Maintaining file and directory permissions on a server is very easy because the majority of the work can be automated with scripts and cron jobs. All of these techniques use the find command to search for files with particular permission sets. Use the -perm option to match a particular mode and the -type option to look for files (-type f) or directories (-type d).
The term temporary directory means a permanent directory that is used by applications and users to store temporary files or files that are only needed for a short period of time before they can be erased. These directories need the sticky bit set because multiple users write to the same directory, and it is important to prevent users from modifying someone else's files. Look for directories with the sticky bit set. The -ls option prints the equivalent of the ls -dils command (the first column is the inode number).
# find / -type d -perm -1000 -ls
 971      0 drwxrwxrwt  2 root  root    40 Jun 10 23:39 /dev/shm
 309473   4 drwxrwxrwt  2 root  root  4096 Jun 10 15:26 /var/tmp
 1270606  4 drwxrwxrwt  2 root  root  4096 Aug 11  2003 /var/spool/vbox
 97875    4 drwx-----T  2 lp    sys   4096 Sep  1  2003 /var/spool/cups/tmp
 1564241  4 drwxrwxrwt  2 root  root  4096 Sep 25  2003 /var/spool/samba
 211745   4 drwxrwxrwt  5 root  root  4096 Jun 10 23:40 /tmp
 440693   4 drwxrwxrwt  2 xfs   xfs   4096 Jun 10 23:40 /tmp/.font-unix
Instead of relying on the formatted output of the -ls option, you can use the -printf option to create a customized list that may be more script-friendly. The additional information you can access via -printf is of great use during forensic investigations as well. Here is the same command, but with different formatting of the output:
# find / -type d -perm -1000 \
> -printf "%p, %u(%U), %g(%G), %k, %m, %AY%Am%Ad-%AT%AZ\n"
/dev/shm, root(0), root(0), 0, 1777, 20040610-23:39:55PDT
/var/tmp, root(0), root(0), 4, 1777, 20040611-00:58:38PDT
/var/spool/vbox, root(0), root(0), 4, 1777, 20040611-00:58:38PDT
/var/spool/cups/tmp, lp(4), sys(3), 4, 1700, 20040611-00:58:38PDT
/var/spool/samba, root(0), root(0), 4, 1777, 20040611-00:58:38PDT
/tmp, root(0), root(0), 4, 1777, 20040611-00:58:38PDT
/tmp/.font-unix, xfs(43), xfs(43), 4, 1777, 20040611-00:58:38PDT
This creates a comma-delimited list with the full path and filename (%p), username (%u) and UID (%U), group name (%g) and GID (%G), size in 1K blocks (%k), permission modes (%m), and access time (%AY%Am%Ad-%AT%AZ). Delimited output is easier to parse with Perl, Python, the cut command, and other methods. To create a truly forensics-friendly list, include the last status change (%CY%Cm%Cd-%CT%CZ) and last modification (%TY%Tm%Td-%TT%TZ) times.
Note: A file or directory's modification, access, and change times are immensely helpful for debugging problems as well as providing a detailed picture of the activity of an intruder. It's also a good idea to use %s instead of %k in order to report the exact file size in bytes.
Sticky bits should appear on /tmp, /var/tmp, and /var/spool/samba at the very least.
Obtain a list of all current SUID and SGID files and directories once a system has been installed and configured. This list contains all of the special-privilege files and directories that are necessary for the system to function properly. It is unlikely that you will add more files with SUID permissions. Periodically check the list for new files or for files in directories that aren't expected to have binaries. If these are present, they may indicate an intrusion, a malicious user, or a user who does not understand the implications of SUID and SGID security requirements.
Use mode 4000 for SUID files and mode 2000 for SGID files or directories. This is the command to find SUID files:
# find / -type f -perm -4000 \
> -printf "%p, %u(%U), %g(%G), %k, %m, %AY%Am%Ad-%AT%AZ\n"
/usr/X11R6/bin/XFree86, root(0), root(0), 1908, 4711, 20040610-21:50:02PDT
/usr/sbin/usernetctl, root(0), root(0), 16, 4755, 20030925-21:39:16PDT
/usr/sbin/userhelper, root(0), root(0), 28, 4711, 20040610-22:41:12PDT
/usr/sbin/userisdnctl, root(0), root(0), 8, 4755, 20030811-13:50:39PDT
/usr/sbin/suexec, root(0), apache(48), 20, 4510, 20030925-06:31:52PDT
/usr/bin/chage, root(0), root(0), 36, 4755, 20030604-12:18:20PDT
/usr/bin/gpasswd, root(0), root(0), 36, 4755, 20030604-12:18:21PDT
/usr/bin/chfn, root(0), root(0), 16, 4711, 20030925-06:10:33PDT
/usr/bin/chsh, root(0), root(0), 12, 4711, 20030925-06:10:33PDT
/usr/bin/newgrp, root(0), root(0), 8, 4711, 20030925-06:10:33PDT
/usr/bin/passwd, root(0), root(0), 16, 4511, 20030213-13:19:55PST
...<snip>...
This is the command to find SGID files:
# find / -type f -perm -2000 \
> -printf "%p, %u(%U), %g(%G), %k, %m, %AY%Am%Ad-%AT%AZ\n"
/usr/sbin/lockdev, root(0), lock(54), 12, 2755, 20030908-14:01:28PDT
/usr/sbin/utempter, root(0), utmp(22), 36, 2755, 20030218-17:26:19PST
/usr/sbin/sendmail.sendmail, root(0), smmsp(51), 724, 2755, 20040610- 3:40:38PDT
/usr/bin/wall, root(0), tty(5), 8, 2555, 20030625-13:31:56PDT
/usr/bin/write, root(0), tty(5), 20, 2755, 20030925-06:10:25PDT
/usr/bin/lockfile, root(0), mail(12), 16, 2755, 20030124-22:39:17PST
/usr/bin/slocate, root(0), slocate(21), 28, 2755, 20040610-04:04:19PDT
...<snip>...
The following is the command to find SGID directories. It is unlikely that your system will have such directories, although /var/spool/mail is a possible match.
# find / -type d -perm -2000 \
> -printf "%p, %u(%U), %g(%G), %k, %m, %AY%Am%Ad-%AT%AZ\n"
/tmp/temp, root(0), root(0), 4, 2755, 20040611-01:13:55PDT
The following is the command to find world-writeable files. No such file should be on your system. If one is present, it may have been created by a poorly written application, or the permission may have been set by accident. The file should be removed, or at least its world-writeable bit should be removed.
# find / -type f -perm -0002 \
> -printf "%p, %u(%U), %g(%G), %k, %m, %AY%Am%Ad-%AT%AZ\n"
/tmp/temp.txt, root(0), root(0), 0, 777, 20040611-01:17:27PDT
The following is the command to find world-writeable directories. Any such directory should also have the sticky bit set. All of the directories in this example adhere to this rule (the first digit of the mode is 1).
# find / -type d -perm -0002 \
> -printf "%p, %u(%U), %g(%G), %k, %m, %AY%Am%Ad-%AT%AZ\n"
/dev/shm, root(0), root(0), 0, 1777, 20040610-23:39:55PDT
/var/tmp, root(0), root(0), 4, 1777, 20040611-01:15:51PDT
/var/spool/vbox, root(0), root(0), 4, 1777, 20040611-01:15:51PDT
/var/spool/samba, root(0), root(0), 4, 1777, 20040611-01:15:51PDT
/tmp, root(0), root(0), 4, 1777, 20040611-01:15:51PDT
/tmp/.font-unix, xfs(43), xfs(43), 4, 1777, 20040611-01:15:51PDT
Each of these commands should be run just before the system is placed into production and the output stored in a secure location. Then the commands should be run on a periodic basis and their output compared with the known good copy. Any discrepancies should be investigated and resolved by the administrator.
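The following script is an added example and is not part of the original text: it turns the six find commands above and the baseline-then-compare procedure just described into a small POSIX shell tool. It uses the comma-delimited -printf layout from the section, with %s (exact size) and the ctime/mtime pair in place of the access time, because the access time changes every time a binary runs and would make each comparison noisy. It assumes GNU find (for -printf) and a writable baseline directory; the check names and directory paths are constructed for this example. It goes slightly beyond the text in one check: instead of listing all world-writeable directories, it lists only those that lack the sticky bit, which is the condition the text says should never occur.

```shell
#!/bin/sh
# Added example (not from the original text): snapshot the special-permission
# inventory of a tree and compare it with a stored known-good copy.
# Assumes GNU find; the check names and directory layout are constructed.

# Emit one sorted, comma-delimited record per match.
# $1 = search root; remaining arguments are find predicates (-type, -perm ...).
# Fields: path, user(UID), group(GID), size in bytes, mode, ctime, mtime.
perm_records() {
    root=$1
    shift
    find "$root" -xdev "$@" \
        -printf '%p, %u(%U), %g(%G), %s, %m, %CY%Cm%Cd-%CT%CZ, %TY%Tm%Td-%TT%TZ\n' \
        2>/dev/null | sort
}

# Write one file per check into the snapshot directory $2, scanning from $1.
# The last check is the stricter form of the world-writeable directory scan:
# world-writeable directories that do NOT carry the sticky bit.
perm_snapshot() {
    mkdir -p "$2"
    perm_records "$1" -type d -perm -1000                > "$2/sticky_dirs"
    perm_records "$1" -type f -perm -4000                > "$2/suid_files"
    perm_records "$1" -type f -perm -2000                > "$2/sgid_files"
    perm_records "$1" -type d -perm -2000                > "$2/sgid_dirs"
    perm_records "$1" -type f -perm -0002                > "$2/ww_files"
    perm_records "$1" -type d -perm -0002 ! -perm -1000  > "$2/ww_dirs_nosticky"
}

# Compare a fresh snapshot ($2) with the known-good baseline ($1).
# Prints a unified diff for every check that differs and returns 1 when any
# discrepancy exists, 0 when the system still matches its baseline.
perm_compare() {
    status=0
    for check in sticky_dirs suid_files sgid_files sgid_dirs ww_files ww_dirs_nosticky; do
        if ! diff -u "$1/$check" "$2/$check" >/dev/null; then
            echo "== $check differs from baseline =="
            diff -u "$1/$check" "$2/$check"
            status=1
        fi
    done
    return $status
}

# Number of records in one check file of a snapshot (for quick reporting).
# $1 = snapshot directory, $2 = check name
perm_count() {
    wc -l < "$1/$2" | tr -d ' '
}

# Typical use (baseline taken before production, then re-run from cron):
#   perm_snapshot / /var/lib/perm-audit/baseline      # once, then protect it
#   perm_snapshot / /tmp/perm-audit.now && perm_compare /var/lib/perm-audit/baseline /tmp/perm-audit.now
```

The baseline directory should live where only the administrator can write it (or be copied off the host), since an intruder who can edit the known-good copy can hide a new SUID binary from the comparison. The diff output names the exact record that changed, so a replaced SUID binary shows up as a changed size, mode or ctime rather than only as a new path.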