1 / 26

Securing Computer Systems: OS Security Features, Boot Time Security, and System Logs

Learn about OS security features, bypassing OS security, boot time security, BIOS security, and system logs. Understand authentication, access control, auditing, encryption, isolation, and patching.

jrachel
Download Presentation

Securing Computer Systems: OS Security Features, Boot Time Security, and System Logs

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CIT 480: Securing Computer Systems Operating System Security CIT 480: Securing Computer Systems

  2. Topics • OS Security Features • Bypassing OS Security • Boot time security • BIOS security • System Logs CIT 480: Securing Computer Systems

  3. OS Security Features • Authentication • Access Control • Auditing (Logging) • Encryption (Filesystems) • Isolation (VM) • Patching (Updates) CIT 480: Securing Computer Systems

  4. The Boot Sequence The action of loading an operating system into memory from a powered-off state is known as booting or bootstrapping. When a computer is turned on, it first executes code stored in a firmware component known as the BIOS (basic input/output system). On modern systems, the BIOS loads into memory the second-stage boot loader, which handles loading the rest of the operating system into memory and then passes control of execution to the operating system.

  5. Boot Process Detail CIT 480: Securing Computer Systems

  6. BIOS CIT 480: Securing Computer Systems

  7. Reconfiguring Boot Media Attacker boots with their OS that ignores your ACLs CIT 480: Securing Computer Systems

  8. BIOS Passwords CIT 480: Securing Computer Systems

  9. Removing the BIOS Password CIT 480: Securing Computer Systems

  10. Protecting the BIOS Password CIT 480: Securing Computer Systems

  11. Bootloader CIT 480: Securing Computer Systems

  12. Reconfiguring the Bootloader CIT 480: Securing Computer Systems

  13. Single User Mode CIT 480: Securing Computer Systems

  14. Single User Mode Password CIT 480: Securing Computer Systems

  15. Changing init CIT 480: Securing Computer Systems

  16. GRUB Password CIT 480: Securing Computer Systems

  17. Hibernation Modern machines have the ability to go into a powered-off state known as hibernation. While going into hibernation, the OS stores the contents of machine’s memory into a hibernation file (such as hiberfil.sys) on disk so the computer can be quickly restored later. 1. User closes a laptop computer, putting it into hibernation. 2. Attacker copies the hiberfil.sys file to discover any unencrypted passwords that were stored in memory when the computer was put into hibernation.

  18. Cold Memory Attack CIT 480: Securing Computer Systems

  19. Startup Processes: Windows CIT 480: Securing Computer Systems

  20. Startup Services: Linux CIT 480: Securing Computer Systems

  21. System Logs Logs record status and error conditions. Where do log messages come from? • Kernel • Accounting system • System services Logging methods: • Service records own logs (apache, cron). • Service uses system service to manage logs. CIT 480: Securing Computer Systems

  22. Windows Event Log CIT 480: Securing Computer Systems

  23. Finding UNIX Logs Most logs are stored under • /var/log • /var/adm Check syslog's configuration • /etc/syslog.conf To find other logs, read startup scripts • /etc/init.d/* • and manuals for services started by scripts. CIT 480: Securing Computer Systems

  24. Finding Logs CIT 480: Securing Computer Systems

  25. Example Syslog Messages Feb 11 10:17:01 localhost /USR/SBIN/CRON[1971]: (root) CMD ( run-parts --report /etc/cron.hourly) Feb 11 10:37:22 localhost -- MARK -- Feb 11 10:51:11 localhost dhclient: DHCPREQUEST on eth1 to 192.168.1.1 port 67 Feb 11 10:51:11 localhost dhclient: DHCPACK from 10.42.1.1 Feb 11 10:51:11 localhost dhclient: bound to 10.42.1.55 -- renewal in 35330 seconds. Feb 11 14:37:22 localhost -- MARK -- Feb 11 14:44:21 localhost mysqld[7340]: 060211 14:44:21 /usr/sbin/mysqld: Normal shutdown Feb 12 04:46:42 localhost sshd[29093]: Address 218.38.30.101 maps to ns.thundernet.co.kr, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT! Feb 12 04:46:44 localhost sshd[29097]: Invalid user matt from ::ffff:218.38.30.101 CIT 480: Securing Computer Systems

  26. References • Anderson, Security Engineering 2nd Edition, Wiley, 2008. • Goodrich and Tammasia, Introduction to Computer Security, Pearson, 2011. CIT 480: Securing Computer Systems

More Related