Summary
Shows you how to bulletproof your system before you are hacked, and how to set up your Linux system to work securely in the first place.
Author Notes
John H. Terpstra is co-founder of the Samba Team and serves on the Linux Standards Base.
Paul Love, CISSP, CISA, CISM, Security+, is the technical editor. He manages security at a large utilities service provider and holds an MS in Network Security.
Ronald P. Reck's experience blends linguistics, NLP, and XML with UNIX systems. As a civilian contractor, he tackles tough problems.
Tim Scanlon recently worked on computer security for the 2004 Olympic Games. He has been a Common Criteria instructor and has worked at MCI, TRW, Signal Corporation, and Inter.Net Global. He has worked in the public sector and with Mitre and Mitretek.
Table of Contents
Chapter / Section | Page |
---|---|
Foreword from David Wreski | p. xxi |
Foreword from Corey D. Schou | p. xxiii |
Introduction | p. xxvii |
Part I Do These Seven Things First | |
1 Critical First Steps | p. 3 |
Examine Systems for Evidence of Compromise | p. 4 |
Terminate Unauthorized Users | p. 5 |
Identify and Shut Down Unauthorized Processes | p. 7 |
Check Log Files for Possible Evidence of Intrusion Attempts | p. 9 |
Check for Potential System File Damage | p. 10 |
Check System Stability and Availability | p. 11 |
Validate Hardware Operation | p. 12 |
Make Sure Power Is Stable | p. 12 |
Part II Take It From The Top: The Systematic Hardening Process | |
2 Hardening Network Access: Disable Unnecessary Services | p. 17 |
Step 1 Take the Machine Off the Network | p. 18 |
Step 2 Determine Required Services | p. 20 |
Red Hat Enterprise Linux AS 3.0 Services Baseline | p. 21 |
SLES8 Services Baseline | p. 21 |
Consider Additional Services | p. 22 |
Step 3 Determine Services' Dependencies | p. 27 |
Step 4 Prevent Services from Running | p. 32 |
Use Tools to Alter Startup Scripts | p. 33 |
Turn Off Unnecessary Services: Command Line Tool | p. 40 |
Step 5 Reboot | p. 43 |
Step 6 Check Configuration for Unnecessary Services | p. 44 |
Check Configuration: GUI | p. 44 |
Check Configuration: Manual | p. 44 |
Step 7 Check Configuration for Necessary Services | p. 45 |
Check the Configuration | p. 45 |
Probe the Service | p. 45 |
Look for the Service in Memory | p. 45 |
Step 8 Return the Machine to the Network | p. 46 |
Test Network Connectivity | p. 46 |
3 Installing Firewalls and Filters | p. 47 |
Take Stock | p. 48 |
Check for Existing Firewall Rules | p. 48 |
Understand Network Basics | p. 55 |
Understand Firewall Rules | p. 57 |
Identify Protective Firewall Needs | p. 60 |
Protective Strategy | p. 60 |
Configure the Firewall | p. 61 |
4 Hardening Software Accessibility | p. 79 |
Identify Required Software | p. 80 |
Determine Software Dependencies | p. 86 |
Remove or Restrict Unneeded Software | p. 89 |
Install Software Securely | p. 90 |
Install Trusted Software from Vendors | p. 91 |
Install Software from Trusted Sources | p. 94 |
Monitor Your Systems | p. 102 |
5 Preparing for Disaster | p. 105 |
Understanding Disaster Recovery | p. 106 |
Do Not Build a Custom Kernel | p. 106 |
Document Server Setup and Record Changes | p. 107 |
Prepare Automated Reinstallation | p. 107 |
Prepare Red Hat Kickstart Install Facility | p. 109 |
Using SUSE YaST Auto-installation Tools | p. 114 |
6 Hardening Access Controls | p. 129 |
Linux File Permissions and Ownership | p. 130 |
