Practical Unix & Internet Security, 2nd Edition
by Simson Garfinkel
Synopses & Reviews

Publisher Comments:

When Practical UNIX Security was first published in 1991, it became an instant classic. Crammed with information about host security, it saved many a UNIX system administrator and user from disaster. This second edition is a complete rewrite of the original book. It's packed with twice the pages and offers even more practical information for UNIX users and administrators. In it you'll find coverage of features of many types of UNIX systems, including SunOS, Solaris, BSDI, AIX, HP-UX, Digital UNIX, Linux, and others. The first edition was practical, entertaining, and full of useful scripts, tips, and warnings. This edition is all those things — and more.

If you are a UNIX system administrator or user in this security-conscious age, you need this book. It's a practical guide that spells out, in readable and entertaining language, the threats, the system vulnerabilities, and the countermeasures you can adopt to protect your UNIX system, network, and Internet connection. It's complete — covering both host and network security — and doesn't require that you be a programmer or a UNIX guru to use it.

Practical UNIX & Internet Security describes the issues, approaches, and methods for implementing security measures. It covers UNIX basics, the details of security, the ways that intruders can get into your system, and the ways you can detect them, clean up after them, and even prosecute them if they do get in. Filled with practical scripts, tricks, and warnings, Practical UNIX & Internet Security tells you everything you need to know to make your UNIX system as secure as it possibly can be. Contents include:
Synopsis:

When Practical UNIX Security was first published in 1991, it became an instant classic. Crammed with information about host security, it saved many a UNIX system administrator and user from disaster. This second edition is a complete rewrite of the original book. It's packed with twice the pages and offers even more practical information for UNIX users and administrators. It covers features of many types of UNIX systems, including SunOS, Solaris, BSDI, AIX, HP-UX, Digital UNIX, Linux, and others. The first edition was practical, entertaining, and full of useful scripts, tips, and warnings. This edition is all those things — and more. Contents include UNIX and security basics (password, the filesystem, the superuser, cryptography), system administrator tasks (backups, integrity checking, log files, programmed threats, physical security), network security (modems, UUCP, TCP/IP, NIS, NFS, RFS, network monitoring, Kerberos, DCE, firewalls), and appendixes containing checklists and helpful summaries.

Description:

Includes bibliographical references (p. 877-888) and index.

Table of Contents
Preface to the Second Edition
UNIX "Security?"
What this Book is.
What This Book isn't
Scope of This Book
Which Unix System?
"Secure" Versions of Unix
Conventions Used in This Book
Obtaining the Examples
Acknowledgments
First Edition
Second Edition
Comments and Questions
A Note to Nitpickers and Computer Crackers
1. Introduction
What Is Computer Security?
What Is an Operating System?
History of UNIX
Security and UNIX
Expectations
Software Quality
Add-On Functionality Breeds Problems
Role of This Book
2. Policies & Guidelines
Planning your Security Needs
Trust
Risk Assessment
A Simple Assessment Strategy
Identifying Assets
Identifying Threats
Quantifying the Threats
Review Your Risks
Cost-Benefit Analysis
The Cost of Loss
The cost of prevention
Adding up the Numbers
Risk Cannot Be Eliminated
Convincing Management
Policy
The Role of Policy
Standards
Guidelines
Some Key Ideas in Developing a Workable Policy
Assign an Owner
Be positive
Remember that employees are people too
Concentrate on education
Have authority commensurate with responsibility
Pick a basic philosophy
Defend in Depth
The Problem with Security Through Obscurity
Going Public
Confidential Information
Risk Management Means Common Sense
3. Users and Passwords
Usernames
Passwords
The /etc/passwd File
The /etc/passwd File and Network Databases
Authentication
Passwords are a Shared Secret
Why Use Passwords?
