Improving the security of the EXT3 file system with chattr
This article describes how the attributes of the EXT3 file system can be used to protect a system.
1. What are EXT3 attributes?
Starting with the 1.1 series of Linux kernels, the EXT2 file system supports a set of additional flags, or attributes, on files and directories. In the 2.2 and 2.4 series kernels, the EXT3 file system supports setting and querying the following attributes:
A
Atime. Tells the system not to update the last-access time of this file.
S
Sync. As soon as an application writes to this file, the system writes the modified data to disk.
a
Append-only. The system only allows data to be appended to this file; no process may overwrite or truncate it. If a directory has this attribute, files may be created and modified in that directory, but no file may be deleted from it.
i
Immutable. The system does not allow any modification of this file: no writing, truncation, renaming, deletion, or creation of hard links. If a directory has this attribute, processes may still modify the files already in it (unless those files are themselves immutable), but no file may be created in or deleted from the directory.
d
No dump. The dump program skips this file when backing up the file system.
c
Compress. The system compresses this file transparently: data read from the file is decompressed before it is returned, and data written to the file is compressed before it reaches the disk.
s
Secure delete. When the file is deleted, the system overwrites the blocks it occupied with zeros.
u
Undelete. When an application requests that this file be deleted, the system keeps its data blocks so that the file can be recovered later.
However, although the file system accepts and stores the flag for each attribute, whether an attribute actually takes effect depends on the kernel version and on the applications involved. The following table shows which attribute flags each kernel version supports:
*  the flag takes effect
i  the flag is accepted but its value is ignored
-  the flag is not recognized at all

Attribute          1.0  1.2  2.0  2.2  2.4
A (atime)           -    -    *    *    *
S (sync)            *    *    *    *    *
a (append-only)     -    *    *    *    *
i (immutable)       -    *    *    *    *
d (no dump)         -    *    *    *    *
c (compress)        i    i    i    i    i
s (secure delete)   *    *    i    i    i
u (undelete)        i    i    i    i
Although early kernel versions supported secure deletion, the developers dropped its implementation from the 1.3 series onward: it offered at best a marginal gain in security, while giving users who did not understand the problems of file deletion a false sense of safety.
The A attribute can improve performance somewhat for files that are read often, since the inode no longer has to be rewritten on every access. The S attribute maximizes file integrity by forcing every write to reach the disk immediately.
This article focuses on the a and i attributes, because these two offer substantial benefits to the security and integrity of the file system. Some open-source BSD systems (such as FreeBSD and OpenBSD) support similar features in their UFS/FFS implementations, through file flags set with chflags(1).
2. Commands for setting and displaying EXT3 attributes
The standard ls command does not show the extended attributes of a file or directory. Two tools in the EXT3 file-system toolkit, chattr and lsattr, are designed to set and query file attributes. Because EXT3 is the standard Linux file system, almost every distribution ships the e2fsprogs package. If for some reason your system lacks these tools, you can download the source code from the following address and compile and install it: http://sourceforge.net/projects/e2fsprogs
The lsattr command supports only a few options:
-a
List all files in directories, including those whose names begin with a dot.
-d
List directories like other files, rather than listing their contents.
-R
Recursively list the attributes of directories and their contents.
-v
List the file's version (generation) number, which is used by the network file system NFS.
The chattr command can be used in the following three ways:
chattr +Si test.txt
Add the sync and immutable attributes to the file test.txt.
chattr -ai test.txt
Remove the append-only and immutable attributes.
chattr =aiA test.txt
Make test.txt have exactly the a, i and A attributes and no others.
Finally, both commands support the -R option, which operates recursively on a directory and its subdirectories.
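The audit script below is an added example and not part of the original article: it parses lsattr output lines in pure POSIX sh and reports whether each path carries the attribute it is expected to have (i on system files, a on logs), so the check can be exercised without root or an ext2/3 file system. The lsattr lines in sample_run are constructed for illustration; audit_path, which calls the real lsattr, is the only function that touches the system.

```shell
#!/bin/sh
# Audit lsattr(1) output against the attribute each path should carry.
# Pure POSIX sh, so the parsing can be exercised without root, chattr or an
# ext2/3 file system; only audit_path touches the real system.

# flags_of LINE: print the attribute letters set on an lsattr output line.
# lsattr prints a fixed-width flag field (a dash for every unset flag), a
# space, then the path, e.g. "----ia-------- /var/log/secure".
flags_of() {
    printf '%s\n' "${1%% *}" | sed 's/-//g'
}

# path_of LINE: print the path part of an lsattr output line (paths may
# contain spaces, so everything after the first space is kept).
path_of() {
    printf '%s\n' "${1#* }"
}

# has_flag LINE LETTER: succeed if LETTER is among the set flags.
has_flag() {
    case "$(flags_of "$1")" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# audit_line LETTER LINE: print "OK <path>" or "MISSING <letter> <path>";
# return 1 when the expected attribute is absent.
audit_line() {
    if has_flag "$2" "$1"; then
        printf 'OK      %s\n' "$(path_of "$2")"
        return 0
    fi
    printf 'MISSING %s %s\n' "$1" "$(path_of "$2")"
    return 1
}

# audit_path LETTER PATH: audit a real path. -d makes lsattr report a
# directory itself rather than listing its contents. Needs e2fsprogs.
audit_path() {
    audit_line "$1" "$(lsattr -d "$2")"
}

# sample_run: constructed lsattr lines (not real system output) checked
# against the article's policy; returns 1 if any expected flag is missing.
sample_run() {
    rc=0
    audit_line i '----i--------- /etc/passwd'       || rc=1
    audit_line a '-----a-------- /var/log/secure'   || rc=1
    audit_line i '-------------- /usr/sbin/sshd'    || rc=1
    return "$rc"
}

sample_run || echo 'audit found unprotected paths'
```

For a live check, feed audit_path a letter and a path (for example audit_path i /etc/passwd) or pipe lsattr -R output through audit_line one line at a time; the flag field grows with newer e2fsprogs versions, which is why the parser matches letters rather than fixed column positions.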
3. The difference between attributes and file permissions
Almost all system administrators understand UNIX-style file permissions and ownership as displayed by the ls command, for example:
[root@typhoid nixe0n]# ls -al test*
-rw-rw-r--    1 nixe0n   users           0 Nov 17 17:02 test.conf
-rw-rw-r--    1 nixe0n   users           0 Nov 17 17:02 test.log
-rw-rw-r--    1 nixe0n   users           0 Nov 16 19:41 test.txt
The ls output shows that these files belong to the user nixe0n, whose group is users. The user nixe0n and the members of the group users may modify the files, while all other users may only read them. Below is the output of the lsattr command:
[root@typhoid nixe0n]# lsattr -a test*
----i-------- test.conf
-----a------- test.log
------------- test.txt
This output shows that test.log may only be appended to, and that test.conf may not be modified at all. On UNIX systems, once a user is logged in as root, file-system permission checks cannot restrict the root user or processes running with root privileges. On such UNIX-like operating systems, an attacker who gains root through a remote or local attack can therefore do serious damage. The EXT2/EXT3 attributes can serve as a last line of defence that limits the damage an attacker can do and preserves the traces of the attack. The attribute checks are performed inside system calls such as sys_open() and sys_truncate(), and they do not depend on the user ID or other credentials: any attempt to modify a file carrying the immutable attribute fails, even when it is made by root.
There is a problem, however: a process with root privileges can simply remove the i attribute and then modify the file. This protection therefore only inconveniences an attacker who has already obtained root privileges; it does not fundamentally improve the security of the system.
Kernel versions before 2.1 had a securelevel feature that solved this problem, because at a sufficiently high securelevel the kernel did not allow the i attribute of any file to be changed. In these kernels it was controlled through the kernel.securelevel variable of sysctl. If this variable was set to 1 or higher at startup, the kernel would not allow the i and a attributes of any file to be modified unless the system was brought back to single-user mode.
With the introduction of the more flexible kernel capability mechanism, later kernels no longer support securelevel. Similar limits can be implemented with kernel capabilities. The tool lcap is used to query and adjust the kernel's capability bounding set. Adding the following commands to the startup scripts protects files carrying the i and a attributes:
lcap CAP_LINUX_IMMUTABLE
lcap CAP_SYS_RAWIO
The first command removes the ability of any user (including the superuser) to change the i and a attributes. The second removes the ability of any user (in practice, the superuser) to access block devices directly (raw access), which prevents a technically skilled attacker from clearing the immutable flag in the file system's inodes by writing to the device itself. Incidentally, CAP_SYS_RAWIO should be dropped as soon as the system boots, because this capability is a large potential threat: once a skilled attacker has obtained superuser privileges, it allows direct modification of kernel memory through the /dev/kmem device, which in turn can be used to defeat the system's capability bounding set. Run without parameters, lcap lists the capabilities the kernel supports and which of them are currently allowed.
Once a capability has been removed from the bounding set, it can only be restored by rebooting the system into single-user mode. Note that the global bounding set that lcap manipulates existed only up to kernel 2.6.24; since 2.6.25 the bounding set is a per-process attribute that is inherited by children and reduced with prctl(PR_CAPBSET_DROP), so on current kernels the same effect must be achieved by dropping the capability in init (PID 1) or in the service manager before any shell or service is started.
Interested readers can find more detailed information at the following link:
lcap - Linux Kernel Capabilities Bounding Set Editor
http://pw1.netcom.com/~spoon/lcap/
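The following check is an added example, not from the article or from lcap: it reads the CapBnd mask that Linux kernels since 2.6.25 report in /proc/PID/status and tests whether CAP_LINUX_IMMUTABLE (capability number 9) and CAP_SYS_RAWIO (number 17) have been dropped from a process's bounding set, which is how one verifies today what lcap used to enforce globally. The mask values used in the assertions are constructed; the capability numbers are those of <linux/capability.h>.

```shell
#!/bin/sh
# Verify that CAP_LINUX_IMMUTABLE and CAP_SYS_RAWIO are absent from a
# process's capability bounding set. On kernels since 2.6.25 the bounding
# set is per process and is printed as a hex mask on the CapBnd line of
# /proc/PID/status; a bit that is clear there can never be regained by that
# process or its children, which is what lcap achieved globally on 2.2/2.4.

CAP_LINUX_IMMUTABLE=9   # capability numbers from <linux/capability.h>
CAP_SYS_RAWIO=17

# cap_in_mask HEXMASK CAPNUM: succeed if bit CAPNUM is set in the mask, which
# is given exactly as /proc prints it, e.g. 000001ffffffffff.
cap_in_mask() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# capbnd_of_pid PID: print the CapBnd hex mask of a running process
# ("self" works for the current shell).
capbnd_of_pid() {
    awk '/^CapBnd:/ { print $2 }' "/proc/$1/status"
}

# immutable_locked HEXMASK: succeed only if neither capability is in the set,
# i.e. nothing running under this bounding set, root included, can clear
# +i/+a with chattr or write to block devices directly.
immutable_locked() {
    ! cap_in_mask "$1" "$CAP_LINUX_IMMUTABLE" && ! cap_in_mask "$1" "$CAP_SYS_RAWIO"
}

# report HEXMASK: human-readable verdict for interactive use.
report() {
    if immutable_locked "$1"; then
        echo "locked: CAP_LINUX_IMMUTABLE and CAP_SYS_RAWIO are outside the bounding set"
    else
        echo "NOT locked: root can still remove +i/+a or write to raw block devices"
    fi
}

# When run directly, judge the current shell's own bounding set.
if [ -r /proc/self/status ]; then
    report "$(capbnd_of_pid self)"
fi
```

Run it from the shell whose privileges you care about (for example a root login shell after boot): if it reports "NOT locked", the +i and +a protections described in this section can still be undone by anyone who reaches root in that context.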
4. What should we do with chattr?
A host directly exposed to the Internet or another hostile environment, with many shell accounts or network services such as HTTP and FTP, should generally run the following commands once installation and configuration are complete:
chattr -R +i /bin /boot /etc /lib /sbin
chattr -R +i /usr/bin /usr/include /usr/lib /usr/sbin
chattr +a /var/log/messages /var/log/secure (...)
If accounts are rarely added, changed or deleted, /home itself can also be set immutable. In many cases the entire /usr tree should be immutable as well; in fact, instead of running chattr -R +i /usr, you can mount /usr read-only with the ro option in /etc/fstab. Setting the system log files to append-only makes it impossible for an intruder to erase their tracks by truncating or rewriting the logs.
Of course, an administrator who adopts these security measures must also adjust their management procedures.
4.1. Installing and upgrading software
Because package management programs need to add and delete files and directories, the immutable and append-only attributes must be removed from the affected directories and files before software is installed or upgraded. Linux systems generally use the RPM package manager; the following command shows which files a package would install or upgrade:
rpm -qpil foopackage.rpm
Then adjust the immutable and append-only attributes of those directories and files. Most packages require rpm to write into one or more of the following directories:
/bin
/sbin
/usr/bin
/usr/sbin
/usr/man
/lib
/etc
Note that to upgrade /usr/sbin/someprogram, you must remove the immutable attribute both from the file someprogram and from the directory /usr/sbin.
4.2. Managing users and groups
To manage users and groups, the following directories and files must be writable:
/etc
/etc/.pwd.lock
/etc/passwd
/etc/passwd-
/etc/shadow
/etc/shadow-
/etc/group
/etc/group-
/etc/gshadow
/etc/gshadow-
passwd(1), chsh(1), chfn(1), vipw(8), vigr(8), useradd(8) and similar tools create a temporary copy in the /etc directory, modify that copy, then delete the original file and finally move the new copy into place. This is why the /etc directory itself, and not only the individual files, must be writable.
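The script below is an added example, not the article's own code, that ties sections 4, 4.1 and 4.2 together: it applies the baseline chattr policy, computes from a package file list (the output of rpm -qpl) exactly which files and ancestor directories must lose +i before an install, and unlocks the /etc account files for user management. It prints the chattr commands instead of running them unless APPLY=1 is set, so the plan can be reviewed first. The package file list in sample_package_files is constructed.

```shell
#!/bin/sh
# Lock system trees with chattr and unlock only what an install or an account
# change needs. Prints the chattr commands unless APPLY=1 is set, so the plan
# can be reviewed (and, as here, checked) before anything is changed.

APPLY="${APPLY:-0}"

# run CMD ARGS...: execute the command, or in dry-run mode just print it.
run() {
    if [ "$APPLY" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# lock_baseline: the policy from section 4, immutable system trees and
# append-only security logs.
lock_baseline() {
    run chattr -R +i /bin /boot /etc /lib /sbin
    run chattr -R +i /usr/bin /usr/include /usr/lib /usr/sbin
    run chattr +a /var/log/messages /var/log/secure
}

# parents_of: read absolute paths (one per line) on stdin; print each path
# and every ancestor directory except /, deduplicated. rpm must be able to
# create, replace and unlink entries in all of them, so +i has to be lifted
# from every one. Relative paths and / itself are skipped.
parents_of() {
    while IFS= read -r p; do
        case $p in /?*) ;; *) continue ;; esac
        printf '%s\n' "$p"
        while p="${p%/*}"; [ -n "$p" ]; do
            printf '%s\n' "$p"
        done
    done | sort -u
}

# unlock_for: read a file list (e.g. rpm -qpl output) on stdin and clear +i
# on those files and on the directories rpm will write into.
unlock_for() {
    parents_of | while IFS= read -r p; do
        run chattr -i "$p"
    done
}

# account_files: the /etc entries of section 4.2. They are replaced rather
# than edited in place (temporary copy, unlink, rename), so /etc itself must
# be writable too; parents_of adds it automatically.
account_files() {
    cat <<'EOF'
/etc/.pwd.lock
/etc/passwd
/etc/passwd-
/etc/shadow
/etc/shadow-
/etc/group
/etc/group-
/etc/gshadow
/etc/gshadow-
EOF
}

# sample_package_files: constructed rpm -qpl output for a stand-alone run.
sample_package_files() {
    cat <<'EOF'
/usr/sbin/someprogram
/usr/share/man/man8/someprogram.8.gz
/etc/someprogram.conf
EOF
}

# demo: the sequence an upgrade needs, unlock, install, relock (reapplying
# +i to an entry that already has it is harmless).
demo() {
    echo '# before: rpm -Uvh someprogram.rpm'
    sample_package_files | unlock_for
    echo '# after the install:'
    lock_baseline
}

demo
```

For a real upgrade, replace sample_package_files with rpm -qpl on the actual package, review the printed plan, then rerun with APPLY=1 as root; for account changes use account_files | unlock_for, make the change, and relock with lock_baseline.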
5. Directories on which the chattr command must not be used
Although attributes improve system security, they are not suitable for every directory. Misusing chattr can cause many problems and can even make the system unusable.
/
Obviously, the root directory cannot be given the immutable attribute. If it were, the system would not work at all.
/dev
At startup, syslogd needs to delete and re-create the /dev/log socket. If the immutable or append-only attribute is set on the /dev directory, this fails. syslogd can instead be started with the -p option to use a different socket, for example /var/run/syslog.sock, but this still causes problems: syslog clients expect the /dev/log socket, so a symbolic link from /dev/log to the real socket would have to be created. In short, to avoid trouble, this directory should not be given the immutable or append-only attribute.
/tmp
Many applications and system programs need to create temporary files in this directory, so it cannot be given the immutable or append-only attribute.
/var
This directory cannot be given the immutable attribute. Whether to use the append-only attribute depends on the situation. For example, setting append-only on the log files in /var/log prevents log rotation from truncating them; this does not cause serious problems in itself, but you must weigh the loss of log rotation against the protection gained before setting append-only on a log file. As another example, the sendmail program truncates or overwrites /var/log/sendmail.st, so the append-only attribute cannot be set on that file.
Summary
Although the attributes of the EXT3 file system have existed for a long time, little has been written about their use in system administration. Used with care, file-system attributes are very beneficial to system security.