Review/Practical Unix and Internet Security

Beta version 0.7; May 17, 1998; Practical Unix and Internet Security; by Simson Garfinkel, Gene Spafford; List: $39.95. Usual discount 20%.

2nd Edition
Paperback, 1004 pages
Published by O'Reilly & Associates
Publication date: April 1996
ISBN: 1565921488

Reviewed by Nikolai Bezroukov: April 30, 1998

Abstract

Somewhat outdated (two years old in a very dynamic field: how to fight Rootkit is not even mentioned; Bugtraq mentioned only in the supplement, etc.). Far from being practical the book can be used only as an introductory text in Unix security. Much more correct title would be Unix Security Cookbook, Introduction to UNIX and Internet Security or even Unix Security for Dummies. The book is not recommended for Internet security (superficial and incomplete). Good style -- Simson Garfinkel of The UNIX-Haters Handbook fame is a talented journalist (but now a journalist only, see his interview with Amazon.com). The main problem with the book is that instead of relying on tools as any Unix author should, the authors use a cookbook/reference approach, giving recipes about improving security. References to important RFCs, FAQ and CERT advisories are absent. For example RFC1244 (now superseded by RTC2196) is not mentioned in the index (and probably in the text as well) although chapter 2 and chapter 24 mirror its content. No attempts were made to explain what tools can be used for checking/fixing a particular class of problems or to present a bigger picture in which the flaw exists. The typesetting is primitive. Although one of the authors is a (former) programmer judging by just the book content it is difficult to believe that he is able to spell PERL ;-). The book is not updated enough to compete with newer books on Internet Security. For corporate users possible alternatives are combinations of one book on Unix security (for example, Unix System Security by David A. Curry; IMHO a second edition of this book would be really great) and one book on Internet security (for example Actually Useful Internet Security Techniques by Larry J. Hughes). The last is recommended as an alternative for PUIS for readers who cannot afford two books. Often books written by a specialist in particular areas can be a better deal than books from security folks. For example TCP/IP Network Administration by Craig Hunt contains a lot more information about how to properly configure TCP/IP than this book and in chapter12 has a very decent overview of security in just 40 pages.

The problem with second edition of the "Practical Unix and Internet Security" (PUIS for short) is that authors tried to kill two birds with one stone and as a result the book is neither very good for Unix security, nor for Internet security (actually the book is pretty weak as for Internet security -- the problem of CGI security is discussed only in passing (p.544-549) although it definitely deserve a special chapter; language issues (Java, JavaScript, Perl etc) are not discussed at all).

The authors compile a vast amount of available material on UNIX security into quite a readable volume written in a very good (for an introductory book) style. The emphasis is on understanding areas in which security is compromised, but some general information about UNIX is also provided. After the map of such areas is constructed one can do own research. The list of the "support stuff" is really impressive and includes Dan Farmer and Wietse Venema (the latter reviewed chapter on wrappers).

The book is very good in providing history of UNIX in general and particular subsystem. For example it is one of the few books I read, that provides some information on Multix (p.9) as a predecessor of UNIX. Most just mention this fact.

Although almost all information from the book (and much more) is available on the WEB and conference proceedings, it would take some time to get it and systemize the way the authors did. There are summaries after each chapter -- a plus for an introductory book. The book covers a large number of topics, although some of them are slightly remote from the subject (computer crime law, physical security, personnel security, etc.). As an introductory book it is fairy good in providing some basic UNIX system administration information.

The threats to a UNIX system used as a server in the commercial environment vary greatly in terms of intent, sophistication, technical means, and potential impact. In order of diminishing probability threats can be categorized into the following groups:

Overworked (and sometimes incompetent, inquisitive, or just lazy) sysadmins (no patches applied for years, blatant configuration holes, no backups, etc.). Unfortunately, few UNIX administrators can spend several hours a week reading advisories, installing patches to keep security of their machines on the highest possible level, but still configuration errors is the security problem that probably should be addressed first.
Disgruntled employee, contractors, trainees or other people intent on seeking revenge for some perceived wrong; here some monitoring can help, but it's much more difficult task than the first one.
Crooks interested in personal financial gain or stealing services or information (difficult to counter);
People driven by more or less pure technical challenge (hackers, very difficult to counter if they are insiders);
Organized crime;
Industrial espionage.

