Lecture 5 UNIX Security 1 Contents u

Lecture 5 UNIX Security 1

Contents u UNIX login and user accounts u Unix Access control u UNIX instances of General Security Principles u Local Vulnerabilities and exposures u Auditing UNIX system from the inside u Remote Vulnerabilities and exposures u Auditing UNIX system from the outside 2

Login u identification + authentication: = (username, password) u password length: 8 characters u password protection: encrypted with Crypt(3), and stored in /etc/passwd file. 3

Format of the Password File u Format: u Username: encrypted password: user ID: Group ID: ID string: home directory: login shell u ID string = user’s full name u User ID and group ID = explained later. u Login shell: the Unix shell available to the user after successful login. 4

Format of the Password File u Displaying the password file: cat /etc/passwd u dieter: RT. Qs. ZEEsx. T 92: 100026: 53: Dieter Gollman: /home/staff/dieter: usr/local/bin/bash u When the password field is empty, the user does not need a password for login. u If the password field starts with an asterisk, the user cannot login, because such values cannot be the results of an f(cleartext password). 5

Other Issues u Passwd(1): change password by supplying old one twice u Shadow password file: in security conscious version of Unix, it is stored in /. secure/etc/passwd u Expiry date and control of old password: set u Root login: can be restricted to terminals nominated in /etc/ttys 6

Users and Superusers u Users by user name, up to 8 characters u Users by user ID (UID) internally, a 16 bit number u UIDs are linked to user names in /etc/passwd. u Unix does not distinguish between users having the same UID. 7

Special User IDs u Superuser has UID • 0, and the name root. • u The root account is used by the • operating system for • essential tasks like login, recording the • audit log, or access • to I/O devices. • 8 -2 0 1 2 3 4 9 nobody root daemon uucp bin games audit

Special User IDs u Almost all security checks are turned off for the superuser. u The root account performs also certain administrative tasks. u The systems manager should not use root as his personal account. u When necessary, changing to root can be requested by typing /bin/su without specifying a user name. 9

Super User and Protection u Remark: The superuser can do almost everything. u Remark: Every precaution has to be taken to control access to superuser status. 10

Control of Access to Superuser Status u The files /etc/passwd and /etc/group have to be write-protected. [UID => 0 in /etc/passwd] u Record all su attempts in the audit log together with the user (account) who issued the command. u Separate the duties of the system manager, e. g. , by having special users like uucp or daemon to deal with networking. If one of these special users is compromised, not all is lost. 11

Groups u Fact: Users belong to one or more groups. u Why? Collecting users in groups is a convenient basis for access control decisions. u Example: put all users allowed to access email in a group called mail. u Primary group: contains every user. The group ID (GID) of the primary group is stored in /etc/passwd. 12

Set User. ID and Set Group. ID u Question: If /etc/passwd is read-only, how can you change your password? u Answer: controlled invocation, Set User. ID Program (SUID). u Remark: temporarily take on the UID of the owner of the password file. (i. e. , root) 13

Access Control u Tree Structure for files and directories 14

Unix File Structure u The directory is a pointer to a data structure, inode. u – use “ls –l” to find u Fields in the inode that are relevant to access control. 15 FIELDS in inode relevant to security • mode : type of file access rights • uid : user who owns the file • gid : group which owns file • atime: access time • mtime: modification time • itime: inode alteration • block count: size of file • physical location

Unix File Structure u Each directory contains [“ls –a” gives all] ua pointer to itself, the file ‘. ’ u a pointer to its parent directory, the file ‘. . ’ u Each u has file an owner, usually the user who created the file; u belongs to a group (its owner’s or directory’s group). u. A newly created file belongs either to its creator’s group or its directory’s group. 16

Fields in inode u Inspect a directory with command ls -l u u -rw-r--r-- 1 dieter staff 1617 Oct 28 11: 01 d. tex drwx------ 2 dieter staff 512 Oct 25 17: 44 ads/ The 1 st character gives the type of file. ‘-’ a file, ‘d’ a directory, ‘b’ a block device file, ‘c’ a character device file. u The file permission (to be discussed later). u The link counter, the number of links (pointers) to the file. u The name of the owner and the group of the file. u The size of the file in bytes. u The date and time is mtime, the time of the last modification. u The name of the file. The ‘/’ after ads indicates a directory. u The permission bits are grouped in three triples (read, write and execute) access for owner, group, and other. u ‘-’ indicates no grant of right. u 17 The uid, gid tell who own the file. u

