Fix the permissions under “/etc/rc.d/init.d” directory for script files
Such programs include, but aren’t limited to:
• Programs you never use.
• Programs that you don’t want any non-root users to run.
• Programs you use occasionally, and don’t mind having to su(1) to root to run.
We’ve placed an asterisk (*) next to each program we personally might disable because we consider it not absolutely required for the day-to-day work of our server. Remember that your system needs some suid root programs to work properly, so be careful.
• To find all files with the ‘s’ bits (setuid or setgid) from root-owned programs, use the command:
[root@deep]# find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;
*-rwsr-xr-x 1 root root 35168 Sep 22 23:35 /usr/bin/chage
*-rwsr-xr-x 1 root root 36756 Sep 22 23:35 /usr/bin/gpasswd
*-r-xr-sr-x 1 root tty 6788 Sep 6 18:17 /usr/bin/wall
-rwsr-xr-x 1 root root 33152 Aug 16 16:35 /usr/bin/at
-rwxr-sr-x 1 root man 34656 Sep 13 20:26 /usr/bin/man
-r-s--x--x 1 root root 22312 Sep 25 11:52 /usr/bin/passwd
-rws--x--x 1 root root 518140 Aug 30 23:12 /usr/bin/suidperl
-rws--x--x 1 root root 518140 Aug 30 23:12 /usr/bin/sperl5.00503
-rwxr-sr-x 1 root slocate 24744 Sep 20 10:29 /usr/bin/slocate
*-rws--x--x 1 root root 14024 Sep 9 01:01 /usr/bin/chfn
*-rws--x--x 1 root root 13768 Sep 9 01:01 /usr/bin/chsh
*-rws--x--x 1 root root 5576 Sep 9 01:01 /usr/bin/newgrp
*-rwxr-sr-x 1 root tty 8328 Sep 9 01:01 /usr/bin/write
-rwsr-xr-x 1 root root 21816 Sep 10 16:03 /usr/bin/crontab
*-rwsr-xr-x 1 root root 5896 Nov 23 21:59 /usr/sbin/usernetctl
*-rwsr-xr-x 1 root bin 16488 Jul 2 10:21 /usr/sbin/traceroute
-rwxr-sr-x 1 root utmp 6096 Sep 13 20:11 /usr/sbin/utempter
-rwsr-xr-x 1 root root 14124 Aug 17 22:31 /bin/su
*-rwsr-xr-x 1 root root 53620 Sep 13 20:26 /bin/mount
*-rwsr-xr-x 1 root root 26700 Sep 13 20:26 /bin/umount
*-rwsr-xr-x 1 root root 18228 Sep 10 16:04 /bin/ping
*-rwxr-sr-x 1 root root 3860 Nov 23 21:59 /sbin/netreport
-r-sr-xr-x 1 root root 26309 Oct 11 20:48 /sbin/pwdb_chkpwd
To disable the suid bits on selected programs above, type the following commands:
[root@deep /]# chmod a-s /usr/bin/chage
[root@deep /]# chmod a-s /usr/bin/gpasswd
[root@deep /]# chmod a-s /usr/bin/wall
[root@deep /]# chmod a-s /usr/bin/chfn
[root@deep /]# chmod a-s /usr/bin/chsh
[root@deep /]# chmod a-s /usr/bin/newgrp
[root@deep /]# chmod a-s /usr/bin/write
[root@deep /]# chmod a-s /usr/sbin/usernetctl
[root@deep /]# chmod a-s /usr/sbin/traceroute
[root@deep /]# chmod a-s /bin/mount
[root@deep /]# chmod a-s /bin/umount
[root@deep /]# chmod a-s /bin/ping
[root@deep /]# chmod a-s /sbin/netreport
If you want to know what those programs do, type “man program-name” and read the man page.
As an example: [root@deep /]# man netreport
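As an added example (not from the book), the same find/chmod procedure wrapped in a few POSIX shell functions: list the setuid/setgid files under a tree, clear the bits from an explicit list, confirm the result with the shell’s -u/-g tests, and compare the current list against a saved baseline so that bits re-enabled by a later package upgrade show up. The function names and the baseline file are this example’s own assumptions.

```shell
#!/bin/sh
# Added example: audit and strip setuid/setgid bits, then verify.
# Assumes a POSIX sh with find(1) supporting -perm -04000 (as used above),
# comm(1) and sort(1). Run the chmod part as root on a real system.

# Print regular files under $1 (default /) that carry the setuid or
# setgid bit, sorted so the list can be saved as a baseline.
list_suid() {
    find "${1:-/}" -xdev -type f \( -perm -04000 -o -perm -02000 \) \
        -print 2>/dev/null | sort
}

# Return 0 if the file still has a setuid or setgid bit, 1 otherwise.
# -u and -g are the POSIX test(1) operators for exactly these bits.
has_suid() {
    [ -u "$1" ] || [ -g "$1" ]
}

# Clear setuid and setgid on every path given (chmod a-s, as on this page),
# reporting what changed and skipping files that are already clean.
drop_suid() {
    for f in "$@"; do
        if has_suid "$f"; then
            chmod a-s "$f" && echo "cleared s-bits: $f"
        else
            echo "already clean: $f"
        fi
    done
}

# Print paths that are setuid/setgid now but are absent from the sorted
# baseline file $2 (new binaries, or bits restored by an upgrade).
new_since_baseline() {
    list_suid "$1" | comm -13 "$2" -
}
```

Save the output of list_suid to a file once the bits are set the way you want, and run new_since_baseline from cron after package updates.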