Table of Contents for
Practical UNIX and Internet Security, 3rd Edition


Practical UNIX and Internet Security, 3rd Edition, by Alan Schwartz. Published by O'Reilly Media, Inc., 2003.
  1. Cover
  2. Practical Unix & Internet Security, 3rd Edition
  3. A Note Regarding Supplemental Files
  4. Preface
  5. Unix “Security”?
  6. Scope of This Book
  7. Which Unix System?
  8. Conventions Used in This Book
  9. Comments and Questions
  10. Acknowledgments
  11. A Note to Would-Be Attackers
  12. I. Computer Security Basics
  13. 1. Introduction: Some Fundamental Questions
  14. What Is Computer Security?
  15. What Is an Operating System?
  16. What Is a Deployment Environment?
  17. Summary
  18. 2. Unix History and Lineage
  19. History of Unix
  20. Security and Unix
  21. Role of This Book
  22. Summary
  23. 3. Policies and Guidelines
  24. Planning Your Security Needs
  25. Risk Assessment
  26. Cost-Benefit Analysis and Best Practices
  27. Policy
  28. Compliance Audits
  29. Outsourcing Options
  30. The Problem with Security Through Obscurity
  31. Summary
  32. II. Security Building Blocks
  33. 4. Users, Passwords, and Authentication
  34. Logging in with Usernames and Passwords
  35. The Care and Feeding of Passwords
  36. How Unix Implements Passwords
  37. Network Account and Authorization Systems
  38. Pluggable Authentication Modules (PAM)
  39. Summary
  40. 5. Users, Groups, and the Superuser
  41. Users and Groups
  42. The Superuser (root)
  43. The su Command: Changing Who You Claim to Be
  44. Restrictions on the Superuser
  45. Summary
  46. 6. Filesystems and Security
  47. Understanding Filesystems
  48. File Attributes and Permissions
  49. chmod: Changing a File’s Permissions
  50. The umask
  51. SUID and SGID
  52. Device Files
  53. Changing a File’s Owner or Group
  54. Summary
  55. 7. Cryptography Basics
  56. Understanding Cryptography
  57. Symmetric Key Algorithms
  58. Public Key Algorithms
  59. Message Digest Functions
  60. Summary
  61. 8. Physical Security for Servers
  62. Planning for the Forgotten Threats
  63. Protecting Computer Hardware
  64. Preventing Theft
  65. Protecting Your Data
  66. Story: A Failed Site Inspection
  67. Summary
  68. 9. Personnel Security
  69. Background Checks
  70. On the Job
  71. Departure
  72. Other People
  73. Summary
  74. III. Network and Internet Security
  75. 10. Modems and Dialup Security
  76. Modems: Theory of Operation
  77. Modems and Security
  78. Modems and Unix
  79. Additional Security for Modems
  80. Summary
  81. 11. TCP/IP Networks
  82. Networking
  83. IP: The Internet Protocol
  84. IP Security
  85. Summary
  86. 12. Securing TCP and UDP Services
  87. Understanding Unix Internet Servers and Services
  88. Controlling Access to Servers
  89. Primary Unix Network Services
  90. Managing Services Securely
  91. Putting It All Together: An Example
  92. Summary
  93. 13. Sun RPC
  94. Remote Procedure Call (RPC)
  95. Secure RPC (AUTH_DES)
  96. Summary
  97. 14. Network-Based Authentication Systems
  98. Sun’s Network Information Service (NIS)
  99. Sun’s NIS+
  100. Kerberos
  101. LDAP
  102. Other Network Authentication Systems
  103. Summary
  104. 15. Network Filesystems
  105. Understanding NFS
  106. Server-Side NFS Security
  107. Client-Side NFS Security
  108. Improving NFS Security
  109. Some Last Comments on NFS
  110. Understanding SMB
  111. Summary
  112. 16. Secure Programming Techniques
  113. One Bug Can Ruin Your Whole Day . . .
  114. Tips on Avoiding Security-Related Bugs
  115. Tips on Writing Network Programs
  116. Tips on Writing SUID/SGID Programs
  117. Using chroot( )
  118. Tips on Using Passwords
  119. Tips on Generating Random Numbers
  120. Summary
  121. IV. Secure Operations
