300 likes | 574 Views
FOREWORD. ?No absolute security as long as system is accessed"?In system administration, the evil is in details"For questions, contact is antoine.davous@aviler.com with [ESGI] in subject field ? otherwise, mail will be considered as spam by server rules.. A.Davous, 01/02/2009. 2. Unix Secur
E N D
1. UNIX SYSTEM SECURITY AND ADVANCED ADMINISTRATION (SÉCURITÉ SYSTÈME SOUS UNIX ET ADMINISTRATION AVANCÉE) A.Davous, 01/02/2009 1 Unix Security Advanced Admin
2. FOREWORD “No absolute security as long as system is accessed”
“In system administration, the evil is in details”
For questions, contact is antoine.davous@aviler.com
with [ESGI] in subject field – otherwise, mail will be considered as spam by server rules. A.Davous, 01/02/2009 2 Unix Security Advanced Admin
3. INTRODUCTION UNIX FLAVORS
COMMON SENSE RULES OF SECURITY
HOW SECURITY IS COMPROMISED
UNIX DAEMONS, SERVICES AND SERVERS
HANDS-ON : SUN VIRTUAL BOX A.Davous, 01/02/2009 3 Unix Security Advanced Admin
4. WELL-KNOWN EXAMPLES Sendmail debug commands modeas sendmail runs with setuid rootso user can run any command with root power(try sudo and vi !...)
Command passwd –f : no control of entered GECOS fieldso user can add any new line in password file
Buffer overflow is a variantUser can execute shellcode (to get run root shell) previously saved at some memory address for programs that accepts any entry without control (exploit)
More generally, any software that do not control file ownership – you just have to link to any system file A.Davous, 01/02/2009 Unix Security Advanced Admin 4
5. FOR INFORMATION – UNIX RELEASES A.Davous, 17/09/2008 5 Solaris vs. Linux
6. FOR INFORMATION – UNIX FLAVORS Unix time line http://www.levenez.com/unix/
Linux distributions time line http://futurist.se/gldt/gldt76.png A.Davous, 01/02/2009 Unix Security Advanced Admin 6
7. REMINDER – UNIX MANDATORY Read, read again documentationman, man –k, makewhatis -u
vi – what else could be expected ?vim but config and security
Shells : sh – best choice for scriptingthen tcsh or bash… (current : ps)
find, diff, touch, sort [-n]
xargs
grep, egrep, awk, Perl, expect A.Davous, 01/02/2009 7 Unix Security Advanced Admin Find command and shell interactionFind command and shell interaction
8. WELL-KNOWN ATTACKS A.Davous, 01/02/2009 Unix Security Advanced Admin 8
9. MALICIOUS PROGRAMS (MALWARES) A.Davous, 01/02/2009 Unix Security Advanced Admin 9
10. SECURITY KEY CONCEPTS 3 security goals: confidentiality, integrity, availability
3 usual answers to threats: ignore, improvise or try to ‘over’ secure
Right answer: determine field, identify and evaluate cost of resources (financial, confidentiality or production), determine security risks and strategy, monitor, upgrade A.Davous, 01/02/2009 Unix Security Advanced Admin 10
11. STRATEGIES Strategies :Accept threat – but have a recovery planReduce threat – by appropriate meansTransfer threat – to a vendorBypass threat – by blocking access
Understanding is key:Example of mail user privilegeProtect all layers – example of firewallsReduce exposed surfaceProtect but detect and answer – administrate !
Security is or must be part of :conception, operation and deployment A.Davous, 01/02/2009 Unix Security Advanced Admin 11
12. RISKS AND STRATEGY Risks
Human – malicious but often from authorized users
Technical – hardware (physical access), software
This is up to sysadmin to decide what are they and right level of protection
Strategy
Security and comfort is a compromise
Have a security policy especially recovery procedure A.Davous, 01/02/2009 Unix Security Advanced Admin 12
13. HOW TO DO In-depth (passive) protection
(Physical – premises access)
Network filtering
Passwords
Encryption
Backup
(Active) security process
Monitor and add corrections
Full audit
Upgrade
A.Davous, 01/02/2009 Unix Security Advanced Admin 13
14. SECURED DESIGN Open design or secret design debate(hidden flaws, issues discovered by community, provocation to exploits)
Common breaches
Least user access (chroot as solution)
Buffer overflow
Printf function (insert conversion keys into string)
Web programming (URL forging)
Transactions, client/server (man-in-the middle, encryption, hashing as solutions) A.Davous, 01/02/2009 Unix Security Advanced Admin 14
15. SOME TABLE LAWS… If someone can execute something on your computer or if someone can modify your OS, or if someone can physically access to your computer, it will not belong to you anymore
As well, if someone can execute something on your web site, it will not belong to you anymore
Weak passwords leads to security breach
System is as secured as sysadmin wants
Encrypted data are as secured as the used key to encrypt
An anti-virus not updated is as useful as no anti-virus
Anonymity is not useful but confidentiality is
Technology is not be-all
Security measures works well when they are simple to use for sysadmin and transparent to users A.Davous, 01/02/2009 Unix Security Advanced Admin 15
16. REMINDER : PROCESSES Processes have four identities : real (for accounting) and effective (for access permissions) UID and GID ; usually the same except with setuid or setgid bit set
Command ps
