“given enough eyeballs, all bugs are shallow” - Linus Torvalds
Linux Security
Presented by: D.Girish (2011188), Swapnil Bharadwaj (2011230), D.Sandilya (2011246), Y.Hemanth (2011266), G.Dileep Kumar (2010230)
Introduction
In the 1980s, Microsoft's DOS was the dominant OS for PCs. Mac was better, but expensive. UNIX was much better, but much more expensive. People were looking for a UNIX-based system that was cheaper, user friendly, and could run on a PC. The DOS, Mac and UNIX kernels were not open for outside development. A student at Helsinki University called Linus Torvalds developed the first Linux kernel, version 0.0.1, modelled after MINIX, a simplified version of UNIX.
Main Features
Application Platform
Hardware Moderator
Security
Connectivity
Main Features
Application Platform: An operating system provides applications with a platform on which they can run, managing their access to the CPU and system memory.
Hardware Moderator: The operating system also serves as a mediator between running applications and the system hardware. Most applications are not written to address a computer's hardware directly.
Main Features
Security: The operating system is responsible for providing a degree of security for the data it hosts.
Connectivity: The operating system manages connectivity between computer systems using a variety of network media and interfaces, including infrared, Ethernet and wireless.
Additional Features
Open source.
Virus-free.
Free.
Compatible with most hardware.
Well documented.
Customizable.
Great graphical interface.
Support for running servers such as Apache, and for protocols such as FTP.
Linux v/s Windows
Windows operating systems such as XP faced heavy criticism for their poor security features; XP was found to be very ineffective against malware, worms and Trojan horses. Linux systems, on the other hand, rarely crash and can run for years without rebooting thanks to their sound security design. One more reason behind the strong security of Linux is that its source code is available to its users.
Linux v/s Windows
If they find a virus, they can modify the code and change files accordingly. In the case of Windows, however, users have to wait for the company's response before any adjustment can be made. Windows XP shipped with many patches and anti-virus versions but still failed to fend off worms and viruses. Microsoft defended itself on many grounds; as one correspondent put it, hackers are paid to break Windows because of its spread and popularity. However, this is not the case in reality. The fact is that all Windows versions have poor-quality security features.
Linux Security Hardening
Configure the BIOS to disable booting from CD/DVD, external devices and the floppy drive. Next, set a BIOS password and also protect GRUB with a password to restrict physical access to your system.
The Linux kernel and its related files live in the /boot directory, which is mounted read-write by default. Changing it to read-only reduces the risk of unauthorized modification of critical boot files. To do this, open the /etc/fstab file:
# vi /etc/fstab
Add the following line at the bottom, then save and close it:
LABEL=/boot /boot ext2 defaults,ro 1 2
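The read-only /boot mount above is easy to verify and easy to regress (an update that rewrites fstab, or a second /boot line that silently overrides the first). The following Python audit is an added example, not part of the original slides: it parses fstab text, reports whether /boot carries the ro option, and shows the rewritten entry. The fstab contents are constructed for the demonstration; in practice the function would be fed /etc/fstab.

```python
"""Audit an fstab for the read-only /boot mount recommended on the slide.

Added example, not from the original slides. SAMPLE_FSTAB is constructed;
check_boot_readonly() would normally be given the contents of /etc/fstab.
"""

# Constructed sample /etc/fstab: /boot is mounted read-write, which is the
# default the slide warns about.
SAMPLE_FSTAB = """\
# <device>      <mount point>  <type>  <options>        <dump> <pass>
LABEL=/         /              ext4    defaults         1 1
LABEL=/boot     /boot          ext2    defaults         1 2
tmpfs           /dev/shm       tmpfs   defaults         0 0
"""


def parse_fstab(text):
    """Return a list of (device, mountpoint, fstype, options) tuples,
    skipping comments and blank lines. Options are split on ','."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line: not enough fields to be a mount
        device, mountpoint, fstype, options = fields[:4]
        entries.append((device, mountpoint, fstype, options.split(",")))
    return entries


def check_boot_readonly(text):
    """Return (status, message): True when /boot is listed with the 'ro'
    option, False when it is read-write, None when there is no /boot line
    (the kernel files then live on the root filesystem)."""
    for device, mountpoint, fstype, options in parse_fstab(text):
        if mountpoint == "/boot":
            if "ro" in options:
                return True, f"/boot ({device}, {fstype}) is mounted read-only"
            return False, f"/boot ({device}, {fstype}) is read-write: options={','.join(options)}"
    return None, "no /boot entry found"


def harden_boot_entry(text):
    """Return fstab text with 'ro' appended to the /boot options, producing
    the 'defaults,ro' form shown on the slide. Other lines are unchanged."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "/boot" and not line.lstrip().startswith("#"):
            opts = fields[3].split(",")
            if "ro" not in opts:
                opts.append("ro")
            fields[3] = ",".join(opts)
            line = "  ".join(fields)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", check_boot_readonly(SAMPLE_FSTAB)[1])
    print("after: ", check_boot_readonly(harden_boot_entry(SAMPLE_FSTAB))[1])
```

Two practical notes: if /etc/fstab already has a /boot line, edit that line rather than appending a second one, since the later entry is what mount uses; and before installing a new kernel or bootloader package, remount the directory writable (mount -o remount,rw /boot) and put it back afterwards, otherwise the update fails.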
Use Secure Shell (SSH)
The Telnet and rlogin protocols send everything in plain text rather than encrypted form, which is a security breach. SSH is a secure protocol that uses encryption during communication with the server.
Never log in directly as root unless necessary. Use "sudo" to execute commands. sudo rules are specified in the /etc/sudoers file, which can be edited with the "visudo" utility (it opens in the vi editor).
It is also recommended to change the default SSH port 22 to some other, higher port number.
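The two sshd settings the slide asks for (no direct root login, a non-default port) can be checked mechanically. The audit below is an added example, not from the original slides: it reads sshd_config text, applies sshd's first-occurrence-wins rule for duplicate keywords, and reports the weak settings. The configuration texts are constructed; PermitRootLogin and Port are real sshd_config keywords, the finding messages are this example's own.

```python
"""Audit sshd_config for direct root login and the default port 22.

Added example, not from the original slides. WEAK_CONFIG and
HARDENED_CONFIG are constructed; in practice read /etc/ssh/sshd_config.
"""

# Constructed sshd_config with the weak settings: root may log in over SSH
# and the daemon listens on the default port.
WEAK_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# The same file after applying the slide's advice.
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return a dict of lower-cased keyword -> value.
    sshd honours the FIRST occurrence of a keyword and ignores later
    duplicates, so setdefault() reproduces that rule. Comments and blank
    lines are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means both checks pass.
    Unset keywords fall back to OpenSSH's defaults (PermitRootLogin is
    prohibit-password since OpenSSH 7.0, Port is 22)."""
    settings = parse_sshd_config(text)
    findings = []
    root = settings.get("permitrootlogin", "prohibit-password").lower()
    if root == "yes":
        findings.append("PermitRootLogin yes: root can log in directly over SSH; set it to no")
    port = settings.get("port", "22")
    if port == "22":
        findings.append("Port 22: default port in use; move sshd to a non-default port")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit_sshd_config(cfg) or ["ok"])
```

Moving sshd off port 22 mainly reduces noise from automated scanners; the setting that actually removes an attack path is PermitRootLogin no combined with sudo for privileged work, which is why the audit reports both separately.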
Security-Enhanced Linux (SELinux)
Security-Enhanced Linux (SELinux) is a mandatory access control security mechanism provided in the kernel. SELinux provides three basic modes of operation:
Enforcing: the default mode, which enables and enforces the SELinux security policy on the machine.
Permissive: in this mode SELinux does not enforce the security policy; it only warns and logs actions. This mode is very useful for troubleshooting SELinux-related issues.
Disabled: SELinux is turned off.
You can view the current SELinux mode from the command line using the 'system-config-selinux', 'getenforce' or 'sestatus' commands.
Lock and Unlock Account Manually
The lock and unlock features are very useful: instead of removing an account from the system, you can lock it for a week or a month. To lock a specific user, use the following command:
# passwd -l accountName
Note: the locked user is still available to the root user only. Locking is performed by prefixing the encrypted password with a "!" string. If someone tries to access the system using this account, they get an error similar to the one below:
# su - accountName
This account is currently not available.
To unlock a locked account, use the command below. This removes the "!" string from in front of the encrypted password:
# passwd -u accountName
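What passwd -l and passwd -u actually change is the second field of the account's line in /etc/shadow. The model below is an added example, not from the original slides or from the passwd utility: it applies the "!" prefix the slide describes, removes it again, and classifies an entry as locked, active, or without a usable password. The shadow lines and the hash in them are constructed.

```python
"""Model of passwd -l / passwd -u on a shadow entry, plus a lock check.

Added example, not from the original slides. The shadow entries are
constructed (the hash is a dummy); real entries come from /etc/shadow,
which only root can read.
"""

# Constructed shadow entries, nine colon-separated fields:
# name:hash:lastchg:min:max:warn:inactive:expire:flag
SAMPLE_SHADOW = [
    "alice:$6$saltsalt$dummyhashvalue:19000:0:99999:7:::",
    "bob:!$6$saltsalt$dummyhashvalue:19000:0:99999:7:::",   # already locked
    "daemon:*:19000:0:99999:7:::",                          # never had a password
]


def split_entry(entry):
    """Split a shadow line and reject anything that is not nine fields."""
    fields = entry.split(":")
    if len(fields) != 9:
        raise ValueError(f"malformed shadow entry: {entry!r}")
    return fields


def lock_status(entry):
    """Return 'locked', 'no usable password', or 'active'.
    A '!' prefix is what passwd -l writes; '*' or an empty field means no
    password was ever set, which is a different state from a lock."""
    pw = split_entry(entry)[1]
    if pw.startswith("!"):
        return "locked"
    if pw in ("", "*"):
        return "no usable password"
    return "active"


def lock_account(entry):
    """Equivalent of passwd -l: prepend '!' unless it is already there.
    The hash is kept intact, so the account can be unlocked later."""
    fields = split_entry(entry)
    if not fields[1].startswith("!"):
        fields[1] = "!" + fields[1]
    return ":".join(fields)


def unlock_account(entry):
    """Equivalent of passwd -u: strip the '!' prefix. An entry that would
    end up with an empty password is returned unchanged, mirroring
    shadow-utils, which refuses that case without -f."""
    fields = split_entry(entry)
    if fields[1].startswith("!"):
        if fields[1] == "!":
            return entry
        fields[1] = fields[1][1:]
    return ":".join(fields)


if __name__ == "__main__":
    for line in SAMPLE_SHADOW:
        print(line.split(":")[0], "->", lock_status(line))
    locked = lock_account(SAMPLE_SHADOW[0])
    print("after passwd -l:", lock_status(locked))
    print("after passwd -u:", lock_status(unlock_account(locked)))
```

Because the lock only disables password authentication, an audit of locked accounts should also confirm that no other login path (an authorized SSH key, for instance) still reaches the account.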
Access Control
Access control under UNIX systems, including Linux, is performed through the use of unique numeric identifiers. A user identifier (UID) identifies a single user or a single set of access rights. A group identifier (GID) is an extra identifier that can be used to identify rights belonging to more than one user.
Access Control
Every file in the system is protected by the standard access-control mechanism. In addition, other objects such as shared-memory sections and semaphores employ the same access system. The only exception is the privileged root UID. A process with this special UID is granted automatic access to any object in the system, bypassing normal access checks. Such processes are also granted permission to perform privileged operations, such as reading any physical memory or opening reserved network sockets. Linux performs access control by assigning objects a protection mask that specifies which access modes (read, write, execute) are to be granted to processes with owner, group, or world access.
Access rights
We already used the long option to list files with the ls -l command. This command also displays file permissions for three user categories; they are indicated by the nine characters that follow the first character (the file type indicator) at the beginning of the file properties line.
Access rights
The first three characters of these nine show the access rights of the user who owns the file. The next three are for the group owning the file, and the last three for other users. The permissions are always in the same order: read, write, execute, for the user, then the group, then the others.
Access rights: Examples
Users with the user name marise, or users belonging to the group users, can read and write (change/move/delete) the file, but they cannot execute it (second and third dash). All other users are only allowed to read this file; they cannot write or execute it (fourth and fifth dash). The second example is an executable file; the difference is that everybody can run this program, but you need to be root to change it.
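The access-control slides describe a check with three ingredients: the owner/group/other classes, the rwx protection mask, and the root bypass. The code below is an added example, not from the original slides or from the kernel: it parses the nine-character string ls -l prints and applies the classic UNIX rule (the Linux implementation additionally consults POSIX ACLs and capabilities, which are left out here). It also covers two edge cases the slides imply but do not spell out: only one class ever applies, so an owner with fewer rights than the group gets the owner rights; and root's bypass does not extend to executing a file that has no x bit at all. The file metadata and process credentials are constructed.

```python
"""Discretionary access check as the slides describe it.

Added example, not from the original slides or the kernel. Models the
classic UNIX owner/group/other check with the root bypass; ACLs and
capabilities are out of scope. All UIDs, GIDs and modes are constructed.
"""

R, W, X = 4, 2, 1  # access bits, one class = an r/w/x triple


def parse_mode_string(s):
    """Turn 'rw-rw-r--' (or the 10-character ls -l form with the type
    indicator) into an (owner, group, other) tuple of bitmasks.
    A lower-case s or t in the execute slot means setuid/setgid/sticky
    WITH the x bit; upper-case S or T means without it."""
    if len(s) == 10:
        s = s[1:]
    if len(s) != 9:
        raise ValueError("expected 9 permission characters")
    classes = []
    for i in range(0, 9, 3):
        bits = 0
        r, w, x = s[i], s[i + 1], s[i + 2]
        if r == "r":
            bits |= R
        if w == "w":
            bits |= W
        if x in ("x", "s", "t"):
            bits |= X
        classes.append(bits)
    return tuple(classes)


def permitted(req, mode, file_uid, file_gid, proc_uid, proc_gids, is_dir=False):
    """Return True if a process with credentials (proc_uid, proc_gids) may
    perform access 'req' (bitmask of R, W, X) on an object whose protection
    mask is mode = (owner, group, other) and which is owned by file_uid:file_gid.

    UID 0 bypasses the mask, with the one exception Linux makes: executing
    a regular file still needs at least one x bit somewhere in the mask.
    For everyone else exactly ONE class applies, chosen in the order
    owner, then group, then other."""
    owner, group, other = mode
    if proc_uid == 0:
        if req & X and not is_dir and not ((owner | group | other) & X):
            return False
        return True
    if proc_uid == file_uid:
        granted = owner
    elif file_gid in proc_gids:
        granted = group
    else:
        granted = other
    return (req & granted) == req


def describe(mode_str, file_uid, file_gid, proc_uid, proc_gids):
    """Convenience wrapper: which of read/write/execute the process gets."""
    mode = parse_mode_string(mode_str)
    return {name: permitted(bit, mode, file_uid, file_gid, proc_uid, proc_gids)
            for name, bit in (("read", R), ("write", W), ("execute", X))}


if __name__ == "__main__":
    # Constructed: file owned by marise (uid 1000), group users (gid 100),
    # mode rw-rw-r-- as in the slide's first example.
    print("marise :", describe("-rw-rw-r--", 1000, 100, 1000, [1000]))
    print("in users:", describe("-rw-rw-r--", 1000, 100, 1001, [100, 1001]))
    print("others :", describe("-rw-rw-r--", 1000, 100, 2000, [2000]))
    print("root   :", describe("-rw-rw-r--", 1000, 100, 0, [0]))
```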
sudo
The sudo command stands for "superuser do". It prompts you for your personal password and confirms your request to execute a command by checking a file called sudoers, which the system administrator configures, while still keeping the superuser password secret. sudo keeps a log of all activity in the /var/log/secure file, so there is an audit trail recording everything done in the name of the system administrator.
sudo
To use the sudo command, at the command prompt, enter:
The sudo command also makes it easier to practise the principle of least privilege (PoLP), a computer security concept that helps control system access and limit potential exploits and compromises.
sudo
sudo accepts the following command line options:
-l  The -l (list) option lists the allowed (and forbidden) commands for the user on the current host.
-v  If given the -v (validate) option, sudo updates the user's timestamp, prompting for the user's password if necessary.
-k  The -k (kill) option invalidates the user's timestamp by setting its time to the epoch. This option does not require a password and was added to allow a user to revoke sudo permissions from a .logout file.
-K  The -K (sure kill) option removes the user's timestamp entirely.
-p  The -p (prompt) option allows you to override the default password prompt and use a custom one.
sudo
-a  The -a (authentication type) option causes sudo to use the specified authentication type when validating the user, as allowed by /etc/login.conf. The system administrator may specify a list of sudo-specific authentication methods by adding an "auth-sudo" entry in /etc/login.conf. This option is only available on systems that support BSD authentication where sudo has been configured with the --with-bsdauth option.
-u  The -u (user) option causes sudo to run the specified command as a user other than root. To specify a uid instead of a username, use #uid.
-H  The -H (HOME) option sets the HOME environment variable to the home directory of the target user (root by default). By default, sudo does not modify HOME.
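The sudoers check behind "sudo", the -l listing and the -u target user are easiest to understand by evaluating a few rules by hand. The model below is an added example, not sudo's own code: it handles only the common "user host = (runas) [NOPASSWD:] command, command" rule form, with ALL and %group entries and exact command paths, and applies sudo's rule that the last matching entry wins. Aliases, wildcards, Defaults lines and argument matching are not modelled. The sudoers text, users and group membership are constructed.

```python
"""Simplified model of the sudoers check: may this user, on this host, run
this command as that target user, and is a password required?

Added example, not sudo's own implementation. SAMPLE_SUDOERS and GROUPS
are constructed; only the common rule form is supported.
"""

import re

SAMPLE_SUDOERS = """\
# constructed sample sudoers
root    ALL=(ALL) ALL
%wheel  ALL=(ALL) ALL
alice   ALL=(root) /usr/bin/systemctl, /usr/bin/journalctl
bob     web1=(root) NOPASSWD: /usr/sbin/service
"""

# Constructed group membership: group name -> set of members.
GROUPS = {"wheel": {"carol"}, "users": {"alice", "bob", "carol"}}

# who  host = (runas) [NOPASSWD:] cmd, cmd   (runas defaults to root)
RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Return the rule lines as dicts; comments, blanks and Defaults
    lines are skipped, lines that do not fit the supported form too."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE.match(line)
        if not m:
            continue
        cmds = m.group("cmds").strip()
        nopasswd = cmds.startswith("NOPASSWD:")
        if nopasswd:
            cmds = cmds[len("NOPASSWD:"):].strip()
        rules.append({
            "who": m.group("who"),
            "host": m.group("host"),
            "runas": (m.group("runas") or "root").strip(),
            "nopasswd": nopasswd,
            "cmds": [c.strip() for c in cmds.split(",")],
        })
    return rules


def _who_matches(who, user):
    """'%name' is a group entry; anything else is a user name."""
    if who.startswith("%"):
        return user in GROUPS.get(who[1:], set())
    return who == user


def check(rules, user, host, runas, command):
    """Return (allowed, password_required). As in sudo, the LAST matching
    rule decides, so later lines override earlier ones."""
    result = (False, True)
    for r in rules:
        if not _who_matches(r["who"], user):
            continue
        if r["host"] not in ("ALL", host):
            continue
        if r["runas"] not in ("ALL", runas):
            continue
        if "ALL" in r["cmds"] or command in r["cmds"]:
            result = (True, not r["nopasswd"])
    return result


def list_privileges(rules, user, host):
    """Rough equivalent of 'sudo -l': the rules that apply to user on host."""
    return [
        f"({r['runas']}) {'NOPASSWD: ' if r['nopasswd'] else ''}{', '.join(r['cmds'])}"
        for r in rules
        if _who_matches(r["who"], user) and r["host"] in ("ALL", host)
    ]


if __name__ == "__main__":
    rules = parse_sudoers(SAMPLE_SUDOERS)
    print("alice systemctl as root on web1:", check(rules, "alice", "web1", "root", "/usr/bin/systemctl"))
    print("bob service on db1:", check(rules, "bob", "db1", "root", "/usr/sbin/service"))
    print("sudo -l for carol:", list_privileges(rules, "carol", "db1"))
```

When reviewing a real sudoers file, the entries worth the closest look are the ones this model flags as (True, False): NOPASSWD rules, and any rule whose command list is ALL or names a program that can spawn a shell, since those grant far more than the one task the rule was written for.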
The su Command
The su command stands for "switch user" and allows you to become another user. To use su on a per-command basis, enter:
su user -c command
(Replace user with the name of the account you'd like to run the command as, and command with the command you need to run as that user.)
To switch users before running many commands, enter:
su user
(Replace user with the name of the account you'd like to run the commands as.)
The user argument is optional; if you don't provide one, su defaults to the root account, which in Unix is the system administrator account. In either case, you'll be prompted for the password of the account you're switching to. If you supply a user, you will be logged in as that account until you exit it.
References
Operating System Concepts, 8th edition, Abraham Silberschatz, Peter B. Galvin, Greg Gagne
http://www.cybercity.biz/tips/linux-security.html
http://en.wikipedia.org/wiki/Access_control
http://en.wikipedia.org/wiki/Comparison_of_operating_systems
http://en.wikipedia.org/wiki/Sudo
Thank you…!