<td width="100%" valign="top" align="left">


<!-- END SUB HEADER -->

<!--Begin Content Column -->

<P>
<B>Intrusion Detection: Network Security beyond the Firewall</B>
<FONT SIZE="-1">
<BR>
<I>(Publisher: John Wiley & Sons, Inc.)</I>
<BR>
Author(s): Terry Escamilla
<BR>
ISBN: 0471290009
<BR>
Publication Date: 11/01/98
</FONT>
<P>



<P>The commonly used terms in SeOS are subject (or <I>accessor</I>) and resource. Access control features include the following:</P>
<DL>
<DD><B>&#149;</B>&nbsp;&nbsp;Login limits that vary by time of day, day of week, source network address, or physical terminal.
<DD><B>&#149;</B>&nbsp;&nbsp;Limits on which programs can be killed, <I>even by root</I>.
<DD><B>&#149;</B>&nbsp;&nbsp;TCP/IP packet filtering by services, host, host-groups, network address, hostname patterns, or port number (firewall-like services).
<DD><B>&#149;</B>&nbsp;&nbsp;TCP/IP access control by user or group combined with the preceding variables, including inbound and outbound connections where applicable. (Joe cannot telnet out; Joe cannot accept a connection.)
<DD><B>&#149;</B>&nbsp;&nbsp;For almost every access control constraint, one can specify time of day, day of week, and controlling terminal. (Joe can run /bin/vi but only on Wednesday from 9&#150;11 and when logged in from IP address 1.2.3.4.)
<DD><B>&#149;</B>&nbsp;&nbsp;Trusted computing base (Tripwire type) protection for SUID/SGID programs that the administrator defines; if the TCB signature changes, the program is no longer trusted and cannot be run until <I>retrusted</I> by the SeOS administrator.
<DD><B>&#149;</B>&nbsp;&nbsp;Division of privileges so that root cannot tamper with auditing or audit files.
<DD><B>&#149;</B>&nbsp;&nbsp;Watchdog daemon that ensures SeOS daemons are running.
<DD><B>&#149;</B>&nbsp;&nbsp;<I>Program pathing</I> that limits access to a resource only when the user is doing so from a particular program name. (Joe can change /etc/hosts but only when done through the /bin/trustme editor.)
<DD><B>&#149;</B>&nbsp;&nbsp;Password quality rules.
<DD><B>&#149;</B>&nbsp;&nbsp;SUDO for root privilege granularity, giving unprivileged users the ability to run a subset of administrative commands (start/stop printers or user management, for example).
<DD><B>&#149;</B>&nbsp;&nbsp;Locking of idle terminals or <I>X</I>-stations after <I>N</I>-minutes of inactivity.
<DD><B>&#149;</B>&nbsp;&nbsp;Full CLI or GUI.
<DD><B>&#149;</B>&nbsp;&nbsp;Resource protection, such as files and directories, even from the root user.
</DL>
<H4 ALIGN="LEFT"><A NAME="Heading22"></A><FONT COLOR="#000077">APIs</FONT></H4>
<P>Program APIs are provided for nearly all of the functions SeOS contains. An arbitrary resource can be defined; access control rules for this resource can be declared; and access requests can be queried by the resource controller using these APIs. Note that this is very much like DCE in that it represents a general-purpose access control framework and is not limited to UNIX semantics like &#147;file on a disk.&#148; In other words, a resource&#146;s controlling program may view different parts of a normal UNIX file as different access control regions, and SeOS can be used to regulate which users (or other accessors) are permitted to access various regions of the file independent of its UNIX permission bits. The resource has a dual identity: (1) as a file with UNIX permission bits and SeOS access control constraints and (2) as a resource whose contents are subdivided into SeOS access control regions that are only meaningful to the program subsystem which <I>owns</I> the file. This idea is <I>very</I> powerful because access control can be applied to concepts that are more granular than traditional UNIX or NT resources.</P>
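<P>The access-control model described above (accessor, resource and action, with time-of-day, source-address and program-pathing constraints, and resources finer than a UNIX file) worked through as an added Python example; this is not SeOS code and uses no SeOS API. The Rule and Request classes, the request_at helper, the "#secrets" region name and the policy entries are constructed for illustration.</P>

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Set, Tuple
# Constructed mini policy model (hypothetical, not SeOS's API): a rule names an
# accessor, resource and action plus optional constraints from the feature list
# above. A resource may be a region of a file that only its owning program knows.
@dataclass
class Rule:
    accessor: str
    resource: str
    action: str
    weekdays: Set[int] = field(default_factory=set)  # 0=Monday ... 6=Sunday
    hours: Optional[Tuple[int, int]] = None          # (start, end), end exclusive
    source: Optional[str] = None                     # required source IP address
    via_program: Optional[str] = None                # program pathing

@dataclass
class Request:
    accessor: str
    resource: str
    action: str
    when: datetime
    source: str      # address the accessor is logged in from
    program: str     # program issuing the request

def request_at(accessor, resource, action, iso_when, source, program) -> Request:
    return Request(accessor, resource, action, datetime.fromisoformat(iso_when), source, program)

def rule_matches(rule: Rule, req: Request) -> bool:
    # A rule applies only if the triple matches and every constraint it sets holds.
    if (rule.accessor, rule.resource, rule.action) != (req.accessor, req.resource, req.action):
        return False
    if rule.weekdays and req.when.weekday() not in rule.weekdays:
        return False
    if rule.hours and not (rule.hours[0] <= req.when.hour < rule.hours[1]):
        return False
    if rule.source and rule.source != req.source:
        return False
    if rule.via_program and rule.via_program != req.program:
        return False
    return True

def check_access(rules: List[Rule], req: Request) -> bool:
    """Default deny: the resource controller allows a request only if some rule matches."""
    return any(rule_matches(r, req) for r in rules)
# Constructed policy mirroring the text's examples (Joe, /bin/vi, /bin/trustme).
POLICY = [
    Rule("joe", "/bin/vi", "exec", weekdays={2}, hours=(9, 11), source="1.2.3.4"),
    Rule("joe", "/etc/hosts", "write", via_program="/bin/trustme"),
    Rule("joe", "/etc/app.conf#secrets", "read"),  # app-defined region of a file
]
```

<P>The third rule shows the dual identity from the text: the UNIX permission bits of /etc/app.conf are untouched, while the owning program asks the framework about a named region of it.</P>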
<H4 ALIGN="LEFT"><A NAME="Heading23"></A><FONT COLOR="#000077">Impact of SeOS on Base Operating System Security</FONT></H4>
<P>Because the system call that SeOS intercepts is eventually executed when access control is permitted, the base operating system&#146;s auditing features are generally unaffected by SeOS. One exception to this occurs with root privilege division.
</P>
<P>Most UNIX systems do not support a standard mechanism for dividing root privileges among multiple users. SeOS includes a program that executes as a root process but performs tasks on behalf of unprivileged users. The SeOS database is configured to control which users are permitted to run special privileged programs. Here, a <I>privileged program</I> means one that is usually not accessible by the ordinary user because it is in a protected directory or because its permission bits do not allow access. This definition does not necessarily include SUID or SGID programs that are addressed separately by SeOS.</P>
<P>Privilege granularity, in which ordinary users can be given limited root privileges, is an exception to base system auditing in that the audit record shows UIDs (real, effective, and audit) that represent <I>root</I> rather than the login user. The UIDs belong to root because SeOS is executing a process on behalf of a requesting user. In other words, this <I>new</I> function is not normally available in UNIX systems. For a monitoring system to assign accountability for a behavior that occurred during privilege delegation, the monitor would need to look at SeOS audit logs as well as the operating system logs.</P>
<P>IDSs are affected in other ways by SeOS and other software products that intercept system calls. You&#146;ll learn more about this concept as you dig into intrusion detection in Part 2, &#147;Intrusion Detection: Beyond Traditional Security,&#148; of this book.</P>
<H4 ALIGN="LEFT"><A NAME="Heading24"></A><FONT COLOR="#000077">SeOS Auditing</FONT></H4>
<P>SeOS emits its own audit trail for security tracking. Even without a security policy, SeOS reports on important activities, such as login, logout, password changes, fork, exec, and so on. The types of events reported include the following:
</P>
<DL>
<DD><B>&#149;</B>&nbsp;&nbsp;Access control success and failures
<DD><B>&#149;</B>&nbsp;&nbsp;Additions, deletions, and changes for the SeOS database
<DD><B>&#149;</B>&nbsp;&nbsp;Individual commands run at the SeOS console window (that exists on each managed node)
<DD><B>&#149;</B>&nbsp;&nbsp;Logins (failures and successes)
<DD><B>&#149;</B>&nbsp;&nbsp;System startup and shutdown
<DD><B>&#149;</B>&nbsp;&nbsp;Audit startup and shutdown
</DL>
<P>As in the base operating system&#146;s audit services, an audit ID (AUID) is added to each audit record.</P>
<P>Audit records are logged in either binary or text form, depending on the configuration. Logs can be consolidated to a central audit server on a scheduled basis. The audit server consolidates the distributed audit logs into a single file by adding the hostname to the beginning of each record, which lets the user filter by hostname at the audit server. On each audited node, one can configure audit filters that determine which types of audit events are forwarded to the audit server. This reduces network bandwidth and reporting time at the audit server because unimportant records are never forwarded.</P>
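<P>The per-node audit filter, the hostname-prefixed consolidation, and the accountability gap raised under privilege granularity above (OS audit records for a delegated task show root in every UID field), as an added Python example; this is not SeOS code. The record fields, the delegated_exec event name and the match on host and pid are constructed assumptions, since the page does not describe SeOS&#146;s audit formats.</P>

```python
# Constructed node audit records (hypothetical format; the page does not give
# SeOS's real audit layout). Every record carries the audit ID (AUID).
NODE_LOGS = {
    "host-a": [
        {"event": "login", "auid": 1001, "user": "joe", "result": "success"},
        {"event": "exec", "auid": 1001, "user": "joe", "program": "/bin/ls", "pid": 4101},
        {"event": "access", "auid": 1001, "user": "joe", "resource": "/etc/hosts", "result": "failure"},
        {"event": "delegated_exec", "auid": 1001, "user": "joe", "program": "/usr/sbin/lpc", "pid": 4177},
    ],
    "host-b": [
        {"event": "login", "auid": 1002, "user": "ann", "result": "failure"},
        {"event": "exec", "auid": 1002, "user": "ann", "program": "/bin/vi", "pid": 880},
    ],
}

# Per-node audit filter: only these event types are forwarded to the audit
# server; routine fork/exec traffic stays in the local log.
FORWARDED = {"login", "access", "delegated_exec", "db_change", "audit_start", "audit_stop"}

def node_filter(records, forwarded=FORWARDED):
    return [r for r in records if r["event"] in forwarded]

def format_record(host, r):
    """Text form with the hostname first, then key=value fields in stable order."""
    fields = " ".join(f"{k}={r[k]}" for k in sorted(r) if k != "event")
    return f"{host} {r['event']} {fields}"

def consolidate(node_logs):
    """Audit server: merge each node's forwarded records into one list of lines."""
    return [format_record(h, r) for h, recs in node_logs.items() for r in node_filter(recs)]

def by_host(lines, host):
    """The hostname prefix is what makes per-host filtering possible at the server."""
    return [l for l in lines if l.split(" ", 1)[0] == host]

def attribute_root_process(host, pid, lines):
    """An OS audit record for a delegated task shows root in all its UID fields,
    so the monitor must consult the SeOS log: the delegated_exec record on the
    same host with the same pid names the user who actually requested it.
    Matching on (host, pid) alone is a constructed simplification."""
    for l in lines:
        parts = l.split()
        if parts[0] == host and parts[1] == "delegated_exec":
            kv = dict(p.split("=", 1) for p in parts[2:])
            if kv.get("pid") == str(pid):
                return kv["user"]
    return None
```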


		<br><br>
		</TD>
    </TR>
	</TABLE>
</BODY>
</HTML>