Improve ext3 File System Security with chattr

Source: Internet
Author: User

This article describes in detail how the attribute feature of the ext3 file system can be used to improve its security.

1. What are ext3 attributes?

Starting with the Linux 1.1 series kernels, the ext2 file system has supported additional flags (attributes) on files and directories. In the 2.2 and 2.4 series kernels, the ext3 file system supports setting and querying the following attributes:

A
No atime. Tells the system not to update the last access time of the file.

S
Sync. As soon as an application writes to the file, the system writes the modification to disk.

a
Append only. The system can only append data to the end of the file; no process may overwrite or truncate it. If a directory has this attribute, the system only allows files under it to be created and modified, never deleted.

i
Immutable. The system does not allow any modification of the file. If a directory has this attribute, processes may only modify existing files under it; creating or deleting files is not allowed.

d
No dump. During a file system backup, the dump program skips this file.

c
Compress. The system compresses the file transparently: data read from the file is decompressed on the way out, and data written to the file is compressed before it is written to disk.

s
Secure delete. When the file is deleted, the system overwrites its blocks with zeros.

u
Undelete. When an application asks to delete the file, the system keeps its data blocks so that the deleted file can be recovered later.

However, although the file system accepts and stores the flag for each attribute, the attributes do not necessarily take effect; that depends on the kernel and on the versions of the various tools. The following table shows which attribute flags each kernel version supports:

*  setting this flag is allowed and it takes effect
I  setting this flag is allowed but its value is ignored
-  the flag is ignored completely

      1.0  1.2  2.0  2.2  2.4
A      -    -    *    *    *
S      *    *    *    *    *
a      -    *    *    *    *
i      -    *    *    *    *
d      -    *    *    *    *
c      I    I    I    I    I
s      *    *    I    I    I
u      I    I    I    I    I

Although early kernels supported secure deletion, its implementation was abandoned starting with the 1.3 series kernels, because it only seemed to add a small amount of security and, worse, created an illusion of security for users unfamiliar with the inherent limitations of secure deletion.

The A attribute can improve performance when working with files, since the access time no longer has to be updated; the S attribute maximizes file integrity.

This article mainly discusses the a and i attributes, because these two are of great benefit in improving the security of the file system and ensuring its integrity. Some open-source BSD systems (such as FreeBSD and OpenBSD) support similar features in their UFS or FFS implementations.

2. Which commands set and display ext3 file system attributes?

The standard ls command does not display the extended attributes of files or directories at all. The ext3 file system toolkit provides two tools, chattr and lsattr, which set and query file attributes. Because ext3 is the standard Linux file system, almost all distributions ship the e2fsprogs toolkit. If for some reason it is not available on your system, you can download the source code from the address below and compile and install it: http://sourceforge.net/projects/e2fsprogs

The lsattr command supports only a few options:

-a
List all files in the directory, including those whose names start with a dot.

-d
List directories in the same way as other files, instead of listing their contents.

-R
Recursively list the attributes of directories and their contents.

-v
List the file's version (generation) number, used by the NFS network file system.

The chattr command can be used in the following three ways:

chattr +Si test.txt
Add the sync and immutable attributes to the file test.txt.

chattr -ai test.txt
Remove the append-only and immutable attributes from the file.

chattr =aiA test.txt
Make test.txt have exactly the attributes a, i and A.

Finally, both commands support the -R option to operate recursively on directories and their subdirectories.
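As an added example (not part of the original article), the following POSIX shell script parses lsattr output and reports the files that lack a required attribute, which is the check an administrator wants after running chattr over a tree. The sample lsattr lines are constructed from the article's own listing; the check_live function runs the real lsattr and only makes sense on a host with e2fsprogs and an ext2/3/4 file system.

```shell
#!/bin/sh
# Added example: parse lsattr output and audit required attributes.
# Each lsattr entry is "<flags> <path>": one character per attribute slot,
# a letter where the attribute is set and '-' where it is not.

# attr_flags LINE: echo only the letters that are set (empty if none).
attr_flags() {
    flags=${1%% *}                       # field before the first space
    printf '%s\n' "$flags" | sed 's/-//g'
}

# has_attr LINE LETTER: succeed if LETTER is set in the line's flag field.
# Letters are case-sensitive, exactly as chattr treats them (i is not I).
has_attr() {
    case "${1%% *}" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# audit_missing LETTER: read lsattr output on stdin and print the path of
# every entry that does not carry LETTER (e.g. files under /bin without i).
audit_missing() {
    required=$1
    while IFS= read -r line; do
        case $line in
            *' '*) ;;          # "<flags> <path>" entries
            *) continue ;;     # blank lines and "dir:" headers printed by -R
        esac
        if ! has_attr "$line" "$required"; then
            printf '%s\n' "${line#* }"   # everything after the first space
        fi
    done
}

# check_live DIR LETTER: the same audit against the real file system
# (needs e2fsprogs); not run by default because it depends on the host.
check_live() {
    lsattr -R "$1" 2>/dev/null | audit_missing "$2"
}

# Constructed sample output, matching the listing in the article.
SAMPLE='----i-------- test.conf
-----a------- test.log
------------- test.txt'

# Usage: list sample files that are not immutable (prints test.log, test.txt).
printf '%s\n' "$SAMPLE" | audit_missing i
```

On a hardened host, "check_live /bin i" should print nothing; any path it prints is a file that was replaced or created after the chattr run and has silently lost its protection.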

3. Differences between ext3 attributes and file permissions

Almost every system administrator understands UNIX-style file system permissions and the ownership displayed by the ls command. For example:

[root@typhoid nixe0n]# ls -al test*
-rw-rw-r--   1 nixe0n   users    0 Nov 17 17:02 test.conf
-rw-rw-r--   1 nixe0n   users    0 Nov 17 17:02 test.log
-rw-rw-r--   1 nixe0n   users    0 Nov 16 :41 test.txt

According to the ls output, these files belong to the user nixe0n, whose group is users. The user nixe0n and the members of the users group may modify the files, while other users may only read them. The output of the lsattr command is as follows:

[root@typhoid nixe0n]# lsattr -a test*
----i-------- test.conf
-----a------- test.log
------------- test.txt

The output shows that test.log can only be appended to, and that test.conf cannot be modified at all. On Unix systems, once a user has root privileges, the file system's permission checks impose no restriction on the root user or on processes running as root. Consequently, an attacker who obtains root privileges through a remote or local attack can do serious damage to the system. The ext2 file system attributes can serve as the last line of defense, minimizing the damage to the system and preserving the attacker's traces. The attributes are checked and enforced by sys_open(), sys_truncate() and other system calls, independently of user identification numbers and other factors: any attempt to modify a file with the immutable attribute fails, whether or not the attempt is made by root.

However, another problem remains: the root user can still modify a file by removing its i attribute first. This kind of protection therefore only adds a little trouble for an attacker who already has root privileges; the security of the system has not been fundamentally improved.

Kernel versions earlier than 2.1 had a secure level (securelevel) feature that solves this problem: if the system's secure level is greater than 0, nobody can change the i attribute of any file. In these kernels the secure level is controlled by the "kernel.securelevel" sysctl variable. If it is set to 1 or higher at startup, the kernel refuses any modification of files carrying the i and a attributes unless the system is brought down to single-user mode.

However, with the introduction of the more flexible kernel capabilities, later kernels no longer support the secure level. Similar restrictions can be implemented with kernel capabilities. The lcap tool queries and adjusts the kernel capabilities bounding set. Adding the following commands to the startup scripts protects files that carry the i and a attributes:

lcap CAP_LINUX_IMMUTABLE
lcap CAP_SYS_RAWIO

The first command removes from every user (including the superuser) the capability to change the i flag. The second removes raw access to block devices from every user (mainly the superuser), preventing a skilled attacker from directly editing the immutable field of the file system inode on disk. In any case, the CAP_SYS_RAWIO capability should be removed as soon as the system boots: it is a great potential threat, because an attacker who has obtained superuser privileges can modify kernel memory directly through the /dev/kmem device and so defeat the capabilities bounding set. Run without arguments, lcap lists the capabilities the kernel supports and those currently in effect.

Once a capability has been removed from the bounding set, the restriction can only be lifted by rebooting the system and entering single-user mode.

Interested readers can learn more about capabilities at the following link:

lcap - Linux Kernel Capabilities Bounding Set Editor
http://pw1.netcom.com/~spoon/lcap/
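The lcap tool belongs to the 2.2/2.4 era, but the check a practitioner wants afterwards is the same on any Linux kernel: is CAP_LINUX_IMMUTABLE (and CAP_SYS_RAWIO) still in the bounding set? The shell script below, added here and not part of the original article, decodes the CapBnd mask that the kernel exposes in /proc/<pid>/status. The capability numbers (CAP_LINUX_IMMUTABLE = 9, CAP_SYS_RAWIO = 17) come from the kernel's capability.h; the two sample masks are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: check whether the immutable and raw-I/O capabilities are
# still in a process's bounding set, by decoding the CapBnd hex mask from
# /proc/<pid>/status. Capability numbers are from linux/capability.h.
CAP_LINUX_IMMUTABLE=9
CAP_SYS_RAWIO=17

# cap_in_mask HEXMASK CAPNUM: succeed if bit CAPNUM is set in the hex mask.
cap_in_mask() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# cap_names HEXMASK: print the name of each of the two capabilities that is
# still present in the mask, one per line (nothing if both were dropped).
cap_names() {
    cap_in_mask "$1" $CAP_LINUX_IMMUTABLE && echo CAP_LINUX_IMMUTABLE
    cap_in_mask "$1" $CAP_SYS_RAWIO && echo CAP_SYS_RAWIO
    return 0
}

# bounding_mask [PID]: read the CapBnd field of a process (default: this
# shell). Linux only; prints nothing where /proc is unavailable.
bounding_mask() {
    awk '/^CapBnd:/ { print $2 }' "/proc/${1:-self}/status" 2>/dev/null
}

# report_pid [PID]: human-readable verdict. On a host hardened the way the
# article describes, both capabilities should be absent from the bounding
# set of init (PID 1) and of everything it starts.
report_pid() {
    pid=${1:-self}
    mask=$(bounding_mask "$pid")
    [ -n "$mask" ] || { echo "CapBnd of $pid not readable"; return 1; }
    found=$(cap_names "$mask")
    if [ -z "$found" ]; then
        echo "bounding set of $pid: immutable and raw-I/O capabilities dropped"
    else
        printf 'bounding set of %s still contains:\n%s\n' "$pid" "$found"
    fi
}

# Constructed masks: FULL_MASK has bits 0..40 set; DROPPED_MASK is the same
# mask with bits 9 (CAP_LINUX_IMMUTABLE) and 17 (CAP_SYS_RAWIO) cleared.
FULL_MASK=000001ffffffffff
DROPPED_MASK=000001fffffdfdff

# Usage: decode both constructed masks, then this shell's own bounding set.
echo "full mask:";    cap_names "$FULL_MASK"
echo "dropped mask:"; cap_names "$DROPPED_MASK"
report_pid self || true
```

One caveat for current kernels: since Linux 2.6.25 the bounding set is a per-process attribute inherited across fork and exec rather than the single system-wide set that lcap edited, so the place to drop these capabilities is the init configuration, and the place to verify it is PID 1 (report_pid 1) rather than an arbitrary shell.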

4. How should chattr be used?

On a host that is directly exposed to the Internet or to some other dangerous environment, with many shell accounts or network services such as HTTP and FTP, the following commands should generally be run once installation and configuration are complete:

chattr -R +i /bin /boot /etc /lib /sbin
chattr -R +i /usr/bin /usr/include /usr/lib /usr/sbin
chattr +a /var/log/messages /var/log/secure (...)

If accounts are rarely added, changed or deleted, setting the immutable attribute on /home causes no problems. In many cases the whole /usr tree should be immutable as well. In fact, instead of running chattr -R +i /usr/ on the /usr directory, you can use the ro option in /etc/fstab to mount the partition holding /usr read-only. In addition, making the system log files append-only makes it impossible for an intruder to erase their traces.

Of course, adopting this security measure requires the system administrator to change the way the system is administered.

4.1. Installing and upgrading software

Because software management programs need to add and delete certain files and directories, you must remove the immutable and append-only attributes from some directories and files before installing or upgrading software. On Linux systems the rpm package manager is generally used. The following command shows which files are contained in the package to be installed or upgraded:

rpm -qipl foopackage.rpm

Then adjust the immutable and append-only attributes of the related directories and files. Most packages require the rpm command to write to one or more of the following directories:

/bin
/sbin
/usr/bin
/usr/sbin
/usr/man
/lib
/etc

Note: to upgrade /usr/sbin/someprogram, you must remove the immutable attribute from both the file someprogram and the directory /usr/sbin.

4.2. Managing users and groups

Managing users and groups requires read and write access to the following directories and files:

/etc
/etc/.pwd.lock
/etc/passwd
/etc/passwd-
/etc/shadow
/etc/shadow-
/etc/group
/etc/group-
/etc/gshadow
/etc/gshadow-

passwd(1), chsh(1), chfn(1), vipw(8), vigr(8) and useradd(8) need to create a temporary copy under the /etc directory, modify the copy, delete the original file and finally copy the new file into place.

5. Directories on which chattr must not be used

Although attributes can improve system security, they are not suitable for every directory. Misusing chattr may cause many problems and can even leave the system unable to work.

/
Obviously, the root directory cannot have the immutable attribute; if it did, the system would not work at all.

/dev
At startup, syslogd needs to delete and re-create the /dev/log socket. If the immutable or append-only attribute is set on the /dev directory this fails, unless syslogd is started with the -p option naming a different socket, for example /var/run/syslog.sock. Even then there are problems: syslog client programs expect the /dev/log socket, so a symbolic link between /dev/log and the real socket has to be created. To avoid the trouble, do not set the immutable or append-only attribute on this directory.

/tmp
Many applications and system programs need to create temporary files in this directory, so neither the immutable nor the append-only attribute can be set on it.

/var
The immutable attribute cannot be set on this directory. Whether the append-only attribute is used depends on the situation. For example, setting the append-only attribute on the log files in /var/log makes logrotate impossible; this does not cause many problems, but you have to weigh the pros and cons of log rotation to decide whether to set the append-only attribute on log files. The sendmail program periodically truncates or overwrites the file /var/log/sendmail.st, so the append-only attribute cannot be set on it.
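Sections 4.1, 4.2 and the /var entry above all describe the same routine: lift the i or a attribute from a few paths, run one administrative command, then put the attributes back. The shell script below, an added example rather than the article's own code, wraps that routine so that exactly the flags that were present are restored and nothing stays unlocked by mistake. rpm, lsattr and chattr are real commands; the function names, the package name foopackage.rpm and the sample path lists are constructed for illustration. with_unlocked needs root and an ext2/3/4 file system; paths_and_parents and locked_attrs are plain text processing and run as any user.

```shell
#!/bin/sh
# Added example: unlock -> run -> relock for immutable/append-only paths.

# paths_and_parents: read paths on stdin; print each path plus its parent
# directory, sorted and de-duplicated. A file upgrade needs both unlocked,
# as the note in section 4.1 explains.
paths_and_parents() {
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        printf '%s\n%s\n' "$p" "$(dirname "$p")"
    done | LC_ALL=C sort -u
}

# locked_attrs: read lsattr output on stdin; for every entry that carries
# i and/or a, print "<letters> <path>" so the same letters can be restored.
locked_attrs() {
    while IFS= read -r line; do
        case $line in *' '*) ;; *) continue ;; esac   # skip blanks/headers
        flags=${line%% *}
        path=${line#* }
        keep=
        case $flags in *i*) keep=${keep}i ;; esac
        case $flags in *a*) keep=${keep}a ;; esac
        if [ -n "$keep" ]; then
            printf '%s %s\n' "$keep" "$path"
        fi
    done
}

# with_unlocked CMD [ARGS...]: paths on stdin (consumed before CMD runs).
# Record their current i/a flags, remove them, run CMD, then restore exactly
# the flags recorded. Requires root; refused for everyone once
# CAP_LINUX_IMMUTABLE has been dropped from the bounding set (section 3).
with_unlocked() {
    saved=$(mktemp) || return 1
    while IFS= read -r p; do
        [ -e "$p" ] && lsattr -d "$p" 2>/dev/null
    done | locked_attrs > "$saved"
    while read -r flags path; do chattr "-$flags" "$path"; done < "$saved"
    if "$@"; then status=0; else status=$?; fi
    while read -r flags path; do chattr "+$flags" "$path"; done < "$saved"
    rm -f "$saved"
    return $status
}

# rpm_upgrade PKGFILE: unlock the files the package will replace and their
# directories, upgrade, relock.
rpm_upgrade() {
    rpm -qpl "$1" | paths_and_parents | with_unlocked rpm -U "$1"
}

# add_user NAME: the account files listed in section 4.2 plus /etc itself.
add_user() {
    printf '%s\n' /etc /etc/.pwd.lock /etc/passwd /etc/passwd- /etc/shadow \
        /etc/shadow- /etc/group /etc/group- /etc/gshadow /etc/gshadow- |
        with_unlocked useradd "$1"
}

# rotate_append_only LOG: logrotate cannot rename a +a file, so do it by
# hand: the a flag is lifted, the file renamed, an empty file created, and
# +a put back on the new file. Signal syslogd afterwards to reopen the log.
rotate_append_only() {
    printf '%s\n' "$1" | with_unlocked sh -c 'mv "$1" "$1.1" && : > "$1"' sh "$1"
}

# Constructed sample input (no root needed): what rpm -qpl might list, and
# what lsattr -d might print for a few hardened paths.
printf '%s\n' /usr/sbin/someprogram /usr/share/man/man8/someprogram.8.gz | paths_and_parents
printf '%s\n' '----i-------- /etc' '------------- /etc/passwd' '-----a------- /var/log/messages' | locked_attrs
```

As root the entry points are "rpm_upgrade foopackage.rpm", "add_user alice" and "rotate_append_only /var/log/messages"; the same chattr -a / chattr +a pair can go into logrotate's prerotate and postrotate hooks if rotation is to stay automated. Note that lifting the a flag and rotating is the one moment the log is writable in place, so the wrapper keeps that window as short as the command itself.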

Summary

Although ext3 file system attributes have existed for a long time, there are not many introductions to their use. Using file system attributes can greatly improve the security of a system.
