Security O & M: File System Security

Source: Internet
Author: User

1. Lock important system files

System O&M personnel occasionally find that even the root user cannot modify or delete a particular file. In most cases the file has been locked with file attributes. On Linux the command for this is chattr, which changes the attributes of files on ext2, ext3 and ext4 file systems and must be run as root. Its counterpart is lsattr, which displays the attributes a file currently has.

Changing the attributes of files and directories with chattr can improve the security of the system. The usage of chattr and lsattr is described below.

The syntax of the chattr command is:

chattr [-RV] [-v version] [mode] file or directory

Its main options are:

-R: recursively change the attributes of directories and everything beneath them.

-V: verbose; report every change that is made and print the chattr version.

The mode part controls which attributes are set. The common operators and attribute letters are shown in the following table:

Parameter  Description
+          Add the given attributes to those already set on the file.
-          Remove the given attributes from those already set on the file.
=          Set exactly the given attributes, replacing those already set.
a          Append only. Once set, data can only be appended to the file; existing content cannot be changed or deleted. Often used to protect server log files. Only the root user can set this attribute.
c          Compressed. The file is compressed before being stored on disk and decompressed automatically when read.
i          Immutable. The file cannot be modified, deleted, renamed or linked to, and cannot be opened for writing or appending. Very useful for hardening the file system.
s          Secure deletion. When the file is deleted, its blocks are zeroed and the disk space is released.
u          Undeletable, the opposite of s. When the file is deleted, its data blocks are kept so that the file can be recovered later.

Of these, a and i are the most commonly used. The a attribute is typically applied to server log files, while i is stricter: it forbids any operation on the file, even by root.

 

lsattr displays file attributes. Its syntax is:

lsattr [-RVadv] file or directory

Common options are shown in the following table.

Parameter  Description
-a         List all files in the directory, including those whose names start with a dot.
-d         List directories like other files, rather than listing their contents.
-R         Recursively list the attributes of directories and everything beneath them.
-v         Display the version (generation) number of each file or directory.

On Linux, once a user logs in as root or a process runs with root privileges, there are no further restrictions on what it may do. An attacker who gains root through a remote or local attack therefore faces no permission checks, and at that point the file system becomes the last line of defence. Sensible attribute settings limit the damage such an attacker can do, and locking important files and directories with chattr is the most direct and effective way to protect the file system.

You can add the i attribute to important directories and files. Common ones include:

chattr -R +i /bin /boot /lib /sbin

chattr -R +i /usr/bin /usr/include /usr/lib /usr/sbin

chattr +i /etc/passwd

chattr +i /etc/shadow

chattr +i /etc/hosts

chattr +i /etc/resolv.conf

chattr +i /etc/fstab

chattr +i /etc/sudoers

You can add the a attribute to important log files. Common ones include:

chattr +a /var/log/messages

chattr +a /var/log/wtmp

Locking important files improves server security, but it also causes some inconvenience: during software installation and upgrades you may need to remove the immutable and append-only attributes from the affected directories and files, and once a log file is append-only, logrotate may fail to rotate it. Before using chattr, consider whether the immutable and append-only attributes suit the application environment of the server.

In addition, although changing attributes with chattr improves file-system security, it is not suitable for every directory. chattr cannot be used to protect /, /dev, /tmp or /var.

The root directory cannot be made immutable, because the system would not work at all. At boot, syslog must delete and re-create the /dev/log socket under /dev, which fails if /dev is immutable. Many applications and system programs create temporary files in /tmp, so it cannot be immutable either. /var holds the system and application logs; if it were immutable, the system could not write any logs. None of these directories can therefore be protected with chattr.

Although the security of /dev, /tmp and similar directories cannot be ensured with chattr, there are other ways to achieve it, which are described in detail below.
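As an added example (not from the original article), the following POSIX shell script audits lsattr output against the locks recommended above: it reports files that lack the immutable (i) or append-only (a) attribute and prints the chattr command that would restore it, without changing anything itself. It assumes the real lsattr output format, one line per file of the form "<flag field> <path>", where the flag field is a fixed-width string with one letter per attribute that is set; the lines embedded below are constructed sample output. On a real host you would feed it the output of `lsattr -d /etc/passwd /etc/shadow /var/log/messages` instead.

```shell
#!/bin/sh
# Added example (not part of the original article): audit lsattr output for
# the locks described above. Each line printed by `lsattr -d` has the form
# "<flag field> <path>", e.g. "----i---------e------- /etc/passwd", with one
# letter in the flag field for every attribute that is set on the file.

# Constructed sample output, as if produced by
#   lsattr -d /etc/passwd /etc/shadow /var/log/messages
# on a host where only /etc/passwd has been locked with chattr +i.
SAMPLE_LSATTR='----i---------e------- /etc/passwd
--------------e------- /etc/shadow
--------------e------- /var/log/messages'

# report_missing "<lsattr output>" LETTER
# Prints, one per line, each path whose flag field does not contain LETTER.
# The here-document keeps the loop in the current shell (a pipe would fork it).
report_missing() {
    _want=$2
    while read -r _flags _path; do
        [ -n "$_path" ] || continue          # skip blank lines
        case "$_flags" in
            *"$_want"*) ;;                   # attribute present: nothing to report
            *) printf '%s\n' "$_path" ;;     # attribute absent: report the path
        esac
    done <<EOF
$1
EOF
}

# missing_count "<lsattr output>" LETTER -> number of paths lacking LETTER
missing_count() {
    report_missing "$1" "$2" | grep -c . || true
}

# remediation "<lsattr output>" LETTER
# Prints the chattr command that would apply LETTER to each unlocked path.
# It only prints the commands; nothing on the host is changed.
remediation() {
    report_missing "$1" "$2" | while read -r _p; do
        printf 'chattr +%s %s\n' "$2" "$_p"
    done
}

# Demonstration: /etc/passwd and /etc/shadow should be immutable,
# /var/log/messages should be append-only.
PASSWD_SHADOW=$(printf '%s\n' "$SAMPLE_LSATTR" | grep '/etc/')
LOGS=$(printf '%s\n' "$SAMPLE_LSATTR" | grep '/var/log/')

echo "Missing immutable attribute:"
report_missing "$PASSWD_SHADOW" i
echo "Missing append-only attribute:"
report_missing "$LOGS" a
echo "Suggested fixes:"
remediation "$PASSWD_SHADOW" i
remediation "$LOGS" a
```

The flag letters are matched case-sensitively, so the lowercase i and a of this article are not confused with the uppercase attributes lsattr may also show (such as A or E), and the script deliberately prints remediation commands rather than running them, so the audit can run unprivileged and the changes can be reviewed before root applies them.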


2. File permission checking and correction

Incorrect permission settings are a direct threat to system security, so O&M personnel should be able to detect them promptly and correct them immediately. Several ways to find insecure permissions are listed below.

(1) Find files or directories that any user can write to

Files: find / -type f \( -perm -2 -o -perm -20 \) | xargs ls -al

Directories: find / -type d \( -perm -2 -o -perm -20 \) | xargs ls -ld

(2) Find all programs with the s bit set

find / -type f \( -perm -4000 -o -perm -2000 \) -print | xargs ls -al

Programs with the s bit (setuid or setgid) are a serious threat to system security. Search for every such program on the system and strip the s bit from those that do not need it, so that users cannot abuse it to escalate their privileges.

(3) Record all SUID and SGID files on the system

find / -user root -perm -2000 -print -exec md5sum {} \;

find / -user root -perm -4000 -print -exec md5sum {} \;

Save the output to a file so that it can be compared against future checks.

(4) Find files with no owner or group

find / -nouser -o -nogroup

Orphaned files with no valid owner are dangerous and are often used by attackers. Once found, either delete them or assign them a proper owner and group.
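As an added example (not from the original article), the four audits of this section are packaged below as shell functions and exercised against a small scratch tree that is constructed on the spot, so the behaviour can be checked without scanning a whole host. The functions are my own wrappers around the find expressions above; the `make_scratch` helper and everything it creates are constructed for the demonstration. Point the functions at / (as root, so that no directory is skipped) to run the real audit.

```shell
#!/bin/sh
# Added example (not part of the original article): the permission audits of
# this section as reusable functions, plus a constructed scratch tree that
# contains one instance of each problem case.

# writable_by_others ROOT: regular files and directories writable by group or
# others (the -perm -2 / -perm -20 tests above, grouped so that -type applies
# to both branches)
writable_by_others() {
    find "$1" \( -type f -o -type d \) \( -perm -2 -o -perm -20 \) -print
}

# setid_programs ROOT: regular files with the setuid or setgid bit set
setid_programs() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# setid_baseline ROOT OUTFILE: record an md5 baseline of set-id programs so a
# later run can be diffed against it (the "save the result" step above)
setid_baseline() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec md5sum {} \; > "$2"
}

# orphan_files ROOT: files whose uid or gid matches no account on the system
orphan_files() {
    find "$1" \( -nouser -o -nogroup \) -print
}

# make_scratch: build a small tree containing one of each problem case and
# print its path. Everything in it is constructed for the demonstration.
make_scratch() {
    _d=$(mktemp -d)                              # created mode 0700: not reported
    mkdir "$_d/shared"
    chmod 1777 "$_d/shared"                      # world-writable directory, like /tmp
    printf 'x\n' > "$_d/notes.txt"
    chmod 0666 "$_d/notes.txt"                   # world-writable file
    printf '#!/bin/sh\necho hi\n' > "$_d/helper"
    chmod 4755 "$_d/helper"                      # setuid program
    printf 'y\n' > "$_d/ok.txt"
    chmod 0644 "$_d/ok.txt"                      # clean file, must not be reported
    printf '%s\n' "$_d"
}

# Demonstration run
SCRATCH=$(make_scratch)
echo "Writable by group or others:"; writable_by_others "$SCRATCH"
echo "Set-id programs:";             setid_programs "$SCRATCH"
echo "Orphan files:";                orphan_files "$SCRATCH"
setid_baseline "$SCRATCH" "$SCRATCH/setid-baseline.md5"
echo "Baseline:";                    cat "$SCRATCH/setid-baseline.md5"
rm -rf "$SCRATCH"
```

Keep the baseline file outside the scanned tree on a real host (and ideally off the host entirely), since an attacker who can plant a set-id binary can also edit a baseline stored next to it.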


3. Security settings for /tmp, /var/tmp and /dev/shm

On Linux, two directories or partitions are mainly used for temporary files: /tmp and /var/tmp. Locations for temporary files share one trait: every user can read, write and execute in them. This is a security risk, because an attacker can drop a virus or Trojan script into the temporary directory to collect information or to hide, seriously harming the server. Yet simply tightening the read and write permissions of the temporary directory may break applications that rely on it. To satisfy both needs, these two directories or partitions must be configured appropriately.

/dev/shm is the shared-memory device on Linux. It is mounted by default at boot using the tmpfs file system, which is a memory-based file system: everything stored in it resides entirely in RAM. Through /dev/shm, system memory can therefore be used directly, which is dangerous, so securing /dev/shm is essential.

To secure /tmp, first check whether it is a separate disk partition or just a directory on the root partition. If it is a separate partition the setting is simple: edit its entry in /etc/fstab and add the nosuid, noexec and nodev mount options. The resulting entry looks like this:

LABEL=/tmp /tmp ext3 rw,nosuid,noexec,nodev 0 0

nosuid forbids SUID programs, noexec prevents scripts and other programs from being executed from the partition, and nodev disallows device files on it.

After changing the mount options, remount /tmp so that they take effect.

For /var/tmp: if it is a separate partition, configure it in /etc/fstab in the same way as /tmp. If it is a directory within the /var partition, move its contents to the /tmp partition and replace /var/tmp with a symbolic link to /tmp:

# mv /var/tmp/* /tmp

# ln -s /tmp /var/tmp

If /tmp is just a directory under the root file system, the setup is slightly more involved. Using the loopback feature of the Linux kernel, you can create a file-backed file system, mount it on /tmp, and apply the restrictive mount options at mount time. A simple example:

# dd if=/dev/zero of=/dev/tmpfs bs=1M count=10000

# mke2fs -j /dev/tmpfs

# cp -av /tmp /tmp.old

# mount -o loop,noexec,nosuid,rw /dev/tmpfs /tmp

# chmod 1777 /tmp

# mv -f /tmp.old/* /tmp/

# rm -rf /tmp.old

Finally, edit /etc/fstab and add the following entry so that the loopback file system is mounted automatically at boot:

/dev/tmpfs /tmp ext3 loop,nosuid,noexec,rw 0 0

To verify that the mount restrictions are effective, create a shell script in /tmp and try to run it:

# ls -al | grep shell

-rwxr-xr-x 1 root 22 Oct 6 shell-test.sh

# pwd

/tmp

# ./shell-test.sh

-bash: ./shell-test.sh: Permission denied

Although the file has the executable bit set, nothing in the /tmp partition can be executed.

Finally, adjust the security settings of /dev/shm. Because /dev/shm is the shared-memory device, it too is configured through /etc/fstab. By default it is mounted with the defaults option, which is not enough to secure it. Change its mount options as follows:

tmpfs /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0

With this setting, SUID programs are disallowed and execution from /dev/shm is restricted, further improving system security.
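As an added example (not from the original article), the script below checks /etc/fstab entries for the mount options this section recommends on temporary-file locations (nosuid, noexec, nodev) and prints a hardened replacement line when any are missing. The fstab content embedded in it is a constructed sample; the function names are my own. To audit a real host, pass "$(cat /etc/fstab)" as the first argument instead of the sample, and remember that fstab only describes what is mounted at boot, so a running system should also be compared against the output of mount.

```shell
#!/bin/sh
# Added example (not part of the original article): audit /etc/fstab entries
# for the nosuid/noexec/nodev options recommended above and print a hardened
# replacement line for any entry that lacks them. Nothing is written to disk.

# Constructed sample /etc/fstab: /tmp is already hardened, /dev/shm still
# uses the default options, and /var/tmp has no entry of its own.
SAMPLE_FSTAB='# constructed sample /etc/fstab
LABEL=/        /         ext4   defaults                1 1
LABEL=/tmp     /tmp      ext3   rw,nosuid,noexec,nodev  0 0
tmpfs          /dev/shm  tmpfs  defaults                0 0'

WANTED_OPTS="nosuid noexec nodev"

# fstab_line "<fstab text>" MOUNTPOINT -> the first non-comment entry for MOUNTPOINT
fstab_line() {
    printf '%s\n' "$1" | awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print; exit }'
}

# missing_opts "<fstab text>" MOUNTPOINT
# Prints each wanted option absent from the entry's option field, one per line.
# Returns 2 (and prints nothing) when the mount point has no entry at all.
missing_opts() {
    _line=$(fstab_line "$1" "$2")
    [ -n "$_line" ] || { echo "no fstab entry for $2" >&2; return 2; }
    _opts=$(printf '%s\n' "$_line" | awk '{ print $4 }')
    for _want in $WANTED_OPTS; do
        case ",$_opts," in                   # wrap in commas so "nodev" cannot match "nodevx"
            *",$_want,"*) ;;                 # option already present
            *) printf '%s\n' "$_want" ;;     # option missing
        esac
    done
}

# hardened_line "<fstab text>" MOUNTPOINT
# Prints the entry with every missing option appended to its option field,
# normalised to single spaces, ready to be compared against /etc/fstab.
hardened_line() {
    _line=$(fstab_line "$1" "$2")
    [ -n "$_line" ] || return 2
    _extra=$(missing_opts "$1" "$2" | tr '\n' ',' | sed 's/,$//')
    printf '%s\n' "$_line" | awk -v extra="$_extra" '{
        if (extra != "") $4 = $4 "," extra
        print $1, $2, $3, $4, $5, $6
    }'
}

# Demonstration over the locations discussed in this section
for mp in /tmp /var/tmp /dev/shm; do
    if [ -z "$(fstab_line "$SAMPLE_FSTAB" "$mp")" ]; then
        echo "$mp: no fstab entry (a directory, or a symlink to /tmp as described above)"
        continue
    fi
    m=$(missing_opts "$SAMPLE_FSTAB" "$mp" | tr '\n' ' ')
    if [ -z "$m" ]; then
        echo "$mp: ok"
    else
        echo "$mp: missing $m"
        echo "  suggested: $(hardened_line "$SAMPLE_FSTAB" "$mp")"
    fi
done
```

The option field is wrapped in commas before matching so that a check for nodev cannot be satisfied by a longer option that merely contains the same letters, and the hardened line is printed rather than applied, so the change can be reviewed and the file system remounted deliberately.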
