
Title Lab05 - Securing Linux - answers for 5th lab
Author Nishit Patel
Course IT security
Institution Algonquin College
Pages 4
File Size 201.3 KB
File Type PDF


CST8230

Lab #5

Securing Linux

Section A. Preliminary Information

Section B. Security Updates

Explain how you would configure your server to install security updates automatically.

- Install and configure the “unattended-upgrades” package
  o sudo dpkg-reconfigure --priority=low unattended-upgrades
  o Creates /etc/apt/apt.conf.d/20auto-upgrades
  o Other options are under /etc/apt/apt.conf.d/50unattended-upgrades



- Write a script similar to the above and run it as a cron job
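An added example, not from the lab or from the unattended-upgrades package: a POSIX shell script that writes the two APT::Periodic settings dpkg-reconfigure puts in 20auto-upgrades and then re-checks them, so the check can run from cron and report drift. The conf directory is a parameter (an assumption made here) so the functions can be exercised on a scratch directory; on a real host it is /etc/apt/apt.conf.d.

```shell
#!/bin/sh
# Added example: write and verify the APT::Periodic settings that
# "dpkg-reconfigure unattended-upgrades" places in 20auto-upgrades.
# DIR is a parameter so the functions can be tried on a scratch directory;
# on a real host pass /etc/apt/apt.conf.d (and run as root).

# write_auto_upgrades DIR: create DIR/20auto-upgrades enabling the daily
# package-list refresh and the unattended-upgrade run.
write_auto_upgrades() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
}

# apt_periodic_value DIR KEY: print the effective value of
# APT::Periodic::KEY. apt reads the files in DIR in lexical order and a
# later file overrides an earlier one, so the last match wins (apt's own
# skipping of names like *.dpkg-old is not reproduced here). Prints
# nothing when the key is not set anywhere.
apt_periodic_value() {
    dir="$1"; key="$2"
    cat "$dir"/* 2>/dev/null \
        | sed -n "s/^APT::Periodic::$key[[:space:]]*\"\([^\"]*\)\";.*/\1/p" \
        | tail -n 1
}

# check_auto_upgrades DIR: return 0 when both settings are "1"; otherwise
# print each setting that is wrong (or unset) and return 1. Run from cron,
# the printed lines become the mail that tells an admin updates are off.
check_auto_upgrades() {
    dir="$1"; rc=0
    for key in Update-Package-Lists Unattended-Upgrade; do
        val=$(apt_periodic_value "$dir" "$key")
        if [ "$val" != "1" ]; then
            echo "APT::Periodic::$key is '${val:-unset}', expected '1'"
            rc=1
        fi
    done
    return $rc
}
```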

Section C. Controlling File Permissions and Attributes

How can log files help improve your server security against this problem?

- Use any internal mechanisms designed to notice if this kind of thing is going on
  o By this, I mainly mean system/process log files
    - E.g. check /var/log/wtmp and /var/run/utmp to see who logged in, examine /var/log/auth.log for authentication errors, etc.
  o Using an appropriate log analyzer (e.g. graylog2, logcheck, logwatch, logstash) might help to automate the process, rather than manually viewing each log to try to find them.



- Set logs to appropriate rights (e.g. append mode only) to ensure they don’t get fiddled with
  o Use the chattr command
  o Just don’t set them to immutable, because then NO one can append to them.



- Might use something like Tripwire, AIDE or Osiris to do file integrity checks (e.g. CRC)
  o These kinds of add-on programs can be run periodically (cron jobs) and will mail/log any changes in the integrity check since the last time it was run.



- Use the resource-limits PAM module and edit /etc/pam.d/limits.conf to set file system limits (default is unlimited)
  o You can also set the same limits using /etc/login.defs



- As an add-on, limit access to setuid, setgid, chmod, chown, chattr, umask, etc. (e.g. file rights to root only) and use sudo’s built-in access control with appropriate rights.



I’m quite certain there are other potential solutions. These are a sample of the most common ones I know of and have found over time.
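An added example, not the lab’s own script and not code from Tripwire, AIDE or Osiris: a minimal file-integrity checker in POSIX shell that hashes every file under a directory into a baseline, then reports files added, removed or changed since, which is the job the cron-driven tools in the list above do. It assumes sha256sum (or shasum) is on PATH; the directory and baseline path are parameters.

```shell
#!/bin/sh
# Added example: a small file-integrity baseline/compare in the spirit of
# Tripwire or AIDE. Uses SHA-256 rather than a CRC so that an edit cannot
# be hidden by patching up a weak checksum.
# Assumes sha256sum (coreutils) or shasum is on PATH.

# hash_file PATH: print the SHA-256 hex digest of PATH.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# snapshot ROOT: print "hash path" for every regular file under ROOT,
# in a stable order.
snapshot() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s\n' "$(hash_file "$f")" "$f"
    done
}

# make_baseline ROOT DB: store the current snapshot of ROOT in DB.
# The DB itself must live where the checked tree cannot alter it.
make_baseline() {
    snapshot "$1" > "$2"
}

# compare_baseline ROOT DB: print "ADDED|CHANGED|REMOVED path" for each
# difference between ROOT now and DB, returning 1 if there were any and
# 0 when the tree is unchanged. Suited to a cron job whose output is
# mailed to the admin.
compare_baseline() {
    cur=$(mktemp)
    snapshot "$1" > "$cur"
    diffs=$(awk 'function path(s) { return substr(s, index(s, " ") + 1) }
        FILENAME == ARGV[1] { base[path($0)] = $1; next }
        { p = path($0)
          if (!(p in base)) print "ADDED " p
          else { if (base[p] != $1) print "CHANGED " p; delete base[p] } }
        END { for (p in base) print "REMOVED " p }' "$2" "$cur" | LC_ALL=C sort)
    rm -f "$cur"
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}
```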

V 1.6.4

December 7, 2016

Page 1 of 4


Section D. Kernel Security

Document the current values of the kernel options listed in the table below. List what each of them means, specifically. You may have to do some research to find the answers.

Item                 Value   Meaning
icmp_ratelimit       1000    maximum rate at which the kernel generates ICMP messages
ip_forward           0       means that we can turn off the function for forwarding packets between interfaces, which lets the computer act as a firewall or router
tcp_keepalive_time   7200    how often to send TCP keepalive packets to keep a connection alive if it is currently unused
tcp_synack_retries   5       tells the system how many times to try to establish a passive TCP connection that was started by another host
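An added example, not part of the lab: a POSIX shell check that reads the four options above from the sysctl tree and reports any that differ from a recorded baseline, turning the documented values into something a cron job can re-verify. The tree root is a parameter (an assumption made here) so it can be tried on a constructed directory; on a real host it is /proc/sys. The baseline uses the values recorded in the table, treating ip_forward=0 as correct for a host that is not meant to route.

```shell
#!/bin/sh
# Added example: re-verify the lab's kernel options against a baseline.
# ROOT is a parameter so the check can run on a constructed tree;
# on a real host it is /proc/sys (sysctl -a reads the same files).

# Baseline, one "key value" per line, taken from the values recorded in
# the lab table. ip_forward=0 assumes the host is not meant to route.
BASELINE='net/ipv4/icmp_ratelimit 1000
net/ipv4/ip_forward 0
net/ipv4/tcp_keepalive_time 7200
net/ipv4/tcp_synack_retries 5'

# sysctl_value ROOT KEY: print the current value of ROOT/KEY, or
# "missing" if that file does not exist (e.g. a module not loaded).
sysctl_value() {
    if [ -r "$1/$2" ]; then cat "$1/$2"; else echo missing; fi
}

# check_sysctls ROOT: print one "key: expected X, found Y" line for each
# option that differs from the baseline and return 1; return 0 silently
# when every option matches.
check_sysctls() {
    out=$(printf '%s\n' "$BASELINE" | while read -r key expected; do
        actual=$(sysctl_value "$1" "$key")
        [ "$actual" = "$expected" ] ||
            echo "$key: expected $expected, found $actual"
    done)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Usage on a live host: check_sysctls /proc/sys
# To enforce rather than report, the same keys (with / replaced by .)
# go into a file under /etc/sysctl.d/ and are applied with sysctl -p.
```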

Section E. Password Security

What error message(s) did you receive, if any? Explain.

Depends on who you’re logged in as & what rule(s) you violate:
- root can do it no matter what
- another user won’t be able to do it and will get “minimum password time not expired yet” or “manipulation authentication error” depending on the violation

Examples of error messages include, but are not limited to:
- Authentication token manipulation error
- You have to wait longer to change password
- etc.


Section F. Managing Accounts

What mechanism in the /etc/passwd file is currently used to ensure that the sshd user cannot log into the system? Explain how this mechanism works.

/sbin/nologin or similar in /usr/sbin – a dummy shell that exits immediately after logging in, thus not allowing the user to log in at all. It returns a message that the account is not available, exits and returns exit code 1.

# changes – what was Q6 on the original lab was actually a comment, not a question

What about the mechanism /sbin/false (might be /bin/false)? How is it different?

Unlike nologin, false is a binary that immediately exits and doesn’t display a message.

Did it work? Explain why, specifically.

No. By changing the X to something else, the link between the /etc/passwd and /etc/shadow files is broken, and the system can no longer verify identity against the password. It therefore assumes the password hash is in the /etc/passwd file.
N.B.: Once the link between passwd and shadow is broken, it’s hard to re-establish properly without re-creating the account. Users would normally have access to the reboot command, unless administratively removed … but without proper credentials, things get strange.

Did it work? Explain why compared to last time.

Yes. Root doesn’t need to supply a password to become someone else using su; the system assumes it has the right to do so by default.

Did it work? Explain why.

No. In this case, the environment variables were not accurate, nor were any of the user initialization scripts run. We just changed user names, nothing more.

Explain what changed for the normal user when you changed the UID and GID to 0?

Changing UID and GID to “0” effectively turns the account into root.
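An added example, not from the lab: a POSIX shell audit of a passwd file for the three things Section F turns on: which accounts have a real login shell rather than nologin/false, which non-root accounts carry UID or GID 0, and which accounts no longer have the “x” that sends password checks to /etc/shadow. The sample passwd content is constructed for the example; on a real host the functions take /etc/passwd.

```shell
#!/bin/sh
# Added example: audit a passwd file for the Section F conditions.
# FILE is a parameter; on a real host pass /etc/passwd.

# Constructed sample (not copied from any host). "bob" has had the x
# replaced, "carol" has been given UID/GID 0.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:changed:1001:1001:Bob:/home/bob:/bin/bash
carol:x:0:0:Carol:/home/carol:/bin/bash'

# login_capable FILE: accounts whose shell is neither nologin nor false,
# i.e. the ones that can actually get a session.
login_capable() {
    awk -F: '$7 !~ /\/(nologin|false)$/ { print $1 }' "$1"
}

# root_equivalent FILE: accounts other than root with UID 0 or GID 0
# (effectively root, as the last answer above notes).
root_equivalent() {
    awk -F: '$1 != "root" && ($3 == 0 || $4 == 0) { print $1 }' "$1"
}

# unshadowed FILE: accounts whose password field is not "x", so the
# passwd/shadow link is broken and the field itself is taken as the hash.
unshadowed() {
    awk -F: '$2 != "x" { print $1 }' "$1"
}

# audit_passwd FILE: print one tagged line per finding and return 1 if
# there were any, 0 for a clean file.
audit_passwd() {
    findings=$({ root_equivalent "$1" | sed 's/^/ROOT-EQUIVALENT /'
                 unshadowed "$1" | sed 's/^/UNSHADOWED /'; })
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```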


Section G. Security Audit using Lynis

What areas seem to be the most problematic, as per Lynis?

Most common ones are:
- Running NTP daemon or client
- SSL certificate expiration
- Configured nameserver -> minimum of 2 responsive nameservers
- Kernel hardening (all sorts of various issues)
- Debian repository security
- Login shells under users, groups and authentication
- Console TTYs under shells
- Old files in /tmp under file system
- Password protection
- etc.
If done with screenshots, they need to show the warning/problem(s).

Do you believe that all of these warnings are to be mitigated? Explain.

Generally, yes, since the software is designed to find internal security issues. HOWEVER, one might want to check if the changes will be detrimental to the user’s experience and/or abilities. AND one might want to run a VA test after changing the settings, just to make sure, since the settings Lynis is looking for tend to be “internal” settings…

How does Lynis compare to MS-oriented products like MBSA & SCA?

Very similar product/approach, just specialized to a specific O/S (i.e. Windows vs Linux).
