Jul 30

Is it possible to audit Unix/Linux server root access per task and on temporary basis?

Yes.

Years ago I wrote a ‘sudo’ equivalent in W32, but with a big twist. It was called “RunAuth”. It used the “run as” API mechanisms and granted admin access based on an OTP (http://en.wikipedia.org/wiki/One_time_password). The OTP was NOT automatic: the person had to call the helpdesk to get a code. It was based on a shared secret and MD5. Secondly, the code provided defined the exact process that the RunAuth client could execute.

Use Case:
A field sales person wants to install a new HP printer. The user does NOT have local admin. How do you install a printer driver without shipping the computer to IT?

Solution:
Start RunAuth and choose “install printer driver”; a challenge code is presented. Tell the IT person the code over the phone. They provide a response that immediately executes the install printer wizard as admin. The actual MD5 signature of the DLL or EXE is also validated before running, to ensure no trojan or backdoor is introduced. Upon completion of the task, the machine logs the user out or requires a reboot.

Point:
The same can be accomplished in Linux.
Think of sudo with one-time-password access. Why is this important? Because it means admins don’t have sole control over root access; it requires “dual” control. Someone else, who is not an admin, has to consent to the change or stated objective in order to give the admin a one-time sudo password. So if automated provisioning cannot handle a task, or an emergency occurs, there is still a regimented procedure for performing ad hoc tasks, but with change control enforced at the OS.
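The challenge/response flow described above, as an added Ruby example (not RunAuth’s code): the helpdesk response is bound to one challenge, one named task and a short time window, and the client checks the binary’s hash before running anything. HMAC-SHA256 replaces the MD5 construction, and the task table, window length and hashes are assumptions.

```ruby
require 'openssl'
require 'securerandom'

# Dual-control, task-bound one-time authorisation in the spirit of RunAuth.
# Helpdesk and client share a secret; a response is only valid for one
# challenge, one named task and a short time window, so it cannot be reused
# for a different command. HMAC-SHA256 replaces the MD5 construction of the
# original (assumption); the task table and binary hashes are constructed.
module RunAuthOtp
  WINDOW = 120 # seconds a challenge/response pair stays valid (assumed)

  # Allowed tasks: name => [command, pinned SHA-256 of its binary].
  # The hashes here are placeholders; a deployment pins the shipped files.
  TASKS = {
    'install_printer' => ['/usr/sbin/printer-setup', 'a' * 64]
  }.freeze

  # Client side: a short random challenge the user reads out over the phone.
  def self.new_challenge
    SecureRandom.hex(4)
  end

  # Helpdesk side: the response binds secret, challenge, task and time slot.
  def self.response(secret, challenge, task, now = Time.now.to_i)
    slot = now / WINDOW
    OpenSSL::HMAC.hexdigest('SHA256', secret, "#{challenge}|#{task}|#{slot}")[0, 8]
  end

  # Constant-time string comparison, so timing does not leak the response.
  def self.same?(a, b)
    a.bytesize == b.bytesize &&
      a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Client side: verify the spoken response (current or previous slot), then
  # the binary's hash, before anything runs. Returns the command or nil.
  def self.authorise(secret, challenge, task, given, binary_sha256, now = Time.now.to_i)
    cmd, pinned = TASKS[task]
    return nil unless cmd
    ok = [now, now - WINDOW].any? { |t| same?(response(secret, challenge, task, t), given) }
    return nil unless ok && same?(pinned, binary_sha256)
    cmd
  end
end
```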

I’d like to hear opinions.

H

Feb 15

The problem is how to securely lock down your firewalls for very privileged services like SSH or an intranet server.

Is adding port knocking together with OTP a good, solid solution for perimeter defense? I’m going to play with this. The idea:

  • The port knock numbers are derived from a secret key and a cipher to create a sequence of 16-bit port numbers, ex. "7111 31189 40922".
    1. That is a UDP knock on 7111, 31189, and 40922.
    2. These numbers change approx. every 1-2 minutes, based on the secret key, the cipher and a date/time seed.
  • The payload of each packet is a sequence number + a 2-digit OTP number.
    ex: packet 1: "1|3dz", packet 2: "2|js9", packet 3: "3|34m"
  • There is a REQUEST packet that goes to another port based on the cipher, ex. 5433 (changes daily?).
    The request packet provides the next sequence number and asks for the port to open (22, ssh in this example). That is ENCRYPTED together with the IP address, like so: "4|22|67.100.40.23" => encrypted as "f321a0a5eb48f2ef2f89f52124bcc11a"
  • The entire sequence is bracketed by a START port number and an END port number that change every day, with a simple string as payload. ex: START port: 8765, END port: 64100. So the entire OTP + port knock sequence from my OTP + port knock client is:
    • UDP: 8765 => "START_PK_SEQ"
    • UDP: 7111 => "1|3dz"
    • UDP: 31189 => "2|js9"
    • UDP: 40922 => "3|34m"
    • UDP: 5433 => "f321a0a5eb48f2ef2f89f52124bcc11a"
    • UDP: 64100 => "END_PK_SEQ"
    Port 22 is now open on the host firewall for the requesting IP, based on successfully decrypting packet #5.
  • In theory this would be resistant against man-in-the-middle and replay attacks.
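The rotating knock ports and per-knock tags from the sketch above, as an added Ruby example (not the post’s code): the server derives the same values from the shared secret and checks an arriving sequence against the current and previous slot. HMAC-SHA256 stands in for the unspecified “cipher”, the 90-second rotation and the 3-character tags (as in the examples) are assumptions.

```ruby
require 'openssl'

# Deriving the time-rotating knock ports and the one-time payload tags from a
# shared secret, and checking a received knock sequence on the server. An
# HMAC-SHA256 keyed with the secret stands in for the unspecified "cipher"
# (assumption); tags are 3 characters, as in the examples. Ports are mapped
# into 1024..65535 so a knock never lands on a privileged service port.
module OtpKnock
  ROTATE = 90                     # seconds a port set lives (post: 1-2 minutes)
  KNOCKS = 3                      # knocks per sequence
  ALPHABET = ('a'..'z').to_a + ('0'..'9').to_a

  def self.slot(now)
    now / ROTATE
  end

  def self.prf(secret, label, slot)
    OpenSSL::HMAC.digest('SHA256', secret, "#{label}|#{slot}")
  end

  # The three 16-bit knock ports for the slot containing +now+.
  def self.ports(secret, now)
    raw = prf(secret, 'ports', slot(now))
    Array.new(KNOCKS) { |i| 1024 + (raw[2 * i, 2].unpack1('n') % (65_536 - 1024)) }
  end

  # Payload of knock i: "<seq>|<tag>", the tag derived per slot and index.
  def self.payload(secret, now, i)
    tag = prf(secret, "tag#{i}", slot(now)).bytes.first(3).map { |b| ALPHABET[b % ALPHABET.size] }.join
    "#{i + 1}|#{tag}"
  end

  # Server side: +knocks+ is an array of [port, payload] pairs in arrival
  # order. The current and the previous slot are both accepted, so a sequence
  # that straddles a rotation boundary is not rejected.
  def self.valid?(secret, knocks, now)
    return false unless knocks.size == KNOCKS
    [now, now - ROTATE].any? do |t|
      expected = ports(secret, t).each_with_index.map { |p, i| [p, payload(secret, t, i)] }
      knocks == expected
    end
  end
end
```

Because the tags are derived per slot rather than per knock, a sequence captured on the wire can still be replayed within the same window; a server that remembers each accepted sequence for two slots closes that gap.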

Dec 10

This is DEPRECATED, because Gavin Stark wrote a native Ruby class last month. I will leave this up in case someone wants a C implementation for OS X, but Gavin did the work in Ruby and I encourage looking there:

 http://hasmanyquestions.wordpress.com/2007/11/23/perfect-paper-passwords-in-ruby/

Ruby Extension for GRC’s Perfect Paper Passwords V3.
UPDATE 12/11/2007: the current version only supports Mac OS X; I will be creating a Linux version shortly. Not sure if I’ll wrap a Windows version.
Ruby extension for the GRC Perfect Paper Passwords/PPP (http://www.grc.com/ppp/) C implementation by John Graham-Cumming.
Created with SWIG.
Version .01
CODE/LIB: http://www.1000fires.com/ppp3-Ruby-extension.zip
C Ref: http://www.jgc.org/blog/2007/11/steve-gibsons-ppp-new-version-3-in-java.html
NOTE: Because of the way C works, the first argument must be a space (not a null char).

The entry point to ppp3 is the Ruby call “Ppp3.main”, available after the require, which takes a Ruby array as its argument.

USAGE in ruby:

require 'ppp3' # ppp3.bundle

# Usage 1, just get a random sequence key.
Ppp3.main([" ", " "])

# Usage 2, create an array and call with arguments.
# Call Ppp3.main with this array:
a = ["", "efbda242bd1db23fd343b516a2a10d0eed08250e542a789811307f2011a92df6", "0", "2"]
Ppp3.main(a)

# Usage 3, call with an inline array literal.
Ppp3.main(["", "efbda242bd1db23fd343b516a2a10d0eed08250e542a789811307f2011a92df6", "0", "70"])

TODO. Add a Ruby convenience library to do some parsing and pretty printing as well as prepare for Rails integration.

Nov 09

For the life of me I can’t get Ethereal or any variant to work on my OS X 10.4 (yes, I have X11 installed). So, by whatever method, I got Ethereal installed, which comes with tethereal (a command-line variant). Below is how I sniffed my Rails app in action.

/sw/bin/tethereal -V -S -i lo0 -d 'tcp.port==3000,http'

Sep 30

application.rb implements a :before_filter that will:

  • use the model for actions: ‘action_permissions’
  • use the model for user permissions: ‘user_permissions’
  • use the session-level user permission variable ‘user_permission_sum’, the previously discussed base-2 sum of all allowed permissions
  • check that the user can execute the controller/action using ‘permission_token’

Sep 20

REVISED:

ACL, privilege, permission system based on a sum of exponents. {REVISED: a sum of powers of 2, including 1.} Huh?

A little theory:

Look at this NOW: Masking

Idea/Premise:

I present the automatic bartender. It makes sure only people of age get served alcohol, and that people who have partial liver failure only get beer.

RULES:
Everyone has a number on their driver’s license. It’s a single number that can’t be forged (please assume this); it’s easy to read and easy to carry. The automatic bartender can read it simply by scanning your license. Let’s call it your “Permission Number”:

Permission Number Examples

List of possible drinks; these numbers are all powers of 2, including 1:
————————
1 Drink Water
2 Drink Soda
4 Drink Beer
8 Drink Gin

The sum of all permission numbers in binary might be represented as:

00001111

Permission numbers for our test subjects. These are created by SUMming the permission numbers.
———————
Sara:
1 Drink Water
+ 4 Drink Beer
+ 8 Drink Gin
————
Permission Number = 13 (00001101)

Fun Bobby:
+ 4 Drink Beer
+ 8 Drink Gin
————
Permission Number = 12 (00001100)

Underage Kid:
+ 1 Drink Water
+ 2 Drink Soda
————–
Permission Number = 3 (00000011)

OK, now that the example people have their numbers, let’s have some fun. The math is really simple: because each drink permission is subject to masking, I can tell from your single permission number what drinks you can drink.

Ordering Drinks Example (paste into irb for fun!):

#!/usr/bin/ruby
# rbar_tender.rb
class Rbar_Tender

  ########################################
  # The bartender. He's actually very stupid.
  ########################################
  # Each drink is a single bit, so one set bit in the AND is enough here.
  def self.order_drink(drink_permission, person_permission)
    response = "Talk to the manager, I can't serve you now."
    if (person_permission.to_i & drink_permission.to_i) > 0
      response = "here's your drink, thanks for your business."
    end
    return response
  end
end # end of class

# basic permissions
drink_water = 1 # 0001b
drink_soda  = 2 # 0010b
drink_beer  = 4 # 0100b
drink_gin   = 8 # 1000b

# people's permissions
sara_permission = 13 # 1101b, assigned on walking into the bar with ID.

# open for business
puts "sara wants a beer..."

# drink_beer.to_i & sara_permission.to_i
puts Rbar_Tender.order_drink(drink_beer, sara_permission)

puts "\n...a minute later...\n\n"

puts "sara wants a soda..."
# drink_soda.to_i & sara_permission.to_i
puts Rbar_Tender.order_drink(drink_soda, sara_permission)




What is your point, Hank? Well, in applications, and web applications in particular, you need lots of permissions to do stuff. I mean literally dozens or hundreds of unique permissions:
* Login to your account.
* Delete pictures.
* Email a friend.

When someone wants to do something, you check that person’s own record to see if they have access. Below are some examples of permissions you might have to look up each time for each person (NOTE: looking this up takes time and resources); I’ve included a power-of-2 example beside each:

HAS_LOGIN_ACCESS (64)
HAS_DELETE_PICTURE_ACCESS (256)
HAS_EMAIL_FRIEND_ACCESS (1024)
HAS_ABILITY_TO_INVADE_IRAQ (73,786,976,295,000,000,000)

——
But wouldn’t it be cooler, and use a lot less typing, to have a single number, say 19 for me? And magically, because of math, we know what you are permitted to do. No database lookups each time you need to do something: your number IS what you can do. And each ACTION you perform has its own permission number.

UPDATE: 7/21/2007

The above idea does have one limitation. DUH! The permission numbers grow exponentially as we add permissions: simply having 66 permissions creates the huge number for HAS_ABILITY_TO_INVADE_IRAQ above. So I will explore something like TCP, with a series of 8- or 16-bit fields, and do XOR on those instead. So the above permissions would look like:

HAS_LOGIN_ACCESS (1000010)
HAS_DELETE_PICTURE_ACCESS (100000000)
HAS_EMAIL_FRIEND_ACCESS (10000000000)…
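An added Ruby example (not the blog’s code) covering both the Sep 30 before_filter and the bitmask post: one permission sum per user, a check that requires every bit of an action’s mask (the bartender’s “> 0” only works because each drink is a single bit), and splitting the sum into 16-bit words as the UPDATE suggests. Permission names and the word width are assumptions.

```ruby
# One integer per user, one bit per permission, fixed-width words for storage.
# Ruby integers are arbitrary precision, so 2**65 is an ordinary value here;
# the word split is for databases and wire formats with bounded columns.
class PermissionMask
  WORD_BITS = 16

  # Bit positions are assigned once, in a fixed order (the action_permissions
  # table in the Rails version). Names here are constructed.
  def initialize(names)
    @bits = {}
    names.each_with_index { |n, i| @bits[n] = 1 << i }
  end

  # The mask an action needs, or a user's sum, from permission names.
  # An unknown name raises, so a typo fails closed instead of granting nothing.
  def mask_for(*names)
    names.reduce(0) { |m, n| m | @bits.fetch(n) }
  end

  # The before_filter check: the user must hold *all* bits the action needs.
  # Comparing against action_mask (not against zero) is what makes a
  # multi-bit action mask work.
  def allows?(user_sum, action_mask)
    (user_sum & action_mask) == action_mask
  end

  # A user's sum split into 16-bit words, least significant word first, so
  # each stored column stays bounded however many permissions exist.
  def to_words(user_sum)
    words = []
    loop do
      words << (user_sum & 0xFFFF)
      user_sum >>= WORD_BITS
      break if user_sum.zero?
    end
    words
  end

  # Inverse of to_words: rebuild the single sum from stored words.
  def from_words(words)
    words.each_with_index.reduce(0) { |sum, (w, i)| sum | (w << (WORD_BITS * i)) }
  end
end
```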

H

Sep 20

OK, this is a very idealistic concept. We all hate SPAM and phishing! Would you not install an application that would attack BACK at the phishing sites? I would, damn skippy!

If you have not heard of Seti, or SETI, do a Google search and come back.

The idea is simple: a program that runs in the background when you are not doing anything, like a screensaver. This program would work with other computers to shut down known phishing web sites by flooding them with web requests.

I can explain the technology later, but suffice it to say, I think it might work.

Comments?

Sep 16

OK, I’m a little bit of a freak about security. I realize that using a system like Rails and trusting everything works as advertised takes a leap of faith anyway. And allowing users to provide future web output (or any input, for that matter) is inherently insecure.

This is a simple idea; if anyone perusing the web would like to comment on it, please do. I will be implementing this in my current and future projects, especially on my “settings” tables and anything that has the potential for injection above and beyond normal forms.

Each table in your model will implement a signature field.

In the example of my rcron idea, the table columns are:

dayofweek,month,dayofmonth,hour,minute,
signature,update_on,created_at,lock_type

1. environment.rb contains a private key/passphrase = “1234”. For non-Rails people: this is a config file and is not viewable from the web.

1.1 OR, more strongly, put it in a separate file outside the web root, and have ONLY one call to it, in a library. That way the variable is not global and goes out of scope after being used (make the call a class method), so nothing can access the key other than this code.

2. All tables have a signature field that is an encrypted string of the command. This is in effect like a digital signature; I work with VeriSign, so it makes sense that I think about this.

3. BEFORE a command is run, the signature is always verified. This means a cracker could not simply replace the contents of the table through a future exploit.

4. So in theory, you can sleep a little easier knowing that IF someone accesses your DB tables, they can’t cause havoc or insert an ‘rm -Rf’ into a table whose values are actually read and executed, like a background job table or an rcron table.
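Steps 1 to 4 carried through as an added Ruby example (not the rcron project’s code): the command-bearing columns of a row are signed with the private passphrase, and the job runner refuses any row whose signature does not verify. The signature is an HMAC-SHA256 (my stand-in for the post’s “encrypted string of command”), the key is passed in once rather than read from a global, and the rows and the assumed command column are constructed.

```ruby
require 'openssl'

# Sign the command columns of an rcron-style row and verify the signature
# before the row is executed. HMAC-SHA256 keyed with the private passphrase
# stands in for the post's "encrypted string of command" (assumption). The
# 'command' column is assumed; the other names follow the rcron layout.
class RowSigner
  # Only the columns that influence what gets executed are signed, in a fixed
  # order, so a reordered hash or a spare column cannot change the result.
  SIGNED = %w[dayofweek month dayofmonth hour minute command].freeze

  # The key is handed in once by the caller (the post's 1.1 variant).
  def self.sign(key, row)
    OpenSSL::HMAC.hexdigest('SHA256', key, canonical(row))
  end

  # True only if the stored signature matches the current column values.
  def self.verify?(key, row)
    sig = row['signature'].to_s
    expected = sign(key, row)
    sig.bytesize == expected.bytesize && constant_time_equal?(sig, expected)
  rescue KeyError
    false # a row missing a signed column is never runnable
  end

  # Length-prefixed fields, so "a|b" cannot be confused with "a" + "|b".
  def self.canonical(row)
    SIGNED.map { |c| v = row.fetch(c).to_s; "#{v.bytesize}:#{v}" }.join('|')
  end

  # Compare every byte so timing does not leak where the strings differ.
  def self.constant_time_equal?(a, b)
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # The job runner: only rows whose signature verifies are handed back.
  def self.runnable(key, rows)
    rows.select { |r| verify?(key, r) }
  end
end
```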