Append only logfiles freebsd/linux

Udgivet den juli 9, 2004 af mike 
Use file attributes to prevent intruders from removing traces of their break-in.

In the course of an intrusion, an attacker will more than likely leave telltale signs of his actions in various system logs. This is a valuable audit trail that should be well protected. Without reliable logs, it can be very difficult to figure out how the attacker got in, or where the attack came from. This information is crucial in analyzing the incident and then responding to it by contacting the appropriate parties involved [Hack #100] . However, if the break-in attempt is successful and the intruder gains root privileges, what's to stop him from removing the traces of his misbehavior?

This is where file attributes come in to save the day (or at least make it a little better). Both Linux and the BSDs have the ability to assign extra attributes to files and directories. This is different from the standard Unix permissions scheme in that the attributes set on a file apply universally to all users of the system, and they affect file accesses at a much deeper level than file permissions or ACLs [Hack #4]. In Linux you can see and modify the attributes that are set for a given file by using the lsattr and chattr commands, respectively. Under the BSDs, ls -lo can be used to view the attributes, and chflags can be used to modify them. At the time of this writing, file attributes in Linux are available only when using the ext2 and ext3 filesystems. There are also kernel patches available for attribute support in XFS and reiserfs.

One useful attribute for protecting log files is append-only. When this attribute is set, the file cannot be deleted, and writes are only allowed to append to the end of the file.

To set the append-only flag under Linux, run this command:

# chattr +a 
filename

Under the BSDs, use this:

# chflags sappnd 
filename

See how the +a attribute works by creating a file and setting its append-only attribute:

# touch /var/log/logfile

# echo "append-only not set" > /var/log/logfile

# chattr +a /var/log/logfile

# echo "append-only set" > /var/log/logfile

bash: /var/log/logfile: Operation not permitted

The second write attempt failed, since it would overwrite the file. However, appending to the end of the file is still permitted:

# echo "appending to file" >> /var/log/logfile

# cat /var/log/logfile

append-only not set

appending to file

Obviously, an intruder who has gained root privileges could realize that file attributes are being used and just remove the append-only flag from our logs by running chattr -a. To prevent this, we need to disable the ability to remove the append-only attribute. To accomplish this under Linux, use its capabilities mechanism. Under the BSDs, use its securelevel facility.

The Linux capabilities model divides up the privileges given to the all-powerful root account and allows you to selectively disable them. In order to prevent a user from removing the append-only attribute from a file, we need to remove the CAP_LINUX_IMMUTABLE capability. When present in the running system, this capability allows the append-only attribute to be modified. To modify the set of capabilities available to the system, we will use a simple utility called lcap (http://packetstormsecurity.org/linux/admin/lcap-0.0.3.tar.bz2).

To unpack and compile the tool, run this command:

# tar xvfj lcap-0.0.3.tar.bz2 && cd lcap-0.0.3 && make

Then, to disallow modification of the append-only flag, run:

# ./lcap CAP_LINUX_IMMUTABLE

# ./lcap CAP_SYS_RAWIO

The first command removes the ability to change the append-only flag, and the second command removes the ability to do raw I/O. This is needed so that the protected files cannot be modified by accessing the block device they reside on. It also prevents access to /dev/mem and /dev/kmem, which would provide a loophole for an intruder to reinstate the CAP_LINUX_IMMUTABLE capability. To remove these capabilities at boot, add the previous two commands to your system startup scripts (e.g., /etc/rc.local). You should ensure that capabilities are removed late in the boot order, to prevent problems with other startup scripts. Once lcap has removed kernel capabilities, they can be reinstated only by rebooting the system.

The BSDs accomplish the same thing through the use of securelevels. The securelevel is a kernel variable that can be set to disallow certain functionality. Raising the securelevel to 1 is functionally the same as removing the two previously discussed Linux capabilities. Once the securelevel has been set to a value greater than 0, it cannot be lowered. By default, OpenBSD will raise the securelevel to 1 when in multiuser mode. In FreeBSD, the securelevel is -1 by default.

To change this behavior, add the following line to /etc/sysctl.conf:

kern.securelevel=1

Before doing this, you should be aware that adding append-only flags to your log files will most likely cause log rotation scripts to fail. However, doing this will greatly enhance the security of your audit trail, which will prove invaluable in the event of an incident.
Udgivet i FreeBSD, Knowledge Base, Linux, Old Base | Skriv en kommentar

Access Control Lists , advanced permisions in linux

Udgivet den juli 9, 2004 af mike 
Most of the time, the traditional Unix file permission system fits the bill just fine. But in a highly collaborative environment with multiple people needing access to files, this scheme can become unwieldy. Access control lists, otherwise known as ACLs (pronounced to rhyme with "hackles"), are a feature that is relatively new to the Linux operating system, but has been available in FreeBSD and Solaris for some time. While ACLs do not inherently add "more security" to a system, they do reduce the complexity of managing permissions. ACLs provide new ways to apply file and directory permissions without resorting to the creation of unnecessary groups.

