Practical UNIX and Internet Security, 3rd Edition

Book Description

When Practical Unix Security was first published more than a decade ago, it became an instant classic. Crammed with information about host security, it saved many a Unix system administrator from disaster. The second edition added much-needed Internet security coverage and doubled the size of the original volume. The third edition is a comprehensive update of this very popular book - a companion for the Unix/Linux system administrator who needs to secure his or her organization's system, networks, and web presence in an increasingly hostile world. Focusing on the four most popular Unix variants today--Solaris, Mac OS X, Linux, and FreeBSD--this book contains new information on PAM (Pluggable Authentication Modules), LDAP, SMB/Samba, anti-theft technologies, embedded systems, wireless and laptop issues, forensics, intrusion detection, chroot jails, telephone scanners and firewalls, virtual and cryptographic filesystems, WebNFS, kernel security levels, outsourcing, legal issues, new Internet protocols and cryptographic algorithms, and much more. Practical Unix & Internet Security consists of six parts:

  • Computer security basics: introduction to security problems and solutions, Unix history and lineage, and the importance of security policies as a basic element of system security.

  • Security building blocks: fundamentals of Unix passwords, users, groups, the Unix filesystem, cryptography, physical security, and personnel security.

  • Network security: a detailed look at modem and dialup security, TCP/IP, securing individual network services, Sun's RPC, various host and network authentication systems (e.g., NIS, NIS+, and Kerberos), NFS and other filesystems, and the importance of secure programming.

  • Secure operations: keeping up to date in today's changing security world, backups, defending against attacks, performing integrity management, and auditing.

  • Handling security incidents: discovering a break-in, dealing with programmed threats and denial of service attacks, and legal aspects of computer security.

  • Appendixes: a comprehensive security checklist and a detailed bibliography of paper and electronic references for further reading and research.

Packed with 1000 pages of helpful text, scripts, checklists, tips, and warnings, this third edition remains the definitive reference for Unix administrators and anyone who cares about protecting their systems and data from today's threats.

Table of Contents

