Archive for the tag 'Checking'

SBDavid

Checking all directadmin.conf values

Note that if the value does not exist in the directadmin.conf, it will be the default internal value within DirectAdmin.

Adding a value to the directadmin.conf would override the internal default.
You can always see what values are being used on your system by typing:

/usr/local/directadmin/directadmin c

Variables whose default value is (null) should not be added to the directadmin.conf unless you plan on using them.

If you want to remove such a variable, remove it completely from the directadmin.conf.

SBDavid

Checking for Unlocked Accounts


It is important that all system and vendor accounts that are not used for logins are locked.

To get a list of unlocked accounts on your system, you can check for accounts that do NOT have an encrypted password string starting with “!” or “*” in the /etc/shadow file. If you lock an account using passwd -l, it will put a ‘!!’ in front of the encrypted password, effectively disabling the password.

If you lock an account using usermod -L, it will put a ‘!’ in front of the encrypted password. Many system and shared accounts are usually locked by default by having a ‘*’ or ‘!!’ in the password field which renders the encrypted password into an invalid string.

~$ sudo egrep -v '.*:\*|:\!' /etc/shadow | awk -F: '{print $1}'
root
buddies
nagios

Also make sure all accounts have an ‘x’ in the password field in /etc/passwd. The following command lists all accounts that do not have an ‘x’ in the password field:

# grep -v ':x:' /etc/passwd

An ‘x’ in the password field means that the password has been shadowed, i.e. the encrypted password has to be looked up in the /etc/shadow file. If the password field in /etc/passwd is empty, then the system will not look up the shadow file and it will not prompt the user for a password at the login prompt.

All system or vendor accounts that are not being used by users, applications, by the system or by daemons should be removed from the system. You can use the following command to find out if there are any files owned by a specific account:

# find / -path /proc -prune -o -user [account] -ls

The -prune option in this example is used to skip the /proc filesystem. If you are sure that an account can be deleted, you can remove the account using the following command:

# userdel -r [account]
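The two checks above (unlocked hashes in /etc/shadow, non-shadowed entries in /etc/passwd) as a small audit script. This is an added example, not code from the original post; the account names, hashes and file contents are constructed sample data, and the script reads text in the two files' formats rather than touching the real files.

```python
from typing import Dict, List

# Constructed sample data (not from a real host), in /etc/passwd and /etc/shadow format.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
buddies:x:1001:1001::/home/buddies:/bin/bash
nagios:x:1002:1002::/var/lib/nagios:/bin/bash
guest:x:1003:1003::/home/guest:/bin/bash
legacy::1004:1004::/home/legacy:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$c0nstructed$fakehashfortheexample:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
buddies:$6$c0nstructed$anotherfakehash:19000:0:99999:7:::
nagios:!$6$c0nstructed$lockedbyusermodL:19000:0:99999:7:::
guest::19000:0:99999:7:::
legacy:!!:19000:0:99999:7:::
"""

def parse_colon_file(text: str) -> Dict[str, List[str]]:
    """Map user name -> field list for passwd/shadow-style text; blank and '#' lines are skipped."""
    entries: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fields = line.split(":")
            entries[fields[0]] = fields
    return entries

def unlocked_accounts(shadow_text: str) -> List[str]:
    """Names whose shadow password field is not locked with a leading '!' (usermod -L,
    or '!!' from passwd -l) or '*'. An empty field (no password set) is reported as well."""
    result = []
    for name, fields in parse_colon_file(shadow_text).items():
        pw = fields[1] if len(fields) > 1 else ""
        if not pw.startswith(("!", "*")):
            result.append(name)
    return result

def unshadowed_accounts(passwd_text: str) -> List[str]:
    """Names whose /etc/passwd password field is not 'x', i.e. not delegated to /etc/shadow."""
    return [name for name, fields in parse_colon_file(passwd_text).items()
            if len(fields) < 2 or fields[1] != "x"]

if __name__ == "__main__":
    # Runs against the constructed sample; read the real files on a host you administer instead.
    print("unlocked (review these):", unlocked_accounts(SAMPLE_SHADOW))
    print("not shadowed in passwd:", unshadowed_accounts(SAMPLE_PASSWD))
```

Every name in the first list is one you should either lock with passwd -l / usermod -L or justify as a real login account.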

Checking File Permissions and Ownership for Security

A simple way to calculate umask values is to remember that the number 2 in the umask turns off write permission, while 7 turns off read, write, and execute permission.

The umask (UNIX shorthand for “user file-creation mode mask”) is a four-digit octal number that UNIX uses to determine the file permission for newly created files. Every process has its own umask, inherited from its parent process.

The umask specifies the permissions you do not want given by default to newly created files and directories. The system applies it by ANDing the requested file-creation mode with the bitwise complement of the umask, so bits that are set in the umask correspond to permissions that are not automatically assigned to newly created files.

The most common umask values are 022, 027, and 077. A umask value of 022 lets the owner both read and write all newly created files, but everybody else can only read them:

 0666   default file-creation mode
(0022)  umask
 0644   resultant mode

A umask value of 077 lets only the file’s owner read all newly created files:

A recent trend among computing centers has been to set up new accounts with a umask of 077, so a user’s files will, by default, be unreadable by anyone else on the system unless the user makes a conscious choice to make them readable.
