¡Esta es una revisión vieja del documento!
Tabla de Contenidos
Seguridad
Notas cortas de seguridad e inseguridad informática que me sirvieron en mi trabajo
Exploits
Exploits útiles cuando vas a un lugar donde no se acuerdan el password de root
jessica_biel_naked_in_my_bed.c.gz Linux vmsplice Local Root Exploit - Linux 2.6.17 - 2.6.24.1
2009-linux-sendpage.c.gz Linux Kernel 2.4/2.6 sock_sendpage() Local Root Exploit
mempodipper.c.gz Escalada de privilegios remota con /proc/pid/mem write - Kernel 2.6.39 a 3.2
Understanding Bash fork() bomb ~ :(){ :|:& };:
Q. Can you explain following bash code or bash fork() bomb? :(){ :|:& };:
A. This is a bash function. It gets called recursively (recursive function). This is most horrible code for any Unix / Linux box. It is often used by sys admin to test user processes limitations (Linux process limits can be configured via /etc/security/limits.conf and PAM).
Once a successful fork bomb has been activated in a system it may not be possible to resume normal operation without rebooting, as the only solution to a fork bomb is to destroy all instances of it. [Warning examples may crash your computer] WARNING! These examples may crash your computer if executed. Understanding :(){ :|:& };: fork() bomb code
:() - It is a function name. It accepts no arguments at all. Generally, bash function is defined as follows:
foo(){ arg1=$1 echo '' #do_something on $arg argument }
fork() bomb is defined as follows:
:(){ :|:& };:
:|: - Next it call itself using programming technique called recursion and pipes the output to another call of the function ':'. The worst part is function get called two times to bomb your system.
& - Puts the function call in the background so child cannot die at all and start eating system resources.
; - Terminate the function definition
: - Call (run) the function aka set the fork() bomb.
Here is more human readable code:
bomb() { bomb | bomb & }; bomb
Properly configured Linux / UNIX box should not go down when fork() bomb sets off.
Extra
Perl exmaple:
perl -e "fork while fork" &
Python example:
import os while(1): os.fork()
Windows XP / Vista bat file example:
:bomb start %0 goto bomb
UNIX style for Windows:
%0|%0
C program example:
#include int main() { while(1) fork(); }
Plz note that the fork bomb is a form of denial of service, so don’t run on production or unauthorized system.
Fuente
How to: Prevent a fork bomb by limiting user process
Limiting user processes is important for running a stable system. To limit user process just add user name or group or all users to /etc/security/limits.conf file and impose process limitations.
Understanding /etc/security/limits.conf file
Each line describes a limit for a user in the form: <domain> <type> <item> <value> Where:
- domain can be:
- an user name
- a group name, with @group syntax
- the wildcard *, for default entry
- the wildcard %, can be also used with %group syntax, for maxlogin limit
- type can have the two values:
- “soft” for enforcing the soft limits
- “hard” for enforcing hard limits
- item can be one of the following:
- core - limits the core file size (KB)
- value can be one of the following:
- core - limits the core file size (KB)
- data - max data size (KB)
- fsize - maximum filesize (KB)
- memlock - max locked-in-memory address space (KB)
- nofile - max number of open files
- rss - max resident set size (KB)
- stack - max stack size (KB)
- cpu - max CPU time (MIN)
- nproc - max number of processes
- as - address space limit
- maxlogins - max number of logins for this user
- maxsyslogins - max number of logins on the system
- priority - the priority to run user process with
- locks - max number of file locks the user can hold
- sigpending - max number of pending signals
- msgqueue - max memory used by POSIX message queues (bytes)
- nice - max nice priority allowed to raise to
- rtprio - max realtime priority
- chroot - change root to directory (Debian-specific)
Login as the root and open configuration file:
# vi /etc/security/limits.conf
Following will prevent a “fork bomb”:
vivek hard nproc 300 @student hard nproc 50 @faculty soft nproc 100 @pusers hard nproc 200
Above will prevent anyone in the student group from having more than 50 processes, faculty and pusers group limit is set to 100 and 200. Vivek can create only 300 process. Please note that KDE and Gnome desktop system can launch many process.
