Securing/Hardening UNIX - PowerPoint PPT Presentation

About This Presentation
Title:

Securing/Hardening UNIX

Description:

Application architecture: sparc. Hardware provider: Sun_Microsystems. Domain: ... 2.8, AIX 4.3, HP-UX 11.0 and 11i, FreeBSD 4.2 and 4.3 and some Linux flavours ... – PowerPoint PPT presentation

Number of Views:338
Avg rating:3.0/5.0
Slides: 40
Provided by: me690

Transcript and Presenter's Notes


1
Securing/Hardening UNIX
  • Section 7

2
Hardening Solaris
  • Session objective: this section shows what to
    harden on a Unix platform and how, with a strong
    emphasis on what an attacker will do to you if
    you forget
  • What is hardening?
  • Making the system secure by tightening file
    permissions, removing unnecessary services and
    patching the system

3
Recap on Unix Security
  • Authorisation is by user and group
  • User / UID is obtained at login from /etc/passwd
  • Password hashes are stored in /etc/shadow
  • Group / GID is stored in /etc/group
  • AIX: /etc/security/user and
    /etc/security/passwd
  • HP-UX (trusted system mode): /tcb/files/auth

4
/etc/passwd
  more passwd
  root:x:0:1:Super-User:/:/sbin/sh
  daemon:x:1:1::/:
  bin:x:2:2::/usr/bin:
  sys:x:3:3::/:
  adm:x:4:4:Admin:/var/adm:
  lp:x:71:8:Line Printer Admin:/usr/spool/lp:
  smtp:x:0:0:Mail Daemon User:/:
  uucp:x:5:5:uucp Admin:/usr/lib/uucp:
  nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
  listen:x:37:4:Network Admin:/usr/net/nls:
  nobody:x:60001:60001:Nobody:/:
  noaccess:x:60002:60002:No Access User:/:
  nobody4:x:65534:65534:SunOS 4.x Nobody:/:
  www:x:2000:200:WWW User:/export/home/www:/bin/sh
5
/etc/group
  cat group
  root::0:root
  other::1:
  bin::2:root,bin,daemon
  sys::3:root,bin,sys,adm
  adm::4:root,adm,daemon
  uucp::5:root,uucp
  mail::6:root
  tty::7:root,tty,adm
  lp::8:root,lp,adm
  nuucp::9:root,nuucp
  staff::10:
  daemon::12:root,daemon
  sysadmin::14:
  nobody::60001:
  noaccess::60002:
  nogroup::65534:
  www::200:root
6
/etc/shadow
  cat shadow
  root:JipOt8gyLGBHw:10569::::::
  daemon:NP:6445::::::
  bin:NP:6445::::::
  sys:NP:6445::::::
  adm:NP:6445::::::
  lp:NP:6445::::::
  smtp:NP:6445::::::
  uucp:NP:6445::::::
  nuucp:NP:6445::::::
  listen:*LK*:::::::
  nobody:NP:6445::::::
  noaccess:NP:6445::::::
  nobody4:NP:6445::::::
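The three listings above are the raw material for the account checks the presentation asks for later (a second UID-0 account, locked accounts that still have a usable shell, entries with no password at all). The following POSIX sh/awk script is an added example and not part of the original slides: it audits a passwd/shadow/group triple and prints one finding per line. The function name, the check labels and the sample files (a constructed cut-down copy of the Solaris 8 entries shown above, plus two deliberately weak entries, www and test) are this example's own.

```shell
#!/bin/sh
# Added example (not from the slides): audit a Solaris-style passwd/shadow/group
# set for the account weaknesses the presentation points at.  One finding per
# line:  <CHECK> <account> <detail>.  Check names are this example's own.

# audit_accounts PASSWD SHADOW GROUP
audit_accounts() {
  awk -F: -v shadow="$2" -v group="$3" '
    BEGIN {
      # shadow: name:hash:lastchg:min:max:warn:inactive:expire:flag
      while ((getline line < shadow) > 0) {
        split(line, f, ":"); hash[f[1]] = f[2]; inshadow[f[1]] = 1
      }
      close(shadow)
      # group: name:password:gid:members
      while ((getline line < group) > 0) {
        split(line, g, ":"); gidname[g[3]] = g[1]
      }
      close(group)
    }
    # passwd: name:x:uid:gid:gecos:home:shell  (an empty shell means /usr/bin/sh)
    {
      name = $1; uid = $3; gid = $4; shell = $7
      if (uid == 0 && name != "root") print "UID0", name, "second superuser account"
      if (seen[uid]++) print "DUPUID", name, "shares uid " uid
      if ($2 != "x") print "PWFIELD", name, "password field is not x"
      if (!(name in inshadow)) {
        print "NOSHADOW", name, "no shadow entry"
      } else {
        h = hash[name]
        if (h == "")
          print "NOPASS", name, "empty password field, logs in without a password"
        else if (h == "NP" || substr(h, 1, 1) == "*" || substr(h, 1, 1) == "!") {
          # locked by password only: still reachable via su or trusted-host rlogin
          # unless the shell is /bin/false, as the Security settings slide asks
          if (shell != "/bin/false" && shell != "/usr/bin/false")
            print "LOCKEDSHELL", name, "locked but shell is " (shell == "" ? "/usr/bin/sh (default)" : shell)
        }
      }
      if (!(gid in gidname)) print "NOGROUP", name, "primary gid " gid " not in group file"
    }' "$1"
}

# write_sample DIR: constructed sample files (not a real system), modelled on the
# Solaris 8 listings above, plus two deliberately weak entries (www, test).
write_sample() {
  cat > "$1/passwd" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
smtp:x:0:0:Mail Daemon User:/:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:Nobody:/:
www:x:2000:200:WWW User:/export/home/www:/bin/sh
test:x:2001:999:Test User:/export/home/test:/bin/sh
EOF
  cat > "$1/shadow" <<'EOF'
root:JipOt8gyLGBHw:10569::::::
daemon:NP:6445::::::
smtp:NP:6445::::::
nuucp:NP:6445::::::
listen:*LK*:::::::
nobody:NP:6445::::::
www::10569::::::
EOF
  cat > "$1/group" <<'EOF'
root::0:root
other::1:
adm::4:root,adm,daemon
nuucp::9:root,nuucp
nobody::60001:
www::200:root
EOF
}

# Stand-alone run against the constructed sample:  sh audit_accounts.sh --demo
# On a live host (as root):  audit_accounts /etc/passwd /etc/shadow /etc/group
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d) && write_sample "$d"
  audit_accounts "$d/passwd" "$d/shadow" "$d/group"
  rm -rf "$d"
fi
```

On the sample the script reports smtp twice (UID0 and DUPUID), the NP-locked system accounts with a default or real shell, www with an empty hash, and test with neither a shadow entry nor a known primary group. Note that the stock Solaris 8 smtp entry really does carry UID 0; most hardening checklists remove it when sendmail is not run in daemon mode.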
7
File permissions
  • rwx-rwx-rwx
  • Owner-group-everyone else

8
Outline
  • Patching
  • Service removal
  • Security settings
  • Default permissions
  • File permissions
  • ASET
  • Tripwire
  • Commercial Applications

9
Patching
  • Why? To fix known security bugs before they are
    exploited
  • Two tools built in to manage patches
  • patchadd to install directory format patches to a
    Solaris system
  • patchrm to remove patches on a solaris system

10
Patching
  • Some useful commands to manage patches
  • showrev -p shows all patches applied to the
    system
  • pkgparam pkgid PATCHLIST shows all patches
    applied to the package identified by pkgid
  • pkgparam pkgid PATCH_INFO_patch-number shows
    the installation date and the name of the host
  • patchadd -p also lists all patches applied to a
    system
  • AIX: installp or smit

11
Patching
  • showrev -p lists the patches; showrev on its own
    shows the release and kernel patch level:
  showrev
  Hostname: Bankx
  Hostid: 8388c2d53
  Release: 5.8
  Kernel architecture: sun4u
  Application architecture: sparc
  Hardware provider: Sun_Microsystems
  Domain: uk.bank.com
  Kernel version: SunOS 5.8 Generic 108528-09 June 2001

12
Service removal - Inetd
  • inetd, the Internet super-server: it listens on
    behalf of many small services and starts the
    right daemon for each incoming connection
  • Configuring this IS the No. 1 major hardening
    task
  • Controlled by /etc/inetd.conf
  • An attacker who can write to inetd.conf can add a
    hidden network backdoor once a machine is
    compromised, or escalate to root, because most
    entries start their server as root
  • To modify:
  • cp inetd.conf inetd.conf.old
  • vi inetd.conf
  • Comment out the services not needed and save
  • ps -ef | grep inetd, then note the process id
  • /sbin/kill -HUP <process id from above>, so that
    inetd re-reads the file

13
Service removal - Inetd
  • inetd.conf before hardening (page 1)
  more inetd.conf
  # Syntax for TLI-based Internet services:
  # <service_name> tli <proto> <flags> <user> <server_pathname> <args>
  # Ftp and telnet are standard Internet services.
  ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
  telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd

14
Service removal - Inetd
  • inetd.conf before hardening (page 2)
  # Shell, login, exec, comsat and talk are BSD protocols.
  shell   stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
  login   stream  tcp     nowait  root    /usr/sbin/in.rlogind    in.rlogind
  exec    stream  tcp     nowait  root    /usr/sbin/in.rexecd     in.rexecd
  comsat  dgram   udp     wait    root    /usr/sbin/in.comsat     in.comsat
  talk    dgram   udp     wait    root    /usr/sbin/in.talkd      in.talkd
  # Must run as root (to read /etc/shadow); "-n" turns off logging in utmp/wtmp.
  uucp    stream  tcp     nowait  root    /usr/sbin/in.uucpd      in.uucpd
  # Tftp service is provided primarily for booting.
  tftp    dgram   udp     wait    root    /usr/sbin/in.tftpd      in.tftpd
  tftp    dgram   udp     wait    root    /usr/sbin/in.tftpd      in.tftpd -s /tftpboot
  # Finger, systat and netstat give out user information which may be
  --More--
15
Service removal - Inetd
  • inetd.conf before hardening (page 3)
  finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
  echo    stream  tcp     nowait  root    internal
  daytime stream  tcp     nowait  root    internal
  daytime dgram   udp     wait    root    internal
  chargen stream  tcp     nowait  root    internal
  # RPC services syntax:
  # <rpc_prog>/<vers> <endpoint-type> rpc/<proto> <flags> <user> \
  #     <pathname> <args>
  # Solstice system and network administration class agent server
  100232/10   tli   rpc/udp   wait  root  /usr/sbin/sadmind   sadmind
  rquotad/1   tli   rpc/datagram_v   wait  root  /usr/lib/nfs/rquotad  rquotad
  # The rusers service gives out user information. Sites concerned
  # with security may choose to disable it.
  rusersd/2-3 tli   rpc/datagram_v,circuit_v  wait  root  /usr/lib/netsvc/rusers/rpc.rusersd  rpc.rusersd

16
Service removal - Inetd
  • inetd.conf after hardening
  more inetd.conf
  # Syntax for TLI-based Internet services:
  # <service_name> tli <proto> <flags> <user> <server_pathname> <args>
  echo    stream  tcp     nowait  root    internal
  • Some sites harden the configuration still
    further with TCP Wrappers, so that even the
    services kept only answer named client hosts
  • Verify with netstat -an that only the intended
    ports are still listening; if nothing is left in
    inetd.conf, inetd itself need not run
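The before/after listings above are produced by hand-editing in vi. As an added example, not part of the original slides, the following POSIX sh/awk script performs the same procedure from an explicit allow-list: it keeps the .old backup the slide makes with cp, comments out every active entry whose service name (first field, e.g. telnet or 100232/10) is not on the list, leaves comments and blank lines untouched, and offers a reload function that does the ps -ef / kill -HUP step. The function names and the sample file (a constructed excerpt in the layout of the Solaris 8 inetd.conf shown above) are this example's own.

```shell
#!/bin/sh
# Added example (not from the slides): carry out the inetd.conf procedure with
# an explicit allow-list instead of editing in vi.  Function names are this
# example's own.

# active_services CONF: print the service name (first field) of every
# uncommented, non-blank line.  For RPC entries that is e.g. "100232/10".
active_services() {
  awk '!/^[ \t]*#/ && NF { print $1 }' "$1"
}

# harden_inetd CONF "svc1 svc2 ...": keep CONF.old as the backup the slide
# makes with cp, then rewrite CONF commenting out every active service that
# is not in the allow-list.  Comments and blank lines pass through untouched.
harden_inetd() {
  cp "$1" "$1.old"
  awk -v keep="$2" '
    BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) allow[k[i]] = 1 }
    /^[ \t]*#/ || !NF { print; next }
    ($1 in allow)      { print; next }
    { print "#" $0 }
  ' "$1.old" > "$1"
}

# reload_inetd: make the running inetd re-read its configuration, as the
# slide does with ps -ef | grep inetd and kill -HUP.  Live host only.
reload_inetd() {
  pid=$(ps -ef | awk '$8 ~ /(^|\/)inetd$/ { print $2; exit }')
  [ -n "$pid" ] && kill -HUP "$pid"
}

# write_sample FILE: a constructed excerpt in the layout of the Solaris 8
# inetd.conf shown on the slides (not a complete or real file).
write_sample() {
  cat > "$1" <<'EOF'
# Syntax for TLI-based Internet services:
# <service_name> tli <proto> <flags> <user> <server_pathname> <args>
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
login   stream  tcp     nowait  root    /usr/sbin/in.rlogind    in.rlogind
tftp    dgram   udp     wait    root    /usr/sbin/in.tftpd      in.tftpd -s /tftpboot
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
echo    stream  tcp     nowait  root    internal

100232/10   tli   rpc/udp   wait  root  /usr/sbin/sadmind   sadmind
rusersd/2-3 tli   rpc/datagram_v,circuit_v  wait  root  /usr/lib/netsvc/rusers/rpc.rusersd  rpc.rusersd
EOF
}

# Stand-alone run on the constructed sample:  sh harden_inetd.sh --demo
# On a live host (as root):  harden_inetd /etc/inetd.conf "ftp"; reload_inetd
if [ "${1:-}" = "--demo" ]; then
  f=$(mktemp) && write_sample "$f"
  harden_inetd "$f" "ftp"
  echo "still active:"; active_services "$f"
  rm -f "$f" "$f.old"
fi
```

Because every line that is not on the allow-list is commented rather than deleted, the original entry survives in place and can be restored by removing the leading hash, and diff CONF.old CONF shows exactly what was turned off. Follow the reload with netstat -an to confirm the ports are gone.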
17
Service removal - NFS
  • NFS, the Network File System daemons
  • Configuring this IS the No. 2 major hardening task
  • Controlled by /etc/dfs/dfstab, which lists what
    is exported (i.e. shared, in Windows terms)
  • If NFS serving is not needed, stop the daemons
    from starting at all: rename
    /etc/rc3.d/S15nfs.server to s15nfs.server (init
    only runs rc scripts whose names begin with S or K)
  • To modify a share so that it is limited to
    certain machines:
  • vi /etc/dfs/dfstab
  • Change the share statement from
  • share -F nfs -d "apps" /apps
  • to
  • share -F nfs -o rw=192.9.200.1 -d "apps" /apps
  • Without an rw= or ro= list any client that can
    reach the host may mount the share; the list may
    also hold host names or netgroups

18
Service removal NFS
  • AIX: /etc/exports
  • HP-UX: /etc/exports
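The dfstab edit above restricts one share by hand. As an added example, not part of the original slides, the following POSIX sh/awk script reviews a whole /etc/dfs/dfstab for the mistakes that matter: shares with no rw=/ro= host list (mountable by anyone), shares that grant root= to a client, and anon=0, which maps unknown users to root. The function name, the check labels and the sample file (constructed, containing the two share lines from the slide plus two more) are this example's own.

```shell
#!/bin/sh
# Added example (not from the slides): audit /etc/dfs/dfstab for NFS shares
# exported to the world or with root access.  One finding per line:
# <CHECK> <path> <detail>.  Check names are this example's own.

# audit_dfstab DFSTAB
audit_dfstab() {
  awk '
    /^[ \t]*#/ || !NF { next }
    $1 == "share" {
      path = $NF; opts = ""
      for (i = 2; i < NF; i++) if ($i == "-o") opts = $(i + 1)
      # -o is a comma list: rw=host:host, ro=host, root=host, anon=uid, nosuid, ...
      n = split(opts, o, ","); restricted = 0
      for (i = 1; i <= n; i++) {
        if (o[i] ~ /^(rw|ro)=/) restricted = 1            # bare rw / ro restrict nothing
        if (o[i] ~ /^root=/)   print "ROOTACCESS", path, o[i]
        if (o[i] == "anon=0")  print "ANONROOT", path, "unmapped users become root"
      }
      if (!restricted) print "OPEN", path, "no rw=/ro= host list, any client may mount"
    }' "$1"
}

# write_sample FILE: constructed dfstab (not from a real host) with the two
# share lines from the slide plus two more to exercise the other checks.
write_sample() {
  cat > "$1" <<'EOF'
# Place share(1M) commands here for automatic execution on entering init state 3.
share -F nfs -d "apps" /apps
share -F nfs -o rw=192.9.200.1 -d "apps" /export/apps
share -F nfs -o ro=client1:client2,root=client1 /export/docs
share -F nfs -o rw,anon=0 /export/scratch
EOF
}

# Stand-alone run:  sh audit_dfstab.sh --demo
# On a live host:   audit_dfstab /etc/dfs/dfstab   (and compare with "share" output)
if [ "${1:-}" = "--demo" ]; then
  f=$(mktemp) && write_sample "$f"
  audit_dfstab "$f"
  rm -f "$f"
fi
```

On the sample only /export/apps passes; /apps is open to any client, /export/docs gives client1 root access, and /export/scratch is both open and maps anonymous users to root. dfstab is the boot-time intent; also run share with no arguments to compare with what is currently exported.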

19
Service removal NFS (2)
  • Identify the Network File System daemons
  • ps -ef, then note the processes (<-- marks the
    NFS daemons)
       UID   PID  PPID  C    STIME TTY      TIME CMD
      root   108     1  0   Dec 22 ?        0:00 /usr/sbin/rpcbind
      root 21787 21784  0 10:03:51 pts/1    0:00 ps -ef
      root   110     1  0   Dec 22 ?        0:00 /usr/sbin/keyserv
      root   146     1  0   Dec 22 ?        0:00 /usr/lib/nfs/lockd        <--
      root   144     1  0   Dec 22 ?        0:00 /usr/lib/nfs/statd        <--
      root   161     1  0   Dec 22 ?        0:08 /usr/lib/autofs/automountd
      root   199     1  0   Dec 22 ?        0:00 /usr/lib/lpsched
      root   269     1  0   Dec 22 ?        0:04 /usr/lib/snmp/snmpdx -y -c /etc/snmp/conf
      root   296   269  0   Dec 22 ?        0:00 mibiisa -p 32790
      root   284     1  0   Dec 22 ?        0:00 /usr/lib/dmi/snmpXdmid -s avon
      root   294   291  0   Dec 22 ?        0:03 /usr/lib/saf/ttymon
      root   288     1  0   Dec 22 ?        0:00 /usr/dt/bin/dtlogin -daemon
      root 13496     1  0   Jan 15 ?        0:13 /usr/lib/sendmail -bd -q15m
      root 17075     1  0   Jan 19 ?        0:34 /usr/sbin/in.named

  • Also remove: nfsd and mountd (on AIX also biod,
    the NFS client block I/O daemon)
20
Service removal
  • Generally, you should not start unnecessary
    daemons
  • These may include:
  • SNMP: /usr/lib/snmp/snmpdx and mibiisa
  • RPC: /usr/sbin/rpcbind (nothing RPC-based, NFS
    included, works without it)
  • Check with rpcinfo -p (registered RPC programs)
    and netstat -an (listening ports)
  • AIX: portmap

21
Service removal
  • lpsched (print scheduler)
  • in.routed (routing daemon)
  • vold (volume manager for removable media)

22
Security settings
  • Security settings
  • /etc/passwd: check permissions, ensure integrity
    and give locked accounts a shell of /bin/false
  • /etc/shadow and /etc/group: check permissions and
    ensure integrity (shadow must never be
    world-readable)
  • /etc/default/login: restrict root logins to the
    console and require a password with
  • CONSOLE=/dev/console
  • PASSREQ=YES
  • AIX: /etc/security/user or /etc/security/login.cfg
  • HP-UX: /etc/securetty
  • /etc/default/inetinit: TCP initial sequence
    number generation, set to RFC 1948 style so that
    sequence numbers cannot be predicted
  • TCP_STRONG_ISS=2

23
Security settings
  • Solaris IP stack settings; the values shown are
    the hardened ones (ndd -get reads a parameter,
    ndd -set /dev/ip <parameter> <value> changes it;
    changes do not survive a reboot, so put the
    ndd -set commands in an rc script)
  • ndd -get /dev/ip ip_forward_directed_broadcasts
    0
  • ndd -get /dev/ip ip_forward_src_routed
    0
  • ndd -get /dev/ip ip_ignore_redirect
    1
  • ndd -get /dev/ip ip_respond_to_address_mask_broadcast
    0
  • ndd -get /dev/ip ip_respond_to_echo_broadcast
    0
  • ndd -get /dev/ip ip_respond_to_timestamp
    0
  • ndd -get /dev/ip ip_send_redirects
    0
  • ndd -get /dev/tcp tcp_rev_src_routes
    0

24
Security settings
  • AIX IP stack settings (no -o parameter shows the
    current value, no -o parameter=value sets it)
  • no -o ipforwarding
  • no -o ipsendredirects
  • no -o nonlocsrcroute
  • no -o subnetsarelocal
  • ipforwarding, ipsendredirects and nonlocsrcroute
    should be 0 to match the Solaris settings above
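The Solaris slide gives the target values but not a way to check a host against them or to persist the result. As an added example, not part of the original slides, the following POSIX sh/awk script holds the slide's target table, captures the current values with ndd -get on a live host, and prints the ndd -set commands still needed; the comparison works from a text capture so it can be reviewed offline and the commands dropped into an rc script. The function names and the sample capture (constructed, with two parameters still at their Solaris defaults and one not captured at all) are this example's own.

```shell
#!/bin/sh
# Added example (not from the slides): check a Solaris IP/TCP stack against the
# values on the slide and print the ndd -set commands that are still needed.
# It works from a text capture ("device parameter value" per line) so the
# comparison can be done offline; capture_ip_settings produces that capture on
# a live host.  Function names are this example's own.

# Target values from the slide.  ndd changes are lost at reboot, so the
# generated commands also belong in an rc script run at boot.
IP_HARDENING='
/dev/ip  ip_forward_directed_broadcasts        0
/dev/ip  ip_forward_src_routed                 0
/dev/ip  ip_ignore_redirect                    1
/dev/ip  ip_respond_to_address_mask_broadcast  0
/dev/ip  ip_respond_to_echo_broadcast          0
/dev/ip  ip_respond_to_timestamp               0
/dev/ip  ip_send_redirects                     0
/dev/tcp tcp_rev_src_routes                    0
'

# capture_ip_settings > FILE   (live host only; needs ndd, normally root)
capture_ip_settings() {
  echo "$IP_HARDENING" | while read -r dev param want; do
    if [ -n "$dev" ]; then
      printf '%s %s %s\n' "$dev" "$param" "$(ndd -get "$dev" "$param")"
    fi
  done
}

# ip_hardening_diff CAPTURE: one "ndd -set <dev> <param> <value>" line per
# parameter whose captured value differs from the target or is missing.
ip_hardening_diff() {
  echo "$IP_HARDENING" | awk -v capture="$1" '
    BEGIN {
      while ((getline l < capture) > 0) { split(l, f, " "); cur[f[1] " " f[2]] = f[3] }
      close(capture)
    }
    NF == 3 {
      key = $1 " " $2
      if (!(key in cur) || cur[key] != $3) print "ndd -set", $1, $2, $3
    }'
}

# write_sample FILE: a constructed capture (not from a real host) in which two
# parameters are still at their defaults and tcp_rev_src_routes was not read.
write_sample() {
  cat > "$1" <<'EOF'
/dev/ip ip_forward_directed_broadcasts 1
/dev/ip ip_forward_src_routed 0
/dev/ip ip_ignore_redirect 0
/dev/ip ip_respond_to_address_mask_broadcast 0
/dev/ip ip_respond_to_echo_broadcast 0
/dev/ip ip_respond_to_timestamp 0
/dev/ip ip_send_redirects 0
EOF
}

# Stand-alone run:  sh ip_hardening.sh --demo
# Live host:  capture_ip_settings > /tmp/ip.now; ip_hardening_diff /tmp/ip.now
if [ "${1:-}" = "--demo" ]; then
  f=$(mktemp) && write_sample "$f"
  ip_hardening_diff "$f"      # review, then run as root or feed to sh
  rm -f "$f"
fi
```

On the sample the diff produces three commands: directed-broadcast forwarding off, ignore-redirect on, and tcp_rev_src_routes off because it was never captured. Treating a missing parameter as non-compliant is deliberate: a capture that silently skipped a parameter should not pass.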

25
Default permissions keeping files tight
  • The umask determines the default permissions of
    newly created files: the bits set in the umask
    are removed from the mode the program requests
  • Normally set in /etc/default/login and /etc/profile
  • 3 octal digits such as 077 or 022
  • umask 022
  • > testfile
  • ls -l testfile
  • -rwxr-xr-x 6 root sys 404 Jan 6 2000 testfile
  • Note: -rwxr-xr-x (755) is what 022 leaves for a
    directory or a file the creator asks to be
    executable (777 & ~022); a file created by
    > testfile is requested with 666 and ends up
    -rw-r--r-- (644). With 077 group and others get
    nothing at all.

26
File permissions
  • Important categories
  • System start-up scripts
  • System configuration files
  • Home directories
  • Cron (crontab files and the scripts they run)
  • /dev, especially kmem or drum (kernel memory and
    the swap device)
  • /proc
  • All other files

27
File permissions -System start-up scripts
  • Unix start-up sequence
  • System boots and loads the kernel
  • The kernel creates init, pid 1
  • init reads /etc/inittab and runs the programs
    specified there
  • On Solaris and HP-UX 10, it then runs the scripts
    in /etc/rc0.d to /etc/rc6.d for the target run
    level
  • On AIX and HP-UX 8-9, it then runs the scripts
    named in /etc/inittab (e.g. /etc/rc.tcpip), as in
    step 3
  • If an attacker can add a command to a script in
    /etc/rc?.d or an entry in /etc/inittab, it runs
    as root at the next boot and can change any file
    on the system, so these must be writable by root
    only

28
File permissions - System configuration file
  • A selection of key files and what an attacker
    might do to them
  • /etc/hosts.equiv: add a host, so users on it can
    rlogin/rsh in without a password
  • /etc/hosts: change the address of a host
  • /etc/pam.conf: change authentication (Solaris)
  • /etc/inetd.conf: add a new service
  • /etc/profile: add chmod 777 /etc/shadow, which
    runs the next time root logs in
  • /etc/nsswitch.conf: change the sources used for
    name resolution/authentication
  • /etc/resolv.conf: change the name server (could
    affect trusted-host checks that rely on DNS)
  • /etc/passwd: change a uid to 0
  • /etc/shadow: change the root password hash

29
File permissions home directories
  • Important files to look at
  • .rhosts (trusted hosts for password-less
    rlogin/rsh)
  • .profile, .kshrc, .login, .logout (run at login,
    so must be writable by the owner only)
  • .netrc (ftp passwords in clear text)
  • .exrc (commands run whenever vi starts)

30
File permissions - general
  • Things to look for
  • Suid files
  • Sgid files
  • World writeable files
  • World writeable directories

31
File permissions
  • utmp and utmpx (under /var/adm) with world-write
    permission: anyone can forge or erase login
    records
  • Files whose owner is not in /etc/passwd
  • Files whose group is not in /etc/group
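The two "things to look for" lists above, together with the home-directory files on the slide before them, are one find(1) sweep. As an added example, not part of the original slides, the following POSIX sh script runs that sweep: setuid and setgid files, world-writable files, world-writable directories without the sticky bit, files with no owner or group, .rhosts/.netrc in home directories, login scripts writable by others, and world-writable utmp/wtmp records. Only POSIX find options are used so it runs on Solaris as well as Linux/BSD. The function name, the check labels and the sample tree (constructed so the sweep can be tried without root) are this example's own.

```shell
#!/bin/sh
# Added example (not from the slides): the find(1) sweeps behind the "things
# to look for" lists, plus the home-directory files from the slide before
# them.  One finding per line: <CHECK> <path>.  Check names are this
# example's own; only POSIX find options are used.

# perm_sweep ROOT [HOMEBASE] [UTMPDIR]
perm_sweep() {
  root=$1; homes=${2:-$1}; utmpdir=${3:-/var/adm}
  # -xdev stays on one filesystem; run once per mounted local filesystem
  find "$root" -xdev -type f -perm -4000 -print 2>/dev/null | sed 's/^/SUID /'
  find "$root" -xdev -type f -perm -2000 -print 2>/dev/null | sed 's/^/SGID /'
  find "$root" -xdev -type f -perm -002  -print 2>/dev/null | sed 's/^/WWFILE /'
  # world-writable directories are tolerable only with the sticky bit (/tmp style)
  find "$root" -xdev -type d -perm -002 ! -perm -1000 -print 2>/dev/null | sed 's/^/WWDIR /'
  # owner or group no longer in passwd/group: leftovers of deleted accounts
  find "$root" -xdev \( -nouser -o -nogroup \) -print 2>/dev/null | sed 's/^/ORPHAN /'
  # .rhosts grants password-less rlogin/rsh, .netrc holds clear-text ftp passwords
  find "$homes" -xdev -type f \( -name .rhosts -o -name .netrc \) -print 2>/dev/null | sed 's/^/TRUSTFILE /'
  # login scripts writable by group or others let someone else run commands as the owner
  find "$homes" -xdev -type f \( -name .profile -o -name .kshrc -o -name .login -o -name .logout -o -name .exrc \) \
       \( -perm -020 -o -perm -002 \) -print 2>/dev/null | sed 's/^/WWRC /'
  # utmp/utmpx/wtmp/wtmpx world-writable: login records can be forged or erased
  find "$utmpdir" -type f \( -name 'utmp*' -o -name 'wtmp*' \) -perm -002 -print 2>/dev/null | sed 's/^/WWUTMP /'
}

# make_sample_tree DIR: a constructed tree (not a real system) with one
# example of each problem that can be created without root.
make_sample_tree() {
  mkdir -p "$1/bin" "$1/tmp" "$1/shared" "$1/home/alice"
  : > "$1/bin/su";              chmod 4755 "$1/bin/su"
  : > "$1/bin/wall";            chmod 2755 "$1/bin/wall"
  : > "$1/shared/notes";        chmod 666  "$1/shared/notes"
  chmod 1777 "$1/tmp";          chmod 777  "$1/shared"
  : > "$1/home/alice/.rhosts";  chmod 600  "$1/home/alice/.rhosts"
  : > "$1/home/alice/.profile"; chmod 664  "$1/home/alice/.profile"
  : > "$1/home/alice/.login";   chmod 644  "$1/home/alice/.login"
}

# Stand-alone run on the constructed tree:  sh perm_sweep.sh --demo
# Live host (as root):  perm_sweep / /export/home > /var/tmp/sweep.$(date +%Y%m%d)
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d) && make_sample_tree "$d"
  perm_sweep "$d" "$d/home"
  rm -rf "$d"
fi
```

On a real host the SUID list is long and mostly legitimate, so keep the first sweep as a baseline and diff later runs against it; a new setuid binary or a newly world-writable rc script is what matters. ORPHAN findings need root-created files to reproduce and so do not appear in the sample tree.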

32
Radical hardening
  • Remove the setuid bit from root-owned binaries
    where possible
  • Remove gcc or cc, so an attacker has no compiler
    for exploit code
  • Mount file systems read-only
  • Large main memory, small swap

33
ASET
  • Automated Security Enhancement Tool
  • Ships with Solaris (installed under /usr/aset)
  • Low setting checks that system file attributes
    are at release values and reports potential
    weaknesses, but does not make any changes
  • Medium setting makes some changes to security
    settings but does not affect system services
  • High setting makes more changes to security
    settings, and security takes precedence over
    system behaviour

34
ASET
  • Tasks that ASET performs
  • Systems file verification check
  • System files check
  • User/Group check
  • System configuration files check
  • Environment check
  • eeprom check
  • Firewall setup

35
ASET output
  • aset -l high
  Begin Environment Check
  Warning! umask set to umask 022 in /etc/profile - not recommended.
  End Environment Check

  ASET Execution Log
  ASET running at security level high
  Machine = server; Current time = 0114_2026
  aset: Using /usr/aset as working directory

  Executing task list ...
      firewall
      env
      sysconf
      usrgrp
      tune
      cklist
      eeprom
  All tasks executed. Some background tasks may still be running.
  Run /usr/aset/util/taskstat to check their status:
      /usr/aset/util/taskstat [aset_dir]
  where aset_dir is ASET's operating directory, currently /usr/aset.
  When the tasks complete, the reports can be found in
  /usr/aset/reports/latest/*.rpt

36
ASET output II
  • You can view them by:
      more /usr/aset/reports/latest/*.rpt

  Begin Firewall Task
  IP forwarding already disabled.
  IP forwarding already disabled in rc files.
  ROUTED daemon already configured to be opaque.
  End Firewall Task

  Begin System Scripts Check
  cp: /usr/aset/archives/inetd.conf.arch.high: No space left on device
  Cannot archive /etc/inetd.conf. Task skipped!
  Task firewall is done.
  Task env is done.
  Task sysconf is done.
  Task usrgrp is done.
  • Note the skipped system scripts check: /usr/aset
    has filled up, so that task did not run; free the
    space and rerun before trusting this report

37
ASET output III
  • Begin Tune Task
  ... setting attributes on the system objects defined in
  /usr/aset/masters/tune.high

  Begin User And Group Checking
  Checking /etc/passwd ...
  Checking /etc/shadow ...
  Warning! Shadow file, line 1, no password: root::6445...
  ... end user check.
  Checking /etc/group ...
  ... end group check.
  End User And Group Checking
  • A root entry with an empty password field means
    root can log in with no password at all; set one
    with passwd root before anything else
     

38
Tripwire
  • Monitors file changes, verifies integrity and
    notifies of any violation on data at rest on
    network servers
  • Records attributes such as file size, access
    flags, modification time and file permissions,
    and detects file additions, deletions and
    modifications
  • Supports Windows NT4, Win2K, Solaris 2.6, 2.7 and
    2.8, AIX 4.3, HP-UX 11.0 and 11i, FreeBSD 4.2 and
    4.3 and some Linux flavours
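ASET's cklist task and Tripwire both work the same way: record the attributes and checksum of important files once, then report what has changed. As an added example, not part of the original slides, the following POSIX sh script implements that loop with only ls -n and cksum, for exactly the files the earlier slides single out (inetd.conf, inittab, the rc scripts, the /etc configuration files). The function names and the sample files (constructed stand-ins so the check can be tried without root) are this example's own. cksum is a CRC-32 rather than a cryptographic hash and the baseline lives on the same host, so this catches drift and careless tampering, not an attacker who also rewrites the baseline; keep the baseline on read-only media or another machine.

```shell
#!/bin/sh
# Added example (not from the slides): a minimal file-integrity baseline in
# the spirit of the ASET cklist task and Tripwire.  It records mode, owner,
# group, size and checksum for a list of files and later reports what changed.
# Only POSIX tools are used (ls -n, cksum).  Paths must not contain spaces.
# Function names are this example's own.

# file_record PATH: "path mode uid gid size crc" for a regular file, else fails
file_record() {
  [ -f "$1" ] || return 1
  ids=$(ls -ldn "$1" | awk '{ print $1, $3, $4 }')      # mode uid gid
  sum=$(cksum "$1" | awk '{ print $2, $1 }')            # size crc
  printf '%s %s %s\n' "$1" "$ids" "$sum"
}

# baseline_create LISTFILE BASELINE: LISTFILE names one file per line, e.g.
# /etc/inetd.conf, /etc/inittab, /etc/passwd and every /etc/rc?.d script
baseline_create() {
  : > "$2"
  while read -r p; do
    if [ -n "$p" ]; then
      file_record "$p" >> "$2" || echo "skipped (not a regular file): $p" >&2
    fi
  done < "$1"
}

# baseline_check BASELINE: print CHANGED/MISSING lines; exit status 1 if any
baseline_check() {
  drift=0
  while read -r path rest; do
    if [ -z "$path" ]; then continue; fi
    if [ ! -f "$path" ]; then
      echo "MISSING $path"; drift=1; continue
    fi
    now=$(file_record "$path" | cut -d' ' -f2-)
    if [ "$now" != "$rest" ]; then
      echo "CHANGED $path was: $rest now: $now"; drift=1
    fi
  done < "$1"
  return $drift
}

# make_sample DIR: constructed files standing in for the real configuration
# files (not a real system), so the check can be tried without root.
make_sample() {
  printf 'telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd\n' > "$1/inetd.conf"
  chmod 644 "$1/inetd.conf"
  printf '#!/bin/sh\n' > "$1/S15nfs.server"
  chmod 744 "$1/S15nfs.server"
  printf 'umask 022\n' > "$1/profile"
  printf '%s\n' "$1/inetd.conf" "$1/S15nfs.server" "$1/profile" > "$1/list"
}

# Stand-alone run:  sh baseline.sh --demo
# Live host:  baseline_create /var/adm/secfiles.list /var/adm/secfiles.base (as root),
#             then baseline_check /var/adm/secfiles.base from cron
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d) && make_sample "$d"
  baseline_create "$d/list" "$d/baseline"
  printf 'tftp dgram udp wait root /usr/sbin/in.tftpd in.tftpd\n' >> "$d/inetd.conf"
  chmod 777 "$d/S15nfs.server"
  rm "$d/profile"
  baseline_check "$d/baseline" || echo "drift detected (exit $?)"
  rm -rf "$d"
fi
```

The demo shows the three events the start-up script and configuration file slides warn about: a service added to inetd.conf (size and checksum change), an rc script made world-writable (mode change), and a file removed. The non-zero exit status lets a cron job alert only when something drifted.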

39
Commercial Applications
  • Axent ESM
  • CA Unicenter
  • Bindview