Operating System Security A Windows and UNIX Introduction


Page 1: Operating System Security A Windows and UNIX Introduction

Operating System Security

A Windows and UNIX Introduction

Page 2: Operating System Security A Windows and UNIX Introduction

UNIX Security

Unix is a multi-user computing environment with multitasking capabilities. It is widely used because it is generally more stable, more reliable and more scalable than most other operating systems.

Typical Uses:
- Enterprise Resource Planning (SAP, PeopleSoft, Oracle, etc.)
- Engineering Applications (CAD/CAM, process controllers, etc.)
- Electronic Commerce (web servers, transaction processors, etc.)
- Database Servers (Oracle, Informix, etc.)
- Firewalls (Checkpoint Firewall-1, Sidewinder, etc.)

Page 3: Operating System Security A Windows and UNIX Introduction

Some UNIX History

Unix was developed at AT&T Bell Labs in 1969.

By the early 1970s, it was rewritten to make it an “open” system with portability.

As an open system, Unix became widespread as universities and others began using it more and more.

Two UNIX code bases became dominant; most subsequent Unix variants are based on them:
- System V - AT&T
- BSD - Berkeley Software Distribution

Page 4: Operating System Security A Windows and UNIX Introduction

UNIX Features

- Written in the C programming language.
- First to include TCP/IP in computers. This made possible the Internet and the World-Wide Web.
- Linux is based on Unix.
- Unix runs most Internet Service Providers.
- Unix is generally insecure upon default installation and is one of the most vulnerable operating systems to hackers.

Page 5: Operating System Security A Windows and UNIX Introduction

Unix Architecture - Shells

[Diagram: the Login Program starts the user's Shell Program (C, Bourne, Korn), which sends the user's commands to the system.]

Page 6: Operating System Security A Windows and UNIX Introduction

User Accounts - Overview

Every person who uses a UNIX computer system must have an account or username to log in with.

Each account is identified by a user identification number (“UID”).

All accounts are stored in the /etc/passwd file. Each user has a line in /etc/passwd.

When a user logs in, UNIX needs the password file to authenticate the user and execute several start-up files.

Page 7: Operating System Security A Windows and UNIX Introduction

Users - The /etc/passwd file

daemon:*:1:1::/tmp:
root:diw&5kdiwlj^#:0:1::/:
ftp:*:2:2:FTP User:/usr/spool/ftp
bobp:Je834,dfsjiv@:10:5:Bob Paris:/home/admin:/bin/sh
rodj:9Iuh,.KjhgTr4:10:5:Rod Jackson:/home/admin:/bin/sh
kevl:M,mnnh875Jkg:100:100:Klevrone:/home/acc:/bin/sh
leel:8JHgjgj45d.,L:102:100:LeeLabrada:/home/acc/:bin/sh

Page 8: Operating System Security A Windows and UNIX Introduction

/etc/passwd - The username

bobp:Je834,dfsjiv@:10:5:BobParis:/home/admin:/usr/bin/sh

- can be 1-8 characters in length
- can be alphabetic or numeric
- problems with special characters

Page 9: Operating System Security A Windows and UNIX Introduction

/etc/passwd - Passwords

bobp:Je834,dfsjiv@:10:5:Bob Paris:/home/admin:/usr/bin/sh

passwords encrypted using DES

an asterisk (*) means EITHER: account is revoked or there is a shadow password file – to explain later

if blank, then the account has no password

NP is also sometimes used to lock an account

Page 10: Operating System Security A Windows and UNIX Introduction

/etc/passwd - User ID numbers (UID)

bobp:Je834,dfsjiv@:10:5:Bob Paris:/home/admin:/usr/bin/sh

- UID 0-9 used for system accounts.
- Unix identifies users by UID, not username; i.e. 10 users can have the same UID.
- UID = 0 assigns superuser privileges.

Page 11: Operating System Security A Windows and UNIX Introduction

/etc/passwd - Group ID (GID)

bobp:Je834,dfsjiv@:10:5:Bob Paris:/home/admin:/usr/bin/sh

- GID defines the user’s primary group.
- GID = 0 assigns the superuser group.
- Users can belong to more than one group. This is evidenced by being included in several groups in the /etc/group file.

Page 12: Operating System Security A Windows and UNIX Introduction

/etc/passwd - The GECOS field

bobp:Je834,dfsjiv@:10:5:Bob Paris:/home/admin:/usr/bin/sh

- General Electric Computer Operating System
- free text field (should be meaningful)
- used as output for the finger command

Page 13: Operating System Security A Windows and UNIX Introduction

/etc/passwd - Home directory

bobp:Je834,dfsjiv@:10:5:Bob Paris:/home/admin:/usr/bin/sh

- location of the user’s startup files
- includes the user’s .profile file
- default directory after login

Page 14: Operating System Security A Windows and UNIX Introduction

/etc/passwd - The shell field

bobp:Je834,dfsjiv@:10:5:Bob Paris:/home/admin:/usr/bin/sh

- different types of Unix shells
- can be something like /prod/payroll/menu
- a blank defaults to the Bourne Shell (/bin/sh)

Page 15: Operating System Security A Windows and UNIX Introduction

Password Security

Different flavors of UNIX provide different levels of account and password controls:
- password aging
- minimum password length
- alpha-numeric passwords
- account lockout

Page 16: Operating System Security A Windows and UNIX Introduction

Shadowed Passwords

UNIX requires all users to be able to read /etc/passwd for login purposes.

To protect the encrypted password against users with password guessers, a shadow file is used:
- /etc/shadow (Sun), /etc/security/passwd (AIX)
- The encrypted password is produced by a one-way hash algorithm
- Format of entries is different among Unix variants
- Your participant guide has standard shadow names!

Page 17: Operating System Security A Windows and UNIX Introduction

/etc/shadow

Entry format (Sun): username:password:lastchg
Sample: markmcguire:cob6j4NEL3H7Q:9827

password: A 13-character encrypted password for the user, a lock string to indicate that the login is not accessible, or no string, which shows that there is no password for the login.

lastchg: The number of days between January 1, 1970, and the date that the password was last modified.
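As an added example (not from the slides), the following Python code audits entries in the Sun shadow format described above: it classifies the password field into the three cases the slide lists and converts lastchg into a date so password age can be checked. The sample lines are constructed, *LK* is assumed as one possible lock string, and the 90-day limit is an assumed aging policy.

```python
import string
from datetime import date, timedelta

# Constructed sample in the Sun format from the slide (username:password:lastchg);
# the hash, lock string and day counts are made up for illustration.
SAMPLE_SHADOW = """\
markmcguire:cob6j4NEL3H7Q:9827
sysacct:*LK*:9827
nopass::9827
"""
EPOCH = date(1970, 1, 1)
CRYPT_CHARS = set(string.ascii_letters + string.digits + "./")  # alphabet of crypt(3) output

def classify_password(field):
    """Map the password field to the three cases the slide describes."""
    if field == "":
        return "no password"        # empty field: the login has no password
    if len(field) == 13 and set(field) <= CRYPT_CHARS:
        return "des hash"           # 13-character DES crypt string
    return "locked"                 # anything else is a lock string ('*', 'NP', '*LK*', ...)

def parse_shadow_line(line):
    username, password, lastchg = line.rstrip("\n").split(":")
    return {"user": username, "password": password,
            "lastchg": int(lastchg) if lastchg else None}

def lastchg_to_date(days):
    """lastchg counts days since 1 January 1970."""
    return EPOCH + timedelta(days=days)

def audit_shadow(text, today, max_age_days=90):
    """Flag logins with no password and hashes older than the aging limit."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_shadow_line(line)
        kind = classify_password(entry["password"])
        if kind == "no password":
            findings.append((entry["user"], "no password set"))
        elif kind == "des hash" and entry["lastchg"] is not None:
            age = (today - lastchg_to_date(entry["lastchg"])).days
            if age > max_age_days:
                findings.append((entry["user"], f"password {age} days old"))
    return findings
```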

Page 18: Operating System Security A Windows and UNIX Introduction

Default Accounts

Default user IDs are common to most systems (therefore known and attacked). These IDs are powerful system IDs that are used by the kernel to run applications and internal processes.

Typical Unix default accounts:

root, adm, bin, dev, daemon, sync, sys, lp, nobody, listen, uucp

Access must be controlled. No system user ID (except root) should be able to login and obtain a prompt!

Applications and databases often create a default user account when they are being installed. If root is installing the program these install user IDs could be powerful and are usually not needed after installation. Administrators often fail to remove these accounts.

Example accounts: oracle, informix, sap, tivoli, tng
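An added example, not from the slides, that applies the /etc/passwd field rules from the earlier slides (UID 0 means superuser, a blank password field means no password, several users may share a UID, a blank shell field means /bin/sh) together with this slide's rule that no system account except root should get a login prompt. The sample file is constructed from the slides' listing with made-up hashes; the NOLOGIN_SHELLS set is an assumption about conventional non-interactive shells.

```python
# Constructed sample /etc/passwd modelled on the slides' listing; hashes are made up.
SAMPLE_PASSWD = """\
root:diw&5kdiwlj^#:0:1::/:/bin/sh
daemon:*:1:1::/tmp:
lp:x8Hd7sjk3Lm.q:7:7::/usr/spool/lp:
bobp:Je834,dfsjiv@:10:5:Bob Paris:/home/admin:/bin/sh
rodj:9Iuh,.KjhgTr4:10:5:Rod Jackson:/home/admin:/bin/sh
oracle::200:200:Oracle install:/opt/oracle:/bin/sh
sysadm2:Kj8,dfs3Llq.w:0:1:second root:/:/bin/sh
"""
# Default system accounts named on the "Default Accounts" slide.
DEFAULT_ACCOUNTS = {"root", "adm", "bin", "dev", "daemon", "sync", "sys", "lp", "nobody", "listen", "uucp"}
# Conventional non-interactive shells (an assumption; the slides do not list any).
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}
FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")

def parse_passwd(text):
    entries = []
    for line in filter(None, text.splitlines()):
        parts = line.split(":")
        if len(parts) != 7:
            raise ValueError(f"malformed entry: {line!r}")
        entry = dict(zip(FIELDS, parts))
        entry["uid"], entry["gid"] = int(entry["uid"]), int(entry["gid"])
        entries.append(entry)
    return entries

def can_login(entry):
    """True when the password field is not a lock marker and the shell gives a prompt."""
    pw = entry["password"]
    locked = pw == "NP" or pw.startswith("*")  # slide: '*' or 'NP' locks the account
    shell = entry["shell"] or "/bin/sh"        # slide: a blank shell field means /bin/sh
    return not locked and shell not in NOLOGIN_SHELLS

def audit_passwd(text):
    findings, uid_owners = [], {}
    for e in parse_passwd(text):
        uid_owners.setdefault(e["uid"], []).append(e["name"])
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((e["name"], "extra UID 0 (superuser) account"))
        if e["password"] == "":
            findings.append((e["name"], "no password"))
        system = e["name"] in DEFAULT_ACCOUNTS or 0 < e["uid"] < 10
        if system and e["name"] != "root" and can_login(e):
            findings.append((e["name"], "system account can log in and get a prompt"))
    for uid, names in uid_owners.items():
        if len(names) > 1:  # the kernel cannot tell these users apart
            findings.append((",".join(names), f"share UID {uid}"))
    return findings
```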

Page 19: Operating System Security A Windows and UNIX Introduction

Generic Accounts

Administrators more interested in flexibility than security often assign users generic user accounts. Generic user accounts are user IDs that represent a group, class, or department of users instead of the name of an individual.

Samples: guest, trainer, student, accounting, accounts_payable, operator, helpdesk, sales, consultant, temp1

Unless needed, generic accounts are generally a BAD idea because they fail to assign responsibility for the user ID’s actions to a specific individual.

Good practices for user IDs: employee number, employee name, specific identification of consultants and temporary employees

Page 20: Operating System Security A Windows and UNIX Introduction

Superusers

Commonly called “root”. Any account with UID number 0 is a superuser. Superusers can:
- override all file permissions
- bypass all normal security checks
- create new users

Page 21: Operating System Security A Windows and UNIX Introduction

Hacking Superusers

A HACKER’S GOAL IS TO BECOME THE ROOT USER

Once users have become root they may:

Modify log files to cover their tracks

Add users they can use later to access the system

Install backdoor programs to gain later access or to launch malicious code, such as distributed denial of service attacks (e.g. Yahoo, CNN, etc.)

Install daemons that capture and transmit sensitive information to the hackers

Page 22: Operating System Security A Windows and UNIX Introduction

File Permissions in UNIX

For a directory:
- r (read): list (ls) the directory's contents
- w (write): add or remove files in the directory
- x (execute): make the directory your current directory; open files within the directory

Page 23: Operating System Security A Windows and UNIX Introduction

TCP Wrappers - Overview

TCP wrapper is a mechanism for providing access control.

It is a program allowing you to control which hosts your inet daemons will accept connections from.

- Can be done on the basis of service (e.g. ftpd, telnetd, etc.)
- Has support for wildcards (e.g. *.ncsa.uiuc.edu)
- Can be configured strict (e.g. only allow connections from *.ncsa.uiuc.edu)
- Can be configured loose (e.g. allow connections from everyone but *.spam.net)
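An added example, not part of the slides or of the TCP Wrappers package itself: a simplified Python model of how hosts.allow and hosts.deny rules are evaluated, with the strict and loose policies from the slide written as rules. It assumes the hosts_access(5) evaluation order (a match in hosts.allow grants, otherwise a match in hosts.deny refuses, otherwise access is granted) and accepts the slide's *.domain notation alongside the leading-dot form the real syntax uses; operators such as EXCEPT are left out.

```python
def pattern_matches(pattern, host):
    """Match one client pattern against a client host name or address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("*."):          # slide notation; treated like the leading-dot form
        pattern = pattern[1:]
    if pattern.startswith("."):           # domain suffix, e.g. .ncsa.uiuc.edu
        return host.endswith(pattern)
    if pattern.endswith("."):             # network prefix, e.g. 141.142.
        return host.startswith(pattern)
    return host == pattern                # otherwise an exact host name or address

def rule_matches(rule, daemon, host):
    """A rule is 'daemon_list : client_list', each a comma-separated list."""
    daemons, clients = (part.strip() for part in rule.split(":", 1))
    daemon_ok = any(d.strip() in ("ALL", daemon) for d in daemons.split(","))
    client_ok = any(pattern_matches(c.strip(), host) for c in clients.split(","))
    return daemon_ok and client_ok

def hosts_access(allow_rules, deny_rules, daemon, host):
    """hosts.allow match grants, hosts.deny match refuses, otherwise grant."""
    if any(rule_matches(r, daemon, host) for r in allow_rules):
        return True
    if any(rule_matches(r, daemon, host) for r in deny_rules):
        return False
    return True                           # neither file matched: wrappers allow by default

# Strict policy from the slide: only ncsa.uiuc.edu hosts may reach any wrapped daemon.
STRICT_ALLOW = ["ALL : .ncsa.uiuc.edu"]
STRICT_DENY = ["ALL : ALL"]
# Loose policy from the slide: everyone except spam.net hosts.
LOOSE_ALLOW = []
LOOSE_DENY = ["ALL : .spam.net"]

def decide(policy, daemon, host):
    """Evaluate the named policy ('strict' or 'loose') for one connection."""
    allow, deny = (STRICT_ALLOW, STRICT_DENY) if policy == "strict" else (LOOSE_ALLOW, LOOSE_DENY)
    return hosts_access(allow, deny, daemon, host)
```

The strict policy is the safer default: it fails closed for any host the allow file does not name, whereas the loose policy admits every host that nobody thought to deny.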

Page 24: Operating System Security A Windows and UNIX Introduction

Job Scheduling - Cron

Cron is a clock daemon that starts a process that executes commands at specified dates and times.

Regularly scheduled commands can be specified according to instructions found in crontab files in the directory /var/spool/cron/crontabs.

Users can submit their own crontab file using the crontab command.

Cron only examines crontab files during its own process initialization phase and when the crontab or “at” command is run.

Page 25: Operating System Security A Windows and UNIX Introduction

CRON – Cont’d

All executables and files referenced by cron should NOT be world-readable or world-writeable!

Usually administrators are the only ones with a need to use cron. If users have access to execute the crontab command, ask why there is a need.
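An added example, not from the slides: a Python check for the rule on the CRON slide that files referenced by cron must not be world-readable or world-writable. It parses a crontab in the five-field "min hour dom mon dow command" layout, finds the program each line runs and reports the offending mode bits; demo() builds a constructed scenario in a temporary directory, and the file names in it are made up.

```python
import os
import stat
import tempfile

def crontab_commands(text):
    """Yield the program named on each active crontab line (min hour dom mon dow command)."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue                        # no command after the five schedule fields
        yield fields[5].split()[0]          # first word of the command is the program run

def permission_problems(path):
    """Return the world-access bits the slide says cron-referenced files must not carry."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return ["missing"]                  # a dangling reference is worth a look too
    problems = []
    if mode & stat.S_IWOTH:
        problems.append("world-writable")   # anyone could replace what cron will run as root
    if mode & stat.S_IROTH:
        problems.append("world-readable")
    return problems

def audit_crontab(text):
    """Map each program referenced by the crontab to its list of problems."""
    return {path: permission_problems(path) for path in crontab_commands(text)}

def demo():
    """Constructed scenario: a throwaway directory with one safe and one world-writable script."""
    workdir = tempfile.mkdtemp()
    safe = os.path.join(workdir, "backup.sh")
    loose = os.path.join(workdir, "rotate.sh")
    for path, mode in ((safe, 0o700), (loose, 0o777)):
        with open(path, "w") as f:
            f.write("#!/bin/sh\necho running\n")
        os.chmod(path, mode)
    crontab = f"# nightly jobs\n0 2 * * * {safe} /home\n30 3 * * 0 {loose} --all\n"
    return audit_crontab(crontab)

if __name__ == "__main__":
    for path, problems in demo().items():
        print(path, problems or "ok")
```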

Page 26: Operating System Security A Windows and UNIX Introduction

Audit Subsystem and Audit Files

UNIX has limited auditing capabilities. Basic audit features are provided for logging:
- Last logins
- Login and logout
- Failed logins
- System accounting
- Use of the su command
- System events

Page 27: Operating System Security A Windows and UNIX Introduction

Sample Audit Files

- acct/pacct: records user commands
- lastlog: records each user's last login
- loginlog: records failed logins
- messages: records syslog messages
- sulog: records su attempts
- utmp: records each user currently logged in
- wtmp: records logins and logouts