Conventional UNIX Passwords
Entering Your Password
Changing Your Password
Verifying Your New Password
The Care and Feeding of Passwords
Bad Passwords: Open Doors
Smoking Joe
Good Passwords: Locked Doors
Passwords on Multiple Machines
Writing Down Passwords
One-Time Passwords
Summary
4. Users, Groups, and the Superuser
Users and Groups
User Identifiers (UIDs)
Multiple Accounts with the Same UID
Groups and Group Identifiers (GIDs)
The /etc/group File
Groups and Early System V Unix
Groups and BSD or System V.4 Unix
Special Usernames
The Superuser
Any username can be the superuser
Superuser is not for casual use
What the Superuser Can Do
What the superuser can't do
The Problem with the Superuser
Other Special Users
Impact of the /etc/passwd and /etc/group Files on Security
su: Changing Who You Claim to Be
Real and Effective UIDs
Becoming the Superuser
Using su with Caution
Restricting su
The Bad su Log
The sulog under Berkeley UNIX
Other Uses of su
Summary
5. The UNIX Filesystem
Files
Directories
Inodes
Current Directory and Paths
Using the ls Command
File Times
Understanding File Permissions
File Permissions in Detail
Using File Permissions
chmod: Changing a File's Permissions
Changing a File's Permissions
Calculating Octal File Permissions
Using Octal File Permissions
Access Control Lists
AIX Access Control Lists
HP-UX access control lists
The umask
The umask Command
Common umask Values
Using Directory Permissions
SUID
SUID, SGID, and Sticky Bits
Problems with SUID
SUID Shell Scripts
write: Example of a Possible SUID/SGID Security Hole
Another SUID Example: IFS and the /usr/lib/preserve Hole
Finding All of the SUID and SGID Files
The ncheck Command.
Turning Off SUID and SGID in Mounted Filesystems
SGID and Sticky Bits on Directories
SGID Bit on Files (System V UNIX Only)
Device Files
chown: Changing a File's Owner
chgrp: Changing a File's Group
Oddities and Dubious Ideas
Dual-universes
Context-Dependent Files
Summary
6. Cryptography
A Brief History of Cryptography
Code Making and Code Breaking
Cryptography and Digital Computers
Modern Controversy
What is Encryption?
What You Can Do with Encryption
The Elements of Encryption
Cryptographic Strength
Why Use Encryption With UNIX?
The Enigma Encryption System
Common Cryptographic Algorithms
Summary of Private key systems:
Summary of Public key systems:
ROT13: Great for Encoding Offensive Jokes
DES
Use and Export of DES
DES Modes
DES Strength
Improving the Security of DES
Double DES
Triple DES
RSA and Public Key Cryptography
How RSA Works
An RSA Example
Strength of RSA
An Unbreakable Encryption Algorithm
Proprietary Encryption Systems
Message Digests and Digital Signatures
Message Digests
Using Message Digests
Digital Signatures
Common Digest Algorithms
MD4 and MD5 Message Digest Functions
SHA
HAVAL
SNEFRU
Other Codes
Checksums
Message Authentication Codes
Encryption Programs Available for UNIX
UNIX crypt(1): The Original UNIX Encryption Command
The crypt(1) algorithm
Ways of Improving the Security of crypt
Example
des(1): The Data Encryption Standard
PGP: Pretty Good Privacy
Encrypting Files with IDEA
Creating Your PGP Public Key
Encrypting A Message
Adding a Digital Signature to an Announcement
Decrypting Messages and Verifying Signatures
PGP Detached Signatures
Encryption and U.S. Law
Cryptography and the U.S. Patent System
Cryptography and Export Controls
7. Backups
Make Backups!
Why Make Backups?
A taxonomy of computer failures
What Should You Back Up?
Types of Backups
Guarding against media failure
How Long Should You Keep a Backup?
Security for Backups
Physical security for backups
Write-protect your backups
Data security for backups
Legal Issues
Sample Backup Strategies
Individual Workstation
Backup plan
Media Rotation.
Small Network of Workstations and a Server
Backup plan:
Retention schedule
Large Service-Based Network with Small Budgets
Backup plan:
Retention schedule:
Large Service-based Networks with Large Budgets
Deciding upon a backup Strategy
Backing up System Files
What Files to Back up?
