\input{gl2.slide-header-beamer}%
% \errorcontextlines=99
%% Subtopic Number = '1.114.2'
%% Title: 'Setup host security'
%% Weight: 3
%% Description:
%% Candidate should know how to set up a basic level of host
%% security. Tasks include syslog configuration, shadowed passwords, set up
%% of a mail alias for root's mail and turning of all network services not
%% in use.
%% Key files, terms, and utilities include:
%% /etc/inetd.conf or /etc/inet.d/*
%% /etc/nologin
%% /etc/passwd
%% /etc/shadow
%% /etc/syslog.conf
\title{1.114.2\\Setup host security\\Weight 3}
\date{2005 October}
\author[Nick Urbanik]{Nick Urbanik \texttt{}\\
  {\scriptsize This document is licensed under the GPL---see section~\ref{sec:license}}}
\subtitle{Linux Professional Institute Certification --- 102}%
\mode
{\chead{1.114.2}}%
\begin{document}
\maketitle
\mode
{\thispagestyle{empty}}
\begin{frame}
\frametitle{Outline}
\mode {%
%\footnotesize
\begin{multicols}{2}
\tableofcontents
\end{multicols}
% You might wish to add the option [pausesections]
}%
\mode
{%
\tableofcontents
}%
\end{frame}
\section{Context}
\label{sec:context}
\begin{frame}
\frametitle{Topic 114 Security [8]}%
\framesubtitle{Where we are up to}%
\begin{description}
\item[1.114.1] Perform security administration tasks [4]
% \uline depends on \usepackage[normalem]{ulem}:
\item[1.114.2] \textbf{\uline{Setup host security [3]}}
\item[1.114.3] Setup user level security [1]
\end{description}
\end{frame}
\section{Objectives}
\label{sec:objectives}
\begin{frame}
\frametitle{Description of Objective}%
\framesubtitle{1.114.2\ \ Setup host security [3]}%
\mode{\Large}%
Candidate should know how to set up a basic level of host security. Tasks include syslog configuration, shadowed passwords, set up of a mail alias for root's mail and turning of \yellow{[sic]} all network services not in use.
\end{frame}
\begin{frame}[fragile]
\frametitle{Key files, terms, and utilities include:}%
\framesubtitle{1.114.2\ \ Setup host security [3]}%
\mode{\large}%
\begin{description}
\item[\texttt{/etc/inetd.conf} \textnormal{or} \texttt{/etc/inet.d/*}] --- Where you turn off all unneeded \texttt{inetd}/\texttt{xinetd} services (the objective's \texttt{/etc/inet.d/*} is presumably a misprint for \texttt{/etc/xinetd.d/*}, the per-service directory used later in these notes)
\item[\texttt{\red{/etc/nologin}}] --- \blue{only allows \texttt{root} to log in if this file exists. Other users are shown the contents of this file instead of a login. Intended for maintenance: remove it afterwards, or non-\texttt{root} users stay locked out.}
\item[\texttt{/etc/passwd}] --- the file that \emph{should not} contain password hashes: it has to stay world-readable so that programs can map UIDs to user names, which is exactly why hashes do not belong in it. See topic 1.111.1 Manage users and group accounts and related system files
\item[\texttt{/etc/shadow}] --- Where shadow passwords (the hashes) belong; readable by \texttt{root} only, so an unprivileged user cannot copy the hashes for offline cracking
\item[\texttt{/etc/syslog.conf}] --- Where syslog is configured.
