scsc 455 computer security 2011 spring n.
Skip this Video
Loading SlideShow in 5 Seconds..
SCSC 455 Computer Security 2011 Spring PowerPoint Presentation
Download Presentation
SCSC 455 Computer Security 2011 Spring

Loading in 2 Seconds...

play fullscreen
1 / 32
Download Presentation

SCSC 455 Computer Security 2011 Spring - PowerPoint PPT Presentation

Download Presentation

SCSC 455 Computer Security 2011 Spring

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. SCSC 455 Computer Security2011 Spring Chapter 4 File Security

  2. Index • File permissions • Monitor log files • File integrity

  3. File Security • Files are crucial asset to protect • contain business and personal data • contain system / security configuration data • Unauthorized users may want to: • View files to access data or to see how security settings are configured • delete files to make it unavailable, disrupt business plans, or corrupt system configurations • modify existing files or create new files either to corrupt data, to cover signs of their activity, or to alter security settings for future attacks.

  4. Linux File Permissions • The first line of defense is careful use of Linux file permissions • For any file or directory, Linux file permissions are … • Each can be assigned to …

  5. Permissions on files and directories • chmod command: change file permissions Examples …

  6. Examples • E.g 1: In a directory reports, $ ls –ld d rwx rwx --- 2 frank faculty 4096 Mar 24 12:20 reports Means ? • E.g. 2: there’re two data files in the directory reports $ ls –l - rw- --- --- 2 frank faculty 16350 Mar 25 18:10 private_report - rw- r-- --- 2 frank faculty 21340 Mar 25 18:10 public_report Means ?

  7. Examples • E.g. If Bob in student group tires the following command $ cd reports Result ? • If Alice in faculty group tires the following commands $ cd reports $ cat private_report $ cat public_report $ cp public_report private_report Results ?

  8. User Private Groups • Several Linux distributions (such as RH Linux) use a techniques User Private Groups to enhance file security • Every file and directory are assigned both a user and a group, each with separate permissions • It is more secure to have a group with only a single member, then make that the default group for all files created by that user • User Private Group is defined in file /etc/passwd Example …

  9. Set User ID (SUID) --- Revisit • SUID bit • causes the user who executes a program to assume the permissions of the owner of that file. $ ls -l test - rws r-x r-x1 frank faculty 3240 Mar 26 11:42 test • SUID bit is necessary for some programs • logging in • changing passwords • low level networking routines • control of graphical display functions • su • However SUID presents a security hazard • If hackers can set SUID bit of other system files, they may gain root access. • SUID is insecure on script files, as script files can be easily modified  Linux kernel does NOT allow a SUID bit when set on a script file.

  10. Set Group ID (SGID) • SGID bit • When SGID is set on a file, the user who executes a file to assume the permissions of the group of that file. • not a useful feature  rarely used. • When SGID is set on a directory, any file created within that directory is assigned the group of the directory, rather than the group of the user that creates the file.

  11. SGID Example SGID is a convenient method for creating a working space for a group of users Example … Q: what if Tom creates a file in his own directory?

  12. Example 2: another technique w/o using SGID • Deny access to members of a group: the owner has a certain access rights, the members of a group cannot access it, everyone else has a certain access rights. Example …

  13. Linux file system access control When a user requests access a directory or file Step1: System checks whether this user is owner Yes  check owner access privilege  access deny / grant No  goto Step 2 Step2: System checks whether this user belongs to the group assigned to the file/directory Yes  check group access privilege  access deny / grant No  goto Step 3 Step3: System knows this user belongs to others check others access privilege  access deny / grant

  14. Index • File permissions • Monitor log files • File integrity

  15. System Log Files • System log files may reveal security problems • Log files record the activity of programs such as login, FTP, email servers … • System logging daemons store log messages in several different files, depending on which type of program generated the message • defined in file /etc/syslog.conf • Messages in these log files are important to monitor system/security events e.g., found a large number of failed login attempted in /var/log/messages

  16. /etc/syslog.conf # Log all kernel messages to the console. # Logging much else clutters up the screen. #kern.* /dev/console # Log anything (except mail) of level info or higher. # Don't log private authentication messages! *.info;mail.none;authpriv.none;cron.none /var/log/messages # The authpriv file has restricted access. authpriv.* /var/log/secure # Log all the mail messages in one place. mail.* /var/log/maillog # Log cron stuff cron.* /var/log/cron

