UNIX SECURITY

UNIX has taken the industry by storm in recent years. UNIX's popularity is a result of its ability to provide a true multiprocessing, multitasking operating environment for today's applications. In addition, UNIX is a scalable operating system that runs on everything from a mainframe to a personal computer. This scalability has led, and will continue to lead, to further selections of UNIX for future applications in the Client/Server environment. Finally, UNIX runs extremely well on the RISC technology of today. Reduced Instruction Set Computing (RISC) currently supports symmetrical processing and reduced instruction code. UNIX is one of the few operating systems that takes advantage of this technology. Given all of these reasons, and given that organizations are trying to downsize to take advantage of the power of smaller computers, the result is the growth in UNIX.

UNIX, for all its good points, is still an operating system that needs security. For that reason this article addresses ten risk areas that require review.

We need to review a couple of rules about UNIX. First, UNIX is case sensitive. All commands are in lower case, whereas files and directories could be upper case, lower case, or a combination of both. Second, UNIX has a hierarchical file system. The top directory is the root directory, and the slash leans forward within UNIX, so the root directory is simply a forward slash, "/". Under the root directory there are several system subdirectories. These include the following:

/bin    This directory has all the system commands within UNIX
/usr    This directory has all the user accounts, specifically their home directories
/tmp    This directory is used to sort files and compile programs temporarily
/dev    This directory is used to define all the devices that will be attached to the UNIX machine
/etc    This directory is used to define many files that relate to security and control

In order to audit or secure UNIX, the reviewer will need to learn five UNIX commands.
They are as follows:

ls      The ls command will list a directory or file and provide a list of security permissions
cat     The cat command will list the contents of a file
who     The who command will list the contents of a binary log file
find    The find command will search for users, permissions, and files and list them out for review
grep    The grep command will scan a file with a pattern search

These commands and files are described within this article where appropriate. Now let's look at the various risk categories.

1. Administration Risk

Within the UNIX environment the administration of the system configuration and the security configuration are paramount. With UNIX, a knowledgeable administrator is mandatory to maintain an effective and secured environment. This can be accomplished in two ways. The first is to assign a UNIX administrator to each UNIX machine. The second is to set up a UNIX support group that is responsible for the actual operating configuration and the security and control of each machine. It should be obvious that the second approach provides the best benefits to the organization. The first approach results in one individual who is responsible for all UNIX system activity, including configuration, security, change control, violation reporting reviews, and quality assurance. Successful implementation of the second approach would allow the organization to maximize the talent of a central pool while decreasing the training and problem resolution costs that accompany a distributed implementation. In addition, change control, security, and the other responsibilities mentioned above could be separated within the group and reviewed by competent personnel. The user group would still be responsible for the application layer security, but all of the operating system configuration parameters would reside with the central group.
Additional dynamic security controls could be installed on each machine to certify that the security and control features installed have not been altered once in the field. With the power of today's networks, including network management agents such as Simple Network Management Protocol (SNMP), which runs under the UNIX protocol of Transmission Control Protocol/Internet Protocol (TCP/IP), one could design an effective monitoring system for many UNIX installations throughout the organization.

Auditing, Security, and System Administration should work together to set up the dynamic controls based on the risks defined within this article. However, auditing and security still must perform periodic audits and reviews to ensure that the specific system is secure and that the dynamic routines are still operating effectively.

Finally, it is important to note that most UNIX environments do not allow for the separation of system administration versus security administration. This fact should be addressed by purchasing a third party product that divides the function of the all-encompassing system administration authority. This authority within the UNIX environment is called root. Root is the user whose userid (uid) is equal to "0". Several products are on the market to provide this separation. One such product is "Wizdom" from Tivoli Systems Inc. of Austin, Texas.

2. Authentication Risk

All users within the UNIX environment must be established within the /etc directory in a file called passwd. The full path definition would be /etc/passwd. The passwd file has at least one entry for each user.

To obtain a listing of the passwd file you can issue the following commands:

    $ cd /etc        This command moves you to the etc directory, which holds the UNIX passwd file
    $ cat passwd     This command lists out the contents of the passwd file
Each entry in the passwd file looks like the following:

    root:fi3sed95ibgr6:0:1:System Administrator:/:/bin/sh

Let's break down each parameter of this entry. The parameters are separated by colons:

root = user name
password = the encrypted password string for this account
0 = the uid
1 = the gid, the primary group to which this user belongs
System Administrator = account information/description
/ = the directory where this user will be placed after signing on to the system
/bin/sh = the program that will be executed after the user is signed on to the system

From a security point of view this is not a secured version of UNIX, as the second parameter, the encrypted password string, is readable by everyone. This is true within UNIX because the permission levels on the passwd file have to grant read to everyone so that users can sign on to the system. This would allow a user to copy off the password file and try to hack it by guessing a user's password and comparing their encrypted version to the actual encrypted version in the passwd file. In order to eliminate this exposure, the UNIX system should be converted to a C2 implementation that removes the encrypted password string from the primary passwd file and places it in a secondary file, also called a shadow or security file. By placing the encrypted password string in a secondary file, nobody on the system except for root can read it.

Secondly, most users should not start off using a program called /bin/sh. This program is called a shell program and is really the user's system interface program. This program provides the user with the capability to execute UNIX commands. UNIX has hundreds of commands with many options. It is safer from a security standpoint to place the user right into an application system so they do not realize that they are on a UNIX system. To them it looks like a normal application. Since UNIX is difficult to secure, it is much easier if most of the users cannot navigate using UNIX commands.
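The checks this section calls for (a readable password string, an account with no password, a user who starts in a shell) can be run mechanically over a passwd-format file. The script below is an added example, not part of the original article; the function names, finding codes and the guest and maint accounts are constructed for illustration, and flagging extra uid 0 accounts is an extension of the article's definition of root.

```shell
#!/bin/sh
# Added example: check passwd-format entries against the review points above.

# Constructed sample (not real accounts); the first line is the article's root entry.
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:fi3sed95ibgr6:0:1:System Administrator:/:/bin/sh
frank:*:22:35:local user:/usr/frank:/lib/pay
guest::30:40:guest account:/usr/guest:/bin/csh
maint:*:0:1:maintenance:/:/bin/ksh
EOF
}

# audit_passwd FILE -> one finding per line: "<CODE> <user> [detail]"
audit_passwd() {
    awk -F: '
        NF != 7 { print "MALFORMED " $1; next }
        # Empty second field: the account can be used without a password.
        $2 == "" { print "NOPASSWORD " $1 }
        # 13 or more characters is a stored hash, not a "*" or "x" placeholder,
        # so the string is readable by every user who can read this file.
        length($2) >= 13 { print "HASH_EXPOSED " $1 }
        # Any account with uid 0 has root authority, whatever its name.
        $3 == 0 && $1 != "root" { print "EXTRA_UID0 " $1 }
        {
            # An empty seventh field means the default shell, /bin/sh.
            start = ($7 == "") ? "/bin/sh" : $7
            # Shell programs listed in the article: sh, csh, ksh, rsh, tsh.
            if (start ~ "/(sh|csh|ksh|rsh|tsh)$")
                print "SHELL_ACCESS " $1 " " start
        }
    ' "$1"
}

# Demo run on the constructed sample; on a real system: audit_passwd /etc/passwd
sample=$(mktemp) && write_sample_passwd "$sample" && audit_passwd "$sample"
rm -f "$sample"
```

An entry such as frank's, with a placeholder in the second field and an application as the start-up program, produces no finding.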
The entry in the password file with both of these options for a user frank would look like:

    frank:*:22:35:local user:/usr/frank:/lib/pay

The user is frank
The * indicates that the passwd file has a shadow or C2 implementation
The uid is 22
The gid is 35
The description is local user
The start up directory is /usr/frank
The start up program is in the lib directory and is the pay program that will start an application menu

There are different types of shell programs. You have the option on your systems to use the one best suited for your environment. The types of shell programs are:

sh = Bourne shell
csh = C shell
ksh = Korn shell
rsh = Restricted shell
tsh = Trusted shell

All of these do allow a user to interface with UNIX and issue commands.

In review, then, it is important to ensure that all accounts have a password, that the password is stored in a shadow file that is readable only by root, and that all passwords are constructed with rules that force some alpha and numeric characters and a sufficient length. Users that do not need to use operating system commands should be placed directly into an application menu to reduce the level of training and errors and to help secure the overall environment.

3. File Level Permissions Risk

UNIX treats everything as a file. This means that a directory is a file, a terminal is a file, a disk is a file, and a file is of course a file. When a file is created in UNIX, a header file called an inode is created. The inode has many entries of value from both an operational and a security aspect. The inode is the file identifier. Its contents are as follows:

inode number
file type
access rights
number of references to a file or, if a directory, the number of subdirectories
owner of the file
group that has access
length in bytes
pointers to the actual data blocks
time of last access
time of last modification
time of creation
file name

When you zero out the inode number you have effectively removed any pointers to the physical data.
The way that you can identify file types is by the leading character of the file listing. A file listing of the inode information is obtained by entering the following command:

    # ls -l

This is the list command, and the results of the command look like the following:

    -rwxr-xr-- 1 frank audit 345 Jan 28 15:45 trace

The possible leading characters are as follows:

-    a data or program file
d    a directory
c    character file
b    block file
l    symbolic link
p    pipe file

The second set of characters indicates the current permission levels for this file. The first three characters (rwx) represent the permissions for the file owner, who in this example is frank. The second set of characters (r-x) represents the permissions for the audit group. The third set of characters (r--) represents the permissions for anyone else that can sign on to this UNIX environment. The rest of the information from the ls command indicates the size of the file, the last modification date, and the name of the file, "trace".

All commands within UNIX have options. The ls command is no exception. By supplying different options you could obtain all of the inode information. Some examples of the options for the ls command are as follows:

ls -l     displays the inode information with the last modification date (mtime)
ls -lu    displays the inode information with the last access time (atime)
ls -lc    displays the inode information with the last change time (ctime)

These dates have a lot of value, but you should be warned that someone with the right authority could change any or all of these dates to hide some suspicious activity.

Permissions in UNIX have the following meaning:

For a File:

r = read       To read or copy a file
w = write      To write, delete, and update a file (must also have read or it only allows you to append to the file)
x = execute    To execute a program

For a Directory:

r = read       To list (ls) the names of the files and other directories. Cannot perform an ls -l or long list unless the user also has execute authority
w = write      To add, rename, remove (use of mv and rm commands) files or directories
x = execute    To search the directory (required for use of a cd command)

File permissions could be established by using an octal interpretation. By using the chmod command, the owner of the file or root (superuser) could change the access permissions to a file as follows:

r = 4
w = 2
x = 1

By combining the values for each permission, an owner or root could change the permissions for owner, group, and other. For example:

    $ ls -l trace
    -rwxr-xr-- 1 frank audit 345 Jan 28 15:45 trace
    $ chmod 775 trace
    $ ls -l trace
    -rwxrwxr-x 1 frank audit 345 Jan 28 15:45 trace

The first 7 pertains to the owner. The second 7 pertains to the group. And the 5 pertains to other authorities. The chmod command could use any combination of numbers to define the authorities for owner, group, and other.

Using this octal interpretation, the system can be set up to have default permission values for any file that is created by any user. These default permissions are defined in a variable called umask. The umask value can be established in a couple of locations within the system, and these will be discussed later in this article. How the umask value works is of greater interest at present. The umask value as defined must be subtracted from the full permission values to determine the default permission values when a file is created. For example:

umask 027 represents a default permission value of 750; just subtract the umask value from 777

In this example the default permission on the file would be rwx for owner, r-x for group, and --- (no access) for other.

The more advanced UNIX implementations also have a permission type called ACL or access control list.
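The umask rule described above can be checked directly by creating objects under a given umask and reading their modes back. The script below is an added example, not part of the original article; the function names are hypothetical. It also shows a case the 777 arithmetic does not cover: the system clears the umask bits from whatever mode the creating program requests, and most programs request 666 rather than 777 for an ordinary file, so under umask 027 a new directory is 750 while a new data file is 640.

```shell
#!/bin/sh
# Added example: how a umask turns into the default mode of new files and directories.

# mode_to_octal "-rwxr-x---" -> 750, using the article's values r=4, w=2, x=1
mode_to_octal() {
    printf '%s\n' "$1" | awk '{
        out = ""
        for (i = 0; i < 3; i++) {                    # owner, group, other
            t = substr($0, 2 + 3 * i, 3); v = 0
            if (substr(t, 1, 1) == "r") v += 4
            if (substr(t, 2, 1) == "w") v += 2
            if (substr(t, 3, 1) ~ /[xst]/) v += 1    # s and t also imply x
            out = out v
        }
        print out
    }'
}

# created_mode UMASK file|dir -> octal mode of an object created under that umask
created_mode() {
    (                                   # subshell: the umask change stays local
        d=$(mktemp -d) || exit 1
        umask "$1"
        if [ "$2" = dir ]; then
            mkdir "$d/new"              # mkdir requests 777
        else
            : > "$d/new"                # shell redirection requests 666
        fi
        mode_to_octal "$(ls -ld "$d/new" | cut -c1-10)"
        rm -rf "$d"
    )
}

# Demo with the article's umask 027
echo "umask 027 directory: $(created_mode 027 dir)"
echo "umask 027 file:      $(created_mode 027 file)"
```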
This ACL can be used to identify individual users or groups, other than the original owner or group attached to the file, who need direct read, write, or execute authority into the file. These users would effectively be added to the other category as discrete users based on their ACL entry.

4. User Initialization Risk

UNIX has several initialization routines that it goes through to bring a user onto the system. The key files are called profile and .profile. The first file, profile, is located in the /etc directory. There is only one file called profile in this directory. The second file, .profile, is located in each user's home directory. What makes these files similar is that as a user signs onto the system, each of these files is executed to help establish the user environment. For example, the umask value could be defined in the /etc/profile file, and that value would be retained for each user signing onto the system. The key parameters within each of these files would be:

PATH
TERM
umask

5. System Initialization Risk

UNIX, like all operating systems, must initialize itself when booting up. Key files during this initialization process allow the operating system to establish an operational environment. All of these initialization files are owned by root and run with root authority. Each of these files should be properly protected from unauthorized access. Otherwise someone could, for example, place a program to execute a remote connection to the Internet or to add an entry to the local password files. Therefore the audit step would be to verify the permission levels on all initialization files and to verify that only authorized programs are executed during the startup process.

The key initialization file is "inittab" under the /etc directory. This file looks like the following:

    cron:2:respawn:/etc/cron
    Label Level Action Program

Label is the label of the entry and only has meaning based on how descriptive it is.
Level pertains to when this entry will be executed. The Level refers to the operating system levels. The UNIX operating system runs at different levels (0 through 6, with user defined levels of 7 through 9). Each of these levels results from the current status of the operating system, such as single user mode of level 0 or multi-user mode of level 2. During the execution of a specific level, the initialization process reviews the "inittab" and executes any entry that equals that operating system level.

Action allows the entry to act accordingly. For example, respawn means that the process will be executed and, when terminated, it will be executed again. Some of the other entries include:

Wait = Wait until this program process is completed
Off = Do not execute this program
Once = Execute this program only once

The program entry itself identifies the actual program that will be executed. This program should be a certified program. In addition, this program should be properly protected from unauthorized access in the directory or file where it is stored. Notice that the full path call is used to identify where the program is stored, to ensure that the correct program is identified and executed. It is also important to identify any other programs that are called from this original program during the initialization process. What this means is that any program that calls another during this initialization process could compromise the system if it can be modified by an unauthorized user. Remember these programs run with root authority and therefore have the opportunity to perform an
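The audit step for section 5 (verify the permission levels on what inittab runs, and that each entry names its program by full path) can be scripted. The script below is an added example, not part of the original article; the function names, finding codes and sample entries are constructed for illustration, and the stand-in programs live in a scratch directory so the script runs without touching a real /etc.

```shell
#!/bin/sh
# Added example: audit the program field of inittab entries (label:level:action:program).

# go_writable PATH -> succeeds if group or other has write permission on PATH
go_writable() {
    case $(ls -ld "$1" | cut -c1-10) in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# audit_inittab FILE -> one finding per line: "<CODE> <label> <program>"
audit_inittab() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" |
    while IFS=: read -r label level action prog; do
        [ "$action" = off ] && continue                      # off entries never run
        prog=$(printf '%s\n' "$prog" | awk '{ print $1 }')   # drop arguments
        case $prog in
            /*) ;;
            *)  echo "NOT_FULL_PATH $label $prog"; continue ;;
        esac
        [ -e "$prog" ] || { echo "MISSING $label $prog"; continue; }
        if go_writable "$prog"; then echo "WRITABLE $label $prog"; fi
        if go_writable "$(dirname "$prog")"; then echo "DIR_WRITABLE $label $prog"; fi
    done
}

# Constructed sample: an inittab plus stand-in programs under a scratch directory.
make_sample() {
    mkdir "$1/etc"
    : > "$1/etc/cron";  chmod 755 "$1/etc/cron"
    : > "$1/etc/getty"; chmod 777 "$1/etc/getty"             # deliberately too open
    chmod 755 "$1/etc"
    cat > "$1/inittab" <<EOF
# label:level:action:program
cron:2:respawn:$1/etc/cron
tty1:2:respawn:$1/etc/getty console
net:2:once:startnet
old:2:off:$1/etc/gone
bk:2:wait:$1/etc/gone
EOF
}

# Demo; on a real system: audit_inittab /etc/inittab
d=$(mktemp -d) && make_sample "$d" && audit_inittab "$d/inittab"
rm -rf "$d"
```

The script looks only at the programs inittab names directly; any program those programs call in turn needs the same check.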