ACLs are stored as extended attributes within the filesystem metadata. As the name implies, they allow you to define lists that either grant or deny access to a given file based on the criteria you provide. However, ACLs do not abandon the traditional permission system completely. ACLs may be specified for both users and groups and are still separated into the realms of read, write, and execute access. In addition, a control list may be defined for any user or group that does not correspond to any of the user or group ACLs, much like the "other" mode bits of a file. Access control lists also have what is called an ACL mask, which acts as a permission mask for all ACLs that specifically mention a user and a group. This is similar to a umask, but not quite the same. For instance, if you set the ACL mask to r--, any ACLs that pertain to a specific user or group and are looser in permissions (e.g., rw-) will effectively become r--. Directories also may contain a default ACL, which specifies the initial ACLs of files and subdirectories created within them.

To modify or remove ACLs, use the setfacl command. To modify an ACL, the -m option is used, followed by an ACL specification and a filename or list of filenames. You can delete an ACL by using the -x option and specifying an ACL or list of ACLs.

There are three general forms of an ACL: one for users, another for groups, and one for others. Let's look at them here:

# User ACL

u:[user]:<mode>

# Group ACL

g:[group]:<mode>

# Other ACL

o:<mode>

Notice that in the user and group ACLs, the actual user and group names that the ACL applies to are optional. If these are omitted, it means that the ACL will apply to the base ACL, which is derived from the file's mode bits. Thus, if you modify these, the mode bits will be modified and vice versa.

See for yourself by creating a file and then modifying its base ACL:

$ touch myfile

$ ls -l myfile

-rw-rw-r--    1 andrew   andrew          0 Oct 13 15:57 myfile

$ setfacl -m u::---,g::---,o:--- myfile

$ ls -l myfile

----------    1 andrew   andrew          0 Oct 13 15:57 myfile

From this example, you can also see that multiple ACLs can be listed by separating them with commas.

You can also specify ACLs for an arbitrary number of groups or users:

$ touch foo

$ setfacl -m u:jlope:rwx,g:wine:rwx ,o:--- foo

$ getfacl foo

# file: foo

# owner: andrew

# group: andrew

user::rw-

user:jlope:rwx

group::---

group:wine:rwx

mask::rwx

other::---

Now if you changed the mask to r--, the ACLs for jlope and wine would effectively become r-- as well:

$ setfacl -m m:r-- foo

$ getfacl foo

# file: foo

# owner: andrew

# group: andrew

user::rw-

user:jlope:rwx                  #effective:r--

group::---

group:wine:rwx                  #effective:r--

mask::r--

other::---

As mentioned earlier, directories can have default ACLs that will automatically be applied to files that are created within the directory. Default ACLs are set by prepending a d: to the ACL that you want to set:

$ mkdir mydir

$ setfacl -m d:u:jlope:rwx mydir

$ getfacl mydir

# file: mydir

# owner: andrew

# group: andrew

user::rwx

group::---

other::---

default:user::rwx

default:user:jlope:rwx

default:group::---

default:mask::rwx

default:other::---



$ touch mydir/bar

$ getfacl mydir/bar

# file: mydir/bar

# owner: andrew

# group: andrew

user::rw-

user:jlope:rwx                  #effective:rw-

group::---

mask::rw-

other::---

As you may have noticed from the previous examples, you can list ACLs by using the getfacl command. This command is pretty straightforward and has only a few options. The most useful is the -R option, which allows you to list ACLs recursively and works very much like ls -R.
Udgivet i Knowledge Base, Old Base | Skriv en kommentar

Loosy dir permisions and sticky bit

Udgivet den juli 9, 2004 af mike 
# find / -type d \( -perm -g+w -o -perm -o+w \) -exec ls -lad {} \;

Any directories that are listed in the output should have the sticky bit set, which is denoted by a t in the directory's permission bits. A world-writable directory with the sticky bit set ensures that even though anyone may create files in the directory, they may not delete or modify another user's files. If you see a directory in the output that does not contain a sticky bit, consider whether it really needs to be world-writable or whether the use of groups or ACLs [Hack #4] will work better for your situation. If you really do need the directory to be world-writable, set the sticky bit on it using chmod +t.

