Linux Security

Question 1

File Types

Answer 1

• Regular
  d - directory
  l - linksoft link
  c - special or device /dev
  s - socket
  /dev/log - used for communication between processes like syslog
  p - named pipe Allow communication between two local processes
  b - block device/dev

Question 2

How to change the owner or group on a file/directory

Answer 2

chown chgrp -R

Question 3

Change the permissions on this to rwx for user group and other

Answer 3

chmod 777 this
chmod u+rwx,g+rwx,o+rwx this

Question 4

How do you know a file has an acl on it
setfacl for a user
now a group
now recursively
remove user
remove all entries
If you give a user the w permission can they delete?

Answer 4

+ at the end of the permissions

setfacl -m u:delsinm:rwx /home/delinsm/fart.txt

setfacl -m g:delsinm:rwx /home/delsinm/fart.txt

setfacl -rm u:delsinm:rwx /home/delinsm/fart.txt

setfacl -x u:delsinm /home/delsinm/fart.txt

setfacl -b /home/delsinm/fart.txt

No

Question 5

Change the greeting message for the server

Answer 5

vi /etc/motd

or

vi /etc/profile.d/motd.sh
vi /etc/ssh/sshd_config
ReadMotd no
systemctl restart sshd

Question 6

Orphan Packages

Answer 6

Package dependencies of deleted packages

Question 7

How to find and delete orphaned packages

Answer 7

dnf install yum-utils
package-cleanup –leaves
dnf remove ‘package-cleanup –leaves’

Question 8

difference between update and upgrade

Answer 8

upgrade deletes the old packages so if something goes wrong you can’t roll back

update preserves old packages

Question 9

Show your system version two ways

Answer 9

cat /etc/redhat-release
uname -a

Question 10

delete something that you’ve downloaded via dnf

Answer 10

dnf history
dnf history undo 2

Question 11

update system (this is something you should do for security)

Answer 11

dnf update
dnf upgrade

Question 12

Difference between a service and a package

Answer 12

Service is something that runs as a process in your machine

When a service isn’t used it’s just a package

Question 13

How to disable services through PAM

Answer 13

If you see services you don’t use, just change their names and it will disable

Question 14

Different ways to show services

Answer 14

netstat -l (shows listening “ready” packages/services

netstat -tunlp

systemctl -a
systemctl –list-all

chkconfig –list

service –stat-all | grep running

ps -ef (just the running one’s opposed to netstat -l)

Question 15

Disable a httpd

Answer 15

systemctl stop httpd
chkconfig httpd off

Question 16

Why should you partition different directories like
/boot
/usr
/home
/tmp
/var
/opt

Answer 16

This will make it harder for malware to spread
Also, if one fills up completely, like /tmp, it won’t affect the root directory.

Question 17

What do you used if you want to extend a disk?

Answer 17

LVM
Logical Volume Management

Question 18

What does Ctrl+Alt+Del

Answer 18

can log you out and reboot

Question 19

Check if Ctrl+Alt+Del is enabled
Disable Ctrl+Alt+Del (non-gui)
Disable Ctrl+Alt+Del (with gui)

Answer 19

systemctl status ctrl-alt-del.target
systemctl disable ctrl-alt-del.target

older
/etc/init/control-alt-delete.conf
(set parameter as no)

System tools
settings
devices
keyboard
double click logout
press delete and then set

Question 20

Show all targets
show default target

Answer 20

systemctl list-units –type target

systemctl get-default

systemctl set-default whatever

Question 21

service vs program

Answer 21

same thing

Question 22

Should you run multiple services/programs on one server?

Answer 22

No, this would make them all vulnerable, they’d also have a lot of ports to try and get into

Question 23

Console

Answer 23

port to plug into server to manage it

Question 24

Why would you want to disable usb stick detection?

Disable USB stick detection

Answer 24

It could have a script on it to gather data or plant a virus.

touch /etc/modprobe.d/no-usb
install usb-storage /bin/true

Question 25

What are the benefits of chronyd or ntpd? (synchronization)

Answer 25

Accurate time info across all devices and applications

Tracking security breaches, network usage or problems. This can be impossible if they’re not on same time.

Financial services and transactions require accurate time keeping which is required by law.

Question 26

Config files for ntp and chrony

checking info on them

where are logs stored

Answer 26

/etc/ntp.conf
/etc/chronyd.conf

chronyc sources
ntpq peers

/var/log/messages
/var/log/chrony/

Question 27

Where do you allow/deny users to run crontab?

How to only allow one user to use crontab?

Answer 27

add names into either:
/etc/cron.allow
/etc/cron.deny

put root and the other person’s name in allow and nothing in deny

Question 28

What port is rdp?

