Linux SystemsCompromised
Understanding and dealing with break-ins
Ede, 5 February 2016
Michael [email protected]
Agenda
Today1. How do “they” get in2. Rootkits3. Malware handling4. Defenses
2
Michael Boelen
● Security Tools○ Rootkit Hunter (malware scan)
○ Lynis (security audit)
● 150+ blog posts
● Founder of CISOfy
3
Intrusions
● Passwords● Vulnerabilities● Weak configurations
5
Rootkits
● (become | stay) root● (software) kit
9
Rootkits
● Stealth● Persistence● Backdoors
10
How to be the best rootkit?
Hiding ★
In plain sight!
/etc/sysconfig/…/tmp/mysql.sock/bin/audiocnf
12
Hiding ★★
Slightly advanced
● Rename processes● Delete file from disk● Backdoor binaries
13
Hiding ★★★
Advanced
● Kernel modules● Change system calls● Hidden passwords
14
Challenges
● We can’t trust anything● Even ourselves● No guarantees
21
● Owner?● Risk?● What if we pull the plug?
Activate your plan!
24
Best protection
At least● Perform security scans● Collect data● System Hardening
29
Frameworks / Patches
● SELinux● AppArmor● Grsecurity
30
Harden Applications
● Use chroot● Limit permissions● Change defaults
32
Kernel Hardening
● sysctl -a● Don’t allow ptrace
33
Tip: Lynis
● Linux / UNIX● Open source● GPLv3
35
Conclusions
● Good rootkits are hard to detect
● Use cost-effective methods● Detect● Restore● Learn
● Apply hardening
37
You finished this presentation
Success!
More Linux security?
Presentationsmichaelboelen.com/presentations/
Follow● Blog Linux Audit (linux-audit.com)● Twitter @mboelen
39