�߼�Linux��ȫ��-��Linuxϵͳ�Ż�

2005-10-28 otto

��Linux��ϵͳ��һ��Դ��Ѳ��ϵͳ��ܵ�Խ��Խ��û��Ļ�ӭ��Linux ��ϵͳ��ҹ��Ĳ��ռ��йص��Ÿ��ǽ��Linux��Ȩ�Ĳ��ϵͳ��ߵ��Ϣ��ȫ�ĸ߶��ǲ��Ԥ�� Linux��ϵͳ��ҹ��õ��ķ�չ��ȻLinux��UNIX��ƣ��֮��Ҳ��һЩ��Ҫ�Ĳ�𡣶��ڶ��ϰ��UNIX�� WindowsNT��ϵͳ��Ա��α�֤Linux��ϵͳ�İ�ȫ��µ��ս��Ľ��һϵ��ʵ�õ�Linux��ȫ��顣

һ��ļ�ϵͳ

��Linuxϵͳ�У��ֱ�Ϊ��ͬ��Ӧ�ð�װ��ؼ��ķ��Ϊֻ��ļ�ϵͳ�İ�ȫ��Ҫ�漰��Linux��ext2�ļ�ϵͳ��ֻ��ӣ�ֻ��ӣ��Ͳ��ɱ��ԡ�

�� ļ��Linux��ļ�ϵͳ��Էֳɼ��Ҫ�ķ��ÿ��ֱ��в�ͬ��úͰ�װ��һ��Ҫ��/��/usr/local��/var�� /home�ȷ��/usr��԰�װ��ֻ��ҿ��Ա��Ϊ�ǲ��޸ĵġ��/usr��κ��ļ��˸ı䣬��ôϵͳ��ȫ��Ȼ�ⲻ��û��Լ��ı�/usr�е��ݡ�/lib��/boot��/sbin�İ�װ��Ҳһ��ڰ�װʱӦ�þ��Ϊֻ��Ҷ��ǵ��ļ��Ŀ¼��Խ��е��κ��޸Ķ��ᵼ��ϵͳ��

��Ȼ��Ҫ�ķ��Ϊֻ��ǲ��ܵ�,�еķ��/var�ȣ��ʾ;��˲��ܽ��Ϊֻ��Ӧ�ò��ִ��Ȩ�ޡ�

�� չext2ʹ��ext2�ļ�ϵͳ�ϵ�ֻ��ӺͲ��ɱ��ļ��Կ��Խ�һ��߰�ȫ��𡣲��ɱ��ֻ��ֻ��չext2�ļ�ϵͳ��Ա�־�ķ��һ��Ϊ��ɱ��ļ��ܱ��޸ģ��ܱ��û��޸ġ�һ��Ϊֻ��ӵ��ļ��Ա��޸ģ��ֻ��ĺ��ݣ��ʹ��û�Ҳֻ��ˡ�

��ͨ��chattr��޸��ļ��Щ��ԣ��Ҫ�鿴��ֵ�Ļ��ʹ��lsattr��Ҫ��˽��Ĺ��ext2�ļ��Ե��Ϣ��ʹ��manchattr��Ѱ��ļ��ڼ��ڿ��ͼ��е��ļ��а�װ��ֺ��ʱ�Ǻ��õġ�Ϊ�˰�ȫ��һ��⵽��Ļ��Ӧ��ֹ��Ϣ��

��Ĺؼ��ļ�ϵͳ��װ��ֻ��Ĳ��ļ��Ϊ��ɱ�ģ��߱��°�װϵͳ��ɾ��Щ��ɱ��ļ��̲��ʹ��˱��Ƿ��ֵĻ��ᡣ

�� log�ļ��log�ļ��log��һ��ʹ��ʱ��ɱ��ֻ��ļ��ر��á�ϵͳ��ԱӦ�ý����log�ļ��Ϊֻ��ӡ�� log��ʱ��²��log��ļ��Ӧ��óɲ��ɱ�ģ��µĻ��log�ļ��ֱ��ֻ��ӡ��ͨ��Ҫ��log��½ű��һЩ��

��

��Linuxϵͳ�İ�װ�Ժ�Ӧ�ö��ϵͳ��б��ݣ��Ժ��Ը��֤ϵͳ��ԣ��Ϳ��Է��ϵͳ�ļ��Ƿ񱻷Ƿ��ܸĹ��ϵͳ�ļ��Ѿ��ƻ��Ҳ��ʹ��ϵͳ��ָ��״̬��

