Agenda: host-security-exercises.txt

File host-security-exercises.txt, 5.7 KB (added by admin, 7 years ago)
Host Security Exercises
-----------------------

I.  System Services

In this section we'll be using some of the commands that are used to
monitor a running system.  Unix Systems Administrators use these
commands every day.  Remember to use the manual pages if you need
to check the options and syntax of commands:

        % man ps
        % man netstat

( the manpages below will not be there until you install the utilities )

        % man lsof
        % man nmap
        % man last
        % man acct

You need to know how to stop and start services.

a) service

        1. Start a webserver on your system.  Verify that the
        service is running using: 1) ps 2) lsof 3) nmap

        % sudo apt-get install apache2

Did the webserver start up after install?
If you open a browser, can you connect to: http://pcXX.ws.nsrc.org

        2. Stop the service

        % sudo service apache2 stop

Try the browser test again.  Can you connect?

        3. Start the service again

        % sudo service apache2 start

Now, instead of using a browser, let's verify that the service
is running using all of our tools: ps, lsof, netstat, and nmap

* INSTALL THE nmap and lsof PACKAGES! *

        % sudo apt-get install nmap
        % sudo apt-get install lsof

Now let's see what is running on the system:

        % ps -af | grep apache2

        % netstat -apt

        % netstat -lpt                          # is the webserver running???

        % netstat -lnpt  ( what is different on this command )

        % nmap localhost                        # is the webserver running???

        % sudo lsof | grep apache2

        % sudo lsof | grep apache2 | grep TCP   # is the webserver running???

Now, stop the service again.

        4. Stop the service again

        % sudo service apache2 stop

        Now run your different commands for looking at the system again.

        % ps -af | grep apache2
        % netstat -lpt
        % nmap localhost
        % sudo lsof | grep apache2

        Did you see anything running?

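To make sense of what those commands are telling you, here is an added example (it is not part of the original exercise sheet) that picks the listener for a given port out of netstat -lnpt style output with a small shell function. The sample listing is constructed to look like a host running apache2, cupsd and sshd; it is not captured from a workshop machine. The function names listener_on and exposure are this example's own.

```shell
#!/bin/sh
# Added example: pick the listener for a given port out of `netstat -lnpt` output.
# The -n flag matters when scripting: without it netstat prints "http" and
# "localhost" instead of "80" and "127.0.0.1", and name lookups can stall.

# Constructed sample in the layout `netstat -lnpt` prints (not a real capture).
# The PID/Program column is only filled in when netstat runs as root.
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/apache2
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      800/cupsd
tcp6       0      0 :::22                   :::*                    LISTEN      700/sshd
EOF
}

# listener_on PORT: read netstat output on stdin and print "BIND PROGRAM" for
# each LISTEN socket on PORT.  Exit 0 if one was found, 1 otherwise.
listener_on() {
  awk -v port="$1" '
    $1 ~ /^tcp/ && $6 == "LISTEN" {
      n = split($4, a, ":")                       # port is the text after the last ":"
      if (a[n] == port) {
        bind = substr($4, 1, length($4) - length(port) - 1)
        split($7, prog, "/")                      # "1234/apache2" -> "apache2"
        print bind " " prog[2]
        found = 1
      }
    }
    END { exit found ? 0 : 1 }'
}

# exposure BIND: say who can reach a socket bound to BIND.
exposure() {
  case "$1" in
    127.*|::1)  echo loopback-only ;;
    0.0.0.0|::) echo all-interfaces ;;
    *)          echo "$1" ;;
  esac
}

# Usage: run the check against the constructed sample.  On a real host pipe
# `sudo netstat -lnpt` into listener_on instead.
if l=$(sample_netstat | listener_on 80); then
  set -- $l
  echo "port 80: $2 listening on $1 ($(exposure "$1"))"
else
  echo "port 80: nothing listening"
fi
```

The bind address is the part worth reading, not just the port: a service on 127.0.0.1 is reachable only from the host itself, while 0.0.0.0 or :: means every interface, which is what the nmap step from another machine would confirm.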
b) update-rc.d

Now, let's make sure that we have all of the systems in place
so that if the machine is rebooted, we know whether or not the
apache2 service is going to be started.

1. see what is there now

        % ls /etc/init.d

        % ls /etc/rc3.d

        % ls /etc/rc5.d

Are the apache startup files in the system?
That is, do you see files named: /etc/rc3.d/SXXapache2
or named /etc/rc5.d/SXXapache2 ???

2. let's say we do *NOT* want apache2 to run at startup.
Let's disable the service using the "update-rc.d" command:

        % sudo service apache2 stop

        % sudo update-rc.d apache2 disable

Now let's look at those directories again.
Do we have any startup files in /etc/rc?.d/S*apache* ???

        % ls /etc/init.d
        % ls /etc/rc3.d
        % ls /etc/rc5.d

Take a look at rc3.d and rc5.d directories.
What other scripts run in rc3.d ???

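The question "will apache2 start at boot?" can be answered from the runlevel links alone, which is what the ls commands above show. The following is an added example, not part of the exercise sheet: it builds a throw-away copy of the init.d/rc?.d layout in a temporary directory (constructed, so nothing on the real host is touched), checks it for S links, and then mimics what update-rc.d disable does on Debian and Ubuntu, which is to rename each SNN link to a KMM link with MM = 100 - NN. The functions make_fixture, starts_at_boot and disable_service are this example's own.

```shell
#!/bin/sh
# Added example: decide from the SysV runlevel links whether a service starts at
# boot.  A link named SNNname in rc2.d..rc5.d means "start at that runlevel";
# KNNname means "stop".  The tree below is constructed, not /etc.

make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/init.d" "$root/rc2.d" "$root/rc3.d" "$root/rc5.d"
  printf '#!/bin/sh\necho apache2 init script\n' > "$root/init.d/apache2"
  for lvl in 2 3 5; do
    ln -s ../init.d/apache2 "$root/rc$lvl.d/S91apache2"
  done
  echo "$root"
}

# starts_at_boot ROOT SERVICE: exit 0 if any multi-user runlevel has an S link.
starts_at_boot() {
  for f in "$1"/rc[2-5].d/S[0-9][0-9]"$2"; do
    [ -e "$f" ] && return 0
  done
  return 1
}

# disable_service ROOT SERVICE: mimic `update-rc.d SERVICE disable`, which
# renames each SNN link to a KMM link with MM = 100 - NN, so the stop action
# runs at that runlevel instead of the start action.
disable_service() {
  for f in "$1"/rc[2-5].d/S[0-9][0-9]"$2"; do
    [ -e "$f" ] || continue
    name=$(basename "$f")
    seq=${name#S}; seq=${seq%"$2"}; seq=${seq#0}   # "S91apache2" -> 91, "S08x" -> 8
    mv "$f" "$(dirname "$f")/$(printf 'K%02d%s' $((100 - seq)) "$2")"
  done
}

# Usage against the constructed tree:
root=$(make_fixture)
starts_at_boot "$root" apache2 && echo "apache2 starts at boot"
disable_service "$root" apache2
starts_at_boot "$root" apache2 || echo "apache2 now disabled, rc3.d holds: $(ls "$root/rc3.d")"
rm -rf "$root"
```

Run starts_at_boot against /etc (as ROOT) on a real Ubuntu host of that era to get the same answer the exercise asks you to read off by eye; after disabling, the K09apache2 links are what you should expect to see.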
c) initctl

List the running services.  What is the command option
you use with initctl to show all services?

        % man initctl

        % sudo initctl ???

------------------------------------

II. System Updates

Let's make sure the system is up-to-date.
Whenever we install a system, the first thing
we do is apply updates.

a) system updates

        % sudo apt-get update           # this updates the package cache

        % sudo apt-get upgrade          # this performs the upgrade

Now let's make sure that we get security updates automatically.
To do this we need the "unattended-upgrades" package.

b) security updates

Do you already have the package?

        % sudo ls /etc/apt/apt.conf.d

If not, install it:

        % sudo apt-get install unattended-upgrades

Now let's check again:

        % sudo ls /etc/apt/apt.conf.d

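Listing /etc/apt/apt.conf.d only shows that the package dropped its files in; whether upgrades actually get applied depends on the APT::Periodic settings inside those fragments (conventionally /etc/apt/apt.conf.d/20auto-upgrades). Here is an added example, not part of the exercise, that reads those settings the way apt does and reports the weak setting next to the corrected one. The apt.conf.d directory it uses is a constructed fixture in a temporary directory; the function names apt_option, unattended_enabled, make_aptconf and enable_unattended are this example's own.

```shell
#!/bin/sh
# Added example: read the APT::Periodic settings out of apt.conf.d fragments the
# way apt does (every file, lexical order, last assignment wins) and decide
# whether unattended security upgrades are actually switched on.

# apt_option DIR KEY: print the value of the last `KEY "value";` line in DIR.
apt_option() {
  cat "$1"/* 2>/dev/null |
    sed -n "s/^[[:space:]]*$2[[:space:]]*\"\([^\"]*\)\";.*/\1/p" | tail -n 1
}

# unattended_enabled DIR: exit 0 only if both the periodic list refresh and the
# unattended upgrade run are enabled; either one at "0" leaves the host unpatched.
unattended_enabled() {
  [ "$(apt_option "$1" APT::Periodic::Update-Package-Lists)" = 1 ] &&
  [ "$(apt_option "$1" APT::Periodic::Unattended-Upgrade)" = 1 ]
}

# Constructed fixture: an apt.conf.d directory whose 20auto-upgrades fragment
# carries the weak setting (lists are refreshed, nothing is ever installed).
make_aptconf() {
  dir=$(mktemp -d)
  printf 'APT::Periodic::Update-Package-Lists "1";\nAPT::Periodic::Unattended-Upgrade "0";\n' \
    > "$dir/20auto-upgrades"
  echo "$dir"
}

# enable_unattended DIR: write the corrected fragment, the same two lines
# `dpkg-reconfigure unattended-upgrades` writes when you answer yes.
enable_unattended() {
  printf 'APT::Periodic::Update-Package-Lists "1";\nAPT::Periodic::Unattended-Upgrade "1";\n' \
    > "$1/20auto-upgrades"
}

# Usage: on a real host call `unattended_enabled /etc/apt/apt.conf.d`.
dir=$(make_aptconf)
unattended_enabled "$dir" || echo "weak: Unattended-Upgrade is $(apt_option "$dir" APT::Periodic::Unattended-Upgrade)"
enable_unattended "$dir"
unattended_enabled "$dir" && echo "fixed: unattended upgrades enabled"
rm -rf "$dir"
```

The check deliberately requires both keys: a host that refreshes its package lists but never runs the upgrade step looks busy in the logs while staying unpatched.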
------------------------------------

III. Filesystem Integrity

In this section, we'll add the programs necessary for monitoring
filesystem integrity.  We'll do this at multiple levels, using the
debsums, fcheck, and incron packages.

a) debsums

debsums keeps checksums of the installed package files and compares
the files on disk against them.  You must remember to update the
checksums after you make major changes to the system.

        % sudo apt-get install debsums

Initialize the debsums database:

        % sudo debsums_init

Now let's change something in the filesystem and see if
debsums can detect it:

        % sudo mv /sbin/ss /sbin/st

        % sudo debsums -c

Did debsums detect the change???

Now let's move the file back in place:

        % sudo mv /sbin/st /sbin/ss

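To show what debsums is doing under the hood, here is an added example (not part of the exercise, and not debsums' own code) that implements the same idea over a directory: take a manifest of checksums while the tree is known-good, then compare the tree against it later. debsums itself uses the MD5 lists shipped inside each package under /var/lib/dpkg/info; this example uses sha256sum and a small constructed tree in a temporary directory standing in for the root filesystem. The functions snapshot, verify and make_tree are this example's own.

```shell
#!/bin/sh
# Added example: the idea behind debsums.  A manifest of file checksums is
# taken while the tree is known-good; later runs compare the tree against it
# and report what changed, disappeared, or appeared.

# snapshot DIR MANIFEST: record a checksum for every regular file under DIR.
snapshot() {
  ( cd "$1" && find . -type f | LC_ALL=C sort | xargs sha256sum ) > "$2"
}

# verify DIR MANIFEST: print one line per file that changed, went missing, or
# appeared since the snapshot.  Exit 0 when the tree is clean.
verify() {
  dir=$1; manifest=$2; rc=0
  while read -r sum path; do                      # everything the manifest knows about
    if [ ! -f "$dir/$path" ]; then
      echo "MISSING $path"; rc=1
    elif [ "$(cd "$dir" && sha256sum "$path" | cut -d' ' -f1)" != "$sum" ]; then
      echo "CHANGED $path"; rc=1
    fi
  done < "$manifest"
  for p in $(cd "$dir" && find . -type f | LC_ALL=C sort); do   # files the manifest lacks
    grep -q " $p\$" "$manifest" || { echo "NEW $p"; rc=1; }      # (debsums does not report these)
  done
  return $rc
}

# Constructed tree standing in for the root filesystem (not real system files).
make_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/sbin" "$root/etc"
  printf 'pretend this is the ss binary\n' > "$root/sbin/ss"
  printf '127.0.0.1 localhost\n' > "$root/etc/hosts"
  echo "$root"
}

# Usage: take the baseline, then repeat the exercise's rename and re-check.
root=$(make_tree); manifest=$(mktemp)
snapshot "$root" "$manifest"
verify "$root" "$manifest" && echo "baseline clean"
mv "$root/sbin/ss" "$root/sbin/st"
verify "$root" "$manifest" || echo "tamper detected"
rm -rf "$root" "$manifest"
```

Note the limitation the example shares with debsums: a manifest stored on the same host can be edited by whoever tampered with the files, which is why the exercise's "update the checksums after major changes" step needs to be a deliberate, audited action rather than something that happens automatically.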
b) incrond

Inotify in the kernel can provide real-time notification of filesystem
changes.  Install the incron package and configure incrond to monitor important
filesystems.

        % sudo apt-get install incron

        % tail /var/log/syslog

        % cd /etc/incron.d

        % sudo vi globals       # add the following line to the globals file:

/etc IN_MODIFY,IN_CLOSE_WRITE,IN_CREATE,IN_DELETE /usr/bin/logger -p news.warn "$% $@/$#"

That's it.  The changes you make to incron are picked up automatically.
Because incron watches for changes, it even notices when you change
its own configuration, and reloads it.

Now add a file to the /etc directory:

        % sudo touch /etc/dog

Take a look at /var/log/syslog.  What does it say???

        % sudo tail /var/log/syslog

From now on, any changes you make in the /etc directory will
generate syslog messages.

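Once every change under /etc produces a syslog line, the next question is how to read them in bulk. The rule's command, logger -p news.warn "$% $@/$#", logs the event flags ($%), the watched directory ($@) and the file name ($#), so each message looks like "IN_CREATE /etc/dog", tagged with the user name because logger was given no -t. Here is an added example, not part of the exercise, that filters a syslog excerpt down to those events and ranks them. The syslog lines are constructed, not a real capture, and the functions incron_events, classify and high_count, along with the list of high-value files, are this example's own.

```shell
#!/bin/sh
# Added example: triage the syslog lines the incron rule produces.

# Constructed syslog excerpt (not a real capture) in the traditional
# "Mon DD HH:MM:SS host tag: message" layout, with one unrelated line mixed in.
sample_syslog() {
cat <<'EOF'
Mar  3 10:15:01 pc1 root: IN_CREATE /etc/dog
Mar  3 10:15:07 pc1 root: IN_CLOSE_WRITE /etc/passwd
Mar  3 10:15:09 pc1 root: IN_CREATE,IN_ISDIR /etc/newdir
Mar  3 10:15:12 pc1 root: IN_DELETE /etc/dog
Mar  3 10:16:00 pc1 sshd[700]: Accepted publickey for sysadm from 10.0.0.5 port 5222 ssh2
EOF
}

# incron_events: read syslog on stdin, keep only incron-shaped messages
# (field 6 is a comma-separated IN_ flag list, field 7 an absolute path),
# and print "FLAGS PATH".
incron_events() {
  awk '$6 ~ /^IN_[A-Z_,]+$/ && $7 ~ /^\// { print $6, $7 }'
}

# classify: read "FLAGS PATH" lines and prefix each with a severity.  The list
# of high-value files is this example's own; extend it for the host in question.
classify() {
  while read -r flags path; do
    case "$path" in
      /etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/sudoers|/etc/sudoers.d/*) sev=HIGH ;;
      *) sev=INFO ;;
    esac
    echo "$sev $flags $path"
  done
}

# high_count: number of HIGH events among the "FLAGS PATH" lines on stdin,
# usable as an alert threshold.
high_count() {
  classify | grep -c '^HIGH '
}

# Usage against the sample.  On a real host:
#   sudo tail -n 500 /var/log/syslog | incron_events | classify
sample_syslog | incron_events | classify
```

Because the rule logs at news.warn, a syslog configuration that routes the news facility to its own file, or to a remote log host, keeps these events separate from the rest of /var/log/syslog and out of reach of someone editing the local file.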
------------------------------------

IV. Enable System Accounting

System accounting gives us logs of all the commands that
have run and terminated on the system.  Let's see if we
have the acct package:

        % which sa

Did "which" find the command?  If not, install the package:

        % sudo apt-get install acct

        % which sa

Let's run a command and see if acct records it.

        % whoami

        % sudo sa -u

Did "sa" show a record for the command?

Let's try the "lastcomm" command as well:

        % lastcomm sysadm

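The lastcomm listing answers "what did this user run?", and the flags column answers "with what privilege?". Here is an added example, not part of the exercise, that reduces a lastcomm listing to per-user counts and to the commands a user ran with super-user privilege. The sample is constructed in the column layout GNU acct's lastcomm prints (command, flags, user, terminal, CPU seconds, date), where the flags are S for a command executed by the super-user, F for a fork without exec, D for a core dump and X for a kill by signal; the functions parse_lastcomm, count_by_user and superuser_commands are this example's own.

```shell
#!/bin/sh
# Added example: summarise process-accounting output from lastcomm.

# Constructed lastcomm-style listing (not a real capture).  When no flag is
# set the flags column is blank, so the user name shifts into field 2.
sample_lastcomm() {
cat <<'EOF'
whoami                  sysadm   pts/0      0.00 secs Mon Mar  3 10:15
sudo              S     sysadm   pts/0      0.02 secs Mon Mar  3 10:15
sa                S     root     pts/0      0.01 secs Mon Mar  3 10:15
lastcomm                sysadm   pts/0      0.00 secs Mon Mar  3 10:16
vi                S     sysadm   pts/0      1.30 secs Mon Mar  3 10:17
EOF
}

# parse_lastcomm: normalise each line to "COMMAND FLAGS USER" ("-" when no flags).
parse_lastcomm() {
  awk '{
    if ($2 ~ /^[SFDX]+$/) { flags = $2; user = $3 } else { flags = "-"; user = $2 }
    print $1, flags, user
  }'
}

# count_by_user: "USER N" per user, sorted, for spotting unexpected accounts.
count_by_user() {
  parse_lastcomm | awk '{ n[$3]++ } END { for (u in n) print u, n[u] }' | sort
}

# superuser_commands USER: the commands USER ran with the S flag, i.e. with
# super-user privilege, one per line.
superuser_commands() {
  parse_lastcomm | awk -v u="$1" '$3 == u && $2 ~ /S/ { print $1 }'
}

# Usage against the sample.  On a real host: lastcomm | count_by_user
echo "commands per user:"; sample_lastcomm | count_by_user
echo "sysadm ran as super-user:"; sample_lastcomm | superuser_commands sysadm
```

Accounting records are written by the kernel as processes exit, so they survive a user clearing their shell history; like the syslog events above, they are most useful when shipped off the host regularly.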
---

Now we have a system that is up-to-date, and it
gets security updates automatically.  We are monitoring
the system files with debsums, and we are logging changes
immediately as well with incron/inotify.  We have
disabled services that are not necessary.  And we have
accounting records to log commands.

This is basic host security that system administrators
will do on every host they deploy.

--- End
