1 lecture 5 unix security. 2 contents u unix login and user accounts u unix access control u unix...
Post on 15-Jan-2016
240 views
TRANSCRIPT
1
Lecture 5
UNIX Security
2
Contents UNIX login and user accounts Unix Access control UNIX instances of General Security
Principles Local Vulnerabilities and exposures Auditing UNIX system from the inside Remote Vulnerabilities and exposures Auditing UNIX system from the outside
3
Login identification + authentication: =
(username, password) password length: 8 characters password protection: encrypted with
Crypt(3), and stored in /etc/passwd file.
4
Format of the Password File
Format: Username: encrypted password:user ID:
Group ID: ID string: home directory: login shell
ID string = user’s full name User ID and group ID = explained later. Login shell: the Unix shell available to
the user after successful login.
5
Format of the Password File Displaying the password file: cat
/etc/passwd dieter:RT.QsZEEsxT92:100026:53:Dieter
Gollman:/home/staff/dieter:usr/local/bin/bash
When the password field is empty, the user does not need a password for login.
If the password field starts with an asterisk, the user cannot login, because such values cannot be the results of an f(cleartext password).
6
Other Issues Passwd(1): change password by
supplying old one twice Shadow password file: in security
conscious version of Unix, it is stored in /.secure/etc/passwd
Expiry date and control of old password: set
Root login: can be restricted to terminals nominated in /etc/ttys
7
Users and Superusers Users by user name, up to 8 characters Users by user ID (UID) internally, a 16-
bit number UIDs are linked to user names in
/etc/passwd. Unix does not distinguish between
users having the same UID.
8
Special User IDs Superuser has UID
0, and the name root.
The root account is used by the operating system for essential tasks like login, recording the audit log, or access to I/O devices.
• -2 nobody• 0 root• 1 daemon• 2 uucp• 3 bin• 4 games• 9 audit
9
Special User IDs Almost all security checks are turned
off for the superuser. The root account performs also certain
administrative tasks. The systems manager should not use
root as his personal account. When necessary, changing to root can
be requested by typing /bin/su without specifying a user name.
10
Super User and Protection
Remark: The superuser can do almost everything.
Remark: Every precaution has to be taken to control access to superuser status.
11
Control of Access to Superuser Status
The files /etc/passwd and /etc/group have to be write-protected. [UID => 0 in /etc/passwd]
Record all su attempts in the audit log together with the user (account) who issued the command.
Separate the duties of the system manager, e.g., by having special users like uucp or daemon to deal with networking. If one of these special users is compromised, not all is lost.
12
Groups Fact: Users belong to one or more groups. Why? Collecting users in groups is a
convenient basis for access control decisions.
Example: put all users allowed to access email in a group called mail.
Primary group: contains every user. The group ID (GID) of the primary group is stored in /etc/passwd.
13
Set UserID and Set GroupID
Question: If /etc/passwd is read-only, how can you change your password?
Answer: controlled invocation, Set UserID Program (SUID).
Remark: temporarily take on the UID of the owner of the password file. (i.e., root)
14
Access Control
Tree Structure for files and directories
15
Unix File Structure The directory is a
pointer to a data structure, inode.
– use “ls –l” to find
Fields in the inode that are relevant to access control.
FIELDS in inode relevant to security
• mode : type of file access rights• uid : user who owns the file• gid : group which owns file• atime: access time • mtime: modification time• itime: inode alteration• block count: size of file•physical location
16
Unix File Structure Each directory contains [“ls –a” gives all]
a pointer to itself, the file ‘.’ a pointer to its parent directory, the file ‘..’
Each file has an owner, usually the user who created the
file; belongs to a group (its owner’s or directory’s
group).
A newly created file belongs either to its creator’s group or its directory’s group.
17
Fields in inode Inspect a directory with command ls -l
-rw-r--r-- 1 dieter staff 1617 Oct 28 11:01 d.tex drwx------ 2 dieter staff 512 Oct 25 17:44 ads/
The 1st character gives the type of file. ‘-’ a file, ‘d’ a directory, ‘b’ a block device file, ‘c’ a character device file.
The file permission (to be discussed later). The link counter, the number of links (pointers) to the file. The name of the owner and the group of the file. The size of the file in bytes. The date and time is mtime, the time of the last modification. The name of the file. The ‘/’ after ads indicates a directory. The permission bits are grouped in three triples (read,
write and execute) access for owner, group, and other. ‘-’ indicates no grant of right. The uid, gid tell who own the file.
