Secure Architectures with OpenBSD Book Review : OpenBSD Explained : Poised Solutions Library

Secure Architectures with OpenBSD Book Review

Secure Architectures with OpenBSD

Author:: Brandon Palmer
Jose Nazario
Publisher:: Addison-Wesley
Published:: 2004
Pages:: 519

Secure Architectures with OpenBSD is one of the best books on administering OpenBSD systems.

Secure Architectures with OpenBSD Chapters

Introduction
- What Will This Book Cover?
- Whom Is This Book For?
- Book Syntax
- About the Authors
  - Brandon Palmer
  - Jose Nazario
  - Contributing Authors
- Acknowledgements
Overview of OpenBSD
- A Brief History of OpenBSD
- OpenBSD Security
  - The OpenBSD Security Model
  - The Audit
  - Cryptography
  - Proactive Security
- Which Application Are and Are Not Secure?
- Licensing
- The Feel of OpenBSD
  - Filesystem Layout
  - Security
  - User Friendliness
- Packages and Ports
- Where is OpenBSD Used?
Installation
- Supported Hardware
- System Preparation
- Getting Files for Installation
- Selecting Boot Media
- Booting
  - The Boot Configuration
  - Creating a Serial Console
  - Platform-Specific Information
  - Boot Example
- Filesystem Partitioning
  - A Private System
  - A Multiuser System with Untrusted Users
  - Server Partitioning
  - Firewall
  - Swap Space Allocation
  - Partitioning Example
- Network Configuration
  - Network Setup Example
- Base Software Set Installation
  - Types of Installations
  - Descriptions of the Installation Sets
  - Installation Example
- Post-Installation
  - Time Zone Information and Example
  - After Reboot
- Customizing the Installation Process
  - Creating Site-Specific Files
  - Jumpstarting Installations
  - Customized Installation Floppies
- Upgrading an Installation
Basic Use
- General File System Layout
  - /bin and /sbin
  - /usr/bin and /usr/bin
  - /var
  - /tmp
  - /usr/local
  - /home
  - /dev
  - /sys
  - /stand
- Start-up and Shutdown
- Logging In
- RC Scripts
- Default Processes
  - Random PID Values
- Ports and Packages
- Networking in Brief
- APM: Automatic Power Management
- Mouse Control with wsmoused
Basic Default Services
- inetd: The Super-Server
- syslog: The Logging Service
- Electronic Mail with sendmail
- The Secure Shell Server sshd
Online Help Resources
- Manual Pages
  - Which Manual Page?
  - The Layout of the Manual
  - Notable Manual Pages
  - Added Sections
  - Writing Your Own Manual Pages
- GNU Info Pages
  - Converting Info to Manual Pages
- perldoc and Pod
- Package Specific Documentation
- Other Sources
X Window System
- Installation
- Quick Setup
  - Troubleshooting Configuration
- xdm
- Window Managers
- Basic X Applications
- Remote Display
- X and Security
User Administration
- User Creation and Deletion
  - Altering the Default New user Options
- vipw and Group Management
  - Self Account Administration for Users
- User Limits with ulimit
- Process Accounting
- Privileged Users with sudo
  - The sudoers File
  - Logging with sudo
  - Security of sudo
- Restricted Shells
- Restricting Users with systrace
Networking
- Device Support
- Basic Setup
- DNS Client Configuration
- DHCP
- Alia Addresses
- ARP: Address Resolution Protocol
- Routing
- Bridging
- PPP
  - User Dial-Up with PPP
- Listening Ports and Processes
- Troubleshooting
inetd
- ftpd
  - sftpd
- telenetd
- shell
- fingerd
- identd
- comsat
- ntalkd
- popa 3d
- Internal Services
- Kerberos Services
- RPC services
Other Installed Services
- tftpd
- rarpd/bootparamd
- The Remote Shell
- Time Services
- Mouse Services
- Priniting
- dhcpcd: The DHCP Server
  - Requirements
  - Configuration
  - Starting dhcpd
  - DHCP Leases
  - Considerations to Note
  - BOOTP Support
Pre-compiled Third Party Software: Packages
- An Overview of Packages
- Installation of Packages
  - Local Installation Sources
  - Network Installation Sources
