Archive for May, 2012

Disable Mounting of Uncommon Filesystem Types

Append the following lines to /etc/modprobe.conf in order to prevent the usage of uncommon filesystem types:

install cramfs /bin/true
install freevxfs /bin/true
install jffs2 /bin/true
install hfs /bin/true
install hfsplus /bin/true
install squashfs /bin/true
install udf /bin/true

Using the install command inside /etc/modprobe.conf instructs the kernel module loading system to run the command specified (here, /bin/true) instead of inserting the module in the kernel as normal. This effectively prevents usage of these uncommon filesystems.

Disable Modprobe Loading of USB Storage Driver

If USB storage devices should not be used, the modprobe program used for automatic kernel module loading should be configured to not load the USB storage driver upon demand.

Add the following line to /etc/modprobe.conf to prevent loading of the usb-storage kernel module:

install usb-storage /bin/true

This will prevent the modprobe program from loading the usb-storage module, but will not prevent an administrator (or another program) from using the insmod program to load the module manually.


Restrict Console Device Access

Restrict Console Device Access

The default system configuration grants the console user enhanced privileges
normally reserved for the root user, including temporary ownership of most system devices.

If not necessary, these privileges should be removed and restricted to root only.

Restrict device ownership to root only.
Edit /etc/security/console.perms.d/50-default.perms and locate the section prefaced by the following comment:

# permission definitions
Prepend a # symbol to comment out each line in that section which starts with [console] or [xconsole]

Edit /etc/security/console.perms and make the following changes:

[console]=tty[0-9][0-9]* vc/[0-9][0-9]* :0\.[0-9] :0
[xconsole]=:0\.[0-9] :0

Using nodev, nosuid, and noexec Options to Temporary Storage Partitions

Temporary storage directories such as /tmp and /dev/shm potentially provide storage space for malicious executables.

Although mount options options cannot prevent interpreted code stored there from
getting executed by a program in another partition, using certain mount options can
be disruptive to malicious code.

Add nodev, nosuid, and noexec Options to /tmp
#Edit the file /etc/fstab. Add the text nodev,nosuid,noexec to the list of mount options in column 4.
#Edit the file /etc/fstab. Add the text ,nodev,nosuid,noexec to the list of mount options in column 4

Add nodev Option to Non-Root Local Partitions

Edit the file /etc/fstab. The important columns for purposes of this section are column 2 (mount point), column 3 (filesystem type), and column 4 (mount options). For any line which satisfies all of the conditions:

The filesystem type is ext2 or ext3
The mount point is not /

add the text “,nodev” to the list of mount options in column 4.

The nodev option prevents users from mounting unauthorized devices on any partition which is known not to contain any authorized devices. The root partition typically contains the /dev directory, which is the primary location for authorized devices, so this option should not be set on /. However, if system programs are being run in chroot jails, this advice may need to be modified further, since it is often necessary to create device files inside the chroot directory for use by the restricted program.

« Prev - Next »