book

Practical UNIX and Internet Security, 3rd Edition

by Simson Garfinkel, Gene Spafford, Alan Schwartz

February 2003

Intermediate to advanced

986 pages

35h 34m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Practical Unix & Internet Security, 3rd Edition
A Note Regarding Supplemental Files
Preface
Unix “Security”?
What This Book IsWhat This Book Is NotThird-Party Security Tools
Scope of This Book
Which Unix System?
Versions Covered in This Book“Secure” Versions of Unix
Conventions Used in This Book
Comments and Questions
Acknowledgments
Third EditionSecond EditionFirst Edition
A Note to Would-Be Attackers

I. Computer Security Basics
1. Introduction: Some Fundamental Questions
What Is Computer Security?
What Is an Operating System?
What Is a Deployment Environment?
Summary
2. Unix History and Lineage
History of Unix
Multics: The Unix PrototypeThe Birth of UnixUnix escapes AT&TUnix goes commercialThe Unix Wars: Why Berkeley 4.2 over System VUnix Wars 2: SVR4 versus OSF/1Free UnixFSF and GNUMinixXinuLinuxNetBSD, FreeBSD, and OpenBSDBusinesses adopt UnixSecond-Generation Commercial Unix SystemsWhat the Future Holds
Security and Unix
ExpectationsSoftware QualityAdd-on Functionality Breeds ProblemsThe Failed P1003.1e/2c Unix Security Standard
Role of This Book
Summary
3. Policies and Guidelines
Planning Your Security Needs
Types of SecurityTrust
Risk Assessment
Steps in Risk AssessmentIdentifying assetsIdentifying threatsReview Your Risks
Cost-Benefit Analysis and Best Practices
The Cost of LossThe Probability of a LossThe Cost of PreventionAdding Up the NumbersBest PracticesConvincing Management
Policy
The Role of PolicyStandardsGuidelinesSome Key Ideas in Developing a Workable PolicyAssign an ownerBe positiveRemember that employees are people tooConcentrate on educationHave authority commensurate with responsibilityBe sure you know your security perimeterPick a basic philosophyDefend in depthRisk Management Means Common Sense
Compliance Audits
Outsourcing Options
Formulating Your Plan of ActionChoosing a VendorGet a referral and insist on referencesBeware of soup-to-nutsInsist on breadth of backgroundPeople“Reformed” hackersMonitoring ServicesFinal Words on Outsourcing
The Problem with Security Through Obscurity
Keeping SecretsResponsible Disclosure
Summary
II. Security Building Blocks
4. Users, Passwords, and Authentication
Logging in with Usernames and Passwords
Unix UsernamesAuthenticating UsersAuthenticating with PasswordsEntering your passwordChanging your passwordVerifying your new passwordChanging another user’s password
The Care and Feeding of Passwords
Bad Passwords: Open DoorsSmoking JoesGood Passwords: Locked DoorsPassword Synchronization: Using the Same Password on Many MachinesWriting Down Passwords
How Unix Implements Passwords
The /etc/passwd FileThe Unix Encrypted Password SystemThe traditional crypt ( ) algorithmUnix saltcrypt16( ), DES Extended, and Modular Crypt FormatThe shadow password and master password filesOne-Time PasswordsPublic Key Authentication
Network Account and Authorization Systems
Using Network Authorization SystemsViewing Accounts in the Network DatabaseNIS and NIS+Kerboros DCENetInfoRADIUSLDAP
Pluggable Authentication Modules (PAM)
Summary
5. Users, Groups, and the Superuser
Users and Groups
The /etc/passwd FileUser Identifiers (UIDs)Groups and Group Identifiers (GIDs)The /etc/group file
The Superuser (root)
What the Superuser Can DoWhat the Superuser Can’t DoAny Username Can Be a SuperuserThe Problem with the Superuser
The su Command: Changing Who You Claim to Be
Real and Effective UIDs with the su CommandSaved IDsOther IDsBecoming the SuperuserUse su with CautionUsing su to Run Commands from ScriptsRestricting suThe su LogThe sulog under SolarisThe sulog under Berkeley UnixThe sulog under Red Hat LinuxFinal cautionsudo: A More Restrictive su
Restrictions on the Superuser
Secure Terminals: Limiting Where the Superuser Can Log InBSD Kernel Security LevelsLinux Capabilities
Summary
6. Filesystems and Security
Understanding Filesystems
UFS and the Fast File SystemFile contentsInodesDirectories and linksThe Virtual Filesystem InterfaceCurrent Directory and Paths
File Attributes and Permissions
Exploring with the ls CommandFile TimesFile PermissionsA file permissions exampleDirectory Permissions
