Diferencias

Muestra las diferencias entre dos versiones de la página.

--- notas:seguridad [2012/08/24 18:20] – [Seguridad] cayu
+++ notas:seguridad [Fecha desconocida] (actual) – borrado - editor externo (Fecha desconocida) 127.0.0.1
@@ Línea 1: / Línea 1: @@
-====== Seguridad ======
-Notas cortas de seguridad e inseguridad informática que me sirvieron en mi trabajo
-  * [[notas:seguridad:Auditd]]
-  * [[notas:seguridad:Process Accounting (PSACCT)]]
-=== Exploits ===
-Exploits útiles cuando vas a un lugar donde no se acuerdan el password de root
-{{:notas:seguridad:jessica_biel_naked_in_my_bed.c.gz|}} Linux vmsplice Local Root Exploit - Linux 2.6.17 - 2.6.24.1
-{{:notas:seguridad:2009-linux-sendpage.c.gz|}} Linux Kernel 2.4/2.6 sock_sendpage() Local Root Exploit
-{{:notas:seguridad:mempodipper.c.gz|}} Escalada de privilegios remota con /proc/pid/mem write - Kernel 2.6.39 a 3.2
-===== Understanding Bash fork() bomb ~ :(){ :|:& };: =====
-**Q.** Can you explain following bash code or bash fork() bomb?
-:(){ :|:& };:
-**A.** This is a bash function. It gets called recursively (recursive function). This is most horrible code for any Unix / Linux box. It is often used by sys admin to test user processes limitations (Linux process limits can be configured via /etc/security/limits.conf and PAM).
-Once a successful fork bomb has been activated in a system it may not be possible to resume normal operation without rebooting, as the only solution to a fork bomb is to destroy all instances of it.
-[Warning examples may crash your computer] WARNING! These examples may crash your computer if executed.
-Understanding :(){ :|:& };: fork() bomb code
-:() - It is a function name. It accepts no arguments at all. Generally, bash function is defined as follows:
-<code bash>
-foo(){
- arg1=$1
- echo ''
- #do_something on $arg argument
-}
-</code>
-fork() bomb is defined as follows:
-<code bash>
-:(){
- :|:&
-};:
-</code>
-**
-:|:** - Next it call itself using programming technique called recursion and pipes the output to another call of the function ':'. The worst part is function get called two times to bomb your system.
-**&** - Puts the function call in the background so child cannot die at all and start eating system resources.
-**;** - Terminate the function definition
-**:** - Call (run) the function aka set the fork() bomb.
-Here is more human readable code:
-<code bash>
-bomb() {
- bomb | bomb &
-}; bomb
-</code>
-Properly configured Linux / UNIX box should not go down when fork() bomb sets off.
-==== Extra ====
-Perl exmaple:
-<code perl>
-perl -e "fork while fork" &
-</code>
-Python example:
-<code python>
-import os
-  while(1):
-      os.fork()
-</code>
-Windows XP / Vista bat file example:
-<code>
-:bomb
-start %0
-goto bomb
-</code>
-UNIX style for Windows:
-<code>
-%0|%0
-</code>
-C program example:
-<code c>
-#include
- int main() {   while(1)      fork();  }
-</code>
-Plz note that the fork bomb is a form of denial of service, so don’t run on production or unauthorized system.
-==== Fuente ====
-http://www.cyberciti.biz/faq/understanding-bash-fork-bomb/#comment-37097
-===== How to: Prevent a fork bomb by limiting user process =====
-Limiting user processes is important for running a stable system. To limit user process just add user name or group or all users to **/etc/security/limits.conf** file and impose process limitations.
