Auditing the Three Finger Salute
"It's only running a single service, we're fully patched and it has a local firewall that denies by default."
"What happens if I do Ctrl-Alt-Delete?"
<h3>Introduction</h3>
One of the basic premises of computer security is that it is almost impossible to fully secure any machine to which an attacker has physical access. While we cannot cover every eventuality, we can make some simple changes to catch the more blatant avenues of abuse. In this document we will cover how to stop unauthorised people from casually rebooting your machines.
<h3>The Problem</h3>
Anyone who walks up to a keyboard connected to a Linux machine can press Control-Alt-Delete to reboot it without entering a username or a password. Even Windows machines with a locked screen require a valid login (either the current user or one with Administrator privileges) before the machine can be rebooted this way. This does not even have to be a matter of malice: it is not uncommon for people familiar with Windows NT or Windows 2000 to press Control-Alt-Delete in an X Window session expecting to be shown a screen to lock the workstation or open the task manager, and instead to see the dreaded "The system is going down for reboot NOW!" message as their work vanishes along with the system's uptime.
<h3>A Solution</h3>
In many Linux distributions the key combination Control-Alt-Delete (often referred to as ctrl-alt-del or "the three finger salute") is pre-configured to reboot the machine. While this may be acceptable for a single-user desktop at home, it is an unnecessary risk for office workstations or servers because of one important fact: it requires no authentication.
To prevent this destructive behaviour we are going to catch Control-Alt-Delete presses and disable this "feature" by replacing the default action with a script of our own. We will also add auditing in order to catch and log any attempts to reboot. To do this we will add a single shell script to the system, make a change to the '/etc/inittab' configuration file so our own handler gets called, and then add a little log rotation (if you run 'logrotate') to keep everything shipshape.
The bash shell script that does most of the actual work is called 'audit_cad.sh' and can be found here. It can be invoked in two ways. The first way is to call it with the '-c' argument. In this mode the script checks that all of its external dependencies are both present and executable. This is the best way to ensure that your system satisfies all the prerequisites.
If any of the tests fail, an error is printed containing the name of the suspect binary and the script carries on until it has finished checking them all. If any of the checks failed, the script returns an exit code of '1' when it finishes. The external binaries we depend on are:
<ul>
<li>/usr/bin/logger</li>
<li>/usr/bin/tr</li>
<li>/bin/date</li>
<li>/usr/bin/basename</li>
</ul>
Of these the only one that may need manual editing is basename, which often varies between the '/usr/bin' and '/bin' directories. Typically you will run the script in check mode when you first install it to ensure that it will run correctly and nothing is missing. As this script is run as root it is a good idea to ensure that the permissions are as tight as possible, with only the superuser having any access to the file. Ideally they should be set to -rwx------; you can do this with the following command: 'chmod 0700 audit_cad.sh'.
The second way to call it is without arguments. When run in this fashion it logs an entry both to 'syslog' (with a user-specified facility and level) and to an external file, which defaults to '/var/log/shutattempt'. This is how it will be executed to audit Control-Alt-Delete presses.
For the purposes of this document we call the script 'audit_cad.sh' and it is located in '/usr/local/sbin/'. To change either of these settings or any of the other ones, just open the script in your editor of choice and scroll along. All the configuration options are commented.
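As an added example (this is not the author's 'audit_cad.sh', which is linked at the end of the article), here is a minimal POSIX shell reimplementation of the two modes described above: '-c' walks the dependency list and exits 1 if anything is missing, and no arguments records the attempt in syslog and in the external file. The log file path, syslog facility and level, tag and dependency list in its configuration section are assumptions; edit them to match your system. The dispatch at the bottom runs only when the file is installed as 'audit_cad.sh', so running it under another name merely defines its functions.

```shell
#!/bin/sh
# audit_cad.sh, added example: log a Control-Alt-Delete press instead of rebooting.
#   audit_cad.sh -c   check that every external dependency is present and executable
#   audit_cad.sh      (no arguments, as called by init) record the attempt and exit
# Assumed configuration; adjust to match your system.
LOGFILE="/var/log/shutattempt"                # external audit file
SYSLOG_FACILITY="auth"                        # logger(1) facility
SYSLOG_LEVEL="warning"                        # logger(1) level
TAG="audit_cad"                               # syslog tag
DEPS="/usr/bin/logger /bin/date /bin/uname"   # binaries used below (paths vary by distro)

# check_deps PATH...: report every path that is missing or not executable.
# Keeps going through the whole list; returns 1 if any check failed, else 0.
check_deps() {
    rc=0
    for dep in "$@"; do
        if [ ! -x "$dep" ]; then
            echo "${0##*/}: dependency missing or not executable: $dep" >&2
            rc=1
        fi
    done
    return $rc
}

# attempt_message: the single line that gets logged, with a UTC timestamp.
attempt_message() {
    printf 'ctrl-alt-del pressed at console of %s at %s; reboot suppressed\n' \
        "$(uname -n)" "$(date -u '+%Y-%m-%dT%H:%M:%SZ')"
}

# write_attempt_record FILE MESSAGE: append MESSAGE to FILE, creating the file
# readable by root only so the audit trail is not world-readable.
write_attempt_record() {
    file="$1"; message="$2"
    [ -e "$file" ] || ( umask 077; : > "$file" ) || return 1
    printf '%s\n' "$message" >> "$file"
}

# send_syslog MESSAGE: send the same line to syslog at the configured facility.level.
send_syslog() {
    logger -t "$TAG" -p "$SYSLOG_FACILITY.$SYSLOG_LEVEL" "$1"
}

main() {
    case "${1:-}" in
        -c) check_deps $DEPS && echo "${0##*/}: all dependencies present" ;;  # $DEPS split on purpose
        "") msg=$(attempt_message)
            write_attempt_record "$LOGFILE" "$msg"
            send_syslog "$msg" ;;
        *)  echo "usage: ${0##*/} [-c]" >&2; return 2 ;;
    esac
}

# Dispatch only when running under the installed name; executing this file under
# another name (for instance to exercise its functions) only defines them.
case "${0##*/}" in
    audit_cad.sh) main "$@" ;;
esac
```

Install it as '/usr/local/sbin/audit_cad.sh' with mode 0700, run 'audit_cad.sh -c' once to confirm the dependency paths are right for your distribution, and then point the inittab entry at it as described in the next step.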
Now we have the script in place we are going to edit the default handler for Ctrl-Alt-Delete in the '/etc/inittab' file. The line we want instructs 'init' to listen for Control-Alt-Delete events and tells it to execute a specific command when it receives one. In most distributions the id will be 'ca' and the actual entry will look similar to "ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now".
The important section of this line is the last field, which begins '/sbin/shutdown'. To change the system's behaviour, edit the current command and point it to our 'audit_cad.sh' script. If you have been following along with the examples the full path will be '/usr/local/sbin/audit_cad.sh'.
Once you have made this change you need to tell the 'init' process that 'inittab' has changed. The easiest way of doing this is to run 'telinit q', which causes 'init' to reread its configuration file without restarting.
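The inittab edit and the 'telinit q' reload, as an added example that is not part of the original article. It assumes a SysV-style '/etc/inittab' whose entries have the form id:runlevels:action:process and the handler path used above; the function names are my own. The rewrite keeps the first three fields of the 'ctrlaltdel' entry, replaces only the process field, leaves commented-out entries alone, and saves a '.bak' copy first. Nothing touches the live system unless the script is run with '--apply'.

```shell
#!/bin/sh
# Added example: point the inittab 'ctrlaltdel' action at audit_cad.sh and tell init.
# Assumes a SysV-style /etc/inittab (id:runlevels:action:process) and the handler
# path used in this article.
HANDLER="/usr/local/sbin/audit_cad.sh"

# The first three fields of an uncommented ctrlaltdel entry (anchored with ^ at use).
CAD_FIELDS='[^#][^:]*:[^:]*:ctrlaltdel:'

# ctrlaltdel_handler INITTAB: print the process field of the ctrlaltdel entry.
ctrlaltdel_handler() {
    sed -n "s/^${CAD_FIELDS}//p" "$1"
}

# set_ctrlaltdel_handler INITTAB HANDLER: keep a .bak copy, then replace the
# process field of every ctrlaltdel entry with HANDLER. Other lines are left
# untouched. Returns 1 if the file has no ctrlaltdel entry to change.
set_ctrlaltdel_handler() {
    inittab="$1"; handler="$2"
    grep -q "^${CAD_FIELDS}" "$inittab" || return 1
    cp -p "$inittab" "$inittab.bak" || return 1
    # '|' as the sed delimiter because the handler path contains slashes.
    sed "s|^\(${CAD_FIELDS}\).*|\1${handler}|" "$inittab.bak" > "$inittab"
}

# apply_and_reload: do it for real on /etc/inittab, then make init reread it.
apply_and_reload() {
    [ -x "$HANDLER" ] || { echo "handler $HANDLER is not executable" >&2; return 1; }
    set_ctrlaltdel_handler /etc/inittab "$HANDLER" \
        || { echo "no ctrlaltdel entry found in /etc/inittab" >&2; return 1; }
    echo "ctrlaltdel now runs: $(ctrlaltdel_handler /etc/inittab)"
    telinit q          # reread inittab without restarting init
}

# Only touch the live system when asked explicitly: sh this_script.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_and_reload
fi
```

Run it as root with '--apply'; afterwards 'ctrlaltdel_handler /etc/inittab' should print the audit script's path, and '/etc/inittab.bak' holds the original shutdown entry should you need to restore it.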
Now we are in a position to test our changes. Before you do this I recommend closing down anything that is not essential to the system, such as GUIs and editing sessions; if we have made a mistake while following the examples the system is about to reboot, and it's better to be safe than annoyed at the author! When you are ready, press Ctrl-Alt-Delete and nothing at all should happen.
If your system is still up at this point then check both the syslog file (typically this is '/var/log/messages' or '/var/log/syslog') and the external log file we specified in 'audit_cad.sh' to ensure that the logging was successful. If your system has rebooted then check each step and try again.
Once you have this working it's worth going the final mile and adding some automated log processing. This can vary from setting up 'SWATCH' or 'logwatch' to send you automated alerts, to adding log rotation to keep the file sizes down. A simple example, if you have 'logrotate' running on your machine (both recent Red Hat and Debian distributions do), is given below and can also be found here.
<pre>
# /etc/logrotate.d/audit_cad: rotate the Control-Alt-Delete audit file.
# Every directive sits inside the stanza so it applies to this file only;
# directives placed outside a stanza in a logrotate.d file become global
# defaults for any configuration files processed after it.
/var/log/shutattempt {
    daily
    rotate 7
    compress
    delaycompress
    nomail
    notifempty
    missingok
    create 0600 root root
}
</pre>
To add this to 'logrotate''s processing list just add a file called audit_cad to your 'logrotate' directory, which is often located at '/etc/logrotate.d', with the above snippet or another similar one as contents, and you no longer have to worry about it eating up disk space.
<h3>Closing Notes</h3>
While this technique will successfully log any attempts to reboot the machine, there are a couple of points worth noting. The first is accountability: it is not possible using this script alone to determine who actually tried to reboot the machine. This is because no authentication information is available for logging; 'init', the program that actually handles the Ctrl-Alt-Delete, runs as root, so any attempt to capture the invoking username will return 'root'.
By making some minor changes to 'audit_cad.sh' it would be possible to capture the output of w or who to the logs, but this information isn't as useful as you may think in this situation: these commands only track the valid users that have supplied credentials to log on, something that someone who just walks up to your keyboard and presses Control-Alt-Delete does not need to supply, and so the person who actually tried is the only one not logged!
The second point to consider is how obvious to make this script. If you want to be sneaky and obscure its presence you can call it 'shutdown' and save it in a non-standard location.
<h3>Further Reading</h3>
For further information on the format and purpose of 'inittab' please see 'man 5 inittab', and for a full list of the options 'telinit' supports please read 'man 8 telinit'. If you are unfamiliar with 'logrotate' then its manpage, 'man 8 logrotate', is a good starting point.
Links to the code used in this article can be found here:<br>
<a href="/code/audit_cad.sh">audit_cad.sh</a><br>
<a href="/code/shutdown_logrotate">Logrotation configuration</a>