Use POSIX Access Control Lists | p. 130 |
Review File and Directory Access Controls | p. 137 |
Verify the Sticky Bit for Temporary Directories | p. 138 |
Record SUID/SGID Files and Directories | p. 139 |
7 Hardening Data Storage | p. 141 |
Understand Legal and Ethical Issues with Cryptography | p. 142 |
Comply with Legal Requirements | p. 142 |
Understand Ethical Issues | p. 143 |
Use Proper Procedures | p. 144 |
Store Data Securely | p. 145 |
Remove Plaintext Copies of Data | p. 146 |
Use GnuPG to Encrypt Files | p. 147 |
Creating Keys in a Secure Manner | p. 148 |
Creating Keys for Use with GnuPG | p. 149 |
Use OpenSSL for File Encryption | p. 159 |
Install and Use a Cryptographic File System | p. 161 |
8 Hardening Authentication and User Identity | p. 169 |
Use Pluggable Authentication Modules (PAM) to Provide Flexible Authentication | p. 170 |
Use PAM Because... | p. 171 |
Enforce Strict Password Requirements | p. 171 |
Enable Wheel Group Access | p. 171 |
Enable the Use of a Centralized Authentication Server | p. 172 |
Correctly Configure PAM to Avoid Compromise | p. 172 |
Remove Obsolete PAM Configuration File | p. 172 |
Configuration File Format | p. 173 |
Backing Up the Configuration Before Making Changes | p. 174 |
Recovering from Catastrophic Errors | p. 175 |
PAM Framework | p. 175 |
Traditional Services | p. 176 |
A BSD-Like wheel Group | p. 178 |
Per-User Temporary Directories | p. 179 |
Require Strong Passwords | p. 179 |
Name Switching Service (NSS) | p. 183 |
9 Restricted Execution Environments | p. 185 |
Restrict Functionality | p. 186 |
Use chroot to Protect a Service | p. 187 |
Understand What Is Protected...and What Isn't | p. 187 |
Build the chroot Directory Structure | p. 188 |
Resolve Dynamic Library Dependencies | p. 190 |
Determine File Dependencies | p. 192 |
Create Devices in the chroot Directory | p. 194 |
Establish Shells and User Environments | p. 195 |
Install the Service(s) to the chroot Directory | p. 198 |
Install from Source | p. 198 |
Install from a Source RPM | p. 199 |
Install a Binary RPM to an Alternate Location | p. 204 |
Configure the Service to Log Activity | p. 205 |
Troubleshoot chroot Environment Problems | p. 206 |
Combine chroot and Your Distribution's Security Capabilities | p. 207 |
pam_chroot and Red Hat Enterprise Linux AS 3.0 | p. 207 |
Monitor File Mode and Permission Settings | p. 209 |
Maintain chroot | p. 210 |
10 Hardening Communications | p. 211 |
Secure Protocols | p. 212 |
Use SSH | p. 213 |
Secure X Connections with SSH | p. 224 |
Use Virtual Private Networks | p. 225 |
IPSec | p. 228 |
Set Up a VPN with FreeS/WAN | p. 229 |
Verify the Connection | p. 234 |
Part III Once Is Never Enough! | |
11 Install Network Monitoring Software | p. 239 |
Install a Network Analyzer | p. 241 |
Install and Use ngrep to Monitor the Network | p. 241 |
Install and Use tcpdump | p. 245 |
Install Ethereal | p. 252 |
Utilize a Network Intrusion Detection System | p. 255 |
Install and Use Snort | p. 256 |
Use Snort in Sniffing Mode | p. 256 |
Use Snort in Packet Capture Mode | p. 258 |
Use Snort in NIDS Mode | p. 261 |
Use Snort Add-ons | p. 265 |
Honeypots/Honeynets | p. 265 |
Other Tools | p. 266 |
12 Automatic Logfile Scanning | p. 267 |
Logfiles at a Personal Level | p. 268 |
Create a Logfile Policy | p. 270 |
Configure the syslog Daemon | p. 271 |
The Selector Component | p. 271 |
The Activity Component | p. 273 |
