Page : 2
Identify the challenges for computer and network security
• Ten to fifteen years ago, firewalls, IDS, anti-virus software and OS updates were rare
• Now
  – Virus attacks: every day
  – E-mail: scanned for suspicious attachments
  – Network admins: work overtime to
    • Build the latest security defenses
    • Keep the defenses up-to-date
• Computer attacks via the Internet
  – Making computer security one of the prime concerns
Page : 3
Identify the challenges for computer and network security
• Why security is becoming increasingly difficult
  – Speed of attacks
    • Wide availability of modern tools
      – Used to scan systems
        » To find weaknesses
        » To launch attacks
    • Most tools are automated
      – Easy to attack target systems
Page : 4
Identify the challenges for computer and network security
• Speed of attacks (examples)
  – In 2003, the Slammer worm infected 75,000 computers in the first 11 minutes after it was released, and the number of infected machines doubled every 8.5 seconds. At its peak, Slammer was scanning 55 million computers per second looking for a computer to infect.
  – Later that year, the Blaster worm infected 138,000 computers in its first four hours and eventually infected over 1.4 million computers.**
** From M. Ciampa, Security+ Guide to Network Security Fundamentals, 2nd edition, Thomson, 2005
Page : 5
Identify the challenges for computer and network security (cont.)
• Why security is becoming increasingly difficult
  – Sophistication of attacks
    • Security attacks are becoming more complex
      – Difficult to detect
  – Faster detection of weaknesses
    • Newly discovered system vulnerabilities double annually
      » More difficult for software developers to update their products
Page : 6
Identify the challenges for computer and network security (cont.)
• Why security is becoming increasingly difficult
  – Distributed attacks
    • Multiple systems can be used to attack a single computer or network
    • A "many against one" approach
      – Impossible to stop an attack by identifying and blocking a single source
  – Difficulties in patching
    • So users do not apply patches
Page : 7
Identify the challenges for computer and network security (cont.)
Attack name | Impact of attack | Date patch first issued | Date attack began | Days between patch and attack
Bugbear | Infected more than 2 million computers | 16/5/2001 | 30/9/2002 | 5002
Yaha | Unleashed 7,000 attacks per day as an e-mail-distributed distributed-denial-of-service worm | 16/5/2001 | 22/6/2002 | 402
Blaster | Infected > 1.4 million computers | 16/7/2003 | 11/8/2003 | 26
9
Vulnerabilities and Exploits
• Vulnerabilities
  – Security weaknesses that open a program to attack
  – An exploit takes advantage of a vulnerability
  – Vendors develop fixes
  – Zero-day exploits: exploits that occur before fixes are released
  – Exploits often follow the vendor release of fixes within days or even hours
  – Companies must apply fixes quickly
10
Vulnerabilities and Exploits
• Fixes
  – Work-arounds
    ▪ Manual actions to be taken
    ▪ Labor-intensive, so expensive and error-prone
  – Patches
    ▪ Small programs that fix vulnerabilities
    ▪ Usually easy to download and install
  – Service packs (groups of fixes in Windows)
  – Version upgrades
• Compromise
  – The successful exploitation of a target by an attacker
11
Applying Patches
• Problems with Patching
  – Must find operating system patches
    ▪ Windows Server does this automatically
    ▪ Linux versions often use rpm
    ▪ …
  – Companies get overwhelmed by the number of patches
    ▪ Use many programs; vendors release many patches per product
    ▪ Especially a problem for a firm's many application programs
12
Applying Patches
• Problems with Patching
  – Cost of patch installation
    ▪ Each patch takes some time and labor costs
    ▪ Firms usually lack the resources to apply all of them
  – Prioritization
    ▪ Prioritize patches by criticality
    ▪ May not apply all patches, if risk analysis does not justify them
13
Applying Patches
• Problems with Patching
  – Risks of patch installation
    ▪ Reduced functionality
    ▪ Freeze machines, do other damage, sometimes with no uninstall possible
    ▪ Should test on a test system before deployment on servers
14
Threats
• Threat
  – An adversary (devil/satan) who is capable and motivated to exploit a vulnerability
    ▪ (exploit = utilize, especially for profit)
  – A person, thing or event
    ▪ which poses some danger to an asset in terms of that asset's confidentiality, integrity or availability
  – Accidental threats
  – Deliberate threats: passive and active
15
Threats
• Examples of threats
  – Hacker/cracker
  – Script kiddies
  – Spies and malware
  – Denial-of-service (DoS) attack
  – Zombies
  – Insecure/poorly designed applications
  – Viruses
  – Worms
16
Script kiddies
• Want to break into computers like crackers, but
  ▪ are unskilled users
  ▪ download software from web sites and use it to break into computers
Page : 17
Spies
• Spies
  – A person who
    • Has been hired to break into a computer and steal information
    • Does not randomly search for unsecured computers to attack
• Malware
  • A group of destructive programs such as viruses, worms, Trojan horses, logic bombs, and spyware
18
Virus
• Virus: a computer program that can copy itself and infect a computer without the permission or knowledge of the user
  – spreads from one computer to another when its host (such as an infected file) is taken to that computer
  – viruses always infect or corrupt files on a targeted computer
19
Worm
• Worm: a computer program that is self-replicating code
  ▪ Resides in active memory (the program is executed)
  ▪ Propagates itself
  – uses a network to send copies of itself to other nodes
  – can spread itself to other computers without needing to be transferred as part of an infected file
  – always harms the network
20
Trojan horse
• Trojan horse: a program that installs malicious software while under the guise of doing something else
  – differs from a virus in that
    ▪ a Trojan horse does not insert its code into other computer files
    ▪ it appears harmless until executed
21
Logic Bomb
• Logic bomb: a program that is inactive until it is triggered by a specific event, e.g.
  ▪ a certain date being reached
  – once triggered, the program can perform many malicious activities
  – is difficult to defend against
22
Spyware
• Spyware: a computer program that is installed surreptitiously on a personal computer
  ▪ to intercept or take partial control over the user's interaction with the computer, without the user's awareness
    • installing additional software
    • redirecting web browser activity
  ▪ secretly monitors the user's behavior
    • collects various types of personal information
23
Mobile Code
• Mobile Code (more spyware)
  – Executable code on a webpage
  – Code is executed automatically when the webpage is downloaded
  – JavaScript, Microsoft ActiveX controls, etc.
  – Can do damage if the computer has a vulnerability
24
Social Engineering in Malware
• Social engineering is attempting to trick users into doing something that goes against security policies
• Several types of malware use social engineering
  ▪ Spam
  ▪ Phishing
  ▪ Spear phishing (aimed at individuals or specific groups)
  ▪ Hoaxes
25
Denial-of-service (DoS) attack
• Denial-of-service (DoS) attack: a threat that prevents legitimate traffic from being able to access the protected resource
• Common DoS
  ▪ Crashes a targeted service or server
  ▪ Normally done by
    • Exploiting a program buffer overflow problem
    • Sending too many packets to a host, causing the host to crash
26
Zombies
• Zombies: systems that
  – Have been infected with software (e.g. a Trojan or back door)
    ▪ Under the control of attackers
  – Can be used to launch an attack against other targets
• Insecure/poorly designed applications
  – One of the most difficult threats to detect
Page : 27
Cyberterrorists
• Cyberterrorists
  – Terrorists that attack the network and computer infrastructure to
    • Deface electronic information (such as web sites)
    • Deny service to legitimate computer users
    • Commit unauthorised intrusions into systems and networks that result in infrastructure outages and corruption of vital data
Page : 28
Security Terminology
• Security attack
  • Any action that compromises the security of information, or
  • The use or exploitation of a vulnerability
• Security mechanism
  • A mechanism that is designed to detect, prevent, or recover from a security attack
• Security service
  • A service that enhances the security of data processing systems and information transfers
  • Makes use of one or more security mechanisms
Page : 29
Risk
• Risk
  – A qualitative assessment describing the likelihood of an attacker/threat using an exploit to
    ▪ successfully bypass a defender
    ▪ attack a vulnerability
    ▪ compromise a system
• Risk analysis
  – Provides a quantitative means of determining whether an expenditure on safeguards is warranted
Page : 30
Definition of computer and network security
• Security
  – In a general-use environment, the system will not be openly vulnerable to attacks, data loss or privacy loss
• Security is about the protection of assets*
  – Protective measures
    • Prevention
    • Detection
    • Reaction/Response
* From: Gollmann D., Computer Security, John Wiley & Sons, 1999
Page : 31
Definition of computer and network security
• Information security
  – The tasks of guarding digital information
  – Information:
    – Typically processed by a computer
    – Stored on some devices
    – Transmitted over a network
  – Ensures that protective measures are properly implemented
• A protection method
Page : 32
Definition of computer and network security
• Computer Security
  – Computer security deals with the prevention and detection of unauthorized actions by users of a computer system*
  – The goal is to protect data and resources
  – Only an issue on shared systems
    • Like a network or a time-sharing OS
  – No "global" solution
* From: Gollmann D., Computer Security, John Wiley & Sons, 1999
Page : 33
Definition of computer and network security
• Computer security
  – No absolutely "secure" system
  – Security mechanisms protect against specific classes of attacks
Page : 34
Definition of computer and network security
• Network security
  – Security of data in transit
    • Over a network link
    • Over a store-and-forward node
  – Security of data at the end point
    • Files
    • Email
    • Hardcopies
Page : 35
Definition of computer and network security
• Network security differences from computer security
  – Attacks can come from anywhere, anytime
  – Highly automated (scripts)
  – Physical security measures are inadequate
  – Wide variety of applications, services, protocols
    • Complexity
    • Different constraints, assumptions, goals
  – No single "authority"/administrator
36
Protective measures
• Prevention
  – Take measures that prevent assets from being damaged
  – Addresses the steps to deter an attack or lessen a system compromise
  – The measures, e.g.
    – Physical network architecture
    – Firewall elements
    – Antivirus systems
    – System hardening
    – User education
37
Protective measures
• Detection
  – Take measures that are able to detect when an asset has been damaged
  – Knowing when a system is under attack
  – Provides an important step toward responding to threats
  – Examples of measures
    – Intrusion Detection System (IDS)
    – SNORT
38
Protective measures
• Reaction/Response
  – Take measures that are able to recover from damage
  – Common mitigation (lessening) options
    – Intrusion Prevention System (IPS) (an IDS that also enforces access control)
    – Backup devices
    – Response procedure
39
Protective measures
• Example of response procedure (POLICIES)
  – Turn off the compromised systems: it may be desirable to
    ▪ Power off an individual workstation
    ▪ Shut down a server
      ▪ (could cause a significant impact in many mission-critical environments)
  – Inform law enforcement
    ▪ Which organization?
40
Protective measures
• Example of response procedure (POLICIES)
  – Reset the system, investigate the cause
    ▪ Some attacks
      ▪ Restoring the system should be sufficient
    ▪ Complicated attacks
      ▪ Blindly resetting a system may not lessen the problem
      ▪ Should analyze the attack methods
      ▪ Otherwise you reset the environment to the state that led to the initial compromise !!
  – For sensitive information
    ▪ How much information was compromised?
    ▪ How long was the attacker accessing the system?
    ▪ Knowing this
      ▪ Directly leads to damage control
41
Protective measures
• Example of response procedure (POLICIES)
  – An individual/team in charge of leading the response
    ▪ Having one can save valuable time
43
Threat Models: Internal versus External
• Internal attacker motivation
  – Corporate spies
  – Disgruntled employees
    ▪ Personal issues, e.g.
      ▪ Disagreement with boss or coworker
      ▪ General frustration
      ▪ Unfair disadvantage
    ▪ Greed
      ▪ May see value in selling insider access to an interested external party
    ▪ Curiosity
    ▪ Ignorance
      ▪ May not be aware that specific information should be confidential
44
Threat Models: Internal versus External
• External attacker motivation
  – Political
  – Status: demonstrate his/her skill
  – Power: show his/her technical superiority
45
Internal vs. External Attackers
[Figure: Probe and Exploit Attack Packets. An attacker outside a corporate site (hosts 128.171.17.13, 128.171.17.22, 128.171.17.47) sends: 1. an IP address scanning packet, whose response confirms a host at 128.171.17.13; 2. a port scanning packet to identify running applications; 3. an exploit packet.]
46
Internal vs. External Attackers
[Figure: Source IP Address Spoofing. The attacker at 10.6.4.3 sends 1. a spoofed packet to 128.171.17.13 with source IP address 128.171.17.47 instead of 10.6.4.3; 2. the reply goes to host 128.171.17.47. IP address spoofing hides the attacker's identity, but replies do not go to the attacker, so IP address spoofing cannot be used for all purposes.]
47
Internal vs. External Attackers
[Figure: Chain of Attack Computers. Attacker 1.34.150.37 logs in to compromised attack host 3.35.126.7, which logs in to compromised attack host 123.125.33.101, which sends the attack command to target host 60.168.47.47. Usually the attack can only be traced to the direct attacker (123.125.33.101) or the second direct attacker (3.35.126.7).]
• For probes whose replies must be received, the attacker sends probes through a chain of attack computers.
• The victim only knows the identity of the last compromised host (123.125.33.101), not that of the attacker.
48
Internal vs. External Attackers
• Traditional External Attackers: Hackers
  – Social Engineering
    ◦ Social engineering is often used in hacking
      – Call and ask for passwords and other confidential information
      – E-mail attack messages with attractive subjects
      – Piggybacking
      – Shoulder surfing
      – Pretexting
      – Etc.
    ◦ Often successful because it focuses on human weaknesses instead of technological weaknesses
50
Security Goals
• Confidentiality
• Authentication
• Authorization
• Integrity
• Nonrepudiation
• Availability
(most common: CIA, i.e. confidentiality, integrity, availability)
51
Security Goals
• Confidentiality / privacy
  – Systems that provide confidentiality
    ▪ Lessen the risks of an eavesdropper or attacker
  – Example
    ▪ Email is transmitted in plain text (a problem)
• Authentication
  – Permits one system to determine the origin of another system
52
Security Goals
• Authorization and access control
  – The level of access that is permitted
  – Not everyone is equal
  – Based on authentication
    ▪ Systems, processes and users are offered different levels of access
• Integrity
  – Information is not modified by an unauthorized party
• Nonrepudiation
  – Ensures that an originator cannot deny
Page : 53
Identification and Authentication
• Authentication Basics
• Passwords
• Biometrics
• Multiple methods
Page : 54
Authentication Basics
• Authentication
  – A process of verifying a user's identity
• Two reasons for authenticating a user
  – The user identity is a parameter in access control decisions (for a system)
  – The user identity is recorded when logging security-relevant events in an audit trail
Page : 55
Authentication Basics
• Authentication
  – Binding of an identity to a principal (subject)
  – An identity must provide information to enable the system to confirm its identity
  – Information (one or more)
    • What the identity knows (such as a password or secret information)
    • What the identity has (such as a badge or card)
    • What the identity is (such as fingerprints)
    • Where the identity is (such as in front of a particular terminal)
Page : 56
Authentication Basics
• Authentication process
  – Obtaining information from the identity
  – Analysing the data
  – Determining if it is associated with that identity
• Thus: the authentication process is the process of verifying a claimed identity
Page : 57
Authentication Basics
• Username and Password
  – Very common and simple identities
  – Used to enter a system
  – Username
    • Announces who a user is
    • This step is called identification
  – Password
    • To prove that the user is who they claim to be
    • This step is called authentication
Page : 59
Password
• Password
  – Based on what people know
  – User supplies password
  – Computer validates it
  – If the password is associated with the user, then the user's identity is authenticated
Page : 60
Password
• Choosing passwords
  – Password guessing attacks are very simple and always work !!
    • Because users are not aware of protecting their passwords
  – Password choice is a critical security issue
    • Choose passwords that cannot be easily guessed
• Password defenses
  • Set a password on every account
  • Change default passwords
  • Password length
    – A minimum password length should be prescribed
Page : 61
Password
• Password defenses
  – Password format
    • Mix upper and lower case symbols
    • Include numerical and other non-alphabetical symbols
  – Avoid obvious passwords
Page : 62
Password
• How to improve password security?
  – Password checker tool
    • Checks passwords against some dictionary of weak passwords
  – Password generation
    • A utility in some systems
    • Produces random passwords for users
  – Password aging
    • A requirement that the password be changed after some period of time
    • Required mechanisms
      – Forcing users to change to a different password
      – Providing notice of the need to change
      – A user-friendly method to change the password
Page : 63
Password
• How to improve password security?
  – One-Time Password
    • A password is valid for only one use
  – Limit login attempts
    • A system monitors unsuccessful login attempts
      – Reacts by locking the user account if the login process fails
  – Inform user
    • After a successful login the system displays
      – The last login time
      – The number of failed login attempts
Page : 64
Attacking a password system
• Password guessing
  – Exhaustive search (brute force)
    • Try all possible combinations of valid symbols
  – Dictionary attack
  – Random selection of passwords
  – Pronounceable and other computer-generated passwords
  – User-selected passwords
    • Passwords based on
      – Account names
      – User names
      – Computer names, etc.
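The password defenses on the preceding slides (minimum length, mixed case, non-alphabetic symbols, a weak-password dictionary, lockout after failed logins, reporting the last login) and the guessing strategies listed above (dictionary words, passwords derived from account or computer names) can be turned into a small checker and login limiter. The code below is an added example, not part of the lecture slides; the minimum length of 8, the five-word dictionary, the three-failure lockout and the function names are assumptions chosen for the demonstration.

```python
import re

# Constructed weak-password dictionary standing in for the word list a real
# checker loads from disk (assumption: a tiny set suffices to show the check).
WEAK_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

MIN_LENGTH = 8  # assumed minimum-length policy


def check_password(username: str, password: str, hostname: str = "") -> list:
    """Return the list of policy violations; an empty list means accepted.

    Each rule corresponds to one defense on the slides: length, mixed case,
    non-alphabetic symbols, the weak-password dictionary, and passwords derived
    from the account name or computer name (the first things a guesser tries).
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("must mix upper and lower case")
    if not re.search(r"[^A-Za-z]", password):
        problems.append("must include a digit or other non-alphabetic symbol")
    lowered = password.lower()
    if lowered in WEAK_PASSWORDS:
        problems.append("appears in the weak-password dictionary")
    for label, name in (("account name", username), ("computer name", hostname)):
        n = name.lower()
        # Also catch the reversed name, a common "clever" variation.
        if n and (n in lowered or n[::-1] in lowered):
            problems.append(f"derived from the {label}")
    return problems


class LoginLimiter:
    """Lock an account after repeated failures; report history on success."""

    def __init__(self, max_failures: int = 3, lockout_seconds: int = 300):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._failures = {}      # username -> consecutive failure count
        self._locked_until = {}  # username -> epoch time when the lock expires
        self._last_login = {}    # username -> epoch time of last successful login

    def attempt(self, username: str, ok: bool, now: float) -> dict:
        """Record one login attempt at time `now` (seconds) and return the outcome."""
        if self._locked_until.get(username, 0) > now:
            return {"status": "locked", "retry_after": self._locked_until[username] - now}
        if not ok:
            count = self._failures.get(username, 0) + 1
            self._failures[username] = count
            if count >= self.max_failures:
                self._locked_until[username] = now + self.lockout_seconds
                return {"status": "locked", "retry_after": self.lockout_seconds}
            return {"status": "denied", "failures": count}
        # Successful login: tell the user what happened since their last visit,
        # as the "Inform user" defense on the slides recommends.
        info = {
            "status": "ok",
            "last_login": self._last_login.get(username),
            "failed_attempts_since_last_login": self._failures.get(username, 0),
        }
        self._failures[username] = 0
        self._last_login[username] = now
        return info


if __name__ == "__main__":
    print(check_password("alice", "Alice2024!", hostname="ws17"))
    limiter = LoginLimiter()
    for t, ok in ((1.0, False), (2.0, False), (3.0, False), (4.0, True)):
        print(limiter.attempt("bob", ok, t))
```

A real deployment would hash the dictionary lookup against a much larger list and persist the lockout state, but the decision logic is the same: the checker refuses the password before it is ever stored, and the limiter makes the "always works" guessing attack from the slides cost a lockout every few tries.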
Page : 65
Biometrics
• The automated measurement of biological or behavioral features that identifies a person
• Method
  – A set of measurements of a user is taken (recorded) when the user is given an account
  – When the user accesses the system
    • The biometric authentication mechanism verifies the identity
Page : 66
Biometrics
• Fingerprints
• Voices
• Eyes
• Faces
• Keystrokes
  – Keystroke intervals
  – Keystroke pressure
  – Keystroke duration
• Combinations
68
Intrusion Profiles
• Exploiting passwords
• Exploiting known vulnerabilities
• Exploiting protocol flaws
• Examining source files for new security flaws
• Denial-of-service attacks
• Abusing anonymous FTP
• Installing sniffer programs
• IP source address spoofing
69
Typical Network Intrusions
• Locate a system to attack
  – New systems
  – Network sweeps
• Gain entry to a user's account
  – No password or easy-to-guess password
  – Sniffed password
• Exploiting a system configuration weakness or software vulnerability to obtain access to a privileged account
70
Typical Network Intrusions
• Once inside, an intruder may:
  – Remove traces from auditing records
  – Install a back door for future use
  – Install Trojan horse programs to capture system and account information
  – Jump to other hosts on your network
  – Use your system to launch attacks against other sites
  – Modify, destroy, or inappropriately disclose information
71
Why Should You Care
• Protect your own operational environment
• Protect your users' data
• Provide service to your users
73
Internet Etiquette-1
• Do:
  – Understand and respect security policies
  – Take responsibility for your own security
  – Respect other Internet neighbours
  – Cooperate to provide security
74
Internet Etiquette-2
• Avoid:
  – Unauthorised access to other accounts and systems
  – Cracking password files from other systems
  – Sharing accounts
  – Unauthorised access to unprotected files
  – Reading the e-mail of other users
  – Disrupting service
76
Security Management
• Understanding security
• Writing a security policy
• Monitoring the network
• Auditing the network
• Preparing for an attack
• Handling an attack
• Forensics
• Log analysis
• Damage control
77
Monitoring Your Network
• The shape of a logging system
• What to log
• Logging mechanisms
• Time
• Sensors
• Log management
78
Monitoring Your Network
• Goals of a monitoring system
  – Reduce the likelihood of an attack going unlogged
  – Increase the likelihood that the events logged for an attack will be recognized as an attack
79
The Shape of a Logging System
• Problems of a logging system
  – What events should be logged?
    ▪ if every event is logged, the log file will be very large
    ▪ if only selected events are logged, some crucial events might not be logged !!
  – Log files can be tampered with by attackers
    ▪ To delete attack traces
  – Attackers can tamper with the log file
    ▪ If the logs are accessible to them
80
The Shape of a Logging System
• Logs should not be accessible to an attacker
• Mechanisms that can deny access to logs
  – The logs are kept on a separate machine
  – The logs are encrypted
  – The logs are stored on write-once media
  – The logs are stored in multiple places
81
The Shape of a Logging System
• Logs should not be tampered with
• Tampering efforts should be easily detected
  – Achieved by
    ▪ Cryptographically signing each log entry to detect invalid entries
    ▪ Monitoring the log entries to look for a sudden decrease in log size
      ▪ Indicates that log entries have been deleted
    ▪ Assigning a sequence number to each log entry and verifying that the sequence is unbroken
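The two detection techniques on this slide, signing each entry and numbering entries so gaps show, work best combined: each entry's MAC covers its sequence number, its message and the previous entry's MAC, so editing, deleting or reordering an entry in the middle of the log breaks verification. The code below is an added example, not from the lecture; it assumes the MAC key lives only on the log collector (so a compromised host cannot re-sign entries) and uses a constructed key and constructed log lines.

```python
import hashlib
import hmac
import json

# Assumption: this key is held only by the log collector, never by the hosts
# that generate entries. Constructed value for the example.
LOG_KEY = b"example-collector-key-not-for-production"
GENESIS_TAG = "0" * 64  # the tag the first entry chains to


def sign_entry(seq: int, message: str, prev_tag: str) -> str:
    """HMAC-SHA256 over (sequence number, message, previous tag)."""
    data = json.dumps([seq, message, prev_tag]).encode()
    return hmac.new(LOG_KEY, data, hashlib.sha256).hexdigest()


def append_entry(entries: list, message: str) -> dict:
    """Append a new signed entry whose tag chains to the previous entry."""
    seq = entries[-1]["seq"] + 1 if entries else 1
    prev_tag = entries[-1]["tag"] if entries else GENESIS_TAG
    entry = {"seq": seq, "msg": message, "tag": sign_entry(seq, message, prev_tag)}
    entries.append(entry)
    return entry


def verify_log(entries: list) -> list:
    """Return (seq, problem) tuples; an empty list means the chain is intact.

    Detects modified entries (bad tag), entries removed from the middle
    (sequence gap plus a broken chain) and reordering. Removing entries from
    the *end* of the log is not visible here: the last sequence number must be
    compared with an external count, which is what a sensor does.
    """
    problems = []
    expected_seq, prev_tag = 1, GENESIS_TAG
    for entry in entries:
        if entry["seq"] != expected_seq:
            problems.append((entry["seq"], f"sequence gap, expected {expected_seq}"))
            expected_seq = entry["seq"]
        expected_tag = sign_entry(entry["seq"], entry["msg"], prev_tag)
        if not hmac.compare_digest(expected_tag, entry["tag"]):
            problems.append((entry["seq"], "invalid signature"))
        expected_seq += 1
        prev_tag = entry["tag"]
    return problems


def demo() -> tuple:
    """Build a three-entry log (constructed lines), then tamper with copies."""
    entries = []
    for line in ("login: user smt login ok", "su: smt to root", "passwd: changed by root"):
        append_entry(entries, line)
    assert verify_log(entries) == []
    # 1. Edit the middle entry in place: its tag no longer matches its content.
    edited = [dict(e) for e in entries]
    edited[1]["msg"] = "su: smt to root FAILED"
    # 2. Delete the middle entry: a sequence gap, and entry 3 no longer chains to entry 1.
    deleted = [entries[0], entries[2]]
    return verify_log(edited), verify_log(deleted)


if __name__ == "__main__":
    print(demo())
```

Because the attacker would need LOG_KEY to forge a valid tag, a host compromise that yields root on the audited machine still does not yield the ability to rewrite history on the collector, which is the separation the "send the audit log to another computer" advice later in the lecture relies on.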
82
What to Log
• The network should log any events necessary to detect known attack patterns
• The network should log any events necessary to detect unusual patterns of access
83
Logging Mechanisms
• Syslog
  – The most common network logging mechanism
  – Runs on Unix systems
• Components
  – Syslog daemon
  – Syslog ruleset
  – Syslog-enabled programs
84
Syslog
• Syslog daemon
  – A program that runs in the background on all machines using syslog
  – Serves several purposes
    ▪ Collects messages from syslog-enabled programs on the machine hosting it
    ▪ Collects certain messages from the system that are not syslog-enabled (such as kernel messages regarding start-up and some device problems)
    ▪ Listens on the syslog port (port 514/UDP) for messages
    ▪ Saves all of the above messages in a file
85
Syslog Ruleset
• Usually in /etc/syslog.conf
• Contains directives to the syslog daemon
  – Determine where various types of messages should be logged
• Choices of logging
  – Put a message into a file
  – Log a message to another machine via UDP
  – Write a message to the system console
  – Write a message to all logged-in users
86
Syslog-enabled Programs
• Syslog is a standard facility in Unix
  – Many Unix programs have calls to syslog built into them
  – Enables these programs to log various events
    ▪ To the local syslog daemon
87
Pros (of syslog)
• Universally available
• Standard implementation
• Available from non-programmable devices
• A read-only logging mechanism
88
Cons (of syslog)
• Unauthenticated protocol
  – Can be spoofed
• Unencrypted transmission
  – Can be eavesdropped on by attackers
• Unreliable UDP transmission
  – Not all syslog messages reach their intended destination
89
Time
• An important issue in log gathering and analysis
  Jun 4 22:33:21 machine1.ycom.com login: user smt login ok
  Jun 4 22:34:29 machine3.ycom.com login: user smt login ok
• Time is used in the analysis process
  – It should be accurate and synchronised with other systems
  – A logging system should synchronise its time with a time server machine (NTP server)
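The two log lines on this slide only become an analysis result (the same user logging in on two machines 68 seconds apart) when the timestamps from machine1 and machine3 can be compared, which is exactly what NTP synchronisation buys. The following added example (not from the lecture) parses BSD-style syslog lines like the ones above and flags a user seen on two different hosts inside a time window. BSD syslog lines carry no year, so LOG_YEAR is an assumed value; the third and fourth sample lines are constructed additions to the slide's two.

```python
import re
from datetime import datetime
from typing import Optional

# BSD syslog timestamps have no year; the analyst supplies it (assumption).
LOG_YEAR = 2024

SYSLOG_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^:\s]+): (?P<msg>.*)$"
)

# Constructed sample: the slide's two lines, a failed login on a third host,
# and a line that does not parse at all.
SAMPLE_LINES = [
    "Jun 4 22:33:21 machine1.ycom.com login: user smt login ok",
    "Jun 4 22:34:29 machine3.ycom.com login: user smt login ok",
    "Jun 4 22:34:40 machine2.ycom.com login: user smt login failed",
    "garbage line from a device with a broken clock",
]


def parse_syslog_line(line: str, year: int = LOG_YEAR) -> Optional[dict]:
    """Parse one BSD-format syslog line into a dict, or None if it does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    stamp = datetime.strptime(
        f"{year} {m['month']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
    )
    return {"time": stamp, "host": m["host"], "prog": m["prog"], "msg": m["msg"]}


def successful_logins(lines: list) -> list:
    """Return (time, host, user) for each 'user X login ok' message, sorted by time."""
    hits = []
    for line in lines:
        rec = parse_syslog_line(line)
        if rec is None or rec["prog"] != "login":
            continue  # unparseable or not a login record
        m = re.match(r"user (\S+) login ok$", rec["msg"])
        if m:
            hits.append((rec["time"], rec["host"], m.group(1)))
    return sorted(hits)


def logins_on_multiple_hosts(lines: list, window_seconds: int) -> list:
    """Flag (user, host1, host2, seconds_apart) for a user seen on two hosts within the window.

    Meaningful only when the hosts' clocks are synchronised: a skewed clock
    silently moves events into or out of the window.
    """
    flagged = []
    hits = successful_logins(lines)
    for i, (t1, h1, u1) in enumerate(hits):
        for t2, h2, u2 in hits[i + 1:]:
            gap = int((t2 - t1).total_seconds())
            if u2 == u1 and h2 != h1 and gap <= window_seconds:
                flagged.append((u1, h1, h2, gap))
    return flagged


if __name__ == "__main__":
    print(logins_on_multiple_hosts(SAMPLE_LINES, window_seconds=120))
```

Whether a 68-second gap between two hosts is suspicious depends on the site; the point of the example is that the comparison is impossible if machine1 and machine3 disagree about what time it is, and that unparseable lines are skipped rather than silently mis-timed.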
90
Sensors
• A mechanism that can be used to aid device-based logging
• Provides a means of gathering information and integrating it into the logging system
91
Sensors
• Examples
  – Some sensors can detect several variations on attacks
  – Some sensors can detect problems with the network being monitored
92
Sensors
• Some sensors are built to detect conditions on the logging system
  – Are the logs increasing monotonically?
    ▪ If not, a log file might have been tampered with
  – Is the logging system receiving all the logs that are being sent?
    ▪ Some devices transmit a sequence number with each log entry
    ▪ If a particular number is missing, something has gone wrong
93
Sensors
  – Has any machine stopped logging?
    ▪ A machine that has stopped logging
      ▪ Might indicate a network problem OR an attack
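Two of the logging-system sensors described on these slides, "are the logs increasing monotonically?" and "has any machine stopped logging?", are a few lines each once the collector records, for every host, the time and current log size at which each entry arrived. The code below is an added example, not from the lecture; the Sample record, the threshold values and the sample observations are constructed for the demonstration.

```python
from dataclasses import dataclass


@dataclass
class Sample:
    """One observation the sensor takes when an entry arrives from a host."""
    t: int       # seconds since an arbitrary epoch (constructed values below)
    host: str
    size: int    # size in bytes of that host's log file after the entry was stored


def check_monotonic_size(samples: list) -> list:
    """Report (host, time, detail) wherever a host's log shrank between samples.

    A log that only ever grows cannot get smaller without truncation or
    rotation; an unexpected drop is the "sudden decrease in log size" signal.
    """
    last = {}
    alerts = []
    for s in sorted(samples, key=lambda s: s.t):
        if s.host in last and s.size < last[s.host]:
            alerts.append((s.host, s.t, f"log size fell from {last[s.host]} to {s.size}"))
        last[s.host] = s.size
    return alerts


def check_silent_hosts(samples: list, now: int, max_silence: int) -> list:
    """Return hosts that have not logged anything for more than max_silence seconds.

    Silence is ambiguous (network fault, crashed daemon, or an attacker who
    stopped the logger), which is why the slide says it might be either.
    """
    last_seen = {}
    for s in samples:
        last_seen[s.host] = max(last_seen.get(s.host, 0), s.t)
    return sorted(h for h, t in last_seen.items() if now - t > max_silence)


# Constructed observations: machine1's log shrinks at t=220, machine3 goes quiet after t=100.
SAMPLES = [
    Sample(100, "machine1", 1000), Sample(160, "machine1", 1200),
    Sample(220, "machine1", 300),   # size dropped: truncated?
    Sample(100, "machine2", 500), Sample(160, "machine2", 700),
    Sample(100, "machine3", 50),    # nothing since t=100
]


if __name__ == "__main__":
    print(check_monotonic_size(SAMPLES))
    print(check_silent_hosts(SAMPLES, now=300, max_silence=150))
```

In practice the size check must be taught about legitimate log rotation (otherwise every rotation is an alert), and the silence threshold should be per host, since a busy server and a quiet printer have very different normal intervals.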
96
Unix Security: Security Features
• Authentication and authorization mechanism
  – Account
    ▪ Stores information about users (subjects)
    ▪ Including privileges granted to a user
  – Identification and authentication
    ▪ Verify a user's identity
    ▪ Allowing the system to associate the user's privileges with any process started by the user
  – Permissions on resources (objects)
    ▪ Can be set by the system manager or the owner of the resource
97
The Super User Account
• Super User Account
  ◦ Every operating system has a super user account
  ◦ The owner of this account can do anything
  ◦ Called Administrator in Windows
  ◦ Called root in UNIX
• Hacking Root
  ◦ Goal is to take over the super user account
  ◦ Will then "own the box"
  ◦ Generically called hacking root
98
The Super User Account
• Appropriate use of a super user account
  – Log in as an ordinary user
  – Switch to super user only when needed
    ▪ In Windows, the command is RunAs
    ▪ In UNIX, the command is su (switch user)
  – Quickly revert to the ordinary account when super user privileges are no longer needed
99
Assigning Permissions in UNIX
Category | UNIX
Number of permissions | Only 3: read (read only), write (make changes), and execute (for programs). Referred to as rwx
For a file or directory, different permissions can be assigned to | The account owner, a single group, and all other accounts
100
Unix Security: Security Features
• Authentication and authorisation mechanism
  – When a user requests access to any resource
    ▪ The operating system has to make a decision
    ▪ Grant or deny the access?
    ▪ Based on
      – User's identity
      – User's privileges
      – The permissions of the object
• Detection mechanism
  – Unix provides an audit log (audit trail)
    ▪ To keep track of actions performed by users
    ▪ These records can be used to investigate security breaches
101
Unix Security: Authentication and authorisation
• Unix users (accounts) are defined by user names
• Users are authenticated by passwords
• Passwords
  – (on most Unix systems) limited to 8 characters
  – Enciphered with the crypt(3) algorithm
    ▪ Repeats a slightly modified DES algorithm 25 times
    ▪ Using an all-zero block as the start value
    ▪ Using the password as the key
  – The encrypted passwords are stored in the /etc/passwd file
102
Unix Security: Authentication and authorisation
• Example of an /etc/passwd file (old versions of Unix systems)
  – For security-conscious versions of Unix
    ▪ The encrypted password field is stored in another file, such as /etc/shadow or /.secure/etc/passwd
  – An entry in an /etc/passwd file is as follows
    user_name:encrypted_password:userID:groupID:User full name:home directory:login shell
  – With the password moved to a shadow file, the field holds only a placeholder
    user_name:*:userID:groupID:User full name:home directory:login shell
103
Unix Security: Authentication and authorisation
• Changing the password
  – Command passwd(1)
    ▪ A user is asked to supply the current password
      ▪ To prevent someone else changing a user's password
    ▪ A user is then asked to enter the new password two times
    ▪ Password characters are not displayed on the screen when the password is entered
• Logging
  – /usr/adm/lastlog logs the user's last login time
Unix Security: Authentication and authorisation
• Users and Superuser
  – A user name is represented internally (in a system or user process) by a 16-bit number, called uid (userID)
  – Unix does not distinguish between users having the same uid
    ▪ several user names can be set to the same uid
  – Some of the uids have special meanings, such as
    uid | user name
    -2 | nobody
    0 | root
    1 | daemon
    2 | uucp
    3 | bin
    9 | audit
Unix Security: Authentication and authorisation
• In every Unix system
  – There is a user with special privileges
  – It is called the superuser and has uid = 0
  – The user name is usually root
  – The root privilege is used
    ▪ By the operating system for essential tasks, such as
      ▪ Recording the audit log
      ▪ Accessing I/O devices
    ▪ By system administrators to
      ▪ Perform certain system administration tasks
  – Almost all security checks are turned off for the superuser account !!
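The /etc/passwd format shown two slides back, together with the two facts on the uid slides (Unix identifies users by uid, not by name, and uid 0 is the superuser regardless of its name), gives an administrator three things to audit in the file: empty password fields, uid-0 accounts that are not root, and distinct names sharing one uid. The code below is an added example, not from the lecture; the passwd excerpt is constructed so that each of those conditions appears once.

```python
from collections import defaultdict

# Constructed /etc/passwd excerpt in the 7-field format from the slides.
# It deliberately contains: an empty password field (guest), a second uid-0
# account (toor), and two names sharing uid 1001 (smt, alias).
SAMPLE_PASSWD = """\
root:*:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/:/sbin/nologin
bin:*:3:3:bin:/bin:/sbin/nologin
nobody:*:-2:-2:nobody:/:/sbin/nologin
smt:*:1001:100:S. Smith:/home/smt:/bin/sh
toor:*:0:0:backup root:/root:/bin/sh
guest::1002:100:Guest account:/home/guest:/bin/sh
alias:*:1001:100:second name for smt:/home/smt:/bin/sh
"""

FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text: str) -> list:
    """Parse passwd lines into dicts; blank or malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        rec["uid"] = int(rec["uid"])
        rec["gid"] = int(rec["gid"])
        entries.append(rec)
    return entries


def audit_passwd(entries: list) -> list:
    """Return (who, finding) pairs for the conditions the slides warn about."""
    findings = []
    by_uid = defaultdict(list)
    for e in entries:
        by_uid[e["uid"]].append(e["name"])
        if e["password"] == "":
            # An empty field means no password is required to log in.
            findings.append((e["name"], "empty password field"))
        if e["uid"] == 0 and e["name"] != "root":
            # The kernel checks uid, not the name: this account is a superuser.
            findings.append((e["name"], "uid 0 account other than root"))
    for uid, names in by_uid.items():
        if len(names) > 1:
            # Unix treats these as one user; the audit trail cannot tell them apart.
            findings.append((",".join(names), f"share uid {uid}"))
    return findings


if __name__ == "__main__":
    for who, finding in audit_passwd(parse_passwd(SAMPLE_PASSWD)):
        print(f"{who}: {finding}")
```

On a system with shadowed passwords the password field is "*" or "x" for every account, so the empty-field check is still meaningful there; a shadow file would need the same check applied to its own second field.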
106
Unix Security: Authentication and authorisation
• The superuser
  – Very powerful, can do everything, such as
    ▪ Can become any other user
    ▪ Can change the system clock
    ▪ Can write into a read-only file (if the proper methods are used)
  – This becomes a weakness of Unix systems
    ▪ If an attacker achieves superuser status
    ▪ They can take control of the entire system !!!
107
Unix Security: Access Control
• Access control
  – Based on attributes of users and resources
  – Standard Unix systems facilitate discretionary access control with a granularity of owner, group, world
  – Unix treats all resources in a uniform manner
    ▪ Making no distinction between files and devices
Unix Security: Access Control
• Unix File Structure
  – Arranges files in a tree-structured file system containing files and directories
    -rwxr--r--  1 user1 users 1212 Jan 23 11:21 myfile.txt
    drwx------  2 user1 users  512 Jan 21 16:42 mydirectory
  – Fields in this listing: file type, file permissions, link counter (the number of links (pointers) to the file), name of the owner and group of the file, size of the file (in bytes), modified/accessed/created time, file name
• Selected fields in the inode (file data structure of Unix systems)
  Field | Meaning
  mode | Type of file and access rights
  uid | User who owns this file
  gid | Group which owns this file
  atime | Access time
  mtime | Modification time
  itime | Inode alteration time
  Block count |
  Size of file |
109
Unix Security: Access Control
• Unix File Structure
  – File permissions (permission bits)
    ▪ 3 groups of
      ▪ Read
      ▪ Write
      ▪ Execute
    ▪ Each group is for
      ▪ The owner of the file
      ▪ Group (users in the same group)
      ▪ Other (other users)
    - r w - r - - r - -
      Gives read and write access to the owner
      Read access to group and other
110
Unix Security: Access Control
• Access permission granting decision making
  – If the user's uid indicates that it is the owner of the file
    ▪ The permission bits for the owner decide whether the user can get access
  – If the user is not the owner of the file, but the gid indicates that the user's group owns the file
    ▪ The permission bits for the group decide whether the user can get access
  – If the user is neither the owner of the file nor a member of the group that owns the file
    ▪ The permission bits for other decide whether the user can get access
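The three-step decision on this slide selects exactly one class of bits (owner, else group, else other) and then consults only those bits; it never falls through to a more permissive class. The added example below (not from the lecture) parses `ls -l` lines in the format of the listing a few slides back and applies that rule. The two listing lines from the slide are reused; the third line, the regular expression and the function names are assumptions for the demonstration.

```python
import re

# One 'ls -l' style line: type, nine permission bits, link count, owner, group,
# size, three date/time tokens, name.
LS_LINE_RE = re.compile(
    r"^(?P<type>[-dlcb])(?P<perms>[rwx-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<size>\d+)\s+\S+\s+\d+\s+\S+\s+(?P<name>.+)$"
)


def parse_ls_line(line: str) -> dict:
    """Turn one 'ls -l' line into its fields, splitting the bits per class."""
    m = LS_LINE_RE.match(line)
    if not m:
        raise ValueError(f"not an ls -l line: {line!r}")
    p = m["perms"]
    return {
        "type": m["type"], "owner": m["owner"], "group": m["group"], "name": m["name"],
        "perms": {"owner": p[0:3], "group": p[3:6], "other": p[6:9]},
    }


def permission_class(file: dict, user: str, user_groups: set) -> str:
    """Choose exactly one class, in the order the slide gives: owner, then group, then other."""
    if user == file["owner"]:
        return "owner"
    if file["group"] in user_groups:
        return "group"
    return "other"


def is_allowed(file: dict, user: str, user_groups: set, want: str) -> bool:
    """Decide read ('r'), write ('w') or execute ('x') access for user on file.

    Only the selected class's bits are consulted, so an owner whose own bits
    deny access is refused even when group or other would permit it.
    """
    bits = file["perms"][permission_class(file, user, user_groups)]
    return want in bits


# Constructed listing: the two lines from the slide plus a file whose owner has
# fewer rights than everybody else (an assumed edge case for the demonstration).
LISTING = [
    "-rwxr--r--  1 user1 users 1212 Jan 23 11:21 myfile.txt",
    "drwx------  2 user1 users  512 Jan 21 16:42 mydirectory",
    "----rw-rw-  1 user1 users   10 Jan 24 09:00 locked-for-owner",
]
FILES = {f["name"]: f for f in (parse_ls_line(line) for line in LISTING)}


if __name__ == "__main__":
    for name, f in FILES.items():
        for user, groups in (("user1", {"users"}), ("user2", {"users"}), ("guest", set())):
            rights = "".join(b for b in "rwx" if is_allowed(f, user, groups, b))
            print(f"{name:18} {user:6} -> {rights or '-'}")
```

The third file illustrates the rule's most surprising consequence: user1 cannot read a file that everyone else can, because the owner bits are the only ones that count for user1. The superuser is the exception the earlier slides mention, since for uid 0 these checks are bypassed entirely.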
111
Unix Security: Audit Log and Intrusion Detection
• Unix provides some mechanisms which allow detection of
  – Security violations
  – Suspicious events
• Examples of these mechanisms
  – Auditing
  – Intrusion detection
  – Automatic retaliation (intrusion response)
112
Unix Security: Audit Log and Intrusion Detection
• Auditing
  – Records security-relevant events in an audit log or audit trail files
  – The audit log files must be protected
    ▪ Set the logical protection
      ▪ Only privileged users have write access
    ▪ Send the audit log to another computer
      ▪ Root on the audited machine has no superuser privilege there
      ▪ Offers double protection
    ▪ Send the audit log to a secure printer
      ▪ Physical security measures are required to protect the integrity of the audit log
113
Unix Security: Audit Log and Intrusion Detection
• Auditing files (for some Unix versions)
  – /usr/adm/lastlog: Records the last time a user logged in; this information can be displayed with the finger command
  – /var/adm/utmp: Records accounting information used by the who command
  – /var/adm/wtmp: Records every time a user logs in or logs out; this information can be displayed with the last command. To prevent this file from taking over all available memory, it may be pruned automatically at regular intervals
  – /var/adm/acct: Records all executed commands; this information can be displayed with the lastcomm command