NITA 412 - Linux Security Administration - Lab #4


Upload: mstanislav

Post on 06-Apr-2018


8/3/2019 NITA 412 - Linux Security Administration - Lab #4

http://slidepdf.com/reader/full/nita-412-linux-security-administration-lab-4 1/2

Lab #4 - Filesystem Security; Secure-delete; Encryption (Stanislav)

Lab Steps:

I. Interacting with SetUID/SetGID Bits

A. As root, execute find / -type f -user root -perm -4000 > /tmp/suid-root-files
B. As root, execute find / -type f -group root -perm -2000 > /tmp/sgid-root-files
C. View the contents of each file, observing what kind of programs have these special bits set: password changers, mount helpers, network tools, anything that must do privileged work on behalf of an unprivileged user. Every entry on those lists is a privilege boundary an attacker can probe.
D. Execute chmod -s /bin/ping to remove the suid bit from the ping application.
E. Become your regular user by issuing su - bjones
F. Attempt to execute ping 4.2.2.2 and you will be greeted with an error: ping needs a raw socket, which an unprivileged process may not open. Exit to again become root.
G. By executing chmod 4755 /bin/ping you will restore the suid bit on the file.
H. Again, become your regular user and attempt the ping again. This time, it will succeed.

Note: on current distributions ping usually lives at /usr/bin/ping and is not setuid at all; it carries the cap_net_raw file capability instead (check with getcap), so chmod -s changes nothing there. If that is the case on your system, repeat the exercise with a binary that really is setuid, such as passwd.
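The inventory from steps A-C is only useful if it is repeated and compared: a binary that gains the setuid bit after the baseline was taken (the step G chmod, done by someone else) is exactly what an audit should catch. The script below is an added example, not part of the lab handout; it builds the inventory, diffs it against a saved baseline, and exercises itself on a constructed directory tree (file names under it are invented). Setting the setuid bit on a file you own needs no root, so the demonstration runs as an ordinary user; a real audit runs it against / as root.

```shell
#!/bin/sh
# Added example (not from the lab): inventory setuid/setgid files under a
# tree and diff the result against a baseline so new privileged binaries
# stand out. Paths and file names in the demo are constructed.
export LC_ALL=C   # deterministic sort order for sort/comm

# Print every regular file with the set-user-ID or set-group-ID bit set,
# one per line as "mode owner group path", sorted so two runs compare.
# $1 = directory tree to scan. -xdev keeps it on one filesystem; scan each
# mounted filesystem separately for a full audit.
suid_inventory() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
         -exec stat -c '%A %U %G %n' {} + 2>/dev/null | sort
}

# Compare a fresh inventory of $1 with baseline file $2. Prints "+ line" for
# a privileged file that is new and "- line" for one that disappeared.
# Returns 1 if anything changed, 0 if the tree still matches the baseline.
suid_diff() {
    tmp=$(mktemp) || return 2
    suid_inventory "$1" > "$tmp"
    rc=0
    if ! cmp -s "$2" "$tmp"; then
        comm -13 "$2" "$tmp" | sed 's/^/+ /'   # only in the new inventory
        comm -23 "$2" "$tmp" | sed 's/^/- /'   # only in the baseline
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Self-contained demonstration on a constructed tree. Returns 0 when the
# baseline lists exactly the two privileged files and the diff reports
# exactly the one file that gained the setuid bit afterwards.
suid_demo() {
    d=$(mktemp -d) || return 2
    mkdir "$d/bin"
    for f in ping wall cat; do printf '#!/bin/sh\necho hi\n' > "$d/bin/$f"; done
    chmod 4755 "$d/bin/ping"   # setuid, like the lab's /bin/ping
    chmod 2755 "$d/bin/wall"   # setgid
    chmod 0755 "$d/bin/cat"    # plain: must not appear in the inventory
    suid_inventory "$d" > "$d/baseline"
    if [ "$(wc -l < "$d/baseline")" -ne 2 ]; then rm -rf "$d"; return 1; fi
    # Later, a new file turns up with the setuid bit: the case an audit exists for.
    printf '#!/bin/sh\n' > "$d/bin/backdoor"
    chmod 4755 "$d/bin/backdoor"
    if out=$(suid_diff "$d" "$d/baseline"); then rm -rf "$d"; return 1; fi
    rm -rf "$d"
    [ "$(printf '%s\n' "$out" | wc -l)" -eq 1 ] &&
        printf '%s\n' "$out" | grep -q '^+ .*/bin/backdoor$'
}
```

Store the baseline somewhere the audited system cannot modify (or at least under chattr +i, as in section IV), otherwise an attacker who plants a setuid binary can also update the baseline to hide it.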

II. Using Filesystem Mount Parameters to Prevent SUID Abuse

A. As the root user, execute mount to view the mounted partitions on the system.
B. Open /etc/fstab and change the mount options for /home from 'defaults' to 'nosuid'.
C. Be sure that you are not working inside of /home and execute mount -o remount /home
D. Execute another mount and note that your mount parameters have changed for /home
E. Execute cp -p /bin/ping /home/bjones/ to copy our ping binary to our user's home directory. The -p matters: without it, cp creates the new file with the set-user-ID bit cleared, and the next step would fail for the wrong reason.
F. Become your user by using su - bjones and then try to execute your local ping with ./ping. The kernel ignores set-user-ID bits (and file capabilities) on a nosuid mount, so the copy runs as bjones and fails the same way it did in section I.
G. Try to execute the system ping command using /bin/ping 4.2.2.2 and it should work as usual.

III. Using Filesystem Mount Parameters to Prevent Binary Execution

A. Exit your user's shell, back to root. Open /etc/fstab again and replace 'nosuid' with 'noexec'.
B. Remount your /home partition again and view the resulting change in the mount output.
C. Change to your user's shell as before, and try to execute ./ping again. Observe the new error: the shell cannot start the binary at all ("Permission denied"), whatever its mode bits say.
D. Revert your /etc/fstab changes to the original. 'defaults' should now be where 'noexec' is.
E. Remount /home one more time to solidify your reverted change. Test your user's ping again.

Note: noexec only blocks direct execution of files on that filesystem. A script stored there still runs when handed to an interpreter that lives elsewhere (sh /home/bjones/script.sh), so treat noexec as one layer, not as a complete control, and pair it with nosuid and nodev on every filesystem that unprivileged users can write to (/home, /tmp, /var/tmp, /dev/shm).
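Sections II and III toggle one option on one mount point by hand. What a practitioner wants afterwards is a check that every user-writable filesystem carries nosuid, nodev and noexec, run against /proc/mounts on a schedule. The script below is an added example, not part of the lab; it parses the /proc/mounts format, reports each missing option, and is driven by a constructed mounts file that mimics a machine partway through section II. The list of mount points to check is an assumption to adapt to local policy.

```shell
#!/bin/sh
# Added example (not from the lab): audit mounted filesystems for the
# nosuid/nodev/noexec options. Input is in /proc/mounts format:
#   device mountpoint fstype options dump pass

# Print "<mountpoint> missing <option>" for every expected option that is
# absent, or "<mountpoint> not mounted". $1 = mounts file (/proc/mounts on a
# live system), $2.. = mount points to check. Returns 1 if anything is
# missing, 0 when every listed mount point has all three options.
audit_mount_opts() {
    mounts=$1; shift
    missing=0
    for mp in "$@"; do
        # Options field of the matching mount point; the last entry wins,
        # since the kernel lists later mounts after earlier ones.
        opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$mounts")
        if [ -z "$opts" ]; then
            echo "$mp not mounted"
            missing=1
            continue
        fi
        for want in nosuid nodev noexec; do
            case ",$opts," in
                *",$want,"*) ;;
                *) echo "$mp missing $want"; missing=1 ;;
            esac
        done
    done
    return $missing
}

# Apply the options at run time (root only). Persist them in /etc/fstab as
# well, or they are lost at the next boot, as in lab steps B-C.
harden_mount() {
    mount -o remount,nosuid,nodev,noexec "$1"
}

# Constructed /proc/mounts sample: /home has been remounted nosuid (section
# II), /tmp already carries the full set, /var/log has nothing.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda2 /home ext4 rw,nosuid,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdb1 /var/log ext4 rw,relatime 0 0
EOF
}

# Run the audit over the sample. Prints five "missing" lines (two for /home,
# three for /var/log, none for /tmp) and returns 1.
mount_demo() {
    f=$(mktemp) || return 2
    sample_mounts > "$f"
    audit_mount_opts "$f" /home /tmp /var/log
    rc=$?
    rm -f "$f"
    return $rc
}
```

On a live system call audit_mount_opts /proc/mounts /home /tmp /var/tmp /dev/shm; /proc/mounts reflects what the kernel actually enforces, which is what matters after a remount, whereas /etc/fstab only says what will be applied at boot.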

IV. chattr Flags for File Protection

A. Create a temporary file by executing, as root, touch /root/foobar
B. Execute lsattr /root/foobar to view the current flags set on the file.
C. Execute chattr +a /root/foobar and then try to delete the file; you can't.
D. Execute echo "Content" > /root/foobar and you will receive an error: an append-only file cannot be opened for a truncating write.
E. Execute echo "Content" >> /root/foobar and you will notice you can append to the file.
F. Now change the flag on the file to be immutable with chattr +i -a /root/foobar
G. You can attempt to append to the file or delete it; neither will be allowed to happen.
H. Remove the flag with chattr -i /root/foobar and check lsattr /root/foobar again to verify there are no flags.

Note: setting or clearing the a and i flags requires CAP_LINUX_IMMUTABLE, which root has, so these flags stop accidents and unprivileged processes, not an attacker who already holds root. They earn their keep on log files (+a, so a compromised service can add entries but not rewrite history) and on configuration that must not change at run time (+i).

V. Secure File Deletion Using shred

A. Execute cat /root/foobar. Execute shred /root/foobar and cat it again: the file is still there, but its contents have been overwritten with random data (three passes by default).
B. Execute dd if=/dev/urandom of=/root/test.img bs=1M count=10
C. Execute shred -uvn 50 /root/test.img to overwrite the file 50 times (-n 50), show each pass (-v) and then unlink it (-u).

Note: shred only works when the filesystem overwrites the same physical blocks in place. It gives no guarantee on a journaled filesystem in data=journal mode, on copy-on-write filesystems such as btrfs, on snapshots or backups, or on SSDs with wear levelling, where old copies of the data may survive untouched. Full-disk or per-file encryption with key destruction is the reliable alternative on such storage.

VI. Using OpenSSL to Encrypt/Decrypt Files

A. Create a file in your home directory called secret.txt and put some text inside.
B. Run openssl enc -aes-256-cbc -in secret.txt -out secret.enc with 'linuxlab' as the password.
C. You should now have both secret.txt and secret.enc in your home directory.
D. Execute md5sum on each file to verify they are different. View them each if you wish.
E. To decrypt the file, execute openssl enc -d -aes-256-cbc -in secret.enc -out secret.dec and confirm that secret.dec matches secret.txt (cmp secret.txt secret.dec).

Note: without the -pbkdf2 option, openssl enc derives the key from the password with a single MD5 pass (EVP_BytesToKey), which OpenSSL 1.1.1 and later flag as deprecated; add -pbkdf2 and an -iter count whenever you use this command outside the lab. AES-CBC also carries no integrity check, so a modified ciphertext can decrypt without any error.
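The section VI workflow, as an added example that is not part of the lab: encryption with the key derivation openssl enc recommends today (-pbkdf2 with an explicit iteration count), a round-trip check, and a demonstration of the point the lab leaves implicit, that AES-CBC without a MAC does not detect tampering. It needs the openssl command-line tool (1.1.1 or later for -pbkdf2); file names, the sample text and the iteration count are assumptions, and the lab's 'linuxlab' password is used as-is.

```shell
#!/bin/sh
# Added example (not from the lab): openssl enc with PBKDF2, a round trip,
# and a ciphertext bit-flip that decrypts "successfully" to wrong data.
set -u
PASS=linuxlab      # the lab password; real use: -pass file:... or env:...
ITER=200000        # PBKDF2 iterations (assumption; higher = slower guessing)
# Constructed sample plaintext, 74 bytes = 5 AES blocks after PKCS#7 padding.
SAMPLE='constructed sample plaintext: the quick brown fox jumps over the lazy dog'

# Encrypt $1 to $2: AES-256-CBC, random salt, PBKDF2 key+IV derivation.
enc_file() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter "$ITER" \
        -pass pass:"$PASS" -in "$1" -out "$2"
}

# Decrypt $1 to $2 with the same parameters; returns openssl's exit status.
dec_file() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" \
        -pass pass:"$PASS" -in "$1" -out "$2" 2>/dev/null
}

# Invert every bit of the byte at offset $2 of file $1, in place.
# Bytes 0-15 of the output file are "Salted__" plus the 8-byte salt, so
# offset 16 is the first byte of the first ciphertext block.
flip_byte() {
    b=$(od -An -tu1 -j "$2" -N 1 "$1" | tr -d ' ')
    printf "$(printf '\\%03o' $((b ^ 255)))" |
        dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null
}

# Round trip: 0 when decrypt(encrypt(x)) == x and the ciphertext differs
# from the plaintext (lab steps B-E, with cmp instead of md5sum).
roundtrip_ok() {
    d=$(mktemp -d) || return 2
    printf '%s\n' "$SAMPLE" > "$d/secret.txt"
    enc_file "$d/secret.txt" "$d/secret.enc" &&
        dec_file "$d/secret.enc" "$d/secret.dec" &&
        cmp -s "$d/secret.txt" "$d/secret.dec" &&
        ! cmp -s "$d/secret.txt" "$d/secret.enc"
    rc=$?
    rm -rf "$d"
    return $rc
}

# Integrity: corrupt one byte of the first ciphertext block. That block
# decrypts to garbage and one byte of the next block flips, but the last
# block and its padding are untouched, so openssl exits 0 and the caller
# gets wrong plaintext with no warning. Returns 0 when exactly that is
# observed, i.e. when the missing authentication is demonstrated.
tamper_undetected() {
    d=$(mktemp -d) || return 2
    printf '%s\n' "$SAMPLE" > "$d/secret.txt"
    enc_file "$d/secret.txt" "$d/secret.enc" || { rm -rf "$d"; return 2; }
    flip_byte "$d/secret.enc" 16
    dec_file "$d/secret.enc" "$d/tampered.dec"
    st=$?
    if [ $st -eq 0 ] && ! cmp -s "$d/secret.txt" "$d/tampered.dec"; then rc=0; else rc=1; fi
    rm -rf "$d"
    return $rc
}
```

If integrity matters, and it almost always does, either sign the ciphertext separately (openssl dgst with an HMAC key, or a detached signature) or use an authenticated construction such as age or GnuPG instead of bare openssl enc.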


VII. Creating an Encrypted Filesystem Using a Loopback Device

A. To use cryptoloop devices, we first initialize the kernel module using modprobe cryptoloop
B. By using lsmod | grep cryptoloop we can verify that the module was loaded properly.
C. By using the dd utility, we can create a file of any size we desire. Filling it from the special device /dev/urandom makes the unused space indistinguishable from ciphertext. Use the following:

# dd if=/dev/urandom of=/root/encrypted.img bs=1M count=10

D. Using losetup -e aes /dev/loop0 /root/encrypted.img lets us interact with this file as if it were a regular device, but with AES encryption. Enter a password of 'linuxlab' when prompted.
E. Verify that your loopback was set up properly by executing losetup -a
F. Create a journaled EXT-3 filesystem on the loopback device using mkfs.ext3 -j /dev/loop0
G. Create a mount point and mount the filesystem using the command below:

# mkdir /mnt/encrypted && mount -t ext3 /dev/loop0 /mnt/encrypted

H. Verify using the mount command that the loopback device + filesystem mounted properly.
I. Create some files in the mounted filesystem using touch and then change back to /root
J. To unmount everything, execute umount /dev/loop0 && losetup -d /dev/loop0
K. Remount your loopback device and filesystem and verify you can still access your files.

Note: cryptoloop and the losetup -e option exist only on old kernels and old util-linux releases; the driver has known cryptographic weaknesses, was deprecated and has since been removed from Linux. The maintained equivalent is dm-crypt with a LUKS header, managed with cryptsetup, which works on an image file just as well as on a partition.
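The same exercise with the current tooling, as an added example that is not part of the lab: a LUKS2 container in an image file, opened through dm-crypt, formatted with ext4, written, closed and reopened. It must run as root on a system with cryptsetup; the image path, mapping name, mount point, image size and the passphrase file are assumptions, and the passphrase is the lab's 'linuxlab'.

```shell
#!/bin/sh
# Added example (not from the lab): section VII with dm-crypt/LUKS via
# cryptsetup instead of cryptoloop. Root required.
set -u
IMG=/root/encrypted.img
NAME=lab4crypt              # device-mapper name; appears as /dev/mapper/$NAME
MNT=/mnt/encrypted
KEYFILE=/root/lab4.key      # holds the passphrase bytes; 'linuxlab' as in the lab

# Build the container: random-filled image, LUKS2 header, ext4 inside.
# 64 MiB leaves room for the 16 MiB LUKS2 header plus a usable filesystem.
create_container() {
    dd if=/dev/urandom of="$IMG" bs=1M count=64 status=none &&
    chmod 600 "$IMG" &&
    printf '%s' linuxlab > "$KEYFILE" && chmod 600 "$KEYFILE" &&
    # --batch-mode skips the "overwrite?" prompt; cryptsetup attaches the
    # loop device itself, so no losetup step is needed (lab step D).
    cryptsetup luksFormat --type luks2 --batch-mode --key-file "$KEYFILE" "$IMG" &&
    cryptsetup open --key-file "$KEYFILE" "$IMG" "$NAME" &&
    mkfs.ext4 -q /dev/mapper/"$NAME" &&
    cryptsetup close "$NAME"
}

# Unlock and mount: the equivalent of lab steps D-G.
open_container() {
    cryptsetup open --key-file "$KEYFILE" "$IMG" "$NAME" &&
    mkdir -p "$MNT" &&
    mount /dev/mapper/"$NAME" "$MNT"
}

# Unmount and lock: the equivalent of lab step J. Afterwards only the
# ciphertext image exists; the key lives in kernel memory only while open.
close_container() {
    umount "$MNT" &&
    cryptsetup close "$NAME"
}

# Demonstration (lab steps I-K): returns 0 when a file written before a close
# is readable after reopening and the raw image holds no copy of its content.
luks_demo() {
    marker="lab4-marker-$$"
    create_container && open_container || return 1
    echo "$marker" > "$MNT/testfile"
    close_container || return 1
    open_container || return 1
    got=$(cat "$MNT/testfile")
    close_container || return 1
    [ "$got" = "$marker" ] && ! grep -q "$marker" "$IMG"
}
```

For real use, replace the key file with an interactive passphrase (drop --key-file and cryptsetup prompts), add a second key slot as a recovery key with cryptsetup luksAddKey, and back up the header with cryptsetup luksHeaderBackup; a damaged header makes the data unrecoverable whatever the passphrase.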

VIII. Generate OpenSSH Keys to Do Public-Key Authentication

A. Become your regular system user, if you aren't already.
B. Just to be sure, execute mkdir ~/.ssh ; chmod 700 ~/.ssh and ignore any 'file exists' errors.
C. Execute ssh-keygen -t rsa, accept the defaults and leave the passphrase empty by just pressing Enter. (Outside the lab, always protect a private key with a passphrase and load it with ssh-agent; an unencrypted key on disk is a credential in clear text for anyone who can read the file.)
D. Check that you are prompted for a password to SSH by executing ssh -p2222 localhost
E. Now, to add your key authorization, execute cat .ssh/id_rsa.pub >> .ssh/authorized_keys
F. Configure permissions on SSH files using chmod 600 .ssh/authorized_keys .ssh/id_rsa (with StrictModes on, sshd refuses keys from an authorized_keys file, .ssh directory or home directory writable by anyone other than the owner, and the ssh client refuses a private key readable by others).
G. Connect to your system using SSH again and this time you won't be prompted for a password.
H. Log out of all shells and save your virtual machine in a snapshot called "Lab #4 Completed".
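Steps B, E and F done so that they can be rerun safely, as an added example that is not part of the lab: the cat >> in step E appends a duplicate every time it is repeated, and the chmod in step F is the part people forget, so the script adds a key only once and reports exactly the modes that make sshd or the ssh client reject the setup. It exercises itself on a constructed .ssh directory with an invented public key; the choice of ed25519 over the lab's RSA and the key comment are my own.

```shell
#!/bin/sh
# Added example (not from the lab): idempotent authorized_keys update and a
# permission check matching sshd StrictModes and the ssh client's private-key
# check. Sample directory contents in the demo are constructed.
export LC_ALL=C

# Generate a key pair at $1 / $1.pub with comment $2 and passphrase $3.
# ed25519 instead of the lab's RSA; -a 100 makes passphrase guessing slower.
# Pass an empty $3 only for unattended service accounts.
gen_key() {
    ssh-keygen -q -t ed25519 -a 100 -f "$1" -C "$2" -N "$3"
}

# Append the one-line public key in file $1 to authorized_keys $2 unless an
# identical line is already present. Returns 0 if added, 1 if it was there.
add_authorized_key() {
    key=$(cat "$1")
    [ -n "$key" ] || return 2
    if [ -f "$2" ] && grep -qxF -- "$key" "$2"; then
        return 1
    fi
    printf '%s\n' "$key" >> "$2"
    chmod 600 "$2"
    return 0
}

# Group and other digits of an octal mode string, e.g. 4755 -> 55.
gw_digits() { printf '%s' "$1" | tail -c 2; }

# True when the group or other digit of octal mode $1 has the write bit.
mode_gw() { case "$(gw_digits "$1")" in *[2367]*) return 0 ;; *) return 1 ;; esac; }

# Report mode problems in the .ssh directory $1, one line each:
#  - the directory and any non-private file writable by group/others
#    (sshd with StrictModes: "bad ownership or modes");
#  - a private key readable or writable by anyone but the owner
#    (ssh client: "UNPROTECTED PRIVATE KEY FILE").
# Returns 1 if anything was reported, 0 if the directory is clean.
check_ssh_perms() {
    dir=$1; bad=0
    m=$(stat -c '%a' "$dir")
    if mode_gw "$m"; then echo "$dir: mode $m is group/world writable"; bad=1; fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        m=$(stat -c '%a' "$f")
        if grep -q 'PRIVATE KEY' "$f" 2>/dev/null; then
            case "$(gw_digits "$m")" in
                00) ;;
                *) echo "$f: private key mode $m, must be 600"; bad=1 ;;
            esac
        elif mode_gw "$m"; then
            echo "$f: mode $m is group/world writable"; bad=1
        fi
    done
    return $bad
}

# Repair what check_ssh_perms reports: 700 on the directory, 600 on private
# keys, no group/other write bit on anything else (public keys stay readable).
fix_ssh_perms() {
    chmod 700 "$1"
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if grep -q 'PRIVATE KEY' "$f" 2>/dev/null; then chmod 600 "$f"; else chmod go-w "$f"; fi
    done
}
```

Run check_ssh_perms ~/.ssh when key-based login unexpectedly falls back to a password prompt; the sshd side logs the refusal in the auth log as "Authentication refused: bad ownership or modes", but only at a verbosity many systems do not keep.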