Cayu - Wiki de Sergio Cayuqueo

Herramientas de usuario

Herramientas del sitio

Traza:
notas:seguridad

Diferencias

Muestra las diferencias entre dos versiones de la página.

Enlace a la vista de comparación

Ambos lados, revisión anteriorRevisión previa
Próxima revisión		Revisión previa
notas:seguridad [2012/01/24 13:36] – [Seguridad] cayunotas:seguridad [Fecha desconocida] (actual) – borrado - editor externo (Fecha desconocida) 127.0.0.1
Línea 1: Línea 1:
-====== Seguridad ====== 
- 
-Notas cortas de seguridad e inseguridad informática que me sirvieron en mi trabajo 
- 
-=== Exploits === 
- 
-Exploits útiles cuando vas a un lugar donde no se acuerdan el password de root 
- 
-{{:notas:seguridad:jessica_biel_naked_in_my_bed.c.gz|}} Linux vmsplice Local Root Exploit - Linux 2.6.17 - 2.6.24.1 
- 
-{{:notas:seguridad:2009-linux-sendpage.c.gz|}} Linux Kernel 2.4/2.6 sock_sendpage() Local Root Exploit 
- 
-{{:notas:seguridad:mempodipper.c.gz|}} Escalada de privilegios remota con /proc/pid/mem write - Kernel 2.6.39 a 3.2 
-===== Understanding Bash fork() bomb ~ :(){ :|:& };: ===== 
- 
-**Q.** Can you explain following bash code or bash fork() bomb? 
-:(){ :|:& };: 
- 
-**A.** This is a bash function. It gets called recursively (recursive function). This is most horrible code for any Unix / Linux box. It is often used by sys admin to test user processes limitations (Linux process limits can be configured via /etc/security/limits.conf and PAM). 
- 
-Once a successful fork bomb has been activated in a system it may not be possible to resume normal operation without rebooting, as the only solution to a fork bomb is to destroy all instances of it. 
-[Warning examples may crash your computer] WARNING! These examples may crash your computer if executed. 
-Understanding :(){ :|:& };: fork() bomb code 
- 
-:() - It is a function name. It accepts no arguments at all. Generally, bash function is defined as follows: 
- 
-<code bash> 
-foo(){ 
- arg1=$1 
- echo '' 
- #do_something on $arg argument 
-} 
-</code> 
- 
-fork() bomb is defined as follows: 
- 
-<code bash> 
-:(){ 
- :|:& 
-};: 
-</code> 
-** 
-:|:** - Next it call itself using programming technique called recursion and pipes the output to another call of the function ':'. The worst part is function get called two times to bomb your system. 
- 
-**&** - Puts the function call in the background so child cannot die at all and start eating system resources. 
- 
-**;** - Terminate the function definition 
- 
-**:** - Call (run) the function aka set the fork() bomb. 
- 
-Here is more human readable code: 
- 
-<code bash> 
-bomb() { 
- bomb | bomb & 
-}; bomb 
-</code> 
- 
-Properly configured Linux / UNIX box should not go down when fork() bomb sets off. 
- 
-==== Extra ==== 
- 
-Perl exmaple: 
- 
-<code perl> 
-perl -e "fork while fork" & 
-</code> 
- 
-Python example: 
- 
-<code python> 
-import os 
-  while(1): 
-      os.fork() 
-</code> 
- 
-Windows XP / Vista bat file example: 
- 
-<code> 
-:bomb 
-start %0 
-goto bomb 
-</code> 
- 
-UNIX style for Windows: 
- 
-<code> 
-%0|%0 
-</code> 
- 
-C program example: 
- 
-<code c> 
-#include 
- int main() {   while(1)      fork();  
-</code> 
- 
-Plz note that the fork bomb is a form of denial of service, so don’t run on production or unauthorized system. 
- 
- 
-==== Fuente ==== 
- 
- 
-http://www.cyberciti.biz/faq/understanding-bash-fork-bomb/#comment-37097 
- 
- 
-===== How to: Prevent a fork bomb by limiting user process ===== 
- 
-Limiting user processes is important for running a stable system. To limit user process just add user name or group or all users to **/etc/security/limits.conf** file and impose process limitations. 
- 
- 
-==== Understanding /etc/security/limits.conf file ==== 
- 
- 
-Each line describes a limit for a user in the form: 
-<domain> <type> <item> <value> 
-Where: 
- 
- 
-  * **domain** can be: 
-    * an user name 
-    * a group name, with @group syntax 
-    * the wildcard *, for default entry 
