Handling of compromised Linux systems
4 likes3,314 views
The document discusses strategies for understanding and mitigating Linux system intrusions, focusing on rootkits, malware handling, and potential defenses. It highlights common vulnerabilities, detection challenges, and the necessity for security tools and practices such as system hardening and continuous scanning. The presentation concludes with the importance of detection, restoration, and ongoing learning to enhance security measures.
Handling of compromised Linux systems
- 1. Linux Systems Compromised Understanding and dealing with break-ins Ede, 5 February 2016 Michael Boelen [email protected]
- 2. Agenda Today 1. How do “they” get in 2. Rootkits 3. Malware handling 4. Defenses 2
- 3. Michael Boelen ● Security Tools ○ Rootkit Hunter (malware scan) ○ Lynis (security audit) ● 150+ blog posts ● Founder of CISOfy 3
- 4. How do “they” get in
- 5. Intrusions ● Passwords ● Vulnerabilities ● Weak configurations 5
- 6. Why? 6
- 7. Keeping Control ● Rootkits ● Backdoors 7
- 8. Rootkits 101
- 9. Rootkits ● (become | stay) root ● (software) kit 9
- 10. Rootkits ● Stealth ● Persistence ● Backdoors 10
- 11. How to be the best rootkit?
- 12. Hiding ★ In plain sight! /etc/sysconfig/… /tmp/mysql.sock /bin/audiocnf 12
- 13. Hiding ★★ Slightly advanced ● Rename processes ● Delete file from disk ● Backdoor binaries 13
- 14. Hiding ★★★ Advanced ● Kernel modules ● Change system calls ● Hidden passwords 14
- 15. Demo
- 16. Demo 16
- 17. Demo 17
- 19. Detection
- 21. Challenges ● We can’t trust anything ● Even ourselves ● No guarantees 21
- 24. ● Owner? ● Risk? ● What if we pull the plug? Activate your plan! 24
- 26. Consider Research Memory dump (Volatility) Static analysis 26
- 27. Restore Does it include malware? 27
- 28. Defense
- 29. Best protection At least ● Perform security scans ● Collect data ● System Hardening 29
- 30. Frameworks / Patches ● SELinux ● AppArmor ● Grsecurity 30
- 31. Compilers ● Remove ● Limit usage 31
- 32. Harden Applications ● Use chroot ● Limit permissions ● Change defaults 32
- 33. Kernel Hardening ● sysctl -a ● Don’t allow ptrace 33
- 34. Automation
- 35. Tip: Lynis ● Linux / UNIX ● Open source ● GPLv3 35
- 36. Conclusions
- 37. Conclusions ● Good rootkits are hard to detect ● Use cost-effective methods ● Detect ● Restore ● Learn ● Apply hardening 37
- 38. You finished this presentation Success!
- 39. More Linux security? Presentations michaelboelen.com/presentations/ Follow ● Blog Linux Audit (linux-audit.com) ● Twitter @mboelen 39
- 40. 40