Table of Content
110.1 Perform security administration tasks
Weight: 3
Description: Candidates should know how to review system configuration to ensure host security in accordance with local security policies.
Key Knowledge Areas:
- Audit a system to find files with the suid/sgid bit set
- Set or change user passwords and password aging information
- Being able to use nmap and netstat to discover open ports on a system
- Set up limits on user logins, processes and memory usage
- Determine which users have logged in to the system or are currently logged in
- Basic sudo configuration and usage
Terms and Utilities:
find passwd fuser lsof nmap chage netstat sudo /etc/sudoers su usermod ulimit who, w, last
find
oldhorse@dclab:~$ sudo find / -perm +6000 -type f
/sbin/unix_chkpwd
/sbin/pam_extrausers_chkpwd
/usr/sbin/pppd
/usr/lib/libvte-2.91-0/gnome-pty-helper
/usr/lib/utempter/utempter
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/evolution/camel-lock-helper-1.2
/usr/lib/x86_64-linux-gnu/oxide-qt/chrome-sandbox
oldhorse@dclab:~$ ll /sbin/pam_extrausers_chkpwd
-rwxr-sr-x 1 root shadow 35576 Apr 22 2015 /sbin/pam_extrausers_chkpwd*
Notes: `-perm +6000` ("any of the suid/sgid bits") is the obsolete GNU spelling and current versions of find reject it; the equivalent is `-perm /6000` (`-perm -6000` would require BOTH bits to be set). Run the audit with sudo so directories the user cannot read are not silently skipped, and add `-ls` (or `-exec ls -l {} +`) to get owner and mode in the same pass. Keep a baseline of this list: a new suid/sgid file owned by root that no package installed is a classic privilege-escalation foothold; `dpkg -S <path>` / `rpm -qf <path>` tells you whether the package manager put it there.
SUID/SGID
-rw-rw-r-- 1 oldhorse oldhorse 0 Feb 12 07:51 ttt
oldhorse@dclab:~$ chmod u+s ttt
oldhorse@dclab:~$ ls -ltr ttt
-rwSrw-r-- 1 oldhorse oldhorse 0 Feb 12 07:51 ttt
oldhorse@dclab:~$ chmod g+s ttt
oldhorse@dclab:~$ ls -ltr ttt
-rwSrwSr-- 1 oldhorse oldhorse 0 Feb 12 07:51 ttt
A capital `S` in the mode means the set-id bit is on but the matching execute bit is off, so the bit is inert; once the file is executable it shows as a lowercase `s` (compare the `r-s` on /sbin/pam_extrausers_chkpwd above). Numeric values: 4000 = setuid, 2000 = setgid, 6000 = both for the bit tests below.
oldhorse@dclab:~$ find . -perm +2000 -type f
./ttt
oldhorse@dclab:~$ find . -perm +4000 -type f
./tool/vmware-tools-distrib/lib/bin32/vmware-user-suid-wrapper
./tool/vmware-tools-distrib/lib/bin64/vmware-user-suid-wrapper
./ttt
oldhorse@dclab:~$ find . -perm -u=s -type f
./tool/vmware-tools-distrib/lib/bin32/vmware-user-suid-wrapper
./tool/vmware-tools-distrib/lib/bin64/vmware-user-suid-wrapper
./ttt
oldhorse@dclab:~$ find . -perm -g=s -type f
./ttt
Note: `-perm +MODE` is obsolete and rejected by current GNU find; use `-perm /MODE` instead. The symbolic forms `-perm -u=s` and `-perm -g=s` shown last work on every version.
chage
chage [-l] [-m mindays] [-M maxdays] [-d lastday] [-I inactivedays] [-E expiredate] [-W warndays] username
chage -E 2050/01/01 user   // sets an account EXPIRY date of 2050-01-01 (not "never"); to remove an expiry date entirely use `chage -E -1 user`; `chage -l user` prints the current aging settings
oldhorse@dclab:~$ sudo cat /etc/shadow|grep oldhorse
oldhorse:$1$MySBJvCJ$emv0BL6gQweU13kzUqLqi1:16691:0:99999:7:::
oldhorse@dclab:~$
oldhorse@dclab:~$ sudo chage -E 2050/01/01 oldhorse
oldhorse@dclab:~$ sudo cat /etc/shadow|grep oldhorse
oldhorse:$1$MySBJvCJ$emv0BL6gQweU13kzUqLqi1:16691:0:99999:7::29220:
oldhorse@dclab:~$
/etc/shadow fields are name:hash:lastchange:min:max:warn:inactive:expire:reserved, with the date fields counted in days since 1970-01-01 (16691 = last password change, 29220 = 2050-01-01, which is what the command above wrote into field 8). max=99999 means the password itself effectively never ages; a password policy normally sets `-M` (max age) and `-m` (min age). The `$1$` prefix marks an MD5-crypt hash, which is weak by current standards; modern systems default to `$6$` (SHA-512) or `$y$` (yescrypt), and the stored hash is normally re-encoded with the current method the next time the password is changed. Avoid pasting /etc/shadow hashes into shared notes — they are crackable offline.
