hack sun book: Hack Proofing Sun Solaris, part 7

We prevent this by specifying that browseable is set to no. We define three valid users, one of whom has administrative access. Administrative access, defined by the admin users parameter, should be considered carefully.

Chapter 8: Configuring Solaris as a Secure Router and Firewall

The side against an accessible local C compiler fears a local user compiling exploits or other programs and using the system for unauthorized activities. Such violations could lead to a local user gaining elevated privileges or unauthorized network access. The other side of the argument believes that having a C compiler on the local system is a necessary utility. Without a C compiler, they believe, it's impossible to build programs from source. I'm happy to announce that I'm a proud member of both camps. I'm against local users having unlimited free rein of a system through some goody built with a C compiler, but I'm not against having the C compiler. This risk can be eliminated through proper permissions and access control, such as RBAC or simple access control lists.

Minimal Services

A router needs very little in terms of services. Since the system has one purpose, there isn't a necessity for things such as NFS, NIS, RPC, and sendmail. By eliminating these services, you enhance overall system performance. Additionally, eliminating these services closes entry points for possible intruders. By limiting the channels that allow an intruder potential access to the system, we've mitigated the risk of opening a system to future compromise by a new vulnerability.

Shutting down all services, or using the system solely as a router, isn't always possible. This is, however, the recommended practice. Many of these services are started via the Internet daemon, inetd. Commenting out the services is a good practice. Commenting out the services and not starting inetd at all is the best methodology. The inetd is started in the /etc/rc2.d/S69inet script.
Another good practice is checking the rc directories in /etc for programs that might be started. For example, the rc3.d directory starts a number of services that, in addition to being unnecessary, also have a history of security risks. Services such as the NFS server and the DMI .
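
The two checks described above as an added example, not code from the book: a POSIX shell script that lists the inetd.conf entries still active and the start scripts in an rc directory. The sample inetd.conf, the sample script names and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: report what inetd and an rc directory would still start.
# Paths are parameters so the audit can run against a copy of /etc.

# Print "service<TAB>server-program" for each active (uncommented) entry.
# Fields: service endpoint-type protocol wait-status uid server-program [args]
enabled_inetd_services() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }      # commented out or blank
        NF >= 6 { printf "%s\t%s\n", $1, $6 }
    ' "$1"
}

# Print the start scripts (names beginning with S) in an rc directory.
rc_start_scripts() {
    for f in "$1"/S[0-9][0-9]*; do
        [ -f "$f" ] && basename "$f"
    done
    return 0
}

# Build a constructed sample tree under $1 (not taken from a real host).
make_sample() {
    mkdir -p "$1/rc2.d" "$1/rc3.d"
    cat > "$1/inetd.conf" <<'EOF'
# constructed sample inetd.conf
#ftp     stream  tcp6    nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/in.telnetd    in.telnetd
  #finger stream  tcp6    nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
100232/10 tli rpc/udp wait root /usr/sbin/rpc.sadmind rpc.sadmind
EOF
    : > "$1/rc2.d/S69inet"
    : > "$1/rc3.d/S15nfs.server"
    : > "$1/rc3.d/S77dmi"
    : > "$1/rc3.d/s76snmpdx"    # renamed script: only S* names are started
}

audit() {
    echo "inetd.conf entries still enabled:"
    enabled_inetd_services "$1/inetd.conf" | sed 's/^/  /'
    [ -f "$1/rc2.d/S69inet" ] && echo "inetd itself is started by rc2.d/S69inet"
    echo "rc3.d start scripts:"
    rc_start_scripts "$1/rc3.d" | sed 's/^/  /'
}

SAMPLE=${TMPDIR:-/tmp}/rc-audit-sample.$$
make_sample "$SAMPLE"
audit "$SAMPLE"
rm -rf "$SAMPLE"
```

On a real host, pass /etc/inetd.conf and /etc/rc3.d to the two listing functions instead of the sample tree.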