Set Up a Centralized Server | p. 275 |
Ensure Centralized Logging Dependencies Are Met | p. 275 |
Configure the Centralized Server | p. 275 |
Configure Clients for the Centralized Server | p. 276 |
Create a Centralized Server with syslog-ng and stunnel | p. 277 |
SUSE: Download and Install stunnel 4.04 | p. 277 |
Download and Install syslog-ng | p. 277 |
Create Certificates for Your Machines | p. 278 |
Copy Certificates to /etc/stunnel | p. 279 |
Check Certificate Permissions | p. 279 |
Create stunnel Configuration on the Server | p. 279 |
Create stunnel Configuration on the Client | p. 280 |
Create syslog-ng Configuration on the Server | p. 280 |
Create syslog-ng Configuration File on the Client Machines | p. 280 |
Start stunnel and syslog-ng Manually | p. 281 |
Check for Activity on the Server | p. 281 |
Use the logger Command to Send Messages Directly to the syslog Daemon | p. 283 |
Use Perl's Sys::Syslog to Send Messages to the syslog Daemon | p. 284 |
Manage Logfiles | p. 284 |
Finding Logfiles | p. 285 |
Other System Logfiles | p. 285 |
Search Logfiles | p. 286 |
Strategy for Searching Logfiles | p. 286 |
Searching Logfiles Manually | p. 287 |
Search Logfiles with logwatch | p. 288 |
Search Logfiles with logsurfer | p. 289 |
Search Logfiles with swatch | p. 291 |
Modify swatch Configuration to Detect an Attack on the SSH Daemon | p. 293 |
Respond to Attacks and Abnormalities | p. 294 |
13 Patch Management and Monitoring | p. 295 |
Apply Updates | p. 296 |
Update and Patch SUSE Software | p. 296 |
Update and Patch Red Hat Software | p. 303 |
Use a Central Patch Server | p. 318 |
Patch Monitoring and Management | p. 319 |
Create a Change Process | p. 320 |
Monitor the Patch Process | p. 321 |
14 Self-Monitoring Tools | p. 323 |
Install and Run a Host-Based Intrusion Detection System | p. 324 |
Install and Use Tripwire | p. 324 |
Use RPM for File Integrity Checking | p. 335 |
Other Tools | p. 336 |
Install and Run a Password Checker | p. 336 |
Use John the Ripper to Audit Passwords | p. 337 |
Set Up Network Monitoring | p. 340 |
Configure and Run Nmap | p. 340 |
Configure and Run Nessus | p. 344 |
Part IV How to Succeed at Hardening Linux | |
15 Budget Acquisition and Corporate Commitment to Security | p. 355 |
Obtain Management Support | p. 356 |
Show the Need for the Security Program | p. 356 |
Perform a Risk Assessment | p. 357 |
Determine Scope | p. 358 |
Select the Team | p. 358 |
Gather Issues and Determine Impact and Probability | p. 359 |
Prioritize Risks | p. 361 |
Quantitative Risk Assessment Overview | p. 362 |
Report to Management and Obtain Guidance | p. 363 |
Executive Summary | p. 364 |
Determine Return on Investment (ROI) | p. 365 |
Perform Fact Finding | p. 365 |
Show Return on Investment | p. 369 |
Seek Outside Help and References | p. 369 |
Involve Management in Creation of Security Policies and Spending | p. 372 |
16 Establishing a Security Campaign | p. 373 |
Establish the Security Campaign | p. 374 |
Determine Goals | p. 374 |
Identify What Is Needed to Accomplish Goals | p. 375 |
Create Policies | p. 376 |
Example Company Encrypted Protocols Policy | p. 381 |
Gain User Acceptance and Support | p. 382 |
Evaluate Program | p. 385 |
Maintain the Program | p. 385 |
A Additional Linux Security Resources | p. 387 |
General Linux | p. 388 |
General Security | p. 388 |
General Linux Security | p. 388 |
Linux Security Programs | p. 389 |
Index | p. 391 |