Changing Permissions with chmod by owner or superuser only u Absolute mode u chmod [-f. R] absolute file specify the value for all permission bits chmod 644 = 110100100 = rw-r--r-u chmod 777 = 11111 = rwxrwxrwx u chmod 755 = 111101101 = rwxr-xr-x u The option -f suppresses error messages, the option -R applies the specified change recursively to all subdirectories of the current directory. u u Symbolic u will 18 mode not introduced here. For details, see, page 91

Default Permissions u Unix utilities (e. g. , editors or compilers): u u u Adjust the permissions by umask, specifying the rights that should be withheld. u u u umask 777 denies every access umask 000 does not add any further restriction 022 all for owner, r and x for group and other. 077 all for owner, no for group and other. umask value is in /etc/profile actual default permission is computed as: u u 19 666 when creating a new file 777 when creating a new program default ^ umask = 666 ^ 077 = 600 A^B = A and [not(B)] (AND NOT)

Instances of General Security Principles u Deleting Files u Question: If we remove (delete) a file from the file system, does it still exist in some form? u Remark: We have to talk about how a file was constructed! u Two types of copying: cp, link and ln cp: identical but independent file owned by the user running cp. u link, ln: only create a new file name with a pointer to the original file and increase the link counter of the original file. u 20

Deleting Files u u Conclusion: If a new file shares its content with the original, and if the original is deleted with rm or rmdir, it disappears from its parent directory, but its contents as well as its copy still exist. Question: How do we get rid of a file? u u u Conclusion: Once a file has been deleted, the memory space allocated to this file becomes available again. However, until these memory locations have actually been used again, they will still contain the file’s contents. Question: How do we get rid of a file? u 21 The super user runs ncheck to list all the links to that file and then deletes those links. Overwrite its contents with all-zeros before deleting it.

Protection of Devices u u u 22 Information: Unix treats devices like files. Thus access to memory or a printer can be controlled like access to a file through setting permission bits. How to create devices: use the mknod command which should only be executable by root. /dev/console – console terminal /dev/mem – main memory map device (image of the physical memory) /dev/kmem – kernel memory map device (image of the virtual memory) /dev/tty – terminal

Memory Device Must be Protected u An attacker can bypass the controls set on files on directories, if they can access to the memory devices holding these files. u If the read or write permission bits are set on a memory device, an attacker can browse through memory or modify data in memory without being affected by the permissions defined for the files stored in this memory. u Conclusion: Almost all devices should NOT be readable or write-able by others. 23

u Attacks are the result of one of two problems u Vulnerability u A weakness in a system that leads to unexpected, undesired, or unauthorized results. u Exposure u A state in system that is not a universal vulnerability. Includes a capability the behaves as expected, but can be compromised. Vulnerabilities allow attackers to execute commands as another user. u Exposures allow an attacker to conduct information 24 gathering. u

Local/System V&Es u Physical Compromise Countermeasures u u u Secure the host and console in a cabinet or locked room. Password protect console and BIOS Disable booting from removable media Password protect single user mode Buffer Overflows Countermeasures u u u Disable the execution of code on the stack, via OS patch or kernel parameters. Use safe programming practices: strncpy() instead of strcpy() u u 25 char *strcpy(char *dest, const char *src); char *strncpy(char *dest, const char *src, size_t n); Remove SUID bit from executables that aren’t required for normal system operation. Apply vendor OS and application patches.

Symlink Attacks u. A symbolic link is a pointer file that names (or points to) another file elsewhere in the filesystem. u Sometimes programs create a temporary file in /tmp and modify the permissions such that other users can read or write the file. u Attackers pre-create a symlink file with the right name that points to a file they want to modify. u When the application does a chmod(), the target of the symbolic link will inherit the permissions of the chmod(). 26

Symlink Attack Countermeasures u Check to see if the application respects the $TMP environment variable. By setting $TMP to a directory that isn’t “world” writeable, you can prevent other users from creating symbolic links. u Apply vendor patches, or submit a complaint/bug report with the vendor if no patches exist. 27

u LKMs Trojaned LKM Countermeasures are loadable kernel modules: they’re code (usually device drivers) that get loaded by the kernel when access to the particular device is needed. u LKMs can be trojaned to modify the kernel in malicious ways; to mask a system cracker’s presence for example. u Countermeasure: compile a monolithic kernel with all device drivers included. (Only available in some OSes. ) u 28 http: //www. redhat. com/docs/manuals/linux/RHL-7. 3 Manual/custom-guide/s 1 -custom-kernel-monolithic. html

