4 Implementing Extra Security Features and Best Practices
This section describes more ways to enhance the security of an Oracle Linux system and further information about best practices for securing an environment.
Working with Core Dumps
A core dump is a file that's produced when a process malfunctions and ends prematurely. The core dump contains an image of the process's memory. You can use a core dump to debug problems and inspect the stage of the program when it ended. You can produce core dumps on-demand or they can be created automatically on termination.
The core file, also referred to as core, is created in the current working directory. Note that the writing of core fails if the directory to which it's to be created is read-only, or if a file exists with the same name in that location, and that file is read-only or not a regular file.
Core dumps can contain information that an attacker could exploit. Core dumps can also take up a lot of disk space. Therefore Oracle Linux, by default, disables the core dump function. It does so by limiting the maximum size of a core dump file to 0. You can find the current core size for a system using the following ulimit command. For example, this command shows that the ulimit size for the current terminal user session is set to the default 0 value:
ulimit -c
0
ulimit -c 1000
To make changes persist between reboots you can limit or restrict access to core dumps to
various users or groups. See the limits.conf(5)
manual page for details.
setuid
and setgid
programs, programs that have changed credentials, and programs containing binaries that don't
have read permission from dumping core. To ensure that this setting is still disabled, run the
following command:
sysctl fs.suid_dumpable
A value of fs.suid_dumpable = 0
indicates that the setting is still
disabled.
Note:
Enabling dump files for these programs isn't recommended. If, for some reason, you need to
enable dump files for these programs, you can enable this dump file by setting the
fs.suid_dumpable
value to 1
or 2
. A
value of 1
creates core dumps that are readable by the owner of the dumping
process. A value of 2
creates core dumps that are only readable by
root
for debugging purposes.
For more information about temporarily enabling core dumps to troubleshoot a malfunctioning system, see Oracle Linux 8: Monitoring and Tuning the System.
Working with the Automatic Bug Reporting Tool
Note:
The Automatic Bug Reporting Tool has been deprecated. Consider usingsystemd-coredump
feature instead. For more information about using
the coredumpctl
command, see Oracle Linux 8: Monitoring and Tuning the System
and the systemd-coredump
manual pages.
To stop and disable the abrtd
service
entirely, run:
sudo systemctl disable --now abrtd
When running the service, you can restrict the service so that it only analyzes core dumps for binaries installed using signed packages. You can also prevent the service from analyzing particular binaries that reveal sensitive information in a dump by adding them to a denylist.
For example, edit
/etc/abrt/abrt-action-save-package-data.conf
to set the following parameters:
# Require a GPG signature for a package OpenGPGCheck = yes # Add any package names to the Blacklist that contain binaries # that you want abrt to not store dump data for BlackList = nspluginwrapper, valgrind, strace, mono-core, bash # Disable processing of unpackaged binaries ProcessUnpackaged = no # Add any paths to the BlackListedPaths that may contain binary # executables that you want abrt to not store dump data for BlackListedPaths = /usr/share/doc/*, */example*, /usr/bin/nspluginviewer, \ /usr/lib*/firefox/plugin-container
Note that although the BlackList
and BlackListedPaths
options can be used to prevent the service from storing dump data, the dumps are still
generated and written to disk for a short time before being removed, so that
abrtd
can notify system administrators about a crash without using up disk
space.
To prevent the core dumps from being written to disk, and prevent abrtd
from detecting crashes in an application, edit the
/etc/abrt/plugins/CCpp.conf
file and add the absolute path of the binary to
the IgnoredPaths
list. For example:
IgnoredPaths = /path/to/binary
Configuring and Using Kernel Security Mechanisms
The Linux kernel features some extra security mechanisms that enhance the security of a system. These mechanisms randomize the layout of the address space for a process or prevent code from being run in non-executable memory.
Address Space Layout Randomization
/proc/sys/kernel/randomize_va_space
. The
randomize_va_space
parameter can take the following values:
- 0
-
Disable ASLR. This setting is applied if the kernel is booted with the
norandmaps
boot parameter. - 1
-
Randomize the positions of the stack, virtual dynamic shared object (VDSO) page, and shared memory regions. The base address of the data segment is immediately after the end of the executable code segment.