  1. Practical Unix & Internet Security, 3rd Edition
  2. A Note Regarding Supplemental Files
  3. Preface
    1. Unix “Security”?
      1. What This Book Is
      2. What This Book Is Not
      3. Third-Party Security Tools
    2. Scope of This Book
    3. Which Unix System?
      1. Versions Covered in This Book
      2. “Secure” Versions of Unix
    4. Conventions Used in This Book
    5. Comments and Questions
    6. Acknowledgments
      1. Third Edition
      2. Second Edition
      3. First Edition
    7. A Note to Would-Be Attackers
  4. I. Computer Security Basics
    1. 1. Introduction: Some Fundamental Questions
      1. What Is Computer Security?
      2. What Is an Operating System?
      3. What Is a Deployment Environment?
      4. Summary
    2. 2. Unix History and Lineage
      1. History of Unix
        1. Multics: The Unix Prototype
        2. The Birth of Unix
          1. Unix escapes AT&T
          2. Unix goes commercial
          3. The Unix Wars: Why Berkeley 4.2 over System V
          4. Unix Wars 2: SVR4 versus OSF/1
        3. Free Unix
          1. FSF and GNU
          2. Minix
          3. Xinu
          4. Linux
          5. NetBSD, FreeBSD, and OpenBSD
          6. Businesses adopt Unix
        4. Second-Generation Commercial Unix Systems
        5. What the Future Holds
      2. Security and Unix
        1. Expectations
        2. Software Quality
        3. Add-on Functionality Breeds Problems
        4. The Failed P1003.1e/2c Unix Security Standard
      3. Role of This Book
      4. Summary
    3. 3. Policies and Guidelines
      1. Planning Your Security Needs
        1. Types of Security
        2. Trust
      2. Risk Assessment
        1. Steps in Risk Assessment
          1. Identifying assets
          2. Identifying threats
        2. Review Your Risks
      3. Cost-Benefit Analysis and Best Practices
        1. The Cost of Loss
        2. The Probability of a Loss
        3. The Cost of Prevention
        4. Adding Up the Numbers
        5. Best Practices
        6. Convincing Management
      4. Policy
        1. The Role of Policy
        2. Standards
        3. Guidelines
        4. Some Key Ideas in Developing a Workable Policy
          1. Assign an owner
          2. Be positive
          3. Remember that employees are people too
          4. Concentrate on education
          5. Have authority commensurate with responsibility
          6. Be sure you know your security perimeter
          7. Pick a basic philosophy
          8. Defend in depth
        5. Risk Management Means Common Sense
      5. Compliance Audits
      6. Outsourcing Options
        1. Formulating Your Plan of Action
        2. Choosing a Vendor
          1. Get a referral and insist on references
          2. Beware of soup-to-nuts
          3. Insist on breadth of background
          4. People
          5. “Reformed” hackers
        3. Monitoring Services
        4. Final Words on Outsourcing
      7. The Problem with Security Through Obscurity
        1. Keeping Secrets
        2. Responsible Disclosure
      8. Summary
  5. II. Security Building Blocks
    1. 4. Users, Passwords, and Authentication
      1. Logging in with Usernames and Passwords
        1. Unix Usernames
        2. Authenticating Users
        3. Authenticating with Passwords
          1. Entering your password
          2. Changing your password
          3. Verifying your new password
          4. Changing another user’s password
      2. The Care and Feeding of Passwords
        1. Bad Passwords: Open Doors
        2. Smoking Joes
        3. Good Passwords: Locked Doors
        4. Password Synchronization: Using the Same Password on Many Machines
        5. Writing Down Passwords
      3. How Unix Implements Passwords
        1. The /etc/passwd File
        2. The Unix Encrypted Password System
          1. The traditional crypt ( ) algorithm
          2. Unix salt
          3. crypt16( ), DES Extended, and Modular Crypt Format
          4. The shadow password and master password files
        3. One-Time Passwords
        4. Public Key Authentication
      4. Network Account and Authorization Systems
        1. Using Network Authorization Systems
        2. Viewing Accounts in the Network Database
          1. NIS and NIS+
          2. Kerberos and DCE
          3. NetInfo
          4. RADIUS
          5. LDAP
      5. Pluggable Authentication Modules (PAM)
      6. Summary
    2. 5. Users, Groups, and the Superuser
      1. Users and Groups
        1. The /etc/passwd File
        2. User Identifiers (UIDs)
        3. Groups and Group Identifiers (GIDs)
          1. The /etc/group file
      2. The Superuser (root)
        1. What the Superuser Can Do
        2. What the Superuser Can’t Do
        3. Any Username Can Be a Superuser
        4. The Problem with the Superuser
      3. The su Command: Changing Who You Claim to Be
        1. Real and Effective UIDs with the su Command
          1. Saved IDs
          2. Other IDs
        2. Becoming the Superuser
        3. Use su with Caution
        4. Using su to Run Commands from Scripts
        5. Restricting su
        6. The su Log
          1. The sulog under Solaris
          2. The sulog under Berkeley Unix
          3. The sulog under Red Hat Linux
          4. Final caution
