author Benedict Reuschling <bcr@FreeBSD.org> 2022-01-29 14:10:27 +0000
committer Benedict Reuschling <bcr@FreeBSD.org> 2022-01-29 14:10:27 +0000
commit 1ae23eb218c254fa95febf1b2591ff5eea53ab23 (patch)
tree 6e36bf1605fa0d1105ed065512dd47b111288aa3 /documentation/content/en/books/handbook/security
parent 4d19b8b2fa264d896da60a6737594b1e6bff6aab (diff)
Spell 'availability' correctly.
Diffstat (limited to 'documentation/content/en/books/handbook/security')
-rw-r--r-- documentation/content/en/books/handbook/security/_index.adoc 14
1 files changed, 7 insertions, 7 deletions
diff --git a/documentation/content/en/books/handbook/security/_index.adoc b/documentation/content/en/books/handbook/security/_index.adoc
index 371ddf908e..2725174d23 100644
--- a/documentation/content/en/books/handbook/security/_index.adoc
+++ b/documentation/content/en/books/handbook/security/_index.adoc
@@ -87,7 +87,7 @@ A weak entry point in any system could allow intruders to gain access to critica
One of the core principles of information security is the CIA triad, which stands for the Confidentiality, Integrity, and Availability of information systems.
The CIA triad is a bedrock concept of computer security as customers and users expect their data to be protected.
-For example, a customer expects that their credit card information is securely stored (confidentiality), that their orders are not changed behind the scenes (integrity), and that they have access to their order information at all times (availablility).
+For example, a customer expects that their credit card information is securely stored (confidentiality), that their orders are not changed behind the scenes (integrity), and that they have access to their order information at all times (availability).
To provide CIA, security professionals apply a defense in depth strategy.
The idea of defense in depth is to add several layers of security to prevent one single layer failing and the entire security system collapsing.
@@ -175,7 +175,7 @@ Blowfish is not part of AES and is not considered compliant with any Federal Inf
Its use may not be permitted in some environments.
====
-To determine which hash algorithm is used to encrypt a user's password, the superuser can view the hash for the user in the FreeBSD password database.
+To determine which hash algorithm is used to encrypt a user's password, the superuser can view the hash for the user in the FreeBSD password database.
Each hash starts with a symbol which indicates the type of hash mechanism used to encrypt the password.
If DES is used, there is no beginning symbol.
For MD5, the symbol is `$`.
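Review bot: The touched sentence says a hash algorithm is "used to encrypt a user's password", and the following context line repeats it ("hash mechanism used to encrypt the password"); hashing is one-way and is not encryption. Since this line is being rewritten anyway, consider "which hash algorithm is used for a user's password" and "the type of hash mechanism used" so the text does not suggest the stored value can be decrypted.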
@@ -293,7 +293,7 @@ For more information, see man:pw[8].
A _rootkit_ is any unauthorized software that attempts to gain `root` access to a system.
Once installed, this malicious software will normally open up another avenue of entry for an attacker.
-Realistically, once a system has been compromised by a rootkit and an investigation has been performed, the system should be reinstalled from scratch.
+Realistically, once a system has been compromised by a rootkit and an investigation has been performed, the system should be reinstalled from scratch.
There is tremendous risk that even the most prudent security or systems engineer will miss something an attacker left behind.
A rootkit does do one thing useful for administrators: once detected, it is a sign that a compromise happened at some point.
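Review bot: The removed and added "Realistically, once a system has been compromised..." lines read identically as shown, so this looks like a whitespace-only change, as do the later hunks, yet the commit message mentions only the spelling of 'availability'. Either note the whitespace cleanup in the message or split it into its own commit, so that the content fix in the first hunk is easy to find in history and in translation updates.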
@@ -441,7 +441,7 @@ Source routing is a method for detecting and accessing non-routable addresses on
This should be disabled as non-routable addresses are normally not routable on purpose.
To disable this feature, set `net.inet.ip.sourceroute` and `net.inet.ip.accept_sourceroute` to `0`.
-When a machine on the network needs to send messages to all hosts on a subnet, an ICMP echo request message is sent to the broadcast address.
+When a machine on the network needs to send messages to all hosts on a subnet, an ICMP echo request message is sent to the broadcast address.
However, there is no reason for an external host to perform such an action.
To reject all external broadcast requests, set `net.inet.icmp.bmcastecho` to `0`.
@@ -565,7 +565,7 @@ FreeBSD/i386 (example.com) (ttypa)
login: <username>
otp-md5 498 gr4269 ext
-Password:
+Password:
....
The OPIE prompts provides a useful feature.
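Review bot: The changed `Password:` line sits inside the literal block that closes with `....` on the next line, so this edit alters quoted terminal output rather than prose; please confirm that trimming whitespace there is intended and does not change how the block renders. While in this area, the context line "The OPIE prompts provides a useful feature." has a subject-verb mismatch and could become "The OPIE prompts provide a useful feature."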
@@ -1510,7 +1510,7 @@ Foreground mode.
2006-01-30 01:36:18: INFO: IPsec-SA established: ESP/Tunnel 172.16.5.4[0]->192.168.1.12[0] spi=175852902(0xa7b4d66)
....
-To ensure the tunnel is working properly, switch to another console and use man:tcpdump[1] to view network traffic using the following command.
+To ensure the tunnel is working properly, switch to another console and use man:tcpdump[1] to view network traffic using the following command.
Replace `em0` with the network interface card as required:
[source,shell]
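Review bot: The touched sentence reads "use man:tcpdump[1] to view network traffic using the following command", which says "use ... using" for the same tool. Since the line is modified anyway, it could be tightened to "switch to another console and view network traffic with man:tcpdump[1]", leaving the `em0` sentence after it unchanged.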
@@ -1836,7 +1836,7 @@ This will start sshd, the daemon program for OpenSSH, the next time the system b
# service sshd start
....
-The first time sshd starts on a FreeBSD system, the system's host keys will be automatically created and the fingerprint will be displayed on the console.
+The first time sshd starts on a FreeBSD system, the system's host keys will be automatically created and the fingerprint will be displayed on the console.
Provide users with the fingerprint so that they can verify it the first time they connect to the server.
Refer to man:sshd[8] for the list of available options when starting sshd and a more complete discussion about authentication, the login process, and the various configuration files.
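Review bot: The touched sentence says the system's host keys (plural) are created and "the fingerprint" (singular) is displayed, and the next line tells admins to "provide users with the fingerprint". Each host key has its own fingerprint, so consider "the fingerprints will be displayed" and "the fingerprint of the key they will be offered", so that users compare against the right value on first connect.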