RH253 Unit 1 System Performance and Security

最新推荐文章于 2024-09-25 11:06:23 发布

weixin_34082177

最新推荐文章于 2024-09-25 11:06:23 发布

阅读量109

点赞数

文章标签：数据库

原文链接：http://blog.51cto.com/jackiechen/203808

版权

Objectives

Upon completion of this unit, you should be able to:

1) Understand system performance security goals

2) Describe security domains

3) Describe system faults

4) Explain system fault analysis methods

5) Explain benefits of maintaining system state

6) Describe networking resource concerns

7) Describe data storage resource concerns

8) Describe processing resource concerns

9) Describe log file analysis

System Resources as Services

1) Comuting infrastructure is comprised of roles

- system that serve

- sytems that request

2) System infrastructure is comprised of roles

- Processes that serve

- processes that request

3) Processing infrastructure is comprised of roles

- account that serve

- accounts that request

4) System resources, and their use, must be accounted for as policy of securing the system

Security in Principle

1) Security Domains

- Physical

- Local

- Remote

- Personnel

Security in Practice

1) By design, the system serves available resources

2) By policy, the system preserves available resources

3) Host only services you must, and only to those you must

4) Monitor system resources for vulnerabilities and poor performance

Security Policy: the People

1) Managing human activities

- includes security policy maintenance

2) Who is in charge of what?

3) Who makes final decision about false alarms?

4) When is law-enforcement notified?

Security Policy: the System

1) Managing system activities

2) Regular system monitoring

- Log to an external server in case of compromise

- Monitor logs with logwatch

- Monitor bandwidth usage inbound and outbound

3) Regular backups of system data

Responese Strategies

1) Assume suspected system is untrustworthy

- Do not run programs from the suspected system

- Boot from trusted media to verify breach

- Analyze logs of remote logger and “local” logs

- Check file integrity against read-only backup of rpm database

2) Make an p_w_picpath of the machine for further analysis/evidence-gathering

3) Wipe the machine, re-install and restore from backup

System Faults and Breaches

1) Both effect system performance

2) System performance is the security concern

- a system fault yields an infrastructure void

- an infrastructure void yields opportunity for alternative resource access

- an opportunity for alternative resource access yields unaccountable resource access

- an unaccountable resource access is a breach of security policy

Method of Fault Analysis

1) Characterize the problem

2) Reprodue the problem

3) Find further information

Fault Analysis: Hypothesis

1) Form a series of hypotheses

2) Pick a hypothesis to check

3) Test the hypothesis

Method of Fault Analysis, continued

1) Note the result, the reform or test a new hypothesis if needed

2) If the easier hypothese yield no positive result, further characterize the problem

Fault Analysis: Gathering Data

1) strace command

2) tail –f logfile

3) *.debug in syslog

4) –debug option is application

Benefit of System Monitoring

1) System performance and security may be maintained with regular system monitoring

2) System monitoring includes:

- Network monitoring and analysis

- File system monitoring

- Process monitoring

- Log file analysis

Network Monitoring Utilities

1) Network interface (ip)

- Show what interfaces are available on a system

2) Port scanners (nmap)

- Show what services are available on a system

3) Packets sniffers (tcpdump, wireshark)

- Store and analyszed all network traffic visible to the “sniffering” system

Networking, a Local view

1) The ip utility

- Called by intialization scripts

- Greater capability than ifconfig

2) Use netstat –ntaupe for a list of:

- active network servers

- established connections

Networking, a Remote view

1) nmap reports active services on ports open to remote connection attempts

- Advanced scanning options available

- Offers remote OS detection

- Scan on small or large subnets

2) Do not use without written permission of the scanned system’s admin!

3) Graphical front-end available (nmapfe)

File System Analysis

1) Regular file system monitoring can prevent:

- Exhausting system resources

- Security breaches due to poor access controls

2) File system monitoring shoudl include:

- Data integrity scans

- Investigating suspect files

3) Utilies: df, du

Typical Problematic Permissions

1) Files without known owners may indicate unauthorized access:

- Locate files and directories with no user or group entries in the /etc/passwd file: find / \( –nouser –o –nogroup \)

2) Files/Directories with “other’ write permission (o+w) may indicate a problem

- Locate other-writable files with: find / –type f –perm –002

- Locate other-writable directories with: find / –type d –perm –2

Monitoring Processes

1) Monitoring processes to determine:

- Cause of decreased performance

- If suspicious processes are executing

2) Monitoring utilities

- top

- gnome-system-monitor

- sar

Process Monitoring Utilities

1) top

- view processor activity in real-time

- interactively kill or renice processes

- watch system statistics update through time, either in units or cumulatively

2) GUI system monitoring tools

- gnome-system-monitor: GNOME process, CPU, and memory monitor

- kpm: KDE version of top

System Activity Reporting

1) Frequent reports, over time

- cron spawn sa1 and sa2

- sar reads and generates “human friendly” logs

2) Commonly used for performance tuning

- more accurate statistics

binary “database” collection method

regular intervals

3) Evidence of pattern establishes “normal” activity

Managing Process by Account

1) Use PAM to set controls on account resource limits:

- pam_access.so can be used to limit access by account and location

- pam_time.so can be used to limit access by day and time

- pam_limits.so can be used to limit resources available to process

System Log Files

1) Why monitor log files?

2) Which logs to monitor?

3) Logging services: