
Linux Security Crash Course


A crash course in Linux security walking through Linux access control, firewalls, auditing, and more.

Published in: Technology

Linux Security Crash Course

  1. Linux Security Crash Course - February 7th, 2018
  2. Get in touch with us
     Mailing List - Sign in and check “Add to Mailing List”
     Website -
     Slack - #csg on
     Email -
  3. Announcements
     Lab Hangouts - ECSS 4.619 - 4 PM Thursday, February 15
     Pentesting Session - FO 1.202, February 24th, 1 - 4pm
     State Farm CTF Sign-up - March 5th - 12th
  4. Linux Security Crash Course
     1. Authentication: a. PAM
     2. Authorization: a. sudo, b. setuid & setgid, c. capabilities, d. ACL
     3. Audit: a. auditd
     4. Services: a. sshd
     5. Firewall: a. iptables, b. firewalld
     6. Intrusion Detection: a. AIDE
     7. Compliance: a. OpenSCAP
  5. Authentication
  6. Pluggable Authentication Modules (PAM)
     Provides authentication for Linux
     A configurable collection of modules used to authenticate users
     Used by most services that need to authenticate a user
  7. PAM System Auth
  8. PAM - Tasks
     PAM supports the following tasks:
     ● auth - verify the user’s identity
     ● account - confirm the user may perform the requested action
     ● session - run tasks at the beginning and end of a session
     ● password - control the steps around changing passwords
  9. PAM - Controls
     Modules support the following controls:
     ● required - a failure fails the stack, but only after the rest of the stack is processed
     ● requisite - a failure fails the stack immediately
     ● sufficient - a success (with no prior failure) makes the stack succeed
     ● optional - its result only matters if it is the only module in the stack
  10. PAM - Useful Modules
     pam_faildelay - how long the user is delayed after a failure
     pam_unix - authentication from /etc/passwd and /etc/shadow
     pam_succeed_if - set constraints on attributes such as uid
     pam_pwquality - set constraints on new passwords
  11. PAM - Malicious Uses
     Given a user with root access to the system:
     ● Add a malicious module that logs users’ passwords
     ● Add a malicious module that sets a password backdoor
     ● Change the configuration to lock out users
  12. (slide with no extracted text)
  13. Authorization
  14. Sudo
     ● A program that allows users to run programs with different security privileges
     ● sudo defaults to the superuser (root), allowing for greater privileges
     ● Different from su because users supply their own password instead of root’s
     ● Configuration file is /etc/sudoers; it contains the list of all users allowed to use sudo
  15. Sudo
     sudo su username -- switches user to username
     sudo -i -- switches to the root user’s environment
     sudo -s -- runs a root shell in the current directory
     sudo -l -U username -- lists the commands username is allowed to run
  16. Sudo Replay
     To start sudoreplay, run sudo visudo and add:
       Defaults log_output
       Defaults!/usr/bin/sudoreplay !log_output
       Defaults!/sbin/reboot !log_output
     sudoreplay -l -- lists all recorded sudo sessions and the users that ran them
  17. setuid & setgid
     Part of the “mysterious” first octet of chmod
     setuid - sets the process owner to the owner of the file
     setgid - sets the process group to the group of the file
     Generally used to grant root permissions to an executable (e.g. sudo)
  18. Finding setuid and setgid binaries
     setuid - find <path> -perm -4000
     setgid - find <path> -perm -2000
  19. Consequences of setuid & setgid binaries
     ● The system is only as secure as its root setuid & setgid binaries
     ● GNU Screen Exploit
     ● Makes for fun CTF/Wargame challenges
  20. Capabilities
     Added in kernel 2.2 (1999)
     Splits the traditional all-or-nothing root permission into granular capabilities
     Follows the idea of least privilege
  21. Capabilities - Actively in use
     /usr/bin/ping = cap_net_raw+p
     As ping requires access to a raw socket, systems without capabilities require ping to be setuid root
  22. Managing Capabilities
     getcap - list the capabilities for a file
     setcap - set the capabilities for a file
     capsh - list the capabilities for the current process
  23. Capabilities - Consequences (?)
     Some claim many capabilities can be abused to achieve root access
     f62fd5d3472562540a7e608ce4e#p10271 - February 2002
  24. File Access Control List (ACL)
     Similar to chmod
     Lets you set user and group access to files and directories
     Gives more fine-grained permissions on individual files for specific users and groups
  25. File ACL
     getfacl <directory or file> -- show owner, group and permissions
     setfacl -m user:username:rwx,group:groupname:rwx <directory> -- modify (-m) the ACL so that the named user and group get read, write and execute permissions on the directory
  26. Audit
  27. Auditd
     ● Provides more information should an incident occur
     ● Designed to let admins quickly show what activity has been happening
     ● Rule based, so it can be hard to manage
  28. Auditd - Auditing Events
     ● File access
     ● System calls
     ● Commands run
     ● Failed logins
     ● Firewall changes
  29. Auditd - Red Hat Examples
     File system changes: auditctl -w /etc/passwd -p wa -k passwd_changes
     File execution: auditctl -w /sbin/insmod -p x -k module_insertion
     System call: auditctl -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time_change
  30. Auditd - Utilities
     ausearch - query the audit logs for events
     aureport - show an overview of the audited events
  31. Services
  32. SSHD
     The SSH service (SSH daemon)
     Config located in /etc/ssh/sshd_config
     Restart ssh or sshd after every change to the config file
  33. SSHD Config
     After opening the sshd config:
     PermitRootLogin no                          # stops root logins over ssh
     PubkeyAuthentication yes                    # use key authentication for ssh logins
     AuthorizedKeysFile .ssh/authorized_keys     # file to check for public keys
     PasswordAuthentication no                   # disable password login
     PermitEmptyPasswords no                     # no empty passwords
     UsePAM yes                                  # use PAM settings
  34. Firewall
  35. iptables
     iptables lets you set firewall rules throughout the system, opening and closing ports
     It also lets you block or allow specific IP addresses
     For security, open only the IP addresses and ports that are needed; unused ports should not be left open
  36. Firewalld and UFW
     Both programs interface with iptables and write to its ruleset but are easier to use
     Firewalld - acts like an API over iptables to add/remove/view rules; default in CentOS/Fedora
     UFW - full GUI built to be used standalone but uses iptables to add/remove/view rules; default in Ubuntu
  37. Firewalld / firewall-cmd
     Start on boot = sudo systemctl enable firewalld
     Start in session = sudo systemctl start firewalld
     Status = sudo firewall-cmd --state
     Add rule = firewall-cmd --zone=public --add-service=https --permanent (https or any other service; --permanent if you want the rule to persist)
     Reload rules = firewall-cmd --reload
  38. UFW
     Start = ufw enable
     Check status = ufw status
     Allow port = ufw allow 22 || ufw allow 22/tcp
     Deny rule = ufw deny 22 || ufw deny 22/tcp
  39. Intrusion Detection
  40. AIDE - Linux Configuration
     Linux is primarily configured through text files
     Users - /etc/passwd
     Passwords - /etc/shadow
     Authentication - /etc/pam.d/*
  41. Advanced Intrusion Detection Environment
     Stores the file system state and compares it on subsequent runs
  42. AIDE - Cron checking
     Running AIDE in check mode from a cron job can quickly detect configuration changes
     Cron can send email on task failure
  43. Compliance
  44. Compliance
     Corporate standards
     Legal standards (PCI, FIPS)
  45. Security Content Automation Protocol
     NIST standard that allows automated configuration of a secure environment
     Linux implementation - OpenSCAP
     GUI - SCAP Workbench
  46. OpenSCAP
  47. Linux Security Crash Course
     1. Authentication: a. PAM
     2. Authorization: a. sudo, b. setuid & setgid, c. capabilities, d. ACL
     3. Audit: a. auditd
     4. Services: a. sshd
     5. Firewall: a. iptables, b. firewalld
     6. Intrusion Detection: a. AIDE
     7. Compliance: a. OpenSCAP
  48. Further reading
     SELinux
     AppArmor
  49. Get in touch with us
     Mailing List - Sign in and check “Add to Mailing List”
     Website -
     Slack - #csg on
     Email -
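The control-flag rules on the PAM - Controls slide (slide 9), as an added example that is not part of the original deck or of Linux-PAM: a small simulator that evaluates a constructed system-auth style stack under those rules, including the lockout misconfiguration mentioned on the PAM - Malicious Uses slide. The module names and their pass/fail outcomes are constructed for the example.

```python
# Added example, not from the slides or Linux-PAM: simulate how the four
# control flags combine the results of a constructed /etc/pam.d stack.
def evaluate_stack(stack, results):
    """stack: (control, module) pairs in file order; results: module -> bool."""
    failed = False        # a 'required' module failed: remembered until the end
    decided = False       # a required/requisite module produced a result
    optional_ok = None    # result of an 'optional' module, if one ran
    for control, module in stack:
        ok = results[module]
        if control == "requisite":
            if not ok:
                return False          # fail immediately, later modules never run
            decided = True
        elif control == "required":
            if not ok:
                failed = True         # keep running so the failing step is not revealed
            decided = True
        elif control == "sufficient":
            if ok and not failed:
                return True           # no prior failure: stack succeeds right here
            # a failing 'sufficient' module is simply ignored
        elif control == "optional":
            optional_ok = ok          # only matters if nothing else decides
        else:
            raise ValueError(f"unsupported control flag: {control}")
    if failed:
        return False
    if decided:
        return True
    if optional_ok is not None:
        return optional_ok            # stack held only optional modules
    return False                      # only failing 'sufficient' modules ran

# Constructed stack modelled on the 'auth' section of a typical system-auth.
SYSTEM_AUTH = [
    ("required",   "pam_env"),
    ("required",   "pam_faildelay"),
    ("sufficient", "pam_unix"),        # password OK -> done, pam_deny never runs
    ("requisite",  "pam_succeed_if"),  # e.g. uid >= 1000, otherwise stop at once
    ("required",   "pam_deny"),        # always fails: catch-all at the bottom
]
# Lockout misconfiguration: with pam_unix 'required' instead of 'sufficient',
# 'required pam_deny' always runs, so every login fails even with a good password.
LOCKED_OUT = [("required" if m == "pam_unix" else c, m) for c, m in SYSTEM_AUTH]

def login_attempt(unix_ok, succeed_if_ok=True, stack=SYSTEM_AUTH):
    """One simulated login; pam_unix (password) and pam_succeed_if outcomes vary."""
    results = {"pam_env": True, "pam_faildelay": True, "pam_unix": unix_ok,
               "pam_succeed_if": succeed_if_ok, "pam_deny": False}
    return evaluate_stack(stack, results)
```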
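A defender's check for the settings on the SSHD Config slide (slide 33), added here and not taken from the deck or from OpenSSH: it parses an sshd_config fragment (the sample below is constructed) using sshd's first-occurrence rule and reports every directive that is weak or left unset.

```python
# Added example, not from the slides or OpenSSH: check an sshd_config against
# the hardened values the "SSHD Config" slide sets.  The sample is constructed.
import re

EXPECTED = {                       # keyword -> value; sshd keywords are case-insensitive
    "permitrootlogin": "no",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "usepam": "yes",
}

def parse_sshd_config(text):
    """Map keyword -> value for the global section of an sshd_config.
    sshd honours the FIRST occurrence of a keyword, so later duplicates are
    ignored; parsing stops at the first Match block, whose directives apply
    only conditionally (a simplification for this example)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)                # first occurrence wins
    return settings

def audit_sshd_config(text):
    """Return (keyword, found, expected) for each directive that is weak or unset."""
    found = parse_sshd_config(text)
    return [(key, found.get(key, "<unset>"), want)
            for key, want in EXPECTED.items()
            if found.get(key, "<unset>").lower() != want]

SAMPLE_CONFIG = """\
# constructed sshd_config fragment
Port 22
PermitRootLogin yes
PermitRootLogin no        # ignored: sshd keeps the first value seen
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
UsePAM yes
Match User backup
    PasswordAuthentication no
"""
```

On a live host, `sshd -T` prints the effective configuration with compiled-in defaults filled in, which is a better input for the same check than the raw file.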