Unusual or hidden files
Unowned files
Don’t permit any unowned file. Unowned files may also be an indication that an intruder has accessed your system. If you find an unowned file or directory on your system, verify its integrity, and if all looks fine, give it an owner. Sometimes you may uninstall a program and be left with an unowned file or directory related to that software; in this case you can remove the file or directory safely.
• To locate files on your system that do not have an owner, use the following command:
[root@deep /]# find / -nouser -o -nogroup
NOTE: Once again, files reported under the “/dev” directory don’t count.
Finding “.rhosts” files
Finding all the “.rhosts” files that could exist on your server should be a part of your regular system administration duties, as these files should not be permitted on your system. Remember that a cracker only needs one insecure account to potentially gain access to your entire network.
• You can locate all “.rhosts” files on your system with the following command:
[root@deep /]# find /home -name .rhosts
You can also use a cron job to periodically check for, report the contents of, and delete $HOME/.rhosts files. Also, users should be made aware that you regularly perform this type of audit, as directed by policy.
• To use a cron job to periodically check and report via mail all “.rhosts” files, do the following:
Create as “root” the find_rhosts_files script file under the “/etc/cron.daily” directory (touch /etc/cron.daily/find_rhosts_files) and add the following lines to this script file:
#!/bin/sh
# Prepend a header to the list of .rhosts files found and mail the result to root.
/usr/bin/find /home -name .rhosts | (cat <<EOF
This is an automated report of possible existent ".rhosts" files on the server
deep.openna.com, generated by the find utility command.
New detected ".rhosts" files under the "/home" directory include:
EOF
# The second cat forwards the find output (the subshell's stdin) after the header.
cat
) | /bin/mail -s "Content of .rhosts file audit report" root
Now make this script file executable, verify the owner, and change the group to “root”.
[root@deep /]# chmod 755 /etc/cron.daily/find_rhosts_files
[root@deep /]# chown 0.0 /etc/cron.daily/find_rhosts_files
Each day mail will be sent to “root” with the subject “Content of .rhosts file audit report” containing potential new “.rhosts” files.
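The daily audit above, reworked as an added example (not the guide's own script): the report is built by a function that can be run against a constructed directory tree instead of the live /home, and it returns non-zero when nothing was found so cron only mails when there is something to report. The host name deep.openna.com and the mail subject come from the text; the sample tree is constructed here, and the unowned-file helper adds the /dev and /proc pruning the note above calls for.

```shell
#!/bin/sh
# Added example, not from the original guide.

# rhosts_report DIR HOST: print the report header followed by every regular
# file named .rhosts under DIR; return 1 when none exist so callers can skip mail.
rhosts_report() {
    dir="$1"; host="$2"
    found=$(find "$dir" -name .rhosts -type f 2>/dev/null | sort)
    [ -n "$found" ] || return 1
    cat <<EOF
This is an automated report of possible existent ".rhosts" files on the server
$host, generated by the find utility command.
New detected ".rhosts" files under the "$dir" directory include:
$found
EOF
}

# unowned_report DIR: list files under DIR whose uid or gid has no passwd or
# group entry. /dev and /proc are pruned (they only match when DIR is /),
# since the guide says hits there do not count.
unowned_report() {
    find "$1" -path /dev -prune -o -path /proc -prune -o \
        \( -nouser -o -nogroup \) -print 2>/dev/null | sort
}

# Constructed sample tree: two home directories, one containing a .rhosts file.
sample_home=$(mktemp -d)
mkdir -p "$sample_home/alice" "$sample_home/bob"
: > "$sample_home/bob/.rhosts"

# Cron usage: only emit a report when a file was found. In /etc/cron.daily the
# printf would instead be piped into:
#   /bin/mail -s "Content of .rhosts file audit report" root
if report=$(rhosts_report "$sample_home" deep.openna.com); then
    printf '%s\n' "$report"
fi
```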
System has been compromised
If you believe that your system has been compromised, contact the CERT® Coordination Center or your representative in FIRST (Forum of Incident Response and Security Teams).
Internet Email: cert@cert.org
CERT Hotline: (+1) 412-268-7090
Facsimile: (+1) 412-268-6989
CERT/CC personnel answer 8:00 a.m. - 8:00 p.m. EST (GMT -5)/EDT (GMT -4) on working days; they are on call for emergencies during other hours and on weekends and holidays.