chmod: Changing a File’s Permissions
Setting a File’s PermissionsCalculating octal file permissionsUsing octal file permissionsAccess Control Lists
The umask
The umask CommandCommon umask Values
SUID and SGID
Sticky BitsSGID and Sticky Bits on DirectoriesSGID Bit on Files (System V-Derived Unix Only): Mandatory Record LockingProblems with SUIDSUID ScriptsAn example of a SUID attack: IFS and the /usr/lib/preserve holeFinding All of the SUID and SGID FilesThe Solaris ncheck commandTurning Off SUID and SGID in Mounted Filesystems
Device Files
Unauthorized Device Files
Changing a File’s Owner or Group
chown: Changing a File’s OwnerOld and new chown behaviorUse chown with cautionchgrp: Changing a File’s Group
Summary
7. Cryptography Basics
Understanding Cryptography
Roots of CryptographyCryptography as a Dual-Use TechnologyA Cryptographic ExampleCryptographic Algorithms and Functions
Symmetric Key Algorithms
Cryptographic Strength of Symmetric AlgorithmsKey Length with Symmetric Key AlgorithmsCommon Symmetric Key AlgorithmsAttacks on Symmetric Encryption AlgorithmsKey search (brute force) attacksCryptanalysisSystems-based attacks
Public Key Algorithms
Uses for Public Key EncryptionEncrypted messagingDigital signaturesAttacks on Public Key AlgorithmsKey search attacksAnalytic attacksKnown versus published methods
Message Digest Functions
Message Digest Algorithms at WorkUses of Message Digest FunctionsHMACAttacks on Message Digest Functions
Summary
8. Physical Security for Servers
Planning for the Forgotten Threats
The Physical Security PlanThe Disaster Recovery PlanOther Contingencies
Protecting Computer Hardware
Protecting Against Environmental DangersFireSmokeDustEarthquakesExplosionsExtreme temperaturesBugs (biological)Electrical noiseLightningVibrationHumidityWaterEnvironmental monitoringPreventing AccidentsFood and drinkControlling Physical AccessRaised floors and dropped ceilingsEntrance through air ductsGlass wallsDefending Against VandalismVentilation holesNetwork cablesNetwork connectorsUtility connectionsDefending Against Acts of War and Terrorism
Preventing Theft
Understanding Computer TheftLaptops and Portable ComputersLocksTaggingLaptop Recovery Software and ServicesRAM TheftEncryption
Protecting Your Data
EavesdroppingWiretappingEavesdropping over local area networks (Ethernet and twisted pairs)Eavesdropping on 802.11 wireless LANsEavesdropping by radio and using TEMPESTFiber optic cableKeyboard monitorsProtecting BackupsVerify your backupsProtect your backupsSanitizing Media Before DisposalSanitizing Printed MediaProtecting Local StoragePrinter buffersPrinter outputX terminalsFunction keysUnattended TerminalsBuilt-in shell autologoutScreensaversKey Switches
Story: A Failed Site Inspection
What We FoundFire hazardsPotential for eavesdropping and data theftEasy pickingsPhysical access to critical computersPossibilities for sabotageNothing to Lose?
Summary
9. Personnel Security
Background Checks
Intensive InvestigationsRechecks
On the Job
Initial TrainingOngoing Training and AwarenessPerformance Reviews and MonitoringAuditing AccessLeast Privilege and Separation of Duties
Departure
Other People
Summary
III. Network and Internet Security
10. Modems and Dialup Security
Modems: Theory of Operation
Serial InterfacesThe RS-232 Serial ProtocolOriginate and AnswerBaud and bps
Modems and Security
BannersCaller-ID and Automatic Number IdentificationOne-Way Phone LinesProtecting Against EavesdroppingKinds of eavesdroppingEavesdropping countermeasuresManaging Unauthorized Modems with Telephone Scanning and Telephone FirewallsTelephone scanningTelephone firewallsLimitations of scanning and firewalls
Modems and Unix
Connecting a Modem to Your ComputerSetting Up the Unix DeviceChecking Your ModemOriginate testingAnswer testingPrivilege testingProtection of Modems and Lines
Additional Security for Modems
Summary
11. TCP/IP Networks
Networking
The InternetToday’s InternetWho’s on the Internet?Networking and Unix
IP: The Internet Protocol
Internet AddressesIP networksClassical network addressesCIDR addressesRoutingHostnamesFormat of the hostnameThe /etc/hosts filePackets and ProtocolsICMPTCPUDPClients and ServersName ServiceDNS under UnixOther naming services
IP Security
