Lecture 5 - Permissions & Security
Advanced Packaging Tool - APT
- apt-get install <package>
- apt-get build-dep <package>
- auto-apt run <command_string>
- apt-get update
- apt-get upgrade
- dpkg-reconfigure <package>
- apt-get remove <package>
- apt-get purge <package>
Ubuntu Firewall (UFW)
Uncomplicated Firewall (UFW)
- ufw allow <port>
- ufw allow <port>/tcp
- ufw deny <port>
- ufw delete <original_rule>
- ufw allow <service_name>
- ufw allow from <ip_address> to <ip_address> port <port>
- iptables -A INPUT --dport <port> -j ACCEPT
- iptables -A INPUT -p tcp --dport <port> -j ACCEPT
- iptables -A INPUT -p tcp --dport <port> -j REJECT
- Must save and restore rules on restart
Trend Micro AntiVirus
- You work for an insurance company
- You receive a request to install unknown software on a system
- How do you ensure the software is safe to use?
- What are the risks?
- Verify the software comes from a well-known source
- Do they create other programs?
- Have they been reviewed?
- What does the company offer for support?
- Is there an active user community?
- Are there common problems reports in forums
- Can you request in-person help if major issues arise?
Company History & Coding
- Does the company have a history of software issues?
- Do they have proper coding practices in place (code reviews, secure processes, etc.)?
- Are they frequently issuing security fixes? (Is that a good thing or a bad thing?)
- Similar to Web Security certificates
- Allows publishers to verify that the software came from them
- Can be subverted if the root certificate is compromised
- Ex: Windows WQHL Drivers
- Many sites provide checksums for software that can be downloaded
- Verifying the checksum ensures that it hasn't been changed or corrupted
Data Storage & Access
- Where does the program store data?
- Is it encrypted or plain-text?
- What data does it request?
- How does it use the data?
- Once software is installed, it usually has full network access
- Use tools such as TCPView and netstat to monitor network connections
- Look for connections to random servers or large data throughput
- What data does it send through the network?
- Is the data encrypted or plain-text?
- What protocols and ports does it use?
Read License Agreement
- Read the license agreement; it may surprise you
- Make sure you understand EVERYTHING that it covers
- Acknowledge the rights you are giving away
- Test the software on a variety of systems
- Spend time testing (don't just install and review)
- Test on a variety of systems and configurations
- Roll out in stages in large organizations
- Install updates provided by the manufacturer
- Test updates before installing
- Monitor the system and report bugs
- Determines which users can read/write files
- Based on user and group memberships
- Helps prevent unwanted access to files
- Full Control - Can take ownership & change permissions
- Modify - Read/Write/Change/Delete
- Read & Execute
- List Folder Contents - Folders Only
- Read - Access files
- Write - Modify files
- 3 classes: User, Group, Others
- 3 rights:
- Read - Can read contents
- Write - Can create/modify/delete
- Execute - Can run programs/scripts
Modifying Ubuntu Permissions
- chmod - Change permissions
- chmod [class][op][mode] file/folder
- chmod [octal_mode] filename/folder
- chown - Change User/Group (sudo)
- chown [user]:[group] filename/folder
- chgrp - Change Group (must own file)
- chgrp [group] filename/folder
- R = 4, W = 2, X = 1
- Sum the numbers to get mode
- 660 = rw-rw----
- 644 = rw-r--r--
- 700 = rwx------
- chmod 644 <filename>
- Lab 1 - Secure Workstations - Due Sunday, Feb 9th by 12:30 PM
- Build secure Windows & Linux using VMWare Workstation
- Turn in:
- CIS Transient Storage
- via Storage Media in class Monday Feb 9th