Unix System Administration - PowerPoint PPT Presentation

Loading...

PPT – Unix System Administration PowerPoint presentation | free to view - id: 14aadb-MjY2Y



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

Unix System Administration

Description:

System dependent or variable items are usually in italics: /var/sadm/patch ... website' refer to IIPS page http://nciips.cc.nc.us/Standards. ... equiv files: ... – PowerPoint PPT presentation

Number of Views:180
Avg rating:3.0/5.0
Slides: 56
Provided by: charles275
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Unix System Administration


1
Unix System Administration
  • IT Audit Preparation

2006-08-21
2
Presentation Conventions
  • Names (files, users, daemons) are usually in
    bold/etc/syslog.conf
  • System dependent or variable items are usually in
    italics /var/sadm/patch/patchnumber/log
  • File entries and output are in mono-spaced
    typegt root 8036 c Tue Apr 26 235900 2005
    lt root 8036 c
    Tue Apr 26 235959 2005
  • Ä marks a line wrapped to fit on the slide mv
    Solaris_9_Recommended_Patch_Cluster_log
  • ÄSolaris_9_Recommended_Patch_Cluster_log.yyyymmd
    d
  • ð marks a horizontal tab (09 hex)
  • Reference OE is Solaris 9

3
Introduction
  • Suggestions for preparing your system prior to
    running script from auditors office and before
    auditors port scan.
  • Based on script supplied by schools most recently
    audited script name is comcol06.
  • Primary focus is on audit, not on making your
    system more secure.

4
Introduction continued
  • Comments within the script help with what the
    auditors are looking for, but sometimes may have
    to guess.
  • References to website refer to IIPS page
    http//nciips.cc.nc.us/Standards.html section
    Helpful information and scripts for your next
    audit

5
Solution Methods
  • Single-shot command, i.e. find blah-blah exec
    (usually not recommended). If you use, keep a log
    of what you have done.
  • Ad-hoc custom scripts
  • Sun applications such as Solaris Security
    Toolkit, or individual Sun scripts from the
    toolkit (fixmodes, nddconfig, etc.)
  • Third-party security applications YASSP, TITAN
    (4.0 for Solaris 9), etc.
  • Cfengine configuration program.

6
1 37 Introduction
  • Notes on how to execute directions refer to
    previous version of file (comcol05).
  • Prints host name and domain name, etc.

7
38-48 list /etc/syslog.conf
  • Presumably looking at configuration to see if the
    system is logging repeated login failures.
  • The default Solaris 9 /etc/syslog.conf already
    does this in lines 12 and 13.errkern.noticea
    uth.notice /dev/sysmsg.errkern.debugdaemon.not
    icemail.crit /var/adm/messages

8
Default /etc/syslog.conf line 12.errkern.noti
ceauth.notice /dev/sysmsg
  • The authorization system reports repeated login
    failures and password change failures at the crit
    level, so auth.notice would send messages about
    these to the console.

9
Default /etc/syslog.conf line 13.errkern.debu
gdaemon.noticemail.critÄ /var/adm/messages
  • .err logs all facility messages of err or
    higher therefore the default configuration will
    log repeated login failures, which are at the
    crit level, to the messages fileMay 8
    104028 sun0 login REPEATED LOGIN ÄFAILURES ON
    /dev/pts/23 FROM 10.1.7.220

10
49 56 list patches showrev -p
  • Because the script does not interrogate the
    system to determine which packages are installed,
    it is possible that the auditors will incorrectly
    conclude that your system is missing some
    required patches.
  • Try providing the auditors with the recommended
    cluster log , Solaris_9_Recommended_Patch_Cluster_
    log in /var/sadm/install_data.

11
49 56 list patches continued
  • The cluster log will indicate patches that
    cannot be applied because the package isnt on
    the system withOne or more patch packages
    included in - are not installed on this
    system.Patchadd is terminating.

12
71 86 List /etc/inetd.conf
  • Checking to see if services with known
    vulnerabilities have been commented out.
  • inetd.conf is the configuration file for the
    inetd daemon.
  • inetd is the server process for some Internet
    standard services (but not all).
  • Will start services only when requested and if
    they are listed in inetd.conf.
  • This file will also effect the auditors port
    scan.

13
List /etc/inetd.conf continued
  • Two types of services are listed in inetd.conf
  • Standard socket-based services that use the
    well-known port numbers these match the service
    name listed in /etc/services.
  • Non-standard services that use a service name
    instead of a well-known port, based on RFC 1078
    TCP Port Service Multiplexor (TCPMUX). In other
    words, RPC services.

