SUDO / SUDOERS / VISUDO
- In this exercise a Linux Debian server is used:
1 - Introduction
- sudo is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user, by default the superuser.
- It originally stood for "superuser do" as the older versions of sudo were designed to run commands only as the superuser.
- However, the later versions added support for running commands not only as the superuser but also as other (restricted) users, and thus it is also commonly expanded as "substitute user do".
- Unlike the similar command su, users must, by default, supply their own password for authentication, rather than the password of the target user.
- After authentication, and if the configuration file, which is typically located at /etc/sudoers, permits the user access, the system invokes the requested command.
- The configuration file sudoers offers detailed access permissions, including enabling commands only from the invoking terminal; requiring a password per user or group; requiring re-entry of a password every time or never requiring a password at all for a particular command line. It can also be configured to permit passing arguments or multiple commands.
https://en.wikipedia.org/wiki/sudo
- Installing sudo (in case it is not already installed by default):
- Properties of sudo:
- visudo is a command-line utility that allows editing the configuration file sudoers in a fail-safe manner.
- It prevents multiple simultaneous edits with locks and performs sanity and syntax checks.
- In my Debian system visudo opens nano editor by default, but it could be changed to another preferred editor:
2 - Editing "sudoers" for users
- Editing sudoers and adding a configuration line for the user roch:
- If sudo is not used roch cannot perform the apt-get update command:
- However, now with the new line added to the file sudoers, the command sudo allows roch to update the system:
- Adding another line for the user johndoe. For instance in this example johndoe will be allowed to reload the Apache server:
- Going to the johndoe user account:
- When trying to reload Apache without sudo it fails:
- Using sudo it works:
3 - Editing "sudoers" for groups
- Creating the group team:
- Adding the user johndoe to the group team:
- Checking that the group team has been correctly created:
- Editing sudoers, let's add a line for the group team, allowing its members to update the system without using any password (NOPASSWD option):
- Going back to jonhdoe (member of the group team):
- Not allowed updating without sudo:
- However updating is successful for johndoe with sudo:
4 - Editing "sudoers" for alias
- Editing sudoers and i) creating the group alias TEAMER , ii) adding johndoe:
- Adding the command alias ON_OFF for both reboot and shutdown commands:
- Assigning ON_OFF to TEAMER:
- Going back to johndoe:
- Now johndoe can reboot the system successfully:
5 - Checking sudo configurations for users
- The sudo command with options (-l = list, -U = users) allows to consult the list of allowed/forbidden command for each user:
- Let's see some examples, like users root and johndoe who are part of the sudoers file:
- If the user is not part of the sudoers file, like marie:
SETTING PASSWORD RESTRICTIONS WITH PAM (PLUGGABLE AUTHENTICATION MODULE)
- In this exercise a Linux Debian server is used:
1 - Introduction to PAM
- PAM (Pluggable Authentication Module) is a mechanism to integrate multiple low-level authentication schemes into a high-level application programming interface (API).
- PAM is built as an intermediary between authentication services and the applications that require user authentication
- It allows programs that rely on authentication to be written independently of the underlying authentication scheme.
- In the past previous distributions contained used and passwords at /etc/passwd and corresponding hashes at /etc/shadow. However this results on the security problem of the chance for hackers of obtaining those two files and achieving the credentials.
- Modern Unix-like systems such as the Debian system provide PAM mechanism to the administrator to configure his system.
- PAM offers a flexible authentication mechanism used by the application software that involves password data exchange.
- All the programs using PAM have their authentication configuration at the directory /etc/pam.d
2 - PAM Organization
- Linux's version of PAM divides module functionality into different categories depending on which part of the process they are involved in. Here is a brief explanation of the categories:
a) Authentication: The authentication modules validate the user's authentication credentials. This means it checks if the user can supply valid credentials.
b) Account: These modules are responsible for deciding if the account that is trying to sign in has access to the resources that it is requesting at this time. PAM allows you to specify controls that can deny or allow users based on predetermined criteria.
c) Session: These modules establish the environment that will be built up and torn down after user log in or log off. Session files can determine which commands need to be run to prepare the environment.
d) Password: These modules are responsible for updating various services' authentication details. If a password needs to be changed for a service, this module can assist in communicating with the service and modifying the correct values.
* from Carmen Balan
3 - common-auth
- Let's check the contents of the file common-auth:
- The first line refers to the the "pam_unix" module, which provides standard unix authentication configured through the "/etc/nsswitch.conf" file. Usually this just means checking the /etc/passwd and /etc/shadow files, as expected.
- The "nullok_secure" argument being passed to the unix module specifies that accounts with no password are ok as long as login information checks out with the /etc/securetty file.
