Review File and Directory Access Controls


Maintaining file and directory permissions on a server is very easy because the majority of the work can be automated with scripts and cron jobs. All of these techniques use the find command to search for files with particular permission sets. Use the -perm option to match a particular mode (a leading minus, as in -perm -1000, matches any entry that has at least those bits set) and the -type option to look for files (-type f) or directories (-type d).

Verify the Sticky Bit for Temporary Directories

The term temporary directory means a permanent directory that is used by applications and users to store temporary files or files that are only needed for a short period of time before they can be erased. These directories need the sticky bit set because multiple users write to the same directory, and it is important to prevent users from modifying someone else's files. Look for directories with the sticky bit set. The -ls option prints the equivalent of the ls -dils command (the first column is the inode number).

 # find / -type d -perm -1000 -ls
     971  0 drwxrwxrwt   2 root   root    40 Jun 10 23:39 /dev/shm
  309473  4 drwxrwxrwt   2 root   root  4096 Jun 10 15:26 /var/tmp
 1270606  4 drwxrwxrwt   2 root   root  4096 Aug 11  2003 /var/spool/vbox
   97875  4 drwx-----T   2 lp     sys   4096 Sep  1  2003 /var/spool/cups/tmp
 1564241  4 drwxrwxrwt   2 root   root  4096 Sep 25  2003 /var/spool/samba
  211745  4 drwxrwxrwt   5 root   root  4096 Jun 10 23:40 /tmp
  440693  4 drwxrwxrwt   2 xfs    xfs   4096 Jun 10 23:40 /tmp/.font-unix

Instead of relying on the formatted output of the -ls option, you can use the -printf option to create a customized list that may be more script-friendly. The additional information you can access via -printf is of great use during forensic investigations as well. Here is the same command, but with different formatting of the output:

 # find / -type d -perm -1000 \
 > -printf "%p, %u(%U), %g(%G), %k, %m, %AY%Am%Ad-%AT%AZ\n"
 /dev/shm, root(0), root(0), 0, 1777, 20040610-23:39:55PDT
 /var/tmp, root(0), root(0), 4, 1777, 20040611-00:58:38PDT
 /var/spool/vbox, root(0), root(0), 4, 1777, 20040611-00:58:38PDT
 /var/spool/cups/tmp, lp(4), sys(3), 4, 1700, 20040611-00:58:38PDT
 /var/spool/samba, root(0), root(0), 4, 1777, 20040611-00:58:38PDT
 /tmp, root(0), root(0), 4, 1777, 20040611-00:58:38PDT
 /tmp/.font-unix, xfs(43), xfs(43), 4, 1777, 20040611-00:58:38PDT

This creates a comma-delimited list with the full path and filename (%p), username (%u) and UID (%U), group name (%g) and GID (%G), size in 1K blocks (%k), permission modes (%m), and access time (%AY%Am%Ad-%AT%AZ). Delimited output is easier to parse with Perl, Python, the cut command, and other methods. To create a truly forensics-friendly list, include the last status change (%CY%Cm%Cd-%CT%CZ) and last modification (%TY%Tm%Td-%TT%TZ) times.

Note  

A file or directory's modification, access, and change times are immensely helpful for debugging problems as well as providing a detailed picture of the activity of an intruder. It's also a good idea to use %s instead of %k in order to report the exact file size in bytes.

Sticky bits should appear on /tmp, /var/tmp, and /var/spool/samba at the very least.

Record SUID/SGID Files and Directories

Obtain a list of all current SUID and SGID files and directories once a system has been installed and configured. This list contains all of the specially privileged files and directories that are necessary for the system to function properly. It is unlikely that you will add more files with SUID permissions. Periodically check the list for new files or files in directories that aren't expected to have binaries. If these are present, they may indicate an intrusion, a malicious user, or a user who does not understand the implications of SUID and SGID security requirements.

Use mode 4000 for SUID files and mode 2000 for SGID files or directories. This is the command to find SUID files:

 # find / -type f -perm -4000 \
 > -printf "%p, %u(%U), %g(%G), %k, %m, %AY%Am%Ad-%AT%AZ\n"
 /usr/X11R6/bin/XFree86, root(0), root(0), 1908, 4711, 20040610-21:50:02PDT
 /usr/sbin/usernetctl, root(0), root(0), 16, 4755, 20030925-21:39:16PDT
 /usr/sbin/userhelper, root(0), root(0), 28, 4711, 20040610-22:41:12PDT
 /usr/sbin/userisdnctl, root(0), root(0), 8, 4755, 20030811-13:50:39PDT
 /usr/sbin/suexec, root(0), apache(48), 20, 4510, 20030925-06:31:52PDT
 /usr/bin/chage, root(0), root(0), 36, 4755, 20030604-12:18:20PDT
 /usr/bin/gpasswd, root(0), root(0), 36, 4755, 20030604-12:18:21PDT
 /usr/bin/chfn, root(0), root(0), 16, 4711, 20030925-06:10:33PDT
 /usr/bin/chsh, root(0), root(0), 12, 4711, 20030925-06:10:33PDT
 /usr/bin/newgrp, root(0), root(0), 8, 4711, 20030925-06:10:33PDT
 /usr/bin/passwd, root(0), root(0), 16, 4511, 20030213-13:19:55PST
 ...<snip>...

This is the command to find SGID files:

 # find / -type f -perm -2000 \
 > -printf "%p, %u(%U), %g(%G), %k, %m, %AY%Am%Ad-%AT%AZ\n"
 /usr/sbin/lockdev, root(0), lock(54), 12, 2755, 20030908-14:01:28PDT
 /usr/sbin/utempter, root(0), utmp(22), 36, 2755, 20030218-17:26:19PST
 /usr/sbin/sendmail.sendmail, root(0), smmsp(51), 724, 2755, 20040610- 3:40:38PDT
 /usr/bin/wall, root(0), tty(5), 8, 2555, 20030625-13:31:56PDT
 /usr/bin/write, root(0), tty(5), 20, 2755, 20030925-06:10:25PDT
 /usr/bin/lockfile, root(0), mail(12), 16, 2755, 20030124-22:39:17PST
 /usr/bin/slocate, root(0), slocate(21), 28, 2755, 20040610-04:04:19PDT
 ...<snip>...

The following is the command to find SGID directories. It is unlikely that your system will have such directories, although /var/spool/mail is a possible match.

 # find / -type d -perm -2000 \
 > -printf "%p, %u(%U), %g(%G), %k, %m, %AY%Am%Ad-%AT%AZ\n"
 /tmp/temp, root(0), root(0), 4, 2755, 20040611-01:13:55PDT

The following is the command to find world-writeable files. No such file should be on your system. If one is present, it may have been created by a poorly written application or the permission was set by accident. It should be removed or the world-writeable bit removed.

 # find / -type f -perm -0002 \
 > -printf "%p, %u(%U), %g(%G), %k, %m, %AY%Am%Ad-%AT%AZ\n"
 /tmp/temp.txt, root(0), root(0), 0, 777, 20040611-01:17:27PDT

The following is the command to find world-writeable directories. Any such directory should also have the sticky bit set. All of the directories in this example adhere to this rule (the leading digit of the mode is 1).

 # find / -type d -perm -0002 \
 > -printf "%p, %u(%U), %g(%G), %k, %m, %AY%Am%Ad-%AT%AZ\n"
 /dev/shm, root(0), root(0), 0, 1777, 20040610-23:39:55PDT
 /var/tmp, root(0), root(0), 4, 1777, 20040611-01:15:51PDT
 /var/spool/vbox, root(0), root(0), 4, 1777, 20040611-01:15:51PDT
 /var/spool/samba, root(0), root(0), 4, 1777, 20040611-01:15:51PDT
 /tmp, root(0), root(0), 4, 1777, 20040611-01:15:51PDT
 /tmp/.font-unix, xfs(43), xfs(43), 4, 1777, 20040611-01:15:51PDT

Each of these commands should be run just before the system is placed into production and the output stored in a secure location. Then the commands should be run on a periodic basis and their output compared with the known good copy. Any discrepancies should be investigated and resolved by the administrator.
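As an added example (not from the book), the following POSIX sh script implements the baseline-and-compare routine just described: it runs the five find checks with the forensics-friendly format from the note (%s for bytes, plus modification and change times), stores a known-good copy, and diffs later runs against it. It assumes GNU find for -printf; the function names and the "world-writable directory without sticky bit" combined check are this example's own.

```shell
#!/bin/sh
# Added example, not from the book: snapshot the special-permission
# inventory the chapter describes and diff later runs against it.
# Assumes GNU find (for -printf). ROOT is the tree to audit.

# Output format: path, owner(uid), group(gid), size in bytes, octal mode,
# mtime, ctime. Access time is left out on purpose: it changes on every
# read and would make every comparison noisy.
FMT='%p, %u(%U), %g(%G), %s, %m, %TY%Tm%Td-%TT%TZ, %CY%Cm%Cd-%CT%CZ\n'

# One find per check. Each list is sorted so the output is stable across
# runs (find walks the tree in filesystem order, not alphabetically).
audit_perms() {  # ROOT
    root=$1
    echo '# sticky directories'
    find "$root" -type d -perm -1000 -printf "$FMT" | LC_ALL=C sort
    echo '# SUID files'
    find "$root" -type f -perm -4000 -printf "$FMT" | LC_ALL=C sort
    echo '# SGID files and directories'
    find "$root" -perm -2000 -printf "$FMT" | LC_ALL=C sort
    echo '# world-writable files'
    find "$root" -type f -perm -0002 -printf "$FMT" | LC_ALL=C sort
    echo '# world-writable directories missing the sticky bit'
    find "$root" -type d -perm -0002 ! -perm -1000 -printf "$FMT" | LC_ALL=C sort
}

# Take the known-good snapshot once, before the box goes into production,
# and keep BASELINE_FILE somewhere the audited host cannot modify.
baseline_perms() {  # ROOT BASELINE_FILE
    audit_perms "$1" > "$2"
}

# Periodic check (cron): returns 0 when nothing changed, prints a unified
# diff and returns 1 when the inventory differs from the baseline.
check_perms() {  # ROOT BASELINE_FILE
    current=$(mktemp) || return 2
    audit_perms "$1" > "$current"
    if diff -u "$2" "$current"; then
        rm -f "$current"
        return 0
    fi
    rm -f "$current"
    return 1
}
```

A new SUID binary, a dropped sticky bit, or a chmod that touched an existing entry's ctime all show up as diff lines, which is what the administrator then investigates.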




Hardening Linux
ISBN: 0072254971
Year: 2004
Pages: 113