Save and close the file. Test your new system by dropping a form bomb:
$ :(){ :|:& };:
Fuente
Prevenir fingerprints
Como ayudar a que los fingerprint que realizen nuestros atacantes sean un poco menos exactos, configurar las sysctl de nuestro sistema de la siguiente manera:
net.ipv4.ip_default_ttl = 128 net.ipv4.tcp_timestamps = 0 net.ipv4.tcp_window_scaling = 0 net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.all.send_redirects = 0 net.ipv4.icmp_echo_ignore_all = 1 # Enable IP spoofing protection net.ipv4.conf.all.rp_filter=1 # Disable IP source routing net.ipv4.conf.all.accept_source_route=0 # Ignoring broadcasts request net.ipv4.icmp_echo_ignore_broadcasts=1 net.ipv4.icmp_ignore_bogus_error_responses=1 # Make sure spoofed packets get logged net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1
Conocer que procesos bloquean tal cosa
Uso: fuser [-fMuv] [-a|-s] [-4|-6] [-c|-m|-n ESPACIO] [-k [-i] [-SIGNAL]] NOMBRE... fuser -l fuser -V Muestra que procesos usan los archivos, zócalos o sistemas de archivos indicados. -a,--all muestra también los archivos no usados -i,--interactive pregunta antes de finalizar (ignorado con -k) -k,--kill finaliza los procesos que acceden al archivo NOMBRE -l,--list-signals lista los nombres de señales disponibles -m,--mount muestra todos los procesos que usan el sistema de ficheros o dispositivo de bloques con ese nombre -M,--ismountpoint cumple la petición solo si NOMBRE es un punto de montaje -n,--namespace ESPACIO busca en este nombre de espacio (archivo, udp, o tcp) -s,--silent funcionamiento silencioso -SIGNAL envía esta señal en lugar de SIGKILL -u,--user muestra los ID de usuario -v,--verbose salida detallada -V,--version muestra información de la versión -4,--ipv4 buscar solamente zócalos IPv4 -6,--ipv6 buscar solamente zócalos IPv6 - opciones de reinicio nombres udp/tcp: [local_port][,[rmt_host][,[rmt_port]]]
Ejemplo si queremos ver que proceso nos bloquea el pendrive y no nos deja desmontarlo
$ fuser -m /dev/sdb1 /dev/sdb1: 13542
Que proceso bloquea el archivo /usr/local/nagios/var/nagios.lock
fuser /usr/local/nagios/var/nagios.lock /usr/local/nagios/var/nagios.lock: 3178 13194 13342 13459 13472
Si queremos ver que PID usa el puerto 80 tcp.
fuser 80/tcp 80/tcp: 17233 17652 17870 18252 18779 19234 19484 19547 19621 19679 32454
Referencia útil como ver procesos escondidos: http://www.cyberciti.biz/tips/linux-unix-windows-find-hidden-processes-tcp-udp-ports.html
Linux Audit
This is one of the key questions many new sys admin ask:
How do I audit file events such as read / write etc? How can I use audit to see who changed a file in Linux?
The answer is to use 2.6 kernels audit system. Modern Linux kernel (2.6.x) comes with auditd daemon. It's responsible for writing audit records to the disk. During startup, the rules in /etc/audit.rules are read by this daemon. You can open /etc/audit.rules file and make changes such as setup audit file log location and other option. The default file is good enough to get started with auditd.
In order to use audit facility you need to use following utilities⇒ auditctl - a command to assist controlling the kernel’s audit system. You can get status, and add or delete rules into kernel audit system. Setting a watch on a file is accomplished using this command:
⇒ ausearch - a command that can query the audit daemon logs based for events based on different search criteria.