Based on validated incidents the first three category are most common, while the last three are getting most media coverage.

Chapters are very uneven. Generally they can be read in any order. I would like to recommend to read chapter 4 (Users, Groups. and the Superuser), chapter 5 (The UNIX filesystem), chapter 6 (defending Your Accounts), chapter 7 (TCP/IP services), chapter8 (Defending Your Accounts), chapter 10 (Auditing and Logging) chapter 20 (NFS Security) and chapter 23 (Wrappers and Proxies). They contain useful material and can serve as a good starting point for collecting additional information on the Net.

Shortcoming

I see the following shortcomings in the second edition:

Wrong views about level of the (in)security of UNIX in general and of free Unix clones specifically. Probably neither author read Winston Churchill commentary about capitalism (I do not remember exact wording, but it was something like "capitalism is a bad political system; the problem is that all others are even worse"). Value of the book is somewhat diminished by snobbish (and idealistic) remarks like "People designing software don't seem to be very good about learning from the past"(p.446). Two questions immediately arise "In what area humans are very good in learning from the past ? Who are this guys and what significant piece of software they have written, so that they have moral right to say that?".
Other interesting "revelation" in on page XV "... But the truth is, UNIX hasn't became significantly more secure with its increase in popularity, That's because fundamental flaws still remain in the interaction of the operating system and its users. The UNIX Superuser remains a single point of attack: any intruder or insider who can became the UNIX Superuser can take over the system, booby-trap its program...".

Simple question. What if UNIX is installed on CD -- they are really cheap now and one can make a new version each day ;-). How much damage to programs on CD can this evil Superuser inflict ? One does not even need CD. Just SCSI disk with read-only switch can help. Probably even BSD immutable attributes can be enough in most situations.

OK, let's assume that Unix is insecure, but what alternative is better. NT? I doubt, and authors need facts to prove that. NT is a very complex and controversial (driver model, Win32 subsystem, etc.) operating system. The behavior of the NT security system in such a complex environment is difficult to predict -- with BackOffice installed it looks like another "Alice's Adventures in Wonderland" story. Service packs break applications, and vice versa. If is always a mystery what version of DLL is installed, because each application can update them during installation. The system registry is an excellent illustration of the idea that the hell is paved with good intentions ;-). MVS? VM/CMS? VMS ? They all have problems. I am not a big UNIX specialist, but I know that Unix is much more dynamic in this respect that other OSes. Several new features that improve UNIX security were introduced in recent years. Among them pluggable password security modules that prevent user from selecting weak passwords, new configuration errors checking tools (Solaris now have one built-in), access control lists, new attributes (immutable and append only -- for sequentially written logs; on BSD once set, these flags can be reset only in a single-user mode), better protection against some attacks (for example FreeBSD 2.2.6. contains protection against various buffer overruns and "LAND attacks").