- 2
-
Randomize the positions of the stack, VDSO page, shared memory regions, and the data segment. This is the default setting.
You can change the setting temporarily by writing a new value
to /proc/sys/kernel/randomize_va_space
, for
example:
echo value | sudo tee /proc/sys/kernel/randomize_va_space
To change the value permanently, add this setting to /etc/sysctl.conf
:
kernel.randomize_va_space = value
Then, run the sysctl -p command.
If you change the value of randomize_va_space
, it's considered good
practice to test the application stack to ensure that it's compatible with the new setting.
You can optionally disable ASLR for a specific program and its child processes:
setarch `uname -m` -R program [args ...]
Data Execution Prevention or No eXecute
The Data Execution Prevention (DEP) feature, also known as No eXecute (NX), prevents an application or service from executing code in a non-executable memory region. Hardware-enforced DEP works in conjunction with the NX bit on compatible CPUs to help prevent certain types of buffer overflow attacks. This feature uses hardware capabilities to protect the system, so it's enabled by default and can't be disabled.
Oracle Linux doesn't emulate the NX bit in software for CPUs that don't implement the NX bit in hardware.
Position Independent Executables
The Position Independent Executables (PIE) feature loads executable binaries at random memory addresses so that the kernel can disallow text relocation. Developers can use this feature to code applications that load at different memory addresses each time the application loads, making it more difficult for an attacker to predict where the application is stored in memory, thereby helping to protect against memory-related exploits.
To generate a position-independent binary:
-
Specify the -fpie option to gcc when compiling.
-
Specify the -pie option to ld when linking.
To test whether a binary or library has been built with PIE enabled, run the following command:
sudo readelf -d elfname | grep -i flags
The command often indicates whether the PIE
flag is set. By default, on
Oracle Linux 8 binaries are typically built
with this flag set, unless there's a specific reason not to do so, such as a compile issue
resulting from setting this option.
Configuring System Cryptograpic Policies
From Oracle Linux 8 onward, Oracle Linux provides a facility to set a system-wide cryptographic policy. Many applications implement cryptographic protocols to secure communications or to encrypt data. Historically, applications have maintained their own configuration of cryptographic policies in various ways, which meant that changing cryptographic policy across an entire system needed to be performed for each application and often the configuration method differed from application to application.
The ability to define a system-wide cryptographic policy that applications can hook into often reduces administrative overhead and simplifies the process. An administrator can configure the system-wide cryptographic policy and have confidence that most applications can use the same policy, by default.
Policies enable an administrator to configure:
- TLS/SSL (and DTLS) versions that are accepted
- Ciphersuites that are accepted and the preferred order
- Parameters that are accepted for certificates and key exchange, including:
- the minimum acceptable size of parameters (DH,ECDH,RSA,DSA,ECDSA),
- the acceptable elliptic curves (ECDH,ECDSA),
- the acceptable signature hash functions.
- Other TLS options including safe-renegotiation
Most of the major cryptographic software on Oracle Linux is already configured to use the system-wide cryptographic policy by default. Applications that are configured to behave in this manner include important applications such as OpenSSH and bind, in addition to any applications that use the OpenSSL, GnuTLS, NSS, libkrb5 libraries and
Configuring system-wide policy doesn't enforce behavior across the system. That policy
provides a common configuration across a wide variety of applications. Any application that's
not designed to use the system-wide policy continues to function according to the different
policy configuration that it uses. Many applications also provide options to override the
system-wide cryptographic policy if required. For example, OpenSSH provides options to set
different cryptographic policies on the server and client applications, and commands such as
wget
and curl
provide options to define a custom cipher
selection and order by using the --ciphers
option, effectively overriding the
system-wide policy.
The system-wide policy defines the default cryptographic behavior within applications so that you can harden a system and remove insecure protocols to match your security requirements.
Oracle Linux includes the update-crypto-policies command that can be used to configure which cryptographic algorithms, ciphers, and protocols are enabled on a system for use by applications and services. That command can be used to either relax policy or to harden it further.