-    * the wildcard %, can be also used with %group syntax, for maxlogin limit 
-  * **type** can have the two values: 
-    * "soft" for enforcing the soft limits 
-    * "hard" for enforcing hard limits 
-  * **item** can be one of the following: 
-    * core - limits the core file size (KB) 
-  * **value** can be one of the following: 
-    * core - limits the core file size (KB) 
-    * data - max data size (KB) 
-    * fsize - maximum filesize (KB) 
-    * memlock - max locked-in-memory address space (KB) 
-    * nofile - max number of open files 
-    * rss - max resident set size (KB) 
-    * stack - max stack size (KB) 
-    * cpu - max CPU time (MIN) 
-    * **nproc - max number of processes** 
-    * as - address space limit 
-    * maxlogins - max number of logins for this user 
-    * maxsyslogins - max number of logins on the system 
-    * priority - the priority to run user process with 
-    * locks - max number of file locks the user can hold 
-    * sigpending - max number of pending signals 
-    * msgqueue - max memory used by POSIX message queues (bytes) 
-    * nice - max nice priority allowed to raise to 
-    * rtprio - max realtime priority 
-    * chroot - change root to directory (Debian-specific) 
- 
-Login as the root and open configuration file: 
- 
-<code> 
-# vi /etc/security/limits.conf 
-</code> 
- 
-Following will prevent a "fork bomb": 
- 
-<code> 
-vivek hard nproc 300 
-@student hard nproc 50 
-@faculty soft nproc 100 
-@pusers hard nproc 200 
-</code> 
- 
-Above will prevent anyone in the student group from having more than 50 processes, faculty and pusers group limit is set to 100 and 200. Vivek can create only 300 process. Please note that KDE and Gnome desktop system can launch many process. 
- 
-Save and close the file. Test your new system by dropping a form bomb: 
- 
-<code> 
-$ :(){ :|:& };: 
-</code> 
- 
-==== Fuente ==== 
- 
-http://www.cyberciti.biz/tips/linux-limiting-user-process.html 
- 
- 
-===== Linux Audit ===== 
- 
-This is one of the key questions many new sys admin ask: 
- 
-How do I audit file events such as read / write etc? How can I use audit to see who changed a file in Linux? 
- 
-The answer is to use 2.6 kernels audit system. Modern Linux kernel (2.6.x) comes with auditd daemon. It's responsible for writing audit records to the disk. During startup, the rules in /etc/audit.rules are read by this daemon. You can open /etc/audit.rules file and make changes such as setup audit file log location and other option. The default file is good enough to get started with auditd. 
- 
-In order to use audit facility you need to use following utilities=> **auditctl** - a command to assist controlling the kernel’s audit system. You can get status, and add or delete rules into kernel audit system. Setting a watch on a file is accomplished using this command: 
- 
-=> **ausearch** - a command that can query the audit daemon logs based for events based on different search criteria. 
- 
-=> **aureport** - a tool that produces summary reports of the audit system logs. 
- 
-Note that following all instructions are tested on CentOS 4.x and Fedora Core and RHEL 4/5 Linux. 
- 
-==== Task: install audit package ==== 
- 
-The audit package contains the user space utilities for storing and searching the audit records generate by the audit subsystem in the Linux 2.6 kernel. CentOS/Red Hat and Fedora core includes audit rpm package. Use yum or up2date command to install package 
- 
-<code> 
-# yum install audit 
-# up2date install audit 
-</code> 
- 
-Auto start auditd service on boot 
- 
-<code> 
-# ntsysv 
-# chkconfig auditd on 
-# /etc/init.d/auditd start 
-</code> 
- 
-==== How do I set a watch on a file for auditing? ==== 
- 
-Let us say you would like to audit a /etc/passwd file. You need to type command as follows:''# auditctl -w /etc/passwd -p war -k password-file'' 
- 
-Where, 
- 
-  * **-w /etc/passwd** : Insert a watch for the file system object at given path i.e. watch file called /etc/passwd 
