Deleting all unused services on a host not only helps to make a system more secure but also frees memory and other resources. The fewer services that are installed on a system, the easier it will be to manage. By reducing the number of services on a host, the amount of conflicts and other administrative issues are also reduced.
Many other tasks (such as Patching – security or otherwise) are decreased at the same time as there is less code running on a system. Most attacks against Internet systems are a result of poorly configured and unpatched systems. Good patch management and few services running on a host is a good starting point towards creating a secure environment.
Guidance for Network Services
An unnecessary service is any service which is not needed by the host to complete its functions. For example, a Linux web server with FTP, Apache and SSH with no default FTP pages would have at least FTP as an unnecessary service. It may be argued that SSH is necessary (to load pages – SCP and for administration) but an unused service should never be left enabled. SSH (utilizing SCP) may be used to administratively upload files on this server in a more secure manner than FTP (thus making FTP administratively redundant).
When assessing a system, an auditor should note any network service on the UNIX system that is running. Next, the auditor should be able to either validate that the service is required on the system or alternatively seek a justification as to why the service is running.
Unnecessary Services
It is essential to always ensure that servers are hardened (that is, patched and unused services removed) prior to having a system “go live.” The auditor's role is to verify that any new system is configured against the baseline standard. A default install of nearly any Operating Systems leaves a vast number of services running which, at best, are feasible to never be used, or at worst, leave ports open to external break-ins. The first stage in removing unneeded services is to work out which services are running on a host and to decide which are essential services needed for the operation of the system. UNIX is no different. In fact, the primary difference with UNIX is that although it starts with many enabled services, it can be quite simple to turn these off and configure the host as a bastion running only a single service.
In many cases it is also possible to further restrict the individual services on the host. Many services are configurable with access control conditions or lists to further restrict the services needed on a host. A good example of this would be restricting access via SSH to an administrative LAN using the SSH server configuration directives. Client systems and desktops as well as Servers and network devices come installed with excessive services enabled by default which does not aid in securing a system. The removal of unnecessary services is needed. It is important to remember that this not only makes the system more secure but increases a system's efficiency and thus:
1 Makes the systems better value for money (increases ROI)
2 Makes administration and diagnostics on the host easier.
In this pursuit, netstat is one of the most effective tools available to the auditor. This tool lists all active connections in addition to the ports where programs are listening for connections. Simply use the command “netstat -p -a –inet” for a listing of this information. Note however that many versions of UNIX did not support the “netstat –p” option. Consequently on the systems it may be necessary to use other tools in order to find process information. Read your system manual for more information.
Turning Off Services in UNIX
This process will vary dependant on the version of UNIX or Linux being run. Most settings are contained within configuration files though some UNIX's (such as HP-UX) have a registry system. Always ensure that you have thoroughly investigated the system that you are going to audit before you start the audit.
RPC and Portmapper
UNIX uses “portmap” to register Remote Procedure Call (RPC) programs. If an application wishes to connect to an RPC-based application, it will first query the portmapper for information about the application. This is done in order to save on low numbered ports. The portmapper allows multiple ports to be assigned as they are needed. Unfortunately, the portmapper service may be named in a variety of ways. For this reason it is essential that a checklist is created for your specific system. Many of the aforementioned sites such as SANS, CIS and NIST have created comprehensive lists dedicated to a number of operating systems. Portmapper may be designated under UNIX as portmap, rpc.bind, portmapper or several other possibilities.
The portmapper application is actually an RPC program as well. The distinction is that it always listens on ports 111 TCP and UDP. On certain operating systems such as Solaris, portmapper may also listen on some other high numbered ports. The role the portmapper service is to provide a directory services. These permit applications to register their versions and the port numbers such that applications that may query the portmapper to discover if the service is active and which port number it is associated with. This then allows the application to connect to that port.
The tool “rpcinfo” is a standard tool available on practically all varieties of UNIX. The primary commands that the auditor will need to know include:
▪ “rpcinfo –p” which is used to discover local services, and
▪ “rpcinfo –p <target>” which allows the user to discover remote services
Controlling Services at Boot Time
Before we get into how services are started, we will take a brief look at how their underlying stack may be configured. The reason for this is that individual services will be impacted through the underlying configurations. The file, “
/etc/sysctl.conf” is common to the majority of UNIX systems. The contents, configurations and memory processing will vary across systems. The System Control (sysctl) configuration will in the majority of cases control the system configurations that are of prime importance to the auditor. All of the following options may not be found in this file, but they may be included in one format or another:
▪ ip_forward This option lets the IP stack act as a router and forward packets. Multiple interfaces are not required for this functionality.
