Unix Security (PowerPoint PPT presentation)

Page 1: Unix Security

Unix Security

Page 2: Unix Security

Unix Security

• Security architecture

• File system and user accounts

• Integrity management

• Auditing and intrusion detection

Page 3: Unix Security

Layers in a computer system

hardware

operating system (incl. networking)

application

users

Page 4: Unix Security

Unix security

• User access controls

• File access controls

• System administrator's control

Page 5: Unix Security

User access controls

Login through user name and password.

What the system stores is not the password but the result of using it as a key: traditional crypt(3) takes the first 8 characters of the password as a DES key and encrypts a 64-bit block of zeros 25 times, perturbed by a 12-bit salt; the 13-character result (2 salt characters plus 11 hash characters) is what goes into the password file. At login the candidate password is run through the same function and the outputs are compared, so the stored value never has to be (and cannot be) decrypted back to the password. On modern systems the hashes live in /etc/shadow (readable only by root) rather than in the world-readable /etc/passwd, and stronger schemes (sha512crypt, bcrypt, yescrypt) replace DES crypt.

Note there are two crypt functions on a Unix system: the crypt(3) library routine used for passwords, and the crypt(1) command, an unrelated and weak rotor-machine file cipher. Do not confuse them!!
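A worked check for the points above, added here as an example and not part of the original presentation: it parses passwd/shadow style entries, names the hashing scheme behind each password field (legacy DES crypt versus the modular `$id$salt$hash` forms) and reports the entries that weaken login control. The sample entries and the hash strings are constructed placeholders in the right format, not hashes of real passwords; on a real system you would read /etc/passwd and /etc/shadow instead.

```python
"""Audit password-file entries for weak user access controls.

Added example, not from the slides. Input is constructed inline; on a real
system read /etc/passwd and /etc/shadow (the latter as root) instead.
"""
import re

# Constructed sample entries; the hash strings are placeholders in the right
# format, not hashes of real passwords.
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
toor:x:0:0:second root:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
legacy:x:1003:1003:Old account:/home/legacy:/bin/sh
svc:x:1004:1004:Service:/var/svc:/usr/sbin/nologin
"""

SHADOW = """\
root:$6$saltsalt$constructedsha512hash:19000:0:99999:7:::
toor:$6$saltsalt$constructedsha512hash:19000:0:99999:7:::
alice:$6$saltsalt$anotherconstructedhash:19000:0:99999:7:::
bob::19000:0:99999:7:::
legacy:abJnggxhB/yWI:19000:0:99999:7:::
svc:!:19000:0:99999:7:::
"""

# crypt(3) DES output: 2 salt characters + 11 hash characters from [./0-9A-Za-z]
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
# modular crypt format: $id$salt$hash
MODULAR = re.compile(r"^\$(?P<id>[^$]+)\$")
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
           "2b": "bcrypt", "y": "yescrypt"}


def classify_hash(field: str) -> str:
    """Name the password scheme behind a shadow password field."""
    if field == "":
        return "EMPTY"
    if field.startswith(("!", "*")):
        return "LOCKED"
    m = MODULAR.match(field)
    if m:
        return SCHEMES.get(m.group("id"), "modular:" + m.group("id"))
    if DES_CRYPT.match(field):
        return "des-crypt"
    return "UNKNOWN"


def audit(passwd_text: str, shadow_text: str) -> list:
    """Return (account, problem) pairs for entries that weaken login control."""
    shadow = {}
    for line in shadow_text.splitlines():
        if line.strip():
            name, field = line.split(":")[:2]
            shadow[name] = field
    findings, uid_owner = [], {}
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        name, pw_field, uid = line.split(":")[:3]
        uid = int(uid)
        if pw_field not in ("x", "*"):
            findings.append((name, "password hash stored in world-readable passwd file"))
        if uid == 0 and name != "root":
            findings.append((name, "uid 0 account other than root"))
        if uid in uid_owner:
            findings.append((name, "shares uid %d with %s" % (uid, uid_owner[uid])))
        uid_owner.setdefault(uid, name)
        if name not in shadow:
            findings.append((name, "no shadow entry"))
            continue
        scheme = classify_hash(shadow[name])
        if scheme == "EMPTY":
            findings.append((name, "empty password field (login without a password)"))
        elif scheme == "des-crypt":
            findings.append((name, "legacy DES crypt(3) hash (8-char limit, 12-bit salt)"))
        elif scheme == "UNKNOWN":
            findings.append((name, "unrecognised password field"))
    return findings


if __name__ == "__main__":
    for account, problem in audit(PASSWD, SHADOW):
        print("%-8s %s" % (account, problem))
```

A locked account (`!` or `*`) is not reported because it cannot be logged into with a password; an empty field is, because on most systems it means "no password asked". The duplicate-uid check catches the classic `toor` style backdoor: the name differs, but the kernel only sees uid 0.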

Page 6: Unix Security

File access controls

directory based: a list for each user of the objects it may access (and with which rights)

access control list based: a list for each object of the users (or groups) that may access it

access control matrix: the full subject x object table of rights; the directory view and the ACL view are its rows and columns

capability: an unforgeable token/ticket that grants access to certain objects

procedure-oriented (information hiding): access only through a procedure that encapsulates the object

Page 7: Unix Security

Directory based access

Each user holds an access directory listing the shared resources (objects) and the rights granted on them:

User A's access directory        User B's access directory
prog1.c    rw-                   prog1.c    r--
cmnd1      --x                   cmnd1      rwx
printer1   -w-                   printer1   -w-

Page 8: Unix Security

Figure (nested sets): a user lies within a group, which lies within the set of all users; these are the three classes that Unix file protection distinguishes.

Page 9: Unix Security

Super user, SUID and SGID

The super user (root, uid 0) bypasses the file permission checks, so controlled invocation of its privileges is achieved by set-{user,group}-ID programs.

By setting the set-UID (set-GID) bit on a program, a normal user effectively runs it with the privileges of its owner (owning group), e.g. passwd, login, at, su, etc.

The integrity of SUID programs needs monitoring: a modified, replaced or writable SUID-root program hands root to anyone who can run it, and a new one appearing on the system is a classic backdoor.

Page 10: Unix Security

File protection

• basic: all-or-none protection

• group protection

• single permission: password or token; temporarily acquired permission

• per-object & per-user protection

Example: UNIX
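The access control views of slides 6 and 7 and the owner/group/other scheme that Unix uses as its reduced form of per-object, per-user protection (slides 8 and 10), worked through as an added example that is not part of the original presentation. The matrix entries are the slide's users A and B; `unix_allows` is this example's own model of the permission check for a regular file, including the two points practitioners get wrong most often (only one class applies, and root is special).

```python
"""Access matrix in its two views (per-subject directory / per-object ACL)
and the Unix owner-group-other reduction of it.

Added example, not from the slides. The matrix entries are the slide's
users A and B; unix_allows models the check for a regular file.
"""

# Access matrix from the slide: subject -> object -> rights (rwx, '-' for none).
MATRIX = {
    "A": {"prog1.c": "rw-", "cmnd1": "--x", "printer1": "-w-"},
    "B": {"prog1.c": "r--", "cmnd1": "rwx", "printer1": "-w-"},
}


def rights(s: str) -> set:
    return set(s) - {"-"}


def directory_view(matrix: dict) -> dict:
    """Directory (capability-list) based: one table per user, keyed by object."""
    return {subj: {obj: rights(r) for obj, r in objs.items()}
            for subj, objs in matrix.items()}


def acl_view(matrix: dict) -> dict:
    """ACL based: one list per object, keyed by user."""
    acl = {}
    for subj, objs in matrix.items():
        for obj, r in objs.items():
            acl.setdefault(obj, {})[subj] = rights(r)
    return acl


def allowed(matrix: dict, subject: str, obj: str, right: str) -> bool:
    """Reference-monitor check against the matrix; unknown subject/object -> deny."""
    return right in rights(matrix.get(subject, {}).get(obj, "---"))


def unix_allows(mode: int, owner: int, group: int,
                uid: int, groups: set, right: str) -> bool:
    """Unix reduces the subject column to three classes. Exactly one class
    applies: owner if uid matches, else group if the file's group is among
    the caller's groups, else other. A restrictive owner class is NOT
    rescued by permissive group/other bits. Root bypasses read/write and may
    execute when any execute bit is set (Linux CAP_DAC_OVERRIDE behaviour)."""
    bit = {"r": 4, "w": 2, "x": 1}[right]
    if uid == 0:
        return right != "x" or bool(mode & 0o111)
    if uid == owner:
        cls = (mode >> 6) & 7
    elif group in groups:
        cls = (mode >> 3) & 7
    else:
        cls = mode & 7
    return bool(cls & bit)


if __name__ == "__main__":
    print("A's directory:", directory_view(MATRIX)["A"])
    print("ACL of cmnd1:", acl_view(MATRIX)["cmnd1"])
    print("owner denied by 0o007:", unix_allows(0o007, 1000, 100, 1000, {100}, "r"))
```

The last line of the demo is the case worth remembering: with mode 0o007 the owner is refused while everyone else may read, because the kernel never falls through to a later class.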

Page 11: Unix Security

Integrity management

Is achieved by prevention and by detecting change.

Page 12: Unix Security

Prevention

By placing controls, such as software, hardware, file system and operating system controls.

By having immutable and append-only files. Immutable files are those that cannot be modified once the system is running (suitable for system programs such as login, passwd); append-only files are those to which data can be appended but in which the existing data cannot be changed (suitable for log files). On BSD these are the schg and sappnd file flags, enforced once the securelevel is raised; on Linux they are the chattr +i and +a attributes, which only a process holding CAP_LINUX_IMMUTABLE can set or clear.

Page 13: Unix Security

Detecting change

Comparison of files with a (good) backup copy. The backup copy has to be kept in a protected mode (read-only or offline media, otherwise the intruder alters both copies). The comparison has to be performed byte-by-byte and hence is a time consuming process (especially for large files, such as database files). Once an unauthorised change is detected, replace the altered version with the comparison copy, thereby restoring the system to normal.

Page 14: Unix Security

Detecting change

Checklists and metadata: store only a summary of the important characteristics of each file and directory and use this information for comparison.

• e.g. of summary information: time stamps (last read/modified), file protection modes, owner, link count, inode number (ncheck lists the names attached to an inode) etc.

• Running this kind of change detection as a cron job may not be a good idea: the crontab tells an intruder exactly when the check runs and where the checker and its checklist live, so both can be altered on the same host before the next run.

Page 15: Unix Security

Detecting change

Checksums and signatures: changes can be made in such a way that the checklist metadata does not change, so the previous method may fail.

• e.g. setting the clock backwards, performing the changes and then setting the clock forward again (or simply resetting the timestamps with utime(2)); a same-size replacement also leaves size and link count intact.

CRC checksums are useful only against accidental damage to a few bits; they are generated by well-known polynomials, so an attacker can adjust a modified file so that its CRC equals the original's.

Generate a signature instead using a cryptographic one-way hash function. The slides suggest MD5; its collision resistance has since been broken, so use SHA-256 or stronger today.
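The CRC point made concrete, as an added example that is not part of the original presentation: given a tampered file, four bytes are appended so that its CRC-32 equals the CRC-32 of the original, while a cryptographic hash (SHA-256 here) still tells the two apart. The "original" and "tampered" contents are constructed; the forging routine is this example's own implementation of the standard register-walk-back for the zlib CRC-32 polynomial.

```python
"""Why a CRC is not an integrity signature: append 4 bytes so the CRC-32 of a
tampered file equals the CRC-32 of the original, while SHA-256 still differs.

Added example; the file contents are constructed.
"""
import hashlib
import zlib

POLY = 0xEDB88320  # reflected CRC-32 polynomial, as used by zlib
TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ POLY if c & 1 else c >> 1
    TABLE.append(c)
# The top byte of each table entry is distinct, so it identifies the entry.
REV = {t >> 24: i for i, t in enumerate(TABLE)}
assert len(REV) == 256


def forge_crc32_suffix(data: bytes, target: int) -> bytes:
    """Return 4 bytes p such that zlib.crc32(data + p) == target.

    Each byte step of the CRC is reg' = TABLE[(reg ^ b) & 0xFF] ^ (reg >> 8).
    Walking the wanted register back four steps, with the table index kept
    in the low byte, yields a value x such that the bytes of (reg ^ x),
    taken little-endian, are exactly the four bytes to append."""
    reg = zlib.crc32(data) ^ 0xFFFFFFFF      # internal register after data
    x = target ^ 0xFFFFFFFF                  # register required after 4 more bytes
    for _ in range(4):
        i = REV[x >> 24]
        x = (((x ^ TABLE[i]) << 8) | i) & 0xFFFFFFFF
    return (reg ^ x).to_bytes(4, "little")


def crc_forge_works(data: bytes, target: int) -> bool:
    return zlib.crc32(data + forge_crc32_suffix(data, target)) == target


# Constructed contents, not a real system's files.
ORIGINAL = b"root:x:0:0:root:/root:/bin/sh\n"
TAMPERED = b"root:x:0:0:root:/root:/bin/sh\nevil:x:0:0::/:/bin/sh\n"


def demo() -> dict:
    target = zlib.crc32(ORIGINAL)
    forged = TAMPERED + forge_crc32_suffix(TAMPERED, target)
    return {
        "crc_matches": zlib.crc32(forged) == target,
        "sha256_matches": hashlib.sha256(forged).digest()
                          == hashlib.sha256(ORIGINAL).digest(),
    }


if __name__ == "__main__":
    print(demo())
```

The four padding bytes can be hidden in a comment, trailing whitespace or an unused section of a binary; nothing about the CRC makes them detectable. No such shortcut exists for a collision-resistant hash, which is the whole reason a signature must be built on one.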

Page 16: Unix Security

Tripwire

In practice one need not generate a digital signature on the content of every file. e.g. we need to know if the owner or protection of the /etc/passwd file is changed, but we do not care about its size or checksum because we expect the contents to change, whereas we should be concerned if the contents of /bin/login are altered.

Tripwire is a package that allows one to configure, per file and directory, which attributes are monitored and which message-digest (MD) algorithms are used. ftp://coast.cs.purdue.edu/pub/COAST/Tripwire
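A Tripwire-style checker in the spirit of the slide, added here as an example and not Tripwire's own code or configuration format: a per-file policy decides which attributes are recorded (mode/owner only for /etc/passwd-like files, full content hash for programs), and any regular file carrying the setuid or setgid bit is forced onto the full policy, which is the SUID monitoring slide 9 asks for. The policy letters, the file names and the scenario in `demo` are this example's own assumptions; the demo reproduces the "reset the timestamp after the change" trick from slide 15 and shows that the content hash still catches it.

```python
"""Tripwire-style integrity checking with a per-file policy.

Added example; it is not Tripwire's code or configuration format. Policy
letters are an assumption of this example: m=mode bits, u=owner uid,
g=group gid, s=size, t=mtime, h=SHA-256 of the contents. Any regular file
carrying the setuid or setgid bit is always checked with the full policy.
"""
import hashlib
import os
import stat
import tempfile

FULL = "mugsth"


def is_setid(st) -> bool:
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & (stat.S_ISUID | stat.S_ISGID))


def snapshot(path: str, policy: str) -> dict:
    """Record only the attributes the policy (or setuid status) says matter."""
    st = os.lstat(path)
    if is_setid(st):
        policy = FULL                       # privileged program: watch everything
    rec = {}
    if "m" in policy:
        rec["mode"] = stat.S_IMODE(st.st_mode)   # includes setuid/setgid/sticky bits
    if "u" in policy:
        rec["uid"] = st.st_uid
    if "g" in policy:
        rec["gid"] = st.st_gid
    if "s" in policy:
        rec["size"] = st.st_size
    if "t" in policy:
        rec["mtime"] = st.st_mtime_ns
    if "h" in policy and stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec


def baseline(policies: dict) -> dict:
    """policies: {path: policy}; returns the checklist to keep on read-only media."""
    return {p: snapshot(p, pol) for p, pol in policies.items()}


def compare(policies: dict, base: dict) -> dict:
    """Return {path: [changed attribute names]} for files that differ from base."""
    changes = {}
    for p, pol in policies.items():
        try:
            now = snapshot(p, pol)
        except FileNotFoundError:
            changes[p] = ["missing"]
            continue
        diff = sorted(k for k in set(base[p]) | set(now) if base[p].get(k) != now.get(k))
        if diff:
            changes[p] = diff
    return changes


def find_setid(root: str) -> list:
    """Walk a tree and list regular files with the setuid or setgid bit set."""
    hits = []
    for d, _, files in os.walk(root):
        for name in files:
            p = os.path.join(d, name)
            if is_setid(os.lstat(p)):
                hits.append(p)
    return sorted(hits)


def demo():
    """Constructed scenario in a temporary directory (not real system files)."""
    with tempfile.TemporaryDirectory() as d:
        passwd, hosts, login = (os.path.join(d, n) for n in ("passwd", "hosts", "login"))
        with open(passwd, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(hosts, "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(login, "wb") as f:
            f.write(b"#!/bin/sh\necho login\n")
        os.chmod(passwd, 0o644)
        os.chmod(hosts, 0o644)
        os.chmod(login, 0o4755)                       # setuid program
        policies = {passwd: "mug", hosts: "mug", login: "mug"}
        base = baseline(policies)
        # 1) expected change: passwd grows; its policy ignores size and contents
        with open(passwd, "a") as f:
            f.write("alice:x:1001:1001::/home/alice:/bin/sh\n")
        # 2) hosts made world-writable; mode is in its policy
        os.chmod(hosts, 0o666)
        # 3) login trojaned with same-length contents, setuid bit kept, mtime put back
        st = os.lstat(login)
        with open(login, "wb") as f:
            f.write(b"#!/bin/sh\necho LOGIN\n")
        os.chmod(login, 0o4755)                       # a write clears setuid; restore it
        os.utime(login, ns=(st.st_atime_ns, st.st_mtime_ns))
        changes = compare(policies, base)
        return ({os.path.basename(p): v for p, v in changes.items()},
                [os.path.basename(p) for p in find_setid(d)])


if __name__ == "__main__":
    print(demo())
```

Keep the baseline (and the checker itself) on read-only or offline media and run the comparison from a trusted copy rather than from the host's own cron, for the reason given on slide 14. A fresh entry in `find_setid` output that is absent from the baseline deserves the same attention as a changed hash.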

Page 17: Unix Security

Auditing and Intrusion Detection

After establishing the protection mechanisms, you need to monitor the system.

Monitoring is a process of auditing. The audit trail is kept in log files; however, log files are themselves vulnerable to security threats (after all, they are also files in the system!).

Page 18: Unix Security

Location of log files

Usually in /var/adm (on modern Linux systems mostly /var/log, with utmp under /run). The useful files are:

acct or pacct – records commands run by every user (process accounting)
aculog – records of dial-out modems
lastlog – logs each user's most recent successful login time, and possibly the last unsuccessful login too
messages – records output to the system's console and other messages generated from the syslog facility
sulog – logs use of the su command
utmp – records each user's current login (may be in /etc or /var/run)
wtmp – provides a permanent record of each time a user logged in and logged out; also records system shutdowns and startups
vold.log – logs errors encountered with the use of external media, such as tapes, floppy drives, etc.
xferlog – logs FTP access

Page 19: Unix Security

swatch – a log file tool

A Perl program that monitors log files and acts on lines matching configured patterns. Available from ftp://sierra.standford.edu/swatch or

ftp://coast.cs.purdue.edu/pub/tools/swatch

Page 20: Unix Security

Managing log files

• Plan to back up log files.

• Review the log files periodically (daily or more often).

• Apply filters so that you do not get bored seeing the log messages: a reviewer numbed by noise misses the one line that matters.

• Don't trust logs completely!! They can be altered or deleted by an intruder, so also send them to a separate log host the intruder cannot write to.

• Plan to install software which can add security to the operating system's controls (such as TCP Wrappers, which adds per-host access control and logging to network services).
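The swatch idea of slide 19 and the "apply filters" advice above, worked through as an added example that is neither swatch's code nor its configuration format: rules are regular expressions over syslog lines, noise is suppressed before any rule is tried, and a rule may require a count threshold before it alerts. The sample log lines are constructed, and the su/sshd message formats they use are assumptions of this example; real formats vary between Unix versions, so the patterns must be adjusted to what a given system actually logs.

```python
"""swatch-style log watching: regular-expression rules over syslog lines,
suppression filters for noise, and thresholds before alerting.

Added example, not swatch's code or configuration. The rules match the
constructed line formats below; real su/sshd formats differ by system.
"""
import re
from collections import Counter

# Lines that only add noise and are dropped before any rule is tried.
IGNORE = [re.compile(r" CRON\[\d+\]: ")]

# (rule name, pattern); the named group 'key' is what the rule is counted by.
RULES = [
    ("auth_failure", re.compile(
        r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<key>\S+)")),
    ("root_login", re.compile(
        r"sshd\[\d+\]: Accepted \w+ for root from (?P<key>\S+)")),
    ("su_failure", re.compile(
        r"su\[\d+\]: FAILED SU \(to \S+\) (?P<key>\S+)")),
]

# Alert the first time a (rule, key) pair reaches this count; default is 1.
THRESHOLD = {"auth_failure": 3}

# Constructed sample log, not captured from a real host.
LOG = """\
Mar  3 10:01:02 host CRON[1001]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 10:02:15 host sshd[1200]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:02:17 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar  3 10:02:20 host sshd[1202]: Failed password for bob from 198.51.100.9 port 40000 ssh2
Mar  3 10:02:21 host sshd[1203]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 10:02:23 host sshd[1204]: Failed password for root from 203.0.113.5 port 51241 ssh2
Mar  3 10:03:01 host su[1300]: FAILED SU (to root) alice on /dev/pts/0
Mar  3 10:03:30 host CRON[1002]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 10:04:00 host sshd[1400]: Accepted publickey for root from 198.51.100.7 port 4242 ssh2
"""


def scan(text: str) -> list:
    """Return (rule, key, line) alerts in the order they fire."""
    counts = Counter()
    alerts = []
    for line in text.splitlines():
        if any(p.search(line) for p in IGNORE):
            continue
        for name, rx in RULES:
            m = rx.search(line)
            if m is None:
                continue
            key = m.group("key")
            counts[(name, key)] += 1
            if counts[(name, key)] == THRESHOLD.get(name, 1):
                alerts.append((name, key, line.strip()))
    return alerts


if __name__ == "__main__":
    for rule, key, line in scan(LOG):
        print(f"ALERT {rule} [{key}]: {line}")
```

One failed login from 198.51.100.9 never reaches the threshold and stays silent, while the fourth-hand attempts from 203.0.113.5 fire once and only once; the su failure and the root login alert immediately. Run the watcher on the log host that receives the forwarded copies, not on the monitored machine, so that an intruder who edits the local files does not also silence the alerts.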