Fcheck File System Security on Linux, Unix

Wednesday, April 15, 2009

Fcheck File System Security on Linux, Unix :-
Download fcheck (see resources) and unpack it. fcheck is a cross-platform Perl script which runs on UNIX and Windows systems (as long as they have Perl installed).

$ mkdir /usr/local/fcheck
$ cp fcheck /usr/local/fcheck
$ cp fcheck.cfg /usr/local/fcheck

Edit /usr/local/fcheck/fcheck.cfg with your favorite editor and change the following values:
Directory, FileTyper, Database, Logger, TimeZone, and Signature.

# Directories that will be monitored
# if there is a trailing / it will be recursive

Directory = /etc/
Directory = /bin/
Directory = /sbin/
Directory = /lib/
Directory = /usr/bin/
Directory = /usr/sbin/
Directory = /usr/lib/
TimeZone = PST8PDT # For Pacific Standard

# Database of file signatures

DataBase = /usr/local/fcheck/sol.dbf

Logger = /usr/bin/logger -t fcheck

# Utility to determine file type

FileTyper = /bin/file

# What to use to create signatures Database of
# file signatures

$Signature = /usr/bin/md5sum

Also edit the fcheck script and change the path of the configuration file to /usr/local/fcheck/fcheck.cfg

Then run fcheck for the first time to create the baseline database.

# Options explained:
# c create the database
# a is for all
# d is to monitor directory creation
# s is to create signatures for all files
# x is for extended permissions monitoring

$ ./fcheck -cadsx

To test that everything has been set up correctly, run the following commands; fcheck should alert you to the difference.

$ touch /etc/FOO
$ ./fcheck -adsx

fcheck should display some information about /etc/FOO. Running rm /etc/FOO afterwards will prevent future messages.
Next, create a short shell script that will be run periodically by cron and check for changes. Open your favorite editor and create /usr/local/bin/fcheck_script.

When using the `cron` utility, look out for _symlink attacks_ :-

#!/bin/bash
# Use mktemp instead of $$ to prevent sym-link attacks
FCHECK_LOG=`mktemp`

# Keep only the findings: drop PROGRESS:, STATUS: and empty lines
# (the pattern must be quoted, otherwise the shell reads "|" as a pipe)
/usr/local/fcheck/fcheck -adsx \
  | grep -Ev '^PROGRESS:|^STATUS:|^$' > "$FCHECK_LOG"

# If there were any changes email the sys-admin
if [ -s "$FCHECK_LOG" ]; then
  /usr/bin/mail -s "fcheck `hostname`" youremail@yourprovider.com < "$FCHECK_LOG"
fi

# Always remove the temporary file, changes or not
/bin/rm -f "$FCHECK_LOG"

The cron utility will be used to run periodic checks of the file-system and will compare it to the baseline database. The following command will edit root’s crontab:

$ crontab -e

# Add this line to run the script every 15 minutes,
# using nice so it gets lower priority when the
# system load is high (crontab lines cannot be continued
# with a backslash, so keep it on one line).
*/15 * * * * nice /usr/local/bin/fcheck_script > /dev/null

Symlink Attacks :-

Side Note: running an IDS package usually involves running a script at a pre-configured time using the cron utility. This opens systems up to symlink attacks. Symlink attacks rely on the attacker knowing that a certain file is going to be created at a certain time with a certain name. A common shell scripting technique that generates some randomness is the use of $$, which is the PID of the running script. However, this is still vulnerable to symlink attacks because most PIDs are below 35K and most file systems can hold 35K files, so the set of possible names is small enough to be prepared in advance. The correct technique is to use mktemp, which creates the file with an unpredictable name.
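The hardened form of the cron wrapper, as an added example that is not the post's script: it does the same job (run fcheck -adsx and mail the findings), but the temporary file comes from mktemp under a restrictive umask, is removed by an EXIT trap on every code path, the grep pattern is quoted, and the scan is wrapped in a function so it can be exercised with substitute output. The fcheck path is the one installed above; the mail address is a placeholder.

```shell
#!/bin/bash
# Hardened fcheck cron wrapper (added example, not the script from the post).
# Assumed: fcheck installed at /usr/local/fcheck/fcheck as described above;
# ADMIN_MAIL is a placeholder address.
FCHECK_CMD=${FCHECK_CMD:-/usr/local/fcheck/fcheck}
ADMIN_MAIL=${ADMIN_MAIL:-youremail@yourprovider.com}
FCHECK_LOG=""

# fcheck_filter: keep findings only, dropping PROGRESS:, STATUS: and empty
# lines. grep exits 1 when nothing is left, which here means "clean", not error.
fcheck_filter() {
    grep -Ev '^PROGRESS:|^STATUS:|^$' || [ $? -eq 1 ]
}

# fcheck_findings LOGFILE: run the scan and write the findings to LOGFILE.
# Returns 0 when there is nothing to report, 1 when LOGFILE is non-empty.
fcheck_findings() {
    "$FCHECK_CMD" -adsx | fcheck_filter > "$1"
    [ ! -s "$1" ]
}

main() {
    umask 077                                              # log readable by its owner only
    FCHECK_LOG=$(mktemp /tmp/fcheck.XXXXXXXXXX) || exit 1  # atomic, unpredictable name
    trap 'rm -f "$FCHECK_LOG"' EXIT                        # removed whether or not mail is sent
    if ! fcheck_findings "$FCHECK_LOG"; then
        /usr/bin/mail -s "fcheck $(hostname)" "$ADMIN_MAIL" < "$FCHECK_LOG"
    fi
}

# Run the scan only when fcheck is actually installed; otherwise the
# functions above are merely defined (handy for sourcing and testing).
if [ -x "$FCHECK_CMD" ]; then
    main
else
    echo "fcheck not found at $FCHECK_CMD" >&2
fi
```

Install it as /usr/local/bin/fcheck_script and keep the same crontab entry; because the name comes from mktemp and the file is created with mode 0600 before anything is written to it, a pre-planted symlink in /tmp cannot redirect the output.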


File System Security on Linux, Unix

File system security on Linux, Unix :-

This post covers file system security on Linux distributions such as Red Hat, Ubuntu and CentOS, and on Unix systems.
The UNIX file system has several standard directories: /, /tmp, /var, /usr and /home. The two that present the weakest links for a variety of attacks are /tmp and /var. The two most common attacks are: “Denial of Service”, by causing the root partition to fill up with logs or other junk (assuming all these directories are mounted on one partition); and running rootkits from the /tmp directory.

One solution to file system Denial of Service attacks is to mount these directories on their own partitions; this prevents the / file system from filling up and closes that avenue of attack.

Rootkits typically write to the /tmp directory and then attempt to run from /tmp. A crafty way to prevent this is to mount /tmp on a separate partition with the noexec, nodev, and nosuid options enabled. This prevents binaries under /tmp from being executed, ignores the set-user-ID bit on any file there, and disallows block or character device nodes under /tmp.

Edit /etc/fstab with your favorite editor, find the line corresponding to /tmp and change it to look like this one (the option list must contain no spaces):
/dev/hda2 /tmp ext3 nodev,nosuid,noexec 0 0
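Editing /etc/fstab only takes effect after a remount, so it is worth verifying what the kernel actually applied. The following is an added example (not from the post) that parses /proc/mounts-format lines and reports which of the required options are missing; it generalizes to any mount point and option list. The sample mount table is constructed so the check runs without touching the real system; drop the third argument to read the live /proc/mounts.

```shell
#!/bin/sh
# Added example (not from the post): verify that a mount point carries the
# required options by parsing /proc/mounts-style lines, whose fields are:
# device mountpoint fstype options dump pass

# check_mount_opts MOUNTPOINT REQUIRED [MOUNTS_FILE]
#   REQUIRED is a comma-separated list such as nodev,nosuid,noexec.
#   Prints the missing options and returns 1 if any are missing,
#   returns 2 if MOUNTPOINT is not a mount at all, 0 if all are present.
check_mount_opts() {
    local mp=$1 required=$2 mounts=${3:-/proc/mounts} line opts want missing=""
    # The last matching line wins: it is the mount currently visible at that path.
    line=$(awk -v mp="$mp" '$2 == mp { found = $0 } END { print found }' "$mounts")
    [ -n "$line" ] || return 2
    opts=$(printf '%s\n' "$line" | awk '{ print $4 }')
    for want in $(printf '%s\n' "$required" | tr ',' ' '); do
        case ",$opts," in
            *",$want,"*) ;;                                # present
            *) missing="${missing:+$missing,}$want" ;;    # absent
        esac
    done
    [ -z "$missing" ] || { printf '%s\n' "$missing"; return 1; }
}

# Constructed sample in /proc/mounts format: /tmp lacks noexec, /var lacks all three.
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/hda1 / ext3 rw,relatime,errors=remount-ro 0 0
/dev/hda2 /tmp ext3 rw,nosuid,nodev,relatime 0 0
/dev/hda3 /var ext3 rw,relatime 0 0
EOF

for mp in /tmp /var /home; do
    rc=0; missing=$(check_mount_opts "$mp" nodev,nosuid,noexec "$SAMPLE_MOUNTS") || rc=$?
    case $rc in
        0) echo "$mp: ok" ;;
        2) echo "$mp: not a separate mount" ;;
        *) echo "$mp: missing $missing" ;;
    esac
done
```

A /home that is "not a separate mount" is not a mistake by itself, but for /tmp and /var it means the separate-partition advice above has not been applied, so the Denial of Service protection is absent as well.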

Wikipedia [6] defines rootkits as a set of software tools frequently used by a third party (usually an intruder) after gaining access to a computer system. This translates to custom versions of ps that won’t list the irc server the attacker installed, or a custom version of ls that doesn’t show certain files. Tools like chkrootkit must be run in combination with IDS systems like fcheck to prevent the successful deployment of rootkits.

chkrootkit is very simple to run, and doesn’t require any installation or configuration.

It’s a good idea to run chkrootkit at regular intervals; the cron script from the fcheck post can serve as a template.

# Use the wget utility to download the latest
# version of chkrootkit

wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar -xzvf chkrootkit.tar.gz
cd chkrootkit-<version>   # whatever version was unpacked
./chkrootkit

The next layer of file system security is maintaining and verifying the integrity of configuration files, which are typically located under /etc. Intrusion Detection Systems (IDS) allow us to create cryptographic identifiers of important configuration files and store them in a database. They are then periodically re-created and verified against those stored in the database. If there is a mismatch, the file has been changed: you know your system integrity has been violated and which aspects of it are affected. Two well-known IDS packages are tripwire and fcheck, which work equally well. However, fcheck has a much simpler configuration and installation process, which is why I favored it for this article.
See the fcheck post above for the installation and cron setup.
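To make the baseline-then-verify mechanism concrete, here is an added example (not fcheck's or tripwire's code) that records sha256sum signatures of a directory tree and later reports changed, new and deleted files, which is the ground covered by fcheck's -a and -d options. The sample directory is constructed inline; paths are assumed to contain no whitespace, since sha256sum output is split on it.

```shell
#!/bin/sh
# Added example (not fcheck's or tripwire's code): a minimal integrity baseline
# using sha256sum. Assumes file paths contain no whitespace.

# snapshot DIR: one "hash  ./path" line per regular file under DIR, sorted.
snapshot() {
    (cd "$1" && find . -type f | LC_ALL=C sort | xargs -r sha256sum)
}

# baseline_create DIR DBFILE: store the current signatures in DBFILE.
baseline_create() {
    snapshot "$1" > "$2"
}

# baseline_verify DIR DBFILE: recompute the signatures and compare with DBFILE.
# Prints "CHANGED path", "NEW path" or "MISSING path" per finding and returns
# 1 if there is any finding, 0 if the tree still matches the baseline.
baseline_verify() {
    local dir=$1 db=$2 cur findings
    cur=$(mktemp)
    snapshot "$dir" > "$cur"
    findings=$(awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }   # first file: the database
        {
            seen[$2] = 1
            if (!($2 in base))        print "NEW " $2
            else if (base[$2] != $1)  print "CHANGED " $2
        }
        END { for (p in base) if (!(p in seen)) print "MISSING " p }
    ' "$db" "$cur")
    rm -f "$cur"
    [ -z "$findings" ] || { printf '%s\n' "$findings"; return 1; }
}

# Demo on a constructed directory: one file edited, one deleted, one added.
DEMO_DIR=$(mktemp -d)
DEMO_DB=$(mktemp)
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$DEMO_DIR/passwd"
printf '127.0.0.1 localhost\n' > "$DEMO_DIR/hosts"
baseline_create "$DEMO_DIR" "$DEMO_DB"
printf '# tampered after the baseline was taken\n' >> "$DEMO_DIR/passwd"
rm "$DEMO_DIR/hosts"
: > "$DEMO_DIR/FOO"
baseline_verify "$DEMO_DIR" "$DEMO_DB" || echo "integrity check failed"
rm -rf "$DEMO_DIR" "$DEMO_DB"
```

The database file is the weak point of any such scheme: if it lives on the monitored host with write access for root, an intruder who already has root can simply regenerate it, so fcheck and tripwire users typically keep a copy of the baseline on read-only or off-host media and compare against that.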



  © Copyright 2009 Linux-HelpLine.Blogspot.com
