Linux Security Benchmarking, Security Tools, Syslog Implementation, Incident Handling

CERT-In Guidelines
• Security Template by CERT-In – a guide to configuring Red Hat Linux 9.0 as a web server
• Central Syslog Server guide – a guide to setting up a central syslog server with syslog-ng, MySQL, Apache and PHP

Tools
• CISecurity – benchmark security configuration
• Bastille – automated security setup tool

CISecurity
• Benchmark security configuration: the CIS scoring tool checks the host against the CIS Linux benchmark and reports which settings pass and which fail
• Run the scanner from the directory it was unpacked into:
    ./cis-scan

Bastille
• Bastille is an open source program that facilitates the hardening of a Linux system.
• The administrator answers a series of "Yes" and "No" questions through an interactive text-based interface.
• Currently available for various Linux distributions:
  – SuSE
  – TurboLinux
  – Mandrake (several versions)
  – Red Hat (several versions)
  – Debian
• Also available on Mac OS X and HP-UX

Installation
The Bastille Linux package can be downloaded from http://www.bastille-linux.org/.
    $ cd /usr/local/src
    $ wget /bastille-linux/Bastille-2.0.4-1.0.i386.rpm
We also have to download the Perl Curses package (perl-Curses-1.06-4mdk.i586.rpm):
    $ wget ...
To start the installation, log in as root:
    # rpm --nodeps -ivh perl-Curses-1.06-4mdk.i586.rpm
    warning: perl-Curses-1.06-4mdk.i586.rpm: V3 DSA signature: NOKEY, key ID 70771ff3
    Preparing...                ########################################### [100%]
    # rpm -ivh Bastille-2.0.4-1.0.i386.rpm
    Preparing...                ########################################### [100%]
       1:Bastille               ########################################### [100%]
Note on the NOKEY warning: rpm found a signature on the package but does not have the signing key, so the signature was not verified. Import the vendor's key first (rpm --import <keyfile>) so that a tampered package is rejected instead of installed; --nodeps additionally skips dependency checking, so use it only when you know why a dependency is missing.
Run Bastille with the -c option (curses interface):
    # bastille -c
After accepting a couple of screens we are presented with a set of 18 screens.

Bastille text interface: the screens and the selections made

Screen 1
• Title screen (introduction to Bastille) → Next

Screen 2
• Would you like to set more restrictive permissions on the administration utilities? → Yes, then Next
  – Only root will be able to run utilities such as ifconfig, runlevel, portmap, fsck and linuxconf.
• Disable the SUID bit on the following programs, so that only a user with root privilege can run them: mount/umount, at, r-tools (rsh, rcp), usernetctl? → Yes
  – ping, traceroute and XFree86 keep their SUID bit.

Screen 3
• Should Bastille disable clear-text r-protocols that use IP-based authentication? → Yes
• Would you like to enforce password aging? → Yes
• Would you like to restrict the use of cron to administrative accounts? → Yes
• Do you want to set a default umask? → Yes
• What umask would you like to set for users on the system? → 077
• Should we disallow root login on ttys 1-6? → No

Screen 4
• Would you like to password-protect the GRUB prompt? → No
• Would you like to disable CTRL-ALT-DELETE rebooting? → Yes
• Would you like to password-protect single-user mode? → Yes

Screen 5
• Would you like to set a default-deny on TCP Wrappers and xinetd? → No
• Should Bastille ensure the telnet service does not run on this system? → Yes
• Should Bastille ensure the FTP service does not run on this system? → Yes
• Would you like to display "Authorized Use" messages at log-in time? → Yes
  – You now get a chance to customize the displayed message.
• Who is responsible for granting authorization to use this machine? → enter the administrator's name

Screen 6
• Would you like to disable the gcc compiler? → No

Screen 7
• Would you like to put limits on system resource usage? → No
• Should we restrict console access to a small group of user accounts? → No

Screen 8
• Would you like to add additional logging? → Yes
  – This adds the log files /var/log/kernel (kernel messages) and /var/log/syslog (messages of severity warning and error).
  – Also, if you check the 7th and 8th TTYs by pressing ALT-F7 or ALT-F8, you will find that we are now logging to virtual TTYs as well. If you try this, remember that ALT-F1 gets you back to the first virtual TTY.
• Do you have a remote logging host? → Yes (the remote host will be configured manually, see the central log server section)

Screen 9
• Would you like to disable apmd? → Yes
• Would you like to disable GPM? → No
• Would you like to deactivate NIS server programs? → Yes

Screen 10
• Do you want to stop sendmail from running in daemon mode? → No

Screen 11
• Would you like to chroot named and set it to run as a non-root user? → No

Screen 12 (Apache will be configured manually, so every question here is answered No)
• Would you like to bind the web server to listen only to the localhost? → No
• Would you like to bind the web server to a particular interface? → No
• Would you like to deactivate the following of symbolic links? → No
• Would you like to deactivate server-side includes? → No
• Would you like to disable CGI scripts, at least for now? → No
• Would you like to disable indexes? → No

Screen 13
• Would you like to disable printing? → Yes

Screen 14
• Would you like to install TMPDIR/TMP scripts? → No

Screen 15
• Would you like to run the packet filtering script? → No

Tripwire
• Install tripwire
• Configure tripwire
  – /etc/tripwire/
  – /etc/tripwire/twpol.txt (the policy: which files and attributes to watch)
• Build the baseline database (do this on a known-clean system, before it goes on the network)
  – tripwire --init
• Run an integrity check against the baseline
  – tripwire --check > report.txt

Vulnerability scanners
• Nessus
• Nikto

Centralized Syslog Server

Log levels (severity, from most to least urgent)
  LOG_EMERG     A panic condition; normally broadcast to all users
  LOG_ALERT     A condition that should be corrected immediately, such as a corrupted system database
  LOG_CRIT      Critical conditions, e.g. hard device errors
  LOG_ERR       Error conditions
  LOG_WARNING   Warning messages
  LOG_NOTICE    Normal but significant conditions that should possibly be handled specially
  LOG_INFO      Informational messages
  LOG_DEBUG     Debug-level messages

Log facilities
  LOG_AUTH      Security/authorization messages (deprecated; use LOG_AUTHPRIV instead)
  LOG_AUTHPRIV  Security/authorization messages (private)
  LOG_CRON      Clock daemons (cron and at)
  LOG_DAEMON    System daemons without a separate facility value
  LOG_FTP       FTP daemon
  LOG_KERN      Kernel messages
  LOG_LOCAL0 through LOG_LOCAL7   Reserved for local use
  LOG_LPR       Line printer subsystem
  LOG_MAIL      Mail subsystem
  LOG_NEWS      USENET news subsystem
  LOG_SYSLOG    Messages generated internally by syslogd
  LOG_USER      Generic user-level messages (default)
  LOG_UUCP      UUCP subsystem

Advantages of centralized syslogging
• An attacker who breaks into a system cannot delete the log lines that have already been shipped to the central server.
• The central syslog server can be put on a different network segment with tighter security.
• Having the log messages of all machines in one place allows better correlation of attacks across machines.
• Easier backup policy and file permission management for the logs.

Logs: central log server with the default syslogd
• Server: /etc/sysconfig/syslog
    SYSLOGD_OPTIONS="-m 0 -r -x"
  – -r accepts remote messages on UDP port 514, -x disables DNS lookups of the sending hosts, -m 0 turns off the periodic MARK lines
• Client: /etc/syslog.conf
    *.*    @loghost_server
  – every facility at every level is forwarded to loghost_server over UDP; classic syslog is unauthenticated and unencrypted, which is what motivates syslog-ng below

Syslog-NG
The advantages of syslog-ng over syslog are:
• ability to transport syslog messages over TCP
• filtering based on message contents
• logging of the complete chain of forwarding loghosts (regular syslog only records the name of the last hop)
• support for digital signatures and encryption
• can be run in a chrooted environment

Syslog-NG – configuration components
• syslog-ng + MySQL + Apache + PHP (php-syslog-ng as the web front end)
• Log analysis: Swatch, logsurfer

Configure the server: /etc/syslog-ng.conf
• Configure a source
    source gateway {
        unix-stream("/dev/log");          # local applications
        internal();                       # syslog-ng's own messages
        udp(ip("0.0.0.0") port(514));     # remote clients; the address on the slide is illegible, 0.0.0.0 (all interfaces, the syslog-ng default) assumed
    };
• Configure a destination
    destination localhost { file("/var/log/syslog-ng.all"); };
• Combine a defined source and destination (src + dst = logging)
    log { source(gateway); destination(localhost); };

Configure a filter
• A filter sits between source and destination; here only messages from host1 reach the file
    filter f_host { host("host1"); };
    # This ties our source, filter and destination together
    log { source(gateway); filter(f_host); destination(localhost); };

Send logs to MySQL
    destination d_mysql {
        pipe("/tmp/mysql.pipe"
             template("INSERT INTO logs (host, facility, priority, level, tag, date, time, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );\n")
             template-escape(yes));
    };
    log { source(gateway); destination(d_mysql); };   # the slide used source(net), which is not defined above; gateway is the defined source
• template-escape(yes) is not optional: it escapes quotes in $MSG and $PROGRAM, otherwise any host that can send syslog could inject SQL into the log database through a crafted message.
• Create the MySQL schema
    mysql -u root -p < syslog.sql
• Create the FIFO
    mkfifo /tmp/mysql.pipe
  – a FIFO in world-writable /tmp can be replaced or symlinked by a local user; a root-owned directory such as /var/lib/syslog-ng/ is the safer location
• Start syslog-ng
    syslog-ng -f /etc/syslog-ng.conf
• Feed the FIFO into the database
    # mysql -u root --password= syslog < /tmp/mysql.pipe
  – the slide uses the MySQL root account with an empty password; use a dedicated account that has only INSERT on the logs table

Viewing the syslog-ng MySQL logs: php-syslog-ng
• Install the PHP files into the Apache document root and configure the necessary files
• Edit includes/common_inc.php
    $result = mysql_pconnect("localhost", "UserName", "Password");
• Edit includes/db_fns.php
    $result = mysql_pconnect("localhost", "username", "password");
  – the web front end should use a read-only (SELECT) database account, not the one used for inserting

Logging the Apache error_log to syslog-NG
• Edit httpd.conf and put syslog instead of a file name in the ErrorLog directive
    LogLevel notice
    ErrorLog syslog
• Apache uses the local7 syslog facility by default (ErrorLog syslog:facility selects another one).
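The facility and severity tables above, the client's `*.* @loghost_server` rule and the Apache local7 facility all come together in the PRI that starts every syslog datagram. The following script is an added example (not from the CERT-In slides, syslogd or syslog-ng) that decodes the PRI and evaluates classic syslog.conf selectors against it, so one can check which rule will pick up a given message before touching the real configuration. The two sample datagrams are constructed; facility numbers 12 to 15 are reserved in Linux <syslog.h> and are named res12..res15 here.

```shell
#!/bin/sh
# Added example: decode the <PRI> of a syslog datagram and evaluate classic
# syslog.conf selectors against it.  PRI = facility * 8 + severity (RFC 3164).
# Facility numbers 12-15 are reserved in <syslog.h>; named res12..res15 here.
FACILITIES='kern user mail daemon auth syslog lpr news uucp cron authpriv ftp res12 res13 res14 res15 local0 local1 local2 local3 local4 local5 local6 local7'
SEVERITIES='emerg alert crit err warning notice info debug'

# nth INDEX "WORD LIST" -> the 0-based INDEXth word
nth() {
    i=0
    for w in $2; do
        [ "$i" -eq "$1" ] && { printf '%s\n' "$w"; return 0; }
        i=$((i + 1))
    done
    return 1
}

# index_of WORD "WORD LIST" -> 0-based index of WORD, failure if unknown
index_of() {
    i=0
    for w in $2; do
        [ "$w" = "$1" ] && { printf '%s\n' "$i"; return 0; }
        i=$((i + 1))
    done
    return 1
}

# decode_pri PRI -> "facility.severity", e.g. 190 -> local7.info
decode_pri() {
    [ "$1" -ge 0 ] && [ "$1" -le 191 ] || return 1
    printf '%s.%s\n' "$(nth $(($1 / 8)) "$FACILITIES")" "$(nth $(($1 % 8)) "$SEVERITIES")"
}

# line_pri LINE -> the number inside the leading <PRI> of a raw datagram
line_pri() {
    case $1 in
        '<'[0-9]*'>'*) p=${1#'<'}; printf '%s\n' "${p%%'>'*}" ;;
        *) return 1 ;;
    esac
}

# selector_matches "facility.level" PRI -> success when a syslog.conf line
# with that selector acts on a message of priority PRI.  Classic semantics:
# a level means "that severity or more urgent", '=level' exactly that
# severity, '*' everything, 'none' nothing.
selector_matches() {
    sel_fac=${1%%.*}; sel_lvl=${1#*.}
    fac=$(($2 / 8)); sev=$(($2 % 8))
    if [ "$sel_fac" != '*' ]; then
        [ "$(index_of "$sel_fac" "$FACILITIES")" = "$fac" ] || return 1
    fi
    case $sel_lvl in
        '*')  return 0 ;;
        none) return 1 ;;
        =*)   [ "$(index_of "${sel_lvl#=}" "$SEVERITIES")" = "$sev" ] ;;
        *)    lvl=$(index_of "$sel_lvl" "$SEVERITIES") || return 1
              [ "$sev" -le "$lvl" ] ;;
    esac
}

# route_line LINE "selector|destination"... -> prints the destination of
# every rule whose selector matches the datagram's PRI
route_line() {
    line=$1; shift
    pri=$(line_pri "$line") || return 1
    for rule in "$@"; do
        selector_matches "${rule%%"|"*}" "$pri" && printf '%s\n' "${rule#*"|"}"
    done
    return 0
}

# Constructed sample datagrams (not real captures).  190 = local7*8 + info,
# which is what "ErrorLog syslog" in Apache emits; 4 = kern*8 + warning.
SAMPLE_HTTPD='<190>Jun 12 10:15:01 web1 httpd[2104]: [notice] Apache/2.0.40 configured -- resuming normal operations'
SAMPLE_KERN='<4>Jun 12 10:15:02 web1 kernel: device eth0 entered promiscuous mode'

demo() {
    for s in "$SAMPLE_HTTPD" "$SAMPLE_KERN"; do
        pri=$(line_pri "$s")
        printf '<%s> = %s; delivered to: %s\n' "$pri" "$(decode_pri "$pri")" \
            "$(route_line "$s" 'local7.*|@syslog-nghost' '*.warning|/var/log/syslog' '*.*|@loghost_server' | tr '\n' ' ')"
    done
}
[ "${1:-}" = demo ] && demo
```

Run it as `sh syslog_pri.sh demo`: the Apache line (PRI 190, local7.info) is delivered by the `local7.*` and `*.*` rules but not by `*.warning`, while the kernel warning (PRI 4) matches `*.warning` and `*.*` only. This is why a single `*.* @loghost_server` on every client is enough for the central server, and why a `local7.*` rule is needed on the web server if only Apache's errors are to be shipped.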
A corresponding entry is therefore required in /etc/syslog.conf on the web server:
    local7.*    @syslog-nghost

Logging the Apache access_log to syslog-NG
• Edit httpd.conf and pipe the access log through logger in the CustomLog directive
    CustomLog "| /usr/bin/logger -p" common
  – the priority argument of -p is cut off on the slide; it must name the local1 facility (for example local1.info) for the rule below to pick the lines up
• A corresponding entry is then required in /etc/syslog.conf
    local1.*    @syslog-nghost

Linux Incident Handling
• Identify the incident type
  – DoS
  – Unauthorized access
  – Malicious code
  – A combination of any of the above

Incident Handling: DoS
• SYN attack – monitor the number of TCP connections in the half-open (SYN received) state
    netstat -ant | grep SYN_RECV | wc -l
  – the slide gives the Solaris form, netstat -an -f inet | grep SYN_RCVD | wc -l; Linux reports the state as SYN_RECV
• Watch the value of the tcpHalfOpenDrop counter (a Solaris TCP statistic)
    netstat -s -P tcp | grep tcpHalfOpenDrop
  – on Linux the equivalent is the "SYNs to LISTEN sockets dropped" line of netstat -s, and SYN cookies (net.ipv4.tcp_syncookies=1) are the usual mitigation

Incident Handling (contd.): preparing the toolkit
Keep trusted, statically linked copies on read-only media, because the binaries and shared libraries on a compromised host cannot be trusted:
  – shared libraries
  – static system libraries
  – netstat
  – lsof
  – gdb / nm
  – ps
  – ls
  – su
  – passwd
  – netcat
  – strace / ltrace
  – an MD5 generator
  – fdisk / cfdisk
  – who / finger / w
  – dig
  – find

Incident Handling (contd.): information collection
  cat /proc/version               Version of the operating system (kernel)
  cat /proc/sys/kernel/hostname   Host name
  cat /proc/sys/kernel/domainname Domain name
  cat /proc/cpuinfo               Information about the hardware
  cat /proc/swaps                 All swap partitions
  cat /proc/partitions            All partitions known to the kernel
  cat /proc/self/mounts           Mounted file systems
  cat /proc/uptime                Uptime
  cat /proc/modules               Modules loaded into kernel memory
  last, w, who                    Logged-in users, prior logins, etc.
  date -u                         Current date and time (UTC)
  arp -an                         Current ARP cache
  route -Cn                       Current routing table and routing cache
(The slide gives /proc/sys/kernel/name for the host name; the file is /proc/sys/kernel/hostname.)

Incident Handling: look for changed permissions
• World-writable files
    find / -perm -2 -type f -print
• SUID root files
    find / -type f -perm -04000 -ls
• SGID files
    find / -type f -perm -02000 -ls
• Time stamps: find files accessed in the last day, modified in the last hour, etc.
    find / -atime -1
    find / -mmin -60
    ls -lautR
  – do this from a trusted find/ls; reading a file updates its atime, so collect the listing before any other examination

Incident Handling
• Check for promiscuous mode (PROMISC flag on an interface)
    ifconfig -a
• Check for newly created users
    /etc/passwd (compare with a known-good copy)
• List open ports
  – nmap scan from another host
  – netstat -l on the host (netstat -lntup for ports, protocols and owning processes)
• Current processes
    ps aux
• System calls made by an executable (trojaned binaries)
    ltrace, strace, truss (Solaris)

Incident Handling
• Compare checksums
    tripwire --check
• Check the traffic in and out
    Ethereal (now Wireshark), tcpdump, etc.
• Examine suspicious binaries
    strings

Incident Handling: presence of malicious code
• chkrootkit
  – checks for the presence of known rootkits
• Tripwire
  – compares checksums against the baseline
• The Coroner's Toolkit
  – a collection of different forensic tools

The Coroner's Toolkit
• TCT is a collection of tools written with the specific goal of gathering or analyzing forensic information on a Un*x machine.
• Four major parts of TCT:
  – grave-robber
  – the C tools (ils, icat, pcat, file, etc.)
  – unrm and lazarus
  – mactime

The Coroner's Toolkit: grave-robber
    grave-robber -v /
• Automated way of collecting forensic information
• Gathers, in order:
  – memory
  – unallocated file system space
  – netstat, route, arp, etc.
  – ps/lsof, capturing all process data
  – stat and MD5 of all files, strings of directories
  – configuration, log and other interesting files (cron, at, etc.)

grave-robber
• The data capturing tool at the heart of TCT
• Runs various commands and records the output
• Captures in order of volatility (most volatile first)
• Most effectively used when run as root over an entire file system
• Related tools:
  – pcat   Process CAT (copies a process's memory)
  – ils    Inode LS (lists inodes, including removed ones)
  – icat   Inode CAT (copies a file by inode number)
  – shell commands
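The integrity check (tripwire --init / tripwire --check) and the SUID, SGID and world-writable sweeps above are the same whether Tripwire or a hand-rolled baseline is used. The script below is an added example (not from the CERT-In slides, Tripwire or TCT) that builds a mode-plus-SHA-256 baseline of a directory tree, reports added, modified and removed files against it, and runs the three permission sweeps. It works on a constructed scratch tree in a temporary directory so it can be tried without touching the real file system; it assumes GNU coreutils (stat -c, sha256sum) and paths without whitespace.

```shell
#!/bin/sh
# Added example: a tripwire-style baseline (build = "tripwire --init",
# check = "tripwire --check") plus the SUID / SGID / world-writable sweeps
# from the incident-handling checklist, run against a constructed scratch
# tree.  Assumes GNU coreutils (stat -c, sha256sum) and paths without
# whitespace.  Keep the database off the host being checked in real use.

# build_baseline TREE DBFILE: record "mode sha256 path" for every regular
# file under TREE, sorted so the database is reproducible.
build_baseline() {
    find "$1" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s %s\n' "$(stat -c '%a' "$f")" "$(sha256sum < "$f" | cut -d' ' -f1)" "$f"
    done > "$2"
}

# check_baseline TREE DBFILE: print "added|modified|removed PATH" lines and
# fail when anything differs.  A mode change alone (e.g. a binary turned
# SUID) counts as modified, which a content hash by itself would miss.
check_baseline() {
    cur=$(mktemp) || return 2
    build_baseline "$1" "$cur"
    changes=$(awk '
        NR == FNR { base[$3] = $1 " " $2; next }       # first file: baseline
        {
            if (!($3 in base))              print "added " $3
            else if (base[$3] != $1 " " $2) print "modified " $3
            delete base[$3]
        }
        END { for (p in base) print "removed " p }
    ' "$2" "$cur" | LC_ALL=C sort)
    rm -f "$cur"
    [ -n "$changes" ] && printf '%s\n' "$changes"
    [ -z "$changes" ]
}

# The permission sweeps from the checklist, rooted at TREE instead of /.
find_suid()           { find "$1" -type f -perm -04000 -print | LC_ALL=C sort; }
find_sgid()           { find "$1" -type f -perm -02000 -print | LC_ALL=C sort; }
find_world_writable() { find "$1" -type f -perm -0002  -print | LC_ALL=C sort; }

# Constructed scratch tree standing in for a host: a "system binary" and a
# user file.  Prints the tree's path.
make_scratch_tree() {
    t=$(mktemp -d) || return 2
    mkdir -p "$t/bin" "$t/tmp"
    printf '#!/bin/sh\nexec /bin/ls "$@"\n' > "$t/bin/ls"
    printf 'hello\n' > "$t/tmp/note"
    chmod 755 "$t/bin/ls"
    chmod 644 "$t/tmp/note"
    printf '%s\n' "$t"
}

# simulate_compromise TREE: the kind of traces an intruder leaves, so the
# check has something to find (constructed, not a real rootkit).
simulate_compromise() {
    printf '#!/bin/sh\n/bin/sh -i\n' > "$1/bin/ls"   # trojaned binary ...
    chmod 4755 "$1/bin/ls"                           # ... made SUID
    printf 'x\n' > "$1/tmp/.rk"                      # dropped hidden file ...
    chmod 666 "$1/tmp/.rk"                           # ... left world-writable
    rm -f "$1/tmp/note"                              # deleted file
}

demo() {
    T=$(make_scratch_tree); DB="$T.baseline"
    build_baseline "$T" "$DB"
    printf '== clean check\n'
    check_baseline "$T" "$DB" && printf 'no changes\n'
    simulate_compromise "$T"
    printf '== after compromise\n'
    check_baseline "$T" "$DB" || printf '(integrity check FAILED)\n'
    printf 'SUID: %s\nworld-writable: %s\n' "$(find_suid "$T")" "$(find_world_writable "$T")"
    rm -rf "$T" "$DB"
}
[ "${1:-}" = demo ] && demo
```

Run it as `sh integrity.sh demo`. The baseline file is the weak point of this scheme, exactly as with Tripwire's database: if it lives on the host, the intruder can regenerate it after planting the trojan, so keep it (and the trusted binaries used to run the check) on read-only media or on the central log server.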
This note was uploaded on 02/09/2012 for the course COMPUTER S a303 taught by Professor None during the Spring '11 term at BEM Bordeaux Management School.