New York Institute of Technology (NYIT), Jordan's campus, 2006
Prepared by: Abdelsalam Aref Manhal Tawfiq
Supervised by: Dr. Lo'ai Tawalbeh

Outline
• What is UNIX?
• UNIX popularity
• Structure of UNIX
• Advantages of UNIX
• Disadvantages of UNIX
• Unix security
• Unix forensics tools
• Summary
• References

What is UNIX?
UNIX is a general-purpose, multi-user operating system developed at Bell Laboratories as a private research project by a small group of people starting in 1969. About a year later, in the early 1970s, UNIX was unveiled to the general public. The main goals of the group were to design an operating system that satisfied the following objectives:
• Simple and elegant.
• Written in a high-level language rather than assembly language.
• Allow re-use of code.

Today UNIX has evolved into three main categories:
• BSD (Berkeley Software Distribution)
• System V Release 4
• Hybrid

Some of the most popular UNIX variants are:
• IBM's AIX
• Sun Microsystems' Solaris
• SGI's IRIX
• Linux
• OpenBSD and FreeBSD

UNIX popularity
• Only a very small amount of code in UNIX is written in assembly language. This makes it relatively easy for a computer vendor to port UNIX to new hardware.
• The application program interface allows many different types of applications to be implemented under UNIX without writing assembly language.
• Vendor-independent networking allows users to easily network multiple systems from many different vendors.

Structure of UNIX
The Unix system consists of three levels:
• The kernel schedules tasks and manages data storage. It performs the low-level jobs of scheduling processes, keeping track of files and controlling hardware devices.
• The shell is a program that interprets the commands typed by the user and translates them into commands that the kernel understands.
• The outermost layer consists of tools and applications adding special capabilities to the operating system.
The tools come either with the operating system or can be obtained from third parties to enhance the functioning of the operating system.

Advantages of UNIX
• UNIX is portable, from large systems to medium-sized systems to single-user systems.
• UNIX's utilities are brief, single-operation commands that can be combined to achieve almost any desired result.
• UNIX is device independent. Since it includes the device drivers as part of the operating system, UNIX can be configured to run any device.
• UNIX is multitasking: multiple programs can run at one time.
• UNIX is multi-user. The same design that permits multitasking permits multiple users to use the computer. Multiple users can simultaneously use a single computer running UNIX.
• UNIX runs on older, less powerful machines. Chances are that if a computer does not have enough CPU speed and memory for Windows, it can still run UNIX.
• Several UNIX variants, such as FreeBSD, are free. High-quality free applications, like the emacs text editor, the Apache web server and the GIMP image editor, are available for UNIX platforms.
• Unix is more flexible and can be installed on many different types of machines, including mainframe computers, supercomputers and microcomputers.
• Unix is more stable and does not go down as often as Windows does, and therefore requires less administration and maintenance.
• Unix has greater built-in security and permissions features than Windows.
• Unix possesses much greater processing power than Windows.
• Unix is the leader in serving the Web. About 90% of the Internet relies on Unix operating systems running Apache, the world's most widely used Web server.
• Software upgrades from Microsoft often require the user to purchase new or more hardware or prerequisite software. That is not the case with Unix.

Disadvantages of UNIX
• UNIX is harder to install, maintain and upgrade than Windows.
• UNIX's commands are so brief that novice users find the operating system unfriendly.
• More home-oriented applications run under Windows than under UNIX.
• There is no single standard version of the operating system.

Unix security
• Design concepts
• User and administrative techniques

Unix security: Design concepts
1. Permissions:
• A core security feature in these systems is the permissions system. All files have permissions set enabling different access to a file.
• Unix permissions permit different users access to a file. Different user groups have different permissions on a file.
• More advanced Unix file systems include the Access Control List concept, which allows permissions to be granted to multiple users or groups. An Access Control List may be used to grant permission to additional individual users or groups.

UNIX defines three fields of 3 bits each: r w x
• r controls read access
• w controls write access
• x controls execution
In this scheme 9 bits per file are needed to record protection information. A separate field is kept for the file owner, for the file's group, and for all other users.

A sample UNIX directory listing (the listing image itself is not reproduced here)
• The first field describes the file's or directory's protection.
• A d as the first character indicates a subdirectory.
• Also shown are:
  – The number of links to the file
  – The owner's name
  – The group's name
  – The size of the file in bytes
  – The date of last modification
  – The file's name (with optional extension)

2. User groups:
Users under Unix operating systems often belong to managed groups with specific access permissions. This enables users to be grouped by the level of access they have to the system.

3. Issues:
Most Unix-style systems have an account or group which enables a user to exercise complete control over the system, often known as the root account. If an unwanted user gains access to this account, the result is a complete breach of the system. A root account, however, is necessary for administrative purposes.
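The nine-bit owner/group/other scheme and the listing fields described above can be worked through in code. The following Python is an added example written for this page (it is not from the slides or any tool they mention): it parses lines in the style of an `ls -l` listing, converts each r/w/x triple back into the numeric mode (including the setuid, setgid and sticky bits that the listing encodes as s/S and t/T), and then applies the two checks an administrator usually makes first, world-writable files and setuid executables. The listing lines are constructed sample data, not a real system's output.

```python
import re
import stat
from dataclasses import dataclass

# Constructed sample `ls -l` output for this example (not from the slides).
SAMPLE_LISTING = """\
drwxr-xr-x  2 alice staff  4096 Mar  3 10:12 notes
-rw-r--r--  1 alice staff  1204 Mar  3 10:15 report.txt
-rwsr-xr-x  1 root  root  54256 Jan 10 09:00 passwd
-rw-rw-rw-  1 bob   users   512 Feb 20 17:45 shared.log
"""


@dataclass
class Entry:
    kind: str    # first character: '-' regular file, 'd' directory, 'l' symlink, ...
    perms: str   # the nine permission characters: owner, group, other
    links: int   # number of links to the file
    owner: str
    group: str
    size: int    # bytes
    mtime: str   # date of last modification, as printed
    name: str


# One `ls -l` line: type, 9 permission chars, links, owner, group, size, date, name.
LS_LINE = re.compile(
    r"^(?P<type>[-dlbcps])(?P<perms>[rwxsStT-]{9})\s+(?P<links>\d+)\s+"
    r"(?P<owner>\S+)\s+(?P<group>\S+)\s+(?P<size>\d+)\s+"
    r"(?P<mtime>\w{3}\s+\d{1,2}\s+[\d:]+)\s+(?P<name>.+)$"
)


def parse_ls_line(line: str) -> Entry:
    """Split one listing line into the fields the slide enumerates."""
    m = LS_LINE.match(line.rstrip("\n"))
    if not m:
        raise ValueError(f"not an ls -l line: {line!r}")
    return Entry(m["type"], m["perms"], int(m["links"]), m["owner"], m["group"],
                 int(m["size"]), m["mtime"], m["name"])


def perms_to_mode(perms: str) -> int:
    """Turn the nine r/w/x characters into the numeric mode.

    Position 0-2 is the owner triple, 3-5 the group triple, 6-8 'other'.
    An 's' in an execute slot means execute plus setuid (owner) or setgid
    (group); 'S' means the special bit without execute. 't'/'T' is the
    sticky bit on the 'other' triple.
    """
    if len(perms) != 9:
        raise ValueError("expected exactly nine permission characters")
    mode = 0
    for i, ch in enumerate(perms):
        bit = 1 << (8 - i)            # r=4, w=2, x=1 within each triple
        if ch in "rwx":
            mode |= bit
        elif ch in "sS":
            mode |= bit if ch == "s" else 0
            mode |= stat.S_ISUID if i == 2 else stat.S_ISGID
        elif ch in "tT":
            mode |= bit if ch == "t" else 0
            mode |= stat.S_ISVTX
    return mode


def audit(listing: str) -> dict:
    """Flag files any user can write to and setuid programs in a listing."""
    findings = {"world_writable": [], "setuid": []}
    for line in listing.splitlines():
        e = parse_ls_line(line)
        mode = perms_to_mode(e.perms)
        if mode & stat.S_IWOTH:
            findings["world_writable"].append(e.name)
        if mode & stat.S_ISUID:
            findings["setuid"].append(e.name)
    return findings


if __name__ == "__main__":
    for line in SAMPLE_LISTING.splitlines():
        e = parse_ls_line(line)
        print(f"{e.name:12} {e.owner}:{e.group} mode {perms_to_mode(e.perms):04o}")
    print(audit(SAMPLE_LISTING))
```

`audit` operates on captured listing text, so it can be run against the output of `ls -l` saved from a system under review as well as against the constructed sample.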
Usage of the root account can be more closely monitored.

Unix security: User and administrative techniques
1. Passwords:
• Selecting a strong password and guarding it properly is probably the most important thing a user can do to improve Unix security. In Unix systems passwords are usually stored in the file /etc/passwd. Actually this file stores more than just passwords: it keeps track of the users registered on the system and their main definitions. The entries in /etc/passwd look like this:
  nickname:password_hash:UserID:GroupID:Complete_Name:home_dir:shell_bin
• An example would be:
  xfze:$1$zuW2nX3sslp3qJm9MYDdglEApAc36r/:1000:100:José Carlos D. S. Saraiva:/home/xfze:/bin/bash
But since all users must have access to this file in order for the system to compare the password given at the login prompt with the one stored in the file, anyone could read the file and retrieve other users' password hashes. The solution to this problem is what is known as a "shadow" file (/etc/shadow). The idea is to move the encrypted passwords from /etc/passwd to /etc/shadow, and make the latter not readable by normal users.

2. Users and accounts:
• Administrators should delete old accounts promptly.
• only, no remote root logins

UNIX forensics tools
• Data Acquisition / IR Tools
• Media Management Analysis Tools
• File System Analysis Tools
• Application Analysis Tools
• Network Analysis Tools

Data Acquisition / IR Tools
• Title: Automated Image and Restore (AIR)
  Description: AIR (Automated Image & Restore) is a GUI front-end to dd/dcfldd designed for easily creating forensic bit images.
• Title: dcfl-dd
  Description: dcfl-dd is a modified version of the GNU binutils version of 'dd'. It calculates the MD5 hash value of the data while it copies the data.
• Title: dd
  Description: 'dd' is a common UNIX tool that copies data from one file to another.
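The /etc/passwd format given under "User and administrative techniques" above, and the reason for moving hashes into /etc/shadow, can be checked mechanically. The following Python is an added example for this page, not code from the slides: it parses the seven colon-separated fields, then reports accounts whose hash is still sitting in the world-readable passwd file, accounts with an empty password field, and any second account with UID 0, which is root under another name. The passwd contents are constructed sample data (the first line reuses the slide's example hash); the `shadow_mode_ok` check takes an `st_mode` value so it can be tested without touching the real file.

```python
from __future__ import annotations

import stat
from dataclasses import dataclass

# Constructed sample /etc/passwd content for this example (not a real system's
# file). The first entry still carries its hash in field 2, as in the slides'
# pre-shadow example; the others carry 'x', meaning the hash is in /etc/shadow.
SAMPLE_PASSWD = """\
xfze:$1$zuW2nX3sslp3qJm9MYDdglEApAc36r/:1000:100:Jose Carlos:/home/xfze:/bin/bash
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:0:34:backup:/var/backups:/bin/sh
guest::1001:100:Guest:/home/guest:/bin/bash
"""


@dataclass
class PasswdEntry:
    name: str
    password: str   # a hash, or 'x' / '*' / '!...' when shadowed or locked
    uid: int
    gid: int
    gecos: str      # the "Complete_Name" field of the slide
    home: str
    shell: str


def parse_passwd(text: str) -> list[PasswdEntry]:
    """Split each non-empty, non-comment line into its seven fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def audit_passwd(entries: list[PasswdEntry]) -> dict[str, list[str]]:
    """Checks that follow from the slide text.

    hash_in_passwd: field 2 holds a real hash rather than 'x', '*' or a
                    locked '!' marker, so every local user can read it.
    empty_password: field 2 is empty, i.e. login with no password at all.
    extra_uid0:     an account other than root with UID 0.
    """
    findings = {"hash_in_passwd": [], "empty_password": [], "extra_uid0": []}
    for e in entries:
        if e.password == "":
            findings["empty_password"].append(e.name)
        elif not (e.password in ("x", "*") or e.password.startswith("!")):
            findings["hash_in_passwd"].append(e.name)
        if e.uid == 0 and e.name != "root":
            findings["extra_uid0"].append(e.name)
    return findings


def shadow_mode_ok(mode: int) -> bool:
    """/etc/shadow must not be readable by 'other'; pass os.stat(...).st_mode."""
    return not (mode & stat.S_IROTH)


if __name__ == "__main__":
    import os
    print(audit_passwd(parse_passwd(SAMPLE_PASSWD)))
    try:
        print("shadow unreadable by others:",
              shadow_mode_ok(os.stat("/etc/shadow").st_mode))
    except OSError as exc:
        print("cannot stat /etc/shadow:", exc)
```

Run against a real system, `parse_passwd(open("/etc/passwd").read())` needs no privilege, which is exactly the point the slide makes; the hashes themselves should only be reachable through the mode-restricted shadow file.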
'dd' can also be used with 'netcat' to send data to a server over the network.

Media Management Analysis Tools
• Title: CDfs
  Description: CDfs is a file system for Linux systems that `exports' all tracks and boot images on a CD as normal files. These files can then be mounted (e.g. ISO and boot images), copied, or played (audio and VideoCD tracks).
• Title: Cdrecord
  Description: Cdrecord supports DVD-R and DVD-RW with all known DVD writers on all UNIX-like OS and on Win32. DVD writing support has been implemented in cdrecord since March 1998. Cdrecord writes DVD media similarly to CD media. The readcd tool can be used to read the contents of a CD.
• Title: disktype
  Description: The purpose of disktype is to detect the content format of a disk or disk image. It knows about common file systems, partition tables, and boot codes. (Ed: It is similar to 'file', but gives much more detail about the file system or partition table.)

File System Analysis Tools
• Title: Autopsy Forensic Browser
  Description: Autopsy is a graphical interface to the command line tools in The Sleuth Kit and allows one to view deleted NTFS, FAT, EXTxFS, and FFS files, perform keyword searches, and create timelines of file activity.
• Title: disktype
  Description: The purpose of disktype is to detect the content format of a disk or disk image. It knows about common file systems, partition tables, and boot codes. (Ed: It is similar to 'file', but gives much more detail about the file system or partition table.)
• Title: e2salvage
  Description: e2salvage is a utility which tries to do in-place data recovery from damaged ext2 filesystems. Unlike e2fsck, it does not look for the data at particular places and it does not tend to believe the data it finds; thus it can handle much more damaged filesystems.
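The dd/dcfldd entries under "Data Acquisition / IR Tools" describe the core of forensic imaging: copy the source in fixed-size blocks and hash the data as it passes, so the image can later be shown to match what was acquired. The following Python is an added example written for this page (it is not dd, dcfldd or AIR code): it copies a stream block by block while computing MD5 and SHA-256, re-hashes the finished image to confirm it matches the source, and exercises the routine on a constructed in-memory "disk" whose length is not a whole number of blocks, the edge case where a careless copy loses the tail.

```python
import hashlib
import io

BLOCK_SIZE = 512  # dd's default block size; larger values are just faster


def image_stream(src, dst, block_size=BLOCK_SIZE):
    """Copy src to dst block by block, hashing every block on the way through
    (the behaviour dcfldd adds to dd). Returns (bytes_copied, md5, sha256).
    A short final read is written in full, so a source that is not a multiple
    of the block size is still copied completely."""
    md5 = hashlib.md5()
    sha = hashlib.sha256()
    total = 0
    while True:
        block = src.read(block_size)
        if not block:
            break
        dst.write(block)
        md5.update(block)
        sha.update(block)
        total += len(block)
    return total, md5.hexdigest(), sha.hexdigest()


def hash_stream(src, block_size=BLOCK_SIZE):
    """Hash a stream without writing it anywhere (used to verify an image)."""
    sink = io.BytesIO()  # discarded; only the digests matter here
    return image_stream(src, sink, block_size)


def image_file(src_path, dst_path, block_size=BLOCK_SIZE):
    """Image a file or device node into dst_path and verify the result by
    re-reading the image; returns the digests and whether they matched."""
    with open(src_path, "rb") as s, open(dst_path, "wb") as d:
        n, md5_src, sha_src = image_stream(s, d, block_size)
    with open(dst_path, "rb") as d:
        n_img, md5_img, sha_img = hash_stream(d, block_size)
    return {
        "bytes": n,
        "md5": md5_src,
        "sha256": sha_src,
        "verified": (n, md5_src, sha_src) == (n_img, md5_img, sha_img),
    }


def image_bytes(data: bytes, block_size=BLOCK_SIZE):
    """In-memory variant of image_stream: returns (image, md5, sha256)."""
    dst = io.BytesIO()
    _, md5, sha = image_stream(io.BytesIO(data), dst, block_size)
    return dst.getvalue(), md5, sha


def demo() -> dict:
    """Constructed 1792-byte 'disk': three full 512-byte blocks plus a
    partial fourth block, to show the tail is not dropped."""
    disk = bytes(range(256)) * 7
    image, md5, sha = image_bytes(disk)
    return {
        "bytes": len(image),
        "md5": md5,
        "sha256": sha,
        "identical": image == disk and md5 == hashlib.md5(disk).hexdigest(),
    }


if __name__ == "__main__":
    print(demo())
```

The digests returned by `image_file` are what an examiner records alongside the image; re-running `hash_stream` over the image file at a later date and comparing against that record is the verification step.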
Network Analysis Tools
• Title: tcpflow
  Description: tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis or debugging. A program like 'tcpdump' shows a summary of packets seen on the wire, but usually doesn't store the data that's actually being transmitted. In contrast, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis.
• Title: Ethereal
  Description: Ethereal is used by network professionals around the world for troubleshooting, analysis, software and protocol development, and education. It has all of the standard features you would expect in a protocol analyzer, and several features not seen in any other product. Its open source license allows talented experts in the networking community to add enhancements. It runs on all popular computing platforms, including Unix, Linux, and Windows.

Application Analysis Tools
• Title: Autopsy Forensic Browser
  Description: Autopsy is a graphical interface to the command line tools in The Sleuth Kit and allows one to view deleted NTFS, FAT, EXTxFS, and FFS files, perform keyword searches, and create timelines of file activity.
• Title: binutils
  Description: The GNU Binutils are a collection of binary tools. For forensics, these are used for binary analysis, including 'strings'.
• Title: find
  Description: The find program searches a directory tree to find a file or group of files. It traverses the directory tree and reports all occurrences of a file matching the user's specifications. The find program includes very powerful searching capability.

Summary
• Unix operating systems are widely used in both servers and workstations.
• UNIX has several advantages as an operating system, such as portability, powerful utilities, device independence, multitasking, multi-user operation, low system requirements, and the availability of free software.
• There are disadvantages to using the UNIX operating system. Some of them are unfriendly commands, no standard version of UNIX, difficult installation, and a lack of commercially available software.
• We found that Windows NT has slightly more rigorous security features than "standard" UNIX, but the two systems display similar vulnerabilities. The conclusion is that there are no significant differences in the "real" level of security between these systems.

Resources
Books:
• Maurice J. Bach, The Design of the UNIX Operating System. Prentice-Hall Inc., 1986.
• UNIX System Security: A Guide for Users and System Administrators. Addison-Wesley, 1994.
• Abraham Silberschatz and Peter Galvin, Operating System Concepts, 6th edition. Addison-Wesley, 2001.
Websites:
• http://ftimes.sourceforge.net/FTimes/index.shtml
• http://sourceforge.net/projects/biatchux
• http://directory.fsf.org/sysadmin/Backup/sdd.html
• http://freshmeat.net/projects/cdrecord/