Notas cortas de seguridad e inseguridad informática que me sirvieron en mi trabajo

Exploits útiles cuando vas a un lugar donde no se acuerdan el password de root

jessica_biel_naked_in_my_bed.c.gz Linux vmsplice Local Root Exploit - Linux 2.6.17 - 2.6.24.1

2009-linux-sendpage.c.gz Linux Kernel 2.4/2.6 sock_sendpage() Local Root Exploit

mempodipper.c.gz Escalada de privilegios remota con /proc/pid/mem write - Kernel 2.6.39 a 3.2

Q. Can you explain following bash code or bash fork() bomb? :(){ :|:& };:

A. This is a bash function. It gets called recursively (recursive function). This is most horrible code for any Unix / Linux box. It is often used by sys admin to test user processes limitations (Linux process limits can be configured via /etc/security/limits.conf and PAM).

Once a successful fork bomb has been activated in a system it may not be possible to resume normal operation without rebooting, as the only solution to a fork bomb is to destroy all instances of it. [Warning examples may crash your computer] WARNING! These examples may crash your computer if executed. Understanding :(){ :|:& };: fork() bomb code

:() - It is a function name. It accepts no arguments at all. Generally, bash function is defined as follows:

foo(){
 arg1=$1
 echo ''
 #do_something on $arg argument
}

fork() bomb is defined as follows:

:(){
 :|:&
};:

:|: - Next it call itself using programming technique called recursion and pipes the output to another call of the function ':'. The worst part is function get called two times to bomb your system.

& - Puts the function call in the background so child cannot die at all and start eating system resources.

; - Terminate the function definition

: - Call (run) the function aka set the fork() bomb.

Here is more human readable code:

bomb() {
 bomb | bomb &
}; bomb

Properly configured Linux / UNIX box should not go down when fork() bomb sets off.

Perl exmaple:

perl -e "fork while fork" &

Python example:

import os
  while(1):
      os.fork()

Windows XP / Vista bat file example:

:bomb
start %0
goto bomb

UNIX style for Windows:

%0|%0

C program example:

#include
 int main() {   while(1)      fork();  } 

Plz note that the fork bomb is a form of denial of service, so don’t run on production or unauthorized system.

http://www.cyberciti.biz/faq/understanding-bash-fork-bomb/#comment-37097

Limiting user processes is important for running a stable system. To limit user process just add user name or group or all users to /etc/security/limits.conf file and impose process limitations.

Each line describes a limit for a user in the form: <domain> <type> <item> <value> Where:

• domain can be:
  • an user name
  • a group name, with @group syntax
  • the wildcard *, for default entry
  • the wildcard %, can be also used with %group syntax, for maxlogin limit
• type can have the two values:
  • “soft” for enforcing the soft limits
  • “hard” for enforcing hard limits
• item can be one of the following:
  • core - limits the core file size (KB)
• value can be one of the following:
  • core - limits the core file size (KB)
  • data - max data size (KB)
  • fsize - maximum filesize (KB)
  • memlock - max locked-in-memory address space (KB)
  • nofile - max number of open files
  • rss - max resident set size (KB)
  • stack - max stack size (KB)
  • cpu - max CPU time (MIN)
  • nproc - max number of processes
  • as - address space limit
  • maxlogins - max number of logins for this user
  • maxsyslogins - max number of logins on the system
  • priority - the priority to run user process with
  • locks - max number of file locks the user can hold
  • sigpending - max number of pending signals
  • msgqueue - max memory used by POSIX message queues (bytes)
  • nice - max nice priority allowed to raise to
  • rtprio - max realtime priority
  • chroot - change root to directory (Debian-specific)

Login as the root and open configuration file:

# vi /etc/security/limits.conf

Following will prevent a “fork bomb”:

vivek hard nproc 300
@student hard nproc 50
@faculty soft nproc 100
@pusers hard nproc 200

Above will prevent anyone in the student group from having more than 50 processes, faculty and pusers group limit is set to 100 and 200. Vivek can create only 300 process. Please note that KDE and Gnome desktop system can launch many process.

Save and close the file. Test your new system by dropping a form bomb:

$ :(){ :|:& };:

http://www.cyberciti.biz/tips/linux-limiting-user-process.html

This is one of the key questions many new sys admin ask:

How do I audit file events such as read / write etc? How can I use audit to see who changed a file in Linux?

