<< Prev  |  TOC  |  Front Page  |  Talkback  |  FAQ  |  Next >>
LINUX GAZETTE
...making Linux just a little more fun!
Auditing the Three Finger Salute
By Dean Wilson

"Its only running a single service, we're fully patched and it has a local firewall that denies by default."
"What happens if i do Ctrl-Alt-Delete?"

Introduction

One of the basic premises of computer security is that it's almost impossible to fully secure any machine to which an attacker has physical access. While we cannot cover all eventualities, we can make some simple changes to catch any use of the more blatant avenues of abuse. In this document we will cover how to stop unauthorised people from casually rebooting your machines.

The Problem

Anyone who walks up to a keyboard connected to a Linux machine can press Control-Alt-Delete to reboot it without entering a username or a password. Even Windows machines require a valid login (either the current user or one with Administrator privileges) before you can reboot a running machine like this if it has a locked screen. This does not even have to be an issue of malice, it is not uncommon for people familiar with Windows NT or Windows 2000 to use Control-Alt-Delete in an X-Windows session expecting to be shown a screen to lock the workstation, or open the task manager and instead seeing the dreaded "The system is going down for reboot NOW!" message as their work vanishes along with the systems uptime.

A Solution

In many Linux distributions the key combination of Control-Alt-Delete (Which is often referred to as ctrl-alt-del or "the 3 finger salute") is pre-configured to reboot the machine. While this may be acceptable for a single user desktop at home it is an unnecessary risk for office workstations or even servers because of one important fact, it requires no authentication to perform.

To prevent this destructive behavour we are going catch Control-Alt-Delete's and disable this "feature" by replacing the default action with a script of our own. We will also add auditing in order to catch and log any attempts to reboot. To do this we will add a single shell script to the system, make a change to the '/etc/inittab' configuration file so our own handler gets called and then add a little log rotation (If you run 'logrotate') to keep everything shipshape.

The bash shell script that does most of the actual work is called 'audit_cad.sh' and can be found here. It can be invoked in two ways. The first way is to call it is with the '-c' argument. In this mode the script will check that all of its external dependencies are both present and executable. This is the best way to ensure that your system satisfies all the prerequisites.

If any of the tests fail then an error will be printed containing the name of the suspect binary and the script will carry on until it has finished checking them all. If any of the checks fail, when the script finishes executing a exit code of '1' will be returned. The external binaries we depend on are:

Of these the only one that may need manual editing is basename which often varies between the '/usr/bin' and '/bin' directories. Typically you will run the script in check mode when you first install it to ensure that it will run correctly and nothing is missing. As this script is run as root it is a good idea to ensure that the permissions are as tight as possible with only the super user having any access to the file. Ideally they should be set to -rwx------, you can do this with the following command; 'chmod 0700 audit_cad.sh'.

The second way to call it is without arguments, when run in this fashion it logs an entry to both 'syslog' (with a user specified facility and level) and an external file, which defaults to '/var/log/shutattempt'. This is how it will be executed to audit Control-Alt-Delete's.

For the purposes of this document we call the script 'audit_cad.sh' and it is located in '/usr/local/sbin/'. To change either of these settings or any of the other ones just open the script in your editor of choice and scroll along. All the configuration options are commented.

Now we have the script in place we are going to edit the default handler for Ctrl-Alt-Delete in the '/etc/inittab' file. The line we want instructs 'init' to listen for Control-Alt-Delete events and tells it to execute a specific command when it receives one. In most distributions the id will be 'ca' and the actual entry will look similar to "ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now" The important section of this line is the last field which begins '/sbin/shutdown', to change the systems behaviour you can edit the current command and point it to our 'audit_cad.sh' script. If you have been following along with the examples the full path will be '/usr/local/sbin/audit_cad.sh'

Once you have made this change you need to tell the 'init' process that 'inittab' has changed. The easiest way of doing this is to run 'telinit q' which causes 'init' to reread its configuration file without restarting

Now we are in a position to test our changes, before you do this i recommend closing down anything that is not essential to the system such as GUI's and editing sessions, if we have made a mistake while following the examples the system is about to reboot and its better to be safe than annoyed at the author! When you are ready press Ctrl-Alt-Delete and nothing at all should happen.

If your system is still up at this point then check both the syslog file (typically this is '/var/log/messages' or '/var/log/syslog') and the external log file we specified in the 'audit_cad.sh' file to ensure that the logging was successful. If your system has rebooted then check each step and try again.

Once you have this working it's worth going the final mile and adding some automated log processing. This can vary from setting up 'SWATCH' or 'logwatch' to send you automated alerts to adding log rotation to keep the file sizes down. A simple example if you have 'logrotate' running on your machine (Both recent Redhat and Debian distributions do) is given below and can also be found here.


daily
rotate 7
compress
delaycompress

/var/log/shutattempt {
  nomail
  notifempty
  missingok
  create 0600 root root
}

To add this to 'logrotate''s processing list just add a file called audit_cad to your 'logrotate' directory, which is often located at '/etc/logrotate.d' with the above snippet or another similar one as contents and you no longer have to worry about it eating up disk space.

Closing Notes

While this technique will successfully log any attempts to reboot the machine there are a couple of points worth noting. The first is accountability, it is not possible using this script alone to determine who actually tried to take the machine over. This is because no authentication information is available for logging, 'init', the program that actually handles the Ctrl-Alt-Delete, runs as root so any attempts to capture the invoking username will return 'root'.

By making some minor changes to 'audit_cad.sh' it would be possible to capture the output of w or who to the logs but this information isn't as useful as you may think in this situation, these commands only track the valid users that have supplied credentials to logon, something that someone who just walks upto your keyboard and presses Control-Alt-Delete does not need to supply and so the person who actually tried is the only one not logged!

The second point to consider is how obvious to make this script. If you want to be sneaky and obscure its presence you can call it 'shutdown' and save it in a non-standard location.

Further Reading

For further information on the format and purpose of 'inittab' please see 'man 5 inittab' and for a full list of the options 'telinit' supports please read 'man 8 telnint'. If you are unfamiliar with 'logrotate' then its manpage is a good starting point 'man 8 logrotate'.

 

[BIO] Dean Wilson is (this week) a systems administrator and occasional updater to his pages at www.unixdaemon.net


Copyright © 2003, Dean Wilson. Copying license http://www.linuxgazette.net/copying.html
Published in Issue 93 of Linux Gazette, August 2003

<< Prev  |  TOC  |  Front Page  |  Talkback  |  FAQ  |  Next >>