May 12th, 2003, 06:32 PM
#1
Additional Security Measures for *nix
Many posts here go into great detail about which services to lock down on *nix servers and which versions of security toolz to run, such as tripwire and such. One area that seems to get neglected is SUID files, GUID files and world-writable files.
Whenever I am asked to prepare a *nix server, I *always* issue these commands to check and see which files are SUID, GUID and world-writable.
* For SUID:
==============================
find / -type f -perm -4000 -ls
** For GUID
==============================
find / -type f -perm -2000 -ls
For World-Writable
==============================
find / -perm -2 -type f -print
You may ask, well, what is the significance of this? It's simple. If I'm looking to compromise your server and I have exhausted all the typical easy avenues, I will eventually begin looking for world-writable filez in order to gain root access. In addition, I will certainly look for SUID files that programs use on your machine. Pay close attention to the /dev partition too, as it is *very* dangerous to have devices that are world-writable.
Once you lock down file permissions, services and have applied the proper security patches, you should have a solid *nix system. At this point I usually hammer against the box to be sure that I haven't missed anything. Only after this point will I install the necessary software and then hammer on it one more time before approving it for internet exposure.
Anyway, just wanted to share a little *nix tip with the AO community.
* Fat finger typo pointed out by Itch
** Fat finger typo pointed out by Itch
--TH13
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
May 12th, 2003, 06:39 PM
#2
hey, thanx thehorse13, always looking for cool *nix tips...
i'm starting up a BSD Server, and will def. follow your lead
yeah, I'm gonna need that by friday...
-
May 12th, 2003, 07:06 PM
#3
hmmmmm... a few corrections.
On my redhat linux boxes anyway...
to find SUID you need to change the line
find / -type f -perm -0400 -ls
to
find / -type f -perm -4000 -ls
for SGID you need to change
find / -type f -perm -0200 -ls
to
find / -type f -perm -2000 -ls
The world writable seems to be ok though. It is in fact returning world-writable files.
Good luck,
IchNiSan
-
May 12th, 2003, 07:12 PM
#4
Ah yes itch, it seems that my extra fat fingers did it again!!! I have gone back and adjusted the syntax giving you credit for the bust!
Thanks!
-
May 12th, 2003, 07:25 PM
#5
Sweet. Thanks for the tip! I just rebuilt my server at home and I can use this.
I didn't see it mentioned in the many guides that I have read nor did it come up in any of the utilities that I used to check the security.
I'll have to doublecheck.
I used a tool called Tiger and it turned up all kinds of recommendations.
TIGER is a set of Bourne shell scripts, C programs, and data files which are used to perform a security audit of Unix systems. The security audit results are useful both for system analysis (security auditing) and for real-time, host-based intrusion detection.
http://savannah.nongnu.org/projects/tiger
They actually just released a new version of it a couple days ago.
It alerted me to a bunch of things that I hadn't thought about... but this is my first try at securing a *nix box.
I'm learning so much that I think I need to go home for the day cause my brain is full....
Anywho, has anyone used it? What do you think?
Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
-
May 12th, 2003, 07:28 PM
#6
Phish buddy,
Another good site is http://www.bastille-linux.org
This is taken directly from the site:
The Bastille Hardening System attempts to "harden" or "tighten" Unix operating systems. It currently supports the Red Hat, Debian, Mandrake, SuSE and TurboLinux Linux distributions along with HP-UX and Mac OS X. We attempt to provide the most secure, yet usable, system possible. The project is run by Jon Lasser, Lead Coordinator and Jay Beale, Lead Developer, and involves a number of developers, beta-testers and concept-creators. Bastille Linux was developed with several major goals:
COMPREHENSIVENESS
Bastille Linux draws from every available major reputable source on Linux Security. The initial development integrated Jay Beale's existing O/S hardening experience for Solaris and Linux with most major points from the SANS' Securing Linux Step by Step, Kurt Seifried's Linux Administrator's Security Guide, and countless other sources.
INSTRUCTIVENESS
Bastille Linux has been designed to educate the installing administrator about the security issues involved in each of the script's tasks, thereby securing both the box and the administrator. Each step is optional and contains a description of the security issues involved.
-
May 12th, 2003, 07:47 PM
#7
Thanks for the bastille-linux link thehorse13.
I have heard about it before, but never took the time to look it up.
Thanks for the other info about suid/sgid stuff, it's nice to get some info here that lots of people can use to help make their systems more secure.
One quick note to people though about suid and sgid. Don't just willy-nilly go removing the sgid or suid setting from these files. Some of them will certainly be fine if you remove the suid or sgid bit from them, but others (like /usr/bin/passwd) need to be suid in order for regular users to perform necessary functions, like changing their password, as passwd needs to be able to write to /etc/passwd (and also call the shadow utils to edit /etc/shadow and really change your password on systems using shadow passwords, which are hopefully most of them), which is writable only by root.
Here is a list of SUID files from a default redhat linux 7.3 install.
344699 40 -rwsr-xr-x 1 root root 37624 Feb 12 17:47 /usr/bin/chage
343445 36 -rwsr-xr-x 1 root root 34972 Feb 12 17:48 /usr/bin/gpasswd
343616 20 -rws--x--x 1 root root 16835 Aug 30 2002 /usr/bin/chfn
343617 16 -rws--x--x 1 root root 15664 Aug 30 2002 /usr/bin/chsh
343635 8 -rws--x--x 1 root root 6999 Aug 30 2002 /usr/bin/newgrp
343657 40 -rwsr-xr-x 1 root root 37140 Jul 24 2002 /usr/bin/at
343863 16 -r-s--x--x 1 root root 15368 May 28 2002 /usr/bin/passwd
343933 20 -rwsr-xr-x 1 root root 19131 Jun 23 2002 /usr/bin/rcp
343935 16 -rwsr-xr-x 1 root root 15376 Jun 23 2002 /usr/bin/rlogin
343936 12 -rwsr-xr-x 1 root root 10689 Jun 23 2002 /usr/bin/rsh
343955 88 ---s--x--x 1 root root 84984 Jun 27 2002 /usr/bin/sudo
343974 36 -rwsr-xr-x 1 root root 34662 Jul 19 2002 /usr/bin/crontab
376099 8 -rwsr-xr-x 1 root root 5100 Sep 5 2002 /usr/libexec/pt_chown
180057 164 -rws--x--x 1 root root 162476 Aug 14 2002 /usr/libexec/openssh/ssh-keysign
392470 36 -rwsr-xr-x 1 root root 33071 Jun 23 2002 /usr/sbin/ping6
392474 16 -rwsr-xr-x 1 root root 13718 Jun 23 2002 /usr/sbin/traceroute6
392511 16 -rwsr-xr-x 1 root root 15502 Sep 4 2002 /usr/sbin/usernetctl
392528 32 -rws--x--x 1 root root 29676 Sep 4 2002 /usr/sbin/userhelper
392580 12 -rwsr-xr-x 1 root root 10205 Jul 1 2002 /usr/sbin/userisdnctl
392646 32 -rwsr-xr-x 1 root root 32076 Jun 23 2002 /usr/sbin/traceroute
392891 20 -r-s--x--- 1 root apache 20469 Oct 9 2002 /usr/sbin/suexec
771123 1844 -rws--x--x 1 root root 1884018 Sep 5 2002 /usr/X11R6/bin/XFree86
1095603 36 -rwsr-xr-x 1 root root 35302 Jun 23 2002 /bin/ping
1095643 88 -rwsr-xr-x 1 root root 81996 Aug 30 2002 /bin/mount
1095644 40 -rwsr-xr-x 1 root root 40700 Aug 30 2002 /bin/umount
1095654 20 -rwsr-xr-x 1 root root 19132 Aug 29 2002 /bin/su
654474 8 -r-s--x--x 1 root root 7096 Feb 6 21:15 /sbin/pam_timestamp_check
655431 124 -r-sr-xr-x 1 root root 119400 Feb 6 21:15 /sbin/pwdb_chkpwd
654476 20 -r-sr-xr-x 1 root root 17080 Feb 6 21:15 /sbin/unix_chkpwd
Many of these should be able to have their suid bit removed and have very little effect on the box, but some, like passwd, must have suid as root in order for regular users to change their password on a multi-user box. If you are the only user, sure, you could remove that suid (I don't think it would break anything else) and just change your own account password while logged in as root. Also, you might not want to remove the suid from su or sudo. Things like traceroute should be fine to remove it from, but some of them might cause you unforeseen difficulties.
My only point is MAKE SURE YOU HAVE A CLUE what the file you are removing suid or sgid from does and have some inkling how it will affect your system before removing suid or sgid.
Thanks again for the info thehorse13
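The three checks from the first post and the "know your baseline" advice from this one, combined into a single added script (not code from the thread): it lists SUID, SGID and world-writable regular files under a directory and then reports which SUID files are not on a baseline list of binaries you have already accounted for. The fixture tree, its file names and the baseline file are constructed here for illustration, standing in for a real root filesystem.

```shell
#!/bin/sh
# Added example: audit a tree for SUID, SGID and world-writable regular files,
# then diff the SUID set against a baseline of binaries known to need the bit
# (passwd, su, sudo, mount, ...). Run it against / as root on a real box.

# One path per line, sorted, so successive audits can be diffed.
find_suid() { find "$1" -type f -perm -4000 2>/dev/null | sort; }   # set-user-ID bit
find_sgid() { find "$1" -type f -perm -2000 2>/dev/null | sort; }   # set-group-ID bit
find_ww()   { find "$1" -type f -perm -0002 2>/dev/null | sort; }   # "other" write bit

# SUID files under $1 that are absent from the baseline file $2 (one path per
# line). Anything printed here must be explained before the box is approved;
# the baseline entries are the ones you keep, not the ones you strip blindly.
unexpected_suid() {
    _b=$(mktemp) || return 1
    sort "$2" > "$_b"
    find_suid "$1" | comm -23 - "$_b"
    rm -f "$_b"
}

# Constructed fixture (hypothetical paths) standing in for a real filesystem:
# builds a throw-away tree under a temp dir and prints its path.
make_fixture() {
    _d=$(mktemp -d) || return 1
    mkdir -p "$_d/bin" "$_d/tmp"
    : > "$_d/bin/passwd";      chmod 4755 "$_d/bin/passwd"       # expected SUID
    : > "$_d/bin/unexplained"; chmod 4755 "$_d/bin/unexplained"  # SUID not in baseline
    : > "$_d/bin/wall";        chmod 2755 "$_d/bin/wall"         # SGID only
    : > "$_d/tmp/scratch";     chmod 0666 "$_d/tmp/scratch"      # world-writable
    : > "$_d/bin/plain";       chmod 0755 "$_d/bin/plain"        # nothing special
    printf '%s\n' "$_d/bin/passwd" > "$_d/baseline.txt"
    printf '%s\n' "$_d"
}

# Stand-alone run: audit the fixture, report, clean up.
fixture=$(make_fixture)
echo "SUID:";                 find_suid "$fixture"
echo "SGID:";                 find_sgid "$fixture"
echo "World-writable:";       find_ww "$fixture"
echo "SUID not in baseline:"; unexpected_suid "$fixture" "$fixture/baseline.txt"
rm -rf "$fixture"
```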
-
May 12th, 2003, 07:53 PM
#8
"Once you lock down file permissions, services and have applied
the proper security patches, you should have a solid *nix system"
Get Lids to lock down the system, that is, if you want to keep
the bad guys out.
http://www.lids.org/about.html
Doc
-
May 12th, 2003, 08:29 PM
#9
um, also, you do know that the bastille has been stormed before right?
http://utut.essortment.com/thestormingof_rksu.htm
hehe 8)
-
May 12th, 2003, 08:42 PM
#10
Itch,
Indeed I do know that it has been stormed. Actually, world history is another one of my interests.
Also, good follow up to my post. When I pop this info up on AO, I assume that the reader has the appropriate knowledge needed to utilize the info. I have faith in most people here