Kinds of processes
Interactive – controlled with &, ^Z, jobs
Batch
Daemons A.Davous, 01/02/2009 Unix Security Advanced Admin 16
17. DAEMONS, SERVERS, SERVICES Daemon, server, service concepts
Daemon : programs not part of kernel ; process that performs a specific function or system-related task
Start at boot time or on demand
Specific system daemons
init primordial process
cron that schedule commands
inetd that manages some of them
A.Davous, 01/02/2009 Unix Security Advanced Admin 17
18. WELL KNOWN DAEMONS A.Davous, 01/02/2009 Unix Security Advanced Admin 18
19. init DAEMON First process to run after system boot
Always have PID 1 and is ancestor of all other processes
After startup, init consults /etc/inittab (or for BSD /etc/ttys) to determine on which physical ports it should expect users to log in (getty processes – even tough large use of network daemons today, or xdm for graphical interface)
Also take care of zombie processes (not running but listed)
Init defines run levels (passed as argument to it from boot loader) : 0 to 6 and s (single-user)
Additional layer is given with startup scripts in /etc/init.d, linked to startup and stop scripts in /etc/rcX.d A.Davous, 01/02/2009 Unix Security Advanced Admin 19
20. REMINDER : BOOTING – SHUTTING DOWN A.Davous, 17/09/2008 Solaris vs. Linux 20
21. OTHER CONCEPTS Command dmesg
Core dump : ulimit –c
Path : - try not modify root profile PATH variable- do not set empty or ‘.’ in PATH variable- in scripts (and configurations like cron), always use full path for commands (as variables at beginning)
Disk quotas may be use to isolate an application (vs. original purpose)
vi and other editors dump files feature
History of shell commands
who –r
cp -p A.Davous, 01/02/2009 Unix Security Advanced Admin 21
22. PASSWORD CRACK TOOLS Usage of these tools are illegal on computers where you have not been explicitly authorized to do it.
But it is recommended to test your own password files – anyhow, crackers will do it with them.
Crack
Locations: /usr/share/crack ; /usr/libexec/crack ; /usr/bin
Quick-start commands:# umask 077# ~/scripts/shadmrg.sv /etc/passwd /etc/shadow > /root/unshadp# Crack –nice 5 /root/unshadp# CrackReporter
Results in ~/run directory
John the Ripper
Locations: /usr/share/john ; /usr/libexec/john
Quick start commands:# umask 077# unshadow /etc/passwd /etc/shadow > /root/unshadp# john [--rules --wordfile=FILE] /root/unshadp
Results in ~/john.pot A.Davous, 01/02/2009 Unix Security Advanced Admin 22
23. ROOT PASSWORD RECOVERY To show importance of physical access
Grub bootloader must have timeout (/boot/grub/menu.lst) – suppress it (0) or set a password to bootloader
Simplest procedure using single user mode – case of Fedora 10
When Grub screen, edit current boot line (e)
Edit kernel line (e) by adding ‘single’ at end (single user mode)
Save and boot (b)
Command passwd can be entered with root privileges to reset root password
A.Davous, 17/09/2008 Solaris vs. Linux 23
24. Sun xVM VirtualBox - 1 VirtualBox release 2.1.2 found at www.virtualbox.org (accept installation of USB and network drivers)Host and guest concepts, see manualGuest additions concept
Fedora 10 found at fedoraproject.org/en/get-fedora (F10-i686-Live.iso, 32 bits although 64 supported by xVM, English edition, installable Live CD)
A.Davous, 01/02/2009 Unix Security Advanced Admin 24
25. Sun xVM VirtualBox - 2 Installation procedure (example is Fedora)New machine ; choose OS, select memory size (2 GB but less than host !), add virtual disk (fixed, 10 GB).Mount OS ISO local file as CD/DVD-ROMStart !... (ignore both messages – no additions installed yet)When started, use Install on hard disk icon. Select French keyboard.Shut down, unmount CD/DVD and restart.Upgrade system and application packages (Yum).Install dkms package (Dynamic Kernel Module Support Framework).Install GNU make, gcc packages.Mount Guest Additions ISO with Devices, Install Guest Additions xVM menu.Run Sun’s script (cd /media/VBOXADDITIONS_2.1.2_41885/ ; sh ./VBoxLinuxAdditions-x86.run)Restart. A.Davous, 01/02/2009 Unix Security Advanced Admin 25
26. Sun xVM VirtualBox - 3 Installation procedure particularities for Debian 4Installation of small image via Internet.Disk partitioning without LVM, one root partition.Desktop and system packages.Synaptic Package Manager used for package installation : make, gcc and kernel headers (linux-headers-2.6.18-6 and linux-headers-2.6.18-6-686 ; check release with command uname –a). A.Davous, 01/02/2009 Unix Security Advanced Admin 26
27. REMOTE ACCESS TO SYSTEM Xming XLaunch utility
But otherwise, X specific, “exporting display” :Run your X server on PC (nothing required if PuTTY used because X protocol is SSH’d encapsulated - port 22 ; otherwise, ports XDMCP 177 and 6000 should be opened)Then, on client : setenv DISPLAY server:0.0echo $DISPLAY
Putty A.Davous, 01/02/2009 Unix Security Advanced Admin 27
28. USEFUL LINKS A.Davous, 01/02/2009 28 Unix Security Advanced Admin 16:5016:50
29. WORTH READING A.Davous, 01/02/2009 Unix Security Advanced Admin 29 16:5516:55
30. WINDOWS TOOLS USED DURING THIS SESSION A.Davous, 01/02/2009 Unix Security Advanced Admin 30 17:0017:00