In this article we have covered security administration tasks performed by a Linux system administrator.
Table of contents.
- Finding files with the suid/sgid bit set.
- Managing passwords and accounts.
- Discovering open ports and services.
- Limiting file sizes to preserve disk space.
- Viewing user logins, logouts, failed logins, system reboots.
- Viewing files.
To uphold the security of a Linux system, an administrator scans it for open ports (each one is a potential way in), manages passwords and user accounts, audits the file system for suid/sgid files, reviews processes and the users they belong to, and limits the size of users' files to control how disk space is used.
Finding files with the suid/sgid bit set.
Linux files can carry special permission bits such as SUID and SGID.
The SUID bit makes an executable run with the privileges of the file's owner rather than those of the user who launched it. Numerically it is represented by 4000 and symbolically by s or S in the owner's execute position (lowercase s when the execute bit is also set, uppercase S when it is not).
SGID can be set on both files and directories. On files it works like SUID but with the file's group; on directories it makes files created inside inherit the directory's group. It is numerically represented by 2000 and symbolically by s or S in the group's execute position.
Assume you want to change your password: the passwd command is used, and it saves the new password in the /etc/shadow file. Passwords saved there are stored as hashes and hence cannot be read back.
The /etc/shadow file can only be read or updated by a root user.
The SUID bit on the passwd executable is what enables passwd, run by an ordinary user, to update the /etc/shadow file.
To view the permissions of the files involved, write,
$ stat -c '%A %#a %U %G %n' /etc/shadow /etc/passwd /usr/bin/passwd
-rw-r----- 0640 root shadow /etc/shadow
-rw-r--r-- 0644 root root /etc/passwd
-rwsr-xr-x 04755 root root /usr/bin/passwd
From the output we see the permission string -rwsr-xr-x (octal 04755): the s in the owner's execute position is the SUID bit, the 4000 component of the mode, so the passwd program runs with root's privileges whoever invokes it, and that is how it can access and update the /etc/shadow file.
Executables like this, which can touch any part of the system with root privileges, pose a security risk. To find files with the SUID bit set we write,
$ sudo find / -perm -4000
The leading dash in -4000 tells find to match files that have all of the listed bits set (here just the SUID bit), regardless of their other permission bits.
To find files with the SGID bit set we write,
sudo find / -perm -2000
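The following is an added example, not code from the article: it decodes an octal mode into the symbolic form that ls and stat print (so the s versus S distinction above becomes visible), and audits a directory tree for SUID/SGID files using the same find -perm test as the commands above. The function names triple, decode_mode, find_special and demo_special_bits are my own, and the scratch files the demo creates are constructed samples.

```shell
#!/bin/sh
# Added example (not from the article): decode an octal mode the way ls/stat
# display it, and list SUID/SGID regular files below a directory.

# Print one rwx triple. $1 = 3-bit permission value, $2 = 1 if the special bit
# that belongs to this triple (SUID, SGID or sticky) is set, $3 = its letter.
triple() {
  r=-; w=-; x=-
  if [ $(( $1 & 4 )) -ne 0 ]; then r=r; fi
  if [ $(( $1 & 2 )) -ne 0 ]; then w=w; fi
  if [ $(( $1 & 1 )) -ne 0 ]; then x=x; fi
  if [ "$2" -ne 0 ]; then
    # Lowercase letter when the execute bit is also set, uppercase when it is
    # not: an uppercase S means "setuid/setgid but not executable", which is
    # usually the result of a mistaken chmod and worth a second look.
    if [ "$x" = x ]; then x=$3; else x=$(printf %s "$3" | tr st ST); fi
  fi
  printf '%s%s%s' "$r" "$w" "$x"
}

# decode_mode 4755 -> rwsr-xr-x  (a leading zero on the argument is optional)
decode_mode() {
  m=$(( 0$1 ))                                          # read the argument as octal
  triple $(( (m >> 6) & 7 )) $(( (m >> 11) & 1 )) s     # owner triple, SUID  = 04000
  triple $(( (m >> 3) & 7 )) $(( (m >> 10) & 1 )) s     # group triple, SGID  = 02000
  triple $(( m & 7 ))        $(( (m >> 9) & 1 ))  t     # other triple, sticky = 01000
  echo
}

# find_special DIR: regular files under DIR with the SUID or SGID bit set,
# shown in ls -l form (same -perm test as the article, both bits at once).
find_special() {
  find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} +
}

# Self-contained check: build a scratch tree of constructed files and count the
# ones the audit reports. chmod on our own files needs no root.
demo_special_bits() {
  d=$(mktemp -d) || return 1
  : >"$d/setuid-exec";   chmod 4755 "$d/setuid-exec"    # rwsr-xr-x, reported
  : >"$d/setuid-noexec"; chmod 4644 "$d/setuid-noexec"  # rwSr--r--, reported
  : >"$d/plain";         chmod 0755 "$d/plain"          # rwxr-xr-x, not reported
  find_special "$d" | wc -l | tr -d ' '
  rm -rf "$d"
}
```

Running find_special / against a known-good baseline (for example the list taken right after installation) turns the one-off find command into a repeatable check: any new entry in the SUID/SGID list is something to explain.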
Managing passwords and accounts.
A system admin can use the passwd command to reset a forgotten password, set a temporary password that must be changed at the next login, specify how long a password remains valid, lock a user out of the system, and so on.
Create a new user as follows,
sudo adduser bob
You can run su bob to switch to bob's account and confirm it was created, or check with cat /etc/passwd | grep bob.
Assume user bob has forgotten his password and is locked out of the system. We can reset bob's password (or any user's, for that matter) as follows.
First we generate a random temporary password,
$ mktemp -u bob-XXX
bob-mfA
bob-mfA is the temporary password we send to the user by some other channel such as a text message or email. Note that mktemp only randomises the three X characters, so this is a short-lived placeholder rather than a strong password; the expiry step below forces the user to replace it at first login.
To reset the password we write,
$ sudo passwd bob
New password:
Retype new password:
passwd: password updated successfully
Now try switching accounts with su.
Since this is a temporary password to allow the user to be able to access the system we need to give it an expiry. For this we use the -e option as follows,
$ sudo passwd -e bob
passwd: password expiry information changed.
The next time bob logs in, he will have to change his password,
$ su bob
Password:
You are required to change your password immediately (administrator enforced).
Changing password for bob.
Current password:
New password:
Retype new password:
You must choose a longer password.
New password:
Retype new password:
The system administrator can also set the maximum number of days a user may keep a password before having to change it, how many days before that deadline the user is warned, and the grace period after the deadline before the account is locked.
To set bob's minimum and maximum password lifetime we write,
$ sudo passwd -n 30 -x 100 bob
passwd: password expiry information changed.
This means that bob cannot change the password for at least 30 days after setting it, and after 100 days he is required to change it.
You can confirm this information by using the chage command as follows,
sudo chage -l bob
To set a 7-day warning period and 10 days grace period we write,
sudo chage -W 7 -I 10 bob
Bob will be warned for the 7 days before his password expires, and once it has expired he has a 10-day grace period before his current password stops working altogether.
To confirm this information using passwd command write,
$ sudo passwd -S bob
bob P 02/03/2022 1 30 8 10
To lock a password, we write,
$ sudo passwd -l bob
passwd: password expiry information changed.
The -l option locks the password by prepending a ! character to bob's password hash in /etc/shadow, which makes the hash invalid. The same effect can be had by editing the file manually.
We can confirm this in the file by writing,
$ sudo cat /etc/shadow | grep bob
To view the changed information write,
$ sudo passwd -S bob
bob L 02/03/2022 1 30 8 10
The L signifies that the password is locked.
After this operation bob cannot log in to his account.
You can try to su to bob's account and confirm if it works.
To unlock the password we write,
$ sudo passwd -u bob
passwd: password expiry information changed.
You can try to su into bob's account and you will notice that it can now be accessed.
The output of sudo chage -l bob shows that the account never expires,
Account expires : never
If we want an account to be active only for a limited time, after which it is disabled, we can use the chage command.
To define an expiration for an account we write,
$ sudo chage -E $(date -d 'tomorrow' +%F) bob
Now if you execute chage -l bob you will see that the account will be disabled after tomorrow.
To test this right away we write,
$ sudo chage -E $(date -d '1 day ago' +%F) bob
to expire the account yesterday.
Now to try to log into bob's account we write,
$ su bob
Password:
Your account has expired; please contact your system administrator.
su: Authentication failure
We could also define a date as follows,
sudo chage -E $(date -d '2030-10-20' +%F) bob
Now the account will expire on 20 October 2030.
To change the date of a user's last password change, we use the -d option,
sudo chage -d $(date -d '1 day ago' +%F) bob
Some of these operations can also be performed with the usermod command.
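The fields that passwd -e/-n/-x/-l and chage -W/-I/-E write end up in /etc/shadow, and the login checks read them back. The following is an added example, not code from the article: a small shell audit that classifies a shadow entry on a given date into the states discussed above (locked, forced change, warning window, grace period, expired, account expired). The function names days_since_epoch, shadow_status and audit_samples are my own, the sample lines are constructed (the hashes are placeholders), and GNU date is assumed for -u and -d.

```shell
#!/bin/sh
# Added example (not from the article): classify a /etc/shadow entry as of a
# given date using the aging fields set by passwd and chage. Assumes GNU date.
# Shadow field order: name:hash:lastchg:min:max:warn:inactive:expire:reserved

# Days since 1970-01-01 for a YYYY-MM-DD date; shadow stores dates this way.
days_since_epoch() {
  echo $(( $(date -u -d "$1" +%s) / 86400 ))
}

# shadow_status LINE YYYY-MM-DD  -> prints one word:
#   account-expired  the chage -E date has passed; login is refused outright
#   locked           hash starts with "!" (passwd -l); passwd -S shows L
#   no-password      empty hash; passwd -S shows NP
#   must-change      last change is 0 (passwd -e), or the password is past its
#                    maximum age but still inside the chage -I grace period
#   expired          grace period over; the password is disabled until reset
#   warn             inside the chage -W window before the maximum age
#   ok               nothing due
shadow_status() {
  today=$(days_since_epoch "$2")
  IFS=: read -r _user hash lastchg _min max warn inact expire _rest <<EOF
$1
EOF
  if [ -n "$expire" ] && [ "$today" -ge "$expire" ]; then echo account-expired; return 0; fi
  case $hash in
    '')   echo no-password; return 0 ;;
    '!'*) echo locked;      return 0 ;;
  esac
  if [ "${lastchg:-0}" -eq 0 ]; then echo must-change; return 0; fi
  if [ -z "$max" ] || [ "$max" -ge 99999 ]; then echo ok; return 0; fi   # no aging set
  age=$(( today - lastchg ))
  if [ -n "$inact" ] && [ "$age" -gt $(( max + inact )) ]; then echo expired
  elif [ "$age" -gt "$max" ]; then echo must-change
  elif [ "$age" -gt $(( max - ${warn:-0} )) ]; then echo warn
  else echo ok
  fi
}

# Constructed samples: bob changed his password on 2022-02-03 and has
# passwd -n 30 -x 100 plus chage -W 7 -I 10 applied (fields 4 to 7).
LASTCHG=$(days_since_epoch 2022-02-03)
BOB='bob:$6$constructedsalt$constructedhash:'"$LASTCHG"':30:100:7:10::'
BOB_LOCKED='bob:!$6$constructedsalt$constructedhash:'"$LASTCHG"':30:100:7:10::'   # passwd -l
BOB_FORCED='bob:$6$constructedsalt$constructedhash:0:30:100:7:10::'               # passwd -e
BOB_EXPIRED_ACCT='bob:$6$constructedsalt$constructedhash:'"$LASTCHG"':30:100:7:10:'"$(days_since_epoch 2022-03-01)"':'  # chage -E 2022-03-01

# Walk the same entry through the aging timeline.
audit_samples() {
  for day in 2022-03-10 2022-05-10 2022-05-20 2022-06-01; do
    printf '%s  %s\n' "$day" "$(shadow_status "$BOB" "$day")"
  done
}

audit_samples
```

On a real host the same function can be fed with sudo getent shadow bob (or a line from /etc/shadow) and today's date, which gives a scripted version of the passwd -S and chage -l checks above for every account at once.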
Discovering open ports and services.
The next item on the list is discovering open ports. An open port usually has an application listening on it, and a vulnerable application there puts the whole system at risk.
For this we use the nmap (Network Mapper) command.
To perform a basic scan we write,
We can confirm the service names shown in the output by looking them up in the /etc/services file, for instance with grep.
nmap reports a port as closed if the host answers with a TCP reset, and as filtered if there is no response at all, e.g. because a firewall is dropping the packets.
We can check for a specific port using its name or port number as follows,
nmap -p ssh 192.168.100.*
The command checks the ssh port on every host matching 192.168.100.*.
We can also check multiple ports as follows,
nmap -p 22-25,'http*' 192.168.100.*
The command checks ports 22 to 25 and every port whose service name starts with http, including https and the like.
We have discussed nmap commands in another article; the link is provided in the prerequisites section.
We can also use the netstat command to discover open ports. For example, since we are mostly interested in outside communications, we can list all TCP ports as follows,
To display UDP ports,
To show numeric port numbers instead of service names we use the -n option,
We can also use -l to show only listening ports,
Limiting file sizes to preserve disk space.
Linux is a multi-user operating system, so several users may be working on the same machine at the same time.
Suppose one user runs an application that consumes so much memory that nobody else can launch theirs, or creates large files that eat up disk space. We can rein in such behaviour with the ulimit command.
To list all limits on our account we write,
User limits come in two kinds: a soft limit, which a user may raise or lower for themselves up to the hard limit, and a hard limit, a ceiling that non-system users cannot raise.
First we change to bob's account,
To print the soft and hard limits we use the -S and -H options respectively,
For example to print out the soft limit for file size we write,
And to print out the hard limit for file size we write,
To set the soft and hard limits for file size to 10000 and 20000 blocks respectively we write,
ulimit -Sf 10000
And for the hard limit,
ulimit -Hf 20000
This means that user bob cannot create a file larger than about 20 MB (20000 blocks of 1024 bytes).
Let's try to create such a file,
$ head -c 20M </dev/urandom >testFile
File size limit exceeded
$ du -sh testFile
9.8M testFile
Notice that the file did not grow beyond the soft limit.
/dev/urandom is a pseudorandom number source; we use it here simply as a stream of bytes to fill testFile.
testFile stops at the soft limit. As bob we can raise the soft limit so the file may grow past it, but never beyond the hard limit,
$ ulimit -Sf $(ulimit -Hf)
$ head -c 30M </dev/urandom >testFile
File size limit exceeded
$ du -sh testFile
20M testFile
To confirm the size in bytes we can calculate as follows,
$ echo $((20000 * 1024))
Assuming a block size of 1024 bytes, we get 20480000 bytes, which is exactly the size of testFile.
$ ls -l
-rw-r--r-- 1 bob bob 20480000 Oct 4 00:28 testFile
Limits set with ulimit apply to the shell session in which they are set and to every process it starts; non-system users can lower their hard limit but not raise it.
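The following is an added example, not code from the article: it reproduces the experiment above in a self-contained way, lowering the soft file-size limit in a subshell so the calling shell is untouched, writing past the limit and measuring how much actually reached the file. The function names fsize_limits, fsize_demo and soft_limit_unchanged are my own. It assumes a Linux kernel, where a write that crosses RLIMIT_FSIZE is cut short at the limit and the next write gets SIGXFSZ; note that bash counts ulimit -f in 1024-byte blocks (the article's assumption) while dash counts 512-byte blocks, so the byte count you see depends on the shell.

```shell
#!/bin/sh
# Added example (not from the article): observe a soft file-size limit in action.

# Print the current soft and hard file-size limits (ulimit -Sf / ulimit -Hf).
fsize_limits() {
  printf 'soft=%s hard=%s\n' "$(ulimit -Sf)" "$(ulimit -Hf)"
}

# fsize_demo LIMIT_BLOCKS ATTEMPT_BYTES
# Lowers the soft file-size limit inside a subshell, tries to write
# ATTEMPT_BYTES into a scratch file, and prints how many bytes landed on disk.
fsize_demo() {
  dir=$(mktemp -d) || return 1
  (
    ulimit -Sf "$1"                              # soft limit only; hard limit untouched
    head -c "$2" </dev/zero >"$dir/testFile"     # killed by SIGXFSZ once the limit is hit
  ) 2>/dev/null || true                          # "File size limit exceeded" goes to stderr
  wc -c <"$dir/testFile" | tr -d ' '
  rm -rf "$dir"
}

# The limit was lowered in a subshell, so the caller's own soft limit is unchanged.
soft_limit_unchanged() {
  before=$(ulimit -Sf)
  fsize_demo 10 20480 >/dev/null
  after=$(ulimit -Sf)
  if [ "$before" = "$after" ]; then echo unchanged; else echo changed; fi
}

fsize_limits
fsize_demo 10 20480        # asks for 20480 bytes under a 10-block limit
soft_limit_unchanged
```

Because the subshell exits when head is killed, the effect is confined to that one child, which is also why a limit set with ulimit in a login shell covers everything started from it but nothing started elsewhere; session-wide defaults belong in the PAM limits configuration rather than in ad-hoc ulimit calls.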
Viewing user logins, logouts, failed logins, system reboots.
System administrators often need to know who is currently logged in. Linux keeps this in two main files, /var/run/utmp and /var/log/wtmp: the former holds the users currently on the system, the latter a history of logins, logouts and system reboots.
A third file /var/log/btmp will store failed login attempts.
To view the utmp file, which lists currently logged-in users, write,
$ cat /var/run/utmp | strings
We can also use the who command as follows,
For even more detail we use the w command, which adds information from the /proc file system.
To view the wtmp file, which records login and logout activity, we use the last command.
If the btmp file exists we can view failed login attempts with the lastb command as follows,
As a system administrator we sometimes need to know who is using which file, for example to avoid unmounting a file system while someone is working on it.
Here we use lsof (list open files), which lists every file currently open on the system.
To count the files, we write,
lsof | wc
We can also use lsof to find the user or process that is blocking the unmounting of a file system.
You can read up on lsof command in a different article which we have covered, the link is provided in the references section.
Other system administration tasks include limiting RAM, processor time and other system resources, monitoring system logs, configuring sudo and the sudoers file, and encrypting and password-protecting files.
For details on any of the commands, consult the manual pages displayed by the man command.