			</SELECT>
			</font></td>
	</tr>
	</table>
	</form>
<!-- LEFT NAV SEARCH END -->

		</td>
		
<!-- PUB PARTNERS END -->
<!-- END LEFT NAV -->

<td rowspan="8" align="right" valign="top"><img src="/images/iswbls.gif" width=1 height=400 alt="" border="0"></td>
<td><img src="/images/white.gif" width="5" height="1" alt="" border="0"></td>
<!-- end of ITK left NAV -->

<!-- begin main content -->
<td width="100%" valign="top" align="left">


<!-- END SUB HEADER -->

<!--Begin Content Column -->

<FONT FACE="Arial,Helvetica" SIZE="-1">
To access the contents, click the chapter and section titles.
</FONT>
<P>
<B>Intrusion Detection: Network Security beyond the Firewall</B>
<FONT SIZE="-1">
<BR>
<I>(Publisher: John Wiley & Sons, Inc.)</I>
<BR>
Author(s): Terry Escamilla
<BR>
ISBN: 0471290009
<BR>
Publication Date: 11/01/98
</FONT>
<P>


<!-- Empty Reference Subhead -->

<!--ISBN=0471290009//-->
<!--TITLE=Intrusion Detection: Network Security Beyond the Firewall//-->
<!--AUTHOR=Terry Escamilla//-->
<!--PUBLISHER=John Wiley & Sons, Inc.//-->
<!--IMPRINT=Wiley Computer Publishing//-->
<!--CHAPTER=2//-->
<!--PAGES=031-034//-->
<!--UNASSIGNED1//-->
<!--UNASSIGNED2//-->

<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="029-031.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="034-036.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>
<P><BR></P>
</P>
<P>The /etc/passwd file can be read by any user on the system. Because password information is stored in this file, someone may be able to guess or crack passwords. For increased security, most modern UNIX variants rely on a <I>shadow</I> password file that is stored in a directory which only certain users can read&mdash;notably root and perhaps a security administrator. The system then would rely on both /etc/passwd and another file, such as /etc/security/passwd in IBM&rsquo;s AIX version of UNIX. In this shadow configuration, passwords are stored in the shadow password file and the other user information from Table 2.1 remains in /etc/passwd. Technically, user information for AIX is stored in /etc/passwd, /etc/security/user, and /etc/security/passwd. UNIX operating systems may depend on many different files for user and group data, but /etc/passwd is always present.</P>
<H4 ALIGN="LEFT"><A NAME="Heading4"></A><FONT COLOR="#000077">Superuser</FONT></H4>
<P>Most UNIX systems ship with a default set of usernames and UIDs. These accounts have special privileges throughout the system. Of particular interest is UID zero (0) which identifies the <I>superuser</I>. On most UNIX operating systems, this UID is associated with the username <I>root</I>. With the exception of a few operations, the root user is given complete control over the machine and operating system.</P>
<P>The preceding comments assume that the version of UNIX you are using has not been modified in a special way that prevents root from controlling the entire system. Some UNIX variants implement a security model based on <I>privileges</I> that can be used to more tightly constrain the root user&rsquo;s actions. UNIX derivatives that have the majority of the market share implement only <I>discretionary access control</I> (DAC) at best, and as a result, suffer from the <I>root problem</I>. If a person can gain root access to a system, that person then can do almost anything on the system. This problem will be analyzed in more detail when you learn about access control in Chapter 3, &ldquo;The Role of Access Control in Your Environment.&rdquo;</P>
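<P>The two points above, a password hash that is still readable in /etc/passwd instead of the shadow file and a second UID-0 account besides root, are both visible from the passwd file itself. The following audit is an added example and is not code from the book; the sample records are constructed for it, and the finding codes are names chosen here.</P>

```python
# Added example (not from the book): audit /etc/passwd-style records for
# exposed password hashes, empty password fields and extra UID-0 accounts.
# Each record has the classic seven colon-separated fields:
# name:password:UID:GID:GECOS:home:shell

# Constructed sample: one hash left in the world-readable file, one account
# with an empty password field, and a second UID-0 account besides root.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
legacy:$6$constructed$NOTAREALHASH:1001:1001:Legacy service:/var/legacy:/bin/sh
toor:x:0:0:second superuser:/root:/bin/sh
guest::1002:1002:Guest:/home/guest:/bin/sh
"""

FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text):
    """Return one dict per record. A malformed line raises ValueError so a
    corrupted passwd file is reported rather than silently skipped."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError("line %d: expected 7 fields, got %d" % (lineno, len(parts)))
        rec = dict(zip(FIELDS, parts))
        rec["uid"] = int(rec["uid"])
        rec["gid"] = int(rec["gid"])
        records.append(rec)
    return records


def audit_passwd(text):
    """Return (username, finding) pairs in file order.

    EMPTY_PASSWORD  - empty password field: the account can log in without
                      a password on systems that honour such an entry
    HASH_IN_PASSWD  - the field holds something other than the shadow marker
                      'x' or a lock marker ('*', '!'), so a hash is exposed
                      to every user who can read the file
    EXTRA_UID0      - a UID-0 account other than root; it has exactly the
                      unrestricted control the text describes for root
    """
    findings = []
    for rec in parse_passwd(text):
        pw = rec["password"]
        if pw == "":
            findings.append((rec["name"], "EMPTY_PASSWORD"))
        elif pw != "x" and not pw.startswith(("*", "!")):
            findings.append((rec["name"], "HASH_IN_PASSWD"))
        if rec["uid"] == 0 and rec["name"] != "root":
            findings.append((rec["name"], "EXTRA_UID0"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_passwd(SAMPLE_PASSWD):
        print("%-8s %s" % (name, finding))
```

<P>To run it against a real system, read /etc/passwd into a string and pass it to audit_passwd(); on a shadowed system every password field should be the marker or a lock value, and the only UID-0 entry should be root.</P>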
<H4 ALIGN="LEFT"><A NAME="Heading5"></A><FONT COLOR="#000077">What Are the Subjects in UNIX?</FONT></H4>
<P>Although users and groups are important entities in the UNIX security model, the main subject in the model is the <I>process</I>. A process is a program running within the context of the operating system. Every process is associated with a UID and one or more GIDs. Technically, several UIDs and GIDs for each process are available, but it is better to momentarily consider a simpler model in which a process is associated with a single UID and with one or more GIDs. Each process also is assigned an integer process ID or <I>PID</I> to uniquely differentiate it from other processes. When the login phase is complete for a user, the operating system constructs a process to <I>execute on behalf of</I> that user. This user process is <I>tagged</I> with the UID and GIDs assigned to that user in /etc/passwd and /etc/group.</P>
<P>If the I&#38;A step succeeds, the operating system will know both your UID and GIDs. To create a process, the operating system initializes several data structures in the kernel and starts a program for the user who is requesting access. The program started after I&#38;A is the <I>shell</I> defined for the user in /etc/passwd. From the shell a user can start other programs or exit the system. Notice that the operating system assigns the initial UID and GIDs, or the <I>credentials</I>, for the shell process.</P>
<P>The operating system also provides interfaces for changing the UID and primary GID of a process. Because the UID and GIDs are used in access control decisions made by the operating system, changing your UID or GID can give you additional (or fewer) privileges on the system. As such, the mechanisms for changing credentials in an operating system must be tightly controlled. Numerous attacks have been made on systems as a result of implementation problems in this area. Briefly, here is what happens.</P>
<P>By design, a program with special privileges can be executed by arbitrary users. The program needs special privileges because it must access some portion of the file system or a device that a normal user cannot. Due to a bug in its implementation, the privileged program can be diverted into doing something that it was not supposed to do. In many cases, the program is tricked into giving the normal user enough power to become the root user on the system. If such a flaw exists and if local users can take advantage of that flaw, you have a serious security problem. If a remote user can exploit this weakness <I>without a login account on your system</I>, such as by supplying data to a form on your Web server, you have a catastrophic problem!</P>
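<P>Two defender-side checks follow from the last three paragraphs: a privileged program should give up its credentials as early and as irrevocably as it can, and an administrator should know which set-UID and set-GID programs exist on the system, since those are the programs arbitrary users can run with someone else's credentials. The code below is an added example, not from the book; it assumes a Linux-style system where the os module exposes the credential calls, and the UID 65534 used as the drop target is an assumed placeholder for the conventional nobody account.</P>

```python
# Added example (not from the book): inspect, drop and inventory process
# credentials on a UNIX-like system. UNPRIVILEGED_UID/GID are placeholders.
import os
import stat
import tempfile

UNPRIVILEGED_UID = 65534   # assumed 'nobody'; adjust for your system
UNPRIVILEGED_GID = 65534


def current_credentials():
    """The identity the kernel uses for this process's access decisions."""
    return {"uid": os.getuid(), "euid": os.geteuid(),
            "gid": os.getgid(), "egid": os.getegid(),
            "groups": sorted(os.getgroups())}


def drop_privileges(uid, gid):
    """Permanently give up privilege: supplementary groups first, then GID,
    then UID (after setuid() an unprivileged process can no longer change its
    GID). Returns True only if the process can no longer become UID 0."""
    if uid == 0:
        raise ValueError("dropping to UID 0 is not a drop")
    if os.geteuid() == 0:
        os.setgroups([])            # needs privilege, so only while still root
    os.setgid(gid)
    os.setuid(uid)
    if (os.getuid(), os.geteuid()) != (uid, uid) or (os.getgid(), os.getegid()) != (gid, gid):
        return False
    try:
        os.setuid(0)                # must fail: no saved root UID to return to
    except PermissionError:
        return True
    return False


def drop_privileges_in_child():
    """Run drop_privileges() in a forked child so the caller keeps its own
    identity. As root the child drops to the placeholder UID; as an ordinary
    user it re-asserts its own UID, which still exercises every check."""
    if os.geteuid() == 0:
        target = (UNPRIVILEGED_UID, UNPRIVILEGED_GID)
    else:
        target = (os.getuid(), os.getgid())
    pid = os.fork()
    if pid == 0:
        ok = False
        try:
            ok = drop_privileges(*target)
        finally:
            os._exit(0 if ok else 1)
    _, status = os.waitpid(pid, 0)
    return os.WIFEXITED(status) and os.WEXITSTATUS(status) == 0


def find_privileged_files(root):
    """Inventory of set-UID ('u') / set-GID ('g') files below root.
    Symlinks are skipped: the bits live on the target, not on the link."""
    found = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            flags = ("u" if st.st_mode & stat.S_ISUID else "") + \
                    ("g" if st.st_mode & stat.S_ISGID else "")
            if flags:
                found.append((os.path.relpath(path, root), flags, st.st_uid))
    return sorted(found)


def scan_constructed_tree():
    """Build a throw-away directory with one set-UID file and one ordinary
    file (constructed input), scan it, and return the names flagged."""
    root = tempfile.mkdtemp(prefix="suid-scan-")
    try:
        suid, plain = os.path.join(root, "suid-tool"), os.path.join(root, "plain-tool")
        for p in (suid, plain):
            with open(p, "w") as f:
                f.write("#!/bin/sh\nexit 0\n")
        os.chmod(suid, 0o4755)      # the owner may set the set-UID bit on own file
        os.chmod(plain, 0o755)
        return [name for name, _flags, _uid in find_privileged_files(root)]
    finally:
        for name in os.listdir(root):
            os.unlink(os.path.join(root, name))
        os.rmdir(root)


if __name__ == "__main__":
    print("credentials:", current_credentials())
    print("irrevocable drop verified in child:", drop_privileges_in_child())
    print("set-UID files in constructed tree:", scan_constructed_tree())
```

<P>Pointing find_privileged_files() at a real directory such as /usr/bin gives the list of programs to review; any entry that is not in the vendor's expected set is worth an explanation. The order of calls in drop_privileges() matters: setgroups() and setgid() must come before setuid(), and the final setuid(0) attempt is what proves the saved UID was dropped too.</P>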
<H4 ALIGN="LEFT"><A NAME="Heading6"></A><FONT COLOR="#000077">UNIX Login</FONT></H4>
<P>UNIX processes are related hierarchically. As part of the initial boot sequence, the UNIX kernel starts the <I>init</I> process, which is the parent of all other processes on the system. To enable logins into the system, init will start a <I>getty</I> program for each terminal (TTY) attached to the system. The getty program performs several tasks unrelated to I&#38;A (setting terminal line speed, for example) and then displays a login prompt. Both init and getty run with root privileges. In other words, they have a UID of 0.</P>
<P>When a person finishes typing in a username at the terminal login prompt and then presses the Enter or Return key, getty will overlay itself with the login program and pass to it the username just captured. The login program <I>inherits</I> root privileges because it is started as a child of getty. One of the defining characteristics of UNIX is this notion of <I>process inheritance</I>. When a parent process starts a child process, as a default behavior in UNIX, the child inherits many of the data structures being used by the parent, including the parent&rsquo;s security credentials.</P>
<P>Login next prompts the user to enter a password. Any keystrokes made by the user are not echoed to the screen to prevent <I>shoulder surfing</I>&mdash;an old hacker attack. If the password entered is correct, the login program then adds the following:</P>
<DL>
<DD><B>&bull;</B>&nbsp;&nbsp;A record into /etc/utmp that contains the list of currently logged-in users
<DD><B>&bull;</B>&nbsp;&nbsp;A record into /etc/wtmp that is used to keep track of login histories
</DL>
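<P>What those utmp and wtmp records contain, and how the init, getty and login chain shows up in them, is easiest to see by writing a few records and reading them back. The following is an added example and not code from the book. It assumes the record layout of glibc's struct utmp on x86_64 (384 bytes, with 32-bit time fields); because the writer and reader below share that layout, the constructed records parse the same way on any platform. Modern systems keep these files under /var/run and /var/log rather than /etc, and the host address in the sample is from a documentation range.</P>

```python
# Added example (not from the book): build and read login-accounting records
# of the kind the login program writes to utmp and wtmp.
# Layout assumption: glibc struct utmp on x86_64 (384 bytes, 32-bit times).
import struct
from datetime import datetime, timezone

# type, 2 pad bytes, pid, line[32], id[4], user[32], host[256],
# exit status (2 shorts), session, tv_sec, tv_usec, addr_v6[4], reserved[20]
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384 on the assumed layout

BOOT_TIME, LOGIN_PROCESS, USER_PROCESS, DEAD_PROCESS = 2, 6, 7, 8


def _fixed(text, width):
    """NUL-padded fixed-width field, as the C struct stores strings."""
    return text.encode()[:width].ljust(width, b"\0")


def pack_record(ut_type, pid, line, user, host, when, ident=""):
    """Serialise one record; 'when' is a UNIX timestamp."""
    return struct.pack(UTMP_FMT, ut_type, pid, _fixed(line, 32), _fixed(ident, 4),
                       _fixed(user, 32), _fixed(host, 256),
                       0, 0, 0, int(when), 0, 0, 0, 0, 0)


def parse_records(data):
    """Decode a utmp/wtmp byte string into one dict per record."""
    if len(data) % UTMP_SIZE:
        raise ValueError("data is not a whole number of %d-byte records" % UTMP_SIZE)

    def cstr(raw):
        return raw.split(b"\0", 1)[0].decode(errors="replace")

    out = []
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        out.append({"type": f[0], "pid": f[1], "line": cstr(f[2]), "id": cstr(f[3]),
                    "user": cstr(f[4]), "host": cstr(f[5]), "time": f[9]})
    return out


def sessions(records):
    """Pair each USER_PROCESS record with the next DEAD_PROCESS on the same
    terminal line, the way last(1) reconstructs sessions from wtmp.
    Returns (user, line, host, login_time, logout_time_or_None)."""
    open_by_line, result = {}, []
    for r in records:
        if r["type"] == USER_PROCESS:
            open_by_line[r["line"]] = r
        elif r["type"] == DEAD_PROCESS and r["line"] in open_by_line:
            s = open_by_line.pop(r["line"])
            result.append((s["user"], s["line"], s["host"], s["time"], r["time"]))
    for s in open_by_line.values():          # still logged in
        result.append((s["user"], s["line"], s["host"], s["time"], None))
    return result


def remote_root_logins(records):
    """Sessions where root logged in from a remote host: given the root
    problem described in the text, the wtmp entries most worth reviewing."""
    return [s for s in sessions(records) if s[0] == "root" and s[2]]


# Constructed wtmp: boot, getty waiting on tty1, login overlaying the same PID
# once alice authenticates, a remote root login, then alice logging out.
T0 = 915148800                                       # 1999-01-01 00:00:00 UTC
SAMPLE_WTMP = b"".join([
    pack_record(BOOT_TIME, 0, "~", "reboot", "", T0, "~~"),
    pack_record(LOGIN_PROCESS, 101, "tty1", "LOGIN", "", T0 + 60, "1"),
    pack_record(USER_PROCESS, 101, "tty1", "alice", "", T0 + 120, "1"),
    pack_record(USER_PROCESS, 230, "pts/0", "root", "203.0.113.7", T0 + 300, "ts/0"),
    pack_record(DEAD_PROCESS, 101, "tty1", "", "", T0 + 3720, "1"),
])


if __name__ == "__main__":
    def hhmm(t):
        return datetime.fromtimestamp(t, tz=timezone.utc).strftime("%H:%M")
    for user, line, host, start, end in sessions(parse_records(SAMPLE_WTMP)):
        print("%-6s %-6s %-12s %s - %s" % (user, line, host or "local", hhmm(start),
                                           hhmm(end) if end else "still logged in"))
    print("remote root logins:", remote_root_logins(parse_records(SAMPLE_WTMP)))
```

<P>Note that the LOGIN_PROCESS and USER_PROCESS records for tty1 share PID 101: getty overlays itself with login, which keeps the same process, so the record is updated in place rather than given a new PID. The pairing in sessions() is also why a truncated or tampered wtmp shows up as sessions that never end.</P>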
<P><BR></P>


<!-- all of the reference materials (books) have the footer and subfoot reversed -->
<!-- reference_subfoot = footer -->
<!-- reference_footer = subfoot -->

<!-- BEGIN SUB FOOTER -->
		<br><br>
		</TD>
    </TR>
	</TABLE>

		
	<table width="640" border=0 cellpadding=0 cellspacing=0>
		<tr>
		<td align="left" width=135><img src="/images/white.gif" width=100 height="1" alt="" border="0"></td>
		
		
<!-- END SUB FOOTER -->


<!-- FOOTER -->
			
		<td width="515" align="left" bgcolor="#FFFFFF">
<font face="arial, helvetica" size="1"><b><a href="/products.html"><font color="#006666">Products</font></a>&nbsp;|&nbsp; <a href="/contactus.html"><font color="#006666">Contact Us</font></a>&nbsp;|&nbsp; <a href="/aboutus.html"><font color="#006666">About Us</font></a>&nbsp;|&nbsp; <a href="http://www.earthweb.com/corporate/privacy.html" target="_blank"><font color="#006666">Privacy</font></a> &nbsp;|&nbsp; <a href="http://www.itmarketer.com/" target="_blank"><font color="#006666">Ad Info</font></a> &nbsp;|&nbsp; <a href="/"><font color="#006666">Home</font></a></b>
		<br><br>
		
		Use of this site is subject to certain <a href="/agreement.html">Terms &amp; Conditions</a>, <a href="/copyright.html">Copyright &copy; 1996-1999 EarthWeb Inc.</a><br> 
All rights reserved.  Reproduction whole or in part in any form or medium without express written permission of EarthWeb is prohibited.</font><p>
</td>
		</tr>
</table>
</BODY>
</HTML>

<!-- END FOOTER -->