Using Encryption to Protect IP Networks from EavesdroppingHardening Against AttacksFirewalls and Physical IsolationImproving AuthenticationAuthentication and DNSAuthentication and email¡April Fools! authentication and NetnewsAdding authentication to TCP/IP with identDecoy Systems
Summary
12. Securing TCP and UDP Services
Understanding Unix Internet Servers and Services
The /etc/services FileCalling getservbyname( )Ports cannot be trustedStarting the ServersStartup on different Unix systemsStartup examplesThe inetd Program
Controlling Access to Servers
Access Control Lists with TCP WrappersWhat TCP Wrappers doesThe TCP Wrappers configuration languageMaking sense of your TCP Wrappers configuration filesUsing a Host-Based Packet FirewallThe ipfw host-based firewallAn ipfw example
Primary Unix Network Services
echo and chargen (TCP and UDP Ports 7 and 19)systat (TCP Port 11)FTP: File Transfer Protocol (TCP Ports 20 and 21)Anonymous FTPFTP active modeFTP passive modeSetting up an FTP serverRestricting FTP with the standard Berkeley FTP serverSetting up anonymous FTP with the standard Unix FTP serverAllowing only FTP accessSSH: The Secure Shell (TCP Port 22)Host authentication with SSHClient authentication with SSHTelnet (TCP Port 23)SMTP: Simple Mail Transfer Protocol (TCP Port 25)Configuration filesSecurity concerns with SMTP banners and commandsSMTP relaying and bulk email (a.k.a. spam)Overflowing system mailboxesDelivery to programsOverall security of Berkeley sendmail versus other MTAsTACACS and TACACS+ (UDP Port 49)Domain Name System (DNS) (TCP and UDP Port 53)DNS zone transfersDNS nameserver attacksDNSSECDNS best practicesBOOTP: Bootstrap Protocol, and DHCP: Dynamic Host Configuration Protocol (UDP Ports 67 and 68)TFTP: Trivial File Transfer Protocol (UDP Port 69)finger (TCP Port 79)The .plan and .project filesDisabling fingerHTTP, HTTPS: HyperText Transfer Protocol (TCP Ports 80, 443)POP, POPS: Post Office Protocol, and IMAP, IMAPS: Internet Message Access Protocol (TCP Ports 109, 110, 143, 993, 995)Sun RPC’s portmapper (UDP and TCP Ports 111)Identification Protocol (TCP Port 113)NNTP: Network News Transport Protocol (TCP Port 119)NTP: Network Time Protocol (UDP Port 123)Sudden changes in timeAn NTP exampleSNMP: Simple Network Management Protocol (UDP Ports 161 and 162)rexec (TCP Port 512)rlogin and rsh (TCP Ports 513 and 514)Trusted hosts and usersSpecifying trusted hosts with /etc/hosts.equiv and ~/.rhosts/etc/hosts.lpd fileRIP Routed: Routing Internet Protocol (UDP Port 520)The X Window System (TCP Ports 6000-6063)/etc/logindevpermX securityThe xhost facilityUsing Xauthority magic cookiesTunneling X with SSHRPC rpc.rexd (TCP Port 512)Communicating with MUDs, Internet Relay Chat (IRC), and Instant Messaging
Managing Services Securely
Monitoring Your Host with netstatLimitation of netstat and lsofMonitoring Your Network with tcpdumpNetwork Scanning
Putting It All Together: An Example
Summary
13. Sun RPC
Remote Procedure Call (RPC)
Sun’s portmap/rpcbindRPC AuthenticationAUTH_NONEAUTH_UNIXAUTH_DESAUTH_KERB
Secure RPC (AUTH_DES)
Secure RPC AuthenticationProving your identityUsing Secure RPC servicesSetting the windowSetting Up Secure RPC with NISCreating passwords for usersCreating passwords for hostsMaking sure Secure RPC support is running on every workstationUsing Secure RPCLimitations of Secure RPC
Summary
14. Network-Based Authentication Systems
Sun’s Network Information Service (NIS)
NIS FundamentalsIncluding or excluding specific accountsImporting accounts without really importing accountsNIS DomainsNIS NetgroupsSetting up netgroupsUsing netgroups to limit the importing of accountsLimitations of NISSpoofing RPCSpoofing NISNIS is confused about “+”Unintended Disclosure of Site Information with NIS
Sun’s NIS+
What NIS+ DoesNIS+ Tables and Other ObjectsUsing NIS+Changing your passwordWhen a user’s passwords don’t matchNIS+ Limitations
Kerberos
Kerberos AuthenticationInitial loginUsing the ticket-granting ticketAuthentication, data integrity, and secrecyKerberos 4 versus Kerberos 5Getting KerberosUsing KerberosKerberos Limitations
LDAP
LDAP: The ProtocolLDAP Integrity and ReliabilityAuthentication with LDAPnss_ldappam_ldapConfiguring Authentication with nss_ldapSetting up the LDAP serverSetting up the LDAP clients
Other Network Authentication Systems
DCESESAME
Summary
15. Network Filesystems
Understanding NFS
