Diffstat (limited to 'doc/book-enea-nfv-access-user-hardening-guide/doc/intro_hardentools_tech.xml')
-rw-r--r--doc/book-enea-nfv-access-user-hardening-guide/doc/intro_hardentools_tech.xml209
1 files changed, 0 insertions, 209 deletions
diff --git a/doc/book-enea-nfv-access-user-hardening-guide/doc/intro_hardentools_tech.xml b/doc/book-enea-nfv-access-user-hardening-guide/doc/intro_hardentools_tech.xml
deleted file mode 100644
index 294d67e..0000000
--- a/doc/book-enea-nfv-access-user-hardening-guide/doc/intro_hardentools_tech.xml
+++ /dev/null
@@ -1,209 +0,0 @@
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<chapter id="intro_hardentools_tech">
3 <title>A Brief Introduction to Hardening Tools and Technologies</title>
4
5 <para>Linux by default, is not a secure operating system however, it has
6 many features and tools that can help secure it thoroughly. Detailed below
7 are several useful tools and features available for Linux which can help
8 harden the Linux system to really high degrees.</para>
9
10 <section id="namespaces">
11 <title>Namespaces</title>
12
13 <para>Namespaces are a feature of the Linux kernel that isolate and
14 virtualize system resources for a collection of processes. Examples of
15 resources that can be virtualized are:</para>
16
17 <itemizedlist>
18 <listitem>
19 <para>Process IDs</para>
20 </listitem>
21
22 <listitem>
23 <para>Hostnames</para>
24 </listitem>
25
26 <listitem>
27 <para>User IDs</para>
28 </listitem>
29
30 <listitem>
31 <para>Network access</para>
32 </listitem>
33
34 <listitem>
35 <para>UTS</para>
36 </listitem>
37
38 <listitem>
39 <para>Control Group (cgroup)</para>
40 </listitem>
41
42 <listitem>
43 <para>Interprocess communication (IPC)</para>
44 </listitem>
45
46 <listitem>
47 <para>Filesystems (mnt)</para>
48 </listitem>
49 </itemizedlist>
50
51 <para>Namespaces are a fundamental aspect of containers on Linux. Tools
52 like Docker make isolating Linux processes into their own little system
53 environments easy. This makes it possible to run a whole range of
54 applications on a single real Linux machine and ensure that no processes
55 can interfere with each other, without having to resort to using virtual
56 machines. </para>
57 </section>
58
59 <section id="intrusion_prev_dev">
60 <title>Linux Intrusion Prevention/Detection Systems</title>
61
62 <para>An Intrusion Prevention System (IPS) and an Intrusion Detection
63 System (IDS) provide an effective layer of security. The Linux Intrusion
64 Detection System (LIDS) is a patch to the Linux kernel and associated
65 administrative tools, and enhances the kernel's security by implementing
66 Mandatory Access Control (MAC).</para>
67
68 <para>When a LIDS system is booted, file restrictions are enforced
69 immediately. Once the system has come on, the <command>lidsadm
70 -I</command> command will seal off the kernel, preventing any additional
71 kernel modules from affecting it.</para>
72 </section>
73
74 <section id="kernel_hardening">
75 <title>Kernel Hardening</title>
76
77 <para>Kernel hardening is primarily about the kernel protecting itself,
78 eliminating classes of exploits, and reducing its attack surface. Two
79 approaches to hardening the standard Linux kernel are: </para>
80
81 <itemizedlist>
82 <listitem>
83 <para>Address space (memory) protection</para>
84 </listitem>
85
86 <listitem>
87 <para>Advance Access Control System</para>
88 </listitem>
89 </itemizedlist>
90
91 <para>Buffer overflows (in languages such as C) are one of the leading
92 vulnerabilities exploited to gain control of a system. The problem arises
93 when a user can insert more data into a buffer than it was originally
94 allocated for. Restrictions however, on an application's address space
95 prevent many types of buffer overflows attacks.</para>
96 </section>
97
98 <section id="lsm">
99 <title>Linux Security Modules (LSM)</title>
100
101 <para>LSM is a framework part of the Linux kernel. LSM API implements
102 hooks at all security-critical points within the kernel. The modules
103 currently accepted in the official kernel are:</para>
104
105 <itemizedlist>
106 <listitem>
107 <para>AppArmor</para>
108 </listitem>
109
110 <listitem>
111 <para>SELinux</para>
112 </listitem>
113
114 <listitem>
115 <para>Smack</para>
116 </listitem>
117
118 <listitem>
119 <para>TOMOYO Linux</para>
120 </listitem>
121
122 <listitem>
123 <para>Yama</para>
124 </listitem>
125 </itemizedlist>
126
127 <section id="selinux">
128 <title>SELinux</title>
129
130 <para><emphasis role="bold">SELinux, Security Enhanced Linux</emphasis>
131 is a Kernel security mechanism for the supporting access control
132 security policy. SELinux has three configuration modes:</para>
133
134 <itemizedlist>
135 <listitem>
136 <para>Disabled: Turned-off</para>
137 </listitem>
138
139 <listitem>
140 <para>Permissive: Prints warnings</para>
141 </listitem>
142
143 <listitem>
144 <para>Enforcing: Policy is enforced</para>
145 </listitem>
146 </itemizedlist>
147
148 <para>Edit the selinux config file to change the
149 configuration:<programlisting># /etc/selinux/config
150SELINUX=enforcing</programlisting></para>
151 </section>
152 </section>
153
154 <section id="acl">
155 <title>POSIX Access Control Lists (ACL)</title>
156
157 <para>In addition to the file owner, the file group etc., additional users
158 and groups can be granted or denied access by using POSIX ACLs. For a
159 file, ACLs can be configured:</para>
160
161 <itemizedlist>
162 <listitem>
163 <para>Per user </para>
164 </listitem>
165
166 <listitem>
167 <para>Per group</para>
168 </listitem>
169
170 <listitem>
171 <para>Via the effective right mask</para>
172 </listitem>
173
174 <listitem>
175 <para>For users not in the user group, for the file</para>
176 </listitem>
177 </itemizedlist>
178 </section>
179
180 <section id="log_audit">
181 <title>Logging and Auditing</title>
182
183 <para>Audit logs are useful for analyzing system behavior, and may help
184 detect attempts at compromising the system. Enea Linux distributions have
185 logging mechanisms that record all system activities. The syslog service
186 manages the logs in <command>/var/log/</command>. These logs are critical
187 for troubleshooting purposes.</para>
188 </section>
189
190 <section id="secure_net_coms">
191 <title>Secure Network Communication</title>
192
193 <para>Encrypt and authenticate network communication using IPsec.</para>
194 </section>
195
196 <section id="hd_encrypting">
197 <title>Hard Disk Encryption and Disk Protection</title>
198
199 <para>Encrypt the disks before they are installed. This is a crucial step
200 as it will prevent unauthorized access to data even when the hard disk is
201 connected to a different machine.</para>
202
203 <para>Disk protection is a key step in securing data. Make sure that you
204 backup data so that situations such as a damaged system and bugs in the OS
205 updates won't affect them. The backup must be transferred offsite
206 for major servers to keep data secure during unforeseen disasters. Backup
207 management must also be well-defined.</para>
208 </section>
209</chapter> \ No newline at end of file
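Review bot: removing this file also drops the chapter id `intro_hardentools_tech` and the section ids it defined (`namespaces`, `intrusion_prev_dev`, `kernel_hardening`, `lsm`, `selinux`, `acl`, `log_audit`, `secure_net_coms`, `hd_encrypting`); the hunk does not touch the book master file or any other chapter, so please confirm in the same change that no xinclude or cross-reference to these ids remains, or the DocBook build will fail on the dangling reference. If the content is being relocated rather than dropped (the SELinux `/etc/selinux/config` example and the `lidsadm -I` note in particular), the commit message should say where it moved so readers of the hardening guide can find it.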