Bug 1275695 - MIscellaneous errors in Security Guide
Summary: MIscellaneous errors in Security Guide
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: doc-Security_Guide
Version: 7.3
Hardware: Unspecified
OS: Linux
Priority: high
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: Robert Krátký
QA Contact: ecs-bugs
URL:
Whiteboard:
Depends On: 1279970 1279974
Blocks:
Reported: 2015-10-27 13:51 UTC by Kwan Lowe
Modified: 2019-03-06 02:13 UTC (History)
CC List: 2 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-04-13 14:48:21 UTC
Target Upstream Version:
Embargoed:


Attachments: (none listed)

Description Kwan Lowe 2015-10-27 13:51:09 UTC
Document URL: 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/Security_Guide/index.html

Section Number and Name: 
Multiple, please see attachment

Describe the issue: 
Miscellaneous typos

Suggestions for improvement: 
Please see Additional Information

Additional information: 

RHEL7 Security Guide Errata


2.2 
Layout - Widowed title in PDF view


2.2  
/home not listed.

	OLD: ...creating separate partitions for /boot,/, /tmp and /var/tmp
	NEW: creating separate partitions for /, /boot, /home, /tmp and /var/tmp

3.1.2.1 Verifying Signed Packages
Subj/verb agreement

OLD: 
for an automatic verification of all packages it install or upgrades
NEW: 
for an automatic verification of all packages it installs or upgrades

3.1.3 
Layout: Applications header widowed


Typo in KVM section
OLD: 
Then use the modprove -r command to

NEW: 	
Then use the modprobe -r command to 


3.2.3
Typo

OLD: 
	that, every security issues is rated using …

NEW:
	that, every security issue is rated using 


3.3
Widowed "Online Documentation" header in PDF

3.3
Yum command capitalized

OLD:
	documents the use of the Yum and rpm programs
NEW:
	documents the use of the yum and rpm programs

Red Hat Customer Portal
List parallelism - Incomplete sentences/non-parallel format in list entries

See Also

OLD:
	describes how to configuring your system securely
NEW:
	describes how to configure your system securely


4.1 Desktop Security

Word choice

OLD:
	Of course, if the cracker starts an attack
NEW:
	Of course, if the attacker starts an attack


4.1.1.2
maxrepeat is unclear

OLD: In this example, the password entered cannot contain more than 3 consecutive characters, such as "abcd" or "1234". Additionally, the number of identical consecutive characters is limited to 3.

The example text implies that "abcd" or "1234" is disallowed by the maxrepeat entry. Based on the man page for pam, these would be allowed. The maxrepeat entry appears to disallow passwords such as "aaaa".

4.1.1.2
Gender neutral language is preferable. 

4.1.1.3
Recommendation to use 99999 is contrary to documentation and can be confusing.

OLD: To disable password expiration, it is traditional to use a value of 99999 after the -M option

NEW: To disable password expiration, use a value of -1.


4.1.1.3
Null password example is given then immediately warned not to use. From a readability standpoint, may be better to skip the bad example entirely.

OLD:
Set up an initial password. There are two common approaches to this step: you can either assign a default password, or you can use a null password. To assign a default password, type the following at a shell prompt as root.

NEW:
Set up an initial password using the passwd utility: Run the following command as root to assign a default password:

    passwd username

Warning: The passwd utility has the option to set a null password. While convenient, this is a highly insecure practice.

4.2.2

Even without root, malicious attachments can pose a threat. This section should probably be re-written to reinforce that running as root is not best-practice.

4.2.4
The method of installing screen to enforce session timeouts, though convenient, is not necessarily best-practice. A similar effect can be had with setting the bash or login shell TMOUT variable and setting the variable as read-only.  E.g., readonly TMOUT  in the system-wide bash profile.



4.2.5
Typo in spacing. Also, the DOS example is probably not optimal. At the very least, reinforce that all these configurations are close to moot if someone has physical access and/or console access.

OLD: operating system at boot time ,for example DOS, which
NEW: operating system at boot time, for example DOS, which

4.3.9.1
See 4.4.1.1. Explicitly notes that prepending with 220 is not necessary. This example should be fixed in the section rather than calling it out in a note.

4.3.11.1
Typo in filename, multiple instances

OLD:  ~/.ssh/authorized_key
NEW: ~/.ssh/authorized_keys

4.3.11.3
Unclear language:

OLD: By default, the sshd daemon listens on the 22 network port.
NEW: By default, the sshd daemon listens on TCP port 22.

4.4.1.1
Example code adds 220 to beginning of each line. This is confusing to users and specifically mentioned as unnecessary in other parts of the guide.

4.4.2
An output listing that spans more than a single page is difficult to read. Suggest editing the output to only the relevant lines that illustrate the concept. A better example may be to pass the LISTEN directive to netstat by passing the -l option, for example: netstat -tlnw. Additionally, the ss utility (part of iproute) may be a better tool overall for this task.



4.4.2
Section needs to be rewritten as it calls out tools that are not previously discussed. It also refers to iptables, which probably should be referenced as firewalld in keeping with the rest of the guide. Also a typo.

OLD:
Review the output of the command with the services needed on the system, turn off what is not specifically required or authorized, repeat the check. Proceed then to make external checks using nmap from another system connected via the network to the first system. This can be used verify the rules in iptables. Make a scan for every IP address shown in the ss output (except for localhost 127.0.0.0 or ::1 range) from an external system.

NEW:
Review the output of the command with the services needed on the system, turn off what is not specifically required or authorized, repeat the check. Proceed then to make external checks using nmap from another system connected via the network to the first system. This can be used to verify the rules in firewalld. 

[add ss usage examples]
Make a scan for every IP address shown in the ss output (except for localhost 127.0.0.0 or ::1 range) from an external system.
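The maxrepeat point raised for 4.1.1.2 above, carried into code. This is an added example and not from the Security Guide, the bug report or libpwquality: it re-implements in POSIX sh the count behind pam_pwquality's maxrepeat option (reject more than N identical consecutive characters, so "aaaa" fails with N=3) next to the count behind the separate maxsequence option, which is the one that rejects monotonic runs such as "abcd" or "1234". The threshold of 3 is the value quoted from the guide; the function names and the sample passwords are this example's own. A real policy lives in /etc/security/pwquality.conf and is exercised with pwscore(1), not with this script.

```shell
#!/bin/sh
# Added example: model of two pam_pwquality rules for ASCII passwords.
#   maxrepeat=N    rejects more than N identical consecutive characters ("aaaa")
#   maxsequence=N  rejects monotonic runs longer than N ("abcd", "4321")
# This is not libpwquality's code; it only reproduces the two counts so the
# difference between the options can be seen on sample input.

# Code point of a single ASCII character (POSIX printf: a leading quote
# makes %d print the character's numeric value).
ord() { printf '%d' "'$1"; }

# Longest run of one repeated character in $1: "aaaa" -> 4, "abcd" -> 1.
longest_repeat() {
    s=$1 best=0 run=0 prev=''
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}; s=${s#?}          # pop the first character
        if [ "$c" = "$prev" ]; then run=$((run + 1)); else run=1; fi
        [ "$run" -gt "$best" ] && best=$run
        prev=$c
    done
    echo "$best"
}

# Longest monotonic run in $1, i.e. each character exactly one code point
# above (or each one below) the previous one: "abcd" -> 4, "4321" -> 4,
# "aaaa" -> 1, "abcba" -> 3.
longest_sequence() {
    s=$1 best=0 run=0 dir=0 prev=-1000
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}; s=${s#?}
        code=$(ord "$c")
        step=$((code - prev))
        if [ "$step" -eq 1 ] || [ "$step" -eq -1 ]; then
            if [ "$step" -eq "$dir" ]; then run=$((run + 1)); else run=2; dir=$step; fi
        else
            run=1; dir=0
        fi
        [ "$run" -gt "$best" ] && best=$run
        prev=$code
    done
    echo "$best"
}

# Apply both rules (defaults: the value 3 quoted from the guide). Prints a
# verdict and returns 0 for accept, 1 for reject. maxsequence=0 disables
# that check, as it does in pwquality.conf.
check_password() {
    pw=$1 maxrepeat=${2:-3} maxsequence=${3:-3}
    if [ "$(longest_repeat "$pw")" -gt "$maxrepeat" ]; then
        echo "rejected by maxrepeat=$maxrepeat"
        return 1
    fi
    if [ "$maxsequence" -gt 0 ] && [ "$(longest_sequence "$pw")" -gt "$maxsequence" ]; then
        echo "rejected by maxsequence=$maxsequence"
        return 1
    fi
    echo "accepted"
}

# Demonstration on constructed sample passwords.
for sample in aaaa aaab abcd 4321 abcba 'Xq7!pLm2'; do
    printf '%-10s %s\n' "$sample" "$(check_password "$sample")"
done
```

With both options at 3, "aaaa" is rejected by maxrepeat and "abcd" or "4321" by maxsequence; "aaab" passes both, which is the distinction the report asks the text to make. The script only looks at ASCII bytes, as pwquality's own comparison does.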
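The alternative proposed for 4.2.4 above, a session timeout set through a read-only TMOUT, as an added example that is not from the Security Guide or the bug report. Bash (and ksh) treat TMOUT as the number of seconds an interactive shell may sit idle before it exits; marking the variable readonly stops the user from changing or unsetting it in that shell. The drop-in path /etc/profile.d/tmout.sh, the 10-minute value and the function names are this example's own choices; the check function writes to a scratch file so it can be run without root.

```shell
#!/bin/sh
# Added example (not from the guide or the bug report): an idle timeout
# enforced by the login shell instead of by screen.

# Contents of the proposed drop-in file (path and value are assumptions).
TMOUT_PROFILE='# Log idle interactive shells out after 10 minutes.
TMOUT=600
export TMOUT
readonly TMOUT'

# Write the drop-in to $1 (normally /etc/profile.d/tmout.sh, which needs
# root); a scratch path can be given when only testing.
install_tmout_profile() {
    printf '%s\n' "$TMOUT_PROFILE" > "$1" && chmod 0644 "$1"
}

# Source the file $1 in a subshell and report whether TMOUT is protected:
# prints "locked" if neither reassigning nor unsetting it succeeds,
# "writable" otherwise. Each attempt runs in its own subshell because a
# strict POSIX shell aborts on assignment to a readonly variable, and that
# abort must not take the check down with it.
tmout_lock_status() {
    (
        . "$1"
        if ( TMOUT=0 ) 2>/dev/null || ( unset TMOUT ) 2>/dev/null; then
            echo writable
        else
            echo locked
        fi
    )
}

# Demonstration: install to a scratch file and verify the lock holds.
scratch=${TMPDIR:-/tmp}/tmout.sh.$$
install_tmout_profile "$scratch"
echo "TMOUT after sourcing $scratch: $(tmout_lock_status "$scratch")"
rm -f "$scratch"
```

The readonly flag binds only the shell that sourced the profile: a user who starts a shell that skips /etc/profile and /etc/bashrc, or a different login shell, gets no timeout, so this covers idle sessions of cooperative users rather than a user determined to avoid it. The same limitation applies to the screen-based method.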
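The ss usage asked for in 4.4.2 above, carried through to the external nmap check the guide describes. This is an added example and not code from the Security Guide or the bug report: it parses ss output, drops the loopback listeners the guide excludes, substitutes the host's real address (supplied by the caller) for wildcard listeners, and prints one nmap command per address. The sample output is constructed in the format of ss -tuln, with addresses from the 192.0.2.0/24 and 203.0.113.0/24 documentation ranges; both the older ss notation (*:22, :::22) and the newer one (0.0.0.0:22, [::]:22) are handled. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the guide or the bug report): derive nmap targets
# from the listening sockets ss reports. On the host itself run
#     ss -tuln        # TCP and UDP listeners, numeric addresses and ports
# The sample below is constructed in that format so the script runs offline.
SAMPLE_SS_OUTPUT='Netid State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
tcp   LISTEN 0      128          0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:631         0.0.0.0:*
tcp   LISTEN 0      100       192.0.2.10:25          0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:68          0.0.0.0:*
tcp   LISTEN 0      128             [::]:22             [::]:*
tcp   LISTEN 0      50             [::1]:3306            [::]:*'

# Print one "proto address port" line per socket reachable from the network.
# $1 is the ss output, $2 the space-separated addresses this host actually
# has, substituted for wildcard listeners (0.0.0.0 and [::], or * and ::
# in older ss). Loopback listeners are dropped: a remote scan cannot reach
# them, which is why the guide excludes them too.
scan_targets() {
    printf '%s\n' "$1" | awk -v hosts="$2" '
    BEGIN { n = split(hosts, host, " ") }
    NF < 5 || $1 == "Netid" { next }          # header or blank line
    {
        proto = $1; local = $5
        p = length(local)                      # split at the last colon
        while (p > 0 && substr(local, p, 1) != ":") p--
        if (p == 0) next
        addr = substr(local, 1, p - 1); port = substr(local, p + 1)
        gsub(/\[/, "", addr); gsub(/\]/, "", addr)
        if (addr ~ /^127\./ || addr == "::1") next
        if (addr == "0.0.0.0" || addr == "::" || addr == "*") {
            for (i = 1; i <= n; i++) print proto, host[i], port
        } else {
            print proto, addr, port
        }
    }' | LC_ALL=C sort -u
}

# Emit one nmap command per address, with that address's TCP and UDP ports
# in nmap's per-protocol -p syntax (T:...,U:...). The commands are printed
# for running from a second host; -sS and -sU need root there.
nmap_commands() {
    scan_targets "$1" "$2" | awk '
    {
        if ($1 == "tcp") { tcp[$2] = ($2 in tcp) ? tcp[$2] "," $3 : $3 }
        else             { udp[$2] = ($2 in udp) ? udp[$2] "," $3 : $3 }
        seen[$2] = 1
    }
    END {
        for (a in seen) {
            spec = ""
            if (a in tcp) spec = "T:" tcp[a]
            if (a in udp) spec = spec (spec == "" ? "" : ",") "U:" udp[a]
            print "nmap -sS -sU -p " spec " " a
        }
    }' | LC_ALL=C sort
}

# Demonstration on the constructed sample; 203.0.113.5 stands for the
# address the host has on the network the scan is run from.
scan_targets "$SAMPLE_SS_OUTPUT" "203.0.113.5"
nmap_commands "$SAMPLE_SS_OUTPUT" "203.0.113.5"
```

The IPv4 and IPv6 wildcard listeners on port 22 collapse into one target, and the CUPS and MySQL sockets bound to loopback never appear. The printed nmap lines are the external check the guide calls for; whether each port is reachable then tells you whether the firewalld rules do what the local listing suggests.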

Comment 3 Robert Krátký 2015-11-10 16:54:27 UTC
(In reply to Kwan Lowe from comment #0)

Hi Kwan,

Thank you for taking the time to file this bug. I fixed the mistakes, provided explanation about other issues below, and finally opened other bugs to track the work on two of the more time-demanding issues.

> Layout - Widowed title in PDF view

Unfortunately, this is a known bug in our publishing tool. It cannot be helped from the content side. This applies to all widows in PDF.

> 4.1 Desktop Security
> 
> Word choice
> 
> OLD: Of course, if the cracker starts an attack
> NEW: Of course, if the attacker starts an attack

In this context, this is the correct term. See https://en.wikipedia.org/wiki/Hacker_%28computer_security%29

> 4.2.4
> The method of installing screen to enforce session timeouts, though convenient,
> is not necessarily best-practice. A similar effect can be had with setting the
> bash or login shell TMOUT variable and setting the variable as read-only.
> E.g., readonly TMOUT  in the system-wide bash profile.

Tracked in a separate bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1279970

> 4.2.5
> Typo in spacing. Also, the DOS example is probably not optimal. At the very
> least, reinforce that all these configurations are close to moot if someone
> has physical access and/or console access.

What 'configurations'? The section talks about password-protecting GRUB. Is that what you mean?

> 4.3.9.1
> See 4.4.1.1. Explicitly notes that prepending with 220 is not necessary.
> This example should be fixed in the section rather than calling it out in a
> note.

The example is not wrong. 220 is the standard FTP response code for "Service ready for new user." I believe it makes sense to have it in the example as it is the custom, while mentioning that it's not required.

> 4.4.1.1
> Example code adds 220 to beginning of each line. This is confusing to users
> and specifically mentioned as unnecessary in other parts of the guide.

See above.
 
> 4.4.2
> Output listing spans more than a single page is difficult to read. Suggest
> editing the output to only relevant lines that illustrate the concept. A
> better example may be to pass the LISTEN directive to netstat by passing the
> -l option:  For example:  netstat -tlnw.  Additionally, the ss utility (part
> of iproute) may be a better tool overall for this task.

> [add ss usage examples]

Tracked in a separate bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1279974

Comment 4 Kwan Lowe 2015-11-11 01:45:40 UTC
Hello Robert:
   Thanks for taking care of these. 

   I debated the attacker/cracker for a bit, but agree that it's valid.

   For 4.2.5, I'm not sure what I was reporting :).  I recall that there was a section on setting up a configuration to disable booting into DOS which would require console access. With console access, there's not much the system can do especially if the user can boot into an alternate OS.  

All the best,
Kwan

Comment 5 Robert Krátký 2016-04-13 14:48:21 UTC
Closing. The separate bugs (#1279970, #1279974) will be used to track the outstanding issues.

