220 likes | 559 Views
OS Hardening. Justin Whitehead Francisco Robles. OS Hardening. Installing kernel/software patches and configuring a system in order to prevent attackers from exploiting and attacking your system. . Motivations. Why? Add security features not present in default installs
E N D
OS Hardening Justin WhiteheadFrancisco Robles
OS Hardening • Installing kernel/software patches and configuring a system in order to prevent attackers from exploiting and attacking your system. ECE 4112 - Internetwork Security
Motivations • Why? • Add security features not present in default installs • Vendors leave default installs open for more customizability • Kernel & System level patches – work for known and unknown bugs • Bugs/Exploits in software ECE 4112 - Internetwork Security
How • Patches • Apply security patches to Linux kernel • Apply bug patches to software • Security tools • Extra system logs and auditing • System rules and policies • Restrict user privileges • Disabling unnecessary processes ECE 4112 - Internetwork Security
The Best in Hardening… • GRsecurity • Kernel patch • Features • Non-Executable Stack • Change root (chroot) hardening • /tmp race prevention • Extensive auditing • Additional randomness in the TCP/IP stack • /proc restrictions ECE 4112 - Internetwork Security
Hardening Utilities • Bastille Linux www.bastille-linux.org • Automated security program, Security wizard • SUID restrictions • SecureInetd • DoS attack detection and prevention • Automated firewall scripting • User privileges • Education ECE 4112 - Internetwork Security
Common Issues and Exploits • Stack-based attacks • /proc • /tmp • SUID • TCP Sequence Numbers ECE 4112 - Internetwork Security
/proc • /proc is a pseudo file system used for the kernel-level modules to send and retrieve information to and from processes • Some files changeable, but primarily read-only but still allows users to gather information on specific processes. ECE 4112 - Internetwork Security
/proc Solutions • grsecurity • /proc rights restrictions that don't leak information about process owners • Option to hide kernel processes • /proc filedescriptor/memory protection ECE 4112 - Internetwork Security
/tmp exploits • /tmp directory is used by many programs to create and access files. • Do not need permissions to create files • Programs using /tmp must be carefully written in order to avoid exploits ECE 4112 - Internetwork Security
/tmp exploits • Race Condition • Replacing a file during the time a program accesses it and opens it. • Allows attacker to manipulate program with their own data, “winning the race” • Performing a race attack on a symlink can allow an attacker to create a file somewhere else on the system • Attackers can also gain root access ECE 4112 - Internetwork Security
/tmp Solutions • GRsecurity • Places restrictions on hardlinks/symlinks • Bastille • Each process using /tmp gets its own safe /tmp directory ECE 4112 - Internetwork Security
SUID Exploits • SUID • Set-User ID – allows processes to be executed with the permissions of its owner, not the user running it • Example: passwd • SUID programs can be exploited to gain root access • Bad inputs • Buffer overflows ECE 4112 - Internetwork Security
SUID solutions • Bastille • Disables many SUID programs it believes users should not run anyways • mount, umount? • Up to admin ECE 4112 - Internetwork Security
TCP/IP Stack randomization • Initial sequence numbers can be guessed or discovered by attackers • Allows session hijacking • IP spoofing • Security patches attempt to add more randomization to initial sequence numbers • grsecurity ECE 4112 - Internetwork Security
What you will be doing • Base RH 8.0 Install • Run a series of exploits and collect TCP traffic data • Applying patch to kernel, recompiling kernel • Configuring system with Bastille Linux ECE 4112 - Internetwork Security
Before and After • Port scan • TCP data capture • Running a stack exploit • Running /tmp and SUID exploits • Comparing User Privileges • SUID programs • Access to gcc • /proc ECE 4112 - Internetwork Security
Base Install • RH 8.0 • Telnet, FTP, and other insecure inetd services running • No firewall • No RH updates • Minimum security settings ECE 4112 - Internetwork Security
GR Security Patch • Apply patch to kernel, rebuild kernel • Perform stack exploit • Perform port scan • Record differences in /proc • Perform /tmp exploit • Compare results to base install ECE 4112 - Internetwork Security
Bastille-Linux • Install and run • Configure SecureInetd daemon • Disable problematic daemons and SUID programs • Configure firewall • Enable /tmp security • Repeat previous tests ECE 4112 - Internetwork Security