If the perpetrator is a non-authorized user, you have to make worst-case assumptions: the perpetrator has managed to become root, and system files and programs have been compromised.
The system administrator should find out who is responsible and what damage was done. The entire file system should be checked thoroughly, not just the SUID and SGID files and the device files. If system security has been damaged by a hostile user, take the following steps:
1. Shut the system down and reboot into single-user mode; do not enter multi-user mode.
2. Mount the installation medium (floppy disk) containing the original version of the UNIX system.
3. Copy the original /bin, /usr/bin, /etc and /usr/lib files into a temporary (staging) directory.
4. Compute checksums of all files in the staging directory (use the copy of the sum program from the original distribution, not /bin/sum) and compare them with the checksums of all the corresponding files on the system. Find the cause of every difference.
5. If a checksum differs because a new version of a program was installed, confirm that a new version really was installed. If the cause of a differing checksum cannot be found, replace the system command with the copy from the staging directory.
6. Until the system commands have been confirmed untampered, do not use the system's own commands. Use the shell from the staging directory, with PATH set so that commands are searched for only in the staging directory.
7. Check the access permissions of all system commands against the permissions of the files in the staging directory. Check the access permissions of all system directories; if perms is used, check whether the permlist file has been tampered with.
8. If the checksum of the kernel (/unix) differs from the original and the administrator has not modified the kernel, consider that an illegal kernel may have been installed, and reload the system from the original distribution.
9. The administrator can then restore user files from the file system backups step by step, but must check the restored files for "interesting" content; files must not be restored without checking.
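The staging-directory comparison from the steps above (and the stored-checksum variant described further on), as an added shell example that is not from the original text: it assumes POSIX cksum in place of sum(1), a SUM variable pointing at the trusted copy of the checksum program, and records paths relative to each tree so a baseline made in the staging directory can be compared with the live /bin.

```shell
#!/bin/sh
# Added example (not from the original text): checksum baseline of a system
# tree taken with a trusted checksum program, then comparison against a live
# tree. Assumes POSIX cksum in place of sum(1); paths are recorded relative to
# each tree so a baseline made in the staging directory matches the real /bin.
set -u
LC_ALL=C; export LC_ALL          # fixed collation so sort and comm agree

# SUM must point at the copy of the checksum program taken from the original
# distribution / staging directory, never the possibly replaced /bin one.
SUM="${SUM:-cksum}"

# make_baseline DIR OUT: one "crc size ./path" line per regular file in DIR
make_baseline() {
    ( cd "$1" && find . -type f | sort | while IFS= read -r f; do
        "$SUM" "$f"
    done ) > "$2"
}

# compare_baseline BASELINE DIR: prints CHANGED / MISSING / NEW lines and
# returns 0 only when the live tree matches the baseline exactly
compare_baseline() {
    tmp=$(mktemp -d)
    make_baseline "$2" "$tmp/cur"
    cut -d' ' -f3- "$1"       | sort > "$tmp/bp"   # baseline paths
    cut -d' ' -f3- "$tmp/cur" | sort > "$tmp/cp"   # current paths
    sort "$1" > "$tmp/bs"; sort "$tmp/cur" > "$tmp/cs"
    {
        comm -23 "$tmp/bp" "$tmp/cp" | sed 's/^/MISSING /'
        comm -13 "$tmp/bp" "$tmp/cp" | sed 's/^/NEW /'
        # present in both trees but with a different checksum line
        comm -23 "$tmp/bs" "$tmp/cs" | cut -d' ' -f3- | sort \
            | comm -12 - "$tmp/cp" | sed 's/^/CHANGED /'
    } > "$tmp/report"
    cat "$tmp/report"
    n=$(wc -l < "$tmp/report" | tr -d ' ')
    rm -rf "$tmp"
    [ "$n" -eq 0 ]
}

# Typical use on a compromised host (paths are hypothetical):
#   SUM=/staging/cksum make_baseline /staging/bin /secure/bin.sums
#   SUM=/staging/cksum compare_baseline /secure/bin.sums /bin
```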
Change all passwords on the system and notify users that their passwords have been changed and that they must get a new password from the system administrator. When users come for the new password, tell them that there has been a security incident and that they should check their own files and directories for lurking hazards (such as SUID files, Trojan horses and writable directories) and report anything unusual to the administrator. Try to determine how the security breach occurred; without a description from the perpetrator this may be impossible. If you cannot find out how the perpetrator entered the system, still try to close the security hole.

When the UNIX system is first installed, you can store the shell, the sum command and the checksums of all files on secure media (tape, floppy disk, removable hard disk, or any medium that can be removed and locked up). Then you need not reload files from the original distribution: mount the backup medium and use its shell and its sum to compare the stored checksums with the checksums of the current system files. The administrator may prefer to write a checksum program of their own, so that an intruder cannot know the algorithm; if the program and the checksums are stored on that locked-up medium, keeping them secret reduces to a physical security problem, i.e. simply locking them up.

9. Restricting the environment
(1) The restricted shell (rsh). The restricted shell is almost the same as the ordinary shell, but it is designed to limit the user's abilities and does not allow some of the behaviour the standard shell permits:
- the working directory cannot be changed (cd);
- the PATH and SHELL shell variables cannot be changed;
- a command name containing a "/" cannot be used;
- output cannot be redirected (> and >>);
- a program cannot be executed with exec.
At login the .profile file is interpreted first, and these restrictions are imposed only after that; if the user interrupts the .profile with the BREAK or DELETE key, the user is logged off.
With these simple constraints, the administrator, by writing the restricted user's .profile, has full control over which commands that user can use. Note that the System V restricted shell is not actually very secure; with hostile users do not use it, since System V Release 2 and later releases added a more secure restricted shell. But if restricted users are allowed certain commands (such as env, cp or ln), they will be able to escape the constraints of the restricted shell and enter an unrestricted shell.

(2) Restricting users with chroot(). If you really want to restrict a user, the chroot() system call can be used to build a completely isolated environment for the user. It changes the process's notion of the root directory, so a user can be confined to one subtree of the whole file system: the user cannot use cd to get out of that directory structure and cannot access any other file in the file system. This restriction is stricter than the restricted shell. The administrator must create a bin directory under the new root and fill it with the commands available to the user, by linking to the appropriate command files in the system's /bin (if the new root is on a different file system, copy the command files). A new passwd file should be created, keeping the system login accounts (so that ls -l in the restricted file system shows the correct login names) and the user's own account, but with the system accounts' password fields changed to NOLOGIN so that the restricted user cannot see the real encrypted passwords and any attempt to run a "decryption" program comes to nothing. A utmp file is needed because who uses it; it contains the list of users logged in to the system. A new /etc/profile should be created rather than linked, so that restricted users can be given different startup commands.
The terminal device files in /dev should be linked into the new /dev directory, because the who command produces its output by examining these files. In System V and later UNIX versions the login command has the chroot() function built in: if the login shell field (the last field) of a user's passwd entry is *, login calls chroot() to make the directory given in the login-directory field of that passwd entry the user's root directory, then calls exec() to run login again; the new login opens the passwd file of the new subsystem and logs in the user from there. chroot() does not confine root within the file system, so the commands given to a restricted user need careful consideration: a set-uid root program may give the user root ability. Set-uid programs should be kept to a minimum, and the commands given to users should be cleared of suid traps. Linking files saves disk space, but remember that when dealing with hostile users, linking system files (especially commands) into the chroot directory structure is very dangerous. If you build a restricted environment like this, be sure to test every command installed in the new /bin; some programs may have results the administrator did not anticipate. For these commands to work, the restricted file system must also contain supporting directories and files such as /tmp, /etc/termcap, /usr/lib/terminfo, /dev/mem, /dev/kmem, /dev/swap, the /dev file for the user's login tty, and /unix. Some programs do not run well in the subsidiary file system; if the spooler and network commands are copied into the restricted file system and the directory structures those commands are designed for are built there, they may run as well.