▪ accept_source_route This setting configures the operating system to accept source routed packets.
▪ tcp_max_syn_backlog This setting allows the configurations of the maximum number of SYNs in the wait state.
▪ rp_filter This setting provides basic IP spoofing protection for incoming packets.
accept_redirects This setting configures the network stack to accept redirect messages and allow them to alter routing tables.
▪ tcp_syncookies This setting provides syn-cookie based protection against syn flood DOS attacks.
▪ send_redirects This setting controls whether or not the system can generate redirect messages.
▪ accept_redirects This setting is a secondary control used to configure redirect acceptance behavior.
The auditor should create a script to test these settings. The benefits are twofold:
1 The settings may be initially tested against an agreed baseline standard
2 The settings may be tested over time such that a system may be compared to its baseline standard and also a change log.
inetd and xinetd
Network services on UNIX start in a variety of different ways. A common method used by many applications is the “
Super Daemon”. A daemon on a UNIX system is a process or service that is initiated and which subsequently continues to run without further interaction. It may initiate further actions from time to time or may wait for a network connection before taking any other action. SMTP (the mail daemon) is an example of such a service. The mail forwarder will bind socket (generally to TCP port 25) and wait for a connection from another mail server before it does anything.
The two super daemons are inetd and xinetd. inetd has no access control built into itself by default. It was the original version of the software. Although both versions may be found on most UNIX systems, the added functionality and increased security of xinetd makes it the better choice. The configuration of xinetd is not the same as that for inetd. Instead of a separate consideration file (as is used by inetd), xinetd relies on a particular directory (usually “/etc/xinetd.d”). This directory generally contains an individual confederation file for each of the services that are available and which are set to run at boot on the system. The auditor needs to note that services may be run even without a valid configurations file and in some instances services may not be running where there is a valid configurations file. In some instances services may have a configurations file that is marked “disable = yes”!
The primary reason for choosing xinetd over inetd is that xinetd integrates TCPWrappers into xinetd in order to allow access controls for the individual services. This means that access control through ACLs is offered by the “Super Daemon” without a requirement to call tcpd for each of the services as they are launched.
And the majority of systems (unless specially configured), inetd services will not have particularly strong authentication methods associated with them. Further, inetd –based services do not generally log individual accesses to syslog. TCPwrappers adds the capability to screen access based on the client's IP address creating a simple host-based firewall. This also has the capability to log both successful attempts to access the service and also failed attempts. These logs will contain the IP address of the system that has accessed or attempted to access the service. Configuring the access control lists (ACLs) used by TCPwrappers does potentially take some time and a fair bit of planning. The upside however is that once this file is in place and running the system will be far more secure. One of the key principles of defense in depth is to not rely on single points of failure. Your site may have firewalls at different points on the network, but the addition of access control lists on the system increase the security further for very little cost.
Authentication and Validation
There are a variety of ways in which a user can authenticate in UNIX. The two primary differences involve authentication to the operating system against authentication to an application alone. In the case of an application such as a window manager (for example, X-Window), authentication to the application is in fact of authenticating to the operating system itself. Additionally, authentication may be divided into both local and networked authentication. In either case, the same applications may provide access to either the local or remote system. For instance, X-Window may be used both as a local window manager and as a means of accessing a remote UNIX system. Additionally, network access tools such as SSH provide the capability of connecting to a remote host but may also connect to the local machine by connecting to either its advertised IP address or the local host (127.0.0.1) address.
The UNIX authentication scheme is based on the /etc/passwd file. Pluggable authentication modules (PAM) has extended this functionality and allowed for the integration of many other authentication schemes. PAM was first proposed by Sun Microsystems in 1995 and was integrated into Red Hat Linux the following year. Subsequently, PAM has become the mainstay authentication schema for Linux and many UNIX varieties. PAM has been standardized as a component of the X/Open UNIX standardization process.
This resulted in the X/Open Single Sign-on (XSSO) standard. From the auditor's perspective, PAM, however, necessitates a recovery mechanism that needs to be integrated into the operating system in case a difficulty develops in the linker or shared libraries. The auditor also needs to come to an understanding of the complete authentication and authorization methodology deployed on the system. PAM allows for single sign-on across multiple servers. Additionally, there are a large number of plug-ins to PAM that vary in their strength. It is important to assess the overall level of security provided by these and remember that the system is only as secure as the weakest link.
The fallback authentication method for any UNIX system lies with the /etc/passwd (password) file (see Figure
17.2). In modern UNIX systems this will be coupled with a shadow file. The password file contains information about the user, the user ID (UID), the group ID (GID), a descriptor that is generally taken by the name, the user's home directory, and the users default shell.