For more information on this tool and the applications that are
affected by it, see the crypto-policies(7)
and update-crypto-policies(8)
manual pages.
About Predefined Policies
- LEGACY: Configures certain legacy protocols to maximize compatibility with legacy systems. It includes enabling 3DES, RC1, DSA, TLSv1.0 and TLSv1.1. It also sets a 1024 bit minimum parameter size for DH and RSA. Protocols and values specified in this policy aren't considered highly secure but aren't easily exploitable.
- DEFAULT: Configures standard modern protocols including TLSv1.2 and TLSv1.3 , IKEv2 and SSH2. It sets a 2048 bit minimum parameter size for DH and RSA.
- FIPS: Configures the system to meet FIPS 140-2 requirements for cryptographic policies. This policy is enabled by the
fips-mode-setup
command used to enable FIPS mode on an Oracle Linux system. See Configuring a System in FIPS Mode for more information on using this policy. - FUTURE: A conservative policy level that disables SHA-1 and CBC and sets a 3072 bit minimum parameter size for DH and RSA. This policy can disable communications with many older systems but is worth exploring to decide what actions you can perform in future to ensure that applications continue to function securely.
Restrictions in these policies can change over time as new secure default values are decided.
You can use the update-crypto-policies
tool to view the current system
policy and to change which policy is applied to the system.
Reviewing the Current System-Wide Policy
Any user can review the current system-wide cryptographic policy by running:
update-crypto-policies --show
Setting the System-Wide Policy
Switching between cryptographic policies on Oracle Linux can be achieved using the
update-crypto-policies --set
command with the name of the policy.
For example, to switch to the LEGACY policy, run:
sudo update-crypto-policies --set LEGACY
The policy is updated immediately and any applications that are enabled to use the system-wide cryptographic policy work with the new policy immediately when they're run or restarted. Because some applications might already be running using a custom policy it's good practice to reboot the system after changing policy to ensure that all applications are using the correct policy.
To switch back to the DEFAULT policy, run:
sudo update-crypto-policies --set DEFAULT
Extending a Policy By Using Modules
You can customize the system-wide policy by creating a policy module or a subpolicy. You can
fine-tune a policy without needing to create an entire policy from scratch by
creating a module. For example, if you intended to use the
DEFAULT
system policy and also disable the weaker SHA-1
hash functionality in all applications, rather than rewriting the entire DEFAULT
system policy, you can apply a module by setting the DEFAULT
policy with an
appended module for example:
sudo update-crypto-policies --set DEFAULT:NO-SHA1
Oracle Linux provides some extra modules that have already been configured and can be used
immediately in the /usr/share/crypto-policies/policies/modules/
directory.
You can create custom modules in the /etc/crypto-policies/policies/modules/
directory. Modules must be named in uppercase and have a lowercase
.pmod
extension. For example, you can create a module named
/etc/crypto-policies/policies/modules/NO-AES-128.pmod
to
add this content to the file to disable the AES-128 cipher entirely:
# Disable the AES-128 cipher cipher = -AES-128-*
Note that to disable the cipher, you must prefixed it with a -
character. To
enable a functionality, specify it without a prefix. In the example, the
*
character is also used to specify a wildcard so that the
rule matches all modes of the AES-128 cipher.
You can also chain modules together when you set the system-wide cryptograpic policy:
sudo update-crypto-policies --set DEFAULT:NO-SHA1:NO-AES-128
For more information about the syntax for policy definition files, see the
crypto-policies(7)
manual pages.
Creating a New System-Wide Cryptographic Policy
You can create a custom cryptographic policy from scratch instead of using any of the
predefined policies provided with Oracle Linux. Policies can be defined in the
/etc/crypto-policies/policies/
directory. Policy file names
must be uppercase and end in the lowercase suffix .pol
. Policy
files use the INI file format with standard key = value
entries.
The predefined policies provided with Oracle Linux are stored in the
/usr/share/crypto-policies/policies/
directory. To define a
custom policy, you can copy an existing policy and then configure it as you need.
