Linux Security

The Linux operating system, in all its flavors, has its own share of security flaws that allow intrusions, but there are various mechanisms by which these flaws can be mitigated, generally divided into two areas: authentication and access control. Authentication ensures that a user requesting access to the system really is the owner of the account, while access control governs which resources each account may reach and what kind of access is permitted.


Hi,

I have a folder called

home/system/xyz

Now xyz has many subdirectories, like abc, def.
Now abc has directories like lms, pqr, etc.

xyz is currently owned by me. The problem is that others cannot see xyz and all its subdirectories, possibly because of issues with the server settings.
Now I want to give ownership of the xyz directory to an ADMIN user, say crm, with password say p@ssword, so that all the team mates who have ADMIN crm access can view and modify any directories and files within xyz, no matter how deep they are.
How do I give access for this?

Experts - I'd like to create a Linux/Unix read-only-root role for Auditors, InfoSec and Tech Ops, so they can examine a system without risk of breaking anything.
- Using sudo or Centrify, we can grant the privileges to run some commands as root, e.g. ls, cat, cksum and tail -f
- I don't want to allow root privileges for e.g. find, view or more/less, as they can be used to modify a system

Creating the role is easy; making it easy to use is harder.
- `sudo cat filename | less` would work fine: the `cat` is run as root, the `less` as the unprivileged user. I can create a little script utility called something like "Auditors_less" to remove the need to remember the syntax.
- `dzdo cat filename > ~/my_copy_of_filename` would work for the same reason, and give them a local copy to work with. Call it "Auditors_cp" or just "Acp".
(`dzdo` is the Centrify equivalent of sudo.)

Replacing the functionality of `find` is the part I can't figure out. The output of `find` gives the full path to a file. `find` also allows you to select on ownership, permissions etc., but that part could be replaced by
`dzdo ls -l | grep {pattern}`

So a scriptlet that takes a starting directory as input and produces output in the form
/path/to/file      : ls -l output of file
would be great, as grep can filter the output, e.g. for globally writeable files/directories.

I've found similar questions on formatting `ls -lR` output on stackoverflow.com, but no usable answers; general opinion seems to be…
1. CentOS server 6.9 in AD = OK

2. Only allow access for users of group_USER_AD, applying control via /etc/security/access.conf = OK
3. Blocked direct root access to the server: /etc/ssh/sshd_config (PermitRootLogin no) = OK

4. To use a local account, you need to use "su -"; you cannot log in to the server directly with a local account = OK

----------------

I have an application that runs with a local account. How can I grant the users access to use the WinSCP tool and write to the application's directories outside /home? Attempts without success:

1.) Add the network users' AD group to the application's local group.

2.) There are many network AD users. I cannot add them one by one to the local group.

How do I solve it?
Can I connect SuSE Linux to Red Hat Satellite and patch it?
Hi,
how do I transfer
site bookmarks to shared bookmarks in WinSCP?

Please advise
Hi,

How do I make WinSCP remember the password? Entering the password every time is a pain for me. Please advise
Hello,

I have a problem with interfaces on a multihomed topology. My interfaces cannot ping each other and cannot ping themselves either;
sysctl is as given below.

But it is able to ping the interface IP when I directly write ping 37.123.98.142. If both interfaces are not able to ping this interface's IP, how does it ping it, or from where?

I have to let them have access to each other; how should I do it?

Note: loopback interface activated
Note2: em interfaces are all down

[root@spd network-scripts]# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.p1p1.rp_filter = 2
net.ipv4.conf.p1p2.rp_filter = 2
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.lo.rp_filter = 2
net.ipv4.conf.p1p1.accept_local = 1
net.ipv4.conf.p1p2.accept_local = 1
net.ipv4.conf.all.accept_local = 1
net.ipv4.conf.default.accept_local = 1
net.ipv4.conf.lo.accept_local = 1
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.p1p2.arp_filter = 0
net.ipv4.conf.p1p1.arp_filter = 0
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.p1p1.arp_announce = 2
net.ipv4.conf.p1p2.arp_announce = 2

PING 37.123.98.142 (37.123.98.142) from 37.123.98.142 p1p1: 56(84) bytes of data.

^C
--- 37.123.98.142 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2055ms

[root@spd network-scripts]# ping -I p1p1 37.123.98.138
PING 37.123.98.138 (37.123.98.138) from 37.123.98.142 p1p1: 56(84) bytes of data.

^C
--- 37.123.98.138 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3064ms

[root@spd network-scripts]# ping -I p1p2 37.123.98.138
PING 37.123.98.138 (37.123.98.138) from 37.123.98.138 p1p2: 56(84) bytes of data.

