
LinuxCBT Key Files Edition

1. The document discusses key files and directories that are present on Linux systems including '/boot', '/etc/inittab', '/etc/init.d/', '/etc/rc.*', '/proc/', '/usr/sbin/', '/etc/sysctl.conf', and '/etc/xinetd.conf'. 2. It provides details on the contents and purpose of files in these locations that are important for the core functionality and security of the system. 3. Checks are recommended to validate the integrity of these critical files through checksums and using tools like AIDE to monitor for unauthorized changes.

Uploaded by

Michael T

1. Key files && directories that are present across-the-board on Linux systems
2. Pertains to security due to the sensitive nature of the files
Note: Files also pertain to directories (d---------)
'/boot' - Present on all Linux systems
Features:
1. Houses Kernel
2. INITRD || INITRAMFS - (Present on modern implementations)
3. GRUB & related files
4. Post-BIOS, '/boot' is consulted for various stages of boot
5. Typically is provisioned as a dedicated partition to ensure the system boots
6. Traditionally, '/boot' or the BOOT environment for various OSs has been abstracted|separated from other volumes, i.e, Windows (C:(OS)...(Exchange || MS SQL) || etc.)
Files:
1. 'config' - Kernel configuration options (Options used to compile the Kernel)
'uname -a' - reveals the kernel version, which can be correlated to '/boot/{config*,init*,vmlinuz*}'
a. Text files
b. Contains options such as: 'y' = static, 'm' = modular support
2. 'initrd || initramfs' - initial RAM Disk - loaded by GRUB to set up the environment
a. Used to load drivers to mount '/' (root)
Note: From a security perspective, checksum 'config*' && 'init*' && 'vmlinuz*' && 'System.map*'
3. 'vmlinuz' - Linux Kernel
a. MUST match 'initrd'
4. 'System.map'
a. Symbols for the image, used by Kernel modules
Note: '/boot' need NOT be separated from '/'
Note: Ensure that backup procedures ALWAYS include '/boot'
du -chs /boot/
### INIT ###
Features:
1. First User-Space process
2. PID=1
3. Parent of all User-Space processes on *Nix systems (Linux | Unix)
4. Loads the User-Space environment
Files:
1. '/etc/inittab' - Primary configuration file - Read by '/sbin/init'
i.e, 'id:5:initdefault:' - default Runlevel
2. '/etc/init.d/' - Houses Daemons | Services, interface configuration scripts, etc
Note: Similar to 'services.msc' on Windows
Note: Whether or not the service | daemon runs in the current run-level is not important
Note: This is where third-party RC scripts should be placed
3. '/etc/rc.*' - Run Control Scripts for the appropriate run-levels
'runlevel' - confirms the current and optionally the previous runlevel
a. '/etc/rc.d/' - contains ALL K* S* scripts to be executed by 'rc' in this runlevel
b. '/etc/rc.d/rc' - script which processes the distinct runlevel K* & S* scripts
c. '/etc/rc.d/rc.sysinit' - items that should be run regardless of runlevel when the system is invoked
d. '/etc/rc.d/rc.local' - place third-party programs here to be launched post-runlevel-invocation
Note: 'sha256sum /etc/init.d/*' generates checksums for later reference
Note: The RPM DB provides checksums for installed files, i.e, '/sbin/init', however, if the RPM DB is corrupted, then you may be trojaned without your knowledge
rpm -qf /sbin/init
Note: Various System V systems will use different Daemon | service names, however, the startup is virtually the same
Note: Part of your checksum checks could also include file size
Note: For security purposes, store your checksums on a remote system
Note: Use BASH, Perl, Python, etc to take snapshots
Note: Consider taking snapshots manually to mitigate compromised-system threats
Note: A malicious, unauthorized user may compromise automated checksum checks so that they publish to the aggregation system data consistent with your expectations
Note: If you automate checksum checks, consider manually spot-checking, on a somewhat random basis, the checksums that are generated
Note: Also ensure that you checksum the checksum-generation script, in the event an unauthorized user changes the behavior of the script
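An added BASH example (not from the notes) that implements the snapshot the checksum notes above and the earlier '/boot' note call for: sha256 plus byte size for every file under the given directories, with a compare that reports added, removed and changed files. Directory names and the baseline file locations are assumptions; the demo runs on a constructed temporary directory.

```bash
#!/bin/bash
# Added example (not from the LinuxCBT notes): checksum + size snapshot of a
# set of files, and a comparison of two snapshots to surface drift.
# Snapshot lines are TAB separated: <sha256>\t<bytes>\t<path>

# snapshot DIR...  - print one line per regular file under the given directories
snapshot() {
    find "$@" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        size=$(wc -c < "$f" | tr -d ' ')      # file size, as the notes suggest
        printf '%s\t%s\t%s\n' "$sum" "$size" "$f"
    done
}

# compare_snapshots BASELINE CURRENT  - print ADDED/REMOVED/CHANGED lines,
# return 1 when anything differs, 0 when the snapshots agree
compare_snapshots() {
    awk '
        BEGIN { FS = "\t"; drift = 0 }
        NR == FNR { base[$3] = $1 "\t" $2; next }           # first file: baseline
        {
            if (!($3 in base))               { print "ADDED\t" $3;   drift = 1 }
            else if (base[$3] != $1 "\t" $2) { print "CHANGED\t" $3; drift = 1 }
            delete base[$3]
        }
        END { for (p in base) { print "REMOVED\t" p; drift = 1 }; exit drift }
    ' "$1" "$2"
}

# Stand-alone demo on a constructed directory. For real use the notes suggest
# e.g. "snapshot /boot /etc/init.d > baseline", the baseline kept on a remote
# host, and this script included in the snapshot so its own tampering is caught.
demo() {
    d=$(mktemp -d) || return 1
    printf 'initial\n' > "$d/rc.local"; printf 'static\n' > "$d/rc.sysinit"
    snapshot "$d" > "$d.base"
    printf 'injected\n' >> "$d/rc.local"                    # simulate a change
    snapshot "$d" > "$d.cur"
    compare_snapshots "$d.base" "$d.cur" || echo "drift detected"
    rm -rf "$d" "$d.base" "$d.cur"
}
demo
```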
### Kernel Modules ###
Features:
1. Kernel modules for myriad categories: CPU Frequency, Networking, Sound, etc
2. Referenced via: '/lib/modules/`uname -r`'
3. Each accessible | available Kernel has its own '/lib/modules/`uname -r`'
'/lib/modules/$(uname -r)'
a. 'modules.alias' - shortcuts
b. 'modules.dep' - Module dependencies - paths are relative to '/lib/modules/$(uname -r)'
c. 'kernel/*' - Categorical storage of modules per Kernel version
lsmod - Reveals loaded modules from '/proc/modules'
correlate loaded modules to: '/lib/modules/*'
find ./ -name cpufreq
'modinfo cpufreq_stats' - Returns MORE information
'/etc/modprobe.d' - Configuration of specific modules
dmesg
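An added example, not from the notes, that turns the "correlate loaded modules to /lib/modules" step into a check: every name in /proc/modules should have a module file listed in the running kernel's modules.dep. Both inputs are file arguments (on a live system: /proc/modules and /lib/modules/$(uname -r)/modules.dep); the demo uses constructed copies and a made-up module name.

```bash
#!/bin/bash
# Added example (not from the LinuxCBT notes): report modules the kernel says
# are loaded (/proc/modules format) that have no entry in modules.dep. Such a
# module did not come from the installed module tree and deserves a closer look.

# modules_unbacked PROC_MODULES MODULES_DEP - print unbacked modules, return 1 if any
modules_unbacked() {
    awk '
        BEGIN { bad = 0 }
        NR == FNR {                  # modules.dep: "kernel/net/x/mod.ko: dep1.ko dep2.ko"
            path = $1; sub(/:$/, "", path)
            n = split(path, parts, "/"); mod = parts[n]
            sub(/\.ko(\.(gz|xz|zst))?$/, "", mod)
            gsub(/-/, "_", mod)      # on-disk names may use -, /proc/modules uses _
            known[mod] = 1; next
        }
        {                            # /proc/modules: "name size refcount deps state addr"
            name = $1; gsub(/-/, "_", name)
            if (!(name in known)) { print "UNBACKED\t" $1 "\tsize=" $2 "\trefs=" $3; bad = 1 }
        }
        END { exit bad }
    ' "$2" "$1"
}

# Stand-alone demo on constructed copies of both files ("not_in_tree" is a
# made-up module name standing in for whatever does not belong).
demo() {
    d=$(mktemp -d) || return 1
    printf 'kernel/drivers/cpufreq/cpufreq_stats.ko:\nkernel/net/netfilter/x_tables.ko:\n' > "$d/modules.dep"
    printf 'kernel/net/ipv4/netfilter/ipt_REJECT.ko: kernel/net/netfilter/x_tables.ko\n' >> "$d/modules.dep"
    printf 'cpufreq_stats 16384 0 - Live 0x0000000000000000\n' > "$d/modules"
    printf 'ipt_REJECT 16384 1 - Live 0x0000000000000000\n' >> "$d/modules"
    printf 'x_tables 40960 1 ipt_REJECT, Live 0x0000000000000000\n' >> "$d/modules"
    printf 'not_in_tree 20480 0 - Live 0x0000000000000000\n' >> "$d/modules"
    modules_unbacked "$d/modules" "$d/modules.dep" || echo "loaded module(s) not backed by modules.dep"
    rm -rf "$d"
}
demo
```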
### '/proc/' ###
Features:
1. Run-time Kernel configuration options - '/proc'
2. Virtual in-memory File System
3. User-space tools derive key information from '/proc/'
df -h | grep proc
mount | grep proc
4. Stores PIDs of running processes, i.e '/proc/PID' - '/proc/1'
5. Contains many in-memory zero-byte files due to temporary PID directories
'cmdline' - returns the most recent invocation of the OS
i.e 'ro root=/dev/mapper/VolGroup-lv_root rd_NO_LUKS.UTF-8 rd_NO_MD rd_LVM_LV=VolGroup/lv_swap SYSFONT=latarcyrheb-sun16 rd_LVM_LV=VolGroup/lv_root KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet'
i.e, Debian: '/proc/cmdline' - BOOT_IMAGE=/boot/vmlinuz-3.8.0-36-generic root=UUID=56a7fe0d-1d1c-4aa5-82ad-59dedb0177b3 ro
Note: You can review the UUID or storage block
'devices' - reveals detected/supported devices
'filesystems' - returns kernel-supported filesystems
'partitions' - returns known partitions on the system
fdisk -l
'swaps'
swapon --help
swapon -s
'cpuinfo' - use this to determine:
a. Number of present CPUs
b. Features supplied by the present CPUs
'meminfo' - returns the memory configuration in detail
'net/' - Network details
arp -a
arp -an
'/sys/' - reflects current usage of system resources in a number of categories, i.e, 'net', 'audio', 'video', etc
grep proc /etc/fstab
Note: Ensure the integrity of '/etc/fstab' upon each system boot, i.e, ensure that '/proc/' is loaded
### '/[usr][/local]sbin' ###
Features:
1. Mostly privileged binaries
2. Some binaries are executable by non-privileged users via 'SETUID'
3. '/usr/sbin/' - $SHELL tools || Daemons || Services
4. '/usr/[local]/sbin' - $SHELL tools || Daemons || Services - i.e, 'anacron', 'ntpd', 'crond', 'sshd'
SETGID Examples:
1. '/usr/sbin/post[dq]*' - These files flagged SETGID ensure consistent permissions (for created files)
ps -ef | grep post
Examples of privileged binaries || scripts
1. 'dhclient'
find /[usr[local]]/sbin
find / -name 'dhclient'
rpm -qf dhclient
find . -name 'dhc*'
2. 'arp'
arp -an
3. 'ifconfig'
dpkg -S `which ifconfig`
rpm -qf `which ifconfig`
rpm -ql net-tools
4. 'route'
5. 'ip[6]tables*'
6. 'fdisk' - manipulate partition tables
fdisk -l
7. 'parted' - manipulate partition tables
8. 'lv* | pv* | vg*' - LVM Tools
9. 'blkid' - UUID - Guard as well, because a corrupted 'blkid' could yield incorrect UUIDs that you may inadvertently use and corrupt your system
10. 'mke2fs && mkfs.*'
Note: Use a third-party tool such as AIDE to guard the integrity of these important files
11. 'lsmod'
12. 'modprobe'
13. 'adduser||useradd||usermod||userdel'
14. 'reboot||shutdown||restart'
### System Control Configuration '/etc/sysctl.conf' ###
Features:
1. Alters the start-up || run-time Linux Kernel options: '/proc/sys'
2. Facilitates run-time Kernel option manipulation, i.e, dynamic changes to the Kernel akin to dynamic router changes
3. User-space tool: 'sysctl' - to manipulate run-time Kernel options
Note: Ensure its (/sbin/sysctl) integrity
4. Global startup configuration file: '/etc/sysctl.conf'
Tasks:
1. Use 'sysctl' to dump variables
a. 'sysctl -a' - enumerates Kernel run-time possibilities
2. Set some simple variables
hostname -f
a. 'sysctl "kernel.domainname=linuxcbt.internal"'
b. 'sysctl "kernel.pty.max=8192"' - useful for very busy, shared servers
sysctl kernel.pty.max
Example of exhausting PID Max:
$USER -> pts/4 -> PIDs -> (Numerous PIDs) - i.e, Nessus, Nmap
Note: The Kernel will usually log messages: /var/log/messages && console (critical)
c. 'sysctl "kernel.pid_max=65536"'
3. Ensure that tweaked variables persist: '/etc/sysctl.conf'
a.
#LinuxCBT Classroom System Performance Kernel Tweaks
kernel.domainname = linuxcbt.internal
kernel.pty.max = 8192
kernel.pid_max = 65536
4. Ensure that values take effect immediately
a. 'sysctl -p' - reads /etc/sysctl.conf
Note: Errors reading values should appear immediately on STDOUT
Note: System control (sysctl) influences the Kernel directly and dynamically
Note: If '/etc/sysctl.conf' is corrupted, your Kernel will misbehave
Note: An improper '/etc/sysctl.conf' could result in:
1. Failure to boot the system, resulting in a Kernel Panic
2. Intermittent application behavior
3. Extremely slow application responses
4. Dropped connections: TCP, UDP, SCTP && Application Level
Note: Monitor '/etc/sysctl.conf' using appropriate integrity tools
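An added example (not from the notes) that verifies the persistence step above: each key = value in a sysctl.conf-style file is compared with the live value under /proc/sys, reporting DRIFT and keys that do not exist (which 'sysctl -p' would also complain about). The /proc/sys root is a parameter so the demo can run on a constructed tree; the values are the ones from the notes.

```bash
#!/bin/bash
# Added example (not from the LinuxCBT notes): compare a sysctl.conf file with
# the running kernel. "kernel.pid_max" maps to "<root>/kernel/pid_max";
# root defaults to /proc/sys and is overridable for testing.

# normalise whitespace so "32768 61000" and "32768<TAB>61000" compare equal
_norm() { printf '%s' "$1" | tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//'; }

# check_sysctl_conf FILE [ROOT] - print OK / DRIFT / UNKNOWN per key, return 1 on any problem
check_sysctl_conf() {
    conf=$1; root=${2:-/proc/sys}
    report=$(
        sed -e 's/[#;].*//' -e '/^[[:space:]]*$/d' "$conf" |       # drop comments, blanks
        while IFS='=' read -r key want; do
            key=$(printf '%s' "$key" | tr -d '[:space:]')
            path="$root/$(printf '%s' "$key" | tr . /)"
            if [ ! -r "$path" ]; then
                printf 'UNKNOWN %s (no %s; sysctl -p would report an error)\n' "$key" "$path"
            elif [ "$(_norm "$(cat "$path")")" = "$(_norm "$want")" ]; then
                printf 'OK      %s = %s\n' "$key" "$(_norm "$want")"
            else
                printf 'DRIFT   %s: file=%s live=%s\n' "$key" "$(_norm "$want")" "$(_norm "$(cat "$path")")"
            fi
        done
    )
    printf '%s\n' "$report"
    case "$report" in *DRIFT*|*UNKNOWN*) return 1 ;; esac
    return 0
}

# Stand-alone demo on a constructed /proc/sys tree holding "live" values that
# differ from the file (the real call is: check_sysctl_conf /etc/sysctl.conf).
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/kernel/pty"
    printf '32768\n'  > "$root/kernel/pid_max"
    printf '4096\n'   > "$root/kernel/pty/max"
    printf '(none)\n' > "$root/kernel/domainname"
    printf '#LinuxCBT Classroom System Performance Kernel Tweaks\n' > "$root/sysctl.conf"
    printf 'kernel.domainname = linuxcbt.internal\nkernel.pty.max = 8192\n' >> "$root/sysctl.conf"
    printf 'kernel.pid_max = 65536\nkernel.no_such_key = 1\n' >> "$root/sysctl.conf"
    check_sysctl_conf "$root/sysctl.conf" "$root" || echo "sysctl.conf does not match the running kernel"
    rm -rf "$root"
}
demo
```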
### '/etc/[x]inetd.conf' ###
Features:
1. Auto-spawned services || daemons as needed
2. Reduces consumption of resources: CPU | memory
3. Resource control
4. Forwarding of ports (XINETD)
5. Extends traditional '/etc/init.d' spawning of services || daemons
yum install xinetd
apt-get install xinetd
6. '/etc/xinetd.conf' - primary XINETD config file
7. '/etc/inetd.conf' - primary traditional inetd config file - Debian and derivatives
8. '/etc/xinetd.d' - This directory is read for individual XINETD-controlled service || daemon files
Tasks:
1. Explore typical XINETD setup
a. '/etc/xinetd.conf' - primary config
b. '/etc/xinetd.d/' - primary config container for individual services || daemons
Note: It is up to you to ensure that XINETD && INETD services are disabled as needed
yum search tftp
yum install tftp-server
apt-get install tftpd
Note: 'grep disable /etc/xinetd.d/*' - to determine enabled services
Note: This will not include services that are described sans 'disable = yes'
Note: 'netstat -nutlp | grep xinetd' - reveals XINETD-controlled services
Note: Importance: Trojans, unauthorized processes can be easily invoked via XINETD
Note: Because XINETD is more advanced than INETD, look out for services that really forward ports in '/etc/xinetd.d'
Note: You should also remove superfluous XINETD files from '/etc/xinetd.d', i.e, small TCP/IP services
2. Explore typical INETD setup
a. '/etc/inetd.conf' - primary configuration file
Note: INETD systems tend to lump ALL services || daemons into 1 monolithic file
Note: INETD systems will load services || daemons from '/etc/inetd.conf' that are NOT commented out
Note: Like with XINETD, small TCP/UDP services are referenced, but commented, in '/etc/inetd.conf'
Note: Consider removing small TCP/UDP services from '/etc/inetd.conf'
b. Disable TFTP
c. Disable Samba SWAT
d. Disable ALL mail-retrieval protocols
invoke-rc.d openbsd-inetd restart
Note: If all services managed by XINETD|INETD are disabled, there is no service to invoke, and disabling the super-server itself releases/avails resources
Note: Both XINETD|INETD control traditional inetd services, i.e, SSHD, etc
Note: Debian-derived systems ALSO support XINETD, however, INETD is the traditional super-server
Note: There is a conversion process required to go from INETD to XINETD
e. Remove distinct service || daemon entries for small TCP/IP services from '/etc/inetd.conf'
e1. '/etc/init.d/openbsd-inetd restart'
Note: The various areas covered thus far are ALL vectors of attack to compromise your system
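Added example, not from the notes, for the two enumeration caveats above: for xinetd it lists the service blocks that would start, including those with no 'disable' line at all (which 'grep disable' misses), and for inetd the uncommented lines of inetd.conf. The sample files are constructed; the 'disabled =' list in a xinetd defaults block is deliberately not parsed.

```bash
#!/bin/bash
# Added example (not from the LinuxCBT notes): enumerate what a super-server
# would actually start. Simplification: only "disable =" inside service blocks
# is read; the "disabled =" list of a xinetd "defaults" block is ignored.

# xinetd_enabled FILE... - print "<service>\t<why>" for every enabled xinetd service block
xinetd_enabled() {
    awk '
        /^[[:space:]]*service[[:space:]]+/  { name = $2; dis = "" }
        /^[[:space:]]*disable[[:space:]]*=/ { split($0, kv, "="); gsub(/[[:space:]]/, "", kv[2]); dis = tolower(kv[2]) }
        /^[[:space:]]*}/ && name != "" {
            if (dis == "")         print name "\tenabled (no disable directive)"
            else if (dis != "yes") print name "\tenabled (disable = " dis ")"
            name = ""
        }
    ' "$@"
}

# inetd_enabled FILE - print "<service>\t<proto>\t<program>" for each active inetd.conf line
inetd_enabled() {
    awk '!/^[[:space:]]*(#|$)/ { print $1 "\t" $3 "\t" $6 }' "$1"
}

# Stand-alone demo on constructed xinetd.d files and a constructed inetd.conf
# (real calls: xinetd_enabled /etc/xinetd.d/*  and  inetd_enabled /etc/inetd.conf).
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/xinetd.d"
    printf 'service tftp\n{\n\tsocket_type = dgram\n\tprotocol = udp\n\tdisable = yes\n}\n' > "$d/xinetd.d/tftp"
    printf 'service echo\n{\n\ttype = INTERNAL\n\tsocket_type = stream\n\tdisable = no\n}\n' > "$d/xinetd.d/echo"
    printf 'service chargen\n{\n\ttype = INTERNAL\n\tsocket_type = stream\n}\n' > "$d/xinetd.d/chargen"
    printf '#:STANDARD: These are standard services.\n' > "$d/inetd.conf"
    printf '#telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.telnetd\n' >> "$d/inetd.conf"
    printf 'tftp dgram udp wait root /usr/sbin/in.tftpd in.tftpd /srv/tftp\n' >> "$d/inetd.conf"
    echo "xinetd services that would start:"; xinetd_enabled "$d"/xinetd.d/*
    echo "inetd services that would start:";  inetd_enabled "$d/inetd.conf"
    rm -rf "$d"
}
demo
```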
### /etc/{passwd,shadow} ###
Features:
1. Store account DBs
2. Used even with LDAP usage, i.e, daemons | services | root | default non-privileged user (linuxcbt)
3. 'login.defs'
Tasks:
1. Peruse both files
a. '/etc/passwd'
root:x:0:0:root:/root:/usr/bin/zsh
1. username
2. reference to shadow
3. uid
4. gid
5. user's description - usually a full name
6. home directory
7. user's shell
sshd:x:116:65534::/var/run/sshd:/usr/sbin/nologin
cat /etc/shells
Note: Check '/etc/shells' to determine permitted $SHELLs
Note: Check, aside from daemon | service accounts, that each user has a $HOME directory
Note: $USERs sans $HOME directories will often be relegated to '/', unless the enveloping daemon | service prohibits this
b. '/etc/shadow' - contains 1 entry per entry in '/etc/passwd'
Note: Look for mismatches
Note: If using LDAP, check the LDAP DB for other account mismatches
Note: LDAP can be corrupted via corrupt source files: /etc/{passwd,shadow}
Note: LDAP data can be corrupted from any host with connectivity
c. '/etc/login.defs' - Contains default user account policies
c1. Tighten the default policy
userdel -r username
groupdel groupname
c2. Ensure that SHA256 or higher is in use
getent
Note: Use 'getent passwd' to dump possible sources of user accounts for your system
getent group
getent gshadow
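An added BASH example (not from the notes) of the passwd/shadow mismatch and $HOME/$SHELL checks above. The three files are parameters, plus an optional root prefix for home directories, so the demo can run on constructed copies; accounts whose shell ends in nologin or false are treated as daemon | service accounts and skip the $HOME check.

```bash
#!/bin/bash
# Added example (not from the LinuxCBT notes): cross-check passwd against
# shadow and shells. Findings are TAB separated: <KIND>\t<user>[\t<detail>]

# check_accounts PASSWD SHADOW SHELLS [HOME_ROOT] - print findings, return 1 if any
check_accounts() {
    awk -F: -v root="${4:-}" '
        BEGIN { bad = 0 }
        FILENAME == ARGV[1] { shells[$1] = 1; next }        # permitted login shells
        FILENAME == ARGV[2] { shadow[$1] = 1; next }        # accounts with a shadow entry
        {                                                    # passwd
            user = $1; home = $6; shell = $7; seen[user] = 1
            if (!(user in shadow)) { print "NO_SHADOW\t" user; bad = 1 }
            if (shell ~ /(nologin|false)$/) next            # daemon | service account
            if (!(shell in shells)) { print "BAD_SHELL\t" user "\t" shell; bad = 1 }
            p = root home; gsub(/[\\"$`]/, "\\\\&", p)       # quote for the shell test below
            if (system("[ -d \"" p "\" ]") != 0) { print "NO_HOME\t" user "\t" home; bad = 1 }
        }
        END {
            for (u in shadow) if (!(u in seen)) { print "ORPHAN_SHADOW\t" u; bad = 1 }
            exit bad
        }
    ' "$3" "$2" "$1"
}

# Stand-alone demo on constructed files (real call: check_accounts /etc/passwd /etc/shadow /etc/shells)
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/root" "$d/home/linuxcbt"
    printf '/bin/sh\n/bin/bash\n' > "$d/shells"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$d/passwd"
    printf 'linuxcbt:x:1000:1000:LinuxCBT:/home/linuxcbt:/bin/bash\n' >> "$d/passwd"
    printf 'sshd:x:116:65534::/var/run/sshd:/usr/sbin/nologin\n' >> "$d/passwd"
    printf 'ghost:x:1001:1001::/home/ghost:/bin/zsh\n' >> "$d/passwd"    # constructed oddity
    printf 'root:*:1:0:99999:7:::\nlinuxcbt:*:1:0:99999:7:::\nsshd:*:1:0:99999:7:::\n' > "$d/shadow"
    printf 'stale:*:1:0:99999:7:::\n' >> "$d/shadow"                     # constructed orphan
    check_accounts "$d/passwd" "$d/shadow" "$d/shells" "$d" || echo "account DB inconsistencies found"
    rm -rf "$d"
}
demo
```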
### Pluggable Authentication Modules (PAM) ###
Features:
1. Centralized AUTH, Account, Session services
2. Abstracts programs, i.e, SSH, Samba, Telnet, FTP, etc, from having to implement similar services
3. Extensible, i.e, LDAP, AD, MySQL, PostgreSQL, etc
4. Stack of modules required for AUTH, ACCOUNT, SESSION, PASSWORD
Key files:
1. '/etc/pam.conf'
Note: Some systems, i.e, RedHat and derivatives, may not have a general '/etc/pam.conf', however, look for '/etc/pam.d/' with numerous per-application files, i.e, 'SSH'
Note: Debian 6x has '/etc/pam.conf' AND '/etc/pam.d/'
Note: PAM relies upon distinct libraries beneath the platform-specific library directory
Note: i.e, for x86_64: '/lib64/security'
Note: PAM, like PHP and other programs, supports an 'include' directive to incorporate the PAM stack from other files
Note: PAM also ensures, via the 'su' PAM stack, that the environment is properly configured on a per-user basis, i.e, if logged in as 'root', '/sbin;/usr/local/sbin;/usr/sbin' are added to your $PATH
Note: Upgrades | security patches may change the contents of '/etc/pam.d' and force them into action
Note: This may mean generating a new set of checksums
Note: /etc/security/pam_env.conf - consulted by ANY processes, i.e, gdm, sshd, etc, that rely upon general AUTH to the system.
Note: SYSLOG routes | handles PAM log entries, i.e, on CentOS && RH: /var/log/secure.log or Debian: /var/log/auth.log
### '/etc/{hosts,protocols,services}' ###
Features:
1. Layer 4 - Layer 3 resolution - i.e, 'linuxcbtrouter1.linuxcbt.internal' -> 192.168.75.1 -> MAC
2. Protocol naming, i.e, IP(0), TCP(6), UDP(17) - '/etc/protocols'
3. Well-known service translations: '/etc/services', i.e, ssh -> tcp/22
Basic '/etc/hosts' for a TCP/IP-compliant system:
#IPv4
127.0.0.1 localhost localhost.localdomain linuxcbtcent1 linuxcbtcent1.linuxcbt.internal
#IPv6
::1 localhost localhost.localdomain linuxcbtcent1 linuxcbtcent1.linuxcbt.internal
#Routable Addresses
#RFC 1918 Address 192.168.75.0/24
192.168.75.105 site1.linuxcbt.internal
192.168.75.105 site2.linuxcbt.internal
Tasks
1. Corrupt '/etc/hosts'
a. Place an incorrect entry for www.linuxcbt.com
Note: Many malware packages will corrupt '/etc/hosts' to redirect traffic
Note: Most target malware sites will resemble the authentic site
Note: Insofar as L4 to L3 resolution is concerned, '/etc/hosts' is usually consulted prior to DNS
2. Corrupt '/etc/protocols'
Note: If '/etc/protocols' is corrupted, packet handling could, in theory, also be corrupted
3. Corrupt '/etc/services'
Note: If '/etc/services' is corrupt, packet interpretation and handling could also go awry
Note: The port range is 2**16, however, '/etc/services'
sha256sum /etc/{hosts,services,protocols}
NOTE: Another example of a corrupted '/etc/hosts' is the redirection of Backup Exec client/server communications via incorrect IPv[46]
Note: Malware typically hits '/etc/hosts'
Note: If you detect mismatches in packet-analysis programs, i.e, TCPDump, Wireshark, Snort, Nmap, Nessus, etc, then consult '/etc/{protocols,services}'
### Name Service Switch Configuration (NSSWITCH) ###
Features:
1. Name service resolution order
2. Indicates the various databases to be used for lookup of various data
i.e, L4-L3 names are resolved using NSSWITCH
i.e, the user account DB location is indicated via NSSWITCH
3. Centralized name resolution service: resolver
4. Polls name=value pairs from target DBs
5. Abstracts applications from having to maintain resolution services: akin to PAM
i.e, ping www.linuxcbt.com -> NSSWITCH -> hosts: files dns
Note: The 'hosts' DB type is consulted when tools such as 'ping', 'traceroute', web browsers, etc, require L4 (host name) - L3 (IPv[46]) translations
Note: '/etc/hosts' is the key file for 'hosts' resolution
6. NSSWITCH facilitates redundant means of resolving targets
Tasks:
1. Explore '/etc/nsswitch.conf' configuration
Note: NIS(plus) are still supported, but somewhat deprecated due to LDAP & DNS a la Active Directory (AD)
a. NIS
b. DNS - considerable support - glue of the internet
2. Reorder '/etc/nsswitch.conf' and evaluate
a. 'hosts: dns files' - causes the name resolver to use DNS first
b. ping www3.linuxcbt.com
Note: 'files' references tend to be consistent across distributions of Linux | Unix due to regularity
cat /etc/ethers
cat /etc/networks
Note: If your system is configured to use LDAP AUTH, then '/etc/nsswitch.conf' will be updated insofar as:
passwd files
shadow files
group files
Note: Usage of LDAP does NOT disable the local 'files' reference
Note: Insofar as malware is concerned, watch:
passwd files
shadow files
group files
hosts files dns
NSSWITCH is used by virtually ALL *Nix applications to resolve key DBs
host www.google.com
### DNS Client Resolution ###
Features:
1. File: '/etc/resolv.conf' - located on ALL *Nix systems
2. DNS Client resolver lookup file
3. Consulted by DNS Clients: dig, nslookup, web browsers, lynx, curl, lftp, etc
4. L4 lookup servers are placed here, normally using IPv[46] addresses
5. Auto-configured if using a DHCP client
6. Manually configured IPv[46] systems must also configure '/etc/resolv.conf' manually
Tasks:
1. Explore '/etc/resolv.conf'
search localhost.localdomain # This domain is appended to DNS Client requests if the FQDN is omitted by the user, i.e, 'dig linuxcbtcent1' - NOT FQDN, the DNS Client will rewrite to 'dig linuxcbtcent1.linuxcbt.internal'
nameserver 192.168.1.1 # indicates the PRIMARY DNS server to consult
Note: If '/etc/resolv.conf' is corrupted, DNS client requests can easily be re-routed to rogue DNS servers, rendering illegitimate responses
dig @8.8.8.8 www.linuxcbt.com
Note: Some malware will remove your normal DNS servers in '/etc/resolv.conf' in exchange for polluted DNS servers
Note: While other malware will simply include polluted DNS servers as default servers, leaving your original entries as subsequent entries
Note: By default, DNS client resolvers will bypass '/etc/hosts' and use the servers specified in '/etc/resolv.conf'
Note: This does NOT include applications such as web browsers, which will always consult the order in '/etc/nsswitch.conf'
2. Perform Queries:
a. 'dig @8.8.8.8 www.linuxcbt.com' - forces DNS Client resolution off server 8.8.8.8
b. 'dig www.linuxcbt.com' - uses the default DNS Server prescribed in '/etc/resolv.conf'
Suggestion:
Internally, direct DNS traffic to internal, company-managed DNS servers, and subsequently forward unfulfilled requests to internet DNS servers, i.e, ISP
Client -> Internal DNS Server(s) -> ISP Server -> Public Servers (Google 8.8.8.8|8.4.4.4) -> Root DNS Servers
3. Example Debian APT 'sources.list' File
'deb http://security.debian.org/ squeeze/updates main contrib'
dig security.debian.org
dig security.debian.org (L4) -> 149.20.20.6 (L3)
If the L3 server address is poisoned, then the NEW rogue target server COULD supply our APT framework with rogue, malicious, and|or compromised packages
Note: Try to ensure that PROD systems have consistent '/etc/resolv.conf' files
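Added example, not from the notes, covering the resolv.conf and '/etc/hosts' tampering patterns above: nameservers not on an approved list (the first nameserver is called out, since that is where a prepended polluted server lands), and hosts entries that pin names you expect from DNS, such as an APT mirror. The approved list, the names watched and the sample files are constructed.

```bash
#!/bin/bash
# Added example (not from the LinuxCBT notes): two DNS-client integrity checks.

# resolv_unexpected FILE "IP IP ..." - print unapproved nameserver lines, return 1 if any
resolv_unexpected() {
    awk -v ok=" $2 " '
        BEGIN { bad = 0 }
        $1 == "nameserver" && index(ok, " " $2 " ") == 0 {
            printf "line %d: unapproved nameserver %s%s\n", NR, $2,
                   (first == 0 ? " (first nameserver: the resolver prefers it)" : "")
            bad = 1
        }
        $1 == "nameserver" { first++ }
        END { exit bad }
    ' "$1"
}

# hosts_overrides FILE "name name ..." - print hosts entries that pin any of the names, return 1 if any
hosts_overrides() {
    awk -v names=" $2 " '
        BEGIN { bad = 0 }
        { sub(/#.*/, "") }                                 # strip comments, re-split fields
        NF >= 2 {
            for (i = 2; i <= NF; i++)
                if (index(names, " " tolower($i) " ")) { print $1 "\t" $i; bad = 1 }
        }
        END { exit bad }
    ' "$1"
}

# Stand-alone demo on constructed files. 203.0.113.53 and 198.51.100.7 are
# documentation-range addresses standing in for a rogue server and a rogue pin
# (real calls: resolv_unexpected /etc/resolv.conf "..."; hosts_overrides /etc/hosts "...").
demo() {
    d=$(mktemp -d) || return 1
    printf 'search linuxcbt.internal\nnameserver 203.0.113.53\nnameserver 192.168.1.1\n' > "$d/resolv.conf"
    printf '127.0.0.1 localhost\n192.168.75.105 site1.linuxcbt.internal\n' > "$d/hosts"
    printf '198.51.100.7 www.linuxcbt.com security.debian.org # constructed pin\n' >> "$d/hosts"
    resolv_unexpected "$d/resolv.conf" "192.168.1.1 8.8.8.8" || echo "resolv.conf: unapproved nameserver present"
    hosts_overrides "$d/hosts" "www.linuxcbt.com security.debian.org" || echo "hosts: DNS names pinned locally"
    rm -rf "$d"
}
demo
```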
### User Profiles ###
Features:
1. Ability to aggregate and present a consistent user experience across icons, files, colors, etc
2. Default $SHELL = BASH
Files:
1. '/etc/{bashrc,profile,profile.d,shells,skel}'
a. '/etc/profile' - system-wide $SHELL file that configures the initial environment
echo $HISTSIZE
echo $HISTFILESIZE
echo $PS1
echo $PATH
echo $LOGNAME
echo $USER
b. '/etc/profile.d' - contains $SHELL includes, i.e, coloration of 'ls' output
c. '/etc/shells' - This file dictates allowable $SHELLs
Note: Ensure that '/etc/shells' does not contain unknown, unidentified $SHELLs
d. '/etc/skel' - used to provision new users
2. '~/.bash_history' - Guard contents, because passwords, credentials may be present
Note: Consider purging the contents of '~/.bash_history' to a facility such as '/dev/null'
Note: Consider reducing the history size to a small number, i.e, '10'
3. '$HOME/bin' - This is a per-user executable directory. Monitor this directory for potential rogue processes
4. '~/.vnc' - This directory houses files associated with VNC access
a. 'xstartup' - executable file that is invoked when a new VNC/GNOME/KDE session is created
Note: This feature is akin to the Windows startup group - It will cause applications to launch upon invocation
netstat -ntl | grep 591
5. 'password' - ensure this file exists, if VNC is in use
### CRON ###
Features:
1. Process automation
Example of misuse:
1. DNS client poisoning
2. Bad package (RPM|APT) is installed
3. Rogue process is invoked via CRON, regularly
4. Host becomes a member of a BotNet
Key Files:
1. '/etc/crontab' - System Cron Table - defines the basis of operation
2. '/etc/cron.d' - Default jobs are called from here. Varies by Distro, however, the concepts are similar
Note: These entries are NOT executables; they are simply included as part of the larger CRON config
Note: If you notice executable items in '/etc/cron.d', something is amiss
3. '/usr/sbin/crond' - CROND process - checksum this
rpm -qf 0anacron
4. '/etc/cron.hourly' - jobs that are executable (scripts), and run hourly
Note: Normally, CRON jobs are not binaries; if you see files that run as jobs and are represented as binaries, have a deeper look.
5. Ensure the integrity of '/bin/run-parts' - this utility runs N number of scripts from a directory
rpm -qa | grep cron
6. '/usr/bin/crontab' - checksum as well, as this could submit jobs
7. '/var/spool/cron' - Check for unrelated user jobs - look for unresolved IDs: 'ls -l /var/spool/cron'
8. Ensure the integrity of 'crond' itself using 'rpm', i.e, 'rpm -Vvf `which crond`'
Note: Perform these checks before the system enters PROD, and during PROD.
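An added example (not from the notes) for two of the cron checks above: executable files in a cron.d directory, and crontabs in a spool directory whose filename does not match an account in passwd. Directories and the passwd file are parameters; the demo uses constructed copies.

```bash
#!/bin/bash
# Added example (not from the LinuxCBT notes): cron.d should hold only
# configuration fragments, and every per-user crontab in the spool should
# belong to a known account.

# crond_executables DIR - print files under DIR carrying any execute bit, return 1 if any
crond_executables() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print | LC_ALL=C sort |
        awk '{ print "EXECUTABLE\t" $0; n++ } END { exit n > 0 }'
}

# cron_spool_orphans SPOOL PASSWD - print crontab files named for no account in PASSWD, return 1 if any
cron_spool_orphans() {
    ls "$1" | awk -F: '
        BEGIN { bad = 0 }
        NR == FNR { users[$1] = 1; next }                   # passwd usernames
        !($1 in users) { print "ORPHAN_CRONTAB\t" $1; bad = 1 }
        END { exit bad }
    ' "$2" -
}

# Stand-alone demo on constructed directories (real calls:
# crond_executables /etc/cron.d; cron_spool_orphans /var/spool/cron /etc/passwd,
# or /var/spool/cron/crontabs on Debian-derived systems).
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/cron.d" "$d/spool"
    printf '01 * * * * root run-parts /etc/cron.hourly\n' > "$d/cron.d/0hourly"
    printf '#!/bin/sh\necho constructed\n' > "$d/cron.d/dropper"       # constructed oddity
    chmod 755 "$d/cron.d/dropper"
    printf 'root:x:0:0:root:/root:/bin/bash\nlinuxcbt:x:1000:1000::/home/linuxcbt:/bin/bash\n' > "$d/passwd"
    touch "$d/spool/root" "$d/spool/linuxcbt" "$d/spool/ghost"         # ghost: no such account
    crond_executables "$d/cron.d"            || echo "executable file(s) in cron.d"
    cron_spool_orphans "$d/spool" "$d/passwd" || echo "crontab(s) for unknown account(s)"
    rm -rf "$d"
}
demo
```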
### DNS Server Configuration ### (TODO Learn bind)
Features:
1. Glue of the Internet
2. L4-L3 conversions
Tasks:
1. Explore environment
a. '/etc/bind' - Debian
b. '/etc/named' && '/var/named' - CentOS | RedHat
Note: Ensure that you have a baseline
netstat -nump
c. '/etc/bind/named.*' - Both OSs - Ensure the zones listed are ones that you are responsible for
2. Follow each Zone file to its source file on the FS and examine
dig @localhost hostname
3. Also run random queries occasionally to ensure the validity of DNS records
4. Ensure that RFC-1912 && RFC-1918 zones, if defined, are accurate
Note: ALL named.* files that are included are part of a monolithic configuration (1 big config), which means you are at liberty to place any zone config (descriptor) an
ywhere
5. Ensure ROOT servers are accurate: '/var/named/named.ca' on RedHat-derived systems
6. Ensure that you constantly look for:
a. Unauthorized zones
b. Changes to existing zones
c. Invalid records, i.e, pointers to unauthorized IP addresses [4|6]
d. Incomplete records, i.e, present IPv4 and missing IPv6 records
e. Missing reverse entries - this causes some applications to break
### Syslog ###
Features:
1. Logs key system information from programs, services, daemons, kernel, etc
2. Optionally logs information from remote, Syslog-aware systems: devices | routers, switches, firewalls, etc
Explore Syslog Environment
1. '/lib[64]/rsyslog/*' - contains modules to extend rsyslog - RedHat|CentOS
2. '/usr/lib/rsyslog/*' - Debian
3. '/usr/sbin/rsyslogd' - Debian && '/sbin/rsyslogd' - RedHat | CentOS
Comment TCP || UDP listeners if NOT in use - Syslog does not offer AUTH security by default
Note: This means, once clients have network access to the rsyslog server, they can, if configured with the appropriate facility and|or level, send messages to SYSLOG
#Hypothetical Case
A rogue, infected Windows machine on-the-wire sends considerable SYSLOG data to your rsyslog instance. For this reason, consider provisioning a dedicated '/var' per HOST
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
rpm -ql rsyslog
Suggestion:
Consider restricting TCP 514 AND|OR UDP 514 via IPTables AND|OR an external firewall
iptables -L
Ensure that you have a comprehensive list of supported Syslog:
1. Facilities: local, user, mail, kern, cron, auth|priv
2. Levels: debug -> emerg
Note: Ensure that your organizational security policy details the accepted Syslog configuration. This helps to mitigate problems, nerves, anxieties, when things go awry
i.e, DDOS attacks generate enormous amounts of data on a number of levels that impact *Nix systems:
1. NIDS systems parsing gigabit traffic
2. Syslog must capture requests incoming from NIDS, edge processes, and otherwise
