Fundamentals of Linux Platform Security

Security Training Course

Dr. Charles J. Antonelli The University of Michigan

2012

Fundamentals of Linux Platform Security

Module 10 Platform Security

Roadmap

•  Real-World Linux Security •  RHEL Security Guides •  Host-based Intrusion Detection

  TripWire   Bastille Linux

3 10/12 cja 2012

Real-World Linux Security

Real-World Linux Security

The seven deadly sins  Weak/default passwords  Open network ports  Old software versions   Insecure programs   Insufficient resources   Stale/unnecessary accounts   Procrastination

5 10/12 cja 2012

Bob Toxen, “Real World Linux Security: intrusion detection, prevention, and recovery,” 2nd Ed., Prentice-Hall 2003.

Turn off insecure passwords

•  Use SHA-512 & passphrases   Password hashes in /etc/shadow should

start with $6$! Maximum password length is 256 characters

•  Use /etc/shadow •  Both defined by default

6 10/12 cja 2012

Prevent ARP Cache Poisoning

•  Prevent ARP entries from being spoofed by making them permanent   add known ARP entries to /etc/ethers   add following to /etc/rc.d/rc.local  arp -f /etc/ethers  entries read from file are marked

permanent •  Use network switch port configurations

7 10/12 cja 2012

arp

•  /sbin/arp command   w/o args, displays contents of ARP cache   -a show all cache entries   -d h delete entry for host h   -s h e set permanent entry for host h with layer 2

address e   -s h e temp

set temporary entry for host h with layer 2 address e

  -f f read (default permanent) entries from file f   -n don’t convert host addresses to names

8 10/12 cja 2012

arping

•  Similar to ping, but uses ARP requests and replies for probing  Doesn’t require sender to have a IP address   Limited to local subnet, unless proxy ARP

10/12 9 cja 2012

arping

•  /sbin/arping destination   w/o args, displays usage   -I i use interface i (required)   -b use only Layer 2 broadcasts   -s s use source address s   -U unsolicited ARP   -D detect duplicate IP addr (RFC 2131)

10 10/12 cja 2012

arpwatch

•  Monitors ARP traffic •  Detects Layer 2 / Layer 3 address pairing changes

  Records to syslog   Emails to administrator

•  Changes detected   New station – new pairing using previously unseen layer 2 address   New activity – new pairing using previously seen layer 2 address   Flip flop – layer 2 address changed in existing pairing   Changed ethernet address – layer 2 address changed on host

10/12 11 cja 2012

arpwatch lab

•  Look at man page   man arpwatch

•  Display syslog messages   Start another terminal window   sudo tail –f /var/log/messages

•  Edit config file   sudo vi /etc/sysconfig/arpwatch   Insert “-i ethN” into OPTIONS if needed, adjust others as necessary

•  (Optional) set arpwatch to start on boot   chkconfig --list arpwatch   chkconfig arpwatch on   chkconfig --list arpwatch

•  Start arpwatch   sudo service arpwatch start   You should see ethN entering promiscuous mode in the syslog

•  Generate some ARP traffic   Empty, then list your ARP cache   You should see something like the following in the log (and in an email message, if you’ve set that up)

Apr 21 16:10:58 localhost arpwatch: new station 172.16.234.2 0:50:56:e7:f7:34

•  No output? Get arpwatch to forget:   sudo service arpwatch stop   sudo cp /dev/null /var/lib/arpwatch/arp.dat

  sudo service arpwatch start

12 10/12 cja 2012

RHEL Security Guides

•  Canonical step-by-step guide   Security overview   Attackers and Vulnerabilities   Security Updates   Workstation Security   Server Security   Virtual Private Networks   Firewalls   Vulnerablity Assessment   Intrusion Detection   Incident Response

13 10/12 cja 2012

Security Guides

•  Three guides:   http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-

i731.pdf   http://people.redhat.com/sgrubb/files/hardening-

rhel5.pdf   http://docs.redhat.com/docs/en-US/

Red_Hat_Enterprise_Linux/6/pdf/Security_Guide/Red_Hat_Enterprise_Linux-6-Security_Guide-en-US.pdf

14 10/12 cja 2012

Host-based IDS

16

Host Based IDS (HIDS)

•  Intrusion Detection performed on the host   (Host) network layer  Not vulnerable to obfuscation games  HIDS sees exactly what the application layer

sees   Library proxy  Entercept/Cisco CSA/etc  Did you really get every one?

