The only secure computer is one that can't be turned on. If you
turn it on, it can be used. If it can be used, someone unauthorized might
use it. If you connect it to a modem or network, any number of people
can use it. Preventing unauthorized use of the computer and unauthorized
access to the data is one of the most important jobs of a system administrator.

Unauthorized access is not the exclusive domain of international
spies. It is more likely that someone will breach your system's security
from within. So, if you really want to detect all breaches, you must
watch access to your system from the inside and the outside. To paraphrase:
while a system administrator rarely needs to be paranoid, that doesn't mean
someone isn't out to get your data.

In this issue we present several ways to make your system more secure.
Chris Hare discusses C2 class trusted systems based on the Department of
Defense's Orange Book. Many UNIX vendors include C2 with their distributions,
yet some system administrators install it thinking This Is Good while others don't
install it thinking This Is Going To Get In My Way, neither group always knowing
what C2 is about. In another article, Don Pipkin shows you how you can
selectively apply super-user privileges. Larry Reznick details a method for dealing
with unsecured, idle workstations, and Bill Rieken presents several security
techniques every system administrator can use.

The basis for building a secure system is to think carefully about who has access to
your system and to your files, both inside and outside of your company. You'll also
need to think about permissions, distributed read/write device access, and availability,
then review the security features your system offers and decide which should be
implemented. You may want to apply the security techniques your fellow administrators
have contributed to this issue. And if you have solved a security problem or found a
technique that reduced the vulnerability of your system, write us. Tell us about it.
We can all benefit from the problems and solutions you've found.

email@example.com ("...!uunet!rdpub!saletter")