To get a list of the directories that don't have their sticky bit set, run this:

# find / -type d \( -perm -g+w -o -perm -o+w \) \

  -not -perm -a+t -exec ls -lad {} \;

If you're using a system that creates a unique group for each user (e.g., you create a user andrew, which in turn creates a group andrew as the primary group), you may want to modify the commands to not scan for group-writable directories. (Otherwise, you will get a lot of output that really isn't pertinent.) To do this, run the command without the -perm -g+w portion.
Udgivet i Knowledge Base, Linux, Old Base | Skriv en kommentar

Scan for SUID and SGID programs

Udgivet den juli 9, 2004 af mike 
Unfortunately, a poorly written SUID or SGID binary can be used to quickly and easily escalate a user's privileges. Also, an attacker who has already gained root access may hide SUID binaries throughout your system in order to leave a backdoor for future access. This leads us to the need for scanning systems for SUID and SGID binaries. This is a simple process and can be done with the following command:

# find / \( -perm -4000 -o -perm -2000 \) -type f -exec ls -la {} \;

One important thing to consider is whether an SUID program is in fact a shell script rather than an executable, since it's trivial for someone to change an otherwise innocuous script into a backdoor. Most operating systems will ignore any SUID or SGID bits on a shell script, but if you want to find all SUID or SGID scripts on a system, change the argument to the -exec option in the last command and add a pipe so that the command reads:

# find / \( -perm -4000 -o -perm -2000 \) \

  -type f -exec file {} \; | grep -v ELF

Now every time an SUID or SGID file is encountered, the file command will run and determine what type of file is being examined. If it's an executable, grep will filter it out; otherwise, it will be printed to the screen with some information about what kind of file it is. Most operating systems use ELF-format executables, but if you're running an operating system that doesn't (older versions of Linux used a.out, and AIX uses XCOFF), you'll need to replace the ELF in the previous grep command with the binary format used by your operating system and architecture. If you're unsure of what to look for, run the file command on any binary executable, and it will report the string you're looking for.
Udgivet i Knowledge Base, Old Base | Skriv en kommentar

Secure mount points

Udgivet den juli 9, 2004 af mike 
A mount option is a flag that controls how the filesystem may be accessed. It is passed to the operating system kernel's code when the filesystem is brought online. Mount options can be used to prevent files from being interpreted as device nodes, to disallow  binaries from being executed, and to disallow the SUID bit from taking affect (by using the nodev, noexec, and nosuid flags). Filesystems can also be mounted read-only with the ro option.

These options are specified from the command line by running mount with the -o flag. For example, if you have a separate partition for /tmp that is on the third partition of your first IDE hard disk, you can mount with the nodev, noexec, and nosuid flags, which are enabled by running the following command:

# mount -o nodev,noexec,nosuid /dev/hda3 /tmp

An equivalent entry in your /etc/fstab would look something like this:

/dev/hda3    /tmp    ext3    defaults,nodev,noexec,nosuid    1 2
Udgivet i Knowledge Base, Linux, Old Base | Skriv en kommentar

Using Vim Editor

Udgivet den juli 9, 2004 af Brian Lund Klint 
Coding in Vim: Vim is a great coder interface, remember cmd's can be added to ~/.vimrc
:syntax on       : enable syntax highlighting on many types og source
:set autoindent  : Autoindent 
:set cindent     : Automatic indent for c source
:set smartindent : Things should be smarter, dunno how/why or when

auto indenting code : 
Visual block code, go to top type a, press page dow to select all code and press "="


Multi Windowing: Very powerfull feature of this briliant editor.

CTRL-W s , splitter vinduet
:split /etc/passwd , editere /etc/passwd i nyt vindue
CTRL-W n , eller :new , nyt vindue
CTRL-W c , eller :cl[ose] , skjul og luk vindue
CTRL-W o , eller :on[ly] , kun vis aktuel vindue
CTRL-W j , flyt til vindue nedenunder
CTRL-W k , flyt til vindue ovenover
CTRL-W CTRL-W , eller CTRL-W w , skift vindue
CTRL-W r , byt om med nedre vindue
CTRL-W R , byt om med oevre vindue
CTRL-W = , alle vinduer lige hoeje
CTRL-W + , goer aktuel vindue stoerer
CTRL-W - , goer akutel vindue mindre

