On Mon, Jan 17, 2005 at 12:24:32PM -0500, Robert Connolly wrote:
> Where does beyond-hlfs stuff belong? The most convenient place for me is 
> adding a chapter08,09,10. The first packages I have in mind are iptables with 
> the grsecurity patch, tripwire, grsec-admin (acls), and openssl.

iptables and ACLs belong in the base system, IMO. They are a
fundamental part of a hardened system and should not be left out or
marked optional. I want to say tripwire should also be that way, but I
can at least understand someone not using it in favor of a different
method. Openssl is optional depending on what you are doing.

As far as chapters, just start with 8 and continue.

> Iptables, tripwire, and acl, chains/policies would be added to every package 
> after. Even though these three are in different categories they would have to 
> get installed before any other optional packages.

ACLs need to be much earlier, don't they? Won't some of the previously
installed packages need to be patched? If so, move ACLs up as early as

> So maybe call this category (chapter08) "Policy enforcement and intrusion 
> detection"? This could also include a cron daemon and /etc/weekly scripts.

A simple sample-only config would work well being listed with the
package we are configuring. Later, we can digress into more overall
admin practices with perhaps more examples.


[W]hat country can preserve its liberties, if its rulers are not warned
from time to time that [the] people preserve the spirit of resistance?
Let them take arms...The tree of liberty must be refreshed from time to
time, with the blood of patriots and tyrants.

- Thomas Jefferson, letter to Col. William S. Smith, 1787