-  * **-p war** : Set permissions filter for a file system watch. It can be r for read, w for write, x for execute, a for append. 
-  * **-k password-file** : Set a filter key on a /etc/passwd file (watch). The password-file is a filterkey (string of text that can be up to 31 bytes long). It can uniquely identify the audit records produced by the watch. You need to use password-file string or phrase while searching audit logs. 
- 
-In short you are monitoring (read as watching) a /etc/passwd file for anyone (including syscall) that may perform a write, append or read operation on a file. 
- 
-Wait for some time or as a normal user run command as follows:''$ grep 'something' /etc/passwd$ vi /etc/passwd'' 
- 
-Following are more examples: 
- 
-==== File System audit rules ==== 
- 
-Add a watch on "/etc/shadow" with the arbitrary filterkey "shadow-file" that generates records for "reads, writes, executes, and appends" on "shadow" 
-<code> 
-# auditctl -w /etc/shadow -k shadow-file -p rwxa 
-</code> 
- 
-=== syscall audit rule === 
- 
-The next rule suppresses auditing for mount syscall exits''# auditctl -a exit,never -S mount'' 
- 
-=== File system audit rule === 
- 
-Add a watch "tmp" with a NULL filterkey that generates records "executes" on "/tmp" (good for a webserver) 
-<code> 
-# auditctl -w /tmp -p e -k webserver-watch-tmp 
-</code> 
-=== syscall audit rule using pid === 
- 
-To see all syscalls made by a program called sshd (pid - 1005): 
- 
-<code> 
-# auditctl -a entry,always -S all -F pid=1005 
-</code> 
-==== How do I find out who changed or accessed a file /etc/passwd? ==== 
- 
-Use ausearch command as follows: 
- 
-<code> 
-# ausearch -f /etc/passwd 
-# ausearch -f /etc/passwd | less 
-# ausearch -f /etc/passwd -i | less 
-</code> 
- 
-Where 
- 
-  * **-f /etc/passwd** : Only search for this file 
-  * **-i** : Interpret numeric entities into text. For example, uid is converted to account name. 
- 
-Output: 
- 
-<code> 
-type=PATH msg=audit(03/16/2007 14:52:59.985:55) : name=/etc/passwd flags=follow,open inode=23087346 dev=08:02 mode=file,644 ouid=root ogid=root rdev=00:00 
-type=CWD msg=audit(03/16/2007 14:52:59.985:55) :  cwd=/webroot/home/lighttpd 
-type=FS_INODE msg=audit(03/16/2007 14:52:59.985:55) : inode=23087346 inode_uid=root inode_gid=root inode_dev=08:02 inode_rdev=00:00 
-type=FS_WATCH msg=audit(03/16/2007 14:52:59.985:55) : watch_inode=23087346 watch=passwd filterkey=password-file perm=read,write,append perm_mask=read 
-type=SYSCALL msg=audit(03/16/2007 14:52:59.985:55) : arch=x86_64 syscall=open success=yes exit=3 a0=7fbffffcb4 a1=0 a2=2 a3=6171d0 items=1 pid=12551 auid=unknown(4294967295) uid=lighttpd gid=lighttpd euid=lighttpd suid=lighttpd fsuid=lighttpd egid=lighttpd sgid=lighttpd fsgid=lighttpd comm=grep exe=/bin/grep 
-</code> 
- 
-Let us try to understand output 
- 
-  * **audit(03/16/2007 14:52:59.985:55)** : Audit log time 
-  * **uid=lighttpd gid=lighttpd** : User ids in numerical format. By passing **-i** option to command you can convert most of numeric data to human readable format. In our example user is lighttpd used grep command to open a file 
-  * **exe="/bin/grep"** : Command grep used to access /etc/passwd file 
-  * perm_mask=read : File was open for read operation 
- 
-So from log files you can clearly see who read file using grep or made changes to a file using vi/vim text editor. Log provides tons of other information. You need to read man pages and documentation to understand raw log format. 
- 
-==== Other useful examples ==== 
- 
-Search for events with date and time stamps. if the date is omitted, today is assumed. If the time is omitted, now is assumed. Use 24 hour clock time rather than AM or PM to specify time. An example date is 10/24/05. An example of time is 18:00:00. 
- 
-<code> 
-# ausearch -ts today -k password-file 
-# ausearch -ts 3/12/07 -k password-file 
-</code> 
- 
-Search for an event matching the given executable name using -x option. For example find out who has accessed /etc/passwd using rm command: 
- 
-<code> 
