1. ELEMENTS OF LINUX SECURITY
Dr. Jayaraj Poroor
Presented at TIFAC CORE in Cyber Security (2009)
Amrita University
2. SYSTEM MODEL
[Diagram: processes (P) running in primary memory/CPU under the kernel (KNL); the kernel LOADs from and performs CRUD operations on the file systems (ROOT-FS mounted at /, plus other FS) held in secondary memory.]
3. SECURITY
CIA Triad
Confidentiality – Eavesdropping, Viewing
Integrity – Modification
Availability – Denial of Service
Authentication – Identity Spoofing, Fabrication
Access Control – Intrusion, Privilege Escalation
Policy, Enforcement
4. THREAT MODEL
[Diagram: the attacker's file system (ATTACKER-FS) reaches the target's processes (P), kernel (KNL) and user file system (USER-FS) by (1) remote access over the network, (2) local access, or (3) physical access.]
5. LOCAL/PHYSICAL ACCESS ATTACKS
Threat: Single User Mode Login
Prevention: Set GRUB boot password
Threat: Attacker Boot CD/USB Disk
Prevention: Set BIOS password
Threat: Physical HD removal
Prevention: Encrypted File System/Files
Threat: Login Trojan
Prevention: Ctrl+Alt+Backspace, Ctrl-Z, Ctrl-C
Threat: Data Loss in all cases
Prevention: Backup
7. REMOTE – INDIRECT/INFRASTRUCTURE
Phishing emails
http://militarybankonline.bankofamerica.com.f1hj.net
Virus/trojans via emails, usb-drives
Pharming – DNS Cache Poisoning
Use TLS Sites and verify Certificates
8. DIRECT REMOTE ATTACKS
• Open/Weak WiFi
– Use WPA2 and strong keys
• Attacking Network Services
– Port scanning
– Banner grabbing, OS Fingerprinting
– Exploit known vulnerabilities
– DoS attacks
– Remote login: password guessing
9. POST-EXPLOIT
Install Root-kit, backdoor
Botnet Zombie
Steal data and leave without trace
Destroy data
11. IN PRACTICE
MINIMIZE EXPLOIT POTENTIAL
MINIMIZE POST-EXPLOIT DAMAGE
MAXIMIZE CHANCE OF DISCOVERY
12. MINIMIZE EXPLOIT POTENTIAL
• Update patches
• Configure iptables firewall
• iptables -A INPUT -p tcp --dport 80 --syn -j ACCEPT
• iptables -A INPUT -p tcp --syn -j DROP
• Disable unnecessary services
• Use netstat, nmap
• Don’t run insecure services
• Don’t use ftp/telnet, use sftp/ssh
14. MINIMIZE POST-EXPLOIT DAMAGE
Don’t run as root
setuid(), setgid()
Use CHROOT jail
chroot
Use POSIX Capabilities
lcap, getpcaps, setpcaps
Use EXT2 ACL
mount -o acl, setfacl, getfacl
setfacl -m u:test:r file
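The setuid()/setgid() and chroot bullets above do not say in which order to apply them, and the order decides whether the drop is real. The program below is an added example, not code from the slides: it clears supplementary groups, then sets the gid, then the uid (the reverse order fails, because an unprivileged uid may no longer change groups), verifies that root cannot be regained, and shows that chroot must be followed by chdir("/") and a privilege drop. The target id 65534 ("nobody" on most distributions) and the jail directory /var/empty are assumptions.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop root privileges irreversibly. Order matters: supplementary groups and
 * the gid must go first, because once the uid is unprivileged, setgroups()
 * and setgid() are no longer permitted. Returns 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;                        /* "dropping" to root is a bug */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;                        /* clear supplementary groups (root only) */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify the drop is irreversible: regaining root must fail with EPERM. */
    if (setuid(0) != -1 || errno != EPERM)
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* chroot() alone is not a boundary: the process must move into the jail with
 * chdir("/") and then give up root, otherwise it can still escape.
 * Returns 0 on success, 1 if skipped because we are not root, -1 on error. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (geteuid() != 0)
        return 1;
    if (chroot(dir) != 0 || chdir("/") != 0)
        return -1;
    return drop_privileges(uid, gid);
}

int main(void)
{
    /* Assumed target ids: 65534 when started as root, otherwise our own ids. */
    uid_t uid = getuid() ? getuid() : 65534;
    gid_t gid = getgid() ? getgid() : 65534;
    int rc = enter_jail("/var/empty", uid, gid);   /* assumed jail directory */
    if (rc == 1)
        rc = drop_privileges(uid, gid);           /* not root: no chroot, still drop */
    printf("rc=%d uid=%u euid=%u gid=%u\n", rc, (unsigned)getuid(),
           (unsigned)geteuid(), (unsigned)getgid());
    return rc == 0 ? 0 : 1;
}
```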
16. MAXIMIZE CHANCE OF DISCOVERY
• IDS
– Tripwire, Snort
• Monitor Syslog
• Use chkrootkit
Use Kernel Audits for critical files
auditctl, ausearch
Use EXT2 Extended Attributes
lsattr, chattr
Immutable (i), Append-only (a), Safe-delete (s), Allow Undelete (u)
18. TRY OUT WITHOUT BURNING YOURSELF
SCRATCH FILE SYSTEM
dd if=/dev/zero bs=1024 count=1024 of=disk.img
mke2fs disk.img
mount -o loop,acl disk.img <dir>
VIRTUAL MACHINE
http://www.virtualbox.org
19. REFERENCES
OWASP – Open Web Application Security Project – http://www.owasp.org
MITRE – http://www.mitre.org
SANS – System Administration & Network Security – http://www.sans.org
COBIT – Control Objectives for Information & Related Technology – http://www.isaca.org/cobit/
ISO 17799 – Risk-based Information Security Management – http://www.iso.org
Anti-Phishing.Org – http://www.antiphishing.org/
CMU CERT/CC – http://www.cert.org/