# Securing and Auditing Unix

## 1. Securing and Auditing Unix

Examples tested on a Red Hat Linux 6.1 (Hedwig) build

Secure System Administration - SANS GIAC © 2000, 2001

Welcome to Unix and Linux. Security for these operating systems is a complete paradigm shift from Windows. Unix has been around a lot longer. The source code for Linux is freely available, so would-be attackers are free to examine it and test it for holes such as buffer overflows and deadlock conditions.

Linux is different than Unix. Has the source code been available for Unix? Certainly: you used to be able to license source for both the ATT and BSD versions of Unix. It is rumored the Sun source code was stolen once via a workstation with a modem connection. This means that we are dealing with a lot more "knowns" than with Windows. Well, at least that was true until October 2000, when critical Microsoft source code was stolen. From now on the rules of the game are "who knows the most wins".

Let's start our discussion with the notion of a firm foundation. Nothing is certain, but if we can start with a clean build we have a better chance of ending up with a secure system.
## 9. Auditing

- History files
- Several Unix systems such as Solaris have additional logging that can be turned on
- Host based intrusion detection system vendors may have logging agents available

For either of these to be successful they would have to be implemented well before the incident.

The history command performs one of several operations related to recently-executed commands recorded in a history list. Each of these recorded commands is referred to as an "event". It is amazing how many attackers have left the history files intact. A shell with history should always be the default for the user root. Try the following commands to see if you have a .history (this is pronounced "dot history"):

```
cd
ls -la .history
```

The user root sometimes has a .history file. Try:

```
cd /          # you may need to type cd /root
ls -la .history
```

Some Unix systems have additional auditing and logging features that can be enabled. Note that every choice has a cost - turning on a lot of auditing can eat up disk space and cause degradation in system performance. On the other hand, a root level compromise may not be a lot of fun to try to recover from with no indication as to what happened. In addition, there are host based intrusion detection systems that can record information as well. As the slide says, these features must be implemented before the incident to be effective.
## 11. Bring Your Own Tools

- Mounting a floppy drive
  - You can have common binaries as discussed in this section on the floppy

    ```
    # mount /dev/fd0 -t vfat /mnt/floppy
    ```

- Set path or explicitly execute all binaries

    ```
    # PATH=/mnt/floppy:$PATH    (the slide shows "$PATH=..."; the leading $ is a typo and the shell would reject it)
    # set                       (to check)
    ```

Because attackers have access to source code, they can easily build tools that act like the real tools, but have slight differences that help the attackers. This means we need to keep a copy of known good binaries on removable media. I prefer to burn CD-ROMs. Burners are cheap and available and CDs are less than a dollar.

In the example below, we mount a floppy disk with a set of binaries. Then we look at them with the ls command. Next we execute them to ensure they are working. See the notes for details of the commands we'll need.

```
[root@sleuth /root]# mount /dev/fd0 -t vfat /mnt/floppy
[root@sleuth /root]# ls /mnt/floppy
cp  egrep  kill  ls  mount  mv  netstat  ps
[root@sleuth /root]# cd /mnt/floppy
[root@sleuth floppy]# ./ls
cp  egrep  kill  ls  mount  mv  netstat  ps
```

For CDs try /mnt/cdrom!
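The slide says to bring known-good binaries and run them by explicit path; the natural next step is to use those trusted copies to check whether the binaries on the live system have been replaced. The script below is an added example, not part of the SANS notes. It assumes the media is mounted read-only at a path such as /mnt/floppy or /mnt/cdrom and carries the binaries listed on the slide, plus (ideally) cmp so the comparison itself does not depend on a system binary.

```shell
#!/bin/sh
# Added example (not from the SANS slides): compare the live system's binaries
# against known-good copies on removable media. Every command is invoked by
# explicit path so a trojaned copy found via $PATH is never executed.

# mount_trusted DEVICE MOUNTPOINT
# Mount the media read-only so nothing on it can be altered while in use.
# Assumption: /bin/mount on the live system is still trustworthy enough to
# get the media mounted; after that, use the mount binary from the media.
mount_trusted() {
    /bin/mount -o ro -t vfat "$1" "$2"
}

# check_binaries TRUSTED SYSDIR
# For every file on the trusted media, compare it byte for byte with the
# same-named file in SYSDIR (e.g. /bin). Prints "ok NAME", "MODIFIED NAME"
# or "MISSING NAME" per binary and returns the number of modified or
# missing binaries, so a non-zero status means "investigate".
check_binaries() {
    trusted="$1"; sysdir="$2"; bad=0
    # Prefer the cmp shipped on the trusted media; fall back to the
    # system's cmp only if the media was built without one (assumption).
    cmp_bin="$trusted/cmp"
    [ -x "$cmp_bin" ] || cmp_bin=cmp
    for f in "$trusted"/*; do
        [ -f "$f" ] || continue
        name="${f##*/}"          # shell expansion: no external basename needed
        if [ ! -f "$sysdir/$name" ]; then
            echo "MISSING $name"; bad=$((bad + 1))
        elif "$cmp_bin" -s "$f" "$sysdir/$name"; then
            echo "ok $name"
        else
            echo "MODIFIED $name"; bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Typical use on the system from the slide (commented out so the file can be
# sourced safely):
#   mount_trusted /dev/fd0 /mnt/floppy
#   check_binaries /mnt/floppy /bin || echo "binaries differ from trusted copies"
```

A byte-for-byte match against the media only proves the on-disk file is unchanged; a kernel module or a modified dynamic loader can still lie to a clean ls or ps, so treat a clean result as one piece of evidence, not proof.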