Linux: Host-Security Review - dummies

By Emmett Dulaney

When reviewing host security on a Linux system, the assessment of its security mechanisms focuses on three areas:

  • Prevention: Install operating system updates, secure passwords, improve file permissions, set up a password for a boot loader, and use encryption.

  • Detection: Capture log messages and check file integrity with Tripwire (a tool that can detect changes to system files).

  • Response: Make routine backups and develop incident response procedures.

Operating system updates

When security vulnerabilities are found, Linux distributions release updates promptly to fix them. Many distributions offer online updates that you can enable and use to keep your system up to date. The details of updating the operating system depend on the distribution.

File permissions

Protect important system files with appropriate file ownerships and file permissions. The key procedures in assigning file-system ownerships and permissions are as follows:

  • Figure out which files contain sensitive information and why. Some files may contain sensitive data related to your work or business, whereas many other files are sensitive because they control the Linux system configuration.

  • Maintain a current list of authorized users and what they are authorized to do on the system.

  • Set up passwords, groups, file ownerships, and file permissions to allow only authorized users to access the files.

This table lists some important system files in Linux, showing the typical numeric permission setting for each file (this may differ slightly, depending on the distribution).

Important System Files and Their Permissions

File pathname           Permission  Description
/boot/grub/menu.lst     600         GRUB boot loader menu file
/etc/cron.allow         400         List of users permitted to use cron to submit periodic jobs
/etc/cron.deny          400         List of users who can’t use cron to submit periodic jobs
/etc/crontab            644         System-wide periodic jobs
/etc/hosts.allow        644         List of hosts allowed to use Internet services that are started using TCP wrappers
/etc/hosts.deny         644         List of hosts denied access to Internet services that are started using TCP wrappers
/etc/logrotate.conf     644         File that controls how log files rotate
/etc/pam.d              755         Directory with configuration files for pluggable authentication modules (PAMs)
/etc/passwd             644         Old-style password file with user account information but not the passwords
/etc/rc.d               755         Directory with system-startup scripts
/etc/securetty          600         TTY interfaces (terminals) from which root can log in
/etc/security           755         Policy files that control system access
/etc/shadow             400         File with encrypted passwords and password expiration
/etc/shutdown.allow     400         Users who can shut down or reboot by pressing
/etc/ssh                755         Directory with configuration files for the Secure Shell
/etc/sysconfig          755         System configuration files
/etc/sysctl.conf        644         Kernel configuration parameters
/etc/syslog.conf        644         Configuration file for the syslogd server that logs messages
/etc/udev/udev.conf     644         Configuration file for udev, the program that provides the capability to dynamically name hot-pluggable devices and create the device files in the /dev directory
/etc/vsftpd             600         Configuration file for the Very Secure FTP server
/etc/vsftpd.ftpusers    600         List of users who are not allowed to use FTP to transfer
/etc/xinetd.conf        644         Configuration file for the xinetd
/etc/xinetd.d           755         Directory containing configuration files for specific services that the xinetd server can start
/var/log                755         Directory with all log files
/var/log/lastlog        644         Information about all previous logins
/var/log/messages       644         Main system message log file
/var/log/wtmp           664         Information about current logins

Another important check is to look for executable program files that have the setuid permission. If a program has setuid permission and is owned by root, the program runs with root privileges, no matter who actually runs the program. You can find all setuid programs with the following find command:

find / -perm -4000 -print

(The -perm -4000 test matches every file whose setuid bit is set. Older versions of GNU find accepted -perm +4000 for the same test, but current versions reject that form as an invalid mode.)

You may want to save the output in a file (just append > filename to the command) and then examine the file for any unusual setuid programs. For example, a setuid program in a user’s home directory is unusual.
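The following script is an added example, not part of the original article: it turns the permission table and the setuid check above into a repeatable audit. It assumes GNU stat and find (Linux); the list of files and expected modes is a constructed subset of the table, and files that are absent on a given distribution are skipped.

```shell
#!/bin/sh
# Added example (not from the article): audit the permission bits of a subset
# of the files in the table above and look for setuid programs under a tree.
# Assumes GNU stat/find. The file list is a constructed subset of the table;
# absent files are skipped because layouts vary between distributions.

# octal_to_dec 644 -> 420 (the leading 0 makes printf parse the value as octal).
octal_to_dec() { printf '%d' "0$1"; }

# too_permissive ACTUAL EXPECTED: succeeds (status 0) when ACTUAL grants a bit
# that EXPECTED does not, e.g. 644 on /etc/shadow where 400 is expected.
too_permissive() {
    a=$(octal_to_dec "$1"); e=$(octal_to_dec "$2")
    [ $(( a - (a & e) )) -ne 0 ]    # same as a & ~e, without the ~ operator
}

# check_file PATH EXPECTED: prints a verdict; status 1 only for a bad file.
check_file() {
    path=$1; want=$2
    if [ ! -e "$path" ]; then echo "SKIP $path (not present)"; return 0; fi
    have=$(stat -c '%a' "$path")
    if too_permissive "$have" "$want"; then
        echo "BAD  $path is $have, expected at most $want"; return 1
    fi
    echo "OK   $path ($have)"
}

# audit_files: check the constructed subset of the table; the exit status is
# the number of files that are more permissive than expected.
audit_files() {
    bad=0
    set -- /etc/passwd 644 /etc/shadow 400 /etc/securetty 600 \
           /etc/crontab 644 /etc/ssh 755 /etc/sysctl.conf 644 /var/log 755
    while [ $# -ge 2 ]; do
        check_file "$1" "$2" || bad=$((bad + 1))
        shift 2
    done
    return "$bad"
}

# setuid_in DIR: list setuid executables below DIR, the same test as the find
# command above but scoped to one tree (a user's home directory, for instance).
setuid_in() { find "$1" -xdev -type f -perm -4000 -print 2>/dev/null; }

# When run as a script: audit the table subset, then look under /home.
audit_files || echo "$? file(s) more permissive than expected"
setuid_in /home || true
```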