os security intro Flashcards
what is os security
measures and mechanisms implemented to protect the os from threats vulnerabilities and unauthorised access
what is access control
controlling the resources that a user can access based on authentication and authorization
authentication
verifying the identity of a user
authorization
granting and restricting access based on the users roles and permissions
what is the active entity
the subject
user/process
what is the passive entitiy
the object
the file/resource
discretionary access control
the owner of the resource decided who is allowed access
mandatory access control
a system-wide policy decides who is allowed access
what are user identifiers
unique numbers assigned to users to identify and manage their access
what are the five types of user identifiers
user id uid
group id gid
effective uid euid
real uid ruid
saved uid suid
uid
assigned to each user
what is the uid of the root and why is this special
0
gives unrestricted access to the system
gid
assigned to a group of users
what are two benefits of gid
more effective as you dont need to configure permissions for each user
easier to modify permissions for the group rather than each user separately
euid
determines permissions for processes
ruid
the uid of the user who started the process
suid
allows a process to switch back to privileged uid after temporarily dropping privileges
nobody uid
massive number
used for running untrusted processes so it has minimal priveleges
how does assigning uid work
when a user logs in the system designs their uid and guid and all the files and processes created by them have the same uid and gid
when they attempt to access a resource the permissions are checked against their uid and gid
what are two of the potential threats with access control
privilege escalation
uid reuse
how is uid reuse a potential threat in access control
reassigning the uid to a new user may mean that they still have the same privileges of the old user
how is privilege escalation a potential threat in access control
hackers can exploit a misconfigured uid to gain privileges
what is file system security
protecting files and directories via permissions and encrypting sensitive data to avoid unauthorised access
what are the three parts of file permissions (+ explain them)
ownership: all owned by a specific user/group that decide the permissions
permission types (r, w, x)
levels: user(owner) , group, others
which two apps can we use to check the integrity of a file and what exactly do they do
tripwire
aid
checks for unauthorised access
what is the concept of least privilege
is privileges are appropriate they’ll allows processes and users to have the least privileges required to carry out their tasks
what are the uid 1-999 reserved for
for system services and daemons
how does file permissions work in linux
rwx stored together for user, group and others with - if they dont have that permission
e.g. rwxr—–
process isolation
ensures that each process has its own space so they dont interfere with each other and access/ corrupt each others memory
what is an example of process isolation
windows container
memory protection
ensures that a process only accesses authorised memory regions
prevents unauthorised access to the kernel and other memory regions
how do privilege levels work in process and memory protection
separate user and kernel space
the user has limited access whilst the kernel has access to all software hardware and memory resources
what are the three potential threats in process and memory protection
denial of service
privilege escalation
buffer overflow
how do we mitigate privilege escalation in process and memory protection
strict separation between user and kernel mode
how do we mitigate dos in process and memory protection
resource limits and process scheduling
what is a buffer
a contiguous memory block that stores data temporarily
how do attackers use buffer overflows to their benefit
overwriting memory via exploiting poorly written code to execute malicious code
what can an attacker do with a buffer overflow
add an account
control the app remotely
alter the system configuration
force the program to execute commands to the cmd shell
what are the three types of messages with buffer overflows
bus error
segmentation error
general protection fault
segmentation error + general protection fault
memory protection deny access: usually means that theres a buffer overflow
bus error
memory doesnt exist
what are some good practices for memory and process protection
secure coding to avoid buffer overflows
enabling security features
regular software updates
limit privileges
monitor and audit
what are some security features that can be enabled in memory and process protection
alsr: address space layout randomisation
nx: non-executable
alsr: address space layout randomisation
random memory allocation to attackers dont know where the buffers are
nx: non-executable
protected areas
patch management
applying security patches(updates) regularly and updating the os to fix vulnerabilities and bugs
what are the four types of patches
security
bug fixes
feature update
performance patches
security patches
fix vulnerabilities that could be exploited by hackers
big fixes (patches)
resolve bugs causing crashes and errors
feature updates (patches)
new functionality/ improve existing features
performance patches
optimise os usage and increase software performance
what are the four types of audits
security
compliance
operational
forensic
security audit
evaluate the effectiveness of security control and identify vulnerabilities
compliance audit
ensure adherence to regulated requirements
operational audit
assess efficiency and effectiveness of operational processes
forensic audit
investigate security incidents/breaches to determine the cause and impact
what are the five types of logs
system
application
security
network
audit
system log
record system events
e.g. shutdown
application logs
track events within specific apps
e.g. login attempts
security logs
security related events
e.g. authentication
network logs
monitor the network for traffic and connections
audit logs
track user activities for accountability
what are the best practices for auditing and logging
enable comprehensive logging
centralise log management
protect logs
regularly review logs
retain logs
conduct regular audits
what do we mean by enable comprehensive logging
ensure all critical components generate logs and are logging relevant details
e.g. timestamps, uid pid
how do we centralise log management
collect and analyse logs from multiple sources
how do we protect logs
encrypt and restrict access to logs
user write-once storage to prevent tampering
why and how do we regularly review logs
to detect anomalies via automated tools
how do we retain logs
should keep them for a time period as defined by policies and regulations
they should be archived for future reference
why do we conduct regular audits
we can use audit trails to investigate incidents and track changes
auditing
reviewing and analysing logs and records to detect anomalies
logging
recording events and activities in the system/app/network
what are the 6 key components of patch management
inventory and assessment
vulnerability monitoring
patch acquisition
testing
deployment (deploy after testing)
verification and documentation
inventory and assessment (patch management)
maintaining an inventory of hardware and software
identify which applications require patches
vulnerability monitoring (patch management)
using vulnerability scanners to find new vulnerabilities and patches
patch acquisition (patch management)
downloading patches from trusted sources and verifying their integrity via checksums/digital signatures
testing (patch management)
testing patches in a controlled environment and checking for compatibility with the system/apps
usually dont by the company deploying them
verification and documentation (patch management)
check theyre successfully applied and functioning correctly
monitoring for issues
maintain records of patching activities - which ones have been applied where and when