lsof
root@dclab:/etc/init.d# lsof -i|grep sshd
sshd 1224 root 3u IPv4 17767 0t0 TCP *:ssh (LISTEN)
sshd 1224 root 4u IPv6 17772 0t0 TCP *:ssh (LISTEN)
sshd 1629 root 3u IPv4 20251 0t0 TCP 192.168.126.51:ssh->192.168.126.1:58015 (ESTABLISHED)
sshd 1692 oldhorse 3u IPv4 20251 0t0 TCP 192.168.126.51:ssh->192.168.126.1:58015 (ESTABLISHED)
root@dclab:/etc/init.d# lsof -i :22
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 1224 root 3u IPv4 17767 0t0 TCP *:ssh (LISTEN)
sshd 1224 root 4u IPv6 17772 0t0 TCP *:ssh (LISTEN)
^C
root@dclab:/etc/init.d# lsof -i :ssh
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 1224 root 3u IPv4 17767 0t0 TCP *:ssh (LISTEN)
sshd 1224 root 4u IPv6 17772 0t0 TCP *:ssh (LISTEN)
Notes: `lsof -i` on its own resolves host and port names (hence `*:ssh`); `lsof -nPi` prints numeric addresses and ports, which is faster and unambiguous. The one established session appears twice with the same socket (NODE 20251): PID 1629 running as root and PID 1692 running as the user — this is sshd's privilege separation (a root monitor plus an unprivileged per-user child), not two logins. For a quick listing-sockets-to-process view, `netstat -tulpn` (or `ss -tulpn` on newer systems) covers the same ground in one command.
nmap
-sT TCP connect() scan: completes the full three-way handshake, so it works without root but is noisy (every probe shows up as a real connection in the target's logs). When run as root nmap defaults to -sS (SYN / half-open) instead.
-sU UDP scan (requires root). Slow and often inconclusive: `open|filtered` means no reply came back, which is how both an open UDP service and a filtering firewall behave; only a port that answers (like ntp below) is reported as plain `open`.
root@dclab:/etc/init.d# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.100.2   0.0.0.0         UG    0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth1
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.126.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
root@dclab:/etc/init.d# nmap -sT 192.168.100.1
Starting Nmap 6.47 ( http://nmap.org ) at 2016-03-13 18:43 EDT
Nmap scan report for 192.168.100.1
Host is up (0.0035s latency).
Not shown: 982 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
902/tcp   open  iss-realsecure
912/tcp   open  apex-mesh
2492/tcp  open  groove
3389/tcp  open  ms-wbt-server
5357/tcp  open  wsdapi
7000/tcp  open  afs3-fileserver
7001/tcp  open  afs3-callback
7002/tcp  open  afs3-prserver
7004/tcp  open  afs3-kaserver
7007/tcp  open  afs3-bos
8800/tcp  open  sunwebadmin
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 3.85 seconds
Caveats: only scan hosts you own or are explicitly authorised to test. 192.168.100.1 here is the VMware host-side adapter (00:50:56 is VMware's vendor prefix), apparently a Windows machine given 135/139/445/3389. The SERVICE column is just the name registered for that port number, not a fingerprint — on a VMware host 902/912 are far more likely VMware's own services than "iss-realsecure"/"apex-mesh"; use `-sV` to identify what is actually listening. Without `-p`, nmap probes only its default list of the 1000 most common ports (hence "Not shown: 982 closed"), so `-p-` is needed for a full sweep.
root@dclab:/etc/init.d# nmap -sU 127.0.0.1
Starting Nmap 6.47 ( http://nmap.org ) at 2016-03-13 18:44 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000013s latency).
