Cybersecurity Computer Science Innovations, LLC


Cybersecurity

Computer Science Innovations, LLC

Overview

Define Security

Discretionary Access Control

Trusted Computer System Evaluation Criteria (TCSEC) - Orange Book

Published by the US Department of Defense as DoD 5200.28-STD (1983, revised 1985) and developed at the National Computer Security Center, building on earlier MITRE work.

Basis for all we do in Security

Define security, and how we measure it.

Long-term goal

Given a System, X, tell me the security level. C2, B1, PL3, PL3+

What does the security level imply?

It implies, what you can do with the system.

Says Who?

Commercial world – Underwriter?

What's an underwriter, and how is the risk quantified?

Insurance Companies.

The Present Situation

If I am Responsible for System, X, how do I bring it into Production?

Someone must Approve.

Somebody must assume risk.

Who is that? Insurance company

DOD Adjudicator.

Someone who assumes the risk.

Development up to present

If your system, and you, are well defined.

If your security model is simple and based on standards.

If you speak the same language as the decision maker?

It is easier to get someone to put their neck on the line.

Newton said, If I have seen further than others it is because I was standing on the shoulders of giants.

Goals

Einstein said, As simple as possible, but no simpler.

If you cannot explain it simply, you do not understand it well enough.

Any fool can make things more complex it takes genius to find the simplicity.

Great science is simple.

Science Being Simple

Computer Science – Simple seems to win.

P-V Semaphore --- Seven lines of code.

Google ---- Processing Paradigms....

Simplicity in processing.

Map/Reduce …. Solr...

Open Source......

Definitions

Levels of Security

Lowest is D... We do not even discuss it.

Next Level up is C... C1 and C2

C1 and C2 rely on Discretionary Access Control.

Next level up is B1, B2, B3 which are largely related.

B level uses Mandatory Access Control

Use of Definitions

The same definitions are used for commercial as for government.

In other words, there is just one Security.

There is Computer Security Used in Different Areas.

What is Discretionary Access Control?

Subjects and Objects

Access Control... Can the subject read or write the object? That is one thing we are concerned with.

Auditing... What did the subject do on June 30th? Who are the subjects that accessed my mail.

Assurance – How can I be guaranteed that all access to the data has access control and auditing? And … does my model work?

Access Control

Access control has some pieces....

What are the pieces? The first two are

Identity Assertion

Role Gathering

Systems do this.

We knew this in 1984.. This is not new and pre-dates the Internet.

Identity Assertion

Eminem – I am who you say I am.

How do you find out your identity?

Google... Username and Password

Google.. Additional Security through a Token

Show Something About yourself

Biometric Devices.

Prove who you are.

How Do We Do Identity Assertion

Diagram: Browser -> Web Server (www.bankofamerica.com). The first question the server asks: Do I have a session?

How Do We Assert an Identity

Username and Password

Sitekey

Identity Asserter is username and password.

Google --- username and password.

Challenge ---> send a key to cell phone

Biometrics... cheap....

Identity Assertion

Identity asserters must be pluggable.

What does that mean?

It means if I change the Identity Asserter, I do not need to change the software.

Best Practice … Run the software with two different Identity Asserters without changing, compiling or writing Software.

Role Gathering

Diagram: Browser -> Web server. The server asserts identity, then gathers roles.

Role Gathering

Having proven who I am.... What can I do?

The Roles Dictate what you can do.

So if my role is Administrator.. I can do a lot.

If my role is Guest... I can do a little.

Show me what you mean. Ok. Let's do a practical Example.

Where do We See Roles

Web applications.....

Web.xml

Directory ---- roles can work in the directory

Page useradmin ----> the roles that can see it are Administrator....

Browser... look up web.xml roles..... See it.

Practical Example - Roles

$ id

uid=1000(scott) gid=1000(scott) groups=1000(scott),27(sudo),30(dip),46(plugdev),109(lpadmin),124(sambashare),129(vboxusers)

Groups are Synonymous with Roles... Spec says.

They say what I can do: use plug-in devices, administer the line printer, share files, etc.

What Happened? Logged into my machine.

Asserted my identity by username password.

Gathered my roles.

Determined what I can do.

Why? It's the standard.

Impromptu Lab

Go to your linux instance. Any linux instance.

id command

then do a

sudo su -

then do a

adduser pedro

su - pedro

id

Unix File Permissions

For a file or a directory we have

Modes xxx yyy zzz

For xxx we have read, write and execute for the user (you).

For yyy we have read, write and execute for the group(all group membership).

For zzz we have read, write and execute for the world (everyone on the computer).

So the question is, what permissions does a file get at creation?

It is determined by umask or user mask

So where do you set it.

Umask where is it

The umask is set in the login environment, most commonly in .bashrc.

It also has a system-wide default (on Ubuntu the UMASK setting in /etc/login.defs, and often /etc/profile). It is common to override it in your .bashrc.

Umask is not the permissions given to newly created files; it is the set of permission bits removed from the default (666 for files, 777 for directories). So umask 022 gives a new file 644 and umask 002 gives it 664.

Unix Convention – More than

When you create a user, say sherman then the user is sherman and sherman is the name of the private group.

So now the home directory is owned by sherman as the user and sherman as a private group.

Private groups are used for ownership of things only the user is allowed to write.

So your private group has your files for write.

Create a User and Private Group

Command – useradd -U sherman

root@ip-10-138-35-253:~# su - sherman

No directory, logging in with HOME=/

$ id

uid=1001(sherman) gid=1001(sherman) groups=1001(sherman)

Command useradd -U wilson

No directory, logging in with HOME=/

$ id

uid=1002(wilson) gid=1002(wilson) groups=1002(wilson)

Create a Group to Share

We wish to create a group, called seahawks, and make wilson and sherman members of that group. We do not wish to change their primary membership; we wish to add them as members of the group.

Note that usermod -G replaces the user's whole list of supplementary groups. It only works cleanly below because wilson and sherman have none yet; to add a group without dropping existing ones use usermod -aG seahawks wilson.

Command – groupadd seahawks

root@ip-10-138-35-253:~# groupadd seahawks

root@ip-10-138-35-253:~# usermod wilson -G seahawks

root@ip-10-138-35-253:~# su - wilson

No directory, logging in with HOME=/

$ id

uid=1002(wilson) gid=1002(wilson) groups=1002(wilson),1003(seahawks)

$ exit

root@ip-10-138-35-253:~# usermod sherman -G seahawks

root@ip-10-138-35-253:~# su - sherman

No directory, logging in with HOME=/

$ id

uid=1001(sherman) gid=1001(sherman) groups=1001(sherman),1003(seahawks)

$

Let's Explore the Private Group

Your home directory is not shared.

/home/sherman would have file owned by sherman

The ownership is user:group so for these files

Permissions sherman:sherman

So we have the three triplets xxx yyy zzz and now ownership.

If we look at a home directory we should see

ubuntu@ip-10-138-35-253:~$ ls -al .bashrc

-rw-r--r-- 1 ubuntu ubuntu 3646 Feb 12 20:32 .bashrc

ubuntu@ip-10-138-35-253:~$

Let's Look at the shared Group

Set up an area on disk to share. Let's use /opt/shared.

root@ip-10-138-35-253:/opt# chown -R sherman:seahawks shared/

root@ip-10-138-35-253:/opt# ls -al

total 12

drwxr-xr-x 3 root root 4096 Feb 12 20:50 .

drwxr-xr-x 22 root root 4096 Feb 12 20:17 ..

drwxr-xr-x 2 sherman seahawks 4096 Feb 12 20:50 shared

root@ip-10-138-35-253:/opt# su - sherman

No directory, logging in with HOME=/

$ cd /opt/shared

$ touch x

$ ls -al x

-rw-rw-r-- 1 sherman sherman 0 Feb 12 20:51 x

The Shared Group uses the Private Group

The creating user's private (primary) group is overriding the directory's group.

When we do a touch x as sherman, the group owner is sherman, not seahawks.

The problem is sherman cannot share with wilson, therefore we do not have a shared group.

So chmod 2775 to the rescue: the leading 2 is the setgid bit, and on a directory it makes new files inherit the directory's group.

root@ip-10-138-35-253:/opt# chmod 2775 shared/

root@ip-10-138-35-253:/opt# ls -al

total 12

drwxr-xr-x 3 root root 4096 Feb 12 20:50 .

drwxr-xr-x 22 root root 4096 Feb 12 20:17 ..

drwxrwsr-x 2 sherman seahawks 4096 Feb 12 20:51 shared

Some Limitations

If you have a directory tree, then all directories must be set with the 2775.

So how do you change just the directories?

Command chmod -R 2775 * –- DO NOT DO THIS. IT CHANGES EVERYTHING INCLUDING FILES, WHICH ALSO BECOME EXECUTABLE.

Proper Command is find . -type d -exec chmod 2775 {} \;
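An added example, not from the slides, that turns the two points above (every directory in the tree must carry the setgid bit, and only directories should get 2775) into a repeatable audit. It builds its own scratch tree under mktemp instead of touching /opt/shared, so it runs as a normal user; the function and directory names are chosen for the example, and the group-mismatch check reads the group column of ls -ld.

```shell
#!/bin/sh
# Added example: audit and repair a shared directory tree for group inheritance.
# A new file takes the creator's primary group unless the directory has the
# setgid bit (the "2" in 2775), so every directory in the tree must carry it.

# dirs_missing_setgid ROOT: print directories under ROOT without the setgid bit.
dirs_missing_setgid() {
    find "$1" -type d ! -perm -2000
}

# count_missing_setgid ROOT: number of such directories (handy for monitoring).
count_missing_setgid() {
    dirs_missing_setgid "$1" | wc -l | tr -d ' '
}

# fix_setgid_dirs ROOT: set 2775 on directories only. Plain files are never
# touched, so they do not gain execute bits the way "chmod -R 2775 *" would.
fix_setgid_dirs() {
    find "$1" -type d ! -perm -2000 -exec chmod 2775 {} +
}

# files_with_wrong_group ROOT: files whose group differs from their directory's
# group, i.e. files created before the setgid bit was set (or by a tool that
# forces its own group). The group name comes from "ls -ld", which is portable.
files_with_wrong_group() {
    find "$1" -type d | while read -r d; do
        g=$(ls -ld "$d" | awk '{print $4}')
        find "$d" -maxdepth 1 -type f ! -group "$g"
    done
}

# build_sample_tree: constructed sample, not a real /opt/shared. Two of the
# four directories deliberately lack the setgid bit. Prints the root path.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/a/b" "$root/c"
    chmod 2775 "$root" "$root/a"
    chmod 755 "$root/a/b" "$root/c"
    printf 'draft\n' > "$root/a/b/report.txt"
    chmod 664 "$root/a/b/report.txt"
    printf '%s\n' "$root"
}

# Stand-alone run: build the sample, show the problem, fix it, show it is gone.
main() {
    demo=$(build_sample_tree)
    echo "directories missing setgid before fix:"
    dirs_missing_setgid "$demo"
    fix_setgid_dirs "$demo"
    echo "after fix: $(count_missing_setgid "$demo") missing"
    echo "files whose group differs from their directory's group:"
    files_with_wrong_group "$demo"
    rm -rf "$demo"
}
main
```

Run the audit from cron against the real shared root and alert when either list is non-empty; fixing the files' group is a separate chgrp, which the script deliberately does not do on its own.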

Common Shortcomings? Let's say you have a machine with a web server.

You have 5 people that are Web Server Administrators

What are your options?

You can have a Group Account

Or you can setup the machine to allow multiple people to update the Web Server.

What is Wrong with a Group Account?

It Violates Discretionary Access Control.

Why? Named Subject, Named Object.

NOT

Named Group containing many Subjects and Named Object.

Must be one to one – Person to Subject.

Now Three More Topics for C2.

Bringing Up A Web Server

Web Server ---- runs on port 80

Web Server ---- runs on port 8080

Ports < 1024 require admin privilege to start the process (on Linux, specifically the CAP_NET_BIND_SERVICE capability, which root has and which can also be granted to a single binary or service).

Ports >= 1024 do not require admin.

Why do we care? Least Privilege....

Have “Normal” Users as Web Admins

So let's say Morris (Mo) is a web admin and Cheri is a web admin. They are going to run as normal users, but they need to share the web server, and we do not want to violate DAC. So we need to separate them and keep least privilege.

Separate Users

Step 1

Create a group per user

And create a shared group.

Private groups: mo, al.

Shared group: webguys.

How To

root@companion:/opt# groupadd mo

root@companion:/opt# groupadd al

root@companion:/opt# groupadd webguys

root@companion:/opt# useradd mo -g mo -G webguys

root@companion:/opt# useradd al -g al -G webguys

How To

root@companion:/opt# mkdir /opt/share

root@companion:/opt# chown al:webguys /opt/share

root@companion:/opt# chmod 2775 /opt/share

the 2 is the set groupid bit. It means that all

files created inherit the group from the directory not the user.


Three More Topics

Confidentiality

No one can listen in and gain information.

Encryption

Least Privilege

Very Very Important.

Am I doing the action with the least amount of Authority. Don't work as Root or Admin

Non-Repudiation

Proof that I sent it, so that I cannot later deny having sent it.

Confidentiality

https

Hypertext Transfer Protocol Secure

When you read your email are you

http or https?

Log into your mail.

Is it http or https? https

Least Privilege

I must work as a normal user

Or

I must work as an admin.

Which is better?

Why? So that you do not mess up the system, on purpose or by accident.

Ports... https which port is that? 443

Who do you have to be to work as 443?

For ports less than 1024 you must be admin

How Do We Do Least Privilege With https?

The browser (Source) wants to communicate on 443.... Default

The system wants to use a normal user.

So what happens?

So your firewall or router maps 443 to 8443.

So the source requests 443, the router rewrites it to 8443, and the system answers on 8443 as a normal user; the browser never sees the difference.

Best Practice … Always map ports < 1024 to ports > 1024 to preserve least privilege. (Granting the server binary CAP_NET_BIND_SERVICE, or a local iptables REDIRECT rule on the host, achieves the same without involving the network team.)

Outside World to Inside

Https in a browser it says communicate on 443

But we want least privilege … So how do we do that.

8443 on the local system.

We need our firewall/router administrator to set this up for us.

Let's Look At This

Diagram: Browser (443) -> Firewall (Al, admin) -> Web Server (8443).

Map incoming 443 to internal 8443 on a specific server.

Apache and Least Privilege

ubuntu@ip-10-204-147-104:~$ ps -ef | grep apache

root 3725 1 0 14:55 ? 00:00:00 /usr/sbin/apache2 -k start

www-data 3727 3725 0 14:55 ? 00:00:00 /usr/sbin/apache2 -k start

www-data 3729 3725 0 14:55 ? 00:00:00 /usr/sbin/apache2 -k start

www-data 3730 3725 0 14:55 ? 00:00:00 /usr/sbin/apache2 -k start

ubuntu 3828 865 0 14:55 pts/0 00:00:00 grep --color=auto apache

ubuntu@ip-10-204-147-104:~$ sudo su -

root@ip-10-204-147-104:~# cd /etc/

root@ip-10-204-147-104:/etc# grep www-data passwd

www-data:x:33:33:www-data:/var/www:/bin/sh

Apache is not fully adhering to least privilege: the parent process (PID 3725) runs as root, which it needs in order to bind port 80 and read its configuration, and only the worker processes that handle requests run as www-data. The root parent is the residual risk; a server that binds a port >= 1024 can run entirely as a normal user.
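The slides check least privilege by eye with ps -ef. The following added example, which is not part of the deck, reads the kernel's own socket table instead, so it answers both questions at once: which ports are being listened on, and which uid holds each one. It assumes Linux with /proc; the /proc/net/tcp excerpt it runs on by default is constructed for the example, the function names are mine, and the iptables rule in the comment is the kind of 443-to-8443 redirect the earlier slides describe, shown but not executed.

```shell
#!/bin/sh
# Added example: check "is this service running with least privilege?" from the
# kernel's socket table instead of trusting ps output. /proc/net/tcp lists every
# TCP socket with its state (0A = LISTEN), local port in hex and the owning uid,
# and is readable without root. Assumed: Linux with /proc (IPv6 listeners live in
# /proc/net/tcp6 in the same format; run the functions on both files).

# listening_sockets [FILE]: print "PORT UID" for each listening socket.
listening_sockets() {
    awk 'NR > 1 && $4 == "0A" { split($2, a, ":"); print a[2], $8 }' "${1:-/proc/net/tcp}" |
    while read -r hexport uid; do
        printf '%d %d\n' "$((0x$hexport))" "$uid"
    done
}

# privileged_listeners [FILE]: the subset bound below 1024. Only a process that
# started as root, or one holding CAP_NET_BIND_SERVICE, can hold these.
privileged_listeners() {
    listening_sockets "$1" | awk '$1 < 1024'
}

# assess [FILE]: one verdict per listener. A root-owned socket on a low port is
# the case the slides call out: the web server itself has root. The fix is to run
# it as a normal user on a port >= 1024 and let the packet filter map the public
# port, e.g. (iptables, applied by the firewall admin, not by this script):
#   iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
assess() {
    listening_sockets "$1" | while read -r port uid; do
        if [ "$uid" -eq 0 ] && [ "$port" -lt 1024 ]; then
            printf 'ROOT-ON-PRIVILEGED-PORT %s\n' "$port"
        elif [ "$uid" -eq 0 ]; then
            printf 'ROOT-ON-HIGH-PORT %s (no reason to be root here)\n' "$port"
        elif [ "$port" -lt 1024 ]; then
            printf 'NONROOT-ON-PRIVILEGED-PORT %s uid=%s (capability or redirect in use)\n' "$port" "$uid"
        else
            printf 'OK %s uid=%s\n' "$port" "$uid"
        fi
    done
}

# write_sample_proc_net_tcp FILE: constructed /proc/net/tcp excerpt, not captured
# from a real host: sshd (22) and apache (80) as root, tomcat (8080) as uid 1000,
# plus one ESTABLISHED connection (state 01) to 443 that must be ignored.
write_sample_proc_net_tcp() {
    cat > "$1" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 100 0 0 10 0
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 10003 1 0000000000000000 100 0 0 10 0
   3: 0100007F:01BB 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 10004 1 0000000000000000 20 4 30 10 -1
EOF
}

# Stand-alone run on the constructed sample; call assess with no argument to
# audit the live host.
sample=$(mktemp)
write_sample_proc_net_tcp "$sample"
assess "$sample"
rm -f "$sample"
```

On a live host the uid is only half the story: a uid-0 listener whose process later dropped privileges (the Apache pattern) still shows the socket as root-owned, so follow up with ps -o user,pid,comm on the PID that owns the inode before deciding.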

Unix Cheat Sheet

The command ls is the same thing as dir in Windows.

The command ps is process status and is commonly used as ps -ef | more.

Do a ps -ef | more

The command pwd is print working directory.

The command chmod is change mode.

The command chown is change owner (user and group).

DAC in UNIX

In Unix we get DAC out of the box.

How do we do it?

Named subject …. logging in.

How do we protect files?

This is access control.

Unix History

How did we get to Unix?

Who created it? Ken Thompson and Dennis Ritchie, with Brian Kernighan among the early Bell Labs group.

They worked for AT&T Bell Labs in New Jersey in the 70's. They had an idea: what if an operating system was created that worked on any hardware?

So they needed a hardware-independent language – they called it C.

Unix History Continued

AT&T effectively gave it away to universities, and it spread.

How many run Android? Android runs the Linux kernel, a Unix-like kernel.

How many run iPhones? iOS is built on Darwin, a BSD-derived Unix.

There are two classic flavors: System V, from AT&T, and BSD, from UC Berkeley, which is the basis of Mac OS X. Linux is a Unix-like system written independently, borrowing conventions from both.

AT&T – created the original.

Commands - Unix Permissions

wwwxxxyyy for a file or directory.

Now let's define www: it has 3 bits for rwx (read, write, execute).

So rwx is what … 7. Now www is for the user's (owner's) permission,

xxx is for the group's permission and

yyy is for the world's permission.

So if a file is 400, like a .pem file, what is that?

400 = 100 000 000, which is r-------- : read only, and only for the owner.

More Permissions

So if I want a file to be Read and Write for the Owner (User) of the file and

Read for the Group and Nothing for the world.

Let's do it together

www xxx yyy

U G O

The three bits rwx

110 100 000 = 6 4 0

Lab on Permissions

So..... A User may Read Write and Execute.

The Group may Read and Write.

The Other may only Read.

What is the pattern?

Remember www xxx yyy, rwx, U G O

111 110 100

7 6 4

So Back to Commands

The command ls -al gives a full listing. You can see the pattern.

So a couple more commands and we are done.

The command chmod 3DIGITS files changes the mode. chmod 777 allows all access to everyone, which is almost never what you want.

The command chown user:group file sets the owner and group; chgrp group file changes only the group.

The World of Discretionary Access Control

Says I should have a way to protect my private files.......

Well, let's create two users. Chris and Dave

Chris should see Chris's files and Dave could see Chris's files, but only Chris can update Chris's files and only Dave can update Dave's files.

Let's Do It

root@companion:/opt# groupadd class

root@companion:/opt# groupadd dave

root@companion:/opt# groupadd chris

root@companion:/opt# useradd dave -g dave -G class

root@companion:/opt# useradd chris -g chris -G class

So class is a shared group with two members dave and chris.

So, dave has a primary group …. dave

So,, chris has a primary group …. chris

See DAC

The common area is /opt, which is for optional software.

The command mkdir makes a directory.

root@companion:/opt# echo "hello" > chris.txt

root@companion:/opt# echo "goodbye" > dave.txt

root@companion:/opt# more chris.txt

hello

root@companion:/opt# more dave.txt

goodbye

root@companion:/opt# ls -al chris.txt dave.txt

-rw-r--r-- 1 root root 6 Jun 25 13:40 chris.txt

-rw-r--r-- 1 root root 8 Jun 25 13:40 dave.txt

Chris and Dave – Private for Writing

Command chown user:group file

Command chown chris:chris chris.txt

Command chown dave:dave dave.txt

Command ls -al *.txt

root@companion:/opt# ls -al *.txt

-rw-r--r-- 1 chris chris 6 Jun 25 13:40 chris.txt

-rw-r--r-- 1 dave dave 8 Jun 25 13:40 dave.txt

root@companion:/opt# su - dave

No directory, logging in with HOME=/

$ cd /opt

umask

The bits that are cleared from the default mode when a file is created.

scott@companion:~$ umask

0002

scott@companion:~$ touch zzzz

scott@companion:~$ ls -al zzzz

-rw-rw-r-- 1 scott scott 0 Dec 6 20:11 zzzz

When I create a file with umask 0002 the only bit cleared is the world write bit (the 2).


umask (continued)

The bits that are cleared from the default mode when a file is created.

scott@companion:~$ umask 22

scott@companion:~$ touch zzyy

scott@companion:~$ ls -al zzyy

-rw-r--r-- 1 scott scott 0 Dec 6 20:13 zzyy

umask with a value sets the umask.

Setting it to 22 (022) means the write bit is cleared for group and others; the owner keeps write.
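An added example (not part of the original slides) that makes the octal arithmetic used throughout this section executable: it converts a mode such as 640 or 2775 into the string ls shows, applies a umask to the 666 or 777 base exactly as the kernel does, and then creates a real file under a given umask to confirm the prediction. The function names are chosen for the example and the scratch directory comes from mktemp; nothing else is assumed.

```shell
#!/bin/sh
# Added example: the arithmetic behind the slides' "www xxx yyy" triplets and
# umask, checked against what the kernel actually does when a file is created.

# octal_to_symbolic MODE: 640 -> rw-r-----, 2775 -> rwxrwsr-x (the setgid bit
# shows as "s" in the group execute position; setuid/sticky are not rendered).
octal_to_symbolic() {
    m=$1
    digits=$(printf '%s' "$m" | tail -c 3)
    out=""
    for d in $(printf '%s' "$digits" | sed 's/./& /g'); do
        case $d in
            7) out="${out}rwx" ;; 6) out="${out}rw-" ;; 5) out="${out}r-x" ;; 4) out="${out}r--" ;;
            3) out="${out}-wx" ;; 2) out="${out}-w-" ;; 1) out="${out}--x" ;; 0) out="${out}---" ;;
            *) return 1 ;;
        esac
    done
    # setgid is bit 2 of the leading (fourth) digit: 02775 >> 9 == 2
    if [ $(( (0$m >> 9) & 2 )) -ne 0 ]; then
        gx=$(printf '%s' "$out" | cut -c6)
        [ "$gx" = x ] && s=s || s=S
        out=$(printf '%s' "$out" | cut -c1-5)$s$(printf '%s' "$out" | cut -c7-9)
    fi
    printf '%s\n' "$out"
}

# effective_mode BASE UMASK: the mode a new object gets. BASE is 666 for a plain
# file and 777 for a directory: the umask only clears bits, it never sets them,
# which is why "touch" never produces an executable file.
effective_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# observed_file_mode UMASK: create a file under that umask in a scratch
# directory and report the nine permission characters ls shows for it.
observed_file_mode() {
    dir=$(mktemp -d)
    ( umask "$1" && : > "$dir/f" )
    ls -l "$dir/f" | cut -c2-10
    rm -rf "$dir"
}

# Stand-alone run: the slides' examples, predicted and then observed.
for pair in "666 022" "666 002" "777 002" "666 077"; do
    set -- $pair
    printf 'base %s umask %s -> %s (%s)\n' "$1" "$2" "$(effective_mode "$1" "$2")" \
        "$(octal_to_symbolic "$(effective_mode "$1" "$2")")"
done
printf 'kernel says umask 022 gives: %s\n' "$(observed_file_mode 022)"
printf 'kernel says umask 077 gives: %s\n' "$(observed_file_mode 077)"
```

A umask of 077 is the value to reach for on shared hosts: new files come out 600, which is exactly what the ssh key example later in these slides needs and what you otherwise have to fix by hand with chmod.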

Lab

Create a private group for you and your partner along with a shared group.

Create a user for you and your partner with the private group as your primary group (-g) and the shared group (-G) as your supplemental group.

Add each user.

Put a file in opt for each user. Use chmod and chown to make the file globally read but only private write.

Annoying Cannot Save Backup File

When you are working as a user... you have a private home directory, where you can work.

The command useradd has a way to specify the home directory (-d, with -m to create it), which we did not do, so the login fell back to the root of the filesystem, which is owned by root. So you cannot write to it.

To Consider

There is an appropriate tool for a job. This is not Religion. We are trying to get a job done. There are 2M LAMP developers worldwide.

Wikipedia – written in LAMP. Bugzilla, written in LAMP.

So, what computer scientists say is that LAMP is not real computer science. I disagree.


We Want To Use Least Privilege

We get our web server (Tomcat) to work as a normal users.

What does this imply?

Port # >= 1024... No privileged User.

Example of this

Google Technology

Starting out... Google ingested the entire web and searches it.

But the technology that ingests the entire web is called MapReduce, and its open source implementation is the Apache project Hadoop.

The technology to search the ingested content is the Apache project Solr, a search server built on Lucene.

Solr

Runs with Least Privilege.

Show me!

Ran Solr:

Accessed it through http://localhost:8080/solr

Did a ps -ef | grep tomcat.

Running as scott

AWS.amazon.com/amis – these are amazon machine images.

Top Down.... A specification committee gets together, they understand the need, and they build a specification. Many are good, some are bad.

Bottom up... The specification committees do not know about this. A vendor starts it, it gets critical mass, and it becomes a de facto standard.

Somethings That Came From a Specification

TCP/IP

HTML

Web Archives.

Java.

Browsers.

Some Things not from a Specification (defacto)

Processors on PC

Wiki's

Spring Framework

Social Networking

RESTful

Amazon - AMI

Amazon Machine Images

https://aws.amazon.com/amis

65,000 different machine images.

Ubuntu 12.04, MySQL Apache, php, postfix

Server … Elastic... Managed in a secure way.

Why is this Popular

Speed, efficiency, cost

Shawn – I can bring up a production instance in less than 5 minutes.

Cost – Initial costs are nominal. I pay as I go.

How Do I do This

First go to amazon EC2. (Elastic Compute Cloud)

The classic wizard gives you different ones to choose from. Amazon gives you their own AMI by default. You can go out to the community, see the ones out there running, and choose an instance of them. It takes the image that is out there running and makes a copy of it.

Launched an Instance

I have a security key that I use to get to the server. This is going to lead to a best practice.

scott@companion:~/Desktop$ ls -al elijah.pem

-rw-rw-r-- 1 scott scott 1696 Sep 11 11:13 elijah.pem

scott@companion:~/Desktop$ chmod 600 elijah.pem

scott@companion:~/Desktop$ ls -al elijah.pem

-rw------- 1 scott scott 1696 Sep 11 11:13 elijah.pem

scott@companion:~/Desktop$

Let's Get to our Server

ssh -i elijah.pem [email protected]

So if we do not use a private key

ssh [email protected]

Permission denied (publickey)

Best Practices?

No unencrypted access. The commands rsh, telnet, ftp -- never use them; they are not installed by default.

Only ssh or https

443 22 80, ports that are open

DAC – Single User to account. Groups. Shared, etc.

And Private key to get into ssh no accepting of passwords.

Lab

Go back to Amazon,

Create an instance.

Log on to the server.

Remember.... chmod 400 on the key

Do not lose the key.

[email protected]

Password redskins1992

Review

Security Levels:

D – minimal protection: everything that does not qualify for a higher class.

C1 – DAC at group level.

C2 – DAC for individual users and objects, plus auditing (individual accountability).

B1 – Mandatory Access Control – what we need for multi-level secure.

B2, B3 and A1 keep MAC and add progressively more assurance (structured design, a security kernel, formal verification).

Review - II

So, how can I prove Solr is running with Least Privilege?

Possibly – it is running on port 8080 >= 1024.

scott@companion:~$ ps -ef | grep tomcat

scott 10139 18578 0 14:55 pts/4 0

User is scott

Command grep scott /etc/passwd

Command su - scott

SSH

root@companion:~# groupadd jon

root@companion:~# useradd jon -g jon -d /home/jon -s /bin/bash

root@companion:~# cd /

root@companion:/# cd /home

root@companion:/home# mkdir /home/jon

root@companion:/home# chown jon:jon /home/jon

jon@companion:~$ ssh localhost

jon@localhost's password:

Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-30-generic-pae i686)

Requires password!!!!

No Password – How?

$ ssh-keygen

Enter file in which to save the key (/home/jon/.ssh/id_rsa):

Enter passphrase (empty for no passphrase):

Your public key has been saved in /home/jon/.ssh/id_rsa.pub.

jon@companion:~$ ls -al .ssh

-rw------- 1 jon jon 1675 Sep 11 14:18 id_rsa

-rw-r--r-- 1 jon jon 395 Sep 11 14:18 id_rsa.pub

-rw-r--r-- 1 jon jon 222 Sep 11 14:16 known_hosts

jon@companion:~/.ssh$ mv id_rsa.pub authorized_keys

Prove it: ssh localhost. (Appending with cat id_rsa.pub >> authorized_keys instead of mv keeps the public key and allows more than one key; sshd also refuses the file unless ~/.ssh is 700 and authorized_keys is owned by the user and not writable by group or others.)

We ssh now

jon@companion:~$ ssh localhost

Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-30-generic-pae i686)

* Documentation: https://help.ubuntu.com/

Let's us in without a password!!!

Look at this a little further

jon@companion:~/.ssh$ more id_rsa

-----BEGIN RSA PRIVATE KEY-----

MIIEowIBAAKCAQEA1/O96EGofjJ/fdBvF5VVIiGtnCeLgc+Ygt0XIv/N3M9lmCLN

9m6TGkJgn9AzrdVREb+R93i0D4Tvpv/kufd3LP9joAWPHIoFIEq6rRsrhj1U4qnb

jon@companion:~/.ssh$ more authorized_keys

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDX873oQah+Mn990G8XlVUiIa2cJ4uBz5iC3Rci/83c

z2WYIs32bpMaQmCf0DOt1VERv5H3eLQPhO+m/+S593cs/2OgBY8cigUgSrqtGyuGPVTiqduNzfWyx9ky

Lk+fXTZ0UTr745rR2BSnz2lhgLAmVyJiqIdxxX++Wqkc2Ku3uukntLCyQKO0p+6cubufLi7wdbw9FpW3

tKHLFJeOWjA86F32rZTSdNmz5Cv1ieXgO92Mt81wsAQ/yHO4ZvBPHdH97r91gdu1qftEskZJumZq9gO0

ElxFaX4SR+HLoZpVrjkE1kEE5xVdZHDsWB/6YWkzfBsGCsdvfhcSEEnxsL21 jon@companion

SSH With Passphrase

jon@companion:~$ ssh-keygen

Generating public/private rsa key pair.

Enter file in which to save the key (/home/jon/.ssh/id_rsa):

Enter passphrase (empty for no passphrase): lakers

Enter same passphrase again: lakers

jon@companion:~/.ssh$ mv id_rsa.pub authorized_keys

jon@companion:~/.ssh$ ssh localhost

Enter passphrase for key '/home/jon/.ssh/id_rsa':

Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-30-generic-pae i686)

Lab 3

Use ssh-keygen to create a public and private key.

Use this to get access to your account via ssh

without a password.

Setting SSHD to only allow Private Key

sudo su -

cd /etc/ssh/

edit sshd_config

change

#PasswordAuthentication yes

to

PasswordAuthentication no

then run sshd -t to check the syntax, restart the ssh service, and keep your current session open until a fresh key-based login succeeds.
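An added example, not from the slides, for the sshd_config change above. It shows the two things that catch people out: sshd uses the first uncommented occurrence of a directive and ignores the commented "#PasswordAuthentication yes" line, and keyboard-interactive authentication is a second route to a password prompt. The sample configuration it edits is constructed for the example and the helper names are my own; on a real host point them at /etc/ssh/sshd_config as root and confirm the result with sshd -T.

```shell
#!/bin/sh
# Added example: check what sshd will actually do with a config file, then apply
# the change from the slides. sshd honours the FIRST occurrence of a directive and
# ignores commented lines, so "#PasswordAuthentication yes" is not a setting, it is
# the compiled-in default (yes) written down as a reminder. Assumed: OpenSSH's
# sshd_config syntax; on the live host "sshd -T" prints the authoritative values.

# effective_sshd_value FILE KEY: the first uncommented value for KEY (case
# insensitive, as sshd treats keys), or "(default)" if the file never sets it.
# Directives inside "Match" blocks are conditional and are not special-cased here.
effective_sshd_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*(#|$)/ { next }
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print "(default)" }
    ' "$1"
}

# set_sshd_directive FILE KEY VALUE: remove every existing line for KEY, commented
# or not, and append "KEY VALUE" so the intended value is the one sshd reads.
# Writing back with cat keeps the file's owner and mode (root, 644).
set_sshd_directive() {
    tmp=$(mktemp)
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { line = $0; sub(/^[ \t]*#?[ \t]*/, "", line); split(line, p, /[ \t]+/) }
        tolower(p[1]) != key { print }
    ' "$1" > "$tmp"
    printf '%s %s\n' "$2" "$3" >> "$tmp"
    cat "$tmp" > "$1" && rm -f "$tmp"
}

# harden_sshd_config FILE: key-only logins. PasswordAuthentication alone is not
# enough on PAM setups: keyboard-interactive (challenge-response) is a second
# path to a password prompt, so it is switched off as well. (Newer OpenSSH calls
# the directive KbdInteractiveAuthentication and keeps the old name as an alias.)
harden_sshd_config() {
    set_sshd_directive "$1" PasswordAuthentication no
    set_sshd_directive "$1" ChallengeResponseAuthentication no
}

# write_sample_sshd_config FILE: constructed fragment in the style of the
# Ubuntu 12.04 file on the slides, not copied from any host.
write_sample_sshd_config() {
    cat > "$1" <<'EOF'
# Package generated configuration file
Port 22
Protocol 2
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
EOF
}

# Stand-alone run on the sample; for the real thing run the functions as root on
# /etc/ssh/sshd_config, then "sshd -t" to validate and restart sshd while keeping
# the current session open until a fresh key-based login succeeds.
cfg=$(mktemp)
write_sample_sshd_config "$cfg"
printf 'before: PasswordAuthentication=%s ChallengeResponseAuthentication=%s\n' \
    "$(effective_sshd_value "$cfg" PasswordAuthentication)" \
    "$(effective_sshd_value "$cfg" ChallengeResponseAuthentication)"
harden_sshd_config "$cfg"
printf 'after:  PasswordAuthentication=%s ChallengeResponseAuthentication=%s\n' \
    "$(effective_sshd_value "$cfg" PasswordAuthentication)" \
    "$(effective_sshd_value "$cfg" ChallengeResponseAuthentication)"
rm -f "$cfg"
```

The "(default)" result before hardening is the trap: the file looked as if passwords were configured, but sshd was simply using its built-in default of yes. Because the fix appends at the end of the file, a Match block earlier in the file still wins for the users it matches, which is one more reason to read the final state with sshd -T.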

Lab 4

Allow private key only access to your account.

Log out of Xwindows and see password still works.

THIS ONLY IMPACTS SSH, WHICH SHOULD BE YOUR ONLY EXTERNAL ACCESS. Physical access - we do not care.