^C
--- 37.123.98.138 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1038ms

[root@spd network-scripts]# ping -I p1p2 37.123.98.142
PING 37.123.98.142 (37.123.98.142) from 37.123.98.138 p1p2: 56(84) bytes of data.

^C
--- 37.123.98.142 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2060ms

[root@spd network-scripts]# ping 37.123.98.142
PING 37.123.98.142 (37.123.98.142) 56(84) bytes of data.
64 bytes from 37.123.98.142: icmp_seq=1 ttl=64 time=0.019 ms
64 bytes from 37.123.98.142: icmp_seq=2 ttl=64 time=0.022 ms
64 bytes from 37.123.98.142: icmp_seq=3 ttl=64 time=0.017 ms
64 bytes from 37.123.98.142: icmp_seq=4 ttl=64 time=0.015 ms

Hello,

Is there any possible way to drop bogus packets as seen below?

For these packets, the packet payload is smaller than the length of the packet.

Screen-Shot-2017-08-23-at-22.22.46.png
Hi,

I have a user called xyz; under that folder there is a folder called test, and under that there are folders called abc, def, hij, etc.

I want to search in all the above folders and subfolders for a particular keyword, say "nullpointerexception". How do I do that?
Please advise
Hi,

WinSCP: how to sudo as admin?
I am currently logged in as my user, say xyz, but I am not able to delete a particular folder/directory. I have to log in or sudo as an admin user, say rrr, to do that. How do I sudo to the rrr user in WinSCP? Please advise

Hi,

WinSCP: how do I compare two different Unix users, say xyz and abc, by opening xyz on the left-hand side and abc on the right-hand side? As of now, on the left-hand side I was able to open my Windows laptop folder structure, like the C drive etc., and on the right-hand side I am able to open one Unix user like abc or xyz. Please advise
Hi

On the Unix box there are various users like xyz, abc, etc.

Looks like the server is running out of disk space and I need to clean up.

How do I know how much space user xyz is occupying and how much user abc is occupying? Please advise
Hi,

In Unix, using vi, how do I copy and paste from one file, say abc.ccfg, to xyz.ccfg?

In Windows I simply select all in abc.ccfg, press Ctrl-C, then go to xyz.ccfg and press Ctrl-V.

That's all I have to do.

The vi editor is something I hate.

Not at all user friendly.

Even moving the cursor is a big thing there.

Any good shortcuts and tips, links on using vi?
Hi,

I have xyz.ccfg under my WebLogic server.

I logged in to the Unix WebLogic server box.
How do I search for the above file name 'xyz.ccfg' to find its exact location, like

abc/home/user1/......

I am not sure exactly where it is.


Please advise
Hi Experts

I am trying to install CentOS 6.8 minimal through kickstart on a virtual machine (VMware Workstation), assigning the kickstart file through HTTP from another VM. Kickstart goes through smoothly, creates partitions and all, but gets stuck on the repo section, unable to find the repo, with the following types of errors (errors attached).

Stuck with this error for a few days. Please help.

The /var/www/html location has the ks.cfg file and all the CentOS 6.8 minimal DVD content as is:

[root@srv1 html]# ls
CentOS_BuildTag  isolinux                  RPM-GPG-KEY-CentOS-6
EFI              ks.cfg                    RPM-GPG-KEY-CentOS-Debug-6
EULA             Packages                  RPM-GPG-KEY-CentOS-Security-6
GPL              RELEASE-NOTES-en-US.html  RPM-GPG-KEY-CentOS-Testing-6
images           repodata                  TRANS.TBL

The section of the kickstart file I am assigning is shown below:
# Kickstart file automatically generated by anaconda.

#version=DEVEL
install
url --url=http://10.0.0.11/
text
lang en_US.UTF-8
keyboard us
network --onboot yes --device eth0 --mtu=1496 --bootproto static --ip 10.91.48.17 --netmask 255.255.255.224 --gateway 10.91.48.1 --noipv6 --nameserver 8.8.8.8 --hostname nac17
network --onboot no --device eth1 --bootproto dhcp --noipv6 --hostname nac17
rootpw  --iscrypted 
# Reboot after installation
reboot --eject
firewall --disabled
authconfig --enableshadow --passalgo=sha512
selinux --enforcing
timezone --utc Asia/Kolkata
#bootloader 

How do I disable any 96-bit HMAC algorithms in CentOS?
Hi,

I am working on a Tenable Nessus audit file for IBM AIX.