��CD -ROM��ݵ�ǰ��õ�ϵͳ��ݽ��ʾ��CD-ROM��̣��Ժ��Զ��ڽ�ϵͳ��ݽ��бȽ��֤ϵͳ��Ƿ��⵽�ƻ��԰�ȫ��Ҫ��ر�ߣ��ô��Խ��Ϊ��Ĳ��ҽ��֤��Ϊϵͳ��̵�һ��֡��ֻҪ��ͨ��˵��ϵͳ��δ��ƻ��

��㴴��һ��ֻ��ķ��ô��Զ��ڴӹ��ӳ��װ��ǡ��ʹ��/boot��/lib��/sbin��ܱ��װ��ֻ��ķ��Ȼ��Ը��ݹ��ӳ��ǣ��ʱ��һ��ȫ��ӳ��ǡ�

�� ʽ�ı��Ȼ/etc�е��ļ��仯��/etc�е��Ȼ��Էŵ��ϵͳ��֤��޸ĵ��ļ��Ա��ݵ��һ��ϵͳ��Ŵ��ѹ��һ��ֻ��Ŀ¼�С��ְ취��ʹ�ù��ӳ��֤�Ļ��ٽ��ж��ϵͳ��Լ�顣

��Ȼ��ھ��ϵͳ��ڶ��һ��ṩ�ģ��һ��CD-ROM��̻��֤�̲��ʮ�ַ��ģ��һ��ʮ��Ч��ֿ��е��֤��

��Ľ�ϵͳ�ڲ��ȫ��

��ͨ��Ľ�Linux��ϵͳ��ڲ��ֹ��ƻ��ǿȴ��Ԥ��Ĺ��ʽ��Ȼ��ĸĽ��Ҫϵͳ��Ա��൱�ḻ�ľ��ͼ��ɣ��԰�ȫ��Ҫ��ߵ�Linuxϵͳ��Ǻ��б�Ҫ�ġ�

��SolarisDesigner�İ�ȫLinux��SolarisDesigner��2.0��ں˵İ�ȫLinux��ṩ��һ��ִ�е�ջ��ٻ��в��Ӷ��ϵͳ�İ�ȫ�ԡ�

��ʵʩ��൱��ѵģ��Ϊ��߱��ܹ��ж�Ǳ�ڵĻ��ʱ��Լ��ڴ��е�ʲôλ�ó��֡��Ԥ��Ҳʮ��ѣ�ϵͳ��Ա��ȫȥ��ڵ��ܷ�ֹ��ַ�ʽ�Ĺ��Ϊ��ˣ��LinuxTorvalds��Ҳ��Ϊ��ȫLinux��ʮ��Ҫ��Ϊ��ֹ��ʹ�û��Ĺ��Ҫ��ע��ǣ��Щ��Ҳ�ᵼ�¶�ִ��ջ��ĳЩ��Ϳ��⣬��Щ��Ҳ��ϵͳ��Ա��µ��ս��

��ִ�е�ջ��Ѿ��లȫ�ʼ��б��securedistros@nl.linux.org��н��зַ��û��ص��ǵȡ�

��StackGuardStackGuard��һ��ʮ��ǿ��İ�ȫ��ߡ��ʹ�þ�StackGuard�޲��gcc�汾��±��ӹؼ��Ӧ�á�

StackGuard��б��ʱ��ջ��Է�ֹ��ջ��Ȼ��ᵼ��ϵͳ��½��ڰ�ȫ��Ҫ��ߵ��ض�Ӧ��StackGuard��Ȼ��һ��ʮ�ֹ��õĹ��ߡ�

��Ѿ��һ��ʹ��SafeGuard��Linux�汾��û�ʹ��StackGuard��ס��Ȼʹ��StackGuard�ᵼ��ϵͳ��½�Լ10��20%��ܹ��ֹ��һ�๥��

��µķ��ʿ��ƹ��Linux��2.3��ں��ͼ��ļ�ϵͳ��ʵ��һ��ʿ��б��Ҫ��ԭ��ࣨowner��group��other)��ʿ��ƻ��ƵĻ��Ӹ��ϸ�ķ��ʿ��ơ�

��2.2 ��2.3��Linux�ں��л��µķ��ʿ��ƹ��ܣ��ս��Ӱ�쵱ǰ�й�ext2�ļ��Ե�һЩ��⡣�봫ͳ�ľ��ext2�ļ�ϵͳ��ṩ��һ��Ӿ�ȷ�İ�ȫ��ƹ��ܡ��µ��ԣ�Ӧ�ó��ܹ��ڲ��г��û�Ȩ�޵��·��ĳЩϵͳ��Դ��ʼ�׽ӵȡ�

