Table of Contents for
Practical UNIX and Internet Security, 3rd Edition

Practical UNIX and Internet Security, 3rd Edition, by Alan Schwartz. Published by O'Reilly Media, Inc., 2003.
  1. Cover
  2. Practical Unix & Internet Security, 3rd Edition
  3. A Note Regarding Supplemental Files
  4. Preface
  5. Unix “Security”?
  6. Scope of This Book
  7. Which Unix System?
  8. Conventions Used in This Book
  9. Comments and Questions
  10. Acknowledgments
  11. A Note to Would-Be Attackers
  12. I. Computer Security Basics
  13. 1. Introduction: Some Fundamental Questions
  14. What Is Computer Security?
  15. What Is an Operating System?
  16. What Is a Deployment Environment?
  17. Summary
  18. 2. Unix History and Lineage
  19. History of Unix
  20. Security and Unix
  21. Role of This Book
  22. Summary
  23. 3. Policies and Guidelines
  24. Planning Your Security Needs
  25. Risk Assessment
  26. Cost-Benefit Analysis and Best Practices
  27. Policy
  28. Compliance Audits
  29. Outsourcing Options
  30. The Problem with Security Through Obscurity
  31. Summary
  32. II. Security Building Blocks
  33. 4. Users, Passwords, and Authentication
  34. Logging in with Usernames and Passwords
  35. The Care and Feeding of Passwords
  36. How Unix Implements Passwords
  37. Network Account and Authorization Systems
  38. Pluggable Authentication Modules (PAM)
  39. Summary
  40. 5. Users, Groups, and the Superuser
  41. Users and Groups
  42. The Superuser (root)
  43. The su Command: Changing Who You Claim to Be
  44. Restrictions on the Superuser
  45. Summary
  46. 6. Filesystems and Security
  47. Understanding Filesystems
  48. File Attributes and Permissions
  49. chmod: Changing a File’s Permissions
  50. The umask
  51. SUID and SGID
  52. Device Files
  53. Changing a File’s Owner or Group
  54. Summary
  55. 7. Cryptography Basics
  56. Understanding Cryptography
  57. Symmetric Key Algorithms
  58. Public Key Algorithms
  59. Message Digest Functions
  60. Summary
  61. 8. Physical Security for Servers
  62. Planning for the Forgotten Threats
  63. Protecting Computer Hardware
  64. Preventing Theft
  65. Protecting Your Data
  66. Story: A Failed Site Inspection
  67. Summary
  68. 9. Personnel Security
  69. Background Checks
  70. On the Job
  71. Departure
  72. Other People
  73. Summary
  74. III. Network and Internet Security
  75. 10. Modems and Dialup Security
  76. Modems: Theory of Operation
  77. Modems and Security
  78. Modems and Unix
  79. Additional Security for Modems
  80. Summary
  81. 11. TCP/IP Networks
  82. Networking
  83. IP: The Internet Protocol
  84. IP Security
  85. Summary
  86. 12. Securing TCP and UDP Services
  87. Understanding Unix Internet Servers and Services
  88. Controlling Access to Servers
  89. Primary Unix Network Services
  90. Managing Services Securely
  91. Putting It All Together: An Example
  92. Summary
  93. 13. Sun RPC
  94. Remote Procedure Call (RPC)
  95. Secure RPC (AUTH_DES)
  96. Summary
  97. 14. Network-Based Authentication Systems
  98. Sun’s Network Information Service (NIS)
  99. Sun’s NIS+
  100. Kerberos
  101. LDAP
  102. Other Network Authentication Systems
  103. Summary
  104. 15. Network Filesystems
  105. Understanding NFS
  106. Server-Side NFS Security
  107. Client-Side NFS Security
  108. Improving NFS Security
  109. Some Last Comments on NFS
  110. Understanding SMB
  111. Summary
  112. 16. Secure Programming Techniques
  113. One Bug Can Ruin Your Whole Day . . .
  114. Tips on Avoiding Security-Related Bugs
  115. Tips on Writing Network Programs
  116. Tips on Writing SUID/SGID Programs
  117. Using chroot( )
  118. Tips on Using Passwords
  119. Tips on Generating Random Numbers
  120. Summary
  121. IV. Secure Operations
  122. 17. Keeping Up to Date
  123. Software Management Systems
  124. Updating System Software
  125. Summary
  126. 18. Backups
  127. Why Make Backups?
  128. Backing Up System Files
  129. Software for Backups
  130. Summary
  131. 19. Defending Accounts
  132. Dangerous Accounts
  133. Monitoring File Format
  134. Restricting Logins
  135. Managing Dormant Accounts
  136. Protecting the root Account
  137. One-Time Passwords
  138. Administrative Techniques for Conventional Passwords
  139. Intrusion Detection Systems
  140. Summary
  141. 20. Integrity Management
  142. The Need for Integrity
  143. Protecting Integrity
  144. Detecting Changes After the Fact
  145. Integrity-Checking Tools
  146. Summary
  147. 21. Auditing, Logging, and Forensics
  148. Unix Log File Utilities
  149. Process Accounting: The acct/pacct File
  150. Program-Specific Log Files
  151. Designing a Site-Wide Log Policy
  152. Handwritten Logs
  153. Managing Log Files
  154. Unix Forensics
  155. Summary
  156. V. Handling Security Incidents
  157. 22. Discovering a Break-in
  158. Prelude
  159. Discovering an Intruder
  160. Cleaning Up After the Intruder
  161. Case Studies
  162. Summary
  163. 23. Protecting Against Programmed Threats
  164. Programmed Threats: Definitions
  165. Damage
  166. Authors
  167. Entry
  168. Protecting Yourself
  169. Preventing Attacks
  170. Summary
  171. 24. Denial of Service Attacks and Solutions
  172. Types of Attacks
  173. Destructive Attacks
  174. Overload Attacks
  175. Network Denial of Service Attacks
  176. Summary
  177. 25. Computer Crime
  178. Your Legal Options After a Break-in
  179. Criminal Hazards
  180. Criminal Subject Matter
  181. Summary
  182. 26. Who Do You Trust?