18
Changing Permissions with chmod by owner or superuser only
Absolute mode chmod [-fR] absolute file specify the value for all
permission bits chmod 644 = 110100100 = rw-r--r-- chmod 777 = 111111111 = rwxrwxrwx chmod 755 = 111101101 = rwxr-xr-x The option -f suppresses error messages, the option -R
applies the specified change recursively to all subdirectories of the current directory.
Symbolic mode will not introduced here. For details, see, page 91
19
Default Permissions Unix utilities (e.g., editors or compilers):
666 when creating a new file 777 when creating a new program
Adjust the permissions by umask, specifying the rights that should be withheld. umask 777 denies every access umask 000 does not add any further restriction 022 all for owner, r and x for group and other. 077 all for owner, no for group and other.
umask value is in /etc/profile actual default permission is computed as:
default ^ umask = 666 ^ 077 = 600 A^B = A and [not(B)] (AND NOT)
20
Instances of General Security Principles
Deleting Files Question: If we remove (delete) a file from the
file system, does it still exist in some form? Remark: We have to talk about how a file was
constructed!
Two types of copying: cp, link and ln cp: identical but independent file owned by the user
running cp. link, ln: only create a new file name with a pointer
to the original file and increase the link counter of the original file.
21
Deleting Files Conclusion: If a new file shares its content with the
original, and if the original is deleted with rm or rmdir, it disappears from its parent directory, but its contents as well as its copy still exist.
Question: How do we get rid of a file? The super user runs ncheck to list all the links to that file and
then deletes those links. Conclusion: Once a file has been deleted, the memory
space allocated to this file becomes available again. However, until these memory locations have actually been used again, they will still contain the file’s contents.
Question: How do we get rid of a file? Overwrite its contents with all-zeros before deleting it.
22
Protection of Devices Information: Unix treats devices like files. Thus
access to memory or a printer can be controlled like access to a file through setting permission bits.
How to create devices: use the mknod command which should only be executable by root.
/dev/console – console terminal /dev/mem – main memory map device (image of
the physical memory) /dev/kmem – kernel memory map device (image of
the virtual memory) /dev/tty – terminal
23
Memory Device Must be Protected
An attacker can bypass the controls set on files on directories, if they can access to the memory devices holding these files.
If the read or write permission bits are set on a memory device, an attacker can browse through memory or modify data in memory without being affected by the permissions defined for the files stored in this memory.
Conclusion: Almost all devices should NOT be readable or write-able by others.
24
Attacks Attacks are the result of one of two problems Vulnerability
A weakness in a system that leads to unexpected, undesired, or unauthorized results.
Exposure A state in system that is not a universal
vulnerability. Includes a capability the behaves as expected, but can be compromised.
Vulnerabilities allow attackers to execute commands as another user.
Exposures allow an attacker to conduct information gathering.
25
Local/System V&Es Physical Compromise Countermeasures
Secure the host and console in a cabinet or locked room. Password protect console and BIOS Disable booting from removable media Password protect single user mode
Buffer Overflows Countermeasures Disable the execution of code on the stack, via OS patch or
kernel parameters. Use safe programming practices: strncpy() instead of strcpy()
char *strcpy(char *dest, const char *src); char *strncpy(char *dest, const char *src, size_t n);
Remove SUID bit from executables that aren’t required for normal system operation.
Apply vendor OS and application patches.
26
Symlink Attacks A symbolic link is a pointer file that names (or
points to) another file elsewhere in the filesystem. Sometimes programs create a temporary file
in /tmp and modify the permissions such that other users can read or write the file.
Attackers pre-create a symlink file with the right name that points to a file they want to modify.
When the application does a chmod(), the target of the symbolic link will inherit the permissions of the chmod().
27
Symlink Attack - Countermeasures
Check to see if the application respects the $TMP environment variable. By setting $TMP to a directory that isn’t “world” writeable, you can prevent other users from creating symbolic links.
Apply vendor patches, or submit a complaint/bug report with the vendor if no patches exist.
28
Trojaned LKM Countermeasures
LKMs are loadable kernel modules: they’re code (usually device drivers) that get loaded by the kernel when access to the particular device is needed.
LKMs can be trojaned to modify the kernel in malicious ways; to mask a system cracker’s presence for example.
