Pick a Free OS

Securing Linux: Part 1

The "chattr" command goes a step further than "chmod", which only changes a file's permission bits (ownership is changed with "chown"). With "chattr", root can mark files and directories as "immutable" (nothing can modify, delete, rename or link to them) or "append-only" (data can be added but never truncated or overwritten). These attributes hold even for root until they are cleared again, so they protect system files from tampering or replacement by careless scripts and by intruders who cannot yet clear the attribute; the "lsattr" command shows which attributes are set. Bear in mind that an attacker who already has full root can simply remove the attribute, so this is a hurdle, not a lock.

bash# chattr +i /sbin/lets_rock <-- The immutable bit

bash# chattr +a /var/log/messages <-- The append only bit

Take the second flag, "+a", as an example. It sets the append-only bit on /var/log/messages: syslog can still add lines, but nobody can truncate, overwrite or delete the log, which is exactly what an intruder covering their tracks wants to do. One caveat: log rotation needs to rename or truncate the file, so the rotation job must clear the attribute first and set it again afterwards, or rotation will fail.
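Since the attributes can be cleared again, it is worth checking periodically that they are still in place. The following is an added example, not code from the original article: it parses "lsattr" output and reports every path that lacks a given attribute letter ("i" or "a"). The function names, the wrapper that calls lsattr, and the sample lsattr lines are this example's own, and the sample output is constructed so that the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original article): confirm that the attributes
# set with "chattr" are still present, by parsing "lsattr" output.
# The function and variable names are this example's own.

# has_flag FLAGS LETTER
# Succeeds if the lsattr flag field FLAGS (e.g. "----i--------e--") contains
# LETTER ("i" for immutable, "a" for append-only). The match is case
# sensitive, so "I" (indexed directory) does not count as "i".
has_flag() {
    case "$1" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# audit_attrs LETTER
# Reads lsattr output ("FLAGS PATH" per line) on stdin and prints every path
# whose flags lack LETTER. Returns 1 if any path was missing it, 0 otherwise.
audit_attrs() {
    want="$1"
    rc=0
    while read -r flags path; do
        # skip blank lines and lines that are not "flags path"
        [ -n "$flags" ] && [ -n "$path" ] || continue
        if ! has_flag "$flags" "$want"; then
            echo "MISSING +$want: $path"
            rc=1
        fi
    done
    return "$rc"
}

# audit_paths LETTER PATH...
# Real-system wrapper: runs lsattr on each path (as root) and audits it,
# e.g. audit_paths i /sbin/* /bin/* or audit_paths a /var/log/messages.
audit_paths() {
    want="$1"; shift
    lsattr -d "$@" 2>/dev/null | audit_attrs "$want"
}

# Offline demo on constructed lsattr output (not taken from a real system):
# /sbin/unprotected was never made immutable, and /var/log/messages carries
# "a" rather than "i", so both are reported when auditing for the "i" bit.
SAMPLE='----i--------e-- /sbin/lets_rock
-------------e-- /sbin/unprotected
-----a-------e-- /var/log/messages'

printf '%s\n' "$SAMPLE" | audit_attrs i || echo "some files are not immutable"
printf '%s\n' "$SAMPLE" | grep '/var/log/messages' | audit_attrs a \
    && echo "/var/log/messages is append-only"
```

On a real system run it as root from cron, auditing "i" over the directories you protected and "a" over the logs; a non-zero exit status means something lost its attribute, which is worth an alert in its own right.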

At this point it is worth getting hold of the PDF document available at www.linuxsecurity.com called "Quick Reference Card.pdf". It is an Adobe Acrobat (PDF) document and quite informative about the basic security measures a system administrator should take.

Password protecting your boot sequence

Most of us are familiar with LILO, the boot loader that ships with most Linux distributions. Until recently, most distributions were open to the following attack: anyone with physical access to your machine could reboot it and type 'linux single' at the LILO prompt to get a root shell without ever being asked for a password.

LILO: linux single <-- The LILO boot prompt

Red Hat 6.2 behaves this way; other distributions, such as SuSE, ask for the root password before handing over a shell in single-user mode. Even that is not a complete fix, because the same attacker can pass 'init=/bin/sh' instead, which makes the kernel run a shell in place of init and never reaches the password check at all.

You can remedy this by making LILO ask for a password whenever any command-line parameters are passed to it at boot time.

To make the changes, su to root, open /etc/lilo.conf in your favourite text editor and add the two marked lines to the image section.

image = /boot/vmlinuz-2.2.17

label = Linux

read-only

restricted <--

password = your-password <--

Append the last two lines to the image section of your /etc/lilo.conf (or put them in the global section at the top of the file so that they apply to every image), add a password of your choice and re-run lilo so that the boot sector and map file are rewritten. Because the password is stored in clear text in lilo.conf, make the file readable by root only (mode 600). Also remember that none of this helps if the machine can be booted from a floppy or CD-ROM: set a BIOS password and disable booting from removable media as well.

bash# lilo
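Once the password is in place, it is easy to forget an image added later, or to leave the file world-readable. The following is an added example, not code from the original article or from LILO itself: it audits a lilo.conf for image stanzas that have no password, honouring the global section (settings before the first image apply to every image unless the stanza overrides them), and checks the file mode. The function names and the sample configuration are this example's own, and the sample is constructed so that the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original article): audit a lilo.conf for boot
# images that will accept command-line parameters ("single", "init=/bin/sh")
# without a password, and check that the file, which stores that password in
# clear text, is readable by root alone. Function names are this example's own.

# lilo_unprotected FILE
# Prints the label of every image= / other= stanza that has no "password"
# line, either in the stanza itself or inherited from the global section
# (the lines before the first stanza). Returns 1 if any such stanza exists.
# "restricted" on its own does nothing: LILO only prompts when a password
# is configured, so a stanza with "restricted" but no password is reported.
lilo_unprotected() {
    awk '
        # report the stanza just finished if neither it nor the global
        # section carried a password
        function flush() {
            if (n && !(lpw || gpw)) { print label; bad = 1 }
        }
        {
            sub(/#.*/, "")                      # strip comments
            gsub(/^[ \t]+|[ \t]+$/, "")         # trim whitespace
            if ($0 == "") next
            key = $0; val = ""
            eq = index($0, "=")
            if (eq) {                           # split "key = value"
                key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
                gsub(/[ \t]+$/, "", key); gsub(/^[ \t]+/, "", val)
            }
        }
        key == "image" || key == "other" {      # a new stanza begins
            flush()
            n++; label = val; lpw = 0; in_stanza = 1
            next
        }
        key == "label" && in_stanza { label = val; next }
        key == "password" { if (in_stanza) lpw = 1; else gpw = 1 }
        END { flush(); exit bad }
    ' "$1"
}

# lilo_conf_private FILE
# Succeeds only if group and others have no permission bits on FILE
# (i.e. the mode is 600 or tighter), as a clear-text password file should be.
lilo_conf_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Offline demo on a constructed lilo.conf (not a real system's): the password
# sits inside the first stanza only, so the second image can still be booted
# with "old single" or "old init=/bin/sh" and no password.
sample=$(mktemp)
cat > "$sample" <<'EOF'
boot = /dev/hda
prompt
timeout = 50

image = /boot/vmlinuz-2.2.17
    label = Linux
    read-only
    restricted
    password = your-password   # protects this stanza only

image = /boot/vmlinuz-2.2.14
    label = old
    read-only
EOF
chmod 600 "$sample"

if lilo_unprotected "$sample"; then
    echo "every image requires a password for extra boot parameters"
else
    echo "the images listed above boot with any parameters and no password"
fi
lilo_conf_private "$sample" && echo "config is readable by root only"
rm -f "$sample"
```

Run it against /etc/lilo.conf after every change and before re-running lilo; moving "restricted" and "password" into the global section is the simplest way to make the first check pass for every image, including ones added later.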

There is a lot more but for now check out the following links.