NFS HistoryFile HandlesThe MOUNT ProtocolThe NFS ProtocolHow NFS creates a reliable filesystem from a best-effort protocolHard, soft, and spongy mountsConnectionless and statelessNFS and rootNFS Version 3
Server-Side NFS Security
Limiting Client Access: /etc/exports and /etc/dfs/dfstab/etc/exports/usr/etc/exportfsExporting NFS directories under System V: share and dfstabThe showmount Command
Client-Side NFS Security
Improving NFS Security
Limit Exported and Mounted FilesystemsThe example explainedExport Read-OnlyUse Root OwnershipRemove Group-Write Permission for Files and DirectoriesDo Not Export Server ExecutablesDo Not Export Home DirectoriesDo Not Allow Users to Log into the ServerUse fsirandSet the portmon VariableUse showmount -eUse Secure NFS
Some Last Comments on NFS
Well-Known BugsFor Real Security, Don’t Use NFS
Understanding SMB
SMB HistoryProtocolsName serviceAuthenticationFile accessConfiguring the Samba ServerSamba Server SecurityConnecting to the serverUser authenticationAuthorizationData integrity and privacySamba Client SecurityImproving Samba Security
Summary
16. Secure Programming Techniques
One Bug Can Ruin Your Whole Day . . .
The Lesson of the Internet WormAn Empirical Study of the Reliability of Unix UtilitiesWhat he foundWhere’s the beef?
Tips on Avoiding Security-Related Bugs
Design PrinciplesCoding StandardsThings to AvoidBefore You Finish
Tips on Writing Network Programs
Things to DoThings to Avoid
Tips on Writing SUID/SGID Programs
Using chroot( )
Tips on Using Passwords
Tips on Generating Random Numbers
Unix Pseudorandom Functionsrand( )random( )drand48( ), lrand48( ), and mrand48( )Picking a Random SeedA Good Random Seed Generator
Summary
IV. Secure Operations
17. Keeping Up to Date
Software Management Systems
Package-Based SystemsSource-Based SystemsSource code and patchesCVS
Updating System Software
Learning About PatchesUpgrading Distributed ApplicationsSensitive Upgrades
Summary
18. Backups
Why Make Backups?
The Role of BackupsWhat Should You Back Up?Types of BackupsGuarding Against Media FailureReplace tapes as neededKeep your tape drives cleanVerify the backupHow Long Should You Keep a Backup?Security for BackupsPhysical security for backupsWrite-protect your backupsData security for backupsLegal IssuesDeciding Upon a Backup StrategyIndividual WorkstationBackup planRetention scheduleSmall Network of Workstations and a ServerBackup planRetention scheduleLarge Service-Based Network with Small BudgetBackup planRetention scheduleLarge Service-Based Networks with Large BudgetBackup planRetention schedule
Backing Up System Files
Which Files to Back Up?Building an Automatic Backup System
Software for Backups
Simple Local CopiesSimple ArchivesSpecialized Backup ProgramsNetwork Backup SystemsEncrypting Your Backups
Summary
19. Defending Accounts
Dangerous Accounts
Accounts Without PasswordsDefault AccountsThe superuser accountOther accountsAccounts That Run a Single CommandOpen AccountsRestricted shellsHow to set up a restricted account with rshPotential problems with restricted shellsRestricted Filesystem with the chroot( ) JailSetting up the chroot( ) environmentLimiting network serversLimiting usersChecking new softwareGroup Accounts
Monitoring File Format
Restricting Logins
Managing Dormant Accounts
Disabling an Account by Changing the Account’s PasswordChanging the Account’s Login ShellFinding Dormant Accounts
Protecting the root Account
Secure TerminalsThe wheel GroupThe sudo ProgramTrusted Path and Trusted Computing BaseTrusted pathTrusted computing base
One-Time Passwords
Integrating One-Time Passwords with UnixToken CardsCodebooks
Administrative Techniques for Conventional Passwords
Assigning Passwords to UsersConstraining PasswordsPassword GeneratorsShadow Password FilesPassword Aging and ExpirationCracking Your Own PasswordsJoetest: a simple password crackerThe dilemma of password crackersAlgorithm and Library ChangesAccount Names Revisited: Using Aliases for Increased Security
Intrusion Detection Systems
Summary
20. Integrity Management
The Need for Integrity
Protecting Integrity
Immutable and Append-Only FilesThe chflags commandKernel security levelRead-Only Filesystems
Detecting Changes After the Fact
The Achilles Heel of Integrity Management SystemsComparison CopiesLocal copiesRemote copiesrdistChecklists and MetadataSimple listingAncestor directoriesChecksums and Signatures
