ELEMENTS OF LINUX SECURITY Dr. Jayaraj Poroor Presented at TIFAC CORE in Cyber Security (2009) Amrita University


SYSTEM MODEL

(Diagram) The kernel (KNL) sits between processes (P) in primary memory/CPU and file systems (FS, ROOT-FS, mounted under /) in secondary memory; processes are loaded from, and perform CRUD operations on, the file system only through the kernel.

SECURITY

CIA Triad

Confidentiality – Eavesdropping, Viewing

Integrity – Modification

Availability – Denial of Service

Authentication – Identity Spoofing, Fabrication

Access Control / Policy Enforcement – Intrusion, Privilege Escalation

THREAT MODEL

(Diagram) Three attacker entry points to the kernel (KNL), user processes (P) and the user's file system (USER-FS): (1) remote access over the network, (2) local access as an unprivileged user process, (3) physical access to the machine. The attacker's own file system (ATTACKER-FS) is drawn separately.

LOCAL/PHYSICAL ACCESS ATTACKS

Threat: Single User Mode Login. Prevention: Set GRUB boot password

Threat: Attacker Boot CD/USB Disk. Prevention: Set BIOS password

Threat: Physical HD removal. Prevention: Encrypted File System/Files

Threat: Login Trojan. Prevention: Ctrl+Alt+Backspace, Ctrl-Z, Ctrl-C

Threat: Data Loss in all cases. Prevention: Backup

REMOTE ACCESS ATTACKS

(Diagram) Remote attacks are either DIRECT (a person attacking the host over the network) or INDIRECT, via INFRASTRUCTURE abused by a worm, a botnet or a zombie machine.

REMOTE – INDIRECT/INFRASTRUCTURE

Phishing emails, e.g. http://militarybankonline.bankofamerica.com.f1hj.net (the registered domain is f1hj.net; bankofamerica.com is only a subdomain label)

Virus/trojans via emails, usb-drives

Pharming – DNS Cache Poisoning. Use TLS sites and verify certificates

DIRECT REMOTE ATTACKS

• Open/Weak WiFi – Use WPA2 and strong keys

• Attacking Network Services
– Port scanning
– Banner grabbing, OS Fingerprinting
– Exploit known vulnerabilities
– DoS attacks
– Remote login: password guessing

POST-EXPLOIT

Install Root-kit, backdoor

Botnet Zombie

Steal data and leave without trace

Destroy data

COUNTER-MEASURES

Principle of Least Privilege

Fail-safe Defaults

Open Design

Separation of Privilege

Least Common Mechanism

IN PRACTICE

MINIMIZE EXPLOIT POTENTIAL

MINIMIZE POST-EXPLOIT DAMAGE

MAXIMIZE CHANCE OF DISCOVERY

MINIMIZE EXPLOIT POTENTIAL

• Update patches

• Configure iptables firewall
– iptables -A INPUT -p tcp --dport 80 --syn -j ACCEPT
– iptables -A INPUT -p tcp --syn -j DROP

• Disable unnecessary services
– Use netstat, nmap

• Don’t run insecure services
– Don’t use ftp/telnet, use sftp/ssh

NETSTAT
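The NETSTAT slide shows the listening sockets that "Use netstat, nmap" refers to. As an added example that is not part of the original deck, this POSIX shell/awk function classifies lines in `netstat -tulpn` format (the sample output below is constructed) into loopback-only binds, services exposed on all interfaces, and the ftp/telnet services the deck says not to run:

```shell
#!/bin/sh
# Added example: audit listening sockets from `netstat -tulpn` output.
# SAMPLE_NETSTAT is constructed to look like net-tools output; the banner
# and column-header lines are skipped by the parser.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      901/vsftpd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1022/mysqld
tcp6       0      0 :::23                   :::*                    LISTEN      950/inetd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           604/dhclient'

# Reads netstat text on stdin; prints one verdict per listening socket:
#   INSECURE  ftp (21) or telnet (23): cleartext, replace with sftp/ssh
#   LOCAL     bound to loopback only, unreachable from the network
#   EXPOSED   bound to all interfaces, reachable by remote attackers
audit_listeners() {
  awk '
    $1 !~ /^(tcp|udp)6?$/ { next }            # skip banner and column header
    $1 ~ /^tcp/ && $6 != "LISTEN" { next }    # only listening TCP sockets
    {
      n = split($4, a, ":"); port = a[n]      # last ":"-field is the port
      addr = substr($4, 1, length($4) - length(port) - 1)
      prog = ($1 ~ /^udp/) ? $6 : $7          # udp rows have no State column
      verdict = "EXPOSED"
      if (addr == "127.0.0.1" || addr == "::1") verdict = "LOCAL"
      if (port == "21" || port == "23") verdict = "INSECURE"
      printf "%s %s/%s %s %s\n", verdict, $1, port, addr, prog
    }'
}

# Wrapper over the constructed sample (used by the self-check).
audit_sample() {
  printf '%s\n' "$SAMPLE_NETSTAT" | audit_listeners
}

# Number of ftp/telnet listeners in the sample; 2 for the data above.
count_insecure() {
  audit_sample | grep -c '^INSECURE'
}

audit_sample
```

Against a live host, run `netstat -tulpn | audit_listeners` as root so that the PID/Program name column is populated for every socket.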

MINIMIZE POST-EXPLOIT DAMAGE

Don’t run as root – setuid(), setgid()

Use CHROOT jail – chroot

Use POSIX Capabilities – lcap, getpcaps, setpcaps

Use EXT2 ACL – mount -o acl, setfacl, getfacl
e.g. setfacl -m u:test:r file

CAPABILITY BOUNDING SET

MAXIMIZE CHANCE OF DISCOVERY

• IDS
– Tripwire, Snort

• Monitor Syslog

• Use chkrootkit

• Use Kernel Audits for critical files – auditctl, ausearch

• Use EXT2 Extended Attributes – lsattr, chattr
– Immutable (i), Append-only (a), Safe-delete (s), Allow Undelete (u)

EXTENDED ATTRIBUTES

TRY OUT WITHOUT BURNING YOURSELF

SCRATCH FILE SYSTEM
dd if=/dev/zero bs=1024 count=1024 of=disk.img
mke2fs disk.img
mount -o loop,acl disk.img <dir>

VIRTUAL MACHINE – http://www.virtualbox.org

REFERENCES

OWASP – http://www.owasp.org (Open Web Application Security Project)

MITRE – http://www.mitre.org

SANS – http://www.sans.org (System Administration & Network Security)

COBIT – http://www.isaca.org/cobit/ (Control Objectives for Information & Related Technology)

ISO 17799 – http://www.iso.org (Risk-based Information Security Management)

Anti-Phishing.Org – http://www.antiphishing.org/

CMU CERT/CC – http://www.cert.org/

THANK YOU