Archive
Posts in Security
Locating setuid and setgid files
One unnerving thing about UNIX Operating Systems is the number of setuid and setgid root binaries. These binaries run with root privileges, and are often the first binaries examined by individuals wishing to escalate privileges on a system. To keep tabs on setuid and setgid files, the following find(1) statement can be run periodically: This will find and sort all binaries with the setuid or setgid bit set. The output can be stored in a secure location, and periodically compared (with a trusted kernel and version of find) with the current set of binaries on a server…
PF's skip on interface directive
The OpenBSD packet filter (PF) received several enhancements in OpenBSD 3.7. One of the coolest things is the ability to tell PF not to filter traffic on specific interfaces, such as the loopback interface. This behavior is defined in the pf.conf configuration file with the "set skip on" statement: Prior to the "set skip on" option you had to explicitly allow traffic to flow with the following pass statements: This of course assumes a default policy of "block everything not explicitly allowed," which all firewalls SHOULD be using.
Generating random numbers
Randomness is a key element in cryptography (seeds and shared secrets) and TCP (ISNs), and can be useful when simulating client access patterns in test scripts. If an OS supports the /dev/random pseudo-device, the dd, od, and awk utilities can be used to generate random values: This will pipe a string of entropy to od, which will use od's type field to generate an unsigned random integer, which will then be piped into awk to print the second value in the string. You can also use openssl to generate entropy on a system: I am sure there are more efficient ways to do this, and would love to get feedback. :)
IP filter logging
In my previous post, I described how to set up IP filter to protect a desktop workstation. The IP filter policy allowed SSH connections, and dropped and logged all other inbound traffic. When a packet is dropped and logged, IP filter writes the packet headers to the /dev/ipl pseudo-device. This device is monitored by ipmon(1m), which is started by the IP filter initialization scripts…
Reading OpenBSD PF log entries in realtime
When the OpenBSD packet filter (PF) is configured to log traffic, each packet is logged to the OpenBSD "pflog" pseudo-device. This device can be queried with several tools, including tcpdump: If you are running a busy firewall, you are probably using pflogd to archive this information to a file on your FFS file system. I occasionally like to monitor pflog0 when I am testing new services, especially ones that don't play nicely with firewalls.