I was really surprised to read the "The many faces of 'Free Unix'" on page XXIV. It contains another "revelation" as "The Linux operating system makes things even more complicated. That's because Linux is an anarchic, moving target. There are many different versions of Linux. Some have minor differences, such as the installation of a patch or two. Other are drastically different, with different kernels, different driver software, and radically different security models". After reading about "radically different security models" and stances like "Today, the world of free Unix is a maelstrom. It's like if commercial UNIX was being promoted and developed by several thousand different vendors" I was ready to recycle the book. I beleave SUN does not need such advocates ;-). If they refer to MKLinux this is not fare. If they refer to x86 Linux this in simply wrong. IMHO official patches of the kernel are common for all x86 Linux distributions (this is the nature of Linux project -- kernel code is controlled by Linus Torvalds and he is the final authority that approved patches to the kernel, see for example his letter on the latest patch-2.0.33 ) and all versions of Linux come with GNU utilities which are more crash-resistant than implementations of commercial vendors. See for example:
- Fuzz Revisited: A Re-examination of the Reliability of UNIX Utilities and Services . Barton P. Miller, David Koski, Cjin Pheow Lee, Vivekananda Maganty, Ravi Murthy, Ajitkumar Natarajan and Jeff Steidl. (CS-TR-95-1268)
- An Empirical Study of the Reliability of Operating System Utilities . Barton P. Miller, Lars Fredriksen and Bryan So. (CS-TR-89-830)
Somewhat questionable view on distribution of security-related information. Notes to Computer Crackers (p.XXIX) do not inspire confidence. Any security-related information can be misused and the authors can do nothing about it. So what they mean by writing phrases like "We've tried to write this book in such a way that it can't be used easily as a "how-to" manual for potential system crackers. Don't buy this book if you are looking for hints on how to break into the systems" ? As for the quality information they are probably right, and I tend to agree that they partially succeed (see my remark on UNIX tools below). As for hints -- the whole book is one pretty detailed hint ;-). Or they meant Rootkit, Satan, etc.? That's naive. Who in the cracker world care much about such a book? Internet contains so much more up-to-date information on Unix (in)security that getting this book in order to break into a Unix system looks like pretty stupid method indeed. If the authors withhold information they withhold it from the good guys, bad guys will find in anyway, if they do not have it already and they have pretty good channels of collecting and redistributing such information.
No real understanding of trends in UNIX architecture and its ability to compensate for existing weaknesses. The authors just collected information in certain problem area, but do not see bigger picture behind individual flaws (see also Simson Garfinkel The Fundamental Flaws of Unix essay). IMHO the authors do not understand that the flexibility of Unix is a very important asset in security and modern versions of Unix(see for example Open Group CAE Specification: DCE 1.1: Authentication and Security Services) on modern hardware (for example installed on SCSI hard drives with remotely controlled read-only switch, etc.) are very competitive with other OSes (especially NT) as for achievable level of security.
The word "practical" in the tittle is a misleading. Much more correct title would be Unix Security Cookbook, Introduction to UNIX and Internet Security or even Unix Security for Dummies. The treatment of the subject is oriented for the audience that know little about Unix and paradoxically is in essence anti-Unix -- the authors does not rely on tools to check various Unix configuration problems and do not provide clear guidance as for what is the best tool(s) check and eliminate a particular configuration problem. Coverage of COPS, Tiger, ISS, Satan and other important tools is very weak. Even coverage of Tripwire (co-authored by Gene Spafford) is pretty much superficial. This "anti-tool" approach is probably the second major problem with the book. There are vast resources of security tools available for the UNIX sysadmins; some of the best are offered for free on the Internet. Regular usage of such tools make Unix much more secure. Regrettably they are generally ignored in the book. Also the authors seems do not understand that technical measures in one area do not improve security much if other areas are not addressed (the theory of the weakest link) and here tools like COPS Tiger, Satan are extremely useful. Without such tools people tend to do what is easy (for example to introduce new, more strict password policy or even one-time passwords) rather that what is really necessary but difficult -- keeping the system on the adequate patch level all the time and checking for configuration errors on a regular basis. I wonder whether one time passwords is a good idea on the systems that do not have all available patches installed.
