Execute a command as another user
sudo [options] cmd
-b Run the command in the background; shell job control cannot be used to manipulate the process.
-E Preserve the environment, overriding the env_reset option in sudoers. Only
available when the matching command has the SETENV tag or the
setenv option is set in sudoers.
-e Edit: the user wishes to edit one or more files. In lieu of a command,
the string "sudoedit" is used when consulting the sudoers file.
-H Set the HOME environment variable to the home directory of the target user
(root by default).
-i Simulate an initial login.
-l List the allowed (and forbidden) commands for the invoking user.
-u user Run the specified command as the given user instead of root.
What commands can user mark run under sudo
$ sudo -l
[sudo] password for mark:
User mark may run the following commands on this host:
Sudo configuration file editor (visudo)
- locks the sudoers file against multiple simultaneous edits, displaying a message to try again later
- provides basic sanity checks
- checks for parse errors
-c Enable check-only mode.
-f Specify an alternate sudoers file location.
-q Enable quiet mode. Syntax errors are not printed.
-s Enable strict checking of the sudoers file.
Check for syntax/parse errors
# visudo -c
/etc/sudoers file parsed OK
Sudo configuration file
Contains a list of which users may execute what.
# This file MUST be edited with the 'visudo' command as root.
# Host alias specification
# User alias specification
# Cmd alias specification
# User privilege specification. This allows root to become any user on the system
root ALL=(ALL) ALL
# Group sudo members do not need to enter a passwd
# %sudo ALL=NOPASSWD: ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# usr|%grp|+netgroup Who the rule applies to (a user, a group or a netgroup)
# host[, host, ...]=(usr[, usr, ...]) The host(s) the rule applies on and the user(s) the commands may be run as
# cmd[, cmd, ...] List of commands the user can run
Allow user mark to run 'find' and 'rm' as root, on any host - /etc/sudoers
mark ALL=(root) /usr/bin/find, /bin/rm
Allow user fred to run 'kill' and 'killall' as root, on any host, without having to supply a password - /etc/sudoers
fred ALL=(root) NOPASSWD: /bin/kill, /usr/bin/killall
# User alias specification
User_Alias FULLTIMERS=millert, mikef, dowdy
# Runas alias specification
Runas_Alias OP=root, operator
Runas_Alias DB=oracle, sybase
# Host alias specification
Host_Alias SPARC=bigtime, eclipse, moet, anchor : HPPA = boa, nag, python
# Cmnd alias specification
Cmnd_Alias DUMPS=/usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/rrestore
Cmnd_Alias PRINTING=/usr/sbin/lpc, /usr/bin/lprm , /usr/sbin/restore, /usr/sbin/rrestore
# Override built-in defaults
# User specification - who can run what
root ALL=(ALL) ALL
# Members of wheel can run all cmds, as any user on any system
%wheel ALL=(ALL) ALL
# Members of User_Alias FULLTIMERS do not need to supply a password
FULLTIMERS ALL=NOPASSWD: ALL
# lisa can run any command on any host in the CUNETS subnet
# operator user may run the aliased commands on any system
operator ALL=DUMPS, KILL, SHUTDOWN, sudoedit /etc/printcap
# jo can only su to operator
joe ALL=/usr/bin/su operator
# pete can change users' passwords on HPPA Host_Alias machines except root's
pete HPPA=/usr/bin/passwd [A-z]*, !/usr/bin/passwd root
# bob can run commands (su) as root or operator on SPARC and HPPA machines
bob SPARC=(OP) ALL : HPPA = (OP) ALL
# jim can run any cmd in the biglab netgroup
# fred can run any cmd as the DB Runas_Alias users w/o a password
fred ALL=(DB) NOPASSWD: ALL
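As an added example (not from these notes or from the sudo project), a small Python audit that parses the user specification and alias forms shown above and reports rules granting ALL commands as root or without a password. SAMPLE is a constructed sudoers fragment modelled on the examples above, and the walrus operator needs Python 3.8 or later.

```python
"""Flag sudoers rules that grant every command, following aliases (added example).
Handles 'who host=(runas) [NOPASSWD:] cmds' clauses and *_Alias lines as shown above."""
import re
ALIAS_RE = re.compile(r"^(?:User|Runas|Host|Cmnd)_Alias\s+(.+)$")
CLAUSE_RE = re.compile(r"^(\S+?)\s*=\s*(?:\(([^)]*)\)\s*)?(NOPASSWD:\s*)?(.+)$")
# Constructed sample modelled on the rules above; not a real /etc/sudoers
SAMPLE = """\
User_Alias FULLTIMERS = millert, mikef, dowdy
Runas_Alias OP = root, operator
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
FULLTIMERS ALL = NOPASSWD: ALL
operator ALL = DUMPS, sudoedit /etc/printcap
bob SPARC=(OP) ALL : HPPA = (OP) ALL
fred ALL=(root) NOPASSWD: /bin/kill, /usr/bin/killall
"""

def parse_sudoers(text):
    """Return (aliases, rules); each rule is (who, host, runas, nopasswd, [cmds])."""
    aliases, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blank lines
        if not line or line.startswith("Defaults"):
            continue
        if m := ALIAS_RE.match(line):                  # one line may hold several aliases, ' : ' separated
            for name, members in (p.split("=", 1) for p in re.split(r"\s+:\s+", m.group(1))):
                aliases[name.strip()] = [x.strip() for x in members.split(",")]
            continue
        who, _, rest = line.partition(" ")
        for clause in re.split(r"\s+:\s+", rest):      # 'SPARC=(OP) ALL : HPPA = (OP) ALL'
            if c := CLAUSE_RE.match(clause):
                cmds = [x.strip() for x in c.group(4).split(",")]
                rules.append((who, c.group(1), c.group(2) or "root", bool(c.group(3)), cmds))
    return aliases, rules

def expand(items, aliases):
    """Replace alias names with their members, recursively (one shared namespace here)."""
    return [x for it in items for x in (expand(aliases[it], aliases) if it in aliases else [it])]

def audit(text):
    """Return (who, host, problem) for rules granting ALL commands as root or without a password."""
    aliases, rules = parse_sudoers(text)
    findings = []
    for who, host, runas, nopasswd, cmds in rules:
        targets = expand([runas], aliases)
        if "ALL" in expand(cmds, aliases) and (nopasswd or "ALL" in targets or "root" in targets):
            findings.append((who, host, "ALL commands as " + ",".join(targets) + (", no password" if nopasswd else "")))
    return findings
```

Running audit(SAMPLE) reports root, %wheel, FULLTIMERS (passwordless) and both of bob's clauses, while operator and fred, whose command lists never expand to ALL, are not reported.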
- Bastille is a program that does the hardening for you.
- It's installed as a separate package.
- When run it prompts for answers to several questions relating to hardening, then goes off and makes the changes.
Some hardening options/actions:
- Disables SUID root for many admin utilities.
- Disables all 'r' protocols (rsh, rlogin, ...).
- Implements password ageing.
- Disables ctrl-alt-delete keys reboot.
- Optimises TCP wrappers.
- Adds Authorised Use banners - indemnification.
- Limits system resources - core file size, max user file size, max processes per user, ...
- Restricts console access. If using sudo no need for root console access.
- Deactivates NFS, Samba, RPC portmapper, ...
- Implements process accounting
- Hardens Apache Web Server
Once the changes have been made, removing/uninstalling Bastille will not set them back to what they were.
Undoing Bastille changes
One of three ways is sufficient:
- Run Bastille again, answering the questions differently so that the previous settings are reinstated. Not quite so straightforward: unless you made a note of the changes you originally made, it's easy to forget (a) what you changed and (b) what its original value(s) were.
- Run 'Undo.pl', a Perl script written to 'undo' Bastille changes.
- Replace each file changed by Bastille on its first run with the original. Bastille backs these up in /root/bastille/undo/backup. No doubt this is what the 'Undo.pl' script does.
- Tiger is a package consisting of Bourne shell scripts, C code and data files which is used to check for security problems on a UNIX system.
- It scans system configuration files, file systems, and user configuration files for possible security problems and reports them.
- It can be used to set up a host-based intrusion detection system (see its documentation).
- The command 'tigexp' can be used to obtain explanations of the problems reported by 'tiger'.
- Documentation (debian) in /usr/share/doc/tiger/
- Main configuration file is /etc/tiger/tigerrc. It can only contain variable assignments and comments, where a variable represents a check and its value is either 'Y' to run the check or 'N' not to.
- /etc/tiger/tiger.ignore contains a list of messages that, even if raised by a check, should not be included in the final report.
- /etc/tiger/cronrc lists the checks to run periodically.
Tiger produces five (six) different message levels. The last letter of a message id reflects the message level.
- ALERT: Tiger has detected a possible intrusion attempt or troublesome misconfiguration which can expose the whole system to attacks.
- FAIL: Indicates a violation of a generic security policy or a possible intrusion. Appropriate action should be taken to fix this security issue.
- WARN: Indicates a security issue which should be checked further and might indicate a probable vulnerability or exposure. Most Tiger messages appear in this category.
- INFO: Not necessarily a security violation but might be useful for the administrator. Can be 'switched off' via the Tiger_Show_INFO_Msgs option in the tigerrc file. Default is 'off'.
- ERROR: Errors in the execution of Tiger (or any of its scripts), probably due to a misconfiguration. The script which outputs this error should be investigated.
- CONFIG: Not errors but notices for the user running the program explaining, for example, which configuration might be used.
Install and run tiger
Install (debian) package
$ sudo apt-get install tiger
# tiger -h
Usage: ./tiger [-vthqGSH] [-B dir] [-l dir|@host] [-w dir] [-b dir] [-e|-E] [-c config] [-A arch] [-O os] [-R release]
-v Show the Tiger version.
-t Run in test mode.
-h Show usage.
-q Supress messages only security messages will be shown.
-B dir Directory where tiger is installed. Default is '/usr/lib/tiger'.
-l dir Directory to write Security report to. Default is '/var/log/tiger'.
Report filename of the form 'security.report.host-name.date.time.'
@dir will be interpreted as a tiger logging server.
-w dir Working directory. Defaults to '/var/lib/tiger/work'.
-b dir Directory for the binaries generated from the C modules.
-c name Alternate name for control file. Default is '/etc/tiger/tigerrc'.
-e Insert explanations into report. Does so after each message. Report
can get very large, explanations repeated.
-E Create a separate explanation report. Explanations for each type
of message only appear once. Report filename will be of the form
-G Generate the signatures (MD5 hashes and file permissions) for
system binary files.
-H Format the report into HTML with local links to problem descriptions.
-S Run a surface level check of diskless client configuration files.
Overrides for values detected by the configuration system:
-A arch Specify an alternate architecture
-O os Specify an alternate operating system
-R release Specify an alternate operating system release
Output of this command has been modified, i.e. shortened.
$ sudo tiger
$ sudo ls /var/log/tiger
Ran all checks that were enabled by default; took about 30 minutes (fairly slow: a single-user laptop with pretty much a default Mint 16 install).
Explain tiger messages
tigexp msgid [msgid[msgid...]]
tigexp [-f|-F] [security_report]
-f Scan the report and generate explanations. One per unique
message id. If no report given read from stdin.
-F Output report with explanations inserted after each entry
in the report. If no report given read from stdin.
List the unique message ids for FAIL messages (needs root privileges)
# grep 'FAIL' /var/log/tiger/security.report.mark-Lenovo-G585.131211-01:14 | cut -d' ' -f2 | sort -u
('sort -u' rather than plain 'uniq', which only drops adjacent duplicates.)
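As an added example (not part of Tiger or of these notes), a Python parser for the '--LEVEL-- [msgid] text' report lines that produces the unique FAIL ids the grep pipeline above gives, counts messages per level, and checks each id's suffix letter against its level marker. REPORT is constructed in Tiger's report format, and the suffix letters for levels other than FAIL are assumed from the level names.

```python
"""Summarise a Tiger security report: '--LEVEL-- [msgid] text' lines, where the
msgid's last letter encodes the level (added example, not part of Tiger)."""
import re
from collections import Counter

LINE_RE = re.compile(r"^--(ALERT|FAIL|WARN|INFO|ERROR|CONFIG)-- \[(\w+)\] (.*)$")
# Suffix letter per level: 'f' for FAIL matches the ids in the notes; the rest are assumed
SUFFIX = {"ALERT": "a", "FAIL": "f", "WARN": "w", "INFO": "i", "ERROR": "e", "CONFIG": "c"}

# Constructed lines in Tiger's report format; not the output of a real run
REPORT = """\
# Checking for existence of log files...
--FAIL-- [logf007f] The log file /var/log/messages does not exist.
--FAIL-- [logf007f] The log file /var/log/syslog does not exist.
# Checking device permissions...
--FAIL-- [dev002f] /dev/sda1 has world permissions.
--WARN-- [perm001w] The owner of /bin/su should be root (owned by bin).
--INFO-- [init005i] Running on a Linux 3.11 kernel.
"""

def parse_report(text):
    """Yield (level, msgid, message) for each message line, skipping section headers."""
    for line in text.splitlines():
        if m := LINE_RE.match(line):
            yield m.groups()

def unique_ids(text, level):
    """Unique msgids at one level, in first-seen order (what the grep|cut|sort -u pipeline lists)."""
    seen = []
    for lvl, msgid, _ in parse_report(text):
        if lvl == level and msgid not in seen:
            seen.append(msgid)
    return seen

def level_counts(text):
    """Number of messages per level; any ALERT or FAIL count above zero deserves a look."""
    return Counter(lvl for lvl, _, _ in parse_report(text))

def mismatched_ids(text):
    """Msgids whose suffix letter disagrees with the level marker (a malformed or edited report)."""
    return [msgid for lvl, msgid, _ in parse_report(text) if msgid[-1] != SUFFIX[lvl]]
```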
Get explanations for a couple of msgids
# tigexp logf007f dev002f
The log file "messages" should exist to show a trace of the system
logs (including reboots and kernel messages), it is also often used by
the messages file might contain bad login attempts from local users and
Devices that have improper (world) permissions might be accessed by any
system user. This might open security holes if these are shared devices
device to multiple users, for example).