From owner-svn-doc-all@freebsd.org Sun Aug 19 11:58:48 2018 Return-Path: Delivered-To: svn-doc-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id AD070108A9D8; Sun, 19 Aug 2018 11:58:48 +0000 (UTC) (envelope-from bcr@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 5EA7772F84; Sun, 19 Aug 2018 11:58:48 +0000 (UTC) (envelope-from bcr@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 3F70825F26; Sun, 19 Aug 2018 11:58:48 +0000 (UTC) (envelope-from bcr@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w7JBwm5f076402; Sun, 19 Aug 2018 11:58:48 GMT (envelope-from bcr@FreeBSD.org) Received: (from bcr@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id w7JBwmrj076401; Sun, 19 Aug 2018 11:58:48 GMT (envelope-from bcr@FreeBSD.org) Message-Id: <201808191158.w7JBwmrj076401@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: bcr set sender to bcr@FreeBSD.org using -f From: Benedict Reuschling Date: Sun, 19 Aug 2018 11:58:48 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r52158 - head/en_US.ISO8859-1/books/handbook/security X-SVN-Group: doc-head X-SVN-Commit-Author: bcr X-SVN-Commit-Paths: head/en_US.ISO8859-1/books/handbook/security X-SVN-Commit-Revision: 52158 X-SVN-Commit-Repository: doc MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-all@freebsd.org X-Mailman-Version: 2.1.27 Precedence: list List-Id: "SVN commit messages for the entire doc trees \(except for " user" , " projects" , and " translations" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 19 Aug 2018 11:58:49 -0000 Author: bcr Date: Sun Aug 19 11:58:47 2018 New Revision: 52158 URL: https://svnweb.freebsd.org/changeset/doc/52158 Log: Properly wrap overlong lines reported by textproc/igor. Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/security/chapter.xml Sun Aug 19 11:58:01 2018 (r52157) +++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml Sun Aug 19 11:58:47 2018 (r52158) @@ -419,8 +419,8 @@ Enter new password: the most prudent security or systems engineer will miss something an attacker left behind. - A rootkit does do one thing useful for administrators: once - detected, it is a sign that a compromise happened at some + A rootkit does do one thing useful for administrators: + once detected, it is a sign that a compromise happened at some point. But, these types of applications tend to be very well hidden. This section demonstrates a tool that can be used to detect rootkits, security/rkhunter. @@ -2127,9 +2127,10 @@ Connection closed by foreign host. information on the IPsec subsystem in &os;. - IPsec support is enabled by default on &os; 11 and later. - For previous versions of &os;, add these options to a custom kernel - configuration file and rebuild the kernel using the instructions in IPsec support is enabled by default on + &os; 11 and later. For previous versions of &os;, add + these options to a custom kernel configuration file and rebuild + the kernel using the instructions in : @@ -3986,16 +3987,16 @@ jail:httpd:memoryuse:deny=2G/jail is no reason to provide such access to end users because tools exist to manage this exact requirement. - Up to this point, the security chapter has covered permitting - access to authorized users and attempting to prevent unauthorized - access. Another problem arises once authorized users have access - to the system resources. In many cases, some users may need - access to application startup scripts, or a team of - administrators need to maintain the system. Traditionally, the - standard users and groups, file permissions, and even the - &man.su.1; command would manage this access. And as applications - required more access, as more users needed to use system - resources, a better solution was required. The most used + Up to this point, the security chapter has covered + permitting access to authorized users and attempting to prevent + unauthorized access. Another problem arises once authorized + users have access to the system resources. In many cases, some + users may need access to application startup scripts, or a team + of administrators need to maintain the system. Traditionally, + the standard users and groups, file permissions, and even the + &man.su.1; command would manage this access. And as + applications required more access, as more users needed to use + system resources, a better solution was required. The most used application is currently Sudo. Sudo allows administrators @@ -4051,8 +4052,8 @@ jail:httpd:memoryuse:deny=2G/jail %webteam ALL=(ALL) /usr/sbin/service webservice * - Unlike &man.su.1;, Sudo - only requires the end user password. This adds an advantage where + Unlike &man.su.1;, Sudo only + requires the end user password. This adds an advantage where users will not need shared passwords, a finding in most security audits and just bad all the way around. @@ -4066,13 +4067,12 @@ jail:httpd:memoryuse:deny=2G/jail Most organizations are moving or have moved toward a two - factor authentication model. In these cases, the user may - not have a password to enter. Sudo + factor authentication model. In these cases, the user may not + have a password to enter. Sudo provides for these cases with the NOPASSWD - variable. Adding it to the configuration above - will allow all members of the webteam - group to manage the service without the password - requirement: + variable. Adding it to the configuration above will allow all + members of the webteam group to + manage the service without the password requirement: %webteam ALL=(ALL) NOPASSWD: /usr/sbin/service webservice * @@ -4098,17 +4098,17 @@ jail:httpd:memoryuse:deny=2G/jail This directory will be created automatically after the logging is configured. It is best to let the system create directory with default permissions just to be safe. In - addition, this entry will also log administrators who use the - sudoreplay command. To change - this behavior, read and uncomment the logging options inside - sudoers. + addition, this entry will also log administrators who use + the sudoreplay command. To + change this behavior, read and uncomment the logging options + inside sudoers. Once this directive has been added to the - sudoers file, any user configuration - can be updated with the request to log access. In the - example shown, the updated webteam - entry would have the following additional changes: + sudoers file, any user configuration can + be updated with the request to log access. In the example + shown, the updated webteam entry + would have the following additional changes: %webteam ALL=(ALL) NOPASSWD: LOG_INPUT: LOG_OUTPUT: /usr/sbin/service webservice * @@ -4120,20 +4120,20 @@ jail:httpd:memoryuse:deny=2G/jail &prompt.root; sudoreplay -l - In the output, to replay a specific session, search for the - TSID= entry, and pass that to + In the output, to replay a specific session, search for + the TSID= entry, and pass that to sudoreplay with no other options to replay the session at normal speed. For example: &prompt.root; sudoreplay user1/00/00/02 - While sessions are logged, any administrator is - able to remove sessions and leave only a question of why they - had done so. It is worthwhile to add a daily check - through an intrusion detection system (IDS) - or similar software so that other administrators are alerted - to manual alterations. + While sessions are logged, any administrator is able to + remove sessions and leave only a question of why they had + done so. It is worthwhile to add a daily check through an + intrusion detection system (IDS) or + similar software so that other administrators are alerted to + manual alterations. The sudoreplay is extremely extendable.