ITIS 3110
System Auditing

overview
- UNIX history
- Installed software
- System services
- Open ports (network services)
- Running processes
- Account and permission management

system auditing
- Some of this lecture may be familiar
- Bits and pieces have come up during labs
- Aim is to tie some of these things together

why unix?
- Server usage share: http://en.wikipedia.org/wiki/Usage_share_of_operating_systems#Servers
  (chart: UNIX/Linux/etc. vs. MS Windows)
- Supercomputers (same ref as above)

why unix?
- According to W3Techs (Aug 2011), 64% of all web servers are Unix based
  - Most of these are Linux
- Does not include Unix-derived infrastructure equipment
  - home routers, Cisco IOS, etc.
- Does not include mobile platforms
  - yes, Android phones run a Linux kernel

unix family

unix history
- Two main branches to be concerned with
- AT&T System V
  - Derived from UNIX developed at Bell Labs
- BSD
  - Re-implementation from Berkeley

System V vs. BSD
- System V and BSD tend to do things differently
  - Due to schism in the 1970's
- Linux inherits quirks from both families
- Can be seen in system commands
  - ps -ef (System V)
  - ps aux (BSD)

linux family

package management
- Software on most Linux machines is split into packages
- A package manager is used to perform tasks related to packages

pm capabilities
- Searching
- Downloading
- Dependency detection and resolution
- Conflict detection and resolution
- Installation
- Configuration
- Upgrading
- Removing
- Verification
- Determining ownership of files

types
- Package managers are usually split into two categories
  - Simple package managers
  - Front-ends

types
- Simple package managers have been around almost as long as Linux
- Front-ends add functionality to a simple package manager
  - dependency resolution
  - network access
  - graphical user interface

rpm
- rpm package manager
  - originally Red Hat Package Manager
- Developed by Red Hat
- Part of the Linux Standard Base
- Used in:
  - CentOS
  - Novell Netware
  - IBM AIX
  - many others

dpkg
- Developed for Debian Linux
  - Circa 1993
- Comparable to RPM
- Used by many Linux distributions
- Used by fink on OS X

rpm front-ends
- yum is the de facto standard
  - Yellowdog Updater, Modified
  - Developed at Duke
- up2date is used by Red Hat for paying customers
- Others

dpkg front-ends
- Many, many front-ends available
- Command line front-ends
  - aptitude
  - apt-get
- Graphical front-end
  - synaptic

look familiar?
- You have used two package manager front-ends in your labs
  - aptitude (Debian)
  - yum (CentOS)

package listings
- yum updates package listings automatically
- aptitude update

updating packages
- yum update
- aptitude safe-upgrade
- aptitude dist-upgrade

Inspecting installed packages

  Function    RPM               DPKG
  installed   rpm -qa           dpkg -l
  contents    rpm -ql package   dpkg -L package
  owner       rpm -qf path      dpkg -S filename

Verifying files
- rpm can verify files on disk using stored metadata
  - rpm -Va
  - rpm -V package
  - rpm -Vf path

rpm verify

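An added example (not from the slides) of turning rpm -Va output into something reviewable: config files and timestamp-only changes are separated from files whose content, mode or ownership differs from the package metadata. The sample output is constructed, not captured from a real host.

```shell
#!/bin/sh
# Constructed sample of `rpm -Va` output (not from a real host). Each line is
# nine verify flags (S size, M mode, 5 digest, D device, L link, U user,
# G group, T mtime, P capabilities; "." = passes), an optional attribute
# marker (c = config file, d = documentation, ...) and the path.
sample_rpm_verify_output() {
    cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
.M.......    /usr/bin/ping
S.5....T.    /usr/bin/ls
.......T.    /usr/share/doc/bash/README
missing      /usr/lib64/libaudit.so.1
.....UG..    /var/log
EOF
}

# Classify each verify line. Output: SEVERITY<TAB>reason<TAB>path
#   binary    - non-config file whose content, mode or owner changed or is missing
#   config    - a config file differs (expected after local edits, still review it)
#   timestamp - only the mtime differs (noise: touch, prelink, package re-install)
triage_rpm_verify() {
    awk '
    {
        flags = $1; path = $NF; attr = (NF == 3) ? $2 : "-"
        if (flags == "missing")                   why = "file missing"
        else if (flags ~ /^\.\.\.\.\.\.\.T\.$/)   why = "timestamp only"
        else if (substr(flags, 3, 1) == "5" || substr(flags, 1, 1) == "S")
                                                  why = "content changed"
        else if (substr(flags, 2, 1) == "M")      why = "mode changed"
        else if (substr(flags, 6, 1) == "U" || substr(flags, 7, 1) == "G")
                                                  why = "owner/group changed"
        else                                      why = "other"
        if (why == "timestamp only") sev = "timestamp"
        else if (attr == "c")        sev = "config"
        else                         sev = "binary"
        printf "%s\t%s\t%s\n", sev, why, path
    }'
}

# Number of findings that need a closer look (the "binary" class).
count_binary_findings() {
    sample_rpm_verify_output | triage_rpm_verify | grep -c '^binary'
}

# On a real host: rpm -Va 2>/dev/null | triage_rpm_verify
sample_rpm_verify_output | triage_rpm_verify
```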
linux boot sequence
- Linux kernel only calls one process: init
- init handles loading processes and services
- Majority of Linux systems use an init based on System V

System V init
- based on concept of run levels
- Configuration is in /etc/inittab
- services started by each run level in /etc/rc?.d/ where ? is the run level

run levels
- Run levels usually numbered 0-6
  - Others can exist (e.g. S)
- Meaning of each run level usually described in /etc/inittab

standard run levels
  0  Halt the system
  1  Single user
  2  Multi-user (without NFS)
  3  Multi-user
  4  unused
  5  Multi-user, graphical mode
  6  reboot

Notes:
- System may only be in one run level at a time
- 0 and 1 are usually used to debug
- Various distros may interpret differently

debian run levels
- 2-5 are multi-user
- S - system initialization

centos run levels
  0  halt
  1  single user
  2  multi-user without NFS (no networking)
  3  full multi-user
  5  X11
  6  reboot

default run level
- Default run level is stored in /etc/inittab
    id:3:initdefault:
- Current and previous run level can be checked with runlevel
    # sudo runlevel
    N 3
- Run level can be changed with telinit

/etc/rc?.d/
- Contains links to service scripts in /etc/init.d/
- Starting and stopping services:
  - K##service  stops service in this run level
  - S##service  starts service in this run level
  - Where ## is a number
- Scripts are started or stopped in alphabetic order

/etc/init.d/
- Contains scripts to start and stop services
- Service scripts have a minimum of three options:
  - start, stop, restart
- Other options may be supported
  - status, reload

Notes:
- varies by system
- service command can control too
  - Tries to be the same between systems

services
- Most services are daemons
- Daemons: programs running in background
  - No open terminal
- Services are started and stopped from scripts in /etc/init.d/
- Services include things like
  - networking
  - web servers
  - X11

services
- Running services increases potential attack vectors
  - Unused services should be disabled
  - Removing is a better option if practical
- Running services take up resources

disabling services
- Services can be disabled by moving S##service in all /etc/rc?.d/ directories to K##service
- Most distributions provide helper utilities
  - chkconfig (CentOS)
  - update-rc.d (Debian)

disabling services
- CentOS
    /etc/init.d/service stop
    chkconfig service off
- Debian
    /etc/init.d/service stop
    rm /etc/rc?.d/[SK]??service
    update-rc.d service stop ## 0 1 2 3 4 5 6 S .

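An added example (not from the slides) of auditing the /etc/rc?.d/ layout described above: it lists the services an S## link starts in a run level and compares them with a baseline of what should be running. The tree is constructed under a temporary root so the check runs without touching a real /etc.

```shell
#!/bin/sh
# Build a small constructed System V layout under a temporary root (sample
# data, not a real host): S## links start a service, K## links stop it.
make_sample_rc_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/init.d" "$root/etc/rc3.d" "$root/etc/rc5.d"
    for svc in sshd httpd telnet cups; do
        printf '#!/bin/sh\n' > "$root/etc/init.d/$svc"
    done
    ln -s ../init.d/sshd   "$root/etc/rc3.d/S55sshd"
    ln -s ../init.d/httpd  "$root/etc/rc3.d/S85httpd"
    ln -s ../init.d/telnet "$root/etc/rc3.d/S50telnet"
    ln -s ../init.d/cups   "$root/etc/rc3.d/K10cups"
    ln -s ../init.d/sshd   "$root/etc/rc5.d/S55sshd"
    ln -s ../init.d/cups   "$root/etc/rc5.d/S56cups"
    echo "$root"
}

# Services that start in a run level (S## links), one per line, in the
# order init starts them: alphabetic, so by the ## priority number.
services_started_in() {    # $1 = root, $2 = run level
    for link in "$1/etc/rc$2.d"/S??*; do
        [ -e "$link" ] || continue    # dangling link or no match at all
        basename "$link" | sed 's/^S[0-9][0-9]//'
    done
}

# Compare the start list for a run level with a baseline of expected
# services; print each service that is enabled but not in the baseline.
unexpected_services() {    # $1 = root, $2 = run level, $3 = baseline (space separated)
    services_started_in "$1" "$2" | while read -r svc; do
        case " $3 " in
            *" $svc "*) ;;
            *) echo "$svc" ;;
        esac
    done
}

# On a real host use root="" and a baseline kept from a known-good build.
root=$(make_sample_rc_tree)
unexpected_services "$root" 3 "sshd httpd"
rm -rf "$root"
```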
Resume 9/29

network services
- Knowing what ports are open on a system is important to keeping it secure
- Disabling unused services will limit the number of ports available to crackers checking open ports
- netstat is your friend when dealing with networking
  - display routing table: netstat -r
  - display open ports: netstat -atunp
- See next page for explanations

netstat options
  -a  show listening and non-listening sockets
  -t  TCP
  -u  UDP
  -n  do not resolve host or port names
  -p  show process names and IDs (root only)

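An added example (not from the slides) that reduces netstat -atunp output to the sockets that actually accept traffic and marks the ones bound to every interface, which are the ones other hosts can reach. The netstat output is constructed; the field handling reflects that UDP rows carry no State column.

```shell
#!/bin/sh
# Constructed `netstat -atunp` output (not captured from a real host). UDP
# rows have no State column, so their fields sit one position to the left.
sample_netstat_output() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      990/master
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1204/httpd
tcp        0      0 10.0.0.5:22             10.0.0.9:51544          ESTABLISHED 2210/sshd
tcp6       0      0 :::3306                 :::*                    LISTEN      1337/mysqld
udp        0      0 0.0.0.0:68              0.0.0.0:*                           640/dhclient
udp        0      0 127.0.0.1:323           0.0.0.0:*                           700/chronyd
EOF
}

# Keep only sockets that accept traffic: TCP in LISTEN state and every UDP
# socket. Output: proto<TAB>port<TAB>scope<TAB>pid/program, where scope is
# "all-interfaces" for a wildcard bind (0.0.0.0 or ::) and "local" otherwise.
listening_sockets() {
    awk '$1 ~ /^(tcp|udp)/ {
        proto = $1; addr = $4
        if (proto ~ /^tcp/) { if ($6 != "LISTEN") next; prog = $7 }
        else                { prog = $6 }
        n = split(addr, a, ":"); port = a[n]          # port is after the last ":"
        host = substr(addr, 1, length(addr) - length(port) - 1)
        scope = (host == "0.0.0.0" || host == "::") ? "all-interfaces" : "local"
        printf "%s\t%s\t%s\t%s\n", proto, port, scope, prog
    }'
}

# Only the sockets reachable from other hosts: these are the ones to check
# against the services that are supposed to be enabled.
exposed_listeners() {
    listening_sockets | awk -F '\t' '$3 == "all-interfaces"'
}

# On a real host: netstat -atunp 2>/dev/null | exposed_listeners
sample_netstat_output | exposed_listeners
```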
iptables
- iptables is the current firewall in Linux
  - also for NAT
- Many systems ship with it enabled by default
- If you are having odd problems
  - check to see if it is running
  - It usually is controlled from /etc/init.d/
- Firewalls are recommended
  - but checking it is an important troubleshooting step

iptables

running processes
- ps is the quintessential tool to view the process list
- ps aux
  - a, u and x are separate options
  - can be in any order
- view all processes on a system
  - ps auxww
    - for piping to another command
  - ps faux
    - view processes as a forest
    - child processes are shown below parent

Note:
- "-" is "not needed" for some options
  - indeed ps aux and ps -aux are different options
  - -a is different than a

ps popular options
  f   show process hierarchy (forest)
  a   show processes belonging to all users
  u   display user-oriented format
  x   include processes without a TTY
      TTY == teletype == interactive process
  w   wide output; twice (ww) is unlimited output

top
- Interactive way to view the process list from a CLI terminal
- changes sort column
- 1 toggles individual and combined CPU views
- z enables color output

lsof
- Displays open files and internet sockets
- Tons of options!

cron and at
- cron
  - daemon that runs jobs at set intervals
- at
  - daemon that runs a job at a specified time
- cron jobs repeat
  - Does not run if machine is off
  - Use anacron
- at: a job is only run once

cron
- crontab -l to view your cron jobs
- /etc/cron.deny contains users not permitted to use cron
  - one per line
- Cron jobs can be stored in:
  - /var/spool/cron/$USER
  - /etc/crontab
  - /etc/cron.{d,hourly,daily,weekly,monthly}/

crontab format

anacron
- Similar to cron
- Does not require computer to be running continuously
- Runs next time computer is started
  - If the job was to run when the system was off
- Options to specify how to run missed jobs

at
- atq
  - view your pending jobs
- /etc/at.deny contains users not permitted to use at
  - one per line

finding files
- apropos allows searching of man pages
  - Very important!
- locate
  - database is index of files on system
  - Database created by updatedb
  - Often out of date, if database is built at all
- find
  - Lets you find files
  - Slow but powerful

find examples
    find / -xdev -name \*.java -print 2>/dev/null
    find . -name core -print0 | xargs -0 rm
    find / -xdev -perm /600 -print
    find / \( -nouser -o -nogroup \) -print
- Options described on next page

find options
  -xdev    stop at filesystem boundaries
  -name    match filenames matching pattern
  -print   output results
  -print0  output results separated by a \0
           use if the file name may contain a newline character
  -perm    matches file permissions

permissions
- All files belong to an owner and a group
- Three sets of permissions:
  - owner
  - group
  - world
- Three permissions available:
  - read
  - write
  - execute
- Execute on a directory allows a user to cd into it

special permissions
- Three special permissions:
  - suid    Program executed with file owner's permissions   (s)
  - sgid    Program executed with group's permissions        (s)
  - sticky  Programs stay in memory after execution          (t)
- UNIX permissions are traditionally specified in octal
  - rwx = 4+2+1 = 7

Note:
- S or T: SxID set, normal r, w, or x not set
- s or t: SxID set, normal r, w or x is also set

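An added example (not from the slides) that ties the octal notation, the s/S and t/T markers and the two forms of find -perm together: one function converts an ls-style mode string to octal, and a constructed directory tree shows the difference between -perm -MODE (all listed bits set) and -perm /MODE (any listed bit set) when hunting for setuid and setgid files.

```shell
#!/bin/sh
# Convert an ls(1) mode string (e.g. -rwsr-xr-x) to 4-digit octal. Lowercase
# s/t means the underlying x bit is also set; uppercase S/T means it is not.
mode_to_octal() {
    printf '%s' "$1" | awk '{
        m = substr($0, 2)                  # drop the file-type character
        special = 0; perm = ""
        for (i = 1; i <= 3; i++) {         # owner, group, world triplets
            seg = substr(m, (i - 1) * 3 + 1, 3)
            val = 0
            if (substr(seg, 1, 1) == "r") val += 4
            if (substr(seg, 2, 1) == "w") val += 2
            c = substr(seg, 3, 1)
            if (c == "x" || c == "s" || c == "t") val += 1
            if (c == "s" || c == "S") special += (i == 1) ? 4 : 2   # suid / sgid
            if (c == "t" || c == "T") special += 1                  # sticky
            perm = perm val
        }
        printf "%d%s", special, perm
    }'
}

# Constructed tree (sample data, not a real host) with one setuid file, one
# setgid file, one plain executable and one sticky directory, so the find
# checks below run as an ordinary user.
make_sample_tree() {
    root=$(mktemp -d)
    : > "$root/suid_tool";  chmod 4755 "$root/suid_tool"
    : > "$root/sgid_tool";  chmod 2755 "$root/sgid_tool"
    : > "$root/plain_tool"; chmod 0755 "$root/plain_tool"
    mkdir "$root/shared";   chmod 1777 "$root/shared"
    echo "$root"
}

# -perm -MODE: all of the given bits must be set (setuid only here).
find_setuid()         { find "$1" -xdev -type f -perm -4000 -print | sort; }
# -perm /MODE: any of the given bits may be set (setuid or setgid).
find_setuid_or_sgid() { find "$1" -xdev -type f -perm /6000 -print | sort; }

# The listing from the next slide, converted: /bin/ping is 4755, /tmp is 1777.
mode_to_octal -rwsr-xr-x; echo
mode_to_octal drwxrwxrwt; echo
root=$(make_sample_tree)
find_setuid_or_sgid "$root"
rm -rf "$root"
```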
permissions
    -rwsr-xr-x 1 root root 37312 Sep 26  2009 /bin/ping
    drwxrwxrwt 6 root root 12288 Oct 20 18:46 /tmp

account management
- Briefly covered name services before
- Again, getent is your friend
- For an external account management like LDAP or Kerberos
  - root should be the only account with a local password

account management
- w tells you people currently logged in and from where
  - more details than who
- last gives you login history for all users

/proc filesystem
- Linux exposes much of its internals via /proc and /sys
- /proc contains information about all running processes by process ID
  - Original intent was to make debugging easier
- Many options can be tweaked via /proc or /sys
- Note: /sys and /proc are not real
  - pseudo-files
  - most are read-only

baselines
- The commands covered allow you to gather a large amount of information about a system
- Being familiar with these commands on systems you administer is important
- If something goes wrong, you need a frame of reference to see if anything is out of the ordinary

data hiding
- Different forms of data hiding have been used by hackers to cover their tracks
- Hidden files and directories
  - e.g. ". ", "...", ".^G"
- mangling argv[0]
- Replacing system utilities with hacked copies

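An added example (not from the slides) of checking for the hidden-name tricks listed above: dot-names that are only dots, or that contain whitespace or control characters, are the ones ls and a quick glance tend to miss. The directory is constructed in a temporary location; ".^G" is created with a literal BEL (octal 007) character.

```shell
#!/bin/sh
# Constructed directory (sample data, not a real host) with the kinds of
# names the slide mentions next to ordinary dotfiles.
make_hidden_name_sample() {
    root=$(mktemp -d)
    mkdir "$root/. " "$root/..." "$root/.normal_dir"        # ". " has a trailing space
    printf 'x\n' > "$root/$(printf '.\007')"               # ".^G": dot + BEL
    printf 'x\n' > "$root/.bashrc"
    echo "$root"
}

# Report dot-named entries whose names are meant to blend in: three or more
# leading dots, or any whitespace or control character. Output is one line
# per hit, FLAG<TAB>path, with the path passed through cat -v so control
# characters are shown as ^G rather than rung on the terminal.
suspicious_dotnames() {    # $1 = directory to scan
    LC_ALL=C find "$1" -mindepth 1 -name '.*' -print | while IFS= read -r p; do
        n=$(basename "$p")
        case "$n" in
            ...*)           flag="dots-only" ;;
            *[[:space:]]*)  flag="whitespace" ;;
            *[[:cntrl:]]*)  flag="control-char" ;;
            *)              continue ;;
        esac
        printf '%s\t%s\n' "$flag" "$(printf '%s' "$p" | cat -v)"
    done
}

# On a real host, scan the places such names are usually dropped, e.g.
#   suspicious_dotnames /tmp; suspicious_dotnames /var/tmp; suspicious_dotnames /dev
root=$(make_hidden_name_sample)
suspicious_dotnames "$root"
rm -rf "$root"
```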