[GLLUG] Setuid and file permissions scripts

Scott Harrison harris41 at msu.edu
Wed Sep 13 10:52:46 EDT 2006


Just a small note...
Mandrake/Mandriva (which unfortunately, IMHO, has suffered from
some lousy end-of-life policies and low consistency
of quality from release to release) does something very similar
to what Mark describes, which I have found to be very effective.
In its highest security mode, it can also act as a safeguard for overtly
prototyped apps which get a little too loose with file perms, etc.
(It is nice to have a cron-jobbed, formalized file permissions
approach on top of a formal package management system.) 


Here is a descriptive URL:
http://iew3.technion.ac.il/CC/Comp_news/Mandrake_starter/drakperm.html 


I presume Ubuntu/Debian may have something similar?  But
I'm still in the preliminary stages of investigating Ubuntu (I used
to do a bit of Debian in the past, though). 


Scott 


Lachniet, Mark writes: 

> Sorry apparently my CRLF was mangled.  Here it is as an attachment. 
> 
> Mark 
> 
> 
> -----Original Message-----
> From: linux-user-bounces at egr.msu.edu
> [mailto:linux-user-bounces at egr.msu.edu] On Behalf Of Lachniet, Mark
> Sent: Wednesday, September 13, 2006 8:00 AM
> To: Linux User
> Subject: [GLLUG] Setuid and file permissions scripts 
> 
> As you may know, one of the many things you need to worry about for
> security on a *nix box is your file permissions.  World writable files
> (especially scripts that get run by root) and inappropriate setuid
> permissions (that might allow a backdoor) are all risks. 
> 
> I run the following script nightly so I get an emailed report of these
> types of files.  Although it's not perfect, it will sometimes be obvious
> if someone has monkeyed around.  This is also a good script to run when
> you are first sitting down to harden a production server, as it can tell
> you what files you can secure.  For example, removing setuid on games
> and utilities that you *never* expect your users to run. 
> 
> You'll need to download logwatch.pl if you want the full
> functionality...  http://www2.logwatch.org:8080/tabs/download/.   With
> logwatch.pl it will also parse through some of your log files to give
> you some statistics on mail and web usage. 
> 
> Change the email address at the end of the script to your own. 
> 
> Cheers, 
> 
> Mark 
> 
> -------8<--------------- 
> 
> lachniet:/etc/cron.daily # cat findstuff.sh
> #!/bin/sh -f
> mv ~/files ~/files.old
> touch ~/files
> echo *** START >> ~/files
> /etc/log.d/scripts/logwatch.pl --detail High --print >> ~/files
> date >> ~/files
> uname -a >> ~/files
> echo *************** >> ~/files
> echo find SUID files >> ~/files
> echo *************** >> ~/files
> find / -perm -u+s | grep -v mailman | grep -v proc >> ~/files
> echo *************** >> ~/files
> echo find GID files >> ~/files
> echo *************** >> ~/files
> find / -perm -g+s  | grep -v mailman | grep -v proc >> ~/files
> echo *************** >> ~/files
> echo find group world writable files >> ~/files
> echo *************** >> ~/files
> find / -perm -g+w ! \( -type l -o -type p \)  |grep -v /dev  | grep -v mailman | grep -v proc >> ~/files
> echo *************** >> ~/files
> echo find other world writable files >> ~/files
> echo *************** >> ~/files
> find / -perm -o+w ! \( -type l -o -type p \)  |grep -v /dev  | grep -v mailman | grep -v proc >> ~/files
> echo *************** >> ~/files
> echo Last few users  >> ~/files
> echo *************** >> ~/files
> last -n 20 >> ~/files
> echo *************** >> ~/files
> echo What  >> ~/files
> echo *************** >> ~/files
> /usr/bin/w >> ~/files
> mail -s whatever mark < ~/files 
> 
 


Scott 

 ----- 


*******************
** DISCLAIMER :P **
******************* 

This E-mail message and any attachments may contain information. 
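An added example to go with the thread above; it is not Mark's findstuff.sh and not Mandrake's drakperm. Mark's script lists every setuid, setgid and world-writable file each night and relies on the reader noticing what changed; the script below keeps last night's report as a baseline and prints only the ADDED/REMOVED lines, so a new setuid binary or a newly loosened mode stands out on its own. It also goes a little beyond Mark's version: it uses -xdev instead of grep -v to stay off /proc, /sys and /dev, and it leaves out sticky world-writable directories (/tmp style), which are expected. It assumes GNU find (for -printf) and GNU coreutils as found on a Linux host; the AUDIT_ROOT and AUDIT_STATE variables, the function names and the demo tree's file names are all my own invention, and the demo tree is constructed, not real system files.

```shell
#!/bin/sh
# Added example, not Mark's findstuff.sh and not Mandrake's drakperm: audit a
# tree for setuid, setgid and world-writable files, then diff the report
# against the previous night's so a new setuid binary or a loosened mode shows
# up as a single ADDED/REMOVED line instead of being buried in a full listing.
# Assumes GNU find (for -printf) and GNU coreutils, as on a Linux host.  The
# scan root and state directory are parameters so the functions can be run
# against a constructed demo tree; the file names below are made up.

# audit_perms ROOT: print "octal-mode owner group path", sorted, for every
# regular file or directory under ROOT that is setuid, setgid or world-
# writable.  -xdev stays on one filesystem, which skips /proc, /sys and /dev
# when ROOT is / (Mark's script used grep -v for that).  World-writable
# directories that also carry the sticky bit (/tmp style) are normal and are
# left out; a world-writable directory without the sticky bit is reported.
audit_perms() {
    find "$1" -xdev \( -type f -o -type d \) \
        \( -perm -4000 -o -perm -2000 -o -perm -0002 \) \
        ! \( -type d -perm -1000 \) \
        -printf '%m %u %g %p\n' 2>/dev/null | LC_ALL=C sort
}

# compare_baseline CURRENT BASELINE: one line per difference.  Lines only in
# CURRENT are ADDED (new setuid file, newly loosened mode); lines only in
# BASELINE are REMOVED (file gone or tightened).  With no baseline yet, every
# line is tagged NEW-BASELINE so the first report is still readable.  comm
# needs both inputs sorted exactly as audit_perms writes them.
compare_baseline() {
    if [ ! -f "$2" ]; then
        sed 's/^/NEW-BASELINE /' "$1"
        return 0
    fi
    LC_ALL=C comm -13 "$2" "$1" | sed 's/^/ADDED   /'
    LC_ALL=C comm -23 "$2" "$1" | sed 's/^/REMOVED /'
}

# nightly_report ROOT STATEDIR: the cron entry point.  Writes tonight's
# report, prints the differences against last night's, then rotates the
# baseline.  In cron, pipe its output to mail -s, as Mark's script does.
nightly_report() {
    root=$1 state=$2
    mkdir -p "$state"
    audit_perms "$root" > "$state/perms.new"
    compare_baseline "$state/perms.new" "$state/perms.baseline"
    mv "$state/perms.new" "$state/perms.baseline"
}

# build_demo_tree DIR: a constructed sample tree (no real system files) with
# one setuid file, one world-writable file, one sticky /tmp-style directory
# and one ordinary file, so exactly two entries should be reported.
build_demo_tree() {
    mkdir -p "$1/bin" "$1/home" "$1/tmp"
    chmod 0755 "$1" "$1/bin" "$1/home"
    printf 'demo\n' > "$1/bin/normal";   chmod 0755 "$1/bin/normal"
    printf 'demo\n' > "$1/bin/suidtool"; chmod 4755 "$1/bin/suidtool"
    printf 'demo\n' > "$1/home/loose";   chmod 0666 "$1/home/loose"
    chmod 1777 "$1/tmp"
}

# Stand-alone run.  With AUDIT_ROOT unset, scan a throwaway demo tree twice,
# changing it in between, to show the first (NEW-BASELINE) and the second
# (ADDED/REMOVED) report.  For a real host: AUDIT_ROOT=/ AUDIT_STATE=/var/lib/permaudit
if [ -z "${AUDIT_ROOT:-}" ]; then
    demo=$(mktemp -d)
    build_demo_tree "$demo/root"
    echo "== first run (no baseline) =="
    nightly_report "$demo/root" "$demo/state"
    printf 'demo\n' > "$demo/root/bin/newsuid"; chmod 4755 "$demo/root/bin/newsuid"
    chmod 0644 "$demo/root/home/loose"
    echo "== second run (against baseline) =="
    nightly_report "$demo/root" "$demo/state"
    rm -rf "$demo"
else
    nightly_report "$AUDIT_ROOT" "${AUDIT_STATE:-$HOME/.permaudit}"
fi
```

Run as-is, it prints the two demo reports: the first tags both findings NEW-BASELINE, the second shows the new setuid file as ADDED and the tightened file as REMOVED. Dropped into /etc/cron.daily with AUDIT_ROOT=/ and its output piped to mail, a quiet night produces an empty message, which is the point: the report only has to be read when something moved.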