  - Options for Package Installation
- Uninstalling Packages
  - Options for Uninstallation
  - Upgrading Packages
- Information About Installed Packages
- Third-Party Software and Security
The Ports Tree: Third Party Software from Source
- Ports
  - Getting the Ports Tree
  - The Structure of the Ports Tree
  - The Life Cycle of a Ports Build
  - Building a Package from Ports
- Making Many Ports at Once
- Updating Specific Ports
- Troubleshooting
Disks and Filesystems
- Ports
  - Getting the Ports Tree
  - The Structure of the Ports Tree
  - The Life Cycle of a Ports Build
  - Building a Package from Ports
- Making Many Ports at Once
- Updating Specific Ports
- Troubleshooting
Backup Utilities
- Introduction
- Devices
- Preliminaries
- Backup Strategies
  - Data-Specific Options
  - Authetication
- Avaialable Tools
  - cpio
  - pax
  - dump and restore
  - tar
- Additional Tools from Ports and Packages
  - Amanda
  - GNU tar for Backups
  - Backup Using rsync
Housekeeping
- What is Housekeeping?
- Regular System Scripts
  - Daily Checks
  - Weekly Checks
  - Monthly Checks
- Logfile Rotation
- Scheduling Facilities
  - The cron System
  - at
  - Controlling Execution of at Jobs
Mail Server Operations
- Introduction to Electronic Mail
- Overview of Electronic Mail in OpenBSD
- sendmail
- Virtual Hosting
- Security with STARTTLS
- Upgrading
- POP Server Administration
- IMAP Server Administration
- Mailing List Software
- E-mail Security
  - MTA Security
  - POP Security
  - Message Security
The Domain Name Services
- Introduction to DNS
- Configuring the Resolver
- The DNS Server named
  - A Simple Caching-Only Nameserver
- DNS Security Issues
  - Firewall Rules for DNS
- Upgrading named
  - BIND8 and BIND9
  - DJBDNS
- DNS Tools
  - dig
  - host
  - nslookup
  - nslint
- Resources
- Troubleshooting
Web Servers with Apache
- Apache
  - Quick Overview
  - chroot
  - SSL
- Using Dynamic Content in the chroot Environment
- Modules for Apache
- Other Web Servers
- Miscellaneous Web Server Tools
  - Squid
  - mod_load
  - weblint
  - analog
OpenSSH
- Command-Line Use
  - ssh
  - scp
  - ssh-keygen
  - ssh-agent and ssh-add
  - sshd
- Configuration
  - Use in Other Packages
  - Command Line
  - Privilege Separation
  - sftp
The OpenBSD Development Environment
- Introduction
- Editors
- Compilers and Languages
  - Base Language Support
  - Default Security Options
- Additional Languages from Ports
- Debuggers
  - Additional Debugging Tools from Ports
  - Tracing System Calls
  - Additional Source Code Development Tools
- make
  - automake
  - Imake and xmkmf
- Libraries
- Shared Library and Object Tools
- Documentation
Packet Filtering and NAT
- Introduction to Firewalls
- Introduction to PF
  - The PF Configuration File
- Firewalls with PF
- Introduction to Network Address Translation
- NAT with PF
- Redirection
- Advanced PF Usage
  - Tables
  - Anchors
  - Packet Scrubbing
  - Rate Limiting
  - Transparent Filtering
  - Load Balncing
- Selective Filtering Based on the Operating System
- Logging with pflogd
- Examiing the State Table with pfsync
- Determining Firewall Rules
  - Opening Ports
- Authenticated Firewall Rules
- Firewall Performance Tuning
NFS: The Network Filesystem
- Introduction to NFS
- NFS Client Configuration
- NFS Server Configurations
- NFS Security
NIS and YP Services
- Introduction to NIS
- Client Setup
- Server Setup
- Security
- Resources
Kerberos
- What is Kerberos?
  - Why Use Kerberos?
- Key Concepts in Kerberos
- Overall System Setup
  - Clock Synchronization
  - Build Support for Kerberos
- Client Setup
  - Client Configuration
  - Obtaining Tickets
- Kerberos Server Setup
  - KDC Configuration
  - keytab Creation
  - Initialization Realm
  - Controlling Access to the Administrative Server
  - Starting the Kerberos Server
