Summary
System administrators: Learn the specifics for making your system secure, whether it's an organization-wide network or a standalone workstation. Expert author Peter Gregory has managed security for everything from top-secret corporate research facilities to casinos. Take advantage of his expertise to build a secure, reliable system of your own.
Solaris Security looks at the physical, logical, and human factors that affect security, including:
- PROMs, physical security, boot paths, permissions, auditing tools, system logs, passwords and more
- Secure network interfaces and services for remote and Internet access, intrusion detection, access control, e-mail, and printing
- Enhanced security for NIS, NIS+, DNS, and NFS
- A concise guide to maintaining secure systems in the Solaris environment
- Standalone and networked systems running Solaris
- A special section on disaster preparations and recovery operations
Every chapter opens with a checklist of key topics and their significance, so you can quickly find the information you need. Whether you are a security manager, information technology/systems manager or a network security administrator, Solaris Security is the single resource to answer all your questions and get your systems in shape now and for the future.
Table of contents
- List of Figures
- List of Tables
- Foreword
- Preface
- Part One: Introduction
- Chapter 1: The Security Problem
- Causes of Security Weaknesses
- Growth of Network Connectivity
- Software Vulnerabilities
- Employees and Contractors
- Motivated and Resourceful Hackers
- Site Policies
- Chapter 2: The Security Paradigm
- Principle 1: The Hacker Who Breaks Into Your System Will Probably Be Someone You Know
- Principle 2: Trust No One, or Be Careful About Whom You Are Required to Trust
- Principle 2a: Don't Trust Yourself, or Verify Everything You Do
- Principle 3: Make Would-Be Intruders Believe They Will Be Caught
- Principle 4: Protect In Layers
- Principle 5: While Planning Your Security Strategy, Presume the Complete Failure of Any Single Security Layer
- Principle 6: Make Security a Part of the Initial Design
- Principle 7: Disable Unneeded Services, Packages, and Features
- Principle 8: Before Connecting, Understand and Secure
- Principle 9: Prepare for the Worst
- The Nine Principles: A Way of Life
- Part Two: The Standalone System
- Chapter 3: The PROM, OpenBoot, and Physical Security
- What is PROM?
- What Is OpenBoot?
- Why Users Must be Kept Out of OpenBoot
- Protecting OpenBoot by Setting Security Parameters
- Procedures for Changing OpenBoot Security Levels
- All Passwords Lost -- Partial Recovery Procedure
- Boot Device Recommendations
- Change the OpenBoot Banner
- Recover a Lost Root Password
- Physical Security Considerations
- Theft and Access Prevention
- Audit PROMs
- OpenBoot Passwords
- CD-ROM Drives
- Backup Media
- OS Release Media
- Where to Go for Additional Information
- Chapter 4: The Filesystem
- What Is the Filesystem?
