**Assignment #9**

Computer and Network Security

Journals due: No later than Tuesday, August 3rd, 1999.

THE REAL WORLD SCENARIO

Throughout this semester, the machines you are administering have rested securely behind the CS firewall, the threat of intrusion a faint murmur in your consciousness. As of 00:00:01 on July 27th, 1999, this will all change. EACH TEAM WILL DEFEND ITS OWN MACHINES AND SEEK TO ATTACK THE MACHINES OF THE OTHER SYSADM GROUPS. Attacks may continue until Midnight on August 2nd, 1999. Journals will be due the following day.

In your journals, note the research you have done and the steps you have taken to secure your machines. Be careful to include the specific dangers you are seeking to avoid (and an outline of how such attacks could be performed). Note your thought processes. Also note what attacks have been mounted and what potential weaknesses each attack was designed to exploit.

Your grade in this exercise will reflect your success in securing your machine against the widest possible variety of attacks (with the exceptions noted below) AND your success in gaining access to the machines of other groups. The methods to employ, within the Rules of Engagement (below), are yours to research and choose. Thorough research and diligent implementation, rather than perfect performance, will count most strongly in the grading process.

To begin: each team will collect three (hard copy) "flags" from Jeff Bauer, who will act as umpire of these games. Each flag is a unique bit string which must be stored on the appropriate computer's filesystem. This flag is the secret value that will be the "prize" of the attackers and the object that you must defend. Each flag must be placed in a regular file called (literally, including case) flag.nt, flag.solaris or flag.linux (depending on the machine). It must be stored somewhere (anywhere) in a mounted filesystem on the host computer and must be owned by root/administrator.

Next, carefully read the paper, "Improving the Security of Your Site by Breaking Into it", by Dan Farmer and Wietse Venema (you can find Dan's security links at www.fish.com/security). Teams are encouraged to follow the techniques outlined there and to research and implement any security software mentioned therein or elsewhere that you feel is appropriate. Good examples include COPS, Tiger, Tripwire and Crack. All can be located on the net. Do further research into possible attack scenarios by visiting www.rootshell.com and other hacker/security sites. Research "Bugtraq" for the latest hacks (see the class home page for more security links).

As a start, properly configure syslogd and optionally install any wrappers or other monitoring software designed to track attempted break-ins. You must attempt to discover everything possible about the attacking entity and the method(s) used to (attempt to) gain access to your machine. Should your machine be successfully attacked, you will be notified. You will then have the opportunity to remove this "smirch" upon your reputation and grade by, within 24 hours of notice, 1) determining the method of attack and 2) making defensive changes to prevent the same attack (which will be made again). You will be given a new flag at the time of notice (the method used to deliver the new flag will be up to the individual teams).
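As an added example (not part of the assignment handout), a small Python log triage script of the kind a defending team could run over /var/log/messages once syslogd and tcp_wrappers are logging: it picks out wrapper connect/refused lines and login failures and groups them by source host, which is the first step in working out who probed what. The log lines are constructed samples written in the style of tcp_wrappers and the login program, not captured output.

```python
import re
from collections import defaultdict
# Constructed sample syslog lines (not real captures) in the style of tcp_wrappers
# "connect from" / "refused connect from" messages and login's "FAILED LOGIN" messages.
SAMPLE_LOG = """\
Jul 27 00:00:05 linux in.telnetd[812]: connect from 10.10.1.20
Jul 27 00:00:09 linux login[812]: FAILED LOGIN 1 FROM 10.10.1.20 FOR root, Authentication failure
Jul 27 00:00:14 linux login[812]: FAILED LOGIN 2 FROM 10.10.1.20 FOR root, Authentication failure
Jul 27 00:01:30 linux in.ftpd[830]: refused connect from 10.10.1.21
Jul 27 00:02:02 linux in.telnetd[845]: connect from 10.10.1.5
Jul 27 00:03:44 linux in.fingerd[851]: refused connect from 10.10.1.21
"""

# BSD syslog prefix (timestamp host program[pid]: message), then the two message shapes we track
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                       r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
WRAP_RE = re.compile(r"^(?P<verdict>refused connect|connect) from (?P<src>\S+)$")
FAIL_RE = re.compile(r"^FAILED LOGIN \d+ FROM (?P<src>\S+) FOR (?P<user>[^\s,]+)")

def parse_line(line):
    """Return a dict for a tracked event (connect / refused / failed_login), else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    if (w := WRAP_RE.match(rec["msg"])):
        rec["event"] = "refused" if w["verdict"].startswith("refused") else "connect"
        rec["src"] = w["src"]
        return rec
    if (f := FAIL_RE.match(rec["msg"])):
        rec["event"], rec["src"], rec["user"] = "failed_login", f["src"], f["user"]
        return rec
    return None  # successful logins and unrelated messages are not counted

def summarize(text):
    """Per source host: event counts, services touched and account names tried."""
    summary = defaultdict(lambda: {"refused": 0, "connect": 0, "failed_login": 0,
                                   "services": set(), "users": set()})
    for rec in filter(None, map(parse_line, text.splitlines())):
        s = summary[rec["src"]]
        s[rec["event"]] += 1
        s["services"].add(rec["prog"])
        if "user" in rec:
            s["users"].add(rec["user"])
    return dict(summary)

def suspicious(summary, fail_threshold=2):
    """Hosts worth a closer look: any wrapper refusal, or repeated login failures."""
    return sorted(src for src, s in summary.items() if s["refused"] or s["failed_login"] >= fail_threshold)
```

Hosts returned by suspicious() are the ones to cross-check against the other teams' addresses and to write up in the journal as probes, along with the services they touched.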

RULES OF ENGAGEMENT

The following are the rules of engagement for the sysadm wars. ANY violation will result in a zero for this assignment for all team members. These apply to both the sysadm class "defenders" and the attacking team.

  1. PURPOSE OF EXERCISE. Be sure that you understand that the purpose of this exercise is NOT to foster a "hacker" mentality or to arbitrarily teach the methods used by hackers (or crackers, i.e. criminals who not only gain access but cause damage). Knowledge of the techniques used by attackers is necessary to properly secure a network, which is one of the more critical jobs of the modern system administrator. Use what you learn in a responsible manner; misuse of these tools may be illegal. See, for example, the Florida Computer Crimes Act, Fla. Stat. 815.01 et seq.
  2. SCOPE OF USE. In this exercise, strictly limit all attacks and attempts to gain information to the sysadm machines and to the networks that these machines reside on. Any use of such techniques against ANY CS machines, or against those of any other system, is strictly prohibited and will entail consequences far beyond the grade in this course. Be careful and stay within your "sysrt1" and "sysrt2" sandboxes.
  3. NO ACTUAL DAMAGE. The goal of this exercise is to gain access, not to damage ANY portion of the target computer, including its filesystems, or to cause ANY mischief whatsoever. DO NO DAMAGE. Teams may, however, take actions designed to facilitate reentry to the target machine. Any such actions must be easily correctable.
  4. NO PHYSICAL INTRUSION. For the purposes of this exercise, it will be assumed that each machine is physically secure. Therefore, no attempt may be made to gain physical access to the components of a given computer or to access said computer from the console. Attempting to boot said computer from a floppy disk or other physical media attached to the subject computer is specifically prohibited. All access must be made over the network. All other methods of attack will be fair game.
  5. ACTS UPON INTRUSION. Upon successful capture of an opponent's flag, immediately communicate this (along with the captured flag) to Mr. Bauer. You may NOT attempt the same attack until notified by the umpire (approximately 24 hours later) but are required to make the same attack again to determine if the target team has made successful modifications.
  6. USER ACCOUNTS. Regular user accounts (e.g. "linux"/"solaris" created during a previous assignment) must exist and remain normally usable on all three machines. Create at least a "linux"/"solaris" account on your Linux and Solaris machines if you have not done so.
  7. NORMAL SERVICES. All three machines must continue to provide normal user services to the users. For example, the following services MUST be running and available to regular users.
     Linux/Solaris: Sendmail, Web Server, Telnet and FTP servers.
     NT: Web Server, Telnet and FTP servers.

     Moreover, regular users must have access to all normal UNIX or NT user commands.

    Should any service be disabled, clearly note same in your journals along with the specific reasons for each and the expected effect this will have on the network and its users. Drastic curtailment of user powers in the name of security may be deemed excessive (attempt to maintain a defensible balance, and defend same in your write-ups).

  8. PACKET SNIFFERS. Packet sniffing is allowed, but only within the confines of your local network created by sysrt1 and sysrt2. You should naturally not use any passwords for your machines that you use outside of the sandboxes, as they may become compromised.
  9. QUESTIONS. Questions as to these requirements should be promptly relayed to me.