- The control field, which has "[success=1 default=ignore]" allows for more fine-grained control. In this instance, if the module returns success, it skips the next "1" line. The default case, which handles every other return value of the module, results in the line being ignored and moving on.
- The second line has the control value of "requisite" meaning that if it fails, the entire configuration returns a failure immediately. It also calls on the "pam_deny" module, which returns a failure for every call. This means that this will always fail. The only exception is when this line is skipped, which happens when the first line returns successfully.
- The third line is required and calls the "pam_permit" module, which returns success every time. This simply resets the current "pass/fail" record at this point to ensure that there aren't some strange values from earlier.
4 - Checking if PAM is being used
- Let's check if PAM is being used for some services.
- login:
- apache (no result):
- sshd:
- password:
5 - Passwords restrictions with command "chage"
- Let's change the password for the user roch in a normal way (no restrictions so far):
- The command chage is useful for dealing with passwords restrictions:
- Checking the default settings for the user roch:
- Now let's enter some new some restrictions for the user roch using the command chage:
- Options for command chage are:
a) -m 7 = minimum number of days between password change
b) -M 60 = maximum number of days between password change
c) -W 3 = number of days of warning before password expires
- Going back to the user roch account:
- When trying to change the password from the roch user account there is a message telling that it is not possible to perform the change. The reason is that there is a restriction stating that at least 7 days must be waited until doing a password change:
- However, it is interesting to notice that root can change password and restrictions. For instance, root can remove restrictions going back to the default setting:
- Checking that the default setting is now active:
6 - Password restrictions with PAM
- PAM allows a more detailed approach to password restrictions.
- First of all, let's install some dependencies:
- Editing the file pwquality.conf, some password restrictions can be entered, for instance related with length, number and type of characters, etc ...
- Also, editing the file common-password a maximum number of 3 retries can be set:
- Going back to the user roch account:
- When trying to change a password that doesn't comply with the restrictions a message is displayed, stating that the change cannot be performed, up to a maximum of 3 trials:
- However, it is interesting to notice that root can perform any password change overruling the restrictions, though a warning message is displayed:
SECURE UPDATE OF PACKAGE SOURCES AND REPOSITORIES
- In this exercise a Linux Debian server is used:
1 - Package sources and repositories
- From the security perspective it is very important to keep all pakckages updated to its most recent versions in order to reduce vulnerabilities.
- The sources.list file included in the folder /etc/apt/ lists the sources from where Linux (Debian in this case) updated packages can be obtained.
- The format for the entries in the file sources.list is as follows:
a) archive type: the first word on each line, deb or deb-src, indicates the type of archive. Deb indicates that the archive contains binary packages (deb), the pre-compiled packages that we normally use. Deb-src indicates source packages, which are the original program sources plus the Debian control file (.dsc) and the diff.gz containing the changes needed for packaging the program.
b) repository URL: the next entry on the line is a URL to the repository where to download the packages from. A Debian repository is a set of Debian binary or source packages organized in a special directory tree and with various infrastructure files - checksums, indices, signatures, descriptions translations, ... - added. Client computers can connect to the repository to download and install the packages using an Apt-based package management tool. The main list of Debian repository mirrors is here:
https://www.debian.org/CD/http-ftp/#mirrors
c) distribution: the 'distribution' can be either the release code name / alias (jessie, stretch, buster, sid) or the release class (oldstable, stable, testing, unstable) respectively. If you mean to be tracking a release class then use the class name, if you want to track a Debian point release, use the code name. For example, if you have a system running Debian 9.1 "stretch" and don't want to upgrade when Debian buster releases, use 'stretch' instead of 'stable' for the distribution. If you always want to help test the testing release, use 'testing'. If you are tracking buster and want to stay with it from testing to end of life, use 'buster'.
d) Component: there are three types of components:
i) main: All free software that follows the DFSG (Debian Free Software Guidelines). These are the only packages considered part of the Debian distribution.
ii) contrib: Free software that follows DFSG but depends on non-free software.
iii) non-free: All kinds of non-free software that doesn't follow the DFSG.
- For further information:
https://wiki.debian.org/SourcesList
https://wiki.debian.org/DebianRepository
2 - Updating sources.list
- Now, let's add a trustful source just editing a line of /etc/apt/sources.list:
- It is important not to add packages from dubious or unreliable sources to the sources.list file because some malware could be included.
- As seen before, the sources included in the official website deb http://security.debian.org are completely safe, like the line included before.
- Finally, using apt-get and aptitude to update recent changes to the repository:
- apt-get and aptitude are quite similar command line interfaces. The main difference is that aptitude provides a terminal menu interface whereas apt-get does not. Also, aptitude actually performs the functions of not just apt-get, but also some of its companion tools, such as apt-cache and apt-mark.
