Please raise your hand if you're hung over. Thank you. Please raise your hand if you wish you were hung over. Okay, thanks. This is DEF CON, baby.

Okay, so I'm gonna talk to you about locking down OS X. I've got an OS X machine. I'm only projecting; I've got two laptops, but one of them is on both projectors, so we're gonna primarily stay on the slides and I'll demo as we have time and energy and desire. You guys can indicate desire by shouting at me, yelling at me; don't throw things, because I know you will. But I'll tell you about basically locking down OS X.

I got a nice little OS X machine a while ago and started playing around with that and said, you know, it'd really be nice to have a machine that might, I don't know, run Word or something like that, or maybe I could lend it to my girlfriend and she'd, like, not break it. Still be easy to use, not the Linux box, but at the same time wouldn't break itself Windows-style, just, you know, crashing every six to twelve hours like clockwork. So I got one of these things and tried it out, and the first thing I did was lock it down. And you'll see basically my experience in locking it down right here.

Okay, so what I'm going to talk to you about is first auditing the operating system and then locking the sucker down, and I'll tell you about how we've made Bastille Linux do some of this automatically for you.

Okay, so what do you get in one hour of lockdown? Well, you don't get something massively complete, but you do get something probably safe enough to bring to DEF CON, provided you don't want to, like, use it as a web server; you want to use it as a laptop. Okay, so what are we going to do?
Basically, in terms of quick lockdown pre-DEF CON (and I understand this is post-DEF CON, but, you know, you still got a good six hours or so to get hacked here), what would you be doing? One is that you would stop somebody from coming and booting your laptop in single-user mode, starting out as root, changing all your passwords, copying all your data and then deleting the drive if they feel like it. Okay, that's called boot security.

The next thing you do is what's called a daemon audit, the network daemon audit. That's where you're turning off network daemons in general, and programs in general, that you're not using that could turn out to be vulnerable later on and get your laptop hacked.

Okay, other things you might look at, and I'll tell you about these if we've got time: a set-UID audit. So you're looking at the programs on the system that an ordinary user can run where it runs as root, where it gives them root privilege for a specific operation. That's things like changing your password. We'll talk about cron jobs, all the shit that runs automatically for you. And then actually talk about the last bit of stuff that you don't have time for in one hour, which is actually going and taking daemons that are on the box, like a web server, like a DNS server, and going and configuring it for better security. That's what you do in a lockdown if you want to do something very complete and comprehensive.

Okay, so OS X. OS X seems to kind of be a hodgepodge of things to me. I like it, it's useful. It feels like it's got this whole little FreeBSD infrastructure, it's got this whole Mach kernel going on. Basically it feels BSD-y, NeXT-y to me. On the other hand, it's got some weird NeXT stuff thrown in, and that seems to be because Apple bought NeXT and brought Steve Jobs, and he was like, "Hi, we made some stuff. Can we put it in?"
So you'll see that as we go through. Okay, the thing you need to understand for the first part, in terms of how any kiddie here is, you know, if you leave them with your laptop for 30 seconds, rooting your laptop, is to understand how the boot process works.

Okay, so basically what goes on is you've got your machine and you turn it on and you've got a bootloader. Okay, that's like your BIOS on a PC machine. Sorry, you've got a hardware loader, that's whatever: EEPROM on Sun, BIOS on Intel machines. That starts a bootloader that starts your kernel. Your kernel on this thing is Mach, and what Mach starts is a process called mach_init. Everyone know what init is? Raise your hand if you know what an init is. Yes, mostly all the way. Okay, cool.

So mach_init is this weird little process. We're all used to, like, the kernel starting init and that just being it. Well, Apple's like making things a little weird, so the kernel starts mach_init, and mach_init actually goes and starts init. And it's that process we're all used to being the first one, or at least it's number one, and all the other stuff on the system gets started by init. So the way that works here is init starts, runs a script called rc.boot and a script called rc. rc.boot's important for single-user mode; we can take a look at it. rc actually goes and runs a program called SystemStarter, and I'll show you that. SystemStarter is OS X's version of rc scripts. It's the rc3, rc4, rc5 type stuff from SysV, or, you know, the standard rc scripts from BSD. Anyway, let's take a look at it.

What I would do with my Apple laptop, if it was up here and you wanted me to and we had lots of time, would be to hold down that key, the one in your slides, that little square box.
That's an Open Apple. Okay, if you take this system and it's turned off and you hold down Open Apple-S and you turn it on, your system boots directly into single-user mode. Okay, this is, you know, if you've forgotten your root password, this is the number one way to get it. If you find somebody's OS X system sitting on a table, you know, maybe you're at Root Fu and somebody goes off and runs to the bathroom, like, "Hey, watch my laptop." You're like, "Sure." Okay, Open Apple-S, boom, single-user mode, change passwords, create yourself an account, you know, let the thing boot up normally. Your buddy gets back, and it's probably all done in, yeah, two minutes or so.

Okay, so this Open Apple-S thing, that's not as much fun as you'd think if you're the guy who actually went to the bathroom. So if you're the guy who went to the bathroom, what you'd want to do ahead of time was change this rc.boot script to require some kind of authentication before it just lets boot continue.

By the way, if you think this is kind of like a weird little Apple thing, a lot of operating systems do this. Red Hat's been doing this for years: if you start up a machine and type "linux single", okay, you know, you're at the LILO prompt, you're at the GRUB prompt, type "linux single" and, poof, it drops you through to single-user mode. Same basic thing: an operating system vendor thinks this might be a useful way to handle those calls when somebody calls and says, "I lost my root password. What do I do?"

Can you all hear me back there? I'm a little hoarse. In the back, you can hear? Yes. Okay, cool. So what can you do?
There is, for those of you who've got a machine in the room, something to test: there is an /etc/ttys file, and in the /etc/ttys file you can find the console line and change it from "insecure" to "secure", and theoretically, from what the documentation says, that should fix this; that should make single-user mode inaccessible by that method. On my build that has not worked, and so I went googling, and what did I find? I found somebody wrote this script called SecureIt, and what SecureIt does is you run this thing's install program and it inserts a little thing into rc.boot that says: if this is a single-user boot, then run a program called password.pl, which is a Perl script, and that Perl script basically is just going to check a password. If you've got the right password, then you're allowed through, and if you don't, it forces a reboot.

Okay, so basically the way password.pl works is, when you install this it asks you for a password. You give it a password. This should not be your root password; it should just be an independent password. It goes and crypts the password and stores it, and then whenever someone tries to boot in single-user mode it asks for that boot password. Okay, let's call it your SecureIt password. And so if you type the right one, you're in, and if you don't, it reboots.

Okay, there's another thing you could do, and I really don't like this so much, but I did find this when I was googling: you can actually replace your entire kernel with one that doesn't boot in single-user mode at all. Okay, I haven't checked this out.
My guess is it basically skips rc.boot entirely. Okay, go for it if you want to. My problem is that, you know, I have to be a sysadmin sometimes, and having my first hardware failure come up and finding that single-user mode is a little hard to get into is a little bit of a pain in the butt. So I don't know if you want to eradicate single-user mode entirely. If you're a really paranoid mofo and this is your laptop and you're really concerned, maybe that's something you want to do.

Any questions so far? (Audience: Is there any way to disable booting from CD?) You think I planted him there? Hey, Steve G., wow. Thank you.

Okay, so the nice thing is that single-user mode, it's really great when you can just walk up to a machine, no CD in hand, nothing, no tools, nothing, and just grab root real quick while somebody runs up to the bathroom, even if they're, like, really fast, okay? Although the way they put the bathrooms in Alexis Park, it's gonna take them 10 minutes to get out there and back. So supposing that you did have that 10 minutes, and you were carrying around an Apple boot CD in your pocket. It's kind of cool. You can take the CD, stick it in the drive, and what you do is you hold down the Option key and turn the machine on, and what will happen is the Apple will come up. It'll take a little while, but the Apple will come up with a graphical menu. It'll show your hard disk, it'll show your CD-ROM, and if you've got any FireWire drives plugged in, including, say, an iPod, it'll actually show you that. Be like, "Hey, which of these do you want to boot from?"
Okay, so the deal is, one of the cool things is that if you do that with the normal install media... Okay, normally with install media you have to have a clue, right? You, like, boot from install media, you have to go and remount the drives read-write, go and look at the right password file, etc., change the password file, etc. Maybe you'll chroot into /mount/CD and change the password from there, whatever. Here it's actually nice and easy. They actually include a password utility. So when you boot from CD you can go up to this nice little menu and you can go to the password utility, and they'll be like, "Hi, which drive do you want to change the password on?" and you're like, "This one," and it says, "Which account?" So it doesn't have to be a root account issue. It's like, "Which account would you like to change the password for?" and you're like, "That one," and it's like, "Okay, what's the new password?" You type it in and, congratulations, that's the new password now. You could also just boot from CD and, you know, do all the normal foo you normally do, but this kind of makes things nice and easy. Again, when you're looking for the 10-minute bathroom-break attack, this is excellent.

Okay, so what's the countermeasure? Well, the countermeasure is that the thing that was booting from CD is, you know, one of those pre-bootloader things. This is the firmware. So if the issue is that we were able to talk to the firmware and have it boot from CD or FireWire or whatever the hell, then maybe what we want to do is stick a password on the firmware. So what you can do is boot into the firmware.
Just as you're turning the machine on (this starts getting easier and easier, and this starts getting harder and harder), you're holding down the Option key, the Open Apple key, and O, F, for Open Firmware. Okay, and then once that boots up you get a prompt, and at that prompt you type "password" and it says, "Hey, what's your password?" and you set a boot password. This could be the same one used for SecureIt. If you're like me, you probably use yet another password here, just in case somebody gets root access on the system and can read SecureIt's file or whatever, I don't know. Okay, type in a password for the bootloader, and now you type "setenv security-mode command". Okay, what "command" means is: allow the system to boot normally unless they want to boot from alternate media, and if they want to boot from alternate media, require a password. Okay, on the other hand, if you want, instead of "command" you can write "full", and what that means is don't freaking boot unless they know the password. Don't boot from anything. Just don't boot.

Okay, how many people have set this on their Sun boxes? Full. Who set full? Okay, of the people raising their hands... there aren't that many people in the room who raised their hands. Has anybody forgotten both the root password and the EEPROM password at the same time? Anybody? No one's gonna admit to that, huh?
You know, if you go on eBay you will often find a very steady trade in replacement EEPROMs for Suns, because if you forget both the root password and the EEPROM password, and you've set it to full, so it won't even boot to a hard drive without this, you're quite possibly gonna be in the situation where you need to replace the EEPROM. People have been doing this for years; eBay's selling tons of these.

Okay, whatever. When you're done with this, set it to either full or command, type "reset-all", and you reboot the system. Congratulations, nobody gets to the disk without getting past the password. Now the next question is, "Well, Jay, what's the next attack? What's the next attack on the boot process? You know, can you get past this?" And my answer is, "Yeah, I don't know." Okay, and you say, "Is he a lamer?" and I'm like, "Yeah, I'm a lamer." But no, the issue is, some of you are like, "Wait a second, how come there has to be an attack?" And it's like, well, there always will be, right? There'll always potentially be another way to, you know, violate the boot process and grab root. That's just part of operating system security. There's attacks, there's defenses, there's attacks, there's defenses, and somebody freaking clever is coming up with attacks. So when I hear about the next one, maybe I'll come up with a defense, or someone else will come up with a defense.

What else makes Apples easier or harder to break into? Yeah, question over there. Sweet. Okay, we have a new attack. Okay, I am told by my colleague over there with the nice shiny laptop that you can change the Open Firmware password if you just pop open the machine. Pop open the machine, add more RAM, pull out RAM; if you change the amount of RAM you can change the Open Firmware password.
That sucks. Rearrange the RAM. Excellent. So part one, all you got to do is rearrange the RAM. Part two: "Jay, you ignorant slut, you tried this in the wrong order." You see, if you set an Open Firmware password, when you try to boot in single-user mode you'll be required to submit the Open Firmware password. Thank you.

Ask these guys: does this include taking the RAM out and popping it back in? My guess is no, but ask these guys. Anybody? I'll go over here first. No, you have to move the RAM. Question? Yeah, anybody know this: are there any user-space tools for modifying Open Firmware while booted? Let's broaden the question: on any operating system that runs on this platform? Right, you can set the password from user-space tools. Okay. So, no.

Okay, so what else can you do? So in terms of boot security, Apple actually... my laptop came configured with this nice little option by default, and that was that the sucker just logged right in for me. You know, I started up, I turned the machine on, it asked me for a first user, first password, and I was like, okay, cool, and now whenever I turn the machine on it auto-logs in for me. And that's kind of nice. But, you know, again, one of those things where it's like, if you leave this thing turned on, you lock your screen, you step away, somebody walks up, turns the machine off, turns it back on, it comes up and logs directly in as you. That was an easy screen saver hack.

So in terms of turning auto-login off, if you've never turned it off, you can actually do that with the GUI. You just go to System Preferences, Accounts, Users, and then you've got a little checkbox. It says "Log in automatically as user" and you can specify the user. So if you just turn that off, your auto-login is toast, which is good.

Okay, restart and shut down. If you're at the login prompt, if you're at the graphical
login thing, okay, this thing will let you cleanly shut down the system and start it back up. Some people think of that as a weakness; some people don't. Okay, so if you want to change that: System Preferences, Accounts, Login Options, and you can click on "Hide the Restart and Shut Down buttons". Okay, additionally, there's another way to do this. You can change this in this /etc/ttys file: you find the console line and you add in the parameter "power off disabled". Yes. Okay, so, doing okay on time.

Okay, so that's basically boot security. That's the quickie boot security audit. The next thing to do is to take a look at other programs that are running on the system, and then also network daemons that are running on the system, and the network daemons are really what's most important to me, because I want to have this system not listening on the network quite so much.

Okay, so what I've got is that, remember, we had the kernel starting mach_init, mach_init started init, and init started rc.boot and rc, and rc is normally what we think of, you know, as the script that's going to start everything else. Okay, parent, isn't it? But rc runs rc.common, and it's going to run rc.common to do some general stuff, and also, importantly to us, to source a file called...
I mean, a source file called /etc/hostconfig. Okay, and then what rc does is it runs SystemStarter, and SystemStarter is kind of the replacement here for the BSD and SysV normal boot methods, and I'll show you that.

What SystemStarter does (and this thing is very BSD, but SystemStarter feels SysV to me), what SystemStarter does is it looks through two directories, and let's just look at that. We're only going to look at the first one here, because the second one is something you're supposed to populate, and that first directory is /System/Library/StartupItems, and inside that StartupItems directory there'll be a directory called, say, Apache, and in that directory will be a script called Apache. And what SystemStarter's doing is it's looking at all those subdirectories for scripts of the same name and then it's going to run all of them. And actually, you know, in SysV they all got run in numerical order; in BSD they all got run in the order that they were in one long script. Okay, here SystemStarter actually determines the order dynamically. It's kind of cool.

Okay, so basically if we're looking at /System/Library/StartupItems/Apache/Apache, that directory Apache has some other files in it, and one of those files is StartupParameters.plist, and what StartupParameters.plist is, is it's a bunch of stuff. Let me see if I've got a slide on this. Yeah, I do. Okay, what StartupParameters.plist has is a bunch of stuff that helps SystemStarter decide what order to run this all in. Okay, so these: we've got a Description, "Apache web server". We've got Provides and Requires and Uses. Provides is, you know, what service...
...what thing is going to be there for the other things to require and use after this gets started. Requires is what's got to be running before this will go. Okay, Uses: things that this uses that might be useful to be on. Okay, OrderPreference. OrderPreference can be None, it can be First, it can be Last, it can be Early, I think the other one's Late. Okay, and what that says is this is roughly when I'd like to go. SystemStarter doesn't have to actually obey any of that OrderPreference stuff. Okay, it can add its own option. So when you're creating scripts of your own, this is kind of the way you're doing this. So in terms of what order things get run in, that's basically dynamically generated on each boot.

Okay, so if you want to start turning this off, like we said before, rc.common gets run by basically every single SystemStarter script, and each of the SystemStarter scripts does that so that they can source hostconfig. So if you want to turn off daemons, you can actually go and hack on the scripts yourself, but the preferable way, of course, the vendor-supported way, would be to go and modify /etc/hostconfig. Most of the time we can do that. Some of the stuff we want to turn off we can't turn off through hostconfig.

Okay, so if we look at... let me see if I've got a slide with the script listed, or whether this was something I was really hoping we had access for. Okay, if we look at /System/Library/StartupItems/NFS/NFS, that's one of the scripts. One of the programs that gets started is called automount. Okay, automount's gonna run by default. Okay, but you can deactivate it by turning off automount, by setting AUTOMOUNT to NO instead of AUTOMOUNT to YES.
Okay, automount is just an NFS client daemon, and you use it if you want to have given directories mounted remotely from NFS servers as your users use them, and unmounted whenever they've been idle for a while. Okay, so if we're an NFS client, we might want to keep this on. If we're not an NFS client, I want it off, right? If we are an NFS client, I might use this, I might not; I have to decide. But in terms of locking it down, that's a good part of what locking down a system is: deciding what the system is being used for and adjusting it accordingly.

Okay, so what else? NFS. We've got this script, NFS. The NFS script starts the automounter. It also starts nfsd and mountd, but it only starts them if you've actually got stuff listed in /etc/exports, if you're actually exporting directories. That's kind of cool; it's a pretty smart script. Okay, so if you've got stuff in /etc/exports, or if NetInfo, which we'll talk about later, says that you've got things that you're exporting and sharing with other systems, then these things run. If they don't, they don't run.

The other weird thing, though, is there's another program that gets run by this script called nfsiod, and basically the nfsiod daemon runs whether you like it or not. It runs whether you're an NFS client or not. So you can turn off automount, and you can have no NFS to share out, but nfsiod is an NFS client daemon, okay, and that runs no matter what. There's no way to really turn that off through /etc/hostconfig. Okay, so what I do with that particular one is you actually go into the script and you just comment the sucker out.

Okay, now there's an obvious question: if I'm gonna go and start modifying start scripts, what's my obvious question?
Anybody? Sysadmins in the room? What's that? What happens when I upgrade? Okay. What happens when I upgrade? The other thing I was looking for is, what happens when I patch? Okay, so when I patch, when I upgrade, there's some very good chance the vendor is going to go and smack, you know, new or updated or the original boot scripts right back on the system. And if they do, well, then I'm kind of, you know...

Yes, the NFS daemon is off by default. NFS client daemons on: nfsiod, that's on, right. I'm sorry, automount, or the automounter, is started by default. I know that. Hold on, let me check my system. You could be right. Let's check. So on my straight build I've got AUTOMOUNT set to YES by default, so it gets started. We can go look at the script. I can tell you this is a default install because I rebuilt it last night. It's 10.3. 10.3, I'm sorry. I'm sorry, no, 10.3, right, which is... I looked at 10.3, and actually I've got an install of 10.3 on a system back at home. This has changed in 10.4. Okay, so your fair speaker has his default CD, and this is 10.3. This is what Apple sold me and I didn't immediately update it. No, I didn't immediately update it because I was looking for issues. No, I didn't immediately update it to 10.4. Okay. Are you guys Apple? Okay, just checking.

What was the... who shouted what? I didn't hear. (Audience: lsof -...) Yeah, the gentlemen are saying that quite possibly... are you saying on 10.4 that I won't have anything listening by default there? Or is it on 10.3 that I won't have anything listening there?
Okay, I'm not going to argue this. If I'm completely and totally wrong, slam me after the talk and, you know, hash it out. You know, but I don't want to... I've got a 50-minute talk that I've got 22 minutes left of. Okay, yeah, if I'm an ignorant slut you can call me on it.

Okay, so on my reference 10.3 system, on a fresh install, nfsiod starts whether I like it or not. I get multiple instances. I remember that. So I can edit the script to turn this off, but it's not accessible, or it wasn't accessible... let me try to stick with past tense, guys. Okay, it wasn't accessible via hostconfig.

Okay, I am not busting on the operating system here. I'm just telling you how to harden it. If they're going to come out of the gate perfect for me, I mean completely perfect for me, that's great. Okay, some of them do, but, you know, I don't expect it to. I expect to have to do some amount of configuration on the system. I don't know, I still do it on OpenBSD, you know, and they've got a pretty good attitude about this stuff.

Okay, if you really wanted to do a thorough audit, what I encourage, if you really want to do a thorough audit, is you should read your boot scripts start to finish. I mean, you just go through and basically trace what the system's starting, when it's starting, if it's starting, etc. Okay, if you want to do a thorough audit, that's what you do. Okay, what we're going to do is go and change /etc/hostconfig, turn stuff off that we want off, and then go and look at, you know, if we wanted to reboot, whatever, look at what's still running at that point, and go and find out how that got started and turn that off. Okay, that's kind of the applied and quick audit.

Okay, if I look at this file, what do I have? The automounter's on by default in 10.3? Okay, I can turn that off. What else is on? Okay?
Well, I just want to show you: we've got CUPS on, we've got IPv6 (so I'm gonna turn that off), NETINFOSERVER set to AUTOMATIC, RPCSERVER set to AUTOMATIC, TIMESYNC is set to YES. Okay, so we can look at each of those.

So the first thing is, we know we can set AUTOMOUNT to NO, okay? We know we can set AUTOMOUNT to NO if we're not using that. Okay, what else? Well, we've got a variable called CUPS, and what CUPS does is it's actually controlling whether PrintingServices runs cupsd by default or not. Okay, if we are not printing from this system, if this is a machine that's serving as a little web server (you know, I know this is a laptop, but suppose for a second it's a little machine that's serving as a web server in my dorm room, you know, it's not doing anything else), I might turn off printing. If I want to turn off printing, that's easy enough. I can change the CUPS variable. Okay, I can run that script. I can run the PrintingServices script with "stop". Okay, and that'll stop it. What I really should do, to make sure that it's really gonna be off on the next boot, is I should change that variable and I should pass it "restart" so that it stops, or I can pass it "stop", make sure it's off, then run "start" to make sure that when the script gets started, cupsd doesn't actually run. And that's what I'd say is the safest thing to do here.

Okay, so I've got a typo on this slide; updated slides are on the DEF CON website. NETINFOSERVER, another variable, and I don't remember the script name that it's actually looking at, but basically this NETINFOSERVER is going to control whether nibindd or netinfod gets started. Okay, and if it's set to AUTOMATIC it starts nibindd if I actually need to get NetInfo information off the network, okay, and starts...
...netinfod if I don't. Okay, if you've got an OS X system, to my knowledge, what you're doing is all your passwd information, your shadow information, exports, etc., this is all maintained through NetInfo. Okay, I don't know tons about NetInfo. I know it came from NeXT. I know it's a useful thing. I know it smells like NIS to me. I know that my system basically requires it. Okay, I can't turn it off.

What else? TIMESYNC. Okay, that TIMESYNC variable controls whether the system runs NTP, okay, and whether it's actually updating time very precisely. Okay, you might turn this off if you're really paranoid, if you're running at a hacker conference, whatever. On the other hand, if you're looking at IDS logs and firewall logs and machines that have been broken into, and you want to correlate all the information you got out of that, okay, or even, you know, in the case of a penetration, or even you just want to see, hey, it looks like one of the servers is down, and see what time an event happened and see that in multiple logs in different places, you really may very much want TIMESYNC, and you may want your time synchronized very closely. So it's kind of your call. If I'm running around DEF CON, you know, I probably shut this off. If I'm in my normal operational environment, I probably leave it on. It's all depending on your paranoia.

Okay, so as I'm going through and shutting these down, I can do one of two things: I can go and run the stop scripts, or I can reboot the system once I'm done. Once I'm done with that, what I want to do is start this thing back up and see what's left. Okay, and I can run ps and look at all the processes that are left and start deciding whether I want them or not. Okay, the first one that caught my eye when I looked at a ps listing on a 10.3 system (and this will not show up on 10.4; it went away, right?)
In 10.4 or 10.3 they stopped nibindd listening. Okay, that's cool. Debating whether that's still listening. Okay. Well, so inetd. If we look at the IPServices script, IPServices starts both inetd and xinetd. Okay, xinetd is a replacement for inetd. They can both run at the same time on a system as long as they listen on separate ports. So Apple by default has really nice defaults here. inetd: inetd.conf's got every single line commented out; if you grep that file for non-commented lines I don't think you even get any blank lines. I think it's actually a perfect file. Okay, but there's nothing in inetd's configuration file, and everything that xinetd is supposed to listen for, that's all turned off by default too. It turns out that xinetd, you know, if it's got nothing to run, it immediately exits. inetd, if it's got nothing to run, it, you know, keeps running, but it's actually not listening on any ports. So it's not that inetd is listening, it's just that it's kind of running, taking up a couple cycles here and there. Okay, so this isn't, again, something that I can control through hostconfig, so the best thing I can think of as far as inetd goes, sorry, this is our slide, the best thing I can do as far as inetd goes is to maybe write some shell code, and that shell code's at the bottom of there.
It's not the most, you know, you could do something that was a lot smarter than this. Okay, but what I've done is basically, you know, you could wrap it in some shell code so that inetd only runs if there's something in the file. Okay, that's a decent thing to do if you know that you're gonna be administering the system. And, you know, if you want to, what I would do is, you know, you could comment inetd out entirely and turn it back on if you want to. You know, you could put an exit at the top of the script. Again, did we ever solve the question of what we're gonna do when we went and hand-edited scripts that were possibly gonna be replaced by the vendor on a patch or an upgrade? And patches are what I'm really concerned about, because, you know, I'm gonna patch often, right? So what's going on? Well, if I go and modify scripts and I want to make sure that my changes stay when the vendor comes around and brings me patches, my best bet is I go and automate this. I mean, you know, once you've locked down, once you've done this to one system, even if you only have one, you might put together a tiny script that you can run after you apply patches that will go in and make your hand changes again. Okay, I would definitely try to automate this. That's the best thing that I can think of. If you're using something at your site already like cfengine, okay, or some other solution, you can use that, some kind of automation that brings you back after patches. If anybody else has any easy solutions for this, let me know.

What's that in the back? What's that? Binary is replaced on the patch. What if the binary is replaced on the patch? Good point. So the install overwrites your binary. I mean, it's, you know... What's that? schg. That's just like an immutable bit or a locked bit.
Yeah, so the schg bit. But how does my installer react to that? Okay, so we don't know.

Okay, xinetd. inetd.conf was empty of anything. If we want to look at xinetd and see the same thing, we just look at this; this is a sample xinetd configuration file. If you look at them all, they all have a disable line, and the disable line is set to yes. We know in inetd.conf if every line's commented out nothing's gonna get listened on. With xinetd we're looking for disable lines. If there's no disable line the service gets run. Okay, if there is a disable line and it's yes, the service doesn't get run. So if we look through on our reference system, we find that xinetd has got every single thing in /etc/xinetd.d, every single file's got disable equals yes, then we know it's off and we don't worry about it. Next slide.

Okay, so if we're looking at our ps listing, we look at what other programs are left. We're doing something quick. Okay, one of the other things that stands out is autodiskmount. Okay, what's autodiskmount for? Autodiskmount's actually pretty darn useful. Okay, autodiskmount is: I take my CD-ROM, I stick it in the drive, it mounts up automatically, it appears on my screen, I can click on it, I can get a Finder listing of it, etc. What else is it for? Well, it's for floppies, yes, but what else is it for on top of that? Well, if I'm downloading disk image files, okay, one of the big ways you install software is you download a disk image file, you click on it, and it basically comes up as if you were mounting an external hard drive, except it's not, it's just a disk image file. Feels like an ISO to me. But, you know, if I've got a disk image file, autodiskmount's what's actually opening that up for me,
okay, what's mounting that for me so that I can just pop it up, see the directory and have it nice and easy. Okay, again, whether I leave this on or not depends on how I'm using the system. Okay, if I want to, I can turn off autodiskmount between times when I'm using that functionality, okay, or I can leave it in place.

What else? mDNSResponder, the multicast DNS responder. So okay, we talked about autodiskmount, and if you wanted to turn off autodiskmount, okay, you can basically just go into the Disks script and comment it out. Again, that's one of those things, it's not hostconfig accessible in 10.3. Okay, mDNSResponder: used for Rendezvous. Okay, Rendezvous. What's Rendezvous do? Who knows what Rendezvous does? I know you guys do. Anybody? Yeah, okay, automatic host discovery. It's basically a way of finding people to chat with, to do iChat. Okay, finding people who are on the local area network. I'm sorry, I can't hear you. Very nice, right, you're sharing. Anybody else have favorite things to do with Rendezvous? I'm sorry, Hydra? Hydra, I didn't know about that one. What's Hydra do? Everyone can work on the document at the same time.
They're just on the local area network. Wow. Okay, so as far as Rendezvous goes, sounds like really useful functionality. I'm scared out of my wits having this on at DEF CON, so if you also are scared, thank you, if you also were scared, you can turn that off by commenting or deleting it out of mDNSResponder. Again, this is stuff where we're gonna hope that it's all gonna be in hostconfig later on; for now we're just commenting it out.

Okay, so like I said, to do a thorough audit you read through all the start scripts and decide what to turn off. I do a more thorough audit in this article that I'm gonna post up on my website, probably come Monday.

So in terms of where you go from here: we've gone through some of the scripts. In terms of where you go from here, the first thing I'm gonna do is actually go and run netstat and get a list of what's listening on different ports. Okay, I'll use netstat to get a list of what's listening; I'll use lsof to tell me what programs. Netstat gives me a list of listening ports; lsof gives me, you know, for a given port, what's actually listening on it. Okay, so what I might do is I'm going to use netstat and I see port 1030... port 1033 is listening on localhost, and if I see that I'll run lsof and it'll say netinfod is listening on that port, and I'll say that's okay, I need that, that's fine, I need NetInfo, I can't turn it off. Okay, that's fine with me, and the fact that it only listens on loopback makes it a little less dangerous anyway. Okay, UDP. If I'm going and doing a UDP audit, these are the ports that came up listening. Okay, 1033 is also NetInfo. I can go through each port with lsof, okay, and I see there are different pieces of the operating system, and I can go and actually look at what each one is and decide whether I want to keep it or not. Okay, I'm keeping lookupd, I'm keeping netinfod, I'm keeping syslog.
But why the heck is syslog listening on the network? Okay, if I go and look at the man page for syslog, and that's what we do, time permitting. If I look at the man page for syslog, syslog says you have to have the -t command line option to be listening on the network, and it says, hey, this is, you know, kind of an old insecure thing and you're open to a DoS attack. And so then what do I do? Well, I notice that if I do a ps, syslog isn't being run with -t. If I look at the script, syslog isn't being run with that option. I'm sorry, -u. What do I do? It says that it's listening on the port, but my man page, my start script doesn't indicate that it's listening on the port, that it should be accepting remote logs. So, I'm sorry, what I do, I thought I had a slide on that, what I do is I fire off my syslog client and just start firing off logs at the box, and I start firing them off from different IP addresses and seeing what happens, and I find, oh, hey, I can't get this thing to log anything. Okay. It'd be nice if it didn't listen on the port, but it's going to. So is there anything you guys can think of that I can do about it if I'm still paranoid about this? ipfw, exactly. So I can make sure that ipfw is currently blocking all access to the port. Okay, what else? I find port 68 is listening. I find that's configd. Port 68, that's my DHCP client port. I need that there, that's okay. I might use ipfw to make sure that it only gets communication from the known DHCP server on the network. Otherwise I need it because the system is doing DHCP. I can also go static and not worry about it. Okay, from there, what are my next steps?
My next steps are: look at doing a setuid audit, doing a setgid audit, okay, my net audit, cron jobs, look at daemon configurations, do a permissions audit. In terms of a setuid audit, these are the commands I use, and what I'm looking for are programs that let ordinary users, and potentially every ordinary user on the system, run as root. Am I really out of time? Okay, I'm out of time, so I'm going to show you the slides and stop. Okay, so there's my commands for a setuid audit. I'll look at cron jobs. cron runs periodic; periodic runs a bunch of stuff out of the directories /etc/periodic/daily, monthly, weekly. I'll go through and actually look at daemon configurations later on if I have time, and for any daemons I actually still want to run I'll make better configurations. Read references on this; some of them are on my website. Permissions audit: I'll actually go and look at the system and see what somebody could do in terms of world-writable files and directories, replacing data or replacing executables. Okay, there's commands to do that. Bastille Linux. Bastille Linux is an increasingly misnamed program that is a hardening script that'll actually go through and do some lockdown. You can do a much better job always by hand because you're a boatload smarter than a Perl script, but this might help you in terms of automation, in terms of getting a first start, in terms of doing this on lots of systems. Bastille Linux works on HP-UX and OS X and five Linux distros. I've got articles you might read on lockdown. There they are, and we're out of slides. Is this useful, except for the people who are going to flay me?
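An added shell audit, my example rather than anything from the talk or from Bastille, that runs the inetd.conf and /etc/xinetd.d checks described above against constructed sample files (the service files and the temp-directory layout are made up for the demo):

```shell
#!/bin/sh
# Added example, not from the talk or from Bastille: the inetd.conf and
# /etc/xinetd.d checks the speaker walks through, run against constructed
# sample files in a temp directory so it works offline on any POSIX system.

# Number of active (non-comment, non-blank) lines in an inetd.conf.
# grep -c exits 1 when the count is 0, so swallow that status.
inetd_active_lines() {
    grep -c -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" || true
}

# The wrapper the speaker suggests for the IPServices script: only worth
# starting inetd when inetd.conf actually has something to serve.
inetd_should_start() {
    [ "$(inetd_active_lines "$1")" -gt 0 ]
}

# Services under an xinetd.d directory that xinetd would start: any file
# without a "disable = yes" line (no disable line at all means it runs).
xinetd_enabled_services() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$f" \
            || basename "$f"
    done
}

# Constructed sample config: a fully commented inetd.conf plus three xinetd
# service files: one disabled, one explicitly enabled, one with no disable line.
make_fixture() {
    t=$(mktemp -d)
    printf '#\n# everything commented out, as shipped\n#ftp\tstream\ttcp\tnowait\troot\t/usr/libexec/ftpd\tftpd -l\n\n' \
        > "$t/inetd.conf"
    mkdir "$t/xinetd.d"
    printf 'service ssh\n{\n\tdisable = yes\n\tsocket_type = stream\n}\n' > "$t/xinetd.d/ssh"
    printf 'service telnet\n{\n\tdisable = no\n\tsocket_type = stream\n}\n' > "$t/xinetd.d/telnet"
    printf 'service finger\n{\n\tsocket_type = stream\n}\n' > "$t/xinetd.d/finger"
    echo "$t"
}

fixture=$(make_fixture)
echo "inetd.conf active lines: $(inetd_active_lines "$fixture/inetd.conf")"
inetd_should_start "$fixture/inetd.conf" && echo "inetd: would start" || echo "inetd: nothing to serve, skip"
echo "xinetd services still enabled: $(xinetd_enabled_services "$fixture/xinetd.d" | xargs)"
rm -rf "$fixture"
```

Point the two functions at the real /etc/inetd.conf and /etc/xinetd.d to repeat the check after a patch, which is the automation the talk recommends.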