-==== Understanding /etc/security/limits.conf file ====
-Each line describes a limit for a user in the form:
-<domain> <type> <item> <value>
-Where:
-  * **domain** can be:
-    * an user name
-    * a group name, with @group syntax
-    * the wildcard *, for default entry
-    * the wildcard %, can be also used with %group syntax, for maxlogin limit
-  * **type** can have the two values:
-    * "soft" for enforcing the soft limits
-    * "hard" for enforcing hard limits
-  * **item** can be one of the following:
-    * core - limits the core file size (KB)
-  * **value** can be one of the following:
-    * core - limits the core file size (KB)
-    * data - max data size (KB)
-    * fsize - maximum filesize (KB)
-    * memlock - max locked-in-memory address space (KB)
-    * nofile - max number of open files
-    * rss - max resident set size (KB)
-    * stack - max stack size (KB)
-    * cpu - max CPU time (MIN)
-    * **nproc - max number of processes**
-    * as - address space limit
-    * maxlogins - max number of logins for this user
-    * maxsyslogins - max number of logins on the system
-    * priority - the priority to run user process with
-    * locks - max number of file locks the user can hold
-    * sigpending - max number of pending signals
-    * msgqueue - max memory used by POSIX message queues (bytes)
-    * nice - max nice priority allowed to raise to
-    * rtprio - max realtime priority
-    * chroot - change root to directory (Debian-specific)
-Login as the root and open configuration file:
-<code>
-# vi /etc/security/limits.conf
-</code>
-Following will prevent a "fork bomb":
-<code>
-vivek hard nproc 300
-@student hard nproc 50
-@faculty soft nproc 100
-@pusers hard nproc 200
-</code>
-Above will prevent anyone in the student group from having more than 50 processes, faculty and pusers group limit is set to 100 and 200. Vivek can create only 300 process. Please note that KDE and Gnome desktop system can launch many process.
-Save and close the file. Test your new system by dropping a form bomb:
-<code>
-$ :(){ :|:& };:
-</code>
-==== Fuente ====
-http://www.cyberciti.biz/tips/linux-limiting-user-process.html
-===== Prevenir fingerprints =====
-Como ayudar a que los fingerprint que realizen nuestros atacantes sean un poco menos exactos, configurar las sysctl de nuestro sistema de la siguiente manera:
-<code>
-net.ipv4.ip_default_ttl = 128
-net.ipv4.tcp_timestamps = 0
-net.ipv4.tcp_window_scaling = 0
-net.ipv4.conf.all.accept_redirects = 0
-net.ipv4.conf.all.send_redirects = 0
-net.ipv4.icmp_echo_ignore_all = 1
-# Enable IP spoofing protection
-net.ipv4.conf.all.rp_filter=1
-# Disable IP source routing
-net.ipv4.conf.all.accept_source_route=0
-# Ignoring broadcasts request
-net.ipv4.icmp_echo_ignore_broadcasts=1
-net.ipv4.icmp_ignore_bogus_error_responses=1
-# Make sure spoofed packets get logged
-net.ipv4.conf.all.log_martians = 1
-net.ipv4.conf.default.log_martians = 1
-</code>
-===== Conocer que procesos bloquean tal cosa =====
-<code>
-Uso: fuser [-fMuv] [-a|-s] [-4|-6] [-c|-m|-n ESPACIO] [-k [-i] [-SIGNAL]] NOMBRE...
-       fuser -l
-       fuser -V
-Muestra que procesos usan los archivos, zócalos o sistemas de archivos indicados.