Building an Automatic Backup System
Software for Backups
Simple Local Copies
Simple Archives
Specialized Backup Programs
Encrypting your backups
Backups Across the Net
Commercial Offerings
inode modification times
8. Defending Your Accounts
Dangerous Accounts
Accounts Without Passwords
Default Accounts
Accounts That Run a Single Command
Open Accounts
Restricted Shells under System V Unix
Restricted Shells Under Berkeley Versions
Restricted Korn Shell
No Restricted bash
How to Set Up a Restricted Account with rsh
Potential Problems with rsh
Restricted File System
Limited users
Checking new software
Group Accounts
Monitoring File Format
Restricting Logins
Managing Dormant Accounts
Changing an Account's Password
Changing the Account's Login Shell
Finding Dormant Accounts
Protecting the root Account
Secure Terminals
The wheel Group
TCB and Trusted Path
Trusted Path
Trusted Computing Base
The UNIX Encrypted Password System
The crypt() Algorithm
What Is Salt?
What the Salt doesn't do
Crypt16() and Other Algorithms
One-Time Passwords
Integrating one-time passwords with Unix
Token Cards
Code Books
Administrative Techniques For Conventional Passwords
Assigning Passwords to Users
Constraining Passwords
Cracking Your Own Passwords
Joetest: a Simple Password Cracker
The Dilemma of Password Crackers
Password Generators
Shadow Password Files
Password Aging and Expiration
Algorithm and Library Changes
Disabling an Account by Changing its Password
Account Names Revisited: Using Aliases for Increased Security
9. Integrity Management
Prevention
Immutable Filesystems
Read-only Filesystems
Detecting Change
Comparison copies
Local copies
Remote Copies
Rdist
Checklists
Simple Listing
Ancestor directories
Checksums
Tripwire
Building Tripwire
Running Tripwire
A Final Note
10. Auditing and Logging
The Basic Log Files
The lastlog File
The utmp and wtmp Files
The su command and the /etc/utmp and /var/adm/wtmp files
The last Program
Pruning the wtmp File
The loginlog file
The acct/pacct log File
Accounting with System V
Accounting with BSD
The messages logfile
Program-Specific Log Files
The aculog file
The sulog logfile
The xferlog logfile
uucp Log Files
The access_log logfile
Logging Network Services
Other Logs
Per-User Trails in the File System
Shell History
Mail
Network Setup
The UNIX System Log (syslog) Facility
The syslog.conf Configuration File
Where to Log
Logging to a printer
Logging across the network
Log Everything Everywhere
Syslog Messages
Beware False Log Entries
Swatch: A logfile tool
Running Swatch
The Swatch Configuration File
Manual Logs
Per-site Logs
Exception and activity reports
Informational material
Per-Machine Logs
Exception and activity reports
Informational material
Managing Log Files
11. Protecting Against Programmed Threats
Programmed Threats: Definitions
Security Tools
Back Doors and Trap Doors
Logic Bombs
Trojan Horses
Viruses
Worms
Bacteria and Rabbits
Damage
Authors
Entry
Protecting Yourself
Shell Features
PATH Attacks
IFS Attacks
HOME Attacks
Filename Attacks
Start-up File Attacks
.login, .profile, /etc/profile
.cshrc, .kshrc
GNU .EMACS
.exrc
.forward, .procmailrc
Other Files
Other Initializations
Abusing Automatic Mechanisms
crontab Entries
inetd.conf
/usr/lib/aliases, /etc/aliases, or /etc/sendmail/aliases
The at Program
System Initialization Files
Other Files
Protecting Your System
File Protections
World-writable User Files and Directories
Writable System Files and Directories
Group-writable Files
World-readable Backup Devices
Shared Libraries
12. Physical Security
One Forgotten Threat
The Physical Security Plan
Protecting Computer Hardware
The Environment
Fire
Smoke
Dust
Earthquake
Explosion
Temperature Extremes
Bugs (Biological)
Electrical Noise
Lightning
Vibration
Humidity
Water
Environmental Monitoring
Preventing Accidents
Food and Drink
Physical Access
Raised Floors and Dropped Ceilings
Entrance Through Air Ducts
Glass Walls
Vandalism
Ventilation Holes
Network Cables
Network Connectors
Defending Against Acts of War and Terrorism
Preventing Theft
Physically Secure Your Computer
Encryption
Portables
Minimizing Downtime
Related Concerns
Protecting Data
Eavesdropping
Wiretapping
Eavesdropping by Ethernet and 10Base-T
Eavesdropping by Radio & TEMPEST
Auxiliary Ports on Terminals
Fiber Optic Cable
Protecting Backups
Verify Your Backups
Protect Your Backups
Sanitize Your Media Before Disposal
Backup Encryption
Other Media
Protecting Local Storage
Printer Buffers
Printer Output
Multiple Screens
X Terminals
Function Keys
Unattended Terminals
Built-in Shell autologout
X Screen Savers
Key Switches
Story: A Failed Site Inspection
What we found...
