Page 1 of 2 12 LastLast
Results 1 to 10 of 16

Thread: Additional Security Measures for *nix

  1. #1
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885

    Additional Security Measures for *nix

    Many posts here go into great detail about which services to lock down on *nix servers and which versions of security toolz to run such as tripwire and such. One area that seems to get neglect is SUID files, GUID files and world-writable files.

    Whenever I am asked to prepare a *nix server, I *always* issue these commands to check and see which files are SUID,GUID and world-writable.

    * For SUID:
    ==============================

    find / -type f -perm -4000 -ls

    ** For GUID
    ==============================
    find / type f -perm -2000 -ls

    For World-Writable
    ==============================
    find / -perm -2 -type f -print

    You may ask, well, what is the significance of this? It's simple. If I'm looking to comprimise your server and I have exausted all the typical easy avenues, I will eventually begin looking for world writable filez in order to gain root access. In addition, I will certainly look for SUID files that programs use on your machine. Pay close attention to the /dev partition too as it is *very* dangerous to have devices that are world-writable.

    Once you lock down file permissions, services and have applied the proper security patches, you shold have a solid *nix system. At this point I usually hammer against the box to be sure that I haven't missed anything. Only after this point, will I install the necessary software and then hammer on it one more time before approving it for internet exposure.

    Anyway, just wanted to share a little *nix tip with the AO community.

    * Fat finger typo pointed out by Itch
    ** Fat finger typo pointed out by Itch
    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  2. #2
    Senior Member tampabay420's Avatar
    Join Date
    Aug 2002
    Posts
    953
    hey, thanx thehorse13, always looking for cool *nix tips...
    i'm starting up a BSD Server, and will def. follow your lead
    yeah, I\'m gonna need that by friday...

  3. #3
    Senior Member
    Join Date
    Jul 2001
    Posts
    461
    hmmmmm... a few corrections.
    On my redhat linux boxes anyway...

    to find SUID you need to change the line
    find / -type f -perm -0400 -ls
    to
    find / -type f -perm -4000 -ls

    for SGID you need to change
    find / -type f -perm -0200 -ls
    to
    find / -type f -perm -2000 -ls

    The world writeable seems to be ok though. It is in fact returning world writable files

    Good luck,

    IchNiSan

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Ah yes itch, it seems that my extra fat fingers did it again!!! I have gone back and adjusted the syntax giving you credit for the bust!


    Thanks!
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #5
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Sweet. Thanks for the tip! I just rebuilt my server at home and I can use this.

    I didn't see it mentioned in the many guides that I have read nor did it come up in any of the utilities that I used to check the security.
    I'll have to doublecheck.

    I used a tool called Tiger and it turned up all kinds of recommendations. Its called Tiger

    TIGER is a set of Bourne shell scripts, C programs, and data files which are used to perform a security audit of Unix systems. The security audit results are useful both for system analysis (security auditing) and for real-time, host-based intrusion detection.
    http://savannah.nongnu.org/projects/tiger

    They actaully just released a new version of it a couple days ago.

    It alerted me to a bunch of things that I hadn't thought about... but this is my first try at securing a *nix box.
    I'm learning so much that I think I need to go home for the day cause my brain is full....

    Anywho, has anyone used it? What do you think?
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  6. #6
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Phish buddy,

    Another good site is http://www.bastille-linux.org

    This is taken directly from the site:

    The Bastille Hardening System attempts to "harden" or "tighten" Unix operating systems. It currently supports the Red Hat, Debian, Mandrake, SuSE and TurboLinux Linux distributions along with HP-UX and Mac OS X. We attempt to provide the most secure, yet usable, system possible. The project is run by Jon Lasser, Lead Coordinator and Jay Beale, Lead Developer, and involves a number of developers, beta-testers and concept-creators. Bastille Linux was developed with several major goals:


    COMPREHENSIVENESS
    Bastille Linux draws from every available major reputable source on Linux Security. The initial development integrated Jay Beale's existing O/S hardening experience for Solaris and Linux with most major points from the SANS' Securing Linux Step by Step, Kurt Seifried's Linux Administrator's Security Guide, and countless other sources.

    INSTRUCTIVENESS
    Bastille Linux has been designed to educate the installing administrator about the security issues involved in each of the script's tasks, thereby securing both the box and the administrator. Each step is optional and contains a description of the security issues involved.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  7. #7
    Senior Member
    Join Date
    Jul 2001
    Posts
    461
    Thanks for the bastille-linux link thehorse13.

    I have heard about it before, but never took the time to look it up.

    Thanks for the other info about suid/sgid stuff, its nice to get some info here that lots of people can use to help make their systems more secure.

    One quick note to people though about suid and sgid. Don't just willy nilly go removing the sgid or suid setting from these files. Some of them will certainly be fine if you remove the suid or sgid bit from them, but others(like /usr/bin/passwd) need to be suid in order for regular users to perform nescessary functions, like changing their password, as passwd needs to be able to write to /etc/passwd(and also call the shadow utils to edit /etc/shadow and really change your password on systems using shadow passwords, which are hopefully most of them) which is writeable only by root.

