Linux: Host-Security Review
When reviewing host security on a Linux system, assess the security mechanisms in each of the following three areas:
Prevention: Install operating system updates, secure passwords, improve file permissions, set up a password for a boot loader, and use encryption.
Detection: Capture log messages and check file integrity with Tripwire (a tool that can detect changes to system files).
Response: Make routine backups and develop incident response procedures.
Operating system updates
Linux distributions release updates promptly: when a security vulnerability is found, the distribution releases an update to fix the problem. Many distributions offer online updates that you can enable and use to keep your system up to date. The details of updating the operating system depend on the distribution.
Protect important system files with appropriate file ownerships and file permissions. The key procedures in assigning file-system ownerships and permissions are as follows:
Figure out which files contain sensitive information and why. Some files may contain sensitive data related to your work or business, whereas many other files are sensitive because they control the Linux system configuration.
Maintain a current list of authorized users and what they are authorized to do on the system.
Set up passwords, groups, file ownerships, and file permissions to allow only authorized users to access the files.
This table lists some important system files in Linux, showing the typical numeric permission setting for each file (this may differ slightly, depending on the distribution).
| File or directory | Permission | Description |
|---|---|---|
| /boot/grub/menu.lst | 600 | GRUB boot loader menu file |
| /etc/cron.allow | 400 | List of users permitted to use cron to submit periodic jobs |
| /etc/cron.deny | 400 | List of users who can’t use cron to submit periodic jobs |
| /etc/crontab | 644 | System-wide periodic jobs |
| /etc/hosts.allow | 644 | List of hosts allowed to use Internet services that are started using TCP wrappers |
| /etc/hosts.deny | 644 | List of hosts denied access to Internet services that are started using TCP wrappers |
| /etc/logrotate.conf | 644 | File that controls how log files rotate |
| /etc/pam.d | 755 | Directory with configuration files for pluggable authentication |
| /etc/passwd | 644 | Old-style password file with user account information but not |
| /etc/rc.d | 755 | Directory with system-startup scripts |
| /etc/securetty | 600 | TTY interfaces (terminals) from which root can log in |
| /etc/security | 755 | Policy files that control system access |
| /etc/shadow | 400 | File with encrypted passwords and password expiration |
| /etc/shutdown.allow | 400 | Users who can shut down or reboot by pressing |
| /etc/ssh | 755 | Directory with configuration files for the Secure Shell |
| /etc/sysconfig | 755 | System configuration files |
| /etc/sysctl.conf | 644 | Kernel configuration parameters |
| /etc/syslog.conf | 644 | Configuration file for the syslogd server that logs messages |
| /etc/udev/udev.conf | 644 | Configuration file for udev, the program that dynamically names hot-pluggable devices and creates the device files in the /dev directory |
| /etc/vsftpd | 600 | Configuration file for the Very Secure FTP server |
| /etc/vsftpd.ftpusers | 600 | List of users who are not allowed to use FTP to transfer |
| /etc/xinetd.conf | 644 | Configuration file for the xinetd |
| /etc/xinetd.d | 755 | Directory containing configuration files for specific services that the xinetd server can start |
| /var/log | 755 | Directory with all log files |
| /var/log/lastlog | 644 | Information about all previous logins |
| /var/log/messages | 644 | Main system message log file |
| /var/log/wtmp | 664 | Information about current logins |
Another important check is to look for executable program files that have the setuid permission. If a program has setuid permission and is owned by root, the program runs with root privileges, no matter who actually runs the program. You can find all setuid programs with the following find command:
find / -perm -4000 -type f -print
You may want to save the output in a file (just append > filename to the command) and then examine the file for any unusual setuid programs. For example, a setuid program in a user’s home directory is unusual.
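The two checks above (comparing the table's permission settings against the live system, and locating setuid executables that sit in unusual places such as home directories) can be scripted. The following Python script is an added example, not part of the original text: the baseline modes are a subset of the table's values, and the `root` parameter is an assumption so the same functions can be pointed at a test tree instead of the real filesystem.

```python
import os
import stat
from typing import Dict, List, Tuple

# Permission baseline: a subset of the entries in the table above (octal modes).
BASELINE: Dict[str, int] = {
    "/boot/grub/menu.lst": 0o600,
    "/etc/crontab": 0o644,
    "/etc/passwd": 0o644,
    "/etc/securetty": 0o600,
    "/etc/shadow": 0o400,
    "/etc/ssh": 0o755,
}

def check_permissions(baseline: Dict[str, int], root: str = "/") -> List[Tuple[str, int, int]]:
    """Return (path, expected, actual) for baseline files whose mode grants more than expected.
    `root` is an assumed parameter so the check can run against a test tree; missing files are skipped."""
    findings: List[Tuple[str, int, int]] = []
    for rel, expected in baseline.items():
        path = os.path.join(root, rel.lstrip("/"))
        try:
            actual = stat.S_IMODE(os.lstat(path).st_mode)
        except FileNotFoundError:
            continue
        if actual & ~expected:  # a permission bit is set that the baseline does not grant
            findings.append((path, expected, actual))
    return findings

def find_setuid(root: str = "/") -> List[Tuple[str, bool]]:
    """Equivalent of `find ROOT -perm -4000 -type f`; the flag marks a file under a home directory."""
    results: List[Tuple[str, bool]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                rel = os.path.relpath(path, root)
                results.append((path, rel.startswith(("home/", "root/"))))
    return results

if __name__ == "__main__":  # stand-alone run: report on the live system
    for path, exp, act in check_permissions(BASELINE):
        print(f"{path}: expected {exp:04o}, found {act:04o}")
    for path, unusual in find_setuid("/usr/bin"):
        print(f"setuid: {path}" + ("  (unusual location)" if unusual else ""))
```

Run as root for a full walk of `/`; an unprivileged run still reports every file it can stat and silently skips the rest.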