swift 05/05/23 19:34:03 Modified: xml/htdocs/doc/en gentoo-security.xml Log: Fix spelling mistakes, no content change
Revision Changes Path 1.81 +32 -32 xml/htdocs/doc/en/gentoo-security.xml file : http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/gentoo-security.xml?rev=1.81&content-type=text/x-cvsweb-markup&cvsroot=gentoo plain: http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/gentoo-security.xml?rev=1.81&content-type=text/plain&cvsroot=gentoo diff : http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/gentoo-security.xml.diff?r1=1.80&r2=1.81&cvsroot=gentoo Index: gentoo-security.xml =================================================================== RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/gentoo-security.xml,v retrieving revision 1.80 retrieving revision 1.81 diff -u -r1.80 -r1.81 --- gentoo-security.xml 23 May 2005 19:19:58 -0000 1.80 +++ gentoo-security.xml 23 May 2005 19:34:03 -0000 1.81 @@ -1,5 +1,5 @@ <?xml version='1.0' encoding='UTF-8'?> -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/gentoo-security.xml,v 1.80 2005/05/23 19:19:58 swift Exp $ --> +<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/gentoo-security.xml,v 1.81 2005/05/23 19:34:03 swift Exp $ --> <!DOCTYPE guide SYSTEM "/dtd/guide.dtd"> <guide link = "/doc/en/gentoo-security.xml"> 
@@ -168,19 +168,19 @@ <ul> <li> Any directory tree a user should be able to write to (e.g. <path>/home</path>, - <path>/tmp</path>) should be on a seperate partition and use disk quotas. This + <path>/tmp</path>) should be on a separate partition and use disk quotas. This reduces the risk of a user filling up your whole filesystem. Portage uses <path>/var/tmp</path> to compile files, so that partition should be large. </li> <li> Any directory tree where you plan to install non-distribution software on should - be on a seperate partition. According to the <uri link = + be on a separate partition. According to the <uri link = "http://www.pathname.com/fhs/">File Hierarchy Standard</uri>, this is <path>/opt</path> or <path>/usr/local</path>. If these are separate partitions, they will not be erased if you have to reinstall the system. </li> <li> - For extra security, static data can be put on a seperate partition that is + For extra security, static data can be put on a separate partition that is mounted read-only. For the truly paranoid, try using read-only media like CD-ROM. </li> @@ -275,7 +275,7 @@ <li> A well-documented network and system layout will aid you, as well as law enforcement forensics examiners, if need be, in tracing an intrusion and - idetifying weaknesses after the fact. A security policy "issue" banner, + identifying weaknesses after the fact. A security policy "issue" banner, stating that your system is a private network and all unauthorized access is prohibited, will also help ensure your ability to properly prosecute an intruder, once he is caught. 
@@ -288,7 +288,7 @@ <p> The policy itself is a document, or several documents, that outlines the network -and system features (such as what services are provided), acceptible use and +and system features (such as what services are provided), acceptable use and forbidden use, security "best practices", and so forth. All users should be made aware of your security policy, as well as changes you make to keep it up to date. It is important that you take the time to help users understand your @@ -334,7 +334,7 @@ <p> Different users may require different levels or types of access, and as such -your policy may vary to accomodate them all. +your policy may vary to accommodate them all. </p> <p> @@ -534,7 +534,7 @@ Syslogd is the most common logger for Linux and Unix in general. It has some log rotation facilities, but using <path>/usr/sbin/logrotate</path> in a cron job (logrotate is configured in -<path>/etc/logrotate.conf</path>) might prove to be more powerfull as +<path>/etc/logrotate.conf</path>) might prove to be more powerful as <c>logrotate</c> has many features. How often log rotation should be done depends on the system load. </p> @@ -1024,7 +1024,7 @@ <p> This step has to be done on every partition where quotas are enabled. After adding and configuring the quota files, we need to add the <c>quota</c> script -to the boot runlevel. +to the boot run level. </p> <pre caption="Adding quota to the boot runlevel"> @@ -1126,7 +1126,7 @@ <p> Normal users should not have access to configuration files or passwords. An -attacker can steal passwords from databases or websites and use them to +attacker can steal passwords from databases or web sites and use them to deface--or even worse, delete--data. This is why it is important that your file permissions are correct. If you are sure that a file is only used by root, assign it with the permissions <c>0600</c> and assign the file to the correct 
@@ -1225,7 +1225,7 @@ </body> </section> <section> -<title>SUID/SGID binaries and Hardlinks</title> +<title>SUID/SGID binaries and Hard links</title> <body> <p> @@ -1239,13 +1239,13 @@ <p> If your users have access to a partition that isn't mounted with <c>nosuid</c> or <c>noexec</c> (for example, if <path>/tmp</path>, <path>/home</path>, or -<path>/var/tmp</path> are not seperate partitions) you should take care to -ensure your users don't create hardlinks to SUID or SGID binaries, so that +<path>/var/tmp</path> are not separate partitions) you should take care to +ensure your users don't create hard links to SUID or SGID binaries, so that after Portage updates they still have access to the old versions. </p> <warn> -if you have received a warning from portage about remaining hardlinks, and your +if you have received a warning from portage about remaining hard links, and your users can write to a partition that allows executing SUID/SGID files, you should read this section carefully. One of your users may be attempting to circumvent your update by keeping an outdated version of a program. If your @@ -1571,7 +1571,7 @@ Recent <c>grsec-sources</c> provide the 2.* version of Grsecurity. For more information on this improved Grsecurity patch set, please consult the documentation available on the <uri link="http://www.grsecurity.net/">Grsecurity -homepage</uri>. +home page</uri>. </p> </body> @@ -2024,7 +2024,7 @@ </pre> <p> -And type in a passphrase. +And type in a pass phrase. </p> <pre caption="Output of ssh-keygen"> @@ -2056,7 +2056,7 @@ <p> For more information go to the <uri -link="http://www.openssh.org">OpenSSH</uri> website. +link="http://www.openssh.org">OpenSSH</uri> web site. </p> </body> 
@@ -2067,7 +2067,7 @@ <p> xinetd is a replacement for <c>inetd</c> (which Gentoo does not have), -the internet services daemon. It supports access control based on the address of +the Internet services daemon. It supports access control based on the address of the remote host and the time of access. It also provide extensive logging capabilities, including server start time, remote host address, remote user name, server run time, and actions requested. @@ -2409,7 +2409,7 @@ <li>Simple and easy to implement</li> <li> Can give warnings of a possible attack before it happens (ie. by detecting - portscans) + port scans) </li> <li>Good for stopping SYN attacks</li> </ul> @@ -2574,7 +2574,7 @@ (since the packet filter itself does not do connection tracking). With stateful packet filtering it is possible to drop such packets, as they are not part of an already established connection. This will also stop the possibility of -"stealth scans", a type of portscan in which the scanner sends packets +"stealth scans", a type of port scan in which the scanner sends packets with flags that are far less likely to be logged by a firewall than ordinary SYN packets. </p> @@ -2600,7 +2600,7 @@ source IP address because it does not need a reply. The server-side system will add an entry to a queue of half-open connections when it receives the SYN packet and then wait for the final ACK packet before deleting the entry from -the queue. The queue has a limitied number of slots and if all the slots are +the queue. The queue has a limited number of slots and if all the slots are filled it is unable to open any further connections. If the ACK packet is not received before a specified timeout period the entry will automatically be deleted from the queue. The timeout settings vary but will typically be 30-60 
@@ -2621,7 +2621,7 @@ <note> Another option for preventing SYN floods are <uri link = "http://cr.yp.to/syncookies.html">SYN cookies</uri>, which allow your computer -to respond to SYN packetes without filling space in the connection queue. SYN +to respond to SYN packets without filling space in the connection queue. SYN cookies can be enabled in the Linux kernel configuration, but they are considered experimental at this time. </note> @@ -2711,11 +2711,11 @@ </tr> <tr> <ti>-i</ti> - <ti>Input name (ethernet name)</ti> + <ti>Input name (Ethernet name)</ti> </tr> <tr> <ti>-o</ti> <<Truncated>> -- [email protected] mailing list
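Review bot: in the `@@ -1239,13 +1239,13 @@` hunk, the `<warn>` block's first line, now `if you have received a warning from portage about remaining hard links, and your`, starts in lowercase and writes "portage" in lowercase, while the paragraph just above it capitalises "Portage"; suggest `If you have received a warning from Portage about remaining hard links, and your` so the warning matches the rest of the document.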
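Review bot: in the `@@ -1024,7 +1024,7 @@` hunk, changing "boot runlevel" to "boot run level" in the `<p>` leaves it inconsistent with the unchanged caption two lines further down, `<pre caption="Adding quota to the boot runlevel">`, and with the runlevel terminology the quota section uses; keep `to the boot runlevel.` as one word rather than splitting it.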
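Review bot: in the `@@ -2024,7 +2024,7 @@` hunk, "passphrase" should stay a single word: `And type in a pass phrase.` reads as a terminology change rather than the spelling-only fix the log message describes, and "passphrase" is the established term for what ssh-keygen asks for. Suggest reverting that line to `And type in a passphrase.`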
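Review bot: in the `@@ -2067,7 +2067,7 @@` hunk, the unchanged context line `the remote host and the time of access. It also provide extensive logging` has a subject-verb agreement error; since this commit is a spelling and grammar pass and the paragraph is already being touched, change it to `It also provides extensive logging` in the same hunk.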
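Review bot: in the `@@ -2409,7 +2409,7 @@` hunk, the abbreviation on the line just above the corrected "port scans" is still wrong: `Can give warnings of a possible attack before it happens (ie. by detecting` should read `(i.e. by detecting` (or "e.g.", since port scans are one example of such a warning). Worth fixing while this list item is being edited.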
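Review bot: in the `@@ -2621,7 +2621,7 @@` hunk, the context line `Another option for preventing SYN floods are <uri link =` needs "is" rather than "are", since the subject is the singular "option"; a one-word change that belongs in the same hunk as the "packets" correction.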