  - Activating Kerberos V Services at Start Up
- Kerberising Services
  - Secure Shell
  - telnet
- Windows 2000 and Kerberos V
- Security of the Kerberos Scheme
- Resources
- Troubleshooting
Authentication Methods
- Authentication Overview
- passwd
- skey
  - S/Key Setup
  - Getting Passphrases
  - sshd Setup and Usage with S/Key
- Additional Login Classes
  - lchpass
  - chpass
  - Token-Based Authentication Methods
  - Kerberos
  - radius Method
  - reject Method
IPsec: Security at the IP Layer
- Introduction
- IPSec Basics
  - Creating x509 Keys
- Setting Up IPSec
  - Kernel Requirements
- Endpoint Setup
  - Manual Configuration
  - Automatic Configuration
- Testing / Debugging the Configuration
  - tcpdump
  - ipsecadm monitor
  - /kern/ipsec
  - /var/run/isakmpd.pcap
  - /var/run/isakmpd.report
  - netstat-nr
- Example VPN Configurations
  - Transport: OpenBSD-OpenBSD + Tunnel: Net-Net
  - Transport: None + Tunnel: Net-Net
  - Transport: OpenBSD-OpenBSD + Tunnel:None
  - Wireless Laptops to a Secure Gateway
  - OpenBSD-OpenBSD Through an OpenBSD PF NAT Firewall
IPv6: IP Version 6
- How IPv6 Works
  - Special Addresses
  - Tunnelling IPv4 and IPv6
  - Kernel Setup
  - Userland Setup
- Normal Use
  - Manual Configuration
  - Configuring a Router for IPv6
  - Configuring a Host for IPv6 Automatically
- Getting on IPv6 Network
  - Freenet6
  - IPv4 and IPv6 Proxying
- Some IPv6 Ready Applications
- Service Support for IPv6
  - sendmail
  - Secure Shell Daemon
  - DNS
  - Apache
  - Routing Daemons
  - DHCP Daemons
  - IPsec with ISAKMP
  - Kerberos V
- Programming with IPv6
- IPv6 and Security
  - Firewalling IPv6 with pf
- Resources
- Troubleshooting
systrace
- Introduction
  - Example Use
- Creating Policies
  - Editing Policies
  - The Benefit of a Local Caching Name Server
- Privilege Elevation with systrace
- Where to Use systrace
- System Coverage with systrace
- Additional Uses for systrace
  - Software Testing
  - IDS Logging
- Limitations of systrace
- Resources
Network Intrusion Detection
- Introduction
- Snort
  - Installation
  - Configurations
  - Loading New Rules
  - Snort Add-Ons
  - Integration with PF
- Other IDS Solutions
- Important Notes
- Resources
Upgrading
- Upgrading an Installation
- CVS and Branches
- System Preparation
- Upgrading from Binary Sets
- Upgrading from Source
- Upgrading Configuration Files
  - Using mergemaster
  - Manual Merging
- Binary Format Changes and Upgrades
Kernel Compilation
- Why Recompile a Kernel?
  - Why Not Reconfigure and Rebuild Your Kernel?
- Where to Get the Source and How to Compile
- Information to Be Set in the Configuration Files
- Tweaking a Built Kernel
- Kernel-Userland Synchronization
Bug Reports with OpenBSD
- Introduction
- Diagnosing a Problem
- Check with Others
- Develop a Solution
- The OpenBSD bug Tracking System
- Reporting Bugs with sendbug

Secure Architectures with OpenBSD Appendices

CVS Basics
- How to Set Yourself Up for CVS
  - CVS and the pserver
- Using CVS
- CVS and Tags
- Speeding Up CVS
  - Choosing a Mirror
  - Compression
  - Ignoring Parts of the Tree
- Resources
Applying Source Code Patches
- What Are Patches?
- The Structure of a Patch
- Using the patch Tool
- Obtaining Patches for OpenBSD
Tuning the Kernel with sysctl
- What Are Tunable Parameters?
- Using sysctl
  - Reading Variables
  - Writing to Variables
- The Variable Hierarchy
- Filesystems Improvements
A dmesg Walkthrough
- What Does the dmesg Give Us?
- What Do the Message Mean?
  - The Boot Messages
Core File Evaluation
- Applications That Crashed
- Kernel Crash Dump Analysis
  - Using ddb
  - Post-Reboot Analysis
  - Examining the Process Tables
Other OpenBSD Tools and Resources
- Web Pages
- Software Mirrors
  - BSD-Specific Software
  - Generic Software Sites
- Mailing Lists
- User Groups
- Newsgroups
- RFC Availability
IPsec m4
Index