        7. sudo: A More Restrictive su
      4. Restrictions on the Superuser
        1. Secure Terminals: Limiting Where the Superuser Can Log In
        2. BSD Kernel Security Levels
        3. Linux Capabilities
      5. Summary
    3. 6. Filesystems and Security
      1. Understanding Filesystems
        1. UFS and the Fast File System
          1. File contents
          2. Inodes
          3. Directories and links
        2. The Virtual Filesystem Interface
        3. Current Directory and Paths
      2. File Attributes and Permissions
        1. Exploring with the ls Command
        2. File Times
        3. File Permissions
          1. A file permissions example
        4. Directory Permissions
      3. chmod: Changing a File’s Permissions
        1. Setting a File’s Permissions
          1. Calculating octal file permissions
          2. Using octal file permissions
        2. Access Control Lists
      4. The umask
        1. The umask Command
        2. Common umask Values
      5. SUID and SGID
        1. Sticky Bits
        2. SGID and Sticky Bits on Directories
        3. SGID Bit on Files (System V-Derived Unix Only): Mandatory Record Locking
        4. Problems with SUID
        5. SUID Scripts
          1. An example of a SUID attack: IFS and the /usr/lib/preserve hole
        6. Finding All of the SUID and SGID Files
          1. The Solaris ncheck command
        7. Turning Off SUID and SGID in Mounted Filesystems
      6. Device Files
        1. Unauthorized Device Files
      7. Changing a File’s Owner or Group
        1. chown: Changing a File’s Owner
          1. Old and new chown behavior
          2. Use chown with caution
        2. chgrp: Changing a File’s Group
      8. Summary
    4. 7. Cryptography Basics
      1. Understanding Cryptography
        1. Roots of Cryptography
        2. Cryptography as a Dual-Use Technology
        3. A Cryptographic Example
        4. Cryptographic Algorithms and Functions
      2. Symmetric Key Algorithms
        1. Cryptographic Strength of Symmetric Algorithms
        2. Key Length with Symmetric Key Algorithms
        3. Common Symmetric Key Algorithms
        4. Attacks on Symmetric Encryption Algorithms
          1. Key search (brute force) attacks
          2. Cryptanalysis
          3. Systems-based attacks
      3. Public Key Algorithms
        1. Uses for Public Key Encryption
          1. Encrypted messaging
          2. Digital signatures
        2. Attacks on Public Key Algorithms
          1. Key search attacks
          2. Analytic attacks
          3. Known versus published methods
      4. Message Digest Functions
        1. Message Digest Algorithms at Work
        2. Uses of Message Digest Functions
        3. HMAC
        4. Attacks on Message Digest Functions
      5. Summary
    5. 8. Physical Security for Servers
      1. Planning for the Forgotten Threats
        1. The Physical Security Plan
        2. The Disaster Recovery Plan
        3. Other Contingencies
      2. Protecting Computer Hardware
        1. Protecting Against Environmental Dangers
          1. Fire
          2. Smoke
          3. Dust
          4. Earthquakes
          5. Explosions
          6. Extreme temperatures
          7. Bugs (biological)
          8. Electrical noise
          9. Lightning
          10. Vibration
          11. Humidity
          12. Water
          13. Environmental monitoring
        2. Preventing Accidents
          1. Food and drink
        3. Controlling Physical Access
          1. Raised floors and dropped ceilings
          2. Entrance through air ducts
          3. Glass walls
        4. Defending Against Vandalism
          1. Ventilation holes
          2. Network cables
          3. Network connectors
          4. Utility connections
        5. Defending Against Acts of War and Terrorism
      3. Preventing Theft
        1. Understanding Computer Theft
        2. Laptops and Portable Computers
          1. Locks
          2. Tagging
        3. Laptop Recovery Software and Services
        4. RAM Theft
        5. Encryption
      4. Protecting Your Data
        1. Eavesdropping
          1. Wiretapping
          2. Eavesdropping over local area networks (Ethernet and twisted pairs)
          3. Eavesdropping on 802.11 wireless LANs
          4. Eavesdropping by radio and using TEMPEST
          5. Fiber optic cable
          6. Keyboard monitors
        2. Protecting Backups
          1. Verify your backups
          2. Protect your backups
        3. Sanitizing Media Before Disposal
        4. Sanitizing Printed Media
        5. Protecting Local Storage
          1. Printer buffers
          2. Printer output
          3. X terminals
          4. Function keys
        6. Unattended Terminals
          1. Built-in shell autologout
          2. Screensavers
        7. Key Switches
      5. Story: A Failed Site Inspection
        1. What We Found
          1. Fire hazards
          2. Potential for eavesdropping and data theft
          3. Easy pickings
          4. Physical access to critical computers
          5. Possibilities for sabotage
        2. Nothing to Lose?
      6. Summary
    6. 9. Personnel Security
      1. Background Checks
        1. Intensive Investigations
        2. Rechecks
      2. On the Job
        1. Initial Training
        2. Ongoing Training and Awareness
