Gentoo Forums
hardened filesystem permissions
lutel
n00b

Joined: 19 Oct 2003
Posts: 63
Location: Pomroczna

Posted: Sun Feb 22, 2004 7:29 pm    Post subject: hardened filesystem permissions

Hi,
I would like to share this little script which hardens permissions on all of my servers (no problems so far)

Code:
#!/bin/bash
# Boot files, root's home and user homes are closed to group/other; /home itself
# stays traversable so users can still reach their own directories.
chmod -R go-rwx /boot /root /home
chmod a+x /home

# Close /etc, then reopen only what unprivileged programs have to read.
chmod -R go-rwx /etc
chmod a+x /etc /etc/wget /etc/security
chmod a+r /etc/passwd /etc/group /etc/DIR_COLORS /etc/profile.env /etc/inputrc /etc/resolv.conf /etc/security/limits.conf /etc/services /etc/wget/wgetrc /etc/screenrc /etc/hosts /etc/hostname 2>/dev/null
chmod a+rx /etc/profile 2>/dev/null
chmod g+r /etc/sudoers
chown named:named /etc/bind
chown squid:squid /etc/squid
chown snort:snort /etc/snort

# Logs are root-only except where a service group must write.
chmod -R go-rwx /var/log
chmod g+rw /var/log/wtmp
chmod g+rwxs /var/log/portage

# Ask before stripping the setuid/setgid bit from each root-owned binary.
# -perm -u+s tests for the bit (the old "+u+s" spelling is deprecated);
# -print0 / read -d '' keep paths with spaces intact, and the answer is read
# from the terminal because stdin is the find pipe.
find / \( -perm -u+s -uid 0 -o -perm -g+s -gid 0 \) -type f -print0 |
while IFS= read -r -d '' f; do
  echo "Remove SUID from $(ls -al "$f") (y/n)?"
  read -n 1 -s keypress < /dev/tty
  if [ "$keypress" = "y" ]; then
    echo "remove SUID from: $(ls -al "$f")" | logger
    chmod a-s "$f"
  fi
done


best regards
Tomek
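Before running an interactive loop like the one in the post above, it helps to have a repeatable, read-only listing of setuid/setgid files and a way to spot ones that appeared since the last run. The following POSIX shell script is an added example for this thread, not lutel's code; the function names (audit_suid, new_suid), the -xdev choice and the sample tree are its own assumptions:

```shell
#!/bin/sh
# Added example (not from the thread): a read-only audit of setuid/setgid files,
# plus a check for ones that appeared since a saved baseline, to run before an
# interactive chmod a-s pass like the one in the script above.

# audit_suid DIR
# Lists regular files under DIR with the setuid (-perm -4000) or setgid (-perm -2000)
# bit set, sorted so two runs can be compared. The parentheses make -type f apply
# to both alternatives; -xdev keeps find on DIR's filesystem so /proc, /sys and
# network mounts are not walked.
audit_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | LC_ALL=C sort
}

# new_suid BASELINE DIR
# Prints the setuid/setgid files under DIR that are not listed in BASELINE, a
# sorted list saved from an earlier audit_suid run. A new entry here is either a
# freshly installed package or something that deserves a closer look.
new_suid() {
    audit_suid "$2" | LC_ALL=C comm -13 "$1" -
}

# Constructed sample tree (not a real system) so the audit can be tried offline:
# one setuid file, one setgid file and one plain file.
sample_tree() {
    d=$(mktemp -d)
    mkdir "$d/bin"
    : > "$d/bin/su";   chmod 4755 "$d/bin/su"
    : > "$d/bin/wall"; chmod 2755 "$d/bin/wall"
    : > "$d/bin/ls";   chmod 0755 "$d/bin/ls"
    printf '%s\n' "$d"
}

tree=$(sample_tree)
trap 'rm -rf "$tree"' EXIT
echo "== setuid/setgid files under $tree =="
audit_suid "$tree"
# Pretend su was already known and see what is new.
printf '%s\n' "$tree/bin/su" > "$tree/baseline.txt"
echo "== new since baseline =="
new_suid "$tree/baseline.txt" "$tree"
```

On a real host you would run `audit_suid / > suid.baseline` once after hardening and `new_suid suid.baseline /` from cron; anything it prints is a candidate for the interactive chmod a-s loop, or for a package-integrity check if it is unexpected.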
spudicus
Apprentice

Joined: 05 Dec 2002
Posts: 177
Location: Geraldton, Australia

Posted: Mon Feb 23, 2004 2:05 am

I've got a similar one (which is a bit chaotically laid out) that may also be of use;
however, it assumes/requires the / partition to be ext2/3 when using the chattr command.
If certain permissions cause problems, figure out what does work and add/alter the permissions script, revert to the original permissions, then try running the permissions script again. This script is only a starting point and will more than likely need slight alterations to suit individual needs.

Code:
#!/bin/bash
r_only="/boot /sbin /usr/sbin/* /usr/local/sbin" #Accessible only by root
w_ex="/* /bin /usr/* /usr/local/* /home"          #Traversable by everyone, writable by root

#Mount /boot read-write for the run if it is not already mounted, and remember
#whether we did so it is only unmounted again if this script mounted it.
mounted_boot=0
if [ "$(mount | grep /boot)" = "" ]; then
    mount /boot -o rw && mounted_boot=1
fi

#The list must not be quoted: quoted it is a single loop item, and the string
#comparison below has to be != (-ne is for integers).
for i in /bin /root $r_only; do
  chattr -VR -i $i          #clear immutable so the changes below can be applied
  if [ "$i" != "/bin" ]; then
    chown -cR root:root $i
    chmod -cR 0700 $i
  fi
done


#Change top level, usr and local directories to only be world executable
for i in $w_ex; do
    chown -c root:root $i
    chmod -c 711 $i
done
chmod -cR 755 /bin
chmod -c 755 /usr/sbin
chmod -c 755 /usr/bin

chown -cR :proc /proc
chmod -cR g+r /proc
chown -cR portage:portage /usr/portage
chown -cR portage:portage /var/tmp/portage

#Add sticky to /tmp (1717 denies group read/write; the usual shared-tmp mode is 1777)
chmod -c 1717 /tmp
chmod -c 1717 /var/tmp
chmod -c 0644 /var/run/utmp
chown root:utmp /var/run/screen
chmod -Rc 0700 /var/run/screen
chmod -c 0777 /var/run/screen
chown -Rc log /var/log/
chmod -Rc 0755 /var/log/
chown -Rc log:portage /var/log/portage
chmod -Rc 0755 /var/log/portage
chmod -c 0644 /var/log/wtmp


chown -c root:wheel /sbin
chown -c root:wheel /sbin/ifconfig
chmod -c 0710 /sbin
chmod -c 2710 /sbin/ifconfig

#Host keys: root only and immutable (the recursive chmods on /etc further down
#report "Operation not permitted" for these files, which is expected)
for i in ssh_host_dsa_key ssh_host_key ssh_host_rsa_key; do
    chown -c root:root /etc/ssh/$i
    chmod -c 700 /etc/ssh/$i
    chattr -V +i /etc/ssh/$i
done

#Ensure /etc/ is writeable only by root and some subdirectories only readable by
# owning group.
chown -cR root:root /etc
chmod -cR 755 /etc/*
chown -cR root:sshd /etc/ssh
chown -cR root:snort /etc/snort
if [ ! -d "/var/log/snort" ]; then
    mkdir /var/log/snort
fi
chown -cR log:snort /var/log/snort
chmod -cR 660 /var/log/snort
#Allow squid to access its config directories
chown -cR root:squid /etc/squid
chown -cR root:squid /usr/lib/squid
chmod -cR 770 /usr/lib/squid

#Root only access (brace expansion happens before globbing, so the patterns
#are expanded under /etc rather than in the current directory)
for i in /etc/{cron*,secur*,shadow*,init.d,runlevels,modules*,firewall*,fstab,ssh,snort,squid}; do
    chmod -cR 700 "$i"
done
chmod -c 0440 /etc/sudoers

#Strip every setuid/setgid bit, then grant only the ones listed below
chmod -Rc ug-s /*
chmod -c 6755 /bin/su

for i in gpg procmail xtrlock xscreensaver sudo; do
    chmod -c 4111 /usr/bin/$i
done

for i in bin/vmware bin/vmware-ping lib/bin/vmware-vmx; do
  chmod -c 4115 /opt/vmware/$i
done

chmod -c 4111 /usr/X11R6/bin/Xwrapper
chown -cR root:audio /usr/local/mp3
chmod -Rc 771 /usr/local/mp3

#Lock the root-only trees again (unquoted for the same reason as above)
for i in /bin $r_only; do
        chattr -VR +i $i
done

if [ "$mounted_boot" = 1 ]; then
    umount /boot
fi


To unlock the lsattr settings I use:

Code:
#!/bin/bash
r_only="/boot /sbin /usr/sbin /usr/local/sbin" #Accessible only by root
#
mounted_boot=0
if [ "$(mount | grep /boot)" = "" ]; then
    mount /boot -o rw && mounted_boot=1
fi
#
#Unquoted so each path is a separate loop item
for i in /bin $r_only; do
  chattr -VR -i $i
done
if [ "$mounted_boot" = 1 ]; then
    umount /boot
fi


Mine is definitely a work in progress... So please refrain from too much flaming :)

I've also got a script (another work in progress) that records the permissions for all files
which can be used prior to major hardening as reference for backing out:

Code:
#!/bin/bash
file="./perm.orig"

##
#Determine which file to write to.
#If first run use perm.orig, otherwise use perm.$DATE
##

if [ -e "$file" ]; then
    file="perm.$(date +"%H-%M_%d-%m-%y")"
fi

##
#Determine which filesystems aren't mounted and add to $fstab then mount.
#This could be done a lot simpler by force mounting everything (mount -a) then mounting
#any filesystem with the noauto switch, however, this remembers which device was mounted
#so it can be unmounted later, returning the system to its previous condition
##

#Mount points are the /path fields of each fstab line that is neither a comment
#nor a "none" pseudo device; the patterns are quoted so the shell leaves them alone.
fstab=""
for i in $(egrep -v '(^none|^#)' /etc/fstab | egrep -o '[[:space:]](/\w*)+'); do
    if [[ "$i" != "/" && -z $(egrep -o "[[:space:]]$i[[:space:]]" /etc/mtab) ]]; then
        fstab="$fstab $i"
        mount "$i"
    fi
done

##
#Record numeric owner, numeric group, octal mode and path of every file, one
#uid:gid:mode:path line each, skipping the proc and sysfs pseudo filesystems.
##

find / ! \( -fstype proc -prune \) -a ! \( -fstype sysfs -prune \) -a -printf "%U:%G:%m:/%P\n" > "$file"

##
#Unmount devices mounted for check
##

for i in $fstab; do
    umount "$i"
done


And to restore permissions I use the following C program:

Code:
#define _XOPEN_SOURCE 500 /* declares lstat()/lchown() even under -ansi */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Reads uid:gid:octal-mode:path records (as written by the find -printf
   above) and restores owner, group and mode of each path. */
int main(int argc, char **argv){
  char in [1600];
  char filename [sizeof in];
  int  owner, group;
  unsigned int mode;
  struct stat st;
  FILE *f;

  if (argc != 2) { fprintf(stderr, "usage: %s perm-file\n", argv[0]); return 1; }
  f = fopen(argv[1],"r");
  if (!f) { perror(argv[1]); return 1; }

  while(fgets(in,sizeof in,f)){
    /* %[^\n] (instead of %s) keeps paths that contain spaces; malformed lines are skipped */
    if (sscanf(in, "%d:%d:%o:%1599[^\n]", &owner, &group, &mode, filename) != 4) continue;
    /* find records a symlink's own mode (0777); chmod() would apply that to the
       target, so symlinks only get their ownership restored, with lchown() */
    if (lstat(filename, &st) == 0 && S_ISLNK(st.st_mode)) {
      if (lchown(filename,owner,group)) perror(filename);
      continue;
    }
    if (chown(filename,owner,group)) perror(filename);
    if (chmod(filename,mode)) perror(filename);
  }
  fclose(f);
  return 0;
}


Compiled with:
Code:
gcc -O3 -Wall -ansi -o fix fix.c

and run using a permissions file created with the above script
Code:
./fix perm.orig
or
./fix perm_DATE


Obviously all the above need to be run as root (su/sudo).

[disclaimer] I'm a BASH/hardening noob. There are definitely better ways of doing these.[/disclaimer].
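The perm.orig records above (uid:gid:mode:path, one per line) also make a good baseline for reviewing what a hardening run changed, or for catching permission drift later. The following script is an added example for this thread, not part of spudicus's post; it assumes only that record format, and the function names, the tab-separated report layout and the sample records are its own:

```shell
#!/bin/sh
# Added example (not from the thread): compare two permission records in the
# uid:gid:mode:path format written by the recording script above and report
# what changed, then filter that report down to the changes that weaken security.

# diff_perms BASELINE CURRENT
# Prints one tab-separated line per difference, sorted:
#   changed <tab> PATH <tab> OLD <tab> NEW   (owner, group or mode differs)
#   added   <tab> PATH <tab> NEW             (present now, absent from the baseline)
#   removed <tab> PATH <tab> OLD             (in the baseline, gone now)
# The path is everything after the third colon, so paths containing ':' survive.
diff_perms() {
    awk -F: '
        NF < 4 { next }                       # skip blank or malformed lines
        {
            attrs = $1 ":" $2 ":" $3
            path = $0
            sub(/^[^:]*:[^:]*:[^:]*:/, "", path)
        }
        FILENAME == ARGV[1] { base[path] = attrs; next }
        !(path in base)     { print "added\t" path "\t" attrs; next }
        base[path] != attrs { print "changed\t" path "\t" base[path] "\t" attrs }
        { delete base[path] }
        END { for (p in base) print "removed\t" p "\t" base[p] }
    ' "$1" "$2" | LC_ALL=C sort
}

# risky_changes BASELINE CURRENT
# Keeps only the "added" and "changed" lines where the new mode gained a bit an
# attacker can use: group write (020), other write (002), setgid (2000) or setuid (4000).
# awk has no octal parser, so the mode string is converted digit by digit.
risky_changes() {
    diff_perms "$1" "$2" | awk -F'\t' '
        function oct(s,   i, n) { n = 0; for (i = 1; i <= length(s); i++) n = n * 8 + substr(s, i, 1); return n }
        function has(n, bit)    { return int(n / bit) % 2 }
        function mode_of(attrs,   a) { split(attrs, a, ":"); return oct(a[3]) }
        function gained(o, n, bit) { return has(n, bit) && !has(o, bit) }
        $1 == "removed" { next }
        $1 == "changed" { o = mode_of($3); n = mode_of($4) }
        $1 == "added"   { o = 0;           n = mode_of($3) }
        gained(o, n, 2) || gained(o, n, 16) || gained(o, n, 1024) || gained(o, n, 2048) { print }
    '
}

# Constructed sample records (not taken from any real system) so the functions
# can be exercised offline; prints the directory that holds them.
sample_records() {
    d=$(mktemp -d)
    cat > "$d/perm.orig" <<'EOF'
0:0:644:/etc/passwd
0:0:600:/etc/shadow
0:0:4755:/bin/su
0:0:755:/usr/bin/old
EOF
    cat > "$d/perm.now" <<'EOF'
0:0:644:/etc/passwd
0:0:660:/etc/shadow
0:0:755:/bin/su
0:0:4755:/usr/bin/new
0:0:777:/var/tmp/x
EOF
    printf '%s\n' "$d"
}

dir=$(sample_records)
trap 'rm -rf "$dir"' EXIT
echo "== all differences =="
diff_perms "$dir/perm.orig" "$dir/perm.now"
echo "== risky ones =="
risky_changes "$dir/perm.orig" "$dir/perm.now"
```

With the sample records, diff_perms reports five lines (two added, two changed, one removed) and risky_changes keeps three of them: the new setuid binary, the world-writable file and /etc/shadow gaining group write; /bin/su losing its setuid bit is a change but not a risky one. On a real host the two inputs are the perm.orig written before hardening and a fresh record taken afterwards (or weeks later, from cron).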
louman
n00b

Joined: 02 Jan 2005
Posts: 31

Posted: Thu Nov 17, 2005 12:56 am

I was just thinking of doing something similar myself, but I feel that I'm a n00b as well. I have moderate experience with bash scripting but hardly any with real system administration. I just wanted to start securing my services a bit since I'm starting to use them and let others use them. I'll read through these scripts and maybe I'll learn something. Thanks for posting your work guys :)