Title:
Hardening Linux
Publication Information:
New York : McGraw-Hill/Osborne, 2004
ISBN:
9780072254976
Available:

Library holdings (Item Barcode, Call Number, Material Type, Item Category):
30000004301234  QA76.9.A25 H37 2004  Open Access Book  Book
30000010051046  QA76.9.A25 T47 2004  Open Access Book  Book

On Order

Summary

Shows you how to bulletproof your system before you are hacked. This book also shows you how to secure your Linux system to work securely in the first place.


Author Notes

John H. Terpstra is co-founder of the Samba Team and serves on the Linux Standard Base.
Paul Love, CISSP, CISA, CISM, Security+, is technical editor. He manages security at a large utilities service provider and holds an MS in Network Security.
Ronald P. Reck's experience blends linguistics, NLP, and XML with UNIX systems. As a civilian contractor, he tackles tough problems.
Tim Scanlon recently worked on computer security for the 2004 Olympic Games. He has been a Common Criteria instructor and has worked at MCI, TRW, Signal Corporation, and Inter.Net Global. He has worked in the public sector and with Mitre and Mitretek.


Table of Contents

Foreword from David Wreski  p. xxi
Foreword from Corey D. Schou  p. xxiii
Introduction  p. xxvii
Part I  Do These Seven Things First
1  Critical First Steps  p. 3
Examine Systems for Evidence of Compromise  p. 4
Terminate Unauthorized Users  p. 5
Identify and Shut Down Unauthorized Processes  p. 7
Check Log Files for Possible Evidence of Intrusion Attempts  p. 9
Check for Potential System File Damage  p. 10
Check System Stability and Availability  p. 11
Validate Hardware Operation  p. 12
Make Sure Power Is Stable  p. 12
Part II  Take It From The Top: The Systematic Hardening Process
2  Hardening Network Access: Disable Unnecessary Services  p. 17
Step 1  Take the Machine Off the Network  p. 18
Step 2  Determine Required Services  p. 20
Red Hat Enterprise Linux AS 3.0 Services Baseline  p. 21
SLES8 Services Baseline  p. 21
Consider Additional Services  p. 22
Step 3  Determine Services' Dependencies  p. 27
Step 4  Prevent Services from Running  p. 32
Use Tools to Alter Startup Scripts  p. 33
Turn Off Unnecessary Services: Command Line Tool  p. 40
Step 5  Reboot  p. 43
Step 6  Check Configuration for Unnecessary Services  p. 44
Check Configuration: GUI  p. 44
Check Configuration: Manual  p. 44
Step 7  Check Configuration for Necessary Services  p. 45
Check the Configuration  p. 45
Probe the Service  p. 45
Look for the Service in Memory  p. 45
Step 8  Return the Machine to the Network  p. 46
Test Network Connectivity  p. 46
3  Installing Firewalls and Filters  p. 47
Take Stock  p. 48
Check for Existing Firewall Rules  p. 48
Understand Network Basics  p. 55
Understand Firewall Rules  p. 57
Identify Protective Firewall Needs  p. 60
Protective Strategy  p. 60
Configure the Firewall  p. 61
4  Hardening Software Accessibility  p. 79
Identify Required Software  p. 80
Determine Software Dependencies  p. 86
Remove or Restrict Unneeded Software  p. 89
Install Software Securely  p. 90
Install Trusted Software from Vendors  p. 91
Install Software from Trusted Sources  p. 94
Monitor Your Systems  p. 102
5  Preparing for Disaster  p. 105
Understanding Disaster Recovery  p. 106
Do Not Build a Custom Kernel  p. 106
Document Server Setup and Record Changes  p. 107
Prepare Automated Reinstallation  p. 107
Prepare Red Hat Kickstart Install Facility  p. 109
Using SUSE YaST Auto-installation Tools  p. 114
6  Hardening Access Controls  p. 129
Linux File Permissions and Ownership  p. 130
Use POSIX Access Control Lists  p. 130
Review File and Directory Access Controls  p. 137
Verify the Sticky Bit for Temporary Directories  p. 138
Record SUID/SGID Files and Directories  p. 139
7  Hardening Data Storage  p. 141
Understand Legal and Ethical Issues with Cryptography  p. 142
Comply with Legal Requirements  p. 142
Understand Ethical Issues  p. 143
Use Proper Procedures  p. 144
Store Data Securely  p. 145
Remove Plaintext Copies of Data  p. 146
Use GnuPG to Encrypt Files  p. 147
Creating Keys in a Secure Manner  p. 148
Creating Keys for Use with GnuPG  p. 149
Use OpenSSL for File Encryption  p. 159
Install and Use a Cryptographic File System  p. 161
8  Hardening Authentication and User Identity  p. 169
Use Pluggable Authentication Modules (PAM) to Provide Flexible Authentication  p. 170
Use PAM Because...  p. 171
Enforce Strict Password Requirements  p. 171
Enable Wheel Group Access  p. 171
Enable the Use of a Centralized Authentication Server  p. 172
Correctly Configure PAM to Avoid Compromise  p. 172
Remove Obsolete PAM Configuration File  p. 172
Configuration File Format  p. 173
Backing Up the Configuration Before Making Changes  p. 174
Recovering from Catastrophic Errors  p. 175
PAM Framework  p. 175
Traditional Services  p. 176
A BSD-Like wheel Group  p. 178
Per-User Temporary Directories  p. 179
Require Strong Passwords  p. 179
Name Switching Service (NSS)  p. 183
