Auditing Security

There are many applications and application suites available to perform regular security audits and track changes to critical files. In addition, you have the power to perform a quick security audit on your system by using the find command. This is by no means a deep security audit but just a quick and dirty scan of your system to find files that have the SUID/SGID permission set that shouldn’t. Having these permissions bits set on files owned by root is a serious vulnerability, because they can allow users who do not have root access to execute commands as root and potentially initiate a root account compromise.

What you’re looking for is files that have permissions set similar to the following:

-rwSr-xr-x (SUID) or –rw-r-Sr-x (SGID)

The following find command locates all files with the SUID permission set for root:

# find / -type f -perm -u=s -ls

Here are some examples of files that match this permission:

12734848   44 -rwsr-xr-x  1 root root  44320 Mar 14 05:37 /usr/bin/mount
12734863   32 -rwsr-xr-x  1 root root  32208 Mar 14 05:37 /usr/bin/su
12734867   32 -rwsr-xr-x  1 root root  32048 Mar 14 05:37 /usr/bin/umount
13025626  144 ---s--x--x  1 root root  147392 Oct 30  2018 /usr/bin/sudo
12777317   60 -rwsr-xr-x  1 root root   57664 Nov 20  2018 /usr/bin/crontab
13037754   28 -rwsr-xr-x  1 root root   27832 Jun 10  2014 /usr/bin/passwd

Similarly, the find command to locate files that have the SGID permission set is as follows:

# find / -type f -perm -u=s -ls

And here are some examples of matching files:

12649555  16 -r-xr-sr-x 1 root tty     15344 Jun  9  2014 /usr/bin/wall
12734873  20 -rwxr-sr-x 1 root tty     19624 Mar 14 05:37 /usr/bin/write
13015059 376 ---x--s--x 1 root nobody 382240 Apr 10  2018 /usr/bin/ssh-agent

As you can see from you own listing, the number of files with SGID set is far fewer than those with SUID set. Some system files require SUID/SGID permission to be set, but there are very few of them. You need to perform a baseline audit of your systems upon initial installation and then track those changes periodically to be sure that no rogue programs or users have exploited this security flaw.

Conclusion

There are several other Linux hardening methods such as PAM, iptables, enabling SELinux, removing any X display managers, and regular port monitoring, but these are outside the scope of this article. I may revisit them in future installments individually. As stated previously, you can’t remove all network access to your servers, because that defeats the purpose of having a server. But now you have a small but powerful toolbox of utilities and techniques that will help you to keep your systems safer.

© Nikolay Okhitin, Fotolia.com