DMC ITSY 2400 - Handouts: Optional Labs

This preview shows page 1-2-21-22 out of 22 pages.

Operating System Security Optional Labs
© 2002 ProsoftTraining All Rights Reserved. Version 3.07

Handouts: Optional Labs

Optional Lab 1-1: Understanding the /etc/securetty file

In this lab, you will examine a PAM component, the /etc/securetty file.

1. Boot into Linux as root. Open a Telnet client and attempt to log on to your partner's system as root. This attempt should fail, because the /etc/securetty file disallows it.
2. Make a copy of the /etc/securetty file:
   host# cp /etc/securetty /etc/securetty.orig
3. Now, move the /etc/securetty file to the /root directory:
   host# mv /etc/securetty /root/securetty
4. Make sure that the /etc/securetty file no longer exists.
5. Have your partner log on to your system directly as root. Was he or she successful?
6. Now, move the /root/securetty file back to /etc/securetty.

Optional Lab 1-2: Denying Telnet access using the /etc/nologin file

In this lab, you will use another PAM element, the /etc/nologin file, to deny Telnet access.

1. Use touch to create a file named /etc/nologin.
2. Enter the following text:
   *********************************************
   Access denied. Contact your Security Manager.
   *********************************************
3. Using a non-root account, try to access this system using Telnet.
4. Have your partner try to access your system.
5. With your /etc/nologin file still present, open an FTP session to your partner's server.
6. Notice that the session is successful because the nologin file applies only to Telnet-based logon sessions.
7. When you are finished experimenting, delete the /etc/nologin file.

Optional Lab 2-1: Pruning users and determining system state in Linux

1. Boot into Linux and log on as root.
2. Use the /usr/sbin/useradd program to add the following users:
   • sales
   • marketing1
   • marketing2
3. Use the passwd command to create passwords for each user.
4. Log in as root and change to the /etc/home directory.
5. Notice that home directories have been created for the sales and marketing users.
6. Log out as root and log in as these users.
7. Log out and log back in as root.
8. As root, use the /usr/sbin/userdel command to remove the sales user:
   /usr/sbin/userdel
9. The sales user has been removed. Change to the /home/ directory. You should still see the home directory for the sales user. Still in the /home/ directory, issue the following command:
   rm -fr sales
   Warning: Be extremely careful when using the -fr options with the rm command. These options cause the rm command to delete everything you specify. For example, rm will delete all files, directories and sub-directories.
10. Still as root, use the /usr/sbin/userdel -r command to remove the marketing1 and marketing2 users:
    /usr/sbin/userdel -r marketing1
    /usr/sbin/userdel -r marketing2
11. List the /home/ directory. You will see that these user directories are no longer present.
12. Still as root, add a group:
    /usr/sbin/groupadd ciw
13. Delete this group:
    /usr/sbin/groupdel ciw
14. Now, read your hard drive's configuration:
    cat /etc/fstab
15. Consider saving this information so that you know the system's original state.
16. To discover the open processes on your system, issue the following command:
    ps aux > processes.txt
17. Use the less command to view this file:
    less processes.txt
18. Scroll up and down this file using the up and down arrow keys on your keyboard. When you are finished viewing these processes, press q.
19. Now, have a partner log in to your system and run the top command.
20. While your partner is logged in, issue the following command:
    ps aux > processes2.txt
21. You now have two files that are essentially snapshots of your system's state. The /usr/bin/diff command compares the contents of two files to determine the differences between the two. Issue the following command:
    /usr/bin/diff processes processes2
22. What do these files tell you about how your system state has changed?
23. System modules allow your Linux system to use NICs, sound cards, and other devices. You do not want anyone to install additional modules without your permission. The fact that additional modules have been installed could point to illicit activity. You should create a baseline that allows you to determine what modules are installed. Now, use the /sbin/lsmod command to view the modules currently installed on your system. Now, issue the following command to store this information:
    /sbin/lsmod > modules.info
24. Now you can run lsmod in the future and compare the output to this file.
25. Now, use the lsof command to list all open files on the system:
    /usr/sbin/lsof | less
26. Because Linux treats everything as if it were a file, the lsof command lists open processes, files and even network connections. Scroll down the file by pressing the down arrow key. If you want to scan this list quickly, press the space bar to have the less command scroll down the information a screen at a time.
27. When you are finished, press q.
28. The lsof command is quite versatile. For example, you can list files opened by a specific user. Create an account named lsoftest, give it a password, and have your partner log in to your system using this account. After your partner has logged in, issue the following command:
    lsof -ulsoftest | less
29. You should see a list of all files (including modules, login files, and terminals) that this user has opened, simply because this user has logged in.
30. You can also see the activity associated with an IP address. For example, suppose your system's IP address is 192.168.2.1. To view all activity emanating from 192.168.2.4, you would issue the following command:
    lsof -i@192.168.2.4
    Now, use this command to trace the changes your partner's connection makes to your system's state.
    Note: You can also check for IPv6 addresses:
    lsof -i@[0:1:2:3:4:5:6:7]
31. You can also use lsof to see remote connections to a port on your host. Have your partner connect to your system using Telnet. Start the Telnet
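Steps 21 through 24 compare raw ps aux and lsmod snapshots with diff. The script below is an added example, not part of the Prosoft handout, that compares two snapshots of each kind by their identifying fields (module name; user plus command) so that legitimate changes in PID, CPU time or a module's use count do not hide a newly started process or a newly loaded module. The snapshots, the lsoftest session and the module name sample_mod are all constructed for this example.

```shell
#!/bin/sh
# Added example, not from the Prosoft handout: compare a saved baseline with a
# later snapshot by the fields that identify an entry (module name; user plus
# command), since PID, %CPU, TIME, Size and "Used by" change legitimately and
# make a raw diff noisy. Sample snapshots are constructed, not from a real host.

# Modules named in the second lsmod snapshot but not in the first.
# NR == FNR holds only while awk reads the first file; FNR > 1 skips headers.
added_modules() {
    awk 'FNR > 1 { if (NR == FNR) seen[$1] = 1; else if (!($1 in seen)) print $1 }' "$1" "$2"
}
# Modules that were in the baseline but are gone now (same logic, swapped).
removed_modules() { added_modules "$2" "$1"; }

# "user command ..." pairs present only in the second ps aux snapshot.
new_processes() {
    awk 'FNR > 1 { key = $1; for (i = 11; i <= NF; i++) key = key " " $i
                   if (NR == FNR) seen[key] = 1; else if (!(key in seen)) print key }' "$1" "$2"
}

BASE_MOD=$(mktemp); CUR_MOD=$(mktemp); BASE_PS=$(mktemp); CUR_PS=$(mktemp)
trap 'rm -f "$BASE_MOD" "$CUR_MOD" "$BASE_PS" "$CUR_PS"' EXIT
cat > "$BASE_MOD" <<'EOF'
Module                  Size  Used by
e1000                  98304  0
snd_intel8x0           36864  1
EOF
cat > "$CUR_MOD" <<'EOF'
Module                  Size  Used by
e1000                  98304  0
snd_intel8x0           36864  2
sample_mod             12288  0
EOF
cat > "$BASE_PS" <<'EOF'
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1   1100   480 ?        S    10:01   0:04 init
root       512  0.0  0.2   2200   900 ?        S    10:02   0:00 /usr/sbin/sshd
EOF
cat > "$CUR_PS" <<'EOF'
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1   1100   480 ?        S    10:01   0:05 init
root       512  0.1  0.2   2200   900 ?        S    10:02   0:00 /usr/sbin/sshd
lsoftest   733  0.0  0.3   2400  1100 pts/1    S    10:40   0:00 top
EOF

echo "Added modules:";   added_modules   "$BASE_MOD" "$CUR_MOD"   # sample_mod
echo "Removed modules:"; removed_modules "$BASE_MOD" "$CUR_MOD"   # (none)
echo "New processes:";   new_processes   "$BASE_PS"  "$CUR_PS"    # lsoftest top
```

On a real host, replace the heredocs with the files saved in steps 16, 20 and 23 (for example modules.info as the baseline and a fresh lsmod output as the current snapshot).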

