2. Get in touch with us
Mailing List - Sign in and check “Add to Mailing List”
Website - csg.utdallas.edu
Slack - #csg on ecsutd.slack.com
Email - utdcsg@gmail.com
3. Announcements
Lab Hangouts - ECSS 4.619 - 4 PM Thursday - February 15
Pentesting Session - FO 1.202 February 24th, 1 - 4pm
State Farm CTF Sign-up - March 5th - 12th
4. Linux Security Crash Course
1. Authentication
a. PAM
2. Authorization
a. sudo
b. setuid & setgid
c. capabilities
d. ACL
3. Audit
a. auditd
4. Services
a. sshd
5. Firewall
a. iptables
b. firewalld
6. Intrusion Detection
a. AIDE
7. Compliance
a. OpenSCAP
6. Pluggable Authentication Modules (PAM)
Provides authentication for Linux
A configurable collection of modules used to authenticate users
Used by most services that want to authenticate the user
8. PAM - Tasks
PAM supports the following tasks:
● auth - verify the user’s identity
● account - confirm the user can do the requested action
● session - control tasks at the beginning and end of a session
● password - control steps around changing passwords
9. PAM - Controls
Each module entry is evaluated with one of the following control flags:
● required - a failure is only reported after the rest of the stack has been processed
● requisite - a failure ends the stack immediately
● sufficient - if it succeeds (with no prior failures), the stack succeeds and stops
● optional - its result only matters if it is the only module in the stack
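The two PAM slides above (tasks and control flags) are easiest to understand by walking a stack by hand. The following is an added example, not from the slides or from Linux-PAM itself: it parses /etc/pam.d-style lines and replays the four control flags over constructed stacks that use the modules named on the slides. Module results are supplied as booleans, so nothing is actually authenticated, and the bracketed [value=action] control syntax is not modelled.

```python
"""Added example (not from the slides or from Linux-PAM): a small model of how
PAM walks one management group's stack under the four control flags.  Module
results are supplied as booleans, so it runs offline without loading any real
module; bracketed [value=action] controls are not modelled."""
from dataclasses import dataclass, field


@dataclass
class Entry:
    task: str            # auth | account | session | password
    control: str         # required | requisite | sufficient | optional
    module: str          # e.g. pam_unix.so
    args: list = field(default_factory=list)


def parse_pam_config(text):
    """Parse 'task control module [args...]' lines as found in /etc/pam.d/*."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3 or parts[1].startswith("["):
            raise ValueError(f"unsupported line: {line}")
        entries.append(Entry(parts[0], parts[1], parts[2], parts[3:]))
    return entries


def run_stack(entries, task, outcomes):
    """Walk the stack for one task.  outcomes maps module name -> bool (the
    result that module would return).  Returns (success, modules that ran)."""
    stack = [e for e in entries if e.task == task]
    failed = False
    ran = []
    for e in stack:
        ok = outcomes[e.module]
        ran.append(e.module)
        if e.control == "requisite":
            if not ok:
                return False, ran        # fails immediately; later modules never run
        elif e.control == "required":
            if not ok:
                failed = True            # remembered, but the rest of the stack still runs
        elif e.control == "sufficient":
            if ok and not failed:
                return True, ran         # success with no earlier failure ends the stack
        elif e.control == "optional":
            if len(stack) == 1:
                return ok, ran           # decisive only when it is the whole stack
        else:
            raise ValueError(f"unknown control {e.control!r}")
    if failed:
        return False, ran
    # Every required/requisite module passed.  With only sufficient modules and
    # none of them succeeding, nothing has granted access.
    return any(e.control in ("required", "requisite") for e in stack), ran


# Constructed /etc/pam.d-style fragment using the modules named on the slides.
SAMPLE = """
auth      required   pam_faildelay.so delay=2000000
auth      sufficient pam_unix.so nullok
auth      required   pam_deny.so
account   required   pam_unix.so
password  requisite  pam_pwquality.so retry=3
password  required   pam_unix.so use_authtok
"""

# A misordered stack: pam_deny as a required module ahead of pam_unix locks
# everyone out even with a correct password (the lockout case on the slide).
LOCKOUT = """
auth      required   pam_deny.so
auth      sufficient pam_unix.so
"""

GOOD_PASSWORD = {"pam_faildelay.so": True, "pam_unix.so": True,
                 "pam_deny.so": False, "pam_pwquality.so": True}
BAD_PASSWORD = dict(GOOD_PASSWORD, **{"pam_unix.so": False})

if __name__ == "__main__":
    entries = parse_pam_config(SAMPLE)
    print("auth, good password:", run_stack(entries, "auth", GOOD_PASSWORD))
    print("auth, bad password: ", run_stack(entries, "auth", BAD_PASSWORD))
    print("lockout stack:      ", run_stack(parse_pam_config(LOCKOUT), "auth", GOOD_PASSWORD))
```

The returned list of modules that ran is the useful part for a defender: with a requisite pam_succeed_if or pam_pwquality failure, pam_unix never executes, and with a required pam_deny placed first the stack fails even though pam_unix succeeded, which is exactly why an unexpected edit to /etc/pam.d/* deserves an integrity alert.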
10. PAM - Useful Modules
pam_faildelay - How long the user is delayed after failure
pam_unix - Authentication from /etc/passwd and /etc/shadow
pam_succeed_if - Set constraints on attributes like uid
pam_pwquality - Set constraints on new passwords
11. PAM - Malicious Uses
Given a user with root access to the system:
● Add a malicious module that logs user’s passwords
● Add a malicious module that sets a password backdoor
● Change the configuration to lock out users
14. Sudo
● A program that allows users to run programs with different security privileges
● sudo defaults to running as the superuser (root), allowing for greater privileges
● Different from the command su because users supply their personal password instead of root’s
● Configuration file is /etc/sudoers, which contains a list of all users allowed to sudo
15. Sudo
sudo su username -- switches user to username
sudo -i -- switches to the root user environment
sudo -s -- runs a root shell in the current directory
sudo -l -U username -- lists which commands username is allowed to run
16. Sudo Replay
To start logging for sudoreplay, run sudo visudo and add:
Defaults log_output
Defaults!/usr/bin/sudoreplay !log_output
Defaults!/sbin/reboot !log_output
sudoreplay -l (this lists all logged sudo sessions and the users that ran them)
17. setuid & setgid
Part of the “mysterious” leading digit of a four-digit chmod mode
setuid - sets the effective user of the process to the owner of the file
setgid - sets the effective group of the process to the group of the file
Generally used to grant root permissions to an executable (e.g. sudo)
19. Consequences of setuid & setgid binaries
● The system is only as secure as its root-owned setuid & setgid binaries
● GNU Screen Exploit
● Makes for fun CTF/Wargame Challenges
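Because the system is only as secure as its setuid/setgid binaries, the first defensive step is to know which ones exist. The following is an added example, not from the slides: it decodes the leading chmod digit the previous slide calls "mysterious" and inventories setuid/setgid files under a directory, using a constructed temporary tree so it runs anywhere. The file names under the temporary directory are invented for the demo.

```python
"""Added example (not from the slides): decode the leading "special" octal
digit of a chmod mode and inventory setuid/setgid files under a directory,
the first step in knowing which binaries the system's security rests on."""
import os
import stat
import tempfile


def special_bits(mode):
    """Names of the special bits set in an st_mode or octal mode such as 0o4755.
    The leading digit is the sum of 4 (setuid), 2 (setgid) and 1 (sticky)."""
    names = []
    if mode & stat.S_ISUID:
        names.append("setuid")
    if mode & stat.S_ISGID:
        names.append("setgid")
    if mode & stat.S_ISVTX:
        names.append("sticky")
    return names


def find_special(root):
    """Return sorted (relative path, octal mode, owner uid) for every regular
    file under root with setuid or setgid set.  Symlinks are not followed,
    matching what a 'find / -perm /6000 -type f' sweep reports."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((os.path.relpath(path, root),
                             oct(stat.S_IMODE(st.st_mode)), st.st_uid))
    return sorted(hits)


def demo():
    """Constructed tree: one setuid file, one setgid file, one plain file
    (names are invented for this demo)."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "bin"))
        for name, mode in (("helper", 0o4755), ("shared", 0o2755), ("plain", 0o755)):
            path = os.path.join(root, "bin", name)
            with open(path, "w") as f:
                f.write("#!/bin/sh\necho constructed\n")
            os.chmod(path, mode)
        return find_special(root)


if __name__ == "__main__":
    for rel, mode, uid in demo():
        print(rel, mode, special_bits(int(mode, 8)), "uid", uid)
```

Run the same find_special over a real root and diff the list against a saved baseline: a new root-owned setuid binary appearing outside the package manager's control is one of the simplest high-value alerts a host can raise.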
20. Capabilities
Added in Kernel 2.2 (1999)
Splits the traditional all-or-nothing privilege check (root or not) into granular capabilities
Follows the principle of least privilege
21. Capabilities - Actively in use
/usr/bin/ping = cap_net_raw+p
Because ping needs a raw socket, systems without capabilities must install ping setuid root
22. Managing Capabilities
getcap - List the capabilities for a file
setcap - set the capabilities for a file
capsh - list the capabilities for the current process
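The three capability slides above show the concept, the ping example and the tools; what they do not show is how to read the raw values those tools and the kernel expose. The following is an added example, not from the slides or from libcap: it decodes the hexadecimal CapEff mask that /proc/<pid>/status prints and parses the "cap_net_raw+p" text that getcap prints (both the older "+p" and the newer "=ep" spellings), so a defender can tell exactly what a file or process is allowed to do. The capability numbers are the ones from linux/capability.h.

```python
"""Added example (not from the slides or libcap): decode a capability bit mask
as shown in /proc/<pid>/status and parse the 'cap_net_raw+p' text that getcap
prints, so a defender can read what a file or process is actually allowed to do."""

# Capability numbers from linux/capability.h; list index == bit position.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]


def decode_caps(hex_mask):
    """Names for every bit set in a hex mask like CapEff's '0000000000002000'."""
    mask = int(hex_mask, 16)
    names = []
    bit = 0
    while mask >> bit:
        if mask >> bit & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"cap_{bit}")
        bit += 1
    return names


def parse_file_caps(text):
    """Parse getcap's capability text.  'cap_net_raw+p' (older libcap) and
    'cap_net_raw=ep' (newer libcap) use the same flag letters: p = permitted,
    e = effective, i = inheritable, applied to the comma-separated capabilities."""
    for op in ("=", "+"):
        if op in text:
            caps, flags = text.split(op, 1)
            return {"caps": caps.split(","), "flags": "".join(sorted(flags))}
    raise ValueError(f"no flag operator in {text!r}")


def process_caps(status_path="/proc/self/status"):
    """Effective capabilities of this process, read from the CapEff line of
    /proc/self/status; returns None where that file does not exist."""
    try:
        with open(status_path) as f:
            for line in f:
                if line.startswith("CapEff:"):
                    return decode_caps(line.split()[1])
    except OSError:
        return None
    return None


if __name__ == "__main__":
    print("/usr/bin/ping = cap_net_raw+p  ->", parse_file_caps("cap_net_raw+p"))
    print("this process effective caps    ->", process_caps())
```

Reading the mask is what turns a capability audit into something actionable: a process whose CapEff decodes to cap_sys_admin or cap_sys_module has effectively root-equivalent power, which is the concern the next slide's grsecurity thread raises.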
23. Capabilities - Consequences (?)
Some claim many capabilities can be abused to achieve root access
https://forums.grsecurity.net/viewtopic.php?f=7&t=2522&sid=c6fbcf62fd5d3472562540a7e608ce4e#p10271 - February 2002
24. File Access Control List (ACL)
Extends chmod
Lets you grant specific users and groups access to files and directories
Gives finer-grained permissions per file for individual users and groups
25. File ACL
getfacl <file or directory> -- shows owner, group and permissions, including ACL entries
setfacl -m user:username:rwx,group:groupname:rwx <directory> -- -m modifies the ACL
-This grants the named user and the named group read, write and execute permission on the directory
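An ACL entry does not always mean what it says: the mask entry caps the effective permissions of every named user, named group and the owning group, so a user:bob:rwx entry can effectively be r-x after a later chmod on the file. The following is an added example, not from the slides or from the acl package: it parses getfacl-style output (a constructed sample is embedded) and computes the effective permissions the way the kernel applies the mask.

```python
"""Added example (not from the slides or the acl package): parse getfacl output
and apply the mask entry, which caps what named users, named groups and the
owning group effectively get.  A 'user:bob:rwx' entry can still mean r-x."""

# Constructed getfacl output for a directory with two named entries.
SAMPLE_GETFACL = """\
# file: shared
# owner: alice
# group: devs
user::rwx
user:bob:rwx
group::r-x
group:devs:rw-
mask::r-x
other::---
"""


def parse_getfacl(text):
    """Return (header dict, ordered list of (tag, qualifier, perms))."""
    header, entries = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):                      # '# owner: alice' style header
            key, _, value = line[1:].strip().partition(":")
            header[key.strip()] = value.strip()
            continue
        line = line.split("#", 1)[0].strip()          # drop any '#effective:' annotation
        tag, qualifier, perms = line.split(":")
        entries.append((tag, qualifier, perms))
    return header, entries


def and_perms(a, b):
    """Bitwise AND of two 'rwx'-style strings, position by position."""
    return "".join(x if x == y else "-" for x, y in zip(a, b))


def effective_perms(entries):
    """Map 'tag:qualifier' -> permissions actually granted after the mask.
    The owner (user::), the mask itself and other:: are never masked."""
    mask = next((p for t, _q, p in entries if t == "mask"), None)
    result = {}
    for tag, qualifier, perms in entries:
        exempt = (tag == "user" and qualifier == "") or tag in ("mask", "other")
        result[f"{tag}:{qualifier}"] = perms if (exempt or mask is None) else and_perms(perms, mask)
    return result


def reduced_by_mask(entries):
    """Entries whose requested permissions exceed what the mask lets through,
    i.e. the lines getfacl would annotate with '#effective:'."""
    eff = effective_perms(entries)
    return [f"{t}:{q}" for t, q, p in entries if eff[f"{t}:{q}"] != p]


if __name__ == "__main__":
    header, entries = parse_getfacl(SAMPLE_GETFACL)
    print(header)
    for key, perms in effective_perms(entries).items():
        print(f"{key:12} {perms}")
    print("silently reduced:", reduced_by_mask(entries))
```

setfacl -m recalculates the mask by default, so the reduction usually appears later, when someone runs chmod g-w on the file: chmod rewrites the mask, not the group entry, and every named entry is cut down with it. Checking reduced_by_mask after a permissions change is how to catch that.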
27. Auditd
● Provides more information should an incident occur
● Designed to let admins quickly show what activity has been happening
● Rule-based, so it can be hard to manage
32. SSHD
The SSH service (SSH daemon)
Config located in /etc/ssh/sshd_config
Restart the ssh or sshd service after every change to the config file
33. SSHD Config
After opening the sshd config, set:
# stops root from logging in over ssh
PermitRootLogin no
# uses key authentication for login over ssh
PubkeyAuthentication yes
# file checked for the user’s public keys
AuthorizedKeysFile .ssh/authorized_keys
# disables password login
PasswordAuthentication no
# no empty passwords
PermitEmptyPasswords no
# use PAM settings
UsePAM yes
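A detail the config slide relies on but does not state: sshd honours the first occurrence of each keyword, so a hardening line pasted at the bottom of a file that already says PasswordAuthentication yes changes nothing. The following is an added example, not from the slides or from OpenSSH: it parses an sshd_config the way sshd does (first value wins, everything after the first Match block is conditional) and compares the effective settings with the values recommended above. The sample config is constructed; the defaults table is taken from the sshd_config(5) documented defaults.

```python
"""Added example (not from the slides or OpenSSH): audit an sshd_config against
the settings on the slide.  sshd honours the FIRST occurrence of each keyword,
so a hardening line appended below an earlier 'PasswordAuthentication yes'
does nothing; this parser reproduces that rule."""

WANTED = {  # keyword (lower-cased) -> value the slide recommends
    "permitrootlogin": "no",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "usepam": "yes",
}

# What applies when a keyword is absent, per sshd_config(5) (modern OpenSSH).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "usepam": "no",
}

# Constructed sample, not a real host's file.  Comments sit on their own
# lines, which is the only comment form sshd_config(5) promises to accept.
SAMPLE_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# the line above is the first occurrence, so it is the one sshd uses
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Effective global settings: first value wins; Match blocks are left out
    because their settings apply only to the matched connections."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)        # first occurrence wins, like sshd
    return settings


def audit_sshd_config(text):
    """List of human-readable findings where the effective value differs
    from the recommended one."""
    settings = parse_sshd_config(text)
    findings = []
    for key, want in WANTED.items():
        have = settings.get(key)
        if have is None:
            if DEFAULTS[key] != want:
                findings.append(f"{key}: not set, OpenSSH default '{DEFAULTS[key]}' applies; set to '{want}'")
        elif have.lower() != want:
            findings.append(f"{key}: is '{have}', want '{want}'")
    return findings


if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE_CONFIG):
        print(finding)
```

After editing the real file, `sshd -t` checks the syntax before the restart the previous slide calls for; this audit catches the silent case where the syntax is fine but an earlier line still wins.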
35. iptables
iptables lets you set firewall rules for the whole system, opening and closing ports
It can also block or allow specific IP addresses
For security, open only the IP addresses and ports that are needed; unused ports should not be left open
36. Firewalld and UFW
Both of these programs interface with iptables and write to its ruleset, but are easier to use
firewalld - acts as an API over iptables to add/remove/view rules; default in CentOS/Fedora
UFW - full GUI built to be used standalone but uses iptables to add/remove/view rules; default in Ubuntu
37. Firewalld/Firewall-cmd
Start on boot = sudo systemctl enable firewalld
Start in session = sudo systemctl start firewalld
Status = sudo firewall-cmd --state
Add rule = sudo firewall-cmd --zone=public --add-service=https --permanent (https or any other service; --permanent if you want the rule to persist)
Reload rules = sudo firewall-cmd --reload
40. AIDE - Linux Configuration
Linux is primarily configured through text files
Users - /etc/passwd
Passwords - /etc/shadow
Authentication - /etc/pam.d/*
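Because these are plain text files, the checks a defender runs over them are plain text too. The following is an added example, not from the slides: it parses constructed /etc/passwd and /etc/shadow contents and reports the misconfigurations to look for first, an extra uid-0 account, an empty password field on an account with a login shell, and a password hash left in world-readable /etc/passwd. All account names and hashes in the sample are invented.

```python
"""Added example (not from the slides): sanity-check /etc/passwd and /etc/shadow
contents for the misconfigurations a defender looks for first: extra uid-0
accounts, empty password fields, and hashes left in world-readable /etc/passwd."""

# Constructed samples; every name, hash and salt below is invented.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc:x:0:1001:constructed service account:/var/svc:/bin/sh
bob:x:1001:1001:Bob:/home/bob:/bin/bash
legacy:$1$constructed$hashgoeshere:1002:1002:Legacy:/home/legacy:/bin/bash
"""

SHADOW = """\
root:$6$constructedsalt$constructedhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$constructedsalt$constructedhash:19000:0:99999:7:::
svc::19000:0:99999:7:::
bob:!:19000:0:99999:7:::
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Rows of /etc/passwd: name:passwd:uid:gid:gecos:home:shell."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, pw, uid, gid, gecos, home, shell = line.split(":")
        rows.append({"name": name, "passwd": pw, "uid": int(uid), "gid": int(gid),
                     "gecos": gecos, "home": home, "shell": shell})
    return rows


def parse_shadow(text):
    """name -> password field of /etc/shadow ('' means no password at all;
    '*' and '!' mean the account is locked)."""
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        fields[parts[0]] = parts[1]
    return fields


def audit_accounts(passwd_text, shadow_text):
    """Return (user, issue) findings in /etc/passwd order."""
    shadow = parse_shadow(shadow_text)
    findings = []
    for row in parse_passwd(passwd_text):
        name, pw = row["name"], row["passwd"]
        if row["uid"] == 0 and name != "root":
            findings.append((name, "uid 0 account other than root"))
        if pw == "":
            findings.append((name, "empty password field in /etc/passwd"))
        elif pw == "x":                                 # password lives in /etc/shadow
            if name not in shadow:
                findings.append((name, "no /etc/shadow entry"))
            elif shadow[name] == "" and row["shell"] not in NOLOGIN_SHELLS:
                findings.append((name, "empty password field in /etc/shadow with a login shell"))
        elif pw not in ("*", "!"):                      # anything else is a hash in the open
            findings.append((name, "password hash stored in /etc/passwd"))
    return findings


if __name__ == "__main__":
    for user, issue in audit_accounts(PASSWD, SHADOW):
        print(f"{user}: {issue}")
```

On a real host, read the two files with root privileges and feed their text to audit_accounts; a second uid-0 account or an empty shadow field is also exactly the kind of change the AIDE and auditd slides above are meant to surface.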
45. Security Content Automation Protocol
NIST standard that enables automated configuration of a secure environment
Linux implementation - OpenSCAP
GUI - SCAP Workbench