12.6. Viruses
A computer virus is a piece of code that modifies the operating
system or system utilities with harmful or
annoying side effects. Like human viruses, a computer virus
reproduces itself and spreads through a vector, or carrier. Once one
computer is infected, the virus attempts to copy itself onto floppies
or other removable media that will be taken to other systems. When an
infected disk is inserted into a healthy system, the virus loads
itself into the uninfected system. Entire networks of computers may
be infected from a single disk that infects a system that later
infects a file server, for example.
Effects of viruses vary greatly. Some simply render the machine
useless, echoing annoying messages back to the user but preventing
any "real" command execution. Others are destructive in
nature, scribbling on critical filesystem information on hard disks
or removing key files.
Viruses are virtually unknown in time-sharing operating systems such
as Unix that enforce kernel protection. The operating system cannot
be modified without superuser permission, so random user applications
cannot inject viruses into the system. The Windows operating system,
on the other hand, does not protect its kernel code or disk files, so
an executable can overwrite parts of the kernel, the DOS image on
disk, or various system utilities. Once the disk image is infected,
the system remains infected, even through reboots or power cycles.
Note that viruses are not the same as worms, rabbits, or other
user-level processes that consume resources or reproduce rapidly
enough to bring a system to a halt. A computer virus specifically
damages the operating system.
Enforcing basic security around the root password and superuser
access to machines should be sufficient to deter deliberate planting
of viruses in the Unix kernel. In addition to securing access from
the local area network, verify that your systems are safe from
attacks from external networks such as the Internet. If you can
prevent unauthorized superuser access, then you need worry only about
things that you or your system administrators do as root.
Watch what you put into cron entries. Any script that gets run by cron
should be owned by root and either not writable or writable only by
root. If a user asks for a shell script to be added to root's crontab,
install the script so that the user cannot modify it once it has been
added to the crontab file.
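
One way to check the cron rule above, as an added example that is not from the original text: these Python functions parse a per-user crontab (for example the output of crontab -l run as root) and report every script that is not owned by root or is group- or world-writable. Checking the script's parent directory as well goes slightly beyond the text; the function names, the interpreter list and the trusted_uid parameter are assumptions of this example.

```python
import os
import shlex
import stat
import sys

INTERPRETERS = {"sh", "bash", "ksh", "csh", "perl", "python", "python3"}  # assumed list

def cron_command(line):
    """Command part of a per-user crontab line; None for comments and VAR=value."""
    line = line.strip()
    if not line or line.startswith("#") or "=" in line.split()[0]:
        return None
    skip = 1 if line.startswith("@") else 5  # @reboot etc., or five time fields
    parts = line.split(None, skip)
    return parts[skip] if len(parts) > skip else None

def script_paths(command):
    """Absolute paths cron will run: the program, plus the script given to a shell."""
    try:
        words = shlex.split(command)
    except ValueError:  # unbalanced quotes: fall back to whitespace splitting
        words = command.split()
    paths = [w for w in words[:1] if w.startswith("/")]
    if words and os.path.basename(words[0]) in INTERPRETERS:
        paths += [w for w in words[1:] if w.startswith("/")][:1]
    return paths

def audit_path(path, trusted_uid=0):
    """Reasons a non-root user could change what `path` runs (file and its directory)."""
    findings = []
    for target in (path, os.path.dirname(path) or "/"):
        try:
            st = os.stat(target)
        except OSError:
            findings.append(f"{target}: missing or unreadable")
            continue
        if st.st_uid != trusted_uid:
            findings.append(f"{target}: owned by uid {st.st_uid}, not {trusted_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{target}: group- or world-writable")
    return findings

def audit_crontab(text, trusted_uid=0):
    """Map each risky path named in the crontab text to its findings."""
    paths = {p for line in text.splitlines() for p in script_paths(cron_command(line) or "")}
    return {p: f for p in sorted(paths) for f in [audit_path(p, trusted_uid)] if f}

if __name__ == "__main__":  # usage: crontab -l | python3 this_file.py
    print(audit_crontab(sys.stdin.read()))
```

An empty result means every script named in the crontab, and the directory holding it, can be changed only by root.
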
Similarly, avoid any package that requires an executable to be run as
root as part of its installation process, unless you can vouch for
the integrity of the package's provider. In general, vendors
stand behind the safety of their software, and you should not worry
about "branding" utilities that write serial number
information into executable images or packages. It is becoming the
norm for vendors to include a strong cryptographic checksum like MD5,
or a verifiable digital signature with software on removable media or
web sites. Such practices are a good sign that your vendor is taking
care to secure its software from viruses, but such practices do you
the most good when you take the time to verify the checksum or
signature before installing the software.
The same guidelines that apply to Windows users also apply to Unix
system administrators: if you don't know where an executable came
from, don't run it as root. This is especially true for executables
taken from public domain sources. If you can't get the source code,
don't experiment with it unless you are willing to perform a
post-installation check for damage. Above all else, use common sense.
If you feel uncomfortable loaning your car keys to a complete stranger,
you should feel equally queasy about installing strange software on
your system as root.