ITIS 3110 System Auditing


ITIS 3110 System Auditing
overview
- UNIX history
- Installed software
- System services
- Open ports (network services)
- Running processes
- Account and permission management

system auditing
- Some of this lecture may be familiar
- Bits and pieces have come up during labs
- Aim is to tie some of these things together

why unix?
- Usage share charts (source: http://en.wikipedia.org/wiki/Usage_share_of_operating_systems#Servers)
  - Servers: UNIX/Linux/etc vs. MS Windows
  - Super computers (same reference as above)

why unix?
- According to W3Techs (Aug 2011), 64% of all web servers are Unix based
  - Most of these are Linux
- Does not include Unix derived infrastructure equipment
  - home based routers, Cisco IOS, etc
- Does not include mobile platforms
  - yes, android phones run a Linux kernel
unix family (family tree diagram)

unix history
- Two main branches to be concerned with
  - AT&T System V: derived from UNIX developed at Bell Labs
  - BSD: re-implementation from Berkeley

System V vs. BSD
- System V and BSD tend to do things differently
  - Due to schism in the 1970's
- Linux inherits quirks from both families
  - Can be seen in system commands
    - ps -ef (System V)
    - ps aux (BSD)
linux family (family tree diagram)

package management
- Software on most Linux machines is split into packages
- A package manager is used to perform tasks related to packages

pm capabilities
- Searching
- Downloading
- Dependency detection and resolution
- Conflict detection and resolution
- Installation
- Configuration
- Upgrading
- Removing
- Verification
- Determining ownership of files

types
- Package managers are usually split into two categories
  - Simple package managers
  - Front-ends

types
- Simple package managers have been around almost as long as Linux
- Front-ends add functionality to a simple package manager
  - dependency resolution
  - network access
  - graphical user interface

rpm
- rpm package manager (originally Red Hat Package Manager)
- Developed by Red Hat
- Part of the Linux Standards Base
- Used in: CentOS, Novell Netware, IBM AIX, many others
dpkg
- Developed for Debian Linux, circa 1993
- Comparable to RPM
- Used by many Linux distributions
- Used by fink on OS X

rpm front-ends
- yum is de facto standard
  - Yellowdog Updater, Modified
  - Developed at Duke
- up2date is used by Red Hat for paying customers
- Others

dpkg front-ends
- Many, many front-ends available
- Command line front-ends: aptitude, apt-get
- Graphical front-end: synaptic

look familiar?
- You have used two package manager front-ends in your labs
  - aptitude (Debian)
  - yum (CentOS)

package listings
- yum: updates package listings automatically
- aptitude: aptitude update

updating packages
- yum: yum update
- aptitude: aptitude safe-upgrade, aptitude dist-upgrade

Inspecting installed packages

  Function    RPM                 DPKG
  installed   rpm -qa             dpkg -l
  contents    rpm -ql package     dpkg -L package
  owner       rpm -qf path        dpkg -S filename

Verifying files
- rpm can verify files on disk using stored metadata
  - rpm -Va
  - rpm -V package
  - rpm -Vf path

rpm verify
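The verify output rpm -Va produces is terse: a string of attribute flags, an optional file-type marker and the path. The script below is an added example for this lecture (not part of the original slides) that reads that output and reports the files an auditor cares about most: missing files and files whose digest, mode or ownership no longer match the package database, while skipping config files that are expected to have been edited. The rpm -Va sample is constructed for the example; on a real host the pipeline is `rpm -Va | rpm_verify_findings`.

```shell
#!/bin/sh
# Constructed sample of `rpm -Va` output; not captured from a real host.
# Column 1 is the attribute string (S size, M mode, 5 digest, D device,
# L link, U user, G group, T mtime, P capabilities; '.' = unchanged;
# older rpm prints 8 characters without P). An optional second column
# marks the file type: c = config, d = documentation, g = ghost.
SAMPLE_RPM_V='S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /bin/ls
.M.......    /usr/bin/passwd
missing      /sbin/ifconfig
.......T.    /usr/lib64/libz.so.1
.....UG..    /var/log/messages'

# Reads rpm -V output on stdin and prints one finding per line for files
# that are missing, or whose digest (5), mode (M) or owner/group (U/G)
# changed. Config files (c) are skipped: they are expected to differ once
# an admin has edited them, so they belong in a separate review.
rpm_verify_findings() {
    awk '
        $1 == "missing"         { print "MISSING", $NF; next }
        NF == 3 && $2 == "c"    { next }
        substr($1, 3, 1) == "5" { print "DIGEST", $NF; next }
        substr($1, 2, 1) == "M" { print "MODE", $NF; next }
        substr($1, 6, 1) == "U" || substr($1, 7, 1) == "G" { print "OWNER", $NF }
    '
    return 0
}

# Number of findings in the constructed sample.
rpm_verify_finding_count() {
    printf '%s\n' "$SAMPLE_RPM_V" | rpm_verify_findings | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_RPM_V" | rpm_verify_findings
```

A changed digest on a binary such as /bin/ls with no corresponding package update is exactly the "replaced system utility" case discussed at the end of the lecture; a changed mtime alone (the T flag) is usually harmless and is deliberately not reported.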

linux boot sequence
- Linux kernel only calls one process: init
- init handles loading processes and services
- Majority of Linux systems use an init based on System V
System V init
- based on concept of run levels
- Configuration is in /etc/inittab
- services started by each run level in /etc/rc?.d/ where ? is the run level

run levels
- Run levels usually numbered 0-6
- Others can exist (e.g. S)
- Meaning of each run level usually described in /etc/inittab
standard run levels
  0  Halt the system
  1  Single user
  2  Multi-user (without NFS)
  3  Multi-user
  4  unused
  5  Multi-user, graphical mode
  6  reboot

Notes:
- System may only be in one runlevel at a time
- 0 and 1 are usually used to debug
- Various distros may interpret differently

debian run levels
- 2-5 are multi-user
- S - system initialization

centos run levels
- 0 - halt
- 1 - single user
- 2 - multi-user without NFS (no networking)
- 3 - full multi-user
- 5 - X11
- 6 - reboot

default run level
- Default run level is stored in /etc/inittab: id:3:initdefault:
- Current and previous run level can be checked with runlevel
    # sudo runlevel
    N 3
- Run level can be changed with telinit

/etc/rc?.d/
- Contains links to service scripts in /etc/init.d/
- Starting and stopping services:
  - K##service stops service in this run level
  - S##service starts service in this run level
  - Where ## is a number
- Scripts are started or stopped in alphabetic order

/etc/init.d/
- Contains scripts to start and stop services
- Service scripts have a minimum of three options: start, stop, restart
- Other options may be supported: status, reload

Notes:
- varies by system
- service command can control too
  - Tries to be the same between systems

services
- Most services are daemons
  - Daemons: programs running in background
  - No open terminal
- Services are started and stopped from scripts in /etc/init.d/
- Services include things like networking, web servers, X11

services
- Running services increase potential attack vectors
- Unused services should be disabled
  - Removing is a better option if practical
- Running services take up resources

disabling services
- Services can be disabled by moving S##service in all /etc/rc?.d/ directories to K##service
- Most distributions provide helper utilities
  - chkconfig (CentOS)
  - update-rc.d (Debian)

disabling services
CentOS
  /etc/init.d/service stop
  chkconfig service off
Debian
  /etc/init.d/service stop
  rm /etc/rc?.d/[SK]??service
  update-rc.d service stop ## 0 1 2 3 4 5 6 S .
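To make the S##/K## mechanism from the last three slides concrete, here is an added example (written for this lecture, not taken from the slides or from any distribution's tooling) that builds a throwaway System V layout under a temp directory, lists which services a run level starts and in what order, and performs the manual "rename S## to K##" disable. Service names, sequence numbers and run levels are constructed; nothing under the real /etc is touched.

```shell
#!/bin/sh
# Build a throwaway System V style layout under a temp directory so the
# functions below run without touching the real /etc. The service names,
# sequence numbers and run levels are constructed for this example.
make_rc_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/init.d" "$root/etc/rc2.d" "$root/etc/rc3.d" "$root/etc/rc5.d"
    for svc in sshd httpd telnet; do
        printf '#!/bin/sh\necho "%s $1"\n' "$svc" > "$root/etc/init.d/$svc"
        chmod 755 "$root/etc/init.d/$svc"
    done
    # S##name links are run in alphabetic order, so the number orders startup.
    for lvl in 2 3 5; do
        ln -s ../init.d/sshd   "$root/etc/rc$lvl.d/S20sshd"
        ln -s ../init.d/telnet "$root/etc/rc$lvl.d/S30telnet"
        ln -s ../init.d/httpd  "$root/etc/rc$lvl.d/S80httpd"
    done
    printf '%s\n' "$root"
}

# Services that start in a run level, in start order: the S## links of
# /etc/rc<level>.d/ with the prefix stripped.
enabled_services() {   # $1 = root, $2 = run level
    for link in "$1/etc/rc$2.d"/S[0-9][0-9]*; do
        [ -L "$link" ] || continue
        basename "$link" | sed 's/^S[0-9][0-9]//'
    done
    return 0
}

# The manual disable the slides describe: rename every S##service link in
# every rc?.d directory to K##service, keeping the sequence number, so the
# service is stopped rather than started when that run level is entered.
disable_service() {   # $1 = root, $2 = service name
    for link in "$1"/etc/rc?.d/S[0-9][0-9]"$2"; do
        [ -L "$link" ] || continue
        dir=$(dirname "$link"); name=$(basename "$link")
        mv "$link" "$dir/K${name#S}"
    done
    return 0
}

# Stand-alone run: run level 3 before and after disabling telnet.
rc_demo() {
    root=$(make_rc_tree)
    echo "run level 3 before: $(enabled_services "$root" 3 | tr '\n' ' ')"
    disable_service "$root" telnet
    echo "run level 3 after:  $(enabled_services "$root" 3 | tr '\n' ' ')"
    ls "$root/etc/rc3.d"
    rm -rf "$root"
}
rc_demo
```

Renaming only changes what happens at the next run level change; a daemon that is already running has to be stopped with its init.d script first, which is why both slides list the stop command before the disable step.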

Resume 9/29

network services
- Knowing what ports are open on a system is important to keeping it secure
- Disabling unused services will limit the number of ports available to crackers checking open ports
- netstat is your friend when dealing with networking
  - display routing table: netstat -r
  - display open ports: netstat -atunp
- See next page for explanations

netstat options
  -a  show listening and non-listening sockets
  -t  TCP
  -u  UDP
  -n  do not resolve host or port names
  -p  show process names and IDs (root only)
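The useful part of netstat -atunp output for auditing is the set of listening sockets and which process owns each one. The following added example (written for this lecture; it is not from the slides) parses that output and compares it against a baseline list of expected ports, printing anything that is listening but undocumented. Both the netstat output and the baseline are constructed; on a real host the pipeline is `sudo netstat -atunp | unexpected_listeners`.

```shell
#!/bin/sh
# Constructed `netstat -atunp` output (not from a real host). The program
# column is only filled in when netstat runs as root.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1021/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1210/master
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN      2932/unknown-bin
tcp        0     52 10.0.0.5:22             10.0.0.9:51122          ESTABLISHED 2044/sshd: alice
tcp6       0      0 :::80                   :::*                    LISTEN      1302/httpd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           870/dhclient
udp        0      0 0.0.0.0:4444            0.0.0.0:*                           2932/unknown-bin'

# Ports a known-good build of this (constructed) host is expected to serve.
# In practice the list is recorded from a freshly built machine and kept
# with the system documentation.
BASELINE_PORTS='tcp/22
tcp/25
tcp6/80
udp/68'

# Reads netstat -atunp output on stdin and prints "proto/port pid/program"
# for each listening socket. TCP sockets are listening when State is
# LISTEN; UDP has no state column, so every bound UDP socket is reported.
listening_sockets() {
    awk '
        ($1 == "tcp" || $1 == "tcp6") && $6 == "LISTEN" {
            n = split($4, a, ":"); print $1 "/" a[n], $7; next }
        ($1 == "udp" || $1 == "udp6") {
            n = split($4, a, ":"); print $1 "/" a[n], $6 }
    '
    return 0
}

# Listening sockets that are not in the baseline: each one is either a new
# service to document or something to investigate.
unexpected_listeners() {
    listening_sockets | while read -r sock prog; do
        printf '%s\n' "$BASELINE_PORTS" | grep -qxF "$sock" || printf '%s %s\n' "$sock" "$prog"
    done
    return 0
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners
```

The split on ":" takes the last field so that IPv6 addresses such as :::80 yield the port correctly; the -n option matters here because resolved service names would not match the numeric baseline.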

iptables
- iptables is the current firewall in Linux
  - also for NAT
- Many systems ship with it enabled by default
- If you are having odd problems, check to see if it is running
  - It usually is controlled from /etc/init.d/
- Firewalls are recommended, but checking it is an important troubleshooting step

iptables

running processes
- ps is the quintessential tool to view the process list
- ps aux
  - a, u and x are separate options
  - can be in any order
  - view all processes on a system
- ps auxww
  - for piping to another command
- ps faux
  - view processes as a forest
  - child processes are shown below parent

Note:
- "-" is "not needed" for some options
- indeed ps aux and ps -aux are different options
- -a is different than a

ps popular options
  f  show process hierarchy (forest)
  a  show processes belonging to all users
  u  display user-oriented format
  x  include processes without a TTY (TTY == teletype == interactive process)
  w  wide output; twice (ww) is unlimited output

top
- top: interactive way to view the process list
- From a CLI terminal:
  - < and > change the sort column
  - 1 toggles individual and combined CPU views
  - z enables color output

lsof
- lsof displays open files and internet sockets
- Tons of options!

cron and at
- cron: daemon that runs jobs at set intervals
  - cron jobs repeat
  - Does not run if machine is off; use anacron
- at: daemon that runs a job at a specified time
  - an at job is only run once

cron
- crontab -l to view your cron jobs
- /etc/cron.deny contains users not permitted to use cron (one per line)
- Cron jobs can be stored in:
  - /var/spool/cron/$USER
  - /etc/crontab
  - /etc/cron.{d,hourly,daily,weekly,monthly}/

crontab format

anacron
- Similar to cron
- Does not require computer to be running continuously
- Runs next time computer is started if the job was to run when the system was off
- Options to specify how to run missed jobs
at
- atq: view your pending jobs
- /etc/at.deny contains users not permitted to use at (one per line)
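Scheduled jobs are spread over several locations, so an audit has to gather them all. The script below is an added example for this lecture (not from the slides) that walks the cron locations the slides list under a constructed root directory, prints every live entry with the file it came from, and cross-checks /etc/cron.deny against the per-user spool. All file contents, user names and paths are constructed; run it against the real system by passing / as the root.

```shell
#!/bin/sh
# Build a constructed cron layout under a temp directory (nothing here is
# read from the real /etc or /var). Entries and user names are made up.
make_cron_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/cron.d" "$root/etc/cron.daily" "$root/var/spool/cron"
    printf '# system crontab\n0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n' > "$root/etc/crontab"
    printf '*/5 * * * * alice /home/alice/bin/sync.sh\n' > "$root/etc/cron.d/sync"
    printf '@reboot /home/bob/start.sh\n' > "$root/var/spool/cron/bob"
    printf '#!/bin/sh\ntar cf /backup/etc.tar /etc\n' > "$root/etc/cron.daily/backup"
    printf 'bob\n' > "$root/etc/cron.deny"
    printf '%s\n' "$root"
}

# Every scheduled entry from the locations the slides list, prefixed with
# the file it came from. /etc/crontab and /etc/cron.d/* carry a user field;
# per-user spool files do not. The cron.{hourly,...} directories hold
# scripts run by run-parts, so only their names are listed.
cron_entries() {   # $1 = root
    for f in "$1/etc/crontab" "$1"/etc/cron.d/* "$1"/var/spool/cron/*; do
        [ -f "$f" ] || continue
        grep -Ev '^[[:space:]]*(#|$)' "$f" | sed "s|^|${f#$1}: |"
    done
    for d in hourly daily weekly monthly; do
        for s in "$1/etc/cron.$d"/*; do
            [ -f "$s" ] && printf '%s: (run-parts script)\n' "${s#$1}"
        done
    done
    return 0
}

# Users listed in /etc/cron.deny who nonetheless have a spool crontab.
# cron.deny stops them using the crontab command; it does not remove a
# spool file that already exists, so these are worth reviewing.
denied_users_with_jobs() {   # $1 = root
    [ -f "$1/etc/cron.deny" ] || return 0
    while read -r user; do
        [ -f "$1/var/spool/cron/$user" ] && printf '%s\n' "$user"
    done < "$1/etc/cron.deny"
    return 0
}

# Stand-alone run over the constructed tree.
cron_demo() {
    root=$(make_cron_tree)
    cron_entries "$root"
    echo "denied users with jobs: $(denied_users_with_jobs "$root" | tr '\n' ' ')"
    rm -rf "$root"
}
cron_demo
```

Saving this listing from a freshly built machine gives the frame of reference the baselines slide asks for: a later diff shows exactly which job appeared and where.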

finding files
- apropos allows searching of man pages (Very important!)
- locate: database is an index of files on the system
  - Database created by updatedb
  - Often out of date, if database is built at all
- find: lets you find files
  - Slow but powerful

find examples
  find / -xdev -name \*.java -print 2>/dev/null
  find . -name core -print0 | xargs -0 rm
  find / -xdev -perm /600 -print
  find / \( -nouser -o -nogroup \) -print

Options described on next page

find options
  -xdev    stop at filesystem boundaries
  -name    match filenames matching pattern
  -print   output results
  -print0  output results separated by a \0 (use if the file name may contain a newline character)
  -perm    matches file permissions

permissions
- All files belong to an owner and a group
- Three sets of permissions: owner, group, world
- Three permissions available: read, write, execute
- Execute on a directory allows a user to cd into it

special permissions
- Three special permissions:
  - suid (s): program executed with the file owner's permissions
  - sgid (s): program executed with the group's permissions
  - sticky (t): programs stay in memory after execution
- UNIX permissions are traditionally specified in octal: rwx = 4+2+1 = 7

Note:
- S or T: SxID set, normal r, w, or x not set
- s or t: SxID set, normal r, w or x is also set

permissions
  -rwsr-xr-x 1 root root 37312 Sep 26  2009 /bin/ping
  drwxrwxrwt 6 root root 12288 Oct 20 18:46 /tmp

account management
- Briefly covered name services before
- Again, getent is your friend
- For external account management like LDAP or Kerberos, root should be the only account with a local password

account management
- w tells you people currently logged in and from where (more details than who)
- last gives you login history for all users

/proc filesystem
- Linux exposes much of its internals via /proc and /sys
- /proc contains information about all running processes by process ID
- Original intent was to make debugging easier
- Many options can be tweaked via /proc or /sys
- Note: /sys and /proc are not real; they are pseudo-files, most read-only

baselines
- The commands covered allow you to gather a large amount of information about a system
- Being familiar with these commands on systems you administer is important
- If something goes wrong, you need a frame of reference to see if anything is out of the ordinary
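The permissions slides (octal arithmetic, the s/S and t/T rule, find -perm) and the baselines slide fit together in one auditing task: know which setuid and setgid files a system has, and notice when a new one appears. The added example below (written for this lecture, not from the slides) converts an ls -l mode string to octal using exactly the slide's rules, then builds a constructed tree under a temp directory, lists its setuid/setgid files with find, and diffs that list against a constructed baseline. File names imitate real binaries but are empty files created for the example.

```shell
#!/bin/sh
# Convert a symbolic mode as printed by ls -l (e.g. -rwsr-xr-x) to four
# digit octal using the slide's arithmetic (r=4, w=2, x=1). The special
# bits follow the s/S and t/T rule: a lowercase letter means the special
# bit and the underlying execute bit are both set, uppercase means only
# the special bit is set.
mode_to_octal() {   # $1 = 10-character mode string
    printf '%s' "$1" | awk '{
        m = substr($0, 2, 9)            # drop the file-type character
        special = 0; perms = ""
        for (i = 0; i < 3; i++) {        # owner, group, world
            v = 0
            r = substr(m, i*3+1, 1); w = substr(m, i*3+2, 1); x = substr(m, i*3+3, 1)
            if (r == "r") v += 4
            if (w == "w") v += 2
            if (x == "x" || x == "s" || x == "t") v += 1
            if (x == "s" || x == "S") special += (i == 0 ? 4 : 2)
            if (x == "t" || x == "T") special += 1
            perms = perms v
        }
        printf "%d%s\n", special, perms
    }'
}

# A constructed tree under a temp directory so the find runs do not touch
# the real filesystem; the names mimic real setuid/setgid binaries.
make_perm_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/tmp"
    : > "$root/bin/ping"; chmod 4755 "$root/bin/ping"   # setuid
    : > "$root/bin/wall"; chmod 2755 "$root/bin/wall"   # setgid
    : > "$root/bin/ls";   chmod 0755 "$root/bin/ls"     # ordinary
    chmod 1777 "$root/tmp"                               # sticky directory
    printf '%s\n' "$root"
}

# Files with the setuid or setgid bit, paths relative to the root.
# -perm -4000 matches files that have at least the 4000 bit set.
setxid_files() {   # $1 = root
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sed "s|^$1||" | LC_ALL=C sort
}

# Baseline comparison: entries present now but absent from the list saved
# when the system was built. The baseline here is constructed.
BASELINE_SETXID='/bin/ping'
new_setxid_files() {   # $1 = root
    setxid_files "$1" | while read -r f; do
        printf '%s\n' "$BASELINE_SETXID" | grep -qxF "$f" || printf '%s\n' "$f"
    done
    return 0
}

# Stand-alone run.
perm_demo() {
    echo "-rwsr-xr-x -> $(mode_to_octal -rwsr-xr-x)"
    echo "drwxrwxrwt -> $(mode_to_octal drwxrwxrwt)"
    root=$(make_perm_tree)
    echo "setxid files: $(setxid_files "$root" | tr '\n' ' ')"
    echo "not in baseline: $(new_setxid_files "$root" | tr '\n' ' ')"
    rm -rf "$root"
}
perm_demo
```

On a real host the find would be run with / and -xdev as in the find examples slide, and the baseline file kept off the machine being audited so that a compromised box cannot rewrite its own reference.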

data hiding
- Different forms of data hiding have been used by hackers to cover their tracks
- Hidden files and directories, e.g. ". ", "...", ".^G"
- mangling argv[0]
- Replacing system utilities with hacked copies
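Names such as "...", ". " and ".^G" are chosen to vanish in a casual ls, so an audit needs a check that makes them visible. The following added example (written for this lecture, not from the slides) creates those names in a constructed temp tree alongside an ordinary .ssh directory, then finds hidden entries whose name after the leading dot contains only dots, whitespace or control characters, rendering control characters with cat -v so a BEL shows up as ^G, the notation the slide uses.

```shell
#!/bin/sh
# Constructed tree with the kinds of names the slide lists: "..." (three
# dots), ". " (dot followed by a space) and ".^G" (dot followed by the
# BEL control character), plus .ssh as an ordinary hidden directory.
make_hidden_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/tmp/..." "$root/tmp/. " "$root/tmp/.ssh"
    mkdir -p "$root/tmp/.$(printf '\007')"
    printf '%s\n' "$root"
}

# Hidden entries whose name, after the leading dot, consists only of dots,
# whitespace or control characters. Names are handed to a shell via -exec
# (not through a newline-separated stream, which such names can break)
# and rendered with cat -v so control characters appear as ^X.
odd_hidden_names() {   # $1 = root
    find "$1" -name '.*' -exec sh -c 'for p; do printf "%s\n" "${p##*/}" | cat -v; done' sh {} + |
        grep -E '^\.([.[:space:]]|\^[@A-Z?])+$' | LC_ALL=C sort
    return 0
}

# Stand-alone run: compare what a plain ls -a shows with the filtered list.
hidden_demo() {
    root=$(make_hidden_tree)
    echo "ls -a shows:"; ls -a "$root/tmp"
    echo "suspicious hidden names:"; odd_hidden_names "$root"
    rm -rf "$root"
}
hidden_demo
```

This covers the first item on the slide; replaced system utilities are caught by package verification (rpm -V) against a trusted package database, and an argv[0] that does not match the running binary is something the /proc filesystem slide's per-process information lets you cross-check.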