How to Restrict Permissions on Files Used by cron
1. Restrict the permissions on the primary system crontab file.
# chown root:root /etc/crontab
# chmod 600 /etc/crontab
2. If anacron has not been removed, restrict the permissions on its primary configuration.
# chown root:root /etc/anacrontab
# chmod 600 /etc/anacrontab
3. Restrict the permission on all system crontab directories:
# cd /etc
# chown -R root:root cron.hourly cron.daily cron.weekly cron.monthly cron.d
# chmod -R go-rwx cron.hourly cron.daily cron.weekly cron.monthly cron.d
4. Restrict the permissions on the spool directory for user crontab files.
# chown root:root /var/spool/cron
# chmod -R go-rwx /var/spool/cron
Cron and anacron make use of a number of configuration and directories. The system crontabs need only be edited by root, and user crontabs are edited using the setuid root crontab command. If unprivileged users can modify system configuration, they may be able to gain elevated privileges, so all unnecessary access to these files should be disabled.
How to confirm Existence and Permissions of System Log Files
For each log file LOGFILE referenced in /etc/syslog.conf or /etc/rsyslog.conf, run the commands:
# touch LOGFILE
# chown root:root LOGFILE
# chmod 0600 LOGFILE
Syslog will refuse to log to a file which does not exist. All messages intended for that file will be silently discarded, so it is important to verify that all log files exist. Some logs may contain sensitive information, so it is better to restrict permissions so that only administrative users can read or write logfiles.
How to check for Unlabeled Device Files
Device files are used for communication with important system resources. SELinux contexts should exist for these. If a device file is not labeled, then misconfiguration is likely.
To check for unlabeled device files, run the following command:
# ls -Z | grep unlabeled_t
It should produce no output in a well-configured system.
How to find and Repair Unowned Files
The following command will discover and print any files on local partitions which do not belong to a valid user and a valid group. Run it once for each local partition PART:
# find PART -xdev \( -nouser -o -nogroup \) -print
If this command prints any results, investigate each reported file and either assign it to an appropriate user and group or remove it.
Unowned files are not directly exploitable, but they are generally a sign that something is wrong with some system process. They may be caused by an intruder, by incorrect software installation or incomplete software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so that they will not cause problems when accounts are created in the future, and the problem which led to unowned files should be discovered and addressed.
The LVM Configuration Files
LVM supports multiple configuration files. At system startup, the lvm.conf configuration file is loaded from the directory specified by the environment variable LVM_SYSTEM_DIR, which is set to /etc/lvm by default.
The lvm.conf file can specify additional configuration files to load. Settings in later files override settings from earlier ones. To display the settings in use after loading all the configuration files, execute the lvm dumpconfig command.
The following files are used for LVM configuration:
/etc/lvm/lvm.conf
Central configuration file read by the tools.
–
/etc/lvm/lvm_hosttag.conf
For each host tag, an extra configuration file is read if it exists: lvm_hosttag.conf.