# Module 8: Linux Overview

:::success
Here is a cheat sheet generated from the course content using ChatGPT. It recaps the main concepts of each module, definitions and examples. At the end of (almost) each part, you will find a link to online related flashcards.
:::

### 8.1 Linux Basics

---

#### **8.1.1 What is Linux?**

**Definition**: Linux is an open-source operating system created in 1991. It is highly customizable, reliable, and requires minimal hardware resources.

**Key Features**:
- **Open Source**: Free to inspect, modify, and redistribute.
- **Network-Centric**: Simplifies development of network-based applications.
- **Wide Usage**: Found on devices ranging from wristwatches to supercomputers.
- **Distributions (Distros)**: Customized versions of Linux with specific tools. Examples include:
  - **Debian**
  - **Red Hat**
  - **Ubuntu**
  - **CentOS**
  - **SUSE**

---

#### **8.1.2 The Value of Linux**

**Why Linux is Preferred in Security Operations Centers (SOC)**:
1. **Open Source**:
   - Free and modifiable for specific needs.
   - Enables tailored security analysis platforms.
2. **Powerful CLI**:
   - More efficient than a GUI.
   - Enables local and remote terminal-based tasks.
3. **User Control**:
   - The root (administrator) user can modify every aspect of the system.
4. **Network Communication Control**:
   - Ideal for creating and fine-tuning network applications.
   - Supports numerous Linux-only network-based tools.

---

#### **8.1.3 Linux in the SOC**

Linux is highly flexible, allowing complete customization for security analysis in SOCs. Administrators can build lean systems with only essential tools and packages.

**Common SOC Tools**:
- **Network Packet Capture Software**:
  - **Example**: Wireshark.
  - Captures and inspects network transactions in detail.
- **Malware Analysis Tools**:
  - Enable safe execution and observation of malware.
- **Intrusion Detection Systems (IDSs)**:
  - Monitor traffic in real time.
  - Execute pre-defined actions when rules are matched.
- **Firewalls**:
  - Implement rules to allow or block network traffic.
- **Log Managers**:
  - Process and organize log entries for easy monitoring.
- **Security Information and Event Management (SIEM)**:
  - Provides real-time analysis of alerts and logs from tools like IDSs and firewalls.
- **Ticketing Systems**:
  - Manage task assignments and security alerts.

**Example Tool**:
- **Security Onion**: A Linux distribution designed for network security analysis. Features tools like Sguil, a cybersecurity analyst console.

---

#### **8.1.4 Linux Tools**

SOC Linux systems often include **penetration testing tools** (PenTesting) to identify vulnerabilities through simulated attacks.

**Examples of PenTesting Tools**:
- **Packet Generators**: Create and test custom network packets.
- **Port Scanners**: Identify open ports on a network or system.
- **Proof-of-Concept Exploits**: Test vulnerabilities in a controlled environment.

**Popular Distribution**:
- **Kali Linux**:
  - A specialized distro containing a wide range of PenTesting tools.
  - Categories of tools include network testing, exploitation frameworks, and forensic tools.

Linux's versatility and toolset make it indispensable for SOC analysts and penetration testers.

>[!Warning]Recap
>Linux is a fast, reliable, and small open-source operating system. It requires few hardware resources to run and is highly customizable. It is designed to be used on networks. The Linux kernel is distributed by different organizations with different tools and software packages. A customized version of Linux that is called Security Onion contains software and tools that are designed for use in network security monitoring by cybersecurity analysts. Kali Linux is another customized Linux distribution that has numerous tools that are designed for network security penetration testing.

### 8.2 Working in the Linux Shell

#### **8.2.1 The Linux Shell**

- Linux users interact with the OS via CLI or GUI.
- **Terminal Emulators:** Applications like Terminator, xterm, gnome-terminal provide CLI access.
- **Key Tools:**
  - Use `ls` to view directory content.
  - Use the **`man` command** for command documentation.

#### **8.2.2 Basic Commands**

| **Command** | **Description** |
|-------------|-----------------|
| `mv` | Moves or renames files and directories. |
| `chmod` | Modifies file permissions. |
| `chown` | Changes the ownership of a file. |
| `dd` | Copies data from an input to an output. |
| `pwd` | Displays the name of the current directory. |
| `ps` | Lists the processes that are currently running in the system. |
| `su` | Simulates a login as another user or to become a superuser. |
| `sudo` | Runs a command as a superuser, by default, or as another named user. |
| `grep` | Searches for specific strings of characters within a file or in the output of other commands. To search through the output of a previous command, that output must be piped into `grep`. |
| `ifconfig` | Displays or configures network card-related information. Note: while still widely in use, this command is deprecated. Use `ip address` instead. |
| `apt-get` | Installs, configures, and removes packages on Debian and its derivatives. |
| `iwconfig` | Displays or configures wireless network card-related information. |
| `shutdown` | Shuts down the system. It can be instructed to perform tasks such as restarting, halting, or sleeping. |
| `passwd` | Changes a password. If no parameters are provided, `passwd` changes the password for the current user. |
| `cat` | Lists the contents of a file and expects the file name as the parameter. The `cat` command is usually used on text files. |
| `man` | Displays the documentation for a specific command. |

#### **8.2.3 File and Directory Commands**

| **Command** | **Description** |
|-------------|-----------------|
| `ls` | Displays the files inside a directory. |
| `cd` | Changes the current directory. |
| `mkdir` | Creates a directory under the current directory. |
| `cp` | Copies files from source to destination. |
| `mv` | Moves or renames files and directories. |
| `rm` | Removes files. |
| `grep` | Searches for specific strings of characters within a file or other command outputs. |
| `cat` | Lists the contents of a file and expects the file name as the parameter. |

#### **8.2.4 Working with Text Files**

- **Command-line text editors** (e.g., `nano`, `vim`) are crucial for remote administration.
- Benefits:
  - Lightweight and functional without a GUI.
  - Essential for editing configuration files remotely via SSH.
- **Example:**
  - Use `nano filename` to open and edit a file.
  - Press `Ctrl+O` to save, `Ctrl+X` to exit.

#### **8.2.5 Importance of Text Files in Linux**

- **Everything as a File:** Includes hardware, directories, and memory.
- **Configuration Files:** Used to store application or service settings.
  - Changes are made using text editors and saved to alter application behavior.
  - Example:
    - `sudo nano /etc/hosts`: Edit host configurations with superuser permissions.

>[!Warning]Recap
>In Linux, the user communicates with the operating system through a GUI or a command-line interface (CLI), or shell. If a GUI is running, the shell is accessed through a terminal application such as xterm or gnome terminal. Linux commands are programs that perform a specific task. The man command, followed by a specific command, provides documentation for that command. It is important to know at least basic Linux commands, file and directory commands, and commands for working with text files.
>In Linux everything is treated as if it were a file, including the memory, disks, monitor, and directories.

### 8.3 Linux Servers and Clients Cheat Sheet

#### **8.3.1 Introduction to Client-Server Communications**

- **Server:** A computer with software that provides services to clients across a network. Examples include file servers, email servers, and web servers.
- **Client:** A hardware/software combination used directly by users to access resources or services from servers.
- **Client-Server Model Workflow:**
  - Resources (e.g., files) are stored on the server.
  - Clients request and retrieve resources via a network.
  - Files can be downloaded from the server to the client or uploaded from the client to the server.

![image](https://hackmd.io/_uploads/SyHqtIafJg.png)

---

#### **8.3.2 Servers, Services, and Their Ports**

| **Port** | **Service** |
|----------|-------------|
| 20/21 | File Transfer Protocol (FTP) |
| 22 | Secure Shell (SSH) |
| 23 | Telnet remote login service |
| 25 | Simple Mail Transfer Protocol (SMTP) |
| 53 | Domain Name System (DNS) |
| 67/68 | Dynamic Host Configuration Protocol (DHCP) |
| 69 | Trivial File Transfer Protocol (TFTP) |
| 80 | Hypertext Transfer Protocol (HTTP) |
| 110 | Post Office Protocol version 3 (POP3) |
| 123 | Network Time Protocol (NTP) |
| 143 | Internet Message Access Protocol (IMAP) |
| 161/162 | Simple Network Management Protocol (SNMP) |
| 443 | HTTP Secure (HTTPS) |

- **Well-known Ports:** Commonly used ports for specific services, predefined for easier client-server communication.
- **Port Listening:** A server "listens" on a specific port when it is ready to provide a service using that port.

---

#### **8.3.3 Clients**

- **Definition:** Programs or applications designed to communicate with specific types of servers using predefined protocols.
- **Examples of Clients:**
  - **Web Browsers:** Communicate with web servers using HTTP on port 80 or HTTPS on port 443.
  - **FTP Clients:** Communicate with FTP servers for file transfer on ports 20/21.
- **Client-Server Interaction Workflow:**
  - Clients upload files to servers for storage or download resources stored on servers.
  - Communication is handled through well-defined protocols, ensuring compatibility and efficiency.

![image](https://hackmd.io/_uploads/Hyl3tITfke.png)

>[!Warning]Recap
>Servers are computers that have software installed that enables them to provide services to client computers across the network. Some services provide access to external resources such as files, email, and web pages, to clients upon request. Other services run internally and perform tasks such as log management, memory management, or disk scanning. To enable a computer to provide multiple services, ports are used. A port is a reserved network resource that "listens" for requests by clients. While the port number that is used by a service can be configured, most services listen on default "well-known" ports.
>
>Client software applications are designed to communicate with specific types of servers. Web browsers are designed to communicate with web servers by using the HTTP protocol on port 80. FTP clients communicate with FTP servers to transfer files.

### 8.4 Basic Server Administration

#### **8.4.1 Service Configuration Files**

- **Overview**:
  - Linux services are managed through configuration files.
  - Common options: port numbers, resource locations, client authorization details.
  - Service changes often require restarting the service.
- **Key Notes**:
  - Editing configuration files typically requires **superuser privileges**.
  - Configuration examples:
    - **Nginx** configuration (`/etc/nginx/nginx.conf`): Manages worker processes and connection limits.
    - **NTP** configuration (`/etc/ntp.conf`): Specifies time servers and access restrictions.
    - **Snort** configuration (`/etc/snort/snort.conf`): Used to set network variables for intrusion detection.
---

#### **8.4.2 Hardening Devices**

- **Objective**:
  - Improve device security by applying tested measures and controlling administrative access.
- **Best Practices**:
  - Ensure **physical security** of devices.
  - **Minimize installed packages**: Remove unnecessary software.
  - **Disable unused services**: Prevent unnecessary background processes.
  - Use **SSH** for secure logins:
    - Disable **root login** over SSH.
  - Regularly **update the system** to patch vulnerabilities.
  - Disable **USB auto-detection** to prevent unauthorized USB device usage.
  - Enforce **strong passwords**:
    - Periodically require password changes.
    - Disallow reuse of old passwords.

---

#### **8.4.3 Monitoring Service Logs**

- **Purpose**:
  - Log files are essential for tracking events, system performance, and identifying potential issues.
- **Types of Logs**:
  - **Application logs**: Events specific to applications.
  - **Event logs**: Records of general system events.
  - **Service logs**: Logs generated by daemons.
  - **System logs**: Kernel and OS-related messages.
- **Key Log Files**:

| **Log File** | **Description** |
|--------------|-----------------|
| `/var/log/messages` | Contains general activity logs; stores non-critical system messages. |
| `/var/log/auth.log` | Tracks authentication events on Debian/Ubuntu systems. |
| `/var/log/secure` | Tracks authentication and sudo events on Red Hat/CentOS systems. |
| `/var/log/boot.log` | Logs messages from the system boot process. |
| `/var/log/dmesg` | Captures kernel ring buffer messages; useful for hardware and driver diagnostics. |
| `/var/log/kern.log` | Stores kernel-generated messages. |
| `/var/log/cron` | Logs scheduled tasks (cron jobs) and their execution status. |
| `/var/log/mysqld.log` | Logs events for MySQL database operations. |
| `/var/log/mysql.log` | An alternative MySQL log location for Debian and Ubuntu distributions. |

- **Example Command**:
  - View `/var/log/messages`:
    ```bash
    sudo cat /var/log/messages
    ```
- **Sample Log Output**:
  ```plaintext
  Mar 20 15:28:45 secOps kernel: Linux version 4.15.10-1-ARCH
  Mar 20 15:28:45 secOps kernel: BIOS-provided physical RAM map:
  Mar 20 15:28:45 secOps kernel: Command line: BOOT_IMAGE=/boot/vmlinuz-linux root=UUID=07c6b457-3f39-4ddf-bfd8-c169e8a877b2 rw quiet
  ```
- **Daemon Example**:
  - **System Security Services Daemon (SSSD)**:
    - Handles remote access and authentication for single sign-on.

>[!Warning]Recap
>In Linux, servers are managed by using configuration files. Various settings can be modified and saved in configuration files. When a service is started, it looks at its configuration file(s) to know how it should run. There is no rule for the way configuration files are written. Configuration file formatting depends on the creator of the server software.
>
>Linux devices should be secured by using proven methods to protect the device and administrative access. This is known as hardening devices. One way to harden a device is to maintain passwords, configure enhanced login features, and implement secure remote login with SSH. It is also very important to keep the operating system up to date. Other ways to harden a device are to force periodic password changes, enforce strong passwords, and to prevent reuse of passwords.
>
>Finally, Linux clients and servers use logfiles to record the operation of the system and important events. A number of different logfiles are maintained including application logs, event logs, service logs, and system logs. Server logs record activities that are conducted by remote users who access system services. It is important to know the location of different logs in the Linux file system so that they can be accessed and monitored for problems.
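The following script is an added example, not part of the course or of this cheat sheet. It ties 8.4.1 (services read their settings from a text configuration file that only a superuser may edit) to 8.4.2 (disable root login over SSH, enforce a password policy) by reading an OpenSSH `sshd_config` the way `sshd` reads it and reporting the hardening gaps. The keywords `PermitRootLogin`, `PasswordAuthentication` and `MaxAuthTries` are real OpenSSH options; the "4 attempts or fewer" threshold is an assumed local policy, not a course figure, and the `key value` line syntax (not the `key=value` form, and no `Include` handling) is an assumption of the parser.

```shell
#!/bin/sh
# Added example (not course material): audit an sshd_config against the
# hardening items of 8.4.2. sshd uses the FIRST occurrence of a keyword and
# stops reading global options at the first "Match" block, so a "no" appended
# below an earlier "yes" changes nothing; the parser mirrors that behaviour.

# Print only the effective lines of a config file: no comments, no blank lines.
effective_config() {
    grep -vE '^[[:space:]]*(#|$)' "$1"
}

# sshd_get FILE KEYWORD -> value sshd would use (first match, case-insensitive
# keyword, global section only). Prints nothing when the keyword is unset.
sshd_get() {
    effective_config "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }              # end of the global section
        tolower($1) == key     { print $2; exit }    # first value wins
    '
}

# audit_sshd FILE -> one line per finding; exit status 0 only when nothing was found.
audit_sshd() {
    f=$1
    findings=0

    # 8.4.2: disable root login over SSH. An unset keyword falls back to the
    # OpenSSH built-in default, which is not "no", so it is reported as well.
    v=$(sshd_get "$f" PermitRootLogin)
    if [ "${v:-unset}" != "no" ]; then
        echo "FINDING: PermitRootLogin is '${v:-unset}' (expected no)"
        findings=$((findings + 1))
    fi

    # Assumed local policy: at most 4 authentication attempts per connection
    # (OpenSSH default is 6).
    v=$(sshd_get "$f" MaxAuthTries)
    if [ "${v:-6}" -gt 4 ]; then
        echo "FINDING: MaxAuthTries is '${v:-6 (default)}' (expected 4 or fewer)"
        findings=$((findings + 1))
    fi

    # Password logins are still allowed: the strong-password rules of 8.4.2 apply.
    v=$(sshd_get "$f" PasswordAuthentication)
    if [ "${v:-yes}" != "no" ]; then
        echo "NOTE: PasswordAuthentication is '${v:-yes (default)}'; enforce strong passwords and rotation"
    fi

    [ "$findings" -eq 0 ]
}

# Usage: sudo sh sshd_audit.sh /etc/ssh/sshd_config
if [ -n "${1:-}" ]; then
    audit_sshd "$1"
fi
```

After fixing a finding with a text editor (8.2.4), validate the file with `sshd -t` and restart the service, since 8.4.1 notes that a running service only re-reads its configuration on restart.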
### 8.5 The Linux File System

#### **8.5.1 The File System Types in Linux**

**Common File System Types**:
- **ext2**: Optimized for flash storage due to lack of journaling.
- **ext3**: Adds journaling for file recovery in case of crashes.
- **ext4**: Improved version of ext3 with better performance and stability.
- **NFS (Network File System)**: Access files over a network as if they were local.
- **CDFS**: Designed for optical discs.
- **Swap File System**: Used when RAM is full; stores inactive memory on disk.
- **HFS+ (Hierarchical File System Plus)**: Used by Apple for Macintosh computers.
- **APFS (Apple File System)**: Updated Apple file system optimized for SSDs.
- **MBR (Master Boot Record)**: Manages partition information and OS loading.

**Mounting File Systems**:
- **Mounting** assigns a directory to a partition, allowing access to its file system.
- Example command output:
  ```plaintext
  /dev/sda1 on / type ext4 (rw,relatime)
  ```
  - `/dev/sda1`: First partition on the first drive.
  - `/`: Root file system, formatted as `ext4`.

---

#### **8.5.2 Linux Roles and File Permissions**

**File Permission Basics**:
- Linux enforces file permissions for **users**, **groups**, and **others**.
- **Permission Types**:
  - **Read (r)**: View file contents.
  - **Write (w)**: Modify file contents.
  - **Execute (x)**: Run the file as a program.

**Permission Representation**:

| **Binary** | **Octal** | **Permission** | **Description** |
|------------|-----------|----------------|-----------------|
| 000 | 0 | --- | No access |
| 001 | 1 | --x | Execute only |
| 010 | 2 | -w- | Write only |
| 011 | 3 | -wx | Write and execute |
| 100 | 4 | r-- | Read only |
| 101 | 5 | r-x | Read and execute |
| 110 | 6 | rw- | Read and write |
| 111 | 7 | rwx | Read, write, and execute |

**Example**:

Command: `ls -l space.txt`

Output:
```plaintext
-rwxrw-r-- 1 analyst staff 253 May 20 12:49 space.txt
```
- **-rwxrw-r--**: Permission string.
- **User (rwx)**: Read, write, execute.
- **Group (rw-)**: Read and write.
- **Other (r--)**: Read only.
- **analyst**: File owner.
- **staff**: Group owner.

---

#### **8.5.3 Hard Links and Symbolic Links**

**Hard Links**:
- Created with the `ln` command.
- Point to the same inode as the original file.
- Changes to one file affect all linked files.
- Deleting a hard link does not affect other links.

Example:
```bash
ln original.txt link.txt
ls -l original.txt link.txt
```
Output:
```plaintext
-rw-r--r-- 2 analyst analyst 239 May 7 18:18 original.txt
-rw-r--r-- 2 analyst analyst 239 May 7 18:18 link.txt
```

**Symbolic Links**:
- Created with the `ln -s` command.
- Point to the original file's location.
- Deleting the original file breaks the link.

Example:
```bash
ln -s original.txt symlink.txt
ls -l symlink.txt
```
Output:
```plaintext
lrwxrwxrwx 1 analyst analyst 11 May 7 20:17 symlink.txt -> original.txt
```

**Key Differences**:

| **Feature** | **Hard Link** | **Symbolic Link** |
|-------------|---------------|-------------------|
| File system restriction | Same file system | Can link across file systems |
| Directory linking | Not possible | Possible |
| Point of failure | Independent | Breaks if the original file is deleted |

>[!Warning]Recap
>Linux supports a number of different file systems that vary by speed, flexibility, security, size, structure, logic, and more. Some of the file systems that are supported by Linux are ext2, ext3, ext4, NFS, and CDFS. File systems are mounted on partitions and accessed through mounting points, or directories. Windows drive letters are examples of mounting points. The mount command can be used to display details of the file systems that are currently mounted on a Linux computer. The root file system is represented by the "/" symbol. It contains all of the files in the computer by default. Linux uses file permissions to control who is permitted to have different types of access to files and directories.
>Permissions include read (r), write (w), and execute (x). Files and directories have permissions that are assigned for users, groups, and others. The permissions for files and folders are displayed with the ls -l command. This command also displays the links for a file. Hard links create another file with a different name that is linked to the same place in the file system. The owner of the file and the group for the file are also displayed along with the date and time of the last modification to the file. File permissions are powerful features of the Linux file system and can't be violated. Only the root user can override file permissions. Because of the power of the root user, root access should be carefully controlled.
>
>Hard links are created with the ln command. Changes to one of the hard-linked files are also made to the original file. Symbolic links, or symlinks, are similar to hard links in that a change to the linked file is reflected in the original file. Symbolic links have several advantages over hard links.

### 8.6 Working with the Linux GUI Cheat Sheet

#### 8.6.1 X Window System

- **Definition**: A windowing system for managing graphical user interfaces (GUIs) in Linux, often referred to as X or X11.
- **Functions**: Provides the basic framework for:
  - Drawing and moving windows.
  - Interaction with input devices like a mouse and keyboard.
- **Remote Access**: X allows remote users to connect and run graphical applications from a networked terminal.
- **Abstraction**:
  - X does not define the graphical user interface (GUI).
  - Components like buttons, fonts, icons, and window borders are defined by window managers (e.g., Gnome, KDE).

**Window Managers:**
- **Gnome**:
  - User-friendly and focused on accessibility.
  - Often the default for Ubuntu Linux.
- **KDE**:
  - Customizable and visually appealing with various advanced features.

---

#### 8.6.2 The Linux GUI

- **GUI Importance**:
  - While not required, GUIs provide a user-friendly alternative to the CLI.
  - Linux GUIs are modular and replaceable, allowing high customization.
- **Default GUI in Ubuntu**:
  - **Gnome 3** is the default GUI.
  - Designed to make Ubuntu more accessible to users.

| **UI Component** | **Description** |
|------------------|-----------------|
| **Apps Menu** | - Shows icons for installed apps. |
| | - Right-click menu provides shortcuts to start or configure apps. |
| | - System search box is available from the Activities view. |
| **Ubuntu Dock** | - Dock located on the left side for launching and switching between apps. |
| | - Click to open or switch apps; displays all instances if multiple instances are running. |
| | - Right-click on apps for detailed options. |
| **Top Bar** | - Displays the current time and system messages. |
| | - Provides access to the Activities desktop view and the system Status Menu. |
| **Calendar and System Message Tray** | - Shows a full calendar and system messages. |
| | - Create new appointments from here. |
| **Activities** | - Switch to application view to open or close apps. |
| | - A search tool helps find apps, files, and values within files. |
| | - Allows workspace switching. |
| **Status Menu** | - Allows configuring network adapters and other devices. |
| | - Supports user logoff, system configuration changes, and system locking or shutdown. |

>[!Warning]Recap
>The X Windows, or X11, system is a basic software framework that includes functions for creating, controlling, and configuring a windows GUI in a point-and-click interface. Different vendors use the X Windows system to create different windows manager GUIs for Linux. Examples of windows managers are Gnome and KDE. The Ubuntu Linux distribution uses Gnome 3 by default. The Gnome 3 desktop consists of the Apps Menu, Ubuntu Dock, Top Bar, Calendar and System Message tray, the Activities area, and the Status Menu.
### 8.7 Working on a Linux Host

#### **8.7.1 Installing and Running Applications on a Linux Host**

Many Linux distributions include **package managers** to simplify application installation. A **package** contains the application and all required supporting files.

Popular package managers include:
- **Arch Linux**: Uses `pacman`.
- **Debian/Ubuntu**: Uses `dpkg` and `apt`.

**Command Examples**:
- `sudo apt-get update`: Updates the local package database.
- `sudo apt-get upgrade`: Upgrades all installed packages.

---

#### **8.7.2 Keeping the System Up to Date**

Operating system (OS) updates, also called **patches**, are released periodically to address vulnerabilities. Modern systems often notify users of updates, but they can also be checked manually via:
- **Arch Linux**: `pacman -Syy` to update the package list and `pacman -Syu` to upgrade all packages.
- **Debian/Ubuntu**: `apt-get update` followed by `apt-get upgrade`.

| **Task** | **Arch** | **Debian/Ubuntu** |
|----------|----------|-------------------|
| Install a package by name | `pacman -S` | `apt install` |
| Remove a package by name | `pacman -Rs` | `apt remove` |
| Update the local package database | `pacman -Syy` | `apt-get update` |
| Upgrade all installed packages | `pacman -Syu` | `apt-get upgrade` |

---

#### **8.7.3 Processes and Forks**

A **process** is an active instance of a program. Linux uses **forking** to create new processes. This allows programs like web servers (e.g., Apache) to efficiently handle multiple requests. When a process calls **fork**, the parent creates a **child process**, and both run independently but share the same code.

**Commands to Manage Processes**:

| **Command** | **Description** |
|-------------|-----------------|
| `ps` | Lists running processes. |
| `top` | Displays running processes dynamically (press `q` to exit). |
| `kill` | Modifies a specific process by its **PID** (e.g., to terminate it). Run `ps` or `top` first to get the PID. |

---

#### **8.7.4 Malware on a Linux Host**

Linux is generally secure, but vulnerabilities can still exist. Common Linux malware includes **viruses, Trojans, worms**, and **rootkits**. Administrators must stay vigilant by:
- Updating software to fix vulnerabilities.
- Closing unused ports and services.

**Example Attack**: An attacker probes a web server running **nginx 1.12.0** to find known vulnerabilities using the `telnet` command:
```bash
telnet 209.165.200.224 80
```

---

#### **8.7.5 Rootkit Check**

**Rootkits** modify kernel code and compromise a system. Detection methods include:
1. Booting from trusted media.
2. Using trusted tools like **chkrootkit** for rootkit detection.

**chkrootkit Output**:
```bash
sudo ./chkrootkit
Checking 'basename'... not infected
Checking 'chfn'... not infected
Checking 'cron'... not infected
```

---

#### **8.7.6 Piping Commands**

**Piping** (`|`) allows chaining commands to perform complex tasks. The output of one command serves as the input to another.

**Examples**:
1. List files containing "host":
   ```bash
   ls -l | grep host
   ```
2. Filter files containing "file":
   ```bash
   ls -l | grep file
   ```

**Command Output**:
```bash
-rw-r--r-- 1 analyst analyst 9 May 20 10:51 hostfile1.txt
-rw-r--r-- 1 analyst analyst 9 May 20 10:51 hostfile2.txt
```

>[!Warning]Recap
>In order to install applications on Linux hosts, programs called package managers are used. Packages are software applications and all of their supporting files. Package managers are extremely helpful for installing complex software applications from centralized package repositories that are accessible over the internet. Different Linux distributions use different package managers. For example, Arch Linux uses pacman, Debian uses dpkg as the base package manager and apt to communicate with dpkg. Ubuntu also uses apt.
>
>Package manager CLI commands are used to install, remove, and update software packages. Upgrade commands upgrade all currently installed packages. Package management can also be performed in a GUI.
>
>Software processes are instances of computer programs that are running. Multitasking operating systems can run many processes at the same time. Forking is a method that the kernel uses to allow a running process to copy itself. The ps command lists the running processes, top displays information about running processes dynamically, and kill is used to remove, restart, or pause running processes.
>
>While Linux is considered to be better protected against malicious software (malware) than other operating systems, it is still susceptible to Trojan horses, worms, and other types of malware. Linux is usually attacked through its services and processes. Out of date software is often vulnerable to attack. Threat actors can probe a device for open ports that are linked to out of date server processes. With this knowledge, attacks can be launched. It is important to keep the operating system and its components and applications up to date.
>
>The chkrootkit program is designed to detect rootkit malware. Rootkits are deep level malware programs that are very difficult to detect and remove. They can change the fundamental operation of the operating system itself and can be used to create unauthorized access to systems.
>
>Piping commands uses the "`|`" symbol to chain different commands together by using the output of one command as the input for another.
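The script below is an added example, not part of the course or of this cheat sheet. It serves two parts of the module at once: the piping of 8.7.6 (and the 8.2.2 note that `grep` must be fed through a pipe to search another command's output) and the authentication log of 8.4.3 (`/var/log/auth.log` on Debian/Ubuntu, `/var/log/secure` on Red Hat/CentOS). Instead of the `ls -l | grep` pipeline from the text, it chains `grep`, `awk`, `sort` and `uniq` to turn raw sshd log lines into a per-source count of failed logins, which is the kind of check a SOC analyst runs before looking at a host. The log lines are constructed sample data in the syslog format sshd uses; the host name, the documentation-range IP addresses and the threshold of 3 failures are assumptions, not course values.

```shell
#!/bin/sh
# Added example (not course material): detect repeated failed SSH logins
# in an auth log using a pipeline. Each stage's output is the next stage's input.

# Constructed sample of sshd entries as written to /var/log/auth.log
# (Debian/Ubuntu) or /var/log/secure (Red Hat/CentOS). Hosts, users and
# addresses are made up; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
sample_auth_log() {
    cat <<'EOF'
May 20 10:51:02 secOps sshd[1423]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2
May 20 10:51:05 secOps sshd[1423]: Failed password for invalid user admin from 198.51.100.23 port 51236 ssh2
May 20 10:51:09 secOps sshd[1425]: Failed password for root from 198.51.100.23 port 51240 ssh2
May 20 10:52:11 secOps sshd[1430]: Accepted publickey for analyst from 203.0.113.7 port 40122 ssh2
May 20 10:53:40 secOps sshd[1441]: Failed password for analyst from 203.0.113.7 port 40130 ssh2
May 20 10:53:44 secOps sshd[1441]: Accepted password for analyst from 203.0.113.7 port 40130 ssh2
May 20 10:55:00 secOps sudo:  analyst : TTY=pts/0 ; PWD=/home/analyst ; USER=root ; COMMAND=/usr/bin/cat /var/log/auth.log
EOF
}

# failed_logins_by_source LOGFILE -> "<count> <source-ip>" lines, busiest first.
#   grep   keeps only failed password lines
#   awk    extracts the word after "from" (the client address)
#   sort   groups identical addresses so uniq -c can count them
#   sort   orders by count, descending; the last awk normalizes uniq's padding
failed_logins_by_source() {
    grep 'Failed password' "$1" \
        | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
        | sort \
        | uniq -c \
        | sort -rn \
        | awk '{ print $1, $2 }'
}

# flag_brute_force LOGFILE [THRESHOLD] -> source addresses with at least
# THRESHOLD failures (default 5). The counting pipeline is reused unchanged.
flag_brute_force() {
    failed_logins_by_source "$1" | awk -v t="${2:-5}" '$1 >= t { print $2 }'
}

# root_login_attempts LOGFILE -> number of failed password attempts against
# root; any value above 0 on a host where 8.4.2 was applied (PermitRootLogin no)
# still shows that someone is targeting the account.
root_login_attempts() {
    grep -c 'Failed password for root from' "$1"
}

# Stand-alone demo on the constructed sample; pass a real file as $1 instead,
# e.g.  sudo sh auth_pipeline.sh /var/log/auth.log
if [ -n "${1:-}" ]; then
    log=$1
else
    log=$(mktemp)
    sample_auth_log > "$log"
fi
echo "Failed SSH logins per source:"
failed_logins_by_source "$log"
echo "Sources with 3 or more failures:"
flag_brute_force "$log" 3
echo "Failed root logins: $(root_login_attempts "$log")"
[ -n "${1:-}" ] || rm -f "$log"
```

The same pipeline works on `/var/log/secure`, and swapping the first `grep` pattern for `Accepted` turns it into a list of successful logins per source, which is the natural follow-up question once a brute-force source has been identified.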