⇒ aureport - a tool that produces summary reports of the audit system logs.
Note that following all instructions are tested on CentOS 4.x and Fedora Core and RHEL 4/5 Linux.
Task: install audit package
The audit package contains the user space utilities for storing and searching the audit records generate by the audit subsystem in the Linux 2.6 kernel. CentOS/Red Hat and Fedora core includes audit rpm package. Use yum or up2date command to install package
# yum install audit # up2date install audit
Auto start auditd service on boot
# ntsysv # chkconfig auditd on # /etc/init.d/auditd start
How do I set a watch on a file for auditing?
Let us say you would like to audit a /etc/passwd file. You need to type command as follows:# auditctl -w /etc/passwd -p war -k password-file
Where,
- -w /etc/passwd : Insert a watch for the file system object at given path i.e. watch file called /etc/passwd
- -p war : Set permissions filter for a file system watch. It can be r for read, w for write, x for execute, a for append.
- -k password-file : Set a filter key on a /etc/passwd file (watch). The password-file is a filterkey (string of text that can be up to 31 bytes long). It can uniquely identify the audit records produced by the watch. You need to use password-file string or phrase while searching audit logs.
In short you are monitoring (read as watching) a /etc/passwd file for anyone (including syscall) that may perform a write, append or read operation on a file.
Wait for some time or as a normal user run command as follows:$ grep 'something' /etc/passwd$ vi /etc/passwd
Following are more examples:
File System audit rules
Add a watch on “/etc/shadow” with the arbitrary filterkey “shadow-file” that generates records for “reads, writes, executes, and appends” on “shadow”
# auditctl -w /etc/shadow -k shadow-file -p rwxa
syscall audit rule
The next rule suppresses auditing for mount syscall exits# auditctl -a exit,never -S mount
File system audit rule
Add a watch “tmp” with a NULL filterkey that generates records “executes” on “/tmp” (good for a webserver)
# auditctl -w /tmp -p e -k webserver-watch-tmp
syscall audit rule using pid
To see all syscalls made by a program called sshd (pid - 1005):
# auditctl -a entry,always -S all -F pid=1005
How do I find out who changed or accessed a file /etc/passwd?
Use ausearch command as follows:
# ausearch -f /etc/passwd # ausearch -f /etc/passwd | less # ausearch -f /etc/passwd -i | less
Where
- -f /etc/passwd : Only search for this file
- -i : Interpret numeric entities into text. For example, uid is converted to account name.
Output:
type=PATH msg=audit(03/16/2007 14:52:59.985:55) : name=/etc/passwd flags=follow,open inode=23087346 dev=08:02 mode=file,644 ouid=root ogid=root rdev=00:00 type=CWD msg=audit(03/16/2007 14:52:59.985:55) : cwd=/webroot/home/lighttpd type=FS_INODE msg=audit(03/16/2007 14:52:59.985:55) : inode=23087346 inode_uid=root inode_gid=root inode_dev=08:02 inode_rdev=00:00 type=FS_WATCH msg=audit(03/16/2007 14:52:59.985:55) : watch_inode=23087346 watch=passwd filterkey=password-file perm=read,write,append perm_mask=read type=SYSCALL msg=audit(03/16/2007 14:52:59.985:55) : arch=x86_64 syscall=open success=yes exit=3 a0=7fbffffcb4 a1=0 a2=2 a3=6171d0 items=1 pid=12551 auid=unknown(4294967295) uid=lighttpd gid=lighttpd euid=lighttpd suid=lighttpd fsuid=lighttpd egid=lighttpd sgid=lighttpd fsgid=lighttpd comm=grep exe=/bin/grep
Let us try to understand output
- audit(03/16/2007 14:52:59.985:55) : Audit log time
- uid=lighttpd gid=lighttpd : User ids in numerical format. By passing -i option to command you can convert most of numeric data to human readable format. In our example user is lighttpd used grep command to open a file
- exe=“/bin/grep” : Command grep used to access /etc/passwd file
- perm_mask=read : File was open for read operation
So from log files you can clearly see who read file using grep or made changes to a file using vi/vim text editor. Log provides tons of other information. You need to read man pages and documentation to understand raw log format.
