Over the numerous configuration reviews and pentest engagements that we have performed for our clients, we’ve observed a common pattern in the configuration weaknesses in Linux systems. We believe reviewing these common weaknesses and taking them into consideration may save a lot of time and resources, and more importantly help system administrators with creating more secure environments.
The 5 Common Linux Misconfiguration are as follows:
- User home directory permissions
- getgid and setuid binaries
- World-readable and writable files/folders
- Weak services in use
- Default NFS mount options or insecure export options
1. User home permissions
On most Linux distributions the default permissions for home folders is 755 which means that any user who had access to the server can see what is in other user’s home folders. Some users such as administrators or developers may have scripts or backups of files in their home folders which contain sensitive information such as user passwords and keys to services to the same or other servers on the network.
2. Setgid and setuid binaries
The set uid bit on a file is dangerous because it allows that file to run as a potentially privileged user such as root. If a file is owned by root and had the set uid bit set the file will run with the privileges of root. This means that if an attacker can find a vulnerability or unexpected uses of that file he can then perform commands on the system as the root user which means a full compromise of the server.
The command to find these files:https://gist.github.com/anonymous/10165224
3. World readable and writable files/folders
World-readable and writable files and folders introduce similar issues as loose user home permissions but throughout the system. The main cause of world readable files is the default umask used for file creation of either 0022 or 0002. As a result of this configuration weakness, files that may contain sensitive information will be readable by anyone that has access to the system. Files may also be modified by anyone on the system if they are world-writable. This can lead to an attacker modifying files or scripts to hide forensic evidence or to execute commands by modifying a script used by Administrators.
The command to find world-writable files and folders:
4. Weak services or configurations
Services are configured with the minimum configuration changes needed to get them up and running. It is not uncommon to find services Also, Weak and possibly default credentials and configurations when using less secure communication channels are also typical, increasing the risk and attack surface of the server. When using services the options and configuration should be reviewed to ensure that what is being deployed is secure or properly configured. It’s also not uncommon to find these services bound to multiple interfaces on the server instead of just listening locally or just on the specified interface.
5. Default mount options or insecure export options
The default keyword for all mounts has the following options “rw, suid, dev, exec, auto, nouser, and async”. These options are weak since they allow for the honoring of the suid and guid bits that are set on externally mounted file systems via protocols such as NFS. When exporting NFS shares it is recommended that the no_root_squash option not be set. The root-squash option is the default behavior but it is commonly seen to be changed. If root-squashing is not done it allows users to create files on the exported NFS share as the root user. These weaknesses if left as defaults can allow for root access on servers where such access is not provided for users.
The settings identified here are areas that are commonly overlooked when configuring a Linux server. These weaknesses can be used by attackers or malicious users to gain a wealth of information or elevated privileges on a server. Hardening your system makes it more difficult for a user to compromise it, and also more difficult to use the system as means to access other systems within the environment.