��ڹ��򼯵ķ��ʿ��йص�Linux��ڿ��һ��ڹ��ķ��ʿ��ƣ�RSBAC��Ŀ��Ŀ��ܹ�ʹLinux��ϵͳʵ��B1��İ�ȫ�� RSBAC�ǻ��ڷ��ʿ��Ƶ��չ��ܲ��չ��ϵͳ��÷��֧�ֶ��ֲ�ͬ�ķ��ʺ��֤��չ�ͼ�ǿLinuxϵͳ��ڲ��ͱ��ذ�ȫ��һ��õġ�

�ġ��ݾ��۹�

��ν�ݾ��Ǽ��ʱ�ܹ��¼��۹ޣ�honeypot��ָ��ͼ�ߴ��ר�ŵı��ݾ��ͨ��ݾ��۹޳��һ��¼�ϵͳ��Ժܿ췢��У�һ�㶼��ר�ŵ��ݾ��ݾ��һ��Ϊ��֣�һ��ֻ��߶��ȡ��ж��һ��ͬʱ��ȡ��ж��

��۹޵�һ�ֳ��÷��ǹ��Linuxϵͳʹ��˾��Ե�IMAP��汾��߶��ЩIMAP��д��˿�ɨ��ͻ��ݾ��Ҽ��ϵͳ��

��һ��۹��ݾ��Ӿ��Ǻ��phf��һ��ǳ��Webcgi-bin�ű��phf��ҵ绰��ģ��һ��صİ�ȫ©��ʹ��ϵͳ��ļ��ִ��ϵͳ��Ա��һ��ٵ�phf�ű��ǽ�ϵͳ�Ŀ��ļ��͸��ߣ��߷��һЩ��Ϣ��ͬʱ��ϵͳ��Ա��

��һ��۹��ݾ��ͨ��ڷ��ǽ�н��ߵ�IP��ַ��Ϊ��ܾ��߼��з��ʡ��ܾ��Ѻõķ��ʼȿ��Ƕ��ڵģ�Ҳ��ǳ��ڵġ�Linux�ں��еķ��ǽ��ǳ��ʺ��

�塢��ѿ״̬

��߽��й��֮ǰ���һ��Ƕ˺�ɨ�飬��ܹ��ʱ��ֺ��ֹ��ߵĶ˺�ɨ��Ϊ��ô��Դ��¼��ķ��ʡ��Ӧϵͳ��һ��򵥵�״̬��Ҳ��һ��ӵ��ּ��ϵͳ��õķ��ǽ��

��AbacusPortSentryAbacusPortSentry �ǿ��Դ��Ĺ��߰��ܹ��ӿڲ��ǽ��رն˿�ɨ�鹥��ڽ��еĶ˿�ɨ��ʱ��AbacusSentry��Ѹ��ֹ��ִ�С��ò��Ҳ��ⲿ��ϵͳ�а�װ�ܾ��񹥻��

AbacusPortSentry�� Linux��͸��Ĵ��һ��ʹ�ÿ��ṩһ��ǳ��Ч��ַ��ʩ��Խ�Ϊ��IP��ַ�ṩͨ�÷��δʹ�ö˿��ض�� PortSentry�У�PortSentry��߲�ȡ��һ��ж�֮ǰ��ʱ��⵽��ֹ�˿�ɨ�顣

AbacusPortSentry �ܹ��⵽��ɨ�飨slowscan��ܼ�⵽�ṹ��structuredattack��ַ�ʽ��Ŀ�Ķ�Ҫ��ͼ�ڸǹ��ͼ��ɨ��ͨ��˿�ɨ��ɢ��ܳ��ʱ��ɣ��ڽṹ��Ĺ��У��ͼͨ��ɨ��̽��Դ��ַ��ڸ��Լ��ʵ��Ŀ�ꡣ

��ȷ��ʹ��ܹ��Ч�ط�ֹ��IMAP��Ĳ��ɨ�鲢��ֹ��ߡ�AbacusSentry��Linux2.2�ں˵�IPChains��һ��ʹ��ʱ��Ч��IPChains�ܹ��Զ��еĶ˿�ɨ��Ϊ��PortSentry��

Linux2.0�ں˿��ʹ��IPChains��޲��AbacusPortSentryҲ��ڵ�2.0��ں��е�ipfwadm��һ��ʹ�ã�ipfwadm��2.2�汾�Ժ�IPChainsȡ��ˡ�

