File System Security on Linux, Unix
Wednesday, April 15, 2009
File system security on Linux, Unix:
This article covers file system security on Linux distributions such as Red Hat, Ubuntu and CentOS, and on Unix systems.
The UNIX file system has several standard directories: /, /tmp, /var, /usr and /home. The two that present the weakest links for a variety of attacks are /tmp and /var. The two most common attacks are: “Denial of Service”, by causing the root partition to fill up with logs or other junk (assuming all these directories are mounted on one partition); and running rootkits from the /tmp directory.
One solution to file system denial-of-service attacks is to mount these directories on their own partitions; this prevents the / file system from filling up and closes that avenue of attack.
Rootkits typically write to the /tmp directory and then attempt to run from /tmp. A crafty way to prevent this is to mount /tmp on a separate partition with the noexec, nodev, and nosuid options enabled. This prevents binaries from being executed under /tmp, stops any binary there from running set-uid root, and prevents block or character devices from being created under /tmp.
Edit /etc/fstab with your favorite editor, find the line corresponding to /tmp and change it to look like this one (the mount options must be a single comma-separated field with no spaces; /dev/hda2 is only an example device):
/dev/hda2 /tmp ext3 nodev,nosuid,noexec 0 0
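As an added example (not part of the original article), the following POSIX shell function audits the advice above: it reads /proc/mounts-style lines from stdin and checks that a directory is its own mount and carries every required option. The function name check_mount and the sample mount tables are mine; the tables are constructed, not captured from a real host.

```shell
#!/bin/sh
# Audit a mount point: it must be its own mount (not part of /) and must
# carry every option listed in $2 (comma-separated, may be empty).
# Reads /proc/mounts-style lines (device mountpoint fstype options dump pass)
# from stdin. Usage on a live host: check_mount /tmp nodev,nosuid,noexec < /proc/mounts
check_mount() {
    mp=$1
    required=$2
    # Options field of the first line whose mount point matches.
    entry=$(awk -v mp="$mp" '$2 == mp { print $4; exit }')
    if [ -z "$entry" ]; then
        echo "$mp: not a separate mount, shares the / filesystem"
        return 1
    fi
    missing=""
    # Split the required list on commas and look for each in the mount's options.
    for want in $(printf '%s\n' "$required" | tr ',' ' '); do
        case ",$entry," in
            *,"$want",*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "$mp: mounted but missing:$missing"
        return 1
    fi
    echo "$mp: ok ($entry)"
    return 0
}

# Constructed sample mount tables (not from a real host) so the check runs offline.
HARDENED='/dev/hda1 / ext3 rw,relatime 0 0
/dev/hda2 /tmp ext3 rw,nodev,nosuid,noexec 0 0
/dev/hda3 /var ext3 rw 0 0'
WEAK='/dev/hda1 / ext3 rw,relatime 0 0
/dev/hda2 /tmp ext3 rw,nodev 0 0'

printf '%s\n' "$HARDENED" | check_mount /tmp nodev,nosuid,noexec
printf '%s\n' "$HARDENED" | check_mount /var ""
printf '%s\n' "$WEAK" | check_mount /tmp nodev,nosuid,noexec || echo "(fails as expected)"
printf '%s\n' "$WEAK" | check_mount /var "" || echo "(fails as expected)"
```

Run it against /proc/mounts after editing /etc/fstab and remounting to confirm the new options actually took effect.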
Wikipedia [6] defines rootkits as a set of software tools frequently used by a third party (usually an intruder) after gaining access to a computer system. In practice this means custom versions of ps that won't list the IRC server the attacker installed, or a custom version of ls that doesn't show certain files. Tools like chkrootkit must be run in combination with an IDS such as fcheck to prevent the successful deployment of rootkits.
chkrootkit is very simple to run, and doesn’t require any installation or configuration.
It's a good idea to run chkrootkit at regular intervals; see the script below, used by fcheck, for inspiration.
# Use the wget utility to download the latest
# version of chkrootkit
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
# Unpack the tarball
tar -xzvf chkrootkit.tar.gz
# Enter the extracted directory (its name carries the version number)
cd chkrootkit-*/
# Run the checker (as root, so it can inspect system files and processes)
./chkrootkit
The next layer of file system security is maintaining and verifying the integrity of configuration files, which are typically located under /etc. Intrusion Detection Systems (IDS) allow us to create cryptographic identifiers of important configuration files and store them in a database. They are then periodically re-created and verified against those stored in the database. If there is a mismatch, the file has been changed: you know your system integrity has been violated and which parts of it are affected. Two well-known IDS packages are tripwire and fcheck, which work equally well. However, fcheck has a much simpler configuration and installation process, which is why I favored it for this article.
See also: file system security by fcheck