Presentation transcript:

1 LINUX SECURITY

2 Outline
Introduction
- UNIX file permission
- SUID / SGID
- File attributes

3 Securing LINUX box
- Hidden files
- Tightening script files
Control mounting a file system

4 Logging
- Syslogd
- Klogd
- Remote logging
- Shell logging

5 UNIX file permissions
- Each directory and file on the system has a set of permission flags which specify read, write, and execute permissions for the 'user', 'group', and 'other'.
- 'ls' with the -l option gives information on file permissions.

6 Binary / Octal representation
- File permissions can be changed using octal notation.
- Octal 744 = Binary 111 100 100 (user rwx, group r--, other r--).
- chmod command, e.g.: chmod 744 myfile

7 SUID/SGID
- A setuid program is a program which has its setuid bit set.
- sgid = 2, suid = 4, both = 6 (octal value prepended to the standard permission set, e.g. 4755).
- If the owner of the setuid program is root, then the commands in the program run with root privileges.
- suid/sgid: is it a threat?

8 Locating SUID/SGID programs
- find command: to find all files with the suid or sgid bits set:
  # find / -type f \( -perm -4000 -o -perm -2000 \) -ls
- To disable the suid bits on selected programs, use the chmod command. Ex:
  # chmod a-s /bin/mount

9 File Attributes
- The Linux ext2 file system supports the following file attributes:
  'A' - Don't update the access time
  'S' - Synchronous updates
  'a' - Append only
  'c' - Compressed

10 Contd
  'i' - Immutable
  'd' - No dump
  's' - Secure deletion
  'u' - Undeletable
- chattr: changes the file attributes. The format is +|-|= [ASacdisu]
  # chattr +a myfile
- lsattr: lists the attributes for a file
  # lsattr myfile

11 Hidden Files
- Hidden files can be used to hide tools and password cracking programs.
  # find / -name "..*" -print
  # find / -name ".*" -print

12 World Writable files
- Group and world writable files and directories can be a security hole.
- Look for the files and directories that should not be group or world writable (-perm /022 is the current GNU findutils spelling of the older -perm +022):
  # find / -type f -perm /022 -ls
  # find / -type d -perm /022 -ls

13 Unowned files
- Files with no owner.
- Potential threat.
- Sometimes we may uninstall a program and get unowned files.
  # find / -nouser -o -nogroup
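The three find audits from slides 8, 12 and 13 combined into one script, added here as an example that is not part of the original deck. It assumes GNU findutils (where -perm /MODE replaced -perm +MODE) and builds its own sample tree in a temporary directory instead of scanning real system files.

```shell
#!/bin/sh
# Added example (not from the deck): audit a directory tree for the three classes of
# risky files the slides describe: setuid/setgid files, group- or world-writable
# files and directories, and files with no valid owner or group.
# Assumes GNU findutils: -perm /MODE means "any of these bits set" (old -perm +MODE).

audit_tree() {   # $1 = root directory to scan; -xdev keeps find on one file system
    root="$1"
    echo "== setuid/setgid files under $root =="
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -ls
    echo "== group/world-writable files and directories under $root =="
    find "$root" -xdev \( -type f -o -type d \) -perm /022 -ls
    echo "== files with no valid owner or group under $root =="
    find "$root" -xdev \( -nouser -o -nogroup \) -ls
}

# Counters for one class each, used by the self-check (they print only a number).
count_setuid() { find "$1" -xdev -type f -perm -4000 | wc -l | tr -d ' '; }
count_wwrite() { find "$1" -xdev -type f -perm /022 | wc -l | tr -d ' '; }

# Constructed sample tree in a temporary directory: one normal file, one setuid
# binary, one setgid binary and one world-writable file. Prints the directory.
make_sample() {
    d=$(mktemp -d)
    : > "$d/normal";     chmod 644  "$d/normal"
    : > "$d/setuid_bin"; chmod 4755 "$d/setuid_bin"
    : > "$d/sgid_bin";   chmod 2755 "$d/sgid_bin"
    : > "$d/world_w";    chmod 666  "$d/world_w"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample)
    audit_tree "$sample"      # setuid_bin, sgid_bin and world_w should be listed
    rm -rf "$sample"
fi
```

Run with --demo to see the three listings on the sample tree; point audit_tree at / (as root) for the real checks the slides describe.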

14 Tightening script files
- Script files are responsible for starting and stopping all your normal processes.
  # chmod -R 700 /etc/rc.d/init.d/*
- No reason for users to be able to view or edit startup scripts.

15 Removing banner info
- Edit the /etc/rc.d/rc.local file and comment out the following lines:
  # echo "" > /etc/issue
  # echo "$R" >> /etc/issue
  # echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
- Remove the files issue.net and issue under /etc:
  # rm -f /etc/issue
  # rm -f /etc/issue.net

16 /etc/services file
- This file contains information about the port numbers on which standard services are offered.
- Should be protected:
  # chattr +i /etc/services
- Similar for other important files: /etc/passwd, /etc/shadow, /etc/group, configuration files. Note that an immutable /etc/passwd or /etc/shadow also blocks passwd and the user-management tools until the attribute is removed again with chattr -i.

17 Control mounting a file system
- In Linux all file systems (hard drives, CD-ROMs, floppy drives etc.) are mounted onto one logical tree with root (/) being the parent directory.
- The ext2 file system enforces a security model.

18 Mount
- The mount command attaches a file system to the file system hierarchy at the mount point.
- The standard form of the mount command:
  mount -t type device dir

19 Options
- defaults: allow suid, read-write, quota.
- nosuid: do not honour SUID/SGID bits on this partition.
- nodev: do not interpret character or block special devices on this partition.
- ro: mount this partition read-only.
- rw: mount this partition read-write.

20 /etc/fstab
- Text file containing information about how the different partitions on the hard disk are mounted into Linux directories.
- Each entry has 6 fields, namely:
  block_device | mount_point | type | options | dump | pass

21 contd
- Block-device: the partition on the hard disk.
- Mount-point: local directory where the partition is mounted.
- Type: type of partition or file system.
- Options: see mount(8).
- Dump: whether the partition should be dumped for backups.
- Pass: order in which fsck checks the file system for corruption at boot time.
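A small checker for the six-field /etc/fstab format described on slides 19 to 21, added here as an example and not part of the original deck: it parses each entry and reports user-writable mount points whose options field lacks the nosuid and nodev options from slide 19. The fstab text is a constructed sample, and the list of mount points treated as user-writable is an assumption.

```shell
#!/bin/sh
# Added example (not from the deck): parse fstab-format text and flag entries for
# user-writable mount points that do not carry nosuid and nodev.
# Fields: block_device mount_point type options dump pass (whitespace separated).
# The set of mount points treated as user-writable is an assumption for the example.

check_fstab() {   # reads fstab text on stdin, prints one line per finding
    awk '
      /^[[:space:]]*#/ || NF == 0 { next }          # skip comments and blank lines
      NF < 4 { print $2 ": malformed entry (" NF " fields)"; next }
      $2 == "/tmp" || $2 == "/home" || $2 == "/var" {
          n = split($4, opt, ",")                   # options field is comma separated
          nosuid = 0; nodev = 0
          for (i = 1; i <= n; i++) {
              if (opt[i] == "nosuid") nosuid = 1
              if (opt[i] == "nodev")  nodev = 1
          }
          if (!nosuid) print $2 ": missing nosuid (setuid binaries here would run privileged)"
          if (!nodev)  print $2 ": missing nodev (device nodes here would be honoured)"
      }'
}

# Constructed sample: /home uses "defaults" (slide 19: suid allowed, rw) while /tmp is
# mounted with explicit nosuid,nodev. Device names are made up.
SAMPLE_FSTAB='# <block_device> <mount_point> <type>   <options>         <dump> <pass>
/dev/sda1        /             ext2     defaults          1      1
/dev/sda2        /home         ext2     defaults          1      2
/dev/sda3        /tmp          ext2     rw,nosuid,nodev   1      2
/dev/cdrom       /mnt/cdrom    iso9660  ro,noauto,user    0      0
'

# Run the checker over the sample and return the number of findings (2: both for /home).
count_findings() { printf '%s' "$SAMPLE_FSTAB" | check_fstab | wc -l | tr -d ' '; }
```

To check a live system, replace the sample with `check_fstab < /etc/fstab`.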

22 Logging
- Logging is defined as the process of recording actions that have occurred.
- Important to maintain the integrity of the different log files.
- Syslogd: utility program that accomplishes the logging facility.

23 contd
- Syslogd reads the /etc/syslog.conf file.
- Each line of the file consists of two fields:
  - selector and
  - action field
  authpriv.*;mail.*;daemon.info    /dev/lp0
  (all authpriv and mail messages, plus daemon messages of priority info and above, are sent to the line printer, giving a hard copy an intruder cannot edit afterwards)

24 Klogd daemon
- Intercepts and logs kernel messages.
- Log info may come from the /proc file system or the sys_syslog system call.
- Remote logging: easy to control and adds security.

25 Shell logging
- The bash shell stores up to 500 old commands in ~/.bash_history.
- Password threat (passwords typed on the command line end up in the history file).
- Edit /etc/profile:
  HISTFILESIZE=20 and HISTSIZE=20
- Edit /etc/skel/.bash_logout:
  rm -f $HOME/.bash_history

26 UTMP and WTMP
- UTMP is a system log file that records users currently logged in.
- UTMP is a place for exploitation to cause system damage.
- UTMP contains accounting and access info for the commands who, last, lastlog, etc.
- WTMP contains the history for the UTMP database.

27 Questions ?