        3. Performance Reviews and Monitoring
        4. Auditing Access
        5. Least Privilege and Separation of Duties
      3. Departure
      4. Other People
      5. Summary
  6. III. Network and Internet Security
    1. 10. Modems and Dialup Security
      1. Modems: Theory of Operation
        1. Serial Interfaces
        2. The RS-232 Serial Protocol
        3. Originate and Answer
        4. Baud and bps
      2. Modems and Security
        1. Banners
        2. Caller-ID and Automatic Number Identification
        3. One-Way Phone Lines
        4. Protecting Against Eavesdropping
          1. Kinds of eavesdropping
          2. Eavesdropping countermeasures
        5. Managing Unauthorized Modems with Telephone Scanning and Telephone Firewalls
          1. Telephone scanning
          2. Telephone firewalls
          3. Limitations of scanning and firewalls
      3. Modems and Unix
        1. Connecting a Modem to Your Computer
        2. Setting Up the Unix Device
        3. Checking Your Modem
          1. Originate testing
          2. Answer testing
          3. Privilege testing
        4. Protection of Modems and Lines
      4. Additional Security for Modems
      5. Summary
    2. 11. TCP/IP Networks
      1. Networking
        1. The Internet
          1. Today’s Internet
          2. Who’s on the Internet?
        2. Networking and Unix
      2. IP: The Internet Protocol
        1. Internet Addresses
          1. IP networks
          2. Classical network addresses
          3. CIDR addresses
        2. Routing
        3. Hostnames
          1. Format of the hostname
          2. The /etc/hosts file
        4. Packets and Protocols
          1. ICMP
          2. TCP
          3. UDP
        5. Clients and Servers
        6. Name Service
          1. DNS under Unix
          2. Other naming services
      3. IP Security
        1. Using Encryption to Protect IP Networks from Eavesdropping
        2. Hardening Against Attacks
        3. Firewalls and Physical Isolation
        4. Improving Authentication
          1. Authentication and DNS
          2. Authentication and email
          3. ¡April Fools! authentication and Netnews
          4. Adding authentication to TCP/IP with ident
        5. Decoy Systems
      4. Summary
    3. 12. Securing TCP and UDP Services
      1. Understanding Unix Internet Servers and Services
        1. The /etc/services File
          1. Calling getservbyname( )
          2. Ports cannot be trusted
        2. Starting the Servers
          1. Startup on different Unix systems
          2. Startup examples
        3. The inetd Program
      2. Controlling Access to Servers
        1. Access Control Lists with TCP Wrappers
          1. What TCP Wrappers does
          2. The TCP Wrappers configuration language
          3. Making sense of your TCP Wrappers configuration files
        2. Using a Host-Based Packet Firewall
          1. The ipfw host-based firewall
          2. An ipfw example
      3. Primary Unix Network Services
        1. echo and chargen (TCP and UDP Ports 7 and 19)
        2. systat (TCP Port 11)
        3. FTP: File Transfer Protocol (TCP Ports 20 and 21)
          1. Anonymous FTP
          2. FTP active mode
          3. FTP passive mode
          4. Setting up an FTP server
          5. Restricting FTP with the standard Berkeley FTP server
          6. Setting up anonymous FTP with the standard Unix FTP server
          7. Allowing only FTP access
        4. SSH: The Secure Shell (TCP Port 22)
          1. Host authentication with SSH
          2. Client authentication with SSH
        5. Telnet (TCP Port 23)
        6. SMTP: Simple Mail Transfer Protocol (TCP Port 25)
          1. Configuration files
          2. Security concerns with SMTP banners and commands
          3. SMTP relaying and bulk email (a.k.a. spam)
          4. Overflowing system mailboxes
          5. Delivery to programs
          6. Overall security of Berkeley sendmail versus other MTAs
        7. TACACS and TACACS+ (UDP Port 49)
        8. Domain Name System (DNS) (TCP and UDP Port 53)
          1. DNS zone transfers
          2. DNS nameserver attacks
          3. DNSSEC
          4. DNS best practices
        9. BOOTP: Bootstrap Protocol, and DHCP: Dynamic Host Configuration Protocol (UDP Ports 67 and 68)
        10. TFTP: Trivial File Transfer Protocol (UDP Port 69)
        11. finger (TCP Port 79)
          1. The .plan and .project files
          2. Disabling finger
        12. HTTP, HTTPS: HyperText Transfer Protocol (TCP Ports 80, 443)
        13. POP, POPS: Post Office Protocol, and IMAP, IMAPS: Internet Message Access Protocol (TCP Ports 109, 110, 143, 993, 995)
        14. Sun RPC’s portmapper (UDP and TCP Port 111)
        15. Identification Protocol (TCP Port 113)
        16. NNTP: Network News Transport Protocol (TCP Port 119)
        17. NTP: Network Time Protocol (UDP Port 123)
          1. Sudden changes in time
          2. An NTP example
        18. SNMP: Simple Network Management Protocol (UDP Ports 161 and 162)
        19. rexec (TCP Port 512)
        20. rlogin and rsh (TCP Ports 513 and 514)
          1. Trusted hosts and users
          2. Specifying trusted hosts with /etc/hosts.equiv and ~/.rhosts
          3. /etc/hosts.lpd file