Answer 28

3389

Question 29

Where can you go to look at all ports?

Answer 29

/etc/services

Question 30

DAC vs MAC

Answer 30

Discretionary Access Control
Up to the admin

Mandatory Access Control
Mandatory

Question 31

After modifying selinux, what should you do?

Answer 31

/.autorelabel
Relabel everything for selinux enablement, otherwise it will have to do it on boot which takes forever.

Question 32

What are the different parts of selinux context

Answer 32

user:role:type:level

Question 33

How to check http at the socket level

Answer 33

netstat -tunlpZ | grep http

Question 34

Turn a boolean on permanently

Answer 34

setsebool -P thing on

Question 35

Change the context of a file permanently then just for this session

Answer 35

semanage fcontext -at httpd_syscontent_t /absolute/path/filename
or
semanage fcontext -mt httpd_sys_content_t “/absolute/path/directory(/.*)?”

restorecon -Rv /absolute/path/directory

(this will do everything in directory and -m just mean modify instead of -a add)

restorecon -v /absolute/path/filename

chcon -t httpd_syscontent_t filename

Question 36

Troubleshooting context if it’s not showing up, what can you look at?

Answer 36

semanage fcontext -l | grep /path/to/filename

cat /etc/selinux/targeted/contexts/files/file_contexts.local

Question 37

Where are actions such as allowing access stored?

Answer 37

AVC
Access Vector Cache

Question 38

Command to set and individual domain as permissive

Answer 38

semanage permissive -a httpd_t
-a add record
semanage module –list | grep http

Question 39

What format are levels typed out?
Where can you view detailed info on levels?

Answer 39

lowlevel-highlevel
c0,c3
/etc/selinux/targeted/setrans.conf

Question 40

Add a user named FART and give hime the staff user option.
Confirm afterword
How would you add FART after he was made to staff?

Answer 40

useradd -Z staff_u FART
passwd FART
logout
login
id -Z FART

login as root

semanage login -l

semanage login -d FART

semanage login -d FART (to modify instead of add, use the -m option)

semanage login -as staff_u FART

Question 41

Map __default__ to user_u so you have some SElinux user security going on, This will make default SELinux users user_u

Answer 41

semanage login -m -s user_u -r s0 __default__

-m modify
-s seuser
-range

semanage login -l

adduser test
passwd test
login as test
id -Z - to confirm

Question 42

Show further details why selinux denied something

Answer 42

sealert -l “*”

Question 43

Say you’re trying to turn the boolean on for httpd_can_network_connect_db and you want it to persist through a reboot. What would that command look like?

Answer 43

setsebool -P httpd_can_network_connect_db on

Question 44

Show selinux users and the user what user_u options you have

Answer 44

semanage login -l
seinfo -u

Question 45

confirm selinux is running

Answer 45

sestatus
getenforce
cat /etc/sysconfig/selinux
cat /etc/selinux/config

Question 46

What can guest_r and xguest_r and user_r and staff_r do?

Answer 46

guest_r can execute files in /tmp and /home

xguest_r can access network through browser and execute /tmp and /home

user_r Full permissions but no sudo

staff_r Can run sudo

Question 47

Let sysadmn connect via ssh
add new user called admin and give him sysadmn role and put him in the wheel group

Answer 47

setsebool -P ssh_sysadm_login on
adduser -G wheel -Z sysadm_u admin
semanage login -l

Question 48

Chapter 4
Change httpd port to 3131
Change Document root to /var/test_www/html
add file this to it and wget it.

Answer 48

Install policycoreutils-python-utils and setroubleshoot-server and httpd

WHEN CHANGING DOCUMENT ROOT YOU NEED TO CHANGE THE TWO DIRECTORY FIELDS AS WELL

semanage port -l | grep http
semanage port -at http_port_t -p tcp 3131

wget localhost:3131/this.txt

sealalert -l “*”

matchpathcon /var/www /var/test_www

semanage fcontext -ae /var/www /var/test_www
restorecon -Rv /var
or
semanage fcontext -at http_sys_content_t “/var/www/test_html(/.*)?”

systemctl restart httpd

Question 49

Install all the selinux packages

Answer 49

policycoreutils-python-utils <- Selinux

setroubleshoot-server <- check sealerts

setools-console <- shows seinfo

selinux-policy-devel <- for boolean stuff

Question 50

Let’s say a user can’t access a particular application (via selinux) what can we check to see what might be going wrong?

Answer 50

What is the role of the user?
let’s say it’s “user_r”
type in the below command to list what context(type) the user can access
seinfo -ruser_r -x

Question 51

What is a domain in selinux?

Answer 51

user, type, role, level,
Levels are determiners for what they can access in terms of other levelers
Sometimes types are just referred to as the domain`