The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.
Use separate disk partitions for operating system and user data to prevent a file-system-full condition from impacting the operation of a server. For example, you might create separate partitions for /home, /tmp, p, /oracle, and so on.
Establish disk quotas to prevent a user from accidentally or intentionally filling up a file system and denying access to other users.
To prevent operating system files and utilities from being altered during an attack, mount the /usr file system read-only. If you need to update any RPMs on that file system, use the -o remount,rw option of the mount command to remount /usr for both read and write access, for example mount -o remount,rw /usr. After performing the update, use mount -o remount,ro /usr to return the /usr file system to read-only mode. Package updates fail while /usr is read-only, so build the remount into your patching procedure rather than leaving /usr writable.
To limit what users can do with non-root local file systems such as /tmp, or with removable storage partitions, specify the -o noexec,nosuid,nodev options to mount (the option list is comma-separated, with no spaces). These options prevent the direct execution of binaries (a script can still be run by passing it explicitly to an interpreter, for example sh /tmp/script), cause the setuid and setgid bits (and file capabilities) to be ignored, and prevent the use of device files on that file system.
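The two mount policies above (a read-only /usr, and noexec,nosuid,nodev on user-writable and removable file systems) can be checked against the kernel's mount table rather than /etc/fstab, which shows what was requested, not what is in effect. The following script is an added example and is not part of the Oracle documentation. It reads the six-column format of /proc/self/mounts; the sample mount table embedded in it is constructed for illustration, and the POLICY list is an assumption a site would adjust.

```shell
#!/bin/sh
# Added example: audit mount options against a policy. Reads the same
# six-column format as /proc/self/mounts:
#   device mountpoint fstype options dump pass
# Run against the live system with:  audit_mounts /proc/self/mounts

# check_mount_opts MOUNTS_FILE MOUNTPOINT REQUIRED
#   REQUIRED is a comma-separated option list, e.g. "nosuid,nodev,noexec".
#   Prints each required option that is NOT set on MOUNTPOINT, one per
#   line (nothing if compliant). Returns 2 if MOUNTPOINT is not mounted.
#   If a path is mounted more than once, the last (topmost) entry wins,
#   which is the one the kernel actually serves.
check_mount_opts() {
    mounts=$1; mp=$2; required=$3
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$mounts")
    [ -n "$opts" ] || return 2
    echo "$required" | tr ',' '\n' | while read -r want; do
        case ",$opts," in
            *",$want,"*) ;;          # option present
            *) echo "$want" ;;       # option missing
        esac
    done
}

# Policy (assumed, adjust per site): mount point and the options it must carry.
POLICY='/usr ro
/tmp nosuid,nodev,noexec
/media/usb nosuid,nodev,noexec'

# audit_mounts MOUNTS_FILE: one report line per non-compliant mount point.
audit_mounts() {
    echo "$POLICY" | while read -r mp required; do
        missing=$(check_mount_opts "$1" "$mp" "$required") || {
            echo "$mp: not mounted"; continue; }
        [ -z "$missing" ] || echo "$mp: missing $(echo "$missing" | paste -s -d ' ' -)"
    done
}

# Constructed sample mount table (not a real system): /usr is read-only
# as recommended, /tmp lacks noexec, the USB stick is fully hardened.
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/mapper/vg-root / ext4 rw,relatime 0 0
/dev/mapper/vg-usr /usr ext4 ro,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
/dev/sdb1 /media/usb vfat rw,nosuid,nodev,noexec,relatime 0 0
EOF

audit_mounts "$SAMPLE_MOUNTS"      # prints: /tmp: missing noexec
```

Checking the live mount table catches the common case where /etc/fstab was edited but the file system was never remounted, and where a later mount -o remount,rw /usr was never reverted.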
Use the find command to check for unowned files and directories on each file system, for example:
# find mount_point -mount -type f \( -nouser -o -nogroup \) -exec ls -l {} \;
# find mount_point -mount -type d \( -nouser -o -nogroup \) -exec ls -ld {} \;
The parentheses around -nouser -o -nogroup are required: find's implicit -and binds more tightly than -o, so without them the -exec action would apply only to the -nogroup branch. The -ld option makes ls describe a matching directory itself rather than listing its contents.
Unowned files and directories might be associated with a deleted user account, they might indicate an error during software installation or removal, or they might be a sign of an intrusion on the system. Correct the permissions and ownership of the files and directories that you find, or remove them. If possible, investigate and correct the problem that led to their creation.
Use the find command to check for world-writable directories on each file system, for example:
# find mount_point -mount -type d -perm /o+w -exec ls -ld {} \;
Investigate any world-writable directory that is owned by a user other than a system user. That user can remove or change any file that other users write to the directory. Directories such as /tmp are world-writable by design but carry the sticky bit (shown as t in the ls output, or matched with -perm -1000), which prevents users from deleting or renaming files they do not own; a world-writable directory without the sticky bit deserves closer attention. Correct the permissions and ownership of the directories that you find, or remove them.
You can also use find to check for setuid and setgid executables:
# find path -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \;
If the setuid or setgid bit is set, an executable runs with the privileges of the file's owner or group rather than those of the user who invoked it, which lets it perform a task that requires other rights, such as root privileges. However, a memory-corruption bug such as a buffer overrun in such an executable can be exploited to run unauthorized code with the elevated rights of the exploited process.
If you want to stop a setuid or setgid executable from being used with elevated privileges by non-root users, you can use the following commands to unset the setuid or setgid bit:
# chmod u-s file
# chmod g-s file
For example, you could use the chmod command to unset the setuid bit for the /bin/ping6 command:
# ls -al /bin/ping6
-rwsr-xr-x. 1 root root 36488 May 20 2011 /bin/ping6
# chmod u-s /bin/ping6
# ls -al /bin/ping6
-rwxr-xr-x. 1 root root 36488 May 20 2011 /bin/ping6
Without the setuid bit, non-root users can no longer run ping6, because it needs root privileges to open a raw socket. Also note that updating a package restores the file modes recorded in the RPM, so re-run the find check after updates to confirm that the bits are still unset.
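The three find audits above (unowned files, world-writable directories, setuid/setgid executables) and the chmod step are combined below into a script that runs against a constructed fixture tree, so it can be tried safely before being pointed at a real mount point. This is an added example and is not part of the Oracle documentation; the fixture files, the OPEN/STICKY labelling of world-writable directories, and the function names are choices made here.

```shell
#!/bin/sh
# Added example: the find audits above wrapped as functions and exercised
# against a constructed fixture directory. On a real system call them with
# a mount point, e.g.  find_setxid /usr

count() { awk 'END { print NR }'; }   # line count; prints 0 for empty input

# Unowned files and directories (-nouser / -nogroup). The parentheses are
# required: find's implicit -and binds tighter than -o, so without them
# -exec would only fire for the -nogroup branch.
find_unowned() {
    find "$1" -mount \( -type f -o -type d \) \( -nouser -o -nogroup \) \
        -exec ls -ld {} \;
}

# World-writable directories (-0002 is the "others" write bit). Those
# without the sticky bit are labelled OPEN: any user can delete or rename
# other users' files there. Sticky ones (like /tmp) are labelled STICKY.
find_world_writable_dirs() {
    find "$1" -mount -type d -perm -0002 ! -perm -1000 -exec ls -ld {} \; | sed 's/^/OPEN   /'
    find "$1" -mount -type d -perm -0002   -perm -1000 -exec ls -ld {} \; | sed 's/^/STICKY /'
}

# Regular files with the setuid (4000) or setgid (2000) bit set.
find_setxid() {
    find "$1" -mount -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \;
}

# drop_setxid FILE: clear both bits, as chmod u-s / chmod g-s above.
drop_setxid() { chmod u-s,g-s "$1"; }

# make_fixture: a constructed tree (not real system files) that triggers
# each check; prints its path. Unowned files cannot be created without
# root, so that audit is expected to return nothing on the fixture.
make_fixture() {
    d=$(mktemp -d)
    mkdir "$d/dropbox" && chmod 0777 "$d/dropbox"    # world-writable, no sticky bit
    mkdir "$d/shared"  && chmod 1777 "$d/shared"     # world-writable, sticky (like /tmp)
    mkdir "$d/private" && chmod 0750 "$d/private"    # not world-writable
    printf '#!/bin/sh\n' > "$d/helper" && chmod 4755 "$d/helper"   # setuid
    printf '#!/bin/sh\n' > "$d/tool"   && chmod 2755 "$d/tool"     # setgid
    printf 'data\n'      > "$d/plain"  && chmod 0644 "$d/plain"    # ordinary file
    echo "$d"
}

FIXTURE=$(make_fixture)
echo "== unowned";           find_unowned "$FIXTURE"
echo "== world-writable";    find_world_writable_dirs "$FIXTURE"   # dropbox OPEN, shared STICKY
echo "== setuid/setgid";     find_setxid "$FIXTURE"                # helper and tool
drop_setxid "$FIXTURE/helper"
echo "== after drop_setxid"; find_setxid "$FIXTURE"                # only tool remains
```

Running the audit on a schedule and diffing the setuid/setgid list against a known-good baseline is the practical way to notice a bit that a package update restored or that an intruder added.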
The following table lists programs for which you might want to consider unsetting setuid and setgid:
Program File | Bit Set | Description of Usage
---|---|---
 | | Sends an ICMP
 | | Sends an ICMPv6
 | | Runs a task in a control group.
 | | Mounts an NFS file system. Note
 | | Requests notification of changes to network interfaces.
 | | Finds out password aging information (via the -l option).
 | | Changes
 | | Changes the login shell.
 | | Edits, lists, or removes a
 | | Sends a system-wide message.
 | | Sends a message to another user.
 | | Invokes the X Windows server.
 | | Runs the SSH helper program for host-based authentication.
 | | Switches user before executing external CGI and SSI programs. This program is intended to be used by the Apache HTTP server. For more information, see http://httpd.apache.org/docs/2.2/suexec.html.
 | | Controls network interfaces. Permission for a user to alter the state of a network interface also requires
This list is not exhaustive, as many optional packages contain setuid and setgid programs.