Scsc 455 computer security
1 / 32

SCSC 455 Computer Security - PowerPoint PPT Presentation

  • Uploaded on

SCSC 455 Computer Security. Chapter 4 File Security. Index. File permissions Monitor log files File integrity. File Security. Files are crucial asset to protect contain business and personal data contain system / security configuration data Unauthorized users may want to: View files

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about ' SCSC 455 Computer Security' - joelle-carson

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Scsc 455 computer security

SCSC 455 Computer Security

Chapter 4

File Security


  • File permissions

  • Monitor log files

  • File integrity

File security
File Security

  • Files are crucial asset to protect

    • contain business and personal data

    • contain system / security configuration data

  • Unauthorized users may want to:

    • View files

      to access data or to see how security settings are configured

    • delete files

      to make it unavailable, disrupt business plans, or corrupt system


    • modify existing files or create new files

      either to corrupt data, to cover signs of their activity, or to alter

      security settings for future attacks.

Linux file permissions
Linux File Permissions

  • The first line of defense is careful use of Linux file permissions

    • For any file or directory, Linux file permissions are …

  • Each can be assigned to …

Permissions on files and directories
Permissions on files and directories

  • chmod command: change file permissions

    Examples …


  • E.g 1: In a directory reports,

    $ ls –ld

    d rwx rwx --- 2 frank faculty 4096 Mar 24 12:20 reports

    Means ?

  • E.g. 2: there’re two data files in the directory reports

    $ ls –l

    - rw- --- --- 2 frank faculty 16350 Mar 25 18:10 private_report

    - rw- r-- --- 2 frank faculty 21340 Mar 25 18:10 public_report

    Means ?


  • E.g. If Bob in student group tires the following command

    $ cd reports

    Result ?

  • If Alice in faculty group tires the following commands

    $ cd reports

    $ cat private_report

    $ cat public_report

    $ cp public_report private_report

    Results ?

User private groups
User Private Groups

  • Several Linux distributions (such as RH Linux) use a techniques User Private Groups to enhance file security

    • Every file and directory are assigned both a user and a group, each with separate permissions

    • It is more secure to have a group with only a single member, then make that the default group for all files created by that user

    • User Private Group is defined in file /etc/passwd

      Example …

Set user id suid revisit
Set User ID (SUID) --- Revisit

  • SUID bit

    • causes the user who executes a program to assume the permissions of the owner of that file.

      $ ls -l test

      - rws r-x r-x1 frank faculty 3240 Mar 26 11:42 test

  • SUID bit is necessary for some programs

    • logging in

    • changing passwords

    • low level networking routines

    • control of graphical display functions

    • su

  • However SUID presents a security hazard

    • If hackers can set SUID bit of other system files, they may gain root access.

    • SUID is insecure on script files, as script files can be easily modified

       Linux kernel does NOT allow a SUID bit when set on a script file.

Set group id sgid
Set Group ID (SGID)

  • SGID bit

    • When SGID is set on a file, the user who executes a file to assume the permissions of the group of that file.

      • not a useful feature  rarely used.

    • When SGID is set on a directory, any file created within that directory is assigned the group of the directory, rather than the group of the user that creates the file.

Sgid example
SGID Example

SGID is a convenient method for creating a working space for a group of users

Example …

Q: what if Tom creates a file in his own directory?

Example 2 another technique w o using sgid
Example 2: another technique w/o using SGID

  • Deny access to members of a group:

    the owner has a certain access rights, the members of a group cannot access it, everyone else has a certain access rights.

    Example …

Linux file system access control
Linux file system access control

When a user requests access a directory or file

Step1: System checks whether this user is owner

Yes  check owner access privilege  access deny / grant

No  goto Step 2

Step2: System checks whether this user belongs to the group assigned to the file/directory

Yes  check group access privilege  access deny / grant

No  goto Step 3

Step3: System knows this user belongs to others

check others access privilege  access deny / grant


  • File permissions

  • Monitor log files

  • File integrity

System log files
System Log Files

  • System log files may reveal security problems

    • Log files record the activity of programs such as login, FTP, email servers …

    • System logging daemons store log messages in several different files, depending on which type of program generated the message

      • defined in file /etc/syslog.conf

    • Messages in these log files are important to monitor system/security events

      e.g., found a large number of failed login attempted in /var/log/messages

Etc syslog conf

# Log all kernel messages to the console.

# Logging much else clutters up the screen.

#kern.* /dev/console

# Log anything (except mail) of level info or higher.

# Don't log private authentication messages!

*.info;mail.none;authpriv.none;cron.none /var/log/messages

# The authpriv file has restricted access.

authpriv.* /var/log/secure

# Log all the mail messages in one place.

mail.* /var/log/maillog

# Log cron stuff

cron.* /var/log/cron

Log file utilities
Log File Utilities

  • Log files are important part of system maintenance and security

    • A number of utilities can help watch for log messages that indicate potential security violations

