Quick Security Finds
Bear Giles | April 6, 2011

While I’m on the subject of file permissions, here are some oldies but goodies. Reiterating an earlier point: you should use a statically linked version of ‘find’, ideally one loaded from a read-only device such as a CD-ROM or NFS mount.
List all SUID files on the system.
$ find / -type f -perm /4000 -ls
There should be fewer than 30 files, and you should make sure you understand why every one of them is present. You may not need some of them, e.g., /usr/sbin/ppp.
Extension: most partitions should be mounted with the ‘nosuid’ flag.
List all SGID files on the system.
$ find / -type f -perm /2000 -ls
Again there should be fewer than 30 files, and you should make sure you understand why every one of them is present.
List all block and character devices.
$ find / -path /dev -prune -o -type b -ls
$ find / -path /dev -prune -o -type c -ls
No block or character devices should be present outside of the /dev partition. Direct access to these devices allows circumvention of all security measures.
Extension: every partition other than /dev should be mounted with the ‘nodev’ flag.
List all world-writable files.
$ find / -path /proc -prune -o -type f -perm -002 -ls
No files should be world-writable.
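The four checks above, as an added example that is not code from the original post: each is wrapped as a shell function that takes a root directory (so it can be exercised on a scratch tree), prunes pseudo-filesystems with find itself, and the set-id list is compared against a saved baseline so a newly appeared SUID/SGID binary stands out. The function names, the baseline file path in the usage comment, and GNU find's `-perm /mode` syntax are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Wraps the post's checks as
# functions that take a root directory, prune /proc and /sys inside find
# (grepping the -ls output for a leading path never matches, because -ls
# lines begin with an inode number), and diff the set-id list against a
# known-good baseline. Assumes GNU find for the "-perm /mode" syntax.

# Regular files with the set-user-ID or set-group-ID bit, one per line, sorted.
list_setid() {
    find "$1" \( -path /proc -o -path /sys \) -prune -o \
        -type f \( -perm /4000 -o -perm /2000 \) -print | sort
}

# Block or character device nodes anywhere outside /dev (pseudo-fs skipped).
list_stray_devices() {
    find "$1" \( -path /dev -o -path /proc -o -path /sys \) -prune -o \
        \( -type b -o -type c \) -print | sort
}

# World-writable regular files; "-perm -0002" requires the other-write bit.
list_world_writable() {
    find "$1" \( -path /proc -o -path /sys \) -prune -o \
        -type f -perm -0002 -print | sort
}

# Set-id files under $1 that are absent from the baseline file $2 (one path
# per line, e.g. list_setid output saved after the host was reviewed).
# Anything printed is a set-id binary that still needs an explanation.
setid_not_in_baseline() {
    sorted=$(mktemp)
    sort -u "$2" > "$sorted"
    list_setid "$1" | comm -23 - "$sorted"
    rm -f "$sorted"
}

# True when the set-id count is under the post's rule-of-thumb limit of 30.
setid_count_ok() {
    [ "$(list_setid "$1" | wc -l | tr -d ' ')" -lt 30 ]
}

# Usage on a live host (as root, ideally with a statically linked find);
# the baseline path is a placeholder:
#   list_setid / > /var/tmp/setid.baseline       # record once, after review
#   setid_not_in_baseline / /var/tmp/setid.baseline
#   list_stray_devices /
#   list_world_writable /
```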