Linuxsec3e PPT ch05

CHAPTER 5

Filesystems, Volumes, and Encryption

Copyright © 2024 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com.

Learning Objective(s) and Key Concepts

Learning Objective(s)
• Explain user account management, configure file permissions and filesystem settings, enforce encryption, and secure Linux services.

Key Concepts
• Filesystem organization and mounting options
• How options for journals, formats, and file sizes affect security
• Encrypting files, directories, partitions, and volumes
• Local and network file and folder permissions
• Filesystem quotas and access control lists (ACLs)

Filesystem Organization

• All data is stored as files
• A filesystem specifies how files are stored, marked, and retrieved
• Filesystems may be local or remote
• Linux has a defined structure for some directory names, which includes the expected contents of those directories

The Filesystem Hierarchy Standard (FHS)

• The way files and directories are organized on a Linux system
• Directories may be dedicated to different functions:
  - Boot process
  - User files
  - Logs
  - Command
  - Utilities
• Directories that belong with the root directory: /bin/, /dev/, /etc/, /lib/, and /sbin/
• Some are listed as virtual directories; nothing is stored in the filesystem on disk.
  - These directories only have contents if the system is running because the kernel populates the information at boot time.

Important Filesystem Hierarchy Standard Directories (1 of 3)

DIRECTORY  DESCRIPTION
/          Top-level root directory, always mounted separately
/bin/      Basic command-line utilities; should always be a part of /
/boot/     Linux kernel, initial RAM disk, bootloader files; frequently mounted separately
/dev/      Device files for hardware and software; should always be part of /
/etc/      Configuration files; should always be part of /
/home/     Home directories for every regular user; frequently mounted separately
/lib/      Program libraries; should always be part of /

Important Filesystem Hierarchy Standard Directories (2 of 3)

DIRECTORY  DESCRIPTION
/media/    Standard mount point for removable media such as CD/DVD drives and universal serial bus (USB) keys; may also be used for other volumes such as a directory formatted to a Microsoft file system
/mnt/      Common legacy mount point for removable media and temporary filesystems
/opt/      Common location for some third-party applications; may be empty and can be mounted separately
/proc/     Virtual directory that contains information about running processes
/root/     The home directory for the root administrative user; should always be part of /
/run/      Runtime data, which would commonly be variable; may include files or other information associated with processes that are executing

Important Filesystem Hierarchy Standard Directories (3 of 3)

DIRECTORY  DESCRIPTION
/sbin/     Primarily for administrative commands; should always be part of /
/srv/      Directory commonly used for network services such as those that share using FTP and HTTP; may be helpful to mount separately
/sys/      Has information about devices, drivers, and some kernel information
/tmp/      Common location for temporary files; if the /tmp/ filesystem is full, users cannot log into the GUI
/usr/      Read-only user data, including the executables and other associated files
/var/      Log files, print spools; some distributions use it for network service files; may be helpful to mount separately; is variable data, which means the files may grow or shrink

[Figure: Contents of the /proc Directory]

Good Volume Organization Can Help Protect a System (1 of 2)

• Mount point
  - A directory that effectively becomes a shortcut to an external device
• Partition
  - A way to segment a drive
  - Can have multiple partitions on a drive
• Volume
  - A single entity that can be formatted with a filesystem
  - Can be a partition, a portion of a multi-disk storage device like a redundant array of independent disks (RAID) system, a storage area network (SAN), etc.
• Volumes mounted as noexec prevent anything from executing from them

Good Volume Organization Can Help Protect a System (2 of 2)

• Directories safe to use as mount points:
  - /boot/
  - /home/
  - /opt/
  - /srv/
  - /tmp/
  - /var/

Read-Only Mount Points

• Can mount a volume or partition in read-only mode
• Read-only mount points can make it more difficult for malicious users to do real damage to systems
• Three directory candidates for mounting in read-only mode:
  - /boot/, /opt/, and /usr/
• Possible read-only configuration directive for the /boot/ directory in the /etc/fstab configuration file:
    /dev/sda1 /boot ext2 ro,exec,auto,nouser,async 1 2

How Options for Journals, Formats, and File Sizes Affect Security

• Filesystem journals
  - Keep track of transactions that have been applied to the filesystem
  - Enable transactions to be checked against filesystem data to ensure integrity
• Journaled filesystems keep track of changes to be written
• Journaling is supported starting with filesystem ext3
• Not all filesystems that Linux supports are journaled
• A filesystem partition identifier and a filesystem format are not the same thing.
  - When fdisk creates a partition, it assumes you’re using the standard Linux partition ID of 83. If you’re setting up a different kind of partition, you’ll need to know different partition types.

Partition Types

• 82: The Linux swap partition is used for partitions dedicated to swap space.
• 83: The Linux partition is used for standard partitions with data.
• 85: The Linux extended partition can contain logical partitions.
• 8e: The Linux LVM partition configures a partition that can be used as a component of a logical volume.
• fd: The Linux RAID auto partition specifies partitions that can be used as components of a RAID array.
• Most Linux partitions with data are of type 83. If you want to format a partition to the ext2, ext3, ext4, reiserfs, or xfs filesystems, you’ll want to configure a partition of type 83.

[Figure: Linux Partition Type Identifiers]

The Right Format Choice

• ext2: The second extended filesystem does not include journaling. Because the partition associated with the /boot/ directory can be small, it may be well suited to the ext2 filesystem. Writes to that partition are infrequent.
• ext3: The third extended filesystem writes data to a journal before writing it to the actual filesystem. Because the system writes the data twice, performance is slower.
• ext4: The fourth extended filesystem is suited for filesystems with some large files. It includes a defragmentation tool.
• Other major Linux filesystems include variations on journaling: xfs, ZFS, and reiserfs

Available Format Tools

• The mkfs command and variations
  - Commands for formatting and building a Linux filesystem
• Use to format
  - Linux filesystems
  - Microsoft VFAT and NTFS filesystems
  - Apple Hierarchical Filesystem (HFS)
  - Swap partitions (mkswap command)

Using Encryption

• Encryption tools
  - Kernel space
  - User space
• Encrypted files
  - Passphrase
  - Public/private key pair

Linux File-Encryption Commands

COMMAND  DESCRIPTION
7z       While 7z is known as a zip utility, meaning it compresses files, it can also encrypt files using AES-256.
bcrypt   Uses the Blowfish encryption algorithm, based on a passphrase.
ccrypt   Uses the U.S. Advanced Encryption Standard (AES); uses passphrases.
gpg      Users may select from different encryption algorithms; may use passphrases or public and private key pairs.

[Figure: Gpg Prompt for Passphrase]

[Figure: Gpg Prompt for Passphrase (Second Time)]

[Figure: Encrypted Home Directory]

Encrypted Partitions and Volumes

• Red Hat–enabled filesystem encryption during installation
• Uses the Linux unified key setup (LUKS) disk-encryption specification

Encrypting a Partition or Volume

1. Create the partition, logical volume, or RAID array to be encrypted.
2. Fill the device with random data. For example:
    # dd if=/dev/urandom of=/dev/vda1
3. Format the device with the cryptsetup command using the noted LUKS extension:
    # cryptsetup luksFormat /dev/vda1
4. Verify detailed encryption information for the noted device:
    # cryptsetup luksDump /dev/vda1
5. Set up a device name to be used when the volume is decrypted during the boot process:
    # cryptsetup luksOpen /dev/vda1 secret
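
A check a provisioning script can run between the steps above, given here as an added example that is not part of the slides: it reads the on-disk header to tell whether a device still holds only the random fill from step 2 or carries a LUKS header after step 3. The function names and the sample image are constructed for illustration; the magic bytes and LUKS1 field offsets are those of the LUKS on-disk format.

```shell
#!/bin/sh
# Added example: report whether a device or image carries a LUKS header.
# Header layout used here (LUKS on-disk format):
#   bytes 0-5  "LUKS" 0xBA 0xBE      bytes 6-7  version (big-endian)
#   LUKS1 only: bytes 8-39 cipher name, bytes 40-71 cipher mode

luks_info() {
  # Prints "LUKS1 <cipher>-<mode>", "LUKS2" or "none"; returns 1 for "none".
  hdr=$(od -An -tx1 -N8 "$1" 2>/dev/null | tr -d ' \n')
  case "$hdr" in
    4c554b53babe0001)
      cipher=$(dd if="$1" bs=1 skip=8 count=32 2>/dev/null | tr -d '\000')
      mode=$(dd if="$1" bs=1 skip=40 count=32 2>/dev/null | tr -d '\000')
      echo "LUKS1 $cipher-$mode" ;;
    4c554b53babe0002)
      echo "LUKS2" ;;
    *)
      echo "none"; return 1 ;;
  esac
}

make_sample_luks1() {
  # Constructed header prefix for the demo only; not a usable LUKS volume.
  {
    printf 'LUKS\272\276\000\001'
    printf 'aes';         dd if=/dev/zero bs=1 count=29 2>/dev/null
    printf 'xts-plain64'; dd if=/dev/zero bs=1 count=21 2>/dev/null
  } > "$1"
}

# Demo on a scratch file, so no root access or real device is needed.
img=$(mktemp)
dd if=/dev/urandom of="$img" bs=512 count=4 2>/dev/null   # state after step 2
printf 'after random fill: %s\n' "$(luks_info "$img")"
make_sample_luks1 "$img"                                  # stand-in for step 3
printf 'after format:      %s\n' "$(luks_info "$img")"
rm -f "$img"
```

On a real system the same function can be pointed at the block device (for example /dev/vda1) with read access; cryptsetup luksDump remains the tool for the full key-slot details.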

Local File and Folder Permissions

• Ownership and permissions
  - Make up the standard discretionary access control system
• File permissions are an elementary part of Linux security
• Everything in Linux is a file
• Output from the ls -l command provides all needed info
  - A dash (-) indicates a regular file
  - d indicates a directory
  - l indicates a soft-linked file
• These basic file and folder permissions are one method of discretionary access control (DAC)
• Access control lists (ACLs) are a second level of DAC

Basic File Ownership Concepts (1 of 2)

• Every file has two owners: a user and a group.
• If your Linux distribution uses a user private group scheme, every user is a member of a group of the same name.
• Any user can be a member of any group.
• Take a look at this output from the ls -l /var/log/cups/access_log command:
    -rw-r----- 1 root adm 30853 Oct 12 18:55 access_log
• The user owner of this file is root, and the group owner of this file is adm.

Basic File Ownership Concepts (2 of 2)

• File ownership in Linux can be modified with the chown and chgrp commands.
• The chown command changes the identity of the user who owns a file.
• The chgrp command changes the identity of the group that owns a file.
• Example: # chown adelle.users somefile
• For both commands, the -R switch changes ownership recursively.

Basic File-Permission Concepts (1 of 3)

• Standard Linux file permissions can be assigned in three categories:
  - User owner
  - Group owner
  - All other users on the local system
• In short, these categories are known as user, group, and others.
• Each file may be configured with read, write, and execute permissions for the user, the group, and world (also known as every other user on the system).

Basic File-Permission Concepts (2 of 3)

• Examine the output from an ls -l command on a hypothetical directory:
    drwxr-xr-- 1 root project 100387 Mar 10 12:43 project
• The first d confirms this is a directory.
• The nine characters that follow specify the permissions for the user, group, and world or others.
• The first trio of characters is rwx, which specifies that the owner, the root administrative user, has read, write, and execute permissions on the project/ directory.

Basic File-Permission Concepts (3 of 3)

• Examine the output from an ls -l command on a hypothetical directory (cont.):
    drwxr-xr-- 1 root project 100387 Mar 10 12:43 project
• The second trio of characters is r-x, which specifies that the group that owns the directory, the project group, has read and execute permissions on that directory.
• The last trio of characters is r--, which provides read permissions to all other users (world) on that directory.

Changing File Permissions (1 of 2)

• You can use the chmod command to change file permissions.
• The most efficient way to use chmod is based on an octal representation of the permissions of the user owner, group owner, and other users.
• Each type may or may not have read, write, and execute permissions.
• That’s three bits. In a binary system, 2^3 = 8, which is why such permissions can be represented octally.

PERMISSION  NUMERICAL REPRESENTATION
r           4
w           2
x           1

Changing File Permissions (2 of 2)

• The user owner of a file can use the chmod command to change permissions on a file.
• To change the permissions for the user, group, and others in a file, you need three numbers.
• For example, look at the following command, where localfile is some arbitrary file in the local directory:
    $ chmod 754 localfile
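
The octal arithmetic from the last two slides, as an added example that is not part of the slides: one function turns the first column of ls -l into the octal mode chmod expects, and another expands a three-digit mode such as 754 into its symbolic form. It goes beyond the slides by also handling the setuid, setgid and sticky markers (s, S, t, T) and the trailing "+" that ls prints when an ACL is present; the function names are illustrative.

```shell
#!/bin/sh
# Added example: convert between ls -l permission strings and chmod octal modes.

perm_to_octal() {
  # $1 is the first column of ls -l, e.g. drwxr-xr-- ; a trailing "+" (ACL
  # present) or "." (security context) marker is ignored.
  p=$(printf '%s' "$1" | cut -c1-10)
  case "$p" in
    [-dlbcps][-r][-w][-xsS][-r][-w][-xsS][-r][-w][-xtT]) ;;
    *) echo "invalid"; return 1 ;;
  esac
  s=${p#?}; special=0; out=""; i=0
  # The setuid (4), setgid (2) and sticky (1) weights line up with the
  # user, group and other trios in that order.
  for weight in 4 2 1; do
    trio=$(printf '%s' "$s" | cut -c$((i * 3 + 1))-$((i * 3 + 3)))
    d=0
    case "$trio" in r??) d=$((d + 4)) ;; esac
    case "$trio" in ?w?) d=$((d + 2)) ;; esac
    case "$trio" in ??[xst]) d=$((d + 1)) ;; esac          # s/t imply x
    case "$trio" in ??[sStT]) special=$((special + weight)) ;; esac
    out="$out$d"; i=$((i + 1))
  done
  if [ "$special" -ne 0 ]; then out="$special$out"; fi
  echo "$out"
}

octal_to_symbolic() {
  # $1 is a three-digit mode such as 754; prints u=rwx,g=rx,o=r
  m=$1; out=""
  for who in u g o; do
    d=$(printf '%s' "$m" | cut -c1); m=${m#?}
    t=""
    [ $((d & 4)) -eq 0 ] || t="${t}r"
    [ $((d & 2)) -eq 0 ] || t="${t}w"
    [ $((d & 1)) -eq 0 ] || t="${t}x"
    out="$out${out:+,}$who=$t"
  done
  echo "$out"
}

# The two listings shown on the slides, plus a constructed setuid example.
for p in 'drwxr-xr--' '-rw-r-----' '-rwsr-xr-x'; do
  printf '%-12s %s\n' "$p" "$(perm_to_octal "$p")"
done
printf 'chmod 754 is chmod %s\n' "$(octal_to_symbolic 754)"
```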

Networked File and Folder Permissions

• Services
  - Network File System (NFS)
  - Samba
  - File Transfer Protocol (FTP)

NFS Issues

• NFS prevents some security issues such as root administrative access to files and directories
• Unknown users (and local root administrative user) are redirected to accounts like nobody or nfsnobody
• Different user authentication databases may experience problems due to different user ID (UID) values
• NFS-based ACLs can override standard read, write, and executable permissions for files on shared directories

Samba/CIFS Network Permissions (1 of 2)

• smb.conf
  - The main Samba configuration file
  - Located in the /etc/samba/ directory
  - Split into two sections, “Global Settings” and “Share Definitions”
• The standard share is of user home directories
  - Associated with the [homes] stanza
  - Configured options supersede any regular local permissions for the shared files and directories

Samba/CIFS Network Permissions (2 of 2)

• If you’ve set up write access in your Samba configuration file, the following directives apply to the creation of files and directories:
  - create mask value sets up read and write permissions for user owner of new files
  - directory mask value sets up read, write, and execute permissions for user owner of new directories

Samba Directives Related to Shared Directories

SAMBA DIRECTIVE        DESCRIPTION
acl check permissions  Checks ACL-based permissions from a Microsoft client
acl group control      Allows users of a group owner to change permissions and ACLs
admin users            Lists users with full administrative privileges
guest ok               Configures the share so no password is required; synonymous with public
hosts allow            Sets hostnames or Internet Protocol (IP) addresses of allowed systems; opposite of hosts deny
locking                Supports a lock file to prevent simultaneous access to the same file
path                   Sets a directory path for the share
printer admin          Lists users allowed to administer printers
write list             Lists users allowed read-write access to a share

vsftp Security-Related Service Directives (1 of 2)

DIRECTIVE                DESCRIPTION
anon_upload_enable       Allows uploads by anonymous users; can be set to NO
anon_mkdir_write_enable  Allows anonymous users to create directories; can be set to NO
chroot_list_file         Sets up a list of users who are limited to their home directories
local_umask              Configures permissions for created files and directories
pam_service_name         Specifies the pluggable authentication module (PAM) configuration file in the /etc/pam.d/ directory

vsftp Security-Related Service Directives (2 of 2)

DIRECTIVE             DESCRIPTION
rsa_cert_file         Specifies the RSA certificate file
rsa_private_key_file  Specifies the file with the RSA private key
secure_chroot_dir     Configures a directory that should not be writable by the ftp user
userlist_enable       Configures a list to allow or deny users
write_enable          Allows users to write to a server; can also apply to anonymous users

Configuring and Implementing Quotas on a Filesystem (1 of 2)

• Quotas
  - Limit the resources taken by a user or by a group of users
  - Protect the space available on critical directories
  - Help limit the damage if one of the accounts on your system has been compromised

Configuring and Implementing Quotas on a Filesystem (2 of 2)

• Step 1
  - Configure the filesystem to allow quotas in /etc/fstab using the entry:
      /dev/sda2 /home ext4 defaults,usrquota,grpquota 1 2
• Step 2
  - Remount the home filesystem using the command:
      mount -o remount /home
• Step 3
  - Initialize the quota database using the command:
      quotacheck -cugm /home
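
An added example, not part of the slides, covering both the /etc/fstab directive on the Read-Only Mount Points slide and the quota entry in step 1 above: it audits fstab-format text for the mount options this chapter discusses. The policy it checks (ro on /boot, /opt and /usr; noexec on /tmp; usrquota and grpquota on /home) is an assumption drawn from the slides, and every device in the sample other than the two slide entries is constructed.

```shell
#!/bin/sh
# Added example: audit fstab entries against the mount options from this chapter.
# The policy below is an assumption drawn from the slides, not a standard:
#   /boot, /opt, /usr  -> expected read-only (ro)
#   /tmp               -> expected noexec
#   /home              -> expected usrquota and grpquota

audit_fstab() {
  # Reads fstab-format text from the file in $1 (or stdin) and prints one
  # finding per line; prints nothing when every checked mount point passes.
  awk '
    /^[ \t]*(#|$)/ { next }                # skip comments and blank lines
    NF < 4 { next }                        # not a complete fstab entry
    {
      mp = $2
      split("", has)                       # portable way to clear the array
      n = split($4, opt, ",")
      for (i = 1; i <= n; i++) has[opt[i]] = 1

      if (mp == "/boot" || mp == "/opt" || mp == "/usr") {
        if (!("ro" in has)) print mp ": not mounted read-only (ro)"
      }
      if (mp == "/tmp") {
        if (!("noexec" in has)) print mp ": missing noexec"
      }
      if (mp == "/home") {
        if (!("usrquota" in has)) print mp ": missing usrquota"
        if (!("grpquota" in has)) print mp ": missing grpquota"
      }
    }' "${1:--}"
}

sample_fstab() {
  # Constructed sample: the first two entries are the ones shown on the
  # slides; the remaining devices and options are made up for illustration.
  cat <<'EOF'
# <device>  <mount point>  <type>  <options>                    <dump> <pass>
/dev/sda1   /boot          ext2    ro,exec,auto,nouser,async    1 2
/dev/sda2   /home          ext4    defaults,usrquota,grpquota   1 2
/dev/sda3   /usr           ext4    defaults                     1 2
/dev/sda5   /tmp           ext4    defaults,nosuid              1 2
/dev/sda6   /var           ext4    defaults                     1 2
EOF
}

sample_fstab | audit_fstab
```

To audit a live system, pass the file directly: audit_fstab /etc/fstab.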

[Figure: Editing a User Quota]

[Figure: Quota Grace Periods]

How to Configure and Implement Access Control Lists on a Filesystem

• Access control list (ACL)
  - Allows you to set different permissions for specific users and groups
  - Provides a second level of discretionary access control
• ACL support in Linux is mature
• ACL support available for the standard Linux filesystems and directories shared through NFS

Configure a Filesystem for ACLs

• The process is similar to configuring a filesystem for quotas.
• Two standard ACL commands are getfacl and setfacl.
• To implement ACL permanently, configure it on appropriate filesystems in the /etc/fstab configuration file.
• Filesystems requiring custom access are good candidates for ACLs.
• The /home/ directory is a prime candidate for customization.

ACL Commands

• u:user:permissions filename
  - Sets ACL permissions for the specified user, by username or UID number
• g:group:permissions filename
  - Sets ACL permissions for the specified group, by group name or GID number
• m:permissions filename
  - Sets the standard effective rights mask for ACL permissions for users and groups
• o:permissions filename
  - Sets ACL permissions for users who are not members of the group that owns the file
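
How the effective rights mask (the m: entry above) interacts with the u: and g: entries, as an added example that is not part of the slides: the function reads getfacl-style text and prints the rights each entry actually receives once the mask is applied. The sample ACL is constructed around the project directory used earlier; the user adelle and the group auditors in it are illustrative. Note that getfacl prints the long tags user, group, mask and other where setfacl accepts the short forms u, g, m and o.

```shell
#!/bin/sh
# Added example: compute effective ACL rights from getfacl-style text.
# The mask entry (set with m:permissions) caps named users, the owning group
# and named groups; the file owner (user::) and other:: are never masked.

acl_effective() {
  # Reads ACL text from the file in $1 (or stdin) and prints each entry with
  # its permissions after the mask has been applied.
  awk -F: '
    /^#/ || NF < 3 { next }                 # skip header comments and blanks
    { sub(/[ \t]*#.*$/, "", $3) }           # drop any #effective annotation
    $1 == "mask" { mask = $3; next }
    { n++; tag[n] = $1; who[n] = $2; perm[n] = $3 }
    END {
      for (i = 1; i <= n; i++) {
        p = perm[i]
        capped = (tag[i] == "user" && who[i] != "") || tag[i] == "group"
        if (capped && mask != "") {
          e = ""
          for (k = 1; k <= 3; k++) {
            c = substr(p, k, 1)
            ch = (c != "-" && substr(mask, k, 1) == c) ? c : "-"
            e = e ch
          }
          p = e
        }
        printf "%s:%s:%s\n", tag[i], who[i], p
      }
    }' "${1:--}"
}

sample_acl() {
  # Constructed getfacl output for the project directory from the earlier
  # slides; the user adelle and the group auditors are illustrative.
  cat <<'EOF'
# file: project
# owner: root
# group: project
user::rwx
user:adelle:rwx
group::r-x
group:auditors:rw-
mask::r-x
other::r--
EOF
}

sample_acl | acl_effective
```

On a system with the ACL tools installed, the live equivalent is getfacl project | acl_effective.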

Best Practices: Filesystems, Volumes, and Encryption (1 of 3)

• Understanding FHS is key to understanding which directories can be mounted and those that should be mounted on different filesystems.
• The right filesystem format helps protect in case of compromise by a malicious user.
• Journaling filesystems can speed recovery in case of problems.
• Encrypt individual files, directories, and entire filesystems.

Best Practices: Filesystems, Volumes, and Encryption (2 of 3)

• Local file and folder permissions provide one level of discretionary access control.
• File and folder permissions differ when shared over a network.
• Quotas can limit damage in case of data exposure.
• Quotas can limit the amount of space or number of inodes taken by a user or group.

Best Practices: Filesystems, Volumes, and Encryption (3 of 3)

• Users and groups can be reviewed with regular quota reports.
• With ACLs, you can implement discretionary access controls to another level.
• Depending on configuration, ACL rules can be configured for specific users and access limited to key files and directories.

Summary

• Filesystem organization and mounting options
• How options for journals, formats, and file sizes affect security
• Encrypting files, directories, partitions, and volumes
• Local and network file and folder permissions
• Filesystem quotas and access control lists (ACLs)
