A Linux User Reference

SECURITY

Hardening tools

  • Execute a command as another user
    /usr/bin/sudo

    Command usage

    sudo [options] cmd
    
    Some options:
     -b                Background: run the command in the background; shell job control
                       cannot be used to manipulate the process.
     -E                Preserve environment; overrides the env_reset option in sudoers. Only
                       available when either the matching command has the SETENV tag or the
                       setenv option is set in sudoers.
     -e                Edit: the user wishes to edit one or more files. In lieu of a command,
                       the string "sudoedit" is used when consulting the sudoers file.
     -H                Set the HOME environment variable to the home directory of the target
                       user (root by default).
     -i                Simulate an initial login (run the target user's login shell).
     -l                List the allowed (and forbidden) commands for the invoking user.
     -u user           Run the command as the specified user instead of root.
    

    What commands can user mark run under sudo

    $ sudo -l
    [sudo] password for mark:
    User mark may run the following commands on this host:
        (ALL) ALL
    
  • Sudo configuration file editor
    /usr/sbin/visudo
    • locks the sudoers file against multiple simultaneous edits - displays a message to try again later
    • provides basic sanity checks
    • checks for parse errors
    visudo [options]
    
    Some options:
     -c                Enable check-only mode.
     -f                Specify an alternate sudoers file location.
     -q                Enable quiet mode.  Syntax errors are not printed.
     -s                Enable strict checking of the sudoers file.
     -V                Version
    

    Check for syntax/parse errors

    # visudo -c
    /etc/sudoers file parsed OK
    
  • Sudo configuration file
    /etc/sudoers

    Contains a list of which users may execute what.

    # This file MUST be edited with the 'visudo' command as root.
    Defaults    env_reset
    
    # Host alias specification
    
    # User alias specification
    
    # Cmd alias specification
    
    # User privilege specification. This allows root to become any user on the system
    root    ALL=(ALL) ALL
    
    # Group sudo members do not need to enter a passwd
    # %sudo ALL=NOPASSWD: ALL
    
    # Members of the admin group may gain root privileges
    %admin ALL=(ALL) ALL
    
    #-------------------------------------------------------------------------------
    # usr|%grp|+netgroup                        Who the rule applies to
    # host[, host, ...] = usr[, user, ...]      The host(s) and user(s) to run under
    # cmd[, cmd, ...]                           List of commands user can run
    #-------------------------------------------------------------------------------
    

    Allow user mark to run 'find' and 'rm' as root, on any host - /etc/sudoers

    mark ALL=(root) /usr/bin/find, /bin/rm
    

    Allow user fred to run 'kill' and 'killall' as root, on any host, without having to supply a password - /etc/sudoers

    fred ALL=(root) NOPASSWD: /bin/kill, /usr/bin/killall
    
  • Sudoers examples
    /etc/sudoers
    # User alias specification
    User_Alias     FULLTIMERS=millert, mikef, dowdy
    
    # Runas alias specification
    Runas_Alias    OP=root, operator
    Runas_Alias    DB=oracle, sybase
    
    # Host alias specification
    Host_Alias     SPARC=bigtime, eclipse, moet, anchor : HPPA = boa, nag, python
    Host_Alias     CUNETS=128.138.0.0/255.255.0.0
    
    # Cmnd alias specification
    Cmnd_Alias     DUMPS=/usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/rrestore
    Cmnd_Alias     KILL=/usr/bin/kill
    Cmnd_Alias     SHUTDOWN=/usr/sbin/shutdown
    Cmnd_Alias     PRINTING=/usr/sbin/lpc, /usr/bin/lprm, /usr/sbin/restore, /usr/sbin/rrestore
    
    # Override built-in defaults
    Defaults               syslog=auth
    Defaults:FULLTIMERS    !lecture
    
    # User specification - who can run what
    root           ALL=(ALL) ALL
    
    # Members of wheel can run all cmds, as any user on any system
    %wheel         ALL=(ALL) ALL
    
    # Members of User_Alias FULLTIMERS do not need to supply a password
    FULLTIMERS     ALL=NOPASSWD: ALL
    
    # lisa can run any command on any host in the CUNETS subnet
    lisa           CUNETS=ALL
    
    # operator user may run the aliased commands on any system
    operator       ALL=DUMPS, KILL, SHUTDOWN, sudoedit /etc/printcap
    
    # joe can only su to operator
    joe            ALL=/usr/bin/su operator
    
    # pete can change users' passwords on HPPA Host_Alias machines, except root's
    pete           HPPA=/usr/bin/passwd [A-z]*, !/usr/bin/passwd root
    
    # bob can run commands(su) as root or operator on SPARC and HPPA machines
    bob            SPARC=(OP) ALL : HPPA = (OP) ALL
    
    # jim can run any cmd in the biglab netgroup
    jim            +biglab=ALL
    
    # fred can run any cmd as either user in the DB Runas_Alias w/o a password
    fred           ALL=(DB) NOPASSWD: ALL
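    The rule format above (who, host=(runas), tag: commands) lends itself to a quick audit. The shell script below is an added example, not the page's or sudo's own code: it reads a sudoers file and reports the two broadest grants, NOPASSWD: ALL and ALL=(ALL) ALL, for any principal other than root. The sample rules are constructed from entries shown on this page; the function names, and the assumption that the file contains no '#include' lines or '#uid' principals (comment stripping would remove them), are mine.

```shell
#!/bin/sh
# Added example: flag the broadest grants in a sudoers file.
# Not the page's or sudo's own code; function names are assumptions.
LC_ALL=C; export LC_ALL

# Constructed sample combining rules from this page (not a real /etc/sudoers).
sample_sudoers() {
cat <<'EOF'
Defaults    env_reset
User_Alias     FULLTIMERS=millert, mikef, dowdy
Cmnd_Alias     KILL=/usr/bin/kill
root    ALL=(ALL) ALL
%admin ALL=(ALL) ALL
FULLTIMERS     ALL=NOPASSWD: ALL
mark ALL=(root) /usr/bin/find, /bin/rm
fred ALL=(root) NOPASSWD: /bin/kill, /usr/bin/killall   # trailing comment
%sudo ALL=NOPASSWD: ALL
EOF
}

# user_specs: sudoers on stdin -> only the user specifications.
# Drops comments, blank lines, Defaults lines and *_Alias definitions.
# Assumption: no '#include'/'#includedir' lines or '#uid' principals,
# which the comment stripping would also remove.
user_specs() {
    sed -e 's/#.*$//' | awk 'NF && $1 !~ /^Defaults/ && $1 !~ /_Alias$/'
}

# passwordless_all: principals other than root that may run ALL commands
# with the NOPASSWD tag (the password prompt is disabled for everything).
passwordless_all() {
    user_specs | awk '$1 != "root" && /NOPASSWD:[ \t]*ALL[ \t]*(,|$)/ { print $1 }'
}

# full_root: principals other than root that may run any command as any
# user on any host, i.e. rules of the form "... ALL=(ALL) ALL".
full_root() {
    user_specs | awk '$1 != "root" && /=[ \t]*\(ALL(:ALL)?\)[ \t]*(NOPASSWD:[ \t]*)?ALL[ \t]*$/ { print $1 }'
}

# audit FILE: print both lists for one sudoers file.
audit() {
    printf 'NOPASSWD: ALL granted to : %s\n' "$(passwordless_all < "$1" | tr '\n' ' ')"
    printf 'ALL=(ALL) ALL granted to : %s\n' "$(full_root < "$1" | tr '\n' ' ')"
}

# Stand-alone use: sh audit_sudoers.sh /etc/sudoers (as root)
if [ $# -gt 0 ]; then audit "$1"; fi
```

    On the constructed sample the script lists FULLTIMERS and %sudo under NOPASSWD: ALL and %admin under ALL=(ALL) ALL. Hits for an admin or wheel group are usually intentional, but each one should be deliberate; verify any fragment you edit with 'visudo -c -f fragment' before installing it, and confirm the effective result for a given account with 'sudo -l -U user'.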
    
  • Bastille
    • Bastille is a program that does the hardening for you.
    • It's installed as a separate package.
    • When run it prompts for the answers to several questions relating to hardening then goes off and makes the changes.

    Some hardening options/actions:

    • Disables SUID root for many admin utilities.
    • Disables all 'r' protocols (rsh, rlogin, ...).
    • Implements password ageing.
    • Disables ctrl-alt-delete keys reboot.
    • Optimises TCP wrappers.
    • Adds Authorised Use banners - indemnification.
    • Limits system resources - core file size, max user file size, max processes per user, ...
    • Restricts console access. If using sudo no need for root console access.
    • Deactivates NFS, Samba, RPC portmapper, ...
    • Implements process accounting
    • Hardens Apache Web Server

    Once the changes have been made removing/uninstalling Bastille will not set them back to what they were.

    Undoing Bastille changes

    One of three ways is sufficient:

    1. Run bastille again, answering the questions differently so that the previous settings are restored. Not quite so straightforward because, unless you made a note of the changes you originally made, it's easy to forget (a) what you changed and (b) what its original value(s) was.
    2. Run 'Undo.pl', a perl script written to 'undo' bastille changes.
    3. Replace each changed file (changed by bastille on its first run) with the original. Bastille backs these up in /root/bastille/undo/backup. No doubt this is what the 'Undo.pl' script does.
  • Tiger
    • A package consisting of Bourne Shell scripts, C code and data files which is used for checking for security problems on a UNIX system.
    • It scans system configuration files, file systems, and user configuration files for possible security problems and reports them.
    • It can be used to set up a host-based intrusion detection system (see its documentation).
    • The command 'tigexp' can be used to obtain explanations of the problems reported by 'tiger'.
    • Documentation (debian) in /usr/share/doc/tiger/
    • Main configuration file is /etc/tiger/tigerrc. Can only contain variable assignments and comments, where a variable represents a check and an assignment value is either 'Y' to run the check or 'N' not to.
    • /etc/tiger/tiger.ignore file contains a list of messages that, even if raised by any check, should not be included in the final report.
    • /etc/tiger/cronrc checks to run periodically.

    Tiger produces five (six) different message levels. The last letter of a message id reflects the message level.

    Level   Description
    ALERT   Tiger has detected a possible intrusion attempt or a troublesome misconfiguration which can expose the whole system to attacks.
    FAIL    Indicates a violation of a generic security policy or a possible intrusion. Appropriate action should be taken to fix the security issue.
    WARN    Indicates a security issue which should be checked further and might indicate a probable vulnerability or exposure. Most Tiger messages appear in this category.
    INFO    Not necessarily a security violation but might be useful for the administrator. Can be switched on or off via the Tiger_Show_INFO_Msgs option in the tigerrc file; the default is 'off'.
    ERROR   Errors in the execution of Tiger (or any of its scripts); this is probably due to a misconfiguration. The script which outputs the error should be investigated.
    CONFIG  Not errors but notices for the user running the program explaining, for example, which configuration might be used.
  • Install and run tiger

    Install (debian) package

    $ sudo apt-get install tiger
    

    Configuration directory

    /etc/tiger
    ├── cronrc
    ├── templates/
    ├── tiger.ignore
    └── tigerrc
    

    Command usage

    # tiger -h
    .....
    Tiger, version 
    Usage: ./tiger [-vthqGSH]  [-B dir] [-l dir|@host] [-w dir] [-b dir] [-e|-E] [-c config] [-A arch] [-O os] [-R release]
    
     -v            Show the Tiger version.
     -t            Run in test mode.
     -h            Show usage.
     -q            Suppress messages; only security messages will be shown.
     -B dir        Directory where tiger is installed.  Default is '/usr/lib/tiger'.
     -l dir        Directory to write Security report to. Default is '/var/log/tiger'. 
                   Report filename of the form 'security.report.host-name.date.time.'    
                   @dir will be interpreted as a tiger logging server.
     -w dir        Working directory. Defaults to '/var/lib/tiger/work'.
     -b dir        Directory for the binaries generated from the C modules.
     -c name       Alternate name for control file. Default is '/etc/tiger/tigerrc'.
     -e            Insert explanations into report.  Does so after each message. Report
                   can get very large, explanations repeated.
     -E            Create a separate explanation report. Explanations for each type
                   of message only appear once. Report filename will be of the form
                   'explain.report.hostname.date.time.'
     -G            Generate the signatures (MD5 hashes and file permissions) for 
                   system binary files.
     -H            Format the report into HTML with local links to problem descriptions.
     -S            Run a surface level check of diskless client configuration files.
    
    Overrides for values detected by the configuration system:
     -A arch       Specify an alternate architecture
     -O os         Specify an alternate operating system
     -R release    Specify an alternate operating system release  
    

    Output of this command has been modified, i.e. shortened.

    Run checks

    $ sudo tiger
    
    $ sudo ls /var/log/tiger
    security.report.mark-Lenovo-G585.131211-01:14
    

    Ran all checks that were enabled by default - took about 30 mins (fairly slow, single user laptop with pretty much a default Mint 16 install).

  • Explain tiger messages
    /usr/sbin/tigexp

    Command usage

    tigexp msgid [msgid[msgid...]]
    tigexp [-f|-F] [security_report]
    
    OPTIONS
     -f            Scan the report and generate explanations. One per unique 
                   message id. If no report given read from stdin.
     -F            Output report with explanations inserted after each entry 
                   in the report.  If no report given read from stdin.
    

    List the unique message ids for FAIL messages

    # grep 'FAIL' /var/log/tiger/security.report.mark-Lenovo-G585.131211-01:14 | cut -d' ' -f2 | uniq
    [lin016f]
    [lin019f]
    [lin005f]
    [dev002f]
    [logf007f]
    [ssh005w]
    [netw020f]
    

    Need root privileges.

    Get explanations for a couple of msgids

    # tigexp logf007f dev002f
    [logf007f]
    
    The log file "messages" should exist to show a trace of the system
    logs (including reboots and kernel messages), it is also often used by
    .....
    the messages file might contain bad login attempts from local users and
    remote hosts.
    
    [dev002f]
    
    Devices that have improper (world) permissions might be accessed by any
    system user. This might open security holes if these are shared devices
    .....
    device to multiple users, for example).
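
    The grep | cut | uniq pipeline shown above for listing FAIL ids only collapses adjacent repeats, so an id that recurs later in a report is listed twice. The shell functions below are an added example, not the page's or the Tiger project's code: they read a security report from stdin, list the distinct ids per level with sort -u, and count messages per level, which is a quick way to see whether a re-run after fixes actually reduced the FAIL count. The report lines are constructed in Tiger's '--LEVEL-- [msgid] text' layout; the ids are those shown on this page and the message texts are placeholders.

```shell
#!/bin/sh
# Added example: summarise a Tiger security report read from stdin.
# Not the page's or Tiger's own code; function names are assumptions.
LC_ALL=C; export LC_ALL

# Constructed report in Tiger's "--LEVEL-- [msgid] text" layout; the ids
# come from this page, the message texts are placeholders.
sample_report() {
cat <<'EOF'
# Performing check of system file permissions...
--FAIL-- [lin016f] placeholder text for lin016f
--WARN-- [ssh005w] placeholder text for ssh005w
--FAIL-- [dev002f] placeholder text for dev002f
# Performing check of network services...
--FAIL-- [netw020f] placeholder text for netw020f
--FAIL-- [lin016f] placeholder text for lin016f (same id again, not adjacent)
--FAIL-- [lin019f] placeholder text for lin019f
EOF
}

# report_ids LEVEL: distinct message ids at LEVEL (FAIL, WARN, ...), sorted.
# sort -u removes every repeat, whereas uniq alone only removes adjacent ones.
report_ids() {
    awk -v lvl="--$1--" '$1 == lvl { print $2 }' | tr -d '[]' | sort -u
}

# level_counts: number of messages per level, one "LEVEL count" per line.
# Comment lines ("# Performing check ...") do not match the level pattern.
level_counts() {
    awk '$1 ~ /^--[A-Z]+--$/ { n[substr($1, 3, length($1) - 4)]++ }
         END { for (l in n) print l, n[l] }' | sort
}

# summary FILE: counts per level, then the distinct FAIL ids.
summary() {
    level_counts < "$1"
    printf 'distinct FAIL ids: %s\n' "$(report_ids FAIL < "$1" | tr '\n' ' ')"
}

# Stand-alone use: sh tiger_summary.sh /var/log/tiger/security.report.<host>.<date>
if [ $# -gt 0 ]; then summary "$1"; fi
```

    On the constructed report this gives FAIL 5 and WARN 1, with four distinct FAIL ids (lin016f appears twice but is listed once). The distinct ids can be handed straight to tigexp, which takes message ids as arguments, to get one explanation per id.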