One of the most daunting tasks of a system administrator is to find and remove all of those potentially dangerous binaries that get included in a default Linux distribution. There are plenty of lockdown guides that will tell you which binaries can be dangerous. There are even tools like Chef, Puppet and Fanout that can help you remove these binaries once they’ve been located. The real trick, however, is figuring out which of your servers have those binaries installed so you can take steps to properly lock them down. Luckily, Halo can assist you with this task.
First, let’s make sure we are all on the same page. When I say “potentially dangerous binaries”, I’m not talking about malware or rootkits. I’m talking about those binaries that can be extremely useful to a system or security administrator, yet can be dangerous if they fall into the hands of someone who has penetrated your system.
As an example, consider the Telnet binary. Telnet can be used to connect to a remote server, but it can also be used to scan for open TCP ports. Likewise tcpdump is a great tool for monitoring network traffic flow, but it can be leveraged by an attacker to pull sensitive information out of the payload of passing packets. So if the server in question is a Web, database or mail server, there is probably no need to leave these binaries on the server just waiting for an attacker to use them against you.
Of course there are some potentially dangerous binaries that we might actually use on a regular basis. For example Ping can be used by a system administrator to check connectivity, but it can also be leveraged by an attacker to map your network. You need to decide if connectivity testing warrants the slight increase in risk by leaving Ping on the system. Obviously the answer to this question will vary from environment to environment.
So let’s assume you’ve gone through the lockdown guides and made a list of the binaries you wish to find on your servers. You will also need to know where each binary normally lives on the system, because the check matches on the full path. If unsure, use the “which” command on a representative host. Keep in mind that “which” only searches the directories in your current PATH, so run it as root (or look in /sbin and /usr/sbin by hand) for administrative tools, and repeat it on each distribution you run, since install paths differ between distributions. For example:
~# which tcpdump
Next, log on to your Halo account. From the main menu, mouse over the “Policies” menu option. When the drop-down menu appears, click on the “Configuration Policies” menu item. This will bring you to the “My Configuration Policies” page. Click the “Add New Configuration Policy” button at the top of the screen. This will bring you to the “Add New Configuration Policy” screen shown in Figure 1.
Give the policy a descriptive name such as “Find Dangerous Binaries”. In the description field you can include more verbose information about the policy. Once this is complete, click the “Submit” button. This will bring you to the policy edit screen. Click the triangle next to the “System Configuration” item. Your screen should now appear similar to Figure 2.
When you click on the “Add a New Rule” link, the “New Rule” properties window will be displayed. Add an informative name and description for this rule, similar to what I have done in Figure 3.
Now click the “Add New Check” button. This will expand the window showing all of the possible types of checks Halo can perform. We want to click on the second item on the list, “File Presence”. Doing so will open the “File Presence Check” screen as shown in Figure 4.
Identify the full path to the file you wish to check for, and include any remedial information about what should be done when the file is found. Note that we want to leave the “Should not be present” radio button selected. This way the check will fail, and warn us, only if the binary is present on the system.
*TIP*: When the File Presence Check screen is yellow, you have not yet saved your changes. Clicking the “Save All” button will turn this screen to gray, identifying that your changes have been saved.
We can now click “Save All” to save our changes. If we wish to check for additional files, we can click the “Add New Check” button and repeat the last portion of this process. Once we are done, simply click on the “Servers” option in the main menu.
Identifying Which Servers to Check
Next we need to tell Halo which servers we wish to check with our new policy. From the “Servers” screen, click on the name of the group which contains the servers you wish to check. Clicking the group name will produce a new option titled “Edit Details”. Click this option.
When the “Edit Group Details” window appears, notice that the line titled “Configuration Policies” has a pull down option. Expand the pull down and select the name of the policy you just created. Your screen should now appear similar to Figure 5. Click the “Save” button.
We’re done! During the next server scan, Halo will check for each of the indicated binaries. If any of them are found, they will be clearly identified in the daily report. If we do not wish to wait for the next report cycle, we can always kick off a manual scan.
Note that this simple check should not be mistaken for a true forensic analysis. It matches on path alone: if a user renames a binary, moves it to a different directory, or copies a fresh one in under another name, the check will miss it. So while this check is useful as part of a general-purpose lockdown, we would need more stringent checks, ones that identify a binary by its contents (for example a file hash) rather than by its path, if we are attempting to analyze a system that is known to be compromised.
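To make the two ideas above concrete, here is an added example, my own POSIX shell script rather than code from the article or from Halo. It does the same path-presence check the Halo “File Presence” rule performs (the list of full paths you built with “which” earlier), and then the stronger content check that catches a renamed or relocated copy: it hashes every regular file under a root and matches the hashes against those of the binaries you care about. The function names, the sample file tree it builds under a temporary directory, and the fake file contents are all constructed for the demo; on a live host you would pass “” as the root and real hashes taken from the real binaries.

```shell
#!/bin/sh
# Added example (not part of the original article or of Halo): find
# "dangerous" binaries on a host by expected path, and, for the case the
# article warns about (a renamed or relocated copy), by SHA-256 of the
# file contents. Function names and the sample tree are constructed.

# Hash one file with whichever SHA-256 tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Path check (what the Halo "File Presence" rule does): print each expected
# path that exists under ROOT. ROOT is "" on a live host; a temp dir here.
present_by_path() {
    root=$1; shift
    for p in "$@"; do
        if [ -e "$root$p" ]; then
            echo "$root$p"
        fi
    done
}

# Content check: walk ROOT and print every regular file whose SHA-256
# matches one of the known hashes, whatever its name or directory.
present_by_hash() {
    root=$1; shift
    find "$root" -type f -print | while IFS= read -r f; do
        h=$(sha256_of "$f")
        for known in "$@"; do
            if [ "$h" = "$known" ]; then
                echo "$f"
            fi
        done
    done
}

# Constructed sample tree standing in for a server's filesystem: a tcpdump
# at its usual path, a renamed copy hidden elsewhere, and ping. Prints root.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/usr/bin" "$dir/opt/tools"
    printf 'constructed fake tcpdump\n' > "$dir/usr/bin/tcpdump"
    printf 'constructed fake tcpdump\n' > "$dir/opt/tools/td"
    printf 'constructed fake ping\n'    > "$dir/usr/bin/ping"
    chmod 755 "$dir/usr/bin/tcpdump" "$dir/opt/tools/td" "$dir/usr/bin/ping"
    echo "$dir"
}

# Run both checks against the sample tree and show the difference.
demo() {
    root=$(make_sample_tree)
    echo "== by path (misses the renamed copy) =="
    present_by_path "$root" /usr/bin/tcpdump /usr/bin/telnet /usr/bin/ping
    echo "== by hash (finds it) =="
    present_by_hash "$root" "$(sha256_of "$root/usr/bin/tcpdump")"
    rm -rf "$root"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it as `sh find_binaries.sh --demo`: the path check reports /usr/bin/tcpdump and /usr/bin/ping (telnet is absent from the sample tree), while the hash check reports both the real tcpdump path and the renamed copy at /opt/tools/td. Hashing every file on a busy server is slow, so in practice you would restrict the `find` to directories where executables are plausible, but the point stands: a check keyed on content survives a rename, a check keyed on path does not.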