Countermeasure: compile a monolithic kernel with all device drivers included. (Only available in some OSes.)
http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/custom-guide/s1-custom-kernel-monolithic.html
29
Audit Logs & IntrusionDetection
Auditing: records security relevant events in an audit log (audit trail) for later analysis.
Intrusion detection: detects suspicious events when they happen and inform the system manager by email or by messages sent to the operator console.
Comment: The audit log should be well protected from writing by an attacker.
30
Auditing your system (from inside)
Steps you need to take (we’ll go over each) Verify most recent patches are applied to
OS and applications Disable unused services and daemons Address user account and password issues Protect from unauthorized remote access Other general types of checks
31
Protecting the Audit Log
Set a “logical protection” on the audit log so that only privileged users have write access.
Sent the audit log to another computer where root on the audited machine has no superuser privilege.
Sent the audit log to a secure printer.
32
Auditing - Verify patches Verify that you have installed the most recent
OS and application patches Most Operating System vendors and
applications have web pages and mailing lists to announce product updates.
Some automated tools exist up2date for OS and kernel updates to red hat
Linux. Debian is much more slick at this Also gnorpm is helpful, but not great. www.windowsupdate.microsoft.com (now has an
automatic install)
33
Auditing - Unused services Disable any unused services and daemons. They may be exploited if they are vulnerable
and you (the administrator) aren’t aware they’re running.
The commands “ps” and “netstat” are useful for determining which processes are running, and what (if any) network ports processes are listening on.
See Unix Review lecture notes or man pages for the use of ps and netstat.
34
Auditing - Unused services: “ps” ps -e
shows information about all processes currently running on the system.
ps -l shows, among other things, the priority of your
job, the memory size in blocks of your process, and the cumulative CPU time of the process.
http://www.computerhope.com/unix/ups.htm#03
35
Using netstat to find open ports
netstat --inet --all (Linux, show network ports) netstat -f inet (Solaris, Digital Unix) netstat provides useful information regarding traffic flow. In particular, netstat -i lists statistics for each interface,
netstat -s provides a full listing of several counters, and netstat -rs provides routing table statistics.
netstat -an reports all open ports. netstat -k provides a useful summary of several network-
related statistics, but this option is officially unsupported and may be removed in a future release.
36
Auditing - Disabling stand-alone daemons
Disable stand-alone daemons that are started at boot time by modifying the “rc” start-up script. rc is the command script which controls the startup of
various services For Example: sendmail In /etc/rc.d/rc2.d the sendmail startup
script is S88sendmail. Move S88sendmail to s88sendmail and the
“rc” process will ignore it. (The “rc” process is looking for all files starting with a capital letter)
On Linux this can also be done with the linuxconf and sysconfig utilities.
37
Various Daemons S05kudzu detects and configures new and/or changed hardware on a system S10network Activates/Deactivates all network interfaces configured to start at boot time.
S11portmap manages RPC connections, which are used by protocols such as NFS and NIS
S14nfslock Network File System (NFS) functionality
S16apmd battery/power management for laptops S20random used for random number generation S25netfs mounts NFS and Samba mount points S30syslog assists programs in logging events S35identd matches users to TCP connections S40atd like cron, but for users S40crond periodically runs programs S45pcmcia for supporting cards on laptops S50inet starts and runs inetd S55xntpd Runs the Networks Time Protocol for syncing clocks
38
Services that should be firewalled
These services don’t need internet connectivity at all. Anything NFS related RPC services (remote procedure call) Printer lpd
Probably don’t need these: Sendmail (plenty of holes historically) Qmail BIND (DNS) Replace all of these with ssh (scp, and sftp)
r-services: rsh, rlogin, rcp telnet ftp
39
Auditing - User accounts and passwords
Establish a clearly defined password policy frequency of forced password changes enforce mixture of alpha, numeric and other characters. Educate users to not share or write down their passwords
Disable unused accounts Enable shadowed passwords Frequently do the following:
Check that all accounts have a password Check if any accounts other than root have UID 0 Run a password cracker to ensure secure passwords
40
Auditing- Unauthorized access
If you need to run the “r-services” (you don’t), make sure it’s done as securely as possible.
Disallow and periodically check for users’ .rhosts files. This file lists the hosts and users that are allowed to log into the user’s account via the r-services without providing a password.
Disallow /etc/hosts.equiv, which lists hosts considered to be “trusted” (i.e. users can connect via r-services from those hosts without supplying a password)
We will spend an entire class on how to exploit the rsh service.