Potential for Eavesdropping and Data Theft:
Easy Pickings
Physical Access to Critical Computers
Possibility for Sabotage:
"Nothing to lose?"
13. Personnel Security
Background checks
On the Job
Initial Training
On-going Training and Awareness
Performance Reviews and Monitoring
Auditing Access
Least-Privilege and Separation
Departure
Outsiders
14. Modems
Theory of Operation
Serial Interfaces
The RS-232 Serial Protocol
Originate and Answer
Modems and Security
One-way Phone Lines
Caller-ID (CNID)
Protecting Against Eavesdropping
Kinds of Eavesdropping
Protection Against Eavesdropping
Modems and UNIX
Hooking Up a Modem to Your Computer
Setting Up the UNIX Device
Checking Your Modem
Originate Testing
Answer Testing
Privilege Testing
Physical Protection of Modems
Additional Security for Modems
15. UUCP
About UUCP
The uucp Command
uucp with the C Shell
The uux Command
The mail Command
How the uucp Commands Work
Versions of UUCP
UUCP and Security
Assigning Additional UUCP Logins
Establishing UUCP Passwords
Security of the L.sys and Systems Files
Security in Version 2 UUCP
USERFILE: Providing Remote File Access
USERFILE Entries
USERFILE Entries for Local Users
Format of USERFILE Entry Without System Name
Special Permissions
Requiring Callback
A USERFILE Example
Some bad examples
L.cmds: Providing Remote Command Execution
Security in BNU UUCP
The Permissions File
Starting Up
Name-Value Pairs
A Sample Permissions File
Permissions Commands
uucheck: Checking Your Permissions File
Additional Security Concerns
Mail Forwarding for UUCP
Automatic Execution of Cleanup Scripts
Early Security Problems with UUCP
UUCP Over Networks
Summary
16. TCP/IP Networks
Networking
The Internet
Who is on the Internet?
Networking and Unix
IPv4: The Internet Protocol Version 4
Internet Addresses
IP networks
Classical network addresses
CIDR addresses
Routing
Hostnames
The /etc/hosts file
Packets and Protocols
ICMP
TCP
UDP
Clients and Servers
Name Service
DNS under UNIX
Other naming services
IP Security
Link-level Security
Security and Nameservice
Authentication
Other Network Protocols
IPX
SNA
DECNet
OSI
XNS
Summary
17. UNIX TCP/IP Services
Understanding UNIX Internet Servers
The /etc/services File
Starting the Servers
The /etc/inetd Program
Controlling Access To Servers
Notable UNIX Network Services
systat (tcp port 11)
FTP (tcp ports 20 & 21)
FTP Passive Mode
Using anonymous FTP
Passive vs. Active FTP
Setting up an FTP server
Restricting FTP with the standard UNIX FTP server
Setting up anonymous FTP with the standard UNIX FTP Server
Allowing only FTP access
tcp port 23: TELNET
SMTP (Electronic Mail) (tcp port 25)
sendmail and Security
Using sendmail to receive email
Improving the security of Berkeley Sendmail V8
TACACS (UDP port 49)
Domain Name System (TCP and UDP port 53)
DNS zone transfers
DNS nameserver attacks
TFTP (UDP port 69)
finger (tcp port 79)
The .plan and .project files
Disabling finger
Replacing finger
HTTP (Hyper-Text Transfer Protocol) (tcp port 80)
POP (Post Office Protocol) (tcp ports 109 & 110)
udp & tcp port 111: Sun RPC's Portmapper
Identification protocol (auth) (tcp port 113)
NNTP (Network News Transport Protocol) (tcp port 119)
NTP (Network Time Protocol) (udp port 123)
SNMP (Simple Network Management Protocol) (udp ports 161 & 162)
NSWS (NextStep Window Server) (tcp port 178)
rexec (tcp port 512)
rlogin and rsh (tcp ports 513 & 514)
Trusted Hosts and Users
The Problem with Trusted Hosts
