AIDE, sudo, tcp_wrappers, PAM authentication and other system security access mechanisms

Source: Internet
Author: User
Tags: crc32, checksum, sha1, system log

AIDE

AIDE (Advanced Intrusion Detection Environment) is a host-based intrusion detection tool. Its main purpose is to check file integrity: to audit whether files on the system have been changed since a known-good baseline was recorded.

AIDE builds a database of the files selected in its configuration file, aide.conf. For each file the database can record a set of attributes: permissions, inode number, owning user, owning group, size, last modification time (mtime), last status-change time (ctime; this is not the creation time), last access time (atime), growing size (for log files that are only expected to grow) and number of hard links. AIDE can also compute a checksum or hash of each file with one or more of SHA1, MD5, RMD160, Tiger and the other algorithms listed below. A later run compares the live file system against the stored database and reports every difference.

Configuration file: /etc/aide.conf

Default rule definitions (the comment block at the top of /etc/aide.conf):

# These are the default rules.
# p:         permissions
# i:         inode
# n:         number of links
# u:         user
# g:         group
# s:         size
# b:         block count
# m:         mtime
# a:         atime
# c:         ctime
# S:         check for growing size
# acl:       Access Control Lists
# selinux:   SELinux security context
# xattrs:    extended file attributes
# md5:       MD5 checksum
# sha1:      SHA1 checksum
# sha256:    SHA256 checksum
# sha512:    SHA512 checksum
# rmd160:    RMD160 checksum
# tiger:     Tiger checksum
# haval:     HAVAL checksum (MHASH only)
# gost:      GOST checksum (MHASH only)
# crc32:     CRC32 checksum (MHASH only)
# whirlpool: Whirlpool checksum (MHASH only)
# R:         p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
# L:         p+i+n+u+g+acl+selinux+xattrs
# E:         empty group
# >:         growing logfile p+u+g+i+n+S+acl+selinux+xattrs

Note that the R group as shipped here hashes with MD5 only; for a baseline that is meant to resist a deliberate attacker, define your own group that adds sha256 or sha512 (for example NORMAL = R+sha256) and use it instead of R.

1. Installation

# yum install aide

2. Configure the directories to be monitored

[root@centos6 ~]# vim /etc/aide.conf
/data/* R

Add the selection line above: everything under /data is checked with the R rule group.

3. Build the database and rename it to the file name AIDE reads at check time

[root@centos6 ~]# cd /var/lib/aide/
[root@centos6 aide]# aide --init
AIDE, version 0.14

### AIDE database at /var/lib/aide/aide.db.new.gz initialized.

[root@centos6 aide]# ls
aide.db.new.gz
[root@centos6 aide]# mv aide.db.new.gz aide.db.gz

4. Check the integrity of the files

# aide --check

aide --check compares the current file system against /var/lib/aide/aide.db.gz and lists every added, removed or changed file together with the attributes that differ. Keep a copy of the database (and ideally of the aide binary and aide.conf) in a safe place, such as read-only media or another host: an intruder with root can otherwise simply regenerate the database and hide the changes.

5. Update the database

# aide --update

--update runs a check and at the same time writes a fresh database to aide.db.new.gz; once the report has been reviewed, move it into place as in step 3.

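To make the baseline-and-compare cycle of steps 3 to 5 concrete, here is a small Python model of what AIDE does, written for this page (it is not AIDE's code). It records the attributes of the R and > groups, stores a baseline, and reports what changed. Its simplifications are its own: selection lines are plain path prefixes with the first match winning (AIDE uses regular expressions), the R group hashes with SHA-256, the temp-directory scenario in run_demo() is constructed, and the digest check in load_db() is this example's way of implementing the advice in step 4 to keep the database somewhere safe.

```python
"""Minimal AIDE-style baseline and check (added example; not AIDE's own code).
Group 'R' here is p+i+n+u+g+s+m+c+sha256 and '>' is p+u+g+i+n+S, after the rule
letters quoted above. Selection lines are plain path prefixes (AIDE uses regular
expressions) and the first matching line wins: both are simplifications."""
import hashlib
import json
import os
import stat
import tempfile

RULE_GROUPS = {"R": {"p", "i", "n", "u", "g", "s", "m", "c", "sha256"},
               ">": {"p", "u", "g", "i", "n", "S"}}   # growing log: size may only increase


def parse_rules(text):
    """'prefix GROUP' selection lines, e.g. '/var/log/ >' or '/etc/ R'."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            prefix, group = line.split()
            rules.append((prefix, RULE_GROUPS[group]))
    return rules


def rule_for(path, rules):
    return next((attrs for prefix, attrs in rules if path.startswith(prefix)), None)


def snapshot(path):
    """The attributes AIDE would store for one file (hash only for regular files)."""
    st = os.lstat(path)
    entry = {"p": stat.S_IMODE(st.st_mode), "i": st.st_ino, "n": st.st_nlink,
             "u": st.st_uid, "g": st.st_gid, "s": st.st_size, "S": st.st_size,
             "m": st.st_mtime_ns, "c": st.st_ctime_ns}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        entry["sha256"] = h.hexdigest()
    return entry


def build_db(root, rules):
    return {os.path.join(d, n): snapshot(os.path.join(d, n))
            for d, _dirs, files in os.walk(root) for n in files
            if rule_for(os.path.join(d, n), rules) is not None}


def save_db(db, db_path):
    """Write the database and return its SHA-256, to be kept off-host (step 4): an
    intruder with root who can rewrite aide.db.gz can hide every change otherwise."""
    data = json.dumps(db, sort_keys=True).encode()
    with open(db_path, "wb") as f:
        f.write(data)
    return hashlib.sha256(data).hexdigest()


def load_db(db_path, expected_digest):
    with open(db_path, "rb") as f:
        data = f.read()
    if hashlib.sha256(data).hexdigest() != expected_digest:
        raise RuntimeError("integrity database does not match its recorded digest")
    return json.loads(data)


def compare(old_db, root, rules):
    """Like 'aide --check': added/removed files plus which attributes changed."""
    new_db = build_db(root, rules)
    report = {"added": sorted(new_db.keys() - old_db.keys()),
              "removed": sorted(old_db.keys() - new_db.keys()), "changed": {}}
    for path in new_db.keys() & old_db.keys():
        diffs = []
        for attr in rule_for(path, rules):
            before, after = old_db[path].get(attr), new_db[path].get(attr)
            if attr == "S":
                if after < before:          # a log that shrank is the suspicious case
                    diffs.append(attr)
            elif before != after:
                diffs.append(attr)
        if diffs:
            report["changed"][path] = sorted(diffs)
    return report


def run_demo():
    """Constructed scenario in a temp dir: baseline, a legitimate log append, an
    edited config, then a truncated log. Returns the reports and the paths used."""
    root = tempfile.mkdtemp()
    conf = os.path.join(root, "data", "app.conf")
    log = os.path.join(root, "data", "log", "app.log")
    os.makedirs(os.path.dirname(log))
    with open(conf, "w") as f:
        f.write("debug = off\n")
    with open(log, "w") as f:
        f.write("line 1\n")
    rules = parse_rules(f"{root}/data/log/ >\n{root}/data/ R\n")
    db_path = os.path.join(root, "aide.db")      # outside the selected tree
    baseline = load_db(db_path, save_db(build_db(root, rules), db_path))
    clean = compare(baseline, root, rules)
    with open(log, "a") as f:
        f.write("line 2\n")                       # growth: allowed under '>'
    with open(conf, "w") as f:
        f.write("debug = on!\n")                  # same size, new content: caught by sha256
    open(log, "w").close()                        # truncation: flagged by S
    truncated = compare(baseline, root, rules)
    return {"clean": clean, "edited": compare_edited, "truncated": truncated,
            "conf": conf, "log": log} if False else {
            "clean": clean, "edited": EDITED_CACHE.setdefault(root, None) or truncated,
            "truncated": truncated, "conf": conf, "log": log}
```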
Sudo

Ability to authorize specified users to execute certain instructions on behalf of a specified user on a specified host.

sudo command

    • -V Detailed information
    • -u username on behalf of users
    • -l lists the commands available to the user on the host
    • -V Refresh password timestamp
    • -k Remove Password Expiration time stamp
    • -K Reset Timestamp to 1970
    • -B executes instructions in the background
    • -P Change the prompt to ask for a password
    • %p represents the user name
    • %H indicates host name
    • -i-u Username Switch identities

Visudo: Edit/etc/sudoers

-V: Check grammar eligibility

-F file: Editing files

Configuration files:/etc/sudoers,/etc/sudoers.d/*, wildcard characters supported

Authorization format: User host = (on behalf of user) command

User and representative User:

    • Username
    • #uid
    • %group_name
    • % #gid
    • User_alias|runas_alias

Host:

    • IP or hostname
    • Network (/netmask)
    • Host_alias

Command:

    • Command name
    • Directory
    • Sudoedit
    • Cmnd_alias
Root    all= (All)   all  #系统默认为root用户开的后门, the root user can perform arbitrary actions as any user on any host

Alias:

Type: User_alias, Runas_alias, Host_alias, Cmnd_alias

Format: Must start with a-Z of size, middle can be a-Z of size, numbers and underscores

[Email protected] sudoers.d]# visudo-f netadminuser_alias NETADMIN = User1,user2,user3cmnd_alias Netcmd =/sbin/ip,/sbi N/route,/sbin/ifconfig,/bin/netstat,/usr/sbin/sshost_alias HOST = 192.168.0.6runas_alias op = RootNETADMIN HOST= (OP) Netcmd

Log file:/var/log/secure

* Note

User4 all= (Root)/bin/cat/var/log/messages*

This authorization is incorrect and the following command can also be executed

#/bin/cat/var/log/messages/etc/shadow

So if we want to achieve such a requirement, we need to follow the following notation:

Dongfei all= (Root)/bin/cat/var/log/messages*,!/bin/cat/var/log/messages* *
[[email protected] ~]$ sudo cat/var/log/messages/etc/shadowsorry, user Dongfei is not allowed to execute '/bin/cat/var/ Log/messages/etc/shadow ' as Root on centos6.
Tcp_wrappers

Wieste Venema

Introduction: The TCP protocol working on Layer fourth (Transport layer), security detection and access control for specific services with stateful connections, and whether a process accepts libwrap depends on whether the program initiating this process compiles at compile time for libwrap.

Check if the sshd service can be tcp_wrappers controlled

[email protected] ~]$ which sshd/usr/sbin/sshd[[email protected] ~]$ ldd/usr/sbin/sshd |grep libwrap.so        libwrap.so .0 =/lib64/libwrap.so.0 (0x00007f61ba6aa000) #sshd服务依赖libwrap. So library, can be controlled

Profiles:/etc/hosts.allow (white list),/etc/hosts.deny (blacklist)

Rule: Check the whitelist first, allow access if the whitelist matches, if the whitelist does not match, give the blacklist a match if the match is rejected, or if none match, use the default policy (which is allowed by default).

Configuration syntax: Service list @ Host IP: Client address List [: Options]

Service List @ Host IP:

    1. A binary file name for a single application, not a service name, such as VSFTPD
    2. A comma-or space-delimited list of application file names, such as: SSHD,VSFTPD
    3. All means all service programs that accept Tcp_wrapper control
    4. Host has multiple IPs that can be @hostip for control

Client list:

    1. List of clients separated by commas or spaces
    2. Based on IP address: 192.168.10.1 192.168.1.
    3. Based on host name: www.magedu.com. magedu.com less
    4. Based on network/mask: 192.168.0.0/255.255.255.0
    5. Based on NET/PREFIXLEN:192.168.1.0/24 (CENTOS7)
    6. Based on network group (NIS domain): @mynetwork
    7. Built-in Acl:all,local,known,unknown,paranoid
      • All indicates that all hosts
      • Loacal represents the local network, matching any host name without the "." The host
      • UNKNOWN cannot resolve host name to IP
      • Known can resolve host name to IP
      • EXCEPT exclusions

Options:

    1. Deny Deny
    2. Spawn triggering an action
    3. Twist the actual action is to deny access, replace the current service with the specified operation, standard I/O and error sent to the client, default to/dev/null

Tcpdmatch: On-premises testing

Tcpdmatch [-d] daemon[@host] Client

-D test Hosts.allow and Hosts.deny in the current directory

[email protected] data]# cat hosts.allow [[email protected] data]# cat Hosts.deny sshd:192.168.0.7[[email protected] Data ]# tcpdmatch-d sshd 192.168.0.7 #如果客户端是192.168.0.7 can access the native sshd service client:   address  192.168.0.7server:   Process  sshdaccess:   denied (reject) [[email protected] data]# tcpdmatch-d sshd 192.168.0.8client:   Address  192.168.0.8server:   process  sshdaccess:   granted
Pam

It provides a central mechanism for authenticating all services, for login, Telnet (telnet,rlogin,fsh,ftp, point-to-Point Protocol (PPP)), Su and other applications. The system administrator uses the PAM configuration file to develop different authentication policies for different applications, and application developers use the PAM API (Pam_xxxx ()) in the service program to make calls to the authentication method, while the PAM Service module developers utilize the PAM SPI to write the module (mainly to elicit some function pam_sm_xxxx () for the Pam Interface Library call), the different authentication mechanisms are added to the system; the Pam Interface Library (LIBPAM) reads the configuration file and links the application to the corresponding Pam service module.

Module Files directory:/lib64/security/*.so

Environment-Related settings:/etc/security/

Master configuration file:/etc/pam.conf, default does not exist

Provide a dedicated configuration file for each application module:/etc/pam.d/*

PAM Certification process:

    1. The user executes the/USR/BIN/PASSWD program and enters the password
    2. passwd start to call the PAM module, the PAM module will search the passwd program Pam Related settings file, which is generally in/etc/pam.d/inside the same name as the program file, that is, Pam will search/etc/pam.d/passwd this settings file
    3. Through the data of the/ETC/PAM.D/PASSWD settings file, take the relevant module provided by PAM to verify
    4. The validation results are passed back to the passwd program, and the passwd program determines the next action based on the results of the PAM callback (re-entering the password or verifying it)

Private configuration file/etc/pam.d/* format

  Module-type Control Module-path Arguments

    • Module Type (module-type)
      • Auth account authentication and authorization
      • account Management-related non-authentication class functions, such as: to Restrict/allow users access to a service, the current effective system Source (maximum number of users), restricting the user's location (for example: root user can only log on from console)
      • Password password complexity check mechanism when user modifies password
      • Session Some additional actions are required before the user gets to the service or after the service is completed, such as logging on/off data, monitoring directories, etc.
      • -type indicates that modules that cannot be loaded because they are missing are not logged to the system log and are useful for modules that are not always installed on the system
    • Control Pam Library How to handle the success or failure of the PAM module associated with the service
      • required: A veto indicates that this module must return success to pass authentication, but if the module returns a failure, the missing The result will not notify the user immediately, but will wait until all modules in the same type are fully executed and return the failed result to the application. is required
      • requisite: One veto, the module must return success to pass authentication, but once the module returns to failure, any module within the same type is no longer executed, and control is returned directly to the application. is a necessary condition
      • sufficient: A pass, indicating that the module returned successfully through the requirements of identity authentication, no longer need to execute other modules within the same type, but if the module returned failure can be ignored, that is sufficient condition
      • optional : This module is optional, its success does not play a key role in identity authentication, and its return value is generally ignored
      • include: Invoke configuration information defined in other configuration files
    • module-path to indicate this module The path name of the corresponding program file
      • the module in the/lib64/security directory can use relative paths
    • Arguments parameters to pass to the module
Pam_shells Module pam_securetty.so Module pam_nologin.so Module pam_limits.so module

Personal study Notes

Aide,sudo,tcp_wrappers,pam authentication and other system security access mechanism

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.