IT Auditing: Using Controls to Protect Information Assets
If you are new to the Unix world, it is helpful to obtain access to a Unix/Linux system while reading through this section. Try the commands out for yourself to become familiar with them.
Windows users can easily turn their machine into a Linux system without altering their Windows file system. Just download and burn one of the many bootable Linux CDs, such as the popular Knoppix (http://www.knoppix.org/), and boot into a full-featured Linux distribution. If you have a spare PC to work with, then consider visiting http://www.distrowatch.com and selecting "Major Distributions"; you'll find a wealth of information about the various free distributions available there.
Note: When you're learning these commands, remember that you can access help at any time by typing man <command name> for comprehensive help or <command name> --help for abbreviated help.
File System Layout, Navigation, and Permissions
The file system can be thought of as a tree, and the base of every tree is its root. So the root directory, designated "/," is the base from which other directories branch off. Every Unix system will have a root directory, but there will be some variance in what you find from there. Table 7-1 lists some common directories that you usually will find.
Directory | Description |
---|---|
/bin | Location of most of the system binaries (programs) |
/sbin | Contains binaries that are reserved for use by privileged accounts |
/etc | Contains system configuration files |
/boot | Contains location of the kernel in many systems |
/home | Typical location for user home directories |
/var | Contains information that programs need to keep track of as they run (such as the process ID on the system); usually contains log files as well |
/lib | System and application libraries; these aren't executed directly but are used by applications as they run. |
/opt | Many add-on packages will be installed here. |
/usr | Another place for user-added packages; often /usr will duplicate many of the top-level directories within itself, so you'll have /usr/etc, /usr/bin, etc. Documentation is often placed into /usr/share. |
/root | The home directory for the root account is often here. |
/tmp | Temporary directory that any user typically can access; often this is cleared when the system is booted. |
/mnt | Remote file systems may be mounted under this directory. |
/dev | Represents the concept that everything is a file; hence you will find device files in this directory representing the hardware in your system. |
/proc | This pseudo-file system doesn't exist on a physical disk, but it contains memory-resident information about both the processes running on a system and the system itself. |
There are some essential commands for navigating Linux and Unix file systems. These allow users at the command prompt to get their jobs done. The most essential commands are illustrated in Table 7-2 along with some common and helpful switches.
Command | Meaning | Description | Tips for Use |
---|---|---|---|
cd | Change directory | This command allows you to change your directory location like you would from the Windows command prompt. | cd ~ changes to the user's home directory. A single dot (.) signifies the current directory; two dots (..) signify the parent directory. |
ls | List directory contents | Lists the contents of a directory along with information such as ownership, permissions, file size, etc. when used with the -l option. | ls -l uses long listing format for the files within the directory. ls -ld provides the long listing format for the directory itself. ls -a lists all directory contents including hidden files. ls -R provides a recursive directory listing. |
pwd | Print working directory | This prints the current working directory to the screen. | Use this command when you copy screen output for an audit to show someone reviewing your work paper where you are on the system. |
more, cat, less | List file contents | Lists the contents of a file. | cat displays all the file's contents at once. more displays the file's contents one page at a time. less displays the file's contents one page at a time and allows backward navigation. |
ypcat | List NIS file contents | Lists the contents of a centralized NIS file. | Use this command if you're using NIS for centralized account management in order to display the contents of the NIS password and group files. |
su | Switch user | Allows a user to switch to another user ID. | This only works if you have "root" access or if you know the password of the account to which you wish to switch. |
Note that when navigating a *nix system, the presence or absence of the leading "/" in the path is very important and, if present, serves to anchor the path at the root directory. Thus, if you are currently in /usr, cd /bin and cd bin will take you to different places (/bin and /usr/bin, respectively). These are known as absolute or relative path names. The absolute path always starts with "/" and traces the entire path from the root directory. The relative path, with no leading "/," starts with the present directory.
File System Permissions
File and directory permissions are broken into separate user, group, and world permissions. Both files and directories have their own permission sets. You can see how this can get tricky, but remember that the most restrictive set of permissions wins every time. For example, if a file has world-read permissions but is restricted under its parent directory to disallow world-read permissions, then the world (meaning everyone) will not be able to read the file.
You will notice two ways these permissions are shown. Some places use three sets of rwx for read, write, and execute. The three sets are for the owner, group, and world. An example might be rwxr-xr--. This means that the file's owner has read, write, and execute permissions on the file, the owner's group has read and execute permissions, and everyone else has read permissions.
Other places use a three-digit number such as 754. This is identical to rwxr-xr-- and is shown in Figure 7-1. For those who never studied binary numbers, just remember that read is worth 4 points, write is worth 2, and execute is worth 1. Add them up for each set (i.e., owner, group, and world), and you have your permissions. Thus 754 is a way to say, "I don't mind if other people read this file and if those in my group run this file, but only I should be able to modify it."
Finally, it is important to note that file permissions are not completely independent of the permissions of the directory that contains the file. This interaction is illustrated in Table 7-3. For example, if you have rwx access to a file, but that file is sitting in a directory to which you have no access, then you will have no actual ability to do anything to the file.
File permissions (down) / directory permissions (across) | - | r | x | wx |
---|---|---|---|---|
- | No access | No access | No access | Delete file |
r | No access | No access | Read data | Delete file or read data |
w | No access | No access | Add to or clear data | Delete file or add to or clear data |
rw | No access | No access | Update data | Delete file or update data |
x | Can't execute | Can't execute | Execute | Delete file or execute |
Note that execute permissions on all parent directories back to "/" are required for operations on a file within that path. For example, suppose permissions are 777 on a file in /home/andrew, but permissions on the andrew directory itself are 700. Nonroot users other than Andrew therefore will not be able to read or delete that file.
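As an added example that is not from the book, the shell functions below turn an rwx string into the three-digit form using the 4/2/1 weights above, and walk every parent directory of a file with ls -ld (the command from Table 7-2) to find the directories that block world access, as in the /home/andrew case. The file path in the usage comment is an assumption.

```shell
#!/bin/sh
# symbolic_to_octal: turn a 9-character rwx string such as rwxr-xr-- into
# the three-digit form (754): read = 4, write = 2, execute = 1 per set.
symbolic_to_octal() {
    perms=$1
    result=""
    for start in 1 4 7; do
        triple=$(printf '%s' "$perms" | cut -c"$start"-"$((start + 2))")
        value=0
        case $triple in r??) value=$((value + 4)) ;; esac
        case $triple in ?w?) value=$((value + 2)) ;; esac
        # s (setuid/setgid) and t (sticky) still imply execute; the special
        # bits themselves are not reported by this function.
        case $triple in ??[xst]) value=$((value + 1)) ;; esac
        result="$result$value"
    done
    printf '%s\n' "$result"
}

# blocking_dirs: walk from the file's directory up to / and print every
# directory whose world (others) bits lack execute, i.e. every directory
# that stops a non-owner, non-group user from reaching the file at all.
# The mode string is taken from ls -ld (characters 1-10 of the first
# column), which works the same way on Linux, BSD and Solaris.
blocking_dirs() {
    dir=$(cd "$(dirname "$1")" && pwd) || return 1
    while :; do
        mode=$(ls -ld "$dir" | cut -c1-10)
        case $mode in
            d????????[xt]) ;;                       # others may traverse
            *) printf '%s %s\n' "$mode" "$dir" ;;   # traversal blocked here
        esac
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
}

# Usage (assumed path): sh check_perms.sh /home/andrew/report.txt
if [ $# -gt 0 ]; then
    mode=$(ls -ld "$1" | cut -c2-10)
    echo "file mode $mode = $(symbolic_to_octal "$mode")"
    echo "directories blocking world access:"
    blocking_dirs "$1"
fi
```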
Users and Authentication
Access to a Unix system typically is controlled by means of a username and password. This authentication information may be kept on the local file system, or it may be kept in a central location on the network, where many systems can access the same information. In the simplest case, where all the information is local, we typically would consider three files, /etc/passwd, /etc/shadow, and /etc/group.
Unix Password File (Table 7-4)
Field | Use |
---|---|
Account | Represents the user to the system. It is the name that is used when logging in. |
Password | Encrypted password, but note that it may be kept in /etc/shadow instead. This field may also contain an *, x, !, or other character. |
UID | Numeric user ID. |
GID | Numeric group ID for the user's primary group. |
GECOS | Optional field used to store arbitrary additional information about the account. A typical use would be the real name and/or employee ID of the user. |
Directory | Location of the user's home directory |
Shell | User's default shell. The shell is the command-line environment that interprets commands and passes them to the kernel. |
Lines in /etc/passwd have the format
account:password:UID:GID:GECOS:directory:shell
Unix Shadow File (Table 7-5)
Field | Use |
---|---|
Account | Name representing the user to the system. |
Password | Encrypted password. *LK* indicates that the account is locked. |
Lastchange | Number of days since the password was changed. |
Min | Minimum number of days allowed between password changes. |
Max | Maximum number of days allowed between password changes. |
Warn | Number of days before Max, at which point the user will be warned that he or she needs to change his or her password. |
Inactive | Number of days of inactivity after which the user's account will be disabled. |
Expired | Number of days since January 1, 1970, on which the account has been disabled. |
Reserved | An extra field that is not used. |
Lines in /etc/shadow have the format
account:password:lastchange:min:max:warn:inactive:expired:reserved
Unix Group File (Table 7-6)
Field | Use |
---|---|
Name | Name of the group. |
Password | Group password, if one is used. |
GID | Numeric group ID. |
Users | List of users who are members of the group, although members of the group who are assigned to it through their GID in /etc/passwd (see Table 7-4) won't necessarily be on this list. |
Lines in /etc/group have the format
name:password:GID:users
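The following script is an added example, not from the book, showing the checks an auditor typically runs over these three files using the field positions in Tables 7-4 to 7-6. The passwd, shadow and group contents are constructed for the example, and the account names backup and dbsvc are invented.

```shell
# Constructed sample files laid out as Tables 7-4 to 7-6 describe.
PASSWD_SAMPLE=$(mktemp); SHADOW_SAMPLE=$(mktemp); GROUP_SAMPLE=$(mktemp)
cat >"$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
andrew:x:1000:100:Andrew,Audit:/home/andrew:/bin/bash
backup:x:0:0:Legacy backup job:/var/backup:/bin/sh
dbsvc:x:1001:200:Database service:/var/lib/db:/sbin/nologin
EOF
cat >"$SHADOW_SAMPLE" <<'EOF'
root:$6$saltsalt$hashhashhash:19000:0:99999:7:::
andrew:$6$saltsalt$hashhashhash:19000:1:90:7:30::
backup::19000:0:99999:7:::
dbsvc:*LK*:19000:0:99999:7:::
EOF
cat >"$GROUP_SAMPLE" <<'EOF'
root:x:0:
users:x:100:dbsvc
dba:x:200:andrew
EOF

# Accounts other than root whose UID (field 3 of Table 7-4) is 0: each one
# is a second superuser and should be justified in the audit work paper.
extra_uid0() { awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"; }

# Accounts whose shadow password field (field 2 of Table 7-5) is empty:
# these can log in with no password at all.
empty_shadow_passwords() { awk -F: '$2 == "" { print $1 }' "$1"; }

# Accounts whose Max (field 5 of Table 7-5) is 99999, i.e. never expires.
never_expires() { awk -F: '$5 == 99999 { print $1 }' "$1"; }

# Full membership of a group: the names in the group file's users field
# plus every account whose primary GID in passwd matches (the caveat in
# Table 7-6). Printed sorted and space-separated on one line.
group_members() {
    pw=$1; gr=$2; name=$3
    gid=$(awk -F: -v g="$name" '$1 == g { print $3 }' "$gr")
    [ -n "$gid" ] || return 1
    {
        awk -F: -v g="$name" '$1 == g && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$gr"
        awk -F: -v id="$gid" '$4 == id { print $1 }' "$pw"
    } | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# On a live system, pass /etc/passwd, /etc/shadow and /etc/group instead.
echo "extra UID 0 accounts: $(extra_uid0 "$PASSWD_SAMPLE")"
echo "members of root group: $(group_members "$PASSWD_SAMPLE" "$GROUP_SAMPLE" root)"
```

Note that backup shows up as a member of the root group even though it is not listed in the group file, because its primary GID is 0.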
LDAP, NIS, or NIS+
In more complicated cases, credentials can be checked against an authentication database located on the network; typically, this is LDAP, NIS, or NIS+. You may be able to determine if one of these is used in preliminary discussions with the system administrator, or you may wish to look at the systems yourself.
Determine whether NIS, NIS+, or LDAP is used by looking at the line beginning with passwd in /etc/nsswitch.conf. The presence of nis, nisplus, or ldap indicates use of those protocols. These typically will be present in addition to files, which is for the local password file. You also may see compat, which enables the use of "+" and "−" in the local password file for NIS/NIS+. If compat mode is used, then a "+" at the beginning of a line in /etc/passwd would indicate that NIS/NIS+ is being used. Review of the passwd_compat entry in /etc/nsswitch.conf should allow you to distinguish between the two.
Note that local access can only show you everything you need to know about local Unix authentication. You may need more information to determine the effectiveness of a network authentication scheme such as NIS or LDAP. For these, you may wish to do a separate review of the given authentication infrastructure.
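An added example, not from the book, that reads the passwd and passwd_compat lines of nsswitch.conf and lists the "+" and "−" entries in the local password file. The nsswitch.conf and passwd contents below are constructed, including the admins netgroup.

```shell
# Constructed samples: a host that consults the local file, then NIS via
# compat, then LDAP.
NSSWITCH_SAMPLE=$(mktemp); PASSWD_SAMPLE=$(mktemp)
cat >"$NSSWITCH_SAMPLE" <<'EOF'
passwd:     compat ldap   # local file, then NIS via compat, then LDAP
group:      compat
hosts:      files dns
passwd_compat: nis
EOF
cat >"$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
andrew:x:1000:100:Andrew:/home/andrew:/bin/bash
+@admins::::::/bin/bash
-guest::::::
+::::::
EOF

# Sources named on the passwd: line of nsswitch.conf, e.g. "compat ldap",
# with any trailing comment removed.
passwd_sources() {
    awk '$1 == "passwd:" { sub(/#.*/, ""); $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# The subset of those sources that consult a network database.
network_sources() {
    for src in $(passwd_sources "$1"); do
        case $src in nis|nisplus|ldap) printf '%s ' "$src" ;; esac
    done | sed 's/ *$//'
}

# Value of the passwd_compat line, which says where compat's "+" entries
# are resolved; prints "unset" when the line is absent.
passwd_compat_source() {
    v=$(awk '$1 == "passwd_compat:" { print $2; exit }' "$1")
    printf '%s\n' "${v:-unset}"
}

# Account-field entries in the local passwd file that begin with + or -,
# i.e. the lines that include or exclude NIS/NIS+ users in compat mode.
compat_entries() { awk -F: '/^[+-]/ { print $1 }' "$1"; }

echo "passwd sources: $(passwd_sources "$NSSWITCH_SAMPLE")"
echo "network sources: $(network_sources "$NSSWITCH_SAMPLE")"
echo "compat entries served by: $(passwd_compat_source "$NSSWITCH_SAMPLE")"
echo "compat entries in passwd:"; compat_entries "$PASSWD_SAMPLE"
```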
Network Services
To understand areas of potential risk in your environment, it is critical to know the avenues by which a system can be accessed. In order to do this, you need to be able to determine what network services are enabled on the system. Most systems will have the netstat command available to show you this information. The most generic usage would be netstat -an, and this will list a lot of information. Services running on Transmission Control Protocol (TCP) ports that are listening for external connections usually will say LISTEN in the output. User Datagram Protocol (UDP) ports may say IDLE on some systems such as Solaris. On Linux, look for UDP ports that have a listed Remote Address of 0.0.0.0.
Once you have identified the open ports, you should determine what applications (often called daemons) are running on them. You often can determine this by mapping the port to the list of well-known ports maintained by IANA at http://www.iana.org/assignments/port-numbers. However, you should be aware that just because TCP port 25 is supposed to be for SMTP, there's no reason you can't run a web server on that port instead. If there's any question, ask the system administrator. You also may wish to use some of the tools listed in the "Tools and Technology" section later in this chapter that can automate the process of identifying open ports and the applications running on them.
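As an added example that is not from the book, this script extracts the listening sockets from a saved netstat -an capture using the LISTEN and 0.0.0.0 rules above and flags which are reachable from other hosts. The capture is constructed in Linux format; the port-to-name lookup assumes /etc/services, the system's local copy of the IANA assignments.

```shell
# Constructed netstat -an capture (Linux format).
NETSTAT_SAMPLE=$(mktemp)
cat >"$NETSTAT_SAMPLE" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51514          ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp        0      0 127.0.0.1:323           0.0.0.0:*
EOF

# Print "<proto> <port> <bound address> <scope>" for every listening socket:
# TCP lines whose state is LISTEN, and UDP lines whose foreign address is
# the wildcard (0.0.0.0:* or :::*). Scope says who can reach it:
# all-interfaces for a wildcard bind, loopback for 127.0.0.1 / ::1,
# one-interface otherwise.
listening_sockets() {
    awk '($1 ~ /^tcp/ && $6 == "LISTEN") || ($1 ~ /^udp/ && ($5 == "0.0.0.0:*" || $5 == ":::*")) {
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr == "0.0.0.0" || addr == "::") scope = "all-interfaces"
        else if (addr == "127.0.0.1" || addr == "::1") scope = "loopback"
        else scope = "one-interface"
        print $1, port, addr, scope
    }' "$1"
}

# Only the sockets reachable from other hosts, i.e. not bound to loopback.
exposed_sockets() { listening_sockets "$1" | grep -v ' loopback$'; }

# Name registered for a port in /etc/services (assumed present; it is the
# local copy of the IANA list); "unknown" when absent. The name is only a
# hint: confirm with the administrator which daemon actually holds the port.
service_name() {
    name=$(awk -v p="$1/$2" '$2 == p { print $1; exit }' /etc/services 2>/dev/null)
    printf '%s\n' "${name:-unknown}"
}

exposed_sockets "$NETSTAT_SAMPLE" | while read -r proto port addr scope; do
    echo "$proto/$port on $addr ($scope): $(service_name "$port" "${proto%6}")"
done
```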