Unix for Security Professionals

Security Essentials
The SANS Institute
Unix Security - SANS ©2001

All material in this course Copyright © Hal Pomeranz and Deer Run Associates, 2000-2001. All rights reserved.

Hal Pomeranz * Founder/CEO * hal@deer-run.com
Deer Run Associates * PO Box 20370 * Oakland, CA 94620-0370
+1 510-339-7740 (voice) * +1 510-339-3941 (fax)
http://www.deer-run.com/

Agenda
• A Brief History of Unix
• Booting Unix
• The Unix File System
• Manipulating Files and Directories
• Unix Privileges
• Unix Processes
• Networking
• System Services
• Unix Backups
• Wrap Up

Unix Backups

This section covers the basic utilities for backing up Unix systems: enough to help you make an emergency backup (and restore the data later), or to make a backup of a compromised system for later forensic analysis. A great deal of time, energy, and thought has been put towards the subject of enterprise-wide backups for large organizations, but these issues are beyond the scope of this presentation. For a good introduction to the larger world of Unix backups, see Nemeth et al., Unix System Administration Handbook, Prentice Hall, ISBN 0-13-151051-7.

Three Options
• tar – Portable archive format, easy to use, good for quick backups
• dump/restore – Standard full-featured Unix backup utilities
• dd – Copies raw file system information, can capture "deleted" data

There are several different commands available under Unix for archiving and later restoring files. Which one you choose depends a lot on your situation and your reason for making the archive.

• The tar (tape archive) command takes a list of files and/or directories and gathers them together into a single file, which can be written to tape or disk.
The tar archive file (usually we just say "tar file") preserves the file owner, group owner, and timestamp information on all files and directories in the archive. The tar archive format is portable, so for example a tar file written on a Linux Intel (little-endian) workstation can be read on a Solaris SPARC (big-endian) system.

• The dump command creates a backup of a Unix partition which can later be recovered using the restore program. dump and restore have all of the features you would want in a normal backup regimen: the ability to do "incremental" backups (back up only the files that have changed since the last backup), split backups across multiple tapes, easily restore both individual files and entire partitions, etc. However, the format of the archive file written by dump depends on the OS (Linux and Solaris machines write different dump formats), the processor architecture (big-endian vs. little-endian), and the underlying file system type (Solaris UFS vs. BSD FFS, for example). Generally, it's a good bet that you will be able to read back your dumps only on another system of the same type.

• The dd command is used to copy raw data from one place to another. dd has many uses (some of which we'll cover shortly), but one common use is to dump an image from a raw disk device to tape (or some other location) for forensic analysis. Because dd is blindly copying the raw bits off the disk drive, it will pick up even the currently "unused" data blocks in the file system, which might contain data from files or directories which have been deleted by the attacker.

tar
Pro
– Can be used on "active" file systems
– Byte-order independent format
Con
– Can't span multiple volumes
– Various versions have some limitations

tar is the portable archive format for Unix systems. Tar files made on one machine can be read almost anywhere (including by some Windows-based utilities).
This is why so much of the software and source code available on the Internet is distributed as tar archives for easy downloading.

tar operates by simply working its way through the list of files and directories that the user specifies on the command line. If one of the targets for the archive is a directory, tar recursively descends through the directory and gathers up all files and subdirectories into the archive. Because tar gathers files and directories "one-by-one", as it were, you can use tar to archive file systems which are currently "active", that is, which have one or more users adding, deleting or modifying files while the archive is happening (this turns out not to be true for dump). The archive is still only a snapshot of each file at the moment tar read it: a file that is being written while tar copies it is archived in whatever state tar saw, and GNU tar warns "file changed as we read it" when it notices.

One downside to tar is that it doesn't handle splitting an archive across multiple tapes (some tar implementations claim to have this feature, but they usually don't work properly). This used to be more of an issue in the old days when tapes didn't hold much information. Of course, it's always possible to make several separate archives which back up all of your data into pieces that fit on your available media.

Different versions of tar have also had various odd (mostly historical) limitations. For example, some versions of tar can't handle pathnames longer than some fixed limit (some as low as 100 characters), some won't back up device files or other special sorts of files, etc. However, GNU tar has none of these limitations and is portable across a wide variety of systems. If you will be making heavy use of tar, it's a good idea to download (from ftp://ftp.gnu.org/gnu/tar/) and install GNU tar on all of your systems (if it's not there already).
dump/restore
Pro
– Supports multiple volumes
– Supports "incremental" backups
– "Interactive" mode for restore
Con
– Format is byte-order dependent
– Can get confused if file system is active
– Can only back up one partition at a time

dump and restore are the common utilities for doing normal Unix backups. If a file system is so large that the backup doesn't fit on a single tape, dump will split the backup across multiple tapes automatically.

dump supports the notion of "dump levels", level 0 through level 9. Level 0 means dump everything. A higher-level dump captures only the files that have been modified since the most recent dump with a lower level number. For example, if you start off with a level 0 dump and then do a level 5 dump, the level 5 dump only captures the changes since the level 0 dump. If you later do a level 9 dump, then you only get the changes since the level 5 dump. If you follow that with a level 4 dump, you get everything that's changed since the original level 0 dump (and you can throw away or re-use the level 5 and level 9 tapes, since the level 4 dump supersedes them).

restore can be used to bring back an entire dump, or to selectively restore individual files. restore has a very nice "interactive" mode which allows the administrator to view the files in the dump archive as if they were actually in the Unix file system and selectively mark the files they want to restore (more on this later). Note that a full restore of a lost file system generally means restoring your last level 0 dump and then "overlaying" all of the still-current incremental dumps you've made since that time, in the order they were taken (again, more on this a bit later).

As we mentioned earlier, however, the format of the dump archive is incredibly system-dependent and not at all portable. Also, dump only works on a single partition at a time, so backing up a complete Unix system generally involves several successive dumps.

The big problem with dump, though, is that it actually dumps the file system using several "passes".
The first pass maps the file system, the next pass dumps the directory structure to tape, and the final pass backs up the actual file contents. If the file system changes while the dump is being performed, the map no longer matches what is on disk, and your backup may be corrupted and useless. This is why dumps should be performed late at night when nobody is using the system, or in single-user mode by an admin on the console of the system.

dd
Pro
– May capture data that other tools miss
– Can perform data conversions as well
Con
– Must usually be used with other tools
– Odd command line syntax

dd is not an archiving utility per se, but rather a means of copying raw data from one place to another (disk-to-tape, disk-to-disk, tape-to-tape, etc.). This generally means that you will need to use dd in combination with some other utility (like tar or dump/restore) in order to actually read and interpret the data. The plus side is that dd captures everything, even data that other archiving programs might miss. This makes dd a useful tool when performing forensic analysis on compromised systems; when you image a disk for that purpose, read from the raw device with the file system unmounted (or mounted read-only) so the image is not changing underneath you, and record a checksum of the image so you can later show it has not been altered. Also, as we'll see shortly, dd has some nice data conversion features which make it possible to migrate data from one type of system (even old mainframe systems) to another. dd is one of the oldest Unix utilities, and its option=value command line syntax was borrowed from the DD statement of IBM's mainframe JCL, which pre-dates Unix; that is why it looks so "non-Unix".

Digression: Tape Devices
Examples:
/dev/nrst0   First tape device, raw, no rewind
/dev/rst1    Second tape device, raw mode
/dev/st0     First tape device, "blocked" mode

Anatomy of /dev/nrst0:
n    "No rewind"
r    "Raw"
st   SCSI tape
0    Device instance

Before we get into examples of how to use tar, dump, dd, etc., it's useful to know how to locate and name the tape device(s) under Unix. These days, tape devices are usually found at /dev/st? on most Unix systems.
The "st" means SCSI-attached tape device (older tape devices may have a non-SCSI interface, and these are generally accessed via /dev/mt?, "mt" for "magnetic tape"). The number after the "st" specifies a particular tape device: the first tape drive is /dev/st0, the second /dev/st1, and so on.

The letters before the "st?" specify tape handling options. An "r" selects the raw (character) device: reads and writes go straight to the drive in whatever block size the program asks for, rather than through the kernel's block buffer cache. The standard Unix backup utilities all use the raw device when accessing tapes. Some backup utilities will silently switch to the raw device if you name the blocked device by mistake, but don't count on it.

The "n" specifies "no rewind" mode. By default, any time you access a tape on a Unix system, the tape will rewind to the beginning before your command is executed and again once the operation you're performing is completed. However, suppose you wanted to dump several partitions onto a single large tape. If the tape rewound after each dump, then each dump would overwrite the one before it (and, trust me, plenty of sites have been burned by this throughout the history of Unix)! It's generally a good practice to always specify the no-rewind tape device unless you're absolutely certain of what you're doing. We'll talk about commands for rewinding and repositioning tapes at the end of this section.

Note that SYSV machines (notably Solaris) use a different device naming scheme for tapes. Raw tape devices are found under /dev/rmt/? (even if the tape is a SCSI tape), and the no-rewind option appears after the tape instance number, e.g., /dev/rmt/0n.
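Before moving on to tar, here is the dump-level rule from the dump/restore slide in executable form, since it is easy to get wrong when a restore is being done in a hurry. This is an added example, not code from the course: a POSIX sh function that takes the levels of the dumps taken so far, in order, and prints which of them must be restored (oldest first) to rebuild the file system, plus a helper that counts how many of the tapes can be reused. It only does the bookkeeping; the level sequences are constructed for the demo and nothing touches a tape.

```sh
#!/bin/sh
# Added illustration of the dump-level rule (not code from the course).
# A level-N dump contains everything changed since the most recent dump
# with a level lower than N, so any earlier dump whose level is >= N is
# superseded once the level-N dump exists.  Given the levels of all
# dumps taken so far (oldest first), print the levels that must be
# restored, in order, to rebuild the file system: the last level 0,
# then each incremental that has not been superseded.
restore_set() {
    stack=""                 # surviving dumps, oldest first; levels strictly increase
    for lvl in "$@"; do
        case "$lvl" in
            [0-9]) ;;
            *) echo "restore_set: bad dump level '$lvl'" >&2; return 1 ;;
        esac
        kept=""
        for prev in $stack; do
            # Once we reach a dump at or above the new level, it and every
            # later one are covered by the new dump and can be re-used.
            [ "$prev" -lt "$lvl" ] || break
            kept="$kept $prev"
        done
        stack="${kept# } $lvl"
        stack="${stack# }"
    done
    echo "$stack"
}

# Tapes that are no longer needed: everything taken so far minus the
# restore set.  Works on counts, so repeated levels are handled.
reusable_count() {
    total=$#
    needed=$(restore_set "$@") || return 1
    set -- $needed
    echo $((total - $#))
}

# The sequence from the slide: level 0, then 5, 9 and 4.
echo "after dumps 0 5 9 4, restore: $(restore_set 0 5 9 4)"    # 0 4
echo "tapes that can be reused:     $(reusable_count 0 5 9 4)" # 2
```

The restore order printed is also the overlay order for restore: the level 0 first, then each surviving incremental from oldest to newest.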
The Tao of tar
tar has three main mode options:
-c  Create a new archive
-x  Extract files from archive
-t  Show archive table of contents
Other useful options:
-f  Specify an archive file or tape device
-v  Verbose mode
-p  Preserve permissions (and, as root, ownership) with -x

tar generally operates in one of three major modes: you're either creating an archive (-c), extracting files from an archive (-x), or testing/looking at the table of contents of an archive (-t). These modes are mutually exclusive, so you'll only ever specify one of -c/-t/-x per command line.

tar has other options as well (for complete information, consult the on-line manual page for the version of tar you are using). The most important of these is -f for specifying where the archive should be written. The argument to the -f option is the name of a tape device or just a file name where you want the archive created; "-f -" means standard output when creating and standard input when extracting, which is what makes tar usable in pipelines.

-v turns on verbose mode. When writing or extracting files from an archive, -v causes the name of each file to be printed. Note that printing each file name noticeably slows down the process of reading or writing the archive. When used with the -t option, verbose mode causes a detailed listing of the archive contents, similar to the output of ls -l.

tar always stores the owner, group, permission bits and modification time of each file in the archive, and modification times are restored by default on extraction. When an ordinary user unpacks a tar file, however, the extracted files are owned by that user and the stored permission bits are filtered through the user's umask (the setuid, setgid and sticky bits are generally dropped as well). The -p option tells tar to restore the stored permissions exactly; when tar is run as the superuser it also restores the original owner and group, and most tars default to this behaviour for root. Restoring ownership is the part that only works as the superuser.

[...]
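To make the three modes concrete, here is an added example (not code from the course) that runs them on a scratch tree: it creates an archive with relative paths, counts the entries with -t, extracts twice to show what -p changes under a restrictive umask, and finishes with the pipe-to-tar copy idiom that appears in the later slide excerpts. It assumes a tar that accepts -c/-t/-x/-f/-p and "-f -" (GNU tar and bsdtar both do) and a writable $TMPDIR; the directory names, files and modes are all constructed for the demo.

```sh
#!/bin/sh
# Added example, not code from the course: the three tar modes on a
# scratch tree, the effect of -p, and the tar-to-tar copy idiom.
# All paths, files and modes below are constructed for the demo.

# Build a small tree under $1 with a mode that the umask would strip.
make_tree() {
    mkdir -p "$1/hal/bin" "$1/hal/doc"
    printf '#!/bin/sh\necho hi\n' > "$1/hal/bin/tool"
    printf 'hello\n' > "$1/hal/doc/readme"
    chmod 755 "$1/hal/bin/tool"
    chmod 644 "$1/hal/doc/readme"
}

# -c: create.  cd into the parent first so the archive holds the relative
# path "hal/..." rather than an absolute one: an archive built from
# "/home/hal" would, on tars that keep the leading "/", extract straight
# back over the live /home/hal (the "Danger!" in the slide's example).
# $2 must be an absolute path because of the cd.
archive_tree() {                     # $1 = parent dir, $2 = archive file
    (cd "$1" && tar -cf "$2" hal)
}

# -t: table of contents.  Returns the number of entries in the archive
# (directories are listed too, with a trailing slash).
entry_count() {
    tar -tf "$1" | wc -l | tr -d ' '
}

# -x: extract into $2, with (-p) or without ($3 empty) preserving modes.
# Runs under a restrictive umask inside a subshell so the effect of -p is
# visible and the caller's umask is untouched.
extract_tree() {                     # $1 = archive, $2 = dest dir, $3 = "-p" or ""
    mkdir -p "$2"
    (umask 077 && cd "$2" && tar -x $3 -f "$1")
}

# Permission string of a file as ls prints it, e.g. "-rw-r--r--".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# The copy idiom from the later slide: one tar writes the tree to stdout,
# a second tar in the target directory reads it from stdin.  Unlike cp -r
# it keeps modes, times and (as root) ownership intact.
copy_tree() {                        # $1 = source parent, $2 = dest parent
    mkdir -p "$2"
    (cd "$1" && tar -cf - hal) | (cd "$2" && tar -xpf -)
}

# Stand-alone run: build, archive, list, extract both ways, copy, clean up.
demo() {
    T=$(mktemp -d) || exit 1
    make_tree "$T/src"
    archive_tree "$T/src" "$T/hal.tar"
    echo "entries in hal.tar: $(entry_count "$T/hal.tar")"
    extract_tree "$T/hal.tar" "$T/plain" ""
    extract_tree "$T/hal.tar" "$T/kept" -p
    echo "readme without -p: $(mode_of "$T/plain/hal/doc/readme")"
    echo "readme with    -p: $(mode_of "$T/kept/hal/doc/readme")"
    copy_tree "$T/src" "$T/copy"
    echo "files copied by the tar pipe: $(find "$T/copy/hal" -type f | wc -l | tr -d ' ')"
    rm -rf "$T"
}
demo
```

Run it as an ordinary user and the "without -p" line comes back as -rw------- (the umask was applied) while the "-p" line keeps -rw-r--r--; run it as root and both show -rw-r--r--, because GNU tar and bsdtar default to -p behaviour for the superuser, which is the point the slide makes about -p and root.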
[...] disk
    tar -cf hal.tar /home/hal    # Danger!

(The danger with the last example is the absolute path: tars that store the leading "/" will write the files straight back into /home/hal when the archive is extracted, wherever you happen to be standing.)

The first example shows how to use tar to make an archive of an entire Unix file system. We're using -c to create a new archive, and the archive is going to be written to the tape device /dev/rst0 (-f /dev/rst0). The list of files to be archived is '/', the root of the directory tree (and therefore all files and subdirectories below [...]

[...] copy idiom:
    tar -cf - hal | (cd /new/dir; tar -xpf -)

(The slide prints the second command as "tar -xfp -"; in that order -f takes "p" as the archive name, so the p has to come before the f.)

When writing a tar file to disk, it's usually a good idea to compress the data as well. Tar files are generally slightly larger than the sum of the sizes of the files in the archive (due to overhead of the tar archive format itself). You could compress all of the files before archiving them, but you generally get better compression [...]

[...] happen
    Specify next volume #: 1
    set owner/mode for '.'? [yn] n      <- Always answer no!
    # mv mail/hal /var/mail/hal

As we mentioned earlier, the restore command also has an interactive mode to assist the administrator who only wants to restore a few files or directories. restore -i reads the directory structure information saved by the first pass of the dump, and then puts you [...]

Converting Data
Swapping byte order:
    dd if=/dev/rst0 conv=swab | restore -rf -
Converting old mainframe data:
    dd if=/dev/rmt0 of=/dev/rst0 conv=ascii

(The slide writes the first command with "of=-"; dd does not treat "-" as standard output and would create a file named "-", so of= is omitted here and dd writes to its standard output, which is the default.)

In addition to copying bytes from one place to another, dd can perform several different conversions ("conv=") on those bytes during the copy process. One conversion is byte-swapping, conv=swab. This allows you to transfer [...] 9-track) tape device.

The Real Use For dd
    ssh otherhost \
        dump 0usf 1000000 - /home | \
        dd of=/dev/nrst0
• Implies that the machine otherhost trusts the tape server as root
• Performance can be improved with compression and weaker crypto

(Again the slide has "dd if=-", which would try to open a file named "-"; with if= omitted dd reads its standard input. Practitioner note, not from the slides: if the root login is key-based, restrict that key in otherhost's authorized_keys with a command= forced command, so that a compromised tape server can only run this dump and not obtain a root shell.)

In normal practice, however, the most common use for dd is as a component of pipelines that perform backups of systems over a network [...]

[...] machine.

A Useful Shell Script
    #!/bin/sh
    # Dump every FFS partition on this machine, one after another, onto a single tape.
    PARTITIONS=$(df -k -t ffs | tail -n +2 | awk '{ print $6 }')
    mt -f /dev/rst0 rew                      # start at the beginning of the tape
    for part in $PARTITIONS                  # the slide has "for $part", which is a syntax error
    do
        dump 0usf 1000000 /dev/nrst0 $part   # no-rewind device, so each dump is appended
    done
    mt -f /dev/rst0 rewoffl                  # rewind and take the tape offline

This is a little bit of shell code for automatically dumping all of the partitions on a machine to a local tape drive:
• First we pipe the output of the df command [...]

[...] including data blocks that used to be part of files that were deleted.

Wrap Up

One quick slide with references for further reading and a reminder to fill out your surveys!

References
Peter Salus, A Quarter Century of Unix, Addison-Wesley, ISBN 0-201-54777-5
Nemeth et al., Unix System Administration Handbook, Prentice Hall, ISBN 0-13-151051-7
McKusick et al., [...], ISBN 0-201-54979-4
Kernighan and Pike, The Unix Programming Environment, Prentice Hall, ISBN 0-13-937681-X
Garfinkel and Spafford, Practical Unix and Internet Security, O'Reilly and Associates, ISBN 1-56592-148-8

These books were used during the preparation of this course. A Quarter Century of Unix is a very complete history of the Unix operating system from 1969 through 1994 [...] books on Unix operating system internals. It is useful for both SYSV and BSD Unix because so many critical kernel components (including the networking and file system code) were developed under BSD. Kernighan and Pike is a somewhat dated (1984) but still highly useful introduction to the Unix system from a user perspective. Garfinkel and Spafford is a good overview of security issues common to most Unix systems [...] the authors), which sometimes leaves novice security administrators guessing about the right way to fix their systems.

That's It!
• Final questions?
• Please fill out your surveys!

Course Revision History
v1.0 – Hal Pomeranz – April 2001
v1.1 – edited/formatted by J Kolde – 8 May 2001
v1.1a – [...]
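The dd slide and the "Converting Data" excerpt both describe what dd does without a runnable illustration, so here is one, added here and not taken from the course. A constructed file stands in for the raw disk device so that it runs without a tape drive or root: it images the "disk" block for block with the error-tolerant flags an examiner uses, checks the copy with cksum, pulls one block out by number, finds a string that lives only in an unused block (the "deleted data" case from the Three Options slide), and finally runs conv=swab and conv=ascii on constructed bytes. Only POSIX dd, cksum, od, tr, grep and printf are used; the image path, block numbers and sample strings are assumptions of the demo.

```sh
#!/bin/sh
# Added example, not code from the course.  A constructed file stands in
# for the raw disk device so this runs anywhere; with a real drive the
# "disk" would be the raw device, unmounted or mounted read-only.

# Build a fake 4 KiB "disk": a file that still exists (block 1), a
# leftover from a deleted file in an unused block (block 3), zeros
# elsewhere.  A file-level tool such as tar would never see block 3.
make_disk() {                         # $1 = image path
    dd if=/dev/zero of="$1" bs=512 count=8 2>/dev/null
    printf 'live: /etc/passwd copy' |
        dd of="$1" bs=512 seek=1 conv=notrunc 2>/dev/null
    printf 'deleted: rootkit notes' |
        dd of="$1" bs=512 seek=3 conv=notrunc 2>/dev/null
}

# Raw copy the way a disk is imaged: fixed block size, keep going past
# read errors (noerror) and pad short blocks with NULs (sync) so offsets
# in the image still match the device.  Then checksum both sides; the
# checksum is what you record alongside the evidence.
image_disk() {                        # $1 = source device/file, $2 = image
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
    src=$(cksum < "$1" | cut -d' ' -f1)
    img=$(cksum < "$2" | cut -d' ' -f1)
    if [ "$src" = "$img" ]; then echo ok; else echo MISMATCH; fi
}

# Pull one 512-byte block out of the image by number (skip= counts
# blocks of bs=), with the NUL padding removed so it prints as text.
block_text() {                        # $1 = image, $2 = block number
    dd if="$1" bs=512 skip="$2" count=1 2>/dev/null | tr -d '\000'
}

# Count lines in the raw image containing a string, whether or not any
# file currently owns the block.  tr turns the NULs into newlines so
# grep sees text.
hits() {                              # $1 = image, $2 = string
    tr '\000' '\n' < "$1" | grep -c "$2"
}

# conv=swab swaps each pair of bytes: the slide's fix for a dump written
# on a machine of the other byte order.  Input length should be even;
# the result is printed as hex so the swap is visible.
swab_hex() {                          # $1 = string
    printf '%s' "$1" | dd conv=swab 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# conv=ascii translates EBCDIC to ASCII: the "old mainframe data" case.
# The five octal bytes are the EBCDIC (code page 037) spelling of "Hello".
ebcdic_to_ascii() {
    printf '\310\205\223\223\226' | dd conv=ascii 2>/dev/null
}

# Stand-alone run.
T=$(mktemp -d) || exit 1
make_disk "$T/disk.raw"
echo "image verified:   $(image_disk "$T/disk.raw" "$T/disk.img")"
echo "block 3 contents: $(block_text "$T/disk.img" 3)"
echo "'deleted' found:  $(hits "$T/disk.img" deleted) time(s)"
echo "abcdef swabbed:   $(swab_hex abcdef)"
echo "EBCDIC to ASCII:  $(ebcdic_to_ascii)"
rm -rf "$T"
```

The string in block 3 is exactly the kind of thing the Three Options slide has in mind: it is not in any file, so tar or dump would never copy it, but the raw image carries it, and block_text shows how to carve a single block back out once you know its offset.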
