The whole area of security is a huge subject. Entire books are dedicated to security alone. Security is usually broken down into two categories: network security and host-based security. This section focuses on host-based (or system) security, so that you can monitor and detect activities that could compromise system, application, or data availability. Host-based security intrusions usually are the most problematic. As a system administrator, you should monitor the system for activities that would prevent the system from doing what it is intended to do.
Security Overview
The level of security needed for your system depends on what you are trying to protect. Both the US government and European Information Technology Security Evaluation Criteria (ITSEC) have defined sets of security levels. The most common level is C2, which is the de facto standard for secure UNIX systems. Level B1 security, which is more secure than C2, is often required in government, military, and commercial applications. HP-UX, for example, operates in two modes of security: standard mode, which has no security, and trusted mode, which is C2-level compliant. Each level of security has different requirements. Regardless of the level of security you are trying to provide in your environment, several categories for system security apply to all levels. The requirements in each category are more restrictive as you increase the security level. These categories are authentication, authorization, access control, data security, and physical security. Before describing each of these categories, you need to know that implementing a host-based security plan will include defining policies for preventing intrusions and for monitoring to detect intrusions. Password policies are an example of the many policies that should be defined and enforced to try to prevent intrusions. When monitoring to detect intrusions, detection systems need to be told what to monitor.
After you implement intrusion-prevention policies, you need to put security monitoring and intrusion-detection monitors in place. You want these monitors to tell you when an intrusion was attempted, is occurring, or has occurred. The following are the system security categories that apply to all security levels, along with a description of what can be done to prevent and detect intrusions:
Security Monitoring Tools
Auditing is a way to log security-related events on a per-user basis. It can be set up to monitor system calls, specific users, password policies, logins, superuser logins, failed login attempts, and so forth. Because auditing incurs lots of system overhead, you should try to limit it to the most critical security-related events. On HP-UX, auditing is available only in trusted mode. Auditing can be enabled on HP-UX using SAM. Although the system itself provides the library routines for auditing, data reduction and analysis tools are useful for extracting relevant information from audit logs. Some of the common tools for looking at audit logs are:
MEMCO Software provides SeOS Access Control, which provides more granular root capabilities. Narrow capabilities can be granted to users to perform specific tasks. This means that you don't need to grant a user full root capabilities, which can be dangerous, just to perform system backups, for example. You can make some simple checks to help protect your system. Check the /etc/hosts.equiv and /.rhosts files to ensure that the remote host systems listed are authorized to access the system. Also, the optional file /var/adm/inetd.sec can be used to explicitly deny or allow access to specific network services, so you should verify that this file is configured correctly.
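The hosts.equiv, .rhosts and inetd.sec review described above, written as a shell script; this is an added example, not code from the original text. It assumes the HP-UX inetd.sec line format "service allow|deny host_list" and runs against constructed sample files rather than the live system files.

```shell
#!/bin/sh
# Added example, not from the original text: the two file checks the section recommends,
# scripted. Sample files are constructed below so it runs anywhere; on an HP-UX host
# point the functions at /etc/hosts.equiv, /.rhosts and /var/adm/inetd.sec instead.

# check_trust_file FILE
# Lists each host the file trusts, flags '+' wildcards (trust every host or user)
# and group/other-writable files. Returns the number of risky findings.
check_trust_file() {
    file=$1; risky=0
    [ -f "$file" ] || return 0                  # absent file grants no remote trust
    case "$(ls -ld "$file" | cut -c6,9)" in     # the group and other 'w' bits
        *w*) echo "$file: writable by group or other"; risky=$((risky + 1)) ;;
    esac
    while read -r host user; do
        case "$host" in ''|'#'*) continue ;; esac   # blank lines and comments
        if [ "$host" = "+" ] || [ "$user" = "+" ]; then
            echo "$file: WILDCARD trust entry: $host $user"; risky=$((risky + 1))
        else
            echo "$file: trusts $host ${user:+(user $user) }- confirm it is authorized"
        fi
    done < "$file"
    return $risky
}

# inetd_sec_rule SERVICE FILE
# Prints the allow/deny rule inetd.sec applies to SERVICE, or 'none' when the
# service has no entry (inetd then accepts the service from any host).
inetd_sec_rule() {
    awk -v svc="$1" '$1 == svc { $1 = ""; sub(/^ /, ""); print; found = 1 }
                     END { if (!found) print "none" }' "$2"
}

# Constructed sample data standing in for the real files
tmp=$(mktemp -d)
printf 'backup1\n+\n# comment\nnfs2 oper\n' > "$tmp/hosts.equiv"
printf 'login deny 10.3-5.*\nftp allow 10.1.2.* backup1\n' > "$tmp/inetd.sec"
chmod 644 "$tmp/hosts.equiv"

check_trust_file "$tmp/hosts.equiv"; echo "risky findings: $?"
inetd_sec_rule login  "$tmp/inetd.sec"    # deny 10.3-5.*
inetd_sec_rule telnet "$tmp/inetd.sec"    # none
```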