Lab 4 Processes Security
Import the VM provided in Debian-Server.ova into Virtual Box. Then, respond to all questions
in your own words, providing screenshots of your work to support it.
NOTE: If you are using a previously imported VM, it is recommendable to create a snapshot before
making any modifications requested in this lab. After finishing, you can restore the snapshot to get
to the original state.
Resource: https://www.redhat.com/sysadmin/linux-proc-filesystem
1. Log in as herzing. Move to /proc. Long list the directory filtering by your username. All
files that are numbers represent a Process ID (PID). Pick a random number from the list.
Compare it with “ps -ef | grep PID”. Show all your commands.
cd /proc
ls -l | grep herzing # Replace "herzing" with your actual username
# Note a random PID (e.g., 12345)
ps -ef | grep 12345 # Replace 12345 with the PID you noted
2. List the directory for this process with “ls -l PID”. This contains information about the live
process. For instance, “ls -l PID/map_files” will show opened files by this process. Use
head to show the status of this process.
ls -l /proc/PID
ls -l /proc/PID/map_files # To see opened files by this process
cat /proc/PID/status | head # To see the status of this process
3. You can see information about other users' processes. Try to check the status of a process
belonging to root with head as well.
(but I would replace "ROOT_PID" with the actual PID of a root-owned process)
ls -l /proc/ROOT_PID
cat /proc/ROOT_PID/status | head # To see the status of the root process
Program: CS
Course: Unix Security
Lab 4: Processes security
4. You can check as well information about the system. What command would show you
information about the CPU?
cat /proc/cpuinfo
5. The kernel parameters can also be obtained from /proc. For instance,
/proc/sys/net/ipv4/icmp_echo_ignore_all can be configured with 0 or 1. What is the
actual value of this configuration? What does it mean? Check the permissions of this special
file. Who can modify it?
cat /proc/sys/net/ipv4/icmp_echo_ignore_all
6. Become root. Execute “ping -c 1 127.0.0.1”, which should work. Then, enable this
setting and try the ping again.
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
7. Check the setting but this time use the command “sysctl PATH_TO_SETTING”,
specifying the path to the setting you want to check (the one you just changed), but instead
of a slash (/), use a dot (.) to separate the directories. Hint: do not include proc and sys in the
path.
sysctl net.ipv4.icmp_echo_ignore_all
8. This tool allows you to modify the kernel settings. Change back the value of
icmp_echo_ignore_all so it is disabled and pings work again. Show how you did it and
a ping working.
echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
9. Enable once more this setting and reboot. Then, check its value. How can you permanently
enable the setting to ignore pings even if the machine is restarted?
net.ipv4.icmp_echo_ignore_all=1   # add this line to /etc/sysctl.conf
sysctl -p                          # reload /etc/sysctl.conf so it applies now and at every boot
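The path-to-key conversion in step 7 and the persistence in step 9 are mechanical enough to script. The following is an added example, not part of the lab or of any distribution tool: it converts between the /proc/sys path and the sysctl key in both directions, writes the "key = value" drop-in that keeps the setting across reboots, and reads it back. The drop-in is written to a temporary directory so nothing on the host changes; the real target would be /etc/sysctl.d/, which the boot-time sysctl --system pass loads (sysctl -p alone reloads only /etc/sysctl.conf).

```shell
#!/bin/sh
# Added example (not part of the lab): convert between a /proc/sys path and its
# sysctl key, and write/read the kind of drop-in that keeps a setting across
# reboots. The drop-in goes to a scratch directory here so the host is untouched.

# /proc/sys/net/ipv4/icmp_echo_ignore_all -> net.ipv4.icmp_echo_ignore_all
sysctl_key_from_path() {
    printf '%s\n' "$1" | sed -e 's|^/proc/sys/||' -e 's|/|.|g'
}

# net.ipv4.icmp_echo_ignore_all -> /proc/sys/net/ipv4/icmp_echo_ignore_all
path_from_sysctl_key() {
    printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr '.' '/')"
}

# write_sysctl_dropin KEY VALUE [DIR]
# Writes "KEY = VALUE" to DIR/90-KEY.conf (dots replaced by dashes) and prints
# the file name. DIR defaults to /etc/sysctl.d, which "sysctl --system" loads
# at boot; "sysctl -p" by itself only reloads /etc/sysctl.conf.
write_sysctl_dropin() {
    key=$1; value=$2; dir=${3:-/etc/sysctl.d}
    file="$dir/90-$(printf '%s' "$key" | tr '.' '-').conf"
    printf '%s = %s\n' "$key" "$value" > "$file"
    printf '%s\n' "$file"
}

# read_sysctl_dropin FILE KEY
# Prints the value configured for KEY, skipping comment and blank lines.
read_sysctl_dropin() {
    awk -F'=' -v k="$2" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*$/    { next }
        {
            gsub(/[[:space:]]/, "", $1)
            gsub(/[[:space:]]/, "", $2)
        }
        $1 == k { print $2; exit }
    ' "$1"
}

# Round trip in a scratch directory: persist icmp_echo_ignore_all=1, read it back.
demo_persist() {
    tmp=$(mktemp -d) || return 1
    f=$(write_sysctl_dropin net.ipv4.icmp_echo_ignore_all 1 "$tmp")
    read_sysctl_dropin "$f" net.ipv4.icmp_echo_ignore_all
    rm -rf "$tmp"
}

demo_persist   # prints 1
```

For the question in step 5: the special file is owned by root with mode 0644, so any user can read the current value but only root can write it, and a value of 1 makes the kernel drop every ICMP echo request, which is why the ping in step 6 stops getting replies.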
10. As root, remount the proc special filesystem with the option hidepid=2. Then, back to
herzing’s session, try to see processes from other users. Show the commands you used and
explain what happens.
mount -o remount,hidepid=2 /proc
ps aux
- What happens is that the user herzing can no longer see processes from other users, due to the
hidepid=2 setting, which enhances process isolation.
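Steps 1 to 3 read process ownership out of /proc/PID/status, and step 10 changes who may see those entries at all. The following is an added example, not part of the lab: it extracts fields (including the real UID that "ls -l /proc" shows as the owner) from a constructed status file, and decodes the hidepid option from a constructed /proc/mounts line so an administrator can confirm the remount took effect without eyeballing ps output. The sample process and mount line are made up.

```shell
#!/bin/sh
# Added example (not part of the lab): read the owner of a process out of its
# /proc/PID/status text, and decode hidepid from a /proc/mounts line to confirm
# whether other users' processes are hidden. Inputs are constructed samples.

# Constructed first lines of a /proc/PID/status file for a root-owned daemon.
sample_status() {
    printf 'Name:\tsshd\nUmask:\t0022\nState:\tS (sleeping)\n'
    printf 'Tgid:\t812\nPid:\t812\nPPid:\t1\n'
    printf 'Uid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n'
}

# status_field FIELD  (reads status text on stdin) -> value, tabs collapsed
status_field() {
    awk -F':' -v f="$1" '$1 == f {
        sub(/^[ \t]+/, "", $2); gsub(/\t/, " ", $2); print $2; exit
    }'
}

# The real UID is the first of the four Uid values (real, effective, saved,
# filesystem); it is what "ls -l /proc" shows as owner of the PID directory.
status_real_uid() {
    status_field Uid | awk '{ print $1 }'
}

# Constructed /proc/mounts line after "mount -o remount,hidepid=2 /proc"
SAMPLE_MOUNTS='proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0'

# proc_hidepid MOUNTS_LINE -> numeric hidepid (0 when the option is absent).
# Kernels 5.8+ also accept, and may display, the names
# off/noaccess/invisible/ptraceable, so both spellings are handled.
proc_hidepid() {
    printf '%s\n' "$1" | awk '$2 == "/proc" && $3 == "proc" {
        v = "0"
        n = split($4, o, ",")
        for (i = 1; i <= n; i++) {
            if (o[i] ~ /^hidepid=/) {
                sub(/^hidepid=/, "", o[i])
                if (o[i] == "off") o[i] = "0"
                else if (o[i] == "noaccess") o[i] = "1"
                else if (o[i] == "invisible") o[i] = "2"
                else if (o[i] == "ptraceable") o[i] = "4"
                v = o[i]
            }
        }
        print v; exit
    }'
}

# Succeeds when /proc hides other users' processes (hidepid=2 or stronger),
# i.e. the state the lab observes in herzing's session after the remount.
proc_hides_others() {
    h=$(proc_hidepid "$1")
    [ -n "$h" ] && [ "$h" -ge 2 ]
}

# Stand-alone run on the samples (reads nothing from the host)
sample_status | status_field Name     # sshd
sample_status | status_real_uid       # 0
proc_hidepid "$SAMPLE_MOUNTS"         # 2
```

On a live system the same functions take `cat /proc/PID/status` and `grep ' /proc ' /proc/mounts` as input; hidepid=1 only blocks entering other users' PID directories, while hidepid=2 also removes them from the listing, which is the difference between "permission denied" and the processes simply not appearing.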
11. Remount it again with hidepid=0, so you get back to the original options. Then, still as
root, list the properties of the webserver Apache2 by executing “systemctl show
apache2”. What is the value of the property MemoryLimit? What does it mean?
mount -o remount,hidepid=0 /proc
systemctl show apache2
- It means that the property represents the maximum amount of memory that the Apache2 service
can use. It specifies a memory limit for the service.
12. We are going to set a limit on Apache2 of 1% the total RAM for the system. Execute
“systemctl set-property apache2 PROPERTY=VALUE” with the appropriate
property and value. Then, use grep to filter this property in the list.
systemctl set-property apache2 MemoryLimit=1%
# use grep to filter and display this property
systemctl show apache2 | grep MemoryLimit
13. A file, shown in the list of properties, has been created under /etc/systemd. Show its
content and explain what the number is.
cat /etc/systemd/system/apache2.service.d/your-file-name.conf
- The number represents the memory limit set for the Apache2 service.
14. Set a memory usage of 1MB for Apache2, which would be ridiculous in a real-world
scenario and has only an educational purpose here. Explain what happens.
systemctl set-property apache2 MemoryLimit=1M
- This limit is too low, and Apache2 may not function properly or may crash due to insufficient
memory. This is for educational purposes to illustrate the impact of low memory limits.
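Steps 11 to 14 set a limit as a percentage, read it back in bytes, and then set one that is too small to run anything. The following is an added example, not part of the lab or of systemd: it turns "1% of RAM" into bytes from a constructed /proc/meminfo, compares that with a constructed `systemctl show` excerpt (with a small tolerance, since systemd resolves the percentage against physical RAM and rounds to a page), reads the number out of a constructed drop-in like the one step 13 finds, and flags a limit below an assumed floor. Property names follow the lab (MemoryLimit); on a cgroup v2 host systemd reports the equivalent MemoryMax.

```shell
#!/bin/sh
# Added example (not part of the lab): verify that the memory limit systemd
# reports for a service matches an intended policy ("1% of RAM") and flag a
# limit too small for the service to run. All inputs are constructed samples.

# Constructed /proc/meminfo excerpt for a 1 GiB machine
SAMPLE_MEMINFO='MemTotal:        1048576 kB
MemFree:          262144 kB'

# Constructed "systemctl show apache2" excerpts (values in bytes)
SAMPLE_SHOW_1PCT='Id=apache2.service
MemoryLimit=10735616
MemoryMax=10735616'
SAMPLE_SHOW_1M='Id=apache2.service
MemoryLimit=1048576
MemoryMax=1048576'

# Constructed drop-in of the kind set-property writes under /etc/systemd;
# the number is the resolved limit in bytes
SAMPLE_DROPIN='[Service]
MemoryLimit=10735616'

# show_property SHOW_TEXT NAME -> value of the NAME=... line
show_property() {
    printf '%s\n' "$1" | awk -v p="$2" \
        'index($0, p "=") == 1 { print substr($0, length(p) + 2); exit }'
}

# percent_of_ram_bytes MEMINFO_TEXT PERCENT -> integer bytes
percent_of_ram_bytes() {
    kb=$(printf '%s\n' "$1" | awk '$1 == "MemTotal:" { print $2; exit }')
    echo $(( kb * 1024 * $2 / 100 ))
}

# limit_matches_policy SHOW_TEXT MEMINFO_TEXT PERCENT TOLERANCE_BYTES
# systemd resolves the percentage against physical RAM and rounds down to a
# page, so a small tolerance is allowed instead of demanding exact equality.
limit_matches_policy() {
    actual=$(show_property "$1" MemoryLimit)
    [ -n "$actual" ] && [ "$actual" != infinity ] || return 1
    expected=$(percent_of_ram_bytes "$2" "$3")
    diff=$(( actual - expected ))
    [ "$diff" -lt 0 ] && diff=$(( -diff ))
    [ "$diff" -le "$4" ]
}

# limit_at_least SHOW_TEXT FLOOR_BYTES -> success unless the limit is below
# FLOOR. FLOOR is an assumed per-service minimum; 1 MiB as in step 14 fails
# any realistic floor, which is why the service cannot run.
limit_at_least() {
    actual=$(show_property "$1" MemoryLimit)
    [ "$actual" = infinity ] && return 0
    [ -n "$actual" ] && [ "$actual" -ge "$2" ]
}

# dropin_property DROPIN_TEXT NAME -> value from the [Service] section
dropin_property() {
    printf '%s\n' "$1" | awk -v p="$2" '
        /^\[/ { in_service = ($0 == "[Service]"); next }
        in_service && index($0, p "=") == 1 { print substr($0, length(p) + 2); exit }'
}

# Integer MiB for reports
to_mib() { echo $(( $1 / 1048576 )); }

# Stand-alone run on the samples
percent_of_ram_bytes "$SAMPLE_MEMINFO" 1          # 10737418
to_mib "$(dropin_property "$SAMPLE_DROPIN" MemoryLimit)"   # 10
```

Run against a real host, `systemctl show apache2` and `cat /proc/meminfo` replace the two sample strings; a mismatch means someone changed the limit (or the host's RAM changed under a percentage-based policy), and a floor failure is the 1 MiB case from step 14 caught before the service is restarted.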
15. Explain a use case for memory and CPU limits for certain processes.
Containerization: In container environments like Docker or Kubernetes, memory and CPU limits
ensure that containers do not consume excessive resources, allowing for better resource allocation
and isolation between containers.
Multi-tenancy: In shared hosting environments or cloud services, resource limits prevent one user or
application from monopolizing server resources, ensuring fair usage and performance for all users.
Fault tolerance: Resource limits can help prevent a single misbehaving process from causing
system-wide resource exhaustion, which could lead to crashes or instability.
Quality of Service (QoS): Resource limits can be used to enforce QoS policies, ensuring that critical
applications always have the necessary resources to operate efficiently.
Security: Resource limits can also be used for security purposes, preventing malicious or
compromised processes from consuming excessive resources and disrupting the system or other
applications.
Part C: AppArmor
Tutorial: https://debian-handbook.info/browse/stable/sect.apparmor.html
Reference: https://ubuntu.com/server/docs/security-apparmor
16. Working as root, execute “aa-status | grep profiles”. How many profiles are loaded
and how many of them are being actively used by processes?
aa-status | grep profiles
This command will display information about the loaded AppArmor profiles. The output will
indicate the number of profiles loaded and how many of them are actively being used by processes.
17. Move to /etc/apparmor.d and check the profile for the traceroute command. The
process traceroute has some permissions over the file traceroute.db. What
permissions? What do they mean collectively?
cd /etc/apparmor.d
cat traceroute
In the profile for traceroute, you should find permissions related to the traceroute.db file. The
permissions will specify what actions the traceroute command is allowed to perform on that file.
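Step 16 reads counts out of `aa-status`, and step 17 reads a file rule out of a profile. The following is an added example, not part of the lab, of AppArmor, or of the real traceroute profile: it pulls the numbers from a constructed aa-status listing, extracts the permission string for a path and the mode (enforce or complain) from a constructed profile, and spells out what each mode letter means. The profile, its executable /usr/sbin/example and the path /var/lib/example/example.db are made up for the sample.

```shell
#!/bin/sh
# Added example (not part of the lab): parse the counts from aa-status output,
# read the permission string a profile grants on a path, and decode the mode
# letters. Both inputs are constructed samples, not real profiles.

SAMPLE_AA_STATUS='apparmor module is loaded.
12 profiles are loaded.
10 profiles are in enforce mode.
2 profiles are in complain mode.
3 processes have profiles defined.
3 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.'

SAMPLE_PROFILE='#include <tunables/global>

/usr/sbin/example flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_raw,
  network inet raw,

  /usr/sbin/example mr,
  /var/lib/example/example.db rw,
  /etc/example.conf r,
}'

# aa_count STATUS_TEXT PHRASE -> leading number of the line containing PHRASE,
# e.g. "profiles are loaded" or "processes have profiles defined"
aa_count() {
    printf '%s\n' "$1" | awk -v p="$2" 'index($0, p) { print $1; exit }'
}

# aa_perms_for_path PROFILE_TEXT PATH -> permission string of that file rule
# (file rules end with a comma; the profile header line does not)
aa_perms_for_path() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 == p && /,$/ { sub(/,$/, "", $2); print $2; exit }'
}

# aa_profile_mode PROFILE_TEXT -> "complain" or "enforce", from the header flags
aa_profile_mode() {
    printf '%s\n' "$1" | awk '/^\/.*\{[ \t]*$/ {
        print ($0 ~ /flags=\(complain\)/) ? "complain" : "enforce"; exit }'
}

# aa_explain_perms PERMS -> one line per mode letter
aa_explain_perms() {
    s=$1
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}; s=${s#?}
        case $c in
            r) echo "r: read" ;;
            w) echo "w: write (create, modify, delete)" ;;
            a) echo "a: append only" ;;
            k) echo "k: file locking" ;;
            l) echo "l: create hard links" ;;
            m) echo "m: map into memory as executable" ;;
            x) echo "x: execute" ;;
            i|p|u|c|P|U|C) echo "$c: execute-transition qualifier (inherit / own profile / unconfined / child)" ;;
            *) echo "$c: unknown mode letter" ;;
        esac
    done
}

# Stand-alone run on the samples
aa_count "$SAMPLE_AA_STATUS" 'profiles are loaded'               # 12
aa_count "$SAMPLE_AA_STATUS" 'processes have profiles defined'   # 3
aa_perms_for_path "$SAMPLE_PROFILE" /var/lib/example/example.db  # rw
aa_profile_mode "$SAMPLE_PROFILE"                                # complain
aa_explain_perms "$(aa_perms_for_path "$SAMPLE_PROFILE" /var/lib/example/example.db)"
```

Fed the real `aa-status` output and `cat /etc/apparmor.d/<profile>`, the same functions answer steps 16 and 17 directly: a permission string such as rw on a path means the confined process may both read and modify that file and nothing else about it, and the header flags tell you whether a violation would be blocked (enforce) or only logged (complain), which is the distinction step 18 asks about.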
18. What are the two main modes a profile can have?
AppArmor profiles can have two main modes:
Enforce Mode: In this mode, the AppArmor security policies are actively enforced. Processes
running with an AppArmor profile in enforce mode will be restricted to the permissions defined in
the profile. If a process attempts to perform an action not allowed by the profile, it will be denied,
and an audit log entry will be generated.
Complain Mode: In this mode, AppArmor profiles act as a monitoring tool. Security policy
violations are logged, but the actions are not blocked. This mode is useful for profiling and
identifying what permissions a process needs before switching it to enforce mode.
19. What command would you use to enforce the profile for /usr/sbin/traceroute?
aa-enforce /usr/sbin/traceroute
This command will switch the traceroute profile to enforce mode, ensuring that it is actively
enforced for the specified executable.
20. Check the permissions that the Samba smbd daemon has in AppArmor. What can the
daemon do with home directories?
aa-status | grep smbd
The output will display the AppArmor profiles associated with the smbd daemon, including the
permissions and rules that specify what the daemon can do with home directories and other
resources. You can review the specific permissions and actions allowed for smbd in its AppArmor
profiles.