- Some Applications Require Open Permissions
- Understanding File and Directory Permissions
- Who: User, Group, and Other
- Permission Summary: Read, Write, Execute, SetUID, SetGID, Sticky Bit
- Putting It All Together: The Who and the What
- How to View File and Directory Permissions
- Permissions: Numeric Form
- Setting File and Directory Permissions -- Numeric
- Setting File and Directory Permissions -- Symbolic
- umask and How It Works
- Default File Permissions and umask
- Root User umask
- Default Directory Permissions and umask
- How to Find Files with Specific Permission Settings
- System Device Access Permissions
- Filesystem Auditing Tools
- ASET
- COPS
- Tiger
- Tripwire
- lsof (list open files)
- Other Security Tools and Techniques
- Check /etc Permissions
- Ensure Proper utmp and utmpx Permissions
- Use Fix-modes Tool to Enhance Security
- Use the fuser Command
- Use the ls Command to Show Hidden Files and Hidden Characters in File names
- Alias the rm Command
- Randomize Filesystem Inode Numbers with fsirand
- Filesystem Quotas
- Filesystem Access Control Lists
- Where to Go for Additional Information
- Chapter 5: User Accounts and Environments
- Introduction
- User Account Security
- The Root Account
- Other Administrative Accounts and Groups
- User Accounts
- When Users Need Root Privileges
- PATH and LD_LIBRARY_PATH
- The Password, Shadow, and Group Files
- Password File
- Shadow File
- Password Security
- UNIX Groups
- The /etc/default/passwd File
- Root Access
- Direct Root Login
- The su Command
- Shell and Application Security
- Forced Application Startup
- Include System Name in Root Shell Prompt
- Restricted Shell
- Default Login Environment
- Writing Directly to the Console
- Program Buffer Overflow
- Additional Process Information
- X-Windows Security
- X-Windows Screen Lock, Manual
- X-Windows Screen Lock, Auto
- X-Windows Display Permissions
- Auditing Tools
- COPS
- Crack
- Where to Go for Additional Information
- Chapter 6: System Startup and Shutdown
- System Run Levels
- Determining Current Run Level
- System Startup
- PROM
- init
- Multiuser Mode
- The rc Mechanism
- System Shutdown
- init
- uadmin
- More Information on rc Files
- An Example rc File Examined
- Auditing Startup and Shutdown Mechanisms
- COPS
- Tripwire
- Modifying Startup and Shutdown Mechanisms
- Adding Startup and Shutdown Scripts
- Changing Startup and Shutdown Scripts
- Disabling Startup and Shutdown Scripts
- More on Linked Startup Files
- Where to Go For Additional Information
- Chapter 7: cron and at
- cron
- What is cron?
- How cron Works
- How cron Is Configured
- cron User Configuration
- User Access to cron System
- at
- What Is at?
- How at Works
- User Access to at System
- Common Mistakes to Avoid
- Failure to Adequately Conceal Programs Launched by cron
- Leaving crontab Files Lying Around for All to See
- Unsecure PATH Elements in Scripts Launched by cron
- Indeterminate PATH Elements in Scripts Launched by cron
- Use of stdin and stdout in cron and at Jobs
- Auditing Tools
- Tripwire
- COPS
- Where to Go for Additional Information
- Chapter 8: System Logs
- What is a System Log
- syslog
- syslog Facilities and Severity Levels
- syslog Message Classification Notation
- syslog Configuration
- Debugging syslog
- loginlog
- sulog
- Last Log
- Volume Manager Log
- Install Log
- sysidtool Log
- Tools to Help with Logging
- Logcheck
- Where to Go for Additional Information
- Part Three: The Network-Connected System
- Chapter 9: Network Interfaces and Services
- Networks
- Network Interfaces
- Network Interface Characteristics
- Network Interface Configuration
- ifconfig
- ndd
- Turn Off IP Forwarding with /etc/notrouter
- netstat
- /etc/inet/hosts
- /etc/inet/netmasks
- /etc/defaultrouter
- /etc/nodename
- /etc/hostname.interface
- How Adaptors Are Configured
- Promiscuous Mode
- Network Services
- Unnecessary Services
- Network Service Numbers
- Network Service Configuration
- How Network Services Are Started
- Daemon Network Services Not Started with inetd
- Routing
- Adding Static Routes
- Adding Dynamic Routes
- Using snoop
- Where to Go For Additional Information
- Chapter 10: Network/System Architecture
- What is an Architecture?