14
List /etc/inetd.conf continued
  • For example the inetd.conf entry shell stream
    tcp nowait root Ä/usr/sbin/in.rshd in.rshdin
    inetd.conf corresponds to the /etc/services
    entry shell 514/tcp
  • A request on tcp port 514 will result in inetd
    running the remote shell in.rshd found in
    /usr/sbin as root.

15
List /etc/inetd.conf continued
  • An RPC entry follows the service name with a /
    and version number, etc. For example the
    inetd.conf entry rquotad/1 tli
    rpc/datagram_vÄwait root /usr/lib/nfs/rquotad
    Ärquotad is the entry for UFS disk quotas for
    NFS clients.
  • rpcbind listens in port 111, and handles a
    request for the service based on the services
    name.

16
Removing Services from inetd.conf
  • Only run services that are required, based on
    appropriate risk assessment.
  • Remove services by inserting comment symbol ()
    at beginning of the line that configures the
    service.
  • Signal inetd daemon to use new configuration
    pkill -1 inetd

17
/etc/inetd.conf socket-based services that should
always be removed
  • name (in.tnamed)
  • shell (in.rshd)
  • login (in.rlogind)
  • exec (in.rexecd)
  • comsat (in.comsat)
  • talk (in.talkd)
  • finger (in.fingerd)
  • systat
  • netstat
  • time
  • echo
  • discard
  • daytime
  • chargen

18
/etc/inetd.conf rpc services that should always
be removed (1)
  • 100232 (sadmind)
  • rquotad
  • rusersd
  • sprayd
  • walld
  • rstatd
  • rexd
  • uucp ¹
  • 100083 (ToolTalk DB)
  • 100221 (kcms server ²)
  • fs (Sun Font Server)
  • 100235 (cachefsd)
  • Recommend removing both uucp packages SUNWbnur
    and SUNWbnuu.
  • Recommend removing all Kodak Color Management
    System packages SUNWkcspf, SUNWkcspg,
    SUNWkcsrl, SUNWkcsrr, and SUNWkcsrt.

19
/etc/inetd.conf rpc services that should always
be removed (2)
  • 100134 (Kerberos warning message daemon)
  • 100242 (Kerberos DB Propagation daemon)
  • 100146 (smartcard amiserv)
  • 100147 (smartcard amiserv)
  • 100150 (smartcard OCF daemon)
  • sun-dr (dynamic configuration server)
  • 300326 (dynamic configuration server E10000)
  • 100424 (Standard Type Services Framework (STSF)
    Font Server

20
/etc/inetd.conf Entries Requiring a Risk
Assessment
  • ftp
  • telnet
  • tftp
  • printer
  • NetBackup related 100234 (gssd), bpcd, vnetd,
    bpjava-msvc
  • Logical Volume Management 100229, 100230,
    100068, 100242, 100155, 100422.
  • SunVTS 100153
  • Removable Media Server 100155/1

21
/etc/inetd.conf ftp
  • Vulnerability Unsecure clear-text transfer of
    authentication credentials and data.
  • Risk Assessment Required for Datatel
    Communications Management if not using Secure UI.
  • Other file transfers may be replaced with SunSSH
    scp or sftp programs.
  • Note in audit script states that in.ftpd should
    have -l option for logging. Put this in to make
    auditors happy.

22
/etc/inetd.conf ftp continued
  • Due to change in ftp daemon to wu-ftp in Solaris
    9, in order to actually log ftp connections
    /etc/default/inetd will need to have comment
    removed from the line with ENABLE_CONNECTION_LOGG
    INGYES
  • Recommend these entries in /etc/ftpd/ftpaccessba
    nner /etc/ftpd/banner.msggreeting
    tersemessage /etc/ftpd/welcome.msg login
  • Recommend /etc/ftpd/banner.msg have same legal
    warning message as /etc/issue and have no
    /etc/ftpd/welcome.msg file.

23
/etc/inetd.conf telnet
  • Vulnerability Unsecure clear-text transfer of
    authentication credentials and data.
  • Risk Assessment
  • Required for Datatel client access if not using
    UI SSL.
  • Datatel InstallShield requires regardless of UI
    setting.
  • Recommend use of ssh for administrative logins.

24
/etc/inetd.conf tftp
  • Vulnerability
  • No authentication
  • Unpredictable results when attempting to change
    home directory
  • Runs as user nobody can read all publicly
    readable files and write to all publicly writable
    files
  • Risk Assessment Leave enabled only if required
    to boot print servers or other diskless clients.