Code folding (thanks to BT)

first hilite the code you're going to fold. use 'zf' and a movement descriptor
eg: to make a folding block of 10 lines, type 'zf 9 down'

now the fold is created and is folded, to unfold go to the folded line, and type 'zo' to open it

the fold stays in memory, to refold it, type 'zc'
Udgivet i Knowledge Base, Vim | Skriv en kommentar

sparc console cable and other cables

Udgivet den juli 8, 2004 af black 
ethernet kabler:
http://www.ertyu.org/~steven_nikkel/ethernetcables.html

diverse console kabler
http://www.pitt.edu/~bdgregg/Cable_Wireing.html

sparc console kabel:
fra PC til sparc
fra lille 9 pins hun til stort 25 pins han
fra	til
1	8
2	2
3	3
4	20
5	7
6	6
7	4
8	5
9	22

Std modem kabel:
fra pc til modem
fra lille 9 pins hun til stort 25 pins han
fra	til
1	8
2	3
3	2
4	20
5	7
6	6
7	4
8	5
9	22
Udgivet i Knowledge Base, Old Base, Sparc | Skriv en kommentar

how to make hotplug on slackware not plug in pci

Udgivet den juli 6, 2004 af black 
just remove the file /etc/hotplug/pci.rc
  mv /etc/hotplug/pci.rc /etc/hotplug/pci.rc.old
(the script only looks for *.rc)

should also work with pcmcia =D
Udgivet i Knowledge Base, Linux, Old Base | Skriv en kommentar

bt keder sig meget

Udgivet den juli 6, 2004 af black 
eject /mnt/cdrom/ && sleep 5 && mount /mnt/cdrom/ && installpkg /mnt/cdrom/slackware/n/tcpdump-3.8.3-i486-2.tgz && eject /mnt/cdrom
Udgivet i Humor, Knowledge Base, Old Base, Shellscript | Skriv en kommentar

Set up IPSEC in openbsd

Udgivet den juli 4, 2004 af mike

Use IPsec the OpenBSD way.

Setting up IPsec in OpenBSD is fairly easy since it’s compiled into the kernel that ships with each release and is enabled by default. All that is left to do is to create the appropriate /etc/isakmpd/isakmpd.conf and /etc/isakmpd/isakmpd.policy files and start isakmpd (the IPsec key-management daemon). This may sound daunting, but OpenBSD’s outstanding documentation and example configuration files make it easier.

First of all, you’ll need to put something similar to this in your /etc/isakmpd/isakmpd.policy:

KeyNote-Version: 2

Authorizer: “POLICY”

Licensees: “passphrase:mypassword”

Conditions: app_domain == “IPsec policy” &&

esp_present == “yes” &&

esp_enc_alg == “aes” &&

esp_auth_alg == “hmac-sha” -> “true”;

This sets a password to use for the IPsec connection.

Now you’ll need to edit your /etc/isakmpd/isakmpd.conf to contain the following:

[General]

Listen-on= 192.168.1.1

Shared-SADB= Defined

[Phase 1]

Default= ISAKMP-peer-remote

#Default= ISAKMP-peer-remote-aggressive

[Phase 2]

Passive-Connections=IPsec-local-remote

[ISAKMP-peer-remote]

Phase= 1

Transport= udp

Local-address= 192.168.1.1

Configuration= Default-main-mode

Authentication= mypassword

[ISAKMP-peer-remote-aggressive]

Phase= 1

Transport= udp

Local-address= 192.168.1.1

Configuration= Default-aggressive-mode

Authentication= mypassword

[IPsec-local-remote]

Phase= 2

ISAKMP-peer= ISAKMP-peer-remote

Configuration= Default-quick-mode

Local-ID= Net-local

Remote-ID= Net-remote

[Net-remote]

ID-type= IPV4_ADDR

Address= 0.0.0.0

[Net-local]

ID-type= IPV4_ADDR

Address= 0.0.0.0

[Default-main-mode]

DOI= IPSEC

EXCHANGE_TYPE= ID_PROT

Transforms= 3DES-SHA

[Default-aggressive-mode]

DOI= IPSEC

EXCHANGE_TYPE= AGGRESSIVE

Transforms= 3DES-SHA-RSA

[Default-quick-mode]

DOI= IPSEC

EXCHANGE_TYPE= QUICK_MODE

Suites= QM-ESP-AES-SHA-PFS-SUITE

This configuration will allow anyone to connect with the password mypassword.

After you’ve edited the configuration files, you can start isakmpd by running this command:

# /sbin/isakmpd

To have isakmpd start up with each system boot, you should edit your /etc/rc.conf.local (or create one if it doesn’t exist) and put the following line in it:

isakmpd_flags=””

That should do it. As usual, check your system logs if your tunnel has trouble connecting.

Udgivet i Knowledge Base, Networking, Old Base, OpenBSD | Skriv en kommentar