word document - Electrical and Computer Engineering

Capability and System Hardening
Date Assigned: mm/dd/yyyy
Date Due: mm/dd/yyyy by hh:mm
Educational Objectives
This lab is designed to help you gain a better understanding of system hardening principles and
hands-on experience with common hardening techniques.
Lab Environment
One Fedora 18 system is needed for this lab.
Please put SELinux into permissive mode (setenforce 0).
Resources:
Most of the materials in the rest of this lab are derived from the following documents:
[1] Guide to the Secure Configuration of Red Hat Enterprise Linux 5, Revision 4.1, February 28,
2011, by Operating Systems Division Unix Team of the Systems and Network Analysis
Center, National Security Agency (NSA).
[2] Security Configuration Benchmark for Red Hat Enterprise Linux 5, Version 2.0.0, December
16th, 2011, the Center for Internet Security (CIS).
Section 1 Introduction to Linux Capabilities
Unix/Linux systems use a security model that gives regular users a minimal amount of privilege
while giving “root” full privileges. Privileged operations are necessary in operating systems.
Programs often need root privileges for a single activity, such as binding to a privileged port or
opening a file only root can access. In order to allow regular users to run these programs, the
Set-UID mechanism was introduced. Set-UID programs temporarily turn regular users into privileged
users. This has proven dangerous: if the program is compromised, adversaries may obtain
root privilege.
In most cases, the operations involved do not actually need full root privilege. Capabilities divide root
privilege into a set of granular privileges; each of these privileges is called a capability. With
capabilities, a common user does not need to be root to perform privileged operations. All the
user needs is the capability required for the privileged operation. If a privileged
program is compromised, adversaries can only obtain limited privilege.
Capabilities have been implemented since Linux kernel 2.1 and have been
significantly improved since kernel 2.6.24. A good introduction can be found at the following
link:
http://www.linuxjournal.com/article/5737
Available capabilities and their privileges are given in the following file:
/usr/include/linux/capability.h
A good example is the command ping. Please perform the following as root before working on
the rest of the lab:
setcap -r /bin/ping
chmod u+s /bin/ping
In order to make it work for both root and a regular user, ping is now a Set-UID program, as shown in
the following screenshot:
The letter s in the owner’s field indicates that ping is a Set-UID program. When a regular user
executes ping, his/her effective user id becomes root. If ping is compromised, the entire system
can be compromised. The question is whether we can remove this privilege from ping.
Let’s turn ping into a non-Set-UID program by executing the following as root.
chmod u-s /bin/ping
Now, log in as a regular user and run ping www.google.com. You will receive the following
error:
The command does not work for a regular user, although it works for root (test it). This is
because ping uses ICMP, which requires opening a RAW socket, a privileged operation. That
is why ping has to be a Set-UID program. With capabilities, we do not need to give ping that
much privilege. The only privilege it needs is to open a RAW socket, which can be granted with the
cap_net_raw capability. This capability can be assigned to ping by doing the following as root:
setcap cap_net_raw=ep /bin/ping
Now, log in as a regular user and run ping www.google.com again. The ping succeeds this time,
as shown below:
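As an added example that is not part of the lab handout, the following Python script decodes the capability masks the kernel reports in /proc/<pid>/status, so you can verify what a ping started by a regular user actually holds in its effective set after the setcap above. The capability numbers follow /usr/include/linux/capability.h and the sample status text is constructed.

```python
# Capability numbers from /usr/include/linux/capability.h (list index == number).
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner", "cap_fsetid",
    "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap", "cap_linux_immutable",
    "cap_net_bind_service", "cap_net_broadcast", "cap_net_admin", "cap_net_raw",
    "cap_ipc_lock", "cap_ipc_owner", "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot",
    "cap_sys_ptrace", "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod", "cap_lease",
    "cap_audit_write", "cap_audit_control", "cap_setfcap", "cap_mac_override",
    "cap_mac_admin", "cap_syslog", "cap_wake_alarm", "cap_block_suspend", "cap_audit_read",
]

def decode_caps(hex_mask):
    """Turn a mask such as '0000000000002000' into a set of capability names;
    bits beyond the table (newer kernels) are reported as cap_<number>."""
    mask = int(hex_mask, 16)
    names, bit = set(), 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else "cap_%d" % bit)
        bit += 1
    return names

def parse_status_caps(status_text):
    """Decode every Cap* line (CapInh, CapPrm, CapEff, CapBnd, ...) of a
    /proc/<pid>/status text into a dict of capability-name sets."""
    caps = {}
    for line in status_text.splitlines():
        if line.startswith("Cap"):
            key, _, value = line.partition(":")
            caps[key] = decode_caps(value.strip())
    return caps

def process_caps(pid):
    """Decode the capability sets of a live process (Linux only)."""
    with open("/proc/%d/status" % int(pid)) as f:
        return parse_status_caps(f.read())

# Constructed sample of what a regular user's ping reports after the lab's
# `setcap cap_net_raw=ep /bin/ping`: bit 13 (0x2000) is cap_net_raw.
SAMPLE_STATUS = """\
Name:\tping
CapInh:\t0000000000000000
CapPrm:\t0000000000002000
CapEff:\t0000000000002000
CapBnd:\t0000001fffffffff
"""
if __name__ == "__main__":
    for key, names in sorted(parse_status_caps(SAMPLE_STATUS).items()):
        print(key, sorted(names) or "(none)")
```

Start ping www.google.com as a regular user in another terminal and call process_caps() with its pid; the CapEff set should contain only cap_net_raw. File capabilities are applied to the binary the kernel executes, so they cannot be attached to an interpreted script such as this one.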
Please use man pages to study how to use the following commands:
setcap
getcap
The following command displays all Set-UID programs in the system:
find / -type f -perm -4000 -print
Please find the capabilities needed for a program from the article in the following link:
https://wiki.archlinux.org/index.php/Using_File_Capabilities_Instead_Of_Setuid
Why are some of the capabilities desired? Please read the following post:
http://stackoverflow.com/questions/7844933/usr-bin-passwd-and-the-cap-chown-capability
Question 1: Choose one of the Set-UID programs you are interested in. Remove the SUID bit
from the program and set proper capabilities on the program. Were you able to make it work
for a regular user without the SUID bit being set? Please test your solution.
a) What is the program you chose?
b) Does it work for a regular user without the SUID bit being set?
One common use of capabilities is to grant application programs exactly the privileges they
need. Some applications need privileged operations to access certain resources. However, you don’t
want to run them as root for security reasons. In this case, you can assign the desired capabilities
to such programs. For example, the program shown in Figure 1 needs to open the file
/etc/shadow for reading. If the operation is allowed, it shows “Reading successful”.
Otherwise, it shows “Reading failed.”
Figure 1 A simple application program
Task 1
You are given the application program shown in Figure 1. You need to configure the program so
that a regular user can run it and the result shows “Reading successful”. For security reasons,
you don’t want to make it owned by root and Set-UID. In addition, you don’t want
to make the /etc/shadow file accessible to common users. Then test your
configuration to ensure it works as expected.
Question 2: What do you need to do to achieve the goals specified in Task 1? Please use
screenshots to demonstrate your work and results.
Section 2 System-wide hardening
Some common system-wide hardening items are introduced in this section.
2.1. Password complexity
In a Linux system, password complexity requirements are defined in the file /etc/login.defs.
Please study the file and try to harden your system.
Question 3: What changes would you like to make to the Password aging controls section in
the /etc/login.defs file in order to harden your system?
2.2. Account and password verification
To ensure that no accounts have an empty password field, the following command should have
no output:
awk -F: '($2 == "") {print}' /etc/shadow
If this generates any output, fix the problem by locking each account or by setting a password for
each account.
To ensure that no password hashes are stored in /etc/passwd, the following command should
have no output:
awk -F: '($2 != "x") {print}' /etc/passwd
The hashes for all user account passwords should be stored in the file /etc/shadow and never in
/etc/passwd, which is readable by all users.
Question 4: Did you get any output by performing the above commands?
If you did, please harden your system.
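The two awk checks above, re-implemented in Python as an added example (not from the lab or the cited guides), plus a check for the locked state you expect after fixing an account; the /etc/shadow and /etc/passwd lines below are constructed samples.

```python
def empty_password_accounts(shadow_text):
    """Usernames whose /etc/shadow password field is empty, i.e. accounts that
    can log in with no password. Same test as the lab's
    awk -F: '($2 == "") {print}' /etc/shadow"""
    return [f[0] for f in _records(shadow_text) if f[1] == ""]

def hashes_in_passwd(passwd_text):
    """Usernames whose /etc/passwd password field is not the shadow
    placeholder 'x'. Same test as awk -F: '($2 != "x") {print}' /etc/passwd"""
    return [f[0] for f in _records(passwd_text) if f[1] != "x"]

def locked_accounts(shadow_text):
    """Usernames whose shadow entry is locked ('!' or '*' prefix), the state
    you expect after fixing an empty-password account with passwd -l."""
    return [f[0] for f in _records(shadow_text) if f[1][:1] in ("!", "*")]

def _records(text):
    """Split colon-separated records, skipping blank and comment lines.
    Lines with fewer than two fields are malformed and skipped."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            if len(fields) >= 2:
                yield fields

# Constructed sample data: hashes and dates are placeholders, not real accounts.
SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedhash:15432:0:99999:7:::
alice::15432:0:99999:7:::
bob:!!:15432:0:99999:7:::
daemon:*:15432:0:99999:7:::
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
legacy:$1$constructedsalt$constructedhash:1001:1001::/home/legacy:/bin/bash
"""

if __name__ == "__main__":
    print("empty passwords:", empty_password_accounts(SAMPLE_SHADOW))
    print("hashes in passwd:", hashes_in_passwd(SAMPLE_PASSWD))
    print("locked:", locked_accounts(SAMPLE_SHADOW))
```

On the lab system, pass open('/etc/shadow').read() as root to empty_password_accounts(); any name it returns should then be locked or given a password.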
2.3. Group-writable and world-writable files
A user’s home directory should not be writable by others unless specific permissions have been
deliberately granted. You don’t want to share your private files with others.
For each human user USER of the system, view the permissions of the user’s home directory:
ls -ld /home/USER
Ensure that the directory is not group-writable and that it is not world-readable (and thus not
world-writable). If necessary, repair the permissions:
chmod g-w /home/USER
chmod o-rwx /home/USER
For each human user USER of the system, view the permissions of all dot-files in the user’s
home directory:
ls -ld /home/USER/.[A-Za-z0-9]*
Ensure that none of these files are group- or world-writable. Correct each mis-configured file
FILE by executing:
chmod go-w /home/USER/FILE
Question 5: Why would you perform the above checks in practice?
2.4. Verify that all world-writable directories have sticky bits set
Locate any directories in the current partition that are world-writable and do not have their sticky
bit set. The following command will discover and print those directories, if any. Run it once for
each partition:
find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
Question 6: Did you see any output when running the above command?
If this command produces any output, fix each reported directory /dir using the command:
chmod +t /dir
When the so-called “sticky bit” is set on a directory, only the owner of a given file may remove
that file from the directory. Without the sticky bit, any user with write access to a directory may
remove any file from that directory. Setting the sticky bit prevents users from removing each
other’s files.
2.5. Find unauthorized SUID/SGID system executables
The following command discovers and prints any setuid or setgid files on local partitions. Run it
once for each local partition:
find / -xdev \( -perm -4000 -o -perm -2000 \) -type f -print
If the file does not require a setuid or setgid bit set, then these bits can be removed by running
the command:
chmod -s fileName
System executables that need setuid or setgid bits set are listed in the security configuration
guide. You may also be able to find this list in a manual or a system specification.
In addition, replacing the setuid and setgid bits with proper capabilities will always limit the
damage to the system when the program is compromised.
Un-owned files are not directly exploitable, but they are generally a sign that something is wrong
with some system process. They may be caused by an intruder, by incorrect software installation
or incomplete software removal, or by failure to remove all files belonging to a deleted account.
The files should be repaired so that they will not cause problems when accounts are created in
the future, and the problem which led to un-owned files should be discovered and addressed.
The following command will discover and print any files on local partitions which do not belong
to a valid user and a valid group. Run it once for each local partition:
find / -xdev \( -nouser -o -nogroup \) -print
If this command shows any results, investigate each reported file. Then, either assign it to an
appropriate user and group or remove it.
Locate any directories in local partitions which are world-writable and ensure that they are
owned by root or another system account. The following command will discover and print those
directories (assuming that only system accounts have a uid lower than 500). Run it once for each
local partition:
find / -xdev -type d -perm -0002 -uid +500 -print
If this command produces any output, investigate why the current owner is not root or another
system account.
Allowing a user account to own a world-writable directory is undesirable because it allows the
owner of that directory to remove or replace any files that may be placed in the directory by
other users.
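The four find commands of sections 2.4 and 2.5 combined into one filesystem walk, as an added Python example that is not part of the lab: it stays on one filesystem like -xdev and keeps the lab’s assumption that system accounts have a uid below 500. make_sample_tree() builds a constructed directory tree to try it on, since a real run needs root to read every directory under /.

```python
import grp
import os
import pwd
import stat
import tempfile

SYSTEM_UID_MAX = 500  # lab assumption: only system accounts have a uid below 500

def audit_tree(root):
    """Walk one filesystem below `root` (like find -xdev) and collect the
    conditions the lab's find commands in 2.4 and 2.5 look for."""
    findings = {"ww_dir_no_sticky": [], "ww_dir_user_owned": [],
                "suid_sgid_file": [], "unowned": []}
    root_dev = os.lstat(root).st_dev
    for dirpath, dirnames, filenames in os.walk(root):
        # -xdev: do not descend into directories on other filesystems
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev]
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            _classify(path, os.lstat(path), findings)
    return findings

def _classify(path, st, findings):
    mode = st.st_mode
    if stat.S_ISDIR(mode) and mode & stat.S_IWOTH:        # -type d -perm -0002
        if not mode & stat.S_ISVTX:                       # ! -perm -1000
            findings["ww_dir_no_sticky"].append(path)
        if st.st_uid > SYSTEM_UID_MAX:                    # -uid +500
            findings["ww_dir_user_owned"].append(path)
    elif stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
        findings["suid_sgid_file"].append(path)           # -perm -4000 -o -perm -2000
    try:                                                  # -nouser -o -nogroup
        pwd.getpwuid(st.st_uid)
        grp.getgrgid(st.st_gid)
    except KeyError:
        findings["unowned"].append(path)

def make_sample_tree():
    """Constructed sample layout in a fresh temp dir; returns its path.
    Ownership cannot be faked without root, so only mode bits are exercised."""
    root = tempfile.mkdtemp(prefix="audit-sample-")
    os.mkdir(os.path.join(root, "dropbox"))
    os.chmod(os.path.join(root, "dropbox"), 0o777)     # world-writable, no sticky bit
    os.mkdir(os.path.join(root, "shared"))
    os.chmod(os.path.join(root, "shared"), 0o1777)     # world-writable, sticky bit set
    for name, mode in (("suidbin", 0o4755), ("plain", 0o644)):
        open(os.path.join(root, name), "w").close()
        os.chmod(os.path.join(root, name), mode)
    return root
```

audit_tree('/') run as root reproduces the lab’s four find commands in one pass; print(audit_tree(make_sample_tree())) shows the expected hits on the constructed tree.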
Question 7: How many system executables that have setuid or setgid bits set are there on your
system? Give the command that you would use to obtain this number.
2.6. Ensuring system is not acting as a network sniffer
The system should not be acting as a network sniffer. The file /proc/net/packet should contain
exactly one header line, with entries similar to:
sk RefCnt Type Proto Iface R Rmem User Inode
If numbers appear in a row below this header, then a sniffing process is using the interface and
this should be investigated.
Please perform the above check to find whether your system is acting as a network sniffer.
Question 8: Is your system acting as a network sniffer? In what case would you want a computer to
function as a sniffer? Why don’t you want your computer to act as a network sniffer?
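An added Python example (not from the lab) that parses /proc/net/packet as described above and, for each socket found, looks up which processes hold it by matching the Inode column against /proc/<pid>/fd, which is the investigation step the text calls for; the packet table below is a constructed sample.

```python
import os

def packet_sockets(proc_net_packet_text):
    """Parse the text of /proc/net/packet into one dict per open packet
    socket (keys are the header names). An empty list is the hardened state
    the lab expects: only the header line is present."""
    lines = [l for l in proc_net_packet_text.splitlines() if l.strip()]
    if not lines or lines[0].split()[:2] != ["sk", "RefCnt"]:
        raise ValueError("unexpected /proc/net/packet header")
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) == len(header):    # skip anything that is not a socket row
            rows.append(dict(zip(header, fields)))
    return rows

def socket_owners(inode):
    """Pids whose fd table contains socket:[inode], i.e. the processes holding
    the packet socket. Linux only; reading another user's /proc/<pid>/fd
    requires root, so unreadable processes are silently skipped."""
    target = "socket:[%s]" % inode
    owners = []
    if not os.path.isdir("/proc"):
        return owners
    for pid in filter(str.isdigit, os.listdir("/proc")):
        fd_dir = "/proc/%s/fd" % pid
        try:
            if any(os.readlink(os.path.join(fd_dir, fd)) == target
                   for fd in os.listdir(fd_dir)):
                owners.append(int(pid))
        except OSError:          # process exited or fd table not readable
            continue
    return owners

def report(proc_net_packet_text):
    """Human-readable summary: interface index, owning uid and pids per socket."""
    rows = packet_sockets(proc_net_packet_text)
    if not rows:
        return "no packet sockets open"
    return "\n".join("ifindex=%s uid=%s inode=%s pids=%s" % (
        r["Iface"], r["User"], r["Inode"], socket_owners(r["Inode"]) or "?")
        for r in rows)

# Constructed sample showing one socket bound to all protocols (Proto 0003)
# on interface index 2, opened by uid 0; values are placeholders.
SAMPLE_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff88003a1b2c00 3      3    0003   2     1 0      0      12345
"""
```

Run print(report(open('/proc/net/packet').read())) as root on the lab system; a hardened system prints "no packet sockets open".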
2.7. Disabling all unneeded services at boot time
Running as few services as possible on a system is one of the guidelines for hardening a system.
Before you can take this hardening step, you need to determine which services are needed. Then
you need to know which services are running on your system. The following command will tell
you which services are enabled at boot:
chkconfig --list | grep :on
The first column of the output is the names of services which are currently enabled at boot.
Review each listed service to determine whether it can be disabled.
If it is appropriate to disable some service srvname, do so using the command:
chkconfig srvname off
Please perform the above command and study the services that are enabled at boot on your
system.
Question 9: What are some of the services that are enabled at boot on your system?
2.8. Using groups
Help Desk
Six software engineers are working on a project. They create a number of files. They want to
make the files accessible (read and write) only to the group members (and root).
Question 10: Sketch an approach to meeting the requirements specified in Help Desk.
Section 3 Bonus (4%)
In order to receive bonus points, you need to pick four (4) items from the security guide and/or
hardening benchmark documents that you think are interesting and were not included in the
previous section. Construct four questions, practice/test them on your computer and answer the
questions in a format similar to those in the previous section. Put your questions and answers
in your answer sheet as Bonus Questions. Your questions and answers will be verified and tested
while grading.
Four Questions (B01 – B04) of your choice
Survey Questions
Questions in this section will not be graded, but will make your suggestions and voice heard by
your instructor.
GQ 1. What changes would you like to make to this lab?
GQ 2. How much time did you spend finishing this lab?
GQ 3. Did you learn anything new or gain a better understanding of the class lectures by finishing this
lab?
Well, you have completed another lab for this class. Hope you enjoyed doing this lab. Please let
me know if you have any comments.
Answer Sheet
========================== Required Questions ===========================
Question 1: Choose one of the Set-UID programs you are interested in. Remove the SUID bit
from the program and set proper capabilities on the program. Were you able to make it work
for a regular user without the SUID bit being set? Please test your solution.
a) What is the program you chose?
b) Does it work for a regular user without the SUID bit being set?
Question 2: What do you need to do to achieve the goals specified in Task 1? Please use
screenshots to demonstrate your work and results.
Question 3: What changes would you like to make to the Password aging controls section in
the /etc/login.defs file in order to harden your system?
Question 4: Did you get any output by performing the above commands?
Question 5: Why would you perform the above checks in practice?
Question 6: Did you see any output when running the above command?
Question 7: How many system executables that have setuid or setgid bits set are there on your
system? Give the command that you would use to obtain this number.
Question 8: Is your system acting as a network sniffer? In what case would you want a computer to
function as a sniffer? Why don’t you want your computer to act as a network sniffer?
Question 9: What are some of the services that are enabled at boot on your system?
Question 10: Sketch an approach to meeting the requirements specified in Help Desk.
========================= Bonus Questions (4%) ==========================
Four Questions (B01 – B04) of your choices
=========================== Survey Questions ===========================
GQ1. Would you like to make any changes to this lab?
GQ2. How long did it take you to complete this lab?
GQ3. Did you learn anything new or gain a better understanding of the class lectures by finishing this
lab?