25
/etc/inetd.conf printer
  • Vulnerability
  • at one time there was a buffer overflow exploit
    in in.lpd.
  • Runs as root vulnerable to spoofing as uses IP
    address for authentication.
  • Risk Assessment The buffer overflow
    vulnerability was fixed in 2001. But this service
    is not required if system has EasySpooler
    installed recommend leaving enabled only if
    system does not have EasySpooler and needs to
    provide BSD printer services.

26
/etc/inetd.conf NetBackup Services
  • NetBackup inserts these entries into inetd.conf
  • 100234 (gssd Generic Security Service)
  • bpcd
  • ventd
  • vopied
  • bpjava-misc
  • Risk Assessment Required if using NetBackup
    100234 is only required if backing up remote
    clients using NFS.

27
/etc/inetd.conf Logical Volume Management
  • Solaris Volume Manager may insert the following
    entries
  • 100229 (rpc.metad remote metaset services)
  • 100230 (rpc.metamhd manage multi-hosted disks)
  • 100242 (rpc.metamedd manages mediator
    information)
  • 100442 (rpc.mdcommd Multi-node communication
    daemon)
  • Risk Assessment Very little information provided
    by Sun. rpc.metad and rpc.metamhd were used for
    remote systems or by metatool, which is no longer
    in Solaris 9. Volume management seems to work
    without rpc.metamedd and rpc.mdcommd but Im
    still running as a precaution.

28
/etc/inetd.conf sunvts
  • Vulnerability At one time there was a buffer
    overflow potential with older versions.
  • Risk Assessment Sun Validation and Test Suite
    seems to require this inetd.conf entry for both
    local and remote. Depends on whether you want to
    run sunvts.

29
/etc/inetd.conf rpc.smserverd
  • Vulnerability None that I can find, other than
    the usual RPC problems.
  • Risk Assessment Handles requests from client
    applications to handle removable media (tape and
    cd media, not PCMCIA devices). Seems safe to use
    at this time.

30
87 93 List /etc/ftpusers
  • In Solaris 9 Sun modified the in.ftpd daemon to
    one based on the Washington Univeristy FTP
    (wu-ftp) server.
  • As a result, the use of /etc/ftpusers has been
    deprecated users who cannot login to the ftp
    server should be listed in /etc/ftpd/ftpusers.
  • Therefore there probably may not be an
    /etc/ftpusers file that can be listed, so this
    may have to be pointed out to the auditors.

31
101 List /etc/init.d/inetinit
  • inetinit is the startup script that handles
    TCP/IP configuration.
  • Sets up default router, ipsec, etc.
  • Reads /etc/default/inetinit for to set TCP ISS
    (Initial Sequence Number) generation see next
    slide.
  • No need to modify this script. Use Suns
    nddconfig script to hard network stack you may
    want to show this to the auditors.

32
105 List /etc/default/inetinit
  • Looking for the TCP_STRONG_ISS setting
  • A TCP session is easily hijacked if initial
    session numbers are easily guessed (see CERT
    Advisory CA-2001-09 and RFC 1948).
  • Be sure TCP_STRONG_ISS setting in
    /etc/default/inetinit isTCP_STRONG_ISS2

33
107 109 List /etc/notrouter
  • System should not be running a routing protocol
    and forwarding packets.
  • When machine boots, /etc/rc2.d/S69inet will setup
    machine for routing if there is no /etc/notrouter
    file.
  • Make sure system has /etc/notrouter if not
    create by giving commandstouch
    /etc/notrouterchgrp other /etc/notrouterchmod
    400 /etc/notrouter

34
111 113 List /etc/defaultrouter
  • Existence prevents system from running a routing
    protocol.
  • Make sure system has /etc/defaultrouter
    specifying the hosts default router(s).

35
115 130 List /etc/hosts and /etc/hosts
  • Lists /etc/hosts to help in reading other files?
  • Looking for hosts.equiv files
  • There are files for specifying trusted hosts and
    users for the r commands (rcp, rlogin, rsh,
    rcmd).
  • Should not have these allow trusted users to
    access a system with supplying a password.
  • If system is running tcp_wrappers, there may be
    hosts.allow or hosts.deny these are not a
    security problem.

36
131 137 List /etc/netgroups
  • Looking for NIS netgroup file.
  • Should not have remove if system has one.

37
138 148 List all rhosts files
  • There are also files for specifying trusted hosts
    and users for the BSD r commands (rcp, rlogin,
    rsh, rcmd).
  • Should not have these allow trusted users to
    access a system with supplying a password.
  • Remove if system has them or be prepared to
    explain why they are on the system.

