File System Security for Unix Systems
File system security is about making sure your users can only do what
you want them to be able to do. This means you want system programs
to be secure, and users able to write only where you intend them to.
- NFS Security
Only run NFS when it is needed, and apply the latest patches. When creating
your /etc/exports file, be certain to use restrictive access flags such as
read-only or nosuid wherever possible. By using fully qualified hostnames
you guarantee that only the hosts you intend to have access to the
filesystem can reach it.
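The following audit script is an added example, not part of the original text; it checks an exports file for the two points made above (clients named by fully qualified hostname, exports read-only unless there is a reason otherwise) and also reports no_root_squash. It assumes Linux exports(5) syntax ("/path client(opts) client(opts)") and a sample file constructed inline in the usage guard. Note that on Linux, nosuid is a mount option applied on the NFS client rather than an export option, so it is not something this check can see in /etc/exports.

```sh
#!/bin/sh
# Audit an NFS exports file (Linux exports(5) syntax assumed).
# audit_exports FILE
# Prints one FINDING line per problem; returns 0 only when there are none.
audit_exports() {
    file="$1"
    findings=0
    set -f                       # no glob expansion while splitting on '*'
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac
        set -- $line             # $1 = exported path, rest = client entries
        path="$1"; shift
        if [ $# -eq 0 ]; then
            echo "FINDING: $path is exported to every host with default options"
            findings=$((findings + 1))
            continue
        fi
        for entry in "$@"; do
            client="${entry%%(*}"
            opts="${entry#*(}"; opts="${opts%)}"
            [ "$opts" = "$entry" ] && opts=""   # entry had no (options) part
            # "host (ro)" written with a space yields a client of "": exports(5)
            # applies that entry to every host, a classic configuration mistake.
            case "$client" in
                ''|*'*'*|*'?'*)
                    echo "FINDING: $path -> '$client' matches any host"
                    findings=$((findings + 1)) ;;
                *.*) ;;          # contains a dot: FQDN, address or network
                *)
                    echo "FINDING: $path -> '$client' is not a fully qualified hostname"
                    findings=$((findings + 1)) ;;
            esac
            case ",$opts," in
                *,ro,*) ;;
                *)  echo "FINDING: $path -> '$client' is not read-only (ro)"
                    findings=$((findings + 1)) ;;
            esac
            case ",$opts," in
                *,no_root_squash,*)
                    echo "FINDING: $path -> '$client' disables root squashing"
                    findings=$((findings + 1)) ;;
            esac
        done
    done < "$file"
    set +f
    [ "$findings" -eq 0 ]
}

# Stand-alone use (AUDIT_RUN is a constructed switch for this example):
#   AUDIT_RUN=1 sh exports_audit.sh /etc/exports
if [ "${AUDIT_RUN:-0}" = 1 ]; then
    audit_exports "${1:-/etc/exports}" && echo "no findings"
fi
```

An entry such as `/export/docs web1.example.com (ro)` produces two findings: the host itself has no options (so it is not read-only), and the separate `(ro)` entry applies to the whole world because of the space.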
- Device Security
Device files /dev/null, /dev/tty & /dev/console should be world-writable but NEVER executable.
Most other device files should be unreadable and unwriteable by regular users.
- Script Security
Never write setuid/setgid shell scripts (they can be broken out of). Instead,
write a compiled program in a language like "C".
Scripts should ALWAYS use full pathnames for the commands they run.
- Program Security
Always get your programs from a known source. Verify that they
haven't been tampered with by checking a checksum. If you are compiling your
own program, make sure you know that the compiler hasn't been tampered
with as well.
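As an added example of the checksum verification step (not code from the original text), the script below compares a fetched file against a SHA-256 digest that came through a separate trusted channel, either as a single value or as a SHA256SUMS-style file. It assumes GNU coreutils sha256sum; the file names and the digest in the usage comment are constructed for the example.

```sh
#!/bin/sh
# Verify a downloaded program against a digest obtained out of band.

# verify_artifact FILE EXPECTED_SHA256
# Returns 0 only when FILE's SHA-256 equals EXPECTED_SHA256 (full hex digest);
# 1 on mismatch, 2 when FILE does not exist.
verify_artifact() {
    file="$1"; expected="$2"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# verify_from_sums SUMSFILE
# Checks every entry of a SHA256SUMS-style file ("<hex>  <name>" per line),
# resolving the names relative to the directory that holds SUMSFILE.
# Returns sha256sum's status: 0 only if every listed file matches.
verify_from_sums() {
    sums="$1"
    ( cd "$(dirname "$sums")" && sha256sum --check "$(basename "$sums")" )
}

# Constructed usage: the digest is SHA-256 of the text "hello\n", standing in
# for the value printed on a vendor's signed release page.
#   printf 'hello\n' > tool.tar
#   verify_artifact tool.tar 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
```

The digest must not be taken from the same place as the download: an attacker who can replace the file can replace a checksum stored beside it just as easily.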
- General Security Measures
Keep writable filesystems to a minimum (especially system files and directories!).
Generally, users should only be able to write in their own directories
and in /tmp. In addition, there will be directories that a specific group
is allowed to write in. This way you control how each user can access specific
areas of the system.
Make sure that important files are only accessible by authorized personnel.
Use setuid/setgid only where necessary.
COPS will find many of these problems.
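To put the "minimal writable filesystems" rule into a check, here is an added example (not from the original text, and not part of COPS) that lists every world-writable regular file and every world-writable directory that lacks the sticky bit; a shared directory such as /tmp is acceptable only with the sticky bit, since that is what stops users from deleting each other's files. It assumes GNU find (-printf); AUDIT_RUN is a constructed switch for stand-alone use.

```sh
#!/bin/sh
# Report writable locations that the policy above does not allow.

# audit_world_writable ROOT
# Prints "FILE <mode> <path>" or "DIR <mode> <path>" per finding.
# Returns 0 when there are no findings, 1 otherwise.
audit_world_writable() {
    out=$(find "$1" -xdev \
            \( -type f -perm -0002 -printf 'FILE %m %p\n' \) -o \
            \( -type d -perm -0002 ! -perm -1000 -printf 'DIR %m %p\n' \) \
            2>/dev/null)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Stand-alone use over the root filesystem:  AUDIT_RUN=1 sh ww_audit.sh
if [ "${AUDIT_RUN:-0}" = 1 ]; then
    audit_world_writable "${1:-/}" && echo "no world-writable files or non-sticky directories"
fi
```

Run it per filesystem (-xdev keeps it from crossing mount points), and treat any hit under /etc, /usr or /bin as a defect to fix before anything else.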