- Vulnerability: linux single (GRUB):
During boot, on the GRUB
screen, hit 'e' to edit the boot configuration, then arrow keys to select the 'kernel'
line, then 'e' to edit this line. Append 'single' to the end then 'b' to boot.
We end up with 'root'.
Defense: 'man sulogin' and 'man inittab'. Insert sulogin after
the System initialization line. Your /etc/inittab should look like...
<![CDATA[
...
# System initialization
si::sysinit:/etc/rc.d/rc.sysinit
~~:S:respawn:/sbin/sulogin
...
]]>
- Vulnerability: linux GRUB
Again, during boot, append
<![CDATA[
init=/bin/bash
]]>
to the end of the kernel line and then boot.
Defense: For the RH72 VM do the following...
<![CDATA[
cd /boot/grub
cp grub.conf grub.conf.bak
/sbin/grub-md5-crypt
# put in your password
# grab the hash you see on the screen and modify grub.conf so that it looks like
....
timeout=10
password --md5 ...................................
^^^^^the pasted hash goes here^^^^^
splashimage=....
....
chmod 600 grub.conf
]]>
For details on later versions of Linux (Ubuntu), see password protect the grub bootloader
- Vulnerability: User tries to boot off another device (they pressed F2 during boot)
(CD, USB, etc)
In this case, they can
<![CDATA[
1) Boot from CD/USB/Network
2) mount /dev/hda1 /mnt
3) echo "r00t::0:0:r00t:/:/bin/bash" >> /etc/passwd (etc.)
]]>
Defense: make sure that system boots from HD first, password protect BIOS.
- Vulnerability: User opens up box, removes battery from system
to clear BIOS settings (undoing your password protection above).
Defense: Lock the system. (ok, you are using a VM, so you don't have to do this step).
- Vulnerability: set-uid/set-gid vulnerabilities
Defense: locate all programs that are settuid root, determine
who should be allowed to run these, whether they need root privilege.
For example, you probably do not want the web server to be able to
run many of the set-uid programs.
For this exercise, we just locate all set-uid and set-gid
programs.
<![CDATA[
find / -perm -04000 -uid 0 -print > Set-UID-root-programs
find / -perm -02000 -gid 0 -print > Set-GID-root-programs
]]>
- Vulnerability: World writable files and directories. These are in general a bad thing,
especially for system files. Any user can modify these!
Defense: For this exercise, we just do an audit.
<![CDATA[
find / -perm -002 -type f -ls > world-writable-files
find / -perm -002 -type d -ls > world-writable-directories
]]>
- Vulnerability: All users can run 'cron' jobs on the system. Among other things, this allows
an attacker to install jobs that run intermittently. They do not usually appear in a 'ps'
since they are usually not running.
Defense: find out whats scheduled. See /etc/crontab (/etc/cron.hourly, /etc/cron.daily, /etc/cron/weekly, ...).
What is scheduled to run and by whom?
Defense: Limit who can run cron jobs. See Intro To cron
especially "Controlling Access to cron".
Basically, if /etc/cron.allow is present, then only accounts listed in it
are allowed to run cron jobs. If /etc/cron.allow does not exist, then every
account can use cron, except those listed in /etc/cron.deny.
Remember, it is better to whitelist than to blacklist.
- Vulnerability: Users can run 'at' jobs on the system.
Defense: find out whats scheduled. See /var/spool/at to see if there are any
jobs scheduled. Try to schedule a job and see what happens. Take a look at /var/spool/at after you schedule a job.
<![CDATA[
at now + 1 minute
echo "hello"
]]>
Defense: Similar to 'cron' above. See at manpage
Especially the discussion on at.allow and at.deny. Is the RH72 VM configured to allow anyone
to schedule at jobs?
- Vulnerability: umask is too permissive by default.
Defense: modify umask in /etc/bashrc and /etc/csh.login (how about umask 077?)
- Vulnerability: hacker can cause a core dump and then gdb it to find out how things
work. Find hidden data in memory etc.
Defense: /etc/security/limits.conf, prevent core dumps
<![CDATA[
# prevent core dumps
* hard core 0
]]>
- Vulnerability: Hacker can DOS the system (use up resources)
Defense: /etc/security/limits.conf
<![CDATA[
#limit user processes per user to 150
* soft nproc 100
* hard nproc 150
#limit size of any one file to 100MB
* hard fsize 100000
]]>
- Vulnerability: Weak passwords
Defense: Run john the ripper to determine any weak passwords.
Strengthen them/advise users.
<![CDATA[
cd ~
rm -fr .john
unshadow /etc/passwd /etc/shadow > myPasswords.txt
john myPasswords.txt
]]>
See the John documentation.
Defense: Set password policy (in /etc/login.defs)