Setting Up Trusted Hosts
The ~/.rhosts file
Searching for .rhosts Files
The /etc/hosts.lpd File
rip (a.k.a. route) (udp port 520)
UUCP over TCP (tcp port 540)
The X Window System (tcp ports 6000-6063)
/etc/fbtab and /etc/logindevperm
X security
The xhost facility
Using Xauthority Magic Cookies
Denial of Service Attacks Under X
RPC rpc.rexd
Other TCP ports: MUDs and Internet Relay Chat (IRC)
Security Implications of Network Services
Monitoring Your Network with netstat
Network Scanning
SATAN
ISS
PingWare
Summary
18. WWW Security
Security and the World Wide Web
Running A Secure Server
The Server's UID
Understand Your Server's Directory Structure
Configuration Files
Additional Configuration Issues
Writing Secure CGI Scripts and Programs
Do Not Trust the User!
Testing is not enough!
Sending Mail
Tainting with Perl
Beware stray CGI scripts
Keep Your Scripts Secret!
Beware Mixing HTTP with Anonymous FTP
Other Issues
Controlling Access to Files on Your Server
The access.conf and .htaccess file
Command within the block
Examples
Setting up Web users and passwords
Avoiding the Risks of Eavesdropping
Eavesdropping Over the Wire
Eavesdropping Through Log Files
Risks of Web Browsers
Executing Code from the Net
Trusting Your Software Vendor
Dependence on Third Parties
Conclusion
19. RPC and Configuration Management
Securing Network Services
Sun's Remote Procedure Call (RPC)
Sun's portmap/rpcbind
RPC Authentication
AUTH_NONE
AUTH_UNIX
AUTH_DES
AUTH_KERB
Secure RPC (AUTH_DES)
Secure RPC Authentication
Proving Your Identity
Using Secure RPC Services
Setting the Window
Setting Up Secure RPC With NIS
Creating Passwords for Users
Creating Passwords for Hosts
Making Sure Secure RPC Programs are Running on Every Workstation
Using Secure NFS
Mounting a Secure Filesystem
Using Secure RPC
Limitations of Secure RPC
Sun's Network Information Service (NIS)
Including or Excluding Specific Accounts:
Importing accounts without really importing accounts
NIS Domains
NIS Netgroups
Setting Up Netgroups
Using Netgroups to limit the importing of accounts
Limitations with NIS
Spoofing RPC
Spoofing NIS
NIS is Confused about "+"
Unintended Disclosure of Site Information with NIS
NIS+
What NIS+ Does
NIS+ Objects
NIS+ Tables
Using NIS+
Changing your password
When a User's Passwords Don't Match
NIS+ Limitations
Kerberos
Kerberos Authentication
Initial Login
Using the Ticket Granting Ticket
Authentication, Data Integrity, and Secrecy
Kerberos 4 vs. Kerberos 5
Kerberos vs. Secure RPC
Installing Kerberos
Using Kerberos
Kerberos Limitations
Other Network Authentication Systems
DCE
SESAME
20. NFS
Understanding NFS
NFS History
File Handles
MOUNT
The NFS Protocol
How NFS creates a reliable filesystem from a best-effort protocol
Hard vs. Soft
Connectionless and stateless
NFS and root
NFS Version 3
Server-Side NFS Security
Limiting Client Access: /etc/exports and /etc/dfs/dfstab
/etc/exports
/usr/etc/exportfs
Exporting NFS directories under System V: share(1) and dfstab
The showmount Command
Client-Side NFS Security
Improving NFS Security
Limit Exported and Mounted filesystems
The example explained
Export Read-only
Use Root Ownership
Remove Group Write Permission for Files And Directories
Do Not Export Server Executables
Do not Export Home Directories
Use fsirand
Set the portmon Variable
Use Secure NFS
Some Last Comments
Well-Known Bugs
For Real Security, Don't use NFS
21. Firewalls
What's a Firewall?
