
OS Hardening

OS Hardening. Justin Whitehead, Francisco Robles. OS Hardening: installing kernel/software patches and configuring a system in order to prevent attackers from exploiting and attacking your system. Motivations: why? Add security features not present in default installs.





Presentation Transcript


  1. OS Hardening
  Justin Whitehead, Francisco Robles

  2. OS Hardening
  • Installing kernel/software patches and configuring a system in order to prevent attackers from exploiting and attacking your system.
  ECE 4112 - Internetwork Security

  3. Motivations
  • Why?
  • Add security features not present in default installs
  • Vendors leave default installs open for more customizability
  • Kernel & system-level patches – work for known and unknown bugs
  • Bugs/exploits in software

  4. How
  • Patches
    • Apply security patches to the Linux kernel
    • Apply bug patches to software
  • Security tools
  • Extra system logs and auditing
  • System rules and policies
  • Restrict user privileges
  • Disable unnecessary processes

  5. The Best in Hardening…
  • grsecurity
    • Kernel patch
    • Features
      • Non-executable stack
      • Change root (chroot) hardening
      • /tmp race prevention
      • Extensive auditing
      • Additional randomness in the TCP/IP stack
      • /proc restrictions

  6. Hardening Utilities
  • Bastille Linux (www.bastille-linux.org)
    • Automated security program, security wizard
    • SUID restrictions
    • SecureInetd
    • DoS attack detection and prevention
    • Automated firewall scripting
    • User privileges
    • Education

  7. Common Issues and Exploits
  • Stack-based attacks
  • /proc
  • /tmp
  • SUID
  • TCP sequence numbers

  8. /proc
  • /proc is a pseudo file system through which kernel-level modules send information to, and retrieve information from, processes.
  • Some entries are writable, but most are read-only; even so, they let users gather information on specific processes.

  9. /proc Solutions
  • grsecurity
    • /proc rights restrictions that don't leak information about process owners
    • Option to hide kernel processes
    • /proc file descriptor/memory protection
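Added example (shell), not from the slides or from grsecurity: the mainline Linux counterpart of the /proc restriction above is the hidepid mount option (hidepid=2 makes other users' /proc/<pid> directories invisible, hidepid=1 leaves them visible but blocks reading their contents). The functions below check which level a system is running at by reading a /proc/mounts-format file, so a before/after comparison can record it. The function names, the constructed sample mount lines, and the numeric-only mapping (newer kernels also accept the words noaccess, invisible and ptraceable, which are not mapped here) are assumptions of this example.

```shell
#!/bin/sh
# Added example; not code from the slides, grsecurity or Bastille.
# Assumption: the input has /proc/mounts format:
#   <device> <mountpoint> <fstype> <options> <dump> <pass>

# proc_hidepid_level MOUNTS_FILE
#   Prints the value after "hidepid=" on the first proc mount line, or 0 when
#   the option is absent. Returns non-zero if no proc mount is listed.
proc_hidepid_level() {
    awk '$3 == "proc" {
            level = 0
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] ~ /^hidepid=/) {
                    sub(/^hidepid=/, "", opts[i])
                    level = opts[i]
                }
            print level
            found = 1
            exit
        }
        END { if (!found) exit 1 }' "$1"
}

# proc_audit MOUNTS_FILE
#   Prints "restricted" (hidepid=2), "partial" (hidepid=1) or "unrestricted".
proc_audit() {
    level=$(proc_hidepid_level "$1") || { echo "no proc mount found" >&2; return 1; }
    case $level in
        2) echo restricted ;;
        1) echo partial ;;
        *) echo unrestricted ;;
    esac
}

# Convenience: report the live system when /proc/mounts is readable.
[ -r /proc/mounts ] && proc_audit /proc/mounts
```

Running proc_audit on the base install and again after hardening records the /proc difference the lab asks for in one word per run; "unrestricted" on a multi-user box means any local user can enumerate every process and its command line.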

  10. /tmp exploits
  • The /tmp directory is used by many programs to create and access files.
  • No special permissions are needed to create files there.
  • Programs using /tmp must be carefully written in order to avoid exploits.

  11. /tmp exploits
  • Race condition
    • Replacing a file between the time a program checks it and the time it opens it.
    • Allows an attacker to feed the program their own data by “winning the race”.
    • A race attack on a symlink can let an attacker create a file somewhere else on the system.
    • Attackers can also gain root access.

  12. /tmp Solutions
  • grsecurity
    • Places restrictions on hardlinks/symlinks
  • Bastille
    • Each process using /tmp gets its own safe /tmp directory
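Added example (shell), not code from the slides, grsecurity or Bastille: what "carefully written" means for a script that uses /tmp. A predictable name such as /tmp/app.$$ can be pre-created or symlinked by another local user between the moment the script checks it and the moment it writes, which is the race described on slide 11. mktemp(1) creates the file atomically with an unpredictable name and mode 0600, so there is no window to win; the function then verifies what came back before trusting it. The function names and the assumption of a POSIX mktemp(1) and ls(1) are this example's own.

```shell
#!/bin/sh
# Added example; not from the slides or any tool they name.

# safe_tmpfile [DIR]
#   Creates a private scratch file under DIR (default $TMPDIR or /tmp) and
#   prints its path. Fails if the result is not a fresh regular file with
#   mode 0600, which is what a /tmp race would arrange for a predictable name.
safe_tmpfile() {
    dir=${1:-${TMPDIR:-/tmp}}
    f=$(mktemp "$dir/hardening.XXXXXX") || return 1
    if [ -L "$f" ] || [ ! -f "$f" ] || [ "$(file_mode "$f")" != "-rw-------" ]; then
        rm -f "$f"
        return 1
    fi
    printf '%s\n' "$f"
}

# file_mode PATH
#   Prints the ten-character type/permission string, e.g. -rw-------.
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# demo_scratch
#   Usage pattern: create the file, use it, remove it; prints the byte count
#   read back (13 for the constructed line below).
demo_scratch() {
    t=$(safe_tmpfile) || return 1
    printf 'scratch data\n' > "$t"
    n=$(wc -c < "$t" | tr -d ' ')
    rm -f "$t"
    echo "$n"
}

demo_scratch
```

Bastille's per-process /tmp directory and grsecurity's symlink restrictions reduce what an attacker can do with a badly written program; mktemp-style creation removes the race from the program itself, and the two layers complement each other.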

  13. SUID Exploits
  • SUID
    • Set-User ID – allows a program to execute with the permissions of its owner, not of the user running it
    • Example: passwd
  • SUID programs can be exploited to gain root access
    • Bad inputs
    • Buffer overflows

  14. SUID Solutions
  • Bastille
    • Disables many SUID programs it believes users should not run anyway
    • mount, umount?
    • Up to the admin
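Added example (shell), not from the slides or from Bastille: the inventory an admin needs for the "up to the admin" decision on slide 14 and for the before/after SUID comparison on slide 17. It lists every setuid or setgid file under a root directory and reports the ones not on an explicit allowlist, so the list of bits to remove is a deliberate choice rather than Bastille's default. The function names, the allowlist format (one basename per line) and the constructed directory tree are assumptions of this example; on a real host the root would be /.

```shell
#!/bin/sh
# Added example; not code from the slides or Bastille.
# Assumption: POSIX find(1) with -perm; allowlist is one basename per line.

# list_privileged ROOT
#   Prints every regular file under ROOT with the setuid (4000) or setgid
#   (2000) bit set, one path per line, sorted.
list_privileged() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# unexpected_privileged ROOT ALLOWLIST_FILE
#   Prints the privileged files whose basename is not in ALLOWLIST_FILE.
unexpected_privileged() {
    list_privileged "$1" | while IFS= read -r path; do
        name=${path##*/}
        if ! grep -qxF -e "$name" "$2"; then
            printf '%s\n' "$path"
        fi
    done
}

# Constructed sample tree standing in for a real filesystem scan.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/usr/bin" "$demo_root/usr/local/bin"
: > "$demo_root/usr/bin/passwd";       chmod 4755 "$demo_root/usr/bin/passwd"
: > "$demo_root/usr/bin/mount";        chmod 4755 "$demo_root/usr/bin/mount"
: > "$demo_root/usr/local/bin/helper"; chmod 2755 "$demo_root/usr/local/bin/helper"
: > "$demo_root/usr/bin/ls";           chmod 0755 "$demo_root/usr/bin/ls"
printf 'passwd\n' > "$demo_root/allow.txt"
echo "Privileged binaries not on the allowlist:"
unexpected_privileged "$demo_root" "$demo_root/allow.txt"
rm -rf "$demo_root"
```

Running list_privileged on the base install and saving the output gives the "before" list; the diff against the post-Bastille run shows exactly which bits were stripped, and anything that later reappears in the unexpected list is worth an incident ticket.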

  15. TCP/IP Stack Randomization
  • Initial sequence numbers can be guessed or discovered by attackers
    • Allows session hijacking
    • IP spoofing
  • Security patches attempt to add more randomization to initial sequence numbers
    • grsecurity

  16. What You Will Be Doing
  • Base RH 8.0 install
  • Run a series of exploits and collect TCP traffic data
  • Apply the patch to the kernel and recompile the kernel
  • Configure the system with Bastille Linux

  17. Before and After
  • Port scan
  • TCP data capture
  • Running a stack exploit
  • Running /tmp and SUID exploits
  • Comparing user privileges
    • SUID programs
    • Access to gcc
    • /proc
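Added example (shell), not from the slides or from grsecurity: a first-pass check on the initial sequence numbers from the TCP data capture, serving both the ISN discussion on slide 15 and the before/after capture on slide 17. It assumes the ISNs have already been extracted to a file as one decimal number per line in capture order, computes the deltas between consecutive ISNs modulo 2^32, and flags the textbook predictable generator (a fixed increment per connection). The function names and the sample values are constructed for this example; equal deltas prove predictability, but unequal deltas do not prove randomness, so a real assessment needs a larger sample and a statistical test.

```shell
#!/bin/sh
# Added example; not code from the slides or any tool they name.
# Assumption: ISN_FILE holds one decimal 32-bit ISN per line, capture order.

# isn_delta_stats ISN_FILE
#   Prints "<samples> <distinct_deltas> <min_delta>" over consecutive pairs,
#   with deltas taken modulo 2^32 so a wrap-around is not counted as negative.
isn_delta_stats() {
    awk 'NR > 1 {
            d = $1 - prev
            if (d < 0) d += 4294967296
            seen[d] = 1
            if (NR == 2 || d < min) min = d
        }
        { prev = $1 }
        END { n = 0; for (k in seen) n++; print NR, n, min + 0 }' "$1"
}

# isn_verdict ISN_FILE
#   Prints "predictable" when three or more samples all share one delta
#   (a fixed-increment generator, the classic session hijacking enabler),
#   otherwise "ok".
isn_verdict() {
    set -- $(isn_delta_stats "$1")
    if [ "$1" -gt 2 ] && [ "$2" -eq 1 ]; then
        echo predictable
    else
        echo ok
    fi
}

# Constructed samples: a fixed-increment generator and a random-looking one.
sample=$(mktemp -d)
printf '%s\n' 1000 65000 129000 193000 257000 > "$sample/fixed"
printf '%s\n' 3267898921 77894120 2938391857 1599347512 > "$sample/rand"
echo "fixed-increment capture: $(isn_verdict "$sample/fixed")"
echo "random-looking capture:  $(isn_verdict "$sample/rand")"
rm -rf "$sample"
```

Comparing the distinct-delta count and the minimum delta before and after the grsecurity patch gives a number to put next to the port scan results; a minimum delta that is tiny or constant on the base install and large and varied afterwards is the change the patch is meant to produce.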

  18. Base Install
  • RH 8.0
  • Telnet, FTP, and other insecure inetd services running
  • No firewall
  • No RH updates
  • Minimum security settings

  19. grsecurity Patch
  • Apply patch to kernel, rebuild kernel
  • Perform stack exploit
  • Perform port scan
  • Record differences in /proc
  • Perform /tmp exploit
  • Compare results to base install

  20. Bastille-Linux
  • Install and run
  • Configure SecureInetd daemon
  • Disable problematic daemons and SUID programs
  • Configure firewall
  • Enable /tmp security
  • Repeat previous tests
