
LINUX+ LAB SERIES (LX0-102)

Lab 9: Basic Security Administration

Document Version: 2015-09-24

This work by the National Information Security and Geospatial Technologies Consortium (NISGTC), and except where otherwise noted, is licensed under the Creative Commons Attribution 3.0 Unported License.

Development was funded by the Department of Labor (DOL) Trade Adjustment Assistance Community College and Career Training (TAACCCT) Grant No. TC-22525-11-60-A-48; The National Information Security, Geospatial Technologies Consortium (NISGTC) is an entity of Collin College of Texas, Bellevue College of Washington, Bunker Hill Community College of Massachusetts, Del Mar College of Texas, Moraine Valley Community College of Illinois, Rio Salado College of Arizona, and Salt Lake Community College of Utah.

This workforce solution was funded by a grant awarded by the U.S. Department of Labor's Employment and Training Administration. The solution was created by the grantee and does not necessarily reflect the official position of the U.S. Department of Labor. The Department of Labor makes no guarantees, warranties or assurances of any kind, express or implied, with respect to such information, including any information on linked sites, and including, but not limited to accuracy of the information or its completeness, timeliness, usefulness, adequacy, continued availability or ownership.


Contents

Introduction
Objective
Linux+ LX0-102 Exam Objectives
Lab Topology
Lab Settings
1 Finding Files with Special Permissions
2 Modifying Passwords and Password Aging
3 Discovering Open Ports
4 Establishing Limits on User Logins, Processes and Memory Usage
5 Configuring and Using sudo


Introduction

This lab provides guidance on performing Lab 9: Basic Security Administration of the Linux+ LX0-102 course, using a NETLAB+ system. By performing this lab, students will learn how to perform tasks related to maintaining system security.

Objective

The following tasks will be performed: security administration tasks that help keep a system secure.


Linux+ LX0-102 Exam Objectives

This lab will cover the topics for the following LX0-102 objectives:

110.1 Perform security administration tasks

1. Audit a system to find files with the suid/sgid bit set.
2. Set or change user passwords and password aging information.
3. Be able to use nmap and netstat to discover open ports on a system.
4. Set up limits on user logins, processes and memory usage.
5. Basic sudo configuration and usage.

The following is a partial list of the used files, terms, and utilities:

a. find
b. passwd
c. lsof
d. nmap
e. chage
f. netstat
g. sudo
h. /etc/sudoers
i. su
j. usermod
k. ulimit


Lab Topology


Lab Settings

The information in the table below will be used to complete the lab. Additional details will be provided within the task sections as required.

System               Username/Password
CentOS Server        sysadmin/netlab123
Ubuntu Server        sysadmin/netlab123
Fedora Workstation   sysadmin/netlab123
Ubuntu Workstation   sysadmin/netlab123
All Machines         root/netlab123


1 Finding Files with Special Permissions

In this task, you will use the find command to discover files that have special permissions, such as suid and sgid.

1. Click on the Fedora Workstation icon in the pod topology to launch the virtual machine.

2. The virtual machine will display a login screen. Make sure sysadmin is in the user field. Enter the password netlab123 and press Enter.


3. Once you have logged in, a terminal window may appear. If it does not, click on the Kickoff Application Launcher, the “f”, in the lower-left corner of the desktop. In the search bar, type konsole and click on Konsole, which will launch a terminal window:


4. Switch users to the root user to prevent error messages because of permission issues:

su -

netlab123

5. Execute a find command to locate all files with the suid permission set:

find / -perm -4000 -ls

Your output should be similar to the following:

Files that are suid and owned by the root user should be closely monitored, as they pose a potential security risk.


6. Execute a find command to locate all files with the sgid permission set:

find / -perm -2000 -ls

Your output should be similar to the following:

7. Run the exit command to exit from the root shell:

exit
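The two find commands above answer "what is setuid or setgid right now"; in practice the useful question is "what changed since the last audit". The following shell script is an added example, not part of the NISGTC lab: it wraps the same find test in a function that takes the directory to scan as an argument, records a sorted baseline, and reports only the files that were not in the baseline. The demonstration builds a constructed temporary tree and sets the bits on ordinary empty files, so it runs without root; on a real system you would pass / and keep the baseline file somewhere the audited host cannot modify.

```sh
#!/bin/sh
# Added example, not part of the NISGTC lab: audit a tree for setuid/setgid
# files and compare the result with a saved baseline so that a newly
# appearing privileged binary stands out. The lab runs "find /" as root;
# this version takes the root of the scan as an argument so it can be
# exercised on a constructed temporary tree without root privileges.

# Print the paths of setuid or setgid regular files below $1, sorted so that
# two scans can be compared line by line.
list_special_perms() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Print the setuid/setgid files below $1 that are absent from baseline file $2.
# Empty output means nothing new appeared since the baseline was recorded.
new_special_perms() {
    list_special_perms "$1" | comm -13 "$2" -
}

# Demonstration on a constructed tree (hypothetical paths, not a real system):
# record a baseline, then add one more setuid file and report the difference.
demo_suid_audit() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/bin"
    : > "$tmp/bin/normal";      chmod 0755 "$tmp/bin/normal"
    : > "$tmp/bin/setuid_tool"; chmod 4755 "$tmp/bin/setuid_tool"
    : > "$tmp/bin/setgid_tool"; chmod 2755 "$tmp/bin/setgid_tool"

    list_special_perms "$tmp" > "$tmp/baseline.txt"   # two entries recorded

    # A setuid file that appears after the baseline was taken.
    : > "$tmp/bin/later_added"; chmod 4755 "$tmp/bin/later_added"

    # Report new entries relative to the tree root, e.g. "/bin/later_added".
    new_special_perms "$tmp" "$tmp/baseline.txt" | sed "s|^$tmp||"
    rm -rf "$tmp"
}

demo_suid_audit
```

Because both the baseline and the fresh scan are sorted, comm -13 prints exactly the lines present only in the second input. A file that disappears from the baseline is not reported here; if you also want removals, use comm -23 with the same two inputs.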


2 Modifying Passwords and Password Aging

In this task, you will configure password aging policies.

1. Change the sysadmin password to p@$$2013 using the passwd command:

passwd

(current) UNIX password: netlab123

New password: p@$$2013

Retype new password: p@$$2013

Your output should be similar to the following:

2. Switch users to the root user to prevent error messages because of permission issues:

su -

netlab123


3. Set the password for the sysadmin user to netlab123 using the passwd command:

passwd sysadmin

New password: netlab123

Retype new password: netlab123

Your output should be similar to the following:

Although the password netlab123 is a bad choice because it is based upon a dictionary word, the root user is still allowed to set this password; an ordinary user would not be.

4. Use the chage command to view the password aging information for the sysadmin user:

chage -l sysadmin

Your output should be similar to the following:

The Last password change value shown below should match the current date, since the password for this user was just updated.


5. Set the maximum number of days between password changes to thirty days for the sysadmin user and list the password aging information again:

chage -M 30 sysadmin

chage -l sysadmin

Your output should be similar to the following:

The Password expires value shown below should now be a date that is thirty days from the current date.

6. Set the sysadmin account to expire December 31, 2020 with the chage command and list the password aging information again:

chage -E 12/31/2020 sysadmin

chage -l sysadmin

Your output should be similar to the following:


7. Set the sysadmin account to expire January 1, 2020 with the usermod command and list the password aging information again:

usermod -e 2020-01-01 sysadmin

chage -l sysadmin

Your output should be similar to the following:

8. Run the exit command to exit from the root shell:

exit
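chage -l reports the aging policy of one account at a time. The script below is an added example, not part of the NISGTC lab: it evaluates the same fields (last change, maximum age, account expiry) for every record in /etc/shadow format and prints a finding for each account that has no maximum password age, an expired password, an expired account, or an empty password field. The records are constructed sample data embedded in the script, with placeholder hashes, so it runs without root and touches no real account; "today" is passed in as a day count since 1970-01-01, which is how the shadow file itself stores dates.

```sh
#!/bin/sh
# Added example, not part of the NISGTC lab: audit password-aging fields in
# /etc/shadow format the way "chage -l" reports them, but for every account
# at once. Input is constructed sample data, so nothing here reads the real
# /etc/shadow (which needs root) or changes any account.
#
# Shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg and expire are counted in days since 1970-01-01; max 99999 means
# the password never expires, which is the default the lab changes with chage -M.

# Constructed records (hashes are placeholders, not real hashes).
SAMPLE_SHADOW='root:$6$placeholder:16700:0:99999:7:::
sysadmin:$6$placeholder:16700:0:30:7::18627:
guest::16000:0:99999:7:::
olduser:$6$placeholder:16000:0:90:7:::'

# Audit one record. $1 = shadow line, $2 = "today" in days since the epoch.
# Prints one finding per line; prints nothing when the record passes.
audit_shadow_record() {
    today=$2
    IFS=: read -r name hash lastchg min max warn inactive expire rest <<EOF
$1
EOF
    # An empty hash field allows login without a password.
    [ -z "$hash" ] && echo "$name: empty password field"
    # No maximum age: the password is never forced to rotate.
    [ "${max:-99999}" -ge 99999 ] && echo "$name: no maximum password age (chage -M not set)"
    # Maximum age set and already exceeded.
    if [ -n "$lastchg" ] && [ "${max:-99999}" -lt 99999 ] && [ $((lastchg + max)) -lt "$today" ]; then
        echo "$name: password expired $((today - lastchg - max)) days ago"
    fi
    # Account expiry date (chage -E / usermod -e) already in the past.
    if [ -n "$expire" ] && [ "$expire" -lt "$today" ]; then
        echo "$name: account expired"
    fi
    return 0
}

# Audit every record in SAMPLE_SHADOW against the given day number.
audit_shadow_sample() {
    printf '%s\n' "$SAMPLE_SHADOW" | while IFS= read -r rec; do
        audit_shadow_record "$rec" "$1"
    done
}

# Day 16800 is a constructed "today" (mid-2016) for the sample data.
audit_shadow_sample 16800
```

With today set to day 16800 the sample produces five findings: root and guest have no maximum age, guest also has an empty password field, and sysadmin and olduser have passwords past their maximum age. On a live system you would replace SAMPLE_SHADOW with the output of a root-only read of /etc/shadow and compute today as the number of days since the epoch.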


3 Discovering Open Ports

In this task, you will use utilities to determine which network ports are open on your system.

1. Use the following netstat command to list TCP ports that are listening (open to incoming connections). The following options will display the port name:

netstat -tl

Your output should be similar to the following:

2. Use the netstat command to list TCP ports that are listening (open to incoming connections). The following options will display the port number:

netstat -tln

Tip: The file /etc/services contains the names and port numbers of the most commonly used ports.


3. Display the port numbers of the UDP ports that are listening, using the netstat command:

netstat -uln

Your output should be similar to the following:

4. Switch users to the root user to prevent error messages because of permission issues:

su -

netlab123


5. Execute the lsof command to list open network files:

lsof -i

Your output should be similar to the following:

6. You may click the X in the upper-right corner to close the terminal window.

7. Close the Fedora Workstation remote pc window.
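Listing the open ports is only half of the task; the administrator also has to decide which of them belong there. The script below is an added example, not part of the NISGTC lab: it parses text in the format netstat -tln prints, extracts the protocol, bound address and port of every LISTEN entry, and reports any port that is not on an approved list. The netstat output and the approved-port list are constructed samples embedded in the script so that it runs offline; on a live system you would pipe the real netstat -tln output into unexpected_ports instead.

```sh
#!/bin/sh
# Added example, not part of the NISGTC lab: turn "netstat -tln" output into
# a list of listening TCP ports and flag any port that is not on an approved
# list. The input below is constructed sample output, so the check runs
# offline; on a live system pipe the real command in instead.

# Constructed "netstat -tln" output (hypothetical host, not a real capture).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN'

# Ports this host is expected to serve (constructed policy for the sample).
APPROVED_PORTS='22 25 80'

# Read netstat -tln style text on stdin; print "proto address port" for every
# LISTEN line. The port is the text after the last colon, which also handles
# IPv6 forms such as ":::80".
listening_ports() {
    awk '$NF == "LISTEN" {
        n = split($4, part, ":")
        port = part[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        print $1, addr, port
    }'
}

# Read netstat output on stdin; print the listeners whose port is not in the
# space-separated approved list $1.
unexpected_ports() {
    approved=" $1 "
    listening_ports | while read -r proto addr port; do
        case "$approved" in
            *" $port "*) ;;                      # approved, stay quiet
            *) echo "$proto $addr $port" ;;      # not in policy: report it
        esac
    done
}

# Run the check on the constructed sample.
check_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_ports "$APPROVED_PORTS"
}

check_sample
```

For the sample the only report is "tcp 0.0.0.0 8080". The bound address matters as much as the port: a service on 127.0.0.1 only accepts local connections, while 0.0.0.0 or :: is reachable from every interface, so the report keeps the address next to the port rather than collapsing to a bare port list.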


4 Establishing Limits on User Logins, Processes and Memory Usage

In this task, you will configure PAM (Pluggable Authentication Modules), which the root user can use to limit system resources such as the maximum number of logins, the maximum number of simultaneous processes and the maximum memory usage.

1. Click on the CentOS Server icon in the pod topology to launch the virtual machine.

2. The virtual machine will display a login screen. Click on sysadmin and enter the password netlab123.


3. Once you have logged in, open a terminal by clicking on Applications, then System Tools, and finally selecting Terminal:

4. Switch to the root user in the terminal window that opens:

su -

netlab123


5. Use the following more command to review the /etc/security/limits.conf file to remind yourself of its functionality:

more /etc/security/limits.conf

Your output should be similar to the following:

You can also execute the following command to learn more about this file:

man limits.conf

6. Use the following command to make a copy of the /etc/security/limits.conf file, in case you accidentally modify the file incorrectly during this lab:

cp /etc/security/limits.conf /tmp


7. Execute the following echo command to add a line to /etc/security/limits.conf file that will limit the sysadmin user to being able to have only one active login to the system at a time. Verify your work with the tail command:

echo 'sysadmin - maxlogins 1' >> /etc/security/limits.conf

tail /etc/security/limits.conf

Your output should be similar to the following:

The limits that we will be establishing are enforced by a feature called Pluggable Authentication Modules (PAM).

8. Limit the maximum number of all active logins on the system to ten users by executing the following echo command. Verify your work with the tail command:

echo '* - maxsyslogins 10' >> /etc/security/limits.conf

tail /etc/security/limits.conf

Your output should be similar to the following:


9. Limit the number of processes that the sysadmin user can have running. Set a soft limit of 50 and a hard limit of 200 processes. Execute the following echo command and then verify your work with the tail command:

echo 'sysadmin soft nproc 50' >> /etc/security/limits.conf

echo 'sysadmin hard nproc 200' >> /etc/security/limits.conf

tail /etc/security/limits.conf

Your output should be similar to the following:

10. Limit the amount of memory that the sysadmin user can lock into RAM. Set a soft limit of 10000 and a hard limit of 20000 kilobytes. Execute the following echo commands and then verify your work with the tail command:

echo 'sysadmin soft memlock 10000' >> /etc/security/limits.conf

echo 'sysadmin hard memlock 20000' >> /etc/security/limits.conf

tail /etc/security/limits.conf

Your output should be similar to the following:


11. View all the limits for the root user with the ulimit command:

ulimit -a

12. Switch users back to the sysadmin user. Do not simply exit back to the existing sysadmin shell: the new limits do not take effect for a user who is already logged in, so you need to "log in again" with the su command to see the changes. View the limits of the sysadmin user with the ulimit command:

su - sysadmin

ulimit -a


13. View only the limit on the number of processes. Raise the limit to the maximum (which you set to 200 in the /etc/security/limits.conf file) and view the limit again.

ulimit -u

ulimit -u 200

ulimit -u

14. Now, try to go beyond that hard limit. Note that this is expected to fail, because a user cannot raise a limit above the hard limit:

ulimit -u 201

15. You may click the X in the upper-right corner to close the terminal window.

16. Close the CentOS Server remote pc window.
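Appending lines to /etc/security/limits.conf with echo works, but nothing checks the result, and a soft limit written above its hard limit is silently wrong: setrlimit() rejects a soft value larger than the hard value, so pam_limits cannot apply such a pair. The script below is an added example, not part of the NISGTC lab: it writes entries in the same four-field format through a helper, reports any domain/item whose soft limit exceeds its hard limit, and shows the soft and hard values that would apply to a given user for a given item. Every function takes the file path as an argument, so the demonstration writes the lab's six entries plus one constructed bad pair to a temporary file rather than to the real limits.conf. One simplification is assumed: only user names and the "*" wildcard are resolved, not @group domains.

```sh
#!/bin/sh
# Added example, not part of the NISGTC lab: manage /etc/security/limits.conf
# entries through a small set of shell functions instead of raw echo, and
# check the file for a soft limit that exceeds its hard limit (setrlimit()
# rejects such a pair, so pam_limits cannot apply it). All functions take the
# file path as an argument, so the demonstration below writes to a temporary
# file rather than the real /etc/security/limits.conf.
# Simplification (assumption): only user names and the "*" wildcard are
# resolved; @group domains are not expanded.

# Append one entry: add_limit FILE DOMAIN TYPE ITEM VALUE
add_limit() {
    printf '%s %s %s %s\n' "$2" "$3" "$4" "$5" >> "$1"
}

# Print "domain item soft hard" for each domain/item whose numeric soft limit
# is larger than its hard limit. Empty output means the file is consistent.
check_limits() {
    awk '/^[ \t]*#/ || NF != 4 { next }
        {
            key = $1 SUBSEP $3
            if ($2 == "soft" || $2 == "-") soft[key] = $4
            if ($2 == "hard" || $2 == "-") hard[key] = $4
        }
        END {
            for (k in soft)
                if ((k in hard) && soft[k] ~ /^[0-9]+$/ && hard[k] ~ /^[0-9]+$/ && soft[k] + 0 > hard[k] + 0) {
                    split(k, p, SUBSEP)
                    print p[1], p[2], soft[k], hard[k]
                }
        }' "$1" | sort
}

# Print "soft hard" for item $3 as it applies to user $2 according to file $1.
# A line naming the user overrides a "*" line; later lines override earlier ones.
effective_limit() {
    awk -v user="$2" -v item="$3" '
        /^[ \t]*#/ || NF != 4 || $3 != item { next }
        $1 == user { if ($2 != "hard") us = $4; if ($2 != "soft") uh = $4 }
        $1 == "*"  { if ($2 != "hard") ws = $4; if ($2 != "soft") wh = $4 }
        END {
            s = (us != "") ? us : ws
            h = (uh != "") ? uh : wh
            if (s != "" || h != "") print s, h
        }' "$1"
}

# Write the entries from the lab into $1, plus one constructed inconsistent
# pair (nofile) that the checker should catch.
write_sample_limits() {
    : > "$1"
    add_limit "$1" sysadmin - maxlogins 1
    add_limit "$1" '*' - maxsyslogins 10
    add_limit "$1" sysadmin soft nproc 50
    add_limit "$1" sysadmin hard nproc 200
    add_limit "$1" sysadmin soft memlock 10000
    add_limit "$1" sysadmin hard memlock 20000
    add_limit "$1" sysadmin soft nofile 8192     # constructed error: soft > hard
    add_limit "$1" sysadmin hard nofile 4096
}

f=$(mktemp)
write_sample_limits "$f"
echo "inconsistent entries:"; check_limits "$f"
echo "nproc for sysadmin:";   effective_limit "$f" sysadmin nproc
rm -f "$f"
```

For the sample file check_limits prints "sysadmin nofile 8192 4096" and nothing else, and effective_limit reports "50 200" for nproc, matching what ulimit -u shows in steps 12 and 13 once the user has logged in again. Running the checker before logging out is the point: a mistake in limits.conf is cheaper to find from the file than from a login that unexpectedly refuses to start processes.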


5 Configuring and Using sudo

In this task, you will configure sudo, a utility that allows users to execute commands as other users. This utility is typically used to allow a regular user to execute specific commands as the root user.

1. Click on the Fedora Workstation icon in the pod topology to launch the virtual machine.

2. The virtual machine will display a login screen. Make sure sysadmin is in the user field. Enter the password netlab123 and press Enter.


3. Once you have logged in, a terminal window may appear. If it does not, click on the Kickoff Application Launcher, the “f”, in the lower-left corner of the desktop. In the search bar, type konsole, and click on Konsole, which will launch a terminal window:


4. Switch users to the root user to prevent error messages because of permission issues:

su -

netlab123

5. Verify that the wheel group has permissions in the /etc/sudoers file by executing the following grep command:

grep wheel /etc/sudoers

Tip: Updating /etc/sudoers to grant sudo access to users based upon membership in the wheel group is an efficient way to change this configuration file. Users can now be granted or denied sudo access simply by either adding them or removing them from the wheel group.

6. Modify the sysadmin user to be a member of the wheel group and verify the membership:

usermod -aG wheel sysadmin

grep wheel /etc/group

Your output should be similar to the following:


7. Switch to the sysadmin account and verify your group membership with the id command. In the following steps you will use sudo to execute tail to view the /var/log/secure file, which requires root access. Notice that running sudo commands less than five minutes apart does not require the user to authenticate with their password again:

su - sysadmin

id

Your output should be similar to the following:

8. Attempt to view the /var/log/secure file with the following command. This command will fail as you need root access to view this file:

tail -3 /var/log/secure


9. Now use sudo to execute tail to view the /var/log/secure file. The password that sudo requests is the sysadmin password, not the root password:

sudo tail -3 /var/log/secure

netlab123

10. Click the X in the upper-right corner to close the terminal window.

11. Close the Fedora Workstation remote pc window.

12. Click the I'm Done button to end the reservation.
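Steps 5 and 6 grant sudo access indirectly: the /etc/sudoers rule names the wheel group, and /etc/group decides who is in it, so answering "what can sysadmin run through sudo, and why?" means reading both files together. The script below is an added example, not part of the NISGTC lab: it parses sudoers-style rules and /etc/group-style membership, lists the rules that apply to a given user either directly or through a group, and separately reports any rule that grants NOPASSWD: ALL, which is the first thing a reviewer of /etc/sudoers looks for. Both inputs are constructed samples embedded in the script, so it runs offline and touches neither real file; only the common "who HOST=(runas) [NOPASSWD:] command" rule form is handled, and aliases and includes are not (an assumption of this example).

```sh
#!/bin/sh
# Added example, not part of the NISGTC lab: answer "what can this user run
# through sudo, and why?" from sudoers-style rules and /etc/group-style
# membership, the two files the lab edits. Both inputs are constructed
# samples embedded here, so nothing touches the real /etc/sudoers or
# /etc/group. Only the common "who HOST=(runas) [NOPASSWD:] command" rule
# form is parsed; aliases and includes are not handled (assumption).

# Constructed sudoers rules (hypothetical policy, not a real file).
SAMPLE_SUDOERS='## constructed sample, not a real sudoers file
Defaults    requiretty
root     ALL=(ALL)   ALL
%wheel   ALL=(ALL)   ALL
%deploy  ALL=(root)  NOPASSWD: /usr/bin/systemctl restart app
backup   ALL=(root)  NOPASSWD: ALL'

# Constructed /etc/group lines (the lab adds sysadmin to wheel with usermod -aG).
SAMPLE_GROUP='wheel:x:10:sysadmin,alice
deploy:x:1001:bob'

# Read /etc/group-format lines on stdin; print each group that lists user $1
# as a supplementary member.
groups_of() {
    awk -F: -v user="$1" '{
        n = split($4, member, ",")
        for (i = 1; i <= n; i++) if (member[i] == user) print $1
    }'
}

# Read sudoers-format text on stdin; print "who PASSWD|NOPASSWD command" per
# rule, skipping comments, blank lines and Defaults entries.
sudo_rules() {
    awk 'NF == 0 || $1 ~ /^#/ || $1 == "Defaults" { next }
        {
            who = $1
            cmd = $0
            sub(/^[^=]*=[ \t]*\([^)]*\)[ \t]*/, "", cmd)   # drop "who HOST=(runas) "
            tag = "PASSWD"
            if (cmd ~ /^NOPASSWD:/) { tag = "NOPASSWD"; sub(/^NOPASSWD:[ \t]*/, "", cmd) }
            print who, tag, cmd
        }'
}

# Print the rules that apply to user $1, either directly or through one of the
# groups named in SAMPLE_GROUP.
user_sudo_rules() {
    user=$1
    grps=$(printf '%s\n' "$SAMPLE_GROUP" | groups_of "$user")
    printf '%s\n' "$SAMPLE_SUDOERS" | sudo_rules | while read -r who tag cmd; do
        if [ "$who" = "$user" ]; then
            echo "$who $tag $cmd"
        else
            for g in $grps; do
                if [ "$who" = "%$g" ]; then echo "$who $tag $cmd"; fi
            done
        fi
    done
}

# Print every rule that grants unrestricted, password-less root.
passwordless_all() {
    printf '%s\n' "$SAMPLE_SUDOERS" | sudo_rules | awk '$2 == "NOPASSWD" && $3 == "ALL"'
}

echo "sysadmin:"; user_sudo_rules sysadmin
echo "bob:";      user_sudo_rules bob
echo "NOPASSWD ALL rules:"; passwordless_all
```

For the sample, sysadmin gets "%wheel PASSWD ALL", which is exactly the combination steps 5 and 6 create, and the only password-less unrestricted rule is the constructed backup entry. On a live system, visudo -c validates the syntax of /etc/sudoers and sudo -l shows the effective rules for the invoking user; this script is for reading a copy of the files offline, for instance during a review.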