Sometimes the authors uncritically reproduce questionable information. For example on p. 805 they repeat a warning about PKZIP30.EXE Trojan that became a hoax similar to PenPal, Good Times, Deeyenda and other hoaxes: "In the spring of 1995, a program called PKZIP30.EXE made its way around a variety of FTP sites on the Internet and through America Online. This program appeared to be the 3.0 beta release of PKZIP, a popular DOS compression utility. But when the program was run, it erased the user's hard disk." I would like to cite the following except from the CIAC Notes H-05 released November 20, 1996: "The PKZ300 Trojan is a real Trojan program, but the initial warning about it was released over a year ago. For information pertaining to PKZ300 Trojan reference CIAC Notes issue 95-10, that was released in June of 1995. http://ciac.llnl.gov/ciac/notes/Notes10.shtml. The warning itself, on the other hand, is gaining urban legend status. There has been an extremely limited number of sightings of this Trojan and those appeared over a year ago. Even though the Trojan warning is real, the repeated circulation of the warning is a nuisance. Individuals who need the current release of PKZIP should visit the PKWARE web page at http://www.pkware.com. CIAC recommends that you DO NOT recirculate the warning about this particular Trojan.". Probably the authors do not know about this advisory. And they never tried to correct this error in later printings.
The structure is poorly thought out. For example absence of a chapter on X Windows security in such a book is really strange. Another very important subject -- messaging -- is covered very superficially(see Actually Useful Internet Security Techniques for good coverage of this area). Chapters look isolated and IMHO one can read them in any order. Chapter on cryptography like several other chapters contain long and mostly irrelevant even for beginners introduction, several other chapters are slightly remote from the subject (law, physical security, personnel security, etc.). My impression is that authors lack practical experience of administering a Unix network in a large organization. That explains the absence of prioritization and several other problems with the structure and contents of the book.
The book is non system specific. Authors intentionally avoid providing any version specific information so there is no way to figure out is a particular systems has this flaw or not, or this flaw exists only in obsolete versions. With just five main system representing probably more than 80% of all UNIX installations (Linux, FreeBSD, Solaris, HP-UX and AIX) that seems to be a wrong approach Alternative approach -- identifying both common ground and differences worked well in Unix System Administration Handbook by Evi Nemeth and others (six flavors of UNIX were used: Solaris 2.4, SunOS 4.1.3, Irix 5.2, DEC OSF/1 2.0, HP-UX 9.0 and BSD 1.1).
Absence of references to relevant RFCs, FAQ and CERT advisories. For example RFC1244 (now superseded by RTC2196). At the same time chapter 2 (Policies and Guidelines) and chapter 24 (Discovering a Break-in) contain a material very similar to RFC1244. Generally the book provides very weak links to the common base of knowledge available on the Internet (including not only RTCs, but FAQs, and what is especially strange CERT advisories) and from that point of view can be judged as somewhat anti-Internet oriented. That somewhat diminish the value of the book.
The book lucks interesting examples/scripts in the text. Although one of the authors is a (former) programmer judging by just the book content it difficult to believe that he is able to spell PERL ;-).
Typesetting is primitive. Layout is essentially plain text with very limited attempts to provide side notes, highlight important thoughts, etc. This in unacceptable for an introductory book.

