OS Hardening
Justin Whitehead, Francisco Robles
ECE Internetwork Security

OS Hardening
– Installing kernel and application security patches and configuring the system so that an attacker has as few ways as possible to exploit it.
Motivations: Why?
– Add security features that are not present in a default install
  – Vendors leave default installs open (more services running, looser permissions) so the system is easier to customize
  – Kernel- and system-level patches remove whole classes of bugs (e.g. a non-executable stack stops many stack overflows), so they help against both known and not-yet-discovered bugs
– Bugs and exploits in the installed software
How
– Apply security patches to the Linux kernel
– Apply bug-fix patches to application software
– Install security tools
– Enable extra system logging and auditing
– Set system rules and policies
– Restrict user privileges
– Disable unnecessary processes
The Best in Hardening: grsecurity
– Kernel patch
– Features:
  – Non-executable stack
  – Change root (chroot) hardening
  – /tmp race prevention
  – Extensive auditing
  – Additional randomness in the TCP/IP stack
  – /proc restrictions
Hardening Utilities: Bastille Linux
– Automated security program, driven by a security wizard
  – SUID restrictions
  – SecureInetd
  – DoS attack detection and prevention
  – Automated firewall scripting
  – User privileges
  – Education (explains each setting it proposes)
Common Issues and Exploits
– Stack-based attacks
– /proc
– /tmp
– SUID
– TCP sequence numbers
/proc
– /proc is a pseudo-filesystem through which the kernel exposes information about running processes and kernel state
– A few entries are writable (kernel tunables), but most are read-only; even so, any local user can read them to learn which processes exist, who owns them, and with what arguments they were started, which is useful reconnaissance for an attacker
/proc Solutions: grsecurity
– Restricts /proc so that unprivileged users see only their own processes and cannot learn who owns the others
– Option to hide kernel processes
– Protects the per-process file-descriptor and memory entries (/proc/<pid>/fd, /proc/<pid>/mem) from other users
/tmp Exploits
– /tmp is a shared, world-writable directory that many programs use to create and access scratch files
– No special permissions are needed to create files there, so an attacker can create files and links under names a program is about to use
– Programs that use /tmp must be written carefully (unpredictable names, exclusive creation) to avoid being attacked through it

/tmp Exploits: Race Condition
– The attacker replaces the file between the moment a program chooses or checks a name and the moment it opens it
  – Whoever gets to the name first "wins the race"; if that is the attacker, the program then operates on the attacker's data
– If the attacker plants a symlink under the expected name, the program creates or overwrites a file wherever the link points, anywhere on the system
  – When the program runs as root, that can mean overwriting a file only root may write, and so gaining root access
/tmp Solutions
– grsecurity: restricts symlinks and hardlinks in world-writable sticky directories such as /tmp (a symlink is only followed if the process or the directory owner owns it, and users cannot hardlink files they do not own); mainline Linux later adopted the same idea as the fs.protected_symlinks and fs.protected_hardlinks sysctls
– Bastille: points TMPDIR at a private, user-owned temporary directory, so a process's scratch files do not live in the shared /tmp and other users have no name to race
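The race on the previous slides, as an added example that is not part of the lecture and not grsecurity's or Bastille's code: a POSIX shell script that plays the privileged program, the attacker and the two mitigations in a throwaway sandbox directory created by the script (assumed to stand in for /tmp; everything runs as an ordinary user, and the names scratch.dat and demo_tmp_race are the author's choices for the demo).

```shell
#!/bin/sh
# Added example, not from the lecture: a /tmp symlink race in miniature.
# Everything runs as an ordinary user inside a sandbox directory created by
# the demo below, so nothing outside that directory is touched. In a real
# attack the writer runs as root and the victim is a file only root may write.

# Vulnerable pattern: a guessable name in a shared, world-writable directory,
# written with a plain '>' redirect. open(2) follows whatever is at that name,
# so a symlink planted by another user redirects the write.
unsafe_tmp_write() {          # $1 = shared scratch dir, $2 = data to write
    printf '%s\n' "$2" > "$1/scratch.dat"
}

# Attacker's move: win the race by creating the expected name first, as a
# symlink to the file the attacker wants overwritten.
plant_symlink() {             # $1 = shared scratch dir, $2 = target file
    ln -s "$2" "$1/scratch.dat"
}

# Hardened pattern: mktemp creates the file with O_CREAT|O_EXCL under an
# unpredictable name, so a pre-planted symlink can neither be guessed nor
# followed; if the name already existed, creation would fail instead.
# Prints the path actually used.
safe_tmp_write() {            # $1 = shared scratch dir, $2 = data to write
    f=$(mktemp "$1/scratch.XXXXXXXXXX") || return 1
    printf '%s\n' "$2" > "$f" && printf '%s\n' "$f"
}

# Bastille-style mitigation: a private 0700 scratch directory for the user
# (what TMPDIR would point at). Other users cannot create anything in it,
# so there is no name for them to race. Prints the directory.
private_tmpdir() {            # $1 = directory to create
    mkdir -p -m 700 "$1" && chmod 700 "$1" && printf '%s\n' "$1"
}

# Stand-alone demo in a throwaway sandbox.
demo_tmp_race() {
    sandbox=$(mktemp -d) || return 1
    mkdir "$sandbox/shared"
    printf 'original\n' > "$sandbox/victim"

    plant_symlink "$sandbox/shared" "$sandbox/victim"
    unsafe_tmp_write "$sandbox/shared" "attacker data"
    printf 'after unsafe write, victim contains: %s\n' "$(cat "$sandbox/victim")"

    printf 'original\n' > "$sandbox/victim"
    used=$(safe_tmp_write "$sandbox/shared" "attacker data")
    printf 'safe write went to %s; victim contains: %s\n' "$used" "$(cat "$sandbox/victim")"

    private_tmpdir "$sandbox/private" > /dev/null
    printf 'private dir mode: %s\n' "$(ls -ld "$sandbox/private" | cut -c1-10)"
    rm -rf "$sandbox"
}
demo_tmp_race
```

The unsafe write silently replaces the victim's contents because the redirect opens the symlink's target; the mktemp version writes to a fresh file whose name the attacker could not have planted. The same O_EXCL discipline applies in C via mkstemp(3) or open(2) with O_CREAT|O_EXCL (plus O_NOFOLLOW).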
SUID Exploits
– SUID (set-user-ID): a program with the SUID bit set runs with the privileges of the file's owner, not of the user who started it
– Example: passwd, owned by root, because it must update the password database
– A bug in a SUID-root program therefore hands the attacker root:
  – Bad or unchecked inputs
  – Buffer overflows
SUID Solutions: Bastille
– Removes the SUID bit from programs it believes ordinary users should not need to run anyway
  – mount and umount, for example, if users do not need to mount media themselves
  – Each choice is left up to the administrator
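An added example, not part of the lecture and not Bastille's own code, of the before/after SUID comparison the lab asks for: a POSIX shell script that inventories set-user-ID files under a directory given as a parameter (the real run would use / as root), saves a snapshot, drops the bit from a program the administrator has decided users do not need, and diffs the two snapshots. The function names and the sandbox with fake mount, umount and ls files are the author's assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the lecture or from Bastille: take a before/after
# inventory of set-user-ID programs and drop the bit from ones users do not need.

# List every setuid regular file under $1, one path per line, sorted so that
# two snapshots can be compared with comm(1).
# -perm -4000 matches files with the setuid bit whatever the other mode bits are.
list_suid() {                 # $1 = directory to scan (/ on a real system)
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Compare two snapshot files written by list_suid.
# '- ' lines lost the bit since the baseline (expected after hardening);
# '+ ' lines are setuid files that appeared, which deserve a closer look.
suid_diff() {                 # $1 = baseline snapshot, $2 = current snapshot
    comm -23 "$1" "$2" | sed 's/^/- /'
    comm -13 "$1" "$2" | sed 's/^/+ /'
}

# Remove the setuid bit from one program the administrator decided users do
# not need (Bastille asks the same question per program, e.g. for mount).
drop_suid() {                 # $1 = path to the program
    chmod u-s "$1"
}

# Number of setuid files under $1, for a one-line before/after summary.
count_suid() {                # $1 = directory to scan
    list_suid "$1" | wc -l | tr -d ' '
}

# Stand-alone demo against a sandbox that imitates a small /bin.
# The files are empty stand-ins created by the demo, not real binaries.
demo_suid_audit() {
    sandbox=$(mktemp -d) || return 1
    mkdir "$sandbox/bin"
    for p in mount umount ls; do : > "$sandbox/bin/$p"; done
    chmod 4755 "$sandbox/bin/mount" "$sandbox/bin/umount"   # pretend setuid root
    chmod 0755 "$sandbox/bin/ls"

    list_suid "$sandbox" > "$sandbox/before.txt"
    printf 'before: %s setuid files\n' "$(count_suid "$sandbox")"
    drop_suid "$sandbox/bin/mount"
    list_suid "$sandbox" > "$sandbox/after.txt"
    printf 'after: %s setuid files\n' "$(count_suid "$sandbox")"
    suid_diff "$sandbox/before.txt" "$sandbox/after.txt"
    rm -rf "$sandbox"
}
demo_suid_audit
```

On the real lab machine, run list_suid / before Bastille, keep the file, and run it again afterwards: the '- ' lines of suid_diff are exactly the programs Bastille disarmed, and any '+ ' line on a hardened host is something to investigate.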
TCP/IP Stack Randomization
– If an attacker can guess a host's initial sequence numbers (ISNs), for example because they advance by a fixed step per connection, the attacker can:
  – Hijack an existing session by injecting segments with the right sequence numbers
  – Complete a forged three-way handshake from a spoofed source IP without ever seeing the server's replies
– Security patches such as grsecurity add more randomness to ISN generation so that the next ISN cannot be predicted from the previous ones
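An added example, not part of the lecture, of how the captured TCP data can be judged: a POSIX shell script (awk does the arithmetic) that reads the ISNs from the SYN/ACKs of successive connections, one decimal number per line, and reports whether they follow a near-constant step. The ISN lists in the demo are constructed by the author to show the two cases, not real captures from Red Hat 8.0 or a grsecurity kernel; the function names and the tolerance of 1000 are assumptions.

```shell
#!/bin/sh
# Added example, not from the lecture: judging whether a host's TCP initial
# sequence numbers (ISNs) are predictable. Feed it one ISN per line, in
# decimal, taken from the SYN/ACK of each successive connection in a capture.
# The ISN data in the demo below is constructed, not a real capture.

# Print the difference between successive ISNs, modulo 2^32 (sequence
# numbers wrap). %.0f avoids 32-bit overflow in some awk implementations.
isn_deltas() {
    awk 'NR > 1 { d = $1 - prev; if (d < 0) d += 4294967296; printf "%.0f\n", d }
         { prev = $1 }'
}

# Exit 0 (predictable) if every delta lies within $1 of the first delta,
# i.e. the ISN is a counter that advances by a near-constant step per
# connection, the classic guessable scheme. Exit 1 otherwise.
isn_predictable() {           # $1 = tolerance in sequence-number units
    isn_deltas | awk -v tol="$1" '
        NR == 1 { ref = $1 }
        { if ($1 > ref + tol || $1 < ref - tol) bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# What an attacker would guess for the next ISN of a counter-style host:
# the last observed ISN plus the observed step, modulo 2^32.
isn_guess_next() {
    awk 'NR == 1 { first = $1 }
         NR == 2 { step = $1 - first; if (step < 0) step += 4294967296 }
         { last = $1 }
         END { printf "%.0f\n", (last + step) % 4294967296 }'
}

# Print a verdict for one labelled list of ISNs.
report_isn() {                # $1 = label, $2 = newline-separated ISNs
    if printf '%s\n' "$2" | isn_predictable 1000; then
        printf '%s: predictable, next ISN guess %s\n' "$1" \
            "$(printf '%s\n' "$2" | isn_guess_next)"
    else
        printf '%s: not predictable from a constant step\n' "$1"
    fi
}

# Stand-alone demo with constructed data.
demo_isn() {
    # Constructed "before": a counter stepping by 64000 per connection.
    counter="1000
65000
129000
193000
257000"
    # Constructed "after": values with no common step.
    random="3391830210
122984511
2977231488
1790312395
4017366120"
    report_isn counter "$counter"
    report_isn random "$random"
}
demo_isn
```

A host that passes isn_predictable with a small tolerance is one whose sessions can be hijacked or spoofed blind; after the grsecurity patch the deltas from the capture should look like the second list. The check only catches the simplest counter-style generator, which is the case the slide describes; a statistically weak but non-linear generator needs more samples and a real randomness test.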
What You Will Be Doing
– Base Red Hat 8.0 install
– Run a series of exploits and collect TCP traffic data
– Apply the grsecurity patch to the kernel and recompile the kernel
– Configure the system with Bastille Linux
Before and After (repeated at each stage)
– Port scan
– TCP data capture
– Running a stack exploit
– Running /tmp and SUID exploits
– Comparing user privileges:
  – SUID programs
  – Access to gcc
  – /proc
Base Install: RH 8.0
– Telnet, FTP and other insecure inetd services running
– No firewall
– No Red Hat updates applied
– Minimum security settings
grsecurity Patch
– Apply the patch to the kernel, rebuild the kernel
– Perform the stack exploit
– Perform the port scan
– Record differences in /proc
– Perform the /tmp exploit
– Compare results to the base install
Bastille Linux
– Install and run
– Configure the SecureInetd daemon
– Disable problematic daemons and SUID programs
– Configure the firewall
– Enable /tmp security
– Repeat the previous tests