Changing file permissions on macOS (and using flags)

Using file flags on macOS While performing system hardening on macOS, you may encounter a typical chmod error. Something like this: chmod: Unable to change file mode on /usr/bin/gcc: Operation not permitted Even with root permissions, you can’t change the permissions of some files. How is this possible? This is caused by flags. Showing file permissions and flags To see if a file has any flags set, use the ls command with the l (el) and O (capital o). ls -lO /usr/bin/gcc […]

Read more

File permissions of the /etc/shadow password file

Linux password files and permissions The password files are an important cornerstone of the security of your Linux system. Commonly they are /etc/passwd and /etc/shadow, and installed by default. Sometimes we receive questions what the right permissions of these files should be. Therefore this blog post to have a look at the file permissions (and ownership) of both files. Passwd file The password file stores local accounts of the system. It is a readable text file and uses colons (:) […]

Read more

Linux Capabilities: Hardening Linux binaries by removing setuid

Linux Capabilities Hardening Linux binaries by removing setuid Normally Unix based systems use two kind of processes: privileged and unprivileged. The first category is usually used for administrative purposes, like starting and stopping other processes, tuning the kernel and opening sockets. Root permissions The command ping is a great example why even small programs needs root permissions. In a first glance you might consider this tool to be simple: send a package to a host and see if it responds. The […]

Read more

PCI DSS (v3) Linux: Restrict log file viewing (A.1.2.d)

Restrict log file viewing A.1.2.d Verify that viewing of log entries is restricted to the owning entity. To limit exposure to information, PCI DSS requires access of logging to only the entity owning that log file. In other words, we have to search for those entries which can be seen by others. Search related log files By default, most log files on Linux based systems will be stored in /var/log. We can do a quick check for any files which […]

Read more

Conduct a Linux Server Security Audit

Conduct a Linux Server Security Audit Auditing a system can be a time consuming job, which is no different when conducting a Linux server security audit. Within this article we give some highlights regarding the audit and tips to automate them by using Lynis. The business goal Before auditing any system, determine the business goal of the system. How critical is this system for doing business? What if the system goes down? Usually each system has a clear role or […]

Read more