See notes for topic 1.111.3 Configure and use system log files to meet administrative and security needs. For host security, also consider sending a copy of the logs to a separate log host, so that an intruder who gains \texttt{root} here cannot simply erase the record of how they got in
\end{description}
\end{frame}
\section{Set up mail alias for \texttt{root}'s mail}
\label{sec:alias-for-root}
\begin{frame}[fragile]
\frametitle{Set up mail alias for \texttt{root}'s mail}
\begin{itemize}
\item Many programs report important problems by sending mail to the \texttt{root} user
\item You should \alert{not} be logging in as \texttt{root} (use \texttt{sudo}), so mail left in \texttt{root}'s mailbox goes unread
\item You should be reading that email
\item \ldots\ so you should create an alias for \texttt{root} that sends \texttt{root}'s mail to you:
\begin{semiverbatim}
\cmd{grep '^root' /etc/postfix/aliases}
root: nicku
\end{semiverbatim}
\item After editing the aliases file, run \cmdbox{newaliases} to rebuild the database that the mail server actually reads; editing the text file alone changes nothing. On most systems the file is \texttt{/etc/aliases}; if the path above does not exist, check \texttt{alias\_maps} in the Postfix configuration
\end{itemize}
\end{frame}
\section{Turning off unused network services}
\label{sec:turning-off-unused-services}
\subsection{Some basic rules of security}
\label{sec:basic-rule-of-security}
\begin{frame}
\frametitle{Some basic rules of security}
\begin{itemize}
\item Use minimum privilege to do what is required
\item Provide only the services your users need: every service listening on the network is an attack surface that must be kept patched, and a service you do not run cannot be exploited
\end{itemize}
\end{frame}
\subsection{Identify running services}
\label{sec:identify-running-services}
\begin{frame}
\frametitle{Identify running services}
\begin{itemize}
\item See what services are configured to start at boot: \cmdbox{chkconfig --list | grep on}
\item See what is actually listening on the network right now (run as \texttt{root}, so that the owning process is shown): \cmdbox{netstat -tulpn}
\item Determine what package each service turned on comes from with a command like \cmdbox{rpm -qif /etc/init.d/\meta{service-name}}
\item Decide whether this service should be turned off
\item You can also check running processes with \texttt{ps} and \texttt{top}
\end{itemize}
\end{frame}
\subsection{Turning off services on Red Hat/Fedora}
\label{sec:turning-off-in-fedora}
\begin{frame}[fragile]
\frametitle{Turning off services on Red Hat/Fedora}
\begin{itemize}
\item On Red Hat/Fedora systems:
\begin{itemize}
\item Remove the software package, e.g., \cmdbox{rpm -e telnet-server} (note that the \texttt{telnet} package is only the client; the server that listens on the network is in \texttt{telnet-server})
\par%
or
\item Disable the service: \cmdbox{chkconfig --del sendmail}
\par%
or
\cmdbox{chkconfig sendmail off}
\end{itemize}
\item \texttt{chkconfig} only changes what starts at boot: a service that is already running keeps running until you stop it with \cmdbox{service \meta{service} stop} or reboot
\item Note that \texttt{chkconfig} also turns \texttt{xinetd}-managed services on and off (it rewrites the \texttt{disable} line in \texttt{/etc/xinetd.d/\meta{service}})
\item You should also be able to turn them off manually:
\begin{semiverbatim}
\cmd{grep disable /etc/xinetd.d/telnet}
disable = yes
\end{semiverbatim}
After editing by hand, make \texttt{xinetd} re-read its configuration: \cmdbox{service xinetd reload}
\end{itemize}
\end{frame}
\subsection{Turning off services on Debian/Ubuntu}
\label{sec:turning-off-in-ubuntu}
\begin{frame}
\frametitle{Identify what runlevels a service starts/stops}
\begin{itemize}
\item To find what runlevels a service \meta{service} will start and stop on, do:
\par%
\cmdbox{find /etc/rc* -name '*\meta{service}'}
\item Example: to see what links exist for \texttt{squid}:
\par%
\cmdbox{find /etc/rc* -name '*squid'}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Turning off services on Debian/Ubuntu}
\begin{itemize}
\item See \cmdbox{man update-rc.d}
\item To disable a service \meta{service} that normally starts, do:
\par%
\cmd{sudo update-rc.d -f \meta{service} remove}
\item For example, to disable initialisation of \texttt{squid}, do:
\par%
\cmd{sudo update-rc.d -f squid remove}
\item Two caveats: this removes only the \texttt{/etc/rc?.d} links, so a service that is already running must still be stopped with \cmdbox{sudo /etc/init.d/\meta{service} stop}; and because \texttt{update-rc.d} recreates the links when a package is installed and none exist, a later upgrade of the package may silently re-enable the service---re-check after upgrades (later versions of \texttt{update-rc.d} have a \texttt{disable} action that keeps the links as \texttt{K} links to avoid this)
\item Turn off \texttt{xinetd} service \meta{service} by editing \texttt{/etc/xinetd.d/\meta{service}}, or if possible, turn \texttt{xinetd} off altogether:
\par%
\cmd{sudo update-rc.d -f xinetd remove}
\item Finally, if you liked \texttt{ntsysv} on Red Hat, then do
\par%
\cmdbox{sudo apt-get install rcconf}
\end{itemize}
\end{frame}
\mode {%
\begin{frame}
\frametitle{Topics Covered}
%\footnotesize
%\begin{multicols}{2}
\tableofcontents[pausesections,pausesubsections]
%\end{multicols}
% You might wish to add the option [pausesections]
\end{frame}
}
\section{License Of This Document}
\label{sec:license}
\begin{frame}
\frametitle{License Of This Document}
\raggedright%
Copyright \copyright\ 2005 Nick Urbanik
\par
You can redistribute modified or unmodified copies of this document provided that this copyright notice and this permission notice are preserved on all copies under the terms of the GNU General
Public License as published by the Free Software Foundation --- either version 2 of the License or (at your option) any later version. \end{frame} \end{document}