For example:
sudo cp /usr/share/crypto-policies/policies/DEFAULT.pol /etc/crypto-policies/policies/MYPOLICY.pol
See the section titled "CRYPTO POLICY DEFINITON FORMAT" in the
crypto-policies(7)
manual page for more information about
the file format and structure.
When you have finished editing the custom policy, you can enable it with this command:
sudo update-crypto-policies --set MYPOLICY
Remember to reboot the system after enabling a custom system-wide policy so that it's enabled for all running services.
Note:
Consider whether you can achieve what you need to do by extending an existing policy using a module. Maintaining a custom system-wide cryptographic policy requires that you consistently monitor new security standards and research, so by extending the predefined policies to meet security requirements you can avoid needing to maintaining an entire policy by yourself.Checking User Accounts and Privileges
Checking the system for unlocked user accounts often is considered good security practice, for example by using this command:
for u in $(awk -F: '{print $1}' /etc/passwd;); do sudo passwd -S "$u"; done | sort
The following output is displayed:
adm LK 2023-03-31 0 99999 7 -1 (Alternate authentication scheme in use.) bin LK 2023-03-31 0 99999 7 -1 (Alternate authentication scheme in use.) chrony LK 2023-06-20 -1 -1 -1 -1 (Password locked.) clevis LK 2023-06-20 -1 -1 -1 -1 (Password locked.) cockpit-wsinstance LK 2023-06-20 -1 -1 -1 -1 (Password locked.) cockpit-ws LK 2023-06-20 -1 -1 -1 -1 (Password locked.) ...
In the output from this command, the second field shows if a user account is locked
(LK
), doesn't have a password (NP
), or has a valid
password (PS
). The third field shows the date on which the user last changed
their password. The remaining fields show the minimum age, maximum age, warning period, and
inactivity period for the password and extra information about the password's status. The unit
of time is days.
You can use the passwd command to set passwords on any accounts that aren't protected.
To lock unused accounts, use the passwd -l command. You can also use the userdel command to remove the accounts entirely.
Caution:
System accounts must be preserved. These are any accounts with user IDs that are less than 1000, and especially any user IDs that are less than 100.
For more information, see the passwd(1)
and
userdel(8)
manual pages.
To specify how users' passwords are aged, edit the settings in
the /etc/login.defs
file that are described
in the following table.
Setting | Description |
---|---|
|
Maximum number of days for which a password can be used before it must be changed. The default value is 99,999 days. |
|
Minimum number of days that's allowed between password changes. The default value is 0 days. |
|
Number of days' warning that's provided before a password expires. The default value is 7 days. |
For more information, see the login.defs(5)
manual page.
To change the length of time a user's account can be inactive before it's locked, use the usermod command. For example, you would set the inactivity period to 30 days as follows:
sudo usermod -f 30 username
To change the default inactivity period for new user accounts, use the useradd command:
sudo useradd -D -f 30
A value of -1
specifies that user accounts are never locked because of
inactivity.
For more information, see the useradd(8)
and
usermod(8)
manual pages.
To verify that no user accounts other than
root
have a user ID of 0
,
you would use the following command:
sudo awk -F":" '$3 == 0 { print $1 }' /etc/passwd
The following is the output of the previous command:
root
If you install software that creates a default user account and password, it's considered good security practice to change the vendor's default password immediately. Centralized user authentication using an LDAP implementation such as OpenLDAP can centralize user authentication and management tasks, and also reduce the risks arising from unused accounts or accounts without a password.
By default, an Oracle Linux 8 system is
configured to prevent users from logging in directly as root
. You must log in
as a named user before using either the su or
sudo command to perform tasks as the root
user so
that system accounting can trace the original username of any user who performs a privileged
administrative action. To grant certain users authority to perform specific administrative
tasks by using the sudo command, use the visudo
command to configure the /etc/sudoers
file.