AbacusPortSentry��Ա��Linuxϵͳ�ϵ�UDPɨ��Ӧ��ԶԸ��ְ�ɨ��Ӧ��FINɨ�飬��ɨ��ͼͨ��ֻ��ͺ�С��̽��ǽ��һ��ⱻ��֡�

��Ȼ��õİ취��ʹ��ר�ŵ��ּ��ϵͳ��ISS��˾��RealSecure�ȣ��ǿ��Ը��ֱ��͹��ǩ��÷��ǽ��Ĳ�Ʒһ��۸�ϸߣ��ռ��û��ѡ�

��

ϵͳ��Ҫͨ��ֹ��ͼ��ֹ��֣��ϵͳ��Է��ж˿�ɨ��Ĺ��һ��߲��ıδ�ܵóѣ��ҡ��·��

��Щ��ȫϵͳ��AbacusSentry��һ��ķ��е�վ��˷�ֹ�û�ͨ��telnet��ӣ��Ӧ��telnet��ʱ��ϵͳ��һЩ��ܻ�ӭ�Ķ��Ϣ��ֻ��һ��Ҳ��΢�ķ��ʩ��

һ��²��ᳫʹ�÷��ܣ��Ϊ��ķ��ʩ��ױ��Ƿ��ϵͳ��

�ߡ��Ľ��¼

��ϵͳ�ĵ�¼��Ƶ�һ��Ļ��л��ϵͳ�İ�ȫ��ʹ��һ��ȫ�ĵ�¼��ȡ��Linux��ĵ�¼��Ҳ��Խ�һ��߰�ȫ��

�ڴ��Linux��У��ʹ��һ��ĵ�¼��syslog��һ��ܹ��ϵͳ��¼��ӵ��㹻�Ĵ��̿ռ�ķ��ϵͳ��ϵͳ��Ӧ��û��ķ��С��ȫ�ĵ�¼��͸��¼ϵͳ�ܸ��־�ļ��

�� ȫsyslog��ʹʹ�õ��ĵ�¼��Linux��syslog��Ҳ��൱��ȫ�ġ��ˣ��˿��ν�İ�ȫlog��ǩ��ɵ��־�С��ȷ��߼�ʹ�ڴܸ�ϵͳ��־�Ժ�Ҳ�޷��֡���õ��ȡ��syslog�İ�ȫlog��Ϊ��ȫsyslog ��ssyslong��û��Դ�CoreSDIվ��http://www.core-sdi.com/ssylog��ߡ��ػ��ʵ��һ��ΪPEQ-1��Э��ʵ�ֶ�ϵͳ��־��Զ��ơ��ʹ��߻��ϵͳ��û�Ȩ�޵��Ҳ��Ȼ��Խ��ƣ��ΪЭ�鱣֤��ǰ�Լ��ֹ��еĵ�log��Ϣû��ߣ��Զ�̿��ε��ϣ��֪ͨ�޷��޸ġ�

��syslog-ng��һ��ȡ��syslog�Ĺ�� syslog-ng��һ��syslog��һ��ӿ��õ��ػ��̣��ṩ��ǩ��־�ļ��Ĵܸġ��밲ȫ��¼��Զ��ƹ��һ��ʹ��߼��ѽ��־�ܸĲ��ҷǳ��ױ��⵽��Ĳ��ͼ��û��Դ�www.babit.hu/products/syslog- ng.html��ߡ�

�ˡ�ʹ�õ�һ��¼

ϵͳά��ɢ�Ĵ��绷��еĶ��û��ʺŶ��ϵͳ��Ա��һ��ǳ�ͷ�۵��顣��һЩ��һ�ĵ�¼��signon��ϵͳ��Լ��Ա�ĸ��ͬʱ��˰�ȫ��

��Ϣ��NIS��һ��ܺõĵ�һ��¼ϵͳ��Sun��˾��YellowPage��Ļ��Ϸ�չ��ģ��Ļ��ȫ��Բ��״��ڲ��һЩ bug�ʹ��Ա��Ϸ��Ϊ��߷��NetworkIntruderService��NIS�ĸ��°汾NIS+ԭNIS�Ĳ��˸Ľ��Ѿ��Linux��NIS+�汾��

KerberosҲ��һ�ַǳ��ĵ�һ��¼ϵͳ��Kerberosv4��һЩ��İ�ȫ©��߿��߽����Kerberoscookie��ᱻ��֡�Ketberosv5��˸Ľ��v4��⡣

