* [gentoo-dev] Security guidelines for Gentoo
From: kn @ 2002-03-14 9:11 UTC
To: gentoo-dev; +Cc: gentoo-user
Hello everyone,
I wrote to Drobbins yesterday to ask if someone already has written security
guideline documentation for Gentoo. He had not heard of any projects in that
direction. So I have started one :) ..
These are the chapters I want to write :
------------------
Step by step guide for Gentoo
Introduction
Credits
Considerations before installation
BIOS password
Services
Partition scheme
Root password
Policies
Why are policies needed
Security policy
Acceptable use policy
Email policy
Password policy
Tightening the security after/during installation
/etc/make.conf
Grub/Lilo password
Console restriction
More logging
syslogd
metalog
syslogd-n
Mounting of partitions
-noexec
-nosuid
-ro
User/group limitations
/etc/security/limits.conf
/etc/limits
Quotas
/etc/login.defs
/etc/login.access
File permissions
World readable
World writeable
SUID files
PAM
TCP Wrappers
Kernel security
/proc
Kernel patches
Grsecurity
Kerneli
Links for more kernel patches
OpenWall
LIDS
More ...
Securing Services
Using xinetd
ssh
X
Lpd
FTP
Pureftpd
Proftpd
virtual users
Apache
SSL
PHP
Mail
Qmail
Fighting Spam
virtual users
Bind
Samba
virtual users
Chroot
Firewall (Iptables)
Intrusion detection
Aide
Snort
Backup
Full system backup using Systemimager
Partial backup using tar
Backing up postgres
Pen-testing
Remote audits
Network audits
After a compromise
How to report an incident
Forensics analysis
Creating an image of the system without destroying evidence (Using dd)
Trap and trace (Using tcpdump)
.. More to come ..
Restoring system
FAQ
--------------
If I'm missing some vital aspect/information or someone already has started
writing, I would sure like to know .. Otherwise I will start writing :)
Best regards
Kim
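As an added illustration of the "Mounting of partitions" items in the outline above (not code from the thread or from the guide it announces): a small POSIX sh check that compares /proc/mounts-style lines against a per-mountpoint policy of required options (nosuid, noexec, nodev, ro). The sample mount table and the policy are constructed assumptions; on a real host the policy must be tuned to its partition scheme.

```shell
#!/bin/sh
# Audit mount options against a simple per-mountpoint policy.
# Added example, not from the thread. Sample and policy are constructed.

# Constructed sample in /proc/mounts format: device mountpoint fstype opts dump pass
SAMPLE_MOUNTS='/dev/hda3 / ext3 rw 0 0
/dev/hda5 /tmp ext3 rw,nosuid 0 0
/dev/hda6 /home ext3 rw,nosuid,nodev 0 0
/dev/hda2 /usr ext3 rw 0 0
none /proc proc rw 0 0'

# Policy (assumption, adjust per host): "mountpoint required,options"
POLICY='/tmp nosuid,noexec,nodev
/home nosuid,nodev
/usr ro
/var nosuid,nodev'

# has_opt "opt1,opt2,..." opt : succeeds when opt is present in the comma list
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# mount_opts MOUNTS mountpoint : prints the option field for that mountpoint
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4; exit }'
}

# check_mounts MOUNTS POLICY : prints one line per violation, nothing if clean
check_mounts() {
    mounts=$1
    printf '%s\n' "$2" | while read -r mp required; do
        [ -z "$mp" ] && continue
        opts=$(mount_opts "$mounts" "$mp")
        if [ -z "$opts" ]; then
            # A directory that is not its own mount cannot carry its own options
            echo "$mp: not a separate mount, options cannot be enforced"
            continue
        fi
        old_ifs=$IFS
        IFS=,
        for o in $required; do
            has_opt "$opts" "$o" || echo "$mp: missing $o"
        done
        IFS=$old_ifs
    done
}

# Run on the constructed sample; on a live host use:
#   check_mounts "$(cat /proc/mounts)" "$POLICY"
check_mounts "$SAMPLE_MOUNTS" "$POLICY"
```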
* Re: [gentoo-dev] Security guidelines for Gentoo
From: Einar Karttunen @ 2002-03-14 9:29 UTC
To: gentoo-dev
On 14.03.02 10:11 +0100(+0000), kn@insecurity.dk wrote:
> Considerations before installation
> BIOS password
If the machine is a server set the bios password only to guard
against modifying the settings i.e. it should not be asked on
startup because of remote reboots. Also make sure the machine
will not boot from floppy/cd/network.
> Password policy
Gentoo could have a stricter pam config on this
because currently very weak passwords get through.
> Tightening the security after/during installation
> /etc/make.conf
To this I would like to add signed ebuilds.
> Grub/Lilo password
Against modifications yes, but not hindering the boot.
> More Logging
Add log rotation to this
> -noexec
Noexec is no real solution on linux.
> PAM
Should be IMHO tighter by default.
> Kernel security
> /proc
Some form restricting proc i.e. all
users but those belonging to one group
cannot see *anything* they don't need.
> Kernel patches
> Grsecurity
Currently fails against the gentoo kernel
(see some posts this week about it on the
gentoo-dev list)
> Using xinetd
Or using no inetd at all. Many servers/home machines
which run only http, ssh and mail do not imho need
inetd at all.
> X
Make sure the default installation does not listen to tcp.
> Lpd
For home users pdq is more easy.
> FTP
oftpd
> Mail
On desktop machines the mail daemon should not accept connections
from outside.
> Chroot
I have a jail ebuild if someone is interested.
- Einar Karttunen
* Re: [gentoo-dev] Security guidelines for Gentoo
From: Stefan Boresch @ 2002-03-14 9:41 UTC
To: gentoo-dev
On Thu, Mar 14, 2002 at 10:11:43AM +0100, kn@insecurity.dk wrote:
> I wrote to Drobbins yesterday to ask if someone already has written security
> guideline documentation for Gentoo. He had not heard of any projects in that
> direction. So I have started one :) ..
Many cheers to you!
[snip]
> Securing Services
[snip]
> Mail
> Qmail
> Fighting Spam
> virtual users
Since the default mailer in gentoo is now postfix, I think equivalent
sections for postfix would be required as well (Please let's not
start any discussion about the relative merits of qmail vs. postfix)
Best regards,
Stefan
* Re: [gentoo-dev] Security guidelines for Gentoo
From: kn @ 2002-03-14 9:43 UTC
To: gentoo-dev
> On Thu, Mar 14, 2002 at 10:11:43AM +0100, kn@insecurity.dk wrote:
>
>> Mail
>> Qmail
>> Fighting Spam
>> virtual users
>
> Since the default mailer in gentoo is now postfix, I think equivalent
> sections for postfix would be required as well (Please let's not
> start any discussion about the relative merits of qmail vs. postfix)
Great :) .. I'll put that on my list .. and start writing ..
/Kim
* Re: [gentoo-dev] Security guidelines for Gentoo
From: kn @ 2002-03-14 9:46 UTC
To: gentoo-dev
> On 14.03.02 10:11 +0100(+0000), kn@insecurity.dk wrote:
[SNIP]
I'm not talking about the default installation .. I think it's great .. I just
wanted to document how to make it more secure .. per default Gentoo is much
more secure than other linux distributions because if you have any ports
listening it's because you installed it ..
/Kim
* Re: [gentoo-dev] Security guidelines for Gentoo
From: Einar Karttunen @ 2002-03-14 9:58 UTC
To: gentoo-dev
On 14.03.02 10:46 +0100(+0000), kn@insecurity.dk wrote:
> > On 14.03.02 10:11 +0100(+0000), kn@insecurity.dk wrote:
> [SNIP]
>
> I'm not talking about the default installation .. I think it's great .. I just
> wanted to document how to make it more secure .. per default Gentoo is much
> more secure than other linux distributions because if you have any ports
> listening it's because you installed it ..
>
Yes, that's true. First I think it is a great idea to write a securing gentoo
manual. However most users start with a default installation so any potential
security considerations with it could be added to the manual. Are you trying
to make the manual gentoo specific or include more general things as well?
- Einar Karttunen
* Re: [gentoo-dev] Security guidelines for Gentoo
From: kn @ 2002-03-14 10:01 UTC
To: gentoo-dev
> Yes, that's true. First I think it is a great idea to write a securing
> gentoo manual. However most users start with a default installation so
> any potential security considerations with it could be added to the
> manual. Are you trying to make the manual gentoo specific or include
> more general things as well?
>
Well .. A little bit of both .. it's going to be gentoo specific but it will
also include chapters like security policies, backup and intrusion detection
since I think new linux users should be aware of this .. I know that Gentoo
is probably not used by new linux users (But they should since they can
learn a lot) but still think it should be there .. not much but probably
some links and information on why it's needed
Best regards
Kim
* Re: [gentoo-dev] Security guidelines for Gentoo
From: Martin Schlemmer @ 2002-03-14 10:10 UTC
To: gentoo-dev
On Thu, 2002-03-14 at 11:29, Einar Karttunen wrote:
> On 14.03.02 10:11 +0100(+0000), kn@insecurity.dk wrote:
> > Considerations before installation
> > BIOS password
> If the machine is a server set the bios password only to guard
> against modifying the settings i.e. it should not be asked on
> startup because of remote reboots. Also make sure the machine
> will not boot from floppy/cd/network.
>
> > Password policy
> Gentoo could have a stricter pam config on this
> because currently very weak passwords get through.
>
Hi, this is in the works with masked pam-0.75-r4 and shadow-4.0.2.
It uses pam_stack.so and libcrack to check for weak passwords.
If you want to help test these, just merge them, update the stuff
in /etc/pam.d and give it a reboot (for libcrack to kick in) and
let me know.
> _______________________________________________
> gentoo-dev mailing list
> gentoo-dev@gentoo.org
> http://lists.gentoo.org/mailman/listinfo/gentoo-dev
--
Martin Schlemmer
Gentoo Linux Developer, Desktop Team
Cape Town, South Africa
* Re: [gentoo-dev] Security guidelines for Gentoo
From: Joachim Blaabjerg @ 2002-03-14 11:09 UTC
To: gentoo-dev
On Thu, 2002-03-14 at 10:29, Einar Karttunen wrote:
> On 14.03.02 10:11 +0100(+0000), kn@insecurity.dk wrote:
> > Considerations before installation
> > BIOS password
> If the machine is a server set the bios password only to guard
> against modifying the settings i.e. it should not be asked on
> startup because of remote reboots. Also make sure the machine
> will not boot from floppy/cd/network.
>
> > Password policy
> Gentoo could have a stricter pam config on this
> because currently very weak passwords get through.
I think pam_passwdqc (http://www.openwall.com/passwdqc/) is the best
option for this job. I could make an ebuild (if there isn't one
already).
> > Kernel patches
> > Grsecurity
> Currently fails against the gentoo kernel
> (see some posts this week about it on the
> gentoo-dev list)
It doesn't apply cleanly, but it's no problem to fix it by hand.
> > Using xinetd
> Or using no inetd at all. Many servers/home machines
> which run only http, ssh and mail do not imho need
> inetd at all.
>
> > FTP
> oftpd
I personally prefer vsftpd. _Very_ fast, written with security and
performance as top priorities.
--
Joachim Blaabjerg
styx@SuxOS.org
www.SuxOS.org
* Re: [gentoo-dev] Security guidelines for Gentoo
From: Joachim Blaabjerg @ 2002-03-14 11:11 UTC
To: gentoo-dev
On Thu, 2002-03-14 at 10:11, kn@insecurity.dk wrote:
> Hello everyone,
>
> I wrote to Drobbins yesterday to ask if someone already has written security
> guideline documentation for Gentoo. He had not heard of any projects in that
> direction. So I have startet one :) ..
Hi,
Great initiative! Maybe we could work together a bit on this (I'm the
guy who's supposed to get started on Secure Gentoo ;]). Feel free to
contact me (on- or off-list).
--
Joachim Blaabjerg
styx@SuxOS.org
www.SuxOS.org
* Re: [gentoo-dev] Security guidelines for Gentoo
From: Einar Karttunen @ 2002-03-14 11:17 UTC
To: gentoo-dev
On 14.03.02 12:09 +0100(+0000), Joachim Blaabjerg wrote:
> > > Grsecurity
> > Currently fails against the gentoo kernel
> > (see some posts this week about it on the
> > gentoo-dev list)
>
> It doesn't apply cleanly, but it's no problem to fix it by hand.
Could you send the patch somewhere, this would be great for those
of us with little kernel knowledge. What about grsecurity vs. posix
acls?
- Einar Karttunen
* Re: [gentoo-dev] Security guidelines for Gentoo
From: Joachim Blaabjerg @ 2002-03-14 12:32 UTC
To: gentoo-dev
On Thu, 2002-03-14 at 12:17, Einar Karttunen wrote:
> On 14.03.02 12:09 +0100(+0000), Joachim Blaabjerg wrote:
> > > > Grsecurity
> > > Currently fails against the gentoo kernel
> > > (see some posts this week about it on the
> > > gentoo-dev list)
> >
> > It doesn't apply cleanly, but it's no problem to fix it by hand.
>
> Could you send the patch somewhere, this would be great for those
> of us with little kernel knowledge. What about grsecurity vs. posix
> acls?
I'll make a patch right away, haven't thought much about the POSIX ACLs,
but I *think* we'll be fine.
--
Joachim Blaabjerg
styx@SuxOS.org
www.SuxOS.org
* Re: [gentoo-dev] Security guidelines for Gentoo
From: Morten Liebach @ 2002-03-14 12:34 UTC
To: gentoo-dev
On 2002-03-14 11:29:14 +0200, Einar Karttunen wrote:
> On 14.03.02 10:11 +0100(+0000), kn@insecurity.dk wrote:
> > Chroot
> I have a jail ebuild if someone is interested.
As in FreeBSD jail(8)? Sounds very very interesting.
Have a nice day
Morten
--
Morten Liebach <m@kallisti.dk>, webpages at http://kallisti.dk/
PGP-key: http://kallisti.dk/ml.asc or Key-ID 0xD796A4EB on keyserver.net
* Re: [gentoo-dev] Security guidelines for Gentoo
From: Einar Karttunen @ 2002-03-14 12:44 UTC
To: gentoo-dev
On 14.03.02 13:34 +0100(+0000), Morten Liebach wrote:
> On 2002-03-14 11:29:14 +0200, Einar Karttunen wrote:
> > On 14.03.02 10:11 +0100(+0000), kn@insecurity.dk wrote:
> > > Chroot
> > I have a jail ebuild if someone is interested.
>
> As in FreeBSD jail(8)? Sounds very very interesting.
>
No, as in jail chroot project, see
http://www.gsyc.inf.uc3m.es/~assman/jail/
The biggest problem is proc, which some apps
need but leaks too much info even with grsecurity.
Now if only it would be possible to have
two different proc filesystems mounted:
one normal, and one with only the data necessary to
run apps.
- Einar Karttunen
* Re: [gentoo-dev] Security guidelines for Gentoo
From: Chuck Haines @ 2002-03-14 21:01 UTC
To: gentoo-dev
I would be very interested in this manual. Keep us posted on its
progress.
--
---------------------------------------------
| Chuck Haines | AIM: CyberGrex |
| GDC Webmaster | ICQ: 3707881 |
| WPI Class of 2005 | MSN: CyberGrex |
| chaines@wpi.edu | Yahoo: CyberGrex_27 |
---------------------------------------------
* Re: [gentoo-dev] Security guidelines for Gentoo
From: Andreas Waschbuesch @ 2002-03-14 21:15 UTC
To: gentoo-dev
Your electronic message flowed forth with these words:
>
> Well .. A little bit of both .. it's going to be gentoo specific but it will
> also include chapters like security policies, backup and intrusion detection
> since I think new linux users should be aware of this .. I know that Gentoo
> is probably not used by new linux users (But they should since they can
> learn a lot) but still think it should be there .. not much but probably
> some links and information on why it's needed
Would you mind including some hints on naming conventions? It's a very easy
step to make footprinting a little harder ... ;-)
Andrew
--
Andreas Waschbuesch, GAUniversity KG MA FNZ FK01
eMail: awaschb@gwdg.de
In the long run we are all dead.
-- John Maynard Keynes
* Re: [gentoo-dev] Security guidelines for Gentoo
From: Zach Forrest @ 2002-03-14 21:53 UTC
To: gentoo-dev
One of the most comprehensive guides for securing linux can be found at
the TrinityOS homepage found here:
http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html
It starts at the BIOS and works its way up. There is also a script to
help you configure your system. At the *very* least this is a great
starting point.
Zach (see below for some details)
From the website --->
Here is TrinityOS's current feature set..
----------------------------------------------------------------------
TrinityOS is a step by step, example driven, HOWTO on building a very
functional Linux box with strong security in mind.
Current
Features:
=========
Master References and Recommended Guidelines
--------------------------------------------
+ An extensive URL library and current version list for all
installed and recommended Linux tools and applications
+ Example guidelines on documenting the hardware and partition
layout of your specific hardware
Linux Distribution Thoughts:
----------------------------
+ Thoughts and recommendations on picking a Linux distribution
+ A common "Search & Replace" key to customize this doc to YOUR
specific environment
Core OS setup:
--------------
+ Configuring, compiling, installing, and booting both a 2.2.x &
2.0.x kernel
+ Lilo configuration and security
+ PCMCIA / CARDBUS PC-Card Services
+ Software RAID 0 (striping) hard drives
+ 7-CD SCSI CD-ROM changer system
+ Automated Patching via RPM notifiers
+ EXT2 file system tuning
+ IDE hard drive performance optimization
+ Dual printing system support for both UNIX and Windows/Samba hosts
Network Connectivity:
---------------------
+ Strong, configurable, and well commented IPCHAINS and IPFWADM
packet firewall rule sets with a complete intro on how Packet and
Stateful Inspected firewalls work
+ Automated rollback script for the loading of rc.firewall rule sets
so that if you make an error in the firewall rule set and the rule
set doesn't complete, a backup
rule set will be automatically loaded to restore connectivity.
+ Full LAN masquerading (NAT or Network Address Translation) using
private IP addressing
+ Masq IP port forwarding support (IPportfw)
+ Dual 10Mb/s Ethernet network card support setup and TCP/IP
Performance optimization (modem and cable modem users)
+ How to setup fully authoritative primary and secondary DNS servers
(Bind v8.x) in a CHROOTed and SPLIT Zone configuration
+ Full Sendmail e-mail system support w/ domain masquerading &
Anti-SPAM measures with support for more than one Internet domain
on one EMAIL server
+ IMAP4 / POP3 remote email service
+ DHCP server for other LAN machines (laptops, etc)
+ DHCP client setup for TCP/IP addresses
+ Samba : Full Microsoft Windows file & printing support
+ NFS: Full Sun RPC-based Network File System support
+ IPSEC (Swan) VPN [Almost Complete]
+ Apache WWW server
+ PPP connectivity for primary PPP connectivity AND backup PPP
connections
+ Dial-on-Demand (Diald) Internet connections (modem users) -
Automatic Internet connections every 15 minutes (modem users)
+ Direct dial-in terminal / PPP access via a modem
+ How to apply for a full Internet domain name via Network Solutions
+ Full documentation on how to understand and FIGHT all that SPAM email
+ NTP time calibration
+ Full UNIX (SMB) printing
Security:
---------
+ Complete physical and OS-level security recommendations and
guidelines
+ Full SSH telnet support [Future: X-windows encrypted tunnels]
+ Actively Updated Linux system security and patching (Shadow
passwords, etc)
+ Advanced SYSLOG logging and nightly filtered reports emailed to
the root user
+ TrinityOS "CRITICALITY" rating in the CHANGELOG section to gauge
the level of urgency of security vulnerabilities, system
mis-configurations, etc.
+ Tripwire Security Breach monitoring [not completed yet]
+ NMAP port scanning to test your packet firewall
+ Figuring out if you have been hacked.. Confirm it!
+ Prioritized ChangeLog to let users know what changes are and are
NOT too important
+ Anonymized Sendmail Banners
System backup:
--------------
+ Minimum backups to floppy
+ Full tape backup via BRU with emergency restore diskette creation
+ Full APC SmartUPS power down support (APCUPSd) w/ paging support
+ Backing up the server to a CD-R [not completed yet]
More Extensive Guides:
----------------------
+ How to fix LILO, HD partitioning, and file system corruption
+ How to obtain an Internet domain(s)
+ How to successfully move Internet domains across DNS servers
and/or TCP/IP addresses
+ How to recover from your box being hacked into and how to
RE-secure it
+ How to understand and fight SPAM email
+ SSH encrypted tunnels for email, etc
Future
Features:
=========
(Won't be implemented in any particular order)
* TrinityOS TO-DOs:
-------------------
+ Add more "Configuration via GUI tools" sections
* Network stuff
---------------
+ Modularize the rc.firewall ruleset so updates can be transparent
and not require additional tailoring for each update.
+ Add a single interface IPCHAINS rc.firewall for eth0/1/2 and
ppp0/1/2 users
+ Remove LPR and replace it with LPRng or CUPS
+ Mail Backup: Setup high cost MX records and ETRN email backup
+ IPv6: Configure and setup IPv6 and possibly setup a IPv6 tunnel
via the 6Bone
+ Dial Backup: Add automatic analog modem dial backup when the
ADSL/Cable modem goes down
+ CODA: Replace NFS support with CODA
+ Implement IMAP4 for a complete email subsystem
+ Add a CACHING only setup for 8.1.x DNS
+ Setup a email list server (MajorDomo, Petidomo, dunno yet)
+ Email sent dynamic IP address exception requests for access
through the TCP Wrappers and the IPFWADM rule sets
+ DHCPc client setup for Cablemodems
+ 128-bit encrypted Apache SSL WWW server
+ Move over to xinetd for better DoS protection
+ WWW Proxy services
+ WWW banner ad filtering
* Security Stuff
----------------
+ Replace the Sendlogs script to use either Swatch or LogSentry
+ Automate the firewall hits logging for trend analysis
+ Install PGP / GPG for secure and/or verified communications to:
other users, Internic, binaries/source code verification, etc.
+ SATAN / SAINT / Nessus / COPS / ISS security testing
* Application stuff
-------------------
+ Implement Procmail to do local email filtering
+ Setup fetchmail to get remote email vs. setting up a
remote .forward
+ Full SVGA X-Windows support w/ the WindowMaker window Manager
(Xfree)
* Administration stuff
----------------------
+ Up the logging time on the UPS to 1 second increments and then
plot all the stuff with GNU Plot to then be emailed via "Sendlogs"
+ Rotate the UPS logs
+ Implement automatic weekly incremental tape backups to the TR4
tape drive.
+ BZip2 compression w/ tar patches
* System Stuff
--------------
+ Iomega parallel ZIP drive support
* Re: [gentoo-dev] Security guidelines for Gentoo
From: kn @ 2002-03-15 6:31 UTC
To: gentoo-dev
> One of the most comprehensive guides for securing linux can be found at
> the TrinityOS homepage found here:
> http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html
[SNIP]
I will try to read it .. But my guide will not be about tuning linux .. that
should be in a different guide because security and performance do not
always agree on settings
Best regards
Kim
ps. I have started writing the guide and a preview can be found at:
http://www.insecurity.dk/gentoo/secure-guide/security-guidelines.html
* Re: [gentoo-dev] Security guidelines for Gentoo
From: kn @ 2002-03-15 6:32 UTC
To: gentoo-dev
>
> Would U mind including some hints on naming conventions? It's a very
> easy step to make footprinting a little harder ... ;-)
>
I'll do everything that I can to make this the best guide
/Kim