Configuring TCP wrappers (tcpd) using /etc/hosts.allow and /etc/hosts.deny can enhance security for daemons controlled by inetd.
tcpd is often configured to deny access to all systems for all services (a blanket deny), then specific systems are specified for legitimate access to services (limited allow).
tcpd logs using syslog, commonly to /var/log/secure.
24.9.1.2 Finding executable SUID files
find can perform searches for file attributes such as SUID using the -perm option.
24.9.1.3 Verifying packages
RPM packages are verified using the Verify mode, enabled using the -V (capital) option.
The output for each package contains a string of eight characters that are set to dots when the attribute has not changed. The columns represent each of eight different attributes: MD5 checksum, file size, symlink attributes, the file's mtime, device file change, user/owner change, group change, and mode change.
24.9.1.4 SGID workgroups
The SGID bit can be applied to directories to enforce a policy whereby new files created within the directory are assigned the same group ownership as the directory itself.
24.9.1.5 The Secure Shell
The Secure Shell, or SSH, can be used as an alternative to Telnet for secure communications.
SSH can also protect FTP and other data streams, including X sessions.
The Secure Shell daemon is sshd.
24.9.2 Objective 2: Set Up Host Security
24.9.2.1 Shadow passwords
Enabling the use of shadow passwords can enhance local security by making encrypted passwords harder to steal.
The use of shadow passwords causes the removal of password information from the publicly readable passwd file and places it in shadow, readable only by root.
A similar system is implemented for shadow groups, using the gshadow file.
24.9.3 Objective 3: Set Up User-Level Security
Limits can be placed on users by using the ulimit command in the bash shell. This command allows enforcement of limitations on soft and hard limits on processes and memory usage.
