Chapter 1. The Philosophy of System Administration
The subject of the best text editor has sparked debate for nearly as long as computers have existed and
will continue to do so. Therefore, the best approach is to try each editor for yourself, and use what
works best for you.
For HTML editors, system administrators can use the Composer function of the Mozilla Web browser.
Of course, some system administrators prefer to hand-code their HTML, making a regular text editor
a perfectly acceptable tool as well.
As far as email is concerned, Red Hat Enterprise Linux includes the Evolution graphical email client,
the Mozilla email client (which is also graphical), and mutt, which is text-based. As with text editors,
the choice of an email client tends to be a personal one; therefore, the best approach is to try each
client for yourself, and use what works best for you.
1.10.3. Security
As stated earlier in this chapter, security cannot be an afterthought, and security under Red Hat
Enterprise Linux is more than skin-deep. Authentication and access controls are deeply integrated into
the operating system and are based on designs gleaned from long experience in the UNIX community.
For authentication, Red Hat Enterprise Linux uses PAM — Pluggable Authentication Modules. PAM
makes it possible to fine-tune user authentication via the configuration of shared libraries that all
PAM-aware applications use, all without requiring any changes to the applications themselves.
Access control under Red Hat Enterprise Linux uses traditional UNIX-style permissions (read, write,
execute) against user, group, and "everyone else" classifications. Like UNIX, Red Hat Enterprise
Linux also makes use of setuid and setgid bits to temporarily confer expanded access rights to
processes running a particular program, based on the ownership of the program file. Of course, this makes
it critical that any program run with setuid or setgid privileges be carefully audited to ensure
that no exploitable vulnerabilities exist.
Red Hat Enterprise Linux also includes support for access control lists. An access control list (ACL)
is a construct that allows extremely fine-grained control over what users or groups may access a file
or directory. For example, a file's permissions may restrict all access by anyone other than the file's
owner, yet the file's ACL can be configured to allow only user bob to write and group finance to
read the file.
Another aspect of security is being able to keep track of system activity. Red Hat Enterprise Linux
makes extensive use of logging, both at a kernel and an application level. Logging is controlled by
the system logging daemon syslogd, which can log system information locally (normally to files in
the /var/log/ directory) or to a remote system (which acts as a dedicated log server for multiple
computers).
Intrusion detection systems (IDS) are powerful tools for any Red Hat Enterprise Linux system
administrator. An IDS makes it possible for system administrators to determine whether unauthorized
changes were made to one or more systems. The overall design of the operating system itself includes
IDS-like functionality.
Because Red Hat Enterprise Linux is installed using the RPM Package Manager (RPM), it is possible
to use RPM to verify whether any changes have been made to the packages comprising the operating
system. However, because RPM is primarily a package management tool, its abilities as an IDS are
somewhat limited. Even so, it can be a good first step toward monitoring a Red Hat Enterprise Linux
system for unauthorized modifications.
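The following is an added example, not part of the original manual: a Python parser that triages the lines `rpm -Va` prints for files that differ from the package database, accepting both the eight-column attribute string of older RPM releases and the nine-column string of newer ones. The severity policy, the function and variable names, and the sample output are assumptions constructed for illustration.

```python
import re

# Attribute columns of an `rpm -V` line; newer rpm releases print a ninth (P).
FLAGS = {"S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
         "U": "owner", "G": "group", "T": "mtime", "P": "capabilities"}
# Assumed triage policy (this example's own): these changes are rarely benign.
HIGH_RISK = {"mode", "digest", "owner", "group", "capabilities", "missing"}
# Edits an administrator routinely makes to a configuration file.
CONFIG_EDIT = {"size", "digest", "mtime"}
LINE = re.compile(
    r"^(?P<attrs>[A-Z0-9.?]{8,9}|missing)\s+(?:(?P<kind>[cdglr])\s+)?(?P<path>/.*)$")


def parse_line(line):
    """Parse one verify line into (path, kind, changed attributes), or None."""
    m = LINE.match(line.strip())
    if m is None:
        return None  # dependency messages and other non-file lines
    attrs = m.group("attrs")
    if attrs == "missing":
        changed = {"missing"}
    else:
        changed = {FLAGS[c] for c in attrs if c in FLAGS}
    return m.group("path"), m.group("kind"), changed


def triage(output):
    """Map each reported path to 'expected', 'high' or 'low'."""
    result = {}
    for rec in filter(None, map(parse_line, output.splitlines())):
        path, kind, changed = rec
        if kind == "c" and changed <= CONFIG_EDIT:
            result[path] = "expected"  # edited config file (marker "c")
        elif changed & HIGH_RISK:
            result[path] = "high"      # content, permissions or ownership differ
        else:
            result[path] = "low"       # e.g. only the modification time differs
    return result


# Constructed sample output, not captured from a real system.
SAMPLE = """\
S.5....T.  c /etc/ssh/sshd_config
..5....T.    /usr/bin/passwd
.M.......    /usr/bin/sudo
.......T.    /usr/share/man/man1/ls.1.gz
missing      /usr/sbin/logrotate
.M....G. c /etc/shadow
"""
```

On a live system, pass the captured output of `rpm -Va` to `triage()` in place of `SAMPLE`.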
1.11. Additional Resources
This section includes various resources that can be used to learn more about the philosophy of system
administration and the Red Hat Enterprise Linux-specific subject matter discussed in this chapter.