» Multiple kernel entry points in Windows ~ Hundreds of ways to execute a program

10/12 cja 2012

Windows NT Architecture

10/12 17 cja 2012

18

HIDS

•  Behavioral   Behavior is learned  Has this program ever executed cmd.exe

before?  Has it ever generated network traffic to this

host? •  System call shim

  Behavior is explicitly specified  systrace!

10/12 cja 2012

19

Tripwire

•  Binary checksums   Tripwire

•  Log aggregators can take both HIDS & NIDS input  Correlate your own events

•  HIDS are “push”, NIDS are “pull”  Have to manually deploy HIDS  NIDS see everything

10/12 cja 2012

20

Tripwire

•  HIDS tool •  Initially creates hashes of all stored files in a database •  Subsequently compares stored hashes to files and

reports any changes •  Configuration

  twcfg.txt - general configuration   twpol.txt - policy: what files to monitor, what file attributes to

monitor for change, what to do if changes are detected  As shipped, monitors a large set of standard files  You will want to modify this file for your site

•  Security   Site passphrase - encrypts and signs Tripwire files   Local passphrase - needed to run Tripwire

10/12 cja 2012

21

Tripwire lab

•  Install   cd /usr/local/lab/tripwire

  sudo ./INSTALL.sh

  File /tmp/victim created for Tripwire to trip over later •  Configure

  sudo tripwire-setup-keyfiles

 Create passphrases when prompted   Signs and encrypts the Tripwire configuration and policy files

 Enter passphrases when prompted •  Initialize database

  sudo tripwire --init

 Enter passphrase when prompted   Creates the encrypted database

10/12 cja 2012

22

Tripwire lab

•  Check integrity -- should show no changes   sudo tripwire --check

 Report sent to standard output and saved as *.twr in report directory

•  Change something and re-check integrity -- should show change   Change something about /tmp/victim   sudo tripwire --check

 Shows changes   sudo twprint -m r -r /var/lib/tripwire/report/[report].twr

 Substitute appropriate report file name for [report]  List /var/lib/tripwire/report to find the right one

»  File name reflects date and time file was generated

10/12 cja 2012

23

Bastille Linux

•  http://www.bastille-unix.org/  Cybersquatter on bastille-linux.org

•  Wizard for locking down Linux •  Support for the major distributions •  Step-by-step walkthroughs

 … including iptables •  Undo feature

10/12 cja 2012

24

Bastille lab

•  Install bastille   cd /usr/local/lab/bastille   sudo ./INSTALL.sh

•  Run bastille   man bastille!  sudo bastille --assess (“guaranteed” read-

only)  Accept the terms …

  sudo bastille! Explore

10/12 cja 2012

References

•  Bob Toxen, “Real World Linux Security: intrusion detection, prevention, and recovery,” 2nd Ed., Prentice-Hall 2003.

•  “Red Hat Enterprise Linux 4 Security Guide,” Red Hat, Inc., 2005. http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/pdf/rhel-sg-en.pdf

•  “Red Hat Enterprise Linux 4.5.0 Security Guide,” Red Hat, Inc., 2007. http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/en-US/Security_Guide/

•  “Guide to the Secure Configuration of Red Hat Enterprise Linux 5,” Revision 2, National Security Agency, December 20, 2007. http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf

•  Niels Provos, “Systrace - Interactive Policy Generation for System Calls,” Center for Information Technology Integration, University of Michigan, 2003. Retrieved October 2009. http://www.citi.umich.edu/u/provos/systrace/

•  Tripwire http://sourceforge.net/projects/tripwire/ •  Bastille http://www.bastille-unix.org/

10/12 cja 2012 25