CH 14 LOCAL SECURITY REVIEW

Question 1

RISK MANAGEMENT & MITIGATION

• What is risk?
• How are security systems designed?

Answer 1

RISK - the combinatoin of the probability of an event and its consequence.

• Risk doesn’t imply GOOD or BAD - it imples different.
• Stability is important for systems admins.

Security systems are designed to manage and mitigate risk by making it harder to make changes.

Linux’ local security model was designed with that in mind.

Question 2

RISK MANAGEMENT & MITIGATION

• Cost-Benefit Analysis
• What are costs?

Answer 2

Cost-Benefit Analysis

• Managing and mitigating risk has costs associated.
• Having a compromised server has costs associated.
• Admins must take all costs into consideration when establishing security.

What are costs?

• Finanical Costs
• Opportunity Costs
  
  • Time spent fixing problems v. excessively cumbersome security.
  • Downtime during a security event
  • Loss of reputation

Question 3

SetUID

Answer 3

SetUID - flag that permits users who do not have escalated privileges (root) to execute certain pre-authorized programs (executables) with root permissions.

Certain programs have the SetUID flag set by default.

• ping - generally creating packets is restricted to root only, but ping has a legitimate need to create packets (ICMP requests), so the SetUID flag allows non-root users to run the program as root.

Question 4

SetUID

• Caution when using SetUID

Answer 4

Because programs are executed as root, caution should be used in deciding what programs have the SetUID flage set.

• ALL functions performed by the program ran by a non-privileged user will run as root, regardless if you meant for it to happen or not.
• Ex. you probably don’t want to have rm with the SetUID flag.

Admins must balance the availability of features to users v. the risk of granting escalated privileges to said users.

Question 5

SetUID

• Granting SetUID

Answer 5

Programs granted SetUID has an attribute set that the Linux kernel uses to grant root-like permissions to the program.

Use the ls command to quickly view if an executable has SetUID set.

• The “s” in the ping command permission represents that the SetUID flag has been set for the ping command. -rwsr-xr

Question 6

Determining Necessity of Running Processes?

Run the top command to see all processes running - Are all these processes running necessary?

Answer 6

The answer is - it depends.

First, you must determine the role of the Linux machine.

• Web server vs. end user desktop have very different use.

Based on the role of the Linux machine, certain running services might need to be disabled.

The more running processes, the more opportunities for risks.

• Attack vector - path or means by which a hacker (or cracker) can gain access to a computer or network server in order to deliver a payload or malicious outcome.
• The more running processes, the more attack vectors presented.

Question 7

RUNLEVEL

• What is RunLevel
• Default runlevel
• runlevel command

Answer 7

1. The RunLevel tells the system what amount of functionality at which the system should be running.
2. Most systems default to a runlevel of 5, which gives a GUI and all other resources.
3. For a server, the default runlevel 5, may be too high.
4. Determine the current runlevel by running the runlevel command.

Question 8

RUNLEVEL

• modify the runlevel
• location of runlevel config file
• Types of runlevels

Answer 8

• You can modify the runlevel that the system uses as startup.
• The runlevel is controlled by the /etc/inittab file.
• Types of runlevels:
  
  • id:5:initdefault - GUI
  • id:3:initdefault - bash shell, all other features.
  • id:1:initdefault - maintenance mode

Question 9

NON-HUMAN USER ACCOUNTS

Answer 9

1. Not every account on a system must correspond to an actual person.
2. Many programs run using a nonhuman account - also referred to as a service account.
3. By running applications with a specific account, you can control exactly what that account can and cannot do and/or access.

Question 10

LIMITED RESOURCES

• What consumes resources
• What happens if process consumes too many resources

Answer 10

• Processes / daemons running consume resources.
• Without controls, a process could theoretically consume too many system resources, causing the system to malfunction.
  
  • This is called a runaway process.
  • Sometimes the only way to kill a runaway process is to reboot the server, which causes downtime

Question 11

LIMITED RESOURCES

• How to control resources consumption

Answer 11

• To better control the resources available to processes, the ulimit functionality can be used.
• ulimit restrictions are configured in the /etc/security/limits.conf file.
• Some of the limitations that can be applied are:
  
  • Number of handles (files) that can be opened simulateously.
  • Amount of memory that can be consumed.
  • CPU time /percentage.
  • Number of processes that can be spawned.
• By carefully planning resource allocation, this can keep system overhead to a minimum.

Question 12

ADDITIONAL SECURITY RESOURCES

chroot

Answer 12

• chroot - allows a process and all children processes to redefine what they perceive to be the root directory.
  
  • Less chance that any system files can be modified by a process that is compromised.
  • This is sometimes referred to as “process jail.”

Question 13

ADDITIONAL SECURITY RESOURCES

Security frameworks

Answer 13

Security frameworks

• SELinux and AppArmor - creates a structure of different components of Linux to better control what can be done on a server.
• Uses the basis of “Mandatory Access Control (MAC)” - explicitly granting rights and resources.

Question 14

SYSTEM MONITORING

• Logging
• ps command
• netstat command
• df command

Answer 14

• Logging - most systems log files are stored in /var/log and are rotated automatically.
  
  • This is done to ensure that log files are saved for a period of time, but a single log file does not grow so large that it becomes unusable.
  • Review log files periodically for any unusual entries.
  • Unusual entries can be a sign of a security issue, misconfigured software, or malfunctioning hardware.
• ps and netstat commands - these utilities will review what is going on in a Linux system from a running process and network perspective.
  
  • Example: run ps -auxww
  • Example: run netstat -an
• df command - shows available space on partitions (drives - both physical and logical)
  
  • Large and sudden disk consumption can be a cause for concerns.
  • Example: run df -h

Question 15

SYSTEM UPDATES

Answer 15

• Updates to Linux and associated programs are released on a frequent basis.
• It may seem like a good idea to run updates patches ASAP, but there are risks and costs.
  
  • Small, well-tested patches are usually ok.
  • Consider - what if they have bugs or security holes that haven’t yet been identified?
• For large updates (ie version upgrades) you may want to consider a pre-production (test) environment to verify everything first.
  
  • Some programs might not take well to a new version of Linux - they may need their own updates?

Question 16

SYSTEM UPDATES

• How to keep the kernel and packages up to date

Answer 16

Keeping the kernel and packages up-to-date with these commands:

• yum update
• (no yum upgrade command)
• apt-get update
• apt-get upgrade