38
154 158 List /etc/motd and /etc/issue
  • Should be legal warning and not reveal
    information about the system.
  • See standard C3 Legal Warning Banners
  • If nothing else, be sure that /etc/motd is not
    the default that reveals the Operating System and
    versionSun Microsystems, Inc. SunOS 5.9Ä
    Generic January 2003

39
159 192 List /etc passwd, shadow, and group
  • Specifically looking for all accounts have
    passwords or are locked, odd user names and
    unique UIDs.
  • Review /etc/passwd and /etc/shadow. Make sure
    users have password aging, inactivity days set,
    etc.
  • The logins command is helpful
  • logins d will display logins with duplicate uids
  • logins p will display logins with no password

40
159 192 List /etc passwd, shadow, and group
continued
  • The passwd command can be used to set password
    aging
  • passwd x 90 jdoe
  • The usermod command can be used to set the
    maximum number of days allowed between uses of a
    login ID before it is made invalid (auditors like
    180 days)
  • usermod f 180 jdoe

41
193 211 List SUID and SGID Files Owned by Root
  • Lists last 200 root SUID files found, and last
    200 root SGID files found.
  • Use spreadsheet at website to make risk
    assessment (will update for Solaris 9) before
    removing SUID or SGID some files must have these
    bits set in order for the system to function.

42
212 267 Examines crontab access
  • /etc/cron.d/cron.allow
  • Usually should have only root, lp, and sys.
  • If using cron to resize Datatel files, either add
    datatel user or run with su datatel c
    option.
  • /etc/cron.d/at.allow Either do not have, or have
    root as only entry.
  • /etc/cron.d/cron.deny and /etc/cron.d/at.deny
    Should not exist.

43
268 274 List Files Without a Legal Owner
  • See standard C1 File Ownership Guidelines.
  • Will put delete.user script on website to help.

44
275 285 List perms and contents of /var/adm/log
  • Make sure to have /var/adm/loginlog
  • touch /var/adm/loginlog
  • chown rootsys /var/adm/loginlog
  • chmod 600 /var/adm/loginlog
  • Note that the script command will list every file
    in /var/adm ending in log.

45
286 295 List perms and contents of
/etc/default/login
  • Make sure to uncomment line CONSOLE/dev/console
    to prevent remote root login.
  • Most of the other entries can set elsewhere or
    are defaults.
  • If you want to log every single failed login
    attempt, change SYSLOG_FAILED_LOGINS to 0 as well
    as RETRIES.

46
296 314 List perms and contents (last 100
lines) of /var/adm/sulog
  • May have to explain some entries.

47
286 295 List perms and contents of
/etc/default/login
  • May have to explain some entries.

286 295 List perms and contents of
/etc/default/login Check UMASK setting (007).
48
340 360 List perms and contents of all user
.profile files.
  • The method used to list the file contents (cat
    /export/home//profile) will make it impossible
    for the auditor to know which contents belong to
    which file (unless every file has a comment
    header).

49
361 368 List perms and contents of a root
profile (/.profile).
  • Solaris 9 doesnt have one as /etc/default/su
    handles some of a root .profiles functions.
  • Some security folks prefer a separate root home
    directory and .profile Solaris has / as roots
    home directory. May have to explain to auditors.

50
369 379 List perms of /export/home directories.
Check for world-writable perms, shouldnt be any.
51
380 395 List cron log (last 100 lines)
  • Script Determine if the sync utility is
    periodically executed to copy disk buffer to disk
    so that loss of data is kept at a minimum in the
    event of system failure. This can be verified by
    reviewing the contents of the table stored in the
    crontab file, which lists the programs executed
    periodically. These programs are executed by the
    cron utility as background processes. The system
    administrator typically maintains the
    \etc\crontab file.

52
380 395 List cron log continued
  • It is not necessary to call sync in crontab
    because there is a Solaris fsflush daemon that
    automatically (and intelligently) handles this
    process the default setting runs the daemon
    every 30 seconds.
  • If you need to show them any documentation, the
    Solaris Tunable Parameters Reference Manual
    (817-1759) starting on page 29 discusses the
    fsflush daemon and its settings for /etc/system.

53
396 403 List permissions of tape devices
  • See standard C8 Backup Device Security.
  • Method used will probably not give actual
    permissions nay want to usels lL /dev/rmtand
    give auditors results.

54
404 414 List world-writable directories
  • Script The only world writable directories
    should be spool/public directories e.g. /tmp
    and should have the sticky bit set. Pay
    particular attention to any system owned
    directories that contains executables (sic)
  • Check withfind / -type d perm -0002 Äexec ls
    ld \

55
415 423 List world-writable files
  • Script Obtain a list of the world writable
    files and examine them for validity. Pay
    particular attention to any system owned
    executable or control file.
  • Check withfind / -type f perm -0002 Äexec ls
    al \
About PowerShow.com