The answer is to use 2.6 kernels audit system. Modern Linux kernel (2.6.x) comes with auditd daemon. It's responsible for writing audit records to the disk. During startup, the rules in /etc/audit.rules are read by this daemon. You can open /etc/audit.rules file and make changes such as setup audit file log location and other option. The default file is good enough to get started with auditd.

In order to use audit facility you need to use following utilities⇒ auditctl - a command to assist controlling the kernel’s audit system. You can get status, and add or delete rules into kernel audit system. Setting a watch on a file is accomplished using this command:

⇒ ausearch - a command that can query the audit daemon logs based for events based on different search criteria.

⇒ aureport - a tool that produces summary reports of the audit system logs.

Note that following all instructions are tested on CentOS 4.x and Fedora Core and RHEL 4/5 Linux.

The audit package contains the user space utilities for storing and searching the audit records generate by the audit subsystem in the Linux 2.6 kernel. CentOS/Red Hat and Fedora core includes audit rpm package. Use yum or up2date command to install package

# yum install audit
# up2date install audit

Auto start auditd service on boot

# ntsysv
# chkconfig auditd on
# /etc/init.d/auditd start

Let us say you would like to audit a /etc/passwd file. You need to type command as follows:# auditctl -w /etc/passwd -p war -k password-file

Where,

• -w /etc/passwd : Insert a watch for the file system object at given path i.e. watch file called /etc/passwd
• -p war : Set permissions filter for a file system watch. It can be r for read, w for write, x for execute, a for append.
• -k password-file : Set a filter key on a /etc/passwd file (watch). The password-file is a filterkey (string of text that can be up to 31 bytes long). It can uniquely identify the audit records produced by the watch. You need to use password-file string or phrase while searching audit logs.

In short you are monitoring (read as watching) a /etc/passwd file for anyone (including syscall) that may perform a write, append or read operation on a file.

Wait for some time or as a normal user run command as follows:$ grep 'something' /etc/passwd$ vi /etc/passwd

Following are more examples:

Add a watch on “/etc/shadow” with the arbitrary filterkey “shadow-file” that generates records for “reads, writes, executes, and appends” on “shadow”

# auditctl -w /etc/shadow -k shadow-file -p rwxa

The next rule suppresses auditing for mount syscall exits# auditctl -a exit,never -S mount

Add a watch “tmp” with a NULL filterkey that generates records “executes” on “/tmp” (good for a webserver)

# auditctl -w /tmp -p e -k webserver-watch-tmp

To see all syscalls made by a program called sshd (pid - 1005):

# auditctl -a entry,always -S all -F pid=1005

Use ausearch command as follows:

# ausearch -f /etc/passwd
# ausearch -f /etc/passwd | less
# ausearch -f /etc/passwd -i | less

Where

• -f /etc/passwd : Only search for this file
• -i : Interpret numeric entities into text. For example, uid is converted to account name.

Output:

type=PATH msg=audit(03/16/2007 14:52:59.985:55) : name=/etc/passwd flags=follow,open inode=23087346 dev=08:02 mode=file,644 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(03/16/2007 14:52:59.985:55) :  cwd=/webroot/home/lighttpd
type=FS_INODE msg=audit(03/16/2007 14:52:59.985:55) : inode=23087346 inode_uid=root inode_gid=root inode_dev=08:02 inode_rdev=00:00
type=FS_WATCH msg=audit(03/16/2007 14:52:59.985:55) : watch_inode=23087346 watch=passwd filterkey=password-file perm=read,write,append perm_mask=read
type=SYSCALL msg=audit(03/16/2007 14:52:59.985:55) : arch=x86_64 syscall=open success=yes exit=3 a0=7fbffffcb4 a1=0 a2=2 a3=6171d0 items=1 pid=12551 auid=unknown(4294967295) uid=lighttpd gid=lighttpd euid=lighttpd suid=lighttpd fsuid=lighttpd egid=lighttpd sgid=lighttpd fsgid=lighttpd comm=grep exe=/bin/grep

Let us try to understand output

• audit(03/16/2007 14:52:59.985:55) : Audit log time
• uid=lighttpd gid=lighttpd : User ids in numerical format. By passing -i option to command you can convert most of numeric data to human readable format. In our example user is lighttpd used grep command to open a file
• exe=“/bin/grep” : Command grep used to access /etc/passwd file
• perm_mask=read : File was open for read operation

So from log files you can clearly see who read file using grep or made changes to a file using vi/vim text editor. Log provides tons of other information. You need to read man pages and documentation to understand raw log format.