Integrity-Checking Tools
BSD’s mtree and Periodic Security ScansPackaging ToolsIntegrity checking with RPM under LinuxIntegrity checking with the BSD pkg_info commandTripwireBuilding TripwireRunning Tripwire
Summary
21. Auditing, Logging, and Forensics
Unix Log File Utilities
Essential Log FilesUnix syslogThe syslog messageThe syslog.conf configuration fileUsing syslog in a networked environmentIncorporating syslog into your own programsBeware false syslog log entriesRotating Logs with newsyslogSwatch: A Log File Analysis ToolRunning SwatchThe Swatch configuration filelastlog Fileutmp and wtmp FilesExamining the utmp and wtmp filesThe su command and the utmp and wtmp fileslast programPruning the wtmp fileloginlog File
Process Accounting: The acct/pacct File
Accounting with System VAccounting with BSD and Linuxmessages Log File
Program-Specific Log Files
aculog Log Filesulog Log Filexferlog Log Fileaccess_log Log FileLogging Network ServicesOther Logs
Designing a Site-Wide Log Policy
Where to LogLogging to a printerLogging across the networkLogging everything everywhere
Handwritten Logs
Per-Site LogsException and activity reportsInformational materialPer-Machine LogsException and activity reportsInformational material
Managing Log Files
Unix Forensics
Shell HistoryMailcronNetwork Setup
Summary
V. Handling Security Incidents
22. Discovering a Break-in
Prelude
Rule #1: Don’t PanicRule #2: DocumentRule #3: Plan Ahead
Discovering an Intruder
Catching One in the ActMonitoring commandsOther tip-offsWhat to Do When You Catch SomebodyContacting the IntruderMonitoring the IntruderTracing a ConnectionHow to Contact the System Administrator of a Computer You Don’t KnowLooking up information by domainLooking up information by IP addressContacting a site’s ISPAlternative contact strategiesGetting Rid of the Intruder
Cleaning Up After the Intruder
Analyzing the Log FilesPreserving the EvidenceAssessing the DamageNew accountsChanges in file contentsChanges in file and directory protectionsNew SUID and SGID filesChanges in .rhosts filesChanges to .ssh/authorized_keys filesChanges to the /etc/hosts.equiv fileChanges to startup filesHidden files and directoriesUnowned filesNew network servicesNever Trust Anything Except HardcopyResuming OperationDamage Control
Case Studies
RootkitWarezThe follow-upfaxsurvey
Summary
23. Protecting Against Programmed Threats
Programmed Threats: Definitions
Security Scanners and Other ToolsBack Doors and Trap DoorsLogic BombsTrojan HorsesTrojan horses in mobile codeTerminal-based Trojan horsesAvoiding Trojan horsesVirusesWormsBacteria and Rabbits
Damage
Authors
Entry
Protecting Yourself
Shell FeaturesPATH attacksIFS attacks$HOME attacksFilename attacksStartup File Attacks.login, .profile, /etc/profile.cshrc, .kshrc, .tcshrc.emacs.exrc, .nexrc.forward, .procmailrcOther filesOther initializationsAbusing Automatic Mechanismscrontab entriesinetd.conf/etc/mail/aliases, aliases.dir, aliases.pag, and aliases.dbThe at programSystem initialization filesOther filesIssues with NFS
Preventing Attacks
File ProtectionsWorld-writable user files and directoriesWritable system files and directoriesGroup-writable filesWorld-readable backup devicesShared Libraries
Summary
24. Denial of Service Attacks and Solutions
Types of Attacks
Destructive Attacks
Overload Attacks
Process and CPU Overload ProblemsToo many processesRecovering from too many processes“No more processes”Safely halting the systemCPU overload attacksSwap Space ProblemsSwapping to filesDisk AttacksDisk-full attacksquot commandinode problemsUsing partitions to protect your usersUsing quotasReserved spaceHidden spaceTree structure attacks/tmp ProblemsSoft Process Limits: Preventing Accidental Denial of Service
Network Denial of Service Attacks
Service OverloadingMessage FloodingSignal Grounding and JammingClogging (SYN Flood Attacks)Ping of Death and Other Malformed Traffic Attacks
Summary
25. Computer Crime
Your Legal Options After a Break-in
Filing a Criminal ComplaintChoosing jurisdictionLocal jurisdictionFederal jurisdictionFederal Computer Crime LawsHazards of Criminal ProsecutionThe Responsibility to Report Crime
Criminal Hazards
Criminal Subject Matter
Access Devices and Copyrighted SoftwarePornography, Indecency, and ObscenityAmateur ActionCommunications Decency ActMandatory blockingChild pornographyCopyrighted WorksCryptographic Programs and Export Controls
