Wednesday, April 11, 2012

How to Dynamically Scan for New Devices in Linux

In Solaris you have this cool command available for root and sudo users called "devfsadm."  It will scan hardware like Host Bus Adapters (HBA), Universal Serial Bus (USB), tape, etc. for any newly attached devices.  So why doesn't Linux have such a cool command?  Well, if you have NetBackup Client installed on your Linux host then you have some scanning utilities.  And with VMware your Linux VM gets some dynamic scanning ability from vmware-tools.  But for native Linux operating systems you get nothing!  Update: RHEL 6 and up ships a rescan script at /usr/bin/rescan-scsi-bus.sh, which is the recommended way to do this.  If you don't have RHEL, or for some reason the script does not exist, look at installing the fibreutils.x86_64 package.  If all else fails, the method discussed below works very well.

Linux keeps its device configuration in /sys.  For our example we are scanning a Small Computer System Interface (SCSI) host, and it doesn't matter whether that host is attached over parallel SCSI or Fibre Channel.  In /sys/class/scsi_host/ you may find multiple hostN directories, where N numbers the HBA cards you have installed.  A very basic system may only have host0.  It depends on how many SCSI target IDs (up to 15) you have configured to probe.  Larger systems with multiple paths and connections will have more, for reliability and serviceability.  But for our example we have one: host0.  In /sys/class/scsi_host/host0 we find several files that hold important information.  When it comes to dynamically scanning a SCSI host for newly attached hardware we want to write to a file called "scan."  The file has some funny permissions:

--w------- 1 root root 4096 Apr 11 15:13 scan

You can't read it - even if you are root.  But you can write to it (as root or with sudo).

Here's what we want to write.  The file takes 3 fields (channel, target ID and LUN), and a "-" in a field means every value.  Here is one way to quickly populate the file to get the host to check for new hardware:

echo "- - -" > /sys/class/scsi_host/host0/scan

Then run fdisk (before and after) to see the newly attached device.

/sbin/fdisk -l | grep Disk

That's it!  That's all the magic it takes to dynamically scan a SCSI device for a new disk or tape.
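The whole procedure as a small script, added here as an example and not part of the original post: it snapshots the block devices, writes "- - -" to every hostN/scan rather than only host0, and prints what appeared. The optional sysfs-root argument is an assumption of this example (so it can be tried against a mock directory tree); against the real /sys it must run as root.

```shell
#!/bin/sh
# Added example, not code from the original post: rescan every SCSI host
# under /sys/class/scsi_host and report which whole-disk devices appeared.
# The optional first argument (sysfs root) is a hypothetical override so the
# functions can be exercised against a mock tree without root or hardware.

# Whole block devices as sysfs lists them (what "fdisk -l | grep Disk" shows).
list_block_devices() {
  sysfs="${1:-/sys}"
  for dev in "$sysfs"/block/*; do
    [ -e "$dev" ] && basename "$dev"
  done | sort
}

# Write "- - -" (any channel, any target ID, any LUN) to every hostN/scan.
# Prints how many hosts were rescanned; needs root against the real /sys.
rescan_scsi_hosts() {
  sysfs="${1:-/sys}"
  count=0
  for host in "$sysfs"/class/scsi_host/host*; do
    [ -e "$host/scan" ] || continue
    printf '%s\n' "- - -" > "$host/scan" || return 1
    count=$((count + 1))
  done
  echo "$count"
}

# Names present in the "after" list ($2) but not in the "before" list ($1).
new_devices() {
  printf '%s\n' "$2" | awk -v before="$1" '
    BEGIN { n = split(before, b, "\n"); for (i = 1; i <= n; i++) seen[b[i]] = 1 }
    $0 != "" && !($0 in seen)'
}

# Snapshot, rescan, snapshot again, and print only what is new.
rescan_and_report() {
  sysfs="${1:-/sys}"
  before=$(list_block_devices "$sysfs")
  rescan_scsi_hosts "$sysfs" > /dev/null || return 1
  after=$(list_block_devices "$sysfs")
  new_devices "$before" "$after"
}
```

Run it as `sudo sh rescan.sh` to rescan the real system, or pass a directory as the first argument to exercise it against a mock tree.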

But wait, there's more.  Who's to say this little bit of information can't be exploited through some vulnerability in Samba or some other software on your Linux host?  In these days of virtual devices you may have a fortress of physical security, but everything is virtualized.  Your attacker doesn't even have to be in the same country!  What's keeping someone who has gained privileged access from virtually attaching their USB device to your Linux host to do something malicious?  A lot of people may be skeptical of such activities, but being paranoid is actually a good thing!  Let's look at some of the protections that may be built in to your environment to prevent this from happening.

  1. First, keep your Linux host up to date with patches.  Patch daily if possible.  Even fully patched servers are exposed to zero-day vulnerabilities, so we need more layers to protect our host.
  2. Lock your system down, also known as hardening the operating system.  If you follow the free advice from the NSA, NIST and other organizations you may already have turned off USB at the BIOS level and within the configuration of the operating system (packages, kernel, services, config files, etc.).  This step alone can go a LONG way toward preventing unanticipated reactions to a flaw in software.
  3. Have a local firewall enabled and locked down to only allow certain traffic in and out.  If you are feeling brave, configure Security Enhanced Linux (SELinux) to isolate applications.  At the very least run SELinux in permissive mode so it logs what it would have denied.
  4. Monitor the host for changes.  Tripwire is a product that can help with this; it will send alerts if you configure it properly.  Monitor your system configuration and set it up to alert you.  When a new volume (disk, tape, CD, DVD, USB, etc.) shows up, mounted or in raw form, you should know about it!  Hardware should never magically appear and disappear without some notification.  Always monitor from internal and external points if at all possible.  Who is monitoring your monitor?  Eliminate single points of failure in your monitoring system.
  5. Permissions are already tight on our "scan" file.  We can only write to it as root or with sudo privileges.  We can't edit the file because it's not readable.  We can't execute the file because its permissions are not set to execute.  We can apply further restrictions by setting access control lists (ACLs).  We use ACLs on a lot of different devices, from routers to servers.
  6. Logging.  If someone gained access through a vulnerability in other software, I hope you are doing enough logging of events (and alerting, of course) and auditing.  Linux comes with syslog to configure logging levels, and we can also turn on the audit daemon to know who made the change.  LogRhythm and Splunk provide robust software to help analyze and alert based on events.  You can configure software to help with Security Information and Event Management (SIEM).  The goal is to know what happened, by whom (or what) and when, which may lead you to an Incident Response and then a Forensics investigation (topics for another blog).
  7. At the network, data link and physical layers we can do even more scanning, filtering, collecting and alerting.  Types of attacks have signatures, so they can be identified when they occur.  Tools like Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS) and passive taps on your network can automatically detect and prevent (and alert you to) attacks.  Configuration is the key to setting them up properly.  Include configuration with the purchase so the vendor will certify the system before they leave.  False positives are like the boy who cried wolf too many times.  Network Access Control (NAC) systems are popular because they combine several tools (anti-virus, intrusion prevention and vulnerability management) into one.  There are other appliances that consolidate your tools; beware that some perform well at some tasks and not well at others.
I had better stop here because we could go on and on.  As you can see, one man's dynamic scanning solution is another man's hack into a system.  Practice diligence and vigilance!
