Secure System Administration - SANS GIAC © 2000, 2001
Securing and Auditing Unix
Examples tested on a Red Hat Linux 6.1 (Hedwig) build
Welcome to Unix and Linux. Security for these operating systems is a complete paradigm shift from Windows. Unix has been around a lot longer. The source code for Linux is freely available, so would-be attackers are free to examine it and test it for holes such as buffer overflows and deadlock conditions.
Linux is different from Unix. Has the source code been available for Unix? Certainly; you used to be able to license source for both the AT&T and BSD versions of Unix. It is rumored the Sun source code was stolen once via a workstation with a modem connection.
This means that we are dealing with a lot more “knowns” than with Windows. Well, at least that was true until October 2000, when critical Microsoft source code was stolen. From now on the rules of the game are “who knows the most wins”.
Let’s start our discussion with the notion of a firm foundation. Nothing is certain, but if we can start with a clean build we have a better chance of ending up with a secure system.
A Clean Build is a Happy Build
• Load from CD
• Load from Net
• Load from another system??????
• Load from tape??????
Windows loads from CDs. They are licensed and controlled. Though it is possible there could be a compromised version, it is unlikely. The initial load of Unix can be a whole new ballgame.
Many Unix systems make it easy to clone a system from an existing system. You plug in your Ethernet cable, power on the system, and the new computer looks for a system to boot from. This is great…unless the system you boot from is already compromised. The same thing goes for backup tapes. This is a big problem in incident handling: how do you know you are loading from a clean operating system?
For Linux, it is possible to load from an Internet site, but in general, it is best to load from the CD-ROM. If you start out compromised, you may never get control. So we send a pristine system out into the cold, cruel world. If it is compromised, or we suspect it is compromised, what do we do? In this section we will learn commands to evaluate Unix systems, but since source code has been available, attackers can replace system commands with theirs. We’ll also cover some basic ways you can make it more difficult for the attacker to compromise the system, as well as some tools you can use to aid in detection and recovery.
Oh yes, Unix and Linux have the equivalent of Service Packs and hotfixes: they are called patches, and it is important to keep track of the patch status for these computers as well. Plan on needing to do an update at least quarterly, and more frequently as advisories get issued.
The Basics
• Similarities
• Differences
• Some basic commands
Just as we’ve seen with other operating systems, Unix and Linux have an orderly start-up sequence. Much of what gets the computer going can be found in the “rc” (run command) files in the /etc directory and the inetd.conf file (also located in /etc). The inetd.conf file is the Internet Daemon configuration file that specifies which daemons are accessible via the network (such as telnetd and ftpd). Other daemons such as email (smtpd) get started at bootup.
This is a good time to review some similarities and differences between MS-DOS (as would be used in a DOS command window in Microsoft Windows) and Unix commands and conventions. For example, the directories in a DOS path are separated by a “\” (backslash); those in Unix are separated by a “/” (forward slash). In DOS, file names are case-INsensitive while in Unix they are case-sensitive. The “.” character is used as a separator between the file name and extension in DOS, but that syntax does not have the same meaning in Unix (older DOS allows only one “.”; Unix permits more than one).
Both operating systems support the concept of a “pipe” (the vertical bar |) that can be used to ‘connect’ commands, such as type file.txt | more (DOS) to show the file named file.txt one screen at a time.
Both operating systems support the use of “*” as a wild card character.
Regarding floppy disks, DOS (and Windows) use a: to refer to the first floppy disk drive in the system, while Unix treats everything as a file and uses a name such as /dev/fd0 to refer to the floppy disk.
In general, Unix command equivalents have a broader functionality than their DOS cousins. This is somewhat of an oversimplification, but it will meet our needs for this introductory module. You need to be familiar with basic Unix commands to be ready for Security Essentials, where you will gain the fundamental skills to enable you to handle an incident involving a Unix system.
More Basics
• List files: ls -lart
• Show the file on the screen: cat, more
• Display system processes: ps -ef, ps -ax, ps -ewf
• Display network information: netstat -a
• Verify a system file is not corrupt: rpm -V filename (no news is good news)
Every Unix variant is different, and many of the commands listed have multiple options. We encourage you to become familiar with the operating systems that are used in your organization. A recommended practice is to print the man (manual) pages ahead of time for each OS to create a reference notebook. If you are having trouble printing the man pages, you might find some variation of “nroff -man filename | lp” (meaning: new runoff, manual macros, <filename of manual>, pipe to line printer) helpful. To determine the exact syntax to print the man pages using nroff, type man nroff.
Use a highlighter for the options you feel may help you meet your needs. Sometimes man pages may be a bit cryptic, so you may want to test these commands ahead of time and write in examples with the options that work. Some of these will be a review for you, but we will go quickly. ls for Unix is like dir for Windows; ls -lart lists all files, hidden or not, in time order, with the most recent change on the bottom, and is very helpful.
We can use the cat (for concatenate) command to view the contents of a file on the screen. For example, cat /etc/passwd will display to standard output (the screen) the contents of the file passwd in the /etc directory.
The ps (for process status) command lists active processes: ps without any options lists the processes that are yours. The options needed to list ALL processes running vary by operating system; learn what works on yours. Commonly ps -ax and ps -ef will work.
netstat will display network connections, routing tables, interface statistics, masquerade connections, netlink messages, and multicast memberships.
For Linux, the Red Hat Package Manager (RPM) can verify that a file has not been modified or compromised with the -V option.
Still More Basics
• Copy a file: cp
• Looking for text in a “binary” file: strings
The tools on this slide help you manipulate and inspect files. mv allows you to move a file from one place to another, so it is similar to ren (rename): mv a.txt b.txt would rename a.txt to b.txt in the same way ren a.txt b.txt would in a Windows command prompt. However, you can also move whole directories with mv, changing the name or the location.
copy in Windows is similar to cp in Unix, but there are a number of powerful options. One to know is cp -p (for preserve the date). If you want to edit a system file, it is a good idea to make a backup file first. For instance, if you edit the Internet Daemon configuration file, inetd.conf, you might first:
cp -p inetd.conf inetd.conf.22OCT00
This will preserve the file’s date, so if you list the /etc directory with ls -lart the original file’s age will be preserved and the edited file will be obvious.
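The backup-before-edit step above, carried through as an added example that is not from the SANS notes: it works in a scratch directory on a constructed inetd.conf (never the real /etc) and then checks that the -p copy kept the original’s age and that the edited file stands out in a time-ordered listing.

```shell
#!/bin/sh
# Added example, not from the SANS notes: takes the backup with cp -p before
# editing, then checks what the notes promise: the copy keeps the original's
# age and the edited file stands out in a time-ordered listing. Everything is
# done in a scratch directory on a constructed inetd.conf, never on /etc.
set -eu

# make_old_config DIR: a two-line constructed inetd.conf whose mtime is set
# back to 22 Oct 2000, mimicking a file untouched since installation.
make_old_config() {
    printf 'ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd\n' > "$1/inetd.conf"
    printf 'telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd\n' >> "$1/inetd.conf"
    touch -t 200010220900 "$1/inetd.conf"
}

# backup_and_edit DIR: the notes' procedure; -p preserves the old mtime on the
# copy, then the telnet line is commented out in the live file.
backup_and_edit() {
    cp -p "$1/inetd.conf" "$1/inetd.conf.22OCT00"
    sed 's/^telnet/#telnet/' "$1/inetd.conf.22OCT00" > "$1/inetd.conf"
}

# newest_first DIR: names in mtime order, newest at the top (ls -t is the
# reverse of the ls -lart order used in the notes).
newest_first() { (cd "$1" && ls -t); }

# active_services FILE: service names on lines inetd would act on, i.e. those
# not commented out with #.
active_services() { grep -v '^#' "$1" | awk '{print $1}'; }

main() {
    tmp=$(mktemp -d)
    make_old_config "$tmp"
    backup_and_edit "$tmp"
    echo "newest first:"; newest_first "$tmp"
    echo "still active: $(active_services "$tmp/inetd.conf")"
    rm -rf "$tmp"
}
main
```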
The strings command will print the displayable ASCII strings of printable characters in files. For each file given, strings prints the printable character sequences that are at least 4 characters long and are followed by an unprintable character. By default, it only prints the strings from the initialized and loaded sections of object files; for other types of files, it prints the strings from the whole file.
od (octal dump) dumps (lists) the file in binary mode; od -h and od -x will each dump a file in hex.
diff displays the differences between two files and is the programmer’s friend.
Finding things – find & grep
• look for suid and sgid files: find / -perm +2000 -o -perm +4000
• look for files modified today: find / -mtime -1 -print
• look for files with a pl extension: find . -name '*.pl' -print
• print all lines in file.txt containing “aaa”: grep aaa file.txt
The find command is very powerful, but takes some serious practice. To get started, type “man find” to get a sense of what you can do. I strongly recommend that you try a few incantations and then write them down exactly, so that you have commands that can search for the things you would need. The slide above has but three of MANY examples.
The grep utility enables you to search through a set of files for all lines that match a specified pattern. You can use grep as a filter to extract the matching lines from standard input and send those lines to standard output.
The last example in the slide:
grep aaa file.txt will print all lines in file.txt which contain the text “aaa”.
Other examples include the following:
grep -i dude file.txt - Print all lines with “dude” in file.txt, case insensitive
grep -v dude file.txt - Print all lines in file.txt without “dude”
You now have the basic commands needed to make your way through a Unix system. We have chosen commands that are oriented towards auditing and forensics so you can make sure your system is secure. Now that you know how to manipulate files, let’s find out where they are.
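The slide’s find and grep incantations run against a small constructed directory tree, as an added example that is not part of the SANS notes. It assumes GNU or BSD find; current GNU find no longer accepts the slide’s -perm +2000 spelling, so the example uses -perm -2000, which means that bit must be set.

```shell
#!/bin/sh
# Added example, not from the SANS notes: runs the slide's find and grep
# incantations against a small constructed tree instead of / so the result is
# predictable. Current GNU find rejects the slide's "-perm +2000" spelling;
# "-perm -2000" (that bit must be set) works on GNU and BSD find alike.
set -eu

# make_sample_tree DIR: constructed sample files: one setuid binary, one
# setgid binary, one plain binary, one Perl script and a text file for grep.
make_sample_tree() {
    mkdir -p "$1/bin" "$1/home"
    : > "$1/bin/suid_tool";  chmod 4755 "$1/bin/suid_tool"
    : > "$1/bin/sgid_tool";  chmod 2755 "$1/bin/sgid_tool"
    : > "$1/bin/plain_tool"; chmod 0755 "$1/bin/plain_tool"
    printf 'print "hello\\n";\n' > "$1/home/script.pl"
    printf 'aaa first\nDude second\nthird\naaa dude\n' > "$1/home/file.txt"
}

# list_suid_sgid DIR: files carrying the setuid or setgid bit. The escaped
# parentheses group the -o so -print applies to both branches.
list_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# list_modified_today DIR: the slide's -mtime -1, files changed in the last day.
list_modified_today() { find "$1" -type f -mtime -1 -print | sort; }

# list_perl_scripts DIR: the pattern is quoted so find, not the shell, expands it.
list_perl_scripts() { find "$1" -type f -name '*.pl' -print; }

# The three grep forms from the notes, each returning a count of lines.
count_with()    { grep -c  "$1" "$2"; }   # lines containing the pattern
count_with_ci() { grep -ic "$1" "$2"; }   # same, case insensitive
count_without() { grep -vc "$1" "$2"; }   # lines not containing the pattern

# Stand-alone run: build the tree in a scratch directory and report on it.
main() {
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    echo "setuid/setgid files:"; list_suid_sgid "$tmp"
    echo "perl scripts:";        list_perl_scripts "$tmp"
    echo "lines with aaa: $(count_with aaa "$tmp/home/file.txt")"
    rm -rf "$tmp"
}
main
```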
What to Look For - File System
• what file systems are mounted: df -a
• file system table can provide information about mountable systems: cat /etc/fstab, cat /etc/mtab
So far we have mostly been concerned with files, and files are kept in file systems. Linux supports a large number of file systems that can be mounted. On this slide we see the command df -a, which lists all information: df displays the amount of disk space available on the file system containing each file name argument. If no file name is given, the space available on all currently mounted file systems is shown.
To view the contents of the /etc/fstab file we can use the cat command as shown in the slide. You can also type:
more /etc/fstab and
more /etc/mtab
to view what the system thinks is mountable and mounted (respectively). The more command causes the output to be displayed one screenful at a time.
Next we will go on a quick tour of the way the Unix file system is organized. This is so you know where you can expect to find certain files. There are variations among Unix file systems, so you will want to check to see if things are the same for your file system. But since we will be following the File System Standard, we should be pretty close to what you have.
What to Look For - FSSTND
• The following directories are common from /: /bin, /boot, /dev, /etc, /home, /lib, /lost+found, /mnt, /proc, /sbin, /tmp, /usr, /var
• /, /usr, /usr/sbin, /bin, /mnt, /etc
This is the file system according to the File System Standard (FSSTND) and gives some insight into a typical file system layout. We can investigate further using ls. The “ls” and “ls -lart” commands are safe and will not break anything. Start with:
ls /
This will list the files in the top or root directory of your Unix system. Now look again with ls -l.
The command cd /usr (change directory) will take you to the /usr file system. This is where unchanging files are kept, including commands, documentation, and libraries.
Of special interest is /usr/sbin. This contains system administrator commands. Many may be unfamiliar, but one to know is list open files, lsof.
Where are the commands that we have been learning? The command whereis mv will give you the location of the mv command, and it is in /bin. cd /bin and take a look. The /bin directory contains many of the commands we have been learning.
There are three more places we need to be familiar with in order to know our Unix system:
ls -l /mnt will show the files in the mount directory. My system has a mount point for floppy, CD-ROM, and Zip. These are the removable media I use. When I put the removable media in the system, I have to mount it. As a convenience, I can list and copy files between Linux and Windows with mcopy a: and mdir a: and avoid having to use the mount command.
ls -l /etc will show the location of the configuration files for this system. more /etc/inetd.conf is a safe way to see what network daemons are started at bootup. If a line in the file begins with a # symbol, the daemon(s) listed on that line are commented out and will not be run at startup. You can view the files that end with conf and cf in general.
/tmp is a directory for temporary files, and since anyone can write there, it is a target for attackers.
Auditing
• History files
• Several Unix systems such as Solaris have additional logging that can be turned on
• Host based intrusion detection system vendors may have logging agents available
For either of these to be successful they would have to be implemented well before the incident.
The history command performs one of several operations related to recently-executed commands recorded in a history list. Each of these recorded commands is referred to as an “event”. It is amazing how many attackers have left the history files intact. A shell with history should always be the default for the user root. Try the following commands to see if you have a history (the file name is pronounced “dot history”):
cd
ls -la .history
The user root sometimes has a history file. Try:
cd /
(You may need to type cd /root)
ls -la .history
Some Unix systems have additional auditing and logging features that can be enabled. Note that every choice has a cost: turning on a lot of auditing can eat up disk space and cause degradation in system performance. On the other hand, a root level compromise may not be a lot of fun to try to recover from with no indication as to what happened.
In addition, there are host based intrusion detection systems that can record information as well. As the slide says, these features must be implemented before the incident to be effective.
More Auditing
• syslog
• messages
• dmesg
• application logs
Unix and Linux operating systems come with a built-in logging system. The syslog daemon gets started in the “rc” files at bootup. The events are recorded in the syslog file written to the loghost specified in the /etc/hosts file. It’s easy to send the information on one computer to another by specifying that other server as the loghost. It’s not completely secure, but it does get the information recorded in another location, which is very useful in the event of suspicious activity or compromise.
Another location that contains useful clues is the messages file, /var/adm/messages. This file rotates through (typically) six versions on a weekly basis (a new file each week) before overwriting the earliest version. The messages file keeps track of what is happening (primarily at the system hardware level) and records useful information such as bus errors and other data of a similar nature.
Another useful auditing tool is the information available from dmesg. It begins collecting information on startup and keeps track of events until the computer is up and running. The program helps users to print out their bootup messages. Instead of copying the messages by hand, the user need only type:
dmesg > boot.messages
and mail the boot.messages file to whoever can debug their problem.
Finally, we have application logs to help sort out what is happening. If we are running a web server, the logs from that application can be configured to tell us which computers have accessed which files in the web tree.