diff options
author | dannyboy <dannyboy@FreeBSD.org> | 2004-05-18 17:50:08 +0000 |
---|---|---|
committer | dannyboy <dannyboy@FreeBSD.org> | 2004-05-18 17:50:08 +0000 |
commit | 569bfe2ef081e9c509b0d6ec3c530ac17fede525 (patch) | |
tree | dd4073eb627a3b1db6ae1b5c3cd32dfadda0bb5f /share | |
parent | 014551a39fadb5a57908960ce0a0c8b9dc2deec6 (diff) | |
download | FreeBSD-src-569bfe2ef081e9c509b0d6ec3c530ac17fede525.zip FreeBSD-src-569bfe2ef081e9c509b0d6ec3c530ac17fede525.tar.gz |
Effect the correct use of "affect".
Use em dashes instead of " - ".
Use .Em instead of *emphasis*.
Note that securing root indirectly (by securing staff accounts) works
only if direct root access has been limited. [1]
s/hacker/attacker, as done in the handbook. (inspired by [1])
PR: 52878 [1]
Submitted by: Brian Minard <bminard@flatfoot.ca> [1]
Diffstat (limited to 'share')
-rw-r--r-- | share/man/man7/security.7 | 55 |
1 files changed, 29 insertions, 26 deletions
diff --git a/share/man/man7/security.7 b/share/man/man7/security.7 index 3c1ad0e..cb21256 100644 --- a/share/man/man7/security.7 +++ b/share/man/man7/security.7 @@ -24,7 +24,7 @@ with the human necessity for convenience. .Ux systems, in general, are capable of running a huge number of simultaneous processes -and many of these processes operate as servers - meaning that external entities +and many of these processes operate as servers \(em meaning that external entities can connect and talk to them. As yesterday's mini-computers and mainframes become today's desktops, and as computers become networked and internetworked, security becomes an ever bigger issue. @@ -40,9 +40,9 @@ flags (see .Xr chflags 1 ) on every system binary because while this may temporarily protect the -binaries, it prevents a hacker who has broken in from making an +binaries, it prevents an attacker who has broken in from making an easily detectable change that may result in your security mechanisms not -detecting the hacker at all. +detecting the attacker at all. .Pp System security also pertains to dealing with various forms of attack, including attacks that attempt to crash or otherwise make a system unusable @@ -103,10 +103,10 @@ program that allows the attacker to break root once he has broken into a user's account. If an attacker has found a way to break root on a machine, the attacker may not have a need to install a backdoor. Many of the root holes found and closed to date involve a considerable amount -of work by the hacker to cleanup after himself, so most hackers do install -backdoors. This gives you a convenient way to detect the hacker. Making -it impossible for a hacker to install a backdoor may actually be detrimental -to your security because it will not close off the hole the hacker found to +of work by the attacker to cleanup after himself, so most attackers do install +backdoors. This gives you a convenient way to detect the attacker. Making +it impossible for an attacker to install a backdoor may actually be detrimental +to your security because it will not close off the hole the attacker found to break in the first place. .Pp Security remedies should always be implemented with a multi-layered @@ -116,7 +116,7 @@ approach and can be categorized as follows: .It Securing root and staff accounts .It -Securing root - root-run servers and suid/sgid binaries +Securing root \(em root-run servers and suid/sgid binaries .It Securing user accounts .It @@ -145,7 +145,7 @@ in the file so that direct root logins via telnet or rlogin are disallowed. If using other login services such as sshd, make sure that direct root logins are -disabled there as well. Consider every access method - services such as +disabled there as well. Consider every access method \(em services such as ftp often fall through the cracks. Direct root logins should only be allowed via the system console. .Pp @@ -180,8 +180,9 @@ option. An indirect way to secure the root account is to secure your staff accounts by using an alternative login access method and *'ing out the crypted password for the staff accounts. This way an intruder may be able to steal the password -file but will not be able to break into any staff accounts (or, indirectly, -root, even if root has a crypted password associated with it). Staff members +file but will not be able to break into any staff accounts or root, even if +root has a crypted password associated with it (assuming, of course, that +you've limited root access to the console). Staff members get into their staff accounts through a secure login mechanism such as .Xr kerberos 1 or @@ -218,7 +219,7 @@ servers. .Pp Using something like kerberos also gives you the ability to disable or change the password for a staff account in one place and have it immediately -effect all the machines the staff member may have an account on. If a staff +affect all the machines the staff member may have an account on. If a staff member's account gets compromised, the ability to instantly change his password on all machines should not be underrated. With discrete passwords, changing a password on N machines can be a mess. You can also impose @@ -226,7 +227,7 @@ re-passwording restrictions with kerberos: not only can a kerberos ticket be made to timeout after a while, but the kerberos system can require that the user choose a new password after a certain period of time (say, once a month). -.Sh SECURING ROOT - ROOT-RUN SERVERS AND SUID/SGID BINARIES +.Sh SECURING ROOT \(em ROOT-RUN SERVERS AND SUID/SGID BINARIES The prudent sysadmin only runs the servers he needs to, no more, no less. Be aware that third party servers are often the most bug-prone. For example, running an old version of imapd or popper is like giving a universal root @@ -352,7 +353,7 @@ will be enforced. You