Unix Security • Security architecture • File system and user accounts • Integrity management • Auditing and intrusion detection
Layers in a computer system (top to bottom): users; application; operating system (incl. networking); hardware.
Unix security • User access controls • File access controls • System administrator’s control
User access controls • Login through user name and password. • The password itself is never stored: in the traditional crypt(3) scheme the password is used as a DES key to encrypt a 64-bit block of zeros (repeated 25 times, with a 12-bit salt perturbing the cipher), and only that result is kept in the password file, so verification means repeating the encryption and comparing. • Note there are two different things called crypt on a Unix system: crypt(3), the one-way password function above, and crypt(1), a weak rotor-based file encryption command; they are not interchangeable.
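Checks a practitioner would run over the account file, as an added example (not from the original slides). The passwd lines are constructed; bob's hash is a made-up 13-character value in the old crypt(3) layout (two-character salt followed by eleven characters), "x" means the hash lives in /etc/shadow, and an empty field means no password at all.

```python
"""Audit /etc/passwd-style records for weak login settings (added example)."""
from collections import Counter

# Constructed sample of a traditional Unix passwd file, one record per line:
# name:password:uid:gid:gecos:home:shell
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
toor:x:0:0:backup root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:abJnggxhB/yWI:1001:1001:Bob:/home/bob:/bin/bash
guest::1002:1002:Guest:/home/guest:/bin/sh
carol:x:1000:1003:Carol:/home/carol:/bin/bash
"""


def parse_passwd(text):
    """Return a list of (name, pw, uid, gid, gecos, home, shell) tuples."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        records.append((name, pw, int(uid), int(gid), gecos, home, shell))
    return records


def audit_passwd(text):
    """Return (account, finding) pairs for the conditions an auditor cares about."""
    findings = []
    records = parse_passwd(text)
    uid_count = Counter(r[2] for r in records)
    for name, pw, uid, gid, gecos, home, shell in records:
        if pw == "":
            findings.append((name, "empty password field: login without a password"))
        elif pw not in ("x", "*") and not pw.startswith("!"):
            # A hash in world-readable /etc/passwd can be cracked offline;
            # "*" and "!..." are lock markers, not hashes.
            findings.append((name, "password hash stored in passwd rather than shadow"))
        if uid == 0 and name != "root":
            # Any UID 0 account is a second superuser, whatever it is called.
            findings.append((name, "UID 0 account other than root"))
        if uid_count[uid] > 1 and uid != 0:
            # Two names, one identity: the kernel cannot tell them apart.
            findings.append((name, f"UID {uid} shared with another account"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_passwd(SAMPLE_PASSWD):
        print(f"{account}: {finding}")
```

On a real host the same checks should be run against /etc/shadow as well (which needs root), because a shadow entry with an empty second field is just as dangerous as an empty field in passwd.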
File access controls
• directory based: a directory for each user listing the objects it may access and the rights it holds on each
• access control list based: a list attached to each object naming the users that may access it and their rights
• access control matrix: subjects against objects, of which the two forms above are the row-wise and column-wise views
• capability: an unforgeable token/ticket granting access to certain objects
• procedure-oriented (information hiding): access only through a procedure that mediates the object

Directory based access (example): each user holds a directory of the resources (objects) it may access, with the rights granted on each.
User A's access directory: prog1.c rw-, cmnd1 rwx, printer1 -w-
User B's access directory: prog1.c r--, cmnd1 --x, printer1 -w-
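The two views of one access matrix, plus a capability as an unforgeable ticket, as an added example (not code from the original slides). The matrix reproduces the slide's users A and B and objects prog1.c, cmnd1 and printer1; the HMAC key and the token layout are assumptions made for illustration.

```python
"""Directory-based vs ACL-based views of one access matrix, and an
HMAC-tagged capability (added example)."""
import hashlib
import hmac

# Access control matrix: rows are subjects, columns are objects, cells use
# the slide's positional rwx notation ("-w-" = write only).
MATRIX = {
    "A": {"prog1.c": "rw-", "cmnd1": "rwx", "printer1": "-w-"},
    "B": {"prog1.c": "r--", "cmnd1": "--x", "printer1": "-w-"},
}


def rights_set(rights):
    """'rw-' -> {'r', 'w'}; anything not in positional rwx form is rejected."""
    if len(rights) != 3:
        raise ValueError(f"bad rights string: {rights!r}")
    out = set()
    for want, got in zip("rwx", rights):
        if got == want:
            out.add(want)
        elif got != "-":
            raise ValueError(f"bad rights string: {rights!r}")
    return out


def access_directories(matrix):
    """Directory-based view: per user, the objects it may reach and how.
    Cheap to answer 'what can user U do?'; revoking one object means
    visiting every user's directory."""
    return {user: {obj: rights_set(r) for obj, r in row.items() if rights_set(r)}
            for user, row in matrix.items()}


def access_control_lists(matrix):
    """ACL view: per object, the users that may reach it and how.
    Cheap to answer 'who can reach object O?' and to revoke an object."""
    acls = {}
    for user, row in matrix.items():
        for obj, r in row.items():
            if rights_set(r):
                acls.setdefault(obj, {})[user] = rights_set(r)
    return acls


def allowed(matrix, user, obj, right):
    """Reference-monitor check straight from the matrix; unknown pairs deny."""
    return right in rights_set(matrix.get(user, {}).get(obj, "---"))


def mint_capability(key, user, obj, rights):
    """Capability: a ticket naming object and rights, made unforgeable by an
    HMAC under a key that only the reference monitor holds (assumed here)."""
    body = f"{user}:{obj}:{rights}"
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}:{tag}"


def check_capability(key, token, obj, right):
    """Accept the ticket only if its tag verifies and it names obj and right.
    Editing the rights field invalidates the tag, so a holder cannot
    escalate; a holder can still hand the ticket to someone else, which is
    the classic capability revocation problem."""
    try:
        user, tobj, rights, tag = token.split(":")
    except ValueError:
        return False
    expected = hmac.new(key, f"{user}:{tobj}:{rights}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag) and tobj == obj and right in rights_set(rights)


if __name__ == "__main__":
    print(access_directories(MATRIX))
    print(access_control_lists(MATRIX))
    key = b"monitor-secret"  # assumed; never stored where ticket holders can read it
    ticket = mint_capability(key, "B", "prog1.c", "r--")
    print(check_capability(key, ticket, "prog1.c", "r"),
          check_capability(key, ticket.replace("r--", "rw-"), "prog1.c", "w"))
```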
Groups (diagram): a user belongs to a group, and a group is a subset of all users; permissions can be granted at each of these three levels.
Super user and SUID and SGID • Controlled invocation of privilege is achieved by set-user-ID and set-group-ID programs. • With the SUID (SGID) permission bit set on a program, a normal user who runs it gets the effective user ID of the file's owner (the effective group ID of the file's group) for the duration of that program. • e.g. passwd, login, at, su, etc. • Because any flaw in such a program hands its owner's privileges (usually root's) to the caller, the set of SUID/SGID programs on a system must be inventoried and their integrity monitored.
File protection
• basic: all-none protection; group protection
• single permission: password or token; temporarily acquired permission (the SUID mechanism above)
• per-object and per-user protection
• Example: UNIX
Integrity management • Is achieved by • prevention • detecting change
Prevention • By placing controls: software, hardware, file system and operating system controls. • By having immutable and append-only files. Immutable files cannot be modified once the system is running (suitable for system programs such as login and passwd); append-only files accept appended data but their existing data cannot be changed (suitable for log files). On BSD systems these are the schg and sappnd file flags, which cannot be cleared while the kernel securelevel is raised; on Linux ext-family file systems the equivalents are chattr +i and chattr +a, which only root can set or clear, so they stop an intruder who has not yet obtained root.
Detection of change • Comparison of files with a (known good) backup copy. • The backup copy has to be kept protected, e.g. on read-only or offline media. • Comparison has to be performed byte by byte and is hence time consuming (especially for large files, such as database files). • Once an unauthorised change is detected, replace the altered version with the comparison copy, thereby restoring the system to normal.
Detection of change • Checklists and metadata • Store only a summary of important characteristics of each file and directory and use this information for comparison. • e.g. of summary information: time stamps (last read/modified), file protection modes, owner, link count (e.g. via ncheck), etc. • Running this kind of check as a cron job on the monitored host is not a good idea: an intruder who controls the host can read the schedule, disable or edit the job, or tamper with the stored summary, so the checklist and the comparison should be driven from a trusted machine or medium.
Detection of change • Checksums and signatures • Changes can be made in such a way that the checklist metadata does not change, so the previous method may fail. • e.g. set the clock backwards, make the change, then set the clock forward again so the modification time is unchanged. • CRC checksums are useful only against accidental corruption of a few bits: they are generated by well-known polynomials, so an attacker can adjust the altered file until it produces the original CRC. • Generate a fingerprint using a one-way hash function such as MD5 (today MD5 is collision-broken and SHA-256 should be used instead). A plain hash only helps if the stored hash database itself is protected; a keyed MAC or a true digital signature ties the fingerprints to a key that can be kept offline.
Tripwire • In practice one need not fingerprint the content of every file. • e.g. we need to know if the owner or protection mode of /etc/passwd changes, but we do not care about its size or checksum because we expect the contents to change; conversely we should be concerned if the contents of /bin/login are altered at all. • Tripwire is a package that lets you configure, per file or directory, which attributes to monitor and which message-digest algorithms to use. Original COAST distribution: ftp://coast.cs.purdue/edu/pub/COAST/Tripwire
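A Tripwire-style baseline that covers the points above (per-file policy, metadata checklist, content hash, the clock-rollback trick) and the SUID inventory called for under "Super user and SUID and SGID", as one added example. This is not Tripwire's own code and not from the slides: it builds a throwaway directory tree so it runs offline, and the policy, file names and contents are constructed. In real use the baseline database must live on read-only or offline media, as the slides say.

```python
"""Tripwire-style integrity baseline: metadata checklist plus content hash,
with a per-path policy and a SUID/SGID inventory (added example)."""
import hashlib
import os
import stat
import tempfile

# Per-file policy: which attributes to compare. /etc/passwd contents change
# legitimately, so only ownership and mode are watched; /bin/login and
# /bin/at must not change at all. ctime is deliberately not recorded: it
# cannot be restored by utime(), but a root intruder can move the system
# clock, which is exactly the trick the slides describe.
POLICY = {
    "etc/passwd": ("mode", "uid", "gid"),
    "bin/login": ("mode", "uid", "gid", "size", "mtime", "sha256"),
    "bin/at": ("mode", "uid", "gid", "size", "mtime", "sha256"),
}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, policy):
    """Record, for each policed path, only the attributes its policy names."""
    db = {}
    for rel, attrs in policy.items():
        path = os.path.join(root, rel)
        st = os.lstat(path)
        rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid,
               "size": st.st_size, "mtime": st.st_mtime_ns}
        if "sha256" in attrs:
            rec["sha256"] = sha256_file(path)
        db[rel] = {k: rec[k] for k in attrs}
    return db


def compare(baseline, current):
    """Return {path: [changed attribute, ...]}; a vanished file reports 'missing'."""
    diffs = {}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            diffs[rel] = ["missing"]
            continue
        changed = [k for k in old if old[k] != new.get(k)]
        if changed:
            diffs[rel] = changed
    return diffs


def suid_files(root):
    """Inventory of regular files with the set-uid or set-gid bit under root."""
    found = []
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            st = os.lstat(p)
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append(os.path.relpath(p, root))
    return sorted(found)


def demo():
    """Build a tree, baseline it, tamper the way an intruder would, and report
    what the checks see. Returns (diffs, suid before, suid after)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "bin"))
        files = {"etc/passwd": b"root:x:0:0::/root:/bin/sh\n",
                 "bin/login": b"#!/bin/sh\nexec /real/login \"$@\"\n",
                 "bin/at": b"#!/bin/sh\nexec /real/at \"$@\"\n"}
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        login = os.path.join(root, "bin/login")
        os.chmod(login, 0o4755)  # login is set-uid
        os.chmod(os.path.join(root, "bin/at"), 0o755)
        base = snapshot(root, POLICY)
        suid_before = suid_files(root)

        # Tamper 1: backdoor login with a same-length payload, restore the mode
        # (a write by an unprivileged owner clears the set-uid bit) and put the
        # mtime back: size and mtime checks pass, only the hash differs.
        st = os.lstat(login)
        with open(login, "wb") as f:
            f.write(b"#!/bin/sh\nexec /real/logiN \"$@\"\n")
        os.chmod(login, 0o4755)
        os.utime(login, ns=(st.st_atime_ns, st.st_mtime_ns))
        # Tamper 2: quietly make at set-uid; chmod does not touch mtime.
        os.chmod(os.path.join(root, "bin/at"), 0o4755)
        # Legitimate change: a new account; content is outside passwd's policy.
        with open(os.path.join(root, "etc/passwd"), "ab") as f:
            f.write(b"alice:x:1000:1000::/home/alice:/bin/sh\n")

        return compare(base, snapshot(root, POLICY)), suid_before, suid_files(root)


if __name__ == "__main__":
    diffs, before, after = demo()
    print("changed:", diffs)
    print("suid before:", before, "after:", after)
```

The run shows the division of labour: the metadata checklist catches the new set-uid bit on bin/at, the hash is the only thing that catches the backdoored bin/login, and the expected edit to etc/passwd raises nothing because its policy ignores content.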
Auditing and Intrusion Detection • After establishing the protection mechanisms, you need to monitor the system. • Monitoring is a process of auditing. • The audit trail is kept in log files; however, the log files themselves are vulnerable to attack (after all, they are also files in the system!).
Location of log files
• usually in /var/adm (on Linux systems, /var/log)
• The useful files are:
 • acct or pacct: records commands run by every user (process accounting)
 • aculog: records of dial-out modem use
 • lastlog: logs each user's most recent successful login time, and possibly the last unsuccessful login too
 • messages: records output to the system's console and other messages generated through the syslog facility
 • sulog: logs use of the su command
 • utmp: records each user currently logged in (may be in the /etc directory)
 • wtmp: provides a permanent record of each time a user logged in and logged out; also records system shutdowns and startups
 • vold.log: logs errors encountered with the use of external media, such as tapes, floppy drives, etc.
 • xferlog: logs FTP access
swatch – a log file tool • A perl program to monitor log files. • Available from ftp://sierra.standford.edu/swatch or ftp://coast.cs.purdue.edu/pub/tools/swatch
Managing log files • Plan to back up log files, and forward copies to a separate log host so a local intruder cannot erase the only record. • Review the log files periodically (daily or more often). • Apply filters so that routine messages do not drown out the ones that matter. • Don't trust logs completely!! They can be altered or deleted by an intruder who gains the necessary privilege on the host. • Plan to install software that adds security to the operating system's own controls (such as TCP wrappers).
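A swatch-style watcher covering the two points above, matching patterns over log lines and filtering routine noise, as an added example (not swatch's own code and not from the slides). The log lines are constructed to resemble sulog, login and syslogd entries; the rule set, the threshold and the severity names are assumptions to be tuned per host.

```python
"""swatch-style log watcher: regex rules over syslog lines, with repeated
failures by one user escalated once they reach a threshold (added example)."""
import re
from collections import defaultdict

# Constructed sample lines in syslog layout: "Mon dd hh:mm:ss host message".
SAMPLE_LOG = """\
Mar  3 02:14:07 host1 su: FAILED SU (to root) alice on /dev/pts/0
Mar  3 02:14:12 host1 su: FAILED SU (to root) alice on /dev/pts/0
Mar  3 02:14:19 host1 su: FAILED SU (to root) alice on /dev/pts/0
Mar  3 02:14:25 host1 su: + /dev/pts/0 alice:root
Mar  3 02:20:01 host1 cron[4123]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 02:31:44 host1 login[512]: FAILED LOGIN 1 FROM 203.0.113.7 FOR bob, Authentication failure
Mar  3 02:31:50 host1 login[512]: FAILED LOGIN 2 FROM 203.0.113.7 FOR bob, Authentication failure
Mar  3 02:33:02 host1 syslogd: restart
"""

# Each rule: name, pattern over the message part, severity. swatch maps a
# pattern to an action (echo, bell, mail, exec); here the action is to
# collect an alert. Lines matching no rule are the routine noise we drop.
RULES = [
    ("failed_su", re.compile(r"su: FAILED SU \(to (?P<target>\w+)\) (?P<user>\w+) on (?P<tty>\S+)"), "warn"),
    ("su_to_root", re.compile(r"su: \+ (?P<tty>\S+) (?P<user>\w+):root"), "info"),
    ("failed_login", re.compile(r"FAILED LOGIN \d+ FROM (?P<src>\S+) FOR (?P<user>\w+)"), "warn"),
    ("syslog_restart", re.compile(r"syslogd: restart"), "notice"),  # possible gap in the trail
]
SYSLOG_PREFIX = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")


def watch(lines, rules=RULES, threshold=3):
    """Return (severity, rule name, detail dict) alerts for the given lines.
    The threshold-th 'warn' hit for the same rule and user becomes 'alert'."""
    alerts = []
    counts = defaultdict(int)
    for line in lines:
        m = SYSLOG_PREFIX.match(line)
        if not m:
            alerts.append(("notice", "unparsed", {"line": line}))  # never drop silently
            continue
        for name, rx, sev in rules:
            hit = rx.search(m.group("rest"))
            if not hit:
                continue
            detail = dict(hit.groupdict(), ts=m.group("ts"), host=m.group("host"))
            if sev == "warn":
                key = (name, detail.get("user"))
                counts[key] += 1
                if counts[key] == threshold:
                    sev = "alert"
                    detail["count"] = threshold
            alerts.append((sev, name, detail))
    return alerts


if __name__ == "__main__":
    for sev, name, detail in watch(SAMPLE_LOG.splitlines()):
        print(f"{sev:6} {name:15} {detail}")
```

Run against a live file the loop would follow the file as swatch does (tail -f semantics) and send the escalated alerts somewhere off-host; the point of the threshold is that three failed su attempts followed by a successful one, as in the sample, is worth a page even though each line alone is routine.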