Not shown: 996 closed ports
PORT     STATE         SERVICE
68/udp   open|filtered dhcpc
123/udp  open          ntp
631/udp  open|filtered ipp
5353/udp open|filtered zeroconf
Nmap done: 1 IP address (1 host up) scanned in 3.13 seconds
+++ fuser: determine the processes currently using a particular network port (or file); `-n tcp|udp` selects the name space, `-v` adds user and command
root@dclab:/etc/init.d# fuser 22/tcp
22/tcp: 1224 1629 1692
root@dclab:/etc/init.d# ps 1224
PID TTY STAT TIME COMMAND
1224 ? Ss 0:00 /usr/sbin/sshd -D
root@dclab:/etc/init.d# ps 1629
PID TTY STAT TIME COMMAND
1629 ? Ss 0:00 sshd: oldhorse [priv]
root@dclab:/etc/init.d# ps 1692
PID TTY STAT TIME COMMAND
1692 ? S 0:00 sshd: oldhorse@pts/8
root@dclab:/etc/init.d# fuser -v 22/tcp
USER PID ACCESS COMMAND
22/tcp: root 1224 F.... sshd
root 1629 F.... sshd
oldhorse 1692 F.... sshd
The three sshd PIDs are the listener (1224) plus the privileged monitor (1629, `[priv]`) and the unprivileged user child (1692) of the single established session — the same pair lsof showed above.
root@dclab:/etc/init.d# fuser -nv udp 631
631/udp: 1145
root@dclab:/etc/init.d# ps 1145
PID TTY STAT TIME COMMAND
1145 ? Ssl 0:00 /usr/sbin/cups-browsed
config file (default runlevel / target)
[root@dclab-centos7 init.d]# cat /etc/inittab # inittab is no longer used when using systemd. # # ADDING CONFIGURATION HERE WILL HAVE NO EFFECT ON YOUR SYSTEM. # # Ctrl-Alt-Delete is handled by /usr/lib/systemd/system/ctrl-alt-del.target # # systemd uses 'targets' instead of runlevels. By default, there are two main targets: # # multi-user.target: analogous to runlevel 3 # graphical.target: analogous to runlevel 5 # # To view current default target, run: # systemctl get-default # # To set a default target, run: # systemctl set-default TARGET.target # [root@dclab-centos7 init.d]# systemctl get-default multi-user.target
sudoers
[root@dclab-centos7 init.d]# cat /etc/sudoers|grep oldhorse
# user oldhorse can use all root privilege
oldhorse ALL=(ALL) ALL
Notes: edit /etc/sudoers only through `visudo` — it locks the file and syntax-checks it before saving, because a syntax error disables sudo for everyone. `oldhorse ALL=(ALL) ALL` grants every command as any user on every host, i.e. it is equivalent to handing out the root password; restrict the command list to what the user actually needs. grep over /etc/sudoers misses rules dropped into /etc/sudoers.d/; `sudo -l -U oldhorse` (as root) shows the effective rule set for a user from all sources.
who
[root@dclab-centos7 init.d]# who root tty1 2016-03-13 13:04 oldhorse pts/0 2016-03-13 13:06 (192.168.126.1) [root@dclab-centos7 init.d]# who -a system boot 2016-03-13 12:44 root + tty1 2016-03-13 13:04 05:43 744 run-level 3 2016-03-13 12:44 oldhorse + pts/0 2016-03-13 13:06 . 2402 (192.168.126.1) [root@dclab-centos7 init.d]# [root@dclab-centos7 init.d]# w 18:49:35 up 2:06, 2 users, load average: 0.00, 0.01, 0.05 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT root tty1 13:04 5:44m 0.03s 0.03s -bash oldhorse pts/0 192.168.126.1 13:06 7.00s 0.36s 0.14s sshd: oldhorse [priv]
last
last root   // login history of the user root, read from /var/log/wtmp
last reboot   // reboot history (wtmp records the pseudo-user "reboot" at each boot)
[root@dclab-centos7 init.d]# lastb
btmp begins Sun Mar 13 12:44:25 2016
lastb lists FAILED logins from /var/log/btmp (none since the file was started at boot here). Keep btmp readable by root only (mode 0600, which is the default): users who mistype their password as the username end up recorded in it in clear text.
