Summary

This chapter discussed fundamental concepts in system security. When considering security, begin by securing the hardware in a secure location. Remember: Anyone who has physical access to the computer can access the operating system and data, regardless of how secure you’ve made everything else.

Keep your data secure by controlling the user logins on the system. Make sure that users have secure passwords and are not making their logins and passwords public. Implement password aging and restricted shells where they make sense.

Set up file and directory permissions to ensure that users have access to only the data that they are authorized to see. Utilize secure umask values and, if necessary, ACLs. Monitor all user activities using the Solaris utilities described in this chapter. Finally, do not set setuid and setgid permissions unless absolutely necessary.
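The permission checks summarized above (secure umask values, and setuid/setgid and world-writable files kept to a minimum) can be scripted as a routine audit. The following is an added example in POSIX sh, not code from the book; it assumes a find(1) that accepts the `-perm -mode` form (Solaris and GNU find both do), and the demonstration tree it creates under `mktemp -d` is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the book: a small permission audit in POSIX sh.
# It lists setuid/setgid files and world-writable entries under a directory,
# and checks whether an octal umask value masks out group- and world-write.
# Assumes find(1) supports "-perm -mode" (Solaris and GNU find do).
# The files created in the "demo" usage at the bottom are constructed.

# Print regular files under $1 that carry the setuid or setgid bit.
list_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Print files and directories under $1 that are writable by "other".
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print 2>/dev/null
}

# Return 0 if the octal umask in $1 clears both group-write and other-write
# (e.g. 022, 027, 077); return 1 otherwise (e.g. 002, 000).
umask_is_secure() {
    # A leading 0 makes the shell parse the value as octal.
    mask=$(( 0$1 ))
    [ $(( (mask & 022) == 022 )) -eq 1 ]
}

# Constructed demonstration: run as "sh audit.sh demo".
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    touch "$d/suid_prog" "$d/shared_notes" "$d/plain"
    chmod 4755 "$d/suid_prog"      # setuid bit on a constructed file
    chmod 666 "$d/shared_notes"    # world-writable
    chmod 644 "$d/plain"           # ordinary, unremarkable
    echo "setuid/setgid files:";  list_setid_files "$d"
    echo "world-writable entries:"; list_world_writable "$d"
    umask_is_secure 022 && echo "umask 022: acceptable"
    umask_is_secure 002 || echo "umask 002: too permissive"
    rm -rf "$d"
fi
```

Run `list_setid_files /` and `list_world_writable /` periodically and compare the output against a saved baseline: a new setuid binary or a newly world-writable directory is exactly the kind of change the chapter tells you to watch for.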

If your system is on a network, implement the network security measures that were described in this chapter. Turn off unneeded services. Use the “deny first, then allow” rule. In other words, turn off as many services and applications as possible, and then selectively turn on those that are essential. Utilize trusted systems carefully. Also, keep your operating system security patches up to date. As new threats are discovered, they are quickly fixed through a security patch. Chapter 12, “Software Package Administration,” describes the process of obtaining and loading system patches.
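The “deny first, then allow” rule can be applied mechanically to a service list. The following is an added example, not code from the book: it takes an inetd.conf-style file (first field is the service name, as in the classic format), comments out every service line, and re-enables only the names on an explicit allowlist. The sample configuration in the demonstration is constructed and does not describe any real host.

```shell
#!/bin/sh
# Added example, not from the book: "deny first, then allow" for an
# inetd.conf-style service list. Every service line is disabled unless its
# service name (first field) appears in the allowlist. The sample file in
# the "demo" usage is constructed for illustration.

# Write $1 to stdout with all service lines commented out except those whose
# first field is listed in $2 (space-separated service names).
harden_inetd_conf() {
    awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) keep[a[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }   # comments and blank lines pass through
        ($1 in keep)             { print; next }   # explicitly allowed: stays enabled
                                 { print "#" $0 }  # everything else: denied
    ' "$1"
}

# Print the names of services still enabled (uncommented) in $1.
enabled_services() {
    awk '!/^[ \t]*#/ && NF { print $1 }' "$1"
}

# Constructed demonstration: run as "sh harden.sh demo".
if [ "${1:-}" = "demo" ]; then
    conf=$(mktemp)
    printf '%s\n' \
        '# constructed inetd.conf sample' \
        'ftp     stream  tcp  nowait  root    /usr/sbin/in.ftpd     in.ftpd' \
        'telnet  stream  tcp  nowait  root    /usr/sbin/in.telnetd  in.telnetd' \
        'finger  stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd' \
        'shell   stream  tcp  nowait  root    /usr/sbin/in.rshd     in.rshd' > "$conf"
    echo "before:"; enabled_services "$conf"
    echo "after (allowlist: ftp):"
    harden_inetd_conf "$conf" "ftp" | tee "$conf.new" | grep -v '^#'
    rm -f "$conf" "$conf.new"
fi
```

Review the `enabled_services` output of the hardened file before installing it; the allowlist should contain only services with a documented need, and the original file is kept so the change can be reversed.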

Lastly, secure the superuser password. Keep it under tight control and make sure that it is never made available to anyone except those who are authorized. Use the superuser login only when the task to be performed requires root privileges.

Although system crackers seem to always find new ways to break into systems, the concepts described in this chapter provide a strong defense against an attack. Refer back to Chapter 13 for putting these concepts to practical use as you set up and manage user accounts.

In the next chapter, I’ll describe role-based access control (RBAC), which is a great alternative to giving out the root password to system operators and junior-level administrators.
