The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.
Use separate disk partitions for operating system and user data to prevent a file system full issue from impacting the operation of a server. For example, you might create separate partitions for /home, /tmp, /oracle, and so on.
Establish disk quotas to prevent a user from accidentally or intentionally filling up a file system and denying access to other users.
To prevent the operating system files and utilities from being altered during an attack, mount the /usr file system read-only. If you need to update any RPMs on the file system, use the -o remount,rw option with the mount command to remount /usr for both read and write access. After performing the update, use the -o remount,ro option to return the /usr file system to read-only mode.
To limit user access to non-root local file systems such as /tmp or removable storage partitions, specify the -o noexec,nosuid,nodev options to mount. These options prevent the execution of binaries (but not scripts), prevent the setuid bit from having any effect, and prevent the use of device files.
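As an added example that is not part of the Oracle documentation, the following POSIX shell script checks a mount table in /proc/mounts format against the two recommendations above: /usr mounted read-only, and /home, /tmp and a removable partition mounted with noexec, nosuid and nodev. The sample mount table, the /media/usb mount point, the POLICY list and the function names are all constructed for illustration; to audit a live system, replace the sample with the output of cat /proc/mounts.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation. Audits mount options
# against the recommendations in this section of the guide.

# Constructed sample in /proc/mounts format (device mountpoint fstype options
# dump pass). Two deliberate problems: /usr is mounted rw instead of ro, and
# /tmp lacks noexec. /home and the removable /media/usb partition are correct.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /usr ext4 rw,relatime 0 0
/dev/sda3 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda4 /tmp ext4 rw,nosuid,nodev,relatime 0 0
/dev/sdb1 /media/usb vfat rw,nosuid,nodev,noexec,relatime 0 0'

# Required options per mount point (hypothetical policy for this example).
POLICY='/usr:ro
/home:noexec,nosuid,nodev
/tmp:noexec,nosuid,nodev
/media/usb:noexec,nosuid,nodev'

# has_opt OPTS OPT: succeed if the comma-separated list OPTS contains OPT.
# Exact match only, so "ro" does not match "relatime" or "rw".
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# missing_opts TABLE MOUNTPOINT REQUIRED: print the required options that the
# mount point lacks (space-separated, empty if none). Prints "not-mounted" if
# the mount point does not appear in TABLE. Exit status 0 only when nothing
# is missing.
missing_opts() {
    table=$1 mp=$2 required=$3
    # Field 4 of the last matching line wins, so an overmount is honoured.
    opts=$(printf '%s\n' "$table" | awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }')
    if [ -z "$opts" ]; then
        printf 'not-mounted\n'
        return 1
    fi
    missing=''
    old_ifs=$IFS
    IFS=,
    for opt in $required; do
        has_opt "$opts" "$opt" || missing="$missing $opt"
    done
    IFS=$old_ifs
    missing=${missing# }
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# audit_mounts TABLE: check every POLICY entry, print one line per violation
# and a final "<n> violation(s)" line. Exit status 1 if anything is wrong.
audit_mounts() {
    table=$1
    violations=0
    for spec in $POLICY; do
        mp=${spec%%:*}
        req=${spec#*:}
        if ! missing=$(missing_opts "$table" "$mp" "$req"); then
            printf '%s: missing %s\n' "$mp" "$missing"
            violations=$((violations + 1))
        fi
    done
    printf '%s violation(s)\n' "$violations"
    [ "$violations" -eq 0 ]
}

# Run against the constructed sample; a real audit would pipe in /proc/mounts.
audit_mounts "$SAMPLE_MOUNTS" || echo 'remount with the options listed above'
```

Against the sample the script reports /usr missing ro and /tmp missing noexec. The option test is an exact comma-delimited match rather than a substring search, because an option such as ro is a substring of other option names and a naive grep would report false positives.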
Use the find command to check for unowned files and directories on each file system, for example:
# find mount_point -mount -type f \( -nouser -o -nogroup \) -exec ls -l {} \;
# find mount_point -mount -type d \( -nouser -o -nogroup \) -exec ls -l {} \;
The parentheses are required: -o binds more loosely than the implied -a between tests, so without them the -exec action would apply only to the -nogroup branch and the -nouser matches would not be listed.
Unowned files and directories might be associated with a deleted user account, they might indicate an error with software installation or removal, or they might be a sign of an intrusion on the system. Correct the permissions and ownership of the files and directories that you find, or remove them. If possible, investigate and correct the problem that led to their creation.
Use the find command to check for world-writable directories on each file system, for example:
# find mount_point -mount -type d -perm /o+w -exec ls -l {} \;
Investigate any world-writable directory that is owned by a user other than a system user. The user can remove or change any file that other users write to the directory. Correct the permissions and ownership of the directories that you find, or remove them.
You can also use find to check for setuid and setgid executables:
# find path -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \;
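As an added example that is not part of the Oracle documentation, the following shell script builds a throwaway directory tree containing the conditions the two find commands above look for (a world-writable directory, a sticky world-writable directory like /tmp, a setuid file and a setgid file), runs the same find tests against it, and cleans up. The tree layout and the function names are constructed for this example, and GNU find is assumed for -perm /o+w. No root privileges are needed, because you can set the setuid and setgid bits on files you own.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation. Exercises the world-writable
# and setuid/setgid checks from this section against a constructed tree.

# make_sample_tree: create the constructed tree in a fresh temp directory and
# print its path. The caller removes it when done.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/shared" "$root/scratch" "$root/private" "$root/bin"
    chmod 0777 "$root/shared"    # world-writable, no sticky bit: worth investigating
    chmod 1777 "$root/scratch"   # world-writable with sticky bit, like /tmp
    chmod 0755 "$root/private"   # not world-writable
    : > "$root/bin/helper";    chmod 4755 "$root/bin/helper"     # setuid
    : > "$root/bin/grouptool"; chmod 2755 "$root/bin/grouptool"  # setgid
    : > "$root/bin/plain";     chmod 0755 "$root/bin/plain"      # neither
    printf '%s\n' "$root"
}

# world_writable_dirs PATH: the documentation's test (-perm /o+w) on
# directories, one path per line. Sticky directories such as /tmp match too.
world_writable_dirs() {
    find "$1" -mount -type d -perm /o+w
}

# world_writable_dirs_no_sticky PATH: the same test narrowed to directories
# without the sticky bit, where any user can delete other users' files.
world_writable_dirs_no_sticky() {
    find "$1" -mount -type d -perm /o+w ! -perm -1000
}

# setuid_setgid_files PATH: the documentation's setuid/setgid test.
setuid_setgid_files() {
    find "$1" -mount -type f \( -perm -4000 -o -perm -2000 \)
}

# count_lines: count lines on stdin without relying on wc's output padding.
count_lines() {
    n=0
    while IFS= read -r _line; do n=$((n + 1)); done
    printf '%s\n' "$n"
}

# audit_tree PATH: one-line summary of the three checks for PATH.
audit_tree() {
    ww=$(world_writable_dirs "$1" | count_lines)
    ns=$(world_writable_dirs_no_sticky "$1" | count_lines)
    su=$(setuid_setgid_files "$1" | count_lines)
    printf '%s world-writable, %s without sticky, %s setuid/setgid\n' "$ww" "$ns" "$su"
}

# Build the tree, run the checks, show the findings and clean up.
tree=$(make_sample_tree)
audit_tree "$tree"
world_writable_dirs_no_sticky "$tree"
setuid_setgid_files "$tree"
rm -rf "$tree"
```

On the constructed tree the summary is 2 world-writable, 1 without sticky, 2 setuid/setgid: both shared and scratch are world-writable, but only shared lacks the sticky bit that lets /tmp-style directories be shared safely. On a real mount point, replace the temp tree with the mount point and keep the -exec ls -l from the documentation's commands to see owners and modes.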
If the setuid or setgid bit is set, an executable can perform a task that requires other rights, such as root privileges. However, buffer overrun attacks can exploit such executables to run unauthorized code with the rights of the exploited process.
If you want to stop a setuid or setgid executable from granting elevated rights to non-root users, you can use the following commands to unset the setuid or setgid bit:
# chmod u-s file
# chmod g-s file
For example, you could use the chmod command to unset the setuid bit for the /bin/ping6 command:
# ls -al /bin/ping6
-rwsr-xr-x. 1 root root 36488 May 20 2011 /bin/ping6
# chmod u-s /bin/ping6
# ls -al /bin/ping6
-rwxr-xr-x. 1 root root 36488 May 20 2011 /bin/ping6
The following table lists programs for which you might want to consider unsetting setuid and setgid:

| Program File | Bit Set | Description of Usage |
|---|---|---|
| | | Sends an ICMP |
| | | Sends an ICMPv6 |
| | | Runs a task in a control group. |
| | | Mounts an NFS file system. |
| | | Requests notification of changes to network interfaces. |
| | | Finds out password aging information (via the -l option). |
| | | Changes |
| | | Changes the login shell. |
| | | Edits, lists, or removes a |
| | | Sends a system-wide message. |
| | | Sends a message to another user. |
| | | Invokes the X Windows server. |
| | | Runs the SSH helper program for host-based authentication. |
| | | Switches user before executing external CGI and SSI programs. This program is intended to be used by the Apache HTTP server. For more information, see http://httpd.apache.org/docs/2.2/suexec.html. |
| | | Controls network interfaces. Permission for a user to alter the state of a network interface also requires |
This list is not exhaustive, as many optional packages contain setuid and setgid programs.