Index S


S/MIME
    native support by Mozilla 
    support by Evolution mailer 
sa -s command (truncating the process accounting log file) 
Samhain (integrity checker) 
scp command
    mirroring set of files securely between computers 
    options for remote file copying 
    securely copying files between computers 
    syntax 
scripts, enabling/disabling network interfaces 
search path, testing 
    . (period) in 
    relative directories in, dangers of 
SEC_BIN global variable (Tripwire) 
secret keys
    adding to GnuPG keyring 
    default key for GnuPG operations 
    listing for GnuPG 
secret-key encryption 
secure integrity checks 
    creating bootable CD-ROM securely 
    dual-ported disk array, using 
Secure Sockets Layer  [See SSL]
securetty file, editing to prevent root logins via terminal devices 
security policies  [See policies]
security tests  [See monitoring systems for suspicious activity]
security tools (Insecure.org) 
self-signed certificates 
    creating 
    generating X.509 certificate 
    man-in-the-middle attacks, risk of 
    setting up your own CA to issue certificates 
sending-filters for email (PinePGP) 
sendmail
    accepting mail from other hosts 
    authentication mechanisms accepted as trusted 
    daemons (visible), security risks with 
    restriction on accepting connections from only same host, changing 
    SSL, using to protect entire SMTP session 
sense keyword (PAM, listfile module) 
server arguments (inetd.conf file) 
server authentication  [See Kerberos; PAM; SSH; SSL; trusted-host authentication]
server keyword (xinetd) 
server program, OpenSSH 
service filter configuration file (logwatch) 
service filter executable (logwatch) 
service names
    conversion of port numbers to by netstat and lsof 
    executable 
    modifying to invoke tcpd in /etc/xinetd.d startup file 
    PAM  2nd 
services file, adding service names to inetd.conf 
session protection for mail 
setgid bit on directories 
setgid/setuid programs
    security checks 
setgid/setuid programs, security checks
    finding and interactively fixing 
    listing all files 
    listing scripts only 
    removing setgid/setuid bits from a file 
    setuid programs for hostbased authentication 
setlogsock (Sys::Syslog) 
setuid root, ssh-keysign program 
sftp 
shadow directive (/etc/pam.d/system-auth) 
shadow password file  2nd 
sharing files
    prohibiting directory listings 
    protecting shared directory 
shell command substitution, exceeding command line maximum 
shell item (PAM) 
shell prompts, standards used 
shell scripts
    in your current directory 
    writing system log entries  2nd 
shell-style wildcard expansion 
shells
    bash 
    checking for dormant accounts 
    invoking MH commands from prompt 
    invoking with root privileges by sudo, security risks 
    process substitution 
    root login shell, running 
    root shell vs. root login shell 
    terminating SSH agent on logout 
    umask command 
shosts.equiv file 
show command, decrypting email displayed with 
shutdowns (system), records of 
shutting down network interfaces 
signature ID (Snort alerts) 
signed cryptographic keys 
signing files  [See digital signatures]
single computer
    blocking spoofed addresses 
    firewall design 
single-threaded services (inetd.conf file) 
site key (Tripwire) 
    creating with twinstall.sh script 
    fingerprints, creating in secure integrity checks 
    read-only integrity checking 
size, file
    /bin/login, changes since last Tripwire check 
    verifying for RPM-installed files 
SLAC (Stanford Linear Accelerator), Network Monitoring Tools page 
SMTP
    blocking requests for mail service from a remote host 
    capturing messages from with dsniff program mailsnarf 
    protecting dedicated server for smtp services 
    requiring authentication by server before relaying mail 
    using server from arbitrary clients 
snapshots  [See Tripwire]
Snort 
    decoding alert messages 
        nmap port scan detected 
        priority levels 
        writing alerts to file instead of syslog 
    detecting intrusions with 
        dumping statistics to the system logger 
        promiscuous mode, setting 
        running in background as daemon 
    packet sniffing with 
    partitioning logs into separate files 
    upgrading and tuning ruleset 
socket type (inetd.conf file) 
software packages, risk of Trojan horses in 
sort command 
    -z option for null filename separators 
source address verification
    enabling 
    enabling in kernel 
    website information on 
source addresses
    controlling access by 
    limiting server sessions by 
source name for remote file copying 
source quench, blocking 
sources for system messages 
spoofed addresses
    blocking access from 
    MAC 
    source addresses 
SquirrelMail 
SSH (Secure Shell) 
    agents  [See ssh-agent]
    authenticating between client/server by trusted host 
    authenticating between SSH2 client/OpenSSH server 
    authenticating by public key 
    changing client defaults 
    client configurations in ~/.ssh/config 
    connecting via ssh with Kerberos authentication 
    cryptographic authentication 
    download site for OpenSSH 
    fetchmail, use of 
    important programs and files 
        scp (client program) 
        ssh (client program) 
    Kerberos, using with 
        debugging 
        Kerberos-5 support 
    permitting only incoming access via SSH with firewall 
    protecting dedicated server for ssh services 
    public-key and ssh-agent, using with Pine 
    public-key authentication between SSH2 client/OpenSSH server 
    public/private authentication keys 
    remote user access by public key authentication 
    restricting access by remote users 
    restricting access to server by account 
    restricting access to server by host 
    running root commands via 
    securing POP/IMAP 
        with Pine 
    sharing root privileges via 
    SSH-2 connections, trusted-host authentication 
    SSH2 server and OpenSSH client, authenticating between with OpenSSH key 
    SSH2 server and OpenSSH client, authenticating between with SSH2 key 
    superusers, authentication of 
    tailoring per host 
    transferring email from another ISP over tunnel 
    tunneling NNTP with 
    tunneling TCP connection through 
