-Veröffentlichungen enthalten war) verwendeten ipchains. Der Hauptunterschied zwischen ipchains und iptables ist, dass letzteres auf stateful packet inspection (zustandsbehaftete Paketuntersuchung) beruht, so dass Ihnen sicherere (und einfacher zu erstellende) Filterkonfigurationen zur Verfügung stehen. Ältere (und nun nicht länger unterstützte) Debian-Veröffentlichungen, die den Kernel 2.0 einsetzen, benötigten einen geeigneten Kernel-Patch. Firewallen des lokalen Systems

Sie können eine Firewall dazu benutzen, den Zugriff auf Ihr lokales System abzusichern und sogar um die Kommunikation von ihm nach Außen zu beschränken. Firewall-Regeln können auch dazu benutzt werden, Prozesse zu sichern, die nicht vernünftig konfiguriert werden können, um Dienste nicht einigen Netzwerken, IP-Adressen, etc. zur Verfügung zu stellen.

Dieser Schritt ist aber hauptsächlich deshalb als letzter in dieser Anleitung, weil es viel besser ist, sich nicht alleine auf die Fähigkeiten der Firewall zu verlassen, um ein System zu schützen. Die Sicherheit eines Systems setzt sich aus mehreren Ebenen zusammen; eine Firewall sollte die letzte sein, wenn bereits alle Dienste abgehärtet worden sind. Sie können sich sicherlich leicht eine Konfiguration vorstellen, bei der ein System lediglich von einer eingebauten Firewall geschützt wird, und der Administrator glückselig die Firewall-Regeln aus irgendwelchen Gründen (Probleme mit dem Setup, Verdruss, Denkfehler, ...) entfernt. Dieses System wäre weit geöffnet für Angriffe, wenn es keine anderen Schutzmaßnahmen auf dem System gibt.

Andererseits können Firewall-Regeln auf dem lokalen System dafür sorgen, dass böse Dinge nicht passieren. Sogar wenn die bereitgestellten Dienste sicher konfiguriert sind, kann eine Firewall vor Misskonfigurationen oder frisch installierten Diensten, die noch nicht passend konfiguriert sind, schützen. Außerdem wird eine strenge Konfiguration nach Hause telefonierende Trojaner am Funktionieren hindern, es sei denn, der Firewall-Code wird entfernt. Beachten Sie, dass ein Eindringling keinen Superuser-Zugriff benötigt, um ferngesteuerte Trojaner zu installieren (da es erlaubt ist, sich an Ports zu binden, wenn es sich nicht um einen privilegierten Port handelt und die Fähigkeiten (Capabilities) noch vorhanden sind).

Demzufolge wäre ein passendes Firewall-Setup eines mit einer standardmäßigen Deny-Policy (was also alles ablehnt, was nicht ausdrücklich erlaubt ist), und weiterhin: Eingehende Verbindungen werden nur zu lokalen Diensten von erlaubten Maschinen gestattet. Ausgehende Verbindungen werden nur von Diensten erlaubt, die auf Ihrem System benutzt werden (DNS, Web-Surfen, POP, E-Mail, ...). Im Gegensatz zu persönlichen Firewalls für andere Betriebssysteme stellt Debian GNU/Linux (noch) keine Firewall-Erstellungs-Schnittstelle zur Verfügung, die Regeln erstellen kann, die einzelne Prozesse oder Benutzer einschränken. Jedoch kann der Iptables-Code so konfiguriert werden, dass er dies kann (siehe dazu das "owner"-Modul in der Handbuchseite ). Die Forward-Regel verbietet alles; es sei denn, andere Systeme werden geschützt (siehe dazu unten). Alle anderen eingehenden und ausgehenden Verbindungen werden abgelehnt. Schützen anderer Systeme durch eine Firewall

Eine Debian-Firewall kann auch so installiert werden, dass sie mit Firewall-Regeln Systeme hinter ihr beschützt, indem sie die Angriffsfläche zum Internet hin einschränkt. Eine Firewall kann so konfiguriert werden, dass ein Zugriff von Systemen außerhalb des lokalen Netzwerks auf interne Dienste (Ports) unterbunden wird. Zum Beispiel muss auf einem Mail-Server lediglich Port 25 (auf dem der Mail-Dienst aufsetzt) von außen zugänglich sein. Eine Firewall kann so konfiguriert werden, dass sogar, wenn es neben den öffentlich zugänglichen noch andere Netzwerkdienste gibt, direkt an diese gesendete Pakete verworfen werden (dies nennt man filtern).

Sie können eine Debian GNU/Linux Maschine sogar so konfigurieren, dass sie als Bridge-Firewall (überbrückender Schutzwall) fungiert, d.h. als eine filternde Firewall, die komplett transparent zum gesamten Netzwerk erscheint, ohne IP-Adresse auskommt und daher nicht direkt attackiert werden kann. Abhängig von dem installierten Kernel müssen Sie vielleicht den Bridge-Firewall-Patch installieren und dann 802.1d Ethernet Bridging in der Kernel-Konfiguration und die neue Option netfilter ( firewalling ) Support auswählen. Sehen Sie dazu , um zu erfahren, wie man dies auf einem Debian GNU/Linux System aufsetzt. Aufsetzen einer Firewall

Die Debian-Standardinstallation bietet im Gegensatz zu vielen anderen Linux-Distributionen noch keine Methode für den Administrator, eine Firewall-Konfiguration mit der Standardinstallation einzurichten, aber Sie können eine Anzahl von Firewall-Konfigurationspaketen (siehe ) installieren.

Natürlich ist die Konfiguration einer Firewall immer vom System und dem Netzwerk abhängig. Ein Administrator muss vorher das Netzwerklayout und die Systeme, die er beschützen will, kennen, die Dienste, auf die zugegriffen werden können muss, und ob andere netzwerkspezifischen Erwägungen (wie NAT oder Routing) berücksichtigt werden müssen. Seien Sie vorsichtig, wenn Sie Ihre Firewall konfigurieren. Wie Laurence J. Lane im iptables-Paket sagt:

Die Werkzeuge können leicht falsch verwendet werden und eine Menge Ärger verursachen, indem sie den gesamten Zugang zu einem Computernetzwerk stilllegen. Es ist nicht völlig ungewöhnlich, dass sich ein Systemadministrator, der ein System verwaltet, das hunderte oder tausende von Kilometern entfernt ist, irrtümlicherweise selbst davon ausgeschlossen hat. Man kann es sogar schaffen, sich von dem Computer auszusperren, dessen Tastatur unter seinen Fingern liegt. Lassen Sie daher die gebotene Vorsicht walten.

Vergessen Sie nicht: Das bloße Installieren von iptables (oder dem älteren Firewallcode) gibt Ihnen keine Sicherheit, es stellt lediglich die Software zur Verfügung. Um eine Firewall zu haben, müssen Sie sie konfigurieren!

Wenn Sie keine Ahnung haben, wie Sie Ihre Firewall-Regeln manuell aufsetzen sollen, sehen Sie in dem Packet Filtering HOWTO und NAT HOWTO aus dem Paket iptables, zu finden unter /usr/share/doc/iptables/html/ nach.

Wenn Sie nicht viel über Firewalls wissen, sollten Sie beginnen, indem Sie das lesen. Installieren Sie das Paket doc-linux-text, wenn Sie es offline lesen wollen. Wenn Sie Fragen stellen wollen oder Hilfe beim Einrichten einer Firewall benötigen, können Sie sich an die debian-firewall-Mailingliste wenden, siehe . Sehen Sie auch für weitere (allgemeinere) Verweise zu Firewalls. Ein weiterer guter Leitfaden für Iptables ist . Nutzen von Firewall-Paketen

Das manuelle Aufsetzen einer Firewall kann für neue (und manchmal auch für erfahrene) Administratoren kompliziert sein. Hierfür hat die Freie-Software-Gemeinschaft eine große Zahl von Werkzeugen erstellt, die zur einfachen Konfiguration einer lokalen Firewall benutzt werden können. Seien Sie gewarnt, dass einige dieser Werkzeuge sich mehr auf lokalen Schutz konzentrieren (auch personal firewall genannt), während andere vielseitiger sind und dazu benutzt werden können, komplexere Regelwerke zum Schutz ganzer Netzwerke zu erstellen.

Einige Programme, die unter Debian zum Aufsetzen von Firewall-Regeln benutzt werden können, sind: Für Desktop-Systeme: firestarter, eine GNOME-Anwendung, die sich an Endanwender richtet, die einen Wizard enthält, der nützlich ist, um schnell Firewall-Regeln aufzustellen. Die Anwendung enthält eine graphische Oberfläche zum Beobachten, ob eine Firewall-Regel Daten blockiert. guarddog ist ein auf KDE beruhendes Paket zur Erstellung von Firewall-Regeln. Es richtet sich sowohl an Neulinge wie auch an Fortgeschrittene. knetfilter ist ein KDE-Programm mit grafischer Oberfläche, um Firewall- und NAT-Regeln für iptables zu verwalten. Es ist eine Alternative zu guarddog, es ist jedoch etwas mehr auf fortgeschrittenere Benutzer ausgelegt. fireflier ist ein interaktives Werkzeug, um Firewall-Regeln zu erstellen. Dazu analysiert es den Netzwerkverkehr und Anwendungen. Es basiert auf einem Client-Server-Modell, daher müssen Sie sowohl den Server (fireflier-server) als auch einen der zahlreichen Clients (fireflier-client-gtk (Gtk+-Client), fireflier-client-kde (KDE-Client) oder fireflier-client-qt (QT-Client)) installieren. Für Server-Systeme (textbasiert): fwbuilder, eine objektorientierte graphische Oberfläche, die Richtlinien-Compiler für verschiedene Firewall-Plattformen inklusive Linux' netfilter, BSDs pf (verwendet in OpenBSD, NetBSD, FreeBSD und MacOS X) ebenso wie Zugriffslisten von Routern enthält. Es ist ähnlich zu Enterprise-Firewall-Management-Software. Die vollständige Funktionalität von fwbuilder ist auch von der Kommandozeile verfügbar. shorewall, ein Firewall-Konfigurationswerkzeug, das Unterstützung für IPsec sowie beschränkte Unterstützung für Traffic Shaping und die Definition der Firewall-Regeln bietet. Die Konfiguration geschieht durch eine einfache Menge von Dateien, die verwendet werden, um die iptables-Regeln aufzustellen. bastille, diese Härtungsanwendung ist in beschrieben. 
Einer der Härtungsschritte, die der Administrator konfigurieren kann, ist eine Definition des erlaubten und verbotenen Netzwerkverkehrs, die verwendet wird, um eine Reihe von Firewall-Regeln zu generieren, die das System beim Start ausführt.

Es gibt in Debian auch noch eine Menge anderer Frontends für Iptables. Eine vollständige Liste kann auf der , die auch einen Vergleich der verschiedenen Pakete enthält, abgerufen werden.

Seien Sie gewarnt, dass manche der zuvor skizzierten Pakete Firewall-Skripte einführen, die beim Systemstart ausgeführt werden. Testen Sie diese ausführlich, bevor Sie neustarten, oder Sie finden sich selbst ausgesperrt vor Ihrem Rechner wieder. Wenn Sie verschiedene Firewall-Pakete mischen, kann dies zu unerwünschten Nebeneffekten führen. Gewöhnlich wird das Firewall-Skript, das zuletzt ausgeführt wird, das System konfigurieren (was Sie so vielleicht nicht vorhatten). Sehen Sie hierzu in der Paketdokumentation nach und benutzen Sie nur eines dieser Setups.

Wie bereits zuvor erläutert, sind einige Programme wie firestarter, guarddog und knetfilter graphische Administrations-Schnittstellen, die entweder GNOME oder KDE (die letzten beiden) benutzen. Diese sind viel benutzerorientierter (z.B. für Heimanwender) als einige der anderen Pakete in der Liste, die sich eher an Administratoren richten. Einige der Programme, die zuvor aufgeführt wurden (wie bastille), konzentrieren sich auf das Erstellen von Firewall-Regeln zum Schutz des Rechners, auf dem sie laufen, sind aber nicht notwendigerweise dafür geschaffen, Firewall-Regeln für Rechner zu erstellen, die ein Netzwerk schützen (wie shorewall oder fwbuilder).

Es gibt einen weiteren Typ von Firewall-Anwendungen: Anwendungs-Proxys. Wenn Sie eine Möglichkeit suchen, eine Unternehmenslösung aufzusetzen, die Pakete filtert und eine Anzahl von transparenten Proxys bietet, die feinabgestimmte Verkehrsanalysen bieten, so sollten Sie zorp genauer betrachten. Dies bietet alles in einem einzelnen Programm. Sie können diese Art von Firewall-Rechner auch manuell aufsetzen, indem Sie die Proxys, die in Debian vorhanden sind, für verschiedene Dienste verwenden. Zum Beispiel für DNS bind (richtig konfiguriert), dnsmasq, pdnsd oder totd für FTP frox oder ftp-proxy, für X11 xfwp, für IMAP imapproxy, für Mail smtpd oder für POP3 p3scan. Für andere Protokolle können Sie entweder einen allgemeinen TCP-Proxy wie simpleproxy oder einen allgemeinen SOCKS-Proxy wie dante-server, tsocks oder socks4-server verwenden. Typischerweise werden Sie auch ein Web-Cache-System (wie squid) und ein Web-Filtersystem (wie squidguard oder dansguardian) nutzen. Manuelle init.d-Konfiguration

Eine andere Möglichkeit ist die manuelle Konfiguration Ihrer Firewall-Regeln durch ein init.d-Skript, das die iptables-Befehle ausführt. Befolgen Sie diese Schritte: Sehen Sie das unten aufgeführte Skript durch und passen Sie es Ihren Anforderungen an. Testen Sie das Skript und überprüfen Sie die Syslog-Meldungen auf unterdrückten Netzwerkverkehr. Wenn Sie vom Netzwerk aus testen, werden Sie entweder den Beispiel-Shellcode starten wollen, um die Firewall zu entfernen (wenn Sie nichts innerhalb von 20 Sekunden eingeben), oder Sie sollten die default deny-Richtliniendefinition auskommentieren (-P INPUT DROP und -P OUTPUT DROP) und überprüfen, dass das System keine gültigen Daten verworfen hat. Verschieben Sie das Skript nach /etc/init.d/meineFirewall Konfigurieren Sie das System, das Skript zu starten, bevor irgendein Netzwerk konfiguriert wird: #update-rc.d meineFirewall start 40 S . stop 89 0 6 .

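Dies ist das Beispiel-Firewallskript:

#!/bin/sh
# Simple example firewall configuration.
#
# Caveats:
# - This configuration applies to all network interfaces
#   if you want to restrict this to only a given
#   interface use '-i INTERFACE' in the
#   iptables calls.
# - Remote access for TCP/UDP services is granted
#   to any host, you probably want to restrict
#   this using '--source'.
# - The rule for security.debian.org is resolved through DNS
#   when the rules are loaded (see the note next to it).
#
# chkconfig: 2345 9 91
# description: Activates/Deactivates the firewall at boot time
#
# You can test this script before applying with the
# following shell snippet, if you do not type anything
# in 20 seconds (the 'read -t 20' below) the firewall rules
# will be cleared.
#---------------------------------------------------------------
#  while true; do test=""; read -t 20 -p "OK? " test ; \
#  [ -z "$test" ] && /etc/init.d/meineFirewall clear ; done
#---------------------------------------------------------------

PATH=/bin:/sbin:/usr/bin:/usr/sbin

# Services that the system will offer to the network
TCP_SERVICES="22" # SSH only
UDP_SERVICES=""
# Services the system will use from the network
REMOTE_TCP_SERVICES="80" # web browsing
REMOTE_UDP_SERVICES="53" # DNS
# Network that will be used for remote mgmt
# (if undefined, no rules will be setup)
# NETWORK_MGMT=192.168.0.0/24
# Port used for the SSH service, define this if you have setup a
# management network but remove it from TCP_SERVICES.
# If SSH_PORT stays undefined no management rule is added at all
# (an empty --dport would make iptables reject the rule).
# SSH_PORT="22"

# Nothing to do on a system without iptables
if ! [ -x /sbin/iptables ]; then
    exit 0
fi

# set_sysctl VALUE FILE
# Write VALUE to a /proc/sys knob, silently skipping knobs that
# this kernel version does not expose.
set_sysctl () {
    if [ -e "$2" ] ; then
        echo "$1" > "$2"
    fi
}

# Load the filtering rules; the default policies are switched to
# DROP only after the ACCEPT rules are in place so that an
# interactive session is not cut off halfway.
fw_start () {

    # Input traffic:
    /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Services
    if [ -n "$TCP_SERVICES" ] ; then
        for PORT in $TCP_SERVICES; do
            /sbin/iptables -A INPUT -p tcp --dport ${PORT} -j ACCEPT
        done
    fi
    if [ -n "$UDP_SERVICES" ] ; then
        for PORT in $UDP_SERVICES; do
            /sbin/iptables -A INPUT -p udp --dport ${PORT} -j ACCEPT
        done
    fi
    # Remote management (only when SSH_PORT is defined, see above)
    if [ -n "$SSH_PORT" ] ; then
        if [ -n "$NETWORK_MGMT" ] ; then
            /sbin/iptables -A INPUT -p tcp --src ${NETWORK_MGMT} --dport ${SSH_PORT} -j ACCEPT
        else
            /sbin/iptables -A INPUT -p tcp --dport ${SSH_PORT} -j ACCEPT
        fi
    elif [ -n "$NETWORK_MGMT" ] ; then
        echo "WARN: NETWORK_MGMT is set but SSH_PORT is not; no management rule added" >&2
    fi
    # Remote testing
    /sbin/iptables -A INPUT -p icmp -j ACCEPT
    /sbin/iptables -A INPUT -i lo -j ACCEPT
    /sbin/iptables -P INPUT DROP
    /sbin/iptables -A INPUT -j LOG

    # Output:
    /sbin/iptables -A OUTPUT -j ACCEPT -o lo
    /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ICMP is permitted:
    /sbin/iptables -A OUTPUT -p icmp -j ACCEPT
    # So are security package updates:
    # Note: You can hardcode the IP address here to prevent DNS spoofing
    # and to setup the rules even if DNS does not work but then you
    # will not "see" IP changes for this service:
    /sbin/iptables -A OUTPUT -p tcp -d security.debian.org --dport 80 -j ACCEPT
    # As well as the services we have defined:
    if [ -n "$REMOTE_TCP_SERVICES" ] ; then
        for PORT in $REMOTE_TCP_SERVICES; do
            /sbin/iptables -A OUTPUT -p tcp --dport ${PORT} -j ACCEPT
        done
    fi
    if [ -n "$REMOTE_UDP_SERVICES" ] ; then
        for PORT in $REMOTE_UDP_SERVICES; do
            /sbin/iptables -A OUTPUT -p udp --dport ${PORT} -j ACCEPT
        done
    fi
    # All other connections are registered in syslog
    /sbin/iptables -A OUTPUT -j LOG
    /sbin/iptables -A OUTPUT -j REJECT
    /sbin/iptables -P OUTPUT DROP
    # Other network protections
    # (some only exist on some kernel versions; set_sysctl skips
    # the missing ones instead of printing an error)
    set_sysctl 1 /proc/sys/net/ipv4/tcp_syncookies
    set_sysctl 0 /proc/sys/net/ipv4/ip_forward
    set_sysctl 1 /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    set_sysctl 1 /proc/sys/net/ipv4/conf/all/log_martians
    set_sysctl 1 /proc/sys/net/ipv4/ip_always_defrag
    set_sysctl 1 /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    set_sysctl 1 /proc/sys/net/ipv4/conf/all/rp_filter
    set_sysctl 0 /proc/sys/net/ipv4/conf/all/send_redirects
    set_sysctl 0 /proc/sys/net/ipv4/conf/all/accept_source_route
}

# Flush all rules but keep the host closed: incoming and forwarded
# traffic is still dropped, only outgoing traffic is allowed.
fw_stop () {
    /sbin/iptables -F
    /sbin/iptables -t nat -F
    /sbin/iptables -t mangle -F
    /sbin/iptables -P INPUT DROP
    /sbin/iptables -P FORWARD DROP
    /sbin/iptables -P OUTPUT ACCEPT
}

# Flush all rules and open every chain (used by the test snippet
# above to recover from a lock-out).
fw_clear () {
    /sbin/iptables -F
    /sbin/iptables -t nat -F
    /sbin/iptables -t mangle -F
    /sbin/iptables -P INPUT ACCEPT
    /sbin/iptables -P FORWARD ACCEPT
    /sbin/iptables -P OUTPUT ACCEPT
}

case "$1" in
    start|restart)
        echo -n "Starting firewall.."
        fw_stop
        fw_start
        echo "done."
        ;;
    stop)
        echo -n "Stopping firewall.."
        fw_stop
        echo "done."
        ;;
    clear)
        echo -n "Clearing firewall rules.."
        fw_clear
        echo "done."
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|clear}"
        exit 1
        ;;
esac
exit 0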

Um nicht alle Iptables-Regeln in das Init.d-Skript einfügen zu müssen, können Sie auch das Programm iptables-restore verwenden, um die Regeln zu laden, die zuvor mit iptables-save gespeichert wurden. Um dies zu tun, müssen Sie Ihre Regeln erstellen und das Regelwerk statisch speichern (z.B. in /etc/default/firewall). Konfiguration von Firewall-Regeln mittels ifup

Sie können auch die Netzwerkkonfiguration in /etc/network/interfaces verwenden, um Ihre Firewall-Regeln einzurichten. Dafür müssen Sie Folgendes tun: Erstellen Sie Ihre Firewall-Regeln für die aktivierte Schnittstelle. Sichern Sie Ihre Regeln mit iptables-save in eine Datei in /etc, zum Beispiel /etc/iptables.up.rules Konfigurieren Sie /etc/network/interfaces, diese Regeln zu verwenden: iface eth0 inet static address x.x.x.x [.. interface configuration ..] pre-up iptables-restore < /etc/iptables.up.rules

Wahlweise können Sie auch Regeln erstellen, die beim Herunterfahren der Netzwerkschnittstelle ausgeführt werden. Dazu erzeugen Sie diese, speichern sie in /etc/iptables.down.rules und fügen diese Anweisung zur Schnittstellenkonfiguration hinzu: post-down iptables-restore < /etc/iptables.down.rules

Für weitergehende Firewall-Konfigurationsskripte durch ifupdown können Sie die zu jeder Schnittstelle verfügbaren Hooks (Einspringpunkte) wie in den *.d/-Verzeichnissen verwenden, die mit run-parts aufgerufen werden (vergleiche ). Testen Ihrer Firewall-Konfiguration

Testen Ihrer Firewall-Konfiguration ist so einfach und so schwierig, wie das Starten Ihres Firewall-Skripts (oder die Aktivierung der Konfiguration, die Sie in Ihrer Firewall-Konfigurationsanwendung definierten). Wenn Sie jedoch nicht sorgfältig genug sind und Sie Ihre Firewall aus der Ferne konfigurieren (z.B. durch eine SSH-Verbindung), könnten Sie sich selbst aussperren.

Es gibt mehrere Möglichkeiten, dies zu verhindern. Eine ist das Starten eines Skriptes in einem separaten Terminal, das Ihre Firewall-Konfiguration entfernt, wenn es keine Eingabe von Ihnen erhält. Ein Beispiel dafür ist: $ while true; do test=""; read -t 20 -p "OK? " test ; \ [ -z "$test" ] && /etc/init.d/firewall clear ; done

Eine andere Möglichkeit ist das Einführen einer Hintertür in Ihr System durch einen alternativen Mechanismus, der es Ihnen erlaubt, das Firewall-System entweder zurückzusetzen oder ein Loch in es zu schlagen, wenn irgendetwas krumm läuft. Dafür können Sie knockd verwenden und es so konfigurieren, dass eine spezielle Portverbindungsversuchssequenz die Firewall zurücksetzt (oder eine temporäre Regel hinzufügt). Selbst wenn die Pakete von der Firewall zurückgewiesen werden, werden Sie Ihr Problem lösen können, da knockd auf der Schnittstelle lauscht und Sie sieht.

Das Testen einer Firewall, die ein internen Netz schützt, ist eine andere Aufgabe. Schauen Sie sich dafür einige Werkzeuge an, die es für entfernte Ausnutzbarkeitsbewertungen gibt (siehe ), um das Netzwerk von außerhalb nach innen (oder aus einer beliebig anderen Richtung) bezüglich der Effektivität der Firewall-Konfiguration zu testen. harden-doc-3.15.1/howto-source/de/appendix.sgml0000644000000000000000000024765211464363437016250 0ustar Der Abhärtungsprozess Schritt für Schritt

Eine Anleitung, die Schritt für Schritt darstellt, wie ein Debian 2.2 GNU/Linux-System nach der Installation abgehärtet wird, ist unten aufgeführt. Das ist nur eine denkbare Herangehensweise an einen solchen Vorgang. Sie ist am Absichern von Netzwerkdiensten orientiert und stellt den gesamten Ablauf der Konfiguration vor. Vergleichen Sie auch . Installieren Sie das System. Beachten Sie dabei die Informationen dieses HOWTOs bezüglich der Partitionierung. Nach der Basis-Installation nehmen Sie eine angepasste Installation vor. Wählen Sie keine Task-Pakete aus. Aktivieren Sie shadow passwords. Entfernen Sie mit dselect alle nicht benötigten aber ausgewählten Pakete, bevor Sie [I]nstallation wählen. Behalten Sie nur die absolut notwendige Software auf dem System. Aktualisieren Sie die ganze Software mit den aktuellen Paketen von security.debian.org, wie bereits unter beschrieben. Implementieren Sie die in dieser Anleitung vorgeschlagenen Maßnahmen zu User-Quotas, Ausgestaltung des Logins und Lilo. Machen Sie sich eine Liste von allen Diensten, die derzeit auf Ihrem System laufen. Versuchen Sie dazu Folgendes: $ ps aux $ netstat -pn -l -A inet # /usr/sbin/lsof -i | grep LISTEN Damit das dritte Kommando funktioniert, werden Sie lsof-2.2 installieren müssen (und es als Root laufen lassen). Beachten Sie, dass lsof das Wort LISTEN passend zu Ihrer Lokalisation übersetzen kann. Um einen unnötigen Dienst zu entfernen, stellen Sie zunächst fest, wie er gestartet wird und welches Paket ihn zur Verfügung stellt. Sie können dies ganz einfach machen, indem Sie das Programm prüfen, das auf dem Socket lauscht. 
Das nachfolgende Shell-Skript, das die Programme lsof und dpkg verwendet, macht genau das: #!/bin/sh # FIXME: this is quick and dirty; replace with a more robust script snippet for i in `sudo lsof -i | grep LISTEN | cut -d " " -f 1 |sort -u` ; do pack=`dpkg -S $i |grep bin |cut -f 1 -d : | uniq` echo "Service $i is installed by $pack"; init=`dpkg -L $pack |grep init.d/ ` if [ ! -z "$init" ]; then echo "and is run by $init" fi done Wenn Sie einen unerwünschten Dienst finden, entfernen Sie das Paket (mit dpkg --purge). Oder benutzen Sie update-rc.d (siehe ), um ihn aus dem Start-Prozess zu entfernen. Überprüfen Sie bei inetd-Diensten (werden durch den Superdaemon gestartet), welche Dienste in /etc/inetd.conf aktiviert sind. Verwenden Sie dazu Folgendes: $ grep -v "^#" /etc/inetd.conf | sort -u Deaktivieren Sie dann diejenigen Dienste, die Sie nicht benötigen, indem Sie die Zeile in /etc/inetd.conf auskommentieren, das Paket entfernen, oder indem Sie update-inetd benutzen. Wenn Sie Dienste eingehüllt haben (und /usr/sbin/tcpd benutzen) prüfen Sie, ob die Dateien /etc/hosts.allow und /etc/hosts.deny passend zu Ihren Richtlinien für die Dienste konfiguriert sind. Wenn der Server mehr als eine externe Schnittstelle benutzt, sollten Sie vielleicht Dienste darauf beschränken, auf bestimmten Schnittstellen zu lauschen. Ob das möglich ist, hängt aber von den Diensten ab. Wenn Sie zum Beispiel internen FTP-Zugriff erlauben wollen, lassen Sie den FTP-Daemon nur auf der internen Schnittstelle lauschen, nicht auf allen (d.h. 0.0.0.0:21). Booten Sie die Maschine neu, oder wechseln Sie in den Single-User-Modus und zurück in den Multi-User-Modus mit: # init 1 (....) # init 2 Prüfen Sie die nun angebotenen Dienste und wiederholen Sie gegebenenfalls die letzten Schritte. Installieren Sie jetzt die benötigten Dienste, falls es noch nicht geschehen ist, und konfigurieren Sie sie passend. 
Prüfen Sie mit folgendem Shell-Befehl, unter welchem Nutzer die verfügbaren Dienste laufen: # for i in `/usr/sbin/lsof -i |grep LISTEN |cut -d " " -f 1 |sort -u`; \ > do user=`ps ef |grep $i |grep -v grep |cut -f 1 -d " "` ; \ > echo "Service $i is running as user $user"; done Überlegen Sie, ob Sie diese Dienste einem bestimmten Benutzer oder einer bestimmten Gruppe zuweisen wollen und sie vielleicht auch in einer chroot-Umgebung einsperren wollen, um die Sicherheit zu erhöhen. Sie können dies tun, indem Sie die /etc/init.d-Skripte ändern, die den Dienst starten. Die meisten Dienste benutzen unter Debian start-stop-daemon, der dafür die Optionen (--change-uid und --chroot) zur Verfügung stellt. Ein paar warnende Worte zum Einsperren in eine chroot-Umgebung: Sie müssen alle Dateien, die durch das Paket des Dienstes installiert wurden (verwenden Sie dpkg -L), und alle Pakete, von denen es abhängt, in die Chroot-Umgebung legen. Informationen, wie das Programm ssh in eine chroot-Umgebung eingesperrt wird, finden Sie unter . Wiederholen Sie die Schritte oben, um zu prüfen, ob nur die gewünschten Dienste laufen und ob sie unter der gewünschten Nutzer/Gruppen-Kombination laufen. Testen Sie die installierten Dienste, um festzustellen, ob sie wie erwartet arbeiten. Überprüfen Sie das System, indem Sie einen Scanner zur Abschätzung der Verwundbarkeit (zum Beispiel nessus) benutzen, um Angriffsmöglichkeiten (Fehlkonfigurationen, alte oder nicht benötigte Dienste) zu finden. Installieren Sie Instrumente zur Entdeckung von Eindringlingen in Netzwerk und Hosts (wie snort und logcheck). Wiederholen Sie den Netzwerk-Scan und prüfen Sie, ob das System zur Erkennung von Eindringlingen funktioniert. Die richtig Paranoiden überlegen sich auch das Folgende: Fügen Sie dem System Firewall-Fähigkeiten hinzu, die eingehende Verbindungen nur zu angebotenen Diensten erlauben und ungenehmigte ausgehende Verbindungen verhindern. 
Überprüfen Sie erneut die Installation auf Angriffspunkte mit einem Netzwerk-Scanner. Prüfen Sie ausgehende Verbindungen vom System zu Hosts außerhalb mit einem Netzwerk-Scanner, um sicherzustellen, dass ungewollte Verbindungen keinen Weg nach draußen finden.

FIXME: this procedure considers service hardening but not system hardening at the user level, include information regarding checking user permissions, SETUID files and freezing changes in the system using the ext2 file system. Checkliste der Konfiguration

Dieser Anhang wiederholt kurz Punkte aus anderen Abschnitten dieser Anleitung in einem verdichteten Checklisten-Format. Er ist als schnelle Zusammenfassung für Leute gedacht, die bereits diese Anleitung gelesen haben. Es gibt auch andere gute Checklisten, zum Beispiel Kurt Seifrieds und .

FIXME: This is based on v1.4 of the manual and might need to be updated. Schränken Sie physischen Zugriff und Boot-Fähigkeiten ein. Setzen Sie im BIOS ein Passwort. Schalten Sie im BIOS das Booten von Diskette, CD-ROM, ... ab. Setzen Sie ein LILO- bzw. GRUB-Passwort (/etc/lilo.conf bzw. /boot/grub/menu.lst); stellen Sie sicher, dass die LILO- oder GRUB-Konfigurationen nicht einsehbar sind. Partitionierung: Legen Sie Daten, die von Nutzern geschrieben wurden, Daten, die nicht zum System gehören, und sich ständig ändernde Laufzeitdaten auf eigenen, getrennten Partitionen ab. Setzen Sie die Mount-Optionen nosuid,noexec,nodev in /etc/fstab bei ext2/3-Partitionen, die keine ausführbaren Programme enthalten sollten, wie zum Beispiel /home oder /tmp. Passwort-Hygiene und Login-Sicherheit: Wählen Sie ein gutes Root-Passwort. Benutzen Sie Shadow- und MD5-Passwörter. Installieren und benutzen Sie PAM: Fügen Sie die Unterstützung von PAM-MD5 hinzu, und stellen Sie sicher (allgemein gesprochen), dass die Einträge in den /etc/pam.d/-Dateien, die Zugriff auf die Maschine gewähren, das zweite Feld in der pam.d-Datei auf requisite oder required gesetzt haben. Ändern Sie /etc/pam.d/login, so dass nur lokale Root-Logins erlaubt werden. Markieren Sie außerdem autorisierte ttys in /etc/security/access.conf und richten Sie diese Datei überhaupt so ein, dass Root-Logins so weit wie möglich eingeschränkt werden. Fügen Sie pam_limits.so hinzu, wenn Sie Einschränkungen pro Benutzer vornehmen wollen. Ändern Sie /etc/pam.d/passwd: Erhöhen Sie die minimale Länge von Passwörtern (vielleicht sechs Zeichen) und schalten Sie MD5 ein. Wenn Sie es wünschen, fügen Sie /etc/group die Gruppe wheel hinzu; fügen Sie /etc/pam.d/su pam_wheel.so group=wheel hinzu. Für angepasste Kontrollen der einzelnen Nutzer nehmen Sie pam_listfile.so-Einträge an den passenden Stellen vor. Erstellen Sie eine Datei /etc/pam.d/other und setzen Sie sie mit strenger Sicherheit auf. 
Setzen Sie in /etc/security/limits.conf Schranken (beachten Sie, dass /etc/limits nicht benutzt wird, wenn Sie PAM verwenden). Nehmen Sie Einschränkungen in /etc/login.defs vor; wenn Sie MD5 oder PAM einschalten, machen Sie auch hier ebenfalls die gleichbedeutenden Änderungen. Schalten Sie FTP-Zugriff von Root in /etc/ftpusers ab. Schalten Sie Root-Logins übers Netzwerk ab; benutzen Sie oder (denken Sie die Installation von sudo nach). Benutzen Sie PAM, um zusätzliche Auflagen auf Logins zu ermöglichen. Andere lokale Sicherheitsangelegenheiten: Kernel-Tweaks (siehe ). Kernel-Patches (siehe ). Schränken Sie die Zugriffsrechte auf Log-Dateien (/var/log/{last,fail}log, Apache-Logs) ein. Stellen Sie sicher, dass in /etc/checksecurity.conf SETUID-Checks eingeschaltet sind. Überlegen Sie sich, an Log-Dateien nur anhängen zu lassen (append-only) und Konfigurationsdateien unveränderbar (immutable) zu machen, indem Sie chattr benutzen (nur ext2/3-Dateisystem). Setzen Sie eine Integritätsprüfung des Dateisystems auf (siehe ). Installieren Sie debsums. Überlegen Sie, locate durch slocate zu ersetzen. Alles auf einem lokalen Drucker mitloggen? Brennen Sie Ihre Konfiguration auf eine bootbare CD und booten Sie hiervon? Abschalten von Kernel-Modulen? Einschränkung des Netzwerkzugriffs: Installieren und konfigurieren Sie ssh (Vorschlag: PermitRootLogin No in /etc/ssh/sshd_config, PermitEmptyPasswords No; beachten Sie auch die anderen Vorschläge im Text). Schalten Sie in.telnetd ab oder entfernen Sie ihn, falls er installiert ist. Deaktivieren Sie ganz allgemein alle überflüssigen Dienste in /etc/inetd.conf. Benutzen Sie dazu update-inetd --disable (oder Sie schalten inetd ganz ab oder benutzen einen Ersatz wie xinetd oder rlinetd). Schalten Sie andere überflüssige Netzwerkdienste ab. ftp, DNS, www, usw. sollten nicht laufen, wenn Sie sie nicht brauchen und nicht regelmäßig überwachen. 
In den meisten Fällen muss ein Mail-Server betrieben werden, sollte aber so konfiguriert sein, dass er nur lokal Mails zustellt. Installieren Sie von den Diensten, die Sie brauchen, nicht einfach das weit verbreitetste Programm, sondern schauen Sie nach sichereren Versionen, die Debian liefert (oder aus anderen Quellen). Was auch immer Sie schließlich benutzen: Stellen Sie sicher, dass Sie die Risiken verstanden haben. Setzen Sie Chroot-Gefängnisse für auswärtige Nutzer und Daemonen auf. Konfigurieren Sie die Firewall und die tcp-Wrapper (d.h. ); beachten Sie den Trick für /etc/hosts.deny im Text. Wenn Sie FTP laufen lassen, setzen Sie den ftpd-Server so auf, dass er immer in einer chroot-Umgebung im Home-Verzeichnis des Nutzers läuft. Wenn Sie X laufen lassen, schalten Sie xhost-Authentifizierung ab und benutzen Sie stattdessen ssh. Oder noch besser: Deaktivieren Sie die Weiterleitung von X komplett, falls das möglich ist (fügen Sie -nolisten tcp zu der X-Kommando-Zeile hinzu und schalten Sie XDMCP in /etc/X11/xdm/xdm-config ab, indem Sie den requestPort auf 0 setzen). Schalten Sie Zugriff von außerhalb auf den Drucker ab. Tunneln Sie alle IMAP- oder POP-Sitzungen durch SSL oder ssh. Installieren Sie stunnel, wenn Sie diesen Dienst anderen Mail-Nutzern anbieten wollen. Setzen Sie einen Log-Host auf, und konfigurieren Sie andere Maschinen, ihre Logs an diesen Host zu senden (/etc/syslog.conf) Sichern Sie BIND, Sendmail und andere komplexe Daemonen ab (starten Sie sie in einer chroot-Umgebung und als nicht-Root Pseudonutzer). Installieren Sie tiger oder ein ähnliches Werkzeug zur Erkennung von Eindringlingen in Ihr Netzwerk. Installieren Sie snort oder ein ähnliches Werkzeug zur Erkennung von Eindringlingen in Ihr Netzwerk. Verzichten Sie, falls möglich, auf NIS und RPC (Abschalten von portmap). Angelegenheiten mit Richtlinien: Klären Sie die Nutzer über das Wie und Warum Ihrer Richtlinien auf. 
Wenn Sie etwas verboten haben, das auf anderen Systemen normalerweise verfügbar ist, stellen Sie Dokumentation bereit, die erklärt, wie man die gleichen Resultate erreicht, indem man andere, sichere Mittel anwendet. Verbieten Sie die Nutzung von Protokollen, die Klartext-Passwörter benutzen (telnet, rsh und Freunde, ftp, imap, pop, http, ...). Verbieten Sie Programme, die SVGAlib benutzen. Benutzen Sie Disk-Quotas. Bleiben Sie über Sicherheitsangelegenheiten informiert: Abonnieren Sie sicherheitsrelevante Mailinglisten. Richten Sie Sicherheitsaktualisierungen für apt ein – fügen Sie /etc/apt/sources.list einen Eintrag (oder Einträge) für http://security.debian.org/ hinzu. Vergessen Sie auch nicht, regelmäßig apt-get update ; apt-get upgrade (vielleicht als Cron-Job?) laufen zu lassen, wie unter beschrieben. Aufsetzen eines autonomen IDS

Sie können sehr leicht eine Debian-Box als eigenständiges Eindringlings-Erkennungs-System (Intrusion Detection System, IDS) aufsetzen, indem Sie snort benutzen und eine webbasierte Schnittstelle zur Überwachung der Alarme über Eindringlinge einrichten: Installieren Sie ein Debian-Basis-System ohne zusätzliche Pakete. Installieren Sie eine Version von Snort, die Datenbanken unterstützt, und richten Sie Snort so ein, dass die Alarme in der Datenbank protokolliert werden. Laden Sie BASE (Basic Analysis and Security Engine) oder ACID (Analysis Console for Intrusion Databases, Konsole zur Analyse für Eindringling-Datenbanken) herunter und installieren Sie es. Konfigurieren Sie es so, dass es die gleiche Datenbank wie Snort verwendet. Installieren Sie die notwendigen Pakete. Normalerweise werden alle benötigten Pakete installiert, um Abhängigkeiten aufzulösen.

BASE wird derzeit für Debian im Paket acidbase geliefert, ACID im Paket acidlab. Es kann auch von , oder heruntergeladen werden. Beide stellen eine graphische WWW-Schnittstelle zur Ausgabe von Snort zur Verfügung.

Neben der Grundinstallationen benötigen Sie auch einen Webserver (wie apache), einen PHP-Interpreter und eine relationale Datenbank (wie postgresql oder mysql), wo Snort seine Alarme ablegen kann.

Dieses System sollte mit wenigstens zwei Netzwerk-Schnittstellen ausgestattet sein: eine verbunden mit einem Verwaltungs-LAN (um die Resultate abzufragen und das System zu verwalten), und eine ohne IP-Adresse, die mit dem zu beobachtenden Abschnitt des Netzwerks verbunden ist. Sie sollten den Webserver so einrichten, dass er nur auf der Schnittstelle lauscht, die mit dem Verwaltungs-LAN verbunden ist.

Sie sollten beide Schnittstellen in der Standardkonfigurationsdatei von Debian /etc/network/interfaces einrichten. Eine Adresse, nämlich die des Verwaltungs-LANs, sollten Sie wie gewöhnlich einrichten. Die andere Schnittstelle muss so konfiguriert werden, dass sie aktiviert wird, wenn das System startet, ihr darf aber keine Interface-Adresse zugewiesen sein. Eine Konfiguration der Schnittstelle könnte folgendermaßen aussehen: auto eth0 iface eth0 inet manual up ifconfig $IFACE 0.0.0.0 up up ip link set $IFACE promisc on down ip link set $IFACE promisc off down ifconfig $IFACE down

Diese Konfiguration führt dazu, dass die Schnittstelle den gesamten Netzwerkverkehr heimlich mitliest. Damit wird verhindert, dass das NIDS in einem feindlichen Netzwerk direkt angegriffen werden kann, da die Sensoren im Netzwerk keine IP-Adresse haben. Beachten Sie aber, dass es im Lauf der Zeit Fehler im Sensorenteil des NIDS gab (z.B. im Zusammenhang mit Snort), und dass Pufferüberläufe auch entfernt durch die Verarbeitung von Netzwerkpaketen ausgelöst werden können.

Sie sollten auch einen Blick in das und in die Dokumentation auf der werfen. Aufsetzen einer überbrückenden Firewall (bridge Firewall)

Diese Informationen trug Francois Bayart bei, um Benutzern zu helfen, eine Linux Bridge/Firewall mit 2.4.x Kernel und iptables aufzusetzen. Ein Kernelpatch wird nicht mehr benötigt, da der Code Standardinhalt der Linux-Kernel-Distribution wurde.

Um die notwendigen Einstellungen im Kernel vorzunehmen, rufen Sie make menuconfig oder make xconfig auf. Aktivieren Sie im Abschnitt Networking options folgende Optionen: [*] Network packet filtering (replaces ipchains) [ ] Network packet filtering debugging (NEW) <*> 802.1d Ethernet Bridging [*] netfilter (firewalling) support (NEW)

Passen Sie auf, dass Sie dieses hier deaktiviert haben, wenn Sie Firewall-Regeln anwenden wollen. Anderenfalls wird iptables nicht funktionieren. [ ] Network packet filtering debugging (NEW)

Anschließend müssen Sie die korrekten Optionen im Abschnitt IP: Netfilter Configuration setzen. Dann kompilieren und installieren Sie den Kernel. Wenn Sie dies auf die Debian-Art machen wollen, installieren Sie kernel-package und benutzen Sie make-kpkg um ein maßgeschneidertes Debian-Kernelpaket zu erstellen, das Sie mit dpkg auf Ihrem Server installieren können. Sobald der neue Kernel kompiliert und installiert ist, müssen Sie das Paket bridge-utils installieren.

Wenn Sie diesen Schritt abgeschlossen haben, können Sie die Konfiguration Ihrer Bridge fertigstellen. Im nächsten Abschnitt werden Ihnen zwei verschiedene mögliche Konfigurationen einer Bridge vorgestellt. Beide sind mit einer Übersicht eines hypothetischen Netzwerks und den notwendigen Befehlen versehen. Eine Bridge mit NAT- und Firewall-Fähigkeiten

Die erste Konfigurationsmöglichkeit benutzt die Bridge als Firewall mit Network Address Translation (NAT, Übersetzung der Netzwerkadressen), die einen Server und interne LAN-Clienten schützt. Unten wird eine Darstellung der Anordnung des Netzwerks gezeigt: Internet ---- router ( 62.3.3.25 ) ---- bridge (62.3.3.26 gw 62.3.3.25 / 192.168.0.1) | | |---- WWW Server (62.3.3.27 gw 62.3.3.25) | | LAN --- Zipowz (192.168.0.2 gw 192.168.0.1)

Die folgenden Befehle zeigen, wie diese Bridge konfiguriert werden kann: # So wird die Schnittstelle br0 erstellt: /usr/sbin/brctl addbr br0 # Hinzufügen der Ethernet-Schnittstelle, die die Bridge benutzen # soll /usr/sbin/brctl addif br0 eth0 /usr/sbin/brctl addif br0 eth1 # Starten der Ethernet-Schnittstelle /sbin/ifconfig eth0 0.0.0.0 /sbin/ifconfig eth1 0.0.0.0 # Konfigurieren der Ethernet-Bridge # Die Bridge wird korrekt und unsichtbar (transparente Firewall) sein. # In einem traceroute ist sie versteckt, und Sie behalten Ihr echtes # Gateway auf Ihren anderen Computern. Jetzt können Sie ein Gateway # auf Ihrer Bridge konfigurieren und es auf Ihren anderen Computern als # neues Gateway einsetzen /sbin/ifconfig br0 62.3.3.26 netmask 255.255.255.248 broadcast 62.3.3.32 # Ich habe diese internen IPs für mein NAT benutzt ip addr add 192.168.0.1/24 dev br0 /sbin/route add default gw 62.3.3.25 Eine Bridge mit Firewall-Fähigkeiten

Eine zweite denkbare Konfiguration ist ein System, das als transparente Firewall für ein LAN mit einer öffentlichen IP-Adresse aufgesetzt ist. Internet ---- router (62.3.3.25) ---- bridge (62.3.3.26) | | |---- WWW Server (62.3.3.28 gw 62.3.3.25) | | |---- Mail Server (62.3.3.27 gw 62.3.3.25)

Die folgenden Kommandos zeigen, wie diese Bridge konfiguriert werden kann: # So wird die Schnittstelle br0 erstellt: /usr/sbin/brctl addbr br0 # Hinzufügen der Ethernet-Schnittstelle, die die Bridge benutzen # soll /usr/sbin/brctl addif br0 eth0 /usr/sbin/brctl addif br0 eth1 # Starten der Schnittstelle /sbin/ifconfig eth0 0.0.0.0 /sbin/ifconfig eth1 0.0.0.0 # Konfigurieren der Ethernet-Bridge # Die Bridge wird korrekt und unsichtbar (transparente Firewall) sein. # In einem traceroute ist sie versteckt, und Sie behalten Ihr echtes # Gateway auf Ihren anderen Computern. Jetzt können Sie ein Gateway # auf Ihrer Bridge konfigurieren und es auf Ihren anderen Computern als # neues Gateway einsetzen /sbin/ifconfig br0 62.3.3.26 netmask 255.255.255.248 broadcast 62.3.3.32

Wenn Sie mit traceroute die Route des Linux-Mail-Servers verfolgen, sehen Sie die Bridge nicht. Wenn Sie mit ssh auf die Bridge zugreifen wollen, müssen Sie ein Gateway haben oder erst auf einen anderen Server wie den "Mail Server" zugreifen, um dann über die interne Netzwerkkarte auf die Bridge zuzugreifen. Grundlegende Iptables-Regeln

Dies ist ein Beispiel für grundlegende Regeln, die für beide Einstellungen benutzt werden können: iptables -F FORWARD iptables -P FORWARD DROP iptables -A FORWARD -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -m state --state INVALID -j DROP iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # Zwei lustige Regeln, aber nicht bei klassischen Iptables. Sorry ... # Limit ICMP # iptables -A FORWARD -p icmp -m limit --limit 4/s -j ACCEPT # Übereinstimmende Strings, eine gute, einfache Methode, um Viren sehr # schnell abzublocken # iptables -I FORWARD -j DROP -p tcp -s 0.0.0.0/0 -m string --string "cmd.exe" # Abblocken aller MySQL-Verbindungen, nur um ganz sicher zu gehen iptables -A FORWARD -p tcp -s 0/0 -d 62.3.3.0/24 --dport 3306 -j DROP # Regeln für den Linux Mail Server # # Erlaube FTP-DATA (20), FTP (21), SSH (22) iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.27/32 --dport 20:22 -j ACCEPT # Dem Mail-Server erlauben, sich mit der Außenwelt zu verbinden # Beachten Sie: Dies ist *nicht* für die vorherigen Verbindungen # notwendig (erinnern Sie sich: stateful filtering) und könnte entfernt # werden: iptables -A FORWARD -p tcp -s 62.3.3.27/32 -d 0/0 -j ACCEPT # Regeln für den WWW-Server # # Erlaube HTTP ( 80 ) Verbindungen mit dem WWW-Server iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.28/32 --dport 80 -j ACCEPT # Erlaube HTTPS ( 443 ) Verbindungen mit dem WWW-Server iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.28/32 --dport 443 -j ACCEPT # Dem WWW-Server erlauben, sich mit der Außenwelt zu verbinden # Beachten Sie: Dies ist *nicht* für die vorherigen Verbindungen # notwendig (erinnern Sie sich: stateful filtering) und könnte entfernt # werden: iptables -A FORWARD -p tcp -s 62.3.3.28/32 -d 0/0 -j ACCEPT Beispielskript, um die Standard-Installation von Bind zu ändern

Dieses Skript automatisiert den Vorgang, die Standardinstallation des Name-Servers bind in der Version 8 zu ändern, so dass er nicht als Root läuft. Bei bind in der Version 9 in Debian ist dies standardmäßig so. Ab der Version 9.2.1-5, also seit der Veröffentlichung von Sarge. Diese Version ist demnach der Version 8 von bind vorzuziehen.

Dieses Skript ist hier aus historischen Gründen aufgeführt und soll zeigen, wie man diese Art von Veränderungen systemweit automatisieren kann. Das Skript wird den Benutzer und die Gruppe für den Name-Server erstellen und /etc/default/bind und /etc/init.d/bind so ändern, dass das Programm unter diesem Benutzer läuft. Benutzen Sie es äußerst vorsichtig, da es nicht ausreichend getestet wurde.

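Sie können die Benutzer auch von Hand erstellen und dann den Patch für das Standard-Init.d-Skript verwenden, der im enthalten ist.

#!/bin/sh
# Change the default Debian bind v8 configuration to have it run
# with a non-root user and group.
#
# DO NOT USE this with version 9, use debconf for configure this instead
#
# WARN: This script has not been tested thoroughly, please
#       verify the changes made to the INITD script
# (c) 2002 Javier Fernández-Sanguino Peña
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 1, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# Please see the file `COPYING' for the complete copyright notice.
#

# Put the original init.d script back in place and keep the
# rewritten one under $INITDERR for inspection.
restore() {
   # Just in case, restore the system if the changes fail
   echo "WARN: Restoring to the previous setup since I'm unable to properly change it."
   echo "WARN: Please check the $INITDERR script."
   mv $INITD $INITDERR
   cp $INITDBAK $INITD
}

USER=named
GROUP=named
INITD=/etc/init.d/bind
DEFAULT=/etc/default/bind
INITDBAK=$INITD.preuserchange
INITDERR=$INITD.changeerror
# awk program applied to the init.d script: replaces the
# 'ndc reload' call with a stop/start cycle and drops the
# continuation lines that belonged to it.
AWKS="awk ' /\/usr\/sbin\/ndc reload/ { print \"stop; sleep 2; start;\"; noprint = 1; } /\\\\$/ { if ( noprint != 0 ) { noprint = noprint + 1;} } /^.*$/ { if ( noprint != 0 ) { noprint = noprint - 1; } else { print \$0; } } '"

[ `id -u` -ne 0 ] && {
   echo "This program must be run by the root user"
   exit 1
}

RUNUSER=`ps eo user,fname |grep named |cut -f 1 -d " "`

if [ "$RUNUSER" = "$USER" ]
then
   echo "WARN: The name server running daemon is already running as $USER"
   echo "ERR: This script will not do any changes to your setup."
   exit 1
fi

if [ ! -f "$INITD" ]
then
   echo "ERR: This system does not have $INITD (which this script tries to change)"
   RUNNING=`ps eo fname |grep named`
   [ -z "$RUNNING" ] && \
        echo "ERR: In fact the name server daemon is not even running (is it installed?)"
   echo "ERR: No changes will be made to your system"
   exit 1
fi

# Check if there are options already setup.
# Appending a second OPTIONS= line would silently override (or be
# overridden by) the existing one, so stop here as the message says.
if [ -e "$DEFAULT" ]
then
   if grep -q ^OPTIONS $DEFAULT; then
     echo "ERR: The $DEFAULT file already has options set."
     echo "ERR: No changes will be made to your system"
     exit 1
   fi
fi

# Check if named group exists (anchored match: a group whose name
# merely contains "$GROUP" must not count as existing)
if ! grep -q "^$GROUP:" /etc/group
then
   echo "Creating group $GROUP:"
   addgroup $GROUP
else
   echo "WARN: Group $GROUP already exists. Will not create it"
fi

# Same for the user
if ! grep -q "^$USER:" /etc/passwd
then
   echo "Creating user $USER:"
   adduser --system --home /home/$USER \
      --no-create-home --ingroup $GROUP \
      --disabled-password --disabled-login $USER
else
   echo "WARN: The user $USER already exists. Will not create it"
fi

# Change the init.d script

# First make a backup (check that there is not already
# one there first)
if [ ! -f $INITDBAK ]
then
   cp $INITD $INITDBAK
fi

# Then use it to change it
cat $INITDBAK | eval $AWKS > $INITD

# Now put the options in the /etc/default/bind file:
cat >>$DEFAULT <<EOF
# Make bind run with the user we defined
OPTIONS="-u $USER -g $GROUP"
EOF

echo "WARN: The script $INITD has been changed, trying to test the changes."
echo "Restarting the named daemon (check for errors here)."

$INITD restart
if [ $? -ne 0 ]
then
   echo "ERR: Failed to restart the daemon."
   restore
   exit 1
fi
RUNNING=`ps eo fname |grep named`
if [ -z "$RUNNING" ]
then
   echo "ERR: Named is not running, probably due to a problem with the changes."
   restore
   exit 1
fi

# Check if it's running as expected
RUNUSER=`ps eo user,fname |grep named |cut -f 1 -d " "`

if [ "$RUNUSER" = "$USER" ]
then
   echo "All has gone well, named seems to be running now as $USER."
else
   echo "ERR: The script failed to automatically change the system."
   echo "ERR: Named is currently running as $RUNUSER."
   restore
   exit 1
fi

exit 0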

Dieses Skript, wenn es auf Woodys (Debian 3.0) angepassten bind (Version 8) angewendet wird, wird die initd-Datei verändern, nachdem der Benutzer und die Gruppe "named" erstellt wurde. Schutz der Sicherheitsaktualisierung durch eine Firewall

Nach einer Standard-Installation könnten immer noch Sicherheitslücken auf dem System vorhanden sein. Falls Sie die Aktualisierungen für die verwundbaren Pakete nicht auf einem anderen System herunterladen können (oder security.debian.org zu lokalen Zwecken spiegeln können), müssen Sie sich mit dem Internet verbinden, um die Pakete herunterzuladen.

Wenn Sie sich jedoch mit dem Internet verbinden, setzen Sie Ihr System einer Gefahr aus. Wenn einer Ihrer lokalen Dienste angreifbar ist, könnten Sie kompromittiert sein, noch bevor die Aktualisierung beendet ist! Sie mögen dies paranoid finden, aber eine Analyse vom zeigt tatsächlich, dass ein System in weniger als drei Tagen kompromittiert werden kann, sogar wenn das System gar nicht der Öffentlichkeit bekannt ist (d.h. nicht in DNS-Einträgen auftaucht).

Wenn Sie eine Aktualisierung Ihres Systems durchführen, das nicht von einem externen System (z.B. einer Firewall) geschützt ist, können Sie trotzdem eine lokale Firewall so konfigurieren, dass sie nur die Sicherheitsaktualisierung selbst erlaubt. Das Beispiel unten zeigt, wie die lokalen Firewall-Fähigkeiten aufgesetzt werden müssen, um ein eingeschränktes Setup zu erreichen, in dem nur Verbindungen zu security.debian.org erlaubt werden, während der Rest geloggt wird.

Im nachfolgenden Beispiel wird ein strenges Regelwerk für eine Firewall dargestellt. Führen Sie diese Befehle auf einer lokalen Konsole aus (und nicht auf einer entfernten), um das Risiko zu verringern, sich aus Ihrem System auszusperren. # iptables -F # iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination # iptables -A OUTPUT -d security.debian.org --dport 80 -j ACCEPT # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # iptables -A INPUT -p icmp -j ACCEPT # iptables -A INPUT -j LOG # iptables -A OUTPUT -j LOG # iptables -P INPUT DROP # iptables -P FORWARD DROP # iptables -P OUTPUT DROP # iptables -L Chain INPUT (policy DROP) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 LOG all -- anywhere anywhere LOG level warning Chain FORWARD (policy DROP) target prot opt source destination Chain OUTPUT (policy DROP) target prot opt source destination ACCEPT 80 -- anywhere security.debian.org LOG all -- anywhere anywhere LOG level warning

Hinweis: Es ist die vorzugswürdige Verfahrensweise, die Policy-Regel DROP für die Input-Kette zu verwenden. Seien Sie aber äußerst vorsichtig, wenn Sie dies bei einer entfernten Verbindung unternehmen. Wenn Sie das Regelwerk Ihrer Firewall aus der Ferne testen, ist es am besten, wenn Sie ein Skript mit dem Regelwerk laufen lassen (anstatt jede Regel Zeile für Zeile von der Befehlszeile aus einzugeben) und sich vorsorglich eine Hintertür — wie z.B. knockd. Alternativ dazu können Sie auch eine separate Konsole öffnen und das System nachfragen lassen, ob sich jemand auf der Gegenseite befindet. Wenn keine Eingabe erfolgt, werden die Firewall-Regeln zurückgesetzt. Ein Beispiel dafür ist: #!/bin/bash while true; do read -n 1 -p "Are you there? " -t 30 ayt if [ -z "$ayt" ] ; then break fi done # Reset the firewall chain, user is not available echo echo "Resetting firewall chain!" iptables -F iptables -P INPUT ACCEPT iptables -P FORWARD ACCEPT iptables -P OUTPUT ACCEPT exit 1

Selbstverständlich müssen Sie alle Hintertüren abschalten, ehe Sie Ihr System in Betrieb nehmen. offen halten, so dass Sie wieder Zugriff auf Ihr System bekommen, wenn Sie einen Fehler gemacht haben. Auf diese Weise müssen Sie sich nicht auf den Weg zum entfernten Rechner machen, um die Firewall-Regel, mit der Sie sich ausgeschlossen haben, zu korrigieren.

FIXME: This needs DNS to be working properly since it is required for security.debian.org to work. You can add security.debian.org to /etc/hosts but now it is a CNAME to several hosts (there is more than one security mirror)

FIXME: this will only work with HTTP URLs since ftp might need the ip_conntrack_ftp module, or use passive mode. Chroot-Umgebung für SSH

Es ist eine schwere Aufgabe, eine eingeschränkte Umgebung für SSH zu erstellen. Das liegt zum einen an seinen Abhängigkeiten und zum anderen daran, dass SSH im Gegensatz zu anderen Servern den Benutzern eine entfernte Shell zur Verfügung stellt. Daher müssen Sie sich überlegen, welche Programme Benutzer in der Umgebung verwenden sollen.

Sie haben zwei Möglichkeiten, eine beschränkte entfernte Shell einzurichten: die SSH-Benutzer in ein Chroot-Gefängnis einsperren: Dazu müssen Sie den SSH-Daemon so konfigurieren, dass er Benutzer nach der Authentifizierung in ein Chroot-Gefängnis einsperrt, bevor sie eine Shell bekommen. Jeder Benutzer kann seine eigene Umgebung haben. den SSH-Server in ein Chroot-Gefängnis einsperren: Wenn die SSH-Anwendung sich selbst in einer Chroot-Umgebung befindet, sind auch alle Benutzer in diese Umgebung eingesperrt.

Die erste Möglichkeit hat den Vorteil, dass es möglich ist, sowohl unbeschränkte als auch beschränkte Benutzer zu haben. Falls Sie keine Setuid-Anwendungen in der Chroot-Umgebung zur Verfügung stellen, wird es schwieriger, aus dem Gefängnis auszubrechen. Allerdings müssen Sie gegebenenfalls Chroot-Umgebungen für jeden Benutzer einzeln einrichten. Außerdem ist die Konfiguration schwieriger, da es Zusammenarbeit mit dem SSH-Server erfordert. Die zweite Möglichkeit ist leichter zu verwirklichen und begrenzt die Auswirkungen einer ausgenutzten Sicherheitslücke im SSH-Server, da auch dieser im Chroot-Gefängnis ist. Jedoch müssen alle Benutzer die gleiche Chroot-Umgebung verwenden. Verschiedene Umgebungen für verschiedene Benutzer sind nicht möglich. SSH-Benutzer in ein Chroot-Gefängnis einsperren

Sie können den SSH-Server so einrichten, dass er bestimmte Benutzer in eine Chroot-Umgebung einsperrt, so dass sie eine Shell mit nur einer beschränkten Anzahl von Anwendungen zur Verfügung haben. Einsatz von libpam-chroot

Der wahrscheinlich leichteste Weg ist, das Paket libpam-chroot, das in Debian vorhanden ist, zu verwenden. Wenn Sie es installiert haben, müssen Sie: /etc/pam.d/ssh verändern, um dieses PAM-Modul zu verwenden. Fügen Sie dazu als letzte Zeile Folgendes ein (Sie können die Option debug verwenden. Damit wird der Fortschritt des Moduls unter authpriv.notice protokolliert.): session required pam_chroot.so eine passende Chroot-Umgebung für die Benutzer einrichten. Sie können versuchen, die Skripte unter /usr/share/doc/libpam-chroot/examples/ zu verwenden, das Programm makejail benutzen (Mit folgendem Python-Aufruf können Sie eine sehr eingeschränkte Bash-Umgebung für makejail erstellen. Erstellen Sie das Verzeichnis /var/chroots/users/foo und eine Datei mit dem Namen bash.py und folgendem Inhalt: chroot="/var/chroots/user/foo" cleanJailFirst=1 testCommandsInsideJail=["bash ls"] Führen Sie dann makejail bash.py aus, um eine Benutzer-Umgebung unter /var/chroots/user/foo zu erstellen. So testen Sie die Umgebung: # chroot /var/chroots/user/foo/ ls bin dev etc lib proc sbin usr) oder eine minimale Debian-Umgebung mit debootstrap aufsetzen. Stellen Sie sicher, dass die Umgebung die notwendigen Geräte enthält. Unter Umständen benötigen Sie die Geräte /dev/ptmx und /dev/pty* und das Unterverzeichnis /dev/pts/. Es sollte ausreichen, MAKEDEV im /dev-Verzeichnis der Chroot-Umgebung auszuführen, um sie zu erstellen, falls sie nicht existieren. Wenn Sie einen Kernel einsetzen, der die Gerätedateien dynamisch erstellt (Version 2.6), müssen Sie die Dateien /dev/pts/ selbst erstellen und mit den passenden Rechten ausstatten. /etc/security/chroot.conf bearbeiten, damit die ausgewählten Nutzer in das Verzeichnis eingesperrt werden, das Sie zuvor eingerichtet haben. Sie sollten unabhängige Verzeichnisse für verschiedene Nutzer haben, damit sie weder das ganze System noch sich gegenseitig sehen können. 
SSH konfigurieren: Je nach der eingesetzten OpenSSH-Version funktioniert die Chroot-Umgebung sofort. Seit 3.6.1p2 wird die Funktion do_pam_session() aufgerufen, nachdem sshd seine Rechte abgelegt hat. Da chroot() Root-Rechte benötigt, wird es mit Rechtetrennung nicht funktionieren. Allerdings wurde in neueren OpenSSH-Versionen der PAM-Code verändert, so dass do_pam_session vor dem Ablegen der Rechte aufgerufen wird. Daher funktioniert es auch mit aktivierter Rechtetrennung. Falls Sie sie abschalten müssen, müssen Sie /etc/ssh/sshd_config so verändern: UsePrivilegeSeparation no

Beachten Sie, dass das die Sicherheit Ihres Systems verringern wird, da dann der OpenSSH-Server als Root laufen wird. Das bedeutet, dass wenn eine Angriffsmöglichkeit aus der Ferne gegen OpenSSH entdeckt wird, ein Angreifer Root-Rechte anstatt nur Sshd-Rechte erlangen wird und somit das gesamte System kompromittiert. Wenn Sie einen Kernel verwenden, der Mandatory-Access-Control (RSBAC/SElinux) unterstützt, müssen Sie die Konfiguration nicht ändern, wenn Sie dem Sshd-Benutzer die notwendigen Rechte einräumen, um den Systemaufruf chroot() ausführen zu können.

Wenn Sie die Rechtetrennung nicht deaktivieren, brauchen Sie im Chroot-Gefängnis /etc/passwd, welches die Benutzer-UID enthält, damit die Rechtetrennung funktioniert.

Wenn Sie die Option Rechtetrennung auf yes gesetzt haben und Ihre Version von OpenSSH nicht richtig läuft, müssen Sie sie abschalten. Wenn Sie das unterlassen, werden Benutzer, die sich mit Ihrem Server verbinden wollen und von diesem Modul in eine Chroot-Umgebung eingesperrt werden sollen, Folgendes zu sehen bekommen: $ ssh -l user server user@server's password: Connection to server closed by remote host. Connection to server closed.

Dies geschieht, weil der SSH-Daemon, der als 'sshd' läuft, nicht den Systemaufruf chroot() ausführen kann. Um die Rechtetrennung abzuschalten, müssen Sie die Konfigurationsdatei /etc/ssh/sshd_config wie oben beschrieben verändern.

Beachten Sie, dass, wenn Folgendes fehlt, sich die Benutzer nicht in der Chroot-Umgebung anmelden können: Das Dateisystem /proc muss in der Chroot-Umgebung des Benutzers gemountet sein. Die notwendigen Geräte unter /dev/pts/ müssen vorliegen. Falls diese Dateien automatisch vom Kernel erstellt werden, müssen Sie sie von Hand unter /dev/ in der Chroot-Umgebung erstellen. Das Home-Verzeichnis des Benutzers muss in der Chroot-Umgebung existieren. Ansonsten wird der SSH-Daemon nicht fortfahren.

Sie können diese Probleme mit dem Schlüsselwort debug in der PAM-Konfiguration /etc/pam.d/ssh debuggen. Falls Sie auf Probleme stoßen, kann es sich als nützlich erweisen, auch den Debugging-Modus des SSH-Clients zu aktivieren.

Hinweis: Diese Informationen sind auch in /usr/share/doc/libpam-chroot/README.Debian.gz enthalten (und vielleicht aktueller). Bitte überprüfen Sie, ob dort aktualisierte Informationen vorhanden sind, bevor Sie die oben aufgezeigten Schritte ausführen. Patchen des ssh-Servers

Debians sshd gestattet nicht, die Bewegungen eines Benutzers durch den Server zu beschränken, da er keine Chroot-Funktionalität besitzt. Diese ist im Gegensatz dazu Bestandteil des kommerziellen Programms sshd2 (es verwendet 'ChrootGroups' oder 'ChrootUsers', siehe ). Allerdings gibt es einen Patch, der sshd um diese Funktion erweitert. Den Patch erhalten Sie unter (wurde in nachgefragt). Der Patch könnte Bestandteil von zukünftigen Veröffentlichungen des OpenSSH-Pakets werden. Emmanuel Lacour bietet ssh-Pakete als Debs mit diesen Fähigkeiten für Sarge an. Sie sind unter verfügbar. Beachten Sie aber, dass sie möglicherweise nicht aktuell sind, daher wird empfohlen, den Weg der Kompilierung zu gehen.

Nachdem Sie den Patch angewendet haben, müssen Sie /etc/passwd anpassen und darin das Home-Verzeichnis der Benutzer ändern (mit dem speziellen /./ Kürzel). joeuser:x:1099:1099:Joe Random User:/home/joe/./:/bin/bash

Dies wird sowohl den Fernzugriff auf die Shell als auch Fernkopien über den ssh-Kanal einschränken.

Gehen Sie sicher, dass Sie alle benötigten Programme und Bibliotheken in den Chroot-Pfaden der Benutzer haben. Diese Dateien sollten Root als Eigentümer haben, um Manipulationen durch den Benutzer zu verhindern (zum Beispiel um das chroot-Gefängnis zu verlassen). Ein Beispiel könnte so aussehen: ./bin: total 660 drwxr-xr-x 2 root root 4096 Mar 18 13:36 . drwxr-xr-x 8 guest guest 4096 Mar 15 16:53 .. -r-xr-xr-x 1 root root 531160 Feb 6 22:36 bash -r-xr-xr-x 1 root root 43916 Nov 29 13:19 ls -r-xr-xr-x 1 root root 16684 Nov 29 13:19 mkdir -rwxr-xr-x 1 root root 23960 Mar 18 13:36 more -r-xr-xr-x 1 root root 9916 Jul 26 2001 pwd -r-xr-xr-x 1 root root 24780 Nov 29 13:19 rm lrwxrwxrwx 1 root root 4 Mar 30 16:29 sh -> bash ./etc: total 24 drwxr-xr-x 2 root root 4096 Mar 15 16:13 . drwxr-xr-x 8 guest guest 4096 Mar 15 16:53 .. -rw-r--r-- 1 root root 54 Mar 15 13:23 group -rw-r--r-- 1 root root 428 Mar 15 15:56 hosts -rw-r--r-- 1 root root 44 Mar 15 15:53 passwd -rw-r--r-- 1 root root 52 Mar 15 13:23 shells ./lib: total 1848 drwxr-xr-x 2 root root 4096 Mar 18 13:37 . drwxr-xr-x 8 guest guest 4096 Mar 15 16:53 .. -rwxr-xr-x 1 root root 92511 Mar 15 12:49 ld-linux.so.2 -rwxr-xr-x 1 root root 1170812 Mar 15 12:49 libc.so.6 -rw-r--r-- 1 root root 20900 Mar 15 13:01 libcrypt.so.1 -rw-r--r-- 1 root root 9436 Mar 15 12:49 libdl.so.2 -rw-r--r-- 1 root root 248132 Mar 15 12:48 libncurses.so.5 -rw-r--r-- 1 root root 71332 Mar 15 13:00 libnsl.so.1 -rw-r--r-- 1 root root 34144 Mar 15 16:10 libnss_files.so.2 -rw-r--r-- 1 root root 29420 Mar 15 12:57 libpam.so.0 -rw-r--r-- 1 root root 105498 Mar 15 12:51 libpthread.so.0 -rw-r--r-- 1 root root 25596 Mar 15 12:51 librt.so.1 -rw-r--r-- 1 root root 7760 Mar 15 12:59 libutil.so.1 -rw-r--r-- 1 root root 24328 Mar 15 12:57 libwrap.so.0 ./usr: total 16 drwxr-xr-x 4 root root 4096 Mar 15 13:00 . drwxr-xr-x 8 guest guest 4096 Mar 15 16:53 .. 
drwxr-xr-x 2 root root 4096 Mar 15 15:55 bin drwxr-xr-x 2 root root 4096 Mar 15 15:37 lib ./usr/bin: total 340 drwxr-xr-x 2 root root 4096 Mar 15 15:55 . drwxr-xr-x 4 root root 4096 Mar 15 13:00 .. -rwxr-xr-x 1 root root 10332 Mar 15 15:55 env -rwxr-xr-x 1 root root 13052 Mar 15 13:13 id -r-xr-xr-x 1 root root 25432 Mar 15 12:40 scp -rwxr-xr-x 1 root root 43768 Mar 15 15:15 sftp -r-sr-xr-x 1 root root 218456 Mar 15 12:40 ssh -rwxr-xr-x 1 root root 9692 Mar 15 13:17 tty ./usr/lib: total 852 drwxr-xr-x 2 root root 4096 Mar 15 15:37 . drwxr-xr-x 4 root root 4096 Mar 15 13:00 .. -rw-r--r-- 1 root root 771088 Mar 15 13:01 libcrypto.so.0.9.6 -rw-r--r-- 1 root root 54548 Mar 15 13:00 libz.so.1 -rwxr-xr-x 1 root root 23096 Mar 15 15:37 sftp-server Einsperren des SSH-Servers in einem Chroot-Gefängnis

Wenn Sie eine Chroot-Umgebung erstellen, welche die Dateien des SSH-Servers enthält, z.B. unter /var/chroot/ssh, sollten Sie den im chroot-Gefängnis eingesperrten ssh-Server mit diesem Befehl starten: # chroot /var/chroot/ssh /sbin/sshd -f /etc/sshd_config

Das führt dazu, dass der sshd-Daemon innerhalb des Chroot-Gefängnisses gestartet wird. Dazu müssen Sie zunächst dafür sorgen, dass das Verzeichnis /var/chroot/ssh den SSH-Server und die Werkzeuge enthält, die Benutzer benötigen, die mit dem Server verbunden sind. Wenn Sie das vorhaben, sollten Sie sicherstellen, dass OpenSSH Rechtetrennung (Privilege Separation) einsetzt (was standardmäßig so ist). Dazu muss in der Konfigurationsdatei /etc/ssh/sshd_config folgende Zeile enthalten sein: UsePrivilegeSeparation yes

Dadurch führt der Daemon so wenig wie möglich als Root aus. Sollte er also einen Fehler enthalten, kann darüber nicht aus dem Chroot-Gefängnis ausgebrochen werden. Beachten Sie, dass, anders als wenn Sie eine Chroot-Umgebung für jeden Benutzer einzeln einrichten, in diesem Fall der SSH-Daemon im selben Chroot-Gefängnis wie die Benutzer läuft. Es gibt also mindestens einen Prozess in der Chroot-Umgebung, der als Root läuft. Mit ihm ist es möglich, aus dem Chroot-Gefängnis auszubrechen.

Beachten Sie auch, dass SSH nur funktioniert, wenn die Partition, auf der die Chroot-Umgebung eingerichtet wurde, nicht mit der Option nodev gemountet wurde. Wenn Sie diese Option verwenden, bekommen Sie folgende Fehlermeldung: PRNG is not seeded, weil /dev/urandom nicht in der Chroot-Umgebung funktioniert. Einrichten eines minimalen Systems (der wirklich leichte Weg)

Sie können mit debootstrap eine minimale Umgebung einrichten, die ausschließlich den SSH-Server enthält. Dafür müssen Sie nur eine Chroot-Umgebung einrichten, wie es im beschrieben wird. Diese Vorgehensweise ist idiotensicher (Sie werden alle für die Chroot-Umgebung notwendigen Bestandteile erhalten), aber dies geht auf Kosten von Plattenspeicher. Eine minimale Installation von Debian benötigt einige hundert Megabyte. Dieses minimale System könnte auch Setuid-Dateien enthalten, mit denen ein Benutzer aus dem Chroot-Gefängnis ausbrechen könnte, wenn sie eine Rechteerweiterung zulassen. Automatisches Erstellen der Umgebung (der leichte Weg)

Mit dem Paket makejail können Sie leicht eine eingeschränkte Umgebung erstellen, da es automatisch den Trace des Server-Daemons verfolgt (mit strace) und dafür sorgt, dass er in der eingeschränkten Umgebung läuft.

Der Vorteil von Programmen, die automatisch die chroot-Umgebung einrichten, liegt darin, dass sie im Stande sind, Pakete in die chroot-Umgebung zu kopieren (und verfolgen sogar die Abhängigkeiten der Pakete, um sicherzustellen, dass sie vollständig sind). Dadurch wird das Bereitstellen von Anwendungen für Benutzer leichter.

Um ein Chroot-Gefängnis aus den von makejail zur Verfügung gestellten Beispielen einzurichten, müssen Sie /var/chroot/sshd erstellen und folgenden Befehl ausführen: # makejail /usr/share/doc/makejail/examples/sshd.py

Dies wird eine Chroot-Umgebung im Verzeichnis /var/chroot/sshd erstellen. Beachten Sie, dass diese Chroot-Umgebung nicht voll funktionstüchtig ist, bis Sie:

Das Dateisystem procfs in /var/chroot/sshd/proc eingebunden haben. Makejail wird es für Sie einbinden. Aber nach einem Neustart werden Sie es erneut einbinden müssen: # mount -t proc proc /var/chroot/sshd/proc

Es kann auch automatisch eingebunden werden. Dazu müssen Sie /etc/fstab bearbeiten und folgende Zeile eintragen: proc-ssh /var/chroot/sshd/proc proc none 0 0 Syslog auf das Geräte /dev/log in der Chroot-Umgebung horchen lassen. Dazu müssen Sie /etc/default/syslogd ändern und -a /var/chroot/sshd/dev/log zur Definition der Variablen SYSLOGD hinzufügen.

Sehen Sie sich die Beispielsdatei an, um herauszufinden, welche Änderungen an der Umgebung vorgenommen werden müssen. Einige diese Änderungen können nicht automatisch vorgenommen werden, wie z.B. das Kopieren des Home-Verzeichnisses eines Benutzers. Außerdem sollten Sie die Gefährdung von sensiblen Informationen begrenzen, indem Sie nur die Daten bestimmter Benutzer aus den Dateien /etc/shadow und /etc/group kopieren. Beachten Sie, dass, falls Sie Rechtetrennung verwenden, der Benutzer sshd in diesen Dateien vorhanden sein muss.

Die folgende Beispielumgebung wurde (ein wenig) unter Debian 3.0 getestet. Sie basiert auf der Konfigurationsdatei, die mit dem Paket geliefert wird, und beinhaltet das Paket fileutils. . |-- bin | |-- ash | |-- bash | |-- chgrp | |-- chmod | |-- chown | |-- cp | |-- csh -> /etc/alternatives/csh | |-- dd | |-- df | |-- dir | |-- fdflush | |-- ksh | |-- ln | |-- ls | |-- mkdir | |-- mknod | |-- mv | |-- rbash -> bash | |-- rm | |-- rmdir | |-- sh -> bash | |-- sync | |-- tcsh | |-- touch | |-- vdir | |-- zsh -> /etc/alternatives/zsh | `-- zsh4 |-- dev | |-- null | |-- ptmx | |-- pts | |-- ptya0 (...) | |-- tty | |-- tty0 (...) | `-- urandom |-- etc | |-- alternatives | | |-- csh -> /bin/tcsh | | `-- zsh -> /bin/zsh4 | |-- environment | |-- hosts | |-- hosts.allow | |-- hosts.deny | |-- ld.so.conf | |-- localtime -> /usr/share/zoneinfo/Europe/Madrid | |-- motd | |-- nsswitch.conf | |-- pam.conf | |-- pam.d | | |-- other | | `-- ssh | |-- passwd | |-- resolv.conf | |-- security | | |-- access.conf | | |-- chroot.conf | | |-- group.conf | | |-- limits.conf | | |-- pam_env.conf | | `-- time.conf | |-- shadow | |-- shells | `-- ssh | |-- moduli | |-- ssh_host_dsa_key | |-- ssh_host_dsa_key.pub | |-- ssh_host_rsa_key | |-- ssh_host_rsa_key.pub | `-- sshd_config |-- home | `-- userX |-- lib | |-- ld-2.2.5.so | |-- ld-linux.so.2 -> ld-2.2.5.so | |-- libc-2.2.5.so | |-- libc.so.6 -> libc-2.2.5.so | |-- libcap.so.1 -> libcap.so.1.10 | |-- libcap.so.1.10 | |-- libcrypt-2.2.5.so | |-- libcrypt.so.1 -> libcrypt-2.2.5.so | |-- libdl-2.2.5.so | |-- libdl.so.2 -> libdl-2.2.5.so | |-- libm-2.2.5.so | |-- libm.so.6 -> libm-2.2.5.so | |-- libncurses.so.5 -> libncurses.so.5.2 | |-- libncurses.so.5.2 | |-- libnsl-2.2.5.so | |-- libnsl.so.1 -> libnsl-2.2.5.so | |-- libnss_compat-2.2.5.so | |-- libnss_compat.so.2 -> libnss_compat-2.2.5.so | |-- libnss_db-2.2.so | |-- libnss_db.so.2 -> libnss_db-2.2.so | |-- libnss_dns-2.2.5.so | |-- libnss_dns.so.2 -> libnss_dns-2.2.5.so | |-- 
libnss_files-2.2.5.so | |-- libnss_files.so.2 -> libnss_files-2.2.5.so | |-- libnss_hesiod-2.2.5.so | |-- libnss_hesiod.so.2 -> libnss_hesiod-2.2.5.so | |-- libnss_nis-2.2.5.so | |-- libnss_nis.so.2 -> libnss_nis-2.2.5.so | |-- libnss_nisplus-2.2.5.so | |-- libnss_nisplus.so.2 -> libnss_nisplus-2.2.5.so | |-- libpam.so.0 -> libpam.so.0.72 | |-- libpam.so.0.72 | |-- libpthread-0.9.so | |-- libpthread.so.0 -> libpthread-0.9.so | |-- libresolv-2.2.5.so | |-- libresolv.so.2 -> libresolv-2.2.5.so | |-- librt-2.2.5.so | |-- librt.so.1 -> librt-2.2.5.so | |-- libutil-2.2.5.so | |-- libutil.so.1 -> libutil-2.2.5.so | |-- libwrap.so.0 -> libwrap.so.0.7.6 | |-- libwrap.so.0.7.6 | `-- security | |-- pam_access.so | |-- pam_chroot.so | |-- pam_deny.so | |-- pam_env.so | |-- pam_filter.so | |-- pam_ftp.so | |-- pam_group.so | |-- pam_issue.so | |-- pam_lastlog.so | |-- pam_limits.so | |-- pam_listfile.so | |-- pam_mail.so | |-- pam_mkhomedir.so | |-- pam_motd.so | |-- pam_nologin.so | |-- pam_permit.so | |-- pam_rhosts_auth.so | |-- pam_rootok.so | |-- pam_securetty.so | |-- pam_shells.so | |-- pam_stress.so | |-- pam_tally.so | |-- pam_time.so | |-- pam_unix.so | |-- pam_unix_acct.so -> pam_unix.so | |-- pam_unix_auth.so -> pam_unix.so | |-- pam_unix_passwd.so -> pam_unix.so | |-- pam_unix_session.so -> pam_unix.so | |-- pam_userdb.so | |-- pam_warn.so | `-- pam_wheel.so |-- sbin | `-- start-stop-daemon |-- usr | |-- bin | | |-- dircolors | | |-- du | | |-- install | | |-- link | | |-- mkfifo | | |-- shred | | |-- touch -> /bin/touch | | `-- unlink | |-- lib | | |-- libcrypto.so.0.9.6 | | |-- libdb3.so.3 -> libdb3.so.3.0.2 | | |-- libdb3.so.3.0.2 | | |-- libz.so.1 -> libz.so.1.1.4 | | `-- libz.so.1.1.4 | |-- sbin | | `-- sshd | `-- share | |-- locale | | `-- es | | |-- LC_MESSAGES | | | |-- fileutils.mo | | | |-- libc.mo | | | `-- sh-utils.mo | | `-- LC_TIME -> LC_MESSAGES | `-- zoneinfo | `-- Europe | `-- Madrid `-- var `-- run |-- sshd `-- sshd.pid 27 directories, 733 files

Bei Debian 3.1 müssen Sie sicherstellen, dass das Gefängnis auch die Dateien für PAM enthält. Falls es nicht schon makejail für Sie erledigt hat, müssen Sie folgende Dateien in die Chroot-Umgebung kopieren: $ ls /etc/pam.d/common-* /etc/pam.d/common-account /etc/pam.d/common-password /etc/pam.d/common-auth /etc/pam.d/common-session Die Chroot-Umgebung von Hand erstellen (der schwierige Weg)

Es ist möglich, eine Umgebung mit der Trial-and-Error-Methode zu erstellen. Dazu müssen Sie die Traces und die Logdateien des sshd-Servers überwachen, um die notwendigen Dateien herauszufinden. Die folgende Umgebung, die von José Luis Ledesma zur Verfügung gestellt wurde, ist eine beispielhafte Auflistung der Dateien in einer chroot-Umgebung für ssh unter Debian 3.0: Beachten Sie, dass keine SETUID-Dateien vorhanden sind (prüfen Sie dies jedoch selbst anhand der Auflistung; ssh und slogin erscheinen dort mit gesetztem Setuid-Bit als -rws--x--x). Das erschwert es entfernten Benutzern, aus der chroot-Umgebung auszubrechen. Es verhindert allerdings auch, dass Nutzer ihr Passwort ändern, da passwd nicht die Dateien /etc/passwd und /etc/shadow verändern kann. .: total 36 drwxr-xr-x 9 root root 4096 Jun 5 10:05 ./ drwxr-xr-x 11 root root 4096 Jun 3 13:43 ../ drwxr-xr-x 2 root root 4096 Jun 4 12:13 bin/ drwxr-xr-x 2 root root 4096 Jun 4 12:16 dev/ drwxr-xr-x 4 root root 4096 Jun 4 12:35 etc/ drwxr-xr-x 3 root root 4096 Jun 4 12:13 lib/ drwxr-xr-x 2 root root 4096 Jun 4 12:35 sbin/ drwxr-xr-x 2 root root 4096 Jun 4 12:32 tmp/ drwxr-xr-x 2 root root 4096 Jun 4 12:16 usr/ ./bin: total 8368 drwxr-xr-x 2 root root 4096 Jun 4 12:13 ./ drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../ -rwxr-xr-x 1 root root 109855 Jun 3 13:45 a2p* -rwxr-xr-x 1 root root 387764 Jun 3 13:45 bash* -rwxr-xr-x 1 root root 36365 Jun 3 13:45 c2ph* -rwxr-xr-x 1 root root 20629 Jun 3 13:45 dprofpp* -rwxr-xr-x 1 root root 6956 Jun 3 13:46 env* -rwxr-xr-x 1 root root 158116 Jun 3 13:45 fax2ps* -rwxr-xr-x 1 root root 104008 Jun 3 13:45 faxalter* -rwxr-xr-x 1 root root 89340 Jun 3 13:45 faxcover* -rwxr-xr-x 1 root root 441584 Jun 3 13:45 faxmail* -rwxr-xr-x 1 root root 96036 Jun 3 13:45 faxrm* -rwxr-xr-x 1 root root 107000 Jun 3 13:45 faxstat* -rwxr-xr-x 1 root root 77832 Jun 4 11:46 grep* -rwxr-xr-x 1 root root 19597 Jun 3 13:45 h2ph* -rwxr-xr-x 1 root root 46979 Jun 3 13:45 h2xs* -rwxr-xr-x 1 root root 10420 Jun 3 13:46 id* -rwxr-xr-x 1 root root 4528 Jun 3 13:46 ldd* -rwxr-xr-x 1 root root 111386 Jun 4 11:46 less* -r-xr-xr-x 1 root 
root 26168 Jun 3 13:45 login* -rwxr-xr-x 1 root root 49164 Jun 3 13:45 ls* -rwxr-xr-x 1 root root 11600 Jun 3 13:45 mkdir* -rwxr-xr-x 1 root root 24780 Jun 3 13:45 more* -rwxr-xr-x 1 root root 154980 Jun 3 13:45 pal2rgb* -rwxr-xr-x 1 root root 27920 Jun 3 13:46 passwd* -rwxr-xr-x 1 root root 4241 Jun 3 13:45 pl2pm* -rwxr-xr-x 1 root root 2350 Jun 3 13:45 pod2html* -rwxr-xr-x 1 root root 7875 Jun 3 13:45 pod2latex* -rwxr-xr-x 1 root root 17587 Jun 3 13:45 pod2man* -rwxr-xr-x 1 root root 6877 Jun 3 13:45 pod2text* -rwxr-xr-x 1 root root 3300 Jun 3 13:45 pod2usage* -rwxr-xr-x 1 root root 3341 Jun 3 13:45 podchecker* -rwxr-xr-x 1 root root 2483 Jun 3 13:45 podselect* -r-xr-xr-x 1 root root 82412 Jun 4 11:46 ps* -rwxr-xr-x 1 root root 36365 Jun 3 13:45 pstruct* -rwxr-xr-x 1 root root 7120 Jun 3 13:45 pwd* -rwxr-xr-x 1 root root 179884 Jun 3 13:45 rgb2ycbcr* -rwxr-xr-x 1 root root 20532 Jun 3 13:45 rm* -rwxr-xr-x 1 root root 6720 Jun 4 10:15 rmdir* -rwxr-xr-x 1 root root 14705 Jun 3 13:45 s2p* -rwxr-xr-x 1 root root 28764 Jun 3 13:46 scp* -rwxr-xr-x 1 root root 385000 Jun 3 13:45 sendfax* -rwxr-xr-x 1 root root 67548 Jun 3 13:45 sendpage* -rwxr-xr-x 1 root root 88632 Jun 3 13:46 sftp* -rwxr-xr-x 1 root root 387764 Jun 3 13:45 sh* -rws--x--x 1 root root 744500 Jun 3 13:46 slogin* -rwxr-xr-x 1 root root 14523 Jun 3 13:46 splain* -rws--x--x 1 root root 744500 Jun 3 13:46 ssh* -rwxr-xr-x 1 root root 570960 Jun 3 13:46 ssh-add* -rwxr-xr-x 1 root root 502952 Jun 3 13:46 ssh-agent* -rwxr-xr-x 1 root root 575740 Jun 3 13:46 ssh-keygen* -rwxr-xr-x 1 root root 383480 Jun 3 13:46 ssh-keyscan* -rwxr-xr-x 1 root root 39 Jun 3 13:46 ssh_europa* -rwxr-xr-x 1 root root 107252 Jun 4 10:14 strace* -rwxr-xr-x 1 root root 8323 Jun 4 10:14 strace-graph* -rwxr-xr-x 1 root root 158088 Jun 3 13:46 thumbnail* -rwxr-xr-x 1 root root 6312 Jun 3 13:46 tty* -rwxr-xr-x 1 root root 55904 Jun 4 11:46 useradd* -rwxr-xr-x 1 root root 585656 Jun 4 11:47 vi* -rwxr-xr-x 1 root root 6444 Jun 4 11:45 whoami* 
./dev: total 8 drwxr-xr-x 2 root root 4096 Jun 4 12:16 ./ drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../ crw-r--r-- 1 root root 1, 9 Jun 3 13:43 urandom ./etc: total 208 drwxr-xr-x 4 root root 4096 Jun 4 12:35 ./ drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../ -rw------- 1 root root 0 Jun 4 11:46 .pwd.lock -rw-r--r-- 1 root root 653 Jun 3 13:46 group -rw-r--r-- 1 root root 242 Jun 4 11:33 host.conf -rw-r--r-- 1 root root 857 Jun 4 12:04 hosts -rw-r--r-- 1 root root 1050 Jun 4 11:29 ld.so.cache -rw-r--r-- 1 root root 304 Jun 4 11:28 ld.so.conf -rw-r--r-- 1 root root 235 Jun 4 11:27 ld.so.conf~ -rw-r--r-- 1 root root 88039 Jun 3 13:46 moduli -rw-r--r-- 1 root root 1342 Jun 4 11:34 nsswitch.conf drwxr-xr-x 2 root root 4096 Jun 4 12:02 pam.d/ -rw-r--r-- 1 root root 28 Jun 4 12:00 pam_smb.conf -rw-r--r-- 1 root root 2520 Jun 4 11:57 passwd -rw-r--r-- 1 root root 7228 Jun 3 13:48 profile -rw-r--r-- 1 root root 1339 Jun 4 11:33 protocols -rw-r--r-- 1 root root 274 Jun 4 11:44 resolv.conf drwxr-xr-x 2 root root 4096 Jun 3 13:43 security/ -rw-r----- 1 root root 1178 Jun 4 11:51 shadow -rw------- 1 root root 80 Jun 4 11:45 shadow- -rw-r----- 1 root root 1178 Jun 4 11:48 shadow.old -rw-r--r-- 1 root root 161 Jun 3 13:46 shells -rw-r--r-- 1 root root 1144 Jun 3 13:46 ssh_config -rw------- 1 root root 668 Jun 3 13:46 ssh_host_dsa_key -rw-r--r-- 1 root root 602 Jun 3 13:46 ssh_host_dsa_key.pub -rw------- 1 root root 527 Jun 3 13:46 ssh_host_key -rw-r--r-- 1 root root 331 Jun 3 13:46 ssh_host_key.pub -rw------- 1 root root 883 Jun 3 13:46 ssh_host_rsa_key -rw-r--r-- 1 root root 222 Jun 3 13:46 ssh_host_rsa_key.pub -rw-r--r-- 1 root root 2471 Jun 4 12:15 sshd_config ./etc/pam.d: total 24 drwxr-xr-x 2 root root 4096 Jun 4 12:02 ./ drwxr-xr-x 4 root root 4096 Jun 4 12:35 ../ lrwxrwxrwx 1 root root 4 Jun 4 12:02 other -> sshd -rw-r--r-- 1 root root 318 Jun 3 13:46 passwd -rw-r--r-- 1 root root 546 Jun 4 11:36 ssh -rw-r--r-- 1 root root 479 Jun 4 12:02 sshd -rw-r--r-- 1 root root 370 Jun 3 
13:46 su ./etc/security: total 32 drwxr-xr-x 2 root root 4096 Jun 3 13:43 ./ drwxr-xr-x 4 root root 4096 Jun 4 12:35 ../ -rw-r--r-- 1 root root 1971 Jun 3 13:46 access.conf -rw-r--r-- 1 root root 184 Jun 3 13:46 chroot.conf -rw-r--r-- 1 root root 2145 Jun 3 13:46 group.conf -rw-r--r-- 1 root root 1356 Jun 3 13:46 limits.conf -rw-r--r-- 1 root root 2858 Jun 3 13:46 pam_env.conf -rw-r--r-- 1 root root 2154 Jun 3 13:46 time.conf ./lib: total 8316 drwxr-xr-x 3 root root 4096 Jun 4 12:13 ./ drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../ -rw-r--r-- 1 root root 1024 Jun 4 11:51 cracklib_dict.hwm -rw-r--r-- 1 root root 214324 Jun 4 11:51 cracklib_dict.pwd -rw-r--r-- 1 root root 11360 Jun 4 11:51 cracklib_dict.pwi -rwxr-xr-x 1 root root 342427 Jun 3 13:46 ld-linux.so.2* -rwxr-xr-x 1 root root 4061504 Jun 3 13:46 libc.so.6* lrwxrwxrwx 1 root root 15 Jun 4 12:11 libcrack.so -> libcrack.so.2.7* lrwxrwxrwx 1 root root 15 Jun 4 12:11 libcrack.so.2 -> libcrack.so.2.7* -rwxr-xr-x 1 root root 33291 Jun 4 11:39 libcrack.so.2.7* -rwxr-xr-x 1 root root 60988 Jun 3 13:46 libcrypt.so.1* -rwxr-xr-x 1 root root 71846 Jun 3 13:46 libdl.so.2* -rwxr-xr-x 1 root root 27762 Jun 3 13:46 libhistory.so.4.0* lrwxrwxrwx 1 root root 17 Jun 4 12:12 libncurses.so.4 -> libncurses.so.4.2* -rwxr-xr-x 1 root root 503903 Jun 3 13:46 libncurses.so.4.2* lrwxrwxrwx 1 root root 17 Jun 4 12:12 libncurses.so.5 -> libncurses.so.5.0* -rwxr-xr-x 1 root root 549429 Jun 3 13:46 libncurses.so.5.0* -rwxr-xr-x 1 root root 369801 Jun 3 13:46 libnsl.so.1* -rwxr-xr-x 1 root root 142563 Jun 4 11:49 libnss_compat.so.1* -rwxr-xr-x 1 root root 215569 Jun 4 11:49 libnss_compat.so.2* -rwxr-xr-x 1 root root 61648 Jun 4 11:34 libnss_dns.so.1* -rwxr-xr-x 1 root root 63453 Jun 4 11:34 libnss_dns.so.2* -rwxr-xr-x 1 root root 63782 Jun 4 11:34 libnss_dns6.so.2* -rwxr-xr-x 1 root root 205715 Jun 3 13:46 libnss_files.so.1* -rwxr-xr-x 1 root root 235932 Jun 3 13:49 libnss_files.so.2* -rwxr-xr-x 1 root root 204383 Jun 4 11:33 
libnss_nis.so.1* -rwxr-xr-x 1 root root 254023 Jun 4 11:33 libnss_nis.so.2* -rwxr-xr-x 1 root root 256465 Jun 4 11:33 libnss_nisplus.so.2* lrwxrwxrwx 1 root root 14 Jun 4 12:12 libpam.so.0 -> libpam.so.0.72* -rwxr-xr-x 1 root root 31449 Jun 3 13:46 libpam.so.0.72* lrwxrwxrwx 1 root root 19 Jun 4 12:12 libpam_misc.so.0 -> libpam_misc.so.0.72* -rwxr-xr-x 1 root root 8125 Jun 3 13:46 libpam_misc.so.0.72* lrwxrwxrwx 1 root root 15 Jun 4 12:12 libpamc.so.0 -> libpamc.so.0.72* -rwxr-xr-x 1 root root 10499 Jun 3 13:46 libpamc.so.0.72* -rwxr-xr-x 1 root root 176427 Jun 3 13:46 libreadline.so.4.0* -rwxr-xr-x 1 root root 44729 Jun 3 13:46 libutil.so.1* -rwxr-xr-x 1 root root 70254 Jun 3 13:46 libz.a* lrwxrwxrwx 1 root root 13 Jun 4 12:13 libz.so -> libz.so.1.1.3* lrwxrwxrwx 1 root root 13 Jun 4 12:13 libz.so.1 -> libz.so.1.1.3* -rwxr-xr-x 1 root root 63312 Jun 3 13:46 libz.so.1.1.3* drwxr-xr-x 2 root root 4096 Jun 4 12:00 security/ ./lib/security: total 668 drwxr-xr-x 2 root root 4096 Jun 4 12:00 ./ drwxr-xr-x 3 root root 4096 Jun 4 12:13 ../ -rwxr-xr-x 1 root root 10067 Jun 3 13:46 pam_access.so* -rwxr-xr-x 1 root root 8300 Jun 3 13:46 pam_chroot.so* -rwxr-xr-x 1 root root 14397 Jun 3 13:46 pam_cracklib.so* -rwxr-xr-x 1 root root 5082 Jun 3 13:46 pam_deny.so* -rwxr-xr-x 1 root root 13153 Jun 3 13:46 pam_env.so* -rwxr-xr-x 1 root root 13371 Jun 3 13:46 pam_filter.so* -rwxr-xr-x 1 root root 7957 Jun 3 13:46 pam_ftp.so* -rwxr-xr-x 1 root root 12771 Jun 3 13:46 pam_group.so* -rwxr-xr-x 1 root root 10174 Jun 3 13:46 pam_issue.so* -rwxr-xr-x 1 root root 9774 Jun 3 13:46 pam_lastlog.so* -rwxr-xr-x 1 root root 13591 Jun 3 13:46 pam_limits.so* -rwxr-xr-x 1 root root 11268 Jun 3 13:46 pam_listfile.so* -rwxr-xr-x 1 root root 11182 Jun 3 13:46 pam_mail.so* -rwxr-xr-x 1 root root 5923 Jun 3 13:46 pam_nologin.so* -rwxr-xr-x 1 root root 5460 Jun 3 13:46 pam_permit.so* -rwxr-xr-x 1 root root 18226 Jun 3 13:46 pam_pwcheck.so* -rwxr-xr-x 1 root root 12590 Jun 3 13:46 pam_rhosts_auth.so* 
-rwxr-xr-x 1 root root 5551 Jun 3 13:46 pam_rootok.so* -rwxr-xr-x 1 root root 7239 Jun 3 13:46 pam_securetty.so* -rwxr-xr-x 1 root root 6551 Jun 3 13:46 pam_shells.so* -rwxr-xr-x 1 root root 55925 Jun 4 12:00 pam_smb_auth.so* -rwxr-xr-x 1 root root 12678 Jun 3 13:46 pam_stress.so* -rwxr-xr-x 1 root root 11170 Jun 3 13:46 pam_tally.so* -rwxr-xr-x 1 root root 11124 Jun 3 13:46 pam_time.so* -rwxr-xr-x 1 root root 45703 Jun 3 13:46 pam_unix.so* -rwxr-xr-x 1 root root 45703 Jun 3 13:46 pam_unix2.so* -rwxr-xr-x 1 root root 45386 Jun 3 13:46 pam_unix_acct.so* -rwxr-xr-x 1 root root 45386 Jun 3 13:46 pam_unix_auth.so* -rwxr-xr-x 1 root root 45386 Jun 3 13:46 pam_unix_passwd.so* -rwxr-xr-x 1 root root 45386 Jun 3 13:46 pam_unix_session.so* -rwxr-xr-x 1 root root 9726 Jun 3 13:46 pam_userdb.so* -rwxr-xr-x 1 root root 6424 Jun 3 13:46 pam_warn.so* -rwxr-xr-x 1 root root 7460 Jun 3 13:46 pam_wheel.so* ./sbin: total 3132 drwxr-xr-x 2 root root 4096 Jun 4 12:35 ./ drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../ -rwxr-xr-x 1 root root 178256 Jun 3 13:46 choptest* -rwxr-xr-x 1 root root 184032 Jun 3 13:46 cqtest* -rwxr-xr-x 1 root root 81096 Jun 3 13:46 dialtest* -rwxr-xr-x 1 root root 1142128 Jun 4 11:28 ldconfig* -rwxr-xr-x 1 root root 2868 Jun 3 13:46 lockname* -rwxr-xr-x 1 root root 3340 Jun 3 13:46 ondelay* -rwxr-xr-x 1 root root 376796 Jun 3 13:46 pagesend* -rwxr-xr-x 1 root root 13950 Jun 3 13:46 probemodem* -rwxr-xr-x 1 root root 9234 Jun 3 13:46 recvstats* -rwxr-xr-x 1 root root 64480 Jun 3 13:46 sftp-server* -rwxr-xr-x 1 root root 744412 Jun 3 13:46 sshd* -rwxr-xr-x 1 root root 30750 Jun 4 11:46 su* -rwxr-xr-x 1 root root 194632 Jun 3 13:46 tagtest* -rwxr-xr-x 1 root root 69892 Jun 3 13:46 tsitest* -rwxr-xr-x 1 root root 43792 Jun 3 13:46 typetest* ./tmp: total 8 drwxr-xr-x 2 root root 4096 Jun 4 12:32 ./ drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../ ./usr: total 8 drwxr-xr-x 2 root root 4096 Jun 4 12:16 ./ drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../ lrwxrwxrwx 1 root root 7 
Jun 4 12:14 bin -> ../bin// lrwxrwxrwx 1 root root 7 Jun 4 11:33 lib -> ../lib// lrwxrwxrwx 1 root root 8 Jun 4 12:13 sbin -> ../sbin// Chroot-Umgebung für Apache Einleitung

Das Programm chroot wird häufig dazu benutzt, einen Daemon in einen beschränkten Verzeichnisbaum einzusperren. Sie können es dazu verwenden, um Dienste von anderen abzuschirmen, so dass Sicherheitsprobleme mit einem Softwarepaket nicht den ganzen Server gefährden können. Durch die Verwendung des Skripts makejail wird es viel leichter, einen Verzeichnisbaum in einer chroot-Umgebung einzurichten und zu aktualisieren.

FIXME: Apache can also be chrooted using which is available in libapache-mod-security (for Apache 1.x) and libapache2-mod-security (for Apache 2.x). Lizenz

Dieses Dokument ist urheberrechtlich von Alexandre Ratti (2002) geschützt. Es steht unter einer doppelten Lizenz, nämlich der GPL Version 2 (GNU General Public License) und der GNU-FDL 1.2 (GNU Free Documentation Licence). Es wurde in dieses Handbuch mit seiner ausdrücklichen Genehmigung aufgenommen. (Siehe auch das ) Installation des Servers

Diese Vorgehensweise wurde auf Debian GNU/Linux 3.0 (Woody) mit makejail 0.0.4-1 (in Debian/Testing) getestet.

Melden Sie sich als Root an und erstellen Sie ein neues Verzeichnis für das Gefängnis: $ mkdir -p /var/chroot/apache

Erstellen Sie einen neuen Nutzer und eine neue Gruppe. Der Apache in der chroot-Umgebung wird als dieser Nutzer und Gruppe laufen, die für nichts anderes auf dem System verwendet wird. In dem Beispiel heißen sowohl Nutzer als auch Gruppe chrapach. $ adduser --home /var/chroot/apache --shell /bin/false \ --no-create-home --system --group chrapach

FIXME: is a new user needed? (Apache already runs as the apache user)

Installieren Sie ganz normal Apache auf Debian: apt-get install apache Richten Sie Apache ein (z.B. definieren Sie Ihre Subdomains usw.). Weisen Sie in der Konfigurationsdatei /etc/apache/httpd.conf den Optionen Group und User chrapach zu. Starten Sie Apache neu und stellen Sie sicher, dass der Server korrekt funktioniert. Danach halten Sie den Server wieder an. Installieren Sie makejail (ist fürs Erste in Debian/Testing vorhanden). Sie sollten auch wget und lynx installieren, da sie von makejail benutzt werden, um den Server in der chroot-Umgebung zu testen: apt-get install makejail wget lynx. Kopieren Sie die Beispielkonfigurationsdatei für Apache ins Verzeichnis /etc/makejail: # cp /usr/share/doc/makejail/examples/apache.py /etc/makejail/ Bearbeiten Sie /etc/makejail/apache.py. Sie müssen die Optionen chroot, users und groups verändern. Um diese Version von makejail laufen zu lassen, können Sie auch die Option packages hinzufügen. Vergleichen Sie die . Die Konfigurationsdatei könnte beispielsweise so aussehen: chroot="/var/chroot/apache" testCommandsInsideJail=["/usr/sbin/apachectl start"] processNames=["apache"] testCommandsOutsideJail=["wget -r --spider http://localhost/", "lynx --source https://localhost/"] preserve=["/var/www", "/var/log/apache", "/dev/log"] users=["chrapach"] groups=["chrapach"] packages=["apache", "apache-common"] userFiles=["/etc/password", "/etc/shadow"] groupFiles=["/etc/group", "/etc/gshadow"] forceCopy=["/etc/hosts", "/etc/mime.types"]

FIXME: some options do not seem to work properly. For instance, /etc/shadow and /etc/gshadow are not copied, whereas /etc/password and /etc/group are fully copied instead of being filtered.

Erstellen Sie den Verzeichnisbaum für chroot: makejail /etc/makejail/apache.py. Falls /etc/password und /etc/group vollständig kopiert wurden, geben Sie Folgendes ein, um sie mit gefilterten Fassungen zu ersetzen: $ grep chrapach /etc/passwd > /var/chroot/apache/etc/passwd $ grep chrapach /etc/group > /var/chroot/apache/etc/group Kopieren Sie die Webseiten und die Logs ins Gefängnis. Diese Dateien werden nicht automatisch mitkopiert (sehen Sie sich dazu die Option preserve in der Konfigurationsdatei von makejail an). # cp -Rp /var/www /var/chroot/apache/var # cp -Rp /var/log/apache/*.log /var/chroot/apache/var/log/apache Editieren Sie das Startskript für den Logging-Daemon des Systems so, dass er auch den Socket /var/chroot/apache/dev/log beobachtet. Ersetzen Sie in /etc/init.d/sysklogd SYSLOGD="" mit SYSLOGD=" -a /var/chroot/apache/dev/log" und starten Sie den Daemon neu (/etc/init.d/sysklogd restart). Editieren Sie das Startskript von Apache (/etc/init.d/apache). Sie müssen vielleicht ein paar Änderungen am Standardstartskript vornehmen, damit es richtig in einem Verzeichnisbaum in einer chroot-Umgebung läuft. Da wäre: Legen Sie die Variable CHRDIR am Anfang der Datei neu fest. Bearbeiten Sie die Abschnitte start, stop, reload etc. Fügen Sie eine Zeile hinzu, um das /proc-Dateisystem innerhalb des Gefängnisses zu mounten und abzumounten. #! /bin/bash # # apache Start the apache HTTP server. 
# CHRDIR=/var/chroot/apache NAME=apache PATH=/bin:/usr/bin:/sbin:/usr/sbin DAEMON=/usr/sbin/apache SUEXEC=/usr/lib/apache/suexec PIDFILE=/var/run/$NAME.pid CONF=/etc/apache/httpd.conf APACHECTL=/usr/sbin/apachectl trap "" 1 export LANG=C export PATH test -f $DAEMON || exit 0 test -f $APACHECTL || exit 0 # ensure we don't leak environment vars into apachectl APACHECTL="env -i LANG=${LANG} PATH=${PATH} chroot $CHRDIR $APACHECTL" if egrep -q -i "^[[:space:]]*ServerType[[:space:]]+inet" $CONF then exit 0 fi case "$1" in start) echo -n "Starting web server: $NAME" mount -t proc proc /var/chroot/apache/proc start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON \ --chroot $CHRDIR ;; stop) echo -n "Stopping web server: $NAME" start-stop-daemon --stop --pidfile "$CHRDIR/$PIDFILE" --oknodo umount /var/chroot/apache/proc ;; reload) echo -n "Reloading $NAME configuration" start-stop-daemon --stop --pidfile "$CHRDIR/$PIDFILE" \ --signal USR1 --startas $DAEMON --chroot $CHRDIR ;; reload-modules) echo -n "Reloading $NAME modules" start-stop-daemon --stop --pidfile "$CHRDIR/$PIDFILE" --oknodo \ --retry 30 start-stop-daemon --start --pidfile $PIDFILE \ --exec $DAEMON --chroot $CHRDIR ;; restart) $0 reload-modules exit $? ;; force-reload) $0 reload-modules exit $? ;; *) echo "Usage: /etc/init.d/$NAME {start|stop|reload|reload-modules|force-reload|restart}" exit 1 ;; esac if [ $? == 0 ]; then echo . exit 0 else echo failed exit 1 fi

FIXME: should the first Apache process be run as another user than root (i.e. add --chuid chrapach:chrapach)? Cons: chrapach will need write access to the logs, which is awkward.

Ersetzen Sie in /etc/logrotate.d/apache /var/log/apache/*.log durch /var/chroot/apache/var/log/apache/*.log. Starten Sie Apache (/etc/init.d/apache start) und überprüfen Sie, was im Protokoll des Gefängnisses gemeldet wird (/var/chroot/apache/var/log/apache/error.log). Wenn Ihre Einstellung komplexer sein sollte (z.B. wenn Sie auch PHP und MySQL einsetzen), werden wahrscheinlich Dateien fehlen. Wenn einige Dateien nicht automatisch von makejail kopiert werden, können Sie diese in den Optionen forceCopy (um Dateien direkt zu kopieren) oder packages (um ganze Pakete mit ihren Abhängigkeiten zu kopieren) in der Konfigurationsdatei /etc/makejail/apache.py aufführen.

Geben Sie ps aux | grep apache ein, um sicherzustellen, dass Apache läuft. Sie sollten etwas in dieser Art sehen: root 180 0.0 1.1 2936 1436 ? S 04:03 0:00 /usr/sbin/apache chrapach 189 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache chrapach 190 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache chrapach 191 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache chrapach 192 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache chrapach 193 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache Stellen Sie sicher, dass die Apache-Prozesse in einer chroot-Umgebung laufen. Betrachten Sie dazu das /proc-Dateisystem: ls -la /proc/process_number/root/., wobei process_number einer der PID-Nummern ist, die oben aufgeführt wurden (z.B. 189 in der zweiten Reihe). Die Einträge des eingeschränkten Verzeichnisbaums sollten Sie sich auflisten lassen: drwxr-sr-x 10 root staff 240 Dec 2 16:06 . drwxrwsr-x 4 root staff 72 Dec 2 08:07 .. drwxr-xr-x 2 root root 144 Dec 2 16:05 bin drwxr-xr-x 2 root root 120 Dec 3 04:03 dev drwxr-xr-x 5 root root 408 Dec 3 04:03 etc drwxr-xr-x 2 root root 800 Dec 2 16:06 lib dr-xr-xr-x 43 root root 0 Dec 3 05:03 proc drwxr-xr-x 2 root root 48 Dec 2 16:06 sbin drwxr-xr-x 6 root root 144 Dec 2 16:04 usr drwxr-xr-x 7 root root 168 Dec 2 16:06 var

Um diesen Test zu automatisieren, geben Sie ls -la /proc/`cat /var/chroot/apache/var/run/apache.pid`/root/. ein.

FIXME: Add other tests that can be run to make sure the jail is closed?

Ich mag das, da es so nicht sehr schwierig ist, das Gefängnis einzurichten, und der Server mit nur zwei Zeilen aktualisiert werden kann: apt-get update && apt-get install apache makejail /etc/makejail/apache.py Weiterführende Informationen

Wenn Sie nach weiteren Informationen suchen, sehen Sie sich die Quellen an, auf denen diese Anleitung beruht: Die . Diese Programm wurde von Alain Tesio geschrieben. Das von Jonathan A. Zdziarski, 12/03/2003 harden-doc-3.15.1/howto-source/de/before-install.sgml0000644000000000000000000007721010643704617017332 0ustar Vor und während der Installation Setzen Sie ein Passwort im BIOS

Bevor Sie irgendein Betriebssystem auf Ihrem Computer installieren, setzen Sie ein Passwort im BIOS. Nach der Installation (sobald Sie von der Festplatte booten können) sollten Sie zurück ins BIOS gehen und die Boot-Reihenfolge ändern, so dass Sie nicht von Diskette, CD-ROM oder sonstigen Geräten booten können, von denen dies nicht gehen sollte. Andernfalls benötigt ein Cracker nur physischen Zugang und eine Bootdiskette, um Zugriff auf Ihr ganzes System zu bekommen.

Es ist noch besser, wenn das System beim Booten immer ein Passwort verlangt. Dies kann sehr effektiv sein, wenn Sie einen Server laufen lassen, der selten neu gestartet wird. Der Nachteil dieser Vorgehensweise ist, dass das Neustarten einen menschlichen Eingriff benötigt, was zu Problemen führen kann, wenn das System nicht leicht zugänglich ist.

Beachten Sie: Viele BIOS-Varianten haben bekannte Master-Passwörter und es gibt sogar Programme, um Passwörter aus dem BIOS wieder auszulesen. Folglich können Sie sich nicht auf diese Maßnahme verlassen, um den Zugriff auf das Systems zu beschränken. Partitionieren des Systems Wählen Sie eine sinnvolle Partitionierung

Was eine sinnvolle Partitionierung ist, hängt davon ab, wie die Maschine benutzt wird. Eine gute Faustregel ist, mit Ihren Partitionen eher großzügig zu sein und die folgenden Faktoren zu berücksichtigen: Jeder Verzeichnisbaum, auf den ein Nutzer Schreibzugriff hat (wie zum Beispiel /home, /tmp und /var/tmp/) sollte auf einer separaten Partition liegen. Dies reduziert das Risiko eines DoS durch einen Nutzer, indem er Ihren "/"-Mountpoint vollschreibt und so das gesamte System unbenutzbar macht. Eigentlich ist das so nicht ganz richtig, da immer etwas Platz für Root reserviert wird, den ein normaler Nutzer nicht belegen kann. Außerdem verhindert dieses Vorgehen Hardlink-Angriffe. Ein sehr gutes Beispiel dieser Art von Angriff, der das /tmp-Verzeichnis benutzt, ist ausführlich auf und auf beschrieben (beachten Sie, dass dieser Vorfall in einem Zusammenhang mit Debian steht). Im Prinzip ist das ein Angriff, bei dem ein lokaler Benutzer eine angreifbare Setuid-Anwendung versteckt, indem er einen harten Link zu ihr einrichtet. So kann er wirksam verhindern, dass diese Anwendung vom Systemadministrator aktualisiert (oder entfernt) wird. Dpkg wurde kürzlich verbessert, um das zu verhindern (vergleiche ). Aber andere Setuid-Anwendungen, die nicht vom Paketverwaltungsprogramm kontrolliert werden, bleiben ein Risiko, wenn Partitionen nicht richtig eingerichtet werden. Außerdem sollte jeder Verzeichnisbaum, dessen Größe schwanken kann, zum Beispiel /var (insbesondere /var/log) eine separate Partition bekommen. Auf einem Debian-System sollten Sie der /var-Partition etwas mehr Platz als auf anderen Systemen geben, da heruntergeladene Pakete (der Zwischenspeicher von apt) unter /var/cache/apt/archives gespeichert werden. Jeder Teil, in dem Sie Nicht-Distributions-Software installieren wollen, sollte eine separate Partition erhalten. Nach dem File-Hierarchy-Standard wären dies /opt oder /usr/local. 
Wenn dies separate Partitionen sind, werden sie nicht gelöscht, falls Sie einmal Ihr Debian neu installieren (müssen). Rein sicherheitstechnisch ist es sinnvoll zu versuchen, statische Daten auf eine eigene Partition zu legen und diese dann als nur-lesbar einzuhängen (mounten). Oder noch besser: legen Sie diese Daten auf einem nicht beschreibbares Medium ab. Lesen Sie dazu die Ausführungen weiter unten.

Im Falle eines Mailservers ist es wichtig, eine separate Partition für die Mail-Warteschlange (mail spool) anzulegen. Nicht-lokale Nutzer können (wissentlich oder unwissentlich) diese Verzeichnisse (/var/mail oder /var/spool/mail) überfüllen. Liegt dieses Verzeichnis auf einer separaten Partition, würde dies das System nicht sofort unbenutzbar machen. Anderenfalls (wenn das Verzeichnis auch auf der /var-Partition liegt) hat das System ein großes Problem: Protokoll-Einträge (logs) können nicht erstellt werden, Pakete können nicht installiert werden und es könnten sogar ein paar Programme Probleme mit dem Starten haben (wenn sie /var/run benutzen).

Außerdem sollten Sie für Partitionen, deren Platzbedarf Sie noch nicht abschätzen können, den Logical-Volume-Manager (lvm-common und die benötigten ausführbaren Programme, entweder lvm10 oder lvm2) installieren. Durch Benutzen von lvm können Sie Datenträger-Gruppen erstellen, die über mehrere Festplatten verteilt sind. Auswahl eines passenden Dateisystems

Während der Partitionierung des Systems müssen Sie sich ebenfalls entscheiden, welche Dateisysteme Sie benutzen möchten. Als Standard-Dateisystem wird während der Installation für Linux-Partitionen ext2 ausgewählt. Dennoch ist es ratsam, ein "journaling filesystem" (ein Dateisystem, das Änderungen mitprotokolliert) zu nehmen, wie zum Beispiel ext3, reiserfs, jfs oder xfs. Dadurch verringern Sie Probleme nach einem Absturz des Systems in folgenden Fällen: Auf Laptops auf allen Dateisystemen. Auf diese Art reduzieren Sie die Wahrscheinlichkeit eines Datenverlustes, wenn beispielsweise unerwartet Ihr Akku leer wird oder das System aufgrund eines Hardware-Problems (etwa durch die X-Konfiguration, was relativ häufig auftritt) neu gestartet werden muss. Auf produktiven Systemen, die große Mengen von Daten speichern (zum Beispiel Mail-Server, FTP-Server, Netzwerk-Fileserver, ...), ist es empfehlenswert, ein Journaling-Dateisystem auf diesen Partitionen einzusetzen. Wenn das System abstürzt, benötigt der Server so weniger Zeit, um das Dateisystem wieder herzustellen und zu prüfen, und die Wahrscheinlichkeit eines Datenverlustes wird verringert.

Lassen wir mal die Betrachtung der Leistung von Journaling-Dateisystemen beiseite (da dies oft in quasi-religiöse Glaubenskriege ausartet). In der Regel ist es besser, das ext3-Dateisystem zu benutzen. Der Grund dafür ist die Abwärtskompatibilität zu ext2. So können Sie, wenn es Probleme mit dem Journal gibt, dieses einfach abschalten und haben immer noch ein funktionierendes Dateisystem. Außerdem müssen Sie, wenn Sie das System mal mit einer Boot-Diskette (oder CD-ROM) wiederherstellen müssen, keinen speziellen Kernel benutzen. Wenn es sich um einen 2.4er oder 2.6er Kernel handelt, ist Unterstützung für ext3 bereits vorhanden. Wenn es sich um einen 2.2er-Kernel handelt, können Sie trotzdem Ihr Dateisystem booten, auch wenn Sie die Journaling-Fähigkeiten einbüßen. Wenn Sie ein anderes Journaling-Dateisystem benutzen, werden Sie feststellen, dass eine Wiederherstellung nicht möglich ist, bis Sie einen 2.4er oder 2.6er Kernel mit den benötigten Modulen haben. Wenn Sie einen 2.2er Kernel auf der Rettungsdiskette verwenden müssen, kann es sich als noch schwerer erweisen, auf reiserfs oder xfs zuzugreifen.

Auf jeden Fall ist die Datenintegrität unter ext3 besser, da es auch Datei-Daten protokolliert, während andere Dateisysteme lediglich Meta-Daten protokollieren (siehe auch ). Gehen Sie nicht ins Internet, bevor Sie nicht bereit sind

Während der Installation sollten Sie das System nicht sofort mit dem Internet verbinden. Dies hört sich vielleicht komisch an, aber die Installation über das Netzwerk ist eine gängige Methode. Da das System einige Dienste installiert und diese sofort aktiviert werden, könnten Sie Ihr System für Angriffe öffnen, wenn das System mit dem Internet verbunden ist und die Dienste nicht geeignet konfiguriert sind.

Außerdem sollten Sie beachten, dass manche Pakete noch Sicherheitsprobleme haben können, weil das Installationsmedium nicht auf dem aktuellen Stand ist. Dies ist für gewöhnlich dann der Fall, wenn Sie von älteren Medien (wie CD-ROMs) installieren. In diesem Fall könnte Ihr System bereits kompromittiert sein, bevor Sie mit der Installation fertig sind!

Da die Debian-Installation und das Aktualisieren über das Internet durchgeführt werden können, denken Sie vielleicht, es sei eine gute Idee, dies gleich während der Installation zu nutzen. Wenn das System direkt mit dem Internet verbunden ist (und nicht von einer Firewall oder NAT geschützt wird), ist es besser, das System ohne Internet-Verbindung zu installieren. Benutzen Sie sowohl für die zu installierenden Pakete als auch für die Sicherheits-Updates eine lokale Quelle (mirror). Sie können einen Paket-Mirror aufsetzen, indem Sie ein anderes System nutzen, das mit dem Internet verbunden ist und für Debian spezifische Werkzeuge (falls es sich um ein Debian-System handelt) wie apt-move oder apt-proxy oder andere gebräuchliche Werkzeuge zur Erstellung von Quellen verwendet. Damit kann das Archiv für das installierte System zur Verfügung gestellt werden. Sollte dies nicht möglich sein, sollten Sie Firewall-Regeln aufsetzen, die den Zugriff auf Ihr System beschränken, während Sie das Update durchführen (siehe ). Setzen Sie ein Passwort für root

Die wichtigste Grundlage für ein sicheres System ist ein gutes Root-Passwort. Siehe für einige Tipps, wie man gute Passwörter auswählt. Sie können auch automatische Passwort-Generatoren verwenden (siehe ).

Im Internet gibt es zahlreiche Hinweise dazu, wie man gute Passwörter wählt. Zwei Seiten, die eine angemessene Übersicht und Ausführung bieten, sind Eric Wolframs und Walter Belgers . Aktivieren Sie Shadow-Passwörter und MD5-Passwörter

Gegen Ende der Installation werden Sie gefragt, ob "shadow passwords" eingeschaltet werden sollen. Beantworten Sie diese Frage mit "yes", dann werden Passwörter in der Datei /etc/shadow gespeichert. Nur root und die Gruppe shadow haben Lesezugriff auf diese Datei. So ist es keinem Nutzer möglich, sich eine Kopie dieser Datei zu besorgen, um einen Passwort-Cracker auf sie loszulassen. Sie können mit dem Befehl shadowconfig jederzeit zwischen "shadow passwords" und normalen Passwörtern wechseln.

Mehr zum Thema Shadow-Passwörter finden Sie unter (/usr/share/doc/HOWTO/en-txt/Shadow-Password.txt.gz).

Des Weiteren verwendet die Installation standardmäßig Passwörter, welche als MD5-Hashwerte gespeichert werden. Dies ist im Allgemeinen eine sehr gute Idee, da es längere Passwörter und bessere Verschlüsselung erlaubt. Mit MD5 sind Passwörter möglich, die länger als 8 Zeichen sind. Auf diese Weise kann man es einem Angreifer schwieriger machen, mit Brute-Force-Methoden an die Passwörter heranzukommen. Dies ist die Standardeinstellung in den neuesten Versionen des Pakets passwd. Sie erkennen MD5-Passwörter übrigens in der /etc/shadow an dem Anfang $1$.

Dies verändert allerdings alle Dateien im Verzeichnis /etc/pam.d und ergänzt in der "password"-Zeile den Eintrag "md5". password required pam_unix.so md5 nullok obscure min=6 max=16

Wird für max nicht ein Wert größer als 8 gewählt, ist diese Änderung ziemlich sinnlos. Weitere Informationen dazu finden Sie unter .

Beachten Sie: Die Standardeinstellung in Debian verändert nicht den vorher gewählten max-Wert, auch dann nicht, wenn MD5 aktiviert wird. Lassen Sie so wenige Dienste wie möglich laufen

Dienste sind Programme wie FTP- und Web-Server. Da sie nach eingehenden Verbindungen, die den Dienst anfordern, horchen müssen, können sich externe Computer mit Ihrem Computer verbinden. Dienste sind manchmal verwundbar (zum Beispiel durch einen bestimmten Angriff kompromittierbar) und stellen dadurch ein Sicherheitsrisiko dar.

Sie sollten keine Dienste installieren, die Sie nicht unbedingt auf dem System brauchen. Jeder installierte Dienst könnte neue, vielleicht nicht gerade offensichtliche (oder bekannte) Sicherheitslöcher auf Ihrem Computer öffnen.

Wie Sie vielleicht schon wissen, wird ein Dienst, sobald er installiert wird, auch gleich automatisch aktiviert. Bei einer Standardinstallation ohne weitere installierte Dienste ist die Anzahl der laufenden Dienste ziemlich gering. Und die Anzahl der Dienste, die im Netzwerk angeboten werden, ist noch niedriger. In einer Standardinstallation von Debian 3.1 werden Sie mit OpenSSH, Exim (abhängig davon, wie Sie ihn konfiguriert haben) und dem RPC-Portmapper als Netzwerkdienste auskommen.Die Zahl war bei Debian 3.0 und davor nicht so niedrig, da einige inetd-Dienste standardmäßig aktiviert waren. Außerdem war in Debian 2.2 der NFS-Server wie auch der Telnet-Server Bestandteil der Standardinstallation. Der RPC-Portmapper ist standardmäßig installiert, da er für viele Dienste wie zum Beispiel NFS benötigt wird. Er kann allerdings sehr leicht entfernt werden. Weitere Informationen, wie Sie RPC-Dienste absichern oder abschalten, finden Sie unter .

Wenn Sie einen neuen Netzwerkdienst (Daemon) auf Ihrem Debian GNU/Linux System installieren, kann er auf zwei Arten gestartet werden: durch den inetd-Superdaemon (d. h. eine Zeile wird zu der /etc/inetd.conf hinzugefügt) oder durch ein eigenständiges Programm, das sich selbst an die Netzwerkschnittstelle bindet. Eigenständige Programme werden durch /etc/init.d gesteuert. Sie werden beim Hochfahren durch den Sys-V-Mechanismus gestartet, der die symbolischen Links in /etc/rc?.d/* benutzt. (Mehr Informationen dazu finden Sie in /usr/share/doc/sysvinit/README.runlevels.gz).

Wenn Sie trotzdem Dienste installieren möchten, diese aber selten benutzen, entfernen Sie sie mit den update-Befehlen wie update-inetd oder update-rc.d aus dem Startvorgang. Weitere Informationen, wie Sie Netzwerkdienste abschalten, finden Sie unter . Wenn Sie das Standardverhalten des Startens von Diensten nach der Installation von ihren Paketen ändern wollenDies ist z.B. wünschenswert, wenn Sie eine Chroot-Umgebung zur Entwicklung einrichten., lesen Sie bitte für weiterführende Informationen /usr/share/doc/sysv-rc/README.policy-rc.d.gz.

Die Unterstützung von invoke-rc.d ist bei Debian nun zwingend. Dies bedeutet, dass Sie bei Sid und Etch eine policy-rc.d-Datei anlegen können, die das Starten von Daemons verbietet, bevor Sie sie konfiguriert haben. Zwar sind derartige Skripte noch nicht in Paketen enthalten, sie sind aber ziemlich leicht zu schreiben. Sehen Sie sich auch policyrcd-script-zg2 an. Daemons abschalten

Das Abschalten eines Daemons ist sehr einfach. Entweder Sie entfernen das Paket, das das Programm für diesen Dienst anbietet, oder Sie entfernen oder benennen die Startlinks unter /etc/rc${runlevel}.d/ um. Wenn Sie sie umbenennen, stellen Sie sicher, dass sie nicht mehr mit einem 'S' beginnen, damit sie nicht von /etc/init.d/rc ausgeführt werden. Entfernen Sie nicht alle verfügbaren Links, denn sonst wird das Paketverwaltungssystem sie bei der nächsten Paketaktualisierung wieder herstellen. Gehen Sie also sicher, dass zumindest ein Link übrig bleibt (typischerweise ein 'K'-Link, 'K' steht für 'kill'). Zusätzliche Informationen finden Sie im Abschnitt der Debian-Referenz (2. Kapitel - Debian-Grundlagen).

Sie können diese Links manuell entfernen oder Sie benutzen update-rc.d (siehe auch ). So können Sie zum Beispiel einen Dienst in den Multi-User-Runleveln abschalten: # update-rc.d stop XX 2 3 4 5 .

Wobei XX eine Zahl ist, die bestimmt, wann die Stop-Aktion für diesen Dienst ausgeführt wird. Bitte beachten Sie, dass update-rc.d -f Dienst remove nicht korrekt arbeiten wird, wenn Sie nicht file-rc benutzen, da alle Verknüpfungen entfernt werden. Nach einer Neuinstallation oder einem Upgrade dieses Paketes werden diese Verknüpfungen neu angelegt (was Sie vermutlich nicht wollen). Wenn Sie denken, dass dies nicht sehr intuitiv ist, haben Sie wahrscheinlich recht (siehe ). Aus der Manpage: If any files /etc/rcrunlevel.d/[SK]??name already exist then update-rc.d does nothing. This is so that the system administrator can rearrange the links, provided that they leave at least one link remaining, without having their configuration overwritten.

Wenn Sie file-rc benutzen, werden alle Informationen über das Starten von Diensten durch eine gemeinsame Konfigurationsdatei verarbeitet und sogar nach der Deinstallation von Paketen beibehalten.

Sie können das TUI (Text User Interface, textbasierte Benutzungsoberfläche) des Paketes sysv-rc-conf benutzen, um all diese Änderungen einfach zu erledigen (sysv-rc-conf arbeitet sowohl mit file-rc als auch mit normalen System-V-Runleveln). Es gibt auch vergleichbare GUIs für Desktop-Systeme. Sie können auch die Befehlszeile von sysv-rc-conf verwenden: # sysv-rc-conf foobar off

Der Vorteil dieses Werkzeugs ist, dass die rc.d-Links wieder auf den Status zurückgesetzt werden, die sie vor dem Aufruf von »off« hatten, wenn Sie den Dienst wieder aktivieren mit: # sysv-rc-conf foobar on

Andere (nicht empfohlene) Methoden zum Abschalten eines Dienstes sind: Benennen Sie die Skriptdatei (/etc/init.d/Dienst) um (zum Beispiel in /etc/init.d/OFF.Dienst). Da dies Verweise erzeugt, die auf kein Ziel zeigen (dangling symlinks), werden beim Booten Fehlermeldungen ausgegeben. Entfernen Sie das Ausführungsrecht von der Datei /etc/init.d/Dienst. Auch das wird beim Booten Fehlermeldungen verursachen. Editieren der Datei /etc/init.d/Dienst, so dass sich das Skript sofort beendet, sobald es gestartet wird, indem Sie die Zeile exit 0 am Anfang einfügen oder den start-stop-daemon-Abschnitt auskommentieren. Falls Sie dies tun, können Sie das Skript nicht später dazu verwenden, den Dienst von Hand zu starten.

Jedoch handelt es sich bei allen Dateien unter /etc/init.d um Konfigurationsdateien, und sie sollten daher bei einer Paketaktualisierung nicht überschrieben werden.

Sie können im Gegensatz zu anderen (UNIX-)Betriebssystemen Dienste unter Debian nicht abschalten, indem Sie die Dateien unter /etc/default/Dienst modifizieren.

FIXME: Add more information on handling daemons using file-rc Abschalten von inetd oder seinen Diensten

Sie sollten überprüfen, ob Sie heutzutage den inetd-Daemon überhaupt brauchen. Inetd war früher eine Möglichkeit, Unzulänglichkeiten des Kernels auszugleichen. Diese sind aber in modernen Linux-Kerneln nicht mehr vorhanden. Gegen inetd gibt es die Möglichkeit von Angriffen, die zur Dienstverweigerung führen (Denial of Service), welche die Last des Rechners unglaublich erhöhen. Viele Leute ziehen es vor, einzelne Daemonen zu benutzen, anstatt einen Dienst über inetd zu starten. Wenn Sie immer noch einen inetd-Dienst laufen lassen wollen, wechseln Sie wenigstens zu einem besser zu konfigurierenden Inet-Daemonen wie xinetd oder rlinetd.

Sie sollten alle nicht benötigten Inetd-Dienste auf Ihrem System abschalten, wie zum Beispiel echo, chargen, discard, daytime, time, talk, ntalk und die r-Dienste (rsh, rlogin und rcp), die als SEHR unsicher gelten (benutzen Sie stattdessen ssh).

Sie können Dienste abschalten, indem Sie direkt /etc/inetd.conf editieren, aber Debian stellt Ihnen einen besseren Weg zur Verfügung: update-inetd (was die Dienste auf eine Art herauskommentiert, so dass sie leicht wieder eingeschaltet werden können). Sie können den Telnet-Daemon sehr leicht mit dem folgenden Kommando abschalten, so dass die Konfigurationsdateien angepasst und der Daemon neu gestartet wird: /usr/sbin/update-inetd --disable telnet

Wenn Sie Dienste starten wollen, aber nur auf bestimmten IP-Adressen Ihres Systems, müssen Sie eventuell auf eine undokumentierte Funktion des inetd zurückgreifen (Austausch des Namens des Dienstes durch dienst@ip). Alternativ können Sie einen Daemon wie xinetd benutzen. Installieren Sie möglichst wenig Software

Debian bietet sehr viel Software an. Debian 3.0 (Woody) enthält sechs oder sieben (je nach Architektur) CDs mit Software und tausenden Paketen. Debian 3.1 Sarge wird mit etwa 13 CD-ROMs ausgeliefert werden. Bei so viel Software, selbst wenn Sie die Installation auf das Basis-System reduzieren Unter Debian-Woody ist das Basis-System etwa 400-500MB groß. Probieren Sie Folgendes: , $ size=0 $ for i in `grep -A 1 -B 1 "^Section: base" /var/lib/dpkg/available | grep -A 2 "^Priority: required" |grep "^Installed-Size" |cut -d : -f 2 `; do size=$(($size+$i)); done $ echo $size 47762 , könnten Sie auf Abwege geraten und mehr installieren, als Sie wirklich benötigen.

Da Sie bereits wissen, was Sie mit Ihrem System machen wollen (oder etwa nicht?), sollten Sie nur Software installieren, die Sie wirklich für den Betrieb benötigen. Jedes unnötig installierte Programm könnte von einem Nutzer, der Ihr System kompromittieren will, genutzt werden – oder von einem externen Eindringling, der Shell-Zugriff bekommen hat (oder der Code von außerhalb durch einen fehlerhaften Dienst ausführen kann).

Zum Beispiel kann das Vorhandensein von Hilfsprogrammen für Programmierer (ein C-Compiler) oder Interpretern (wie Perl s.u., Python, tcl, ...) einem Angreifer helfen, das System weiter zu kompromittieren: Der Angreifer kann seine Privilegien auf dem System erweitern. Es ist beispielsweise leichter, eine lokale Sicherheitslücke des Systems auszunutzen, wenn man einen Debugger und Compiler zur Verfügung hat, um den eigenen Exploit (ein Programm, das eine Sicherheitslücke ausnutzt) zu kompilieren und zu testen. Man könnte dem Angreifer Werkzeuge zur Verfügung stellen, die ihm helfen könnten, das kompromittierte System als Basis für Angriffe auf andere Systeme zu benutzen. Häufig werden fremde Systeme nur deshalb gehackt, weil sie zu weiteren illegitimen Aktivitäten benutzt werden sollen (DoS-Attacken, Spam, geheime FTP-Server, DNS-Schweinereien, ...). Der Angreifer möchte meist gar nicht an die vertraulichen Daten auf dem kompromittierten System herankommen.

Natürlich kann ein Eindringling mit lokalem Shell-Zugriff seine eigenen Programme herunterladen und ausführen. Und sogar die Shell selbst kann benutzt werden, um komplexere Programme zu schreiben. Das Entfernen unnötiger Programme wird also nicht helfen, das Problem zu verhindern. Jedoch wird es für den Angreifer wesentlich schwieriger werden, das System zu kompromittieren (und manchmal wird er in dieser Situation aufgeben und sich ein leichteres Ziel suchen). Wenn Sie also auf einem produktiven System Werkzeuge lassen, die benutzt werden können, um andere Systeme anzugreifen (siehe ), müssen Sie auch davon ausgehen, dass ein Angreifer sie auch benutzen wird.

Beachten Sie bitte, dass eine Standardinstallation von Debian Sarge (d.h. eine Installation, bei der nicht individuell Pakete ausgewählt werden) einige Pakete zur Softwareentwicklung installieren wird, die normalerweise nicht benötigt werden. Das liegt daran, dass einige Pakete zur Softwareentwicklung die Priorität Standard haben. Wenn Sie keine Software entwickeln, können Sie ohne Bedenken die folgenden Pakete von Ihrem System entfernen, was nebenbei auch etwas Platz schafft: Paket Größe ------------------------+-------- gdb 2.766.822 gcc-3.3 1.570.284 dpkg-dev 166.800 libc6-dev 2.531.564 cpp-3.3 1.391.346 manpages-dev 1.081.408 flex 257.678 g++ 1.384 (Hinweis: virtuelles Paket) linux-kernel-headers 1.377.022 bin86 82.090 cpp 29.446 gcc 4.896 (Hinweis: virtuelles Paket) g++-3.3 1.778.880 bison 702.830 make 366.138 libstdc++5-3.3-dev 774.982

Dieses Verhalten wurde in den Veröffentlichungen nach Sarge verändert. Für weitere Informationen sehen Sie sich und an. Wegen eines Fehlers im Installationssystem ist dies nicht geschehen, wenn mit dem Installationssystem von Debian 3.0 Woody installiert wird. Entfernen von Perl

Sie müssen bedenken, dass es nicht gerade einfach ist, Perl von einem Debian-System zu entfernen (in der Tat kann es ziemlich schwierig werden), da es von vielen Dienstprogrammen benutzt wird. perl-base hat außerdem Priority: required (und das sagt eigentlich schon alles). Es ist aber trotzdem machbar. Allerdings können Sie auf diesem System keine Perl-Anwendung mehr laufen lassen. Außerdem müssen Sie auch das Paket-Management-System hereinlegen, damit es weiterhin denkt, dass perl-base installiert ist, auch wenn es das nicht mehr ist. Sie können (auf einem anderen System) eine Paket-Attrappe mit equivs erstellen.

Welche Dienstprogramme benutzen Perl? Sie können es selbst herausfinden: $ for i in /bin/* /sbin/* /usr/bin/* /usr/sbin/*; do [ -f $i ] && { type=`file $i | grep -il perl`; [ -n "$type" ] && echo $i; }; done

Diese Liste schließt die folgenden Dienstprogramme mit der Priorität required oder important ein: /usr/bin/chkdupexe aus dem Paket util-linux. /usr/bin/replay aus dem Paket bsdutils. /usr/sbin/cleanup-info aus dem Paket dpkg. /usr/sbin/dpkg-divert aus dem Paket dpkg. /usr/sbin/dpkg-statoverride aus dem Paket dpkg. /usr/sbin/install-info aus dem Paket dpkg. /usr/sbin/update-alternatives aus dem Paket dpkg. /usr/sbin/update-rc.d aus dem Paket sysvinit. /usr/bin/grog aus dem Paket groff-base. /usr/sbin/adduser aus dem Paket adduser. /usr/sbin/debconf-show aus dem Paket debconf. /usr/sbin/deluser aus dem Paket adduser. /usr/sbin/dpkg-preconfigure aus dem Paket debconf. /usr/sbin/dpkg-reconfigure aus dem Paket debconf. /usr/sbin/exigrep aus dem Paket exim. /usr/sbin/eximconfig aus dem Paket exim. /usr/sbin/eximstats aus dem Paket exim. /usr/sbin/exim-upgrade-to-r3 aus dem Paket exim. /usr/sbin/exiqsumm aus dem Paket exim. /usr/sbin/keytab-lilo aus dem Paket lilo. /usr/sbin/liloconfig aus dem Paket lilo. /usr/sbin/lilo_find_mbr aus dem Paket lilo. /usr/sbin/syslogd-listfiles aus dem Paket sysklogd. /usr/sbin/syslog-facility aus dem Paket sysklogd. /usr/sbin/update-inetd aus dem Paket netbase.

Ohne Perl und solange Sie diese Dienstprogramme nicht in einem Shell-Skript neu schreiben, werden Sie also wahrscheinlich keine Pakete mehr verwalten können (und so das System nicht upgraden können, und das ist keine gute Idee).

Wenn Sie sich dazu entschlossen haben, Perl aus dem Debian-Basis-System zu entfernen und ein wenig Freizeit haben, schicken Sie uns doch Fehlerberichte zu den aufgezählten Paketen, die (als ein Patch) einen Ersatz dieser Dienstprogramme als Shell-Skript enthalten.

Wenn Sie wissen wollen, welche Debian-Pakete von Perl abhängen, können Sie Folgendes verwenden: $ grep-available -s Package,Priority -F Depends perl

oder $ apt-cache rdepends perl Lesen Sie Debians Sicherheits-Mailinglisten

Es ist niemals falsch, einen Blick in die debian-security-announce Mailingliste zu werfen, wo Anleitungen und Problemlösungen durch das Debian-Sicherheits-Team bekannt gemacht werden, oder sich an zu beteiligen, wo Sie an Diskussionen zu allen sicherheitsrelevanten Fragen teilnehmen können.

Um wichtige Warnungen zu Sicherheitsaktualisierungen zu erhalten, senden Sie eine E-Mail an mit dem Wort "subscribe" in der Betreffzeile. Sie können diese moderierte E-Mail-Liste unter auch über das Web abonnieren.

Diese Mailingliste hat ein sehr geringes Aufkommen, und indem Sie sie abonnieren, werden Sie sofort über Sicherheitsaktualisierungen der Debian-Distribution informiert. Dies erlaubt Ihnen sehr schnell, neue Pakete mit Sicherheitsaktualisierungen herunterzuladen, was sehr wichtig ist, um ein sicheres System zu verwalten (siehe für weitere Details, wie Sie dies machen). harden-doc-3.15.1/howto-source/de/after-compromise.sgml0000644000000000000000000003053410643704617017676 0ustar Nach einer Kompromittierung (Reaktion auf einem Vorfall) Allgemeines Verhalten

Wenn Sie während eines Angriffs physisch anwesend sind, sollte Ihre erste Reaktion sein, den Rechner vom Netzwerk zu trennen, indem Sie das Kabel aus der Netzwerkkarte ziehen (wenn das keinen nachteiligen Einfluss auf Ihre Geschäfte hat). Das Netzwerk auf Schicht 1 abzuschalten ist der einzig wirklich erfolgreiche Weg, um den Angreifer aus dem gehackten Rechner herauszuhalten (weiser Ratschlag von Phillip Hofmeister).

Allerdings können einige Werkzeuge, die durch Rootkits, Trojaner oder sogar unehrlichen Benutzern über eine Hintertür installiert wurden, diesen Vorgang erkennen und auf ihn reagieren. Es ist nicht wirklich lustig, wenn Sie sehen, dass rm -rf / ausgeführt wird, wenn Sie das Netzwerkkabel ziehen. Wenn Sie nicht bereit sind, dieses Risiko einzugehen, und Sie sich sicher sind, dass in das System eingebrochen wurde, sollten Sie das Stromkabel herausziehen (alle, wenn es mehr als eines gibt) und Ihre Daumen drücken. Das hört sich zwar extrem an, verhindert aber tatsächlich eine Logikbombe, die ein Eindringling programmiert haben könnte. Auf jeden Fall sollte ein kompromittiertes System nicht neugestartet werden. Entweder sollten die Festplatten in einem anderen System analysiert werden, oder Sie sollten ein anderes Medium (eine CD-ROM) benutzen, um das System zu booten und zu analysieren. Sie sollten nicht die Rettungsdisk von Debian verwenden, um das System zu starten. Sie können aber die Shell auf der Installationsdisk benutzen (wie Sie wissen, erreichen Sie sie mit Alt+F2), um das System zu analysieren. Wenn Sie abenteuerlustig sind, sollten Sie sich am System anmelden und die Informationen aller laufenden Prozesse speichern (Sie bekommen eine Menge aus /proc/nnn/). Es ist möglich, den gesamten ausführbaren Code aus dem Arbeitsspeicher zu ziehen, sogar dann, wenn der Angreifer die ausführbaren Dateien von der Festplatte gelöscht hat. Ziehen Sie danach das Stromkabel.

Die beste Methode, um ein gehacktes System wiederherzustellen, ist, ein Live-Dateisystem auf einer CD-ROM mit allen Programmen (und Kernel-Modulen) zu verwenden, die Sie brauchen, um auf das eingebrochene System zugreifen zu können. Sie können das Paket mkinitrd-cd benutzen, um eine solche CD-ROM zu erstellen Das ist auch das Werkzeug, mit dem die CD-ROMs für das Projekt erstellt werden. Das ist eine Firewall auf einer Live-CD-ROM, die auf der Debian-Distribution beruht. . Auch die CD-ROM von (früher als Biatchux bekannt) könnte hilfreich sein, da diese Live-CD-ROM forensische Werkzeuge enthält, die in solchen Situationen nützlich sind. Es gibt (noch) kein Programm wie dieses, das auf Debian basiert. Es gibt auch keinen leichten Weg, eine CD-ROM mit Ihrer Auswahl von Debian-Paketen und mkinitrd-cd zu erstellen. Daher werden Sie die Dokumentation lesen müssen, wie Sie Ihre eigenen CD-ROMs machen.

Wenn Sie eine Kompromittierung wirklich schnell reparieren wollen, sollten Sie den kompromittierten Rechner aus dem Netzwerk entfernen und das Betriebssystem von Grund auf neu installieren. Dies könnte natürlich nicht sehr wirkungsvoll sein, da Sie nicht erfahren, wie der Eindringling zuvor Root-Rechte bekommen hat. Um das herauszufinden, müssen Sie alles prüfen: Firewall, Integrität der Dateien, Log-Host, Log-Dateien und so weiter. Weitere Informationen, was Sie nach einem Einbruch unternehmen sollten, finden Sie in oder in Sans' .

Einige häufige Fragen, wie mit einem gehackten Debian-GNU/Linux-System umzugehen ist, sind unter zu finden. Anlegen von Sicherheitskopien Ihres Systems

Wenn Sie sich sicher sind, dass das System kompromittiert wurde, vergessen Sie nicht, dass Sie weder der installierten Software noch irgendwelchen Informationen, die es an Sie liefert, vertrauen können. Anwendungen könnten von einem Trojaner befallen sein, Kernel-Module könnten installiert worden sein, usw.

Am besten ist es, eine komplette Sicherheitskopie Ihres Dateisystems (mittels dd) zu erstellen, nachdem Sie von einem sicheren Medium gebootet haben. Debian GNU/Linux CD-ROMs können dazu nützlich sein, da sie auf Konsole zwei eine Shell anbieten, nachdem die Installation gestartet wurde (mit Alt+2 und Enter aktivieren Sie sie). Von dieser Shell aus sollten Sie eine Sicherheitskopie möglichst auf einem anderen Host erstellen (vielleicht auf einen Netzwerk-File-Server über NFS/FTP). Dadurch kann eine Analyse des Einbruchs oder eine Neuinstallation durchgeführt werden, während das betroffene System offline ist.

Wenn Sie sich sicher sind, dass es sich lediglich um ein trojanisiertes Kernel-Modul handelt, können Sie versuchen, das Kernel-Image von der Debian-CD-ROM im rescue-Modus zu laden. Stellen Sie sicher, dass Sie im single-Modus starten, so dass nach dem Kernel keine weiteren Trojaner-Prozesse gestartet werden. Setzen Sie sich mit dem lokalen CERT in Verbindung

Das CERT (Computer and Emergency Response Team) ist eine Organisation, die Ihnen helfen kann, Ihr System nach einem Einbruch wiederherzustellen. Es gibt CERTs weltweit Dies ist eine Liste einiger CERTs. Eine vollständige Liste erhalten Sie unter (FIRST ist das Forum von Incident Response and Security Teams): (Australien), (Mexiko) (Finnland), (Deutschland), (Deutschland), (Italien), (Japan), (Norwegen), (Kroatien) (Polen), (Russland), (Slowenien) (Spanien), (Schweiz), (Taiwan), und (USA). . Sie sollten mit dem lokalen CERT Verbindung aufnehmen, wenn sich ein sicherheitsrelevanter Vorfall ereignet hat, der zu einem Einbruch in Ihr System geführt hat. Die Menschen im lokalen CERT können Ihnen helfen, Ihr System wiederherzustellen.

Selbst wenn Sie keine Hilfe benötigen, kann es anderen helfen, wenn Sie dem lokalen CERT (oder dem Koordinationszentrum des CERTs) Informationen des Einbruchs zur Verfügung stellen. Die gesammelten Informationen von gemeldeten Vorfällen werden verwendet, um herauszufinden, ob eine bestimmte Verwundbarkeit weit verbreitet ist, ob sich ein neuer Wurm ausbreitet oder welche neuen Angriffswerkzeuge eingesetzt werden. Diese Informationen werden benutzt, um die Internet-Gemeinschaft mit Informationen über die zu versorgen und um und sogar zu veröffentlichen. Ausführliche Informationen, wie (und warum) ein Vorfall gemeldet wird, können Sie auf nachlesen.

Sie können auch weniger formale Einrichtungen verwenden, wenn Sie Hilfe brauchen, um Ihr System wiederherzustellen, oder wenn Sie Informationen des Vorfalls diskutieren wollen. Dazu zählen die und die . Forensische Analyse

Wenn Sie mehr Informationen sammeln wollen, enthält das Paket tct (The Coroner's Toolkit von Dan Farmer und Wietse Venema) Werkzeuge für eine post mortem-Analyse des Systems. tct erlaubt es dem Benutzer, Informationen über gelöschte Dateien, laufende Prozesse und mehr zu sammeln. Sehen Sie bitte für weitere Informationen in die mitgelieferte Dokumentation. Diese und andere Werkzeuge können auch auf von Brian Carrier, welches ein Web-Frontend zur forensischen Analyse von Disk-Images zur Verfügung stellt, gefunden werden. In Debian befindet sich sowohl sleuthkit (die Werkzeuge) und autopsy (die grafische Oberfläche).

Forensische Analysen sollten immer auf einer Sicherheitskopie der Daten angewendet werden, niemals auf die Daten selbst, da sie durch diese Analyse beeinflusst werden könnten und so Beweismittel zerstört werden würden.

Weiterführende Informationen über forensische Analyse können Sie in Dan Farmers und Wietse Venemas Buch (online verfügbar), in ihrer und in ihrem finden. Eine weitere, sehr gute Quelle für Tipps zur forensischen Analyse ist Brian Carriers Newsletter . Auch die sind eine ausgezeichnete Möglichkeit, Ihre forensischen Fähigkeiten zu verbessern, da sie echte Angriffe auf Honigtopfsysteme umfassen und Herausforderungen bieten, die von der forensischen Analyse von Festplatten bis zu Protokollen der Firewall und Paketerfassung alles beinhalten.

FIXME: This paragraph will hopefully provide more information about forensics in a Debian system in the coming future.

FIXME: Talk on how to do a debsums on a stable system with the MD5sums on CD and with the recovered file system restored on a separate partition.

FIXME: Add pointers to forensic analysis papers (like the Honeynet's reverse challenge or ). Analyse der Malware

Einige andere Programme aus der Debian-Distribution, die für forensische Analyse verwendet werden können, sind: strace. ltrace.

Alle diese Pakete können dazu benutzt werden, um Schurkenprogramme (wie z.B. Hintertüren) zu analysieren, um herauszufinden, wie sie arbeiten und was sie mit dem System anstellen. Einige andere gebräuchliche Werkzeuge sind ldd (in libc6), strings und objdump (beide in binutils).

Wenn Sie eine forensische Analyse von Hintertüren oder verdächtigen Programmen durchführen, die Sie von gehackten Systemen haben, sollten Sie dies in einer sicheren Umgebung durchführen, z.B. in einem bochs-, oder xen-Image oder in einer chroot-Umgebung eines Benutzers mit geringen Rechten. Seien Sie äußerst vorsichtig, wenn Sie Chroots einsetzen wollen, da das Binary durch Ausnutzung eines Kernel-Exploits seine Rechte erweitern und es ihm darüber gelingen könnte, Ihr System zu infizieren. Andernfalls könnte auch auf Ihrem eigenen System eine Hintertür eingerichtet oder Root-Rechte erlangt werden.

Falls Sie an der Analyse von Malware interessiert sind, sollten Sie das Kapitel aus dem Forensik-Buch vom Dan Farmer und Wietse Venema lesen. harden-doc-3.15.1/howto-source/de/titletoc.sgml0000644000000000000000000000157610505477573016262 0ustar &bookname; &authorname; &authoremail; &version;, &docdate; Dieses Dokument handelt von der Sicherheit im Debian-Projekt und im Betriebssystem Debian. Es beginnt mit dem Prozess, eine Standardinstallation der Debian GNU/Linux-Distribution abzusichern und abzuhärten. Es deckt die gewöhnliche Arbeit ab, eine sichere Netzwerkumgebung mit Debian GNU/Linux zu schaffen, und liefert zusätzliche Informationen über die verfügbaren Sicherheitswerkzeuge. Es befasst sich auch damit, wie die Sicherheit in Debian vom Sicherheits- und Auditteam gewährleistet wird. harden-doc-3.15.1/howto-source/en/0000755000000000000000000000000012015435301013525 5ustar harden-doc-3.15.1/howto-source/en/sec-tools.sgml0000644000000000000000000004601011161265521016330 0ustar Security tools in Debian

FIXME: More content needed.

Debian also provides a number of security tools that can make a Debian box suited for security purposes. These purposes include protection of information systems through firewalls (either packet or application-level), intrusion detection (both network and host based), vulnerability assessment, antivirus, private networks, etc.

Since Debian 3.0 (woody), the distribution features cryptographic software integrated into the main distribution. OpenSSH and GNU Privacy Guard are included in the default install, and strong encryption is now present in web browsers and web servers, databases, and so forth. Further integration of cryptography is planned for future releases. This software, due to export restrictions in the US, was not distributed along with the main distribution but included only in non-US sites. Remote vulnerability assessment tools

The tools provided by Debian to perform remote vulnerability assessment are: Some of them are provided when installing the harden-remoteaudit package. nessus raccess nikto (whisker's replacement)

By far, the most complete and up-to-date tool is nessus, which is composed of a client (nessus) used as a GUI and a server (nessusd) which launches the programmed attacks. Nessus includes remote vulnerabilities for quite a number of systems including network appliances, ftp servers, www servers, etc. The latest security plugins are able even to parse a web site and try to discover which interactive pages are available which could be attacked. There are also Java and Win32 clients (not included in Debian) which can be used to contact the management server.

nikto is a web-only vulnerability assessment scanner including anti-IDS tactics (most of which are not anti-IDS anymore). It is one of the best cgi-scanners available, being able to detect a WWW server and launch only a given set of attacks against it. The database used for scanning can be easily modified to provide for new information. Network scanner tools

Debian does provide some tools used for remote scanning of hosts (but not vulnerability assessment). These tools are, in some cases, used by vulnerability assessment scanners as the first type of "attack" run against remote hosts in an attempt to determine remote services available. Currently Debian provides: nmap xprobe p0f knocker isic hping2 icmpush nbtscan (for SMB /NetBIOS audits) fragrouter strobe (in the netdiag package) irpas

While xprobe provides only remote operating system detection (using TCP/IP fingerprinting), nmap and knocker do both operating system detection and port scanning of the remote hosts. On the other hand, hping2 and icmpush can be used for remote ICMP attack techniques.

Designed specifically for SMB networks, nbtscan can be used to scan IP networks and retrieve name information from SMB-enabled servers, including: usernames, network names, MAC addresses...

On the other hand, fragrouter can be used to test network intrusion detection systems and see if the NIDS can be eluded by fragmentation attacks.

FIXME: Check (ITP fragrouter) to see if it's included.

FIXME add information based on which describes how to use Debian and a laptop to scan for wireless (803.1) networks (link not there any more). Internal audits

Currently, only the tiger tool used in Debian can be used to perform internal (also called white box) audits of hosts in order to determine if the file system is properly set up, which processes are listening on the host, etc. Auditing source code

Debian provides several packages that can be used to audit C/C++ source code programs and find programming errors that might lead to potential security flaws: flawfinder rats splint pscan Virtual Private Networks

A virtual private network (VPN) is a group of two or more computer systems, typically connected to a private network with limited public network access, that communicate securely over a public network. VPNs may connect a single computer to a private network (client-server), or a remote LAN to a private network (server-server). VPNs often include the use of encryption, strong authentication of remote users or hosts, and methods for hiding the private network's topology.

Debian provides quite a few packages to set up encrypted virtual private networks: vtun tunnelv (non-US section) cipe-source, cipe-common tinc secvpn pptpd openvpn openswan ()

FIXME: Update the information here since it was written with FreeSWAN in mind. Check Bug #237764 and Message-Id: <200412101215.04040.rmayr@debian.org>.

The OpenSWAN package is probably the best choice overall, since it promises to interoperate with almost anything that uses the IP security protocol, IPsec (RFC 2411). However, the other packages listed above can also help you get a secure tunnel up in a hurry. The point to point tunneling protocol (PPTP) is a proprietary Microsoft protocol for VPN. It is supported under Linux, but is known to have serious security issues.

For more information see the (covers IPsec and PPTP), (covers PPP over SSH), , and .

Also worth checking out is , but no Debian packages seem to be available yet. Point to Point tunneling

If you want to provide a tunneling server for a mixed environment (both Microsoft operating systems and Linux clients) and IPsec is not an option (since it's only provided for Windows 2000 and Windows XP), you can use PoPToP (Point to Point Tunneling Server), provided in the pptpd package.

If you want to use Microsoft's authentication and encryption with the server provided in the ppp package, note the following from the FAQ: It is only necessary to use PPP 2.3.8 if you want Microsoft compatible MSCHAPv2/MPPE authentication and encryption. The reason for this is that the MSCHAPv2/MPPE patch currently supplied (19990813) is against PPP 2.3.8. If you don't need Microsoft compatible authentication/encryption any 2.3.x PPP source will be fine.

However, you also have to apply the kernel patch provided by the kernel-patch-mppe package, which provides the pp_mppe module for pppd.

Take into account that the encryption in pptp forces you to store user passwords in clear text, and that the MS-CHAPv2 protocol contains . Public Key Infrastructure (PKI)

Public Key Infrastructure (PKI) is a security architecture introduced to provide an increased level of confidence for exchanging information over insecure networks. It makes use of the concept of public and private cryptographic keys to verify the identity of the sender (signing) and to ensure privacy (encryption).

When considering a PKI, you are confronted with a wide variety of issues: a Certificate Authority (CA) that can issue and verify certificates, and that can work under a given hierarchy. a Directory to hold user's public certificates. a Database (?) to maintain Certificate Revocation Lists (CRL). devices that interoperate with the CA in order to print out smart cards/USB tokens/whatever to securely store certificates. certificate-aware applications that can use certificates issued by a CA to enroll in encrypted communication and check given certificates against CRL (for authentication and full Single Sign On solutions). a Time stamping authority to digitally sign documents. a management console from which all of this can be properly used (certificate generation, revocation list control, etc...).

Debian GNU/Linux has software packages to help you with some of these PKI issues. They include OpenSSL (for certificate generation), OpenLDAP (as a directory to hold the certificates), gnupg and openswan (with X.509 standard support). However, as of the Woody release (Debian 3.0), Debian does not have any of the freely available Certificate Authorities such as pyCA, or the CA samples from OpenSSL. For more information read the . SSL Infrastructure

Debian does provide some SSL certificates with the distribution so that they can be installed locally. They are found in the ca-certificates package. This package provides a central repository of certificates that have been submitted to Debian and approved (that is, verified) by the package maintainer, useful for any OpenSSL applications which verify SSL connections.

FIXME: read debian-devel to see if there was something added to this. Antivirus tools

There are not many anti-virus tools included with Debian GNU/Linux, probably because GNU/Linux users are not plagued by viruses. The Unix security model makes a distinction between privileged (root) processes and user-owned processes, therefore a "hostile" executable that a non-root user receives or creates and then executes cannot "infect" or otherwise manipulate the whole system. However, GNU/Linux worms and viruses do exist, although there has not (yet, hopefully) been any that has spread in the wild over any Debian distribution. In any case, administrators might want to build up anti-virus gateways that protect against viruses arising on other, more vulnerable systems in their network.

Debian GNU/Linux currently provides the following tools for building antivirus environments: , provided since Debian sarge (3.1 release). Packages are provided both for the virus scanner (clamav) for the scanner daemon (clamav-daemon) and for the data files needed for the scanner. Since keeping an antivirus up-to-date is critical for it to work properly there are two different ways to get this data: clamav-freshclam provides a way to update the database through the Internet automatically and clamav-data which provides the data files directly. If you use this last package and are running an official Debian, the database will not be updated with security updates. You should either use clamav-freshclam, clamav-getfiles to generate new clamav-data packages or update from the maintainers location: deb http://people.debian.org/~zugschlus/clamav-data/ / deb-src http://people.debian.org/~zugschlus/clamav-data/ / mailscanner an e-mail gateway virus scanner and spam detector. Using sendmail or exim as its basis, it can use more than 17 different virus scanning engines (including clamav). libfile-scan-perl which provides File::Scan, a Perl extension for scanning files for viruses. This modules can be used to make platform independent virus scanners. , provided in the package amavis-ng and available in sarge, which is a mail virus scanner which integrates with different MTA (Exim, Sendmail, Postfix, or Qmail) and supports over 15 virus scanning engines (including clamav, File::Scan and openantivirus). , a tool that uses the procmail package, which can scan email attachments for viruses, block attachments based on their filenames, and more. , a script that provides an interface from a mail transport agent to one or more commercial virus scanners (this package is built with support for the postfix MTA only). exiscan, an e-mail virus scanner written in Perl that works with Exim. blackhole-qmail a spam filter for Qmail with built-in support for Clamav.

Some gateway daemons already support tool extensions to build antivirus environments, including exim4-daemon-heavy (the heavy version of the Exim MTA), frox (a transparent caching ftp proxy server), messagewall (an SMTP proxy daemon) and pop3vscan (a transparent POP3 proxy).

Debian currently provides clamav as the only antivirus scanning software in the main official distribution, and it also provides multiple interfaces to build gateways with antivirus capabilities for different protocols.

Some other free software antivirus projects which might be included in future Debian GNU/Linux releases: (see and ).

FIXME: Is there a package that provides a script to download the latest virus signatures from ?

FIXME: Check if scannerdaemon is the same as the open antivirus scanner daemon (read ITPs).

However, Debian will never provide proprietary (non-free and undistributable) antivirus software such as: Panda Antivirus, NAI Netshield, , , or . For more pointers see the . This does not mean that this software cannot be installed properly in a Debian system. Actually, there is an installer package for the F-prot antivirus, which is non-free but gratis for home users, called f-prot-installer. This installer, however, just downloads and installs it in the system.

For more information on how to set up a virus detection system read Dave Jones' article . GPG agent

It is very common nowadays to digitally sign (and sometimes encrypt) e-mail. You might, for example, find that many people participating on mailing lists sign their list e-mail. Public key signatures are currently the only means to verify that an e-mail was sent by the sender and not by some other person.

Debian GNU/Linux provides a number of e-mail clients with built-in e-mail signing capabilities that interoperate either with gnupg or pgp: evolution. mutt. kmail. icedove (rebranded version of Mozilla's Thunderbird) through the plugin. This plugin is provided by the enigmail package. sylpheed. Depending on how the stable version of this package evolves, you may need to use the bleeding edge version, sylpheed-claws. gnus, which when installed with the mailcrypt package, is an emacs interface to gnupg. kuvert, which provides this functionality independently of your chosen mail user agent (MUA) by interacting with the mail transport agent (MTA).

Key servers allow you to download published public keys so that you may verify signatures. One such key server is . gnupg can automatically fetch public keys that are not already in your public keyring. For example, to configure gnupg to use the above key server, edit the file ~/.gnupg/options and add the following line: For more examples of how to configure gnupg check /usr/share/doc/mutt/examples/gpg.rc. keyserver wwwkeys.pgp.net

Most key servers are linked, so that when your public key is added to one server, the addition is propagated to all the other public key servers. There is also a Debian GNU/Linux package debian-keyring, that provides all the public keys of the Debian developers. The gnupg keyrings are installed in /usr/share/keyrings/.

For more information: . . . . . harden-doc-3.15.1/howto-source/en/before-compromise.sgml0000644000000000000000000011636610675457730020067 0ustar Before the compromise Keep your system secure

You should strive to keep your system secure by monitoring its usage and also the vulnerabilities that might affect it, patching them as soon as patches are available. Even though you might have installed a really secure system initially you have to remember that security in a system degrades with time, security vulnerabilities might be found for exposed system services and users might expose the system security either because of lack of understanding (e.g. accessing a system remotely with a clear-text protocol or using easy to guess passwords) or because they are actively trying to subvert the system's security (e.g. install additional services locally on their accounts). Tracking security vulnerabilities

Although most administrators are aware of security vulnerabilities affecting their systems when they see a patch that is made available, you can strive to keep ahead of attacks and introduce temporary countermeasures for security vulnerabilities by detecting when your system is vulnerable. This is especially true when running an exposed system (i.e. connected to the Internet) and providing a service. In such a case the system's administrators should take care to monitor known information sources to be the first to know when a vulnerability is detected that might affect a critical service.

This typically includes subscribing to the announcement mailing lists, project websites or bug tracking systems provided by the software developers for a specific piece of code. For example, Apache users should regularly review Apache's and subscribe to the mailing list.

In order to track known vulnerabilities affecting the Debian distribution, the Debian Testing Security Team provides a that lists all the known vulnerabilities which have not been yet fixed in Debian packages. The information in that tracker is obtained through different public channels and includes known vulnerabilities which are available either through security vulnerability databases or . Administrators can search for the known security issues being tracked for , , , or .

The tracker has searchable interfaces (by name and package name) and some tools (such as debsecan, see ) use that database to provide information of vulnerabilities affecting a given system which have not yet been addressed (i.e. those who are pending a fix).

Conscious administrators can use that information to determine which security bugs might affect the system they are managing, determine the severity of the bug and apply (if available) temporary countermeasures before a patch is available fixing this issue.

Security issues tracked for releases supported by the Debian Security Team should eventually be handled through Debian Security Advisories (DSA) and will be available for all users (see ). Once security issues are fixed through an advisory they will not be available in the tracker, but you will be able to search security vulnerabilities (by CVE name) using the available for published DSAs.

Notice, however, that the information tracked by the Debian Testing Security Team only involves disclosed vulnerabilities (i.e. those already public). In some occasions the Debian Security Team might be handling and preparing DSAs for packages based on undisclosed information provided to them (for example, through closed vendor mailing lists or by upstream maintainers of software). So do not be surprised to find security issues that only show up as an advisory but never get to show up in the security tracker. Continuously update the system

You should conduct security updates frequently. The vast majority of exploits result from known vulnerabilities that have not been patched in time, as this (presented at the 2001 IEEE Symposium on Security and Privacy) explains. Updates are described under . Manually checking which security updates are available

Debian does have a specific tool to check if a system needs to be updated but many users will just want to manually check if any security updates are available for their system.

If you have configured your system as described in you just need to do: # apt-get update # apt-get upgrade -s [ ... review packages to be upgraded ... ] # apt-get upgrade # checkrestart [ ... restart services that need to be restarted ... ]

And restart those services whose libraries have been updated if any. Note: Read for more information on library (and kernel) upgrades.

The first line will download the list of packages available from your configured package sources. The -s will do a simulation run, that is, it will not download or install the packages but rather tell you which ones should be downloaded/installed. From the output you can derive which packages have been fixed by Debian and are available as a security update. Sample: # apt-get upgrade -s Reading Package Lists... Done Building Dependency Tree... Done 2 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded. Inst cvs (1.11.1p1debian-8.1 Debian-Security:3.0/stable) Inst libcupsys2 (1.1.14-4.4 Debian-Security:3.0/stable) Conf cvs (1.11.1p1debian-8.1 Debian-Security:3.0/stable) Conf libcupsys2 (1.1.14-4.4 Debian-Security:3.0/stable)

In this example, you can see that the system needs to be updated with new cvs and cupsys packages which are being retrieved from woody's security update archive. If you want to understand why these packages are needed, you should go to and check which recent Debian Security Advisories have been published related to these packages. In this case, the related DSAs are (for cvs) and (for cupsys).

Notice that you will need to reboot your system if there has been a kernel upgrade. Checking for updates at the Desktop

Since Debian 4.0 lenny Debian provides and installs in a default installation update-notifier. This is a GNOME application that will startup when you enter your Desktop and can be used to keep track of updates available for your system and install them. It uses update-manager for this.

In a stable system updates are only available when a security patch is available or at point releases. Consequently, if the system is properly configured to receive security updates as described in and you have a cron task running to update the package information you will be notified through an icon in the desktop notification area.

The notification is not intrusive and users are not forced to install updates. From the notification icon a desktop user (with the administrator's password) can access a simple GUI to show available updates and install them.

This application works by checking the package database and comparing the system with its contents. If the package database is updated periodically through a cron task then the contents of the database will be newer than the packages installed in the system and the application will notify you.

Apt installs such a task (/etc/cron.d/apt) which will run based on Apt's configuration (more specifically APT::Periodic). In the GNOME environment this configuration value can be adjusted by going to System > Admin > Software origins > Updates, or running /usr/bin/software-properties.

If the system is set to download the packages list daily but not download the packages themselves your /etc/apt/apt.conf.d/10periodic should look like this: APT::Periodic::Update-Package-Lists "1"; APT::Periodic::Download-Upgradeable-Packages "0";

You can use a different cron task, such as the one installed by cron-apt (see ). You can also just manually check for upgrades using this application.

Users of the KDE desktop environment will probably prefer to install adept and adept-notifier instead which offers a similar functionality but is not part of the standard installation. Automatically checking for updates with cron-apt

Another method for automatic security updates is the use of cron-apt. This package provides a tool to update the system at regular intervals (using a cron job), and can also be configured to send mails to the system administrator using the local mail transport agent. It will just update the package list and download new packages by default but it can be configured to automatically install new updates.

Notice that you might want to check the distribution release, as described in , if you intend to automatically update your system (even if only downloading the packages). Otherwise, you cannot be sure that the downloaded packages really come from a trusted source.

More information is available at the . Automatically checking for security issues with debsecan

The debsecan program evaluates the security status of by reporting both missing security updates and security vulnerabilities. Unlike cron-apt, which only provides information related to available security updates, this tool obtains information from the security vulnerability database maintained by the Debian Security Team, which also includes information on vulnerabilities that are not yet fixed through a security update. Consequently, it is more efficient at helping administrators track security vulnerabilities (as described in ).

Upon installing the Debian package debsecan, and if the administrator consents to it, it will generate a cron task that will make it run and send the output to a specific user whenever it finds a vulnerable package. It will also download the information from the Internet. The location of the security database is also one of the questions asked on installation and is later defined in /etc/default/debsecan; it can be easily adjusted for systems that do not have Internet access so that they all pull from a local mirror, so that there is a single point that accesses the vulnerability database.

Notice, however, that the Security Team tracks many vulnerabilities including low-risk issues which might not be fixed through a security update and some vulnerabilities initially reported as affecting Debian might, later on, upon investigation, be dismissed. Debsecan will report on all the vulnerabilities, which makes it quite a bit more verbose than the other tools described above.

More information is available at the . Other methods for security updates

There is also apticron, which, similarly to cron-apt, will check for updates and send mails to the administrator. More information on apticron is available at the .

You might also want to take a look at which is an unofficial program to do security updates from security.debian.org with signature checking written by Fruhwirth Clemens. Or to the Nagios Plugin written by Dean Wilson. Avoid using the unstable branch

Unless you want to dedicate time to patch packages yourself when a vulnerability arises, you should not use Debian's unstable branch for production-level systems. The main reason for this is that there are no security updates for unstable (see ).

The fact is that some security issues might appear in unstable and not in the stable distribution. This is due to new functionality constantly being added to the applications provided there, as well as new applications being included which might not yet have been thoroughly tested.

In order to do security upgrades in the unstable branch, you might have to do full upgrades to new versions (which might update much more than just the affected package). Although there have been some exceptions, security patches are usually only backported into the stable branch. The main idea being that between updates, no new code should be added, just fixes for important issues.

Notice, however, that you can use the security tracker (as described in ) to track known security vulnerabilities affecting this branch. Security support for the testing branch

If you are using the testing branch, there are some issues that you must take into account regarding the availability of security updates: When a security fix is prepared, the Security Team backports the patch to stable (since stable is usually some minor or major versions behind). Package maintainers are responsible for preparing packages for the unstable branch, usually based on a new upstream release. Sometimes the changes happen at nearly the same time and sometimes one of the releases gets the security fix before. Packages for the stable distribution are more thoroughly tested than unstable, since the latter will in most cases provide the latest upstream release (which might include new, unknown bugs). Security updates are available for the unstable branch usually when the package maintainer makes a new package and for the stable branch when the Security Team make a new upload and publish a DSA. Notice that neither of these change the testing branch. If no (new) bugs are detected in the unstable version of the package, it moves to testing after several days. The time this takes is usually ten days, although that depends on the upload priority of the change and whether the package is blocked from entering testing by its dependency relationships. Note that if the package is blocked from entering testing the upload priority will not change the time it takes to enter.

This behavior might change based on the release state of the distribution. When a release is almost imminent, the Security Team or package maintainers might provide updates directly to testing.

Additionally, the can issue Debian Testing Security Advisories (DTSAs) for packages in the testing branch if there is an immediate need to fix a security issue in that branch and it cannot wait for the normal procedure (or the normal procedure is being blocked by some other packages).

Users willing to take advantage of this support should add the following lines to their /etc/apt/sources.list (instead of the lines described in ): deb http://security.debian.org testing/updates main contrib non-free # This line makes it possible to download source packages too deb-src http://security.debian.org testing/updates main contrib non-free

For additional information on this support please read the . This support officially started in in a separate repository and was later integrated into the main security archive.

Automatic updates in a Debian GNU/Linux system

First of all, automatic updates are not fully recommended, since administrators should review the DSAs and understand the impact of any given security update.

If you want to update your system automatically you should: Configure apt so that those packages that you do not want to update stay at their current version, either with apt's pinning feature or marking them as hold with dpkg or dselect.

To pin the packages under a given release, you must edit /etc/apt/preferences (see ) and add: Package: * Pin: release a=stable Pin-Priority: 100

FIXME: verify if this configuration is OK. Either use cron-apt as described in and enable it to install downloaded packages or add a cron entry yourself so that the update is run daily, for example: apt-get update && apt-get -y upgrade

The -y option will have apt assume 'yes' for all the prompts that might arise during the update. In some cases, you might want to use the --trivial-only option instead of the --assume-yes (equivalent to -y). You may also want to use the --quiet (-q) option to reduce the output of apt-get, which will stop the generation of any output if no packages are installed. Configure debconf so no questions will be asked during upgrades, so that they can be done non-interactively. Note that some packages might not use debconf and updates will stall due to packages asking for user input during configuration. Check the results of the cron execution, which will be mailed to the superuser (unless changed with MAILTO environment variable in the script).

A safer alternative might be to use the -d (or --download-only) option, which will download but not install the necessary packages. Then if the cron execution shows that the system needs to be updated, it can be done manually.

In order to accomplish any of these tasks, the system must be properly configured to download security updates as discussed in .

However, this is not recommended for unstable without careful analysis, since you might bring your system into an unusable state if some serious bug creeps into an important package and gets installed in your system. Testing is slightly more secure with regard to this issue, since serious bugs have a better chance of being detected before the package is moved into the testing branch (although, you may have no security updates available whatsoever).

If you have a mixed distribution, that is, a stable installation with some packages updated to testing or unstable, you can fiddle with the pinning preferences as well as the --target-release option in apt-get to update only those packages that you have updated. This is a common issue since many users want to maintain a stable system while updating some packages to unstable to gain the latest functionality. This need arises due to some projects evolving faster than the time between Debian's stable releases. Do periodic integrity checks

Based on the baseline information you generated after installation (i.e. the snapshot described in ), you should be able to do an integrity check from time to time. An integrity check will be able to detect filesystem modifications made by an intruder or due to a system administrator's mistake.

Integrity checks should be, if possible, done offline. An easy way to do this is using a Live CD, such as which includes both the file integrity tools and the integrity database for your system. That is, without using the operating system of the system to review, in order to avoid a false sense of security (i.e. false negatives) produced by, for example, installed rootkits. The integrity database that the system is checked against should also be used from read-only media.

You can consider doing integrity checks online using any of the filesystem integrity tools available (described in ) if taking offline the system is not an option. However, precaution should be taken to use a read-only integrity database and also assure that the integrity checking tool (and the operating system kernel) has not been tampered with.

Some of the tools mentioned in the integrity tools section, such as aide, integrit or samhain are already prepared to do periodic reviews (through the crontab in the first two cases and through a standalone daemon in samhain) and can warn the administrator through different channels (usually e-mail, but samhain can also send pages, SNMP traps or syslog alerts) when the filesystem changes.

Of course, if you execute a security update of the system, the snapshot taken for the system should be re-taken to accommodate the changes done by the security update. Set up Intrusion Detection

Debian GNU/Linux includes tools for intrusion detection, which is the practice of detecting inappropriate or malicious activity on your local system, or other systems in your private network. This kind of defense is important if the system is very critical or you are truly paranoid. The most common approaches to intrusion detection are statistical anomaly detection and pattern-matching detection.

Always be aware that in order to really improve the system's security with the introduction of any of these tools, you need to have an alert+response mechanism in place. Intrusion detection is a waste of time if you are not going to alert anyone.

When a particular attack has been detected, most intrusion detection tools will either log the event with syslogd or send e-mail to the root user (the mail recipient is usually configurable). An administrator has to properly configure the tools so that false positives do not trigger alerts. Alerts may also indicate an ongoing attack and might not be useful, say, one day later, since the attack might have already succeeded. So be sure that there is a proper policy on handling alerts and that the technical mechanisms to implement this policy are in place.

An interesting source of information is Network based intrusion detection

Network based intrusion detection tools monitor the traffic on a network segment and use this information as a data source. Specifically, the packets on the network are examined, and they are checked to see if they match a certain signature.

snort is a flexible packet sniffer or logger that detects attacks using an attack signature dictionary. It detects a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and much more. snort also has real-time alerting capability. You can use snort for a range of hosts on your network as well as for your own host. This is a tool which should be installed on every router to keep an eye on your network. Just install it with apt-get install snort, follow the questions, and watch it log. For a little broader security framework, see .

Debian's snort package has many security checks enabled by default. However, you should customize the setup to take into account the particular services you run on your system. You may also want to seek additional checks specific to these services.

There are other, simpler tools that can be used to detect network attacks. portsentry is an interesting package that can tip you off to port scans against your hosts. Other tools like ippl or iplogger will also detect some IP (TCP and ICMP) attacks, even if they do not provide the kind of advanced techniques snort does.

You can test any of these tools with the Debian package idswakeup, a shell script which generates false alarms, and includes many common attack signatures. Host based intrusion detection

Host based intrusion detection involves loading software on the system to be monitored which uses log files and/or the system's auditing programs as a data source. It looks for suspicious processes, monitors host access, and may even monitor changes to critical system files.

tiger is an older intrusion detection tool which has been ported to Debian since the Woody branch. tiger provides checks of common issues related to security break-ins, like password strength, file system problems, communicating processes, and other ways root might be compromised. This package includes new Debian-specific security checks including: MD5sums checks of installed files, locations of files not belonging to packages, and analysis of local listening processes. The default installation sets up tiger to run each day, generating a report that is sent to the superuser about possible compromises of the system.

Log analysis tools, such as logcheck can also be used to detect intrusion attempts. See .

In addition, packages which monitor file system integrity (see ) can be quite useful in detecting anomalies in a secured environment. It is most likely that an effective intrusion will modify some files in the local file system in order to circumvent local security policy, install Trojans, or create users. Such events can be detected with file system integrity checkers. Avoiding root-kits Loadable Kernel Modules (LKM)

Loadable kernel modules are files containing dynamically loadable kernel components used to expand the functionality of the kernel. The main benefit of using modules is the ability to add additional devices, like an Ethernet or sound card, without patching the kernel source and recompiling the entire kernel. However, crackers are now using LKMs for root-kits (knark and adore), opening up back doors in GNU/Linux systems.

LKM back doors are more sophisticated and less detectable than traditional root-kits. They can hide processes, files, directories and even connections without modifying the source code of binaries. For example, a malicious LKM can force the kernel into hiding specific processes from procfs, so that even a known good copy of the binary ps would not list accurate information about the current processes on the system. Detecting root-kits

There are two approaches to defending your system against LKM root-kits, a proactive defense and a reactive defense. The detection work can be simple and painless, or difficult and tiring, depending on the approach taken. Proactive defense

The advantage of this kind of defense is that it prevents damage to the system in the first place. One such strategy is getting there first, that is, loading an LKM designed to protect the system from other malicious LKMs. A second strategy is to remove capabilities from the kernel itself. For example, you can remove the capability of loadable kernel modules entirely. Note, however, that there are rootkits which might work even in this case: there are some that tamper with /dev/kmem (kernel memory) directly to make themselves undetectable.

Debian GNU/Linux has a few packages that can be used to mount a proactive defense: lcap - A user friendly interface to remove capabilities (kernel-based access control) in the kernel, making the system more secure. For example, executing lcap CAP_SYS_MODULE will remove module loading capabilities (even for the root user). (There are over 28 capabilities including: CAP_BSET, CAP_CHOWN, CAP_FOWNER, CAP_FSETID, CAP_FS_MASK, CAP_FULL_SET, CAP_INIT_EFF_SET, CAP_INIT_INH_SET, CAP_IPC_LOCK, CAP_IPC_OWNER, CAP_KILL, CAP_LEASE, CAP_LINUX_IMMUTABLE, CAP_MKNOD, CAP_NET_ADMIN, CAP_NET_BIND_SERVICE, CAP_NET_RAW, CAP_SETGID, CAP_SETPCAP, CAP_SETUID, CAP_SYS_ADMIN, CAP_SYS_BOOT, CAP_SYS_CHROOT, CAP_SYS_MODULE, CAP_SYS_NICE, CAP_SYS_PACCT, CAP_SYS_PTRACE, CAP_SYS_RAWIO, CAP_SYS_RESOURCE, CAP_SYS_TIME, and CAP_SYS_TTY_CONFIG. All of them can be de-activated to harden your kernel.) You don't need to install lcap to do this, but it's easier than setting /proc/sys/kernel/cap-bound by hand. There is some (old) information on capabilities at Jon Corbet's section on LWN (dated December 1999).

If you don't really need many kernel features on your GNU/Linux system, you may want to disable loadable modules support during kernel configuration. To disable loadable module support, just set CONFIG_MODULES=n during the configuration stage of building your kernel, or in the .config file. This will prevent LKM root-kits, but you lose this powerful feature of the Linux kernel. Also, disabling loadable modules can sometimes overload the kernel, making loadable support necessary. Reactive defense

The advantage of a reactive defense is that it does not overload system resources. It works by comparing the system call table with a known clean copy in a disk file, System.map. Of course, a reactive defense will only notify the system administrator after the system has already been compromised.

Detection of some root-kits in Debian can be accomplished with the chkrootkit package. The program checks for signs of several known root-kits on the target system, but is not a definitive test. Genius/Paranoia Ideas — what you could do

This is probably the most unstable and funny section, since I hope that some of the "duh, that sounds crazy" ideas might be realized. The following are just some ideas for increasing security — maybe genius, paranoid, crazy or inspired depending on your point of view. Playing around with Pluggable Authentication Modules (PAM). As quoted in the Phrack 56 PAM article, the nice thing about PAM is that "You are limited only by what you can think of." It is true. Imagine root login only being possible with fingerprint or eye scan or cryptocard (why did I use an OR conjunction instead of AND?). Fascist Logging. I would refer to all the previous logging discussion above as "soft logging". If you want to perform real logging, get a printer with fanfold paper, and send all logs to it. Sounds funny, but it's reliable and it cannot be tampered with or removed. CD distribution. This idea is very easy to realize and offers pretty good security. Create a hardened Debian distribution, with proper firewall rules. Turn it into a boot-able ISO image, and burn it on a CDROM. Now you have a read-only distribution, with about 600 MB space for services. Just make sure all data that should get written is done over the network. It is impossible for intruders to get read/write access on this system, and any changes an intruder does make can be disabled with a reboot of the system. Switch module capability off. As discussed earlier, when you disable the usage of kernel modules at kernel compile time, many kernel based back doors are impossible to implement because most are based on installing modified kernel modules. Logging through serial cable (contributed by Gaby Schilders). As long as servers still have serial ports, imagine having one dedicated logging system for a number of servers. The logging system is disconnected from the network, and connected to the servers via a serial-port multiplexer (Cyclades or the like). Now have all your servers log to their serial ports, write only. 
The log-machine only accepts plain text as input on its serial ports and only writes to a log file. Connect a CD/DVD-writer, and transfer the log file to it when the log file reaches the capacity of the media. Now if only they would make CD writers with auto-changers... Not as hard copy as direct logging to a printer, but this method can handle larger volumes and CD-ROMs use less storage space. Change file attributes using chattr (taken from the Tips-HOWTO, written by Jim Dennis). After a clean install and initial configuration, use the chattr program with the +i attribute to make files unmodifiable (the file cannot be deleted, renamed, linked or written to). Consider setting this attribute on all the files in /bin, /sbin/, /usr/bin, /usr/sbin, /usr/lib and the kernel files in root. You can also make a copy of all files in /etc/, using tar or the like, and mark the archive as immutable.

This strategy will help limit the damage that you can do when logged in as root. You won't overwrite files with a stray redirection operator, and you won't make the system unusable with a stray space in a rm -fr command (you might still do plenty of damage to your data — but your libraries and binaries will be safer).

This strategy also makes a variety of security and denial of service (DoS) exploits either impossible or more difficult (since many of them rely on overwriting a file through the actions of some SETUID program that isn't providing an arbitrary shell command).

One inconvenience of this strategy arises during building and installing various system binaries. On the other hand, it prevents the make install from over-writing the files. When you forget to read the Makefile and chattr -i the files that are to be overwritten, (and the directories to which you want to add files) ‐ the make command fails, and you just use the chattr command and rerun it. You can also take that opportunity to move your old bin's and libs out of the way, into a .old/ directory or tar archive for example.

Note that this strategy also prevents you from upgrading your system's packages, since the files updated packages provide cannot be overwritten. You might want to have a script or other mechanism to disable the immutable flag on all binaries right before doing an apt-get update. Play with UTP cabling in a way that you cut 2 or 4 wires and make the cable one-way traffic only. Then use UDP packets to send information to the destination machine which can act as a secure log server or a credit card storage system. Building a honeypot

A honeypot is a system designed to teach system administrators how crackers probe for and exploit a system. It is a system setup with the expectation and goal that the system will be probed, attacked and potentially exploited. By learning the tools and methods employed by the cracker, a system administrator can learn to better protect their own systems and network.

Debian GNU/Linux systems can easily be used to set up a honeynet, if you dedicate the time to implement and monitor it. You can easily set up the fake honeypot server as well as the firewall (you will typically use a bridge firewall so that the firewall itself is not detectable, see ) that controls the honeynet and some sort of network intrusion detector, put it on the Internet, and wait. Do take care that if the system is exploited, you are alerted in time (see ) so that you can take appropriate measures and terminate the compromise when you've seen enough. Here are some of the packages and issues to consider when setting up your honeypot: The firewall technology you will use (provided by the Linux kernel). syslog-ng, useful for sending logs from the honeypot to a remote syslog server. snort, to set up capture of all the incoming network traffic to the honeypot and detect the attacks. osh, a SETUID root, security enhanced, restricted shell with logging (see Lance Spitzner's article below). Of course, all the daemons you will be using for your fake server honeypot. Depending on what type of attacker you want to analyse you will or will not harden the honeypot and keep it up to date with security patches. Integrity checkers (see ) and The Coroner's Toolkit (tct) to do post-attack audits. honeyd and farpd to set up a honeypot that will listen to connections to unused IP addresses and forward them to scripts simulating live services. Also check out iisemulator. tinyhoneypot to set up a simple honeypot server with fake services.

If you cannot use spare systems to build up the honeypots and the network systems to protect and control it you can use the virtualisation technology available in xen or uml (User-Mode-Linux). If you take this route you will need to patch your kernel with either kernel-patch-xen or kernel-patch-uml.

You can read more about building honeypots in Lance Spitzner's excellent article (from the Know your Enemy series). Also, the provides valuable information about building honeypots and auditing the attacks made on them. harden-doc-3.15.1/howto-source/en/after-install.sgml0000644000000000000000000035433111724003313017167 0ustar After installation

Once the system is installed you can still do more to secure the system; some of the steps described in this chapter can be taken. Of course this really depends on your setup but for physical access prevention you should read ,,, , and .

Before connecting to any network, especially if it's a public one you should, at the very least, execute a security update (see ). Optionally, you could take a snapshot of your system (see ). Subscribe to the Debian Security Announce mailing list

In order to receive information on available security updates you should subscribe yourself to the debian-security-announce mailing list in order to receive the Debian Security Advisories (DSAs). See for more information on how the Debian security team works. For information on how to subscribe to the Debian mailing lists read .

DSAs are signed with the Debian Security Team's signature which can be retrieved from .

You should consider, also, subscribing to the for general discussion on security issues in the Debian operating system. You will be able to contact other fellow system administrators in the list as well as Debian developers and upstream developers of security tools who can answer your questions and offer advice.

FIXME: Add the key here too? Execute a security update

As soon as new security bugs are detected in packages, Debian maintainers and upstream authors generally patch them within days or even hours. After the bug is fixed, a new package is provided on .

If you are installing a Debian release you must take into account that since the release was made there might have been security updates, issued after it was determined that a given package is vulnerable. Also, there might have been minor (point) releases which include these package updates (there have been several for the Debian 3.1 sarge release, for example).

During installation security updates are configured for your system and pending updates downloaded and applied, unless you specifically opt out of this or the system was not connected to the Internet. The updates are applied even before the first boot, so the new system starts its life as up to date as possible.

To manually update the system, put the following line in your sources.list and you will get security updates automatically, whenever you update your system. Replace [CODENAME] with the release codename, e.g. squeeze. deb http://security.debian.org/ [CODENAME]/updates main contrib non-free

Note: If you are using the testing branch use the security testing mirror sources as described in .

Once you've done this you can use multiple tools to upgrade your system. If you are running a desktop system you will have (in etch and later releases) an application called update-notifier that will make it easy to check if new updates are available; by selecting it you can make a system upgrade from the desktop (using update-manager). For more information see . In desktop environments you can also use synaptic (GNOME), kpackage or adept (KDE) for more advanced interfaces. If you are running a text-only terminal you can use aptitude, apt or dselect (deprecated) to upgrade: If you want to use aptitude's text interface you just have to press u (update) followed by g (to upgrade). Or just do the following from the command line (as root): # aptitude update # aptitude upgrade If you want to use apt do just like with aptitude but substitute the aptitude lines above with apt-get. If you want to use dselect then first [U]pdate, then [I]nstall and finally, [C]onfigure the installed/upgraded packages.

If you like, you can add the deb-src lines to /etc/apt/sources.list as well. See for further details. Security update of libraries

Once you have executed a security update you might need to restart some of the system services. If you do not do this, some services might still be vulnerable after a security upgrade. The reason for this is that daemons that were already running before an upgrade might still be using the old libraries from before the upgrade (even though the library files have been removed from the filesystem, their inodes will not be freed until no program holds an open file descriptor pointing to them). In order to detect which daemons might need to be restarted you can use the checkrestart program (available in the debian-goodies package) or use this one-liner

Depending on your lsof version you might need to use $8 instead of $9

(as root): # lsof | grep <the_upgraded_library> | awk '{print $1, $9}' | uniq | sort -k 1

Some packages (like libc6) will do this check in the postinst phase for a limited set of services, especially since an upgrade of essential libraries might break some applications until they are restarted (this happened, for example, in the upgrade from libc6 2.2.x to 2.3.x due to NSS authentication issues, see ).

Bringing the system to run level 1 (single user) and then back to run level 2 (the default multi-user run level in Debian) should take care of the restart of most (if not all) system services. But this is not an option if you are executing the security upgrade from a remote connection (like ssh) since it will be severed.

Exercise caution when dealing with security upgrades if you are doing them over a remote connection like ssh. A suggested procedure for a security upgrade that involves a service restart is to restart the SSH daemon and then, immediately, attempt a new ssh connection without closing the previous one (existing sessions survive a restart of the daemon, so you keep a working shell to fix things from). If the new connection fails, revert the upgrade and investigate the issue. Security update of the kernel

First, make sure your kernel is being managed through the packaging system. If you have installed using the installation system from Debian 3.0 or previous releases, your kernel is not integrated into the packaging system and might be out of date. You can easily confirm this by running: $ dpkg -S `readlink -f /vmlinuz` linux-image-2.6.18-4-686: /boot/vmlinuz-2.6.18-4-686

If your kernel is not being managed you will see a message saying that the package manager did not find the file associated to any package instead of the message above, which says that the file associated to the currently running kernel is provided by the linux-image-2.6.18-4-686 package. So first, you will need to manually install a kernel image package. The exact kernel image you need to install depends on your architecture and your preferred kernel version. Once this is done, you will be able to manage the security updates of the kernel just like those of any other package. In any case, notice that the kernel updates will only be done for kernel updates of the same kernel version you are using, that is, apt will not automatically upgrade your kernel from the 2.4 release to the 2.6 release (or from the 2.4.26 release to the 2.4.27 release, unless you have installed a kernel metapackage like linux-image-2.6-686 which will always pull in the latest kernel minor revision for a kernel release and a given architecture).

The installation system of recent Debian releases will handle the selected kernel as part of the package system. You can review which kernels you have installed by running: $ COLUMNS=150 dpkg -l 'linux-image*' | awk '$1 ~ /ii/ { print $0 }'

To see if your kernel needs to be updated run: $ kernfile=`readlink -f /vmlinuz` $ kernel=`dpkg -S $kernfile | awk -F : '{print $1}'` $ apt-cache policy $kernel linux-image-2.6.18-4-686: Installed: 2.6.18.dfsg.1-12 Candidate: 2.6.18.dfsg.1-12 Version table: *** 2.6.18.dfsg.1-12 0 100 /var/lib/dpkg/status

If you are doing a security update which includes the kernel image you need to reboot the system in order for the security update to be useful. Otherwise, you will still be running the old (and vulnerable) kernel image.

If you need to do a system reboot (because of a kernel upgrade) you should make sure that the kernel will boot up correctly and network connectivity will be restored, especially if the security upgrade is done over a remote connection like ssh. For the former you can configure your boot loader to reboot to the original kernel in the event of a failure (for more detailed information read ). For the latter you have to introduce a network connectivity test script that will check if the kernel has started up the network subsystem properly and reboot the system if it did not (a sample script is available in the article; a more elaborate network connectivity testing script is available in the article). This should prevent nasty surprises like updating the kernel and then realizing, after a reboot, that it did not detect or configure the network hardware properly and you need to travel a long distance to bring the system up again. Of course, having the system's serial console connected to a console or terminal server should also help debug reboot issues remotely (setting up a serial console is beyond the scope of this document; for more information read the and the ).

Change the BIOS (again)

Remember ? Well, now that you no longer need to boot from removable media, you should change the default BIOS setup so that it only boots from the hard drive. Make sure you will not lose the BIOS password; otherwise, in the event of a hard disk failure you will not be able to return to the BIOS and change the setup so you can recover it using, for example, a CD-ROM.

Another less secure but more convenient way is to change the setup to have the system boot up from the hard disk and, if it fails, try removable media. By the way, this is often done because most people don't use the BIOS password that often; it's easily forgotten. Set a LILO or GRUB password

Anybody can easily get a root-shell and change your passwords by entering <name-of-your-bootimage> init=/bin/sh at the boot prompt. After changing the passwords and rebooting the system, the person has unlimited root-access and can do anything he/she wants to the system. After this procedure you will not have root access to your system, as you do not know the root password.

To make sure that this cannot happen, you should set a password for the boot loader. You can choose between a global password or a password for a certain image.

For LILO you need to edit the config file /etc/lilo.conf and add a password and restricted line as in the example below. image=/boot/2.2.14-vmlinuz label=Linux read-only password=hackme restricted

Then, make sure that the configuration file is not world readable to prevent local users from reading the password. When done, rerun lilo. Omitting the restricted line causes lilo to always prompt for a password, regardless of whether LILO was passed parameters. The default permissions for /etc/lilo.conf grant read and write permissions to root, and enable read-only access for lilo.conf's group, root.

If you use GRUB instead of LILO, edit /boot/grub/menu.lst and add the following two lines at the top (substituting, of course hackme with the desired password). This prevents users from editing the boot items. timeout 3 specifies a 3 second delay before grub boots the default item. timeout 3 password hackme

To avoid storing the password in clear text, you may store it in hashed form instead. The utility grub-md5-crypt generates a salted MD5 hash which is compatible with GRUB's password hashing (MD5). To specify in grub that an MD5 format password will be used, use the following directive: timeout 3 password --md5 $1$bw0ez$tljnxxKLfMzmnDVaQWgjP0 The --md5 parameter instructs grub to verify the entered password against the hash. The provided value is the MD5 hash of hackme (it is a hash, not an encryption: the password cannot be recovered from it, only checked against it). Using the hashed password method is preferable to its clear-text counterpart, since anyone able to read menu.lst would otherwise learn the boot password. More information about grub passwords may be found in the grub-doc package. Disable root prompt on the initramfs

Note: This applies to the default kernels provided for releases after Debian 3.1

Linux 2.6 kernels provide a way to access a root shell while booting, which will be presented on error while loading the initramfs. This is helpful to permit the administrator to enter a rescue shell with root permissions. This shell can be used to manually load modules when autodetection fails. This behavior is the default for initramfs-tools generated initramfs. The following message will appear: "ALERT! /dev/sda1 does not exist. Dropping to a shell!"

In order to remove this behavior you need to set the following boot argument:panic=0. Either add it to the kopt section of /boot/grub/menu.lst and issue update-grub or to the append section of /etc/lilo.conf. Remove root prompt on the kernel

Note: This does not apply to the kernels provided for Debian 3.1 as the timeout for the kernel delay has been changed to 0.

Linux 2.4 kernels provide a way to access a root shell while booting which will be presented just after loading the cramfs file system. A message will appear to permit the administrator to enter an executable shell with root permissions, this shell can be used to manually load modules when autodetection fails. This behavior is the default for initrd's linuxrc. The following message will appear: Press ENTER to obtain a shell (waits 5 seconds)

In order to remove this behavior you need to change /etc/mkinitrd/mkinitrd.conf and set: # DELAY The number of seconds the linuxrc script should wait to # allow the user to interrupt it before the system is brought up DELAY=0

Then regenerate your ramdisk image. You can do this for example with: # cd /boot # mkinitrd -o initrd.img-2.4.18-k7 /lib/modules/2.4.18-k7

or (preferred): # dpkg-reconfigure -plow kernel-image-2.4.x-yz Restricting console login access

Some security policies might force administrators to log in to the system through the console with their user/password and then become superuser (with su or sudo). This policy is implemented in Debian by editing the /etc/login.defs file or /etc/securetty when using PAM. In: login.defs, editing the CONSOLE variable which defines a file or list of terminals on which root logins are allowed securetty The /etc/securetty is a configuration file that belongs to the login package. by adding/removing the terminals to which root access will be allowed. If you wish to allow only local console access then you need console, ttyX Or ttyvX in GNU/FreeBSD, and ttyE0 in GNU/KNetBSD. and vc/X (if using devfs devices), you might want to add also ttySX Or comX in GNU/Hurd, cuaaX in GNU/FreeBSD, and ttyXX in GNU/KNetBSD. if you are using a serial console for local access (where X is an integer, you might want to have multiple instances The default configuration in woody includes 12 local tty and vc consoles, as well as the console device but does not allow remote logins. In sarge the default configuration provides 64 consoles for tty and vc consoles. You can safely remove this if you are not using that many consoles. depending on the number of virtual consoles you have enabled in /etc/inittab Look for the getty calls.). For more information on terminal devices read the .

When using PAM, other changes to the login process, which might include restrictions to users and groups at given times, can be configured in /etc/pam.d/login. An interesting feature that should usually be disabled is the possibility to log in with null (blank) passwords. This is done by removing nullok from the line: auth required pam_unix.so nullok Restricting system reboots through the console

If your system has a keyboard attached to it anyone (yes anyone) can reboot the system through it without logging in to the system. This might, or might not, adhere to your security policy. If you want to restrict this, you must check /etc/inittab so that the line that includes ctrlaltdel calls shutdown with the -a switch (remember to run init q after making any changes to this file). The default in Debian includes this switch: ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

Now, in order to allow some users to shut down the system, as the manpage describes, you must create the file /etc/shutdown.allow and list there the names of the users who are allowed to reboot the system. When the three finger salute (a.k.a. ctrl+alt+del) is given the program will check if any of the users listed in the file is logged in. If none of them is, shutdown will not reboot the system. Mounting partitions the right way

When mounting an ext2 or ext3 file system, there are several additional options you can apply to the mount call or to /etc/fstab. For instance, this is my fstab entry for the /tmp partition: /dev/hda7 /tmp ext2 defaults,nosuid,noexec,nodev 0 2

You see the difference in the options section. The option nosuid ignores the setuid and setgid bits completely, while noexec forbids execution of any program on that mount point, and nodev ignores device files. This sounds great, but note that: it only protects the mount points on which the options are set, and it could be circumvented easily (at least on older kernels, see below)

The noexec option prevents binaries from being executed directly, but was easily circumvented in earlier versions of the kernel: alex@joker:/tmp# mount | grep tmp /dev/hda7 on /tmp type ext2 (rw,noexec,nosuid,nodev) alex@joker:/tmp# ./date bash: ./date: Permission denied alex@joker:/tmp# /lib/ld-linux.so.2 ./date Sun Dec 3 17:49:23 CET 2000

Newer versions of the kernel do however handle the noexec flag properly: angrist:/tmp# mount | grep /tmp /dev/hda3 on /tmp type ext3 (rw,noexec,nosuid,nodev) angrist:/tmp# ./date bash: ./tmp: Permission denied angrist:/tmp# /lib/ld-linux.so.2 ./date ./date: error while loading shared libraries: ./date: failed to map segment from shared object: Operation not permitted

However, many script kiddies have exploits which try to create and execute files in /tmp. If they do not have a clue, they will fall into this pit. Likewise, a user cannot be tricked into executing a trojanized binary in /tmp, e.g. when he accidentally adds /tmp to his PATH. Keep in mind, though, that noexec is only a hurdle: an attacker who can write to another, executable location (such as a home directory), or who simply runs an interpreter on a script stored in /tmp, is not stopped by it.

Also be forewarned, some script might depend on /tmp being executable. Most notably, Debconf has (had?) some issues regarding this, for more information see Bug .

The following is a more thorough example. A note, though: /var could be set noexec, but some software keeps its programs under /var (this includes the package manager dpkg, since the installation (pre/post) and removal (pre/post) maintainer scripts are unpacked under /var/lib/dpkg/, and Smartlist also keeps its programs under /var). The same applies to the nosuid option. /dev/sda6 /usr ext3 defaults,ro,nodev 0 2 /dev/sda12 /usr/share ext3 defaults,ro,nodev,nosuid 0 2 /dev/sda7 /var ext3 defaults,nodev,usrquota,grpquota 0 2 /dev/sda8 /tmp ext3 defaults,nodev,nosuid,noexec,usrquota,grpquota 0 2 /dev/sda9 /var/tmp ext3 defaults,nodev,nosuid,noexec,usrquota,grpquota 0 2 /dev/sda10 /var/log ext3 defaults,nodev,nosuid,noexec 0 2 /dev/sda11 /var/account ext3 defaults,nodev,nosuid,noexec 0 2 /dev/sda13 /home ext3 rw,nosuid,nodev,exec,auto,nouser,async,usrquota,grpquota 0 2 /dev/fd0 /mnt/fd0 ext3 defaults,users,nodev,nosuid,noexec 0 0 /dev/fd0 /mnt/floppy vfat defaults,users,nodev,nosuid,noexec 0 0 /dev/hda /mnt/cdrom iso9660 ro,users,nodev,nosuid,noexec 0 0 Setting /tmp noexec

Be careful if setting /tmp noexec when you want to install new software, since some programs might use it for installation. apt is one such program (see ) if APT::ExtractTemplates::TempDir is not configured properly (see ). You can set this variable in /etc/apt/apt.conf to another directory, other than /tmp, on a file system mounted with exec permissions. Setting /usr read-only

If you set /usr read-only you will not be able to install new packages on your Debian GNU/Linux system. You will have to first remount it read-write, install the packages and then remount it read-only. apt can be configured to run commands before and after installing packages, so you might want to configure it properly.

To do this modify /etc/apt/apt.conf and add: DPkg { Pre-Invoke { "mount /usr -o remount,rw" }; Post-Invoke { "mount /usr -o remount,ro" }; };

Note that the Post-Invoke may fail with a "/usr busy" error message. This happens mainly when you are using files during the update that got updated. You can find these programs by running # lsof +L1

Stop or restart these programs and run the Post-Invoke manually. Beware! This means you'll likely need to restart your X session (if you're running one) every time you do a major upgrade of your system. You might want to reconsider whether a read-only /usr is suitable for your system. See also this . Providing secure user access User authentication: PAM

PAM (Pluggable Authentication Modules) allows system administrators to choose how applications authenticate users. Note that PAM can do nothing unless an application is compiled with support for PAM. Most of the applications that are shipped with Debian have this support built in (Debian did not have PAM support before 2.2). The current default configuration for any PAM-enabled service is to emulate UNIX authentication (read /usr/share/doc/libpam0g/Debian-PAM-MiniPolicy.gz for more information on how PAM services should work in Debian).

Each application with PAM support provides a configuration file in /etc/pam.d/ which can be used to modify its behavior: what backend is used for authentication. what backend is used for sessions. how do password checks behave.

The following description is far from complete, for more information you might want to read the (at the ). This document is also provided in the libpam-doc Debian package.

PAM offers you the possibility to go through several authentication steps at once, without the user's knowledge. You could authenticate against a Berkeley database and against the normal passwd file, and the user only logs in if he authenticates correctly in both. You can restrict a lot with PAM, just as you can open your system doors very wide. So be careful. A typical configuration line has a control field as its second element. Generally it should be set to requisite, which makes the stack fail immediately (returning a login failure) if that module fails, without running the modules that follow it.

The first thing I like to do is to add MD5 support to PAM applications, since this helps protect against dictionary cracks (passwords can be longer than 8 characters if using MD5, unlike the traditional DES-based crypt). Where your pam_unix supports it, a stronger hash such as sha512 can be used in place of md5 in the same way. The following two lines should be added to all files in /etc/pam.d/ that grant access to the machine, like login and ssh. # Be sure to install libpam-cracklib first or you will not be able to log in password required pam_cracklib.so retry=3 minlen=12 difok=3 password required pam_unix.so use_authtok nullok md5

So, what does this incantation do? The first line loads the cracklib PAM module, which provides password strength-checking, prompts for a new password with a minimum length of 12 characters, a difference of at least 3 characters from the old password, and allows 3 retries. Cracklib depends on a wordlist package (such as wenglish, wspanish, wbritish, ...), so make sure you install one that is appropriate for your language or cracklib might not be useful to you at all. This dependency is not fixed, however, in the Debian 3.0 package. Please see . The second line introduces the standard authentication module with MD5 passwords; nullok allows a zero length (empty) password, so remove it unless you really need empty passwords to be accepted. The use_authtok directive is necessary to hand over the password from the previous module (so that only the password already checked by pam_cracklib is used, instead of prompting for a new one).

To make sure that the user root can only log into the system from local terminals, the following line should be enabled in /etc/pam.d/login: auth requisite pam_securetty.so

Then you should modify the list of terminals on which direct root login is allowed in /etc/securetty. Alternatively, you could enable the pam_access module and modify /etc/security/access.conf which allows for a more general and fine-tuned access control, but (unfortunately) lacks decent log messages (logging within PAM is not standardized and is a particularly unrewarding problem to deal with). We'll return to access.conf a little later.

Last but not the least, the following line should be enabled in /etc/pam.d/login to set up user resource limits. session required pam_limits.so

This restricts the system resources that users are allowed (see below in ). For example, you could restrict the number of concurrent logins (of a given group of users, or system-wide), number of processes, memory size etc.

Now edit /etc/pam.d/passwd and change the first line. You should add the option "md5" to use MD5 passwords, change the minimum length of password from 4 to 6 (or more) and set a maximum length, if you desire (a low maximum limits how long a passphrase can be, which weakens it; there is usually no reason to set one). Remove nullok as well unless empty passwords must be accepted. The resulting line will look something like: password required pam_unix.so nullok obscure min=6 max=11 md5

If you want to protect su, so that only some people can use it to become root on your system, you need to add a new group "wheel" to your system (that is the cleanest way, since no file has such a group permission yet). Add root and the other users that should be able to su to the root user to this group. Then add the following line to /etc/pam.d/su: auth requisite pam_wheel.so group=wheel debug

This makes sure that only people from the group "wheel" can use su to become root. Other users will not be able to become root. In fact they will get a denied message if they try to become root.

If you want only certain users to authenticate at a PAM service, this is quite easy to achieve by using files where the users who are allowed to login (or not) are stored. Imagine you only want to allow user 'ref' to log in via ssh. So you put him into /etc/sshusers-allowed and write the following into /etc/pam.d/ssh (the PAM service file of your ssh daemon; check the name used by your release): auth required pam_listfile.so item=user sense=allow file=/etc/sshusers-allowed onerr=fail Make sure the list file is owned by root and not writable by other users, otherwise anyone able to edit it could grant himself access (pam_listfile refuses to use a file that is world-writable or not owned by root). The onerr=fail option ensures that an error reading the file denies access rather than allowing it.

Since there have been a number of so-called insecure tempfile vulnerabilities (thttpd is one example, see ), libpam-tmpdir is a good package to install: it gives each user a private temporary directory (and sets TMPDIR accordingly), so that predictable file names in the shared /tmp are harder to exploit. All you have to do is add the following to /etc/pam.d/common-session: session optional pam_tmpdir.so There has also been a discussion about adding this by default in etch. See for more information.

Last, but not least, create /etc/pam.d/other and enter the following lines: auth required pam_securetty.so auth required pam_unix_auth.so auth required pam_warn.so auth required pam_deny.so account required pam_unix_acct.so account required pam_warn.so account required pam_deny.so password required pam_unix_passwd.so password required pam_warn.so password required pam_deny.so session required pam_unix_session.so session required pam_warn.so session required pam_deny.so

These lines will provide a good default configuration for all applications that support PAM (access is denied by default). Limiting resource usage: the limits.conf file

You should really take a serious look into this file. Here you can define user resource limits. In old releases this configuration file was /etc/limits.conf, but in newer releases (with PAM) the /etc/security/limits.conf configuration file should be used instead.

If you do not restrict resource usage, any user with a valid shell in your system (or even an intruder who compromised the system through a service or a daemon going awry) can use up as much CPU, memory, stack, etc. as the system can provide. This resource exhaustion problem can be fixed by the use of PAM.

There is a way to add resource limits to some shells (for example, bash has ulimit, see ), but since not all of them provide the same limits and since the user can change shells (see ) it is better to place the limits on the PAM modules as they will apply regardless of the shell used and will also apply to PAM modules that are not shell-oriented.

Resource limits are imposed by the kernel, but they need to be configured through the limits.conf and the PAM configuration of the different services need to load the appropriate PAM. You can check which services are enforcing limits by running: $ find /etc/pam.d/ \! -name "*.dpkg*" | xargs -- grep limits |grep -v ":#"

Commonly, login, ssh and the graphic session managers (gdm, kdm or xdm) should enforce user limits but you might want to do this in other PAM configuration files, such as cron, to prevent system daemons from taking over all system resources.

The specific limits settings you might want to enforce depend on your system's resources, that's one of the main reasons why no limits are enforced in the default installation.

For example, the configuration example below enforces a 100 process limit for all users (to prevent fork bombs) as well as a limit of 10MB of memory per process and a limit of one simultaneous login per user. Users in the adm group have higher limits (including 10 simultaneous logins) and can produce core files if they want to (only a hard limit is set for them, so they can raise their soft limit themselves with ulimit -c).

* soft core 0 * hard core 0 * hard rss 10000 * hard memlock 10000 * hard nproc 100 * - maxlogins 1 * hard data 102400 * hard fsize 2048 @adm hard core 100000 @adm hard rss 100000 @adm soft nproc 2000 @adm hard nproc 3000 @adm hard fsize 100000 @adm - maxlogins 10

These would be the limits a default user (including system daemons) would have: $ ulimit -a core file size (blocks, -c) 0 data seg size (kbytes, -d) 102400 file size (blocks, -f) 2048 max locked memory (kbytes, -l) 10000 max memory size (kbytes, -m) 10000 open files (-n) 1024 pipe size (512 bytes, -p) 8 stack size (kbytes, -s) 8192 cpu time (seconds, -t) unlimited max user processes (-u) 100 virtual memory (kbytes, -v) unlimited

And these are the limits for an administrative user: $ ulimit -a core file size (blocks, -c) 0 data seg size (kbytes, -d) 102400 file size (blocks, -f) 100000 max locked memory (kbytes, -l) 100000 max memory size (kbytes, -m) 100000 open files (-n) 1024 pipe size (512 bytes, -p) 8 stack size (kbytes, -s) 8192 cpu time (seconds, -t) unlimited max user processes (-u) 2000 virtual memory (kbytes, -v) unlimited

For more information read: . on the Limiting users overview section. in the Limiting and monitoring users section. User login actions: edit /etc/login.defs

The next step is to edit the basic configuration and action upon user login. Note that this file is not part of the PAM configuration, it's a configuration file honored by login and su programs, so it doesn't make sense tuning it for cases where neither of the two programs are at least indirectly called (the getty program which sits on the consoles and offers the initial login prompt does invoke login). FAIL_DELAY 10

This variable should be set to a higher value to make it harder to use the terminal to log in using brute force. If a wrong password is typed in, the possible attacker (or normal user!) has to wait for 10 seconds to get a new login prompt, which is quite time consuming when you test passwords. Pay attention to the fact that this setting is useless if using program other than getty, such as mingetty for example. FAILLOG_ENAB yes If you enable this variable, failed logins will be logged. It is important to keep track of them to catch someone who tries a brute force attack. LOG_UNKFAIL_ENAB no

If you set this variable to 'yes' it will record unknown usernames if the login failed. It is best if you use 'no' (the default) since, otherwise, user passwords might be inadvertently logged here (if a user mistypes and they enter their password as the username). If you set it to 'yes', make sure the logs have the proper permissions (640 for example, with an appropriate group setting such as adm). SYSLOG_SU_ENAB yes

This one enables logging of su attempts to syslog. Quite important on serious machines but note that this can create privacy issues as well. SYSLOG_SG_ENAB yes

The same as SYSLOG_SU_ENAB but applies to the sg program. MD5_CRYPT_ENAB yes

As stated above, MD5 sum passwords greatly reduce the problem of dictionary attacks, since you can use longer passwords. If you are using slink, read the docs about MD5 before enabling this option. Otherwise this is set in PAM. PASS_MAX_LEN 50

If MD5 passwords are activated in your PAM configuration, then this variable should be set to the same value as used there. Restricting ftp: editing /etc/ftpusers

The /etc/ftpusers file contains a list of users who are not allowed to log into the host using ftp. Only use this file if you really want to allow ftp (which is not recommended in general, because it uses clear-text passwords). If your daemon supports PAM, you can also use that to allow and deny users for certain services.

FIXME (BUG): Is it a bug that the default ftpusers in Debian does not include all the administrative users (in base-passwd).

A convenient way to add all system accounts to the /etc/ftpusers is to run $ awk -F : '{if ($3<1000) print $1}' /etc/passwd > /etc/ftpusers Using su

If you really need users to become the super user on your system, e.g. for installing packages or adding users, you can use the command su to change your identity. You should try to avoid any login as user root and instead use su. Actually, the best solution is to remove su and switch to the sudo mechanism which has a broader logic and more features than su. However, su is more common as it is used on many other Unices. Using sudo

sudo allows the user to execute defined commands under another user's identity, even as root. If the user is added to /etc/sudoers and authenticates himself correctly, he is able to run commands which have been defined in /etc/sudoers. Violations, such as incorrect passwords or trying to run a program you don't have permission for, are logged and mailed to root. Disallow remote administrative access

You should also modify /etc/security/access.conf to disallow remote logins to administrative accounts. This way users need to invoke su (or sudo) to use any administrative powers and the appropriate audit trace will always be generated.

You need to add the following line to /etc/security/access.conf, the default Debian configuration file has a sample line commented out: -:wheel:ALL EXCEPT LOCAL

Remember to enable the pam_access module for every service (or default configuration) in /etc/pam.d/ if you want your changes to /etc/security/access.conf honored. Restricting users' access

Sometimes you might think you need to have users created in your local system in order to provide a given service (pop3 mail service or ftp). Before doing so, first remember that the PAM implementation in Debian GNU/Linux allows you to validate users with a wide variety of external directory services (radius, ldap, etc.) provided by the libpam packages.

If users need to be created and the system can be accessed remotely take into account that users will be able to log in to the system. You can fix this by giving users a null (/dev/null) shell (it would need to be listed in /etc/shells). If you want to allow users to access the system but limit their movements, you can use the /bin/rbash, equivalent to adding the -r option in bash (RESTRICTED SHELL see ). Please note that even with a restricted shell, a user that accesses an interactive program (that might allow execution of a subshell) could be able to bypass the limits of the shell.

Debian currently provides in the unstable release (and might be included in the next stable releases) the pam_chroot module (in the libpam-chroot). An alternative to it is to chroot the service that provides remote logging (ssh, telnet). libpam-chroot has not yet been thoroughly tested; it does work for login, but it might not be easy to set up the environment for other programs.

If you wish to restrict when users can access the system you will have to customize /etc/security/access.conf for your needs.

Information on how to chroot users accessing the system through the ssh service is described in . User auditing

If you are really paranoid you might want to add a system-wide configuration to audit what the users are doing in your system. This section presents some tips using diverse utilities you can use. Input and output audit with script

You can use the script command to audit both what the users run and what are the results of those commands. You cannot set up script as a shell (even if you add it to /etc/shells). But you can have the shell initialization file run the following: umask 077 exec script -q -a "/var/log/sessions/$USER"

Of course, if you do this system wide it means that the shell would not continue reading personal initialization files (since the shell gets overwritten by script). An alternative is to do this in the user's initialization files (but then the user could remove this, see the comments about this below)

You also need to setup the files in the audit directory (in the example /var/log/sessions/) so that users can write to it but cannot remove the file. This could be done, for example, by creating the user session files in advance and setting them with the append-only flag using chattr.

A useful alternative for sysadmins, which includes date information would be: umask 077 exec script -q -a "/var/log/sessions/$USER-`date +%Y%m%d`" Using the shell history file

If you want to review what the user types in the shell (but not what the result of that is) you can set up a system-wide /etc/profile that configures the environment so that all commands are saved into a history file. The system-wide configuration needs to be set up in such a way that users cannot remove audit capabilities from their shell. This is somewhat shell specific so make sure that all users are using a shell that supports this.

For example, for bash, the /etc/profile could be set as follows Setting HISTSIZE to a very large number can cause issues under some shells since the history is kept in memory for every user session. You might be safer if you set this to a high-enough value and backup user's history files (if you need all of the user's history for some reason) : HISTFILE=~/.bash_history HISTSIZE=10000 HISTFILESIZE=999999 # Don't let the users enter commands that are ignored # in the history file HISTIGNORE="" HISTCONTROL="" readonly HISTFILE readonly HISTSIZE readonly HISTFILESIZE readonly HISTIGNORE readonly HISTCONTROL export HISTFILE HISTSIZE HISTFILESIZE HISTIGNORE HISTCONTROL

For this to work, the user can only append information to the .bash_history file. You also need to set the append-only option using the chattr program for .bash_history for all users. Without the append-only flag users would be able to empty the contents of the history file by running > .bash_history .

Note that you could introduce the configuration above in the user's .profile. But then you would need to setup permissions properly in such a way that prevents the user from modifying this file. This includes: having the user's home directories not belong to the user (since he would be able to remove the file otherwise) but at the same time enable them to read the .profile configuration file and write on the .bash_history. It would be good to set the immutable flag (also using chattr) for .profile too if you do it this way. Complete user audit with accounting utilities

The previous example is a simple way to configure user auditing but might not be useful for complex systems or for those in which users do not run shells at all (or exclusively). If this is your case, you need to look at acct, the accounting utilities. These utilities will log all the commands run by users or processes in the system, at the expense of disk space.

When activating accounting, all the information on processes and users is kept under /var/account/, more specifically in the pacct. The accounting package includes some tools (sa, ac and lastcomm) to analyse this data. Other user auditing methods

If you are completely paranoid and want to audit every user's command, you could take bash source code, edit it and have it send all that the user typed into another file. Or have ttysnoop constantly monitor any new ttys Ttys are spawned for local logins and remote logins through ssh and telnet and dump the output into a file. Another useful program is snoopy (see also ) which is a user-transparent program that hooks in as a library providing a wrapper around execve() calls, any command executed is logged to syslogd using the authpriv facility (usually stored at /var/log/auth.log). Reviewing user profiles

If you want to see what users are actually doing when they logon to the system you can use the wtmp database that includes all login information. This file can be processed with several utilities, amongst them sac which can output a profile on each user showing in which timeframe they usually log on to the system.

In case you have accounting activated, you can also use the tools provided by it in order to determine when the users access the system and what they execute. Setting users umasks

Depending on your user policy you might want to change how information is shared between users, that is, what the default permissions of new files created by users are.

Debian's default umask setting is 022; this means that files (and directories) can be read and accessed by the user's group and by any other users in the system. This definition is set in the standard configuration file /etc/profile which is used by all shells.

If Debian's default value is too permissive for your system you will have to change the umask setting for all the shells. More restrictive umask settings include 027 (no access is allowed to new files for the other group, i.e. to other users in the system) or 077 (no access is allowed to new files to the members of the user's group). Debian (by default

As defined in /etc/adduser.conf (USERGROUPS=yes). You can change this behaviour if you set this value to no, although it is not recommended

) creates one group per user so that only the user is included in its group. Consequently 027 and 077 are equivalent as the user's group contains only the user himself.

This change is set by defining a proper umask setting for all users. You can change this by introducing an umask call in the shell configuration files: /etc/profile (sourced by all Bourne-compatible shells), /etc/csh.cshrc, /etc/csh.login, /etc/zshrc and probably some others (depending on the shells you have installed on your system). You can also change the UMASK setting in /etc/login.defs. Of all of these, the last one that gets loaded by the shell takes precedence. The order is: the default system configuration for the user's shell (i.e. /etc/profile and other system-wide configuration files) and then the user's shell (his ~/.profile, ~/.bash_profile, etc...). Some shells, however, can be executed with a nologin value which might skip sourcing some of those files. See your shell's manpage for additional information.

For connections that make use of login the UMASK definition in /etc/login.defs is used before any of the others. However, that value does not apply to user executed programs that do not use login such as those run through su, cron or ssh.

Don't forget to review and maybe modify the dotfiles under /etc/skel/ since these will be new users' defaults when created with the adduser command. Debian default dotfiles do not include any umask call but if there is any in the dotfiles newly created users might get a different value.

Note, however that users can modify their own umask setting if they want to, making it more permissive or more restricted, by changing their own dotfiles.

The libpam-umask package adjusts the users' default umask using PAM. Add the following, after installing the package, to /etc/pam.d/common-session: session optional pam_umask.so umask=077

Finally, you should consider changing root's default 022 umask (as defined in /root/.bashrc) to a more strict umask. That will prevent the system administrator from inadvertently dropping sensitive files when working as root to world-readable directories (such as /tmp) and having them available for your average user. Limiting what users can see/access

FIXME: Content needed. Describe the consequences of changing packages permissions when upgrading (an admin this paranoid should chroot his users BTW) if not using dpkg-statoverride.

If you need to grant users access to the system with a shell think about it very carefully. A user can, by default unless in a severely restricted environment (like a chroot jail), retrieve quite a lot of information from your system including: some configuration files in /etc. However, Debian's default permissions for some sensitive files (which might, for example, contain passwords), will prevent access to critical information. To see which files are only accessible by the root user for example find /etc -type f -a -perm 600 -a -uid 0 as superuser. your installed packages, either by looking at the package database, at the /usr/share/doc directory or by guessing by looking at the binaries and libraries installed in your system. some log files at /var/log. Note also that some log files are only accessible to root and the adm group (try find /var/log -type f -a -perm 640) and some are even only available to the root user (try find /var/log -type f -a -perm 600 -a -uid 0).

What can a user see in your system? Probably quite a lot of things, try this (take a deep breath): find / -type f -a -perm +006 2>/dev/null find / -type d -a -perm +007 2>/dev/null

The output is the list of files that a user can see and the directories to which he has access. Limiting access to other user's information

If you still grant shell access to users you might want to limit what information they can view from other users. Users with shell access have a tendency to create quite a number of files under their $HOMEs: mailboxes, personal documents, configuration of X/GNOME/KDE applications...

In Debian each user is created with one associated group, and no two users belong to the same group. This is the default behavior: when a user account is created, a group of the same name is created too, and the user is assigned to it. This avoids the concept of a common users group which might make it more difficult for users to hide information from other users.

However, users' $HOME directories are created with 0755 permissions (group-readable and world-readable). The group permission is not an issue since only the user belongs to the group, however the world permissions might (or might not) be an issue depending on your local policy.

You can change this behavior so that user creation provides different $HOME permissions. To change the behavior for new users when they get created, change DIR_MODE in the configuration file /etc/adduser.conf to 0750 (no world-readable access).

Users can still share information, but not directly in their $HOME directories unless they change its permissions.

Note that disabling world-readable home directories will prevent users from creating their personal web pages in the ~/public_html directory, since the web server will not be able to read one component in the path - namely their $HOME directory. If you want to permit users to publish HTML pages in their ~/public_html, then change DIR_MODE to 0751. This will allow the web server to access the final public_html directory (which itself should have a mode of 0755) and provide the content published by users. Of course, we are only talking about a default configuration here; users can generally tune modes of their own files completely to their liking, or you could keep content intended for the web in a separate location which is not a subdirectory of user's $HOME directory. Generating user passwords

There are many cases when an administrator needs to create many user accounts and provide passwords for all of them. Of course, the administrator could easily just set the password to be the same as the user's account name, but that would not be very sensible security-wise. A better approach is to use a password generating program. Debian provides makepasswd, apg and pwgen packages which provide programs (the name is the same as the package) that can be used for this purpose. Makepasswd will generate true random passwords with an emphasis on security over pronounceability while pwgen will try to make meaningless but pronounceable passwords (of course this might depend on your mother language). Apg has algorithms to provide for both (there is a client/server version for this program but it is not included in the Debian package).

Passwd does not allow non-interactive assignment of passwords (since it uses direct tty access). If you want to change passwords when creating a large number of users you can create them using adduser with the --disabled-login option and then use usermod or chpasswd Chpasswd cannot handle MD5 password generation so it needs to be given the password in encrypted form before using it, with the -e option. (both from the passwd package so you already have them installed). If you want to use a file with all the information to make users as a batch process you might be better off using newusers. Checking user passwords

User passwords can sometimes become the weakest link in the security of a given system. This is due to some users choosing weak passwords for their accounts (and the more of them that have access to it the greater the chances of this happening). Even if you established checks with the cracklib PAM module and password limits as described in users will still be able to use weak passwords. Since user access might include remote shell access (over ssh, hopefully) it's important to make password guessing as hard as possible for the remote attackers, especially if they were somehow able to collect important information such as usernames or even the passwd and shadow files themselves.

A system administrator must, given a big number of users, check if the passwords they have are consistent with the local security policy. How to check? Try to crack them as an attacker would if he had access to the hashed passwords (the /etc/shadow file).

An administrator can use john or crack (both are brute force password crackers) together with an appropriate wordlist to check users' passwords and take appropriate action when a weak password is detected. You can search for Debian GNU packages that contain word lists using apt-cache search wordlist, or visit the classic Internet wordlist sites such as or . Logging off idle users

Idle users are usually a security problem, a user might be idle maybe because he's out to lunch or because a remote connection hung and was not re-established. For whatever the reason, idle users might lead to a compromise: because the user's console might be unlocked and can be accessed by an intruder. because an attacker might be able to re-attach himself to a closed network connection and send commands to the remote shell (this is fairly easy if the remote shell is not encrypted as in the case of telnet).

Some remote systems have even been compromised through an idle (and detached) screen.

Automatic disconnection of idle users is usually a part of the local security policy that must be enforced. There are several ways to do this: If bash is the user shell, a system administrator can set a default TMOUT value (see ) which will make the shell automatically log off remote idle users. Note that it must be set with the -o option or users will be able to change (or unset) it. Install timeoutd and configure /etc/timeouts according to your local security policy. The daemon will watch for idle users and time out their shells accordingly. Install autolog and configure it to remove idle users.

The timeoutd or autolog daemons are the preferred method since, after all, users can change their default shell or can, after running their default shell, switch to another (uncontrolled) shell. Using tcpwrappers

TCP wrappers were developed when there were no real packet filters available and access control was needed. Nevertheless, they're still very interesting and useful. The TCP wrappers allow you to allow or deny a service for a host or a domain and define a default allow or deny rule (all performed on the application level). If you want more information take a look at .

Many services installed in Debian are either: launched through the tcpwrapper service (tcpd) compiled with libwrapper support built-in.

On the one hand, for services configured in /etc/inetd.conf (this includes telnet, ftp, netbios, swat and finger) you will see that the configuration file executes /usr/sbin/tcpd first. On the other hand, even if a service is not launched by the inetd superdaemon, support for the tcp wrappers rules can be compiled into it. Services compiled with tcp wrappers in Debian include ssh, portmap, in.talk, rpc.statd, rpc.mountd, gdm, oaf (the GNOME activator daemon), nessus and many others.

To see which packages use tcpwrappers

On older Debian releases you might need to do this: $ apt-cache showpkg libwrap0 | egrep '^[[:space:]]' | sort -u | \ sed 's/,libwrap0$//;s/^[[:space:]]\+//' try: $ apt-cache rdepends libwrap0

Take this into account when running tcpdchk (a very useful TCP wrappers config file rule and syntax checker). When you add stand-alone services (that are directly linked with the wrapper library) into the hosts.deny and hosts.allow files, tcpdchk will warn you that it is not able to find the mentioned services since it only looks for them in /etc/inetd.conf (the manpage is not totally accurate here).

Now, here comes a small trick, and probably the smallest intrusion detection system available. In general, you should have a decent firewall policy as a first line, and tcp wrappers as the second line of defense. One little trick is to set up a SPAWN be sure to use uppercase here since spawn will not work command in /etc/hosts.deny that sends mail to root whenever a denied service triggers wrappers: ALL: ALL: SPAWN ( \ echo -e "\n\ TCP Wrappers\: Connection refused\n\ By\: $(uname -n)\n\ Process\: %d (pid %p)\n\ User\: %u\n\ Host\: %c\n\ Date\: $(date)\n\ " | /usr/bin/mail -s "Connection to %d blocked" root) &

Beware: The above printed example is open to a DoS attack by making many connections in a short period of time. Many emails mean a lot of file I/O by sending only a few packets. The importance of logs and alerts

It is easy to see that the treatment of logs and alerts is an important issue in a secure system. Suppose a system is perfectly configured and 99% secure. If the 1% attack occurs, and there are no security measures in place to, first, detect this and, second, raise alarms, the system is not secure at all.

Debian GNU/Linux provides some tools to perform log analysis, most notably swatch, there's a very good article on it written by logcheck or log-analysis (all will need some customisation to remove unnecessary things from the report). It might also be useful, if the system is nearby, to have the system logs printed on a virtual console. This is useful since you can (from a distance) see if the system is behaving properly. Debian's /etc/syslog.conf comes with a commented default configuration; to enable it uncomment the lines and restart syslogd (/etc/init.d/syslogd restart): daemon,mail.*;\ news.=crit;news.=err;news.=notice;\ *.=debug;*.=info;\ *.=notice;*.=warn /dev/tty8

To colorize the logs, you could take a look at colorize, ccze or glark. There is a lot to log analysis that cannot be fully covered here, so a good information resource would be books such as . In any case, even automated tools are no match for the best analysis tool: your brain. Using and customizing logcheck

The logcheck package in Debian is divided into the three packages logcheck (the main program), logcheck-database (a database of regular expressions for the program) and logtail (prints loglines that have not yet been read). The Debian default (in /etc/cron.d/logcheck) is that logcheck is run every hour and after reboots.

This tool can be quite useful if properly customized to alert the administrator of unusual system events. Logcheck can be fully customized so that it sends mails based on events found in the logs and worthy of attention. The default installation includes profiles for ignored events and policy violations for three different setups (workstation, server and paranoid). The Debian package includes a configuration file /etc/logcheck/logcheck.conf, sourced by the program, that defines which user the checks are sent to. It also provides a way for packages that provide services to implement new policies in the directories: /etc/logcheck/cracking.d/_packagename_, /etc/logcheck/violations.d/_packagename_, /etc/logcheck/violations.ignore.d/_packagename_, /etc/logcheck/ignore.d.paranoid/_packagename_, /etc/logcheck/ignore.d.server/_packagename_, and /etc/logcheck/ignore.d.workstation/_packagename_. However, not many packages currently do so. If you have a policy that can be useful for other users, please send it as a bug report for the appropriate package (as a wishlist bug). For more information read /usr/share/doc/logcheck/README.Debian.

The best way to configure logcheck is to edit its main configuration file /etc/logcheck/logcheck.conf after installation. Change the default user (root) to whom reports should be mailed. You should set the reportlevel in there, too. logcheck-database has three report levels of increasing verbosity: workstation, server, paranoid. "server" being the default level, paranoid is only recommended for high-security machines running as few services as possible and workstation for relatively sheltered, non-critical machines. If you wish to add new log files just add them to /etc/logcheck/logcheck.logfiles. It is tuned for default syslog install.

Once this is done you might want to check the mails that are sent, for the first few days/weeks/months. If you find you are sent messages you do not wish to receive, just add the regular expressions (see and ) that correspond to these messages to the /etc/logcheck/ignore.d.reportlevel/local. Try to match the whole logline. Details on how to write rules are explained in /usr/share/doc/logcheck-database/README.logcheck-database.gz. It's an ongoing tuning process; once the messages that are sent are always relevant you can consider the tuning finished. Note that if logcheck does not find anything relevant in your system it will not mail you even if it does run (so you might get a mail only once a week, if you are lucky). Configuring where alerts are sent

Debian comes with a standard syslog configuration (in /etc/syslog.conf) that logs messages to the appropriate files depending on the system facility. You should be familiar with this; have a look at the syslog.conf file and the documentation if not. If you intend to maintain a secure system you should be aware of where log messages are sent so they do not go unnoticed.

For example, sending messages to the console also is an interesting setup useful for many production-level systems. But for many such systems it is also important to add a new machine that will serve as loghost (i.e. it receives logs from all other systems).

Root's mail should be considered also, many security controls (like snort) send alerts to root's mailbox. This mailbox usually points to the first user created in the system (check /etc/aliases). Take care to send root's mail to some place where it will be read (either locally or remotely).

There are other role accounts and aliases on your system. On a small system, it's probably simplest to make sure that all such aliases point to the root account, and that mail to root is forwarded to the system administrator's personal mailbox.

FIXME: It would be interesting to tell how a Debian system can send/receive SNMP traps related to security problems (jfs). Check: snmptrapfmt, snmp and snmpd. Using a loghost

A loghost is a host which collects syslog data remotely over the network. If one of your machines is cracked, the intruder is not able to cover his tracks, unless he hacks the loghost as well. So, the loghost should be especially secure. Making a machine a loghost is simple. Just start the syslogd with syslogd -r and a new loghost is born. In order to do this permanently in Debian, edit /etc/default/syslogd and change the line SYSLOGD="" to SYSLOGD="-r" Next, configure the other machines to send data to the loghost. Add an entry like the following to /etc/syslog.conf: facility.level @your_loghost See the documentation for what to use in place of facility and level (they should not be entered verbatim like this). If you want to log everything remotely, just write: *.* @your_loghost into your syslog.conf. Logging remotely as well as locally is the best solution (the attacker might presume to have covered his tracks after deleting the local log files). See the , and manpages for additional information. Log file permissions

It is not only important to decide how alerts are used, but also who has read/modify access to the log files (if not using a remote loghost). Security alerts which the attacker can change or disable are not worth much in the event of an intrusion. Also, you have to take into account that log files might reveal quite a lot of information about your system to an intruder if he has access to them.

Some log file permissions are not perfect after the installation (but of course this really depends on your local security policy). First /var/log/lastlog and /var/log/faillog do not need to be readable by normal users. In the lastlog file you can see who logged in recently, and in the faillog you see a summary of failed logins. The author recommends chmod 660 for both. Take a brief look at your log files and decide very carefully which log files to make readable/writable for a user with a UID other than 0 and a group other than 'adm' or 'root'. You can easily check this in your system with: # find /var/log -type f -exec ls -l {} \; | cut -c 17-35 |sort -u (see to what users do files in /var/log belong) # find /var/log -type f -exec ls -l {} \; | cut -c 26-34 |sort -u (see to what groups do files in /var/log belong) # find /var/log -perm +004 (files which are readable by any user) # find /var/log \! -group root \! -group adm -exec ls -ld {} \; (files which belong to groups not root or adm)

To customize how log files are created you will probably have to customize the program that generates them. If the log file gets rotated, however, you can customize the behavior of creation and rotation. Adding kernel patches

Debian GNU/Linux provides some of the patches for the Linux kernel that enhance its security. These include: provided in the kernel-patch-2.4-lids package. This kernel patch makes the process of hardening your Linux system easier by allowing you to restrict, hide and protect processes, even from root. It implements mandatory access control capabilities. , provided in package trustees. This patch adds a decent advanced permissions management system to your Linux kernel. Special objects (called trustees) are bound to every file or directory, and are stored in kernel memory, which allows fast lookup of all permissions. NSA Enhanced Linux (in package selinux). Backports of the SElinux-enabled packages are available at . More information available at , at and SElinux websites. The provided in the kernel-patch-exec-shield package. This patch provides protection against some buffer overflows (stack smashing attacks). The , provided by the kernel-patch-2.4-grsecurity and kernel-patch-grsecurity2 packages Notice that this patch conflicts with patches already included in Debian's 2.4 kernel source package. You will need to use the stock vanilla kernel. You can do this with the following steps: # apt-get install kernel-source-2.4.22 kernel-patch-debian-2.4.22 # tar xjf /usr/src/kernel-source-2.4.22.tar.bz2 # cd kernel-source-2.4.22 # /usr/src/kernel-patches/all/2.4.22/unpatch/debian

For more information see , , , , , , , and the implements Mandatory Access Control through RBAC, provides buffer overflow protection through PaX, ACLs, network randomness (to make OS fingerprinting more difficult) and . The kernel-patch-adamantix provides the patches developed for , a Debian-based distribution. This kernel patch for the 2.4.x kernel releases introduces some security features such as a non-executable stack through the use of and mandatory access control based on . Other features include: , AES encrypted loop device, MPPE support and an IPSEC v2.6 backport. cryptoloop-source. This patch allows you to use the functions of the kernel crypto API to create encrypted filesystems using the loopback device. IPSEC kernel support (in package linux-patch-openswan). If you want to use the IPsec protocol with Linux, you need this patch. You can create VPNs with this quite easily, even to Windows machines, as IPsec is a common standard. IPsec capabilities have been added to the 2.5 development kernel, so this feature will be present by default in the future Linux Kernel 2.6. Homepage: . FIXME: The latest 2.4 kernels provided in Debian include a backport of the IPSEC code from 2.5. Comment on this.

The following security kernel patches are only available for old kernel versions in woody and are deprecated: (ACLs) for Linux provided in the package kernel-patch-acl. This kernel patch adds access control lists, an advanced method for restricting access to files. It allows you to control fine-grained access to files and directories. The linux kernel patch by Solar Designer, provided in the kernel-patch-2.2.18-openwall package. This is a useful set of kernel restrictions, like restricted links, FIFOs in /tmp, a restricted /proc file system, special file descriptor handling, non-executable user stack area and other features. Note: This package applies to the 2.2 release, no packages are available for the 2.4 release patches provided by Solar. kernel-patch-int. This patch also adds cryptographic capabilities to the Linux kernel, and was useful with Debian releases up to Potato. It doesn't work with Woody, and if you are using Sarge or a newer version, you should use a more recent kernel which includes these features already.

However, some patches have not been provided in Debian yet. If you feel that some of these should be included please ask for it at the . Protecting against buffer overflows

Buffer overflow is the name of a common attack on software (so common, in fact, that buffer overflows have been the basis of 20% of the reported security vulnerabilities every year, as determined by ) which makes use of insufficient boundary checking (a programming error, most commonly in the C language) in order to execute machine code through program inputs. These attacks, against server software which listens for connections remotely and against local software which grants higher privileges to users (setuid or setgid), can result in the compromise of any given system.

There are mainly four methods to protect against buffer overflows: patch the kernel to prevent stack execution. You can use either: Exec-shield, OpenWall or PaX (included in the Grsecurity and Adamantix patches). fix the source code by using tools to find fragments of it that might introduce this vulnerability. recompile the source code to introduce proper checks that prevent overflows, using the patch for GCC (which is used by )

Debian GNU/Linux, as of the 3.0 release, provides software to introduce all of these methods except for the protection applied at source code compilation (but this has been requested in ).

Notice that even if Debian provided a compiler which featured stack/buffer overflow protection all packages would need to be recompiled in order to introduce this feature. This is, in fact, what the Adamantix distribution does (among other features). The effect of this new feature on the stability of software is yet to be determined (some programs or some processor architectures might break due to it).

In any case, be aware that even these workarounds might not prevent buffer overflows since there are ways to circumvent these, as described in phrack's magazine or in CORE's Advisory .

If you want to test out your buffer overflow protection once you have implemented it (regardless of the method) you might want to install the paxtest package and run the tests it provides. Kernel patch protection for buffer overflows

Kernel patches related to buffer overflows include the Openwall patch, which provides protection against buffer overflows in 2.2 linux kernels. For 2.4 or newer kernels, you need to use the Exec-shield implementation, or the PaX implementation (provided in the grsecurity patch, kernel-patch-2.4-grsecurity, and in the Adamantix patch, kernel-patch-adamantix). For more information on using these patches read the section . Testing programs for overflows

The use of tools to detect buffer overflows requires, in any case, programming experience in order to fix (and recompile) the code. Debian provides, for example: bfbtester (a buffer overflow tester that brute-forces binaries through command line and environment overflows). Other packages of interest would also be rats, pscan, flawfinder and splint. Secure file transfers

During normal system administration one usually needs to transfer files in and out from the installed system. Copying files in a secure manner from a host to another can be achieved by using the ssh server package. Another possibility is the use of ftpd-ssl, a ftp server which uses the Secure Socket Layer to encrypt the transmissions.

Any of these methods need special clients. Debian does provide client software, such as scp from the ssh package, which works like rcp but is encrypted completely, so the bad guys cannot even find out WHAT you copy. There is also a ftp-ssl package for the equivalent server. You can find clients for this software even for other (non-UNIX) operating systems: putty and winscp provide secure copy implementations for any version of Microsoft's operating system.

Note that using scp gives users access to the whole file system unless they are chroot'ed as described in . FTP access can be chroot'ed, probably more easily depending on your chosen daemon, as described in . If you are worried about users browsing your local files and want to have encrypted communication you can either use an ftp daemon with SSL support or combine clear-text ftp and a VPN setup (see ). File system limits and control Using quotas

Having a good quota policy is important, as it keeps users from filling up the hard disk(s).

You can use two different quota systems: user quota and group quota. As you probably figured out, user quota limits the amount of space a user can take up, group quota does the equivalent for groups. Keep this in mind when you're working out quota sizes.

There are a few important points to think about in setting up a quota system: Keep the quotas small enough, so users do not eat up your disk space. Keep the quotas big enough, so users do not complain or their mail quota keeps them from accepting mail over a longer period. Use quotas on all user-writable areas, on /home as well as on /tmp.

Every partition or directory to which users have full write access should be quota enabled. Calculate and assign a workable quota size for those partitions and directories which combines usability and security.

So, now you want to use quotas. First of all you need to check whether you enabled quota support in your kernel. If not, you will need to recompile it. After this, check whether the package quota is installed. If not you will need this one as well.

Enabling quota for the respective file systems is as easy as modifying the defaults setting to defaults,usrquota in your /etc/fstab file. If you need group quota, substitute grpquota for usrquota. You can also use them both. Then create empty quota.user and quota.group files in the roots of the file systems you want to use quotas on (e.g. touch /home/quota.user /home/quota.group for a /home file system).

Restart quota by doing /etc/init.d/quota stop;/etc/init.d/quota start. Now quota should be running, and quota sizes can be set.

Editing quotas for a specific user can be done by edquota -u <user>. Group quotas can be modified with edquota -g <group>. Then set the soft and hard quota and/or inode quotas as needed.

For more information about quotas, read the quota man page, and the quota mini-howto (/usr/share/doc/HOWTO/en-html/mini/Quota.html). You may also want to look at pam_limits.so. The ext2 filesystem specific attributes (chattr/lsattr)

In addition to the usual Unix permissions, the ext2 and ext3 filesystems offer a set of specific attributes that give you more control over the files on your system. Unlike the basic permissions, these attributes are not displayed by the usual ls -l command or changed using chmod, and you need two other utilities, lsattr and chattr (in package e2fsprogs) to manage them. Note that this means that these attributes will usually not be saved when you back up your system, so if you change any of them, it may be worth saving the successive chattr commands in a script so that you can set them again later if you have to restore a backup.

Among all available attributes, the two that are most important for increasing security are referenced by the letters 'i' and 'a', and they can only be set (or removed) by the superuser: The 'i' attribute ('immutable'): a file with this attribute can neither be modified nor deleted or renamed and no link can be created to it, even by the superuser. The 'a' attribute ('append'): this attribute has the same effect as the immutable attribute, except that you can still open the file in append mode. This means that you can still add more content to it but it is impossible to modify previous content. This attribute is especially useful for the log files stored in /var/log/, though you should consider that they get moved sometimes due to the log rotation scripts.

These attributes can also be set for directories, in which case everyone is denied the right to modify the contents of a directory list (e.g. rename or remove a file, ...). When applied to a directory, the append attribute only allows file creation.

It is easy to see how the 'a' attribute improves security, by giving to programs that are not running as the superuser the ability to add data to a file without modifying its previous content. On the other hand, the 'i' attribute seems less interesting: after all, the superuser can already use the basic Unix permissions to restrict access to a file, and an intruder that would get access to the superuser account could always use the chattr program to remove the attribute. Such an intruder may first be confused when he sees that he is not able to remove a file, but you should not assume that he is blind - after all, he got into your system! Some manuals (including a previous version of this document) suggest simply removing the chattr and lsattr programs from the system to increase security, but this kind of strategy, also known as "security by obscurity", is to be absolutely avoided, since it provides a false sense of security.

A secure way to solve this problem is to use the capabilities of the Linux kernel, as described in . The capability of interest here is called CAP_LINUX_IMMUTABLE: if you remove it from the capabilities bounding set (using for example the command lcap CAP_LINUX_IMMUTABLE) it won't be possible to change any 'a' or 'i' attribute on your system anymore, even by the superuser ! A complete strategy could be as follows: Set the attributes 'a' and 'i' on any file you want; Add the command lcap CAP_LINUX_IMMUTABLE (as well as lcap CAP_SYS_MODULE, as suggested in ) to one of the startup scripts; Set the 'i' attribute on this script and other startup files, as well as on the lcap binary itself; Execute the above command manually (or reboot your system to make sure everything works as planned).

Now that the capability has been removed from the system, an intruder cannot change any attribute on the protected files, and thus cannot change or remove the files. If he forces the machine to reboot (which is the only way to restore the capabilities bounding set), it will easily be detected, and the capability will be removed again as soon as the system restarts anyway. The only way to change a protected file would be to boot the system in single-user mode or using another bootdisk, two operations that require physical access to the machine ! Checking file system integrity

Are you sure /bin/login on your hard drive is still the binary you installed there some months ago? What if it is a hacked version, which stores the entered password in a hidden file or mails it in clear-text version all over the Internet?

The only method to have some kind of protection is to check your files every hour/day/month (I prefer daily) by comparing the actual and the old md5sum of this file. Two files cannot have the same md5sum (the MD5 digest is 128 bits, so the chance that two different files will have the same md5sum is roughly one in 3.4e3803), so you're on the safe side here, unless someone has also hacked the algorithm that creates md5sums on that machine. This is, well, extremely difficult and very unlikely. You really should consider this auditing of your binaries as very important, since it is an easy way to recognize changes to your binaries.

Common tools used for this are sxid, aide (Advanced Intrusion Detection Environment), tripwire, integrit and samhain. Installing debsums will also help you to check the file system integrity, by comparing the md5sums of every file against the md5sums used in the Debian package archive. But beware: those files can easily be changed by an attacker and not all packages provide md5sums listings for the binaries they provide. For more information please read and .

You might want to use locate to index the whole filesystem, if so, consider the implications of that. The Debian findutils package contains locate which runs as user nobody, and so it only indexes files which are visible to everybody. However, if you change its behaviour you will make all file locations visible to all users. If you want to index all the filesystem (not only the parts that the user nobody can see) you can replace locate with the package slocate. slocate is labeled as a security enhanced version of GNU locate, but it actually provides additional file-locating functionality. When using slocate, the user only sees the files he really has access to and you can exclude any files or directories on the system. The slocate package runs its update process with higher privileges than locate, and indexes every file. Users are then able to quickly search for every file which they are able to see. slocate doesn't let them see new files; it filters the output based on your UID.

You might want to use bsign or elfsign. elfsign provides a utility to add a digital signature to an ELF binary and a second utility to verify that signature. The current implementation uses PKI to sign the checksum of the binary. The benefits of doing this are that it enables one to determine if a binary has been modified and who created it. bsign uses GPG, elfsign uses PKI (X.509) certificates (OpenSSL). Setting up setuid check

The Debian checksecurity package provides a cron job that runs daily as /etc/cron.daily/checksecurity (in previous releases, checksecurity was integrated into cron and the file was /etc/cron.daily/standard). This cron job will run the /usr/sbin/checksecurity script, which will store information about these changes.

The default behavior does not send this information to the superuser but, instead keeps daily copies of the changes in /var/log/setuid.changes. You should set the MAILTO variable (in /etc/checksecurity.conf) to 'root' to have this information mailed to him. See for more configuration info. Securing network access

FIXME: More (Debian-specific) content needed. Configuring kernel network features

Many features of the kernel can be modified while running by echoing something into the /proc file system or by using sysctl. By entering /sbin/sysctl -A you can see what you can configure and what the options are, and it can be modified running /sbin/sysctl -w variable=value (see ). Only in rare cases do you need to edit something here, but you can increase security that way as well. For example: net/ipv4/icmp_echo_ignore_broadcasts = 1

This is a Windows emulator because it acts like Windows on broadcast ping if this option is set to 1. That is, ICMP echo requests sent to the broadcast address will be ignored. Otherwise, it does nothing.

If you want to prevent your system from answering ICMP echo requests, just enable this configuration option: net/ipv4/icmp_echo_ignore_all = 1

To log packets with impossible addresses (due to wrong routes) on your network use: /proc/sys/net/ipv4/conf/all/log_martians = 1

For more information on what things can be done with /proc/sys/net/ipv4/* read /usr/src/linux/Documentation/filesystems/proc.txt. All the options are described thoroughly under /usr/src/linux/Documentation/networking/ip-sysctl.txt In Debian the kernel-source-version packages copy the sources to /usr/src/kernel-source-version.tar.bz2, just substitute version with whatever kernel version sources you have installed. Configuring syncookies

This option is a double-edged sword. On the one hand it protects your system against syn packet flooding; on the other hand it violates defined standards (RFCs). net/ipv4/tcp_syncookies = 1

If you want to change this option each time the kernel is working you need to change it in /etc/network/options by setting syncookies=yes. This will take effect whenever /etc/init.d/networking is run (which is typically done at boot time) while the following will have a one-time effect until the reboot: echo 1 > /proc/sys/net/ipv4/tcp_syncookies

This option will only be available if the kernel is compiled with the CONFIG_SYNCOOKIES. All Debian kernels are compiled with this option builtin but you can verify it running: $ sysctl -A |grep syncookies net/ipv4/tcp_syncookies = 1

For more information on TCP syncookies read . Securing the network on boot-time

When setting configuration options for the kernel networking you need to configure it so that it's loaded every time the system is restarted. The following example enables many of the previous options as well as other useful options.

There are actually two ways to configure your network at boot time. You can configure /etc/sysctl.conf (see: ) or introduce a script that is called when the interface is enabled. The first option will be applied to all interfaces, whereas the second option allows you to configure this on a per-interface basis.

An example of a /etc/sysctl.conf configuration that will secure some network options at the kernel level is shown below. Notice the comment in it, /etc/network/options might override some values if they contradict those in this file when the /etc/init.d/networking is run (which is later than procps on the startup sequence). # # /etc/sysctl.conf - Configuration file for setting system variables # See sysctl.conf (5) for information. Also see the files under # Documentation/sysctl/, Documentation/filesystems/proc.txt, and # Documentation/networking/ip-sysctl.txt in the kernel sources # (/usr/src/kernel-$version if you have a kernel-package installed) # for more information of the values that can be defined here. # # Be warned that /etc/init.d/procps is executed to set the following # variables. However, after that, /etc/init.d/networking sets some # network options with builtin values. These values may be overridden # using /etc/network/options. # #kernel.domainname = example.com # Additional settings - adapted from the script contributed # by Dariusz Puchala (see below) # Ignore ICMP broadcasts net/ipv4/icmp_echo_ignore_broadcasts = 1 # # Ignore bogus ICMP errors net/ipv4/icmp_ignore_bogus_error_responses = 1 # # Do not accept ICMP redirects (prevent MITM attacks) net/ipv4/conf/all/accept_redirects = 0 # _or_ # Accept ICMP redirects only for gateways listed in our default # gateway list (enabled by default) # net/ipv4/conf/all/secure_redirects = 1 # # Do not send ICMP redirects (we are not a router) net/ipv4/conf/all/send_redirects = 0 # # Do not forward IP packets (we are not a router) # Note: Make sure that /etc/network/options has 'ip_forward=no' net/ipv4/conf/all/forwarding = 0 # # Enable TCP Syn Cookies # Note: Make sure that /etc/network/options has 'syncookies=yes' net/ipv4/tcp_syncookies = 1 # # Log Martian Packets net/ipv4/conf/all/log_martians = 1 # # Turn on Source Address Verification in all interfaces to # prevent some spoofing attacks # Note: Make sure 
that /etc/network/options has 'spoofprotect=yes' net/ipv4/conf/all/rp_filter = 1 # # Do not accept IP source route packets (we are not a router) net/ipv4/conf/all/accept_source_route = 0

To use the script you need to first create the script, for example, in /etc/network/interface-secure (the name is given as an example) and call it from /etc/network/interfaces like this: auto eth0 iface eth0 inet static address xxx.xxx.xxx.xxx netmask 255.255.255.xxx broadcast xxx.xxx.xxx.xxx gateway xxx.xxx.xxx.xxx pre-up /etc/network/interface-secure

In this example, before the interface eth0 is enabled the script will be called to secure all network interfaces as shown below. #!/bin/sh -e # Script-name: /etc/network/interface-secure # # Modifies some default behavior in order to secure against # some TCP/IP spoofing & attacks for all interfaces. # # Contributed by Dariusz Puchalak. # echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # Broadcast echo protection enabled. echo 0 > /proc/sys/net/ipv4/conf/all/forwarding # IP forwarding disabled. echo 1 > /proc/sys/net/ipv4/tcp_syncookies # TCP syn cookies protection enabled. echo 1 >/proc/sys/net/ipv4/conf/all/log_martians # Log strange packets. # (this includes spoofed packets, source routed packets, redirect packets) # but be careful with this on heavy loaded web servers. echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses # Bad error message protection enabled. # IP spoofing protection. echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter # Disable ICMP redirect acceptance. echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects # Disable source routed packets. echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route exit 0

Notice that you can actually have per-interface scripts that will enable different network options for different interfaces (if you have more than one), just change the pre-up line to: pre-up /etc/network/interface-secure $IFACE

And use a script which will only apply changes to a specific interface, not to all of the interfaces available. Notice that some networking options can only be enabled globally, however. A sample script is this one: #!/bin/sh -e # Script-name: /etc/network/interface-secure # # Modifies some default behavior in order to secure against # some TCP/IP spoofing & attacks for a given interface. # # Contributed by Dariusz Puchalak. # IFACE=$1 if [ -z "$IFACE" ] ; then echo "$0: Must give an interface name as argument!" echo "Usage: $0 <interface>" exit 1 fi if [ ! -e /proc/sys/net/ipv4/conf/$IFACE/ ]; then echo "$0: Interface $IFACE does not exit (cannot find /proc/sys/net/ipv4/conf/)" exit 1 fi echo 0 > /proc/sys/net/ipv4/conf/$IFACE/forwarding # IP forwarding disabled. echo 1 >/proc/sys/net/ipv4/conf/$IFACE/log_martians # Log strange packets. # (this includes spoofed packets, source routed packets, redirect packets) # but be careful with this on heavy loaded web servers. # IP spoofing protection. echo 1 > /proc/sys/net/ipv4/conf/$IFACE/rp_filter # Disable ICMP redirect acceptance. echo 0 > /proc/sys/net/ipv4/conf/$IFACE/accept_redirects echo 0 > /proc/sys/net/ipv4/conf/$IFACE/send_redirects # Disable source routed packets. echo 0 > /proc/sys/net/ipv4/conf/$IFACE/accept_source_route exit 0

An alternative solution is to create an init.d script and have it run on bootup (using update-rc.d to create the appropriate rc.d links). Configuring firewall features

In order to have firewall capabilities, either to protect the local system or others behind it, the kernel needs to be compiled with firewall capabilities. The standard Debian 2.2 kernel (Linux 2.2) provides the packet filter ipchains firewall, Debian 3.0 standard kernel (Linux 2.4) provides the stateful packet filter iptables (netfilter) firewall.

In any case, it is pretty easy to use a kernel different from the one provided by Debian. You can find pre-compiled kernels as packages you can easily install in the Debian system. You can also download the kernel sources using the kernel-source-X packages and build custom kernel packages using make-kpkg from the kernel-package package.

Setting up firewalls in Debian is discussed more thoroughly in . Disabling weak-end hosts issues

Systems with more than one interface on different networks can have services configured so that they will bind only to a given IP address. This usually prevents access to services when requested through any other address. However, this does not mean (although it is a common misconception) that the service is bound to a given hardware address (interface card). To reproduce this (example provided by Felix von Leitner on the Bugtraq mailing list): host a (eth0 connected to eth0 of host b): ifconfig eth0 10.0.0.1 ifconfig eth1 23.0.0.1 tcpserver -RHl localhost 23.0.0.1 8000 echo fnord host b: ifconfig eth0 10.0.0.2 route add 23.0.0.1 gw 10.0.0.1 telnet 23.0.0.1 8000

It seems, however, not to work with services bound to 127.0.0.1, you might need to write the tests using raw sockets.

This is not an ARP issue and it's not an RFC violation (it's called weak end host in , section 3.3.4.2). Remember, IP addresses have nothing to do with physical interfaces.

On 2.2 (and previous) kernels this can be fixed with: # echo 1 > /proc/sys/net/ipv4/conf/all/hidden # echo 1 > /proc/sys/net/ipv4/conf/eth0/hidden # echo 1 > /proc/sys/net/ipv4/conf/eth1/hidden .....

On later kernels this can be fixed either with: iptables rules. properly configured routing. The fact that this behavior can be changed through routing was described by Matthew G. Marsh in the Bugtraq thread: eth0 = 1.1.1.1/24 eth1 = 2.2.2.2/24 ip rule add from 1.1.1.1/32 dev lo table 1 prio 15000 ip rule add from 2.2.2.2/32 dev lo table 2 prio 16000 ip route add default dev eth0 table 1 ip route add default dev eth1 table 2 kernel patching. There are some patches available for this behavior as described in Bugtraq's thread at and .

Throughout this text there are many occasions in which it is shown how to configure some services (sshd server, apache, printer service...) in order to have them listening on a given address; the reader should take into account that, without the fixes given here, binding to an address alone would not prevent access from within the same (local) network. An attacker might have many problems pulling the access through after configuring the IP-address binding if he is not on the same broadcast domain (same network) as the attacked host. If the attack goes through a router it might be quite difficult for the answers to return somewhere.

FIXME: Comments on Bugtraq indicate there is a Linux specific method to bind to a given interface.

FIXME: Submit a bug against netbase so that the routing fix is standard behavior in Debian? Protecting against ARP attacks

When you don't trust the other boxes on your LAN (which should always be the case, because it's the safest attitude) you should protect yourself from the various existing ARP attacks.

As you know the ARP protocol is used to link IP addresses to MAC addresses (see for all the details). Every time you send a packet to an IP address an ARP resolution is done (first by looking into the local ARP cache then if the IP isn't present in the cache by broadcasting an ARP query) to find the target's hardware address. All the ARP attacks aim to fool your box into thinking that box B's IP address is associated to the intruder's box's MAC address; Then every packet that you want to send to the IP associated to box B will be sent to the intruder's box...

Those attacks (ARP cache poisoning, ARP spoofing...) allow the attacker to sniff the traffic even on switched networks, to easily hijack connections, to disconnect any host from the network... ARP attacks are powerful and simple to implement, and several tools exist, such as arpspoof from the dsniff package or .

However, there is always a solution: Use a static ARP cache. You can set up "static" entries in your ARP cache with: arp -s host_name hdwr_addr

By setting static entries for each important host in your network you ensure that nobody will create/modify a (fake) entry for these hosts (static entries don't expire and can't be modified) and spoofed ARP replies will be ignored. Detect suspicious ARP traffic. You can use arpwatch, karpski or more general IDS that can also detect suspicious ARP traffic (snort, ...). Implement IP traffic filtering validating the MAC address. Taking a snapshot of the system

Before putting the system into production you could take a snapshot of the whole system. This snapshot could be used in the event of a compromise (see ). You should redo this snapshot whenever the system is upgraded, especially if you upgrade to a new Debian release.

For this you can use writable removable media that can be set read-only; this could be a floppy disk (write-protected after use), a CD on a CD-ROM unit (you could use a rewritable CD-ROM so you could even keep backups of md5sums from different dates), or a USB disk or MMC card (if your system can access those and they can be write protected).

The following script creates such a snapshot: #!/bin/bash /bin/mount /dev/fd0 /mnt/floppy trap "/bin/umount /dev/fd0" 0 1 2 3 9 13 15 if [ ! -f /usr/bin/md5sum ] ; then echo "Cannot find md5sum. Aborting." exit 1 fi /bin/cp /usr/bin/md5sum /mnt/floppy echo "Calculating md5 database" >/mnt/floppy/md5checksums.txt for dir in /bin/ /sbin/ /usr/bin/ /usr/sbin/ /lib/ /usr/lib/ do find $dir -type f | xargs /usr/bin/md5sum >>/mnt/floppy/md5checksums-lib.txt done echo "post installation md5 database calculated" if [ ! -f /usr/bin/sha1sum ] ; then echo "Cannot find sha1sum" echo "WARNING: Only md5 database will be stored" else /bin/cp /usr/bin/sha1sum /mnt/floppy echo "Calculating SHA-1 database" >/mnt/floppy/sha1checksums.txt for dir in /bin/ /sbin/ /usr/bin/ /usr/sbin/ /lib/ /usr/lib/ do find $dir -type f | xargs /usr/bin/sha1sum >>/mnt/floppy/sha1checksums-lib.txt done echo "post installation sha1 database calculated" fi exit 0

Note that the md5sum binary (and sha1sum, if available) is placed on the floppy drive so it can be used later on to check the binaries of the system (just in case it gets trojaned). Note also that, as written, the script above writes its status line to md5checksums.txt (and sha1checksums.txt) but appends the actual checksums to md5checksums-lib.txt (and sha1checksums-lib.txt); if you want a single database per digest, use the same file name in both places. However, if you want to make sure that you are running a legitimate binary, you might want to either compile a static copy of the md5sum binary and use that one (to prevent a trojaned libc library from interfering with the binary) or to use the snapshot of md5sums only from a clean environment such as a rescue CD-ROM or a Live-CD (to prevent a trojaned kernel from interfering). I cannot stress this enough: if you are on a compromised system you cannot trust its output, see .

The snapshot does not include the files under /var/lib/dpkg/info which includes the MD5 hashes of installed packages (in files ending with .md5sums). You could copy this information along too, however you should note: the md5sums files include the md5sum of all files provided by the Debian packages, not just system binaries. As a consequence, that database is bigger (5 Mb versus 600 Kb in a Debian GNU/Linux system with a graphical system and around 2.5 Gb of software installed) and will not fit in small removable media (like a single floppy disk, but would probably fit in a removable USB memory). not all Debian packages provide md5sums for the files installed since it is not (currently) mandated policy. Notice, however, that you can generate the md5sums for all packages using debsums after you've finished the system installation: # debsums --generate=missing,keep

Once the snapshot is done you should make sure to set the medium read-only. You can then store it for backup or place it in the drive and use it to drive a cron check nightly comparing the original md5sums against those on the snapshot.

If you do not want to set up a manual check you can always use any of the integrity systems available that will do this and more, for more information please read . Other recommendations Do not use software depending on svgalib

SVGAlib is very nice for console lovers like me, but in the past it has been proven several times that it is very insecure. Exploits against zgv were released, and it was simple to become root. Try to prevent using SVGAlib programs wherever possible. harden-doc-3.15.1/howto-source/en/automatic.sgml0000644000000000000000000001177310714670004016415 0ustar Automatic hardening of Debian systems

After reading through all the information in the previous chapters you might be wondering "I have to do quite a lot of things in order to harden my system, couldn't these things be automated?". The answer is yes, but be careful with automated tools: a hardening tool does not eliminate the need for good administration. Do not be fooled into thinking that you can automate the whole process and that it will fix all the related issues. Security is an ongoing process in which the administrator must participate; you cannot just stand back and let the tools do all the work, since no single tool can cope with every security policy, every attack and every environment.

Since woody (Debian 3.0) there are two specific packages that are useful for security hardening. The harden package which takes an approach based on the package dependencies to quickly install valuable security packages and remove those with flaws, configuration of the packages must be done by the administrator. The bastille package that implements a given security policy on the local system based on previous configuration by the administrator (the building of the configuration can be a guided process done with simple yes/no questions). Harden

The harden package tries to make it more easy to install and administer hosts that need good security. This package should be used by people that want some quick help to enhance the security of the system. It automatically installs some tools that should enhance security in some way: intrusion detection tools, security analysis tools, etc. Harden installs the following virtual packages (i.e. no contents, just dependencies or recommendations on others): harden-tools: tools to enhance system security (integrity checkers, intrusion detection, kernel patches...) harden-environment: helps configure a hardened environment (currently empty). harden-servers: removes servers considered insecure for some reason. harden-clients: removes clients considered insecure for some reason. harden-remoteaudit: tools to remotely audit a system. harden-nids: helps to install a network intrusion detection system. harden-surveillance: helps to install tools for monitoring of networks and services. Useful packages which are not a dependence: harden-doc: provides this same manual and other security-related documentation packages. harden-development: development tools for creating more secure programs.

Be careful because if you have software you need (and which you do not wish to uninstall for some reason) and it conflicts with some of the packages above you might not be able to fully use harden. The harden packages do not (directly) do a thing. They do have, however, intentional package conflicts with known non-secure packages. This way, the Debian packaging system will not approve the installation of these packages. For example, when you try to install a telnet daemon with harden-servers, apt will say: # apt-get install telnetd The following packages will be REMOVED: harden-servers The following NEW packages will be installed: telnetd Do you want to continue? [Y/n]

This should set off some warnings in the administrator's head, who should then reconsider the action. Bastille Linux

is an automatic hardening tool originally oriented towards the RedHat and Mandrake Linux distributions. However, the bastille package provided in Debian (since woody) is patched in order to provide the same functionality for the Debian GNU/Linux system.

Bastille can be used with different frontends (all are documented in their own manpage in the Debian package) which enables the administrator to: Answer questions step by step regarding the desired security of your system (using ). Use a default setting for security (amongst three: Lax, Moderate or Paranoia) in a given setup (server or workstation) and let Bastille decide which security policy to implement (using ). Take a predefined configuration file (could be provided by Bastille or made by the administrator) and implement a given security policy (using ). harden-doc-3.15.1/howto-source/en/infrastructure.sgml0000644000000000000000000013753711643653207017526 0ustar Debian Security Infrastructure The Debian Security Team

Debian has a Security Team, that handles security in the stable distribution. Handling security means they keep track of vulnerabilities that arise in software (watching forums such as Bugtraq, or vuln-dev) and determine if the stable distribution is affected by it.

Also, the Debian Security Team is the contact point for problems that are coordinated by upstream developers or organizations such as which might affect multiple vendors. That is, when problems are not Debian-specific. The contact point of the Security Team is which only the members of the security team read.

Sensitive information should be sent to the first address and, in some cases, should be encrypted with the Debian Security Contact key (as found in the Debian keyring).

Once a probable problem is received by the Security Team it will investigate if the stable distribution is affected and if it is, a fix is made for the source code base. This fix will sometimes include backporting the patch made upstream (which usually is some versions ahead of the one distributed by Debian). After testing of the fix is done, new packages are prepared and published in the site so they can be retrieved through apt (see ). At the same time a Debian Security Advisory (DSA) is published on the web site and sent to public mailing lists including and Bugtraq.

Some other frequently asked questions on the Debian Security Team can be found at . Debian Security Advisories

Debian Security Advisories (DSAs) are made whenever a security vulnerability is discovered that affects a Debian package. These advisories, signed by one of the Security Team members, include information of the versions affected as well as the location of the updates. This information is: version number for the fix. problem type. whether it is remote or locally exploitable. short description of the package. description of the problem. description of the exploit. description of the fix.

DSAs are published both on and in the . Usually this does not happen until the website is rebuilt (every four hours) so they might not be present immediately. The preferred channel is the debian-security-announce mailing list.

Interested users can, however (and this is done in some Debian-related portals) use the RDF channel to download automatically the DSAs to their desktop. Some applications, such as Evolution (an email client and personal information assistant) and Multiticker (a GNOME applet), can be used to retrieve the advisories automatically. The RDF channel is available at .

DSAs published on the website might be updated after being sent to the public-mailing lists. A common update is adding cross references to security vulnerability databases. Also, translationsTranslations are available in up to ten different languages. of DSAs are not sent to the security mailing lists but are directly included in the website. Vulnerability cross references

Debian provides a fully including all the references available for all the advisories published since 1998. This table is provided to complement the .

You will notice that this table provides references to security databases such as , and as well as CVE names (see below). These references are provided for convenience use, but only CVE references are periodically reviewed and included.

Advantages of adding cross references to these vulnerability databases are: it makes it easier for Debian users to see and track which general (published) advisories have already been covered by Debian. system administrators can learn more about the vulnerability and its impact by following the cross references. this information can be used to cross-check output from vulnerability scanners that include references to CVE to remove false positives (see ). CVE compatibility

Debian Security Advisories were declared CVE-compatible on February 24, 2004. The full declaration is available at .

Debian developers understand the need to provide accurate and up to date information of the security status of the Debian distribution, allowing users to manage the risk associated with new security vulnerabilities. CVE enables us to provide standardized references that allow users to develop a .

The project is maintained by the MITRE Corporation and provides a list of standardized names for vulnerabilities and security exposures.

Debian believes that providing users with additional information related to security issues that affect the Debian distribution is extremely important. The inclusion of CVE names in advisories help users associate generic vulnerabilities with specific Debian updates, which reduces the time spent handling vulnerabilities that affect our users. Also, it eases the management of security in an environment where CVE-enabled security tools -such as network or host intrusion detection systems, or vulnerability assessment tools- are already deployed regardless of whether or not they are based on the Debian distribution.

Debian provides CVE names for all DSAs released since September 1998. All of the advisories can be retrieved on the Debian web site, and announcements related to new vulnerabilities include CVE names if available at the time of their release. Advisories associated with a given CVE name can be searched directly through the Debian Security Tracker (see below).

In some cases you might not find a given CVE name in published advisories, for example because: No Debian products are affected by that vulnerability. There is not yet an advisory covering that vulnerability (the security issue might have been reported as a but a fix has not been tested and uploaded). An advisory was published before a CVE name was assigned to a given vulnerability (look for an update at the web site). Security Tracker

The central database of what the Debian security teams know about vulnerabilities is the . It cross references packages, vulnerable and fixed versions for different suites, CVE names, Debian bug numbers, DSA's and miscellaneous notes. It can be searched, e.g. by CVE name to see which Debian packages are affected or fixed, or by package to show unresolved security issues. The only information missing from the tracker is confidential information that the security team received under embargo.

The package debsecan uses the information in the tracker to report to the administrator of a system which of the installed packages are vulnerable, and for which updates are available to fix security issues. Debian Security Build Infrastructure

Since Debian is currently supported in a large number of architectures, administrators sometimes wonder if a given architecture might take more time to receive security updates than another. As a matter of fact, except for rare circumstances, updates are available to all architectures at the same time.

Packages in the security archive are autobuilt, just like those in the regular archive. However, security updates differ somewhat from normal uploads sent by package maintainers: in some cases, before being published they need to wait until they can be tested further or an advisory written, or they may need to wait for a week or more so as not to publicize the flaw (an embargo) until all vendors have had a reasonable chance to fix it.

Thus, the security upload archive works with the following procedure: Someone finds a security problem. Someone fixes the problem, and makes an upload to security-master.debian.org's incoming (this someone is usually a Security Team member but can be also a package maintainer with an appropriate fix that has contacted the Security Team previously). The Changelog includes a testing-security or stable-security as target distribution. The upload gets checked and processed by a Debian system and moved into queue/accepted, and the buildds are notified. Files in here can be accessed by the security team and (somewhat indirectly) by the buildds. Security-enabled buildds pick up the source package (prioritized over normal builds), build it, and send the logs to the security team. The security team reply to the logs, and the newly built packages are uploaded to queue/unchecked, where they're processed by a Debian system, and moved into queue/accepted. When the security team find the source package acceptable (i.e., that it's been correctly built for all applicable architectures and that it fixes the security hole and doesn't introduce new problems of its own) they run a script which: installs the package into the security archive. updates the Packages, Sources and Release files of security.debian.org in the usual way (dpkg-scanpackages, dpkg-scansources, ...). sets up a template advisory that the security team can finish off. forwards the packages to the appropriate proposed-updates so that it can be included in the real archive as soon as possible.

This procedure, previously done by hand, was tested and put through during the freezing stage of Debian 3.0 woody (July 2002). Thanks to this infrastructure the Security Team was able to have updated packages ready for the apache and OpenSSH issues for all the supported (almost twenty) architectures in less than a day. Developer's guide to security updates

Debian developers who need to coordinate with the Security Team on fixing an issue in their packages can refer to the Developer's Reference section . Package signing in Debian

This section could also be titled "how to safely upgrade/update your Debian GNU/Linux system", and it deserves its own section because it is an important part of the security infrastructure. Package signing matters because it lets the client detect packages that have been tampered with, whether on a mirror or in transit through a man-in-the-middle attack. Automatic software updates are an important feature, but without verification they are also an attractive channel for distributing trojans and compromising systems during updates, so it is important to remove that threat

Some operating systems have already been plagued with automatic-updates problems such as the .

FIXME: probably the Internet Explorer vulnerability handling certificate chains has an impact on security updates on Microsoft Windows. .

Debian does not sign individual .deb packages; instead, the archive's Release file is signed, and since Debian 4.0 (codename etch) apt provides a mechanism to verify the integrity of downloaded packages against the checksum chain anchored in that signature

Older releases, such as Debian 3.1 sarge can use this feature by using backported versions of this package management tool

. For more information, see .

This issue is better described in the by V. Alex Brennen. The current scheme for package signature checks

The current scheme for package signature checking using apt is as follows: the Release file includes the MD5 sum of Packages.gz (which in turn contains the MD5 sums of the packages) and is signed with a key that apt has been configured to trust. This signed Release file is downloaded by 'apt-get update' and stored along with Packages.gz. When a package is going to be installed, it is first downloaded and its MD5 sum is computed. apt then checks the signature on the Release file, extracts from it the expected MD5 sum for the Packages.gz file, recomputes the checksum of Packages.gz and (if it matches) extracts from it the expected MD5 sum of the downloaded package. If the MD5 sum of the downloaded package matches the one in Packages.gz the package is installed; otherwise the administrator is alerted and the package is left in the cache (so the administrator can decide whether to install it or not). If the package is not listed in Packages.gz at all and the administrator has configured the system to install only checked packages, it will not be installed either. Note that the whole chain hangs on the Release signature and on the strength of the checksum: anything not covered by the signed Release file is unverified, and MD5 is already known to be weakening (see the discussion of checksums below), so the verification chain is only as strong as its hash.

By following the chain of MD5 sums apt is capable of verifying that a package originates from a specific release. This is less flexible than signing each package one by one, but can be combined with that scheme too (see below).

This scheme is implemented in apt 0.6 and has been available since the Debian 4.0 release. For more information see . Packages that provide a front-end to apt had to be modified to adapt to this new feature; aptitude, for example, had to be adapted to this scheme. Front-ends currently known to work properly with this feature include aptitude and synaptic.

Package signing has been discussed in Debian for quite some time, for more information you can read: and . Secure apt

The apt 0.6 release, available since Debian 4.0 etch and later releases, includes apt-secure (also known as secure apt) which is a tool that will allow a system administrator to test the integrity of the packages downloaded through the above scheme. This release includes the tool apt-key for adding new keys to apt's keyring, which by default includes only the current Debian archive signing key.

These changes are based on the patch for apt (available in ) which provides this implementation.

Secure apt works by checking the distribution through the Release file, as discussed in . Typically this process is transparent to the administrator, although you may need to intervene every year (until an automatic mechanism is developed; the debian-archive-keyring package now distributes the keys for the main Debian archive) to add the new archive key when it is rotated. For more information on the steps an administrator needs to take, see .

This feature is still under development; if you believe you have found a bug in it, please first make sure you are using the latest version (as this package might change quite a bit before it is finally released) and, if you are, submit a bug against the apt package.

You can find more information at and the official documentation: and . Per distribution release check

This section describes how the distribution release check mechanism works, it was written by Joey Hess and is also available at the . Basic concepts

Here are a few basic concepts that you'll need to understand for the rest of this section.

A checksum is a method of taking a file and boiling it down to a reasonably short number that uniquely identifies the content of the file. This is a lot harder to do well than it might seem, and the most commonly used type of checksum, the MD5 sum, is in the process of being broken.

Public key cryptography is based on pairs of keys, a public key and a private key. The public key is given out to the world; the private key must be kept a secret. Anyone possessing the public key can encrypt a message so that it can only be read by someone possessing the private key. It's also possible to use a private key to sign a file, not encrypt it. If a private key is used to sign a file, then anyone who has the public key can check that the file was signed by that key. No one who doesn't have the private key can forge such a signature.

These keys are quite long numbers (1024 to 2048 bits or longer), and to make them easier to work with they have a key id, a shorter 8 or 16 hexadecimal digit number that can be used to refer to them. Note that a key id is only a convenient label, not proof of identity: a short id can be shared by more than one key, so before trusting a key you should compare its full fingerprint against a copy obtained through an independent channel (see below).

gpg is the tool used in secure apt to sign files and check their signatures.

apt-key is a program that is used to manage a keyring of gpg keys for secure apt. The keyring is kept in the file /etc/apt/trusted.gpg (not to be confused with the related but not very interesting /etc/apt/trustdb.gpg). apt-key can be used to show the keys in the keyring, and to add or remove a key. Release checksums

A Debian archive contains a Release file, which is updated each time any of the packages in the archive change. Among other things, the Release file contains some MD5 sums of other files in the archive. An excerpt of an example Release file: MD5Sum: 6b05b392f792ba5a436d590c129de21f 3453 Packages 1356479a23edda7a69f24eb8d6f4a14b 1131 Packages.gz 2a5167881adc9ad1a8864f281b1eb959 1715 Sources 88de3533bf6e054d1799f8e49b6aed8b 658 Sources.gz

The Release files also include SHA-1 checksums, which will be useful once MD5 sums become fully broken, however apt doesn't use them yet.

Now if we look inside a Packages file, we'll find more MD5 sums, one for each package listed in it. For example: Package: uqm Priority: optional ... Filename: unstable/uqm_0.4.0-1_i386.deb Size: 580558 MD5sum: 864ec6157c1eea88acfef44d0f34d219

apt uses these two checksums: first to verify that it has downloaded a correct copy of the Packages file, with an md5sum matching the one in the Release file, and then, when it downloads an individual package, to check that package's md5sum against the entry in the Packages file. If apt fails at either of these steps, it will abort.

None of this is new in secure apt, but it does provide the foundation. Notice that so far there is one file that apt doesn't have a way to check: The Release file. Secure apt is all about making apt verify the Release file before it does anything else with it, and plugging this hole, so that there is a chain of verification from the package that you are going to install all the way back to the provider of the package. Verification of the Release file

To verify the Release file, a gpg signature is added for the Release file. This is put in a file named Release.gpg that is shipped alongside the Release file. It looks something like this Technically speaking, this is an ASCII-armored detached gpg signature. , although only gpg actually looks at its contents normally: -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) iD8DBQBCqKO1nukh8wJbxY8RAsfHAJ9hu8oGNRAl2MSmP5+z2RZb6FJ8kACfWvEx UBGPVc7jbHHsg78EhMBlV/U= =x6og -----END PGP SIGNATURE----- Check of Release.gpg by apt

Secure apt always downloads Release.gpg files when it's downloading Release files, and if it cannot download the Release.gpg, or if the signature is bad, it will complain, and will make note that the Packages files that the Release file points to, and all the packages listed therein, are from an untrusted source. Here's how it looks during an apt-get update: W: GPG error: http://ftp.us.debian.org testing Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 010908312D230C5F

Note that the second half of the long number is the key id of the key that apt doesn't know about, in this case that's 2D230C5F.

If you ignore that warning and try to install a package later, apt will warn again: WARNING: The following packages cannot be authenticated! libglib-perl libgtk2-perl Install these packages without verification [y/N]?

If you say Y here you have no way to know whether the file you are getting is the package you are supposed to install, or something else entirely that somebody who can intercept the communication with the server (or has poisoned your DNS, or is spoofing the server, or has replaced the file on the mirror you are using, etc.) has arranged for you, containing a nasty surprise.

Note that you can disable these checks by running apt with --allow-unauthenticated. Doing so discards the entire verification chain described above for that run, so it should be used only as a deliberate, one-off decision for a repository you have verified by other means, and never baked into scripts or unattended upgrades.

It's also worth noting that newer versions of the Debian installer use the same signed Release file mechanism during their debootstrap of the Debian base system, before apt is available, and that the installer even uses this system to verify pieces of itself that it downloads from the net. Also, Debian does not currently sign the Release files on its CDs; apt can be configured to always trust packages from CDs so this is not a large problem, bearing in mind that this moves the trust to the CD itself and therefore only holds if the image was obtained from a trusted source. How to tell apt what to trust

So the security of the whole system depends on there being a Release.gpg file, which signs a Release file, and of apt checking that signature using gpg. To check the signature, it has to know the public key of the person who signed the file. These keys are kept in apt's own keyring (/etc/apt/trusted.gpg), and managing the keys is where secure apt comes in.

By default, Debian systems come preconfigured with the Debian archive key in the keyring. # apt-key list /etc/apt/trusted.gpg -------------------- pub 1024D/4F368D5D 2005-01-31 [expires: 2006-01-31] uid Debian Archive Automatic Signing Key (2005) <ftpmaster@debian.org>

Here 4F368D5D is the key id, and notice that this key was only valid for a one year period. Debian rotates these keys as a last line of defense against some sort of security breach breaking a key.

That will make apt trust the official Debian archive, but if you add some other apt repository to /etc/apt/sources.list, you'll also have to give apt its key if you want apt to trust it. Once you have the key and have verified it, it's a simple matter of running apt-key add file to add it. Getting the key and verifying it are the trickier parts. Finding the key for a repository

The debian-archive-keyring package is used to distribute keys to apt. Upgrades to this package can add (or remove) gpg keys for the main Debian archive.

For other archives, there is not yet a standard location where you can find the key for a given apt repository. There's a rough standard of putting the key up on the web page for the repository or as a file in the repository itself, but no real standard, so you might have to hunt for it.

The Debian archive signing key is available at (replace 2006 with current year)."ziyi" is the name of the tool used for signing on the Debian servers, the name is based on the name of a .

gpg itself has a standard way to distribute keys, using a keyserver from which gpg can download a key and add it to its keyring. Bear in mind that a keyserver fetch only gives you a key that claims to have that id and user id; anyone can upload a key under any name, so what you receive still has to be verified against the fingerprint (see below). For example: $ gpg --keyserver pgpkeys.mit.edu --recv-key 2D230C5F gpg: requesting key 2D230C5F from hkp server pgpkeys.mit.edu gpg: key 2D230C5F: public key "Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>" imported gpg: Total number processed: 1 gpg: imported: 1

You can then export that key from your own keyring and feed it to apt-key: $ gpg -a --export 2D230C5F | sudo apt-key add - gpg: no ultimately trusted keys found OK

The "gpg: no ultimately trusted keys found" warning means that gpg was not configured to ultimately trust a specific key. Trust settings are part of OpenPGP's Web of Trust, which does not apply here, so this warning is harmless. (In typical setups the user's own key is ultimately trusted.) Safely adding a key

By adding a key to apt's keyring, you're telling apt to trust everything signed by the key, and this lets you know for sure that apt won't install anything not signed by the person who possesses the private key. But if you're sufficiently paranoid, you can see that this just pushes things up a level: now, instead of having to worry whether a package or a Release file is valid, you have to worry about whether you've actually gotten the right key. Is the file mentioned above really Debian's archive signing key, or has it been modified (or is this document lying)?

It's good to be paranoid in security, but verifying things from here is harder. gpg has the concept of a chain of trust, which can start at someone you're sure of, who signs someone's key, who signs some other key, etc., until you get to the archive key. If you're sufficiently paranoid you'll want to check that your archive key is signed by a key that you can trust, with a trust chain that goes back to someone you know personally. If you want to do this, visit a Debian conference or perhaps a local LUG for a key signing Not all apt repository keys are signed at all by another key. Maybe the person setting up the repository doesn't have another key, or maybe they don't feel comfortable signing such a role key with their main key. For information on setting up a key for a repository see . .

If you can't afford this level of paranoia, do whatever feels appropriate to you when adding a new apt source and a new key. Maybe you'll want to mail the person providing the key and verify it, or maybe you're willing to take your chances with downloading it and assuming you got the real thing. The important thing is that by reducing the problem to what archive keys to trust, secure apt lets you be as careful and secure as it suits you to be. Verifying key integrity

You can verify the fingerprint as well as the signatures on the key. The fingerprint can be obtained from multiple independent sources: you can check , talk to Debian Developers on IRC, read the mailing list where the key change is announced, or use any other means to confirm it. The fingerprint must come from a channel other than the one you fetched the key through (the plain HTTP download below is exactly the kind of transfer an attacker could tamper with), otherwise the check proves nothing. For example you can do this: $ GET http://ftp-master.debian.org/ziyi_key_2006.asc | gpg --import gpg: key 2D230C5F: public key "Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>" imported gpg: Total number processed: 1 gpg: imported: 1 $ gpg --check-sigs --fingerprint 2D230C5F pub 1024D/2D230C5F 2006-01-03 [expires: 2007-02-07] Key fingerprint = 0847 50FC 01A6 D388 A643 D869 0109 0831 2D23 0C5F uid Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org> sig!3 2D230C5F 2006-01-03 Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org> sig! 2A4E3EAA 2006-01-03 Anthony Towns <aj@azure.humbug.org.au> sig! 4F368D5D 2006-01-03 Debian Archive Automatic Signing Key (2005) <ftpmaster@debian.org> sig! 29982E5A 2006-01-04 Steve Langasek <vorlon@dodds.net> sig! FD6645AB 2006-01-04 Ryan Murray <rmurray@cyberhqz.com> sig! AB2A91F5 2006-01-04 James Troup <james@nocrew.org> Then look for a trust path from your key (or a key you trust) to at least one of the keys used to sign the archive key. If you are sufficiently paranoid you will tell apt to trust the key only if you find an acceptable path: $ gpg --export -a 2D230C5F | sudo apt-key add - Ok

Note that the key is signed with the previous archive key, so theoretically you can just build on your previous trust. Debian archive key yearly rotation

As mentioned above, the Debian archive signing key is changed each year, in January. Since secure apt is young, we don't have a great deal of experience with changing the key and there are still rough spots.

In January 2006, a new key for 2006 was made and the Release file began to be signed by it, but to try to avoid breaking systems that had the old 2005 key, the Release file was signed by that as well. The intent was that apt would accept one signature or the other depending on the key it had, but apt turned out to be buggy and refused to trust the file unless it had both keys and was able to check both signatures. This was fixed in apt version 0.6.43.1. There was also confusion about how the key was distributed to users who already had systems using secure apt; initially it was uploaded to the web site with no announcement and no real way to verify it and users were forced to download it by hand.

Following the January 2006 rotation described above, and in order to end the confusion over how to distribute a new key to users who already had systems using secure apt, the debian-archive-keyring package was introduced; it manages apt keyring updates for the Debian archive, so that new archive keys arrive through the same signed package update channel as everything else. Known release checking problems

One not so obvious problem is that if your clock is very far off, secure apt will not work. If it's set to a date in the past, such as 1999, apt will fail with an unhelpful message such as this: W: GPG error: http://archive.progeny.com sid Release: Unknown error executing gpg

Although apt-key list will make the problem plain: gpg: key 2D230C5F was created 192324901 seconds in the future (time warp or clock problem) gpg: key 2D230C5F was created 192324901 seconds in the future (time warp or clock problem) pub 1024D/2D230C5F 2006-01-03 uid Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>

If it's set to a date too far in the future, apt will treat the keys as expired.

Another problem you may encounter when using testing or unstable is that if you have not run apt-get update lately and then apt-get install a package, apt might complain that the package cannot be authenticated (the exact cause is not documented here). Running apt-get update will fix this. Manual per distribution release check

In case you want to add the additional security checks now but do not want to, or cannot, run the latest apt version (either because you are using the stable release, sarge, or an older release, or because you do not want to use the latest apt version, although we would really appreciate testing of it), you can use the script below, provided by Anthony Towns. This script can automatically do some security checks that allow the user to be sure that the software being downloaded matches the software Debian is distributing. This stops Debian developers from hacking into someone's system without the accountability provided by uploading to the main archive, mirrors serving something almost, but not quite, like Debian, and mirrors providing out-of-date copies of unstable with known security problems.

This sample code, renamed as apt-check-sigs, should be used in the following way: # apt-get update # apt-check-sigs (...results...) # apt-get dist-upgrade

First you need to: get the keys the archive software uses to sign Release files, and add them to ~/.gnupg/trustedkeys.gpg (which is what gpgv uses by default). gpg --no-default-keyring --keyring trustedkeys.gpg --import ziyi_key_2006.asc remove any /etc/apt/sources.list lines that don't use the normal "dists" structure, or change the script so that it works with them. be prepared to ignore the fact that Debian security updates don't have signed Release files, and that Sources files don't have appropriate checksums in the Release file (yet). be prepared to check that the appropriate sources are signed by the appropriate keys.

This is the example code for apt-check-sigs, the latest version can be retrieved from . This code is currently in beta, for more information read .
#!/bin/bash
# Copyright (c) 2001 Anthony Towns <ajt@debian.org>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# apt-check-sigs: verify that the index files apt has fetched into
# /var/lib/apt/lists match the checksums published in each source's
# signed Release file. For every http/ftp line in /etc/apt/sources.list
# the script downloads dists/<dist>/Release and Release.gpg, checks the
# signature with gpgv (which trusts the keys in ~/.gnupg/trustedkeys.gpg
# by default), and then compares the MD5 sum and size of the local
# Release/Packages (or Release/Sources) files against the entries in that
# Release file. Results are classified as OK, MISSING, NOCHECK, BAD or
# UNVALIDATED and printed at the end; when run as root, the BAD and
# NOCHECK list files are renamed to *.FAILED so that apt ignores them.
#
# NOTE(review): the script never sets a non-zero exit status on failure -
# it only prints warnings or "Everything seems okay!" - so a caller that
# runs it before apt-get dist-upgrade must read the output rather than
# rely on $?.
# NOTE(review): several tokens in this listing look like they lost a space
# when the document was converted (e.g. "cut -d\ -f1", "/var/lib /apt/lists",
# "${rest %% *}", "s/ */ /g", and the leading " * " / " o " of messages);
# compare against the upstream script before running it.

# Scratch directory. NOTE(review): a fixed name under the shared /tmp is
# removed and recreated here, which is a symlink/race hazard when the
# script runs as root; mktemp -d would be the safer choice.
rm -rf /tmp/apt-release-check
mkdir /tmp/apt-release-check || exit 1
cd /tmp/apt-release-check

# Per-category result lists, one list file name per line (created empty).
>OK
>MISSING
>NOCHECK
>BAD

arch=`dpkg --print-installation-architecture`

# True when running as root (only then are failed list files renamed).
am_root () {
    [ `id -u` -eq 0 ]
}

# get_md5sumsize RELEASE PATH: print "<md5> <size>" for PATH from the
# MD5Sum: section of RELEASE (the awk range ends at the SHA1: header),
# or nothing when PATH is not listed there.
# NOTE(review): only the MD5Sum section is consulted; any SHA1/SHA256
# entries in the Release file are ignored, so the check is no stronger
# than MD5.
get_md5sumsize () {
    cat "$1" | awk '/^MD5Sum:/,/^SHA1:/' |
      MYARG="$2" perl -ne '@f = split /\s+/; if ($f[3] eq $ENV{"MYARG"}) { print "$f[1] $f[2]\n"; exit(0); }'
}

# checkit FILE LOOKUP: compare /var/lib/apt/lists/FILE with the entry for
# LOOKUP in ./Release. Appends FILE to at most one of the result lists and
# echoes the verdict so the caller can capture it:
#   OK      - checksum and size match (or file absent and not listed)
#   MISSING - listed in Release but absent locally
#   NOCHECK - present locally but not listed (also the case when Release
#             was truncated because it had no valid signature)
#   BAD     - present and listed, but checksum or size differ
checkit () {
    local FILE="$1"
    local LOOKUP="$2"
    Y="`get_md5sumsize Release "$LOOKUP"`"
    # Normalise whitespace so the comparison with X below is exact.
    Y="`echo "$Y" | sed 's/^ *//;s/ */ /g'`"

    if [ ! -e "/var/lib/apt/lists/$FILE" ]; then
        if [ "$Y" = "" ]; then
            # No file, but not needed anyway
            echo "OK"
            return
        fi
        echo "$FILE" >>MISSING
        echo "MISSING $Y"
        return
    fi
    if [ "$Y" = "" ]; then
        echo "$FILE" >>NOCHECK
        echo "NOCHECK"
        return
    fi
    # Local "<md5> <size>", normalised the same way as Y.
    X="`md5sum < /var/lib/apt/lists/$FILE | cut -d\ -f1` `wc -c < /var/lib /apt/lists/$FILE`"
    X="`echo "$X" | sed 's/^ *//;s/ */ /g'`"
    if [ "$X" != "$Y" ]; then
        echo "$FILE" >>BAD
        echo "BAD"
        return
    fi
    echo "$FILE" >>OK
    echo "OK"
}

echo
echo "Checking sources in /etc/apt/sources.list:"
echo "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
echo
(echo "You should take care to ensure that the distributions you're downloading "
echo "are the ones you think you are downloading, and that they are as up to"
echo "date as you would expect (testing and unstable should be no more than"
echo "two or three days out of date, stable-updates no more than a few weeks"
echo "or a month)."
) | fmt
echo

# One pass per non-comment sources.list line. Only http and ftp sources are
# handled; a line with any other transport is skipped silently.
# NOTE(review): only /etc/apt/sources.list is read, not sources.list.d/.
cat /etc/apt/sources.list | sed 's/^ *//' | grep '^[^#]' | while read ty url dist comps; do
    if [ "${url%%:*}" = "http" -o "${url%%:*}" = "ftp" ]; then
        baseurl="${url#*://}"
    else
        continue
    fi
    echo "Source: ${ty} ${url} ${dist} ${comps}"
    rm -f Release Release.gpg
    # The lynx call fetches the URL first with its output discarded -
    # presumably to make a caching proxy refetch it (TODO confirm); the
    # wget call is the download that is actually used.
    lynx -reload -dump "${url}/dists/${dist}/Release" >/dev/null 2>&1
    wget -q -O Release "${url}/dists/${dist}/Release"
    if ! grep -q '^' Release; then
        echo " * NO TOP-LEVEL Release FILE"
        # Leave an empty Release so every component below becomes NOCHECK.
        >Release
    else
        origline=`sed -n 's/^Origin: *//p' Release | head -1`
        lablline=`sed -n 's/^Label: *//p' Release | head -1`
        suitline=`sed -n 's/^Suite: *//p' Release | head -1`
        codeline=`sed -n 's/^Codename: *//p' Release | head -1`
        dateline=`grep "^Date:" Release | head -1`
        dscrline=`grep "^Description:" Release | head -1`
        echo " o Origin: $origline/$lablline"
        echo " o Suite: $suitline/$codeline"
        echo " o $dateline"
        echo " o $dscrline"
        # Warn when the Release file describes a different suite than the
        # sources.list line asked for.
        if [ "${dist%%/*}" != "$suitline" -a "${dist%%/*}" != "$codeline" ]; then
            echo " * WARNING: asked for $dist, got $suitline/$codeline"
        fi
        lynx -reload -dump "${url}/dists/${dist}/Release.gpg" >/dev/null 2>&1
        wget -q -O Release.gpg "${url}/dists/${dist}/Release.gpg"
        # gpgv's machine-readable status lines go to fd 3, which is routed
        # into the pipe; its normal output is discarded. The subshell folds
        # the "[GNUPG:] CODE ..." lines into a verdict: a GOODSIG counts
        # only if no SIGREVOKED/SIGEXPIRED status preceded it. Without a
        # valid signature the Release file is truncated, so every component
        # below ends up NOCHECK instead of being trusted.
        gpgv --status-fd 3 Release.gpg Release 3>&1 >/dev/null 2>&1 | sed -n "s/^\[GNUPG:\] //p" | (okay=0; err=""; while read gpgcode rest; do
            if [ "$gpgcode" = "GOODSIG" ]; then
                if [ "$err" != "" ]; then
                    echo " * Signed by ${err# } key: ${rest#* }"
                else
                    echo " o Signed by: ${rest#* }"
                    okay=1
                fi
                err=""
            elif [ "$gpgcode" = "BADSIG" ]; then
                echo " * BAD SIGNATURE BY: ${rest#* }"
                err=""
            elif [ "$gpgcode" = "ERRSIG" ]; then
                echo " * COULDN'T CHECK SIGNATURE BY KEYID: ${rest %% *}"
                err=""
            elif [ "$gpgcode" = "SIGREVOKED" ]; then
                err="$err REVOKED"
            elif [ "$gpgcode" = "SIGEXPIRED" ]; then
                err="$err EXPIRED"
            fi
        done
        if [ "$okay" != 1 ]; then
            echo " * NO VALID SIGNATURE"
            >Release
        fi)
    fi
    # Per component, check the Release and Packages files (deb) or the
    # Release and Sources files (deb-src). The local list file name is the
    # URL with each run of slashes replaced by "_" - presumably matching
    # how apt names files in /var/lib/apt/lists (the UNVALIDATED diff
    # below relies on that).
    okaycomps=""
    for comp in $comps; do
        if [ "$ty" = "deb" ]; then
            X=$(checkit "`echo "${baseurl}/dists/${dist}/${comp}/binary-${arch}/Release" | sed 's,//*,_,g'`" "${comp}/binary-${arch}/Release")
            Y=$(checkit "`echo "${baseurl}/dists/${dist}/${comp}/binary-${arch}/Packages" | sed 's,//*,_,g'`" "${comp}/binary-${arch}/Packages")
            if [ "$X $Y" = "OK OK" ]; then
                okaycomps="$okaycomps $comp"
            else
                echo " * PROBLEMS WITH $comp ($X, $Y)"
            fi
        elif [ "$ty" = "deb-src" ]; then
            X=$(checkit "`echo "${baseurl}/dists/${dist}/${comp}/source/Release" | sed 's,//*,_,g'`" "${comp}/source/Release")
            Y=$(checkit "`echo "${baseurl}/dists/${dist}/${comp}/source/Sources" | sed 's,//*,_,g'`" "${comp}/source/Sources")
            if [ "$X $Y" = "OK OK" ]; then
                okaycomps="$okaycomps $comp"
            else
                echo " * PROBLEMS WITH component $comp ($X, $Y)"
            fi
        fi
    done
    [ "$okaycomps" = "" ] || echo " o Okay:$okaycomps"
    echo
done

echo "Results"
echo "~~~~~~~"
echo

allokay=true

# Any top-level file in /var/lib/apt/lists whose name contains "_" and
# that no checkit call classified is reported as UNVALIDATED.
# NOTE(review): GNU find warns when -maxdepth comes after -type; the
# result is unchanged.
cd /tmp/apt-release-check
diff <(cat BAD MISSING NOCHECK OK | sort) <(cd /var/lib/apt/lists && find . -type f -maxdepth 1 | sed 's,^\./,,g' | grep '_' | sort) | sed -n 's/^> //p' >UNVALIDATED

cd /tmp/apt-release-check
if grep -q ^ UNVALIDATED; then
    allokay=false
    (echo "The following files in /var/lib/apt/lists have not been validated."
    echo "This could turn out to be a harmless indication that this script"
    echo "is buggy or out of date, or it could let trojaned packages get onto"
    echo "your system."
    ) | fmt
    echo
    sed 's/^/ /' < UNVALIDATED
    echo
fi

if grep -q ^ BAD; then
    allokay=false
    (echo "The contents of the following files in /var/lib/apt/lists does not"
    echo "match what was expected. This may mean these sources are out of date,"
    echo "that the archive is having problems, or that someone is actively"
    echo "using your mirror to distribute trojans."
    # The rename happens inside the subshell whose output feeds fmt, so the
    # message and the side effect always occur together. The list names are
    # expanded unquoted; they were built from sources.list URLs above.
    if am_root; then
        echo "The files have been renamed to have the extension .FAILED and"
        echo "will be ignored by apt."
        cat BAD | while read a; do
            mv /var/lib/apt/lists/$a /var/lib/apt/lists/${a}.FAILED
        done
    fi) | fmt
    echo
    sed 's/^/ /' < BAD
    echo
fi

if grep -q ^ MISSING; then
    allokay=false
    (echo "The following files from /var/lib/apt/lists were missing. This"
    echo "may cause you to miss out on updates to some vulnerable packages."
    ) | fmt
    echo
    sed 's/^/ /' < MISSING
    echo
fi

if grep -q ^ NOCHECK; then
    allokay=false
    (echo "The contents of the following files in /var/lib/apt/lists could not"
    echo "be validated due to the lack of a signed Release file, or the lack"
    echo "of an appropriate entry in a signed Release file. This probably"
    echo "means that the maintainers of these sources are slack, but may mean"
    echo "these sources are being actively used to distribute trojans."
    # Same root-only rename as for BAD above.
    if am_root; then
        echo "The files have been renamed to have the extension .FAILED and"
        echo "will be ignored by apt."
        cat NOCHECK | while read a; do
            mv /var/lib/apt/lists/$a /var/lib/apt/lists/${a}.FAILED
        done
    fi) | fmt
    echo
    sed 's/^/ /' < NOCHECK
    echo
fi

if $allokay; then
    echo 'Everything seems okay!'
    echo
fi

rm -rf /tmp/apt-release-check

You might need to apply the following patch for sid since md5sum adds an '-' after the sum when the input is stdin: @@ -37,7 +37,7 @@ local LOOKUP="$2" Y="`get_md5sumsize Release "$LOOKUP"`" - Y="`echo "$Y" | sed 's/^ *//;s/ */ /g'`" + Y="`echo "$Y" | sed 's/-//;s/^ *//;s/ */ /g'`" if [ ! -e "/var/lib/apt/lists/$FILE" ]; then if [ "$Y" = "" ]; then @@ -55,7 +55,7 @@ return fi X="`md5sum < /var/lib/apt/lists/$FILE` `wc -c < /var/lib/apt/lists/$FILE`" - X="`echo "$X" | sed 's/^ *//;s/ */ /g'`" + X="`echo "$X" | sed 's/-//;s/^ *//;s/ */ /g'`" if [ "$X" != "$Y" ]; then echo "$FILE" >>BAD echo "BAD" Release check of non Debian sources

Notice that, when using the latest apt version (with secure apt) no extra effort should be required on your part unless you use non-Debian sources, in which case an extra confirmation step will be required by apt-get. This is avoided by providing Release and Release.gpg files in the non-Debian sources. The Release file can be generated with apt-ftparchive (available in apt-utils 0.5.0 and later), the Release.gpg is just a detached signature. To generate both follow this simple procedure: $ rm -f dists/unstable/Release $ apt-ftparchive release dists/unstable > dists/unstable/Release $ gpg --sign -ba -o dists/unstable/Release.gpg dists/unstable/Release Alternative per-package signing scheme

The additional scheme of signing each and every package allows packages to be checked when they are no longer referenced by an existing Packages file, and also allows third-party packages for which no Packages file ever existed to be used in Debian, but it will not be the default scheme.

This package signing scheme can be implemented using debsig-verify and debsigs. These two packages can sign and verify embedded signatures in the .deb itself. Debian already has the capability to do this now, but there is no plan to implement the policy or other tools, since the archive signing scheme is preferred. These tools are available for users and archive administrators who would rather use this scheme instead.

Latest dpkg versions (since 1.9.21) incorporate a that provides this functionality as soon as debsig-verify is installed.

NOTE: Currently /etc/dpkg/dpkg.cfg ships with "no-debsig" as per default.

NOTE2: Signatures from developers are currently stripped when they enter off the package archive since the currently preferred method is release checks as described previously. harden-doc-3.15.1/howto-source/en/faq.sgml0000644000000000000000000016142411644267516015212 0ustar Frequently asked Questions (FAQ)

This chapter introduces some of the most common questions from the Debian security mailing list. You should read them before posting there or else people might tell you to RTFM. Security in the Debian operating system Is Debian more secure than X?

A system is only as secure as its administrator is capable of making it. Debian's default installation of services aims to be secure, but may not be as paranoid as some other operating systems which install all services disabled by default. In any case, the system administrator needs to adapt the security of the system to his local security policy.

For a collection of data regarding security vulnerabilities for many operating systems, see the or generate stats using the (formerly ICAT) Is this data useful? There are several factors to consider when interpreting the data, and it is worth noticing that the data cannot be used to compare the vulnerabilities of one operating system versus another.For example, based on some data, it might seem that Windows NT is more secure than Linux, which is a questionable assertion. After all, Linux distributions usually provide many more applications compared to Microsoft's Windows NT. This counting vulnerabilities issues are better described in by David A. Wheeler Also, keep in mind that some reported vulnerabilities regarding Debian apply only to the unstable (i.e. unreleased) branch. Is Debian more secure than other Linux distributions (such as Red Hat, SuSE...)?

There are not really many differences between Linux distributions, with exceptions to the base installation and package management system. Most distributions share many of the same applications, with differences mainly in the versions of these applications that are shipped with the distribution's stable release. For example, the kernel, Bind, Apache, OpenSSH, Xorg, gcc, zlib, etc. are all common across Linux distributions.

For example, Red Hat was unlucky and shipped when foo 1.2.3 was current, which was then later found to have a security hole. Debian, on the other hand, was lucky enough to ship foo 1.2.4, which incorporated the bug fix. That was the case in the big problem from a couple years ago.

There is a lot of collaboration between the respective security teams for the major Linux distributions. Known security updates are rarely, if ever, left unfixed by a distribution vendor. Knowledge of a security vulnerability is never kept from another distribution vendor, as fixes are usually coordinated upstream, or by . As a result, necessary security updates are usually released at the same time, and the relative security of the different distributions is very similar.

One of Debian's main advantages with regards to security is the ease of system updates through the use of apt. Here are some other aspects of security in Debian to consider: Debian provides more security tools than other distributions, see . Debian's standard installation is smaller (less functionality), and thus more secure. Other distributions, in the name of usability, tend to install many services by default, and sometimes they are not properly configured (remember the ). Debian's installation is not as limited as OpenBSD (no daemons are active per default), but it's a good compromise. Without diminishing the fact that some distributions, such as Red Hat or Mandrake, are also taking into account security in their standard installations by having the user select security profiles, or using wizards to help with configuration of personal firewalls. Debian documents best security practices in documents like this one. There are many Debian bugs in Bugtraq. Does this mean that it is very vulnerable?

The Debian distribution boasts a large and growing number of software packages, probably more than provided by many proprietary operating systems. The more packages installed, the greater the potential for security issues in any given system.

More and more people are examining source code for flaws. There are many advisories related to source code audits of the major software components included in Debian. Whenever such source code audits turn up security flaws, they are fixed and an advisory is sent to lists such as Bugtraq.

Bugs that are present in the Debian distribution usually affect other vendors and distributions as well. Check the "Debian specific: yes/no" section at the top of each advisory (DSA). Does Debian have any certification related to security?

Short answer: no.

Long answer: certification costs money (especially a serious security certification), and nobody has dedicated the resources needed to certify Debian GNU/Linux to any level of, for example, the . If you are interested in having a security-certified GNU/Linux distribution, try to provide the resources needed to make it possible.

There are currently at least two linux distributions certified at different levels. Notice that some of the CC tests are being integrated into the which is available in Debian in the ltp. Are there any hardening programs for Debian?

Yes. , originally oriented toward other Linux distributions (Red Hat and Mandrake), currently works for Debian. Steps are being taken to integrate the changes made to the upstream version into the Debian package, named bastille.

Some people believe, however, that a hardening tool does not eliminate the need for good administration. I want to run XYZ service, which one should I choose?

One of Debian's great strengths is the wide variety of choice available between packages that provide the same functionality (DNS servers, mail servers, ftp servers, web servers, etc.). This can be confusing to the novice administrator when trying to determine which package is right for you. The best match for a given situation depends on a balance between your feature and security needs. Here are some questions to ask yourself when deciding between similar packages: Is the software maintained upstream? When was the last release? Is the package mature? The version number really does not tell you about its maturity. Try to trace the software's history. Is the software bug-ridden? Have there been security advisories related to it? Does the software provide all the functionality you need? Does it provide more than you really need? How can I make service XYZ more secure in Debian?

You will find information in this document to make some services (FTP, Bind) more secure in Debian GNU/Linux. For services not covered here, check the program's documentation, or general Linux information. Most of the security guidelines for Unix systems also apply to Debian. In most cases, securing service X in Debian is like securing that service in any other Linux distribution (or Un*x, for that matter). How can I remove all the banners for services?

If you do not like users connecting to your POP3 daemon, for example, and retrieving information about your system, you might want to remove (or change) the banner the service shows to users. Note that this is 'security by obscurity', and will probably not be worth the effort in the long term. Doing so depends on the software you are running for a given service. For example, in postfix, you can set your SMTP banner in /etc/postfix/main.cf: smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)

Other software is not as easy to change. ssh will need to be recompiled in order to change the version that it prints. Take care not to remove the first part (SSH-2.0) of the banner, which clients use to identify which protocol(s) is supported by your package. Are all Debian packages safe?

The Debian security team cannot possibly analyze all the packages included in Debian for potential security vulnerabilities, since there are just not enough resources to source code audit the whole project. However, Debian does benefit from the source code audits made by upstream developers.

As a matter of fact, a Debian developer could distribute a Trojan in a package, and there is no possible way to check it out. Even if introduced into a Debian branch, it would be impossible to cover all the possible situations in which the Trojan would execute. This is why Debian has a "no guarantees" license clause.

However, Debian users can take confidence in the fact that the stable code has a wide audience and most problems would be uncovered through use. Installing untested software is not recommended in a critical system (if you cannot provide the necessary code audit). In any case, if there were a security vulnerability introduced into the distribution, the process used to include packages (using digital signatures) ensures that the problem can be ultimately traced back to the developer. The Debian project has not taken this issue lightly. Why are some log files/configuration files world-readable, isn't this insecure?

Of course, you can change the default Debian permissions on your system. The current policy regarding log files and configuration files is that they are world readable unless they provide sensitive information.

Be careful if you do make changes since: Processes might not be able to write to log files if you restrict their permissions. Some applications may not work if the configuration file they depend on cannot be read. For example, if you remove the world-readable permission from /etc/samba/smb.conf, the smbclient program will not work when run by a normal user.

FIXME: Check if this is written in the Policy. Some packages (i.e. ftp daemons) seem to enforce different permissions. Why does /root/ (or UserX) have 755 permissions?

As a matter of fact, the same questions stand for any other user. Since Debian's installation does not place any file under that directory, there's no sensitive information to protect there. If you feel these permissions are too broad for your system, consider tightening them to 750. For users, read .

This Debian security mailing list has more on this issue. After installing a grsec/firewall, I started receiving many console messages! How do I remove them?

If you are receiving console messages, and have configured /etc/syslog.conf to redirect them to either files or a special TTY, you might be seeing messages sent directly to the console.

The default console log level for any given kernel is 7, which means that any message with a numerically lower (i.e. more severe) priority will appear on the console. Usually, firewalls (the LOG rule) and some other security tools log at a priority lower than this, and thus their messages are sent directly to the console.

To reduce messages sent to the console, you can use dmesg (-n option, see ), which examines and controls the kernel ring buffer. To fix this after the next reboot, change /etc/init.d/klogd from: KLOGD=""

to: KLOGD="-c 4"

Use a lower number for -c if you are still seeing them. A description of the different log levels can be found in /usr/include/sys/syslog.h: #define LOG_EMERG 0 /* system is unusable */ #define LOG_ALERT 1 /* action must be taken immediately */ #define LOG_CRIT 2 /* critical conditions */ #define LOG_ERR 3 /* error conditions */ #define LOG_WARNING 4 /* warning conditions */ #define LOG_NOTICE 5 /* normal but significant condition */ #define LOG_INFO 6 /* informational */ #define LOG_DEBUG 7 /* debug-level messages */ Operating system users and groups Are all system users necessary?

Yes and no. Debian comes with some predefined users (user id (UID) < 99 as described in or /usr/share/doc/base-passwd/README) to ease the installation of some services that require that they run under an appropriate user/UID. If you do not intend to install new services, you can safely remove those users who do not own any files in your system and do not run any services. In any case, the default behavior is that UID's from 0 to 99 are reserved in Debian, and UID's from 100 to 999 are created by packages on install (and deleted when the package is purged).

To easily find users who don't own any files, execute the following commandBe careful, as this will traverse your whole system. If you have a lot of disk and partitions you might want to reduce it in scope. (run it as root, since a common user might not have enough permissions to go through some sensitive directories): cut -f 1 -d : /etc/passwd | \ while read i; do find / -user "$i" | grep -q . || echo "$i"; done

These users are provided by base-passwd. Look in its documentation for more information on how these users are handled in Debian. The list of default users (with a corresponding group) follows: root: Root is (typically) the superuser. daemon: Some unprivileged daemons that need to write to files on disk run as daemon.daemon (e.g., portmap, atd, probably others). Daemons that don't need to own any files can run as nobody.nogroup instead, and more complex or security conscious daemons run as dedicated users. The daemon user is also handy for locally installed daemons. bin: maintained for historic reasons. sys: same as with bin. However, /dev/vcs* and /var/spool/cups are owned by group sys. sync: The shell of user sync is /bin/sync. Thus, if its password is set to something easy to guess (such as ""), anyone can sync the system at the console even if they have don't have an account. games: Many games are SETGID to games so they can write their high score files. This is explained in policy. man: The man program (sometimes) runs as user man, so it can write cat pages to /var/cache/man lp: Used by printer daemons. mail: Mailboxes in /var/mail are owned by group mail, as explained in policy. The user and group are used for other purposes by various MTA's as well. news: Various news servers and other associated programs (such as suck) use user and group news in various ways. Files in the news spool are often owned by user and group news. Programs such as inews that can be used to post news are typically SETGID news. uucp: The uucp user and group is used by the UUCP subsystem. It owns spool and configuration files. Users in the uucp group may run uucico. proxy: Like daemon, this user and group is used by some daemons (specifically, proxy daemons) that don't have dedicated user id's and that need to own files. For example, group proxy is used by pdnsd, and squid runs as user proxy. majordom: Majordomo has a statically allocated UID on Debian systems for historical reasons. 
It is not installed on new systems. postgres: Postgresql databases are owned by this user and group. All files in /var/lib/postgresql are owned by this user to enforce proper security. www-data: Some web servers run as www-data. Web content should not be owned by this user, or a compromised web server would be able to rewrite a web site. Data written out by web servers, including log files, will be owned by www-data. backup: So backup/restore responsibilities can be locally delegated to someone without full root permissions. operator: Operator is historically (and practically) the only 'user' account that can login remotely, and doesn't depend on NIS/NFS. list: Mailing list archives and data are owned by this user and group. Some mailing list programs may run as this user as well. irc: Used by irc daemons. A statically allocated user is needed only because of a bug in ircd, which SETUID()s itself to a given UID on startup. gnats. nobody, nogroup: Daemons that need not own any files run as user nobody and group nogroup. Thus, no files on a system should be owned by this user or group.

Other groups which have no associated user: adm: Group adm is used for system monitoring tasks. Members of this group can read many log files in /var/log, and can use xconsole. Historically, /var/log was /usr/adm (and later /var/adm), thus the name of the group. tty: TTY devices are owned by this group. This is used by write and wall to enable them to write to other people's TTYs. disk: Raw access to disks. Mostly equivalent to root access. kmem: /dev/kmem and similar files are readable by this group. This is mostly a BSD relic, but any programs that need direct read access to the system's memory can thus be made SETGID kmem. dialout: Full and direct access to serial ports. Members of this group can reconfigure the modem, dial anywhere, etc. dip: The group's name stands for "Dial-up IP", and membership in dip allows you to use tools like ppp, dip, wvdial, etc. to dial up a connection. The users in this group cannot configure the modem, but may run the programs that make use of it. fax: Allows members to use fax software to send / receive faxes. voice: Voicemail, useful for systems that use modems as answering machines. cdrom: This group can be used locally to give a set of users access to a CDROM drive. floppy: This group can be used locally to give a set of users access to a floppy drive. tape: This group can be used locally to give a set of users access to a tape drive. sudo: Members of this group don't need to type their password when using sudo. See /usr/share/doc/sudo/OPTIONS. audio: This group can be used locally to give a set of users access to an audio device. src: This group owns source code, including files in /usr/src. It can be used locally to give a user the ability to manage system source code. shadow: /etc/shadow is readable by this group. Some programs that need to be able to access the file are SETGID shadow. utmp: This group can write to /var/run/utmp and similar files. Programs that need to be able to write to it are SETGID utmp. 
video: This group can be used locally to give a set of users access to a video device. staff: Allows users to add local modifications to the system (/usr/local, /home) without needing root privileges. Compare with group "adm", which is more related to monitoring/security. users: While Debian systems use the private user group system by default (each user has their own group), some prefer to use a more traditional group system, in which each user is a member of this group. I removed a system user! How can I recover?

If you have removed a system user and have not made a backup of your password and group files you can try recovering from this issue using update-passwd (see ). What is the difference between the adm and the staff group?

The 'adm' group are usually administrators, and this group permission allows them to read log files without having to su. The 'staff' group are usually help-desk/junior sysadmins, allowing them to work in /usr/local and create directories in /home. Why is there a new group when I add a new user? (or Why does Debian give each user one group?)

The default behavior in Debian is that each user has its own, private group. The traditional UN*X scheme assigned all users to the users group. Additional groups were created and used to restrict access to shared files associated with different project directories. Managing files became difficult when a single user worked on multiple projects because when someone created a file, it was associated with the primary group to which they belong (e.g. 'users').

Debian's scheme solves this problem by assigning each user to their own group; so that with a proper umask (0002) and the SETGID bit set on a given project directory, the correct group is automatically assigned to files created in that directory. This makes it easier for people who work on multiple projects, because they will not have to change groups or umasks when working on shared files.

You can, however, change this behavior by modifying /etc/adduser.conf. Change the USERGROUPS variable to 'no', so that a new group is not created when a new user is created. Also, set USERS_GID to the GID of the users group which all users will belong to. Questions regarding services and open ports Why are all services activated upon installation?

That's just an approach to the problem of being, on one side, security conscious and on the other side user friendly. Unlike OpenBSD, which disables all services unless activated by the administrator, Debian GNU/Linux will activate all installed services unless deactivated (see for more information). After all you installed the service, didn't you?

There has been much discussion on Debian mailing lists (both at debian-devel and at debian-security) regarding which is the better approach for a standard installation. However, as of this writing (March 2002), there still isn't a consensus. Can I remove inetd?

Inetd is not easy to remove since netbase depends on the package that provides it (netkit-inetd). If you want to remove it, you can either disable it (see ) or remove the package by using the equivs package. Why do I have port 111 open?

Port 111 is sunrpc's portmapper, and it is installed by default as part of Debian's base installation since there is no need to know when a user's program might need RPC to work correctly. In any case, it is used mostly for NFS. If you do not need it, remove it as explained in .

In versions of the portmap package later than 5-5 you can actually have the portmapper installed but listening only on localhost (by modifying /etc/default/portmap). What use is identd (port 113) for?

Identd service is an authentication service that identifies the owner of a specific TCP/IP connection to the remote server accepting the connection. Typically, when a user connects to a remote host, inetd on the remote host sends back a query to port 113 to find the owner information. It is often used by mail, FTP and IRC servers, and can also be used to track down which user in your local system is attacking a remote system.

There has been extensive discussion on the security of identd (See ). In general, identd is more helpful on a multi-user system than on a single user workstation. If you don't have a use for it, disable it, so that you are not leaving a service open to the outside world. If you decide to firewall the identd port, please use a reject policy and not a deny policy, otherwise a connection to a server utilizing identd will hang until a timeout expires (see ). I have services using port 1 and 6, what are they and how can I remove them?

If you have run the command netstat -an and receive: Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name raw 0 0 0.0.0.0:1 0.0.0.0:* 7 - raw 0 0 0.0.0.0:6 0.0.0.0:* 7 -

You are not seeing processes listening on TCP/UDP ports 1 and 6. In fact, you are seeing a process listening on a raw socket for IP protocols 1 (ICMP) and 6 (TCP). Such behavior is common to both Trojans and some intrusion detection systems such as iplogger and portsentry. If you have these packages installed, they account for the raw sockets; simply remove them if you do not want them. If you do not, use netstat's -p (process) option to see which process is running these listeners; run it as root, otherwise the PID/Program name column shows only '-' for sockets owned by other users (as in the output above). A raw-socket listener that no installed package explains should be treated as suspicious and investigated. I found the port XYZ open, can I close it?

Yes, of course. The ports you are leaving open should adhere to your individual site's policy regarding public services available to other networks. Check if they are being opened by inetd (see ), or by other installed packages and take the appropriate measures (i.e, configure inetd, remove the package, avoid it running on boot-up). Will removing services from /etc/services help secure my box?

No, /etc/services only provides a mapping between a service name and a given port number. Removing names from this file will not (usually) prevent services from being started. Some daemons may not run if /etc/services is modified, but that's not the norm. To properly disable the service, see . Common security issues I have lost my password and cannot access the system!

The steps you need to take in order to recover from this depend on whether or not you have applied the suggested procedure for limiting access to lilo and your system's BIOS.

If you have limited both, you need to disable the BIOS setting that only allows booting from the hard disk before proceeding. If you have also forgotten your BIOS password, you will have to reset your BIOS by opening the system and manually removing the BIOS battery.

Once you have enabled booting from a CD-ROM or diskette, try the following: Boot-up from a rescue disk and start the kernel Go to the virtual console (Alt+F2) Mount the hard disk partition that holds your root (/) file system (the one containing /etc) Edit (Debian 2.2 rescue disk comes with the editor ae, and Debian 3.0 comes with nano-tiny which is similar to vi) /etc/shadow and change the line: root:asdfjl290341274075:XXXX:X:XXXX:X::: (X=any number)

to: root::XXXX:X:XXXX:X:::

This will remove the forgotten root password, contained in the first colon separated field after the user name. Save the file, reboot the system and login with root using an empty password. Set a new root password immediately: while that field is empty, anyone who can reach a login prompt can become root without a password. This will work unless you have configured the system more tightly, i.e. if you have not allowed users to have null passwords or not allowed root to login from the console.

If you have introduced these features, you will need to enter into single user mode. If LILO has been restricted, you will need to rerun lilo just after the root reset above. This is quite tricky since your /etc/lilo.conf will need to be tweaked due to the root (/) file system being a ramdisk and not the real hard disk.

Once LILO is unrestricted, try the following: Press the Alt, shift or Control key just before the system BIOS finishes, and you should get the LILO prompt. Type linux single, linux init=/bin/sh or linux 1 at the prompt. This will give you a shell prompt in single-user mode (if LILO is password-protected it will ask for the LILO password, which you set yourself) Re-mount read/write the root (/) partition, using the mount command. # mount -o remount,rw / Change the superuser password with passwd (since you are superuser it will not ask for the previous password). How do I accomplish setting up a service for my users without giving out shell accounts?

For example, if you want to set up a POP service, you don't need to set up a user account for each user accessing it. It's best to set up directory-based authentication through an external service (like Radius, LDAP or an SQL database). Just install the appropriate PAM library (libpam-radius-auth, libpam-ldap, libpam-pgsql or libpam-mysql), read the documentation (for starters, see ) and configure the PAM-enabled service to use the back end you have chosen. This is done by editing the files under /etc/pam.d/ for your service and modifying the auth required pam_unix_auth.so shadow nullok use_first_pass to, for example, ldap: auth required pam_ldap.so (note that the nullok option, which accepts empty passwords, is deliberately not carried over).

In the case of LDAP directories, some services provide LDAP schemas to be included in your directory that are required in order to use LDAP authentication. If you are using a relational database, a useful trick is to use the where clause when configuring the PAM modules. For example, if you have a database with the following table attributes: (user_id, user_name, realname, shell, password, UID, GID, homedir, sys, pop, imap, ftp)

By making the services attributes boolean fields, you can use them to enable or disable access to the different services just by inserting the appropriate lines in the following files: /etc/pam.d/imap:where=imap=1. /etc/pam.d/qpopper:where=pop=1. /etc/nss-mysql*.conf:users.where_clause = user.sys = 1;. /etc/proftpd.conf: SQLWhereClause "ftp=1". My system is vulnerable! (Are you sure?) Vulnerability assessment scanner X says my Debian system is vulnerable!

Many vulnerability assessment scanners give false positives when used on Debian systems, since they only use version checks to determine if a given software package is vulnerable, but do not really test the security vulnerability itself. Since Debian does not change upstream software versions when fixing a package (many times the fix made for newer releases is back ported), some tools tend to think that an updated Debian system is vulnerable when it is not. The Debian revision part of the version number (the part after the last dash) is what actually changes with a security update, and is what you should compare against the advisory.

If you think your system is up to date with security patches, you might want to use the cross references to security vulnerability databases published with the DSAs (see ) to weed out false positives, if the tool you are using includes CVE references. I've seen an attack in my system's logs. Is my system compromised?

A trace of an attack does not always mean that your system has been compromised, and you should take the usual steps to determine if the system is indeed compromised (see ). Even if your system was not vulnerable to the attack that was logged, a determined attacker might have used some other vulnerability besides the ones you have detected. I have found strange 'MARK' lines in my logs: Am I compromised?

You might find the following lines in your system logs: Dec 30 07:33:36 debian -- MARK -- Dec 30 07:53:36 debian -- MARK -- Dec 30 08:13:36 debian -- MARK --

This does not indicate any kind of compromise, and users changing between Debian releases might find it strange. If your system does not have high loads (or many active services), these lines might appear throughout your logs. This is an indication that your syslogd daemon is running properly. Conversely, if MARK lines that normally appear stop showing up, check that syslogd is still running and that the log files have not been truncated. From : -m interval The syslogd logs a mark timestamp regularly. The default interval between two -- MARK -- lines is 20 minutes. This can be changed with this option. Setting the interval to zero turns it off entirely. I found users using 'su' in my logs: Am I compromised?

You might find lines in your logs like: Apr 1 09:25:01 server su[30315]: + ??? root-nobody Apr 1 09:25:01 server PAM_unix[30315]: (su) session opened for user nobody by (UID=0)

Don't worry too much. Check to see if these entries are due to cron jobs (usually /etc/cron.daily/find or logrotate): $ grep 25 /etc/crontab 25 9 * * * root test -e /usr/sbin/anacron || run-parts --report /etc/cron.daily $ grep nobody /etc/cron.daily/* find:cd / && updatedb --localuser=nobody 2>/dev/null If no scheduled job accounts for a su entry, or the timestamps do not match any cron schedule, investigate it as a possible unauthorized use of su. I have found 'possible SYN flooding' in my logs: Am I under attack?

If you see entries like these in your logs: May 1 12:35:25 linux kernel: possible SYN flooding on port X. Sending cookies. May 1 12:36:25 linux kernel: possible SYN flooding on port X. Sending cookies. May 1 12:37:25 linux kernel: possible SYN flooding on port X. Sending cookies. May 1 13:43:11 linux kernel: possible SYN flooding on port X. Sending cookies.

Check if there is a high number of connections to the server using netstat, for example: linux:~# netstat -ant | grep SYN_RECV | wc -l 9000

This is an indication of a denial of service (DoS) attack against your system's X port (most likely against a public service such as a web server or mail server). Make sure TCP syncookies are enabled in your kernel, see (the "Sending cookies" text in the messages above shows the kernel is already answering with syncookies; a kernel without them logs the same event as "Dropping request" instead). Note, however, that a DoS attack might flood your network even if you can stop it from crashing your systems (due to file descriptors being depleted, the system might become unresponsive until the TCP connections timeout). The only effective way to stop this attack is to contact your network provider so that the traffic is filtered upstream. I have found strange root sessions in my logs: Am I compromised?

You might see these kind of entries in your /var/log/auth.log file: May 2 11:55:02 linux PAM_unix[1477]: (cron) session closed for user root May 2 11:55:02 linux PAM_unix[1476]: (cron) session closed for user root May 2 12:00:01 linux PAM_unix[1536]: (cron) session opened for user root by (UID=0) May 2 12:00:02 linux PAM_unix[1536]: (cron) session closed for user root

These are due to a cron job being executed (in this example, every five minutes). To determine which program is responsible for these jobs, check entries under: /etc/crontab, /etc/cron.d, /etc/cron.daily (and the other /etc/cron.* directories) and root's crontab under /var/spool/cron/crontabs. A root session that does not line up with any scheduled job deserves closer investigation. I have suffered a break-in, what do I do?

There are several steps you might want to take in case of a break-in: Check if your system is up to date with security patches for published vulnerabilities. If your system is vulnerable, the chances that the system is in fact compromised are increased. The chances increase further if the vulnerability has been known for a while, since there is usually more activity related to older vulnerabilities. Here is a link to . Before patching or "cleaning" a system you believe is compromised, consider disconnecting it from the network and preserving its logs and disk contents, since patching in place can destroy the evidence needed to understand the break-in. Read this document, especially the section. Ask for assistance. You might use the debian-security mailing list and ask for advice on how to recover/patch your system. Notify your local (if it exists, otherwise you may want to consider contacting CERT directly). This might or might not help you, but, at the very least, it will inform CERT of ongoing attacks. This information is very valuable in determining which tools and attacks are being used by the blackhat community. How can I trace an attack?

By watching the logs (if they have not been tampered with), using intrusion detection systems (see ), traceroute, whois and similar tools (including forensic analysis), you may be able to trace an attack to the source. The way you should react to this information depends solely on your security policy, and what you consider is an attack. Is a remote scan an attack? Is a vulnerability probe an attack? Program X in Debian is vulnerable, what do I do?

First, take a moment to see if the vulnerability has been announced in public security mailing lists (like Bugtraq) or other forums. The Debian Security Team keeps up to date with these lists, so they may also be aware of the problem. Do not take any further action if you see an announcement at ; simply apply the updated packages it refers to.

If no information seems to be published, please send e-mail about the affected package(s), as well as a detailed description of the vulnerability (proof of concept code is also OK), to . This will get you in touch with Debian's security team. The version number for a package indicates that I am still running a vulnerable version!

Instead of upgrading to a new release, Debian backports security fixes to the version that was shipped in the stable release. The reason for this is to make sure that the stable release changes as little as possible, so that things will not change or break unexpectedly as a result of a security fix. You can check if you are running a secure version of a package by looking at the package changelog, or comparing its exact version number (upstream_version-debian_revision, as shown by dpkg -l or dpkg -s) with the version indicated in the Debian Security Advisory. Specific software proftpd is vulnerable to a Denial of Service attack.

Add DenyFilter \*.*/ to your configuration file, and for more information see . After installing portsentry, there are a lot of ports open.

That's just the way portsentry works. It opens about twenty unused ports to try to detect port scans. Questions regarding the Debian security team

This information is derived from the . It includes the information as of January, 2006, and provides answers for some other common questions asked in the debian-security mailing list. What is a Debian Security Advisory (DSA)?

It is information sent by the Debian Security Team (see below) regarding the discovery and fix for a security related vulnerability in a package available in Debian GNU/Linux. Signed DSAs are sent to public mailing lists (debian-security-announce) and posted on Debian's web site (both in the front page and in the ).

DSAs include information on the affected package(s), the security flaw that was discovered and where to retrieve the updated packages (and their MD5 sums). Since MD5 is no longer collision-resistant, verify the advisory's signature (and let apt verify the signed Release files) rather than relying on the MD5 sums alone. The signature on Debian advisories does not verify correctly!

This is most likely a problem on your end. The list has a filter that only allows messages with a correct signature from one of the security team members to be posted.

Most likely some piece of mail software on your end slightly changes the message, thus breaking the signature. Make sure your software does not do any MIME encoding or decoding, or tab/space conversions.

Known culprits are fetchmail (with the mimedecode option enabled), formail (from procmail 3.14 only) and evolution. How is security handled in Debian?

Once the Security Team receives a notification of an incident, one or more members review it and consider its impact on the stable release of Debian (i.e. if it's vulnerable or not). If our system is vulnerable, we work on a fix for the problem. The package maintainer is contacted as well, if he didn't contact the Security Team already. Finally, the fix is tested and new packages are prepared, which then are compiled on all stable architectures and uploaded afterwards. After all of that is done, an advisory is published. Why are you fiddling with an old version of that package?

The most important guideline when making a new package that fixes a security problem is to make as few changes as possible. Our users and developers are relying on the exact behavior of a release once it is made, so any change we make can possibly break someone's system. This is especially true in case of libraries: make sure you never change the Application Program Interface (API) or Application Binary Interface (ABI), no matter how small the change is.

This means that moving to a new upstream version is not a good solution, instead the relevant changes should be backported. Generally upstream maintainers are willing to help if needed, if not the Debian security team might be able to help.

In some cases it is not possible to backport a security fix, for example when large amounts of source code need to be modified or rewritten. If that happens it might be necessary to move to a new upstream version, but this has to be coordinated with the security team beforehand. What is the policy for a fixed package to appear in security.debian.org?

Security breakage in the stable distribution warrants a package on security.debian.org. Anything else does not. The size of a breakage is not the real problem here. Usually the security team will prepare packages together with the package maintainer. Provided someone (trusted) tracks the problem, gets all the needed packages compiled and submits them to the security team, even very trivial security problem fixes will make it to security.debian.org. Please see below.

Security updates serve one purpose: to supply a fix for a security vulnerability. They are not a method for sneaking additional changes into the stable release without going through normal point release procedure. What does "local (remote)" mean?

Some advisories cover vulnerabilities that cannot be identified with the classic scheme of local and remote exploitability. Some vulnerabilities cannot be exploited remotely, i.e. they do not correspond to a daemon listening on a network port. If they can be exploited by special files that could be provided via the network while the vulnerable program is not permanently connected to the network, we write "local (remote)" in such cases.

Such vulnerabilities are somewhat between local and remote vulnerabilities and often cover archives that could be provided through the network, e.g. as mail attachment or from a download page. The version number for a package indicates that I am still running a vulnerable version!

See . How is security handled for testing and unstable?

The short answer is: it's not. Testing and unstable are rapidly moving targets and the security team does not have the resources needed to properly support those. If you want to have a secure (and stable) server you are strongly encouraged to stay with stable. However, work is in progress to change this, with the formation of a which has begun work to offer security support for testing, and to some extent, for unstable. For more information see

In practice, however, the unstable branch often gets security fixes quite quickly, because those fixes are usually available upstream faster (other versions, like those in the stable branch, usually need to be back ported).

You can review public vulnerabilities affecting the testing and unstable release at the . I use an older version of Debian, is it supported by the Debian Security Team?

No. Unfortunately, the Debian Security Team cannot handle both the stable release (unofficially, also the unstable) and other older releases. However, you can expect security updates for a limited period of time (usually several months) immediately following the release of a new Debian distribution. How does testing get security updates?

Security updates will migrate into the testing distribution via unstable. They are usually uploaded with their priority set to high, which will reduce the quarantine time to two days. After this period, the packages will migrate into testing automatically, given that they are built for all architectures and their dependencies are fulfilled in testing.

The also makes security fixes available in their repository when the normal migration process is not fast enough. How is security handled for contrib and non-free?

The short answer is: it's not. Contrib and non-free aren't official parts of the Debian Distribution and are not released, and thus not supported by the security team. Some non-free packages are distributed without source or without a license allowing the distribution of modified versions. In those cases no security fixes can be made at all. If it is possible to fix the problem, and the package maintainer or someone else provides correct updated packages, then the security team will generally process them and release an advisory. Why are there no official mirrors for security.debian.org?

Actually, there are. There are several official mirrors, implemented through DNS aliases. The purpose of security.debian.org is to make security updates available as quickly and easily as possible.

Encouraging the use of unofficial mirrors would add extra complexity that is usually not needed and that can cause frustration if these mirrors are not kept up to date. I've seen DSA 100 and DSA 102, now where is DSA 101?

Several vendors (mostly of GNU/Linux, but also of BSD derivatives) coordinate security advisories for some incidents and agree to a particular timeline so that all vendors are able to release an advisory at the same time. This was decided in order to not discriminate against some vendors that need more time (e.g. when the vendor has to pass packages through lengthy QA tests or has to support several architectures or binary distributions). Our own security team also prepares advisories in advance. Every now and then, other security issues have to be dealt with before a parked advisory can be released, which temporarily leaves a gap of one or more advisory numbers. I tried to download a package listed in one of the security advisories, but I got a `file not found' error.

Whenever a newer bugfix supersedes an older package on security.debian.org, chances are high that the old package will be removed by the time the new one gets installed. Hence, you'll get this `file not found' error. We don't want to distribute packages with known security bugs longer than absolutely necessary.

Please use the packages from the latest security advisories, which are distributed through the . It's best to simply run apt-get update before upgrading the package. How can I reach the security team?

Security information can be sent to , which is read by all Debian developers. If you have sensitive information please use which only the members of the team can read. If desired, email can be encrypted with the Debian Security Contact key (key ID ). See also the . What difference is there between security@debian.org and debian-security@lists.debian.org?

When you send messages to security@debian.org, they are sent to the developers' mailing list (debian-private). All Debian developers are subscribed to this list and posts are kept private (i.e. they are not archived at the public website). Note, however, that there has been a declassification decision, voted in , that might make some posts available in the future. The public mailing list, debian-security@lists.debian.org, is open to anyone that wants to , and there are searchable archives available . I guess I found a security problem, what should I do?

If you learn about a security problem, either in one of your own packages or in someone else's please always contact the security team. If the Debian security team confirms the vulnerability and other vendors are likely to be vulnerable as well, they usually contact other vendors as well. If the vulnerability is not yet public they will try to coordinate security advisories with the other vendors, so all major distributions are in sync.

If the vulnerability is already publicly known, be sure to file a bug report in the Debian BTS, and tag it security. How can I contribute to the Debian security team?

By contributing to this document, fixing FIXMEs or providing new content. Documentation is important and reduces the overhead of answering common issues. Translation of this documentation into other languages is also of great help. By packaging applications that are useful for checking or enhancing security in a Debian GNU/Linux system. If you are not a developer, file a and ask for software you think would be useful, but is not currently provided. Audit applications in Debian or help solve security bugs and report issues to security@debian.org.

In all cases, please review each problem before reporting it to security@debian.org. If you are able to provide patches, that would speed up the process. Do not simply forward Bugtraq mails, since they are already received. Providing additional information, however, is always a good idea. Who is the Security Team composed of?

The Debian security team consists of . The security team itself appoints people to join the team. Does the Debian Security team check every new package in Debian?

No, the Debian security team does not check every new package and there is no automatic (lintian) check to detect new packages including malicious code, since those checks are rather impossible to perform automatically. Maintainers, however, are fully responsible for the packages they introduce into Debian, and all packages are first signed by an authorized developer. Note that the signature attests to who uploaded the package, not that its contents have been audited. The developer is in charge of analyzing the security of all packages that they maintain. How much time will it take Debian to fix vulnerability XXXX?

The Debian security team works quickly to send advisories and produce fixed packages for the stable branch once a vulnerability is discovered. A report showed that in the year 2001, it took the Debian Security Team an average of 35 days to fix security-related vulnerabilities. However, over 50% of the vulnerabilities were fixed in a 10-day time frame, and over 15% of them were fixed the same day the advisory was released.

However, when asking this question people tend to forget that: DSAs are not sent until: packages are available for all architectures supported by Debian (which takes some time for packages that are part of the system core, especially considering the number of architectures supported in the stable release). new packages are thoroughly tested in order to ensure that no new bugs are introduced. Packages might be available before the DSA is sent (in the incoming queue or on the mirrors). Debian is a volunteer-based project. Debian is licensed with a "no guarantees" clause.

If you want more in-depth analysis on the time it takes for the Security Team to work on vulnerabilities, you should consider that new DSAs (see ) published on the , and the metadata used to generate them, include links to vulnerability databases. You could download the sources from the web server (from the ) or use the HTML pages to determine the time that it takes for Debian to fix vulnerabilities and correlate this data with public databases. How long will security updates be provided?

The security team tries to support a stable distribution for about one year after the next stable distribution has been released, except when another stable distribution is released within this year. It is not possible to support three distributions; supporting two simultaneously is already difficult enough. How can I check the integrity of packages?

This process involves checking the Release file signature against the public key (available at , substitute 2006 for the current year) for the archive. The Release file contains the MD5 checksums of Packages and Sources files, which contain MD5 checksums of binary and source packages. The whole chain therefore rests on that signature and on the archive key itself, so make sure the key is obtained through a trusted channel (e.g. the debian-archive-keyring package) rather than an unverified download. Detailed instructions on how to check package integrity can be found . What to do if a random package breaks after a security update?

First of all, you should figure out why the package breaks and how it is connected to the security update, then contact the security team if it is serious or the stable release manager if it is less serious. We're talking about random packages that break after a security update of a different package. If you can't figure out what's going wrong but have a correction, talk to the security team as well. You may be redirected to the stable release manager though. harden-doc-3.15.1/howto-source/en/intro.sgml0000644000000000000000000015076411734156774015606 0ustar Introduction

One of the hardest things about writing security documents is that every case is unique. Two things you have to pay attention to are the threat environment and the security needs of the individual site, host, or network. For instance, the security needs of a home user are completely different from a network in a bank. While the primary threat a home user needs to face is the script kiddie type of cracker, a bank network has to worry about directed attacks. Additionally, the bank has to protect their customer's data with arithmetic precision. In short, every user has to consider the trade-off between usability and security/paranoia.

Note that this manual only covers issues relating to software. The best software in the world can't protect you if someone can physically access the machine. You can place it under your desk, or you can place it in a hardened bunker with an army in front of it. Nevertheless the desktop computer can be much more secure (from a software point of view) than a physically protected one if the desktop is configured properly and the software on the protected machine is full of security holes. Obviously, you must consider both issues.

This document just gives an overview of what you can do to increase the security of your Debian GNU/Linux system. If you have read other documents regarding Linux security, you will find that there are common issues which might overlap with this document. However, this document does not try to be the ultimate source of information you will be using, it only tries to adapt this same information so that it is meaningful to a Debian GNU/Linux system. Different distributions do some things in different ways (startup of daemons is one example); here, you will find material which is appropriate for Debian's procedures and tools. Authors

The current maintainer of this document is . Please forward him any comments, additions or suggestions, and they will be considered for inclusion in future releases of this manual.

This manual was started as a HOWTO by . After it was published on the Internet, incorporated it into the . A number of people have contributed to this manual (all contributions are listed in the changelog) but the following deserve special mention since they have provided significant contributions (full sections, chapters or appendices): Stefano Canepa Era Eriksson Carlo Perassi Alexandre Ratti Jaime Robles Yotam Rubin Frederic Schutz Pedro Zorzenon Neto Oohara Yuuma Davor Ocelic Where to get the manual (and available formats)

You can download or view the latest version of the Securing Debian Manual from the . If you are reading a copy from another site, please check the primary copy in case it provides new information. If you are reading a translation, please compare the version the translation refers to with the latest version available. If you find that the version is behind please consider using the original copy or review the to see what has changed.

If you want a full copy of the manual you can either download the or the from the Debian Documentation Project's site. These versions might be more useful if you intend to copy the document over to a portable device for offline reading or you want to print it out. Be forewarned, the manual is over two hundred pages long and some of the code fragments, due to the formatting tools used, are not wrapped in the PDF version and might be printed incomplete.

The document is also provided in text, html and PDF formats in the package. Notice, however, that the package may not be completely up to date with the document provided on the Debian site (but you can always use the source package to build an updated version yourself).

This document is part of the documents distributed by the . You can review the changes introduced in the document using a web browser and obtaining information from the . You can also checkout the code using SVN with the following call in the command line: svn co svn://svn.debian.org/svn/ddp/manuals/trunk/securing-howto/ Organizational notes/feedback

Now to the official part. At the moment I (Alexander Reelsen) wrote most paragraphs of this manual, but in my opinion this should not stay the case. I grew up and live with free software, it is part of my everyday use and I guess yours, too. I encourage everybody to send me feedback, hints, additions or any other suggestions you might have.

If you think you can maintain a certain section or paragraph better, then write to the document maintainer and you are welcome to do it. Especially if you find a section marked as FIXME, that means the authors did not have the time yet or the needed knowledge about the topic. Drop them a mail immediately.

The topic of this manual makes it quite clear that it is important to keep it up to date, and you can do your part. Please contribute. Prior knowledge

The installation of Debian GNU/Linux is not very difficult and you should have been able to install it. If you already have some knowledge about Linux or other Unices and you are a bit familiar with basic security, it will be easier to understand this manual, as this document cannot explain every little detail of a feature (otherwise this would have been a book instead of a manual). If you are not that familiar, however, you might want to take a look at for where to find more in-depth information. Things that need to be written (FIXME/TODO)

This section describes all the things that need to be fixed in this manual. Some paragraphs include FIXME or TODO tags describing what content is missing (or what kind of work needs to be done). The purpose of this section is to describe all the things that could be included in the future in the manual, or enhancements that need to be done (or would be interesting to add).

If you feel you can provide help in contributing content or fixing any element of this list (or the inline annotations), contact the main author (). This document has yet to be updated based on the latest Debian releases. The default configuration of some packages needs to be adapted as they have been modified since this document was written. Expand the incident response information, maybe add some ideas derived from Red Hat's Security Guide's . Write about remote monitoring tools (to check for system availability) such as monit, daemontools and mon. See . Consider writing a section on how to build Debian-based network appliances (with information such as the base system, equivs and FAI). Check if has relevant info not yet covered here. Add information on how to set up a laptop with Debian . Add information on how to set up a firewall using Debian GNU/Linux. The section regarding firewalling is oriented currently towards a single system (not protecting others...); also talk about how to test the setup. Add information on setting up a proxy firewall with Debian GNU/Linux stating specifically which packages provide proxy services (like xfwp, ftp-proxy, redir, smtpd, dnrd, jftpgw, oops, pdnsd, perdition, transproxy, tsocks). Should point to the manual for any other info. Note that zorp is now available as a Debian package and is a proxy firewall (they also provide Debian packages upstream). Information on service configuration with file-rc. Check all the reference URLs and remove/fix those no longer available. Add information on available replacements (in Debian) for common servers which are useful for limited functionality. Examples: local lpr with cups (package)? remote lrp with lpr bind with dnrd/maradns apache with dhttpd/thttpd/wn (tux?) exim/sendmail with ssmtpd/smtpd/postfix squid with tinyproxy ftpd with oftpd/vsftp ... 
More information regarding security-related kernel patches in Debian, including the ones shown above and specific information on how to enable these patches in a Debian system. Linux Intrusion Detection (kernel-patch-2.4-lids) Linux Trustees (in package trustees) linux-patch-openswan Details of turning off unnecessary network services (besides inetd), it is partly in the hardening procedure but could be broadened a bit. Information regarding password rotation which is closely related to policy. Policy, and educating users about policy. More about tcpwrappers, and wrappers in general? hosts.equiv and other major security holes. Issues with file sharing servers such as Samba and NFS? suidmanager/dpkg-statoverrides. lpr and lprng. Switching off the GNOME IP things. Talk about pam_chroot (see ) and its usefulness to limit users. Introduce information related to . pdmenu, for example is available in Debian (whereas flash is not). Talk about chrooting services, some more info on . Talk about programs to make chroot jails. compartment and chrootuid are waiting in incoming. Some others (makejail, jailer) could also be introduced. More information regarding log analysis software (i.e. logcheck and logcolorise). 'advanced' routing (traffic policing is security related). limiting ssh access to running certain commands. using dpkg-statoverride. secure ways to share a CD burner among users. secure ways of providing networked sound in addition to network display capabilities (so that X clients' sounds are played on the X server's sound hardware). securing web browsers. setting up ftp over ssh. using crypto loopback file systems. encrypting the entire file system. steganographic tools. setting up a PKA for an organization. using LDAP to manage users. There is a HOWTO of ldap+kerberos for Debian at written by Turbo Fredrikson. How to remove information of reduced utility in production systems such as /usr/share/doc, /usr/share/man (yes, security by obscurity). 
More information on lcap based on the packages README file (well, not there yet, see ) and from the article from LWN: . Add Colin's article on how to setup a chroot environment for a full sid system (). Add information on running multiple snort sensors in a given system (check bug reports sent to snort). Add information on setting up a honeypot (honeyd). Describe situation wrt to FreeSwan (orphaned) and OpenSwan. VPN section needs to be rewritten. Add a specific section about databases, current installation defaults and how to secure access. Add a section about the usefulness of virtual servers (Xen et al). Explain how to use some integrity checkers (AIDE, integrit or samhain). The basics are simple and could even explain some configuration improvements. Changelog/History Version 3.16 (March 2011)

Changes by Javier Fernández-Sanguino Peña. Indicate that the document is not updated with latest versions. Update pointers to current location of sources. Update information on security updates for newer releases. Point information for Developers to online sources instead of keeping the information in the document, to prevent duplication. Fix shell script example in Appendix. Fix reference errors. Version 3.15 (December 2010)

Changes by Javier Fernández-Sanguino Peña. Change reference to Log Analysis' website as this is no longer available. Version 3.14 (March 2009)

Changes by Javier Fernández-Sanguino Peña. Change the section related to choosing a filesystem: note that ext3 is now the default. Change the name of the packages related to enigmail to reflect naming changes introduced in Debian. Version 3.13 (February 2008)

Changes by Javier Fernández-Sanguino Peña. Change URLs pointing to Bastille Linux since the domain has been . Fix pointers to Linux Ramen and Lion worms. Use linux-image in the examples instead of the (old) kernel-image packages. Fix typos spotted by Francesco Poli. Version 3.12 (August 2007)

Changes by Javier Fernández-Sanguino Peña. Update the information related to security updates. Drop the text talking about Tiger and include information on the update-notifier and adept tools (for Desktops) as well as debsecan. Also include some pointers to other tools available. Divide the firewall applications based on target users and add fireflier to the Desktop firewall applications list. Remove references to libsafe, it's not in the archive any longer (was removed January 2006). Fix the location of syslog's configuration, thanks to John Talbut. Version 3.11 (January 2007)

Changes by Javier Fernández-Sanguino Peña. Thanks go to Francesco Poli for his extensive review of the document. Remove most references to the woody release as it is no longer available (in the archive) and security support for it is no longer available. Describe how to restrict users so that they can only do file transfers. Added a note regarding the debian-private declassification decision. Updated link of incident handling guides. Added a note saying that development tools (compilers, etc.) are not installed now in the default 'etch' installation. Fix references to the master security server. Add pointers to additional APT-secure documentation. Improve the description of APT signatures. Comment out some things which are not yet final related to the mirror's official public keys. Fixed name of the Debian Testing Security Team. Remove reference to sarge in an example. Update the antivirus section, clamav is now available on the release. Also mention the f-prot installer. Remove all references to freeswan as it is obsolete. Describe issues related to ruleset changes to the firewall if done remotely and provide some tips (in footnotes). Update the information related to the IDS installation, mention BASE and the need to set up a logging database. Rewrite the "running bind as a non-root user" section as this no longer applies to Bind9. Also remove the reference to the init.d script since the changes need to be done through /etc/default. Remove the obsolete way to set up iptables rulesets as woody is no longer supported. Revert the advice regarding LOG_UNKFAIL_ENAB: it should be set to 'no' (as per default). Added more information related to updating the system with desktop tools (including update-notifier) and describe aptitude usage to update the system. Also note that dselect is deprecated. Updated the contents of the FAQ and remove redundant paragraphs. Review and update the section related to forensic analysis of malware. Remove or fix some dead links. 
Fix many typos and grammatical errors reported by Francesco Poli. Version 3.10 (November 2006)

Changes by Javier Fernández-Sanguino Peña. Provide examples using apt-cache's rdepends as suggested by Ozer Sarilar. Fix location of Squid's user's manual because of its relocation as notified by Oskar Pearson (its maintainer). Fix information regarding umask, it's logins.defs (and not limits.conf) where this can be configured for all login connections. Also state what is Debian's default and what would be a more restrictive value for both users and root. Thanks to Reinhard Tartler for spotting the bug. Version 3.9 (October 2006)

Changes by Javier Fernández-Sanguino Peña. Add information on how to track security vulnerabilities and add references to the Debian Testing Security Tracker. Add more information on the security support for testing. Fix a large number of typos with a patch provided by Simon Brandmair. Added section on how to disable root prompt on initramfs provided by Max Attems. Remove references to queso. Note that testing is now security-supported in the introduction. Version 3.8 (July 2006)

Changes by Javier Fernández-Sanguino Peña. Rewrote the information on how to setup ssh chroots to clarify the different options available, thank to Bruce Park for bringing up the different mistakes in this appendix. Fix lsof call as suggested by Christophe Sahut. Include patches for typo fixes from Uwe Hermann. Fix typo in reference spotted by Moritz Naumann. Version 3.7 (April 2006)

Changes by Javier Fernández-Sanguino Peña. Add a section on Debian Developer's best practices for security. Amended firewall script with comments from WhiteGhost. Version 3.6 (March 2006)

Changes by Javier Fernández-Sanguino Peña. Included a patch from Thomas Sjögren which describes that noexec works as expected with "new" kernels, adds information regarding tempfile handling, and some new pointers to external documentation. Add a pointer to Dan Farmer's and Wietse Venema's forensic discovery web site, as suggested by Freek Dijkstra, and expanded a little bit the forensic analysis section with more pointers. Fixed URL of Italy's CERT, thanks to Christoph Auer. Reuse Joey Hess' information at the wiki on secure apt and introduce it in the infrastructure section. Review sections referring to old versions (woody or potato). Fix some cosmetic issues with patch from Simon Brandmair. Included patches from Carlo Perassi: acl patches are obsolete, openwall patches are obsolete too, removed fixme notes about 2.2 and 2.4 series kernels, hap is obsolete (and not present in WNPP), remove references to Immunix (StackGuard is now in Novell's hands), and fix a FIXME about the use of bsign or elfsign. Updated references to SElinux web pages to point to the Wiki (currently the most up to date source of information). Include file tags and make a more consistent use of "MD5 sum" with a patch from Jens Seidel. Patch from Joost van Baal improving the information on the firewall section (pointing to the wiki instead of listing all firewall packages available) (Closes: #339865). Review the FAQ section on vulnerability stats, thanks to Carlos Galisteo de Cabo for pointing out that it was out of date. Use the quote from the Social Contract 1.1 instead of 1.0 as suggested by Francesco Poli. Version 3.5 (November 2005)

Changes by Javier Fernández-Sanguino Peña. Note on the SSH section that the chroot will not work if using the nodev option in the partition and point to the latest ssh packages with the chroot patch, thanks to Lutz Broedel for pointing these issues out. Fix typo spotted by Marcos Roberto Greiner (md5sum should be sha1sum in code snippet). Included Jens Seidel's patch fixing a number of package names and typos. Slight update of the tools section, removed tools no longer available and added some new ones. Rewrite parts of the section related to where to find this document and what formats are available (the website does provide a PDF version). Also note that copies on other sites and translations might be obsolete (many of the Google hits for the manual in other sites are actually out of date). Version 3.4 (August-September 2005)

Changes by Javier Fernández-Sanguino Peña. Improved the after installation security enhancements related to kernel configuration for network level protection with a sysctl.conf file provided by Will Moy. Improved the gdm section, thanks to Simon Brandmair. Typo fixes from Frédéric Bothamy and Simon Brandmair. Improvements in the after installation sections related to how to generate the MD5 (or SHA-1) sums of binaries for periodic review. Updated the after installation sections regarding checksecurity configuration (was out of date). Version 3.3 (June 2005)

Changes by Javier Fernández-Sanguino Peña. Added a code snippet to use grep-available to generate the list of packages depending on Perl. As requested in #302470. Rewrite of the section on network services (which ones are installed and how to disable them). Added more information to the honeypot deployment section mentioning useful Debian packages. Version 3.2 (March 2005)

Changes by Javier Fernández-Sanguino Peña. Expanded the PAM configuration limits section. Added information on how to use pam_chroot for openssh (based on pam_chroot's README). Fixed some minor issues reported by Dan Jacobson. Updated the kernel patches information partially based on a patch from Carlo Perassi and also by adding deprecation notes and new kernel patches available (adamantix). Included patch from Simon Brandmair that fixes a sentence related to login failures in terminal. Added Mozilla/Thunderbird to the valid GPG agents as suggested by Kapolnai Richard. Expanded the section on security updates mentioning library and kernel updates and how to detect when services need to be restarted. Rewrote the firewall section, moved the information that applies to woody down and expand the other sections including some information on how to manually set the firewall (with a sample script) and how to test the firewall configuration. Added some information preparing for the 3.1 release. Added more detailed information on kernel upgrades, specifically targeted at those that used the old installation system. Added a small section on the experimental apt 0.6 release which provides package signing checks. Moved old content to the section and also added a pointer to changes made in aptitude. Typo fixes spotted by Frédéric Bothamy. Version 3.1 (January 2005)

Changes by Javier Fernández-Sanguino Peña. Added clarification to ro /usr with patch from Joost van Baal. Apply patch from Jens Seidel fixing many typos. FreeSWAN is dead, long live OpenSWAN. Added information on restricting access to RPC services (when they cannot be disabled) also included patch provided by Aarre Laakso. Update aj's apt-check-sigs script. Apply patch from Carlo Perassi fixing URLs. Apply patch from Davor Ocelic fixing many errors, typos, urls, grammar and FIXMEs. Also adds some additional information to some sections. Rewrote the section on user auditing, highlight the usage of script which does not have some of the issues associated with shell history. Version 3.0 (December 2004)

Changes by Javier Fernández-Sanguino Peña. Rewrote the user-auditing information and include examples on how to use script. Version 2.99 (March 2004)

Changes by Javier Fernández-Sanguino Peña. Added information on references in DSAs and CVE-Compatibility. Added information on apt 0.6 (apt-secure merge in experimental). Fixed location of Chroot daemons HOWTO as suggested by Shuying Wang. Changed APACHECTL line in the Apache chroot example (even if it's not used at all) as suggested by Leonard Norrgard. Added a footnote regarding hardlink attacks if partitions are not set up properly. Added some missing steps in order to run bind as named as provided by Jeffrey Prosa. Added notes about Nessus and Snort out-of-dateness in woody and availability of backported packages. Added a chapter regarding periodic integrity test checks. Clarified the status of testing regarding security updates (Debian bug 233955). Added more information regarding expected contents in securetty (since it's kernel specific). Added pointer to snoopylogger (Debian bug 179409). Added reference to guarddog (Debian bug 170710). apt-ftparchive is in apt-utils, not in apt (thanks to Emmanuel Chantreau for pointing this out). Removed jvirus from AV list. Version 2.98 (December 2003)

Changes by Javier Fernández-Sanguino Peña. Fixed URL as suggested by Frank Lichtenheld. Fixed PermitRootLogin typo as suggested by Stefan Lindenau. Version 2.97 (September 2003)

Changes by Javier Fernández-Sanguino Peña. Added those that have made the most significant contributions to this manual (please mail me if you think you should be in the list and are not). Added some blurb about FIXME/TODOs. Moved the information on security updates to the beginning of the section as suggested by Elliott Mitchell. Added grsecurity to the list of kernel-patches for security but added a footnote on the current issues with it as suggested by Elliott Mitchell. Removed loops (echo to 'all') in the kernel's network security script as suggested by Elliott Mitchell. Added more (up-to-date) information in the antivirus section. Rewrote the buffer overflow protection section and added more information on patches to the compiler to enable this kind of protection. Version 2.96 (August 2003)

Changes by Javier Fernández-Sanguino Peña. Removed (and then re-added) appendix on chrooting Apache. The appendix is now dual-licensed. Version 2.95 (June 2003)

Changes by Javier Fernández-Sanguino Peña. Fixed typos spotted by Leonard Norrgard. Added a section on how to contact CERT for incident handling (). More information on setting up a Squid proxy. Added a pointer and removed a FIXME thanks to Helge H. F. Fixed a typo (save_inactive) spotted by Philippe Faes. Fixed several typos spotted by Jaime Robles. Version 2.94 (April 2003)

Changes by Javier Fernández-Sanguino Peña. Following Maciej Stachura's suggestions I've expanded the section on limiting users. Fixed typo spotted by Wolfgang Nolte. Fixed links with patch contributed by Ruben Leote Mendes. Added a link to David Wheeler's excellent document on the footnote about counting security vulnerabilities. Version 2.93 (March 2003)

Changes made by Frédéric Schütz. rewrote entirely the section of ext2 attributes (lsattr/chattr). Version 2.92 (February 2003)

Changes by Javier Fernández-Sanguino Peña and Frédéric Schütz. Merge section 9.3 ("useful kernel patches") into section 4.13 ("Adding kernel patches"), and added some content. Added a few more TODOs. Added information on how to manually check for updates and also about cron-apt. That way Tiger is not perceived as the only way to do automatic update checks. Slightly rewrite of the section on executing a security updates due to Jean-Marc Ranger comments. Added a note on Debian's installation (which will suggest the user to execute a security update right after installation). Version 2.91 (January/February 2003)

Changes by Javier Fernández-Sanguino Peña (me). Added a patch contributed by Frédéric Schütz. Added a few more references on capabilities thanks to Frédéric. Slight changes in the bind section adding a reference to BIND 9's online documentation and proper references in the first area (Hi Pedro!). Fixed the changelog date - new year :-). Added a reference to Colin's articles for the TODOs. Removed reference to old ssh+chroot patches. More patches from Carlo Perassi. Typo fixes (recursive in Bind is recursion), pointed out by Maik Holtkamp. Version 2.9 (December 2002)

Changes by Javier Fernández-Sanguino Peña (me). Reorganized the information on chroot (merged two sections, it didn't make much sense to have them separated). Added the notes on chrooting Apache provided by Alexandre Ratti. Applied patches contributed by Guillermo Jover. Version 2.8 (November 2002)

Changes by Javier Fernández-Sanguino Peña (me). Applied patches from Carlo Perassi, fixes include: re-wrapping the lines, URL fixes, and fixed some FIXMEs. Updated the contents of the Debian security team FAQ. Added a link to the Debian security team FAQ and the Debian Developer's reference, the duplicated sections might (just might) be removed in the future. Fixed the hand-made auditing section with comments from Michal Zielinski. Added links to wordlists (contributed by Carlo Perassi). Fixed some typos (still many around). Fixed TDP links as suggested by John Summerfield. Version 2.7 (October 2002)

Changes by Javier Fernández-Sanguino Peña (me). Note: I still have a lot of pending changes in my mailbox (which is currently about 5 Mbs in size). Some typo fixes contributed by Tuyen Dinh, Bartek Golenko and Daniel K. Gebhart. Note regarding /dev/kmem rootkits contributed by Laurent Bonnaud. Fixed typos and FIXMEs contributed by Carlo Perassi. Version 2.6 (September 2002)

Changes by Chris Tillman, tillman@voicetrak.com. Changed around to improve grammar/spelling. s/host.deny/hosts.deny/ (1 place). Applied Larry Holish's patch (quite big, fixes a lot of FIXMEs). Version 2.5 (September 2002)

Changes by Javier Fernández-Sanguino Peña (me). Fixed minor typos submitted by Thiemo Nagel. Added a footnote suggested by Thiemo Nagel. Fixed a URL link. Version 2.5 (August 2002)

Changes by Javier Fernández-Sanguino Peña (me). There were many things waiting on my inbox (as far back as February) to be included, so I'm going to tag this the back from honeymoon release :). Applied a patch contributed by Philipe Gaspar regarding the Squid which also kills a FIXME. Yet another FAQ item regarding service banners taken from the debian-security mailing list (thread "Telnet information" started 26th July 2002). Added a note regarding use of CVE cross references in the How much time does the Debian security team... FAQ item. Added a new section regarding ARP attacks contributed by Arnaud "Arhuman" Assad. New FAQ item regarding dmesg and console login by the kernel. Small tidbits of information to the signature-checking issues in packages (it seems to not have gotten past beta release). New FAQ item regarding vulnerability assessment tools false positives. Added new sections to the chapter that contains information on package signatures and reorganized it as a new Debian Security Infrastructure chapter. New FAQ item regarding Debian vs. other Linux distributions. New section on mail user agents with GPG/PGP functionality in the security tools chapter. Clarified how to enable MD5 passwords in woody, added a pointer to PAM as well as a note regarding the max definition in PAM. Added a new appendix on how to create chroot environments (after fiddling a bit with makejail and fixing, as well, some of its bugs), integrated duplicate information in all the appendix. Added some more information regarding SSH chrooting and its impact on secure file transfers. Some information has been retrieved from the debian-security mailing list (June 2002 thread: secure file transfers). New sections on how to do automatic updates on Debian systems as well as the caveats of using testing or unstable regarding security updates. 
New section regarding keeping up to date with security patches in the Before compromise section as well as a new section about the debian-security-announce mailing list. Added information on how to automatically generate strong passwords. New section regarding login of idle users. Reorganized the securing mail server section based on the Secure/hardened/minimal Debian (or "Why is the base system the way it is?") thread on the debian-security mailing list (May 2002). Reorganized the section on kernel network parameters, with information provided in the debian-security mailing list (May 2002, syn flood attacked? thread) and added a new FAQ item as well. New section on how to check users passwords and which packages to install for this. New section on PPTP encryption with Microsoft clients discussed in the debian-security mailing list (April 2002). Added a new section describing what problems are there when binding any given service to a specific IP address, this information was written based on the Bugtraq mailing list in the thread: Linux kernel 2.4 "weak end host" issue (previously discussed on debian-security as "arp problem") (started on May 9th 2002 by Felix von Leitner). Added information on ssh protocol version 2. Added two subsections related to Apache secure configuration (the things specific to Debian, that is). Added a new FAQ related to raw sockets, one related to /root, an item related to users' groups and another one related to log and configuration files permissions. Added a pointer to a bug in libpam-cracklib that might still be open... (need to check). Added more information regarding forensics analysis (pending more information on packet inspection tools such as tcpflow). Changed the "what should I do regarding compromise" into a bullet list and included some more stuff. Added some information on how to set up the Xscreensaver to lock the screen automatically after the configured timeout. 
Added a note related to the utilities you should not install in the system. Included a note regarding Perl and why it cannot be easily removed in Debian. The idea came after reading Intersect's documents regarding Linux hardening. Added information on lvm and journalling file systems, ext3 recommended. The information there might be too generic, however. Added a link to the online text version (check). Added some more stuff to the information on firewalling the local system, triggered by a comment made by Hubert Chan in the mailing list. Added more information on PAM limits and pointers to Kurt Seifried's documents (related to a post by him to Bugtraq on April 4th 2002 answering a person that had ``discovered'' a vulnerability in Debian GNU/Linux related to resource starvation). As suggested by Julián Muñoz, provided more information on the default Debian umask and what a user can access if he has been given a shell in the system (scary, huh?). Included a note in the BIOS password section due to a comment from Andreas Wohlfeld. Included patches provided by Alfred E. Heggestad fixing many of the typos still present in the document. Added a pointer to the changelog in the Credits section since most people who contribute are listed here (and not there). Added a few more notes to the chattr section and a new section after installation talking about system snapshots. Both ideas were contributed by Kurt Pomeroy. Added a new section after installation just to remind users to change the boot-up sequence. Added some more TODO items provided by Korn Andras. Added a pointer to the NIST's guidelines on how to secure DNS provided by Daniel Quinlan. Added a small paragraph regarding Debian's SSL certificates infrastructure. Added Daniel Quinlan's suggestions regarding ssh authentication and exim's relay configuration. 
Added more information regarding securing bind including changes suggested by Daniel Quinlan and an appendix with a script to make some of the changes commented on in that section. Added a pointer to another item regarding Bind chrooting (needs to be merged). Added a one liner contributed by Cristian Ionescu-Idbohrn to retrieve packages with tcpwrappers support. Added a little bit more info on Debian's default PAM setup. Included a FAQ question about using PAM to provide services without shell accounts. Moved two FAQ items to another section and added a new FAQ regarding attack detection (and compromised systems). Included information on how to set up a bridge firewall (including a sample Appendix). Thanks to Francois Bayart who sent this to me in March. Added a FAQ regarding the syslogd's MARK heartbeat from a question answered by Noah Meyerhans and Alain Tesio in December 2001. Included information on buffer overflow protection as well as some information on kernel patches. Added more information (and reorganized) the firewall section. Updated the information regarding the iptables package and the firewall generators available. Reorganized the information regarding log checking, moved logcheck information from host intrusion detection to that section. Added some information on how to prepare a static package for bind for chrooting (untested). Added a FAQ item regarding some specific servers/services (could be expanded with some of the recommendations from the debian-security list). Added some information on RPC services (and when it's necessary). Added some more information on capabilities (and what lcap does). Is there any good documentation on this? I haven't found any documentation on my 2.4 kernel. Fixed some typos. Version 2.4

Changes by Javier Fernández-Sanguino Peña. Rewritten part of the BIOS section. Version 2.3

Changes by Javier Fernández-Sanguino Peña. Wrapped most file locations with the file tag. Fixed typo noticed by Edi Stojicevi. Slightly changed the remote audit tools section. Added some todo items. Added more information regarding printers and cups config file (taken from a thread on debian-security). Added a patch submitted by Jesus Climent regarding access of valid system users to Proftpd when configured as anonymous server. Small change on partition schemes for the special case of mail servers. Added Hacking Linux Exposed to the books section. Fixed directory typo noticed by Eduardo Pérez Ureta. Fixed /etc/ssh typo in checklist noticed by Edi Stojicevi. Version 2.3

Changes by Javier Fernández-Sanguino Peña. Fixed location of dpkg conffile. Remove Alexander from contact information. Added alternate mail address. Fixed Alexander mail address (even if commented out). Fixed location of release keys (thanks to Pedro Zorzenon for pointing this out). Version 2.2

Changes by Javier Fernández-Sanguino Peña. Fixed typos, thanks to Jamin W. Collins. Added a reference to apt-extracttemplate manpage (documents the APT::ExtractTemplate config). Added section about restricted SSH. Information based on that posted by Mark Janssen, Christian G. Warden and Emmanuel Lacour on the debian-security mailing list. Added information on antivirus software. Added a FAQ: su logs due to the cron running as root. Version 2.1

Changes by Javier Fernández-Sanguino Peña. Changed FIXME from lshell thanks to Oohara Yuuma. Added package to sXid and removed comment since it *is* available. Fixed a number of typos discovered by Oohara Yuuma. ACID is now available in Debian (in the acidlab package) thanks to Oohara Yuuma for noticing. Fixed LinuxSecurity links (thanks to Dave Wreski for telling). Version 2.0

Changes by Javier Fernández-Sanguino Peña. I wanted to change to 2.0 when all the FIXMEs were fixed but I ran out of 1.9X numbers :(. Converted the HOWTO into a Manual (now I can properly say RTFM). Added more information regarding tcp wrappers and Debian (now many services are compiled with support for them so it's no longer an inetd issue). Clarified the information on disabling services to make it more consistent (rpc info still referred to update-rc.d). Added small note on lprng. Added some more info on compromised servers (still very rough). Fixed typos reported by Mark Bucciarelli. Added some more steps in password recovery to cover the cases when the admin has set paranoid-mode=on. Added some information to set paranoid-mode=on when login in console. New paragraph to introduce service configuration. Reorganized the After installation section so it is more broken up into several issues and it's easier to read. Wrote information on how to set up firewalls with the standard Debian 3.0 setup (iptables package). Small paragraph explaining why installing connected to the Internet is not a good idea and how to avoid this using Debian tools. Small paragraph on timely patching referencing to IEEE paper. Appendix on how to set up a Debian snort box, based on what Vladimir sent to the debian-security mailing list (September 3rd 2001). Information on how logcheck is set up in Debian and how it can be used to set up HIDS. Information on user accounting and profile analysis. Included apt.conf configuration for read-only /usr copied from Olaf Meeuwissen's post to the debian-security mailing list. New section on VPN with some pointers and the packages available in Debian (needs content on how to set up the VPNs and Debian-specific issues), based on Jaroslaw Tabor's and Samuli Suonpaa's post to debian-security. Small note regarding some programs to automatically build chroot jails. 
New FAQ item regarding identd based on a discussion in the debian-security mailing list (February 2002, started by Johannes Weiss). New FAQ item regarding inetd based on a discussion in the debian-security mailing list (February 2002). Introduced note on rcconf in the "disabling services" section. Varied the approach regarding LKM, thanks to Philipe Gaspar. Added pointers to CERT documents and Counterpane resources. Version 1.99

Changes by Javier Fernández-Sanguino Peña. Added a new FAQ item regarding time to fix security vulnerabilities. Reorganized FAQ sections. Started writing a section regarding firewalling in Debian GNU/Linux (could be broadened a bit). Fixed typos sent by Matt Kraai. Fixed DNS information. Added information on whisker and nbtscan to the auditing section. Fixed some wrong URLs. Version 1.98

Changes by Javier Fernández-Sanguino Peña. Added a new section regarding auditing using Debian GNU/Linux. Added info regarding finger daemon taken from the security mailing list. Version 1.97

Changes by Javier Fernández-Sanguino Peña. Fixed link for Linux Trustees. Fixed typos (patches from Oohara Yuuma and Pedro Zorzenon). Version 1.96

Changes by Javier Fernández-Sanguino Peña. Reorganized service installation and removal and added some new notes. Added some notes regarding using integrity checkers as intrusion detection tools. Added a chapter regarding package signatures. Version 1.95

Changes by Javier Fernández-Sanguino Peña. Added notes regarding Squid security sent by Philipe Gaspar. Fixed rootkit links thanks to Philipe Gaspar. Version 1.94

Changes by Javier Fernández-Sanguino Peña. Added some notes regarding Apache and Lpr/lpng. Added some information regarding noexec and read-only partitions. Rewrote how users can help in Debian security issues (FAQ item). Version 1.93

Changes by Javier Fernández-Sanguino Peña. Fixed location of mail program. Added some new items to the FAQ. Version 1.92

Changes by Javier Fernández-Sanguino Peña. Added a small section on how Debian handles security. Clarified MD5 passwords (thanks to `rocky'). Added some more information regarding harden-X from Stephen van Egmond. Added some new items to the FAQ. Version 1.91

Changes by Javier Fernández-Sanguino Peña. Added some forensics information sent by Yotam Rubin. Added information on how to build a honeynet using Debian GNU/Linux. Added some more TODOS. Fixed more typos (thanks Yotam!). Version 1.9

Changes by Javier Fernández-Sanguino Peña. Added patch to fix misspellings and some new information (contributed by Yotam Rubin). Added references to other online (and offline) documentation both in a section (see ) by itself and inline in some sections. Added some information on configuring Bind options to restrict access to the DNS server. Added information on how to automatically harden a Debian system (regarding the harden package and bastille). Removed some done TODOs and added some new ones. Version 1.8

Changes by Javier Fernández-Sanguino Peña. Added the default user/group list provided by Joey Hess to the debian-security mailing list. Added information on LKM root-kits () contributed by Philipe Gaspar. Added information on Proftp contributed by Emmanuel Lacour. Recovered the checklist Appendix from Era Eriksson. Added some new TODO items and removed other fixed ones. Manually included Era's patches since they were not all included in the previous version. Version 1.7

Changes by Era Eriksson. Typo fixes and wording changes.

Changes by Javier Fernández-Sanguino Peña. Minor changes to tags in order to keep on removing the tt tags and substitute prgn/package tags for them. Version 1.6

Changes by Javier Fernández-Sanguino Peña. Added pointer to document as published in the DDP (should supersede the original in the near future). Started a mini-FAQ (should be expanded) with some questions recovered from my mailbox. Added general information to consider while securing. Added a paragraph regarding local (incoming) mail delivery. Added some pointers to more information. Added information regarding the printing service. Added a security hardening checklist. Reorganized NIS and RPC information. Added some notes taken while reading this document on my new Visor :). Fixed some badly formatted lines. Fixed some typos. Added a Genius/Paranoia idea contributed by Gaby Schilders. Version 1.5

Changes by Josip Rodin and Javier Fernández-Sanguino Peña. Added paragraphs related to BIND and some FIXMEs. Version 1.4

Small setuid check paragraph Various minor cleanups. Found out how to use sgml2txt -f for the txt version. Version 1.3

Added a security update after installation paragraph. Added a proftpd paragraph. This time really wrote something about XDM, sorry for last time. Version 1.2

Lots of grammar corrections by James Treacy, new XDM paragraph. Version 1.1

Typo fixes, miscellaneous additions. Version 1.0

Initial release. Credits and thanks!

Alexander Reelsen wrote the original document. Javier Fernández-Sanguino added more info to the original doc. Robert van der Meulen provided the quota paragraphs and many good ideas. Ethan Benson corrected the PAM paragraph and had some good ideas. Dariusz Puchalak contributed some information to several chapters. Gaby Schilders contributed a nice Genius/Paranoia idea. Era Eriksson smoothed out the language in a lot of places and contributed the checklist appendix. Philipe Gaspar wrote the LKM information. Yotam Rubin contributed fixes for many typos as well as information regarding bind versions and MD5 passwords. Francois Bayart provided the appendix describing how to set up a bridge firewall. Joey Hess wrote the section describing how Secure Apt works on the . Martin F. Krafft wrote some information on his blog regarding fingerprint verification which was also reused for the Secure Apt section. Francesco Poli did an extensive review of the manual and provided quite a lot of bug reports and typo fixes which improved and helped update the document. All the people who made suggestions for improvements that (eventually) were included here (see ). (Alexander) All the folks who encouraged me to write this HOWTO (which was later turned into a manual). The whole Debian project. harden-doc-3.15.1/howto-source/en/before-begin.sgml0000644000000000000000000002331510513421627016750 0ustar Before you begin What do you want this system for?

Securing Debian is not very different from securing any other system; in order to do it properly, you must first decide what you intend to do with it. After this, you will have to consider that the following tasks need to be taken care of if you want a really secure system.

You will find that this manual is written from the bottom up, that is, you will read some information on tasks to do before, during and after you install your Debian system. The tasks can also be thought of as: Decide which services you need and limit your system to those. This includes deactivating/uninstalling unneeded services, and adding firewall-like filters, or tcpwrappers. Limit users and permissions in your system. Harden offered services so that, in the event of a service compromise, the impact to your system is minimized. Use appropriate tools to guarantee that unauthorized use is detected so that you can take appropriate measures. Be aware of general security problems

The following manual does not (usually) go into the details on why some issues are considered security risks. However, you might want to have a better background regarding general UNIX and (specific) Linux security. Take some time to read over security related documents in order to make informed decisions when you are faced with different choices. Debian GNU/Linux is based on the Linux kernel, so much of the information regarding Linux, as well as that from other distributions and general UNIX security, also applies to it (even if the tools used, or the programs available, differ).

Some useful documents include: The (also available at ) is one of the best references regarding general Linux security. The is also a very good starting point for novice users (both to Linux and security). The is a complete guide that touches all the issues related to security in Linux, from kernel security to VPNs. Note that it has not been updated since 2001, but some information is still relevant. At a given time it was superseded by the "Linux Security Knowledge Base". This documentation is also provided in Debian through the lskb package. Now it's back as the Lasg again. Kurt Seifried's . In you can find a similar document to this manual but related to Red Hat, some of the issues are not distribution-specific and also apply to Debian. Another Red Hat related document is . IntersectAlliance has published some documents that can be used as reference cards on how to harden Linux servers (and their services), the documents are available at . For network administrators, a good reference for building a secure network is the . If you want to evaluate the programs you are going to use (or want to build up some new ones) you should read the (master copy is available at , it includes slides and talks from the author, David Wheeler) If you are considering installing firewall capabilities, you should read the and the (for kernels previous to 2.4). Finally, a good card to keep handy is the .

In any case, there is more information regarding the services explained here (NFS, NIS, SMB...) in many of the HOWTOs of the . Some of these documents speak on the security side of a given service, so be sure to take a look there too.

The HOWTO documents from the Linux Documentation Project are available in Debian GNU/Linux through the installation of the doc-linux-text (text version) or doc-linux-html (HTML version). After installation these documents will be available at the /usr/share/doc/HOWTO/en-txt and /usr/share/doc/HOWTO/en-html directories, respectively.

Other recommended Linux books: Maximum Linux Security : A Hacker's Guide to Protecting Your Linux Server and Network. Anonymous. Paperback - 829 pages. Sams Publishing. ISBN: 0672313413. July 1999. Linux Security By John S. Flowers. New Riders; ISBN: 0735700354. March 1999. By Brian Hatch. McGraw-Hill Higher Education. ISBN 0072127732. April, 2001

Other books (which might be related to general issues regarding UNIX and security and not Linux specific): Garfinkel, Simpson, and Spafford, Gene; O'Reilly Associates; ISBN 0-56592-148-8; 1004pp; 1996. Firewalls and Internet Security Cheswick, William R. and Bellovin, Steven M.; Addison-Wesley; 1994; ISBN 0-201-63357-4; 320pp.

Some useful web sites to keep up to date regarding security: . the server that hosts the Bugtraq vulnerability database and list, and provides general security information, news and reports. . General information regarding Linux security (tools, news...). Most useful is the page. . General information regarding Linux firewalls and tools to control and administrate them. How does Debian handle security?

Just so you have a general overview of security in Debian GNU/Linux, you should take note of the different issues that Debian tackles in order to provide an overall secure system: Debian problems are always handled openly, even security-related ones. Security issues are discussed openly on the debian-security mailing list. Debian Security Advisories (DSAs) are sent to public mailing lists (both internal and external) and are published on the public server. As the states:

We will not hide problems

We will keep our entire bug report database open for public view at all times. Reports that people file online will promptly become visible to others.

Debian follows security issues closely. The security team checks many security related sources, the most important being , on the lookout for packages with security issues that might be included in Debian. Security updates are the first priority. When a security problem arises in a Debian package, the security update is prepared as fast as possible and distributed for our stable, testing and unstable releases, including all architectures. Information regarding security is centralized in a single point, . Debian is always trying to improve the overall security of the distribution by starting new projects, such as automatic package signature verification mechanisms. Debian provides a number of useful security related tools for system administration and monitoring. Developers try to tightly integrate these tools with the distribution in order to make them a better suite to enforce local security policies. Tools include: integrity checkers, auditing tools, hardening tools, firewall tools, intrusion detection tools, etc. Package maintainers are aware of security issues. This leads to many "secure by default" service installations which could impose certain restrictions on their normal use. Debian does, however, try to balance security and ease of administration - the programs are not de-activated when you install them (as it is the case with say, the BSD family of operating systems). In any case, prominent security issues (such as setuid programs) are part of the .

By publishing security information specific to Debian and complementing other information-security documents related to Debian (see ), this document aims to produce better system installations security-wise. harden-doc-3.15.1/howto-source/en/copyleft.sgml0000644000000000000000000000275611141703021016244 0ustar Copyright © 2002-2007 Javier Fernández-Sanguino Peña

Copyright © 2001 Alexander Reelsen, Javier Fernández-Sanguino Peña

Copyright © 2000 Alexander Reelsen

Some sections are copyright © their respective authors, for details please refer to .

Permission is granted to copy, distribute and/or modify this document under the terms of the or any published by the Free Software Foundation. It is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY.

Permission is granted to make and distribute verbatim copies of this document provided the copyright notice and this permission notice are preserved on all copies.

Permission is granted to copy and distribute modified versions of this document under the conditions for verbatim copying, provided that the entire resulting derived work is distributed under the terms of a permission notice identical to this one.

Permission is granted to copy and distribute translations of this document into another language, under the above conditions for modified versions, except that this permission notice may be included in translations approved by the Free Software Foundation instead of in the original English. harden-doc-3.15.1/howto-source/en/developer.sgml0000644000000000000000000002777410513421053016417 0ustar Developer's Best Practices for OS Security

This chapter introduces some secure coding best practices for developers writing Debian packages. If you are really interested in secure coding, I recommend you read David Wheeler's and by Mark G. Graff and Kenneth R. van Wyk (O'Reilly, 2003). Best practices for security review and design

Developers that are packaging software should make a best effort to ensure that the installation of the software, or its use, does not introduce security risks to either the system it is installed on or its users.

In order to do so, they should do their best to review the source code of the package and detect any flaws that might introduce security bugs before releasing the software or distributing a new version. It is acknowledged that the cost of fixing bugs grows at each later stage of development, so it is easier (and cheaper) to fix bugs when designing than when the software has been deployed and is in maintenance mode (some studies say that the cost in this latter phase is sixty times higher). Although there are some tools that try to automatically detect these flaws, developers should strive to learn about the different kinds of security flaws in order to understand them and be able to spot them in the code they (or others) have written.

The programming bugs which lead to security bugs typically include: , format string overflows, heap overflows and integer overflows (in C/C++ programs), temporary (in scripts), and command injection (in servers) and , and (in the case of web-oriented applications). For more complete information on security bugs, review Fortify's .

Some of these issues might not be easy to spot unless you are an expert in the programming language the software uses, but some security problems are easy to detect and fix. For example, finding temporary race conditions due to misuse of temporary directories can easily be done just by running grep -r "/tmp/" .. Those calls can then be reviewed, and the hardcoded filenames in temporary directories replaced with calls to either mktemp or tempfile in shell scripts, in Perl scripts, or in C/C++.

There is a set of tools available to assist in the security code review phase. These include rats, flawfinder and pscan. For more information, read the .

When packaging software, developers have to make sure that they follow common security principles, including: The software runs with the minimum privileges it needs: The package does not install setuid or setgid binaries. Lintian will warn of , and binaries. The daemons the package provides run as a low-privilege user (see ). Scheduled (i.e., cron) tasks running in the system do NOT run as root or, if they do, do not implement complex tasks.

If you have to do any of the above make sure the programs that might run with higher privileges have been audited for security bugs. If you are unsure, or need help, contact the . In the case of setuid/setgid binaries, follow the Debian policy section regarding

For more information, specific to secure programming, make sure you read (or point your upstream to) and the portal.

Creating users and groups for software daemons

If your software runs a daemon that does not need root privileges, you need to create a user for it. There are two kinds of Debian users that can be used by packages: static uids (assigned by base-passwd, for a list of static users in Debian see ) and dynamic uids in the range assigned to system users.

In the first case, you need to request a user or group id from base-passwd. Once the user is available there, the package needs to be distributed with a proper versioned dependency on the base-passwd package.

In the second case, you need to create the system user either in the preinst or in the postinst and make the package depend on adduser (>= 3.11).

The following example code creates the user and group the daemon will run as when the package is installed or upgraded: [...] case "$1" in install|upgrade) # If the package has default file it could be sourced, so that # the local admin can overwrite the defaults [ -f "/etc/default/packagename" ] && . /etc/default/packagename # Sane defaults: [ -z "$SERVER_HOME" ] && SERVER_HOME=server_dir [ -z "$SERVER_USER" ] && SERVER_USER=server_user [ -z "$SERVER_NAME" ] && SERVER_NAME="Server description" [ -z "$SERVER_GROUP" ] && SERVER_GROUP=server_group # Groups that the user will be added to, if undefined, then none. ADDGROUP="" # create user to avoid running server as root # 1. create group if not existing if ! getent group | grep -q "^$SERVER_GROUP:" ; then echo -n "Adding group $SERVER_GROUP.." addgroup --quiet --system $SERVER_GROUP 2>/dev/null ||true echo "..done" fi # 2. create homedir if not existing test -d $SERVER_HOME || mkdir $SERVER_HOME # 3. create user if not existing if ! getent passwd | grep -q "^$SERVER_USER:"; then echo -n "Adding system user $SERVER_USER.." adduser --quiet \ --system \ --ingroup $SERVER_GROUP \ --no-create-home \ --disabled-password \ $SERVER_USER 2>/dev/null || true echo "..done" fi # 4. adjust passwd entry usermod -c "$SERVER_NAME" \ -d $SERVER_HOME \ -g $SERVER_GROUP \ $SERVER_USER # 5. adjust file and directory permissions if ! dpkg-statoverride --list $SERVER_HOME >/dev/null then chown -R $SERVER_USER:adm $SERVER_HOME chmod u=rwx,g=rxs,o= $SERVER_HOME fi # 6. Add the user to the ADDGROUP group if test -n $ADDGROUP then if ! groups $SERVER_USER | cut -d: -f2 | \ grep -qw $ADDGROUP; then adduser $SERVER_USER $ADDGROUP fi fi ;; configure) [...]

You have to make sure that the init.d script file: Starts the daemon dropping privileges: if the software does not do the or call itself, you can use the --chuid call of start-stop-daemon. Stops the daemon only if the user id matches, you can use the start-stop-daemon --user option for this. Does not run if either the user or the group do not exist: if ! getent passwd | grep -q "^server_user:"; then echo "Server user does not exist. Aborting" >&2 exit 1 fi if ! getent group | grep -q "^server_group:" ; then echo "Server group does not exist. Aborting" >&2 exit 1 fi

If the package creates the system user, it can remove it when it is purged, in its postrm. This has some drawbacks, however. For example, files created by that user will be orphaned and might be taken over by a new system user in the future if it is assigned the same uid. Some relevant threads discussing these drawbacks include and . Consequently, removing system users on purge is not yet mandatory and depends on the package's needs. If unsure, this action could be handled by asking the administrator for the preferred action when the package is installed (i.e. through debconf).

The following example code

This might eventually be introduced as a dh_adduser in debhelper. See , and .

removes the user and groups created before only, and only if, the uid is in the range of dynamic assigned system uids and the gid is belongs to a system group: case "$1" in purge) [...] # find first and last SYSTEM_UID numbers for LINE in `grep SYSTEM_UID /etc/adduser.conf | grep -v "^#"`; do case $LINE in FIRST_SYSTEM_UID*) FIST_SYSTEM_UID=`echo $LINE | cut -f2 -d '='` ;; LAST_SYSTEM_UID*) LAST_SYSTEM_UID=`echo $LINE | cut -f2 -d '='` ;; *) ;; esac done # Remove system account if necessary CREATEDUSER="server_user" if [ -n "$FIST_SYSTEM_UID" ] && [ -n "$LAST_SYSTEM_UID" ]; then if USERID=`getent passwd $CREATEDUSER | cut -f 3 -d ':'`; then if [ -n "$USERID" ]; then if [ "$FIST_SYSTEM_UID" -le "$USERID" ] && \ [ "$USERID" -le "$LAST_SYSTEM_UID" ]; then echo -n "Removing $CREATEDUSER system user.." deluser --quiet $CREATEDUSER || true echo "..done" fi fi fi fi # Remove system group if necessary CREATEDGROUP=server_group FIRST_USER_GID=`grep ^USERS_GID /etc/adduser.conf | cut -f2 -d '='` if [ -n "$FIST_USER_GID" ] then if GROUPGID=`getent group $CREATEDGROUP | cut -f 3 -d ':'`; then if [ -n "$GROUPGID" ]; then if [ "$FIST_USER_GID" -gt "$GROUPGID" ]; then echo -n "Removing $CREATEDGROUP group.." delgroup --only-if-empty $CREATEDGROUP || true echo "..done" fi fi fi fi [...]

Running programs as a user with limited privileges ensures that a security issue in them will not be able to damage the whole system. It also follows the principle of least privilege. Also consider that you can limit privileges in programs through other mechanisms besides running as non-root

You can even provide a SELinux policy for it

. For more information, read the chapter of the Secure Programming for Linux and Unix HOWTO book.
harden-doc-3.15.1/howto-source/en/services.sgml0000644000000000000000000023333010662644475016264 0ustar Securing services running on your system

Services can be secured in a running system in two ways: Making them accessible only at the access points (interfaces) they need to be on. Configuring them properly so that they can only be used by legitimate users in an authorized manner.

Restricting services so that they can only be accessed from a given place can be done by restricting access to them at the kernel (i.e. firewall) level, configuring them to listen only on a given interface (some services might not provide this feature) or using some other methods; for example, the Linux vserver patch (for 2.4.16) can be used to force processes to use only one interface.

Regarding the services running from inetd (telnet, ftp, finger, pop3...) it is worth noting that inetd can be configured so that services only listen on a given interface (using service@ip syntax) but that's an undocumented feature. One of its substitutes, the xinetd meta-daemon includes a bind option just for this matter. See . service nntp { socket_type = stream protocol = tcp wait = no user = news group = news server = /usr/bin/env server_args = POSTING_OK=1 PATH=/usr/sbin/:/usr/bin:/sbin/:/bin +/usr/sbin/snntpd logger -p news.info bind = 127.0.0.1 }

The following sections detail how specific individual services can be configured properly depending on their intended use. Securing ssh

If you are still running telnet instead of ssh, you should take a break from this manual and change this. Ssh should be used for all remote logins instead of telnet. In an age where it is easy to sniff Internet traffic and get clear-text passwords, you should use only protocols which use cryptography. So, perform an apt-get install ssh on your system now.

Encourage all the users on your system to use ssh instead of telnet, or even better, uninstall telnet/telnetd. In addition you should avoid logging into the system using ssh as root and use alternative methods to become root instead, like su or sudo. Finally, the sshd_config file, in /etc/ssh, should be modified to increase security as well: ListenAddress 192.168.0.1

Have ssh listen only on a given interface, just in case you have more than one (and do not want ssh available on it) or in the future add a new network card (and don't want ssh connections from it). PermitRootLogin no

Try not to permit Root Login wherever possible. If anyone wants to become root via ssh, now two logins are needed and the root password cannot be brute forced via SSH. Port 666 or ListenAddress 192.168.0.1:666

Change the listen port, so the intruder cannot be completely sure whether a sshd daemon runs (be forewarned, this is security by obscurity). PermitEmptyPasswords no

Empty passwords make a mockery of system security. AllowUsers alex ref me@somewhere

Allow only certain users to have access via ssh to this machine. user@host can also be used to restrict a given user from accessing only at a given host. AllowGroups wheel admin

Allow only certain group members to have access via ssh to this machine. AllowGroups and AllowUsers have equivalent directives for denying access to a machine. Not surprisingly they are called "DenyUsers" and "DenyGroups". PasswordAuthentication yes

It is completely your choice what you want to do. It is more secure to only allow access to the machine from users with ssh-keys placed in the ~/.ssh/authorized_keys file. If you want this, set this one to "no". Disable any form of authentication you do not really need: if you do not use, for example, RhostsRSAAuthentication, HostbasedAuthentication, KerberosAuthentication or RhostsAuthentication, you should disable them, even if they are already disabled by default (see the manpage ). Protocol 2

Disable the protocol version 1, since it has some design flaws that make it easier to crack passwords. For more information read or the . Banner /etc/some_file

Add a banner (it will be retrieved from the file) shown to users connecting to the ssh server. In some countries, a warning about unauthorized access or user monitoring, shown before access to a given system, is needed to have legal protection.

You can also restrict access to the ssh server using pam_listfile or pam_wheel in the PAM control file. For example, you could keep anyone not listed in /etc/loginusers away by adding this line to /etc/pam.d/ssh: auth required pam_listfile.so sense=allow onerr=fail item=user file=/etc/loginusers

As a final note, be aware that these directives are from an OpenSSH configuration file. Right now, there are three commonly used SSH daemons, ssh1, ssh2, and OpenSSH by the OpenBSD people. Ssh1 was the first ssh daemon available and it is still the most commonly used (there are rumors that there is even a Windows port). Ssh2 has many advantages over ssh1 except it is released under a closed-source license. OpenSSH is a completely free ssh daemon, which supports both ssh1 and ssh2. OpenSSH is the version installed on Debian when the package ssh is chosen.

You can read more information on how to set up SSH with PAM support in the . Chrooting ssh

Currently OpenSSH does not provide a way to automatically chroot users upon connection (the commercial version does provide this functionality). However, there is a project to provide this functionality for OpenSSH too, see ; it is not currently packaged for Debian, though. You could use, however, the pam_chroot module as described in .

In you can find several options to make a chroot environment for SSH. Ssh clients

If you are using an SSH client against the SSH server you must make sure that it supports the same protocols that are enforced on the server. For example, if you use the mindterm package, it only supports protocol version 1. However, the sshd server is, by default, configured to only accept version 2 (for security reasons). Disallowing file transfers

If you do not want users to transfer files to and from the ssh server you need to restrict access to the sftp-server and the scp access. You can restrict sftp-server by configuring the proper Subsystem in the /etc/ssh/sshd_config.

You can also chroot users (using libpam-chroot) so that, even if file transfer is allowed, they are limited to an environment which does not include any system files. Restricting access to file transfer only

You might want to restrict access to users so that they can only do file transfers and cannot have interactive shells. In order to do this you can either: disallow users from logging in to the ssh server (as described above, either through the configuration file or PAM configuration). give users a restricted shell such as scponly or rssh. These shells restrict the commands available to the users so that they are not provided any remote execution privileges. Securing Squid

Squid is one of the most popular proxy/cache server, and there are some security issues that should be taken into account. Squid's default configuration file denies all users requests. However the Debian package allows access from 'localhost', you just need to configure your browser properly. You should configure Squid to allow access to trusted users, hosts or networks defining an Access Control List on /etc/squid/squid.conf, see the for more information about defining ACLs rules. Notice that Debian provides a minimum configuration for Squid that will prevent anything, except from localhost to connect to your proxy server (which will run in the default port 3128). You will need to customize your /etc/squid/squid.conf as needed. The recommended minimum configuration (provided with the package) is shown below: acl all src 0.0.0.0/0.0.0.0 acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl SSL_ports port 443 563 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 563 # https, snews acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl Safe_ports port 901 # SWAT acl purge method PURGE acl CONNECT method CONNECT (...) # Only allow cachemgr access from localhost http_access allow manager localhost http_access deny manager # Only allow purge requests from localhost http_access allow purge localhost http_access deny purge # Deny requests to unknown ports http_access deny !Safe_ports # Deny CONNECT to other than SSL ports http_access deny CONNECT !SSL_ports # # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS # http_access allow localhost # And finally deny all other access to this proxy http_access deny all #Default: # icp_access deny all # #Allow ICP queries from everyone icp_access allow all

You should also configure Squid based on your system resources, including cache memory (option cache_mem), location of the cached files and the amount of space they will take up on disk (option cache_dir).

Notice that, if not properly configured, someone may relay a mail message through Squid, since the HTTP and SMTP protocols are designed similarly. Squid's default configuration file denies access to port 25. If you wish to allow connections to port 25 just add it to Safe_ports lists. However, this is NOT recommended.

Setting up and configuring the proxy/cache server properly is only part of keeping your site secure. Another necessary task is to analyze Squid's logs to ensure that everything is working as it should. There are some packages in Debian GNU/Linux that can help an administrator to do this. The following packages are available in Debian 3.0 and Debian 3.1 (sarge): calamaris - Log analyzer for Squid or Oops proxy log files. modlogan - A modular logfile analyzer. sarg - Squid Analysis Report Generator. squidtaild - Squid log monitoring program.

When using Squid in Accelerator Mode it acts as a web server too. Turning on this option increases code complexity, making it less reliable. By default Squid is not configured to act as a web server, so you don't need to worry about this. Note that if you want to use this feature be sure that it is really necessary. To find more information about Accelerator Mode on Squid see the Securing FTP

If you really have to use FTP (without wrapping it with sslwrap or inside an SSL or SSH tunnel), you should chroot ftp into the ftp users' home directory, so that the user is unable to see anything other than their own directory. Otherwise they could traverse your root file system just as if they had a shell on it. You can add the following line to your proftpd.conf in your global section to enable this chroot feature: DefaultRoot ~

Restart ProFTPd with /etc/init.d/proftpd restart and check whether you can still escape from your home directory.

To prevent ProFTPd DoS attacks using ../../.., add the following line in /etc/proftpd.conf: DenyFilter \*.*/

Always remember that FTP sends login and authentication passwords in clear text (this is not an issue if you are providing an anonymous public service) and there are better alternatives in Debian for this. For example, sftp (provided by ssh). There are also free implementations of SSH for other operating systems: and for example.

However, if you still maintain the FTP server while making users access it through SSH you might encounter a typical problem. Users accessing anonymous FTP servers inside SSH-secured systems might try to log in to the FTP server. While the access will be refused, the password will nevertheless be sent over the network in clear text. To avoid that, ProFTPd developer TJ Saunders has created a patch that prevents users from feeding the anonymous FTP server with valid SSH accounts. More information and the patch are available at: . This patch has been reported to Debian too, see . Securing access to the X Window System

Today, X terminals are used by more and more companies where one server is needed for a lot of workstations. This can be dangerous, because you need to allow the file server to connect to the clients (which are X servers from the X point of view; X switches the definition of client and server). If you follow the (very bad) suggestion of many docs, you type xhost + on your machine. This allows any X client to connect to your system. For slightly better security, you can use the command xhost +hostname instead to only allow access from specific hosts.

A much more secure solution, though, is to use ssh to tunnel X and encrypt the whole session. This is done automatically when you ssh to another machine. For this to work, you have to configure both the ssh client and the ssh server. On the ssh client, ForwardX11 should be set to yes in /etc/ssh/ssh_config. On the ssh server, X11Forwarding should be set to yes in /etc/ssh/sshd_config and the package xbase-clients should be installed because the ssh server uses /usr/X11R6/bin/xauth (/usr/bin/xauth on Debian unstable) when setting up the pseudo X display. In times of SSH, you should drop the xhost based access control completely.

For best security, if you do not need X access from other machines, switch off the binding on TCP port 6000 simply by typing: $ startx -- -nolisten tcp

This is the default behavior in Xfree 4.1.0 (the X server provided in Debian 3.0 and 3.1). If you are running Xfree 3.3.6 (i.e. you have Debian 2.2 installed) you can edit /etc/X11/xinit/xserverrc so that it reads something along the lines of: #!/bin/sh exec /usr/bin/X11/X -dpi 100 -nolisten tcp

If you are using XDM set /etc/X11/xdm/Xservers to: :0 local /usr/bin/X11/X vt7 -dpi 100 -nolisten tcp. If you are using Gdm make sure that the DisallowTCP=true option is set in /etc/gdm/gdm.conf (which is the default in Debian). This will basically append -nolisten tcp to every X command line (Gdm will not append -nolisten tcp if it finds a -query or -indirect on the command line, since the query wouldn't work).

You can also set the system default timeout for xscreensaver locks. Even though the user can override it, you should edit the /etc/X11/app-defaults/XScreenSaver configuration file and change the lock line: *lock: False

(which is the default in Debian) to: *lock: True

FIXME: Add information on how to disable the screensavers which show the user desktop (which might have sensitive information).

Read more on X Window security in (/usr/share/doc/HOWTO/en-txt/XWindow-User-HOWTO.txt.gz).

FIXME: Add info on thread of debian-security on how to change config files of XFree 3.3.6 to do this. Check your display manager

If you only want to have a display manager installed for local usage (having a nice graphical login, that is), make sure the XDMCP (X Display Manager Control Protocol) stuff is disabled. In XDM you can do this with this line in /etc/X11/xdm/xdm-config: DisplayManager.requestPort: 0

For GDM, your gdm.conf should contain: [xdmcp] Enable=false

Normally, all display managers in Debian are configured not to start XDMCP services by default. Securing printing access (the lpd and lprng issue)

Imagine you arrive at work, and the printer is spitting out endless amounts of paper because someone is DoSing your line printer daemon. Nasty, isn't it?

In any UNIX printing architecture, there has to be a way to get the client's data to the host's print server. In traditional lpr and lp, the client command copies or symlinks the data into the spool directory (which is why these programs are usually SUID or SGID).

In order to avoid any issues you should keep your printer servers especially secure. This means you need to configure your printer service so it will only allow connections from a set of trusted servers. In order to do this, add the servers you want to allow printing to your /etc/hosts.lpd.

However, even if you do this, the lpr daemon accepts incoming connections on port 515 of any interface. You should consider firewalling connections from networks/hosts which are not allowed printing (the lpr daemon cannot be limited to listen only on a given IP address).

Lprng should be preferred over lpr since it can be configured to do IP access control, and you can specify which interface to bind to (although somewhat awkwardly).

If you are using a printer in your system, but only locally, you will not want to share this service over a network. You can consider using other printing systems, like the one provided by cups or which is based on user permissions of the /dev/lp0 device.

In cups, the print data is transferred to the server via the HTTP protocol. This means the client program doesn't need any special privileges, but does require that the server is listening on a port somewhere.

However, if you want to use cups, but only locally, you can configure it to bind to the loopback interface by changing /etc/cups/cupsd.conf: Listen 127.0.0.1:631

There are many other security options like allowing or denying networks and hosts in this config file. However, if you do not need them you might be better off just limiting the listening port. Cups also serves documentation through the HTTP port; if you do not want to disclose potentially useful information to outside attackers (and the port is open) also add: <Location /> Order Deny,Allow Deny From All Allow From 127.0.0.1 </Location>

This configuration file can be modified to add some more features including SSL/TLS certificates and crypto. The manuals are available at http://localhost:631/ or at .

FIXME: Add more content (the article on provides some very interesting views).

FIXME: Check if PDG is available in Debian, and if so, suggest this as the preferred printing system.

FIXME: Check if Farmer/Wietse has a replacement for printer daemon and if it's available in Debian. Securing the mail service

If your server is not a mailing system, you do not really need to have a mail daemon listening for incoming connections, but you might want local mail delivered in order, for example, to receive mail for the root user from any alert systems you have in place.

If you have exim you do not need the daemon to be working in order to do this since the standard cron job flushes the mail queue. See on how to do this. Configuring a Nullmailer

You might want to have a local mailer daemon so that it can relay the mails sent locally to another system. This is common when you have to administer a number of systems and do not want to connect to each of them to read the mail sent locally. Just as all logging of each individual system can be centralized by using a central syslog server, mail can be sent to a central mailserver.

Such a relay-only system should be configured properly for this. The daemon could also be configured to only listen on the loopback address.

The following configuration steps only need to be taken to configure the exim package in the Debian 3.0 release. If you are using a later release (such as 3.1 which uses exim4) the installation system has been improved so that if the mail transport agent is configured to only deliver local mail it will automatically only allow connections from the local host and will not permit remote connections.

In a Debian 3.0 system using exim, you will have to remove the SMTP daemon from inetd: $ update-inetd --disable smtp

and configure the mailer daemon to only listen on the loopback interface. In exim (the default MTA) you can do this by editing the file /etc/exim.conf and adding the following line: local_interfaces = "127.0.0.1"

Restart both daemons (inetd and exim) and you will have exim listening on the 127.0.0.1:25 socket only. Be careful to disable inetd first; otherwise exim will not start, since the inetd daemon is already handling incoming connections.

For postfix edit /etc/postfix/main.cf: inet_interfaces = localhost

If you only want local mail, this approach is better than tcp-wrapping the mailer daemon or adding firewalling rules to limit who can access it. However, if you do need it to listen on other interfaces, you might consider launching it from inetd and adding a tcp wrapper so incoming connections are checked against /etc/hosts.allow and /etc/hosts.deny. Also, you will be aware when unauthorized access is attempted against your mailer daemon if you set up proper logging for any of the methods above.

In any case, to reject mail relay attempts at the SMTP level, you can change /etc/exim/exim.conf to include: receiver_verify = true

Even if your mail server will not relay the message, this kind of configuration is needed for the relay tester at to determine that your server is not relay capable.

If you want a relay-only setup, however, you can consider changing the mailer daemon to programs that can only be configured to forward the mail to a remote mail server. Debian currently provides both ssmtp and nullmailer for this purpose. In any case, you can evaluate for yourself any of the mail transport agents provided by Debian and see which one best suits the system's purposes. To retrieve the list of mailer daemons available in Debian try: $ apt-cache search mail-transport-agent

The list will not include qmail, which is distributed only as source code in the qmail-src package. Providing secure access to mailboxes

If you want to give remote access to mailboxes there are a number of POP3 and IMAP daemons available. A list of servers/daemons which support these protocols in Debian can be retrieved with: $ apt-cache search pop3-server $ apt-cache search imap-server However, if you provide IMAP access note that it is a general file access protocol; it can become the equivalent of shell access because users might be able to retrieve any file they have access to through it.

Try, for example, configuring {server.com}/etc/passwd as your inbox path; if it succeeds, your IMAP daemon is not properly configured to prevent this kind of access.

Of the IMAP servers in Debian, the cyrus server (in the cyrus-imapd package) gets around this by having all access go to a database in a restricted part of the file system. Also, uw-imapd (either install uw-imapd or better, if your IMAP clients support it, uw-imapd-ssl) can be configured to chroot the users' mail directory, but this is not enabled by default. The documentation provided gives more information on how to configure it.

Also, you might want to run an IMAP server that does not need valid users to be created on the local system (which would grant shell access too); courier-imap (for IMAP) and courier-pop, teapop (for POP3) and cyrus-imapd (for both POP3 and IMAP) provide servers with authentication methods besides the local user accounts. cyrus can use any authentication method that can be configured through PAM, while teapop might use databases (such as postgresql and mysql) for user authentication.

FIXME: Check: uw-imapd might be configured with user authentication through PAM too. Receiving mail securely

Reading/receiving mail is the most common use of a clear-text protocol. If you use either POP3 or IMAP to get your mail, you send your clear-text password across the net, so almost anyone can read your mail from then on. Instead, use SSL (Secure Sockets Layer) to receive your mail. The other alternative is SSH, if you have a shell account on the box which acts as your POP or IMAP server. Here is a basic fetchmailrc to demonstrate this: poll my-imap-mailserver.org via "localhost" with proto IMAP port 1236 user "ref" there with password "hackme" is alex here warnings 3600 folders .Mail/debian preconnect 'ssh -f -P -C -L 1236:my-imap-mailserver.org:143 -l ref my-imap-mailserver.org sleep 15 </dev/null > /dev/null'

The preconnect is the important line. It fires up an ssh session and creates the necessary tunnel, which automatically forwards connections to localhost port 1236 to the IMAP mail server, but encrypted. Another possibility would be to use fetchmail with the SSL feature.

If you want to provide encrypted mail services like POP and IMAP, apt-get install stunnel and start your daemons this way: stunnel -p /etc/ssl/certs/stunnel.pem -d pop3s -l /usr/sbin/popd

This command wraps the provided daemon (-l) on the given port (-d) and uses the specified SSL certificate (-p). Securing BIND

There are different issues that can be tackled in order to secure the Domain server daemon, which are similar to the ones considered when securing any given service: configuring the daemon itself properly so it cannot be misused from the outside (see ). This includes limiting possible queries from clients: zone transfers and recursive queries. limit the access of the daemon to the server itself so if it is used to break in, the damage to the system is limited. This includes running the daemon as a non-privileged user (see ) and chrooting it (see ). Bind configuration to avoid misuse

You should restrict some of the information that is served from the DNS server to outside clients so that it cannot be used to retrieve valuable information from your organization that you do not want to give away. This includes adding the following options: allow-transfer, allow-query, allow-recursion and version. You can either limit this on the global section (so it applies to all the zones served) or on a per-zone basis. This information is documented in the bind-doc package, read more on this on /usr/share/doc/bind/html/index.html once the package is installed.

Imagine that your server is connected to the Internet and to your internal network (your internal IP is 192.168.1.2), i.e. a basic multi-homed server; you do not want to give any service to the Internet and you just want to enable DNS lookups from your internal hosts. You could restrict it by including in /etc/bind/named.conf: options { allow-query { 192.168.1/24; } ; allow-transfer { none; } ; allow-recursion { 192.168.1/24; } ; listen-on { 192.168.1.2; } ; forward { only; } ; forwarders { A.B.C.D; } ; };

The listen-on option makes the DNS server bind only to the interface that has the internal address, but, even if this interface is the same as the interface that connects to the Internet (if you are using NAT, for example), queries will only be accepted if they come from your internal hosts. If the system has multiple interfaces and listen-on is not present, only internal users could query, but, since the port would be accessible to outside attackers, they could try to crash (or exploit buffer overflows in) the DNS server. You could even make it listen only on 127.0.0.1 if you are not giving DNS service to any systems other than yourself.

The version.bind record in the chaos class contains the version of the currently running bind process. This information is often used by automated scanners and malicious individuals who wish to determine if one's bind is vulnerable to a specific attack. By providing false or no information in the version.bind record, one limits the probability that one's server will be attacked based on its published version. To provide your own version, use the version directive in the following manner: options { ... various options here ... version "Not available."; };

Changing the version.bind record does not provide actual protection against attacks, but it might be considered a useful safeguard.

A sample named.conf configuration file might be the following: acl internal { 127.0.0.1/32; // localhost 10.0.0.0/8; // internal aa.bb.cc.dd; // eth0 IP }; acl friendly { ee.ff.gg.hh; // slave DNS aa.bb.cc.dd; // eth0 IP 127.0.0.1/32; // localhost 10.0.0.0/8; // internal }; options { directory "/var/cache/bind"; allow-query { internal; }; allow-recursion { internal; }; allow-transfer { none; }; }; // From here to the mysite.bogus zone // is basically unmodified from the debian default logging { category lame-servers { null; }; category cname { null; }; }; zone "." { type hint; file "/etc/bind/db.root"; }; zone "localhost" { type master; file "/etc/bind/db.local"; }; zone "127.in-addr.arpa" { type master; file "/etc/bind/db.127"; }; zone "0.in-addr.arpa" { type master; file "/etc/bind/db.0"; }; zone "255.in-addr.arpa" { type master; file "/etc/bind/db.255"; }; // zones I added myself zone "mysite.bogus" { type master; file "/etc/bind/named.mysite"; allow-query { any; }; allow-transfer { friendly; }; };

Please (again) check the Bug Tracking System regarding Bind, specifically . Feel free to contribute to the bug report if you think you can add useful information. Changing BIND's user

Regarding limiting BIND's privileges you must be aware that if a non-root user runs BIND, then BIND cannot detect new interfaces automatically, for example when you put a PCMCIA card into your laptop. Check the README.Debian file in your named documentation (/usr/share/doc/bind/README.Debian) directory for more information about this issue. There have been many recent security problems concerning BIND, so switching the user is useful when possible. We will detail here the steps needed in order to do this, however, if you want to do this in an automatic way you might try the script provided in .

Notice, in any case, that this only applies to BIND version 8. In the Debian packages for BIND version 9 (since the 9.2.1-5 version, available since sarge) the bind user is created and used by setting the OPTIONS variable in /etc/default/bind9. If you are using BIND version 9 and your name server daemon is not running as the bind user verify the settings on that file.

To run BIND under a different user, first create a separate user and group for it (it is not a good idea to use nobody or nogroup for every service not running as root). In this example, the user and group named will be used. You can do this by entering: addgroup named adduser --system --home /home/named --no-create-home --ingroup named \ --disabled-password --disabled-login named

Notice that the user named will be quite restricted. If you want, for whatever reason, to have a less restrictive setup use: adduser --system --ingroup named named

Now you can either edit /etc/init.d/bind with your favorite editor and change the line beginning with start-stop-daemon --start to: start-stop-daemon --start --quiet --exec /usr/sbin/named -- -g named -u named (note that depending on your bind version you might not have the -g option, most notably if you are using bind9 in sarge (version 9.2.4)).

Or you can change the default configuration file (/etc/default/bind for BIND version 8; create it if it does not exist) and introduce the following: OPTIONS="-u named -g named"

Change the permissions of files that are used by Bind, including /etc/bind/rndc.key: -rw-r----- 1 root named 77 Jan 4 01:02 rndc.key and where bind creates its pidfile, using, for example, /var/run/named instead of /var/run: $ mkdir /var/run/named $ chown named.named /var/run/named $ vi /etc/named.conf [ ... update the configuration file to use this new location ...] options { ... pid-file "/var/run/named/named.pid"; }; [ ... ]

Also, in order to avoid running anything as root, change the reload line in the init.d script by substituting: reload) /usr/sbin/ndc reload

to: reload) $0 stop sleep 1 $0 start

Note: Depending on your Debian version you might have to change the restart line too. This was fixed in Debian's bind version 1:8.3.1-2.

All you need to do now is to restart bind via /etc/init.d/bind restart, and then check your syslog for two entries like this:

Sep 4 15:11:08 nexus named[13439]: group = named Sep 4 15:11:08 nexus named[13439]: user = named

Voilà! Your named now does not run as root. If you want to read more information on why BIND does not run as a non-root user on Debian systems, please check the Bug Tracking System regarding Bind, specifically and , , , and . Feel free to contribute to the bug reports if you think you can add useful information. Chrooting the name server

To achieve maximum BIND security, now build a chroot jail (see ) around your daemon. There is an easy way to do this: the -t option (see the manpage or page 100 of ). This will make Bind chroot itself into the given directory without you needing to set up a chroot jail and worry about dynamic libraries. The only files that need to be in the chroot jail are: dev/null etc/bind/ - should hold named.conf and all the server zones sbin/named-xfer - if you do name transfers var/run/named/ - should hold the PID and the name server cache (if any) this directory needs to be writable by named user var/log/named - if you set up logging to a file, needs to be writable for the named user dev/log - syslogd should be listening here if named is configured to log through it

In order for your Bind daemon to work properly it needs permissions on the named files. This is an easy task since the configuration files are always at /etc/named/. Take into account that it only needs read-only access to the zone files, unless it is a secondary or cache name server. If this is the case you will have to give read-write permissions to the necessary zones (so that zone transfers from the primary server work).

Also, you can find more information regarding Bind chrooting in the (regarding Bind 9) and (regarding Bind 8). These same documents should be available through the installation of the doc-linux-text (text version) or doc-linux-html (HTML version) package. Another useful document is .

If you are setting up a full chroot jail (i.e. not just -t) for Bind in Debian, make sure you have the following files in it (this setup has not been tested with newer releases of Bind yet): dev/log - syslogd should be listening here dev/null etc/bind/named.conf etc/localtime etc/group - with only a single line: "named:x:GID:" etc/ld.so.cache - generated with ldconfig lib/ld-2.3.6.so lib/libc-2.3.6.so lib/ld-linux.so.2 - symlinked to ld-2.3.6.so lib/libc.so.6 - symlinked to libc-2.3.6.so sbin/ldconfig - may be deleted after setting up the chroot sbin/named-xfer - if you do name transfers var/run/

Also modify syslogd to listen on $CHROOT/dev/log so the named server can write syslog entries into the local system log.

If you want to avoid problems with dynamic libraries, you can compile bind statically. You can use apt-get for this, with the source option. It can even download the packages you need to properly compile it. You would need to do something similar to: $ apt-get source bind # apt-get build-dep bind $ cd bind-8.2.5-2 (edit src/port/linux/Makefile so CFLAGS includes the '-static' option) $ dpkg-buildpackage -rfakeroot -uc -us $ cd .. # dpkg -i bind-8.2.5-2*deb

After installation, you will need to move the files into the chroot jail (unless you use the instdir option when calling dpkg, but then the chroot jail might be a little more complex). You can keep the init.d scripts in /etc/init.d so that the system will automatically start the name server, but edit them to add --chroot /location_of_chroot in the calls to start-stop-daemon in those scripts, or use the -t option for BIND by setting it in the OPTIONS argument in the /etc/default/bind (for version 8) or /etc/default/bind9 (for version 9) configuration file.

For more information on how to set up chroots see .

FIXME: Merge info from , (Debian-specific), and . Securing Apache

FIXME: Add content: modules provided with the normal Apache installation (under /usr/lib/apache/X.X/mod_*) and modules that can be installed separately in libapache-mod-XXX packages.

You can limit access to the Apache server if you only want to use it internally (for testing purposes, to access the doc-central archive, etc.) and do not want outsiders to access it. To do this use the Listen or BindAddress directives in /etc/apache/http.conf.

Using Listen: Listen 127.0.0.1:80

Using BindAddress: BindAddress 127.0.0.1

Then restart apache with /etc/init.d/apache restart and you will see that it is only listening on the loopback interface.

In any case, if you are not using all the functionality provided by Apache, you might want to take a look at other web servers provided in Debian like dhttpd.

The provides information regarding security measures to be taken on Apache web server (this same information is provided in Debian by the apache-doc package).

More information on further restricting Apache by setting up a chroot jail is provided in . Disabling users from publishing web contents

The default Apache installation in Debian permits users to publish content under $HOME/public_html. This content can be retrieved remotely using a URL such as: http://your_apache_server/~user.

If you do not want to permit this you must change the /etc/apache/http.conf configuration file, commenting out (in Apache 1.3) the following module: LoadModule userdir_module /usr/lib/apache/1.3/mod_userdir.so

If you are using Apache 2.0 you must remove the file /etc/apache2/mods-enabled/userdir.load or restrict the default configuration by modifying /etc/apache2/mods-enabled/userdir.conf.

However, if the module was linked statically (you can list the modules that are compiled in running apache -l) you must add the following to the Apache configuration file: Userdir disabled

An attacker might still do user enumeration, since the web server's answer will be a 403 Forbidden rather than a 404 Not Found. You can avoid this if you use the Rewrite module. Logfiles permissions

Apache logfiles, since 1.3.22-1, are owned by user 'root' and group 'adm' with permissions 640. These permissions are changed after rotation. An intruder that accessed the system through the web server would not be able (without privilege escalation) to remove old log file entries. Published web files

Apache files are located under /var/www. Just after installation the default file provides some information on the system (mainly that it's a Debian system running Apache). The default webpages are owned by user root and group root by default, while the Apache process runs as user www-data and group www-data. This should make it harder for attackers who compromise the system through the web server to deface the site. You should, of course, substitute the default web pages (which might provide information you do not want to show to outsiders) with your own.

Securing finger

If you want to run the finger service first ask yourself if you need to do so. If you do, you will find out that Debian provides many finger daemons (output from apt-cache search fingerd): cfingerd - Configurable finger daemon efingerd - Another finger daemon for unix, capable of fine-tuning your output. ffingerd - a secure finger daemon fingerd - Remote user information server. xfingerd - BSD-like finger daemon with qmail support.

ffingerd is the recommended finger daemon if you are going to use it for a public service. In any case, when setting it up through inetd, xinetd or tcpserver, you are encouraged to: limit the number of processes that will be running at the same time, limit access to the finger daemon to a given number of hosts (using tcp wrappers) and have it listen only on the interface you need it to be on. General chroot and suid paranoia

chroot is one of the most powerful ways to restrict a daemon, a user or another service. Just imagine a jail around your target, which the target cannot escape from (normally, but there are still a lot of conditions that allow one to escape out of such a jail). If you do not trust a user or a service, you can create a modified root environment for it. This can use quite a bit of disk space as you need to copy all needed executables, as well as libraries, into the jail. But then, even if the user does something malicious, the scope of the damage is limited to the jail.

Many services running as daemons could benefit from this sort of arrangement. The daemons that you install with your Debian distribution will not, however, come chrooted by default (Debian does try to run them with minimum privilege, which includes running daemons under their own users instead of having them run as root).

This includes: name servers (such as bind), web servers (such as apache), mail servers (such as sendmail) and ftp servers (such as wu-ftpd). It is probably fair to say that the complexity of BIND is the reason why it has been exposed to a lot of attacks in recent years (see ).

However, Debian does provide some software that can help set up chroot environments. See .

Anyway, if you run any service on your system, you should consider running them as secure as possible. This includes: revoking root privileges, running in a restricted environment (such as a chroot jail) or replacing them with a more secure equivalent.

However, be forewarned that a chroot jail can be broken if the user running in it is the superuser. So, you need to make the service run as a non-privileged user. By limiting its environment you are limiting the world readable/executable files the service can access, thus, you limit the possibilities of a privilege escalation by use of local system security vulnerabilities. Even in this situation you cannot be completely sure that there is no way for a clever attacker to somehow break out of the jail. Using only server programs which have a reputation for being secure is a good additional safety measure. Even minuscule holes like open file handles can be used by a skilled attacker for breaking into the system. After all, chroot was not designed as a security tool but as a testing tool.

Making chrooted environments automatically

There are several programs that automatically chroot servers and services. Debian currently (accepted in May 2002) provides Wietse Venema's chrootuid in the chrootuid package, as well as compartment and makejail. These programs can be used to set up a restricted environment for executing any program (chrootuid even enables you to run it as a restricted user).

Some of these tools can be used to set up the chroot environment easily. The makejail program for example, can create and update a chroot jail with short configuration files (it provides sample configuration files for bind, apache, postgresql and mysql). It attempts to guess and install into the jail all files required by the daemon using strace, stat and Debian's package dependencies. More information at . Jailer is a similar tool which can be retrieved from and is also available as a Debian package. General cleartext password paranoia

You should try to avoid any network service which sends and receives passwords in cleartext over a net like FTP/Telnet/NIS/RPC. The author recommends the use of ssh instead of telnet and ftp to everybody.

Keep in mind that migrating from telnet to ssh, but using other cleartext protocols does not increase your security in ANY way! Best would be to remove ftp, telnet, pop, imap, http and to supersede them with their respective encrypted services. You should consider moving from these services to their SSL versions, ftp-ssl, telnet-ssl, pop-ssl, https ...

Most of these above listed hints apply to every Unix system (you will find them if reading any other hardening-related document related to Linux and other Unices). Disabling NIS

You should not use NIS, the Network Information Service, if possible, because it allows password sharing. This can be highly insecure if your setup is broken.

If you need password sharing between machines, you might want to consider using other alternatives. For example, you can setup an LDAP server and configure PAM on your system in order to contact the LDAP server for user authentication. You can find a detailed setup in the (/usr/share/doc/HOWTO/en-txt/LDAP-HOWTO.txt.gz).

You can read more about NIS security in the (/usr/share/doc/HOWTO/en-txt/NIS-HOWTO.txt.gz).

FIXME (jfs): Add info on how to set this up in Debian. Securing RPC services

You should disable RPC if you do not need it.

Remote Procedure Call (RPC) is a protocol that programs can use to request services from other programs located on different computers. The portmap service controls RPC services by mapping RPC program numbers into DARPA protocol port numbers; it must be running in order to make RPC calls.

RPC-based services have had a bad record of security holes, although the portmapper itself hasn't (but still provides information to a remote attacker). Notice that some of the DDoS (distributed denial of service) attacks use RPC exploits to get into the system and act as a so called agent/handler.

You only need RPC if you are using an RPC-based service. The most common RPC-based services are NFS (Network File System) and NIS (Network Information System). See the previous section for more information about NIS. The File Alteration Monitor (FAM) provided by the package fam is also an RPC service, and thus depends on portmap.

NFS services are quite important in some networks. If that is the case for you, then you will need to find a balance of security and usability for your network (you can read more about NFS security in the (/usr/share/doc/HOWTO/en-txt/NFS-HOWTO.txt.gz)). Disabling RPC services completely

Disabling portmap is quite simple. There are several different methods. The simplest one in a Debian 3.0 system and later releases is to uninstall the portmap package. If you are running an older Debian version you will have to disable the service as seen in , because the program is part of the netbase package (which cannot be de-installed without breaking the system).

Notice that some desktop environments (notably, GNOME) use RPC services and need the portmapper for some of the file management features. If this is your case, you can limit the access to RPC services as described below. Limiting access to RPC services

Unfortunately, in some cases removing RPC services from the system is not an option. Some local desktop services (notably SGI's fam) are RPC based and thus need a local portmapper. This means that under some situations, users installing a desktop environment (like GNOME) will install the portmapper too.

There are several ways to limit access to the portmapper and to RPC services: Block access to the ports used by these services with a local firewall (see ). Block access to these services using tcp wrappers, since the portmapper (and some RPC services) are compiled with libwrap (see ). This means that you can block access to them through the hosts.allow and hosts.deny tcp wrappers configuration. Since version 5-5, the portmap package can be configured to listen only on the loopback interface. To do this, modify /etc/default/portmap, uncomment the following line: #OPTIONS="-i 127.0.0.1" and restart the portmapper. This is sufficient to allow local RPC services to work while at the same time preventing remote systems from accessing them (see, however, ). Adding firewall capabilities

The Debian GNU/Linux operating system has the built-in firewalling capabilities provided by the Linux kernel.

If you install a recent Debian release (default kernel installed is 2.6) you will have iptables (netfilter) firewalling available. (iptables has been available since kernel version 2.4, which was the default kernel in Debian 3.0. Previous kernel versions (2.2, available in even older Debian releases) used ipchains. The main difference between ipchains and iptables is that the latter is based on stateful packet inspection, which provides for more secure (and easier to build) filtering configurations. Older (and now unsupported) Debian distributions using the 2.0 kernel series needed the appropriate kernel patch.) Firewalling the local system

You can use firewall rules as a way to secure the access to your local system and, even, to limit the outbound communications made by it. Firewall rules can also be used to protect processes that cannot be properly configured not to provide services to some networks, IP addresses, etc.

However, this step is presented last in this manual basically because it is much better not to depend solely on firewalling capabilities in order to protect a given system. Security in a system is made up of layers, firewalling should be the last to include, once all services have been hardened. You can easily imagine a setup in which the system is solely protected by a built-in firewall and an administrator blissfully removes the firewall rules for whatever reason (problems with the setup, annoyance, human error...), this system would be wide open to an attack if there were no other hardening in the system to protect from it.

On the other hand, having firewall rules on the local system also prevents some bad things from happening. Even if the services provided are configured securely, a firewall can protect from misconfigurations or from freshly installed services that have not yet been properly configured. Also, a tight outbound configuration will prevent trojans from calling home unless the firewalling code is removed. Note that an intruder does not need superuser access to install a locally running trojan that could be remotely controlled (binding to ports is allowed for unprivileged users as long as the ports are not privileged ports and capabilities have not been removed).

Thus, a proper firewall setup would be one with a default deny policy, that is: incoming connections are allowed only to local services by allowed machines. outgoing connections are only allowed to services used by your system (DNS, web browsing, POP, email...). Unlike personal firewalls in other operating systems, Debian GNU/Linux does not (yet) provide firewall generation interfaces that can make rules limiting them per process or user. However, the iptables code can be configured to do this (see the owner module in the manpage). the forward rule denies everything (unless you are protecting other systems, see below). all other incoming or outgoing connections are denied. Using a firewall to protect other systems

A Debian firewall can also be installed in order to protect, with filtering rules, access to systems behind it, limiting their exposure to the Internet. A firewall can be configured to prevent access from systems outside of the local network to internal services (ports) that are not public. For example, on a mail server, only port 25 (where the mail service is being given) needs to be accessible from the outside. A firewall can be configured to, even if there are other network services besides the public ones running in the mail server, throw away packets (this is known as filtering) directed towards them.

You can even set up a Debian GNU/Linux box as a bridge firewall, i.e. a filtering firewall completely transparent to the network that lacks an IP address and thus cannot be attacked directly. Depending on the kernel you have installed, you might need to install the bridge firewall patch and then go to 802.1d Ethernet Bridging when configuring the kernel and a new option netfilter ( firewalling ) support. See the for more information on how to set this up in a Debian GNU/Linux system. Setting up a firewall

The default Debian installation, unlike other Linux distributions, does not yet provide a way for the administrator to setup a firewall configuration throughout the default installation but you can install a number of firewall configuration packages (see ).

Of course, the configuration of the firewall is always system and network dependent. An administrator must know beforehand the network layout, the systems he wants to protect, the services that need to be accessed, and whether or not other network considerations (like NAT or routing) need to be taken into account. Be careful when configuring your firewall, as Laurence J. Lane says in the iptables package:

The tools can easily be misused, causing enormous amounts of grief by completely crippling network access to a system. It is not terribly uncommon for a remote system administrator to accidentally lock himself out of a system hundreds or thousands of miles away. One can even manage to lock himself out of a computer whose keyboard is under his fingers. Please, use due caution.

Remember this: just installing iptables (or the older firewalling code) does not give you any protection; it just provides the software. In order to have a firewall you need to configure it!

If you do not have a clue on how to set up your firewall rules manually consult the Packet Filtering HOWTO and NAT HOWTO provided by iptables for offline reading at /usr/share/doc/iptables/html/.

If you do not know much about firewalling you should start by reading the , install the doc-linux-text package if you want to read it offline. If you want to ask questions or need help setting up a firewall you can use the debian-firewall mailing list, see . Also see for more (general) pointers on firewalls. Another good iptables tutorial is . Using firewall packages

Setting up a firewall manually can be complicated for novice (and sometimes even expert) administrators. However, the free software community has created a number of tools that can be used to easily configure a local firewall. Be forewarned that some of these tools are oriented more towards local-only protection (also known as a personal firewall) and others are more versatile and can be used to configure complex rules to protect whole networks.

Some software that can be used to set up firewall rules in a Debian system is: For desktop systems: firestarter, a GNOME application oriented towards end-users that includes a wizard useful to quickly setup firewall rules. The application includes a GUI to be able to monitor when a firewall rule blocks traffic. guarddog, a KDE based firewall configuration package oriented both to novice and advanced users. knetfilter, a KDE GUI to manage firewall and NAT rules for iptables (alternative/competitor to the guarddog tool although slightly oriented towards advanced users). fireflier, an interactive tool to create iptables rules based on traffic seen on the system and applications. It has a server-client model so you have to install both the server (fireflier-server) and one of the available clients, with one client available for different desktop environments: fireflier-client-gtk (Gtk+ client), fireflier-client-kde (KDE client) and fireflier-client-qt (QT client). For servers (headless) systems: fwbuilder, an object oriented GUI which includes policy compilers for various firewall platforms including Linux' netfilter, BSD's pf (used in OpenBSD, NetBSD, FreeBSD and MacOS X) as well as router's access-lists. It is similar to enterprise firewall management software. Complete fwbuilder's functionality is also available from the command line. shorewall, a firewall configuration tool which provides support for IPsec as well as limited support for traffic shaping as well as the definition of the firewall rules. Configuration is done through a simple set of files that are used to generate the iptables rules. bastille, this hardening application is described in . One of the hardening steps that the administrator can configure is a definition of the allowed and disallowed network traffic that is used to generate a set of firewall rules that the system will execute on startup.

Lots of other iptables frontends come with Debian; an extensive list comparing the different packages in Debian is maintained at the .

Notice that some of the packages outlined previously will introduce firewalling scripts to be run when the system boots. Test them extensively before rebooting or you might find yourself locked out of the box. If you mix different firewalling packages you can get undesired effects; usually, the firewalling script that runs last will be the one that configures the system (which might not be what you intend). Consult the package documentation and use only one of these setups.

As mentioned before, some programs, like firestarter, guarddog and knetfilter, are administration GUIs using either GNOME or KDE (last two). These applications are much more user-oriented (i.e. for home users) than some of the other packages in the list which might be more administrator-oriented. Some of the programs mentioned before (like bastille) are focused at setting up firewall rules to protect the host they run in but are not necessarily designed to setup firewall rules for firewall hosts that protect a network (like shorewall or fwbuilder).

There is yet another type of firewall application: application proxies. If you are looking into setting up an enterprise-level firewall that does packet filtering and provides a number of transparent proxies that can do fine-grain traffic analysis you should consider using zorp, which provides this in a single program. You can also manually setup this type of firewall host using the proxies available in Debian for different services like for DNS using bind (properly configured), dnsmasq, pdnsd or totd for FTP using frox or ftp-proxy, for X11 using xfwp, for IMAP using imapproxy, for mail using smtpd, or for POP3 using p3scan. For other protocols you can either use a generic TCP proxy like simpleproxy or a generic SOCKS proxy like dante-server, tsocks or socks4-server. Typically, you will also use a web caching system (like squid) and a web filtering system (like squidguard or dansguardian). Manual init.d configuration

Another possibility is to manually configure your firewall rules through an init.d script that will run all the iptables commands. Take the following steps: Review the script below and adapt it to your needs. In particular, note that the remote-management rules use SSH_PORT, which is commented out in the sample: either define it (and remove that port from TCP_SERVICES, as the script's comment says) or drop those rules, otherwise the iptables call is made with an empty --dport and fails (the sample still permits SSH only because port 22 is also listed in TCP_SERVICES). Test the script and review the syslog messages to see which traffic is being dropped. If you are testing from the network you will want to either run the sample shell snippet to remove the firewall (if you don't type anything in 20 seconds) or you might want to comment out the default deny policy definitions (-P INPUT DROP and -P OUTPUT DROP) and check that the system will not drop any legitimate traffic. Move the script to /etc/init.d/myfirewall Configure the system to run the script before any network is configured: #update-rc.d myfirewall start 40 S . stop 89 0 6 .

This is the sample firewall script: #!/bin/sh # Simple example firewall configuration. # # Caveats: # - This configuration applies to all network interfaces # if you want to restrict this to only a given interface use # '-i INTERFACE' in the iptables calls. # - Remote access for TCP/UDP services is granted to any host, # you probably will want to restrict this using '--source'. # # chkconfig: 2345 9 91 # description: Activates/Deactivates the firewall at boot time # # You can test this script before applying with the following shell # snippet, if you do not type anything in 10 seconds the firewall # rules will be cleared. #--------------------------------------------------------------- # while true; do test=""; read -t 20 -p "OK? " test ; \ # [ -z "$test" ] && /etc/init.d/myfirewall clear ; done #--------------------------------------------------------------- PATH=/bin:/sbin:/usr/bin:/usr/sbin # Services that the system will offer to the network TCP_SERVICES="22" # SSH only UDP_SERVICES="" # Services the system will use from the network REMOTE_TCP_SERVICES="80" # web browsing REMOTE_UDP_SERVICES="53" # DNS # Network that will be used for remote mgmt # (if undefined, no rules will be setup) # NETWORK_MGMT=192.168.0.0/24 # Port used for the SSH service, define this is you have setup a # management network but remove it from TCP_SERVICES # SSH_PORT="22" if ! 
[ -x /sbin/iptables ]; then exit 0 fi fw_start () { # Input traffic: /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Services if [ -n "$TCP_SERVICES" ] ; then for PORT in $TCP_SERVICES; do /sbin/iptables -A INPUT -p tcp --dport ${PORT} -j ACCEPT done fi if [ -n "$UDP_SERVICES" ] ; then for PORT in $UDP_SERVICES; do /sbin/iptables -A INPUT -p udp --dport ${PORT} -j ACCEPT done fi # Remote management if [ -n "$NETWORK_MGMT" ] ; then /sbin/iptables -A INPUT -p tcp --src ${NETWORK_MGMT} --dport ${SSH_PORT} -j ACCEPT else /sbin/iptables -A INPUT -p tcp --dport ${SSH_PORT} -j ACCEPT fi # Remote testing /sbin/iptables -A INPUT -p icmp -j ACCEPT /sbin/iptables -A INPUT -i lo -j ACCEPT /sbin/iptables -P INPUT DROP /sbin/iptables -A INPUT -j LOG # Output: /sbin/iptables -A OUTPUT -j ACCEPT -o lo /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # ICMP is permitted: /sbin/iptables -A OUTPUT -p icmp -j ACCEPT # So are security package updates: # Note: You can hardcode the IP address here to prevent DNS spoofing # and to setup the rules even if DNS does not work but then you # will not "see" IP changes for this service: /sbin/iptables -A OUTPUT -p tcp -d security.debian.org --dport 80 -j ACCEPT # As well as the services we have defined: if [ -n "$REMOTE_TCP_SERVICES" ] ; then for PORT in $REMOTE_TCP_SERVICES; do /sbin/iptables -A OUTPUT -p tcp --dport ${PORT} -j ACCEPT done fi if [ -n "$REMOTE_UDP_SERVICES" ] ; then for PORT in $REMOTE_UDP_SERVICES; do /sbin/iptables -A OUTPUT -p udp --dport ${PORT} -j ACCEPT done fi # All other connections are registered in syslog /sbin/iptables -A OUTPUT -j LOG /sbin/iptables -A OUTPUT -j REJECT /sbin/iptables -P OUTPUT DROP # Other network protections # (some will only work with some kernel versions) echo 1 > /proc/sys/net/ipv4/tcp_syncookies echo 0 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts echo 1 > /proc/sys/net/ipv4/conf/all/log_martians echo 1 > 
/proc/sys/net/ipv4/ip_always_defrag echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route } fw_stop () { /sbin/iptables -F /sbin/iptables -t nat -F /sbin/iptables -t mangle -F /sbin/iptables -P INPUT DROP /sbin/iptables -P FORWARD DROP /sbin/iptables -P OUTPUT ACCEPT } fw_clear () { /sbin/iptables -F /sbin/iptables -t nat -F /sbin/iptables -t mangle -F /sbin/iptables -P INPUT ACCEPT /sbin/iptables -P FORWARD ACCEPT /sbin/iptables -P OUTPUT ACCEPT } case "$1" in start|restart) echo -n "Starting firewall.." fw_stop fw_start echo "done." ;; stop) echo -n "Stopping firewall.." fw_stop echo "done." ;; clear) echo -n "Clearing firewall rules.." fw_clear echo "done." ;; *) echo "Usage: $0 {start|stop|restart|clear}" exit 1 ;; esac exit 0

Instead of including all of the iptables rules in the init.d script you can use the iptables-restore program to restore the rules saved using iptables-save. In order to do this you need to set up your rules, save the ruleset under a static location (such as /etc/default/firewall) and have the init.d script load that file with iptables-restore. Configuring firewall rules through ifup

You can also use the network configuration in /etc/network/interfaces to set up your firewall rules. For this you will need to: Create your firewalling ruleset for when the interface is active. Save your ruleset with iptables-save to a file in /etc, for example /etc/iptables.up.rules Configure /etc/network/interfaces to use the configured ruleset: iface eth0 inet static address x.x.x.x [.. interface configuration ..] pre-up iptables-restore < /etc/iptables.up.rules

You can optionally also setup a set of rules to be applied when the network interface is down creating a set of rules, saving it in /etc/iptables.down.rules and adding this directive to the interface configuration: post-down iptables-restore < /etc/iptables.down.rules

For more advanced firewall configuration scripts through ifupdown you can use the hooks available to each interface as in the *.d/ directories called with run-parts (see ). Testing your firewall configuration

Testing your firewall configuration is as easy, and as dangerous, as just running your firewall script (or enabling the configuration you defined in your firewall configuration application). However, if you are not careful enough and you are configuring your firewall remotely (like through an SSH connection) you could lock yourself out.

There are several ways to prevent this. One is running a script in a separate terminal that will remove the firewall configuration if you don't feed it input. An example of this is: $ while true; do test=""; read -t 20 -p "OK? " test ; \ [ -z "$test" ] && /etc/init.d/firewall clear ; done

Another one is to introduce a backdoor in your system through an alternate mechanism that allows you to either clear the firewall rules or punch a hole in them if something goes awry. For this you can use knockd and configure it so that a certain port connection attempt sequence will clear the firewall (or add a temporary rule). Even though the packets will be dropped by the firewall, knockd binds to the interface and still sees them, so you will be able to work around the problem.

Testing a firewall that is protecting an internal network is a different issue, you will want to look at some of the tools used for remote vulnerability assessment (see ) to probe the network from the outside in (or from any other direction) to test the effectiveness of the firewall configuation. harden-doc-3.15.1/howto-source/en/appendix.sgml0000644000000000000000000023242511464363437016252 0ustar The hardening process step by step

Below is a post-installation, step-by-step procedure for hardening a Debian 2.2 GNU/Linux system. This is one possible approach to such a procedure and is oriented toward the hardening of network services. It is included to show the entire process you might use during configuration. Also, see . Install the system, taking into account the information regarding partitioning included earlier in this document. After base installation, go into custom install. Do not select task packages. Select shadow passwords. Using dselect, remove all unneeded but selected packages before doing [I]nstall. Keep the bare minimum of packages for the system. Update all software from the latest packages available at security.debian.org as explained previously in . Implement the suggestions presented in this manual regarding user quotas, login definitions and lilo Make a list of services currently running on your system. Try: $ ps aux $ netstat -pn -l -A inet # /usr/sbin/lsof -i | grep LISTEN You will need to install lsof-2.2 for the third command to work (run it as root). You should be aware that lsof can translate the word LISTEN to your locale settings. In order to remove unnecessary services, first determine what package provides the service and how it is started. This can be accomplished by checking the program that listens in the socket. The following shell script, which uses the programs lsof and dpkg, does just that: #!/bin/sh # FIXME: this is quick and dirty; replace with a more robust script snippet for i in `sudo lsof -i | grep LISTEN | cut -d " " -f 1 |sort -u` ; do pack=`dpkg -S $i |grep bin |cut -f 1 -d : | uniq` echo "Service $i is installed by $pack"; init=`dpkg -L $pack |grep init.d/ ` if [ ! -z "$init" ]; then echo "and is run by $init" fi done Once you find any unwanted services, remove the associated package (with dpkg --purge), or disable the service from starting automatically at boot time using update-rc.d (see ). 
For inetd services (launched by the superdaemon), check which services are enabled in /etc/inetd.conf using: $ grep -v "^#" /etc/inetd.conf | sort -u Then disable those services that are not needed by commenting out the line that includes them in /etc/inetd.conf, removing the package, or using update-inetd. If you have wrapped services (those using /usr/sbin/tcpd), check that the files /etc/hosts.allow and /etc/hosts.deny are configured according to your service policy. If the server uses more than one external interface, depending on the service, you may want to limit the service to listen on a specific interface. For example, if you want internal FTP access only, make the FTP daemon listen only on your management interface, not on all interfaces (i.e, 0.0.0.0:21). Re-boot the machine, or switch to single user mode and then back to multiuser using the commands: # init 1 (....) # init 2 Check the services now available, and, if necessary, repeat the steps above. Now install the needed services, if you have not done so already, and configure them properly. Use the following shell command to determine what user each available service is running as: # for i in `/usr/sbin/lsof -i |grep LISTEN |cut -d " " -f 1 |sort -u`; \ > do user=`ps ef |grep $i |grep -v grep |cut -f 1 -d " "` ; \ > echo "Service $i is running as user $user"; done Consider changing these services to a specific user/group and maybe chroot'ing them for increased security. You can do this by changing the /etc/init.d scripts which start the service. Most services in Debian use start-stop-daemon, which has options (--change-uid and --chroot) for accomplishing this. A word of warning regarding the chroot'ing of services: you may need to put all the files installed by the package (use dpkg -L) providing the service, as well as any packages it depends on, in the chroot'ed environment. Information about setting up a chroot environment for the ssh program can be found in . 
Repeat the steps above in order to check that only desired services are running and that they are running as the desired user/group combination. Test the installed services in order to see if they work as expected. Check the system using a vulnerability assessment scanner (like nessus), in order to determine vulnerabilities in the system (i.e., misconfiguration, old services or unneeded services). Install network and host intrusion measures like snort and logcheck. Repeat the network scanner step and verify that the intrusion detection systems are working correctly.

For the truly paranoid, also consider the following: Add firewalling capabilities to the system, accepting incoming connections only to offered services and limiting outgoing connections only to those that are authorized. Re-check the installation with a new vulnerability assessment using a network scanner. Using a network scanner, check outbound connections from the system to an outside host and verify that unwanted connections do not find their way out.

FIXME: this procedure considers service hardening but not system hardening at the user level, include information regarding checking user permissions, SETUID files and freezing changes in the system using the ext2 file system. Configuration checklist

This appendix briefly reiterates points from other sections in this manual in a condensed checklist format. This is intended as a quick summary for someone who has already read the manual. There are other good checklists available, including Kurt Seifried's and .

FIXME: This is based on v1.4 of the manual and might need to be updated. Limit physical access and booting capabilities Enable a password in the BIOS. Disable floppy/cdrom/... booting in the system's BIOS. Set a LILO or GRUB password (/etc/lilo.conf or /boot/grub/menu.lst, respectively); check that the LILO or GRUB configuration file is read-protected. Partitioning Separate user-writable data, non-system data, and rapidly changing run-time data to their own partitions Set nosuid,noexec,nodev mount options in /etc/fstab on ext2/3 partitions that should not hold binaries such as /home or /tmp. Password hygiene and login security Set a good root password Enable password shadowing and MD5 Install and use PAM Add MD5 support to PAM and make sure that (generally speaking) entries in /etc/pam.d/ files which grant access to the machine have the second field in the pam.d file set to requisite or required. Tweak /etc/pam.d/login so as to only permit local root logins. Also mark authorized tty:s in /etc/security/access.conf and generally set up this file to limit root logins as much as possible. Add pam_limits.so if you want to set per-user limits Tweak /etc/pam.d/passwd: set minimum length of passwords higher (6 characters maybe) and enable MD5 Add group wheel to /etc/group if desired; add pam_wheel.so group=wheel entry to /etc/pam.d/su For custom per-user controls, use pam_listfile.so entries where appropriate Have an /etc/pam.d/other file and set it up with tight security Set up limits in /etc/security/limits.conf (note that /etc/limits is not used if you are using PAM) Tighten up /etc/login.defs; also, if you enabled MD5 and/or PAM, make sure you make the corresponding changes here, too Disable root ftp access in /etc/ftpusers Disable network root login; use or . (consider installing sudo) Use PAM to enforce additional constraints on logins? 
Other local security issues Kernel tweaks (see ) Kernel patches (see ) Tighten up log file permissions (/var/log/{last,fail}log, Apache logs) Verify that SETUID checking is enabled in /etc/checksecurity.conf Consider making some log files append-only and configuration files immutable using chattr (ext2/3 file systems only) Set up file integrity (see ). Install debsums Log everything to a local printer? Burn your configuration on a boot-able CD and boot off that? Disable kernel modules? Limit network access Install and configure ssh (suggest PermitRootLogin No in /etc/ssh/sshd_config, PermitEmptyPasswords No; note other suggestions in text also) Disable or remove in.telnetd, if installed Generally, disable gratuitous services in /etc/inetd.conf using update-inetd --disable (or disable inetd altogether, or use a replacement such as xinetd or rlinetd) Disable other gratuitous network services; ftp, DNS, WWW etc should not be running if you do not need them and monitor them regularly. In most cases mail should be running but configured for local delivery only. For those services which you do need, do not just use the most common programs, look for more secure versions shipped with Debian (or from other sources). Whatever you end up running, make sure you understand the risks. Set up chroot jails for outside users and daemons. Configure firewall and tcpwrappers (i.e. ); note trick for /etc/hosts.deny in text. 
If you run ftp, set up your ftpd server to always run chroot'ed to the user's home directory If you run X, disable xhost authentication and go with ssh instead; better yet, disable remote X if you can (add -nolisten tcp to the X command line and turn off XDMCP in /etc/X11/xdm/xdm-config by setting the requestPort to 0) Disable remote access to printers Tunnel any IMAP or POP sessions through SSL or ssh; install stunnel if you want to provide this service to remote mail users Set up a log host and configure other machines to send logs to this host (/etc/syslog.conf) Secure BIND, Sendmail, and other complex daemons (run in a chroot jail; run as a non-root pseudo-user) Install tiger or a similar network intrusion detection tool. Install snort or a similar network intrusion detection tool. Do without NIS and RPC if you can (disable portmap). Policy issues Educate users about the whys and hows of your policies. When you have prohibited something which is regularly available on other systems, provide documentation which explains how to accomplish similar results using other, more secure means. Prohibit use of protocols which use clear-text passwords (telnet, rsh and friends; ftp, imap, http, ...). Prohibit programs which use SVGAlib. Use disk quotas. Keep informed about security issues Subscribe to security mailing lists Configure apt for security updates -- add to /etc/apt/sources.list an entry (or entries) for http://security.debian.org/ Also remember to periodically run apt-get update ; apt-get upgrade (perhaps install as a cron job?) as explained in . Setting up a stand-alone IDS

You can easily set up a dedicated Debian system as a stand-alone Intrusion Detection System using snort and a web-based interface to analyse the intrusion detection alerts: Install a base Debian system and select no additional packages. Install one of the Snort versions with database support and configure the IDS to log alerts into the database. Download and install BASE (Basic Analysis and Security Engine), or ACID (Analysis Console for Intrusion Databases). Configure it to use the same database as Snort. Download and install the necessary packages. Typically the needed packages will be installed through the dependencies.

BASE is currently packaged for Debian in acidbase and ACID is packaged as acidlab It can also be downloaded from , or . . Both provide a graphical WWW interface to Snort's output.

Besides the base installation you will also need a web server (such as apache), a PHP interpreter and a relational database (such as postgresql or mysql) where Snort will store its alerts.

This system should be set up with at least two interfaces: one interface connected to a management LAN (for accessing the results and maintaining the system), and one interface with no IP address attached to the network segment being analyzed. You should configure the web server to listen only on the interface connected to the management LAN.

You should configure both interfaces in the standard Debian /etc/network/interfaces configuration file. One (the management LAN) address can be configured as you would normally do. The other interface needs to be configured so that it is started up when the system boots, but with no interface address. You can use the following interface definition: auto eth0 iface eth0 inet manual up ifconfig $IFACE 0.0.0.0 up up ip link set $IFACE promisc on down ip link set $IFACE promisc off down ifconfig $IFACE down

The above configures an interface to read all the traffic on the network in a stealth-type configuration. This prevents the NIDS system from being a direct target in a hostile network, since the sensors have no IP address on the network. Notice, however, that there have been known bugs over time in the sensor components of NIDS (for example see related to Snort), and remote buffer overflows might even be triggered by network packet processing.

You might also want to read the and the documentation available at the . Setting up a bridge firewall

This information was contributed by Francois Bayart in order to help users set up a Linux bridge/firewall with the 2.4.x kernel and iptables. Kernel patches are no longer needed, as the code was made a standard part of the Linux kernel distribution.

To configure the kernel with necessary support, run make menuconfig or make xconfig. In the section Networking options, enable the following options: [*] Network packet filtering (replaces ipchains) [ ] Network packet filtering debugging (NEW) <*> 802.1d Ethernet Bridging [*] netfilter (firewalling) support (NEW)

Caution: you must disable this if you want to apply some firewalling rules or else iptables will not work: [ ] Network packet filtering debugging (NEW)

Next, add the correct options in the section IP: Netfilter Configuration. Then, compile and install the kernel. If you want to do it the Debian way, install kernel-package and run make-kpkg to create a custom Debian kernel package you can install on your server using dpkg. Once the new kernel is compiled and installed, install the bridge-utils package.

Once these steps are complete, you can complete the configuration of your bridge. The next section presents two different possible configurations for the bridge, each with a hypothetical network map and the necessary commands. A bridge providing NAT and firewall capabilities

The first configuration uses the bridge as a firewall with network address translation (NAT) that protects a server and internal LAN clients. A diagram of the network configuration is shown below: Internet ---- router ( 62.3.3.25 ) ---- bridge (62.3.3.26 gw 62.3.3.25 / 192.168.0.1) | | |---- WWW Server (62.3.3.27 gw 62.3.3.25) | | LAN --- Zipowz (192.168.0.2 gw 192.168.0.1)

The following commands show how this bridge can be configured. # Create the interface br0 /usr/sbin/brctl addbr br0 # Add the Ethernet interface to use with the bridge /usr/sbin/brctl addif br0 eth0 /usr/sbin/brctl addif br0 eth1 # Start up the Ethernet interface /sbin/ifconfig eth0 0.0.0.0 /sbin/ifconfig eth1 0.0.0.0 # Configure the bridge ethernet # The bridge will be correct and invisible ( transparent firewall ). # It's hidden in a traceroute and you keep your real gateway on the # other computers. Now if you want you can config a gateway on your # bridge and choose it as your new gateway for the other computers. /sbin/ifconfig br0 62.3.3.26 netmask 255.255.255.248 broadcast 62.3.3.31 # I have added this internal IP to create my NAT ip addr add 192.168.0.1/24 dev br0 /sbin/route add default gw 62.3.3.25 A bridge providing firewall capabilities

A second possible configuration is a system that is set up as a transparent firewall for a LAN with a public IP address space. Internet ---- router (62.3.3.25) ---- bridge (62.3.3.26) | | |---- WWW Server (62.3.3.28 gw 62.3.3.25) | | |---- Mail Server (62.3.3.27 gw 62.3.3.25)

The following commands show how this bridge can be configured. # Create the interface br0 /usr/sbin/brctl addbr br0 # Add the Ethernet interface to use with the bridge /usr/sbin/brctl addif br0 eth0 /usr/sbin/brctl addif br0 eth1 # Start up the Ethernet interface /sbin/ifconfig eth0 0.0.0.0 /sbin/ifconfig eth1 0.0.0.0 # Configure the bridge Ethernet # The bridge will be correct and invisible ( transparent firewall ). # It's hidden in a traceroute and you keep your real gateway on the # other computers. Now if you want you can config a gateway on your # bridge and choose it as your new gateway for the other computers. /sbin/ifconfig br0 62.3.3.26 netmask 255.255.255.248 broadcast 62.3.3.31

If you traceroute the Linux Mail Server, you won't see the bridge. If you want access to the bridge with ssh, you must have a gateway or you must first connect to another server, such as the "Mail Server", and then connect to the bridge through the internal network card.

Basic IPtables rules

This is an example of the basic rules that could be used for either of these setups. iptables -F FORWARD iptables -P FORWARD DROP iptables -A FORWARD -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -m state --state INVALID -j DROP iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # Some funny rules but not in a classic Iptables sorry ... # Limit ICMP # iptables -A FORWARD -p icmp -m limit --limit 4/s -j ACCEPT # Match string, a good simple method to block some VIRUS very quickly # iptables -I FORWARD -j DROP -p tcp -s 0.0.0.0/0 -m string --string "cmd.exe" # Block all MySQL connection just to be sure iptables -A FORWARD -p tcp -s 0/0 -d 62.3.3.0/24 --dport 3306 -j DROP # Linux Mail Server Rules # Allow FTP-DATA (20), FTP (21), SSH (22) iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.27/32 --dport 20:22 -j ACCEPT # Allow the Mail Server to connect to the outside # Note: This is *not* needed for the previous connections # (remember: stateful filtering) and could be removed. iptables -A FORWARD -p tcp -s 62.3.3.27/32 -d 0/0 -j ACCEPT # WWW Server Rules # Allow HTTP ( 80 ) connections with the WWW server iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.28/32 --dport 80 -j ACCEPT # Allow HTTPS ( 443 ) connections with the WWW server iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.28/32 --dport 443 -j ACCEPT # Allow the WWW server to go out # Note: This is *not* needed for the previous connections # (remember: stateful filtering) and could be removed. iptables -A FORWARD -p tcp -s 62.3.3.28/32 -d 0/0 -j ACCEPT Sample script to change the default Bind installation.

This script automates the procedure for changing the bind version 8 name server's default installation so that it does not run as the superuser. Notice that bind version 9 in Debian already does this by default (since version 9.2.1-5, that is, since Debian release sarge), and you are much better off using that version than bind version 8.

This script is here for historical purposes and to show how you can automate this kind of change system-wide. The script will create the user and group defined for the name server and will modify both /etc/default/bind and /etc/init.d/bind so that the program will run as that user. Use it with extreme care, since it has not been tested thoroughly.

You can also create the users manually and use the patch available for the default init.d script attached to . #!/bin/sh # Change the default Debian bind v8 configuration to have it run # with a non-root user and group. # # DO NOT USER this with version 9, use debconf for configure this instead # # WARN: This script has not been tested thoroughly, please # verify the changes made to the INITD script # (c) 2002 Javier Fernández-Sanguino Peña # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 1, or (at your option) # any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # Please see the file `COPYING' for the complete copyright notice. # restore() { # Just in case, restore the system if the changes fail echo "WARN: Restoring to the previous setup since I'm unable to properly change it." echo "WARN: Please check the $INITDERR script." mv $INITD $INITDERR cp $INITDBAK $INITD } USER=named GROUP=named INITD=/etc/init.d/bind DEFAULT=/etc/default/bind INITDBAK=$INITD.preuserchange INITDERR=$INITD.changeerror AWKS="awk ' /\/usr\/sbin\/ndc reload/ { print \"stop; sleep 2; start;\"; noprint = 1; } /\\\\$/ { if ( noprint != 0 ) { noprint = noprint + 1;} } /^.*$/ { if ( noprint != 0 ) { noprint = noprint - 1; } else { print \$0; } } '" [ `id -u` -ne 0 ] && { echo "This program must be run by the root user" exit 1 } RUNUSER=`ps eo user,fname |grep named |cut -f 1 -d " "` if [ "$RUNUSER" = "$USER" ] then echo "WARN: The name server running daemon is already running as $USER" echo "ERR: This script will not do any changes to your setup." exit 1 fi if [ ! 
-f "$INITD" ] then echo "ERR: This system does not have $INITD (which this script tries to change)" RUNNING=`ps eo fname |grep named` [ -z "$RUNNING" ] && \ echo "ERR: In fact the name server daemon is not even running (is it installed?)" echo "ERR: No changes will be made to your system" exit 1 fi # Check if there are options already setup if [ -e "$DEFAULT" ] then if grep -q ^OPTIONS $DEFAULT; then echo "ERR: The $DEFAULT file already has options set." echo "ERR: No changes will be made to your system" fi fi # Check if named group exists if [ -z "`grep $GROUP /etc/group`" ] then echo "Creating group $GROUP:" addgroup $GROUP else echo "WARN: Group $GROUP already exists. Will not create it" fi # Same for the user if [ -z "`grep $USER /etc/passwd`" ] then echo "Creating user $USER:" adduser --system --home /home/$USER \ --no-create-home --ingroup $GROUP \ --disabled-password --disabled-login $USER else echo "WARN: The user $USER already exists. Will not create it" fi # Change the init.d script # First make a backup (check that there is not already # one there first) if [ ! -f $INITDBAK ] then cp $INITD $INITDBAK fi # Then use it to change it cat $INITDBAK | eval $AWKS > $INITD # Now put the options in the /etc/default/bind file: cat >>$DEFAULT <<EOF # Make bind run with the user we defined OPTIONS="-u $USER -g $GROUP" EOF echo "WARN: The script $INITD has been changed, trying to test the changes." echo "Restarting the named daemon (check for errors here)." $INITD restart if [ $? -ne 0 ] then echo "ERR: Failed to restart the daemon." restore exit 1 fi RUNNING=`ps eo fname |grep named` if [ -z "$RUNNING" ] then echo "ERR: Named is not running, probably due to a problem with the changes." restore exit 1 fi # Check if it's running as expected RUNUSER=`ps eo user,fname |grep named |cut -f 1 -d " "` if [ "$RUNUSER" = "$USER" ] then echo "All has gone well, named seems to be running now as $USER." else echo "ERR: The script failed to automatically change the system." 
echo "ERR: Named is currently running as $RUNUSER." restore exit 1 fi exit 0

The previous script, run on Woody's (Debian 3.0) custom bind (version 8), will modify the initd file after creating the 'named' user and group and will Security update protected by a firewall

After a standard installation, a system may still have some security vulnerabilities. Unless you can download updates for the vulnerable packages on another system (or you have mirrored security.debian.org for local use), the system will have to be connected to the Internet for the downloads.

However, as soon as you connect to the Internet you are exposing this system. If one of your local services is vulnerable, you might be compromised even before the update is finished! This may seem paranoid but, in fact, analysis from the has shown that systems can be compromised in less than three days, even if the system is not publicly known (i.e., not published in DNS records).

When doing an update on a system not protected by an external system like a firewall, it is possible to properly configure your local firewall to restrict connections involving only the security update itself. The example below shows how to set up such local firewall capabilities, which allow connections from security.debian.org only, logging all others.

The following example can be used to set up a restricted firewall ruleset. Run these commands from a local console (not a remote one) to reduce the chances of locking yourself out of the system. # iptables -F # iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination # iptables -A OUTPUT -d security.debian.org --dport 80 -j ACCEPT # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # iptables -A INPUT -p icmp -j ACCEPT # iptables -A INPUT -j LOG # iptables -A OUTPUT -j LOG # iptables -P INPUT DROP # iptables -P FORWARD DROP # iptables -P OUTPUT DROP # iptables -L Chain INPUT (policy DROP) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 LOG all -- anywhere anywhere LOG level warning Chain FORWARD (policy DROP) target prot opt source destination Chain OUTPUT (policy DROP) target prot opt source destination ACCEPT 80 -- anywhere security.debian.org LOG all -- anywhere anywhere LOG level warning

Note: Using a DROP policy in the INPUT chain is the most correct thing to do, but be very careful when doing this after flushing the chain from a remote connection. When testing firewall rulesets from a remote location it is best if you run a script with the firewall ruleset (instead of introducing the ruleset line by line through the command line) and, as a precaution, keep a backdoorSuch as knockd. Alternatively, you can open a different console and have the system ask for confirmation that there is somebody on the other side, and reset the firewall chain if no confirmation is given. The following test script could be of use: #!/bin/bash while true; do read -n 1 -p "Are you there? " -t 30 ayt if [ -z "$ayt" ] ; then break fi done # Reset the firewall chain, user is not available echo echo "Resetting firewall chain!" iptables -F iptables -P INPUT ACCEPT iptables -P FORWARD ACCEPT iptables -P OUTPUT ACCEPT exit 1

Of course, you should disable any backdoors before getting the system into production. configured so that you can re-enable access to the system if you make a mistake. That way there would be no need to go to a remote location to fix a firewall ruleset that blocks you.

FIXME: This needs DNS to be working properly since it is required for security.debian.org to work. You can add security.debian.org to /etc/hosts but now it is a CNAME to several hosts (there is more than one security mirror)

FIXME: this will only work with HTTP URLs since ftp might need the ip_conntrack_ftp module, or use passive mode. Chroot environment for SSH

Creating a restricted environment for SSH is a tough job due to its dependencies and the fact that, unlike other servers, SSH provides a remote shell to users. Thus, you will also have to consider the applications users will be allowed to use in the environment.

You have two options to set up a restricted remote shell: Chrooting the ssh users: by properly configuring the ssh daemon you can ask it to chroot a user after authentication, just before it is provided with a shell. Each user can have their own environment. Chrooting the ssh server: since you chroot the ssh application itself, all users are chrooted to the defined environment.

The first option has the advantage of making it possible to have both non-chrooted and chrooted users; if you don't introduce any setuid application in the users' chroots, it is more difficult to break out of them. However, you might need to set up individual chroots for each user, and it is more difficult to set up (as it requires cooperation from the SSH server). The second option is easier to set up, and protects against an exploitation of the ssh server itself (since it's also in the chroot), but it has the limitation that all users will share the same chroot environment (you cannot set up a per-user chroot environment). Chrooting the ssh users

You can setup the ssh server so that it will chroot a set of defined users into a shell with a limited set of applications available. Using libpam-chroot

Probably the easiest way is to use the libpam-chroot package provided in Debian. Once you install it you need to: Modify /etc/pam.d/ssh to use this PAM module, add as its last line

You can use the debug option to have it send the progress of the module to the authpriv.notice facility

: session required pam_chroot.so set a proper chroot environment for the user. You can try using the scripts available at /usr/share/doc/libpam-chroot/examples/, use the makejail

You can create a very limited bash environment with the following python definition for makejail, just create the directory /var/chroots/users/foo and a file with the following contents and call it bash.py: chroot="/var/chroots/users/foo" cleanJailFirst=1 testCommandsInsideJail=["bash ls"]

And then run makejail bash.py to create the user environment at /var/chroots/users/foo. To test the environment run: # chroot /var/chroots/users/foo/ ls bin dev etc lib proc sbin usr

program or setup a minimum Debian environment with debootstrap. Make sure the environment includes the needed devices

On some occasions you might need the /dev/ptmx and /dev/pty* devices and the /dev/pts/ subdirectory. Running MAKEDEV in the /dev directory of the chrooted environment should be sufficient to create them if they do not exist. If you are using a kernel (version 2.6) which dynamically creates device files, you will need to create the /dev/pts/ files yourself and grant them the proper permissions.

. Configure /etc/security/chroot.conf so that the users you determine are chrooted to the directory you set up previously. You might want to have independent directories for different users so that they will be able to see neither the whole system nor each other's. Configure SSH: Depending on your OpenSSH version the chroot environment might work straight out of the box or not. Since 3.6.1p2 the do_pam_session() function is called after sshd has dropped privileges; since chroot() needs root privileges it will not work with Privilege separation on. In newer OpenSSH versions, however, the PAM code has been modified and do_pam_session is called before dropping privileges, so it will work even with Privilege separation on. If you have to disable it, modify /etc/ssh/sshd_config like this: UsePrivilegeSeparation no

Notice that this will lower the security of your system since the OpenSSH server will then run as root user. This means that if a remote attack is found against OpenSSH an attacker will get root privileges instead of sshd, thus compromising the whole system. If you are using a kernel that implements Mandatory Access Control (RSBAC/SElinux) you can avoid changing this configuration just by granting the sshd user privileges to make the chroot() system call.

If you don't disable Privilege Separation you will need an /etc/passwd which includes the user's UID inside the chroot for Privilege Separation to work properly.

If you have Privilege Separation set to yes and your OpenSSH version does not behave properly you will need to disable it. If you don't, users that try to connect to your server and would be chrooted by this module will see this: $ ssh -l user server user@server's password: Connection to server closed by remote host. Connection to server closed.

This is because the ssh daemon, which is running as 'sshd', is not able to make the chroot() system call. To disable Privilege separation you have to modify the /etc/ssh/sshd_config configuration file as described above.

Notice that if any of the following is missing the users will not be able to log on to the chroot: The /proc filesystem needs to be mounted in the users' chroot. The necessary /dev/pts/ devices need to exist. If the files are generated automatically by your running kernel, then you have to manually create them in the chroot's /dev/. The user's home directory has to exist in the chroot, otherwise the ssh daemon will not continue.

You can debug all these issues if you use the debug keyword in the /etc/pam.d/ssh PAM definition. If you encounter issues you might find it useful to enable the debugging mode on the ssh client too.

Note: This information is also available (and maybe more up to date) in /usr/share/doc/libpam-chroot/README.Debian.gz, please review it for updated information before taking the above steps. Patching the ssh server

Debian's sshd does not allow restriction of a user's movement through the server, since it lacks the chroot function that the commercial program sshd2 includes (using 'ChrootGroups' or 'ChrootUsers', see ). However, there is a patch available to add this functionality available from (requested and available in in Debian). The patch may be included in future releases of the OpenSSH package. Emmanuel Lacour has ssh deb packages for sarge with this feature. They are available at . Notice that those might not be up to date so completing the compilation step is recommended.

After applying the patch, modify /etc/passwd by changing the home path of the users (with the special /./ token): joeuser:x:1099:1099:Joe Random User:/home/joe/./:/bin/bash

This will restrict both remote shell access, as well as remote copy through the ssh channel.

Make sure to have all the needed binaries and libraries in the chroot'ed path for users. These files should be owned by root to avoid tampering by the user (so as to exit the chroot'ed jailed). A sample might include: ./bin: total 660 drwxr-xr-x 2 root root 4096 Mar 18 13:36 . drwxr-xr-x 8 guest guest 4096 Mar 15 16:53 .. -r-xr-xr-x 1 root root 531160 Feb 6 22:36 bash -r-xr-xr-x 1 root root 43916 Nov 29 13:19 ls -r-xr-xr-x 1 root root 16684 Nov 29 13:19 mkdir -rwxr-xr-x 1 root root 23960 Mar 18 13:36 more -r-xr-xr-x 1 root root 9916 Jul 26 2001 pwd -r-xr-xr-x 1 root root 24780 Nov 29 13:19 rm lrwxrwxrwx 1 root root 4 Mar 30 16:29 sh -> bash ./etc: total 24 drwxr-xr-x 2 root root 4096 Mar 15 16:13 . drwxr-xr-x 8 guest guest 4096 Mar 15 16:53 .. -rw-r--r-- 1 root root 54 Mar 15 13:23 group -rw-r--r-- 1 root root 428 Mar 15 15:56 hosts -rw-r--r-- 1 root root 44 Mar 15 15:53 passwd -rw-r--r-- 1 root root 52 Mar 15 13:23 shells ./lib: total 1848 drwxr-xr-x 2 root root 4096 Mar 18 13:37 . drwxr-xr-x 8 guest guest 4096 Mar 15 16:53 .. -rwxr-xr-x 1 root root 92511 Mar 15 12:49 ld-linux.so.2 -rwxr-xr-x 1 root root 1170812 Mar 15 12:49 libc.so.6 -rw-r--r-- 1 root root 20900 Mar 15 13:01 libcrypt.so.1 -rw-r--r-- 1 root root 9436 Mar 15 12:49 libdl.so.2 -rw-r--r-- 1 root root 248132 Mar 15 12:48 libncurses.so.5 -rw-r--r-- 1 root root 71332 Mar 15 13:00 libnsl.so.1 -rw-r--r-- 1 root root 34144 Mar 15 16:10 libnss_files.so.2 -rw-r--r-- 1 root root 29420 Mar 15 12:57 libpam.so.0 -rw-r--r-- 1 root root 105498 Mar 15 12:51 libpthread.so.0 -rw-r--r-- 1 root root 25596 Mar 15 12:51 librt.so.1 -rw-r--r-- 1 root root 7760 Mar 15 12:59 libutil.so.1 -rw-r--r-- 1 root root 24328 Mar 15 12:57 libwrap.so.0 ./usr: total 16 drwxr-xr-x 4 root root 4096 Mar 15 13:00 . drwxr-xr-x 8 guest guest 4096 Mar 15 16:53 .. drwxr-xr-x 2 root root 4096 Mar 15 15:55 bin drwxr-xr-x 2 root root 4096 Mar 15 15:37 lib ./usr/bin: total 340 drwxr-xr-x 2 root root 4096 Mar 15 15:55 . 
drwxr-xr-x 4 root root 4096 Mar 15 13:00 .. -rwxr-xr-x 1 root root 10332 Mar 15 15:55 env -rwxr-xr-x 1 root root 13052 Mar 15 13:13 id -r-xr-xr-x 1 root root 25432 Mar 15 12:40 scp -rwxr-xr-x 1 root root 43768 Mar 15 15:15 sftp -r-sr-xr-x 1 root root 218456 Mar 15 12:40 ssh -rwxr-xr-x 1 root root 9692 Mar 15 13:17 tty ./usr/lib: total 852 drwxr-xr-x 2 root root 4096 Mar 15 15:37 . drwxr-xr-x 4 root root 4096 Mar 15 13:00 .. -rw-r--r-- 1 root root 771088 Mar 15 13:01 libcrypto.so.0.9.6 -rw-r--r-- 1 root root 54548 Mar 15 13:00 libz.so.1 -rwxr-xr-x 1 root root 23096 Mar 15 15:37 sftp-server Chrooting the ssh server

If you create a chroot which includes the SSH server files in, for example /var/chroot/ssh, you would start the ssh server chroot'ed with this command: # chroot /var/chroot/ssh /sbin/sshd -f /etc/sshd_config

That would start up the sshd daemon inside the chroot. In order to do that you have to first prepare the contents of the /var/chroot/ssh directory so that it includes both the SSH server and all the utilities that the users connecting to that server might need. If you are doing this you should make certain that OpenSSH uses Privilege Separation (which is the default) by having the following line in the configuration file /etc/ssh/sshd_config: UsePrivilegeSeparation yes

That way the remote daemon will do as few things as possible as the root user so even if there is a bug in it it will not compromise the chroot. Notice that, unlike the case in which you setup a per-user chroot, the ssh daemon is running in the same chroot as the users so there is at least one potential process running as root which could break out of the chroot.

Notice, also, that in order for SSH to work in that location, the partition where the chroot directory resides cannot be mounted with the nodev option. If you use that option, then you will get the following error: PRNG is not seeded, because /dev/urandom does not work in the chroot. Setup a minimal system (the really easy way)

You can use debootstrap to set up a minimal environment that just includes the ssh server. In order to do this you just have to create a chroot as described in the document. This method is bound to work (you will get all the necessary components for the chroot) but at the cost of disk space (a minimal installation of Debian will amount to several hundred megabytes). This minimal system might also include setuid files that a user in the chroot could use to break out of the chroot if any of those could be used for a privilege escalation. Automatically making the environment (the easy way)

You can easily create a restricted environment with the makejail package, since it automatically takes care of tracing the server daemon (with strace), and makes it run under the restricted environment.

The advantage of programs that automatically generate chroot environments is that they are capable of copying any package to the chroot environment (even following the package's dependencies and making sure it's complete). Thus, providing user applications is easier.

To set up the environment using makejail's provided examples, just create /var/chroot/sshd and use the command: # makejail /usr/share/doc/makejail/examples/sshd.py

This will setup the chroot in the /var/chroot/sshd directory. Notice that this chroot will not fully work unless you:

Mount the procfs filesystem in /var/chroot/sshd/proc. Makejail will mount it for you but if the system reboots you need to remount it running: # mount -t proc proc /var/chroot/sshd/proc

You can also have it mounted automatically by editing /etc/fstab and including this line: proc-ssh /var/chroot/sshd/proc proc none 0 0 Have syslog listen to the device /dev/log inside the chroot. In order to do this you have to modify /etc/default/syslogd and add -a /var/chroot/sshd/dev/log to the SYSLOGD variable definition.

Read the sample file to see what other changes need to be made to the environment. Some of these changes, such as copying user's home directories, cannot be done automatically. Also, limit the exposure of sensitive information by only copying the data from a given number of users from the files /etc/shadow or /etc/group. Notice that if you are using Privilege Separation the sshd user needs to exist in those files.

The following sample environment has been (slightly) tested in Debian 3.0 and is built with the configuration file provided in the package and includes the fileutils package: . |-- bin | |-- ash | |-- bash | |-- chgrp | |-- chmod | |-- chown | |-- cp | |-- csh -> /etc/alternatives/csh | |-- dd | |-- df | |-- dir | |-- fdflush | |-- ksh | |-- ln | |-- ls | |-- mkdir | |-- mknod | |-- mv | |-- rbash -> bash | |-- rm | |-- rmdir | |-- sh -> bash | |-- sync | |-- tcsh | |-- touch | |-- vdir | |-- zsh -> /etc/alternatives/zsh | `-- zsh4 |-- dev | |-- null | |-- ptmx | |-- pts | |-- ptya0 (...) | |-- tty | |-- tty0 (...) | `-- urandom |-- etc | |-- alternatives | | |-- csh -> /bin/tcsh | | `-- zsh -> /bin/zsh4 | |-- environment | |-- hosts | |-- hosts.allow | |-- hosts.deny | |-- ld.so.conf | |-- localtime -> /usr/share/zoneinfo/Europe/Madrid | |-- motd | |-- nsswitch.conf | |-- pam.conf | |-- pam.d | | |-- other | | `-- ssh | |-- passwd | |-- resolv.conf | |-- security | | |-- access.conf | | |-- chroot.conf | | |-- group.conf | | |-- limits.conf | | |-- pam_env.conf | | `-- time.conf | |-- shadow | |-- shells | `-- ssh | |-- moduli | |-- ssh_host_dsa_key | |-- ssh_host_dsa_key.pub | |-- ssh_host_rsa_key | |-- ssh_host_rsa_key.pub | `-- sshd_config |-- home | `-- userX |-- lib | |-- ld-2.2.5.so | |-- ld-linux.so.2 -> ld-2.2.5.so | |-- libc-2.2.5.so | |-- libc.so.6 -> libc-2.2.5.so | |-- libcap.so.1 -> libcap.so.1.10 | |-- libcap.so.1.10 | |-- libcrypt-2.2.5.so | |-- libcrypt.so.1 -> libcrypt-2.2.5.so | |-- libdl-2.2.5.so | |-- libdl.so.2 -> libdl-2.2.5.so | |-- libm-2.2.5.so | |-- libm.so.6 -> libm-2.2.5.so | |-- libncurses.so.5 -> libncurses.so.5.2 | |-- libncurses.so.5.2 | |-- libnsl-2.2.5.so | |-- libnsl.so.1 -> libnsl-2.2.5.so | |-- libnss_compat-2.2.5.so | |-- libnss_compat.so.2 -> libnss_compat-2.2.5.so | |-- libnss_db-2.2.so | |-- libnss_db.so.2 -> libnss_db-2.2.so | |-- libnss_dns-2.2.5.so | |-- libnss_dns.so.2 -> libnss_dns-2.2.5.so | |-- libnss_files-2.2.5.so 
| |-- libnss_files.so.2 -> libnss_files-2.2.5.so | |-- libnss_hesiod-2.2.5.so | |-- libnss_hesiod.so.2 -> libnss_hesiod-2.2.5.so | |-- libnss_nis-2.2.5.so | |-- libnss_nis.so.2 -> libnss_nis-2.2.5.so | |-- libnss_nisplus-2.2.5.so | |-- libnss_nisplus.so.2 -> libnss_nisplus-2.2.5.so | |-- libpam.so.0 -> libpam.so.0.72 | |-- libpam.so.0.72 | |-- libpthread-0.9.so | |-- libpthread.so.0 -> libpthread-0.9.so | |-- libresolv-2.2.5.so | |-- libresolv.so.2 -> libresolv-2.2.5.so | |-- librt-2.2.5.so | |-- librt.so.1 -> librt-2.2.5.so | |-- libutil-2.2.5.so | |-- libutil.so.1 -> libutil-2.2.5.so | |-- libwrap.so.0 -> libwrap.so.0.7.6 | |-- libwrap.so.0.7.6 | `-- security | |-- pam_access.so | |-- pam_chroot.so | |-- pam_deny.so | |-- pam_env.so | |-- pam_filter.so | |-- pam_ftp.so | |-- pam_group.so | |-- pam_issue.so | |-- pam_lastlog.so | |-- pam_limits.so | |-- pam_listfile.so | |-- pam_mail.so | |-- pam_mkhomedir.so | |-- pam_motd.so | |-- pam_nologin.so | |-- pam_permit.so | |-- pam_rhosts_auth.so | |-- pam_rootok.so | |-- pam_securetty.so | |-- pam_shells.so | |-- pam_stress.so | |-- pam_tally.so | |-- pam_time.so | |-- pam_unix.so | |-- pam_unix_acct.so -> pam_unix.so | |-- pam_unix_auth.so -> pam_unix.so | |-- pam_unix_passwd.so -> pam_unix.so | |-- pam_unix_session.so -> pam_unix.so | |-- pam_userdb.so | |-- pam_warn.so | `-- pam_wheel.so |-- sbin | `-- start-stop-daemon |-- usr | |-- bin | | |-- dircolors | | |-- du | | |-- install | | |-- link | | |-- mkfifo | | |-- shred | | |-- touch -> /bin/touch | | `-- unlink | |-- lib | | |-- libcrypto.so.0.9.6 | | |-- libdb3.so.3 -> libdb3.so.3.0.2 | | |-- libdb3.so.3.0.2 | | |-- libz.so.1 -> libz.so.1.1.4 | | `-- libz.so.1.1.4 | |-- sbin | | `-- sshd | `-- share | |-- locale | | `-- es | | |-- LC_MESSAGES | | | |-- fileutils.mo | | | |-- libc.mo | | | `-- sh-utils.mo | | `-- LC_TIME -> LC_MESSAGES | `-- zoneinfo | `-- Europe | `-- Madrid `-- var `-- run |-- sshd `-- sshd.pid 27 directories, 733 files

For Debian release 3.1 you have to make sure that the environment also includes the common files for PAM. The following files need to be copied over to the chroot if makejail did not do it for you: $ ls /etc/pam.d/common-* /etc/pam.d/common-account /etc/pam.d/common-password /etc/pam.d/common-auth /etc/pam.d/common-session

Manually creating the environment (the hard way)

It is possible to create an environment, using a trial-and-error method, by monitoring the sshd server traces and log files in order to determine the necessary files. The following environment, contributed by José Luis Ledesma, is a sample listing of files in a chroot environment for ssh in Debian woody (3.0): Notice that there are no SETUID files, with one exception: the ssh and slogin client binaries in ./bin appear in the listing below as setuid root (-rws--x--x). The setuid bit on the ssh client only serves the old rhosts-based authentication methods, so unless users inside the jail need those, remove it (chmod u-s) or leave the client out of the jail altogether. Keeping the jail free of setuid binaries makes it more difficult for remote users to escape the chroot environment. However, it also prevents users from changing their passwords, since the passwd program cannot modify the files /etc/passwd or /etc/shadow. .: total 36 drwxr-xr-x 9 root root 4096 Jun 5 10:05 ./ drwxr-xr-x 11 root root 4096 Jun 3 13:43 ../ drwxr-xr-x 2 root root 4096 Jun 4 12:13 bin/ drwxr-xr-x 2 root root 4096 Jun 4 12:16 dev/ drwxr-xr-x 4 root root 4096 Jun 4 12:35 etc/ drwxr-xr-x 3 root root 4096 Jun 4 12:13 lib/ drwxr-xr-x 2 root root 4096 Jun 4 12:35 sbin/ drwxr-xr-x 2 root root 4096 Jun 4 12:32 tmp/ drwxr-xr-x 2 root root 4096 Jun 4 12:16 usr/ ./bin: total 8368 drwxr-xr-x 2 root root 4096 Jun 4 12:13 ./ drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../ -rwxr-xr-x 1 root root 109855 Jun 3 13:45 a2p* -rwxr-xr-x 1 root root 387764 Jun 3 13:45 bash* -rwxr-xr-x 1 root root 36365 Jun 3 13:45 c2ph* -rwxr-xr-x 1 root root 20629 Jun 3 13:45 dprofpp* -rwxr-xr-x 1 root root 6956 Jun 3 13:46 env* -rwxr-xr-x 1 root root 158116 Jun 3 13:45 fax2ps* -rwxr-xr-x 1 root root 104008 Jun 3 13:45 faxalter* -rwxr-xr-x 1 root root 89340 Jun 3 13:45 faxcover* -rwxr-xr-x 1 root root 441584 Jun 3 13:45 faxmail* -rwxr-xr-x 1 root root 96036 Jun 3 13:45 faxrm* -rwxr-xr-x 1 root root 107000 Jun 3 13:45 faxstat* -rwxr-xr-x 1 root root 77832 Jun 4 11:46 grep* -rwxr-xr-x 1 root root 19597 Jun 3 13:45 h2ph* -rwxr-xr-x 1 root root 46979 Jun 3 13:45 h2xs* -rwxr-xr-x 1 root root 10420 Jun 3 13:46 id* -rwxr-xr-x 1 root root 4528 Jun 3 13:46 ldd* -rwxr-xr-x 1 root root 111386 Jun 4 11:46 less* -r-xr-xr-x 1 root root 26168 Jun 3 13:45 login* -rwxr-xr-x 1 root root 49164 Jun 3 13:45 
ls* -rwxr-xr-x 1 root root 11600 Jun 3 13:45 mkdir* -rwxr-xr-x 1 root root 24780 Jun 3 13:45 more* -rwxr-xr-x 1 root root 154980 Jun 3 13:45 pal2rgb* -rwxr-xr-x 1 root root 27920 Jun 3 13:46 passwd* -rwxr-xr-x 1 root root 4241 Jun 3 13:45 pl2pm* -rwxr-xr-x 1 root root 2350 Jun 3 13:45 pod2html* -rwxr-xr-x 1 root root 7875 Jun 3 13:45 pod2latex* -rwxr-xr-x 1 root root 17587 Jun 3 13:45 pod2man* -rwxr-xr-x 1 root root 6877 Jun 3 13:45 pod2text* -rwxr-xr-x 1 root root 3300 Jun 3 13:45 pod2usage* -rwxr-xr-x 1 root root 3341 Jun 3 13:45 podchecker* -rwxr-xr-x 1 root root 2483 Jun 3 13:45 podselect* -r-xr-xr-x 1 root root 82412 Jun 4 11:46 ps* -rwxr-xr-x 1 root root 36365 Jun 3 13:45 pstruct* -rwxr-xr-x 1 root root 7120 Jun 3 13:45 pwd* -rwxr-xr-x 1 root root 179884 Jun 3 13:45 rgb2ycbcr* -rwxr-xr-x 1 root root 20532 Jun 3 13:45 rm* -rwxr-xr-x 1 root root 6720 Jun 4 10:15 rmdir* -rwxr-xr-x 1 root root 14705 Jun 3 13:45 s2p* -rwxr-xr-x 1 root root 28764 Jun 3 13:46 scp* -rwxr-xr-x 1 root root 385000 Jun 3 13:45 sendfax* -rwxr-xr-x 1 root root 67548 Jun 3 13:45 sendpage* -rwxr-xr-x 1 root root 88632 Jun 3 13:46 sftp* -rwxr-xr-x 1 root root 387764 Jun 3 13:45 sh* -rws--x--x 1 root root 744500 Jun 3 13:46 slogin* -rwxr-xr-x 1 root root 14523 Jun 3 13:46 splain* -rws--x--x 1 root root 744500 Jun 3 13:46 ssh* -rwxr-xr-x 1 root root 570960 Jun 3 13:46 ssh-add* -rwxr-xr-x 1 root root 502952 Jun 3 13:46 ssh-agent* -rwxr-xr-x 1 root root 575740 Jun 3 13:46 ssh-keygen* -rwxr-xr-x 1 root root 383480 Jun 3 13:46 ssh-keyscan* -rwxr-xr-x 1 root root 39 Jun 3 13:46 ssh_europa* -rwxr-xr-x 1 root root 107252 Jun 4 10:14 strace* -rwxr-xr-x 1 root root 8323 Jun 4 10:14 strace-graph* -rwxr-xr-x 1 root root 158088 Jun 3 13:46 thumbnail* -rwxr-xr-x 1 root root 6312 Jun 3 13:46 tty* -rwxr-xr-x 1 root root 55904 Jun 4 11:46 useradd* -rwxr-xr-x 1 root root 585656 Jun 4 11:47 vi* -rwxr-xr-x 1 root root 6444 Jun 4 11:45 whoami* ./dev: total 8 drwxr-xr-x 2 root root 4096 Jun 4 12:16 ./ drwxr-xr-x 9 
root root 4096 Jun 5 10:05 ../ crw-r--r-- 1 root root 1, 9 Jun 3 13:43 urandom ./etc: total 208 drwxr-xr-x 4 root root 4096 Jun 4 12:35 ./ drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../ -rw------- 1 root root 0 Jun 4 11:46 .pwd.lock -rw-r--r-- 1 root root 653 Jun 3 13:46 group -rw-r--r-- 1 root root 242 Jun 4 11:33 host.conf -rw-r--r-- 1 root root 857 Jun 4 12:04 hosts -rw-r--r-- 1 root root 1050 Jun 4 11:29 ld.so.cache -rw-r--r-- 1 root root 304 Jun 4 11:28 ld.so.conf -rw-r--r-- 1 root root 235 Jun 4 11:27 ld.so.conf~ -rw-r--r-- 1 root root 88039 Jun 3 13:46 moduli -rw-r--r-- 1 root root 1342 Jun 4 11:34 nsswitch.conf drwxr-xr-x 2 root root 4096 Jun 4 12:02 pam.d/ -rw-r--r-- 1 root root 28 Jun 4 12:00 pam_smb.conf -rw-r--r-- 1 root root 2520 Jun 4 11:57 passwd -rw-r--r-- 1 root root 7228 Jun 3 13:48 profile -rw-r--r-- 1 root root 1339 Jun 4 11:33 protocols -rw-r--r-- 1 root root 274 Jun 4 11:44 resolv.conf drwxr-xr-x 2 root root 4096 Jun 3 13:43 security/ -rw-r----- 1 root root 1178 Jun 4 11:51 shadow -rw------- 1 root root 80 Jun 4 11:45 shadow- -rw-r----- 1 root root 1178 Jun 4 11:48 shadow.old -rw-r--r-- 1 root root 161 Jun 3 13:46 shells -rw-r--r-- 1 root root 1144 Jun 3 13:46 ssh_config -rw------- 1 root root 668 Jun 3 13:46 ssh_host_dsa_key -rw-r--r-- 1 root root 602 Jun 3 13:46 ssh_host_dsa_key.pub -rw------- 1 root root 527 Jun 3 13:46 ssh_host_key -rw-r--r-- 1 root root 331 Jun 3 13:46 ssh_host_key.pub -rw------- 1 root root 883 Jun 3 13:46 ssh_host_rsa_key -rw-r--r-- 1 root root 222 Jun 3 13:46 ssh_host_rsa_key.pub -rw-r--r-- 1 root root 2471 Jun 4 12:15 sshd_config ./etc/pam.d: total 24 drwxr-xr-x 2 root root 4096 Jun 4 12:02 ./ drwxr-xr-x 4 root root 4096 Jun 4 12:35 ../ lrwxrwxrwx 1 root root 4 Jun 4 12:02 other -> sshd -rw-r--r-- 1 root root 318 Jun 3 13:46 passwd -rw-r--r-- 1 root root 546 Jun 4 11:36 ssh -rw-r--r-- 1 root root 479 Jun 4 12:02 sshd -rw-r--r-- 1 root root 370 Jun 3 13:46 su ./etc/security: total 32 drwxr-xr-x 2 root root 4096 Jun 3 
13:43 ./ drwxr-xr-x 4 root root 4096 Jun 4 12:35 ../ -rw-r--r-- 1 root root 1971 Jun 3 13:46 access.conf -rw-r--r-- 1 root root 184 Jun 3 13:46 chroot.conf -rw-r--r-- 1 root root 2145 Jun 3 13:46 group.conf -rw-r--r-- 1 root root 1356 Jun 3 13:46 limits.conf -rw-r--r-- 1 root root 2858 Jun 3 13:46 pam_env.conf -rw-r--r-- 1 root root 2154 Jun 3 13:46 time.conf ./lib: total 8316 drwxr-xr-x 3 root root 4096 Jun 4 12:13 ./ drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../ -rw-r--r-- 1 root root 1024 Jun 4 11:51 cracklib_dict.hwm -rw-r--r-- 1 root root 214324 Jun 4 11:51 cracklib_dict.pwd -rw-r--r-- 1 root root 11360 Jun 4 11:51 cracklib_dict.pwi -rwxr-xr-x 1 root root 342427 Jun 3 13:46 ld-linux.so.2* -rwxr-xr-x 1 root root 4061504 Jun 3 13:46 libc.so.6* lrwxrwxrwx 1 root root 15 Jun 4 12:11 libcrack.so -> libcrack.so.2.7* lrwxrwxrwx 1 root root 15 Jun 4 12:11 libcrack.so.2 -> libcrack.so.2.7* -rwxr-xr-x 1 root root 33291 Jun 4 11:39 libcrack.so.2.7* -rwxr-xr-x 1 root root 60988 Jun 3 13:46 libcrypt.so.1* -rwxr-xr-x 1 root root 71846 Jun 3 13:46 libdl.so.2* -rwxr-xr-x 1 root root 27762 Jun 3 13:46 libhistory.so.4.0* lrwxrwxrwx 1 root root 17 Jun 4 12:12 libncurses.so.4 -> libncurses.so.4.2* -rwxr-xr-x 1 root root 503903 Jun 3 13:46 libncurses.so.4.2* lrwxrwxrwx 1 root root 17 Jun 4 12:12 libncurses.so.5 -> libncurses.so.5.0* -rwxr-xr-x 1 root root 549429 Jun 3 13:46 libncurses.so.5.0* -rwxr-xr-x 1 root root 369801 Jun 3 13:46 libnsl.so.1* -rwxr-xr-x 1 root root 142563 Jun 4 11:49 libnss_compat.so.1* -rwxr-xr-x 1 root root 215569 Jun 4 11:49 libnss_compat.so.2* -rwxr-xr-x 1 root root 61648 Jun 4 11:34 libnss_dns.so.1* -rwxr-xr-x 1 root root 63453 Jun 4 11:34 libnss_dns.so.2* -rwxr-xr-x 1 root root 63782 Jun 4 11:34 libnss_dns6.so.2* -rwxr-xr-x 1 root root 205715 Jun 3 13:46 libnss_files.so.1* -rwxr-xr-x 1 root root 235932 Jun 3 13:49 libnss_files.so.2* -rwxr-xr-x 1 root root 204383 Jun 4 11:33 libnss_nis.so.1* -rwxr-xr-x 1 root root 254023 Jun 4 11:33 libnss_nis.so.2* 
-rwxr-xr-x 1 root root 256465 Jun 4 11:33 libnss_nisplus.so.2* lrwxrwxrwx 1 root root 14 Jun 4 12:12 libpam.so.0 -> libpam.so.0.72* -rwxr-xr-x 1 root root 31449 Jun 3 13:46 libpam.so.0.72* lrwxrwxrwx 1 root root 19 Jun 4 12:12 libpam_misc.so.0 -> libpam_misc.so.0.72* -rwxr-xr-x 1 root root 8125 Jun 3 13:46 libpam_misc.so.0.72* lrwxrwxrwx 1 root root 15 Jun 4 12:12 libpamc.so.0 -> libpamc.so.0.72* -rwxr-xr-x 1 root root 10499 Jun 3 13:46 libpamc.so.0.72* -rwxr-xr-x 1 root root 176427 Jun 3 13:46 libreadline.so.4.0* -rwxr-xr-x 1 root root 44729 Jun 3 13:46 libutil.so.1* -rwxr-xr-x 1 root root 70254 Jun 3 13:46 libz.a* lrwxrwxrwx 1 root root 13 Jun 4 12:13 libz.so -> libz.so.1.1.3* lrwxrwxrwx 1 root root 13 Jun 4 12:13 libz.so.1 -> libz.so.1.1.3* -rwxr-xr-x 1 root root 63312 Jun 3 13:46 libz.so.1.1.3* drwxr-xr-x 2 root root 4096 Jun 4 12:00 security/ ./lib/security: total 668 drwxr-xr-x 2 root root 4096 Jun 4 12:00 ./ drwxr-xr-x 3 root root 4096 Jun 4 12:13 ../ -rwxr-xr-x 1 root root 10067 Jun 3 13:46 pam_access.so* -rwxr-xr-x 1 root root 8300 Jun 3 13:46 pam_chroot.so* -rwxr-xr-x 1 root root 14397 Jun 3 13:46 pam_cracklib.so* -rwxr-xr-x 1 root root 5082 Jun 3 13:46 pam_deny.so* -rwxr-xr-x 1 root root 13153 Jun 3 13:46 pam_env.so* -rwxr-xr-x 1 root root 13371 Jun 3 13:46 pam_filter.so* -rwxr-xr-x 1 root root 7957 Jun 3 13:46 pam_ftp.so* -rwxr-xr-x 1 root root 12771 Jun 3 13:46 pam_group.so* -rwxr-xr-x 1 root root 10174 Jun 3 13:46 pam_issue.so* -rwxr-xr-x 1 root root 9774 Jun 3 13:46 pam_lastlog.so* -rwxr-xr-x 1 root root 13591 Jun 3 13:46 pam_limits.so* -rwxr-xr-x 1 root root 11268 Jun 3 13:46 pam_listfile.so* -rwxr-xr-x 1 root root 11182 Jun 3 13:46 pam_mail.so* -rwxr-xr-x 1 root root 5923 Jun 3 13:46 pam_nologin.so* -rwxr-xr-x 1 root root 5460 Jun 3 13:46 pam_permit.so* -rwxr-xr-x 1 root root 18226 Jun 3 13:46 pam_pwcheck.so* -rwxr-xr-x 1 root root 12590 Jun 3 13:46 pam_rhosts_auth.so* -rwxr-xr-x 1 root root 5551 Jun 3 13:46 pam_rootok.so* -rwxr-xr-x 1 root root 
7239 Jun 3 13:46 pam_securetty.so* -rwxr-xr-x 1 root root 6551 Jun 3 13:46 pam_shells.so* -rwxr-xr-x 1 root root 55925 Jun 4 12:00 pam_smb_auth.so* -rwxr-xr-x 1 root root 12678 Jun 3 13:46 pam_stress.so* -rwxr-xr-x 1 root root 11170 Jun 3 13:46 pam_tally.so* -rwxr-xr-x 1 root root 11124 Jun 3 13:46 pam_time.so* -rwxr-xr-x 1 root root 45703 Jun 3 13:46 pam_unix.so* -rwxr-xr-x 1 root root 45703 Jun 3 13:46 pam_unix2.so* -rwxr-xr-x 1 root root 45386 Jun 3 13:46 pam_unix_acct.so* -rwxr-xr-x 1 root root 45386 Jun 3 13:46 pam_unix_auth.so* -rwxr-xr-x 1 root root 45386 Jun 3 13:46 pam_unix_passwd.so* -rwxr-xr-x 1 root root 45386 Jun 3 13:46 pam_unix_session.so* -rwxr-xr-x 1 root root 9726 Jun 3 13:46 pam_userdb.so* -rwxr-xr-x 1 root root 6424 Jun 3 13:46 pam_warn.so* -rwxr-xr-x 1 root root 7460 Jun 3 13:46 pam_wheel.so* ./sbin: total 3132 drwxr-xr-x 2 root root 4096 Jun 4 12:35 ./ drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../ -rwxr-xr-x 1 root root 178256 Jun 3 13:46 choptest* -rwxr-xr-x 1 root root 184032 Jun 3 13:46 cqtest* -rwxr-xr-x 1 root root 81096 Jun 3 13:46 dialtest* -rwxr-xr-x 1 root root 1142128 Jun 4 11:28 ldconfig* -rwxr-xr-x 1 root root 2868 Jun 3 13:46 lockname* -rwxr-xr-x 1 root root 3340 Jun 3 13:46 ondelay* -rwxr-xr-x 1 root root 376796 Jun 3 13:46 pagesend* -rwxr-xr-x 1 root root 13950 Jun 3 13:46 probemodem* -rwxr-xr-x 1 root root 9234 Jun 3 13:46 recvstats* -rwxr-xr-x 1 root root 64480 Jun 3 13:46 sftp-server* -rwxr-xr-x 1 root root 744412 Jun 3 13:46 sshd* -rwxr-xr-x 1 root root 30750 Jun 4 11:46 su* -rwxr-xr-x 1 root root 194632 Jun 3 13:46 tagtest* -rwxr-xr-x 1 root root 69892 Jun 3 13:46 tsitest* -rwxr-xr-x 1 root root 43792 Jun 3 13:46 typetest* ./tmp: total 8 drwxr-xr-x 2 root root 4096 Jun 4 12:32 ./ drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../ ./usr: total 8 drwxr-xr-x 2 root root 4096 Jun 4 12:16 ./ drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../ lrwxrwxrwx 1 root root 7 Jun 4 12:14 bin -> ../bin// lrwxrwxrwx 1 root root 7 Jun 4 11:33 lib -> 
../lib// lrwxrwxrwx 1 root root 8 Jun 4 12:13 sbin -> ../sbin// Chroot environment for Apache Introduction

The chroot utility is often used to jail a daemon in a restricted tree. You can use it to insulate services from one another, so that security issues in a software package do not jeopardize the whole server. Bear in mind that a chroot is not a hard security boundary: a process that keeps root privileges inside the jail can usually break out of it, so the tree only helps if the daemon drops to an unprivileged user (as Apache does for its worker processes) and the jail contains no setuid binaries or other ways to regain root. When using the makejail script, setting up and updating the chrooted tree is much easier.

FIXME: Apache can also be chrooted using which is available in libapache-mod-security (for Apache 1.x) and libapache2-mod-security (for Apache 2.x). Licensing

This document is copyright 2002 Alexandre Ratti. It has been dual-licensed and released under the GPL version 2 (GNU General Public License) the GNU-FDL 1.2 (GNU Free Documentation Licence) and is included in this manual with his explicit permission. (from the ) Installing the server

This procedure was tested on Debian GNU/Linux 3.0 (Woody) with makejail 0.0.4-1 (in Debian/testing).

Log in as root and create a new jail directory: $ mkdir -p /var/chroot/apache

Create a new user and a new group. The chrooted Apache server will run as this user/group, which isn't used for anything else on the system. In this example, both user and group are called chrapach. $ adduser --home /var/chroot/apache --shell /bin/false \ --no-create-home --system --group chrapach

FIXME: is a new user needed? (Apache already runs as the apache user.) A dedicated uid/gid per jail is still worthwhile: if the jailed server is compromised, the attacker holds an identity that owns nothing outside the jail, whereas the system-wide Apache user may own files elsewhere on the host.

Install Apache as usual on Debian: apt-get install apache Set up Apache (e.g. define your subdomains, etc.). In the /etc/apache/httpd.conf configuration file, set the Group and User options to chrapach. Restart Apache and make sure the server is working correctly. Now, stop the Apache daemon. Install makejail (available in Debian/testing for now). You should also install wget and lynx as they will be used by makejail to test the chrooted server: apt-get install makejail wget lynx Copy the sample configuration file for Apache to the /etc/makejail directory: # cp /usr/share/doc/makejail/examples/apache.py /etc/makejail/ Edit /etc/makejail/apache.py. You need to change the chroot, users and groups options. To run this version of makejail, you can also add a packages option. See the . A sample is shown here: chroot="/var/chroot/apache" testCommandsInsideJail=["/usr/sbin/apachectl start"] processNames=["apache"] testCommandsOutsideJail=["wget -r --spider http://localhost/", "lynx --source https://localhost/"] preserve=["/var/www", "/var/log/apache", "/dev/log"] users=["chrapach"] groups=["chrapach"] packages=["apache", "apache-common"] userFiles=["/etc/passwd", "/etc/shadow"] groupFiles=["/etc/group", "/etc/gshadow"] forceCopy=["/etc/hosts", "/etc/mime.types"] Double-check the spelling of the userFiles entry: the file is /etc/passwd. An entry for a non-existent /etc/password gives makejail nothing to filter, which is most likely why a full copy of the file ends up in the jail (see the FIXME below).

FIXME: some options do not seem to work properly. For instance, /etc/shadow and /etc/gshadow are not copied, whereas /etc/passwd and /etc/group are fully copied instead of being filtered. (A misspelled userFiles entry, /etc/password instead of /etc/passwd, would explain the passwd case; either way, inspect the jail's copies by hand as described below rather than trusting the filtering, since an unfiltered copy exposes every account on the host to whatever runs inside the jail.)

Create the chroot tree: makejail /etc/makejail/apache.py If /etc/passwd and /etc/group were fully copied, type: $ grep chrapach /etc/passwd > /var/chroot/apache/etc/passwd $ grep chrapach /etc/group > /var/chroot/apache/etc/group to replace them with filtered copies. Do the same check for /etc/shadow and /etc/gshadow if makejail did copy them: nothing in this Apache setup reads the password hashes, so a full copy inside the jail is pure exposure; filter them the same way or remove them. Copy the Web site pages and the logs into the jail. These files are not copied automatically (see the preserve option in makejail's configuration file). # cp -Rp /var/www /var/chroot/apache/var # cp -Rp /var/log/apache/*.log /var/chroot/apache/var/log/apache Edit the startup script for the system logging daemon so that it also listens on the /var/chroot/apache/dev/log socket. In /etc/default/syslogd, replace: SYSLOGD="" with SYSLOGD=" -a /var/chroot/apache/dev/log" and restart the daemon (/etc/init.d/sysklogd restart). Edit the Apache startup script (/etc/init.d/apache). You might need to make some changes to the default startup script for it to run properly with a chrooted tree. Such as: set a new CHRDIR variable at the top of the file; edit the start, stop, reload, etc. sections; add a line to mount and unmount the /proc filesystem within the jail. #! /bin/bash # # apache Start the apache HTTP server. 
# CHRDIR=/var/chroot/apache NAME=apache PATH=/bin:/usr/bin:/sbin:/usr/sbin DAEMON=/usr/sbin/apache SUEXEC=/usr/lib/apache/suexec PIDFILE=/var/run/$NAME.pid CONF=/etc/apache/httpd.conf APACHECTL=/usr/sbin/apachectl trap "" 1 export LANG=C export PATH test -f $DAEMON || exit 0 test -f $APACHECTL || exit 0 # ensure we don't leak environment vars into apachectl APACHECTL="env -i LANG=${LANG} PATH=${PATH} chroot $CHRDIR $APACHECTL" if egrep -q -i "^[[:space:]]*ServerType[[:space:]]+inet" $CONF then exit 0 fi case "$1" in start) echo -n "Starting web server: $NAME" mount -t proc proc /var/chroot/apache/proc start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON \ --chroot $CHRDIR ;; stop) echo -n "Stopping web server: $NAME" start-stop-daemon --stop --pidfile "$CHRDIR/$PIDFILE" --oknodo umount /var/chroot/apache/proc ;; reload) echo -n "Reloading $NAME configuration" start-stop-daemon --stop --pidfile "$CHRDIR/$PIDFILE" \ --signal USR1 --startas $DAEMON --chroot $CHRDIR ;; reload-modules) echo -n "Reloading $NAME modules" start-stop-daemon --stop --pidfile "$CHRDIR/$PIDFILE" --oknodo \ --retry 30 start-stop-daemon --start --pidfile $PIDFILE \ --exec $DAEMON --chroot $CHRDIR ;; restart) $0 reload-modules exit $? ;; force-reload) $0 reload-modules exit $? ;; *) echo "Usage: /etc/init.d/$NAME {start|stop|reload|reload-modules|force-reload|restart}" exit 1 ;; esac if [ $? == 0 ]; then echo . exit 0 else echo failed exit 1 fi

FIXME: should the first Apache process be run as another user than root (i.e. add --chuid chrapach:chrapach)? Cons: chrapach will need write access to the logs, which is awkward. Also note that the parent must stay root to bind port 80 (a privileged port) and to switch its children to chrapach, so --chuid alone would break the default listener. A root parent inside the jail is the usual trade-off, and is exactly why the jail must offer it no way back out: no setuid binaries, and as little as possible reachable through the /proc that the init script mounts inside it.

Replace in /etc/logrotate.d/apache /var/log/apache/*.log with /var/chroot/apache/var/log/apache/*.log Start Apache (/etc/init.d/apache start) and check what is reported in the jail log (/var/chroot/apache/var/log/apache/error.log). If your setup is more complex (e.g. if you also use PHP and MySQL), files will probably be missing. If some files are not copied automatically by makejail, you can list them in the forceCopy (to copy files directly) or packages (to copy full packages and their dependencies) option in the /etc/makejail/apache.py configuration file.

Type ps aux | grep apache to make sure Apache is running. You should see something like: root 180 0.0 1.1 2936 1436 ? S 04:03 0:00 /usr/sbin/apache chrapach 189 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache chrapach 190 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache chrapach 191 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache chrapach 192 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache chrapach 193 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache Make sure the Apache processes are running chrooted by looking in the /proc filesystem: ls -la /proc/process_number/root/. where process_number is one of the PID numbers listed above (2nd column; 189 for instance). The entries for a restricted tree should be listed: drwxr-sr-x 10 root staff 240 Dec 2 16:06 . drwxrwsr-x 4 root staff 72 Dec 2 08:07 .. drwxr-xr-x 2 root root 144 Dec 2 16:05 bin drwxr-xr-x 2 root root 120 Dec 3 04:03 dev drwxr-xr-x 5 root root 408 Dec 3 04:03 etc drwxr-xr-x 2 root root 800 Dec 2 16:06 lib dr-xr-xr-x 43 root root 0 Dec 3 05:03 proc drwxr-xr-x 2 root root 48 Dec 2 16:06 sbin drwxr-xr-x 6 root root 144 Dec 2 16:04 usr drwxr-xr-x 7 root root 168 Dec 2 16:06 var

To automate this test, you can type: ls -la /proc/`cat /var/chroot/apache/var/run/apache.pid`/root/.

FIXME: Add other tests that can be run to make sure the jail is closed?

The reason I like this is because setting up the jail is not very difficult and the server can be updated in just two lines: apt-get update && apt-get install apache makejail /etc/makejail/apache.py Keep in mind that the second line is not optional: apt-get only updates the copies outside the jail, and the binaries and libraries makejail placed under /var/chroot/apache stay at their old, possibly vulnerable, versions until makejail is run again. This applies to every package it copied in, libraries included, not just apache. See also

If you are looking for more information you can consider these sources of information in which the information presented is based: , this program was written by Alain Tesio harden-doc-3.15.1/howto-source/en/before-install.sgml0000644000000000000000000007102311362605672017340 0ustar Before and during the installation Choose a BIOS password

Before you install any operating system on your computer, set up a BIOS password. After installation (once you have enabled bootup from the hard disk) you should go back to the BIOS and change the boot sequence to disable booting from floppy, CD-ROM and other devices that shouldn't boot. Otherwise a cracker only needs physical access and a boot disk to access your entire system.

Disabling booting unless a password is supplied is even better. This can be very effective if you run a server, because it is not rebooted very often. The downside to this tactic is that rebooting requires human intervention which can cause problems if the machine is not easily accessible.

Note: many BIOSes have well known default master passwords, and applications also exist to retrieve the passwords from the BIOS. Corollary: don't depend on this measure to secure console access to system. Partitioning the system Choose an intelligent partition scheme

An intelligent partition scheme depends on how the machine is used. A good rule of thumb is to be fairly liberal with your partitions and to pay attention to the following factors: Any directory tree which a user has write permissions to, such as e.g. /home, /tmp and /var/tmp/, should be on a separate partition. This reduces the risk of a user DoS by filling up your "/" mount point and rendering the system unusable (Note: this is not strictly true, since there is always some space reserved for root which a normal user cannot fill), and it also prevents hardlink attacks, because hard links cannot cross file system boundaries. A very good example of this kind of attacks using /tmp is detailed in and (notice that the incident is Debian-related). It is basically an attack in which a local user stashes away a vulnerable setuid application by making a hard link to it, effectively avoiding any updates (or removal) of the binary itself made by the system administrator. Dpkg was recently fixed to prevent this (see ) but other setuid binaries (not controlled by the package manager) are at risk if partitions are not set up correctly. Any partition which can fluctuate, e.g. /var (especially /var/log) should also be on a separate partition. On a Debian system, you should create /var a little bit bigger than on other systems, because downloaded packages (the apt cache) are stored in /var/cache/apt/archives. Any partition where you want to install non-distribution software should be on a separate partition. According to the Filesystem Hierarchy Standard, this is /opt or /usr/local. If these are separate partitions, they will not be erased if you (have to) reinstall Debian itself. From a security point of view, it makes sense to try to move static data to its own partition, and then mount that partition read-only. Better yet, put the data on read-only media. See below for more details.

In the case of a mail server it is important to have a separate partition for the mail spool. Remote users (either knowingly or unknowingly) can fill the mail spool (/var/mail and/or /var/spool/mail). If the spool is on a separate partition, this situation will not render the system unusable. Otherwise (if the spool directory is on the same partition as /var) the system might have important problems: log entries will not be created, packages cannot be installed, and some programs might even have problems starting up (if they use /var/run).

Also, for partitions in which you cannot be sure of the needed space, consider installing the Logical Volume Manager (lvm-common and the needed binaries for your kernel, this might be either lvm10, lvm6, or lvm5). Using lvm, you can create volume groups that span multiple physical volumes. Selecting the appropriate file systems

During the system partitioning you also have to decide which file system you want to use. The default file system selected in the Debian installation for Linux partitions (since Debian GNU/Linux 4.0, codename etch) is ext3, a journaling file system. It is recommended that you always use a journaling file system, such as ext3, reiserfs, jfs or xfs, to minimize the problems derived from a system crash in the following cases: for laptops, on all the file systems installed. That way if you run out of battery unexpectedly or the system freezes due to a hardware issue (such as X configuration, which is somewhat common) you will be less likely to lose data during a hardware reboot. for production systems which store large amounts of data (like mail servers, ftp servers, network file systems...), a journaling file system is recommended on the partitions holding that data. That way, in the event of a system crash, the server will take less time to recover and check the file systems, and data loss will be less likely.

Leaving aside the performance issues regarding journalling file systems (since this can sometimes turn into a religious war), it is usually better to use the ext3 file system. The reason for this is that it is backwards compatible with ext2, so if there are any issues with the journalling you can disable it and still have a working file system. Also, if you need to recover the system with a bootdisk (or CD-ROM) you do not need a custom kernel. If the kernel is 2.4 or 2.6 ext3 support is already available, if it is a 2.2 kernel you will be able to boot the file system even if you lose journalling capabilities. If you are using other journalling file systems you will find that you might not be able to recover unless you have a 2.4 or 2.6 kernel with the needed modules built-in. If you are stuck with a 2.2 kernel on the rescue disk, it might be even more difficult to have it access reiserfs or xfs.

In any case, data integrity might be better under ext3 since it does file-data journalling while others do only meta-data journalling, see .

Notice, however, that there are some partitions that might not benefit from using a journaling filesystem. For example, if you are using a separate partition for /tmp/ you might be better off using a standard ext2 filesystem as it will be cleaned up when the system boots. Do not plug to the Internet until ready

The system should not be immediately connected to the Internet during installation. This could sound stupid but network installation is a common method. Since the system will install and activate services immediately, if the system is connected to the Internet and the services are not properly configured you are opening it to attack.

Also note that some services might have security vulnerabilities not fixed in the packages you are using for installation. This is usually true if you are installing from old media (like CD-ROMs). In this case, the system could even be compromised before you finish installation!

Since Debian installation and upgrades can be done over the Internet you might think it is a good idea to use this feature on installation. If the system is going to be directly connected to the Internet (and not protected by a firewall or NAT), it is best to install without connection to the Internet, using a local packages mirror for both the Debian package sources and the security updates. You can set up package mirrors by using another system connected to the Internet with Debian-specific tools (if it's a Debian system) like apt-move or apt-proxy, or other common mirroring tools, to provide the archive to the installed system. If you cannot do this, you can set up firewall rules to limit access to the system while doing the update (see ). Set a root password

Setting a good root password is the most basic requirement for having a secure system. See for some hints on how to create good passwords. You can also use an automatic password generation program to do this for you (see ).

Plenty of information on choosing good passwords can be found on the Internet; two that provide a decent summary and rationale are Eric Wolfram's and Walter Belgers' Activate shadow passwords and MD5 passwords

At the end of the installation, you will be asked if shadow passwords should be enabled. Answer yes to this question, so passwords will be kept in the file /etc/shadow. Only the root user and the group shadow have read access to this file, so no users will be able to grab a copy of this file in order to run a password cracker against it. You can switch between shadow passwords and normal passwords at any time by using shadowconfig.

Read more on shadow passwords in (/usr/share/doc/HOWTO/en-txt/Shadow-Password.txt.gz).

Furthermore, the installation uses MD5 hashed passwords by default. This is generally a very good idea since it allows longer passwords and a stronger hash than the traditional DES-based crypt (note that this is hashing, not encryption: the password itself is never stored, only a digest of it). MD5 allows for passwords longer than 8 characters. This, if used wisely, can make it more difficult for attackers to brute-force the system's passwords. Regarding MD5 passwords, this is the default option when installing the latest passwd package. You can recognize MD5 passwords in the /etc/shadow file by their $1$ prefix. Newer releases of the passwd and PAM packages default to SHA-based hashes instead (prefix $5$ or $6$); prefer those over MD5 wherever they are available.

This, as a matter of fact, modifies all files under /etc/pam.d by substituting the password line and including md5 in it: password required pam_unix.so md5 nullok obscure min=6 max=16

If max is not set over 8 the change will not be useful at all. For more information on this read .

Note: the default configuration in Debian, even when activating MD5 passwords, does not modify the previously set max value. Run the minimum number of services required

Services are programs such as ftp servers and web servers. Since they have to be listening for incoming connections that request the service, external computers can connect to yours. Services are sometimes vulnerable (i.e. can be compromised under a given attack) and hence present a security risk.

You should not install services which are not needed on your machine. Every installed service might introduce new, perhaps not obvious (or known), security holes on your computer.

As you may already know, when you install a given service the default behavior is to activate it. In a default Debian installation, with no services installed, the number of running services is quite low and the number of network-oriented services is even lower. In a default Debian 3.1 standard installation you will end up with OpenSSH, Exim (depending on how you configured it) and the RPC portmapper available as network services (the footprint in Debian 3.0 and earlier releases wasn't as tight, since some inetd services were enabled by default; also, standard installations of Debian 2.2 installed the NFS server as well as the telnet server). If you did not go through a standard installation but selected an expert installation you can end up with no active network services. The RPC portmapper is installed by default because it is needed for many services, for example NFS, to run on a given system. However, it can be easily removed, see for more information on how to secure or disable RPC services.

When you install a new network-related service (daemon) in your Debian GNU/Linux system it can be enabled in two ways: through the inetd superdaemon (i.e. a line will be added to /etc/inetd.conf) or through a standalone program that binds itself to your network interfaces. Standalone programs are controlled through the /etc/init.d files, which are called at boot time through the SysV mechanism (or an alternative one) by using symlinks in /etc/rc?.d/* (for more information on how this is done read /usr/share/doc/sysvinit/README.runlevels.gz).

If you want to keep some services but use them rarely, use the update-* commands, e.g. update-inetd and update-rc.d to remove them from the startup process. For more information on how to disable network services read . If you want to change the default behaviour of starting up services on installation of their associated packages (this is desirable if you are setting up a development chroot, for example), use policy-rc.d; please read /usr/share/doc/sysv-rc/README.policy-rc.d.gz for more information.

invoke-rc.d support is mandatory in Debian, which means that for Debian 4.0 etch and later releases you can write a policy-rc.d file that forbids starting new daemons before you configure them. Although no such scripts are packaged yet, they are quite simple to write. See policyrcd-script-zg2. Disabling daemon services

Disabling a daemon service is quite simple. You either remove the package providing the program for that service or you remove or rename the startup links under /etc/rc${runlevel}.d/. If you rename them make sure they do not begin with 'S' so that they don't get started by /etc/init.d/rc. Do not remove all the available links or the package management system will regenerate them on package upgrades; make sure you leave at least one link (typically a 'K', i.e. kill, link). For more information read section of the Debian Reference (Chapter 2 - Debian fundamentals).

You can remove these links manually or using update-rc.d (see ). For example, you can disable a service from executing in the multi-user runlevels by doing: # update-rc.d name stop XX 2 3 4 5 .

Where XX is a number that determines when the stop action for that service will be executed. Please note that, if you are not using file-rc, update-rc.d -f service remove will not work properly: since all links are removed, they will be re-generated upon re-installation or upgrade of the package (probably not what you wanted). If you think this is not intuitive you are probably right (see ). From the manpage: If any files /etc/rcrunlevel.d/[SK]??name already exist then update-rc.d does nothing. This is so that the system administrator can rearrange the links, provided that they leave at least one link remaining, without having their configuration overwritten.

If you are using file-rc all the information regarding services bootup is handled by a common configuration file and is maintained even if packages are removed from the system.

You can use the TUI (Text User Interface) provided by sysv-rc-conf to do all these changes easily (sysv-rc-conf works both for file-rc and normal System V runlevels). You will also find similar GUIs for desktop systems. You can also use the command line interface of sysv-rc-conf: # sysv-rc-conf foobar off

The advantage of using this utility is that the rc.d links are returned to the status they had before the 'off' call if you re-enable the service with: # sysv-rc-conf foobar on

Other (less recommended) methods of disabling services are: (1) removing the /etc/init.d/service_name script and removing the startup links using # update-rc.d name remove; (2) moving the script file (/etc/init.d/service_name) to another name (for example /etc/init.d/OFF.service_name) — this will leave dangling symlinks under /etc/rc${runlevel}.d/ and will generate error messages when booting up the system; (3) removing the execute permission from the /etc/init.d/service_name file — that will also generate error messages when booting; (4) editing the /etc/init.d/service_name script to have it stop immediately once it is executed (by adding an exit 0 line at the beginning or commenting out the start-stop-daemon part in it) — if you do this, you will not be able to use the script to startup the service manually later on.

Nevertheless, the files under /etc/init.d are configuration files and should not get overwritten due to package upgrades if you have made local changes to them.

Unlike other (UNIX) operating systems, services in Debian cannot be disabled by modifying files in /etc/default/service_name.

FIXME: Add more information on handling daemons using file-rc. Disabling inetd or its services

You should check if you really need the inetd daemon nowadays. Inetd was always a way to compensate for kernel deficiencies, but those have been taken care of in modern Linux kernels. Denial of Service possibilities exist against inetd (which can increase the machine's load tremendously), and many people always preferred using stand-alone daemons instead of calling services via inetd. If you still want to run some kind of inetd service, then at least switch to a more configurable Inet daemon like xinetd, rlinetd or openbsd-inetd.

You should stop all unneeded Inetd services on your system, like echo, chargen, discard, daytime, time, talk, ntalk and r-services (rsh, rlogin and rcp) which are considered HIGHLY insecure (use ssh instead).

You can disable services by editing /etc/inetd.conf directly, but Debian provides a better alternative: update-inetd (which comments the services in a way that it can easily be turned on again). You could disable the telnet daemon by executing this command, which changes the config file and restarts the daemon (in this case the telnet service is disabled): /usr/sbin/update-inetd --disable telnet

If you do want services listening, but do not want to have them listen on all IP addresses of your host, you might want to use an undocumented feature on inetd (replace service name with service@ip syntax) or use an alternative inetd daemon like xinetd. Install the minimum amount of software required

Debian comes with a lot of software, for example the Debian 3.0 woody release includes 6 or 7 (depending on architecture) CD-ROMs of software and thousands of packages, and the Debian 3.1 sarge release ships with around 13 CD-ROMs of software. With so much software, and even if the base system installation is quite reduced For example, in Debian woody it is around 400-500 Mbs, try this: $ size=0 $ for i in `grep -A 1 -B 1 "^Section: base" /var/lib/dpkg/available | grep -A 2 "^Priority: required" |grep "^Installed-Size" |cut -d : -f 2 `; do size=$(($size+$i)); done $ echo $size 47762 you might get carried away and install more than is really needed for your system.

Since you already know what the system is for (don't you?) you should only install software that is really needed for it to work. Any unnecessary tool that is installed might be used by a user that wants to compromise the system or by an external intruder that has gotten shell access (or remote code execution through an exploitable service).

The presence, for example, of development utilities (a C compiler) or interpreted languages (such as perl - but see below -, python, tcl...) may help an attacker compromise the system even further: (a) by allowing him to do privilege escalation — it's easier, for example, to run local exploits in the system if there is a debugger and compiler ready to compile and test them; (b) by providing tools that could help the attacker use the compromised system as a base of attack against other systems. Many intrusions are made just to get access to resources to do illegitimate activity (denial of service attacks, spam, rogue ftp servers, dns pollution...) rather than to obtain confidential data from the compromised system.

Of course, an intruder with local shell access can download his own set of tools and execute them, and even the shell itself can be used to make complex programs. Removing unnecessary software will not help prevent the problem but will make it slightly more difficult for an attacker to proceed (and some might give up in this situation looking for easier targets). So, if you leave tools in a production system that could be used to remotely attack systems (see ) you can expect an intruder to use them too if available.

Please notice that a default installation of Debian sarge (i.e. an installation where no individual packages are selected) will install a number of development packages that are not usually needed. This is because some development packages are of Standard priority. If you are not going to do any development you can safely remove the following packages from your system, which will also help free up some space: Package Size ------------------------+-------- gdb 2,766,822 gcc-3.3 1,570,284 dpkg-dev 166,800 libc6-dev 2,531,564 cpp-3.3 1,391,346 manpages-dev 1,081,408 flex 257,678 g++ 1,384 (Note: virtual package) linux-kernel-headers 1,377,022 bin86 82,090 cpp 29,446 gcc 4,896 (Note: virtual package) g++-3.3 1,778,880 bison 702,830 make 366,138 libstdc++5-3.3-dev 774,982

This is something that is fixed in releases post-sarge, see and . Due to a bug in the installation system this did not happen when installing with the installation system of the Debian 3.0 woody release. Removing Perl

You must take into account that removing perl might not be too easy (as a matter of fact it can be quite difficult) in a Debian system since it is used by many system utilities. Also, the perl-base is Priority: required (that about says it all). It's still doable, but you will not be able to run any perl application in the system; you will also have to fool the package management system to think that the perl-base is installed even if it's not. You can make (on another system) a dummy package with equivs.

Which utilities use perl? You can see for yourself: $ for i in /bin/* /sbin/* /usr/bin/* /usr/sbin/*; do [ -f $i ] && { type=`file $i | grep -il perl`; [ -n "$type" ] && echo $i; }; done

These include the following utilities in packages with priority required or important: /usr/bin/chkdupexe of package util-linux. /usr/bin/replay of package bsdutils. /usr/sbin/cleanup-info of package dpkg. /usr/sbin/dpkg-divert of package dpkg. /usr/sbin/dpkg-statoverride of package dpkg. /usr/sbin/install-info of package dpkg. /usr/sbin/update-alternatives of package dpkg. /usr/sbin/update-rc.d of package sysvinit. /usr/bin/grog of package groff-base. /usr/sbin/adduser of package adduser. /usr/sbin/debconf-show of package debconf. /usr/sbin/deluser of package adduser. /usr/sbin/dpkg-preconfigure of package debconf. /usr/sbin/dpkg-reconfigure of package debconf. /usr/sbin/exigrep of package exim. /usr/sbin/eximconfig of package exim. /usr/sbin/eximstats of package exim. /usr/sbin/exim-upgrade-to-r3 of package exim. /usr/sbin/exiqsumm of package exim. /usr/sbin/keytab-lilo of package lilo. /usr/sbin/liloconfig of package lilo. /usr/sbin/lilo_find_mbr of package lilo. /usr/sbin/syslogd-listfiles of package sysklogd. /usr/sbin/syslog-facility of package sysklogd. /usr/sbin/update-inetd of package netbase.

So, without Perl and, unless you remake these utilities in shell script, you will probably not be able to manage any packages (so you will not be able to upgrade the system, which is not a Good Thing).

If you are determined to remove Perl from the Debian base system, and you have spare time, submit bug reports to the previous packages including (as a patch) replacements for the utilities above written in shell script.

If you wish to check out which Debian packages depend on Perl you can use $ grep-available -s Package,Priority -F Depends perl

or $ apt-cache rdepends perl Read the Debian security mailing lists

It is never wrong to take a look at either the debian-security-announce mailing list, where advisories and fixes to released packages are announced by the Debian security team, or at , where you can participate in discussions about things related to Debian security.

In order to receive important security update alerts, send an email to with the word "subscribe" in the subject line. You can also subscribe to this moderated email list via the web page at .

This mailing list has very low volume, and by subscribing to it you will be immediately alerted of security updates for the Debian distribution. This allows you to quickly download new packages with security bug fixes, which is very important in maintaining a secure system (see for details on how to do this). harden-doc-3.15.1/howto-source/en/after-compromise.sgml0000644000000000000000000002543710551670322017707 0ustar After the compromise (incident response) General behavior

If you are physically present when an attack is happening, your first response should be to remove the machine from the network by unplugging the network card (if this will not adversely affect any business transactions). Disabling the network at layer 1 is the only true way to keep the attacker out of the compromised box (Phillip Hofmeister's wise advice).

However, some tools installed by rootkits, trojans and, even, a rogue user connected through a back door, might be capable of detecting this event and react to it. Seeing a rm -rf / executed when you unplug the network from the system is not really much fun. If you are unwilling to take the risk, and you are sure that the system is compromised, you should unplug the power cable (all of them if more than one) and cross your fingers. This may be extreme but, in fact, will avoid any logic-bomb that the intruder might have programmed. In this case, the compromised system should not be re-booted. Either the hard disks should be moved to another system for analysis, or you should use other media (a CD-ROM) to boot the system and analyze it. You should not use Debian's rescue disks to boot the system, but you can use the shell provided by the installation disks (remember, Alt+F2 will take you to it) to analyze the system (if you are adventurous, you can log in to the system and save information on all running processes — you'll get a lot from /proc/nnn/; it is possible to get the whole executable code from memory, even if the attacker has deleted the executable files from disk; then pull the power cord).

The most recommended method for recovering a compromised system is to use a live-filesystem on CD-ROM with all the tools (and kernel modules) you might need to access the compromised system. You can use the mkinitrd-cd package to build such a CD-ROM (in fact, this is the tool used to build the CD-ROMs for the project, a firewall on a live CD-ROM based on the Debian distribution). You might find the (previously called Biatchux) CD-ROM useful here too, since it's also a live CD-ROM with forensic tools useful in these situations. There is not (yet) a Debian-based tool such as this, nor an easy way to build the CD-ROM using your own selection of Debian packages and mkinitrd-cd (so you'll have to read the documentation provided with it to make your own CD-ROMs).

If you really want to fix the compromise quickly, you should remove the compromised host from your network and re-install the operating system from scratch. Of course, this may not be effective because you will not learn how the intruder got root in the first place. For that case, you must check everything: firewall, file integrity, log host, log files and so on. For more information on what to do following a break-in, see or SANS's .

Some common questions on how to handle a compromised Debian GNU/Linux system are also available in . Backing up the system

Remember that if you are sure the system has been compromised you cannot trust the installed software or any information that it gives back to you. Applications might have been trojanized, kernel modules might be installed, etc.

The best thing to do is a complete file system backup copy (using dd) after booting from a safe medium. Debian GNU/Linux CD-ROMs can be handy for this since they provide a shell in console 2 when the installation is started (jump to it using Alt+2 and pressing Enter). From this shell, backup the information to another host if possible (maybe a network file server through NFS/FTP). Then any analysis of the compromise or re-installation can be performed while the affected system is offline.

If you are sure that the only compromise is a Trojan kernel module, you can try to run the kernel image from the Debian CD-ROM in rescue mode. Make sure to startup in single user mode, so no other Trojan processes run after the kernel. Contact your local CERT

The CERT (Computer Emergency Response Team) is an organization that can help you recover from a system compromise. There are CERTs worldwide (this is a list of some CERTs; for a full list look at the (FIRST is the Forum of Incident Response and Security Teams): (Australia), (Mexico) (Finland), (Germany), (Germany), (Italy), (Japan), (Norway), (Croatia) (Poland), (Russia), (Slovenia) (Spain), (Switzerland), (Taiwan), and (US)), and you should contact your local CERT in the event of a security incident which has led to a system compromise. The people at your local CERT can help you recover from it.

Providing your local CERT (or the CERT coordination center) with information on the compromise, even if you do not seek assistance, can also help others, since the aggregate information of reported incidents is used to determine if a given vulnerability is in widespread use, if there is a new worm aloft, or which new attack tools are being used. This information is used to provide the Internet community with information on the , and to publish and even . For more detailed information on how (and why) to report an incident, read .

You can also use less formal mechanisms if you need help for recovering from a compromise or want to discuss incident information. This includes the and the . Forensic analysis

If you wish to gather more information, the tct (The Coroner's Toolkit from Dan Farmer and Wietse Venema) package contains utilities which perform a post mortem analysis of a system. tct allows the user to collect information about deleted files, running processes and more. See the included documentation for more information. These same utilities and some others can be found in by Brian Carrier, which provides a web front-end for forensic analysis of disk images. In Debian you can find both sleuthkit (the tools) and autopsy (the graphical front-end).

Remember that forensic analysis should always be done on the backup copy of the data, never on the data itself, in case the data is altered during analysis and the evidence is lost.

You will find more information on forensic analysis in Dan Farmer's and Wietse Venema's book (available online), as well as in their and their . Brian Carrier's newsletter is also a very good resource on forensic analysis tips. Finally, the are an excellent way to hone your forensic analysis skills as they include real attacks against honeypot systems and provide challenges that vary from forensic analysis of disks to firewall logs and packet captures.

FIXME: This paragraph will hopefully provide more information about forensics in a Debian system in the coming future.

FIXME: Talk on how to do a debsums on a stable system with the MD5sums on CD and with the recovered file system restored on a separate partition.

FIXME: Add pointers to forensic analysis papers (like the Honeynet's reverse challenge or ). Analysis of malware

Some other tools that can be used for forensic analysis provided in the Debian distribution are: strace. ltrace.

Any of these packages can be used to analyze rogue binaries (such as back doors), in order to determine how they work and what they do to the system. Some other common tools include ldd (in libc6), strings and objdump (both in binutils).

If you try to do forensic analysis with back doors or suspected binaries retrieved from compromised systems, you should do so in a secure environment (for example in a bochs or xen image or a chroot'ed environment using a user with low privileges; be very careful if using chroots, since if the binary uses a kernel-level exploit to increase its privileges it might still be able to infect your system). Otherwise your own system can be back doored/r00ted too!

If you are interested in malware analysis then you should read the chapter of Dan Farmer's and Wietse Venema's forensics book. harden-doc-3.15.1/howto-source/en/titletoc.sgml0000644000000000000000000000152310457023365016254 0ustar &bookname; &authorname; &authoremail; &version;, &docdate; This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team. harden-doc-3.15.1/howto-source/securing-debian-howto.sgml0000644000000000000000000000404710432377155020226 0ustar %dynamic; %custom; %default; ]> &titletoc; ©left; &ch-intro; &ch-bbegin; &ch-binstall; &ch-ainstall; &ch-services; &ch-auto; &ch-infrastructure; &ch-tools; &ch-developer; &ch-bcompromise; &ch-acompromise; &ch-faq; &ch-append; harden-doc-3.15.1/howto-source/custom.ent0000644000000000000000000000026310060133130015137 0ustar harden-doc-3.15.1/howto-source/Makefile0000644000000000000000000001707111740132500014570 0ustar # # Based Makefile Template from Osamu Aoki # # Build html(multi-page), txt, ps, pdf, and other formats. # # Should work both for a manual in the Debian Documentation Project # manuals.sgml tree, and for the package build. # ------------------------------------------------------------------- # # WARNING # # Use with caution, aimed at Woody system # # "ps" and "pdf" tends to break in some ill-configured systems # # ------------------------------------------------------------------- # # Read local texmf.cnf file .SUFFIXES: # Following default shall be edited by the coordinator for the entire # set of languages. 
# If a subsection owner wishes to override settings,
# they can be overridden by running make with "make 'LANGS1=fi'" etc..
# ===================================================================
#
# Default configuration part: Customize
#
# ===================================================================
#
# The directory in which this makefile resides must also contain a file
# called .[.]sgml, which is the top-level file
# for the manual in this directory.

# Basename of the generated, language-dependent SGML (DDP default).
MANUAL := securing-debian-howto

# Basename of the language-independent SGML template.
MANUAL0 := $(MANUAL)

# Build type; recognised values: web | package.
BUILD_TYPE := web

# Where the "publish-*" targets install the built manual. A higher-level
# makefile can (and will) override this.
PUBLISHDIR := ~/public_html/manuals.html

# Languages whose translation is maintained as separate SGML, not via po4a.
LANGSNOPO := en de es it pt-br ru ja zh-cn

# Languages whose translation is maintained as a po4a PO file.
LANGSPO := fr

# Languages built for the DDP "publish" target.
LANGS := en de fr pt-br

# Non-SGML inputs that still affect SGML generation.
SGMLENTS := custom.ent default.ent

# Map a list of language codes onto their generated top-level SGML names.
sgml_for = $(patsubst %,$(MANUAL).%.sgml,$(1))

# Every SGML source: one generated top-level file per language, the
# per-language chapter files under <lang>/, and the shared entity files.
SGMLSRCS := $(call sgml_for,$(LANGS)) \
            $(wildcard $(addsuffix /*.sgml,$(LANGS))) \
            $(SGMLENTS)

# Top-level SGML targets generated with sed from the template.
SGMLNOPOSRCS := $(call sgml_for,$(LANGSNOPO))

# Top-level SGML targets generated by po4a.
SGMLPOSRCS := $(call sgml_for,$(LANGSPO))

# ===================================================================
#
# Build target default part: Routine
#
# ===================================================================
#
# If some languages have problems building, filter-out in here.
# Derive the debiandoc locale from the language stem for the four build
# targets below. This is a pattern-specific variable with recursive
# flavour, so $* is resolved per target at build time.
$(MANUAL).%.html.stamp $(MANUAL).%.txt $(MANUAL).%.ps $(MANUAL).%.pdf: \
    locale=$(subst pt-br,pt_BR,\
    $(subst zh-cn,zh_CN,\
    $(subst fr,fr.UTF-8,\
    $*)))
### Full guide
# Per-language HTML stamp files (the HTML output is a directory, so a
# stamp file stands in for it as the make target).
HTMLS := $(foreach lang,$(LANGS),$(MANUAL).$(lang).html.stamp)
# Per-language plain-text output.
TXTS := $(foreach lang,$(LANGS),$(MANUAL).$(lang).txt)
# Per-language PostScript output.
PSS := $(foreach lang,$(LANGS),$(MANUAL).$(lang).ps)
# Per-language PDF output.
PDFS := $(foreach lang,$(LANGS),$(MANUAL).$(lang).pdf)
# ===================================================================
#
# Build target part: Customize
#
# ===================================================================
#
# If some languages have problems building, filter-out in here.
all: html txt ps pdf
html: $(HTMLS)
# "text" is kept as an alias of "txt".
text txt: $(TXTS)
ps: $(PSS)
pdf: $(PDFS)
publish: publish-html publish-txt publish-ps publish-pdf
# ===================================================================
#
# Build rule part: If not package build
#
# ===================================================================
# Per-language entity file included by the SGML sources.
# NOTE(review): the entity declarations that belong inside these quotes
# appear to have been stripped from this copy of the file (the echoed
# strings are empty here); compare against the original before relying
# on this rule.
$(MANUAL).%.ent:
	echo "" > $@
	echo "" >> $@
	echo "" >> $@
	echo "" >> $@
# ===================================================================
#
# Build rule part: Routine
#
# ===================================================================
# SGML
# Create starting SGML for each language from the template. Actual
# contents reside in language-segregated subdirectories.
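$(SGMLNOPOSRCS): $(MANUAL).%.sgml: $(MANUAL0).sgml
	sed -e "s/@@LANGS@@/$*/g" \
	    -e "s/@@DIRS@@/$*/g" \
	    -e "s/@@NAME@@/$(MANUAL)/g" \
	    $< > $@

# Create starting SGML for each language handled with po4a.
# po4a writes every language configured in po4a.cfg in one run, not only
# $@; with a single po4a language this is harmless, but the rule is not
# parallel-safe if LANGSPO grows.
$(SGMLPOSRCS): $(MANUAL).%.sgml: $(MANUAL).en.sgml $(MANUAL).en.ent po4a/po/%.po
	po4a po4a/po4a.cfg

# HTML: debiandoc2html writes a directory, so a stamp file is the target.
$(MANUAL).%.html.stamp: $(MANUAL).%.sgml $(MANUAL).%.ent $(SGMLSRCS)
	debiandoc2html -l $(locale) -C $<
# since $(MANUAL).%.html/index.%.html cannot be a target file, rename the
# files that carry the lower-cased/dashed locale back to the language
# stem. A shell glob replaces the former backquoted `ls` so file names
# are not re-split, and variables are quoted for the same reason.
	@for file in $(MANUAL).$*.html/* ; do \
	newfile=`echo "$$file"|\
	sed 's/$(shell echo $*|\
	sed 'y/ABCDEFGHIJKLMNOPQRSTUVWXYZ_/abcdefghijklmnopqrstuvwxyz-/'\
	)\.html/$*\.html/'`; \
	if [ "$$file" != "$$newfile" ] ; then \
	mv "$$file" "$$newfile" || exit 1; \
	echo "Rename $$file --> $$newfile"; \
	fi \
	done
	touch $@

# TXT
$(MANUAL).%.txt: $(MANUAL).%.sgml $(MANUAL).%.ent $(SGMLSRCS)
	debiandoc2text -l $(locale) $<

# PS
$(MANUAL).%.ps: $(MANUAL).%.sgml $(MANUAL).%.ent $(SGMLSRCS)
	debiandoc2latexps -l $(locale) $<

# PDF
$(MANUAL).%.pdf: $(MANUAL).%.sgml $(MANUAL).%.ent $(SGMLSRCS)
	debiandoc2latexpdf -l $(locale) $<

# DVI (not part of "all"; no locale is set for this target)
$(MANUAL).%.dvi: $(MANUAL).%.sgml $(MANUAL).%.ent $(SGMLSRCS)
	debiandoc2dvi $<

# ===================================================================
#
# Build rule part: Web publish
#
# ===================================================================
# Destination directory. It is an order-only prerequisite of the
# publish-* targets, so it is created once and its mtime never
# triggers work.
publish_dir := $(PUBLISHDIR)/$(MANUAL)

# Refuse to touch "/$(MANUAL)" if PUBLISHDIR was overridden with an
# empty value; expands to nothing (a no-op recipe line) otherwise.
check_publishdir = $(if $(strip $(PUBLISHDIR)),,$(error PUBLISHDIR is empty; refusing to operate on $(publish_dir)))

$(publish_dir):
	install -d -m 755 $@

# The install loops stop at the first language that fails instead of
# silently continuing (the former $(foreach ...) joined the commands
# with ";", so only the last install's status was checked). Commands
# are deliberately not @-silenced so a failing install is visible.
publish-html: html | $(publish_dir)
	$(check_publishdir)
	rm -f $(publish_dir)/*.html
	for lang in $(LANGS); do \
	  install -p -m 644 $(MANUAL).$$lang.html/*.html $(publish_dir)/ || exit 1; \
	done

publish-txt: txt | $(publish_dir)
	$(check_publishdir)
	rm -f $(publish_dir)/*.txt
	for lang in $(LANGS); do \
	  install -p -m 644 $(MANUAL).$$lang.txt $(publish_dir)/ || exit 1; \
	done

publish-ps: ps | $(publish_dir)
	$(check_publishdir)
	rm -f $(publish_dir)/*.ps
	for lang in $(LANGS); do \
	  install -p -m 644 $(MANUAL).$$lang.ps $(publish_dir)/ || exit 1; \
	done

publish-pdf: pdf | $(publish_dir)
	$(check_publishdir)
	rm -f $(publish_dir)/*.pdf
	for lang in $(LANGS); do \
	  install -p -m 644 $(MANUAL).$$lang.pdf $(publish_dir)/ || exit 1; \
	done

#====[ validating SGML ]=======================================================
# Fail on the first language that does not validate.
validate:
	set -x; for i in $(LANGS); do $(MAKE) validate1-$$i || exit 1; done

# The entity and SGML files are named $(MANUAL).<lang>.*, matching the
# rules above (the former "$(MANUAL)-<lang>" spelling had no rule that
# could build it).
validate1-%: $(SGMLSRCS) $(MANUAL).%.ent
	nsgmls -gues -wall $(MANUAL).$*.sgml

#====[ cleaning up ]===========================================================
distclean: clean
	$(check_publishdir)
	rm -Rf $(publish_dir)
	rm -f *.error $(MANUAL).*.sgml

# Suffixes of build products removed by "clean"; spelled out with make
# rather than shell brace expansion, which /bin/sh does not support
# (with brace expansion the pattern was passed to rm literally).
clean_suffixes := txt ps dvi pdf info* log tex aux toc sasp* out tov

clean:
	rm -f $(addprefix $(MANUAL)*.,$(clean_suffixes))
	rm -f *~ prior.aux pprior.aux body.tmp head.tmp tar.gz.log
	rm -f *.error $(MANUAL).*.ent $(MANUAL).*.sgml date.ent $(MANUAL).*.tpt
	rm -rf $(MANUAL)*.html *stamp

# Remove a half-written target when its recipe fails so it is not taken
# as up to date on the next run.
.DELETE_ON_ERROR:

.PHONY: all html text txt ps pdf \
        publish publish-html publish-txt publish-ps publish-pdf \
        clean distclean validate
harden-doc-3.15.1/debian/0000755000000000000000000000000012015443215011712 5ustar harden-doc-3.15.1/debian/clean0000755000000000000000000000005107410402314012716 0ustar #!/bin/sh (cd howto-source; make clean) harden-doc-3.15.1/debian/harden-doc.dirs0000644000000000000000000000003607351464200014604 0ustar usr/share/doc/harden-doc/html harden-doc-3.15.1/debian/control.all-langs0000644000000000000000000000162711252374441015200 0ustar Source: harden-doc Section: doc Priority: extra Maintainer: Javier Fernandez-Sanguino Pen~a Build-Depends-Indep: debhelper (>> 3.0.0), dpsyco-devel, debiandoc-sgml (>=1.1.86), perl, texinfo, tetex-bin, tetex-extra, gs-gpl | gs-esp, latex-cjk-common, latex-cjk-chinese-arphic-gkai00mp | tfm-arphic-gkai00mp Standards-Version: 3.5.8 Homepage: http://www.debian.org/doc/manuals/securing-debian-howto/ Package: harden-doc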
Architecture: all Description: Useful documentation to secure a Debian system Harden-doc will install documentation an administrator can use to make a Debian system more secure. It currently provides the 'Securing Debian Manual' from the Debian Documentation Project. . The manual is provided both in English and in all available translations, which might not be, however fully up-to-date. Available translations include: French, German, Japanese and Simplified Chinese. harden-doc-3.15.1/debian/dhelp0000644000000000000000000000044010551674045012741 0ustar system Securing Debian Manual html/securing-debian-howto/index.en.html This manual describes the security of the Debian GNU/Linux operating system and how security is handled within the Debian project. harden-doc-3.15.1/debian/rules0000755000000000000000000000233311436703415013002 0ustar #!/usr/bin/make -f
# Sample debian/rules that uses debhelper.
# GNU copyright 1997 to 1999 by Joey Hess.
# Uncomment this to turn on verbose mode.
#export DH_VERBOSE=1
# This is the debhelper compatibility version to use.
# export DH_COMPAT=5
# Stamp files record that a step already ran so make does not repeat it.
configure: configure-stamp
configure-stamp:
	dh_testdir
	touch configure-stamp
build: configure-stamp build-stamp
build-stamp:
	dh_testdir
# Runs the top-level Makefile of the source tree (not shown in this copy).
	$(MAKE)
	touch build-stamp
clean:
	dh_testdir
	dh_testroot
# The leading "-" ignores a failure; "rm -f" does not fail on a missing
# file, so it only matters for the "$(MAKE) clean" line below.
	-rm -f build-stamp configure-stamp
	-$(MAKE) clean
	dh_clean
install: build
	dh_testdir
	dh_testroot
# NOTE(review): "dh_clean -k" is the pre-debhelper-7 spelling of dh_prep;
# it is kept because Build-Depends only requires debhelper (>> 3.0.0).
	dh_clean -k
	dh_installdirs
	$(MAKE) install
# Presumably provided by the dpsyco-devel build-dependency — verify.
	dpsch-cvsclean
# Build architecture-dependent files here (nothing to do: the package is
# Architecture: all).
binary-arch:
# Build architecture-independent files here.
binary-indep: build install
	dh_testdir -i
	dh_testroot -i
	dh_installdebconf -i
# Note: dh_dhelp is no longer available (deprecated) so we just ship
# the doc-base files:
	dh_installdocs -i
#	dh_installexamples -i
	dh_installinfo -i
	dh_installchangelogs -i
	dh_link -i
	dh_compress -i
	dh_fixperms -i
	dh_installdeb -i
	dh_shlibdeps -i
	dh_gencontrol -i
	dh_md5sums -i
	dh_builddeb -i
binary: binary-indep
# Maintainer convenience: refresh the manual sources from the DDP repository.
update:
	cd howto-source && svn update
.PHONY: build clean binary-indep binary-arch binary install configure
harden-doc-3.15.1/debian/harden-doc.doc-base0000644000000000000000000000176511252376240015323 0ustar Document: securing-debian-howto Title: Securing Debian HOWTO Author: Javier Fernández-Sanguino Peña, Alexander Reelsen Abstract: This manual describes the security of the Debian GNU/Linux operating system and within the Debian project. It starts with the process of securing and hardening the default Debian GNU/Linux installation (both manually and automatically), covers some of the common tasks involved in setting up a secure user and network environment, gives information on the security tools available, steps to take before and after a compromise and also describes how security is enforced in Debian by the security team. The document includes a step by step hardening guide and within the appendix there is detailed information on how to setup an intrusion detection system and a bridge firewall with Debian GNU/Linux.
Section: debian Format: HTML Index: /usr/share/doc/harden-doc/html/securing-debian-howto/index.en.html Files: /usr/share/doc/harden-doc/html/securing-debian-howto/*.html harden-doc-3.15.1/debian/compat0000644000000000000000000000000211322720313013105 0ustar 5 harden-doc-3.15.1/debian/TODO.Debian0000644000000000000000000000021407727337610013577 0ustar - Consider dividing it into binary packages based on languages - The package should provide the SGML source and only update it if needed harden-doc-3.15.1/debian/changelog0000644000000000000000000006563612015443215013604 0ustar harden-doc (3.15.1) unstable; urgency=low * Team upload. * Allow po4a to handle translations. (Closes: #666786) * Update French translation via PO file. -- David Prévot Thu, 23 Aug 2012 11:04:36 -0400 harden-doc (3.15) unstable; urgency=low * Update the package with the latest sources - Fix broken links (Closes: 636582) * Apply patch provided by Jari Aalto that adds the DEBIANDOC2LATEXPS_FLAGS to help debug build issues (Closes: 579902) -- Javier Fernandez-Sanguino Pen~a Mon, 26 Mar 2012 23:18:08 +0200 harden-doc (3.13.3) unstable; urgency=high * Fix RC-bug (FTBFS) due to a bug in debiandoc-sgml generation of the TeX for French by working around it and removing the tags in the section header of the French documentation. (Closes:#571429) * Replace dependency with gs-gpl | gs-eps to ghostscript since the previous packages are obsolete (Closes: #575656) * Remove CVS subdirs from the local copy of the sources and use SVN instead. * Update debian/control to add references to the location of the SVN sources at Alioth. * Update to latest content in DDP SVN. 
* Add an 'update' target in debian/rules to update the sources -- Javier Fernandez-Sanguino Pen~a Mon, 30 Aug 2010 06:16:39 +0200 harden-doc (3.13.2) unstable; urgency=low * Fix FTBFS by changing Build-Depends-Indep tetex-bin and tetex-extra dependencies to texlive and texlive-latex-extra (Closes: #562376) * Update to debhelper compatibility version 5 in debian/compat, comment out the definition of DH_COMPAT in debian/rules -- Javier Fernandez-Sanguino Pen~a Mon, 11 Jan 2010 22:57:00 +0100 harden-doc (3.13.1) unstable; urgency=low * Drop hbf-kanji48 Build-Dependency, as this package's removal has been requested (see #503506). The Build-Dependency was required for the japanese translation but we do not provide it currently. * Fix lintian-error doc-base-file-uses-obsolete-national-encoding by converting debian/harden-doc.doc-base from ISO-8859-1 to UTF-8 * Update debian/control since it claimed that the package included Japanese and Traditional Chinese translations when it actually does not. 
* Move over the Build-Dependencies for languages that we do not provide to a new debian/control.all-langs, in this file: - Replace cjk-latex with latex-cjk-common, as the former is a dummy package -- Javier Fernandez-Sanguino Pen~a Fri, 11 Sep 2009 08:55:18 +0200 harden-doc (3.13) unstable; urgency=low * Fix encoding in debian/changelog and debian/copyright (Closes: #454001) * Move Homepage to package header * Make it Build-Depend on latex-cjk-chinese-arphic-gkai00mp instead of on tfm-arphic-gkai00mp * Update to latest CVS version: - Fix references to Lion and Ramen worm (Closes: #396387) - Fix location of testing-security repositories (Closes: #416560) - Update documentation to refer to linux-image in the examples instead of kernel-image (Closes: #419483) - Fix typos spotted by Francesco Poli (Closes: #420378) - Fix minor bugs in Snort appendix (Closes: #402637) - Fix location of syslog options (Closes: 412482) -- Javier Fernandez-Sanguino Pen~a Mon, 11 Feb 2008 21:56:37 +0100 harden-doc (3.11) unstable; urgency=high * Added an emtpy binary-arch target, following Policy requirements and and the Etch release standards (Closes: #395608) * Added a dhelp file (for the english document only) although the doc-base files should be sufficient (Closes: #344879) * Updated to the latest CVS release, this release includes many changes to make the document more current and up-to-date: - Remove most references to the woody release as it is no longer available (in the archived) and security support for it is no longer available. (Closes: #385420) - Describe how to restrict users so that they can only do file transfers (Closes: #385431) - Added a note regarding the debian-private declasiffication decission (Closes: #401234) - Updated link of incident handling guides (Closes: #395385) - Added a note saying that development tools (compilers, etc.) are not installed now in the default 'etch' installation. 
- Fix references to the master security server (Closes: #398656) - Add pointers to additional APT-secure documentation - Improve the description of APT signatures - Comment out some things which are not yet final related to the mirror's official public keys. - Fixed name of the Debian Testing Security Team (Closes: #393986) - Remove reference to sarge in an example (Closes: #393760) - Update the antivirus section, clamav is now available on the release. Also mention the f-prot installer (Closes: #392822) - Removes all references to freeswan as it is obsolete - Describe issues related to ruleset changes to the firewall if done remotely and provide some tips (in footnotes) (Closes: #383404) - Update the information related to the IDS installation (Closes: #402637) - Rewrite the "running bind as a non-root user" section as this no longer applies to Bind9. Also remove the reference to the init.d script since the changes need to be done through /etc/default (Closes: #402966) - Remove the obsolete way to setup iptables rulesets as woody is no longer supported. - Revert the advice regarding LOG_UNKFAIL_ENAB it should be set to 'no' (as per default) (Closes: #385422) - Added more information related to updating the system with desktop tools (including update-notifier) and describe aptitude usage to update the system. 
Also note that dselect is deprecated (Closes: #394151) - Updated the contents of the FAQ and removed redundant paragraphs (Closes: #355765, #400938) - Review and update the section related to forensic analysis of malware (Closes: #396271) - Remove or fix some dead links (Closes: #399943, #401602, #404225, #403829, #396387) - Fix many typos and gramatical errors reported by Francesco Poli (Closes: #397376, #398674, #400126, #401235, #401752, #401926, #402966, #403950, #403951, #404126, #404224, #392700, #393759, #393761, #397377, #397990, #399942, #394157) * Use debhelper compatibility version 4 -- Javier Fernandez-Sanguino Pen~a Fri, 12 Jan 2007 12:07:31 +0100 harden-doc (3.9) unstable; urgency=low * Updated to latest CVS version (3.9) - Add information on how to track security vulnerabilities and add references to the Debian Testing Security Tracker. - Add more information on the security support for testing. - Fix a large number of typos with a patch provided by Simon Brandmair. - Added section on how to disable root prompt on initramfs provided by Max Attems (Closes: #387736) - Remove references to queso (Closes: #391262) - Note that testing is now security-supported (Close: #331560) - Update German translation (now in version 3.8) -- Javier Fernandez-Sanguino Pen~a Thu, 12 Oct 2006 13:10:07 +0200 harden-doc (3.8) unstable; urgency=low * Updated to latest CVS version (3.8) - Rewrote the information on how to setup ssh chroots to clarify the different options available, thank to Bruce Park for bringing up the different mistakes in this appendix. - Fix lsof call as suggested by Christophe Sahut. (Closes: #375312) - Include patches for typo fixes from Uwe Hermann (Closes: #369460, #369695) - Fix typo in reference spotted by Moritz Naumann. (Closes: #376395) (Version 3.7 changes): - Add a section on Debian Developer's best practices for security. - Ammended firewall script with comments from WhiteGhost. 
* Fix changelog for 3.5 as it did not mention the 3.5 changes (but actually those from version 3.6) -- Javier Fernandez-Sanguino Pen~a Fri, 18 Aug 2006 18:09:58 +0200 harden-doc (3.5) unstable; urgency=medium * Updated to latest CVS version (3.6 and 3.5): (Version 3.6 changes): - Patch from Joost van Baal improving the information on the firewall section (pointing to the wiki instead of listing all firewall packages available) (Closes: #339865) - Fix some typos (Closes: #342152, #340535) - Provides new Makefile which builds with latest make version (Closes: #359840) - Use the quote from the Social Contract 1.1 instead of 1.0 as suggested by Francesco Poli. (Closes: #335104) - Included a patch from Thomas Sjögren which describes that 'noexec' works as expected with "new" kernels, adds information regarding tempfile handling, and some new pointers to external documentation. - Add a pointer to Dan Farmer's and Wietse Venema's forensic discovery web site, as suggested by Freek Dijkstra, and expanded a little bit the forensic analysis section with more pointers. - Fixed URL of Italy's CERT, thanks to Christoph Auer. - Reuse Joey Hess' information at the wiki on secure apt and introduce it in the infrastructure section. - Review sections refering to old versions (woody or potato) - Fix some cosmetic issues with patch from Simon Brandmair. - Included patches from Carlo Perassi: acl patches are obsolete, openwall patches are obsolete too, removed fixme notes about 2.2 and 2.4 series kernels, hap is obsolete (and not present in WNPP), remove references to Immunix (StackGuard is now in Novell's hands), and fix a FIXME - Updated references to SElinux web pages to point to the Wiki (currently the most up to date source of information) - Include file tags and make a more consistent use of "MD5 sum" with a patch from Jens Seidel. - Review the FAQ section on vulnerability stats, thanks to Carlos Galisteo de Cabo for pointing out that it was out of date. 
(Closes: #348851) (Version 3.5 changes): - Note on the SSH section that the chroot will not work if using the nodev option in the partition and point to the latest ssh packages with the chroot patch, thanks to Lutz Broedel for pointing these issues out. - Fix typo spotted by Marcos Roberto Greiner (md5sum should be sha1sum in code snippet) - Included Jens Seidel's patch fixing a number of package names and typos. - Slightly update of the tools section, removed tools no longer available and added some new ones. - Rewrite parts of the section related to where to find this document and what formats are available (the website does provide a PDF version). Also note that copies on other sites and translations might be obsolete (many of the Google hits for the manual in other sites are actually out of date). * Translation updates: - German translation update - French translation update -- Javier Fernandez-Sanguino Pen~a Thu, 30 Mar 2006 23:42:12 +0200 harden-doc (3.4) unstable; urgency=low * Updated to latest CVS version (3.4): * Improved the after installation security enhancements related to kernel configuration for network level protection with a sysctl.conf file provided by Will Moy. * Improved the gdm section, thanks to Simon Brandmair. * Typo fixes from Frederic Bothamy and Simon Brandmair. * Improvements in the after installation sections related to how to generate the MD5 (or SHA-1) sums of binaries for periodic review. * Updated the after installation sections regarding checksecurity configuration (was out of date). 
- German translation update by Simon Brandmair, proofread by Jens Seidel - French translation update by Frederic Bothamy * Clarify licensing in debian/copyright (Closes: #333453) * Updated the FSF address * Removed out of date languages: Spanish, Russian, Italian and Chinese * Fix encoding in debian/changelog -- Javier Fernandez-Sanguino Pen~a Wed, 19 Oct 2005 10:01:19 +0200 harden-doc (3.3) unstable; urgency=low * Updated to latest CVS version (3.3) - Rewrite section on services (default ones installed, how to remove them or deactive them, etc.) (Closes: #312811) - Add a sample code using grep-status to output the list of packages that Depend on perl (Closes: #302470) - French translation update by Frederic Bothamy - German translation update by Simon Brandmair, Jens Seidel - Minor fixes from Jens Seidel * Added zh-cn to the build * debian/control: Added to Build-Depends-Indep: - gs-gpl | gs-esp: required for PDF's thumbnail generation. - tfm-arphic-gkai00mp: zh_CN Kai TeX font metric files, depends on truetype font package - added versioned dependency (>= 1.1.86) on debiandoc-sgml * Removed Italian, Russian and Spanish version from the build as they are not being kept up to date. 
-- Javier Fernandez-Sanguino Pen~a Sat, 18 Jun 2005 23:58:48 +0200 harden-doc (3.2.4) unstable; urgency=low * Update to latest CVS: - Fix revision tracking issues and typos found by Jens Seidel - French translation update by Frederic Bothamy - German translation update by Jens Seidel - Minor revision of Portuguese translation by Philipe Gaspar and fixes to build by Jens Seidel -- Javier Fernandez-Sanguino Pen~a Sat, 14 May 2005 22:04:58 +0200 harden-doc (3.2.3) unstable; urgency=low * Updated to latest CVS: - French translation update by Frederic Bothamy * Fixed ISO-8859-1 chars in debian/changelog -- Javier Fernandez-Sanguino Pen~a Wed, 11 May 2005 21:13:12 +0200 harden-doc (3.2.2) unstable; urgency=medium * Updated to latest CVS in preparation for the sarge release: - French translation update by Frederic Bothamy - Minor fixes from Jens Seidel - Typo fixes spotted by Frederic Bothamy - Updated some information refering to the imminent release and note that some changes only apply to the old (3.1) Debian release - Added more information on kernel upgrades specially for those that might upgrade from older installs (which were not packaged-based) - Moved the apt 0.6 information to its own section. -- Javier Fernandez-Sanguino Pen~a Wed, 11 May 2005 00:45:58 +0200 harden-doc (3.2.1) unstable; urgency=medium * Updated to latest CVS with some improvements in the documentation including typo fixes. More specifically includes: - Rewrote the firewall section, moved the information that applies to woody down and expand the other sections including some information on how to manually set the firewall (with a sample script) and how to test the firewall configuration. (Closes: #297746) - Expanded the section on security updates mentioning library and kernel updates and how to detect when services need to be restarted. 
(Closes: #306502) - Fixed license name (Closes: #304770) The firewall section change is important so that 'sarge' users are aware of how they should tackle the issue, thus the medium priority. * Removed some stale CVS files from the sources * Added warning notes to the spanish, russian and japanese translations since they are _very_ out of date and might contain innacurate information. -- Javier Fernandez-Sanguino Pen~a Fri, 6 May 2005 21:06:55 +0200 harden-doc (3.2) unstable; urgency=low * Updated to latest CVS sources (version 3.2) with some improvements Also - Fixes call to ps (Closes: #302468) - Adds a FAQ item on how to recover from removing system users (Closes: #302442) - German translation update by Simon Brandmair -- Javier Fernandez-Sanguino Pen~a Fri, 15 Apr 2005 00:44:24 +0200 harden-doc (3.0.1.4) unstable; urgency=low * Removed the Recommends on 'lskb' as it is no longer updated * Re-added the PDF generation once I've added the Build-Depends for cjk-latex and hbf-kanji48 necessary for Japanese PDF generation (I can't get zh-cn to build, however, probably because of a mis-configuration in my local system) * Added a note in debian/control regarding the language files provided in this package. -- Javier Fernandez-Sanguino Pen~a Sun, 13 Mar 2005 12:59:25 +0100 harden-doc (3.0.1.3) unstable; urgency=low * Updated from CVS -- Javier Fernandez-Sanguino Pen~a Fri, 11 Mar 2005 01:55:30 +0100 harden-doc (3.0.1.2) unstable; urgency=low * Updated from CVS, many changes including: - Clarify comments on ro /usr (Closes: #287522) - Clarification on RPC section (Closes: #256523) * Fix doc-base script, removed postscript, text and PDF versions since doc-base only handles HTML files at present. (Closes: #285664) -- Javier Fernandez-Sanguino Pen~a Sun, 16 Jan 2005 03:55:22 +0100 harden-doc (3.0.1.1) unstable; urgency=medium * Readded english translation which was lost because the Makefile structure changed. 
Also added Italian and German translations, which were missing too. (Closes: #283977) -- Javier Fernandez-Sanguino Pen~a Fri, 3 Dec 2004 12:28:32 +0100 harden-doc (3.0.1) unstable; urgency=low * Updated to latest CVS version, mostly included updated translations (Closes: #281926) * Removed debian/harden-doc.info since no info targets are built -- Javier Fernandez-Sanguino Pen~a Sat, 20 Nov 2004 01:48:05 +0100 harden-doc (3.0) unstable; urgency=low * Updated to latest CVS version. -- Javier Fernandez-Sanguino Pen~a Fri, 4 Jun 2004 20:14:45 +0200 harden-doc (2.100) unstable; urgency=low * Updated to latest CVS version which includes: - Proper translation of the Debian Social Contract (Closes: #246104, #246107) -- Javier Fernandez-Sanguino Pen~a Tue, 1 Jun 2004 01:22:23 +0200 harden-doc (2.99) unstable; urgency=low * Removed lasg from Suggests * Updated to latest CVS version which includes: - More information regarding testing security support (Closes: #233955) - Correct links to the snoopy sourceforge project (Closes: #179409) - Guarddog is now listed as part of the firewall configuration packages (Closes: #170710) -- Javier Fernandez-Sanguino Pen~a Fri, 5 Mar 2004 09:17:06 +0100 harden-doc (2.98) unstable; urgency=low * Updated to the latest version and included the french translation. * Fixed maintainer e-mail address -- Javier Fernandez-Sanguino Pen~a Sat, 14 Feb 2004 20:55:55 +0100 harden-doc (2.96) unstable; urgency=low * This is a new source package (harden-doc) based on Ola's harden-* packages. I'm keeping the changelog of all the previous harden source packages changes (since some apply to changes previously done with this new version) * Updated the Manual from CVS (version 2.96) * This package now provides also the italian, german and japanese translation which are fairly up-to-date. * Fixed the makefile which entered into an endless loop if the sources were not available. 
* The package now provides the SGML sources, fresh from CVS, it will still work if the CVS sources are not available and will retrieve them first. -- Javier Fernandez-Sanguino Pen~a Tue, 9 Sep 2003 13:47:11 +0200 harden (0.1.9) unstable; urgency=low * Split out harden-*flaws to its separate package. * Fixed descrioptions so that they do not contain a full stop. * Fixed other description issues. * Updated standards version to 3.5.8. * Updated securing debian howto from cvs. * Added depend on nagios, closes: #167624. * Fixed remoteaudit suggestion, closes: #175284. * Added suggestion of libsafe, closes: #144124. -- Ola Lundqvist Thu, 17 Apr 2003 17:32:58 +0200 harden (0.1.8) unstable; urgency=low * Fixed doc-base problem, closes: #167361. -- Ola Lundqvist Mon, 4 Nov 2002 15:03:55 +0100 harden (0.1.7) unstable; urgency=medium * Fixed doc-base problem, closes: #151883. Thanks to Adam Byrtek for the fix. * Updated with the latest cvs, closes: #159467. -- Ola Lundqvist Wed, 11 Sep 2002 09:11:46 +0200 harden (0.1.6) unstable; urgency=medium * Updated with new security issues. -- Ola Lundqvist Thu, 29 Aug 2002 07:32:17 +0200 harden (0.1.5) unstable; urgency=low * Fixed build failure, closes: #146083. Thanks to: Junichi Uekawa . * Licq is ok for unstable, closes: #144994. * Updated build structure. * Changed /etc/dpkg/dpkg.conf to /etc/dpkg/dpkg.cfg in howto, closes: #145002. -- Ola Lundqvist Tue, 7 May 2002 08:37:13 +0200 harden (0.1.4) unstable; urgency=critical * Updated flaw conflicts from woody security roundup. -- Ola Lundqvist Sat, 27 Apr 2002 23:48:36 +0200 harden (0.1.3) unstable; urgency=medium * Updated because of new dsa information. -- Ola Lundqvist Wed, 17 Apr 2002 18:35:24 +0200 harden (0.1.2) unstable; urgency=low * Fixed conflict on phpgroupware, closes: #143057. * Added some new dsa from security.debian.org. * Conflicts with pidentd, closes: #143116. 
-- Ola Lundqvist Tue, 16 Apr 2002 23:12:41 +0200 harden (0.1.1) unstable; urgency=low * Fixed spelling error, closes: #141717. -- Ola Lundqvist Mon, 8 Apr 2002 20:51:11 +0200 harden (0.1.0) unstable; urgency=low * Updated security manual from cvs, closes: #141339. * Fixed build dependency, closes: #141263. * Fixed preconfigure problem, closes: #141285. * Added conflict with mtr, closes: #140146. * Conflict with buggy webmin, closes: #140370. * Fixed fetchmail problem by adding debconf question instead, closes: #94472. * Decided that the debconf questions is good enough for a new middle revision. -- Ola Lundqvist Fri, 5 Apr 2002 21:09:37 +0200 harden (0.0.15) unstable; urgency=low * Created a harden development package, closes: #113963. * No longer conflict with xvncviewer because it can be used in ssh-tunnel mode, closes: #136238. * Can not see any problems with the .dhelp file. Must be a old error, closes: #138636. * Started to use debconf to guide the installation, closes: #111322. -- Ola Lundqvist Fri, 22 Mar 2002 19:44:39 +0100 harden (0.0.14) unstable; urgency=low * Fixed dob-base problem in a better way. -- Ola Lundqvist Wed, 6 Mar 2002 16:48:56 +0100 harden (0.0.13) unstable; urgency=low * Updated howto. * Fix build dependency, closes: #133160. * Fixed postinst problem, closes: #130674. * Updated the documentation description, on what to read, closes: #133981. * Fixed long description line in harden-tools, closes: #130991. -- Ola Lundqvist Sun, 17 Feb 2002 11:43:05 +0100 harden (0.0.12) unstable; urgency=low * Fixed info file issues, closes: #127045, #127437. * Updated the harden howto, removing japan translation becuase of build errors. -- Ola Lundqvist Sat, 19 Jan 2002 12:20:11 +0100 harden (0.0.11) unstable; urgency=low * Fixed critical issue with net build assumption. * Fixed caffeine underrun problem in harden-doc. Doc-base, closes: #124259. * Changed priority, closes: #124131. * Fixed spelling error in harden-tools, closes: #124728. 
* Fixed spelling error in harden-servers, closes: #124727. * Fixed spelling error in harden-remoteflaws, closes: #124726. * Fixed spelling error in harden-environment, closes: #124723. * Fixed spelling error in harden-localflaws, closes: #124724. * Fixed spelling error in harden-doc, closes: #124722. * Fixed spelling error in harden-clients, closes: #124721. * Fixed spelling error in harden, closes: #124720. * Fixed spelling error in harden-remoteaudit: #124725. * Added some more suggestions to remoteaudit. -- Ola Lundqvist Thu, 20 Dec 2001 16:34:23 +0100 harden (0.0.10) unstable; urgency=low * Fix info problem in harden-doc, closes: #124145. -- Ola Lundqvist Sun, 16 Dec 2001 16:10:13 +0100 harden (0.0.9) unstable; urgency=low * Fixed document download, closes: #114777, #111723, #111722. * Only suggest non-free package lasg, closes: #123085. * Copyright fixed, closes: #111725. * Fixed override, closes: #122861. * Spellfix upstream, closes: #111104. -- Ola Lundqvist Sat, 15 Dec 2001 13:18:37 +0100 harden (0.0.8) unstable; urgency=low * Move conflict of lynx to harden-localflaws, closes: #118976. * Close bug from 0.0.7, closes: #111728. * Fixed build depends to indep. -- Ola Lundqvist Mon, 13 Nov 2001 22:54:47 +0100 harden (0.0.7) unstable; urgency=low * Lowering the priority of bastille. Not good enough to be depended. Now just suggested. * Lowering the priority of tiger. Now suggested. It may be higher in the future. * Changed the priority to extra. * Fixed harden-doc description, closes: #111728. * Harden-clients now conflicts with lynx. -- Ola Lundqvist Thu, 27 Sep 2001 10:29:13 +0200 harden (0.0.6) unstable; urgency=low * Renamed to harden. * Fixed missing docs, closes: #105330. * Fixed unnecessary dirs, closes: #109995. * Fixed incorrect description of the client package, closes: #111390, #111729. * Added integrit and samhain as an alternative to tripwire, closes: #111724, #111529. * Added tiger and bastille, closes: #111726. 
* Created remoteaudit package and fixed apropriate things, closes: #111730, #111878. * Added lskb | lasg to harden-doc dependency, closes: #111876. * Fixed typo in harden-environment, closes: #111731. -- Ola Lundqvist Mon, 17 Sep 2001 22:54:53 +0200 task-harden (0.0.5) unstable; urgency=low * Added lids packages. * Added some ftp servers that should be avoided. * Removed nfs-common. Nfs is not insecure on the client side. * Added bwnfsd on the conflicts line instead. * Changed to the proper name for build depends on mirrortool -> omt. -- Ola Lundqvist Fri, 13 Jul 2001 23:10:27 +0200 task-harden (0.0.4) unstable; urgency=low * Fixed c&p error in description, closes: #94588. * Fixed fingerd conflict error in harden-servers, closes: #94591. * Added some more things to conflict. -- Ola Lundqvist Fri, 20 Apr 2001 11:56:55 +0200 task-harden (0.0.3) unstable; urgency=low * Splitted the package in several subpackages. * No longer conflicts with ftp-server, closes: #93512. -- Ola Lundqvist Mon, 2 Apr 2001 17:39:12 +0200 task-harden (0.0.2) unstable; urgency=low * Now conflicts some more packages. * Fixed description, closes: #92952. -- Ola Lundqvist Mon, 2 Apr 2001 17:39:12 +0200 task-harden (0.0.1) unstable; urgency=low * Initial Release, closes: #92431. 
-- Ola Lundqvist Sun, 1 Apr 2001 18:02:13 +0200 harden-doc-3.15.1/debian/control0000644000000000000000000000171012015440506013314 0ustar Source: harden-doc Section: doc Priority: extra Maintainer: Javier Fernandez-Sanguino Pen~a Build-Depends-Indep: debhelper (>> 3.0.0), dpsyco-devel, debiandoc-sgml (>=1.1.86), perl, texinfo, texlive, texlive-latex-extra, ghostscript, po4a Standards-Version: 3.5.8 Homepage: http://www.debian.org/doc/manuals/securing-debian-howto/ Vcs-Svn: svn://svn.debian.org/svn/ddp/manuals/trunk/securing-howto/ Vcs-Browser: http://svn.debian.org/viewsvn/ddp/manuals/trunk/securing-howto/ Package: harden-doc Architecture: all Description: Useful documentation to secure a Debian system Harden-doc will install documentation an administrator can use to make a Debian system more secure. It currently provides the 'Securing Debian Manual' from the Debian Documentation Project. . The manual is provided both in English and in all available translations, which might not be, however, fully up-to-date. Available translations include: French and German. harden-doc-3.15.1/debian/copyright0000644000000000000000000000363210754137703013663 0ustar This package was originally debianized by Ola Lundqvist on Sun, 1 Apr 2001 18:02:13 +0200. It provides the "Securing Debian Manual" written by Alexander Reelsen and Javier Fernández-Sanguino Peña Copyright (c) 2002-2005 Javier Fernández-Sanguino Peña (c) 2001 Alexander Reelsen, Javier Fernández-Sanguino Peña (c) 2000 Alexander Reelsen The "Securing Debian Manual" is free documentation; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2, or (at your option) any later version with the following three additional provisions: 1.-Permission is granted to make and distribute verbatim copies of this document provided the copyright notice and this permission notice are preserved on all copies. 
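2.-Permission is granted to copy and distribute modified versions of this document under the conditions for verbatim copying, provided that the entire resulting derived work is distributed under the terms of a permission notice identical to this one.
3.-Permission is granted to copy and distribute translations of this document into another language, under the above conditions for modified versions, except that this permission notice may be included in translations approved by the Free Software Foundation instead of in the original English.
The "Securing Debian Manual" is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License with your Debian GNU system, in /usr/share/common-licenses/GPL, or with the Debian GNU gnupg source package as the file COPYING. If not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
harden-doc-3.15.1/Makefile0000644000000000000000000000254710325377505012152 0ustar CVSROOT := :pserver:anonymous@cvs.debian.org:/cvs/debian-doc
# Where the manual is installed inside the package build tree.
DESTDOC := $(CURDIR)/debian/harden-doc/usr/share/doc/harden-doc

# These are the current languages that compile cleanly
# and are sufficiently up to date
VALIDLANGS := en de fr

# Anonymous pserver CVS is neither authenticated nor encrypted, and nothing
# below checks what gets checked out: if howto-source is missing at build
# time, unverified content is pulled straight into the package.  The shipped
# tree already contains howto-source and debian/rules refreshes it with svn,
# so the checkout is expected to be a maintainer fallback only.
# NOTE(review): the CVS location looks stale next to the Vcs-Svn field in
# debian/control; confirm before relying on force-update.

.PHONY: all build install install-howto clean howto-clean force-update

all: build
build: build-howto

# Recursive invocations use $(MAKE) so -n, -k and the jobserver propagate.
# build-howto is a real stamp file, hence not phony.
build-howto: howto-source
	(cd howto-source && $(MAKE) EXTS="txt ps pdf" LANGS="$(VALIDLANGS)")
	touch build-howto

install: install-howto

# Publish into DESTDOC, then flatten: the non-HTML formats go next to html/.
install-howto: build-howto
	(cd howto-source && $(MAKE) publish PUBLISHDIR=$(DESTDOC) EXTS="txt ps pdf" LNPUBDIRMAN="" LANGS="$(VALIDLANGS)")
	mv $(DESTDOC)/securing-debian-howto/*.ps $(DESTDOC)
	mv $(DESTDOC)/securing-debian-howto/*.txt $(DESTDOC)
	mv $(DESTDOC)/securing-debian-howto/*.pdf $(DESTDOC)
#	mkdir -p tmp-info
#	mv $(DESTDOC)/securing-debian-howto/*.info* tmp-info
#	./fixinfo
	mv $(DESTDOC)/securing-debian-howto $(DESTDOC)/html

clean: howto-clean
	$(RM) -R tmp-info
	$(RM) build-howto

# "-": a failing sub-make clean (e.g. a never-built tree) must not make the
# package clean fail.
howto-clean: howto-source
	-(cd howto-source && $(MAKE) clean)

howto-source: howto-source/securing-debian-howto.sgml

# One checkout recipe shared by the two targets below; pserver needs a
# login before the checkout.
define cvs_checkout
if echo "$(CVSROOT)" | grep pserver ; then cvs -d $(CVSROOT) login ; fi
cvs -d $(CVSROOT) -z3 checkout -d howto-source ddp/manuals.sgml/securing-howto
endef

howto-source/securing-debian-howto.sgml:
	$(cvs_checkout)

force-update:
	$(cvs_checkout)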