The most important problem is that the authors do not explain what tools to use and how to use them and what are reasonable priorities in UNIX security. For example they do mention that most of security problems are configuration problems, but only in passing. IMHO this should be the central theme of the book. I was unable to find The most difficult issue in UNIX security is to avoid introducing arbitrary and often unnecessary measures(for example "password fascism") that makes users less productive without influencing (or even making it worse) an overall security.

The book does not have Web page with updated WEB resources, but this is a minor fault as COAST archive can be used instead (there is a standard page on O'Reilly WEB site, it should be probably ignored). I would like to recommend course notes to the course LT 468 -- Internet and System Security, Dept. of Computer Sciences, Purdue University.

There are also some minor points. For example they consider UUCP not suitable for 14.4Kb or faster lines, which is not true. In Europe it is widely used (Taylor UUCP is probably the most common type of Internet connection in xUSSR and works well at 14.4Kb or faster lines). There is no "Recommended Supplementary Reading" information after each chapter.

Conclusions

The main question that needs to be answered is how well the book fare in comparison with RFCs and other materials freely available on the Net. The answer is that it is a useful starting point and contains basic information on a lot of aspects of UNIX security. One can get almost all information from the WEB, but with additional efforts.

The second question is how well the book fairs among other similar book. I would like to say that it is above average as for UNIX security (compare with Unix System Security by David A. Curry) and below average as for Internet/Web security.

Alternatives include combining one book on Unix security with a book on Internet security. I would reccomend the following book on Unix seciruty:

Unix System Security: A Guide for Users and System Administrators (Addison-Wesley Professional Computing Series) by David A. Curry. See also Improving the Security of Your UNIX System The "SRI Paper" that has been widely distributed around the Internet. It was written in 1990 and was a predecessor to the UNIX System Security book. David A. Curry is the author of UNIX Systems Programming for SVR4 and is also active tool developer (see his home page for the complete list). Among them are(description are borrowed from the author's page):

Sendmail-CF -- "A fully complete, fairly powerful, and reasonably generic sendmail configuration file. Fully documented and much easier
to understand than the stuff sendmail ships with",
Bind - "Patches to BIND 4.9.5-P1 to allow you to restrict the networks from which it will accept queries. This lets you run it on a firewall and know about both internal and external addresses, but protect the internal knowledge from the outside world".
NFSwatch -- "A program to monitor Network File System traffic on a network, and summarize it in a number of different ways, including by client, by file system, by server, etc."

As for Internet Security I would like to recommend:

Actually Useful Internet Security Techniques by Larry J. Hughes -- much better source of information on Internet security than this book. Contains chapters on Kerberos, Messaging, X-windows system and Satan and the list actually useful security tools (chapter12). It is more technical that PUIS and more based on tools-oriented approach to security.
Web Security : A Step-By-Step Reference Guide - Lincoln D. Stein (the author of WEB security FAQ); Paperback (see review in DDJ by Curtis D. Frye);
Internet Security: Professional reference ISBN: 156205760X; (similar to Actually Useful Internet Security Techniques; contains the chapters on SATAN, Kerberous, CGI security, although the book is somewhat spoiled by a long chapter written by Carey Nachenberg about computer viruses);
Internet Firewalls and Network Security by Karanjit, Ph.D. Siyan, Chris Hare
Web Security Sourcebook by Aviel D. Rubin, Daniel Geer, Marcus J. Ranum

Generally there are now a lot of comprehensive books on Internet/Web Security. Often books written by a specialist in a particular protocol can be a better deal that the book from security professionals (paraphrasing old saying about teaching one can say that "those who can -- write programs, those who cannot go to system administration and those who neither can write program nor perform system administration write books about computer security" :-). For example TCP/IP Network Administration by Craig Hunt contains a lot more information about how properly configure TCP/IP than PUIS and in Chapter 12 has a very decent overview of security in just 40 pages.

IMHO the book is best suited to the users with little or no programming experience (students, hobbyists, probably IS managers, etc.) and a limited exposure to UNIX. It is not the best book for professional UNIX system administrators, but still it's a well-written introductory book. IMHO to pretend that this is a professional reference was a major mistake made by the authors. All in all I would like to mark it with 7 on 10 grade scale.

Examples are available via FTP ftp.ora

Authors info:

Simson Garfinkel of The UNIX-Haters Handbook fame is a gifted journalist, columnist at WIRED Magazine. He recently created own his own ISP company(see www.www.vineyard.net) that in April, 1998 has approximately a hundred customers. So now he probably has some experience "from the trenches" unless due to his "unix_hatism" he use NT (see for example his "unix_hatist" essay The Fundamental Flaws of Unix -- the essay that surprisingly superficial and lucks understanding of current trends in UNIX architecture -- cornerstone of any such explore). Currently he is a a freelance technology writer working mainly in Wired. Some years ago he was an editor at SunExpert magazine. He graduated from MIT in '87 then was a Ph.D. candidate at the Media Lab from 90-91. Now he is resident of a little island off Massachusetts -- Martha's Vineyard. It isn't as exciting as everyone thinks to live of such an island, however. They don't even have a mall, and it probably gets mighty boring in the winter ;-).

