Lab: Config and Pruning and Grafting

This lab deals with a few config and fortification steps, postponing hardening etc. to later labs.

1. Recognize that out of the box installations of OS are insecure.
2. Examine a Linux installation for what needs to be pruned. Reducing the installed footprint is considered a reduction of attack surface.
3. We also need to be proactive in observing suspicious events and take action.

1. This lab is not net-centric; so there is no need for the NetUtils setup.
2. This lab asks for a certain number of fixes in the categories of (i) properly configured, and (ii) fortified, (iii) postponing hardening to a later lab.
3. Write the fixes you suggest as a bash script named configProperly.sh that can be applied by root. Include these scripts as appendices to the lab report. These scripts can include commands such as wget URL or apt-get install/remove package. You are welcome to use a scripting language other than bash; change the file name extension accordingly.
4. Should you be unable to find such fixes, report on what you discovered, and stake a claim that the Linux distribution you chose was "so perfect". If we discover otherwise, you will earn corresponding negative points.

1. Install a Linux distribution of your choice, that you are able to modify at will.
   1. This can be the multiboot USBD you created in an earlier lab. You will need to mount the system rw (read-and-write). The so-called frugal-install can be mounted rw, but requires know-how not covered in the lectures.
   2. The ISO loop-mount based installs will-not do.
   3. The easiest is to install an Ubuntu family distro, onto a USBD as if it is a HDD. You will need a USB drive of 8 GB or higher capacity.
   4. Should you wish to work with non-Ubuntu distros, adapt the details given below appropriately.
2. Establish at least 5 ordinary users with names and passwords of your choice. Learn how to to do this as a script. Include the script in your submission.
3. We will refer to this installation as LXU. Boot the PC into LXU. Login as needed. Login as an ordinary user or as root.

1. Take five examples as-is from LXU and explain file and process ownership DAC ideas.
2. Find and report all files with peculiar permissions. Examples: (i) no permissions given --- --- ---, (ii) executable but not readable, (iii) readable for group and others but not the owner, (iv) unsearchable directories, etc.
3. Files and directories whose names begin with a dot are unlisted by ls unless -a flag is used. Find and report all such files and directories whose size is larger than 10 MB.
4. Should root be allowed to login? Ubuntu/ Debian do not assign a passwd to root. Discuss the pro/cons of this choice.
5. How will you assign a password to root?
6. What is the purpose of /etc/securetty? The default installed has many unnecessary entries. Trim it.

1. AppArmor is a Mandatory Access Control (MAC) system. This is installed by default on Ubuntu systems. Related files are at /etc/apparmor*.
2. Install Google Chrome browser for Linux. Develop an AppArmor profile for Google Chrome based on the /etc/apparmor.d/usr.bin.firefox profile. This should be your own work. Include appropriate citations. Do not submit cut-n-paste of what you may find by googling.

1. The /etc/sudoers file has a line

   root ALL=(ALL:ALL) ALL
   
   

   Suppose we delete this line. What privileges does the root user lose?

2. Out of the 5 users you created (let us call them U1 .. U5), permit two users, U1 and U2, to be able to mount, umount but no other priviledged commands. Assign two users U3 and U4 to group sudo. Make appropriate changes so that U5 can do everything that root can. Explain your work. Include the revised /etc/sudoers in the lab pdf.

3. Discover all suid scripts and programs on LXU. The following examines only /bin.

   find /bin -user root -perm -4000
   
   

4. For five of these, write a paragraph either defending its presence or suggesting its suid status removal.
5. Does rewriting scripts into programs improve security? Discuss.

1. Take stock of what software is installed on LXU.
2. Starting from LXU, uninstall at least two packages, without breaking the installation. Imagine that LXU is intended for use only in support of this course. Why did you choose the two?

1. Linux records various logs in /var/log/*. There is a log rotation system. To be aware of the logs manually is a tedious task. There are several log analyses tools that help. See e.g.,
   1. https://www.tecmint.com/best-linux-log-monitoring-and-management-tools/
   2. http://www.pinoylinux.org/system-adminstration/open-source-sysadmin-resources/ Monitoring and Security sections
2. Install and experience a tool of your choice that analyzes log reports found in /var/log/.
3. Install the monitoring tool: apt install auditd and then reaad man auditd . For an example ruleset, read https://security.stackexchange.com/questions/4629/
4. The auditd package ships with some example configuration files based on a few standards. They can be found at /usr/share/doc/auditd/examples/. Tailor one example to suit the needs of this course, as you see fit.

1. https://sourceforge.net/projects/bastille-linux/ Bastille Linux is a script which enhances the security of a Linux box, by configuring daemons, system settings and firewalling. It functions on most major Linux distributions, but has been inactive for years.
2. Make this run properly on LXU and submit the report it generates.

1. Linux systems have not generally experienced virus attacks. But, worm attacks, backdoors and rootkits have happened enough times.
2. Defend your LXU by installing a rootkit detector and schedule its runs periodically.
3. Ex: chkrootkit, rkhunter

1. https://packetstormsecurity.com/ is a whitehat site that hosts the sources of several exploits and attacks for research.
2. Find a rootkit source package and make it work within LXU.
3. E.g., Vlany is a Linux 2016 rootkit "that provides process hiding, user hiding, network hiding, LXC container, anti-debug, anti-forensics, persistent reinstalls, dynamic linker modifications, backdoors, and more."