Other useful examples
Search for events with date and time stamps. if the date is omitted, today is assumed. If the time is omitted, now is assumed. Use 24 hour clock time rather than AM or PM to specify time. An example date is 10/24/05. An example of time is 18:00:00.
# ausearch -ts today -k password-file # ausearch -ts 3/12/07 -k password-file
Search for an event matching the given executable name using -x option. For example find out who has accessed /etc/passwd using rm command:
# ausearch -ts today -k password-file -x rm # ausearch -ts 3/12/07 -k password-file -x rm
Search for an event with the given user name (UID). For example find out if user vivek (uid 506) try to open /etc/passwd:
# ausearch -ts today -k password-file -x rm -ui 506 # ausearch -k password-file -ui 506
Fuente : http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html
Otros ejemplos
auditctl -w /etc/fstab -p war -k someconfig-exclude -F auid!=0
To see all syscalls made by a specific program:
auditctl -a entry,always -S all -F pid=1005
To see files opened by a specific user:
auditctl -a exit,always -S open -F auid=510
To see unsuccessful open call's:
auditctl -a exit,always -S open -F success=0
To watch a file for changes (2 ways to express):
auditctl -w /etc/shadow -p wa auditctl -a exit,always -F path=/etc/shadow -F perm=wa
To recursively watch a directory for changes (2 ways to express):
auditctl -w /etc/ -p wa auditctl -a exit,always -F dir=/etc/ -F perm=wa
Script parser de audit.log
Script para parsear el contenido del audit.log y ver el timestamp en formato humano
- auditsearch.pl
#!/usr/bin/perl use strict; # what do I want to look for in the audit log. my $pattern = $ARGV[0]; # Define the audit directory if the user doesn't provide one. my $dir = '/var/log/audit'; $dir = $ARGV[1] if scalar(@ARGV) == 2; # Strip any trailing slash $dir =~ s/\/$//g; # walk through the directory and save the list of files as an array. # find is nice because it gives you full path + executable my @files = `sudo find $dir`; # strip new lines from the array. chomp(@files); # loop through each element in the array and do something. for my $file (@files) { # declare the empty array before use my @arr; # determine if we use zgrep or grep # zgrep is needed for gz and grep is for regular files if ( $file =~ /gz$/ ) { @arr = `sudo zgrep $pattern $file`; } else { @arr = `sudo grep $pattern $file`; } # print the filename only if we found something in the file print "\nFile: $file\n" if ( scalar(@arr) > 0 ); # for each element in the array translate epoch to human readable foreach(@arr) { chomp; # do a little regex for easy matching if ( /(.*msg=audit\()(\d+)(\.\d+:\d+.*)/ ) { convert epoch to human readable my $td = scalar localtime $2; print "$1$td$3\n"; } } }
O ni solución mucho mas simple :
# cat /var/log/audit/audit.log | perl -pw -e "s/^*\d+\.\d+/localtime $&/e;"
Referencias útiles:
http://www.ibm.com/developerworks/linux/library/l-security-audit.html
http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html
http://www.redhat.com/mailman/listinfo/linux-audit
http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf
http://www.nsa.gov/ia/_files/os/redhat/rhel5-pamphlet-i731.pdf
http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html
http://manpages.ubuntu.com/manpages/gutsy/man8/auditctl.8.html
http://www.puschitz.com/SecuringLinux.shtml
http://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening
Linux kernel IP sysctl documentation.
http://www.linuxinsight.com/proc_sys_net_ipv4.html
http://www.novell.com/documentation/sled10/pdfdoc/audit_sp2/audit_sp2.pdf