Thursday, 03 November 2011

Simple Linux Security Audit from Inside the System




Running Linux does not by itself make a system 100% safe from attack. An attacker may already have quietly broken into our Linux system without our noticing. Once in, the attacker usually leaves behind a separate way back in, built just for their own use; that is what we call a backdoor. A rootkit is the related toolkit: it is not a tool for getting root, but what the attacker installs after getting root to keep that access and hide it, typically by replacing or hooking system programs such as ps, ls, netstat and login so that the intruder's files, processes and connections no longer show up.

Here I will go through a simple way to audit the security of a Linux OS from inside the system itself, to find out whether a backdoor or rootkit is present. The tools I use are free and already available in the Ubuntu repositories.

The first tool is "chkrootkit"



chkrootkit is used to detect rootkits or backdoors present on our Linux system. Getting it is easy; here is how to install it:


$ sudo apt-get install chkrootkit


Once installed it can be run straight away. It needs root so that it can inspect every binary, log file and process on the system, so the command is:


# chkrootkit

ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not tested
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not found
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for rootkit HiDrootkit's default files... nothing found
Searching for rootkit t0rn's default files... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for rootkit Lion's default files... nothing found
Searching for rootkit RSHA's default files... nothing found
Searching for rootkit RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:
/usr/lib/libreoffice/basis3.4/program/.services.rdb
/usr/lib/python2.7/dist-packages/PyQt4/uic/widget-plugins/.noinit
/usr/lib/jvm/.java-1.6.0-openjdk.jinfo
/usr/lib/pymodules/python2.7/.path
/usr/lib/python2.6/dist-packages/PyQt4/uic/widget-plugins/.noinit

Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for common ssh-scanners default files... nothing found
Searching for suspect PHP files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
chkdirs: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
eth1: not promisc and no packet sniffer sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 1233 tty7 /usr/bin/X :0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch -background none
chkutmp: nothing deleted
Checking `OSX_RSPLUG'... not infected

chkrootkit checks the system's key binaries for known rootkit signatures and searches for the files, directories, sniffer logs and log tampering that known rootkits and worms leave behind. What to look for in the output is any line that says INFECTED, any interface reported as promiscuous or with a packet sniffer socket, and anything listed under "suspicious files and dirs". Not every hit is an intrusion, though. The five hidden files reported above live under /usr/lib and belong to installed packages (LibreOffice, PyQt4, OpenJDK and Python support files), so they are false positives; checking a reported path with "dpkg -S <path>" shows which package owns it. The chkutmp note about the X server on tty7 is likewise normal on a desktop with a display manager. Bear in mind that chkrootkit relies on the system's own ps, ls, netstat and similar commands; a kernel-level rootkit can hide from them, so on a machine you really suspect, run chkrootkit with -p pointing at known-good binaries on read-only media, or against the disk mounted from a live system using -r.

For more detail on chkrootkit see its site: http://www.chkrootkit.org/README
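As an added example (my own helper, not part of chkrootkit or of this post), the script below filters chkrootkit output down to the lines that need a human look, pulls out the paths listed under "suspicious files and dirs", and asks dpkg whether each one belongs to an installed package. Paths owned by a package are usually false positives like the ones above, while unowned ones deserve closer inspection (debsums can then verify the owning package's checksums, though a compromised host can lie to all of these tools). The sample output embedded in it is constructed to resemble the scan above and deliberately includes an INFECTED hit and a sniffer hit that did not occur on this machine.

```shell
#!/bin/sh
# Triage helper for chkrootkit output. Added example, not chkrootkit code.
# Works on both the verbose default output and "chkrootkit -q" (quiet) output.

# Constructed sample modelled on the scan above; not a real result.
SAMPLE_OUTPUT=$(cat <<'EOF'
Checking `basename'... not infected
Checking `ifconfig'... INFECTED
Checking `syslogd'... not tested
Searching for t0rn's v8 defaults... nothing found
Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:
/usr/lib/jvm/.java-1.6.0-openjdk.jinfo /usr/lib/pymodules/python2.7/.path
Checking `sniffer'... eth0: PACKET SNIFFER(/sbin/dhclient[1234])
Checking `chkutmp'... chkutmp: nothing deleted
EOF
)

# Drop every line that is a clean result; what remains needs a look.
findings() {
    printf '%s\n' "$1" | grep -Ev '(not infected|not found|nothing found|nothing detected|nothing deleted|no suspect files|not tested|not promisc and no packet sniffer sockets)$'
}

# Number of binaries chkrootkit flagged as INFECTED ("0" when none).
infected_count() {
    printf '%s\n' "$1" | grep -c 'INFECTED' || true
}

# The space-separated paths printed on the line after the
# "suspicious files and directories were found:" header, one per line.
suspicious_paths() {
    printf '%s\n' "$1" | awk '
        found { for (i = 1; i <= NF; i++) print $i; found = 0; next }
        /suspicious files and directories were found:/ { found = 1 }'
}

# Package that owns a path according to dpkg (assumes a dpkg-based system,
# as on the page); prints "unowned" when dpkg has no record or is absent.
owner_of() {
    pkg=""
    if command -v dpkg >/dev/null 2>&1; then
        pkg=$(dpkg -S "$1" 2>/dev/null | head -n1 | cut -d: -f1)
    fi
    printf '%s\n' "${pkg:-unowned}"
}

triage() {
    out="$1"
    echo "== lines that need a look =="
    findings "$out"
    echo
    echo "== package ownership of suspicious paths (dpkg -S) =="
    suspicious_paths "$out" | while read -r p; do
        echo "$p: $(owner_of "$p")"
    done
    echo
    echo "INFECTED results: $(infected_count "$out")"
}

# Usage: triage.sh [chkrootkit-output-file]; without a file the sample is used.
if [ -n "$1" ]; then triage "$(cat "$1")"; else triage "$SAMPLE_OUTPUT"; fi
```

On a real host, capture the scan with "sudo chkrootkit -q > chk.out" and run the script on chk.out; an INFECTED count above zero or an unowned path under a system directory is the point at which to stop trusting the machine's own tools and continue from a live system.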


------------------------------------------------------

The second tool for auditing the security of a Linux system is "lynis"

Unlike chkrootkit, which looks for traces of known rootkits, lynis is a general hardening audit: it checks accounts, password policy, SSH, firewall, logging, time sync, package management and so on. Its other advantage is that it writes the findings of each audit straight to a report file on disk.

It is installed the same way as chkrootkit:

$ sudo apt-get install lynis

Once installed, we can first check whether lynis and its databases have updates:

$ sudo lynis --check-update

== Lynis ==
Version : 1.2.9
Release date : 15 December 2009

== Databases ==
Current Latest Status
-----------------------------------------------------------------------------
Malware : 2008062700 2008062700 Up-to-date
File perms : 2008053000 2008053000 Up-to-date


Copyright 2007-2009 - Michael Boelen, http://www.rootkit.nl/


To audit the Linux system with lynis, the command is (the auditor name is recorded in the report):

$ sudo lynis --check-all --auditor "Dony Ramansyah"

[ Lynis 1.2.9 ]

################################################################################
Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
welcome to redistribute it under the terms of the GNU General Public License.
See LICENSE file for details about using this software.

Copyright 2007-2009 - Michael Boelen, http://www.rootkit.nl/
################################################################################

[+] Initializing program
------------------------------------
- Detecting OS... [ DONE ]
- Clearing log file (/var/log/lynis.log)... [ DONE ]

---------------------------------------------------
Program version: 1.2.9
Operating system: Linux
Operating system name: Ubuntu
Operating system version: 11.10
Kernel version: 3.0.0-13-generic
Hardware platform: x86_64
Hostname: XXXXX-DONY
Auditor: Dony Ramansyah
Profile: /etc/lynis/default.prf
Log file: /var/log/lynis.log
Report file: /var/log/lynis-report.dat
Report version: 1.0
---------------------------------------------------

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

- Checking profile file (/etc/lynis/default.prf)...
- Program update status... [ NO UPDATE ]

From here on, just press Enter whenever asked to continue, until the scan finishes.

Here is the report produced by Lynis:


-[ Lynis 1.2.9 Results ]-

Tests performed: 143
Warnings:
----------------------------
- [13:21:39] Warning: grpck binary found errors in one or more group files [test:AUTH-9216] [impact:M]
- [13:24:46] Warning: Root can directly login via SSH [test:SSH-7412] [impact:M]
- [13:25:32] Warning: No running NTP daemon or available client found [test:TIME-3104] [impact:M]

Suggestions:
----------------------------
- [13:21:39] Suggestion: Run grpck manually and check your group files [test:AUTH-9216]
- [13:21:40] Suggestion: Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [test:AUTH-9262]
- [13:21:40] Suggestion: When possible set expire dates for all password protected accounts [test:AUTH-9282]
- [13:21:40] Suggestion: Configure password aging limits to enforce password changing on a regular base [test:AUTH-9286]
- [13:21:40] Suggestion: Default umask in /etc/profile could be more strict like 027 [test:AUTH-9328]
- [13:21:40] Suggestion: Default umask in /etc/login.defs could be more strict like 027 [test:AUTH-9328]
- [13:21:40] Suggestion: Default umask in /etc/init.d/rc could be more strict like 027 [test:AUTH-9328]
- [13:22:07] Suggestion: To decrease the impact of a full /tmp file system, place /tmp on a separated partition [test:FILE-6310]
- [13:22:12] Suggestion: Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [test:STRG-1840]
- [13:22:12] Suggestion: Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [test:STRG-1846]
- [13:24:00] Suggestion: Install package apt-show-versions for patch management purposes [test:PKGS-7394]
- [13:24:35] Suggestion: Configure a firewall/packet filter to filter incoming and outgoing traffic [test:FIRE-4590]
- [13:25:21] Suggestion: Add legal banner to /etc/issue, to warn unauthorized users [test:BANN-7126]
- [13:25:21] Suggestion: Add legal banner to /etc/issue.net, to warn unauthorized users [test:BANN-7130]
- [13:25:31] Suggestion: Enable auditd to collect audit information [test:ACCT-9628]
- [13:25:32] Suggestion: Check if any NTP daemon is running or a NTP client gets executed daily, to prevent big time differences and avoid problems with services like kerberos, authentication or logging differences. [test:TIME-3104]
- [13:26:07] Suggestion: Harden the system by removing unneeded compilers. This can decrease the chance of customized trojans, backdoors and rootkits to be compiled and installed [test:HRDN-7220]
================================================================================
Files:
- Test and debug information : /var/log/lynis.log
- Report data : /var/log/lynis-report.dat
================================================================================
Hardening index : [45] [######### ]
================================================================================
Lynis 1.2.9
Copyright 2007-2009 - Michael Boelen, http://www.rootkit.nl/
================================================================================


The report has two categories, warnings and suggestions. A warning is a finding that should be fixed soon because it gives an attacker an easy way in or blinds us to one: here, root can log in directly over SSH (so a single guessed password gives full control; set PermitRootLogin to no in /etc/ssh/sshd_config and log in as a normal user first), grpck found inconsistencies in the group files, and there is no NTP client, so log timestamps cannot be trusted or correlated with other machines. Note that Lynis warnings are about configuration; they do not mean a rootkit or backdoor has been found, which is chkrootkit's job. Suggestions are recommendations to harden the system further, and the hardening index (45 out of 100 here) summarises how many of the tests passed.

The report file from the lynis audit can be found at /var/log/lynis-report.dat, and the full test-by-test log at /var/log/lynis.log.
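Added example, not part of Lynis or of this post: a small sh script that reads a lynis-report.dat, lists the warning test ids, and fails when any warning is present or the hardening index is under a threshold, so the audit can be run from cron or a deployment pipeline and its result acted on rather than just read. It also checks the fix for the SSH-7412 warning above by reading PermitRootLogin out of an sshd_config text. The report lines embedded below are constructed from the results shown above; the exact field layout of the warning[]= entries (test id first, pipe-separated) is an assumption to check against your own /var/log/lynis-report.dat.

```shell
#!/bin/sh
# Turn a Lynis report file into a pass/fail gate. Added example, not Lynis code.
# Relies only on the report being key=value lines where warning[]= and
# suggestion[]= entries carry the test id as the first |-separated field
# (assumed layout; compare with your own report file).

# Constructed sample modelled on the results above.
SAMPLE_REPORT="lynis_version=1.2.9
os=Linux
os_name=Ubuntu
os_version=11.10
auditor=Dony Ramansyah
warning[]=AUTH-9216|grpck binary found errors in one or more group files|M
warning[]=SSH-7412|Root can directly login via SSH|M
warning[]=TIME-3104|No running NTP daemon or available client found|M
suggestion[]=AUTH-9262|Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc
suggestion[]=FIRE-4590|Configure a firewall/packet filter to filter incoming and outgoing traffic
hardening_index=45"

# Value of a single key, e.g. report_value hardening_index "$report".
report_value() {
    printf '%s\n' "$2" | sed -n "s/^$1=//p" | head -n1
}

# Test ids of all warnings, one per line.
warning_ids() {
    printf '%s\n' "$1" | sed -n 's/^warning\[\]=\([^|]*\)|.*/\1/p'
}

# Number of warnings ("0" when none).
warning_count() {
    warning_ids "$1" | grep -c . || true
}

# Pass only when there are no warnings and the hardening index is at or
# above the threshold (default 60). Returns 0 on pass, 1 on fail.
gate() {
    report="$1"; threshold="${2:-60}"; rc=0
    n=$(warning_count "$report")
    if [ "$n" -gt 0 ]; then
        echo "FAIL: $n warning(s): $(warning_ids "$report" | tr '\n' ' ')"
        rc=1
    fi
    idx=$(report_value hardening_index "$report")
    if [ -z "$idx" ] || [ "$idx" -lt "$threshold" ]; then
        echo "FAIL: hardening index ${idx:-missing} below $threshold"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "PASS: hardening index $idx, no warnings"
    return "$rc"
}

# Effective PermitRootLogin in an sshd_config text, for re-checking SSH-7412.
# OpenSSH uses the first uncommented directive it sees; when none is present
# the built-in default applied, which on OpenSSH of that era was "yes".
# Matches the conventional capitalisation only and ignores Match blocks.
permit_root_login() {
    v=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*PermitRootLogin[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' \
        | head -n1)
    printf '%s\n' "${v:-yes}"
}

gate "$SAMPLE_REPORT" 60 || :
echo "PermitRootLogin in sample config: $(permit_root_login "PermitRootLogin no")"
```

On the host itself the same functions run as gate "$(cat /var/log/lynis-report.dat)" 60 and permit_root_login "$(cat /etc/ssh/sshd_config)"; "sshd -T | grep -i permitrootlogin" shows the value the running daemon actually applies, which is the one that matters after editing the file and restarting ssh.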

For more on lynis itself see: http://www.rootkit.nl/projects/lynis.html

I hope this is useful to you all :)


Dony Ramansyah
site : http://dony-ramansyah.bravehost.com
blog : dony-ramansyah.blogspot.com
email : dony.ramansyah[at]gmail.com
Registered Linux user: ID 400171