      • Rotating log files -- logrotate package

      • Tracking log files

        • shell commands: grep, tail

        • GUI tools: xlogmaster, logcheck

Rotating log files
Rotating Log Files

  • Log files require regular attention because they can become very large

  • The logrotate command helps automate the process of compressing and archiving log files

    • older log data can be stored in another location (CD or backup tape)

    • In RH Linux, logrotate is executed through the cronjob entry stored in /etc/cron.daily/logrotate


      /usr/sbin/logrotate /etc/logrotate.conf

    • check logrotate config file

      $ cat /etc/logrotate.conf

Etc logrotate conf

# rotate log files weekly


# keep 4 weeks worth of backlogs

rotate 4

# create new (empty) log files after rotating old ones


# uncomment this if you want your log files compressed


# RPM packages drop log rotation information into this directory

include /etc/logrotate.d

# no packages own wtmp -- we'll rotate them here

/var/log/wtmp {


create 0664 root utmp

rotate 1


Tracking log files
Tracking Log Files

  • Several log daemons are constantly adding log entries to their corresponding log files

    • this information needs to be tracked

  • The log file can be viewed by root:

    • opening the log file in a text editor (gedit, vi, …)

    • using the grep or the tail commands

      Example …

  • In graphical desktop, use xlogmaster program to view the system log file

Xlogmaster package
Xlogmaster package

  • View system log file via Xlogmaster

    • is not part of most Linux distributions

    • can be downloaded

Logcheck package
Logcheck package

  • The logcheck package does much more than display log entries

    • checks log files hourly for suspicious entries

    • if found, they are emailed to the root user

      • After being installed, a cron job file is placed in /etc/cron.hourly so that logcheck runs each hour.

    • is not part of most Linux distributions, but can be obtained

  • The commercial version of logcheck is called LogSentry offered by Psionic Technologies


  • File permissions

  • Monitor log files

  • File integrity

Maintaining file integrity
Maintaining File Integrity

  • It is necessary to keep track of the state of important system files for any unexpected changes

    • sometimes hackers can gain access, but the system log does NOT indicate a problem

  • E.g. A hacker replaces your inetd superserver daemon with a bogus inetd, …


  • Once a cracker has obtained root access, he could install a rootkit

    • Rootkit is a collection of programs and scripts designed to permit continued access, even if the original break-in is discovered.


    • A hacker discovered you were using an outdated DNS server that permit a hacker to obtain root access. The hacker then installed a rootkit in your system.

    • Later you updated the DNS server. However, the hacker still has the access to your system.

Rootkit lrk4
Rootkit lrk4

One example of rootkit is lrk4

  • Released in November 1998

  • Several more recent versions are available (lrk5 and lrk6)

  • It modifies the following programs in your system

Chkrootkit package
chkrootkit package

  • The chkrootkit package is used to check the system for evidence of a rootkit

    • includes a script that works like a virus checker

      • Examines system binary files to detect evidence of about 60 different rootkits

      • chkrootkit reports the presence of a rootkit

      • It cannot eliminate rootkit from the system

  • chkrootkit package is not included on most Linux distributions, can download

After a rootkit is discovered
After a rootkit is discovered

  • If possible, shut down networking on the server until the problem is cleaned up

  • Back up the entire system, including all of the operating system files and all data files

    • this data can be reviewed later to assist in tracking down the cracker

  • Rebuild the system

    either by updating the infected packages, or by reinstalling the entire operating system

Maintaining file integrity1
Maintaining File Integrity

  • A broader and more constant approach to file security than checking for rootkits is to watch the integrity of files on the system

  • Special file integrity utilities can help you track a large number of files on your system

    • Tripwire is the best known integrity checker

      • is available in a free version included with many Linux distributions

      • a commercial version is available from Tripwire, Inc.

How to use tripwire
How to use Tripwire

  • To use Tripwire, start with a freshly installed system before it is connected to any networks

    • Tripwire creates a baseline of the critical system files

    • Once the baseline is established, Tripwire is run at regular intervals to see whether the state of the system has changed

      • If the changes are expected, you can update the baseline in Tripwire so that the changes are not marked as potential problems

    • To protect the protector:

      Tripwire configuration files are protected by a cryptographic signature based on a passphrase

Samhain package
Samhain package

  • Samhain is similar to Tripwire with several potential advantages.

    • comibines a file integrity checker, a log file checker, and a network monitor.

  • Key features of Samhain:

    • Runs as a daemon instead of a cron job

    • Can detect kernel modules that were loaded as part of a rootkit

    • Can operate in a client/server environment

    • Report and audit logs are supported

    • Database and configuration files are signed

    • Runs on a number of UNIX and Linux platforms

    • HTML status pages show information about any client system being monitored

Other file integrity utilities
Other File Integrity utilities

  • For more tools regarding file integrity, consider installing the binutils package

    • includes more than a dozen utilities useful for exploring the contents of files

    • Examples …