Solaris Security [Paperback]

Peter H. Gregory (Adapter), Peter Gregory (Author)

Book Description

Publication Date: August 17, 1999 | ISBN-10: 0130960535 | ISBN-13: 978-0130960535 | Edition: 1st

For Solaris sysadmins, it's been very difficult to find solid information on Solaris security. Most Solaris books don't cover security well; most security books don't cover Solaris well. Now, there's an outstanding security book focused totally on Solaris environments: The Solaris Security Handbook. Author Peter Gregory has been responsible for securing everything from top-secret AT&T facilities to casinos. Now, he shares his expert insights, offering specific techniques for protecting every element of a Solaris-based network. Start with an up-to-date look at today's security challenges, and a real-world framework for planning system security. Then, walk through standalone system security: PROMs, physical security, boot paths, filesystem security; permissions; auditing tools; user accounts; passwords; startup and shutdown, and more. Next, learn how to secure network interfaces; architect your network for better security; protect E-mail and printing; restrict access over the network; and enhance the security of NIS, NIS+, DNS, and NFS. You'll even find detailed coverage of disaster recovery -- from advance preparation through recovering compromised systems. For all Solaris and UNIX system administrators.

Editorial Reviews

From the Inside Flap

PrefaceWho Should Read This Book

Solaris Security has two audiences — IS/IT and security managers and UNIX administrators.

The content for IS/IT and security managers appears primarily in

Chapter 1, "The Security Problem"

Chapter 2, "The Security Paradigm"

Chapter 10, "Network/System Architecture"

Chapter 16, "System Recovery Preparation"

The remaining chapters in the book are primarily technical and written for the UNIX administrator. However, any IS/IT or security manager who needs to learn more about UNIX technology (in the security context) will find all of the technical chapters easy to read. Most chapters open with "What's in this chapter" and "Why this is important" sections. This allows you to choose whether any particular chapter needs immediate attention or whether it can or should be considered in the future.A Quick Look at the Contents

This book discusses the physical, logical, and human-factor aspects of computer and network security in the specific context of Solaris 2.x and Solaris 7 running on Sun Microsystems computers. There are five parts.

Introduction. The computer security problem is dramatically illustrated in chapter 1, "The Security Problem." Chapter 2, "The Security Paradigm," is a principle-based prescription recommended for use by all UNIX administrators, but also applicable to those managing computers of other vintages.

The standalone system. This part focuses on the computer itself and covers all aspects of security. Regardless of whether or not it is connected to a network, every system is also a standalone system. Chapter 3, "PROM, OpenBoot, and Physical Security," covers one of the least-known vulnerabilities of a Solaris system, as well as practical means for securing a Sun on a desktop or in a data center. Chapter 4, "The Filesystem," is a comprehensive review of file and directory security, and includes sections on filesystem auditing tools and suggestions for UNIX administrators. Everything about user accounts is discussed in chapter 5, "User Accounts and Environments." The intricacies of system booting are covered in Chapter 6, "System Startup and Shutdown." Chapter 7, "cron and at," and chapter 8, "System Logs," provide a thorough look at those respective areas.

The network-connected system. This part of the book is dedicated to the role and place of a Sun system on a network. Most severe vulnerabilities of a system are related to its being connected to a network. Chapter 9, "Network Interfaces and Services," discusses the logical attachment of Sun systems to the network and its vulnerable services. The principles of network and system architecture are covered in chapter 10, "Network/System Architecture." "Electronic Mail" is the topic of chapter 11. Chapter 12 reveals vulnerabilities with printing. Chapter 13, "Network Access Control," describes the best means for controlling access to a system via the network. DNS, NIS, and NIS+ are discussed in chapter 14, "Name Services." Chapter 15, "NFS and the Automounter," dissects these services and offers ways of improving their security.

Disaster and recovery. Disasters, whether caused by human error, malice, or natural events, will occur. Chapter 16, "System Recovery Preparation," gives a detailed look at the measures to be taken before a disaster strikes to ensure a rapid, accurate, and complete recovery.

Appendices. Appendix A, "Online Sources for Security Information," is a thorough review of web sites, FTP sites, and mailing lists. Likewise, a comprehensive list of security tool sources is found in appendix B, "Online Sources for Public-Domain Security Tools." Complete information on Solaris patches is found in appendix C, "Obtaining and Applying Solaris Patches." Appendix D, "Suggested Reading," refers the reader to online and in-print publications of further interest. Sun's Solaris security products are discussed in appendix E. The steps required to implement and manage C2 security are found in appendix F. Appendix G explains how to verify the integrity of public-domain software. A glossary of attacks appears in appendix H. Appendix I is a secure system checklist.Technical Prerequisites for the Practitioner

Solaris Security is written for the intermediate to advanced UNIX administrator who needs a thorough understanding of the Solaris operating system from a security perspective. If you are a technical reader, you should have the following tools and experience:

A C compiler — either one furnished by Sun or the Gnu C compiler. This is because most public-domain tools are packaged in source form only and require compilation.

