Building a Hardened Customised Linux Operating System
Presented by: Vinayak Wadhwa
M.Tech. IS (4th Semester)
01310100814
Thesis Presentation
Ambedkar Institute of Advanced Communication Technologies and Research
Geeta Colony, Delhi-110031
Mentor: Mrs. Bharti Nagpal
Assistant Professor
AIACTR
About Me
Hello, this is Mr. Vinayak Wadhwa, M.Tech, AIACT&R.
Today I will be presenting my research work on hardening and building a custom Linux-based operating system. What Linux offers is flexibility, and it is entirely up to the user to configure and create a secure environment to work in. This creates a need for an ordinary student or user to know how to configure security in Linux. My research aimed at developing an operating system that is pre-configured and pre-patched against all the known and future threats to Linux operating systems. This OS is named 'HCLOS'. It is currently in the testing phase.
Vinayak Wadhwa, Research Student
Table of Contents
• Introduction
• Literature Survey
• Proposed Work
• Problem Formulation
• Result and Analysis
• Future Scope
• References
INTRODUCTION
Principles of HCLOS Security
• Know your enemies
• Protection is key, detection is a must
• Defence in depth
• Principle of least privilege
• Know your system
LITERATURE SURVEY
• 2011: Linux kernel vulnerabilities: State-of-the-art defenses and open problems. In Proceedings of the Second Asia-Pacific Workshop on Systems. ACM [1]
• 2011: Faults in Linux: Ten years later. In Proc. Int'l Conf. Architectural Support for Programming Languages and Operating Systems (ASPLOS), pages 305–318. ACM Press [2]
• 2013: Advanced Linux Security. In American Journal of Engineering Research (AJER) [3]
• 2013: 25 Years of Vulnerabilities: 1988-2012. Sourcefire Corp., 2013 [4]
• 2014: Overview of Linux Vulnerabilities. In 2nd International Conference on Soft Computing in Information Communication Technology. Atlantis Press [5]
LINUX VULNERABILITIES
SOME IMPORTANT FACTS
Vulnerabilities by year (CVE database, 1988-2015)
[Chart: vulnerability counts for Red Hat, SUSE, Gentoo, Ubuntu, Mac OS X, Windows XP, Chrome, Linux Kernel, Internet Explorer and Firefox]
SOME IMPORTANT FACTS
[Charts: vulnerabilities in Linux distributions; top vulnerabilities classified in [5]]
PROPOSED METHODOLOGY
HCLOS DEVELOPMENT FLOWCHART
Security Checklist
This checklist is our problem formulation and will be used to validate the implementation.
S. No. | Security Classification | Short Description | Tick
1 | Boot Loader Security | Additional layer of security for bootloader access, secure configuration of boot files, etc. |
2 | Kernel Security | Configure kernel compile-time parameters for security. |
3 | Password Security and Encryption | Ensuring password strength, password policies, pluggable USB authentication, restricting old or empty passwords, etc. |
4 | File System Security | Limiting filesystem, umask configuration, administering the filesystem, minimisation of packages, etc. |
5 | Network Security | Packet sniffers, iptables firewalling, anti port scanning and maintaining anonymity. |
6 | Security Preparedness | Data backups, backup encryption, log monitoring tools, etc. |
7 | Intrusion Detection | Auditd and NIDS, etc. |
8 | Cryptovirus Protection | Crypdef service. |
9 | Other Necessary Security Elements | SELinux patches, TrueCrypt, Nmap and other tools. |
PROBLEM FORMULATION
Hardening of Custom Linux Distribution
The following eight elements of security were implemented thoroughly in HCLOS.
BOOTLOADER SECURITY
• Additional layer of security
• Secure boot configuration
• Physical security
NETWORK SECURITY
• Packet sniffers
• TCP Wrapper
• Network parameters
• Limiting system services
• IP tables
• Network scanners
• Anti port scanners
• Anonymous browsing
KERNEL SECURITY
• Kernel compilation options
SECURITY PREPAREDNESS
• Full data backup
• Disable USB detection
• Backup encryption
• Logspot tool
PASSWORD SECURITY
• Password policies
• Password strength
• Password logging
• Indirect root login
• PAM USB
• Restrict old passwords
• Restrict empty passwords
HCLOSADMIN
• List all current listening ports
• List all current services
• Turn off dangerous network services
• Check users with empty passwords
FILE SYSTEM SECURITY
• Limiting filesystem
• hclosADMTracker
• umask configuration
• Integrity checking
• Minimisation of packages
• Configure /boot
CRYPDEF
• Anti-cryptovirus shell scripts
BOOTLOADER SECURITY
Exploits faced:
• init=/bin/bash vulnerability
• Recovery CD bypass
• Hardware bypass
1. Additional layer of security: a SHA-512 hashed password is generated and configured as entry-level access control to the bootloader, ensuring that no unauthorised person can bypass the HCLOS login.
2. Secure boot configuration: for this, the BIOS settings are configured to set the main hard disk as the only boot option.
3. Physical security recommended: security is incomplete without physical security, hence alarms/tripwires need to be implemented.
KERNEL SECURITY
During kernel compilation there are certain options that are otherwise ignored; these were configured in HCLOS.
1. Enabled security options:
[*] Enable different security models
[*] Default Linux Capabilities
2. The following options were also configured:
• Network Firewalls (CONFIG_FIREWALL)
This option should be on if you intend to run any firewalling or masquerading on your Linux machine. In HCLOS it is configured to be on.
• IP: syn cookies (CONFIG_SYN_COOKIES)
A "SYN attack" is a denial of service (DoS) attack that consumes all the resources on your machine, forcing you to reboot. I can't think of a reason you wouldn't normally enable this.
• IP: firewall packet logging (CONFIG_IP_FIREWALL_VERBOSE)
This option gives you information about packets your firewall received, like sender, recipient, port, etc.
• IP: Drop source routed frames (CONFIG_IP_NOSR)
This option should be enabled. Source routed frames contain the entire path to their destination inside the packet. This means that routers through which the packet passes do not need to inspect it and just forward it on. This could lead to data entering your system that may be a potential exploit.
• Packet Signatures (CONFIG_NCPFS_PACKET_SIGNING)
This option, available in HCLOS, signs NCP packets for stronger security.
PASSWORD SECURITY
Exploits faced:
• Credential cracking
• Privilege escalation
• Brute force
• Shoulder surfing
• Weak passwords
1. Strong password policies
2. Password strength
3. Password logging
4. Indirect root login
5. Pluggable Authentication Module USB
6. Restrict old passwords
7. Restrict empty passwords
1. Strong Password Policies
Strong password policies are framed for our custom Linux distribution keeping in mind the following parameters:
• Validity: number of days a password is valid
• Life: minimum number of days between changes of password
• Expiry warning: number of days before expiry that a warning is shown
[Screenshots: before / after in HCLOS]
2. PASSWORD STRENGTH
To increase password strength the default configuration is altered, so that only a highly secure password is accepted from the user.
• Limiting attempts: only 3 attempts are allowed
• Minimum length: minimum length of password is 8 characters
• Different passwords: old and new password must differ by three characters
• Mandatory characters: there must be one uppercase, one lowercase, one non-alphanumeric/special, and one numerical character
[Screenshots: before / after in HCLOS]
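As an added example (not HCLOS code and not a screenshot from the deck), the following shell script applies the four rules above to a candidate password change and prints the PAM line that enforces the same policy. The slide does not say which PAM module HCLOS alters, so the pam_pwquality module name and its option values are an assumption of mine; the sample passwords are constructed.

```shell
#!/bin/sh
# Added example, not HCLOS code: a checker for the four strength rules on the
# slide (minimum 8 characters, four mandatory character classes, at least three
# characters of the new password absent from the old one) plus the
# pam_pwquality line that expresses them.  Sample passwords are constructed.

# Number of characters in NEW that occur nowhere in OLD.  This is the "difok"
# measure pam_cracklib/pam_pwquality use for "differ by N characters".
# (awk -v interprets backslashes, which is fine for these samples.)
chars_not_in_old() {            # chars_not_in_old <old> <new>
    awk -v o="$1" -v n="$2" 'BEGIN {
        c = 0
        for (k = 1; k <= length(n); k++) if (index(o, substr(n, k, 1)) == 0) c++
        print c
    }'
}

# Verdict for a password change: prints "ok" or the first rule it fails.
password_meets_policy() {       # password_meets_policy <old> <new>
    old=$1 new=$2
    [ "${#new}" -ge 8 ] || { echo "too short"; return 1; }
    # one uppercase, one lowercase, one digit, one non-alphanumeric
    for class in '[[:upper:]]' '[[:lower:]]' '[[:digit:]]' '[^[:alnum:]]'; do
        printf '%s' "$new" | grep -q "$class" || { echo "missing character class"; return 1; }
    done
    [ "$(chars_not_in_old "$old" "$new")" -ge 3 ] || { echo "too similar to old"; return 1; }
    echo ok
}

# The /etc/pam.d/common-password line enforcing the same policy with
# pam_pwquality (assumed module): retry=3 caps attempts, negative credits make
# each character class mandatory rather than merely rewarded.
pwquality_line() {
    echo 'password requisite pam_pwquality.so retry=3 minlen=8 difok=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1'
}

# Constructed demonstration run
password_meets_policy 'OldPass1!' 'OldPass2!'
password_meets_policy 'OldPass1!' 'Zq7#mxyP9'
pwquality_line
```

The difok count above follows pam_cracklib's definition, which is what "differ by three characters" means to that module; the real module additionally rejects palindromes and case-only changes of the old password, which this checker does not model.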
3. PASSWORD LOGGING
Audit trails are maintained and all necessary changes to passwords are logged in HCLOS.
• Creation of log file
• Linking PAM to the log
[Screenshots: log file creation; log configuration in HCLOS]
4. INDIRECT ROOT LOGIN
Disabling direct root login enables better tracking of any privilege escalation scenario.
• Configure all PAM files
• Mark securetty null
[Screenshots in HCLOS]
2. Append logging parameters in the /etc/pam.d file.
Fig. 13. Modification of PAM for password logging.
3.2.5.3.4 Indirect root login
Disallowing direct root login enables audit trails that show which local user gained privileges, and hence is very useful in tracking. Also, we don't want any intruder to gain privileges directly from an unprivileged account. Thus, to ensure that only local users can gain privileges, I have done the following:
1. Ensure all the PAM configuration files, even the ones used for the display manager, have the following line in their configuration. Examples of such files are /etc/pam.d/login.defs and /etc/pam.d/gdm-password.
Configuration line (a leading # would comment it out, so it is written without one):
auth required /lib/security/pam_securetty.so
2. Now specify that no device is authenticated for root login by making 'securetty' null.
Command:
# echo "null" > /etc/securetty
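An added check (not HCLOS code) for the two settings just described, run against copies of the files so it needs no root; the sample files are constructed. One caveat worth knowing: pam_securetty allows root on every tty when /etc/securetty is missing entirely, so the file must exist and simply list no usable terminal, which is what writing "null" into it achieves. The module also governs only terminal logins; root over SSH is decided by sshd's PermitRootLogin.

```shell
#!/bin/sh
# Added example, not HCLOS code: audit whether direct root login at a terminal
# is blocked as the text describes.  Both paths are parameters so the check can
# run on copies of the files.
set -u

# 1. Does a PAM service file require pam_securetty in its auth stack?
pam_requires_securetty() {      # pam_requires_securetty <pam-service-file>
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+(/lib/security/)?pam_securetty\.so' "$1"
}

# 2. How many usable tty names does a securetty file list?  Comments and blank
#    lines are ignored, as is the literal "null" the text writes into the file.
securetty_usable_ttys() {       # securetty_usable_ttys <securetty-file>
    grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -cvx 'null' || true
}

# Verdict for one PAM service.  A missing securetty file is reported as open
# because pam_securetty then allows root from any tty.
root_tty_login_state() {        # root_tty_login_state <pam-service-file> <securetty-file>
    pamfile=$1 stty=$2
    [ -f "$stty" ] || { echo "open (securetty missing)"; return; }
    pam_requires_securetty "$pamfile" || { echo "open (pam_securetty not required)"; return; }
    n=$(securetty_usable_ttys "$stty")
    [ "$n" -eq 0 ] && echo blocked || echo "open ($n ttys allowed)"
}

# Constructed sample files (not copied from any real system).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf 'auth required pam_securetty.so\nauth include common-auth\n' > "$SAMPLE_DIR/login.hardened"
printf 'auth include common-auth\n' > "$SAMPLE_DIR/login.stock"
printf '# stock securetty\nconsole\ntty1\ntty2\n' > "$SAMPLE_DIR/securetty.stock"
printf 'null\n' > "$SAMPLE_DIR/securetty.hclos"

root_tty_login_state "$SAMPLE_DIR/login.hardened" "$SAMPLE_DIR/securetty.hclos"
root_tty_login_state "$SAMPLE_DIR/login.hardened" "$SAMPLE_DIR/securetty.stock"
```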
3.2.5.3.5 Pluggable Authentication Module USB
Linux distributions ship with a unified authentication mechanism known as 'Pluggable Authentication Modules' (PAM). This framework helps in configuring authentication methods and criteria. One more enhancement to securing the system is to introduce a second factor of authentication using this module.
Passwords fall under the category of 'something you know'; linking them with 'something you possess' increases the number of authentication factors. This possession can be any physical device that has a unique identifier attached to it. For this purpose a PAM device is configured. It is a USB device, distributed along with HCLOS, that serves as a primary authentication device to log in to the system or gain super-user privileges. To set up this two-factor authentication, follow these steps:
1. Installation of PAM modules
5. PLUGGABLE AUTHENTICATION MODULE USB
This adds another layer of security by requiring smart-token authentication to log in to the OS or to gain privileges.
• Creating device: devices are registered first, based on their UUID and serial numbers
• Registering users: users are registered for a particular device
• Configuring PAM into the system: PAM USB is configured with the 'required' control, making it necessary to have both the device and the password for authentication
[Screenshots: login with USB / without USB]
6. RESTRICTING EMPTY PASSWORDS
Empty passwords are a clue towards unauthorised access to the system, so in HCLOS they are restricted.
HCLOSADMTRACKER: this is a tool made specially for HCLOS that helps the user/consumer monitor their system. One of its options is to check for and remove all accounts with empty passwords.
FILESYSTEM SECURITY
Needs to be addressed:
• Review Trojan horses
• Review unowned files
• Review SUID/SGID processes
• Integrity checking
• Protection of important directories
• Configuring umask
1. Limiting file system
2. hclosAdmTracker: HCLOS admin tool
3. umask configuration
4. Integrity checking (checks integrity of files)
5. Minimisation of packages (reduce the number of modules)
6. Configuration of /boot (make it read-only)
1. LIMITING FILESYSTEM
Limiting the number of processes per user can be useful for giving users only the required rights over processing.
Resource limitation: new users are prohibited from creating core files, the number of processes is limited to 40 and memory to 4 MB per user.
3.2.5.4 File System Security
Preparation before an attack is a must, and securing the file system ensures that an attacker does not get a chance to exploit any vulnerable loophole in the system. Correctly configured access control and properly managed admin logs can deter any attacker. What we have to address while securing the file system:
1. Review if any Trojan horses are installed
2. Review if any unowned files exist
3. Review if any .rhosts files are present
4. Review for SUID and SGID processes running
5. Integrity checking of important binaries
6. Protect start-up files, audit trails and security logs
7. Configuration of default protection for new file creation
Keeping in mind the above-mentioned problems, the following features were implemented in HCLOS:
3.2.5.4.1 Limiting File System
By limiting the file system I mean limiting the number of open files and processes for a user. The default value is unlimited. This can be configured for single users or a group. This is done using the resource-limits PAM module and /etc/pam.d/limits.conf. A sample configuration is:
@commonusers hard core 0
@commonusers hard nproc 40
@commonusers hard rss 4000
This says to prohibit the creation of core files, restrict the number of processes to 40, and restrict memory usage per user to 4 MB.
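As an added example (not HCLOS code), here is a lookup of what a limits.conf-style file grants for a domain, run over a constructed copy of the three lines above, plus a check for the one item among them that the kernel does not enforce: RLIMIT_RSS has had no effect on Linux since 2.4.30 (see setrlimit(2)), so "rss 4000" caps nothing, and an "as" (address space, in KB) line is what actually bounds memory. The stock location of this file is /etc/security/limits.conf. The lookup takes the last matching line for a domain/item pair; the precedence rules for mixed user and group entries are in pam_limits(8) and are not modelled here.

```shell
#!/bin/sh
# Added example, not HCLOS code: read back the limits a limits.conf-style file
# sets for a domain (user name, @group or *), and flag rss lines, which
# pam_limits accepts but the kernel has not enforced since 2.4.30.
# "-" in the type column sets hard and soft at once, so it counts as hard here.
limits_hard_value() {           # limits_hard_value <file> <domain> <item>
    awk -v d="$2" -v i="$3" '
        /^[[:space:]]*(#|$)/ { next }                       # skip comments, blanks
        $1 == d && ($2 == "hard" || $2 == "-") && $3 == i { v = $4 }
        END { print (v == "" ? "unset" : v) }' "$1"
}

# Every domain that relies on rss for its memory cap; "as" is the enforced
# replacement (address-space limit in KB).
limits_unenforced() {           # limits_unenforced <file>
    awk '!/^[[:space:]]*(#|$)/ && $3 == "rss" { print $1 "/rss (not enforced, use as)" }' "$1"
}

# Constructed sample reproducing the three lines from the text plus a soft limit.
SAMPLE_LIMITS=$(mktemp)
trap 'rm -f "$SAMPLE_LIMITS"' EXIT
cat > "$SAMPLE_LIMITS" <<'EOF'
# constructed sample in limits.conf syntax
@commonusers hard core 0
@commonusers hard nproc 40
@commonusers hard rss 4000
@commonusers soft nproc 20
EOF

limits_hard_value "$SAMPLE_LIMITS" @commonusers nproc
limits_unenforced "$SAMPLE_LIMITS"
```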
3.2.5.4.2 hclosAdmTracker: HCLOS tool
One potential way for a user to escalate privileges on a system is to exploit a vulnerability in an SUID or SGID program. SUID and SGID are legitimately used when programs need special permissions above and beyond those available to the user who is running them. Therefore, these programs should be monitored and any suspicious program must have its privileges revoked.
Another class of executable that can be vulnerable is world-writable files; these files grant all permissions to all users, hence anybody can read, modify or execute them. Moreover, world-writable directories allow anyone to add or delete files in them. Attackers can take advantage of such directories, hence they also need to be monitored.
There may be certain files in your system that are unowned. These files may indicate suspicious activity, as they do not belong to any user and were possibly created by an unprivileged user.
2. HCLOSADMTRACKER
This is an all-in-one tool for monitoring the various files that matter for security. It is made specially for HCLOS and helps the user/consumer monitor their system: SGID/SUID files, unowned files and .rhosts files can be tracked. Further options to check for empty passwords and listening ports are also present.
3. UMASK CONFIGURATION
The umask determines the default permissions for a new file.
• Default root umask: 077 is the default umask configured in HCLOS
• Resulting new file mode: new files are given 644 permissions because of the above umask
[Screenshots]
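An added example (not part of the deck) that computes the mode a new file or directory receives under a given umask, which is worth checking against the two statements above: the kernel masks 0666 for regular files and 0777 for directories, so umask 077 produces 600 for files and 700 for directories, while 644 is the result of umask 022.

```shell
#!/bin/sh
# Added example, not HCLOS code: mode arithmetic for umask.  The kernel clears
# the umask bits from 0666 (regular files) or 0777 (directories); the octal
# strings below are the only inputs.
mode_after_umask() {            # mode_after_umask <umask-octal> file|dir
    case $2 in
        file) base=$(printf '%d' 0666) ;;
        dir)  base=$(printf '%d' 0777) ;;
        *)    echo "usage: mode_after_umask <umask> file|dir" >&2; return 2 ;;
    esac
    um=$(printf '%d' "0$1")     # leading 0 makes printf parse the value as octal
    printf '%04o\n' $(( base & ~um ))
}

# Inverse question: the smallest umask that turns the default 0666 into the
# wanted file mode (any umask with more bits set also works, e.g. 077 for 600).
umask_for_file_mode() {         # umask_for_file_mode <mode-octal>
    want=$(printf '%d' "0$1")
    printf '%03o\n' $(( $(printf '%d' 0666) & ~want ))
}

mode_after_umask 077 file       # 0600: what umask 077 really gives a new file
mode_after_umask 077 dir        # 0700
umask_for_file_mode 644         # 022: the umask that yields 644
```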
NETWORK SECURITY
1. Avoiding packet sniffers
2. TCP Wrappers
3. Network parameters
4. Limiting system services
5. IP tables
6. Network scanners
7. Anti port scanners
8. Anonymous browsing
1. AVOIDING PACKET SNIFFERS
Avoiding sniffers can be effective even if the system is compromised, as crucial information is still hidden.
SSH: to defeat these sniffers, secure shell is used for encryption of passwords. SSH v2 is used, the default port is changed, and root access is disallowed after configuration.
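An added audit script (not HCLOS code) that reads back the three settings this slide changes from a copy of sshd_config. The sample files are constructed, and the port 2222 in them is a placeholder for whatever port HCLOS uses. Two details of how sshd reads its file matter for such a check: the first value of a repeated keyword wins, and directives after a "Match" line apply only conditionally, so the lookup stops there. On OpenSSH 7.4 and later the server speaks only protocol 2, so a "Protocol 2" line is harmless but no longer does anything.

```shell
#!/bin/sh
# Added example, not HCLOS code: report sshd_config's protocol, port and root
# login settings the way sshd itself resolves them (first match wins, nothing
# below a Match block counts), then list findings against the slide's targets.
sshd_setting() {                # sshd_setting <file> <keyword> <default>
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" -v def="$3" '
        /^[[:space:]]*(#|$)/ { next }                 # comments and blanks
        tolower($1) == "match" { exit }               # conditional section: stop
        tolower($1) == key && !found { print $2; found = 1 }
        END { if (!found) print def }' "$1"
}

# PermitRootLogin defaults to prohibit-password on OpenSSH 7.0+ (older
# releases defaulted to yes); Port defaults to 22.
sshd_hardening_report() {       # sshd_hardening_report <file>
    port=$(sshd_setting "$1" Port 22)
    root=$(sshd_setting "$1" PermitRootLogin prohibit-password)
    proto=$(sshd_setting "$1" Protocol 2)
    findings=
    [ "$port" != 22 ] || findings="$findings default-port"
    [ "$root" = no ] || findings="$findings root-login-not-no"
    case $proto in *1*) findings="$findings protocol-1-enabled" ;; esac
    echo "port=$port permitrootlogin=$root protocol=$proto${findings:+ findings:$findings}"
}

# Constructed sample files (not from any real host).
SSHD_SAMPLES=$(mktemp -d)
trap 'rm -rf "$SSHD_SAMPLES"' EXIT
# A stock-looking file: everything commented out, so defaults apply.
printf '#Port 22\n#PermitRootLogin prohibit-password\n' > "$SSHD_SAMPLES/stock"
# An HCLOS-style file: the second PermitRootLogin and the Match block are ignored.
printf 'Protocol 2\nPort 2222\nPermitRootLogin no\nPermitRootLogin yes\nMatch User backup\n  PermitRootLogin yes\n' > "$SSHD_SAMPLES/hardened"

sshd_hardening_report "$SSHD_SAMPLES/stock"
sshd_hardening_report "$SSHD_SAMPLES/hardened"
```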
2. TCP WRAPPERS ACCESS CONTROL
Access control can be achieved with the help of TCP Wrappers, which disable access to services that are TCP Wrapper aware or use tcpd.
3. NETWORK PARAMETERS
Handling SYN flood: this helps by configuring net.ipv4.tcp_max_syn_backlog = 4096, which handles SYN packets better by clearing extraneous packets.
4. LIMITING NETWORK SERVICES
This helps in configuring vulnerable network services.
HCLOSADMTRACKER tools: these help in limiting dangerous network services that authenticate with passwords sent in clear text. Moreover, NFS will be terminated by this.
5. IPTABLES FIREWALL
Pre-configured iptables rules enable better packet handling and intrusion prevention; they are implemented in HCLOS.
• Allow SSH packets: this is necessary to avoid locking yourself out.
• Drop flagless TCP packets: TCP packets with no flags set are dropped.
• Limit new traffic: limit connections for new traffic, enabling protection against DoS attacks.
• Reject SYN flood: limit bursts of new forged SYN packets.
• Reject all XMAS packets: TCP packets with all flags set are dropped.
• Limit smurf packets: ICMP bursts are limited.
• Log everything: logging of all dropped packets.
EXAMPLE OF AN IPTABLES RULE IN HCLOS
This rule limits NEW traffic on port 80 to prevent Denial of Service attacks:
# sudo iptables -A INPUT -p tcp --dport 80 -m state --state NEW \
    -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
Let's break that rule down into intelligible chunks:
-p tcp --dport 80 => specifies traffic on port 80 (normally Apache, but as you can see here I am using nginx).
-m state --state NEW => this rule applies to NEW connections.
-m limit --limit 50/minute --limit-burst 200 -j ACCEPT => this is the essence of preventing DoS. In a nutshell, 200 new connections (packets really) are allowed before the limit of 50 NEW connections (packets) per minute is applied.
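To make the limit/limit-burst semantics concrete, here is an added example (not from HCLOS) that models the limit match as a token bucket and counts how many of a burst of NEW packets the ACCEPT rule above matches. It also prints the DROP rule that has to follow the page's ACCEPT rule, since an ACCEPT rule by itself blocks nothing: packets above the limit simply fall through to the next rule. The arrival times and the companion DROP rule are my construction, and the model (burst tokens to start, refilled at rate/60 per second, capped at burst, one token per matched packet) is a simplification of how xt_limit keeps its credit, not its source.

```shell
#!/bin/sh
# Added example, not HCLOS code: token-bucket model of "-m limit --limit R/minute
# --limit-burst B".  Reads one arrival time (seconds, ascending) per line on
# stdin and prints how many of those packets the rule matches.
limit_matches() {               # limit_matches <rate-per-minute> <burst>
    awk -v rate="$1" -v burst="$2" '
        BEGIN { tokens = burst; prev = 0; matched = 0 }
        {
            tokens += ($1 - prev) * rate / 60       # refill for elapsed time
            if (tokens > burst) tokens = burst      # bucket never exceeds burst
            prev = $1
            if (tokens >= 1) { tokens -= 1; matched++ }
        }
        END { print matched }'
}

# n NEW packets arriving in the same instant (constructed scenario).
burst_matches() {               # burst_matches <n> <rate-per-minute> <burst>
    awk -v n="$1" 'BEGIN { for (i = 0; i < n; i++) print 0 }' | limit_matches "$2" "$3"
}

# The rule pair that actually implements the limit: what the ACCEPT rule does
# not match reaches the DROP rule behind it.
http_ratelimit_rules() {
    cat <<'EOF'
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j DROP
EOF
}

# With the page's numbers: 250 packets at once, only the burst of 200 is accepted.
burst_matches 250 50 200
# 60/minute with burst 3: five at t=0, two at t=1, one at t=5 -> 3 + 1 + 1 matched.
printf '0\n0\n0\n0\n0\n1\n1\n5\n' | limit_matches 60 3
http_ratelimit_rules
```

On current iptables releases the state match is written -m conntrack --ctstate NEW; the limit semantics shown here are unchanged.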
6. NETWORK VULNERABILITY SCANNERS
These scanning tools are pre-installed in HCLOS for reference.
• NIKTO: open source; it checks the whole system for vulnerabilities.
• VEGA: helps in validating SQL injection, XSS, etc.
7. PORT SCAN ACTIVE DETECTION
PSAD: this module is a behavioural IDPS which creates iptables rules automatically by observing traffic. Danger levels are configured for monitoring bursts of packets, according to which particular IPs are blocked. This detects aggressive Nmap scans and blacklists the source IP.
8. ANONYMOUS BROWSING
Onion browsing: for this purpose the onion routing protocol is used; Tor is pre-installed and configured in HCLOS. This peer-to-peer anonymous network provides a sufficiently secure communication path and avoids direct linkage with any server.
SECURITY PREPAREDNESS
1. Backup encryption
2. Logspot tool
1. BACKUP ENCRYPTION
Backing up and encrypting the backup is easy in HCLOS, as custom commands are built in.
• Generation of RSA key pair: RSA keys are generated with OpenSSL.
• Encryption script: the encryption command backs up the home directory and encrypts it.
• Decryption script: this decrypts the home directory and replaces the original one when required.
[Screenshots: encryption script; decryption script]
2. LOGSPOT TOOL
This tool is a one-stop place for all logs to be monitored; users can easily manage their logs here. All logs are aggregated in this tool, as shown in the diagram.
[Screenshot: Logspot]
CRYPDEF
1. Script for detection
2. Running the script as a cron job
3. Script for removal of the crypto virus
4. Automated deployment on detection
RESULTS, ANALYSIS AND DISCUSSION
Security Checklist EVALUATION
S. No. | Security Classification | Short Description | Tick
1 | Boot Loader Security | Additional layer of security for bootloader access, secure configuration of boot files, etc. | DONE
2 | Kernel Security | Configure kernel compile-time parameters for security. | DONE
3 | Password Security and Encryption | Ensuring password strength, password policies, pluggable USB authentication, restricting old or empty passwords, etc. | DONE
4 | File System Security | Limiting filesystem, umask configuration, administering the filesystem, minimisation of packages, etc. | DONE
5 | Network Security | Packet sniffers, iptables firewalling, anti port scanning and maintaining anonymity. | DONE
6 | Security Preparedness | Data backups, backup encryption, log monitoring tools, etc. | DONE
7 | Intrusion Detection | Auditd and NIDS, etc. | DONE
8 | Cryptovirus Protection | Crypdef service. | DONE
9 | Other Necessary Security Elements | SELinux patches, TrueCrypt, Nmap and other tools. | DONE
NETWORK SCANNING
S. No. | Machine Name | DHCP Address
1 | Ubuntu 16.04 LTS | 192.168.1.38
2 | Mac OSX El Capitan v10.11 | 192.168.1.36
3 | Windows 10 | 192.168.1.41
4 | HCLOS | 192.168.1.40
Original system | Fingerprint detected by Network Mapper (Nmap) | Match percentage
Ubuntu | Linux 2.6.17 | 100%
Windows 10 | Microsoft Windows 8 | 93%
Mac OSX | Apple OSX 10.7-10 | 100%
HCLOS | Not identified | 0%
These are the Network Mapper results, obtained by doing an intensive scan with OS detection. HCLOS was not identified by Nmap.
NETWORK SCANNING
[Screenshots: iptables before attack / iptables after attack]
These results show PSAD in action, actively blocking the malicious IP.
AUDITING
The table below gives the summary of the audit reports:
Table 3. Comparison of Lynis audit report summary for HCLOS and Ubuntu
Audit Category | Ubuntu 16.04 Hardening Index | Ubuntu No. of Tests | HCLOS Hardening Index | HCLOS No. of Tests
Accounting | 6 | 14 | 94 | 18
Authentication | 10 | 32 | 92 | 33
File Permissions | 3 | 10 | 97 | 11
Logging | 12 | 25 | 97 | 26
Kernel Hardening | 26 | 11 | 78 | 12
Firewalling | 15 | 14 | 95 | 11
Networking | 1 | 19 | 95 | 20
Hardening | 1 | 13 | 90 | 14
Average | 9.25% | Total tests = 138 | 92.25% | Total tests = 145
This is also represented graphically:
[Chart: Comparison of hardening between HCLOS and Ubuntu with the Lynis auditing index]
This table shows the number of auditing tests performed and their index per category for HCLOS and Ubuntu.
AUDITING
The result is presented graphically here:
[Chart]
This concludes that there is approximately an 83% difference in the hardening of the two systems, showing that our HCLOS is far more secure than a normal Ubuntu distribution.
DENIAL OF SERVICE ATTACK
To test and verify network hardening in HCLOS, we use the Apache benchmarking tool. 'ab' is a tool for benchmarking your Apache Hypertext Transfer Protocol (HTTP) server. It is designed to give you an impression of how your current Apache installation performs. In particular, it shows how many requests per second your Apache installation is capable of serving. A DoS attack tool, by contrast, performs a denial of service attack by forging packets and continuously bombarding the specified host. Results are shared as follows:
1. Apache Benchmark Test
First case: without any rules (like stock Ubuntu)
# ab -n 100 -c 10 http://hclos_machine_server/
This is ApacheBench, Version 2.3 <$Revision: 655654 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking hclos_machine_server (be patient).....done
Connection Times (ms)
              min  mean [+/-sd] median   max
Connect:      122   129    2.2    128    134
Processing:  1151  1182   19.1   1177   1260
Waiting:      125   132    8.2    128    170
Total:       1280  1310   19.3   1305   1390
Percentage of the requests served within a certain time (ms)
  50%   1305
  66%   1313
  75%   1316
  80%   1321
  90%   1328
  95%   1354
  98%   1386
  99%   1390
 100%   1390 (longest request)
Results:
Requests per second: 7.59 [#/sec]
Total time for requests: 13 seconds
(Data) Transfer rate: 444.98 [Kbytes/sec]
Apache Benchmark Results
Second case: with iptables rules implemented
Benchmarking hclos_machine_server.com (be patient)
...
apr_poll: The timeout specified has expired (70007)
Total of 99 requests completed
Thus it is shown that a minor DoS simulation from Apache Benchmark was detected and stopped at the HCLOS server end.
4.2.4 Cryptoviral Extortion Attack
This attack is mitigated by using a custom detection and removal script written particularly for Linux Encoder. Currently, detection of Zepto- and Locky-based viruses is also supported.
DoS attack tool: it is a benchmarking framework I used to bombard packets onto our HCLOS server. We received a timeout message on our system.
CRYPTOVIRAL EXTORTION ATTACK
We used Zepto and Locky samples to attack the system and were able to detect and mitigate the attacks.
LOGIN BYPASS ATTACK
Trying to bypass login with the init=/bin/bash vulnerability failed, as an additional password was required in HCLOS. However, in Ubuntu I succeeded.
COMPARATIVE ANALYSIS
[Table: comparative analysis between the top ten most used operating systems in the market and our Hardened Customized Linux Operating System (HCLOS)]
REFERENCES
[1] Chen, Haogang, et al. Linux kernel vulnerabilities: State-of-the-art defenses and open problems. Proceedings of the Second Asia-Pacific Workshop on Systems. ACM, 2011.
[2] N. Palix, G. Thomas, S. Saha, C. Calvès, J. Lawall, and G. Muller. Faults in Linux: Ten years later. In Proc. Int'l Conf. Architectural Support for Programming Languages and Operating Systems (ASPLOS), pages 305–318. ACM Press, 2011.
[3] Nimbalkar R, Patel P, Meshram. Advanced Linux Security. American Journal of Engineering Research (AJER), 2013.
[4] Younan Y. 25 Years of Vulnerabilities: 1988-2012. Sourcefire Corp., 2013.
[5] S. Niu, J. Mo, Z. Zhang, and Z. Lv. Overview of Linux Vulnerabilities. In 2nd International Conference on Soft Computing in Information Communication Technology. Atlantis Press, May 2014.
[6] P. E. McKenney and J. Walpole. Introducing technology into the Linux kernel: a case study. ACM SIGOPS Operating Systems Review, 42(5):4–17, 2008.
[7] N. Elhage. CVE-2010-4258: Turning denial-of-service into privilege escalation. http://blog.nelhage.com/2010/12/cve-2010-4258-from-dos-to-privesc/, 2010.
[8] S. A. Mokhov, M.-A. Laverdiere, and D. Benredjem. Taxonomy of Linux kernel vulnerability solutions. Innovative Techniques in Instruction Technology, E-learning, E-assessment, and Education, 2008.
[9] Cisco 2014 Annual Security Report. Cisco, 2014.
[10] Linux. http://en.wikipedia.org/wiki/Linux.
[11] Lyon, Gordon Fyodor. Nmap network scanning: The official Nmap project guide to network discovery and security scanning. Insecure, 2009.
[12] Jung, Sung-Jae, and Kyung Sung. "A Study on the Iptables Ruleset Against DoS Attacks." The Journal of Advanced Navigation Technology 19.3 (2015): 257-263.
[13] Lynis auditing framework. https://cisofy.com/lynis/
[14] Nmap Network Mapper. https://nmap.org/
[15] Wadhwa V., Nagpal B.: Chapter 34. Cryptoviral Extortion: Evolution, Scenarios and Analysis. In: Proceedings of the International Conference on Signal, Networks, Computing, and Systems: Volume 2, Springer India, 2016.
[16] Linux Security Checklist, SANS Institute. https://www.sans.org/media/score/checklists/linuxchecklist.pdf
A few demonstrations:
• init=/bin/bash vulnerability
• PAM USB authentication
• Logspot
• HclosAdmTracker

 
Study notes for CompTIA Certified Advanced Security Practitioner
Study notes for CompTIA Certified Advanced Security PractitionerStudy notes for CompTIA Certified Advanced Security Practitioner
Study notes for CompTIA Certified Advanced Security PractitionerDavid Sweigert
 
Azure Security Best Practises for Enterprises
Azure Security Best Practises for EnterprisesAzure Security Best Practises for Enterprises
Azure Security Best Practises for EnterprisesNuvento Systems Pvt Ltd
 
System security by Amin Pathan
System security by Amin PathanSystem security by Amin Pathan
System security by Amin Pathanaminpathan11
 
Remote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise LinuxRemote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise LinuxGiuseppe Paterno'
 
Dr3150012012202 1.getting started
Dr3150012012202 1.getting startedDr3150012012202 1.getting started
Dr3150012012202 1.getting startedNamgu Jeong
 
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)David Sweigert
 
Unleash the Power: How to Install Kali Linux With a Twist
Unleash the Power: How to Install Kali Linux With a TwistUnleash the Power: How to Install Kali Linux With a Twist
Unleash the Power: How to Install Kali Linux With a TwistFredReynolds2
 
Network Security 2016
Network Security 2016 Network Security 2016
Network Security 2016 Mukesh Pathak
 
Microsoft Offical Course 20410C_12
Microsoft Offical Course 20410C_12Microsoft Offical Course 20410C_12
Microsoft Offical Course 20410C_12gameaxt
 
Creating Secure Applications
Creating Secure Applications Creating Secure Applications
Creating Secure Applications guest879f38
 

Similar to HCLOS.Reduce to 600 dpi average quality (20)

SSecuring Your MongoDB Deployment
SSecuring Your MongoDB DeploymentSSecuring Your MongoDB Deployment
SSecuring Your MongoDB Deployment
 
James Jara Portfolio 2014 - InfoSec White Paper- Part 5
James Jara Portfolio 2014 - InfoSec White Paper- Part 5James Jara Portfolio 2014 - InfoSec White Paper- Part 5
James Jara Portfolio 2014 - InfoSec White Paper- Part 5
 
Chapter 09
Chapter 09Chapter 09
Chapter 09
 
LOUCA23 Yusuf Hadiwinata Linux Security BestPractice
LOUCA23 Yusuf Hadiwinata Linux Security BestPracticeLOUCA23 Yusuf Hadiwinata Linux Security BestPractice
LOUCA23 Yusuf Hadiwinata Linux Security BestPractice
 
Decentralized access control with authentication anonymous of data stored in ...
Decentralized access control with authentication anonymous of data stored in ...Decentralized access control with authentication anonymous of data stored in ...
Decentralized access control with authentication anonymous of data stored in ...
 
Module 17 (novell hacking)
Module 17 (novell hacking)Module 17 (novell hacking)
Module 17 (novell hacking)
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management Program
 
Study notes for CompTIA Certified Advanced Security Practitioner
Study notes for CompTIA Certified Advanced Security PractitionerStudy notes for CompTIA Certified Advanced Security Practitioner
Study notes for CompTIA Certified Advanced Security Practitioner
 
Azure Security Best Practises for Enterprises
Azure Security Best Practises for EnterprisesAzure Security Best Practises for Enterprises
Azure Security Best Practises for Enterprises
 
System security by Amin Pathan
System security by Amin PathanSystem security by Amin Pathan
System security by Amin Pathan
 
Remote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise LinuxRemote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise Linux
 
Dr3150012012202 1.getting started
Dr3150012012202 1.getting startedDr3150012012202 1.getting started
Dr3150012012202 1.getting started
 
Cloud Security_ Unit 4
Cloud Security_ Unit 4Cloud Security_ Unit 4
Cloud Security_ Unit 4
 
Ch11
Ch11Ch11
Ch11
 
Ch11 system administration
Ch11 system administration Ch11 system administration
Ch11 system administration
 
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
 
Unleash the Power: How to Install Kali Linux With a Twist
Unleash the Power: How to Install Kali Linux With a TwistUnleash the Power: How to Install Kali Linux With a Twist
Unleash the Power: How to Install Kali Linux With a Twist
 
Network Security 2016
Network Security 2016 Network Security 2016
Network Security 2016
 
Microsoft Offical Course 20410C_12
Microsoft Offical Course 20410C_12Microsoft Offical Course 20410C_12
Microsoft Offical Course 20410C_12
 
Creating Secure Applications
Creating Secure Applications Creating Secure Applications
Creating Secure Applications
 

HCLOS.Reduce to 600 dpi average quality

  • 1. Building a Hardened Customised Linux Operating System. Presented by: Vinayak Wadhwa, M.Tech. IS (4th Semester), 01310100814. Thesis Presentation, Ambedkar Institute of Advanced Communication Technologies and Research, Geeta Colony, Delhi-110031. Mentor: Mrs. Bharti Nagpal, Assistant Professor, AIACTR.
  • 2. About Me. Hello, this is Mr. Vinayak Wadhwa, M.Tech, AIACT&R. Today I will be presenting my research work on hardening and building a custom Linux based Operating System. What Linux offers is flexibility, and it is totally dependent on the user to configure and create a secure environment to work on. Thus it creates a necessity for a normal student/user to know how to configure security in Linux. My research aimed at development of such an Operating System that is pre-configured and pre-patched for all the known and future threats to Linux Operating Systems. This OS is named 'HCLOS'. It is currently in the testing phase. Vinayak Wadhwa, Research Student.
  • 3. Table of Contents: Introduction; Literature Survey; Proposed Work; Problem Formulation; Result and Analysis; Future Scope; References.
  • 5. Principles of HCLOS Security: Know your enemies; Protection is key, detection is a must; Defence in depth; Principle of least privilege; Know your system.
  • 7. Literature Survey. 2011 – Linux kernel vulnerabilities: State-of-the-art defenses and open problems. In Proceedings of the Second Asia-Pacific Workshop on Systems. ACM. 2013 – Advanced Linux Security. In American Journal of Engineering Research (AJER). 2014 – Overview of Linux Vulnerabilities. In 2nd International Conference on Soft Computing in Information Communication Technology. Atlantis Press. 2011 – Faults in Linux: Ten years later. In Proc. Int'l Conf. Architectural Support for Programming Languages and Operating Systems (ASPLOS), pages 305–318. ACM Press. 2013 – 25 Years of Vulnerabilities: 1988-2012, Sourcefire Corp, 2013.
  • 8. LINUX VULNERABILITIES: SOME IMPORTANT FACTS. Vulnerabilities by year (CVE database, 1988-2015). [Chart]
  • 9. SOME IMPORTANT FACTS. Vulnerabilities in Linux distributions (Red Hat, Suse, Gentoo, Ubuntu) compared with Mac OSX, Windows XP, Chrome, the Linux kernel, Internet Explorer and Firefox. Top vulnerabilities classified in [5]. [Charts]
  • 11. HCLOS DEVELOPMENT FLOWCHART. [Flowchart]
  • 12. Security Checklist. This checklist will be our problem formulation, and will be used to validate our implementation (the Tick column is filled in at evaluation).
    1. Boot Loader Security: additional layer of security for bootloader access, secure configuration of boot files, etc.
    2. Kernel Security: configure kernel compile-time parameters for security.
    3. Password Security and Encryption: ensuring password strength, password policies, pluggable USB authentication, restricting old or empty passwords, etc.
    4. File System Security: limiting filesystem, umask configuration, administering the filesystem, minimisation of packages, etc.
    5. Network Security: packet sniffers, iptables firewalling, anti port scanning and maintaining anonymity.
    6. Security Preparedness: data backups, backup encryption, log monitoring tools, etc.
    7. Intrusion Detection: auditd and NIDS, etc.
    8. Cryptovirus Protection: Crypdef service.
    9. Other Necessary Security Elements: SELinux patches, TrueCrypt, Nmap and other tools.
  • 14. Hardening of Custom Linux Distribution. The following eight elements of security were implemented thoroughly in HCLOS:
    BOOTLOADER SECURITY: Additional Layer of Security; Secure Boot Configuration; Physical Security.
    NETWORK SECURITY: Packet Sniffers; TCP Wrapper; Network Parameters; Limiting System Services; IP Tables; Network Scanners; Anti Port Scanners; Anonymous Browsing.
    KERNEL SECURITY: Kernel Compilation Options.
    SECURITY PREPAREDNESS: Full Data Backup; Disable USB Detection; Backup Encryption; Logspot Tool.
    PASSWORD SECURITY: Password Policies; Password Strength; Password Logging; Indirect Root Login; PAM USB; Restrict Old Passwords; Restrict Empty Passwords.
    HCLOSADMIN: List all current listening ports; List all current services; Turn off dangerous Network Services; Check users with Empty Passwords.
    FILE SYSTEM SECURITY: Limiting Filesystem; hclosADMTracker; umask Configuration; Integrity checking; Minimisation of Packages; Configure /boot.
    CRYPDEF: Anti-Cryptovirus shell scripts.
  • 15. BOOTLOADER SECURITY. Exploits faced: init=/bin/bash vulnerability; Recovery CD bypass; Hardware bypass. Measures: 1. Additional layer of security; 2. Secure boot configuration; 3. Physical security (recommended). For this, BIOS settings are configured to set the main hard disk as the only boot option. This is recommended because security is incomplete without physical security, hence alarms/tripwires need to be implemented. A SHA-512 hashed password is generated and configured as entry-level access control to the bootloader, thus ensuring no unauthorised personnel can bypass the HCLOS login.
  • 16. KERNEL SECURITY. During kernel compilation there are certain options that are otherwise ignored, which I configured in HCLOS.
    1. Enable security options: [*] Enable different security models; [*] Default Linux Capabilities.
    2. The following options were also configured:
    • Network Firewalls (CONFIG_FIREWALL): This option should be on if you intend to run any firewalling or masquerading on your Linux machine. In HCLOS it is configured to be on.
    • IP: syn cookies (CONFIG_SYN_COOKIES): A "SYN attack" is a denial of service (DoS) attack that consumes all the resources on your machine, forcing you to reboot. I can't think of a reason you wouldn't normally enable this.
    • IP: firewall packet logging (CONFIG_IP_FIREWALL_VERBOSE): This option gives you information about packets your firewall received, like sender, recipient, port, etc.
    • IP: Drop source routed frames (CONFIG_IP_NOSR): This option should be enabled. Source routed frames contain the entire path to their destination inside the packet. This means that routers through which the packet goes do not need to inspect it, and just forward it on. This could lead to data entering your system that may be a potential exploit.
    • Packet Signatures (CONFIG_NCPFS_PACKET_SIGNING): This option is available in HCLOS and will sign NCP packets for stronger security.
  • 17. PASSWORD SECURITY. Exploits faced: Credential cracking; Privilege escalation; Brute force; Shoulder surfing; Weak passwords. Measures: 1. Strong Password Policies; 2. Password Strength; 3. Password Logging; 4. Indirect Root Login; 5. Pluggable Authentication Module USB; 6. Restrict Old Passwords; 7. Restrict Empty Passwords.
  • 18. 1. Strong Password Policies. Strong password policies are framed for our custom Linux distribution keeping in mind the following parameters: VALIDITY – number of days a password is valid; LIFE – minimum number of days between changes of password; EXPIRY WARNING – number of days before the expiry warning is shown. [Screenshots: before / after, HCLOS]
  • 19. 2. PASSWORD STRENGTH. To increase password strength, the default configuration is altered so that only a highly secure password is accepted from the user. Limiting attempts: only 3 attempts are allowed. Minimum length: the minimum length of a password is 8 characters. Different passwords: old and new password must differ by three characters. Mandatory characters: there must be one uppercase, one lowercase, one non-alphanumeric/special, and one numerical character. [Screenshots: before / after, HCLOS]
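As an added example (not HCLOS code), the following POSIX shell functions apply the rules on this slide to a candidate password, the way an administrator could try the policy before turning it on, and print the pam_pwquality/pam_cracklib options that express the same policy; the /etc/pam.d/common-password path named in the comment and the "difok" approximation are assumptions.

```shell
#!/bin/sh
# Added example (not HCLOS code): apply slide 19's password rules to a
# candidate password, and print the pam_pwquality/pam_cracklib options that
# express the same policy. The "difok" approximation and the file path in
# pwquality_line are assumptions.
LC_ALL=C; export LC_ALL   # keep [A-Z]-style ranges ASCII-only

MIN_LEN=8      # minimum length of password is 8 characters
MIN_DIFF=3     # old and new password must differ by three characters
RETRIES=3      # only 3 attempts are allowed

# count_new_chars OLD NEW -> number of characters in NEW not found in OLD
# (approximates the difok check)
count_new_chars() {
    old=$1 new=$2 n=0
    while [ -n "$new" ]; do
        c=${new%"${new#?}"}    # first character of the remaining string
        new=${new#?}
        case $old in
            *"$c"*) ;;         # also present in the old password
            *) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# check_password NEW OLD -> prints each violated rule; returns 0 only if none
check_password() {
    new=$1 old=$2 rc=0
    [ ${#new} -ge "$MIN_LEN" ] || { echo "shorter than $MIN_LEN characters"; rc=1; }
    case $new in *[A-Z]*) ;; *) echo "no uppercase letter"; rc=1 ;; esac
    case $new in *[a-z]*) ;; *) echo "no lowercase letter"; rc=1 ;; esac
    case $new in *[0-9]*) ;; *) echo "no digit"; rc=1 ;; esac
    case $new in *[!A-Za-z0-9]*) ;; *) echo "no special character"; rc=1 ;; esac
    [ "$(count_new_chars "$old" "$new")" -ge "$MIN_DIFF" ] ||
        { echo "fewer than $MIN_DIFF characters differ from the old password"; rc=1; }
    return $rc
}

# pwquality_line -> the equivalent line for the password stack, e.g. in
# /etc/pam.d/common-password (Debian/Ubuntu layout; path assumed).
# A negative *credit value means "at least this many of that class".
pwquality_line() {
    echo "password requisite pam_pwquality.so retry=$RETRIES minlen=$MIN_LEN" \
         "difok=$MIN_DIFF ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1"
}
```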
  • 20. 3. PASSWORD LOGGING. Audit trails are maintained: all necessary changes to passwords are logged in HCLOS. Log file creation: creation of the log file. Log config.: linking PAM to the log. [Screenshots: HCLOS]
  • 21. 4. INDIRECT ROOT LOGIN. Disabling direct root login enables better tracking of any privilege escalation scenario. Steps: configure all PAM files; mark securetty null.
    2. Append logging parameters in the /etc/pam.d file. Fig. 13. – Modification of PAM for password logging.
    3.2.5.3.4 Indirect root login. Disallowing direct root login enables audit trails, so as to know which local user gained privileges, and hence is very useful in tracking. Also we don't want any intruder to directly gain privileges from an unprivileged account. Thus, to ensure only local users can gain privileges, I have done the following:
    1. Ensure all the PAM configuration files, even the ones used for the display manager, have the following line in their configuration file. Examples of such files are /etc/pam.d/login.defs and /etc/pam.d/gdm-password. Command: # auth required /lib/security/pam_securetty.so
    2. Now I will specify that no device is authenticated for root login by making 'securetty' null. Command: #echo "null" > /etc/securetty
    3.2.5.3.5 Pluggable Authentication Module USB. Linux distributions ship with a unified authentication mechanism known as 'Pluggable Authentication Module'. This module helps in configuring authentication methods and criteria. One more enhancement to securing the system is introducing a second factor of authentication using this module. Passwords lie under the category of 'something you know'; linking it with 'something you possess' increases the number of authentication factors. This possession can be any physical device that has a unique identifier attached to it. For this purpose a PAM device is configured. It is a USB device, distributed along with HCLOS, and it serves as a primary authentication device to log in to the system or gain super user privileges. To set up this two-factor authentication, follow these steps: 1. Installation of PAM modules
  • 22. 5. PLUGGABLE AUTHENTICATION MODULE USB. This will add another layer of security by requiring a smart token authentication to log in to the OS or to gain privileges. Creating device: devices are registered first based on their UUID and serial numbers. Registering users: users are registered for a particular device. Configuring PAM into the system: PAM USB is configured into the system with the 'required' control flag, making it necessary to have both the device and the password for authentication. [Screenshots: with USB / without USB]
  • 23. 6. RESTRICTING EMPTY PASSWORDS. Empty passwords are a clue towards unauthorised access to the system, so in HCLOS they are restricted. HCLOSADMTRACKER: this is a tool made specially for HCLOS that helps the user/consumer to monitor their system; one of its options is to check for and remove all accounts with empty passwords.
  • 24. FILESYSTEM SECURITY. Needs to be addressed: Review Trojan horses; Review unowned files; Review SUID/SGID processes; Integrity checking; Protection of important directories; Configuring umask. Measures: 1. Limiting File System; 2. hclosAdmTracker – HCLOS admin tool; 3. umask Configuration; 4. Integrity checking (checks integrity of files); 5. Minimisation of Packages (reduce the number of modules); 6. Configuration of /boot (make it read-only).
  • 25. 1. Limiting FILESYSTEM. Limiting the number of processes per user can be useful for giving users only the required rights over processing. New users are prohibited from creating core files; the number of processes is limited to 40 and memory to 4 MB per user. (Resource Limitation.)
    3.2.5.4 File System Security. Preparation before an attack is a must, and securing the file system guarantees that the attacker does not get a chance to exploit any vulnerable loophole in the system. Correctly configured access control and properly managed admin logs can thwart any attacker. What we have to address while securing the file system:
    1. Review if any Trojan horses are installed
    2. Review if any unowned files exist
    3. Review if any .rhosts files are there
    4. Review for SUID and SGID processes running
    5. Integrity checking of important binaries
    6. Protect start-up files, audit trails and security logs
    7. Configuration of default protection for new file creation
    Keeping in mind the above-mentioned problems, the following features were implemented in HCLOS:
    3.2.5.4.1 Limiting File System. By limiting the filesystem I mean limiting the number of open files and processes for a user. The default value is unlimited. This can be configured for single users or a group. This is done by using the resource-limits PAM module and /etc/pam.d/limits.conf. A sample configuration is:
    @commonusers hard core 0
    @commonusers hard nproc 40
    @commonusers hard rss 4000
    This says to prohibit the creation of core files, restrict the number of processes to 40, and restrict memory usage per user to 4Mb.
    3.2.5.4.2 hclosAdmTracker – HCLOS tool. One potential way for a user to escalate privileges on a system is to exploit a vulnerability in an SUID or SGID program. SUID and SGID are legitimately used when programs need special permissions above and beyond those that are available to the user who is running them. Therefore, these programs should be monitored, and any suspicious program must have its privileges revoked.
    Another kind of executable that can be vulnerable is the world-writable file: such files grant all permissions to all users, hence anybody can read, modify or execute them. Moreover, world-writable directories allow anyone to add or delete files in them. Attackers can take advantage of such directories, hence they also need to be monitored. There may be certain files in your system that are unowned. These files may indicate suspicious activity, as they do not belong to any user and were possibly created by an unprivileged user.
  • 26. 2. HCLOSADMTRACKER. This is an all-in-one tool for monitoring the various files that matter for security. It is a tool made specially for HCLOS that helps the user/consumer to monitor their system. SGID/SUID files, unowned files and .rhosts files can be tracked. Options to check for empty passwords and listening ports are also present.
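As an added example (not the hclosAdmTracker tool itself), these shell functions perform the checks the slide lists for it: SUID/SGID, world-writable, unowned and .rhosts files, empty-password accounts and listening ports. Each takes its input path as an argument so it can be pointed at a scratch directory or a copy of /etc/shadow; the revocation helper is an assumption about how "revoke privileges" is carried out.

```shell
#!/bin/sh
# Added example (not the hclosAdmTracker tool): the checks slide 26 lists for
# it, as functions that take their input path as an argument so they can be
# run against a scratch tree or a copy of /etc/shadow. Root is needed only to
# read the real /etc/shadow and to see every file on a live system.

# find_suid_sgid DIR -> regular files with the setuid or setgid bit (review list)
find_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# find_world_writable DIR -> regular files writable by everyone
find_world_writable() {
    find "$1" -xdev -type f -perm -0002 2>/dev/null
}

# find_unowned DIR -> files whose uid/gid has no entry in passwd/group
find_unowned() {
    find "$1" -xdev \( -nouser -o -nogroup \) 2>/dev/null
}

# find_rhosts DIR -> .rhosts trust files for the legacy r-services
find_rhosts() {
    find "$1" -xdev -type f -name .rhosts 2>/dev/null
}

# empty_password_accounts SHADOWFILE -> account names whose hash field is empty
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# listening_ports -> listening TCP/UDP sockets (ss from iproute2, else netstat)
listening_ports() {
    if command -v ss >/dev/null 2>&1; then ss -tuln; else netstat -tuln; fi
}

# revoke_setid FILE -> clear setuid/setgid after review (assumed form of the
# tool's "revoke privileges" action)
revoke_setid() {
    chmod u-s,g-s "$1"
}

# report DIR SHADOWFILE -> run every check and label the output
report() {
    echo "== SUID/SGID files ==";             find_suid_sgid "$1"
    echo "== world-writable files ==";        find_world_writable "$1"
    echo "== unowned files ==";               find_unowned "$1"
    echo "== .rhosts files ==";               find_rhosts "$1"
    echo "== accounts with empty passwords =="; empty_password_accounts "$2"
    echo "== listening ports ==";             listening_ports
}

# usage: ./admtracker.sh / /etc/shadow   (as root, on a live system)
if [ $# -eq 2 ]; then report "$1" "$2"; fi
```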
  • 27. 3. UMASK CONFIGURATION. The umask determines the default permissions of a new file. Default ROOT UMASK: 077 is the default configured umask in HCLOS. RESULTING NEW FILE: new files are given 644 permissions because of the above umask. [Screenshots]
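The slide pairs a umask of 077 with 644 permissions on new files. As an added example (not from the slides), this shell function computes the mode a given umask yields for files and directories and checks it against a file actually created under that umask, so the reader can confirm which umask produces which mode.

```shell
#!/bin/sh
# Added example (not from the HCLOS slides): what a umask actually does.
# The kernel clears the umask bits from the mode the creating call requests:
# 666 for ordinary files, 777 for directories. So a umask of 022 yields 644
# files and 755 directories, while 077 yields 600 files and 700 directories.

# mode_after_umask UMASK REQUESTED -> resulting mode (all three in octal)
mode_after_umask() {
    printf '%o\n' $(( 0$2 & ~0$1 ))
}

# umask_test UMASK -> "<file mode> <dir mode>" of a file and a directory
# created on disk under that umask (GNU stat, with a BSD stat fallback)
umask_test() {
    d=$(mktemp -d) || return 1
    ( umask "$1" && : > "$d/f" && mkdir "$d/d" ) || { rm -rf "$d"; return 1; }
    fm=$(stat -c %a "$d/f" 2>/dev/null || stat -f %Lp "$d/f")
    dm=$(stat -c %a "$d/d" 2>/dev/null || stat -f %Lp "$d/d")
    rm -rf "$d"
    echo "$fm $dm"
}

# show_umask UMASK -> one line comparing the computed and the observed modes
show_umask() {
    echo "umask $1: files $(mode_after_umask "$1" 666)," \
         "dirs $(mode_after_umask "$1" 777), on disk: $(umask_test "$1")"
}

for u in 022 027 077; do show_umask "$u"; done
```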
  • 28. NETWORK SECURITY: 1. Avoiding Packet Sniffers; 2. TCP Wrappers; 3. Network Parameters; 4. Limiting System Services; 5. IP Tables; 6. Network Scanners; 7. Anti Port Scanners; 8. Anonymous Browsing.
  • 29. 1. Avoiding Packet Sniffers. Avoiding sniffers can be effective even if the system is compromised, as crucial information is still hidden. To avoid these sniffers, secure shell is used for encryption of passwords. SSH: SSH v2 is used; the default port is changed; root access is disallowed after configuration.
  • 30. 2. TCP WRAPPERS. Access control: access control can be achieved with the help of TCP Wrappers. It disables access to services that are TCP Wrapper aware or use tcpd.
  • 31. 3. NETWORK PARAMETERS. Handling SYN FLOOD: this helps in configuring net.ipv4.tcp_max_syn_backlog = 4096, which handles SYN packets better by clearing extraneous packets.
  • 32. 4. Limiting Network Services. This helps in configuring vulnerable network services. HCLOSADMINTRACKER tool: this helps in limiting dangerous network services that authenticate with passwords sent in clear text. Moreover, NFS will be terminated by this.
  • 33. IPTABLES - FIREWALLS. Pre-configured iptables rules enable better packet handling and intrusion prevention; they are implemented in HCLOS as follows:
    ALLOW SSH PACKETS: this is necessary to avoid locking ourselves out.
    DROP ALL TCP PACKETS without flags: flagless TCP packets are dropped.
    LIMIT NEW TRAFFIC: limit connections for new traffic, enabling protection against DoS attacks.
    REJECT SYN FLOOD: limit bursts of new, forged SYN packets.
    REJECT ALL XMAS PACKETS: TCP packets with all flags set are dropped.
    LIMIT SMURF PACKETS: ICMP bursts are limited.
    LOG EVERYTHING: logging of all dropped packets.
  • 34. EXAMPLE OF IPTABLES RULE IN HCLOS. This rule limits NEW traffic on port 80 to prevent Denial of Service attacks:
    # sudo iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
    Let's break that rule down into intelligible chunks.
    -p tcp --dport 80 => Specifies traffic on port 80 (normally Apache, but as you can see here I am using nginx).
    -m state --state NEW => This rule applies to NEW connections.
    -m limit --limit 50/minute --limit-burst 200 -j ACCEPT => This is the essence of preventing DoS. In a nutshell, 200 new connections (packets really) are allowed before the limit of 50 NEW connections (packets) per minute is applied.
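As an added example (not the HCLOS ruleset), the rule groups of slide 33 together with the port-80 rule of slide 34 written out as iptables commands in a dry-run script: nothing is applied unless APPLY=1, and the port numbers and rate values are assumptions. It also carries the loopback/ESTABLISHED rules and the trailing DROP that the slide 34 rate-limit needs in order to enforce anything once the 200-packet burst is used up.

```shell
#!/bin/sh
# Added example, not the HCLOS ruleset itself: the rule groups from slide 33
# and the rate-limit from slide 34, written out as iptables commands. Without
# APPLY=1 the script only prints the commands (shell quoting is not shown in
# that output), so the set can be reviewed before it touches a live firewall.
# SSH_PORT, WEB_PORT and the rate values are assumptions.

SSH_PORT=${SSH_PORT:-22}
WEB_PORT=${WEB_PORT:-80}

# run CMD...: execute when APPLY=1, otherwise print (dry run)
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

hclos_rules() {
    # REJECT SYN FLOOD: a dedicated chain lets SYNs within the limit RETURN to
    # INPUT and still meet the per-port rules below, instead of being accepted
    # outright by a global ACCEPT
    run iptables -N SYN_FLOOD
    run iptables -A SYN_FLOOD -m limit --limit 20/s --limit-burst 50 -j RETURN
    run iptables -A SYN_FLOOD -j DROP
    # loopback and replies to our own connections must pass, or the final DROP
    # below would cut every established session
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # ALLOW SSH PACKETS before anything restrictive, to avoid locking ourselves out
    run iptables -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
    # DROP ALL TCP PACKETS that carry no flags (NULL-scan probes)
    run iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    # REJECT ALL XMAS PACKETS: every flag set
    run iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    # every new SYN goes through the SYN_FLOOD limiter
    run iptables -A INPUT -p tcp --syn -j SYN_FLOOD
    # LIMIT NEW TRAFFIC on the web port (slide 34's rule); the DROP after it is
    # what enforces the limit once the 200-packet burst is exhausted
    run iptables -A INPUT -p tcp --dport "$WEB_PORT" -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
    run iptables -A INPUT -p tcp --dport "$WEB_PORT" -m state --state NEW -j DROP
    # LIMIT SMURF PACKETS: bound ICMP echo requests
    run iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    run iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
    # LOG EVERYTHING that reaches the end of the chain (rate-limited), then drop it
    run iptables -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "HCLOS-DROP: " --log-level 4
    run iptables -A INPUT -j DROP
}

hclos_rules
```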
  • 35. 6. NETWORK VULNERABILITY SCANNERS. These scanning tools are pre-installed in HCLOS for reference. NIKTO: open source; it checks the whole system for vulnerabilities. VEGA: it helps in validation of SQL injection, XSS, etc.
  • 36. 7. PORT SCAN ACTIVE DETECTION. PSAD: this module is a behavioural IDPS, which creates iptables rules automatically by observing traffic. Danger levels are configured for monitoring bursts of packets, according to which particular IPs are blocked. This detects rigorous Nmap scans and blacklists that IP.
  • 37. 8. Anonymous Browsing. For this purpose the onion routing protocol is used, and Tor is pre-installed and configured in HCLOS. ONION BROWSING: this peer-to-peer anonymous network provides a sufficiently secure communication path and avoids direct linkage with any server.
  • 39. 1. BACKUP ENCRYPTION. Backing up and encrypting the backup is pretty easy in HCLOS, as custom commands are built. Generation of RSA key pair: RSA keys are generated with OpenSSL. ENCRYPTION SCRIPT: the encryption command backs up the home directory and encrypts it. DECRYPTION SCRIPT: this decrypts the home directory and replaces the original one when required. [Screenshots: encryption script / decryption script]
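As an added example (not the HCLOS backup scripts), a shell version of the scheme this slide describes: an OpenSSL RSA key pair, a backup of a directory encrypted under a random AES-256 key, and that key wrapped with the RSA public key so that only the private key holder can restore it. File names, the 2048-bit key size and the use of -pbkdf2 (OpenSSL 1.1.1 or later) are assumptions.

```shell
#!/bin/sh
# Added example (not the HCLOS backup scripts): encrypted backup of a directory
# with an OpenSSL RSA key pair, as the slide describes. RSA cannot encrypt a
# large archive directly, so a random AES-256 key encrypts the tarball and the
# RSA public key wraps that key; only the private key holder can restore.
# Names, the 2048-bit key size and -pbkdf2 (OpenSSL 1.1.1+) are assumptions.

# make_keypair PREFIX -> PREFIX.key (private, mode 600) and PREFIX.pub
make_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1.key" 2>/dev/null &&
    chmod 600 "$1.key" &&
    openssl pkey -in "$1.key" -pubout -out "$1.pub" 2>/dev/null
}

# backup_encrypt DIR PUBKEY OUT -> OUT.tar.enc (AES-256-CBC) + OUT.key.enc (RSA)
backup_encrypt() {
    dir=$1 pub=$2 out=$3
    keyfile=$(mktemp) || return 1
    # a fresh 256-bit session key, used as the passphrase of the symmetric step
    openssl rand -hex 32 > "$keyfile" &&
    tar -C "$(dirname "$dir")" -cf - "$(basename "$dir")" |
        openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$keyfile" -out "$out.tar.enc" &&
    openssl pkeyutl -encrypt -pubin -inkey "$pub" -in "$keyfile" -out "$out.key.enc"
    rc=$?
    # the plaintext session key never stays on disk
    rm -f "$keyfile"
    return $rc
}

# backup_decrypt OUT PRIVKEY DEST -> unwrap the key, decrypt and extract into DEST
backup_decrypt() {
    out=$1 priv=$2 dest=$3
    keyfile=$(mktemp) || return 1
    openssl pkeyutl -decrypt -inkey "$priv" -in "$out.key.enc" -out "$keyfile" &&
    mkdir -p "$dest" &&
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$keyfile" -in "$out.tar.enc" |
        tar -C "$dest" -xf -
    rc=$?
    rm -f "$keyfile"
    return $rc
}
```

Restoring over the live home directory, as the slide's decryption script does, is then a matter of choosing that directory's parent as DEST after the backup has been verified.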
  • 40. 2. LOGSPOT TOOL. This tool is a one-stop place for all logs to be monitored; users can easily manage their logs here. All logs are aggregated in this tool, as viewable in the diagram. [Screenshot: LOGSPOT]
  • 41. CRYPDEF: 1. Script for detection; 2. Running the script as a cron job; 3. Script for removal of the crypto virus; 4. Automated deployment on detection.
  • 43. Security Checklist EVALUATION. Each item of the problem-formulation checklist, with its status:
    1. Boot Loader Security: additional layer of security for bootloader access, secure configuration of boot files, etc. DONE
    2. Kernel Security: configure kernel compile-time parameters for security. DONE
    3. Password Security and Encryption: ensuring password strength, password policies, pluggable USB authentication, restricting old or empty passwords, etc. DONE
    4. File System Security: limiting filesystem, umask configuration, administering the filesystem, minimisation of packages, etc. DONE
    5. Network Security: packet sniffers, iptables firewalling, anti port scanning and maintaining anonymity. DONE
    6. Security Preparedness: data backups, backup encryption, log monitoring tools, etc. DONE
    7. Intrusion Detection: auditd and NIDS, etc. DONE
    8. Cryptovirus Protection: Crypdef service. DONE
    9. Other Necessary Security Elements: SELinux patches, TrueCrypt, Nmap and other tools. DONE
  • 44. NETWORK SCANNING. Machines on the test network (DHCP address): 1. Ubuntu 16.04 LTS – 192.168.1.38; 2. Mac OSX El Capitan v10.11 – 192.168.1.36; 3. Windows 10 – 192.168.1.41; 4. HCLOS – 192.168.1.40.
    Original system vs fingerprint detected by Network Mapper (match percentage): Ubuntu – Linux 2.6.17 (100%); Windows 10 – Microsoft Windows 8 (93%); Mac OSX – Apple OSX 10.7-10 (100%); HCLOS – Not identified (0%).
    NMAP: these are the Network Mapper results, obtained by doing an intensive scan with OS detection. HCLOS was not guessed by NMAP.
  • 45. NETWORK SCANNING. [Screenshots: iptables before attack / iptables after attack] These results show PSAD in action, actively blocking the malicious IP.
  • 46. AUDITING. The table below gives the summary of the audit reports. Table 3. – Comparison of Lynis audit report summary for HCLOS and Ubuntu 16.04 (hardening index and number of tests per category):
    Accounting: Ubuntu index 6 (14 tests); HCLOS index 94 (18 tests)
    Authentication: Ubuntu index 10 (32 tests); HCLOS index 92 (33 tests)
    File Permissions: Ubuntu index 3 (10 tests); HCLOS index 97 (11 tests)
    Logging: Ubuntu index 12 (25 tests); HCLOS index 97 (26 tests)
    Kernel Hardening: Ubuntu index 26 (11 tests); HCLOS index 78 (12 tests)
    Firewalling: Ubuntu index 15 (14 tests); HCLOS index 95 (11 tests)
    Networking: Ubuntu index 1 (19 tests); HCLOS index 95 (20 tests)
    Hardening: Ubuntu index 1 (13 tests); HCLOS index 90 (14 tests)
    Average: Ubuntu 9.25%, total tests = 138; HCLOS 92.25%, total tests = 145
    This is also represented graphically as a comparison of hardening between HCLOS and Ubuntu by Lynis auditing index. The table shows the number of auditing tests performed and the index per category for HCLOS and Ubuntu.
  • 47. AUDITING. The result is presented graphically here. [Chart] This concludes that there is approximately 83% difference in the hardening of the two systems, showing that our HCLOS is far more secure than a normal Ubuntu distribution.
  • 48. DENIAL OF SERVICE ATTACK. To test and verify network hardening in HCLOS, we will use the Apache benchmarking tool. 'ab' is a tool for benchmarking your Apache Hypertext Transfer Protocol (HTTP) server. It is designed to give you an impression of how your current Apache installation performs. This especially shows you how many requests per second your Apache installation is capable of serving. A DoS attack tool, by contrast, performs a Denial of Service attack by forging packets and continuously bombarding the specified host. Results are shared as follows:
    1. Apache Benchmark Test. First case – without any rules (like stock Ubuntu):
    #ab -n 100 -c 10 http://hclos_machine_server/
    This is ApacheBench, Version 2.3 <$Revision: 655654 $>
    Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
    Licensed to The Apache Software Foundation, http://www.apache.org/
    Benchmarking hclos_machine_server (be patient).....done
    Connection Times (ms)
                  min  mean[+/-sd] median   max
    Connect:      122   129   2.2    128    134
    Processing:  1151  1182  19.1   1177   1260
    Waiting:      125   132   8.2    128    170
    Total:       1280  1310  19.3   1305   1390
    Percentage of the requests served within a certain time (ms)
      50%   1305
      66%   1313
      75%   1316
      80%   1321
      90%   1328
      95%   1354
      98%   1386
      99%   1390
     100%   1390 (longest request)
    Results: Requests per second: 7.59 [#/sec]; Total time for requests: 13 seconds; (Data) Transfer rate: 444.98 [Kbytes/sec]. (Apache Benchmark Results.)
    Second case – with iptables rules implemented:
    Benchmarking hclos_machine_server.com (be patient)...
    apr_poll: The timeout specified has expired (70007)
    Total of 99 requests completed
    Thus it proves that a minor DoS simulation from Apache Benchmark was detected and stopped at the HCLOS server end.
    4.2.4 Cryptoviral Extortion Attack. This attack is mitigated by using a custom detection and removal script particularly written for Linux.Encoder. Currently detection of Zepto and Locky based viruses is also supported.
    ab is the benchmarking framework I used to bombard packets onto our HCLOS server. We received a timeout message on our system.
  • 49. CRYPTOVIRAL EXTORTION ATTACK. We used Zepto and Locky samples to attack the system and were able to detect and mitigate the attacks.
  • 50. LOGIN BYPASS ATTACK. Trying to bypass login with the init=/bin/bash vulnerability failed, as an additional password was required in HCLOS. However, in Ubuntu I succeeded.
  • 51. COMPARATIVE ANALYSIS. This table shows a comparative analysis between the top ten most used operating systems in the market and our Hardened Customized Linux Operating System (HCLOS). [Table]
  • 53. REFERENCES
    [1] Chen, Haogang, et al. Linux kernel vulnerabilities: State-of-the-art defenses and open problems. Proceedings of the Second Asia-Pacific Workshop on Systems. ACM, 2011.
    [2] N. Palix, G. Thomas, S. Saha, C. Calvès, J. Lawall, and G. Muller. Faults in Linux: Ten years later. In Proc. Int'l Conf. Architectural Support for Programming Languages and Operating Systems (ASPLOS), pages 305–318. ACM Press, 2011.
    [3] Nimbalkar R., Patel P., Meshram. Advanced Linux Security, American Journal of Engineering Research (AJER), 2013.
    [4] Younan Y. 25 Years of Vulnerabilities: 1988-2012, Sourcefire Corp, 2013.
    [5] S. Niu, J. Mo, Z. Zhang, and Z. Lv. Overview of Linux Vulnerabilities. In 2nd International Conference on Soft Computing in Information Communication Technology. Atlantis Press, May 2014.
    [6] P. E. McKenney and J. Walpole. Introducing technology into the Linux kernel: a case study. ACM SIGOPS Operating Systems Review, 42(5):4–17, 2008.
    [7] N. Elhage. CVE-2010-4258: Turning denial-of-service into privilege escalation. http://blog.nelhage.com/2010/12/cve-2010-4258-from-dos-to-privesc/, 2010.
    [8] S. A. Mokhov, M.-A. Laverdiere, and D. Benredjem. Taxonomy of Linux kernel vulnerability solutions. Innovative Techniques in Instruction Technology, E-learning, E-assessment, and Education, 2008.
    [9] Cisco 2014 Annual Security Report, Cisco, 2014.
    [10] Linux. http://en.wikipedia.org/wiki/Linux.
    [11] Lyon, Gordon Fyodor. Nmap network scanning: The official Nmap project guide to network discovery and security scanning. Insecure, 2009.
    [12] Jung, Sung-Jae, and Kyung Sung. "A Study on the Iptables Ruleset Against DoS Attacks." The Journal of Advanced Navigation Technology 19.3 (2015): 257-263.
    [13] Lynis auditing framework, https://cisofy.com/lynis/
    [14] Nmap Network Mapper, https://nmap.org/
    [15] Wadhwa V., Nagpal B.: Chapter 34. Cryptoviral Extortion: Evolution, Scenarios and Analysis. In: Proceedings of the International Conference on Signal, Networks, Computing, and Systems: Volume 2, Springer India, 2016.
    [16] Linux Security checklist, SANS Institute; https://www.sans.org/media/score/checklists/linuxchecklist.pdf
  • 54. A few demonstrations: init=/bin/bash vulnerability; PAM USB authentication; Logspot; HclosAdmTracker.