110.1 Perform security administration tasks

Weight: 3
Description: Candidates should know how to review system configuration to ensure host security in accordance with local security policies.
Key Knowledge Areas:
    Audit a system to find files with the suid/sgid bit set
    Set or change user passwords and password aging information
    Being able to use nmap and netstat to discover open ports on a system
    Set up limits on user logins, processes and memory usage
    Determine which users have logged in to the system or are currently logged in
    Basic sudo configuration and usage
Terms and Utilities:
    find
    passwd
    fuser
    lsof
    nmap
    chage
    netstat
    sudo
    /etc/sudoers
    su
    usermod
    ulimit
    who, w, last
In this lesson we take a look at basic security audits. First we revisit several commands we have already learned, this time from a security perspective, and then we introduce some new ones.

find suid/sgid

We have learned about suid/sgid when we talked about managing file permissions and ownership; as a quick review, see the table below:

access mode   on file                                     on directory
SUID          executes with permissions of file owner     nothing
SGID          executes with the permissions of the group  new files get the group membership of the directory
Sticky Bit    nothing                                     only the owner can delete files
There are security concerns with suid/sgid: what happens if a destructive program has the suid/sgid bit set? Why should a dangerous program such as rm have suid permission? To search for all suid/sgid files we use the find command:
sudo find / -perm -u+s
sudo find / -perm -g+s

root@ubuntu:~# find / -perm -u+s
/bin/ping
/bin/fusermount
/bin/ping6
/bin/mount
/bin/su
/bin/ntfs-3g
/bin/umount
find: ‘/run/user/1001/gvfs’: Permission denied
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/chfn
/usr/lib/x86_64-linux-gnu/oxide-qt/chrome-sandbox
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/xorg/Xorg.wrap
/usr/sbin/pppd
...

root@ubuntu:~# find / -perm -g+s
find: ‘/run/user/1001/gvfs’: Permission denied
/run/log/journal
/run/log/journal/b4f9fc6cf1ca4724b56e6e4235c77155
/usr/bin/wall
/usr/bin/crontab
/usr/bin/bsd-write
/usr/bin/chage
/usr/bin/expiry
/usr/bin/ssh-agent
/usr/bin/mlocate
/usr/share/ppd/custom
...
Obviously, going through each of these files and finding out what it does is beyond the scope of this course, but we should keep our eyes open for entries that do not make sense, such as a suid file sitting in a user's home directory. It is recommended to save this list so it can be compared against later runs to detect new changes.
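An added example (not part of the original lesson) that turns the "save this list for later comparison" advice into a script: it snapshots the setuid/setgid files under a tree and diffs two snapshots. The directory tree and file names built by demo_setuid_audit are constructed for the demo; on a real host you would run setuid_snapshot against / as root.

```shell
# setuid_snapshot ROOT OUTFILE: sorted list of every regular file under ROOT
# carrying the setuid (4000) or setgid (2000) bit, written to OUTFILE.
setuid_snapshot() {
    # -xdev stays on one filesystem (skips /proc and network mounts);
    # "Permission denied" noise from unreadable directories is dropped.
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
        sort > "$2"
}

# setuid_diff BASELINE CURRENT: "+ path" for privileged files that appeared
# since the baseline, "- path" for ones that lost the bit or were removed.
# Both files come from setuid_snapshot, so they are already sorted for comm.
setuid_diff() {
    comm -13 "$1" "$2" | sed 's/^/+ /'
    comm -23 "$1" "$2" | sed 's/^/- /'
}

# demo_setuid_audit: runs both steps on a constructed directory tree so the
# example works offline and without root. On a real host the calls would be
#   setuid_snapshot / /var/lib/setuid-baseline.txt        (once, after install)
#   setuid_snapshot / /tmp/setuid-now.txt; setuid_diff ... (at every audit)
demo_setuid_audit() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/bin" "$tmp/home/user1"
    : > "$tmp/bin/ping"; chmod 4755 "$tmp/bin/ping"   # setuid, like the real one
    : > "$tmp/bin/wall"; chmod 2755 "$tmp/bin/wall"   # setgid
    : > "$tmp/bin/cat";  chmod 0755 "$tmp/bin/cat"    # ordinary, must not be listed
    setuid_snapshot "$tmp" "$tmp/baseline.txt"

    # Later: a setuid helper appears in a home directory and wall loses setgid.
    : > "$tmp/home/user1/helper"; chmod 4755 "$tmp/home/user1/helper"
    chmod 0755 "$tmp/bin/wall"
    setuid_snapshot "$tmp" "$tmp/current.txt"

    setuid_diff "$tmp/baseline.txt" "$tmp/current.txt"
    rm -rf "$tmp"
}
```

The demo prints exactly two lines: the new helper with a leading "+" and wall with a leading "-"; an unchanged baseline produces no output at all.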

looking for open ports

It is important to verify which ports are listening on the server's network interfaces. Port numbers fall into three ranges:
    1. 0-1023 – the Well Known Ports, also referred to as System Ports.
    2. 1024-49151 – the Registered Ports, also known as User Ports.
    3. 49152-65535 – the Dynamic Ports, also referred to as the Private Ports.
We need to pay attention to open ports to detect an intrusion. Apart from intrusion detection, for troubleshooting purposes it may be necessary to check whether a port is already in use by a different application on our servers. For example, we may install Apache and Nginx on the same system!
This section shows how to use the netstat, lsof and nmap commands to check the ports in use and see which application is using each port.

netstat

One use of the netstat command line tool is monitoring incoming and outgoing network connections. By default netstat displays a list of open sockets, which is not very useful on its own, so we usually use it along with the -tuna switches:

netstat switch   usage
-t               show TCP ports
-u               show UDP ports
-n               show numerical addresses instead of trying to determine symbolic host, port or user names
-a               show both listening and non-listening sockets (for TCP this means established connections)
root@ubuntu:~# netstat -tuna
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.1.1:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN
tcp 0 0 192.168.52.144:41270 172.217.0.227:80 ESTABLISHED
tcp 0 0 192.168.52.144:43418 72.21.91.29:80 TIME_WAIT
tcp 0 0 192.168.52.144:43416 72.21.91.29:80 TIME_WAIT
tcp 0 0 127.0.0.1:631 127.0.0.1:52720 ESTABLISHED
...
udp 0 0 0.0.0.0:45821 0.0.0.0:*
udp 14400 0 0.0.0.0:51238 0.0.0.0:*
udp 11520 0 127.0.1.1:53 0.0.0.0:*
udp 10880 0 0.0.0.0:68 0.0.0.0:*
udp 0 0 0.0.0.0:631 0.0.0.0:*
udp 24576 0 192.168.52.255:137 0.0.0.0:*
udp 0 0 192.168.52.144:137 0.0.0.0:*
udp 52224 0 0.0.0.0:137 0.0.0.0:*
udp 34560 0 192.168.52.255:138 0.0.0.0:*
udp 0 0 192.168.52.144:138 0.0.0.0:*
udp 7680 0 0.0.0.0:138 0.0.0.0:*
udp 6144 0 0.0.0.0:5353 0.0.0.0:*
...
Before a TCP connection can be opened, there must be a server with a listener. The listener waits for incoming connections on a specific port; this state is shown as LISTEN. If everything worked properly, the connection is marked ESTABLISHED on both endpoints. In these tables 0.0.0.0 means any address, i.e. the socket is bound to every interface and is reachable from the network, while 127.0.0.1 is reachable only from the machine itself.
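An added example (not from the original lesson) that applies the 0.0.0.0 point as a check: the awk filter below reads netstat -tuna output and reports only sockets listening on every interface, so loopback-only services such as MySQL on 127.0.0.1:3306 are left out. The sample input is constructed from the output above, with one tcp6 line added to show the IPv6 wildcard form (:::port).

```shell
# Constructed sample: a few lines of the netstat -tuna output shown above, plus
# one tcp6 line so the IPv6 "any address" form (:::port) is covered too.
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp        0      0 192.168.52.144:41270    172.217.0.227:80        ESTABLISHED
tcp        0      0 192.168.52.144:43418    72.21.91.29:80          TIME_WAIT
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp    11520      0 127.0.1.1:53            0.0.0.0:*
udp        0      0 192.168.52.144:137      0.0.0.0:*
udp     6144      0 0.0.0.0:5353            0.0.0.0:*'

# exposed_listeners: reads netstat -tuna output on stdin and prints
# "<proto> <port>" for every socket bound to the wildcard address
# (0.0.0.0 or ::), i.e. reachable on every interface. TCP sockets count only
# in LISTEN state; UDP has no state column, so every wildcard-bound UDP
# socket is reported. Loopback-only and interface-specific bindings are skipped.
exposed_listeners() {
    awk '
        $1 !~ /^(tcp|udp)/            { next }   # header lines
        $1 ~ /^tcp/ && $6 != "LISTEN" { next }   # ESTABLISHED, TIME_WAIT, ...
        {
            addr = $4
            n = split(addr, part, ":")
            port = part[n]
            # everything before the last ":" is the bound address
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "0.0.0.0" || host == "::")
                print $1, port
        }'
}

# Live use on a host:   netstat -tuna | exposed_listeners
# Offline, on the constructed sample above:
exposed_from_sample() {
    printf '%s\n' "$NETSTAT_SAMPLE" | exposed_listeners
}
```

On the sample this yields tcp 22, tcp 445, tcp6 22, udp 68 and udp 5353; the DNS forwarder on 127.0.1.1, CUPS and MySQL on 127.0.0.1 and the NetBIOS socket bound to one interface address do not appear.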

lsof

lsof, meaning 'LiSt Open Files', is used to find out which files are open by which process. As we know, in Linux everything is a file, so we can even check the files opened by network connections using the lsof command with the -i switch, which lists all network connections:
root@ubuntu:~# lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 791 avahi 12u IPv4 24139 0t0 UDP *:mdns
avahi-dae 791 avahi 13u IPv6 24140 0t0 UDP *:mdns
avahi-dae 791 avahi 14u IPv4 24141 0t0 UDP *:45821
avahi-dae 791 avahi 15u IPv6 24142 0t0 UDP *:57596
mysqld 967 mysql 27u IPv4 27331 0t0 TCP localhost:mysql (LISTEN)
sshd 979 root 3u IPv4 468063 0t0 TCP *:ssh (LISTEN)
sshd 979 root 4u IPv6 468070 0t0 TCP *:ssh (LISTEN)
nmbd 1745 root 16u IPv4 31466 0t0 UDP *:netbios-ns
nmbd 1745 root 17u IPv4 31467 0t0 UDP *:netbios-dgm
nmbd 1745 root 21u IPv4 468314 0t0 UDP 192.168.52.136:netbios-ns
nmbd 1745 root 24u IPv4 468315 0t0 UDP 192.168.52.255:netbios-ns
nmbd 1745 root 25u IPv4 468316 0t0 UDP 192.168.52.136:netbios-dgm
nmbd 1745 root 26u IPv4 468317 0t0 UDP 192.168.52.255:netbios-dgm
smbd 1761 root 34u IPv6 31629 0t0 TCP *:microsoft-ds (LISTEN)
smbd 1761 root 35u IPv6 31630 0t0 TCP *:netbios-ssn (LISTEN)
smbd 1761 root 36u IPv4 31631 0t0 TCP *:microsoft-ds (LISTEN)
smbd 1761 root 37u IPv4 31632 0t0 TCP *:netbios-ssn (LISTEN)
cupsd 3683 root 10u IPv6 41942 0t0 TCP ip6-localhost:ipp (LISTEN)
cupsd 3683 root 11u IPv4 41943 0t0 TCP localhost:ipp (LISTEN)
cups-brow 3685 root 8u IPv4 41958 0t0 UDP *:ipp
gvfsd-smb 14071 user1 13u IPv4 465267 0t0 TCP 192.168.52.144:60122->192.168.52.144:netbios-ssn (ESTABLISHED)
gvfsd-smb 14071 user1 14u IPv4 465449 0t0 TCP 192.168.52.144:60124->192.168.52.144:netbios-ssn (ESTABLISHED)
dnsmasq 14148 nobody 4u IPv4 466564 0t0 UDP ubuntu:domain
dnsmasq 14148 nobody 5u IPv4 466565 0t0 TCP ubuntu:domain (LISTEN)
dnsmasq 14148 nobody 11u IPv4 466600 0t0 UDP *:44999
dhclient 14166 root 6u IPv4 466685 0t0 UDP *:bootpc
This command shows the command name, PID, the user running it, the source and destination addresses, and whether the socket is LISTENING or the connection is ESTABLISHED.

lsof switch        usage
-iTCP or -iUDP     show only TCP or UDP connections
-i 4 or -i 6       show IPv4 and IPv6 files separately
-n                 do not resolve host names via DNS
-P                 do not convert port numbers to port names
If we want to check which process is using a specific port, we can grep the output of any of the above commands or simply use the fuser command.

fuser

The fuser command is a handy utility for finding which process is using a file, a directory or a socket.
The following command creates a TCP listener on port 8080:
root@ubuntu:~# nc -l -p 8080
Since a TCP server is now listening on port 8080, fuser can find the process that owns the server's socket. The -v option puts fuser in verbose mode and the -n option selects tcp as the name space:
root@ubuntu:~# fuser -v -n tcp 8080
USER PID ACCESS COMMAND
8080/tcp: root 15663 F.... nc
By default, the fuser tool will look in both IPv6 and IPv4 sockets, but the default option can be changed with the -4 and -6 options.

nmap

Nmap, the Network Mapper, is an open source and very versatile tool for Linux system and network administrators. Nmap is used for exploring networks, performing security scans, auditing networks and finding open ports on local or remote machines.
Please note that scanning hosts you do not own or administer is illegal in many cases; before any in-depth scanning you need written permission from the owner of the system and the holder of the IP address.
root@ubuntu:~# nmap localhost

Starting Nmap 7.01 ( https://nmap.org ) at 2020-03-18 00:47 +0330
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000025s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
631/tcp open ipp
3306/tcp open mysql

Nmap done: 1 IP address (1 host up) scanned in 1.62 seconds
By default, Nmap scans the most common 1,000 ports for each protocol.
nmap target selection       description
nmap 192.168.10.151         scan a single IP
nmap scanme.nmap.org        scan a host by name
nmap 192.168.10.150-155     scan a range of IPs
nmap 192.168.10.0/24        scan a subnet
nmap -iL myserverlist.txt   scan targets listed in a text file
nmap -6 [IP-V6-HERE]        enable IPv6 scanning
nmap has lots of switches for gaining more information about hosts:

nmap switch   usage
-v            give more detailed (verbose) output
-p <port#>    scan a specific port
-A            aggressive scan: operating system detection together with version detection, script scanning and traceroute
-O            enable operating system detection

examine sudo configuration

su vs sudo

sudo and su are two very important and widely used commands in Linux. It is important for a Linux user to understand both of them, to increase security and to avoid unpleasant surprises. First we will see what each command does, then we will look at the difference between them.
Before beginning: in some distributions, like Ubuntu, no root password is set when you install a fresh OS, so set one first using the sudo passwd root command.

su

The Linux command su is used to switch from one account to another. The user is prompted for the password of the account being switched to.
user1@ubuntu:~$ su payam
Password:
payam@ubuntu:/home/user1$
Users can also use su to switch to the root account. If the user types only su without any argument, root is assumed and the user is prompted for the root password.
payam@ubuntu:/home/user1$ su
Password:
root@ubuntu:/home/user1# pwd
/home/user1
root@ubuntu:/home/user1# exit
exit
What is the difference between su and su -?
The difference is in the environment variables: su - changes the environment, plain su does not. su keeps the environment of the original user even after the switch to root has been made, while su - creates a new environment (as dictated by the ~/.bashrc of the root user), similar to the case when you explicitly log in as root from the login screen.
user1@ubuntu:/home/user1$ su -
Password:
root@ubuntu:~# pwd
/root
Please note that the -, -l and --login switches are all the same.

sudo

Linux protects users' computers from being used for bad purposes in many ways, and sudo is one of the good ones. Whenever a user tries to install, remove or change any piece of software, the user needs root privileges to perform the task. The sudo command is used to grant such privileges to a particular command that a user wants to execute. sudo asks for the user's own password before granting system privileges. For example, a user wants to update the system by running:
payam@ubuntu:~$ apt-get update
Reading package lists... Done
W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory (1: Operation not permitted)
E: Could not open lock file /var/lib/apt/lists/lock - open (13: Permission denied)
E: Unable to lock directory /var/lib/apt/lists/
W: Problem unlinking the file /var/cache/apt/pkgcache.bin - RemoveCaches (13: Permission denied)
W: Problem unlinking the file /var/cache/apt/srcpkgcache.bin - RemoveCaches (13: Permission denied)
This error occurs because the user payam does not have root privileges. Root privileges can be requested by putting sudo at the very beginning of the command, like below:
payam@ubuntu:~$ sudo apt-get update
[sudo] password for payam:
Hit:1 http://ppa.launchpad.net/peek-developers/stable/ubuntu xenial InRelease
Hit:2 http://archive.ubuntu.com/ubuntu xenial InRelease
Get:3 http://archive.ubuntu.com/ubuntu xenial-updates InRelease [109 kB]
Get:4 http://archive.ubuntu.com/ubuntu xenial-backports InRelease [107 kB]
Get:5 http://archive.ubuntu.com/ubuntu xenial-security InRelease [109 kB]
0% [5 InRelease 240 B/109 kB 0%]
...

/etc/sudoers

But how does sudo know who should have root permission, and which commands may be run with root privileges? sudo keeps its configuration in the /etc/sudoers file:
root@ubuntu:~# cat /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
The syntax of a rule in the sudoers file is:
user host=(user:group) commands
The three important lines in the file above:
    root ALL=(ALL:ALL) ALL lets root do everything on any machine as any user and any group.
    %admin ALL=(ALL) ALL lets anybody in the admin group run anything as any user.
    %sudo ALL=(ALL:ALL) ALL gives all users in the sudo group the privilege to run any command.
Note: in CentOS, the wheel group is usually found instead of the sudo group.
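An added example (not from the original lesson) that audits rules of the form user host=(user:group) commands: it lists every user specification and flags the ones whose command list is ALL, i.e. full root on the listed hosts, noting NOPASSWD where present. The deploy and backup rules in the sample are hypothetical; visudo -cf FILE remains the authoritative syntax check, this script only reports what the rules grant.

```shell
# Constructed sudoers content: the distribution defaults shown above plus two
# hypothetical local rules (deploy, backup) of the kind put in /etc/sudoers.d/.
SUDOERS_SAMPLE='# This file MUST be edited with the visudo command as root.
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# User privilege specification
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
backup  ALL=(ALL) NOPASSWD: ALL
#includedir /etc/sudoers.d'

# sudoers_rules: reads sudoers text on stdin and prints one tab-separated
# "user host runas commands" line per user specification, skipping comments,
# blank lines, Defaults, alias definitions and include directives.
sudoers_rules() {
    awk '
        /^[[:space:]]*(#|@|$)/ { next }                 # comments, includes, blanks
        $1 ~ /^(Defaults|User_Alias|Host_Alias|Cmnd_Alias|Runas_Alias)/ { next }
        {
            n = split($2, hr, "=")          # field 2 is host=(runas) or host=cmd
            host = hr[1]
            rest = (n > 1) ? hr[2] : ""
            cmds = ""
            # without an explicit (user:group) list the command runs as root
            if (rest ~ /^\(/) { runas = rest } else { runas = "(root)"; cmds = rest }
            for (i = 3; i <= NF; i++) cmds = cmds (cmds == "" ? "" : " ") $i
            print $1 "\t" host "\t" runas "\t" cmds
        }'
}

# sudoers_unrestricted: from sudoers_rules output, print the users/groups whose
# command list is ALL (full root on the listed hosts), with NOPASSWD noted.
sudoers_unrestricted() {
    sudoers_rules | awk 'BEGIN { FS = "\t" } {
        cmds = $4
        nopass = (cmds ~ /NOPASSWD:/) ? " NOPASSWD" : ""
        gsub(/[A-Z]+:[[:space:]]*/, "", cmds)   # strip NOPASSWD:, SETENV: style tags
        if (cmds == "ALL") print $1 nopass
    }'
}

# Offline, on the constructed sample. A real audit would run something like:
#   cat /etc/sudoers /etc/sudoers.d/* | sudoers_unrestricted
unrestricted_from_sample() {
    printf '%s\n' "$SUDOERS_SAMPLE" | sudoers_unrestricted
}
```

On the sample the unrestricted entries are root, %admin, %sudo and "backup NOPASSWD"; deploy is not listed because its rule is limited to one systemctl invocation.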

The difference between wheel/sudo group and sudo user

In CentOS and Debian, a user belonging to the wheel/sudo group can execute su and directly ascend to root. Meanwhile, a sudo user would have to use sudo su first. Essentially, there is no real difference except for the syntax used to become root, and users belonging to both groups can use the sudo command.
How do we edit the /etc/sudoers file? If you use a plain editor, mess up the syntax and save, sudo will (probably) stop working, and since /etc/sudoers is only modifiable by root, you are stuck! So we use visudo instead. visudo edits the sudoers file in a safe fashion by doing two things:
    visudo checks the file syntax before actually overwriting the sudoers file.
    Additionally, visudo locks the sudoers file against multiple simultaneous edits. This locking is important if you need to ensure nobody else can mess up your carefully considered configuration changes.

Managing system resources

Linux operating systems have the ability to limit the amount of various system resources available to a user process. These limitations include how many files a process can have open, how large of a file the user can create, and how much memory can be used by the different components of the process. ulimit is the command used to accomplish this.

ulimit

The ulimit command provides control over the resources available to the shell and to the processes started by it. Run without any option it reports the file size limit (-f), which is unlimited here:
user1@ubuntu:~$ ulimit
unlimited
To get a detailed report, add the -a flag, which prints all resource limits for the current user.
To set a limit, use the command below:
ulimit -<option letter> <new value>
As an example, let's limit the file size in the current shell:
user1@ubuntu:~$ ulimit -f 0

user1@ubuntu:~$ ulimit -a | grep file
core file size (blocks, -c) 0
file size (blocks, -f) 0
open files (-n) 1024
file locks (-x) unlimited

user1@ubuntu:~$ vim new.txt
Vim: Caught deadly signal XFSZ
Vim: Finished.

File size limit exceeded (core dumped)
For limits to persist across reboots, set them in the configuration file /etc/security/limits.conf, which is also used for system-wide limits:
root@ubuntu:~# cat /etc/security/limits.conf
# /etc/security/limits.conf
#
#Each line describes a limit for a user in the form:
#
#<domain> <type> <item> <value>
#
#Where:
#<domain> can be:
# - a user name
# - a group name, with @group syntax
# - the wildcard *, for default entry
# - the wildcard %, can be also used with %group syntax,
# for maxlogin limit
# - NOTE: group and wildcard limits are not applied to root.
# To apply a limit to the root user, <domain> must be
# the literal username root.
#
#<type> can have the two values:
# - "soft" for enforcing the soft limits
# - "hard" for enforcing hard limits
#
#<item> can be one of the following:
# - core - limits the core file size (KB)
# - data - max data size (KB)
# - fsize - maximum filesize (KB)
# - memlock - max locked-in-memory address space (KB)
# - nofile - max number of open files
# - rss - max resident set size (KB)
# - stack - max stack size (KB)
# - cpu - max CPU time (MIN)
# - nproc - max number of processes
# - as - address space limit (KB)
# - maxlogins - max number of logins for this user
# - maxsyslogins - max number of logins on the system
# - priority - the priority to run user process with
# - locks - max number of file locks the user can hold
# - sigpending - max number of pending signals
# - msgqueue - max memory used by POSIX message queues (bytes)
# - nice - max nice priority allowed to raise to values: [-20, 19]
# - rtprio - max realtime priority
# - chroot - change root to directory (Debian-specific)
#
#<domain> <type> <item> <value>
#

#* soft core 0
#root hard core 100000
#* hard rss 10000
#@student hard nproc 20
#@faculty soft nproc 20
#@faculty hard nproc 50
#ftp hard nproc 0
#ftp - chroot /ftp
#@student - maxlogins 4

# End of file
There are two types of limits: a soft limit is like a warning, while a hard limit is the real maximum. For example, the two @faculty lines above prevent anyone in the faculty group from having more than 50 processes, and a warning is given at 20 processes.
Note: a soft limit cannot be higher than the hard limit.
These limits are applied at login by the pam_limits module of the Pluggable Authentication Modules (PAM) system, which will be discussed in the LPIC-2 book.
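An added example (not from the original lesson) that shows the soft/hard rule from a shell: inside a subshell it lowers the hard open-files limit, sets a soft limit under it, then tries to raise the soft limit past the hard one, which ulimit refuses. The demo value 1024 is an arbitrary choice; it is never raised above the hard limit the shell already has.

```shell
# soft_vs_hard_demo: shows the rule "soft <= hard" from the shell. It runs in
# a subshell (the parentheses) so the caller's own limits are left alone.
# Uses the open-files limit (-n); the same rule holds for -f, -u and the rest.
soft_vs_hard_demo() (
    hard=$(ulimit -H -n)
    # An unprivileged process may only lower its hard limit, never raise it,
    # so pick a demo value that is at or below the current one.
    case $hard in
        unlimited) hard=1024 ;;
        *) if [ "$hard" -gt 1024 ]; then hard=1024; fi ;;
    esac
    # Lower the soft limit first: the kernel rejects a hard limit below the
    # current soft limit, so the order matters.
    ulimit -S -n "$hard" && ulimit -H -n "$hard" ||
        { echo "cannot set demo limits"; exit 1; }
    soft=$((hard / 2))

    # Soft limit below the hard limit: allowed, and the user may raise it
    # again later, up to but not beyond the hard value.
    ulimit -S -n "$soft" && echo "soft=$soft ok"
    ulimit -S -n "$hard" && echo "soft=$hard ok (equal to hard)"
    # Soft limit above the hard limit: refused, even for root.
    ulimit -S -n $((hard * 2)) 2>/dev/null && echo "raised" || echo "refused"
)

# The persistent equivalent lives in /etc/security/limits.conf, as in the
# commented pair above: "@faculty soft nproc 20" and "@faculty hard nproc 50".
```

The function prints three lines and the last one is always "refused"; once the subshell exits, the calling shell's limits are exactly what they were before.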

checking the users in the system

As a system administrator, you may want to know who is on the system at any given point in time, and what they are doing. In this section we review three commands for identifying who is on your Linux system.

w

The w command shows who is logged on and what they are doing: it lists the users currently on the machine and their processes.
root@ubuntu:~# w
01:24:45 up 4:33, 4 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
user1 tty7 :0 15:11 10:13m 40.45s 0.27s /sbin/upstart -
payam pts/19 127.0.0.1 01:11 12:47 0.04s 0.04s -bash
user2 pts/21 127.0.0.1 01:24 13.00s 0.04s 0.04s -bash
root pts/22 192.168.52.133 01:16 3:41 0.03s 0.03s -bash
The output of the w command contains the following:
    1. The header shows, in this order: the current time, how long the system has been running, how many users are currently logged on, and the system load averages for the past 1, 5 and 15 minutes.
    2. The following entries are displayed for each user:
        Name of the user
        User's terminal (tty) number
        Remote machine address
        User's login time
        Idle time
        Time used by all processes attached to the tty (JCPU time)
        Time used by the current process (PCPU time)
        Command currently being executed by the user
w has some options; try w --help to see them.

who

The who command is used to get information about the users currently logged in to the system.
root@ubuntu:~# who
user1 tty7 2020-03-22 15:11 (:0)
payam pts/19 2020-03-23 01:11 (127.0.0.1)
user2 pts/21 2020-03-23 01:24 (127.0.0.1)
root pts/22 2020-03-23 01:16 (192.168.52.133)
If no option is given, the who command displays the following information for each user currently logged in to the system:
    1. Login name of the user
    2. Terminal line number
    3. Login time
    4. Remote host name of the user
who has lots of options; try who --help.
w and who read their information from the /var/run/utmp file, which contains information about the users currently logged on to the system.
So we need another command to get information about users who have logged out, and that is last.

last

The last command in Linux displays the list of all users who have logged in and out.
root@ubuntu:~# last
user2 pts/21 127.0.0.1 Mon Mar 23 01:24 still logged in
root pts/22 192.168.52.133 Mon Mar 23 01:16 still logged in
user2 pts/21 127.0.0.1 Mon Mar 23 01:13 - 01:21 (00:08)
payam pts/19 127.0.0.1 Mon Mar 23 01:11 still logged in

wtmp begins Mon Mar 23 01:11:58 2020
The output of this command contains the following columns:
    1. User name
    2. Tty device number
    3. Login date and time
    4. Logout time
    5. Total session time
The last command uses the /var/log/wtmp file to display the listing of previously logged-in users. This file is like a history of the utmp file, i.e. it keeps the records of all users who logged in and logged out in the past.
/var/log/btmp keeps track of failed login attempts, so try last -f /var/log/btmp to check the latest failed logins.
last also gives us information about the latest system reboots; do not forget to take a look at last --help.