1 / 39

Securing/Hardening UNIX

Securing/Hardening UNIX. Section 7. Hardening Solaris. Session objective: This section is to show what and how to harden a Unix Platform - with a strong emphasis on what a hacker will do to you if you forget What is hardening?

raine
Download Presentation

Securing/Hardening UNIX

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Securing/Hardening UNIX Section 7

  2. Hardening Solaris • Session objective: This section is to show what and how to harden a Unix Platform - with a strong emphasis on what a hacker will do to you if you forget • What is hardening? Making secure by improving file permissions, removing unnecessary services and patching the system

  3. Recap on Unix Security Authorisation is by User and Group User / uid obtained at login from /etc/passwd Password stored in /etc/shadow Group / Gid is stored in /etc/group AIX - /etc/security/user - /etc/security/passwd  HPUX -/tcb/auth*

  4. /etc/passwd # more passwd root:x:0:1:Super-User:/:/sbin/sh daemon:x:1:1::/: bin:x:2:2::/usr/bin: sys:x:3:3::/: adm:x:4:4:Admin:/var/adm: lp:x:71:8:Line Printer Admin:/usr/spool/lp: smtp:x:0:0:Mail Daemon User:/: uucp:x:5:5:uucp Admin:/usr/lib/uucp: nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico listen:x:37:4:Network Admin:/usr/net/nls: nobody:x:60001:60001:Nobody:/: noaccess:x:60002:60002:No Access User:/: nobody4:x:65534:65534:SunOS 4.x Nobody:/: www:x:2000:200:WWW User:/export/home/www:/bin/sh

  5. /etc/group $ cat group root::0:root other::1: bin::2:root,bin,daemon sys::3:root,bin,sys,adm adm::4:root,adm,daemon uucp::5:root,uucp mail::6:root tty::7:root,tty,adm lp::8:root,lp,adm nuucp::9:root,nuucp staff::10: daemon::12:root,daemon sysadmin::14: nobody::60001: noaccess::60002: nogroup::65534: www::200:root

  6. /etc/shadow $ # cat shadow root:JipOt8gyLGBHw:10569:::::: daemon:NP:6445:::::: bin:NP:6445:::::: sys:NP:6445:::::: adm:NP:6445:::::: lp:NP:6445:::::: smtp:NP:6445:::::: uucp:NP:6445:::::: nuucp:NP:6445:::::: listen:*LK*::::::: nobody:NP:6445:::::: noaccess:NP:6445:::::: nobody4:NP:6445::::::

  7. File permissions • rwx-rwx-rwx • Owner-group-everyone else

  8. Outline • Patching • Service removal • Security settings • Default permissions • File permissions • ASET • Tripwire • Commercial Applications

  9. Patching Why? – to remove security bugs Two tools built in to manage patches: • patchadd to install directory format patches to a Solaris system • patchrm to remove patches on a solaris system

  10. Patching Some useful commands to manage patches: • ‘showrev –p’ shows all patches applied to the system • ‘pkgparam pkgid PATCHLIST’ shows all patches applied to the package identified by pkgid • ‘pkgparam pkgid PATCH_INFO_patch-number’ shows the installation date and name of host • ‘patchadd –p’ shows all patches applied to a system  AIX – installp or smit

  11. Patching ‘showrev –p’ # showrev Hostname: Bankx Hostid: 8388c2d53 Release: 5.8 Kernel architecture: sun4u Application architecture: sparc Hardware provider: Sun_Microsystems Domain: uk.bank.com Kernel version: SunOS 5.8 Generic 108528-09 June 2001

  12. Service removal - Inetd Inetd – the super listener • Configuring this IS the NO. 1 major hardening task • Controlled by /etc/inetd.conf • How it can be used to hide network access once a machine is compromised or escalate access to root if writable. To modify • # cp inetd.conf inetd.conf.old • # vi inetd.conf • Comment out services not needed & save • # ps –ef | grep inetd then note the process id • #/sbin/kill –HUP “process id from above”

  13. Service removal - Inetd Inetd.conf – before hardening (page 1) $more inetd.conf # # Syntax for TLI-based Internet services: # # <service_name> tli <proto> <flags> <user> <server_pathname> <args> # # Ftp and telnet are standard Internet services. # ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd # #

  14. Service removal - Inetd Inetd.conf – before hardening (page 2) Shell, login, exec, comsat and talk are BSD protocols. # shell stream tcp nowait root /usr/sbin/in.rshd in.rshd login stream tcp nowait root /usr/sbin/in.rlogind in.rlogind exec stream tcp nowait root /usr/sbin/in.rexecd in.rexecd comsat dgram udp wait root /usr/sbin/in.comsat in.comsat talk dgram udp wait root /usr/sbin/in.talkd in.talkd # # Must run as root (to read /etc/shadow); "-n" turns off logging in utmp/wtmp. # uucp stream tcp nowait root /usr/sbin/in.uucpd in.uucpd # Tftp service is provided primarily for booting. tftp dgram udp wait root /usr/sbin/in.tftpd in.tftpd # tftp dgram udp wait root /usr/sbin/in.tftpd in.tftpd -s /tftpboot # Finger, systat and netstat give out user information which may be --More--

