1. Building a Hardened Customised Linux Operating System
Presented by : Vinayak Wadhwa
M.Tech. IS ( 4th Semester )
01310100814
Thesis Presentation
Ambedkar Institute of Advanced Communication
Technologies and Research
Geeta Colony, Delhi-110031
Mentor: Mrs. Bharti Nagpal
Assistant Professor
AIACTR
2. About ME
Hello, this is Mr. Vinayak Wadhwa, M.Tech, AIACT&R.
Today I will be presenting my research work on hardening and building a custom Linux based operating system. What Linux offers is flexibility: it is entirely up to the user to configure and create a secure environment to work in. This makes it necessary for a normal student/user to know how to configure security in Linux. My research aimed at the development of an operating system that is pre-configured and pre-patched against the known threats to Linux operating systems, and prepared as far as possible for future ones. This OS is named 'HCLOS'. It is currently in the testing phase.
Vinayak Wadhwa, Research Student
5. Principles of HCLOS Security
KNOW YOUR ENEMIES
PROTECTION IS KEY, DETECTION IS MUST
DEFENCE IN DEPTH
PRINCIPLE OF LEAST PRIVILEGE
KNOW YOUR SYSTEM
7. 2011
Linux kernel
vulnerabilities: State-of-
the-art defenses and open
problems. In. Proceedings of
the Second Asia-Pacific
Workshop on Systems. ACM
2013
Advanced Linux Security,
In. American Journal of
Engineering Research (AJER)
2014
Overview of Linux
Vulnerabilities. In 2nd
International Conference on
Soft Computing in Information
Communication Technology.
Atlantis Press
2011
Faults in Linux: Ten years
later. In Proc. Int’l Conf.
Architectural Support for
Programming Languages and
Operating Systems (ASPLOS),
pages 305–318. ACM Press
2013
25 Years of Vulnerabilities:
1988-2012, Sourcefire Crop,
2013.
LITERATURE SURVEY
2011
2011
2013
2013
2014
9. SOME IMPORTANT FACTS
[Chart: Vulnerabilities in Linux Distributions; labels: Red Hat, Suse, Gentoo, Ubuntu]
[Chart: Top Vulnerabilities Classified in [5]; labels: Mac OSX, Windows XP, Chrome, Linux Kernel, Internet Explorer, Firefox]
11. HCLOS DEVELOPMENT FLOWCHART
12. Security Checklist
This checklist is our problem formulation and will be used to validate the implementation.
S. No. / Security Classification / Short Description / Tick
1  Boot Loader Security: additional layer of security for bootloader access, secure configuration of boot files, etc.
2  Kernel Security: configure kernel compile-time parameters for security.
3  Password Security and Encryption: ensuring password strength, password policies, pluggable USB authentication, restricting old or empty passwords, etc.
4  File System Security: limiting the filesystem, umask configuration, administering the filesystem, minimisation of packages, etc.
5  Network Security: packet sniffers, iptables firewalling, anti port scanning and maintaining anonymity.
6  Security Preparedness: data backups, backup encryption, log monitoring tools, etc.
7  Intrusion Detection: auditd and NIDS, etc.
8  Cryptovirus Protection: Crypdef service.
9  Other Necessary Security Elements: SELinux patches, TrueCrypt, Nmap and other tools.
14. Hardening of Custom Linux Distribution
The following eight elements of security were implemented thoroughly in HCLOS.
BOOTLOADER SECURITY: additional layer of security; secure boot configuration; physical security.
KERNEL SECURITY: kernel compilation options.
PASSWORD SECURITY: password policies; password strength; password logging; indirect root login; PAM USB; restrict old passwords; restrict empty passwords.
FILE SYSTEM SECURITY: limiting the filesystem; hclosAdmTracker; umask configuration; integrity checking; minimisation of packages; configure /boot.
NETWORK SECURITY: packet sniffers; TCP Wrappers; network parameters; limiting system services; iptables; network scanners; anti port scanners; anonymous browsing.
SECURITY PREPAREDNESS: full data backup; disable USB detection; backup encryption; Logspot tool.
HCLOSADMIN: list all current listening ports; list all current services; turn off dangerous network services; check users with empty passwords.
CRYPDEF: anti-cryptovirus shell scripts.
15. BOOTLOADER SECURITY
Exploits faced:
• init=/bin/bash vulnerability (editing the kernel command line at the boot menu to get a root shell without a password)
• Recovery CD bypass
• Hardware bypass
1. Additional layer of security: a SHA-512 based password hash is generated and configured as entry-level access control for the bootloader, so that nobody can edit boot entries or drop to the bootloader shell, and thereby bypass the HCLOS login, without it.
2. Secure boot configuration: the BIOS is configured so that the main hard disk is the only boot option, which closes the recovery CD/USB route. This restriction only holds while the BIOS setup itself is password protected.
3. Physical security recommended: security is incomplete without physical security, so the hardware bypass (removing the disk, resetting the BIOS) has to be met with alarms/tripwires.
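The "additional layer" above is GRUB 2's password facility. The following is an added example, not an HCLOS script: the comments give the setup steps (Debian/Ubuntu grub-mkconfig layout is assumed, and the superuser name hclosadmin is hypothetical), and the function checks a generated grub.cfg for the protection so a hardening audit can confirm it survived the last update-grub.

```bash
#!/usr/bin/env bash
# GRUB 2 bootloader password: setup steps and a verification function.
# Added example; the user name "hclosadmin" and the paths are assumptions
# (Debian/Ubuntu grub-mkconfig layout).

# --- Setup (run once as root; interactive, so not executed by the check below) ---
# 1. Derive the PBKDF2-SHA512 hash of the chosen password:
#      grub-mkpasswd-pbkdf2        # prints: grub.pbkdf2.sha512.10000.<salt>.<hash>
# 2. Append to /etc/grub.d/40_custom:
#      set superusers="hclosadmin"
#      password_pbkdf2 hclosadmin grub.pbkdf2.sha512.10000.<salt>.<hash>
# 3. Regenerate the config:  update-grub   (or grub-mkconfig -o /boot/grub/grub.cfg)
# Afterwards, editing an entry (the "e" key used for init=/bin/bash) and the GRUB
# shell require the password. With superusers set, an entry boots without the
# password only if it was generated with --unrestricted.

# grub_password_check <grub.cfg>
# Returns 0 when a superuser and a PBKDF2 password are both set and no plaintext
# "password" directive undoes them.
grub_password_check() {
    local cfg="$1"
    grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$cfg" \
        || { echo "no superusers set in $cfg"; return 1; }
    grep -Eq '^[[:space:]]*password_pbkdf2[[:space:]]+[^[:space:]]+[[:space:]]+grub\.pbkdf2\.sha512\.' "$cfg" \
        || { echo "no password_pbkdf2 entry in $cfg"; return 1; }
    # A plaintext "password user pass" line would put the secret in a world-readable file.
    if grep -Eq '^[[:space:]]*password[[:space:]]' "$cfg"; then
        echo "plaintext password directive present in $cfg"; return 1
    fi
    return 0
}
```

Run it as `grub_password_check /boot/grub/grub.cfg` after every update-grub; the hash is safe to leave in the world-readable grub.cfg, a plaintext directive is not.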
16. KERNEL SECURITY
While compiling the kernel there are certain options that are otherwise ignored; these were configured in HCLOS.
1. Enable security options:
[*] Enable different security models (CONFIG_SECURITY)
[*] Default Linux Capabilities (CONFIG_SECURITY_CAPABILITIES)
2. The following options were also configured. The names are those of the 2.x-series kernel configuration; current kernels carry the same functionality under the netfilter options (CONFIG_NETFILTER, CONFIG_IP_NF_IPTABLES, the LOG target) and, for source routing, the sysctl net.ipv4.conf.all.accept_source_route.
• Network Firewalls (CONFIG_FIREWALL)
This option should be on if you intend to run any firewalling or masquerading on your Linux machine. In HCLOS it is configured to be on.
• IP: syn cookies (CONFIG_SYN_COOKIES)
A "SYN attack" is a denial-of-service (DoS) attack that fills the queue of half-open connections until the machine stops accepting new connections. SYN cookies let the kernel keep accepting legitimate connections without storing state for every unacknowledged SYN; there is no normal reason not to enable this (it also needs net.ipv4.tcp_syncookies = 1 at run time).
• IP: firewall packet logging (CONFIG_IP_FIREWALL_VERBOSE)
This option gives you information about packets your firewall received: sender, recipient, port, etc.
• IP: Drop source routed frames (CONFIG_IP_NOSR)
This option should be enabled. Source-routed frames carry the entire path to their destination inside the packet, so routers along the way do not make a routing decision and simply forward it. An attacker can use this to steer packets past filtering or to reach hosts that are not otherwise routable, so such packets should be dropped.
• Packet Signatures (CONFIG_NCPFS_PACKET_SIGNING)
This option, enabled in HCLOS, signs NCP (NetWare Core Protocol) packets so that the server can verify they were not altered in transit.
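An added example (not HCLOS's own build scripts) that audits a kernel .config for the options above under their current Kconfig names, the mapping from the slide's 2.x-era names being given in the comments, together with CONFIG_AUDIT and SELinux from the checklist. The list of required symbols is this example's assumption about what a hardened HCLOS-style build needs.

```bash
#!/usr/bin/env bash
# Audit a kernel build configuration for the security options HCLOS turns on.
# Added example, not part of HCLOS. The 2.x-era names on the slide are mapped
# to their current Kconfig symbols; the source-route option has no symbol today
# and is a sysctl instead (see the note after the list).

# Required options; "=y" and "=m" both count as enabled.
KERNEL_REQUIRED=(
    CONFIG_SECURITY                    # "Enable different security models"
    CONFIG_SECURITY_SELINUX            # SELinux LSM (HCLOS checklist item 9)
    CONFIG_AUDIT                       # kernel side of auditd (checklist item 7)
    CONFIG_SYN_COOKIES                 # "IP: syn cookies"
    CONFIG_NETFILTER                   # successor of CONFIG_FIREWALL
    CONFIG_IP_NF_IPTABLES              # iptables for IPv4
    CONFIG_NETFILTER_XT_TARGET_LOG     # iptables -j LOG, successor of CONFIG_IP_FIREWALL_VERBOSE
)
# CONFIG_IP_NOSR has no Kconfig symbol any more; set
#   net.ipv4.conf.all.accept_source_route = 0
#   net.ipv4.conf.default.accept_source_route = 0
# with sysctl instead.

# kernel_config_check <config-file>
#   e.g. /boot/config-$(uname -r), or a file produced by: zcat /proc/config.gz
# Prints each missing or disabled option; returns the number of problems found.
kernel_config_check() {
    local cfg="$1" opt val missing=0
    for opt in "${KERNEL_REQUIRED[@]}"; do
        # "# CONFIG_X is not set" lines and absent symbols both count as disabled
        val=$(grep -E "^${opt}=" "$cfg" | cut -d= -f2 || true)
        case "$val" in
            y|m) ;;
            *) echo "$opt: ${val:-not set}"; missing=$((missing+1)) ;;
        esac
    done
    return "$missing"
}
```

The return value is the problem count, so `kernel_config_check /boot/config-$(uname -r) || echo "kernel not hardened"` works as a one-line gate in a build or audit script.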
18. 1. Strong Password Policies
Strong password policies are framed for our custom Linux distribution keeping in mind the following parameters:
Validity: number of days a password is valid.
Life: minimum number of days between changes of password.
Expiry warning: number of days before expiry that a warning is shown.
[Figure: before/after HCLOS configuration]
19. 2. PASSWORD STRENGTH
To increase password strength the default configuration is altered, so that only a highly secure password is accepted from the user.
Limiting attempts: only 3 attempts are allowed.
Minimum length: the minimum length of a password is 8 characters.
Different passwords: the old and new password must differ by at least three characters.
Mandatory characters: there must be at least one uppercase, one lowercase, one non-alphanumeric/special, and one numerical character.
[Figure: before/after HCLOS configuration]
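The two slides above describe the policy but not its enforcement. Below is an added example, not HCLOS's configuration: the comments show how the policy is expressed for pam_cracklib and /etc/login.defs (the module choice and the ageing values are assumptions; the slides give no numbers), and the function reproduces the same strength rules so a script can pre-check a candidate password, for instance before feeding it to an automated account provisioning step.

```bash
#!/usr/bin/env bash
# Password strength check mirroring the HCLOS rules on slide 19. Added example.
#
# The same policy as PAM configuration (assumed form, values from the slide):
#   password requisite pam_cracklib.so retry=3 minlen=8 difok=3 \
#       ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
# Negative credits make each class mandatory, so minlen=8 is a true minimum.
# Ageing from slide 18 lives in /etc/login.defs (example values, not the slide's):
#   PASS_MAX_DAYS 90   (validity)   PASS_MIN_DAYS 1 (life)   PASS_WARN_AGE 7 (warning)

# hclos_pw_check <old-password> <new-password>
# Returns 0 if the new password satisfies the policy, 1 with a reason otherwise.
hclos_pw_check() {
    local old="$1" new="$2"
    [ "${#new}" -ge 8 ] || { echo "too short (minimum 8 characters)"; return 1; }
    printf '%s' "$new" | grep -q '[[:upper:]]'   || { echo "needs an uppercase letter"; return 1; }
    printf '%s' "$new" | grep -q '[[:lower:]]'   || { echo "needs a lowercase letter"; return 1; }
    printf '%s' "$new" | grep -q '[[:digit:]]'   || { echo "needs a digit"; return 1; }
    printf '%s' "$new" | grep -q '[^[:alnum:]]'  || { echo "needs a special character"; return 1; }
    # difok approximation: count characters of the new password that occur
    # nowhere in the old one; at least 3 of them are required.
    local i c diff=0
    for (( i=0; i<${#new}; i++ )); do
        c="${new:i:1}"
        case "$old" in *"$c"*) ;; *) diff=$((diff+1)) ;; esac
    done
    [ "$diff" -ge 3 ] || { echo "new password must differ from the old one in at least 3 characters"; return 1; }
    return 0
}
```

Note that "only 3 attempts" on the slide corresponds to retry=3 here: three chances to enter a password that passes the check, not three login attempts, which is a separate module (pam_tally2/pam_faillock).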
20. 3. PASSWORD LOGGING
Audit trails are maintained: all changes to passwords are logged in HCLOS.
Creation of log file: a dedicated log file is created for password changes.
Linking PAM to the log: logging parameters are appended to the relevant file under /etc/pam.d (Fig. 13: modification of PAM for password logging).
21. 4. INDIRECT ROOT LOGIN
Disabling direct root login gives an audit trail of which local user gained privileges, which makes any privilege-escalation scenario easier to track. It also stops an intruder from gaining root directly instead of having to go through an unprivileged account first. To ensure that only local users can gain privileges, the following is done:
1. Configure all PAM files: ensure all PAM configuration files, including the ones used by the display manager, contain the securetty module. Examples of such files are /etc/pam.d/login and /etc/pam.d/gdm-password (the password-ageing file /etc/login.defs is not a PAM file and is not involved here). The line, without a leading "#" (which would comment it out), is:
auth required pam_securetty.so
2. Mark securetty empty: with pam_securetty in place, root may only log in on a terminal listed in /etc/securetty, so an empty file means no terminal at all:
: > /etc/securetty
The original command, echo "null" > /etc/securetty, has the same effect only because no terminal device is called "null". Note that pam_securetty governs local terminal logins; root over SSH is controlled separately by PermitRootLogin in sshd_config.
3.2.5.3.5 Pluggable Authentication Modules: USB
Linux distributions ship with a unified authentication mechanism known as Pluggable Authentication Modules (PAM). It allows authentication methods and criteria to be configured per service. One more enhancement to securing the system is to introduce a second factor to authentication using this mechanism.
Passwords fall under the category of "something you know"; linking them with "something you possess" adds a second factor to authentication. This possession can be any physical device with a unique identifier attached to it. For this purpose a PAM device is configured: a USB device, distributed along with HCLOS, that serves as a primary authentication device to log in to the system or gain super-user privileges. To set up this two-factor authentication, follow these steps:
1. Installation of the PAM modules (pam_usb and its configuration tool)
22. 5. PLUGGABLE AUTHENTICATION MODULE USB
This adds another layer of security by requiring a token (the registered USB device) to log in to the OS or to gain privileges.
Creating the device: devices are registered first, based on their UUID and serial numbers.
Registering users: users are registered for a particular device.
Configuring PAM into the system: pam_usb is configured with the "required" control, making it necessary to have both the device and the password for authentication.
[Figure: login with USB / without USB]
23. 6. RESTRICTING EMPTY PASSWORDS
Empty passwords are an open door to unauthorised access to the system, so in HCLOS they are restricted.
hclosAdmTracker: this is a tool made specially for HCLOS that helps the user/consumer monitor their system. One of its options is to check for, and remove, all accounts with empty passwords.
24. FILESYSTEM SECURITY
Needs to be addressed:
• Review Trojan horses
• Review unowned files
• Review SUID/SGID programs
• Integrity checking
• Protection of important directories
• Configuring umask
Implemented in HCLOS:
1. Limiting the filesystem
2. hclosAdmTracker, the HCLOS admin tool
3. umask configuration
4. Integrity checking (checks the integrity of files)
5. Minimisation of packages (reduce the number of modules)
6. Configuration of /boot (make it read-only)
25. 1. LIMITING THE FILESYSTEM
Limiting the number of processes per user can be useful for giving users only the processing rights they need.
Resource limitation: new users are prohibited from creating core files, the number of processes is limited to 40 and memory to 4 MB per user.
3.2.5.4 File System Security
Preparation before an attack is a must, and securing the file system denies the attacker the chance to exploit a vulnerable loophole in the system. Correctly configured access control and properly managed admin logs can defeat many attackers. What has to be addressed while securing the file system:
1. Review whether any Trojan horses are installed
2. Review whether any unowned files exist
3. Review whether any .rhosts files are there
4. Review SUID and SGID programs
5. Integrity checking of important binaries
6. Protect start-up files, audit trails and security logs
7. Configure the default protection for newly created files
Keeping the above problems in mind, the following features were implemented in HCLOS:
3.2.5.4.1 Limiting the File System
By limiting the filesystem I mean limiting the number of open files and processes per user. The default is unlimited. This can be configured for single users or for groups. It is done with the resource-limits PAM module (pam_limits) and /etc/security/limits.conf. A sample configuration is
@commonusers hard core 0
@commonusers hard nproc 40
@commonusers hard rss 4000
This prohibits the creation of core files, restricts the number of processes to 40, and is intended to restrict memory usage per user to 4 MB. Two caveats: the rss limit is not enforced by Linux kernels from 2.4 onwards (use "as", the address-space limit, for an effective memory cap), and nproc counts all processes of the user, so a value as low as 40 can break a desktop session.
3.2.5.4.2 hclosAdmTracker – HCLOS tool
One potential way for a user to escalate privileges on a system is to exploit a vulnerability in a SUID or SGID program. SUID and SGID are legitimately used when programs need privileges beyond those of the user running them. Therefore these programs should be monitored, and any suspicious program must have its privilege bits revoked.
Another class of risky files is world-writable files: anybody can read, modify or execute them. World-writable directories, moreover, allow anyone to add or delete files in them, and attackers take advantage of such directories, so they also need monitoring.
There may be files on the system that are unowned. They may indicate suspicious activity, as they belong to no current user and were possibly left behind by a deleted account or a compromised process.
26. 2. HCLOSADMTRACKER
This is an all-in-one tool for monitoring the various files that matter for security.
hclosAdmTracker is a tool made specially for HCLOS that helps the user/consumer monitor their system. SUID/SGID files, unowned files and .rhosts files can be tracked. Options to check for empty passwords and for listening ports are also present.
27. 3. UMASK CONFIGURATION
The umask determines the default permissions of a new file: the bits set in the umask are removed from 666 for files and from 777 for directories.
Default root umask: 077 is the umask configured in HCLOS.
Resulting new file permissions: with umask 077 new files get mode 600 and new directories 700, readable by the owner only. The 644 that a stock system gives new files comes from its default umask of 022.
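The following added example, not hclosAdmTracker itself, serves both the hclosAdmTracker slide and the umask slide: one function runs the filesystem checks the tool is described as doing (SUID/SGID, world-writable files and directories, unowned files, .rhosts) with plain find, and a second does the umask arithmetic so the 077 versus 022 difference above can be checked rather than remembered. The temporary files in the test are constructed.

```bash
#!/usr/bin/env bash
# Filesystem audit (SUID/SGID, world-writable, unowned, .rhosts) and umask
# arithmetic. Added example, not HCLOS code.

# fs_audit <root-dir>: prints one line per finding, "<kind> <path>".
# On a real system run it as root over / and add -xdev to each find to stay
# on one filesystem; errors for unreadable paths are silenced.
fs_audit() {
    local root="$1"
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sed 's/^/setid /'
    find "$root" -type f -perm -0002 -print 2>/dev/null | sed 's/^/world-writable /'
    # a world-writable directory without the sticky bit lets anyone delete others' files
    find "$root" -type d -perm -0002 ! -perm -1000 -print 2>/dev/null | sed 's/^/world-writable-dir-no-sticky /'
    find "$root" \( -nouser -o -nogroup \) -print 2>/dev/null | sed 's/^/unowned /'
    find "$root" -name .rhosts -print 2>/dev/null | sed 's/^/rhosts /'
}

# mode_from_umask <umask> <file|dir>
# Prints the permission bits a newly created file or directory receives:
# files start from 0666, directories from 0777, and the umask bits are cleared.
mode_from_umask() {
    local base=0666
    [ "$2" = dir ] && base=0777
    printf '%04o\n' $(( base & ~0$1 ))
}
```

`mode_from_umask 077 file` prints 0600 and `mode_from_umask 022 file` prints 0644, which is the difference the slide describes. Findings from fs_audit are a list to review, not to delete: a SUID bit on passwd or sudo is legitimate, one on a shell under /tmp is not.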
29. 1. AVOIDING PACKET SNIFFERS
Defeating sniffers pays off even when another host on the network is compromised, as credentials and session contents stay encrypted on the wire.
SSH: to defeat sniffers, Secure Shell is used so that passwords and sessions are encrypted.
• SSH protocol version 2 only is used.
• The default port is changed.
• Root login over SSH is disallowed after configuration.
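An added example (not HCLOS's configuration) that audits an sshd_config for the three settings on the slide. It follows sshd's first-match semantics for repeated keywords, falls back to the historical defaults for absent ones, and ignores Match blocks; the sample configs in the test are constructed.

```bash
#!/usr/bin/env bash
# Check an sshd_config for the three HCLOS settings: protocol 2 only, a
# non-default port, and no root login. Added example, not HCLOS code.

# sshd_setting <config> <keyword> <default>
# sshd uses the FIRST occurrence of a keyword, matched case-insensitively.
sshd_setting() {
    local v
    v=$(grep -Ev '^[[:space:]]*#' "$1" | awk -v k="$2" 'tolower($1)==tolower(k){print $2; exit}')
    printf '%s\n' "${v:-$3}"
}

# sshd_hardening_check <config>: prints each failed check, returns their number.
sshd_hardening_check() {
    local cfg="$1" bad=0 v
    # SSHv1 was removed in OpenSSH 7.4; on older builds "Protocol 2" must be explicit.
    v=$(sshd_setting "$cfg" Protocol 2)
    case "$v" in *1*) echo "Protocol allows SSHv1: $v"; bad=$((bad+1)) ;; esac
    v=$(sshd_setting "$cfg" Port 22)
    [ "$v" != 22 ] || { echo "Port is still 22"; bad=$((bad+1)); }
    # Default was "yes" before OpenSSH 7.0 and "prohibit-password" after; HCLOS wants "no".
    v=$(sshd_setting "$cfg" PermitRootLogin yes)
    [ "$v" = no ] || { echo "PermitRootLogin is '$v', expected no"; bad=$((bad+1)); }
    return "$bad"
}
```

On the host itself `sshd -T` prints the effective configuration after all includes and defaults, which is a better source than parsing the file; the parser above is for checking a config before it is deployed, together with `sshd -t -f <file>` for syntax. Changing the port hides the service from casual scans only; PSAD on slide 36 still sees the scan.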
30. 2. TCP WRAPPERS ACCESS CONTROL
Access control can be achieved with the help of TCP Wrappers.
TCP Wrappers: restricts access to services that are TCP Wrapper aware (linked against libwrap) or started through tcpd, using the rules in /etc/hosts.allow and /etc/hosts.deny.
31. 3. NETWORK PARAMETERS
Handling SYN floods: this helps by configuring
net.ipv4.tcp_max_syn_backlog = 4096
which enlarges the queue of half-open (SYN received, not yet acknowledged) connections, so that a burst of SYN packets does not push legitimate connection attempts out of the queue.
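The slide documents one parameter; the following added example (not an HCLOS file) writes it as a sysctl.d drop-in together with the standard companions that belong with it, which are this example's additions and are marked as such, and verifies a running system against the file. The "running" dump in the test is constructed; on a live host it would come from `sysctl -a`.

```bash
#!/usr/bin/env bash
# Network kernel parameters for SYN-flood handling. Added example; only the
# tcp_max_syn_backlog value is from the slide, the rest are companions added here.
# Install with:  write_sysctl_conf /etc/sysctl.d/60-hclos-net.conf && sysctl --system

# write_sysctl_conf <path>: write the drop-in file.
write_sysctl_conf() {
    cat > "$1" <<'EOF'
# SYN flood: larger half-open queue (slide value), SYN cookies when it overflows,
# fewer SYN-ACK retransmissions so half-open entries expire sooner
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 2
# drop source-routed packets (runtime form of the CONFIG_IP_NOSR kernel option)
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# reverse-path filtering and ICMP hygiene (smurf amplification)
net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
# log packets with impossible source addresses so iptables/PSAD logs see them
net.ipv4.conf.all.log_martians = 1
EOF
}

# sysctl_verify <conf> <running>
# Compares every key in <conf> with a "sysctl -a" style dump (key = value)
# and returns the number of mismatches. Live use:
#   sysctl -a 2>/dev/null > /tmp/running && sysctl_verify 60-hclos-net.conf /tmp/running
sysctl_verify() {
    local conf="$1" running="$2" key want have bad=0
    while IFS='=' read -r key want; do
        key=$(printf '%s' "$key" | tr -d ' '); want=$(printf '%s' "$want" | tr -d ' ')
        [ -z "$key" ] && continue
        have=$(awk -F'=' -v k="$key" '{gsub(/ /,"",$1)} $1==k {gsub(/ /,"",$2); print $2; exit}' "$running")
        if [ "$have" != "$want" ]; then
            echo "$key: running '${have:-unset}', want $want"; bad=$((bad+1))
        fi
    done <<EOF
$(grep -Ev '^[[:space:]]*(#|$)' "$conf")
EOF
    return "$bad"
}
```

The verify step matters because a drop-in is silently overridden by any later file in /etc/sysctl.d or by /etc/sysctl.conf, so the file being present does not prove the value is in effect.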
32. 4. LIMITING NETWORK SERVICES
This helps in configuring vulnerable network services.
hclosAdmTracker tools: these help in limiting dangerous network services that authenticate with passwords sent in clear text. Moreover, NFS will be stopped by this.
33. 5. IPTABLES FIREWALL
Pre-configured iptables rules give better packet handling and intrusion prevention; the following are implemented in HCLOS:
ALLOW SSH PACKETS: this rule comes first, to avoid locking the administrator out.
DROP NULL TCP PACKETS: TCP packets with no flags set are dropped.
LIMIT NEW TRAFFIC: limit connections for new traffic, giving protection against DoS attacks.
REJECT SYN FLOOD: limit bursts of new, possibly forged SYN packets.
REJECT ALL XMAS PACKETS: TCP packets with all flags set are dropped.
LIMIT SMURF PACKETS: ICMP bursts are limited.
LOG EVERYTHING: all dropped packets are logged.
34. EXAMPLE OF AN IPTABLES RULE IN HCLOS
This rule rate-limits NEW connections on port 80 to blunt denial-of-service attacks. On its own it only accepts: a following rule must drop the NEW packets on port 80 that exceed the limit, otherwise the excess is handled by whatever rule or chain policy comes next.
# iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
Let's break that rule down into intelligible chunks.
-p tcp --dport 80 => matches TCP traffic to port 80 (normally a web server such as Apache).
-m state --state NEW => the rule applies to NEW connections only.
-m limit --limit 50/minute --limit-burst 200 -j ACCEPT => this is the essence of limiting a DoS. In a nutshell, 200 new connections (packets, really) are allowed through before the limit of 50 NEW connections (packets) per minute is applied; the bucket then refills at 50 per minute.
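Slides 33 and 34 describe the ruleset one rule at a time; below is an added example script (not the HCLOS firewall file) that applies them in the order the slide requires. Assumptions: SSH on port 2222 (slide 29 says the default port is changed but not to what), the conntrack match in place of the older state match, and the SYN and ICMP rates, which the slides leave unspecified; the port-80 numbers are the slide's. With IPT=echo the script prints the rules instead of loading them, which is how the test inspects it.

```bash
#!/usr/bin/env bash
# HCLOS-style INPUT chain (slides 33-34). Added example, not the project's file.
# IPT=echo ./hclos-fw.sh   prints the rules instead of applying them.
# Assumed: SSH on 2222, HTTP on 80, IPv4 only (ip6tables needs its own rules).
IPT=${IPT:-iptables}
SSH_PORT=${SSH_PORT:-2222}

hclos_firewall() {
    $IPT -F INPUT
    $IPT -P INPUT DROP                                   # default deny
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # ALLOW SSH PACKETS first, so a later rule cannot lock the admin out
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
    # DROP NULL and XMAS scan packets
    $IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    $IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    # REJECT SYN FLOOD: SYNs above the rate are dropped, the rest continue down INPUT.
    # A user chain is used so that the limit never ACCEPTs anything by itself.
    $IPT -N SYNFLOOD 2>/dev/null || $IPT -F SYNFLOOD
    $IPT -A SYNFLOOD -m limit --limit 50/s --limit-burst 100 -j RETURN   # rate assumed
    $IPT -A SYNFLOOD -j DROP
    $IPT -A INPUT -p tcp --syn -j SYNFLOOD
    # LIMIT NEW TRAFFIC to the web port (slide 34): accept up to the limit, drop the rest
    $IPT -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW \
         -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j DROP
    # LIMIT SMURF / ICMP bursts (rate assumed)
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 4 -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -j DROP
    # LOG EVERYTHING that falls through, rate-limited so the log itself cannot be flooded
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "HCLOS-DROP: " --log-level 4
    $IPT -A INPUT -j DROP
}

hclos_firewall
```

The LOG rule is also what PSAD on slide 36 reads, so its prefix should stay stable. Rules loaded this way are gone after a reboot; persist them with iptables-save into whatever the distribution restores at boot (iptables-persistent on Ubuntu).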
35. 6. NETWORK VULNERABILITY SCANNERS
These scanning tools are pre-installed in HCLOS for reference.
Nikto: open source; it scans web servers for known vulnerable files, outdated server versions and misconfigurations.
Vega: helps in validating SQL injection, XSS, etc. in web applications.
36. 7. PORT SCAN ACTIVE DETECTION
PSAD: this module is a behavioural IDPS that creates iptables rules automatically by analysing the firewall's log messages.
Danger levels are configured for monitoring bursts of packets, according to which particular IPs are blocked. It detects aggressive Nmap scans and blacklists the source IP. It depends on the LOG rules of the firewall: PSAD only sees what iptables logs.
37. 8. ANONYMOUS BROWSING
For this purpose onion routing is used: Tor is pre-installed and configured in HCLOS.
Onion browsing: Tor is an overlay network of volunteer-run relays, not a peer-to-peer network. Traffic is encrypted in layers and passed through several relays, so that no single relay knows both the user and the server; this provides a sufficiently secure communication path and avoids any direct link with the server.
39. 1. BACKUP ENCRYPTION
Backing up and encrypting the backup is easy in HCLOS, as custom commands are built in.
Generation of RSA key pair: RSA keys are generated with OpenSSL.
Encryption script: the encryption command backs up the home directory and encrypts it.
Decryption script: this decrypts the home directory and replaces the original one when required.
[Figure: encryption script / decryption script]
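The slide names the pieces (RSA keys from OpenSSL, an encrypt script, a decrypt script) without showing them. The following is an added example, not the HCLOS scripts: because RSA cannot encrypt a tarball directly, it uses the hybrid form, a fresh random AES-256 key for the archive and the RSA public key to wrap that AES key, so the private key can stay off the machine and only its holder can restore. Key sizes, file names and the OAEP padding choice are this example's assumptions; the test builds a throw-away home directory.

```bash
#!/usr/bin/env bash
# Hybrid backup encryption with OpenSSL. Added example, not HCLOS code.
# Needs OpenSSL >= 1.1.1 (for -pbkdf2) and tar.
set -eo pipefail

# gen_keys <dir>: create backup.key (private, mode 0600) and backup.pub once.
# Keep backup.key off the backed-up machine; only backup.pub is needed to encrypt.
gen_keys() {
    ( umask 077
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -out "$1/backup.key" 2>/dev/null )
    openssl pkey -in "$1/backup.key" -pubout -out "$1/backup.pub" 2>/dev/null
}

# encrypt_backup <src_dir> <pubkey> <out_prefix>
# Writes <out>.tar.enc (tar stream, AES-256-CBC, key derived with PBKDF2 from a
# random 256-bit hex secret) and <out>.key.enc (that secret, RSA-OAEP encrypted).
encrypt_backup() {
    local src="$1" pub="$2" out="$3"
    # the secret is passed through the environment, not the command line,
    # so it does not show up in ps output
    HCLOS_BK_KEY=$(openssl rand -hex 32); export HCLOS_BK_KEY
    tar -C "$(dirname "$src")" -cf - "$(basename "$src")" \
      | openssl enc -aes-256-cbc -pbkdf2 -pass env:HCLOS_BK_KEY -out "$out.tar.enc"
    printf '%s' "$HCLOS_BK_KEY" \
      | openssl pkeyutl -encrypt -pubin -inkey "$pub" -pkeyopt rsa_padding_mode:oaep -out "$out.key.enc"
    unset HCLOS_BK_KEY
}

# decrypt_backup <out_prefix> <privkey> <dest_dir>: unwrap the secret, restore the tree.
decrypt_backup() {
    local out="$1" priv="$2" dest="$3"
    HCLOS_BK_KEY=$(openssl pkeyutl -decrypt -inkey "$priv" -pkeyopt rsa_padding_mode:oaep -in "$out.key.enc")
    export HCLOS_BK_KEY
    openssl enc -d -aes-256-cbc -pbkdf2 -pass env:HCLOS_BK_KEY -in "$out.tar.enc" | tar -C "$dest" -xf -
    unset HCLOS_BK_KEY
}
```

Usage on a host: `gen_keys /root/keys` once, `encrypt_backup /home/user /root/keys/backup.pub /backup/user-$(date +%F)` on schedule, and the restore from a machine holding backup.key. Note that AES-CBC gives confidentiality only; a tampered archive is detected by tar failing, not by the cipher, so keep a checksum or use an AEAD mode if integrity matters.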
40. 2. LOGSPOT TOOL
Logspot: this tool is a one-stop place for all logs to be monitored; users can easily manage their logs here. All logs are aggregated in this tool, as shown in the diagram.
43. SECURITY CHECKLIST EVALUATION
Every item of the checklist from slide 12 was implemented:
S. No. / Security Classification / Short Description / Tick
1  Boot Loader Security: additional layer of security for bootloader access, secure configuration of boot files, etc. DONE
2  Kernel Security: configure kernel compile-time parameters for security. DONE
3  Password Security and Encryption: ensuring password strength, password policies, pluggable USB authentication, restricting old or empty passwords, etc. DONE
4  File System Security: limiting the filesystem, umask configuration, administering the filesystem, minimisation of packages, etc. DONE
5  Network Security: packet sniffers, iptables firewalling, anti port scanning and maintaining anonymity. DONE
6  Security Preparedness: data backups, backup encryption, log monitoring tools, etc. DONE
7  Intrusion Detection: auditd and NIDS, etc. DONE
8  Cryptovirus Protection: Crypdef service. DONE
9  Other Necessary Security Elements: SELinux patches, TrueCrypt, Nmap and other tools. DONE
44. NETWORK SCANNING
Test machines (DHCP addresses):
1  Ubuntu 16.04 LTS           192.168.1.38
2  Mac OSX El Capitan v10.11  192.168.1.36
3  Windows 10                 192.168.1.41
4  HCLOS                      192.168.1.40
Nmap OS detection results (original system / fingerprint detected by Network Mapper / match percentage):
Ubuntu       Linux 2.6.17           100%
Windows 10   Microsoft Windows 8    93%
Mac OSX      Apple OSX 10.7-10      100%
HCLOS        Not identified         0%
These are the Network Mapper results, obtained with an intensive scan with OS detection. HCLOS was not guessed by Nmap.
45. NETWORK SCANNING
[Figure: iptables rules before the attack / iptables rules after the attack]
These results show PSAD in action, actively blocking the malicious IP.
46. AUDITING
The table below gives the summary of the audit reports.
Table 3. Comparison of Lynis audit report summary for HCLOS and Ubuntu
Audit Category      Ubuntu 16.04 Hardening Index   No. of Tests   HCLOS Hardening Index   No. of Tests
Accounting            6    14    94    18
Authentication       10    32    92    33
File Permissions      3    10    97    11
Logging              12    25    97    26
Kernel Hardening     26    11    78    12
Firewalling          15    14    95    11
Networking            1    19    95    20
Hardening             1    13    90    14
Average            9.25%, total tests = 138      92.25%, total tests = 145
This table shows the number of auditing tests performed and the index per category for HCLOS and Ubuntu; the same comparison is shown graphically on the next slide.
47. AUDITING
The result is presented graphically here:
[Figure: comparison of hardening between HCLOS and Ubuntu with the Lynis auditing index]
This gives a difference of approximately 83 points (92.25 against 9.25) in the average hardening index of the two systems, showing that HCLOS is considerably more hardened than a stock Ubuntu distribution.
48. DENIAL OF SERVICE ATTACK
To test and verify network hardening in HCLOS, we use the Apache benchmarking tool. 'ab' is a tool for benchmarking an Apache Hypertext Transfer Protocol (HTTP) server. It is designed to give an impression of how the current Apache installation performs, and in particular shows how many requests per second the installation is capable of serving. A DoS attack tool, by contrast, performs a denial-of-service attack by forging packets and continuously bombarding the specified host. The results are as follows:
1. Apache Benchmark Test
First case, without any rules (like stock Ubuntu):
# ab -n 100 -c 10 http://hclos_machine_server/
This is ApacheBench, Version 2.3 <$Revision: 655654 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking hclos_machine_server (be patient).....done
Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:      122  129   2.2    128   134
Processing:  1151 1182  19.1   1177  1260
Waiting:      125  132   8.2    128   170
Total:       1280 1310  19.3   1305  1390
Percentage of the requests served within a certain time (ms)
 50%  1305
 66%  1313
 75%  1316
 80%  1321
 90%  1328
 95%  1354
 98%  1386
 99%  1390
100%  1390 (longest request)
Results:
Requests per second: 7.59 [#/sec]
Total time for requests: 13 seconds
(Data) Transfer rate: 444.98 [Kbytes/sec]
Second case, with the iptables rules implemented:
Benchmarking hclos_machine_server.com (be patient)...
apr_poll: The timeout specified has expired (70007)
Total of 99 requests completed
The run ends with a timeout error after 99 of the 100 requests: the rate-limited rules at the HCLOS server end stopped this small DoS simulation from ApacheBench, whereas the unfiltered run completed all requests.
4.2.4 Cryptoviral Extortion Attack
This attack is mitigated by a custom detection and removal script written particularly for Linux.Encoder. Currently detection of Zepto and Locky based viruses is also supported.
[Figure captions: ab is the benchmarking framework used to bombard the HCLOS server with requests; the timeout message was received on our system.]
49. CRYPTOVIRAL EXTORTION ATTACK
We used Zepto and Locky samples to attack the system and were able to detect and mitigate the attacks.
50. LOGIN BYPASS ATTACK
Trying to bypass the login with the init=/bin/bash vulnerability failed, as an additional password was required in HCLOS. In Ubuntu, however, I succeeded.
51. COMPARATIVE ANALYSIS
This table shows a comparative analysis between the top ten most used operating systems on the market and our Hardened Customised Linux Operating System (HCLOS).
[Table: comparative analysis]
53. REFERENCES
[1] Chen, Haogang, et al. Linux kernel vulnerabilities: State-of-the-art defenses and open problems. Proceedings of the Second Asia-Pacific Workshop on Systems. ACM, 2011.
[2] N. Palix, G. Thomas, S. Saha, C. Calvès, J. Lawall, and G. Muller. Faults in Linux: Ten years later. In Proc. Int'l Conf. Architectural Support for Programming Languages and Operating Systems (ASPLOS), pages 305-318. ACM Press, 2011.
[3] Nimbalkar R., Patel P., Meshram. Advanced Linux Security. American Journal of Engineering Research (AJER), 2013.
[4] Younan Y. 25 Years of Vulnerabilities: 1988-2012. Sourcefire Corp., 2013.
[5] S. Niu, J. Mo, Z. Zhang, and Z. Lv. Overview of Linux Vulnerabilities. In 2nd International Conference on Soft Computing in Information Communication Technology. Atlantis Press, May 2014.
[6] P. E. McKenney and J. Walpole. Introducing technology into the Linux kernel: a case study. ACM SIGOPS Operating Systems Review, 42(5):4-17, 2008.
[7] N. Elhage. CVE-2010-4258: Turning denial-of-service into privilege escalation. http://blog.nelhage.com/2010/12/cve-2010-4258-from-dos-to-privesc/, 2010.
[8] S. A. Mokhov, M.-A. Laverdiere, and D. Benredjem. Taxonomy of Linux kernel vulnerability solutions. Innovative Techniques in Instruction Technology, E-learning, E-assessment, and Education, 2008.
[9] Cisco 2014 Annual Security Report. Cisco, 2014.
[10] Linux. http://en.wikipedia.org/wiki/Linux.
[11] Lyon, Gordon Fyodor. Nmap network scanning: The official Nmap project guide to network discovery and security scanning. Insecure, 2009.
[12] Jung, Sung-Jae, and Kyung Sung. "A Study on the Iptables Ruleset Against DoS Attacks." The Journal of Advanced Navigation Technology 19.3 (2015): 257-263.
[13] Lynis auditing framework. https://cisofy.com/lynis/
[14] Nmap Network Mapper. https://nmap.org/
[15] Wadhwa V., Nagpal B. Chapter 34. Cryptoviral Extortion: Evolution, Scenarios and Analysis. In: Proceedings of the International Conference on Signal, Networks, Computing, and Systems: Volume 2, Springer India, 2016.
[16] Linux Security Checklist, SANS Institute. https://www.sans.org/media/score/checklists/linuxchecklist.pdf