  183. Can You Trust Your Computer?
  184. Can You Trust Your Suppliers?
  185. Can You Trust People?
  186. Summary
  187. VI. Appendixes
  188. A. Unix Security Checklist
  189. Preface
  190. Chapter 1: Introduction: Some Fundamental Questions
  191. Chapter 2: Unix History and Lineage
  192. Chapter 3: Policies and Guidelines
  193. Chapter 4: Users, Passwords, and Authentication
  194. Chapter 5: Users, Groups, and the Superuser
  195. Chapter 6: Filesystems and Security
  196. Chapter 7: Cryptography Basics
  197. Chapter 8: Physical Security for Servers
  198. Chapter 9: Personnel Security
  199. Chapter 10: Modems and Dialup Security
  200. Chapter 11: TCP/IP Networks
  201. Chapter 12: Securing TCP and UDP Services
  202. Chapter 13: Sun RPC
  203. Chapter 14: Network-Based Authentication Systems
  204. Chapter 15: Network Filesystems
  205. Chapter 16: Secure Programming Techniques
  206. Chapter 17: Keeping Up to Date
  207. Chapter 18: Backups
  208. Chapter 19: Defending Accounts
  209. Chapter 20: Integrity Management
  210. Chapter 21: Auditing, Logging, and Forensics
  211. Chapter 22: Discovering a Break-In
  212. Chapter 23: Protecting Against Programmed Threats
  213. Chapter 24: Denial of Service Attacks and Solutions
  214. Chapter 25: Computer Crime
  215. Chapter 26: Who Do You Trust?
  216. Appendix A: Unix Security Checklist
  217. Appendix B: Unix Processes
  218. Appendixes C, D, and E: Paper Sources, Electronic Sources, and Organizations
  219. B. Unix Processes
  220. About Processes
  221. Signals
  222. Controlling and Examining Processes
  223. Starting Up Unix and Logging In
  224. C. Paper Sources
  225. Unix Security References
  226. Other Computer References
  227. D. Electronic Resources
  228. Mailing Lists
  229. Web Sites
  230. Usenet Groups
  231. Software Resources
  232. E. Organizations
  233. Professional Organizations
  234. U.S. Government Organizations
  235. Emergency Response Organizations
  236. Index
  263. About the Authors
  264. Colophon
  265. Copyright

D

DAC (Discretionary Access Controls), Groups and Group Identifiers (GIDs)
Daemen, Joan, Common Symmetric Key Algorithms
daemon user, Users and Groups
daemons, Clients and Servers
Dalheimer, Mattias K. (Running Linux), Unix Programming and System Administration
Dalton, Chris I., “Secure” Versions of Unix
DARPA, History of Unix (see ARPA)
data, Types of Security, Identifying assets, Identifying assets, Network-Based Authentication Systems, Legal Issues
(see also data protection; information)
backing up, Legal Issues (see backups)
confidentiality of, Network-Based Authentication Systems (see confidentiality)
encryption of, Identifying assets (see encryption)
integrity of, Types of Security (see integrity)
data bits, Baud and bps
Data Carrier Detect (DCD), The RS-232 Serial Protocol
data communication equipment (DCE), The RS-232 Serial Protocol
Data Encryption Algorithm (DEA), A Cryptographic Example
Data Encryption Standard, The traditional crypt ( ) algorithm (see DES)
data protection, Encryption, Protecting Your Data–Key Switches, Eavesdropping–Keyboard monitors, Sanitizing Media Before Disposal–Sanitizing Printed Media, Protecting Local Storage–Function keys, Unattended Terminals, Potential for eavesdropping and data theft, Why Make Backups?
(see also backups)
eavesdropping, Eavesdropping–Keyboard monitors
local storage, Protecting Local Storage–Function keys