  15. Service removal - Inetd Inetd.conf – before hardening (page 3) finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd echo stream tcp nowait root internal daytime stream tcp nowait root internal daytime dgram udp wait root internal chargen stream tcp nowait root internal # RPC services syntax: # <rpc_prog>/<vers> <endpoint-type> rpc/<proto> <flags> <user> \ # <pathname> <args> # Solstice system and network administration class agent server 100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind rquotad/1 tli rpc/datagram_v wait root /usr/lib/nfs/rquotad rquotad # The rusers service gives out user information. Sites concerned # with security may choose to disable it. rusersd/2-3 tli rpc/datagram_v,circuit_v wait root /usr/lib/netsv c/rusers/rpc.rusersd rpc.rusersd

  16. Service removal - Inetd Inetd.conf – after hardening $more inetd.conf # # Syntax for TLI-based Internet services: # # <service_name> tli <proto> <flags> <user> <server_pathname> <args> echo stream tcp nowait root internal # Some sites harden the configuration still further with a tcp wrapper

  17. Service removal - NFS NFS – the Network File System daemons • Configuring this IS the NO2 major hardening task • Controlled by /etc/dfs/dfstab which controls what is exported(I.e shared in Bill-Gates-Speak) • If not needed, all daemons should be not started rc3.d/s15nfs.server To modify a share to limit access to certain machines • # vi /etc/dfs/dfstab • Change share statement from share -F nfs -d “apps" /apps TO share -F nfs -o rw=192.9.200.1 -d “apps" /apps

  18. Service removal – NFS  AIX – /etc/exports  HPUX – /etc/exports

  19. Service removal – NFS (2) Identify the Network File System daemons # ps –ef then note the processes UID PID PPID C STIME TTY TIME CMD root 108 1 0 Dec 22 ? 0:00 /usr/sbin/rpcbind root 21787 21784 0 10:03:51 pts/1 0:00 ps -ef root 110 1 0 Dec 22 ? 0:00 /usr/sbin/keyserv root 146 1 0 Dec 22 ? 0:00 /usr/lib/nfs/lockd < root 144 1 0 Dec 22 ? 0:00 /usr/lib/nfs/statd < root 161 1 0 Dec 22 ? 0:08 /usr/lib/autofs/automountd root 199 1 0 Dec 22 ? 0:00 /usr/lib/lpsched root 269 1 0 Dec 22 ? 0:04 /usr/lib/snmp/snmpdx -y -c /etc/snmp/conf root 296 269 0 Dec 22 ? 0:00 mibiisa -p 32790 root 284 1 0 Dec 22 ? 0:00 /usr/lib/dmi/snmpXdmid -s avon root 294 291 0 Dec 22 ? 0:03 /usr/lib/saf/ttymon root 288 1 0 Dec 22 ? 0:00 /usr/dt/bin/dtlogin -daemon root 13496 1 0 Jan 15 ? 0:13 /usr/lib/sendmail -bd -q15m root 17075 1 0 Jan 19 ? 0:34 /usr/sbin/in.named $ Also remove - nfsd mountd biod

  20. Service removal Generally, you should not start unnecessary daemons These may include: • Snmp = /usr/lib/snmp/snmpdx & mibiisa • RPC = /usr/sbin/rpcbind Rpcinfo –p Netstat –an  AIX – portmap

  21. Service removal • Ipsched • Routed • vold

  22. Security settings Security settings: • /etc/passwd – check permissions, ensure integrity and locked accounts have a shell of /bin/false • /etc/shadow & group – check permissions and ensure integrity • /etc/default/login – restrict root access to console by: • CONSOLE=/dev/console • PASSREQ=YES • AIX – /etc/security/user or /etc/security/login • HPUX - /etc/securetty • /etc/default/inetinit - TCP initial sequence • TCP_STRONG_ISS=2

  23. Security settings Solaris - Ip stack settings $ ndd -get /dev/ip ip_forward_directed_broadcasts 0 # ndd -get /dev/ip ip_forward_src_routed 0 # ndd -get /dev/ip ip_ignore_redirect 1 # ndd -get /dev/ip ip_respond_to_address_mask_broadcast 0 # ndd -get /dev/ip ip_respond_to_echo_broadcast 0 # ndd -get /dev/ip ip_respond_to_timestamp 0 # ndd -get /dev/ip ip_send_redirects 0 # ndd -get /dev/tcp tcp_rev_src_routes 0

