Re: LINUX Security

2002-12-17 Thread Susanne Oberhauser
Matt Zimmerman [EMAIL PROTECTED] writes:

 On Mon, Dec 16, 2002 at 05:08:54PM +0100, Susanne Oberhauser wrote:

  Sergey Korzhevsky [EMAIL PROTECTED] writes:
 
   Could you explain to me, please, what is the reason to remove the 'root'
   name from a system?
 
  there is none --- to the contrary doing so is Evil (tm) for LSB
  compliant distributions.

 However, to rely on LSB compliance in portable programs is just as
 Evil.

 10 Thou shalt foreswear, renounce, and abjure the vile heresy which
 claimeth that ``All the world's [an LSB-compliant Linux system]'',
 and have no commerce with the benighted heathens who cling to this
 barbarous belief, that the days of thy program may be long even
 though the days of thy current machine be short.


:))) ok, ok, I do --- being no native speaker, I can't abjure that
poetically, but yes, of course there are other operating systems out
there ;), I've even heard of some with very strange names for root,
Stratminidator or the like...

Nevertheless would you agree with me that for systems claiming to run
on *Linux*, relying on the existence of a user 'root' should be ok?
This would allow portable software to have just *one* platform
specific backend for *all* flavors of Linux, and would ease porting of
such software to Linux.


Susanne



Re: LINUX Security

2002-12-17 Thread Alan Cox
On Tue, 2002-12-17 at 15:08, Susanne Oberhauser wrote:
 Nevertheless would you agree with me that for systems claiming to run
 on *Linux*, relying on the existence of a user 'root' should be ok?
 This would allow portable software to have just *one* platform
 specific backend for *all* flavors of Linux, and would ease porting of
 such software to Linux.

It's a very bad habit but generally safe. If you want to be more correct you
can use getpwuid(0) and ask the OS what root is.
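An added example, not code from this thread, of the two checks Alan contrasts: test the effective uid directly when the question is "am I root", and ask the account database with getpwuid(0) only when a name is genuinely needed, for instance to hand to su. The function names are this example's own.

```c
/* Added example (not from the thread): locate "root" the way the OS sees it
 * instead of assuming the account is named root. Function names are mine. */
#define _POSIX_C_SOURCE 200809L
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* What the kernel actually checks: effective uid 0 (plus capability bits).
 * This is the test a program like su-to-root wants, not a name comparison. */
int running_as_root(void)
{
    return geteuid() == 0;
}

/* When a *name* is genuinely needed (e.g. to hand to su), ask the account
 * database which name maps to uid 0. Returns 0 and fills buf, or -1 if no
 * uid 0 entry exists or the name does not fit. getpwuid_r is used so the
 * result survives later lookups. Caveat: with several uid 0 entries the
 * first one in the database wins, which is why id(1) may not print "root". */
int root_account_name(char *buf, size_t buflen)
{
    struct passwd pw, *result = NULL;
    char scratch[1024];
    size_t len;

    if (getpwuid_r(0, &pw, scratch, sizeof scratch, &result) != 0 || result == NULL)
        return -1;
    len = strlen(result->pw_name);
    if (len + 1 > buflen)
        return -1;
    memcpy(buf, result->pw_name, len + 1);
    return 0;
}

/* The check the thread argues against, kept only for contrast: it breaks on
 * any system where uid 0 is spelled differently (Alan's "bofh" example). */
int name_is_literally_root(const char *name)
{
    return name != NULL && strcmp(name, "root") == 0;
}

int main(void)
{
    char name[64];

    printf("effective uid %ld, root privileges: %s\n",
           (long)geteuid(), running_as_root() ? "yes" : "no");
    if (root_account_name(name, sizeof name) == 0)
        printf("uid 0 is named \"%s\"%s\n", name,
               name_is_literally_root(name) ? "" : " (a literal 'root' test would fail here)");
    else
        printf("no uid 0 entry in the account database\n");
    return 0;
}
```

Run it with no arguments: on a stock system it reports that uid 0 is named root, and on one with an extra uid 0 entry listed first it reports that name instead. geteuid() is the check that matters because that is what the kernel consults; the name is only a label looked up afterwards.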



Re: LINUX Security

2002-12-17 Thread Matt Zimmerman
On Tue, Dec 17, 2002 at 04:08:26PM +0100, Susanne Oberhauser wrote:

 Nevertheless would you agree with me that for systems claiming to run on
 *Linux*, relying on the existence of a user 'root' should be ok?  This
 would allow portable software to have just *one* platform specific backend
 for *all* flavors of Linux, and would ease porting of such software to
 Linux.

Certainly, a program which is not expected to work on anything but an
LSB-compliant system can make this assumption, and many others.  But in this
specific case, it is (in many cases) in fact easier to check for uid=0 than
username=root anyway, and in general, there are relatively few cases where
it makes sense to test for root privileges rather than something more
specific.  With the continuing development and proliferation of more
fine-grained access control systems for Linux, root will become less magic,
and could be removed or assigned reduced privileges.

--
 - mdz



Re: LINUX Security

2002-12-17 Thread John Summerfield
On Tue, 17 Dec 2002, Matt Zimmerman wrote:

 On Tue, Dec 17, 2002 at 04:08:26PM +0100, Susanne Oberhauser wrote:

  Nevertheless would you agree with me that for systems claiming to run on
  *Linux*, relying on the existence of a user 'root' should be ok?  This
  would allow portable software to have just *one* platform specific backend
  for *all* flavors of Linux, and would ease porting of such software to
  Linux.

 Certainly, a program which is not expected to work on anything but an
 LSB-compliant system can make this assumption, and many others.  But in this
 specific case, it is (in many cases) in fact easier to check for uid=0 than
 username=root anyway, and in general, there are relatively few cases where
 it makes sense to test for root privileges rather than something more
 specific.  With the continuing development and proliferation of more
 fine-grained access control systems for Linux, root will become less magic,
 and could be removed or assigned reduced privileges.


Indeed. Engarde Linux has been around a while, and it's hardened with
LIDS. There's no guarantee that root can do anything you'd want to if
you're running LIDS-enabled.

I'm pretty sure you will encounter difficulty if you're using selinux or
Bastille.

Possessors of such systems won't care whether they're LSB-compliant,
though they may care that tests for privilege fail.

--


Cheers
John.

Join the Linux Support by Small Businesses list at
http://mail.computerdatasafe.com.au/mailman/listinfo/lssb



Re: LINUX Security

2002-12-16 Thread Sergey Korzhevsky
Hi

Could you explain to me, please, what is the reason to remove the 'root' name
from a system?
A local user can read /etc/passwd and find out who is really root, so it
does not save us.
For remote logins we can disable root. Is this not enough?

Thank you.
WBR, Sergey



Re: LINUX Security

2002-12-16 Thread Alan Cox
On Mon, 2002-12-16 at 11:04, Sergey Korzhevsky wrote:
 Hi

 Could you explain to me, please, what is the reason to remove the 'root' name
 from a system?

In many languages the letter sequence root is meaningless, or even not
in their default characters.



Re: LINUX Security

2002-12-16 Thread Daniel Jarboe
Alan Cox wrote:
 On Mon, 2002-12-16 at 11:04, Sergey Korzhevsky wrote:
  Could you explain to me, please, what is the reason to remove
  the 'root' name from a system?

 In many languages the letter sequence root is meaningless,
 or even not
 in their default characters.


So what about names like /etc, /mnt, /var, /bin, /proc, which
probably don't translate well either.  And commands (ls, mv, cp), and
file names (/etc/shadow, /etc/fstab).  Where does one draw the line?

But of course I agree with the UID/GID thing... If something needs
privileges of UID 0, then the process should check that UID is 0, not
that username is root.  Most any requirement that a username/groupname
be news, ftp, root, nobody, etc. is poor design (a bug), but all in all,
standardized system usernames are a good thing, aren't they?

~ Daniel













Re: LINUX Security

2002-12-16 Thread Alan Cox
On Mon, 2002-12-16 at 14:53, Daniel Jarboe wrote:
 So what about names like like /etc, /mnt, /var, /bin, /proc, which
 probably don't translate well either.  And commands (ls, mv, cp), and
 file names (/etc/shadow, /etc/fstab).  Where does one draw the line?

Wherever you like. Note that for file naming you want symlinks because
the standards make guarantees. Normally people just translate the gui.
However, when you log in, you do with your username...



Re: LINUX Security

2002-12-16 Thread Sergey Korzhevsky
It is all right, but when I asked this question, I meant security. Does
it improve security?


WBR, Sergey







Re: LINUX Security

2002-12-16 Thread Susanne Oberhauser
Sergey Korzhevsky [EMAIL PROTECTED] writes:

 Hi
 
 Could you explain to me, please, what is the reason to remove the 'root'
 name from a system?


there is none --- to the contrary doing so is Evil (tm) for LSB
compliant distributions.

From http://www.linuxbase.org/spec/gLSB/gLSB/usernames.html:

   Linux Standard Base Specification 1.3.pr8
   Chapter 19. Users & Groups
---

User & Group Names

Below is a table of required mnemonic user and group names. This specification
makes no attempt to numerically assign uid or gid numbers. The exception is the
uid and gid for root which are equal to 0.

Table 19-1. Required User & Group Names

+------+------+-------------------------------------------+
|User  |Group |Comments                                   |
|------+------+-------------------------------------------|
|root  |root  |Administrative user with no restrictions   |

...

Table 19-2. Optional User & Group Names

+--------+--------+---------------------------------+
|User    |Group   |Comments                         |
|--------+--------+---------------------------------|
|adm     |adm     |Administrative special privileges|
|lp      |lp      |Printer special privileges       |
|sync    |sync    |Login to sync the system         |
|shutdown|shutdown|Login to shutdown the system     |
|halt    |halt    |Login to halt the system         |
|mail    |mail    |Mail special privileges          |
|news    |news    |News special privileges          |
|uucp    |uucp    |UUCP special privileges          |
|operator|root    |Operator special privileges      |
|man     |man     |Man special privileges           |
|nobody  |nobody  |Used by NFS                      |
+--------+--------+---------------------------------+




-- 
Susanne Oberhauser        SuSE Linux AG
+49-911-74053-574         Deutschherrnstr. 15-19
[EMAIL PROTECTED]         90429 Nürnberg
(penguins enjoy dinosaurs)



Re: LINUX Security

2002-12-16 Thread Matt Zimmerman
On Mon, Dec 16, 2002 at 05:08:54PM +0100, Susanne Oberhauser wrote:

 Sergey Korzhevsky [EMAIL PROTECTED] writes:

  Could you explain to me, please, what is the reason to remove the 'root'
  name from a system?

 there is none --- to the contrary doing so is Evil (tm) for LSB
 compliant distributions.

However, to rely on LSB compliance in portable programs is just as Evil.

10   Thou shalt foreswear, renounce, and abjure the vile heresy which claimeth
that ``All the world's [an LSB-compliant Linux system]'', and have no commerce
with the benighted heathens who cling to this barbarous belief, that the days
of thy program may be long even though the days of thy current machine be
short.


--
 - mdz



Re: LINUX Security

2002-12-16 Thread John Summerfield
On Mon, 16 Dec 2002, Sergey Korzhevsky wrote:

 It is all right, but when I asked this question, I meant security. Does
 it improve security?

Not nearly as much as having a decent password.



--


Cheers
John.

Join the Linux Support by Small Businesses list at
http://mail.computerdatasafe.com.au/mailman/listinfo/lssb



Re: LINUX Security

2002-12-12 Thread Matt Zimmerman
On Thu, Dec 12, 2002 at 10:18:07AM +0800, John Summerfield wrote:

 However, don't suppose that not having a root account called root is
 something you would want to do.

It would earn you dirty looks from wizened UNIX folk, but should be
supported.

 Just a couple of hours ago I was looking at a Debian script that assumes
 id -u -n returns root for UID=0.

Please report a bug against that package, or tell me where you saw this and
I will report the bug.

--
 - mdz



Re: LINUX Security

2002-12-12 Thread Matt Zimmerman
On Fri, Dec 13, 2002 at 05:25:52AM +0800, John Summerfield wrote:

 On Thu, 12 Dec 2002, Matt Zimmerman wrote:
  Please report a bug against that package, or tell me where you saw this and
  I will report the bug.

 The script is su-to-root, the package menu.

Bug

 I'd certainly not bet that the same thing doesn't occur in Red Hat Linux,
 and the fact someone ran RHL without an account called root doesn't mean a
 lot. I'm sure I could run this system for a long time without running into
 the problem.

Probably so.  This is generally valid, but definitely nonstandard.  In the
case of su-to-root, the script will do the wrong thing for users with uid 0
which are not named 'root', which is wrong anyway.

 I don't think using UID=0 as a test for whether a user has the capacity to
 perform some action is all that wonderful either, though I don't know a
 better way. In some cases, one can test by trying to do it - to see if I
 can write in a particular directory, try to create a file there. Lots of
 people here have /usr mounted ro. Some may have played with LIDS. I had a
 play with Engarde Linux a while ago, and root is severely curtailed.

In the case of su-to-root, checking for uid 0 is the best solution available
due to the nature of the interface provided.  It provides a means for
arbitrary commands which require root privileges to be (for example)
launched from a menu interface, by providing the user the opportunity to su.
If they are already root, this is obviously unnecessary.

On a filesystem, the access() system call is the right thing to do.

--
 - mdz
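An added example (mine, not su-to-root's code or anything from the thread) of the two ideas above: access(2) to ask whether a path is writable instead of deducing it from uid 0, and the "try to do it" probe John described. Function names are assumptions of the example; it takes an optional directory path as its argument.

```c
/* Added example (not su-to-root's code): ask the kernel whether an operation
 * is allowed instead of inferring it from uid 0 or a username. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* access(2) answers "may the process's *real* uid write here?" without
 * touching the directory. 1 if writable, 0 otherwise. */
int can_write_dir(const char *dir)
{
    return access(dir, W_OK) == 0;
}

/* Turn the access() failure into a loggable reason. A bare uid test cannot
 * tell "missing" from "denied" from "read-only filesystem" (John's ro /usr). */
const char *explain_write_failure(const char *dir)
{
    if (access(dir, W_OK) == 0)
        return "writable";
    switch (errno) {
    case ENOENT: return "missing";
    case EACCES: return "permission denied";
    case EROFS:  return "read-only filesystem";
    default:     return "other error";
    }
}

/* The "try to do it" approach: create and remove a scratch file. This uses
 * the effective uid, and the check is the operation itself, so there is no
 * window between checking and using. 1 on success, 0 on failure. */
int probe_write(const char *dir)
{
    char path[4096];
    int fd;

    if (snprintf(path, sizeof path, "%s/.probe.XXXXXX", dir) >= (int)sizeof path)
        return 0;
    fd = mkstemp(path);
    if (fd < 0)
        return 0;
    close(fd);
    unlink(path);
    return 1;
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "/tmp";

    printf("%s: access() says %s; probe says %s; uid says %s\n",
           dir, explain_write_failure(dir),
           probe_write(dir) ? "writable" : "not writable",
           geteuid() == 0 ? "root" : "not root");
    return 0;
}
```

access() checks against the real uid and its answer can change between the check and the write, so the probe is the one to trust when the process is about to write anyway; access() is the right tool when you only want to report or decide, and its errno tells you which of ENOENT, EACCES or EROFS you are looking at.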



Re: LINUX Security

2002-12-12 Thread Matt Zimmerman
On Thu, Dec 12, 2002 at 04:53:54PM -0500, Matt Zimmerman wrote:

 Bug

Bug #172831, that is.

--
 - mdz



Re: LINUX Security

2002-12-12 Thread Jeremy Warren
We have not tried it yet but there exists MKS AD4Unix which is an NT/2000
Active Directory Extension to allow Unix authentication and user
information to be stored in Active Directory.

Check out:
http://www.css-solutions.ca/ad4unix/

and

http://online.securityfocus.com/infocus/1563









Re: LINUX Security

2002-12-12 Thread John Summerfield
On Thu, 12 Dec 2002, Matt Zimmerman wrote:

 On Thu, Dec 12, 2002 at 04:53:54PM -0500, Matt Zimmerman wrote:

  Bug

 Bug #172831, that is.

Thanks Matt.

One of the things I like about Debian is the ability to report bugs bu
email.

I've not yet tried reporting a bug offline, but I have hopes.


--


Cheers
John.

Join the Linux Support by Small Businesses list at
http://mail.computerdatasafe.com.au/mailman/listinfo/lssb



Re: LINUX Security

2002-12-11 Thread Wesley Parish
On Wednesday 11 December 2002 04:42 am, you wrote:
 Hello, we have just started to research SUSE Linux under z/VM, and I've
 been asked these questions:

 - Does SUSE Linux issue any SAF (RACF) calls for security in the z/VM
 environment ? If not, how is security handled ?

 - Are there any types of SMF records cut to record access or violations
 to resources in a Linux z/VM environment ?

 - Does anyone have a link to more specific security / Linux information ?

http://www.linuxsecurity.com/
http://lsm.immunix.org/
http://www.nsa.gov/selinux/
http://sourceforge.net/project/showfiles.php?group_id=21266
http://www.grsecurity.net/
http://www.snort.org/
http://www.chkrootkit.org/
http://www.wiretapped.net/
http://www.cert.org/

That's what I came up with on short notice.

security-enhanced linux and grsecurity-linux have an intensive development of 
Access Control Lists and Role Based Access Control, though in different ways.  
I expect they would be of equal interest at this preliminary stage.

I don't know anything about SuSE; I don't use it.

Wesley Parish


 Thanks.

-- 
Mau e ki, He aha te mea nui?
You ask, What is the most important thing?
Maku e ki, He tangata, he tangata, he tangata.
I reply, It is people, it is people, it is people.



Re: LINUX Security

2002-12-11 Thread Joseph Sumi
Thanks to everyone !!
Joe 



Re: LINUX Security

2002-12-11 Thread Carlos Ordonez
Vince, I guess my question is, if I have 50 linux images running under VM
and each of them have a root user, can I have a different password for each
of them? Carlos :-)


Saying goes: Great minds think alike - I say: Great minds think for
themselves!

Carlos A. Ordonez
IBM Corporation
Server Consolidation



 Vince, can you have multiple root ids and passwords? Carlos :-)

If you're asking whether you can have multiple user IDs with UID=0, then
the answer is yes. UID/GID, shell program and home directory all come
from the PAM server (ACF2, Top Secret, etc.), and there's no reason you
couldn't have multiple UID 0 IDs if you wanted to.

The nice thing about our PAM implementation is that you have a lot of
flexibility when it comes to restricting which Linux images (or
facilities within a Linux system) a given user can access. You might set
it up so that users get root privileges, but only on a particular Linux
image. Or, perhaps you'd let them use Telnet but not FTP. Because the
authentication is processed by ACF2/Top Secret, all of the normal system
entry controls are extended and apply to Linux as well. For example, an
earlier post asked about auditing, and with our PAM plug-in, you will
most definitely see a complete audit trail of Linux sign-on activity in
your z/OS SMF records.

Having said that, multiple UID 0 users might or might not be a good
thing on Linux because there would be no way to segregate their
permissions (that is, once logged on, any root user would have access to
all resources). Keep in mind that PAM is just for user authentication -
if you want true access control then you need something more. This is
where our eTrust Access Control product fits in: it's essentially
z/OS-style resource protection for Linux, and it provides the kind of
granular resource protection (including controlling what root users may
do), auditing, etc. that mainframe sites would be accustomed to.


Vince Re
Computer Associates



Re: LINUX Security

2002-12-11 Thread Arty Ecock
On Tue, 10 Dec 2002 15:06:39 -0500 David Boyes said:
 If you are an ACF2 (or CA-Top Secret) customer, then we have an
 open-source PAM plug-in that lets you authenticate directly
 against ACF2
 or Top Secret. The client side (the part that runs on Linux) is
 available in source code or pre-built RPM form (both Intel
 and mainframe
 Linux). The server is simply a built-in integrated part of ACF2. With
 our plug-in installed, you need no user definition on Linux - your
 existing mainframe security rules and passwords are all
 that's needed.

Nice. Will it be available for VM:Secure?

How about RACF?

Cheers,
Arty



Re: LINUX Security

2002-12-11 Thread Re, Vincent
 if I have 50 linux images running under VM and 
 each of them have a root user, can I have a different 
 password for each of them?

There are lots of options here, depending on exactly what you're trying
to achieve. Personally (as one who hates to remember different
passwords), I would rather have one ID and password, and use security
policy to control which systems I'm allowed to connect to. But if I
prefer, I could just as easily have a different root account/password on
each system. Or a mixture of both. The exact details vary depending on
which security product (ACF2, Top Secret, eTrust Access Control) you're
working with, but in general all of the system entry validation features
of the security products apply. 

Vince Re
Computer Associates



Re: LINUX Security

2002-12-11 Thread Carlos Ordonez
Thanks... that's cool - very nicely done Carlos :-)


Saying goes: Great minds think alike - I say: Great minds think for
themselves!

Carlos A. Ordonez
IBM Corporation
Server Consolidation






Re: LINUX Security

2002-12-11 Thread John Summerfield
On Wed, 11 Dec 2002, Ihno Krumreich wrote:


 I hope my understanding of the terms is right..
 For me accounting is to find out WHO has used a resource how much (to write bills).
 systat does not provide this information. systat just tells you
 how much a resource has been used at a given time. Its main goal
 is to find bottlenecks or to find a reason to the statement the
 system is slow.

I don't know; I've not used it. However, this makes me think it might do
more:
   -x pid | SELF | SUM | ALL
          Report statistics for a given process.  pid is the process
          identification number. The SELF keyword indicates that
          statistics

Maybe the information's there. Presumably, Sebastien Godard
[EMAIL PROTECTED], the author, would know what's there and
what can be added.


--


Cheers
John.

Join the Linux Support by Small Businesses list at
http://mail.computerdatasafe.com.au/mailman/listinfo/lssb



Re: LINUX Security

2002-12-11 Thread Kittendorf, Craig
Does it work with Top Secret on z/OS 1.4 ?

 -Original Message-
From:   Re, Vincent [mailto:[EMAIL PROTECTED]]
Sent:   Tuesday, December 10, 2002 3:32 PM
To: [EMAIL PROTECTED]
Subject:Re: LINUX  Security

The short answer is that yes, we're committed to including PAM server
components in all of our security products.

I believe ACF2 VM and Top Secret VM PAM support are already announced,
and I also believe VM:Secure is in the works. We're also looking at
providing PAM server support in our eTrust Access Control product, which
runs on Windows, Linux (mainframe and Intel) and a number of UNIX
platforms.


Vince Re
Computer Associates



Re: LINUX Security

2002-12-11 Thread Alan Cox
On Wed, 2002-12-11 at 13:02, Carlos Ordonez wrote:
 Vince, I guess my question is, if I have 50 linux images running under VM
 and each of them have a root user, can I have a different password for each
 of them? Carlos :-)

You don't have to call your uid 0 root either btw. Unix cares about uid
and cap bits not about the name. The name is a userspace construct
purely for human convenience. So you can have

bofh:*:0:... etc for your root



Re: LINUX Security

2002-12-11 Thread Rob van der Heij
At 23:20 10-12-02, Re, Vincent wrote:

If you're asking whether you can have multiple user IDs with UID=0, then
the answer is yes.

We tried this because I thought it would be nice to automatically logon the account 
'Operator' on the console and let it have uid=0, but be able to separate from 'root' 
in that it has its own home directory and things.
Unfortunately that made the 'id' command under root return 'Operator' with all kinds of 
annoying effects.

Rob
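What Rob saw follows from how uid-to-name lookup works. As an added example, not from the thread, here is a small parser for constructed passwd(5) lines that applies the same first-match rule getpwuid(3) and id(1) use, shows Alan's point that an entry like bofh:*:0:... is just another root, and counts uid 0 accounts, which is the check an auditor runs against /etc/passwd. The sample lines and function names are constructed for this example.

```c
/* Added example (not from the thread): parse constructed passwd(5) lines and
 * apply the first-match uid lookup that makes id(1) print "Operator" when a
 * second uid 0 account precedes root. Sample data and names are invented. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct pwent { char name[32]; long uid; char home[64]; };

/* Constructed sample: three uid 0 accounts, Operator listed first. */
static const char SAMPLE_PASSWD[] =
    "Operator:x:0:0:Console operator:/home/operator:/bin/bash\n"
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "bofh:*:0:0:Alan's alternative root:/root:/bin/bash\n"
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash\n";

/* Parse "name:passwd:uid:gid:gecos:home:shell" lines into out[]. Lines without
 * exactly seven fields or with a non-numeric uid are skipped. Returns count. */
size_t parse_passwd(const char *text, struct pwent *out, size_t max)
{
    size_t n = 0;
    const char *p = text;

    while (*p != '\0' && n < max) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512], *f[7], *cur, *end;
        int i;

        if (len < sizeof line) {
            memcpy(line, p, len);
            line[len] = '\0';
            cur = line;
            for (i = 0; i < 7; i++) {          /* split on ':', keeping empty fields */
                char *colon = strchr(cur, ':');
                f[i] = cur;
                if (colon == NULL)
                    break;
                *colon = '\0';
                cur = colon + 1;
            }
            if (i == 6 && *f[2] != '\0') {      /* exactly seven fields, uid present */
                out[n].uid = strtol(f[2], &end, 10);
                if (*end == '\0' && out[n].uid >= 0) {
                    snprintf(out[n].name, sizeof out[n].name, "%s", f[0]);
                    snprintf(out[n].home, sizeof out[n].home, "%s", f[5]);
                    n++;
                }
            }
        }
        if (nl == NULL)
            break;
        p = nl + 1;
    }
    return n;
}

/* First entry with this uid wins, exactly as getpwuid(3) and id(1) behave. */
const struct pwent *name_for_uid(const struct pwent *db, size_t n, long uid)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (db[i].uid == uid)
            return &db[i];
    return NULL;
}

/* The direction a "username == root" check relies on; -1 when absent. */
long uid_for_name(const struct pwent *db, size_t n, const char *name)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (strcmp(db[i].name, name) == 0)
            return db[i].uid;
    return -1;
}

/* Audit helper: more than one account with uid 0 is a finding worth logging. */
size_t count_uid(const struct pwent *db, size_t n, long uid)
{
    size_t i, c = 0;
    for (i = 0; i < n; i++)
        c += (db[i].uid == uid);
    return c;
}

int main(void)
{
    struct pwent db[16];
    size_t n = parse_passwd(SAMPLE_PASSWD, db, 16);
    const struct pwent *r = name_for_uid(db, n, 0);

    printf("uid 0 resolves to \"%s\" with home %s\n", r ? r->name : "?", r ? r->home : "?");
    printf("root is uid %ld, bofh is uid %ld, accounts with uid 0: %zu\n",
           uid_for_name(db, n, "root"), uid_for_name(db, n, "bofh"), count_uid(db, n, 0));
    return 0;
}
```

With Operator listed before root, uid 0 resolves to Operator and its home directory, which is exactly what made id(1) and everything keyed on it misbehave; a "username == root" test would fail for Operator and bofh even though both are uid 0.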



Re: LINUX Security

2002-12-11 Thread Jere Julian
While there are exceptions to every rule it is VERY BAD form to use the
root account for much of anything!  It's just too dangerous.   The
current best practice is to disable logins as root.  First, root should
never log in over a network and probably should be locked completely.
What one should do instead is set up sudo such that groups of persons
have explicit access to what they need to do.  This has the advantage of
logging any root level actions that are performed and any unauthorized
attempts to perform root level actions.

For more information see 'man sudo' and 'man sudoers', and do a Google search
on sudo.

-Jere

On Wed, Dec 11, 2002 at 04:35:43PM +0100, Rob van der Heij wrote:
 At 23:20 10-12-02, Re, Vincent wrote:
 
 If you're asking whether you can have multiple user IDs with UID=0, then
 the answer is yes.
 
 We tried this because I thought it would be nice to automatically logon the account 
'Operator' on the console and let it have uid=0, but be able to separate from 'root' 
in that it has its own home directory and things.
 Unfortunately that made the 'id' command under root return 'Operator' with all kinds 
of annoying effects.
 
 Rob
---end quoted text---

-- 
-
   | Jere Julian, RHCE, CCNA  Cisco Systems, Inc.  ITD - IBM Sustaining  |
   | mailto:[EMAIL PROTECTED]  7025 Kit Creek Rd, RTP, NC 27709  |
-





Re: LINUX Security

2002-12-11 Thread Michael Katz
Beware though that with the current rootkits available a total idiot with a
browser can download programs that can bypass many of these schemes and
become root very, very, very easily.  You really need to know nothing in
most cases to run these rootkits so beware and keep your ftp, ssh and ssl
daemons patched up to the minute.

M Katz
RAE Internet




Re: LINUX Security

2002-12-11 Thread John Summerfield
On Wed, 11 Dec 2002 23:42, you wrote:
 On Wed, 2002-12-11 at 13:02, Carlos Ordonez wrote:
  Vince, I guess my question is, if I have 50 linux images running under VM
  and each of them have a root user, can I have a different password for
  each of them? Carlos :-)

 You don't have to call your uid 0 root either btw. Unix cares about uid
 and cap bits not about the name. The name is a userspace construct
 purely for human convenience. So you can have

 bofh:*:0:... etc for your root

However, don't suppose that not having a root account called root is something
you would want to do.

Just a couple of hours ago I was looking at a Debian script that assumes id -u
-n returns root for UID=0.



--
Cheers
John Summerfield


Microsoft's most solid OS: http://www.geocities.com/rcwoolley/
Join the Linux Support by Small Businesses list at
http://mail.computerdatasafe.com.au/mailman/listinfo/lssb



Re: LINUX Security

2002-12-10 Thread David Boyes
 - Does SUSE Linux issue any SAF (RACF) calls for security in
 the z/VM environment ?

No.

 If not, how is security handled ?

Purely internally. Treat it as a standalone Unix system, with the exact
same requirements.

 - Are there any types of SMF records cut to record access
 or violations to resources in a Linux z/VM environment ?

There are entries in /var/log, just as on a normal Unix system. Neale's
hcp command can be used to write those messages from syslog to a
VM-based service, but it is not in the standard distributions.  There is
also rudimentary SVC 76 support for writing accounting records, but this
also doesn't fit the bill.

 - Does anyone have a link to more specific security / Linux
 information ?

It is done exactly like discrete Intel boxes. Your local bookstore
should have plenty of Linux security books.



Re: LINUX Security

2002-12-10 Thread A. Harry Williams
On Tue, 10 Dec 2002 11:52:52 -0500 David Boyes said:
 - Does SUSE Linux issue any SAF (RACF) calls for security in
 the z/VM environment ?

No.

 If not, how is security handled ?

Purely internally. Treat it as a standalone Unix system, with the exact
same requirements.

 - Are there any types of SMF records cut to record access
 or violations to resources in a Linux z/VM environment ?

There are entries in /var/log, just as on a normal Unix system. Neale's
hcp command can be used to write those messages from syslog to a
VM-based service, but it is not in the standard distributions.  There is
also rudimentary SVC 76 support for writing accounting records, but this
also doesn't fit the bill.


SVC 76 is LOGREC (aka EREP), and while similar in many ways to syslog,
isn't going to have SMF80 records, which I believe is what
you would want from MVS.  The syslog is going to record that in Linux.
One of the biggest differences between SMF and syslog is that SMF
allows binary data.

For VM, if journalling is turned on, SMF80 would be accounting records
cut and collected by DISKACNT on most systems or your ESM would do it itself.
Other types of SMF records would end up being Monitor records.  With the
DIAG driver, you could use DIAG 4C to cut VM accounting records from
Linux, but you would need OPTION ACCT in the CP directory and
they still wouldn't be the exact same format as the CP generated bad logon,
bad link etc.




 - Does anyone have a link to more specific security / Linux
 information ?

It is done exactly like discrete Intel boxes. Your local bookstore
should have plenty of Linux security books.



Re: LINUX Security

2002-12-10 Thread James Melin
I'd like to add a follow-on question to this.

Has anyone gotten Linux to update user IDs/passwords from an NT central
domain? Is it possible to synchronize those, or failing that has anyone
gotten Linux security to refresh from RACF or ACF2 security databases, or
even authenticate logon using LDAP into RACF or ACF2 instead of manually
trying to synchronize Linux user lists/passwords/groups/ etc.



From: Joseph Sumi [EMAIL PROTECTED]
Sent by: Linux on 390 Port [EMAIL PROTECTED]
Date: 12/10/2002 09:42 AM
Please respond to: Linux on 390 Port
To: [EMAIL PROTECTED]
Subject: LINUX & Security




Hello, we have just started to research SUSE Linux under z/VM, and I've
been asked these questions:

- Does SUSE Linux issue any SAF (RACF) calls for security in the z/VM
environment ? If not, how is security handled ?

- Are there any types of SMF records cut to record access or violations
to resources in a Linux z/VM environment ?

- Does anyone have a link to more specific security / Linux information ?

Thanks.



Re: LINUX Security

2002-12-10 Thread Joe Poole
Although I'm not deep enough into the process to be dangerous, you 
might want to look at the z/OS LDAP server.  Check the Redbook 
Securing Linux for zSeries with a Central z/OS (RACF) LDAP Server 
and the two publications SC24-5923-03 and SC24-5924-02 dealing with 
administration and Client programming.  It might answer some of your 
questions.  We're looking at it as a way to perform the old RACHECK 
from a client application to authenticate a user's connection to a 
specific RACF group.

On Tuesday 10 December 2002 13:26, you wrote:
 I'd like to add a follow-on question to this.

 Has anyone gotten Linux to update user IDs/passwords from an NT
 central domain? Is it possible to synchronize those, or failing
 that has anyone gotten Linux security to refresh from RACF or ACF2
 security databases, or even authenticate logon using LDAP into RACF
 or ACF2 instead of manually trying to synchronize Linux user
 lists/passwords/groups/ etc.


 Hello, we have just started to research SUSE Linux under z/VM, and
 I've been asked these questions:

 - Does SUSE Linux issue any SAF (RACF) calls for security in the
 z/VM environment ? If not, how is security handled ?

 - Are there any types of SMF records cut to record access or
 violations to resources in a Linux z/VM environment ?

 - Does anyone have a link to more specific security / Linux
 information ?

 Thanks.



Re: LINUX Security

2002-12-10 Thread Re, Vincent
If you are an ACF2 (or CA-Top Secret) customer, then we have an
open-source PAM plug-in that lets you authenticate directly against ACF2
or Top Secret. The client side (the part that runs on Linux) is
available in source code or pre-built RPM form (both Intel and mainframe
Linux). The server is simply a built-in integrated part of ACF2. With
our plug-in installed, you need no user definition on Linux - your
existing mainframe security rules and passwords are all that's needed. 

Compared to the LDAP approach, our PAM implementation is faster, just as
secure (we use OpenSSL on the network connection), and includes a number
of additional features that help you control who should be able to
connect to a particular Linux image. 

It's described in the ACF2 6.5 Product Announcement, which you can read
here:
http://www3.ca.com/Files/ProductAnnouncements/etrust_acf2_pd_rel65.pdf

Vince Re
Computer Associates

-Original Message-
From: James Melin [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, December 10, 2002 1:27 PM
To: [EMAIL PROTECTED]
Subject: Re: LINUX  Security

I'd like to add a follow-on question to this.

Has anyone gotten Linux to update user IDs/passwords from an NT central
domain? Is it possible to synchronize those, or failing that has anyone
gotten Linux security to refresh from RACF or ACF2 security databases, or
even authenticate logon using LDAP into RACF or ACF2 instead of manually
trying to synchronize Linux user lists/passwords/groups/ etc.







Hello, we have just started to research SUSE Linux under z/VM, and I've
been asked these questions:

- Does SUSE Linux issue any SAF (RACF) calls for security in the z/VM
environment ? If not, how is security handled ?

- Are there any types of SMF records cut to record access or violations
to resources in a Linux z/VM environment ?

- Does anyone have a link to more specific security / Linux information ?

Thanks.



Re: LINUX Security

2002-12-10 Thread David Boyes
 If you are an ACF2 (or CA-Top Secret) customer, then we have an
 open-source PAM plug-in that lets you authenticate directly
 against ACF2
 or Top Secret. The client side (the part that runs on Linux) is
 available in source code or pre-built RPM form (both Intel
 and mainframe
 Linux). The server is simply a built-in integrated part of ACF2. With
 our plug-in installed, you need no user definition on Linux - your
 existing mainframe security rules and passwords are all
 that's needed.

Nice. Will it be available for VM:Secure?

-- db





Re: LINUX Security

2002-12-10 Thread James Melin
We are currently an ACF2 shop, but as of Sunday the 15th, we're RACF -
unfortunately for us. We are removing every piece of CA software on our
OS/390 system because of the prohibitively high licensing costs our manager
'negotiated'.  I would have preferred to keep ACF2, but alas.




From: Re, Vincent [EMAIL PROTECTED]
Sent by: Linux on 390 Port [EMAIL PROTECTED]
Date: 12/10/2002 01:48 PM
Please respond to: Linux on 390 Port
To: [EMAIL PROTECTED]
Subject: Re: LINUX & Security




If you are an ACF2 (or CA-Top Secret) customer, then we have an
open-source PAM plug-in that lets you authenticate directly against ACF2
or Top Secret. The client side (the part that runs on Linux) is
available in source code or pre-built RPM form (both Intel and mainframe
Linux). The server is simply a built-in integrated part of ACF2. With
our plug-in installed, you need no user definition on Linux - your
existing mainframe security rules and passwords are all that's needed.

Compared to the LDAP approach, our PAM implementation is faster, just as
secure (we use OpenSSL on the network connection), and includes a number
of additional features that help you control who should be able to
connect to a particular Linux image.

It's described in the ACF2 6.5 Product Announcement, which you can read
here:
http://www3.ca.com/Files/ProductAnnouncements/etrust_acf2_pd_rel65.pdf

Vince Re
Computer Associates

-Original Message-
From: James Melin [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 10, 2002 1:27 PM
To: [EMAIL PROTECTED]
Subject: Re: LINUX  Security

I'd like to add a follow-on question to this.

Has anyone gotten Linux to update user IDs/passwords from an NT central
domain? Is it possible to synchronize those, or failing that has anyone
gotten Linux security to refresh from RACF or ACF2 security databases, or
even authenticate logon using LDAP into RACF or ACF2 instead of manually
trying to synchronize Linux user lists/passwords/groups/ etc.







Hello, we have just started to research SUSE Linux under z/VM, and I've
been asked these questions:

- Does SUSE Linux issue any SAF (RACF) calls for security in the z/VM
environment ? If not, how is security handled ?

- Are there any types of SMF records cut to record access or violations
to resources in a Linux z/VM environment ?

- Does anyone have a link to more specific security / Linux information ?

Thanks.



Re: LINUX Security

2002-12-10 Thread Gowans, Chuck
Is this a proprietary solution?

We have installed (on an Intel-based Linux) a PAM plug-in that authenticates
- via LDAP - to both RACF and ACF2 LDAP servers running on OS/390 2.10; We
are just starting to test the same on S390-based Linux.

How would the CA Direct-to-ACF2/TopSecret solution be faster?

Chuck Gowans
USDA - Nat'l IT Center



-Original Message-
From: Re, Vincent [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 10, 2002 1:49 PM
To: [EMAIL PROTECTED]
Subject: Re: LINUX  Security


If you are an ACF2 (or CA-Top Secret) customer, then we have an
open-source PAM plug-in that lets you authenticate directly against ACF2
or Top Secret. The client side (the part that runs on Linux) is
available in source code or pre-built RPM form (both Intel and mainframe
Linux). The server is simply a built-in integrated part of ACF2. With
our plug-in installed, you need no user definition on Linux - your
existing mainframe security rules and passwords are all that's needed.

Compared to the LDAP approach, our PAM implementation is faster, just as
secure (we use OpenSSL on the network connection), and includes a number
of additional features that help you control who should be able to
connect to a particular Linux image.

It's described in the ACF2 6.5 Product Announcement, which you can read
here:
http://www3.ca.com/Files/ProductAnnouncements/etrust_acf2_pd_rel65.pdf

Vince Re
Computer Associates

-Original Message-
From: James Melin [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 10, 2002 1:27 PM
To: [EMAIL PROTECTED]
Subject: Re: LINUX  Security

I'd like to add a follow-on question to this.

Has anyone gotten Linux to update user IDs/passwords from an NT central
domain? Is it possible to synchronize those, or failing that has anyone
gotten Linux security to refresh from RACF or ACF2 security databases, or
even authenticate logon using LDAP into RACF or ACF2 instead of manually
trying to synchronize Linux user lists/passwords/groups/ etc.







Hello, we have just started to research SUSE Linux under z/VM, and I've
been asked these questions:

- Does SUSE Linux issue any SAF (RACF) calls for security in the z/VM
environment ? If not, how is security handled ?

- Are there any types of SMF records cut to record access or violations
to resources in a Linux z/VM environment ?

- Does anyone have a link to more specific security / Linux information ?

Thanks.



Re: LINUX Security

2002-12-10 Thread Re, Vincent
The short answer is that yes, we're committed to including PAM server
components in all of our security products. 

I believe ACF2 VM and Top Secret VM PAM support are already announced,
and I also believe VM:Secure is in the works. We're also looking at
providing PAM server support in our eTrust Access Control product, which
runs on Windows, Linux (mainframe and Intel) and a number of UNIX
platforms. 


Vince Re
Computer Associates  

-Original Message-
From: David Boyes [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, December 10, 2002 3:07 PM
To: [EMAIL PROTECTED]
Subject: Re: LINUX  Security

 If you are an ACF2 (or CA-Top Secret) customer, then we have an
 open-source PAM plug-in that lets you authenticate directly
 against ACF2
 or Top Secret. The client side (the part that runs on Linux) is
 available in source code or pre-built RPM form (both Intel
 and mainframe
 Linux). The server is simply a built-in integrated part of ACF2. With
 our plug-in installed, you need no user definition on Linux - your
 existing mainframe security rules and passwords are all
 that's needed.

Nice. Will it be available for VM:Secure?

-- db





Re: LINUX Security

2002-12-10 Thread Carlos Ordonez
Vince, can you have multiple root ids and passwords? Carlos :-)


Saying goes: Great minds think alike - I say: Great minds think for
themselves!

Carlos A. Ordonez
IBM Corporation
Server Consolidation



From: Re, Vincent [EMAIL PROTECTED]
Sent by: Linux on 390 Port [EMAIL PROTECTED]
Date: 12/10/2002 02:48 PM
Please respond to: Linux on 390 Port
To: [EMAIL PROTECTED]
Subject: Re: LINUX & Security




If you are an ACF2 (or CA-Top Secret) customer, then we have an
open-source PAM plug-in that lets you authenticate directly against ACF2
or Top Secret. The client side (the part that runs on Linux) is
available in source code or pre-built RPM form (both Intel and mainframe
Linux). The server is simply a built-in integrated part of ACF2. With
our plug-in installed, you need no user definition on Linux - your
existing mainframe security rules and passwords are all that's needed.

Compared to the LDAP approach, our PAM implementation is faster, just as
secure (we use OpenSSL on the network connection), and includes a number
of additional features that help you control who should be able to
connect to a particular Linux image.

It's described in the ACF2 6.5 Product Announcement, which you can read
here:
http://www3.ca.com/Files/ProductAnnouncements/etrust_acf2_pd_rel65.pdf

Vince Re
Computer Associates

-Original Message-
From: James Melin [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 10, 2002 1:27 PM
To: [EMAIL PROTECTED]
Subject: Re: LINUX  Security

I'd like to add a follow-on question to this.

Has anyone gotten Linux to update user IDs/passwords from an NT central
domain? Is it possible to synchronize those, or failing that has anyone
gotten Linux security to refresh from RACF or ACF2 security databases, or
even authenticate logon using LDAP into RACF or ACF2 instead of manually
trying to synchronize Linux user lists/passwords/groups/ etc.







Hello, we have just started to research SUSE Linux under z/VM, and I've
been asked these questions:

- Does SUSE Linux issue any SAF (RACF) calls for security in the z/VM
environment ? If not, how is security handled ?

- Are there any types of SMF records cut to record access or violations
to resources in a Linux z/VM environment ?

- Does anyone have a link to more specific security / Linux information ?

Thanks.



Re: LINUX Security

2002-12-10 Thread Re, Vincent
 Is this a proprietary solution?

The client side (the PAM plug-in that runs on Linux) is open-source. In
the example we talked about below, the *server* - which is an integrated
feature of our ACF2 (or our other security products) - is proprietary,
but there's no reason that IBM (or anyone else) couldn't develop an
alternate server of their own. In this regard, our PAM plug-in is
exactly like what you're using for LDAP: the protocol and clients are
open-source, but the LDAP server implementation (whether you use IBM's
or ours) is proprietary. 

 How would the CA Direct-to-ACF2/TopSecret solution be faster?

The short answer is that our protocol is more efficient because it's
tailored to the specific needs of a Linux user logging on through PAM.
In contrast, LDAP is a general purpose function capable of much more
than just authenticating Linux users, and this added complexity makes it
less efficient. Since ACF2 includes both LDAP and direct PAM interfaces,
you could certainly setup both and compare...I believe you'll see less
CPU utilization and network traffic with our PAM solution. 


Vince Re
Computer Associates  



Re: LINUX Security

2002-12-10 Thread Wolfe, Gordon W
Keep us informed on this, will you Joe?

Christmas is a funny season.  What other time of the year do you sit in front of a 
dead tree and eat candy out of your socks?
Gordon Wolfe, Ph.D. (425)865-5940
VM Technical Services, The Boeing Company

 --
 From: Joe Poole
 Reply To: Linux on 390 Port
 Sent: Tuesday, December 10, 2002 11:31 AM
 To:   [EMAIL PROTECTED]
 Subject:  Re: LINUX  Security
 
 Although I'm not deep enough into the process to be dangerous, you 
 might want to look at the z/OS LDAP server.  Check the Redbook 
 Securing Linux for zSeries with a Central z/OS (RACF) LDAP Server 
 and the two publications SC24-5923-03 and SC24-5924-02 dealing with 
 administration and Client programming.  It might answer some of your 
 questions.  We're looking at it as a way to perform the old RACHECK 
 from a client application to authenticate a user's connection to a 
 specific RACF group.
 
 On Tuesday 10 December 2002 13:26, you wrote:
  I'd like to add a follow-on question to this.
 
  Has anyone gotten Linux to update user IDs/passwords from an NT
  central domain? Is it possible to synchronize those, or failing
  that has anyone gotten Linux security to refresh from RACF or ACF2
  security databases, or even authenticate logon using LDAP into RACF
  or ACF2 instead of manually trying to synchronize Linux user
  lists/passwords/groups/ etc.
 
 
  Hello, we have just started to research SUSE Linux under z/VM, and
  I've been asked these questions:
 
  - Does SUSE Linux issue any SAF (RACF) calls for security in the
  z/VM environment ? If not, how is security handled ?
 
  - Are there any types of SMF records cut to record access or
  violations to resources in a Linux z/VM environment ?
 
  - Does anyone have a link to more specific security / Linux
  information ?
 
  Thanks.
 
 



Re: LINUX Security

2002-12-10 Thread John Summerfield
On Tue, 10 Dec 2002, A. Harry Williams wrote:

  - Are there any types of SMF records cut to record access
  or violations to resources in a Linux z/VM environment ?

I don't know of a way to detect accesses to datasets a user shouldn't be
accessing. An ordinary user can't read /etc/shadow, but I don't know how
to detect the attempt.

 There are entries in /var/log, just as on a normal Unix system. Neale's
 hcp command can be used to write those messages from syslog to a
 VM-based service, but it is not in the standard distributions.  There is
 also rudimentary SVC 76 support for writing accounting records, but this
 also doesn't fit the bill.
There is accounting available. Look at sysstat, homepage
http://perso.wanadoo.fr/sebastien.godard/

I've no idea how it performs, accounting is not something I've wanted to
do.




--


Cheers
John.

Join the Linux Support by Small Businesses list at
http://mail.computerdatasafe.com.au/mailman/listinfo/lssb



Re: LINUX Security

2002-12-10 Thread Joe Poole
Will do.  Also, for those with access to the presentations from the 
October Tech Conference in Miami (VM/VSE/zOS/Linux) see A02 and A08 
by Jon Furminger of IBM.  Good overviews.  

On Tuesday 10 December 2002 15:37, you wrote:
 Keep us informed on this, will you Joe?

 Christmas is a funny season.  What other time of the year do you
 sit in front of a dead tree and eat candy out of your socks? Gordon
 Wolfe, Ph.D. (425)865-5940
 VM Technical Services, The Boeing Company

  --
  From: Joe Poole
  Reply To: Linux on 390 Port
  Sent: Tuesday, December 10, 2002 11:31 AM
  To:   [EMAIL PROTECTED]
  Subject:  Re: LINUX  Security
 
  Although I'm not deep enough into the process to be dangerous, you
  might want to look at the z/OS LDAP server.  Check the Redbook
  Securing Linux for zSeries with a Central z/OS (RACF) LDAP
  Server and the two publications SC24-5923-03 and SC24-5924-02
  dealing with administration and Client programming.  It might
  answer some of your questions.  We're looking at it as a way to
  perform the old RACHECK from a client application to authenticate
  a user's connection to a specific RACF group.
 
  On Tuesday 10 December 2002 13:26, you wrote:
   I'd like to add a follow-on question to this.
  
   Has anyone gotten Linux to update user IDs/passwords from an NT
   central domain? Is it possible to synchronize those, or failing
   that has anyone gotten Linux security to refresh from RACF or
   ACF2 security databases, or even authenticate logon using LDAP
   into RACF or ACF2 instead of manually trying to synchronize Linux
   user lists/passwords/groups/ etc.
 
 
   Hello, we have just started to research SUSE Linux under z/VM,
  and I've been asked these questions:
 
   - Does SUSE Linux issue any SAF (RACF) calls for security in the
   z/VM environment ? If not, how is security handled ?
 
   - Are there any types of SMF records cut to record access or
   violations to resources in a Linux z/VM environment ?
 
   - Does anyone have a link to more specific security / Linux
   information ?
 
   Thanks.



Re: LINUX Security

2002-12-10 Thread Re, Vincent
 Vince, can you have multiple root ids and passwords? Carlos :-)

If you're asking whether you can have multiple user IDs with UID=0, then
the answer is yes. UID/GID, shell program and home directory all come
from the PAM server (ACF2, Top Secret, etc.), and there's no reason you
couldn't have multiple UID 0 IDs if you wanted to. 

The nice thing about our PAM implementation is that you have a lot of
flexibility when it comes to restricting which Linux images (or
facilities within a Linux system) a given user can access. You might set
it up so that users get root privileges, but only on a particular Linux
image. Or, perhaps you'd let them use Telnet but not FTP. Because the
authentication is processed by ACF2/Top Secret, all of the normal system
entry controls are extended and apply to Linux as well. For example, an
earlier post asked about auditing, and with our PAM plug-in, you will
most definitely see a complete audit trail of Linux sign-on activity in
your z/OS SMF records.   

Having said that, multiple UID 0 users might or might not be a good
thing on Linux because there would be no way to segregate their
permissions (that is, once logged on, any root user would have access to
all resources). Keep in mind that PAM is just for user authentication -
if you want true access control then you need something more. This is
where our eTrust Access Control product fits in: it's essentially
z/OS-style resource protection for Linux, and it provides the kind of
granular resource protection (including controlling what root users may
do), auditing, etc. that mainframe sites would be accustomed to. 


Vince Re
Computer Associates
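The reply above points out that a central PAM server can hand out several user IDs with UID 0 and that, once logged on, nothing on Linux distinguishes them. The script below is an added example (not from the thread and not CA's code) of the check a defender would run on the Linux side: which names resolve to UID 0, and which UIDs are shared by more than one name. The passwd lines are constructed sample data.

```python
"""Audit passwd-format account data for UID 0 and shared UIDs.

Added example, not from the mailing-list thread. The kernel identifies a
user by number only, so every name that maps to UID 0 is root, and file
ownership, process credentials and most log lines cannot tell two names
that share a UID apart after the fact.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple


class PasswdEntry(NamedTuple):
    name: str
    uid: int
    gid: int
    home: str
    shell: str


# Constructed sample in passwd(5) format: name:passwd:uid:gid:gecos:home:shell
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
sysadm:x:0:0:second UID 0 account:/home/sysadm:/bin/bash
mary:x:500:100:sample user:/home/mary:/bin/bash
ops:x:501:100:operations:/home/ops:/bin/bash
backup:x:501:100:shares the ops uid:/home/backup:/bin/sh
"""


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse passwd(5) records, skipping blank and comment lines.

    A record with the wrong field count or a non-numeric uid/gid is
    rejected rather than skipped: a malformed line is itself a finding.
    """
    entries: List[PasswdEntry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        if not (uid.isdigit() and gid.isdigit()):
            raise ValueError(f"line {lineno}: uid/gid must be numeric")
        entries.append(PasswdEntry(name, int(uid), int(gid), home, shell))
    return entries


def uid0_accounts(entries: List[PasswdEntry]) -> List[str]:
    """Every name returned here is root to the kernel, whatever it is called."""
    return [e.name for e in entries if e.uid == 0]


def shared_uids(entries: List[PasswdEntry]) -> Dict[int, List[str]]:
    """UIDs used by more than one account, with the names that share them."""
    by_uid: Dict[int, List[str]] = defaultdict(list)
    for e in entries:
        by_uid[e.uid].append(e.name)
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


def findings(entries: List[PasswdEntry]) -> List[str]:
    """Human-readable findings; an empty list means nothing to report."""
    out: List[str] = []
    extra_root = [n for n in uid0_accounts(entries) if n != "root"]
    if extra_root:
        out.append("additional UID 0 accounts: " + ", ".join(extra_root))
    for uid, names in sorted(shared_uids(entries).items()):
        if uid == 0:
            continue  # already reported above
        out.append(f"uid {uid} shared by: " + ", ".join(names))
    return out


def live_entries() -> List[PasswdEntry]:
    """The same checks against the running system. Going through the pwd
    database rather than reading /etc/passwd also covers accounts supplied
    by NSS back ends such as an LDAP directory."""
    import pwd  # POSIX only; imported here so the sample runs anywhere
    return [PasswdEntry(p.pw_name, p.pw_uid, p.pw_gid, p.pw_dir, p.pw_shell)
            for p in pwd.getpwall()]


if __name__ == "__main__":
    sample = parse_passwd(SAMPLE_PASSWD)
    for line in findings(sample) or ["no findings"]:
        print(line)
```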
 



Re: Linux security questions

2002-05-03 Thread John Summerfield

 I have to find some answers to these questions for our security
 plan (why is that part always harder than the install).  This is
 for SuSE 2.4.7 kernel.


 1. How can I enforce a password to contain at least 1
numeric, 1 alpha, and 1 special character?

I suspect you will need to change passwd (unix passwords) or smbpasswd
(passwords for Windows users) or provide a wrapper and hide those programs.


 2. How can I lockout a userid after 3 bad attempts at
password

pass.

It's an invitation to a DoS attack though.

 3. How can I set a login to timeout if a valid userid/pwd
is not entered within 2 minutes?


Isn't one minute good enough?

The standard login has one minute; ssh (I think) has its own limit which may be
different, but it does time out.

I have to say one minute can be a pain. I've had problems when the system was
thrashing (on Linux AND OS/2) and I could not login within the minute so as to
be able to investigate.



--
Cheers
John Summerfield

Microsoft's most solid OS: http://www.geocities.com/rcwoolley/

Note: mail delivered to me is deemed to be intended for me, for my disposition.

==
If you don't like being told you're wrong,
be right!



Re: Linux security questions

2002-05-02 Thread Ulrich Weigand

Mary Cortes wrote:

1. How can I enforce a password to contain at least 1
   numeric, 1 alpha, and 1 special character?

2. How can I lockout a userid after 3 bad attempts at
   password

3. How can I set a login to timeout if a valid userid/pwd
   is not entered within 2 minutes?

This is all stuff handled by the PAM (Pluggable Authentication
Modules) mechanism.

Unfortunately, PAM is so infinitely configurable that I'm
always at a loss trying to find out how to achieve any
particular setting ;-(

Maybe someone else knows the details, otherwise I can only
suggest reading the documentation, starting with 'man pam'
and looking under /usr/doc/packages/pam/.

Bye,
Ulrich

--
  Dr. Ulrich Weigand
  [EMAIL PROTECTED]



Re: Linux security questions

2002-05-02 Thread Post, Mark K

Marcy,

Most of this would be controlled by /etc/login.defs.  I don't know if PAM
overrules what's in here, honors it, ignores it, or what, though.

1. I'm not sure you can enforce this, per se, but if you enable cracklib
checking of passwords, they'll be reasonably strong passwords.
CRACKLIB_DICTPATH  /var/cache/cracklib/cracklib_dict

2. I don't know if locking out someone is possible, out of the box.

3. Two minutes is kind of long, but:
LOGIN_TIMEOUT   120

Mark Post

-Original Message-
From: Marcy Cortes [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 02, 2002 4:37 PM
To: [EMAIL PROTECTED]
Subject: Linux security questions


I have to find some answers to these questions for our security
plan (why is that part always harder than the install).  This is
for SuSE 2.4.7 kernel.


1. How can I enforce a password to contain at least 1
   numeric, 1 alpha, and 1 special character?

2. How can I lockout a userid after 3 bad attempts at
   password

3. How can I set a login to timeout if a valid userid/pwd
   is not entered within 2 minutes?

Thanks in advance!

Marcy Cortes
VM Systems Programming
Wells Fargo Services Company
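The three settings asked about in this thread, put together as an added example (not from any of the posters) for a shadow-utils and Linux-PAM login stack of that era. File paths, the ordering of the stack and the choice of pam_tally for the lockout are assumptions; the module options are the documented ones for pam_cracklib, pam_tally, pam_unix, login.defs and sshd_config.

```text
# /etc/pam.d/login   (added example, not from the thread)

# 2. Lock out after three failed attempts. pam_tally keeps a per-user
#    failure count (default file /var/log/faillog) and denies once it
#    reaches deny=; onerr=fail denies if the counter file is unreadable.
#    The account line resets the count after a successful login.
#    As noted earlier in the thread, anyone who can type three wrong
#    passwords can lock a user out, so watch faillog for that pattern.
auth      required   pam_tally.so     onerr=fail deny=3
auth      required   pam_unix.so
account   required   pam_tally.so
account   required   pam_unix.so

# 1. Password content. For pam_cracklib a negative credit is a minimum
#    count, so this demands at least one digit, one lower-case letter (the
#    "alpha" requirement) and one other (special) character, eight
#    characters overall. Add ucredit=-1 if an upper-case letter is wanted.
password  required   pam_cracklib.so  retry=3 minlen=8 dcredit=-1 lcredit=-1 ocredit=-1
password  required   pam_unix.so      use_authtok md5 shadow

session   required   pam_unix.so

# /etc/login.defs
# 3. login(1) reads this itself, independently of PAM: seconds to wait for
#    a valid userid/password before giving up. 120 is the two minutes
#    asked for; the stock value is 60, the one minute mentioned above.
LOGIN_TIMEOUT   120

# /etc/ssh/sshd_config
# ssh does not go through login(1) and applies its own limit, as the
# thread notes; keep the two in step.
LoginGraceTime  120
```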



Re: Linux Security

2001-12-20 Thread Post, Mark K

Gerard,

Just a quick look at the links on the linuxvm.org site turned up these.
There are others that will be more valuable coming from other people (and
then I get to add them to the list of links!):
Site Security Handbook - http://www.faqs.org/rfcs/rfc2196.html
Securing DNS (Linux version) - http://www.psionic.com/papers/dns/dns-linux
Linux-Privs - POSIX capabilities (security) -
http://www.uk.kernel.org/pub/linux/libs/security/linux-privs/
Linux Security State of the Union -
http://oss.software.ibm.com/developer/opensource/linux/whitepapers/LTC-Security-Whitepaper-external.pdf

Mark Post

-Original Message-
From: Gerard Graham [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 20, 2001 10:00 AM
To: [EMAIL PROTECTED]
Subject: Linux Security


In our efforts to move Linux along we are trying to get internet access to our
mainframe running Linux under VM. With that said I need to furnish my security
department with documentation and articles that relate to Linux security. This
is a new world for them and the better understanding they have of Linux security
the faster they will move in getting our Linux out to the net. The VM RACF or
ACF2 stuff I can handle; I just need more security doc on Linux. Can anyone
point me in the right direction?



Re: Linux Security

2001-12-20 Thread Werner

On Thu, 20 Dec 2001, Gerard Graham wrote:

 In our efforts to move Linux along we are trying to get internet access to our
 mainframe running Linux under VM. With that said I need to furnish my security
 department with documentation and articles that relate to Linux security. This
 is a new world for them and the better understanding they have of Linux security
 the faster they will move in getting our Linux out to the net. The VM RACF or
 ACF2 stuff I can handle; I just need more security doc on Linux. Can anyone point
 me in the right direction?

I'm doing a lot of security work and part of my job was to come up with a
comprehensive security standard and procedure for all our Linux servers
which are connected to the Internet (we are constantly under a security
audit by another company).

Here are my recommendations:

- Securing Linux: Step-by-Step from the SANS institute:
   http://www.sansstore.org/

   Try to follow these steps as close as possible for getting basic
   security installed on your servers.

- Securing & Optimizing Linux: The Ultimate Solution
  http://www.puschitz.com/Security.html

  This book is a must. It helps you to install _very_ secure Linux
  servers.

Hope this helps
Werner