Linux Networking and Security
Chapter 10: File Security
- Correctly set up special Linux file permissions
- Monitor log files to check for suspicious system activity
- Automate checks for file integrity and unauthorized modifications
Reviewing Linux File Permissions
- Unauthorized users may want to:
  - view files to access data or to see how security settings are configured
  - delete data to make it unavailable, disrupt business plans, or corrupt system configurations
  - modify existing files or create new files, either to corrupt data, to cover signs of their activity, or to alter security settings for their continued purposes
- The first line of defense is careful use of Linux file permissions
Reviewing Linux File Permissions
- For any file or directory, the standard Linux file permissions are:
  - read (represented by r)
  - write (represented by w)
  - execute (represented by x)
- Each can be assigned to:
  - the owner of the file or directory (u, for user)
  - a group defined in /etc/group (g)
  - all other users who are logged in but who are neither the owner nor members of the named group (o)
Reviewing Linux File Permissions
- Several Linux distributions use a technique called User Private Groups to enhance file-based security
- Because every file and directory is assigned both a user and a group, each with separate permissions, it is more secure to have a group with only a single member, then make that the default group for all files created by that user
Reviewing Linux File Permissions
- Other group-related techniques help manage file security:
  - When SGID is set on a directory, any file created within that directory is assigned the group of the directory, rather than the group of the user that creates the file
  - Members of a group can be denied access, which implies that all authorized users have a certain level of access, but users of this particular group cannot access the file or directory
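As an added example (not from the chapter), the following shell functions audit a directory tree for the permission settings discussed on these slides: setuid and setgid programs, SGID directories, world-writable files, and files whose group has been denied what other users are allowed. It uses only POSIX find(1) with octal -perm tests; the findings are a review list, since an SGID directory or a group-denied file may be exactly what the administrator intended.

```shell
#!/bin/sh
# Added example, not from the chapter: audit a directory tree for the
# permission settings discussed above, using POSIX find(1) octal -perm tests.
# A finding is not always a fault: an SGID directory or a file whose group is
# denied access may be exactly what the administrator intended, so the output
# is a review list, not a list of errors.

# audit_perms DIR : print one line per finding as "KIND path"
audit_perms() {
    d=$1
    # setuid programs run with their owner's privileges
    find "$d" -type f -perm -4000 | sed 's/^/SETUID /'
    # setgid programs run with their group's privileges
    find "$d" -type f -perm -2000 | sed 's/^/SETGID-FILE /'
    # SGID on a directory: new files inherit the directory's group
    find "$d" -type d -perm -2000 | sed 's/^/SGID-DIR /'
    # any logged-in user can modify these
    find "$d" \( -type f -o -type d \) -perm -0002 | sed 's/^/WORLD-WRITABLE /'
    # the "deny a group" pattern: others may read but the group may not
    find "$d" -type f -perm -0004 ! -perm -0040 | sed 's/^/GROUP-DENIED /'
}

# count_findings DIR : number of lines audit_perms reports
count_findings() {
    audit_perms "$1" | wc -l | tr -d ' '
}

# Usage: audit_perms /etc
```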
Using the System Log for Security Checks
- System log files may reveal security problems
- These files record the activity of programs such as login, FTP, servers, and many others
- System log messages are usually written to /var/log/messages
- A number of utilities can help watch for log messages that indicate potential security violations
Using the System Log for Security Checks
- Log files require regular attention because they can become very large
- The logrotate command helps automate compressing and archiving log files, so that the logs don't grow unreasonably large and so that older log data can be stored in another location
- logrotate is executed through the cron job entry stored in /etc/cron.daily and is configured by /etc/logrotate.conf
Using the System Log for Security Checks
- The programs running on a Linux system are constantly adding to their corresponding log files, and this information needs to be tracked
- The log file information can be viewed by:
  - opening the log file in a text editor
  - using the grep or tail commands
- If running Linux with a graphical desktop, use the xlogmaster program to view system resources, including the system log file
Using the System Log for Security Checks
- The logcheck package does much more than display log entries: it checks them hourly for suspicious entries and, if any are found, they are e-mailed to the root user
- The logcheck package is not part of most Linux distributions, but it can be obtained from various Internet download sites
- The commercial version of logcheck is called LogSentry, offered by Psionic Technologies
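To show what the grep-based review on the previous slide and logcheck's hourly scan have in common, here is an added example (not the chapter's code and not logcheck itself) that scans syslog-format lines for patterns worth a closer look, remembers how far it got in a state file so that each run reports only new entries, and starts over if the log has been rotated. The host name, addresses and log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the chapter: a small logcheck-style scan of
# syslog-format lines. Like logcheck's hourly cron job, it remembers how far
# it got (a line count in a state file) and reports only new entries.
# The log lines, host name and addresses below are constructed.

# Extended regular expressions, one per line, that merit a closer look.
SUSPICIOUS_PATTERNS='Failed password
authentication failure
Invalid user
su: FAILED
promiscuous mode'

# write_sample_log FILE : constructed /var/log/messages-style sample
write_sample_log() {
    cat > "$1" <<'EOF'
Mar  3 02:11:07 srv sshd[1411]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2
Mar  3 02:13:40 srv sshd[1420]: Failed password for root from 198.51.100.7 port 4431 ssh2
Mar  3 02:13:44 srv sshd[1420]: Failed password for root from 198.51.100.7 port 4431 ssh2
Mar  3 02:14:02 srv sshd[1423]: Invalid user admin from 198.51.100.7
Mar  3 02:20:15 srv su: FAILED su for root by bob
Mar  3 02:25:00 srv cron[1200]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 02:31:12 srv kernel: device eth0 entered promiscuous mode
EOF
}

# scan_new LOG STATEFILE : print suspicious lines added since the last run,
# then record the current line count in STATEFILE
scan_new() {
    log=$1; state=$2; last=0
    if [ -f "$state" ]; then last=$(cat "$state"); fi
    total=$(wc -l < "$log" | tr -d ' ')
    # a shorter file than last time means logrotate replaced it: rescan from the top
    if [ "$total" -lt "$last" ]; then last=0; fi
    pat=$(mktemp)
    printf '%s\n' "$SUSPICIOUS_PATTERNS" > "$pat"
    # tail -n +N prints from line N onward; grep exits 1 when nothing matches
    tail -n +"$((last + 1))" "$log" | grep -E -f "$pat" || true
    rm -f "$pat"
    printf '%s\n' "$total" > "$state"
}

# count_new LOG STATEFILE : number of new suspicious lines (what would be mailed to root)
count_new() {
    scan_new "$1" "$2" | wc -l | tr -d ' '
}
```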
Maintaining File Integrity
- It is necessary to keep track of the state of important system files and watch for unexpected changes, because some crackers can gain access without the system log indicating a problem
- Once a cracker has obtained root access, one way to maintain that access is to use a rootkit, a collection of programs and scripts designed to permit continued access even if the original break-in is discovered
Maintaining File Integrity
- The chkrootkit package is used to check the system for evidence of a rootkit
- This package includes a script that works much like a virus checker; though it can report the presence of a rootkit, it cannot eliminate it from the system
- chkrootkit can check for modifications to user login files and for loadable kernel modules (LKMs), which permit complete access to your system
Maintaining File Integrity
- If a rootkit is discovered on the system:
  - If possible, shut down networking on the server until the problem is cleaned up
  - Back up the entire system, including all of the operating system files and all data files; this data can be reviewed later to assist in tracking down the cracker
  - Rebuild the system, either by updating the infected packages or by reinstalling the entire operating system
Maintaining File Integrity
- A broader, more constant approach to file security than checking for rootkits is to watch the integrity of files on the system
- Tripwire is the best-known integrity checker
- Tripwire is available in a free version included with many Linux distributions; a commercial version is available from Tripwire, Incorporated
Maintaining File Integrity
- To use Tripwire, start with a freshly installed system before it is connected to any network
- Tripwire creates a baseline, or snapshot, of the critical system files according to a policy configured by the system administrator
- Once the baseline is established, Tripwire is run at regular intervals to see whether the state of the system has changed
- Tripwire configuration files are protected by a cryptographic signature
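The baseline-then-compare cycle described above, as an added example that is not Tripwire's code and not part of the chapter: one function records a SHA-256 hash and the file mode of every regular file under a directory on a clean system, and another reports files that were later modified, added or removed. It assumes GNU coreutils (sha256sum, stat -c) and paths without whitespace; where Tripwire signs its database, this version only makes the file read-only, so in practice it belongs on read-only media.

```shell
#!/bin/sh
# Added example, not from the chapter and not Tripwire's own code: the
# baseline-then-compare cycle Tripwire follows, reduced to a SHA-256 hash and
# file mode per regular file. Assumes GNU coreutils (sha256sum, stat -c) and
# paths without whitespace. Tripwire signs its database; here the baseline is
# merely made read-only, so keep it on read-only media in practice.

# snapshot DIR : print "sha256 mode path" for every regular file, sorted by path
snapshot() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        h=$(sha256sum "$f" | cut -d' ' -f1)
        m=$(stat -c '%a' "$f")
        printf '%s %s %s\n' "$h" "$m" "$f"
    done
}

# baseline_create DIR DBFILE : take the snapshot on a clean system and save it
baseline_create() {
    snapshot "$1" > "$2"
    chmod 0400 "$2"
}

# baseline_check DIR DBFILE : compare the current state with the baseline.
# Prints one line per difference; returns 1 if anything changed, else 0.
baseline_check() {
    cur=$(mktemp)
    snapshot "$1" > "$cur"
    diffs=$(awk '
        FNR == NR { base[$3] = $1 " " $2; next }   # first file: the baseline
        { curr[$3] = $1 " " $2 }                   # second file: current state
        END {
            for (p in base) {
                if (!(p in curr)) print "REMOVED  " p;
                else if (base[p] != curr[p]) print "MODIFIED " p
            }
            for (p in curr) if (!(p in base)) print "ADDED    " p
        }' "$2" "$cur")
    rm -f "$cur"
    if [ -n "$diffs" ]; then
        printf '%s\n' "$diffs"
        return 1
    fi
    return 0
}

# Usage: baseline_create /etc /mnt/cdrom/etc.db   (once, on a clean system)
#        baseline_check  /etc /mnt/cdrom/etc.db   (from cron, at regular intervals)
```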
Maintaining File Integrity
- Another file integrity checker is Samhain; some of its key features are:
  - Runs as a daemon instead of a cron job
  - Can detect kernel modules that were loaded as part of a rootkit
  - Can operate in a client/server environment
  - Report and audit logs are supported
  - Database and configuration files are signed
  - Runs on a number of UNIX and Linux platforms
  - HTML status pages show information about any client system being monitored
Maintaining File Integrity
- For more tools regarding file integrity, consider installing the binutils package
- binutils includes more than a dozen utilities useful for exploring the contents of files:
  - objdump allows examination of the contents of a file byte by byte
  - strings lists all the text strings within any binary file, including system utilities and shared libraries
Chapter Summary
- Crackers who break into a system typically want to view or modify the files on that system, either for their own direct use or to cause problems for the organization running the server
- Linux file permissions do not allow such sophisticated control as some other operating systems, because they only permit assigning rights to a file's owner, a single group, and all other users
- User Private Groups enhance security by creating a group for each new user account; when that user creates files, no other group member will have access to them
Chapter Summary
- Using file permissions can create unexpected results unless you are familiar with their exact consequences
- Log files are important to system security because they may contain evidence of crackers attempting to break into a system, or of actions by programs running on the system that indicate security issues
- Rotating logs keeps them a manageable size and permits easy backup by breaking log entries into groups by date
- Running the logrotate command as a cron job makes automated log rotation easy
Chapter Summary
- System services are continually adding lines to the log files, which are often reviewed using the grep search utility or the tail program
- The xlogmaster program displays log file and other system data in a graphical window
- The logcheck utility package watches log files for specific words and phrases that may indicate an attempted or successful security breach
- The commercial version of logcheck is called LogSentry and is available from Psionic Technologies
Chapter Summary
- Crackers hide their activities by replacing system utilities with new versions designed to ignore special cracker-related files, or to avoid reporting the cracker's processes and network connections
- A rootkit helps a cracker easily install a number of programs on a compromised system that permit continued root access; the chkrootkit package can detect many of these, much like a virus checker
- Linux rootkits often include loadable kernel modules (LKMs), which are particularly useful to crackers and difficult to detect without the proper software
Chapter Summary
- To remove a rootkit, you can reinstall the affected programs, or you may choose to reinstall the entire operating system
- A simple step to protect a system from further damage by rootkits is to store statically linked copies of core utilities on diskette or CD-ROM, to use when examining a system with a suspected rootkit
- Regularly checking the integrity of system utilities and configuration files will help you identify changes made by unauthorized users; Tripwire is the most widely used utility for checking the integrity of files and directories
Chapter Summary
- To use Tripwire, you set up policy and configuration text files, generate policy and configuration binary files with cryptographic signatures, then establish a baseline snapshot of the system; comparison snapshots are made at regular intervals to detect unexpected system alterations
- Tripwire utilities such as twprint and twadmin let you maintain up-to-date policy files and manage the Tripwire reports
Chapter Summary
- Another impressive file integrity-checking package is Samhain; it provides a client/server model that allows maintenance of multiple servers from a central location, and it runs continually rather than occasionally, as Tripwire does
- The binutils package includes several useful utilities for exploring Linux files; the strings command is one example, and it displays all text strings stored in any binary file