Level: Intermediate
Igor Maximov (uniug@cris.net), Web developer, softPilot.2000
01 Sep 2001

This article takes a look at a little shell application that uses an innovative approach to increasing open UNIX security. A step-by-step analysis of the code is provided. The author's areas of expertise are in Web programming and cutting-edge network security development.

A malicious user crippling a system and getting superuser rights is a nightmare for any system administrator. In defense of open UNIX platforms, the small shell application we're going to look at will put another brick into the open UNIX security barrier.

The open UNIX operating systems FreeBSD and Linux Mandrake both have integrated shell security systems. The FreeBSD program is located in /etc/security. The Mandrake Security Package for Linux can be found in /usr/share/msec. These standard tools are similar in functionality, but they limit file system integrity control to files with SUID and SGID flags. Mandrake also calculates MD5 file checksums with a different tool (md5sum instead of FreeBSD's md5).

Usually a running program gains access to system resources according to the rights of the user who runs it. Setting the SUID or SGID flag changes this so that access rights are assigned according to the file owner's rights. Thus, a running executable owned by root gets unlimited access to system resources regardless of who runs it. The SUID flag causes inheritance of the file owner's rights, and the SGID flag inheritance of the group owner's rights. Privileges are changed (usually extended) only for the run time and only for the program, but other processes launched by the application also inherit its rights. Therefore, SUID and SGID flags should be set with caution and only for those programs that cannot launch arbitrary tasks.
MD5
MD5 is the message digest algorithm for digital signature applications and was developed by Ronald L. Rivest in 1991. See Resources later in this article for the algorithm source code and more info.
The solution: using MD5 checksums
Tracing modifications made to system files, beyond spotting new files with SGID/SUID flags, is an extremely difficult task: with enough experience and caution, an intruder can modify system services and settings without changing the standard file attributes an administrator usually watches (the dates a file was created and modified). The following program traces changes made to all the files of the specified directories using an integrity test based on MD5 checksums, so a modification cannot be masked by preserving a file's attributes.
files-diffs configuration and source code for FreeBSD
Standard services are located in the following directories: /etc *, /bin, /sbin, /modules, /usr/bin, /usr/sbin, /usr/lib *, /usr/libexec *, /usr/X11R6/bin, /usr/X11R6/lib *, /usr/local/bin, /usr/local/etc *, and /usr/local/sbin. This hierarchy covers the integrity of the standard services but does not keep track of additional services that could also be crippled (Perl, Web, News, etc.). Directories marked with * contain additional hierarchies and should also be traced. It is a good idea to have the root user receive daily e-mail reports concerning modified files. To set up our shell program:
- log in as root
- cd /etc/periodic/daily
- save the code to the file files-diffs
- chmod 755 files-diffs
- chown root:wheel files-diffs
Listing 1. files-diffs for FreeBSD
#!/bin/sh
#
# Checking files for modification
#
# Written by Igor B. Maximov, uniug@cris.net
#
# Dirs checked together with their sub-folders
DeepDirs="/etc /usr/lib /usr/libexec /usr/X11R6/lib /usr/local/etc"
# Dirs checked without their sub-folders
Dirs="/bin /sbin /modules /usr/bin /usr/sbin /usr/X11R6/bin /usr/local/bin /usr/local/sbin"
TMP=/var/run/_files-diffs.$$
LOG=/var/log
# Build today's snapshot: one line per entry holding the directory, the
# ls -l attributes and the MD5 sum (FreeBSD's checksum tool is /sbin/md5,
# which prints "MD5 (file) = sum"). Only regular files are hashed, because
# reading a FIFO or socket would block. The for loops split on whitespace,
# so paths containing spaces are not handled.
(
  for j in $DeepDirs
  do
    cd "$j" || continue
    for i in `/usr/bin/find . -xdev \( -type f -o -type l -o -type s -o -type p \)`
    do
      echo "${j}/ "`(/bin/ls -l "$i"; [ -f "$i" ] && /sbin/md5 "$i")`
    done
  done
  for j in $Dirs
  do
    cd "$j" || continue
    for i in `/usr/bin/find . -xdev -maxdepth 1 \( -type f -o -type l -o -type s -o -type p \)`
    do
      echo "${j}/ "`(/bin/ls -l "$i"; [ -f "$i" ] && /sbin/md5 "$i")`
    done
  done
) > "${TMP}"
# First run: there is no baseline yet, so today's snapshot becomes it.
if [ ! -f "${LOG}/files-diffs.today" ]; then
  (
    echo "No ${LOG}/files-diffs.today"
    cp "${TMP}" "${LOG}/files-diffs.today"
  ) | mail -s "No ${LOG}/files-diffs.today" root
fi
# Later runs: mail the differences and rotate the snapshots.
if cmp "${LOG}/files-diffs.today" "${TMP}" >/dev/null; then :; else
  (
    echo "files diffs:"
    diff -b "${LOG}/files-diffs.today" "${TMP}"
    mv "${LOG}/files-diffs.today" "${LOG}/files-diffs.yesterday"
    mv "${TMP}" "${LOG}/files-diffs.today"
  ) | mail -s files-diffs root
fi
if [ -f "${TMP}" ]; then
  rm "${TMP}"
fi
files-diffs configuration and source code for Linux Mandrake
Standard services are located in the following directories: /boot *, /etc *, /bin, /sbin *, /usr/bin *, /usr/sbin, /usr/lib *, /usr/libexec *, /usr/local/bin, /usr/local/etc *, and /usr/local/sbin. Assuming that you have the Mandrake Security Package (for RPM: /System/Base/msec) already installed, follow these setup instructions:
- log in as root
- cd /usr/share/msec
- save the code to the file files-diffs.sh
- chmod 755 files-diffs.sh
- chown root:root files-diffs.sh
- open the Security.sh file for editing and add the following line to the end of the file:
. /usr/share/msec/files-diffs.sh
Listing 2. files-diffs for Linux Mandrake
#!/bin/bash
#
# Checking files for modification
#
# Written by Igor B. Maximov, uniug@cris.net
#
# Dirs checked together with their sub-folders
DeepDirs="/boot /etc /lib /sbin /usr/bin /usr/lib /usr/libexec"
# Dirs checked without their sub-folders
Dirs="/bin /usr/local/bin /usr/local/sbin /usr/sbin"
TMP=/var/run/files-diff.$$
LOG=/var/log/security
# Build today's snapshot: one line per entry holding the directory, the
# ls -l attributes and the MD5 sum (GNU md5sum prints "sum  file").
# Only regular files are hashed, because reading a FIFO or socket would
# block. GNU find wants -xdev and -maxdepth before the tests. The for
# loops split on whitespace, so paths containing spaces are not handled.
(
  for j in $DeepDirs
  do
    cd "$j" || continue
    for i in `/usr/bin/find . -xdev \( -type f -o -type l -o -type s -o -type p \)`
    do
      echo "${j}/ "`(/bin/ls -l "$i"; [ -f "$i" ] && /usr/bin/md5sum "$i")`
    done
  done
  for j in $Dirs
  do
    cd "$j" || continue
    for i in `/usr/bin/find . -xdev -maxdepth 1 \( -type f -o -type l -o -type s -o -type p \)`
    do
      echo "${j}/ "`(/bin/ls -l "$i"; [ -f "$i" ] && /usr/bin/md5sum "$i")`
    done
  done
) > "${TMP}"
# First run: there is no baseline yet, so today's snapshot becomes it.
if [ ! -f "${LOG}/files-diff.today" ]; then
  (
    echo "No ${LOG}/files-diff.today"
    cp "${TMP}" "${LOG}/files-diff.today"
  ) | mail -s "No ${LOG}/files-diff.today" root
fi
# Later runs: mail the differences and rotate the snapshots.
if cmp "${LOG}/files-diff.today" "${TMP}" >/dev/null; then :; else
  (
    echo "files diffs: "
    diff -b "${LOG}/files-diff.today" "${TMP}"
    mv "${LOG}/files-diff.today" "${LOG}/files-diff.yesterday"
    mv "${TMP}" "${LOG}/files-diff.today"
  ) | mail -s files-diff root
fi
if [ -f "${TMP}" ]; then
  rm "${TMP}"
fi
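The snapshot-and-compare scheme of Listings 1 and 2 written in Python, as an added example rather than the article's own code: it records mode, owner, size and MD5 per path, skips hashing FIFOs and sockets (the entries whose md5 call would block in the listings), and classifies changes as added, removed or modified instead of mailing a raw diff. The function names (md5_file, snapshot, compare, demo) are this example's own, and the files it checks are constructed in a temporary directory.

```python
import hashlib
import os
import shutil
import stat
import tempfile
from pathlib import Path

# MD5 follows the article; hashlib.sha256 is the better choice today.
def md5_file(path):
    """MD5 hex digest of a regular file, read in 64 KiB chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Map relative path -> (mode, uid, gid, size, md5) for every non-directory
    entry under root. lstat records a symlink itself; only regular files are
    hashed, since opening a FIFO or socket for reading would block forever."""
    entries = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            digest = md5_file(path) if stat.S_ISREG(st.st_mode) else "-"
            entries[os.path.relpath(path, root)] = (
                oct(st.st_mode), st.st_uid, st.st_gid, st.st_size, digest)
    return entries

def compare(old, new):
    """Classify the differences between a baseline and a fresh snapshot."""
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p])}

def demo():
    """Constructed tree: take a baseline, tamper with it, return the report."""
    root = Path(tempfile.mkdtemp())
    try:
        (root / "passwd").write_bytes(b"root:x:0:0:root:/root:/bin/sh\n")
        (root / "old.conf").write_bytes(b"keep=1\n")
        if hasattr(os, "mkfifo"):              # the entry that hangs md5sum
            os.mkfifo(root / "fifo")
        baseline = snapshot(root)
        (root / "passwd").write_bytes(b"root:x:0:0:root:/root:/bin/sh\nevil:x:0:0::/:/bin/sh\n")
        (root / "new.sh").write_bytes(b"#!/bin/sh\n")   # constructed dropped-in file
        (root / "old.conf").unlink()
        return compare(baseline, snapshot(root))
    finally:
        shutil.rmtree(root)
```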
Further improvements
You can further improve a system's stability by using this program separately from the standard security system. If you do this, the program should be located in another directory, with different paths used for storing the temporary files and the source code. The presence of a monitoring system is then not evident to a malicious user and cannot easily be evaded.
Resources
About the author
Igor Maximov is a Web Developer and System Administrator of the softPilot.2000 project (CONSUL Bureau, Sevastopol, Ukraine). His focus is on new ideas in network security and Web programming. You can contact Igor at uniug@cris.net.