        21. RIP routed: Routing Information Protocol (UDP Port 520)
        22. The X Window System (TCP Ports 6000-6063)
          1. /etc/logindevperm
          2. X security
          3. The xhost facility
          4. Using Xauthority magic cookies
          5. Tunneling X with SSH
        23. RPC rpc.rexd (TCP Port 512)
        24. Communicating with MUDs, Internet Relay Chat (IRC), and Instant Messaging
      4. Managing Services Securely
        1. Monitoring Your Host with netstat
          1. Limitation of netstat and lsof
        2. Monitoring Your Network with tcpdump
        3. Network Scanning
      5. Putting It All Together: An Example
      6. Summary
    4. 13. Sun RPC
      1. Remote Procedure Call (RPC)
        1. Sun’s portmap/rpcbind
        2. RPC Authentication
          1. AUTH_NONE
          2. AUTH_UNIX
          3. AUTH_DES
          4. AUTH_KERB
      2. Secure RPC (AUTH_DES)
        1. Secure RPC Authentication
          1. Proving your identity
          2. Using Secure RPC services
          3. Setting the window
        2. Setting Up Secure RPC with NIS
          1. Creating passwords for users
          2. Creating passwords for hosts
          3. Making sure Secure RPC support is running on every workstation
        3. Using Secure RPC
        4. Limitations of Secure RPC
      3. Summary
    5. 14. Network-Based Authentication Systems
      1. Sun’s Network Information Service (NIS)
        1. NIS Fundamentals
          1. Including or excluding specific accounts
          2. Importing accounts without really importing accounts
        2. NIS Domains
        3. NIS Netgroups
          1. Setting up netgroups
          2. Using netgroups to limit the importing of accounts
          3. Limitations of NIS
          4. Spoofing RPC
          5. Spoofing NIS
          6. NIS is confused about “+”
        4. Unintended Disclosure of Site Information with NIS
      2. Sun’s NIS+
        1. What NIS+ Does
        2. NIS+ Tables and Other Objects
        3. Using NIS+
          1. Changing your password
          2. When a user’s passwords don’t match
        4. NIS+ Limitations
      3. Kerberos
        1. Kerberos Authentication
          1. Initial login
          2. Using the ticket-granting ticket
          3. Authentication, data integrity, and secrecy
          4. Kerberos 4 versus Kerberos 5
        2. Getting Kerberos
        3. Using Kerberos
        4. Kerberos Limitations
      4. LDAP
        1. LDAP: The Protocol
        2. LDAP Integrity and Reliability
        3. Authentication with LDAP
          1. nss_ldap
          2. pam_ldap
        4. Configuring Authentication with nss_ldap
          1. Setting up the LDAP server
          2. Setting up the LDAP clients
      5. Other Network Authentication Systems
        1. DCE
        2. SESAME
      6. Summary
    6. 15. Network Filesystems
      1. Understanding NFS
        1. NFS History
        2. File Handles
        3. The MOUNT Protocol
        4. The NFS Protocol
          1. How NFS creates a reliable filesystem from a best-effort protocol
          2. Hard, soft, and spongy mounts
          3. Connectionless and stateless
          4. NFS and root
        5. NFS Version 3
      2. Server-Side NFS Security
        1. Limiting Client Access: /etc/exports and /etc/dfs/dfstab
          1. /etc/exports
          2. /usr/etc/exportfs
          3. Exporting NFS directories under System V: share and dfstab
        2. The showmount Command
      3. Client-Side NFS Security
      4. Improving NFS Security
        1. Limit Exported and Mounted Filesystems
          1. The example explained
        2. Export Read-Only
        3. Use Root Ownership
        4. Remove Group-Write Permission for Files and Directories
        5. Do Not Export Server Executables
        6. Do Not Export Home Directories
        7. Do Not Allow Users to Log into the Server
        8. Use fsirand
        9. Set the portmon Variable
        10. Use showmount -e
        11. Use Secure NFS
      5. Some Last Comments on NFS
        1. Well-Known Bugs
        2. For Real Security, Don’t Use NFS
      6. Understanding SMB
        1. SMB History
        2. Protocols
          1. Name service
          2. Authentication
          3. File access
        3. Configuring the Samba Server
        4. Samba Server Security
          1. Connecting to the server
          2. User authentication
          3. Authorization
          4. Data integrity and privacy
        5. Samba Client Security
        6. Improving Samba Security
      7. Summary
    7. 16. Secure Programming Techniques
      1. One Bug Can Ruin Your Whole Day . . .
        1. The Lesson of the Internet Worm
        2. An Empirical Study of the Reliability of Unix Utilities
          1. What he found
          2. Where’s the beef?
      2. Tips on Avoiding Security-Related Bugs
        1. Design Principles
        2. Coding Standards
        3. Things to Avoid
        4. Before You Finish
      3. Tips on Writing Network Programs
        1. Things to Do
        2. Things to Avoid
      4. Tips on Writing SUID/SGID Programs
      5. Using chroot( )
      6. Tips on Using Passwords
      7. Tips on Generating Random Numbers
        1. Unix Pseudorandom Functions
          1. rand( )
          2. random( )
          3. drand48( ), lrand48( ), and mrand48( )
