Security Toolbox
Auditing Security
There are many applications and application suites available to perform regular security audits and track changes to critical files. In addition, you have the power to perform a quick security audit on your system by using the find command. This is by no means a deep security audit but just a quick and dirty scan of your system to find files that have the SUID/SGID permission set that shouldn’t. Having these permissions bits set on files owned by root is a serious vulnerability, because they can allow users who do not have root access to execute commands as root and potentially initiate a root account compromise.
What you’re looking for is files that have permissions set similar to the following:
-rwSr-xr-x (SUID) or –rw-r-Sr-x (SGID)
The following find command locates all files with the SUID permission set for root:
# find / -type f -perm -u=s -ls
Here are some examples of files that match this permission:
12734848 44 -rwsr-xr-x 1 root root 44320 Mar 14 05:37 /usr/bin/mount 12734863 32 -rwsr-xr-x 1 root root 32208 Mar 14 05:37 /usr/bin/su 12734867 32 -rwsr-xr-x 1 root root 32048 Mar 14 05:37 /usr/bin/umount 13025626 144 ---s--x--x 1 root root 147392 Oct 30 2018 /usr/bin/sudo 12777317 60 -rwsr-xr-x 1 root root 57664 Nov 20 2018 /usr/bin/crontab 13037754 28 -rwsr-xr-x 1 root root 27832 Jun 10 2014 /usr/bin/passwd
Similarly, the find command to locate files that have the SGID permission set is as follows:
# find / -type f -perm -u=s -ls
And here are some examples of matching files:
12649555 16 -r-xr-sr-x 1 root tty 15344 Jun 9 2014 /usr/bin/wall 12734873 20 -rwxr-sr-x 1 root tty 19624 Mar 14 05:37 /usr/bin/write 13015059 376 ---x--s--x 1 root nobody 382240 Apr 10 2018 /usr/bin/ssh-agent
As you can see from you own listing, the number of files with SGID set is far fewer than those with SUID set. Some system files require SUID/SGID permission to be set, but there are very few of them. You need to perform a baseline audit of your systems upon initial installation and then track those changes periodically to be sure that no rogue programs or users have exploited this security flaw.
Conclusion
There are several other Linux hardening methods such as PAM, iptables, enabling SELinux, removing any X display managers, and regular port monitoring, but these are outside the scope of this article. I may revisit them in future installments individually. As stated previously, you can’t remove all network access to your servers, because that defeats the purpose of having a server. But now you have a small but powerful toolbox of utilities and techniques that will help you to keep your systems safer.
« Previous 1 2 3