8/7/2019 LinuxSecurity-1-ORIG
http://slidepdf.com/reader/full/linuxsecurity-1-orig 1/43
www.nii.co.in 1
© Network Intelligence India Pvt. Ltd.
Linux Security & Auditing
K. K. Mookhey
Founder-CTO
Network Intelligence India Pvt. Ltd.
Agenda
- History of Linux
- Linux Distributions
- Business drivers for Linux
- Linux Architecture
- Physical Security
- Operating System Security
- Network Security
- File System Security
- User and Group Security
- Application Security
- Linux Security Tools
History of Linux
- Linus Benedict Torvalds writes an open-source operating system in 1991
- Primary purpose is as a research project
- At that time, no other open-source Unix flavors available; all are proprietary and costly
- Linux became hugely popular among the student and research community
- Today it is a viable alternative for enterprise applications
Linux Business Drivers
- IBM sold $759 million worth of Linux servers in 2001 (Dataquest)
- Total Linux server market estimated at $4 billion and growing rapidly
- Oracle, Sun, HP, IBM, Novell, and other major vendors all actively support Linux
- Open-source implies:
  - Cheaper cost of acquisition
  - Possibility of greater security
  - More flexibility in choosing components and configuring them
Linux Distributions
- The Linux kernel and associated utilities are packaged and distributed by a number of firms:
  - Red Hat
  - Mandrake
  - Debian
  - SuSE
- Changes: most free distributions are no longer free
  - Red Hat has stopped after Fedora
  - Mandrake requires payment for security patches
  - SUSE has been bought over by Novell
  - Debian, Slackware still free
Linux Attack
- Port scanner
  - Identifies open ports
  - Identifies running services
  - Identifies operating system
- Vulnerability scanner
  - Identifies versions and vendor of services
  - Determines vulnerabilities in those
- Vulnerability databases: www.SecurityFocus.com/bid
  - Feed in vendor, software and version number
  - Check the vulnerabilities and see if any exploits available
- Portscan report: Superscan
- Portscan report: Nmap
LINUX SECURITY
Linux Architecture
- Linux Kernel: the actual code that interfaces between user applications and hardware resources
- Hardware controllers: used by the kernel to interact with hardware
- Operating System Services: software other than the kernel that is considered part of the OS: X Window system, command shell
- User Applications: software other than kernel and services: text editors, browsers, etc.
Key points about Linux Kernel
- It is separately distributed from user applications and other software
- Uses modules, which can be dynamically loaded
  - For instance, support for FAT32 need not be fixed, but can be added dynamically
- Kernel can be completely recompiled and unnecessary components can be removed, unlike Windows
- Kernel has had buffer overflow vulnerabilities discovered in it: very critical
Kernel Security
- One of the most important ways to keep Linux secure is to ensure a patched kernel
- Check your kernel version: uname -a
- Third-party kernel patches for enhanced security:
  - Linux Intrusion Detection System: for ensuring integrity of critical files
  - Secure Linux Patch: prevents common buffer overflows, and simple security measures
  - International Kernel Patch: kernel-level strong encryption to be built in
Click and run Security
- Bastille Linux: available for popular Linux flavors
  - www.Bastille-linux.org
  - You'll also need Perl-Tk
- Creates a set of security measures through a GUI
- Most of the implemented changes can be undone
- Must be first run on test systems
- Demo
Bastille-Linux snapshot
Boot Security
- Boot configuration is decided by LILO (Linux Loader) or GRUB (Grand Unified Boot Loader)
- Check that only one OS is configured to load
- If required, ensure there is an entry for password= in lilo.conf
- Also, ensure permissions are 600
- Demo
Operating System Security
- Check processes: top -n 1 -b
  - ps aux
- Check installed software: rpm -q -a
  - RPM = Red Hat Package Manager = installer packages for software on RH systems
  - Look out for unnecessary packages
  - Also ensure latest versions of packages are installed, especially those that are used by lower-privileged users: httpd, openssh, kernel, sendmail, etc.
  - rpm -q -a | grep kernel
Cron and At
- Cron is used to schedule regular jobs. At is used to schedule a one-time job in the future
- Both can be misused to install time-bombs on the system, which may suddenly cause the system to malfunction
- Can be restricted using files /etc/cron.allow, cron.deny, at.allow and at.deny
- DEMO:
  - cron.allow contains root
  - cron.deny contains ALL
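The allow/deny rule behind the demo above, as an added example that is not part of the original slides. It assumes the usual Vixie cron semantics: when cron.allow exists only the users listed in it may use cron and cron.deny is not consulted at all (so the "ALL" line in the demo's cron.deny has no effect while cron.allow is present); when only cron.deny exists, everyone except the listed users may; with neither file the default is distribution specific and is treated as "allowed" here. The file paths are parameters so the check runs against constructed files rather than the live /etc.

```shell
#!/bin/sh
# Added example (not from the slides): evaluate a user against
# cron.allow / cron.deny using the assumed Vixie cron rule:
#   1. cron.allow exists  -> only listed users are allowed (cron.deny ignored)
#   2. else cron.deny exists -> everyone except listed users is allowed
#   3. else -> distribution default; treated as allowed here
# Returns 0 when the user may use cron, 1 otherwise.
cron_allowed() {
    _user=$1
    _allow=$2
    _deny=$3
    if [ -f "$_allow" ]; then
        if grep -qx "$_user" "$_allow"; then return 0; fi
        return 1
    fi
    if [ -f "$_deny" ]; then
        if grep -qx "$_user" "$_deny"; then return 1; fi
        return 0
    fi
    return 0
}

# Constructed copy of the slide's demo configuration in a scratch directory.
# The same two-file rule applies to at.allow / at.deny.
make_demo_cron_dir() {
    _d=$(mktemp -d)
    echo root > "$_d/cron.allow"
    echo ALL  > "$_d/cron.deny"   # listed only to mirror the demo; not a keyword
    echo "$_d"
}

# Print the effective policy for each user named on the command line.
cron_report() {
    _dir=$1
    shift
    for _u in "$@"; do
        if cron_allowed "$_u" "$_dir/cron.allow" "$_dir/cron.deny"; then
            echo "$_u: allowed"
        else
            echo "$_u: denied"
        fi
    done
}

demo_dir=$(make_demo_cron_dir)
cron_report "$demo_dir" root auditor
rm -rf "$demo_dir"
```

On a real host run `cron_report /etc root <users>` and compare the result with the list of people who are supposed to schedule jobs; an account that unexpectedly reads "allowed" is the one to investigate.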
Linux Auditing
- Linux auditing is done using syslogd
- Configuration file is /etc/syslog.conf
- Format is: Facility.Priority   Action to be taken
  - Facility: the application/program that is generating the logs
  - Priority: emerg, alert, crit, err, warning, notice, info, debug, none
  - Action: send it to a file, send it to console, send it via email, send it to another system (loghost)
- Segregation of responsibilities: send logs to another system, where the security administrator has control
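A worked syslog.conf in the "facility.priority action" format described above, together with a small audit helper, as an added example that is not part of the original slides. The configuration is constructed (the loghost name is a placeholder) and follows the Red Hat layout in which authpriv.* is what fills /var/log/secure; the helper lists every selector whose action is a remote host (an "@host" action) and checks that a given facility is among those forwarded.

```shell
#!/bin/sh
# Added example (not from the slides): a constructed /etc/syslog.conf and an
# audit helper for the "send it to another system" action.
make_demo_syslog_conf() {
    _f=$(mktemp)
    cat > "$_f" <<'EOF'
# kernel messages to the console
kern.*                                  /dev/console
# everything at info and above, except mail and authpriv, to messages
*.info;mail.none;authpriv.none          /var/log/messages
# authentication and security events (what /var/log/secure holds on Red Hat)
authpriv.*                              /var/log/secure
# mail separately
mail.*                                  /var/log/maillog
# emergencies to every logged-in user
*.emerg                                 *
# copy of security and emergency events to the loghost controlled by the
# security administrator (segregation of responsibilities)
authpriv.*;*.emerg                      @loghost.example.internal
EOF
    echo "$_f"
}

# Print "selector host" for each rule whose action is a remote loghost.
remote_log_rules() {
    awk '$1 !~ /^#/ && NF == 2 && $2 ~ /^@/ { print $1, substr($2, 2) }' "$1"
}

# Exit 0 when some remote rule names the facility explicitly.
# A "*.emerg" rule is deliberately not counted as forwarding the facility,
# because it only carries emergency-priority messages.
facility_forwarded() {
    remote_log_rules "$2" | awk -v fac="$1" '
        {
            n = split($1, sel, ";")
            for (i = 1; i <= n; i++) {
                split(sel[i], part, ".")
                if (part[1] == fac) found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

conf=$(make_demo_syslog_conf)
echo "remote rules:"
remote_log_rules "$conf"
if facility_forwarded authpriv "$conf"; then
    echo "authpriv is forwarded to a loghost"
else
    echo "authpriv stays local only"
fi
rm -f "$conf"
```

Classic syslogd forwards over UDP port 514 in clear text and without authentication, so the loghost belongs on a protected management network; the helper only confirms that the forwarding rule exists, not that the transport is safe.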
Linux Auditing important commands
- Recent logins: last
- Last login time for all users (dormant users): lastlog
- Last failed logins (requires creating the /var/log/btmp file): lastb
- Security related events: /var/log/secure
- Tools for log analysis:
  - Swatch: real-time monitoring of logs
  - Logsentry
  - Logwatch
Tools for testing
- COPS: Computer Oracle and Password System
  - Outdated
  - Checks for common mis-configurations, weak passwords, insecure permissions, etc.
- TIGER: similar to COPS, but more comprehensive
  - Also not recently updated
- TARA: most updated and recent version of TIGER
  - Runs using shell scripts or preferably Perl
Network Security
- Services are started by /etc/rc.d scripts and xinetd
  - chkconfig --list
  - chkconfig --level {numbers} {service} on|off
- Xinetd services are configured by individual files in /etc/xinetd.d/
- Open network connections: netstat -antp
  - Use the -p option to see which processes are responsible for which open ports
  - Also lsof can be used
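Reading the netstat -antp output described above, as an added example that is not part of the original slides. The sample output is constructed, not captured from a real host; the first helper reduces it to one "port bind-address program" line per listening socket, and the second flags listeners on every interface whose port belongs to one of the plain-text protocols the slides recommend replacing with SSH (ports 21 and 23 are assumed for FTP and Telnet).

```shell
#!/bin/sh
# Added example (not from the slides): summarise "netstat -antp" output.
# Run the real command as root so the PID/Program column is filled in.
make_demo_netstat() {
    _f=$(mktemp)
    cat > "$_f" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      901/sendmail
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      655/xinetd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1100/httpd
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED 1203/sshd
EOF
    echo "$_f"
}

# Print "port bind-address program" for every socket in LISTEN state.
listening_sockets() {
    awk '$6 == "LISTEN" {
        n = split($4, a, ":")
        port = a[n]
        addr = $4
        sub(":" port "$", "", addr)          # strip the trailing :port
        split($7, p, "/")                     # "812/sshd" -> pid, program
        print port, addr, (p[2] == "" ? "unknown" : p[2])
    }' "$1"
}

# Listeners bound to all interfaces (0.0.0.0) on a plain-text service port.
plaintext_exposed() {
    listening_sockets "$1" | awk '
        BEGIN { name[21] = "ftp"; name[23] = "telnet" }
        $2 == "0.0.0.0" && ($1 in name) { print $1, name[$1], $3 }'
}

out=$(make_demo_netstat)
echo "listening sockets:"
listening_sockets "$out"
echo "plain-text services exposed on all interfaces:"
plaintext_exposed "$out"
rm -f "$out"
```

The sendmail listener bound to 127.0.0.1 is reported but not flagged: a service bound to the loopback address is reachable only from the host itself, which is the distinction the auditor is after when deciding which services to remove.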
Network Services
- Possibly not required:
  - NFS and related services: autofs, nfs, nfsserver, nfslock
  - Unused networking services: routed, gated, ratvf, snmpd, named, dhcpd, dhclient, dhrelay, nscd, smb
  - Mail services: sendmail, postfix
  - Optional network and local services: atd, ldap, kudzu, rhnsd, ypbind, apache, quota, quotad, mysql, etc.
  - Printing services: lpr, cups, lprng
Xinetd
- Logic change from earlier inetd.conf file
- Builds in controls similar to TCP Wrappers and more:
  - Access control: which hosts are allowed to connect and at what times
  - Logging: which data gets logged
  - Resource utilization: limits on maximum connections supported, CPU usage, etc.
  - Others
Trusted Hosts
- Entries in /etc/hosts.equiv and /etc/hosts.lpd are critical
- They allow users from those hosts to connect without supplying a password!
- Also, users can create .rhosts and .netrc files in their home directories, which function similarly. Find these as well
Telnet and FTP vs. SSH
- Telnet and FTP are plain-text protocols; should be replaced by SSH
- Any inside user can sniff the traffic, even on switched networks, with relative ease
- SSH uses encryption to provide services equivalent to Telnet and FTP
- Configuration is in /etc/sshd/sshd_config
- SSH clients are available for free: PuTTY for Windows
User and Group Security
- User accounts are created in /etc/passwd
- Hashed passwords, password and account lockout policies are in /etc/shadow
- Password and account lockout policies can be set during account creation, or with the chage command:
  - Minimum password age
  - Maximum password age
  - Expiry warning time
  - Inactive time after which account is locked out
  - Some future date when account will be locked out
Checks for these files
- No dormant or generic accounts present
- Accounts of separated users not present
- All system (non-user) accounts have /bin/false for the shell
- All system accounts have *NP* or *LK* in their password fields in /etc/shadow
- SOP exists for verifying validity of accounts in these files
- Every account in passwd has a corresponding entry in shadow
- Only one line contains 0 in the uid field in the passwd file
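The mechanical checks from the list above run against copies of /etc/passwd and /etc/shadow, as an added example that is not part of the original slides. Both files are constructed (the hashes are placeholders), and two assumptions are labelled in the code: accounts with a UID below 500 are treated as system accounts, the Red Hat convention of that time (newer distributions start ordinary users at 1000), and a locked or passwordless account is recognised by a shadow password field starting with "*" or "!", which is the Linux convention; the *NP*/*LK* markers on the slide are how Solaris writes the same thing. /sbin/nologin is accepted alongside /bin/false as a non-login shell.

```shell
#!/bin/sh
# Added example (not from the slides): account hygiene checks over
# constructed passwd/shadow copies.
SYS_UID_MAX=500   # assumption: first ordinary user UID on Red Hat of that era

make_demo_account_files() {
    _d=$(mktemp -d)
    cat > "$_d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
auditor:x:500:500:Security Auditor:/home/auditor:/bin/bash
oldemp:x:501:501:left the company:/home/oldemp:/bin/bash
EOF
    cat > "$_d/shadow" <<'EOF'
root:$1$salt$PLACEHOLDERHASH:12345:0:99999:7:::
bin:*:12345:0:99999:7:::
daemon:*:12345:0:99999:7:::
ftp:$1$salt$PLACEHOLDERHASH:12345:0:99999:7:::
toor:$1$salt$PLACEHOLDERHASH:12345:0:99999:7:::
auditor:$1$salt$PLACEHOLDERHASH:12345:0:90:14:30::
EOF
    echo "$_d"
}

# Every account with UID 0; there must be exactly one line, root.
uid0_accounts() { awk -F: '$3 == 0 { print $1 }' "$1"; }

# passwd entries that have no matching shadow line.  args: passwd shadow
missing_shadow_entries() {
    awk -F: 'NR == FNR { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$2" "$1"
}

# System accounts (UID below SYS_UID_MAX, not root) with a usable login shell.
system_accounts_with_shell() {
    awk -F: -v max="$SYS_UID_MAX" '
        $3 != 0 && $3 < max && $7 != "/bin/false" && $7 != "/sbin/nologin" { print $1 }' "$1"
}

# System accounts whose shadow password field is not a lock marker.
# args: passwd shadow
unlocked_system_accounts() {
    awk -F: -v max="$SYS_UID_MAX" '
        NR == FNR { if ($3 != 0 && $3 < max) sys[$1] = 1; next }
        ($1 in sys) && $2 !~ /^[*!]/ { print $1 }' "$1" "$2"
}

# One finding per line for the directory holding passwd and shadow.
account_audit() {
    _p=$1/passwd
    _s=$1/shadow
    uid0_accounts "$_p" | awk '$0 != "root" { print "extra uid-0 account: " $0 }'
    missing_shadow_entries "$_p" "$_s" | sed 's/^/no shadow entry: /'
    system_accounts_with_shell "$_p"   | sed 's/^/system account with login shell: /'
    unlocked_system_accounts "$_p" "$_s" | sed 's/^/system account not locked: /'
}

demo=$(make_demo_account_files)
account_audit "$demo"
rm -rf "$demo"
```

The dormant-account and separated-user checks from the list cannot be automated from these two files alone; they need the lastlog output and the HR leaver list, which is why the slide asks for an SOP rather than a script.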
Password and Account Lockout
- Other, stronger policies require use of PAM: Pluggable Authentication Modules
- PAM allows the following to be set:
  - Minimum password length
  - No dictionary words
  - No part of username in the password
  - Number of alphanumeric and punctuation characters to be present
- PAM is configured in the /etc/pam.d folder
- DEMO: change of password for user auditor
Password Strength Verification
- Also known as password cracking
- Use Crack from http://www.users.dircon.co.uk/~crypto/download/c50-faq.html
- Works on almost all Unix platforms, and is very fast
- Also viable password cracker is John the Ripper
- Set these tools running for a day or two and ferret out all weak passwords
Root Security
- No user must login directly as root
- Administrators must login with their own accounts, and then use su to become root
  - This ensures accountability
- Viable alternative is the sudo utility, which allows:
  - Listing of privileged accounts
  - Actions that can be taken by these accounts
  - Time out of logged-in user, so he has to re-authenticate in order to use sudo
- Download from http://www.courtesan.com/sudo/intro.html
File System Security
- Unix permissions are applicable to three entities:
  - Owner of the file (everything in Unix is a file)
  - Group owner of file
  - Everyone else
- Three main permissions apply, with numeric representations:
  - Read = 4
  - Write = 2
  - Execute = 1
Unix Permissions
- Permissions are visible in the ls -l output (example)
- First character identifies the type of file (ls prints these in lower case):
  - d = directory
  - - = file
  - s = socket
  - l = link (shortcut)
  - p = pipe
- Next three identify read, write and execute for owner, next three identify for group, and last three for everyone else
Unix Permissions
- The values of these letters are added up. For instance:
  - -rw-r--r--
  - It's a file
  - Owner can read (4) and write (2)
  - Group can read (4)
  - Everyone else can read (4)
  - So permissions on this file are 644
- Conversely, permissions like 700 represent -rwx------
Other File Security Measures
- Permissions of new files are determined by the value of umask
- Advanced Windows-like Access Control Lists can also be created on Linux using the linux-acl package
- Disk usage can be periodically verified with the df -k command
- SUID and SGID files are executables that can be executed by anyone, but they execute with privileges of owner (usually root) or group: very critical checks!
  - find / -perm -4000 (set-uid bit set; without the leading "-" find matches only the exact mode 4000)
  - find / -perm -2000 (set-gid bit set)
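The permission arithmetic of the two slides above (symbolic to octal and back, the effect of umask on new files and directories, and the set-uid/set-gid search) in one runnable script, as an added example that is not part of the original slides. It generalises the slide's 644/700 cases to the s and t columns (4000/2000/1000) and handles the "-" in -perm -4000, which means "these bits set, whatever the others are"; the find runs on a constructed directory tree, not on /, and the tree's file names are only meant to resemble typical set-uid binaries.

```shell
#!/bin/sh
# Added example (not from the slides): permission arithmetic and SUID/SGID
# search. Everything runs against constructed input; no root needed.

# "rw-r--r--" (or the 10-column ls -l form "-rw-r--r--") -> 644, "rwsr-xr-x" -> 4755
perm_to_octal() {
    printf '%s\n' "$1" | awk '{
        s = $0
        if (length(s) == 10) s = substr(s, 2)      # drop the file-type column
        special = 0; mode = ""
        for (i = 0; i < 3; i++) {                  # owner, group, others
            d = 0
            r = substr(s, i * 3 + 1, 1); w = substr(s, i * 3 + 2, 1); x = substr(s, i * 3 + 3, 1)
            if (r == "r") d += 4
            if (w == "w") d += 2
            if (x == "x" || x == "s" || x == "t") d += 1
            if (i < 2 && (x == "s" || x == "S")) special += (i == 0) ? 4 : 2
            if (i == 2 && (x == "t" || x == "T")) special += 1
            mode = mode d
        }
        out = (special ? special : "") mode
        print out
    }'
}

# 700 -> "rwx------", 4755 -> "rwsr-xr-x"
octal_to_perm() {
    printf '%s\n' "$1" | awk '{
        m = $0; n = length(m)
        special = (n == 4) ? substr(m, 1, 1) + 0 : 0
        base = substr(m, n - 2)
        out = ""
        for (i = 1; i <= 3; i++) {
            d = substr(base, i, 1) + 0
            bit = (i == 1) ? 4 : (i == 2) ? 2 : 1   # setuid, setgid, sticky
            out = out ((d >= 4) ? "r" : "-")
            out = out ((d % 4 >= 2) ? "w" : "-")
            xbit = d % 2
            if (int(special / bit) % 2 == 1)
                x = xbit ? ((i == 3) ? "t" : "s") : ((i == 3) ? "T" : "S")
            else
                x = xbit ? "x" : "-"
            out = out x
        }
        print out
    }'
}

# Mode a new file (base 666) or directory (base 777) gets under a umask:
# each digit is base AND NOT umask, computed bit by bit for portability.
umask_mode() {
    printf '%s\n' "$1" | awk -v kind="$2" '{
        u = sprintf("%03d", $0 + 0); out = ""
        for (i = 1; i <= 3; i++) {
            b = (kind == "dir") ? 7 : 6
            m = substr(u, i, 1) + 0; d = 0
            for (bit = 4; bit >= 1; bit /= 2)
                if (int(b / bit) % 2 == 1 && int(m / bit) % 2 == 0) d += bit
            out = out d
        }
        print out
    }'
}

# "-perm -4000": the set-uid bit must be set, other bits are ignored.
find_setuid_files() { find "$1" -type f -perm -4000 -print 2>/dev/null | sort; }
find_setgid_files() { find "$1" -type f -perm -2000 -print 2>/dev/null | sort; }

# Constructed tree: one set-uid file, one set-gid file, one ordinary one.
make_demo_tree() {
    _d=$(mktemp -d)
    mkdir "$_d/bin"
    : > "$_d/bin/passwd"; chmod 4755 "$_d/bin/passwd"
    : > "$_d/bin/wall";   chmod 2755 "$_d/bin/wall"
    : > "$_d/bin/ls";     chmod 755  "$_d/bin/ls"
    echo "$_d"
}

echo "rw-r--r-- = $(perm_to_octal rw-r--r--), 700 = $(octal_to_perm 700)"
echo "umask 022: file $(umask_mode 022 file), dir $(umask_mode 022 dir)"
t=$(make_demo_tree); find_setuid_files "$t"; find_setgid_files "$t"; rm -rf "$t"
```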
File Integrity
- File integrity can be verified:
  - Size and timestamp: can be modified to fool the auditor
  - MD5 hashes: secure method, but tedious
- File integrity software:
  - Must be used immediately after the installation
  - Create a database of MD5 hashes of all critical files
  - Monitor changes to these files and send alerts
  - Tripwire: commercial, scalable, central console
  - AIDE: open-source, reasonably enterprise-level
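The principle behind Tripwire and AIDE reduced to plain shell, as an added example that is not part of the original slides or of either product: a baseline of hashes is taken right after installation and the live files are later compared against it. Size and modification time are deliberately not consulted, for the reason the slide gives. MD5 is used because the slide uses it; a deployment today would pick SHA-256, which sha256sum produces with the same command-line syntax. The tree being checked is constructed in a scratch directory.

```shell
#!/bin/sh
# Added example (not from the slides): MD5 baseline and verification of a
# directory tree. The real baseline must live on read-only or offline media,
# otherwise whoever changes the files can re-hash them too.

# Constructed tree with two "critical" files.
make_demo_tree() {
    _d=$(mktemp -d)
    mkdir -p "$_d/etc" "$_d/bin"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$_d/etc/passwd"
    printf '#!/bin/sh\necho hello\n' > "$_d/bin/hello"
    echo "$_d"
}

# Hash every regular file below $1 into baseline file $2 ("hash  ./path").
baseline_create() {
    (cd "$1" && find . -type f -exec md5sum {} +) | sort -k 2 > "$2"
}

# Compare the live tree $1 against baseline $2. Prints one line per
# MISSING, CHANGED or NEW file and returns 1 when anything differs.
baseline_verify() {
    _root=$1; _base=$2; _rc=0
    _known=$(mktemp); _now=$(mktemp)
    awk '{ print $2 }' "$_base" | sort > "$_known"
    (cd "$_root" && find . -type f -print | sort) > "$_now"
    while read -r _hash _path; do
        if [ ! -f "$_root/$_path" ]; then
            echo "MISSING $_path"; _rc=1
        elif [ "$(md5sum < "$_root/$_path" | awk '{ print $1 }')" != "$_hash" ]; then
            echo "CHANGED $_path"; _rc=1
        fi
    done < "$_base"
    # paths present now that the baseline never saw
    for _p in $(comm -13 "$_known" "$_now"); do
        echo "NEW $_p"; _rc=1
    done
    rm -f "$_known" "$_now"
    return $_rc
}

demo=$(make_demo_tree)
base=$(mktemp)
baseline_create "$demo" "$base"
# simulate an intrusion: change root's shell, drop a new binary, remove one
printf 'root:x:0:0:root:/root:/bin/sh\n' > "$demo/etc/passwd"
: > "$demo/bin/extra"
rm "$demo/bin/hello"
if ! baseline_verify "$demo" "$base"; then
    echo "integrity violations found"
fi
rm -rf "$demo" "$base"
```

Run `baseline_create / /media/readonly/baseline.md5` right after installation and `baseline_verify / /media/readonly/baseline.md5` from cron; the path list should be restricted to system directories in practice, since hashing a whole disk on every run is the "tedious" part the slide warns about.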
Application Security
- Linux systems can be used as:
  - File servers: Samba, Windows-compatible file server
  - Print servers: lpd, cups, etc.
  - Mail servers: Sendmail (historically insecure), Qmail, Postfix
  - VPN server: FreeS/WAN
  - Databases: PostgreSQL, MySQL (free), Oracle, Sybase, DB2 (commercial)
  - DNS servers: BIND
  - LDAP servers
  - Time servers
Application Security Web Servers
- The Apache web server is an open-source, stable, robust and scalable solution with 64% market share
- Apache is usually configured to run with a lower-privileged account: apache or nobody
- Installation location is referred to as $ServerRoot, and web site contents are located at $DocumentRoot
- Configuration file is at $ServerRoot/httpd.conf
- Configuration is done with the help of directives
Important Directives
- Directory: access control based on source IP address or domain name for various files and folders of the website, using Allow and Deny keywords
  - Also, within this directive, various options can be set. Recommended to set Options None
- Denial of Service and buffer overflow attacks can be prevented by LimitRequest* and RLimit* directives
- CGI security is most important, to ensure scripts cannot be misused for compromising the server
- Apache uses various modules for added functionality. These must be reduced to a minimum
- Banner of Apache must be changed
- Apache must be run in a chroot environment
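A constructed httpd.conf fragment carrying the directives named above, plus a checker for the two points an auditor can verify mechanically, as an added example that is not part of the original slides. The directive names are real Apache directives (Directory, Options, Order/Allow/Deny, LimitRequestBody, LimitRequestFields, LimitRequestLine, RLimitCPU, RLimitNPROC, ServerTokens, ServerSignature); the paths, limit values and the cgi-bin block are made up for the demonstration. The checker reports Directory blocks whose Options are not None and whether every request- and resource-limit directive is present.

```shell
#!/bin/sh
# Added example (not from the slides): hardening directives in a constructed
# httpd.conf and a helper that audits them.
make_demo_httpd_conf() {
    _f=$(mktemp)
    cat > "$_f" <<'EOF'
ServerRoot "/usr/local/apache"
User apache
Group apache
DocumentRoot "/usr/local/apache/htdocs"

# banner: no version or module list in headers and error pages
ServerTokens Prod
ServerSignature Off

# deny everything first, then open only the document root
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

<Directory "/usr/local/apache/htdocs">
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

# legacy CGI directory that still permits execution and indexes
<Directory "/usr/local/apache/cgi-bin">
    Options ExecCGI Indexes
    Order deny,allow
    Allow from 10.0.0.0/8
</Directory>

# request-size limits against oversized or abusive requests
LimitRequestBody 1048576
LimitRequestFields 50
LimitRequestLine 4094
# per-process resource limits for CGI children
RLimitCPU 30 60
RLimitNPROC 10 20
EOF
    echo "$_f"
}

# Print "<path> <options>" for every Directory block whose Options are not None.
directories_with_options() {
    awk '
        /^[ \t]*<Directory/        { dir = $2; gsub(/[">]/, "", dir) }
        /^[ \t]*Options/ && dir != "" && $2 != "None" {
            $1 = ""; sub(/^ +/, ""); print dir, $0
        }
        /^[ \t]*<\/Directory>/     { dir = "" }' "$1"
}

# Exit 0 only when every limit directive in the list appears in the file.
limit_directives_present() {
    for _d in LimitRequestBody LimitRequestFields LimitRequestLine RLimitCPU RLimitNPROC; do
        grep -q "^[[:space:]]*$_d[[:space:]]" "$1" || return 1
    done
    return 0
}

conf=$(make_demo_httpd_conf)
echo "Directory blocks with Options other than None:"
directories_with_options "$conf"
if limit_directives_present "$conf"; then echo "limit directives: present"; fi
rm -f "$conf"
```

Order/Allow/Deny is the Apache 1.3 and 2.2 syntax the slide refers to; Apache 2.4 replaced it with Require directives, so the checker's Options logic still applies there but the access-control lines do not.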
Linux Security Software
- Linux firewall: IPTables (new version of IPChains)
  - Scalable
  - Cost-effective
  - Robust
- Linux IDS: Snort
  - Scalable
  - Robust
  - Slight learning curve
  - Demo
- IPCop: bootable CD version of firewall and IDS
Security Testing Software
- Nmap: most popular security tool
  - Port scanner
  - Detects operating system also
  - Can run in very stealthy mode
  - Demo
- Nessus
  - Vulnerability assessment software
  - Client-server mode, server only in Unix
  - Uses plugins for tests
Conclusion
- Linux is not secure in default configuration
- Security can be added to a very high level, but must be balanced with functionality
- The correct Linux distribution must be chosen, and minimum installation done
- Patches must be diligently applied
- Syslog logs must be exported and analyzed periodically
- Network services must be kept to a minimum
- Users and groups must be periodically audited
- File/folder access control lists must be set
- File integrity software may be used in high-security installations
- Application-specific security measures are also a must
References
- The Unix Auditor's Practical Handbook, K. K. Mookhey: http://www.nii.co.in/research/papers.html
- Practical Unix and Internet Security, Simson Garfinkel and Gene Spafford
- Linux Security Benchmark: http://www.cisecurity.org/
- Linux Security and Controls, ISACA & K. K. Mookhey: to be available at the ISACA bookstore in the 2nd quarter
About NetIntel
- IT Security Consultancy Firm
  - Penetration Testing
  - Security Auditing
  - Security Training: Unix, Windows, Databases, Ethical Hacking, Intrusion Detection, etc.
  - BS7799 Consultancy
  - Application Security Audit
  - Business Continuity Management
  - Security Implementation & Design
THANK YOU
Questions