        2. Picking a Random Seed
        3. A Good Random Seed Generator
      8. Summary
  7. IV. Secure Operations
    1. 17. Keeping Up to Date
      1. Software Management Systems
        1. Package-Based Systems
        2. Source-Based Systems
          1. Source code and patches
          2. CVS
      2. Updating System Software
        1. Learning About Patches
        2. Upgrading Distributed Applications
        3. Sensitive Upgrades
      3. Summary
    2. 18. Backups
      1. Why Make Backups?
        1. The Role of Backups
        2. What Should You Back Up?
        3. Types of Backups
        4. Guarding Against Media Failure
          1. Replace tapes as needed
          2. Keep your tape drives clean
          3. Verify the backup
        5. How Long Should You Keep a Backup?
        6. Security for Backups
          1. Physical security for backups
          2. Write-protect your backups
          3. Data security for backups
        7. Legal Issues
        8. Deciding Upon a Backup Strategy
        9. Individual Workstation
          1. Backup plan
          2. Retention schedule
        10. Small Network of Workstations and a Server
          1. Backup plan
          2. Retention schedule
        11. Large Service-Based Network with Small Budget
          1. Backup plan
          2. Retention schedule
        12. Large Service-Based Networks with Large Budget
          1. Backup plan
          2. Retention schedule
      2. Backing Up System Files
        1. Which Files to Back Up?
        2. Building an Automatic Backup System
      3. Software for Backups
        1. Simple Local Copies
        2. Simple Archives
        3. Specialized Backup Programs
        4. Network Backup Systems
        5. Encrypting Your Backups
      4. Summary
    3. 19. Defending Accounts
      1. Dangerous Accounts
        1. Accounts Without Passwords
        2. Default Accounts
          1. The superuser account
          2. Other accounts
        3. Accounts That Run a Single Command
        4. Open Accounts
          1. Restricted shells
          2. How to set up a restricted account with rsh
          3. Potential problems with restricted shells
        5. Restricted Filesystem with the chroot( ) Jail
          1. Setting up the chroot( ) environment
          2. Limiting network servers
          3. Limiting users
          4. Checking new software
        6. Group Accounts
      2. Monitoring File Format
      3. Restricting Logins
      4. Managing Dormant Accounts
        1. Disabling an Account by Changing the Account’s Password
        2. Changing the Account’s Login Shell
        3. Finding Dormant Accounts
      5. Protecting the root Account
        1. Secure Terminals
        2. The wheel Group
        3. The sudo Program
        4. Trusted Path and Trusted Computing Base
          1. Trusted path
          2. Trusted computing base
      6. One-Time Passwords
        1. Integrating One-Time Passwords with Unix
        2. Token Cards
        3. Codebooks
      7. Administrative Techniques for Conventional Passwords
        1. Assigning Passwords to Users
        2. Constraining Passwords
        3. Password Generators
        4. Shadow Password Files
        5. Password Aging and Expiration
        6. Cracking Your Own Passwords
          1. Joetest: a simple password cracker
          2. The dilemma of password crackers
        7. Algorithm and Library Changes
        8. Account Names Revisited: Using Aliases for Increased Security
      8. Intrusion Detection Systems
      9. Summary
    4. 20. Integrity Management
      1. The Need for Integrity
      2. Protecting Integrity
        1. Immutable and Append-Only Files
          1. The chflags command
          2. Kernel security level
        2. Read-Only Filesystems
      3. Detecting Changes After the Fact
        1. The Achilles Heel of Integrity Management Systems
        2. Comparison Copies
          1. Local copies
          2. Remote copies
          3. rdist
        3. Checklists and Metadata
          1. Simple listing
          2. Ancestor directories
        4. Checksums and Signatures
      4. Integrity-Checking Tools
        1. BSD’s mtree and Periodic Security Scans
        2. Packaging Tools
          1. Integrity checking with RPM under Linux
          2. Integrity checking with the BSD pkg_info command
        3. Tripwire
          1. Building Tripwire
          2. Running Tripwire
      5. Summary
    5. 21. Auditing, Logging, and Forensics
      1. Unix Log File Utilities
        1. Essential Log Files
        2. Unix syslog
          1. The syslog message
          2. The syslog.conf configuration file
          3. Using syslog in a networked environment
          4. Incorporating syslog into your own programs
          5. Beware false syslog log entries
        3. Rotating Logs with newsyslog
        4. Swatch: A Log File Analysis Tool
          1. Running Swatch
          2. The Swatch configuration file
        5. lastlog File
        6. utmp and wtmp Files
          1. Examining the utmp and wtmp files
          2. The su command and the utmp and wtmp files
          3. last program
          4. Pruning the wtmp file
        7. loginlog File
      2. Process Accounting: The acct/pacct File
        1. Accounting with System V
        2. Accounting with BSD and Linux
        3. messages Log File
      3. Program-Specific Log Files
        1. aculog Log File
        2. sulog Log File
        3. xferlog Log File