Summary
26. Who Do You Trust?
Can You Trust Your Computer?
Harry’s CompilerTrusting TrustWhat the Superuser Can and Cannot Do
Can You Trust Your Suppliers?
Hardware BugsViruses on the Distribution DiskBuggy SoftwareHacker ChallengesSecurity Bugs That Never Get FixedNetwork Providers That Network Too Well
Can You Trust People?
Your Employees?Your System Administrator?Your Vendor?Your Consultants?Response Personnel?
Summary
VI. Appendixes
A. Unix Security Checklist
Preface
Chapter 1: Introduction: Some Fundamental Questions
Chapter 2: Unix History and Lineage
Chapter 3: Policies and Guidelines
Chapter 4: Users, Passwords, and Authentication
Chapter 5: Users, Groups, and the Superuser
Chapter 6: Filesystems and Security
Chapter 7: Cryptography Basics
Chapter 8: Physical Security for Servers
Chapter 9: Personnel Security
Chapter 10: Modems and Dialup Security
Chapter 11: TCP/IP Networks
Chapter 12: Securing TCP and UDP Services
Chapter 13: Sun RPC
Chapter 14: Network-Based Authentication Systems
Chapter 15: Network Filesystems
Chapter 16: Secure Programming Techniques
Chapter 17: Keeping Up to Date
Chapter 18: Backups
Chapter 19: Defending Accounts
Chapter 20: Integrity Management
Chapter 21: Auditing, Logging, and Forensics
Chapter 22: Discovering a Break-In
Chapter 23: Protecting Against Programmed Threats
Chapter 24: Denial of Service Attacks and Solutions
Chapter 25: Computer Crime
Chapter 26: Who Do You Trust?
Appendix A: Unix Security Checklist
Appendix B: Unix Processes
Appendixes C, D, and E: Paper Sources, Electronic Sources, and Organizations
B. Unix Processes
About Processes
Processes and ProgramsThe ps CommandListing processes with Solaris and other Unix systems derived from System VListing processes with versions of Unix derived from BSD, including LinuxProcess PropertiesProcess identification numbers (PIDs)Process real and effective UIDsProcess priority and nicenessProcess groups and sessionsCreating Processes
Signals
Unix Signals and the kill CommandKilling Multiple Processes at the Same TimeCatching SignalsKilling Rogue or Questionable Processes
Controlling and Examining Processes
gdb: Controlling a Processgcore: Dumping Corelsof: Examining a Process/proc: Examining a Process Directlypstree: Viewing the Process Tree
Starting Up Unix and Logging In
Process #1: /etc/initLogging InRunning the User’s Shell
C. Paper Sources
Unix Security References
Other Computer References
Computer Crime and LawComputer-Related RisksComputer Viruses and Programmed ThreatsCryptography BooksCryptography Papers and Other PublicationsGeneral Computer SecurityNetwork Technology and SecuritySecurity Products and Services InformationUnderstanding the Computer Security “Culture”Unix Programming and System AdministrationMiscellaneous ReferencesSecurity Periodicals
D. Electronic Resources
Mailing Lists
Response Teams and VendorsA Big Problem with Mailing ListsMajor Mailing ListsBugtraqCERT-advisoryComputer underground digestFirewallsFirewall-WizardsRISKSSANS Security Alert Consensus
Web Sites
CIACCERIASFIRSTNIST CSRCInsecure.orgNIH
Usenet Groups
Software Resources
chrootuidCOPS (Computer Oracle and Password System)ISS (Internet Security Scanner)KerberosnmapNessusOpenSSHOpenSSLportmapportsentrySATANSnortSwatchTCP WrappersTigertrimlogTripwirewuarchive ftpd
E. Organizations
Professional Organizations
Association for Computing Machinery (ACM)American Society for Industrial Security (ASIS)Computer Security Institute (CSI)Electronic Frontier Foundation (EFF)Electronic Privacy Information Center (EPIC)High Technology Crimes Investigation Association (HTCIA)Information Systems Security Association (ISSA)International Information Systems Security Certification Consortium, Inc.The Internet SocietyIEEE Computer SocietyIFIP, Technical Committee 11Systems Administration and Network Security (SANS)USENIX/SAGE
U.S. Government Organizations
National Institute of Standards and Technology (NIST)National Security Agency (NSA)
Emergency Response Organizations
Department of Justice (DOJ)Federal Bureau of Investigation (FBI)U.S. Secret Service (USSS)Forum of Incident and Response Security Teams (FIRST)Computer Emergency Response Team Coordination Center (CERT/CC)
Index
About the Authors
Colophon
Copyright