Audit Logs & Intrusion Detection u Auditing: records security relevant events in an audit log (audit trail) for later analysis. u Intrusion detection: detects suspicious events when they happen and inform the system manager by email or by messages sent to the operator console. u Comment: The audit log should be well protected from writing by an attacker. 29

Auditing your system (from inside) u Steps you need to take (we’ll go over each) u Verify most recent patches are applied to OS and applications u Disable unused services and daemons u Address user account and password issues u Protect from unauthorized remote access u Other general types of checks 30

Protecting the Audit Log u Set a “logical protection” on the audit log so that only privileged users have write access. u Sent the audit log to another computer where root on the audited machine has no superuser privilege. u Sent the audit log to a secure printer. 31

Auditing - Verify patches u Verify that you have installed the most recent OS and application patches u Most Operating System vendors and applications have web pages and mailing lists to announce product updates. u Some automated tools exist for OS and kernel updates to red hat Linux. u Debian is much more slick at this u Also gnorpm is helpful, but not great. u www. windowsupdate. microsoft. com (now has an automatic install) u up 2 date 32

Auditing - Unused services u Disable any unused services and daemons. u They may be exploited if they are vulnerable and you (the administrator) aren’t aware they’re running. u The commands “ps” and “netstat” are useful for determining which processes are running, and what (if any) network ports processes are listening on. u See Unix Review lecture notes or man pages for the use of ps and netstat. 33

Auditing - Unused services: “ps” u ps -e u shows information about all processes currently running on the system. u ps -l u shows, among other things, the priority of your job, the memory size in blocks of your process, and the cumulative CPU time of the process. u http: //www. computerhope. com/unix/ups. ht m#03 34

Using netstat to find open ports u u u 35 netstat --inet --all (Linux, show network ports) netstat -f inet (Solaris, Digital Unix) netstat provides useful information regarding traffic flow. In particular, netstat -i lists statistics for each interface, netstat -s provides a full listing of several counters, and netstat -rs provides routing table statistics. netstat -an reports all open ports. netstat -k provides a useful summary of several networkrelated statistics, but this option is officially unsupported and may be removed in a future release.

u Disable Auditing - Disabling stand-alone daemons that are started at boot time by modifying the “rc” start-up script. u rc is the command script which controls the startup of various services u For Example: sendmail In /etc/rc. d/rc 2. d the sendmail startup script is S 88 sendmail. Move S 88 sendmail to s 88 sendmail and the “rc” process will ignore it. (The “rc” process is looking for all files starting with a capital letter) u On Linux this can also be done with the linuxconf and sysconfig utilities. 36

Various Daemons u u u u 37 u S 05 kudzu detects and configures new and/or changed hardware on a system S 10 network Activates/Deactivates all network interfaces configured to start at boot time. S 11 portmap manages RPC connections, which are used by protocols such as NFS and NIS S 14 nfslock Network File System (NFS) functionality S 16 apmd battery/power management for laptops S 20 random used for random number generation S 25 netfs mounts NFS and Samba mount points S 30 syslog assists programs in logging events S 35 identd matches users to TCP connections S 40 atd like cron, but for users S 40 crond periodically runs programs S 45 pcmcia for supporting cards on laptops S 50 inet starts and runs inetd S 55 xntpd Runs the Networks Time Protocol for syncing clocks

Services that should be firewalled u These services don’t need internet connectivity at all. u u Anything NFS related RPC services (remote procedure call) Printer lpd Probably don’t need these: u u Sendmail (plenty of holes historically) Qmail BIND (DNS) Replace all of these with ssh (scp, and sftp) u u u 38 r-services: rsh, rlogin, rcp telnet ftp

Auditing - User accounts and passwords u Establish a clearly defined password policy u u u Disable unused accounts Enable shadowed passwords Frequently do the following: u u u 39 frequency of forced password changes enforce mixture of alpha, numeric and other characters. Educate users to not share or write down their passwords Check that all accounts have a password Check if any accounts other than root have UID 0 Run a password cracker to ensure secure passwords

Auditing- Unauthorized access u u 40 If you need to run the “r-services” (you don’t), make sure it’s done as securely as possible. Disallow and periodically check for users’. rhosts files. This file lists the hosts and users that are allowed to log into the user’s account via the r-services without providing a password. Disallow /etc/hosts. equiv, which lists hosts considered to be “trusted” (i. e. users can connect via r-services from those hosts without supplying a password) We will spend an entire class on how to exploit the rsh service.

