The document discusses strategies for understanding and mitigating Linux system intrusions, focusing on rootkits, malware handling, and potential defenses. It highlights common vulnerabilities, detection challenges, and the necessity for security tools and practices such as system hardening and continuous scanning. The presentation concludes with the importance of detection, restoration, and ongoing learning to enhance security measures.

1. Linux Systems
Compromised
Understanding and dealing with break-ins
Ede, 5 February 2016
Michael Boelen
michael.boelen@cisofy.com

2. Agenda
Today
1. How do “they” get in
2. Rootkits
3. Malware handling
4. Defenses
2

3. Michael Boelen
● Security Tools
○ Rootkit Hunter (malware scan)
○ Lynis (security audit)
● 150+ blog posts
● Founder of CISOfy
3

4. How do “they” get in

5. Intrusions
● Passwords
● Vulnerabilities
● Weak configurations
5

6. Why?
6

7. Keeping Control
● Rootkits
● Backdoors
7

8. Rootkits 101

9. Rootkits
● (become | stay) root
● (software) kit
9

10. Rootkits
● Stealth
● Persistence
● Backdoors
10

11. How to be the best rootkit?

12. Hiding ★
In plain sight!
/etc/sysconfig/…
/tmp/mysql.sock
/bin/audiocnf
12

13. Hiding ★★
Slightly advanced
● Rename processes
● Delete file from disk
● Backdoor binaries
13

14. Hiding ★★★
Advanced
● Kernel modules
● Change system calls
● Hidden passwords
14

15. Demo

16. Demo
16

17. Demo
17

18. Continuous Game
18

19. Detection

21. Challenges
● We can’t trust anything
● Even ourselves
● No guarantees
21

22. Rootkit Hunter
Detect the
undetectable!
22

23. Dealing with malware

24. ● Owner?
● Risk?
● What if we pull the plug?
Activate your plan!
24

25. VLAN
Bogus DNS
Looks Real™
Quarantine
25

26. Consider Research
Memory dump
(Volatility)
Static analysis
26

27. Restore
Does it include malware?
27

28. Defense

29. Best protection
At least
● Perform security scans
● Collect data
● System Hardening
29

30. Frameworks / Patches
● SELinux
● AppArmor
● Grsecurity
30

31. Compilers
● Remove
● Limit usage
31

32. Harden Applications
● Use chroot
● Limit permissions
● Change defaults
32

33. Kernel Hardening
● sysctl -a
● Don’t allow ptrace
33

34. Automation

35. Tip: Lynis
● Linux / UNIX
● Open source
● GPLv3
35

36. Conclusions

37. Conclusions
● Good rootkits are hard to detect
● Use cost-effective methods
● Detect
● Restore
● Learn
● Apply hardening
37

38. You finished this presentation
Success!

39. More Linux security?
Presentations
michaelboelen.com/presentations/
Follow
● Blog Linux Audit (linux-audit.com)
● Twitter @mboelen
39

40. 40