CIS 193A - Lesson 1: Welcome to CIS 193A UNIX/Linux Security Administration

Date posted: 14-Dec-2015

Transcript

How this Class Works

Class Flowchart

• Question & Answers
• Practice Drills
• Lecture
• Homework: labs and assigned reading

Grades

1. Lab assignments
2. Final exam
3. Log book

Resources

• Class Web site: www.cabrillo.edu/~jgriffin
• CIS 193 Forum: opus.cabrillo.edu/forum
• Opus user account: with ssh access
• Virtual machines: cislab.cabrillo.edu - vCenter
• CCC Confer: lecture playbacks – www.cccconfer.org
• Open labs: CTC and CIS Lab room 1403
• Textbook and suggested readings

How to be successful in this class

• Start lab assignments early; don't wait till the last minute
• Use the forum: read it before starting a lab and read it often
• Read labs before starting and follow each step carefully
• Use the lecture slides and CCC Confer videos as references when doing labs
• Use the forum to clarify expectations or confusing topics
• Experiment to see how things work and to better understand them
• Get organized, read the Calendar and plan ahead
• Check your progress on the Grades page and see if you need to do extra credit
• Use the textbook to deepen your understanding
• Use Google for command syntax and when troubleshooting error messages
• Think through labs ahead of time and make checklists as necessary
• Use the forum's search box (upper right corner)
• Read the lesson PowerPoints when stuck on a lab
• Post lessons learned on the forum after completing a lab
• Check for HOWTOs for the task you are trying to accomplish
• Ask lots of questions on the forum
• Answer lots of questions on the forum
• Don't blindly follow instructions in labs; make sure you know what is happening
• Follow all the instructions in a lab (especially the submittal part)
• Study groups are great for labs
• Keep a cheat sheet of Linux commands
• Add scp and dhclient to your cheat sheet

CIS 193 Class Forum

Use Search to find relevant posts

• Collaborate on lab assignments
• Get clarifications
• Get help when stuck on something
• Share Linux related information
• Catch up when you miss a class

CIS 193 Class Forum

Forum Policy:

• Account names must be first and last name.
• Availability is 24/7.
• Post topics on anything related to class.
• Top 5 contributors earn extra credit.
• Avatars are allowed, but identifying photos are preferred.
• Visiting other forums is permitted.

Look for the CIS 193A forum

Computer Security

Focus Question

What are three of the most common vulnerabilities that allow crackers to compromise Linux systems?

What Is Security?

• The protection of value from threats.
• A computer system is secure when everyone who is authorized has access to the resources, and anyone who is not authorized doesn't have access.
• Question: Is a computer encased in concrete and shot to the moon a secure computer? (Hint: check it against both halves of the definition above.)

A Security Model

Threat Agent → Threat → Incident → Damage

Information Assets (what is being protected): Confidentiality, Integrity, Availability

Safeguards, placed along that chain:

• Prevention: keeps a threat from turning into an incident
• Detection: recognizes an incident while it is happening
• Correction*: limits the damage of an incident in progress
• Recovery: restores the assets after damage has been done

* also called Aversion or Damage Control

Risk = Threats * Vulnerabilities

Threats

• People: Social Engineering, Eavesdropping, Wiretapping
• Software: Malware, Steganography, Covert operations
• Nature: Fire, Flood, EM radiation

Vulnerabilities

• People: Poor passwords, Unattended stations, Not following policies
• Software: Buffer overflows, Poor input validation
• Configuration Errors: Poor permissions, No passwords, Unneeded services

Risk = Threats * Vulnerabilities - Safeguards

Safeguards

• Prevention: Strong passwords, Encryption, Software updates, Firewalls
• Detection: Intrusion Detection Systems, Logging, Monitoring, Auditing
• Correction: Killing processes, routing redirects, reconfiguration, halt
• Recovery: Backups, Restore, DRP (Disaster Recovery Plan), Business Recovery Plan

Exercises

Resetting Root Password

• Method 1: Boot into single-user mode
  – add single as a kernel parameter on the boot line
  – set the password using the passwd command
  (on systemd-based distributions single-user mode usually asks for the existing root password first, so this method only helps when the password is known)

• Method 2: Boot straight into a bash shell
  – add init=/bin/bash as a kernel parameter
  – remount the root file system read-write (replace /dev/sda2 with your root device):
    mount -o remount,rw /dev/sda2 /
  – set the password using the passwd command
  (on an SELinux-enforcing system also run touch /.autorelabel before rebooting, or the rewritten /etc/shadow will carry the wrong label and logins will still fail)

• Method 3: Use an installation disk in "Rescue Mode"

Note that every method needs only console access and an unprotected boot loader; a boot loader password and full-disk encryption are what stop an attacker from doing the same thing.

Cracking Passwords

• Log in as cis193 and download "John the Ripper" from Opus:
  $ scp guest193@opus:../depot/john-1.7.4.tar.gz .

• Extract the compressed tarball:
  $ tar xzvf john-1.7.4.tar.gz

• Compile the binary:
  $ cd john-1.7.4/src; make linux-x86-any

• Copy the /etc/shadow file to the run directory (hint: /etc/shadow is readable only by root, which is the whole point of a shadow file):
  $ cd ../run; cp /etc/shadow . # How?

• Run John the Ripper:
  $ ./john shadow
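What John does, reduced to its essence: read the salt out of each shadow hash, re-hash every candidate word with that salt, and compare. The script below is an added example, not part of the slides or of John the Ripper. It assumes `openssl passwd` supports the `-1`, `-5` and `-6` crypt algorithms (`-6`, sha512crypt, needs OpenSSL 1.1.1 or later; yescrypt `$y$` hashes used by recent Debian and Ubuntu are not supported by it), and the passwords, salt and wordlist are constructed for the demo.

```shell
#!/bin/sh
# Added example: a miniature dictionary attack on a shadow-style password field.
# Assumes `openssl passwd` with -1/-5/-6 support; this is not John the Ripper's code.

# Build a crypt(3)-style hash the way /etc/shadow stores it: $<algo>$<salt>$<digest>.
# algo: 1 = md5crypt, 5 = sha256crypt, 6 = sha512crypt (default).
make_shadow_hash() {
  pw="$1"; salt="$2"; algo="${3:-6}"
  openssl passwd "-$algo" -salt "$salt" "$pw"
}

# Try every word of a wordlist against one shadow hash field.
# The salt is public (field 3 of the hash), so the attacker just re-hashes each guess
# with it and compares. Prints the cracked password and returns 0, or returns 1.
crack_shadow_hash() {
  hash="$1"; wordlist="$2"
  algo=$(printf '%s' "$hash" | cut -d'$' -f2)
  salt=$(printf '%s' "$hash" | cut -d'$' -f3)
  while IFS= read -r word || [ -n "$word" ]; do
    [ -z "$word" ] && continue
    if [ "$(openssl passwd "-$algo" -salt "$salt" "$word")" = "$hash" ]; then
      printf '%s\n' "$word"
      return 0
    fi
  done < "$wordlist"
  return 1
}

# Constructed demo: a weak and a strong password hashed with the same salt,
# attacked with a four-word wordlist (real wordlists have millions of entries).
demo_crack() {
  wl=$(mktemp)
  printf '123456\nletmein\npassword1\nqwerty\n' > "$wl"
  weak=$(make_shadow_hash password1 xyzzy1234 6)
  strong=$(make_shadow_hash 'c0rrect-h0rse-battery' xyzzy1234 6)
  crack_shadow_hash "$weak" "$wl" && echo "weak hash cracked"
  crack_shadow_hash "$strong" "$wl" || echo "strong hash survived the wordlist"
  rm -f "$wl"
}

demo_crack
```

Each guess costs one full crypt computation, which is why slow, salted hashes (sha512crypt with thousands of rounds, or yescrypt) matter: they do not stop a dictionary attack on `password1`, but they make exhaustive search of a long, random password impractical.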

Testing Passwords

• From cis193's home directory, compile a program that uses cracklib to test for good passwords (list the library after the source file: some linkers drop a library named before the objects that need it):

  $ cc -o crack src/crack.c -lcrack
  $ ./crack

Accounts With No Passwords

• Check to see if any accounts have blank passwords (an empty second field; '*' or '!' there means the account is locked, which is fine):
  # cut -f1,2 -d: /etc/shadow | grep ':$'

• Also check the password file, whose second field should be 'x' on a shadowed system; an empty field there means no password is required at all:
  # cut -f1,2 -d: /etc/passwd | grep ':$'

Finding Superuser Backdoors

• Search the password file for uid 0 (any account besides root with uid 0 is a second superuser, and a classic backdoor):
  $ awk -F: '$3 == 0 {print $1, "is a superuser!"}' /etc/passwd
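The two account audits above (blank password fields on the previous slide, extra uid-0 accounts on this one), run over constructed copies of /etc/passwd and /etc/shadow so they can be tried without root. This is an added example, not from the slides; the account entries are invented and the hash strings are placeholders, not real digests.

```shell
#!/bin/sh
# Added example: account audits over constructed passwd/shadow files.
# The entries below are invented; "PLACEHOLDER" is not a real hash.

sample=$(mktemp -d)
cat > "$sample/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:second root:/root:/bin/bash
guest::1001:1001:guest:/home/guest:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
cat > "$sample/shadow" <<'EOF'
root:$6$saltsalt$PLACEHOLDER:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
toor:$6$saltsalt$PLACEHOLDER:19000:0:99999:7:::
guest::19000:0:99999:7:::
alice:!:19000:0:99999:7:::
EOF

# Accounts whose password field (field 2) is empty: no password is needed to log in.
# Works on /etc/passwd and /etc/shadow alike; '*' and '!' mean locked, not blank.
blank_password_accounts() {
  awk -F: '$2 == "" { print $1 }' "$1"
}

# Every uid-0 account other than root: a second superuser is a classic backdoor.
extra_superusers() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# One report line per finding, with the reason, for the pair of files.
audit_accounts() {
  pw="$1"; sh="$2"
  blank_password_accounts "$pw" | sed 's/$/: blank password field in passwd/'
  blank_password_accounts "$sh" | sed 's/$/: blank password field in shadow/'
  extra_superusers "$pw"        | sed 's/$/: uid 0 but not root/'
}

audit_accounts "$sample/passwd" "$sample/shadow"
# On a real system: audit_accounts /etc/passwd /etc/shadow (as root, shadow is 0640 or stricter)
```

Running it on the sample flags `guest` twice (blank in both files) and `toor` once; on a real host the only uid-0 line should be root, and the only empty-field lines should be none.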

Suspicious Account Use

• Look at a user's login history:
  $ last [username]

• To look at failed login attempts:
  # lastb [username]

note: last reads /var/log/wtmp and lastb reads /var/log/btmp; lastb only reports if btmp exists, and since btmp is readable only by root it must be run as root. Treat btmp as sensitive: a user who types a password at the login name prompt leaves it in btmp as a "failed user name".

Testing User's Search PATH

• Ensure that your search path contains no relative directories, including '.' and empty entries (a leading or trailing ':' or a '::' also means the current directory). A relative entry makes the shell look for commands in whatever directory you happen to be in, so a trojan named ls dropped into a world-writable directory runs the moment root types ls there.

  $ perl -e 'print "PATH contains insecure relative directory \"$_\"\n" foreach grep ! m[^/], split /:/, $ENV{"PATH"}, -1;'

  (the split limit of -1 keeps trailing empty entries, so a PATH ending in ':' is caught too)

Note: it may be easier just to check the PATH variable in .bash_profile.
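The same check written in shell and awk rather than perl, so it can be run from a script that has no perl. This is an added example, not from the slides; the two PATH strings it checks are constructed, and `check_path` is a helper name chosen here.

```shell
#!/bin/sh
# Added example: report PATH entries that are not absolute. An empty entry
# (leading ':', trailing ':' or '::') is the current directory too, which is
# exactly what the perl one-liner's split limit of -1 preserves.
insecure_path_entries() {
  printf '%s\n' "$1" | awk -F: '
    { for (i = 1; i <= NF; i++)
        if ($i !~ /^\//) print ($i == "" ? "(empty = current directory)" : $i) }'
}

# Print a verdict for one PATH value; returns 1 when something is wrong so it can
# be used in a login script or an audit loop.
check_path() {
  if insecure_path_entries "$1" | grep -q .; then
    printf 'insecure PATH: %s\n' "$1"
    insecure_path_entries "$1" | sed 's/^/  /'
    return 1
  fi
  printf 'PATH ok: %s\n' "$1"
}

# Constructed inputs: a clean PATH and one an attacker would love.
check_path '/usr/local/bin:/usr/bin:/bin'
check_path '/usr/local/bin:.:bin:/usr/bin::/bin:'
# Check your own shell with: check_path "$PATH"
```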

Searching File Systems Using the Find Command

• find tests the inode information of each file it visits:

  -type [fdlbcps]       # file type: regular, directory, symlink, block, char, pipe, socket
  -user username|uid    # owner of the file
  -group groupname|gid  # group of the file
  -perm mode            # octal number or symbolic mode
  -size n[bckMG]        # size in various units, rounded up to the unit
  -inum n               # inode number

Each test is a boolean term in an AND expression, so

  find / -type d -user root -size 4k

finds all directories owned by root that are 4K in size.

Search File Systems For setuid/setgid Programs

• Check for insecure setuid (or setgid) programs. GNU find no longer accepts the old -perm +mode form; -perm /mode means "any of these bits are set":
  # find /dir -type f -perm /u=s,g=s

• Check for setgid directories (new files inherit the directory's group; expected on shared project directories, suspicious elsewhere):
  # find /dir -type d -perm -g=s

Finding Writable Files

• Find world-writable files:
  # find /dir -xdev -type f -perm -o=w

• Find world-writable directories:
  # find /dir -xdev -type d -perm -o=w

• Find world-writable files and directories that don't have their sticky bit set. A sticky world-writable directory such as /tmp lets users delete only their own files, so it is excluded; a symbolic link always shows mode 777 and is skipped as well:
  # find / -xdev -perm -o=w ! \( -type d -perm -o=t \) ! -type l
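The setuid/setgid search from the previous slide and the world-writable searches from this one, run against a constructed directory tree whose contents are known in advance, so the output of each check can be compared with what was planted. This is an added example, not from the slides; it assumes GNU find (for the `-perm /mode` syntax), and the file names and modes are invented for the demo.

```shell
#!/bin/sh
# Added example: the find-based permission audits over a constructed tree.
# Assumes GNU find; the tree below is invented and removed again at the end.

# Create a throwaway tree with one example of each condition the audits look for.
build_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/bin" "$root/shared" "$root/tmp" "$root/drop"
  touch "$root/bin/suid_tool" "$root/bin/sgid_tool" "$root/bin/normal" "$root/shared/notes.txt"
  chmod 4755 "$root/bin/suid_tool"     # setuid binary: runs with the owner's uid
  chmod 2755 "$root/bin/sgid_tool"     # setgid binary: runs with the group's gid
  chmod 644  "$root/bin/normal"
  chmod 666  "$root/shared/notes.txt"  # world-writable file: anyone can alter it
  chmod 2777 "$root/shared"            # setgid dir, world-writable, no sticky bit
  chmod 1777 "$root/tmp"               # world-writable but sticky, like /tmp: acceptable
  chmod 777  "$root/drop"              # world-writable, no sticky: anyone can delete others' files
  ln -s /etc/passwd "$root/drop/link"  # symlinks show as 777 and must be ignored
  printf '%s\n' "$root"
}

# Files with the setuid or setgid bit: each one is a privilege boundary to review.
# -perm /6000 is the numeric form of -perm /u=s,g=s ("any of these bits").
setuid_setgid_files() {
  find "$1" -xdev -type f -perm /6000 | sed "s|^$1/||" | sort
}

# Directories with the setgid bit (new files inherit the directory's group).
setgid_dirs() {
  find "$1" -xdev -type d -perm -2000 | sed "s|^$1/||" | sort
}

# World-writable files and directories, excluding sticky directories (users can only
# remove their own files there) and symbolic links (whose 777 mode is meaningless).
world_writable_no_sticky() {
  find "$1" -xdev -perm -0002 ! \( -type d -perm -1000 \) ! -type l | sed "s|^$1/||" | sort
}

root=$(build_sample_tree)
echo "setuid/setgid files:";              setuid_setgid_files "$root"
echo "setgid directories:";               setgid_dirs "$root"
echo "world-writable without sticky bit:"; world_writable_no_sticky "$root"
rm -rf "$root"
# On a real host, point the functions at / (and expect a long list from the first one).
```

The paths are printed relative to the tree root only to keep the demo readable; on a real system you want the full path, and `-ls` in place of the default print shows owner and mode next to each hit so the review can start immediately.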

Review

Answer to Focus Question

What are three of the most common vulnerabilities that allow crackers to compromise Linux systems?

1. Weak passwords

2. Non-updated software

3. Running unneeded services

Review

• Becoming root: sudo or su - (the - is very important, as this gets you root's login environment)

• To get command documentation: man command, or google.com (linux xxxxxx command)

• To try again for a network connection: # service network restart

• To copy files to and from a remote system (filename could be just dot (.), meaning the current directory):
  scp filename user@hostname:path
  scp user@hostname:path filename
  scp lab [email protected]:
