Security - verify that All World-Writable Directories Have Sticky Bits Set
Locate any directories in local partitions which are world-writable and do not have their sticky bits set. The following command will discover and print these. Run it once for each local partition:
# find PARTITION -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
If this command produces any output, fix each reported directory /dir using the command:
When the so-called “sticky bit” is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may remove any file in the directory. Setting the sticky bit prevents users from removing each other’s files. In cases where there is no reason for a directory to be world-writable, a better solution is to remove that permission rather than to set the sticky bit.
Tags: Bits, Directories, Security, sticky, World-Writable
Disable Mounting of Uncommon Filesystem Types
Append the following lines to /etc/modprobe.conf in order to prevent the usage of uncommon filesystem types:
install cramfs /bin/true
install freevxfs /bin/true
install jffs2 /bin/true
install hfs /bin/true
install hfsplus /bin/true
install squashfs /bin/true
install udf /bin/true
Using the install command inside /etc/modprobe.conf instructs the kernel module loading system to run the command specified (here, /bin/true) instead of inserting the module in the kernel as normal. This effectively prevents usage of these uncommon filesystems.
Tags: Disable, filesystem, mounting, Types, Uncommon
Disable Modprobe Loading of USB Storage Driver
If USB storage devices should not be used, the modprobe program used for automatic kernel module loading should be configured to not load the USB storage driver upon demand.
Add the following line to /etc/modprobe.conf to prevent loading of the usb-storage kernel module:
install usb-storage /bin/true
This will prevent the modprobe program from loading the usb-storage module, but will not prevent an administrator (or another program) from using the insmod program to load the module manually.
Tags: Disable, Driver, Loading, Modprobe, Storage
Restrict Console Device Access
The default system configuration grants the console user enhanced privileges
normally reserved for the root user, including temporary ownership of most system devices.
If not necessary, these privileges should be removed and restricted to root only.
Restrict device ownership to root only.
Edit /etc/security/console.perms.d/50-default.perms and locate the section prefaced by the following comment:
# permission definitions
Prepend a # symbol to comment out each line in that section which starts with [console] or [xconsole]
Edit /etc/security/console.perms and make the following changes:
[console]=tty[0-9][0-9]* vc/[0-9][0-9]* :0\.[0-9] :0
[xconsole]=:0\.[0-9] :0
Tags: Access, Console, device, Restrict
Using nodev, nosuid, and noexec Options to Temporary Storage Partitions
Temporary storage directories such as /tmp and /dev/shm potentially provide storage space for malicious executables.
Although mount options options cannot prevent interpreted code stored there from
getting executed by a program in another partition, using certain mount options can
be disruptive to malicious code.
Add nodev, nosuid, and noexec Options to /tmp
#Edit the file /etc/fstab. Add the text nodev,nosuid,noexec to the list of mount options in column 4.
#Edit the file /etc/fstab. Add the text ,nodev,nosuid,noexec to the list of mount options in column 4
Tags: nodev, noexec, nosuid, Partitions
