Unix Security

 Security architecture  File system and user accounts  Integrity management  Auditing and intrusion detection

Layers in a computer system hardware operating system (incl networking) application users

Unix security  User access controls  File access controls  System administrator’s control

User access controls  Login in through user name and password.  Password is used to store an encrypted version of 64 bits of zeros.  Note there are two crypt functions on Unix system!!

File access controls  directory based  a file for each user on access objects  access control list based  a list for each user on access objects  access control matrix  capability  a unforgeable token/ticket for access certain objects  procedure-oriented (info. hiding)

Directory based access prog1.crw- cmnd1--x User A’s access directory prog1.cr-- cmnd1rwx User B’s access directory resources (objects) printer1-w- printer1-w-

All users Groups Group User Group All users

Super user and SUID and SGID  Control invocation of privileges are achieved by set {user,group} ID programs.  By setting the permission of those programs, a normal user can effectively run the programs as its owner (group member).  e.g: passwd, login, at, su, etc  Need to monitor the integrity of SUID programs.

File protection  basic  all-none protection  group protection  single permission  password or token  temporary acquired permission  per-object & per user protection  Example  UNIX

Integrity management  Is achieved by  prevention  detecting change

Prevention  By placing controls – such as software, hardware, file system and operating system controls.  By having immutable and append-only files  immutable files are those that cannot be modified once the system is running (suitable for system programs such as login, passwd) and append-only files to which data can be appended, but in which the existing data cannot be changed(suitable for log files)

Detection change  Comparison of files with a (good) backup copy.  the backup copy has to be in a protected mode.  comparison has to be performed byte-by-byte and hence time consuming process (especially for large files – such as database files)  once an authorised change is detected, replace the altered version with the comparison copy, thereby restoring the system to normal.

Detection change  Checklists and metadata  Store only a summary of important characteristics of each file and directory and use this information for comparison. e.g. of summary information – time stamps (last read/modified, file protection modes,link count using ncheck etc) Running this kind of detection change as a crom job may not be a good idea!

Detection change  Checksum and signatures  changes can be made in such a way that the checklists and metadata may not change and hence the previous method may fail. e.g. setting the clock backwards, perform the changes and the set the clock forward  CRC checksums – useful only when there are few bits of change and they are generated by well known polynomials.  generate a signature using a one-way hash function (such as MD5).

Tripwire  In practice one need not generate digital signature on the content of each of the file.  e.g. We need to know if the owner or protection of /etc/passwd file is changed, but we do not care about the size or checksum because we do expect the contents to change while we should be concerned if the contents of /bin/login is altered.  tripwire is a package that allows to configure the files, directories that need to be monitored using MD algorithms. ftp://coast.cs.purdue/edu/pub/COAST/Tripwire

Auditing and Intrusion Detection  After establishing the protection mechanism, you need to monitor the system.  Monitoring is a process of auditing.  Audit trail is carried with the help of log files, however log files itself is vulnerable to security threats (after all they are also files in the system!)

Location of log files  usually in /var/adm  The useful files are: acct or pact – records commands run by every user aculog – records of dial-out modems lastlog – logs each user’s most recent successful login time, and possibly last unsuccessful login too messages – records output to the system’s console and other messages generated from the syslog facility sulog – logs use fo the su command utmp – records each user current login (may be in /etc directory) wtmp – provides a permanent record of each time a user logged in and logged out. Also records system shutdowns and startups vold.log – logs errors encountered with the use of external media, such as tapes, floppy drives, etc. xferlog – logs FTP access

swatch – a log file tool  A perl program to monitor log files.  Available from ftp://sierra.standford.edu/swatch or ftp://coast.cs.purdue.edu/pub/tools/swatch ftp://sierra.standford.edu/swatch ftp://coast.cs.purdue.edu/pub/tools/swatch

Managing log files  Plan to backup log files  Review periodically the log files (may be daily or more often)  Apply filters so that you do not get bored seeing the log messages  Don’t trust logs completely!! – they can be altered or deleted by intruder  Plan to install software which can add security to the operating systems controls (such as tcp wrappers).