Mastering FreeBSD and OpenBSD Security
By Yanek Korff, Paco Hope & Bruce Potter
Review by David Bogen
Remember those days gone by when securing your BSD system meant making sure someone wasn't running a dictionary attack on your /etc/passwd file? Since then, the world has moved on, and three authors have combined their knowledge to give us 413 pages of reminders of just how far it has gone. Mastering FreeBSD and OpenBSD Security (ISBN: 0-596-00626-8) by Yanek Korff, Paco Hope & Bruce Potter covers not just securing your password file (which is still good security practice), but also running intrusion detection systems, securing your mail transfer agent, walling off vulnerable web services, and other security practices common in this time.

A problem faced by many authors writing books about freely available software is where the book should stop and the on-line documentation should begin. After all, no book publisher these days is falling all over themselves to simply reprint an on-line HOWTO. How can they compete with free? Korff et al. clearly walked that fine line when putting together their book. Their explanatory text and examples for writing a pf ruleset run about two pages. That's not much of an introduction to the configuration of this complex and powerful piece of software. However, there isn't much to be gained from reprinting the copious on-line documentation. So, the authors outline a few tips and tricks and point the reader towards the on-line documentation, which is noted in the Resources section at the end of the chapter.

Most of the book mirrors the format of the chapter about firewalls. Rather than writing a detailed HOWTO for every subject in the book, the authors introduce the concept, give a rough overview of the landscape, and hand the reader a map to enable further exploration. For most readers, this format works. If the reader is truly interested in a subject, the Resources section at the end of each chapter offers pointers to further information on-line. If the reader couldn't care less about Nagios, for instance, they're not burdened with 75 pages of explanation about configuration options. For those dying to read more about Nagios, the authors send readers to the Nagios home page for further edification.

If you buy this book looking for a detailed, step-by-step account of how to secure your network, you will probably be disappointed. No one would describe me as an inexperienced administrator, but when I attempted to follow the information in chapter 7 to secure Apache in a jail on FreeBSD, it took hours and the book, quite frankly, wasn't much help. Between the book, on-line documentation, and my own experience I eventually got it working, but if I had relied entirely on the book for hand-holding I'd still be working on the problem today.

Hand-holding isn't the book's strength, or even its focus, however. The book forces administrators to really think about security. For instance, the authors' reminder that vi and other editors can spawn subshells with the uid of the original process is a good reminder for admins to consider all actions that an application can take before granting users sudo rights. The authors' description of how or why you might want to remove the CD9660 option from your custom FreeBSD kernel configuration, and what effect this change will have on your system depending on the current securelevel, is a good example of thinking about all aspects of security, including physical security.

Ultimately, while the book has a few warts, it is a worthy addition to system administrators' bookshelves. Korff, Hope & Potter have produced a book that should help administrators secure their systems both now and in the future.
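The point about editors spawning subshells under sudo is easy to audit for. The script below is an added example written for this review, not code from the book or from the sudo project: it reads sudoers-style rules and flags any rule that hands a user an editor (or a shell) as root without sudo's NOEXEC tag and without going through sudoedit, which are the two standard ways to keep an editor from turning into a root shell. The sample sudoers lines are constructed for the example, and the parser assumes one command per rule line (the full sudoers grammar allows comma-separated lists and aliases, which it does not handle).

```shell
#!/bin/sh
# Constructed sample sudoers rules (not from any real host or from the book).
# One command per line, so the simple parser below can handle them.
SAMPLE_SUDOERS='
Defaults env_reset
# vi as root with no NOEXEC: the editor can spawn a root subshell
alice   ALL=(root) /usr/bin/vi /etc/hosts
# NOEXEC tag: sudo blocks exec() from inside the editor
bob     ALL=(root) NOEXEC: /usr/bin/vim /etc/hosts
# sudoedit: the editor runs as the invoking user on a temporary copy
carol   ALL=(root) sudoedit /etc/hosts
# Not an editor or shell, so it is not flagged by this check
dave    ALL=(root) NOPASSWD: /usr/sbin/service apache24 restart
'

# audit_sudoers: read sudoers text on stdin and print "user command" for
# every rule that grants an editor or shell without NOEXEC and not via sudoedit.
audit_sudoers() {
    awk '
        /^[[:space:]]*#/ { next }        # comment
        NF == 0          { next }        # blank line
        /^Defaults/      { next }        # option line, not a rule
        {
            user = $1
            rest = $0
            sub(/^[^=]*=[[:space:]]*/, "", rest)     # drop "user HOST="
            sub(/^\([^)]*\)[[:space:]]*/, "", rest)  # drop "(runas)"
            # Collect tags such as NOPASSWD: or NOEXEC: that precede the command.
            noexec = 0
            while (match(rest, /^[A-Z]+:[[:space:]]*/)) {
                if (substr(rest, RSTART, RLENGTH) ~ /^NOEXEC/) noexec = 1
                rest = substr(rest, RLENGTH + 1)
            }
            if (noexec) next                 # editor cannot exec a shell
            if (rest ~ /^sudoedit/) next     # editor never runs as root
            split(rest, parts, /[[:space:]]+/)
            cmd = parts[1]
            # Editors and pagers that can run a subshell, plus shells themselves.
            if (cmd ~ /(^|\/)(vi|vim|view|nvi|ex|ed|emacs|nano|less|more|sh|bash|ksh|csh)$/)
                print user, cmd
        }
    '
}

# flagged_rules: run the audit over the constructed sample.
flagged_rules() {
    printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers
}

flagged_rules
```

On a real host you would feed the script the output of `visudo -c -f /usr/local/etc/sudoers` after confirming the file parses, or simply `cat` the file; any line it prints is a rule worth rewriting with `NOEXEC:` or as a `sudoedit` entry. Note that NOEXEC depends on sudo being able to interpose on dynamically linked executables, so a statically linked editor is not covered by it and sudoedit is the more robust choice for file edits.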