  122. 17. Keeping Up to Date
  123. Software Management Systems
  124. Updating System Software
  125. Summary
  126. 18. Backups
  127. Why Make Backups?
  128. Backing Up System Files
  129. Software for Backups
  130. Summary
  131. 19. Defending Accounts
  132. Dangerous Accounts
  133. Monitoring File Format
  134. Restricting Logins
  135. Managing Dormant Accounts
  136. Protecting the root Account
  137. One-Time Passwords
  138. Administrative Techniques for Conventional Passwords
  139. Intrusion Detection Systems
  140. Summary
  141. 20. Integrity Management
  142. The Need for Integrity
  143. Protecting Integrity
  144. Detecting Changes After the Fact
  145. Integrity-Checking Tools
  146. Summary
  147. 21. Auditing, Logging, and Forensics
  148. Unix Log File Utilities
  149. Process Accounting: The acct/pacct File
  150. Program-Specific Log Files
  151. Designing a Site-Wide Log Policy
  152. Handwritten Logs
  153. Managing Log Files
  154. Unix Forensics
  155. Summary
  156. V. Handling Security Incidents
  157. 22. Discovering a Break-in
  158. Prelude
  159. Discovering an Intruder
  160. Cleaning Up After the Intruder
  161. Case Studies
  162. Summary
  163. 23. Protecting Against Programmed Threats
  164. Programmed Threats: Definitions
  165. Damage
  166. Authors
  167. Entry
  168. Protecting Yourself
  169. Preventing Attacks
  170. Summary
  171. 24. Denial of Service Attacks and Solutions
  172. Types of Attacks
  173. Destructive Attacks
  174. Overload Attacks
  175. Network Denial of Service Attacks
  176. Summary
  177. 25. Computer Crime
  178. Your Legal Options After a Break-in
  179. Criminal Hazards
  180. Criminal Subject Matter
  181. Summary
  182. 26. Who Do You Trust?
  183. Can You Trust Your Computer?
  184. Can You Trust Your Suppliers?
  185. Can You Trust People?
  186. Summary
  187. VI. Appendixes
  188. A. Unix Security Checklist
  189. Preface
  190. Chapter 1: Introduction: Some Fundamental Questions
  191. Chapter 2: Unix History and Lineage
  192. Chapter 3: Policies and Guidelines
  193. Chapter 4: Users, Passwords, and Authentication
  194. Chapter 5: Users, Groups, and the Superuser
  195. Chapter 6: Filesystems and Security
  196. Chapter 7: Cryptography Basics
  197. Chapter 8: Physical Security for Servers
  198. Chapter 9: Personnel Security
  199. Chapter 10: Modems and Dialup Security
  200. Chapter 11: TCP/IP Networks
  201. Chapter 12: Securing TCP and UDP Services
  202. Chapter 13: Sun RPC
  203. Chapter 14: Network-Based Authentication Systems
  204. Chapter 15: Network Filesystems
  205. Chapter 16: Secure Programming Techniques
  206. Chapter 17: Keeping Up to Date
  207. Chapter 18: Backups
  208. Chapter 19: Defending Accounts
  209. Chapter 20: Integrity Management
  210. Chapter 21: Auditing, Logging, and Forensics
  211. Chapter 22: Discovering a Break-In
  212. Chapter 23: Protecting Against Programmed Threats
  213. Chapter 24: Denial of Service Attacks and Solutions
  214. Chapter 25: Computer Crime
  215. Chapter 26: Who Do You Trust?
  216. Appendix A: Unix Security Checklist
  217. Appendix B: Unix Processes
  218. Appendixes C, D, and E: Paper Sources, Electronic Sources, and Organizations
  219. B. Unix Processes
  220. About Processes
  221. Signals
  222. Controlling and Examining Processes
  223. Starting Up Unix and Logging In
  224. C. Paper Sources
  225. Unix Security References
  226. Other Computer References
  227. D. Electronic Resources
  228. Mailing Lists
  229. Web Sites
  230. Usenet Groups
  231. Software Resources
  232. E. Organizations
  233. Professional Organizations
  234. U.S. Government Organizations
  235. Emergency Response Organizations
  236. Index
  263. About the Authors
  264. Colophon
  265. Copyright

