Tuesday, December 20, 2016

Controlling User Access VI

Auditing Files

In addition to disabling user login, another user security-related
issue you need to be familiar with is auditing files that have the SUID
bit set and are owned by root. As you learned in Chapter 11, SUID stands
for Set User ID. When an executable file with the SUID permission set is
run, the resulting process runs with the effective user ID of the user
who owns the executable file, not of the user who actually ran the
command.



This is a serious issue if the file is owned by root. When the root
user owns a file with the SUID permission set, the process created from
that file can perform actions as root, which the user who started it is
probably not allowed to do. The same issue applies to files owned by the
root group (or any other privileged group, such as shadow) that have the
SGID permission set: the process runs with that group's effective group
ID.




Be aware that a small number of files owned by root on a Linux system
do need these bits: su, mount, umount and passwd, for example, must run
with root privileges to do their job. Any other SUID/SGID file owned by
root/root, especially one that does not belong to an installed package,
should be treated as a potential privilege-escalation path. A classic
post-compromise trick is to leave behind an SUID-root copy of a shell so
that root access can be regained later without an exploit. A file that
has the SUID permission set appears as follows when listed with the ls
command at the shell prompt; the owner's execute position shows s
instead of x:



-rwsr-xr-x



If that position shows an uppercase S instead (-rwSr-xr-x), the SUID
bit is set but the owner execute bit is not, so the file cannot be run
as a program and the bit has no effect.



A file that has the SGID permission set appears as follows when
listed with the ls command at the shell prompt; the group's execute
position shows s instead of x:



-rwxr-sr-x



As with SUID, an uppercase S in that position (-rwxr-Sr-x) means the
SGID bit is set without the group execute bit.




Therefore, you should consider running periodic audits to identify any
files owned by root that have either of these permissions set. Any
files beyond the minimal necessary set should be scrutinized carefully
to make sure they aren't part of some type of exploit. On an RPM-based
system such as openSUSE, rpm -qf <path> tells you whether a file belongs
to an installed package, and rpm -V <package> reports whether its
permissions or contents have been altered; an SUID-root file that
belongs to no package is a strong indicator of compromise. You can
search for files on your Linux system that have SUID permissions set
using the following command at the shell prompt as the root user:




find / -type f -perm -u=s -ls




Here is an example:



openSUSE:/etc # find / -type f -perm -u=s -ls
36406   32 -rwsr-xr-x   1 root     root  31848 Sep  5  2009 /bin/su
30659   36 -rwsr-xr-x   1 root     root  35796 May  3  2007 /bin/ping
84596   20 -rwsr-xr-x   1 root     root  20252 Jun 16  2006 /bin/eject
85643  324 -rwsr-xr-x   1 root     root  330420 Sep  5  2009 /bin/mount
30661   36 -rwsr-xr-x   1 root     root  35716 May  3  2007 /bin/ping6
85644  120 -rwsr-xr-x   1 root     root  121111 Sep  5  2009 /bin/umount






The -perm option tells find to match files by their permission bits.
The leading minus in -u=s (equivalently -4000) means "all of the listed
bits must be set", so a file matches as long as it has the SUID bit,
whatever its other bits are; without the minus, find would only match
files whose mode is exactly the given value. GNU find also accepts
-perm /u=s,g=s to match files that have either bit set in a single
pass.


You can also identify any files with the SGID permission set using the following command:




find / -type f -perm -g=s -ls




When you do, a list of all files with the SGID permission set is
displayed. Here is an example:




openSUSE:~ # find / -type f -perm -g=s -ls
94451  12 -rwxr-sr-x  1 root tty       10588 May 18  2007 /opt/gnome/lib/vte/gnome-pty-helper
85710  12 -rwxr-sr-x  1 root tty       10404 Sep  5  2009 /usr/bin/wall
 5867  12 -rwxr-sr-x  1 root shadow     8800 Jun 16  2006 /usr/bin/vlock
85713  12 -rwxr-sr-x  1 root tty        9024 Sep  5  2009 /usr/bin/write
93913  12 -rwxr-sr-x  1 root maildrop  11300 Sep  5  2009 /usr/sbin/postdrop
93919  12 -rwxr-sr-x  1 root maildrop  11668 Sep  5  2009 /usr/sbin/postqueue
26192   8 -rwxr-sr-x  1 root tty        7288 Jun 16  2006 /usr/sbin/utempter
35720  24 -rwxr-sr-x  1 root shadow    20672 Sep  5  2009 /sbin/unix_chkpwd
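The two find commands above give you a snapshot, but an audit is only useful if you compare the snapshot against what was there last time. The script below, added here as an example and not part of the original post or of any distribution's tooling, combines the SUID and SGID searches into one list and reports every privileged file that is not in a baseline allowlist. It assumes only a POSIX shell and a find that understands -perm -4000 / -perm -2000 (GNU and BSD both do); the baseline file format (one absolute path per line) and the fixture directory built by make_fixture are assumptions of this example, and the fixture files are constructed purely to exercise the functions.

```shell
#!/bin/sh
# Added example: audit a directory tree for SUID/SGID files and report
# the ones that are not in a baseline allowlist.

# List every regular file under $1 that has the SUID or SGID bit set,
# one absolute path per line, sorted and de-duplicated.
# "-perm -4000" matches files with at least the SUID bit, "-perm -2000"
# those with at least SGID; two POSIX runs are used instead of the
# GNU-only "-perm /6000".  -xdev keeps find on one filesystem so a
# scan of / does not descend into /proc, NFS mounts, etc.
suid_sgid_files() {
    dir=$1
    {
        find "$dir" -xdev -type f -perm -4000 -print
        find "$dir" -xdev -type f -perm -2000 -print
    } | sort -u
}

# Print each privileged file under $1 that does not appear, as an
# exact whole line, in the baseline file $2.  Empty output means the
# tree matches the baseline.
audit_against_baseline() {
    dir=$1
    baseline=$2
    suid_sgid_files "$dir" | while IFS= read -r f; do
        grep -Fxq -- "$f" "$baseline" || printf '%s\n' "$f"
    done
}

# Build a constructed fixture tree (assumption of this example, not real
# system files) so the audit can be demonstrated without root:
#   suid_tool  4755  -> SUID, present in the baseline (expected)
#   sgid_tool  2755  -> SGID, absent from the baseline (should be flagged)
#   plain_tool 0755  -> no special bits (must not be listed)
# Prints the fixture directory path.
make_fixture() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/suidaudit.XXXXXX")
    mkdir -p "$d/tools"
    printf '#!/bin/sh\necho ok\n' > "$d/tools/suid_tool"
    cp "$d/tools/suid_tool" "$d/tools/sgid_tool"
    cp "$d/tools/suid_tool" "$d/tools/plain_tool"
    chmod 4755 "$d/tools/suid_tool"   # -rwsr-xr-x
    chmod 2755 "$d/tools/sgid_tool"   # -rwxr-sr-x
    chmod 0755 "$d/tools/plain_tool"  # -rwxr-xr-x
    printf '%s\n' "$d/tools/suid_tool" > "$d/baseline.txt"
    printf '%s\n' "$d"
}
```

On a real host you would generate the baseline once from a known-good state (suid_sgid_files / > /var/lib/suid-baseline.txt, a hypothetical path), store it somewhere the audited machine cannot rewrite, and run audit_against_baseline / on that file from cron; anything it prints is either a legitimate new package that needs adding to the baseline or something to investigate with rpm -qf and rpm -V before it is trusted. Because the comparison is by exact path, a file moved or renamed after the baseline was taken is also flagged, which is the behaviour you want.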
LX0-104 Exam Objectives (V and U, 323, 647 - 689)