Some experience with building public-domain tools on a UNIX system. This is not as critical a requirement as it was during UNIX's first decade, when public-domain tools were not as portable, where they required a lot of modification before they would compile (much less work properly). Further, advances in the configuration tools that accompany most public-domain packages permit those with little or no experience with the C language to get even the most complex public-domain tools up and running.Conventions Used in This BookCommands and Filenames

I emphasize commands and filenames within paragraphs with italics. For example, the file /etc/passwd contains system password information. The trap command is used to prevent premature exit.

Commands and filenames outside of paragraphs are set in Courier font; for example

share -F NFS -o rw=homeusers -d "Home Directories" /export/home

Portions of commands indicating syntax (vs. the actual intended content) are set in italics, as follows.

share -F FStype -o options -d description path

In the example above, FStype, options, description, and path are to be replaced with actual values appropriate in practice (I will always point this out in the text where such examples occur in the book).File Contents and Scripts

Shell scripts and the contents of computer files are set apart from paragraphs and are set in Courier font. The following example user's .profile file illustrates.# .profile file for application userstrap exit 1 2 3 15PATH=/export/app/binexec /export/app/bin/applicationexit

A sample /etc/default/passwd file appears as follows.#ident "@(#)passwd.dfl 1.3 92/07/14 SMI"MAXWEEKS=4MINWEEKS=1WARNWEEKS=3PASSLENGTH=6Computer Sessions

Examples of sessions with the computer are set apart from paragraphs and set in Courier font. Input from the user is underlined to distinguish it from computer output. An example session follows.% iduid=1001(jim) gid=101(users)% su bobPassword: ********% iduid=1004(bob) gid=102(cust)% lp -d localprinter /home/bob/eom.prtrequest-id is localprinter-87 (1 file(s))%

Also note from this example that the user-entered password is represented by a string of underlined asterisks. In reality, Solaris does not echo any actual characters typed when a user enters a password; the underlined asterisks signify a user entering non-echoed text.

Note: Some commands include the underscore (_) character, which is obscured in underlined text. Commands with underscores are not underlined in this book, and all such examples are footnoted. An example command with an underscore follows.# ndd -set /dev/ip ip_forwarding 0Cautions and Warnings

Special notes and cautions are set apart, like this.

Caution: /usr/bin/su has the SetUID bit turned on. Su will no longer work if this bit is turned off.Sources for Information

This book references several information sources. Each chapter ends with a section entitled "Where to Go for Additional Information" in which one or more of the following types of references are cited.

AnswerBook. This is an online reference provided by Sun and included with the Solaris 2.x release media. AnswerBook employs hyperlinks to give you the ability to quickly retrieve documents referenced within other documents. Any user can start a local AnswerBook session with the answerbook (Sun's proprietary browser that predates Web technology) or answerbook2 (Web browser interface) command.

Man pages. This is the original UNIX command reference, useful if you know the command or file name you wish to learn more about.

Note: Man page references in this book contain the man page section number to help differentiate those instances where an entry appears in more than one section. For example, when the passwd man page is cited, it may appear as "passwd(1M)" (the passwd command) or "passwd(4)" (the passwd file). To call up the "passwd(1M)" man page, enter the command man -s 1M passwd. To call up the "passwd(4)" man page, enter the command man -s 4 passwd.

docs.sun.SunSolve. This is an information service made available to Sun customers on current maintenance or support contracts.A userid and password are required to use this site.

Web sites. These are organizations or collections of information useful for the security specialist.

Publications. This ranges from paper to electronic magazines, books, and articles.Security Remedies and Public-Domain Software

This book illustrates security weaknesses in the Solaris operating system and proposes remedies for those weaknesses. Remedies take the form of

Syste

From the Back Cover

At last, a security book just for Solaris and UNIX(r) system administrators. Learn the specifics for making your system secure, whether it's an organization-wide network or a standalone workstation. Expert author Peter Gregory has managed security for everything from top-secret corporate research facilities to casinos. Take advantage of his experience to build a secure, reliable system of your own.

Solaris Security looks at the physical, logical, and human factors that affect security, including:

• PROMs, physical security, bootpaths, permissions, auditing tools, system logs, passwords, and more
• Secure network interfaces and services for remote and Internet access, intrusion detection, access control, email, and printing
• Enhanced security for NIS, NIS+, DNS, and NFS

A special section shows you how to plan for the inevitable disasters so you can recover your data quickly and accurately without compromising security. References to books, journals, and online resources will help you keep up with the latest innovations.

