1. Authentication : Verification of someone's identity (THe ability to prove who you are). (ie a login name & password, an IP address of a computer system, or a digital certificate)
2. Authorization: Verifies a users authority. People can accomplish what they are authorized to do and unauthorized people cannot do what they should not. (File and directory permissions, shost files, trusted hosts, ACLs,)
3. Confidentiality: Keep the Contents of a communication secret. (Usually acomplished with cryptography, steganography)
4. Message & Data Integrity: Has the data been tampered with or were there any unauthorized modifications or deletions ? (acomplished with hashing, checksums, MD5)
5. Accountability: The goal of accountability is to hold someone accountable for thier actions with logging and audit trails. (Triwire, BSM, syslog, praudit)
6. Availability: Involveds ensuring that attackers cannot stop legitimate users from access the system. (ie web server response time, dial tone a phone, any kind of DOS attack including filling up /var/tmp etc)
7. Non-Repudiation: Non-Redudiation is Undeniability. Non-repudiation services provide unforgeable evidence that a specific action occurred. (a digitally signed statement, a video recording of a transaction)

1. D : Minimal protection is provided.
2. C1 : Discretionary access control and access permissions. Logins with passwords are required.
3. C2 : Auditing and authentication events are audited. Authentication events are kept in a secure place.
4. B1 : Mandatory access control and labeled output. Acces based on labels.
5. B2 : Configuration control, facility management, and system configuration must be documented and controlled; All administrative and security operator functions are seperated.
6. B3 : Access control lists and full system documentation are provide. Access is based on lists of users plus labels.
7. A : Formal proof of the security of the system is required.

service rsync
{
        disable = yes
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/bin/rsync
        server_args     = --daemon
        log_on_failure  += USERID
     
        instances = 4  : Limit 4 concurrent instances of myserver
        cps = 10 30   : (Prevent DOS Attacks) Limit 10 connections per second or sleep for 30 seconds.
        max_load = 3.0  : Reject new requests if the one minute load system avg exceeds 3.0.
	access_times = 8:00-16:00  : Restrict service Usage by time
        only_from += 192.162.2.0   : (only accept traffic from)
        no_access = badguy.evil.org  : (explicitly block a server (everyone except)) 
}

{
	...
	server=/usr/sbin/ssh
 	redirect=192.168.1.26 22
}

• To check if a network service daemon is dynamically linked to libwrap, strings /usr/sbin/xinetd |grep libwrap
• If a particular network service daemon does not have libwrap compiled in, you can invoke tcpd in xinetd.conf to intercept the call and then launch the real service as an server argument.

  (from xinet config file)
  {
  	...
  	flags = ...NAMEINARGS  This directive tells xinetd to look in the server_args line.
  	server=/usr/sbin/tcpd Calls tcpd to intercept telnet traffic, and to fire up telnetd daemon
          server_args = /usr/sbin/in.telnetd 
  }
  

• After wrapping the telnet daemon in tcpd , in /etc/hosts.allow you can then restrict users as follows :
• in.telnet.d : 192.168.1.100
• in.telnet.d : ALL : DENY

• User Account Based Filtering in ssh
• /etc/ssh/sshd_config
• AllowedUsers john, mary, jack

service ftpd
{
 	...
	user = root
	server = /usr/sbin/chroot  Invokes a chroot jail as the service
	server_args = /var/cage /usr/sbin/myservice -a -b  /var/cage is the root directory for this service. Just be sure to include all relevant libraries and files in the new "/". 
      ...
}

1. /etc/securetty (remove pseudo-devices etc)