
Unix for Security Professionals


DOCUMENT INFORMATION

Basic information

Title: Unix For Security Professionals
Author: Hal Pomeranz
Institution: SANS Institute
Subject: Security
Type: Course
Year published: 2001
City: Oakland
Format:
Pages: 30
Size: 435.17 KB


Contents


Page 1

Unix Security - SANS ©2001 1

Unix for Security Professionals

Security Essentials The SANS Institute

All material in this course Copyright © Hal Pomeranz and Deer Run Associates, 2000-2001 All rights reserved

Hal Pomeranz * Founder/CEO * hal@deer-run.com

Deer Run Associates * PO Box 20370 * Oakland, CA 94620-0370

+1 510-339-7740 (voice) * +1 510-339-3941 (fax)

http://www.deer-run.com/

Page 2

Agenda

• A Brief History of Unix

• Booting Unix

• The Unix File System

• Manipulating Files and Directories

• Unix Privileges

This page intentionally left blank

Page 3 (blank)

Page 4

Unix Backups

This section covers the basic utilities for backing up Unix systems: enough to help you make an emergency backup (and restore the data later), or to make a backup of a compromised system for later forensic analysis.

A great deal of time, energy, and thought has been put towards the subject of enterprise-wide backups for large organizations, but these issues are beyond the scope of this presentation. For a good introduction to the larger world of Unix backups, see:

Nemeth et al., Unix System Administration Handbook, Prentice Hall, ISBN 0-13-151051-7

Page 5

Three Options

• tar – Portable archive format, easy to use, good for quick backups

• dump/restore – standard full-featured Unix backup utilities

• dd – Copies raw file system information, can capture "deleted" data

There are several different commands available under Unix for archiving and later restoring files. Which one you choose depends a lot on your situation and your reason for making the archive.

• The tar (tape archive) command takes a list of files and/or directories and gathers them together into a single file, which can be written to tape or disk. The tar archive file (usually we just say "tar file") preserves the file owner, group owner, and timestamp information on all files and directories in the archive. The tar archive format is portable, so for example a tar file written on a Linux Intel (little-endian) workstation can be read on a Solaris Sparc (big-endian) system.

• The dump command creates a backup of a Unix partition which can later be recovered using the restore program. dump and restore have all of the features you would want in a normal backup regimen: the ability to do "incremental" backups (back up only the files that have changed since the last backup), split backups across multiple tapes, easily restore both individual files and entire partitions, etc. However, the format of the archive file written by dump is dependent on the OS (Linux and Solaris machines write different dump formats), the processor architecture (big-endian vs. little-endian), and the underlying file system type (Solaris UFS vs. BSD FFS, for example). Generally, it's a good bet that you will be able to read back your dumps only on another system of the same type.

• The dd command is used to copy raw data from one place to another. dd has many uses (some of which we'll cover shortly), but one common use is to dump an image from a raw disk device to tape (or some other location) for forensic analysis. Because dd is blindly copying the raw bits off the disk drive, it will pick up even the currently "unused" data blocks in the file system, which might contain data from files or directories which have been deleted by the attacker.

Page 6

tar

Pro

– Can be used on "active" file systems

– Byte-order independent format

Con

– Can't span multiple volumes

– Various versions have some limitations

tar is the portable archive format for Unix systems. Tar files made on one machine can be read almost anywhere (including by some Windows-based utilities). This is why so much of the software and source code available on the Internet is distributed as tar archives for easy downloading.

tar operates by simply working its way through the list of files and directories that the user specifies on the command line. If one of the targets for the archive is a directory, tar recursively descends through the directory and gathers up all files and subdirectories into the archive. Because tar gathers files and directories "one-by-one", as it were, you can use tar to archive file systems which are currently "active", that is, which have one or more users adding, deleting, or modifying files while the archive is being made (this turns out not to be true for dump).

One downside to tar is that it doesn't handle splitting an archive across multiple tapes (some tar implementations claim to have this feature, but they usually don't work properly). This used to be more of an issue in the old days when tapes didn't hold much information. Of course, it's always possible to make several separate archives which together back up all of your data in pieces that fit on your available media.

Page 7

dump/restore

Pro

– Supports multiple volumes

– Supports "incremental" backups

– "Interactive" mode for restore

Con

– Format is byte-order dependent

– Can get confused if file system is active

– Can only back up one partition at a time

dump and restore are the common utilities for doing normal Unix backups. If a file system is so large that the backup doesn't fit on a single tape, dump will split the backup across multiple tapes automatically.

dump supports the notion of "dump levels", level 0 through level 9. Level 0 means dump everything. Higher dump levels will only dump files that have been modified since the last dump with a lower dump number. For example, if you start off with a level 0 dump and then do a level 5 dump, the level 5 dump only captures the changes since the level 0 dump. If you later do a level 9 dump, then you only get the changes since the level 5 dump. If you follow that with a level 4 dump, you get everything that's changed since the original level 0 dump (and you can throw away or re-use the level 5 and level 9 tapes).

restore can be used to bring back an entire dump, or to selectively restore individual files. restore has a very nice "interactive" mode which allows the administrator to view the files in the dump archive as if they were actually in the Unix file system and selectively mark the files they want to restore (more on this later). Note that a full restore of a lost file system generally means restoring your last level 0 dump and then "overlaying" all active incremental dumps you've made since that time (again, more on this a bit later).

As we mentioned earlier, however, the format of the dump archive is highly system-dependent and not at all portable. Also, dump only works on a single partition at a time, so backing up a complete Unix system generally involves several successive dumps. The big problem with dump, though, is that it actually dumps the file system in several "passes". The first pass maps the file system, the next pass dumps the directory structure to tape, and the final pass backs up the actual file contents. If the file system changes while the dump is being performed, your backup may actually be corrupted and useless. This is why dumps should be performed late at night when nobody is using the system, or in "single-user" mode by an admin on the console of the system.
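The two rules above (a level-N dump captures everything since the most recent dump with a lower level, and a full restore overlays the level 0 plus the chain of incrementals that are still "active") are easy to get wrong by hand. The following is an added example, not code from the SANS notes or from dump itself: a toy model in sh and awk where a backup history is written as the list of levels in the order the dumps were taken (a stand-in for /etc/dumpdates), and two functions answer "which dump is this one taken against?" and "which tapes does a full restore need?". The histories used are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the SANS notes: a toy model of the dump level
# rules.  A backup history is a space-separated list of levels in the order
# the dumps were taken (a stand-in for /etc/dumpdates), e.g. "0 5 9 4".
# Uses only sh and awk.

# Which earlier dump would a new dump at level $1 be taken against, given
# history $2?  Prints the 1-based position of the most recent dump with a
# strictly lower level (0 means none: a level-0 dump is needed first).
base_of() {
    echo "$2" | awk -v lvl="$1" '{
        base = 0
        for (i = 1; i <= NF; i++) if ($i < lvl) base = i
        print base
    }'
}

# Which tapes does a full restore overlay?  Prints "position:level" pairs,
# oldest first: start from the most recent dump, jump to the dump it was
# taken against, and repeat until the level-0 dump is reached.  Dumps not
# on this chain (the 5 and the 9 in "0 5 9 4") are superseded and their
# tapes can be re-used, exactly as the notes say.
restore_chain() {
    echo "$1" | awk '{
        chain = ""
        i = NF
        while (i > 0) {
            entry = i ":" $i
            chain = (chain == "") ? entry : entry " " chain
            if ($i == 0) break
            lvl = $i
            j = i - 1
            while (j > 0 && $j >= lvl) j--
            i = j
        }
        print chain
    }'
}

# Worked example from the text: level 0, then 5, then 9, then 4.
hist="0 5 9 4"
echo "a level 4 dump after '0 5 9' is taken against dump #$(base_of 4 "0 5 9")"
echo "full restore of '$hist' overlays: $(restore_chain "$hist")"
echo "full restore of '0 5 9' overlays:   $(restore_chain "0 5 9")"
```

Running it prints `1:0 4:4` for the "0 5 9 4" history (restore the level 0, then the level 4) and `1:0 2:5 3:9` for "0 5 9" (all three tapes are still active). A history with no level 0 yields a chain that never reaches a full dump, which is the case the "u" option and /etc/dumpdates are there to prevent.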

Page 8

interpret the data. The plus side is that dd captures everything, even data that other archiving programs might miss. This makes dd a useful tool when performing forensic analysis on

Page 9

Digression: Tape Devices

Examples:

/dev/nrst0 First tape device, raw, no rewind

/dev/rst1 Second tape device, raw mode

/dev/st0 First tape device, "blocked" mode

are generally accessed via /dev/mt? ("mt" for "magnetic tape"). The number after the "st" specifies a particular tape device. The first tape drive is /dev/st0, the second tape drive /dev/st1, and so on.

The letters before the "st?" specify tape handling options. An "r" means that data is read from or written to the tape one byte at a time ("raw mode"), rather than in blocks of data. The standard Unix backup utilities all use raw mode when accessing tapes. Generally, if you make a mistake and don't specify the raw tape device, the backup utility you're using will transparently grab the raw tape device instead.

The "n" specifies "no rewind" mode. By default, any time you access a tape on a Unix system, the tape will rewind to the beginning before your command is executed and again once the operation you're performing is completed. However, suppose you wanted to dump several partitions onto a single large tape. If the tape rewound after each dump, then each dump would overwrite the one before it (and, trust me, plenty of sites have been burned by this throughout the history of Unix)! It's generally a good practice to always specify the no-rewind tape device unless you're absolutely certain of what you're doing. We'll talk about commands for rewinding and repositioning tapes at the end of this section.

Note that SYSV machines (notably Solaris) use a different device naming scheme for tapes. Raw tape devices are found under /dev/rmt/? (even if the tape is a SCSI tape), and the no-rewind option appears after the tape instance number, e.g., /dev/rmt/0n.

Page 10

The Tao of tar

tar has three main mode options:

-c Create a new archive
-x Extract files from archive
-t Show archive table of contents

Other useful options:

-f Specify an archive file or tape dev

-p Preserve owner/access times w/ -x

tar generally operates in one of three major modes: you're either creating an archive (-c), extracting files from an archive (-x), or testing/looking at the table of contents of an archive (-t). These modes are mutually exclusive, so you'll only ever specify one of -c/-t/-x per command line.

tar has other options as well (for complete information, consult the on-line manual page for the version of tar you are using). The most important of these is -f for specifying where the archive should be written. The argument to the -f option is the name of a tape device or just a file name where you want the archive created.

-v turns on verbose mode. When writing or extracting files from an archive, -v causes the name of each file to be printed. Note that printing each file name significantly slows down the process of reading or writing the archive. When used with the -t option, verbose mode causes a detailed listing of the archive contents, similar to the output of ls -l.

tar always stores the owner and access times of files in the archive. When extracting files from the archive, the extracted files will normally be owned by the user who unpacks the tar file and the access times will be lost. However, the -p option tells tar to preserve the owner and access times of the original files when the extraction is done. -p generally only works if you're running tar as the superuser.

Page 11

Using tar

Dump entire file system to tape:

tar -cf /dev/rst0 /

Extract that same archive:

tar -xpf /dev/rst0

Get a verbose listing of tape contents:

tar -tvf /dev/rst0

Dump a directory to a file on disk:

tar -cf hal.tar /home/hal # Danger!

The first example shows how to use tar to make an archive of an entire Unix file system. We're using -c to create a new archive, and the archive is going to be written to the tape device /dev/rst0 (-f /dev/rst0). The list of files to be archived is '/', the root of the directory tree (and therefore all files and subdirectories below that point). This command is dangerous in a couple of respects. First, tar will happily traverse NFS mounts, so you may end up capturing file systems that are mounted from other servers. We'll discuss the other reason this command is dangerous in the next couple of slides.

If you later wanted to extract all of the files from that archive, you would use -x to specify extract and -f to specify the tape drive again. In this case, we want to bring the files back with their original owners and access times, so we also use -p to preserve that information.

We can get a detailed (-v for verbose) listing of the contents of the archive file with -t.

These days, it's actually more common to write tar files to disk rather than to tape. So, instead of specifying a tape device with the -f option, we just specify a file name, as in our last example. Note that this last example shares a problem with our first example...

Page 12

Warning! Absolute Paths!

tar -cf hal.tar /home/hal

• Standard versions of tar will preserve full path names

• When this archive is extracted, the /home/hal directory gets overwritten!

• Note that GNU tar automatically strips off the leading '/'

The problem is that tar preserves complete pathname information from the point in the file system that you specify. This means that if you create an archive starting at /home/hal, all of the file names in the archive will start with /home/hal/... If you later extract files from that archive, they will be extracted to /home/hal/..., usually overwriting the current version of each file at that location!

When retrieving files from an archive (whether that archive was made with tar, dump, or some other utility), you almost always want to extract the files into some temporary directory and then copy them into a place where the users on the system can get at them. If you simply overwrite the user's files, you run the risk of destroying new information that the user may have created since the archive was made. However, if the pathnames in the archive file are absolute (that is, rooted at the top of the file system), then the files you extract from the archive will automatically overwrite the original files in their original directories.

The moral of this story is that you want to make sure never to create archives with a leading '/' on path names. In fact, GNU tar is smart enough to automatically strip off leading '/'s when creating an archive file (though this behavior can be disabled with the -P command line option if you're sure you know what you're doing).

Page 13

The "Right" Way To Do It

Dump entire file system to tape:

cd /
tar -cf /dev/rst0 .

Dump a directory to a file on disk:

cd /home
tar -cf hal.tar hal

However, you might not be using GNU tar, so let's look at the "safe" way to make the archive files we talked about on the earlier slide.

To make an archive from the root of the file system, just cd / and then use '.' to specify the current directory as the target of the tar archive. Since we're running the command from the root directory, we'll still archive the entire file system, but there won't be any leading '/' on the file path names. Note that you still run the risk of archiving partitions which are NFS-mounted from remote file servers.

The best way to archive a user's home directory is to cd to wherever you keep user home directories and then run the tar command specifying the user(s) whose directories you want to archive. When you later go back to review or extract files from the archive, having the user name at the front of the file path names will help you remember whose files you're dealing with.

Page 14

tar Tricks

Create compressed archive file:

tar -cf - hal | gzip > hal.tar.gz

Check contents of compressed archive:

zcat bind-src.tgz | tar -tf -

Extract a compressed archive:

zcat bind-src.tgz | tar -xf -

The recursive directory copy idiom:

tar -cf - hal | (cd /new/dir; tar -xpf -)

When writing a tar file to disk, it's usually a good idea to compress the data as well. Tar files are generally slightly larger than the sum of the sizes of the files in the archive (due to the overhead of the tar archive format itself). You could compress all of the files before archiving them, but you generally get better compression if you archive the files and then compress the archive. You can do this easily by creating an archive that streams to standard output (-f -) and then piping that output into the gzip program, which performs data compression (actually, GNU tar has a -z option which tells tar to automatically write the archive in gzipped format). Gzipped files generally have a .gz extension (by convention), so we direct the output of our tar/gzip pipeline to a file with a .tar.gz extension to indicate that this is a gzipped tar archive (if you are using the Unix compress command instead of gzip, then the normal extension for the file is .tar.Z).

Sometimes you'll download an archive file with a .tgz extension, which is just a shorthand notation for .tar.gz. zcat uncompresses a gzipped file and spits the result to standard output, so you can just pipe that to another tar command to see the contents of the .tgz file or to extract those contents. Note that it's always a good idea to use tar -tf - to look at the table of contents first, before using tar -xf - to extract the files. After all, you don't know for certain where the files in the archive are going to be extracted. The archive might contain absolute path names that will corrupt or overwrite system files and damage or compromise your machine.

The last example shows how you can use tar to copy a directory from one partition to another. The parentheses on the right-hand side of the pipe symbol group the cd
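The absolute-path warning and the "check the table of contents before you extract" advice above are really one procedure: make archives with relative names, and before unpacking anything you did not make yourself, look for member names that would escape the directory you extract into. The following is an added example, not code from the SANS notes: it builds both a safe and a deliberately absolute-path archive from a constructed directory tree, lists members that begin with '/' or contain a '..' component, and only extracts into a staging directory when that check passes. It assumes a GNU or BSD tar and gzip on the PATH; the directory and archive names are made up for the demonstration.

```shell
#!/bin/sh
# Added example for the "absolute paths" warning and the "look before you
# extract" advice.  Not code from the SANS notes; assumes GNU or BSD tar and
# gzip on the PATH.  The tree, file names and archive names are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample data standing in for /home/hal.
mkdir -p "$WORK/home/hal/docs"
printf 'notes\n' > "$WORK/home/hal/docs/notes.txt"
printf 'rc\n' > "$WORK/home/hal/.profile"

# The "right way": cd to the parent directory, name the target relatively,
# stream the archive to stdout and compress it.
make_relative_archive() {
    ( cd "$WORK/home" && tar -cf - hal ) | gzip > "$WORK/hal.tar.gz"
}

# The dangerous form, for comparison.  GNU tar would silently strip the
# leading '/' here, so -P (keep absolute names) reproduces what a
# "standard" tar does.
make_absolute_archive() {
    tar -cPf - "$WORK/home/hal" | gzip > "$WORK/absolute.tar.gz"
}

# Print every member of a gzipped archive that would land outside the
# extraction directory: an absolute name, or one with a '..' component.
# Exit status is 0 when the archive is clean, 1 otherwise.
# -P is needed on the listing too, otherwise GNU tar strips the leading '/'
# from what it shows you.  (gzip -dc is the portable spelling of zcat.)
unsafe_members() {
    gzip -dc "$1" | tar -tPf - | awk '
        /^\// { print; bad = 1; next }
        {
            n = split($0, part, "/")
            for (i = 1; i <= n; i++)
                if (part[i] == "..") { print; bad = 1; break }
        }
        END { exit bad }'
}

# Extract only after the check passes, and only into a staging directory,
# never straight over the live /home.
extract_to_staging() {
    archive=$1
    staging=$2
    if ! unsafe_members "$archive" > /dev/null; then
        echo "refusing to extract $archive: unsafe member names" >&2
        return 1
    fi
    mkdir -p "$staging"
    gzip -dc "$archive" | ( cd "$staging" && tar -xpf - )
}

make_relative_archive
make_absolute_archive
echo "relative archive members:"; gzip -dc "$WORK/hal.tar.gz" | tar -tPf -
echo "absolute archive members:"; gzip -dc "$WORK/absolute.tar.gz" | tar -tPf -
extract_to_staging "$WORK/hal.tar.gz" "$WORK/restore"
ls -R "$WORK/restore"
extract_to_staging "$WORK/absolute.tar.gz" "$WORK/restore2" || true
```

The relative archive lists as `hal/`, `hal/docs/`, ... and unpacks cleanly under the staging directory; the absolute one lists with the full path from the root and is refused. The same check applies to a downloaded .tgz before `zcat file.tgz | tar -xf -`: run the listing through the filter first, and do the extraction in a scratch directory rather than wherever you happen to be standing.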

Page 15

The dump Command

dump 0udsf 1600 1700 /dev/rst0 /home

0           Dump Level
u           Store Dump Date
d 1600      Tape Density
s 1700      Tape Length (Size)
f /dev/rst0 Tape Device
/home       Partition to Dump

The dump command has a somewhat strange command line syntax. Generally, the arguments to the command break down into three sections:

dump options arguments partition-name

The first chunk, options, specifies the dump level number and all command options (no spaces, no leading dash). The arguments section is all of the arguments to the options which were specified in the options chunk (for example, the name of the tape device for the "f" option). The arguments are specified in the order the options were given in the first chunk. The last thing on the command line is the file system that should be dumped.

In our example above, we're doing a level 0 dump and we're telling the dump command to write the date of this dump into the /etc/dumpdates file; that's the "u" (update) option. /etc/dumpdates is used by the dump command when performing incremental dumps: without this information, dump wouldn't know the date of the last dump, so it couldn't figure out which files were modified since that time. Note that sometimes, particularly for "emergency" dumps which aren't part of your normal backup cycle, you may want to omit the "u" option so that your emergency backup doesn't alter /etc/dumpdates and interfere with your normal backup schedule.

The "d" option specifies the tape density (in bits per inch, or bpi) and "s" specifies the tape length (size) in feet. These options allow dump to calculate whether the dump will fit on one tape, or whether multiple tapes ("volumes" in dump-speak) are required. These options were important when tapes were smaller, but are not commonly used today.

"f" specifies the name of a tape device or file, just like when using tar. Also like tar, dump

Posted: 16/10/2013, 12:15