real-world example, Potential for eavesdropping and data theft
sanitizing media before disposal, Sanitizing Media Before Disposal–Sanitizing Printed Media
theft, from, Encryption
unattended terminals, Unattended Terminals
Data Set Ready (DSR), The RS-232 Serial Protocol
data spoofing, IP Security
data terminal equipment (DTE), The RS-232 Serial Protocol
Data Terminal Ready (DTR), The RS-232 Serial Protocol
databases, What Is an Operating System?, Viewing Accounts in the Network Database, Viewing Accounts in the Network Database
(see also network authentication systems)
network, Viewing Accounts in the Network Database
system, What Is an Operating System?
date account, Accounts That Run a Single Command
Dawson, Terry (Running Linux), Unix Programming and System Administration
day-zero backup, Types of Backups (see level-zero backup)
daytime service, TCP, UDP
dbx debugger, gdb: Controlling a Process–gcore: Dumping Core
DCD (Data Carrier Detect), The RS-232 Serial Protocol
DCE (data communication equipment), The RS-232 Serial Protocol
DCE (Distributed Computing Environment), Unix Wars 2: SVR4 versus OSF/1, Kerberos DCE, Other naming services, Remote Procedure Call (RPC), DCE, Codebooks
dd command, Simple Local Copies, Preserving the Evidence
DDoS (Distributed Denial of Service) attacks, Service Overloading
DEA (Data Encryption Algorithm), A Cryptographic Example
deadlock, Design Principles
DEBUG command, SMTP, Security concerns with SMTP banners and commands
debugfs command, File Times, File Times, Tree structure attacks
DECnet, Adding authentication to TCP/IP with ident
decode aliases, Delivery to programs
decoy systems, Decoy Systems
decryption, Understanding Cryptography
default accounts, Default Accounts–Other accounts
default domain, Format of the hostname
defense in depth, Preface, Defend in depth (see multilevel security)
demo accounts, Other accounts
denial of service attacks, Role of This Book, Entering your password, IP Security, The inetd Program, The syslog.conf configuration file, Using syslog in a networked environment, Types of Attacks, Types of Attacks, Types of Attacks, Types of Attacks, Destructive Attacks, Overload Attacks, Soft Process Limits: Preventing Accidental Denial of Service, Network Denial of Service Attacks–Ping of Death and Other Malformed Traffic Attacks, Service Overloading, Chapter 24: Denial of Service Attacks and Solutions
accidental, Soft Process Limits: Preventing Accidental Denial of Service
automatic account lockout, Entering your password
causes of, Types of Attacks
destructive, Types of Attacks, Destructive Attacks
distributed (DDoS), Service Overloading
internal inetd services, The inetd Program
logging to /dev/console causing, The syslog.conf configuration file
on networks, Network Denial of Service Attacks–Ping of Death and Other Malformed Traffic Attacks
overload, Types of Attacks, Overload Attacks
security checklist for, Chapter 24: Denial of Service Attacks and Solutions
syslog causing, Using syslog in a networked environment
types of, Types of Attacks
Denning, Dorothy E. R. (Cryptography and Data Security), Cryptography Books
Denning, Peter J. (Computers Under Attack: Intruders, Worms, and Viruses), Computer Viruses and Programmed Threats
Department of Justice (DOJ), Department of Justice (DOJ)
deployment environments, What Is a Deployment Environment?–What Is a Deployment Environment?
