Securing Linux Distros Part 2
In the last post we covered mainly securing the boundary of the Ubuntu operating system. Now we will go over more of the internal permissions and lock down certain aspects of the Ubuntu OS that can be used to elevate privileges.
We will start by making sure the sudo command is installed; if you've had to use a Linux system you are probably used to this command. The sudo command runs a command that would otherwise lack sufficient privileges as root, therefore allowing normal users to run commands they don't usually have access to without switching to the root account.
Running this command will tell you if you've installed sudo:
dpkg-query -s sudo &>/dev/null && echo "sudo is installed"
If not you'll have to install it:
apt install sudo
Next we will make sure sudo is using a pty. With use_pty, sudo runs the command in a new pseudo-terminal, which prevents malicious programs from using sudo to fork background processes that would otherwise persist (with their elevated privileges) after the main process is terminated.
Run this command using grep to check the sudoers file (the trailing * also covers drop-in files under /etc/sudoers.d):
grep -rPi -- '^\h*Defaults\h+([^#\n\r]+,\h*)?use_pty\b' /etc/sudoers*
If for some reason the sudoers file is not using a pty then you'll have to use vim or, preferably, visudo (which checks the syntax before saving) to edit /etc/sudoers and add this line:
Defaults use_pty
grep is a pattern-based search tool on Linux; it is very powerful but, in my opinion, also hard to use. For a lot of the things you can use grep for, you can also just browse the files and find the information yourself.
Next we are going to set up some auditing controls by making sure sudo logging is enabled and set up in a known location.
An easy check is to view the /etc/sudoers file; if the setting exists, the line should look like this:
Defaults logfile="??"
If this is missing from your sudoers file then add it; you can change the path, but the path stated below is a decent location:
Defaults logfile="/var/log/sudo.log"
The location of this file can be changed depending on your needs. You can also use the chmod and chown commands to make sure only root can change or delete the file; examples are below (note that mode 744 still leaves the log readable by every user, so tighten it further if other users should not see sudo activity):
chmod 744 /var/log/sudo.log
chown -R root /var/log/sudo.log
Lastly, we will restrict the su command. su allows a user to switch to another user, which can give restricted accounts the chance to log into a more privileged account.
First we will check the /etc/pam.d/su file for a pam_wheel auth line like this (the full line is an auth entry, of which the page's key part is the module and its options):
auth required pam_wheel.so use_uid group=<groupname>
Most likely this will be missing, but we can easily add it along with the group whose members are allowed to use this privilege.
Create a group and add your users to this group, probably yourself!
sudo groupadd suusers
sudo adduser myadmin suusers
Then you'll want to edit the /etc/pam.d/su file with vim and add the updated line denoting the group you want to have those permissions:
auth required pam_wheel.so use_uid group=suusers
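To verify the three controls above (use_pty, sudo logfile, su restricted to a group) in one pass, here is an added audit script that is not part of the original post. Each function takes the file(s) to inspect as arguments, so it can be pointed at the real /etc/sudoers, /etc/sudoers.d/* and /etc/pam.d/su, or at the constructed sample files in the demo; the file names and the "suusers" group are assumptions taken from this post.

```shell
#!/usr/bin/env bash
# Audit helpers for the sudo/su hardening steps in this post (added example).

# 0 if any given sudoers file has a Defaults line that enables use_pty.
sudoers_has_use_pty() {
  grep -Eqs '^[[:space:]]*Defaults[[:space:]]+([^#]*,[[:space:]]*)?use_pty([^[:alnum:]_]|$)' "$@"
}

# Prints the path from the first "Defaults logfile=..." line; returns 1 if none.
sudoers_logfile() {
  local path
  path=$(sed -nE 's/^[[:space:]]*Defaults[[:space:]]+([^#]*,[[:space:]]*)?logfile[[:space:]]*=[[:space:]]*"?([^",[:space:]]+)"?.*/\2/p' "$@" 2>/dev/null | head -n 1)
  [ -n "$path" ] && printf '%s\n' "$path"
}

# Prints the group named on the pam_wheel auth line of a pam.d/su file;
# returns 1 when su is not restricted to a group.
su_allowed_group() {
  local grp
  grp=$(sed -nE 's/^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so.*[[:space:]]group=([^[:space:]]+).*/\1/p' "$1" 2>/dev/null | head -n 1)
  [ -n "$grp" ] && printf '%s\n' "$grp"
}

# Usage: audit_sudo_su <pam.d/su file> <sudoers file>...
# Prints one PASS/FAIL line per control; returns the number of failed controls.
audit_sudo_su() {
  local pam_su=$1 fails=0 val; shift
  if sudoers_has_use_pty "$@"; then echo "PASS use_pty"; else echo "FAIL use_pty"; fails=$((fails+1)); fi
  if val=$(sudoers_logfile "$@"); then echo "PASS logfile=$val"; else echo "FAIL logfile"; fails=$((fails+1)); fi
  if val=$(su_allowed_group "$pam_su"); then echo "PASS su group=$val"; else echo "FAIL su unrestricted"; fails=$((fails+1)); fi
  return "$fails"
}

# Demo on constructed sample files: a weak and a hardened sudoers, plus a
# pam.d/su restricted to the suusers group created in this post.
demo() {
  local d; d=$(mktemp -d)
  printf 'Defaults env_reset\n' > "$d/weak"
  printf 'Defaults env_reset, use_pty\nDefaults logfile="/var/log/sudo.log"\n' > "$d/hard"
  printf 'auth required pam_wheel.so use_uid group=suusers\n' > "$d/su"
  audit_sudo_su "$d/su" "$d/weak" || echo "weak: $? control(s) failed"
  audit_sudo_su "$d/su" "$d/hard" && echo "hard: all controls pass"
  rm -rf "$d"
}
demo
```

On a real system run it as root so the sudoers files are readable, e.g. `audit_sudo_su /etc/pam.d/su /etc/sudoers /etc/sudoers.d/*`.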
One of the amazing things when it comes to securing your Linux distro is all the great resources on the web! One of the best resources I use is the CIS Benchmarks site; as part of an SLTT (State, Local, Territorial, or Tribal) entity I constantly use this site as a resource to set baselines in deployments of all my OSes and services.
Along with using quality resources, I suggest the following as final words on the topic: keep a regular update schedule or use automatic updates, use supported Ubuntu versions, use a strong password policy, disable unnecessary programs, and perform regular audits.