Operating System Security
A Windows and UNIX Introduction
UNIX Security
Unix is a multi-user, multitasking operating system. It is widely used because it is generally more stable, more reliable and more scalable than most other operating systems.
Typical uses:
Enterprise Resource Planning (SAP, PeopleSoft, Oracle, etc.)
Engineering applications (CAD/CAM, process controllers, etc.)
Electronic commerce (web servers, transaction processors, etc.)
Database servers (Oracle, Informix, etc.)
Firewalls (Checkpoint Firewall-1, Sidewinder, etc.)
Some UNIX History
Unix was developed at AT&T Bell Labs in 1969.
By the early 1970s, it was rewritten to make it an “open” system with portability.
As an open system, Unix became widespread as universities and others began using it more and more.
Two UNIX code bases became dominant, and most later Unix variants derive from one of them:
System V - AT&T
BSD - Berkeley Software Distribution
UNIX Features
Written in the C programming language.
One of the first operating systems to ship with a TCP/IP implementation (the BSD networking code), which helped make the Internet and the World-Wide Web possible.
Linux is a Unix-like system. Unix runs most Internet Service Providers.
A default Unix installation is generally insecure (unneeded network services enabled, permissive file permissions, default accounts left in place) and is one of the most frequently attacked operating systems; it must be hardened before it is exposed.
Unix Architecture - Shells
Figure: the login program starts the user's shell (C, Bourne or Korn shell); commands typed in the shell are sent to the system.
User Accounts - Overview
Every person who uses a UNIX computer system must have an account or username to log in with.
Each account is identified by user identification number (“UID”).
All accounts are stored in the /etc/passwd file, one line per user.
When a user logs in, UNIX reads the password file to authenticate the user and to find the UID, GID, home directory and shell to start; the shell then executes the user's start-up files.
Users - The /etc/passwd file
Sample file (one entry per line; the fields are username:password:UID:GID:GECOS:home:shell):
daemon:*:1:1::/tmp:
root:diw&5kdiwlj^#:0:1::/:
ftp:*:2:2:FTP User:/usr/spool/ftp:
bobp:Je834,dfsjiv@:10:5:Bob Paris:/home/admin:/bin/sh
rodj:9Iuh,.KjhgTr4:10:5:Rod Jackson:/home/admin:/bin/sh
kevl:M,mnnh875Jkg:100:100:Klevrone:/home/acc:/bin/sh
leel:8JHgjgj45d.,L:102:100:Lee Labrada:/home/acc/:/bin/sh
/etc/passwd - The username
bobp:Je834,dfsjiv@:10:5:Bob Paris:/home/admin:/usr/bin/sh
1-8 characters in length
alphabetic or numeric
special characters cause problems with many utilities
/etc/passwd - Passwords
bobp:Je834,dfsjiv@:10:5:Bob Paris:/home/admin:/usr/bin/sh
passwords are stored as one-way hashes produced by the DES-based crypt(3) routine: 13 characters, the first two being the salt; the cleartext cannot be recovered from the hash, but anyone who can read the hash can guess passwords offline against it
an asterisk (*) means EITHER the account is revoked (locked) OR the hashes live in a shadow password file (explained under Shadowed Passwords below); many systems use an "x" for the shadow case
if the field is blank, the account has no password and anyone can log in with the username alone
NP is also sometimes used to lock an account
/etc/passwd - User ID numbers (UID)
bobp:Je834,dfsjiv@:10:5:Bob Paris:/home/admin:/usr/bin/sh
UIDs 0-9 are reserved for system accounts.
Unix identifies a user by UID, not by username: accounts that share a UID are the same user to the kernel and can read and modify each other's files (in the sample file above, bobp and rodj both have UID 10), so duplicate UIDs are a finding.
UID 0 assigns superuser privileges, whatever the username.
/etc/passwd - Group ID (GID)
bobp:Je834,dfsjiv@:10:5:Bob Paris:/home/admin:/usr/bin/sh
GID defines the user's primary group.
GID 0 assigns the superuser group (called root, wheel or system depending on the variant).
Users can belong to more than one group; the additional memberships are listed against the group names in the /etc/group file.
/etc/passwd - The GECOS field
bobp:Je834,dfsjiv@:10:5:Bob Paris:/home/admin:/usr/bin/sh
Named after the General Electric Comprehensive Operating Supervisor (GECOS), whose batch-job identification the field originally held.
Free-text field (should be meaningful, e.g. the user's full name).
Shown in the output of the finger command, so it is visible to anyone who can run finger against the system.
/etc/passwd - Home directory
bobp:Je834,dfsjiv@:10:5:Bob Paris:/home/admin:/usr/bin/sh
location of the user's start-up files, e.g. the user's .profile
default (working) directory after login
/etc/passwd - The shell field
bobp:Je834,dfsjiv@:10:5:Bob Paris:/home/admin:/usr/bin/sh
different types of Unix shells can be set here (sh, csh, ksh)
can also be a restricted program such as /prod/payroll/menu, which confines the user to a menu instead of a shell
a blank field defaults to the Bourne shell (/bin/sh), so leaving it blank does not stop the account from logging in
Password Security
Different flavors of UNIX provide different levels of account and password controls:
password aging
minimum password length
alpha-numeric passwords
account lockout
Shadowed Passwords
/etc/passwd must be readable by all users, because many commands (ls, id, finger and login itself) need it to map UIDs to usernames.
To keep the password hashes away from users running password guessers, the hashes are moved to a shadow file readable only by root:
/etc/shadow (Sun, Linux), /etc/security/passwd (AIX)
The stored password is the output of a one-way hash; it cannot be reversed, but any hash that can be read can be attacked offline by guessing.
The entry format differs among Unix variants (your participant guide lists the standard shadow file names).
/etc/shadow
Entry format (Sun, first three fields): username:password:lastchg
Sample: markmcguire:cob6j4NEL3H7Q:9827
password: a 13-character encrypted password for the user, a lock string to indicate that the login is not accessible, or no string, which shows that there is no password for the login.
lastchg: the number of days between January 1, 1970, and the date that the password was last modified (9827 in the sample).
The full Sun entry continues with min:max:warn:inactive:expire:flag, the fields that implement password aging and account expiry.
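The lock strings and the lastchg field described above can be checked mechanically. The script below is an added example for this section, not code from the course material: the shadow lines it reads are constructed (the hashes are not real credentials), the layout assumed is the three-field Sun form shown above with any further fields ignored, and the "today" value (in days since 1970-01-01) and the maximum password age are passed as arguments so that the run is reproducible offline.

```shell
#!/bin/sh
# Added example (not from the course material): classify the password field of
# shadow-style entries and flag accounts with no password or a stale password.
# Assumed layout: username:password:lastchg[:...]  (Sun /etc/shadow, extra fields ignored)

# Constructed sample; the hashes are not real credentials.
SAMPLE_SHADOW='markmcguire:cob6j4NEL3H7Q:9827
root:*LK*:9000
daemon:NP:6445
guest::9827
oldacct:Je834,dfsjiv@:8000
newuser:$1$abcdefgh$z9mA3qvhDzEuqx0Hm9WGL/:9820'

# classify_password FIELD -> empty | locked | descrypt | modular | unknown
classify_password() {
    case "$1" in
        '')           echo empty ;;       # blank field: login with no password at all
        '*'*|NP|'!'*) echo locked ;;      # *, *LK*, NP, !, !! are lock strings, not hashes
        '$'*)         echo modular ;;     # $id$salt$hash (MD5/SHA crypt), not 13-char DES
        *) if [ "${#1}" -eq 13 ]; then echo descrypt; else echo unknown; fi ;;
    esac
}

# audit_shadow TODAY_DAYS MAX_AGE_DAYS  (shadow lines on stdin)
# Prints one line per account: user state age_in_days flag
# where flag is NO_PASSWORD, STALE (hash older than MAX_AGE_DAYS) or ok.
audit_shadow() {
    today=$1; maxage=$2
    while IFS=: read -r user pw lastchg rest; do
        [ -z "$user" ] && continue
        state=$(classify_password "$pw")
        age=$(( today - ${lastchg:-0} ))   # lastchg is days since 1970-01-01
        flag=ok
        if [ "$state" = empty ]; then
            flag=NO_PASSWORD
        elif [ "$state" != locked ] && [ "$age" -gt "$maxage" ]; then
            flag=STALE
        fi
        echo "$user $state $age $flag"
    done
    return 0
}

# Run against the sample with "today" = day 9900 and a 90-day maximum age.
printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow 9900 90
```

On a real host the input would be `/etc/shadow` read as root and the "today" value `$(( $(date +%s) / 86400 ))`; the classifier treats every non-lock value that is not 13 characters or `$`-prefixed as unknown rather than guessing, which is the safe default for an audit.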
Default Accounts
Default user IDs are common to most systems, so they are known to attackers and are attacked. They are the IDs under which the system runs its daemons and owns its files, and several of them are powerful.
Typical Unix default accounts:
root adm bin dev daemon sync sys lp nobody listen uucp
Access must be controlled. No system user ID (except root) should be able to log in and obtain a prompt: lock the password field and give the account a non-shell such as /bin/false.
Applications and databases often create a default user account during installation. If root performs the installation these accounts can be powerful, and they are usually not needed after the installation completes. Administrators often fail to remove or lock them.
Example accounts: oracle, informix, sap, tivoli, tng
Generic Accounts
Administrators more interested in flexibility than security often assign users generic accounts: user IDs that represent a group, class or department rather than a named individual.
Samples: guest, trainer, student, accounting, accounts_payable, operator, helpdesk, sales, consultant, temp1
Unless genuinely needed, generic accounts are a BAD idea: they cannot tie the actions performed under the ID to a specific person, so the audit trail loses accountability.
Good practice for user IDs: base them on the employee number or employee name, and give consultants and temporary employees individually identifiable IDs.
Superusers
Commonly called "root", but any account with UID 0 is a superuser, whatever its name.
Superusers can:
override all file permissions
bypass all normal security checks
create new users
Hacking Superusers
A HACKER’S GOAL IS TO BECOME THE ROOT USER
Once users have become root they may:
Modify log files to cover their tracks
Add users they can use later to access the system
Install backdoor programs to gain later access or to launch malicious code, such as distributed denial of service attacks (e.g. Yahoo, CNN, etc.)
Install daemons that capture and transmit sensitive information to the hackers
File Permissions in UNIX
On a directory the three permission bits mean:
r (read) - list (ls) the directory's contents
w (write) - add or remove files in the directory (deleting a file needs write on the directory, not on the file itself)
x (execute) - make the directory your current directory and open files within it by name
On a regular file the same bits mean read the contents, modify the contents, and execute the file.
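When reviewing permissions in bulk the practitioner reads `ls -l` output, and the bits that matter most (setuid, setgid, sticky, world-writable) are easy to misread in the symbolic form. The script below is an added example, not code from the course material, and goes slightly beyond the r/w/x meanings above by decoding the special bits as well: it converts a 10-character mode string to octal and names the risky bits, then runs over a few constructed `ls -l` lines (not captured from a real host).

```shell
#!/bin/sh
# Added example (not from the course material): decode ls -l mode strings into
# octal and flag the bits that matter for security: setuid, setgid, sticky,
# world-writable, and world-writable directories without the sticky bit.

# mode_flags MODE  (MODE is the 10-character string ls -l prints, e.g. -rwsr-xr-x)
# prints "<octal> <flags>", flags comma-separated or "none"; "invalid" for bad input
mode_flags() {
    printf '%s\n' "$1" | awk '
    {
        m = $1
        if (length(m) != 10) { print "invalid"; next }
        type = substr(m, 1, 1)              # d = directory, - = regular file, l = symlink
        su = 0; sg = 0; st = 0; octal = ""
        for (i = 0; i < 3; i++) {           # triplets: user, group, other
            v = 0
            r = substr(m, 2 + i * 3, 1); w = substr(m, 3 + i * 3, 1); x = substr(m, 4 + i * 3, 1)
            if (r == "r") v += 4
            if (w == "w") v += 2
            if (x == "x" || x == "s" || x == "t") v += 1   # lowercase s/t: execute bit also set
            if (i == 0 && (x == "s" || x == "S")) su = 1
            if (i == 1 && (x == "s" || x == "S")) sg = 1
            if (i == 2 && (x == "t" || x == "T")) st = 1
            perm[i] = v
            octal = octal v
        }
        flags = ""
        if (su) flags = flags "setuid,"
        if (sg) flags = flags "setgid,"
        if (st) flags = flags "sticky,"
        if (int(perm[2] / 2) % 2 == 1) {    # write bit set in the "other" triplet
            flags = flags "world-writable,"
            if (type == "d" && !st) flags = flags "dir-no-sticky,"  # anyone may delete others files
        }
        if (flags == "") flags = "none"; else flags = substr(flags, 1, length(flags) - 1)
        special = su * 4 + sg * 2 + st
        print special octal " " flags
    }'
}

# flag_risky_entries  (ls -l lines on stdin) -> "<name> <octal> <flags>" for risky entries
flag_risky_entries() {
    while read -r mode rest; do
        [ -z "$mode" ] && continue
        name=${rest##* }                    # last field of the ls -l line
        result=$(mode_flags "$mode")
        case "$result" in
            *setuid*|*setgid*|*world-writable*) echo "$name $result" ;;
        esac
    done
    return 0
}

# Constructed ls -l output (not captured from a real host).
SAMPLE_LS='-rwsr-xr-x 1 root root 12345 Jan 1 2000 /usr/bin/passwd
-rwxrwxrwx 1 root root 200 Jan 1 2000 /usr/local/bin/backup.sh
drwxrwxrwx 2 root root 4096 Jan 1 2000 /var/spool/uploads
drwxrwxrwt 10 root root 4096 Jan 1 2000 /tmp
-rw-r--r-- 1 root root 1000 Jan 1 2000 /etc/passwd'

printf '%s\n' "$SAMPLE_LS" | flag_risky_entries
```

The same scan on a live system is `ls -lR /usr /var | flag_risky_entries`; /tmp is still listed because it is world-writable, but without the dir-no-sticky flag, which is the expected state for a shared temporary directory.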
TCP Wrappers - Overview
TCP wrapper (tcpd) is a mechanism for providing access control to network services started by inetd.
It is a program that inetd runs in place of the real daemon: it checks which host is connecting, logs the connection through syslog, and only then executes the daemon (or drops the connection).
Access can be controlled per service (e.g. ftpd, telnetd, etc.).
Patterns support wildcards for whole domains (e.g. *.ncsa.uiuc.edu).
Can be configured strict (e.g. only allow connections from *.ncsa.uiuc.edu).
Can be configured loose (e.g. allow connections from everyone but *.spam.net).
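The strict and loose policies described above are expressed in /etc/hosts.allow and /etc/hosts.deny, and the order in which tcpd consults them decides the outcome. The script below is an added example, not tcpd itself and not code from the course material: it implements a small hosts_access-style matcher to show that decision order, writes the two policies to constructed files in a temporary directory, and supports only "daemon_list : client_list" lines, the ALL wildcard, exact hostnames and the leading-dot domain form (.ncsa.uiuc.edu) that hosts_access(5) uses for the wildcard the page writes as *.ncsa.uiuc.edu. EXCEPT, address/netmask patterns and the other hosts_access(5) features are deliberately left out.

```shell
#!/bin/sh
# Added example (not from the course material, and not tcpd itself): a small
# hosts_access-style matcher that shows the decision order tcpd uses, run against
# constructed hosts.allow / hosts.deny files in a temporary directory.
# Supported: "daemon_list : client_list" lines, comma or space separated lists,
# the ALL wildcard, exact hostnames and leading-dot domain suffixes (.ncsa.uiuc.edu).

# match_pattern PATTERN VALUE -> 0 if PATTERN matches VALUE
match_pattern() {
    case "$1" in
        ALL) return 0 ;;
        .*)  case "$2" in *"$1") return 0 ;; esac; return 1 ;;   # domain suffix match
        *)   [ "$1" = "$2" ] ;;
    esac
}

# rule_file_matches FILE DAEMON CLIENT -> 0 if any rule line matches both
rule_file_matches() {
    [ -f "$1" ] || return 1
    while IFS= read -r line; do
        line=${line%%#*}                                  # strip comments
        case "$line" in *:*) ;; *) continue ;; esac
        daemons=$(printf '%s' "${line%%:*}" | tr ',' ' ')
        clients=$(printf '%s' "${line#*:}" | tr ',' ' ')
        dmatch=1; cmatch=1
        for d in $daemons; do match_pattern "$d" "$2" && dmatch=0; done
        for c in $clients; do match_pattern "$c" "$3" && cmatch=0; done
        if [ "$dmatch" -eq 0 ] && [ "$cmatch" -eq 0 ]; then return 0; fi
    done < "$1"
    return 1
}

# hosts_access DAEMON CLIENT ALLOW_FILE DENY_FILE -> 0 = accept, 1 = refuse
# tcpd order: first match in hosts.allow accepts; otherwise first match in
# hosts.deny refuses; otherwise the connection is accepted.
hosts_access() {
    if rule_file_matches "$3" "$1" "$2"; then return 0; fi
    if rule_file_matches "$4" "$1" "$2"; then return 1; fi
    return 0
}

WRAP_DIR=$(mktemp -d)
trap 'rm -rf "$WRAP_DIR"' EXIT
mkdir "$WRAP_DIR/strict" "$WRAP_DIR/loose"

# Strict: only NCSA hosts may use ftp and telnet; everything else is refused.
printf '%s\n' 'in.ftpd, in.telnetd : .ncsa.uiuc.edu' > "$WRAP_DIR/strict/hosts.allow"
printf '%s\n' 'ALL : ALL' > "$WRAP_DIR/strict/hosts.deny"
# Loose: everyone is accepted except hosts under spam.net.
: > "$WRAP_DIR/loose/hosts.allow"
printf '%s\n' '# refuse the spam domain for every wrapped service' 'ALL : .spam.net' > "$WRAP_DIR/loose/hosts.deny"

# decide POLICY DAEMON CLIENT -> prints accept|refuse (POLICY is strict or loose)
decide() {
    if hosts_access "$2" "$3" "$WRAP_DIR/$1/hosts.allow" "$WRAP_DIR/$1/hosts.deny"; then
        echo accept
    else
        echo refuse
    fi
}

decide strict in.ftpd    host.ncsa.uiuc.edu   # accept
decide strict in.fingerd host.ncsa.uiuc.edu   # refuse: no allow rule for fingerd, deny has ALL : ALL
decide strict in.ftpd    relay.spam.net       # refuse
decide loose  in.ftpd    relay.spam.net       # refuse
decide loose  in.ftpd    host.example.org     # accept
```

The strict policy shows why the deny file matters: without the `ALL : ALL` line, a service that has no allow rule would be accepted by the final default. The suffix match also illustrates that a leading dot is required, so fakencsa.uiuc.edu does not match .ncsa.uiuc.edu.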
Job Scheduling - Cron
Cron is a clock daemon that executes commands at specified dates and times.
Regularly scheduled commands are specified in crontab files, one per user, kept in the directory /var/spool/cron/crontabs (the location varies by variant).
Users submit their own crontab file with the crontab command.
Traditional System V cron only examines the crontab files during its own process initialization and when the crontab or "at" command is run; Vixie cron and its descendants also re-read the spool directory when a crontab's modification time changes.
CRON – Cont’d
All executables and files referenced by cron should NOT be world-readable or world-writable: a world-writable script run from root's crontab is an easy route to root.
Usually administrators are the only ones with a need to use cron. Access to the crontab command is controlled by the cron.allow and cron.deny files (/etc/cron.d/cron.allow and cron.deny on Solaris); if users can run crontab, ask why there is a need.
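The two cron checks above (the crontab file itself, and the executables it references) can be scripted. The script below is an added example, not code from the course material: it builds a constructed fixture in a temporary directory rather than touching /var/spool/cron/crontabs, reads the command from the sixth field of each schedule line (VAR=value and @reboot-style lines are skipped), and tests permission bits with find -perm so that the result is the same whichever user runs it.

```shell
#!/bin/sh
# Added example (not from the course material): check crontab files for a
# world-writable or world-readable crontab and for scheduled commands whose
# executables are world-writable (or missing). Runs against a constructed
# fixture in a temporary directory, not /var/spool/cron.

# other_bits FILE OCTAL -> 0 if all of the OCTAL permission bits are set on FILE
other_bits() { [ -n "$(find "$1" -prune -perm "-$2" -print 2>/dev/null)" ]; }

# audit_crontab FILE -> findings, one per line (empty output = clean)
audit_crontab() {
    f=$1
    other_bits "$f" 002 && echo "CRONTAB_WORLD_WRITABLE $f"
    other_bits "$f" 004 && echo "CRONTAB_WORLD_READABLE $f"
    while IFS= read -r line; do
        case "$line" in
            [0-9]*|'*'*) ;;      # min hour dom mon dow command ...
            *) continue ;;       # blank, comment, VAR=value and @reboot-style lines skipped
        esac
        cmd=$(printf '%s\n' "$line" | awk '{ print $6 }')   # first word of the command field
        if [ ! -e "$cmd" ]; then
            echo "MISSING $cmd"  # a writable parent directory would let anyone supply it
        elif other_bits "$cmd" 002; then
            echo "WORLD_WRITABLE $cmd"
        fi
    done < "$f"
    return 0
}

CRON_FIX=$(mktemp -d)
trap 'rm -rf "$CRON_FIX"' EXIT
mkdir -p "$CRON_FIX/bin" "$CRON_FIX/crontabs"
printf '#!/bin/sh\necho backup\n'  > "$CRON_FIX/bin/backup.sh";  chmod 755 "$CRON_FIX/bin/backup.sh"
printf '#!/bin/sh\necho cleanup\n' > "$CRON_FIX/bin/cleanup.sh"; chmod 777 "$CRON_FIX/bin/cleanup.sh"

# root's crontab: correctly mode 600, but one job runs a world-writable script
# and another references a script that does not exist.
cat > "$CRON_FIX/crontabs/root" <<EOF
# constructed root crontab
0 2 * * * $CRON_FIX/bin/backup.sh
30 3 * * 0 $CRON_FIX/bin/cleanup.sh > /dev/null 2>&1
15 4 * * * $CRON_FIX/bin/missing.sh
EOF
chmod 600 "$CRON_FIX/crontabs/root"

# bobp's crontab: the job is fine, but the file is readable by everyone.
printf '%s\n' "0 1 * * * $CRON_FIX/bin/backup.sh" > "$CRON_FIX/crontabs/bobp"
chmod 644 "$CRON_FIX/crontabs/bobp"

for ct in "$CRON_FIX"/crontabs/*; do
    echo "== $ct"; audit_crontab "$ct"
done
```

On a real system the loop would run as root over /var/spool/cron/crontabs/*; a further check worth adding in practice is that every directory on the path to each command is also not world-writable, since a writable parent lets anyone replace the script.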
Audit Subsystem and Audit Files
UNIX has limited auditing capabilities. The basic audit features provide logging of:
last logins, logins and logouts, failed logins, system accounting (commands run), use of the su command, system events
Sample Audit Files
acct/pacct - process accounting records of the commands run by each user
lastlog - each user's last login
loginlog - failed logins (Sun)
messages - syslog messages
sulog - su attempts, successful and failed
utmp - users currently logged in
wtmp - history of logins and logouts
utmp and wtmp are binary files read with who and last. An attacker who becomes root can edit or truncate any of these files, so send copies to a separate log host where possible.
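Of the files above, sulog is the one that most directly shows the attack the Hacking Superusers slide describes, because repeated failed su-to-root attempts from one user stand out in it. The script below is an added example, not code from the course material: the log lines are constructed in the Sun sulog layout (SU MM/DD HH:MM +|- tty from-to, where + is success and - is failure), and the script reports users with a configurable number of failed attempts to become root as well as everyone who succeeded and from which terminals.

```shell
#!/bin/sh
# Added example (not from the course material): summarise su attempts from a
# sulog-style file. Assumed line layout (Sun sulog): SU MM/DD HH:MM +|- tty from-to
# with "+" meaning the su succeeded and "-" meaning it failed.

# Constructed sample lines (not from a real host).
SAMPLE_SULOG='SU 11/02 08:15 + pts/1 bobp-root
SU 11/02 08:40 - pts/2 leel-root
SU 11/02 08:41 - pts/2 leel-root
SU 11/02 08:43 - pts/2 leel-root
SU 11/02 09:05 - pts/4 kevl-root
SU 11/02 09:30 + pts/2 leel-root
SU 11/03 22:10 + console root-oracle
SU 11/03 22:12 - pts/3 kevl-oracle'

# sulog_report THRESHOLD  (sulog lines on stdin)
# prints FAILED_SU_ROOT <user> <count> for users with >= THRESHOLD failed su to root
# and BECAME_ROOT <user> <count> <ttys> for every user who successfully became root.
sulog_report() {
    awk -v thr="${1:-3}" '
    $1 == "SU" && NF >= 6 {
        n = split($6, p, "-")
        target = p[n]                                  # text after the last hyphen
        src = substr($6, 1, length($6) - length(target) - 1)   # keeps hyphenated usernames intact
        if (target != "root") next                     # only su to root is of interest here
        if ($4 == "-") fail[src]++
        if ($4 == "+") { ok[src]++; ttys[src] = ttys[src] (ttys[src] == "" ? "" : ",") $5 }
    }
    END {
        for (u in fail) if (fail[u] >= thr) print "FAILED_SU_ROOT " u " " fail[u]
        for (u in ok) print "BECAME_ROOT " u " " ok[u] " " ttys[u]
    }'
}

printf '%s\n' "$SAMPLE_SULOG" | sulog_report 3
```

Run as `sulog_report 3 < /var/adm/sulog` on a Sun host; the threshold keeps single typos out of the report, and the BECAME_ROOT lines give the list of people whose terminals should appear in wtmp at the same time.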