<HTML
><HEAD
><TITLE
>Unusual or hidden files</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.60"><LINK
REL="HOME"
TITLE="Securing and Optimizing Linux"
HREF="index.html"><LINK
REL="UP"
TITLE="General System Security"
HREF="gen-syssecured.html"><LINK
REL="PREVIOUS"
TITLE="Log Spoofed, Source Routed and Redirect Packets"
HREF="chap5sec61.html"><LINK
REL="NEXT"
TITLE="System is compromised !"
HREF="chap5sec63.html"></HEAD
><BODY
CLASS="section"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>Securing and Optimizing Linux: RedHat Edition -A Hands on Guide</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="chap5sec61.html"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
>Chapter 5. General System Security</TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="chap5sec63.html"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="section"
><H1
CLASS="section"
><A
NAME="AEN4243"
>5.33. Unusual or hidden files</A
></H1
><P
>&#13; It is important not to forget to look everywhere on the system for unusual or hidden files. Files whose names start with a period are not shown by
the <B
CLASS="command"
>ls</B
> command by default, so they are a convenient place to hide tools and information (password cracking programs, password files copied from other systems, etc.).
A common technique on UNIX systems is to put a hidden directory or file in a user's account under a name that is hard to notice or to type, such as '...' (three dots),
'.. ' (dot dot space) or <B
CLASS="keycap"
>..</B
><B
CLASS="keycap"
>^G</B
> (dot dot ctrl-G).
The find program can be used to look for such files; piping its output through cat -v makes non-printing characters in names visible. Note that -xdev keeps find on the filesystem where it started, so repeat the search for each separately mounted partition (for example /home or /var).
</P
><DIV
CLASS="example"
><A
NAME="AEN4250"
></A
><P
><B
>Example 5-5. Use find to find</B
></P
><P
>&#13; <TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="screen"
>&#13; [root@deep] /# <B
CLASS="command"
>find</B
> / -xdev -name ".. " -print
[root@deep] /# <B
CLASS="command"
>find</B
> / -xdev -name ".*" -print | cat -v
</PRE
></TD
></TR
></TABLE
>
</P
></DIV
><DIV
CLASS="note"
><BLOCKQUOTE
CLASS="note"
><P
><B
><SPAN
CLASS="inlinemediaobject"
><IMG
SRC="./images/Note.gif"
ALT="Note"
></IMG
></SPAN
>: </B
>
Files with names such as <TT
CLASS="literal"
>.xx</TT
> and <TT
CLASS="literal"
>.mail</TT
> have also been used; that is, names chosen to look like ordinary configuration files.
</P
></BLOCKQUOTE
></DIV
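><P>
The following script is an added example and is not part of the original book. It builds a small constructed directory tree containing the unusual hidden names described above (three dots, dot dot space, dot dot ctrl-G) next to ordinary dotfiles, then uses <B CLASS="command">find</B> to list only the suspicious ones: hidden names made of nothing but dots, or containing whitespace or a control character. The user name alice, the file john.pot and the directory layout are invented for the demonstration; the <B CLASS="command">find</B> and <B CLASS="command">cat -v</B> technique is the one from this section, using the POSIX character classes that fnmatch(3) accepts in <TT CLASS="literal">-name</TT> patterns.
</P><PRE CLASS="programlisting">
```shell
#!/bin/sh
# Added example (not from the book): hidden names that are designed to be
# overlooked, and a find expression that singles them out.
set -eu

# make_sample_tree DIR: constructed sample data standing in for a home
# directory; nothing here is taken from a real system.
make_sample_tree() {
    dir=$1
    mkdir -p "$dir/home/alice/.mozilla"            # ordinary hidden directory
    : > "$dir/home/alice/.bashrc"                  # ordinary dotfile
    mkdir -p "$dir/home/alice/..."                 # dot dot dot
    mkdir -p "$dir/home/alice/.. "                 # dot dot space
    mkdir -p "$dir/home/alice/..$(printf '\007')"  # dot dot ctrl-G (BEL)
    : > "$dir/home/alice/.../john.pot"             # stash inside the hidden dir
}

# suspicious_hidden DIR: list hidden entries whose name is nothing but dots
# (beyond "." and ".."), or contains whitespace or a control character.
# cat -v turns the control character into a visible ^G; the trailing space
# in ".. " is only visible as such, so check it against the line end.
suspicious_hidden() {
    find "$1" -xdev -name '.*' \
        \( -name '...*' -o -name '*[[:space:][:cntrl:]]*' \) \
        -print | cat -v
}

# count_suspicious DIR: number of suspicious hidden names under DIR.
count_suspicious() {
    suspicious_hidden "$1" | wc -l | tr -d ' '
}

# Stand-alone run: build the tree in a scratch directory, report, clean up.
if [ "${1:-}" = "--demo" ]; then
    scratch=$(mktemp -d)
    make_sample_tree "$scratch"
    suspicious_hidden "$scratch"
    rm -rf "$scratch"
fi
```
</PRE><P>
Run it as <TT CLASS="userinput"><B>sh hidden-names.sh --demo</B></TT> (the file name is arbitrary): the three planted entries are printed with the BEL character rendered as ^G, while <TT CLASS="filename">.mozilla</TT>, <TT CLASS="filename">.bashrc</TT> and <TT CLASS="filename">john.pot</TT> are not. Pointing <TT CLASS="literal">suspicious_hidden</TT> at / or at /home gives the same kind of report for a real system.
</P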
><P
>&#13; All <SPAN
CLASS="acronym"
>SUID</SPAN
> and <SPAN
CLASS="acronym"
>SGID</SPAN
> files that still exist on your system after we have removed the ones that do not absolutely require such privilege
are a potential security risk and should be monitored closely. Because these programs run with the privileges of their owner or group rather than those of the user executing them, it is necessary to
ensure that no insecure program is installed with these bits set.
</P
><P
>&#13; A favorite trick of crackers is to exploit <SPAN
CLASS="acronym"
>SUID</SPAN
> root programs, and leave a <SPAN
CLASS="acronym"
>SUID</SPAN
> program as a backdoor to get in the next time. Find all <SPAN
CLASS="acronym"
>SUID</SPAN
>
and <SPAN
CLASS="acronym"
>SGID</SPAN
> programs on your system, and keep track of what they are so that you are aware of any changes, which could indicate a potential intruder.
Use the following command to find all <SPAN
CLASS="acronym"
>SUID/SGID</SPAN
> programs on your system:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="screen"
>&#13; [root@deep] /# <B
CLASS="command"
>find</B
> / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -l {} \;
</PRE
></TD
></TR
></TABLE
>
</P
><DIV
CLASS="tip"
><BLOCKQUOTE
CLASS="tip"
><P
><B
><SPAN
CLASS="inlinemediaobject"
><IMG
SRC="./images/Tip.gif"
ALT="Tip"
></IMG
></SPAN
>: </B
>
See in this book under <A
HREF="soft-secmonitor.html"
>Securities Software/Monitoring Tools</A
> for more information about <A
HREF="chap14sec112.html"
>sXid</A
>, a program that will do this job for you automatically each day and report the results by mail.
</P
></BLOCKQUOTE
></DIV
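><P>
The paragraph above asks you to keep track of the SUID/SGID programs so that changes stand out. The following script is an added example and is not part of the original book: it turns the <B CLASS="command">find</B> command into a sorted inventory, saves it as a baseline, and reports only lines that are new or changed on a later run. The sample tree, its file names and the planted <TT CLASS="filename">/tmp/.X11-unix/.sh</TT> are constructed for the demonstration; the script assumes GNU <B CLASS="command">find</B> (for <TT CLASS="literal">-printf</TT>) and the coreutils <B CLASS="command">sort</B> and <B CLASS="command">comm</B>.
</P><PRE CLASS="programlisting">
```shell
#!/bin/sh
# Added example (not from the book): inventory SUID/SGID files and diff the
# inventory against a saved baseline so a newly planted setuid file stands out.
# Assumes GNU find (-printf) and coreutils comm/sort.
set -eu

# suid_inventory DIR: one line per SUID or SGID regular file under DIR:
# "<octal mode> <owner> <group> <path>", byte-sorted so runs are comparable
# and directly usable as comm(1) input.
suid_inventory() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%m %u %g %p\n' | LC_ALL=C sort
}

# suid_diff BASELINE DIR: lines in DIR's current inventory that are not in
# BASELINE, i.e. new SUID/SGID files or existing ones whose mode or owner
# changed.  Empty output means nothing changed.
suid_diff() {
    suid_inventory "$2" | LC_ALL=C comm -13 "$1" -
}

# make_suid_sample DIR: constructed tree mimicking a few legitimate
# privileged binaries (empty files; the names are only illustrative).
make_suid_sample() {
    dir=$1
    mkdir -p "$dir/usr/bin" "$dir/tmp/.X11-unix"
    : > "$dir/usr/bin/passwd"; chmod 4755 "$dir/usr/bin/passwd"  # SUID
    : > "$dir/usr/bin/wall";   chmod 2755 "$dir/usr/bin/wall"    # SGID
    : > "$dir/usr/bin/ls";     chmod 0755 "$dir/usr/bin/ls"      # not privileged
}

# plant_backdoor DIR: what an intruder leaves behind, a SUID file hidden in a
# rarely inspected directory (constructed, for the demonstration only).
plant_backdoor() {
    : > "$1/tmp/.X11-unix/.sh"; chmod 4755 "$1/tmp/.X11-unix/.sh"
}

# Stand-alone run: take a baseline, plant the backdoor, show the difference.
if [ "${1:-}" = "--demo" ]; then
    scratch=$(mktemp -d); baseline=$(mktemp)
    make_suid_sample "$scratch"
    suid_inventory "$scratch" > "$baseline"
    plant_backdoor "$scratch"
    suid_diff "$baseline" "$scratch"
    rm -rf "$scratch" "$baseline"
fi
```
</PRE><P>
On a real system, save <TT CLASS="literal">suid_inventory /</TT> once the unneeded bits have been removed, keep that baseline somewhere the intruder cannot rewrite it (read-only media or another host), and have cron mail the output of <TT CLASS="literal">suid_diff</TT> to root. A change of mode or owner on an existing file also appears in the output, because the whole line is compared.
</P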
><P
>&#13; Group- and world-writable files and directories, particularly on system partitions, are a security hole if a cracker gains access to your system and modifies them. World-writable
directories are dangerous in their own right, since they let a cracker add or delete files in them as he or she wishes. In the normal course of operation a number of files will be writable, including
some under the <TT
CLASS="filename"
>/dev</TT
> and <TT
CLASS="filename"
>/var/catman</TT
> directories, and all symbolic links on your system (a symbolic link always shows mode 777; the permissions that matter are those of its target). Directories such as /tmp are world-writable by design and rely on the sticky bit (mode 1777) so that users can only remove their own files; a world-writable directory without the sticky bit should be treated as a finding.
To locate all group &#38; world-writable files on your system, use the command:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="screen"
>&#13; [root@deep] /# <B
CLASS="command"
>find</B
> / -type f \( -perm -2 -o -perm -20 \) -exec ls -l {} \;
</PRE
></TD
></TR
></TABLE
>
To locate all group &#38; world-writable directories on your system, use the command:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="screen"
>&#13; [root@deep] /# <B
CLASS="command"
>find</B
> / -type d \( -perm -2 -o -perm -20 \) -exec ls -ld {} \;
</PRE
></TD
></TR
></TABLE
>
</P
><DIV
CLASS="tip"
><BLOCKQUOTE
CLASS="tip"
><P
><B
><SPAN
CLASS="inlinemediaobject"
><IMG
SRC="./images/Tip.gif"
ALT="Tip"
></IMG
></SPAN
>: </B
>
A file and directory integrity checker such as Tripwire can be run regularly to detect new or modified group- or world-writable files and directories. See in this book under <A
HREF="soft-secmonitor.html"
>Securities Software/Monitoring Tools</A
>
for more information about Tripwire.
</P
></BLOCKQUOTE
></DIV
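><P>
The two <B CLASS="command">find</B> commands above report every group- or world-writable object, including the ones that are expected on a healthy system. The following script is an added example and is not part of the original book: it narrows the report by skipping symbolic links (already excluded by <TT CLASS="literal">-type f</TT>) and world-writable directories that carry the sticky bit, the /tmp pattern, so that what remains is worth a second look. The sample tree is constructed for the demonstration; the script assumes GNU <B CLASS="command">find</B> for <TT CLASS="literal">-printf</TT>.
</P><PRE CLASS="programlisting">
```shell
#!/bin/sh
# Added example (not from the book): audit group- and world-writable files and
# directories, leaving out what is expected on a normal system: sticky-bit
# directories such as /tmp, and symbolic links.  Assumes GNU find.
set -eu

# writable_files DIR: regular files writable by group or others.  -type f
# already skips symbolic links, which always show mode 777.
writable_files() {
    find "$1" -xdev -type f \( -perm -0020 -o -perm -0002 \) \
        -printf '%m %u %g %p\n'
}

# writable_dirs DIR: directories writable by group or others, except those
# carrying the sticky bit (mode 1xxx), where users may only delete their own
# entries.  A world-writable directory without it is a finding.
writable_dirs() {
    find "$1" -xdev -type d \( -perm -0020 -o -perm -0002 \) ! -perm -1000 \
        -printf '%m %u %g %p\n'
}

# make_ww_sample DIR: constructed tree with one expected and one unexpected
# world-writable directory, two writable files, one clean file and a symlink.
make_ww_sample() {
    dir=$1
    ( umask 022                    # so that mkdir -p yields 755 directories
      mkdir -p "$dir/tmp" "$dir/var/spool/drop" "$dir/etc" "$dir/home/bob" )
    chmod 1777 "$dir/tmp"              # world-writable, sticky: expected
    chmod 0777 "$dir/var/spool/drop"   # world-writable, no sticky: finding
    : > "$dir/etc/hosts";      chmod 0666 "$dir/etc/hosts"      # finding (other)
    : > "$dir/home/bob/notes"; chmod 0664 "$dir/home/bob/notes" # finding (group)
    : > "$dir/etc/passwd";     chmod 0644 "$dir/etc/passwd"     # clean
    ln -s /etc/hosts "$dir/home/bob/hosts-link"                 # 777, but a symlink
}

# Stand-alone run: build the tree, print both reports, clean up.
if [ "${1:-}" = "--demo" ]; then
    scratch=$(mktemp -d)
    make_ww_sample "$scratch"
    echo "== writable directories =="; writable_dirs "$scratch"
    echo "== writable files ==";       writable_files "$scratch"
    rm -rf "$scratch"
fi
```
</PRE><P>
The demo reports <TT CLASS="filename">var/spool/drop</TT> but not the sticky <TT CLASS="filename">tmp</TT>, and reports <TT CLASS="filename">etc/hosts</TT> and <TT CLASS="filename">home/bob/notes</TT> but not the symbolic link. Running <TT CLASS="literal">writable_dirs /</TT> and <TT CLASS="literal">writable_files /</TT> on a server gives the shorter list that actually needs review; the output format (mode, owner, group, path) is the same as in the SUID/SGID inventory, so it can be kept and compared over time in the same way.
</P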
><P
>&#13; Do not permit any unowned file. Unowned files (files whose UID or GID matches no entry in /etc/passwd or /etc/group) may also be an indication that an intruder has accessed your system. If you find an unowned file or directory on your system, verify its integrity and,
if all looks fine, give it an owner. Sometimes you may uninstall a program and be left with an unowned file or directory belonging to that software; in this case you can remove the file or directory safely.
To locate files on your system that do not have an owner or a group, use the following command:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="screen"
>&#13; [root@deep] /# <B
CLASS="command"
>find</B
> / -nouser -o -nogroup
</PRE
></TD
></TR
></TABLE
>
Note once again that files reported under the <TT
CLASS="filename"
>/dev</TT
> directory do not count.
</P
><P
>&#13; Finding all the <TT
CLASS="filename"
>.rhosts</TT
> files that could exist on your server should be a part of your regular system administration duties, as these files should not be permitted on your system. Remember that a cracker
only needs one insecure account to potentially gain access to your entire network.
You can locate all <TT
CLASS="filename"
>.rhosts</TT
> files on your system with the following command:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="screen"
>&#13; [root@deep] /# <B
CLASS="command"
>find</B
> /home -name .rhosts
</PRE
></TD
></TR
></TABLE
>
You can also use a cron job to periodically check for, report the contents of, and delete <TT
CLASS="filename"
>$HOME/.rhosts</TT
> files. Also, users should be made aware that you regularly perform this type
of audit, as directed by policy.
</P
><P
>&#13; To use a cron job to periodically check for and report by mail all <TT
CLASS="filename"
>.rhosts</TT
> files, do the following.
Create as root the <TT
CLASS="filename"
>find_rhosts_files</TT
> script file under the <TT
CLASS="filename"
>/etc/cron.daily</TT
> directory (<TT
CLASS="userinput"
><B
>touch</B
></TT
> <TT
CLASS="filename"
>/etc/cron.daily/find_rhosts_files</TT
>) and add the following
lines to it:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="programlisting"
>&#13; #!/bin/sh
# Mail root the list of .rhosts files found under /home.
/usr/bin/find /home -name .rhosts | (cat &#60;&#60;EOF
This is an automated report of .rhosts files that may exist on the server
deep.openna.com, generated by the find utility.
Newly detected <TT
CLASS="filename"
>.rhosts</TT
> files under the <TT
CLASS="filename"
>/home</TT
> directory include:
EOF
cat
) | /bin/mail -s "Content of .rhosts file audit report" root
</PRE
></TD
></TR
></TABLE
>
Now make this script file executable, verify the owner, and change the group to root.
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="screen"
>&#13; [root@deep] /# <B
CLASS="command"
>chmod</B
> 755 /etc/cron.daily/find_rhosts_files
[root@deep] /# <B
CLASS="command"
>chown</B
> root:root /etc/cron.daily/find_rhosts_files
</PRE
></TD
></TR
></TABLE
>
Each day mail will be sent to root with the subject "Content of .rhosts file audit report", listing any <TT
CLASS="filename"
>.rhosts</TT
> files found under /home.
</P
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="chap5sec61.html"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="chap5sec63.html"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Log Spoofed, Source Routed and Redirect Packets</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="gen-syssecured.html"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>System is compromised !</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>