-  -a,--all              muestra también los archivos no usados
-  -i,--interactive      pregunta antes de finalizar (ignorado con -k)
-  -k,--kill             finaliza los procesos que acceden al archivo NOMBRE
-  -l,--list-signals     lista los nombres de señales disponibles
-  -m,--mount            muestra todos los procesos que usan el sistema de ficheros o dispositivo de bloques con ese nombre
-  -M,--ismountpoint     cumple la petición solo si NOMBRE es un punto de montaje
-  -n,--namespace ESPACIO  busca en este nombre de espacio (archivo, udp, o tcp)
-  -s,--silent           funcionamiento silencioso
-  -SIGNAL               envía esta señal en lugar de SIGKILL
-  -u,--user             muestra los ID de usuario
-  -v,--verbose          salida detallada
-  -V,--version          muestra información de la versión
-  -4,--ipv4             buscar solamente zócalos IPv4
-  -6,--ipv6             buscar solamente zócalos IPv6
-  -                     opciones de reinicio
-  nombres udp/tcp: [local_port][,[rmt_host][,[rmt_port]]]
-</code>
-Ejemplo si queremos ver que proceso nos bloquea el pendrive y no nos deja desmontarlo
-<code>
-$ fuser -m /dev/sdb1
-/dev/sdb1: 13542
-</code>
-Que proceso bloquea el archivo /usr/local/nagios/var/nagios.lock
-<code>
-fuser /usr/local/nagios/var/nagios.lock
-/usr/local/nagios/var/nagios.lock:  3178 13194 13342 13459 13472
-</code>
-Si queremos ver que PID usa el puerto 80 tcp.
-<code>
-fuser 80/tcp
-/tcp:              17233 17652 17870 18252 18779 19234 19484 19547 19621 19679 32454
-</code>
-Referencia útil como ver procesos escondidos: http://www.cyberciti.biz/tips/linux-unix-windows-find-hidden-processes-tcp-udp-ports.html
-===== Linux Audit =====
-This is one of the key questions many new sys admin ask:
-How do I audit file events such as read / write etc? How can I use audit to see who changed a file in Linux?
-The answer is to use 2.6 kernels audit system. Modern Linux kernel (2.6.x) comes with auditd daemon. It's responsible for writing audit records to the disk. During startup, the rules in /etc/audit.rules are read by this daemon. You can open /etc/audit.rules file and make changes such as setup audit file log location and other option. The default file is good enough to get started with auditd.
-In order to use audit facility you need to use following utilities=> **auditctl** - a command to assist controlling the kernelÃ¢â‚¬â„¢s audit system. You can get status, and add or delete rules into kernel audit system. Setting a watch on a file is accomplished using this command:
-=> **ausearch** - a command that can query the audit daemon logs based for events based on different search criteria.
-=> **aureport** - a tool that produces summary reports of the audit system logs.
-Note that following all instructions are tested on CentOS 4.x and Fedora Core and RHEL 4/5 Linux.
-==== Task: install audit package ====
-The audit package contains the user space utilities for storing and searching the audit records generate by the audit subsystem in the Linux 2.6 kernel. CentOS/Red Hat and Fedora core includes audit rpm package. Use yum or up2date command to install package
-<code>
-# yum install audit
-# up2date install audit
-</code>
-Auto start auditd service on boot
-<code>
-# ntsysv
-# chkconfig auditd on
-# /etc/init.d/auditd start
-</code>
-==== How do I set a watch on a file for auditing? ====
-Let us say you would like to audit a /etc/passwd file. You need to type command as follows:''# auditctl -w /etc/passwd -p war -k password-file''
-Where,
-  * **-w /etc/passwd** : Insert a watch for the file system object at given path i.e. watch file called /etc/passwd
-  * **-p war** : Set permissions filter for a file system watch. It can be r for read, w for write, x for execute, a for append.
-  * **-k password-file** : Set a filter key on a /etc/passwd file (watch). The password-file is a filterkey (string of text that can be up to 31 bytes long). It can uniquely identify the audit records produced by the watch. You need to use password-file string or phrase while searching audit logs.
-In short you are monitoring (read as watching) a /etc/passwd file for anyone (including syscall) that may perform a write, append or read operation on a file.
