Title: Securing/Hardening UNIX
1Securing/Hardening UNIX
2Hardening Solaris
- Session objective This section is to show
what and how to harden a Unix Platform - with a
strong emphasis on what a hacker will do to you
if you forget - What is hardening?
- Making secure by improving file permissions,
removing unnecessary services and patching the
system
3Recap on Unix Security
- Authorisation is by User and Group
- User / uid obtained at login from /etc/passwd
- Password stored in /etc/shadow
- Group / Gid is stored in /etc/group
- ? AIX - /etc/security/user
- - /etc/security/passwd
- ? HPUX -/tcb/auth
4/etc/passwd
more passwd rootx01Super-User//sbin/sh dae
monx11/ binx22/usr/bin sysx33/ a
dmx44Admin/var/adm lpx718Line Printer
Admin/usr/spool/lp smtpx00Mail Daemon
User/ uucpx55uucp Admin/usr/lib/uucp nuucp
x99uucp Admin/var/spool/uucppublic/usr/lib/u
ucp/uucico listenx374Network
Admin/usr/net/nls nobodyx6000160001Nobody/
noaccessx6000260002No Access
User/ nobody4x6553465534SunOS 4.x
Nobody/ wwwx2000200WWW User/export/home/www
/bin/sh
5/etc/group
cat group root0root other1 bin2root,bin
,daemon sys3root,bin,sys,adm adm4root,adm,da
emon uucp5root,uucp mail6root tty7root,tt
y,adm lp8root,lp,adm nuucp9root,nuucp staff
10 daemon12root,daemon sysadmin14 nobody
60001 noaccess60002 nogroup65534 www200r
oot
6/etc/shadow
cat shadow rootJipOt8gyLGBHw10569 daem
onNP6445 binNP6445 sysNP6445
admNP6445 lpNP6445 smtpNP6445
uucpNP6445 nuucpNP6445 list
enLK nobodyNP6445 noaccessNP64
45 nobody4NP6445
7File permissions
- rwx-rwx-rwx
- Owner-group-everyone else
8Outline
- Patching
- Service removal
- Security settings
- Default permissions
- File permissions
- ASET
- Tripwire
- Commercial Applications
9Patching
- Why? to remove security bugs
- Two tools built in to manage patches
- patchadd to install directory format patches to a
Solaris system - patchrm to remove patches on a solaris system
10Patching
- Some useful commands to manage patches
- showrev p shows all patches applied to the
system - pkgparam pkgid PATCHLIST shows all patches
applied to the package identified by pkgid - pkgparam pkgid PATCH_INFO_patch-number shows
the installation date and name of host - patchadd p shows all patches applied to a
system - ? AIX installp or smit
11Patching
- showrev p
- showrev
-
- Hostname Bankx
- Hostid 8388c2d53
- Release 5.8
- Kernel architecture sun4u
- Application architecture sparc
- Hardware provider Sun_Microsystems
- Domain uk.bank.com
- Kernel version SunOS 5.8 Generic 108528-09 June
2001
12Service removal - Inetd
- Inetd the super listener
- Configuring this IS the NO. 1 major hardening
task - Controlled by /etc/inetd.conf
- How it can be used to hide network access once a
machine is compromised or escalate access to root
if writable. - To modify
- cp inetd.conf inetd.conf.old
- vi inetd.conf
- Comment out services not needed save
- ps ef grep inetd then note the process id
- /sbin/kill HUP process id from above
13Service removal - Inetd
- Inetd.conf before hardening (page 1)
- more inetd.conf
-
- Syntax for TLI-based Internet services
-
- ltservice_namegt tli ltprotogt ltflagsgt ltusergt
ltserver_pathnamegt ltargsgt -
- Ftp and telnet are standard Internet services.
-
- ftp stream tcp nowait root
/usr/sbin/in.ftpd in.ftpd - telnet stream tcp nowait root
/usr/sbin/in.telnetd in.telnetd -
14Service removal - Inetd
- Inetd.conf before hardening (page 2)
Shell, login, exec, comsat and talk are BSD
protocols. shell stream tcp nowait root
/usr/sbin/in.rshd in.rshd login stream
tcp nowait root /usr/sbin/in.rlogind
in.rlogind exec stream tcp nowait root
/usr/sbin/in.rexecd in.rexecd comsat dgram
udp wait root /usr/sbin/in.comsat
in.comsat talk dgram udp wait root
/usr/sbin/in.talkd in.talkd Must run as
root (to read /etc/shadow) "-n" turns off
logging in utmp/wtmp. uucp stream tcp
nowait root /usr/sbin/in.uucpd
in.uucpd Tftp service is provided primarily for
booting. tftp dgram udp wait root
/usr/sbin/in.tftpd in.tftpd tftp dgram
udp wait root /usr/sbin/in.tftpd
in.tftpd -s /tftpboot Finger, systat and
netstat give out user information which may
be --More--
15Service removal - Inetd
- Inetd.conf before hardening (page 3)
- finger stream tcp nowait nobody
/usr/sbin/in.fingerd in.fingerd - echo stream tcp nowait root internal
- daytime stream tcp nowait root internal
- daytime dgram udp wait root internal
- chargen stream tcp nowait root internal
- RPC services syntax
- ltrpc_proggt/ltversgt ltendpoint-typegt rpc/ltprotogt
ltflagsgt ltusergt \ - ltpathnamegt ltargsgt
- Solstice system and network administration
class agent server - 100232/10 tli rpc/udp wait root
/usr/sbin/sadmind sadmind - rquotad/1 tli rpc/datagram_v wait root
/usr/lib/nfs/rquotad rquotad - The rusers service gives out user information.
