System Hardening (borrowed from the CLICS group)

Date posted: 19-Dec-2015
Category: Documents



Page 1

System Hardening

Borrowed from the CLICS group

Page 2

System Hardening

How do we respond to problems? (e.g. operating system deadlock)
- Detect
- (Detect and) Terminate
- Prevent

Security analogy: better to prevent than try to clean up

Page 3

System Hardening - Goals

Prevent intrusion on a particular system
Note: the idea can (and should) be applied to the network as well

Two main approaches:
1) Develop and ship in a hardened state
2) Harden after setup

Page 4

Security Certification Levels

Department of Defense, Trusted Computer System Evaluation Criteria (TCSEC)
Orange book – systems; Red book – systems/networks

Levels:
- Class D (minimal protection)
- Class C1 (discretionary security protection)
- Class C2 (controlled access protection)
- Class B1 (labeled security protection)
- Class B2 (structured protection)
- Class B3 (security domains)
- Class A1 (verified design)

Page 5

1) Hardening Before Shipping

- System architecture should be designed to prevent attacks/intrusion
- Configured for high security as the default
- System programmed defensively: assume any user could be unfriendly
- System is audited for security problems
- System built to contain known problems

Examples – operating system level:
- OpenBSD ( http://www.openbsd.org )
- SELinux ( http://www.nsa.gov/selinux )

Page 6

2) Hardening After Delivery

Techniques:

Configuration
Changing the system configuration to deal with security issues

Wrappers
Proxy programs that are run in place of the actual program; they check for certain problems before calling the original program (which is moved to a non-public directory)

Page 7

Wrapper Example

TCP Wrappers (Linux)
- Monitors and filters incoming requests for the SYSTAT, FINGER, FTP, TELNET, RLOGIN, RSH, EXEC, TFTP, TALK, and other network services
- Provides tiny daemon wrapper programs that can be installed without any changes to existing software or to existing configuration files
- The wrappers report the name of the client host and of the requested service
- Imposes no overhead on the actual conversation between the client and server applications
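The check-then-call behaviour described for wrappers on the previous page, and the filtering and client/service reporting attributed to TCP Wrappers here, can be shown in a small model. This is an added illustration, not code from the slides or from the TCP Wrappers (tcpd) source; the rule files HOSTS_ALLOW and HOSTS_DENY are constructed samples, and the service names (sshd, in.ftpd, in.telnetd), hosts and addresses in them are assumed for the example. It follows the tcpd precedence order (a hosts.allow match grants, otherwise a hosts.deny match refuses, otherwise access is granted) and supports the common client patterns ALL, a leading-dot domain suffix, and a network/netmask.

```python
import ipaddress

# Constructed sample rule files in the hosts.allow / hosts.deny format
# (daemon_list : client_list); these are illustrative, not from a real host.
HOSTS_ALLOW = """
sshd : 192.168.1.0/255.255.255.0
in.ftpd : .example.edu
ALL : 127.0.0.1
"""
HOSTS_DENY = """
ALL : ALL
"""

def _client_matches(pattern, client_host, client_ip):
    """One client pattern: ALL, a leading-dot domain suffix, net/mask, or exact."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):
        return client_host.endswith(pattern)
    if "/" in pattern:
        network = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(client_ip) in network
    return pattern in (client_host, client_ip)

def _any_rule_matches(rules, service, client_host, client_ip):
    """True if any (daemon_list : client_list) line covers this service and client."""
    for line in rules.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = (part.strip() for part in line.split(":", 1))
        daemon_list = daemons.replace(",", " ").split()
        if service not in daemon_list and "ALL" not in daemon_list:
            continue
        for pattern in clients.replace(",", " ").split():
            if _client_matches(pattern, client_host, client_ip):
                return True
    return False

def check_access(service, client_host, client_ip,
                 allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcpd precedence: hosts.allow match grants, else hosts.deny match refuses,
    else grant. Returns (granted, reason, log_line) naming client host and service."""
    log_line = f"{service}: connect from {client_host} [{client_ip}]"
    if _any_rule_matches(allow, service, client_host, client_ip):
        return True, "hosts.allow", log_line
    if _any_rule_matches(deny, service, client_host, client_ip):
        return False, "hosts.deny", log_line + " refused"
    return True, "no matching rule", log_line
```

The "ALL : ALL" line in the deny file is what turns this into a default-deny wrapper: only clients explicitly listed in the allow file ever reach the real daemon.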

Page 8

System Hardening Tools - Linux

Example: bastille ( http://www.bastille-linux.org )
- Script to help automate security changes in a number of areas (file transfer, mail, general configuration)
- Bastille --assessment
- Certain actions still have to be done manually
- Be careful not to turn off needed services accidentally
  E.g. don't disallow root access at the console unless you have other accounts you can use to gain superuser status

Page 9

System Hardening Tools (Windows)

Microsoft Baseline Security Analyzer
- More accurately a vulnerability analysis tool
- But its notes contain links and information that are very useful in system hardening
- Start/Programs/Microsoft Baseline Security Analyzer

Tools for specific applications
- E.g. Internet Information Server is a weak point
- IIS Lockdown Tool: C:\Tools\IISLockD

Page 10

Port/Service Closure - Linux

GUI interface utilities
- <RedHat icon> -> Server Settings -> Services
- Choose run-level (e.g. 3: without X; 5: with X)
- Remove services through checkboxes

Manually
- Directory hierarchy: /etc/rc.d
- Subdirectories for different run-levels, main script directory (init.d)

Page 11

Port/Service Closure - Windows

Add and remove services
- Start/Programs/Administrative Tools/Services

See processes currently running
- Task Manager (ctrl-alt-del), Processes tab