[root@dclab-centos7 init.d]# lastlog -u oldhorse
Username Port From Latest
oldhorse pts/0 192.168.126.1 Sun Mar 13 13:06:39 -0400 2016
lastlog reports the most recent login of each user from /var/log/lastlog; without -u it lists every account, which makes it an easy way to spot service accounts that have ever logged in interactively.
usermod
oldhorse@dclab:~$ usermod -h
Usage: usermod [options] LOGIN
Options:
  -c, --comment COMMENT         new value of the GECOS field
  -d, --home HOME_DIR           new home directory for the user account
  -e, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
  -f, --inactive INACTIVE       set password inactive after expiration to INACTIVE
  -g, --gid GROUP               force use GROUP as new primary group
  -G, --groups GROUPS           new list of supplementary GROUPS
  -a, --append                  append the user to the supplemental GROUPS mentioned by the -G option without removing him/her from other groups
  -h, --help                    display this help message and exit
  -l, --login NEW_LOGIN         new value of the login name
  -L, --lock                    lock the user account
  -m, --move-home               move contents of the home directory to the new location (use only with -d)
  -o, --non-unique              allow using duplicate (non-unique) UID
  -p, --password PASSWORD       use encrypted password for the new password
  -R, --root CHROOT_DIR         directory to chroot into
  -s, --shell SHELL             new login shell for the user account
  -u, --uid UID                 new UID for the user account
  -U, --unlock                  unlock the user account
  -v, --add-subuids FIRST-LAST  add range of subordinate uids
  -V, --del-subuids FIRST-LAST  remvoe range of subordinate uids
  -w, --add-subgids FIRST-LAST  add range of subordinate gids
  -W, --del-subgids FIRST-LAST  remvoe range of subordinate gids
  -Z, --selinux-user SEUSER     new SELinux user mapping for the user account
usermod -l newname oldname   // rename: per the usage line the NEW login is the -l argument and the EXISTING login comes last (usermod -l NEW_LOGIN LOGIN); the home directory is not renamed unless you also pass -d/-m
usermod -L user   // lock: prepends '!' to the password hash in /etc/shadow
usermod -U user   // unlock: removes the '!' again
oldhorse@dclab:~$ sudo cat /etc/shadow|grep oldhorse
oldhorse:!$1$MySBJvCJ$emv0BL6gQweU13kzUqLqi1:16691:0:99999:7:::
oldhorse@192.168.100.128's password:
Permission denied (publickey,password).
Caveat: -L/-U (and passwd -l/-u below) only disable PASSWORD authentication — the leading '!' makes the hash unmatchable, which is why the ssh password attempt above is refused. SSH public-key logins, the user's cron jobs and `su` from root are NOT blocked by this. To disable the account itself, also expire it (`chage -E 0 user`) and/or set a non-login shell (`usermod -s /sbin/nologin user`). Avoid `usermod -p HASH` on the command line: the hash lands in shell history and is visible in `ps` while the command runs; use `passwd` or `chpasswd` reading from stdin instead.
usermod -U oldhorse
same as passwd:
passwd -l user
passwd -u user
oldhorse@dclab:~$ sudo passwd -l oldhorse
passwd: password expiry information changed.
oldhorse@dclab:~$ sudo cat /etc/shadow|grep oldhorse
oldhorse:!$1$MySBJvCJ$emv0BL6gQweU13kzUqLqi1:16691:0:99999:7:::
nologin
If /etc/nologin exists, every login except root's is refused (if the file has content it is shown to the user as the reason); remove the file to re-enable logins. This is distinct from the /sbin/nologin shell, which blocks a single account. Note that a remote user only sees "Connection closed", as below, so the cause is not obvious from the client side.
[oldhorse@dclab-centos7 ~]$ ssh oldhorse@192.168.100.128
oldhorse@192.168.100.128's password:
Connection closed by 192.168.100.128
ulimit
[oldhorse@dclab-centos7 ~]$ ulimit -a
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 3872
max locked memory       (kbytes, -l) 64
max memory size         (kbytes, -m) unlimited
open files                      (-n) 1024
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 8192
cpu time               (seconds, -t) unlimited
max user processes              (-u) 3872
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited
[oldhorse@dclab-centos7 ~]$ cat /etc/security/limits.conf
#* soft core 0
#* hard rss 10000
#@student hard nproc 20
#@faculty soft nproc 20
#@faculty hard nproc 50
#ftp hard nproc 0
#@student - maxlogins 4
Notes: `ulimit -a` shows the SOFT limits of the current shell; `ulimit -Ha` shows the hard limits. A user can lower either limit or raise the soft limit up to the hard one, but only root can raise a hard limit. /etc/security/limits.conf (and /etc/security/limits.d/*.conf) is applied by PAM (pam_limits) when a session starts, so changes affect new logins only and do not apply to systemd services, which take their limits from the unit file. Entry format is `<domain> <type> <item> <value>`: domain is a user name, `@group` or `*`; type is `soft`, `hard` or `-` (sets both). A per-user `nproc` hard limit is the standard defence against fork bombs; `ftp hard nproc 0` prevents the ftp account from running any process at all, and `maxlogins` caps concurrent sessions per user/group.