Criminal Subject Matter

Possession and/or distribution of some kinds of information is criminal under U.S. law. If you see suspicious information on your computer, you should take note. If you believe that the information may be criminal in nature, you should contact an attorney first—do not immediately contact a law enforcement officer, as you may indirectly admit to involvement with a crime merely by asking for advice.

Access Devices and Copyrighted Software

Federal law (18 USC 1029) makes it a felony to manufacture or possess 15 or more access devices that can be used to obtain fraudulent service. The term access devices is broadly defined and is usually interpreted as including cellular telephone activation codes, account passwords, credit card numbers, and physical devices that can be used to obtain access.

Federal law also makes software piracy a crime, as well as possession of unlicensed copyrighted software with the intent to defraud. The rental of software without the permission of the copyright holder is also illegal.

Pornography, Indecency, and Obscenity

Pornography thrives on the Internet. With millions of customers and billions of dollars transferred every year, pornography is currently one of the main drivers of e-commerce and broadband residential connections. Pornography has stimulated the development of age verification systems, credit card verification systems, and even forms of electronic currency. Today, pornography is one of the main sources of revenue on the Internet for some businesses.

The Internet is a global network. By design, the Internet’s content can be accessed from anywhere on the network. But this global feature is at odds with the way that pornography and prostitution have traditionally been regulated in human societies—through local regulation, zoning, and registration. Stories, photographs, sounds, and movies that are considered pornographic or obscene in some communities have long been socially accepted in others, and distributed only to adults in still others.

Thus, there is a tension between the Internet’s global nature, which makes pornography available everywhere on the network, and the local standards by which such material has traditionally been regulated.

Amateur Action

In 1993, Robert and Carleen Thomas were operating a bulletin board system called the Amateur Action Bulletin Board System (AABBS) in Milpitas, California. The system was accessed by telephone, not the Internet. The BBS contained a wide range of adult fare, and had numerous login screens and banners that clearly indicated that the information the system contained was sexually explicit. To gain access to the system, potential subscribers needed to send AABBS a photocopy of their driver’s licenses (to prove their ages) and pay a membership fee of $55 for six months.

In July 1993, a Tennessee postal inspector named Dirmeyer downloaded a number of sexually explicit files from AABBS, after first registering (using an assumed name) and paying the membership fee. The postal inspector was apparently responding to a complaint from a person in his jurisdiction. On the basis of the information that he downloaded, the Thomases were charged with a violation of 18 USC 1465, “knowingly transport[ing] in interstate or foreign commerce for the purpose of sale or distribution . . . any obscene . . . book, pamphlet, picture, film . . . or any other matter.”

The outcome of the trial hinged on whether the information that the postal inspector had downloaded was actually obscene or merely sexually explicit. But the standard for obscenity is not defined in U.S. law. In 1973, the United States Supreme Court instead said that obscenity was best judged by local “community standards.” And while the information distributed by AABBS may not have violated the community standards of Milpitas, California, or the standards of the community of dial-up bulletin board systems, on July 29, 1994, a jury in the Federal District Court for Western Tennessee ruled that the downloaded images did violate the community standards of Western Tennessee.[356] (As it turns out, the Thomases’ BBS had been previously raided by the San Jose Police Department in 1991; following that investigation, local law enforcement had concluded that the BBS had been acting in a legal manner—at least in California.)

Communications Decency Act

In 1996, the U.S. Congress passed the Communications Decency Act (CDA) as an amendment to the Telecommunications Act of 1996. The purpose of the act was allegedly to protect minors from harmful material on the Internet. But civil libertarians complained that the act was overly broad and that it would actually result in significant limitations for adult users of the network.

Shortly after the act was passed, a coalition of civil liberties groups filed suit against Attorney General Janet Reno, asking the court to enjoin Reno from enforcing the law. The case, American Civil Liberties Union v. Reno, was “fast tracked” to a special three-judge court in Philadelphia. That court ruled that two key provisions of the law were an unconstitutional abridgment of rights protected under the First and Fifth Amendments. The first provision struck down was a part of the law that criminalized the “knowing” transmission of “obscene or indecent” messages to any recipient under 18 years of age. The second was a provision that prohibited the “knowin[g]” sending or displaying to a person under 18 of any message “that, in context, depicts or describes, in terms patently offensive as measured by contemporary community standards, sexual or excretory activities or organs.”

The Clinton Administration appealed the ruling in the case Reno v. ACLU. The case went to the U.S. Supreme Court, which ruled against the Clinton Administration and the law.[357] At the time of the ruling, one of the key issues that the Court focused on was the increasing availability of filtering software that could be used to prevent children from accessing pornography. The argument was that if parents wanted to “protect” their children from pornography, all they had to do was equip their computers with the requisite software; there was no need to restrict everybody else who used the Internet.

Realizing that it could not regulate the Internet itself, Congress subsequently passed a law requiring that federally supported schools and libraries install filtering software on computers to prevent children from accessing pornography at these places. That law has been challenged in some jurisdictions as overly broad. The overall issue is likely to be a topic of legislation and litigation for years to come.

