					SCSC 455 Computer Security
2011 Spring

Chapter 4
File Security

   File permissions
   Monitor log files
   File integrity
File Security
   Files are a crucial asset to protect
       they contain business and personal data
       they contain system / security configuration data
   Unauthorized users may want to:
       view files
        to access data or to see how security settings are configured
       delete files
        to make them unavailable, disrupt business plans, or corrupt the system
       modify existing files or create new files
        either to corrupt data, to cover signs of their activity, or to alter
        security settings for future attacks.
Linux File Permissions
   The first line of defense is careful use of Linux file
       For any file or directory, Linux file permissions are …

   Each can be assigned to …
Permissions on files and directories

 chmod command: change file permissions
Examples …
   E.g. 1: the directory reports has the following permissions

$ ls -ld reports
drwxrwx--- 2 frank faculty 4096 Mar 24 12:20 reports

Means ?

   E.g. 2: there are two data files in the directory reports
$ ls -l
-rw------- 2 frank faculty 16350 Mar 25 18:10 private_report
-rw-r----- 2 frank faculty 21340 Mar 25 18:10 public_report

Means ?

   E.g. If Bob, in the student group, tries the following command
$ cd reports

Result ?

   If Alice, in the faculty group, tries the following commands

$ cd reports
$ cat private_report
$ cat public_report
$ cp public_report private_report

Results ?
User Private Groups
   Several Linux distributions (such as RH Linux) use a
    technique called User Private Groups to enhance file
       Every file and directory is assigned both a user and
        a group, each with separate permissions
       It is more secure to have a group with only a single
        member, then make that the default group for all files
        created by that user
       The private group itself is defined in /etc/group; the user's
        entry in /etc/passwd names it (by GID) as the primary group,
        so files the user creates get the private group by default

    Example …
Set User ID (SUID) --- Revisit
   SUID bit
       causes a program to run with the effective user ID of the file's
        owner, rather than that of the user who executes it.
    $ ls -l test
    -rwsr-xr-x 1 frank faculty 3240 Mar 26 11:42 test
   SUID bit is necessary for some programs
       logging in
       changing passwords (passwd must be able to write /etc/shadow)
       low level networking routines
       control of graphical display functions
       su
   However SUID presents a security hazard
       If attackers can set the SUID bit on a root-owned binary (or plant
        a SUID root binary of their own), every later run of it hands out root
       SUID is insecure on script files, as script files can be easily modified
        and it is the interpreter, not the script, that actually executes
         The Linux kernel ignores the SUID bit on a #! script: the bit can be
          set, but the script runs with the caller's own privileges.
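To see what a SUID/SGID audit looks like in practice, here is an added example written for this page, not part of the course material. It classifies setuid and setgid files and flags the two hazards just listed: a #! script carrying the bit, and a privileged binary that anyone can write to. The sample entries, user IDs and file names are constructed; the first one mirrors the `-rwsr-xr-x ... frank faculty ... test` listing above with frank assumed to be uid 1001.

```python
"""Audit setuid/setgid files (added example; not from the course slides)."""
import os
import stat

PRIV_BITS = stat.S_ISUID | stat.S_ISGID


def classify(mode, uid, head):
    """Findings for one regular file, from its st_mode, owner uid and the first
    bytes of its contents. Returns [] when there is nothing to report.

      setuid-root     executes with effective UID 0
      setuid-nonroot  executes as some other user (worth reviewing, less severe)
      setgid          executes with the file's group
      setuid-script   a #! script carrying a privilege bit: Linux ignores it, so
                      the file is a misconfiguration or something an attacker left
      world-writable  anyone can rewrite a privileged program's body
    """
    findings = []
    if not stat.S_ISREG(mode) or not mode & PRIV_BITS:
        return findings                 # the bits mean something else on directories
    if mode & stat.S_ISUID:
        findings.append("setuid-root" if uid == 0 else "setuid-nonroot")
    if mode & stat.S_ISGID:
        findings.append("setgid")
    if head.startswith(b"#!"):
        findings.append("setuid-script")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings


def scan_tree(root):
    """Walk `root` (symlinks not followed) and yield (path, findings) for every
    setuid/setgid regular file; unreadable entries are skipped."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode) or not st.st_mode & PRIV_BITS:
                    continue
                with open(path, "rb") as f:
                    head = f.read(2)
            except OSError:
                continue
            findings = classify(st.st_mode, st.st_uid, head)
            if findings:
                yield path, findings


# Constructed entries (name, st_mode, st_uid, first bytes); the first mirrors the
# slide's `-rwsr-xr-x 1 frank faculty ... test` line with frank assumed as uid 1001.
SAMPLE = [
    ("test",        stat.S_IFREG | stat.S_ISUID | 0o755, 1001, b"\x7fELF"),
    ("backup.sh",   stat.S_IFREG | stat.S_ISUID | 0o755, 0,    b"#!/bin/sh\n"),
    ("dropper",     stat.S_IFREG | stat.S_ISUID | 0o757, 0,    b"\x7fELF"),
    ("shared_tool", stat.S_IFREG | stat.S_ISGID | 0o755, 0,    b"\x7fELF"),
    ("notes.txt",   stat.S_IFREG | 0o644,                1001, b"hi"),
    ("shared_dir",  stat.S_IFDIR | stat.S_ISGID | 0o775, 0,    b""),
]


def audit_sample():
    """Run classify() over the constructed entries."""
    return {name: classify(mode, uid, head) for name, mode, uid, head in SAMPLE}


if __name__ == "__main__":
    import sys
    for path, findings in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"):
        print(f"{path}: {', '.join(findings)}")
```

Run it as `python3 suid_audit.py /` on a real host to list every privileged binary; the list should be short and familiar (login, passwd, su and a handful of others, as the slide says), and anything outside that set deserves a closer look.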
Set Group ID (SGID)

   SGID bit
       When SGID is set on an executable file, the user who executes it
        assumes the permissions of the file's group (effective GID)
         less often useful than SUID, and rarely used

       When SGID is set on a directory, any file created within that
        directory is assigned the group of the directory, rather than the
        primary group of the user that creates the file.
SGID Example
  SGID on a directory is a convenient method for creating a
  shared working space for a group of users

Example …

Q: what if Tom creates a file in his own directory?
    Example 2: another technique w/o using SGID

    Deny access to members of a group:
     the owner has certain access rights, the members of the
     group cannot access the file at all, and everyone else has
     certain access rights (e.g. -rw----r--: group members get the
     empty group permissions even though "others" may read, because
     the permission check stops at the first class that matches).

Example …
Linux file system access control

When a user requests access to a directory or file:
Step 1: System checks whether this user is the owner
  Yes -> check owner access privileges -> access denied / granted
         (the group and others bits are not consulted)
  No  -> go to Step 2
Step 2: System checks whether this user belongs to the group
   assigned to the file/directory
  Yes -> check group access privileges -> access denied / granted
  No  -> go to Step 3
Step 3: The user falls into "others"
  check others access privileges -> access denied / granted
(root is exempt from these checks for reading and writing, and needs
 only some execute bit to be set in order to execute)
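The quiz on the reports directory (the `ls -ld` / `ls -l` listings and Bob's and Alice's commands), the deny-the-group trick of Example 2, and the three-step check above can all be run through one small model. This is an added example written for this page, not code from the course. The /etc/passwd and /etc/group fragments are constructed to match the slides (frank, alice and bob with private groups, faculty and student as shared groups; the UIDs and GIDs are assumptions). It also handles the root exemption, which goes slightly beyond what the slide shows.

```python
"""Model of the Linux owner/group/others access check (added example)."""
import stat

# Constructed /etc/passwd and /etc/group fragments (not copied from a real host).
# Each user has a private group of the same name (User Private Groups); faculty
# and student are the shared groups used in the slides' quiz.
PASSWD = """\
frank:x:1001:1001:Frank:/home/frank:/bin/bash
alice:x:1002:1002:Alice:/home/alice:/bin/bash
bob:x:1003:1003:Bob:/home/bob:/bin/bash
"""
GROUP = """\
frank:x:1001:
alice:x:1002:
bob:x:1003:
faculty:x:2000:frank,alice
student:x:2001:bob
"""


def groups_of(user, passwd=PASSWD, group=GROUP):
    """Primary group (GID field of /etc/passwd) plus every /etc/group line
    that lists the user as a supplementary member."""
    gid_to_name, members = {}, {}
    for line in group.splitlines():
        name, _pw, gid, users = line.split(":")
        gid_to_name[int(gid)] = name
        members[name] = set(filter(None, users.split(",")))
    for line in passwd.splitlines():
        name, _pw, _uid, gid, *_rest = line.split(":")
        if name == user:
            primary = gid_to_name[int(gid)]
            break
    else:
        raise KeyError(f"unknown user {user}")
    return {primary} | {g for g, us in members.items() if user in us}


def mode_from_ls(perms):
    """Turn the permission column of `ls -l` (e.g. 'drwxrwx---', '-rwsr-xr-x')
    into numeric permission bits; the leading file-type character is ignored."""
    special = {("s", 2): stat.S_ISUID, ("s", 5): stat.S_ISGID, ("t", 8): stat.S_ISVTX}
    mode = 0
    for i, ch in enumerate(perms[1:10]):
        if ch == "-":
            continue
        if ch in "rwx":
            mode |= 1 << (8 - i)
        elif (ch.lower(), i) in special:
            mode |= special[(ch.lower(), i)]    # the special bit ...
            if ch.islower():
                mode |= 1 << (8 - i)            # ... plus execute when lowercase
        else:
            raise ValueError(f"bad permission string {perms!r}")
    return mode


def check_access(mode, owner, group, user, want, passwd=PASSWD, group_db=GROUP):
    """The three-step discretionary check for one request; want is 'r', 'w' or 'x'.
    The first matching class decides: an owner who lacks a bit is refused even
    if the group or others bits would grant it. root skips the bits for r/w and
    needs only some execute bit for x."""
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if user == "root":
        return want != "x" or bool(mode & 0o111)
    if user == owner:
        cls = (mode >> 6) & 7                      # Step 1: owner bits
    elif group in groups_of(user, passwd, group_db):
        cls = (mode >> 3) & 7                      # Step 2: group bits
    else:
        cls = mode & 7                             # Step 3: others bits
    return bool(cls & bit)


# The objects from the slides: (ls permission column, owner, group)
REPORTS = ("drwxrwx---", "frank", "faculty")
PRIVATE = ("-rw-------", "frank", "faculty")
PUBLIC = ("-rw-r-----", "frank", "faculty")
DENY_GROUP = ("-rw----r--", "frank", "faculty")   # Example 2: lock out the group only


def can(user, obj, want):
    perms, owner, group = obj
    return check_access(mode_from_ls(perms), owner, group, user, want)


def slide_scenario():
    """Answers to the quiz: cd needs x on the directory, cat needs r on the file,
    cp onto an existing file needs r on the source and w on the target."""
    return {
        "bob: cd reports": can("bob", REPORTS, "x"),
        "alice: cd reports": can("alice", REPORTS, "x"),
        "alice: cat private_report": can("alice", PRIVATE, "r"),
        "alice: cat public_report": can("alice", PUBLIC, "r"),
        "alice: cp public_report private_report":
            can("alice", PUBLIC, "r") and can("alice", PRIVATE, "w"),
        "frank: read deny-group file": can("frank", DENY_GROUP, "r"),
        "alice: read deny-group file": can("alice", DENY_GROUP, "r"),
        "bob: read deny-group file": can("bob", DENY_GROUP, "r"),
    }


if __name__ == "__main__":
    for request, ok in slide_scenario().items():
        print(f"{request:42} {'granted' if ok else 'denied'}")
```

Bob is refused at `cd` because the directory grants nothing to "others"; Alice can enter and read public_report but neither read nor overwrite private_report. In the deny-group file, frank (owner) and bob (others) can read while alice, a faculty member, cannot: the check never falls through from the group class to the others class.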

System Log Files

   System log files may reveal security problems
       Log files record the activity of programs such as login, FTP, email
        servers …
       System logging daemons store log messages in several different
        files, depending on which type of program generated the message
         the mapping from facility and priority to file is defined in /etc/syslog.conf

       Messages in these log files are important for monitoring
        system/security events
        e.g., finding a large number of failed login attempts in /var/log/secure
        (authentication messages use the authpriv facility, which the
        configuration below routes there rather than to /var/log/messages)
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                   /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                                /var/log/secure

# Log all the mail messages in one place.
mail.*                                                    /var/log/maillog

# Log cron stuff
cron.*                                                     /var/log/cron
Log File Utilities

   Log files are an important part of system maintenance
    and security
       A number of utilities can help watch for log messages
        that indicate potential security violations
           Rotating log files -- logrotate package
           Tracking log files
               shell commands: grep, tail
               GUI tool: xlogmaster; batch checker: logcheck
Rotating Log Files
   Log files require regular attention because they can become very large
   The logrotate command helps automate the process of compressing and
    archiving log files
     older log data can be stored in another location (CD or backup tape)

     In RH Linux, logrotate is executed through a daily cron job that runs
/usr/sbin/logrotate /etc/logrotate.conf

       check logrotate config file
        $ cat /etc/logrotate.conf
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# uncomment this if you want your log files compressed
#compress

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp -- we'll rotate them here
/var/log/wtmp {
   create 0664 root utmp
   rotate 1
}
Tracking Log Files

   Several log daemons are constantly adding log
    entries to their corresponding log files
       this information needs to be tracked
   The log file can be viewed by root:
       opening the log file in a text editor (gedit, vi, …)
       using the grep or the tail commands

    Example …

   On a graphical desktop, use the xlogmaster program to
    view the system log files
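The failed-login check mentioned under System Log Files and the grep/tail tracking above can be turned into a small scanner. The following is an added example for this page, not from the slides: the /var/log/secure lines are constructed (documentation-range addresses 203.0.113.9, 198.51.100.4 and 192.0.2.77, host name `host`), and the threshold of three failures is an arbitrary choice.

```python
"""Scan sshd entries in /var/log/secure for password-guessing (added example)."""
import re
from collections import defaultdict

# Constructed sample of /var/log/secure (authpriv facility); not real log data.
LOG = """\
Mar 26 11:42:01 host sshd[2141]: Failed password for invalid user admin from 203.0.113.9 port 51001 ssh2
Mar 26 11:42:03 host sshd[2141]: Failed password for root from 203.0.113.9 port 51002 ssh2
Mar 26 11:42:05 host sshd[2150]: Accepted publickey for alice from 198.51.100.4 port 40211 ssh2
Mar 26 11:42:07 host sshd[2152]: Failed password for frank from 203.0.113.9 port 51003 ssh2
Mar 26 11:42:09 host sshd[2152]: Failed password for frank from 203.0.113.9 port 51004 ssh2
Mar 26 11:42:11 host sshd[2155]: Failed password for bob from 192.0.2.77 port 33004 ssh2
Mar 26 11:42:20 host sshd[2160]: Accepted password for frank from 203.0.113.9 port 51005 ssh2
Mar 26 11:43:01 host su: pam_unix(su:auth): authentication failure; logname=bob uid=1003 euid=0 tty=pts/1 ruser=bob rhost=  user=root
"""

AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_line(line):
    """Return {'result','method','user','ip'} for an sshd auth line, else None."""
    m = AUTH_RE.search(line)
    return m.groupdict() if m else None


def summarize(lines, threshold=3):
    """Aggregate per source address. A source is reported when it reached
    `threshold` failures, or when it logged in successfully after having failed
    at least once (the shape of a password-guessing run that finally worked)."""
    failed = defaultdict(int)
    users = defaultdict(set)
    accepted_after = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                       # su/PAM lines etc. are not handled here
        if ev["result"] == "Failed":
            failed[ev["ip"]] += 1
            users[ev["ip"]].add(ev["user"])
        elif failed.get(ev["ip"]):
            accepted_after[ev["ip"]].append(ev["user"])
    alerts = []
    for ip, n in sorted(failed.items()):
        if n >= threshold or accepted_after.get(ip):
            alerts.append({"ip": ip, "failed": n, "users": sorted(users[ip]),
                           "accepted_after_failures": accepted_after.get(ip, [])})
    return alerts


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        source = sys.stdin if sys.argv[1] == "-" else open(sys.argv[1])
    else:
        source = LOG.splitlines()
    for alert in summarize(source):
        print(alert)
```

On a live system the same function can be fed from `tail -f /var/log/secure | python3 scan_secure.py -`; the success-after-failures rule is the one worth acting on immediately, since a brute-force run that ended in an accepted login means the account is already in someone else's hands.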
Xlogmaster package
   View system log file via Xlogmaster
       is not part of most Linux distributions
       can be downloaded http://www.gnu.org/software/xlogmaster/
Logcheck package
   The logcheck package does much more than display
    log entries
       checks log files hourly for suspicious entries
       if found, they are emailed to the root user
         After being installed, a cron job file is placed in
            /etc/cron.hourly so that logcheck runs each hour.
       is not part of most Linux distributions, but can be

   The commercial version of logcheck is called
    LogSentry offered by Psionic Technologies

Maintaining File Integrity

   It is necessary to keep track of the state of
    important system files for any unexpected
       sometimes hackers can gain access, but the system log
        does NOT indicate a problem (or the intruder has edited it)

   E.g. A hacker replaces your inetd superserver
    daemon with a bogus inetd, …

   Once a cracker has obtained root access, he could
    install a rootkit
       A rootkit is a collection of programs and scripts designed to permit
        continued access, even if the original break-in is discovered.
     A hacker discovered you were using an outdated DNS server that
      permitted a hacker to obtain root access. The hacker then installed a
      rootkit in your system.
     Later you updated the DNS server. However, the hacker still has
      access to your system.
Rootkit lrk4
One example of a rootkit is lrk4
 Released in November 1998

 Several more recent versions are available (lrk5 and lrk6)

 It modifies the following programs in your system
chkrootkit package

   The chkrootkit package is used to check the
    system for evidence of a rootkit
       includes a shell script that works like a signature-based virus checker
           Examines system binary files to detect evidence of
            about 60 different rootkits
           chkrootkit reports the presence of a rootkit
           It cannot eliminate the rootkit from the system
           It relies on system commands (ps, ls, netstat, …) that a rootkit
            may already have replaced, so run it with trusted copies of those
            binaries (e.g. from read-only media) rather than the host's own

   chkrootkit package is not included on most Linux
    distributions, can download www.chkrootkit.org
After a rootkit is discovered
   If possible, shut down networking on the server until
    the problem is cleaned up
   Back up the entire system, including all of the
    operating system files and all data files
       this data can be reviewed later to assist in tracking
        down the cracker

   Rebuild the system
    either by updating the infected packages, or by
    reinstalling the entire operating system
       updating packages only helps if you know exactly what was
        replaced; a rootkit is built to hide that, so reinstalling
        from trusted media is the safer choice
Maintaining File Integrity

    A broader and more constant approach to file
     security than checking for rootkits is to watch the
     integrity of files on the system

    Special file integrity utilities can help you track a
     large number of files on your system
        Tripwire is the best known integrity checker
            is available in a free version included with many Linux
            a commercial version is available from Tripwire, Inc.
How to use Tripwire
   To use Tripwire, start with a freshly installed system
    before it is connected to any networks
       Tripwire creates a baseline of the critical system files
        (a database of their attributes and cryptographic hashes)
       Once the baseline is established, Tripwire is run at
        regular intervals to see whether the state of the system
        has changed
           If the changes are expected, you can update the baseline
            in Tripwire so that the changes are not marked as potential
       To protect the protector:
        Tripwire's configuration, policy and database files are
        cryptographically signed with keys that are themselves
        protected by a passphrase, so an intruder who gains root
        cannot silently rewrite the baseline to match the altered files
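The baseline-then-compare cycle, and the protect-the-protector point, can be demonstrated without Tripwire itself. The following is an added example written for this page, not Tripwire's own code or database format: it records size, permission bits, owner and SHA-256 of every regular file, stores the baseline as JSON with an HMAC-SHA256 tag derived from a passphrase (PBKDF2 with a constant salt; both are this example's choices, not Tripwire's), and the demo() function stages the bogus-inetd scenario from the earlier slide on a scratch directory.

```python
"""Baseline / check file integrity with a passphrase-keyed HMAC (added example)."""
import hashlib
import hmac
import json
import os
import stat
import tempfile


def _digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Relative path -> size, permission bits, owner uid and sha256 for every
    regular file below root; symlinks and special files are not followed."""
    snap = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            snap[os.path.relpath(path, root)] = {
                "size": st.st_size, "mode": oct(stat.S_IMODE(st.st_mode)),
                "uid": st.st_uid, "sha256": _digest(path)}
    return snap


def _key(passphrase):
    # Stretch the passphrase into the HMAC key. Constant salt (an assumption of
    # this example): the key only has to be reproducible on the same host.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), b"baseline-v1", 100_000)


def _tag(baseline, passphrase):
    body = json.dumps(baseline, sort_keys=True).encode()   # canonical form
    return hmac.new(_key(passphrase), body, "sha256").hexdigest()


def write_baseline(root, db_path, passphrase):
    """Take the baseline and store it together with its authentication tag."""
    baseline = snapshot(root)
    with open(db_path, "w") as f:
        json.dump({"baseline": baseline, "hmac": _tag(baseline, passphrase)}, f)
    return baseline


def load_baseline(db_path, passphrase):
    """Return the stored baseline, refusing one whose tag does not verify."""
    with open(db_path) as f:
        doc = json.load(f)
    if not hmac.compare_digest(_tag(doc["baseline"], passphrase), doc["hmac"]):
        raise ValueError("baseline does not verify: wrong passphrase or tampered database")
    return doc["baseline"]


def check(root, db_path, passphrase):
    """Compare the tree against the baseline: added, removed and modified paths."""
    old, new = load_baseline(db_path, passphrase), snapshot(root)
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p])}


def demo():
    """Exercise the checker on a scratch tree standing in for a fresh install;
    the file contents are constructed. Returns what each step found."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        db = os.path.join(store, "baseline.json")       # kept outside the tree
        os.mkdir(os.path.join(root, "bin"))
        inetd = os.path.join(root, "bin", "inetd")
        with open(inetd, "wb") as f:
            f.write(b"\x7fELF real inetd\n")
        with open(os.path.join(root, "passwd"), "w") as f:
            f.write("frank:x:1001:1001::/home/frank:/bin/bash\n")
        write_baseline(root, db, "correct horse")
        clean = check(root, db, "correct horse")
        # The break-in from the slides: inetd replaced, a rootkit file dropped
        with open(inetd, "wb") as f:
            f.write(b"\x7fELF bogus inetd with backdoor\n")
        with open(os.path.join(root, "bin", ".rk"), "wb") as f:
            f.write(b"rootkit\n")
        after = check(root, db, "correct horse")
        # The intruder rewrites the baseline to match, but cannot recompute the tag
        with open(db) as f:
            doc = json.load(f)
        doc["baseline"] = snapshot(root)
        with open(db, "w") as f:
            json.dump(doc, f)
        try:
            check(root, db, "correct horse")
            tamper_detected = False
        except ValueError:
            tamper_detected = True
        return {"clean": clean, "after_attack": after, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The tag stops an intruder from quietly editing the database, which is the slide's "protect the protector" point; it does not stop an intruder with root from replacing the checker itself, which is why the baseline is taken on a fresh install and why a copy of both the checker and the database belongs on read-only media.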
Samhain package
   Samhain is similar to Tripwire with several potential
       combines a file integrity checker, a log file checker, and a network
   Key features of Samhain:
       Runs as a daemon instead of a cron job
       Can detect kernel modules that were loaded as part of a rootkit
       Can operate in a client/server environment
       Report and audit logs are supported
       Database and configuration files are signed
       Runs on a number of UNIX and Linux platforms
       HTML status pages show information about any client system
        being monitored
Other File Integrity utilities

   For more tools regarding file integrity, consider
    installing the binutils package

       includes more than a dozen utilities useful for
        exploring the contents of files

       Examples …