For example, the following entry grants the user user1
the same privileges
as root
when using the sudo command, but defines a
limited set of privileges to user2
so that they can run commands such as
systemctl, rpm, and
dnf:
user1 ALL=(ALL) ALL user2 ALL= SERVICES, SOFTWARE
For more information about setting up user accounts and authentication, see Oracle Linux 8: Setting Up System Users and Authentication.
Configuring User Authentication and Password Policies
If you follow traditional digital identity policies, the Pluggable Authentication Modules (PAM) feature can be used to enforce strong user authentication and password policies, including rules that decide password complexity, length, age, expiration, and the reuse of previous passwords. You can configure PAM to block user access after too many failed login attempts, after normal working hours, or if too many concurrent sessions are open. Note that some of these policies are no longer considered helpful for security as they can lead users to implement their own poor security practices when storing passwords or when renewing. See https://pages.nist.gov/800-63-3/sp800-63-3.html for more information.
pam_pwquality.so
tests password strength. The PAM configuration file (/etc/pam.d/system-auth
)
contains the following default entries for testing a password's strength:
password requisite pam_pwquality.so local_users_only retry=3 authtok_type= enforce_for_root password requisite pam_pwhistory.so use_authtok enforce_for_root remember=4 password sufficient pam_unix.so sha512 shadow use_authtok enforce_for_root remember=4 password sufficient pam_sss.so use_authtok password required pam_deny.so
The line for pam_pwquality.so
defines that a user gets three tries to
choose a good password. From the module's default settings, the password length must a minimum
of six characters, of which three characters can't be the same as a previous password. The
module only tests the quality of passwords for users who are defined in the
/etc/passwd
file.
The line for pam_unix.so
specifies that the module tests the old password
that was specified in the stack before prompting for a new password and uses the SHA-512
password hashing and the /etc/shadow
file to decide access. Note that
pam_pwquality
will have performed such checks for users that have been
defined in the /etc/passwd
file.
You can configure the control flags and module parameters to change the checks that are performed when a user changes their password:
password required pam_pwquality.so retry=3 minlen=8 difok=5 minclass=-1 password required pam_unix.so use_authtok sha512 shadow remember=5 password required pam_deny.so
The line for pam_pwquality.so
specifies that a user is allowed three tries
to choose a good password, with a minimum of eight characters, of which five characters must
be different from the previous password, and which must contain at least one uppercase letter,
one lowercase letter, one numeric digit, and one special character.
The line for pam_unix.so
specifies that the module doesn't perform password
checking, uses SHA-512 password hashing and the /etc/shadow
file, and saves
information about the previous five passwords for each user in the
/etc/security/opasswd
file.
For more information, see the pam_deny(8)
,
pam_pwquality(8)
, and
pam_unix(8)
manual pages.
Configuring File System Mounts, File Permissions, and File Ownerships
Using separate disk partitions for OS and user data can prevent a "file system full"
error from impacting the operation of a server. For example, you can create separate
partitions for /home
, /tmp
, /oracle
, and so
on.
Establishing disk quotas can prevent a user from filling up a file system (intentionally or not) and therefore denying access to other users.
To prevent the OS files and utilities from being altered during an intrusion, you can mount
the /usr
file system with read-only permissions. If you need to update any
RPMs on the file system, use the -o remount,rw option with the
mount command to remount /usr
for both read and
write access. After performing the update, you can use the -o
remount,ro option to return the /usr
file system to read-only
mode.
To limit user access to non-root
local file systems such as
/tmp
or removable storage partitions, you can specify the -o
noexec, nosuid, nodev options to mount. These options
prevent the execution of binaries (but not scripts), prevent the setuid
bit
from having any effect, and prevent the use of device files.
To check for unowned files and directories on each file system, use the find command:
sudo find mount_point -mount -type f -nouser -o -nogroup -exec ls -l {} \;
Unowned files and directories can be associated with a deleted user account, and that might indicate an error with software installation or removal, or they might a sign of an intrusion on the system. You can correct the permissions and ownership of the files and directories that you find, or remove them. Investigating and correcting the problem that led to their creation is considered good security practice.
