AIDE
Advanced Intrusion Detection Environment (AIDE) is a tool to check file integrity. It is an open-source substitute for Tripwire. It takes a snapshot of the stats of all the major configuration files, binaries and libraries, and helps to find which binaries have been changed in case the system is compromised. It can be downloaded from http://sourceforge.net
Download both the binaries and the signature file.
Import and verify the GPG keys.
Compiling and installing AIDE
Read the INSTALL doc in the AIDE source to get the list of required packages. The mhash library is needed before AIDE can be installed; download it from sourceforge.net as well.
Extract the AIDE and mhash packages.
Installing mhash
# tar -zxvf mhash-0.9.2.tar.gz
# cd mhash-0.9.2
# ./configure
# make
# make install
This will place the binaries and libraries into /usr/local.
Installing AIDE
# tar -zxvf aide-0.10.tar.gz
# cd aide-0.10
# ./configure
# make
(this will create the aide binary)
# make install
This will copy the binaries to /usr/local/bin.
Note:-
Making a note of the md5sum of the binary that has been installed is a good idea, to trace out a man-in-the-middle attack later.
Configuring and monitoring files with AIDE
Step 1.
Generate the AIDE DB (create the snapshot of file stats)
Edit the aide.conf configuration file from the aide-0.10/doc/ directory to define the rules for which directories have to be monitored.
------
# There are 3 types of line:
# 1. variables
# 2. macros
# 3. the files and directories to monitor, with the rule to apply
database=file:/home/kiran/aide/aide.db (this defines where the AIDE database is stored)
# Now define the AIDE rules here
# This will monitor /etc/ and all the subdirectories beneath it
/etc R
# check the definition of R in the aide.conf file
#=/etc/ R (only the /etc directory itself, not its subdirectories, will be monitored)
------
Now create the AIDE DB.
# aide -c aide.conf --init
This will scan all the files in the /etc/ directory and store their stats in a new database called aide.db.new.
Note:-
AIDE uses stat to get the details of each file, including the permissions, inode, access time, modification time etc., and stores them in the aide.db file.
Comparing the system against the AIDE DB
# aide -c aide.conf --check
This shows the current status of the /etc/ subdirectory by comparing it with aide.db, the snapshot taken by the previous command.
Now test the AIDE functionality.
# edit any file in the /etc/ subdirectory
Now check again with the command
# aide -c aide.conf --check
This will show how the file changed from its previous state.
Note:-
The aide --check has to be run frequently. If any changes are found, verify them and then update the AIDE DB again.
Updating the AIDE DB after the check
# aide -c aide.conf --update
This resets the database to the current status of the /etc/ subdirectories.
Including more directories to monitor
# edit aide.conf
-------------
/boot R
/bin R
/etc R
/lib R
/usr R
/install R
/sbin$ R # aide will not recurse into the subdirectories
-------------
Other configuration options
-------
/ R
!/var # This monitors all the directories inside "/" and excludes the /var directory.
-------
# aide -c aide.conf --init
This will generate a new DB for all the directories defined in aide.conf.
Note:-
This helps us trace which files have been affected in case of any compromise of the system, by comparing with the DB taken earlier. Once the AIDE DB has been created, it is better to burn the aide binary, the config files and the AIDE DB onto a read-only medium; this increases the integrity of the AIDE DB.
# mkisofs -V Aide_DB`date +%F` -J -R -o aide.iso /Aide/directory
# cdrecord -v -eject aide.iso
Later, in case of any suspected exploit, the binary, the AIDE DB and the config file can be loaded from this medium for an AIDE audit.
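A small stand-alone model of the --init / --check / --update cycle described above, added here as an example (it is not part of the original notes and not AIDE's own code): it records the same kind of per-file stats AIDE keeps plus a SHA-256 of the content, and reports added, changed and removed files. It assumes GNU coreutils on Linux (stat -c, sha256sum).

```shell
#!/bin/sh
# Miniature model of the AIDE cycle shown above: baseline, check, update.
# Added example, not part of the original notes and not AIDE's own code.
# Assumes GNU coreutils on Linux (stat -c, sha256sum); file names must not
# contain newlines. AIDE itself writes aide.db.new on --init and reads
# aide.db on --check; this model writes straight to the path it is given.

# One record per regular file: path|mode|uid|gid|inode|size|mtime|sha256
# Access time is left out on purpose: hashing the file would change it.
snap_scan() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s|%s|%s\n' "$f" "$(stat -c '%a|%u|%g|%i|%s|%Y' "$f")" \
            "$(sha256sum "$f" | cut -d' ' -f1)"
    done
}

# Like "aide --init": write the baseline for directory $1 to database $2.
snap_init() { snap_scan "$1" > "$2"; }

# Like "aide --check": compare the live tree with the baseline. Prints one
# line per difference (added / changed / removed) and returns 1 if anything
# differs, 0 if the tree still matches the snapshot.
snap_check() {
    diffs=$(snap_scan "$1" | awk -F'|' -v db="$2" '
        BEGIN { while ((getline line < db) > 0) { split(line, a, "|"); base[a[1]] = line } }
        {
            if (!($1 in base))       print "added   " $1
            else if (base[$1] != $0) print "changed " $1
            seen[$1] = 1
        }
        END { for (p in base) if (!(p in seen)) print "removed " p }
    ' | LC_ALL=C sort)
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}

# Like "aide --update": accept the current state as the new baseline. Run it
# only after every reported change has been checked and found legitimate.
snap_update() { snap_init "$1" "$2"; }

# Stand-alone demo on a throwaway tree: baseline, tamper, check, update, check.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/etc"; printf '127.0.0.1 localhost\n' > "$tmp/etc/hosts"
    snap_init "$tmp/etc" "$tmp/aide.db"
    printf '10.0.0.1 mirror\n' >> "$tmp/etc/hosts"   # simulate an edited config file
    snap_check "$tmp/etc" "$tmp/aide.db" || echo "(differences found, as expected)"
    snap_update "$tmp/etc" "$tmp/aide.db"
    snap_check "$tmp/etc" "$tmp/aide.db" && echo "tree matches the baseline again"
    rm -rf "$tmp"
}
demo
```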
Tuesday, October 13, 2009
Monday, October 12, 2009
Linux Security Notes 10: Account Policies & Password Crack
CHAGE - Account policies.
The /etc/passwd and /etc/shadow files are manipulated to configure the account policies. /etc/group stores the information about the groups.
/etc/passwd format:
-------
root:x:0:0:root:/root:/bin/bash
# User name : password (x = refer to the shadow file) : User ID : Group ID : Comment : Home directory : Shell
------
This file has to be checked regularly for any root-equivalent entry (any other user having the user ID 0), especially when a compromise of the system is suspected.
/etc/shadow format:
root:$!*&^#*&J@*(&#JHJKgFU:13037:0:99999:7:::
This file contains the encrypted password and the password policy information.
CHAGE
Using the chage command we can alter the password policies.
Setting up the account policies:
/etc/login.defs
This file defines the key variables that apply to all users when new users are created. This includes the following settings:
Default mail directory
Max password age days
Min password held days
Password warning days etc.
Minimum and maximum user IDs, the option of creating the home directories, etc.
After altering the file, a newly created user will inherit the new settings. Old users will retain their previous settings.
Now create a user and check the password policy using
# chage -l user
This will show the default account policy that was set.
If the password policy needs to be changed on a per-user basis, set it using chage.
# chage -m 3 user
This updates the minimum number of days a password is held to 3.
# chage -M 45 -W 7 user
This changes the maximum password age to 45 days and gives a warning 7 days before the password expires.
Extract the user names from the password file
# for i in `awk -F: '{ print $1 }' /etc/passwd`; do echo $i; done
awk uses ":" as the field separator and prints field 1, extracting the user names from the file /etc/passwd.
John the Ripper tool:
This is a password integrity checker as well as a password cracker. Download the tool and its signature from www.openwall.com.
# gpg --import
# gpg --verify john-1.7.tar.sig john-1.7.tar.gz
# tar -zxvf john-1.7.tar.gz
# cd john-1.7/src
(the Makefile lives in the src/ directory of the extracted tree)
# make
This prints the list of systems this program can be compiled on. Search for the target that matches our hardware.
e.g. "linux-x86-mmx-elf"
# make linux-x86-mmx-elf
Now the binary will be compiled.
# cd ../run
In this directory we find the newly compiled binary named "john".
# ./john -users:root,kiran,jithu /etc/shadow
If any of these accounts has a weak password in the shadow file, it will print the result of the crack, including the algorithm used for encryption. This process creates a file called john.pot, which contains the hash string and the corresponding password.
# ./john -show -users:root,kiran,jithu /etc/shadow
This shows the history of cracked passwords (read from the file john.pot) in clear text:
kiran:kiran123:13037:3:45:7::: (the shadow file format)
The more difficult the password, the more time and CPU the tool will use. Even a longer password without any mix of case takes more time to crack. So using passwords with a minimum length of more than 7 characters makes them take longer to crack.
# ./john /etc/shadow
This will try to crack all the users on the system.
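The two checks the notes ask for, the scan of /etc/passwd for extra UID 0 entries and the chage ageing values in /etc/shadow, as an added example (not part of the original notes). The functions take a file path, so they work on the live files when run as root or on a copy; the demo data is constructed.

```shell
#!/bin/sh
# Audit helpers for the two checks described above: root-equivalent entries
# in /etc/passwd, and the ageing fields that chage manages in /etc/shadow.
# Added example, not part of the original notes. The functions take a file
# path, so they run equally on the live files (as root) or on a copy.

# Print every account whose UID is 0 but whose name is not "root".
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print accounts whose password ageing falls outside the policy from the
# notes (chage -m MIN, -M MAX, -W WARN), plus accounts with an empty
# password hash, which can log in with no password at all.
# /etc/shadow fields: name:hash:lastchange:min:max:warn:inactive:expire:
# Locked entries (hash starting with ! or *) are skipped: nobody can log in
# with them, so ageing does not apply.
shadow_policy_violations() {   # usage: shadow_policy_violations FILE MIN MAX WARN
    awk -F: -v min="$2" -v max="$3" -v warn="$4" '
        $2 == ""                  { print $1 ": empty password"; next }
        $2 ~ /^[!*]/              { next }
        $4 == "" || $4 + 0 < min  { print $1 ": min days "  ($4 == "" ? "unset" : $4) " < " min }
        $5 == "" || $5 + 0 > max  { print $1 ": max days "  ($5 == "" ? "unset" : $5) " > " max }
        $6 == "" || $6 + 0 < warn { print $1 ": warn days " ($6 == "" ? "unset" : $6) " < " warn }
    ' "$1"
}

# Stand-alone demo on constructed data (fake hashes, not real accounts).
demo() {
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
kiran:x:500:500::/home/kiran:/bin/bash
toor:x:0:0:second uid 0 entry:/root:/bin/bash
EOF
    cat > "$d/shadow" <<'EOF'
root:$1$saltsalt$fakehashfakehashfake1:13037:0:99999:7:::
kiran:$1$saltsalt$fakehashfakehashfake2:13037:3:45:7:::
guest::13037:0:99999:7:::
bin:*:13037:0:99999:7:::
EOF
    echo "UID 0 accounts other than root:"; uid0_accounts "$d/passwd"
    echo "Policy violations (min 3, max 45, warn 7):"
    shadow_policy_violations "$d/shadow" 3 45 7
    rm -rf "$d"
}
demo
```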
Linux Security Notes 9: GPG Encryption
GPG
GNU Privacy Guard is an open-source implementation of Pretty Good Privacy and is 100% compatible with PGP. It is based on PKI (public key / private key encryption). GPG encrypts data, mails etc.
Steps in encrypting data using GPG
Step 1:
Generate the PKI pair (public/private key)
# gpg --gen-key
This prompts for options like the key strength and various other details, and stores the key inside ~/.gnupg/.
pubring.gpg and secring.gpg are the public and private keyrings respectively.
Now make a note of the key fingerprint. This is used to match public keys.
# gpg --list-keys
This shows the keys that have been generated.
# gpg --fingerprint
This shows the fingerprint of the keys.
Step 2:
Now we can encrypt the data using the generated key pair.
Encrypt the data:
# gpg --list-keys
This lists the keys.
# gpg --encrypt -r kiran install.log
-r gives the public key ID to use (the user name can also be given; this selects which key is used), and install.log is the file we are encrypting. As a result a new file named install.log.gpg is created. If we cat the content of install.log.gpg we can see that the file has been encrypted (compression is applied as well, so the file size will be smaller than the original).
Decrypt the data:
# gpg --decrypt install.log.gpg
This decrypts the file and writes the plaintext to STDOUT in the bash terminal.
# gpg -o install.log --decrypt install.log.gpg
This decrypts to the file install.log.
Encryption and decryption using ASCII armor
# gpg -e --armor -r kiran install.log
This encrypts the data with ASCII armor (text-safe output). It creates a file named install.log.asc.
# gpg --decrypt install.log.asc
This decrypts the armored file.
Encryption and decryption across the network:
In this case we have to export the public keys and import them on the remote machine so that it can decrypt the data.
Exporting the public key.
On host1:
# gpg --export --armor -o remotehost1.asc.pub
This exports the public key to the file remotehost1.asc.pub. Now this key can be imported on any host.
On host2:
# gpg --export --armor -o remotehost2.asc.pub
Now both users have exported their public keys. Next we import the public keys on each system to create the "web of trust".
Now import the keys
On host1:
Get the public key of host2, "remotehost2.asc.pub", securely and import it.
# gpg --import remotehost2.asc.pub
This imports the key of host2 on host1 for the current user.
# gpg --list-keys
This shows all the keys.
Now import the keys
On host2 as well:
Get the public key of host1, "remotehost1.asc.pub", securely and import it.
# gpg --import remotehost1.asc.pub
# gpg --list-keys
Now we have both public keys installed on both systems.
Testing the encryption:
# gpg --list-keys
# gpg -e -r 89909823636 --armor -o test.txt.asc test.txt
While encrypting, make sure the right key is used. For this, instead of giving the user name to the "-r" flag, use the key ID; in our case it is "89909823636". This confirms which key is going to be used for encryption.
This encrypts the file; now send it across the wire to host2.
On host2
# gpg --list-keys
Find the key which has the ID 89909823636 in the output of the above command.
# gpg --decrypt -r 89909823636 -o test.txt test.txt.asc
This decrypts the file and creates the new file test.txt.
GPG - Signing & Encryption
* Signing is different from encrypting the data. Signing proves the authenticity of the data sent to the receiver, stating that "this data belongs to the sender". Signing is independent of encryption; we can encrypt without signing. Signing and encrypting together, to prove authenticity, is recommended.
Signing a file:
The private key of the sender is used to sign the data, and the recipient verifies the signature using the sender's public key.
Encrypt the data
# gpg -e --armor -r 80098FC8 file.txt
This armors and encrypts the file using the key ID 80098FC8.
When a file is signed, gpg will show the signature when decrypting the data.
Signing and encrypting:
# gpg -se --armor -r 80098FC8 file.txt
This encrypts as well as signs the data using the private key 80098FC8. Now when we decrypt the data, gpg shows the signature and the key fingerprint, and also whether the key is trusted or not, in the shell output.
# gpg -d -r 80098FC8 file.txt.asc
This decrypts the data and also shows the signature. But if the trust level of the key is not set, it shows the message "there is no indication that this key belongs to the sender".
Increasing the trust level of the key (certifying the key with a trusted signature):
# gpg --edit-key 8177ACE
This gives a prompt to edit the key having the ID 8177ACE.
Command> help
Shows the help menu.
Command> trust
Now give the trust level (each level is explained by the interactive menu in gpg); select from the 1 to 5 classes of trust.
Command> quit
Now the trust level is set.
So now sign, encrypt and send to the remote user, then decrypt the file on the remote machine.
Note:- If you still see that the trust needs to be increased on the remote machine, the trust level has to be raised on the remote system as well. Then test again.
GPG - detaching the signature:
(--detach-sign or -b) This option detaches the signature from the encrypted file, so the signature and the encrypted file can be sent separately to the remote system. When creating a detached signature there is no need to specify the recipient's (-r) public key; creating the signature relies only on the sender's private key.
Creating the encrypted file and a separate signature for it.
# gpg -ea -r 8900DAC08 test.txt
This creates an encrypted file called test.txt.asc, but it is not signed.
# gpg -b test.txt.asc
(-b tells gpg to create a separate signature.) The signature created for each file will be different.
This creates a file called test.txt.asc.sig.
Now send both files to the remote system.
Testing the file with the signature on the remote system.
When verifying and decrypting the content of the associated encrypted file, follow these steps:
1. Verify the md5sum
2. Verify the signature
3. Decrypt the encrypted file
Verify the md5sum
# Check the md5sum and compare with the sender's md5sum for both the file and the signature
Verify the signature
# gpg --verify test.txt.asc.sig test.txt.asc
This returns the signature status.
Decrypt the encrypted file
# gpg -d -o test.txt test.txt.asc
Integrating GPG with mail clients:
In almost all MUAs the encryption is based on the email address, not on the key ID. So make sure that the matching key has been installed in both the sender's and the receiver's MUA before encrypting and sending the message. The GPG key has to be created, and its trust level defined, with the exact mail ID.
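The detached-signature workflow above, sender side (-ea then -b) and the receiver's three steps in order (checksum, signature, decrypt), as an added example that is not part of the original notes. It assumes GnuPG 2.1 or later, uses sha256sum in place of the notes' md5sum, and runs in a throwaway GNUPGHOME with a passphrase-less demo key so ~/.gnupg is never touched; the user ID and file names are made up.

```shell
#!/bin/sh
# Receiver-side procedure from the notes (checksum, then signature, then
# decrypt) together with the sender side that produces a detached signature.
# Added example, not from the original notes. Assumes GnuPG 2.1 or later and
# uses a throwaway keyring in a temporary GNUPGHOME so ~/.gnupg is untouched.
# sha256sum is used in place of the notes' md5sum; the procedure is the same.

# gpg in non-interactive mode; the demo key is created without a passphrase.
gpgb() { gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' "$@"; }

# Create a keyring directory holding one fresh key for user id $1 and print
# the directory path; callers export it as GNUPGHOME.
make_demo_keyring() {
    home=$(mktemp -d) || return 1
    GNUPGHOME="$home" gpgb --quick-generate-key "$1" default default never 2>/dev/null || return 1
    printf '%s\n' "$home"
}

# Sender: "gpg -ea -r RECIPIENT" then "gpg -b" on the ciphertext, as in the
# notes. Args: plaintext, recipient, output .asc (also writes output .asc.sig).
sign_and_encrypt() {
    gpgb -ea -r "$2" -o "$3" "$1" 2>/dev/null && gpgb -b "$3" 2>/dev/null
}

# Receiver: the three steps in order. Args: ciphertext, detached signature,
# expected checksum of the ciphertext (received out of band), output path.
# Returns 1, 2 or 3 to report which step failed, so nothing is decrypted
# unless the file is intact and really came from the key holder.
verify_then_decrypt() {
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$3" ] || return 1   # step 1: checksum
    gpgb --verify "$2" "$1" 2>/dev/null || return 2                # step 2: signature
    gpgb -o "$4" -d "$1" 2>/dev/null || return 3                   # step 3: decrypt
}

# Stand-alone round trip with one throwaway key playing both sides.
demo() {
    home=$(make_demo_keyring 'Demo <demo@example.invalid>') || { echo "key generation failed"; return 1; }
    export GNUPGHOME="$home"
    printf 'secret notes\n' > "$home/test.txt"
    sign_and_encrypt "$home/test.txt" demo@example.invalid "$home/test.txt.asc" || return 1
    sum=$(sha256sum "$home/test.txt.asc" | cut -d' ' -f1)
    verify_then_decrypt "$home/test.txt.asc" "$home/test.txt.asc.sig" "$sum" "$home/out.txt"
    echo "verify_then_decrypt returned $? (0 = all three steps passed)"
    cat "$home/out.txt"
    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$home"
}
demo
```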