Search for events with date and time stamps. if the date is omitted, today is assumed. If the time is omitted, now is assumed. Use 24 hour clock time rather than AM or PM to specify time. An example date is 10/24/05. An example of time is 18:00:00.

# ausearch -ts today -k password-file
# ausearch -ts 3/12/07 -k password-file

Search for an event matching the given executable name using -x option. For example find out who has accessed /etc/passwd using rm command:

# ausearch -ts today -k password-file -x rm
# ausearch -ts 3/12/07 -k password-file -x rm

Search for an event with the given user name (UID). For example find out if user vivek (uid 506) try to open /etc/passwd:

# ausearch -ts today -k password-file -x rm -ui 506
# ausearch -k password-file -ui 506

Fuente : http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html

auditctl -w /etc/fstab -p war -k someconfig-exclude -F auid!=0

To see all syscalls made by a specific program:

auditctl -a entry,always -S all -F pid=1005

To see files opened by a specific user:

auditctl -a exit,always -S open -F auid=510

To see unsuccessful open call's:

auditctl -a exit,always -S open -F success=0

To watch a file for changes (2 ways to express):

auditctl -w /etc/shadow -p wa
auditctl -a exit,always -F path=/etc/shadow -F perm=wa

To recursively watch a directory for changes (2 ways to express):

auditctl -w /etc/ -p wa
auditctl -a exit,always -F dir=/etc/ -F perm=wa

Script para parsear el contenido del audit.log y ver el timestamp en formato humano

auditsearch.pl

#!/usr/bin/perl
use strict;
 
# what do I want to look for in the audit log.
my $pattern = $ARGV[0];
 
# Define the audit directory if the user doesn't provide one.
my $dir = '/var/log/audit';
$dir = $ARGV[1] if scalar(@ARGV) == 2;
 
# Strip any trailing slash
$dir =~ s/\/$//g;
 
# walk through the directory and save the list of files as an array.
# find is nice because it gives you full path + executable
my @files = `sudo find $dir`;
# strip new lines from the array.
chomp(@files);
 
# loop through each element in the array and do something.
for my $file (@files)
{
  # declare the empty array before use
  my @arr;
 
  # determine if we use zgrep or grep
  # zgrep is needed for gz and grep is for regular files
  if ( $file =~ /gz$/ )
  { 
    @arr = `sudo zgrep $pattern $file`;
  }
  else
  {
    @arr = `sudo grep $pattern $file`;
  }
 
  # print the filename only if we found something in the file
  print "\nFile: $file\n" if ( scalar(@arr) > 0 );
 
  # for each element in the array translate epoch to human readable
  foreach(@arr)
  {
    chomp;
    # do a little regex for easy matching
    if ( /(.*msg=audit\()(\d+)(\.\d+:\d+.*)/ )
    {
      convert epoch to human readable
      my $td = scalar localtime $2;
      print "$1$td$3\n";
    }
  }
}

Original : http://www.linuxquestions.org/questions/linux-software-2/how-can-i-read-the-audit-time-stamp-msg%3Daudit-1213186256-105-20663-a-648547/

O ni solución mucho mas simple :

# cat /var/log/audit/audit.log | perl -pw -e "s/^*\d+\.\d+/localtime $&/e;"

Referencias útiles:

http://www.ibm.com/developerworks/linux/library/l-security-audit.html

http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html

http://www.redhat.com/mailman/listinfo/linux-audit

http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf

http://www.nsa.gov/ia/_files/os/redhat/rhel5-pamphlet-i731.pdf

http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html

http://manpages.ubuntu.com/manpages/gutsy/man8/auditctl.8.html

http://www.puschitz.com/SecuringLinux.shtml

http://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening

Linux kernel IP sysctl documentation.

http://www.linuxinsight.com/proc_sys_net_ipv4.html

http://www.novell.com/documentation/sled10/pdfdoc/audit_sp2/audit_sp2.pdf