Mandatory blocking

Numerous laws now require that schools and libraries install mandatory filtering software on their Internet connections. Of these, the most important is the Children’s Internet Protection Act (Pub. L. 106-554), which requires that schools receiving discounted communications services have in place technology that prevents access through computers to visual depictions that are “(I) obscene, (II) child pornography, or (III) harmful to minors.”

Child pornography

Today, the harshest punishments in the U.S. legal system for possession of contraband information are reserved for pornography that involves the sexual depiction of children or pornography that uses children in its creation. The prohibition against child pornography is based on the need to protect children from sexual exploitation. Because the child pornography regulations criminalize the mere possession of child pornography, you can be in serious legal trouble simply by receiving by email an image of a naked minor, even if you don’t know what the image is at the time you fetch it.

Child pornography laws are often applied selectively. In several cases, individuals have been arrested for downloading child pornography from several major online service providers. Yet the online service providers themselves have not been harassed by law enforcement, even though the same child pornography resides on the online services’ systems.

In recent years, there has been a move to expand the definition of child pornography to include simulated acts of child pornography, computer animations of child pornography, and even textual descriptions of child pornography. Proponents of these expansions argue that besides any harm that may be caused to children in the creation of child pornography, the mere existence of child pornography is harmful and should therefore be criminal.

Copyrighted Works

Passed in 1999, the Digital Millennium Copyright Act (DMCA) makes it a crime to circumvent technical measures that are used to control access to copyrighted works. It also makes it a crime to distribute certain kinds of technical information that may be used to disable copyright control mechanisms.

The DMCA was pushed through the U.S. Congress very quickly by the Clinton Administration at the request of the publishing and entertainment industry, which has long argued that copyright control systems are needed to prevent piracy, and that information regarding the disabling of these systems should be controlled.

But the result of the DMCA’s passage means that there is now a whole class of contraband programs—programs that, in many cases, simply allow people to exercise their rights to access copyrighted material under the “fair use” provisions of copyright law. For example, if you rent a copy of The Matrix on DVD, take it home, and play it on a Mac or on a PC running the Windows operating system, you are not in violation of any law. But if you play it on a PC running the Linux operating system, you are breaking the law. Operating the Linux DVD player is a violation of the DMCA because it was not licensed by the Motion Picture Association of America (MPAA) to decrypt the encrypted bitstream on the DVD that decrypts to the MPEG-2 files that contain The Matrix. Not only is it a violation of the DMCA to run the Linux DVD player, but it may also be a violation to have the program on your hard disk or to distribute it on a web page. And in 2000, a federal court prohibited the magazine 2600 from posting a link on its web site to a second web site that may have had a copy of the program.

The Chilling Effects Clearinghouse (http://www.chillingeffects.org) archives a wide variety of “cease and desist” letters received by web sites pertaining to the DMCA.

It’s hard to believe that the DMCA won’t be found to be a violation of the U.S. Constitution’s First Amendment. But until it is, the DMCA is the law of the land. Be careful about the anticopyright programs that are on your web server.

Note

The DMCA is not the last word in silly, overbroad laws being enacted to satisfy the entertainment industry. As the third edition of this book goes to press, there are several pieces of legislation proposed and under consideration by Congressional committees. One, the Consumer Broadband and Digital Television Promotion Act (CBDTPA), would effectively outlaw the use of any noncommercial operating system. Another pending bill would allow content providers to hack into your computer system and disable it if they suspect it is being used to exchange or store copyrighted material.

Until the courts and the general public assert themselves, the money behind the lobbyists all but ensures that the various companies making up the entertainment and commercial software industries will continue to dictate the legislative initiatives. Thus, you need to be aware of the pending and current laws in this general realm. We suggest the ACM’s U.S. Public Policy Committee as one informed, relatively nonpartisan source of information; check out http://www.acm.org/usacm/.

Cryptographic Programs and Export Controls

Although U.S. policy on cryptography was liberalized in 1999 and again (less dramatically) in 2002, export of cryptographic technology to certain countries is prohibited for reasons of U.S. national security. As of September 2002, these countries consisted of Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria.

Some cryptographic technologies (including open source cryptographic source code) can now be exported after notifying the Bureau of Industry and Security (BIS) of the URL where the code is available. Many other technologies can be legally exported after review by BIS (and possibly “other agencies”). For the gory details, visit http://www.bxa.doc.gov.