Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca
© Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ®
Page 59

     [root@deep /]# chmod a-s /bin/umount
     [root@deep /]# chmod a-s /bin/ping
     [root@deep /]# chmod a-s /sbin/netreport

If you want to know what those programs do, run man program-name and read the page. As an example:

     [root@deep /]# man netreport

33. Unusual or hidden files

It is important not to forget to look everywhere on the system for unusual or hidden files (files that start with a period and are normally not shown by the “ls” command), as these can be used to hide tools and information (password cracking programs, password files from other systems, etc.). A common technique on UNIX systems is to put a hidden directory or file in a user's account with an unusual name, something like '...' or '.. ' (dot dot space) or '..^G' (dot dot control-G). The “find” program can be used to look for hidden files. As an example:

     [root@deep /]# find / -xdev -name ".. " -print
     [root@deep /]# find / -xdev -name ".*" -print | cat -v

NOTE: Files with names such as '.xx' and '.mail' have been used (that is, files that might appear to be normal).

34. Find all files with the SUID/SGID bit enabled

All SUID and SGID files that still exist on your system after we have removed those that do not absolutely require such privilege are a potential security risk, and should be monitored closely. Because these programs grant special privileges to the user who is executing them, it is necessary to ensure that insecure programs will not be installed. A favorite trick of crackers is to exploit SUID "root" programs, and leave a SUID program as a backdoor to get in the next time. Find all SUID and SGID programs on your system, and keep track of what they are, so you are aware of any changes, which could indicate a potential intruder.

· Use the following command to find all SUID/SGID programs on your system:

     [root@deep /]# find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;

NOTE: See chapter 10 of this book, “Securities Software (Monitoring Tools)”, for more information about the software sXid, which will do the job for you automatically each day and report the results via mail.

35. Find group and World Writable files and directories

Group and world writable files and directories, particularly system files (partitions), can be a security hole if a cracker gains access to your system and modifies them. Additionally, world-writable directories are dangerous, since they allow a cracker to add or delete files as he/she wishes in these directories. In the normal course of operation, several files will be writable, including some from the “/dev” and “/var/catman” directories, and all symbolic links on your system.

· To locate all group & world-writable files on your system, use the command:

     [root@deep /]# find / -type f \( -perm -2 -o -perm -20 \) -exec ls -lg {} \;
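As an added example (not code from the book), the following POSIX shell functions turn the SUID/SGID find command of section 34 into the "keep track of what they are" check the text asks for: the first run stores a baseline, later runs report files that gained or lost the bit. It assumes GNU find, stat and comm as shipped with Red Hat, and a baseline file path of your choosing.

```shell
#!/bin/sh
# Added example: snapshot SUID/SGID files and report changes against a
# saved baseline (a manual version of the daily sXid check the book cites).
# Assumes GNU stat (-c) and GNU find; the baseline path is caller-supplied.

# Print every SUID/SGID regular file under $1 as "mode owner group path",
# sorted in the C locale so two snapshots can be compared line by line.
# -xdev stays on the starting filesystem, as in the book's find examples.
suid_sgid_list() {
    find "$1" -xdev -type f \( -perm -04000 -o -perm -02000 \) \
        -exec stat -c '%a %U %G %n' {} + 2>/dev/null | LC_ALL=C sort
}

# Compare the current snapshot of $1 with the baseline file $2.
# Output lines starting "+ " are new SUID/SGID files (a possible planted
# backdoor); lines starting "- " are entries that lost the bit or vanished.
# Returns 0 when nothing changed, 1 when it did, 2 on internal error.
# If no baseline exists yet, the current snapshot becomes the baseline.
check_suid_changes() {
    dir=$1
    baseline=$2
    current=$(mktemp) || return 2
    suid_sgid_list "$dir" > "$current"
    if [ ! -f "$baseline" ]; then
        cp "$current" "$baseline"
        rm -f "$current"
        return 0
    fi
    # comm -3: column 1 = only in baseline (removed), column 2 (tab-indented)
    # = only in current (added). Tag each line accordingly.
    tab=$(printf '\t')
    changes=$(LC_ALL=C comm -3 "$baseline" "$current" \
        | sed -e "s/^$tab/+ /" -e '/^+ /!s/^/- /')
    rm -f "$current"
    if [ -n "$changes" ]; then
        printf '%s\n' "$changes"
        return 1
    fi
    return 0
}
```

Run it from cron against "/" with a baseline kept outside the monitored tree (or on read-only media), and treat any "+ " line as something to explain before the next run.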