What I am trying to achieve is two compliance checks on the /etc/hosts.equiv file:

1. To find all UIDs less than 100 and not equal to the default system user IDs (0,1,2,3,4,5)

2. To find all GIDs less than 100 and not equal to the default system group IDs (0,1,2,3,4,5)

<custom_item>
type: CMD_EXEC
description: "UID less than 100 and not system default UID"
cmd: ""
expect: ""
</custom_item>

<custom_item>
type: CMD_EXEC
description: "GID less than 100 and not system default GID"
cmd: ""
expect: ""
</custom_item>

I am really new to working with Tenable and also new to AIX.

I would really appreciate it if anyone could help me out with what I should put for the cmd and expect statements to make the compliance check work.

Thanks, really appreciate it!

Link: https://www.ibm.com/support/knowledgecenter/ssw_aix_71/com.ibm.aix.security/passwords_etc_passwd_file.htm
We need to have a standalone IPS solution put in. We currently run two pfSense firewalls in an HA setup. I was looking around on eBay and saw a TippingPoint 210E (two of them). Are they still good with updates to definitions? Any other less costly recommendations?
pfSense HA works a little oddly too, so I'm not sure if this will even work.
Firewall 1 WAN IP x.x.x.1
Firewall 2 WAN IP x.x.x.2
Firewall Shared WAN IP x.x.x.3

Same setup with internal LAN IPs. Each firewall has its own physical connection to the modem via Ethernet for the WAN side and LAN side.
Short question that requires a lengthy answer.... For security reasons, should we host our website on a Linux box or Windows? Ultimately it will have to share data with our MS SQL server. Also looking for a reasonably priced but excellent web developer.... (do those go hand-in-hand?)

Mich

Hello Folks,
I have a few users to create for CentOS, and I would like to set them up with restrictions such as "system tools, create shortcuts, folders... similar to a kiosk". Is there any way to do that, or is there a special profile that needs to be created?

Thanks for looking
I need to connect a virtual machine hosted somewhere running CentOS 6 to a client which allows connection through VPN only. However, I have almost no knowledge about VPNs. The client has given me the following info for the connection:

VPN Remote Endpoint: <IP Address given by the client>
VPN Hardware: NGX R75.45 (SPLAT)

IKE (Phase 1)
==================
Authentication Method: Pre shared key (TBA)
Diffie-Hellman group: DH-2
Encryption Algorithm: AES-128
Hashing Algorithm: SHA-1
Renegotiate IKE: 14400 seconds

IPSEC (phase 2)
======================
Encryption Algorithm: AES-128
Hashing Algorithm: SHA-1
Renegotiate IKE: 3600 seconds
PFS Enabled: Yes

I am not sure where to put all this info in CentOS to make it connect to the client's network.

I will be very thankful for any help.
Dear All,

We have created a chrooted jail environment for our SFTP access. Using the chrooted environment, we restrict users either to their home directory or to a specific directory. Now my question is whether there is any way we can allow an additional username to access the same home directory as another username? In other words, is there any way I can assign different usernames to the same home directory and have it chroot-jailed?

Below is our current config if that helps:

groupadd sftponly


vi /etc/ssh/sshd_config

#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Match Group sftponly
ChrootDirectory %h
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no

systemctl restart sshd.service

useradd USERNAME -g sftponly -s /bin/false
passwd  USERNAME


mkdir /home/USERNAME/SFTPWRITE
chown root /home/USERNAME
chmod 755 /home/USERNAME
chown USERNAME /home/USERNAME/SFTPWRITE
chmod 755 /home/USERNAME/SFTPWRITE

setsebool -P ssh_chroot_rw_homedirs on
On RH 6 systems running rsyslog 5.8.10 we noticed that if we set up a
client system to use TCP to log to a remote server:
*.*       @@192.168.1.2

then if the remote log server is not reachable for some reason no logging takes place, not even local logging to the local system log files.
When the log server is available and rsyslog is restarted, both local logging and remote logging work. I would like to come up with a config that would ensure that local logging still occurs when the TCP remote server is down. I think I need to look at action queues, but was hoping someone could provide an example of how to get this to work.
I have a NAS disk mounted as an NFS mount point in Linux. How do I create a dd image of this? The mount point is like this:
tor01-nas.llg:/export/shared/ps_oem   nfs     2G  9.9K  2G    1% /oem1
Having a hard time trying to add a machine running Arch Linux to the domain. Somehow I managed to sort of make the machine join the domain, but when it comes to the authentication part the computer won't recognize the credentials. Has anyone had luck doing this? If so, can someone please help with the proper commands to make this work? I've been dealing with this issue for a week now and I'm getting really frustrated. Bottom line, if there's an easier way to make this machine join the domain and authenticate properly, that would be fantastic.

Many thanks in advance to anyone with the answer out there!
