Secure System Administration - SANS GIAC
© 2000, 2001
Securing and Auditing Unix
Examples tested on a Red Hat Linux 6.1 (Hedwig) build
Welcome to Unix and Linux. Security for these operating systems is a complete paradigm shift from
Windows. Unix has been around a lot longer, and the source code for Linux is freely available, so
would-be attackers are free to examine it and test it for holes such as buffer overflows and deadlock
conditions.
Linux is different from Unix. Has the source code been available for Unix? Certainly: you used to
be able to license source for both the AT&T and BSD versions of Unix. It is rumored the Sun source
code was stolen once via a workstation with a modem connection.
This means that we are dealing with a lot more “knowns” than with Windows. Well, at least that
was true until October 2000, when critical Microsoft source code was stolen. From now on the rules of
the game are “who knows the most wins”.
Let’s start our discussion with the notion of a firm foundation. Nothing is certain, but if we can start
with a clean build we have a better chance of ending up with a secure system.
A Clean Build is a Happy Build
• Load from CD
• Load from Net
• Load from another system??????
• Load from tape??????
Windows loads from CDs. They are licensed and controlled. Though it is possible there could be a
compromised version, it is unlikely. The initial load of Unix can be a whole new ballgame.
Many Unix systems make it easy to clone a system from an existing system. You plug in your
Ethernet cable, power on the system, and the new computer looks for a system to boot from. This is
great…unless the system you boot from is already compromised. The same thing goes for backup
tapes. This is a big problem in incident handling. How do you know you are loading from a clean
operating system?
For Linux, it is possible to load from an Internet site, but in general, it is best to load from the
CD-ROM. If you start out compromised, you may never get control. So we send a pristine system out
into the cold, cruel world. If it is compromised, or we suspect it is compromised, what do we do? In
this section we will learn commands to evaluate Unix systems, but if source code has been available,
attackers can replace system commands with theirs. We’ll also cover some basic ways you can make
it more difficult for the attacker to compromise the system, as well as some tools you can use to aid
in detection and recovery.
Oh yes, Unix and Linux have the equivalent of Service Packs and hotfixes – they are called patches
and it is important to keep track of the patch status for these computers as well. Plan on needing to
do an update at least quarterly – more frequently as advisories get issued.
The Basics
• Startup: boot, rc, inetd.conf
• Similarities
• Differences
• Some basic commands
Just as we’ve seen with other operating systems, Unix and Linux have an orderly start-up sequence.
Much of what gets the computer going can be found in the “rc” (run command) files in the /etc
directory and the inetd.conf file (also located in /etc). The inetd.conf file is the Internet
Daemon configuration file that specifies which daemons are accessible via the network (such as
telnetd, ftpd, etc.). Other daemons, such as email (smtpd), get started at boot-up.
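Because every uncommented line in inetd.conf is a network service that an attacker can reach, the first audit step is simply to see which entries are live. The following POSIX shell script is an added example, not part of the course text: it writes a constructed inetd.conf-style file, lists the enabled entries, and counts how many run as root. It assumes the classic column layout (service, socket type, protocol, wait/nowait, user, server program, arguments).

```shell
#!/bin/sh
# Added example, not part of the SANS course text: report which network
# services an inetd.conf actually enables. The sample file is constructed
# here; the column layout assumed is the classic one:
#   service  socket-type  protocol  wait/nowait  user  server-program  args

# Write a constructed inetd.conf-style file to a temp file; print its path.
make_sample_inetd_conf() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample inetd.conf (not a real system's file)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
#login  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
#tftp   dgram   udp     wait    root    /usr/sbin/tcpd  in.tftpd
EOF
    printf '%s\n' "$f"
}

# Print "service user program" for every enabled (uncommented) entry.
# Comment lines have "#" as the first character of field 1; blank lines
# have no fields at all, so both are skipped.
enabled_inetd_services() {
    awk '$1 !~ /^#/ && NF >= 6 { print $1, $5, $6 }' "$1"
}

# Count the enabled entries that run as root: those deserve the closest
# review, since a flaw in such a daemon is exploitable with root privilege.
count_root_inetd_services() {
    enabled_inetd_services "$1" | awk '$2 == "root"' | wc -l | tr -d ' '
}

# Stand-alone run: build the sample, report, and clean up.
conf=$(make_sample_inetd_conf)
echo "Enabled inetd services:"
enabled_inetd_services "$conf"
echo "Of these, running as root: $(count_root_inetd_services "$conf")"
rm -f "$conf"
```

On a real system you would point enabled_inetd_services at /etc/inetd.conf; any service you do not recognise or do not need is a candidate for commenting out, and the root-owned ones are the first to question.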
This is a good time to review some similarities and differences between MS-DOS (as would be used
in a DOS command window in Microsoft Windows) and Unix commands and conventions. For
example, the directories in a DOS path are separated by a “ \ ” (backslash); those in Unix are
separated by a “ / ” (forward slash). In DOS, file names are case-INsensitive while in Unix they are
case-sensitive. The “ . ” character is used as a separator between the file name and extension in
DOS, but that syntax does not have the same context in Unix (older DOS allows only one “ . ”; Unix
permits more than one).
Both operating systems support the concept of a “pipe” (the vertical bar | ) that can be used to
‘connect’ commands, such as type file.txt | more (DOS) to show the file named
file.txt one screen at a time.
Both operating systems support the use of “ * ” as a wild card character.
Regarding floppy disks, DOS (and Windows) use a: to refer to the first floppy disk drive in the
system while Unix treats everything as a file and uses a name such as /dev/fd0 to refer to the
floppy disk.
In general, Unix command equivalents have broader functionality than their DOS cousins. This is
somewhat of an oversimplification, but it will meet our needs for this introductory module. You
need to be familiar with basic Unix commands to be ready for Security Essentials where you will
gain the fundamental skills to enable you to handle an incident involving a Unix system.
More Basics
• List files: ls -lart
• Show the file on the screen: cat, more
• Display system processes: ps -ef, ps -ax, ps -ewf
• Display network information:
netstat -a
• Verify a system file is not corrupt
rpm -V filename (no news is good news)
Every Unix variant is different and many of the commands listed have multiple options. We
encourage you to become familiar with the operating systems that are used in your organization. A
recommended practice is to print the man (manual) pages ahead of time for each OS to create a
reference notebook. If you are having trouble printing the man pages, you might find some variation
of “nroff -man filename | lp” (meaning: new runoff, manual macros, <filename of manual page>,
pipe to line printer) helpful. To determine the exact syntax to print the man pages using nroff,
type man nroff.
Use a highlighter for the options you feel may help you meet your needs. Sometimes man pages
may be a bit cryptic so you may want to test these commands ahead of time and write in examples
with the options that work. Some of these will be a review for you, but we will go quickly. ls for
Unix is like dir for Windows, ls -lart lists all files, hidden or not, in time order, with the most
recent change on the bottom and is very helpful.
We can use the cat (for concatenate) command to view the contents of a file on the screen. For
example cat /etc/passwd will display to standard output (the screen) the contents of the file
passwd in the /etc directory.
The ps (for process status) command lists active processes: ps without any options lists the
processes that are yours. The options needed to list ALL processes running vary by operating
system; learn what works on yours. Commonly ps -ax and ps -ef will work.
netstat will display network connections, routing tables, interface statistics, masquerade
connections, netlink messages, and multicast memberships.
For Linux, the Red Hat Package Manager (RPM) can verify that a file has not been modified or
compromised with the -V (verify) option.
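“No news is good news” is only half the story: when rpm -V does print something, you need to read the flag string. As an added example (not part of the course text), the POSIX shell script below triages rpm -V output. It assumes the 8-column flag layout of rpm 3.x on Red Hat 6.x (S size, M mode, 5 MD5 digest, D device, L symlink, U user, G group, T mtime), followed by an attribute column where “c” marks a config file, then the path; a line beginning “missing” means the file is gone. The sample output it triages is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not part of the SANS course text: triage "rpm -V" output.
# Assumes the rpm 3.x verify line format:  FLAGS ATTR PATH
#   FLAGS = 8 columns "SM5DLUGT", "." where the attribute matches
#   ATTR  = "c" for a config file, blank otherwise
#   a line starting with "missing" means the file is absent

# Constructed sample of what "rpm -Va" might print (not real output).
sample_rpm_verify_output() {
    cat <<'EOF'
S.5....T c /etc/inetd.conf
.M......   /bin/ps
S.5....T   /bin/login
.....UG.   /usr/sbin/in.telnetd
missing    /usr/bin/last
EOF
}

# Turn a flag string such as "S.5....T" into "size,md5,mtime".
decode_rpm_flags() {
    flags=$1
    out=""
    case $flags in *S*) out="$out,size";;   esac
    case $flags in *M*) out="$out,mode";;   esac
    case $flags in *5*) out="$out,md5";;    esac
    case $flags in *D*) out="$out,device";; esac
    case $flags in *L*) out="$out,link";;   esac
    case $flags in *U*) out="$out,user";;   esac
    case $flags in *G*) out="$out,group";;  esac
    case $flags in *T*) out="$out,mtime";;  esac
    printf '%s\n' "${out#,}"
}

# Read rpm -V lines on stdin and print one triage line each:
#   MISSING <path>                      file has been removed
#   ALERT   <path> (<changes>)          non-config file whose content, mode
#                                       or ownership changed: a replaced
#                                       binary looks exactly like this
#   NOTE    <path> (<changes>)          anything else (edited config files,
#                                       timestamp-only differences)
triage_rpm_verify() {
    while read -r flags attr rest; do
        if [ "$attr" = "c" ]; then
            path=$rest; isconf=1
        else
            path=$attr; isconf=0     # no attribute column: path was read into attr
        fi
        if [ "$flags" = "missing" ]; then
            echo "MISSING $path"
            continue
        fi
        changes=$(decode_rpm_flags "$flags")
        if [ "$isconf" -eq 0 ]; then
            case $flags in
                *5*|*M*|*U*|*G*) echo "ALERT $path ($changes)"; continue;;
            esac
        fi
        echo "NOTE $path ($changes)"
    done
}

# Count ALERT lines for the input on stdin.
count_rpm_alerts() {
    triage_rpm_verify | grep -c '^ALERT'
}

# Stand-alone run over the constructed sample.
sample_rpm_verify_output | triage_rpm_verify
echo "alerts: $(sample_rpm_verify_output | count_rpm_alerts)"
```

The one caveat a practitioner must remember: rpm compares against its own database, and both rpm and the database live on the suspect disk. A changed /bin/ps or /bin/login in the ALERT list is a strong signal, but a clean report from a possibly compromised host is not proof, which is why the course stresses starting from a known-clean build.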
Still More Basics
• Rename or move a file:
mv
• Copy a file:
cp
• Looking for text in a “binary” file:
strings
• Examine the bits:
od, od -x
• Are these two files the same?
diff
The tools on this slide help you manipulate and inspect files. mv moves a file from one
place to another, so it is similar to ren (rename). mv a.txt b.txt would rename a.txt to
b.txt in the same way ren a.txt b.txt would in a Windows command prompt. However,
mv can also move whole directories, changing the name, the location, or both.
copy in Windows is similar to cp in Unix, but there are a number of powerful options. One to
know is cp -p (for preserve the date). If you want to edit a system file it is a good idea to make a
backup file. For instance, if you edit the Internet Daemon configuration file, inetd.conf, you
might first:
cp -p inetd.conf inetd.conf.22OCT00
This will preserve the file’s date, so if you list the /etc directory with ls -lart the original file’s
age will be preserved and the edited file will be obvious.
The strings command will print the displayable ASCII strings of printable characters in files. For
each file given, strings prints the printable character sequences that are at least 4 characters long
and are followed by an unprintable character. By default, it only prints the strings from the
initialized and loaded sections of object files; for other types of files, it prints the strings from the
whole file.
od (octal dump) dumps (lists) the file in binary mode; od -h and od -x will each dump a file in
hex.
diff displays the differences between two files and is the programmer’s friend.
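Putting cp -p and diff together gives the edit-a-system-file routine the slide describes: back up with the timestamp preserved, make the change, then let diff show exactly what moved. The POSIX shell script below is an added example, not the course’s own code; it works on a constructed inetd.conf-style file in a temporary directory rather than on /etc, and the backup suffix 22OCT00 simply follows the naming used in the text.

```shell
#!/bin/sh
# Added example, not part of the SANS course text: the "cp -p, edit, diff"
# routine for a configuration file, run on a constructed sample in a temp
# directory so it is safe to execute anywhere.

# Create a constructed config file (inetd.conf layout) and print its path.
make_sample_config() {
    d=$(mktemp -d) || return 1
    printf '%s\n' \
        'ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a' \
        'telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd' \
        'finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd' \
        > "$d/inetd.conf"
    # Age the file (arbitrary date) so the backup's preserved timestamp is
    # visibly older than the edited original in an ls -lart listing.
    touch -t 200010220900 "$d/inetd.conf"
    printf '%s\n' "$d/inetd.conf"
}

# Copy FILE to FILE.SUFFIX with -p, so modification time and mode (and,
# when run as root, ownership) carry over to the backup. Prints the backup path.
backup_config() {
    file=$1; suffix=$2
    cp -p "$file" "$file.$suffix" && printf '%s\n' "$file.$suffix"
}

# Disable a service by commenting its line out: the typical hardening edit.
comment_out_service() {
    file=$1; svc=$2
    tmp="$file.tmp.$$"
    sed "s/^$svc[[:space:]]/#&/" "$file" > "$tmp" && mv "$tmp" "$file"
}

# Number of lines diff reports as changed between BACKUP and EDITED
# (each changed line appears once as "<" and once as ">").
count_changed_lines() {
    diff "$1" "$2" | grep -c '^[<>]'
}

# Stand-alone run: back up, disable finger, then show the listing and the diff.
cfg=$(make_sample_config)
bak=$(backup_config "$cfg" 22OCT00)
comment_out_service "$cfg" finger
echo "--- ls -lart: the backup keeps the old date, the edited file is newest"
ls -lart "$(dirname "$cfg")"
echo "--- diff backup edited"
diff "$bak" "$cfg" || true      # diff exits 1 when the files differ
```

The same diff, run later against a backup you know you made, is also a cheap integrity check for that one file: if lines you never touched have changed, someone else edited it.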