Security Toolbox
Auditing Security
There are many applications and application suites available to perform regular security audits and track changes to critical files. In addition, you have the power to perform a quick security audit on your system by using the find command. This is by no means a deep security audit but just a quick and dirty scan of your system to find files that have the SUID/SGID permission set that shouldn’t. Having these permissions bits set on files owned by root is a serious vulnerability, because they can allow users who do not have root access to execute commands as root and potentially initiate a root account compromise.
What you’re looking for is files that have permissions set similar to the following:
-rwSr-xr-x (SUID) or –rw-r-Sr-x (SGID)
The following find command locates all files with the SUID permission set for root:
# find / -type f -perm -u=s -ls
Here are some examples of files that match this permission:
12734848 44 -rwsr-xr-x 1 root root 44320 Mar 14 05:37 /usr/bin/mount 12734863 32 -rwsr-xr-x 1 root root 32208 Mar 14 05:37 /usr/bin/su 12734867 32 -rwsr-xr-x 1 root root 32048 Mar 14 05:37 /usr/bin/umount 13025626 144 ---s--x--x 1 root root 147392 Oct 30 2018 /usr/bin/sudo 12777317 60 -rwsr-xr-x 1 root root 57664 Nov 20 2018 /usr/bin/crontab 13037754 28 -rwsr-xr-x 1 root root 27832 Jun 10 2014 /usr/bin/passwd
Similarly, the find command to locate files that have the SGID permission set is as follows:
# find / -type f -perm -u=s -ls
And here are some examples of matching files:
12649555 16 -r-xr-sr-x 1 root tty 15344 Jun 9 2014 /usr/bin/wall 12734873 20 -rwxr-sr-x 1 root tty 19624 Mar 14 05:37 /usr/bin/write 13015059 376 ---x--s--x 1 root nobody 382240 Apr 10 2018 /usr/bin/ssh-agent
As you can see from you own listing, the number of files with SGID set is far fewer than those with SUID set. Some system files require SUID/SGID permission to be set, but there are very few of them. You need to perform a baseline audit of your systems upon initial installation and then track those changes periodically to be sure that no rogue programs or users have exploited this security flaw.
Conclusion
There are several other Linux hardening methods such as PAM, iptables, enabling SELinux, removing any X display managers, and regular port monitoring, but these are outside the scope of this article. I may revisit them in future installments individually. As stated previously, you can’t remove all network access to your servers, because that defeats the purpose of having a server. But now you have a small but powerful toolbox of utilities and techniques that will help you to keep your systems safer.
« Previous 1 2 3
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Halcyon Creates Anti-Ransomware Protection for Linux
As more Linux systems are targeted by ransomware, Halcyon is stepping up its protection.
-
Valve and Arch Linux Announce Collaboration
Valve and Arch have come together for two projects that will have a serious impact on the Linux distribution.
-
Hacker Successfully Runs Linux on a CPU from the Early ‘70s
From the office of "Look what I can do," Dmitry Grinberg was able to get Linux running on a processor that was created in 1971.
-
OSI and LPI Form Strategic Alliance
With a goal of strengthening Linux and open source communities, this new alliance aims to nurture the growth of more highly skilled professionals.
-
Fedora 41 Beta Available with Some Interesting Additions
If you're a Fedora fan, you'll be excited to hear the beta version of the latest release is now available for testing and includes plenty of updates.
-
AlmaLinux Unveils New Hardware Certification Process
The AlmaLinux Hardware Certification Program run by the Certification Special Interest Group (SIG) aims to ensure seamless compatibility between AlmaLinux and a wide range of hardware configurations.
-
Wind River Introduces eLxr Pro Linux Solution
eLxr Pro offers an end-to-end Linux solution backed by expert commercial support.
-
Juno Tab 3 Launches with Ubuntu 24.04
Anyone looking for a full-blown Linux tablet need look no further. Juno has released the Tab 3.
-
New KDE Slimbook Plasma Available for Preorder
Powered by an AMD Ryzen CPU, the latest KDE Slimbook laptop is powerful enough for local AI tasks.
-
Rhino Linux Announces Latest "Quick Update"
If you prefer your Linux distribution to be of the rolling type, Rhino Linux delivers a beautiful and reliable experience.