I can't sleep ... improve documentation by adding three new sections:

Add a section on portaudit[1],
Add a section on file flags[2],
Add a section on process accounting[3].

Inspired by:	murray[1], josef[2], remko[3]
Tom Rhodes 2005-03-01 12:00:36 +00:00
parent 36a34adf34
commit 07a6ff28c5
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=23959
2 changed files with 221 additions and 3 deletions
en_US.ISO8859-1/books/handbook

View file

@ -36,7 +36,8 @@
FreeBSD.</para>
</listitem>
<listitem>
<para>How &unix; file permissions work.</para>
<para>How &unix; file permissions work along with
understanding file flags in &os;.</para>
</listitem>
<listitem>
<para>The default &os; file system layout.</para>
@ -569,6 +570,60 @@ total 530
a file; it does not add or delete them.</para>
-->
</sect2>
<sect2>
<sect2info>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Rhodes</surname>
<contrib>Contributed by </contrib>
</author>
</authorgroup>
</sect2info>
<title>&os; File Flags</title>
<para>In addition to file permissions discussed previously, &os;
supports the use of <quote>file flags.</quote> These flags
add an additional level of security and control over files, but
not directories.</para>
<para>These file flags add an additional level of control over
files, helping to ensure that in some cases not even the
<username>root</username> can remove or files.</para>
<para>File flags are altered by using the &man.chflags.1; utility,
using a simple interface. For example, to enable the system
undeletable flag on the file <filename>file1</filename>,
issue the following command:</para>
<screen>&prompt.root; <userinput>chflags sunlink
<filename>file1</filename></userinput></screen>
<para>And to disable the system undeletable flag, simply
issue the previous command with <quote>no</quote> in
front of the <option>sunlink</option>. Observe:</para>
<screen>&prompt.root; <userinput>chflags nosunlink
<filename>file1</filename></userinput></screen>
<para>To view the flags of this file, use the &man.ls.1;
with the <option>-lo</option> flags:</para>
<screen>&prompt.root; <userinput>ls -lo <filename>file1</filename>
</userinput></screen>
<para>The output should look like the following:</para>
<programlisting>-rw-r--r-- 1 trhodes trhodes sunlnk 0 Mar 1 05:54 file1</programlisting>
<para>Several flags may only added or removed to files by the
<username>root</username> user. In other cases, the file owner
may set these flags. It is recommended an administrator read
over the &man.chflags.1; and &man.chflags.2; manual pages for
more information.</para>
</sect2>
</sect1>
<sect1 id="dirstructure">
@ -2512,4 +2567,3 @@ Swap: 256M Total, 38M Used, 217M Free, 15% Inuse
sgml-parent-document: ("../book.sgml" "part" "chapter")
End:
-->

View file

@ -79,11 +79,21 @@
<para>What file system <acronym>ACL</acronym>s are and how to use them.</para>
</listitem>
<listitem>
<para>How to use the <application>Portaudit</application>
utility to audit third party software packages installed
from the Ports Collection.</para>
</listitem>
<listitem>
<para>How to utilize the &os; security advisories
publications.</para>
</listitem>
<listitem>
<para>Have an idea of what Process Accounting is and how to
enable it on &os;.</para>
</listitem>
</itemizedlist>
<para>Before reading this chapter, you should:</para>
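Review bot: the new synopsis item "Have an idea of what Process Accounting is and how to enable it on &os;." breaks the parallel "How to ..." form of the surrounding list items; rephrase it as "What Process Accounting is and how to enable it on &os;." so the list reads uniformly.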
@ -4680,6 +4690,93 @@ drwxr-xr-x 2 robert robert 512 Nov 10 11:54 public_html</programlisting>
</sect2>
</sect1>
<sect1 id="security-portaudit">
<sect1info>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Rhodes</surname>
<contrib>Contributed by </contrib>
</author>
</authorgroup>
</sect1info>
<indexterm>
<primary>Portaudit</primary>
</indexterm>
<title>Monitoring Third Party Security Issues</title>
<para>In recent years, the security world has made many improvements
to how vulnerability assessment is handled. The threat of system
intrusion increases as third party utilities are installed and
configured for virtually any operating system available
today.</para>
<para>Vulnerability assessment is a key factor in security, and
while &os; releases advisories for the base system, doing so
for every third party utility is beyond the &os; Project's
capability. There is a way to mitigate third party
vulnerabilities and warn administrators of known security
issues. A &os; add on utility known as
<application>Portaudit</application> exists solely for this
purpose.</para>
<para>The <filename role="port">security/portaudit</filename> port
polls a database, updated and maintained by the &os; Security
Team and ports developers, for known security issues.</para>
<para>To begin using <application>Portaudit</application>, one
must install it from the Ports Collection:</para>
<screen>&prompt.root; <userinput>cd /usr/ports/security/portaudit &&
make install clean</userinput></screen>
<para>During the install process, the configuration files for
&man.periodic.8; will be updated, permitting
<application>Portaudit</application> output in the daily security
runs. No more configuration will be required here.</para>
<para>After installation, an administrator must update the database
stored locally in
<filename role="directory">/var/db/portaudit</filename> by
invoking the following command:</para>
<screen>&prompt.root; <userinput>portaudit -F</userinput></screen>
<note>
<para>The database will automatically be updated during the
&man.periodic.8; run; thus, the previous command is completely
optional. It is only required for the following
examples.</para>
</note>
<para>To audit the third party utilities installed as part of
the Ports Collection, an administrator need only run the
following command:</para>
<screen>&prompt.root; <userinput>portaudit -a</userinput></screen>
<para>An example of output is provided:</para>
<programlisting>Affected package: cups-base-1.1.22.0_1
Type of problem: cups-base -- HPGL buffer overflow vulnerability.
Reference: &lt;http://www.FreeBSD.org/ports/portaudit/40a3bca2-6809-11d9-a9e7-0001020eed82.html&gt;
1 problem(s) in your installed packages found.
You are advised to update or deinstall the affected package(s) immediately.</programlisting>
<para>By pointing a web browser to the <acronym>URL</acronym> shown,
an administrator may obtain more information about the
vulnerability in question. This will include versions affected,
by &os; Port version, along with other web sites which may contain
security advisories.</para>
<para>In short, <application>Portaudit</application> is a power
utility and extremely useful when coupled with the
<application>Portupgrade</application> port.</para>
</sect1>
<sect1 id="security-advisories">
<sect1info>
<authorgroup>
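Review bot: the unescaped `&&` in `<userinput>cd /usr/ports/security/portaudit && make install clean</userinput>` is a markup risk in SGML, where & opens an entity reference; this same hunk escapes the angle brackets on the Reference URL line as &lt; and &gt;, so write &amp;&amp; here for consistency and so the build cannot mis-parse it. Two smaller points: "is a power utility" should be "is a powerful utility", and the note "the previous command is completely optional. It is only required for the following examples." reads as self-contradictory; say instead that the database must have been fetched once, either by portaudit -F or by the next &man.periodic.8; run, before portaudit -a can report anything.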
@ -4875,6 +4972,74 @@ VII. References<co id="co-ref"></programlisting>
</calloutlist>
</sect2>
</sect1>
<sect1 id="security-accounting">
<sect1info>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Rhodes</surname>
<contrib>Contributed by </contrib>
</author>
</authorgroup>
</sect1info>
<indexterm>
<primary>Process Accounting</primary>
</indexterm>
<title>Process Accounting</title>
<para>Process accounting is a security method in which an
administrator may keep track of system resources used,
their allocation among users, provide for system monitoring,
and minimally track a user's commands.</para>
<para>This indeed has its own positive and negative points. One of
the positives is that an intrusion may be narrowed down
to the point of entry. A negative is the amount of logs
generated by process accounting, and the disk space they may
require. This section will walk an administrator through
the basics of process accounting.</para>
<sect2>
<title>Enable and Utilizing Process Accounting</title>
<para>Before making use of process accounting, an administrator
must be enabled. To do this, execute the following
commands:</para>
<screen>&prompt.root; <userinput>touch
<filename>/var/account/acct</filename></userinput></screen>
<screen>&prompt.root; <userinput>accton
<filename>/var/account/acct</filename></userinput></screen>
<screen>&prompt.root; <userinput>echo 'accounting_enable="YES"'
&gt;&gt; <filename>/etc/rc.conf</filename></userinput></screen>
<para>Once enabled, accounting will begin to track
<acronym>CPU</acronym> stats, commands, etc. All accounting
logs are in a non-human readable format and may be viewed
using the &man.sa.8; utility. If issued without any options,
<command>sa</command> will print information relating to the
number of per user calls, the total elapsed time in minutes,
total <acronym>CPU</acronym> and user time in minutes, average
number of I/O operations, etc.</para>
<para>To view information about commands being issued, one
would use the &man.lastcomm.1; utility. The
<command>lastcomm</command> may be used to print out commands
issued by users on specific &man.ttys.5;, for example:</para>
<screen>&prompt.root; <userinput>lastcomm ls
<username>trhodes</username> ttyp1</userinput></screen>
<para>Would print out all known usage of the <command>ls</command>
by <username>trhodes</username> on the ttyp1 terminal.</para>
<para>Many other useful options exist and are explained in the
&man.lastcomm.1;, &man.acct.5; and &man.sa.8; manual
pages.</para>
</sect2>
</sect1>
</chapter>
<!--
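Review bot: in the new Process Accounting sect2, "an administrator must be enabled" should be "it must be enabled", and the title "Enable and Utilizing Process Accounting" should be "Enabling and Utilizing Process Accounting". More substantively, the claim that "an intrusion may be narrowed down to the point of entry" needs a caveat so readers do not over-rely on it: an accounting record is written only when a process exits, it contains the command name but not the arguments, and the records are gone if the intruder truncates or removes the accounting file; the section should say what is and is not captured. Also, "non-human readable format" is better as "binary format", and the fragment "Would print out all known usage of the <command>ls</command> by <username>trhodes</username> on the ttyp1 terminal." after the screen should be joined to the sentence introducing the example. The `lastcomm ls trhodes ttyp1` invocation itself is fine, but a sentence noting that the positional arguments are matched against command name, user and terminal respectively would help readers generalize it.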
@ -4887,4 +5052,3 @@ VII. References<co id="co-ref"></programlisting>
sgml-parent-document: ("../book.sgml" "part" "chapter")
End:
-->