Preventing root escalation on Unix and Linux systems
Regardless of the particular operating system, certain things
need to be done to systems to ensure that they remain secure
over time. Assuming that your system has at least a baseline
level of security, you need to do the following to maintain
security:
- Install new patches in a timely manner. The longer you
wait to install a patch, the greater the probability that
the vulnerability that the patch fixes will be exploited.
- Read your system's security and system log entries regularly,
ideally every day.
- Make backups (full and incremental) as often as appropriate.
Mission-critical servers should have full backups no less
than once a week. Verify each backup after you make it.
- Check permissions and ownerships of critical files and
directories (such as the /, /bin and /etc directories in
Unix and Linux systems, and the %systemroot% folder, which
is normally the Windows folder in newer Windows systems
such as Windows XP and Windows Server 2003, in Windows systems)
to ensure that they have not been changed.
- Check accounts and group memberships to ensure that changes
such as the addition of unauthorized accounts have not occurred.
Disable all unused accounts.
- Determine who has root access in Unix and Linux systems
and Administrator-level privileges in Windows systems, ensuring
that no one has gained superuser privileges without authorization.
- Check the assignment of rights and abilities in Windows
systems to ensure that no one but Administrators has rights
such as scheduling tasks and that restrictions such as denying
anonymous enumeration of SAM accounts and shares are still
in place.
- Inspect services that your machine is running and turn
off the ones that are not needed. Examine mail, Web and
FTP services in particular.
- Close all applications that you do not need.
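The account and group checks in the list above (who holds UID 0 or GID 0, which accounts are still enabled) are easy to turn into a repeatable script. The following is an added example, not code from the original page: a small passwd/shadow audit in POSIX sh and awk. The sample files written by write_sample_files are constructed for the example (the "admin2" entry stands in for an unauthorised second UID 0 account); on a real host the functions are pointed at /etc/passwd and /etc/shadow, and reading shadow needs root.

```sh
#!/bin/sh
# Added example, not from the original page: list root-equivalent accounts
# (UID 0 / GID 0) and accounts that can still log in, from a passwd/shadow
# pair.  Assumes POSIX sh and awk.  write_sample_files creates constructed
# sample data so the script runs stand-alone; it is not real system data.

# uid0_accounts PASSWD -> names whose UID is 0: the real root plus any extra
# superuser entry someone has added
uid0_accounts() {
    awk -F: '$3 ~ /^0+$/ { print $1 }' "$1"
}

# gid0_accounts PASSWD -> names whose primary group is GID 0
gid0_accounts() {
    awk -F: '$4 ~ /^0+$/ { print $1 }' "$1"
}

# shell_accounts PASSWD -> names whose login shell is not a nologin/false stub
shell_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# empty_password_accounts SHADOW -> names with an empty password field,
# i.e. no password is required at all
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# unlocked_accounts SHADOW -> names whose hash is present and not locked
# with a leading "!" or "*"
unlocked_accounts() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ { print $1 }' "$1"
}

# write_sample_files DIR -> writes constructed passwd and shadow files
# ("admin2" stands in for an unauthorised second UID 0 entry)
write_sample_files() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin2:x:0:0:second root entry:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc:x:1001:0:service account:/var/svc:/bin/false
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$constructedsalt$constructedhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
admin2:$6$constructedsalt$constructedhash:19000:0:99999:7:::
alice:!$6$constructedsalt$constructedhash:19000:0:99999:7:::
svc::19000:0:99999:7:::
EOF
}

# audit_report PASSWD SHADOW -> prints every list; returns 1 when there is
# more than one UID 0 account or any account without a password
audit_report() {
    echo "UID 0 accounts:";              uid0_accounts "$1"
    echo "GID 0 accounts:";              gid0_accounts "$1"
    echo "Accounts with a shell:";       shell_accounts "$1"
    echo "Unlocked accounts:";           unlocked_accounts "$2"
    echo "Accounts without a password:"; empty_password_accounts "$2"
    [ "$(uid0_accounts "$1" | wc -l | tr -d ' ')" -eq 1 ] &&
        [ -z "$(empty_password_accounts "$2")" ]
}

# Stand-alone demo on the constructed data: ./audit.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d); write_sample_files "$d"
    audit_report "$d/passwd" "$d/shadow" || echo "FINDINGS: review the lists above"
    rm -r "$d"
fi
```

Keep yesterday's output of each list and diff it against today's; an account that appears in the UID 0 or unlocked list without a change ticket is the signal the checklist item is looking for.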
Preventing root escalation on Unix and Linux systems
Please note that there are many ways to escalate privileges
on a Unix or Linux system. For this reason, preventing root
escalation is a difficult problem. The following bullets don’t
guarantee that privileges cannot be escalated, but they attempt
to make it harder for an attacker to gain root access:
- Keep system patches current
- For Linux systems, run the latest kernel
- Ensure privileged accounts have good (uncrackable) passwords
- Monitor the system for SUID/SGID files:
find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \;
- Understand and use good file system permissions
- Ensure accounts have good umasks (e.g., 022 or 027)
- Minimize UID 0 and GID 0 accounts
- Ensure all directories in root’s PATH have permissions
that limit binary replacement
- Minimize system services
- Keep in mind the principle of “least privilege”—access
to files, directories, services, etc. should be at the minimum
privilege required for the job
- The best security measure is an alert system administrator:
- Understand that good security takes work
- Regularly monitor system logs
- Regularly examine system directories for changed or new
files and timestamps – tools such as Tripwire
can help here
- Permissions on system directories must only allow root
to write:
- /, /bin, /sbin, /etc, /usr, /usr/bin, etc.
- Passwords (especially system accounts) should follow
complexity guidelines
- Some systems (Linux) have mechanisms for enforcement
- Regularly change passwords
- Consider limiting coredumps, as coredumps can provide
opportunities for privilege escalation
- Only the required services should run on the system
- Check inetd or xinetd configuration
- Check services started up by /etc/rc —
often by means of chkconfig
- Root’s PATH shouldn’t include the current directory;
in fact, it should only contain fully qualified directory names
— this prevents root from executing Trojans in the current
directory
- Avoid having .rhosts file entries in root’s home directory (/)
- Never do a root login in cleartext
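The PATH and system-directory rules above (only fully qualified entries in root’s PATH, and only root able to write to /, /bin, /sbin, /etc, /usr and /usr/bin) can be checked mechanically. The following is an added example, not code from the original page: a POSIX sh audit that flags empty, “.” and relative PATH entries, missing directories, directories not owned by the expected user, and directories writable by group or other. It assumes POSIX sh, find(1), ls(1) and awk; the OWNER parameter defaults to root and is exposed only so the check can be exercised on directories you own.

```sh
#!/bin/sh
# Added example, not from the original page: check each directory in root's
# PATH (or any list of system directories) for the properties that stop a
# non-root user from planting a binary root will run.  Assumes POSIX sh,
# find(1), ls(1) and awk.

# check_dir DIR [OWNER] -> prints a finding and returns 1 when DIR is unsafe
# as a PATH entry; returns 0 silently otherwise.  OWNER defaults to root.
check_dir() {
    dir=$1; owner=${2:-root}
    case "$dir" in
        "" | .) echo "FLAG: empty or '.' entry makes the shell search the current directory"; return 1 ;;
        /*)     ;;
        *)      echo "FLAG: relative entry '$dir' resolves against the current directory"; return 1 ;;
    esac
    if [ ! -d "$dir" ]; then
        echo "FLAG: '$dir' does not exist (a dangling entry that could be created later)"
        return 1
    fi
    actual=$(ls -ld "$dir" | awk '{ print $3 }')
    if [ "$actual" != "$owner" ]; then
        echo "FLAG: '$dir' is owned by $actual, not $owner"
        return 1
    fi
    # -prune stops find descending; -perm -0020 / -0002 test the group and
    # other write bits on the directory itself
    if [ -n "$(find "$dir" -prune \( -perm -0020 -o -perm -0002 \) -print)" ]; then
        echo "FLAG: '$dir' is writable by group or other ($(ls -ld "$dir" | cut -c1-10))"
        return 1
    fi
    return 0
}

# audit_path PATHSTRING [OWNER] -> splits on ':' (keeping empty fields, which
# also mean "current directory"), checks every entry, prints a summary and
# returns 0 only when all entries pass
audit_path() {
    rest="$1:"; owner=${2:-root}; bad=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        check_dir "$entry" "$owner" || bad=$((bad + 1))
    done
    echo "$bad unsafe PATH entries"
    [ "$bad" -eq 0 ]
}

# audit_dirs OWNER DIR... -> the same check over an explicit list, e.g. the
# system directories that only root may write to
audit_dirs() {
    owner=$1; shift; bad=0
    for d in "$@"; do
        check_dir "$d" "$owner" || bad=$((bad + 1))
    done
    echo "$bad directories fail the $owner-only-write rule"
    [ "$bad" -eq 0 ]
}

# Typical use from root's own login shell:
#   audit_path "$PATH"
#   audit_dirs root / /bin /sbin /etc /usr /usr/bin
```

A trailing colon in PATH is as dangerous as a leading one, which is why the splitter appends a colon before looping rather than relying on IFS word splitting, which silently drops trailing empty fields.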
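Two items above, monitoring for SUID/SGID files and examining system directories for changed or new files, are both answered by one baseline-and-diff routine in the spirit of Tripwire. The following is an added example, not code from the original page or from Tripwire: a snapshot that records, for every regular file under the given directories, whether it carries the setuid/setgid bit and its SHA-256 digest, so a newly appeared SUID file and a replaced binary show up in the same daily diff. It assumes POSIX sh, find(1) with -perm, diff(1) and sha256sum(1) or shasum(1); BASELINE_DIR in the usage comment is a placeholder.

```sh
#!/bin/sh
# Added example, not from the original page: snapshot setuid/setgid bits and
# SHA-256 digests of files under chosen directories, then diff against a
# saved baseline.  Assumes POSIX sh, find, diff and sha256sum (or shasum).

# hash_file FILE -> hex SHA-256 digest
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# special_bits FILE -> "u" if setuid, "g" if setgid, "ug" for both, "-" for
# neither.  -prune keeps find from descending if FILE is a directory.
special_bits() {
    bits=
    [ -n "$(find "$1" -prune -perm -4000 -print)" ] && bits="${bits}u"
    [ -n "$(find "$1" -prune -perm -2000 -print)" ] && bits="${bits}g"
    printf '%s\n' "${bits:--}"
}

# snapshot DIR... -> one sorted line per regular file: "<bits> <sha256> <path>"
snapshot() {
    find "$@" -type f 2>/dev/null | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s %s\n' "$(special_bits "$f")" "$(hash_file "$f")" "$f"
    done
}

# list_special SNAPSHOT -> paths that carry a setuid or setgid bit
list_special() {
    grep -v '^- ' "$1" | cut -d' ' -f3-
}

# compare BASELINE CURRENT -> prints the lines that differ ("<" = baseline,
# ">" = current) and returns 1 if anything changed, 0 if nothing did
compare() {
    if diff "$1" "$2" >/dev/null; then
        echo "no changes since baseline"
        return 0
    fi
    echo "CHANGES since baseline (< baseline, > current):"
    diff "$1" "$2" | grep '^[<>]'
    return 1
}

# Typical use (as root; BASELINE_DIR is a placeholder; keep the baseline off
# the host or on read-only media so an intruder cannot re-baseline for you):
#   snapshot /bin /sbin /usr/bin /usr/sbin > "$BASELINE_DIR/baseline"   # once
#   snapshot /bin /sbin /usr/bin /usr/sbin > /tmp/current.$$            # daily
#   compare "$BASELINE_DIR/baseline" /tmp/current.$$ && exit 0
#   list_special /tmp/current.$$
```

Because the snapshot line changes when either the digest or the special bits change, a file that keeps its contents but gains a setuid bit is reported just like a file whose contents were replaced; after a legitimate patch run, take a fresh baseline so the next diff is quiet again.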