depository directories, FTP, Setting up anonymous FTP with the standard Unix FTP server
DES (Data Encryption Standard), The traditional crypt ( ) algorithm, A Cryptographic Example, A Cryptographic Example, Key Length with Symmetric Key Algorithms, Common Symmetric Key Algorithms, Using NIS+, Kerberos Authentication
example of, A Cryptographic Example
Kerberos using, Kerberos Authentication
key length of, Key Length with Symmetric Key Algorithms
NIS+, Using NIS+
weakness of, A Cryptographic Example
des command, A Cryptographic Example, A Cryptographic Example
DES Extended format, crypt16( ), DES Extended, and Modular Crypt Format
The Design and Implementation of the 4.4 BSD UNIX Operating System (McKusick, Marshall Kirk; Bostic, Keith; Karels, Michael; Quarterman, John), Unix Programming and System Administration
The Design of the UNIX Operating System (Bach, Maurice), Unix Programming and System Administration
destroying media, Sanitizing Media Before Disposal
destructive denial of service attacks, Types of Attacks, Destructive Attacks
detectors, Fire, Smoke, Smoke, Extreme temperatures, Humidity, Water, Environmental monitoring, Entrance through air ducts, Wiretapping, Exception and activity reports
cable tampering, Wiretapping
carbon monoxide, Smoke
fire alarms, Fire
humidity, Humidity
logging alarm systems, Exception and activity reports
motion, Entrance through air ducts
placement and monitoring of, Environmental monitoring
smoke, Smoke
temperature alarms, Extreme temperatures
water sensors, Water
/dev directory, SGID and Sticky Bits on Directories, Device Files, Device Files, Device Files, Picking a Random Seed, Picking a Random Seed, Picking a Random Seed, Back Doors and Trap Doors
/dev/audio device, Picking a Random Seed
/dev/console device, Device Files
/dev/kmem device, Device Files, Back Doors and Trap Doors
/dev/null device, Device Files
/dev/random device, Picking a Random Seed
/dev/swap device, SGID and Sticky Bits on Directories
/dev/urandom device, Picking a Random Seed
device files, Device Files–Unauthorized Device Files
devices, What the Superuser Can Do, Setting Up the Unix Device, BOOTP: Bootstrap Protocol, and DHCP: Dynamic Host Configuration Protocol (UDP Ports 67 and 68), SNMP: Simple Network Management Protocol (UDP Ports 161 and 162), Picking a Random Seed, Informational material, Back Doors and Trap Doors, World-readable backup devices, Access Devices and Copyrighted Software
access, legal definition of, Access Devices and Copyrighted Software
back door in, Back Doors and Trap Doors
backup, world-readable, World-readable backup devices
configuring on local area network, BOOTP: Bootstrap Protocol, and DHCP: Dynamic Host Configuration Protocol (UDP Ports 67 and 68)
logging information about, Informational material
managing with SNMP, SNMP: Simple Network Management Protocol (UDP Ports 161 and 162)
modem control, Setting Up the Unix Device
random number sources, Picking a Random Seed
superuser control of, What the Superuser Can Do
Devices file, Connecting a Modem to Your Computer
df -i command, inode problems
dfstab file, The example explained, Which Files to Back Up?