  24. Security settings AIX - Ip stack settings $ no –o ipforwarding $ no –o ipsendredirects $ no –o nonlocsrcroute $ no –o subnetsarelocal

  25. Default permissions – keeping files tight • The umask determines the default file permission for new files created • Normally set in /etc/default/login /etc/profile • 3 digits such as 077 or 022 $ umask 022 $ > testfile $ls –l testfile -rwxr-xr-x 6 root sys 404 Jan 6 2000 testfile

  26. File permissions Important categories: • System start-up scripts • System configuration file • Home directories • Cron • /dev esp kmem or drum • /proc • All other files

  27. File permissions -System start-up scripts Unix start-up sequence: • System boots and loads kernel • System kernel forks to create init pid 1 • Init reads /etc/inittab and runs any programs specified • In Solaris/HPUX 10, it then runs the scripts /etc/rc[0-5].d/* • In AIX / HPUX 8-9 , it then runs the scripts (i.e. /etc/rc.tcpip ) as defined point 3 If a hacker can add a command into either /etc/rc[0-5].d/* or /etc/inittab, it will be able to update an file on the system

  28. File permissions - System configuration file A selection of key files and what a hacker might do them • /etc/hosts.equiv – add + + to the file • /etc/hosts – change the address of a host • /etc/pam.conf – change authentication (solaris only) • /etc/inetd.conf – add new service • /etc/profile – add “chmod 777 /etc/shadow” • /etc/nsswitch.conf – change name resolution/authentication • /etc/Resolv.conf – change name server (could effect trusted hosts) • /etc/passwd - change uid to 0 • /etc/shadow - change root password

  29. File permissions – home directories Important files to look at: • .rhosts • .profile • .kshrc .netrc • .login .logout • .exrc

  30. File permissions - general Things to look for • Suid files • Sgid files • World writeable files • World writeable directories

  31. File permissions • Umtp and umtpx world write permissions • Files with no user associated with it • Files with no group associated with it

  32. Radical hardening • remove root Suid bit if possible • remove gcc or cc • Mount file systems readonly • Large main memory – small swap

  33. ASET • Automated Security Enhancement Tool • Comes with all new sun operating systems • Low setting ensures that all system files are set to release values. Reports potential weaknesses but does not make any changes • Medium Setting makes some changes to security settings but do not affect system services • High setting makes more changes to security settings and security takes precedence to system behaviour

  34. ASET Task that ASET performs • Systems file verification check • System files check • User/Group check • System configuration files check • Environment check • eeprom check • Firewall setup

  35. ASET output £ aset –p high *** Begin Enviroment Check ***Warning! umask set to umask 022 in /etc/profile - not recommended.*** End Enviroment Check ***======= ASET Execution Log =======ASET running at security level highMachine = server; Current time = 0114_20:26aset: Using /usr/aset as working directoryExecuting task list ... firewall env sysconf usrgrp tune cklist eepromAll tasks executed. Some background tasks may still be running.Run /usr/aset/util/taskstat to check their status: /usr/aset/util/taskstat [aset_dir]where aset_dir is ASET's operating directory,currently=/usr/aset.When the tasks complete, the reports can be found in: /usr/aset/reports/latest/*.rpt

  36. ASET output II where aset_dir is ASET's operating directory,currently=/usr/aset.When the tasks complete, the reports can be found in: /usr/aset/reports/latest/*.rptYou can view them by: more /usr/aset/reports/latest/*.rpt*** Begin Firewall Task ***IP forwarding already disabled.IP forwarding already disabled in rc files.ROUTED daemon already configured to be opaque.*** End Firewall Task ****** Begin System Scripts Check ***cp: /usr/aset/archives/inetd.conf.arch.high: No space left on deviceCannot archive /etc/inetd.conf. Task skipped!Task firewall is done.Task env is done.Task sysconf is done.Task usrgrp is done.*** Begin Tune Task ***

  37. ASET output III *** Begin Tune Task ***... setting attributes on the system objects defined in /usr/aset/masters/tune.high*** Begin User And Group Checking ***Checking /etc/passwd ...Checking /etc/shadow ...Warning! Shadow file, line 1, no password: root::6445::::::... end user check.Checking /etc/group ...... end group check.*** End User And Group Checking ***

  38. Tripwire • Monitors file changes, verifies integrity and notifies of any violation on data at rest on network servers • Identifies attributes such as file size, access flags, write time, file permissions, file add, file delete, file modifications and etc • Supports Windows NT4, Win2K, Solaris 2.6,2.7 and 2.8, AIX 4.3, HP-UX 11.0 and 11i, FreeBSD 4.2 and 4.3 and some Linux flavours

  39. Commercial Applications • Axent ESM • CA Unicenter • Bindview

More Related