Linux Security Flashcards
File Types (first character of an ls -l line)
- regular file
d - directory
l - symbolic (soft) link
c - character device, e.g. terminals in /dev
s - socket, e.g. /dev/log, used for communication between processes such as syslog
p - named pipe (FIFO); allows communication between two local processes
b - block device, e.g. disks in /dev
How to change the owner or group on a file/directory
chown user:group file (or chgrp group file); add -R to recurse into a directory
Change the permissions on this to rwx for user, group and other
chmod 777 this
chmod u+rwx,g+rwx,o+rwx this
(this makes the file world-writable; on a real system only do it when every local user genuinely needs to modify it)
How do you know a file has an acl on it
+ at the end of the permissions in ls -l (getfacl file shows the entries)
setfacl for a user
setfacl -m u:delsinm:rwx /home/delsinm/fart.txt
now a group
setfacl -m g:delsinm:rwx /home/delsinm/fart.txt
now recursively (the recursive flag is -R, applied to a directory)
setfacl -R -m u:delsinm:rwx /home/delsinm
remove user
setfacl -x u:delsinm /home/delsinm/fart.txt
remove all entries
setfacl -b /home/delsinm/fart.txt
If you give a user the w permission can they delete?
No. Deleting or renaming a file needs write (and execute) permission on the directory that contains it, not on the file itself.
Change the greeting message for the server
vi /etc/motd
or
vi /etc/profile.d/motd.sh
If sshd should not print /etc/motd itself (on RHEL PAM already prints it via pam_motd, so it would show twice), the sshd option is PrintMotd (there is no ReadMotd):
vi /etc/ssh/sshd_config
PrintMotd no
systemctl restart sshd
Orphan Packages
Packages that were pulled in as dependencies and are no longer required by any installed package (e.g. after the package that needed them was removed)
How to find and delete orphaned packages
dnf install yum-utils
package-cleanup --leaves
dnf remove $(package-cleanup --leaves)
(dnf autoremove does the same in one step; review the list first, a leaf package is not always unwanted)
difference between update and upgrade
In dnf, update is just an alias for upgrade; they do the same thing. In older yum, upgrade = update --obsoletes (it also removes packages that the new ones declare obsolete). Neither keeps the old package versions around, so rollback comes from the transaction history (dnf history undo <id>), not from which verb you used.
Show your system version two ways
cat /etc/redhat-release
uname -a
delete something that you've downloaded via dnf
dnf history (find the transaction ID)
dnf history undo 2 (2 = the transaction ID to revert)
update system (this is something you should do for security)
dnf update
dnf upgrade
Difference between a service and a package
A package is the set of installed files (the rpm). A service is a program from a package that the init system starts and keeps running as a background process (a daemon).
When a service isn't enabled or running, all you have is the installed package.
How to disable services through PAM
PAM does not stop a service. Every PAM-aware service has a config file /etc/pam.d/<service>; if that file is missing (e.g. renamed), PAM falls back to /etc/pam.d/other, which on RHEL denies all authentication, so nobody can log in through that service any more. To actually stop and disable the service use systemctl disable --now <service>.
Different ways to show services
netstat -l (shows listening, "ready" services)
netstat -tunlp (tcp, udp, numeric, listening, program; ss -tunlp is the modern equivalent)
systemctl list-units --all (systemctl -a is the same)
systemctl list-unit-files
chkconfig --list (SysV/older systems)
service --status-all | grep running
ps -ef (just the running processes, as opposed to the listeners netstat -l shows)
Disable a httpd
systemctl stop httpd
systemctl disable httpd (or systemctl disable --now httpd for both steps; chkconfig httpd off on SysV systems)
Why should you partition different directories like
/boot
/usr
/home
/tmp
/var
/opt
Each filesystem gets its own mount options: /tmp and /home can be mounted noexec,nosuid,nodev and /boot or /usr read-only, which makes it harder for malware or a user to run whatever they drop there.
Also, if one fills up completely, like /tmp or /var (logs), it won't fill the root filesystem and take the whole system down.
What do you use if you want to extend a disk?
LVM
Logical Volume Management
What does Ctrl+Alt+Del do?
Reboots the machine from the console, no login needed, so anyone with physical keyboard access can take the server down
Check if Ctrl+Alt+Del is enabled
systemctl status ctrl-alt-del.target
Disable Ctrl+Alt+Del (non-gui)
systemctl mask ctrl-alt-del.target (disable alone is not enough because the target is an alias of reboot.target; mask links it to /dev/null)
older (upstart, RHEL 6)
/etc/init/control-alt-delete.conf
(comment out the exec /sbin/shutdown line so the key combination does nothing)
Disable Ctrl+Alt+Del (with gui)
System tools > settings > devices > keyboard
double click logout, press Delete to clear the shortcut, then set it
Show all targets
systemctl list-units --type target
show default target
systemctl get-default
systemctl set-default <target> (e.g. multi-user.target) to change it
service vs program
A program is any executable; a service is a program the init system runs in the background. These cards use the two words interchangeably.
Should you run multiple services/programs on one server?
No. A compromise of one service hands the attacker everything else on the same host, and every extra service is another listening port to attack.
Console
The management port (serial console or dedicated management interface) you plug into to administer the server directly, without going over the network
Why would you want to disable usb stick detection?
Disable USB stick detection
It could carry a script that gathers data or plants malware, or be used to copy data off the machine.
Create /etc/modprobe.d/no-usb.conf (modprobe only reads files whose name ends in .conf, so a file called no-usb is ignored) containing:
install usb-storage /bin/true
(modprobe then runs /bin/true instead of loading the usb-storage module; unload it first with rmmod usb-storage if it is already loaded)
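As an added example (not from the flashcards), the following helper checks a modprobe.d directory the way modprobe itself reads it: only *.conf files count, and a blacklist line merely stops automatic loading by alias (hardware detection), while an install line pointing at /bin/true is what actually blocks the module. The directory and file contents at the bottom are constructed to stand in for /etc/modprobe.d.

```shell
#!/bin/sh
# Added example, not part of the flashcards or of modprobe: report whether a
# module is really blocked by a modprobe.d directory.
#   - modprobe only reads files in modprobe.d whose name ends in .conf,
#     so "no-usb" (without .conf) is silently ignored;
#   - "blacklist usb-storage" only stops loading by alias (e.g. when a stick
#     is plugged in); "modprobe usb-storage" still works;
#   - "install usb-storage /bin/true" stops every load attempt.
#
# module_block_state DIR MODULE  -> prints blocked | blacklisted | loadable
module_block_state() {
    dir=$1
    mod=$(printf '%s' "$2" | tr _ -)      # usb_storage and usb-storage are the same module
    state=loadable
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue           # no *.conf at all: the glob stays literal
        while read -r kw name rest; do
            case $kw in '#'*|'') continue ;; esac      # comments and blank lines
            [ "$(printf '%s' "$name" | tr _ -)" = "$mod" ] || continue
            case $kw in
                install)
                    # only a no-op install command blocks the module
                    case $rest in
                        /bin/true|/bin/false|/usr/bin/true|/usr/bin/false)
                            echo blocked; return 0 ;;
                    esac ;;
                blacklist) state=blacklisted ;;
            esac
        done < "$f"
    done
    echo "$state"
}

# Demo on a constructed directory standing in for /etc/modprobe.d
demo=$(mktemp -d)
printf 'install usb-storage /bin/true\n' > "$demo/no-usb"   # wrong file name
echo "no-usb (no .conf suffix): $(module_block_state "$demo" usb-storage)"  # loadable
mv "$demo/no-usb" "$demo/no-usb.conf"
echo "no-usb.conf:              $(module_block_state "$demo" usb-storage)"  # blocked
rm -rf "$demo"
```

On a live host, confirm what modprobe actually sees with modprobe -c | grep usb-storage and whether the module is currently loaded with lsmod | grep usb_storage.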
What are the benefits of chronyd or ntpd? (synchronization)
Accurate time info across all devices and applications
Tracking security breaches, network usage or problems across several hosts. Correlating their logs is close to impossible if their clocks disagree.
Financial services and transactions require accurate time keeping which is required by law.
Config files for ntp and chrony
/etc/ntp.conf
/etc/chrony.conf
checking info on them
chronyc sources (chronyc tracking shows the current offset)
ntpq -p
where are logs stored
/var/log/messages
/var/log/chrony/
Where do you allow/deny users to run crontab?
/etc/cron.allow
/etc/cron.deny
How to only allow one user to use crontab?
Put that user's name in /etc/cron.allow (root can always use cron). When cron.allow exists, cron.deny is ignored completely, so everyone not listed is refused; cron.deny only matters when there is no cron.allow.
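As an added example (not from the flashcards), the function below encodes the decision crontab makes from cron.allow and cron.deny, and runs it against constructed copies of the two files in a temporary directory so the precedence rule can be tried without touching /etc. The behaviour when neither file exists is a build-time default, so the helper reports that case as "unconfigured".

```shell
#!/bin/sh
# Added example, not part of the flashcards: crontab's allow/deny decision,
# as documented in crontab(1) for cronie (the cron shipped on RHEL).
#   1. root is always allowed, whatever the files say;
#   2. if cron.allow exists, only users listed in it are allowed and
#      cron.deny is never consulted;
#   3. otherwise, if cron.deny exists, everyone NOT listed in it is allowed;
#   4. if neither exists the result depends on how cron was built, so this
#      helper says "unconfigured": create cron.allow and be explicit.
#
# cron_access ETCDIR USER  -> prints allow | deny | unconfigured
cron_access() {
    etc=$1
    user=$2
    if [ "$user" = root ]; then
        echo allow
        return 0
    fi
    if [ -f "$etc/cron.allow" ]; then
        # -x: the whole line must equal the user name, as cronie compares it
        if grep -qx "$user" "$etc/cron.allow"; then echo allow; else echo deny; fi
    elif [ -f "$etc/cron.deny" ]; then
        if grep -qx "$user" "$etc/cron.deny"; then echo deny; else echo allow; fi
    else
        echo unconfigured
    fi
}

# Demo: "only allow one user", set up the way the card describes,
# on a constructed directory standing in for /etc.
demo_etc=$(mktemp -d)
printf 'root\ndelsinm\n' > "$demo_etc/cron.allow"
: > "$demo_etc/cron.deny"                 # empty; ignored while cron.allow exists
for u in root delsinm test; do
    echo "$u: $(cron_access "$demo_etc" "$u")"   # root: allow, delsinm: allow, test: deny
done
rm -rf "$demo_etc"
```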
What port is rdp?
3389
Where can you go to look at all ports?
/etc/services
DAC vs MAC
Discretionary Access Control
The owner of an object decides who may access it (chmod/chown/ACLs), and root can override everything
Mandatory Access Control
Access is decided by a policy the kernel enforces on every access (SELinux); neither the owner nor root can bypass it by editing permissions
After modifying selinux, what should you do?
touch /.autorelabel (or fixfiles onboot), then reboot
This relabels every file on the next boot. It is needed when going from disabled to permissive/enforcing: files created while SELinux was off have no labels, and an enforcing boot with unlabeled files fails. Switching between permissive and enforcing with SELinux already on does not need a relabel.
What are the different parts of selinux context
user:role:type:level
How to check http at the socket level
netstat -tunlpZ | grep http (-Z shows the SELinux context of the listening process; ss -tunlpZ works the same way)
Turn a boolean on permanently
setsebool -P <boolean> on (-P writes it to the policy so it survives a reboot)
Change the context of a file permanently, then just for this session
semanage fcontext -a -t httpd_sys_content_t /absolute/path/filename
restorecon -v /absolute/path/filename
or, for a whole directory
semanage fcontext -a -t httpd_sys_content_t "/absolute/path/directory(/.*)?"
restorecon -Rv /absolute/path/directory
(-a adds a rule, -m modifies one that already exists; the rule only takes effect once restorecon applies it to the files)
Session only (lost on the next relabel):
chcon -t httpd_sys_content_t filename
Troubleshooting context if it’s not showing up, what can you look at?
semanage fcontext -l | grep /path/to/filename
cat /etc/selinux/targeted/contexts/files/file_contexts.local
Where are actions such as allowing access stored?
AVC
Access Vector Cache: the kernel caches each allow/deny decision so the policy is not re-evaluated on every access. Denials are logged as AVC messages in /var/log/audit/audit.log (ausearch -m avc).
Command to set an individual domain as permissive
semanage permissive -a httpd_t
-a add record (semanage permissive -l lists permissive domains, -d removes one)
semanage module -l | grep http
What format are levels typed out?
lowlevel-highlevel, e.g. s0-s0:c0.c1023 (sensitivity s0; categories c0 up to c1023)
c0,c3 is a list of categories; c0.c3 is a range (c0 to c3)
Where can you view detailed info on levels?
/etc/selinux/targeted/setrans.conf (maps levels and categories to readable names)
Add a user named FART and give him the staff user option.
Confirm afterward.
useradd -Z staff_u FART
passwd FART
logout, log in as FART
id -Z (shows the context of the current session; id -Z cannot be combined with a user name, so run it as that user)
How would you manage FART's mapping after he was made staff? (as root)
semanage login -l (list Linux login to SELinux user mappings)
semanage login -d FART (delete the mapping; FART then falls back to __default__)
semanage login -a -s staff_u FART (add it back; use -m instead of -a to modify an existing mapping)
Map __default__ to user_u so you have some SELinux user security going on. This makes new logins user_u instead of unconfined_u.
semanage login -m -s user_u -r s0 __default__
-m modify
-s seuser
-r range
semanage login -l
adduser test
passwd test
login as test
id -Z (to confirm the session is user_u)
Show further details why selinux denied something
sealert -l "*" (all alerts; sealert -a /var/log/audit/audit.log analyses the raw audit log)
Say you’re trying to turn the boolean on for httpd_can_network_connect_db and you want it to persist through a reboot. What would that command look like?
setsebool -P httpd_can_network_connect_db on
Show the SELinux users, and which roles a user such as user_u has
semanage login -l (Linux login to SELinux user)
semanage user -l (SELinux users and their roles)
seinfo -u (SELinux users in the loaded policy; seinfo -uuser_u -x shows one user's roles and range)
confirm selinux is running
sestatus
getenforce
cat /etc/sysconfig/selinux
cat /etc/selinux/config
What can guest_r and xguest_r and user_r and staff_r do?
guest_r: no X, no network, cannot execute files in /tmp or its home directory
xguest_r: X session, network only through the browser, cannot execute files in /tmp or its home directory
user_r: a full user session, but no su or sudo
staff_r: like user_r but can run sudo (still no su)
Let sysadm_u connect via ssh
setsebool -P ssh_sysadm_login on
add a new user called admin, map him to sysadm_u and put him in the wheel group
useradd -G wheel -Z sysadm_u admin
semanage login -l (confirm the mapping)
Chapter 4
Change httpd port to 3131
Change Document root to /var/test_www/html
add file this.txt to it and wget it.
Install policycoreutils-python-utils and setroubleshoot-server and httpd
WHEN CHANGING DOCUMENT ROOT YOU NEED TO CHANGE THE TWO DIRECTORY FIELDS AS WELL (in /etc/httpd/conf/httpd.conf: Listen 3131, DocumentRoot, and both <Directory> blocks that point at the old root)
semanage port -l | grep http (3131 is not in http_port_t yet; if the port already belongs to another type, use -m instead of -a)
semanage port -a -t http_port_t -p tcp 3131
matchpathcon /var/www /var/test_www (compare the labels of the old and new roots)
semanage fcontext -a -e /var/www /var/test_www (label /var/test_www the same way as /var/www)
restorecon -Rv /var/test_www
or
semanage fcontext -a -t httpd_sys_content_t "/var/test_www(/.*)?"
restorecon -Rv /var/test_www
systemctl restart httpd
wget localhost:3131/this.txt
sealert -l "*" (if the restart fails or wget gets 403, the denial is explained here)
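As an added example (not from the flashcards, and not part of httpd or the SELinux tools), the script below does the Chapter 4 port change with the check a practitioner wants first: semanage port -a fails when the port is already defined in policy (8080, for instance, belongs to http_cache_port_t), and then the right verb is -m. The helpers parse semanage port -l output; the sample at the bottom is constructed to stand in for that output, and relocate_httpd is the full procedure to run as root on the target host (with apply as the argument). The port and path come from the card; the script name relocate.sh is assumed.

```shell
#!/bin/sh
# Added example, not part of the flashcards: move httpd to a new port and
# document root under SELinux, choosing "semanage port -a" or "-m" from the
# current policy instead of guessing.

# port_owner PORT PROTO  (semanage port -l on stdin) -> owning type, or nothing
# Handles the two forms in the listing: "80, 81, 443" and ranges "10001-10010".
port_owner() {
    awk -v port="$1" -v proto="$2" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                if (p ~ /-/) {                    # range like 10001-10010
                    split(p, r, "-")
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) { print $1; exit }
                } else if (p + 0 == port + 0) {
                    print $1; exit
                }
            }
        }'
}

# port_cmd PORT PROTO TYPE  (semanage port -l on stdin)
#   -> the semanage command that makes PORT/PROTO TYPE, or nothing if it already is
port_cmd() {
    owner=$(port_owner "$1" "$2")
    if [ -z "$owner" ]; then
        echo "semanage port -a -t $3 -p $2 $1"    # not defined anywhere: add
    elif [ "$owner" != "$3" ]; then
        echo "semanage port -m -t $3 -p $2 $1"    # defined for another type: modify
    fi
}

# The Chapter 4 procedure, run as root on the RHEL host (requires that
# httpd.conf already has Listen PORT, DocumentRoot DOCROOT/html and the
# <Directory> blocks pointed at DOCROOT).
relocate_httpd() {
    port=$1; docroot=$2
    cmd=$(semanage port -l | port_cmd "$port" tcp http_port_t)
    [ -n "$cmd" ] && $cmd
    semanage fcontext -a -e /var/www "$docroot"   # label the new root like /var/www
    restorecon -Rv "$docroot"
    systemctl restart httpd
}

# Constructed sample of "semanage port -l | grep http" for the demo/test.
SAMPLE='http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130'

if [ "${1:-}" = apply ]; then
    relocate_httpd 3131 /var/test_www
else
    for p in 3131 8080 8443; do
        c=$(printf '%s\n' "$SAMPLE" | port_cmd "$p" tcp http_port_t)
        printf '%s/tcp: %s\n' "$p" "${c:-already http_port_t, nothing to do}"
    done
fi
```

Without an argument the script only prints, from the sample, which command each port would need (3131: add, 8080: modify, 8443: nothing); with apply it runs the real semanage, restorecon and systemctl commands, so run that only on the host being configured.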
Install all the selinux packages
policycoreutils-python-utils <- semanage and the other SELinux management tools
setroubleshoot-server <- sealert
setools-console <- seinfo, sesearch
selinux-policy-devel <- headers and Makefile for building your own policy modules
Let's say a user can't access a particular application (via selinux); what can we check to see what might be going wrong?
What is the role of the user?
let's say it's "user_r"
type the command below to list which types (domains) that role may enter
seinfo -ruser_r -x
What is a domain in selinux?
A context has four parts: user, role, type, level.
Levels (sensitivity plus categories) decide what a process may access relative to other levels (MLS/MCS).
The type of a running process is usually called its domain (e.g. httpd_t); the same field on a file is just called its type.