Either they are intentional or not, system misconfiguration can lead to very big problems. For example :<\/p>\n
To avoid these problems you should regularly scan your system for known “misconfiguration patterns”. This article will explain how to do so using\u00a0<\/span>bash<\/i>\u00a0<\/span>on a GNU Linux system.\u00a0<\/span><\/p>\n In this section I will describe commands that can be used to have a general overview of your system\u2019s security potential risks.<\/p>\n I.1 Setuid et Setgid files\u00a0<\/span><\/b> I.2 World writable files\u00a0<\/span><\/b> I.3 Opened socket connections<\/b> I.5 Sticky bit files\u00a0<\/span><\/b> After the general scan, you can do more detailed scan to find abnormal configurations or real dangers.<\/p>\n II.1 File access rights risks<\/b> Another concern about world writable directories is that, when allowed (ex insind \/var or \/tmp) they must have the sticky bit on to prevent unauthorized file deletion.<\/p>\n II.2 file ownership risks<\/b> It is also interesting to verify if all files belong to an existing user and group.\u00a0<\/span><\/p>\n \u00a0<\/span>I. General system scan<\/h2>\n
\nFiles with the setuid bit set are not necessarily evil, and setgid folders are really useful and can improve your system\u2019s security. However an awfully huge lot of exploits takes advantage of vulnerabilities in setuid files because it is an easy way to escalate privileges (when exploiting a setuid bit file belonging to root). You should always have a look at those files and ensure that each one really needs to have the setuid bits on and are known to be secure and stable.
\nList all setuid files :
\nfind \/ \u00a0 -perm -4000 2>\/dev\/null<\/code>
\nList all setuid files owned by root :
\nfind \/ \u00a0 -perm -4000 -user root 2>\/dev\/null<\/code>
\nList all setgid files :
\nfind \/ \u00a0 -perm -4000 2>\/dev\/null<\/code>
\nList all setgid files owned by root :
\nfind \/ \u00a0 -perm -4000 -user root 2>\/dev\/null<\/code><\/p>\n
\nThe other big danger on filesystems is bad rights management (it can be admin mistakes). A world writable file owned by root can lead to easy privileges escalation or system corruption.
\nList all world writable files:
\nfind \u00a0 \/ \u00a0! -type l -perm -002 \u00a02>\/dev\/null<\/code><\/p>\n
\nIn Linux system, everything is a file, even sockets. And every admin should have a regular look at the opened connections on a machine.\u00a0<\/span>
\nThe classical way to list all transport layer connections would be to use netstat :\u00a0<\/span>
\nnetstat -tupl<\/code>
\nHowever I prefer the\u00a0<\/span>lsof<\/i>\u00a0<\/span>tool that offers way more possibilities and is cabable of describing precisely any opened file on the system (lsof is for “list opened files”. Sockets are files, so a nice way to monitor your opened connections would be to use the next command :\u00a0<\/span>
\nlsof | grep -E \"IPv4|IPv6|COMMAND.*USER\" | \u00a0sed -r \u00a0\"s\/ +\/ \/g\" | cut -d \" \" -f 1,2,3,5,8,9 | column -t | sed \"s\/.*\/ &\/\"<\/code>
\nThat command will list all IPv4 and IPv6 opened connections and display the corresponding command, pid, user, the connexion type, the transport layer protocol used and the connection description (IP address and port). The\u00a0<\/span>column<\/i>\u00a0<\/span>and\u00a0<\/span>sed<\/i>\u00a0<\/span>part is just for nice formatting ;-).\u00a0<\/span>
\nI.4 Broken Symbolic links\u00a0<\/span><\/b>
\nIt can be useful to be able to list the broken symlinks on the system (example, for a cleaning task).
\nExample, list all broken symlinks in \/usr directory :
\nfind -L \u00a0\/usr -type l -maxdepth 8 2>\/dev\/null\u00a0<\/span><\/code><\/p>\n
\nThe sticky bit is important, it should always be set on world writable folders to prevent a user from removing a file he doesn\u2019t own.
\nList all sticky bit files on the system :\u00a0<\/span>
\nfind \/ \u00a0-perm -1000 2>\/dev\/null<\/code>\u00a0<\/span><\/p>\nII. Potential threats scan<\/h2>\n
\nSome files should never be world writable or even world readable. For example the directories \/bin, \/sbin, \/boot, \/etc, \/lib, \/root, \/usr should never be world writable. A world writable file in these directories could lead to system trojaning\/corruption.
\nHere is a simple way to scan all these folders for world writable files.<\/p>\n\n
\n
\nAre you sure that all system files are really owned by root? You can imagine the potential disaster for your system if not.
\nHere is a way to verify that.<\/p>\n\n
\n
\nII.3 Special files risks<\/b>
\n“Special” files like devices, socket and symlinks should be considered carefully. For example you should verify that devices are only stored in special directories like \/dev or …\/udev\/ which can be done using the next script :<\/p>\n\n