-Wait for some time or as a normal user run command as follows:''$ grep 'something' /etc/passwd$ vi /etc/passwd''
-Following are more examples:
-==== File System audit rules ====
-Add a watch on "/etc/shadow" with the arbitrary filterkey "shadow-file" that generates records for "reads, writes, executes, and appends" on "shadow"
-<code>
-# auditctl -w /etc/shadow -k shadow-file -p rwxa
-</code>
-=== syscall audit rule ===
-The next rule suppresses auditing for mount syscall exits''# auditctl -a exit,never -S mount''
-=== File system audit rule ===
-Add a watch "tmp" with a NULL filterkey that generates records "executes" on "/tmp" (good for a webserver)
-<code>
-# auditctl -w /tmp -p e -k webserver-watch-tmp
-</code>
-=== syscall audit rule using pid ===
-To see all syscalls made by a program called sshd (pid - 1005):
-<code>
-# auditctl -a entry,always -S all -F pid=1005
-</code>
-==== How do I find out who changed or accessed a file /etc/passwd? ====
-Use ausearch command as follows:
-<code>
-# ausearch -f /etc/passwd
-# ausearch -f /etc/passwd | less
-# ausearch -f /etc/passwd -i | less
-</code>
-Where
-  * **-f /etc/passwd** : Only search for this file
-  * **-i** : Interpret numeric entities into text. For example, uid is converted to account name.
-Output:
-<code>
-type=PATH msg=audit(03/16/2007 14:52:59.985:55) : name=/etc/passwd flags=follow,open inode=23087346 dev=08:02 mode=file,644 ouid=root ogid=root rdev=00:00
-type=CWD msg=audit(03/16/2007 14:52:59.985:55) :  cwd=/webroot/home/lighttpd
-type=FS_INODE msg=audit(03/16/2007 14:52:59.985:55) : inode=23087346 inode_uid=root inode_gid=root inode_dev=08:02 inode_rdev=00:00
-type=FS_WATCH msg=audit(03/16/2007 14:52:59.985:55) : watch_inode=23087346 watch=passwd filterkey=password-file perm=read,write,append perm_mask=read
-type=SYSCALL msg=audit(03/16/2007 14:52:59.985:55) : arch=x86_64 syscall=open success=yes exit=3 a0=7fbffffcb4 a1=0 a2=2 a3=6171d0 items=1 pid=12551 auid=unknown(4294967295) uid=lighttpd gid=lighttpd euid=lighttpd suid=lighttpd fsuid=lighttpd egid=lighttpd sgid=lighttpd fsgid=lighttpd comm=grep exe=/bin/grep
-</code>
-Let us try to understand output
-  * **audit(03/16/2007 14:52:59.985:55)** : Audit log time
-  * **uid=lighttpd gid=lighttpd** : User ids in numerical format. By passing **-i** option to command you can convert most of numeric data to human readable format. In our example user is lighttpd used grep command to open a file
-  * **exe="/bin/grep"** : Command grep used to access /etc/passwd file
-  * perm_mask=read : File was open for read operation
-So from log files you can clearly see who read file using grep or made changes to a file using vi/vim text editor. Log provides tons of other information. You need to read man pages and documentation to understand raw log format.
-==== Other useful examples ====
-Search for events with date and time stamps. if the date is omitted, today is assumed. If the time is omitted, now is assumed. Use 24 hour clock time rather than AM or PM to specify time. An example date is 10/24/05. An example of time is 18:00:00.
