Securing and Optimizing Linux:RedHat Edition | All about OS

Unusual or hidden files

Category: Securing and Optimizing

It is important not to forget to look everywhere on the system for unusual or hidden files (files that start with a period and are normally not shown by the “ls” command), as these can be used to hide tools and information (password cracking programs, password files from other systems, etc.). A common technique on UNIX systems is to put a hidden directory or file in a user’s account with an unusual name, something like ‘...’ or ‘.. ’ (dot dot space) or ‘..^G’ (dot dot control-G). The “find” program can be used to look for hidden files.
As an example:
[root@deep /]# find / -name ".. " -print -xdev
[root@deep /]# find / -name ".*" -print -xdev | cat -v
NOTE: Files with names such as ‘.xx’ and ‘.mail’ have been used (that is, files that might appear to be normal).
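As an added example that is not part of the book, the following POSIX shell function narrows the second find command above to the names the text describes as suspicious: hidden entries whose name contains whitespace or control characters (the ‘.. ’ and ‘..^G’ cases). It runs the output through cat -v, as the book does, so control characters appear as ^X and can be matched. The function names and the constructed sample tree are assumptions; ordinary-looking hidden names such as ‘.xx’ are deliberately not flagged by it and still need the full listing.

```sh
#!/bin/sh
# Added example (not from the book): flag hidden entries whose names contain
# whitespace or control characters. Function names and the sample tree are
# assumptions for illustration.

# Print hidden entries under $1 whose name, after cat -v makes control
# characters visible as ^X and high bytes as M-X, contains whitespace, a ^X
# sequence or an M- sequence. -xdev keeps find on one filesystem, as in the
# book's commands. The grep anchors on the last path component only.
find_odd_hidden() {
    find "$1" -xdev -name '.*' ! -name '.' ! -name '..' -print 2>/dev/null \
        | cat -v \
        | grep -E '/\.[^/]*([[:space:]]|\^.|M-)[^/]*$'
}

# Number of flagged entries under $1 (wc padding stripped for portability).
count_odd_hidden() {
    find_odd_hidden "$1" | wc -l | tr -d ' '
}

# Constructed sample tree, not real system data.
make_hidden_sample() {
    dir=$(mktemp -d)
    mkdir "$dir/.. "                  # dot dot space: flagged
    : > "$dir/..$(printf '\007')"     # dot dot control-G: flagged
    : > "$dir/.xx"                    # looks like a normal hidden file: not flagged
    : > "$dir/visible"                # not hidden: never listed
    printf '%s\n' "$dir"
}

# Stand-alone run: build the sample, show what is flagged, clean up.
sample=$(make_hidden_sample)
find_odd_hidden "$sample"
rm -rf "$sample"
```

On a real host you would run find_odd_hidden against / (or each user's home directory); the two flagged names in the sample correspond exactly to the ‘dot dot space’ and ‘dot dot control-G’ tricks from the text.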
Find all files with the SUID/SGID bit enabled
All SUID and SGID files that still exist on your system after we have removed those that don’t absolutely require such privilege are a potential security risk, and should be monitored closely.
Because these programs grant special privileges to the user who is executing them, it is necessary to ensure that insecure programs are not installed.
A favorite trick of crackers is to exploit SUID “root” programs, and leave a SUID program as a backdoor to get in the next time. Find all SUID and SGID programs on your system, and keep track of what they are so that you are aware of any changes, which could indicate a potential intruder.
• Use the following command to find all SUID/SGID programs on your system:
[root@deep /]# find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;
NOTE: See in this book under chapter 10 “Securities Software (Monitoring Tools)” for more information about the software sXid that will do the job for you automatically each day and report the results via mail.
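The text says to keep track of the SUID/SGID programs so that a change (such as a newly planted set-id binary) is noticed. As an added example that is not from the book and not the sXid tool it refers to, the POSIX shell functions below record a baseline inventory with the same find test the book uses and report paths that are set-id now but were absent from the baseline. The function names, the baseline file layout and the constructed sample tree are assumptions.

```sh
#!/bin/sh
# Added example (not from the book): keep an inventory of SUID/SGID files and
# report any that appeared since the last saved baseline. Function names,
# baseline layout and the sample tree are assumptions for illustration.

# Sorted list of regular files under $1 with the SUID (-perm -4000) or the
# SGID (-perm -2000) bit set, one path per line.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null \
        | LC_ALL=C sort
}

# Record the current inventory of tree $1 in baseline file $2. Keep a copy
# off the host: an intruder with root can edit a baseline stored locally.
save_setid_baseline() {
    list_setid "$1" > "$2"
}

# Print paths under tree $2 that are set-id now but missing from baseline
# file $1 (comm -13 keeps only lines unique to the second input, stdin).
# Prints nothing when the inventory is unchanged.
new_setid_since() {
    list_setid "$2" | LC_ALL=C comm -13 "$1" -
}

# Constructed sample tree, not real system binaries.
make_setid_sample() {
    dir=$(mktemp -d)
    : > "$dir/suid_tool";  chmod 4755 "$dir/suid_tool"   # SUID: listed
    : > "$dir/sgid_tool";  chmod 2755 "$dir/sgid_tool"   # SGID: listed
    : > "$dir/plain_tool"; chmod 0755 "$dir/plain_tool"  # neither: not listed
    printf '%s\n' "$dir"
}

# Stand-alone run: save a baseline, then show how a set-id file that appears
# afterwards is reported on the next check.
sample=$(make_setid_sample)
save_setid_baseline "$sample" "$sample/.setid.baseline"
: > "$sample/later_suid"; chmod 4755 "$sample/later_suid"
new_setid_since "$sample/.setid.baseline" "$sample"
rm -rf "$sample"
```

A daily cron job that runs new_setid_since against / and mails any non-empty output gives the same kind of report the text attributes to sXid; removed entries can be listed the same way with comm -23.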
Find group and World Writable files and directories
Group and world writable files and directories, particularly system files (partitions), can be a security hole if a cracker gains access to your system and modifies them. Additionally, world-writable directories are dangerous, since they allow a cracker to add or delete files as he or she wishes in these directories. In the normal course of operation, several files will be writable, including some from the “/dev” and “/var/catman” directories, and all symbolic links on your system.
• To locate all group & world-writable files on your system, use the command:
[root@deep /]# find / -type f \( -perm -2 -o -perm -20 \) -exec ls -lg {} \;
• To locate all group & world-writable directories on your system, use the command:
[root@deep /]# find / -type d \( -perm -2 -o -perm -20 \) -exec ls -ldg {} \;
NOTE: A file and directory integrity checker like Tripwire software can be used regularly to scan, manage and find modified group or world writable files and directories easily. See in this book under chapter 10 “Securities Software (Monitoring Tools)” for more information about Tripwire.
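The two directory commands above will also report /tmp-style directories, which are world-writable by design but carry the sticky bit so that users cannot remove each other's files. As an added example that is not from the book, the POSIX shell functions below list world-writable regular files, and world-writable directories that lack the sticky bit, which are the ones where the “add or delete files as he or she wishes” problem actually applies. The example covers the world-writable case only (the book's commands also cover group-writable); the function names and the constructed sample tree are assumptions.

```sh
#!/bin/sh
# Added example (not from the book): world-writable files, and world-writable
# directories without the sticky bit. Function names and the sample tree are
# assumptions for illustration.

# Regular files under $1 that anyone can write (-perm -0002: "other" write bit).
list_world_writable_files() {
    find "$1" -xdev -type f -perm -0002 -print 2>/dev/null | LC_ALL=C sort
}

# Directories under $1 that anyone can write and that lack the sticky bit
# (-perm -1000). Without the sticky bit any user may delete or rename other
# users' entries in the directory, so 1777 directories such as /tmp are not
# reported while a 0777 directory is.
list_unsticky_world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null \
        | LC_ALL=C sort
}

# Constructed sample tree, not real system paths.
make_writable_sample() {
    dir=$(mktemp -d)
    mkdir "$dir/open";   chmod 0777 "$dir/open"    # world-writable, no sticky bit: reported
    mkdir "$dir/shared"; chmod 1777 "$dir/shared"  # world-writable with sticky bit: not reported
    : > "$dir/loose";    chmod 0666 "$dir/loose"   # world-writable file: reported
    : > "$dir/normal";   chmod 0644 "$dir/normal"  # not reported
    printf '%s\n' "$dir"
}

# Stand-alone run over the sample tree.
sample=$(make_writable_sample)
list_world_writable_files "$sample"
list_unsticky_world_writable_dirs "$sample"
rm -rf "$sample"
```

Run both functions against / and review every path they print; anything outside the expected “/dev”-style set is a candidate for chmod o-w or, for a directory that must stay shared, chmod +t.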
