The Implementation

To help us administer our systems, we have written a few short scripts (which can go in our standard toolset). The first searches for root-owned files that carry an ACL and writes the filename together with the ACL itself to a log file. If we run it from cron regularly and examine the log, we can be sure that no one has hidden extra access in a file's ACL. The script is cumbersome in the way it finds the ACLs (it runs ls on every root-owned file and looks for the trailing + that marks a file with an ACL), so it is advisable to run it during a quiet time. The script is as follows:

#!/bin/ksh
# shell script called from the root crontab to
# search for files owned by root, but with ACLs set
# and report them to a log
#
date=$(date +%d%m%y)
aclLog=/usr/local/utils/logs/acl_${date}.log
prog=$(basename $0)
# for each file with ACLs set write the filename and the
# ACL to the log file. ls -ld marks a file that carries an
# ACL with a '+' after the ten-character mode string; the
# sed strips everything up to the last space, leaving the name
for file in $(find / -user root -exec ls -ld {} \; 2>/dev/null | grep '^..........+' | sed 's/^.* //')
do
  echo "$file has the following ACL set:"
  getfacl "$file"
  echo "==================================="
done > "$aclLog"

The above script reports only ACLs on files and directories that belong to root. What we need to look out for is a file whose standard permissions allow only root to update it, but whose ACL grants some other user write access as well. The script could be improved by reporting only the files that pose a potential threat, saving us from having to search the log for them.
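That improvement, as an added example rather than the book's own script: a filter that reads getfacl output and keeps only the named user or group entries that really grant write access. It assumes Linux/Solaris-style getfacl output (a "# file:" header followed by user:, group:, mask:: and other:: lines), and the getfacl output it is run on here is constructed for the example. The point it makes that the log loop does not is the mask: an entry such as user:bob:rwx is harmless when mask::r-x is in force, because the effective rights are the entry ANDed with the mask.

```sh
#!/bin/sh
# Added example, not the book's script: filter getfacl(1) output down to the
# entries that let someone other than the owner write to the file.
# Assumes Linux/Solaris-style getfacl output; the sample below is constructed.

# Read getfacl output on stdin; print "<file> <entry>" for every named
# user:NAME: or group:NAME: entry whose *effective* rights include write,
# i.e. the entry grants w and the mask (which getfacl prints after the
# named entries, so entries are buffered per file) does not remove it.
acl_write_grants() {
    awk '
    function flush(   i, f) {
        for (i = 1; i <= n; i++) {
            split(ent[i], f, ":")
            if (index(f[3], "w") > 0 && index(mask, "w") > 0)
                print file, ent[i]
        }
        n = 0; mask = "rwx"          # no mask line means nothing is masked
    }
    BEGIN                  { n = 0; mask = "rwx" }
    { sub(/[ \t]+#.*$/, "") }        # drop "#effective:" annotations
    /^# file: /            { flush(); file = substr($0, 9); next }
    /^mask::/              { split($0, m, ":"); mask = m[3]; next }
    /^(user|group):[^:]+:/ { ent[++n] = $0 }
    END                    { flush() }
    '
}

# Constructed getfacl output for two root-owned files: alice can really
# write shadow, while bob's rwx on deploy is cut back to r-x by the mask.
sample_getfacl_output() {
    cat <<'EOF'
# file: etc/shadow
# owner: root
# group: root
user::rw-
user:alice:rw-
group::r--
group:ops:r-x
mask::rw-
other::---

# file: usr/local/bin/deploy
# owner: root
# group: root
user::rwx
user:bob:rwx            #effective:r-x
group::r-x
mask::r-x
other::r-x
EOF
}

# Stand-alone run: only the dangerous entries are printed. In the cron
# version, feed the filter from
#   find / -user root -exec getfacl {} \; 2>/dev/null
# instead of the constructed sample.
sample_getfacl_output | acl_write_grants
```

The filter ignores default: entries, which getfacl prints for directories; they do not grant access to the directory itself but are inherited by new files created in it, so a cron version should extend the pattern to cover them too.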

The second script is based on the examples we saw earlier of using find to report setuid files, but this time we have taken the work away from the administrator. The script looks for setuid files owned by root that are writable by group or others. If any are found, an email is sent to the root user, so the administrator does not need to examine any logs:

#!/bin/ksh
# shell script called from the root crontab to
# search for setuid files owned by root that are writable
# by group or other
# Alert the system administrator of any found by email
#
# ls -ld prints the mode as ten characters: the file type, then
# rwx for owner, group and other. The 6th character is group
# write and the 9th is other write; sed keeps only the filename
grpw=$(find / -user root -perm -4000 -type f -exec ls -ld {} \; 2>/dev/null | grep '^.....w' | sed 's/.* //')
othw=$(find / -user root -perm -4000 -type f -exec ls -ld {} \; 2>/dev/null | grep '^........w' | sed 's/.* //')
if [[ ! -z ${grpw} ]]
then
  echo "WARNING - The following files are setuid root and
      writable by group
$grpw" | mail root
fi
if [[ ! -z ${othw} ]]
then
  echo "WARNING - The following files are setuid root and
      writable by anyone
$othw" | mail root
fi
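The same check done entirely with find's own permission tests, as an added example that is not the book's script: octal -perm masks replace the ls, grep and sed pipeline, so filenames containing spaces survive and no mode-string positions have to be counted. The search root and owner are parameters so the functions can be exercised on a scratch directory; the --cron entry point and the mail recipient are assumptions for the crontab use.

```sh
#!/bin/sh
# Added example, not the book's script: setuid files writable by group or
# other, found with find(1) permission tests instead of parsing ls output.

# Print setuid files under $1 owned by $2 whose mode also grants write to
# group ($3 = 020) or other ($3 = 002). Octal -perm -MODE means "all of
# these bits set" and is portable to every find(1).
setuid_writable_by() {
    find "$1" -xdev -type f -user "$2" -perm -4000 -perm "-$3" 2>/dev/null
}

# Build the alert text for one category; empty output means nothing found.
# $4 is the wording used in the warning ("group" or "anyone").
setuid_alert() {
    files=$(setuid_writable_by "$1" "$2" "$3")
    [ -n "$files" ] || return 0
    printf 'WARNING - the following files are setuid %s and writable by %s:\n%s\n' \
        "$2" "$4" "$files"
}

# Crontab entry point (assumed: run as "script --cron"): mail root only
# when at least one category produced a warning.
if [ "${1:-}" = "--cron" ]; then
    report=$(setuid_alert / root 020 group; setuid_alert / root 002 anyone)
    [ -n "$report" ] && printf '%s\n' "$report" | mail -s "setuid audit" root
fi
```

Because the owner is a parameter, the functions can be tried on a throwaway directory of your own files (chmod 4775 and 4757 on two of them) before being pointed at / as root; -xdev keeps the nightly run off NFS and other mounted filesystems, which should be audited on their own servers.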