�ڴ��У��NIS��Kerberos��ĵ�һ�ĵ�¼ϵͳ��Ȼ��һ�棬��Ҳ��һ�档һ��棬�ڲ�ͬϵͳ�϶��֤��ڸ��ù��ܲ��Ҽ��໥֮��Ӱ�졣��һ��棬һ��һ��ϵͳ�е�ĳ��ʺű��ƻ��п�ͨ��ʺŷ��ʵ�ϵͳ��ͬ��⵽�ƻ��ڵ�һ�ĵ�¼ϵͳ��ر�Ҫ��нϸ߷��²�ˮƽ�Ŀ��֡�

��Windows��WindowsNT��ϵͳ��Լ��ĵ�һ��¼ϵͳ��Linuxϵͳ��Ը��Windowsϵͳ��֤��û��Windowsϵͳ��޸ġ�ά��͹��ǵ��ʺźͿ��ֲ��޸Ľ��ͬʱ��UNIX��¼�еõ��֡��ʹ��pam_smb��Linuxϵͳ��Ը��WindowsSMBDomain��֤��Windows��Ϊ��ĵ��൱��ģ��Ҳ��Windows��֤ϵͳ��һЩ��ȫ�ԡ�

�š��°�ȫ��Ʒ�ͼ��

��Ϊһ��ϵͳ��Ա��ʱ�̸��Linux��ȫ��ķ�չ��򣬲��ʱ��ø��Ƚ��Linux��ȫ��ߡ�Ŀǰ��й�Linux��ȫ��о��Ϳ��Ŀ��Ŀǰ��ȫLinux��Ŀ�Ѿ��ÿ��Ŀ��Ŀ�궼��Լ��Ĳ��ص㣬��Ƿֱ��ǣ�

�� ȫLinux��SecureLinux��ȫLinux��www.reseau.nl/securelinux��Ŀ��Ŀ��ṩһ�� Internet��ϵͳ�İ�ȫ��Linux�ַ��Ŀ��Ѱ��Ʒ�м��ǿ��һЩ��Web��ܡ��Ȼ��֮�ⴴ��ģ��ǿ��ܹ��õ��Ľ��밲ȫ��ܵ��ȫ��Ʒ��ڷ��ɵ��ơ�

��BastilleLinuxBastilleLinux(www.bastille-linux.org��ĿѰ��Linux��н��һ��OpenBSD�ı�׼��Ŀ��Ƶ�Ŀ��Ϊ̨ʽ��һ��ȫ�ķַ��ʹ��߿��Բ��õ��û��İ�ȫ��

��Kha0sLinuxKha0sLinux��www.kha0s.org��Ѱ�󴴽��һ��ǿ��ܺ��OpenBSD�İ�ȫ��ߵ��С�İ�ȫLinux�ַ��С��Ŀǰ��Webվ��ȫ��û��ͳ��̵Ĳ��ͺ��

��֮�⣬��ڹ��Ա��Linux��ȫ��ˮƽҲ��ʮ��õģ�

��ʰ�ȫLinux�ʼ��б��Linux��ȫ��ʼ��б��securedistros@nl.linux.org��Kha0s-dev@kha0s.org�ȣ��Щ�ʼ��б��Եõ��İ�ȫ��Ϣ��

��һ��ͨ�õ��ʼ��б��security-audit@ferret.lmh.ox.ac.uk��ר��Դ��İ�ȫ��Ƶġ��б��ʼ��б��д��ظ��˽�Դ��ƺ��صİ�ȫ��Ļ��Ǻ�ֵ��һ��ġ�

ʮ��

�κ�һ�ֵ�һ�İ�ȫ��ʩ��޵ģ�һ��ȫ��ϵͳ��ȡ��ְ�ȫ��ʩ��²��ܸ��õı�֤��ȫ��һ��Linuxϵͳ��ȡ��ϸ��ְ�ȫ��ʩ��ôҪ��ϵͳ��߽��ò��ƹ��ǽ��ܿ��ּ��ϵͳ��ݾ��ͨ��ϵͳ��ӹ��־��޸��ļ�ϵͳ��ԡ��ƻ��ȫ��¼��մﵽĿ�ġ��κ�һ��ڶ��ܼ��Ҫ��ϵͳ��ֲ��ּ��ǲ��ܵġ�
��α༭: otto

�߼�Linux��ȫ��

�� 1 ��

Ƶ��

��½̳�

��Ƽ�

�߼�Linux��ȫ��������

���� 1 ������

Ƶ������

���½̳�

����Ƽ�

�߼�Linux��ȫ��

�� 1 ��

Ƶ��

��½̳�

��Ƽ