marketing information is wealth: October 2009

Friday, October 2, 2009

UNIX OVERVIEW AND SITE INFORMATION

Organizational Relationships
Organizational relationships play a significant role in providing secure computing environments.
The site must provide a robust and secure environment that protects the software environment
from unauthorized access. This includes the protection of system-level resources (i.e., database
systems, applications, and other utilities) used by the DOD user community. Data owners must
define access requirements for their resources (i.e., actual databases, master files, and interactive
transactions). Data owners are responsible for providing an access matrix that reflects subjects
(processes and authorized personnel) and their access to resources (databases and applications).

Security Administration
Security administration is accomplished through the ongoing efforts of a number of personnel.
The SM is the principal advisor to the site Commander/Director for the administration and
management of the overall site security program. The IAM is responsible for the information
assurance program of a DOD information system or organization. The IAO is responsible for
implementing security requirements and ensuring the operational Information Assurance (IA)
posture is maintained for a DOD information system or organization. The IAO is responsible to
the IAM. The SA is responsible for the operational readiness and secure state of a computer
system. The SA assists the IAO with implementing security directives in the operations
environment and reports to the IAO.

Processing Environment
There are many objectives and goals to be considered when securing a UNIX operating system.
When configuring UNIX operating system security, consider these critical principles of security
known as the Confidentiality, Integrity, and Availability (CIA) triad:
- Confidentiality
- Integrity
- Availability
In addition to incorporating security controls that relate to the CIA triad, there are three
additional security features that directly affect CIA and aid the overall site security program:
- Access control
- Auditing
- Backups
Access controls protect the systems and resources from unauthorized access and in some
implementations can determine levels of authorizations. Access controls can include physical
access restrictions to ensure only authorized personnel may access system equipment and the
environments in which these systems reside. Access controls may also include system level
access controls. System level access controls restrict access to system resources and objects, as
well as restricting the capabilities of subjects to communicate with other subjects.
Auditing tools can track system activities to warn an SA of suspicious activity, allow the SA to
understand the types of access that took place, identify a security breach, and aid in the research
of the breach.
Backups are performed with prevention and recovery in mind. This includes, but is not limited
to, the prevention of data loss and the loss of availability to data and resources. A daily backup
of all changeable data and the proper storage of the data are invaluable in restoring data once a
compromise has been detected and traced to the time it first occurred. Without these continual
and consistent backups, recovery procedures are not reliable. Backups are also the most
common way a Continuity of Operations Plan (COOP) is implemented during catastrophe, natural
disaster, hardware failures, and other circumstances. In all cases, the quality and depth of
backups and the security of backup storage will have a direct impact on the quality and depth of
restorative operations and COOP. Backups are the only path back to confidentiality, integrity,
and availability of data once there has been a compromise, a natural disaster, or a catastrophe.

Why Companies Support Kernel Development


The list of companies participating in Linux kernel development
includes many of the most successful technology firms in existence.
None of these companies are supporting Linux development as an
act of charity; in each case, these companies find that improving the
kernel helps them to be more competitive in their markets. Some
examples:
• Companies like IBM, Intel, SGI, MIPS, Freescale, HP, etc. are all
working to ensure that Linux runs well on their hardware. That, in
turn, makes their offerings more attractive to Linux users, resulting
in increased sales.
• Distributors like Red Hat, Novell, and MontaVista have a clear
interest in making Linux as capable as it can be. Though these
firms compete strongly with each other for customers, they all
work together to make the Linux kernel better.
• Companies like Sony, Nokia, and Samsung ship Linux as a
component of products like video cameras, television sets, and
mobile telephones. Working with the development process helps
these companies ensure that Linux will continue to be a solid
base for their products in the future.
• Companies which are not in the information technology business
can still find working with Linux beneficial. The 2.6.25 kernel will include an implementation of the PF_CAN network protocol which
was contributed by Volkswagen. PF_CAN allows for reliable
communications between components in an interference-prone
environment – such as that found in an automobile. Linux gave
Volkswagen a platform upon which it could build its networking
code; the company then found it worthwhile to contribute the code
back so that it could be maintained with the rest of the kernel. See
http://lwn.net/Articles/253425/ for more information on this work.
There are a number of good reasons for companies to support
the Linux kernel. As a result, Linux has a broad base of support
which is not dependent on any single company. Even if the largest
contributor were to cease participation tomorrow, the Linux kernel
would remain on a solid footing with a large and active development
community.

Development Model

With the 2.6.x series, the Linux kernel has moved to a relatively
strict, time-based release model. At the 2005 Kernel Developer
Summit in Ottawa, Canada, it was decided that kernel releases
would happen every 2-3 months, with each release being a “major”
release in that it includes new features and internal API changes.
The quick release cycle was chosen as a way to get new features
out to users in a stable form with minimal delay. As a result, new code
– features, device drivers, etc. – is available in a stable kernel within
a few months of its completion, minimizing or eliminating the need for
distributors to backport developmental code into stable releases. So
the kernels released by distributors contain many fewer distribution-specific
modifications, yielding higher stability and fewer differences
between distributions.
Each 2.6.x release is a stable release, in that it is made available
when the list of outstanding bugs is made as small as possible. For
problems which turn up after a kernel release, the “-stable” branch
exists as a way to quickly get fixes out to the community.
The kernel team released the 2.6.19 kernel as a stable release.
Then the developers started working on new features and started
releasing the release candidate versions as development kernels so
that people could help test and debug the changes. After everyone
agreed that the development release was stable enough, it was
released as the 2.6.20 kernel.
While the development of new features was happening, the
2.6.19.1, 2.6.19.2 and other stable kernel versions were released,
containing bug fixes and security updates.
This paper focuses exclusively on the main 2.6.x releases, to the
exclusion of the stable updates. Those updates are small, and, in
any case, the design of the development process requires that fixes
accepted for -stable also be accepted into the mainline for the next
major release.

Basic Linux Commands

Linux commands are still, and always will be, very useful on a Linux system. I will try to
list here, for Linux beginners, some of the most important console commands:

Starting & Stopping
• shutdown -h now - Shutdown the system now and do not reboot.
• halt - Stop all processes - same as above.
• shutdown -r 5 - Shutdown the system in 5 minutes and reboot.
• shutdown -r now - Shutdown the system now and reboot.
• reboot - Stop all processes and then reboot - as above.
• startx - Start the X system.

Accessing & mounting file systems
• mount -t iso9660 /dev/cdrom /mnt/cdrom - Mount the device cdrom and call it cdrom under the /mnt directory.
• mount -t msdos /dev/hdd /mnt/ddrive - Mount hard disk "d" as a msdos file system and call it ddrive under the /mnt directory.
• mount -t vfat /dev/hda1 /mnt/cdrive - Mount hard disk "a" as a VFAT file system and call it cdrive under the /mnt directory.
• umount /mnt/cdrom - Unmount the cdrom.

Finding files and text within files
• find / -name fname - Starting with the root directory, look for the file called fname.
• find / -name "*fname*" - Starting with the root directory, look for the file containing the string fname.
• locate missingfilename - Find a file called missingfilename using the locate command - this assumes you have already used the command updatedb (see next).
• updatedb - Create or update the database of files on all file systems attached to the linux root directory.
• which missingfilename - Show the subdirectory containing the executable file called missingfilename.
• grep textstringtofind /dir - Starting with the directory called dir, look for and list all files containing textstringtofind.

Moving, copying, deleting & viewing files
• ls -l - List files in current directory using long format.
• ls -F - List files in current directory and indicate the file type.
• ls -laC - List all files in current directory in long format and display in columns.
• rm name - Remove a file or directory called name.
• rm -rf name - Kill off an entire directory and all that it includes, files and subdirectories.
• cp filename /home/dirname - Copy the file called filename to the /home/dirname directory.
• mv filename /home/dirname - Move the file called filename to the /home/dirname directory.
• cat filetoview - Display the file called filetoview.
• man -k keyword - Display man pages containing keyword.
• more filetoview - Display the file called filetoview one page at a time, proceed to next page using the spacebar.
• head filetoview - Display the first 10 lines of the file called filetoview.
• head -20 filetoview - Display the first 20 lines of the file called filetoview.
• tail filetoview - Display the last 10 lines of the file called filetoview.
• tail -20 filetoview - Display the last 20 lines of the file called filetoview.

Installing software for Linux
• rpm -ihv name.rpm - Install the rpm package called name.
• rpm -Uhv name.rpm - Upgrade the rpm package called name.
• rpm -e package - Delete the rpm package called package.
• rpm -l package - List the files in the package called package.
• rpm -ql package - List the files and state the installed version of the package called package.
• rpm -i --force package - Reinstall the rpm package called package having deleted parts of it (not deleting using rpm -e).
• tar -zxvf archive.tar.gz or tar -zxvf archive.tgz - Decompress the files contained in the zipped and tarred archive called archive.
• ./configure - Execute the script preparing the installed files for compiling.

User Administration
• adduser accountname - Create a new user called accountname.
• passwd accountname - Give accountname a new password.
• su - Log in as superuser from current login.
• exit - Stop being superuser and revert to normal user.

Linux Features

· multitasking: several programs running at the same time.
· multiuser: several users on the same machine at the same time (and no two−user licenses!).
· multiplatform: runs on many different CPUs, not just Intel.
· multiprocessor: SMP support is available on the Intel and SPARC platforms (with work currently in
progress on other platforms), and Linux is used in several loosely−coupled MP applications,
including Beowulf systems and the Fujitsu AP1000+ SPARC−based supercomputer.
· multithreading: has native kernel support for multiple independent threads of control within a single
process memory space.
· runs in protected mode on the 386.
· has memory protection between processes, so that one program can't bring the whole system down.
· demand loads executables: Linux only reads from disk those parts of a program that are actually used.
· shared copy−on−write pages among executables. This means that multiple processes can use the same
memory to run in. When one tries to write to that memory, that page (4KB piece of memory) is
copied somewhere else. Copy−on−write has two benefits: increasing speed and decreasing memory
use.
· virtual memory using paging (not swapping whole processes) to disk: to a separate partition or a file
in the filesystem, or both, with the possibility of adding more swapping areas during runtime (yes,
they're still called swapping areas). A total of 16 of these 128 MB (2GB in recent kernels) swapping
areas can be used at the same time, for a theoretical total of 2 GB of useable swap space. It is simple
to increase this if necessary, by changing a few lines of source code.
· a unified memory pool for user programs and disk cache, so that all free memory can be used for
caching, and the cache can be reduced when running large programs.
· dynamically linked shared libraries (DLL's), and static libraries too, of course.
· does core dumps for post−mortem analysis, allowing the use of a debugger on a program not only
while it is running but also after it has crashed.
· mostly compatible with POSIX, System V, and BSD at the source level.
· through an iBCS2−compliant emulation module, mostly compatible with SCO, SVR3, and SVR4 at
the binary level.
· all source code is available, including the whole kernel and all drivers, the development tools and all
user programs; also, all of it is freely distributable. Plenty of commercial programs are being
provided for Linux without source, but everything that has been free, including the entire base
operating system, is still free.
· POSIX job control.
· pseudoterminals (pty's).
· 387−emulation in the kernel so that programs don't need to do their own math emulation. Every
computer running Linux appears to have a math coprocessor. Of course, if your computer already
contains an FPU, it will be used instead of the emulation, and you can even compile your own kernel
with math emulation removed, for a small memory gain.
· support for many national or customized keyboards, and it is fairly easy to add new ones dynamically.
· multiple virtual consoles: several independent login sessions through the console; you switch by
pressing a hot−key combination (not dependent on video hardware). These are dynamically
allocated; you can use up to 64.
· supports several common filesystems, including minix, Xenix, and all the common System V
filesystems, and has an advanced filesystem of its own, which offers filesystems of up to 4 TB, and
names up to 255 characters long.
· transparent access to MS−DOS partitions (or OS/2 FAT partitions) via a special filesystem: you don't
need any special commands to use the MS−DOS partition, it looks just like a normal Unix filesystem
(except for funny restrictions on filenames, permissions, and so on). MS−DOS 6 compressed
partitions do not work at this time without a patch (dmsdosfs). VFAT (WNT, Windows 95) support
and FAT−32 is available in Linux 2.0.
· special filesystem called UMSDOS which allows Linux to be installed on a DOS filesystem.
· read−only HPFS−2 support for OS/2 2.1
· HFS (Macintosh) file system support is available separately as a module.
· CD−ROM filesystem which reads all standard formats of CD−ROMs.
· TCP/IP networking, including ftp, telnet, NFS, etc.
· Appletalk server
· Netware client and server
· Lan Manager/Windows Native (SMB) client and server
· Many networking protocols: the base protocols available in the latest development kernels include
TCP, IPv4, IPv6, AX.25, X.25, IPX, DDP (Appletalk), Netrom, and others. Stable network protocols
included in the stable kernels currently include TCP, IPv4, IPX, DDP, and AX.25.
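
The memory-protection and copy-on-write items in the list above can be observed from user space. The following C program is an added example, not part of the original post: a child process overwrites every page it inherited from its parent, and the parent then checks that its own copy is untouched. The names cow_demo, cow_result and NPAGES are illustrative, and the buffer contents are constructed for the demo.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>
#define NPAGES 64 /* constructed demo size, not a value from the page */

struct cow_result {      /* illustrative names, not from the page */
    int parent_intact;   /* 1 if the parent's bytes survived the child's writes */
    int child_saw_write; /* 1 if the child read back its own modification */
    long child_faults;   /* minor page faults the child took while writing */
};

/* Fork, let the child overwrite every inherited page, then compare both views. */
int cow_demo(struct cow_result *out)
{
    size_t psz = (size_t)sysconf(_SC_PAGESIZE), len = psz * NPAGES;
    long report[2] = {0, 0};
    int fds[2];
    unsigned char *buf = mmap(NULL, len, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED || pipe(fds) != 0)
        return -1;
    memset(buf, 'P', len);          /* parent populates every page before fork */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                 /* child starts out sharing the parent's pages */
        struct rusage before, after;
        getrusage(RUSAGE_SELF, &before);
        for (size_t i = 0; i < len; i += psz)
            buf[i] = 'C';           /* first write to a page gives the child its own copy */
        getrusage(RUSAGE_SELF, &after);
        report[0] = (buf[0] == 'C' && buf[len - psz] == 'C');
        report[1] = after.ru_minflt - before.ru_minflt;
        _exit(write(fds[1], report, sizeof report) == (ssize_t)sizeof report ? 0 : 1);
    }
    close(fds[1]);
    ssize_t n = read(fds[0], report, sizeof report); /* blocks until the child has written */
    close(fds[0]);
    waitpid(pid, NULL, 0);
    /* Any 'C' byte in the parent's view would mean the child's write leaked across. */
    out->parent_intact = (memchr(buf, 'C', len) == NULL);
    out->child_saw_write = (int)report[0];
    out->child_faults = report[1];
    munmap(buf, len);
    return n == (ssize_t)sizeof report ? 0 : -1;
}

int main(void)
{
    struct cow_result r;
    if (cow_demo(&r) != 0)
        return 1;
    printf("parent intact=%d child wrote=%d child minor faults=%ld\n",
           r.parent_intact, r.child_saw_write, r.child_faults);
    return 0;
}
```

On a typical Linux kernel the child's minor-fault count comes out at roughly one per page written, which is the per-page copy the feature list describes.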

Introduction to Linux

Linux is a completely free reimplementation of the POSIX specification, with SYSV and BSD extensions
(which means it looks like Unix, but does not come from the same source code base), which is available in
both source code and binary form. Its copyright is owned by Linus Torvalds and
other contributors, and is freely redistributable under the terms of the GNU General Public License (GPL). A
copy of the GPL is included with the Linux source; you can also get a copy from
ftp://prep.ai.mit.edu/pub/gnu/COPYING
Linux, per se, is only the kernel of the operating system, the part that controls hardware, manages files,
separates processes, and so forth. There are several combinations of Linux with sets of utilities and
applications to form a complete operating system. Each of these combinations is called a distribution of
Linux. The word Linux, though in its strictest form it refers specifically to the kernel, is also widely and
correctly used to refer to an entire operating system built around the Linux kernel. For a list and brief description of
various distributions, see http://sunsite.unc.edu/LDP/HOWTO/Distribution-HOWTO.html. None of these
distributions is ``the official Linux''.
Linux is not public domain, nor is it `shareware'. It is `free' software, commonly called freeware or Open
Source Software[tm] (see http://www.opensource.org), and you may give away or sell copies, but you must
include the source code or make it available in the same way as any binaries you give or sell. If you distribute
any modifications, you are legally bound to distribute the source for those modifications. See the GNU
General Public License for details.
Linux is still free as of version 2.0, and will continue to be free. Because of the nature of the GPL to which
Linux is subject, it would be illegal for it to be made not free. Note carefully: the `free' part involves access to
the source code rather than money; it is perfectly legal to charge money for distributing Linux, so long as you
also distribute the source code. This is a generalization; if you want the fine points, read the GPL.
Linux runs on 386/486/Pentium machines with ISA, EISA, PCI and VLB busses. MCA (IBM's proprietary
bus) is not well−supported in 2.0.x and earlier versions, but support has been added to the current them.
In contrast, the closed and centralized model means that there is only one person or team working on the
project, and they only release software that they think is working well. Often this leads to long intervals
between releases, long waiting for bug fixes, and slower development. The latest release of such software to
the public is sometimes of higher quality, but the development speed is generally much slower.