Auditing-Unauthorized access u Don’t allow root to log directly; force user with root password to log in then “su” to root. u Or, only allow root to log in from the console. (Assuming the console is in a secure location) u On Linux, /etc/securetty contains a list of terminals that root can login from. u Why are you logging in as root at all? Don’t run programs or surf the web as root. 41

Auditing- Other things to check u Make sure root’s $PATH does NOT contain a “. ” u $PATH is set to a list of directories where commands (binaries) can be found and is searched each time a command is executed. $PATH=/usr/bin: /usr/sbin: /usr/local/bin Attack: malicious user Mallory looks at roots. profile and realizes root has “. ” as part of the $PATH. Mallory creates a shell script in her home directory called “ls” which copies /usr/bin/bash to a specified location and make it SUID root. u Mallory then tells the admin. that there’s something wrong in her home directory, the admin goes to look in her home dir. and types “ls”. If the “. ” is in the path before the directory that contains the real “ls”, Mallory’s “ls” will get executed, and 42 Malloy will have access to an SUID root shell. u

Local auditing Tools u COPS - Local system auditing application u Crack - Password cracking program for UNIX u netstat - Can be used to show “open” network ports. u lsof - Used to show network ports associated with processes. u Tripwire - Application to hash system files and periodically check to see if files have changed. u Bastille Linux - Linux “hardening scripts” 43

Other various suggestions u Why stay connected to the Internet all the time? u u Don’t trust wireless services for several years or more. u u 44 If you aren’t running a server, consider disconnecting network services at night, or while at work. Place them outside your firewall Only use secure application level services above them, like ssh or secure web browsing. Use xlock-locks the local X display until a password is entered Use vlock-either locks the current terminal (which may be any kind of terminal, local or remote), or locks the entire virtual console system, completely disabling all console access. vlock gives up these locks when either the password of the user who started vlock or the root password is typed.

Remote Vulnerabilities and Exposures u Over the course of the semester we will be studying several remote vulnerabilities. u Some include: u Remote Buffer overflow u Session Hijacking u Unauthorized access to network services 45

Remote Buffer Overflow Countermeasures u Disable the execution of code on the stack, via OS patch or kernel parameter u Use safe programming practices. u Apply vendor OS and application patches u. Something you should do anyway for other types of exploits. 46

Session Hijacking - Countermeasures u Session hijacking is a method by which an attacker can steal a connection from another host. u The attacker can insert whatever it wants into the TCP stream u E. g. , echo “* *” >>. rhosts u Such attacks are based on the ability of the attacker to guess the TCP initial sequence number during the three way handshake. u Apply system patches or tweak kernel variable to increase randomness of TCP initial sequence generation u Sufficiently randomizing TCP sequence numbers 47 makes session hijacking more difficult.

Unauthorized Access to Network services - Countermeasures u IP based access control u TCP Wrappers u ftp: //ftp. porcupine. org/unix/security u Secure portmapper/rpcbind u ftp: //ftp. porcupine. org u NFS 48 shares (/etc/exports, /etc/dfstab)

tcp_wrappers u IP based access control to services spawned by inetd can be configured using the tcp_wrappers package developed by Weitse Venema. u Stand alone daemons such as ssh, sendmail and secure portmapper/rpcbind can be compiled using libwrap. a, a shared library which provides tcp_wrappers access control. u tcp_wrappers uses the configuration files /etc/hosts. allow and /etc/hosts. deny to determine whether or not a specific host can gain access to a service. 49

tcp_wrappers u Example: Check out the line for telnet in /etc/inetd. conf: telnet stream tcp nowait root /usr/sbin/tcpd in. telnetd "tcpd" is the wrapper program, and it calls in. telnetd (the telnet daemon) after it "authenticates" the remote host for a service. The best and most paranoid method of configuring is denying all services to all hosts; u then give explicit permissions to those you want to be able to connect on an individual service basis. u 50 Why not disallow access to your home machine from all hosts but a specific machine at UMass?

tcp_wrappers u In this example, give telnet access to u 192. 168. 10. 1 and 192. 168. 3. 024 u /etc/hosts. deny would contain (# is a comment): # service : host # Deny all hosts and all services ALL: ALL u /etc/hosts. allow u 51 would contain: #service : host # Allow hosts telnet : 192. 168. 10. 1, 192. 168. 3.

