Linux Security Cookbook

S/MIME

    native support by Mozilla 

    support by Evolution mailer 

sa -s command (truncating the process accounting log file) 

Samhain (integrity checker) 

scp command

    mirroring set of files securely between computers 

    options for remote file copying 

    securely copying files between computers 

    syntax 

scripts, enabling/disabling network interfaces 

search path, testing 

    . (period) in 

    relative directories in, dangers of 

SEC_BIN global variable (Tripwire) 

secret keys

    adding to GnuPG keyring 

    default key for GnuPG operations 

    listing for GnuPG 

secret-key encryption 

secure integrity checks 

    creating bootable CD-ROM securely 

    dual-ported disk array, using 

Secure Sockets Layer  [See SSL]

securetty file, editing to prevent root logins via terminal devices 

security policies  [See policies]

security tests  [See monitoring systems for suspicious activity]

security tools (Insecure.org) 

self-signed certificates 

    creating 

    generating X.509 certificate 

    man-in-the-middle attacks, risk of 

    setting up your own CA to issue certificates 

sending-filters for email (PinePGP) 

sendmail

    accepting mail from other hosts 

    authentication mechanisms accepted as trusted 

    daemons (visible), security risks with 

    restriction on accepting connections from only same host, changing 

    SSL, using to protect entire SMTP session 

sense keyword (PAM, listfile module) 

server arguments (inetd.conf file) 

server authentication  [See Kerberos; PAM; SSH; SSL; trusted-host authentication]

server keyword (xinetd) 

server program, OpenSSH 

service filter configuration file (logwatch) 

service filter executable (logwatch) 

service names

    conversion of port numbers to by netstat and lsof 

    executable 

    modifying to invoke tcpd in /etc/xinetd.d startup file 

    PAM  2nd 

services file, adding service names to inetd.conf 

session protection for mail 

setgid bit on directories 

setgid/setuid programs

    security checks 

setgid/setuid programs, security checks

    finding and interactively fixing 

    listing all files 

    listing scripts only 

    removing setgid/setuid bits from a file 

    setuid programs for hostbased authentication 

setlogsock (Sys::Syslog) 

setuid root, ssh-keysign program 

sftp 

shadow directive (/etc/pam.d/system-auth) 

shadow password file  2nd 

sharing files

    prohibiting directory listings 

    protecting shared directory 

shell command substitution, exceeding command line maximum 

shell item (PAM) 

shell prompts, standards used 

shell scripts

    in your current directory 

    writing system log entries  2nd 

shell-style wildcard expansion 

shells

    bash 

    checking for dormant accounts 

    invoking MH commands from prompt 

    invoking with root privileges by sudo, security risks 

    process substitution 

    root login shell, running 

    root shell vs. root login shell 

    terminating SSH agent on logout 

    umask command 

shosts.equiv file 

show command, decrypting email displayed with 

shutdowns (system), records of 

shutting down network interfaces 

signature ID (Snort alerts) 

signed cryptographic keys 

signing files  [See digital signatures]

single computer

    blocking spoofed addresses 

    firewall design 

single-threaded services (inetd.conf file) 

site key (Tripwire) 

    creating with twinstall.sh script 

    fingerprints, creating in secure integrity checks 

    read-only integrity checking 

size, file

    /bin/login, changes since last Tripwire check 

    verifying for RPM-installed files 

SLAC (Stanford Linear Accelerator), Network Monitoring Tools page 

SMTP

    blocking requests for mail service from a remote host 

    capturing messages from with dsniff program mailsnarf 

    protecting dedicated server for smtp services 

    requiring authentication by server before relaying mail 

    using server from arbitrary clients 

snapshots  [See Tripwire]

Snort 

    decoding alert messages 

        nmap port scan detected 

        priority levels 

        writing alerts to file instead of syslog 

    detecting intrusions with 

        dumping statistics to the system logger 

        promiscuous mode, setting 

        running in background as daemon 

    packet sniffing with 

    partitioning logs into separate files 

    upgrading and tuning ruleset 

socket type (inetd.conf file) 

software packages, risk of Trojan horses in 

sort command 

    -z option for null filename separators 

source address verification

    enabling 

    enabling in kernel 

    website information on 

source addresses

    controlling access by 

    limiting server sessions by 

source name for remote file copying 

source quench, blocking 

sources for system messages 

spoofed addresses

    blocking access from 

    MAC 

    source addresses 

SquirrelMail 

SSH (Secure Shell) 

    agents  [See ssh-agent]

    authenticating between client/server by trusted host 

    authenticating between SSH2 client/OpenSSH server 

    authenticating by public key 

    changing client defaults 

    client configurations in ~/.ssh/config 

    connecting via ssh with Kerberos authentication 

    cryptographic authentication 

    download site for OpenSSH 

    fetchmail, use of 

    important programs and files 

        scp (client program) 

        ssh (client program) 

    Kerberos, using with 

        debugging 

        Kerberos-5 support 

    permitting only incoming access via SSH with firewall 

    protecting dedicated server for ssh services 

    public-key and ssh-agent, using with Pine 

    public-key authentication between SSH2 client/OpenSSH server 

    public/private authentication keys 

    remote user access by public key authentication 

    restricting access by remote users 

    restricting access to server by account 

    restricting access to server by host 

    running root commands via 

    securing POP/IMAP 

        with Pine 

    sharing root privileges via 

    SSH-2 connections, trusted-host authentication 

    SSH2 server and OpenSSH client, authenticating between with OpenSSH key 

    SSH2 server and OpenSSH client, authenticating between with SSH2 key 

    superusers, authentication of 

    tailoring per host 

    transferring email from another ISP over tunnel 

    tunneling NNTP with 

    tunneling TCP connection through 

    web site 

ssh command

    -t option (for pseudo-tty) 

