2.7 FILE SYSTEM SECURITY

2.7.1 Secure File System Mount Options

This section outlines edits that can be made to the /etc/fstab file to enhance the security of the system. Please note that the recommendations for mount options on the /usr and /home partitions should only be applied to systems where Server or Custom type was chosen during installation (see Section 2.1.1). This is because if Workstation or Laptop was selected, the /usr and /home directories will be part of the root partition (/), and the root partition must not be read-only, nodev, or nosuid.

Mount the /usr partition as read-only. Most of the executable commands on the system are located in the /usr filesystem. Mounting it as read-only is a good way to protect against Trojaned binaries being installed.

 LABEL=/usr              /usr         ext3 ro            1 2

Note

The /usr file system will have to be remounted read-write before applying most rpm upgrades (including any scheduled to be applied by update agents like up2date or autorpm) with the following command:

 [root@localhost]# mount -o remount,rw /usr 

Once the installation is complete, the partition can be mounted read-only again with the following command:

 [root@localhost]# mount -o remount,ro /usr 

To prevent SUID or device files from being introduced to the system by removable media, add the nosuid and nodev options to the lines for all removable media (e.g. floppy, cdrom):

 /dev/fd0      /mnt/floppy      ext3 nosuid,nodev    1 2
 /dev/cdrom    /mnt/cdrom       ext3 nosuid,nodev    1 2

Lastly, the file system containing user home directories should also have the nosuid and nodev options set:

 LABEL=/home         /home      ext3 nosuid,nodev    1 2 
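As an added check that is not part of the book, the following POSIX shell script audits an fstab-format file against the mount options recommended above (ro on /usr, nosuid and nodev on /home and removable media, and none of those on the root partition). The fstab it reads is constructed inline; has_opt and check_fstab are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the book: audit an fstab-format file against the
# mount options section 2.7.1 recommends (ro on /usr; nosuid,nodev on /home
# and removable media; none of those on the root partition).
# Assumes the standard six-field fstab layout; the sample file is constructed.

# has_opt OPTS OPTION: succeed if OPTION appears in the comma-separated OPTS
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_fstab FILE: print one line per finding; return 0 only if clean
check_fstab() {
    rc=0
    while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac   # skip blanks and comments
        case "$mnt" in
            /)  # root must stay writable and must not carry nodev/nosuid
                for bad in ro nodev nosuid; do
                    has_opt "$opts" "$bad" && { echo "$mnt: must not be $bad"; rc=1; }
                done ;;
            /usr)
                has_opt "$opts" ro || { echo "$mnt: missing ro"; rc=1; } ;;
            /home|/mnt/floppy|/mnt/cdrom)
                for want in nosuid nodev; do
                    has_opt "$opts" "$want" || { echo "$mnt: missing $want"; rc=1; }
                done ;;
        esac
    done < "$1"
    return "$rc"
}

# Constructed sample fstab: one compliant entry, two that need fixing.
SAMPLE_FSTAB=$(mktemp)
trap 'rm -f "$SAMPLE_FSTAB"' EXIT
cat > "$SAMPLE_FSTAB" <<'EOF'
# device        mount point   fstype options        dump pass
LABEL=/         /             ext3   defaults       1 1
LABEL=/usr      /usr          ext3   defaults       1 2
/dev/fd0        /mnt/floppy   ext3   nosuid,nodev   1 2
LABEL=/home     /home         ext3   nosuid         1 2
EOF

if check_fstab "$SAMPLE_FSTAB"; then
    echo "fstab matches the recommended mount options"
fi
```

Run it against a real /etc/fstab by passing that path to check_fstab instead of the sample file.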

2.7.2 Tighten Permissions on Files

2.7.2.1 Restrict Access to Administrative Utilities

Administrative utilities (e.g. chkconfig, traceroute, ifconfig, and iptables) reside in the /sbin and /usr/sbin directories. Under normal circumstances, unprivileged users should not need to execute any of these commands. Issue the following command to remove read, write and execute privileges for users that do not own the files (and do not belong to the groups that do own them) from all files in these directories.

 [root@localhost]# /bin/chmod -R o-rwx /usr/sbin `ls /sbin/* | grep -v consoletype`

The consoletype utility is left out of the tightened file permissions because the files /etc/profile.d/lang.sh and /etc/profile.d/lang.csh call it, with the privileges of a normal user, to determine the type of console the user is logged into when starting a new shell.

2.7.3 SUID Permissions for Executable Programs

Other utilities that normal users can run reside in the /bin and /usr/bin directories. Some of these require SUID in order to work, for example, the passwd command needs to be able to write the updated password hash to the /etc/shadow file to which the user does not have read or write permission. However, on most files, the SUID and SGID permissions are an optional convenience, for example the ping command. To see a list of all the files with SUID or SGID permission use the following command:

 [root@localhost]# /usr/bin/find /bin /usr/bin -type f \( -perm -04000 -o -perm -02000 \) -ls 

Review the resulting list and remove the SUID or SGID permissions from files that do not require it by setting the permission on each of these files to 755. For example:

 [root@localhost]# /bin/chmod 755 /bin/mount /bin/umount /bin/ping /usr/bin/chfn /usr/bin/chsh /usr/bin/chage

2.7.4 Remove Compiler Packages (Servers and Workstations Not Used for Software Development)

Many exploits used by crackers are distributed as program source code and must be compiled on the target system before they can be used. If the compiler packages are removed from the system, then the cracker will have to upload a compiler along with the exploit source code before attempting to exploit the system. In addition to thwarting "script-kiddies", the increased activity required to install a compiler should facilitate detection of the unauthorized intrusion.

Issue the following command to remove them:

 [root@localhost]# /bin/rpm -e cpp gcc gcc-c++ gcc-g77



Securing Linux. A Survival Guide for Linux Security
Securing Linux: A Survival Guide for Linux Security (Version 2.0)
ISBN: 0974372773
Year: 2002
Pages: 39
