Posted: Wed Apr 21, 2004 5:00 am Post subject: Book Review - Linux Security Cookbook
Linux Security Cookbook
Author(s): Daniel J. Barrett, Richard E. Silverman & Robert G. Byrnes
Date Published: 2003
Book Specifications: Softcover, 311 pages
Category: Security and System Administration
Publisher's Suggested User Level: Intermediate
Reviewer's Recommended User Level: Intermediate
Suggested Publisher Price: $39.95 US / $61.95 CDN / £28.50 UK
Blurb from back cover:
Computer security is a complex process, but our easy-to-follow recipes can help improve the security of any Linux system. Need a quick way to send encrypted email within Emacs? Want to restrict access to your network services at particular times of the day? Firewall your web server? Sniff your network? Set up public-key authentication for SSH? Linux Security Cookbook reveals the exact commands and configuration-file entries to accomplish these vital tasks, one step at a time, so you don't have to wade through dozens of manpages. This book is filled with practical, security-related recipes for intermediate-level Linux users and system administrators.
Computer security can be a daunting subject. You have to think of everything, or someone else will. If you administer any Linux systems, following the recipes in this book can avert a potential disaster.
This book is for someone who asks a lot of "How do I...?" questions. It's separated into chapters of related recipes which answer very specific and very small questions. The book is designed so you can pick it up, flip to a random page and begin reading; recipes can be read independently, and they don't rely on anything learned from past recipes to show you how to do something. It's important to note that these recipes only skim the surface of the subject they cover; they don't even pretend to be in-depth articles. They do, however, do an excellent job of making sure you know where to get more information and always have a list of related man pages. The book assumes you are at least a competent Linux user. It will not stop and explain how to set an environment variable. If you're new to Linux, this book will be difficult to follow.
Content and Overview
The book is organized into nine chapters of related recipes. Each chapter is composed of an introductory section which gives a broad overview of the subject, then each following section is a recipe which solves a problem or accomplishes a task. The first three chapters are intended to be read entirely as they cover subjects the authors deem the most important. Each of the chapters starts with the most mundane, simple tasks and progresses gradually to complex, often extreme, solutions for the truly paranoid. For example, the first chapter, System Snapshots with Tripwire, starts off by showing you how to make the initial database of file attributes. It then progresses slowly to the creation of a bootable CDROM to run checks on your possibly compromised system safely. Many of the recipes in this book will not be needed for the average user, but since any chapter can be safely skimmed or skipped, this is not a problem.
The first chapter will take you through the installation and configuration of Tripwire, the initial creation of Tripwire's database files, and other basic tasks such as checking for alterations, updating the database and safe storage of the database and configuration files. Also covered are issues with VFAT filesystems, alternatives to Tripwire using rsync and RPM, and as mentioned before, several extreme solutions for the ultra-paranoid.
The second chapter covers firewalls with either iptables or ipchains. The complex syntax of these programs is handled nicely to present the needed information, and the recipes cover the most common uses for firewalls, but the chapter goes out of its way to make sure you know that the subject is broad and you should seek more information.
Chapter three covers inetd and xinetd almost exclusively. Common tasks like adding or removing a service, as well as uncommon tasks like redirecting a service to another port are covered.
Chapter four covers PAM, SSL and Kerberos. Chapter five covers techniques for sharing root privileges between a group of users, sharing files between users, and covers sudo nicely. Chapter six deals with SSH almost exclusively but leaves much to be desired if you don't know SSH in the first place. However, it does recommend SSH: The Definitive Guide (the Snail book), a must for anyone working with SSH. Chapter seven covers file permissions and encryption with GPG. Chapter eight tells how to use PGP or GPG with a variety of email clients for encrypting or signing email messages, as well as how to decrypt and authenticate signed email messages by hand. Chapter nine is the largest with 42 recipes and ranges from log watchers and snort to what you should do if you are hacked.
Style and Detail
Each chapter stays on topic and the recipes are short, precise and easy to follow. In-depth information is lacking, but references to in-depth information are abundant. Each recipe is broken into Problem, Solution and Discussion sections and the longest recipes are all of 3 pages. The information is quite dry; there are no cute jokes or word play as the intent is to keep the recipes short and to the point, and it works well.
There are not many tips or warnings around, which helps to keep each recipe in its own small section, but there are a few page-long side notes that shed a little light on some things you may be scratching your head about. There are not many tables, but there's plenty of very useful code. Plenty of stones are left unturned in the recipes, but they hit all the big ones.
The intent of this book is to provide solutions to common problems and tasks without you digging through pages of documentation. At this, it succeeds admirably, but it could have covered more ground. Mail filtering to keep your mail server from getting hammered by spam and viruses, and physical security, would be good additions. Apache is barely mentioned; how to turn off CGI, add .htaccess authentication and remove directories from the web path would be good additions as well. Even a section on desktop-oriented activities would have fit well, things like cookie management with common browsers and X Windows security and access control. In the end, the book is good; it does a good job at everything it covers, but it's a bit light. After I finished reading it, I was left wondering why there wasn't more.
This book receives an honored SFDC Rating of 7/10.
- Michael Morin
Keywords: Linux, Security, System Administration, Review, UziMonkey
This review is copyright 2004 by the author and Security-Forums Dot Com, and may not be reproduced in any form in any media without the express permission of the author, or Security-Forums Dot Com.
Last edited by UziMonkey on Wed Apr 21, 2004 6:08 am; edited 1 time in total