Secure System Administration - SANS GIAC
© 2000, 2001
Securing and Auditing Unix
Examples tested on a Red Hat Linux 6.1 (Hedwig) build
Welcome to Unix and Linux. Security for these operating systems is a complete paradigm shift from
Windows. Unix has been around a lot longer, and the source code for Linux is freely available, so
would-be attackers are free to examine it and test it for holes such as buffer overflows and deadlock
conditions.
Linux is different from Unix, but has the source code been available for Unix? Certainly: you used to
be able to license source for both the AT&T and BSD versions of Unix, and it is rumored that the Sun
source code was stolen once via a workstation with a modem connection.
This means that we are dealing with a lot more “knowns” than with Windows. Well, at least that
was true until October 2000, when critical Microsoft source code was stolen. From now on the rule of
the game is “whoever knows the most wins”.
Let’s start our discussion with the notion of a firm foundation. Nothing is certain, but if we can start
with a clean build we have a better chance of ending up with a secure system.
A Clean Build is a Happy Build
• Load from CD
• Load from Net
• Load from another system?
• Load from tape?
Windows loads from CDs, which are licensed and controlled. A compromised version is possible, but
unlikely. The initial load of Unix can be a whole new ballgame.
Many Unix systems make it easy to clone a system from an existing system: you plug in the
Ethernet cable, power on the system, and the new computer looks for a system to boot from. This is
separated by a “ / ” (forward slash). In DOS, file names are case-insensitive, while in Unix they are
case-sensitive. The “ . ” character separates the file name from its extension in DOS, but it has no
such special role in Unix (older DOS allows only one “ . ” in a name; Unix permits more than one).
Both operating systems support the concept of a “pipe” (the vertical bar, | ) that connects the
output of one command to the input of the next, such as type file.txt | more (DOS) to show
the file named file.txt one screen at a time.
Both operating systems support the use of “ * ” as a wild card character.
Regarding floppy disks, DOS (and Windows) use a: to refer to the first floppy disk drive in the
system while Unix treats everything as a file and uses a name such as /dev/fd0 to refer to the
floppy disk.
In general, Unix command equivalents have a broader functionality than the DOS cousins. This is
somewhat of an oversimplification, but it will meet our needs for this introductory module. You
need to be familiar with basic Unix commands to be ready for Security Essentials where you will
gain the fundamental skills to enable you to handle an incident involving a Unix system.
More Basics
• List files: ls -lart
• Show the file on the screen: cat, more
• Display system processes: ps -ef, ps -ax, ps -ewf
• Display network information: netstat -a
• Verify that a packaged system file has not been modified:
rpm -V package, or rpm -Vf filename to verify the package that owns a given file
(no news is good news)
Every Unix variant is different and many of the commands listed have multiple options. We
encourage you to become familiar with the operating systems that are used in your organization. A
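The slide says that for rpm -V “no news is good news”; when there is news, the output has to be read correctly, because a changed MD5 digest on /bin/login means something very different from a changed mtime on a README. The following shell script is an added example, not part of the SANS notes: it triages a constructed piece of rpm -V output offline. The test-field letters are rpm's documented verify format (S size, M mode, 5 MD5 digest, D device, L symlink, U user, G group, T mtime, “.” passed, “?” untestable); the severity labels and the function names are this example's own choice.

```shell
#!/bin/sh
# Added example (not from the SANS notes): triage "rpm -V" output offline.
#
# rpm -V prints nothing for files that still match the RPM database. For a file
# that differs it prints one line: an 8-character test field, optionally a
# one-letter file-type marker (c = config file), then the path. Field letters:
#   S size   M mode   5 MD5 digest   D device   L symlink
#   U user   G group  T mtime        .  test passed   ? could not be tested
# A line beginning "missing" means the file is gone. Newer RPM adds a ninth
# column; matching individual letters keeps this script valid there too.

# Constructed sample, shaped like rpm -V output from a Red Hat 6.x box.
SAMPLE_RPM_V='S.5....T c /etc/inetd.conf
.......T   /usr/share/doc/foo-1.0/README
S.5....T   /bin/login
missing    /usr/sbin/in.telnetd
.M......   /usr/bin/passwd
..?.....   /etc/shadow'

# classify_rpm_line TESTS PATH: print "SEVERITY reason path" for one line.
# The severity scale is our own: a changed digest or size, or a missing file,
# is what a rootkit or a trojaned login binary leaves behind.
classify_rpm_line() {
    tests=$1; path=$2
    case "$tests" in
        missing)     echo "HIGH missing $path" ;;
        *5*)         echo "HIGH content-changed $path" ;;
        *S*)         echo "HIGH size-changed $path" ;;
        *M*|*U*|*G*) echo "MEDIUM mode-or-ownership $path" ;;
        *\?*)        echo "UNKNOWN untestable $path" ;;
        *)           echo "LOW metadata-only $path" ;;
    esac
}

# triage_rpm_verify: read rpm -V output on stdin, emit one classified line each.
triage_rpm_verify() {
    while read -r tests rest; do
        [ -z "$tests" ] && continue
        set -- $rest                          # split off the optional type marker
        case "$1" in [a-z]) shift ;; esac     # drop "c", "d", ... if present
        classify_rpm_line "$tests" "$1"
    done
}

# count_high: number of HIGH findings in a triage report read from stdin.
count_high() {
    grep -c '^HIGH' || true                   # grep exits 1 when the count is 0
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_RPM_V" | triage_rpm_verify
```

On a live system the same functions run as rpm -Va | triage_rpm_verify. Expect a handful of LOW lines for config files whose mtime changed legitimately; HIGH lines on binaries such as /bin/login or /bin/ps are the ones to pull off the box and compare against a known-good copy.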
strings
• Examine the bits: od, od -x
• Are these two files the same? diff
The tools on this slide help you manipulate and inspect files. mv moves a file from one place to
another, so it is similar to ren (rename): mv a.txt b.txt renames a.txt to b.txt in the same
way ren a.txt b.txt would at a Windows command prompt. However, mv can also move whole
directories, and it can change the name, the location, or both.
copy in Windows is similar to cp in Unix, but cp has a number of powerful options. One to
know is cp -p (preserve), which keeps the original file's mode, ownership and timestamps. If you
want to edit a system file it is a good idea to make a backup copy first. For instance, if you edit the
Internet daemon configuration file, inetd.conf, you might first:
cp -p inetd.conf inetd.conf.22OCT00
This preserves the file's date, so if you list the /etc directory with ls -lart the backup keeps the
original file's age and the freshly edited file is obvious.
The strings command prints the displayable ASCII strings found in files. For each file given,
strings prints the printable character sequences that are at least 4 characters long and are
followed by an unprintable character. By default it only prints the strings from the initialized and
loaded sections of object files; for other types of files it prints the strings from the whole file.
od (octal dump) lists the raw bytes of a file, in octal by default; od -h and od -x will each dump a
file in hex.
diff displays the differences between two files and is the programmer’s friend.
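To put the cp -p habit and diff together, here is an added shell walkthrough that is not part of the SANS notes. It builds a stand-in inetd.conf in a temporary directory, backs it up with cp -p using the 22OCT00-style date suffix from the text, comments out two services the way an inetd hardening edit would, checks that the backup kept the original timestamp, and shows the change with diff. The file contents, the old timestamp and the helper names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the SANS notes): back up a configuration file with
# cp -p before editing it, prove the copy kept the original timestamp, and use
# diff to show exactly what changed. Runs entirely in a temporary directory on
# a constructed stand-in for /etc/inetd.conf, so it is safe to run anywhere.

WORK=$(mktemp -d)
CONF="$WORK/inetd.conf"

# Constructed sample: a slice of an inetd.conf with three services enabled.
cat > "$CONF" <<'EOF'
# <service> <socket> <proto> <flags> <user> <server> <args>
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF
# Give it an old modification time (1 Oct 2000) so the preserved date stands out.
touch -t 200010010000 "$CONF"

# mtime FILE: modification time in seconds since the epoch (GNU stat, then BSD stat).
mtime() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# backup_config FILE: copy FILE to FILE.DDMONYY with cp -p, which preserves
# mode, ownership and timestamps, and print the backup's name.
backup_config() {
    bak="$1.$(date +%d%b%y | tr 'a-z' 'A-Z')"   # e.g. inetd.conf.22OCT00
    cp -p "$1" "$bak" && echo "$bak"
}

# disable_service FILE NAME: comment out NAME's line, the usual inetd hardening
# edit. The result is written back through the existing file (cat > FILE) so
# the file keeps its inode, mode and owner; only its mtime moves to "now".
disable_service() {
    tmp="$1.tmp.$$"
    sed "s/^$2[[:space:]]/#&/" "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# count_changed_lines OLD NEW: lines diff reports as removed (<) or added (>).
count_changed_lines() {
    diff "$1" "$2" | grep -c '^[<>]' || true    # grep exits 1 when the count is 0
}

# Walk through the procedure.
ORIG_MTIME=$(mtime "$CONF")
BAK=$(backup_config "$CONF")
disable_service "$CONF" telnet
disable_service "$CONF" finger

# The backup still carries the 2000 date; the edited file carries today's.
ls -lart "$WORK"
if [ "$(mtime "$BAK")" = "$ORIG_MTIME" ]; then
    echo "backup $BAK kept the original timestamp"
fi
diff "$BAK" "$CONF" || true                     # exit 1 just means "files differ"
```

The ls -lart listing is the point of the exercise: the .22OCT00 copy sorts with the original's date and the live file sorts last with today's, so a glance at /etc shows what was touched and when, and diff against the dated copy shows the exact lines. Note that the edit is written back through the existing file rather than replacing it with mv, so the live file keeps its mode and owner; an editor that writes a new file and renames it would not.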