must also ensure that the .Sq schg flag is set on critical startup binaries, directories, and -script files - everything that gets run up to the point where the securelevel +script files \(em everything that gets run up to the point where the securelevel is set. This might be overdoing it, and upgrading the system is much more difficult when you operate at a higher secure level. You may compromise and run the system at a higher secure level but not set the schg flag for every @@ -366,7 +367,7 @@ configuration and control files so much before the convenience factor rears its ugly head. For example, using chflags to set the schg bit on most of the files in / and /usr is probably counterproductive because while it may protect the files, it also closes a detection window. The -last layer of your security onion is perhaps the most important - detection. +last layer of your security onion is perhaps the most important \(em detection. The rest of your security is pretty much useless (or, worse, presents you with a false sense of safety) if you cannot detect potential incursions. Half the job of the onion is to slow down the attacker rather than stop him @@ -378,13 +379,13 @@ unexpected files. The best way to look for modified files is from another (often centralized) limited-access system. Writing your security scripts on the extra-secure limited-access system -makes them mostly invisible to potential hackers, and this is important. +makes them mostly invisible to potential attackers, and this is important. In order to take maximum advantage you generally have to give the limited-access box significant access to the other machines in the business, usually either by doing a read-only NFS export of the other machines to the limited-access box, or by setting up ssh keypairs to allow the limit-access box to ssh to the other machines. Except for its network traffic, NFS is -the least visible method - allowing you to monitor the file systems on each +the least visible method \(em allowing you to monitor the file systems on each client box virtually undetected. If your limited-access server is connected to the client boxes through a switch, the NFS method is often the better choice. If your limited-access server @@ -453,7 +454,7 @@ actually broken into a system, assuming the file is still intact after the break-in occurs. .Pp Finally, security scripts should process the log files and the logs themselves -should be generated in as secure a manner as possible - remote syslog can be +should be generated in as secure a manner as possible \(em remote syslog can be very useful. An intruder tries to cover his tracks, and log files are critical to the sysadmin trying to track down the time and method of the initial break-in. One way to keep a permanent record of the log files is to run @@ -461,12 +462,12 @@ the system console to a serial port and collect the information on a continuing basis through a secure machine monitoring the consoles. .Sh PARANOIA A little paranoia never hurts. As a rule, a sysadmin can add any number -of security features as long as they do not effect convenience, and -can add security features that do effect convenience with some added +of security features as long as they do not affect convenience, and +can add security features that do affect convenience with some added thought. Even more importantly, a security administrator should mix it up -a bit - if you use recommendations such as those given by this manual +a bit \(em if you use recommendations such as those given by this manual page verbatim, you give away your methodologies to the prospective -hacker who also has access to this manual page. +attacker who also has access to this manual page. .Sh SPECIAL SECTION ON D.O.S. ATTACKS This section covers Denial of Service attacks. A DOS attack is typically a packet attack. While there isn't much you can do about modern spoofed @@ -541,7 +542,9 @@ saturation attacks from outside your LAN, not so much to protect internal services from network-based root compromise. Always configure an exclusive firewall, i.e.\& .So -firewall everything *except* ports A, B, C, D, and M-Z +firewall everything +.Em except +ports A, B, C, D, and M-Z .Sc . This way you can firewall off all of your low ports except for certain specific @@ -550,7 +553,7 @@ services such as named ntalkd, sendmail, and other internet-accessible services. If you try to configure the firewall the other -way - as an inclusive or permissive firewall, there is a good chance that you +way \(em as an inclusive or permissive firewall, there is a good chance that you will forget to .Sq close a couple of services or that you will add a new internal @@ -569,7 +572,7 @@ block everything under 4000 off in my firewall (except for certain specific internet-accessible ports, of course). .Pp -Another common DOS attack is called a springboard attack - to attack a server +Another common DOS attack is called a springboard attack \(em to attack a server in a manner that causes the server to generate responses which then overload the server, the local network, or some other machine. The most common attack of this nature is the ICMP PING BROADCAST attack. The attacker spoofs ping @@ -633,7 +636,7 @@ What this means is that if you have a secure workstation holding keys that give you access to the rest of the system, and you ssh to an unsecure machine, your keys become exposed. The actual keys themselves are not exposed, but ssh installs a forwarding port for the duration of your -login and if a hacker has broken root on the unsecure machine he can utilize +login and if an attacker has broken root on the unsecure machine he can utilize that port to use your keys to gain access to any other machine that your keys unlock. .Pp |