Question
III. File Permissions, Security, and Logs
In this section, you will investigate three trouble tickets that you have received regarding some issues that have arisen related to the UNIX accounts of three employees.
A. Issues with UNIX Accounts: For each issue listed, find the problem (document this by taking a screenshot of the incorrect configuration and a screenshot of the error message within the corresponding log file) and document the corrective actions to resolve each problem.
Employee 1 (Bob): Contacted by the Information Assurance (IA) Department and informed that his account is in violation of company policy and that his password is visible in plain-text. His account was locked.
Incorrect configuration (screenshot): PLEASE PROVIDE SCREENSHOT
Corrective actions (typed response)?
Employee 2 (Frank): Unable to log into his UNIX account. He receives the error message “su: failed to execute /dev/null: Permission denied.”
Incorrect configuration (screenshot):
Error message in log (screenshot):
Corrective actions (typed response)?
Employee 3 (Henry): Reports that he receives the following error message when he logs into his UNIX account: “warning: cannot change directory to /home/henry: Permission denied” followed by the error “-bash: /home/henry/.bash_profile: Permission denied”. Oddly, his command prompt is different from what he usually sees as well.
What is wrong (typed response)?
Corrective actions (typed response)?
Correct Permissions: You received a trouble ticket indicating that the SLASH/data directory is no longer readable. Correct the permissions to user read/write/execute, group read/write, and world read. Perform an ls -la of the SLASH/data directory and take a screenshot of the output. Paste the screenshot here:
Reading Log Files: You must check the last few lines of output of a few important log files. Tail the last 5 lines of the messages log file and the last 5 lines of the secure log file. Screenshot the output from both tail commands. Paste the screenshot here:
Work Verification: Take a screenshot (or multiple screenshots if needed) that captures the output of the pwd and history commands. Paste these screenshots here:
PLEASE PROVIDE SCREENSHOTS SO I CAN SEE AND UNDERSTAND THE WORK. THANK YOU
Explanation / Answer
If you want to have read, write and execute permissions, then we need to execute the following command at the $ prompt (replace filename with the name of the file we want to set permissions on):
$ chmod 777 filename
The standard log files that are usually defined in syslog.conf are:
Many versions of Unix provide a general-purpose logging facility called syslog.
Individual programs that need to have information logged, send the information to syslog.
Unix syslog is a host-configurable, uniform system logging facility. The system uses a centralized system logging process that runs the program /etc/syslogd or /etc/syslog.
The operation of the system logger is quite straightforward. Programs send their log entries to syslogd, which consults the configuration file /etc/syslogd.conf or /etc/syslog and, when a match is found, writes the log message to the desired log file.
There are four basic syslog terms that you should understand:
1. Facility: The identifier used to describe the application or process that submitted the log message. For example, mail, kernel, and ftp.
2. Priority: An indicator of the importance of the message. Levels are defined within syslog as guidelines, from debugging information to critical events.
3. Selector: A combination of one or more facilities and levels. When an incoming event matches a selector, an action is performed.
4. Action: What happens to an incoming message that matches a selector. Actions can write the message to a log file, echo the message to a console or other device, write the message to a logged-in user, or send the message along to another syslog server.
Syslog Facilities
Here are the available facilities for the selector. Not all facilities are present on all versions of Unix.
1. auth: Activity related to requesting name and password (getty, su, login)
2. authpriv: Same as auth but logged to a file that can only be read by selected users
3. console: Used to capture messages that are generally directed to the system console
4. cron: Messages from the cron system scheduler
5. daemon: System daemon catch-all
6. ftp: Messages relating to the ftp daemon
7. kern: Kernel messages
8. local0 to local7: Local facilities defined per site
9. lpr: Messages from the line printing system
10. mail: Messages relating to the mail system
11. mark: Pseudo-event used to generate timestamps in log files
12. news: Messages relating to network news protocol (nntp)
13. ntp: Messages relating to network time protocol
14. user: Regular user processes
15. uucp: UUCP subsystem
Syslog Priorities
The syslog priorities are summarized in the following table:
emerg: Emergency condition, such as an imminent system crash, usually broadcast to all users
alert: Condition that should be corrected immediately, such as a corrupted system database
crit: Critical condition, such as a hardware error
err: Ordinary error
warning: Warning
notice: Condition that is not an error, but possibly should be handled in a special way
info: Informational message
debug: Messages that are used when debugging programs
none: Pseudo level used to specify not to log messages
The combination of facilities and levels enables you to be discerning about what is logged and where that information goes.
As each program sends its messages dutifully to the system logger, the logger makes decisions on what to keep track of and what to discard based on the levels defined in the selector.
When you specify a level, the system will keep track of everything at that level and higher.
The /etc/syslog.conf file
The /etc/syslog.conf file controls where messages are logged. A typical syslog.conf file might look like this
Each line of the file contains two parts
A message selector that specifies which kind of messages to log. For example, all error messages or all debugging messages from the kernel.
An action field that says what should be done with the message. For example, put it in a file or send the message to a user's terminal.
Following are the notable points for the above configuration
Message selectors have two parts: a facility and a priority. For example, kern.debug selects all debug messages (the priority) generated by the kernel (the facility).
Message selector kern.debug selects all priorities that are greater than debug.
An asterisk in place of either the facility or the priority indicates "all". For example, *.debug means all debug messages, while kern.* means all messages generated by the kernel.
You can also use commas to specify multiple facilities. Two or more selectors can be grouped together by using a semicolon.
The logger Command
Unix provides the logger command, which is an extremely useful command to deal with system logging. The logger command sends logging messages to the syslogd daemon, and consequently provokes system logging.
This means we can check the syslogd daemon and its configuration from the command line at any time. The logger command provides a method for adding one-line entries to the system log file from the command line.
The format of the command is
Here is the detail of the parameters
-f filename: Uses the contents of file filename as the message to log.
-i: Logs the process ID of the logger process with each line.
-p priority: Enters the message with the specified priority (specified selector entry); the message priority can be specified numerically, or as a facility.priority pair. The default priority is user.notice.
-t tag: Marks each line added to the log with the specified tag.
message: The string arguments whose contents are concatenated together in the specified order, separated by a space.
You can use Manpage Help to check complete syntax for this command.
Log Rotation
Log files have the propensity to grow very fast and consume large amounts of disk space. To enable log rotations, most distributions use tools such as newsyslog or logrotate.
These tools should be called on a frequent time interval using the cron daemon. Check the man pages for newsyslog or logrotate for more details.
Important Log Locations
All the system applications create their log files in /var/log and its sub-directories. Here are few important applications and their corresponding log directories
If you want to add a user in Unix, we have a command. At the $ prompt we can execute this command:
$ adduser username
It asks for the password; give the password to the user.
If you want to change the password, change it using the command
$ passwd
Give the previous password. It asks for the new password; give the new password, and the password is changed successfully.
All data in Unix is organized into files. All files are organized into directories. These directories are organized into a tree-like structure called the filesystem.
You can use the ls command to list out all the files or directories available in a directory.
Use the w command on your system to check the output. This lists down information associated with the users logged in to the system.
To log out of the system, type the command logout at the $ prompt; then you will be logged out from the login connection.
For system shutdown, use the following commands:
Command Description
halt Brings the system down immediately
init 0 Powers off the system using predefined scripts to synchronize and clean up the system prior to shutting down
init 6 Reboots the system by shutting it down completely and then restarting it
poweroff Shuts down the system by powering off
reboot Reboots the system
shutdown Shuts down the system
To list the directories and files, use the following command:
$ ls -l
total 19621
drwxrwxr-x 2 amrood amrood 4096 Dec 25 09:59 uml
-rw-rw-r-- 1 amrood amrood 5341 Dec 25 08:38 uml.jpg
drwxr-xr-x 2 amrood amrood 4096 Feb 15 2006 univ
drwxr-xr-x 2 root root 4096 Dec 9 2007 urlspedia
-rw-r--r-- 1 root root 276480 Dec 9 2007 urlspedia.tar
drwxr-xr-x 8 root root 4096 Nov 25 2007 usr
-rwxr-xr-x 1 root root 3192 Nov 25 2007 webthumb.php
-rw-rw-r-- 1 amrood amrood 20480 Nov 25 2007 webthumb.tar
-rw-rw-r-- 1 amrood amrood 5654 Aug 9 2007 yourfile.mid
-rw-rw-r-- 1 amrood amrood 166255 Aug 9 2007 yourfile.swf
drwxr-xr-x 11 amrood amrood 4096 May 29 2007 zlib-1.2.3
$
Here is the information about all the listed columns:
First Column: Represents the file type and the permission given on the file. Below is the description of all types of files.
Second Column: Represents the number of memory blocks taken by the file or directory.
Third Column: Represents the owner of the file. This is the Unix user who created this file.
Fourth Column: Represents the group of the owner. Every Unix user will have an associated group.
Fifth Column: Represents the file size in bytes.
Sixth Column: Represents the date and the time when this file was created or modified for the last time.
Seventh Column: Represents the file or the directory name.
In the ls -l listing example, every file line begins with a d, -, or l. These characters indicate the type of the file that's listed.
Prefix Description
- Regular file, such as an ASCII text file, binary executable, or hard link
b Block special file. Block input/output device file such as a physical hard drive
c Character special file. Raw input/output device file such as a physical hard drive
d Directory file that contains a listing of other files and directories
l Symbolic link file. Links on any regular file
p Named pipe. A mechanism for interprocess communications
s Socket used for interprocess communication
An invisible file is one the first character of which is the dot or the period character (.).
Unix programs (including the shell) use most of these files to store configuration information. Some common examples of the hidden files include:
.profile: The Bourne shell (sh) initialization script
.kshrc: The Korn shell (ksh) initialization script
.cshrc: The C shell (csh) initialization script
.rhosts: The remote shell configuration file
To list the invisible files, specify the -a option to ls:
$ ls -a
.        .profile  docs   lib     test_results
..       .rhosts   hosts  pub     users
.emacs   bin       hw1    res.01  work
.exrc    ch07      hw2    res.02
.kshrc   ch07.bak  hw3    res.03
Single dot (.): This represents the current directory.
Double dot (..): This represents the parent directory.
To find the last five lines of a file, use the following command at the $ prompt; it displays the last five lines of the log file:
$ tail -n 5 logfilename
If the log.txt file contains
1
2
3
4
5
6
7
8
9
10
then
$ tail -n 5 log.txt
displays only
6
7
8
9
10
File permission and access modes in Unix:
File ownership is an important component of Unix that provides a secure method for storing files.
Every Unix file will have the following permissions:
Owner permissions: The owner's permissions determine what actions the owner of the file can perform on the file.
Group permissions: The group's permissions determine what actions a user, who is a member of the group that a file belongs to, can perform on the file.
Other (world) permissions: The permissions for others indicate what action all other users can perform on the file.
The Permission Indicators:
While using the ls -l command, it displays various information related to file permissions:
$ ls -l /home/amrood
-rwxr-xr-- 1 amrood users 1024 Nov 2 00:10 myfile
drwxr-xr-- 1 amrood users 1024 Nov 2 00:10 mydir
The permissions are broken into groups of threes, and each position in the group denotes a specific permission, in this order: read (r), write (w), execute (x).
The first three characters (2-4) represent the permissions for the file's owner. For example, -rwxr-xr-- represents that the owner has read (r), write (w) and execute (x) permission.
The second group of three characters (5-7) consists of the permissions for the group to which the file belongs. For example, -rwxr-xr-- represents that the group has read (r) and execute (x) permission, but no write permission.
The last group of three characters (8-10) represents the permissions for everyone else. For example, -rwxr-xr-- represents that there is read (r) only permission.
File Access Modes:
Read: Grants the capability to read, i.e., view the contents of the file.
Write: Grants the capability to modify, or remove the content of the file.
Execute: A user with execute permission can run a file as a program.
Directory Access Modes:
Read: Access to a directory means that the user can read the contents. The user can look at the filenames inside the directory.
Write: Access means that the user can add or delete files from the directory.
Execute: Executing a directory doesn't really make sense, so think of this as a traverse permission. A user must have execute access to the bin directory in order to execute the ls or the cd command.
Changing Permissions:
Using chmod in Symbolic Mode
The easiest way for a beginner to modify file or directory permissions is to use the symbolic mode. With symbolic permissions you can add, delete, or specify the permission set you want by using the operators in the following table.
chmod Operator Description
+ Adds the designated permission(s) to a file or directory.
- Removes the designated permission(s) from a file or directory.
= Sets the designated permission(s).
Here's an example using testfile. Running ls -l on the testfile shows that the file's permissions are as follows:
$ ls -l testfile
-rwxrwxr-- 1 amrood users 1024 Nov 2 00:10 testfile
Then each chmod command from the preceding table is run on the testfile, followed by ls -l:
$ chmod o+wx testfile
$ ls -l testfile
-rwxrwxrwx 1 amrood users 1024 Nov 2 00:10 testfile
$ chmod u-x testfile
$ ls -l testfile
-rw-rwxrwx 1 amrood users 1024 Nov 2 00:10 testfile
$ chmod g=rx testfile
$ ls -l testfile
-rw-r-xrwx 1 amrood users 1024 Nov 2 00:10 testfile
$ chmod o+wx,u-x,g=rx testfile
$ ls -l testfile
-rw-r-xrwx 1 amrood users 1024 Nov 2 00:10 testfile
Using chmod with Absolute Permissions:-
Number Octal Permission Representation Ref
0 No permission ---
1 Execute permission --x
2 Write permission -w-
3 Execute and write permission: 1 (execute) + 2 (write) = 3 -wx
4 Read permission r--
5 Read and execute permission: 4 (read) + 1 (execute) = 5 r-x
6 Read and write permission: 4 (read) + 2 (write) = 6 rw-
7 All permissions: 4 (read) + 2 (write) + 1 (execute) = 7 rwx
$ chmod 755 testfile
$ls -l testfile
-rwxr-xr-x 1 amrood users 1024 Nov 2 00:10 testfile
$chmod 743 testfile
$ls -l testfile
-rwxr---wx 1 amrood users 1024 Nov 2 00:10 testfile
$chmod 043 testfile
$ls -l testfile
----r---wx 1 amrood users 1024 Nov 2 00:10 testfile
Changing Ownership
The chown command changes the:
$ chown user filelist
Changing Group Ownership:
$ chgrp group filelist
The value of group can be the name of a group on the system or the group ID (GID)
of a group on the system.
SUID and SGID File Permission:
Often when a command is executed, it will have to be executed with special privileges in order to accomplish its task.
As an example, when you change your password with the passwd command, your new password is stored in the file /etc/shadow.
As a regular user, you do not have read or write access to this file for security reasons, but when you change your password, you need to have the write permission to this file.
This means that the passwd program has to give you additional permissions so that you can write to the file /etc/shadow.
Additional permissions are given to programs via a mechanism known as the Set User ID (SUID) and Set Group ID (SGID) bits.
To set the SUID and SGID bits for any directory, try the following command:
$ chmod ug+s dirname
$ ls -l
drwsr-sr-x 2 root root 4096 Jun 19 06:45 dirname
The SUID and SGID bits will appear as the letter "s" if the permission is available. The SUID "s" bit will be located in the permission bits where the owner's execute permission normally resides.
Usually, the type of terminal you are using is automatically configured by either the login or getty programs. Sometimes, the auto-configuration process guesses your terminal incorrectly.
If your terminal is set incorrectly, the output of the commands might look strange, or you might not be able to interact with the shell properly.
To make sure that this is not the case, most users set their terminal to the lowest common denominator in the following way:
$ TERM=vt100
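As an added example that is not part of the original answer, the following POSIX shell helpers exercise two mechanisms explained above: converting between the permission string shown by ls -l and the octal mode used by chmod (including the ticket's owner rwx, group rw, world r mode for a data directory), and deciding whether a syslog selector such as kern.err would log a message with a given facility and priority. The function names are my own; the selector matcher assumes a single facility per selector (no comma-separated lists) and the priority order from the table above.

```shell
#!/bin/sh
# Added example, not part of the original answer: shell helpers for the two
# mechanisms explained above, permission strings <-> octal modes and
# syslog selector matching (facility.priority, "at that level and higher").

# perm_to_octal: the 9 permission characters shown by ls -l -> octal digits,
# e.g. rwxrw-r-- -> 764. s/t count as execute (setuid/setgid/sticky set too).
perm_to_octal() {
  perms=$1 result=""
  for start in 1 4 7; do
    triple=$(printf '%s' "$perms" | cut -c"$start-$((start + 2))")
    digit=0
    case $triple in r??) digit=$((digit + 4)) ;; esac
    case $triple in ?w?) digit=$((digit + 2)) ;; esac
    case $triple in ??[xst]) digit=$((digit + 1)) ;; esac
    result="$result$digit"
  done
  printf '%s\n' "$result"
}

# octal_to_perm: three octal digits -> permission string, e.g. 764 -> rwxrw-r--
# (read = 4, write = 2, execute = 1 within each digit).
octal_to_perm() {
  result=""
  for digit in $(printf '%s' "$1" | sed 's/./& /g'); do
    if [ $((digit & 4)) -ne 0 ]; then result="${result}r"; else result="${result}-"; fi
    if [ $((digit & 2)) -ne 0 ]; then result="${result}w"; else result="${result}-"; fi
    if [ $((digit & 1)) -ne 0 ]; then result="${result}x"; else result="${result}-"; fi
  done
  printf '%s\n' "$result"
}

# mode_of: permission characters of a path, read back from ls -ld (works with
# GNU and BSD ls; stat's options differ between them).
mode_of() { ls -ld "$1" | cut -c2-10; }

# fix_data_dir: apply the ticket's mode (owner rwx, group rw, world r = 764)
# to a directory and return the resulting permission string for verification.
fix_data_dir() { chmod 764 "$1" && mode_of "$1"; }

# Syslog priorities from lowest to highest; a selector's priority matches
# messages at that level and above, "none" matches nothing, "*" matches all.
PRIORITIES="debug info notice warning err crit alert emerg"
prio_rank() {
  rank=0 found=0
  for p in $PRIORITIES; do
    rank=$((rank + 1))
    if [ "$p" = "$1" ]; then found=$rank; fi
  done
  echo "$found"   # 0 for an unknown priority, which then never matches
}
# selector_matches SELECTOR FACILITY PRIORITY: exit 0 if syslog would log it.
selector_matches() {
  sel_fac=${1%.*} sel_pri=${1#*.}
  [ "$sel_fac" = "*" ] || [ "$sel_fac" = "$2" ] || return 1
  [ "$sel_pri" = "none" ] && return 1
  [ "$sel_pri" = "*" ] && return 0
  [ "$(prio_rank "$3")" -ge "$(prio_rank "$sel_pri")" ]
}
```

Source the file and call, for example, `perm_to_octal "$(mode_of /data)"` to compare a directory's actual mode with the one the ticket asks for.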