A.Davous, 01/02/2009
FOREWORD
There is no absolute security as long as the system is accessed. In system administration, the evil is in the details.
For questions, contact antoine.davous@aviler.com with [ESGI] in the subject field; otherwise the mail will be considered spam by the server rules.
Unix Security Advanced Admin
INTRODUCTION
UNIX FLAVORS
COMMON SENSE RULES OF SECURITY
HOW SECURITY IS COMPROMISED
UNIX DAEMONS, SERVICES AND SERVERS
HANDS-ON : SUN VIRTUAL BOX
WELL-KNOWN EXAMPLES
- Sendmail debug command mode: as sendmail runs setuid root, a user could run any command with root power (try sudo and vi!...)
- Command passwd -f: no control of the entered GECOS field, so a user could add any new line to the password file
- Buffer overflow is a variant: a user can execute shellcode (to get a root shell) previously saved at some memory address, in programs that accept any input without control (exploit)
- More generally, any software that does not control file ownership: you just have to link to any system file
UNIX FLAVORS
Solaris
Linux
For information:
Unix time line: http://www.levenez.com/unix/
Linux distributions time line: http://futurist.se/gldt/gldt76.png
WELL-KNOWN ATTACKS
Name                             | Category       | Definition
Sniffing                         | Network        | Get information from network transactions
Spoofing or network masquerading | Network        | Take the identity of someone else
Denial of service                | Network        |
Replaying                        | Authentication | Replay an abusive authentication or transaction
Repudiation                      | Authentication | Reject an authentication or transaction
Spam                             | Mail           | Undesirable mail
Phishing                         | Mail           | Disguised mail to get confidential data
Hoax                             | Mail           | Joke with more or less consequences
Dictionary                       | Password       |
STRATEGIES
Strategies:
- Accept the threat but have a recovery plan
- Reduce the threat by appropriate means
- Transfer the threat to a vendor
- Bypass the threat by blocking access
Understanding is key: example of mail user privilege
Protect all layers: example of firewalls
Reduce the exposed surface
Protect, but also detect and answer: administrate!
Security is, or must be, part of conception, operation and deployment
HOW TO DO
In-depth (passive) protection:
- Physical premises access
- Network filtering
- Passwords
- Encryption
- Backup
(Active) security process:
- Monitor and add corrections
- Full audit
- Upgrade
SECURED DESIGN
Open design or secret design debate (hidden flaws, issues discovered by the community, provocation to exploits)
Common breaches:
- Least user access (chroot as a solution)
- Buffer overflow
- printf function (conversion keys inserted into the format string)
- Web programming (URL forging)
- Transactions, client/server (man-in-the-middle; encryption and hashing as solutions)
REMINDER : PROCESSES
Processes have four identities: real (for accounting) and effective (for access permissions) UID and GID; usually the same, except with the setuid or setgid bit set
Command: ps
Kinds of processes:
- Interactive (controlled with &, ^Z, jobs)
- Batch
- Daemons
init DAEMON
- First process to run after system boot
- Always has PID 1 and is the ancestor of all other processes
- After startup, init consults /etc/inittab (or /etc/ttys on BSD) to determine on which physical ports it should expect users to log in (getty processes, even though network daemons are in wide use today, or xdm for the graphical interface)
- Also takes care of zombie processes (not running but still listed)
- init defines run levels (passed to it as an argument from the boot loader): 0 to 6 and s (single-user)
- An additional layer is given by the startup scripts in /etc/init.d, linked to start and stop scripts in /etc/rcX.d
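To see what the rcX.d layer described above actually does at a given run level, here is an added example (not part of the course slides): it reads the K/S links of an rcX.d directory in the order init processes them. The rc root is a parameter, and the sample tree it runs against is constructed in a temporary directory, not taken from a real system.

```shell
#!/bin/sh
# Added example, not part of the course slides: show which services init
# would stop (K links) and start (S links) at a given run level by reading
# the links in rcX.d, in the sequence-number order init uses. The rc root
# is a parameter so the function can be run against a constructed sample
# tree instead of the real /etc.

rc_plan() {
    level="$1"
    root="${2:-/etc}"
    dir="$root/rc$level.d"
    if [ ! -d "$dir" ]; then
        echo "no such run level directory: $dir" >&2
        return 1
    fi
    # init runs the K links first (with 'stop'), then the S links (with
    # 'start'); within each group the two-digit sequence number decides order.
    for prefix in K S; do
        for link in "$dir/$prefix"[0-9][0-9]*; do
            [ -e "$link" ] || [ -L "$link" ] || continue
            name=$(basename "$link")
            seq=${name#?}; seq=${seq%%[!0-9]*}   # digits after K or S
            svc=${name#"$prefix$seq"}            # service name after the digits
            target=$(readlink "$link" 2>/dev/null || echo "$link")
            [ "$prefix" = K ] && action=stop || action=start
            printf '%s %s %s -> %s\n' "$seq" "$action" "$svc" "$target"
        done
    done
}

# Constructed sample tree (not a real system): one service stopped and one
# started at run level 3, linked to scripts in init.d like the real layout.
build_sample_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/init.d" "$tmp/rc3.d"
    for s in sendmail sshd; do
        printf '#!/bin/sh\necho %s "$1"\n' "$s" > "$tmp/init.d/$s"
        chmod 755 "$tmp/init.d/$s"
    done
    ln -s ../init.d/sendmail "$tmp/rc3.d/K30sendmail"
    ln -s ../init.d/sshd "$tmp/rc3.d/S55sshd"
    echo "$tmp"
}

sample=$(build_sample_tree)
rc_plan 3 "$sample"
```

Run it as `rc_plan 3` with no second argument to list the real /etc/rc3.d; every S link it prints is a service exposed at that level, which is the list to trim when reducing the exposed surface.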
REMINDER : BOOTING / SHUTTING DOWN
Solaris SPARC
- Boot: PROM (device detection), access with STOP-A; boot -s : single-user; boot -r : reconfigure; see ls -l /dev/rdsk/c0t0d0s0
- Kernel loading and initialization
- Execution of startup scripts: level 0 : shut down (init 0) - level 1 or S : single user (init s) - level 6 : reboot (init 6)
- Scripts management: none, or see 5.10; configuration: /etc/default
- Shutdown: /usr/sbin/shutdown -g secs -i6 (reboot); /usr/sbin/shutdown -g secs -i0 (shut down); /usr/sbin/shutdown -g secs -iS (single user)
Solaris x86/64
- Boot loader (GRUB since 5.10, see /boot/grub/menu.lst); boot -s : single-user; boot -r : reconfigure; see ls -l /dev/rdsk/c0t0d0s0
- Kernel loading and initialization
- Execution of startup scripts: same run levels as Solaris SPARC
- Scripts management: none, or see 5.10; configuration: /etc/default
- Shutdown: same commands as Solaris SPARC
Linux (Fedora Core)
- Boot loader (GRUB, see /boot/grub/menu.lst)
- Kernel loading and initialization
- Execution of startup scripts: level 0 : shut down (init 0) - level 1 or S : single user (init s) - level 6 : reboot (init 6)
- Scripts management: chkconfig; configuration: /etc/sysconfig
- Shutdown: /usr/sbin/shutdown -r secs (reboot); /usr/sbin/shutdown -h secs (shut down); /usr/sbin/shutdown -f secs (skip scandisk)
A.Davous, 17/09/2008
OTHER CONCEPTS
Command dmesg
Core dump: ulimit -c
PATH:
- try not to modify the root profile PATH variable
- do not set an empty entry or . in the PATH variable
- in scripts (and configurations like cron), always use full paths for commands (as variables at the beginning)
Disk quotas may be used to isolate an application (vs. their original purpose)
vi and other editors: dump file feature
History of shell commands
who -r
cp -p
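The PATH rules above, as an added example that is not from the course: a script that fixes its own PATH at the top and then audits a PATH value for the empty and "." entries the slide warns about. It goes a little beyond the slide by also flagging relative entries and world-writable directories, which let anyone plant a command in the same way; the sample PATH values are constructed.

```shell
#!/bin/sh
# Added example, not from the course: audit a PATH value for the mistakes
# listed above. An empty entry or "." makes the shell search the current
# directory, so a binary dropped there shadows a system command. Relative
# entries and world-writable directories (not on the slide) have the same
# effect and are flagged too.

# Recommended script hygiene: remember the caller's PATH, then fix PATH at
# the top (or name full command paths in variables) so the script does not
# depend on what it inherited.
caller_path=$PATH
PATH=/usr/bin:/bin:/usr/sbin:/sbin
export PATH

# check_path PATHVALUE: prints one line per unsafe entry, returns 0 if the
# value is clean and 1 otherwise.
check_path() {
    rest="$1:"          # trailing sentinel so the last entry is processed
    rc=0
    n=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        n=$((n + 1))
        case "$entry" in
            "")    echo "entry $n: empty (current directory)"; rc=1 ;;
            .|./*) echo "entry $n: '$entry' (current directory)"; rc=1 ;;
            /*)
                # -prune keeps find on the directory itself; -perm -0002
                # matches a directory anyone can write to.
                if [ -d "$entry" ] && [ -n "$(find "$entry" -prune -perm -0002 -print 2>/dev/null)" ]; then
                    echo "entry $n: '$entry' is world-writable"; rc=1
                fi ;;
            *)     echo "entry $n: relative '$entry'"; rc=1 ;;
        esac
    done
    return $rc
}

# Audit the PATH the script was started with.
if check_path "$caller_path"; then
    echo "PATH is clean"
fi
```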
Crack
Locations: /usr/share/crack ; /usr/libexec/crack ; /usr/bin
Quick-start commands:
# umask 077
# ~/scripts/shadmrg.sv /etc/passwd /etc/shadow > /root/unshadp
# Crack -nice 5 /root/unshadp
# CrackReporter
Results in the ~/run directory
John the Ripper
Locations: /usr/share/john ; /usr/libexec/john
Quick-start commands:
# umask 077
# unshadow /etc/passwd /etc/shadow > /root/unshadp
# john [--rules --wordfile=FILE] /root/unshadp
Results in ~/john.pot
Simplest procedure using single-user mode (case of Fedora 10):
- At the GRUB screen, edit the current boot line (e)
- Edit the kernel line (e) by adding single at the end (single-user mode)
- Save and boot (b)
- The passwd command can then be entered with root privileges to reset the root password
Solaris vs. Linux
USEFUL LINKS
Secure Programming for Linux and Unix HOWTO: http://www.dwheeler.com/secure-programs/
Perl packages and more: www.cpan.org
Sun's JASS Solaris Security Toolkit: http://www.sun.com/software/security/jass
Quick Reference Cards, useful for those related to Unix: http://www.digilife.be/quickreferences/quickrefs.htm
CERT security information
AusCERT Unix and Linux Security Checklist v3.0
RADCOM protocols.com web site (protocols map)
WORTH READING
Unix System Administration Handbook, Evi Nemeth, Garth Snyder, Scott Seebass, Trent R. Hein, Prentice Hall
Essential System Administration, Aeleen Frisch, O'Reilly
TCP/IP Illustrated, Richard Stevens
TCP/IP Network Administration, Craig Hunt, O'Reilly
http://www.chiark.greenend.org.uk/~sg
http://www.straightrunning.com/Xming
http://www.virtualbox.org/
http://neosmart.net/
http://jakarta.apache.org/jmeter/