OS Hardening
Justin Whitehead
Francisco Robles

OS Hardening
• Installing kernel/software patches and configuring a system in order to prevent attackers from exploiting and attacking your system.

Motivations
• Why?
  Add security features not present in default installs
    – Vendors leave default installs open for more customizability
    – Kernel and system-level patches work for known and unknown bugs
  Bugs/exploits in software

How
• Patches
  Apply security patches to the Linux kernel
  Apply bug patches to software
• Security tools
  Extra system logs and auditing
• System rules and policies
  Restrict user privileges
  Disable unnecessary processes

The Best in Hardening…
• GRsecurity
  Kernel patch
  Features
    – Non-executable stack
    – Change root (chroot) hardening
    – /tmp race prevention
    – Extensive auditing
    – Additional randomness in the TCP/IP stack
    – /proc restrictions

Hardening Utilities
• Bastille Linux www.bastille-linux.org
  Automated security program, security wizard
    – SUID restrictions
    – SecureInetd
    – DoS attack detection and prevention
    – Automated firewall scripting
    – User privileges
    – Education

Common Issues and Exploits
• Stack-based attacks
• /proc
• /tmp
• SUID
• TCP sequence numbers

/proc
• /proc is a pseudo file system used by kernel-level modules to send information to, and retrieve information from, processes.
• Some files are writable, but /proc is primarily read-only; even so, it lets users gather information on specific processes.

/proc Solutions
• grsecurity
  /proc rights restrictions that don't leak information about process owners
  Option to hide kernel processes
  /proc file descriptor/memory protection

/tmp Exploits
• The /tmp directory is used by many programs to create and access files.
• No permissions are needed to create files there.
• Programs using /tmp must be carefully written in order to avoid exploits.

/tmp Exploits (continued)
• Race condition
  Replacing a file during the time between a program checking for it and opening it.
    – Allows the attacker to manipulate the program with their own data, "winning the race"
  Performing a race attack on a symlink can allow an attacker to create a file somewhere else on the system
    – Attackers can also gain root access

/tmp Solutions
• GRsecurity
  Places restrictions on hardlinks/symlinks
• Bastille
  Each process using /tmp gets its own safe /tmp directory

SUID Exploits
• SUID
  Set-User ID: allows a process to be executed with the permissions of the file's owner, not of the user running it
  Example: passwd
• SUID programs can be exploited to gain root access
  Bad inputs
  Buffer overflows

SUID Solutions
• Bastille
  Disables many SUID programs it believes users should not run anyway
    – mount, umount?
    – Up to the admin

TCP/IP Stack Randomization
• Initial sequence numbers can be guessed or discovered by attackers
  Allows session hijacking
  IP spoofing
• Security patches attempt to add more randomization to initial sequence numbers
  grsecurity

What You Will Be Doing
• Base RH 8.0 install
  Run a series of exploits and collect TCP traffic data
• Apply patch to kernel, recompile kernel
• Configure system with Bastille Linux

Before and After
• Port scan
• TCP data capture
• Running a stack exploit
• Running /tmp and SUID exploits
• Comparing user privileges
  SUID programs
  Access to gcc
  /proc

Base Install
• RH 8.0
• Telnet, FTP, and other insecure inetd services running
• No firewall
• No RH updates
• Minimum security settings

GR Security Patch
• Apply patch to kernel, rebuild kernel
  Perform stack exploit
  Perform port scan
  Record differences in /proc
  Perform /tmp exploit
  Compare results to base install

Bastille-Linux
• Install and run
  Configure SecureInetd daemon
  Disable problematic daemons and SUID programs
  Configure firewall
  Enable /tmp security
• Repeat previous steps
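The /tmp race described in the "/tmp Exploits" and "/tmp Solutions" slides comes down to a check-then-open window that a symlink can be planted into. The following Python is an added example, not code from the deck or from grsecurity/Bastille: it builds a throwaway sandbox directory (standing in for /tmp and a protected target file), runs the vulnerable check-then-open pattern with the symlink planted in the window, and then runs the hardened open (O_CREAT|O_EXCL|O_NOFOLLOW) against the already-planted symlink. All paths and file contents are constructed for the demo.

```python
import os
import shutil
import stat
import tempfile

PAYLOAD = "attacker-chosen data\n"   # constructed: what the racing party wants written


def make_sandbox():
    """Constructed stand-in for a real system: a shared temp directory and an
    unrelated file (think of a system config file) the program must never touch."""
    root = tempfile.mkdtemp(prefix="tmprace-")
    os.mkdir(os.path.join(root, "tmp"))
    with open(os.path.join(root, "target.txt"), "w") as f:
        f.write("original contents\n")
    return root


def plant_symlink(root):
    """The racing party's move: the predictable temp-file name now points at a
    file they could not write directly."""
    os.symlink(os.path.join(root, "target.txt"),
               os.path.join(root, "tmp", "work.dat"))


def read_target(root):
    with open(os.path.join(root, "target.txt")) as f:
        return f.read()


def vulnerable_write(path, payload, between_check_and_open=lambda: None):
    """Check-then-open: exists() followed by an O_CREAT open that follows
    symlinks. The hook stands in for the window between the two syscalls."""
    if os.path.exists(path):
        return "refused"
    between_check_and_open()
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(payload)
    return "written"


def hardened_write(path, payload):
    """Atomic create: O_EXCL fails if anything already exists at the name (a
    dangling or live symlink included) and O_NOFOLLOW refuses to traverse a
    symlink, so there is no check/use window to win."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except FileExistsError:
        return "refused"
    with os.fdopen(fd, "w") as f:
        f.write(payload)
    return "written"


def demo_vulnerable():
    """Returns (outcome, target contents): the target file ends up clobbered."""
    root = make_sandbox()
    try:
        path = os.path.join(root, "tmp", "work.dat")
        outcome = vulnerable_write(path, PAYLOAD,
                                   between_check_and_open=lambda: plant_symlink(root))
        return outcome, read_target(root)
    finally:
        shutil.rmtree(root)


def demo_hardened():
    """Same symlink, already in place when we open: the hardened open refuses
    and the target file is untouched."""
    root = make_sandbox()
    try:
        path = os.path.join(root, "tmp", "work.dat")
        plant_symlink(root)
        outcome = hardened_write(path, PAYLOAD)
        return outcome, read_target(root)
    finally:
        shutil.rmtree(root)


def library_tempfile_mode():
    """tempfile.mkstemp does the same thing with an unpredictable name
    (O_CREAT|O_EXCL, mode 0600). Returns the created file's permission bits."""
    dirname = tempfile.mkdtemp(prefix="tmprace-")
    try:
        fd, path = tempfile.mkstemp(dir=dirname)
        os.close(fd)
        return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        shutil.rmtree(dirname)


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())
    print("hardened:  ", demo_hardened())
    print("mkstemp mode: %o" % library_tempfile_mode())
```

The kernel-side mitigations the slides mention (grsecurity's symlink restrictions, Bastille's per-process /tmp) reduce exposure for programs that still use the vulnerable pattern; the application-side fix is to never separate the check from the create, which is what O_EXCL or mkstemp gives you.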
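The "SUID Solutions" and "Before and After" slides compare the SUID programs present on the base install with those left after Bastille disables the ones it believes users should not run. The following Python is an added example, not part of the deck or of Bastille: it parses two constructed snapshots in the format produced by `find / -xdev -type f -perm /6000 -printf '%M %u %g %p\n'`, flags SUID-root binaries outside an allowlist and any setuid/setgid file sitting in a scratch or home directory, and diffs the before/after snapshots. The snapshots, the allowlist and the paths /tmp/.helper and /usr/games/hiscore are constructed for the example.

```python
# Constructed snapshots standing in for the output of
#   find / -xdev -type f -perm /6000 -printf '%M %u %g %p\n'
# on the base install and again after Bastille disabled mount/umount.
BEFORE = """\
-rwsr-xr-x root root /usr/bin/passwd
-rwsr-xr-x root root /bin/su
-rwsr-xr-x root root /bin/mount
-rwsr-xr-x root root /bin/umount
-rwsr-xr-x root root /bin/ping
-rwsr-xr-x root root /usr/bin/chage
-rwxr-sr-x root tty /usr/bin/write
-rwsr-xr-x root root /tmp/.helper
-rwsr-xr-x games games /usr/games/hiscore
"""

AFTER = """\
-rwsr-xr-x root root /usr/bin/passwd
-rwsr-xr-x root root /bin/su
-rwsr-xr-x root root /bin/ping
-rwsr-xr-x root root /usr/bin/chage
-rwxr-sr-x root tty /usr/bin/write
-rwsr-xr-x games games /usr/games/hiscore
"""

# Constructed allowlist: SUID-root programs the admin has decided to keep.
ALLOWLIST = {"/usr/bin/passwd", "/bin/su", "/bin/ping", "/usr/bin/chage"}
# Directories where a setuid/setgid file should never appear.
SCRATCH_DIRS = ("/tmp", "/var/tmp", "/dev/shm", "/home")


def parse_snapshot(text):
    """Parse '%M %u %g %p' lines; the symbolic mode string gives us the
    setuid bit at index 3 and the setgid bit at index 6 ('s' or 'S')."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        mode, user, group, path = line.split(None, 3)
        entries.append({
            "mode": mode, "user": user, "group": group, "path": path,
            "suid": mode[3] in "sS", "sgid": mode[6] in "sS",
        })
    return entries


def in_scratch_dir(path):
    return any(path == d or path.startswith(d + "/") for d in SCRATCH_DIRS)


def audit(text, allowlist=ALLOWLIST):
    """Return (path, reason) findings for a snapshot."""
    findings = []
    for e in parse_snapshot(text):
        p = e["path"]
        if (e["suid"] or e["sgid"]) and in_scratch_dir(p):
            findings.append((p, "setuid/setgid file in scratch or home directory"))
        elif e["suid"] and e["user"] == "root" and p not in allowlist:
            findings.append((p, "SUID root, not in allowlist"))
    return findings


def diff_snapshots(before, after):
    """Which privileged files disappeared, appeared, or changed owner/mode
    between the two snapshots."""
    b = {e["path"]: e for e in parse_snapshot(before)}
    a = {e["path"]: e for e in parse_snapshot(after)}
    return {
        "removed": sorted(set(b) - set(a)),
        "added": sorted(set(a) - set(b)),
        "changed": sorted(p for p in set(a) & set(b)
                          if (a[p]["mode"], a[p]["user"]) != (b[p]["mode"], b[p]["user"])),
    }


if __name__ == "__main__":
    for label, snap in (("before", BEFORE), ("after", AFTER)):
        print(label)
        for path, reason in audit(snap):
            print("  %-22s %s" % (path, reason))
    print(diff_snapshots(BEFORE, AFTER))
```

Whether mount and umount belong on the allowlist is exactly the "up to the admin" decision the slide leaves open; the audit makes that decision explicit and repeatable, and the diff shows what Bastille actually changed rather than relying on memory of the base install.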
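The "TCP/IP Stack Randomization" slide says initial sequence numbers can be guessed, and the "Before and After" plan captures TCP traffic on both the base install and the patched kernel. A way to turn those captures into a number is to measure how often the next ISN could have been predicted from the previous ones. The following Python is an added example, not from the deck; the two ISN series are constructed (one with a fixed per-connection increment, one derived from SHA-256 so it behaves like a randomized generator), and in practice the values would come from the sequence field of the server's SYN/ACK for each connection in the capture.

```python
import hashlib

MOD = 1 << 32   # sequence numbers are 32-bit and wrap


def isn_deltas(isns):
    """Successive differences modulo 2^32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def guess_rate(isns, window=1024):
    """Fraction of ISNs an observer could have predicted from the previous two
    (next = last + last delta). A guess counts as a hit if the real value lies
    within +/- window of it, since a guesser would try the whole window."""
    if len(isns) < 3:
        raise ValueError("need at least three observations")
    hits = 0
    for i in range(2, len(isns)):
        predicted = (isns[i - 1] + (isns[i - 1] - isns[i - 2])) % MOD
        distance = (isns[i] - predicted) % MOD
        if min(distance, MOD - distance) <= window:   # wrap-aware distance
            hits += 1
    return hits / (len(isns) - 2)


def summarize(isns):
    deltas = isn_deltas(isns)
    return {
        "samples": len(isns),
        "min_delta": min(deltas),
        "max_delta": max(deltas),
        "guess_rate": guess_rate(isns),
    }


# Constructed: a generator that adds a constant 64000 per connection, started
# near the top of the range so the series wraps past 2^32 partway through.
PREDICTABLE = [(MOD - 150000 + 64000 * i) % MOD for i in range(12)]

# Constructed: 32 values from SHA-256 of a counter, standing in for a
# randomized generator (this is not the kernel's algorithm, just a source of
# values with no usable structure for this demo).
RANDOMIZED = [
    int.from_bytes(hashlib.sha256(b"constructed-isn-%d" % i).digest()[:4], "big")
    for i in range(32)
]


if __name__ == "__main__":
    print("predictable:", summarize(PREDICTABLE))
    print("randomized: ", summarize(RANDOMIZED))
```

A guess rate near 1.0 on the base install and near 0 after the patch is the concrete before/after result the slide's claim predicts; the wrap-aware distance matters because a series that crosses 2^32 would otherwise look unpredictable at exactly one point for no real reason.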