9  Restricted Execution Environments  p. 185
Restrict Functionality  p. 186
Use chroot to Protect a Service  p. 187
Understand What Is Protected...and What Isn't  p. 187
Build the chroot Directory Structure  p. 188
Resolve Dynamic Library Dependencies  p. 190
Determine File Dependencies  p. 192
Create Devices in the chroot Directory  p. 194
Establish Shells and User Environments  p. 195
Install the Service(s) to the chroot Directory  p. 198
Install from Source  p. 198
Install from a Source RPM  p. 199
Install a Binary RPM to an Alternate Location  p. 204
Configure the Service to Log Activity  p. 205
Troubleshoot chroot Environment Problems  p. 206
Combine chroot and Your Distribution's Security Capabilities  p. 207
pam_chroot and Red Hat Enterprise Linux AS 3.0  p. 207
Monitor File Mode and Permission Settings  p. 209
Maintain chroot  p. 210
10  Hardening Communications  p. 211
Secure Protocols  p. 212
Use SSH  p. 213
Secure X Connections with SSH  p. 224
Use Virtual Private Networks  p. 225
IPSec  p. 228
Set Up a VPN with FreeS/WAN  p. 229
Verify the Connection  p. 234
Part III  Once Is Never Enough!
11  Install Network Monitoring Software  p. 239
Install a Network Analyzer  p. 241
Install and Use ngrep to Monitor the Network  p. 241
Install and Use tcpdump  p. 245
Install Ethereal  p. 252
Utilize a Network Intrusion Detection System  p. 255
Install and Use Snort  p. 256
Use Snort in Sniffing Mode  p. 256
Use Snort in Packet Capture Mode  p. 258
Use Snort in NIDS Mode  p. 261
Use Snort Add-ons  p. 265
Honeypots/Honeynets  p. 265
Other Tools  p. 266
12  Automatic Logfile Scanning  p. 267
Logfiles at a Personal Level  p. 268
Create a Logfile Policy  p. 270
Configure the syslog Daemon  p. 271
The Selector Component  p. 271
The Activity Component  p. 273
Set Up a Centralized Server  p. 275
Ensure Centralized Logging Dependencies Are Met  p. 275
Configure the Centralized Server  p. 275
Configure Clients for the Centralized Server  p. 276
Create a Centralized Server with syslog-ng and stunnel  p. 277
SUSE: Download and Install stunnel 4.04  p. 277
Download and Install syslog-ng  p. 277
Create Certificates for Your Machines  p. 278
Copy Certificates to /etc/stunnel  p. 279
Check Certificate Permissions  p. 279
Create stunnel Configuration on the Server  p. 279
Create stunnel Configuration on the Client  p. 280
Create syslog-ng Configuration on the Server  p. 280
Create syslog-ng Configuration File on the Client Machines  p. 280
Start stunnel and syslog-ng Manually  p. 281
Check for Activity on the Server  p. 281
Use the logger Command to Send Messages Directly to the syslog Daemon  p. 283
Use Perl's Sys::Syslog to Send Messages to the syslog Daemon  p. 284
Manage Logfiles  p. 284
Finding Logfiles  p. 285
Other System Logfiles  p. 285
Search Logfiles  p. 286
Strategy for Searching Logfiles  p. 286
Searching Logfiles Manually  p. 287
Search Logfiles with logwatch  p. 288
Search Logfiles with logsurfer  p. 289
Search Logfiles with swatch  p. 291
Modify swatch Configuration to Detect an Attack on the SSH Daemon  p. 293
Respond to Attacks and Abnormalities  p. 294
13  Patch Management and Monitoring  p. 295
Apply Updates  p. 296
Update and Patch SUSE Software  p. 296
Update and Patch Red Hat Software  p. 303
Use a Central Patch Server  p. 318
Patch Monitoring and Management  p. 319
Create a Change Process  p. 320
Monitor the Patch Process  p. 321
14  Self-Monitoring Tools  p. 323
Install and Run a Host-Based Intrusion Detection System  p. 324
Install and Use Tripwire  p. 324
Use RPM for File Integrity Checking  p. 335
Other Tools  p. 336
Install and Run a Password Checker  p. 336
Use John the Ripper to Audit Passwords  p. 337
Set Up Network Monitoring  p. 340
Configure and Run Nmap  p. 340
Configure and Run Nessus  p. 344
Part IV  How to Succeed at Hardening Linux
15  Budget Acquisition and Corporate Commitment to Security  p. 355
Obtain Management Support  p. 356
Show the Need for the Security Program  p. 356
Perform a Risk Assessment  p. 357
Determine Scope  p. 358
Select the Team  p. 358
Gather Issues and Determine Impact and Probability  p. 359
Prioritize Risks  p. 361
Quantitative Risk Assessment Overview  p. 362
Report to Management and Obtain Guidance  p. 363
Executive Summary  p. 364
Determine Return on Investment (ROI)  p. 365
Perform Fact Finding  p. 365
Show Return on Investment  p. 369
Seek Outside Help and References  p. 369
Involve Management in Creation of Security Policies and Spending  p. 372
16  Establishing a Security Campaign  p. 373
Establish the Security Campaign  p. 374
Determine Goals  p. 374
Identify What Is Needed to Accomplish Goals  p. 375
Create Policies  p. 376
Example Company Encrypted Protocols Policy  p. 381
Gain User Acceptance and Support  p. 382
Evaluate Program  p. 385
Maintain the Program  p. 385
A  Additional Linux Security Resources  p. 387
General Linux  p. 388
General Security  p. 388
General Linux Security  p. 388
Linux Security Programs  p. 389
Index  p. 391