Securing User Environment Flashcards
what is the password file in linux?
/etc/passwd is the file where all user accounts are listed, together with their password field and group information.
What is the format for each line in the passwd file?

what is the category of files you will find in /etc ?
All config files for the system and programs. All of them are customizable.
How does the /etc/group File work?

What is the /etc/shadow File?

What is /etc/login.defs?
This is called the login.default file.

Commands to create user accounts and setting account passwords

How does the chage command work?
Looks like CHANGE, but chage shows how long ago a password was changed.
It's really CH-AGE: change age.
It also sets password aging policy: when the password can be changed, the min/max days allowed between changes or before it expires, the number of days beforehand that the user is warned the password will expire, and the number of days after expiry before the account is made inactive (disabled).

Examples of how to use the chage command (finding the user ID, etc.).
The chage example in the image is missing the actual username, which should be specified at the end of the command.

Setting password policy.
what are the 3 main files where you can set password policy?

How would you change the number of previous passwords it compares against? IOW, so you can't reuse any of the previous 5 passwords, for example…

How would you require a minimum password length?

How would you set the minimum number of required class of characters for use in the password?

How does the useradd document work and where is it located?

How do you lock or disable user accounts manually?

How to lock a user account after 3 failed attempts?

What happens after a user's account is locked after x failed attempts and they then use the CORRECT password?
It will fail just like it did for the first x attempts BEFORE the right one was used. This is because the account is locked and no password will open it.
Deployed in conjunction with Snort, what is Bro IDS (bro.org)?
Anomaly detection
Network analysis framework
IDS - intrusion detection system
Domain specific language
Traffic analysis
Programming experience required
What is OpenWIPS-ng?
openwips-ng.org
Wireless intrusion prevention system
Open source
Signature-based intrusion detection
Composed of 3 parts:
Sensor - dumb devices that capture wireless traffic and send it to the server for analysis. They respond to attacks.
Server - aggregates the data from all sensors, analyzes it and responds to attacks. Also logs.
Interface - GUI that manages the server and displays information about the threats on your wireless networks.
What’s a HIDS?
Host based intrusion detection system
What is ossec?
Open source HIDS Security
O S SEC
Scalable
Supports multiple platforms
Maintained by Trend Micro
It performs log analysis, file integrity checks, Windows registry monitoring, centralized policy enforcement, rootkit detection, real-time alerting, and active response.
The active response is supposed to be really nice.
Windows requires an agent; the other OSes are agentless.
Free.
Has a high admin burden.
Honeypots might be a better solution if you don't have the manpower to deploy and support it.
ossec.conf
/var/ossec/etc/ossec.conf
Configure the server completely here
Manage agents config command
manage_agents
sudo /var/ossec/bin/manage_agents
Add an agent
Can get auth keys here for agents
Network analysis tools for NBA
What’s NBA?
Network behavior analysis
Network security monitoring
NBA Sguil (squeal)
Network security analyzer
Gui
Access to real-time events, session data and raw packet captures
The client is written in Tcl/Tk ("tickle TK")
Xplico.org
X pleeco
Network forensics and analysis tool
Web gui
Supports lots of protocols
It's in many distros, like Kali and Security Onion
NetworkMiner
Network forensic analysis tool for Windows and some Linux distros
Can capture packets without putting any traffic on the network. The captures will reveal hosts, files shared or downloaded, messages, creds, sessions, and DNS requests.
Portswigger.net
Burp
Proxy software
Mitmproxy
Man-in-the-middle proxy. Can install on an OS and find out what it's connecting to.
OWASP Zed Attack Proxy (ZAP)
Burp and ZAP are also good proxies for detection if you want to check out what's happening in your web traffic.
FIMs
File integrity monitoring
Host based
Performs the act of validating files
Checks the stored hash against the calculated checksum
Other ways to check for file integrity as well
Typically automated with alerts on changes
Recommended FIMs:
osquery
OSSEC
Intrusion detection
Can also act as a FIM
Windows files to include in FIM