Every chapter opens with a checklist of key topics and their significance, so you can quickly find the information you need. Whether you are a security manager, Information Technology/Systems manager or a network administrator, Solaris(tm) Security is the single resource to answer all your questions and get your systems in shape now and for the future.

See all Editorial Reviews

Product Details

• Paperback: 290 pages
• Publisher: Prentice Hall PTR; 1st edition (August 17, 1999)
• Language: English
• ISBN-10: 0130960535
• ISBN-13: 978-0130960535
• Product Dimensions: 9.1 x 7 x 0.9 inches
• Shipping Weight: 1.5 pounds
• Average Customer Review: 2.7 out of 5 stars  See all reviews (15 customer reviews)
• Amazon Best Sellers Rank: #1,065,546 in Books (See Top 100 in Books)
  • #39 in Books > Computers & Technology > Operating Systems > Solaris

More About the Author

Peter H. Gregory, CISA, CISSP, DRCE, is a career technologist and the security and risk manager at a financial management company in Redmond. He is the author of over twenty-five books on security and technology. Peter is a board member of Evergreen State InfraGard, co-founder of the Pacific CISO Forum, a graduate of the FBI Citizens' Academy, and a member of the board of advisors and an instructor, for the University of Washington certificate program on Information Assurance and Cybersecurity.

Customer Reviews

Most Helpful Customer Reviews

5 of 5 people found the following review helpful:

5.0 out of 5 stars great breadth of security issues, not for experts, July 8, 2000

By A Customer

This review is from: Solaris Security (Paperback)

I'm a junior sysadmin, and really enjoyed this book for the great overview it gave of security issues, especially Solaris. It covers a very wide breadth of topics, and gives you perhaps 80% of what you would need on a normal basis. Sure, it's not super in-depth 100% on every subject, but it gives many references for further reading. This would not be a book for the expert Solaris security admin, but it gives me exactly what I need. It's a real time-saver because of its breadth, and its very easy and quick to read and understand, it includes copies of what you'd see in log files, and walks you thru the exact commands and output you'd see on the command line, and it includes diagrams/tables for summaries/descriptions for various commands/programs/services, and the recommendations in dis/enabling them.

It covers PROM commands, file permissions, account security, x-windows, auditing tools, cron/at, system logs/syslog, IP, routing, snoop, sendmail, printing, DNS, NFS,NIS+, disaster recovery, security checklist, network access control, overview of 3rd party tools, PGP/MD5 verification of downloaded tools, and 50 pages of appendices.

I found this to be an excellent starting-point for exploring security issues.

By the way, the previous reviewer Nikolai N Bezroukov who gave it one star may be misleading about one point. He wrote:

--- begin quote ---

The quality of the book can be illustrated by the folowing quote (preface, page XLI):

ftp://ftp.win.tne.nl/pub/security/tcp_wrappers_7.6tar.gz

--- end quote ---

The author was using that as a lesson about how URLs in books and on the Web become outdated and obsolete, and he gave tips about them and also suggested readers check the appendices in the back of the book for additional security sites.

4 of 4 people found the following review helpful:

5.0 out of 5 stars System and Security Admins in Large Enterp. Need this., April 17, 2000

By 

S. Craig "all about pizza" (Detroit, MI) - See all my reviews
(REAL NAME)   

This review is from: Solaris Security (Paperback)

The Solaris Security book is very well laid out, easy to read, and has information every Solaris admin and security admin needs to know. I've been working with many different versions of Unix and even though I'm not new to Solaris, I found this book helpful by being able to find the reference or background knowledge quickly. If you're lucky enough to work with only Solaris 100% of the time then maybe this book won't knock your socks off - but I'd still recommend it as a reference book and to pass around to your co-workers. Having the references to other sources makes it feel more realistic by getting other points of view and for other priorities (such as having a checklist, more in-depth on networking, etc). I give it 5 stars for the best Solaris Security book in print.

3 of 3 people found the following review helpful:

4.0 out of 5 stars Great start for Solaris Security, April 3, 2000

By 

Brian Birkinbine - See all my reviews

This review is from: Solaris Security (Paperback)

I have been securing solaris servers for a couple years now, and I wish I had this book when I first got started. The general UNIX security books are just not enough. Each UNIX OS has their own configuration procedures for tightening security. Any print book cannot keep up with Internet time, but for those who need a jumpstart to securing their Solaris server, this is a great start. A good security program requires further research. There are many good solaris security sites on the internet.