A malicious user crippling a system and gaining superuser rights is a nightmare for any system administrator. In defense of the open UNIX platforms, the small shell application we look at below adds another brick to the open UNIX security barrier.
The open UNIX operating systems FreeBSD and Linux Mandrake both ship with integrated shell security systems. The FreeBSD program is located in /etc/security; the Mandrake Security Package for Linux can be found in /usr/share/msec. These standard tools are similar in functionality, but they limit file-system integrity control to files with the SUID and SGID flags set, and the two systems compute MD5 file checksums with different utilities (md5 on FreeBSD, md5sum on Mandrake).
Usually a running program gains access to system resources according to the rights of the user who runs it. Setting the SGID and SUID flags changes this so that access rights are assigned according to the rights of the file's owner. Thus a running executable owned by root gets unlimited access to system resources regardless of who runs the program. Setting the SUID and SGID flags causes inheritance of the file owner's rights and the group owner's rights respectively. Privileges are changed (usually extended) only for the run time and only for that program, but other processes launched by the application also inherit its rights. Therefore SUID and SGID flags should be set with caution and only on programs that cannot launch arbitrary tasks.
The solution: using MD5 checksums
Detecting modifications made to system files with SGID/SUID flags is extremely difficult. With enough experience and care, system services and settings can be modified without changing the standard file attributes (usually an administrator pays attention to the dates a file was created and modified). The following program traces changes made to all the files in the specified directories using an integrity test based on MD5 checksums, so that a modification cannot be masked in this way.
files-diffs configuration and source code for FreeBSD
Standard services are located in the following directories: /etc *, /bin, /sbin, /modules, /usr/bin, /usr/sbin, /usr/lib *, /usr/libexec *, /usr/X11R6/bin, /usr/X11R6/lib *, /usr/local/bin, /usr/local/etc *, and /usr/local/sbin. This list covers the integrity of the standard services but does not keep track of additional services that could also be crippled (Perl, Web, News, etc.). Directories marked with * contain further sub-hierarchies that should also be traced. It is a good idea to have the root user receive daily e-mail reports of modified files. To set up the shell program:
- login as root
- cd /etc/periodic/daily
- save the code to the file files-diffs
- chmod 755 files-diffs
- chown root:wheel files-diffs
Listing 1. files-diffs for FreeBSD
#!/bin/sh
#
# Checking files for modification
#
# Written by Igor B. Maximov, uniug@cris.net
#
# Dirs checked together with their sub-folders
DeepDirs="/etc /usr/lib /usr/libexec /usr/X11R6/lib /usr/local/etc"
# Dirs checked without their sub-folders
Dirs="/bin /sbin /modules /usr/bin /usr/sbin /usr/X11R6/bin /usr/local/bin /usr/local/sbin"
TMP=/var/run/_files-diffs.$$
LOG=/var/log
(
for j in $DeepDirs
do
    cd "$j" || continue
    /usr/bin/find . -xdev \( -type f -or -type l -or -type s -or -type p \) -print |
    while IFS= read -r i
    do
        # Backticks left unquoted on purpose: folds the ls and md5 output onto one line
        # per file. ls -d keeps a symlinked directory from being listed, and only regular
        # files are hashed, because md5 on a FIFO or socket would block or fail.
        echo "${j}/" `/bin/ls -ld "$i"; [ -f "$i" ] && /sbin/md5 "$i"`
    done
done
for j in $Dirs
do
    cd "$j" || continue
    /usr/bin/find . -xdev -maxdepth 1 \( -type f -or -type l -or -type s -or -type p \) -print |
    while IFS= read -r i
    do
        echo "${j}/" `/bin/ls -ld "$i"; [ -f "$i" ] && /sbin/md5 "$i"`
    done
done
) >"${TMP}"
# First run: there is no baseline yet, so today's snapshot becomes the baseline
if [ ! -f "${LOG}/files-diffs.today" ]; then
    (
        echo "No ${LOG}/files-diffs.today"
        cp "${TMP}" "${LOG}/files-diffs.today"
    ) | mail -s "No ${LOG}/files-diffs.today" root
fi
# Any difference from the baseline is mailed to root and the baseline is rotated
if ! cmp "${LOG}/files-diffs.today" "${TMP}" >/dev/null; then
    (
        echo "files diffs:"
        diff -b "${LOG}/files-diffs.today" "${TMP}"
        mv "${LOG}/files-diffs.today" "${LOG}/files-diffs.yesterday"
        mv "${TMP}" "${LOG}/files-diffs.today"
    ) | mail -s files-diffs root
fi
if [ -f "${TMP}" ]; then
    rm "${TMP}"
fi
files-diffs configuration and source code for Linux Mandrake
Standard services are located in the following directories: /boot *, /etc *, /bin, /sbin *, /usr/bin *, /usr/sbin, /usr/lib *, /usr/libexec *, /usr/local/bin, /usr/local/etc *, and /usr/local/sbin. Assuming that you have the Mandrake Security Package (RPM: /System/Base/msec) already installed, follow these set-up instructions:
- login as root
- cd /usr/share/msec
- save the code to the file files-diffs.sh
- chmod 755 files-diffs.sh
- chown root:root files-diffs.sh
- open the Security.sh file for editing and add the following line to the end of the file:
. /usr/share/msec/files-diffs.sh
Listing 2. files-diffs for Linux Mandrake
#!/bin/bash
#
# Checking files for modification
#
# Written by Igor B. Maximov, uniug@cris.net
#
# Dirs checked together with their sub-folders
DeepDirs="/boot /etc /lib /sbin /usr/bin /usr/lib /usr/libexec"
# Dirs checked without their sub-folders
Dirs="/bin /usr/local/bin /usr/local/sbin /usr/sbin"
TMP=/var/run/files-diff.$$
LOG=/var/log/security
(
for j in $DeepDirs
do
    cd "$j" || continue
    /usr/bin/find . -xdev \( -type f -or -type l -or -type s -or -type p \) -print |
    while IFS= read -r i
    do
        # Backticks left unquoted on purpose: folds the ls and md5sum output onto one
        # line per file. ls -d keeps a symlinked directory from being listed, and only
        # regular files are hashed, because md5sum on a FIFO or socket would block or fail.
        echo "${j}/" `/bin/ls -ld "$i"; [ -f "$i" ] && /usr/bin/md5sum "$i"`
    done
done
for j in $Dirs
do
    cd "$j" || continue
    /usr/bin/find . -xdev -maxdepth 1 \( -type f -or -type l -or -type s -or -type p \) -print |
    while IFS= read -r i
    do
        echo "${j}/" `/bin/ls -ld "$i"; [ -f "$i" ] && /usr/bin/md5sum "$i"`
    done
done
) >"${TMP}"
# First run: there is no baseline yet, so today's snapshot becomes the baseline
if [ ! -f "${LOG}/files-diff.today" ]; then
    (
        echo "No ${LOG}/files-diff.today"
        cp "${TMP}" "${LOG}/files-diff.today"
    ) | mail -s "No ${LOG}/files-diff.today" root
fi
# Any difference from the baseline is mailed to root and the baseline is rotated
if ! cmp "${LOG}/files-diff.today" "${TMP}" >/dev/null; then
    (
        echo "files diffs:"
        diff -b "${LOG}/files-diff.today" "${TMP}"
        mv "${LOG}/files-diff.today" "${LOG}/files-diff.yesterday"
        mv "${TMP}" "${LOG}/files-diff.today"
    ) | mail -s files-diff root
fi
if [ -f "${TMP}" ]; then
    rm "${TMP}"
fi
You can further improve a system's resilience by running this program separately from the standard security system. If you do this, the program should live in a different directory, and different paths should be used for the temporary files and the stored snapshots. The presence of a monitoring system is then not evident to the malicious user and cannot easily be evaded.
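The baseline-and-compare logic of both listings, written here as an added Python example (not the article's script) so the point made earlier can be exercised on constructed files: a same-size replacement whose mtime is put back is still reported as changed in its md5 field, while a new file shows up under added. Function and field names are this example's own; like the listings, only regular files are hashed, since md5 on a FIFO or socket would block.

```python
import hashlib, os, stat, tempfile

def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def file_record(path):
    # lstat does not follow symlinks, so a retargeted link shows up as a change
    st = os.lstat(path)
    rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid,
           "size": st.st_size, "mtime": st.st_mtime_ns}
    # hash regular files only: reading a FIFO or socket would block or fail
    rec["md5"] = md5_of(path) if stat.S_ISREG(st.st_mode) else None
    return rec

def snapshot(root, deep=True):
    # map relative path -> record for every non-directory entry under root
    out = {}
    for dirpath, dirnames, filenames in os.walk(root):
        if not deep:
            dirnames[:] = []  # same effect as find -maxdepth 1 (the Dirs list)
        for name in filenames:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = file_record(full)
    return out

def compare(old, new):
    # added, removed and modified paths; modified lists the fields that changed
    report = {"added": sorted(set(new) - set(old)), "removed": sorted(set(old) - set(new)), "modified": {}}
    for path in sorted(set(old) & set(new)):
        changed = [k for k in old[path] if old[path][k] != new[path][k]]
        if changed:
            report["modified"][path] = changed
    return report

def demo():
    # constructed scenario: same-size content swap with the timestamp restored afterwards
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "bin"))
        target = os.path.join(root, "bin", "login")
        with open(target, "wb") as f: f.write(b"original executable bytes")
        baseline = snapshot(root)
        st = os.stat(target)
        with open(target, "wb") as f: f.write(b"replaced executable bytes")  # same length
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))  # ls -l now looks unchanged
        with open(os.path.join(root, "bin", "extra"), "wb") as f: f.write(b"new file")
        return compare(baseline, snapshot(root))
```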
- Go to the FreeBSD official site for news, software, documentation, and support.
- Read the FreeBSD Handbook to find out about the installation and day-to-day use of FreeBSD 4.3.
- Go to the official Linux Mandrake site for news and developer and product support information.
- Find out more about MDx.
- Get the description and source code for MD5.
- Read the man pages: for FreeBSD, man md5; for Linux Mandrake, man md5sum.
- Browse a list of articles, redbooks, and resources showing how IBM's eServer products support Linux, in the article "Linux is here--now--on eServer products".
- Find out more about IBM's ViaVoice ASR SDK for Linux Mandrake and other distributions.
- Find out more about IBM's Internet Security Services.
- Also on developerWorks, read:
- Addressing security issues in Linux
- Linux hardware stability guide, Part 1
- Linux hardware stability guide, Part 2
- Tutorial: Installing FreeBSD
- Take a look at the Security resources on developerWorks.
- Browse more Linux resources on developerWorks.
- Browse more Open source resources on developerWorks.
Igor Maximov is a Web Developer and System Administrator of the softPilot.2000 project (CONSUL Bureau, Sevastopol, Ukraine). His focus is on new ideas in network security and Web programming. You can contact Igor at uniug@cris.net.