Default Permit vs. Default Deny
Uses of Firewalls
Anatomy of a Firewall:
Dual-ported host: The First Firewalls
Packet Filtering: A simple firewall with only a choke
One Choke, One Gate: Screened host architecture
Two chokes and One gate: Screened Subnet Architecture
Multiple Gates
Internal Firewalls
Building Your Own Firewall
Planning your Configuration
Assembling the Parts
Setting up the Choke
Choosing the Choke's Protocols
Example: Cisco Systems Routers as Chokes
The access-list Command
access-list: standard form
access-list: extended form
Seeing the Current Access Lists
Protecting Virtual Terminals: The access-class command
Protecting IP Interfaces: The ip access-group Command
Using IP Accounting to Detect Access Violations
Setting Up the Gate
Name Service
Electronic Mail
Netnews
FTP
Creating an FTPOUT account to allow FTP without proxies.
Finger
Telnet and rlogin From Remote Sites into your Network
Special Considerations
Final Comments
Firewalls Can Be Dangerous
Firewalls Sometimes Fail
Do You Really Need Your Desktop Machines on the Internet?
22. Wrappers & Proxies
Why Wrappers?
The TIS smap/smapd sendmail Wrapper
What smap/smapd Do
Getting smap/smapd
Installing the TIS smap/smapd sendmail wrapper
Possible Drawbacks
tcpwrapper
What TCP Wrapper Does
Understanding Access Control
Installing tcpwrapper
Advanced tcpwrapper options
Making sense of your tcpwrapper configuration files
SOCKS
What SOCKS Does
Getting SOCKS
Getting SOCKS Running
SOCKS and Usernames
SOCKS Identification Policy
The SOCKS Server Configuration File: /etc/sockd.conf:
NO_IDENTD and #BAD_ID
Example /etc/sockd.conf configuration files
The SOCKS Client Configuration File: /etc/socks.conf:
Example /etc/socks.conf File
UDP Relayer
Getting UDP Relayer
Writing Your Own Wrappers
Wrappers that Provide Temporary Patches
Wrappers that Provide Extra Logging
23. Writing Secure SUID and Network Programs
One bug can Ruin Your Whole Day...
The Lesson of the Internet Worm
An Empirical Study of the Reliability of UNIX Utilities
What They Found
Where's the Beef?
Tips on Avoiding Security-Related Bugs
Network Programs
Writing SUID/SGID Programs
Using chroot()
Passwords
Use Message Digests for Storing Passwords
Generating Random Numbers
UNIX Pseudo-Random Functions
rand()
random()
drand48(), lrand48(), mrand48()
Other random number generators
Picking a Random Seed
A Good Random Seed Generator
24. Discovering a Break-in
Prelude
Rule #1: DON'T PANIC!
Rule #2: DOCUMENT!
Rule #3: PLAN AHEAD
Discovering an Intruder
Catching One in the Act
What to Do When You Catch Somebody
Monitoring the Intruder
Tracing a Connection
Other tip-offs
How to Contact the System Administrator of a Computer You Don't Know
Getting Rid of the Intruder
Anatomy of a Break-in
The Log Files: Discovering an Intruder's Tracks
Cleaning Up After the Intruder
New Accounts
Changes in File Contents
Changes in File and Directory Protections
New SUID and SGID Files
Changes in .rhosts Files
Changes to the /etc/hosts.equiv File
Changes to Start-up Files
Hidden Files and Directories
Unowned Files
An Example
Never Trust Anything Except Hardcopy
Resuming Operation
Damage control
25. Denial of Service Attacks and Solutions
Destructive Attacks
Overload Attacks
Process Overload Problems
Too Many Processes
System Overload Attacks
Disk Attacks
Disk Full Attacks
The quot Command
Inode Problems
Using Partitions to Protect Your Users
Using Quotas
Reserved Space
Hidden space
Tree Structure Attacks
Swap Space Problems
/tmp Problems
Soft Process Limits: Preventing Accidental Denial of Service
Network Denial of Service Attacks
Service Overloading
Message Flooding
Signal Grounding
Clogging
26. Computer Security and U.S. Law
Legal Options After a Break-in
Criminal Prosecution
The Local Option
Federal Jurisdiction
Federal Computer Crime Laws
Hazards of Criminal Prosecution
If You or One of Your Employees is a Target of an Investigation...
