lutel (Tux's lil' helper)
Joined: 19 Oct 2003, Posts: 110, Location: Pomroczna
Posted: Sun Feb 22, 2004 7:29 pm
Post subject: hardened filesystem permissions
Hi,
I would like to share this little script which hardens permissions on all of my servers (no problems so far).
Code:
```bash
#!/bin/bash
# Strip group/other access from sensitive trees, then re-open only what must stay readable
chmod -R go-rwx /boot /root /home
chmod a+x /home
chmod -R go-rwx /etc
chmod a+x /etc /etc/wget /etc/security
chmod a+r /etc/passwd /etc/group /etc/DIR_COLORS /etc/profile.env /etc/inputrc \
    /etc/resolv.conf /etc/security/limits.conf /etc/services /etc/wget/wgetrc \
    /etc/screenrc /etc/hosts /etc/hostname 2>/dev/null
chmod a+rx /etc/profile 2>/dev/null
chmod g+r /etc/sudoers
# Service configuration directories belong to their service accounts
chown named:named /etc/bind
chown squid:squid /etc/squid
chown snort:snort /etc/snort
chmod -R go-rwx /var/log
chmod g+rw /var/log/wtmp
chmod g+rwxs /var/log/portage
# Interactively review every setuid-root / setgid-root binary.
# Numeric -perm tests replace the deprecated '-perm +u+s' form; paths are read
# line by line and quoted so names containing spaces are not split apart.
find / -type f \( -perm -4000 -uid 0 -o -perm -2000 -gid 0 \) -print |
while IFS= read -r f; do
    echo "Remove SUID from: $(ls -al "$f") (y/n)?"
    read -n 1 -s keypress < /dev/tty
    if [ "$keypress" = "y" ]; then
        echo "remove SUID from: $(ls -al "$f")" | logger
        chmod a-s "$f"
    fi
done
```
best regards
Tomek
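The removal loop above asks about each setuid/setgid-root file as it is found. Before touching anything, a report-only pass that compares the inventory against a list of binaries that are expected to carry the bit is a safer first step, and it can run unattended from cron. The following is an added example, not code from the thread; the function names, the allowlist format (one absolute path per line) and the /etc/setid.allow location are this example's own choices, and it assumes GNU find.

```sh
#!/bin/sh
# Added example (not from the thread): report-only inventory of setuid/setgid files
# with an allowlist comparison, to run before any interactive removal loop.

# list_setid ROOT UID GID
#   Prints "octal-mode path" for each regular file under ROOT that is setuid and owned
#   by UID, or setgid and group-owned by GID. -xdev keeps it on one filesystem, so
#   /proc, /sys and network mounts are not walked; numeric -perm tests are portable.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -uid "$2" -o -perm -2000 -gid "$3" \) \
        -printf '%m %p\n' 2>/dev/null | sort -k2
}

# unexpected_setid ROOT UID GID ALLOWFILE
#   Filters list_setid down to paths that are not listed, one per line, in ALLOWFILE.
#   The path is everything after the first space, so names containing spaces survive
#   (a backtick for-loop would split them into several words).
unexpected_setid() {
    list_setid "$1" "$2" "$3" | while IFS= read -r line; do
        grep -qxF -- "${line#* }" "$4" || printf '%s\n' "$line"
    done
}

# check_setid ROOT UID GID ALLOWFILE
#   Prints unexpected entries and returns 1 if there are any, 0 if the inventory
#   matches the allowlist; suitable for a cron job that mails or logs the output.
check_setid() {
    out=$(unexpected_setid "$@")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Stand-alone usage: report setuid/setgid-root files not listed in /etc/setid.allow
# (hypothetical allowlist path; build it from a known-good system with list_setid).
if [ "${1:-}" = "--report" ]; then
    check_setid / 0 0 /etc/setid.allow
fi
```

Run `list_setid / 0 0` once on a freshly installed system to seed the allowlist; afterwards any line printed by `check_setid` is a binary that gained a setuid or setgid bit since the baseline, which is worth investigating before it is removed.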
spudicus (Apprentice)
Joined: 05 Dec 2002, Posts: 177, Location: Geraldton, Australia
Posted: Mon Feb 23, 2004 2:05 am
I've got a similar one (which is a bit chaotically laid out) that may also be of use; however, it assumes/requires the / partition to be ext2/3 when using the chattr command.
If certain permissions cause problems, figure out what does work and add/alter the permissions script, revert to the original permissions, then try running the permissions script again. This script is only a starting point, and will more than likely need slight alterations to suit individual needs.
Code:
```bash
#!/bin/bash
r_only="/boot /sbin /usr/sbin/* /usr/local/sbin" # Accessible only by root
w_ex="/* /bin /usr/* /usr/local/* /home"
if [ "$(mount | grep /boot)" = "" ]; then
    mount /boot -o rw
fi
# Drop the immutable flag so the directories can be changed, then lock them down.
# The list is left unquoted so each directory is handled on its own iteration,
# and != is the string comparison (-ne is for integers).
for i in /bin /root $r_only; do
    chattr -VR -i "$i"
    if [ "$i" != "/bin" ]; then
        chown -cR root:root "$i"
        chmod -cR 0700 "$i"
    fi
done
# Change top level, usr and local directories to only be world executable
for i in $w_ex; do
    chown -c root:root "$i"
    chmod -c 711 "$i"
done
chmod -cR 755 /bin
chmod -c 755 /usr/sbin
chmod -c 755 /usr/bin
chown -cR :proc /proc
chmod -cR g+r /proc
chown -cR portage:portage /usr/portage
chown -cR portage:portage /var/tmp/portage
# Add sticky to /tmp
chmod -c 1717 /tmp
chmod -c 1717 /var/tmp
chmod -c 0644 /var/run/utmp
chown root:utmp /var/run/screen
chmod -Rc 0700 /var/run/screen
chmod -c 0777 /var/run/screen
chown -Rc log /var/log/
chmod -Rc 0755 /var/log/
chown -Rc log:portage /var/log/portage
chmod -Rc 0755 /var/log/portage
chmod -c 0644 /var/log/wtmp
chown -c root:wheel /sbin
chown -c root:wheel /sbin/ifconfig
chmod -c 0710 /sbin
chmod -c 2710 /sbin/ifconfig
# SSH host keys: root only, then immutable
for i in ssh_host_dsa_key ssh_host_key ssh_host_rsa_key; do
    chown -c root:root /etc/ssh/$i
    chmod -c 700 /etc/ssh/$i
    chattr -V +i /etc/ssh/$i
done
# Ensure /etc/ is writeable only by root and some subdirectories only readable by
# owning group.
chown -cR root:root /etc
chmod -cR 755 /etc/*
chown -cR root:sshd /etc/ssh
chown -cR root:snort /etc/snort
if [ ! -d "/var/log/snort" ]; then
    mkdir /var/log/snort
fi
chown -cR log:snort /var/log/snort
chmod -cR 660 /var/log/snort
# Allow squid to access its config directories
chown -cR root:squid /etc/squid
chown -cR root:squid /usr/lib/squid
chmod -cR 770 /usr/lib/squid
# Root only access (globs are written with the /etc/ prefix so they expand
# against /etc rather than against the current directory)
for i in /etc/cron* /etc/secur* /etc/shadow* /etc/init.d /etc/runlevels \
         /etc/modules* /etc/firewall* /etc/fstab /etc/ssh /etc/snort /etc/squid; do
    chmod -cR 700 "$i"
done
chmod -c 0440 /etc/sudoers
# Strip every setuid/setgid bit, then put back only the wanted ones
chmod -Rc ug-s /*
chmod -c 6755 /bin/su
for i in gpg procmail xtrlock xscreensaver sudo; do
    chmod -c 4111 /usr/bin/$i
done
for i in bin/vmware bin/vmware-ping lib/bin/vmware-vmx; do
    chmod -c 4115 /opt/vmware/$i
done
chmod -c 4111 /usr/X11R6/bin/Xwrapper
chown -cR root:audio /usr/local/mp3
chmod -Rc 771 /usr/local/mp3
# Re-apply the immutable flag
for i in /bin $r_only; do
    chattr -VR +i "$i"
done
if [ "$(mount | grep /boot)" != "" ]; then
    umount /boot
fi
```
To unlock the lsattr settings I use:
Code:
```bash
#!/bin/bash
r_only="/boot /sbin /usr/sbin /usr/local/sbin" # Accessible only by root
#
if [ "$(mount | grep /boot)" = "" ]; then
    mount /boot -o rw
fi
#
# Unquoted so each directory gets its own iteration
for i in /bin $r_only; do
    chattr -VR -i "$i"
done
if [ "$(mount | grep /boot)" != "" ]; then
    umount /boot
fi
```
Mine is definitely a work in progress... So please refrain from too much flaming.
I've also got a script (another work in progress) that records the permissions for all files,
which can be used prior to major hardening as a reference for backing out:
Code:
```bash
#!/bin/bash
file="./perm.orig"
##
# Determine which file to write to.
# If first run use perm.orig, otherwise use perm.$DATE
##
if [ -e "$file" ]; then
    file="perm.$(date +"%H-%M_%d-%m-%y")"
fi
##
# Determine which filesystems aren't mounted, remember them in $fstab, then mount.
# This could be done a lot simpler by force mounting everything (mount -a) then mounting
# any filesystem with the noauto switch; however, this remembers which mount points were
# mounted here so they can be unmounted later, returning the system to its previous condition.
# (The regexes are quoted so the shell does not have to be escaped around them.)
##
fstab=""
for i in $(grep -Ev '(^none|^#)' /etc/fstab | grep -Eo '[[:space:]](/\w*)+'); do
    if [[ "$i" != "/" && -z "$(grep -Eo "[[:space:]]$i[[:space:]]" /etc/mtab)" ]]; then
        fstab="$fstab $i"
        mount "$i"
    fi
done
##
# Record numeric uid, gid and octal mode of every file, skipping proc and sysfs
##
find / ! \( -fstype proc -prune \) -a ! \( -fstype sysfs -prune \) -a -printf "%U:%G:%m:/%P\n" > "$file"
##
# Unmount devices mounted for check
##
for i in $fstab; do
    umount "$i"
done
```
And to restore permissions I use the following C program:
Code:
```c
#define _XOPEN_SOURCE 700 /* lstat/lchown declarations under -ansi */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
/* Restore "uid:gid:octalmode:path" records written by the find script above */
int main(int argc, char **argv){
    char in[1600];
    char filename[sizeof in];
    int owner, group, mode;
    struct stat st;
    FILE *f;
    if (argc != 2) { fprintf(stderr, "usage: %s permfile\n", argv[0]); return 1; }
    if (!(f = fopen(argv[1], "r"))) { perror(argv[1]); return 1; }
    while (fgets(in, sizeof in, f)) {
        /* %s stops at whitespace, so paths containing spaces are not restored */
        if (sscanf(in, "%d:%d:%o:%1599s", &owner, &group, &mode, filename) != 4)
            continue;
        /* find prints mode 777 for a symlink and chmod() follows the link,
           so only the ownership of links is restored, never their mode */
        if (lstat(filename, &st) == 0 && S_ISLNK(st.st_mode)) {
            if (lchown(filename, owner, group) != 0) perror(filename);
            continue;
        }
        if (chown(filename, owner, group) != 0) perror(filename);
        if (chmod(filename, mode) != 0) perror(filename);
    }
    fclose(f);
    return 0;
}
```
Compiled with:
```sh
gcc -O3 -Wall -ansi -o fix fix.c
```
and run using a permissions file created with the above script:
```sh
./fix perm.orig
# or
./fix perm_DATE
```
Obviously all the above need to be run as root (su/sudo).
[disclaimer] I'm a BASH/hardening noob. There are definitely better ways of doing these. [/disclaimer]
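The recorder script and fix.c above form a snapshot/restore pair, and two details decide whether such a pair can be trusted for backing out a hardening run: paths containing spaces must survive the round trip, and symbolic links must never be chmod'ed, because find reports 777 for a link and chmod() follows the link, so replaying that record would open up the link's target. The following is an added example, not the poster's code: the same idea written in shell so that both cases are handled, with a diff helper to show what a hardening run changed. Function names are this example's own choices, and it assumes GNU find and GNU stat.

```sh
#!/bin/sh
# Added example (not from the thread): permission snapshot, diff and restore that
# keep paths with spaces or colons intact and never chmod a symbolic link.

# snapshot_perms ROOT OUTFILE
#   Writes "uid:gid:octal-mode:path" for everything under ROOT on the same filesystem,
#   sorted by path so two snapshots can be diffed line by line.
snapshot_perms() {
    find "$1" -xdev -printf '%U:%G:%m:%p\n' 2>/dev/null | sort -t: -k4 > "$2"
}

# diff_perms OLDSNAP NEWSNAP
#   Prints records that changed: "<" lines are the old state, ">" lines the new one.
diff_perms() {
    diff "$1" "$2" | grep '^[<>]' || true
}

# restore_perms SNAPFILE
#   Reapplies owner, group and mode from a snapshot. read puts the whole remainder of
#   the line into the last field, so the path may contain spaces and colons. Only what
#   differs is changed, so a second run is a no-op; returns 1 if any entry failed.
restore_perms() {
    fails=0
    while IFS=: read -r uid gid mode path; do
        [ -n "$path" ] || continue
        # current state via lstat (GNU stat does not follow links unless given -L)
        if ! cur=$(stat -c '%u:%g:%a' "$path" 2>/dev/null); then
            echo "missing: $path" >&2; fails=$((fails + 1)); continue
        fi
        if [ "${cur%:*}" != "$uid:$gid" ]; then
            chown -h "$uid:$gid" "$path" || fails=$((fails + 1))
        fi
        # a symlink's own mode is meaningless and chmod would hit the target instead
        if [ -L "$path" ]; then
            continue
        fi
        if [ "${cur##*:}" != "$mode" ]; then
            chmod "$mode" "$path" || fails=$((fails + 1))
        fi
    done < "$1"
    [ "$fails" -eq 0 ]
}

# Typical use (as root): snapshot_perms / /root/perm.orig before hardening,
# snapshot_perms / /root/perm.after afterwards, diff_perms to review the changes,
# restore_perms /root/perm.orig to back out.
```

Because the restore compares against the live state first, it also doubles as a cheap integrity check: run it with a snapshot of a known-good system and anything it reports as changed or missing is a deviation worth looking at.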
louman (n00b)
Joined: 02 Jan 2005, Posts: 31
Posted: Thu Nov 17, 2005 12:56 am
I was just thinking of doing something similar myself, but I feel that I'm a n00b as well. I have moderate experience with bash scripting but hardly any with real system administration. I just wanted to start securing up my services a bit since I'm starting to use them and let others use them. I'll read through these scripts and maybe I'll learn something. Thanks for posting your work, guys.