Solved

Access Required to Read Linux Security Settings and User Permissions

Posted on 2016-09-14
Last Modified: 2016-09-20
I want to create a service account that can connect to a Linux operating system and read the following:

- Users' permissions (Read, Write, etc.) to certain directories - not just for the service account but for ALL users;

- Log on settings like Password Length, Password Complexity, and Maximum Logon Failures.

It is really important for this service account to have as little access to change, delete, or create data as possible. Ideally, it would be Read access.

What are the minimum access permissions the service account will need to be able to do this?

I am obviously not a Linux expert. If the service account needs to be an Admin to do this, is there some way to restrict the access of an Admin account to disable its ability to change, delete, and create data on the Linux operating system?
Question by:humbleamateur

LVL 23

Expert Comment

by:David
ID: 41799456
You are asking for information that is restricted to the root Superuser. Secondly, you're asking for information that is extremely susceptible to abuse from a hacker. To the best of my knowledge, then, the answer to your question is no. Search access is restricted to root as the authorized privileged user.
 
LVL 34

Assisted Solution

by:Duncan Roe
Duncan Roe earned 62 total points
ID: 41799466
You might be able to avoid the need to be root (the Admin account) with some cooperation from the users.
All user accounts normally belong to the users group, group id 100. Generally, users' directories have group read & execute permissions, so any normal user can read any other user's directories. This does depend on site policy as possibly overridden by individual users: they can set the (default) permissions as they please.
This does not help you with system directories. If the system of interest (client system) uses the distribution default umask 022 (octal 22: i.e. deny write access to all but user) this will not matter because most system directories will be world-readable. Some sensitive ones are not: you will have to be root.
For passwords, IN BRIEF: you have to be root. The file /etc/passwd is and has to be world readable, but it doesn't contain passwords any more (ancient installations like mine excepted). Passwords are stored in /etc/shadow which is strictly root access only. You cannot tell what is the password complexity except by trying to crack it (and there are products that will do just that for you: some of them are very good (or were, 20 years ago)).
I have not come across Maximum Logon Failures, but I don't run SELinux (are your client systems running it?)
> is there some way to restrict the access of an Admin account to disable its ability to change, delete, and create data on the Linux operating system
Test it very thoroughly before installation.
 
LVL 28

Assisted Solution

by:Jan Springer
Jan Springer earned 62 total points
ID: 41799706
You would be best served to create an account and configure sudo for that account with permissions to run certain commands on certain directories requiring no password and optionally (if this is a script) no tty.
 
LVL 23

Expert Comment

by:David
ID: 41799739
I read the question as though it were generic. The asker wants a method to come into a system virtually undetected.
 
LVL 28

Expert Comment

by:Jan Springer
ID: 41799762
It seems more like an audit point but I agree. This is normally a check that's run by root. And the password complexity cannot necessarily be determined by looking at the crypt password.
 
LVL 34

Expert Comment

by:Duncan Roe
ID: 41799779
I meant to point out: the passwords in /etc/shadow are more strongly encrypted than /etc/passwd used to be. That's why you can't tell how long or simple the original password was except if it cracks easily.

Author Comment

by:humbleamateur
ID: 41800431
Yes, this was a thought on automating some auditing of servers.
 
LVL 23

Assisted Solution

by:David
David earned 62 total points
ID: 41800480
A useful idea. Consider, however, connecting to each server as root to run the validation on the directories as a report file rather than some interactive process. For the passwords, on the other hand, perhaps your best approach is to set up the system security with the constraints you need, and show your constraints as proof of compliance.
 
LVL 23

Expert Comment

by:David
ID: 41800490
If you have time, do a web search on the Defense Information Systems Agency, or DISA. Read up on their STIGS.
 
LVL 20

Assisted Solution

by:Daniel McAllister
Daniel McAllister earned 62 total points
ID: 41800593
OK, a few things need to be answered -- without regard to the INTENT of the author:
 - To read the PERMISSIONS of a file, you ONLY need access to the METADATA -- which is stored in the inode, and is accessed through the DIRECTORY (Folder).
   -- To read the NAMES in a folder (directory), you must have READ permission on it
   -- To OPEN the inode and read the METADATA about a file, you must have EXECUTE permission on the folder
   -- The Linux program you would want to use to access this data is stat
 - To access EVERYONE (no exceptions), you will have to use the program (both the "search" and the "stat") with root-level access. This is indeed dangerous, but can be managed with the sudo command.
 - Password information (like length, complexity, etc) is UNAVAILABLE on most Unix/Linux type systems. That is because they use a "seeded hash" to store the password.
   -- that means that the password is created by running what the user enters into a hash algorithm with a random seed. Only the output of the hash and the seed are stored (typically in /etc/shadow).
   -- To verify a user, the password they enter (to be authenticated) is hashed with the saved seed, then compared to the stored hash output. Since ALL passwords (1 character to 255 characters) generate a hash result of the same length, there is NOTHING you can tell from the stored hash to reveal information about the original password.
   -- In simpler terms -- "you can't do that"


The rest of the question appears to already be addressed in my answer above. To summarize:
 - Only root can access ABSOLUTELY EVERY FILE -- so your process will have to get root permissions SOMEHOW, and to me, the best way would be through the restricted access of LS, perhaps CD, and STAT. (Restricted via SUDO).
 - STAT is the best candidate for seeing file permissions and access times
 - You CANNOT evaluate password data for users on a standard Unix/Linux system.

I hope this helps

Dan
IT4SOHO
 
LVL 20

Accepted Solution

by:tfewster
tfewster earned 252 total points
ID: 41800719
> Password information (like length, complexity, etc) is UNAVAILABLE on most Unix/Linux type systems.
That's true if you're looking at a particular password hash in /etc/shadow; But your MINIMUM requirements for length, complexity etc. are defined in config files, and that's what an auditor would want to see, that the system enforces a minimum that meets the company policy.

Basic Linux security uses /etc/login.defs, but that's mainly superseded by pam; Config files for pam will be under /etc/pam.d. The exact pam filenames and the syntax vary by Linux distro and version.
e.g.
grep minlen /etc/pam.d/*
password requisite pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
(It may not be pam_cracklib - that's from the RHEL 6 benchmark - but it gives you an idea of what to look for)

I highly recommend the (free) CIS security benchmarks that explain the security measures and how to test for (and fix) them for various Linux versions
https://benchmarks.cisecurity.org/downloads/browse/index.cfm?category=benchmarks.os.linux

Another possible workaround for the permissions issue is for root to run a script to collect this info regularly and send it to you
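The two audit checks discussed in Daniel McAllister's and tfewster's answers (directory permissions read with stat, and the enforced password policy read from login.defs and pam.d), as an added example that is not code from any of the posters. It goes slightly beyond tfewster's grep by reading any pam option (minlen=, deny= for logon failures), and it runs against a constructed sample tree; the sudoers line in the comment, the account name auditsvc and the script path are placeholders. GNU stat is assumed.

```shell
#!/bin/sh
# Read-only audit helpers: directory permissions via stat (Daniel's point) and
# the enforced password policy via login.defs / pam.d (tfewster's point).
# Every path is a parameter, so the same functions can be pointed at a real host
# or, as at the bottom, at a constructed sample tree. GNU stat assumed.

# Print "mode owner group path" for each directory. stat only needs search
# (execute) permission on the parent; it never opens the directory's contents.
dir_perms() {
    for d in "$@"; do stat -c '%A %U %G %n' "$d"; done
}

# Value of a login.defs key such as PASS_MIN_LEN; "unset" if absent or only
# present in a commented-out line (last uncommented occurrence wins here).
login_def() {  # $1 = key  $2 = path to login.defs
    awk -v k="$1" '$1 == k { v = $2 } END { print (v == "" ? "unset" : v) }' "$2"
}

# Every uncommented "key=value" for a pam option (minlen=, deny=, ...) across
# a pam.d directory, printed as "file key=value"; commented lines are skipped.
pam_setting() {  # $1 = key  $2 = pam.d directory
    grep -H "$1=" "$2"/* 2>/dev/null | grep -v '^[^:]*:[[:space:]]*#' \
        | sed -n "s/^\([^:]*\):.*$1=\([^[:space:]]*\).*/\1 $1=\2/p"
}

# Constructed sample standing in for a target host (not real data).
make_sample() {  # $1 = base dir
    mkdir -p "$1/pam.d" "$1/data/finance"
    chmod 750 "$1/data/finance"
    printf 'PASS_MAX_DAYS\t90\n#PASS_MIN_LEN\t5\nPASS_MIN_LEN\t8\n' > "$1/login.defs"
    printf '#password requisite pam_cracklib.so minlen=6\n' > "$1/pam.d/system-auth"
    printf 'password requisite pam_cracklib.so retry=3 minlen=14 dcredit=-1\n' \
        >> "$1/pam.d/system-auth"
    printf 'auth required pam_tally2.so deny=5 unlock_time=900\n' > "$1/pam.d/login"
}

# Whole report, the form root (or a sudo rule limited to this one script, e.g.
# "auditsvc ALL=(root) NOPASSWD: /usr/local/sbin/audit.sh") would produce.
report() {  # $1 = base dir  $2... = directories to check
    base=$1; shift
    echo "== directory permissions =="; dir_perms "$@"
    echo "== password policy =="
    echo "PASS_MIN_LEN=$(login_def PASS_MIN_LEN "$base/login.defs")"
    pam_setting minlen "$base/pam.d"
    pam_setting deny "$base/pam.d"
}

SAMPLE=$(mktemp -d)
make_sample "$SAMPLE"
report "$SAMPLE" "$SAMPLE/data/finance"
```

On a real host the base dir would be /etc and the report would be written to a file for the service account to collect, as tfewster suggests.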
 
LVL 20

Expert Comment

by:Daniel McAllister
ID: 41805331
While it is true that you can set restrictions on the "general populace", another tenet of Unix (and Linux) is that root can do almost anything -- including overriding the password limits.

But I do agree that for audit requirements, you can use the system settings to demonstrate that password restrictions / complexity enforcement are in place. Still, for someone who has done security audits on Linux systems for many MANY years, I can't tell you how many times I've audited systems that had perfectly good, secure settings for users, but the root password was incredibly simple (and well known to many users).

Nevertheless, the author never stated a purpose for his inquiry, and I made no assumptions. Perhaps I read into the question that he wanted to see CURRENT PASSWORD complexity, length, and other characteristics... if so, my bad.

FWIW: The idea of keeping passwords in such a way as even admins cannot see the passwords is a GOOD one -- if you don't believe me, ask the admins over at Dropbox -- where they just lost some 68+ million passwords to a hack... but they're all hashed! And compare their level of worry with those of LinkedIn -- who is trying to manage the loss of 100+ million actual passwords (stored in clear text!).

Dan
IT4SOHO
 

Author Closing Comment

by:humbleamateur
ID: 41807055
It was hard to figure out how to distribute points.  I appreciate everyone's assistance.  Thanks!