Security Toolbox
Auditing Security
There are many applications and application suites available to perform regular security audits and track changes to critical files. In addition, you have the power to perform a quick security audit on your system by using the find command. This is by no means a deep security audit but just a quick and dirty scan of your system to find files that have the SUID/SGID permission set that shouldn’t. Having these permissions bits set on files owned by root is a serious vulnerability, because they can allow users who do not have root access to execute commands as root and potentially initiate a root account compromise.
What you’re looking for is files that have permissions set similar to the following:
-rwSr-xr-x (SUID) or –rw-r-Sr-x (SGID)
The following find command locates all files with the SUID permission set for root:
# find / -type f -perm -u=s -ls
Here are some examples of files that match this permission:
12734848 44 -rwsr-xr-x 1 root root 44320 Mar 14 05:37 /usr/bin/mount 12734863 32 -rwsr-xr-x 1 root root 32208 Mar 14 05:37 /usr/bin/su 12734867 32 -rwsr-xr-x 1 root root 32048 Mar 14 05:37 /usr/bin/umount 13025626 144 ---s--x--x 1 root root 147392 Oct 30 2018 /usr/bin/sudo 12777317 60 -rwsr-xr-x 1 root root 57664 Nov 20 2018 /usr/bin/crontab 13037754 28 -rwsr-xr-x 1 root root 27832 Jun 10 2014 /usr/bin/passwd
Similarly, the find command to locate files that have the SGID permission set is as follows:
# find / -type f -perm -u=s -ls
And here are some examples of matching files:
12649555 16 -r-xr-sr-x 1 root tty 15344 Jun 9 2014 /usr/bin/wall 12734873 20 -rwxr-sr-x 1 root tty 19624 Mar 14 05:37 /usr/bin/write 13015059 376 ---x--s--x 1 root nobody 382240 Apr 10 2018 /usr/bin/ssh-agent
As you can see from you own listing, the number of files with SGID set is far fewer than those with SUID set. Some system files require SUID/SGID permission to be set, but there are very few of them. You need to perform a baseline audit of your systems upon initial installation and then track those changes periodically to be sure that no rogue programs or users have exploited this security flaw.
Conclusion
There are several other Linux hardening methods such as PAM, iptables, enabling SELinux, removing any X display managers, and regular port monitoring, but these are outside the scope of this article. I may revisit them in future installments individually. As stated previously, you can’t remove all network access to your servers, because that defeats the purpose of having a server. But now you have a small but powerful toolbox of utilities and techniques that will help you to keep your systems safer.
« Previous 1 2 3
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Canonical Bumps LTS Support to 12 years
If you're worried that your Ubuntu LTS release won't be supported long enough to last, Canonical has a surprise for you in the form of 12 years of security coverage.
-
Fedora 40 Beta Released Soon
With the official release of Fedora 40 coming in April, it's almost time to download the beta and see what's new.
-
New Pentesting Distribution to Compete with Kali Linux
SnoopGod is now available for your testing needs
-
Juno Computers Launches Another Linux Laptop
If you're looking for a powerhouse laptop that runs Ubuntu, the Juno Computers Neptune 17 v6 should be on your radar.
-
ZorinOS 17.1 Released, Includes Improved Windows App Support
If you need or desire to run Windows applications on Linux, there's one distribution intent on making that easier for you and its new release further improves that feature.
-
Linux Market Share Surpasses 4% for the First Time
Look out Windows and macOS, Linux is on the rise and has even topped ChromeOS to become the fourth most widely used OS around the globe.
-
KDE’s Plasma 6 Officially Available
KDE’s Plasma 6.0 "Megarelease" has happened, and it's brimming with new features, polish, and performance.
-
Latest Version of Tails Unleashed
Tails 6.0 is based on Debian 12 and includes GNOME 43.
-
KDE Announces New Slimbook V with Plenty of Power and KDE’s Plasma 6
If you're a fan of KDE Plasma, you'll be thrilled to hear they've announced a new Slimbook with an AMD CPU and the latest version of KDE Plasma desktop.
-
Monthly Sponsorship Includes Early Access to elementary OS 8
If you want to get a glimpse of what's in the pipeline for elementary OS 8, just set up a monthly sponsorship to help fund its continued existence.