-<code>
-# ausearch -ts today -k password-file
-# ausearch -ts 3/12/07 -k password-file
-</code>
-Search for an event matching the given executable name using -x option. For example find out who has accessed /etc/passwd using rm command:
-<code>
-# ausearch -ts today -k password-file -x rm
-# ausearch -ts 3/12/07 -k password-file -x rm
-</code>
-Search for an event with the given user name (UID). For example find out if user vivek (uid 506) try to open /etc/passwd:
-<code>
-# ausearch -ts today -k password-file -x rm -ui 506
-# ausearch -k password-file -ui 506
-</code>
-Fuente : http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html
-=== Otros ejemplos ===
-<code>
-auditctl -w /etc/fstab -p war -k someconfig-exclude -F auid!=0
-</code>
-To see all syscalls made by a specific program:
-<code>
-auditctl -a entry,always -S all -F pid=1005
-</code>
-To see files opened by a specific user:
-<code>
-auditctl -a exit,always -S open -F auid=510
-</code>
-To see unsuccessful open call's:
-<code>
-auditctl -a exit,always -S open -F success=0
-</code>
-To watch a file for changes (2 ways to express):
-<code>
-auditctl -w /etc/shadow -p wa
-auditctl -a exit,always -F path=/etc/shadow -F perm=wa
-</code>
-To recursively watch a directory for changes (2 ways to express):
-<code>
-auditctl -w /etc/ -p wa
-auditctl -a exit,always -F dir=/etc/ -F perm=wa
-</code>
-=== Script parser de audit.log ===
-Script para parsear el contenido del audit.log y ver el timestamp en formato humano
-<file perl auditsearch.pl>
-#!/usr/bin/perl
-use strict;
-# what do I want to look for in the audit log.
-my $pattern = $ARGV[0];
-# Define the audit directory if the user doesn't provide one.
-my $dir = '/var/log/audit';
-$dir = $ARGV[1] if scalar(@ARGV) == 2;
-# Strip any trailing slash
-$dir =~ s/\/$//g;
-# walk through the directory and save the list of files as an array.
-# find is nice because it gives you full path + executable
-my @files = `sudo find $dir`;
-# strip new lines from the array.
-chomp(@files);
-# loop through each element in the array and do something.
-for my $file (@files)
-{
-  # declare the empty array before use
-  my @arr;
-  # determine if we use zgrep or grep
-  # zgrep is needed for gz and grep is for regular files
-  if ( $file =~ /gz$/ )
-  {
-    @arr = `sudo zgrep $pattern $file`;
-  }
-  else
-  {
-    @arr = `sudo grep $pattern $file`;
-  }
-  # print the filename only if we found something in the file
-  print "\nFile: $file\n" if ( scalar(@arr) > 0 );
-  # for each element in the array translate epoch to human readable
-  foreach(@arr)
-  {
-    chomp;
-    # do a little regex for easy matching
-    if ( /(.*msg=audit\()(\d+)(\.\d+:\d+.*)/ )
-    {
-      convert epoch to human readable
-      my $td = scalar localtime $2;
-      print "$1$td$3\n";
-    }
-  }
-}
-</file>
-Original : http://www.linuxquestions.org/questions/linux-software-2/how-can-i-read-the-audit-time-stamp-msg%3Daudit-1213186256-105-20663-a-648547/
-O ni solución mucho mas simple :
-<code perl>
-# cat /var/log/audit/audit.log | perl -pw -e "s/^*\d+\.\d+/localtime $&/e;"
-</code>
-=== Archivo de reglas de ejemplo ===
-<code>
-# This file contains the auditctl rules that are loaded
-# whenever the audit daemon is started via the initscripts.
-# The rules are simply the parameters that would be passed
-# to auditctl.
-# First rule - delete all
--D
-# Increase the buffers to survive stress events.