        4. access_log Log File
        5. Logging Network Services
        6. Other Logs
      4. Designing a Site-Wide Log Policy
        1. Where to Log
          1. Logging to a printer
          2. Logging across the network
          3. Logging everything everywhere
      5. Handwritten Logs
        1. Per-Site Logs
          1. Exception and activity reports
          2. Informational material
        2. Per-Machine Logs
          1. Exception and activity reports
          2. Informational material
      6. Managing Log Files
      7. Unix Forensics
        1. Shell History
        2. Mail
        3. cron
        4. Network Setup
      8. Summary
  8. V. Handling Security Incidents
    1. 22. Discovering a Break-in
      1. Prelude
        1. Rule #1: Don’t Panic
        2. Rule #2: Document
        3. Rule #3: Plan Ahead
      2. Discovering an Intruder
        1. Catching One in the Act
          1. Monitoring commands
          2. Other tip-offs
        2. What to Do When You Catch Somebody
        3. Contacting the Intruder
        4. Monitoring the Intruder
        5. Tracing a Connection
        6. How to Contact the System Administrator of a Computer You Don’t Know
          1. Looking up information by domain
          2. Looking up information by IP address
          3. Contacting a site’s ISP
          4. Alternative contact strategies
        7. Getting Rid of the Intruder
      3. Cleaning Up After the Intruder
        1. Analyzing the Log Files
        2. Preserving the Evidence
        3. Assessing the Damage
          1. New accounts
          2. Changes in file contents
          3. Changes in file and directory protections
          4. New SUID and SGID files
          5. Changes in .rhosts files
          6. Changes to .ssh/authorized_keys files
          7. Changes to the /etc/hosts.equiv file
          8. Changes to startup files
          9. Hidden files and directories
          10. Unowned files
          11. New network services
        4. Never Trust Anything Except Hardcopy
        5. Resuming Operation
        6. Damage Control
      4. Case Studies
        1. Rootkit
        2. Warez
          1. The follow-up
        3. faxsurvey
      5. Summary
    2. 23. Protecting Against Programmed Threats
      1. Programmed Threats: Definitions
        1. Security Scanners and Other Tools
        2. Back Doors and Trap Doors
        3. Logic Bombs
        4. Trojan Horses
          1. Trojan horses in mobile code
          2. Terminal-based Trojan horses
          3. Avoiding Trojan horses
        5. Viruses
        6. Worms
        7. Bacteria and Rabbits
      2. Damage
      3. Authors
      4. Entry
      5. Protecting Yourself
        1. Shell Features
          1. PATH attacks
          2. IFS attacks
          3. $HOME attacks
          4. Filename attacks
        2. Startup File Attacks
          1. .login, .profile, /etc/profile
          2. .cshrc, .kshrc, .tcshrc
          3. .emacs
          4. .exrc, .nexrc
          5. .forward, .procmailrc
          6. Other files
          7. Other initializations
        3. Abusing Automatic Mechanisms
          1. crontab entries
          2. inetd.conf
          3. /etc/mail/aliases, aliases.dir, aliases.pag, and aliases.db
          4. The at program
          5. System initialization files
          6. Other files
          7. Issues with NFS
      6. Preventing Attacks
        1. File Protections
          1. World-writable user files and directories
          2. Writable system files and directories
          3. Group-writable files
          4. World-readable backup devices
        2. Shared Libraries
      7. Summary
    3. 24. Denial of Service Attacks and Solutions
      1. Types of Attacks
      2. Destructive Attacks
      3. Overload Attacks
        1. Process and CPU Overload Problems
          1. Too many processes
          2. Recovering from too many processes
          3. “No more processes”
          4. Safely halting the system
          5. CPU overload attacks
        2. Swap Space Problems
          1. Swapping to files
        3. Disk Attacks
          1. Disk-full attacks
          2. quot command
          3. inode problems
          4. Using partitions to protect your users
          5. Using quotas
          6. Reserved space
          7. Hidden space
          8. Tree structure attacks
        4. /tmp Problems
        5. Soft Process Limits: Preventing Accidental Denial of Service
      4. Network Denial of Service Attacks
        1. Service Overloading
        2. Message Flooding
        3. Signal Grounding and Jamming
        4. Clogging (SYN Flood Attacks)
        5. Ping of Death and Other Malformed Traffic Attacks
      5. Summary
    4. 25. Computer Crime
      1. Your Legal Options After a Break-in
        1. Filing a Criminal Complaint
          1. Choosing jurisdiction
          2. Local jurisdiction
          3. Federal jurisdiction
        2. Federal Computer Crime Laws
        3. Hazards of Criminal Prosecution
        4. The Responsibility to Report Crime
      2. Criminal Hazards
      3. Criminal Subject Matter
        1. Access Devices and Copyrighted Software
        2. Pornography, Indecency, and Obscenity
          1. Amateur Action
          2. Communications Decency Act
          3. Mandatory blocking
          4. Child pornography
        3. Copyrighted Works
        4. Cryptographic Programs and Export Controls
      4. Summary
    5. 26. Who Do You Trust?
