
8. Initial System security

This covers CMOS setup, disabling ports, TCP wrappers, shadow passwords, etc.

First thing, I would recommend, in addition to following TrinityOS for your needed purposes, reading LDP's Security HOWTO for a more detailed explanation of what to do. Interestingly enough, I never read it until recently and a LOT of things I had independently recommended were already in the Security HOWTO too! So, it sounds like we are on-track! I recommend you read it too! The URL is in Section 5.

8.1 BIOS/CMOS Settings

Upon system boot, enter into the CMOS setup

- Once you are in the BIOS, search around and try to set the following:

+ Enable the BIOS password

- I recommend the combination of upper and lower case characters with numbers!

+ DISABLE booting from the floppy drive

By changing the BIOS boot order from A:,C: to C:,A:

If you are extra paranoid, you can set the floppy drive to READ only or even disable the floppy drive altogether if you wish.

8.2 Linux root Password

- Now, boot back into Linux and make sure you have a password for the root login



         passwd root

NOTE: You may not have noticed this, but most Linux distributions only used the first -8- characters of your password. After that, they simply ignored ALL other characters. For example, these two passwords are the SAME to Linux:

Pl3a5eGet0ut and Pl3a5eGe

Because of this, you need a strong password and it can ONLY be 8-characters long. You REALLY should use a combination of UPPER and lower case characters, numbers, and special characters such as:

[ `~!@#$%^&*()-_=+{[]}\|'";:,<.>/? ]

Fortunately enough, the newer Linux distributions have fixed this issue. But regardless of whether this has been fixed on your distribution or not, it IS important that you choose a strong password.

8.3 Enable the "sticky" bit in /tmp

This ensures that only a file's owner can delete a given file in /tmp (fixed in RH6.x):


                chmod 1777 /tmp

8.4 - Disable the Control-Alt-Delete keyboard shutdown command

- This is pretty important if you don't have the best physical security on the box:

- To implement this, edit /etc/inittab and change the line:


                ca::ctrlaltdel:/sbin/shutdown -t3 -r now

to


                #ca::ctrlaltdel:/sbin/shutdown -t3 -r now

- Now, for the system to understand the change, type in the following at a prompt:


                /sbin/init q

8.5 - Disable the ability to run INIT in interactive mode

Newer Redhat:

8.6 - Compile / install vlock (available in most modern distributions).

NOTE: Use this command if you are logged in as root and want to LOCK the ttys without having to log fully out and back in again. Nice!

8.7 - Change what system daemons get loaded by editing the following files in "/etc/rc.d/"

NOTE: Regardless of Linux distribution, you might want to SKIP some of the following steps if you plan to run:

Redhat:

(though this is specific to Redhat, the following is a good read for ALL Linux users.)

The way that Redhat boots is the SysV way. This is where the OS will execute ALL files for a given runlevel (see definition below) that start with a "S" (that's a CAPITAL "S") and have a number after that in a numerical order from lowest to highest. For example, it will run "S10network" before it runs "S30syslog".

So what's a RUN-level? A run-level is the mode in which the machine loads a given set of system programs. Though this varies from Unix to Unix (Linux, Solaris, AIX, HP-UX, etc.), they are similar. For Linux, these are the run-levels (from /etc/inittab):

Please note that some Linux distributions have slight variations:

Also, if you didn't already notice, all of the files in various runlevel directories like /etc/rc.d/rc0, 1, 2, 3, 4, 5, 6.d are actually just symbolic links to all the real script files in /etc/rc.d/init.d! This makes things more manageable.

So, since Linux usually runs in multi-user / non-Xwindows mode, that means runlevel "3" will execute all files in the /etc/rc.d/rc3.d directory. The system will run ALL files starting with "S" in order. When you shut down or restart the machine, you change the machine into runlevel "0" or "1". This will first execute all commands from the initial runlevel directory of "3" starting with "K". If the given process isn't already running, like my example for LPD, it will just skip it and move on. Get it?

Slackware:

The way that Slackware boots is the BSD way. It will execute the /etc/rc.d/rc.inet1 (network interfaces) file first. Then, it will run the /etc/rc.d/rc.inet2 (network services) file. This is much more readable than the Redhat method but it's harder to maintain (IMHO).

Securing your machine by limiting what daemons load:

BSD-Style: Edit the following files in /etc/rc.d/ and make these changes unless you need that service.

                - rc.M (disable email and WWW servers)

                        - line 75:      #'d out all lines for Sendmail
                        - line 97:      #'d out all lines for httpd

                - rc.inet2 (disable SERVER and NFS servers)
                        - line 14:      #'d out all lines for lpd
                        - line 15:      #'d out all lines for lpd
                        - line 31:      #'d out all lines for portmap
                        - line 72:      #'d out all lines for mountd, nfsd, pcnfsd, bwnfsd

There are at least (6) ways to turn on/off what daemons load:

Via A GUI interface:

This process manipulation can be done either via:

Note - Though I'm a command line bigot, I feel the "ntsysv" GUI is the fastest way to modify these options!

NOTE #2 - It should be noted that some people really feel that if you are going to disable a package, you might as well REMOVE IT. This is technically MORE secure (nothing to run an exploit against) and it doesn't take up any disk space. Personally, I usually side with functionality and would rather just disable the service vs. delete it altogether. Now, if you're sure that you'll NEVER use this service, I definitely recommend deleting the package.

To DELETE a given package:

To remove packages:

NOTE #3 - I've found that when you first run these GUI tools, they will default to running and disabling some processes they SHOULDN'T! So, be careful and make sure that the tool is starting/stopping the correct daemons. Confirm this by going into the correct runlevel directory, say /etc/rc.d/rc3.d, and making sure only the minimal S* files are there.

With "chkconfig":

Please note that there might be some daemons that are missing and/or extra in your specific /etc/rc.d/init.d directory so make sure you enable/disable the appropriate ones for your needs.


                        --
                        #Disable automounters
                        chkconfig --level 2345 amd off

                        #Disable unless this is a laptop
                        chkconfig --level 2345 apmd off

                        #Disable unless you want to run batch programs within certain loads
                        chkconfig --level 2345 atd off

                        #Disable unless you want emails of EVERY ARP on your network segment
                        chkconfig --level 2345 arpwatch off

                        #Disable unless you want boot diskless workstations
                        chkconfig --level 2345 bootparamd off

                        #Disable unless this machine will be a DHCP *SERVER*
                        chkconfig --level 2345 dhcpd off

                        #Disable unless this machine will be a full blown router
                        chkconfig --level 2345 gated off

                        #Disable unless this machine will be a WWW server
                        chkconfig --level 2345 httpd off

                        #Disable unless this machine uses a modularized kernel
                        #  NOTE:  Not needed for 2.2.x+ kernels
                        chkconfig --level 2345 kerneld off      

                        #Disable unless you really want to configure remote machines via Linuxconf
                        chkconfig --level 2345 linuxconf off

                        #Disable unless this machine will be a print server 
                        #(for the local or remote machine)
                        chkconfig --level 2345 lpd off

                        #Disable unless you really need the proprietary MC server
                        chkconfig --level 2345 mcserv off

                        #Disable unless this machine will be a database server
                        chkconfig --level 2345 mysql off

                        #Disable unless this machine will be a caching or full blown DNS server
                        chkconfig --level 2345 named off

                        #Disable unless this machine will be a NFS server
                        chkconfig --level 2345 nfs off
                        
                        #Disable unless this machine is a laptop or the PC has PCMCIA cards
                        chkconfig --level 2345 pcmcia off

                        #Disable unless this machine will be an NFS server or needs RPC tools
                        chkconfig --level 2345 portmap off

                        #Disable all R-cmds
                        chkconfig --level 2345 rusersd off
                        chkconfig --level 2345 rwalld off
                        chkconfig --level 2345 rwhod off

                        #Disable unless this machine is a email server
                        chkconfig --level 345 sendmail off

                        #Disable unless this machine is a Samba (MS File&Print) server
                        chkconfig --level 345 smb off

                        #Disable unless this machine is to support SNMP
                        chkconfig --level 2345 snmpd off

                        #Disable unless this machine is a local/remote HTTP proxy server
                        chkconfig --level 2345 squid off

                        #Disable unless this machine will be running X-windows
                        chkconfig --level 2345 xfs off

                        #Disable unless this machine will be an NTP server
                        chkconfig --level 2345 xntpd off

                        #Disable unless this machine will be part of a NIS/YP domain
                        chkconfig --level 2345 ypbind off
                        chkconfig --level 2345 yppasswdd off

                        #Disable unless this machine will be a NIS/YP server
                        chkconfig --level 2345 ypserv off

Manually:

NOTE: only do this to the processes you WON'T use.

NOTE #2: If, for some reason, any of the K or S* files don't exist and you want them to be there, use one of the GUI tools above.

Do this in /etc/rc.d/rc2.d, /etc/rc.d/rc3.d, and /etc/rc.d/rc5.d


                        - mv S08autofs K08autofs
                        - mv S20nfs K20nfs              (unless this is for a full or caching NFS server)
                        - mv S20rusersd K20rusersd
                        - mv S20rwalld K20rwalld
                        - mv S20rwhod K20rwhod
                        - mv S30mcserv K30mcserv
                        - mv S98kerneld K98kerneld
                        - mv S35smb K35smb              (unless this is for a Samba F&P server)
                        - mv S60lpd K60lpd              (unless this is for a print server)
                        - mv S65portmap K65portmap      (unless this is for a NFS server)
                        - mv S95nfsfs K95nfsfs          (unless this is for a NFS server)
                        - mv S45pcmcia K45pcmcia        (unless this is for a laptop)
                        - mv S65dhcpd K65dhcpd          (unless this is for a DHCP server)
                        - mv S85httpd K85httpd          (unless this is for a WWW server)
                        - mv S80sendmail K80sendmail    (unless this is for a mail server)
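As an added example (not part of TrinityOS), here is a short shell script that does the manual S-to-K renaming above and the NOTE #3 check that only the S* links you expect remain in a runlevel directory. The directory is a parameter, and the demo function builds a constructed scratch rc3.d instead of touching /etc/rc.d.

```shell
# Added example (not TrinityOS code): audit a SysV runlevel directory and
# disable a service the way the manual method does (rename S* -> K*).
# Needs only POSIX sh and coreutils; try it on a scratch copy first.

# rc_list_starts DIR
#   Print the service name behind every S* link in DIR, one per line.
rc_list_starts() {
    for f in "$1"/S[0-9][0-9]*; do
        [ -e "$f" ] || [ -L "$f" ] || continue    # unmatched glob
        name=${f##*/}                              # S20nfs
        printf '%s\n' "${name#S[0-9][0-9]}"        # nfs
    done
}

# rc_unexpected_starts DIR "svc1 svc2 ..."
#   Print every service that starts from DIR but is not in the
#   space-separated list of services you actually want running.
rc_unexpected_starts() {
    wanted=" $2 "
    rc_list_starts "$1" | while read -r svc; do
        case "$wanted" in
            *" $svc "*) ;;                         # expected, say nothing
            *) printf '%s\n' "$svc" ;;
        esac
    done
}

# rc_disable_start DIR SERVICE
#   Rename DIR/SnnSERVICE to DIR/KnnSERVICE, keeping the number so the
#   stop ordering is preserved. Returns 1 if no matching S link exists.
rc_disable_start() {
    dir=$1; svc=$2; found=1
    for f in "$dir"/S[0-9][0-9]"$svc"; do
        [ -e "$f" ] || [ -L "$f" ] || continue
        name=${f##*/}                              # S20nfs
        mv "$f" "$dir/K${name#S}"                  # -> K20nfs
        found=0
    done
    return $found
}

# rc_demo_dir: constructed sample, not a real system. Builds init.d and
# rc3.d with Red Hat style links in a temp directory and prints rc3.d.
rc_demo_dir() {
    tmp=$(mktemp -d)
    mkdir "$tmp/init.d" "$tmp/rc3.d"
    for s in network syslog nfs portmap sendmail httpd; do
        printf '#!/bin/sh\n' > "$tmp/init.d/$s"
        chmod 755 "$tmp/init.d/$s"
    done
    ln -s ../init.d/network  "$tmp/rc3.d/S10network"
    ln -s ../init.d/syslog   "$tmp/rc3.d/S30syslog"
    ln -s ../init.d/nfs      "$tmp/rc3.d/S20nfs"
    ln -s ../init.d/portmap  "$tmp/rc3.d/S65portmap"
    ln -s ../init.d/sendmail "$tmp/rc3.d/S80sendmail"
    ln -s ../init.d/httpd    "$tmp/rc3.d/S85httpd"
    printf '%s\n' "$tmp/rc3.d"
}
```

Running rc_unexpected_starts against a real /etc/rc.d/rc3.d with the list of services you meant to keep is a quick way to confirm what the GUI tools actually left enabled.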

8.8 Shutting down most of inetd / xinetd

Inetd and Xinetd are called the "super servers" as they load a network server based upon a request from the network. I personally recommend that any service that you DON'T need shouldn't be able to load. This both minimizes CPU and Memory load as well as greatly reduces your security risk.


* The exceptions that I leave in and secure via a firewall and 
* TCPwrappers are: 
*
*       TELNET, FTP, SSH, sometimes TALK, POP-3, IMAP, and maybe FINGER.
*

Newer Linux distributions no longer use "inetd" but instead use a newer version called "xinetd". This new version allows for much more granular configuration as well as superior logging, etc. Overall, I really recommend Xinetd though it does take a little time to get used to.

XINETD:
-------

Go into the /etc/xinetd.d directory and edit each of the files in that directory. In each one of the service files that should be disabled, make sure that a line reading "disable = yes" is present. For example:

/etc/xinetd.d/chargen


# default: off
# description: A chargen server. This is the tcp \
# version.
 
service chargen
{
    type        = INTERNAL
    id      = chargen-stream
    socket_type = stream
    protocol    = tcp
    user        = root
    wait        = no
    disable     = yes
}    

I recommend to disable the following services and any other services enabled in your machine that you don't need (unless noted below).

To make the change take effect, type in:

INETD:
------

I recommend editing the /etc/inetd.conf file and placing a "#" in front of the lines to disable them (if not already done).

As noted above for Xinetd, there are some items you might want to leave enabled. Some you might want to leave available until you install a secure alternative like SSH:

Once you make these changes, finish editing the file. To make the change take effect, type in:

8.9 TCP wrapper security

More and more Linux distributions are shipping with secure defaults. But, never ASSUME that things are locked down. CONFIRM IT!

- Edit "/etc/hosts.deny" and insert the following at the end of the file:


        ALL: ALL

It should also be noted that TCP wrappers supports extensive logging and remote banners. Please see the end of this section for a detailed example.

- edit "/etc/hosts.allow" and insert lines at the end of the file for each IP and or Domain that you want to allow access to the Linux box.

NOTE: Do NOT use DNS names for the hosts as DNS can be spoofed. Use TCP/IP addresses instead.

ALL: 127.0.0.1 #Needed for some local services like comsat

ALL: 200.211.0.40 #Securehost

ALL: w.x.y.z

For example:


    ALL:    192.168.0.2     #Allow everything from coyote2
    ALL:    200.211.0.40    #Allow all traffic from Explicit Allowed #1
    ALL:    200.211.1.      #Allow *ALL* traffic from all hosts on the 200.211.1.x
                            #network.  Yes, the option should END with a
                            #single "."


Or if you want to be more granular, you can do the following. All TCP wrapper supported daemons that you can put in here are noted in the /etc/inetd.conf file.


        in.ftpd: 192.168.0.2    #Allow only FTP traffic from coyote2
        in.pop3d: 200.211.0.40  #Allow only POP-3 traffic from Explicit Allowed #1
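To check an allow/deny pair before trusting it, here is an added example (not TrinityOS's code) that re-implements the tcpd lookup order in shell for the pattern forms used in this section: ALL, an exact address, a trailing-dot network prefix, comma/space lists and "except". It assumes one rule per line (no backslash continuations) and ignores spawn/twist options; the sample files it writes are constructed from the examples above.

```shell
# Added example (not TrinityOS code): offline model of the tcp_wrappers
# lookup order for hosts.allow / hosts.deny. Only the rule forms used in
# this section are modelled; options after the second colon are ignored.

# wrap_pattern_matches PATTERN CLIENT_IP
wrap_pattern_matches() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;  # 200.211.1. matches 200.211.1.x
        *)   [ "$1" = "$2" ] && return 0 ;;           # exact address
    esac
    return 1
}

# wrap_daemon_matches PATTERN DAEMON   (daemon names match exactly, or ALL)
wrap_daemon_matches() {
    [ "$1" = ALL ] || [ "$1" = "$2" ]
}

# wrap_list_matches "LIST" VALUE MATCHER
#   LIST is comma- or space-separated and may contain "except": VALUE
#   matches if something before "except" matches and nothing after it does.
wrap_list_matches() {
    list=$(printf '%s' "$1" | tr ',' ' ')
    value=$2; fn=$3; hit=1; excluded=1; in_except=0
    for item in $list; do
        if [ "$item" = except ] || [ "$item" = EXCEPT ]; then
            in_except=1; continue
        fi
        if $fn "$item" "$value"; then
            if [ $in_except -eq 1 ]; then excluded=0; else hit=0; fi
        fi
    done
    if [ $hit -eq 0 ] && [ $excluded -eq 1 ]; then return 0; fi
    return 1
}

# wrap_file_matches FILE DAEMON CLIENT_IP
#   True if some rule "daemon_list : client_list [: options]" in FILE matches.
wrap_file_matches() {
    [ -r "$1" ] || return 1
    # strip comments, skip lines without a colon, split the first two fields
    sed 's/#.*//' "$1" | while IFS= read -r line; do
        case "$line" in *:*) ;; *) continue ;; esac
        daemons=${line%%:*}
        rest=${line#*:}
        clients=${rest%%:*}
        if wrap_list_matches "$daemons" "$2" wrap_daemon_matches &&
           wrap_list_matches "$clients" "$3" wrap_pattern_matches; then
            echo match
        fi
    done | grep -q match
}

# wrap_decision DAEMON CLIENT_IP ALLOW_FILE DENY_FILE
#   Mirrors tcpd: hosts.allow is consulted first, then hosts.deny, and a
#   client named in neither file is allowed.
wrap_decision() {
    if wrap_file_matches "$3" "$1" "$2"; then echo allow
    elif wrap_file_matches "$4" "$1" "$2"; then echo deny
    else echo allow
    fi
}

# wrap_demo_files: constructed hosts.allow / hosts.deny mirroring this
# section's examples, written to a scratch directory whose path is printed.
wrap_demo_files() {
    tmp=$(mktemp -d)
    cat > "$tmp/hosts.allow" <<'EOF'
ALL:     127.0.0.1      #Needed for some local services like comsat
in.ftpd: 192.168.0.2    #Allow only FTP traffic from coyote2
ALL:     200.211.1.     #Allow *ALL* traffic from the 200.211.1.x network
EOF
    cat > "$tmp/hosts.deny" <<'EOF'
ALL except in.fingerd: ALL
EOF
    printf '%s\n' "$tmp"
}
```

The last case in the test below is the one people get wrong: "200.211.1." does not match 200.211.10.1, because the prefix has to end at a dot boundary, which is exactly why the trailing "." matters.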

TCP Wrapper logging and banner support

As mentioned above, TCP wrappers support advanced features like logging and sending text banners to the remote machine. To do this, you want to change the /etc/hosts.deny file to look something like the following:


# The following example will DENY all traffic except finger.  
#   For finger, it will allow the request but log it, send a banner and THEN
#   deny it
#
# First, set up a booby trap and bounce message for all except finger
# and log attempt to /var/log/tcpwrappers.log

ALL except in.fingerd: ALL \
    :spawn (/usr/sbin/safe_finger -l @%h | /bin/mail -s %d-%h root;\
        date >>/var/log/tcpwrappers.log;\
        echo '%u@%h (%d) connection attempted.' >>/root/access.log)& \
    :rfc931 45\
    :twist /bin/echo \
        $'\nAccess to this system is limited to authorized users. \
        \n%u@%h is not a valid ID to access %d \
        \non this system. This attempt has been logged. \n'

# Now log and bounce message for finger
#
in.fingerd: ALL\
    :spawn (date >>/var/log/tcpwrappers.log; \
        echo '%u@%h (%d) connection attempted.' >>/var/log/tcpwrappers.log)& \
    :rfc931 45\
    :twist /bin/echo \
        $'\nAccess to this system is limited to authorized users. \
        \n%u@%h is not a valid ID to access %d \
        \non this system. This \
        attempt has been logged.\
        \n'

8.10 FTP Anonymous users

Disable anonymous FTP to your box by editing /etc/ftpaccess and change the common first line that looks like:


                class   all   real,guest,anonymous  *

...to this (notice that the words "guest" and "anonymous" are gone):


                class   all   real *

8.11 Shadow Passwords

In most early Linux distributions, all users' passwords were stored in the /etc/passwd file, encrypted with the "crypt" tool. The problem with this setup was that anyone could read these encrypted passwords, and crypt's encryption was very poor, so the passwords could be broken with publicly available tools. In recent times, the shadow system was implemented: passwords are hashed with the MD5 algorithm and the resulting MD5 hashes are placed in /etc/shadow.

To quickly see if your machine is "shadow" enabled, look at the "/etc/passwd" file. In this file, you will see the username, password, UserID (UID), GroupID (GID), Home Directory, and the user's default shell, all separated by colons (:). If you see "x"s in the second left-hand field, the password field, then you are done! If you DON'T see "x"s in that field, you need to follow these directions, or better yet, get a newer distribution!

Slackware 3.x

Slackware v3.2 did not come with Shadow passwords enabled but v3.4+ does. For several reasons, I recommend that you just upgrade to Slackware v3.4 if you are running an older Slackware distribution. The upgrade will fix numerous security issues and has many other features as well.

Redhat

Redhat5, out of the box, does NOT do shadow passwords (stupid) but it is fixed in RH 6.1 and onward.

Confirm that your system is using SHADOW passwords by looking at the /etc/passwd file and making sure that the second left-hand field next to the username is ":x:". If so, make sure everything in this section is set up the same on your box.

If it isn't, do the following:

- login as root

- type in "pwconv"

- This will convert the /etc/passwd file and move the encrypted passwords over to /etc/shadow and change the encryption algorithm from the weak "crypt" system to "md5"

- More info is available in "/usr/doc/pam-0.64/txts/pam.txt"

- NOTE: Using passwords of more than 8 characters will NOT work. Use longer passwords and be prepared NOT to be able to log in again!

- Edit the /etc/pam.d/passwd file and change the bottom lines

NOTE: There are (2) methods shown below. Crypt is the OLD UNIX method and is considered weak. The newer method uses MD5 hashing. I recommend the MD5 method.

So, edit the file and change it to the following:

For MD5 hashing (more secure and recommended):


                        --
                        auth       required     /lib/security/pam_pwdb.so shadow nullok
                        account    required     /lib/security/pam_pwdb.so
                        password   required     /lib/security/pam_cracklib.so retry=3
                        password   required     /lib/security/pam_pwdb.so shadow use_authtok nullok md5
                        --

For normal CRYPT hashing:

                        --
                        auth       required     /lib/security/pam_pwdb.so shadow nullok
                        account    required     /lib/security/pam_pwdb.so
                        password   required     /lib/security/pam_cracklib.so retry=3
                        password   required     /lib/security/pam_pwdb.so shadow use_authtok nullok
                        --
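As an added example (not from TrinityOS), here is a shell check for the "x" test described above, plus a check that the shadow file itself is not readable by group or others; it runs on a constructed passwd-format sample whose hash is fake.

```shell
# Added example (not TrinityOS code): audit a passwd-format file for
# accounts that are not shadowed. On a shadow-enabled system the password
# field is "x"; a real hash there is world-readable, and an empty field
# means anyone can log in with no password at all (what "nullok" permits).

# passwd_audit FILE
#   Prints "<user> <problem>" per offending account; exit 0 if none found.
passwd_audit() {
    problems=0
    while IFS=: read -r user pw rest; do
        case "$user" in ''|'#'*) continue ;; esac        # blank or comment
        case "$pw" in
            x)        ;;                                  # shadowed: fine
            '')       printf '%s NO-PASSWORD\n' "$user";    problems=1 ;;
            '*'|'!'*) ;;                                  # locked account: fine
            *)        printf '%s HASH-IN-PASSWD\n' "$user"; problems=1 ;;
        esac
    done < "$1"
    return $problems
}

# shadow_unreadable FILE
#   True if FILE is readable by neither group nor others (what /etc/shadow
#   must look like for the scheme to help at all).
shadow_unreadable() {
    [ -z "$(find "$1" -prune \( -perm -0040 -o -perm -0004 \) -print)" ]
}

# passwd_demo_file: constructed sample (the hash is fake) written to a
# temp file; prints its path.
passwd_demo_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:*:1:1:bin:/bin:/sbin/nologin
daemon:!:2:2:daemon:/sbin:/sbin/nologin
backup:$1$Xy12AbCd$fakeconstructedhash00000000:500:500:Backup:/home/backup:/bin/bash
guest::501:501:Guest:/home/guest:/bin/bash
EOF
    printf '%s\n' "$f"
}
```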

8.12 Disable ROOT TELNET/SSH access

By default, most Linux distributions don't allow direct "root" logins via TELNET or SSH. This is considered good security.

- If you DO need to login via telnet as root then edit or create the /etc/securetty file and ADD the following:


                        ttyp0
                        ttyp1
                        ttyp2

Please note that newer Linux distributions now use the DevFS system. If your system uses DevFS, you should add the following in addition to the "ttyp0, ttyp1, etc." lines. If you are using DevFS full time, you can delete the ttyp0, etc. lines.


            vc/1
            vc/2

**** MAKE SURE YOU PUT "#"s IN FRONT OF THESE NEW LINES ONCE YOU ARE DONE! ****

8.13 Disable ROOT FTP access

It seems that some Linux distributions do not come with the /etc/ftpusers file. Any username listed in this file is NOT allowed to FTP in. It is usually considered POOR security to be able to FTP in as ROOT, so putting the word "root" into this file disables FTP logins from "root".

- If you ever need to FTP into the linux box as ROOT (you shouldn't be able to by default), edit the "/etc/ftpusers" file and put a "#" in front of "root".

NOTE: If the /etc/ftpusers file DOESN'T already exist, just create it. Once you are done, LEAVE it there with at least the line "root" without a "#" in front of it.

                *********************************************************
                **** MAKE SURE YOU REMOVE THIS "#" ONCE YOU ARE DONE ****
                ****       SINCE THIS IS A BIG SECURITY ISSUE        ****
                *********************************************************

8.14 Disable miscellaneous cron stuff

* When users install Redhat, they usually install more programs than they plan to initially use. Though Redhat allows users to later choose what daemons are and are NOT run upon boot, this does NOT disable some things that are loaded into the cron file.

As mentioned before in this section, unless you plan on using the functionality of a specific product, DON'T just disable a given cron entry. Delete the package altogether as described above.

Redhat users:

**NOTE**: DON'T disable: logrotate, tmpwatch, updatedb.cron, makewhatis.cron

- Look in the /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly, and /etc/cron.monthly and make sure that nothing is installed that you don't want. For example, I had to do the following for RH 5.2:


                        mkdir -m 700 /etc/cron.disabled
                        mkdir -m 700 /etc/cron.disabled/cron.hourly
                        mkdir -m 700 /etc/cron.disabled/cron.daily

                        mv /etc/cron.hourly/inn-cron-nntpsend /etc/cron.disabled/cron.hourly
                        mv /etc/cron.daily/inn-cron-expire /etc/cron.disabled/cron.daily
                        mv /etc/cron.daily/inn-cron-rnews /etc/cron.disabled/cron.daily
                        mv /etc/cron.daily/tetex.cron /etc/cron.disabled/cron.daily

Slackware Users:

**NOTE**: DON'T disable: updatedb.cron

- Realistically, you won't have the same issues as Redhat users because Slackware doesn't have as many bells and whistles as RH does. BUT, check to make sure. All of Slackware's cron configuration is stored here.


                        less /var/spool/cron/crontabs/root

8.15 File Permission corrections

A lot of the default file permissions on Linux distributions just give away too much information to the end user or hacker. Some people might think that some of these are paranoid but I'd rather be safe than sorry:

NOTE: Most of these permissions reflect Redhat 5.2 but most will apply to any Linux distribution.

NOTE2: If you receive any ERRORs when applying these changes, don't worry. That just means you don't have that package installed.

It is highly recommended that you apply these permissions via the TrinityOS-security script to avoid typing mistakes and save time.


# Files in /dev
chmod 660 /dev/lp*

# Files in /bin
echo "Bru is a commercial backup program but some Linux distributions come with it"
chmod 750 /bin/bru
chmod 750 /bin/linuxconf
chmod 750 /bin/mount
chmod 750 /bin/mt
chmod 750 /bin/rpm
chmod 750 /bin/setserial
chmod 4750 /bin/su
chgrp adm /bin/su
chmod 750 /bin/umount

# Files in /sbin
chmod 750 /sbin/accton
chmod 750 /sbin/badblocks
chmod 750 /sbin/ctrlaltdel
chmod 750 /sbin/chkconfig
chmod 750 /sbin/chkraid
chmod 750 /sbin/debugfs
chmod 750 /sbin/depmod
chmod 750 /sbin/dhcpcd
chmod 750 /sbin/dump*
chmod 750 /sbin/fdisk
chmod 750 /sbin/fsck*
chmod 750 /sbin/ftl*
chmod 750 /sbin/getty
chmod 750 /sbin/halt
chmod 750 /sbin/hdparm
chmod 750 /sbin/hwclock
chmod 750 /sbin/ide_info
chmod 750 /sbin/if*
chmod 750 /sbin/init
chmod 750 /sbin/insmod
echo "IPFWADM is only installed for v2.0 kernels"
chmod 750 /sbin/ipfwadm
chmod 750 /sbin/ipx*
chmod 750 /sbin/isapnp
chmod 750 /sbin/kerneld
chmod 750 /sbin/killall*
echo "This is the new location for klogd.  Please disregard any errors if this doesn't work."
chmod 750 /sbin/klogd
chmod 750 /sbin/lilo
chmod 750 /sbin/mgetty
chmod 750 /sbin/mingetty
chmod 750 /sbin/mk*
chmod 750 /sbin/mod*
chmod 750 /sbin/netreport
chmod 750 /sbin/pam*
chmod 750 /sbin/pcinitrd
chmod 750 /sbin/pnpdump
chmod 750 /sbin/portmap
chmod 750 /sbin/quotaon
chmod 750 /sbin/raidadd
chmod 750 /sbin/restore
chmod 750 /sbin/runlevel
chmod 750 /sbin/stinit
echo "This is the old location for klogd.  Please disregard any errors if this doesn't work."
chmod 750 /sbin/syslogd
chmod 750 /sbin/swapon
chmod 750 /sbin/tune2fs
chmod 750 /sbin/uugetty
chmod 750 /sbin/vgetty

echo "Files in /usr/bin"
chmod 750 /usr/bin/control-panel
chmod 750 /usr/bin/comanche
chmod 750 /usr/bin/eject
chmod 750 /usr/bin/glint
chmod 750 /usr/bin/gnome*
chmod 750 /usr/bin/gpasswd
chmod 750 /usr/bin/ipx*
chmod 750 /usr/bin/kernelcfg

chmod 755 /usr/bin/lp*
chmod 4755 /usr/bin/lpr

#NOTE: I feel setting "lpr" to allow any group to execute it is
#        a bad thing.
#
#        I would like to add UNIX users and even the Samba process to
#        the "lp" group already defined in /etc/group and then be able
#        to put things back to 4750.  BUT, I just talked to a buddy
#        of mine and this really isn't possible.  Linux doesn't support
#        multiple groups per file and Linux doesn't support access lists
#        (ACLs) yet.  So, you either have to do all this or run LPRng.
#
#        Stock permissions are:
#               -r-sr-sr-x    1 root     lp          15436 Oct 17 06:49 lpq
#               -r-sr-sr-x    1 root     lp          16176 Oct 17 06:49 lpr
#               -r-sr-sr-x    1 root     lp          16132 Oct 17 06:49 lprm

chmod 750 /usr/bin/mformat
chmod 750 /usr/bin/minicom
chmod 750 /usr/bin/mtools
chmod 750 /usr/bin/netcfg
chmod 750 /usr/bin/rusers
chmod 750 /usr/bin/rwall
chmod 750 /usr/bin/uucp


echo "Files in /usr/sbin"
chmod 750 /usr/sbin/am*
chmod 750 /usr/sbin/at*
chmod 750 /usr/sbin/automount
chmod 750 /usr/sbin/bootp*
chmod 750 /usr/sbin/crond
chmod 750 /usr/sbin/dhc*
chmod 750 /usr/sbin/dip
chmod 750 /usr/sbin/dump*
chmod 750 /usr/sbin/edquota
chmod 750 /usr/sbin/exportfs
chmod 750 /usr/sbin/fixmount
chmod 750 /usr/sbin/ftpshut
chmod 750 /usr/sbin/gated
chmod 750 /usr/sbin/group*
chmod 750 /usr/sbin/grp*
chmod 750 /usr/sbin/imapd
chmod 750 /usr/sbin/in.*
chmod 750 /usr/sbin/inetd
chmod 750 /usr/sbin/ipop*
echo "This is the old location for klogd.  Please disregard any errors if this doesn't work."
chmod 750 /usr/sbin/klogd
chmod 750 /usr/sbin/logrotate
chmod 750 /usr/sbin/lp*
chmod 755 /usr/sbin/lsof
chmod 750 /usr/sbin/makemap
chmod 750 /usr/sbin/mk-amd-map
chmod 750 /usr/sbin/mouseconfig
chmod 750 /usr/sbin/named*
chmod 750 /usr/sbin/nmbd
chmod 750 /usr/sbin/newusers
chmod 750 /usr/sbin/ntp*
chmod 750 /usr/sbin/ntsysv
chmod 750 /usr/sbin/pppd
chmod 750 /usr/sbin/pnpprobe
chmod 750 /usr/sbin/pw*
chmod 750 /usr/sbin/quota*
chmod 750 /usr/sbin/rdev
chmod 750 /usr/sbin/rdist
chmod 750 /usr/sbin/repquota
chmod 750 /usr/sbin/rhbackup
chmod 750 /usr/sbin/rotatelogs
chmod 750 /usr/sbin/rpc*
chmod 750 /usr/sbin/rwhod
chmod 750 /usr/sbin/samba
chmod 750 /usr/sbin/setup
chmod 750 /usr/sbin/showmount
chmod 750 /usr/sbin/smb*
chmod 750 /usr/sbin/sndconfig
chmod 750 /usr/sbin/snmp*
chmod 750 /usr/sbin/squid
echo "This is the old location for sysklogd.  Please disregard any errors if this doesn't work."
chmod 750 /usr/sbin/syslogd
chmod 750 /usr/sbin/taper
chmod 750 /usr/sbin/tcpd*
chmod 750 /usr/sbin/time*
chmod 750 /usr/sbin/tmpwatch
chmod 750 /usr/sbin/tunelp
chmod 750 /usr/sbin/user*
chmod 750 /usr/sbin/uu*
chmod 750 /usr/sbin/vi*
chmod 750 /usr/sbin/wire-test
chmod 750 /usr/sbin/xntp*

8.16 SUID ROOT PROGRAMS

- Check that there aren't any SUID ROOT programs (programs that execute as the ROOT user) that are WRITABLE by other users. To do this, execute the following command (per http://rlz.ne.mediaone.net/linux/index.html):


                mkdir -m700 /etc/info
                find / -type f \( -perm -04000 -o -perm -02000 \) -ls > /etc/info/suid-results

So what do you do with these results?

Figure out which SUID programs you need, and note which ones they are and where they are. The point is to make sure that no unknown programs get added to this list. What about just changing their permissions to NOT be SUID root? This would be bad, because most programs that are usually SUID ROOT *must* be this way or they won't work right.

But, for example, GnuPlot on a recent copy of SuSE was found SUID though it shouldn't have been. Later, a person on BugTraq found this and created both a root exploit and patch for it. So, this is where you can be proactive and fix things.

For the other SUID programs that you don't need or don't recognize, change their permissions to 700 (chmod 700 *) or, better yet, change their permissions to 700 and move them to a temporary directory, to be deleted later once you are SURE you don't need the programs.

Once you have resolved all your SUID issues, rename this /etc/info/suid-results file to /etc/info/suid-results-checked and then fix the permissions:


                        mv /etc/info/suid-results /etc/info/suid-results-checked
                        chmod 600 /etc/info/suid-results-checked

We will use this file later as a template to check for changed SUID files in Section 9.
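An added example (not TrinityOS's script) that narrows the listing above to what the text actually warns about, set-id files that group or others can write to, and compares the current set-id list against a saved baseline like suid-results-checked. It runs on a constructed scratch tree; on a real box you would pass / as ROOT and run it as root.

```shell
# Added example (not TrinityOS code): SUID/SGID checks over a directory
# tree. ROOT is a parameter so the functions can be pointed at a scratch
# copy; the demo builds one with SUID files only (SGID needs group rights).

# setid_files ROOT -> paths of all SUID or SGID regular files under ROOT
setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# writable_setid_files ROOT -> the subset that group or others can write to,
#   i.e. binaries an unprivileged user could replace and then run as root
writable_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) \
              \( -perm -0020 -o -perm -0002 \) 2>/dev/null | sort
}

# new_setid_files ROOT BASELINE_FILE
#   Set-id files present now but absent from BASELINE_FILE (one path per
#   line, relative to ROOT, as you would keep in suid-results-checked).
new_setid_files() {
    root=$1; base=$2
    setid_files "$root" | sed "s|^$root/||" | while read -r p; do
        grep -qxF -- "$p" "$base" || printf '%s\n' "$p"
    done
}

# setid_demo_tree: constructed tree with a sane SUID binary, a group-
# writable SUID file, a world-writable SUID file and a plain file.
# Prints the tree's root.
setid_demo_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin" "$tmp/usr/local/bin"
    for f in bin/su bin/ping usr/local/bin/gnuplot usr/local/bin/plain; do
        printf '#!/bin/sh\n' > "$tmp/$f"
    done
    chmod 4755 "$tmp/bin/su"                    # normal: SUID, not writable
    chmod 4775 "$tmp/bin/ping"                  # SUID and group-writable
    chmod 4777 "$tmp/usr/local/bin/gnuplot"     # SUID and world-writable
    chmod 0755 "$tmp/usr/local/bin/plain"       # not set-id at all
    printf '%s\n' "$tmp"
}
```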

8.17 Looking for R-command files

Much like looking for SUID files above, it is also a good idea to look for R-command permission files.


        find / | grep -e ".rhosts" -e "hosts.equiv" > /etc/info/rcmd-results

Once you have reviewed this /etc/info/rcmd-results file for any entries that DON'T belong in there, rename it and fix its permissions:


                mv /etc/info/rcmd-results /etc/info/rcmd-results-checked
                chmod 600 /etc/info/rcmd-results-checked

8.18 Fix Xwindows permissions

* This was exploited recently in XFree86, but I still feel that the sticky bit on the /tmp/.X11-unix directory should be set:


                rm -rf /tmp/.X11-unix
                mkdir -p -m 1777 /tmp/.X11-unix
                chmod o+t /tmp/.X11-unix