-# Make this bigger for busy systems
--b 320
-# Archivos de configuración de audit
--w /etc/audit/auditd.conf -p wa
--w /etc/audit/audit.rules -p wa
--w /etc/libaudit.conf -p wa
--w /etc/sysconfig/auditd -p wa
-# Feel free to add below this line. See auditctl man page
--w /etc/fstab   -p wa  -k filesystems
--w /etc/sudoers -p wa  -k auth
--w /etc/security/limits.conf -p wa  -k auth
--w /etc/hosts   -p wa  -k network
--w /etc/sysctl.conf -p wa -k sysctl_parameters
--w /etc/login.defs -p wa
--w /etc/securetty
-# Actividades de sistema
--a entry,always -S chmod -S fchmod -S chown -S fchown -S lchown
-#-a entry,always -S creat -S open -S truncate -S truncate64 -S ftruncate -S ftruncate64
--a entry,always -S mkdir -S rmdir
--a entry,always -S unlink -S rename -S link -S symlink
--a entry,always -S setxattr
--a entry,always -S lsetxattr
--a entry,always -S fsetxattr
--a entry,always -S removexattr
--a entry,always -S lremovexattr
--a entry,always -S fremovexattr
--a entry,always -S mknod
--a entry,always -S mount
--a entry,always -S umount2
--a exit,always -S setdomainname
--w /etc/inittab -p wa
--w /etc/init.d/
--w /etc/init.d/auditd -p wa
-# Librerias de sistema
--w /etc/ld.so.conf -p wa
--w /etc/localtime -p wa
-# Configuracion de modulos
--w /etc/modprobe.d/
--w /etc/modprobe.conf.local -p wa
--w /etc/modprobe.conf -p wa
-# Configuración de CRON
--w /etc/cron.allow -p wa
--w /etc/cron.deny -p wa
--w /etc/cron.d/ -p wa
--w /etc/cron.daily/ -p wa
--w /etc/cron.hourly/ -p wa
--w /etc/cron.monthly/ -p wa
--w /etc/cron.weekly/ -p wa
--w /etc/crontab -p wa
--w /var/spool/cron/root
-# --- Recomendaciones de la NSA
-#- Records Events that Modify Date and Time Information
--a always,exit -S settimeofday -k time-change
--a always,exit -S clock_settime -k time-change
--w /etc/localtime -p wa -k time-change
-#- Record Events that Modify User/Group Information
--w /etc/group -p wa -k identity
--w /etc/passwd -p wa -k identity
--w /etc/gshadow -p wa -k identity
--w /etc/shadow -p wa -k identity
-#- Record Events that Modify the System’s Network Environment
--a exit,always -S sethostname -S setdomainname -k system-locale
--w /etc/issue -p wa -k system-locale
--w /etc/issue.net -p wa -k system-locale
--w /etc/hosts -p wa -k system-locale
--w /etc/sysconfig/network -p wa -k system-locale
-#- Record Attempts to Alter Logon and Logout Events
--w /var/log/faillog -p wa -k logins
--w /var/log/lastlog -p wa -k logins
-#- Record Attempts to Alter Process and Session Initiation Information
--w /var/run/utmp -p wa -k session
--w /var/log/btmp -p wa -k session
--w /var/log/wtmp -p wa -k session
-#- Ensure auditd Collects Information on Kernel Module Loading and Unloading
--w /sbin/insmod -p x -k modules
--w /sbin/rmmod -p x -k modules
--w /sbin/modprobe -p x -k modules
--a always,exit -S init_module -S delete_module -k modules
-#- Make the auditd Conﬁguration Immutable
-#Add the following as the last rule in /etc/audit/audit.rules in order to make the conﬁguration immutable:
-#-e 2
-#With this setting, a reboot will be required to change any audit rules.
-</code>
-Referencias útiles:
-[[http://www.ibm.com/developerworks/linux/library/l-security-audit.html]]
-[[http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html]]
-[[http://www.redhat.com/mailman/listinfo/linux-audit]]
-[[http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf]]
-[[http://www.nsa.gov/ia/_files/os/redhat/rhel5-pamphlet-i731.pdf]]
-[[http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html]]
-[[http://manpages.ubuntu.com/manpages/gutsy/man8/auditctl.8.html]]
-[[http://www.puschitz.com/SecuringLinux.shtml]]
-[[http://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening]]
-[[http://www.cyberciti.biz/files/linux-kernel/Documentation/networking/ip-sysctl.txt|Linux kernel IP sysctl documentation.]]
-[[http://www.linuxinsight.com/proc_sys_net_ipv4.html]]
-[[http://www.novell.com/documentation/sled10/pdfdoc/audit_sp2/audit_sp2.pdf]]