Page |1

Capability and System Hardening

Date Assigned: mm/dd/yyyy
Date Due: mm/dd/yyyy by hh:mm

Educational Objectives
This lab is designed to help you gain a better understanding of system hardening principles and hands-on experience with common hardening techniques.

Lab Environment
One Fedora 18 system is needed for this lab. Please put SELinux in permissive mode (setenforce 0).

Resources: Most of the material in the rest of this lab is derived from the following documents:
[1] Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28, 2011, Operating Systems Division Unix Team of the Systems and Network Analysis Center, National Security Agency (NSA).
[2] Security Configuration Benchmark for Red Hat Enterprise Linux 5, Version 2.0.0, December 16, 2011, Center for Internet Security (CIS).

Section 1 Introduction to Linux Capabilities
Unix/Linux systems use a security model that gives regular users a minimal amount of privilege while giving "root" full privileges. Privileged operations are necessary in an operating system: programs often need root privileges for a single activity, such as binding to a privileged port or opening a file that only root can access. In order to allow regular users to run such programs, the Set-UID mechanism was introduced. A Set-UID program turns a regular user into a privileged user temporarily. This has proven dangerous: if the program is compromised, an adversary may obtain root privilege, even though in most cases the operation involved does not need all of root's privilege.
Capabilities divide root privilege into a set of granular privileges; each of these is called a capability. With capabilities, a user does not need to be root to perform a privileged operation; the program only needs the specific capability required for that operation. If a privileged program is compromised, the adversary obtains only that limited privilege.
Capabilities have been part of the Linux kernel since 2.1, and file capabilities (capabilities attached to an executable, which is what this lab uses) have been available since kernel 2.6.24. A good introduction can be found at the following link:
http://www.linuxjournal.com/article/5737
The available capabilities and the privileges they grant are listed in the following file (the capabilities(7) man page describes each one in more detail):
/usr/include/linux/capability.h

A good example is the command ping. Please perform the following as root before working on the rest of the lab:
setcap -r /bin/ping
chmod u+s /bin/ping
(setcap -r removes any file capabilities that may already be set on /bin/ping, so that the example starts from a plain Set-UID binary.)
In order to make it work for root and for a regular user, ping is now a Set-UID program. Run ls -l /bin/ping: the letter s in the owner's execute field indicates that ping is a Set-UID program. When a regular user executes ping, his/her effective user ID becomes root. If ping is compromised, the entire system can be compromised. The question is whether we can remove this privilege from ping. Let's turn ping into a non-Set-UID program by executing the following as root:
chmod u-s /bin/ping
Now log in as a regular user and run ping www.google.com. You will receive an error: ping is not permitted to open its socket. The command does not work for a regular user, although it still works for root (test it). This is because ping uses ICMP, which requires opening a raw socket, and that is a privileged operation. That is why ping traditionally had to be a Set-UID program. With capabilities, we do not need to give ping all of root's privilege. The privilege it needs is to open a raw socket, which is granted by the cap_net_raw capability. This capability can be assigned to ping by running the following as root:
setcap cap_net_raw=ep /bin/ping
(The flags ep mark the capability as permitted and effective, so the kernel raises it when the program is executed without any change to ping's code.)
Now log in as a regular user and run ping www.google.com again.
The ping succeeds this time.
Please use the man pages to study how to use the following commands:
setcap
getcap
The following command lists all Set-UID programs on the system:
find / -type f -perm -4000 -print
The article at the following link shows which capabilities a number of common Set-UID programs actually need:
https://wiki.archlinux.org/index.php/Using_File_Capabilities_Instead_Of_Setuid
Why are some of those capabilities needed at all? Please read the following post:
http://stackoverflow.com/questions/7844933/usr-bin-passwd-and-the-cap-chown-capability

Question 1: Choose one of the Set-UID programs you are interested in. Remove the SUID bit from the program and set proper capabilities on it. Were you able to make it work for a regular user without the SUID bit set? Please test your solution.
a) What program did you choose?
b) Does it work for a regular user without the SUID bit set?

One common use of capabilities is to give application programs exactly the privileges they need. Some applications need privileged operations to access certain resources, but for security reasons you do not want to run them as root. In this case, you can assign the required capabilities to such programs. For example, the program shown in Figure 1 needs to open the file /etc/shadow for reading. If the operation is allowed, it prints "Reading successful"; otherwise it prints "Reading failed."
Figure 1 A simple application program

Task 1
You are given the application program shown in Figure 1. You need to configure the program so that a regular user can run it and the result shows "Reading successful". For security purposes, you do not want it to be owned by root or to be a Set-UID program. In addition, you do not want to make the /etc/shadow file accessible to common users. Then test your configuration to ensure it works as expected.
Question 2: What do you need to do to achieve the goals specified in Task 1?
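The following script is an added example for Section 1 and Task 1; it is not part of the original lab. It packages the ping procedure above as a shell function that drops the Set-UID bit, grants only the requested capabilities, and verifies the result with getcap, and it shows the same pattern for the Task 1 program. Assumptions: setcap/getcap from libcap are installed, the privileged steps are run as root, TEST_USER names an existing unprivileged account, and the path /usr/local/bin/readshadow is a placeholder for the Figure 1 program, which is not reproduced on this page. The has_cap helper accepts both the older getcap output format ("path = cap+ep") and the newer one ("path cap=ep").

```shell
#!/bin/sh
# Added example (not from the lab): swap a Set-UID bit for file capabilities.
# Assumptions: setcap/getcap from libcap are installed; root-only steps are
# guarded; TEST_USER is an existing unprivileged account (assumed).

# is_setuid FILE: succeed if the set-user-ID bit is set (works unprivileged)
is_setuid() { [ -u "$1" ]; }

# has_cap GETCAP_LINE CAP: succeed if one line of getcap output grants CAP as
# both permitted (p) and effective (e). Accepts the old libcap format
#   /bin/ping = cap_net_raw+ep
# and the newer one
#   /bin/ping cap_net_raw=ep
has_cap() {
    line=$1; cap=$2
    spec="${line#* = }"                         # old format: drop "path = "
    [ "$spec" = "$line" ] && spec="${line#* }"  # new format: drop "path "
    case "$spec" in
        *+*) flags="${spec##*+}"; list="${spec%+*}" ;;
        *=*) flags="${spec##*=}"; list="${spec%=*}" ;;
        *)   return 1 ;;
    esac
    case ",$list," in *",$cap,"*) ;; *) return 1 ;; esac
    case "$flags" in *e*) ;; *) return 1 ;; esac
    case "$flags" in *p*) ;; *) return 1 ;; esac
    return 0
}

# replace_setuid_with_caps FILE CAPLIST (root only): drop the Set-UID bit and
# grant only CAPLIST (e.g. cap_net_raw or cap_chown,cap_fowner) as
# permitted+effective, so the kernel raises them on exec without any
# capset() call by the program; then verify with getcap.
replace_setuid_with_caps() {
    file=$1; caps=$2
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    chmod u-s "$file" || return 1
    setcap "${caps}=ep" "$file" || return 1
    out=$(getcap "$file") || return 1
    echo "$out"
    for c in $(echo "$caps" | tr ',' ' '); do
        has_cap "$out" "$c" || { echo "capability $c not granted" >&2; return 1; }
    done
    ! is_setuid "$file"
}

# run_as USER CMD...: run a command as an unprivileged user to test the result
run_as() { u=$1; shift; su -s /bin/sh -c "$*" "$u"; }

if [ "$(id -u)" -eq 0 ] && [ -n "${TEST_USER:-}" ]; then
    # Section 1: ping only needs to open a raw socket
    replace_setuid_with_caps /bin/ping cap_net_raw
    run_as "$TEST_USER" ping -c 1 127.0.0.1 && echo "ping works without Set-UID"

    # Task 1 pattern (placeholder path): the Figure 1 binary is owned by an
    # unprivileged account, is not Set-UID, and gets only cap_dac_read_search,
    # which bypasses read-permission checks so it can open /etc/shadow.
    # chown "$TEST_USER": /usr/local/bin/readshadow
    # replace_setuid_with_caps /usr/local/bin/readshadow cap_dac_read_search
    # run_as "$TEST_USER" /usr/local/bin/readshadow   # expect "Reading successful"
fi
```

Two caveats a practitioner should keep in mind: file capabilities are stored as extended attributes and are ignored on filesystems mounted nosuid, and they are never applied to scripts, because the kernel executes the interpreter rather than the script file, so the Task 1 program has to be a compiled binary. cap_dac_read_search is still a broad privilege (it reads any file on the system), so it should go only on a program whose code you trust.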
Please use screenshots to demonstrate your work and results for Question 2.

Section 2 System-wide hardening
Some common system-wide hardening items are introduced in this section.

2.1. Password complexity
In a Linux system, password aging controls are defined in the file /etc/login.defs. (Password complexity itself is enforced by the PAM password stack in /etc/pam.d/system-auth, e.g. pam_pwquality or pam_cracklib; the PASS_MIN_LEN value in /etc/login.defs is not enforced on a PAM-based system, so use the module's minlen option instead.) Please study the file and try to harden your system.
Question 3: What changes would you like to make to the Password aging controls section in the /etc/login.defs file in order to harden your system?

2.2. Account and password verification
To ensure that no accounts have an empty password field, the following command should produce no output:
awk -F: '($2 == "") {print}' /etc/shadow
If it produces output, fix the problem by locking each listed account or by setting a password for it.
To ensure that no password hashes are stored in /etc/passwd, the following command should produce no output:
awk -F: '($2 != "x") {print}' /etc/passwd
The hashes for all user account passwords should be stored in /etc/shadow and never in /etc/passwd, which is readable by all users.
Question 4: Did you get any output from the above commands? If you did, please harden your system.

2.3. Group-writable and world-writable files
A user's home directory should not be writable by others unless specific permissions have been deliberately granted; you do not want to share your private files with others. For each human user USER on the system, view the permissions of the user's home directory:
ls -ld /home/USER
Ensure that the directory is not group-writable and that it is not world-readable (and therefore also not world-writable). If necessary, repair the permissions:
chmod g-w /home/USER
chmod o-rwx /home/USER
For each human user USER on the system, view the permissions of all dot-files in the user's home directory:
ls -ld /home/USER/.[A-Za-z0-9]*
Ensure that none of these files are group- or world-writable.
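Here is an added example (not part of the lab) that turns the checks of 2.1 and 2.2 into shell functions, so they can be run against any login.defs, shadow and passwd file rather than only the live ones. The aging thresholds (PASS_MAX_DAYS at most 90, PASS_MIN_DAYS and PASS_WARN_AGE at least 7) are an assumption in the spirit of the CIS benchmark and should be adjusted to your own policy; the sample files are constructed inline and contain fake hashes.

```shell
#!/bin/sh
# Added example (not from the lab): audit password aging and account fields.
# The thresholds below are assumed policy values, not taken from the lab text.
MAX_DAYS_LIMIT=90
MIN_DAYS_LIMIT=7
WARN_AGE_LIMIT=7

# login_defs_value FILE KEY: print the active (uncommented) value of KEY;
# comment lines start with '#' so their first field never equals KEY
login_defs_value() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# aging_violations FILE: one line per aging control that is missing or weaker
# than the policy; prints nothing when the file is compliant
aging_violations() {
    f=$1
    v=$(login_defs_value "$f" PASS_MAX_DAYS)
    [ -n "$v" ] && [ "$v" -le "$MAX_DAYS_LIMIT" ] || echo "PASS_MAX_DAYS=${v:-unset} (want <= $MAX_DAYS_LIMIT)"
    v=$(login_defs_value "$f" PASS_MIN_DAYS)
    [ -n "$v" ] && [ "$v" -ge "$MIN_DAYS_LIMIT" ] || echo "PASS_MIN_DAYS=${v:-unset} (want >= $MIN_DAYS_LIMIT)"
    v=$(login_defs_value "$f" PASS_WARN_AGE)
    [ -n "$v" ] && [ "$v" -ge "$WARN_AGE_LIMIT" ] || echo "PASS_WARN_AGE=${v:-unset} (want >= $WARN_AGE_LIMIT)"
}

# empty_password_accounts SHADOW: accounts whose password field is empty
# (anyone can log in to them without a password)
empty_password_accounts() { awk -F: '$2 == "" { print $1 }' "$1"; }

# hashes_in_passwd PASSWD: accounts whose password field is not the shadow
# placeholder "x", i.e. a hash (or nothing) sits in the world-readable file
hashes_in_passwd() { awk -F: '$2 != "x" { print $1 }' "$1"; }

# lock_accounts NAME...: lock each account (root only); a locked account keeps
# its entry but can no longer authenticate with a password
lock_accounts() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    for u in "$@"; do usermod -L "$u" || return 1; done
}

# Constructed sample files (not real system data) to show the checks working.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/login.defs" <<'EOF'
# PASS_MAX_DAYS 99999
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$saltsalt$fakehashfakehashfakehash:15700:0:99999:7:::
alice:$6$saltsalt$fakehashfakehashfakehash:15700:0:99999:7:::
guest::15700:0:99999:7:::
EOF
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
legacy:$1$abc$fakehash:1001:1001::/home/legacy:/bin/bash
EOF
# To audit the live system instead, run the functions on /etc/login.defs,
# /etc/shadow (as root) and /etc/passwd.

echo "aging violations:";  aging_violations "$SAMPLE_DIR/login.defs"
echo "empty passwords:";   empty_password_accounts "$SAMPLE_DIR/shadow"
echo "hashes in passwd:";  hashes_in_passwd "$SAMPLE_DIR/passwd"
```

Editing /etc/login.defs only affects accounts created afterwards; existing accounts keep the aging values stored in their /etc/shadow entries, which you change with chage (for example chage -M 90 -m 7 -W 7 USER).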
For any dot-file FILE reported by that check, correct it by executing:
chmod go-w /home/USER/FILE
Question 5: Why would you perform the above checks in practice?

2.4. Verify that all world-writable directories have the sticky bit set
Locate any directories on the current partition that are world-writable and do not have the sticky bit set. The following command discovers and prints such directories, if any. Because -xdev keeps find from crossing mount points, run it once for each partition:
find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
Question 6: Did you see any output when running the above command?
If this command produces any output, fix each reported directory /dir with:
chmod +t /dir
When the so-called "sticky bit" is set on a directory, only the owner of a file (plus the owner of the directory and root) may remove or rename that file. Without the sticky bit, any user with write access to the directory may remove any file in it. Setting the sticky bit prevents users from removing each other's files.

2.5. Find unauthorized SUID/SGID system executables
The following command discovers and prints any setuid or setgid files on local partitions. Run it once for each local partition:
find / -xdev \( -perm -4000 -o -perm -2000 \) -type f -print
If a file does not require the setuid or setgid bit, the bits can be removed with:
chmod -s fileName
The system executables that legitimately need setuid or setgid bits are listed in the security configuration guide [1]; you may also find such a list in a vendor manual or system specification. Replacing the setuid/setgid bit with the specific capabilities a program needs limits the damage when the program is compromised, although some capabilities (for example cap_dac_override or cap_sys_admin) are still close to full root.
Un-owned files are not directly exploitable, but they are generally a sign that something is wrong with a system process. They may be caused by an intruder, by incorrect software installation or incomplete software removal, or by failure to remove all files belonging to a deleted account.
Such files should be repaired so that they do not cause problems when accounts are created in the future (a new account that reuses the orphaned UID would silently own them), and the problem that led to the un-owned files should be discovered and addressed. The following command discovers and prints any files on local partitions that do not belong to a valid user or a valid group. Run it once for each local partition:
find / -xdev \( -nouser -o -nogroup \) -print
If this command shows any results, investigate each reported file, then either assign it to an appropriate user and group or remove it.
Locate any directories on local partitions that are world-writable and ensure that they are owned by root or another system account. The following command discovers and prints such directories, assuming that only system accounts have a UID lower than 500 (note that -uid +500 matches UIDs greater than 500; check UID_MIN in /etc/login.defs, which is 1000 rather than 500 on recent Fedora releases, and adjust the threshold). Run it once for each local partition:
find / -xdev -type d -perm -0002 -uid +500 -print
If this command produces any output, investigate why the current owner is not root or another system account. Allowing a user account to own a world-writable directory is undesirable because the owner can remove or replace any files placed in the directory by other users; the sticky bit does not restrict the directory's owner.
Question 7: How many system executables with the setuid or setgid bit set are there on your system? Give the command you would use to obtain this number.

2.6. Ensuring the system is not acting as a network sniffer
The system should not be acting as a network sniffer. The file /proc/net/packet should contain exactly one header line, with entries similar to:
sk RefCnt Type Proto Iface R Rmem User Inode
If a row of numbers appears below this header, a process holds a packet socket on an interface (it can capture raw frames) and this should be investigated. Some legitimate programs, such as a DHCP client, also open packet sockets, so identify the owning process (for example with ss -0 -p, or by matching the Inode column against /proc/*/fd) before concluding that the system is compromised.
Please perform the above check to find out whether your system is acting as a network sniffer.
Question 8: Is your system acting as a network sniffer? In what case would you want a computer to function as a sniffer?
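The script below is an added example (not part of the lab) that wraps the find-based checks of 2.3 to 2.5 and the /proc/net/packet check of 2.6 in functions and exercises them on a constructed directory tree and two constructed packet-table files, so the checks can be tried without touching the real filesystem. The system-UID boundary SYS_UID_MAX is an assumption (the lab uses 500; Fedora 18's UID_MIN is 1000), and the packet-table rows are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the lab): the permission checks of 2.3-2.5 and the
# packet-socket check of 2.6 as functions, exercised on a constructed tree.
SYS_UID_MAX=${SYS_UID_MAX:-999}   # assumed boundary between system and user UIDs

# writable_dotfiles HOME: dot-files directly in HOME that are group- or
# world-writable (2.3)
writable_dotfiles() {
    find "$1" -maxdepth 1 -name '.*' -type f \( -perm -020 -o -perm -002 \) -print
}

# ww_dirs_without_sticky ROOT: world-writable directories lacking the sticky
# bit, so anyone could delete other users' files in them (2.4)
ww_dirs_without_sticky() {
    find "$1" -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
}

# setuid_setgid_files ROOT: candidates for review or for file capabilities (2.5)
setuid_setgid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

# unowned_files ROOT: files whose UID or GID has no passwd/group entry (2.5)
unowned_files() { find "$1" -xdev \( -nouser -o -nogroup \) -print; }

# user_owned_ww_dirs ROOT: world-writable dirs owned by a non-system UID (2.5)
user_owned_ww_dirs() { find "$1" -xdev -type d -perm -0002 -uid +"$SYS_UID_MAX" -print; }

# fixes for what the checks report
fix_sticky()   { chmod +t "$@"; }     # sticky bit on a world-writable dir
fix_dotfiles() { chmod go-w "$@"; }   # remove group/world write on a dot-file

# packet_sockets FILE: number of open packet sockets in a /proc/net/packet-style
# file, header excluded; 0 means nothing is capturing raw frames (2.6)
packet_sockets() { awk 'NR > 1 && NF > 0 { n++ } END { print n + 0 }' "$1"; }

# --- constructed demonstration tree (not real system paths) ---
DEMO=$(mktemp -d)
mkdir -p "$DEMO/home/alice" "$DEMO/tmp" "$DEMO/shared"
: > "$DEMO/home/alice/.bashrc";  chmod 664 "$DEMO/home/alice/.bashrc"   # group-writable: reported
: > "$DEMO/home/alice/.profile"; chmod 644 "$DEMO/home/alice/.profile"  # fine
chmod 1777 "$DEMO/tmp"      # world-writable with sticky bit: fine
chmod 777  "$DEMO/shared"   # world-writable without sticky bit: reported
: > "$DEMO/suidtool";        chmod 4755 "$DEMO/suidtool"                 # setuid: reported
# constructed /proc/net/packet contents: header only, and header plus one socket
printf 'sk RefCnt Type Proto Iface R Rmem User Inode\n' > "$DEMO/packet.clean"
printf 'sk RefCnt Type Proto Iface R Rmem User Inode\nffff88003a1b2c00 3 3 0003 2 1 0 0 12345\n' > "$DEMO/packet.sniff"

echo "writable dot-files:";      writable_dotfiles "$DEMO/home/alice"
echo "ww dirs without sticky:";  ww_dirs_without_sticky "$DEMO"
echo "setuid/setgid files:";     setuid_setgid_files "$DEMO"
echo "packet sockets (clean):";  packet_sockets "$DEMO/packet.clean"
echo "packet sockets (sniff):";  packet_sockets "$DEMO/packet.sniff"
```

To audit the real system, call the functions with / (once per partition, since -xdev stops at mount points) and with each /home/USER; the DEMO tree exists only so the example runs unprivileged.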
Question 8 (continued): Why would you not want your computer to act as a network sniffer?

2.7. Disabling all unneeded services at boot time
Running as few services as possible is one of the basic guidelines for hardening a system. Before you can take this step, you need to determine which services are needed, and then which services are currently enabled on your system. The following command tells you which SysV services are enabled at boot:
chkconfig --list | grep :on
The first column of the output is the name of each service that is currently enabled at boot. Note that Fedora 18 boots with systemd, and chkconfig --list only covers the legacy SysV init scripts; review the native units as well with:
systemctl list-unit-files | grep enabled
Review each listed service to determine whether it can be disabled. If it is appropriate to disable a service srvname, do so with:
chkconfig srvname off
or, for a systemd unit, systemctl disable srvname.service.
Please run the above commands and study the services that are enabled at boot on your system.
Question 9: What are some of the services that are enabled at boot on your system?

2.8. Using a group
Help Desk
Six software engineers are working on a project and create a number of files. They want the files to be accessible (read and write) only by the group members (and root).
Question 10: Sketch an approach to meeting the requirements specified in Help Desk.

Section 3 Bonus (4%)
In order to receive bonus points, pick four (4) items from the security guide and/or hardening benchmark documents [1][2] that you find interesting and that were not included in the previous section. Construct four questions, practice/test them on your computer, and answer the questions in a format similar to that of the previous section. Put your questions and answers in your answer sheet as Bonus Questions. Your questions and answers will be verified and tested during grading.
Four Questions (B01 - B04) of your choice

Survey Questions
Questions in this section will not be graded, but they will make your suggestions and voice heard by your instructor.
GQ 1. What changes would you like to make to this lab?
GQ 2. How much time did you spend finishing this lab?
GQ 3.
Did you learn anything new or gain a better understanding of the class lecture by finishing this lab?
Well, you have completed another lab for this class. I hope you enjoyed doing this lab. Please let me know if you have any comments.

Answer Sheet
========================== Required Questions ===========================
Question 1: Choose one of the Set-UID programs you are interested in. Remove the SUID bit from the program and set proper capabilities on it. Were you able to make it work for a regular user without the SUID bit set? Please test your solution.
a) What program did you choose?
b) Does it work for a regular user without the SUID bit set?
Question 2: What do you need to do to achieve the goals specified in Task 1? Please use screenshots to demonstrate your work and results.
Question 3: What changes would you like to make to the Password aging controls section in the /etc/login.defs file in order to harden your system?
Question 4: Did you get any output from the above commands?
Question 5: Why would you perform the above checks in practice?
Question 6: Did you see any output when running the above command?
Question 7: How many system executables with the setuid or setgid bit set are there on your system? Give the command you would use to obtain this number.
Question 8: Is your system acting as a network sniffer? In what case would you want a computer to function as a sniffer? Why would you not want your computer to act as a network sniffer?
Question 9: What are some of the services that are enabled at boot on your system?
Question 10: Sketch an approach to meeting the requirements specified in Help Desk.
========================= Bonus Questions (4%) ==========================
Four Questions (B01 - B04) of your choice
=========================== Survey Questions ===========================
GQ1. Would you like to make any changes to this lab?
GQ2. How long did it take you to complete this lab?
GQ3.
Did you learn anything new or gain a better understanding of the class lecture by finishing this lab?
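The following script is an added worked example for the Section 2.8 Help Desk (Question 10); it is not part of the lab's own material. It sets up a shared project directory that only members of one group (and root) can read and write, using a dedicated group, a setgid directory with mode 2770, and a matching umask. The names are assumptions: group "devteam", directory /srv/projects/devteam and members dev1 to dev6 do not come from the lab. The root-only steps are guarded, and the demonstration at the bottom runs unprivileged on a temporary directory with the caller's own primary group standing in for the project group.

```shell
#!/bin/sh
# Added example (not from the lab) for the Section 2.8 Help Desk: a shared
# project directory readable and writable only by one group (plus root).
# Assumed names: group "devteam", directory /srv/projects/devteam, members
# dev1..dev6. Root-only steps are guarded so the file also runs unprivileged.

# gid_of GROUP: numeric GID for a group name (a numeric GID passes through)
gid_of() {
    case "$1" in
        *[!0-9]*) getent group "$1" | cut -d: -f3 ;;
        *)        echo "$1" ;;
    esac
}

# make_group_dir DIR: rwx for owner and group, nothing for others, plus the
# setgid bit so files created inside inherit the directory's group rather
# than the creator's primary group
make_group_dir() { chmod 2770 "$1"; }

# setup_project_group GROUP DIR MEMBER... (root only): create the group, enrol
# the members, and create the group-owned setgid directory
setup_project_group() {
    group=$1; dir=$2; shift 2
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    getent group "$group" >/dev/null || groupadd "$group" || return 1
    for u in "$@"; do usermod -aG "$group" "$u" || return 1; done
    mkdir -p "$dir" || return 1
    chown root:"$group" "$dir" || return 1
    make_group_dir "$dir"
}

# fix_group_files DIR GROUP: bring existing files into line, e.g. files created
# before the setgid bit was set or with a permissive umask
fix_group_files() {
    dir=$1; group=$2
    chgrp -R "$group" "$dir" &&
    find "$dir" -type d -exec chmod 2770 {} + &&
    find "$dir" -type f -exec chmod 660 {} +
}

# group_dir_ok DIR GROUP: DIR has mode 2770 and belongs to GROUP
group_dir_ok() {
    [ -d "$1" ] && [ "$(stat -c %a "$1")" = 2770 ] && [ "$(stat -c %g "$1")" = "$(gid_of "$2")" ]
}

# file_private_to_group FILE GROUP: mode 660 (or read-only 640) and group GROUP,
# i.e. readable/writable by members only and invisible to everyone else
file_private_to_group() {
    m=$(stat -c %a "$1") && { [ "$m" = 660 ] || [ "$m" = 640 ]; } && [ "$(stat -c %g "$1")" = "$(gid_of "$2")" ]
}

# Members should also put "umask 007" in their shell start-up file so files
# they create come out as 660 without a manual chmod.

if [ "$(id -u)" -eq 0 ] && [ -n "${PROJECT_MEMBERS:-}" ]; then
    # e.g. PROJECT_MEMBERS="dev1 dev2 dev3 dev4 dev5 dev6" (assumed accounts)
    setup_project_group devteam /srv/projects/devteam $PROJECT_MEMBERS
fi

# Unprivileged demonstration on a temporary directory; the caller's primary
# group (numeric) stands in for "devteam".
DEMO=$(mktemp -d)
MY_GROUP=$(stat -c %g "$DEMO")
make_group_dir "$DEMO"
(umask 007; : > "$DEMO/design.txt")   # created the right way: 660
(umask 022; : > "$DEMO/notes.txt")    # too permissive: 644, others can read
```

Root is not affected by any of this, since it bypasses discretionary permission checks, which satisfies the "including root" part of the request. If members already have files elsewhere, move them in and run fix_group_files once rather than relying on chmod by hand.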