Specifications

ManualsBrandsCabletron Systems ManualsNetwork CardE2100

201

202

203

204

205

206

207

208

209

210

Network Security

buddy” or “jasmine76” are easily guessed even by someone who has only

some casual knowledge about you.

The Boot Procedure

Conﬁgure your system so it cannot be booted from a ﬂoppy or from CD, ei-

ther by removing the drives entirely or by setting a BIOS password and con-

ﬁguring the BIOS to allow booting from a hard disk only.

Normally, a Linux system will be started by a boot loader, allowing you to

pass additional options to the booted kernel. This is crucial to your system’s

security. Not only does the kernel itself run with root permissions, but it is

also the ﬁrst authority to grant root permissions at system start-up. Prevent

others from using such parameters during boot by using the options “re-

stricted” and “password=your_own_password” in /etc/lilo.conf. Exe-

cute the command lilo after making any changes to /etc/lilo.conf and

look for any unusual output the command might produce. If you forget this

password, you will have to know the BIOS password and boot from CD to

read the entry in /etc/lilo.conf from a rescue system.

File Permissions

As a general rule, always work with the most restrictive privileges possible

for a given task. For example, it is deﬁnitely not necessary to be root to

read or write e-mail. If the mail program you use has a bug, this bug could

be exploited for an attack which will act with exactly the permissions of the

program when it was started. By following the above rule, minimize the pos-

sible damage.

The permissions of the more than 200,000 ﬁles included in a SuSE distribu-

tion are carefully chosen. A system administrator who installs additional soft-

ware or other ﬁles should take great care when doing so, especially when set-

ting the permission bits. Experienced and security-conscious system admin-

istrators always use the -l option with the command ls to get an extensive

ﬁle list, which allows them to detect any wrong ﬁle permissions immediately.

An incorrect ﬁle attribute does not only mean that ﬁles could be changed or

deleted. These modiﬁed ﬁles could be executed by root or, in the case of

conﬁguration ﬁles, that programs could use such ﬁles with the permissions

of root. This signiﬁcantly increases the possibilities of an attacker. Attacks

like this are called cuckoo eggs, because the program (the egg) is executed

(hatched) by a different user (bird), just like a cuckoo would trick other birds

into hatching its eggs.

A SuSE Linux system includes the ﬁles permissions, permissions.easy,

permissions.secure, and permissions.paranoid, all in the /etc

199SuSE Linux – Firewall on CD2