Sites concerned - with security may choose to disable it.
- rusersd/2-3 tli rpc/datagram_v,circuit_v
wait root /usr/lib/netsv c/rusers/rpc.rusersd
rpc.rusersd
16Service removal - Inetd
- Inetd.conf after hardening
more inetd.conf Syntax for TLI-based
Internet services ltservice_namegt tli
ltprotogt ltflagsgt ltusergt ltserver_pathnamegt
ltargsgt echo stream tcp nowait root
internal Some sites harden the configuration
still further with a tcp wrapper
17Service removal - NFS
- NFS the Network File System daemons
- Configuring this IS the NO2 major hardening task
- Controlled by /etc/dfs/dfstab which controls what
is exported(I.e shared in Bill-Gates-Speak) - If not needed, all daemons should be not started
rc3.d/s15nfs.server - To modify a share to limit access to certain
machines - vi /etc/dfs/dfstab
- Change share statement from
- share -F nfs -d apps" /apps
- TO
- share -F nfs -o rw192.9.200.1 -d apps"
/apps
18Service removal NFS
- ? AIX /etc/exports
- ? HPUX /etc/exports
19Service removal NFS (2)
- Identify the Network File System daemons
- ps ef then note the processes
- UID PID PPID C STIME TTY TIME CMD
- root 108 1 0 Dec 22 ? 000
/usr/sbin/rpcbind - root 21787 21784 0 100351 pts/1 000 ps
-ef - root 110 1 0 Dec 22 ? 000
/usr/sbin/keyserv - root 146 1 0 Dec 22 ? 000
/usr/lib/nfs/lockd lt - root 144 1 0 Dec 22 ? 000
/usr/lib/nfs/statd lt - root 161 1 0 Dec 22 ? 008
/usr/lib/autofs/automountd - root 199 1 0 Dec 22 ? 000
/usr/lib/lpsched - root 269 1 0 Dec 22 ? 004
/usr/lib/snmp/snmpdx -y -c /etc/snmp/conf - root 296 269 0 Dec 22 ? 000
mibiisa -p 32790 - root 284 1 0 Dec 22 ? 000
/usr/lib/dmi/snmpXdmid -s avon - root 294 291 0 Dec 22 ? 003
/usr/lib/saf/ttymon - root 288 1 0 Dec 22 ? 000
/usr/dt/bin/dtlogin -daemon - root 13496 1 0 Jan 15 ? 013
/usr/lib/sendmail -bd -q15m - root 17075 1 0 Jan 19 ? 034
/usr/sbin/in.named
Also remove - nfsd mountd biod
20Service removal
- Generally, you should not start unnecessary
daemons - These may include
- Snmp /usr/lib/snmp/snmpdx mibiisa
- RPC /usr/sbin/rpcbind
- Rpcinfo p
- Netstat an
- ? AIX portmap
21Service removal
22Security settings
- Security settings
- /etc/passwd check permissions, ensure integrity
and locked accounts have a shell of /bin/false - /etc/shadow group check permissions and
ensure integrity - /etc/default/login restrict root access to
console by - CONSOLE/dev/console
- PASSREQYES
- AIX /etc/security/user or /etc/security/login
- HPUX - /etc/securetty
- /etc/default/inetinit - TCP initial sequence
- TCP_STRONG_ISS2
23Security settings
- Solaris - Ip stack settings
- ndd -get /dev/ip ip_forward_directed_broadcasts
- 0
- ndd -get /dev/ip ip_forward_src_routed
- 0
- ndd -get /dev/ip ip_ignore_redirect
- 1
- ndd -get /dev/ip ip_respond_to_address_mask_br
oadcast - 0
- ndd -get /dev/ip ip_respond_to_echo_broadcast
- 0
- ndd -get /dev/ip ip_respond_to_timestamp
- 0
- ndd -get /dev/ip ip_send_redirects
- 0
- ndd -get /dev/tcp tcp_rev_src_routes
- 0
24Security settings
- AIX - Ip stack settings
- no o ipforwarding
- no o ipsendredirects
- no o nonlocsrcroute
- no o subnetsarelocal
-
25Default permissions keeping files tight
- The umask determines the default file permission
for new files created - Normally set in /etc/default/login /etc/profile
- 3 digits such as 077 or 022
- umask 022
- gt testfile
- ls l testfile
- -rwxr-xr-x 6 root sys 404 Jan 6
2000 testfile
26File permissions
- Important categories
- System start-up scripts
- System configuration file
- Home directories
- Cron
- /dev esp kmem or drum
- /proc
- All other files
27File permissions -System start-up scripts
- Unix start-up sequence
- System boots and loads kernel
- System kernel forks to create init pid 1
- Init reads /etc/inittab and runs any programs
specified - In Solaris/HPUX 10, it then runs the scripts
/etc/rc0-5.d/ - In AIX / HPUX 8-9 , it then runs the scripts