dfstab script, Exporting NFS directories under System V: share and dfstab
DHCP protocol, BOOTP: Bootstrap Protocol, and DHCP: Dynamic Host Configuration Protocol (UDP Ports 67 and 68)
dictionary attack, The traditional crypt ( ) algorithm
diff program, Source code and patches
differential backup, Types of Backups
differential cryptanalysis, Cryptanalysis
differential fault analysis, Cryptanalysis
differential power analysis, Cryptanalysis
differential timing analysis, Cryptanalysis
Diffie, Whitfield, Attacks on Symmetric Encryption Algorithms, Public Key Algorithms, Cryptography Papers and Other Publications, Cryptography Papers and Other Publications
“New Directions in Cryptography”, Cryptography Papers and Other Publications
“The First Ten Years of Public-Key Cryptography”, Cryptography Papers and Other Publications
Diffie-Hellman exponential key exchange system, Public Key Algorithms, Secure RPC (AUTH_DES), Secure RPC (AUTH_DES), Secure RPC Authentication, Secure RPC Authentication, Limitations of Secure RPC
Digital Millennium Copyright Act (DMCA), Copyrighted Works
Digital Signature Algorithm (DSA), Public Key Algorithms
Digital Signature Standard (DSS), Public Key Algorithms, Message Digest Functions
digital signatures, Cryptographic Algorithms and Functions, Public Key Algorithms, Public Key Algorithms, Public Key Algorithms, Uses for Public Key Encryption, Digital signatures, Message Digest Functions, Message Digest Algorithms at Work, Uses of Message Digest Functions, HMAC, Software Management Systems, Upgrading Distributed Applications
(see also signatures, data)
distributed with software, Software Management Systems
DSA (Digital Signature Algorithm), Public Key Algorithms
DSS (Digital Signature Standard), Public Key Algorithms, Message Digest Functions
HMAC as alternative to, HMAC
message digest algorithms used for, Message Digest Algorithms at Work, Uses of Message Digest Functions
public key cryptography used with, Uses for Public Key Encryption, Digital signatures
RSA as basis for, Public Key Algorithms
directories, Directories and links–Directories and links, Directories and links, Current Directory and Paths, Current Directory and Paths, Current Directory and Paths, Directory Permissions, Calculating octal file permissions, SGID and Sticky Bits on Directories, Turning Off SUID and SGID in Mounted Filesystems, Primary Unix Network Services, Setting up anonymous FTP with the standard Unix FTP server, Sun RPC, Read-Only Filesystems, Ancestor directories, Hidden files and directories, World-writable user files and directories, Tree structure attacks–Tree structure attacks
(see also files)
ancestor, detecting changes to, Ancestor directories
CDFs (context-dependent files), Hidden files and directories
current, Current Directory and Paths
FTP depositories, Setting up anonymous FTP with the standard Unix FTP server
home, Current Directory and Paths, Primary Unix Network Services
security of, Primary Unix Network Services
links to, Directories and links
mounted, Turning Off SUID and SGID in Mounted Filesystems
nested, tree structure attacks on, Tree structure attacks–Tree structure attacks
NFS, Sun RPC (see NFS)
permissions for, Directory Permissions, Calculating octal file permissions
SGID and sticky bits on, SGID and Sticky Bits on Directories
world-writable, World-writable user files and directories
directory services, LDAP (see Kerberos system; LDAP; NIS; NIS+)
dired mode, GNU Emacs, Hidden files and directories
Disappearing Cryptography (Wayner, Peter), Cryptography Books
disaster planning, Planning for the Forgotten Threats, The Disaster Recovery Plan
Disaster Recovery Journal, Security Periodicals
discard service, TCP, UDP
Discretionary Access Controls (DAC), Groups and Group Identifiers (GIDs)
disk drives, Sanitizing Media Before Disposal, Types of Backups, Read-Only Filesystems, Read-Only Filesystems, Local copies, Informational material, Destructive Attacks, Destructive Attacks, Disk Attacks–Tree structure attacks, Using partitions to protect your users, Using quotas, Reserved space, Hidden space
(see also media)
destructive attacks to, Destructive Attacks
difficulty of sanitizing, Sanitizing Media Before Disposal
