OS Hardening Justin Whitehead Francisco Robles. ECE 4112 - Internetwork Security OS Hardening...


Page 1:

OS Hardening

Justin Whitehead, Francisco Robles

Page 2:

OS Hardening

• Installing kernel/software patches and configuring a system in order to prevent attackers from exploiting and attacking your system.

Page 3:

Motivations

• Why? Add security features not present in default installs
– Vendors leave default installs open for more customizability
– Kernel and system-level patches work against known and unknown bugs
• Bugs/exploits in software

Page 4:

How

• Patches
– Apply security patches to the Linux kernel
– Apply bug patches to software
• Security tools
– Extra system logs and auditing
• System rules and policies
– Restrict user privileges
– Disable unnecessary processes

Page 5:

The Best in Hardening…

• GRsecurity kernel patch features
– Non-executable stack
– Change root (chroot) hardening
– /tmp race prevention
– Extensive auditing
– Additional randomness in the TCP/IP stack
– /proc restrictions

Page 6:

Hardening Utilities

• Bastille Linux (www.bastille-linux.org): automated security program, security wizard
– SUID restrictions
– SecureInetd
– DoS attack detection and prevention
– Automated firewall scripting
– User privileges
– Education

Page 7:

Common Issues and Exploits

• Stack-based attacks
• /proc
• /tmp
• SUID
• TCP sequence numbers

Page 8:

/proc

• /proc is a pseudo file system used by the kernel and kernel-level modules to send information to processes and retrieve information from them

• Some files are writable, but most are read-only; even so, they let users gather information on specific processes.

Page 9:

/proc Solutions

• grsecurity
– /proc permission restrictions that don't leak information about process owners
– Option to hide kernel processes
– /proc file-descriptor/memory protection

Page 10:

/tmp exploits

• The /tmp directory is used by many programs to create and access files.

• No special permissions are needed to create files there; any user can.

• Programs using /tmp must be carefully written in order to avoid exploits

Page 11:

/tmp exploits

• Race condition: replacing a file in the window between a program checking for it and opening it
– Allows an attacker to feed the program their own data, "winning the race"
– Performing a race attack with a symlink can allow an attacker to create a file somewhere else on the system
– Attackers can also gain root access

Page 12:

/tmp Solutions

• GRsecurity: places restrictions on hardlinks/symlinks

• Bastille: each process using /tmp gets its own safe /tmp directory

Page 13:

SUID Exploits

• SUID (Set-User-ID) allows a program to execute with the permissions of its owner, not of the user running it
– Example: passwd
• SUID programs can be exploited to gain root access
– Bad inputs
– Buffer overflows

Page 14:

SUID solutions

• Bastille disables many SUID programs it believes users should not run anyway
– mount, umount?
– Up to the admin

Page 15:

TCP/IP Stack randomization

• Initial sequence numbers can be guessed or discovered by attackers
– Allows session hijacking
– IP spoofing

• Security patches attempt to add more randomization to initial sequence numbers
– grsecurity

Page 16:

What you will be doing

• Base RH 8.0 install
– Run a series of exploits and collect TCP traffic data

• Apply patch to kernel, recompile kernel

• Configure system with Bastille Linux

Page 17:

Before and After

• Port scan
• TCP data capture
• Running a stack exploit
• Running /tmp and SUID exploits
• Comparing user privileges
– SUID programs
– Access to gcc
– /proc

Page 18:

Base Install

• RH 8.0
• Telnet, FTP, and other insecure inetd services running
• No firewall
• No RH updates
• Minimum security settings

Page 19:

GR Security Patch

• Apply patch to kernel, rebuild kernel
– Perform stack exploit
– Perform port scan
– Record differences in /proc
– Perform /tmp exploit
– Compare results to base install

Page 20:

Bastille-Linux

• Install and run
– Configure SecureInetd daemon
– Disable problematic daemons and SUID programs
– Configure firewall
– Enable /tmp security

• Repeat previous tests