  17. Log File Utilities • Log files are important part of system maintenance and security • A number of utilities can help watch for log messages that indicate potential security violations • Rotating log files -- logrotate package • Tracking log files • shell commands: grep, tail • GUI tools: xlogmaster, logcheck

  18. Rotating Log Files • Log files require regular attention because they can become very large • The logrotate command helps automate the process of compressing and archiving log files • older log data can be stored in another location (CD or backup tape) • In RH Linux, logrotate is executed through the cronjob entry stored in /etc/cron.daily/logrotate #!/bin/sh /usr/sbin/logrotate /etc/logrotate.conf • check logrotate config file $ cat /etc/logrotate.conf

  19. /etc/logrotate.conf # rotate log files weekly weekly # keep 4 weeks worth of backlogs rotate 4 # create new (empty) log files after rotating old ones create # uncomment this if you want your log files compressed #compress # RPM packages drop log rotation information into this directory include /etc/logrotate.d # no packages own wtmp -- we'll rotate them here /var/log/wtmp { monthly create 0664 root utmp rotate 1 }

  20. Tracking Log Files • Several log daemons are constantly adding log entries to their corresponding log files • this information needs to be tracked • The log file can be viewed by root: • opening the log file in a text editor (gedit, vi, …) • using the grep or the tail commands Example … • In graphical desktop, use xlogmaster program to view the system log file

  21. Xlogmaster package • View system log file via Xlogmaster • is not part of most Linux distributions • can be downloaded

  22. Logcheck package • The logcheck package does much more than display log entries • checks log files hourly for suspicious entries • if found, they are emailed to the root user • After being installed, a cron job file is placed in /etc/cron.hourly so that logcheck runs each hour. • is not part of most Linux distributions, but can be obtained • The commercial version of logcheck is called LogSentry offered by Psionic Technologies

  23. Index • File permissions • Monitor log files • File integrity

  24. Maintaining File Integrity • It is necessary to keep track of the state of important system files for any unexpected changes • sometimes hackers can gain access, but the system log does NOT indicate a problem • E.g. A hacker replaces your inetd superserver daemon with a bogus inetd, …

  25. Rootkit • Once a cracker has obtained root access, he could install a rootkit • Rootkit is a collection of programs and scripts designed to permit continued access, even if the original break-in is discovered. Examples: • A hacker discovered you were using an outdated DNS server that permit a hacker to obtain root access. The hacker then installed a rootkit in your system. • Later you updated the DNS server. However, the hacker still has the access to your system.

  26. Rootkit lrk4 One example of rootkit is lrk4 • Released in November 1998 • Several more recent versions are available (lrk5 and lrk6) • It modifies the following programs in your system

  27. chkrootkit package • The chkrootkit package is used to check the system for evidence of a rootkit • includes a script that works like a virus checker • Examines system binary files to detect evidence of about 60 different rootkits • chkrootkit reports the presence of a rootkit • It cannot eliminate rootkit from the system • chkrootkit package is not included on most Linux distributions, can download

  28. After a rootkit is discovered • If possible, shut down networking on the server until the problem is cleaned up • Back up the entire system, including all of the operating system files and all data files • this data can be reviewed later to assist in tracking down the cracker • Rebuild the system either by updating the infected packages, or by reinstalling the entire operating system

  29. Maintaining File Integrity • A broader and more constant approach to file security than checking for rootkits is to watch the integrity of files on the system • Special file integrity utilities can help you track a large number of files on your system • Tripwire is the best known integrity checker • is available in a free version included with many Linux distributions • a commercial version is available from Tripwire, Inc.

  30. How to use Tripwire • To use Tripwire, start with a freshly installed system before it is connected to any networks • Tripwire creates a baseline of the critical system files • Once the baseline is established, Tripwire is run at regular intervals to see whether the state of the system has changed • If the changes are expected, you can update the baseline in Tripwire so that the changes are not marked as potential problems • To protect the protector: Tripwire configuration files are protected by a cryptographic signature based on a passphrase

  31. Samhain package • Samhain is similar to Tripwire with several potential advantages. • comibines a file integrity checker, a log file checker, and a network monitor. • Key features of Samhain: • Runs as a daemon instead of a cron job • Can detect kernel modules that were loaded as part of a rootkit • Can operate in a client/server environment • Report and audit logs are supported • Database and configuration files are signed • Runs on a number of UNIX and Linux platforms • HTML status pages show information about any client system being monitored

  32. Other File Integrity utilities • For more tools regarding file integrity, consider installing the binutils package • includes more than a dozen utilities useful for exploring the contents of files • Examples …