Controlling File Permissions & Attributes:

Monitoring the permissions on system files is crucial to maintaining host integrity.

• Regularly audit your systems for any unauthorized or unnecessary use of the setuid or setgid
permissions. “Set-user-ID root” programs run as the root user regardless of who executes them, so
any bug in one of them (a buffer overflow being the classic case) becomes a path to root. Many
programs are setuid or setgid only so that a normal user can perform an operation that would
otherwise require root; the bit can be removed if your users do not need that operation. Find all
setuid and setgid programs on your host and selectively remove the setuid or setgid permission
from any suspicious or unneeded program with chmod. Older GNU find accepted “-perm +6000”, as
shown below; current versions spell it “-perm /6000”, and “\( -perm -4000 -o -perm -2000 \)”
works on every find. Note that removing the bit disables whatever the program needed it for (without
setuid, for example, ordinary users can no longer run “chage -l” on their own accounts), and that a
package upgrade may put the bit back, so repeat the audit after updates:

root# find / -type f -perm +6000 -ls
59520 30 -rwsr-xr-x 1 root root 30560 Apr 15 1999 /usr/bin/chage
59560 16 -r-sr-sr-x 1 root lp 15816 Jan 6 2000 /usr/bin/lpq
root# chmod -s /usr/bin/chage /usr/bin/lpq
root# ls -l /usr/bin/lpq /usr/bin/chage
-rwxr-xr-x 1 root root 30560 Apr 15 1999 /usr/bin/chage
-r-xr-xr-x 1 root lp 15816 Jan 6 2000 /usr/bin/lpq

• World-writable files can be altered or removed by any local user. Locate all world-writable files
and directories on your system (symbolic links are excluded because their mode is always 777):

root# find / -perm -2 ! -type l -ls

In the normal course of operation, some files and directories will legitimately be world-writable,
including device nodes under /dev such as /dev/null and the /tmp directory itself. World-writable
directories should carry the sticky bit (mode 1777) so that users can delete only their own files.

• Locate and identify all files that do not have an owner or do not belong to a group, i.e. whose uid
or gid matches no entry in /etc/passwd or /etc/group. Such files are usually left behind when an
account is deleted, but they may also indicate that an intruder has placed files on your system.

root# find / -nouser -o -nogroup
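The three find checks above, combined into one audit script that compares the current state of a
host with a baseline recorded earlier. This is an added example, not part of the original checklist.
It assumes a POSIX shell and find (it uses the portable -perm -4000 -o -perm -2000 form rather than
+6000), a scan root given as the first argument (reported paths are relative to it), and a directory
of baseline files, one path per line, which the script creates on its first run.

```shell
#!/bin/sh
# Added example: baseline audit for setuid/setgid, world-writable and unowned
# files (not part of the original checklist). Only POSIX find, sort and comm
# are used, so it runs on old and new systems alike.

# Print, relative to root $1, every regular file with the setuid or setgid bit.
find_setuid() {
    (cd "$1" && find . -type f \( -perm -4000 -o -perm -2000 \) -print) | LC_ALL=C sort
}

# Print world-writable files and directories. Symlinks are skipped (their mode
# is always 777) and so are sticky directories, the expected shape of /tmp.
find_world_writable() {
    (cd "$1" && find . ! -type l -perm -0002 ! \( -type d -perm -1000 \) -print) | LC_ALL=C sort
}

# Print files whose uid or gid matches no account or group on this host.
find_unowned() {
    (cd "$1" && find . \( -nouser -o -nogroup \) -print) | LC_ALL=C sort
}

# Run one check and print every entry that is not in its baseline file.
# Returns 1 when something new turned up, 0 otherwise.
audit_against_baseline() {   # usage: audit_against_baseline CHECK ROOT BASELINE
    check=$1; root=$2; baseline=$3
    [ -f "$baseline" ] || baseline=/dev/null     # no baseline yet: everything is new
    new=$("$check" "$root" | LC_ALL=C comm -23 - "$baseline")
    [ -z "$new" ] && return 0
    printf '%s: not in baseline:\n%s\n' "$check" "$new"
    return 1
}

# Run all three checks against the baselines in directory $2 and return
# non-zero if any of them reported something; suitable for a nightly cron job.
audit_host() {   # usage: audit_host ROOT BASELINE_DIR
    rc=0
    for c in find_setuid find_world_writable find_unowned; do
        audit_against_baseline "$c" "$1" "$2/$c.baseline" || rc=1
    done
    return $rc
}

# Record the current state as the baseline (do this once, on a freshly
# installed host you trust, and again after deliberate changes).
record_baselines() {   # usage: record_baselines ROOT BASELINE_DIR
    for c in find_setuid find_world_writable find_unowned; do
        "$c" "$1" > "$2/$c.baseline"
    done
}

if [ $# -ge 2 ]; then
    audit_host "$1" "$2"
fi
```

Typical use is “record_baselines / /var/lib/permaudit” once, then “audit_host / /var/lib/permaudit”
from cron; a non-zero exit means a setuid program, world-writable file or unowned file appeared that
was not there when the baseline was taken.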

• Using the lsattr and chattr commands, administrators can set attributes on files and directories
(on ext2 and its successors, and on several other Linux filesystems) that restrict deletion and
modification beyond what chmod provides. The “append-only” (a) and “immutable” (i) attributes are
particularly effective at preventing log files from being truncated or deleted, and at stopping
Trojan horses from being written over trusted binaries. They are no guarantee that a system file or
log will not be modified: a process running as root (more precisely, one holding the
CAP_LINUX_IMMUTABLE capability) can remove the attribute, so they raise the bar against an intruder
who has not yet gained full root rather than against one who has. The chattr command adds or removes
these attributes, and lsattr lists them.

Log files can be protected by permitting only appends to them: once data has been written it cannot
be removed or overwritten in place, and the file cannot be renamed or unlinked. This requires changes
to your log rotation scripts (the attribute has to be dropped before the file can be renamed and set
again on the new file), but it provides additional protection against an intruder attempting to
remove his tracks. Once rotated, archived logs should be made immutable. Files suitable for the
immutable attribute include /bin/login, /bin/rpm, /etc/shadow and others that should not change
frequently; bear in mind that while /etc/shadow is immutable, passwd and similar tools cannot update
it, so the attribute must be cleared before any password change.

# chattr +i /bin/login
# chattr +a /var/log/messages
# lsattr /bin/login /var/log/messages
----i--- /bin/login
-----a-- /var/log/messages
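A rotation routine for an append-only log, as an added example that is not part of the original
checklist. It shows the order of operations the text calls for: drop +a (an append-only file cannot
be renamed), shift the archive while temporarily clearing +i on each copy, make the rotated copies
immutable, recreate the live file and re-arm +a. It assumes root, an ext-family filesystem, and a
chattr binary; the CHATTR variable is an assumption of this script and exists so the routine can be
dry-run (for example with CHATTR=echo) on a filesystem without attribute support.

```shell
#!/bin/sh
# Added example: rotate an append-only log without losing the protection
# (not part of the original checklist). Needs root and an ext-family
# filesystem. CHATTR may be overridden, e.g. CHATTR=echo, for a dry run.
CHATTR=${CHATTR:-chattr}

# Rotate LOG into LOG.1 ... LOG.KEEP (default 4). Rotated copies are made
# immutable; the live file is recreated empty and made append-only again.
rotate_append_only() {   # usage: rotate_append_only LOG [KEEP]
    log=$1; keep=${2:-4}

    # Step 1: an append-only file cannot be renamed, so drop +a first.
    "$CHATTR" -a "$log" || return 1

    # Step 2: shift the archive down. The oldest copy is deleted and every
    # other copy loses +i just long enough to be renamed.
    i=$keep
    while [ "$i" -gt 1 ]; do
        prev=$((i - 1))
        if [ -f "$log.$prev" ]; then
            if [ -f "$log.$i" ]; then "$CHATTR" -i "$log.$i"; rm -f "$log.$i"; fi
            "$CHATTR" -i "$log.$prev"
            mv "$log.$prev" "$log.$i"
            "$CHATTR" +i "$log.$i"
        fi
        i=$prev
    done
    if [ -f "$log.1" ]; then "$CHATTR" -i "$log.1"; rm -f "$log.1"; fi   # only when KEEP=1

    # Step 3: archive the live log and freeze it.
    mv "$log" "$log.1" || return 1
    "$CHATTR" +i "$log.1"

    # Step 4: recreate the live log with tight permissions and re-arm +a.
    # syslogd still writes to the old inode until it is told to reopen its
    # files (typically SIGHUP), which is left to the caller.
    (umask 077 && : > "$log") || return 1
    "$CHATTR" +a "$log"
}
```

Run it as “rotate_append_only /var/log/messages 4” from the rotation script, then signal syslogd to
reopen its log files; with logrotate the same sequence fits its prerotate (chattr -a) and postrotate
(chattr +a, chattr +i on the rotated copy) hooks.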

• There should never be a reason for users to run setuid programs from their home directories. Use
the nosuid option in /etc/fstab for every partition that is writable by users other than root. You
may also wish to use nodev and noexec on the partitions holding users’ home directories, as well as
on /var: these prohibit the use of character or block device nodes and the execution of programs,
neither of which should be necessary there. Two caveats: noexec on /var can break package managers
that execute scripts from under it (dpkg runs its maintainer scripts from /var/lib/dpkg), and noexec
blocks direct execution only, not a script fed to an interpreter, so treat it as one layer rather
than a complete control. See the mount man page for more information.
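A check that reads fstab-format lines and reports user-writable filesystems mounted without nosuid,
nodev or noexec, as an added example that is not part of the original checklist. The list of
user-writable mount points and the sample fstab are constructed assumptions for this example and
should be adjusted to the host; the real check is “check_fstab < /etc/fstab”.

```shell
#!/bin/sh
# Added example: flag fstab entries for user-writable filesystems that lack
# nosuid, nodev or noexec (not part of the original checklist).

# Mount points that unprivileged users can write to (assumed layout; adjust).
USER_WRITABLE="/home /tmp /var /var/tmp"

# Does the comma-separated option list $1 contain the option $2 exactly?
# (",nosuid," is looked for, so "suid" does not match inside "nosuid".)
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# Read fstab lines on stdin; print one line per user-writable mount point
# missing any of the three options. Returns 1 if anything was reported.
check_fstab() {
    rc=0
    while read -r dev mnt type opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac       # blank lines and comments
        for wanted in $USER_WRITABLE; do
            [ "$mnt" = "$wanted" ] || continue
            missing=
            for o in nosuid nodev noexec; do
                has_opt "$opts" "$o" || missing="$missing $o"
            done
            if [ -n "$missing" ]; then
                printf '%s (%s, %s): missing%s\n' "$mnt" "$type" "$opts" "$missing"
                rc=1
            fi
        done
    done
    return $rc
}

# Constructed sample of a partially hardened fstab (not a real host's file).
SAMPLE_FSTAB='# <device>   <mountpoint> <type> <options>                     <dump> <pass>
/dev/sda1    /            ext3   defaults                      1 1
/dev/sda5    /home        ext3   defaults,nosuid,nodev,noexec  1 2
/dev/sda6    /var         ext3   defaults,nosuid,nodev         1 2
none         /tmp         tmpfs  defaults                      0 0
'
```

Running the sample through check_fstab reports /var (missing noexec) and /tmp (missing all three)
while /home passes; / is deliberately not in the list because the root filesystem cannot carry
nosuid or noexec without breaking the system.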