The user ID and group ID give the system the information needed to match access requirements. The home directory in the password file is the default directory that a user will be sent to in the case of an interactive login. The shell directive sets the initial shell assigned to the user on login. In many cases a user will be able to change directories or initiate an alternative shell, but this at least sets the initial environment. It is important to remember that the password file is generally world readable. In order to correlate user IDs to user names when looking at directory listings and process listings, the system requires that the password file the access to all (at least in read only mode) by all authenticated users.
The password field of the /etc/passwd file has a historical origin. Before the password and show files were split, hashes would be stored in this file. To maintain compatibility, the same format has been used. In modern systems where the password and shadow files are split, an “x” is used to represent that the system has stored the password hashes in an alternative file. If there is a blank space instead of the “x” this represents that the account has no password. It is crucial that the auditor validates the authentication method used.
The default shell may be a standard interactive shell, a custom script or application designed to limit the functionality of the user or even a false shell designed to restrict the use and stop interactive logins. False shells are generally used in the case of service accounts. This allows the account to login (such as in the case of “lp” for print services) and complete the task it is assigned. Additionally, users
may be configured to run an application. A custom script could be configured to start the application allowing the user limited access to the system and to then log the user off the system when they exit the application. It is important for the auditor to check that breakpoints cannot be set allowing the user to gain an interactive shell. Further, in the case of the application access, it is also important to check that the application does not allow the user to spawn an interactive shell if this is not desired.
As was previously mentioned, the majority of modern UNIX systems deploy a shadow file. This file is associated with the password file, but unlike the password file should not be accessible (even to read) by the majority of users on the system. The format of this file is:
UserPassword_HashLast_ChangedPassword Policy
This allows the system to match the user and other information in the shadow file to the password file. The password is in actuality a password hash. The reason that this should be protected comes to the reason that the file first came into existence. In the early versions of UNIX there was no shadow file. Since the password file was world readable, a common attack was to copy the password file and use a dictionary to “crack” the password hashes. By splitting the password and shadow file, the password hash is not available to all users and thus it makes it more difficult for a user to attack the system. The password hash function always creates the same number of characters (this may vary from system to system based on the algorithm deployed, such as MD5 and DES).
UNIX systems are characteristically configured to allow zero days between changes and 99,999 days between changes. In effect this means that the password policies are ineffective. The fields that exist in the shadow file are detailed below:
▪ The number of days since 01 Jan 1970 that password was last changed
▪ The number of days that must past before password can be changed
▪ The number of days after which password must be changed
▪ The number of days before expiration that user is warned,
▪ The number of days after expiration that account is disabled
▪ The number of days since 01 Jan 1970 that account has been disabled
Being that the hash function will always create a password hash of the same length, it is possible to restrict logins by changing the password hash variable in the shadow file. For instance, changing the password hash field to something like “No_login” will create a disabled account. As this string is less than the length of the password hash, no password hash could ever be created matching that string. So in this instance we have created an account that is not disabled but will not allow interactive logins.
Many systems also support complex password policies. This information is generally stored in the “password policy” section of the show file. The password policy generally consists of the minimum password age, maximum password age, expiration warning timer, post expiration disable timer, and a count for how many days an account has been disabled. Most system administrators do not know how to interpret the shadow file. As an auditor, knowledge of this information will be valuable. Not only will it allow you to validate password policy information, but it may also help in displaying a level of technical knowledge.
When auditing access rights, it is important to look at both how the user logs in and where they log in from. Always consider the question of whether users should be able to log in to the root account directly. Should they be able to do this across the network? Should they authenticate to the system first and then re-authenticate as root (using a tool such as “su” or “SUDO”)? When auditing the system, these are some of the questions that you need to consider.
Many UNIX systems control this type of access using the “/etc/securetty” file. This file includes an inventory of all of the“ ttys” used by the system. When auditing the system it is important the first collated a list of all locations that would be considered secure enough to sanction the root user to log into from these points. When testing the system verify that only terminals that are physically connected to the server can log into the system as root. Generally, this means that there is either a serial connection to a secure management server or more likely it means allowing connections only from the root console itself. It is also important to note that many services such as SSH have their own configuration files which allow all restrict authentication from root users. It is important to check not only the “/etc/securetty” file but any other related configurations files associated with individual applications.
Side note: TTY stands for teletype. Back in the early days of UNIX, one of the standard ways of accessing a terminal was via the teletype service. Although this is one of the many technologies that have faded into obscurity, UNIX was first created in the 1960s and 70s. Many of the terms have come down from those long-distant days.