    web site 
ssh command
    -t option (for pseudo-tty) 
    -X option (for X forwarding) 
    using with rsync to mirror set of files between computers 
ssh file 
ssh-add 
ssh-agent 
    automatic authentication (without password) 
    invoking between backticks (` `) 
    public-key authentication without passphrase 
    terminating on logout 
ssh-keygen 
    conversion of SSH2 private key into OpenSSH private key with -i (import) option 
ssh-keysign 
    setuid root on client 
ssh_config file 
    ~/.ssh file, using instead of 
    client configuration keywords 
    HostbasedAuthentication, enabling 
ssh_known_hosts file 
    OpenSSH client, using ~/.ssh file instead of 
sshd 
    AllowUsers keyword 
    authorizing users to restart 
    restricting access from specific remote hosts 
    TCP wrappers support 
sshd_config file
    AllowUsers keyword 
    HostbasedAuthentication, enabling 
    HostbasedUsesNameFromPacketOnly 
    KerberosTgtPassing, enabling 
    ListenAddress statements, adding 
    PermitRootLogin, setting 
    PublicAuthentication, permitting 
    X11Forwarding setting 
SSL (Secure Sockets Layer) 
    connection problems, server-side debugging 
    converting certificates from DER to PEM 
    creating self-signed certificate 
    decoding SSL certificates 
    generating Certificate Signing Request (CSR) 
    installing new certificate 
    OpenSSL 
        web site 
    POP/IMAP security 
        mail server, running with 
        mail sessions for Evolution 
        mutt mail client, using with 
        stunnel, using 
        with pine mail client 
    setting up CA and issuing certificates 
    STARTTLS command (IMAP), negotiating protection for mail 
    STLS command (POP), negotiating protection for email 
    validating a certificate 
    verifying connection to secure POP or IMAP server 
SSL-port
    on mail servers 
    POP or IMAP connections for mutt client 
    testing use in pine mail client 
standard input, redirecting from /dev/null 
Stanford Linear Accelerator (SLAC) Network Monitoring Tools page 
starting network interfaces 
STARTTLS command (IMAP) 
    mail server support for SSL 
    mutt client connection over IMAP, testing 
    testing use in pine mail client 
startup scripts (bootable CD-ROM), disabling networking 
stateful 
stateless 
sticky bit
    set on world-writable directories 
    setting on world-writable directory 
STLS command (POP)  2nd 
strace command  2nd 
strings
    matching with fgrep command 
    searching network traffic for 
strings command 
strong authentication for email sessions 
strong session protection for mail (by SSL) 
stunnel, securing POP/IMAP with SSL 
su command 
    invoking with root privileges by sudo, security risks 
    ksu (Kerberized su) 
        authentication via Kerberos 
        sharing root privileges via 
    su -, running root login shell 
su configuration (PAM) 
subject (certificates) 
    components of certificate subject name 
    self-signed 
sudo command 
    bypassing password authentication 
    careful practices for using 
    forcing password authentication 
    killing processes via 
    listing invocations 
    logging remotely 
    password changes, authorizing via 
    prohibiting command-line arguments for command run via 
    read-only access to shared file 
    running any program in a directory 
    running commands as another user 
    starting/stopping daemons 
    user authorization privileges, allowing per host 
sudoers file 
    argument lists for each command, specifying meticulously 
    editing with visudo program 
    listing permissible commands for root privileges 
    running commands as another user 
    timestamp_timeout variable 
    user authorization to kill certain processes 
superdaemons 
    inetd  [See inetd]
    xinetd  [See xinetd]
superuser  2nd  [See also root]
    assigning privileges via ssh without disclosing root password 
    finding all accounts on system 
    ksu (Kerberized su) 
    processes owned by others, examining 
SuSE Linux
    firewall rules, building 
    Heimdal Kerberos 
    inetd superdaemon 
    loading firewall rules at boot time 
    process accounting RPM 
    script allowing users to start/stop daemons 
    Snort, starting automatically at boot 
    SSL certificates  2nd 
    TCP wrappers  2nd 
switched networks
    packet sniffers and 
    simulated attacks with dsniff 
symbolic links
    for encrypted files on separate system 
    inability to verify with manual integrity check 
    permission bits, ignoring 
    scp command and 
symmetric encryption 
    file encryption with gpg -c 
    files encrypted with GnuPG, decrypting 
    problems with 
    single encrypted file containing all files in directory 
SYN_RECV state, large numbers of network connections in 
synchronizing files on two machines (rsync) 
    integrity checking with 
Sys::Lastlog and Sys::Utmp modules (Perl) 
Sys::Syslog module 
syslog function 
    using in C program 
syslog-ng ("new generation") 
syslog.conf file
    directing messages to different log files by facility and priority 
    remote logging, configuring  2nd 
    RPM-installed, verifying with Tripwire 
    setting up for local logging 
    signaling system logger about changes in 
    tracing configuration errors in 
syslogd
    -r flag to receive remote messages 
    signaling to pick up changes in syslog.conf 
system accounts, login activity on  2nd 
system calls, tracing on network 
system logger
    combining log files 
    debugging SSL connections 
    directing system messages to log files 
    log files created by, permissions and 
    logging messages remotely 
    programs not using 
    scanning log files for problem reports 
    sending messages to 
    signaling changes in syslog.conf 
    standard API, functions provided by 
    testing and monitoring 
    writing system log entries
        in C  2nd 
        in Perl 
        in shell scripts 
    xinetd, logging to 
system-wide authentication (Kerberos with PAM) 
system_auth (/etc/pam.d startup file)
    forbidding local password validation 
    Kerberos in 
systems
    authentication methods and policies (authconfig) 
    security tests on  [See monitoring systems for suspicious activity]



Linux Security Cookbook
ISBN: 0596003919
EAN: 2147483647
Year: 2006
Pages: 247
