simple unix security improvements

  • always work under the account of the user with the least privileges necessary to accomplish the task

    • if user dave can do it, don’t do it as root.

  • keep the filesystem clean

    • this makes troubleshooting, debugging, and cleanup much, much, much easier after a (possible) break-in.

    • this speeds normal maintenance

      • ls doesn’t scroll off the screen after filling it with tons of useless garbage.

      • tab-completion works

      • files are easier to find in a sparse display on a small console

    • preserves disk space for files that are really needed

    • improves system performance

    • makes upgrades and system/application patches much simpler

    • improves security

      • harder for crackers to hide files

      • easier to identify suspicious files

      • easier to track changes to the system

    • remove extraneous files

      • system accounts should not contain most "skel" files in their home

        • remove .ssh (except for root)

        • remove all X-related files

        • remove bogus login and rc dot files: .emacs, .config, .w3m, .kbd, etc.

  • remove files created during this session for the task at hand

    • 6 months down the road someone will be wondering what they are

  • put files where they belong

    • applications belong in …/bin

    • temporary files belong in …/tmp

      • but beware of security implications!

      • remove temporary work files when through with the task!

    • especially on systems with multiple partitions!

      • might leave insufficient room for data, log, or other app/system files

  • check (and double-check) file permissions and ownerships

    • always do "ls -l" on any files or directories after:

      • chmod

      • chown

      • tar -x

      • cp

      • mv

      • especially if done as root

  • take a minute after the task is complete to do a few quick health/security checks:

    • who

      • there shouldn’t be anyone logged into production machines, and especially no sessions of long duration.

    • ps fax

      • look for unknown or unusual processes

    • last | head

      • who has been logging into the host?

    • uptime

      • look especially at the load average

    • df -h

      • check for disks that are nearly full

      • ensure there are no silly mounts like the cdrom, a usb device, or an extraneous nfs filesystem.

    • netstat -punat | egrep -v 'EST|WAIT'

      • note any unusual (or unneeded) process names

      • look for weird ports that are listening for connections on external interfaces
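The last check above, "weird ports listening on external interfaces", as an added example that is not part of the original notes: a small sh script that filters netstat -punat output down to listening sockets not bound to loopback and compares them with a known-good baseline. The netstat sample and the baseline are constructed, and the Linux netstat column layout (Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name) is assumed.

```shell
#!/bin/sh
# Constructed "netstat -punat" output for the example (not from a real host).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      812/master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      690/sshd
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED 1402/sshd: dave
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      2221/httpd
tcp        0      0 10.0.0.5:80             10.0.0.20:4431          TIME_WAIT   -
tcp6       0      0 :::80                   :::*                    LISTEN      990/httpd
tcp6       0      0 ::1:631                 :::*                    LISTEN      540/cupsd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           610/dhclient'

# Read netstat output on stdin, print "proto local_address program" for every
# socket that is listening on a non-loopback address. The PID is stripped so
# the line is stable across reboots. UDP rows have no State column, so a bound
# UDP socket (program name in field 6) is reported as well.
external_listeners() {
    awk '
        NR == 1 { next }                          # column header
        $4 ~ /^(127\.|::1:)/ { next }             # bound to loopback only
        $1 ~ /^tcp/ && $6 != "LISTEN" { next }    # ESTABLISHED, *_WAIT, ...
        {
            prog = ($1 ~ /^udp/) ? $6 : $7
            sub(/^[0-9]+\//, "", prog)            # "690/sshd" -> "sshd"
            print $1, $4, prog
        }
    '
}

# Constructed known-good list for this host; anything not in it is reported.
BASELINE='tcp 0.0.0.0:22 sshd
tcp6 :::80 httpd
udp 0.0.0.0:68 dhclient'

# Print the external listeners (stdin) that are missing from the baseline ($1).
unexpected_listeners() {
    external_listeners | while read -r line; do
        printf '%s\n' "$1" | grep -qxF -e "$line" || printf '%s\n' "$line"
    done
}

# On a live host this would be: netstat -punat | unexpected_listeners "$BASELINE"
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "$BASELINE"
```

With the sample above only the httpd instance on port 31337 is printed; the sshd, httpd on 80 and dhclient sockets are in the baseline, and the loopback-only services are never listed.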