    Here is a list of SUID files from a default redhat linux 7.3 install.

    344699 40 -rwsr-xr-x 1 root root 37624 Feb 12 17:47 /usr/bin/chage
    343445 36 -rwsr-xr-x 1 root root 34972 Feb 12 17:48 /usr/bin/gpasswd
    343616 20 -rws--x--x 1 root root 16835 Aug 30 2002 /usr/bin/chfn
    343617 16 -rws--x--x 1 root root 15664 Aug 30 2002 /usr/bin/chsh
    343635 8 -rws--x--x 1 root root 6999 Aug 30 2002 /usr/bin/newgrp
    343657 40 -rwsr-xr-x 1 root root 37140 Jul 24 2002 /usr/bin/at
    343863 16 -r-s--x--x 1 root root 15368 May 28 2002 /usr/bin/passwd
    343933 20 -rwsr-xr-x 1 root root 19131 Jun 23 2002 /usr/bin/rcp
    343935 16 -rwsr-xr-x 1 root root 15376 Jun 23 2002 /usr/bin/rlogin
    343936 12 -rwsr-xr-x 1 root root 10689 Jun 23 2002 /usr/bin/rsh
    343955 88 ---s--x--x 1 root root 84984 Jun 27 2002 /usr/bin/sudo
    343974 36 -rwsr-xr-x 1 root root 34662 Jul 19 2002 /usr/bin/crontab
    376099 8 -rwsr-xr-x 1 root root 5100 Sep 5 2002 /usr/libexec/pt_chown
    180057 164 -rws--x--x 1 root root 162476 Aug 14 2002 /usr/libexec/openssh/ssh-keysign
    392470 36 -rwsr-xr-x 1 root root 33071 Jun 23 2002 /usr/sbin/ping6
    392474 16 -rwsr-xr-x 1 root root 13718 Jun 23 2002 /usr/sbin/traceroute6
    392511 16 -rwsr-xr-x 1 root root 15502 Sep 4 2002 /usr/sbin/usernetctl
    392528 32 -rws--x--x 1 root root 29676 Sep 4 2002 /usr/sbin/userhelper
    392580 12 -rwsr-xr-x 1 root root 10205 Jul 1 2002 /usr/sbin/userisdnctl
    392646 32 -rwsr-xr-x 1 root root 32076 Jun 23 2002 /usr/sbin/traceroute
    392891 20 -r-s--x--- 1 root apache 20469 Oct 9 2002 /usr/sbin/suexec
    771123 1844 -rws--x--x 1 root root 1884018 Sep 5 2002 /usr/X11R6/bin/XFree86
    1095603 36 -rwsr-xr-x 1 root root 35302 Jun 23 2002 /bin/ping
    1095643 88 -rwsr-xr-x 1 root root 81996 Aug 30 2002 /bin/mount
    1095644 40 -rwsr-xr-x 1 root root 40700 Aug 30 2002 /bin/umount
    1095654 20 -rwsr-xr-x 1 root root 19132 Aug 29 2002 /bin/su
    654474 8 -r-s--x--x 1 root root 7096 Feb 6 21:15 /sbin/pam_timestamp_check
    655431 124 -r-sr-xr-x 1 root root 119400 Feb 6 21:15 /sbin/pwdb_chkpwd
    654476 20 -r-sr-xr-x 1 root root 17080 Feb 6 21:15 /sbin/unix_chkpwd

    Many of these should be able to have their suid bit removed and have very little effect on the box, but some, like passwd must have suid as root in order for regular users to change their password on a multi-user box. If you are the only user, sure, you could remove that suid(I dont think it would break anything else) and just change your own account password while logged in as root. Also, you might not want to remove the suid from su or sudo. Things like traceroute should be fine to remove it, but some of them might cause you unforseen dificulties.

    My only point is MAKE SURE YOU HAVE A CLUE what the file you are removing suid or sgid from does and have some inkling how it will affect your system before removing suid or sgid.

    Thanks again for the info thehorse13

  8. #8
    "Once you lock down file permissions, services and have applied
    the proper security patches, you shold have a solid *nix system"

    Get Lids to lock down the system that is if you want to keep
    the bads guy out.

    http://www.lids.org/about.html


    Doc

  9. #9
    Senior Member
    Join Date
    Jul 2001
    Posts
    461
    um, also, you do know that the bastille has been stormed before right?

    http://utut.essortment.com/thestormingof_rksu.htm

    hehe 8)

  10. #10
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Itch,

    Indeed I do know that it has been stormed. Actually, world history is another one of my interests.

    Also, good follow up to my post. When I pop this info up on AO, I assume that the reader has the appropriate knowledge needed to utilize the info. I have faith in most people here
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •