<HTML>

<HEAD>

<TITLE>Developer.com - Online Reference Library - 0672311739:RED HAT LINUX 2ND EDITION:System Security</TITLE>

<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">
<SCRIPT>
<!--
function displayWindow(url, width, height) {
        var Win = window.open(url,"displayWindow",'width=' + width +
',height=' + height + ',resizable=1,scrollbars=yes');
}
//-->
</SCRIPT>
</HEAD>





<!-- ISBN=0672311739 //-->

<!-- TITLE=RED HAT LINUX 2ND EDITION //-->

<!-- AUTHOR=DAVID PITTS ET AL //-->

<!-- PUBLISHER=MACMILLAN //-->

<!-- IMPRINT=SAMS PUBLISHING //-->

<!-- PUBLICATION DATE=1998 //-->

<!-- CHAPTER=20 //-->

<!-- PAGES=0395-0410 //-->

<!-- UNASSIGNED1 //-->

<!-- UNASSIGNED2 //-->





















<H3><A NAME="ch20_ 1">

CHAPTER 20

</A></H3>









<H2>



System Security



</H2>



<B>by David Pitts

</B>









<H3><A NAME="ch20_ 2">

IN THIS CHAPTER

</A></H3>











<UL>

<LI>     Thinking About Security&mdash;An Audit



<LI>     Danger, Will Robins, Danger!



<LI>     File and Directory Permissions



<LI>     Passwords&mdash;A Second Look



<LI>     Related WWW Sites

</UL>


















<P>Security is one of the hottest topics in any system debate. How do you

make your site more secure? How do you keep hackers out of your system? How do you make sure that your data

is safe from intruders? How do you keep your company's secrets, secret?

</P>









<P>Your system is as secure as its weakest point. This is an old saying, and one that is still true.

I am reminded of an old Andy Griffith TV show in which the town drunk is sleeping off

another episode in the jail. After he is sober, he looks around at the bars on the windows,

the barred walls, and the gate. &quot;A pretty secure jail,&quot; I thought; then the town drunk pushed

open the door, said good-bye to Barney, and left. So much for the security!

</P>









<P>Many times, systems are as secure as that jail. All the bars and locks are in place, but the

door is left open. This chapter takes a look at what some of the bars and locks are, and explains

how to lock the door. More importantly, though, you will learn how to conduct a security

audit and where to go to get more information.

</P>









<P>Security comes in many forms. Passwords and file permissions are your first two lines of

defense. After that, things get difficult. Security breaches take on many forms. To

understand your particular system and the security issues relevant to your system, you should first

develop a security audit.

</P>









<H3><A NAME="ch20_ 3">

Thinking About Security&mdash;An Audit

</A></H3>









<P>There are three basic parts of a security audit, each with many things to think about. First,

you need to develop a plan, a set of security aspects to be evaluated. Second, you need to

consider the tools that are available for assisting in evaluating the security aspects and choose ones

that are suitable to your system. The third part of a security audit is knowledge gathering&mdash;not

only knowledge of how to use the system, but what the users are doing with the system,

break-in methods for your system, physical security issues, and much more. The following sections

look at each of these three pieces of the audit and offer some direction about where to go for

more information.

</P>









<H4><A NAME="ch20_ 4">





A Plan

</A></H4>









<P>The plan can be as complex as a formal document, or as simple as a few notes scribbled on

the back of a java receipt. Regardless of the complexity, the plan should at least list what aspects

of the system you are going to evaluate, and how. This means asking two questions:

</P>









<UL>

<LI>          What types of security problems could we have?



<LI>          Which ones can we (or should we) attempt to detect or fix?

</UL>









<P>To answer these questions, it might be necessary to ask a few more questions concerning

the following areas:

</P>









<UL>

<LI>          Accountability



<LI>          Change control and tracking



<LI>          Data integrity, including backups



<LI>          Physical security



<LI>          Privacy of data



<LI>          System access



<LI>          System availability

</UL>









<P>Based on the discussion of these topics, a more detailed plan can be developed. As always,

there will be trade-offs. For example, privacy of data could mean that only certain people could

log on to the system, which affects system access for the users. System availability is always in

contention with change control. For example, when do you change that failing hard drive on

a 7&#215;24 system? The bottom line is that the detailed plan that is developed should include a set

of goals; a way of tracking the progression of the goals, including changes to the system; and

a knowledge base of what types of tools are needed to do

the job.

</P>









<H4><A NAME="ch20_ 5">





Tools

</A></H4>









<P>Having the right tools always makes the job easier. That is especially true when you are

dealing with security issues. A number of tools are available on the Internet, including tools to

check passwords, check system security, and protect your system. Some major UNIX-oriented

security organizations assist the UNIX/Red Hat Linux user groups in discussing, testing, and

describing tools available for use. CERT, CIAC, and the Linux Emergency Response Team

are excellent sources of information for both the beginner and advanced system administrator.

</P>









<P>The following list introduces many of the available tools. This should be a good excuse,

though, to surf the Net and see what else is available!

</P>



<TABLE WIDTH="360">

<TR><TD>

cops

</TD><TD>

A set of programs; each checks a different aspect of security

on a UNIX system. If any potential security holes do exist,

the results are either mailed or saved to a report file.

</TD></TR>

<TR><TD>

crack

</TD><TD>

A program designed to find standard UNIX

eight-character DES-encrypted passwords by standard guessing techniques.

</TD></TR>

<TR><TD>

deslogin

</TD><TD>

A remote login program that can be used safely across

insecure networks.

</TD></TR>

<TR><TD>

findsuid.tar.Z

</TD><TD>

Finds changes in setuid (set user ID) and

setgid (set group ID) files.

</TD></TR>

<TR><TD>

finger daemon

</TD><TD>

Secure finger daemon for UNIX. Should compile

out-of-the-box nearly anywhere.

</TD></TR>

<TR><TD>

freestone

</TD><TD>

A portable, fully functional firewall implementation.

</TD></TR>

<TR><TD>

gabriel

</TD><TD>

A satan detector. gabriel gives the system administrator

an early warning of possible network intrusions by detecting

and identifying satan's network probing.

</TD></TR>

<TR><TD>

ipfilter

</TD><TD>

A free packet filter that can be incorporated into any of

the supported operating systems, providing IP

packet-level filtering per interface.

</TD></TR>

<TR><TD>

ipfirewall

</TD><TD>

An IP packet filtering tool, similar to the packet

filtering facilities provided by most commercial routers.

</TD></TR>

<TR><TD>

kerberos

</TD><TD>

A network authentication system for use on physically

insecure networks. It allows entities communicating over networks

to prove their identities to each other while preventing

eavesdropping or replay attacks.

</TD></TR>

<TR><TD>

merlin

</TD><TD>

Takes a popular security tool (such as

tiger, tripwire, cops, crack, or spi) and provides it with an easy-to-use,

consistent graphical interface, simplifying and enhancing its capabilities.

</TD></TR>

<TR><TD>

npasswd

</TD><TD>

passwd replacement with password sanity check.

</TD></TR>

<TR><TD>

obvious-pw.tar.Z

</TD><TD>

An obvious password detector.

</TD></TR>

<TR><TD>

opie

</TD><TD>

Provides a one-time password system for

POSIX-compliant, UNIX-like operating systems.

</TD></TR>

<TR><TD>

pcheck.tar.Z

</TD><TD>

Checks format of /etc/passwd; verifies root default

shell and passwd fields.

</TD></TR>

<TR><TD>

Plugslot Ltd.

</TD><TD>

PCP/PSP UNIX network security and configuration monitor.

</TD></TR>

<TR><TD>

rsaeuro

</TD><TD>

A cryptographic toolkit providing various functions for the

use of digital signatures, data encryption, and supporting

areas (PEM encoding, random number generation, and so on).

</TD></TR>

<TR><TD>

rscan

</TD><TD>

Allows system administrators to execute complex (or

simple) scanner scripts on one (or many) machines and create

clean, formatted reports in either ASCII or HTML.

</TD></TR>

<TR><TD>

satan

</TD><TD>

The security analysis tool for auditing networks. In its

simplest (and default) mode, it gathers as much information

about remote hosts and networks as possible by examining

such network services as finger, NFS, NIS, ftp and

tftp, rexd, and others.

</TD></TR>

<TR><TD>

ssh

</TD><TD>

Secure shell&mdash;a remote login program.

</TD></TR>

<TR><TD>

tcp wrappers

</TD><TD>

Monitor and control remote access to your local

tftp, exec, ftp, rsh, telnet, rlogin, finger, and

systat daemon.

</TD></TR>

<TR><TD>

tiger

</TD><TD>

Scans a system for potential security problems.

</TD></TR>

<TR><TD>

tis firewall toolkit

</TD><TD>

Includes enhancements and bug fixes from V1.2, and

new proxies for HTTP/Gopher and X11.

</TD></TR>

<TR><TD>

tripwire

</TD><TD>

Monitors system for security break-in attempts.

</TD></TR>

</TABLE>
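
<P>As an added illustration (not from the book, and not the code of any tool listed above), the following shell function performs the kind of check the pcheck entry describes: it validates the format of a passwd-style file and verifies root's UID, shell, and password fields. The function name check_passwd, the specific rules, and the sample entries are assumptions made for this example.</P>

```shell
#!/bin/sh
# Added example, not pcheck's code: basic sanity checks on a passwd-format file.
# check_passwd FILE prints one finding per line; exit status is 1 if any exist.
check_passwd() {
    awk -F: '
    function report(msg) { printf "%s:%d: %s\n", FILENAME, FNR, msg; bad = 1 }
    /^[ \t]*$/ { report("blank line"); next }
    NF != 7    { report("expected 7 colon-separated fields, found " NF); next }
    {
        if ($1 == "") report("empty login name")
        else if (seen[$1]++) report("duplicate login name " $1)
        if ($2 == "") report("empty password field for " $1)
        if ($3 !~ /^[0-9]+$/) report("non-numeric UID for " $1)
        else if ($3 == 0 && $1 != "root") report("UID 0 account other than root: " $1)
        if ($4 !~ /^[0-9]+$/) report("non-numeric GID for " $1)
        if ($1 == "root") {
            have_root = 1
            if ($3 != 0) report("root does not have UID 0")
            # Assumption: a sane root shell is at least an absolute path.
            if ($7 !~ /^\//) report("root shell is not an absolute path")
        }
    }
    END {
        if (!have_root) { printf "%s: no root entry\n", FILENAME; bad = 1 }
        exit bad + 0
    }' "$1"
}

# Constructed sample input (not a real system's file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
toor:x:0:0:backup admin:/root:/bin/sh
guest::405:100:guest:/dev/null:/bin/false
alice:x:500:500:Alice:/home/alice
EOF
check_passwd "$sample" || echo "findings listed above"
rm -f "$sample"
```

<P>Run against a copy of the real file first; an entry with an empty second field has no password at all, while an x there normally means the hash is kept in the shadow file.</P>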























</body></html>