- Simple vs. Complex Architectures
- Architecture Principles
- Principle 1: Minimize the Number of Failure Points (or Shorten the Critical Path)
- Principle 2: Keep Services Close to Those Being Served
- Principle 3: Vertically Align Services with Their Applications
- Principle 4: Prepare for Increasing Network Partitioning
- Chapter 11: Electronic Mail
- Overview of E-Mail
- Transport Agent
- Delivery Agent
- User Agent
- Types of E-Mail Security Weaknesses
- Auth (or Identd) Protocol
- Message Brokering
- Message Source Routing
- Privacy
- Authenticity
- Mitigating E-Mail Security Weaknesses
- Run Sendmail Only on Mail Servers
- Disconnect Inside Mail Server(s) from the Internet
- Prevent Message Source Routing
- Implement Mail Encryption and Digital Signatures
- Replace Sendmail
- Remove Unnecessary E-Mail Aliases
- Implement Smrsh
- Implement ForwardPath
- Where to Go for Additional Information
- Chapter 12: Printing
- Printing Architectures
- Print Subsystem Directories
- Auditing Print Subsystem Directories
- Local Printing
- Local Print Devices
- How to Determine Which Device a Specific Printer Uses
- Print Device Permissions
- Auditing Print Device Permissions
- Restricting Access to Printers and Print Servers
- Direct Access to Network Printers
- Where to Go for Additional Information
- Chapter 13: Network Access Control
- Network Access Control Principles
- Unnecessary Network Access Points Are Security Risks
- Unguarded Network Access Points Are Security Risks
- Necessary and Unnecessary Services
- How to Disable Unnecessary Services
- Strengthening Network Access Control
- inetd Connection Tracing
- TCP Wrappers
- Public-Domain rpcbind
- .rhosts File -- Gateway to the r-Commands
- /etc/hosts.equiv File
- Auditing .rhosts and hosts.equiv Files
- Secure Replacement for telnet, rsh, and rlogin
- ftp
- tftp
- X-Windows Is Unsecure
- Firewalls
- Testing System Accessibility
- Satan
- ISS
- Intrusion Detection
- Syn
- Klaxon
- Courtney
- Tocsin
- Gabriel
- Intrusion Detection: Staying Current
- Authentication
- System Authentication
- DES (Diffie-Hellman) Authentication
- Kerberos Authentication
- Virtual Private Networks
- SKIP
- IPsec
- Where to Go for Additional Information
- Chapter 14: Name Services
- Domain Name Service (DNS)
- /etc/nsswitch.conf
- /etc/resolv.conf
- DNS Security Weaknesses and Solutions
- Too Much Information Visible to the Internet
- Illicit Zone Transfers from DNS Servers
- Differences Between nslookup and Actual DNS Queries
- Public-Domain DNS (BIND)
- DIG Public-Domain Tool
- Disable nscd Caching
- Know Your BIND Version
- NIS
- Obtaining and Installing NISKIT
- NIS Security Weaknesses and Solutions
- Move NIS Maps out of /etc Directory
- Protect NIS Maps Directory
- Use a Hard-to-Guess NIS Domain Name
- Implement /var/yp/securenets
- Hide Shadow Fields
- Avoid Illicit NIS Servers
- Keep Root and Other Administrative Accounts out of NIS
- Disable nscd Caching
- Other NIS Weaknesses
- NIS+
- NIS+ Default Access Rights
- Access Rights for Principal nobody
- NIS+ Security Level
- Administering NIS+
- Back Up NIS+ Tables
- Flush NIS+ Transactions
- Keep Root and Other Administrative Accounts out of NIS+
- Disable nscd Caching
- Name Service Switch
- nscd
- Where to Go for Additional Information
- Chapter 15: NFS and the Automounter
- NFS
- NFS Operations
- Improving Security with NFS Share
- Improving Security with NFS Mount
- Improving Security by Setting NFS Portmon
- NFS Authentication
- Servers as NFS Clients
- NFS and Access Control Lists
- NFS on the Network
- Disabling NFS
- Automounter
- Indirect Automounter Maps
- Direct Automounter Maps
- Automounter Browsing
- Automounter and the Name Service Switch
- Disabling Automounter
- Where to Go for Additional Information
- Part Four: Disaster and Recovery
- Chapter 16: System Recovery Preparation