tcp_wrappers u tcp_wrappers attempts to confirm hostname -> IP and IP->hostname mappings. u Can be configured to drop IP source routed packets. u We’ll talk in a later class about the exploits possible with source routing. u Logs u. A via the syslog utility. denied connection attempt gets logged as follows: Mar 24 14: 15: 22 server ftpd[29291]: refused connect from evilhost. crackerz. com 52

Secure portmap/rpcbind u portmap (BSD) and rpcbind (Sys. V) are used by remote procedure call (RPC) programs. They provide a mapping of program to RPC number. u secure portmap and rpcbind provides tcp_wrappers support to control who can receive information from the rpcbind/portmap daemons. u Although it’s one level of defense, it doesn’t prevent an attacker from figuring out RPC numbers and attacking RPC daemons directly. u (these services should be firewalled!) 53

Auditing your system from the outside u NFS shares u rpcinfo u nmap u Remote Auditing tools u try exploits against specific services. 54

Auditing - NFS u Network 55 File Service (NFS) allows a host to access a shared filesystem on another host as if it was a locally connected filesystem. u NFS shares on the NFS server have an access control list to specify which hosts and users have access to a particular shared resource. u Check that the NFS access lists are properly configured such that it’s not sharing file systems to “the world” u The showmount command can be used to view NFS exported filesystems.

Aditing - nmap u u nmap is an extremely versatile port scanning tool which can be used to determine which services are running. It can also be used as a rudimentary packet filter or tcp_wrappers test. http: //www. insecure. org/nmap Using the command “nmap -s. T laptop. oit. umass. edu” Starting nmap V. 2. 53 by fyodor@insecure. org Interesting ports on laptop. oit. umass. edu (128. 119. xxx): (The 1519 ports scanned but not shown below are in state: closed) Port State Service 80/tcp open http 111/tcp open sunrpc 1024/tcp open kdm 6000/tcp open X 11 56

Auditing - Remote auditing tools. u Several utilities are available to “attack” or gather information about services/daemons on a system. u SAINT - Based on SATAN utility u SARA - Also based on SATAN u Nessus - Excellent open source vulnerability scanner u http: //www. nessus. org u Commercial: u ISS scanner u Cybercop 57

Backing up u u u Once you system is installed, configured, and secured, but not on the net make a backup It’s the only time you know you haven’t been hacked yet. Attacks often have signatures: u u 58 Snort tries to stop attacks as they occur by filtering out specific packets. E. g. , ones that contain “exec /bin/sh” After an attack is complete, file time stamps, sizes, and contents will change. Checking your computer against what you installed is key; Restoring your computer to a previous state requires a backup.

Tripwire u Tripwire is a tool originally developed at Purdue as an academic project. u The basic idea is keep a hash of each file on your system. u Anytime a single bit is altered in a file, the resulting hash will change. u Store the hashes of your files on read-only media (CDROM); compare results of the current system to the saved results: find files that have changed. u Can be used in /etc, or even for your web pages. u Source code is still available. 59

Unix Telnet Wrapper u u 60 Telnet work as follows. The inetd daemon listens to incoming network connections. When a connection is made, inetd starts the appropriate server program and then returns to listening for further connections. The inetd daemon has a configuration file that maps services to programs. Entries in this file have the format service type protocol waitflag userid executable command-line Entry for telnet could be telnet stream tcp nowait root /usr/bin/in. telnetd in. telnet When inetd receives a request for a service, it consults the configuration file and creates a new process that runs the program (executable) specified. The name of this new process is the name given in the commandline field.

Unix Telnet Wrapper (Cnt’d) u u u 61 Often, the name of the executable and the command-line entry are the same. In this case, point the inetd daemon to a wrapper program instead of the original executable; use the name of the process to remember the name of the original executable, which is called after the wrapper has performed its security controls. New configuration file entry for telnet: telnet stream tcp nowait root /usr/bin/tcpd in. telnet The program executed is now /usr/bin/tcpd, the TCP wrapper executable. The process executing the wrapper is still called in. telnet. The wrapper can perform access control, logging. . . The wrapper knows the directory it is in, i. e. /usr/bin, and its own name, in. telnet, so it can call the original server program /usr/bin/in. telnet Users see no difference, receive the same service as before

Summary u UNIX login and user accounts u Unix Access control u UNIX instances of General Security Principles u Local Vulnerabilities and exposures u Auditing UNIX system from the inside u Remote Vulnerabilities and exposures u Auditing UNIX system from the outside 62