Administrator's Guide

5.10 Controlling File Security on a Network
From the perspective of security, networked systems are more vulnerable than standalone
systems. Networking increases system accessibility, but also adds greater risk of security
violations.
Although you cannot completely control security over the network, you can control the
security of each node on the network to limit penetration risk without reducing the
usefulness of the system or user productivity.
Ensure that all network administration programs are owned by a protected,
network-specific account, such as uucp, nso, or daemon, rather than by root.
5.10.1 Check Permission Settings on Network Control Files
The modes, owners, and groups on all system files are set carefully. Check these files
regularly for any changes, and note and correct any deviation from the original values.
Pay particular attention to the network control files in the /etc directory. These files are
of notable interest to those attempting to gain unauthorized access, because they provide
access to the network itself. Network control files should never be writable by the public.
These files include:
exports       List of file systems being exported to NFS clients
hosts         Network hosts and their addresses
hosts.equiv   Remote hosts allowed access equivalent to the local host
inetd.conf    Internet configuration file
netgroup      List of networkwide groups
networks      Network names and their addresses
protocols     Protocol name database
services      Services name database
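The following script is an added example, not part of the guide: it records the mode, owner, and group of the network control files listed above, flags any that are writable by the public, and diffs a later snapshot against a saved baseline so changes can be noted and corrected. The directory argument is normally /etc; the function names are the example's own.

```sh
#!/bin/sh
# Added example, not from the guide: audit the network control files listed
# above for public write permission and compare them against a saved baseline.
# The directory argument is normally /etc; tests use a constructed directory.

NETWORK_CONTROL_FILES="exports hosts hosts.equiv inetd.conf netgroup networks protocols services"

# Print "name mode owner group" for each control file in directory $1.
# ls -l is used rather than stat because its first four columns are portable.
snapshot_modes() {
    dir=$1
    for f in $NETWORK_CONTROL_FILES; do
        if [ -e "$dir/$f" ]; then
            ls -ld "$dir/$f" | awk -v n="$f" '{print n, $1, $3, $4}'
        else
            echo "$f MISSING - -"
        fi
    done
}

# Report every control file in $1 whose mode grants write permission to the
# public (the 9th character of the mode string). Returns 1 if any is found.
check_public_write() {
    dir=$1
    rc=0
    for f in $NETWORK_CONTROL_FILES; do
        [ -e "$dir/$f" ] || continue
        mode=$(ls -ld "$dir/$f" | awk '{print $1}')
        case "$mode" in
            ????????w?*) echo "$f $mode"; rc=1 ;;
        esac
    done
    return $rc
}

# Diff the current snapshot of directory $2 against baseline file $1
# (written earlier with snapshot_modes). Prints changes; returns 1 if any.
compare_baseline() {
    snapshot_modes "$2" | diff "$1" -
}

# Command-line use: ./netfiles.sh /etc            (check for public write)
#                   ./netfiles.sh /etc baseline   (diff against saved baseline)
if [ $# -eq 1 ]; then
    check_public_write "$1"
elif [ $# -eq 2 ]; then
    compare_baseline "$2" "$1"
fi
```

Save the first snapshot with `snapshot_modes /etc > baseline` right after installation, and run the comparison from cron so that any change in mode or ownership is reported.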
5.10.2 Files Mounted in an NFS Environment
A Network File System (NFS) provides the following conveniences:
- Saves file space.
- Maintains consistent file usage.
- Provides a lean cooperative user environment.
NFS streamlines file sharing between server and client systems by controlling access via
the /etc/exports file. Entries in /etc/exports provide permission to mount a file
system existing on the server onto any client machine or specified list of machines. When
a file system is put into /etc/exports, the information is available to anyone who can
do an NFS mount. Thus, the NFS client user can access a server file system without having
logged in to the server system. See exports(4) for information on controlling access to
exported file systems and see Section 5.10.2.3 for security guidelines.