Abstract: This lecture is about adding a layer of protection beyond proper configuration of the OS and applications. This layer of protection consists of tools that help detect changes in the system and monitor (suspicious) system activity.
Fortification is the addition of packages to improve security. It should be done after a system has been properly configured with the supplied components. Fortification frequently discards a supplied component in favour of a carefully chosen added one; somewhat more rarely, it involves deleting components outright. In our discussion we postpone certain "fortification" items as "hardening" items, even though we cannot offer a rigorous definition distinguishing the two terms.
Of the many fortification suggestions made in this lecture, virus scanners are probably the item most people have already experienced. Windows-based virus scanners detect not only viruses but also Trojans and rootkits, and are often integrity checkers as well.
Loadable kernel modules (LKM) bring run-time modularity to Linux: device drivers and other components are loaded only when needed, keeping the core kernel small. On the negative side, an LKM is the easiest and most "elegant" way to modify the running kernel. On a modular kernel, an attacker who has gained root (strictly, CAP_SYS_MODULE) can insert a rootkit module and through it modify any part of the kernel. Typically an LKM rootkit redirects system calls to the attacker's own implementation and unlinks itself from the kernel's module list so that lsmod does not show it. Requiring signed modules (CONFIG_MODULE_SIG_FORCE) or building the kernel without module support removes this avenue.
The character device /dev/kmem is an image of the kernel's virtual memory. Through it an attacker can modify the kernel's text or data and drastically change the kernel's behaviour without loading a module at all. /dev/mem, which gives direct access to physical memory, and /dev/port, which gives access to I/O ports, can be exploited similarly. Current kernels restrict /dev/mem to non-kernel ranges (CONFIG_STRICT_DEVMEM) and dropped /dev/kmem altogether in Linux 5.13.
Unless a file system auditor is in place, rootkits are not easy to spot after installation. The time to be alert is while they are being installed.
apt-get install chkrootkit rkhunter unhide
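As an added example (not part of these notes, and not code from chkrootkit or rkhunter), the following shell script performs one of the checks such tools make: it looks for modules that still have a sysfs entry but have unlinked themselves from the module list the kernel reports in /proc/modules, which is the usual way an LKM rootkit hides from lsmod. The sample sysfs tree and /proc/modules contents are constructed, and evil_lkm is a hypothetical module name.

```sh
#!/bin/sh
# Added example, not from the lecture notes: report kernel modules that have a
# live sysfs entry but are missing from /proc/modules. The sample tree below is
# constructed; "evil_lkm" is a hypothetical module name.
set -eu
WORK=$(mktemp -d)

# hidden_modules PROC_MODULES SYS_MODULE_DIR
# A loaded module has /sys/module/<name>/initstate (built-in ones only have
# parameters); print every such name that PROC_MODULES does not list.
hidden_modules() {
    for dir in "$2"/*/; do
        [ -f "${dir}initstate" ] || continue
        name=$(basename "$dir")
        grep -q "^$name " "$1" || echo "$name"
    done
    return 0
}

# Constructed sample: sysfs knows three live modules (plus built-in printk,
# which has a directory but no initstate); /proc/modules admits to only two.
for m in ext4 e1000 evil_lkm; do
    mkdir -p "$WORK/sys/module/$m"
    echo live > "$WORK/sys/module/$m/initstate"
done
mkdir -p "$WORK/sys/module/printk"
printf '%s\n' 'ext4 802816 2 - Live 0xffffffffc0a00000' \
              'e1000 151552 0 - Live 0xffffffffc0900000' > "$WORK/proc_modules"

hidden_modules "$WORK/proc_modules" "$WORK/sys/module"   # evil_lkm

# On a real host, compare the kernel's own two views of itself:
hidden_modules /proc/modules /sys/module
```

A rootkit that also deletes its sysfs kobject evades this particular comparison, which is why rkhunter, chkrootkit and unhide cross-check several views (sysfs, /proc, /proc/kallsyms, the process table) rather than one.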
Look up Kerberos.
Read https://help.ubuntu.com/community/LDAPClientAuthentication
apt-get install munge otp john
"A process creates a credential by requesting one from the local MUNGE service. The encoded credential contains the UID and GID of the originating process. This process sends the credential to another process within the security realm as a means of proving its identity. The receiving process validates the credential with the use of its local MUNGE service. The decoded credential provides the receiving process with a reliable means of ascertaining the UID and GID of the originating process, and this information can be used for accounting or access control decisions."
otp == One Time Passwords; john is the John the Ripper password cracker, included so that you can audit your own password file for weak passwords before an intruder does.
Capture the output of ps aux and examine all processes periodically. The exact list depends on the (Linux) distribution. From one boot to the next, the first few processes (init and the kernel threads) keep the same pids; the rest get higher or lower pids depending on what the boot scripts start, and with the parallel start-up of modern init systems they can differ between boots even when nothing has changed. So once the boot scripts have stabilized, record the full list keyed by user and command (not only by pid), and expect it to remain unchanged until the scripts change again.
You should also check that every process owned by user "nobody" is running a program explicitly identified as legitimate for untrusted, unverified, remote users, and that each process belonging to any other non-root system user (daemon, www-data, and so on) is explicitly identified as legitimate for that user in this environment.
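As an added example (not from these notes), a shell script that makes the two checks above mechanical: a baseline-and-diff of the process list keyed on user and command rather than pid, and an allowlist check for everything running as a non-root system user. The listings and the allowlist are constructed sample data in the "pid user comm" format that the snapshot function produces with ps -eo.

```sh
#!/bin/sh
# Added example, not from the lecture notes: compare a process snapshot against a
# recorded baseline by (user, command), and flag non-root system-user processes
# that are not on an explicit allowlist. Sample listings below are constructed.
set -eu
WORK=$(mktemp -d)

# Live snapshot in the "pid user comm" format the checks expect. Run it once
# after the boot scripts have stabilized to create the baseline, then
# periodically to produce the current listing.
snapshot_ps() {
    ps -eo pid,user,comm --no-headers | sort -n
}

# Constructed sample data: a baseline, a later snapshot (dnsmasq and apache2
# came up with different pids, which is normal and is not flagged), and the
# allowlist of what each non-root system user may legitimately run.
printf '%s\n' '1 root systemd' '2 root kthreadd' '812 nobody dnsmasq' '901 www-data apache2' > "$WORK/baseline"
printf '%s\n' '1 root systemd' '2 root kthreadd' '815 nobody dnsmasq' '903 www-data apache2' '1337 nobody nc' > "$WORK/current"
printf '%s\n' 'nobody dnsmasq' 'www-data apache2' > "$WORK/allowed"

# new_processes BASELINE CURRENT: lines of CURRENT whose user+command pair never
# appeared in BASELINE. Keyed on FILENAME rather than NR==FNR so that an empty
# baseline file still behaves correctly.
new_processes() {
    awk 'FILENAME == ARGV[1] { seen[$2 " " $3] = 1; next }
         !(($2 " " $3) in seen)' "$1" "$2"
}

# unexpected_system_users ALLOWLIST CURRENT: non-root processes in CURRENT whose
# user+command pair is not explicitly allowed for that user.
unexpected_system_users() {
    awk 'FILENAME == ARGV[1] { ok[$1 " " $2] = 1; next }
         $2 != "root" && !(($2 " " $3) in ok)' "$1" "$2"
}

new_processes "$WORK/baseline" "$WORK/current"           # 1337 nobody nc
unexpected_system_users "$WORK/allowed" "$WORK/current"  # 1337 nobody nc
```

Keep the baseline and allowlist files somewhere the intruder cannot quietly edit them (read-only media or another host), for the same reason the integrity-checker databases discussed below are kept off-box.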
Intruders often replace binaries with their own Trojan versions. Many system administrators relied on time stamps and checksums to determine when a binary file had been modified, but it is fairly simple to give the Trojan the same time stamp as the original. For example, touch -r /bin/login trojan copies the original's times onto the Trojan (if your touch lacks -r, a few lines of C around utime(2) do the same). Alternatively, the attacker sets the system clock back to the original file's time, touches the Trojan so it picks up that time, and then resets the clock; this also defeats ctime, which touch cannot set directly. Simple checksum programs rely on a CRC and are easily spoofed: a CRC is linear, so a few bytes appended to the Trojan make it match any target value. Cryptographic hashes are designed to resist exactly this, and that technology is behind the well known Tripwire (and its open-source relative AIDE). The MD5 these notes originally recommended was unbroken when they were written, but practical MD5 collisions have been public since 2004, so configure the baseline to use SHA-256 or stronger.
apt-get install tripwire systraq
Systraq consists of a few very small shell scripts, run daily, that warn when system files change.
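As an added example (not from these notes, and not Tripwire's or systraq's code), the shell script below reproduces the argument above on constructed files in a temporary directory: touch -r gives the Trojan the original's modification time, so a timestamp comparison reports nothing, while a SHA-256 baseline taken earlier still catches the swap.

```sh
#!/bin/sh
# Added example, not from the lecture notes: show that touch -r defeats a
# timestamp check while a SHA-256 baseline still catches the swapped binary.
# Constructed stand-in files in a temp directory replace /bin/login.
set -eu
WORK=$(mktemp -d)

hash_file() { sha256sum "$1" | awk '{ print $1 }'; }
mtime_of()  { stat -c %Y "$1"; }     # GNU stat: mtime in seconds since the epoch

# The "stock" binary, carrying the old modification time a distribution file has.
printf 'original login binary\n' > "$WORK/login"
touch -t 200101010000 "$WORK/login"

# Baseline taken while the system is still trusted (in essence what
# Tripwire or AIDE store in their database).
BASE_HASH=$(hash_file "$WORK/login")
BASE_MTIME=$(mtime_of "$WORK/login")

# The intruder's replacement, given the original's times with touch -r before
# it is moved into place. Renaming within a directory keeps the inode's mtime.
install_trojan() {
    printf 'trojaned login binary\n' > "$WORK/login.trojan"
    touch -r "$WORK/login" "$WORK/login.trojan"
    mv "$WORK/login.trojan" "$WORK/login"
}

# The two checks an auditor might run against the baseline.
mtime_check() { [ "$(mtime_of "$WORK/login")" = "$BASE_MTIME" ] && echo unchanged || echo changed; }
hash_check()  { [ "$(hash_file "$WORK/login")" = "$BASE_HASH" ] && echo unchanged || echo changed; }

install_trojan
mtime_check   # unchanged: the timestamp check is fooled
hash_check    # changed: the hash check is not
```

The hash catches the swap only if the baseline itself is trustworthy, so keep the baseline database and the checker binary on read-only or off-box storage, exactly as the Tripwire documentation insists; a baseline stored on the compromised host can simply be regenerated by the intruder.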
A few open-source activity monitoring programs (including intrusion detection/prevention tools) are described below.
Snort can be used as a packet sniffer like tcpdump, as a packet logger, or as a network intrusion detection/prevention system. Its rule-based engine can detect buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, etc.
Firewalls: iptables and a GUI front end are standard in Linux distributions (nftables has since replaced iptables as the kernel's packet-filter interface, with iptables-nft as a compatibility layer). Consider installing shorewall and webmin.
apt-get install tiger
Tiger "is a set of Bourne shell scripts, C programs and data files which are used to perform a security audit of unix/Linux systems."
xinetd: "xinetd has access control mechanisms, extensive logging capabilities, the ability to make services available based on time, and can place limits on the number of servers that can be started, among other things. It has the ability to redirect TCP streams to a remote host and port. This is useful for those of us that use IP masquerading, or NAT, and want to be able to reach your internal hosts. It also has the ability to bind specific services to specific interfaces. This is useful when you want to make services available for your internal network, but not the rest of the world. Or to have a different service running on the same port, but different interfaces."
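As an added example (not from these notes or the xinetd documentation), two /etc/xinetd.d stanzas exercising the controls just quoted. The addresses, the working hours and the limits are placeholders; the two telnet stanzas are alternatives, the first being the permissive stock form and the second the fortified one.

```conf
# /etc/xinetd.d/telnet -- hypothetical example; addresses and limits are placeholders.
# Before: accepts connections from anywhere, on every interface, at any time,
# with no limit on concurrent servers. (Install only one of the two telnet stanzas.)
service telnet
{
        disable         = no
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
}

# After: bound to the internal interface, restricted to the internal network,
# one host excluded, available only during working hours, limited in instances
# and connection rate, and fully logged to syslog's authpriv facility.
service telnet
{
        disable         = no
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        bind            = 192.168.1.1
        only_from       = 192.168.1.0/24
        no_access       = 192.168.1.250
        access_times    = 08:00-18:00
        instances       = 10
        per_source      = 2
        cps             = 25 30
        log_type        = SYSLOG authpriv info
        log_on_success  = PID HOST EXIT DURATION
        log_on_failure  = HOST ATTEMPT
}

# /etc/xinetd.d/ssh-inside -- the "redirect" feature: a port on the public
# interface forwarded to an internal host behind NAT, for one remote network only.
service ssh-inside
{
        disable         = no
        type            = UNLISTED
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = nobody
        port            = 2222
        bind            = 203.0.113.1
        only_from       = 198.51.100.0/24
        redirect        = 192.168.1.20 22
}
```

After editing, reload with the service's reload command (or send xinetd SIGHUP) and confirm from both an allowed and a disallowed address that the log_on_failure entries appear in the authpriv log.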
TCP Wrapper: When a potentially insecure service must be run, tcp_wrappers should be used to "wrap" it. The wrapper (tcpd) does more detailed logging and better access-control checking by wrapping itself around the normal network daemons configured in inetd.conf, consulting /etc/hosts.allow and /etc/hosts.deny before handing over the connection. The tcpd shipped with Linux is the current version of the TCP Wrapper. Note that a daemon started on its own rather than from inetd honours these files only if it is linked against libwrap; OpenSSH removed libwrap support in version 6.7, so on newer systems sshd ignores them and its own Match/AllowUsers rules or a firewall must be used instead.
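As an added example (not from these notes), the default-deny pair of files that gives a wrapped daemon the access control described above. The networks are placeholders. hosts.allow is consulted first, so the deny file only needs the catch-all.

```conf
# /etc/hosts.deny -- reached only if nothing in hosts.allow matched
ALL: ALL

# /etc/hosts.allow -- explicit allow list; daemon name is the argv[0] tcpd sees
sshd:    192.168.1. , 10.0.0.0/255.0.0.0
in.ftpd: 192.168.1.
ALL:     127.0.0.1
```

Check the rules without waiting for a real connection: tcpdchk reports syntax errors and daemons named in the files that inetd.conf does not know, and tcpdmatch sshd 203.0.113.5 shows which rule a given client would hit.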
ifstatus is a standalone program that checks for interfaces in promiscuous mode, the usual sign that a sniffer is running. It is available from ftp://coast.cs.purdue.edu/pub/tools/unix/ifstatus
dtk, the "Deception Toolkit", is a kit of fake daemons and services designed to waste an intruder's time. dtk is available from all.net/dtk/example.html
Bastille Linux is a series of scripts that tighten security on a stock Linux system by changing permissions and disabling features.
Network Information Service (NIS) has been the source of many weaknesses: any host that knows (or guesses) the NIS domain name can pull the password map, unencrypted, with ypcat. Distributing the same files with rsync over SSH is often a better replacement.
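As an added example (not from these notes, and not ifstatus's code), a shell equivalent for current kernels: the interface flags word is exposed in hex under /sys/class/net, and promiscuous mode is the IFF_PROMISC bit (0x100) of that word. The sample flag values are constructed.

```sh
#!/bin/sh
# Added example, not from the lecture notes: a stand-in for ifstatus that reads
# each interface's flags word from sysfs and tests the IFF_PROMISC bit.
set -eu

IFF_PROMISC=256   # 0x100 in linux/if.h; /sys/class/net/<if>/flags prints the word in hex

# is_promisc HEXFLAGS: "yes" if the promiscuous bit is set, otherwise "no".
is_promisc() {
    if [ $(( $1 & $IFF_PROMISC )) -ne 0 ]; then echo yes; else echo no; fi
}

# promiscuous_interfaces: names of all interfaces currently in promiscuous mode.
promiscuous_interfaces() {
    for f in /sys/class/net/*/flags; do
        [ -r "$f" ] || continue
        [ "$(is_promisc "$(cat "$f")")" = yes ] && basename "$(dirname "$f")"
    done
    return 0
}

is_promisc 0x1103    # yes: UP|BROADCAST|PROMISC|MULTICAST, what eth0 shows while tcpdump runs
is_promisc 0x1003    # no:  the same interface with the sniffer stopped
promiscuous_interfaces
```

ip link show prints PROMISC from the same flags word, so the two agree; a rootkit that hides a sniffer has to falsify the kernel's view, which is why a check from a known-good boot medium is the final word.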
Logs produced by the kernel (via klogd), syslogd, tcpd and the various services become so large that it is humanly impossible to scan them for suspicious activity and decide where to take a closer look. A few well known log analyzers are listed below.
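As an added example (not from these notes, and not the code of any of the analyzers), the kind of reduction a log analyzer performs, written as two awk pipelines over a constructed auth.log excerpt in the sshd syslog format: failed logins counted per source address, and sources that were eventually granted a login after repeated failures, which is the pattern worth a closer look.

```sh
#!/bin/sh
# Added example, not from the lecture notes: reduce sshd log lines to per-source
# failure counts and to "many failures, then success" events. Log lines are constructed.
set -eu
WORK=$(mktemp -d)

cat > "$WORK/auth.log" <<'EOF'
Mar  3 02:11:04 host sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 02:11:06 host sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 02:11:09 host sshd[4122]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 02:11:10 host sshd[4125]: Accepted publickey for alice from 192.0.2.10 port 40211 ssh2
Mar  3 02:11:12 host sshd[4127]: Failed password for root from 198.51.100.4 port 33000 ssh2
Mar  3 02:11:15 host sshd[4122]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 02:11:20 host sshd[4130]: Accepted password for root from 203.0.113.7 port 51044 ssh2
EOF

# failed_by_source LOG: "count address" per source, most failures first.
# The address is the field after "from", so the "invalid user" variant
# (which shifts the columns) is handled without a second pattern.
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1)
        }' "$1" | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# success_after_failures LOG MIN: "address user" for every accepted login whose
# source had already failed at least MIN times earlier in the log.
success_after_failures() {
    awk -v min="$2" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i+1)]++
        }
        /sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = $(i+1)
                if ($i == "from") src  = $(i+1)
            }
            if (fails[src] >= min) print src, user
        }' "$1"
}

failed_by_source "$WORK/auth.log"            # 4 203.0.113.7 / 1 198.51.100.4
success_after_failures "$WORK/auth.log" 3    # 203.0.113.7 root
```

Run against the real file (journalctl -u ssh --no-pager, or /var/log/auth.log) the second report is short enough to read every morning, which is the whole point of an analyzer.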
The kernels supplied in distributions are generic and security-wise permissive. It is possible to recompile the kernel from the same source the distributor used, but with a different selection of components, building what the machine needs into the vmlinuz binary instead of as dynamically loadable modules. Disabling module loading altogether (CONFIG_MODULES=n), or requiring signed modules (CONFIG_MODULE_SIG_FORCE=y), closes the LKM rootkit avenue described earlier.
POSIX capabilities (Pcaps) divide the privileges traditionally granted to the root user into separate units, attached to processes (and, since Linux 2.6.24, to files) instead of to users. They can turn a setuid-root file into one with minimum privileges, run a daemon with uid=0 but almost no superuser privileges, and so on. Capabilities have been in the Linux kernel since 2.2 (file capabilities since 2.6.24); capsh, getpcaps, getcap and setcap are some of the tools.
The table below presents the Pcaps needed by a few typical setuid-root binaries. The CAP names and their numbers are defined in /usr/include/linux/capability.h.
| ping | CAP_NET_RAW (13) |
| traceroute | CAP_NET_RAW (13) |
| chsh | CAP_CHOWN (0), CAP_DAC_READ_SEARCH (2), CAP_FSETID (4), CAP_SETUID (7) |
| chfn | CAP_CHOWN (0), CAP_DAC_READ_SEARCH (2), CAP_FSETID (4), CAP_SETUID (7) |
| chage | CAP_DAC_READ_SEARCH (2) |
| passwd | CAP_CHOWN (0), CAP_DAC_OVERRIDE (1), CAP_FOWNER (3) |
| mount | CAP_DAC_OVERRIDE (1), CAP_SYS_ADMIN (21) |
| umount | CAP_DAC_OVERRIDE (1), CAP_SYS_ADMIN (21) |
To convert chsh, for example, remove the setuid bit and attach the capabilities from the table to the file: chmod u-s /usr/bin/chsh; setcap 0,2,4,7=ep /usr/bin/chsh (or, equivalently and more readably, setcap cap_chown,cap_dac_read_search,cap_fsetid,cap_setuid=ep /usr/bin/chsh; "=ep" sets the effective and permitted flags). Verify with getcap /usr/bin/chsh. File capabilities are stored in an extended attribute, so they need a filesystem with xattr support and are lost whenever a package upgrade replaces the binary; re-apply them after updates.
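As an added example (not from these notes, and not part of libcap), a shell decoder for the hex capability masks the kernel prints in /proc/<pid>/status, using the numbering from capability.h. It lets you confirm that a daemon running as uid 0 really has been reduced to the few capabilities intended, without trusting a tool that might itself have been replaced. The name list covers capabilities 0 to 40 of current kernels; the sample masks are taken from the table above.

```sh
#!/bin/sh
# Added example, not from the lecture notes: decode CapEff/CapPrm-style hex masks
# into capability names, and apply it to a running process.
set -eu

# Capability names in numeric order: the position in this list is the number
# from /usr/include/linux/capability.h (0 = cap_chown ... 40 = cap_checkpoint_restore).
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap \
linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner \
sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice \
sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap \
mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore"

# decode_caps HEXMASK: one "cap_<name>(<number>)" line per set bit, lowest first.
# HEXMASK is the bare hex word from /proc/<pid>/status, e.g. 0000000000002000.
decode_caps() {
    mask="0x$1"; i=0
    for name in $CAP_NAMES; do
        if [ $(( ($mask >> $i) & 1 )) -eq 1 ]; then
            echo "cap_${name}($i)"
        fi
        i=$((i + 1))
    done
}

# effective_caps PID: decode the effective set of a running process.
effective_caps() {
    decode_caps "$(awk '/^CapEff:/ { print $2 }' "/proc/$1/status")"
}

decode_caps 0000000000002000    # cap_net_raw(13), what ping needs
decode_caps 0000000000000095    # chown(0) dac_read_search(2) fsetid(4) setuid(7), the chsh set
decode_caps 0000000000200002    # dac_override(1) sys_admin(21), the mount set

# A daemon confined as the text describes should show only a handful of lines
# here; an unconfined root process shows all 41.
if [ -r "/proc/$$/status" ]; then
    effective_caps $$
fi
```

getpcaps and capsh --decode print the same information from libcap's own tables; the point of a ten-line decoder is that it relies on nothing but the kernel's /proc text.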
All work should be carried out in Operating Systems and Internet Security (OSIS) Lab, 429 Russ. Use any of the PCs numbered 23 to 30. No other WSU facilities are allowed.
Objective: Experience a file system audit tool.