Lab: Configuring a System Properly

1 Educational Objectives

Millions of machines connected to the Internet are personal machines running Windows and Linux with little supervision from system administrators. These have become targets of script kiddies. This lecture and the associated lab experiment are intended to help configure personal systems running Linux.

Objectives

  1. Examine a Linux installation for what needs to be properly configured, postponing fortification and hardening to later labs.
  2. Recognize that out-of-the-box OS installations are insecure.
  3. Know the typical problem spots.

2 Background

  1. This lab is not net-centric; so there is no need for the NetUtils setup.
  2. This lab asks for a certain number of fixes in the categories of (i) properly configured, (ii) fortified, and (iii) hardened [postponed to a later lab].
  3. Write the fixes you suggest as a bash script named configProperly.sh that can be applied by root. Include these scripts as appendices to the lab report. These scripts can include commands such as wget URL or apt-get install/remove package. You are welcome to use a language other than bash; change the file name extension accordingly.
  4. Should you be unable to find such fixes, report on what you discovered, and stake a claim that the Linux distribution you chose was "so perfect". If we discover otherwise, you will earn corresponding negative points.
  5. Required Reading and Recommended Reading: See References.

3 Lab for 201x CEG 4420/6420

This lab gets you started on proper config. It is not exhaustive.

  1. Task: Install a Linux Distro
  2. Task: DAC Examples
  3. Task: Configure /etc/sudoers
  4. Task: Examine suid Programs
  5. Task: AppArmor and Google Chrome

4 Tasks

4.1 Task: Install a Linux Distro

  1. You will need a USB drive of 8 GB or higher capacity. Install a Linux distribution of your choice, but within the Ubuntu family, onto the USB drive as if it were an HDD.
    1. This can be the multiboot USBD you created in an earlier lab. You will need to mount the system read-and-write. The so-called frugal-install or ISO based installs will not do.
    2. Should you wish to work with non-Ubuntu distros, adapt the following appropriately.
  2. Establish at least 5 ordinary users with names and passwords of your choice. Learn how to do this as a script. Include the script in your submission.
  3. We will refer to this installation as LXU. Boot the PC into LXU. Login as needed, as an ordinary user or as root.

4.2 Task: DAC Examples

  1. Take five examples as-is from LXU and explain DAC ideas.

4.3 Task: File Permissions, Etc

  1. Find and report all files with peculiar permissions. Examples: no permissions given --- --- ---, executable but not readable, readable for group and others but not the owner, unsearchable directories, etc.
  2. Files and directories whose names begin with a dot are unlisted by ls unless -a flag is used. Find and report all such files and directories whose size is larger than 10 MB.
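
An added example, not part of the original handout: one way to search a tree for the oddities listed in this task, using octal `-perm` tests. It assumes GNU find as shipped on Ubuntu; the tag names in the output and the script name in the usage comment are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the lab handout): audit one tree for the
# oddities named in Task 4.3. find's -perm inspects the mode bits
# themselves, so the report is the same whether or not root runs it.

audit_perms() {
    root=$1

    # --- --- --- : no permission bits set at all
    find "$root" -xdev ! -type l -perm 0000 -print | sed 's/^/NOPERM /'

    # owner may execute but not read
    find "$root" -xdev -type f -perm -0100 ! -perm -0400 -print |
        sed 's/^/EXEC_NOT_READ /'

    # group and others may read, the owner may not
    find "$root" -xdev -type f -perm -0044 ! -perm -0400 -print |
        sed 's/^/GO_READ_NOT_OWNER /'

    # directory the owner cannot search (no x bit)
    find "$root" -xdev -type d ! -perm -0100 -print |
        sed 's/^/UNSEARCHABLE_DIR /'

    # dot files over 10 MiB (find rounds sizes up to whole MiB)
    find "$root" -mindepth 1 -xdev -type f -name '.*' -size +10M -print |
        sed 's/^/HIDDEN_BIG_FILE /'

    # dot directories: sum the contents with du (KiB), keep > 10 MiB
    find "$root" -mindepth 1 -xdev -type d -name '.*' -exec du -sk {} \; |
        awk '$1 > 10240 { sub(/^[0-9]+\t/, ""); print "HIDDEN_BIG_DIR " $0 }'
}

# Usage: sh audit_perms.sh /home   (the script name is hypothetical)
if [ "$#" -gt 0 ]; then
    audit_perms "$1"
fi
```

Run it as root so that find can descend into directories an ordinary user cannot read.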

4.4 Task: Check for Weak Logins

  1. No password should be breakable within an hour. List the names and plain text passwords of such users. Assume you are root.
  2. Should root be allowed to login? Ubuntu/Debian do not assign a password to root. Discuss the pros/cons of this choice.
  3. How will you assign a password to root?
  4. What is the purpose of /etc/securetty? The default installed has many unnecessary entries. Trim it.

4.5 Task: Configure /etc/sudoers

  1. The /etc/sudoers file has a line

    root    ALL=(ALL:ALL) ALL

    Suppose we delete this line. What privileges does the root user lose?

  2. Out of the 5 users you created (let us call them U1 .. U5), permit two users, U1 and U2, to be able to mount, umount only.
  3. Assign two other users (U3 and U4) to group sudo.
  4. Make appropriate changes so that U5 can do everything that root can.
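
An added example, not part of the original handout: the three user rules above staged as a sudoers drop-in and syntax-checked with `visudo -cf` before installation, so a typo cannot lock sudo. The login names u1..u5, the alias names and the file name lab-config are assumptions, as is the stock Ubuntu `/etc/sudoers` including `/etc/sudoers.d`.

```shell
#!/bin/sh
# Added example (not from the lab handout): stage the Task 4.5 rules as a
# sudoers drop-in and syntax-check them before installing.
# u1..u5 are assumed login names standing in for U1..U5.

sudoers_rules() {
    # Resolve the real binaries; sudoers needs absolute paths.
    mount_bin=$(command -v mount) || mount_bin=/usr/bin/mount
    umount_bin=$(command -v umount) || umount_bin=/usr/bin/umount
    cat <<EOF
# U1, U2: mount and umount only, run as root
User_Alias LAB_MOUNTERS = u1, u2
Cmnd_Alias LAB_MOUNT = $mount_bin, $umount_bin
LAB_MOUNTERS ALL = (root) LAB_MOUNT
# U5: same rule shape as the stock root line
u5 ALL=(ALL:ALL) ALL
EOF
}

install_rules() {            # $1 = target, e.g. /etc/sudoers.d/lab-config
    tmp=$(mktemp) || return 1
    sudoers_rules > "$tmp"
    # Refuse to install a file that sudo would reject.
    if command -v visudo >/dev/null 2>&1 && ! visudo -cf "$tmp" >/dev/null; then
        rm -f "$tmp"; return 1
    fi
    install -m 0440 "$tmp" "$1"; rc=$?
    rm -f "$tmp"
    return "$rc"
}

add_sudo_group_members() {   # U3, U4: membership in the existing sudo group
    for u in u3 u4; do usermod -aG sudo "$u" || return 1; done
}

# Apply only when asked to, and only as root.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" -eq 0 ]; then
    install_rules /etc/sudoers.d/lab-config && add_sudo_group_members
fi
```

The first rule places no restriction on the arguments passed to mount and umount; narrowing it to specific devices and mount points is a separate decision for the report.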

4.6 Task: Examine suid Programs

  1. Make a list of suid root programs. The following examines only /bin.

    find /bin -user root -perm -4000 -exec ls -li {} \; >/tmp/suid-bin.txt

  2. For five of these, write a paragraph either defending its presence or suggesting its suid status removal.

4.7 Task: AppArmor and Google Chrome

  1. AppArmor is a Mandatory Access Control (MAC) system. This is installed by default on Ubuntu systems. Related files are at /etc/apparmor*. Read What Is AppArmor, and How Does It Keep Ubuntu Secure? by Chris Hoffman on September 28th, 2016.
  2. Install Google Chrome browser for Linux. Develop an AppArmor profile for Google Chrome based on the /etc/apparmor.d/usr.bin.firefox Firefox profile. This should be your own work. Include appropriate citations. Do not submit cut-n-paste of what you may find by googling.

4.8 Task: [Bonus Task] Revive Bastille Linux Script

  1. https://sourceforge.net/projects/bastille-linux/ Bastille Linux is a proper config and Reporting/Auditing Program which enhances the security of a Linux box, by configuring daemons, system settings and firewalling. It currently functions on most major Linux distributions and HP-UX. [Has been inactive for years.]
  2. Make this run properly on LXU and submit the report it generates.
  3. Recommended Reading: https://www.symantec.com/connect/articles/bastille-linux-walkthrough 2000

5 TurnIn

  1. Submit on Pilot into the folder L4 Config Properly
  2. The Lab Report should include a section that describes the chosen LXU briefly, and a detailed section explaining the rationale behind the changes (what and why) you suggest.

6 References

  1. See the references of Proper Configuration.

7 End


Copyright © 2017 www.wright.edu/~pmateti • 2017-09-20