Transcript Chapter 10
Linux Networking and
Security
Chapter 10
File Security
Correctly set up special Linux file permissions
Monitor log files to check suspicious system activity
Automate checks for file integrity and unauthorized
modifications
Reviewing Linux File Permissions
Unauthorized users may want to:
view files to access or to see how security settings are
configured
delete data to make it unavailable, disrupt business plans, or
corrupt system configurations
modify existing files or create new files, either to corrupt data, to
cover signs of their activity, or to alter security settings for their
continued purposes
The first line of defense is careful use of Linux file
permissions
Reviewing Linux File Permissions
For any file or directory, standard Linux file permissions
are:
read (represented by r)
write (represented by w)
execute (represented by x)
Each can be assigned to:
the owner of a file or directory (u, for user)
a group defined in /etc/group (g)
all other users, those who are neither the owner nor members of
the file's group (o)
Reviewing Linux File Permissions
Several Linux distributions use a technique called User
Private Groups (UPG) to enhance file-based security
Because every file and directory is assigned both a
user and a group, each with separate permissions, it is
safer to give each user a group with that user as its only
member and make it the default (primary) group for all
files that user creates; nothing is then shared through the
group bits by accident
Reviewing Linux File Permissions
Other group-related techniques to help manage file
security
When SGID is set on a directory, any file created within that
directory is assigned the group of the directory rather than the
primary group of the user who created it, which is how a shared
project directory works alongside User Private Groups
Members of a group can be denied access: the kernel consults only
one class of bits (owner, else group, else other), so a file whose
group bits are more restrictive than its other bits is accessible to
every authorized user except members of that particular group
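The two points above, as an added example (not from the chapter): a small shell function that applies the permission bits in the same order the kernel does, so the "deny a group" case can be tried without creating users, followed by an SGID shared directory. The function name, its argument layout and the uid/gid values are assumptions chosen for illustration; it assumes a POSIX shell with GNU or BusyBox stat.

```shell
#!/bin/sh
# Added example: Linux permission ordering and an SGID directory. Not code
# from the chapter; access_check and its arguments are illustrative choices.

# access_check UBITS GBITS OBITS OWNER_UID OWNER_GID UID "GIDS" OP
#   UBITS GBITS OBITS : the three octal digits of the mode, e.g. 6 0 4 for 0604
#   GIDS              : the caller's primary + supplementary gids, space-separated
#   OP                : r, w or x
# Prints "allow"/"deny" and which permission class decided it. Mirrors the
# order used for regular files: owner bits if the uid matches, otherwise group
# bits if ANY of the caller's groups matches, otherwise other bits. Only one
# class is consulted, which is why a group can get LESS access than "other".
access_check() {
    ubits=$1 gbits=$2 obits=$3 owner_uid=$4 owner_gid=$5 uid=$6 gids=$7 op=$8
    case $op in
        r) want=4 ;; w) want=2 ;; x) want=1 ;;
        *) echo "usage: access_check U G O OWNER_UID OWNER_GID UID GIDS r|w|x"; return 2 ;;
    esac
    # root (CAP_DAC_OVERRIDE) bypasses r/w checks; execute still needs some x bit set
    if [ "$uid" -eq 0 ]; then
        if [ "$op" != x ] || [ $(( (ubits | gbits | obits) & 1 )) -ne 0 ]; then
            echo "allow (root override)"
            return 0
        fi
    fi
    bits=$obits class=other
    if [ "$uid" -eq "$owner_uid" ]; then
        bits=$ubits class=owner
    else
        for g in $gids; do
            if [ "$g" -eq "$owner_gid" ]; then bits=$gbits class=group; break; fi
        done
    fi
    if [ $(( bits & want )) -ne 0 ]; then
        echo "allow ($class bits)"
    else
        echo "deny ($class bits)"
    fi
}

# make_shared_dir DIR GID: a group-shared directory. With SGID on the directory,
# files created inside get the directory's group instead of the creator's
# primary group, so User Private Groups do not get in the way of collaboration.
# Prints the mode string; the 's' in the group triple is the SGID bit.
make_shared_dir() {
    mkdir -p "$1" && chgrp "$2" "$1" && chmod 2770 "$1" || return 1
    stat -c '%A' "$1"
}

# --- demo ---------------------------------------------------------------
# 0604 owned by uid 1000 / gid 500: readable by everyone EXCEPT members of 500.
access_check 6 0 4 1000 500 1001 "500 100" r    # deny (group bits)
access_check 6 0 4 1000 500 1002 "100" r        # allow (other bits)
access_check 6 0 0 1000 500 0 "0" x             # deny (other bits): even root needs an x bit
tmp=$(mktemp -d)
make_shared_dir "$tmp/project" "$(id -g)"        # drwxrws---
touch "$tmp/project/notes"
stat -c '%n gid=%g' "$tmp/project/notes" "$tmp/project"   # same gid on both
rm -rf "$tmp"
```

The first call is the counter-intuitive one: uid 1001 belongs to group 500, so the group triple (---) is the only one consulted and the read is refused, while uid 1002, who is in no special group, reads the file through the other bits.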
Using the System Log for Security
Checks
System log files may reveal security problems
These files record the activity of programs such as login,
FTP, email servers and many others
System log files are usually stored under /var/log; the general system log is traditionally /var/log/messages (/var/log/syslog on Debian-derived systems, or the journal on systemd systems)
A number of utilities can help watch for log messages
that indicate potential security violations
Using the System Log for Security
Checks
Log files require regular attention because they can
become very large
The logrotate command automates compressing and
archiving log files so that the logs don't grow
unreasonably large and so that older log data can be
stored in another location
logrotate is executed through the cron job entry stored in
/etc/cron.daily and is configured by /etc/logrotate.conf
(plus the per-package snippets in /etc/logrotate.d)
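An added example of the configuration described above (not from the chapter): a logrotate stanza with the settings that matter for security, written by a shell function so the same stanza can be generated for a test tree, and a dry run with logrotate -d. The log directory, archive directory, owner and group are parameters; the directive names are standard logrotate syntax, and the function names are assumptions made here.

```shell
#!/bin/sh
# Added example: a logrotate stanza for the system logs plus a dry run.
# write_logrotate_conf and logrotate_dry_run are illustrative names.

# write_logrotate_conf OUTFILE LOGDIR ARCHIVEDIR OWNER GROUP
write_logrotate_conf() {
    cat > "$1" <<EOF
# Logs are full of usernames, hostnames and mistyped passwords. A rotated
# copy keeps the mode of the original, and the new empty file is created by
# logrotate, so "create" decides who can read tomorrow's log.
$2/messages $2/secure {
    weekly
    rotate 8
    missingok
    notifempty
    compress
    # keep the newest archive uncompressed for one cycle: the daemon may
    # still hold it open and write a few more lines
    delaycompress
    # date-stamped names (messages-20240303.gz) instead of .1 .2 .3
    dateext
    # archives live outside the live log directory
    olddir $3
    # the replacement log must not be world-readable
    create 0640 $4 $5
    sharedscripts
    postrotate
        # make the syslog daemon reopen its files, or it keeps writing to the
        # renamed (soon compressed) file and the new one stays empty
        /bin/kill -HUP \$(cat /var/run/syslogd.pid 2>/dev/null) 2>/dev/null || true
    endscript
}
EOF
}

# logrotate_dry_run CONF: parse and simulate without touching anything (-d).
# Says so and returns 0 if logrotate is not installed on this machine.
logrotate_dry_run() {
    if ! command -v logrotate >/dev/null 2>&1; then
        echo "logrotate not installed, skipping dry run"
        return 0
    fi
    state=$(mktemp)
    logrotate -d -s "$state" "$1"
    rc=$?
    rm -f "$state"
    return $rc
}

# --- demo ---------------------------------------------------------------
conf=$(mktemp)
write_logrotate_conf "$conf" /var/log /var/log/archive root adm
cat "$conf"
logrotate_dry_run "$conf" || echo "dry run reported a problem (see above)"
rm -f "$conf"
```

Two directives carry the security weight: create 0640 with a dedicated log-reader group (adm on Debian-derived systems) instead of the default 0644, and the postrotate HUP, without which the daemon keeps logging to the file that is about to be compressed and the new file stays empty.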
Using the System Log for Security
Checks
The programs running on a Linux system are constantly
adding to their corresponding log files, and this
information needs to be tracked
The logfile information can be viewed by:
opening the log file in a text editor
using the grep or the tail commands
If running Linux with a graphical desktop, use the
xlogmaster program to view system resources, including
the system log file
Using the System Log for Security
Checks
The logcheck package does much more than display log
entries - it checks them hourly for suspicious entries and
if found, they are emailed to the root user
The logcheck package is not installed by default on most
Linux distributions, but several of them package it and it
can also be obtained from Internet download sites
The commercial version of logcheck is called LogSentry
offered by Psionic Technologies
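An added example for the two log-review slides above (not the chapter's own code, and not logcheck's): the grep/tail review of sshd failures made repeatable with awk, and logcheck's filtering model in one command. The log lines are constructed to look like sshd, sudo and cron entries in /var/log/auth.log or /var/log/secure; they are not real traffic, and the ignore patterns are written here, not taken from logcheck's rule files.

```shell
#!/bin/sh
# Added example: detection logic over constructed auth-log lines.
# sample_log, ssh_failure_report and logcheck_filter are illustrative names.

# Constructed sample; not real traffic. The first source guesses root's
# password on the fifth try. The second is a legitimate user with one typo.
sample_log() {
    cat <<'EOF'
Mar  3 10:15:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar  3 10:15:03 web1 sshd[2203]: Failed password for root from 203.0.113.7 port 50124 ssh2
Mar  3 10:15:05 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 50126 ssh2
Mar  3 10:15:09 web1 sshd[2207]: Failed password for root from 203.0.113.7 port 50128 ssh2
Mar  3 10:15:12 web1 sshd[2209]: Accepted password for root from 203.0.113.7 port 50131 ssh2
Mar  3 10:15:40 web1 sshd[2212]: Failed password for bob from 198.51.100.4 port 40001 ssh2
Mar  3 10:16:00 web1 sshd[2215]: Accepted publickey for bob from 198.51.100.4 port 40002 ssh2
Mar  3 10:16:30 web1 sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/vi /etc/passwd
Mar  3 10:17:01 web1 CRON[3000]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 10:17:02 web1 systemd[1]: Started Session 12 of user bob.
EOF
}

# ssh_failure_report LOGFILE THRESHOLD
# Counts "Failed password" per source address and flags sources at or above
# THRESHOLD (BURST). The line to act on is GUESSED: a flagged source that then
# got "Accepted", i.e. the password was found. grep | sort | uniq -c gives the
# counts but not the failed-then-succeeded correlation.
ssh_failure_report() {
    awk -v thr="$2" '
        function field_after(word,    i) {
            for (i = 1; i < NF; i++) if ($i == word) return $(i + 1)
            return ""
        }
        /sshd\[[0-9]+\]: Failed password for / { fail[field_after("from")]++ }
        /sshd\[[0-9]+\]: Accepted / {
            ip = field_after("from")
            if (fail[ip] >= thr) guessed[ip] = field_after("for") " after " fail[ip] " failures"
        }
        END {
            for (ip in fail) if (fail[ip] >= thr) print "BURST " ip " failures=" fail[ip]
            for (ip in guessed) print "GUESSED " ip " accepted " guessed[ip]
        }
    ' "$1" | LC_ALL=C sort
}

# logcheck_filter LOGFILE: logcheck's model in one command. Everything that
# does NOT match a known-benign pattern is reported, so unknown activity
# surfaces by default. Patterns are anchored on the full message so a near
# miss (e.g. an extra argument to run-parts) is still reported.
logcheck_filter() {
    ignore=$(mktemp)
    cat > "$ignore" <<'EOF'
CRON\[[0-9]+\]: \(root\) CMD \(run-parts /etc/cron\.(hourly|daily|weekly)\)$
systemd\[[0-9]+\]: (Started|Stopped) Session [0-9]+ of user [a-z0-9_]+\.$
sshd\[[0-9]+\]: Accepted publickey for [a-z0-9_]+ from [0-9.]+ port [0-9]+ ssh2$
EOF
    grep -v -E -f "$ignore" "$1"
    rm -f "$ignore"
}

# --- demo ---------------------------------------------------------------
log=$(mktemp)
sample_log > "$log"
echo "== failure bursts and guessed passwords (threshold 3)"
ssh_failure_report "$log" 3
echo "== lines logcheck would mail to root"
logcheck_filter "$log"
rm -f "$log"
```

With a threshold of 3 the report contains two lines, BURST 203.0.113.7 failures=4 and GUESSED 203.0.113.7 accepted root after 4 failures, while bob's single typo stays below the threshold. The filter passes seven of the ten lines through, including the sudo edit of /etc/passwd, which no keyword search for "Failed" would have shown.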
Maintaining File Integrity
It is necessary to keep track of the state of important
system files and watch for unexpected changes, because a
cracker who gains access may leave nothing in the system
log that indicates a problem
Once a cracker has obtained root access, a way to
maintain that access is to use a rootkit, a collection of
programs and scripts designed to permit continued
access, even if the original break-in is discovered
Maintaining File Integrity
The chkrootkit package is used to check the system for
evidence of a rootkit
This package includes a script that works much like a
virus checker, and though it can report the presence of a
rootkit, it cannot eliminate it from the system
chkrootkit checks login-related binaries and other system
utilities for known modifications, and looks for signs of
malicious loadable kernel modules (LKMs), which give an
intruder complete and well-hidden control of the system
Maintaining File Integrity
If a rootkit is discovered on the system:
If possible, shut down networking on the server until the problem
is cleaned up
Back up the entire system, including all of the operating system
files and all data files; this data can be reviewed later to assist in
tracking down the cracker
Rebuild the system, either by updating the infected packages, or
by reinstalling the entire operating system
Maintaining File Integrity
A broader, more continuous approach to file security than
checking for rootkits is to watch the integrity of files on
the system
Tripwire is the best known integrity checker
Tripwire is available in a free version included with many
Linux distributions and a commercial version is available
from Tripwire, Incorporated
Maintaining File Integrity
To use Tripwire, start with a freshly installed system
before it is connected to any networks
Tripwire creates a baseline, or snapshot, of the critical
system files according to a policy that is configured by
the system administrator
Once the baseline is established, Tripwire is run at
regular intervals to see whether the state of the system
has changed
Tripwire configuration files are protected by a
cryptographic signature
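The baseline-then-compare cycle above, as an added example that is neither Tripwire's nor Samhain's code: a snapshot of content hash, mode, owner and size for every file under a directory, and a comparison that reports added, removed and modified files. It assumes GNU or BusyBox sha256sum and stat; the function names and the throwaway tree in the demo are constructed here. A real checker also records inode, timestamps and link targets and signs the baseline, which is why Tripwire's files carry a signature; here the baseline simply has to be kept where an intruder cannot rewrite it.

```shell
#!/bin/sh
# Added example: a minimal file-integrity baseline and check.
# integrity_baseline and integrity_check are illustrative names.

# integrity_baseline DIR OUTFILE
# One line per regular file: sha256, mode:uid:gid:size, path. Sorted so two
# baselines of the same tree are byte-identical.
integrity_baseline() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s %s\n' "$(sha256sum < "$f" | cut -d' ' -f1)" \
                            "$(stat -c '%a:%u:%g:%s' "$f")" "$f"
    done > "$2"
}

# integrity_check DIR BASELINE
# Rebuilds the snapshot and prints one line per difference: ADDED, REMOVED or
# MODIFIED (content OR mode/owner/size changed, so a binary with the same
# bytes but a new setuid bit is still MODIFIED). Prints nothing when clean.
integrity_check() {
    cur=$(mktemp)
    integrity_baseline "$1" "$cur"
    awk '
        # path is everything after the first two fields (paths may contain spaces)
        { p = substr($0, length($1) + length($2) + 3); v = $1 " " $2 }
        FILENAME == ARGV[1] { base[p] = v; next }
        { seen[p] = 1
          if (!(p in base))       print "ADDED " p
          else if (base[p] != v)  print "MODIFIED " p }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$2" "$cur" | LC_ALL=C sort
    rm -f "$cur"
}

# --- demo on a throwaway tree (constructed, stands in for / on a fresh install)
root=$(mktemp -d)
mkdir -p "$root/bin" "$root/etc"
printf 'root:x:0:0:root:/root:/bin/sh\n' > "$root/etc/passwd"
printf '#!/bin/sh\nexec /bin/ls "$@"\n' > "$root/bin/ls"
chmod 755 "$root/bin/ls"
integrity_baseline "$root" "$root.baseline"           # taken before going on the network
printf 'bd:x:0:0::/:/bin/sh\n' >> "$root/etc/passwd"  # a second uid-0 account appears
chmod 4755 "$root/bin/ls"                             # same bytes, new setuid bit
printf 'x\n' > "$root/bin/.rk"                        # a dropped file
integrity_check "$root" "$root.baseline"
rm -rf "$root" "$root.baseline"
```

The demo prints ADDED for bin/.rk and MODIFIED for both bin/ls and etc/passwd; the ls change is caught purely through the mode field, which a hash-only comparison would miss.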
Maintaining File Integrity
Another file integrity checker is Samhain and some of its
key features are:
Runs as a daemon instead of a cron job
Can detect kernel modules that were loaded as part of a rootkit
Can operate in a client/server environment
Report and audit logs are supported
Database and configuration files are signed
Runs on a number of UNIX and Linux platforms
HTML status pages show information about any client system
being monitored
Maintaining File Integrity
For more tools regarding file integrity, consider installing
the binutils package
binutils includes more than a dozen utilities useful for
exploring the contents of files
objdump displays the headers, section contents (as a hex dump) and
disassembly of executables, object files and shared libraries
strings lists the printable character sequences (four or more
characters by default) within any binary file, including
system utilities and shared libraries
Chapter Summary
Crackers who break into a system typically want to view or
modify the files on that system, either for their own direct use or
to cause problems for the organization running the server
Standard Linux file permissions do not allow such fine-grained
control as some other operating systems because they only permit
assigning rights to a file's owner, a single group, and to all other
users (POSIX ACLs, where the filesystem supports them, add entries
for further users and groups)
User Private Groups enhance security by creating a group for
each new user account; when that user creates files, no other
group member will have access to them
Chapter Summary
Using file permissions can create unexpected results unless you
are familiar with their exact consequences
Log files are important to system security because they may
contain evidence of crackers attempting to break into a system
or of actions by programs running on the system that indicate
security issues
Rotating logs keeps them a manageable size and permits easy
backup by breaking log entries into groups by date
Running the logrotate command as a cron job makes automated
log rotation easy
Chapter Summary
System services are continually adding lines to the log files and
they are often reviewed using the grep search utility or the tail
program
The xlogmaster program displays log file and other system data
in a graphical window
The logcheck utility package watches log files for specific words
and phrases that may indicate an attempted security breach or a
successful one
The commercial version of logcheck is called LogSentry and is
available from Psionic Technologies
Chapter Summary
Crackers hide their activities by replacing system utilities with
new versions designed to ignore special cracker-related files, or
to prevent reporting the cracker's processes and network
connections
A rootkit helps a cracker easily install a number of programs on
a compromised system that permit continued root access; the
chkrootkit package can detect many of these, much like a virus
checker
Linux rootkits often include loadable kernel modules (LKMs) that
are particularly useful for crackers and difficult to detect without
the proper software
Chapter Summary
To remove a rootkit, you can reinstall affected programs, or you
may choose to reinstall the entire operating system
A simple step to protect a system from further damage by
rootkits is to store statically linked copies of core utilities on
diskette or CD-ROM to use when examining a system that has a
suspected rootkit
Regularly checking the integrity of system utilities and
configuration files will help you identify changes made by
unauthorized users; Tripwire is the most widely used utility for
checking the integrity of files and directories
Chapter Summary
To use Tripwire, you set up a policy and configuration text files,
generate policy and configuration binary files with cryptographic
signatures, then establish a baseline snapshot of the system;
comparison snapshots are made at regular intervals to
determine unexpected system alterations
Tripwire utilities such as twprint and twadmin let you maintain
up-to-date policy files and manage the Tripwire reports
Chapter Summary
Another impressive file integrity-checking package is Samhain;
this package provides a client/server model to allow
maintenance of multiple servers from a central location, plus it
runs continually rather than occasionally, as Tripwire does
The binutils package includes several useful utilities for
exploring Linux files; the strings command is one example and it
displays all text strings stored in any binary file