22 essential Linux security commands

There are many aspects to security on Linux systems – from setting up accounts to ensuring that legitimate users have no more privilege than they need to do their jobs. This is look at some of the most essential security commands for day-to-day work on Linux systems.

sudo

Running privileged commands with sudo  – instead of switching user to root  – is one essential good practice as it helps to ensure that you only use root privilege when needed and limits the impact of mistakes. Your access to the sudo command depends on settings in the /etc/sudoers and /etc/group files.

$ sudo adduser shark
Adding user `shark' ...
Adding new group `shark' (1007) ...
Adding new user `shark' (1007) with group `shark' ...
Creating home directory `/home/shark' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for shark
Enter the new value, or press ENTER for the default Full Name []: shark Room Number []: Work Phone []: Home Phone []: Other []:
Is the information correct? [Y/n] Y

If you run sudo and ask who you are, for example, you’ll get confirmation that you’re running the command as root.

$ sudo whoami
root

If you manage the sudo setup for users, you also need to be comfortable with the visudo command.

visudo

The visudo command allows you to make changes to the /etc/sudoers file by opening the file in a text editor and checking your changes for syntax. Run the command with “sudo visudo” and make sure that you understand the syntax. Privileges can be assigned by user or by group. On most Linux systems, the /etc/sudoers file will already be configured with groups like those shown below that allow the privileges to be assigned to groups set up in the /etc/group file. In those cases, you don’t need to use the visudo command at all  – just be familiar with the groups that bestow root privileges in this way, and make your updates to the /etc/group file.

%admin ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
%wheel ALL=(ALL:ALL) ALL

Note that group names are preceded by the % sign.

You can probably display the group providing sudo access in your /etc/group file like this since it is probably one of these:

$ egrep "admin|sudo|wheel" /etc/group
sudo:x:27:shs,jdoe

The easiest way to give someone sudo privilege is to add them to the empowered group in /etc/group. However, that means that they can run any command as root. If you want some users to have root authority for a limited set of commands (e.g., adding and removing accounts) you can define the commands you want them to be able to run through a command alias like this:

Cmnd_Alias ACCT_CMDS = /usr/sbin/adduser, /usr/sbin/deluser

Then give the user or group the ability to run these commands using sudo with a command like one of these:

nemo ALL=(ALL) ACCT_CMDS
%techs ALL=(ALL:ALL) ACCT_CMDS

The first line allows the user “nemo” to run the twp (adduser and deluser) commands with sudo while the second assigns the same privileges to anyone in the “tech” group in the /etc/group file.

who and w

The who and w commands show you who is logged into the system though w shows more information such as where they logged in from, when they logged in and how long they’ve been idle.

$ w 18:03:35 up 9 days, 22:48, 2 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
joe tty2 /dev/tty2 27Apr18 9days 7:34 0.09s /usr/lib/x86_64-linux
shs pts/1 192.168.0.15 09:50 7.00s 0.28s 0.00s w

Use the “sudo update-alternatives  – config editor” command if you don’t like the default editor that’s called into play when you run the visudo command. It will offer a number of editors as options and change your setting.

last

The last command shows you recent logins for users and is often helpful when you’re trying to track down changes or other activity.

$ last nemo
nemo pts/1 192.168.0.15 Wed May 2 07:01 - 08:29 (01:27)
wtmp begins Tue May 1 10:21:35 2018

Nemo hasn’t logged in for a while. He might be on vacation (maybe fishing?) or have just recently left the company. This kind of information can be useful in deciding whether you need to follow up on this.

find

The find command is used for many types of searches. When it comes to security, you might find yourself looking for files that have no owners (no corresponding accounts) or are both world-writable and executable. Find commands are easy to compose but require some familiarity with its many options for defining what you’re looking for. The first of these two commands will find files with no currently defined owners. The second will find files that likely anyone can both run and modify.

$ sudo find /home -nouser
$ sudo find / -perm -o=wx

Keep in mind that the -o in the second command refers to the “other” group – not the owner and not the group associated with the files.

file

The file command looks at a file and determines what kind of file it is based on its contents, not its name. Many files (like jpeg files) contain identifiers near the beginnings of the files that identify them. The “.jpg” file in the example below is clearly not a true jpeg file but an executable  – in spite of its name.

READ MORE HERE