In this article I want to introduce Linux security mechanisms (only briefly; the deeper material is beyond what I can write here, heh heh).

1 PAM mechanism

PAM is a shared library that provides a framework and a set of programming interfaces that move the work of authentication from the programmer to the administrator.
PAM lets the administrator switch between a variety of authentication methods: the local authentication method can be changed without recompiling the applications that authenticate. PAM includes the following features:
* encrypted passwords;
* any shadow password scheme;
* per-user resource limits, to prevent DoS attacks;
* restricting particular users to log in only from specific locations;
* the concept of "client plug-in agents", which lets PAM support machine-to-machine authentication in client/server systems.
PAM gives some of the more advanced authentication methods a convenient base; on top of it, high-technology authentication methods such as smart cards and fingerprint authentication are easy to develop.

2 Intrusion detection system (IDS)

This is a relatively new technology; very few servers have an IDS installed, and Linux has only recently shipped a version that includes such a tool. Although intrusion detection systems have a short history, they are developing very fast; currently popular ones are Snort, Portsentry, LIDS and so on (later I will give a dedicated briefing on intrusion detection systems). Using the tools Linux itself is equipped with and tools downloaded from the Internet, you can give your Linux system advanced intrusion detection capabilities, including:
* recording intrusion attempts and promptly notifying the administrator when an attack occurs;
* taking measures specified in advance when an attack occurs;
* sending misleading information, such as masquerading as another operating system so that an attacker thinks they are attacking a Windows NT or Solaris system (can we call this network deception?).

3 Encrypted file system

An encrypted file system builds encryption services into the file system, thereby increasing the security of the computer system. There are many reasons to want an encrypted file system, such as guarding against theft of the hard drive and against unauthorized access.
Linux currently has a variety of encrypting file systems, such as CFS, TCFS and CRYPTFS, of which the most representative is TCFS. It integrates cryptographic services tightly with the file system, so that users do not notice the file encryption process at all. TCFS does not modify the file system's data structures; backup and restore, and the semantics of user access to confidential files, are unchanged. TCFS makes encrypted files unreadable to the following users:
* anyone other than the legitimate owner;
* eavesdroppers on the communication line between the user and the remote file system;
* the file system server's root.
For legitimate users there is almost no difference between accessing confidential files and accessing ordinary files.

4 Security audit

Even when the system administrator is very smart and takes a variety of security measures, new vulnerabilities keep emerging, and attackers quickly seize the window before a vulnerability is fixed to break into as many machines as possible. Although Linux cannot predict when a host will be attacked, it can record the attacker's movements. Linux can also detect and record timing information and network connections. This information is redirected to logs for future reference. Logs are a very important part of the Linux security structure: they are the only real evidence of an attack (which is exactly why intruders so often delete or falsify them). Because attack methods are now so diverse, Linux provides log information at the network, host and user level. Linux can record:
* all system and kernel messages;
* which files remote users access;
* which processes a user can control;
* each command of specific users;
* every network connection with its source IP address and duration, and sometimes also the attacker's username and operating system.
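The audit section above says logs record each connection with its source address, and the IDS section says an IDS should record intrusion attempts and notify the administrator. The following added example (my own code, not from the article or from any IDS named in it) shows the smallest version of that pipeline: it parses constructed sshd-style auth log lines, counts login attempts per source IP, and raises an alert for any source that produces a burst of failed logins inside a time window. The log format, addresses and thresholds are all constructed for this example.

```python
"""Added example: audit-log analysis turning login records into intrusion alerts.
The log lines, hostnames and addresses below are constructed, not real data."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log in an sshd-like format (not real output).
SAMPLE_LOG = """\
Jan 10 03:14:01 host sshd[211]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Jan 10 03:14:03 host sshd[211]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Jan 10 03:14:05 host sshd[211]: Failed password for root from 203.0.113.7 port 51124 ssh2
Jan 10 03:14:06 host sshd[211]: Failed password for root from 203.0.113.7 port 51125 ssh2
Jan 10 03:14:08 host sshd[211]: Failed password for root from 203.0.113.7 port 51126 ssh2
Jan 10 03:20:40 host sshd[230]: Accepted publickey for alice from 198.51.100.5 port 40001 ssh2
Jan 10 03:25:12 host sshd[241]: Failed password for bob from 198.51.100.9 port 40200 ssh2
Jan 10 03:40:50 host sshd[250]: Accepted password for bob from 198.51.100.9 port 40300 ssh2
"""

# One login event per line: timestamp, result, method, user, source IP, port.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)

def parse(log_text, year=2024):
    """Return a list of login events; lines that are not login events are skipped.
    Syslog timestamps carry no year, so one is supplied by the caller."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events

def failed_login_bursts(events, threshold=4, window=timedelta(minutes=5)):
    """Return {ip: count} for every source IP that produced at least `threshold`
    failed logins inside one sliding window of length `window`."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            by_ip[e["ip"]].append(e["ts"])
    alerts = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink window from the left
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), count)
    return alerts

def attempts_by_ip(events):
    """Login attempts (successful or not) per source address, for the audit report."""
    return Counter(e["ip"] for e in events)

if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for ip, n in attempts_by_ip(evs).items():
        print(f"{ip}: {n} login attempts")
    for ip, n in failed_login_bursts(evs).items():
        print(f"ALERT: {n} failed logins from {ip} within 5 minutes; notify the administrator")
```

The sliding window is what makes this a detection rule rather than a plain count: a single user mistyping a password once a day never trips it, while a burst from one source does. In practice the alert would go to whatever notification channel the administrator uses; here it is only printed.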
5 Mandatory access control

Mandatory access control (MAC; MAC is not a single technology, and must not be confused with Mac) is access control defined and enforced by the system administrator from the perspective of the whole system. It labels the subjects and objects in the system and places mandatory restrictions on the sharing and flow of information, so that different users can access only the information related to them, within a specified scope, fundamentally preventing information leakage and chaotic access. Traditional MAC implementations are defined on the basis of the MLS policy from TCSEC, but because MLS itself has many shortcomings (inflexibility, poor compatibility, difficult management and so on), researchers have proposed a variety of MAC policies, such as DTE and RBAC. Since Linux is a free operating system, there are currently several implementations of mandatory access control for it; the more typical ones include SELinux, RSBAC, MAC and so on, and the policies they adopt vary.

The NSA's SELinux security architecture is called Flask. In this architecture, the security policy logic and a common interface are encapsulated in a component independent of the operating system; this component is known as the security server. The SELinux security server defines a security policy that blends type enforcement (TE), role-based access control (RBAC) and multi-level security (MLS). By replacing the security server, different security policies can be supported. The SELinux policy is defined in a policy configuration language, then compiled by checkpolicy into binary form and stored in the file /ss_policy, which is read into kernel space when the kernel boots. This means the security policy can differ every time the system boots. Policy can even be changed while the operating system is running, through the security_load_policy interface (as long as the configured policy allows such changes).
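To make the "security server" idea concrete, here is an added toy model (my own code, not SELinux's, and its rule syntax is only loosely modelled on SELinux policy statements): subjects and objects carry labels, the policy text is compiled into tables, and a single decide() call answers every access question. The RBAC layer checks that the subject's role permits its current type; the TE layer then looks for an allow rule, with everything else denied by default. Loading a different policy text swaps the whole decision, which is the point of keeping policy out of the rest of the system. The policy, types and contexts below are constructed for illustration.

```python
"""Added example: a minimal security server combining RBAC and TE checks.
Policy syntax, type names and contexts are constructed and simplified."""
from dataclasses import dataclass
import re

@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str          # domain type for a process, object type for a file

# Constructed policy text: role statements list the types a role may run as,
# allow rules grant permissions of a class from a source type to a target type.
POLICY = """
role user_r types { user_t };
role sysadm_r types { sysadm_t passwd_t };
allow user_t user_home_t : file { read write };
allow user_t shadow_t : file { };
allow passwd_t shadow_t : file { read write };
allow sysadm_t shadow_t : file { read };
"""

RULE_RE = re.compile(r"^allow (\S+) (\S+) : (\S+) \{([^}]*)\};$")
ROLE_RE = re.compile(r"^role (\S+) types \{([^}]*)\};$")

class SecurityServer:
    """Holds the compiled policy; decide() is the one interface the rest of the
    system calls, so replacing the server replaces the policy."""
    def __init__(self, policy_text):
        self.allow = {}   # (source_type, target_type, class) -> set of permissions
        self.roles = {}   # role -> set of types the role may run as
        for line in policy_text.strip().splitlines():
            line = line.strip()
            if m := RULE_RE.match(line):
                self.allow.setdefault((m[1], m[2], m[3]), set()).update(m[4].split())
            elif m := ROLE_RE.match(line):
                self.roles.setdefault(m[1], set()).update(m[2].split())
            elif line:
                raise ValueError(f"unparsable policy line: {line!r}")

    def decide(self, subject, obj, cls, perm):
        # RBAC layer: the subject's role must permit the type it is running as.
        if subject.type not in self.roles.get(subject.role, set()):
            return False
        # TE layer: deny unless an allow rule grants exactly this permission.
        return perm in self.allow.get((subject.type, obj.type, cls), set())

def load_policy(text):
    """Compile policy text into a server; mirrors loading a new policy binary."""
    return SecurityServer(text)

# Constructed subjects and objects.
alice = Context("alice", "user_r", "user_t")
passwd_proc = Context("alice", "user_r", "passwd_t")   # user_r may not run as passwd_t
admin_passwd = Context("root", "sysadm_r", "passwd_t")
shadow = Context("system_u", "object_r", "shadow_t")
home = Context("alice", "object_r", "user_home_t")

if __name__ == "__main__":
    srv = load_policy(POLICY)
    for subj, obj, perm in [(alice, home, "read"), (alice, shadow, "read"),
                            (passwd_proc, shadow, "write"), (admin_passwd, shadow, "write")]:
        print(f"{subj.role}:{subj.type} -> {obj.type} {perm}: "
              f"{'allow' if srv.decide(subj, obj, 'file', perm) else 'deny'}")
```

Note the empty allow rule for user_t on shadow_t: it grants nothing, so it is the same as no rule at all, which is the default-deny property that distinguishes mandatory control from a discretionary permission bit the owner could relax.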
RSBAC stands for Rule Set Based Access Control. It is developed according to the Generalized Framework for Access Control (GFAC) model of Abrams and LaPadula and can provide flexible access control based on more than one module. All security-related system calls are extended with security enforcement code; that code calls the central decision component, which in turn calls all active policy modules and forms a combined decision, and the system call extension then enforces that decision. The modules RSBAC currently contains are mainly MAC, RBAC, ACL and so on.

6 Firewall

A firewall restricts access between a protected network and the Internet, or between it and other networks, for part or all of the network. A Linux firewall has the following features:
* Access control: access control policies based on address, time and user, which eliminate unauthorized access while protecting legitimate internal users' access from being affected.
* Audit: by recording network access it builds a comprehensive log, allows network access to be audited and tracked, and can generate reports as needed.
* Attack resistance: the firewall system is directly exposed to the untrusted network; from the outside it is the single point that stands for the protected internal network, and all attacks land directly on it. This point is known as the bastion host, so it requires a machine with a high level of security and the ability to resist various attacks.
* Other ancillary functions, such as alerting and intrusion detection related to auditing, and authentication, encryption and VPNs related to access control.
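The first two firewall features above, address/time/user based access control and an audit log that reports can be built from, fit in a few dozen lines once the rule semantics are pinned down. The following added example (my own code, not from the article and not any real firewall's implementation) is a first-match rule evaluator with a default-drop policy: each rule may constrain source network, destination port, time of day and authenticated user, and every decision, whether from a rule or from the default, is appended to an audit list that a report is built from. Rules, addresses and the sample connections are constructed.

```python
"""Added example: a toy packet filter with first-match rules and an audit log.
Rule set, addresses and sample traffic are constructed for illustration."""
from collections import Counter
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

@dataclass
class Rule:
    action: str                               # "accept" or "drop"
    src: str = "0.0.0.0/0"                    # source network the connection must come from
    dst_port: Optional[int] = None            # destination port, if the rule is port-specific
    user: Optional[str] = None                # authenticated user, if the rule is user-based
    hours: Optional[Tuple[time, time]] = None # allowed time-of-day window [start, end)

    def matches(self, conn):
        if ip_address(conn["src"]) not in ip_network(self.src):
            return False
        if self.dst_port is not None and conn["dst_port"] != self.dst_port:
            return False
        if self.user is not None and conn.get("user") != self.user:
            return False
        if self.hours is not None and not (self.hours[0] <= conn["time"] < self.hours[1]):
            return False
        return True

class Firewall:
    def __init__(self, rules, default="drop"):
        self.rules, self.default = rules, default
        self.audit = []        # one record per decision: the "comprehensive log"

    def filter(self, conn):
        """First matching rule decides; nothing matching falls to the default."""
        for i, rule in enumerate(self.rules):
            if rule.matches(conn):
                self.audit.append({**conn, "rule": i, "action": rule.action})
                return rule.action
        self.audit.append({**conn, "rule": None, "action": self.default})
        return self.default

    def report(self):
        """Dropped connections per source address, built from the audit log."""
        return Counter(r["src"] for r in self.audit if r["action"] == "drop")

# Constructed rule set. Order matters: the block-list entry comes first so the
# general HTTPS accept below it cannot override it.
RULES = [
    Rule("drop", src="203.0.113.0/24"),
    Rule("accept", src="192.0.2.0/24", dst_port=22, hours=(time(8, 0), time(18, 0))),
    Rule("accept", src="192.0.2.0/24", dst_port=22, user="oncall"),
    Rule("accept", dst_port=443),
]

# Constructed sample connections.
SAMPLE = [
    {"src": "192.0.2.10", "dst_port": 22, "time": time(9, 30)},
    {"src": "192.0.2.10", "dst_port": 22, "time": time(23, 0)},
    {"src": "192.0.2.10", "dst_port": 22, "time": time(23, 0), "user": "oncall"},
    {"src": "203.0.113.5", "dst_port": 443, "time": time(12, 0)},
    {"src": "198.51.100.7", "dst_port": 443, "time": time(12, 0)},
    {"src": "198.51.100.7", "dst_port": 22, "time": time(10, 0)},
]

def run_sample():
    """Filter the sample traffic and return (decisions, firewall) for inspection."""
    fw = Firewall(RULES)
    return [fw.filter(c) for c in SAMPLE], fw

if __name__ == "__main__":
    decisions, fw = run_sample()
    for conn, action in zip(SAMPLE, decisions):
        print(f"{conn['src']} -> port {conn['dst_port']} at {conn['time']}: {action}")
    print("drops per source:", dict(fw.report()))
```

The second and third sample connections differ only in the authenticated user, which is what lets an on-call administrator in outside office hours while the same address is refused otherwise; the audit record keeps the rule index, so a report can also say which rule produced each decision.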
As a supplement to the above and an insight into the PAM mechanism: Using PAM to unify identity authentication. Release date: 2000-8-8. Source: BricksTeam; author: bricks.

PAM is the abbreviation of PLUGGABLE AUTHENTICATION MODULES, pluggable authentication modules (module here does not refer to a Linux kernel module). It is an authentication mechanism for applications under which programmers or administrators can change the authentication mechanism without rewriting or recompiling anything. It is already widely used in Linux; for example, /etc/securetty, /etc/nologin and /etc/ftpusers actually work through it, it checks the password you type at login, and changing your password also goes through it. /etc/pam.conf and /etc/pam.d/* are its configuration files. Its biggest advantage is flexibility and extensibility: you can modify the authentication mechanism and customize the system according to your actual needs, which you will see very clearly once you have learned it.

DESIGN GOALS (design targets)
(A) The administrator can select the authentication method, from simple passwords to smart card systems.
(B) Different authentication mechanisms can be configured for different programs; for example, telnet uses S/Key authentication while native login uses ordinary UNIX passwords.
(C) Support for different display requirements: login needs a terminal-based display, dtlogin needs an X display, and ftp and telnet need to authenticate over the network.
(D) Support for configuring a single program to use several authentication mechanisms.
(E) When several authentication mechanisms are used, the user does not have to type the same password multiple times.
(F) But where required, the user can be made to enter multiple passwords carefully.
(G) When the underlying authentication mechanism changes, upper-layer software does not need to be modified.
(H) Provide a pluggable model as the structure for system authentication.
(I) It must be able to meet existing needs.

4. OVERVIEW OF THE PAM FRAMEWORK (overview of the PAM framework)

At its core PAM is actually a set of library functions that the applications you write call. PAM provides you with a set of entry points (the front end). These functions in turn call the modules defined by each specific authentication mechanism (the back end). Simply put: you call a function and tell it whom you want to authenticate; that is all. Which mechanism is used for authentication is decided by the configuration file, and you only need to look at the return value to know whether authentication succeeded. Application developers need to remember only a few functions.

   ftp     telnet    login       (Applications)
    |        |         |
    +--------+---------+
             |
        +----+----+
        | PAM API |
        +----+----+
             |
    +--------+---------+
    |        |         |
  UNIX   Kerberos  SmartCards    (Mechanisms)

Figure 1: basic structure of PAM

PAM functionality is divided into four parts: (1) authentication, (2) account management, (3) session management and (4) password management. What are these four?
(a) Authentication management: includes pam_authenticate() to authenticate the user, and pam_setcred() to set, refresh and destroy the user's credentials.
(b) Account management: includes pam_acct_mgmt() to check whether the account is valid; it can be used to check whether the user's account has timed out or expired.
(c) Session management: includes pam_open_session() and pam_close_session() for managing a session, for example to record the user's connection time; a telnet login is in fact one session.
(d) Password management: pam_chauthtok() is used to change the password.
Program by calling
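The two PAM passages on this page (the feature list under section 1 and the framework overview just above) both come down to one mechanism: the application calls a fixed front end, and the configuration file decides which back-end modules run. The added example below is my own toy model of that, not Linux-PAM's code. It parses a constructed /etc/pam.conf-style configuration, simulates a few modules against a small in-memory user table, walks the module stack with the control-flag semantics Linux-PAM uses (required, requisite, sufficient, optional), and exposes the front-end calls named in the text. The return codes are plain strings named after the real Linux-PAM symbols; the configuration, user table, tty names and module behaviour are all constructed.

```python
"""Added example: a toy model of the PAM front end, back end and module stack.
Configuration text, user table and module behaviour are constructed."""

# Return codes, named after Linux-PAM's symbols but used here as plain strings.
PAM_SUCCESS, PAM_AUTH_ERR, PAM_ACCT_EXPIRED, PAM_PERM_DENIED = (
    "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_ACCT_EXPIRED", "PAM_PERM_DENIED")

# Constructed /etc/pam.conf-style configuration: service, type, control, module.
CONFIG = """
# login: console check first, then the ordinary UNIX password
login  auth      requisite   pam_securetty.so
login  auth      required    pam_unix.so
login  account   required    pam_unix.so
login  session   required    pam_unix.so
login  password  required    pam_unix.so
# ftp: anonymous access is enough on its own, otherwise a UNIX password
ftp    auth      sufficient  pam_ftp.so
ftp    auth      required    pam_unix.so
ftp    account   required    pam_unix.so
ftp    session   optional    pam_lastlog.so
"""

def parse_config(text):
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if line:
            service, mgmt, control, module = line.split()
            rules.append((service, mgmt, control, module))
    return rules

RULES = parse_config(CONFIG)

# Simulated accounts and console list (a real pam_unix would read the shadow file).
USERS = {"alice": {"password": "s3cret"}, "bob": {"password": "hunter2", "expired": True}}
SECURE_TTYS = {"tty1", "tty2", "tty3"}

# Simulated back-end modules: each receives the management type and the request context.
def pam_securetty(mgmt, ctx):
    return PAM_SUCCESS if ctx.get("tty") in SECURE_TTYS else PAM_PERM_DENIED

def pam_unix(mgmt, ctx):
    account = USERS.get(ctx.get("user"), {})
    if mgmt == "auth":
        return PAM_SUCCESS if account.get("password") == ctx.get("password") else PAM_AUTH_ERR
    if mgmt == "account":
        return PAM_ACCT_EXPIRED if account.get("expired") else PAM_SUCCESS
    return PAM_SUCCESS             # session and password management: accepted in this model

def pam_ftp(mgmt, ctx):            # anonymous ftp needs no password
    return PAM_SUCCESS if ctx.get("user") in ("anonymous", "ftp") else PAM_AUTH_ERR

def pam_lastlog(mgmt, ctx):        # only records the login time; never fails here
    return PAM_SUCCESS

MODULES = {"pam_securetty.so": pam_securetty, "pam_unix.so": pam_unix,
           "pam_ftp.so": pam_ftp, "pam_lastlog.so": pam_lastlog}

def run_stack(service, mgmt, ctx, rules=RULES):
    """Run the modules configured for (service, mgmt) and combine their results."""
    stack = [(c, m) for s, t, c, m in rules if s == service and t == mgmt]
    if not stack:
        return PAM_PERM_DENIED     # nothing configured: deny (real PAM falls back to "other")
    final = None                   # first recorded failure, if any
    for control, module in stack:
        result = MODULES[module](mgmt, ctx)
        if control == "required" and result != PAM_SUCCESS and final is None:
            final = result         # remember the failure but keep running the stack
        elif control == "requisite" and result != PAM_SUCCESS:
            return result          # fail immediately
        elif control == "sufficient" and result == PAM_SUCCESS and final is None:
            return PAM_SUCCESS     # enough on its own, unless a required module already failed
        elif control == "optional" and len(stack) == 1 and result != PAM_SUCCESS:
            final = result         # optional only counts when it is the whole stack
    return PAM_SUCCESS if final is None else final

# The front end: the handful of calls an application actually makes.
def pam_authenticate(service, ctx):  return run_stack(service, "auth", ctx)
def pam_acct_mgmt(service, ctx):     return run_stack(service, "account", ctx)
def pam_open_session(service, ctx):  return run_stack(service, "session", ctx)
def pam_close_session(service, ctx): return run_stack(service, "session", ctx)
def pam_chauthtok(service, ctx):     return run_stack(service, "password", ctx)

def login(service, ctx):
    """The usual application sequence; it never learns how authentication was done."""
    for step in (pam_authenticate, pam_acct_mgmt, pam_open_session):
        result = step(service, ctx)
        if result != PAM_SUCCESS:
            return result
    pam_close_session(service, ctx)
    return PAM_SUCCESS

if __name__ == "__main__":
    print(login("login", {"user": "alice", "password": "s3cret", "tty": "tty1"}))
    print(login("login", {"user": "alice", "password": "s3cret", "tty": "pts/0"}))
    print(login("ftp", {"user": "anonymous"}))
```

The login() function is the whole of what an application needs to know; changing the policy (for example removing the securetty line so that root-style console restrictions no longer apply, or putting pam_ftp.so ahead of pam_unix.so) is an edit to CONFIG alone, which is the design goal (G) listed earlier. Note also that the order and control flag of each line matter: a "sufficient" module placed before a "required" one short-circuits the stack on success, while a "requisite" failure stops it before any later module runs.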