ELEMENTS OF LINUX SECURITY
Dr. Jayaraj Poroor
Presented at TIFAC CORE in Cyber Security (2009)
Amrita University
SYSTEM MODEL
[Diagram: processes (P) running in primary memory/CPU on top of the kernel (KNL); the kernel performs LOAD and CRUD operations against secondary memory, which holds the root file system (ROOT-FS, mounted at /) and further file systems (FS).]
SECURITY
• CIA Triad
  – Confidentiality – Eavesdropping, Viewing
  – Integrity – Modification
  – Availability – Denial of Service
• Authentication – Identity Spoofing, Fabrication
• Access Control – Intrusion, Privilege Escalation
• Policy
• Enforcement
THREAT MODEL
[Diagram: three ways an attacker reaches the user's system, processes (P), kernel (KNL) and file system (USER-FS): (1) REMOTE ACCESS over the NETWORK, (2) LOCAL ACCESS, (3) PHYSICAL access; the attacker's own file system is shown as ATTACKER-FS.]
LOCAL/PHYSICAL ACCESS ATTACKS
• Threat: Single User Mode Login
  – Prevention: Set GRUB boot password
• Threat: Attacker Boot CD/USB Disk
  – Prevention: Set BIOS password
• Threat: Physical HD removal
  – Prevention: Encrypted File System/Files
• Threat: Login Trojan
  – Prevention: Ctrl+Alt+Backspace, Ctrl-Z, Ctrl-C
• Threat: Data Loss in all cases
  – Prevention: Backup
REMOTE ACCESS ATTACKS
[Diagram: remote access attacks are either INDIRECT (via INFRASTRUCTURE) or DIRECT (by an ATTACKER, which may be a WORM, a BOTNET ZOMBIE or a PERSON).]
REMOTE – INDIRECT/INFRASTRUCTURE
• Phishing emails
  – e.g. http://militarybankonline.bankofamerica.com.f1hj.net
• Virus/trojans via emails, usb-drives
• Pharming – DNS Cache Poisoning
• Use TLS Sites and verify Certificates
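The phishing URL on this slide works because a reader sees "bankofamerica.com" in the middle of the hostname and stops reading. The shell functions below are an added example (not part of the slides) that make the check mechanical: extract the host a browser would actually connect to, then reduce it to its registrable domain. The two-label apex rule is an assumption; multi-part public suffixes such as co.uk would need the Public Suffix List.

```shell
#!/bin/sh
# Added example, not from the slides: show which domain a link really points at.

# url_host URL -> prints the hostname a browser would connect to (lowercased).
url_host() {
    h=$1
    h=${h#*://}          # drop scheme (http://, https://)
    h=${h%%/*}           # drop path
    h=${h%%\?*}          # drop a query string that follows the host directly
    h=${h##*@}           # drop userinfo: "bank.com@evil.net" connects to evil.net
    h=${h%%:*}           # drop port
    printf '%s\n' "$h" | tr 'A-Z' 'a-z'
}

# apex_domain HOST -> the last two DNS labels, i.e. the part someone had to
# register. Assumption: a simple two-label rule (no co.uk-style suffixes).
apex_domain() {
    host=$1
    rest=${host%.*}            # everything before the last label
    tld=${host##*.}
    case $rest in
        *.*) sld=${rest##*.} ;;
        *)   sld=$rest ;;
    esac
    printf '%s.%s\n' "$sld" "$tld"
}

# brand_mismatch URL BRAND_DOMAIN -> succeeds (exit 0) when the hostname merely
# *mentions* the brand domain but is registered under a different apex.
brand_mismatch() {
    host=$(url_host "$1")
    apex=$(apex_domain "$host")
    case $host in
        *"$2"*) [ "$apex" != "$2" ] ;;   # brand present, but not the owner
        *) return 1 ;;
    esac
}

# The slide's example: the brand is in the name, the owner is f1hj.net.
url_host 'http://militarybankonline.bankofamerica.com.f1hj.net'
apex_domain "$(url_host 'http://militarybankonline.bankofamerica.com.f1hj.net')"
```

Running the script prints the full hostname followed by `f1hj.net`; `brand_mismatch` is the piece that would go into a mail filter or a link-checking hook.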
DIRECT REMOTE ATTACKS 
• Open/Weak WiFi 
– Use WPA2 and strong keys 
• Attacking Network Services 
– Port scanning 
– Banner grabbing, OS Fingerprinting 
– Exploit known vulnerabilities 
– DoS attacks 
– Remote login: password guessing
POST-EXPLOIT
• Install Root-kit, backdoor
• Botnet Zombie
• Steal data and leave without trace
• Destroy data
COUNTER-MEASURES
• Principle of Least Privilege
• Fail-safe Defaults
• Open Design
• Separation of Privilege
• Least Common Mechanism
IN PRACTICE
• MINIMIZE EXPLOIT POTENTIAL
• MINIMIZE POST-EXPLOIT DAMAGE
• MAXIMIZE CHANCE OF DISCOVERY
MINIMIZE EXPLOIT POTENTIAL
• Update patches
• Configure iptables firewall
  – iptables -A INPUT -p tcp --dport 80 --syn -j ACCEPT
  – iptables -A INPUT -p tcp --syn -j DROP
• Disable unnecessary services
• Use netstat, nmap
• Don’t run insecure services
• Don’t use ftp/telnet, use sftp/ssh
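The two iptables rules on the slide are the core of a host firewall: accept new connections only where intended, drop the rest. The script below is an added example (not from the slides) that completes them into a fail-safe ruleset: a DROP default policy, loopback and established/related traffic allowed, an explicit allowlist of TCP ports, and a rate-limited log of what was dropped. It assumes IPv4 only, that the SSH port is among the allowed ports so an administrator is not locked out, and that `IPT` may be overridden (for instance `IPT="echo iptables"`) to dry-run the rules.

```shell
#!/bin/sh
# Added example, not from the slides: default-deny iptables host firewall.
# The rule list is generated by fw_rules so it can be reviewed before
# fw_apply loads it. Assumptions: IPv4, conntrack module available.

IPT=${IPT:-iptables}

# fw_rules PORT... -> prints one iptables argument list per line.
fw_rules() {
    # Fail-safe default: anything not explicitly accepted is dropped.
    echo '-P INPUT DROP'
    echo '-P FORWARD DROP'
    echo '-P OUTPUT ACCEPT'
    # Local processes talking to each other over loopback.
    echo '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this host opened, plus related traffic (ICMP errors).
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Explicit allowlist: new TCP connections (SYN) only to the listed ports.
    for port in "$@"; do
        echo "-A INPUT -p tcp --dport $port --syn -j ACCEPT"
    done
    # Log a sample of what is dropped (rate-limited so the log cannot be
    # used to fill the disk), then drop it.
    echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "'
    echo '-A INPUT -j DROP'
}

# fw_apply PORT... -> flushes INPUT/FORWARD and loads the generated rules;
# stops at the first rule iptables rejects.
fw_apply() {
    $IPT -F INPUT && $IPT -F FORWARD || return 1
    fw_rules "$@" | while IFS= read -r rule; do
        eval "$IPT $rule" || exit 1   # exit leaves the pipeline subshell with 1
    done
}

# Review the ruleset for SSH and HTTP without touching the kernel:
fw_rules 22 80
```

Run `fw_apply 22 80` as root to load the rules; to see exactly what would be executed first, run `IPT="echo iptables" fw_apply 22 80`.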
NETSTAT
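"Use netstat" on the previous slide is about finding what the host exposes before an attacker does. The script below is an added example (not from the slides): it reads `netstat -tuln` style output and reports every socket bound to a wildcard address (0.0.0.0 or ::) whose port is not on an allowlist; loopback-only listeners are ignored because they are not reachable from the network. The netstat lines at the bottom are a constructed sample, and `audit_host` is a hypothetical wrapper for running the same check against the live system from cron.

```shell
#!/bin/sh
# Added example, not from the slides: flag unexpected network listeners.

# exposed_listeners ALLOWED_PORTS(comma-separated) < netstat-output
# Prints "proto addr port" for each wildcard-bound listener not on the allowlist.
exposed_listeners() {
    awk -v allow=",$1," '
        # netstat -tuln columns: Proto Recv-Q Send-Q Local-Address Foreign-Address [State]
        $1 ~ /^(tcp|udp)6?$/ {
            n = split($4, a, ":")
            port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            # Only wildcard binds are reachable from other hosts.
            if (addr != "0.0.0.0" && addr != "::") next
            # TCP sockets count only while actually listening.
            if ($1 ~ /^tcp/ && $NF != "LISTEN") next
            if (index(allow, "," port ",") > 0) next
            printf "%s %s %s\n", $1, addr, port
        }'
}

# audit_host ALLOWED_PORTS -> 0 if nothing unexpected is exposed, 1 if something
# is (printed), 2 if netstat is unavailable. Hypothetical cron wrapper.
audit_host() {
    command -v netstat >/dev/null || return 2
    out=$(netstat -tuln 2>/dev/null | exposed_listeners "$1")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample of netstat -tuln output for demonstration.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:69              0.0.0.0:*
udp        0      0 127.0.0.1:323           0.0.0.0:*'

# With SSH and HTTP allowed, the sample exposes an FTP and a TFTP listener.
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners 22,80
```

On the sample the output is the two lines `tcp 0.0.0.0 21` and `udp 0.0.0.0 69`, exactly the "insecure services" the slide says not to run; the MySQL and chrony sockets bound to 127.0.0.1 are not reported.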
MINIMIZE POST-EXPLOIT DAMAGE
• Don’t run as root
  – setuid(), setgid()
• Use CHROOT jail
  – chroot
• Use POSIX Capabilities
  – lcap, getpcaps, setpcaps
• Use EXT2 ACL
  – mount -o acl, setfacl, getfacl
  – setfacl -m u:test:r file
CAPABILITY BOUNDING SET
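The capability tools on the previous slide (getpcaps, lcap) read the same masks the kernel exposes in /proc/PID/status: CapEff is what a process can do now, CapBnd (the bounding set shown on this slide) is the ceiling it can never grow beyond. The script below is an added example (not from the slides) that decodes those hexadecimal masks into capability names, so a reviewer can see at a glance whether a "dropped privileges" daemon still holds, say, cap_sys_admin. The numbering follows the kernel's linux/capability.h; reading your own status file needs no root.

```shell
#!/bin/sh
# Added example, not from the slides: decode /proc/PID/status capability masks.

# cap_name N -> name of capability number N (kernel numbering, 0..40);
# numbers beyond the table (newer kernels) are printed as cap_N.
cap_name() {
    set -- $1 chown dac_override dac_read_search fowner fsetid kill setgid setuid \
        setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw \
        ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct \
        sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod \
        lease audit_write audit_control setfcap mac_override mac_admin syslog \
        wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore
    n=$1; shift
    if [ "$n" -lt $# ]; then
        shift "$n"
        printf 'cap_%s\n' "$1"
    else
        printf 'cap_%s\n' "$n"
    fi
}

# cap_names HEXMASK -> one capability name per set bit, lowest bit first.
# The mask is processed one hex digit at a time, so 64-bit masks never
# overflow the shell's arithmetic.
cap_names() {
    hex=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    hex=${hex#0x}
    pos=0                          # bit index of the current digit's lowest bit
    while [ -n "$hex" ]; do
        last=${hex#"${hex%?}"}     # rightmost hex digit
        hex=${hex%?}
        nib=$((0x$last))
        k=0
        while [ "$k" -lt 4 ]; do
            if [ $(( (nib >> k) & 1 )) -eq 1 ]; then
                cap_name $((pos + k))
            fi
            k=$((k + 1))
        done
        pos=$((pos + 4))
    done
}

# proc_caps PID FIELD -> raw hex mask of FIELD (CapInh, CapPrm, CapEff, CapBnd, CapAmb)
proc_caps() {
    awk -v f="$2:" '$1 == f { print $2 }' "/proc/$1/status"
}

# What this shell can do now, and what it could ever acquire.
echo "effective:";    cap_names "$(proc_caps self CapEff)"
echo "bounding set:"; cap_names "$(proc_caps self CapBnd)"
```

Run it as an ordinary user and the effective list is empty while the bounding set is usually the full table; run it inside a well-configured service or container and the bounding set should be short. A daemon whose CapEff still contains cap_sys_admin or cap_dac_override has not really given up root.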
MAXIMIZE CHANCE OF DISCOVERY
• IDS
  – Tripwire, Snort
• Monitor Syslog
• Use chkrootkit
• Use Kernel Audits for critical files
  – auditctl, ausearch
• Use EXT2 Extended Attributes
  – lsattr, chattr
  – Immutable (i), Append-only (a), Safe-delete (s), Allow Undelete (u)
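"Monitor Syslog" on this slide pairs with "remote login: password guessing" on the direct-attacks slide: the guessing shows up in the auth log long before it succeeds. The script below is an added example (not from the slides) that counts sshd failed-password lines per source address and reports the sources above a threshold, which is the minimal detection a syslog monitor or cron job should run. The log lines are constructed samples in the standard syslog format; the path used by `check_auth_log` is an assumption and varies by distribution.

```shell
#!/bin/sh
# Added example, not from the slides: spot password guessing in the auth log.

# failed_logins_by_source < auth.log -> "count ip" per source, highest first
failed_logins_by_source() {
    awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the word after "from" is the source address
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# brute_force_sources THRESHOLD < auth.log -> sources with at least THRESHOLD failures
brute_force_sources() {
    failed_logins_by_source | awk -v t="$1" '$1 >= t { print $2 }'
}

# check_auth_log FILE THRESHOLD -> 0 when quiet, 1 when sources are listed,
# 2 when the log is unreadable (so a cron job notices a missing log too).
check_auth_log() {
    [ -r "$1" ] || return 2
    hits=$(brute_force_sources "$2" < "$1")
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample: one source fails four times, a legitimate user once.
SAMPLE_AUTH_LOG='Mar  3 10:01:02 host sshd[2201]: Failed password for root from 198.51.100.7 port 50122 ssh2
Mar  3 10:01:04 host sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 50130 ssh2
Mar  3 10:01:05 host sshd[2204]: Accepted publickey for alice from 192.0.2.10 port 41000 ssh2
Mar  3 10:01:07 host sshd[2206]: Failed password for root from 198.51.100.7 port 50141 ssh2
Mar  3 10:01:09 host sshd[2208]: Failed password for bob from 192.0.2.10 port 41020 ssh2
Mar  3 10:01:11 host sshd[2210]: Failed password for root from 198.51.100.7 port 50160 ssh2'

printf '%s\n' "$SAMPLE_AUTH_LOG" | brute_force_sources 3
# On the live system (path is an assumption): check_auth_log /var/log/auth.log 10
```

With a threshold of 3 the sample yields only `198.51.100.7`; the single failure from 192.0.2.10 is the kind of typo a real user makes and stays below the line.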
EXTENDED ATTRIBUTES
TRY OUT WITHOUT BURNING YOURSELF
• SCRATCH FILE SYSTEM
  – dd if=/dev/zero bs=1024 count=1024 of=disk.img
  – mke2fs disk.img
  – mount -o loop,acl disk.img <dir>
• VIRTUAL MACHINE
  – http://www.virtualbox.org
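The three commands on this slide build a throwaway file system on which the ACL exercise from the "minimize post-exploit damage" slide (`setfacl -m u:test:r file`) can be tried without touching a real disk. The script below is an added example (not from the slides) that wraps both: `lab_up` creates and loop-mounts the image with ACL support, `acl_grant_read` grants one user read-only access and verifies the entry with `getfacl`, and `lab_down` cleans up. It needs root for the loop mount plus the e2fsprogs and acl packages, and returns 77 ("skip") instead of guessing when the environment cannot do that. The image path, directory and the numeric uid 12345 used in place of the slide's `test` user are assumptions.

```shell
#!/bin/sh
# Added example, not from the slides: scratch ext2 image + ACL exercise.

LAB_IMG=${LAB_IMG:-${TMPDIR:-/tmp}/linux-sec-lab.img}   # assumed paths
LAB_DIR=${LAB_DIR:-${TMPDIR:-/tmp}/linux-sec-lab}

# lab_up -> create a 1 MiB ext2 image and mount it with ACLs enabled.
# Returns 77 when this environment cannot do it (not root, tools missing,
# no loop device), 1 on a real failure, 0 when mounted.
lab_up() {
    [ "$(id -u)" -eq 0 ] || return 77
    command -v mke2fs >/dev/null && command -v setfacl >/dev/null || return 77
    dd if=/dev/zero bs=1024 count=1024 of="$LAB_IMG" 2>/dev/null || return 1
    mke2fs -q -F "$LAB_IMG" || return 1
    mkdir -p "$LAB_DIR" || return 1
    mount -o loop,acl "$LAB_IMG" "$LAB_DIR" || return 77
}

# lab_down -> unmount (if mounted) and remove the image.
lab_down() {
    umount "$LAB_DIR" 2>/dev/null
    rm -f "$LAB_IMG"
}

# acl_grant_read UID FILE -> give UID read-only access through an ACL entry
# and verify that getfacl (numeric, absolute names) reports exactly that.
acl_grant_read() {
    setfacl -m "u:$1:r" "$2" || return 1
    getfacl -pn "$2" 2>/dev/null | grep -qx "user:$1:r--"
}

# acl_demo -> a file readable only by its owner by mode, then one extra
# user (uid 12345, a placeholder) allowed to read it via ACL.
acl_demo() {
    f="$LAB_DIR/secret.txt"
    printf 'lab data\n' > "$f" && chmod 600 "$f" || return 1
    acl_grant_read 12345 "$f" || return 1
    ls -l "$f"          # the "+" after the mode marks the ACL
    getfacl -pn "$f"
}

if lab_up; then
    acl_demo
    lab_down
else
    lab_down
    echo "lab skipped (needs root, a loop device, e2fsprogs and acl tools)" >&2
fi
```

Inside a virtual machine, as the slide suggests, the whole thing can be run as root with nothing at stake; on a workstation `acl_grant_read` can still be tried on any file in a directory whose file system supports ACLs.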
REFERENCES
• OWASP – http://www.owasp.org
  – Open Web Application Security Project
• MITRE – http://www.mitre.org
• SANS – http://www.sans.org
  – System Administration & Network Security
• COBIT – http://www.isaca.org/cobit/
  – Control Objectives for Information & Related Technology
• ISO 17799 – http://www.iso.org
  – Risk-based Information Security Management
• Anti-Phishing.Org – http://www.antiphishing.org/
• CMU CERT/CC – http://www.cert.org/
THANK YOU