12.6. Viruses
A computer virus is a piece of code that modifies the operating system or system utilities with harmful or annoying side effects. Like human viruses, a computer virus reproduces itself and spreads through a vector, or carrier. Once one computer is infected, the virus attempts to copy itself onto floppies or other removable media that will be taken to other systems. When an infected disk is inserted into a healthy system, the virus loads itself into the uninfected system. Entire networks of computers may be infected from a single disk that infects a system that later infects a file server, for example.
Effects of viruses vary greatly. Some simply render the machine useless, echoing annoying messages back to the user but preventing any "real" command execution. Others are destructive in nature, scribbling on critical filesystem information on hard disks or removing key files.
Viruses are virtually unknown in time-sharing operating systems such as Unix that enforce kernel protection. The operating system cannot be modified without superuser permission, so random user applications cannot inject viruses into the system. The Windows operating system, on the other hand, does not protect its kernel code or disk files, so an executable can overwrite parts of the kernel, the DOS image on disk, or various system utilities. Once the disk image is infected, the system remains infected, even through reboots or power cycles. Note that viruses are not the same as worms, rabbits, or other user-level processes that consume resources or reproduce rapidly enough to bring a system to a halt. A computer virus specifically damages the operating system.
Enforcing basic security around the root password and superuser access to machines should be sufficient to deter deliberate planting of viruses in the Unix kernel. In addition to securing access from the local area network, verify that your systems are safe from attacks from external networks such as the Internet. If you can prevent unauthorized superuser access, then you must only worry about things that you or your system administrators do as root.
Watch what you put into cron entries. Any script that gets run by cron should be owned by root and either not writable or writable only by root. If a user asks for a shell script to be added to root's crontab, install the script so that the user cannot modify it once it has been added to the crontab file.
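As an added example (not code from the book), the following POSIX shell script audits a crontab along the lines just described: it reads entries in the format printed by crontab -l, extracts each job's command path, and checks that the file exists, is owned by the expected numeric uid (root's 0 by default) and has neither the group- nor the world-write bit set. Parsing ls -lnd for ownership and mode, and the spool path shown in the usage comment, are assumptions.

```sh
#!/bin/sh
# Added example, not from the book: audit the scripts a crontab runs.  Each
# command path must be owned by the expected uid (root's 0 by default) and
# writable by no one but its owner, as the text requires for root's crontab.

# check_cron_script FILE [UID]
# Succeeds when FILE is owned by UID and is neither group- nor world-writable;
# otherwise prints the reason on stderr and fails.
check_cron_script() {
    file=$1; owner=${2:-0}
    [ -e "$file" ] || { echo "$file: does not exist" >&2; return 1; }
    # ls -ln prints numeric ids: "-rwxr-xr-x 1 0 0 512 Jan 1 00:00 file"
    set -- $(ls -lnd "$file")
    mode=$1; who=$3
    if [ "$who" != "$owner" ]; then
        echo "$file: owned by uid $who, expected $owner" >&2; return 1
    fi
    case $mode in
        ?????w*|????????w*)   # group-write or other-write bit is set
            echo "$file: writable by users other than its owner ($mode)" >&2
            return 1 ;;
    esac
}

# audit_crontab CRONTAB_FILE [UID]
# Reads entries in the format printed by 'crontab -l', checks the command
# path of every job, and returns the number of entries that failed.
audit_crontab() {
    crontab_file=$1; owner=${2:-0}; bad=0
    while IFS= read -r line; do
        case $line in
            ''|\#*|[A-Za-z_]*=*) continue ;;   # blank, comment, VAR=value
            @*) cmd=$(printf '%s\n' "$line" | awk '{print $2}') ;;  # @daily CMD
            *)  cmd=$(printf '%s\n' "$line" | awk '{print $6}') ;;  # m h dom mon dow CMD
        esac
        [ -n "$cmd" ] || continue
        case $cmd in
            /*) check_cron_script "$cmd" "$owner" || bad=$((bad + 1)) ;;
            *)  printf '%s: not an absolute path, not checked\n' "$cmd" >&2 ;;
        esac
    done < "$crontab_file"
    return $bad
}

# Usage: ./audit_crontab.sh /var/spool/cron/crontabs/root  (spool path is an assumption)
[ $# -eq 0 ] || audit_crontab "$@"
```

Run it against a copy of the crontab as the account that owns the scripts, or as root with the default uid; a non-zero exit status is the number of entries that need attention.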
Similarly, avoid any package that requires an executable to be run as root as part of its installation process, unless you can vouch for the integrity of the package's provider. In general, vendors stand behind the safety of their software, and you should not worry about "branding" utilities that write serial number information into executable images or packages. It is becoming the norm for vendors to include a strong cryptographic checksum like MD5, or a verifiable digital signature with software on removable media or web sites. Such practices are a good sign that your vendor is taking care to secure its software from viruses, but such practices do you the most good when you take the time to verify the checksum or signature before installing the software.
The same guidelines that apply to Windows users also apply to Unix system administrators: if you don't know where an executable came from, don't run it as root. This is especially true for executables taken from public domain sources. If you can't get the source code, don't experiment with it unless you are willing to perform a post-installation check for damage. Above all else, use common sense. If you feel uncomfortable loaning your car keys to a complete stranger, you should feel equally queasy about installing strange software on your system as root.
Copyright © 2002
O'Reilly & Associates. All rights reserved.