Content preview from Practical UNIX and Internet Security, 3rd Edition

Chapter 21: Auditing, Logging, and Forensics

Consider installing a dedicated PC or other non-Unix machine as a network log host.
Have your users check the last login time each time they log in to make sure that nobody else is using their accounts.
Consider installing a simple cron task to save copies of the lastlog file to track logins.
Evaluate whether C2 logging on your system is practical and appropriate. If so, install it.
Determine if there is an intrusion detection and/or audit reduction tool available to use with your C2 logs.
Make sure that your utmp file is not world-writable.
Turn on whatever accounting mechanism you may have that logs command usage.
Run last periodically to see who has been using the system. Use this program on a regular basis.
Review your specialized log files on a regular basis. This review should include loginlog, sulog, aculog, xferlog, and others (if they exist on your system).
Consider adding an automatic log monitor such as Swatch.
Make sure that your log files are on your daily backups before they are reset.
If you have syslog, configure it so that all auth messages are logged to a special file. If you can, also have these messages logged to a special hardcopy printer and to another computer on your network.
Be aware that log file entries may be forged and misleading in the event of a carefully crafted attack.
Keep a paper log on a per-site and per-machine basis.
If you process your logs in an automated fashion, craft your filters so that they exclude the ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Linux Security and Hardening, The Practical Security Guide

Publisher Resources

ISBN: 0596003234Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Practical UNIX and Internet Security, 3rd Edition

by Simson Garfinkel, Gene Spafford, Alan Schwartz

Chapter 21: Auditing, Logging, and Forensics

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

More than 5,000 organizations count on O’Reilly

Julian F.

Addison B.

Amir M.

Mark W.

You might also like

Linux Security and Hardening, The Practical Security Guide

Computer Security Basics, 2nd Edition

Practical Linux Security Cookbook - Second Edition

Computer and Information Security Handbook, 3rd Edition

Publisher Resources