To check for world-writable directories on each file system, use the find command:
sudo find mount_point -mount -type d -perm /o+w -exec ls -l {} \;
Investigating any world-writable directory that's owned by a user other than a system user is considered good security practice. If the user can remove or change any file that other users write to the directory, you can correct the permissions and ownership of any directories that you find or remove them.
You can also use the find command to check
for setuid
and setgid
executables.
sudo find path -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \;
If the setuid
and setgid
bits are set, an executable can
perform a task that requires other rights, such as root
privileges. However,
buffer overrun attacks can still exploit those executables to run unauthorized code with the
rights of the exploited process.
Restricting Access to SSH Connections
The Secure Shell (SSH) provides protected, encrypted communication with other systems. As SSH is an entry point into the system, it's considered good security practice to disable it if it's not required.
You can edit the /etc/ssh/sshd_config
file to restrict local access to the
root
user and remote access to certain users and groups by configuring the
settings. You can also configure settings in the /etc/ssh/sshd_config
file so
that the SSH client automatically times out after of period of inactivity.
Disabling password-based authentication for SSH and to requiring public key authentication instead is considered good security practice. By doing this, you can limit access to users who own an authorized private key.
After making any changes to the configuration file, you must
restart the sshd
service for the changes to
take effect.
For more information, see Oracle Linux: Connecting to Remote Systems With OpenSSH and the
sshd_config(5)
manual page.
Using System Auditing and Monitoring
The Auditing service on Oracle Linux collects data at the kernel level that you can analyze to identify unauthorized activity. Auditing collects more data in greater detail than system logging, but most audited events are uninteresting and insignificant. The process of examining audit trails to find events of interest can be a significant challenge that you can automate.
The audit configuration file,
/etc/audit/auditd.conf
, defines the data
retention policy, the maximum size of the audit volume, the
action to take if the capacity of the audit volume is exceeded,
and the locations of local and remote audit trail volumes. The
default audit trail volume is
/var/log/audit/audit.log
.
For more detailed information about auditing and monitoring Oracle Linux systems, see Oracle Linux 8: Monitoring and Tuning the System.
Using Advanced Intrusion Detection Environment
Advanced Intrusion Detection Environment (AIDE) is an application that uses various tools to detect changes to particular files on a system and report on them so that you can maintain baseline file integrity and detect unauthorized changes and potential tootkits.
This tool is installed as follows:
sudo dnf install -y aide
When AIDE is installed, you can change the configuration in /etc/aide.conf
.
The configuration file is used to decide which files and directories are monitored by AIDE and
also how logging and output are handled.
AIDE stores its current information about a system's configuration state in a database
stored in the /var/lib/aide/aide.db
. If you store a copy of this database
file at an external location then you can replace it with a known safe state for AIDE when you
perform an audit. If the file doesn't yet exist, you can create one for the current system
state by running:
sudo aide --init
sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
When you have created a database, you can check file integrity at any time by running:
sudo aide --check
If no differences are found, AIDE returns the results with the following message:
AIDE found NO differences between database and filesystem. Looks okay!!
If you configure this tool to run as an automated cron
job, then you can
get regular reports to indicate changes to system configuration and state that could help with
early intrusion detection.
See the aide(1)
and
aide.conf(5)
manual pages for more
information.
Implementing System Process Accounting
psacct
package provides the process accounting service in addition to
the following utilities that you can use to monitor process activities:
- ac
-
Displays connection times in hours for a user as recorded in the
wtmp
file (by default,/var/log/wtmp
). - accton
-
Turns on process accounting to the specified file. If you don't specify a file name argument, process accounting is stopped. The default system accounting file is
/var/account/pacct
. - lastcomm
-
Displays information about any commands recorded in the system accounting file.
- sa
-
Summarizes information about any commands recorded in the system accounting file.
Note:
Ensure that the file system has enough space to store the system accounting and
wtmp
files to monitor process activity. Monitoring the size of the log
files and truncating them if needed is considered good security practice.
For more information, see the ac(1)
,
accton(8)
, lastcomm(1)
, and
sa(8)
manual pages.
