A crash course in Linux security walking through Linux access control, firewalls, auditing, and more.

1. Linux Security
Crash Course
February 7th, 2018

2. Get in touch with us
Mailing List - Sign in and check “Add to Mailing List”
Website - csg.utdallas.edu
Slack - #csg on ecsutd.slack.com
Email - utdcsg@gmail.com
2

3. Announcements
Lab Hangouts - ECSS 4.619 - 4 PM Thursday - February 15
Pentesting Session - FO 1.202 February 24th, 1 - 4pm
State Farm CTF Sign-up - March 5th - 12th
3

4. Linux Security Crash Course
1. Authentication
a. PAM
2. Authorization
a. sudo
b. setuid & setgid
c. capabilities
d. ACL
3. Audit
a. auditd
4
4. Services
a. sshd
5. Firewall
a. iptables
b. firewalld
6. Intrusion Detection
a. AIDE
7. Compliance
a. OpenSCAP

5. Authentication
5

6. Pluggable Authentication Modules (PAM)
Provide authentication for Linux
A configurable collection of modules used to authenticate users
Used by most services that want to authenticate the user
6

7. PAM System Auth
7

8. PAM - Tasks
PAM supports the following tasks:
● auth - verify the user’s identity
● account - confirm the user can do the requested action
● session - control tasks at the beginning and end of a session
● password - control steps around changing passwords
8

9. PAM - Controls
Modules support the following controls:
● required - fails after the stack is processed
● requisite - fails immediately
● sufficient - if succeeds (with no prior failures), stack succeeds
● optional - only matters if it is the only module in the stack
9

10. PAM - Useful Modules
pam_faildelay - How long the user is delayed after failure
pam_unix - Authentication from /etc/passwd and /etc/shadow
pam_succeed_if - Set constraints on attributes like uid
pam_pwquality - Set constraints on new passwords
10

11. PAM - Malicious Uses
Given a user with root access to the system:
● Add a malicious module that logs user’s passwords
● Add a malicious module that sets a password backdoor
● Change to configuration to lock out users
11

12. https://github.com/eurialo/pambd/
12

13. Authorization
13

14. Sudo
● A Program that allows users to run programs with different security privileges
● Sudo defaults to the superuser or root allowing for greater privileges
● Different from the command su because users supply personal password instead
of root
● Configuration file in /etc/sudoers, this contains a list of all users allow to sudo
14

15. Sudo
Sudo su username -- switches user to username
Sudo -i -- switches to root user environment
Sudo -s -- runs root shell in current directory
Sudo -l -U username -- checks to see what commands the user generic can run/capabilities
15

16. Sudo Replay
To start sudoreplay :
Sudo visudo:
Defaults log_output
Defaults!/usr/bin/sudoreplay !log_output
Defaults!/sbin/reboot !log_output
Sudo replay -l (this will list all sudo commands and users that used the command)
16

17. setuid & setgid
Part of the “mysterious” first octet of chmod
setuid - sets the process owner to the owner of the file
setgid - sets the process group to the group of the file
Generally used to grant root permissions to an executable (i.e. sudo)
17

18. Finding setuid and setgid binaries
setuid - find <path> -perm -4000
setgid - find <path> -perm -2000
18

19. Consequences of setuid & setgid binaries
● System is only secure as your root setuid & setgid binaries
● GNU Screen Exploit
● Makes for fun CTF/Wargame Challenges
19

20. Capabilities
Added in Kernel 2.2 (1999)
Switches the traditional permissions (root or not) into granular
capabilities
Follows the idea of least privileges
20

21. Capabilities - Actively in use
/usr/bin/ping = cap_net_raw+p
As ping requires access to a raw socket, systems without capabilities
require ping to be suid root
21

22. Managing Capabilities
getcap - List the capabilities for a file
setcap - set the capabilities for a file
capsh - list the capabilities for the current process
22

23. Capabilities - Consequences (?)
Some claim many capabilities can be abused to achieve root access
https://forums.grsecurity.net/viewtopic.php?f=7&t=2522&sid=c6fbc
f62fd5d3472562540a7e608ce4e#p10271 - February 2002
23

