Auditing the Three Finger Salute

“It’s only running a single service, we’re fully patched and it has a local firewall that denies by default.”
“What happens if I do Ctrl-Alt-Delete?”

<h3>Introduction</h3>
One of the basic premises of computer security is that it's almost impossible to fully secure any machine to which an attacker has physical access. While we cannot cover all eventualities, we can make some simple changes to catch any use of the more blatant avenues of abuse. In this document we will cover how to stop unauthorised people from casually rebooting your machines.

<h3>The Problem</h3>
Anyone who walks up to a keyboard connected to a Linux machine can press Control-Alt-Delete to reboot it without entering a username or a password. Even Windows machines with a locked screen require a valid login (either the current user or one with Administrator privileges) before you can reboot a running machine like this. This does not even have to be an issue of malice: it is not uncommon for people familiar with Windows NT or Windows 2000 to press Control-Alt-Delete in an X-Windows session expecting to be shown a screen to lock the workstation or open the task manager, and instead see the dreaded “The system is going down for reboot NOW!” message as their work vanishes along with the system's uptime.

<h3>A Solution</h3>
In many Linux distributions the key combination Control-Alt-Delete (often referred to as ctrl-alt-del or “the 3 finger salute”) is pre-configured to reboot the machine. While this may be acceptable for a single-user desktop at home, it is an unnecessary risk for office workstations and servers because of one important fact: it requires no authentication to perform.

To prevent this destructive behaviour we are going to catch Control-Alt-Delete presses and disable this “feature” by replacing the default action with a script of our own. We will also add auditing in order to catch and log any attempts to reboot. To do this we will add a single shell script to the system, change the '/etc/inittab' configuration file so that our own handler gets called, and then add a little log rotation (if you run 'logrotate') to keep everything shipshape.

The bash shell script that does most of the actual work is called 'audit_cad.sh' and is linked at the end of this article. It can be invoked in two ways. The first is to call it with the '-c' argument. In this mode the script will check that all of its external dependencies are both present and executable. This is the best way to ensure that your system satisfies all the prerequisites.

If any of the tests fail, an error containing the name of the suspect binary is printed and the script carries on until it has finished checking them all. If any of the checks failed, the script returns an exit code of ‘1’ when it finishes. The external binaries we depend on are:

<ul>
  <li>/usr/bin/logger</li>
  <li>/usr/bin/tr</li>
  <li>/bin/date</li>
  <li>/usr/bin/basename</li>
</ul>

Of these the only one that may need manual editing is basename, whose location often varies between the '/usr/bin' and '/bin' directories. Typically you will run the script in check mode when you first install it to ensure that it will run correctly and nothing is missing. As this script is run as root, it is a good idea to make the permissions as tight as possible, with only the super user having any access to the file. Ideally they should be set to -rwx------, which you can do with the following command: 'chmod 0700 audit_cad.sh'.

The second way to call it is without arguments. When run in this fashion it logs an entry to both 'syslog' (with a user-specified facility and level) and an external file, which defaults to '/var/log/shutattempt'. This is how it will be executed to audit Control-Alt-Delete presses.

For the purposes of this document we call the script 'audit_cad.sh' and it is located in '/usr/local/sbin/'. To change either of these settings, or any of the others, just open the script in your editor of choice and scroll through it. All the configuration options are commented.
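The two modes described above, sketched as an added example; this is not the article's audit_cad.sh. The binary paths follow the article's list, while the syslog priority, the message text, the overridable variables and the file name audit_cad_example.sh are assumptions.

```shell
#!/bin/sh
# Added sketch of the two modes described above; NOT the article's audit_cad.sh.
# Binary paths follow the article's list. PRIORITY, the message text, the
# overridable variables and the name audit_cad_example.sh are assumptions.
LOGGER=${LOGGER:-/usr/bin/logger}
DATE=${DATE:-/bin/date}
DEPS=${DEPS:-"$LOGGER /usr/bin/tr $DATE /usr/bin/basename"}
LOGFILE=${LOGFILE:-/var/log/shutattempt}
PRIORITY=${PRIORITY:-auth.warning}    # syslog facility.level

# Check mode (-c): name every dependency that is missing or not executable,
# keep going to the end of the list, then return 1 if any check failed.
check_deps() {
    rc=0
    for bin in $DEPS; do
        if [ ! -x "$bin" ]; then
            echo "ERROR: $bin is missing or not executable" >&2
            rc=1
        fi
    done
    return $rc
}

# Log mode (no arguments): append to the private file, then send to syslog.
# No username is recorded: 'init' runs the handler as root.
log_attempt() {
    msg="Control-Alt-Delete pressed on $(uname -n); reboot not performed"
    umask 077    # if the log file is created here, only root can read it
    printf '%s %s\n' "$("$DATE" '+%Y-%m-%d %H:%M:%S')" "$msg" >> "$LOGFILE" || return 1
    "$LOGGER" -p "$PRIORITY" -t audit_cad "$msg"
}

main() {
    case "${1:-}" in
        -c) check_deps ;;
        "") log_attempt ;;
        *)  echo "usage: $0 [-c]" >&2; return 2 ;;
    esac
}

# Run only when installed under this name, so the functions can also be sourced.
if [ "${0##*/}" = "audit_cad_example.sh" ]; then
    main "$@"
    exit $?
fi
```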

Now that we have the script in place we are going to edit the default handler for Ctrl-Alt-Delete in the '/etc/inittab' file. The line we want instructs 'init' to listen for Control-Alt-Delete events and tells it to execute a specific command when it receives one. In most distributions the id will be ‘ca’ and the actual entry will look similar to "ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now". The important section of this line is the last field, which begins '/sbin/shutdown'. To change the system's behaviour, edit the current command and point it to our 'audit_cad.sh' script. If you have been following along with the examples the full path will be '/usr/local/sbin/audit_cad.sh'.

Once you have made this change you need to tell the 'init' process that 'inittab' has changed. The easiest way of doing this is to run 'telinit q', which causes 'init' to reread its configuration file without restarting.
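Before pressing the keys for real, the edited file can be checked mechanically. The following is an added example, not part of the article's code: it reads an inittab-format file and reports what each active ctrlaltdel entry will run. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added illustration, not part of the article's code. Reports what 'init' will
# run on Control-Alt-Delete according to an inittab-format file.

# Print the process field of every active (non-comment) ctrlaltdel entry.
# inittab fields are id:runlevels:action:process.
cad_handlers() {
    awk -F: '!/^[ \t]*#/ && $3 == "ctrlaltdel" {
        sub(/^[^:]*:[^:]*:[^:]*:/, "")   # keep the whole process field
        print
    }' "$1"
}

# Return 0 if every ctrlaltdel entry runs $2, 1 if any runs something else,
# 2 if the file has no ctrlaltdel entry at all.
check_cad() {
    file=$1
    expected=$2
    handlers=$(cad_handlers "$file")
    if [ -z "$handlers" ]; then
        echo "NONE: no ctrlaltdel entry in $file"
        return 2
    fi
    status=0
    while IFS= read -r cmd; do
        case "$cmd" in
            "$expected" | "$expected "*) echo "OK: $cmd" ;;
            *) echo "UNAUDITED: $cmd"; status=1 ;;
        esac
    done <<EOF
$handlers
EOF
    return $status
}

# Constructed sample: the stock entry quoted in the article, commented out,
# followed by the replacement that points at the audit script.
sample_inittab() {
    cat <<'EOF'
id:3:initdefault:
#ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
ca:12345:ctrlaltdel:/usr/local/sbin/audit_cad.sh
EOF
}

# Usage on a real system: check_cad /etc/inittab /usr/local/sbin/audit_cad.sh
```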

Now we are in a position to test our changes. Before you do this I recommend closing down anything that is not essential to the system, such as GUIs and editing sessions; if we have made a mistake while following the examples the system is about to reboot, and it's better to be safe than annoyed at the author! When you are ready, press Ctrl-Alt-Delete and nothing at all should happen.

If your system is still up at this point then check both the syslog file (typically this is '/var/log/messages' or '/var/log/syslog') and the external log file we specified in the 'audit_cad.sh' file to ensure that the logging was successful. If your system has rebooted then check each step and try again.

Once you have this working it's worth going the final mile and adding some automated log processing. This can vary from setting up 'SWATCH' or 'logwatch' to send you automated alerts to adding log rotation to keep the file sizes down. A simple example for machines running 'logrotate' (both recent Redhat and Debian distributions do) is given below and is also linked at the end of this article.

<pre>
daily
rotate 7
compress
delaycompress

/var/log/shutattempt {
  nomail
  notifempty
  missingok
  create 0600 root root
}
</pre>

To add this to the 'logrotate' processing list, just add a file called audit_cad to your 'logrotate' directory, which is often located at '/etc/logrotate.d', with the above snippet or a similar one as its contents. You then no longer have to worry about the log eating up disk space.

<h3>Closing Notes</h3>
While this technique will successfully log any attempts to reboot the machine, there are a couple of points worth noting. The first is accountability: it is not possible using this script alone to determine who actually tried to take the machine over. This is because no authentication information is available for logging. 'init', the program that actually handles the Ctrl-Alt-Delete, runs as root, so any attempt to capture the invoking username will return ‘root’.

By making some minor changes to 'audit_cad.sh' it would be possible to capture the output of w or who to the logs, but this information isn’t as useful as you may think in this situation. These commands only track the valid users that have supplied credentials to log on, something that someone who just walks up to your keyboard and presses Control-Alt-Delete does not need to supply, and so the person who actually tried is the only one not logged!

The second point to consider is how obvious to make this script. If you want to be sneaky and obscure its presence you can call it 'shutdown' and save it in a non-standard location.

<h3>Further Reading</h3>
For further information on the format and purpose of 'inittab' please see 'man 5 inittab', and for a full list of the options 'telinit' supports please read 'man 8 telinit'. If you are unfamiliar with 'logrotate' then its manpage, 'man 8 logrotate', is a good starting point.

Links to the code used in this article can be found here:<br>
<a href="/code/audit_cad.sh">audit_cad.sh</a><br>
<a href="/code/shutdown_logrotate">Logrotation configuration</a>