CIS 193A - Lesson 1
Dec 14, 2015
Welcome to CIS 193A
UNIX/Linux Security Administration
How this Class Works
Class Flowchart
• Question & Answers
• Practice Drills
• Lecture
• Homework: labs and assigned reading
Grades
1. Lab assignments
2. Final exam
3. Log book
Resources
• Class Web site: www.cabrillo.edu/~jgriffin
• CIS 193 Forum: opus.cabrillo.edu/forum
• Opus user account: with ssh access
• Virtual machines: cislab.cabrillo.edu - vCenter
• CCC Confer: lecture playbacks - www.cccconfer.org
• Open labs: CTC and CIS Lab room 1403
• Textbook and suggested readings
How to be successful in this class
• Start lab assignments early
• Use the forum
• Read labs before starting and follow each step carefully
• Use the lecture slides and CCC Confer videos as references when doing labs
• Use the forum to clarify expectations or confusing topics
• Experiment to see how things work
• Don't wait till the last minute to do labs
• Read the forum before starting a lab
• Get organized, read the Calendar and plan ahead
• Check your progress on the Grades page
• Use the textbook to deepen your understanding
• Use Google for command syntax
• Think through labs ahead of time and make checklists as necessary
• Use the forum's search box (upper right corner)
• Read the lesson PowerPoints when stuck on a lab
• Post lessons learned on the forum after completing a lab
• Check for Howtos for the task you are trying to accomplish
• Read the forum often
• Ask lots of questions on the forum
• Answer lots of questions on the forum
• Don't blindly follow instructions in labs, make sure you know what is happening
• Experiment to better understand things
• Follow all the instructions in a lab (especially the submittal part)
• Use Google when troubleshooting error messages
• Study groups are great for labs
• Get organized, use the Calendar to plan ahead
• Use the forum
• Check the Grades web page to see if you need to do extra credit
• Follow the instructions in labs
• Keep a cheat sheet of Linux commands
• Add scp and dhclient to your cheat sheet
• Use the forum
• Don't wait until the last minute to start labs
CIS 193 Class Forum
Use Search to find relevant posts
• Collaborate on lab assignments
• Get clarifications
• Get help when stuck on something
• Share Linux related information
• Catch up when you miss a class
CIS 193 Class Forum
Forum Policy:
• Account names must be first and last name.
• Availability is 24 / 7.
• Post topics on anything related to class.
• Top 5 contributors earn extra credit.
• Avatars are allowed, but identifying photos are preferred.
• Visiting other forums is permitted.
Look for the CIS 193A forum
Computer Security
Focus Question
What are three of the most common vulnerabilities that allow crackers to compromise Linux systems?
What Is Security?
• The protection of value from threats.
• A computer system is secure when everyone who is authorized has access to the resources, and anyone who is not authorized doesn't have access.
• Question: Is a computer cased in concrete and shot to the moon a secure computer?
A Security Model
(diagram; only its labels survive extraction)
• Threat Agent, Threat, Information Assets
• Information asset properties: Confidentiality, Integrity, Availability
• Incident, Damage
• Safeguards: Prevention, Detection, Correction*, Recovery
* also called Aversion or Damage Control
Risk = Threats * Vulnerabilities
Threats:
• People
  – Social Engineering
  – Eavesdropping
  – Wiretapping
• Software
  – Malware
  – Steganography
  – Covert operations
• Nature
  – Fire, Flood
  – EM radiation
Vulnerabilities:
• People
  – Poor passwords
  – Unattended stations
  – Not following policies
• Software
  – Buffer overflows
  – Poor input validation
• Configuration Errors
  – Poor permissions
  – No passwords
  – Unneeded services
Risk = Threats * Vulnerabilities - Safeguards
Safeguards:
• Prevention: Strong passwords, Encryption, Software updates, Firewalls
• Detection: Intrusion Detection Systems, Logging, Monitoring, Auditing
• Correction: Killing processes, routing redirects, reconfiguration, halt
• Recovery: Backups, Restore, DRP, Business Recovery Plan
Exercises
Resetting Root Password
• Method 1
  – Boot into single-user mode: add single as a kernel parameter on the boot line
  – Set the password using the passwd command
• Method 2
  – Boot into a bash shell: add init=/bin/bash as a kernel parameter
  – Remount the root file system as rw: mount -o remount,rw /dev/sda2 /
  – Set the password using the passwd command
• Method 3
  – Use an installation disk in "Rescue Mode"
Cracking Passwords
• Log in as cis193 and download "John the Ripper" from Opus
  $ scp guest193@opus:../depot/john-1.7.4.tar.gz .
• Extract the compressed tarball
  $ tar xzvf john-1.7.4.tar.gz
• Compile the binary
  $ cd john-1.7.4/src; make linux-x86-any
• Copy the /etc/shadow file to the run directory
  $ cd ../run; cp /etc/shadow .    # How?
• Run John the Ripper
  $ ./john shadow
Testing Passwords
• From cis193's home directory, compile a program to test for good passwords (the cracklib library is linked in with -lcrack, placed after the source file so the linker resolves it):
  $ cc -o crack src/crack.c -lcrack
  $ ./crack
Accounts With No Passwords
• Check to see if any accounts have blank passwords
  # cut -f1,2 -d: /etc/shadow | grep ':$'
• Also check the password file
  # cut -f1,2 -d: /etc/passwd | grep ':$'
Finding Superuser Backdoors
• Search the password file for uid=0
  $ awk -F: '$3 == 0 {print $1, "is a superuser!"}' /etc/passwd
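The blank-password and UID 0 checks from these two slides combined into one script, as an added example that is not part of the course materials; the passwd and shadow files it reads are constructed samples written to a temp directory, and the function names are my own:

```shell
#!/bin/sh
# Added example, not from the course slides: audit a passwd/shadow pair for the two
# checks on these slides, empty password fields and extra UID 0 accounts. The files
# are constructed samples in a temp directory; point the functions at /etc/passwd
# and /etc/shadow (as root) to audit a real system.

# Accounts whose password field (field 2) is empty. Works on the passwd or the
# shadow layout and matches what "cut -f1,2 -d: FILE | grep ':$'" reports.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts with UID 0 (passwd field 3), the same test as the awk one-liner above.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Run both checks over a passwd ($1) and shadow ($2) file: one finding per line,
# exit status = number of findings so it can drive a cron job or a script.
audit_accounts() {
    n=0
    for u in $(empty_password_accounts "$1"); do echo "empty password in passwd: $u"; n=$((n+1)); done
    for u in $(empty_password_accounts "$2"); do echo "empty password in shadow: $u"; n=$((n+1)); done
    for u in $(uid0_accounts "$1"); do
        [ "$u" = root ] || { echo "UID 0 account other than root: $u"; n=$((n+1)); }
    done
    return $n
}

# Constructed sample files: "toor" is a second UID 0 account, "guest" has no password.
demo_dir=$(mktemp -d)
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:hidden root:/root:/bin/bash
cis193:x:1000:1000:CIS 193:/home/cis193:/bin/bash
guest::1001:1001:Guest:/home/guest:/bin/bash
EOF
cat > "$demo_dir/shadow" <<'EOF'
root:$6$constructed$notarealhash:16783:0:99999:7:::
daemon:*:16783:0:99999:7:::
toor:$6$constructed$notarealhash:16783:0:99999:7:::
cis193:$6$constructed$notarealhash:16783:0:99999:7:::
guest::16783:0:99999:7:::
EOF

audit_accounts "$demo_dir/passwd" "$demo_dir/shadow" && echo "no findings" || echo "$? finding(s)"
```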
Suspicious Account Use
• Look at a user's login history
  $ last [username]
• To look at failed login attempts
  $ lastb [username]
  note: lastb depends on /var/run/btmp
Testing User's Search PATH
• Ensure that your search path contains no relative directories, including '.'
  $ perl -e 'print "PATH contains insecure relative directory \"$_\"\n" foreach grep ! m[^/], split /:/, $ENV{"PATH"}, -1;'
Note: it may be easier just to check the PATH variable in the .bash_profile.
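A portable sh version of the same PATH check, added here as an example rather than taken from the slides; insecure_path_entries and insecure_path_count are names of my own, and the loop covers the empty-field case (a leading, trailing or doubled colon) that the Perl one-liner's split with -1 exists to catch:

```shell
#!/bin/sh
# Added example, not from the course slides: a portable sh version of the PATH
# check above. An entry is insecure when it is not an absolute path: ".", "..",
# any relative name, or an empty field (a leading, trailing or doubled ":"),
# which the shell treats as the current directory. insecure_path_entries takes a
# PATH-style string so it can be run on a value copied from .bash_profile as
# well as on the live $PATH.

insecure_path_entries() {
    # $1: colon-separated search path; prints one line per insecure entry,
    # returns 0 if the path is clean and 1 otherwise
    bad=0
    rest="$1:"                      # trailing ':' so the loop also sees the last field
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"         # field before the first ':'
        rest="${rest#*:}"           # drop it together with the ':'
        case "$entry" in
            /*) ;;                  # absolute path: fine
            "") echo "PATH contains insecure relative directory \"\" (empty = current directory)"; bad=1 ;;
            *)  echo "PATH contains insecure relative directory \"$entry\""; bad=1 ;;
        esac
    done
    return $bad
}

# Number of insecure entries, for a one-line pass/fail in a script
insecure_path_count() {
    insecure_path_entries "$1" | wc -l | tr -d ' '
}

# Stand-alone demonstration on the live PATH and on a constructed bad value
echo "checking \$PATH=$PATH"
insecure_path_entries "$PATH" && echo "PATH is clean"
bad_path="/usr/bin:.:/bin::/usr/local/bin"
echo "checking constructed PATH=$bad_path"
insecure_path_entries "$bad_path" || echo "found $(insecure_path_count "$bad_path") insecure entries"
```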
Searching File Systems Using the Find Command
• find searches on inode information:
  -type [fdlbc]            # file type: regular, directory, link, block, char
  -user username | uid     # owner of the file
  -group groupname | gid   # group of the file
  -perm permissions        # octal number or symbolic mode
  -size n[bckMG]           # size in various units
  -inum n                  # inode number
• Each option is a boolean term in an AND expression:
  find / -type d -user root -size 4k
  will find all directories owned by root that are 4K in size
Search File Systems For setuid/setgid Programs
• Check for insecure setuid (or setgid) programs (GNU find now spells the "any of these bits" test with / instead of the older +)
  # find /dir -type f -perm /ug=s
• Check for setgid directories
  # find /dir -type d -perm -g=s
Finding Writable Files
• Find world-writable files
  # find /dir -xdev -type f -perm -o=w
• Find world-writable directories
  # find /dir -xdev -type d -perm -o=w
• Find world-writable files and directories that don't have their sticky bit set
  # find / -xdev -perm -o=w ! \( -type d -perm -o=t \) ! -type l
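The setuid/setgid and world-writable searches from the last two slides run against a constructed directory tree, as an added example that is not from the course; make_tree and the three search functions are my own names, and the tree is built in a temp directory so the output is reproducible:

```shell
#!/bin/sh
# Added example, not from the course slides: build a small constructed directory
# tree with a mix of permission bits, then run the setuid/setgid and world-writable
# searches from the slides above against it (rooted at the tree instead of /dir
# or /). Octal modes replace the slides' symbolic forms so the commands also run
# on non-GNU find: ug=s -> -4000 / -2000, -o=w -> -002, -o=t -> -1000.

make_tree() {
    # $1: empty base directory to populate with constructed sample entries
    chmod 700 "$1"              # fixed mode on the root so nothing is inherited
    mkdir -p "$1/incoming" "$1/tmp_like" "$1/shared" "$1/private"
    : > "$1/private/notes.txt";   chmod 644  "$1/private/notes.txt"   # ordinary file
    : > "$1/incoming/report.txt"; chmod 666  "$1/incoming/report.txt" # world-writable file
    : > "$1/private/setuid_tool"; chmod 4755 "$1/private/setuid_tool" # setuid file
    : > "$1/private/setgid_tool"; chmod 2755 "$1/private/setgid_tool" # setgid file
    chmod 755  "$1/private"    # ordinary directory
    chmod 777  "$1/incoming"   # world-writable directory without the sticky bit
    chmod 1777 "$1/tmp_like"   # world-writable but sticky, like /tmp: not reported
    chmod 2775 "$1/shared"     # setgid directory
    ln -s /nonexistent "$1/dangling_link"   # symlink: skipped by ! -type l
}

# setuid or setgid regular files (slide: find /dir -type f -perm /ug=s)
setuid_setgid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# setgid directories (slide: find /dir -type d -perm -g=s)
setgid_dirs() {
    find "$1" -xdev -type d -perm -2000 | sort
}

# world-writable entries that are neither sticky directories nor symlinks
# (slide: find / -xdev -perm -o=w ! \( -type d -perm -o=t \) ! -type l)
insecure_writable() {
    find "$1" -xdev -perm -002 ! \( -type d -perm -1000 \) ! -type l | sort
}

# Stand-alone demonstration on a fresh temporary tree
demo_root=$(mktemp -d)
make_tree "$demo_root"
echo "== setuid/setgid files ==";     setuid_setgid_files "$demo_root"
echo "== setgid directories ==";      setgid_dirs "$demo_root"
echo "== insecure world-writable =="; insecure_writable "$demo_root"
```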
Review
Answer to Focus Question
What are three of the most common vulnerabilities that allow crackers to compromise Linux systems?
1. Weak passwords
2. Non-updated software
3. Running unneeded services
Review
• Becoming root: sudo or su -
  (the - is very important, as this gets you root's environment)
• To get command documentation:
  – man command
  – google.com (linux xxxxxx command)
• To try again for a network connection:
  # service network restart
• To copy files to and from a remote system:
  – scp filename user@hostname:path
  – scp user@hostname:path filename
  – scp lab [email protected]:
  (filename could be just a dot (.) for the current directory)