LINUX SECURITY

Dec 13, 2015

Horace Lane

Page 1

LINUX SECURITY

Page 2

Outline

Introduction

- UNIX file permission

- SUID / SGID

- File attributes

Page 3

Securing LINUX box

- Hidden files

- Tightening script files

Control mounting a file system

Page 4

Logging

- Syslogd

- Klogd

- Remote logging

- Shell logging

Page 5

UNIX file permissions

Each directory and file on the system has a set of permission flags which specify read, write, and execute permissions for the 'user', 'group', and 'other'.

'ls' with the -l option gives info on file permissions.

Page 6

Binary / Octal representation:

File permissions can be changed using octal notation.

Octal 744 = Binary 111 100 100 (user, group, other)

chmod command (the name is lower-case; commands are case sensitive)

E.g.: chmod 744 myfile

Page 7

SUID/SGID

A setuid program is a program which has its setuid bit set.

sgid = 2, suid = 4, both = 6 (octal value prepended to the standard permission set, e.g. 4755)

If the owner of the setuid program is root then the commands in the program are run with root privileges.

suid/sgid: is it a threat?
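
As an added example (not from the slides), the POSIX shell functions below convert the permission column of ls -l into the octal form chmod takes, including the setuid/setgid/sticky prefix digit described on this slide, and tag the cases the deck tells you to hunt for. The ls -l lines in the demo are constructed (sizes, dates and the non-mount paths are made up); /bin/mount is used only because the deck names it later.

```sh
#!/bin/sh
# Added example: ls -l permission string -> octal mode, plus risk tagging.

# rwx_value TRIPLET: value 0-7 of one rwx group (e.g. r-x -> 5).
# In the execute slot, lower-case s or t means the special bit AND execute
# are set; upper-case S or T means the special bit without execute.
rwx_value() {
    v=0
    case $1 in r??) v=$((v + 4)) ;; esac
    case $1 in ?w?) v=$((v + 2)) ;; esac
    case $1 in ??[xst]) v=$((v + 1)) ;; esac
    echo $v
}

# mode_to_octal MODE: MODE is the 9-character permission field (rwsr-xr-x)
# or the full 10-character ls -l field (-rwsr-xr-x). Prints the 4-digit
# octal mode chmod accepts (4755). Returns 1 on malformed input.
mode_to_octal() {
    m=$1
    case ${#m} in
        10) m=${m#?} ;;                       # drop the file-type character
        9)  ;;
        *)  printf 'bad mode string: %s\n' "$1" >&2; return 1 ;;
    esac
    u=${m%??????}                             # user triplet
    g=${m#???}; g=${g%???}                    # group triplet
    o=${m#??????}                             # other triplet
    special=0
    case $u in ??[sS]) special=$((special + 4)) ;; esac   # setuid
    case $g in ??[sS]) special=$((special + 2)) ;; esac   # setgid
    case $o in ??[tT]) special=$((special + 1)) ;; esac   # sticky
    printf '%s%s%s%s\n' "$special" "$(rwx_value "$u")" "$(rwx_value "$g")" "$(rwx_value "$o")"
}

# classify_ls_line LINE: for one line of ls -l output print
# "<octal> <path>" followed by any of: setuid-root, setuid, setgid, world-writable.
classify_ls_line() {
    read -r mode links owner group size mon day when path <<EOF
$1
EOF
    mode=${mode%[+.]}          # SELinux/ACL systems append '.' or '+' to the mode
    oct=$(mode_to_octal "$mode") || return 1
    tags=''
    case $oct in
        4???|6???) if [ "$owner" = root ]; then tags="$tags setuid-root"; else tags="$tags setuid"; fi ;;
    esac
    case $oct in 2???|6???) tags="$tags setgid" ;; esac
    case $mode in ????????w?) tags="$tags world-writable" ;; esac   # 'w' in the other triplet
    printf '%s %s%s\n' "$oct" "$path" "$tags"
}

# Demo on constructed ls -l lines (sizes, dates and the non-mount paths are made up).
if [ "${1:-}" = "--demo" ]; then
    classify_ls_line '-rwsr-xr-x 1 root  root  67816 Jan  1  2015 /bin/mount'
    classify_ls_line '-rwxr-sr-x 1 root  tty   15000 Jan  1  2015 /usr/bin/example_sgid'
    classify_ls_line '-rw-rw-rw- 1 alice users   120 Jan  1  2015 /home/alice/notes.txt'
fi
```

Run it with --demo, or feed it real output: `ls -l /bin/* | while read -r l; do classify_ls_line "$l"; done`. A setuid-root tag is what slide 7's question is about: every such file is code that runs as root on behalf of any user.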

Page 8

Locating SUID/SGID programs:

Find command: to find all files with the suid or sgid bits set:

# find / -type f \( -perm -4000 -o -perm -2000 \) -ls

To disable the suid bits on selected programs use the chmod command. Ex:

# chmod a-s /bin/mount

Removing the bit also removes the program's ability to do its privileged work for ordinary users (for mount, mounting the entries marked 'user' in /etc/fstab), so check who depends on each program before stripping it.

Page 9

File Attributes:

The Linux ext2 file system supports the following file attributes.

'A' - Don't update the access time

'S' - Synchronous updates

'a' - Append only

'c' - Compressed

Page 10

Contd

'i' - Immutable

'd' - No dump

's' - Secure deletion

'u' - Undeletable

chattr: Changes the file attributes. The format is chattr [+-=][ASacdisu] file

# chattr +a myfile

lsattr: Lists attributes for a file

# lsattr myfile

Page 11

Hidden Files:

Hidden files (names beginning with a dot) can be used to hide tools and password cracking programs. The first search below catches names beginning with two dots (such as "..."), which are chosen to blend in with the . and .. directory entries.

# find / -name "..*" -print

# find / -name ".*" -print

Page 12

World Writable files

Group and World writable files and directories can be a security hole.

Look for the files and directories that should not be group or world writable.

# find / -type f -perm /022 -ls

# find / -type d -perm /022 -ls

(-perm /022 matches if any of the group- or world-write bits is set; older GNU find spelled this -perm +022, which is now deprecated. Directories such as /tmp are world writable by design and carry the sticky bit; add ! -perm -1000 to leave them out.)

Page 13

Unowned files:

Files with no owner (or no group) are a potential threat. Sometimes we may uninstall a program and get unowned files; they also appear when an account is deleted while its files remain.

# find / -nouser -o -nogroup
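
The find commands of slides 8, 11, 12 and 13, with their syntax corrected, run here against a throwaway tree so the results can be checked without touching a real system. This is an added example, not part of the deck; every file name in it is constructed. It assumes GNU find (for -perm /MODE) and an unprivileged user, so the -nouser check has nothing to report.

```sh
#!/bin/sh
# Added example: exercise the deck's find(1) audits against a constructed tree.

# build_sample_tree ROOT: create the kinds of files the deck hunts for.
# Every mode is set explicitly so the result does not depend on umask.
build_sample_tree() {
    root=$1
    mkdir -p "$root/bin" "$root/tmp" "$root/dropbox" "$root/stickytmp"
    chmod 0755 "$root/bin" "$root/tmp"
    : > "$root/bin/suid_helper";    chmod 4755 "$root/bin/suid_helper"    # setuid
    : > "$root/bin/suid_sgid_tool"; chmod 6755 "$root/bin/suid_sgid_tool" # setuid + setgid
    : > "$root/bin/normal";         chmod 0755 "$root/bin/normal"
    : > "$root/tmp/shared.txt";     chmod 0666 "$root/tmp/shared.txt"     # world-writable file
    : > "$root/tmp/...";            chmod 0600 "$root/tmp/..."            # hides among . and ..
    : > "$root/tmp/.hidden_tool";   chmod 0600 "$root/tmp/.hidden_tool"   # ordinary dotfile
    chmod 0777 "$root/dropbox"      # world-writable directory, no sticky bit
    chmod 1777 "$root/stickytmp"    # world-writable but sticky, like /tmp
}

# count CMD...: number of output lines of CMD
count() { "$@" | wc -l | tr -d ' '; }

# audit_tree ROOT: one "name=count" line per check. The expressions are the
# deck's commands with the syntax fixed: parentheses are escaped from the
# shell, each alternative carries its own -perm, and "any of these bits set"
# is -perm /MODE (GNU find deprecated the older -perm +MODE spelling).
audit_tree() {
    root=$1
    printf 'suid_or_sgid=%s\n'     "$(count find "$root" -type f \( -perm -4000 -o -perm -2000 \))"
    printf 'ww_files=%s\n'         "$(count find "$root" -type f -perm /022)"
    printf 'ww_dirs_all=%s\n'      "$(count find "$root" -type d -perm /022)"
    printf 'ww_dirs_nosticky=%s\n' "$(count find "$root" -type d -perm /022 ! -perm -1000)"
    printf 'dotdot_names=%s\n'     "$(count find "$root" -name '..*')"
    printf 'dot_names=%s\n'        "$(count find "$root" -name '.*')"
    # Unowned files need a uid/gid missing from passwd/group; creating one needs
    # root, so expect 0 here. (In a container running as an unlisted uid every
    # file is "unowned" and this number is misleading.)
    printf 'unowned=%s\n'          "$(count find "$root" \( -nouser -o -nogroup \))"
}

# audit_value ROOT NAME: pull one number out of audit_tree's output
audit_value() { audit_tree "$1" | sed -n "s/^$2=//p"; }

if [ "${1:-}" = "--demo" ]; then
    root=$(mktemp -d)
    build_sample_tree "$root"
    audit_tree "$root"
    rm -rf "$root"
fi
```

The sticky-bit exclusion is the difference between a list you can act on and one full of /tmp-style directories; likewise the suid_sgid_tool shows why the slide 8 command needs the -o alternative rather than a single -perm -6000, which would only catch files with both bits.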

Page 14

Tightening script files

Script files are responsible for starting and stopping all your normal processes.

# chmod -R 700 /etc/rc.d/init.d/*

No reason for users to be able to view or edit startup scripts.

Page 15

Removing banner info

Edit the /etc/rc.d/rc.local file and comment the following lines:

- # echo "" > /etc/issue

- # echo "$R" >> /etc/issue

- # echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue

- Remove the files issue.net and issue under /etc:

- # rm -f /etc/issue

- # rm -f /etc/issue.net

Page 16

/etc/services file

This file contains information about the port numbers on which standard services are offered.

Should be protected:

# chattr +i /etc/services

Similar for other important files: /etc/passwd, /etc/shadow, /etc/group, configuration files.

An immutable file cannot be changed even by root until the bit is cleared (chattr -i), so it also blocks package upgrades and useradd/passwd on the account files; clear it before such maintenance and set it again afterwards.
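
An added check, not from the deck, for the protection this slide describes using the attribute letters of slides 9 and 10: it parses lsattr output and reports which of the listed files lack the required attribute ('i' for immutable, 'a' for append-only logs). The lsattr lines used in the test are constructed. Reading attributes needs no privilege; setting them with chattr requires root (CAP_LINUX_IMMUTABLE), which is why lock_file is separate from the checks.

```sh
#!/bin/sh
# Added example: verify ext2/3/4 attributes via lsattr(1) output.

# lsattr prints "<flags> <path>", e.g. "----i---------e------- /etc/services".
# The flag field is a fixed-order string: a letter means the attribute is set,
# '-' means it is clear ('e' is just the extents flag on ext4).
attr_field() { printf '%s\n' "${1%% *}"; }
attr_path()  { printf '%s\n' "${1#* }"; }

# has_attr LINE CHAR: true if attribute CHAR is set in an lsattr line
has_attr() {
    case $(attr_field "$1") in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# check_line LINE WANT: classify one lsattr line against a required attribute
check_line() {
    if has_attr "$1" "$2"; then
        printf 'ok      %s\n' "$(attr_path "$1")"
    else
        printf 'MISSING %s (needs chattr +%s)\n' "$(attr_path "$1")" "$2"
    fi
}

# check_files WANT FILE...: run lsattr on real files and classify each one.
check_files() {
    want=$1; shift
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            printf 'ABSENT  %s\n' "$f"
        elif line=$(lsattr -d "$f" 2>/dev/null) && [ -n "$line" ]; then
            check_line "$line" "$want"
        else
            printf 'NOATTR  %s (lsattr failed: not an ext2/3/4 file system?)\n' "$f"
        fi
    done
}

# lock_file FILE: set the immutable bit and confirm it took. Needs root.
# An immutable file blocks package upgrades and passwd/useradd; run
# "chattr -i FILE" before such maintenance and lock it again afterwards.
lock_file() {
    chattr +i "$1" && check_line "$(lsattr -d "$1")" i
}

if [ "${1:-}" = "--demo" ]; then
    # The files this slide names; /etc/services is the deck's own example.
    check_files i /etc/services /etc/passwd /etc/shadow /etc/group
fi
```

Running `check_files a /var/log/messages /var/log/secure` applies the same test to the append-only bit the logging slides rely on: with +a the daemon can still append, but nothing can truncate or rewrite the file without clearing the bit first.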

Page 17

Control mounting a file system

In Linux all file systems (hard drives, CD-ROMs, floppy drives etc) are mounted onto one logical tree with root being the parent directory.

The ext2 file system enforces the permission model described above; the mount options decide how much of it a given partition honours.

Page 18

Mount:

The mount command attaches a file system to the file system hierarchy at the mount point.

The standard form of the mount command:

mount -t type device dir

Page 19

Options:

defaults: rw, suid, dev, exec, auto, nouser, async.

nosuid: Do not honour the SUID/SGID bits on this partition.

nodev: Do not interpret character or block special devices on this partition.

ro: Mount read-only.

rw: Mount read-write.

Page 20

/etc/fstab

Text file containing info about how the different partitions on the hard disk are mounted in Linux directories.

Each entry has 6 fields, namely

block_device | mount_point | type | options | dump | pass

Page 21

contd

Block-device: The partition on the HD

Mount-point: Local directory where the partition is mounted.

Type: Type of partition or file system

Options: see mount(8)

Dump: Whether the partition should be dumped for backups

Pass: Order in which fsck checks the file system for corruption at boot time
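
An added example (not from the deck) that applies the options of slide 19 to the file format of slides 20 and 21: it reads fstab lines and reports mounts where ordinary users can create files but setuid binaries and device nodes are still honoured. It follows mount(8)'s rule that the user/users options imply nosuid and nodev unless a later suid or dev undoes them. The fstab lines in the demo are constructed, and the list of user-writable mount points is an assumption to adapt to your own layout.

```sh
#!/bin/sh
# Added example: audit fstab entries for missing nosuid/nodev.

# has_opt OPTIONS NAME: true if NAME is one of the comma-separated OPTIONS
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# restricted OPTIONS NEG POS: true if the restrictive option NEG is in
# effect, either listed explicitly or implied by user/users and not undone
# by POS (mount(8): user implies noexec,nosuid,nodev unless e.g. user,suid,dev).
restricted() {
    has_opt "$1" "$2" && return 0
    if has_opt "$1" user || has_opt "$1" users; then
        has_opt "$1" "$3" || return 0
    fi
    return 1
}

# audit_entry LINE: for a user-writable mount point print
# "<mount_point> ok" or "<mount_point> missing: nosuid nodev"; other mount
# points and comment or blank lines print nothing.
audit_entry() {
    # fstab fields: device mount_point type options dump pass
    read -r dev mnt type opts dump pass <<EOF
$1
EOF
    case $dev in ''|\#*) return 0 ;; esac
    case $mnt in
        /tmp|/var/tmp|/home|/media/*|/mnt/*) ;;   # assumption: where users may write
        *) return 0 ;;
    esac
    missing=''
    restricted "$opts" nosuid suid || missing="$missing nosuid"
    restricted "$opts" nodev  dev  || missing="$missing nodev"
    if [ -n "$missing" ]; then
        printf '%s missing:%s\n' "$mnt" "$missing"
    else
        printf '%s ok\n' "$mnt"
    fi
}

# audit_fstab FILE: audit every entry of an fstab-format file
audit_fstab() {
    while IFS= read -r line; do
        audit_entry "$line"
    done < "$1"
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample fstab, not a real system
/dev/sda1  /            ext2    defaults               1 1
/dev/sda3  /tmp         ext2    defaults               1 2
/dev/sda4  /home        ext2    defaults,nosuid,nodev  1 2
/dev/fd0   /mnt/floppy  auto    noauto,user            0 0
/dev/cdrom /media/cdrom iso9660 noauto,user,dev        0 0
EOF
    audit_fstab "$tmp"
    rm -f "$tmp"
fi
```

`audit_fstab /etc/fstab` on a real machine is the intended use. The /tmp line with plain defaults is the classic finding: a user can copy a setuid binary there, or create a device node for a disk, and both work because defaults includes suid and dev.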

Page 22

Logging:

Logging is defined as the process of recording actions that have occurred.

Important to maintain the integrity of the different log files.

Syslogd: the daemon that implements the logging facility.

Page 23

contd

Syslogd reads the /etc/syslog.conf file. Each line consists of two fields:

- selector (facility.priority, several separated by ';') and

- action field (where to send the messages)

authpriv.*;mail.*;daemon.info    /dev/lp0

(This example sends authentication, mail and daemon messages of priority info or higher to a line printer: paper cannot be edited after the fact by an intruder.)

Page 24

Klogd daemon

Intercepts and logs kernel messages.

Log info may come from the /proc file system (/proc/kmsg) or via the sys_syslog system call.

Remote logging: easy to control and added security. An action of @loghost in syslog.conf forwards the selected messages to another machine, so an intruder who gains root locally cannot erase them.
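
An added example, not part of the deck, showing how the selector field of slide 23 is evaluated: a facility.priority pair matches that priority and everything more severe, '*' matches any, 'none' removes a facility, and later selectors on a line override earlier ones. route_message applies a whole syslog.conf to one message, so the deck's line-printer rule and a remote @loghost rule as on this slide can be seen side by side. The configuration text is constructed; the '=' and '!' priority modifiers of Linux sysklogd are not handled.

```sh
#!/bin/sh
# Added example: evaluate classic syslog.conf selectors.

# prio_level NAME: numeric severity, 0 = emerg (most severe) .. 7 = debug;
# -1 for an unknown name.
prio_level() {
    case $1 in
        emerg|panic)  printf '%s\n' 0 ;;
        alert)        printf '%s\n' 1 ;;
        crit)         printf '%s\n' 2 ;;
        err|error)    printf '%s\n' 3 ;;
        warning|warn) printf '%s\n' 4 ;;
        notice)       printf '%s\n' 5 ;;
        info)         printf '%s\n' 6 ;;
        debug)        printf '%s\n' 7 ;;
        *)            printf '%s\n' -1 ;;
    esac
}

# selector_matches SELECTORS FACILITY PRIORITY: true if a message of
# FACILITY.PRIORITY is selected by the ';'-separated SELECTORS field.
# Facilities may be comma-separated ("auth,authpriv.none"). A priority
# selects itself and everything more severe; later selectors override
# earlier ones, so "*.info;mail.none" drops mail entirely.
selector_matches() {
    fac=$2
    msg_level=$(prio_level "$3")
    result=1
    while IFS= read -r sel; do
        [ -n "$sel" ] || continue
        facs=${sel%.*}
        pri=${sel##*.}
        case ",$facs," in
            *",$fac,"*|*",*,"*) ;;        # names our facility, or '*'
            *) continue ;;
        esac
        case $pri in
            none) result=1 ;;
            '*')  result=0 ;;
            *)    if [ "$msg_level" -ge 0 ] && [ "$msg_level" -le "$(prio_level "$pri")" ]; then
                      result=0
                  else
                      result=1
                  fi ;;
        esac
    done <<EOF
$(printf '%s\n' "$1" | tr ';' '\n')
EOF
    return $result
}

# route_message CONF FACILITY PRIORITY: print the action of every rule in the
# syslog.conf text CONF that receives a FACILITY.PRIORITY message.
route_message() {
    conf=$1; msg_fac=$2; msg_pri=$3
    while read -r rule_sel action rest; do
        case $rule_sel in ''|\#*) continue ;; esac
        if selector_matches "$rule_sel" "$msg_fac" "$msg_pri"; then
            printf '%s\n' "$action"
        fi
    done <<EOF
$conf
EOF
}

# Constructed syslog.conf, not a real one. /dev/lp0 is the deck's line-printer
# action; @loghost forwards to a remote syslogd; the leading '-' on the mail
# log means "do not fsync after each write".
SAMPLE_CONF='authpriv.*;mail.*;daemon.info   /dev/lp0
*.info;mail.none;authpriv.none   /var/log/messages
authpriv.*                       @loghost
mail.*                           -/var/log/maillog'

if [ "${1:-}" = "--demo" ]; then
    echo "authpriv.notice ->"; route_message "$SAMPLE_CONF" authpriv notice
    echo "daemon.debug ->";    route_message "$SAMPLE_CONF" daemon debug
fi
```

The daemon.debug case prints nothing: daemon.info means info and above, so debug is dropped by every rule, which is exactly the kind of gap to look for when deciding what a remote log host will actually receive.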

Page 25

Shell logging

The Bash shell stores up to 500 old commands in ~/.bash_history.

Password threat: passwords typed on the command line end up in the history file.

Edit /etc/profile:

HISTFILESIZE=20 and HISTSIZE=20

Edit /etc/skel/.bash_logout:

rm -f $HOME/.bash_history

(Deleting the history also erases a record that is useful when investigating a compromised account; weigh the two before adopting it.)

Page 26

UTMP and WTMP

UTMP is a system log file that records the users currently logged in.

UTMP is a target for tampering: an intruder who can write to it can erase the record of a session or feed bad data to the programs that read it.

Together with WTMP and lastlog, UTMP supplies the accounting and access info shown by the commands who, last, lastlog etc.

WTMP contains the history of the UTMP data (every login and logout) and is what the last command reads.

Page 27

Questions ?