🔹File System Security
Pre-installation Precautions
When installing a fresh OS, it is better to keep the directories below on separate partitions. A separate filesystem limits local attacks: a user filling /tmp or /home cannot exhaust the space the root filesystem and system services need (resource starvation), and each partition can carry its own restrictive mount options, which lowers the privilege escalation vector.
Directory and security mount options
nodev Option
The nodev mount option specifies that the filesystem cannot contain special devices: the kernel does not honour block or character device nodes found on it. Device nodes placed on a removable or user-supplied filesystem would otherwise give direct access to disks or kernel devices.
/tmp
Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp.
Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information.
Run the following command to remount /tmp:
# mount -o remount,nodev /tmp
/var/tmp
Run the following command and verify that the nodev option is set on /var/tmp:
# mount | grep /var/tmp
Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition, then remount:
# mount -o remount,nodev /var/tmp
/home
Run the following command and verify that the nodev option is set on /home:
# mount | grep /home
Edit the /etc/fstab file and add nodev to the fourth field for the /home partition, then remount:
# mount -o remount,nodev /home
/dev/shm
Run the following command and verify that the nodev option is set on /dev/shm:
# mount | grep /dev/shm
Edit the /etc/fstab file and add nodev to the fourth field for the /dev/shm entry, then remount:
# mount -o remount,nodev /dev/shm
Removable media partitions
Run the following command and verify that the nodev option is set on all removable media partitions:
# mount
Edit the /etc/fstab file and add nodev to the fourth field of each removable media entry.
nosuid Option
The nosuid mount option makes the kernel ignore the set-user-ID and set-group-ID bits on executables stored on the filesystem. A setuid binary copied into a user-writable location or carried on removable media then runs with the invoking user's privileges only.
/tmp
If a /tmp partition exists, run the following command and verify that the nosuid option is set on /tmp:
# mount | grep /tmp
Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. Run the following command to remount /tmp:
# mount -o remount,nosuid /tmp
/var/tmp
Run the following command and verify that the nosuid option is set on /var/tmp:
# mount | grep /var/tmp
Edit the /etc/fstab file and add nosuid to the fourth field for the /var/tmp partition, then remount:
# mount -o remount,nosuid /var/tmp
/dev/shm
Run the following command and verify that the nosuid option is set on /dev/shm:
# mount | grep /dev/shm
Edit the /etc/fstab file and add nosuid to the fourth field for the /dev/shm entry, then remount:
# mount -o remount,nosuid /dev/shm
Removable media partitions
Run the following command and verify that the nosuid option is set on all removable media partitions:
# mount
Edit the /etc/fstab file and add nosuid to the fourth field of each removable media entry.
noexec Option
The noexec mount option prevents binaries from being executed directly from the filesystem. It raises the bar for malware that drops a payload into a world-writable directory and runs it, but it is not a complete control: a script can still be handed to an interpreter (for example sh /var/tmp/x.sh), so combine it with nodev and nosuid rather than relying on it alone. Applying noexec to /tmp can break package installers and build tools that execute helpers from /tmp, which is why it is applied below to /var/tmp and /dev/shm; test before extending it to /tmp.
/var/tmp
Run the following command and verify that the noexec option is set on /var/tmp:
# mount | grep /var/tmp
Edit the /etc/fstab file and add noexec to the fourth field for the /var/tmp partition, then remount:
# mount -o remount,noexec /var/tmp
/dev/shm
Run the following command and verify that the noexec option is set on /dev/shm:
# mount | grep /dev/shm
Edit the /etc/fstab file and add noexec to the fourth field for the /dev/shm entry, then remount:
# mount -o remount,noexec /dev/shm
Removable media partitions
Run the following command and verify that the noexec option is set on all removable media partitions:
# mount
Edit the /etc/fstab file and add noexec to the fourth field of each removable media entry.
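The per-mount-point checks above can be done in one pass. The following script is an added example (not the page's own commands): it parses the "TARGET OPTIONS" lines printed by findmnt -rn -o TARGET,OPTIONS, which is more precise than mount | grep because grep /tmp also matches /var/tmp, and reports every required option that is missing as well as any listed directory that is not a separate mount point. The expected option sets and the sample fstab line in the comments are assumptions taken from the sections above; the sample mount table is constructed, not captured from a real host.

```shell
#!/bin/sh
# Verify that the mount points discussed above carry the expected options.
# Added example, not the page's own commands. Reads the "TARGET OPTIONS"
# lines that findmnt(8) prints, so it can be pointed at a live system
# (--live) or at a captured table. Expected sets follow the sections above;
# /tmp deliberately lacks noexec (see the noexec caveat).
#
# Example /etc/fstab line (assumed layout, tmpfs-backed /tmp); the fourth
# field is the option list:
#   tmpfs  /tmp  tmpfs  defaults,nodev,nosuid  0 0

REQUIRED='
/tmp      nodev,nosuid
/var/tmp  nodev,nosuid,noexec
/home     nodev
/dev/shm  nodev,nosuid,noexec
'

# missing_opts OPTIONS REQUIRED: print the required options absent from the
# comma-separated OPTIONS string, space separated (empty when all present).
missing_opts() {
    _opts=",$1,"
    _missing=""
    for _want in $(printf '%s' "$2" | tr ',' ' '); do
        case "$_opts" in
            *",$_want,"*) ;;
            *) _missing="$_missing $_want" ;;
        esac
    done
    printf '%s' "${_missing# }"
}

# check_mount_table: read "TARGET OPTIONS" lines from stdin (the output of
# `findmnt -rn -o TARGET,OPTIONS`), report each listed mount point, and
# return 1 if any required option is missing. Mount points not in REQUIRED
# are ignored; a required directory that is not mounted at all is reported
# too, because a missing separate partition is itself a finding.
check_mount_table() {
    _rc=0
    _seen=" "
    while read -r _target _opts; do
        [ -n "$_target" ] || continue
        _want=$(printf '%s\n' "$REQUIRED" | awk -v t="$_target" '$1 == t {print $2}')
        [ -n "$_want" ] || continue
        _seen="$_seen$_target "
        _m=$(missing_opts "$_opts" "$_want")
        if [ -n "$_m" ]; then
            echo "FAIL $_target missing: $_m"
            _rc=1
        else
            echo "OK   $_target ($_opts)"
        fi
    done
    for _t in $(printf '%s\n' "$REQUIRED" | awk 'NF {print $1}'); do
        case "$_seen" in
            *" $_t "*) ;;
            *) echo "FAIL $_t is not a separate mount point"; _rc=1 ;;
        esac
    done
    return $_rc
}

# Constructed sample table in findmnt format (not captured from a real host):
# /var/tmp lacks every hardening option and /home is not a mount point.
SAMPLE='/tmp rw,nosuid,nodev,relatime
/var/tmp rw,relatime
/dev/shm rw,nosuid,nodev,noexec,relatime'

if [ "${1:-}" = "--live" ]; then
    findmnt -rn -o TARGET,OPTIONS | check_mount_table
elif printf '%s\n' "$SAMPLE" | check_mount_table; then
    echo "all required options present"
else
    echo "one or more mount points need attention"
fi
```

Run it with --live on a host to audit the real mount table; the exit status is non-zero when anything is missing, so it can be used from a configuration-management check or a cron job.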
Sticky Bit on World-writable Directories
The sticky bit on a world-writable directory restricts deletion and renaming of entries to the file's owner, the directory's owner and root, so users sharing the directory cannot remove or replace each other's files. Run the following command to verify that no world-writable directories exist without the sticky bit set:
# df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null
No output should be returned.
Run the following command to set the sticky bit on all world-writable directories that lack it (the NUL-separated form keeps directory names containing whitespace intact, and -r stops xargs from running chmod with no arguments when nothing is found):
# df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print0 2>/dev/null | xargs -0 -r chmod a+t
Disable Auto Mounting
With automounting enabled, anyone with physical access could attach a USB drive or disc and have its contents available on the system even if they lack permission to mount it themselves. Run the following command to verify autofs is not enabled:
# systemctl is-enabled autofs
Verify that the result is not "enabled". To disable autofs:
# systemctl disable autofs
Security Related Mount Options
nodev : do not interpret character or block special devices on the filesystem
nosuid : ignore set-user-ID and set-group-ID bits on executables
noexec : do not allow direct execution of binaries from the filesystem
-o remount,noexec : remount an already mounted filesystem with the new option; when only the mount point is given, the remaining options are taken from its /etc/fstab entry
File System Integrity
Creating an Audit Database
Install AIDE:
# apt install aide aide-common
Initiate the Database
# aideinit
While initializing the database, AIDE takes a snapshot (checksums, permissions, ownership and timestamps) of all system libraries and binaries for future comparison, so run it on a known-good system, ideally right after installation. Copy the newly created database /var/lib/aide/aide.db.new.gz to /var/lib/aide/aide.db.gz, then check all files for mismatches:
Check Integrity
# aide --check
If anything changed since the database was built, AIDE prints a report of added, removed and changed entries and exits with a non-zero status.
Updating the AIDE DB after a check
After legitimate changes (package upgrades, configuration edits), regenerate the database with AIDE's --update mode. This writes a fresh aide.db.new.gz reflecting the current state of the monitored directories; copy it over aide.db.gz to accept the new baseline. Keep a copy of the database (and ideally of the aide binary and its configuration) on read-only or off-host storage, because an attacker with root can otherwise regenerate it to hide their changes.
Config Files
conf file: /etc/aide/aide.conf on Debian/Ubuntu (/etc/aide.conf on RHEL-family systems)
log directory: /var/log/aide
db directory: /var/lib/aide
Scheduling
Determine whether a cron job is scheduled to run the AIDE check by listing root's crontab:
# crontab -u root -l
If none exists, edit root's crontab and add a line that runs the check daily:
# crontab -u root -e
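The check, update and scheduling steps above combined into a cron wrapper, as an added example (not from the page or the AIDE project). It assumes the Debian/Ubuntu paths used here, a hypothetical install location /usr/local/sbin/aide-check.sh for the crontab line, and the exit-status meanings documented in aide(1): 0 for no differences, 1, 2 and 4 as added flags for new, removed and changed entries, and 14 or above for errors. The wrapper refuses to run without a baseline so a cron job never reports "clean" on a host that was never initialised, and keeps the previous database when a new one is accepted.

```shell
#!/bin/sh
# Cron wrapper for AIDE: refuse to run without a baseline, run the check,
# decode the exit status for the log, and accept a freshly generated
# database after a legitimate change. Added example, not the page's or the
# AIDE project's code. Paths are the Debian/Ubuntu defaults (assumption).
#
# Suggested crontab entry (hypothetical install path), daily at 05:00:
#   0 5 * * * /usr/local/sbin/aide-check.sh check

AIDE_BIN=${AIDE_BIN:-aide}                        # Debian also ships aide.wrapper
AIDE_DB=${AIDE_DB:-/var/lib/aide/aide.db.gz}
AIDE_NEW=${AIDE_NEW:-/var/lib/aide/aide.db.new.gz}
AIDE_LOG=${AIDE_LOG:-/var/log/aide/aide-cron.log}

# decode_aide_rc STATUS: one-line summary of an `aide --check` exit status.
# 0 means no differences; 1, 2 and 4 are flags for new, removed and changed
# entries and are added together (5 = new + changed); anything above 7 is
# an error (14+ per aide(1): config, I/O, database version mismatch, ...).
# Returns 0 for clean, 1 for differences, 2 for an AIDE error.
decode_aide_rc() {
    _rc=$1
    if [ "$_rc" -eq 0 ]; then
        echo "no differences"; return 0
    elif [ "$_rc" -gt 7 ]; then
        echo "aide failed (exit status $_rc)"; return 2
    fi
    _what=""
    [ $((_rc & 1)) -ne 0 ] && _what="$_what new"
    [ $((_rc & 2)) -ne 0 ] && _what="$_what removed"
    [ $((_rc & 4)) -ne 0 ] && _what="$_what changed"
    echo "differences found:${_what}"
    return 1
}

# aide_check: run the check, append the full report to AIDE_LOG, summarise
# to syslog and stdout, and pass AIDE's exit status through to cron.
aide_check() {
    if [ ! -f "$AIDE_DB" ]; then
        echo "no database at $AIDE_DB; run aideinit first" >&2
        return 2
    fi
    if "$AIDE_BIN" --check >>"$AIDE_LOG" 2>&1; then _rc=0; else _rc=$?; fi
    _summary=$(decode_aide_rc "$_rc") || :
    logger -t aide-check -- "$_summary"
    echo "$_summary"
    return "$_rc"
}

# aide_accept: make aide.db.new.gz the new baseline, keeping the previous
# database as .prev so an unexpected change can still be investigated.
aide_accept() {
    if [ ! -f "$AIDE_NEW" ]; then
        echo "no new database at $AIDE_NEW" >&2; return 2
    fi
    [ -f "$AIDE_DB" ] && cp -p "$AIDE_DB" "$AIDE_DB.prev"
    mv "$AIDE_NEW" "$AIDE_DB"
    chmod 600 "$AIDE_DB"
}

case "${1:-}" in
    check)  aide_check ;;
    update) if "$AIDE_BIN" --update >>"$AIDE_LOG" 2>&1; then _rc=0; else _rc=$?; fi
            if [ "$_rc" -gt 7 ]; then echo "aide --update failed ($_rc)" >&2; exit "$_rc"; fi
            aide_accept ;;
    accept) aide_accept ;;
    *)      echo "usage: $0 check|update|accept" >&2 ;;
esac
```

Because the wrapper returns AIDE's own status, cron's mail (or whatever consumes the job's exit code) distinguishes "differences found" from "AIDE could not run", which a bare aide --check line in the crontab does not make obvious.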
File System Permissions
Permissions on /etc/passwd
Permissions on /etc/shadow
Permissions on /etc/group
Permissions on /etc/gshadow
Permissions on /etc/passwd Backup Files
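A checker for the account files listed above, as an added example that is not part of the original page. The expected owner, group and maximum mode per file are the Debian/Ubuntu defaults and are an assumption (RHEL-family systems ship /etc/shadow and /etc/gshadow as root:root with mode 0000, so edit the table there); each mode is treated as a maximum, so a stricter mode passes and any extra permission bit fails. The backup files (trailing "-") carry the same content as their originals and get the same limits.

```shell
#!/bin/sh
# Check owner, group and mode of the account database files. Added example,
# not from the page. Expected values are the Debian/Ubuntu defaults
# (assumption; adjust for RHEL-family hosts). Assumes GNU stat.

# file           owner group  max mode
EXPECTED='
/etc/passwd    root root   644
/etc/passwd-   root root   644
/etc/group     root root   644
/etc/group-    root root   644
/etc/shadow    root shadow 640
/etc/shadow-   root shadow 640
/etc/gshadow   root shadow 640
/etc/gshadow-  root shadow 640
'

# mode_within ACTUAL MAX: succeed if every permission bit set in ACTUAL is
# also set in MAX (both octal strings as printed by stat -c %a). The leading
# 0 makes the shell parse the strings as octal numbers.
mode_within() {
    _a=$((0$1)); _m=$((0$2))
    [ $(( _a & ~_m )) -eq 0 ]
}

# check_file PATH OWNER GROUP MAXMODE: print an OK/FAIL/SKIP line and return
# 0 when acceptable (an absent backup file is not a finding), 1 otherwise.
check_file() {
    _p=$1; _o=$2; _g=$3; _max=$4
    if [ ! -e "$_p" ]; then
        echo "SKIP $_p (absent)"; return 0
    fi
    set -- $(stat -c '%U %G %a' "$_p")
    _why=""
    [ "$1" = "$_o" ] || _why="$_why owner=$1(want $_o)"
    [ "$2" = "$_g" ] || _why="$_why group=$2(want $_g)"
    mode_within "$3" "$_max" || _why="$_why mode=$3(max $_max)"
    if [ -z "$_why" ]; then
        echo "OK   $_p $1:$2 $3"; return 0
    fi
    echo "FAIL $_p:$_why"; return 1
}

# check_all: evaluate every row of EXPECTED; return 1 if any row fails.
check_all() {
    _rc=0
    _saved_ifs=$IFS
    IFS='
'
    for _row in $EXPECTED; do
        IFS=$_saved_ifs
        set -- $_row
        check_file "$1" "$2" "$3" "$4" || _rc=1
    done
    IFS=$_saved_ifs
    return $_rc
}

check_all || echo "one or more account files deviate from the expected permissions"
```

Fixing a finding is the usual chown root:root /etc/passwd and chmod 644 /etc/passwd (or root:shadow and 640 for the shadow files); rerun the script afterwards to confirm every line reads OK.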
World-writable Files
A world-writable file can be modified by any local user; if it is a script, library or configuration file read by a privileged process, that is a direct privilege escalation path. Run the following command and verify no files are returned:
# df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002
Or run the following command manually for each partition:
# find [partition] -xdev -type f -perm -0002
Check for Unowned Files or Directories
Files whose owner has no entry in /etc/passwd are usually left over from a deleted account; a new account that is later assigned the same UID silently inherits them. Run the following command and verify no files are returned:
# df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser
Or run the following command manually for each partition:
# find [partition] -xdev -nouser
Check for Ungrouped Files or Directories
Run the following command and verify no files are returned:
# df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup
Or run the following command manually for each partition:
# find [partition] -xdev -nogroup
Audit SUID/SGID Executables
Run the following commands to list SUID and SGID files, and compare the result against what the distribution's packages are expected to ship; anything unexpected, especially under /tmp, /var or /home, needs investigation:
# df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -4000
# df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -2000
Or run the following commands manually for each partition:
# find [partition] -xdev -type f -perm -4000
# find [partition] -xdev -type f -perm -2000
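The sticky-bit check above and the world-writable, unowned, ungrouped and SUID/SGID audits in this section all follow the same df | awk | xargs find pattern. The following script is an added example (not the page's own commands) that wraps them as functions taking a start directory, so they can be run against one partition, a mounted image, or the constructed test tree the script builds for itself; it also includes a fix for the sticky bit that hands paths straight to chmod. It assumes GNU find and df as found on common Linux distributions; the test tree and its file names are constructed, not taken from any real system.

```shell
#!/bin/sh
# Audit a directory tree for world-writable directories without the sticky
# bit, world-writable files, files with no owner or group, and SUID/SGID
# executables. Added example (not the page's commands); assumes GNU find/df.

# audit_tree DIR: print one "TAG path" line per finding. -xdev keeps find on
# the filesystem DIR lives on, matching the per-partition commands above.
# `-exec printf FMT {} +` repeats the format once per path, so it works
# without GNU-only -printf.
audit_tree() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -exec printf 'WW_DIR_NOSTICKY %s\n' {} + 2>/dev/null
    find "$1" -xdev -type f -perm -0002 -exec printf 'WW_FILE %s\n' {} + 2>/dev/null
    find "$1" -xdev -nouser  -exec printf 'NOUSER %s\n'  {} + 2>/dev/null
    find "$1" -xdev -nogroup -exec printf 'NOGROUP %s\n' {} + 2>/dev/null
    find "$1" -xdev -type f -perm -4000 -exec printf 'SUID %s\n' {} + 2>/dev/null
    find "$1" -xdev -type f -perm -2000 -exec printf 'SGID %s\n' {} + 2>/dev/null
}

# audit_local_mounts: the same checks over every local mount point, like the
# df | awk | xargs pipelines above.
audit_local_mounts() {
    df --local -P | awk 'NR != 1 {print $6}' | while read -r _mp; do
        audit_tree "$_mp"
    done
}

# count_findings DIR TAG: number of findings carrying TAG (for scripting).
count_findings() {
    audit_tree "$1" | awk -v tag="$2" '$1 == tag' | wc -l | tr -d ' '
}

# fix_sticky DIR: add the sticky bit to world-writable directories lacking
# it. -exec ... + passes paths directly to chmod, so names containing spaces
# or newlines are safe, unlike an unquoted pipe into xargs.
fix_sticky() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -exec chmod a+t {} + 2>/dev/null
}

# make_test_tree: a constructed sample tree (not a real system) that
# triggers each check that does not need root; prints its path.
make_test_tree() {
    _t=$(mktemp -d)
    mkdir "$_t/shared";      chmod 777  "$_t/shared"      # world-writable, no sticky bit
    mkdir "$_t/tmp";         chmod 1777 "$_t/tmp"         # world-writable with sticky bit: fine
    : > "$_t/notes.txt";     chmod 666  "$_t/notes.txt"   # world-writable file
    : > "$_t/helper";        chmod 4755 "$_t/helper"      # setuid executable
    : > "$_t/tool";          chmod 2755 "$_t/tool"        # setgid executable
    printf '%s\n' "$_t"
}

if [ "${1:-}" = "--live" ]; then
    audit_local_mounts
else
    T=$(make_test_tree)
    echo "findings in constructed tree $T:"
    audit_tree "$T"
    fix_sticky "$T"
    echo "after fix_sticky, world-writable dirs without sticky bit: $(count_findings "$T" WW_DIR_NOSTICKY)"
    rm -rf "$T"
fi
```

With --live the script walks every local mount point as root; the NOUSER and NOGROUP checks only produce results on a real system, since creating a file with a non-existent owner requires root and is deliberately left out of the constructed tree.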
Add/remove SUID/SGID Attribute
Adding the setuid and setgid attributes (the symbolic and octal forms are equivalent):
# chmod ug+s /path/to/file
# chmod 6755 /path/to/file
Removing only the setgid attribute:
# chmod g-s /path/to/file
Removing both setuid and setgid from a regular file (the leading 0 clears the special bits):
# chmod 0755 /path/to/file