1
LINUX SECURITY
2
Outline
Introduction
- UNIX file permission
- SUID / SGID
- File attributes
3
Securing LINUX box
- Hidden files
- Tightening script files
Control mounting a file system
4
Logging
- Syslogd
- Klogd
- Remote logging
- Shell logging
5
UNIX file permissions
Each directory and file on the system has a set of permission flags which specify read, write, and execute permissions for the 'user', 'group', and 'other'.
'ls' with the -l option gives info on file permissions.
6
Binary / Octal representation:
File permissions can be changed using octal notation.
Octal 744 = Binary 111 100 100
                    user group other
chmod command
E.g.: chmod 744 myfile
7
SUID/SGID
A setuid program is a program which has its setuid bit set.
SGID = 2, SUID = 4, both = 6 (octal value prepended to the standard permission set).
If the owner of the setuid program is root then the commands in the program are run with root privileges.
suid/sgid: Is it a threat?
8
Locating SUID/SGID programs:
Find command: To find all files with the suid or sgid bits set:
# find / -type f \( -perm -4000 -o -perm -2000 \) -ls
To disable the suid bits on selected programs use the chmod command. Ex:
# chmod a-s /bin/mount
9
File Attributes:
The Linux ext2 file system supports the following file attributes.
'A' - Don't update the access time
'S' - Synchronous updates
'a' - Append only
'c' - Compressed
10
Contd
'i' - Immutable
'd' - No dump
's' - Secure deletion
'u' - Undeletable
chattr: Changes the file attributes. The format is +-=[ASacdisu]
# chattr +a myfile
lsattr: Lists attributes for a file
# lsattr myfile
11
Hidden Files:
Hidden files can be used to hide tools and password cracking programs.
# find / -name "..*" -print
# find / -name ".*" -print
12
World Writable files
Group and world writable files and directories can be a security hole.
Look for the files and directories that should not be group or world writable (current GNU find spells "any of these bits" as -perm /022; older versions wrote -perm +022):
# find / -type f -perm /022 -ls
# find / -type d -perm /022 -ls
13
Unowned files:
Files with no owner. Potential threat: sometimes we may uninstall a program and get unowned files.
# find / -nouser -o -nogroup
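The find audits from slides 8, 12 and 13, as an added example that is not part of the original slides: each audit is wrapped in a function taking a root directory, and a constructed tree with one planted set-uid binary and one world-writable file is built under mktemp so the checks can be exercised without scanning a live system. Assumes a POSIX sh, find, mktemp and wc; the file names under the temporary tree are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the slides): the set-uid/set-gid, group- or
# world-writable, and unowned-file audits as functions over a root directory.
# Assumes POSIX sh, find, mktemp, wc and tr.

# Regular files with the set-uid (4000) or set-gid (2000) bit set below $1.
find_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Files and directories writable by group (020) or by others (002) below $1.
# Two -perm tests are used instead of GNU find's "-perm /022" for portability.
find_group_or_world_writable() {
    find "$1" \( -type f -o -type d \) \( -perm -0020 -o -perm -0002 \) -print
}

# Entries whose uid or gid maps to no account: typically left behind by an
# uninstalled package or a deleted user (slide 13).
find_unowned() {
    find "$1" \( -nouser -o -nogroup \) -print 2>/dev/null
}

# Number of unowned entries below $1; 0 on a healthy tree.
count_unowned() {
    find_unowned "$1" | wc -l | tr -d ' '
}

# Build a constructed tree with one set-uid binary and one world-writable
# file, run the first two audits on it and return "<setid> <writable>" counts.
audit_constructed_tree() {
    tmp=$(mktemp -d) || return 1
    mkdir -m 700 "$tmp/bin" "$tmp/tmp"
    : > "$tmp/bin/helper"; chmod 4755 "$tmp/bin/helper"   # planted set-uid
    : > "$tmp/bin/ok";     chmod 0755 "$tmp/bin/ok"       # clean binary
    : > "$tmp/tmp/notes";  chmod 0666 "$tmp/tmp/notes"    # world-writable
    setid=$(find_setid_files "$tmp" | wc -l | tr -d ' ')
    writable=$(find_group_or_world_writable "$tmp" | wc -l | tr -d ' ')
    rm -rf "$tmp"
    echo "$setid $writable"
}

# On a real host (run as root so every directory can be read):
#   find_setid_files / ; find_group_or_world_writable / ; find_unowned /
```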
14
Tightening script files
Script files are responsible for starting and stopping all your normal processes.
# chmod -R 700 /etc/rc.d/init.d/*
No reason for users to be able to view or edit startup scripts.
15
Removing banner info
Edit the /etc/rc.d/rc.local file and comment out the following lines:
- #echo "" > /etc/issue
- #echo "$R" >> /etc/issue
- #echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
Remove the files issue.net and issue under /etc:
- # rm -f /etc/issue
- # rm -f /etc/issue.net
16
/etc/services file
This file contains information about the port numbers on which standard services are offered.
Should be protected:
# chattr +i /etc/services
Similar for other important files: /etc/passwd, /etc/shadow, /etc/group, configuration files.
Note that tools such as passwd and useradd cannot modify an immutable file; remove the attribute (chattr -i) before making account changes.
17
Control mounting a file system
In Linux all file systems (hard drives, CD-ROMs, floppy drives etc.) are mounted onto one logical tree with root being the parent directory.
The ext2 file system enforces a security model.
18
Mount:
The mount command attaches a file system to the file system hierarchy at the mount point.
The standard form of the mount command:
mount -t type device dir
19
Options:
defaults: Allow suid, read-write, quota.
nosuid: Do not honour SUID/SGID bits on this partition.
nodev: Do not interpret character or block special devices on this partition.
ro: Mount this partition read-only.
rw: Mount this partition read-write.
20
/etc/fstab
Text file containing info about how the different partitions on the hard disk are mounted into Linux directories.
Each entry has 6 fields, namely:
block_device | mount_point | type | options | dump | pass
21
contd
Block-device: The partition on the hard disk.
Mount-point: Local directory where the partition is mounted.
Type: Type of partition or file system.
Options: See mount(8).
Dump: Whether the partition should be dumped for backups.
Pass: Order in which fsck checks the file system for corruption at boot time.
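Putting the mount options of slide 19 and the six fstab fields of slides 20 and 21 together, as an added example that is not part of the original slides: a small audit that reports fstab entries on user-writable mount points or removable media which are still mounted with the "defaults" behaviour (set-uid bits and device nodes honoured) instead of nosuid/nodev. The sample fstab is constructed for the demonstration, and the device names in it are placeholders; the watched mount-point list is an assumption to adjust per host. Assumes a POSIX sh and awk.

```shell
#!/bin/sh
# Added example (not from the slides): audit an fstab for entries that are
# mounted with the "defaults" behaviour (suid and device files honoured) where
# the deck's nosuid/nodev options would be expected. Assumes POSIX sh and awk.

# Mount points where ordinary users can create files (assumed list); a set-uid
# binary or a device node planted there should not be honoured by the kernel.
USER_WRITABLE_MOUNTS="/tmp /var/tmp /home"

# Print "<mount_point> missing:<options>" for each entry on a user-writable
# mount point or a removable medium (vfat, iso9660) that lacks nosuid or
# nodev. Fields: device, mount point, type, options, dump, pass (slide 20).
audit_fstab() {
    awk -v watch="$USER_WRITABLE_MOUNTS" '
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        /^[ \t]*#/ { next }                         # comment line
        NF < 4 { next }                             # blank or malformed entry
        $3 == "swap" { next }                       # no mount point to harden
        {
            mp = $2; opts = "," $4 ","
            removable = ($3 == "vfat" || $3 == "iso9660")
            if (!(mp in want) && !removable) next
            missing = ""
            if (opts !~ /,nosuid,/) missing = missing ",nosuid"
            if (opts !~ /,nodev,/)  missing = missing ",nodev"
            if (missing != "") printf "%s missing:%s\n", mp, substr(missing, 2)
        }' "$1"
}

# Constructed sample fstab; device names are placeholders, not a real host.
SAMPLE_FSTAB='# <device>   <mount point>  <type>   <options>               <dump> <pass>
/dev/sda1    /              ext2     defaults                1      1
/dev/sda2    /home          ext2     defaults                1      2
/dev/sda3    /tmp           ext2     nosuid,nodev            1      2
/dev/sda4    /var/tmp       ext2     nodev                   1      2
/dev/sda5    swap           swap     defaults                0      0
/dev/fd0     /mnt/floppy    vfat     noauto                  0      0
/dev/cdrom   /mnt/cdrom     iso9660  noauto,ro,nosuid,nodev  0      0'

# Write the sample to a temporary file, audit it and return the findings.
audit_sample_fstab() {
    f="${TMPDIR:-/tmp}/fstab.sample.$$"
    printf '%s\n' "$SAMPLE_FSTAB" > "$f"
    audit_fstab "$f"
    rm -f "$f"
}
```

On a real host run `audit_fstab /etc/fstab`; the root and /usr entries are deliberately not flagged because system binaries there legitimately rely on set-uid bits.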
22
Logging:
Logging is defined as the process of recording actions that have occurred.
It is important to maintain the integrity of the different log files.
Syslogd: the utility program that provides the logging facility.
23
contd
Syslogd reads the /etc/syslog.conf file. Each line of the file consists of two fields:
- selector and
- action field
authpriv.*;mail.*;daemon.info    /dev/lp0
24
Klogd daemon
Intercepts and logs kernel messages.
Log info may be read from the /proc file system or via sys_syslog.
Remote logging: easy to control and adds security.
25
Shell logging
The bash shell stores up to 500 old commands in ~/.bash_history.
Password threat: passwords typed on the command line end up in the history file. Edit /etc/profile:
HISTFILESIZE=20 and HISTSIZE=20
Edit /etc/skel/.bash_logout:
rm -f $HOME/.bash_history
26
UTMP and WTMP
UTMP is a system log file that records users currently logged in.
UTMP is a place for exploitation to cause system damage.
UTMP contains accounting and access info used by commands such as who, last, lastlog etc.
WTMP contains the history of the UTMP database.
27
Questions?