Protecting the Root Directory by Using chroot Jails
A chroot command changes the visible root directory for running
processes and their children, so it can be used to run a program with a root directory other
than /
. The program can't see or access files outside of the configured
directory tree. Such an artificial root directory is called a "chroot jail", and its purpose
is to limit the directory access of malicious processes and hackers. The chroot jail locks
down each process and any user ID that's using it so that all they can access is the directory
in which the process is running. The process is also tricked into thinking that the directory
in which it's running is the root directory.
Note:
The chroot mechanism can't defend against intentional tampering or
low-level access to system devices by privileged users. For example, a
chroot
root
user could create device nodes and mount file systems on them. A
program can also gain access to resources outside of a chroot jail if it can gain
root
privilege and use chroot()
to change its current
working directory to the real root
directory. For this reason, it's
considered good security practice to ensure that a chroot jail doesn't contain any
setuid
or setgid
executables inside it that are owned by
root
.
For a chroot process to start successfully, you must populate the chroot directory with all required program files, configuration files, device nodes, and shared libraries at their expected locations relative to the level of the chroot directory.
Running DNS and FTP Services in a Chroot Jail
If the DNS name service daemon (named
) runs in a chroot jail, any hacker
that accesses a system by using a BIND exploit is isolated to the files under the chroot jail
directory. Installing the bind-chroot
package creates the
/var/named/chroot
directory, which becomes the chroot jail for all BIND
files.
You can configure the vsftpd
FTP server to
automatically start chroot jails for clients. By default,
anonymous users are placed in a chroot jail. However, local
users that access an vsftpd
FTP server are
placed in their home directory. Specify the
chroot_local_user=YES
option in the
/etc/vsftpd/vsftpd.conf
file to place local
users in a chroot jail based on their home directory.
Creating a Chroot Jail
-
Create the directory that becomes the
root
directory of the chroot jail, for example:sudo mkdir /home/oracle/jail
-
Use the ldd command to decide which libraries are required by the command that you intend to run in the chroot jail, for example /usr/bin/bash:
sudo ldd /usr/bin/bash
The following output is displayed:
linux-vdso.so.1 (0x00007fffa5726000) libtinfo.so.6 => /lib64/libtinfo.so.6 (0x00007f29127fa000) libc.so.6 => /lib64/libc.so.6 (0x00007f29125f1000) /lib64/ld-linux-x86-64.so.2 (0x00007f291298c000)
Note:
Although the path is displayed as
/lib64
, the actual path is/usr/lib64
because/lib64
is a symbolic link to/usr/lib64
. Similarly,/bin
is a symbolic link to/usr/bin
. You need to re-create such symbolic links within the chroot jail. -
Create subdirectories of the chroot jail's root directory that have the same relative paths as the command binary and its required libraries in the real root directory, for example:
sudo mkdir -p /home/oracle/jail/usr/bin
sudo mkdir -p /home/oracle/jail/usr/lib64
-
Create the symbolic links that link to the binary and library directories in the same manner as the symbolic links that exists in the real root directory, for example:
sudo ln -s /home/oracle/jail/usr/bin /home/oracle/jail/bin
sudo ln -s /home/oracle/jail/usr/lib64 /home/oracle/jail/lib64
-
Copy the binary and the shared libraries to the directories under the chroot jail's root directory, for example:
sudo cp /usr/bin/bash /home/oracle/jail/usr/bin
sudo cp /usr/lib64/{libtinfo.so.5,libdl.so.2,libc.so.6,ld-linux-x86-64.so.2} /home/oracle/jail/usr/lib64
Using a Chroot Jail
To run a command in a chroot jail within an existing directory (chroot_jail), use the following command:
sudo chroot chroot_jail command
If you don't specify a command argument, chroot runs with the value
of the SHELL
environment variable, or /usr/bin/sh
if
SHELL
isn't set.
For example, you could run the /usr/bin/bash command in a chroot jail as follows:
sudo chroot /home/oracle/jail
Note that you can run built-in shell commands such as pwd in this shell, but not other commands unless you have copied their binaries and any required shared libraries to the chroot jail.
For more information, see the chroot(1)
manual page.