SCSC 455 Computer Security 2011 Spring
Chapter 3
User Security
Index
- Password security
- Pluggable Authentication Modules (PAM)
- User security utilities
- sudo utility
Access computer system
Users can access computer systems in two different ways:
- To use client software that connects to a server
  - Q: What is the client/server computing paradigm?
  - Q: What is a server?
  - The user’s access is limited to the functions performed by the service running on the server
- To log in as a user on the system
  - The user must have a valid user account
  - The user must enter a password corresponding to a user ID
Creating good passwords and keeping them secure is crucial
Creating good passwords
What are the good practices of creating passwords?
- Must be long enough (the length >= 8 characters)
- Include at least one number or symbol (@#$%^&*)
- Could include two or three words separated by symbols or numbers
- Using words that are foreign or altered so that they do not appear in a dictionary
- Using a series of numbers or a pattern of altered letters can make it easier to remember
Examples …
Attack on Passwords
- Attackers utilize social engineering to gain access to your system
  - Q: What is social engineering?
  - Examples …
- Attackers can also resort to a brute force attack
  - Q: What is a brute force attack?
  - All possible combinations are tried until one succeeds in guessing a password
How to protect passwords?
Protect passwords from social engineering
- Passwords must not be written down, especially not anywhere near the computer to which they provide access
- Passwords must be chosen carefully so they can be remembered without a written aid
- Passwords should not include easily guessed words or numbers
- Users should never tell anyone their password
Q: How to protect passwords from a brute force attack?
Linux Password files
- When a new user account is added to the system, a single line is added to the file /etc/passwd
  - Example …
- The actual encrypted password is stored in the file /etc/shadow
  - It can only be accessed by root
  - In Red Hat Linux, passwords are encrypted by MD5 by default
  - Example …
Q: Why use two files for passwords?
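An audit of the two files described on this slide, as an added example that is not part of the original slides. It reads passwd- and shadow-format files and reports hashes left in the passwd file, accounts with no password, MD5-crypt or DES-crypt hashes, and passwords that never expire. All accounts and hash strings are constructed placeholders.

```sh
#!/bin/sh
# Added example: audit passwd- and shadow-format files for weak password storage.
# Field layout: passwd = name:password:UID:GID:comment:home:shell
#               shadow = name:hash:last_change:min_age:max_age:warn:...

audit_accounts() {   # usage: audit_accounts PASSWD_FILE SHADOW_FILE
    awk -F: '
        FNR == NR {                       # first file: passwd format
            if ($2 != "x") print $1 ": password field not shadowed"
            next
        }
        $2 == ""      { print $1 ": no password set"; next }
        $2 ~ /^[!*]/  { next }            # locked or non-login account
        $2 ~ /^\$1\$/ { print $1 ": MD5-crypt hash" }
        $2 !~ /^\$/   { print $1 ": DES-crypt hash" }
        $5 == "" || $5 + 0 >= 99999 { print $1 ": password never expires" }
    ' "$1" "$2"
}

# Constructed sample data: invented accounts, placeholder salts and hashes.
demo_dir=$(mktemp -d)
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bob:x:500:500:Bob:/home/bob:/bin/bash
carol:x:501:501:Carol:/home/carol:/bin/bash
dave:PLACEHOLDERhash:502:502:Dave:/home/dave:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
EOF
cat > "$demo_dir/shadow" <<'EOF'
root:$6$PLACEHOLDERsalt$PLACEHOLDERhash:15000:0:90:7:::
bob:$1$PLACEHOLDERsalt$PLACEHOLDERhash:15000:0:99999:7:::
carol::15000:0:90:7:::
daemon:*:15000:0:99999:7:::
EOF

audit_accounts "$demo_dir/passwd" "$demo_dir/shadow"
```

On a real system the same function can be run as root with /etc/passwd and /etc/shadow as its two arguments; it only reads the files.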
Managing Linux Passwords
- Each user can change his/her password using the passwd utility, e.g. $ passwd
  - When this command is entered, the user is prompted to enter their current password, then their new password two times
  - The passwd utility performs a few basic checks on the entered password based on the configuration of Linux PAM modules.
- Root can change any user’s password, e.g. # passwd bob
Caution: you should NOT edit the /etc/passwd and /etc/shadow files directly in a text editor.
passwd command-line options
useradd command-line options for password control
Pluggable Authentication Modules
- The Pluggable Authentication Module (PAM) was developed by Sun Microsystems
- PAM is an architecture and set of libraries that let a programmer create a module to perform a specific security-related function
- System administrators can select, configure, and then use one or more PAM modules to control the PAM-aware Linux programs
- How to use PAM?
  - Select the modules necessary to control the activity of a program
  - List them in the program’s configuration file
(The details of PAM are not required in this course.)
Security utilities for users
- There are many security utilities that system administrators and users need to be aware of
  - Some of the security utilities are PAM controlled
  - Others are separate packages that you have to install and configure before using
- Security utilities for users (next few slides)
  - Utilities for console security
  - Utilities for login security
  - Utilities for file security
  - Utilities for monitoring user activities
Utilities for console security
- Screen locking programs disable keyboard input and hide the screen so that private information is neither visible nor accessible
  - vlock is used from a text console
  - xlock is employed from a graphical interface
- Linux desktops (Gnome and KDE) also have their own screensavers
Utilities for login security
- /etc/securetty file
  - The root user can only log in from terminals that are listed in the file /etc/securetty
  - By default this file contains only the virtual console terminals.
  - None of the network or other devices are listed, so root cannot log in from the network
- /etc/nologin file
  - If /etc/nologin exists, only root can log in
  - The contents of this file are displayed to any user who tries to log in
  - When this file is deleted, all users can log in again
SUID
- Set UID bit (SUID)
  - Executable files can have a special file permission set
  - SUID causes files to take on the permissions of the user who owns the file rather than the user who executed the file
  - Root can set SUID for a file: # chmod u+s
- Warning: Too many files with SUID is a great security risk; any user on the system could easily get root access.
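One way to keep the number of SUID files under review, as an added example that is not part of the original slides: list every file with the SUID bit set and report those missing from an administrator-approved baseline. The function names, the demo directory and the baseline file format (one absolute path per line) are assumptions made for this example.

```sh
#!/bin/sh
# Added example: list SUID executables and report any that are not in a
# reviewed baseline (one absolute path per line).

list_suid() {            # usage: list_suid DIR
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

unexpected_suid() {      # usage: unexpected_suid DIR BASELINE_FILE
    list_suid "$1" | grep -Fxv -f "$2" || true
}

# Constructed demo tree: three harmless files, two with the SUID bit set.
suid_dir=$(mktemp -d)
mkdir "$suid_dir/bin"
for f in passwd backup-tool report; do
    printf '#!/bin/sh\nexit 0\n' > "$suid_dir/bin/$f"
    chmod 755 "$suid_dir/bin/$f"
done
chmod u+s "$suid_dir/bin/passwd" "$suid_dir/bin/backup-tool"

# Baseline: the one SUID file the administrator has reviewed and accepted.
printf '%s\n' "$suid_dir/bin/passwd" > "$suid_dir/baseline"

echo "SUID files found:"; list_suid "$suid_dir"
echo "Not in baseline:";  unexpected_suid "$suid_dir" "$suid_dir/baseline"
```

Run against real directories as root and repeated after package installs or upgrades, the second function shows which SUID files appeared since the baseline was reviewed.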
Utilities for file security
- Linux file systems support a number of attributes that you can set on files
  - Notice that these attributes are different from file access control attributes (r, w, x)
- Examples …
Utilities for monitoring user activities
Linux includes a number of utilities for monitoring user activities
- who – list all of the users who are currently logged in on the system.
  - who am i (to see who you are logged in as)
- w – list all of the users who are currently logged in with their username, terminal, the command that the user is currently running, CPU time …
  - includes the remote location from which the user has logged in
Utilities for monitoring user activities
- mesg – enable or disable the ability of other users to send a message to your screen (by using utilities such as write, talk).
- dmesg – print the contents of the kernel ring buffer to the screen.
  - The kernel ring buffer is a memory area that holds messages generated by the kernel.
  - Use the dmesg utility to monitor all hardware-related messages
Utilities for monitoring user activities
last – display a history of user log-ins and log-outs, system reboot information
Examples …
Why do we need the “sudo” utility?
- Ans: If a server needs to be administered by a number of people, it is normally not a good idea for them all to use the root account.
  - It is difficult to determine exactly who did what, when and where if everyone logs in with the same credentials.
- The sudo utility was designed to overcome this difficulty.
Sudo
- Sudo lets you assign privileges to any user account to execute only specific programs.
  - The system administrators can complete common administration tasks without logging in as root or using su to become root
  - Examples …
- The /etc/sudoers configuration file determines which user can perform which task.
How does the sudo utility work?
- The basic format of a configuration line in /etc/sudoers:
  user host = command_list
- Example …
- Note that to edit the /etc/sudoers file, you must use the visudo program
The security concern of sudo utility
- The sudo utility can present security dangers if not properly configured
- A user should have exactly as much access as her job requires.
  - “need to know”
  - “least privilege”
- A malicious user will try to use access to a single command to gain access to other commands.
  - Example …
The security concern of sudo utility
- Many programs support shelling out.
  - Q: What is “shelling out”?
- The sudo utility cannot control it once the power is handed out.
- Conclusion: the system administrator must hand out sudo power carefully.
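A review aid for the "user host = command_list" lines and the shelling-out concern above, as an added example that is not part of the original slides. It flags entries that grant ALL commands and entries that grant a program from a watchlist without sudoers' NOEXEC tag. The watchlist contents, the function name and the sample users and hosts are assumptions, and only single-line entries are handled.

```sh
#!/bin/sh
# Added example: lint single-line "user host = command_list" sudoers entries.
# WATCHLIST is an assumption: a site-maintained list of programs known to
# support shelling out (pagers and editors are the usual entries).
WATCHLIST='/usr/bin/less /usr/bin/more /usr/bin/vi'

lint_sudoers() {         # usage: lint_sudoers FILE
    awk -v watch="$WATCHLIST" '
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) risky[w[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ || /^(Defaults|[A-Za-z]+_Alias)/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            split(substr($0, 1, eq - 1), lhs, " "); user = lhs[1]
            cmds = substr($0, eq + 1)
            gsub(/\([^)]*\)/, "", cmds)          # drop run-as specs such as (ALL)
            noexec = 0
            m = split(cmds, c, ",")
            for (i = 1; i <= m; i++) {
                if (c[i] ~ /NOEXEC:/) noexec = 1  # tags stay in force for later commands
                else if (c[i] ~ /EXEC:/) noexec = 0
                gsub(/[A-Z_]+:/, "", c[i])        # strip tags, keep the command
                split(c[i], word, " "); prog = word[1]
                if (prog == "ALL") print user ": may run ALL commands"
                else if ((prog in risky) && !noexec)
                    print user ": " prog " supports shelling out, NOEXEC not set"
            }
        }
    ' "$1"
}

# Constructed sample entries (invented users and hosts).
sudoers_sample=$(mktemp)
cat > "$sudoers_sample" <<'EOF'
# user   host = command_list
alice    ALL  = (ALL) ALL
bob      web1 = /usr/sbin/apachectl restart, /usr/bin/less /var/log/httpd/error_log
carol    web1 = NOEXEC: /usr/bin/less /var/log/httpd/error_log
dave     db1  = /sbin/shutdown -h now
EOF

lint_sudoers "$sudoers_sample"
```

The lint reads a copy of the file and never edits it; changes to /etc/sudoers itself still go through visudo.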