1)
i) Proper authentication mechanisms should be implemented wherever possible
ii) It's recommended to clear history, cookies, cache and restrict privileges to people
iii) Special characters must not be used for usernames. All pages must have output for a specific input
iv) Modify privileges to selected users
v) As an additional level of security, biometric security can be used to allow access to employees of the organization
viii) Directory on which Database is mounted must have Multifactor Authentication Mechanism for stronger security policy
ix) Private VPN should be used wherever possible
x) Access to Traffic must be whitelisted only for certain IP addresses of host systems
The most cost-effective one would be implementing MFA, strong security policies and using 256-bit AES encryption
3) The Griffith Policy addresses the following
The integrity and validity of information
The protection of University assets using authentication mechanisms
The policy doesn't address all the issues just because it says protection of university assets. We don't know what kind of authentication and security mechanisms are in place and which people have access to what controls and systems
The policy must clearly specify the type of authentication used and who has access to what to avoid confusion
1) Describe the permission of ping and how do you know if it is a SetUID Program
First of all ping needs to be run from root level which is like an admin level. Ping also allows us to set SETUID. One of the ways this can be done is as follows:
i) Using the passwd command
ii) Using crontab and at command
We can check if SetUID is set by typing the following command in terminal
chmod u+s myfile.txt // myfile is a sample file I created
ls -l // ls is used to list files
This command can be used to check if a user A in the owner permission field is replaced by s or S
Example listing a file file1.txt is as follows
Before using SUID bit
After using SUID bit
2) Describe your observation
Before using sudo chmod u-s /bin/ping we can see ping works
After using sudo chmod u-s /bin/ping
This is because ping needs to generate and receive ICMP packets, and usually that's done using "raw sockets", a feature limited to root (cap_net_raw) because it could also be abused to sniff and disrupt other traffic on the system.
Many distributions now just give ping the cap_net_raw privilege instead of full setuid root. This however needs both the kernel and the filesystem to support extended attributes (xattrs), and some "minimal" systems disable those.
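
The two checks described above (the s/S marker in the owner field of ls -l, and ping holding cap_net_raw instead of setuid root) can be scripted as follows. This is an added example, not part of the original answers; the function names suid_state and ping_privilege are assumptions made for illustration, and the temporary file is constructed sample input.

```shell
#!/bin/sh
# Added example: classify the setuid marker shown by ls -l and report how a
# binary such as ping obtains its raw-socket privilege.

# suid_state FILE -> "s" (setuid and owner execute), "S" (setuid without
# owner execute, so the bit has no effect), "-" (setuid not set).
suid_state() {
    [ -e "$1" ] || return 1
    # Character 4 of the mode string is the owner execute/setuid slot.
    # -L follows symlinks so a linked /bin/ping is inspected, not the link.
    case "$(ls -ldL -- "$1" | cut -c4)" in
        s) echo "s" ;;
        S) echo "S" ;;
        *) echo "-" ;;
    esac
}

# ping_privilege FILE -> "setuid", "cap_net_raw" or "none".
# Only the mode bit is checked; setuid grants root only if root owns the file.
ping_privilege() {
    [ -e "$1" ] || { echo "missing"; return 1; }
    if [ "$(suid_state "$1")" = "s" ]; then
        echo "setuid"
    elif command -v getcap >/dev/null 2>&1 &&
         getcap "$1" 2>/dev/null | grep -q cap_net_raw; then
        echo "cap_net_raw"      # file capability stored in an xattr
    else
        echo "none"
    fi
}

# Constructed sample: a scratch file taken through the same chmod steps.
tmp=$(mktemp)
chmod 644 "$tmp"; chmod u+s "$tmp"
echo "u+s on a rw- file: $(suid_state "$tmp")"
chmod u+x "$tmp"
echo "after u+x:         $(suid_state "$tmp")"
chmod u-s "$tmp"
echo "after u-s:         $(suid_state "$tmp")"
rm -f "$tmp"

# Report on the local ping binary, if there is one.
p=$(command -v ping 2>/dev/null || true)
if [ -n "$p" ]; then
    echo "$p: $(ping_privilege "$p")"
fi
```

A result of "none" for ping on a system where unprivileged ping still works usually means the distribution allows unprivileged ICMP sockets through a kernel setting rather than through either mechanism checked here.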
3) Describe your observation
Note: I have not added a screenshot of the last command due to the security implications of the command. Once the permission is provided it becomes difficult to disable it
4) /usr/bin/passwd is to facilitate changing of user's password. If you use it as shell of the user, the user will not be able to login but will be able to (or putting it more correctly, always be forced to) change his/her password at every login attempt