-# ausearch -ts today -k password-file -x rm 
-# ausearch -ts 3/12/07 -k password-file -x rm 
-</code> 
- 
-Search for an event with the given user name (UID). For example find out if user vivek (uid 506) try to open /etc/passwd: 
- 
-<code> 
-# ausearch -ts today -k password-file -x rm -ui 506 
-# ausearch -k password-file -ui 506 
-</code> 
- 
- 
- 
- 
-Fuente : http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html 
- 
-=== Otros ejemplos === 
- 
-<code> 
-auditctl -w /etc/fstab -p war -k someconfig-exclude -F auid!=0 
-</code> 
- 
-To see all syscalls made by a specific program: 
-<code> 
-auditctl -a entry,always -S all -F pid=1005 
-</code> 
-To see files opened by a specific user: 
-<code> 
-auditctl -a exit,always -S open -F auid=510 
-</code> 
-To see unsuccessful open call's: 
-<code> 
-auditctl -a exit,always -S open -F success=0 
-</code> 
-To watch a file for changes (2 ways to express): 
-<code> 
-auditctl -w /etc/shadow -p wa 
-auditctl -a exit,always -F path=/etc/shadow -F perm=wa 
-</code> 
-To recursively watch a directory for changes (2 ways to express): 
-<code> 
-auditctl -w /etc/ -p wa 
-auditctl -a exit,always -F dir=/etc/ -F perm=wa 
-</code> 
- 
-=== Script parser de audit.log === 
- 
-Script para parsear el contenido del audit.log y ver el timestamp en formato humano 
- 
-<file perl auditsearch.pl> 
-#!/usr/bin/perl 
-use strict; 
- 
-# what do I want to look for in the audit log. 
-my $pattern = $ARGV[0]; 
- 
-# Define the audit directory if the user doesn't provide one. 
-my $dir = '/var/log/audit'; 
-$dir = $ARGV[1] if scalar(@ARGV) == 2; 
- 
-# Strip any trailing slash 
-$dir =~ s/\/$//g; 
- 
-# walk through the directory and save the list of files as an array. 
-# find is nice because it gives you full path + executable 
-my @files = `sudo find $dir`; 
-# strip new lines from the array. 
-chomp(@files); 
- 
-# loop through each element in the array and do something. 
-for my $file (@files) 
-{ 
-  # declare the empty array before use 
-  my @arr; 
- 
-  # determine if we use zgrep or grep 
-  # zgrep is needed for gz and grep is for regular files 
-  if ( $file =~ /gz$/ ) 
-  {  
-    @arr = `sudo zgrep $pattern $file`; 
-  } 
-  else 
-  { 
-    @arr = `sudo grep $pattern $file`; 
-  } 
- 
-  # print the filename only if we found something in the file 
-  print "\nFile: $file\n" if ( scalar(@arr) > 0 ); 
-   
-  # for each element in the array translate epoch to human readable 
-  foreach(@arr) 
-  { 
-    chomp; 
-    # do a little regex for easy matching 
-    if ( /(.*msg=audit\()(\d+)(\.\d+:\d+.*)/ ) 
-    { 
-      convert epoch to human readable 
-      my $td = scalar localtime $2; 
-      print "$1$td$3\n"; 
-    } 
-  } 
-} 
-</file> 
- 
-Original : http://www.linuxquestions.org/questions/linux-software-2/how-can-i-read-the-audit-time-stamp-msg%3Daudit-1213186256-105-20663-a-648547/ 
- 
- 
-O ni solución mucho mas simple : 
- 
-<code perl> 
-# cat /var/log/audit/audit.log | perl -pw -e "s/^*\d+\.\d+/localtime $&/e;" 
-</code> 
- 
-Referencias útiles: 
- 
-[[http://www.ibm.com/developerworks/linux/library/l-security-audit.html]] 
- 
-[[http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html]] 
- 
-[[http://www.redhat.com/mailman/listinfo/linux-audit]] 
- 
-[[http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf]] 
- 
-[[http://www.nsa.gov/ia/_files/os/redhat/rhel5-pamphlet-i731.pdf]] 
- 
-[[http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html]] 
- 
-[[http://manpages.ubuntu.com/manpages/gutsy/man8/auditctl.8.html]] 
- 
-[[http://www.puschitz.com/SecuringLinux.shtml]] 
- 
-[[http://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening]] 
- 
-[[http://www.cyberciti.biz/files/linux-kernel/Documentation/networking/ip-sysctl.txt|Linux kernel IP sysctl documentation.]] 
- 
-[[http://www.linuxinsight.com/proc_sys_net_ipv4.html]] 
- 
-[[http://www.novell.com/documentation/sled10/pdfdoc/audit_sp2/audit_sp2.pdf]] 
  
notas/seguridad.1327412204.txt.gz · Última modificación: 2012/01/24 13:36 por cayu