filling up, as overload attack, Disk Attacks–Tree structure attacks
Firewire-based, Local copies
hidden space on, Hidden space
logging information about, Informational material
partitioning, Using partitions to protect your users
partitions, backups by, Types of Backups
quotas for, Using quotas
reserved space on, Reserved space
write-protect switches for, Read-Only Filesystems, Read-Only Filesystems
Distributed Computing Environment, Other naming services, Remote Procedure Call (RPC) (see DCE)
Distributed Denial of Service (DDoS) attacks, Service Overloading
DMCA (Digital Millennium Copyright Act), Copyrighted Works
DNS (Domain Name System), Name Service–Other naming services, Authentication and DNS–Authentication and DNS, Authentication and DNS, Authentication and DNS, Authentication and DNS, Authentication and DNS, Domain Name System (DNS) (TCP and UDP Port 53)–DNS best practices, Domain Name System (DNS) (TCP and UDP Port 53), DNS zone transfers, DNS zone transfers–DNS best practices, DNS nameserver attacks–DNS nameserver attacks, DNS nameserver attacks, DNSSEC, DNS best practices
attacks on, Authentication and DNS
client flooding, Authentication and DNS
dynamic, DNS nameserver attacks
nameserver attacks, DNS nameserver attacks–DNS nameserver attacks
nameserver cache poisoning, Authentication and DNS
Public Key Infrastructure (PKI), DNSSEC
rogue servers, Authentication and DNS
security and, Authentication and DNS–Authentication and DNS, DNS zone transfers–DNS best practices
security precautions for, DNS best practices
zone transfers, Domain Name System (DNS) (TCP and UDP Port 53), DNS zone transfers
DNS and BIND (Albitz, Paul and Liu, Cricket), Unix Programming and System Administration
DNSSEC, DNSSEC
Dobbertin, Hans, Tripwire
documentation, What This Book Is, The Problem with Security Through Obscurity, Design Principles, Logging to a printer, Handwritten Logs–Informational material, Rule #2: Document, Never Trust Anything Except Hardcopy
of break-in, Rule #2: Document
log books, Handwritten Logs–Informational material
log files, hardcopy of, Logging to a printer, Never Trust Anything Except Hardcopy
manuals, What This Book Is, The Problem with Security Through Obscurity
software, Design Principles
DOJ (Department of Justice), Department of Justice (DOJ)
dollar sign ($), as Unix Bourne or Korn shell prompt, Conventions Used in This Book
domain name, Format of the hostname, Looking up information by domain
Domain Name System, Name Service (see DNS)
domain service, TCP, UDP
domain socket, Unix syslog
domainname command, NIS Domains
domains (NIS), NIS Domains
dormant accounts, Managing Dormant Accounts–Finding Dormant Accounts, Disabling an Account by Changing the Account’s Password, Finding Dormant Accounts–Finding Dormant Accounts, Finding Dormant Accounts
disabling automatically, Finding Dormant Accounts
disabling by changing password, Disabling an Account by Changing the Account’s Password
finding, Finding Dormant Accounts–Finding Dormant Accounts
dot (.) directory, Directories and links, Exploring with the ls Command
dot-dot (..) directory, Directories and links, Exploring with the ls Command
double reverse lookup, Authentication and DNS
downtime, logging, Exception and activity reports
dpkg package management system, Source code and patches
drand48() system call, drand48( ), lrand48( ), and mrand48( )
Dreyfus, Suelette (Underground), Understanding the Computer Security “Culture”
drinks, effects on hardware, Food and drink
DSA (Digital Signature Algorithm), Public Key Algorithms
DSR (Data Set Ready), The RS-232 Serial Protocol
DSS (Digital Signature Standard), Public Key Algorithms, Message Digest Functions
DTE (data terminal equipment), The RS-232 Serial Protocol
DTR (Data Terminal Ready), The RS-232 Serial Protocol
du command, Disk-full attacks
due care, Best Practices (see best practices)
dump program, Specialized Backup Programs, Encrypting Your Backups, Preserving the Evidence
DUMP request, The MOUNT Protocol
dumpster diving, Sanitizing Printed Media
duress code, Token Cards
dust, effects on hardware, Dust
DVD, mounted read-only, Read-Only Filesystems
dynamic DNS, DNS nameserver attacks