Linux Tutorial - Security - What You Can Do About It - The Official Word

The Official Word

There are several organizations and agencies that deal with computer security issues. Perhaps the most widely known is the Computer Emergency Response Team (CERT) at Carnegie-Mellon University. They serve as a clearinghouse for known security problems for most common operating systems. They regularly issue CERT Advisories that detail the steps necessary to correct security problems, without revealing too much about how to use the problem to break in. For details, check out their web site: www.cert.org.

One organization that is vital for the security of your system is your own management. They have to take an active, if not pro-active, stance in promoting security on your system. It is up to them to define what security means for the company and how important it is. In addition, they must give you, as system administrator, all the tools necessary to put these goals into effect.

Security and Network Policies

A security policy is a set of decisions that collectively determine an organization's posture toward security. This not only includes what is and what is not acceptable behavior, it also defines what actions are taken when the policy is violated. A network policy defines what is acceptable when using the Internet. They cover different areas, but are very much intertwined.

Before you define a security policy you need to define your security stance. This is more or less decided by your company's attitude on security. If you believe that everyone should have access to everything and nothing will be limited, your security policy will be significantly different than if you want security above all, no matter how inconvenient it is for your users.

It's often difficult to define what is considered "acceptable" behavior. Some companies give their employees the freedom to hang themselves. That is, they have complete access to the Internet, including email, WWW, ftp and so on. If the company discovers that they spent all their time downloading games and not working, they get a warning, a reprimand and finally termination. On the other end of the scale, some companies say that a computer is for company business and will not be used at all for personal use, even if it means you can't get email from your brother.

One thing I feel should be in there no matter what end you are on is that you must clearly state that employees' activity on the Internet should present the "proper" image for the company. I had to put the word "proper" into quotes, because this will obviously be different from company to company.

I worked in two places that were very similar on the surface. Father-Son businesses, both with about 1500 people worldwide. One was very rigid and formal ("Good morning, Mr. Smith") and the other was very laid back ("Mornin' Tom, how's it going?"). What was proper in one place was not in the other. On a business trip to Australia, I was told that when you call someone Mr. or Mrs. you are angry or upset or want to be sarcastic.

The first step in defining either your security or Internet policy is to define what is and what is not permitted. Spell it out in clear text, so that everyone knows what it means. To make things easier, and perhaps the list smaller, you could simply define the "don'ts": define what is not permitted. This could include the hours during which Internet activity is not allowed and the types of material that cannot be brought into the company (e.g. pornography, pirated software).

Also part of the security policy should be what protocols and programs you are going to allow. If you are only going to allow outbound connections, then the policy should state this. If inbound connections are okay, what protocols can be used? Are incoming ftp and HTTP connections okay, but not incoming telnet? If so, this needs to be spelled out in the security policy.

A key aspect of your security policy is your stance on passwords. If you have decided that passwords are to be a specific length and cannot have specific contents (such as the user's first name or spouse's name) this needs to be spelled out.

The policy should also define the system administrator's responsibility. On a Linux system it's a simple matter to change the source code of the passwd program so that it checks new passwords against a list of unauthorized passwords, or manipulates the password so that unauthorized passwords spelled backwards are caught as well. If necessary, the security policy can state that it is the system administrator's responsibility to ensure that such passwords cannot be used. This can be easily accomplished by using the npasswd program.
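The checks described in the last two paragraphs (length, forbidden contents such as the user's first name, a list of unauthorized passwords, and the same words spelled backwards) can be sketched as follows. This is an added example, not code from the passwd or npasswd sources; the minimum length of 8, the deny list and the substitution table are assumptions made for illustration.

```python
import re

MIN_LENGTH = 8  # assumed policy value; the page does not give a number

# Constructed deny list standing in for the site's list of unauthorized passwords.
DENY_LIST = {"password", "letmein", "qwerty", "welcome"}

# Common digit/symbol-for-letter substitutions, undone before comparison.
_SUBSTITUTIONS = str.maketrans("013457@$!", "oleastasi")


def _normalize(text):
    """Lower-case, undo simple substitutions, then keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(_SUBSTITUTIONS))


def check_password(candidate, personal_names,
                   deny_list=DENY_LIST, min_length=MIN_LENGTH):
    """Return a list of policy violations; an empty list means acceptable.

    personal_names: strings tied to the user (login, first name,
    spouse's name) that the policy forbids inside a password.
    """
    problems = []
    if len(candidate) < min_length:
        problems.append("too short")

    core = _normalize(candidate)
    forbidden = {_normalize(word) for word in deny_list}
    # Ignore very short names, which would match almost anything.
    names = {_normalize(n) for n in personal_names if len(_normalize(n)) >= 3}

    for label, words in (("deny-listed word", forbidden),
                         ("personal name", names)):
        for word in words:
            # Reject the word itself and the word spelled backwards.
            if word and (word in core or word[::-1] in core):
                problems.append(f"contains {label}")
                break
    return problems
```

A wrapper around the password-change program would refuse the new password whenever the returned list is not empty and show the reasons to the user.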

Have your company management sign a password security policy and make all employees sign it as well. This policy should specifically define what is unacceptable behavior when dealing with passwords. Make sure that the employee is aware of the consequences of violating this policy, such as letters of reprimand and even immediate termination. Users must be told that they will be held accountable for actions taken by anyone using their account.

At first, termination might seem a little harsh for a person who gives his password to someone else in the same department, for example. However, there is no need to give it out. If that other person really needs access to the data, either the permissions on the file should be set or the file should be copied to a common area. If access to the account is necessary, have their supervisor or someone else who is known to the system administrators call. The sysadmin will either copy the file, change permissions or change the password to something known (in accordance with the company password policy). This password will then be changed again when the account is no longer needed.

Users must keep their passwords to themselves, and passwords must never be written down anywhere. This includes blotters, calendars, post-its and especially files on the computer. The hacker in The Cuckoo's Egg scanned email files and found one where the user was telling a co-worker his password.

Users must change their password from time to time. Certain dialects of UNIX can force users to change their passwords. If the version of Linux you have cannot, you could implement a program that checks for specific dates and then notifies users. One possibility is to send mail to half the employees one month and the other half the next month.

However, users must know never to reset passwords to specific values based on email they have received. This guards against a hacker who compromises the mail system and sends such a message to an unsuspecting user. Would your users be able to recognize mail that doesn't come from a real administrator? All your mail should do is say that the password time has expired and that it should be changed. If the user gets a message to change it to a specific password, then it didn't come from an administrator.
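A reminder program along the lines described above, as an added example that is not part of the original tutorial: it reads /etc/shadow-style lines (the third field is the day of the last password change, counted from 1 January 1970), mails only half of the users in any given month, and builds a notice that never contains a password. The 90-day limit, the alternation by position in the sorted user list and the sample lines are assumptions.

```python
from datetime import date, timedelta

MAX_AGE_DAYS = 90        # assumed policy value
EPOCH = date(1970, 1, 1)

# Constructed /etc/shadow-style lines: name:hash:day-of-last-change:...
SAMPLE_SHADOW = """\
alice:$6$x$constructed:19000:0:99999:7:::
bob:$6$x$constructed:19700:0:99999:7:::
carol:$6$x$constructed:19050:0:99999:7:::
dave:!:19010:0:99999:7:::
"""


def parse_last_change(shadow_text):
    """Map user -> date of last password change; skip locked accounts."""
    users = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue                      # malformed or never-set entry
        if fields[1].startswith(("!", "*")):
            continue                      # locked account, nobody to remind
        users[fields[0]] = EPOCH + timedelta(days=int(fields[2]))
    return users


def due_this_month(users, today, max_age=MAX_AGE_DAYS):
    """Users with a stale password whose half of the list is up this month."""
    turn = today.month % 2                # alternate halves month by month
    return [user for i, user in enumerate(sorted(users))
            if i % 2 == turn and (today - users[user]).days > max_age]


def build_notice(user, last_change):
    """Say only that a change is due; never name a password to set."""
    return (f"To: {user}\n"
            "Subject: Password change due\n\n"
            f"Your password was last changed on {last_change.isoformat()}.\n"
            "Please choose a new one yourself with the passwd command.\n"
            "Administrators will never send you a password to set.\n")
```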


Copyright 2002-2009 by James Mohr. Licensed under modified GNU Free Documentation License (Portions of this material originally published by Prentice Hall, Pearson Education, Inc). See here for details. All rights reserved.