Overview
PAM (Pluggable Authentication Modules) provides authentication functionality in Linux distributions. PAM lets you change the user authentication scheme without recompiling your programs, simply by editing a configuration file.
This document explains how the Capsule8 sensor supports PAM and what happens when PAM is used for logins without PAM credential enrichment configured in the sensor. It also walks through the steps to get PAM credential enrichment running in your environment, as shown below:
Recommendation
- Please note that this only works when the sensor is running outside of a container.
- While running the steps below, do NOT close the two terminals running the LDAP container and the sensor.
- Ensure that Docker is installed on the Ubuntu 18.04 machine you will be using.
- The steps were performed using Vagrant. You can use your own preferred VM.
Validation Steps
- Start an OpenLDAP container on a clean ubuntu 18.04:
docker run -p 389:389 -p 636:636 --env LDAP_READONLY_USER=true --env LDAP_READONLY_USER_USERNAME=fooo --env LDAP_READONLY_USER_PASSWORD=password osixia/openldap:1.3.0 --loglevel debug
- In a different terminal, run vagrant ssh into the ubuntu 18.04 machine and verify that LDAP has a user:
docker exec -it `docker ps -q` ldapsearch -x -H ldap://localhost -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin
- Install LDAP utilities on the host:
sudo apt-get update
sudo apt-get install ldap-utils
- Become root with sudo bash:
sudo bash
- Verify local tools can access LDAP:
ldapsearch -x -H ldap://localhost -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin
- Install the LDAP PAM module, answering the configuration prompts with the values listed below the command:
sudo apt-get install libpam-ldap nslcd-utils
ldap:///127.0.0.1
dc=example,dc=org # the default seems to be 'net'; change it to 'org' manually
3
<No>
<No>
ldap://127.0.0.1/
dc=example,dc=org # the auto-filled value from the previous prompt should be changed to this as well
- Configure the host in /etc/ldap.conf (commenting out the existing settings; simply copy and paste the config below):
base dc=example,dc=org
host 127.0.0.1
binddn cn=admin,dc=example,dc=org
bindpw admin
ldap_version 3
pam_password md5
- Set up LDAP support in /etc/nsswitch.conf (i.e. add ldap to the end of each of these lines):
passwd: compat systemd ldap
group: compat systemd ldap
shadow: compat ldap
- Back as a normal user (no longer in the sudo bash shell), create a local file fooo.ldif stating that fooo should be able to log in as a POSIX user:
dn: cn=fooo,dc=example,dc=org
changetype: modify
add: objectClass
objectClass: posixAccount
-
add: homeDirectory
homeDirectory: /home/fooo
-
add: uid
uid: fooo
-
add: uidNumber
uidNumber: 5250
-
add: gidNumber
gidNumber: 0
- Run sudo bash again, then import the fooo.ldif file to modify the account in LDAP:
docker exec -i `docker ps -q` ldapmodify -x -H ldap://localhost -D "cn=admin,dc=example,dc=org" -w admin < fooo.ldif
- Remove the following line from /etc/pam.d/login if present:
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
- Restart nscd:
sudo systemctl restart nscd
- Create a capsule8-analytics.yaml file in /etc/capsule8 (it may be necessary to create the /etc/capsule8 directory as well). Then set up a wget blocking program policy in capsule8-analytics.yaml:
WGET Policy:
  policy: program
  enabled: true
  alertMessage: Wgotten
  priority: Low
  rules:
    - match programName == "wget"
    - default ignore
  comments: Audit of when wget is run
  additionalCategories:
    - MITRE.Execution.Command-Line Interface
    - MITRE.Execution.User Execution
- Start sensor with PAM support configured.
sudo CAPSULE8_PAM_CREDENTIAL_ENRICHMENT=true ./capsule8-sensor
- BUT if you do not already have the sensor installed and configured as shown above, follow the installation guide to install the Capsule8 sensor. After installing the sensor, do NOT install the content and do NOT enable the sensor; simply run the command below:
sudo CAPSULE8_PAM_CREDENTIAL_ENRICHMENT=true capsule8-sensor
- In a different terminal, run vagrant ssh into the ubuntu 18.04 machine and start a new login session as the new LDAP user:
sudo login
At the prompts, enter the username fooo and the password password.
- Run wget:
wget
- Note that in the other terminal running the sensor, an alert has been generated with fooo as the username and root as the group.
- Note that fooo is not in /etc/passwd (the user is resolved through LDAP via nsswitch):
cat /etc/passwd | grep fooo
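As an added example (not part of the Capsule8 documentation), a small Python audit of the fooo.ldif record above: it parses the LDIF modify record and reports POSIX attributes worth reviewing before an LDAP user is allowed to log in, in particular that gidNumber 0 makes root the primary group, which is why the alert above reports root as the group. The /etc/passwd lines are constructed sample data; the function names are this example's own.

```python
# Constructed sample: the fooo.ldif modify record from the walkthrough above.
FOOO_LDIF = """dn: cn=fooo,dc=example,dc=org
changetype: modify
add: objectClass
objectClass: posixAccount
-
add: homeDirectory
homeDirectory: /home/fooo
-
add: uid
uid: fooo
-
add: uidNumber
uidNumber: 5250
-
add: gidNumber
gidNumber: 0
"""
# Constructed sample of the host's local /etc/passwd (the LDAP user is absent).
LOCAL_PASSWD = "root:x:0:0:root:/root:/bin/bash\nvagrant:x:1000:1000::/home/vagrant:/bin/bash\n"

def parse_modify_ldif(text):
    """Collect attribute values from one LDIF modify record, skipping '-' separators and add/replace/delete lines."""
    attrs = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep or line.startswith("#") or key in ("add", "replace", "delete"):
            continue  # comment, separator ('-') or operation marker, not an attribute
        attrs.setdefault(key.strip(), []).append(value.strip())
    return attrs

def audit_posix_account(ldif_text, passwd_text):
    """Return findings for a POSIX account granted over LDAP: privileged uid/gid and clashes with local accounts."""
    attrs = parse_modify_ldif(ldif_text)
    if "posixAccount" not in attrs.get("objectClass", []):
        return ["no posixAccount objectClass: entry cannot log in as a POSIX user"]
    name = attrs.get("uid", [""])[0]
    uid = int(attrs.get("uidNumber", ["-1"])[0])
    gid = int(attrs.get("gidNumber", ["-1"])[0])
    # Local account name -> numeric uid, parsed from /etc/passwd-format lines.
    local = {f[0]: int(f[2]) for f in (l.split(":") for l in passwd_text.splitlines()) if len(f) >= 3}
    findings = []
    if uid == 0:
        findings.append("uidNumber 0: the LDAP user would be root")
    if gid == 0:
        findings.append("gidNumber 0: primary group is root (gid 0)")
    if name in local:
        findings.append(f"uid {name} shadows a local /etc/passwd account")
    findings += [f"uidNumber {uid} collides with local user {n}" for n, u in local.items() if u == uid]
    return findings
```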