    -X option (for X forwarding) 

    using with rsync to mirror set of files between computers 

ssh file 

ssh-add 

ssh-agent 

    automatic authentication (without password) 

    invoking between backticks (` `) 

    public-key authentication without passphrase 

    terminating on logout 

ssh-keygen 

    conversion of SSH2 private key into OpenSSH private key with -i (import) option 

ssh-keysign 

    setuid root on client 

ssh_config file 

    ~/.ssh file, using instead of 

    client configuration keywords 

    HostbasedAuthentication, enabling 

ssh_known_hosts file 

    OpenSSH client, using ~/.ssh file instead of 

sshd 

    AllowUsers keyword 

    authorizing users to restart 

    restricting access from specific remote hosts 

    TCP wrappers support 

sshd_config file

    AllowUsers keyword 

    HostbasedAuthentication, enabling 

    HostbasedUsesNameFromPacketOnly 

    KerberosTgtPassing, enabling 

    ListenAddress statements, adding 

    PermitRootLogin, setting 

    PublicAuthentication, permitting 

    X11Forwarding setting 

SSL (Secure Sockets Layer) 

    connection problems, server-side debugging 

    converting certificates from DER to PEM 

    creating self-signed certificate 

    decoding SSL certificates 

    generating Certificate Signing Request (CSR) 

    installing new certificate 

    OpenSSL 

        web site 

    POP/IMAP security 

        mail server, running with 

        mail sessions for Evolution 

        mutt mail client, using with 

        stunnel, using 

        with pine mail client 

    setting up CA and issuing certificates 

    STARTTLS command (IMAP), negotiating protection for mail 

    STLS command (POP), negotiating protection for email 

    validating a certificate 

    verifying connection to secure POP or IMAP server 

SSL-port

    on mail servers 

    POP or IMAP connections for mutt client 

    testing use in pine mail client 

standard input, redirecting from /dev/null 

Stanford Linear Accelerator (SLAC) Network Monitoring Tools page 

starting network interfaces 

STARTTLS command (IMAP) 

    mail server support for SSL 

    mutt client connection over IMAP, testing 

    testing use in pine mail client 

startup scripts (bootable CD-ROM), disabling networking 

stateful 

stateless 

sticky bit

    set on world-writable directories 

    setting on world-writable directory 

STLS command (POP)  2nd 

strace command  2nd 

strings

    matching with fgrep command 

    searching network traffic for 

strings command 

strong authentication for email sessions 

strong session protection for mail (by SSL) 

stunnel, securing POP/IMAP with SSL 

su command 

    invoking with root privileges by sudo, security risks 

    ksu (Kerberized su) 

        authentication via Kerberos 

        sharing root privileges via 

    su -, running root login shell 

su configuration (PAM) 

subject (certificates) 

    components of certificate subject name 

    self-signed 

sudo command 

    bypassing password authentication 

    careful practices for using 

    forcing password authentication 

    killing processes via 

    listing invocations 

    logging remotely 

    password changes, authorizing via 

    prohibiting command-line arguments for command run via 

    read-only access to shared file 

    running any program in a directory 

    running commands as another user 

    starting/stopping daemons 

    user authorization privileges, allowing per host 

sudoers file 

    argument lists for each command, specifying meticulously 

    editing with visudo program 

    listing permissible commands for root privileges 

    running commands as another user 

    timestamp_timeout variable 

    user authorization to kill certain processes 

superdaemons 

    inetd  [See inetd]

    xinetd  [See xinetd]

superuser  2nd  [See also root]

    assigning privileges via ssh without disclosing root password 

    finding all accounts on system 

    ksu (Kerberized su) 

    processes owned by others, examining 

SuSE Linux

    firewall rules, building 

    Heimdal Kerberos 

    inetd superdaemon 

    loading firewall rules at boot time 

    process accounting RPM 

    script allowing users to start/stop daemons 

    Snort, starting automatically at boot 

    SSL certificates  2nd 

    TCP wrappers  2nd 

switched networks

    packet sniffers and 

    simulated attacks with dsniff 

symbolic links

    for encrypted files on separate system 

    inability to verify with manual integrity check 

    permission bits, ignoring 

    scp command and 

symmetric encryption 

    file encryption with gpg -c 

    files encrypted with GnuPG, decrypting 

    problems with 

    single encrypted file containing all files in directory 

SYN_RECV state, large numbers of network connections in 

synchronizing files on two machines (rsync) 

    integrity checking with 

Sys::Lastlog and Sys::Utmp modules (Perl) 

Sys::Syslog module 

syslog function 

    using in C program 

syslog-ng ("new generation") 

syslog.conf file

    directing messages to different log files by facility and priority 

    remote logging, configuring  2nd 

    RPM-installed, verifying with Tripwire 

    setting up for local logging 

    signaling system logger about changes in 

    tracing configuration errors in 

syslogd

    -r flag to receive remote messages 

    signaling to pick up changes in syslog.conf 

system accounts, login activity on  2nd 

system calls, tracing on network 

system logger

    combining log files 

    debugging SSL connections 

    directing system messages to log files 

    log files created by, permissions and 

    logging messages remotely 

    programs not using 

    scanning log files for problem reports 

    sending messages to 

    signaling changes in syslog.conf 

    standard API, functions provided by 

    testing and monitoring 

    writing system log entries

        in C  2nd 

        in Perl 

        in shell scripts 

    xinetd, logging to 

system-wide authentication (Kerberos with PAM) 

system_auth (/etc/pam.d startup file)

    forbidding local password validation 

    Kerberos in 

systems

    authentication methods and policies (authconfig) 

    security tests on  [See monitoring systems for suspicious activity]