He is the author of several other books:

NeXTStep Programming (with Michael K. Mahoney, Springer-Verlag 1993);
PGP: Pretty Good Privacy (O'Reilly, 1995);
Web Security & Commerce (Nutshell Handbook) again with Gene Spafford (O'Reilly, 1997).

See also Amazon.com Author Interview -- Amazon.com talks to Simson L. Garfinkel. In this interview to amazon.com he told "...I think that the biggest issue facing our society today is the lack of rational design, peer review, and common sense that is going into technological systems.". This is of course true, but to a certain extent applied to his books ;-).

Eugene H. Spafford (Dept. of Computer Sciences, Purdue University) probably belong to the "computer security establishment". He is a professor of Computer Sciences (according to his vita since 1979 he has taught courses in OS, compiler and language design, computer security, computer architecture, software engineering, networking and data communications, and somewhat alarming ;-) on issues of ethics and professional responsibility), the founder and director of the Computer Operations, Audit, and Security Technology (COAST) Laboratory (that maintains the world's largest archive on computer security).

He seems published all his books with co-authors, most frequently with Simson Garfinkel. Some materials on his page are rather outdated (probably 1996) but it seems that till 1996 he lead Purdue Security Seminar -- semi-regular, informal seminar on issues of computer security and taught course CS 590T -- Penetration Analysis. His resume shows that he probably switched to mainly managerial duties connected with COAST approximately from 1993. An interesting project that he was involved was the Spyder Project concerned with research into new methods of debugging software. He was also participated in design of the current naming structure of Usenet. For 11 years, he updated the news.announce.newuser and posted them to the Usenet. In 1993, he retired from the task. Here is the collection of quotes that can probably give some insights into his personality. He also manage Web-head list. He definitely has a good sense of humor.

Somewhat alarming is the fact that he claims to be a co-author of a book on computer viruses (Eugene H. Spafford, Kathleen A. Heaphy, and D. J. Ferbrache; Computer Viruses: Dealing with Electronic Vandalism and Programmed Threats; ADAPSO, Arlington, VA; 123 pages; 1989). I am generally very skeptical about people who ever wrote a book about computer viruses, especially if they have co-authors ;-). But while probably not an active fighter and definitely not an active writer (all books published with co-authors), Prof. Spafford seems to be an eminent collector of security-related information and his major achievement -- the COAST archive is really important.

Other reviews available:

GTER Vol. 4, Issue 4, May 1, 1997

DDJ December '94

Practical Unix and Internet Security Second Edition -- review by Dan Wilder Linux Journal #34 Feb.1997

Table of Contents
Preface
I. Computer Security Basics
1. Introduction
2. Policies and Guidelines
II. User Responsibilities
3. Users and Passwords
4. Users, Groups, and the Superuser
5. The UNIX Filesystem
6. Cryptography
III. System Security
7. Backups
8. Defending Your Accounts
9. Integrity Management
10. Auditing and Logging
11. Protecting Against Programmed Threats
12. Physical Security
13. Personnel Security
IV. Network and Internet Security
14. Telephone Security
15. UUCP
16. TCP/IP Networks
17. TCP/IP Services
18. WWW Security
19. RPC, NIS, NIS+, and Kerberos
20. NFS
V. Advanced Topics
21. Firewalls
22. Wrappers and Proxies
23. Writing Secure SUID and Network Programs
VI. Handling Security Incidents
24. Discovering a Break-in
25. Denial of Service Attacks and Solutions
26. Computer Security and U.S. Law
27. Who Do You Trust?
VII. Appendixes
App. A: UNIX Security Checklist
App. B: Important Files
App. C: UNIX Processes
App. D: Paper Sources
App. E: Electronic Resources
App. F: Organizations
App. G: Table of IP Services
Index

Full Table of content

Copyright 1998, Dr. Nikolai Bezroukov. Standard Disclaimer applies. This review is distributed under GNU copyright license as a service to the UNIX community in general and to Linux users in particular.