Sunday, February 12, 2012

C|EH Notes: Top Security Challenges

Essential Terminologies:
  • Hack Value: It is the notion among hackers that something is worth doing or is interesting.
  • Target of Evaluation: An IT system, product, or component that is identified/subjected to a required security evaluation.
  • Attack: An assault on the system security derived from an intelligent threat.  An attack is any action violating security.
  • Threat: An action or event that might compromise security.  A threat is a potential violation of security (an attack is the threat carried out).
Security Challenges:
  • Compliance with government laws and regulations.
  • Evolution of technology focused on ease of use.
  • Increased number of network-based applications.
  • Increasing complexity of computer infrastructure administration and management.
  • It is difficult to centralize security in a distributed computing environment.
  • Direct impact of security breach on corporate asset base and goodwill.
Top Security Challenges:
  1. Increase in sophisticated cyber criminals.
  2. Data leakage, malicious insiders, and remote workers.
  3. Mobile security, adaptive authentication, and social media strategies.
  4. Cyber security workforce.
  5. Exploited vulnerabilities, operationalizing security.
  6. Critical infrastructure protection.
  7. Balancing sharing with privacy requirements.
  8. Identity access strategies and lifecycle.
List of Security Risks:
  1. Trojans/Info Stealing/Keyloggers
  2. Fast Flux Botnets
  3. Data Loss/Breaches
  4. Internal Threats
  5. Organized Cyber Crime
  6. Phishing/Social Engineering
  7. New emerging viruses
  8. Cyber Espionage
  9. Zero-Day Exploits
  10. Web 2.0 Threats
  11. Phishing attacks
  12. Identity black market
  13. Cyber-extortion
  14. Transportable data (USB, laptops, backup tapes)
  15. "Zombie" networks
  16. Exploits in new technology
  17. Outsourcing projects
  18. Social networking
  19. Business interruption
  20. Virtualization and cloud Computing
Application Security Attacks:
  • Phishing
  • Session hijacking
  • Man-in-the-middle attack
  • Web parameter tampering - manipulation of the parameters exchanged between client and server (query strings, form fields, hidden fields, cookies) in order to modify application data such as user credentials and permissions, or the price and quantity of products.  The server must re-derive such values itself rather than trust the copy the client sends back.
  • Directory traversal - the goal of this attack is to make an application open a file that was never intended to be reachable, by putting ../ sequences (or their encoded forms) into a filename the application builds from user input.  Also known as the ../ (dot dot slash) attack.  It exploits missing validation rather than a bug: the file-system call does exactly what it was asked to do.
    • Canonicalization (c14n) - converting data that has more than one possible representation (URL-encoded, double-encoded, backslash vs. slash, trailing dots, symlinks) into a single "standard", "normal", or canonical form.  Validate the canonical form, not the raw input, or the check is bypassed by an encoding it did not expect.
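The traversal and canonicalization bullets above, as an added example (not code from the C|EH course or the original notes): a naive path join beside a resolver that decodes, canonicalizes and only then checks that the result is still inside the document root.  DOC_ROOT and all the sample requests are constructed for the demo; a real server would use its own root and os.path.realpath to defeat symlinks as well.

```python
"""Directory traversal: a vulnerable join beside a canonicalizing resolver (added example)."""
import os
import posixpath
from urllib.parse import unquote

# Constructed document root for the demo; not a real deployment path.
DOC_ROOT = "/srv/app/public"


def vulnerable_resolve(doc_root, user_path):
    """Naive: concatenates the client-supplied path, so '../' walks out of doc_root."""
    return os.path.normpath(os.path.join(doc_root, user_path))


def canonical_resolve(doc_root, user_path):
    """Hardened: canonicalize first, then confirm the canonical path is inside doc_root.

    Returns the canonical absolute path, or None when the request escapes the root
    or carries a NUL byte (C file APIs would truncate the name at the NUL).
    """
    # 1. Undo URL encoding, repeatedly, so %252e%252e (double encoding) is also folded.
    decoded = user_path
    for _ in range(3):
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    if "\x00" in decoded:
        return None
    # 2. Treat backslashes as separators and drop a leading slash so the
    #    request is always relative to the root.
    decoded = decoded.replace("\\", "/").lstrip("/")
    # 3. Collapse '.', '..' and repeated slashes into the canonical form.
    root = posixpath.normpath(doc_root)
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    # 4. The decisive check is on the canonical form, never on the raw string.
    #    'root + "/"' stops /srv/app/public2 from passing as a child of /srv/app/public.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for req in ("css/site.css", "../../../etc/passwd", "..%2f..%2f..%2fetc/passwd",
                "%252e%252e/%252e%252e/etc/passwd", "..\\..\\boot.ini", "index.html%00.png"):
        print(f"{req!r:40} naive={vulnerable_resolve(DOC_ROOT, req):32} "
              f"canonical={canonical_resolve(DOC_ROOT, req)}")
```

Every rejected request above is one the naive join happily resolves to a path outside /srv/app/public, which is the whole point of checking after canonicalization rather than pattern-matching for "../" in the raw input.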
Vulnerability Research Websites:

C|EH Notes: Regional Internet Registries (RIR)

Active and Passive Reconnaissance
Notes from the CERT Software Engineering Institute (SEI) lectures for the Certified Ethical Hacker (C|EH) certificate.

Regional Internet Registries:
  • African Network Information Center (AfriNIC)
  • Asia Pacific Network Information Center (APNIC)
  • American Registry for Internet Numbers (ARIN)
  • Latin America and Caribbean Network Information Centre (LACNIC)
  • Réseaux IP Européens Network Coordination Centre (RIPE NCC)
Top Level Domain Registries
InterNIC - Public Information Regarding Internet Domain Name Registration Services

DNS Enumeration:

# Get the Start of Authority (SOA) record and display all nslookup default parameters
# (-all prints the options before -type=SOA takes effect, which is why querytype still shows A).
MBP:~ dafinga$ nslookup -all -type=SOA google.com

Set options:
  novc nodebug nod2
  search recurse
  timeout = 0 retry = 3 port = 53
  querytype = A       class = IN
  srchlist = 
Server: 10.0.0.1
Address: 10.0.0.1#53


Non-authoritative answer:
google.com
origin = ns1.google.com
mail addr = dns-admin.google.com
serial = 2012020700
refresh = 7200
retry = 1800
expire = 1209600
minimum = 300


Authoritative answers can be found from:
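The SOA fields nslookup prints above (origin, mail addr, serial, refresh, retry, expire, minimum) are a direct decoding of the DNS wire format.  The following is an added example, not part of the original notes: it builds a raw SOA query, parses a response including name compression, and guards against pointer loops in a hostile reply.  The response bytes are constructed to mirror the google.com answer shown on the page, not captured live; the 10.0.0.1 resolver in query_soa is the one from the page's output and is only an assumption.

```python
"""Raw DNS SOA query and response parsing (added example)."""
import socket
import struct

QTYPE_SOA, QCLASS_IN = 6, 1


def encode_name(name):
    """'google.com' -> b'\\x06google\\x03com\\x00' (uncompressed wire format)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_soa_query(name, txid=0x1234):
    """12-byte header (RD set, one question) followed by the SOA question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def read_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset just after it)."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: 2 bytes, 14-bit offset
            hops += 1
            if hops > 32:  # refuse pointer loops in a malicious response
                raise ValueError("compression loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), end if end is not None else off


def parse_soa_response(msg):
    """Walk the question, answer and authority sections and collect every SOA record."""
    txid, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4
    soa = []
    for _ in range(an + ns):
        owner, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata_end = off + rdlen
        if rtype == QTYPE_SOA:
            mname, p = read_name(msg, off)  # primary master (nslookup "origin")
            rname, p = read_name(msg, p)    # responsible mailbox (nslookup "mail addr")
            serial, refresh, retry, expire, minimum = struct.unpack("!5I", msg[p:p + 20])
            soa.append(dict(owner=owner, ttl=ttl, mname=mname, rname=rname, serial=serial,
                            refresh=refresh, retry=retry, expire=expire, minimum=minimum))
        off = rdata_end
    return {"id": txid, "rcode": flags & 0xF, "authoritative": bool(flags & 0x0400), "soa": soa}


def query_soa(name, server="10.0.0.1", timeout=3.0):
    """Send the query over UDP to a resolver and parse the reply (needs network access)."""
    q = build_soa_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        reply, _ = s.recvfrom(4096)
    if reply[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return parse_soa_response(reply)


def constructed_response():
    """A non-authoritative reply (flags 0x8180) carrying the SOA values from the page."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = encode_name("google.com") + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)
    ptr_root = b"\xc0\x0c"  # pointer to "google.com" at offset 12
    rdata = (b"\x03ns1" + ptr_root + b"\x09dns-admin" + ptr_root
             + struct.pack("!5I", 2012020700, 7200, 1800, 1209600, 300))
    answer = ptr_root + struct.pack("!HHIH", QTYPE_SOA, QCLASS_IN, 300, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    print(parse_soa_response(constructed_response()))
```

The serial 2012020700 follows the YYYYMMDDnn convention, so it tells you when the zone was last edited; the rname's first label is the mailbox local part (dns-admin@google.com).  A reply whose header flags lack the AA bit is the "Non-authoritative answer" nslookup reports above, meaning the resolver served it from cache.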

Friday, February 10, 2012

Modifying Network Parameters in Solaris 10

My reference: The Center for Internet Security (Solaris 10 Benchmarks v4.0).  To get the SMF service to run correctly, do the following:

mkdir -m 755 /var/svc/method
chown root:sys /var/svc/method
cd /var/svc/method

cat > cis_netconfig.sh << END
#!/sbin/sh
# CIS network parameters.  ndd(1M) settings do not survive a reboot, so SMF re-runs this script at boot.
# Do not forward IPv4 or IPv6 source-routed packets
ndd -set /dev/ip ip_forward_src_routed 0
ndd -set /dev/ip ip6_forward_src_routed 0
# Do not accept reverse-source-routed TCP connections
ndd -set /dev/tcp tcp_rev_src_routes 0
# Do not forward directed broadcasts (smurf-style amplification)
ndd -set /dev/ip ip_forward_directed_broadcasts 0
# Raise the half-open (SYN received, not yet established) TCP queue to 4096 to resist SYN floods
ndd -set /dev/tcp tcp_conn_req_max_q0 4096
# Raise the established-but-not-yet-accepted TCP queue to 1024
ndd -set /dev/tcp tcp_conn_req_max_q 1024
# Ignore ICMP timestamp requests, unicast and broadcast
ndd -set /dev/ip ip_respond_to_timestamp 0
ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
# Ignore ICMP netmask requests sent to the broadcast address
ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
# Ignore ICMP echo requests sent to the broadcast address
ndd -set /dev/ip ip_respond_to_echo_broadcast 0
# Flush unused ARP entries after 60000 ms (1 min) to shorten the window for ARP cache poisoning
ndd -set /dev/arp arp_cleanup_interval 60000
# Scan the IP routing table for stale ARP-derived entries every 60000 ms (1 min)
ndd -set /dev/ip ip_ire_arp_interval 60000
# Ignore incoming ICMP redirects (IPv4 and IPv6) so a remote host cannot rewrite the routing table
ndd -set /dev/ip ip_ignore_redirect 1
ndd -set /dev/ip ip6_ignore_redirect 1
# Add TCP port 6112 (dtspcd, the CDE subprocess control daemon) to the privileged ports so only root can bind it
ndd -set /dev/tcp tcp_extra_priv_ports_add 6112
# Strict destination multihoming (IPv4 and IPv6): drop packets that arrive on one interface
# but are addressed to an IP belonging to another interface
ndd -set /dev/ip ip_strict_dst_multihoming 1
ndd -set /dev/ip ip6_strict_dst_multihoming 1
# Do not send ICMPv4 redirects
ndd -set /dev/ip ip_send_redirects 0
# ICMPv6 redirects are left enabled here; the CIS benchmark disables these as well, so set 0 to match the IPv4 line
ndd -set /dev/ip ip6_send_redirects 1
END

chown root:sys ./*
chmod 555 ./*

Now create the service manifest for /var/svc/method/cis_netconfig.sh

cat > cis_netconfig.xml << END
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM
"/usr/share/lib/xml/dtd/service_bundle.dtd.1">

<service_bundle type='manifest' name='CIS:cis_netconfig'>

<service
  name='site/cis_netconfig'
  type='service'
  version='1'>

  <create_default_instance enabled='true' />

  <single_instance />

  <dependency
    name='usr'
    type='service'
    grouping='require_all'
    restart_on='none'>
    <service_fmri value='svc:/system/filesystem/minimal' />
  </dependency>

<!-- Run ndd commands after network/physical is plumbed. -->
  <dependency
    name='network-physical'
    grouping='require_all'
    restart_on='none'
    type='service'>
    <service_fmri value='svc:/network/physical' />
  </dependency>

<!-- but run the commands before network/initial -->
  <dependent
    name='ndd_network-initial'
    grouping='optional_all'
    restart_on='none'>
    <service_fmri value='svc:/network/initial' />
  </dependent>

  <exec_method
    type='method'
    name='start'
    exec='/var/svc/method/cis_netconfig.sh'
    timeout_seconds='60' />

  <exec_method
    type='method'
    name='stop'
    exec=':true'
    timeout_seconds='60' />

  <property_group name='startd' type='framework'>
    <propval name='duration' type='astring' value='transient' />
  </property_group>

  <stability value='Unstable' />

  <template>
    <common_name>
      <loctext xml:lang='C'>
          CIS Network Parameter Set
      </loctext>
    </common_name>
  </template>
</service>

</service_bundle>
END

Now import the SMF service: svccfg import cis_netconfig.xml

Importing the manifest creates the instance svc:/site/cis_netconfig:default and, because the manifest marks the default instance enabled, starts it straight away.  On every subsequent boot SMF runs /var/svc/method/cis_netconfig.sh after network/physical and before network/initial, so the ndd settings are reapplied (they would otherwise be lost at reboot).  Keep a copy of the manifest in /var/svc/manifest/site so it can be re-imported later, and confirm the service is online with: svcs -l svc:/site/cis_netconfig

If one of the settings hinders functionality, disable the service by performing the following: svcadm -v disable svc:/site/cis_netconfig:default
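Applying the settings is half the job; the practitioner also wants to know they are still in force after a reboot or a change by someone else.  The following drift check is an added example, not part of the CIS benchmark or the original post.  It reads each tunable back with ndd(1M), which requires root on Solaris 10; the getter argument exists only so the logic can be exercised on a machine without ndd.  ip6_send_redirects is listed with the CIS value 0 rather than the 1 used in the script above.

```python
"""Drift check for the CIS network parameters set by cis_netconfig.sh (added example)."""
import subprocess
import sys

# (driver, parameter, expected value), one entry per ndd -set line in cis_netconfig.sh.
# tcp_extra_priv_ports_add is an "add" operation rather than a value, so it is checked
# separately by reading back tcp_extra_priv_ports.
CIS_NETCONFIG = [
    ("/dev/ip", "ip_forward_src_routed", "0"),
    ("/dev/ip", "ip6_forward_src_routed", "0"),
    ("/dev/tcp", "tcp_rev_src_routes", "0"),
    ("/dev/ip", "ip_forward_directed_broadcasts", "0"),
    ("/dev/tcp", "tcp_conn_req_max_q0", "4096"),
    ("/dev/tcp", "tcp_conn_req_max_q", "1024"),
    ("/dev/ip", "ip_respond_to_timestamp", "0"),
    ("/dev/ip", "ip_respond_to_timestamp_broadcast", "0"),
    ("/dev/ip", "ip_respond_to_address_mask_broadcast", "0"),
    ("/dev/ip", "ip_respond_to_echo_broadcast", "0"),
    ("/dev/arp", "arp_cleanup_interval", "60000"),
    ("/dev/ip", "ip_ire_arp_interval", "60000"),
    ("/dev/ip", "ip_ignore_redirect", "1"),
    ("/dev/ip", "ip6_ignore_redirect", "1"),
    ("/dev/ip", "ip_strict_dst_multihoming", "1"),
    ("/dev/ip", "ip6_strict_dst_multihoming", "1"),
    ("/dev/ip", "ip_send_redirects", "0"),
    ("/dev/ip", "ip6_send_redirects", "0"),  # CIS value; the script above leaves this at 1
]


def ndd_get(dev, param):
    """Read one kernel tunable with ndd(1M); raises if ndd is missing or refuses."""
    proc = subprocess.run(["/usr/sbin/ndd", "-get", dev, param],
                          capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def check_drift(getter=ndd_get):
    """Return [(dev, param, got, want)] for every tunable that differs or cannot be read."""
    drift = []
    for dev, param, want in CIS_NETCONFIG:
        try:
            got = getter(dev, param)
        except (OSError, subprocess.CalledProcessError):
            got = None  # unreadable counts as drift: we cannot prove the control is in place
        if got != want:
            drift.append((dev, param, got, want))
    return drift


def priv_port_added(port="6112", getter=ndd_get):
    """True when the port appears in the extra privileged TCP port list."""
    try:
        listing = getter("/dev/tcp", "tcp_extra_priv_ports")
    except (OSError, subprocess.CalledProcessError):
        return False
    return port in listing.split()


if __name__ == "__main__":
    problems = check_drift()
    for dev, param, got, want in problems:
        print(f"DRIFT {dev} {param}: got {got!r}, want {want}")
    if not priv_port_added():
        problems.append(("/dev/tcp", "tcp_extra_priv_ports", None, "6112"))
        print("DRIFT /dev/tcp tcp_extra_priv_ports: 6112 not listed")
    print("ok: all CIS network parameters in place" if not problems
          else f"{len(problems)} setting(s) differ from cis_netconfig.sh")
    sys.exit(1 if problems else 0)
```

Run it from cron or after every patch cycle; a non-zero exit is the signal that the SMF service was disabled, that the script failed part-way, or that someone changed a value by hand.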

Wednesday, February 8, 2012

Solaris Basic Security Mode (BSM) Auditing

This whole post was copied from The Blog of Ben Rockwood; I just wanted to keep another copy in case the original gets removed.  Thanks Ben, your post was extremely helpful to my understanding of Solaris auditing.

You trust your users, right? Me neither. Ever watched top/psrinfo or repeatedly used the w command to attempt to watch users on your system? We all have at some point. There are a lot of ways to see what users are doing, from checking their .bash_history to using DTrace (see 'shellsnoop'). But this is all kids' stuff. There are times you not only want to watch your users but you really need to know what they're doing. If you want to know exactly what people are doing on your systems, I'm glad to say there is a solution: Solaris Auditing, otherwise known as the Solaris Basic Security Module (BSM). It's a valued part of Trusted Solaris and available to you in Solaris 10 out of the box (and Nevada Solaris Express).

When auditing is enabled the system will log as much detail about what's occurring on the system as you wish. You can see everything from logins and logouts to executions to process creation to file access. If it happens, you can see it. When an action occurs that you want to capture, the action is recorded and placed into an "audit trace file". Later, these trace files can be used to provide all sorts of details about system activity. The possibilities are nearly endless.

You'll find the auditing configuration files in /etc/security/. In that directory are several config files for auditing, some scripts for enabling or disabling auditing, as well as some RBAC related files that we're not worried about here. In particular, you'll see the following files:
  • audit_class: Defines classes of audit events that are packed together for easy use.
  • audit_control: Primary audit configuration file
  • audit_data: Datafile maintained by auditd, don't edit this file. 
  • audit_event: Defines all the auditable events 
  • audit_record_attr: Defines the record format for various types of events 
  • audit_startup: Script for starting BSM/Auditing services 
  • audit_user: Define user specific audit flags (from audit_class) 
  • audit_warn: Auditd warning notification script 
  • bsmconv: Script for enabling BSM/Auditing 
  • bsmunconv: Script for removing BSM/Auditing
That list might look like a lot, but it's really not. If you want to set up the level of auditing for all users you'll edit audit_control, and if you want to use different levels for each user individually, you'll edit audit_user; other than that the rest of the files are just reference or setup.

To get started on your auditing journey, you need to execute the /etc/security/bsmconv script as root. Once you run this you'll need to reboot, so shut down most things before you run the script and when it completes do the reboot. The docs suggest you do this in single-user mode, but unless the system is in production I wouldn't worry about it. Following the reboot, check the auditing service with svcs -a auditd; if it's not enabled you can do so with svcadm enable auditd. You'll see the "auditd" process running via ps -ef.

When defining what events you want to record, you'll want to look at the classes defined in audit_class, and to better understand those classes you'll want to look at audit_event. Classes are represented by 2 letters, for instance "fr" represents "File Read". You can string together these classes to get just the sort of records you want.

In the /etc/security/audit_control configuration file there are two lines in particular that you're interested in: flags and naflags. The "flags" line specifies the default event classes to audit. These flags can be overridden by specifying flags for a user by name in audit_user. The "naflags" line specifies event classes to audit only when the event can not be attributed to a specific user (naflags meaning "non-attributable flags"). You can modify the flags you specify with a + or -, where +flag means only record the event on success and -flag means only record the event on failure. A good example might be if you only want to audit file writes that fail or only logins that succeed.

Some interesting audit classes include (see the full list in audit_class):
  • fr: file read
  • fw: file write
  • nt: network
  • lo: login or logout
  • fc: file create
  • fd: file delete
  • xx: All X events
That's only a taste. There is also an "all" meta-class. The all class is fun to play with but creates a huge amount of data! On my home workstation with just one user (me) that was largely idle for 24 hours it dumped 2.2GB of data into the audit trails. Playing with "all" is great to see what you can do, but I don't recommend using it beyond just fiddling. After editing the config files make sure that you restart the audit service: svcadm restart auditd or audit -s.

The following is an example audit_control (refer to the audit_control and audit_user man pages for more details):

dir:/var/audit
minfree:20
flags:lo,am,+fd,ss,-fa
naflags:lo,am


Naturally, storing all this data isn't easy. Events are recorded into an "audit trail"; by default these audit trails are stored in /var/audit, although for security purposes it's recommended that they be placed on a remote mount point (more on this later). Audit trails can get really, really large depending on how much you're auditing, so be careful to watch them closely for a day or two after enabling it. In order to speed things up, trails are written in binary, which means that you need to "close" them before moving them around and you can't just cat or tail the trails. The currently active audit trail will have "not_terminated" in its file name. Before doing analysis you should "close" the trail, which can be done by stopping auditd or by using auditreduce -O and then removing the not_terminated trail.

In order to read the binary audit trails we can use praudit. This tool can output audit trails in raw format (-r), short form (-s) with one line per record (-l), or in XML form (-x). The short form is useful for digging through manually, while the XML form is handy if you want to use an XML processor to convert it into another more interesting and presentable format. I recommend XML form for those new to audit trails because all the output data is enclosed in tags that describe what you're looking at, which is handy for learning.

Another useful tool is auditreduce, which can merge and select audit records from audit trail files. This is handy when you want to consolidate one or more audit trails or for moving audit trails around. If you want to, say, move audit trails off to another system on a regular basis instead of storing the trails directly on NFS, this would be the tool for you; it is also useful if you want to take audit trails from multiple affected systems (such as during a break-in) and create a single audit trail to search through.

In Solaris 10 a really cool feature was added to BSM: plugins! Using a plugin (shared lib) you can now output audit events directly to Syslog! This means that you don't need to leave audit trails on disk, NFS or local, but can send them, as they happen, off to a secure system. To enable it just add a line such as the following to your /etc/security/audit_control:
 
plugin: name=audit_syslog.so;p_flags=lo,ss,am

Note that the flags specified on this line don't define what gets audited. The flags are there to define what events should be passed via Syslog, effectively allowing you to filter certain flags to be syslog'ed even if you use other flags elsewhere. Please see Martin Englund's blog for more info, or read the audit_syslog man page.

Once you've enabled the syslog plugin for BSM, redirect the Syslog to a remote server with a line like this in /etc/syslog.conf:

audit.notice     @logdump.cuddletech.com

Auditing provides you with a lot of useful capabilities. Security, of course, is the key, but it goes further than that. Ever get tired of a user saying "I don't know what I did, but..."? If you used auditing you could look back through the users execs() and see what they had done. Curious if users are snooping through files? You could look through the audit trail at all file reads on a certain file.

You can even use auditing for troubleshooting! As an example, when I went to the MySQL Users Conference I took my dev workstation with me for demos. At home I use an LDAP server, so when I booted the system at the show it got really angry that LDAP wasn't present, so I disabled the LDAP client service. When I got home I forgot about it and didn't re-enable LDAP; since most of the user accounts are still in local files the system was unaffected and I didn't notice. Because I didn't remove ldap from the nsswitch.conf, the system was still constantly trying LDAP lookups despite not having a client to perform the lookups on its behalf, and I never realized it until I was setting up auditing for this blog entry and noticed that I kept seeing a lot of failed read requests to the Solaris Door of the name service... d0h! I'm not saying auditing is your first choice in troubleshooting tools, but it sure came in handy for me that time. The point simply is, auditing isn't just about security; it has a wide range of uses.

Please realize that by the nature of auditing you're writing data to disk (or NFS) every time your system performs an event that it needs to audit. It doesn't take a genius to realize that this is going to affect performance negatively. In my tests it's not generally a significant hit, but if you are going to consider using Solaris Auditing in production, limit your audited events as much as possible and carefully monitor server and application performance for a day or two following the time that you enabled it.

Auditing can seem difficult. I avoided it for years because it seemed so hard... but it really isn't. The config files have like a whopping 4 lines, so if you've never tried out auditing, give it a whirl and see if its for you.
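The flags, naflags, audit_user and p_flags semantics described in Ben's post are easy to get subtly wrong: a user's never-flags silently remove classes, and a class listed in p_flags but audited nowhere never reaches syslog at all.  The following is an added example after Ben's post, not his code: it parses constructed samples of audit_control and audit_user (audit_user lines are username:always-audit-flags:never-audit-flags), computes the effective classes for each user, and reports p_flags classes that no configured flag actually records.  The plugin line's extra "fr" class and the user entries are invented for the demo.

```python
"""Effective Solaris audit classes per user, from audit_control and audit_user (added example)."""

# Constructed sample files in the Solaris 10 formats; not copied from a real host.
AUDIT_CONTROL = """\
dir:/var/audit
minfree:20
flags:lo,am,+fd,ss,-fa
naflags:lo,am
plugin: name=audit_syslog.so;p_flags=lo,ss,am,fr
"""

AUDIT_USER = """\
# username:always-audit-flags:never-audit-flags
root:fw,fc,fd:
dafinga:+ex:-fa
guest::lo
"""

BOTH = frozenset({"success", "failure"})


def parse_flags(spec):
    """'lo,+fd,-fa' -> {'lo': {success, failure}, 'fd': {success}, 'fa': {failure}}."""
    classes = {}
    for tok in (t.strip() for t in spec.split(",")):
        if not tok:
            continue
        if tok[0] == "+":           # +class: record successful events only
            classes.setdefault(tok[1:], set()).add("success")
        elif tok[0] == "-":         # -class: record failed events only
            classes.setdefault(tok[1:], set()).add("failure")
        else:                       # bare class: both outcomes
            classes.setdefault(tok, set()).update(BOTH)
    return classes


def parse_audit_control(text):
    """keyword:value lines; comments and blank lines are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            conf[key.strip()] = value.strip()
    return conf


def parse_audit_user(text):
    """Returns {user: (always_flags, never_flags)}; missing fields default to empty."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fields = (line.split(":") + ["", ""])[:3]
            users[fields[0]] = (parse_flags(fields[1]), parse_flags(fields[2]))
    return users


def effective_flags(conf, users, user):
    """audit_control flags, plus the user's always-flags, minus the user's never-flags."""
    eff = parse_flags(conf.get("flags", ""))
    always, never = users.get(user, ({}, {}))
    for cls, outcomes in always.items():
        eff.setdefault(cls, set()).update(outcomes)
    for cls, outcomes in never.items():
        if cls in eff:
            eff[cls] -= outcomes
            if not eff[cls]:
                del eff[cls]
    return eff


def syslog_classes(conf):
    """Classes the audit_syslog plugin forwards (p_flags); +/- qualifiers are ignored."""
    for part in conf.get("plugin", "").split(";"):
        key, _, value = part.partition("=")
        if key.strip() == "p_flags":
            return set(parse_flags(value))
    return set()


def unaudited_syslog_classes(conf, users):
    """p_flags only filters what is forwarded; a class recorded by no flags, naflags or
    audit_user entry is never generated, so listing it in p_flags sends nothing."""
    recorded = set(parse_flags(conf.get("flags", ""))) | set(parse_flags(conf.get("naflags", "")))
    for always, _never in users.values():
        recorded |= set(always)
    return syslog_classes(conf) - recorded


if __name__ == "__main__":
    conf, users = parse_audit_control(AUDIT_CONTROL), parse_audit_user(AUDIT_USER)
    for who in ("root", "dafinga", "guest", "nobody"):
        print(who, {c: sorted(o) for c, o in sorted(effective_flags(conf, users, who).items())})
    print("syslogged but never audited:", unaudited_syslog_classes(conf, users))
```

Point it at the real /etc/security files and the last line is the one to watch: a remote log server that never receives a class is indistinguishable from one where that class simply never happens.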

Thursday, February 2, 2012

Formatting and Command Line tips

These commands were performed on a Solaris 10 i386 & SPARC system.

A quick method to monitor CPU-intensive processes (drops the header line and your own processes, then sorts descending on the C column, the recent CPU utilisation):
# ps -ef | egrep -v "STIME|$LOGNAME" | sort +3 -r | head -n 15

Formatting USB Devices to create a Unix File System (UFS) on Solaris 10

Make sure that your USB drive is not plugged into the Solaris system.
# svcadm disable volfs

Plug in your USB drive, the data provided is just for example.
# rmformat -l

Looking for devices …
1. Logical Node: /dev/rdsk/c0t0d0p0
Physical Node: /pci@0,0/pci17aa,20ab@1d,7 /storage@2/disk@0,0
Connected Device: Seagate    10EAVS External 1.75
Device Type: Removable

Run fdisk on the logical node reported for your device (the p0 device covers the whole disk)
# fdisk /dev/rdsk/c0t0d0p0

Delete any existing partitions and create a new partition with the SOLARIS2 option.  Make sure to choose option 5 to update disk configuration and exit.

Perform the following command to create your UFS file system.
# newfs /dev/rdsk/c0t0d0s2

FAT32 Creation on Solaris 10

Make sure that your USB drive is not plugged into the Solaris system.
# svcadm disable volfs

Plug in your USB drive, the data provided is just for example.
# rmformat -l

Looking for devices …
1. Logical Node: /dev/rdsk/c0t0d0p0
Physical Node: /pci@0,0/pci17aa,20ab@1d,7 /storage@2/disk@0,0
Connected Device: Seagate    10EAVS External 1.75
Device Type: Removable

Run fdisk on the logical node reported for your device (the p0 device covers the whole disk)
# fdisk /dev/rdsk/c0t0d0p0

Delete any existing partitions and create a new partition with the FAT32 option.  Make sure to choose option 5 to update disk configuration and exit.

Perform the following command to create your FAT32 file system.
# mkfs -F pcfs -o b=SEAGATE,fat=32 /dev/rdsk/c0t0d0p0:c
(b= sets the volume label, useful if you want to tell USB sticks apart; the :c suffix selects the first DOS primary partition)

To mount the newly created USB drive, perform the following:
# rmformat -l
# mount -F pcfs /dev/dsk/<USB DRIVE>:c /mnt
*Note* <USB DRIVE> could look like c0t0d0p0 depending on USB connection.

How to perform a flash archive split in Solaris


Make sure you have enough space on your hard drive before performing this action.  Before running flar split, change directory to a location that has at least 8-12 GB available.
# cd /export/FLAR
# cp /export/install/FLARFILES/<image>.flar .
# flar split <image>.flar
# mkdir -m 755 ./image
# cd image
# cat ../archive | uncompress | cpio -id
... 20 minutes later

The FLAR image is now uncompressed and can be viewed in the image directory.  The image directory will have a complete snapshot of the Solaris restore hierarchy.

Wednesday, February 1, 2012

How to Identify Solaris's Instruction Set Attribute

It is easy!

# isainfo -v
64-bit sparcv9 applications
        vis
32-bit sparc applications
        vis v8plus div32 mul32