Proposal regarding security chapter

Tillman Hodgson tillman at seekingfire.com
Mon Nov 22 14:47:29 UTC 2004


On Sun, Nov 21, 2004 at 04:51:12PM -0800, Murray Stokely wrote:
> On Fri, Nov 19, 2004 at 09:00:01PM -0600, Tillman Hodgson wrote:
> > V System Administration -> MAC -> Biba
> > V System Administration -> Firewalls -> PF
> > V System Administration -> Kerberos5
> 
> I think you mean 'Security' here.  As in a new Security <part>, rather
> than two <parts> named 'System Administration'.

Yes.

> > Basically putting all of the security topics on equal footing. This
> > highlights the importance of security, makes individual topics easier to
> > find (and less "deep" in level), 
> 
> Adding a new part and pushing the total chapter count to 30 is going
> to remove some of the "easier to find" justification.

I find that a finely-grained ToC is generally more useful, *especially*
in a reference manual.

> This would also move content about SSH and MAC away from chapters
> about NIS, Unix accounts, other network services, etc.

I don't have a problem with that.

MAC has its own chapter and there's a proposal to make Firewalls its own
chapter. I think that this trend will continue as more detailed
documentation is written about the various security topics.

As a hypothetical end user looking for Security information, if I look
in III System Administration -> Security I'm no longer getting the whole
picture. It's become a "Where's Waldo?" adventure :-)

> I like the original suggestion best: moving the firewall (and OpenSSH
> sections) out of security and into the Network Services <part>.
> Network Services is our newest part, and the System Admin part has
> twice as many chapters as the Network Services <part>.  We should just
> continue the work that began this summer of moving the network bits
> out of the general System Administration part and into the Network
> Services part.  That's what it was created for.

I agree with you as far as network services are concerned. However, I
think that Security is a different topic than network services (albeit
with some overlap).

I guess my concern boils down to this: A hypothetical user who wants to
learn about security w.r.t FreeBSD *but doesn't yet know the right
buzzwords* doesn't have a place to look. They might be able to pick it
up by osmosis if they read two of the largest sections of the Handbook,
but I don't consider that a good solution.

I admit to a bit of bias in this area. In another of my aspects I'm a
security consultant so I tend to advocate making security information
as prominent and accessible as possible.

> I don't think adding another <part> for Security issues is a logical
> division point with just two candidate chapters at this point.

Perhaps poor communication on my part, as I wasn't proposing to create a
new <part> for only two chapters.

Most of the sub-chapters within the existing Security chapter could
easily be promoted to full chapters. For example, I have a patch for
Kerberos5 being reviewed (hopefully ;-)) that will, as a by-product of
covering more sub-topics, expand the sub-chapter by a noticeable amount.
My plan is to next write a second patch to cover the use of OpenSSH in a
Kerberos environment. At that point it'll be almost unwieldy as a
sub-chapter.

I believe that it would be much better organized if it was a chapter
rather than a subchapter -- it's now organized into broad sections that
would work well in that format, and when I see headings like
"14.8.1.2.1" it's starting to resemble SNMP OIDs ;-)

> Security topics are integral to both System Administration and Network
> Services, and we shouldn't remove security information from those
> parts to make a new one.

Or, from a security guy's point of view, security topics transcend both
system administration and network services and we shouldn't be burying
the security information ;-)

> All of these proposals seem to have two things in common :
> 
> 1. The security chapter is too big.
> 2. The firewalls information should go into a separate chapter.

I'd add:

3. Some of the security chapter sub-chapters are getting awfully large
   for the format
4. Making security information prominent and detailed is a worthwhile
   goal for the Handbook

> Moving a chapter between parts is easy.  So how about splitting out
> the firewall content into a new 'firewalls/chapter.sgml' file, and
> then temporarily adding this into the Network Services part.
>
> If it turns out that people do feel there is enough content for a
> whole new <part> dedicated to security, then it will just be a one
> line diff to move the firewalls chapter from the network <part> to a
> new security <part>.

Sure, I have no problems with interim solutions. It's the same work
either way, and "results trump theory" :-)

- Tillman


-- 
 | <- You must be smarter than this stick to ride the Internet 
    -- Mike Handler, paraphrased from Bev White


