Linux Security
To create an encrypted password:
NOTE: the first part of the command (up to '&&') keeps the clear-text password out of the shell history file.
history -d $((HISTCMD -1)) && perl -e 'print crypt("new password", rand(100))'
To create output in the USERNAME:HASH form that chpasswd -e accepts (used below):
history -d $((HISTCMD -1)) && echo USERNAME:`perl -e 'print crypt("new password", rand(100))'`
To change the password on multiple servers, take the above output and feed it to chpasswd -e in a for loop (single-quote OUTPUT so the remote shell does not interpret any special characters in the hash):
for i in server1 server2 server3; do ssh $i "echo 'OUTPUT' | chpasswd -e"; done
File and Folder Permissions
Access permissions for files and folders mean different things from the user's standpoint. The table below shows the difference.
Access type | File | Folder |
---|---|---|
Read (4) | The file's contents can be read | The directory listing can be obtained |
Write (2) | The user or process can write to the file (change its contents) | The user or process can change the directory's contents: create new files, delete existing ones, or rename them |
Execute (1) | The file can be executed | The user or process can enter the directory (make it the current working directory) |
SUID (4xxx) | Executes the file as its owner | n/a |
SGID (2xxx) | n/a | New files and folders created inside inherit the directory's group owner |
Immutable files
Action | Command |
---|---|
Set | chattr +i some_file |
Unset | chattr -i some_file |
List | lsattr some_file |
To prevent logins:
- create the file /etc/nologin
- while that file exists, only root can log in
- its contents are displayed to users attempting to log in
Linux - Password Complexity
Linux enforces password complexity using pam_cracklib. Note the following rules when you have trouble creating or changing passwords:
- Palindrome - the password reads the same forward and backward
- Case Change Only - when changing passwords, changing only the case of the old password is insufficient
- Too small - minimum length is 5 characters
- Similar - this is the rule most likely to cause problems. By default the new password must differ by a factor of 10 or by 1/2 the number of characters in the new password, with an absolute minimum of 5 characters that were not in the previous password.
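An added example, not code from this page or from pam_cracklib itself, that applies the four rules above to an old/new password pair. The thresholds are the numbers given in the text; how the "similar" figures combine, and all names in the block, are assumptions made for the example:

```python
# Added example: a checker that applies the four pam_cracklib-style rules
# listed above to an old/new password pair. It is not pam_cracklib's code;
# the numbers come from the text, the way the "similar" figures combine is
# an assumption, and the names below are made up for this example.
from typing import List

MIN_LEN = 5          # "Too small": shortest acceptable new password
DIFOK = 10           # "Similar": this many new characters always satisfies the rule
MIN_NEW_CHARS = 5    # "Similar": absolute minimum of characters not in the old one


def chars_not_in_old(old: str, new: str) -> int:
    """Count the characters of `new` that occur nowhere in `old`."""
    return sum(1 for c in new if c not in old)


def check_password(old: str, new: str) -> List[str]:
    """Return the names of the rules `new` violates (empty list = acceptable)."""
    problems = []
    if new == new[::-1]:
        problems.append("palindrome")
    if new != old and new.lower() == old.lower():
        problems.append("case change only")
    if len(new) < MIN_LEN:
        problems.append("too small")
    fresh = chars_not_in_old(old, new)
    # Assumed reading of the rule: enough if at least DIFOK characters are new,
    # or at least half of the new password consists of characters the old one
    # lacked; in both cases at least MIN_NEW_CHARS characters must be new.
    enough = fresh >= DIFOK or 2 * fresh >= len(new)
    if not enough or fresh < MIN_NEW_CHARS:
        problems.append("similar")
    return problems


if __name__ == "__main__":
    # Constructed sample pairs: one per rule, plus an acceptable change.
    for old, new in [("x", "level"), ("OldPass99", "oLDpASS99"),
                     ("Tr0ub4dor", "ab12"), ("Summer2017", "Summer2018"),
                     ("Summer2017", "Qz!Kp9vX")]:
        print(f"{old!r} -> {new!r}: {check_password(old, new) or 'OK'}")
```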
SELinux
Disabling SELinux: edit /etc/selinux/config and reboot.
RHEL5
- Runs setroubleshootd
- logs to /var/log/audit/audit.log
- Command 'sealert' used to interface with setroubleshootd
sealert -a /var/log/audit/audit.log
Sudo - Password Caching
By default, sudo caches the password for 5 minutes.
To run sudo remotely (from a session without a tty)
Add the following to /etc/sudoers (here for the user uptagent):
Defaults:uptagent !requiretty
To allow very specific access
Add the following to /etc/sudoers to allow the users in NAMED_GROUP to start/stop myservice and edit /etc/service.conf as root without a password, and to run any command as myuser. Note that vi run as root can spawn a shell; sudoedit is the safer way to grant editing of a single file.
User_Alias NAMED_GROUP=user1,user2
Cmnd_Alias COMMAND_GROUP=/etc/init.d/myservice,/bin/vi /etc/service.conf
NAMED_GROUP ALL=(root)NOPASSWD:COMMAND_GROUP
NAMED_GROUP ALL=(myuser)NOPASSWD:ALL
linuxsecurity.txt · Last modified: 2017/11/10 01:45 by mark