Monthly Archives: October 2006

Find: various possibilities

find . -name "*.ext"
find . -user mike # owned by mike
find . -type d   # all directories; use -type f for all files
find . -size +1024M # more than 1 GB
find . -name "*.jpg" ! -name "bb*"  # all jpgs except those that start with bb
find /etc  -mtime -1 # all files in /etc that have been modified within the last [...]

RPM fast track

RPM packages have file names like foo-1.0-2.i386.rpm, which include the
package name (foo), version (1.0), release (2), and architecture (i386).
To display package information before installing the program, use the command:
# rpm -qpi foo-2.3-8.i386.rpm
To install an RPM package, use the command:
# rpm -ivh foo-1.0-2.i386.rpm
To upgrade an RPM package, use the command:
# rpm [...]

Tight up single-user login mode

Linux has a special command (linux single) also known as ‘single-user mode’, which can be
entered at the boot prompt during startup of the system. The single-user mode is generally used
for system maintenance. You can boot Linux in single-user mode by typing at the LILO boot
prompt the following command:
LILO: linux single
This will place the system in [...]

Tight Up NFS

Configure the /etc/exports file with the most restrictive access possible. This means not using wildcards, not allowing root
write access, and mounting read-only wherever possible.
Edit the exports file (vi /etc/exports) and add entries such as the following:
/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)
Where /dir/to/export is the directory you want to export, host1.mydomain.com is the machine allowed to log in to this directory, the [...]

Tightup /etc/fstab

- Mounting the boot partition read-only increases the security of the kernel. This is how you do it in /etc/fstab:
LABEL=/boot /boot ext2 defaults,ro 1 2
Then reload the changes:
# mount /boot -oremount
And yes, make it writable when you are planning a kernel upgrade. Otherwise the new kernel won't be able to enter
Other security options in the fstab file are:
 defaults [...]

Tightup /etc/rc.local

By default, when you log in to a Linux machine, it tells you the Linux distribution name, version, kernel version, and the name of the server. This gives away too much information. We’d rather just prompt users with a “Login:” prompt.
To do this, edit the rc.local file (vi /etc/rc.local) and place “#” in front of [...]

Tightup SETUID/SETGID

To find all files with the ‘s’ bits from root-owned programs, use the command:
# find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -l {} \;
software named “sXid” that will do the job for you automatically each
day and report the results via mail.
To disable the suid bits on selected programs above, [...]

TightPAM /etc/pam.d/

The password length
Edit the passwd file (vi /etc/pam.d/passwd) and remove the following line:
password required /lib/security/pam_stack.so service=system-auth
Edit the system-auth file (vi /etc/pam.d/system-auth) and remove the lines:
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
Now add the following lines to /etc/pam.d/passwd. We use the PAM “pam_cracklib” module here with the argument “minlen” to enforce [...]

Tightup /etc/rc.d/init.d/

Fix the permissions of the script files that are responsible for starting and stopping all your normal processes that need to run at boot time.
To fix the permissions of those files, use the following command:
[root@deep /]# chmod -R 700 /etc/init.d/*
This means that only the super-user “root” is allowed to read, write, and execute script files on [...]

Secure Log files

http://www.securityfocus.com/infocus/1613