File System Security
File system security is about making sure your users can only do what you want them to be able to do. This means that you want system programs to be secure and users to be able to write only where you want them to.
NFS Security
Only run NFS as needed, and apply the latest patches. When creating your /etc/exports file, be certain to use limited access flags such as readonly or nosuid wherever possible. Use fully qualified hostnames so that only the host you want to be able to access the filesystem can access it.
Device Security
The device files /dev/null, /dev/tty and /dev/console should be world-writable but NEVER executable. Most other device files should be unreadable and unwritable by regular users.
Script Security
Never write setuid/setgid shell scripts (users can break out of them). Instead, write a compiled program in a language like C. Scripts should ALWAYS use full pathnames.
Program Security
Always get your programs from a known source. Verify via checksum that they haven't been tampered with. If you are compiling your own program, make sure you know that the compiler hasn't been tampered with either.
General Security Measures
Create minimal writable filesystems (especially for system files and directories!). Generally, users should only be able to write in their own directories and in /tmp. In addition, there will be directories for a specific group to write in. This way you control how each user can access specific areas of the system.
Make sure that important files are only accessible by authorized personnel. Use setuid/setgid only where necessary.
COPS will find many of these problems.
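Several of the checks above (setuid/setgid files, setuid scripts, world-writable paths, executable device nodes) can also be run by hand with find. The following is an added example, not part of the original post and not COPS code; the function names and the sample tree are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post, not COPS). Function names are
# hypothetical; pass the directory tree to audit as the only argument.

# Regular files with the setuid or setgid bit set.
find_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Subset of the above that are scripts: the file starts with "#!".
find_setid_scripts() {
    find_setid "$1" | while IFS= read -r f; do
        if [ "$(head -c 2 "$f" 2>/dev/null)" = '#!' ]; then
            printf '%s\n' "$f"
        fi
    done
}

# World-writable files, plus world-writable directories without the sticky
# bit. A sticky directory such as /tmp is the expected exception.
find_world_writable() {
    find "$1" -xdev \( \( -type f -perm -0002 \) -o \
        \( -type d -perm -0002 ! -perm -1000 \) \) -print 2>/dev/null
}

# Character or block device nodes with any execute bit set.
find_exec_devices() {
    find "$1" -xdev \( -type c -o -type b \) \
        \( -perm -0100 -o -perm -0010 -o -perm -0001 \) -print 2>/dev/null
}

# Constructed sample tree so the checks can be tried without touching the
# real system; prints the path of the temporary directory it created.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho hi\n' > "$d/suid_script"; chmod 4755 "$d/suid_script"
    printf 'not a script\n' > "$d/suid_data";        chmod 4755 "$d/suid_data"
    printf 'plain\n' > "$d/open_file";                chmod 0666 "$d/open_file"
    mkdir "$d/open_dir" "$d/sticky_dir"
    chmod 0777 "$d/open_dir"; chmod 1777 "$d/sticky_dir"
    printf '%s\n' "$d"
}
```

On a real system, run the functions against a tree such as /usr or /dev and compare the output with the list of setuid programs and writable locations you expect to exist.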