LPI LVL3 Security: Area 2 – Local Security
Deals with local security issues – user and authentication systems such as shadow passwords, PAM, filesystem and partition security, configuring local daemons and services, X-Windows, LIDS, Logging, Mail security, physical and bootloader security, incident response, etc.
i. Boot loader security
   1. Boot password
   2. Designating an "emergency kernel"
ii. Booting to single user mode: init / inittab
iii. Understanding runlevels
   1. Identifying the current runlevel
   2. Changing runlevels
   3. Changing runlevel configurations

i. Custom kernel modifications
ii. Disabling unnecessary protocols and services
iii. Recompiling the kernel
iv. Kernel-specific security enhancements
   1. SELinux from the NSA
   2. Kernel patches
   3. CSA Auditing

i. /etc/passwd
ii. /etc/shadow - differences
iii. Account information tied to user config (password expiry, primary group membership, etc.)
iv. Setuid

i. /etc/groups
ii. Chgrp
iii. Gpasswd
iv. Groupadd / groupdel / groupmod
v. Setgid

i. Install packages to fix security vulnerabilities
ii. Patch source code with diff files and recompile to fix security vulnerabilities
iii. Download an updated 'tarball' and recompile to fix security vulnerabilities
iv. Configure automated package update utilities (up2date, YaST, etc.)

i. Overview of filesystems
   1. Journaling vs. non-journaling
   2. Level of logging
   3. Fragmentation issues (availability)
   4. ext2, iso9660, fat, etc.
   5. Creating a volume with fdisk
   6. Formatting a volume with mkfs
ii. Chmod
iii. Chown
iv. Attrib
   1. Especially attrib +i (immutable)
v. Setuid and setgid binaries
vi. Using mount
vii. Fstab / mtab

i. Different options for mounting filesystems
   1. R/O vs. R/W
   2. No symlinks
   3. NFS
   4. Samba (smbmount)
   5. NFS (nfsmount)
   6. Re-exporting a mount
ii. File locking systems
iii. Creating secure /home and /tmp directories
iv. Creating encrypted volumes
   1. Not /boot or equivalent
   2. runefs – whatever is built in
v. Disk quotas

i. Identify listening ports with netstat
ii. Identify listening ports with lsof

i. Starting a process with a specific 'nice' level
ii. Starting a process with another visible name
iii. Using sudo

i. Configure XDM security
ii. Configure security with 'xhosts'
iii. Configure locking screen savers
iv. Tunnel remote X-windows sessions through SSH
v. Understand the .Xauthority file
vi. Use '-nolisten tcp' to stop remote X sessions

i. SELinux from the NSA
ii. Kernel patches

i. Configuring syslog
   1. Changing log settings
   2. Logging to a remote host
   3. Accepting syslog connections from a remote host
ii. .bash_history / shell history
iii. Wtmp
iv. Utmp

i. Establish a system to identify an incident
   1. Automated systems (IDS)
   2. Manual systems (manual reconciliation / log analysis)
   3. Establish thresholds for what defines an "incident"
ii. Establish a system to respond to an incident
   1. An incident response team
   2. A recommended set of IR steps
   3. A means to limit further exposure
   4. A means to capture as much relevant information as possible
   5. A means to communicate information up and down the chain
   6. A plan to deal with management, employees, the media, etc.
   7. A means to analyze the effectiveness of the plan after an incident and revise as appropriate
   8. Take into account applicable IR laws (California HB 1386)
iii. Using find to identify interesting files
   1. -ctime, -mtime, -atime
   2. File ownership
   3. Analyze slack space / unallocated inodes
iv. Identifying running processes
v. Identifying current network connections
vi. Using MD5 hashes to find Trojans/backdoors
vii. Using software to find Trojans/backdoors
   1. Find rootkit
   2. Anti-virus
viii. Using TCT
ix. Using FIRE
x. Other forensic tools