- What Can and Will Go Wrong
- Natural Disaster
- Man-Made Disaster
- Inside Utility Failure
- Hardware Failure
- UNIX Administrator Error
- Documentation Error
- Programmer Error
- User Error
- Sabotage
- Preparing for Recovery
- Create an Incident Response Team
- System Filesystem Design
- Filesystem Geometry
- Tape Backups
- System Recovery Testing
- Release Media
- System Event Logbooks
- Solaris and Tool Patches
- CD-ROM Drives
- Hardware and Software Services Agreements
- Keep Hardware Spares
- Copies of Critical Server PROMs
- Disk Space to Spare
- Recovery Documentation
- Contacts and Cross-Training
- Partner with Inside Suppliers
- Partner with Outside Suppliers
- Where to Go for Additional Information
- Part Five: Appendices
- Appendix A: Online Sources for Security Information
- Security Web Sites
- Hacker Web Sites
- Security Mailing Lists
- Patches
- Appendix B: Online Sources for Public-Domain Security Tools
- TCP/IP Security Tools
- ISS (Internet security scan)
- Satan (Security Administrator's Tool for Analyzing Networks)
- cpm (check promiscuous mode)
- tcpdump (network monitoring and data acquisition)
- Access Control Security Tools
- TCP Wrappers
- rpcbind
- Ssh (secure shell)
- Kerberos
- crack (password cracker)
- fwtk (firewall toolkit)
- S/Key
- Intrusion Detection Tools
- Klaxon
- Courtney
- Tocsin
- Gabriel
- syn
- Filesystem Security Tools
- Tiger
- Tripwire
- COPS
- Encryption Tools
- PGP
- MD5
- E-Mail Security Tools
- SMAP (sendmail wrapper)
- sendmail V8 (public domain sendmail)
- Postfix (formerly Vmailer)
- smrsh
- DNS Tools
- Public-Domain BIND
- Dig
- Other DNS Tools
- Other Tools and Sources
- logcheck
- lsof (list open files)
- Patchdiag
- fix-modes
- perl
- Washington University ftpd
- Security Tools Site
- CERT Tools
- CIAC Tools
- COAST Tools
- Doug's Tools
- LIST (Laboratory for Information Security Technology)
- Security Tools
- Sun Freeware Site
- Wietse Venema's UNIX Security Tools Collection
- Hacker Tools Sites
- Appendix C: Obtaining and Applying Solaris Patches
- Sources for Patch Information
- Understanding Solaris Patches
- Understanding Solaris Patch Clusters
- Sources for Patches
- Patch Installation Strategies
- Before Installing Patches
- Which Patches to Install
- Testing Patches
- For Patches Requiring System Reboot
- The patchdiag Program
- Patch Installation Procedure, Solaris 2.x -- 2.5.1
- Patch Installation Procedures for Solaris 2.6 and Solaris 7
- Solaris OS Upgrades
- Where to Go for Additional Information
- Appendix D: Suggested Reading
- Books
- Publications and Articles Available Online
- SunSolve Publications
- Periodicals Online
- Internet RFCs
- Appendix E: Solaris Security Products
- SunScreen EFS
- SunScreen SPF
- SunScreen SKIP
- Sun Security Manager
- SunScreen SecureNet
- Trusted Solaris
- Where to Go for Additional Information
- Appendix F: Implementing C2 Security
- What is C2 Security?
- Implications of C2 Security
- Enabling C2 Security
- Disabling C2 Security
- Managing C2 Security
- Configuration of C2 Audit Capture
- Management of C2 Logs
- Management of Performance
- Audit Events
- Audit Trail Analysis
- Removable Media Management
- Device Allocation
- Recommendations
- Where to Go for Additional Information
- Appendix G: Verifying the Integrity of Public-Domain Software
- Verification Using PGP
- Verification Using MD5
- Where to Go for Additional Information
- Appendix H: Glossary of Attacks
- Appendix I: Secure System Checklist
- Index
The author - Peter H Gregory
Peter Gregory is the author of two books on Solaris security.
Technical details
| Field | Value |
| --- | --- |
| Edition | Paper |
| Publisher(s) | Prentice Hall |
| Author(s) | Peter H Gregory |
| Publication date | 15/08/1999 |
| Number of pages | 290 |
| Format | 18 x 23.5 |
| Weight | 650g |
| EAN13 | 9780130960535 |