41
Auditing-Unauthorized access
Don’t allow root to log directly; force user with root password to log in then “su” to root.
Or, only allow root to log in from the console. (Assuming the console is in a secure location)
On Linux, /etc/securetty contains a list of terminals that root can login from.
Why are you logging in as root at all? Don’t run programs or surf the web as root.
42
Auditing- Other things to check Make sure root’s $PATH does NOT contain a “.”
$PATH is set to a list of directories where commands (binaries) can be found and is searched each time a command is executed.
$PATH=/usr/bin:/usr/sbin:/usr/local/bin Attack: malicious user Mallory looks at roots . profile and
realizes root has “.” as part of the $PATH. Mallory creates a shell script in her home directory called “ls” which copies /usr/bin/bash to a specified location and make it SUID root.
Mallory then tells the admin . that there’s something wrong in her home directory, the admin goes to look in her home dir. and types “ls”. If the “.” is in the path before the directory that contains the real “ls”, Mallory’s “ls” will get executed, and Malloy will have access to an SUID root shell.
43
Local auditing Tools COPS - Local system auditing application Crack - Password cracking program for UNIX netstat - Can be used to show “open” network
ports. lsof - Used to show network ports associated
with processes. Tripwire - Application to hash system files and
periodically check to see if files have changed. Bastille Linux - Linux “hardening scripts”
44
Other various suggestions Why stay connected to the Internet all the time?
If you aren’t running a server, consider disconnecting network services at night, or while at work.
Don’t trust wireless services for several years or more. Place them outside your firewall Only use secure application level services above them, like ssh or
secure web browsing.
Use xlock-locks the local X display until a password is entered
Use vlock-either locks the current terminal (which may be any kind of terminal, local or remote), or locks the entire virtual console system, completely disabling all console access. vlock gives up these locks when either the password of the user who started vlock or the root password is typed.
45
Remote Vulnerabilities and Exposures
Over the course of the semester we will be studying several remote vulnerabilities.
Some include: Remote Buffer overflow Session Hijacking Unauthorized access to network services
46
Remote Buffer Overflow - Countermeasures
Disable the execution of code on the stack, via OS patch or kernel parameter
Use safe programming practices. Apply vendor OS and application patches
Something you should do anyway for other types of exploits.
47
Session Hijacking - Countermeasures Session hijacking is a method by which an attacker
can steal a connection from another host. The attacker can insert whatever it wants into the TCP
stream E.g., echo “* *” >> .rhosts
Such attacks are based on the ability of the attacker to guess the TCP initial sequence number during the three way handshake.
Apply system patches or tweak kernel variable to increase randomness of TCP initial sequence generation
Sufficiently randomizing TCP sequence numbers makes session hijacking more difficult.
48
Unauthorized Access to Network services - Countermeasures
IP based access control TCP Wrappers
ftp://ftp.porcupine.org/unix/security
Secure portmapper/rpcbind ftp://ftp.porcupine.org
NFS shares (/etc/exports, /etc/dfs/dfstab)
49
tcp_wrappers IP based access control to services spawned by
inetd can be configured using the tcp_wrappers package developed by Weitse Venema.
Stand alone daemons such as ssh, sendmail and secure portmapper/rpcbind can be compiled using libwrap.a, a shared library which provides tcp_wrappers access control.
tcp_wrappers uses the configuration files /etc/hosts.allow and /etc/hosts.deny to determine whether or not a specific host can gain access to a service.
50
tcp_wrappers Example:
Check out the line for telnet in /etc/inetd.conf:telnet stream tcp nowait root /usr/sbin/tcpd
in.telnetd "tcpd" is the wrapper program, and it calls in.telnetd (the telnet daemon) after it "authenticates" the remote host for a service.The best and most paranoid method of configuring is denying all services to all hosts;
then give explicit permissions to those you want to be able to connect on an individual service basis.
Why not disallow access to your home machine from all hosts but a specific machine at UMass?
51
In this example, give telnet access to 192.168.10.1 and 192.168.3.0\24
/etc/hosts.deny would contain (# is a comment):# service : host# Deny all hosts and all servicesALL: ALL
/etc/hosts.allow would contain: #service : host# Allow hoststelnet : 192.168.10.1, 192.168.3.
tcp_wrappers
52
tcp_wrappers tcp_wrappers attempts to confirm hostname -> IP
and IP->hostname mappings. Can be configured to drop IP source routed
packets. We’ll talk in a later class about the exploits possible with
source routing.
