
OReilly mastering FreeBSD and OpenBSD security mar 2005 ISBN 0596006268


Mastering FreeBSD and OpenBSD Security
By Paco Hope, Yanek Korff, Bruce Potter

Publisher: O'Reilly
Pub Date: March 2005
ISBN: 0-596-00626-8
Pages: 464

Table of Contents | Index | Errata

FreeBSD and OpenBSD are increasingly gaining traction in educational institutions, non-profits, and corporations worldwide because they provide significant security advantages over Linux. Although a lot can be said for the robustness, clean organization, and stability of the BSD operating systems, security is one of the main reasons system administrators use these two platforms.

There are plenty of books to help you get a FreeBSD or OpenBSD system off the ground, and all of them touch on security to some extent, usually dedicating a chapter to the subject. But, as security is commonly named as the key concern for today's system administrators, a single chapter on the subject can't provide the depth of information you need to keep your systems secure.

FreeBSD and OpenBSD are rife with security "building blocks" that you can put to use, and Mastering FreeBSD and OpenBSD Security shows you how. Both operating systems have kernel options and filesystem features that go well beyond traditional Unix permissions and controls. This power and flexibility is valuable, but the colossal range of possibilities needs to be tackled one step at a time. This book walks you through the installation of a hardened operating system, the installation and configuration of critical services, and ongoing maintenance of your FreeBSD and OpenBSD systems.

Using an application-specific approach that builds on your existing knowledge, the book provides sound technical information on FreeBSD and OpenBSD security with plenty of real-world examples to help you configure and deploy a secure system. By imparting a solid technical foundation as well as practical know-how, it enables administrators to push their server's security to the next level. Even administrators in other environments--like Linux and Solaris--can find useful paradigms to emulate.

Written by security professionals with two decades of operating system experience, Mastering FreeBSD and OpenBSD Security features broad and deep explanations of how to secure your most critical systems. Where other books on BSD systems help you achieve functionality, this book will help you more thoroughly secure your deployments.



Table of Contents

Copyright
Preface
    Audience
    Assumptions This Book Makes
    Contents of This Book
    Conventions Used in This Book
    Using Code Examples
    Comments and Questions
    Safari Enabled
    Acknowledgments
Part I: Security Foundation
    Chapter 1. The Big Picture
        Section 1.1. What Is System Security?
        Section 1.2. Identifying Risks
        Section 1.3. Responding to Risk
        Section 1.4. Security Process and Principles
        Section 1.5. System Security Principles
        Section 1.6. Wrapping Up
        Section 1.7. Resources
    Chapter 2. BSD Security Building Blocks
        Section 2.1. Filesystem Protections
        Section 2.2. Tweaking a Running Kernel: sysctl
        Section 2.3. The Basic Sandbox: chroot
        Section 2.4. Jail: Beyond chroot
        Section 2.5. Inherent Protections
        Section 2.6. OS Tuning
        Section 2.7. Wrapping Up
        Section 2.8. Resources
    Chapter 3. Secure Installation and Hardening
        Section 3.1. General Concerns
        Section 3.2. Installing FreeBSD
        Section 3.3. FreeBSD Hardening: Your First Steps
        Section 3.4. Installing OpenBSD
        Section 3.5. OpenBSD Hardening: Your First Steps
        Section 3.6. Post-Upgrade Hardening
        Section 3.7. Wrapping Up
        Section 3.8. Resources
    Chapter 4. Secure Administration Techniques
        Section 4.1. Access Control
        Section 4.2. Security in Everyday Tasks
        Section 4.3. Upgrading
        Section 4.4. Security Vulnerability Response
        Section 4.5. Network Service Security
        Section 4.6. Monitoring System Health
        Section 4.7. Wrapping Up
        Section 4.8. Resources
Part II: Deployment Situations
    Chapter 5. Creating a Secure DNS Server
        Section 5.1. The Criticality of DNS
        Section 5.2. DNS Software
        Section 5.3. Installing BIND
        Section 5.4. Installing djbdns
        Section 5.5. Operating BIND
        Section 5.6. Operating djbdns
        Section 5.7. Wrapping Up
        Section 5.8. Resources
    Chapter 6. Building Secure Mail Servers
        Section 6.1. Mail Server Attacks
        Section 6.2. Mail Architecture
        Section 6.3. Mail and DNS
        Section 6.4. SMTP
        Section 6.5. Mail Server Configurations
        Section 6.6. Sendmail
        Section 6.7. Postfix
        Section 6.8. qmail
        Section 6.9. Mail Access
        Section 6.10. Wrapping Up
        Section 6.11. Resources
    Chapter 7. Building a Secure Web Server
        Section 7.1. Web Server Attacks
        Section 7.2. Web Architecture
        Section 7.3. Apache
        Section 7.4. thttpd
        Section 7.5. Advanced Web Servers with Jails
        Section 7.6. Wrapping Up
        Section 7.7. Resources
    Chapter 8. Firewalls
        Section 8.1. Firewall Architectures
        Section 8.2. Host Lockdown
        Section 8.3. The Options: IPFW Versus PF
        Section 8.4. Basic IPFW Configuration
        Section 8.5. Basic PF Configuration
        Section 8.6. Handling Failure
        Section 8.7. Wrapping Up
        Section 8.8. Resources
    Chapter 9. Intrusion Detection
        Section 9.1. No Magic Bullets
        Section 9.2. IDS Architectures
        Section 9.3. NIDS on BSD
        Section 9.4. Snort
        Section 9.5. ACID
        Section 9.6. HIDS on BSD
        Section 9.7. Wrapping Up
        Section 9.8. Resources
Part III: Auditing and Incident Response
    Chapter 10. Managing the Audit Trails
        Section 10.1. System Logging
        Section 10.2. Logging via syslogd
        Section 10.3. Securing a Loghost
        Section 10.4. Logfile Management
        Section 10.5. Automated Log Monitoring
        Section 10.6. Automated Auditing Scripts
        Section 10.7. Wrapping Up
        Section 10.8. Resources
    Chapter 11. Incident Response and Forensics
        Section 11.1. Incident Response
        Section 11.2. Forensics on BSD
        Section 11.3. Digging Deeper with the Sleuth Kit
        Section 11.4. Wrapping Up
        Section 11.5. Resources
Colophon
Index


Copyright © 2005 O'Reilly Media, Inc. All rights reserved.

Printed in the United States of America.

Published by O'Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.

O'Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (). For more information, contact our corporate/institutional sales department: (800) 998-9938 or

Nutshell Handbook, the Nutshell Handbook logo, and the O'Reilly logo are registered trademarks of O'Reilly Media, Inc. Mastering FreeBSD and OpenBSD Security, the image of the fencers, and related trade dress are trademarks of O'Reilly Media, Inc.

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O'Reilly Media, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps.

While every precaution has been taken in the preparation of this book, the publisher and authors assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.



Preface

    Before I built a wall I'd ask to know
    What I was walling in or walling out,
    And to whom I was like to give offence.
    Something there is that doesn't love a wall,
    That wants it down.
    Robert Frost, "Mending Wall"

FreeBSD and OpenBSD are often considered the "other" free operating systems besides Linux. However, in recent Netcraft surveys, the five most reliable web sites on the planet run FreeBSD. OpenBSD, too, is deployed on thousands of security servers around the world. These two BSD-based operating systems are rapidly gaining traction in educational institutions, non-profits, and corporations worldwide.

Plenty of books exist to help you get a FreeBSD or OpenBSD system off the ground. All of them touch on security, but most only dedicate a chapter to it. In sharp contrast, we think it's worth spending an entire book on the subject. FreeBSD and OpenBSD are rife with security "building blocks" that you can use to really take security and "kick it up a notch."

These operating systems have kernel options and filesystem features that go well beyond traditional Unix permissions and controls. This power and flexibility is valuable, but the colossal range of possibilities will leave you dizzy if you don't take things one step at a time. Mastering FreeBSD and OpenBSD Security complements existing books on FreeBSD and OpenBSD administration. Where others help you achieve functionality, we help you build security-minded deployments. This book walks you through the installation of a hardened operating system, the installation and configuration of critical services, and ongoing maintenance of your FreeBSD and OpenBSD systems.



Audience

This book is written by system administrators for system administrators. If you're looking for a complete idiot or dummy guide, this book is not for you. We're talking to administrators who have installed a Unix-like operating system before. Almost any will do, but this book is all about what sets FreeBSD and OpenBSD apart from other Unices. You'll get the most out of this book if you're comfortable administering BSD operating systems and want to take your experience one step farther.

Administrators at various skill levels and in organizations of any size can benefit from secure BSD systems. Junior administrators who know how to get a Unix system off the ground can use this book to develop a sound foundation in systems security. Experienced administrators, like experienced cooks, will find new recipes that they can add to their existing repertoire. If you're part of (or all of) a small staff that runs only a handful of servers, you'll see how choosing one of the BSDs can let you spend less time on security concerns and more on your other duties. If you're part of a large staff running many servers, you'll see how BSD servers can be solid pillars in your infrastructure. They're easy to deploy and scale, and maintaining them is a breeze. Securing them is easy enough, too, with the help of this book.


Assumptions This Book Makes

We're really focused on improving the skill set of an established system administrator, so we aren't going to explain a lot of basics. We assume you can find your way to a command line and work your way through the filesystem with speed and grace. We expect that you already have a solid understanding of basic Unix permissions, are comfortable installing and configuring hardware and software, and so on.

If at any time you feel you're in over your head, fear not. Both operating systems have strong followings and easy-to-find documentation for all the basics. You can look at FAQs, HOWTOs, and handbooks online, or you can buy one of the many good references in print. The "Resources" section at the end of every chapter always lists good resources that provide additional coverage of relevant topics. In many cases, these additional resources provide the foundation in the technology you need to leverage the recommendations in this book.

The Internet is everywhere, and every administrator needs a basic understanding of local- and wide-area networking. We're not going to tell you what TCP/IP is, how DHCP works, or how to cable up your switches and hubs. We'll explain what you need to know when we get into a security topic that is rooted in the deep, dark corners of a protocol specification or some other relatively obscure topic. Network security and configuration are important, but we assume you've already got that under control.


Contents of This Book

We've tried to break the book up into three sections. We begin by establishing a foundation in FreeBSD and OpenBSD, move on to discuss specific deployment scenarios based on this foundation, and we wrap up with a broader look at these operating systems in your existing network.

Part I: Security Foundation

The goal of Part I is to give you the foundation for building and running secure systems with FreeBSD or OpenBSD.

Chapter 1 is an introduction to system security and general security topics that are relevant to the rest of our discussion. It tells you what you're up against and gives you some ideas about how we'll approach securing systems.

Chapter 2 is all about the fundamental building blocks you get for securing systems based on either OpenBSD or FreeBSD. There are some differences, so we highlight those as we go. We cover filesystem features, kernel features, inherent operating system features, and tweaking your kernel to enhance specific security postures.

Chapter 3 augments what you already know about installation. We explore the security-related options, trade-offs, and configurations you must consider when installing. We walk through installing both FreeBSD and OpenBSD, but dwell mainly on areas where choices at installation time can have important security ramifications.

Chapter 4 is a tour de force of administration concerns. You've got it installed, you're running it day-to-day, so now what? We describe controlling access, installing and upgrading software, network security, backups, and system monitoring.

Part II: Deployment Situations

Every server has a specific purpose in life, and FreeBSD and OpenBSD systems are ideal candidates for handling critical infrastructure services like DNS servers, firewalls, mail gateways, and web servers. Part II covers these deployments and how you can leverage specific BSD features to improve the security posture of the services you provide. We don't tell you everything about deploying the specific service, however; just the extra options and special circumstances where you can take advantage of OpenBSD or FreeBSD. The goal of this section is to offer guidelines for securely deploying the software that will run critical services in your network.

With each of these critical network services, we take time to explain the kinds of risks you face, the sorts of attacks you might need to repel, and why you and your organization care about running the service securely. When we talk about installing and configuring software, though, we refer back to the general techniques and building blocks that we laid out in Part I. You'll want to be at least passingly familiar with the techniques, because we combine them in interesting and sometimes subtle ways.

Chapter 5 describes DNS and how to build a secure DNS server. DNS is critical to every Internet service, and getting it right is fundamentally important, so we cover it first. We talk about both BIND and djbdns and how they can be installed, configured, and operated securely.

Chapter 6 covers mail: arguably the most critical electronic communication you support in your organization. We discuss setting up a secure mail architecture as well as filtering and rejecting unwanted mail. We describe both Sendmail and Postfix and how to securely install, configure, and administer them.

Chapter 7 offers a wealth of information on securing Apache-based web servers. We cover risks and threats, configuration and installation, and managing what options your users can set. We also describe thttpd, a small, fast, no-frills web server that can perform admirably in certain situations. In the end we talk about some interesting combinations of FreeBSD's jails and web servers to isolate and contain lots of web sites in their own sandboxes.

Chapter 8 is about building firewalls. OpenBSD and FreeBSD make excellent choices as firewall platforms. Getting a firewall operational isn't too hard, but making sure that it's appropriately secured needs to be done carefully. In this chapter, we'll talk about ipfw on FreeBSD and pf, now available on both platforms.

Chapter 9 outlines the topic of intrusion detection systems (IDS) on FreeBSD or OpenBSD. We cover the purposes for using IDSes as well as alternative approaches such as log analysis and intrusion prevention. We give you some good guidance on how to build an effective architecture and monitor it for nefarious activity.

Part III: Auditing and Incident Response

Auditing and incident response are topics in system administration theory that are critical but often overlooked. They are not specific services that you run as much as concerns you keep in the back of your mind all the time.

Chapter 10 talks about managing the audit trails. A properly configured system should be warning you about suspicious activity, but how do you manage all the alerts and warnings? We talk about what you want to log, how you can log it securely, and how to manage the logs you generate.

Chapter 11 describes incident response and computer forensics. When the inevitable happens and you have an incident to respond to, how will you do it? We talk about responding to attacks, and tracking down how the attack succeeded, through forensic analysis.


Conventions Used in This Book

We use both typography and common Unix documentation conventions to give you additional information in the text.

Typographic Conventions

Plain text
    Indicates menu titles, menu options, menu buttons, and keyboard accelerators (such as Alt and Ctrl).

Italic
    Indicates new or technical terms, system calls, URLs, hostnames, email addresses, filenames, file extensions, pathnames, and directories.

Constant width
    Indicates commands, options, switches, variables, attributes, keys, functions, types, objects, HTML tags, macros, the contents of files, or the output from commands.

Constant width bold
    Shows commands or other text that should be typed literally by the user.

Constant width italic
    Shows text that should be replaced with user-supplied values.

This icon signifies a tip, suggestion, or general note.

This icon indicates a warning or caution.

There are times when it is very important to pay attention to the typography because it distinguishes between two similarly named, but different concepts. For example, the host command and the /etc/hosts file, or the jail(2) system call versus the jail(8) command. Sometimes the typeface is an important clue to help you remember which one we're referring to in a given context.

Conventions in Examples

You will see two different prompts in the examples we give for running commands. We follow the time-honored Unix convention of using % to represent a non-root shell (e.g., one running as your normal user ID) and # to represent a root-equivalent shell. Commands that appear after a % prompt can (and probably should) be run by an unprivileged user. Commands that appear after a # prompt must be run with root privileges. Example P-1 shows three different commands that illustrate this point.

Example P-1. Several commands with different prompts

    % ls -lo /var/log
    % sudo ifconfig lo0 127.0.0.2 netmask 255.255.255.255
    # shutdown -r now

The ls command runs as a normal user. The ifconfig command runs as root, but only because a normal user uses sudo to elevate his privileges momentarily (sudo is discussed in detail in Chapter 4). The last command shows the # prompt, assuming that you have already become root somehow before executing the shutdown command.


Using Code Examples

This book is here to help you get your job done. In general, you may use the code in this book in your programs and documentation. You do not need to contact us for permission unless you're reproducing a significant portion of the code. For example, writing a program that uses several chunks of code from this book does not require permission. Selling or distributing a CD-ROM of examples from O'Reilly books does require permission. Answering a question by citing this book and quoting example code does not require permission. Incorporating a significant amount of example code from this book into your product's documentation does require permission.

We appreciate, but do not require, attribution. An attribution usually includes the title, author, publisher, and ISBN. For example: Mastering FreeBSD and OpenBSD Security by Yanek Korff, Paco Hope, and Bruce Potter. Copyright 2005 O'Reilly Media, Inc., 0-596-00626-8.

If you feel your use of code examples falls outside fair use or the permissions given above, feel free to contact us at


Comments and Questions

Please address comments and questions concerning this book to the publisher:

    O'Reilly Media, Inc.
    1005 Gravenstein Highway North
    Sebastopol, CA 95472
    (800) 998-9938 (in the United States or Canada)
    (707) 829-0515 (international or local)
    (707) 829-0104 (fax)

We have a web page for this book, where we list errata, examples, and any additional information. You can access this page at:

To comment or ask technical questions about this book, send email to:

For more information about our books, conferences, Resource Centers, and the O'Reilly Network, see our web site at:


Safari Enabled

When you see a Safari® Enabled icon on the cover of your favorite technology book, that means the book is available online through the O'Reilly Network Safari Bookshelf.

Safari offers a solution that's better than e-books. It's a virtual library that lets you easily search thousands of top tech books, cut and paste code samples, download chapters, and find quick answers when you need the most accurate, current information. Try it for free at.


Acknowledgments

Many people helped make this book possible, some of them in big ways and others in critical, yet nearly invisible ways. We'd like to acknowledge them here.

Yanek Korff

First and foremost, I'd like to thank my wife, whose patience continues to surprise me. This book would never have been possible without her help and her support. Also, although she's not old enough to harbor a grudge or appreciate gratefulness, I'd like to thank my one-year-old daughter. She's only ever known a workaholic father and doesn't realize she should be jealous.

An obvious thank you to my parents for putting me on the road to geekdom back in the early 90s, and of course putting me through college. May my educators forgive me for everything I've forgotten.

I'd also like to thank Viren Shah, who introduced me to FreeBSD. I wouldn't be where I am today without the support and mentoring he's provided me over the years.

Finally, thanks to my good friend Matt Rowley, owner of much computer junk. Some of that junk and the advice that came with it were integral to this book's creation.

Paco Hope

I'd like to thank my wife, Rebecca, who administered everything that doesn't run FreeBSD (like children, houses, and pets) while I was building Frankenstein's BSD lab in our basement. I am grateful for my time in the Department of Computer Science at the University of Virginia, where I cut my teeth as a system administrator. I thank the folks at Cigital, Inc. for introducing me to risk-based approaches to software and system security. Lastly, I thank Adrian Filipi, who gave me my first BSD/386 floppies back in 1993.

Bruce Potter

I would like to thank my wife for being incredibly understanding throughout the writing of this book and the million other things I had going on in the last year. She was amazing, even when I was not. I'd like to thank my kids, Terran and Bobby, and "Uncle Andy" for giving me time to write. Also, I would like to thank all the members of The Shmoo Group for helping me become the geek I am today. Without their friendship and expertise, I don't know where my career would be today (full of moose, no doubt). The same goes to my folks who supported me through my fits and starts in college. And finally, a specific thanks to Joel Sadler, who gave me my first FreeBSD disk in 1995 telling me, "Here, try this. It's better than Linux."

Our Reviewers

We appreciate all the feedback we received from our technical reviewers. They definitely kept us on our toes and made this book better by lending their expert advice and opinions. Thanks to Flávio Marcelo Amaral, Ren Bitonio, Mark Delany, Adrian Filipi, Eric Jackson, Jose Nazario, Neil Neely, Wayne Pascoe, Viren Shah, and Shi-Min Yeh.

O'Reilly

Finally, we thank the staff at O'Reilly, especially Tatiana Diaz, Nathan Torkington, Allison Randal, David Chu, Andrew Savikas, and the innumerable others who have made this book a reality without our knowledge of their existence. An extra thank you goes to Tatiana for helping us reboot this effort after it locked up in the middle of 2004.


Part I: Security Foundation

The goal of Part I is to give you the foundation for building and running secure systems with FreeBSD or OpenBSD.

    Chapter 1, The Big Picture
    Chapter 2, BSD Security Building Blocks
    Chapter 3, Secure Installation and Hardening
    Chapter 4, Secure Administration Techniques


Chapter 1. The Big Picture

    First we crack the shell, then we crack the nuts inside.
    Rumble, The Transformers: The Movie

Security is hard. We have all heard this phrase as a rationale for insecure systems and poor administrative practices. What's worse, administrators seem to have different ideas about what "security" entails. There are two common approaches to securing systems: some view security as a destination while others see it as a journey.

Those who see security as a destination tend to characterize system security in terms of black and white; either a system is secure or it is not. This implies that you can attain security. You can arrive at the end of a journey and you'll somehow be secure; you win. One problem with this viewpoint is determining where "there" is. How do you know when you've arrived? Furthermore, how do you stay there? As your system changes, are you still at your secure goal? Did you move away from it, or were you not there to begin with? As you can probably tell, this is not our philosophy.

Instead of being a destination, we think security is best described as a journey: a product of ongoing risk management. Rather than trying to make your system impregnable, you continually evaluate your exposure to risks and keep the system as secure as you need it to be. An appropriate level of security is achieved when the risks facing a system balance against the level of effort spent mitigating those risks. No one buys a $5,000 vault to safeguard a pair of fuzzy slippers. You judge the value of what you're protecting against the kinds of threats it faces and the likelihood those threats will succeed, and then you apply appropriate safeguards. This is a much more practical way to view modern day information security.

When following a risk mitigation process, you will periodically pass up the opportunity to enable certain security mechanisms, even though you're capable of doing so. The additional effort may not be warranted given the level of risk your organization faces. You will eventually reach a point of diminishing returns where you simply accept some risks because they are too costly to mitigate relative to the likelihood of the threat or the actual damage that would occur. Sure, it may be fun to use encrypted filesystems, store all OS data on a CD-ROM, and deploy every other countermeasure you can think of, but do you really need to?

We define security in the context of risk. Risk is present as long as the system exists, and risks are constantly changing, so security cannot be a destination; it must be an ongoing process. "Doing security," then, is an iterative process of identifying and responding to risks. This is the philosophy that we encourage you to take in securing your infrastructure.

As you'll see in the rest of this book, FreeBSD and OpenBSD are robust operating systems that offer myriad ways to maintain secure systems. Throughout the book we provide security-minded walkthroughs of software installation, configuration, and maintenance. Along the way you'll notice that we seem to point out more security-related configuration options than you care to implement. Just because we explore options doesn't mean that you should implement them. Come at it from the perspective of managing risk and you'll maximize the cost-benefit of "doing security."

Before we get ahead of ourselves, however, we need to cover a few concepts and principles. In this chapter, we define system security, specifically for OpenBSD and FreeBSD systems, but also more generally. We look at a variety of attacks so that you, as an administrator, will have some perspective on what you're trying to defend against. We'll look at risk response and describe how exactly you can go about securing your FreeBSD and OpenBSD systems.



1.1. What Is System Security?

Security professionals break the term security into three parts: confidentiality, integrity, and availability. This "CIA Triad" is a set of security requirements; if you're not taking into account all three of these concerns, you're not working towards providing security. We offer a lot of recommendations in this book that should help you work towards building secure systems, but we don't tell you how these recommendations fit in with the CIA Triad. That's not what this book is about, and it would detract from the real message. Nevertheless, as you're looking at building encrypted tunnels for transferring files, jailing applications, and so on, think about what part of the Triad you're focusing on. Make sure you've addressed all three parts before your project is done.

Whether we're talking about physical security, information security, network security, or system security, the CIA Triad applies. The question is, exactly how does it apply to system security?

1.1.1. Confidentiality

Confidentiality is all about determining the appropriate level of access to information. Confidentiality is often implemented at the most basic level on FreeBSD and OpenBSD systems by traditional Unix permissions. There are a variety of files scattered across the filesystem that are readable only by the root user. Most notable, perhaps, is /etc/master.passwd, which contains hashes for users' passwords. The vast majority of files are readable by everyone, however. Even system configuration files like /etc/resolv.conf, /etc/hosts, and so on are world readable. Is this wrong? Not necessarily. Again, confidentiality isn't about having to protect data from prying eyes; it's about classifying data and making sure that information deemed sensitive in some way is protected appropriately.

Filesystem level protections are of course only one facet of confidentiality. Data may be exposed through some service designed to serve information like DNS, or a web server. In these cases, the method you employ to protect data won't necessarily be filesystem permissions; perhaps you'll control what systems are allowed to query your DNS server, or which web-authenticated users are permitted to view a certain document tree. When you need to protect data from eavesdropping as it moves across a network, you'll probably use encryption. When implemented appropriately, it helps ensure that only the intended recipient can read the transmitted data.

1.1.2. Integrity

Data integrity relates to trust. If you cannot guarantee the integrity of some information on your system, you can't trust it. Consequently, resources for which integrity is an important issue need to be identified and appropriately protected against modification.

Confidentiality may not have been an issue for your /etc/resolv.conf file. Allowing users to see what resolvers your system depends on is okay. Allowing users to modify the list of resolvers is not! Your system's resolvers are a data source. When you access a server providing anonymous CVS access to your OpenBSD sources, your system will ask one of the servers listed in /etc/resolv.conf to find the IP address for the name you provided. If you can't guarantee the integrity of the data in this file, you can't trust the IP address you get from the resolver. As a consequence, you can't trust the sources you download either.

Like confidentiality, the filesystem permissions model helps enforce data integrity. Unfortunately file permissions aren't enough by themselves. If someone has broken through your filesystem protections somehow, you won't know that your data has been tampered with. That is, not without good auditing. Moreover, you won't be able to restore a known good configuration without data backups.

Data integrity is also an issue during network transfers. How can you be sure that the information has not been modified in transit? The BSD operating systems will provide "signatures," which uniquely identify file distributions. When you download a package or source tarball or install a port, you can check your local files against the remote signatures. If it's a match, your file has not been modified while in transit.
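The two integrity problems raised above, a configuration file such as /etc/resolv.conf changed behind your back and a downloaded distribution file altered in transit, come down to the same check: compare a digest of what you have against a digest recorded somewhere you trust. The script below is an added example written for this page, not code from the book or from either BSD project. It assumes the recorded digests are SHA-256 values in the FreeBSD ports distinfo form ("SHA256 (name) = hex"); the files, manifest and digest values it works on are constructed inline, so nothing on a real system is read or written.

```sh
#!/bin/sh
# Added example, not from the book: checking file integrity with SHA-256
# digests. verify_distinfo() checks a downloaded distribution file against a
# FreeBSD ports-style distinfo manifest ("SHA256 (name) = hex"); baseline_save()
# and baseline_check() keep a digest baseline of local configuration files such
# as /etc/resolv.conf so that tampering shows up even when permissions failed.

# Print the SHA-256 hex digest of a file using whichever tool the host has
# (BSD sha256, GNU sha256sum, or Perl shasum).
digest() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_distinfo MANIFEST FILE
# Returns 0 when the digest recorded for FILE's basename matches the file,
# 1 on a mismatch, and 2 when the manifest has no entry for the file (an
# unlisted file must never be treated as verified).
verify_distinfo() {
    manifest=$1
    file=$2
    name=$(basename "$file")
    expected=$(awk -v n="$name" '$1 == "SHA256" && $2 == "(" n ")" { print $4 }' "$manifest")
    [ -n "$expected" ] || return 2
    [ "$(digest "$file")" = "$expected" ]
}

# baseline_save BASELINE FILE...
# Records one "hex  path" line per file. Keep BASELINE somewhere an intruder
# cannot rewrite it (read-only media or a separate loghost), or it proves nothing.
baseline_save() {
    out=$1
    shift
    : > "$out"
    for f in "$@"; do
        printf '%s  %s\n' "$(digest "$f")" "$f" >> "$out"
    done
}

# baseline_check BASELINE
# Prints each file whose current digest differs from the recorded one and
# returns 1 if anything changed, 0 if every file still matches.
baseline_check() {
    changed=0
    while read -r hex path; do
        if [ "$(digest "$path")" != "$hex" ]; then
            echo "CHANGED: $path"
            changed=1
        fi
    done < "$1"
    return $changed
}

# Demonstration on constructed files in a temporary directory (no real
# system files are touched). Remove this section to use the functions as a library.
demo() {
    d=$(mktemp -d) || return 1
    printf 'hello\n' > "$d/hello.txt"
    # Constructed manifest: the digest below is SHA-256 of the six bytes "hello\n".
    printf 'SHA256 (hello.txt) = 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03\n' > "$d/distinfo"
    verify_distinfo "$d/distinfo" "$d/hello.txt" && echo "hello.txt: OK"
    printf 'nameserver 192.0.2.1\n' > "$d/resolv.conf"
    baseline_save "$d/baseline" "$d/resolv.conf"
    printf 'nameserver 198.51.100.9\n' > "$d/resolv.conf"   # simulated tampering
    baseline_check "$d/baseline" || echo "baseline: tampering detected"
    rm -rf "$d"
}
demo
```

A digest match only tells you the file equals what the manifest recorded, so the manifest (the ports tree's distinfo, or your own baseline) has to reach you through a channel you already trust, and a baseline that lives on the same writable disk as the files it describes can be rewritten by whoever rewrote the files. The same logic, with the baseline kept off-host, is what the automated auditing scripts in Chapter 10 are built around.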

1.1.3. Availability