      1. Can You Trust Your Computer?
        1. Harry’s Compiler
        2. Trusting Trust
        3. What the Superuser Can and Cannot Do
      2. Can You Trust Your Suppliers?
        1. Hardware Bugs
        2. Viruses on the Distribution Disk
        3. Buggy Software
        4. Hacker Challenges
        5. Security Bugs That Never Get Fixed
        6. Network Providers That Network Too Well
      3. Can You Trust People?
        1. Your Employees?
        2. Your System Administrator?
        3. Your Vendor?
        4. Your Consultants?
        5. Response Personnel?
      4. Summary
  9. VI. Appendixes
    1. A. Unix Security Checklist
      1. Preface
      2. Chapter 1: Introduction: Some Fundamental Questions
      3. Chapter 2: Unix History and Lineage
      4. Chapter 3: Policies and Guidelines
      5. Chapter 4: Users, Passwords, and Authentication
      6. Chapter 5: Users, Groups, and the Superuser
      7. Chapter 6: Filesystems and Security
      8. Chapter 7: Cryptography Basics
      9. Chapter 8: Physical Security for Servers
      10. Chapter 9: Personnel Security
      11. Chapter 10: Modems and Dialup Security
      12. Chapter 11: TCP/IP Networks
      13. Chapter 12: Securing TCP and UDP Services
      14. Chapter 13: Sun RPC
      15. Chapter 14: Network-Based Authentication Systems
      16. Chapter 15: Network Filesystems
      17. Chapter 16: Secure Programming Techniques
      18. Chapter 17: Keeping Up to Date
      19. Chapter 18: Backups
      20. Chapter 19: Defending Accounts
      21. Chapter 20: Integrity Management
      22. Chapter 21: Auditing, Logging, and Forensics
      23. Chapter 22: Discovering a Break-In
      24. Chapter 23: Protecting Against Programmed Threats
      25. Chapter 24: Denial of Service Attacks and Solutions
      26. Chapter 25: Computer Crime
      27. Chapter 26: Who Do You Trust?
      28. Appendix A: Unix Security Checklist
      29. Appendix B: Unix Processes
      30. Appendixes C, D, and E: Paper Sources, Electronic Sources, and Organizations
    2. B. Unix Processes
      1. About Processes
        1. Processes and Programs
        2. The ps Command
          1. Listing processes with Solaris and other Unix systems derived from System V
          2. Listing processes with versions of Unix derived from BSD, including Linux
        3. Process Properties
          1. Process identification numbers (PIDs)
          2. Process real and effective UIDs
          3. Process priority and niceness
          4. Process groups and sessions
        4. Creating Processes
      2. Signals
        1. Unix Signals and the kill Command
        2. Killing Multiple Processes at the Same Time
        3. Catching Signals
        4. Killing Rogue or Questionable Processes
      3. Controlling and Examining Processes
        1. gdb: Controlling a Process
        2. gcore: Dumping Core
        3. lsof: Examining a Process
        4. /proc: Examining a Process Directly
        5. pstree: Viewing the Process Tree
      4. Starting Up Unix and Logging In
        1. Process #1: /etc/init
        2. Logging In
        3. Running the User’s Shell
    3. C. Paper Sources
      1. Unix Security References
      2. Other Computer References
        1. Computer Crime and Law
        2. Computer-Related Risks
        3. Computer Viruses and Programmed Threats
        4. Cryptography Books
        5. Cryptography Papers and Other Publications
        6. General Computer Security
        7. Network Technology and Security
        8. Security Products and Services Information
        9. Understanding the Computer Security “Culture”
        10. Unix Programming and System Administration
        11. Miscellaneous References
        12. Security Periodicals
    4. D. Electronic Resources
      1. Mailing Lists
        1. Response Teams and Vendors
        2. A Big Problem with Mailing Lists
        3. Major Mailing Lists
          1. Bugtraq
          2. CERT-advisory
          3. Computer underground digest
          4. Firewalls
          5. Firewall-Wizards
          6. RISKS
          7. SANS Security Alert Consensus
      2. Web Sites
        1. CIAC
        2. CERIAS
        3. FIRST
        4. NIST CSRC
        5. Insecure.org
        6. NIH
      3. Usenet Groups
      4. Software Resources
        1. chrootuid
        2. COPS (Computer Oracle and Password System)
        3. ISS (Internet Security Scanner)
        4. Kerberos
        5. nmap
        6. Nessus
        7. OpenSSH
        8. OpenSSL
        9. portmap
        10. portsentry
        11. SATAN
        12. Snort
        13. Swatch
        14. TCP Wrappers
        15. Tiger
        16. trimlog
        17. Tripwire
        18. wuarchive ftpd
    5. E. Organizations
      1. Professional Organizations
        1. Association for Computing Machinery (ACM)
        2. American Society for Industrial Security (ASIS)
        3. Computer Security Institute (CSI)
        4. Electronic Frontier Foundation (EFF)
        5. Electronic Privacy Information Center (EPIC)
        6. High Technology Crimes Investigation Association (HTCIA)
        7. Information Systems Security Association (ISSA)
        8. International Information Systems Security Certification Consortium, Inc.
        9. The Internet Society
        10. IEEE Computer Society
        11. IFIP, Technical Committee 11
        12. Systems Administration and Network Security (SANS)
        13. USENIX/SAGE
      2. U.S. Government Organizations
        1. National Institute of Standards and Technology (NIST)
        2. National Security Agency (NSA)
      3. Emergency Response Organizations
        1. Department of Justice (DOJ)
        2. Federal Bureau of Investigation (FBI)
        3. U.S. Secret Service (USSS)
        4. Forum of Incident and Response Security Teams (FIRST)
        5. Computer Emergency Response Team Coordination Center (CERT/CC)
  10. Index
  11. About the Authors
  12. Colophon
  13. Copyright