home-OS    Why an OS     Basics OS     Networking     P&T OS     P&T Middleware     OS security     MY OS Notes
Unix sec    Win sec     Mainframe sec    Web sec    Network sec    Hack & Hardening     Links&Policies    top  bottom

Operating System Security

Security- operating
With every kind of IT (Information Technology), OS-level security is involved. Although not my major area of interest, I have run into very many issues with it.

A dedicated chapter is justified by all those involvements, having experienced how much work it is to find the information myself and to get it done well.

As the subjects get classified and documented, it amazes me how many of them should be:
  1. common knowledge
  2. already in place


OS Security



Unix / alikes




Unix (and Unix-alikes) Security

Many Unix versions and look-alikes exist: Linux, Android (Google), OS X and iOS (Apple). See: unix family (wiki)
Beyond the vendor-specific documentation, the Open Group specification is a very good reference for the common technical approaches: ~ usage (home/user), the shell, $ variables and parameter usage, scripting, exit status.


They all share the same fundamentals:
  1. users (uids) and groups (gids), identified by number
  2. discretionary access control (DAC) on files and directories


With the Unix security (wiki) information you can build a secure environment at the Unix host level.



Unix users/groups


Users id
User administration is by default local on the machine. The system identifies every key (account) by a number, the uid (User identifier).
Natural names are only shown if the administration contains a name for that number.
The key named "root" gets number 0. All access to the system is open for this key, and for any other key that has uid 0. User and group administration is done as "root".
Everyone is able to view user and group information on the system. Password hashes are (if hardening is done well) kept in the shadow file, readable only with root-level access.

See also: EndUser-Standard-Introduction (fedora redhat)

In an operational system the responsibility to maintain users/groups is usually moved to LDAP (or something like BoKS).

Groups gid
Group administration is by default local on the machine as well. Groups are identified by number, the gid (Group identifier).

id gid information
User information is sometimes available through a vendor command such as lsuser (AIX). The administration files themselves are world-readable:
   grep username /etc/passwd
   grep username /etc/group
   


Group information is sometimes available through lsgroup (AIX). The administration file is open:
 grep ^staff: /etc/group
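An added example, not code from the original page: the lookups that id(1) performs behind the two grep lines above, plus the two checks a hardening review runs first on these files (every uid 0 account is another root, and an empty password field means no password). The passwd and group contents are constructed samples and the function names are my own; point PASSWD and GROUP at /etc/passwd and /etc/group to run it against a host.

```shell
#!/bin/sh
# Resolve a user the way id(1) does from passwd/group files, then run two classic
# audit checks. The two files below are constructed samples.
PASSWD="$(mktemp)"; GROUP="$(mktemp)"
trap 'rm -f "$PASSWD" "$GROUP"' EXIT
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
toor:x:0:0:alternate root:/root:/bin/sh
alice:x:1001:100:Alice:/home/alice:/bin/bash
svc:!:1002:1002:batch service:/var/svc:/sbin/nologin
guest::1003:1003:guest with empty password field:/home/guest:/bin/sh
EOF
cat > "$GROUP" <<'EOF'
root:x:0:
users:x:100:
staff:x:200:alice,svc
nossh:x:201:alice
svc:x:1002:
EOF

# uid of a user (empty if the user does not exist)
uid_of() { awk -F: -v u="$1" '$1==u{print $3}' "$PASSWD"; }

# group name for a gid: passwd stores the primary group as a number only
gname_of() { awk -F: -v g="$1" '$3==g{print $1}' "$GROUP"; }

# all groups of a user, primary first, then the groups whose member list names
# the user: the same list `id -Gn user` prints
groups_of() {
    gid=$(awk -F: -v u="$1" '$1==u{print $4}' "$PASSWD")
    [ -n "$gid" ] || return 1
    prim=$(gname_of "$gid")
    supp=$(awk -F: -v u="$1" '{n=split($4,m,","); for(i=1;i<=n;i++) if(m[i]==u) printf "%s ",$1}' "$GROUP")
    echo "$prim $supp" | tr -s ' ' | sed 's/ $//'
}

# Check 1: every account with uid 0 is root, whatever it is called.
uid0_accounts() { awk -F: '$3==0{print $1}' "$PASSWD" | tr '\n' ' ' | sed 's/ $//'; }

# Check 2: an empty second field means "no password required" on systems that
# still honour it; "x" defers to the shadow file and "!" or "*" locks the account.
empty_password_accounts() { awk -F: '$2==""{print $1}' "$PASSWD" | tr '\n' ' ' | sed 's/ $//'; }

groups_of alice              # users staff nossh
uid0_accounts                # root toor
empty_password_accounts      # guest
```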
   
User settings: rlogin login su
These are the user settings that get much attention in Unix hardening. Search IBM (AIX): aix 61 cmds chuser
The normal way to switch users is su. The login command can also switch users. linux about - login. Traceability is not as good as sometimes required: after su the audit trail shows the target key, not the person who typed the commands. su wiki

rlogin is remote access between Unix systems. This method is unsafe: password and session travel in clear text, and the host-based trust in ~/.rhosts and /etc/hosts.equiv is easily spoofed. The rlogin user attribute should be set to "false" and the r-services replaced by ssh. See: rlogin wiki


The login (command and, on AIX, user attribute) is the normal access to Unix systems using a terminal. It gives a shell in which commands are typed, much like the old PC-DOS era. unix shell wiki

User settings: AIX
.profile usage (startup, comparable to autoexec)

maxage, maxexpired (password ageing attributes, set with chuser and stored in /etc/security/user)

User settings: RedHat (fedora)
.profile, .bash_profile: http://www.redhat.com/mirrors/LDP/HOWTO/Path-6.html http://www.linuxfromscratch.org/blfs/view/6.3/postlfs/profile.html
PASS_MAX_DAYS (in /etc/login.defs for new accounts; chage sets it per user)
setuid setgid (POSIX)
The POSIX standard describes the setuid function (009695399/functions/setuid): If the process has appropriate privileges, setuid() shall set the real user ID, effective user ID, and the saved set-user-ID of the calling process to uid.
Two things share the name: the setuid bit on an executable makes the kernel start the process with the file owner's effective uid, and the setuid() call is what such a program then uses to drop (or, when done wrong, keep) that privilege. The rationale describes the why and how from a design view: the aim is not to have to run as the superuser (root) at all.
Linux follows the POSIX guideline, but the semantics differ subtly between Unix versions; see Setuid Demystified, Hao Chen, David Wagner (University of California at Berkeley), Drew Dean (SRI International), Proceedings of the 11th USENIX Security Symposium, pages 171--190, San Francisco, CA, August 2002. Remark: OpenSSH contains many setuid calls; it is among the programs discussed there.

In the SUA environment of Windows (Subsystem for UNIX-based Applications) the Unix setuid and setgid mechanisms are well described: Setuid in Subsystem for UNIX-based Applications

nosshd
How to control terminal access through the Unix "Secure SHell Daemon" sshd is a basic question. The trick is the config file /etc/ssh/sshd_config.
At au-ssh_restrict (IBM) and sshd_config linuxhowtos are some hits. The simple way of managing it becomes clear.
Optional configuration statements are AllowUsers / AllowGroups / DenyUsers / DenyGroups. sshd evaluates them in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups: a Deny match refuses, and once an Allow directive is present only the listed names get in.
Membership of a group listed in DenyGroups prohibits ssh access.

In this way the sshd (terminal) access can be limited to a list of groups or users. Notice that this part of security is just a config file: whoever can write it controls it, and a typo locks everybody out, so validate with sshd -t before restarting.
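An added example (mine, not from the page or from OpenSSH): a small evaluator that applies the documented order DenyUsers, AllowUsers, DenyGroups, AllowGroups to a user and its group list, reading a constructed sshd_config. It models only plain name patterns with * and ?; USER@HOST forms and Match blocks are left out, and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Evaluate sshd's AllowUsers/DenyUsers/AllowGroups/DenyGroups for one user in the
# order sshd_config(5) documents: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
# The config below is a constructed sample, not a host's file.
set -f   # no pathname expansion: the directive patterns contain * and ?
CFG="$(mktemp)"; trap 'rm -f "$CFG"' EXIT
cat > "$CFG" <<'EOF'
# Interactive ssh only for staff and admins; nossh members are refused even
# when they are also in staff. Other keywords play no role here.
PermitRootLogin no
DenyUsers   guest test*
AllowGroups staff admins
DenyGroups  nossh
EOF

# Space-separated patterns of one directive (keywords are case-insensitive).
directive() {  # $1=config file  $2=keyword
    awk -v d="$2" 'tolower($1)==tolower(d){for(i=2;i<=NF;i++)printf "%s ",$i}' "$1"
}

# Does name $1 match sshd pattern $2 (* and ? wildcards)?
match() { case "$1" in $2) return 0;; esac; return 1; }

# Does any word in $1 match any pattern in $2? (empty pattern list: no)
any_match() {
    for n in $1; do for p in $2; do match "$n" "$p" && return 0; done; done
    return 1
}

# ssh_access CONFIG USER "GROUP ..." : prints allow|deny, exit 0 only for allow
ssh_access() {
    cfg=$1; user=$2; groups=$3
    any_match "$user" "$(directive "$cfg" DenyUsers)" && { echo deny; return 1; }
    a=$(directive "$cfg" AllowUsers)
    if [ -n "$a" ] && ! any_match "$user" "$a"; then echo deny; return 1; fi
    any_match "$groups" "$(directive "$cfg" DenyGroups)" && { echo deny; return 1; }
    a=$(directive "$cfg" AllowGroups)
    if [ -n "$a" ] && ! any_match "$groups" "$a"; then echo deny; return 1; fi
    echo allow; return 0
}

# user:groups pairs; expected: alice allow, bob deny (DenyGroups wins over
# staff), carol deny (no allowed group), test1 deny (DenyUsers test*)
for who in "alice:users staff" "bob:users staff nossh" "carol:users" "test1:staff"; do
    printf '%-6s %s\n' "${who%%:*}" "$(ssh_access "$CFG" "${who%%:*}" "${who#*:}")"
done
```

Before relying on an edit to the real file, run sshd -t -f /etc/ssh/sshd_config for a syntax check and keep the current session open until a second login succeeds.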

su - sudo
sudo is a program for Unix-like operating systems that allows users to run programs with the security privileges of another user (normally the superuser, or root). Its name is a concatenation of the su command (which grants the user a shell as another user, normally the superuser) and "do", to take action. Unlike su, sudo logs every command with the name of the calling user, and /etc/sudoers restricts which commands a user may run; a rule granting ALL, or a command that can spawn a shell (editors, pagers, shells), still gives full root.

In some cases sudo has completely supplanted the superuser login for administrative tasks, most notably in Linux distributions such as Fedora and Ubuntu, as well as Apple's Mac OS X.

sudo license at the official sudo home site (Todd C. Miller).
All information is available there.
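As an added example, not code from the sudo project or from this page: a reviewer's grep over a sudoers file for the rules that hand out root in disguise. The sudoers content is a constructed sample with a sound rule next to the risky ones; the patterns are mine and deliberately simple (no parsing of aliases or Runas details).

```shell
#!/bin/sh
# Flag sudoers rules that amount to "root anyway". Constructed sample file;
# run sudoers_lint on /etc/sudoers and the files in /etc/sudoers.d on a host.
SUDOERS="$(mktemp)"; trap 'rm -f "$SUDOERS"' EXIT
cat > "$SUDOERS" <<'EOF'
# constructed sample
Defaults    logfile=/var/log/sudo.log, use_pty
# operator may restart one service, with password, no wildcards: fine
opsadm  ALL=(root) /bin/systemctl restart httpd.service
# full root without a password: the same as handing out the root password
deploy  ALL=(ALL) NOPASSWD: ALL
# an editor as root: every editor has a shell escape (:!sh in vi)
helpdesk ALL=(root) /usr/bin/vi
# trailing wildcard: "sudo cat /var/log/../../etc/shadow" matches too
auditor ALL=(root) /bin/cat /var/log/*
# a shell as root is root
%wheel  ALL=(ALL) /bin/sh, /bin/bash
EOF

# One finding per line: "<line-number> <reason>". Comments, blank lines and
# Defaults are skipped; the checks are simple on purpose so they stay explainable.
sudoers_lint() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ || /^Defaults/ { next }
    { n=NR; line=$0
      if (line ~ /NOPASSWD:[ \t]*ALL([ \t]|$)/)        print n " NOPASSWD with ALL: unrestricted root, no password"
      else if (line ~ /[ \t]ALL[ \t]*$/)               print n " command ALL: unrestricted root"
      if (line ~ /\/(sh|bash|ksh|zsh|csh|dash)([ \t,]|$)/)        print n " shell listed: direct root shell"
      if (line ~ /\/(vi|vim|view|nano|less|more|man)([ \t,]|$)/)  print n " editor or pager: shell escape gives root"
      if (line ~ /\*[ \t]*(,|$)/)                      print n " trailing wildcard: argument can be anything, including ../ paths"
    }' "$1"
}

# number of findings, for a pass/fail step in a hardening check
sudoers_findings() { sudoers_lint "$1" | wc -l | tr -d ' '; }

sudoers_lint "$SUDOERS"
```

visudo -cf FILE checks the syntax of a candidate file before it goes live, and sudo -l -U USER shows what a user effectively gets after all rules are merged.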
op operator access
op vs sudo (github)
op vs sudo (Dan Lowe)
op (ss64)
op (linux)
boks
BoKS (FoxT ServerControl, wiki) adds keystroke logging.
FoxT website.
It has a different command than sudo to switch user context. It propagates all keys/passwords to the local machine.
The advantages over direct LDAP are clear.
The disadvantages:
  1. No information about the implemented access is visible
  2. No command switching with SAS/Connect (and others) possible. Reason not clear

No technical information is available. In Dutch: BrochureWatIsBoKS

Analysis
Searching the environment: one difference from normal terminal usage is TERM=dumb. No meaning, just the old default terminal type.



Unix DAC, rlogin adm-files


DAC - File Directory access
See wiki: Access_control_list, Discretionary access control, Filesystem_permissions. chmod lets a user tell the system how much (or little) access it should permit to a file.


To make life easier with all the levels and naming conventions a "link" (Symbolic_link, wiki) can be used. The target file and directory stay under full control of the OS: the mode of the symlink itself means nothing, the permissions of the target and of every directory in the resolved path are checked, so there is no way to escape these checks. What does need watching is who may create links in a directory that a privileged program uses (see the symlink race below).

chown (change owner) is restricted to root on Linux and most current Unixes.
chgrp (change group) is an unrestricted command, but requires owning the file and being a member of the new group.

Linux File Permission Confusion pt 1, Linux File Permission Confusion pt 2
The design of the hierarchical file system (Unix File System, Filesystem Hierarchy Standard, Guide_to_Unix/Files, Unix directory structure) has some properties that surprise.

The effects:

GID SetUID sticky-bit
Permissions on directories behave somewhat differently from those on files. They give access to the descriptive part of files, the names: read lists the entries, write creates, deletes and renames entries regardless of the mode of the files themselves, and execute (search) is needed to pass through the directory at all. The setgid bit on a directory makes new entries inherit the directory's group (shared project directories); the sticky bit on a world-writable directory such as /tmp lets only the owner of an entry (or root) delete or rename it. Setuid - Symlink race: secure usage of setuid programs means they must not trust files in directories where standard users can create entries or links.


umask home
umask is a per-process setting, inherited from the login shell, that defines which permission bits are removed from every new file or directory of this key: a file starts at 666 and a directory at 777, minus the umask.

ACL
The classic DAC approach has limitations: one owner, one group, everyone else. Newer options are implemented: POSIX ACLs (getfacl/setfacl) add entries for extra users and groups, and a file carrying an ACL shows a + after the mode in ls -l.

nohup
Starting a process with nohup keeps it running after the terminal logs off: the SIGHUP that the terminal sends on hangup is ignored by the process.




NSF , Unix shares
The nfs-security-trusted-untrusted-environments_1956 (SANS) paper: it was designed to be simple and efficient, not to be secure ...
It states that sharing data between Linux (Unix-like) systems by NFS has risks. This is not what many expect, as sharing with a Microsoft server is common usage and regarded as safe.
Within secure datacenters the risks should be acceptable, provided the exports are limited to known hosts, root_squash stays on and, where possible, Kerberos (sec=krb5, krb5i or krb5p) replaces AUTH_SYS, in which the server simply believes the uid and gids the client sends.

The 9.5 Securing NFS s1-nfs-security (Red Hat): NFSv4 includes ACL support based on the Microsoft Windows NT model, not the POSIX model, because of its features and because it is widely deployed.
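An added example (not code from the SANS paper, Red Hat or this page): a linter for /etc/exports that flags the entries the paper warns about, with a weak export placed beside an acceptable one. The exports content is a constructed sample and the function names are mine.

```shell
#!/bin/sh
# Lint /etc/exports for: exports open to every host, root_squash switched off,
# the "insecure" option (clients on unprivileged ports), and rw shares that rely
# on AUTH_SYS alone. Constructed sample file.
EXPORTS="$(mktemp)"; trap 'rm -f "$EXPORTS"' EXIT
cat > "$EXPORTS" <<'EOF'
# weak: every host, read-write, root on the client is root on the server
/srv/shared      *(rw,no_root_squash,insecure)
# weak: read-only, but still offered to the whole world
/srv/iso         *(ro)
# acceptable: one subnet, root mapped to nobody, Kerberos integrity+privacy
/srv/project     10.20.30.0/24(rw,root_squash,sec=krb5p)
# acceptable: read-only to two named hosts
/srv/docs        app1.example.org(ro) app2.example.org(ro)
EOF

# One finding per line: "<line> <share> <client-entry> <reason>".
exports_lint() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    { share=$1
      for (i=2; i<=NF; i++) {
        ent=$i; host=ent; opts=""
        if (match(ent, /\(.*\)/)) { host=substr(ent,1,RSTART-1); opts=substr(ent,RSTART+1,RLENGTH-2) }
        if (host=="" || host=="*")               print NR " " share " " ent " open to every host"
        if (opts ~ /(^|,)no_root_squash(,|$)/)   print NR " " share " " ent " client root is server root"
        if (opts ~ /(^|,)insecure(,|$)/)         print NR " " share " " ent " accepts unprivileged source ports"
        if (opts !~ /(^|,)sec=krb5/ && opts ~ /(^|,)rw(,|$)/)
                                                 print NR " " share " " ent " rw with AUTH_SYS only: trusts the client uid"
      }
    }' "$1"
}

# number of findings, for a pass/fail step
exports_findings() { exports_lint "$1" | wc -l | tr -d ' '; }

exports_lint "$EXPORTS"
```

On a live server exportfs -v prints the options actually in effect, including the defaults that /etc/exports leaves implicit.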

Samba, Unix to others shares
Microsoft TechNet contains a lot: How to Shoot Yourself in the Foot with Security, Part 1; How to Shoot Yourself in the Foot with Security, Part 2: To ACL or Not to ACL

wiki.xbmc.org: smb CIFS Samba: SMB/SAMBA/CIFS sharing has many advantages over the other options, ...

samba.org: Samba is an important component to seamlessly integrate Linux/Unix Servers and Desktops into Active Directory environments using the winbind daemon.

X11 graphical , X-server - Mouse - call out
X11 is the X Window System (wiki). X.org: X was designed to be used over a network...
Due to the ubiquity of support for X software on Unix, Linux and Mac OS X, X is commonly used to run client applications on personal computers even when there is no need for time-sharing.
It is built as an additional (application) abstraction layer on top of the operating system kernel.


Usage of X11 with server access is not common practice. You need an X server program on your desktop client. The X11 application (in X terms the client) is started from the host using a plain typewriter-style terminal session and then connects back to the desktop; this implies configuring the desktop IP address (the DISPLAY variable) on the server side. To protect your desktop against incoming calls you would register the server IP addresses in xhost; there is no way to register desktop IPs on the server side. The usual remedy is X11 forwarding inside ssh (ssh -X, with X11Forwarding yes in sshd_config): the X traffic travels inside the encrypted session, sshd sets DISPLAY, and the desktop's X server no longer has to accept network connections at all.




Unix security limitations


etc/passwd hash, shadow, 8 chars limit
Amazingly, classic Unix is very limited with passwords. Only the first eight (8) characters are used; the rest of the string is ignored. Jumping into this subject: blog anthonyrthompson   user techdocs
The old crypt() routine is still used for compatibility reasons. It is a DES-based algorithm and the limits come from it: only 7 bits of each of the 8 characters form the 56-bit key, with a 12-bit salt. That is easy to crack with no additional measures. Even worse is to be confronted with this through unexpected behaviour: a password set with 12 characters also accepts any string with the same first 8, and nothing explains why.

IBM documents this with an improvement: ibm support passwords greater than 8 characters and aix v6r1 security (AIX 6.1 added loadable password algorithms, selected with pwd_algorithm in /etc/security/login.cfg).

Microsoft mentions it as well (connecting to Unix): cc770596   Intro to AD integration

The hash algorithm and the shadow file are key elements in protecting the system's integrity.
Additional: do not use the standard key of the default installation and never, never, the standard password of the default installation.
Time is the major factor. Delaying login attempts and warning systems are the best defence. Straight lockout of keys can have serious impact: the locked key may be the one running a service, and then the attacker needs no DoS (Denial of Service) attack at all, a few wrong passwords do it. This change of policy can be found at the SANS institute site.
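An added example, not code from the original page: classify the hash field of every shadow entry so that the legacy DES entries (and empty fields) can be found and forced through a password change. The shadow content is a constructed sample whose hash strings are placeholders; only the prefix and the length are inspected, which is all the classification needs.

```shell
#!/bin/sh
# Inventory the password hash algorithms in a shadow file. Legacy DES crypt
# hashes are 13 characters with no "$id$" prefix and cover only the first eight
# characters of the password; modern hashes carry an identifier: $1$ MD5,
# $5$ SHA-256, $6$ SHA-512, $7$ scrypt, $y$ yescrypt, $2a$/$2b$/$2y$ bcrypt.
SHADOW="$(mktemp)"; trap 'rm -f "$SHADOW"' EXIT
cat > "$SHADOW" <<'EOF'
root:$6$rounds=5000$3h7PqKpe$placeholderSHA512hash:15000:0:99999:7:::
alice:$5$gz9x1aBc$placeholderSHA256hash:15000:0:99999:7:::
legacy:ab3KYzkvBBtgU:12000:0:99999:7:::
svc:!:15000:0:99999:7:::
batch:*:15000:0:99999:7:::
nopass::15000:0:99999:7:::
EOF

# Classify one hash field.
hash_kind() {
    case "$1" in
        "")                       echo none ;;      # empty: login without a password
        '!'*|'*'*)                echo locked ;;    # no valid hash, account locked
        '$1$'*)                   echo md5 ;;
        '$5$'*)                   echo sha256 ;;
        '$6$'*)                   echo sha512 ;;
        '$7$'*)                   echo scrypt ;;
        '$y$'*)                   echo yescrypt ;;
        '$2a$'*|'$2b$'*|'$2y$'*)  echo bcrypt ;;
        \$*)                      echo other-modular ;;
        *) if [ "${#1}" -eq 13 ]; then echo des; else echo unknown; fi ;;
    esac
}

# "<user> <kind>" per shadow line
shadow_inventory() {
    while IFS=: read -r user hash rest; do
        echo "$user $(hash_kind "$hash")"
    done < "$1"
}

# users that need a forced password change: DES (8-character limit) or no hash
weak_hash_users() {
    shadow_inventory "$1" | awk '$2=="des" || $2=="none" {print $1}' | tr '\n' ' ' | sed 's/ $//'
}

shadow_inventory "$SHADOW"
weak_hash_users "$SHADOW"     # legacy nopass
```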


maximum number of groups/key
One unexpected limitation is the maximum number of groups per key (NGROUPS_MAX in limits.h).
It differs between Unix versions, and NFS is affected as well: with AUTH_SYS the RPC credential carries at most 16 gids, so a member of more groups silently loses the rest on the server side. Newer systems have lifted the local limit (Linux: 65536), but the NFS wire limit remains unless Kerberos is used or the server looks the groups up itself.
IBM describes very well what it does: redbook Aix06 security
Red Hat is a Linux (Unix-type) with its own support: RED HAT

PAM - LAM
PAM (Pluggable_Authentication_Modules) is a mechanism to replace the authentication part of the security system with a configurable stack of modules. It does not cover identification (the mapping from name to uid and groups), which comes from NSS.
IBM also uses LAM (Loadable Authentication Modules) on AIX: aix pluggable covers a lot of technical stuff.

note SAS®
Note 21/154 on PAM support in 9.1 sasauth. The bisecag also mentions ... pam

not getting updated groups
Running processes in Unix do not get updated group rights when groups are deleted or added: the supplementary group list is set once at login (initgroups) and copied to every child process, after which it never changes.
This can be a pitfall when trying to change to new requirements. You have to restart the service (for an interactive shell: log in again, or use newgrp/sg) to get it active.

It becomes a serious problem when a service has been running for months, a restart is needed, and only then it is discovered that somewhere in time security groups have been changed without notification; the service cannot be restarted because some rights (groups) are missing.


root usage 2 (toor)
An alternate root key (a second account with uid 0, a different name and shell; the BSD convention is "toor") to differentiate in work. Any second uid 0 account is a door to check in hardening. superuser wiki alt superuser wiki




Windows





Access Control Model
The security systems in Windows 2000 are based on technologies originally developed for Windows NT. The Access Control Model is based on:

Windows Security

Although more Windows versions exist, just one company is responsible: Microsoft.

A lot of Unix and other techniques are the same, as common knowledge or by regulation.



Windows users/groups

Admin accounts
The security model of Windows is more elaborate than the Unix one.
Don't expect an Admin account to behave as an Admin account when it is used by a spawner (a service starting processes on its behalf): every process in Windows runs with its own access token and its dedicated limitations. Under UAC an administrator's logon gets a filtered token until it is elevated, and a built-in service account such as Local Service cannot create accounts with administrative rights (no elevation).

Windows has many different master accounts: domain admin, local admin, service accounts (Local System, Local Service, Network Service), ...
They are set up for different purposes and have different rights. This has evolved much further than in Unix.


Understanding it all brings more complexity.

Windows has limits on the number of keys and groups (the access token has a bounded size, so a user in very many groups cannot log on). See:

Windows has the SAM file, the counterpart of the Unix shadow file: local account password hashes. See: how-cracked-windows-password-part1   how-cracked-windows-password-part2 (windowsecurity.com)


Managing Directory Security Principals in the .NET Framework 3.5  

old xp
Windows XP could not start because the following file is missing or corrupt: \WINDOWS\SYSTEM32\CONFIG\SYSTEM
System error: Lsass.exe When trying to update a password the return status indicates that the value provided as the current password is not correct.
kb 307545 How to recover from a corrupted registry that prevents Windows XP from starting

cc962102 Using the System Key

forum w7itprosecurity  Where is the password stored in windows 7?

Knowing how the password store can be opened (anyone who can read the SAM and SYSTEM hives offline can extract the hashes), measures are to be taken to make it safe: the System Key and, above all, preventing offline access to the disk.



profiles (user)
A roaming profile is designed for using several desktops without losing your personal settings.
helge/2011/04/01 profile migration

With roaming profiles (part of the domain), what to do if a profile gets corrupted?
Some links found: questions/63017 (superuser), cc749823 technet describing xp delprof,   windows-7-profile-synchronization-problem-profilelist

Strange behaviour can occur when the profile registry (ProfileList) and the mappings are not in sync.

Own experience with the firewall.
as commonly used tool(s):

Technical by hand: helge/2008/10/16 (sepago)

ff458273 What's New in Folder Redirection and User Profiles (win-7)




Firewall
Present on the machine since it was introduced with XP. Knowledge of it is not very commonly shared.

cc754986: After you have identified your requirements, and have the information about the network layout and computers available, you can begin to design the GPO settings and rules that will enable you to enforce your requirements on the computers. cc771920 Netsh Commands for Windows Firewall with Advanced Security
kb/947709 How to use the "netsh advfirewall firewall" context instead of the "netsh firewall" context to control Windows Firewall behavior in Windows Server 2008 and in Windows Vista

cc771920: The firewall has nested settings. Firewall rules defined by the local administrator are merged with firewall rules from GPOs and are applied to the computer. (The rule stores are nested as well.)

cc749242 Common Troubleshooting Situations using Windows Firewall with Advanced Security

Local
This name is the loopback definition within TCP/IP. The name resolver should find it.
Instead a firewall pop-up appeared.
Still searching for the cause of this behaviour kb 307545




Windows DAC & AD


takeown icacls robocopy
Some Microsoft links:

With DACLs it is possible to implement a very detailed security scheme.
Don't expect these tools to be supported. To reduce the complexity of security, network access is often set back to basic share security.
Still you need this. There is much overlap in files on the Windows desktop, e.g. with SAS.

icacls.exe and takeown.exe are present on Windows 7 Home installations. takeown makes the caller owner of a file whose ACL locks administrators out; icacls then grants, revokes or saves and restores ACLs; robocopy copies files together with their ACLs (/COPYALL or /SEC).

logical link
The concept of a symbolic link was missing in Windows. Since Vista and Windows 7 it is there: mklink




Encrypted File System
How EFS Works
EFS uses public key encryption in conjunction with symmetric key encryption to provide confidentiality for files that resists all but the most sophisticated methods of attack. The file encryption key (FEK) — a symmetric bulk encryption key — is used to encrypt the file and is then itself encrypted by using the public key taken from the user's certificate, which is located in the user's profile. The encrypted FEK is stored with the encrypted file and is unique to it. To decrypt the FEK, EFS uses the encryptor's private key which only the file encryptor has.




Unix Posix in Windows
Windows (DOS) has copied much from Unix, with many small differences that seem to be disappearing over time. The slashes / and \ are exchanged, but the internet forces / as the standard. md and mkdir are logically equal, and with Win7 mkdir is also accepted. A posix command does not exist in Win7 on my installation.

SAM Software Asset Management
License management is something different from security: SAM (Microsoft). Implementing SAM protects your software investments and helps you recognize what you have, where it's running, and if your organization is using your assets efficiently.



Windows security limitations


.Net Caspol manifest file
These are advanced and disturbing approaches. The standard AD/NTFS security is supplemented by a second security mechanism (Code Access Security, administered with caspol.exe and assembly manifests) with its own administration.
As this is not expected, its effects are normally ignored. .Net security is designed for web access. The local machine (MyComputer zone) is fully trusted, open. The local intranet zone, which is what networked file shares fall into, is partially trusted and thus effectively closed for many operations.
Moving a program from a local drive to a networked drive is affected by these policies.

Note:
In the .NET Framework version 4, the common language runtime (CLR) is moving away from providing security policy for computers. Microsoft is recommending the use of Windows Software Restriction Policies as a replacement for CLR security policy. The information in this topic applies to the .NET Framework version 3.5 and earlier; it does not apply to version 4.0 and later. For more information about this and other changes, see Security Changes in the .NET Framework 4.



Mainframe (Server)

(to come)




WEB Security

JBOSS Apache WEblogic

(to come)

PHP

PHP is commonly used together with Apache (web server) and MySQL (database).
It has the same issues as all tools installed on an OS: it runs with the rights of the web server's key, so the file permissions on the document root decide what a PHP script (or one injected into it) can read and write.

PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML.
PHP install on Unix   PHP filesystem security


PKI, Token, ACL






GUID UID

GUID: The term GUID typically refers to various implementations of the universally unique identifier (UUID) standard.
UUID: A universally unique identifier (UUID) is an identifier standard used in software construction, standardized by the Open Software Foundation (OSF) as part of the Distributed Computing Environment (DCE).
The intent of UUIDs is to enable distributed systems to uniquely identify information without significant central coordination. A UUID is an identifier, not a secret: a version 1 UUID even embeds the generating host's MAC address and a timestamp, so uniqueness must not be confused with unguessability.
PHP filesystem security




Network Security

SSL Certificates

(to come)

Two factor

A note from IBM on securing mobile communications: Tivoli encap



Hack & Hardening

Always: do not trust anyone on his word or message alone.
  Generic
Backdoor: not yet a trojan
  Unix
change password failures, unknown other functions
checklists hardening
trace truss debugging
  Windows
Personal machine, owner rights
Current dir, dropping malware
  Mainframe
Backdoor: not yet a trojan
  WEB services
Backdoor: not yet a trojan
  Networking
Backdoor: not yet a trojan



Generic approaches


Backdoor
Harmless code (easter eggs) as well as a backdoor (wiki) may look like just a joke.
The rootkit (wiki) is the ultimate goal on a cracked system.
The technical implementation is the same: code the owner did not ask for, running with the rights of the program it hides in. How can you tell that the funny message is harmless?




Unix Security


change password failures
One of the most threatening things is a wrong or incorrect change. How do you know for sure that the new situation is safe? A lot of technical documentation can be found.

Changing passx routines
AIX newpassx IBM
Why did I search for this? The changed, new situation did not work. I found that the new version checks: if the login date is filled and maxage and minage are not zero, a new password is required. The old situation did not check everything (a security exploit) and the new situation did not synchronize the settings correctly (maxage - minage).

Found like a needle in a haystack. It hurt. Any more security exploits?
checklists
linux security (cyberciti)
linuxchecklist (sans)
trace truss
Debugging problems requires dedicated tools: AIX truss (IBM).
These tools can also open up information that should be kept secret: a system-call trace shows the arguments of read, write and exec, so a password typed into a program or passed on its command line is visible to whoever may trace the process. truss to find password (youtube)




Windows (Server)


personal machine
(to come)
Current map
(to come)




Mainframe (Server)

Isolated by 3270
(to come)



Injections

SQL
SQL injection: SQL injection is a technique often used to attack databases through a website, by placing SQL fragments in input that the application concatenates into a query.
LDAP
Lightweight Directory Access Protocol (LDAP) injection is an attack used to exploit web-based applications that construct LDAP statements from user input; the remedy is the same as for SQL, never build the statement by string concatenation of unescaped input.



WEB services

Java

obfuscating
Obfuscation is hiding the source. It is popular with malware. With Java (Java_Virtual_Machine) and JavaScript the delivered code is effectively open source: debugging / reverse engineering of bytecode or script back to readable source is possible.

As a reaction, vendors want to hide the source as a license/copyright measure. Obfuscation only raises the cost of reading; it is not a security control.
DoS XML
XML Denial of Service Attacks and Defenses (msdn)
cross site scripting
Cross-site_scripting




Generic policies & links

Password
Cracking/guessing passwords can be easy: try secret, or admin/admin. Many password policies exist to make guessing more difficult.
Knowing the hash and the algorithm (or any other way to check a guess), every password can be cracked; it is a matter of time, which a salt and a slow hash stretch, and which a short or common password shrinks to nothing.
Some links: cracking passwords (geodsoft) garykessler pam_cracklib (deer-run)

Password (wiki) Password_policy (wiki) Salt_(cryptography) (wiki) Password_strength (wiki)

Base64 (wiki) MD5 (wiki)
Sandbox - DTAP
Sandbox_(software_development) (wiki)
Sandbox_(computer_security) (wiki)
Development,_testing,_acceptance_and_production (wiki)

not validating input

buffer overflow
Buffer_overflow (wiki): a special case of violation of memory safety.
code injection
Code_injection (wiki): abuse of unvalidated input to run code.

Design failure
top 25 Software errors (sans).

getting out of service

DDOS
Distributed_denial-of-service (wiki): In computing, a denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users.
Blocking service accounts
An account lockout policy applied to a service account lets an attacker stop the service by producing a few failed logins for it (see the password section above).




Links


hardening others
Red Hat Linux: SELinux
Red Hat Linux: SEL inux V6 benefits
SUSE Linux: SELinux / AppArmor by cyberciti.biz
Fedora Linux: SELinux by the Fedora project




© 2012 J.A.Karman (02 mar 2012)

working on this: I'm working mostly on other pages at this moment (mar 2012).
Found this was a subject to do as a dedicated subject. Links and paragraphs will be moved here.

For the most part this page will be a mash-up. As soon as I see the hit ratio grow I will do a clean-up.