Other Tips
A Final Note on Criminal Actions
Civil Actions
Other Liability
Munitions Export
Copyright Infringement
Software Piracy and the SPA
Patent Concerns
Trademark Violations
Pornography and Indecent Material
Harassment, Threatening Communication, and Defamation
27. Who Do You Trust?
Can you Trust Your Computer?
Harry's Compiler
Trusting Trust
What the Superuser Can and Cannot Do
Can You Trust Your Suppliers?
Hardware Bugs
Viruses on the Distribution Disk
Buggy Software
Hacker Challenges
Security Bugs that Never Get Fixed
Network Providers that Network Too Well
Your Employees?
Your System Admin?
Your Vendor?
Your Consultants?
Response Personnel?
What This All Means
APPENDICES.
A. UNIX Security Checklist
B. Important Files
System Files
Important Files in Your Home Directory
SUID Files in Berkeley UNIX
SGID Files in Berkeley UNIX
SUID Files in System V R3.2 UNIX
SGID Files in System V UNIX
C. UNIX Processes
Processes
Processes and Programs
The ps Command
Listing Processes on systems derived from System V
Listing Processes with Berkeley-derived versions of UNIX
Process Properties
Process Identification Numbers (PID)
Process Real and Effective UID
Process Priority and Niceness
Process Groups and Sessions
Creating Processes
Signals
The kill Command
Starting Up UNIX and Logging In
Process #1: /etc/init
Letting Users Log In
Running the User's Shell
D. Paper Sources
UNIX Security References
Other Computer References
Computer Crime and Law
Computer-Related Risks
Computer Viruses and Programmed Threats
Cryptography
Cryptography Papers and Other Publications
General Computer Security
Network Technology and Security
Security Products and Services Information
Understanding the Computer Security 'Culture'
UNIX Programming and System Administration
Miscellaneous References
Periodicals
Computer Audit Update
Computer Fraud & Security Update
Computer Law & Security Report
Computers & Security
E. Electronic Resources
Mailing Lists
Academic-Firewalls
BugTraq
CERT-Advisory
Firewalls mailing list
FWALL-Users
RISKS
WWW-Security
Usenet Groups
WWW Pages
Telstra
COAST
Software Resources
CERN HTTP Daemon
Chrootuid
COPS (Computer Oracle and Password System)
Source Code by UUCP
ISS (Internet Security Scanner)
Kerberos
Portmap
SATAN
SOCKS
SWATCH
TCP Wrapper
TIGER
TIS Internet Firewall Toolkit
trimlog
Tripwire
UDP Packet Relayer
wuarchive ftpd
F. Other Sources
Professional Organizations
Association for Computing Machinery (ACM)
American Society for Industrial Security (ASIS)
Center for Computer Law
Computer Security Institute (CSI)
High Technology Crimes Investigation Association (HTCIA)
Information Systems Security Association (ISSA)
Internet Society
IEEE Computer Society
USENIX/SAGE
Governmental Organizations
Computer Emergency Response Team (CERT)
National Computer Security Center (NCSC)
National Institute of Standards and Technology (NIST)
National Security Agency (NSA)
Emergency Response Organizations
Department of Energy's Computer Incident Advisory Capability (CIAC)
Department of Justice (DOJ)
Federal Bureau of Investigation (FBI)
U.S. Secret Service (USSS)
Forum of Incident and Response Security Teams (FIRST)