
unix_security - Day 4

Goals

In this session you will:
  • consider NFS insecurities
  • use port scanners
  • use Intrusion Detection Systems
  • use an integrity checker

POST

  • instead of "web of trust", how is a secure webserver's key trusted? (what is the mechanism or technique)
  • use ssh to connect to emperor instead of telnet
  • on what ports is emperor currently listening? Which ones might be closed without causing problems?

port scanners

Download and install a port scanner on your account (strobe)

IDS

  • de facto standard is snort
  • the location of the sniffer on the network: DMZ or firewalled; honeypot
  • stealthing the IDS: cables, no IP, on a box
  • configuration of the device into promiscuous mode

integrity checking with tripwire

  • installs a db of file/dir properties
  • start with a known-good install
  • both tripwire and the database should be on a Read-Only filesystem
  • the properties it records are selected per file with these flags:

    p   permission and file mode bits
    i   inode number
    n   number of links (i.e., inode reference count)
    u   user id of owner
    g   group id of owner
    s   size of file
    a   access timestamp
    m   modification timestamp
    c   inode creation/modification timestamp
    0   signature 0 - null signature
    1   signature 1 - MD5, the RSA Data Security, Inc. Message Digesting Algorithm
    etc.
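As an added illustration (not code from the course or from tripwire itself), a minimal integrity checker that records the properties keyed by the flag letters above, builds a baseline database of a directory tree, and reports what was added, removed or changed on a later run. The flag letters, the relative-path keys and the default of ignoring access time are assumptions of this example.

```python
import hashlib
import os
import stat

# Property letters follow the tripwire selection flags listed above
# (p i n u g s a m c and signature 1 = MD5).
def snapshot(path):
    """Collect the tripwire-style properties of one file or directory."""
    st = os.lstat(path)
    props = {
        "p": stat.S_IMODE(st.st_mode),          # permission and mode bits
        "i": st.st_ino,                         # inode number
        "n": st.st_nlink,                       # link count
        "u": st.st_uid, "g": st.st_gid,         # owner uid and gid
        "s": st.st_size,                        # size in bytes
        "a": int(st.st_atime),                  # access timestamp
        "m": int(st.st_mtime),                  # modification timestamp
        "c": int(st.st_ctime),                  # inode change timestamp
    }
    if stat.S_ISREG(st.st_mode):                # signature 1: MD5 of contents
        with open(path, "rb") as fh:
            props["1"] = hashlib.md5(fh.read()).hexdigest()
    return props

def build_db(root):
    """Baseline database: properties of every entry under root, keyed by
    path relative to root (this is what belongs on read-only media)."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = snapshot(full)
    return db

def compare(baseline, current, ignore=frozenset("a")):
    """Report added, removed and changed entries. Flags in `ignore` are not
    compared; access time is skipped by default because merely reading a
    file (which the checker itself does) updates it."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for path in sorted(set(baseline) & set(current)):
        old, new = baseline[path], current[path]
        diffs = [k for k in sorted(set(old) | set(new))
                 if k not in ignore and old.get(k) != new.get(k)]
        if diffs:
            changed[path] = diffs
    return {"added": added, "removed": removed, "changed": changed}
```

Take the baseline from a known-good install and store it (and the checker) where a later intruder cannot rewrite it, otherwise a comparison only proves the tree matches whatever the attacker left in the database.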

slowing viral threats

Viruses infect existing files, like biological viruses do. Viruses usually carry a destructive payload.
  1. be root only when necessary
  2. keep your distribution up to date (check that digital sig!)
  3. "roll your own" from trusted sources (check that digital sig!) rather than using binaries
  4. restrict access to the c compiler to a trusted group
  5. keep . and other wacky dirs out of your PATH, particularly as root
  6. lock down permissions in binary and personal directories to keep others from writing

slowing worm threats

Worms travel from box to box but usually carry no payload beyond self-replication. Shut down unneeded services. Worms are frequently proof-of-concept exercises.

slowing rabbit/bacteria threats

Bacteria/rabbits overmultiply to cause resource starvation; use shell wrappers to limit memory and inode usage.

trojan threats

Trojans are files that appear to be harmless or orthodox but deliver a payload; only run trusted binaries, and keep . out of your PATH.

homebuilt security

  • suid/sgid: nice find / -type f \( -perm -4000 -o -perm -2000 \) (the parentheses are needed so that -type f applies to both tests). Related: nosuid mount option
  • 777: nice find / -perm -000777 -type f
  • files with no owner: nice find / -nouser
  • files with a specific owner: nice find / -user username
  • tailing logs
  • watching for timebombs in crontabs and atq

Network File System

  • security is similar to the rlogin model: user, host
  • standard filesystem sharing for unix boxes (cf. SMB for windows)
  • mount remote filesystems as if they were local (everything in unix is a file!)
  • for intranet use only
  • often used with NIS, for reasons to be seen in a moment
  • on the NFS server: mountd, nfsd, lockd, statd. Exports are configured with share on Solaris and /etc/exports on free unixes.
  • on the NFS client: mount
  • querying NFS servers: showmount -e [hostname]
  • security considerations
    • share only across a protected network
    • group shared dirs under a known point (/export ?)
    • share only directories that provide value
    • give read-only access where possible
    • give access only to known hosts
    • give access only to known users
    • use automount to reduce resource consumption
    • realize that a mountpoint hides local information under the mountpoint

Conclusion

Where to go from here

  • other coursework
  • outside work


http://www.mousetrap.net/syllabus/unix_security/day4.html
$Id: day4.orb,v 1.6 2002/04/10 00:00:38 mouse Exp $

Remember, your login is based on your machine's hostname, not on any other number.
~/[initials] refers to the subdirectory under your homedir, named after your initials. Everything except for .dotfiles will be stored in your ~/[initials] directory.


© 1995-2001 jason carr
Distributed under the terms of the GNU Free Documentation License.