Linux system security check notes:
1. Check accounts
# less /etc/passwd
# grep :0: /etc/passwd
Look for newly added users, and for any user whose UID or GID is 0.
2. Log inspection
Watch for "entered promiscuous mode" messages.
Watch for error messages.
Watch for Remote Procedure Call (rpc) programs with a log entry containing a large number (> 20) of strange characters (e.g. -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM).
I don't understand the last one yet and haven't come across it; pointers are welcome.
3. Check processes
# ps -aux
Note processes running as UID 0.
# lsof -p <PID of the suspect process>
View the files and ports the process has open.
4. Check files
# find / -uid 0 -perm -4000 -print
# find / -size +10000k -print
# find / -name "..." -print
# find / -name ".. " -print
# find / -name ". " -print
# find / -name " " -print
Note SUID files, suspicious files larger than 10M, and files whose names consist only of dots and spaces.
5. RPM inspection
# rpm -Va
Output format:
S - file size differs
M - mode differs (permissions)
5 - MD5 sum differs
D - device number mismatch
L - readLink path mismatch
U - user ownership differs
G - group ownership differs
T - modification time differs
Pay attention to mismatches under /sbin, /bin, /usr/sbin and /usr/bin.
Get into the habit of checking the MD5 of third-party files when you install them; it makes things a lot less scary.
A run will produce many "5" (MD5) or "missing" entries; if they are not under the directories above, don't pay them too much attention.
6. Network inspection
# ip link | grep PROMISC
A normal network card should not be in promiscuous mode (except, of course, on a security/monitoring server); otherwise someone may have broken in and be running a sniffer.
# lsof -i
# netstat -nap
Check for abnormally open TCP/UDP ports. Hey, this needs a baseline recorded during normal operation to compare against, if you hadn't planned on that :)
# arp -a
Scarier still: record all MAC addresses beforehand, as some people do, so they can be compared later.
7. Scheduled task check
Note scheduled tasks belonging to root and to users with UID 0.
# crontab -u root -l
# cat /etc/crontab
# ls /etc/cron.*
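Sections 1 and 6 both come down to comparing today's data with what a healthy system should look like. The script below is an added example (not from the original notes) that turns those two checks into reusable shell functions; the passwd and netstat samples are constructed, and on a real host you would pass /etc/passwd and saved "netstat -nap" output instead.

```shell
#!/bin/sh
# Added example, not part of the original notes. The sample files are
# constructed so the functions can be run offline; on a real host you would
# feed them /etc/passwd and saved "netstat -nap" output instead.

# Section 1: accounts whose UID or GID is 0, other than root itself.
uid0_accounts() {
    awk -F: '($3 == 0 || $4 == 0) && $1 != "root" { print $1 }' "$1"
}

# Section 6: reduce netstat -nap output to a sorted list of listening
# sockets (proto + local address); this is what a port baseline should hold.
listening_sockets() {
    awk '($1 == "tcp" || $1 == "tcp6") && $6 == "LISTEN" { print $1, $4 }
         ($1 == "udp" || $1 == "udp6") { print $1, $4 }' "$1" | sort -u
}

# Sockets listening now that were absent from the baseline snapshot.
new_sockets() {
    listening_sockets "$1" > "$WORK/base"
    listening_sockets "$2" > "$WORK/now"
    comm -13 "$WORK/base" "$WORK/now"
}

WORK=$(mktemp -d)
# Constructed passwd sample: "backup" has quietly been given UID 0.
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:0:34:backup:/var/backups:/bin/sh
alice:x:1000:1000::/home/alice:/bin/bash
EOF

# Constructed netstat -nap output: baseline, then a later snapshot with one extra listener.
cat > "$WORK/net_base" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           640/dhclient
EOF
cat > "$WORK/net_now" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:22              10.0.0.5:51022          ESTABLISHED 2210/sshd
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      2311/unknown
udp        0      0 0.0.0.0:68              0.0.0.0:*                           640/dhclient
EOF

echo "UID/GID 0 accounts besides root:"; uid0_accounts "$WORK/passwd"
echo "Listeners not in baseline:";      new_sockets "$WORK/net_base" "$WORK/net_now"
```

Established connections are deliberately ignored, so a baseline stays stable across normal client traffic and only new listeners stand out.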