File System Configuration
Some file systems are static in nature and won’t change unless you’re performing an upgrade. To safeguard against unknown modifications to the files in these file systems, and the possible addition of Trojan horses, it makes sense to mount these file systems read-only (/usr and /opt are examples). You also want to ensure that setuid programs are not executed from a non-root file system. To do this, these file systems must be mounted with the nosuid option (/var and /home are examples). An example of a secure /etc/fstab can be found in Appendix C.
- ____ /usr/bin/vi /etc/fstab
- ____ Add ro option to /opt and /usr
- ____ Add nosuid to /stand, /var, /home
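To verify the result after editing, the following added example (not part of the original checklist) audits an fstab-format file for the ro and nosuid options listed above. The function names, the sample device names and the sample file system types are constructed for illustration; it assumes the mount point is field 2 and the options are field 4.

```shell
#!/bin/sh
# Required option per mount point, taken from the checklist above.
REQUIRED="/usr:ro /opt:ro /stand:nosuid /var:nosuid /home:nosuid"

# audit_fstab FILE: print one line per gap, return 1 if any gap was found.
audit_fstab() {
    file=$1
    rc=0
    for pair in $REQUIRED; do
        mp=${pair%%:*}
        opt=${pair##*:}
        # Skip comment lines; field 2 is the mount point, field 4 the options.
        opts=$(awk -v mp="$mp" '$1 !~ /^#/ && $2 == mp { print $4; exit }' "$file")
        if [ -z "$opts" ]; then
            # No entry for this mount point (or the entry has no options field).
            echo "ABSENT $mp"
            rc=1
            continue
        fi
        # Match whole comma-separated options only, so "ro" never matches "rodata".
        case ",$opts," in
            *",$opt,"*) ;;
            *) echo "MISSING $opt on $mp"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample input; device names and types are made up for the example.
sample_fstab() {
    cat <<'EOF'
# device          mount   type  options          backup pass
/dev/vg00/lvol3   /       vxfs  delaylog         0 1
/dev/vg00/lvol1   /stand  hfs   defaults         0 1
/dev/vg00/lvol6   /usr    vxfs  ro,delaylog      0 2
/dev/vg00/lvol5   /opt    vxfs  delaylog         0 2
/dev/vg00/lvol7   /var    vxfs  delaylog,nosuid  0 2
EOF
}

# Demo run against the constructed sample.
demo=$(mktemp) && sample_fstab > "$demo"
audit_fstab "$demo" || true
rm -f "$demo"
```

To check the live system, call audit_fstab /etc/fstab; a non-zero return means at least one checklist item is still open.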
/usr/local by default has been configured with world-writeable permissions on all directories. Change this to a safer 755.
- ____ find /usr/local -type d -exec chmod 755 {} \;
Remove group write permission from /etc/.
- ____ chmod -R g-w /etc