(i.e. /etc/rc.tcpip ) as defined point 3 - If a hacker can add a command into either
/etc/rc0-5.d/ or /etc/inittab, it will be able
to update an file on the system
28File permissions - System configuration file
- A selection of key files and what a hacker might
do them - /etc/hosts.equiv add to the file
- /etc/hosts change the address of a host
- /etc/pam.conf change authentication (solaris
only) - /etc/inetd.conf add new service
- /etc/profile add chmod 777 /etc/shadow
- /etc/nsswitch.conf change name
resolution/authentication - /etc/Resolv.conf change name server (could
effect trusted hosts) - /etc/passwd - change uid to 0
- /etc/shadow - change root password
29File permissions home directories
- Important files to look at
- .rhosts
- .profile
- .kshrc .netrc
- .login .logout
- .exrc
30File permissions - general
- Things to look for
- Suid files
- Sgid files
- World writeable files
- World writeable directories
31File permissions
- Umtp and umtpx world write permissions
- Files with no user associated with it
- Files with no group associated with it
32Radical hardening
- remove root Suid bit if possible
- remove gcc or cc
- Mount file systems readonly
- Large main memory small swap
33ASET
- Automated Security Enhancement Tool
- Comes with all new sun operating systems
- Low setting ensures that all system files are set
to release values. Reports potential weaknesses
but does not make any changes - Medium Setting makes some changes to security
settings but do not affect system services - High setting makes more changes to security
settings and security takes precedence to system
behaviour
34ASET
- Task that ASET performs
- Systems file verification check
- System files check
- User/Group check
- System configuration files check
- Environment check
- eeprom check
- Firewall setup
35ASET output
- aset p high
- Begin Enviroment Check Warning! umask set
to umask 022 in /etc/profile - not
recommended. End Enviroment Check
ASET Execution Log ASET
running at security level highMachine server
Current time 0114_2026aset Using /usr/aset
as working directoryExecuting task list
... firewall env sysconf usrgrp tune cklist
eepromAll tasks executed. Some background
tasks may still be running.Run
/usr/aset/util/taskstat to check their status
/usr/aset/util/taskstat aset_dirwhere
aset_dir is ASET's operating directory,currently/
usr/aset.When the tasks complete, the reports
can be found in /usr/aset/reports/latest/.r
pt
36ASET output II
- where aset_dir is ASET's operating
directory,currently/usr/aset.When the tasks
complete, the reports can be found in
/usr/aset/reports/latest/.rptYou can view them
by more /usr/aset/reports/latest/.rpt
Begin Firewall Task IP forwarding already
disabled.IP forwarding already disabled in rc
files.ROUTED daemon already configured to be
opaque. End Firewall Task Begin
System Scripts Check cp /usr/aset/archives/in
etd.conf.arch.high No space left on
deviceCannot archive /etc/inetd.conf. Task
skipped!Task firewall is done.Task env is
done.Task sysconf is done.Task usrgrp is
done. Begin Tune Task
37ASET output III
- Begin Tune Task ... setting attributes
on the system objects defined in
/usr/aset/masters/tune.high Begin User And
Group Checking Checking /etc/passwd
...Checking /etc/shadow ...Warning! Shadow
file, line 1, no password root6445...
end user check.Checking /etc/group ......
end group check. End User And Group Checking
Â
38Tripwire
- Monitors file changes, verifies integrity and
notifies of any violation on data at rest on
network servers - Identifies attributes such as file size, access
flags, write time, file permissions, file add,
file delete, file modifications and etc - Supports Windows NT4, Win2K, Solaris 2.6,2.7 and
2.8, AIX 4.3, HP-UX 11.0 and 11i, FreeBSD 4.2 and
4.3 and some Linux flavours
39Commercial Applications
- Axent ESM
- CA Unicenter
- Bindview