Presentation on theme: "Va-scanCopyright 2002, Marchany Unit 6 – Solaris File Security Randy Marchany VA Tech Computing Center."— Presentation transcript:
va-scanCopyright 2002, Marchany Unit 6 – Solaris File Security Randy Marchany VA Tech Computing Center
Regular Expressions - grep
The grep command searches its target for a specific string. It is a very powerful tool. Regular expressions are used in combination with grep and other commands to do pattern matching.
* - allows selection of 0 or more characters
– Example: *.doc selects anything that ends with .doc
Regular Expressions
? – allows selection of any single character.
– ?J will select any occurrence of the letter J.
. – following any character will match that character.
– X. will match the X followed by any character.
^ - matches the characters that follow it if they are at the beginning of a line.
– ^J selects any line that begins with a J
$ - matches the characters that follow it if they are at the end of the line.
– J$ selects any line that ends with a J
Grep Options
-b – prints the block number where the pattern was found
-c – prints the count of lines matching the pattern
-i – matches upper or lower case
-l – prints only the filename of those matching the pattern
-n – prints the line number where the pattern was found
Grep Options
-v – suppresses lines that match the pattern. In other words, search for everything BUT the pattern
-w – search for the pattern as if it were a word
ls Command Options
The ls command lists the contents of a directory. There are several options that are very useful when examining possible security issues.
-l – list the long format, access permission, owner, group, date modified, etc.
-a – list all hidden files
-t – sort by time stamp, latest first
-i – list by inode
chmod Command
The chmod command modifies the permissions of a file or directory. I use the numeric method of denoting the permission.
7 = rwx; if a directory, the X bit set allows searching in the directory
777 = rwx rwx rwx (owner, group, other)
1000 – sticky bit
2000 – SGID bit
4000 – SUID bit
Sticky Bit
Purpose is to prevent files in a directory from being removed, renamed or deleted. One of the following conditions must be met before a user can delete the file:
– The user must own the file
– The user must own the directory
– The file must be writable by the user
– The user is root
umask Command
The umask command sets the default permissions for new files. Umask values are usually set in /etc/profile. Umask values are a little strange. They are the 1’s complement of the permission you want. Subtract the umask value from the default permissions to see what your target value is.
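The umask arithmetic described above, as an added example that is not part of the original slides: the mask's bits are cleared from the default mode (666 for new files, 777 for new directories), which equals subtraction only when no mask digit has a bit the default lacks. The function names and sample umask values are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: predict the mode a umask leaves, then confirm it on disk.
# Function names and sample masks are assumptions made for this illustration.

# mode_after_umask BASE MASK: clear MASK's bits from BASE (666 files, 777 dirs).
mode_after_umask() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# perm_to_octal STRING: convert the nine rwx characters of an "ls -l" line
# (e.g. -rw-r--r--) to octal. SUID/SGID/sticky letters are not decoded.
perm_to_octal() {
    p=$(printf '%s' "$1" | cut -c2-10)
    n=0
    for i in 1 2 3 4 5 6 7 8 9; do
        c=$(printf '%s' "$p" | cut -c"$i")
        n=$(( n * 2 ))
        case $c in -) ;; *) n=$(( n + 1 )) ;; esac
    done
    printf '%03o\n' "$n"
}

# observed_mode MASK KIND: create a file (KIND=f) or directory (KIND=d) under
# MASK in a scratch directory and report its mode. The body is a subshell, so
# the caller's own umask is left unchanged.
observed_mode() (
    d=$(mktemp -d) || exit 1
    umask "$1"
    if [ "$2" = d ]; then mkdir "$d/new"; else : > "$d/new"; fi
    perm_to_octal "$(ls -ld "$d/new")"
    rm -rf "$d"
)

# Constructed sample masks. 033 is the case where subtraction on paper
# (666 - 033 = 633) disagrees with the real result (644).
for m in 022 027 077 033; do
    echo "umask $m: file $(mode_after_umask 666 "$m")" \
         "(on disk $(observed_mode "$m" f))," \
         "dir $(mode_after_umask 777 "$m")" \
         "(on disk $(observed_mode "$m" d))"
done
```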
Access Control Lists
Solaris allows more granular access control on files and directories. This is an Access Control List (ACL).
Example: you can specify a certain group ownership for a file but you can allow multiple groups to have lesser permissions on the same file. This is not possible under the standard group permissions. ACLs make it possible.
ACL
To display the File System ACLs:
– getfacl -ad file
-a – display the filename, owner, group owner and the ACL of the file
-d – display the filename, owner, group owner and default ACL if it exists.
– You can assign multiple users different permissions on the file.
ACL
Getfacl output
– ACLs are displayed in the order in which they are evaluated when an access check is done.
– User entry – user::perm means the permissions are granted to the owner only. user:randy:perm would mean user ‘randy’ has the following permissions.
– Group entry - similar to user but it applies to groups.
ACL
Getfacl output
– Mask entry indicates the max permissions allowed to any user except the owner of the file and to any group owner including the file group owner. This mask restricts the permissions you can give out.
– Example: if the mask is set to RW and you try to specify RWX for a user, the mask will allow you to set it to RW only.
setfacl
Setfacl sets the permissions for ACL.
Syntax:
– setfacl acl_entries file
Setfacl will do one of the following:
– Replace the entire ACL including the default ACL for a directory
– Add, modify or delete one or more ACL entries including default entries