Logs via the syslog utility. A denied connection attempt gets logged as follows:
Mar 24 14:15:22 server ftpd[29291]: refused connect from evilhost.crackerz.com
53
Secure portmap/rpcbind portmap (BSD) and rpcbind (SysV) are used by
remote procedure call (RPC) programs. They provide a mapping of program to RPC number.
secure portmap and rpcbind provides tcp_wrappers support to control who can receive information from the rpcbind/portmap daemons.
Although it’s one level of defense, it doesn’t prevent an attacker from figuring out RPC numbers and attacking RPC daemons directly.
(these services should be firewalled!)
54
Auditing your system from the outside
NFS shares rpcinfo nmap Remote Auditing tools try exploits against specific services.
55
Auditing - NFS Network File Service (NFS) allows a host to
access a shared filesystem on another host as if it was a locally connected filesystem.
NFS shares on the NFS server have an access control list to specify which hosts and users have access to a particular shared resource.
Check that the NFS access lists are properly configured such that it’s not sharing file systems to “the world”
The showmount command can be used to view NFS exported filesystems.
56
Aditing - nmap nmap is an extremely versatile port scanning tool which
can be used to determine which services are running. It can also be used as a rudimentary packet filter or
tcp_wrappers test. http://www.insecure.org/nmap Using the command “nmap -sT laptop.oit.umass.edu”
Starting nmap V. 2.53 by [email protected] Interesting ports on laptop.oit.umass.edu (128.119.xxx.xxx):(The 1519 ports scanned but not shown below are in state: closed)Port State Service80/tcp open http 111/tcp open sunrpc 1024/tcp open kdm 6000/tcp open X11
57
Auditing - Remote auditing tools.
Several utilities are available to “attack” or gather information about services/daemons on a system. SAINT - Based on SATAN utility SARA - Also based on SATAN Nessus - Excellent open source vulnerability scanner
http://www.nessus.org
Commercial: ISS scanner Cybercop
58
Backing up Once you system is installed, configured, and secured,
but not on the net make a backup It’s the only time you know you haven’t been hacked yet. Attacks often have signatures:
Snort tries to stop attacks as they occur by filtering out specific packets. E.g., ones that contain “exec /bin/sh”
After an attack is complete, file time stamps, sizes, and contents will change.
Checking your computer against what you installed is key;
Restoring your computer to a previous state requires a backup.
59
Tripwire Tripwire is a tool originally developed at Purdue
as an academic project. The basic idea is keep a hash of each file on your
system. Anytime a single bit is altered in a file, the resulting
hash will change. Store the hashes of your files on read-only media (CD-
ROM); compare results of the current system to the saved results: find files that have changed.
Can be used in /etc, or even for your web pages. Source code is still available .
60
Unix Telnet Wrapper Telnet work as follows. The inetd daemon listens to
incoming network connections. When a connection is made, inetd starts the appropriate server program and then returns to listening for further connections.
The inetd daemon has a configuration file that maps services to programs. Entries in this file have the formatservice type protocol waitflag userid executable command-line
Entry for telnet could betelnet stream tcp nowait root /usr/bin/in.telnetd in.telnet
When inetd receives a request for a service, it consults the configuration file and creates a new process that runs the program (executable) specified. The name of this new process is the name given in the command-line field.
61
Often, the name of the executable and the command-line entry are the same. In this case, point the inetd daemon to a wrapper program instead of the original executable; use the name of the process to remember the name of the original executable, which is called after the wrapper has performed its security controls.
New configuration file entry for telnet:telnet stream tcp nowait root /usr/bin/tcpd in.telnet
The program executed is now /usr/bin/tcpd, the TCP wrapper executable. The process executing the wrapper is still called in.telnet. The wrapper can perform access control, logging ...
The wrapper knows the directory it is in, i.e. /usr/bin, and its own name, in.telnet, so it can call the original server program /usr/bin/in.telnet
Users see no difference, receive the same service as before
Unix Telnet Wrapper (Cnt’d)
62
Summary UNIX login and user accounts Unix Access control UNIX instances of General Security
Principles Local Vulnerabilities and exposures Auditing UNIX system from the inside Remote Vulnerabilities and exposures Auditing UNIX system from the outside