File System Security
File system security is about making sure your users can only do what you want them to be able to do. This means
that you want system programs to be secure and users to only be able to write where you want them to be able to do
so.
NFS Security
Only run NFS as needed, apply latest patches. When creating your /etc/exports file, be certain to use
limited access flags when possible such as readonly or nosuid. By using fully qualified hostnames, you are
guaranteed that only the host you want to be able to access the filesystem can access it.
Device Security
Device files /dev/null, /dev/tty & /dev/console should be world writeable but NEVER executable. Most
other device files should be unreadable and unwriteable by regular users.
Script Security
Never write setuid/setgid shell scripts (can break out). Instead, write a compiled program in a language
like "C". Scripts should ALWAYS have full pathnames.
Program Security
Always get your programs from a known source. Verify that it hasn't been hampered with via checksum. If you
are compiling your own program, make sure you know that the compiler hasn't been tampered with as well.
General Security Measures
Create minimal writable filesystems (esp. system files/directories!). Generally, users should only be able
to write in their own directories, and /tmp. In addition, there will be directories for a specific group to
write in. This way you control how each user can access specific areas of the system.
Make sure that important files are only accessible by authorized personnel. Use setuid/setgid only where
necessary.
COPS will find many of these problems.
|