Chapter 4 - Security
This chapter covers 4 basic areas of Linux security :
- Traditional Linux File Permissions
- Access Control Lists
- SELinux
- Basic Firewall Control w/ iptables
Installing the GUI desktop tool for iptables ...
[root@server01 tmp]# yum install system-config-firewall
Linux Basic File Permissions : (reference http://www.zzee.com/solutions/linux-permissions.shtml )
- Symbol in position 0 ("-") is the type of the file: "d" if the item is a directory, "l" if it is a link, or "-" if it is a regular file.
- Symbols in positions 1 to 3 ("rwx") are permissions for the owner of the file.
- Symbols in positions 4 to 6 ("r--") are permissions for the group.
- Symbols in positions 7 to 9 ("r--") are permissions for others.
- Symbol "+" after the permissions denotes that an ACL is set on the file
- Symbol "." after the permissions denotes that the file has an SELinux security context
Symbol | Meaning |
---|---|
r | Read access is allowed |
w | Write access is allowed |
x | Execute access is allowed |
- | Replaces "r", "w" or "x" if the corresponding access type is denied |
------------------------------------------------------------------------------------
This table shows what numeric values mean:
Octal digit | Text equivalent | Binary value | Meaning |
---|---|---|---|
0 | --- | 000 | All types of access are denied |
1 | --x | 001 | Execute access is allowed only |
2 | -w- | 010 | Write access is allowed only |
3 | -wx | 011 | Write and execute access are allowed |
4 | r-- | 100 | Read access is allowed only |
5 | r-x | 101 | Read and execute access are allowed |
6 | rw- | 110 | Read and write access are allowed |
7 | rwx | 111 | Everything is allowed |
SUID Example :
[root@server01 tmp]# ls -lrt *.txt
-rw-r--r--. 1 root root 29 Jun 8 05:04 file1.txt
[root@server01 tmp]# chmod 4644 file1.txt
[root@server01 tmp]# ls -lrt *.txt
-rwSr--r--. 1 root root 29 Jun 8 05:04 file1.txt
Or passwd binary
[root@server01 tmp]# ls -l /usr/bin/passwd
-rwsr-xr-x. 1 root root 32200 Jan 28 2010 /usr/bin/passwd
SUID means that when a user other than the owner executes the file, the process runs with the file owner's user ID (root for passwd above), not the executing user's ID.
SGID Example :
[root@server01 tmp]# chmod 2644 file1.txt
[root@server01 tmp]# ls -lrt file1.txt
-rw-r-Sr--. 1 root root 29 Jun 8 05:04 file1.txt
[root@server01 tmp]#
[root@server01 tmp]# ls -l /usr/bin/ssh-agent
-rwxr-sr-x. 1 root nobody 112704 Apr 4 2011 /usr/bin/ssh-agent
SGID on a directory means that every file created within that directory takes on the group ownership of that directory, not the primary group of the user who created it.
Sticky Bit Example :
[root@server01 tmp]# ls -ld /tmp
drwxrwxrwt. 16 root root 4096 Jun 12 07:15 /tmp
[root@server01 tmp]# chmod 1647 file1.txt
[root@server01 tmp]# ls -lrt file1.txt
-rw-r--rwt. 1 root root 29 Jun 8 05:04 file1.txt
In addition to the basic permissions discussed above, there are also three bits of information defined for files in Linux:
- SUID or setuid: change user ID on execution. If setuid bit is set, when the file will be executed by a user, the process will have the same rights as the owner of the file being executed.
- SGID or setgid: change group ID on execution. Same as above, but inherits rights of the group of the owner of the file on execution. For directories it also may mean that when a new file is created in the directory it will inherit the group of the directory (and not of the user who created the file).
- Sticky bit. It was originally used to make a program "stick" in memory after it finished; that usage is obsolete. Currently its use is system dependent, and it is mostly used on directories to prevent deletion of files that belong to other users in a folder where you have "write" access. It also means that users can copy their files to that directory and retain ownership of them.
Bit | Display |
---|---|
SUID | If set, replaces "x" in the owner permissions with "s" if the owner has execute permission, or with "S" otherwise. Examples: -rws------ (both owner execute and SUID are set), -r-S------ (SUID is set, but owner execute is not set) |
SGID | If set, replaces "x" in the group permissions with "s" if the group has execute permission, or with "S" otherwise. Examples: -rwxrws--- (both group execute and SGID are set), -rwxr-S--- (SGID is set, but group execute is not set) |
Sticky | If set, replaces "x" in the others permissions with "t" if others have execute permission, or with "T" otherwise. Examples: -rwxrwxrwt (both others execute and sticky bit are set), -rwxrwxr-T (sticky bit is set, but others execute is not set) |
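To connect the letters in the table with the octal numbers used by chmod in the examples below, here is an added shell helper (not from the original notes) that turns an `ls -l` mode string into its four-digit octal mode. It accepts the trailing "." or "+" that ls appends for an SELinux context or an ACL.

```bash
# Added example: decode an ls -l mode string (e.g. "-rwsr-xr-x.") into the
# 4-digit octal value you would pass to chmod. A trailing "." (SELinux
# context) or "+" (ACL present) is accepted and ignored.
mode_to_octal() {
    printf '%s\n' "$1" | awk '{
        m = $1
        if (length(m) == 11) m = substr(m, 1, 10)   # drop the "." or "+" marker
        if (length(m) != 10) { print "invalid"; exit 1 }
        special = 0; digits = ""
        # character 1 is the type (d, l, -); then owner, group, others triplets
        for (t = 0; t < 3; t++) {
            r = substr(m, 2 + t * 3, 1)
            w = substr(m, 3 + t * 3, 1)
            x = substr(m, 4 + t * 3, 1)
            v = 0
            if (r == "r") v += 4
            if (w == "w") v += 2
            # lower-case s/t = execute bit AND special bit; upper-case = special bit only
            if (x == "x" || x == "s" || x == "t") v += 1
            if (x == "s" || x == "S") special += ((t == 0) ? 4 : 2)   # SUID (owner) / SGID (group)
            if (x == "t" || x == "T") special += 1                    # sticky (others)
            digits = digits v
        }
        print special digits
    }'
}

# Mode strings taken from the listings in this chapter.
for m in -rwsr-xr-x. -rw-r-Sr--. drwxrwxrwt. -rw-r--rwt. drws--s--t.; do
    printf '%s  ->  %s\n' "$m" "$(mode_to_octal "$m")"
done
```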
More examples of how to set the SUID, SGID, and Sticky bits :
SUID :
[root@server01 tmp]# chmod 4744 script1.sh
[root@server01 tmp]# ls -l script1.sh
-rwsr--r--. 1 root root 29 Jun 8 05:04 script1.sh
SGID :
[root@server01 tmp]# chmod 2755 file2.txt
[root@server01 tmp]# ls -l file2.txt
-rwxr-sr-x. 1 root root 29 Jun 8 05:04 file2.txt
Sticky Bit :
[root@server01 tmp]# chmod 1755 file3.txt
[root@server01 tmp]# ls -l file3.txt
-rwxr-xr-t. 1 root root 29 Jun 8 05:04 file3.txt
Umask Explained
Default umask :
[root@server01 tmp]# umask
0022
For new file creation : 0666 - umask = new file permissions
For new directory creation : 0777 - umask = new directory permissions
Example :
umask 0022
0666 - 0022 = 644
[root@server01 tmp]# touch newfile1.txt
[root@server01 tmp]# ls -l newfile1.txt
-rw-r--r--. 1 root root 0 Jun 12 08:04 newfile1.txt
0777 - 0022 = 755
[root@server01 tmp]# mkdir newdir1
[root@server01 tmp]# ls -ld newdir1
drwxr-xr-x. 2 root root 4096 Jun 12 08:04 newdir1
[root@server01 tmp]# umask 0066
[root@server01 tmp]# mkdir newdir2
[root@server01 tmp]# ls -ld newdir2
drwx--x--x. 2 root root 4096 Jun 12 08:06 newdir2
[root@server01 tmp]# touch newfile2.txt
[root@server01 tmp]# ls -l newfile2.txt
-rw-------. 1 root root 0 Jun 12 08:07 newfile2.txt
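The subtraction works for the umasks shown here, but the kernel actually clears bits (base AND NOT umask) rather than subtracting. This added shell example (not from the original notes) computes the resulting mode both ways, so the difference shows up for a umask such as 0033.

```bash
# Added example: what permissions a new file or directory gets under a umask.
# The kernel computes  base & ~umask  (base 0666 for files, 0777 for
# directories, the modes that touch and mkdir request). Leading zeros make the
# shell treat the constants as octal, as in C.
perms_under_umask() {
    # $1: "file" or "dir"; $2: umask as printed by the umask command, e.g. 0022
    base=0666
    [ "$1" = "dir" ] && base=0777
    printf '%04o\n' $(( base & ~0$2 ))
}

# The "base - umask" shorthand from the notes, for comparison.
perms_by_subtraction() {
    base=0666
    [ "$1" = "dir" ] && base=0777
    printf '%04o\n' $(( base - 0$2 ))
}

# Reproduce the listings above: 0022 -> 0644 / 0755, 0066 -> 0600 / 0711
for u in 0022 0066; do
    printf 'umask %s: file %s  dir %s\n' "$u" \
        "$(perms_under_umask file "$u")" "$(perms_under_umask dir "$u")"
done

# Subtraction only agrees while every umask bit is also set in the base.
# 0033 clears "wx" for group and others; a new file never had x, so the
# kernel gives 0644 while subtraction gives a wrong 0633.
printf 'umask 0033: kernel %s  subtraction %s\n' \
    "$(perms_under_umask file 0033)" "$(perms_by_subtraction file 0033)"
```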
umask is globally set within :
/etc/bashrc
# By default, we want umask to get set. This sets it for non-login shell.
# Current threshold for system reserved uid/gids is 200
# You could check uidgid reservation validity in
# /usr/share/doc/setup-*/uidgid file
if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
umask 002
else
umask 022
fi
Using chmod and chgrp commands :
to set execute permissions for the owner of a file :
[root@server01 tmp]# ls -l shellscript2.sh
-rw-------. 1 root root 0 Jun 12 08:07 shellscript2.sh
[root@server01 tmp]# chmod u+x shellscript2.sh
[root@server01 tmp]# ls -l shellscript2.sh
-rwx------. 1 root root 0 Jun 12 08:07 shellscript2.sh
[root@server01 tmp]#
to remove write perms for group and other :
[root@server01 tmp]# ls -l newfile1.txt
-rw-rw-rw-. 1 root root 0 Jun 12 08:04 newfile1.txt
[root@server01 tmp]# chmod go-w newfile1.txt
[root@server01 tmp]# ls -l newfile1.txt
-rw-r--r--. 1 root root 0 Jun 12 08:04 newfile1.txt
Format for chmod in symbolic mode is :
chmod <ugo><+ or -><rwx> file
Or octal (just use the numbers, e.g. chmod 644 file)
[root@server01 tmp]# chmod u+s newdir2
[root@server01 tmp]# chmod g+s newdir2
[root@server01 tmp]# chmod o+t newdir2
[root@server01 tmp]# ls -ld newdir2/
drws--s--t. 2 root root 4096 Jun 12 08:06 newdir2/
Chown examples :
[root@server01 tmp]# chown rhill newfile2.txt
[root@server01 tmp]# ls -ld newfile2.txt
-rw-------. 1 rhill root 0 Jun 12 08:07 newfile2.txt
Immutable Attribute examples :
[root@server01 tmp]# chattr +i newfile2.txt
[root@server01 tmp]# lsattr newfile2.txt
----i--------e- newfile2.txt
[root@server01 tmp]# rm newfile2.txt
rm: remove regular empty file `newfile2.txt'? y
rm: cannot remove `newfile2.txt': Operation not permitted
[root@server01 tmp]# chattr -i newfile2.txt
[root@server01 tmp]# lsattr newfile2.txt
-------------e- newfile2.txt
[root@server01 tmp]# ls -ld newfile2.txt
-rw-------. 1 rhill root 0 Jun 12 08:07 newfile2.txt
[root@server01 tmp]# rm newfile2.txt
rm: remove regular empty file `newfile2.txt'? y
[root@server01 tmp]#
------------------------------
ACL basics :
[root@server01 tmp]# df -ha | grep -A2 home
/dev/mapper/vg_server01-lv_home
5.5G 140M 5.1G 3% /home
none 0 0 0 - /proc/sys/fs/binfmt_misc
sunrpc 0 0 0 - /var/lib/nfs/rpc_pipefs
[root@server01 tmp]# mount -o remount -o acl /dev/mapper/vg_server01-lv_home /home
[root@server01 tmp]#
[root@server01 tmp]# mount | grep home
/dev/mapper/vg_server01-lv_home on /home type ext4 (rw,acl)
[root@server01 tmp]# ls -l /root/anaconda-ks.cfg
-rw-------. 1 root root 1746 Jun 6 06:59 /root/anaconda-ks.cfg
Show a file ACL :
[root@server01 tmp]# getfacl /root/anaconda-ks.cfg
getfacl: Removing leading '/' from absolute path names
# file: root/anaconda-ks.cfg
# owner: root
# group: root
user::rw-
group::---
other::---
Set an active ACL for user rhill on the anaconda-ks.cfg file :
[root@server01 tmp]# setfacl -m u:rhill:rwx /root/anaconda-ks.cfg
[root@server01 tmp]#
[root@server01 tmp]# getfacl /root/anaconda-ks.cfg
getfacl: Removing leading '/' from absolute path names
# file: root/anaconda-ks.cfg
# owner: root
# group: root
user::rw-
user:rhill:rwx
group::---
mask::rwx
other::---
Remove an active ACL for user rhill on the anaconda-ks.cfg file :
[root@server01 tmp]# setfacl -x u:rhill /root/anaconda-ks.cfg
[root@server01 tmp]# getfacl /root/anaconda-ks.cfg
getfacl: Removing leading '/' from absolute path names
# file: root/anaconda-ks.cfg
# owner: root
# group: root
user::rw-
group::---
mask::---
other::---
Set an active ACL for group rhill on the anaconda-ks.cfg file :
[root@server01 tmp]# setfacl -m g:rhill:r-- /root/anaconda-ks.cfg
[root@server01 tmp]# getfacl /root/anaconda-ks.cfg
getfacl: Removing leading '/' from absolute path names
# file: root/anaconda-ks.cfg
# owner: root
# group: root
user::rw-
group::---
group:rhill:r--
mask::r--
other::---
Remove all ACLs on a file :
[root@server01 tmp]# setfacl -b /root/anaconda-ks.cfg
[root@server01 tmp]# getfacl /root/anaconda-ks.cfg
getfacl: Removing leading '/' from absolute path names
# file: root/anaconda-ks.cfg
# owner: root
# group: root
user::rw-
group::---
other::---
Deny a user file access with ACLs :
[root@server01 tmp]# setfacl -m u:rhill:--- /root/anaconda-ks.cfg
[root@server01 tmp]# getfacl /root/anaconda-ks.cfg
getfacl: Removing leading '/' from absolute path names
# file: root/anaconda-ks.cfg
# owner: root
# group: root
user::rw-
user:rhill:---
group::---
mask::---
other::---
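The mask:: line that appears once a named user or group entry exists caps those entries, which is why getfacl sometimes prints an effective permission that is smaller than the entry. Here is an added shell example (not from the original notes) that reads getfacl output and prints the permission each named entry actually grants; the listing it parses is constructed to combine the rhill user and group entries from above under a mask of r--.

```bash
# Added example: effective ACL permissions. getfacl text constructed to match
# the entries shown above: rhill has rwx as a named user, r-- as a named group,
# and the mask is r--.
SAMPLE_ACL='# file: root/anaconda-ks.cfg
# owner: root
# group: root
user::rw-
user:rhill:rwx
group::---
group:rhill:r--
mask::r--
other::---'

# Print every entry the mask applies to (named users, named groups, and the
# owning group) with its effective permission, i.e. the entry ANDed with the
# mask. The owner (user::) and other:: entries are never masked. setfacl
# recomputes the mask after each change unless run with -n, which is why
# mask:: differs between the listings above.
acl_effective() {
    printf '%s\n' "$1" | awk -F: '
        /^#/ || /^default:/ { next }        # comments and default (inherited) entries
        $1 == "mask" { mask = $3 }
        { line[++n] = $0 }
        END {
            if (mask == "") mask = "rwx"    # no mask line: nothing is capped
            for (i = 1; i <= n; i++) {
                split(line[i], f, ":")
                tag = f[1]; name = f[2]; perm = f[3]
                if ((tag == "user" && name == "") || tag == "other" || tag == "mask") continue
                eff = ""
                for (j = 1; j <= 3; j++) {
                    c = substr(perm, j, 1)
                    if (c != "-" && substr(mask, j, 1) == c) eff = eff c
                    else eff = eff "-"
                }
                printf "%s:%s:%s effective:%s\n", tag, name, perm, eff
            }
        }'
}

acl_effective "$SAMPLE_ACL"
```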
iptables basics :
iptables -t tabletype <action direction> <packet pattern> -j <what to do>
Show what is currently configured with iptables :
[root@server01 tmp]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 state RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
The iptables file :
[root@server01 tmp]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Example to allow for port 22 access from anywhere :
[root@server01 tmp]# iptables -L | grep ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
[root@server01 tmp]# iptables -L | grep ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
And ...
[root@server01 tmp]# cat /etc/sysconfig/iptables|grep 22
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
http://www.cyberciti.biz/faq/linux-open-iptables-firewall-port-22-23/
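Two mistakes produce a doubled dpt:ssh line like the one above: appending the same rule twice, and appending (-A) a rule after the chain's catch-all REJECT, where it can never match. This added shell check over iptables-save text is not part of the original notes; its sample rule file is the /etc/sysconfig/iptables printed above with the port-22 rule appended once more.

```bash
# Added example: lint an iptables-save style rule file. Sample constructed
# from the /etc/sysconfig/iptables shown above, with the port-22 rule
# appended a second time (after the catch-all REJECT, which is where -A puts it).
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Report rules that repeat an earlier rule verbatim, and rules that sit after
# a catch-all REJECT/DROP in the same chain (a rule with no match options,
# i.e. "-j" directly follows the chain name), because those can never match.
iptables_lint() {
    printf '%s\n' "$1" | awk '
        /^-A / {
            chain = $2
            if ($0 in seen) print "duplicate: " $0
            seen[$0] = 1
            if (chain in closed) print "unreachable after catch-all " closed[chain] ": " $0
            if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) closed[chain] = $4
        }'
}

iptables_lint "$SAMPLE_RULES"
```

On a live system a rule that must take effect belongs above the REJECT (iptables -I INPUT <position> ... rather than -A), and `service iptables save` writes the running rules back to /etc/sysconfig/iptables.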
[root@server01 tmp]# system-config-firewall-tui
[root@server01 tmp]# system-config-firewall
SELinux basics :
SELinux has 3 modes : enforcing, permissive, disabled.
[root@server01 tmp]# getenforce
Enforcing
[root@server01 tmp]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
[root@server01 tmp]# cat /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
Check for SELinux policy violations within /var/log/audit/audit.log
[root@server01 tmp]# setenforce 0
[root@server01 tmp]# getenforce
Permissive
[root@server01 tmp]# setenforce -1
usage: setenforce [ Enforcing | Permissive | 1 | 0 ]
[root@server01 tmp]# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[rhill@server01 ~]$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@server01 tmp]# yum search semanage
Loaded plugins: product-id, refresh-packagekit, subscription-manager
Updating Red Hat repositories.
=================================================================== N/S Matched: semanage ====================================================================
libsemanage-python.x86_64 : semanage python bindings for libsemanage
libsemanage.i686 : SELinux binary policy manipulation library
libsemanage.x86_64 : SELinux binary policy manipulation library
Name and summary matches only, use "search all" for everything.
[root@server01 tmp]#
[root@server01 tmp]# yum install libsemanage -y
[root@server01 tmp]# semanage
-bash: semanage: command not found
Aha !! : http://www.cyberciti.biz/faq/redhat-install-semanage-selinux-command-rpm/
# yum -y install policycoreutils-python
[root@server01 tmp]# semanage login -a -s user_u rhill
[root@server01 tmp]# getsebool -a
abrt_anon_write --> off
allow_console_login --> on
allow_cvs_read_shadow --> off
allow_daemons_dump_core --> on
allow_daemons_use_tcp_wrapper --> off
allow_daemons_use_tty --> on
allow_domain_fd_use --> on
allow_execheap --> off
allow_execmem --> on
allow_execmod --> on
allow_execstack --> on
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
allow_gssd_read_tmp --> on
allow_guest_exec_content --> off
allow_httpd_anon_write --> off
<...>
[root@server01 tmp]# getsebool -a | grep allow_user_exec_content
allow_user_exec_content --> on
[root@server01 tmp]# setsebool allow_user_exec_content off
[root@server01 tmp]# getsebool -a | grep allow_user_exec_content
allow_user_exec_content --> off
[root@server01 tmp]# ls -Z /var/ftp/
drwxr-xr-x. root root system_u:object_r:public_content_t:s0 pub
[root@server01 tmp]# mkdir /root/ftp
[root@server01 tmp]# ls -Z /root/ftp/
[root@server01 tmp]#
[root@server01 tmp]# ls -Zd /root/ftp
drwx--x--x. root root unconfined_u:object_r:admin_home_t:s0 /root/ftp
[root@server01 tmp]# chcon -R -u system_u -t public_content_t /root/ftp
[root@server01 tmp]# ls -Zd /root/ftp
drwx--x--x. root root system_u:object_r:public_content_t:s0 /root/ftp
Restore original context of a file :
[root@server01 tmp]# restorecon -F /root/ftp
[root@server01 tmp]# ls -Zd /root/ftp
drwx--x--x. root root system_u:object_r:admin_home_t:s0 /root/ftp
[root@server01 tmp]# ps -eZ | head
LABEL PID TTY TIME CMD
system_u:system_r:init_t:s0 1 ? 00:00:01 init
system_u:system_r:kernel_t:s0 2 ? 00:00:00 kthreadd
system_u:system_r:kernel_t:s0 3 ? 00:00:00 migration/0
system_u:system_r:kernel_t:s0 4 ? 00:00:00 ksoftirqd/0
system_u:system_r:kernel_t:s0 5 ? 00:00:00 migration/0
system_u:system_r:kernel_t:s0 6 ? 00:00:00 watchdog/0
system_u:system_r:kernel_t:s0 7 ? 00:00:00 events/0
system_u:system_r:kernel_t:s0 8 ? 00:00:00 cpuset
system_u:system_r:kernel_t:s0 9 ? 00:00:00 khelper
[root@server01 tmp]#
Troubleshooting SELinux :
[root@server01 tmp]# ausearch -m avc -c sudo
<no matches>
[root@server01 tmp]# sealeart -a /var/log/audit/audit.log
-bash: sealeart: command not found
IDK what package this tool is supposed to be in, could not find it ... the book says the SELinux GUI is supposed to be much more 'user friendly'
[root@server01 tmp]# yum install policycoreutils-gui -y
# system-config-selinux
Note to self : Need more SELinux examples, and ACL advanced examples (mask, etc.)
when using command sealeart -a /var/log/audit/audit.log
you need package:
yum install setroubleshoot
I am also using the Jang book, that is how I came across your site, when trying to do an example that would not work!
Dave
when using command sealeart -a /var/log/audit/audit.log you need setroubleshoot package but also you need to have rsyslogd and auditd daemons on
~]# chkconfig --levels 2345 auditd on
~]# chkconfig --levels 2345 rsyslog on
The correct filename is "sealert" not "sealeart". However, as stated the required dependency is setroubleshoot-server.