Introduction

You must understand a host s environment to effectively monitor its integrity for two reasons: planning and response.

A solid understanding of a host s environment will facilitate the translation of security requirements into a practical configuration, thereby providing a foundation for effective planning. Imagine that one of your goals is to protect the data associated with a Web server. First, you must know where the data files are kept, who has access to them, which file permissions will compromise the security of the data, which access methods the Web server provides, and which changes indicate a compromise in security. Being able to answer these questions requires an understanding of the host environment, file permissions, access control, and so on.

The second reason for understanding the environment is your response. As an administrator or a security officer, you must understand the meaning of any alert and any significance that those changes will have on the integrity of the system. Is the change a false positive? Does it indicate a serious threat to the integrity of your host? Understanding the nature of a detected change can help you initiate the incident response procedures defined in your security policy and, in turn, effectively manage the integrity of your hosts.

This chapter examines some of the important elements of modern host environments, including users and groups, files and file systems, kernels, libraries, runtime security issues, networks, and nonvolatile memory. The goal is to provide information about the most commonly monitored parts of...