UNIX system administrator security
This paper discusses security from the system administrator's point of view. The system administrator is the manager of the system: starting and stopping it, installing new software, adding new users and removing old ones, and handling the day-to-day business of running and developing the system.

1. Security management

Security management has four main aspects:

(1) Preventing unauthorized access. This is the most important computer-security issue: keeping people who are not users of the system out of it. User awareness, good password management (a joint effort of the system administrator and the users), recording and reporting of login activity, and periodic checks of user and network activity are the keys to preventing unauthorized access.

(2) Preventing leakage. This is also an important issue: preventing authorized or unauthorized users from reading each other's important information. File-system checks, logging and reporting of su, user awareness, and encryption are the keys to preventing leakage.

(3) Preventing users from denying service to the system. This aspect of security should be handled by the operating system: a system should not be damaged by a user who sets out to consume too many resources. Unfortunately, UNIX does not limit a user's use of resources. One user can use all the disk space of a file system, and UNIX cannot stop the user from doing so. The system administrator should check the system periodically with the ps command, the accounting programs, df and du, looking for processes that use excessive CPU and for large numbers of files taking up space.

(4) Preventing loss of system integrity. This kind of security depends on good system administration (for example, backing up the file system periodically, running fsck, repairing the file system after a crash, and, when a new user arrives, checking whether the user may run software that crashes the system) and on maintaining a reliable operating system (that is, one a user cannot crash).
The rest of this article mainly deals with the first two problems; the third is discussed under accounting in the "Security checks" section.

2. The superuser

Some system-management commands can only be run by the superuser. The superuser has privileges that no other user has, and can read and write any file regardless of its access permissions. The system administrator usually becomes the superuser with the command /bin/su, or by logging in as root. In the rest of this article, a command shown after "#" must be run by the superuser, and a command shown after the ordinary user prompt can be run by any other user.

3. File system security

(1) Overview of the UNIX file system

The UNIX file system is the heart of the UNIX system; it provides a hierarchy of directories. The file system divides the disk into units of 1024 bytes called blocks (some systems, such as SCO Xenix, use 512-byte blocks). Blocks are numbered from 0 up to the last block of the disk. The blocks are divided into four parts. Block 0 is the boot block, which the file system itself does not use;
Block 1 is the superblock (the "dedicated block"); it holds much information, including the size of the disk and the sizes of the other two parts. The i-node table starts at block 2 and contains the i-nodes; how many blocks it occupies depends on the system (i-nodes are discussed below). After the i-node table come the free storage blocks (data blocks), which hold the contents of files.

The logical structure of a file and its physical structure are quite different. The logical structure is what the user sees when typing the cat command: a stream of characters that represents the contents of the file. The physical structure is how the file is actually stored on the disk. The user thinks of the file as a contiguous stream of characters, but the file need not be stored contiguously; a file longer than one block is usually scattered over the disk. When the user accesses the file, however, the UNIX file system fetches each block in the correct order and presents the logical structure to the user. Of course, somewhere in the UNIX system there must be a table telling the file system how to turn the physical structure into the logical one. This is where the i-node comes in.

An i-node is a 64-byte table containing information about a file: its size, its owner, its access permissions, and whether it is an ordinary file, a directory or a special file. The most important item in the i-node is the disk address table, which has 13 entries. The first 10 entries hold the addresses of the first 10 blocks of the file. These 10 entries describe a logical structure of up to 10 blocks: the file's blocks are read in the order given by the disk address table. What happens when the file is longer than 10 blocks?
The eleventh entry in the disk address table gives the number of a block that itself contains 256 block numbers; this way a file of up to 266 blocks (272,384 bytes) can be addressed. If the file is larger than 266 blocks, the twelfth entry gives the number of a block containing 256 block numbers, each of which refers to a block that in turn contains 256 block numbers; those blocks hold the contents of the file. The thirteenth entry works like the twelfth, with one more level of indirection. Thus the maximum file length in a UNIX system is 16,842,762 blocks, that is, 17,246,988,288 bytes. Fortunately, UNIX systems add a more practical limit on the maximum file length (generally 1 to 2 MB), so a user cannot unintentionally create a file that fills the whole disk.

Converting a file name to an i-node is actually quite simple. A directory is really a file containing a directory table: for each file in the directory there is an entry holding the file name and the i-node number corresponding to the file. When the user types cat xxx, the file system looks in the current directory table for the entry named xxx, takes the i-node number of xxx from it, and then reads the blocks containing the contents of xxx.

(2) Device files

The UNIX system communicates with the devices attached to it through special files: as far as a program is concerned, a disk is a file, a modem is a file, even memory is a file. Every device connected to the system has a file in the /dev directory. When I/O is done on one of these files, the I/O is converted into an operation on the actual device. For example, the file /dev/mem is the system's memory; cat'ing that file actually displays the system's memory on the terminal.
For security, this file is unreadable by ordinary users, because at any given moment the memory may contain the password a user typed to log in, or the editing buffer of a running program, which may hold text just decrypted with the ed -x command, and all kinds of other information that users do not want others to see.

The files in /dev are usually called device files. Use ls /dev to look at the device files on a system; some of them are:

acu0     automatic dialer
console  system console
dsknn    disk partition, block mode
kmem     kernel memory
mem      memory
lp       printer
mt0      tape, block mode
rdsknn   disk partition, character (raw) mode
rmt0     tape, character (raw) mode
swap     swap area
syscon   system terminal
ttynn    terminal
x25      network port

(3) /etc/mknod

The /etc/mknod command is used to create device files; only root may use it. Its arguments are the file name, the letter c or b for a character special file or a block special file, the major device number and the minor device number. Block special files are devices such as tapes and disks that transfer data in blocks. Character special files are devices that transfer data one character at a time, and they also include the raw disk devices, which present the disk as a character device. The major device number specifies the system subroutine (device driver) that the system calls when I/O is done on the device. When the device driver is called, the minor device number is passed to it (the minor number specifies the particular disk drive, tape drive, signal line or disk partition). Each kind of device generally has its own device driver. The file system stores the major and minor device numbers in the disk address table of the i-node, so no disk space is allocated to a device file (apart from the space occupied by the i-node itself). When a program tries to do I/O on a device file, the system recognizes that the file is a special file and calls the device driver specified by the major device number, passing the minor device number as an argument to the driver.

(4) Security considerations

Treating devices as files makes UNIX programs device-independent: a program need not know anything about the characteristics of the device it is using, and accessing a device requires no knowledge of record length, block size, transfer speed, network protocol and so on. All those annoying details are handled by the device driver. To access a device a program simply opens the device file and then uses it like an ordinary UNIX file. From a security point of view this is good, because all I/O on any device passes through a small number of channels (the device files). Users cannot access a device directly. So if the disk partition device files are set up properly, users can only reach the disk through the UNIX file system, which has its own security mechanism (file permissions). Unfortunately, if the permissions on a disk partition device are wrong, any user can write a program that reads files straight off the disk partition. The method is simple:
read an i-node, then read the blocks listed in its disk address table in order to get the contents of the file. So never make a disk partition writable by anyone other than root. Because ownership and access-permission information is stored in the i-node, anyone who can write to the partition could set the SUID permission on any file, regardless of its owner and without using the chmod command, and so bypass the system's security checks. The memory files mem and kmem and the swap file are in the same category: they contain user information, and a "patient" program can extract it. To avoid leaving disk partitions (and other devices) readable or writable, set the umask appropriately before creating the device files.

Terminal ports on a UNIX system are generally writable by anyone, so that users can send messages with the write command. Although write is prone to security problems, most users consider it useful for receiving messages from other users, so the system leaves the terminal devices writable by all users. The /dev directory should have permission mode 755 and be owned by root. Do not let anyone other than root read or write disk partitions. There is one exception: some programs (usually database systems) need direct access to a disk partition. The solution is to dedicate a disk partition to the program (not mounting a file system on it) and to tell the users of the program that the program itself, not the UNIX file system, is responsible for protecting the data.

(5) The find command

The find command searches a directory tree and performs some operation on every file in it. Its arguments are a list of directories (the starting points of the search) followed by one or more options, which specify what to do with each file.

find . -print lists every file in the directory tree under the current working directory.

find / -user bob -print lists every file in the system that belongs to user bob.

find /usr/bob -perm 666 -print lists every file under /usr/bob whose permission mode is exactly 666. If 666 is changed to -666, every file whose permissions include 666 (such as 777) is listed.

find /usr/bob -type b -print lists every block special file under /usr/bob (use c for character special files).

find / -user root -perm -4000 -exec ls -l {} \; is a more complex command. -exec command \; runs the specified command on every file found; if the command contains {}, {} is replaced with the name of the file found, and the command must end with \;.

These examples introduce the use of find; its options can be combined to do much more.

(6) The secure program

The system administrator should have a program that periodically checks the files in the system, including device files and SUID/SGID programs (pay particular attention to SUID/SGID programs), checks /etc/passwd and /etc/group for logins without passwords, and checks whether important files have been modified. (The source listing will be published later.)

(7) The ncheck command

The ncheck command checks a file system. Given a single disk partition name as its argument, it lists the i-node numbers and the corresponding file names. Note: the file names it lists are not prefixed with the mount-point directory (the first field of the mount command's output), because ncheck looks inside the file system and does not know where it is mounted. The command can also search a file system for all SUID/SGID programs and device files: use the -s option for that.

(8) Mounting and unmounting file systems

A UNIX file system is mountable, which means that each file system can be attached to any node of the directory tree (the root file system is always mounted). The directory on which a file system is mounted is called the mount point. The /etc/mount command mounts a file system; with it, a file system can be mounted on any existing directory. While a file system is mounted there, the files and directories that were in the mount-point directory are inaccessible, so do not put files into a mount-point directory while nothing is mounted on it. After a file system is mounted, the permissions and owner of the mount point change to those of the root directory of the mounted file system. Be careful when mounting file systems: the attributes of the mount point will change!
Watch out for new file systems: unless the new file system was created with the standard file-system creation program, which sets appropriate permissions, the permissions of the new file system will be 777! The -r option mounts a file system read-only; file systems on write-protected drives and disks should be mounted this way. Running /etc/mount with no arguments gives information about the file systems mounted in the system: the directory each is mounted on, which device in /dev it is, whether it is read-only or read-write, and the date and time it was mounted.

From a security point of view, the danger of mounting file systems comes from users, who may ask the system administrator to mount a file system of their own. If a user's file system is to be mounted, scan it for SUID/SGID programs and device files before allowing access to it. Mount the file system on a directory that no one but root can search, list suspicious files with the find command or the secure program, and remove the SUID/SGID permission from all user files. When the user has finished with the file system, unmount it with the umount command, change the owner of the mount-point directory back to root, and set its permissions back to 755.

(9) System directories and files

Many files in a UNIX system must not be writable by users, for example /bin, /usr/bin, /usr/lbin, /etc/passwd, /usr/lib/crontab, /unix, /etc/rc, /etc/inittab, and most system directories. A writable directory lets files be moved, which causes security problems. The system administrator should regularly check the permissions and owners of system files and directories.
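The following script is an added example, not code from the article or the secure program it mentions. It uses find in the way described in (5) to do the scan that (6), (8) and (9) call for: listing SUID/SGID programs, device files and world-writable files under a tree (for instance a freshly mounted user file system, or the system directories). The sample tree, its file names and the output labels are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the article: a small secure-style scan built on
# find(1). It reports SUID/SGID programs, device files and world-writable
# files under a directory tree. The sample tree below is constructed.

scan_tree() {
    # $1: root of the tree to scan. One finding per line: "<KIND> <path>".
    # "-perm -4000" matches files whose mode includes the SUID bit (the "-"
    # prefix means "at least these bits"), "-perm -2000" the SGID bit.
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
        sed 's/^/SUID_SGID /'
    # block (b) or character (c) special files outside /dev are suspicious
    find "$1" \( -type b -o -type c \) -print 2>/dev/null |
        sed 's/^/DEVICE /'
    # files anyone may write; no system file should appear in this list
    find "$1" -type f -perm -0002 -print 2>/dev/null |
        sed 's/^/WORLD_WRITABLE /'
}

count_findings() {
    # $1: tree root, $2: finding kind; prints how many findings of that kind
    scan_tree "$1" | awk -v k="$2" '$1 == k { n++ } END { print n + 0 }'
}

make_sample_tree() {
    # Constructed sample tree: one SUID file, one SGID file, one ordinary
    # file and one world-writable file. Prints the directory name.
    t=$(mktemp -d)
    mkdir -p "$t/bin" "$t/tmp"
    : > "$t/bin/suidprog";  chmod 4755 "$t/bin/suidprog"
    : > "$t/bin/sgidprog";  chmod 2755 "$t/bin/sgidprog"
    : > "$t/bin/normal";    chmod 0755 "$t/bin/normal"
    : > "$t/tmp/scratch";   chmod 0666 "$t/tmp/scratch"
    echo "$t"
}

# Stand-alone demonstration on the constructed tree. On a real system the
# call would be "scan_tree /" run as root, with the output reviewed by hand.
sample=$(make_sample_tree)
scan_tree "$sample"
rm -rf "$sample"
```

Device files cannot be created without root, so the constructed tree contains none and the DEVICE list is empty in the demonstration; on a user's file system any entry in that list deserves the same attention as an SUID program.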
A program can be written that checks each file against the rules in a rule file supplied by the system (the /etc/permlist file) and a set of permission rules. (The source listing will be published later.) Note: if a system has not been securely administered, or is newly installed, and its security is not yet adequate, you can run the above program in "make" mode on a secure system, copy the permission rule file to the new system, and then run the program on the new system in "set" mode; this raises the new system's level of security. Remember, though, that the two systems must run the same version of UNIX.

4. Programs that run as root

Some programs are run as root processes by the system. They do not always have SUID permission, because many of them are only ever run by root. The system administrator needs to know what these programs do, and which other programs they run.

(1) System startup

When some UNIX systems (such as SCO UNIX/Xenix) start up, they run in what is called single-user mode. In this mode users cannot log in; the only processes are init, swapper, and whatever the system administrator runs from the console. The UNIX system starts in single-user mode so that the system administrator can check that it is working properly before allowing normal users to log in. While the system is in single-user mode, the console is a superuser session and the prompt is "#".
Some UNIX systems do not ask for the superuser password at this point; they simply take whoever is at the console to be root and give the # prompt. This can be a security problem.

(2) The init process

A UNIX system always runs at some run level; there are several run levels, and they are controlled by the init process. Single-user mode is also called level 1 or S, and UNIX also has a multi-user mode, called level 2, in which other users can log in. The init process controls the system's run level: it reads the file /etc/inittab, which specifies which processes run at which level. When root types init n, the system enters level n; init reads the file to determine which processes to terminate and which to start. The valid run levels are 0 to 6 and s. Note: processes started by init from /etc/inittab run with UID 0, that is, as root, so the system administrator must know what every entry in /etc/inittab does, and must make sure that those programs, the directories containing them, / and /etc/inittab itself are writable by no one but root.

(3) Entering multi-user mode

When a UNIX system enters multi-user mode, a series of events takes place, and then the gettys are started so that other users can log in. If you look at /etc/inittab you will see the gettys defined at run level 2, and at least three shell scripts, /etc/brc, /etc/bcheckrc and /etc/rc*, also defined at run level 2. These scripts run before the gettys. They run as root, so not only must they be writable by root alone; the commands they run must be checked as well, because those commands also run as root.
(4) The shutdown command

The shutdown command is used to stop the system. The shutdown shell script sends a warning telling all users to log off, and when the given grace period has elapsed it kills processes, unmounts the file systems, and enters single-user mode or the halt state. Once the system is in single-user mode, all gettys stop and users can no longer log in; once it is halted, the machine can be switched off. shutdown can only be run by a user logged in as root on the system console, so anything shutdown runs must be writable only by root.

(5) cron in System V

While a UNIX system is in multi-user mode, cron runs specified commands at specified times. Every minute it checks the file /usr/lib/crontab for programs that are due to run.
If it finds a program that is due, it runs it; otherwise it sleeps for a minute. /usr/lib/crontab is used to run programs on a regular schedule throughout the day, and to run at night programs that would slow other users down during the day. Programs typically run by cron are things like accounting. cron is usually started by /etc/rc when the system enters multi-user mode, and it is terminated when shutdown runs the killall command. Programs run by cron run as root, so pay attention to which programs are in crontab, and make sure that neither /usr/lib/crontab nor any program listed in it is writable by others. If a user needs a program run by cron, the system administrator can create an entry in crontab that uses the su command, so that the user's program cannot obtain root permissions.

(6) cron after System V Release 2

In System V Release 2, cron was modified to let users create their own crontab entries. The /usr/lib/crontab file no longer exists; it is replaced by files in the directory /usr/spool/cron/crontabs. These files have the same format as crontab, but each corresponds to one user of the system, carries that user's name, and is run by cron as that user. To restrict who may create a crontab, list the users who are allowed to run the crontab command in the file /usr/lib/cron/cron.allow; no one not listed in that file can run crontab. Conversely, if you would rather list the users who are not allowed to run crontab, put them in /usr/lib/cron/cron.deny, and every user not listed there may create a crontab. Note: if both files exist, the system uses cron.allow and ignores cron.deny. If neither file exists, only root can run crontab.
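The cron.allow/cron.deny rule just described, written out as a shell function. This is an added example, not code from the article or from any cron implementation; the scratch directory stands in for /usr/lib/cron, and the user names in the scenarios are constructed.

```shell
#!/bin/sh
# Added example, not from the article: the crontab access rule for
# cron.allow / cron.deny, applied to a directory that stands in for
# /usr/lib/cron. Directories and user lists below are constructed.

cron_allowed() {
    # $1: user name, $2: directory holding cron.allow / cron.deny
    # Prints "yes" if the user may run crontab, otherwise "no".
    user=$1; crondir=$2
    if [ -f "$crondir/cron.allow" ]; then
        # cron.allow takes precedence: only the users listed in it may run
        # crontab; cron.deny is ignored even if it exists
        if grep -qx "$user" "$crondir/cron.allow"; then echo yes; else echo no; fi
    elif [ -f "$crondir/cron.deny" ]; then
        # no allow file: everyone may run crontab except the users listed
        if grep -qx "$user" "$crondir/cron.deny"; then echo no; else echo yes; fi
    else
        # neither file: only root may run crontab
        if [ "$user" = root ]; then echo yes; else echo no; fi
    fi
}

setup_scenario() {
    # Build a constructed scratch directory for one scenario and print its
    # name. $1 is one of: allow, deny, both, none.
    d=$(mktemp -d)
    case $1 in
        allow) printf 'alice\n' > "$d/cron.allow" ;;
        deny)  printf 'mallory\n' > "$d/cron.deny" ;;
        both)  printf 'alice\n' > "$d/cron.allow"; printf 'alice\n' > "$d/cron.deny" ;;
        none)  ;;
    esac
    echo "$d"
}

# Stand-alone demonstration: every scenario against three users
for sc in allow deny both none; do
    d=$(setup_scenario "$sc")
    for u in root alice mallory; do
        echo "$sc: $u -> $(cron_allowed "$u" "$d")"
    done
    rm -rf "$d"
done
```

The "both" scenario lists alice in both files and still answers yes, which is the point the article makes: once cron.allow exists, cron.deny has no effect, so an administrator who wants a deny list must make sure no cron.allow file is present.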
So, to allow every user on the system to run crontab, create an empty cron.deny file and, if cron.allow also exists, remove it. This version of cron is more secure than the earlier one, because users can only look at their own crontab, and the system administrator need not worry about whether other users' jobs run as root, since each user is allowed a private crontab. It also simplifies running jobs through cron, because they no longer have to run as root. Make sure that root's crontab file is writable only by root, and that the directory containing it and all of its parent directories are writable only by root.

(7) /etc/profile

When a user (including root) logs in, the shell executes the file /etc/profile. Make sure that this file, and the programs and commands run from it, are writable only by root.

5. The /etc/passwd file

The /etc/passwd file is one of the keys to UNIX security. It is used to check the user's password at login, and of course it must be writable only by root. Each line of the file has the general format:

logname:password:UID:GID:userinfo:home:shell

The first two fields are the login name and the encrypted password. The two numbers that follow are the UID and GID; the next field is whatever information about the user the system administrator wants to record; and the last two fields are path names: the home directory assigned to the user, and the shell that runs after the user logs in (by default /bin/sh).

(1) Password aging

The format of /etc/passwd lets the system administrator require users to change their passwords regularly. In the password file you may see encrypted passwords followed by a comma and a few characters before the colon, for example:

steve:xydfccctrt180x,m.Y8:0:0:admin:/:/bin/sh
restrict:pomjk109jky41,.1:0:0:admin:/:/bin/sh
pat:xmottvoyumjls:0:0:admin:/:/bin/sh

Steve's password field has 4 characters after the comma, restrict's has 2, and pat's has no comma. The first character after the comma is the maximum number of weeks the password remains valid. The second character is the minimum number of weeks that must pass before the user may change the password again (this stops a user from changing straight back to an old password). The remaining characters record when the password was last changed. To read the information after the comma you must know the counting method used by passwd, which is:

. = 0
/ = 1
0-9 = 2-11
A-Z = 12-37
a-z = 38-63

The system administrator must put the first two characters into /etc/passwd to require users to change their passwords regularly; the last two characters are filled in by the passwd command when the user changes the password. Note: to make a user change the password, put two "." characters in place of the last-change time; the user will then be required to change the password at the next login. There are two special cases:

(a) If the maximum number of weeks (the first character) is less than the minimum (the second character), the user is not allowed to change the password; only the superuser can change it.

(b) If the first and second characters are both ".", the user is required to change the password at login; after the password has been changed, the passwd command deletes the aging characters.

(2) UID and GID

The UID information in /etc/passwd is very important: the system uses the UID, not the login name. In general a user's UID should be unique; no other user should have the same UID. By convention, UIDs 0 to 99 are reserved for system users (root, bin, uucp and so on). If two entries in /etc/passwd have the same UID, the two users have identical access rights to each other's files.

6. The /etc/group file

The /etc/group file holds information about groups; every GID in /etc/passwd should have a corresponding entry in this file. An entry lists the group name and the users who belong to the group.
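A decoder for the aging field, as an added example (not the article's code and not the passwd program's): it applies the counting table above to the first two characters after the comma and reports the two special cases. The constructed passwd file holds the article's own three example entries; the function names and the status words are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the article: decoding the password-aging field
# that follows the comma in the password field of /etc/passwd, using the
# character table given in the text. Sample entries are the article's own,
# rebuilt here as a constructed passwd file.

age_value() {
    # Map one aging character to its number:
    #   . = 0, / = 1, 0-9 = 2-11, A-Z = 12-37, a-z = 38-63
    awk -v c="$1" 'BEGIN {
        t = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
        print index(t, c) - 1      # index() is 1-based; gives -1 if c is unknown
    }'
}

age_status() {
    # $1: the whole password field, e.g. "xydfccctrt180x,m.Y8"
    # Prints "none" when there is no aging field, "malformed" when it is
    # shorter than two characters, otherwise "max=<weeks> min=<weeks> <case>".
    case $1 in
        *,*) aging=${1#*,} ;;
        *)   echo none; return 0 ;;
    esac
    if [ "${#aging}" -lt 2 ]; then echo malformed; return 0; fi
    first=$(printf '%s' "$aging" | cut -c1)
    second=$(printf '%s' "$aging" | cut -c2)
    max=$(age_value "$first")
    min=$(age_value "$second")
    if [ "$first" = . ] && [ "$second" = . ]; then
        # both zero: the user must change the password at the next login
        what=change-at-next-login
    elif [ "$max" -lt "$min" ]; then
        # maximum below minimum: the user may not change the password at
        # all; only the superuser can
        what=only-root-may-change
    else
        what=normal
    fi
    echo "max=$max min=$min $what"
}

report_aging() {
    # $1: a passwd-format file; prints "<login> <status>" for each entry
    while IFS=: read -r login pw rest; do
        echo "$login $(age_status "$pw")"
    done < "$1"
}

# Constructed sample file holding the article's three example entries
sample=$(mktemp)
cat > "$sample" <<'EOF'
steve:xydfccctrt180x,m.Y8:0:0:admin:/:/bin/sh
restrict:pomjk109jky41,.1:0:0:admin:/:/bin/sh
pat:xmottvoyumjls:0:0:admin:/:/bin/sh
EOF
report_aging "$sample"
rm -f "$sample"
```

For the three entries this gives steve a 50-week maximum with no minimum, marks restrict as changeable only by the superuser (maximum 0 is below minimum 3), and reports that pat has no aging at all, which is the case an administrator reviewing the file would want to spot.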
This makes it easy to see who belongs to each group; otherwise one would have to read /etc/passwd from beginning to end looking at the GIDs. The group file is not strictly needed for controlling group permissions, because the system uses the UID and GID taken from /etc/passwd to decide file access rights; even if /etc/group does not exist, users with the same GID can still share files as a group.

A group can have a password, just as a login user can. If the second field of a /etc/group entry is non-empty, it is taken to be an encrypted password: the newgrp command asks the user for the password, encrypts it, and compares the result with the encrypted password in that field. Giving a group a password is generally a bad practice. First, if files are shared within the group and someone guesses the group password, the files of every user in the group may leak;
second, group passwords are hard to manage, because there is no passwd-like command for groups: you must use /usr/lib/makekey to generate the encrypted password and write it into /etc/group yourself.

A new group must be created in the following situations: (1) a new user is added who does not belong to any existing group; (2) some users regularly need a group of their own; (3) some users have an SGID program that needs a group of its own; (4) a software system that runs SGID is installed and needs a new group. To add a group, edit the file and add an entry for the new group. Because the system takes the GID from /etc/passwd at login rather than from /etc/group, the group file and the password file must be kept consistent. For a single user, the UID and GID should be the same. The GID of a multi-user group should differ from every user's UID; using 5-digit GIDs for such groups makes them recognizable by their 5-digit GID and reduces confusion when new groups and new users are added.

7. Adding, deleting and moving users

(1) Adding a user

Adding a user has three steps: write the new user's entry into /etc/passwd; create a home directory for the new login; and add an entry to /etc/group. When writing the new entry into /etc/passwd, the password field can be set to nologin, so that the new user is not asked for a password. Before editing the file, run mkdir /etc/ptmp so that nobody else edits the file at the same time. A new user normally gets a new group of their own, with the GID equal to the UID (unless the user is to join an existing group); the UID must differ from everyone else's; and the home directory is usually a directory under /usr or /home named after the login name.
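The three-step procedure above as one shell function, added here as an example (not the article's own code). It works on copies of passwd and group under a scratch directory, so it can be tried without touching the real files; the ptmp lock, the nologin password marker and the UID-equals-GID private group follow the text, while the scratch-directory layout, the function names and the sample accounts are constructed for this example. The chown of the home directory is left out because it needs root.

```shell
#!/bin/sh
# Added example, not from the article: the add-a-user procedure run against
# etc/passwd and etc/group under a scratch root ($1) instead of the real
# system files. Sample accounts and the scratch layout are constructed.

add_user() {
    # $1: scratch root holding etc/passwd and etc/group, $2: login, $3: uid
    # Prints "added" on success or an "error: ..." line, and returns 1 on error.
    root=$1; login=$2; uid=$3
    passwd=$root/etc/passwd; group=$root/etc/group
    # step 0: take the ptmp lock; mkdir fails if another edit is in progress
    if ! mkdir "$root/etc/ptmp" 2>/dev/null; then
        echo "error: passwd file is being edited (ptmp exists)"; return 1
    fi
    # refuse a login or UID already in use: two entries with one UID would
    # give both users identical access rights
    if awk -F: -v u="$uid" -v l="$login" \
           '$3 == u || $1 == l { found = 1 } END { exit !found }' "$passwd"; then
        rmdir "$root/etc/ptmp"
        echo "error: login or uid already in use"; return 1
    fi
    # step 1: passwd entry. "nologin" is not a valid encrypted password, so
    # no typed password can match it until passwd is run for the account.
    echo "$login:nologin:$uid:$uid:new user:/usr/$login:/bin/sh" >> "$passwd"
    # step 2: home directory under usr/, named after the login
    mkdir -p "$root/usr/$login"
    chmod 755 "$root/usr/$login"
    # step 3: a private group with GID equal to the UID
    echo "$login::$uid:$login" >> "$group"
    rmdir "$root/etc/ptmp"
    echo added
}

make_sample_root() {
    # Constructed scratch root with a small passwd and group; prints its path
    r=$(mktemp -d)
    mkdir -p "$r/etc"
    printf 'root:x:0:0:admin:/:/bin/sh\nbin:x:2:2:sys:/bin:/bin/sh\nalice:x:100:100:alice:/usr/alice:/bin/sh\n' > "$r/etc/passwd"
    printf 'root::0:root\nsys::2:bin\nalice::100:alice\n' > "$r/etc/group"
    echo "$r"
}

# Stand-alone demonstration: one good add, one UID clash, one locked file
r=$(make_sample_root)
add_user "$r" bob 101
add_user "$r" carol 101
mkdir "$r/etc/ptmp"; add_user "$r" dave 102; rmdir "$r/etc/ptmp"
cat "$r/etc/passwd"
rm -rf "$r"
```

Using mkdir as the lock is what makes the ptmp convention work: directory creation is atomic, so two administrators cannot both believe they hold the lock, and a stale /etc/ptmp left by a crashed edit is visible and easy to investigate.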
(2) Deleting a user

Deleting a user is the reverse: first delete the user's entries in /etc/passwd and /etc/group, then delete the user's home directory and all of the user's files; rm -r /usr/loginname deletes the whole directory tree. If the user has a crontab file in /usr/spool/cron/crontabs, delete it too.

(3) Moving a user to another system

This is a more complicated matter than just copying the user's files and /etc/passwd entry. The first problem is that the user's UID and GID may already be in use on the other system. If so, the user being moved must be assigned a different UID and GID, and when you change them you must find all of the user's files and change their old UID and GID to the new ones. The find command does this:

find . -user olduid -exec chown newuid {} \;
find . -group oldgid -exec chgrp newgid {} \;
There may be other files of the user's to remove as well: /usr/mail/user and /usr/spool/cron/crontabs/user. If the user comes from a system run by another administrator, the user's directory tree should be examined with the checking program. A user from an insecure system may have SUID/SGID programs among their files, and such a program may belong to someone else. If the user's directory tree is copied to this system with cpio or tar, the SUID/SGID programs are copied too, without any warning. Remove the SUID/SGID permission from such files before letting the user use the new system. In short, it is always safer to check a user's files. You can also use su to enter the user's account before copying the files, so that the copied files are owned by the user rather than by root.

8. Security checks

Programs like find and secure are called checking programs: they search the file system for SUID/SGID files, device files, system files writable by anyone, login accounts without passwords, users with the same UID/GID, and so on.

(1) Accounting

The UNIX accounting package can be used as a security-checking tool. Besides recording the last login time, the accounting system keeps a complete record of every process run during the day. The information saved for a process includes the UID, the command name, the start and end times, the CPU time and the elapsed time, and whether the process ran as root; this helps the system administrator understand what users are doing. The acctcom command lists a day's accounting records. A system may have several accounting files: the accounting information is kept in /usr/adm/pacct*, where /usr/adm/pacct is the current record file and /usr/adm/pacctn (n an integer) is an earlier one.
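The passwd and group part of such a checking program, as an added example that is neither the article's secure program nor any vendor's tool: one awk pass over constructed copies of /etc/passwd and /etc/group flags accounts without a password, duplicate UIDs, a second UID-0 account, and GIDs that have no entry in the group file. The finding labels, function names and sample accounts are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the article: the /etc/passwd and /etc/group checks
# a "checking program" performs, run over constructed sample files.

check_accounts() {
    # $1: passwd-format file, $2: group-format file; one finding per line
    awk -F: -v groupfile="$2" '
        BEGIN {
            # collect every GID defined in the group file
            while ((getline line < groupfile) > 0) {
                split(line, g, ":"); gids[g[3]] = g[1]
            }
            close(groupfile)
        }
        NF < 7 { print "MALFORMED " $1; next }
        # empty second field: anyone can log in as this user without a password
        $2 == "" { print "EMPTY_PASSWORD " $1 }
        # any UID-0 account other than root is a second superuser
        $3 == 0 && $1 != "root" { print "EXTRA_UID0 " $1 }
        # two entries with one UID have identical access rights
        ($3 in uids) && $3 != 0 {
            print "DUPLICATE_UID " $1 " shares uid " $3 " with " uids[$3]
        }
        !($3 in uids) { uids[$3] = $1 }
        # a GID with no group entry means the group file is inconsistent
        !($4 in gids) { print "UNKNOWN_GID " $1 " gid " $4 }
    ' "$1"
}

count_kind() {
    # $1: passwd file, $2: group file, $3: finding kind; prints the count
    check_accounts "$1" "$2" | awk -v k="$3" '$1 == k { n++ } END { print n + 0 }'
}

write_sample_files() {
    # Constructed sample data: $1 receives a passwd file, $2 a group file
    cat > "$1" <<'EOF'
root:x:0:0:admin:/:/bin/sh
toor:x:0:0:second superuser:/:/bin/sh
bin:x:2:2:sys:/bin:/bin/sh
alice:x:100:100:alice:/usr/alice:/bin/sh
bob::101:101:bob:/usr/bob:/bin/sh
carol:x:100:100:carol:/usr/carol:/bin/sh
dave:x:103:999:dave:/usr/dave:/bin/sh
EOF
    cat > "$2" <<'EOF'
root::0:root
sys::2:bin
alice::100:alice
bob::101:bob
EOF
}

# Stand-alone demonstration on the constructed files
p=$(mktemp); g=$(mktemp)
write_sample_files "$p" "$g"
check_accounts "$p" "$g"
rm -f "$p" "$g"
```

Run against the real files (check_accounts /etc/passwd /etc/group) the same pass should print nothing on a well-kept system, which makes it suitable as a cron job whose output is mailed to the administrator.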
If you have a number of billing files to view, you can specify the file name in the acctcom command: accctcom / usr / adm / pACCT?
One thing to look for in the output of acctcom is an excessive number of login processes for a single user. If there are any, someone may have been trying to log in by guessing passwords in an attempt to enter the system illegally. The root processes should also be examined. Apart from the system administrator entering root, system startup and shutdown, processes started by init (init normally starts only getty, login and the login shell) and by cron, and commands run by root, there should be no root processes at all. Statistics on each user's CPU utilisation, number of processes run and so on can also be obtained.

(2) Other checking commands

du: reports the number of disk blocks used by each directory in a directory hierarchy (the current working directory or a specified one). It can be used to check a user's use of the file system.

df: reports the current space usage of an entire file system, and can be used to adjust and manage disk space sensibly.

ps: examines all the processes currently running on the system. Users consuming a great deal of CPU time, running many processes, or running processes that have been alive a long time but have used very little CPU should be examined closely. ps can also detect users who have logged out leaving background processes running in an endless loop (typically on directly connected terminals).

who: tells the system administrator a good deal about the system, for instance each user's login time and the terminal logged in on.

su: whenever a user tries to enter another user's account, this command writes a record to the file /usr/adm/sulog. If that file records a large number of failed attempts to enter root, someone may be trying to crack the root password.
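An added example (not part of the original text) of the sulog check described above: shell functions that summarise a constructed /usr/adm/sulog, assuming the System V line format SU MM/DD HH:MM [+-] tty fromuser-touser, where "+" marks a successful su and "-" a failed one.

```shell
#!/bin/sh
# Added example, not from the original text: summarise /usr/adm/sulog and
# flag users with many failed attempts to become root.
# Assumed line format: SU MM/DD HH:MM [+-] tty fromuser-touser

# Constructed sample log (not a real system's record).
SAMPLE_SULOG=$(mktemp)
cat > "$SAMPLE_SULOG" <<'EOF'
SU 03/02 09:15 + tty03 alice-root
SU 03/02 09:40 - tty07 bob-root
SU 03/02 09:41 - tty07 bob-root
SU 03/02 09:42 - tty07 bob-root
SU 03/02 10:05 + tty07 bob-operator
SU 03/02 11:30 - tty01 carol-root
EOF

# failed_root_su LOGFILE: print "user count" for every user with at least one
# failed attempt to become root, most attempts first.
failed_root_su() {
    awk '$4 == "-" && $6 ~ /-root$/ {
             sub(/-root$/, "", $6); n[$6]++
         }
         END { for (u in n) print u, n[u] }' "$1" | sort -k2,2nr
}

# failed_root_su_over LOGFILE THRESHOLD: only users at or above THRESHOLD,
# the "large number of failed attempts" the text says to watch for.
failed_root_su_over() {
    failed_root_su "$1" | awk -v t="$2" '$2 >= t'
}

# last_su_to LOGFILE ACCOUNT: date and time of the last successful su into
# ACCOUNT, which the text later combines with login records to find when an
# account was last entered.
last_su_to() {
    awk -v a="$2" '$4 == "+" && $6 ~ ("-" a "$") { last = $2 " " $3 }
                   END { if (last != "") print last }' "$1"
}

echo "Failed su attempts to root:"
failed_root_su "$SAMPLE_SULOG"
echo "Users at or above 3 failures:"
failed_root_su_over "$SAMPLE_SULOG" 3
echo "Last successful su to root: $(last_su_to "$SAMPLE_SULOG" root)"
rm -f "$SAMPLE_SULOG"
```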
login: on some systems the login program records invalid login attempts (if the system's login program does not and the login source is available, login should be modified to do so). There are always a few invalid logins every day; if their number suddenly increases, someone may be guessing login names and passwords in an attempt to enter the system illegally.

(3) Weaknesses of the checking methods

A word of caution about the checking methods above: none of them is proof against deliberate deception. For example, find gives up on a path name longer than 256 characters or on a directory holding more than 200 files, so a user could hide a SUID program in a deeply nested directory structure or a very large directory and escape the check (find does print an error message, however, and the system administrator should then check those directories and files by hand). The ncheck command can also be used to search the file system, but unlike find it cannot be told which files to search for. Checking the access time of .profile to find accounts that have not been used for a long time is unreliable, because su also reads the user's .profile (unless it is invoked without the argument that requests the user's login environment). There are three ways to find an account that has not been used for a long time:

- The UNIX accounting system keeps the last login date of every user in the file /usr/adm/acct/sum/loginlog. Since the file is maintained by the system, the login dates in it are certainly accurate. The drawback is that the accounting programs must be run on the system for loginlog to be updated, and if the accounting program is run in the morning (after midnight) the day's login dates may be cleared.

- The password aging field in the /etc/passwd file tells the system administrator whether a user's password has expired; if it has, the account has not been used since the expiry date. The advantages of this method are that the system keeps the record over a long period, the check is simple, and it does not need the disk resources the accounting system requires. The disadvantages are that the system administrator may not want password aging on the system at all, and that the method is accurate only to within the maximum validity period (usually several weeks).

- The system administrator can write a program that scans /etc/wtmp whenever the system is brought up or rebooted and records each user's last login time. This method needs no accounting programs and the times are accurate; the disadvantage is having to write the program.

Any of these methods can be combined with the /usr/adm/sulog file to find the last time each account was entered, whether by logging in or with su.

If someone breaks the system's security, the first thing they will do is look for the checking programs. The intruder will modify them so that they no longer report anything abnormal, and may also stop the accounting system and delete the accounting files so that the system administrator cannot discover what has been done. The most important point here is that the more familiar the system administrator is with the users and their working habits, the sooner any unusual event on the system will be noticed, and an unusual event may mean that the system has been compromised.

(4) What to do after a break-in
When it is discovered that someone has broken the system's security, what the system administrator does first depends on the circumstances. If the user did not act deliberately, the company has no rule about "breaches of security", and no damage was done, the system administrator need only clean up the system and keep an eye on the user for a while. If the user did cause damage, the responsible people should be informed and the system restored as far as possible to its original state. If the perpetrator is not an authorised user, the worst must be assumed: the perpetrator has tried to become root, and the files and programs of the system have been tampered with. The system administrator should think about who the perpetrator might be and what was damaged, and make a thorough check of the entire file system, not just of SUID and SGID programs and device files. If the system has been compromised by a hostile user, the following steps should be taken:

Shut the system down and reboot it, entering single-user mode rather than multi-user mode. Mount the tape or floppy disks containing the original UNIX release for the system. Copy /bin, /usr/bin, /etc and /usr/lib from it into a temporary directory. Compute checksums of all the files in the temporary directory (using the copy of the sum program from the original release, not the one in /bin) and compare them with the checksums of the corresponding files in the system; any difference must be explained. If two checksums differ because a newer version of the program was installed, confirm that it really was. If a difference cannot be explained, replace the system command with the one from the temporary directory. Do not use the system's own commands until they have been confirmed unchanged; use the shell from the temporary directory and set PATH so that only the temporary directory is searched.

Using the access permissions of the system commands in the temporary directory as the reference, check the access permissions of all the commands in the system. Check the permissions of all the system directories; if perms is in use, check whether the permlist file has been altered. If the checksum of the kernel (/unix) differs from the original and the system administrator has never modified the kernel, it should be assumed that an intruder has been very busy, and the system should be reloaded from the temporary copy. The system administrator can restore user files from the incremental file system backups, but the backups must be examined for "interesting" files before any file is restored. Change every password on the system, and tell the users that their passwords have been changed and that they must see the system administrator to get new ones. When a user comes for a new password, tell them about the security incident and ask them to look through their own files and directories for anything harmful (such as SUID files, Trojan horses, or directories writable by anyone) and to report anything odd to the system administrator. How did the breach happen? Without the perpetrator this may be impossible to determine; but if it can be discovered how the perpetrator entered the system, try to close that hole. When the UNIX system is installed, a copy of the shell, the sum command and the checksums of all files can be kept on secure media (floppy disks, removable hard disks, or any medium that can be taken out and locked away). Then, if the whole system does not have to be reloaded from the original release, the backup medium can be mounted, the shell and sum loaded from it, and the stored checksums compared with those of the files on the system. The system administrator may also want to write a checksum program of their own, whose algorithm an intruder will not know; if the program and the checksums are kept off the system, this confidentiality problem is reduced to a physical security problem, namely simply locking them up...
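An added example (not from the original text or any vendor's tools) of the checksum and permission comparison described in the steps above. It uses the POSIX cksum command in place of sum; the baseline file it produces is the one the text says to keep on removable media and lock away, and the directories it runs on in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the original text: record a baseline of checksums
# and permission bits for a directory of commands, and later verify the live
# directory against it. Uses POSIX cksum(1) instead of the older sum(1).

# make_baseline DIR BASELINE: write one line per regular file under DIR:
#   <crc> <size> <mode string> <path relative to DIR>
# Run this right after installation, with the baseline written to a medium
# that is then removed and locked away.
make_baseline() {
    ( cd "$1" && find . -type f -print | sort | while read -r f; do
          set -- $(cksum "$f")                 # crc size name
          printf '%s %s %s %s\n' "$1" "$2" \
              "$(ls -ld "$f" | awk '{print $1}')" "$f"
      done ) > "$2"
}

# verify_baseline DIR BASELINE: print one line per file that is new, missing,
# or whose checksum, size or mode differs from the baseline; prints nothing
# when the directory matches. Every difference must then be explained.
verify_baseline() {
    cur=$(mktemp)
    make_baseline "$1" "$cur"
    awk 'NR == FNR { base[$4] = $1 " " $2 " " $3; next }
         {
             if (!($4 in base)) {
                 print "NEW " $4
             } else {
                 if (base[$4] != ($1 " " $2 " " $3)) print "CHANGED " $4
                 delete base[$4]
             }
         }
         END { for (f in base) print "MISSING " f }' "$2" "$cur"
    rm -f "$cur"
}

# --- demonstration on a constructed command directory ---
demo=$(mktemp -d); base=$(mktemp)
printf '#!/bin/sh\necho ls\n' > "$demo/ls"
printf '#!/bin/sh\necho su\n' > "$demo/su"
chmod 755 "$demo/ls" "$demo/su"
make_baseline "$demo" "$base"
echo "Verification right after baseline (expect nothing):"
verify_baseline "$demo" "$base"
printf 'extra\n' >> "$demo/su"        # constructed: su replaced on the live system
echo "Verification after su was modified:"
verify_baseline "$demo" "$base"
rm -rf "$demo" "$base"
```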
9. Restricted environments

(1) The restricted shell (rsh)

This shell is almost the same as the ordinary shell, but it is designed to limit what a user can do, and it forbids some things the standard shell allows:

- The working directory cannot be changed (cd).
- The PATH and SHELL shell variables cannot be changed.
- Command names containing "/" cannot be used.
- Output cannot be redirected (> and >>).
- exec cannot be used.

When the user logs in, the restrictions take effect after the user's .profile has been executed; if the user presses BREAK or DELETE while .profile is being interpreted, the login is cancelled. With these simple restrictions, a system administrator who writes the user's .profile has complete control over which commands the user can use. Note that the System V restricted shell is in fact not very secure and should not be used for hostile users; the System V Release 2 restricted shell is more secure. Even so, if a restricted user is allowed to use certain commands (such as env, cp or ln), the user can break out of the restricted shell into an unrestricted one.

(2) Restricting a user with chroot()

If a user really must be restricted, the chroot() system call can be used to create a fully isolated environment. It changes the process's root directory, so that a user can be confined to one subtree of the file system: the user cannot cd above that subtree and cannot reach any file outside it. This is a far better restriction than the restricted shell. The commands the user may use are set up by the system administrator: create a bin directory under the new root, and link the commands the user is allowed to use to the corresponding files in the system /bin directory (or copy the command files, if linking is not possible). A new passwd file should also be created, keeping the system login accounts (so that ls -l correctly reports the login names associated with files in the restricted subsystem) as well as the user's own account, but with the password of each system account changed to NOLOGIN, so that the restricted user cannot obtain the real system passwords and any attempt to crack them is futile. A utmp file is needed by who; it holds the list of users logged in on the system. The new /etc/profile should not be a link, so that the restricted user can be given different startup commands. The terminal device files in /dev are linked into the new /dev directory, because who reads them when producing its output.

In System V and later UNIX versions, the login command has a chroot() facility: if the login shell field of the user's entry in the password file is *, login calls chroot() to set the root directory to the login directory given in the user's entry and then calls exec() to run login again; the new login performs the user's login in the new sub-file-system. chroot() does not restrict root, so when choosing the commands to be made available it must be borne in mind that SUID-root programs may give the user root's abilities. To keep this risk to a minimum, the commands made available to the user should have their SUID bits removed. Linked files save disk space, but remember that when dealing with hostile users, links into the chroot directory tree (especially of commands) are very dangerous. When building a restricted environment like this, make sure that every command installed in the new /bin is tested; some programs may behave in ways the system administrator did not anticipate. To make the commands run, service directories and files may have to be added to the restricted sub-file-system, such as /tmp, /etc/termcap, /usr/lib/terminfo, /dev/mem, /dev/kmem, /dev/swap, the tty files for the terminals the user logs in on, and /unix. Some programs do not run well in a sub-file-system: if the spooler programs and the network commands are copied into the restricted sub-file-system, they may not run under the new directory hierarchy.

10. Small system security
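An added example (not from the original text) for two pieces of the chroot() setup described above: building the sub-file-system's passwd file with the system accounts' passwords replaced by NOLOGIN, and auditing the jail for links that lead outside it. It assumes the seven-field /etc/passwd layout and a readlink(1) that prints a symlink's target; the passwd entries and jail tree in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the original text: helpers for a chroot() sub-file-system.
# Assumes the 7-field passwd layout name:password:uid:gid:gecos:home:shell and
# that the jail's login rejects the password field "NOLOGIN", as the text states.

# jail_passwd SYSTEM_PASSWD USER: copy every entry so that ls -l still resolves
# names inside the jail, but replace the password field with NOLOGIN for every
# account except USER, so no real system password is exposed in the jail.
jail_passwd() {
    awk -F: -v keep="$2" 'BEGIN { OFS = ":" }
        { if ($1 != keep) $2 = "NOLOGIN"; print }' "$1"
}

# links_outside_jail JAILDIR: print "link -> target" for every symbolic link
# under JAILDIR whose target lies outside the jail (a door out of the
# restricted tree). Relative targets are resolved; a dangling relative link
# is reported as well, since it cannot be shown to stay inside.
links_outside_jail() {
    jail=$(cd "$1" && pwd)
    find "$jail" -type l -print | while read -r l; do
        t=$(readlink "$l")
        case "$t" in
            /*) abs=$t ;;
            *)  d=$(cd "$(dirname "$l")" && cd "$(dirname "$t")" 2>/dev/null && pwd) || d=""
                abs=$d/$(basename "$t") ;;
        esac
        case "$abs" in
            "$jail"/*) ;;                      # stays inside the jail
            *) echo "$l -> $t" ;;
        esac
    done
}

# --- demonstration on a constructed passwd file and jail tree ---
sys_passwd=$(mktemp)
cat > "$sys_passwd" <<'EOF'
root:x:0:0:root:/:/bin/sh
daemon:x:1:1::/:/bin/sh
guest:x:200:50:restricted user:/guest:/bin/rsh
EOF
echo "passwd file for the jail:"
jail_passwd "$sys_passwd" guest

jail=$(mktemp -d)
mkdir -p "$jail/bin" "$jail/etc" "$jail/usr/bin"
printf 'sh\n' > "$jail/bin/sh"
ln -s ../../bin/sh "$jail/usr/bin/sh"     # constructed: relative link inside the jail
ln -s /etc/passwd "$jail/etc/passwd"      # constructed: link pointing out of the jail
echo "links leading outside the jail:"
links_outside_jail "$jail"
rm -rf "$jail" "$sys_passwd"
```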
A UNIX system small enough to run in an office is a small system; this includes all desktop UNIX machines. From the point of view of security, small systems are special in several ways:

- A small system has few users, usually a small group, so the system administrator can know everyone and security problems can be dealt with directly.

- Because administering a small UNIX system is simpler, one system administrator can maintain its security alone, and the responsibility rests with a single person. If the only user is also the system administrator, little time need be spent thinking about security. Someone who both owns and administers the system may have the right simply to remove a user from the system, a right that few administrators of large systems have. If you are the only user of the system, you are both user and administrator, and keeping the system secure is very simple: just make sure that every login account on the system has a good password. If the system itself cannot be locked up, keep sensitive data on floppy disks and lock the floppies away. Even with several users, if the system's terminals are hard-wired and the users keep the door locked, the system is secure, at least within that group of users.

- A small system usually has removable media (floppy disks) that can be mounted with the mount command. Give users a safe way to mount floppies on the system themselves; otherwise the system administrator has to do these tedious mounts every day. Letting users mount floppies means giving them a SUID program that does essentially what the system administrator does when mounting, starting by checking whether the floppy contains any SUID/SGID programs or device files; if any strange files are found, the floppy is refused.

- When a small system is powered on it generally boots from the hard disk, but before doing so it tries to boot from a floppy: the computer first tries to load a program from the floppy drive, and only if there is no floppy in the drive does it load the UNIX kernel from the hard disk. A floppy can contain almost any program, including a version of UNIX that starts a root shell on the console. Someone with a screwdriver and some knowledge of the system's internals can defeat even the special "microcode" that is supposed to prevent such incidents. Passwords may also be obtained by trickery from a floppy disk.

- Even if a small system is not locked up, people who never keep personal or secret information on a large system (where they cannot know all the users) will not want to keep such information on a small system either.

- The administrator of a small system is often simply an experienced user of UNIX, but managing security requires a certain amount of experience with the system.

11. Physical security

For a computer of any size running any operating system, physical security is an important consideration. Physical security covers: locks on the rooms, alarm systems and guards; all local communication facilities, which must not be placed where they cannot be locked up, including cable communication lines, telephone lines, local area networks, remote networks, answering modems, and key or credit-card identification devices; the assignment of passwords and keys to users; any encryption devices in front of the communication facilities; file protection; backup and recovery schemes (also called security insurance schemes, used when data or computing equipment is destroyed accidentally or deliberately); lockable output trays; and lockable waste bins and shredders. The overall consideration in physical security is that the cost of the security should not exceed the value of what is protected (hardware or software). The following concentrates on protecting the various communication lines by which users reach the system. For any system that can be reached from outside, communications are a particularly weak link in security. When users are allowed to reach the system through a dial-in modem on the local telephone company's lines, the system's security is greatly weakened: anyone with a telephone and a modem may be able to enter the system illegally. Make sure that the modem's telephone number is unlisted, and preferably put it on a different exchange from the company's ordinary telephone numbers. In short, never assume that nobody knows your dial-in number!
Most home computers can be programmed to dial numbers all day long and record which ones answer with a modem. If possible, install a local PBX so that an outside caller hears a second dial tone and must then enter the extension number associated with the modem.

12. User awareness

Ensuring that users behave securely is not the UNIX system administrator's job; that job belongs to the users' own management. The system administrator is, however, responsible for the operation of the system and for discovering security problems. The way to avoid security incidents is prevention. When a user logs in, the shell executes the /etc/profile file before giving the prompt; make sure that the PATH set in that file searches the current working directory last, which reduces the chance of running a Trojan horse. Setting a file creation mask in /etc/profile is also appropriate; at the least it should prevent users from inadvertently creating files that others can write (022 or 026). Choose the value carefully: if it is too restrictive, users will simply call umask again in their own .profile to defeat the system administrator. If users share files through group permissions, the system administrator should set a mask that restricts group access. The system administrator has to strike a balance between system security and the users' "pain threshold", the point at which security restrictions provoke anger. Regularly using grep to look for umask in users' .profile files shows whether the system's security restrictions have exceeded the users' pain threshold.

The system administrator can pick users at random and send the results of a security check on them (the user's login record, a list of SUID/SGID and writable files) to the user's management and to the user. This serves four main purposes:

- Most users who receive even one mail message about the state of their files will start thinking about security (though this does not mean they will take action to strengthen it).

- Users with large numbers of writable files get a message every week until they remove the write permission; the long and irritating mail may be enough to make them act and remove it.

- The message lists the user's SUID programs, so a user who has a SUID program knows about it and can tell whether it is one they built themselves.

- Sending the security check list makes users manage their own files and understand that the way files are managed bears on the security of data.

If the system administrator intends to do this, the users should be told in advance so that they know what the security check mail is for. The mail is meant to make users security-conscious, not to make them complain about receiving it. Management awareness is another important factor in improving security. If the users' management is not strict, the system administrator too may neglect to enforce the security rules. It is best to establish a security standard that everyone must follow; if the system administrator builds the site's own security rules on that foundation, security is strengthened. Management helps to raise user awareness by making it clear to users that information is a valuable asset.
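An added example (not from the original text) of the periodic .profile check suggested above: shell functions that report a umask looser than the site value and a PATH that searches the current directory before the system directories. It assumes Bourne-shell .profile syntax (umask NNN, PATH=... or export PATH=...); the site value and the .profile contents in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the original text: check users' .profile files for
# a umask looser than the site value and for "." early in PATH.
# Assumes Bourne-shell syntax: "umask NNN" and "PATH=..." / "export PATH=...".

SITE_UMASK=022      # constructed site policy; the text suggests 022 or 026

# profile_umask FILE: the last umask value set in FILE, or nothing if none
profile_umask() {
    awk '$1 == "umask" { u = $2 } END { print u }' "$1"
}

# umask_too_loose UMASK: true (exit 0) if UMASK grants a permission bit that
# SITE_UMASK withholds. The leading 0 makes $(( )) read the values as octal.
umask_too_loose() {
    [ $(( 0$SITE_UMASK & ~0$1 )) -ne 0 ]
}

# path_has_dot_early FILE: true if a PATH assignment in FILE puts "." or an
# empty component anywhere except last (the Trojan-horse risk from the text).
path_has_dot_early() {
    grep -E '^[[:space:]]*(export[[:space:]]+)?PATH=' "$1" |
        sed 's/^[^=]*=//; s/"//g' |
        awk -F: '{ for (i = 1; i < NF; i++) if ($i == "." || $i == "") found = 1 }
                 END { exit found ? 0 : 1 }'
}

# check_profile FILE: one finding per line, nothing when the file is clean
check_profile() {
    u=$(profile_umask "$1")
    if [ -n "$u" ] && umask_too_loose "$u"; then
        echo "$1: umask $u is looser than site value $SITE_UMASK"
    fi
    if path_has_dot_early "$1"; then
        echo "$1: PATH searches the current directory before the system directories"
    fi
}

# --- demonstration on a constructed .profile ---
demo=$(mktemp)
printf 'umask 002\nPATH=.:/bin:/usr/bin\nexport PATH\n' > "$demo"
check_profile "$demo"
rm -f "$demo"
```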
System administrators should make security protection as simple as possible and provide tools that improve security, for example: publish the lock program for locking terminals; let users run the secure program on their own files; and put pwexp (a program that checks the user's password information) in /etc/profile so that users know when their passwords are due to expire. Teach users something about system security, and make sure they know what their access permissions and the umask setting mean. If you notice a user doing something foolish, give them a hint about how to do it properly. The more users know about security, the less the system administrator has to do to protect them.

13. System administrator awareness

(1) Keeping the system administrator's own login secure

If the system administrator's login password is leaked, the intruder is only one step away from stealing root, because the system administrator often works as root. After illegally entering the system administrator's account, the intruder replaces some of the system administrator's programs with Trojan horses, and the system administrator then runs the replaced programs as root. For this reason the administrator's account is the one most often attacked on a UNIX system. Even though the su command does not normally record in any world-readable file who has tried to become root, accounting data or the ps command can still identify users running the su command. The system administrator must also be especially careful when running programs as root, since even a minor slip can "sink the ship". The following guidelines help the system administrator keep the ship on an even keel:

- Do not run other users' programs as root or under your own login account; first enter the user's account with the su command.

- Never put the current working directory at the front of the PATH search list; that practically invites a Trojan horse.
- When the system administrator enters root with the su command, the PATH changes; leave it that way, to avoid Trojan horses. If the su source code is available, change su so that it runs only when invoked by its full path name (that is, su checks that the first character of argv[0] is "/"); over time users and administrators will get into the habit of typing /bin/su.

- Do not walk away from a terminal without logging out, especially not as root.

- When the system administrator is working as root the command prompt is "#", and that prompt may be a red flag to some people.

- Do not allow root to log in on any terminal other than the console (this is a compile-time option of login); if the login source code is not available, change the root login to another name, so that an intruder cannot try a variety of likely passwords against the root login in order to enter the root account illegally.

- Change the root password regularly.

- Make sure that su really is recording attempts to run su in /usr/adm/sulog, that the permissions of the record file are 600, and that it is owned by root. su is a favourite candidate for replacement by a Trojan horse.

- Do not let anyone else work as root, even for a few minutes, even with the system administrator looking on!

(2) Keeping the system secure

Consider the key weak points of the system:

a. Has the telephone number been published?
b. Is the system connected to a network? Which systems is it connected to?
c. Does the system administrator use unfamiliar or unreliable programs?
d. Does the system administrator keep important information on the system?
e. Are the users familiar with the system, or are there newcomers?
f. Do the users attach importance to security?
g. Do the users pay attention to security?

Maintain the security of the system files. Check the access permissions of all system files; any program with SUID permission is a candidate for illegal use. Pay special attention to the permissions of device files. Review files in user directories that carry SUID/SGID permission for system IDs or system groups. Do not mount a user's file system before checking its SUID/SGID programs and device files. Store disk backups in a safe place. Set a password expiry time, and if the UNIX source code is available, move the encrypted passwords and related information into a file readable only by root and modify the system's password-handling routines accordingly; this increases the security of the passwords.
Modify passwd so that it strips digits from the beginning and end of the new password and then checks the remainder against the spelling dictionary and against the user's personal information in /etc/passwd, and also checks, ignoring case, whether the new password occurs in the login name. If the new password is a word in the spelling dictionary, a field of the user's /etc/passwd entry, or a substring of the login name, passwd should refuse to let the user change to it. Keep a record of the system's users and their authorised uses of the system. Check for login accounts that have not been used for a long time and cancel them. Make sure there are no login accounts without passwords. Start the accounting system. Watch for unusual system usage, such as heavy disk usage, large amounts of CPU time, large numbers of processes, many attempts to use su, many invalid logins, heavy network traffic to one system, or strange uucp requests. Modify the shell so that it terminates when it has been idle for some time. Modify login so that it tells users, after they log in, when they last logged in, and so that after three invalid logins it hangs up the line, giving the system administrator a chance to check whether someone is trying to enter the system illegally. Make sure login does not allow root to log in anywhere but the console. Modify su so that only root can enter an account whose password has expired. When installing software from unreliable sources, examine the source and the makefiles for unusual subroutine calls or commands. Even with reliable software, check whether it contains SUID (SGID) programs and confirm that those permissions really are needed; where possible, do not give such programs SUID (SGID) permission for a system ID (or group), but create a new user (or group) for the software to run under. If the system is in an office, the door should be locked, and important data should be kept on floppy disks and locked away.
The access permission of secure, perms and any other shell programs of this kind should be execute only, and it is better still to keep these shell programs on removable media. Remember that as long as anyone at all can use the system, it cannot be made absolutely secure. The system administrator can prevent the system from being compromised by accident, but not by someone who has patience, a plan, a knowledge of what they are doing, and a premeditated attack on the system. If the system administrator believes the system has been compromised, the perpetrator should be sought. If the perpetrator is a user of the system, contact the user's management, check the user's files for anything suspicious, and then monitor the user's logins carefully for a few weeks. If the perpetrator is not a user of this system, the company can take legal measures; all users should be required to change their passwords and told about the security incident, and they should check their files for signs of tampering. If the system administrator believes the system software has been changed, it should be reloaded from the original system tape (or;
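An added example (not from the original text) of the password checks described for a modified passwd in section 13(2) above: a shell function that strips leading and trailing digits from a candidate and then tests it against a word list (standing in for the spell dictionary), the fields of the user's passwd entry, and the login name. The word list and the passwd entry used in the demonstration and test are constructed.

```shell
#!/bin/sh
# Added example, not from the original text: the checks the text says a
# modified passwd should apply before accepting a new password.
# Assumes a word list with one word per line in place of the spell dictionary
# and the 7-field passwd layout; all inputs below are constructed.

# strip_digits WORD: remove leading and trailing digits, so "secret1" and
# "42secret" are judged on the word "secret".
strip_digits() {
    printf '%s\n' "$1" | sed 's/^[0-9]*//; s/[0-9]*$//'
}

# weak_password CANDIDATE LOGIN PASSWD_FILE WORDLIST: true (exit 0) if the
# candidate, after strip_digits and case folding, is a dictionary word, any
# field (or word of the GECOS field) of the user's passwd entry, or a
# substring of the login name; false if none of these applies.
weak_password() {
    core=$(strip_digits "$1" | tr 'A-Z' 'a-z')
    [ -z "$core" ] && return 0            # nothing left but digits
    # a word from the dictionary
    if grep -Fqix "$core" "$4"; then return 0; fi
    # a field of the user's own passwd entry, or a word of the GECOS field
    if awk -F: -v u="$2" -v c="$core" '
           $1 == u {
               for (i = 1; i <= NF; i++) {
                   f = tolower($i)
                   if (f == c) hit = 1
                   n = split(f, w, /[ ,]+/)
                   for (j = 1; j <= n; j++) if (w[j] == c) hit = 1
               }
           }
           END { exit hit ? 0 : 1 }' "$3"; then return 0; fi
    # a substring of the login name
    case "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" in *"$core"*) return 0 ;; esac
    return 1
}

# --- demonstration on a constructed passwd entry and word list ---
pw=$(mktemp); words=$(mktemp)
printf 'jsmith:x:201:50:John Smith,Room 12:/home/jsmith:/bin/sh\n' > "$pw"
printf 'apple\nsecret\nwelcome\n' > "$words"
for cand in Secret42 smith 7JSMI 'Tq8#vL2m'; do
    if weak_password "$cand" jsmith "$pw" "$words"; then
        echo "$cand: rejected"
    else
        echo "$cand: acceptable"
    fi
done
rm -f "$pw" "$words"
```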