Securing User Environment Flashcards

1
Q

What is the password file in Linux?

A

/etc/passwd is the file where all users are listed, along with their password field and their group assignment.

2
Q

What is the format for each line in the passwd file?

A
3
Q

What category of files will you find in /etc?

A

All config files for the system and for programs; all of them are customizable.

4
Q

How does the /etc/group File work?

A
5
Q

What is the /etc/shadow File?

A
6
Q

What is /etc/login.defs?

A

This is called the login.default file.

7
Q

Commands to create user accounts and set account passwords

A
8
Q

How does the chage command work?

A

It looks like CHANGE, and chage does show how long ago a password was changed.

But it's really CH-AGE: change age.

It also sets password aging policy: the min/max number of days before a password can or must be changed, the number of days' warning before the password expires, and the number of days after expiry before the account is made inactive (disabled).

9
Q

Examples of how to use the chage command (finding the user ID, etc.).

A

The chage example in the image is missing the actual username, which should be given at the end of the command.

10
Q

Setting password policy.

what are the 3 main files where you can set password policy?

A
11
Q

How would you change the number of previous passwords it compares against? In other words, you can't reuse any of the previous 5 passwords, for example…

A
12
Q

How would you require a password length?

A
13
Q

How would you set the minimum number of required character classes for use in the password?

A
14
Q

How does the useradd document work and where is it located?

A
15
Q

How do you lock or disable user accounts manually?

A
16
Q

How do you lock a user account after 3 failed attempts?

A
17
Q

What happens after a user's account is locked after x failed attempts and they then use the CORRECT password?

A

It will fail just as it did for the first x attempts BEFORE you used the right one. This is because the account is locked and no password will open it.

18
Q
A
19
Q

Deployed in conjunction with Snort, what is the Bro IDS (bro.org)?

A

Anomaly detection
Network analysis framework
IDS - intrusion detection system
Domain specific language
Traffic analysis
Programming experience required

20
Q

What is Openwips-ng?
openwips-ng.org

A

Wireless intrusion prevention system
Open source
Signature-based intrusion detection
Composed of 3 parts:
Sensors - dumb devices that capture wireless traffic and send it to the server for analysis; they also respond to attacks.

Server - aggregates the data from all sensors, analyzes it, and responds to attacks; it also logs.

Interface - a GUI that manages the server and displays information about the threats on your wireless networks.

21
Q

What’s a HIDS?

A

Host-based intrusion detection system

22
Q

What is ossec?

A

Open Source HIDS SECurity
O S SEC

Scalable
Supports multiple platforms
Maintained by Trend Micro
It performs log analysis, file integrity checks, Windows registry monitoring, centralized policy enforcement, rootkit detection, real-time alerting, and active response.
The active response is supposed to be really nice.
Windows requires an agent; the other OSes are agentless.

Free.
Has a high admin burden.

Honeypots might be a better solution if you don't have the manpower to deploy and support it.

23
Q

ossec.conf

A

/var/ossec/etc/ossec.conf
The server is configured completely here.

24
Q

Manage agents config command
manage_agents

A

sudo /var/ossec/bin/manage_agents
Adds an agent.
You can also get the auth keys for agents here.

25
Q

Network analysis tools for NBA
What’s NBA?

A

Network behavior analysis
Network security monitoring

26
Q

NBA Sguil (squeal)

A

Network security analyzer
GUI
Access to real-time events, session data and raw packet captures
The client is written in Tcl/Tk ("tickle TK")

27
Q

Xplico.org

A

X pleeco
Network forensics and analysis tool
Web GUI
Supports lots of protocols
It's in many distros, like Kali and Security Onion

28
Q

NetworkMiner

A

Network forensic analysis tool for Windows and some Linux distros
Can capture packets without putting any traffic on the network. The captures will reveal hosts, files shared or downloaded, messages, credentials, sessions and DNS requests.

29
Q

Portswigger.net
Burp

A

Proxy software

30
Q

Mitmproxy

A

Man-in-the-middle proxy. Can be installed on an OS to find out what it's connecting to.

31
Q

OWASP Zed Attack Proxy (ZAP)

A

Burp and ZAP are also good proxies for detection if you want to check what's happening in your web traffic.

32
Q

FIMs

A

File integrity monitoring
Host-based
Performs the act of validating files
Checks the stored hash against the calculated checksum
There are other ways to check file integrity as well
Typically automated, with alerts on changes

33
Q

Recommended FIMs:
osquery
OSSEC

A

Intrusion detection
Can also act as a FIM

34
Q

Windows files to include in FIM

A