24. File Access Control List (ACL)
Similar to chmod
Be able to set user groups and user access to files and directories
Give more in depth permissions for different files with user groups
and users
24

25. File ACL
getfacl Directory or File -- show owner, group and permissions
setfacl -m (modify) user:username:rwx , group:group:rwx directory
-This will set a directory to be owned by user and group with
read write and execute permissions
25

26. Audit
26

27. Auditd
● Provides more information should an incident occur
● Designed to allow admins to quickly show what activity has been
happening
● Rule based, so can be hard to manage
27

28. Auditd - Auditing Events
● File Access
● System Calls
● Commands Run
● Failed Logins
● Firewall Changes
28

29. Auditd - RedHat Examples
File System Changes:
auditctl -w /etc/passwd -p wa -k passwd_changes
File Execution:
auditctl -w /sbin/insmod -p x -k module_insertion
System Call:
auditctl -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k
time_change
29

30. Auditd - Utilities
ausearch - query audit logs for events
aureport - show and overview of the events audited
30

31. Services
31

32. SSHD
Service of SSH, SSH daemon
Config located in /etc/ssh/sshd_config
Restart ssh or sshd for ever change in config file
32

33. SSHD Config
After opening sshd config
PermitRootLogin no #stops people from login into root over ssh
PubkeyAuthentication yes #uses key authentication for login over ssh
AuthorizedKeysFile .ssh/authorized_keys #AuthorizedKey file to check for public keys
PasswordAuthenticiation no #Disable password login
PermitEmptyPassword no #No empty passwords
UsePAM yes #Use PAM settings
33

34. Firewall
34

35. iptables
Iptables allows you to set firewall rules throughout the system
opening and closing ports
This also allows you to block or allow certain ip address
Very important to open only needed ip address and ports for
security, unused ports should not be left open
35

36. Firewalld and UFW
All these programs interface with iptables and write to the ruleset
but giver easier use
Firewalld - acts like an api with iptables to add/subtract/view rules
default in centos/fedora
UFW - full gui built to be used standalone but uses iptable to
add/subtract/view rules default in ubuntu
36

37. Firewalld/Firewall-cmd
Start on boot = sudo systemctl enable firewalld
Start in session = sudo systemctl start firewalld
Status = sudo firewall-cmd --state
Add Rule = firewall-cmd --zone=public --add-service=https(or
anyservice) --permanent(if you want permanent)
Reload rules = firewall-cmd --reload
37

38. UFW
Start = ufw enable
Check status = ufw status
Allow port = ufw allow 22 || ufw allow 22/tcp
Deny Rule = ufw deny 22 || ufw deny 22/tcp
38

39. Intrusion Detection
39

40. AIDE - Linux Configuration
40
Linux is primarily configured through text files
Users - /etc/passwd
Passwords - /etc/shadow
Authentication - /etc/pam.d/*

41. Advanced Intrusion Detection Environment
Stores the file system state and compares it on subsequent runs
41

42. AIDE - Cron checking
Running AIDE in check mode on a cronjob can quickly detect
configuration changes
Cron can send email on task failure
42

43. Compliance
43

44. Compliance
44
Corporate Standards
Legal Standards (PCI, FIPS)

45. Security Content Automation Protocol
NIST Standard to allow automated configuration for a secure
environment
Linux implementation - OpenSCAP
GUI - SCAP Workbench
45

46. OpenSCAP
46
https://www.open-scap.org

47. Linux Security Crash Course
1. Authentication
a. PAM
2. Authorization
a. sudo
b. setuid & setgid
c. capabilities
d. ACL
3. Audit
a. auditd
47
4. Services
a. sshd
5. Firewall
a. iptables
b. firewalld
6. Intrusion Detection
a. AIDE
7. Compliance
a. OpenSCAP

48. Further reading
SELinux
AppArmor
48

49. Get in touch with us
Mailing List - Sign in and check “Add to Mailing List”
Website - csg.utdallas.edu
Slack - #csg on ecsutd.slack.com
Email - utdcsg@gmail.com
49