LinuxQuestions.org
Old 08-01-2011, 08:36 PM   #46
sneakyimp
Senior Member
 
Registered: Dec 2004
Posts: 1,056

Original Poster

OK I've finally got samhain installed and it seems to be sending mail to me and one other account, which is a huge relief. On the other hand, I don't feel like my postfix config is really correct yet due to delivery failures for local accounts (e.g., daemon, root@localhost, etc.).

I am now digging into the tiger output and trying to repair the issues reported to me.
Code:
--WARN-- [pass014w] Login (backup) is disabled, but has a valid shell. 
--WARN-- [pass014w] Login (bin) is disabled, but has a valid shell. 
--WARN-- [pass014w] Login (daemon) is disabled, but has a valid shell. 
--WARN-- [pass014w] Login (games) is disabled, but has a valid shell. 
--WARN-- [pass014w] Login (gnats) is disabled, but has a valid shell. 
--WARN-- [pass014w] Login (irc) is disabled, but has a valid shell. 
--WARN-- [pass014w] Login (sneakyimp) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (sneakyimps_boss) is disabled, but has a valid shell. 
--WARN-- [pass014w] Login (libuuid) is disabled, but has a valid shell. 
--WARN-- [pass014w] Login (list) is disabled, but has a valid shell. 
--WARN-- [pass014w] Login (lp) is disabled, but has a valid shell. 
--WARN-- [pass014w] Login (mail) is disabled, but has a valid shell. 
--WARN-- [pass014w] Login (man) is disabled, but has a valid shell. 
--WARN-- [pass014w] Login (news) is disabled, but has a valid shell. 
--WARN-- [pass014w] Login (nobody) is disabled, but has a valid shell. 
--WARN-- [pass014w] Login (proxy) is disabled, but has a valid shell. 
--WARN-- [pass014w] Login (root) is disabled, but has a valid shell. 
--WARN-- [pass015w] Login ID sshd does not have a valid shell 
         (/usr/sbin/nologin). 
--WARN-- [pass015w] Login ID sync does not have a valid shell (/bin/sync). 
--WARN-- [pass014w] Login (sys) is disabled, but has a valid shell. 
--WARN-- [pass014w] Login (ubuntu) is disabled, but has a valid shell. 
--WARN-- [pass014w] Login (uucp) is disabled, but has a valid shell. 
--WARN-- [pass014w] Login (www-data) is disabled, but has a valid shell.
I see unSpawn's comments in the other thread:
Quote:
Originally Posted by unSpawn
- This is a system account, necessary to run a service. Review if you need (to remove) the service which should remove the account.
- Possible targets for removal are: irc (there should not be IRC software or an IRC daemon on the system at this stage), games (this is a server), news (you're not running a NNTP daemon).
- Review the other system accounts for the need of a shell. For instance Apache does not need one and can use any inert binary as shell like /sbin/nologin or /bin/false.
- Set password aging and stronger password for root and all unprivileged (human) accounts.
My thoughts/questions:
* I'm not sure exactly how this list is generated, but it has my account and my boss' account here which are not services but rather 'unprivileged' accounts with sudo capability. Obviously, they must stay or we lose root-level access to the box. They will stay unmolested.
* Which ones definitely need to go? I don't have www-data now but will once I've installed Apache. I'm also guessing root must stay. irc, news, and games can be removed, right?
* How does one remove these? Is it enough just to deluser --remove-home --remove-all-files them? Is that going to cause problems with other binaries/daemons/configuration? Is it preferable to somehow disable their login?
* What does it mean that sshd and sync don't have a shell?

Code:
--WARN-- [pass006w] Integrity of password files questionable (/usr/sbin/pwck -r).
I ran pwck and all results are about missing dirs. It's my understanding that this doesn't pose a problem:
Code:
$ sudo pwck -r
user 'lp': directory '/var/spool/lpd' does not exist
user 'news': directory '/var/spool/news' does not exist
user 'uucp': directory '/var/spool/uucp' does not exist
user 'www-data': directory '/var/www' does not exist
user 'list': directory '/var/list' does not exist
user 'irc': directory '/var/run/ircd' does not exist
user 'gnats': directory '/var/lib/gnats' does not exist
user 'nobody': directory '/nonexistent' does not exist
user 'syslog': directory '/home/syslog' does not exist
user 'haldaemon': directory '/var/run/hald' does not exist
pwck: no changes
Code:
--WARN-- [acc021w] Login ID landscape appears to be a dormant account.
I'm not sure what landscape is, but I think it's related to this message I see after logging in:
Code:
Graph this data and manage this system at https://landscape.canonical.com/
apt-cache search landscape returns these two items:
Code:
landscape-client - The Landscape administration system client
landscape-common - The Landscape administration system client
I doubt I'll be using this. If I must remove it, should I delete the account or try an apt-get remove?

Code:
--WARN-- [acc022w] Login ID nobody home directory (/nonexistent) is not accessible.
I don't expect this is a problem, but it's not mentioned in the other thread. Can I ignore it?

Code:
--WARN-- [root003w] Root user has message capability turned on.
As instructed in the other thread, I edited /root/.bashrc and added this line at the end:
Code:
mesg n; dmesg -n 4
Code:
--WARN-- [path009w] /etc/profile does not export an initial setting for PATH.
This is not mentioned in the other thread. Suggestions?

Code:
--WARN-- [cron004w] Root crontab does not exist
I understand from the other thread that this is desirable.

Code:
--WARN-- [cron005w] Use of cron is not restricted
I see your suggestions that we do a deny/allow:
Quote:
Originally Posted by unSpawn
See manual page about /etc/cron.{deny,allow}. (Same should apply to the 'at' service.)
but given that I don't know which users to limit it to, I haven't made any changes here. Suggestions welcome as there appear to be numerous cron jobs.

Code:
--WARN-- [inet003w] The port for service sieve is also assigned to service 
         cisco-sccp. 
--WARN-- [inet003w] The port for service ndtp is also assigned to service 
         pipe_server. 
--WARN-- [inet003w] The port for service ndtp is also assigned to service 
         search. 
--WARN-- [inet003w] The port for service postgres is also assigned to service 
         postgresql. 
--WARN-- [inet003w] The port for service postgres is also assigned to service 
         postgresql. 
--WARN-- [inet003w] The port for service sane is also assigned to service 
         sane-port. 
--WARN-- [inet003w] The port for service webcache is also assigned to service 
         http-alt. 
--WARN-- [inet003w] The port for service webcache is also assigned to service 
         http-alt.
Not sure what to make of these.

Code:
--ALERT-- [perm023a] /bin/su is setuid to `root'. 
--ALERT-- [perm023a] /usr/bin/at is setuid to `daemon'. 
--ALERT-- [perm024a] /usr/bin/at is setgid to `daemon'. 
--WARN-- [perm001w] The owner of /usr/bin/at should be root (owned by daemon). 
--WARN-- [perm002w] The group owner of /usr/bin/at should be root. 
--ALERT-- [perm023a] /usr/bin/passwd is setuid to `root'. 
--ALERT-- [perm024a] /usr/bin/wall is setgid to `tty'.
These don't appear to be mentioned in the other thread and look rather severe as they are ALERTS. Suggestions?

Code:
--WARN-- [boot02] The configuration file /boot/grub/menu.lst has group 
         permissions. Should be 0600 
--FAIL-- [boot02] The configuration file /boot/grub/menu.lst has world 
         permissions. Should be 0600 
--WARN-- [boot06] The Grub bootloader does not have a password configured.
Your advice here is ambiguous:
Quote:
Originally Posted by unSpawn
All users must be able to read in /etc, but no user except root has any business reading /boot. Chmod files to 0640.
Does that mean sudo chmod 0640 /boot/grub/menu.lst or are there other files/permissions involved?

Code:
--WARN-- [misc021w] There are no umask entries in /etc/init.d/rcS
Quote:
Originally Posted by unSpawn
Add line "umask 027" or "umask 022" depending on your needs.
I don't know what my needs are so I'm unable to implement your advice. Please advise.

Code:
--WARN-- [lin012w] The system accepts ICMP redirection messages
Quote:
Originally Posted by unSpawn
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
EDIT: I did "sudo su" and was able to complete this. duh.

Code:
--FAIL-- [lin016f] The system permits source routing from incoming packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
EDIT: I did "sudo su" and was able to complete this. duh.


Code:
--WARN-- [lin017w] The system is not configured to log suspicious (martian) packets
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
EDIT: I did "sudo su" and was able to complete this. duh.


Code:
--WARN-- [osv004w] Unreleased Debian GNU/Linux version `squeeze/sid'
This does not appear to be addressed in the other thread.

Do you also want the output of this command?
Code:
sysctl -a | egrep -ie "(ip_always_defrag|icmp_echo_ignore_broadcasts|icmp_ignore_bogus_error_responses|accept_redirects|send_redirects|accept_source_route|log_martians|rp_filter|secure_redirects|tcp_syncookies|ip_default_ttl|tcp_max_syn_backlog|tcp_syn_retries|mtu_expires|tcp_keepalive_time|icmp_echoreply_rate|tcp_fin_timeout|tcp_rfc1337|ip_no_pmtu_disc|panic|panic_on_oops)"|tr '.' '/'| awk '{print "echo", $3, "> /proc/sys/"$1}'|column -t
?

This is the bit I found rather worrisome:
Code:
# Checking md5sums of installed files
--FAIL-- [lin005f] Installed file 
         `/lib/modules/2.6.32-33-server/modules.pcimap' checksum differs from 
         installed package 'linux-image-2.6.32-33-virtual'. 
--FAIL-- [lin005f] Installed file 
         `/lib/modules/2.6.32-33-server/modules.usbmap' checksum differs from 
         installed package 'linux-image-2.6.32-33-virtual'. 
--FAIL-- [lin005f] Installed file 
         `/lib/modules/2.6.32-33-server/modules.alias' checksum differs from 
         installed package 'linux-image-2.6.32-33-virtual'. 
--FAIL-- [lin005f] Installed file `/lib/modules/2.6.32-33-server/modules.dep' 
         checksum differs from installed package 
         'linux-image-2.6.32-33-virtual'. 
--FAIL-- [lin005f] Installed file 
         `/lib/modules/2.6.32-33-server/modules.alias.bin' checksum differs 
         from installed package 'linux-image-2.6.32-33-virtual'. 
--FAIL-- [lin005f] Installed file 
         `/lib/modules/2.6.32-33-server/modules.symbols' checksum differs from 
         installed package 'linux-image-2.6.32-33-virtual'. 

# Checking installed files against packages...
--WARN-- [lin001w] File `/lib/ufw/user.rules' does not belong to any package. 
--WARN-- [lin001w] File `/lib/ufw/user6.rules' does not belong to any package. 
--WARN-- [lin001w] File `/lib/modules/2.6.32-317-ec2/modules.ieee1394map' does 
         not belong to any package. 
--WARN-- [lin001w] File `/lib/modules/2.6.32-317-ec2/modules.alias' does not 
         belong to any package. 
--WARN-- [lin001w] File `/lib/modules/2.6.32-317-ec2/modules.usbmap' does not 
         belong to any package. 
--WARN-- [lin001w] File `/lib/modules/2.6.32-317-ec2/modules.symbols.bin' does 
         not belong to any package. 
--WARN-- [lin001w] File `/lib/modules/2.6.32-317-ec2/modules.isapnpmap' does 
         not belong to any package. 
--WARN-- [lin001w] File `/lib/modules/2.6.32-317-ec2/modules.pcimap' does not 
         belong to any package. 
--WARN-- [lin001w] File `/lib/modules/2.6.32-317-ec2/modules.builtin.bin' does 
         not belong to any package. 
--WARN-- [lin001w] File `/lib/modules/2.6.32-317-ec2/modules.dep.bin' does not 
         belong to any package. 
--WARN-- [lin001w] File `/lib/modules/2.6.32-317-ec2/modules.symbols' does not 
         belong to any package. 
--WARN-- [lin001w] File `/lib/modules/2.6.32-317-ec2/modules.inputmap' does 
         not belong to any package. 
--WARN-- [lin001w] File `/lib/modules/2.6.32-317-ec2/modules.ccwmap' does not 
         belong to any package. 
--WARN-- [lin001w] File `/lib/modules/2.6.32-317-ec2/modules.seriomap' does 
         not belong to any package. 
--WARN-- [lin001w] File `/lib/modules/2.6.32-317-ec2/modules.alias.bin' does 
         not belong to any package. 
--WARN-- [lin001w] File `/lib/modules/2.6.32-317-ec2/modules.dep' does not 
         belong to any package. 
--WARN-- [lin001w] File `/lib/modules/2.6.32-317-ec2/modules.ofmap' does not 
         belong to any package.
What the heck? Aside from the perl/CPAN installs, the only things I've installed have been using apt-get. Weird that this stuff would be broken already.


Code:
--WARN-- [dev003w] The directory /dev/block resides in a device directory. 
--WARN-- [dev003w] The directory /dev/char resides in a device directory.
??

Code:
--FAIL-- [logf005f] Log file /var/log/btmp permission should be 660
I think your post says 0640 but there was a different error. Suggestions?

Code:
--WARN-- [misc026w] There is no default umask settings for user login shells 
         in /etc/login.defs
Not in the other thread. Suggestions?

Code:
--WARN-- [lin002i] The process `dhclient3' is listening on socket 68 (UDP) on 
         every interface. 
--WARN-- [lin002i] The process `sshd' is listening on socket 22 (TCP) on every 
         interface.
As previously discussed, ssh should be locked down pretty darn tight. I don't know what dhclient3 is, but suspect that between the AWS security group and iptables, it's not a problem at the moment. Should this service be removed/halted? If so, how?

Code:
--ERROR-- [init006e] `/etc/printcap' does not exist (file definition src).
--ERROR-- [init006e] `/etc/printcap' does not exist (file definition infile).
Not mentioned in the other file.

Code:
--FAIL-- [netw020f] There is no /etc/ftpusers file.
We'll get to this at some point. I think I'll only have a couple of ftp users.

Code:
--WARN-- [fsys013w] cannot access /lib/udev/devices/sndstat is a dangling 
         symlink. 
--WARN-- [fsys013w] cannot access /usr/lib/tiger/systems/Linux/issue.net is a 
         dangling symlink. 
--WARN-- [fsys013w] cannot access /usr/share/doc/bash/completion-contrib is a 
         dangling symlink. 
--WARN-- [fsys013w] cannot access /usr/share/man/man5/modprobe.d.5 is a 
         dangling symlink.
??

Code:
--ALERT-- [fsys006a] Unexpected device files found: 
crw------- 1 root root 5, 1 Jul 19 07:00 /lib/udev/devices/console
brw------- 1 root root 7, 0 Jul 19 07:00 /lib/udev/devices/loop0
crw------- 1 root root 10, 200 Jul 19 07:00 /lib/udev/devices/net/tun
crw------- 1 root root 1, 3 Jul 19 07:00 /lib/udev/devices/null
crw------- 1 root root 108, 0 Jul 19 07:00 /lib/udev/devices/ppp
???


Tiger is looking pretty handy as a security audit tool. Sadly, I know little about what it's trying to tell me. Your advice would be much appreciated.

Last edited by sneakyimp; 08-02-2011 at 10:35 AM.
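Added example, not from the thread or from Tiger: a POSIX sh audit of the four IPv4 sysctl settings Tiger flagged above (accept_redirects, send_redirects, accept_source_route, log_martians) against a constructed /proc/sys tree, which also emits the /etc/sysctl.conf lines that make the echo-based fixes survive a reboot. Function names and the sample values are assumptions.

```shell
#!/bin/sh
# Added example for this thread (not the poster's or Tiger's code): compare the
# IPv4 sysctl settings Tiger complained about with what a /proc/sys tree holds,
# and print the /etc/sysctl.conf lines that persist the fix across reboots.

# Hardening targets discussed in the thread, as "key expected" pairs.
SYSCTL_TARGETS='net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.all.log_martians 1'

# key_to_path ROOT KEY: net.ipv4.conf.all.log_martians becomes
# ROOT/proc/sys/net/ipv4/conf/all/log_martians (ROOT is "" on a live system).
key_to_path() {
    printf '%s/proc/sys/%s\n' "$1" "$(printf '%s' "$2" | tr '.' '/')"
}

# check_sysctl ROOT: prints "<key> <current> <expected>" for every setting that
# does not match; current is "missing" when the kernel does not expose the key.
check_sysctl() {
    root=$1
    printf '%s\n' "$SYSCTL_TARGETS" | while read -r key want; do
        path=$(key_to_path "$root" "$key")
        if [ -r "$path" ]; then
            have=$(cat "$path")
        else
            have=missing
        fi
        [ "$have" = "$want" ] || printf '%s %s %s\n' "$key" "$have" "$want"
    done
}

# sysctl_conf_lines ROOT: the persistent form of each fix still needed, ready
# to append to /etc/sysctl.conf (apply with: sudo sysctl -p).
sysctl_conf_lines() {
    check_sysctl "$1" | while read -r key have want; do
        [ "$have" = missing ] || printf '%s = %s\n' "$key" "$want"
    done
}

# make_fake_proc ROOT: constructed /proc/sys tree with values a stock install
# typically ships (redirects accepted, martians not logged), for offline use.
make_fake_proc() {
    d="$1/proc/sys/net/ipv4/conf/all"
    mkdir -p "$d"
    echo 1 > "$d/accept_redirects"
    echo 1 > "$d/send_redirects"
    echo 0 > "$d/accept_source_route"   # already compliant, so not reported
    echo 0 > "$d/log_martians"
}

main() {
    root=$(mktemp -d) || exit 1
    make_fake_proc "$root"
    echo "# non-compliant: key current expected"
    check_sysctl "$root"
    echo "# lines for /etc/sysctl.conf"
    sysctl_conf_lines "$root"
    # Why 'sudo echo 0 > /proc/sys/...' gets "permission denied": the shell
    # opens the redirection target as the unprivileged user before sudo runs.
    # Use 'echo 0 | sudo tee /proc/sys/net/ipv4/conf/all/accept_redirects' or
    # 'sudo sysctl -w net.ipv4.conf.all.accept_redirects=0' instead.
    rm -rf "$root"
}

main
```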
 
Old 08-02-2011, 11:10 AM   #47
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by sneakyimp View Post
I am now digging into the tiger output and trying to repair the issues reported to me.
Code:
--WARN-- [pass014w] Login (backup) is disabled, but has a valid shell. 
(..)
--WARN-- [pass014w] Login (root) is disabled, but has a valid shell. 
--WARN-- [pass015w] Login ID sshd does not have a valid shell 
         (/usr/sbin/nologin). 
--WARN-- [pass015w] Login ID sync does not have a valid shell (/bin/sync). 
--WARN-- [pass014w] Login (sys) is disabled, but has a valid shell. 
--WARN-- [pass014w] Login (ubuntu) is disabled, but has a valid shell. 
--WARN-- [pass014w] Login (uucp) is disabled, but has a valid shell. 
--WARN-- [pass014w] Login (www-data) is disabled, but has a valid shell.
I see unSpawn's comments in the other thread:
Quote:
Originally Posted by unSpawn
- This is a system account, necessary to run a service. Review if you need (to remove) the service which should remove the account.
- Possible targets for removal are: irc (there should not be IRC software or an IRC daemon on the system at this stage), games (this is a server), news (you're not running a NNTP daemon).
- Review the other system accounts for the need of a shell. For instance Apache does not need one and can use any inert binary as shell like /sbin/nologin or /bin/false.
- Set password aging and stronger password for root and all unprivileged (human) accounts.
My thoughts/questions:
* I'm not sure exactly how this list is generated, but it has my account and my boss' account here which are not services but rather 'unprivileged' accounts with sudo capability. Obviously, they must stay or we lose root-level access to the box. They will stay unmolested.
I don't have the Tiger source to look at right now but I'd say it's generated from /etc/passwd info, so when it says "disabled" I suspect it means "administratively disabled" as in the account being locked. If the sneakyimp and sneakyimps_boss accounts are properly set up with strong password and aging ('sudo chage -l sneakyimp') then this could be a glitch in Tiger. I'll have a look at my 10.04 LTS machine later on to confirm.


Quote:
Originally Posted by sneakyimp View Post
* Which ones definitely need to go? I don't have www-data now but will once I've installed Apache. I'm also guessing root must stay. irc, news, and games can be removed, right?
* How does one remove these? Is it enough just to deluser --remove-home --remove-all-files them? Is that going to cause problems with other binaries/daemons/configuration? Is it preferable to somehow disable their login?
Some accounts come with the system by default and some will be installed once (server) software is installed (find out for each account with 'sudo find / -xdev -user ${LOGNAME}'). For now I would 'sudo vipw' and change the shells for games, gnats, irc, lp (probably not install CUPS), news, proxy and uucp to '/bin/false' or '/usr/sbin/nologin', ensuring there is no single point of failure. (I am not familiar with the 'list' account: check your Ubuntu documentation please).


Quote:
Originally Posted by sneakyimp View Post
* What does it mean that sshd and sync don't have a shell?
Shells must be added to /etc/shells to be considered valid. That's all, the chosen binary itself is in both cases OK.


Quote:
Originally Posted by sneakyimp View Post
Code:
--WARN-- [pass006w] Integrity of password files questionable (/usr/sbin/pwck -r).
I ran pwck and all results are about missing dirs. It's my understanding that this doesn't pose a problem:
Code:
$ sudo pwck -r
user 'lp': directory '/var/spool/lpd' does not exist
user 'news': directory '/var/spool/news' does not exist
user 'uucp': directory '/var/spool/uucp' does not exist
(..)
user 'list': directory '/var/list' does not exist
user 'irc': directory '/var/run/ircd' does not exist
user 'gnats': directory '/var/lib/gnats' does not exist
(..)
pwck: no changes
The above shouldn't exist unless SW is installed and the ones I removed should be ignored.


Quote:
Originally Posted by sneakyimp View Post
Code:
--WARN-- [acc021w] Login ID landscape appears to be a dormant account.
I'm not sure what landscape is, but I think it's related to this message I see after logging in:
Code:
Graph this data and manage this system at https://landscape.canonical.com/
apt-cache search landscape returns these two items:
Code:
landscape-client - The Landscape administration system client
landscape-common - The Landscape administration system client
I doubt I'll be using this. If I must remove it, should I delete the account or try an apt-get remove ?
When in doubt please search your man and info pages, package info or Ubuntu documentation. The package says "Landscape is a web-based tool for managing Ubuntu systems. This package is necessary if you want your machine to be managed in a Landscape account."
Packages that are not dependencies for other packages should be removed.


Quote:
Originally Posted by sneakyimp View Post
Code:
--WARN-- [acc022w] Login ID nobody home directory (/nonexistent) is not accessible.
I don't expect this is a problem, but it's not mentioned in the other thread. Can I ignore it?
Ignore. Nobody shouldn't have a home or "/".


Quote:
Originally Posted by sneakyimp View Post
Code:
--WARN-- [path009w] /etc/profile does not export an initial setting for PATH.
This is not mentioned in the other thread. Suggestions?
Documentation. See https://help.ubuntu.com/community/EnvironmentVariables (Ubuntu: /etc/environment).


Quote:
Originally Posted by sneakyimp View Post
Code:
--WARN-- [cron004w] Root crontab does not exist
I understand from the other thread that this is desirable.
Yes. Cronjobs should either be run by unprivileged users where possible or from crontab files in /etc/cron*.


Quote:
Originally Posted by sneakyimp View Post
Code:
--WARN-- [cron005w] Use of cron is not restricted
I see your suggestions that we do a deny/allow:
Quote:
Originally Posted by unSpawn
See manual page about /etc/cron.{deny,allow}. (Same should apply to the 'at' service.)
but given that I don't know which users to limit it to, I haven't made any changes here. Suggestions welcome as there appear to be numerous cron jobs.
- Look up who owns the cron files and its parent directory,
- Look up which user the cron daemon runs at.
- echo those account names into /etc/cron.allow.


Quote:
Originally Posted by sneakyimp View Post
Code:
--WARN-- [inet003w] The port for service ${SERVICE_NAME} is also assigned to service 
         ${OTHER_SERVICE_NAME}.
Not sure what to make of these.
If you 'getent services sieve' it should only return one service name entry and not multiple ones as that collides with IANA port assignments. Note in a few cases there's duplicate or alternative service names: pick the one Ubuntu applications and documentation support.


Quote:
Originally Posted by sneakyimp View Post
Code:
--ALERT-- [perm023a] /bin/su is setuid to `root'. 
--ALERT-- [perm023a] /usr/bin/at is setuid to `daemon'. 
--ALERT-- [perm024a] /usr/bin/at is setgid to `daemon'. 
--WARN-- [perm001w] The owner of /usr/bin/at should be root (owned by daemon). 
--WARN-- [perm002w] The group owner of /usr/bin/at should be root. 
--ALERT-- [perm023a] /usr/bin/passwd is setuid to `root'. 
--ALERT-- [perm024a] /usr/bin/wall is setgid to `tty'.
These don't appear to be mentioned in the other thread and look rather severe as they are ALERTS. Suggestions?
passwd and wall look OK to me, the others may be Ubuntu, Debian or upstream default Tiger does not recognize. Unless Hangdog42 does I'll confirm later on.


Quote:
Originally Posted by sneakyimp View Post
Code:
--WARN-- [boot02] The configuration file /boot/grub/menu.lst has group 
         permissions. Should be 0600 
--FAIL-- [boot02] The configuration file /boot/grub/menu.lst has world 
         permissions. Should be 0600 
--WARN-- [boot06] The Grub bootloader does not have a password configured.
Your advice here is ambiguous:
Quote:
Originally Posted by unSpawn
All users must be able to read in /etc, but no user except root has any business reading /boot. Chmod files to 0640.
Does that mean sudo chmod 0640 /boot/grub/menu.lst or are there other files/permissions involved?
It only talks about menu.lst but other than that as only root is allowed write rights and no passwd should be set on a server to boot or use alternative boot entries I'd say ignore.


Quote:
Originally Posted by sneakyimp View Post
Code:
--WARN-- [misc021w] There are no umask entries in /etc/init.d/rcS
Quote:
Originally Posted by unSpawn
Add line "umask 027" or "umask 022" depending on your needs.
I don't know what my needs are so I'm unable to implement your advice. Please advise.
For human accounts I'd suggest 'umask 027': edit shell resource files for existing users and modify /etc/skel shell resource files for new users. Services may go with the default or '022' as output is often confined to directories owned by the user running the daemon. Also consult the above "environment" page.


Quote:
Originally Posted by sneakyimp View Post
Code:
--WARN-- [lin012w] The system accepts ICMP redirection messages
Quote:
Originally Posted by unSpawn
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
I have performed this step (and even tried sudo ech0 0 >) but it says permission denied. Suggestions?
Use sudo?


Quote:
Originally Posted by sneakyimp View Post
Code:
--FAIL-- [lin016f] The system permits source routing from incoming packets
I have tried echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route but permission denied. Also tried sudo.
Running 'sysctl -a|grep source' may provide you with a list of sysctl locations to change. Note modifications don't survive a reboot unless you add them to /etc/sysctl.conf or equivalent or local startup file in /etc.

Quote:
Originally Posted by sneakyimp View Post
Code:
--WARN-- [lin017w] The system is not configured to log suspicious (martian) packets
tried echo 1 > /proc/sys/net/ipv4/conf/all/log_martians put permission denied (even with sudo). Am I putting the sudo in the wrong place?
'sysctl -a|grep martian'?


Quote:
Originally Posted by sneakyimp View Post
Code:
--WARN-- [osv004w] Unreleased Debian GNU/Linux version `squeeze/sid'
This does not appear to be addressed in the other thread.

Do you also want the output of this command?
Code:
sysctl -a | egrep -ie "(ip_always_defrag|icmp_echo_ignore_broadcasts|icmp_ignore_bogus_error_responses|accept_redirects|send_redirects|accept_source_route|log_martians|rp_filter|secure_redirects|tcp_syncookies|ip_default_ttl|tcp_max_syn_backlog|tcp_syn_retries|mtu_expires|tcp_keepalive_time|icmp_echoreply_rate|tcp_fin_timeout|tcp_rfc1337|ip_no_pmtu_disc|panic|panic_on_oops)"|tr '.' '/'| awk '{print "echo", $3, "> /proc/sys/"$1}'|column -t
?
Tiger needs to be patched. I'll see if I can get Javier to pick up changes we encounter here. The sysctl output only if you can't solve things yourself and only those items and nothing more, please.


Quote:
Originally Posted by sneakyimp View Post
This is the bit I found rather worrisome:
Code:
# Checking md5sums of installed files
--FAIL-- [lin005f] Installed file 
         `/lib/modules/2.6.*/modules.*' checksum differs from 
         installed package 'linux-image-2.6.32-33-virtual'. 
(..)

# Checking installed files against packages...
--WARN-- [lin001w] File `/lib/ufw/user.rules' does not belong to any package. 
--WARN-- [lin001w] File `/lib/ufw/user6.rules' does not belong to any package. 
(..)
--WARN-- [lin001w] File `/lib/modules/2.6.32-317-ec2/modules.*' does not 
         belong to any package.
Kernels may generate module maps after installation or on reboot, etc, etc (may not exist or are regenerated). As long as the kernel version doesn't change the hash won't change only MAC times and inode. The UFW rules may be generated by a package post-install script.


Quote:
Originally Posted by sneakyimp View Post
Code:
--WARN-- [dev003w] The directory /dev/block resides in a device directory. 
--WARN-- [dev003w] The directory /dev/char resides in a device directory.
??
Ignore known /dev/ entries.


Quote:
Originally Posted by sneakyimp View Post
Code:
--FAIL-- [logf005f] Log file /var/log/btmp permission should be 660
I think your post says 0640 but there was a different error. Suggestions?
Best left at distro default unless some service needs access. What does 'sudo stat /var/log/btmp' say?


Quote:
Originally Posted by sneakyimp View Post
Code:
--WARN-- [misc026w] There is no default umask settings for user login shells 
         in /etc/login.defs
Not in the other thread. Suggestions?
Does /etc/login.defs even exist?


Quote:
Originally Posted by sneakyimp View Post
Code:
--WARN-- [lin002i] The process `dhclient3' is listening on socket 68 (UDP) on 
         every interface. 
--WARN-- [lin002i] The process `sshd' is listening on socket 22 (TCP) on every 
         interface.
As previously discussed, ssh should be locked down pretty darn tight. I don't know what dhclient3 is, but suspect that between the AWS security group and iptables, it's not a problem at the moment. Should this service be removed/halted? If so, how?
No, it's your DHCP client!


Quote:
Originally Posted by sneakyimp View Post
Code:
--ERROR-- [init006e] `/etc/printcap' does not exist (file definition src).
--ERROR-- [init006e] `/etc/printcap' does not exist (file definition infile).
Not mentioned in the other file.
If it doesn't exist then ignore.


Quote:
Originally Posted by sneakyimp View Post
Code:
--FAIL-- [netw020f] There is no /etc/ftpusers file.
We'll get to this at some point. I think I'll only have a couple of ftp users.

Code:
--WARN-- [fsys013w] cannot access /lib/udev/devices/sndstat is a dangling 
         symlink. 
--WARN-- [fsys013w] cannot access /usr/lib/tiger/systems/Linux/issue.net is a 
         dangling symlink. 
--WARN-- [fsys013w] cannot access /usr/share/doc/bash/completion-contrib is a 
         dangling symlink. 
--WARN-- [fsys013w] cannot access /usr/share/man/man5/modprobe.d.5 is a 
         dangling symlink.
??
Run 'sudo readlink -f /path/to/symlink' and check what it is supposed to link to. Then check your packages repo what package holds the file. Decide if you need the package. Else delete the symlink.


Quote:
Originally Posted by sneakyimp View Post
Code:
--ALERT-- [fsys006a] Unexpected device files found: 
crw------- 1 root root 5, 1 Jul 19 07:00 /lib/udev/devices/console
brw------- 1 root root 7, 0 Jul 19 07:00 /lib/udev/devices/loop0
crw------- 1 root root 10, 200 Jul 19 07:00 /lib/udev/devices/net/tun
crw------- 1 root root 1, 3 Jul 19 07:00 /lib/udev/devices/null
crw------- 1 root root 108, 0 Jul 19 07:00 /lib/udev/devices/ppp
???
Maybe false positive. Have to look it up.


Quote:
Originally Posted by sneakyimp View Post
Tiger is looking pretty handy as a security audit tool. Sadly, I know little about what it's trying to tell me.
Well now you know a little more. More importantly you know how you can find information yourself. This should become second nature real soon leaving you with only the important questions to ask. BTW next time I talk to you, you'll probably have Apache, MySQL and PHP installed.. :-]
 
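Added example (not Tiger's code nor unSpawn's): a POSIX sh re-implementation of the pass014w/pass015w logic as explained in the reply above, run on constructed passwd, shadow and shells samples. It shows why a key-only human account with a '*' password and /bin/bash is reported as "disabled, but has a valid shell", while /bin/false and /usr/sbin/nologin are flagged only for not being listed in /etc/shells. Function names and the sample entries are assumptions.

```shell
#!/bin/sh
# Re-implementation of Tiger's pass014w / pass015w account checks on constructed
# sample data. Added example for this thread, not Tiger's own code.

# Constructed sample entries (hypothetical, not copied from any real host).
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
games:x:5:60:games:/usr/games:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/false
sneakyimp:x:1000:1000::/home/sneakyimp:/bin/bash'

# shadow(5): a password field starting with "!" or "*" means no password login
# is possible; it says nothing about SSH key logins.
SHADOW_SAMPLE='root:!:15000:0:99999:7:::
games:*:15000:0:99999:7:::
irc:*:15000:0:99999:7:::
sync:*:15000:0:99999:7:::
sshd:*:15000:0:99999:7:::
www-data:*:15000:0:99999:7:::
sneakyimp:*:15000:0:99999:7:::'

# shells(5): only these paths count as "valid" login shells for Tiger.
SHELLS_SAMPLE='# /etc/shells: valid login shells
/bin/sh
/bin/bash
/bin/dash'

# write_samples DIR: materialise the samples as files so awk can read them.
write_samples() {
    printf '%s\n' "$PASSWD_SAMPLE" > "$1/passwd"
    printf '%s\n' "$SHADOW_SAMPLE" > "$1/shadow"
    printf '%s\n' "$SHELLS_SAMPLE" > "$1/shells"
}

# audit_logins PASSWD SHADOW SHELLS
# One finding per line: "<check> <user> <uid> <shell>"
#   pass015w  shell is not listed in the shells file (whatever binary it is)
#   pass014w  password login is locked, yet the shell is a real login shell
audit_logins() {
    awk -F: '
        FNR == 1 { file++ }
        file == 1 { if ($0 !~ /^#/) valid[$1] = 1; next }   # shells file
        file == 2 { locked[$1] = ($2 ~ /^[!*]/); next }     # shadow file
        {
            shell = ($7 == "") ? "/bin/sh" : $7             # empty field = /bin/sh
            if (!(shell in valid))
                print "pass015w", $1, $3, shell
            else if (locked[$1])
                print "pass014w", $1, $3, shell
        }' "$3" "$2" "$1"
}

# nologin_candidates PASSWD SHADOW SHELLS
# Narrows pass014w findings to system accounts (UID < 1000, not root), the ones
# that never need an interactive shell, and prints the usermod command that
# gives them an inert one. Human accounts such as sneakyimp also appear as
# pass014w when they have no password and use SSH keys: the "*" only blocks
# password logins, so they are left out here and reviewed by hand.
nologin_candidates() {
    audit_logins "$@" | awk '$1 == "pass014w" && $3 < 1000 && $2 != "root" {
        print "usermod -s /usr/sbin/nologin", $2 }'
}

main() {
    dir=$(mktemp -d) || exit 1
    write_samples "$dir"
    echo "# findings"
    audit_logins "$dir/passwd" "$dir/shadow" "$dir/shells"
    echo "# suggested shell changes for system accounts"
    nologin_candidates "$dir/passwd" "$dir/shadow" "$dir/shells"
    rm -rf "$dir"
}

main
```

On a live host the same functions take /etc/passwd, /etc/shadow and /etc/shells (reading shadow needs root); after a usermod the account moves from pass014w to pass015w, which is the state unSpawn calls OK.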
Old 08-02-2011, 12:27 PM   #48
sneakyimp
Senior Member
 
Registered: Dec 2004
Posts: 1,056

Original Poster
THANK YOU for your time on this.

Quote:
Originally Posted by unSpawn View Post
I don't have the Tiger source to look at right now but I'd say it's generated from /etc/passwd nfo, so when it says "disabled" I suspect it means "administratively disabled" as in the account being locked. If the sneakyimp and sneakyimps_boss account are properly set up with strong password and aging ('sudo chage -l sneakyimp') then this could be a glitch in Tiger. I'll have a look at my 10.04 LTS machine later on to confirm.
AFAIK, sneakyimp and sneakyimps_boss will only be able to login using a 4096-bit cert. I didn't give these users passwords. Do we really need to fiddle with their passwd expiration values? Am I missing something here?

Quote:
Originally Posted by unSpawn View Post
Some accounts come with the system by default and some will be installed once (server) software is installed (find out for each account with 'sudo find / -xdev -user ${LOGNAME}'). For now I would 'sudo vipw' and change the shells for games, gnats, irc, lp (probably not install CUPS), news, proxy and uucp to '/bin/false' or '/usr/sbin/nologin', ensuring there is no single point of failure. (I am not familiar with the 'list' account: check your Ubuntu documentation please).
I don't understand what sudo find / -xdev -user ${LOGNAME} does. I see that this command returns a lot of files for my own account. Am I to su as each user and then run the command?

vipw uses vi. EWWWW!



Quote:
Originally Posted by unSpawn View Post
When in doubt please search your man and info pages, package info or Ubuntu documentation. The package says "Landscape is a web-based tool for managing Ubuntu systems. This package is necessary if you want your machine to be managed in a Landscape account."
Packages that are not dependencies for other packages should be removed.
Is there an easy/foolproof way to determine whether a package is a dependency?

Quote:
Originally Posted by unSpawn View Post
Yes. Cronjobs should either be run by unprivileged users where possible or from crontab files in /etc/cron*.
My fear here is that I'll deny cron access to some user that runs an important cron job. All of the cron jobs in /etc/cron* are user and group ROOT. Is there some way to determine which users currently have cron jobs? Or, for new packages/services/applications (e.g., mysql or apache or php), is there some way to determine if a cron job is necessary?

Quote:
Originally Posted by unSpawn View Post
- Look up who owns the cron files and its parent directory,
- Look up which user the cron daemon runs at.
- echo those account names into /etc/cron.allow.
I did sudo ls -ral /etc/cron* and all the resulting directories and files are owned by root. Not sure where else I might find cron files or their parent directories. Unless I'm mistaken, the following command tells me that the cron daemon is owned by root:
Code:
$ sudo ps -aux | grep cron
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
root       712  0.0  0.0  21076  1016 ?        Ss   Aug01   0:00 cron
sneakyimp     4692  0.0  0.0   7624   924 pts/1    S+   16:51   0:00 grep --color=auto cron

Quote:
Originally Posted by unSpawn View Post
If you 'getent services sieve' it should only return one service name entry and not multiple ones as that collides with IANA port assignments. Note in a few cases there's duplicate or alternative service names: pick the one Ubuntu applications and documentation support.
This command appears to return two items:
Code:
$ sudo getent services sieve
cisco-sccp            2000/tcp sieve
So the point is to reconfigure one service or the other to a different port? This sounds like a good way to break things. I wonder what these services do

Quote:
Originally Posted by unSpawn View Post
For human accounts I'd suggest 'umask 027': edit shell resource files for existing users and modify /etc/skel shell resource files for new users. Services may go with the default or '022' as output is often confined to directories owned by the user running the daemon. Also consult the above "environment" page.
Shell resource files? Every sentence here is a bit over my head.


Quote:
Originally Posted by unSpawn View Post
Use sudo?
Got those echo > file things sorted. I tried to edit the original post out of embarrassment but was too late.


Quote:
Originally Posted by unSpawn View Post
Ignore known /dev/ entries.
I don't know anything about these entries at all. Please elaborate?

Quote:
Originally Posted by unSpawn View Post
Best left at distro default unless some service needs access. What does 'sudo stat /var/log/btmp' say?
Code:
$ sudo stat /var/log/btmp
  File: `/var/log/btmp'
  Size: 0         	Blocks: 0          IO Block: 4096   regular empty file
Device: 801h/2049d	Inode: 460973      Links: 1
Access: (0660/-rw-rw----)  Uid: (    0/    root)   Gid: (   43/    utmp)
Access: 2011-08-01 06:50:10.000000000 +0000
Modify: 2011-08-01 06:50:10.000000000 +0000
Change: 2011-08-01 06:50:10.000000000 +0000

Quote:
Originally Posted by unSpawn View Post
Does /etc/login.defs even exist?
Aye it does exist.

Quote:
Originally Posted by unSpawn View Post
No, it's your DHCP client!
I'm somewhat shocked that my server would need a DHCP client. Does this mean my internal IP address is likely to change? Is the DHCP client listening on a port so that it knows when its IP has been reassigned? I'm worried now that my iptables rules might block some critical incoming notification about the IP address changing at which point my computer fails to listen and becomes unresponsive.

Quote:
Originally Posted by unSpawn View Post
Maybe false positive. Have to look it up.
Unexpected device file...what does it mean?

Quote:
Originally Posted by unSpawn View Post
Well now you know a little more. More importantly you know how you can find information yourself. This should become second nature real soon leaving you with only the important questions to ask. BTW next time I'll be talking to you you probably have Apache, MySQL and PHP installed.. :-]
Really?? Are we there yet? I'm really grateful for the hand-holding and do feel as though I understand a lot more. The learning curve this past week or two has been pretty rough and I'm extremely anxious to move on. I still have some substantial anxiety about these items:
* samhain is installed and running (and has even sent a couple of notifications when I start it up). I'm wondering what I might do to trigger a notification. Obviously, I want to make sure it's properly detecting intrusions. I could also use a bit of help understanding what the startup notifications mean.
* I've still got some issues with postfix. Namely, mail to root@localhost is not getting delivered. It somehow gets transmogrified into root@localhost.myplan.com and then rejected with 'local delivery is disabled'. *sigh*.
* For Apache/MySQL/PHP, I expect to install using packages of course, but I'm wondering how to keep these up-to-date. You've recommended a staging machine before but I'm wondering if it might be safe to automate security updates? I seriously doubt I'll get authorization for enough hours to continuously monitor this machine and test and apply each patch individually. I'm thinking the best I can hope for is a (brief) monthly audit. Any advice welcome.
 
Old 08-02-2011, 01:33 PM   #49
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 897
Quote:
Quote: Originally Posted by sneakyimp
Code:
--WARN-- [lin012w] The system accepts ICMP redirection messages
Quote:
Originally Posted by unSpawn
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
I have performed this step (and even tried sudo ech0 0 >) but it says permission denied. Suggestions?

Use sudo?
There is something, err, variant about the way Ubuntu handles this - I've seen this with the set-up stuff for a firewall. Where, with most distros you'd expect to be able to echo 1's or 0's to the appropriate place in the proc filesystem, from your set up script (as root, of course, which seems to be the source of the problem), Ubuntu seems unhappy with this.

For Ubuntu, it seems that you need the formal sysctl interface to make the changes: 'man sysctl' for more details.
 
Old 08-02-2011, 04:58 PM   #50
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by sneakyimp View Post
AFAIK, sneakyimp and sneakyimps_boss will only be able to login using a 4096-bit cert. I didn't give these users passwords. Do we really need to fiddle with their passwd expiration values? Am I missing something here?
Human user accounts need passwords. Passwords need to be changed every so often. If the password isn't changed to Something Completely Different then locking out an account seems prudent.


Quote:
Originally Posted by sneakyimp View Post
I don't understand what sudo find / -xdev -user ${LOGNAME} does. I see that this command returns a lot of files for my own account. Am I to su as each user and then run the command?
No, just sudo-run find for each account name slotted for disabling to find files owned by the user.


Quote:
Originally Posted by sneakyimp View Post
Is there an easy/foolproof way to determine whether a package is a dependency?
I'm not distro-agnostic enough to recommend any of 'apt-cache depends' or 'apt-rdepends' or 'dpkg-deb -I' or 'dpkg --info' over the other. Please consult the manual and info pages for each.


Quote:
Originally Posted by sneakyimp View Post
My fear here is that I'll deny cron access to some user that runs an important cron job.
Instead of explicitly allowing certain users you could blacklist users that are known to not run or need cron jobs. Echo those accounts into /etc/{at,cron}.deny.


Quote:
Originally Posted by sneakyimp View Post
All of the cron jobs in /etc/cron* are user and group ROOT.
/etc is for the system and cron files usually are owned and writable by root as the cron daemon runs them on behalf of root (/etc/crontab or equivalent).


Quote:
Originally Posted by sneakyimp View Post
Is there some way to determine which users currently have cron jobs? Or, for new packages/services/applications (e.g., mysql or apache or php), is there some way to determine if a cron job is necessary?
Non-root users usually have their crontab in the cron spool dir but starting or replacing a crontab is easy, see 'man 1 crontab', "-u [file|-]". Seen it before. Cron jobs or tabs should be seen added to any /etc/cron* location or created in the cron spool dir.



Quote:
Originally Posted by sneakyimp View Post
the cron daemon is owned by root:
Runs as root, yes.


Quote:
Originally Posted by sneakyimp View Post
This command appears to return two items:
Code:
$ sudo getent services sieve
cisco-sccp            2000/tcp sieve
So the point is to reconfigure one service or the other to a different port? This sounds like a good way to break things.
No, listed this way "sieve" becomes an alias which is OK.


Quote:
Originally Posted by sneakyimp View Post
I wonder what these services do
Use the Search, Luke...


Quote:
Originally Posted by sneakyimp View Post
Every sentence here is a bit over my head.
The "environment" page calls them "shell config files": please start at "Persistent environment variables".


Quote:
Originally Posted by sneakyimp View Post
I don't know anything about these entries at all. Please elaborate?
List udev package, grep for items.


Quote:
Originally Posted by sneakyimp View Post
Code:
Access: (0660/-rw-rw----)  Uid: (    0/    root)   Gid: (   43/    utmp)
Both root and utmp are allowed to write to btmp, the latter because of non-root processes. Suggest leaving it as it is.


Quote:
Originally Posted by sneakyimp View Post
Aye it does exist.
Please consult the Ubuntu documentation if you should use 'pam_umask' for daemons (and users?). For users umask can be set in /etc/profile, /etc/login.defs, and users can change theirs in ~/.profile and ~/.bashrc. For login.defs an umask entry looks like "UMASK 027".


Quote:
Originally Posted by sneakyimp View Post
I'm somewhat shocked that my server would need a DHCP client. Does this mean my internal IP address is likely to change?
Please consult AWS documentation with respect to MAC - IP assignments, lease time.


Quote:
Originally Posted by sneakyimp View Post
Is the DHCP client listening on a port so that it knows when its IP has been reassigned?
That's not how I would phrase it but in short: yes. Please see the documentation that comes with the package for an overview or use a 'net search.


Quote:
Originally Posted by sneakyimp View Post
I'm worried now that my iptables rules might block some critical incoming notification about the IP address changing at which point my computer fails to listen and becomes unresponsive.
Hmm. Good time to refresh your rule listing if you've made any changes since we last saw it.


Quote:
Originally Posted by sneakyimp View Post
Unexpected device file...what does it mean?
Have to look it up.


Quote:
Originally Posted by sneakyimp View Post
Really?? Are we there yet? (..) I'm extremely anxious to move on.
No we aren't but I've shown you one method to use in addition to your distribution and general system security documentation I posted earlier on. From here on it is your choice and responsibility to read and revisit (or not) said documentation, use checklists (or not) to track progress and issues, run tests (or not) to evaluate the system's security footprint, etc, etc...


Quote:
Originally Posted by sneakyimp View Post
samhain is installed and running (and has even sent a couple of notifications when I start it up). I'm wondering what I might do to trigger a notification. Obviously, I want to make sure it's properly detecting intrusions. I could also use a bit of help understanding what the startup notifications mean.
Please break out all Samhain issues to a new thread, attach config ('grep -v ^# samhainrc|grep .;') and complete (error) messages.


Quote:
Originally Posted by sneakyimp View Post
Best leave separate threads separate and hope a fellow LQ member shows up. In the meanwhile reading the Postfix configuration examples may work as it's one of the hits when I search for "local_transport = error:local delivery is disabled"...


Quote:
Originally Posted by sneakyimp View Post
For Apache/MySQL/PHP, I expect to install using packages of course, but I'm wondering how to keep these up-to-date. You've recommended a staging machine before but I'm wondering if it might be safe to automate security updates?
LTS is meant to provide a stable computing environment users can depend on so updates (should) have an assured level of quality to avoid service outage or worse. While on the package level this may all work out fine there still may appear local problems due to configuration, any software installed outside of package management, etc, etc. While this may be OK for the average SOHO case in a production environment loss of service means loss of money or even worse: loss of customer trust. While securing and monitoring production machines is one way to protect this investment you both make (because that's what it basically boils down to) it would seem ludicrous to not use means that may help avoid problems. It doesn't need to be an EC2 instance: it may well be on local virtualization or whatever else you can think of that you can use to test updates or configuration changes on, roll out software or just to test new stuff out on. I'm not trying to force this on you as in the end you have to work with it: it's your decision.
 
Old 08-02-2011, 07:10 PM   #51
sneakyimp
Senior Member
 
Registered: Dec 2004
Posts: 1,056

Original Poster
Rep: Reputation: 78
Quote:
Originally Posted by unSpawn
Some accounts come with the system by default and some will be installed once (server) software is installed (find out for each account with 'sudo find / -xdev -user ${LOGNAME}'). For now I would 'sudo vipw' and change the shells for games, gnats, irc, lp (probably not install CUPS), news, proxy and uucp to '/bin/false' or '/usr/sbin/nologin', ensuring there is no single point of failure. (I am not familiar with the 'list' account: check your Ubuntu documentation please).
OK got it. I've used the sudo find -user command to check each of those users listed in the tiger report. Only daemon and libuuid have any files yet:
Code:
$ sudo find / -xdev -user daemon
/var/spool/cron/atjobs
/var/spool/cron/atjobs/.SEQ
/var/spool/cron/atspool
/usr/bin/at
$ sudo find / -xdev -user libuuid
/var/lib/libuuid
/usr/sbin/uuidd
I've set the default shell to /bin/false for the ones you recommended. These users do not appear to own any files (the find command above returned nothing) and have not yet been altered:
Code:
backup
bin
list
mail
man
nobody
sshd
sync
sys
www-data
I have incorporated mail into my postfix configuration (using flag user=mail in the master.cf file). I have seen nobody used sometimes as the apache user. www-data will eventually be my apache user. Do I need to worry about changing the default shell to /bin/false for any of these other users?
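An added example, not posted by anyone in this thread and not Tiger's own code: a shell check that reproduces the gist of the pass014w warning over constructed passwd, shadow and shells files (sample data, not a real system's), so you can see which logins it would flag before deciding what to change. A login counts as "disabled" when its shadow password field is `*` or starts with `!`, and its shell counts as "valid" when it is listed in the shells file.

```shell
#!/bin/sh
# Added example (not from the thread, not Tiger's code): which logins are
# locked but still have a shell listed in /etc/shells? Runs on constructed
# sample files so nothing on the live system is touched.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample data (not a real system's files).
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
games:x:5:60:games:/usr/games:/bin/false
sneakyimp:x:1000:1000:,,,:/home/sneakyimp:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
EOF

cat > "$WORK/shadow" <<'EOF'
root:!:15187:0:99999:7:::
daemon:*:15187:0:99999:7:::
bin:*:15187:0:99999:7:::
games:*:15187:0:99999:7:::
sneakyimp:!:15187:0:99999:7:::
www-data:*:15187:0:99999:7:::
EOF

cat > "$WORK/shells" <<'EOF'
# /etc/shells: valid login shells
/bin/sh
/bin/bash
/bin/dash
EOF

# locked_with_valid_shell PASSWD SHADOW SHELLS
#   Prints one login per line whose password field is locked ('*' or
#   leading '!') but whose login shell is still listed in SHELLS.
locked_with_valid_shell() {
    passwd=$1; shadow=$2; shells=$3
    awk -F: -v shells="$shells" '
        BEGIN {
            while ((getline line < shells) > 0)
                if (line !~ /^#/ && line != "") valid[line] = 1
        }
        FNR == NR { pw[$1] = $2; next }            # first file: shadow
        (pw[$1] == "*" || pw[$1] ~ /^!/) && ($7 in valid) { print $1 }
    ' "$shadow" "$passwd"
}

# Number of hits, handy for scripting.
count_locked_with_valid_shell() {
    locked_with_valid_shell "$@" | wc -l | tr -d ' '
}

locked_with_valid_shell "$WORK/passwd" "$WORK/shadow" "$WORK/shells"
```

On the real box you would point it at /etc/passwd, /etc/shadow and /etc/shells (sudo for the shadow file). root and a key-only human account like sneakyimp show up on the list as well, and those keep their shells; it is the service accounts (games, gnats, irc, lp, news, proxy, uucp) that get '/bin/false' or '/usr/sbin/nologin' as unSpawn suggested, after the 'sudo find / -xdev -user NAME' check for files they own.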
 
Old 08-02-2011, 07:56 PM   #52
sneakyimp
Senior Member
 
Registered: Dec 2004
Posts: 1,056

Original Poster
Rep: Reputation: 78
Quote:
Originally Posted by unSpawn
Run 'sudo readlink -f /path//to/symlink' and check what it is supposed to link to. Then check your packages repo what package holds the file. Decide if you need the package. Else delete the symlink.
Code:
$ sudo readlink -f /lib/udev/devices/sndstat
no result!!! Delete it? rename?
Code:
$ sudo readlink -f /usr/lib/tiger/systems/Linux/issue.net
/etc/tiger/issue.net
$ sudo dpkg -S /usr/lib/tiger/systems/Linux/issue.net
tiger: /usr/lib/tiger/systems/Linux/issue.net
definitely need this what to do about the symlink? just delete?

Code:
$ sudo readlink -f /usr/share/doc/bash/completion-contrib
/usr/share/doc/bash-completion/contrib
$ dpkg -S /usr/share/doc/bash/completion-contrib
bash-completion: /usr/share/doc/bash/completion-contrib
$ sudo apt-cache depends bash-completion
bash-completion
  Depends: bash
  Replaces: bash
$ sudo apt-cache rdepends bash-completion
bash-completion
Reverse Depends:
  nut
  libdist-zilla-perl
  bti
  brdesktop-common
  atool
  ack-grep
  ubuntu-standard
  nut
  bash
  bash
  bash
i think i need this too. delete symlink? rename?

Code:
$ sudo readlink -f /usr/share/man/man5/modprobe.d.5
/usr/share/man/modprobe.conf.5
$ dpkg -S /usr/share/man/man5/modprobe.d.5
module-init-tools: /usr/share/man/man5/modprobe.d.5
$ sudo apt-cache depends module-init-tools
module-init-tools
  Depends: libc6
  Depends: <upstart-job>
    upstart
  Breaks: initramfs-tools
sudo apt-cache rdepends module-init-tools
  [TOO LONG TO LIST]
Hm. delete symlink? rename and hope nothing breaks?
 
Old 08-03-2011, 11:21 AM   #53
sneakyimp
Senior Member
 
Registered: Dec 2004
Posts: 1,056

Original Poster
Rep: Reputation: 78
I keep getting notifications from tiger's cron job that are arriving VERY erratically:
Code:
From: root@mydomain.com (Cron Daemon)
To: root@mydomain.com
Subject: Cron <root@ip-WWW-XXX-YYY-ZZZ>    test -x /usr/sbin/tigercron && { [ -r "$DEFAULT" ] && . "$DEFAULT" ; nice -n$NICETIGER /usr/sbin/tigercron -q ; }
Content-Type: text/plain; charset=ANSI_X3.4-1968
X-Cron-Env: <DEFAULT=/etc/default/tiger>
X-Cron-Env: <NICETIGER=10>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=root>
Message-Id: <00000131905f8830-befbb171-6be1-4185-89ee-0464763db0ce-000000@email.amazonses.com>
Date: Wed, 3 Aug 2011 16:00:05 +0000
X-AWS-Outgoing: 199.255.192.14

--CONFIG-- [con010c] Filesystem 'devtmpfs' used by 'none' is not recognised as a valid filesystem
A few things bother me about this:
* Erratic timing. Seems to be due to an hourly cron job but I've only received it at 10pm last night, 1 am this morning, 9 am this morning, etc.
* the email subject appears to be some kind of improperly evaluated shell command
* I don't know what to make of the message being sent.

Have I configured something improperly?
 
Old 08-03-2011, 12:00 PM   #54
sneakyimp
Senior Member
 
Registered: Dec 2004
Posts: 1,056

Original Poster
Rep: Reputation: 78
Code:
# Checking services from /etc/services.
--WARN-- [inet003w] The port for service sieve is also assigned to service
         cisco-sccp. 
--WARN-- [inet003w] The port for service ndtp is also assigned to service
         pipe_server.
--WARN-- [inet003w] The port for service ndtp is also assigned to service
         search.
--WARN-- [inet003w] The port for service postgres is also assigned to service
         postgresql.
--WARN-- [inet003w] The port for service postgres is also assigned to service
         postgresql.
--WARN-- [inet003w] The port for service sane is also assigned to service
         sane-port.
--WARN-- [inet003w] The port for service webcache is also assigned to service
         http-alt.
--WARN-- [inet003w] The port for service webcache is also assigned to service
         http-alt.
OK I've been looking at /etc/services and I am still trying to understand what the problem is here and how to fix it. Could you help me understand the difference between the ok aliases and the real problem ones? I'm guessing this is a problem:
Code:
$ sudo cat /etc/services | grep 2010
search		2010/tcp	ndtp
pipe_server	2010/tcp
We have two distinctly named services assigned the same port/protocol without any sort of alias connecting them. Is this really a threat?
 
Old 08-03-2011, 08:09 PM   #55
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by sneakyimp View Post
Code:
$ sudo readlink -f /lib/udev/devices/sndstat
no result!!! Delete it? rename?
Part of udev package. Best leave it be.


Quote:
Originally Posted by sneakyimp View Post
Code:
$ sudo readlink -f /usr/lib/tiger/systems/Linux/issue.net
/etc/tiger/issue.net
$ sudo dpkg -S /usr/lib/tiger/systems/Linux/issue.net
tiger: /usr/lib/tiger/systems/Linux/issue.net
definitely need this what to do about the symlink? just delete?
In the Tiger source systems/Linux/2/config, scripts/check_network and /scripts/check_issue reference "/etc/issue.net" but this seems an odd location. May be a Ubuntu or Debian addition. Dunno.


Quote:
Originally Posted by sneakyimp View Post
Code:
$ sudo readlink -f /usr/share/doc/bash/completion-contrib
/usr/share/doc/bash-completion/contrib
$ dpkg -S /usr/share/doc/bash/completion-contrib
bash-completion: /usr/share/doc/bash/completion-contrib
$ sudo apt-cache depends bash-completion
bash-completion
  Depends: bash
  Replaces: bash
$ sudo apt-cache rdepends bash-completion
i think i need this too. delete symlink? rename?
If you think you need it then by all means re-link it to the right location.


Quote:
Originally Posted by sneakyimp View Post
Code:
$ sudo readlink -f /usr/share/man/man5/modprobe.d.5
/usr/share/man/modprobe.conf.5
$ dpkg -S /usr/share/man/man5/modprobe.d.5
module-init-tools: /usr/share/man/man5/modprobe.d.5
Hm. delete symlink? rename and hope nothing breaks?
Should be "/usr/share/man/man5/modprobe.d.5.gz" I think.

Either way these symlinks aren't that problematic, just file system lint ('man fslint').


Quote:
Originally Posted by sneakyimp View Post
Erratic timing. Seems to be due to an hourly cron job but I've only received it at 10pm last night, 1 am this morning, 9 am this morning, etc.
Your observation is not supported by crontab entries, maillog excerpts or email headers.


Quote:
Originally Posted by sneakyimp View Post
the email subject appears to be some kind of improperly evaluated shell command
May be due to the cronjob itself. Could output to report file instead and if size is not zero email the file with the appropriate 'mail' command. BTW I don't run Tiger as an hourly cronjob. I only use it for an initial baseline and run it manually after say major changes.


Quote:
Originally Posted by sneakyimp View Post
I don't know what to make of the message being sent.
I explained how to interweave explanations in tiger reporting and besides that "tiger -E" just grabs parts from Tiger's doc/ dir contents which you could grep recursively for the listed code.


Quote:
Originally Posted by sneakyimp View Post
Is this really a threat?
Both http://www.iana.org/assignments/port-numbers and http://www.freebsd.org/cgi/cvsweb.cg...e=text%2Fplain read:
Code:
search		2010/tcp
pipe_server	2010/udp
so the /etc/services file is wrong. The /etc/services "database" is used to resolve (which you usually should avoid using "-n") mappings. For example if you change "ssh 22/tcp" to read "syslog 22/tcp" then if you run sshd the 'netstat -alt' output would show "syslog" running in the address columns. It's not a threat.

Last edited by unSpawn; 08-03-2011 at 08:21 PM. Reason: //Less *is* more
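An added example, not posted in this thread and not Tiger's own check: a small /etc/services parser that only reports a port/protocol pair when two different primary service names claim it, which is the case unSpawn identified (search and pipe_server both on 2010/tcp). Alias names on the same line, like "cisco-sccp 2000/tcp sieve", are treated as fine, matching his point that an alias is OK. The services excerpt below is constructed from the lines quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread, not Tiger's code): find port/proto pairs
# in an /etc/services-style file that more than one primary name claims.
# Aliases (names after the port/proto field) are not counted as collisions.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed excerpt in /etc/services format, modelled on the thread's lines.
cat > "$WORK/services" <<'EOF'
# Network services, Internet style
ssh             22/tcp                          # SSH Remote Login Protocol
ssh             22/udp
cisco-sccp      2000/tcp        sieve           # Cisco SCCP
search          2010/tcp        ndtp
pipe_server     2010/tcp
postgresql      5432/tcp        postgres        # PostgreSQL Database
postgresql      5432/udp        postgres
http-alt        8080/tcp        webcache        # WWW caching service
http-alt        8080/udp
EOF

# port_collisions FILE
#   Prints "port/proto: name1 name2 ..." for every port/proto with more than
#   one distinct primary name, in the order the pairs first appear.
port_collisions() {
    awk '
        { sub(/#.*/, "") }                       # drop trailing comments
        NF >= 2 && $2 ~ /^[0-9]+\/[a-z]+$/ {
            key = $2
            if (!(key in names)) { names[key] = $1; order[++n] = key }
            else if (index(" " names[key] " ", " " $1 " ") == 0)
                names[key] = names[key] " " $1
        }
        END {
            for (i = 1; i <= n; i++)
                if (split(names[order[i]], parts, " ") > 1)
                    print order[i] ": " names[order[i]]
        }
    ' "$1"
}

port_collisions "$WORK/services"
```

Against the sample this prints only "2010/tcp: search pipe_server"; the postgres/postgresql and webcache/http-alt pairs Tiger listed are aliases and stay quiet. As unSpawn says, the effect of a wrong entry is cosmetic (tools that resolve port numbers to names print the wrong name), which is why '-n' on netstat and friends is the usual habit.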
 
Old 08-04-2011, 11:35 AM   #56
sneakyimp
Senior Member
 
Registered: Dec 2004
Posts: 1,056

Original Poster
Rep: Reputation: 78
Quote:
Originally Posted by sneakyimp View Post
I keep getting notifications from tiger's cron job that are arriving VERY erratically:
(...)
A few things bother me about this:
* Erratic timing. Seems to be due to an hourly cron job but I've only received it at 10pm last night, 1 am this morning, 9 am this morning, etc.
* the email subject appears to be some kind of improperly evaluated shell command
* I don't know what to make of the message being sent.

Have I configured something improperly?
The email above appears to be the result of this cron job in /etc/cron.d/tiger:
Code:
#
# Regular cron jobs for the tiger package
#
# Configuration file
DEFAULT=/etc/default/tiger
#  default setting, overriden in the above file
NICETIGER=10
#
0 * * * *      root    test -x /usr/sbin/tigercron && { [ -r "$DEFAULT" ] && . "$DEFAULT" ; nice -n$NICETIGER /usr/sbin/tigercron -q ; }
The error code in the email, con010c, is nowhere to be found in any of the explanation docs in /var/log/tiger nor in any logs there.

Here is every single mail log entry from "today" on the server. The server is set to UTC time which is a pain when trying to connect mail log dates to local arrival times for my incoming email, but I believe each of these 4 messages corresponds to one of these weird tiger cron jobs -- including one that just arrived as I was creating this post:
Code:
Aug  4 00:00:04 ip-WWW-XXX-YYY-ZZZ postfix/pickup[6684]: B8CBB72132: uid=0 from=<root>
Aug  4 00:00:04 ip-WWW-XXX-YYY-ZZZ postfix/cleanup[8616]: B8CBB72132: message-id=<20110804000004.B8CBB72132@ip-WWW-XXX-YYY-ZZZ.mydomain.com>
Aug  4 00:00:04 ip-WWW-XXX-YYY-ZZZ postfix/qmgr[6461]: B8CBB72132: from=<root@mydomain.com>, size=792, nrcpt=1 (queue active)
Aug  4 00:00:05 ip-WWW-XXX-YYY-ZZZ postfix/pipe[8618]: B8CBB72132: to=<root@mydomain.com>, orig_to=<root>, relay=aws-email, delay=3.9, delays=3.1/0.01/0/0.74, dsn=2.0.0, status=sent (delivered via aws-email service)
Aug  4 00:00:05 ip-WWW-XXX-YYY-ZZZ postfix/qmgr[6461]: B8CBB72132: removed
Aug  4 02:00:03 ip-WWW-XXX-YYY-ZZZ postfix/pickup[8630]: 7FF91721A6: uid=0 from=<root>
Aug  4 02:00:03 ip-WWW-XXX-YYY-ZZZ postfix/cleanup[31301]: 7FF91721A6: message-id=<20110804020003.7FF91721A6@ip-WWW-XXX-YYY-ZZZ.mydomain.com>
Aug  4 02:00:03 ip-WWW-XXX-YYY-ZZZ postfix/qmgr[6461]: 7FF91721A6: from=<root@mydomain.com>, size=591, nrcpt=1 (queue active)
Aug  4 02:00:04 ip-WWW-XXX-YYY-ZZZ postfix/pipe[31308]: 7FF91721A6: to=<root@mydomain.com>, orig_to=<root>, relay=aws-email, delay=0.68, delays=0.04/0.01/0/0.64, dsn=2.0.0, status=sent (delivered via aws-email service)
Aug  4 02:00:04 ip-WWW-XXX-YYY-ZZZ postfix/qmgr[6461]: 7FF91721A6: removed
Aug  4 05:00:02 ip-WWW-XXX-YYY-ZZZ postfix/pickup[31434]: D238A72132: uid=0 from=<root>
Aug  4 05:00:02 ip-WWW-XXX-YYY-ZZZ postfix/cleanup[32499]: D238A72132: message-id=<20110804050002.D238A72132@ip-WWW-XXX-YYY-ZZZ.mydomain.com>
Aug  4 05:00:02 ip-WWW-XXX-YYY-ZZZ postfix/qmgr[6461]: D238A72132: from=<root@mydomain.com>, size=792, nrcpt=1 (queue active)
Aug  4 05:00:03 ip-WWW-XXX-YYY-ZZZ postfix/pipe[32501]: D238A72132: to=<root@mydomain.com>, orig_to=<root>, relay=aws-email, delay=1.1, delays=0.18/0.01/0/0.95, dsn=2.0.0, status=sent (delivered via aws-email service)
Aug  4 05:00:03 ip-WWW-XXX-YYY-ZZZ postfix/qmgr[6461]: D238A72132: removed
Aug  4 08:00:04 ip-WWW-XXX-YYY-ZZZ postfix/pickup[492]: 3AD2572132: uid=0 from=<root>
Aug  4 08:00:04 ip-WWW-XXX-YYY-ZZZ postfix/cleanup[2307]: 3AD2572132: message-id=<20110804080004.3AD2572132@ip-WWW-XXX-YYY-ZZZ.mydomain.com>
Aug  4 08:00:04 ip-WWW-XXX-YYY-ZZZ postfix/qmgr[6461]: 3AD2572132: from=<root@mydomain.com>, size=792, nrcpt=1 (queue active)
Aug  4 08:00:04 ip-WWW-XXX-YYY-ZZZ postfix/pipe[2309]: 3AD2572132: to=<root@mydomain.com>, orig_to=<root>, relay=aws-email, delay=3.6, delays=2.9/0.01/0/0.72, dsn=2.0.0, status=sent (delivered via aws-email service)
Aug  4 08:00:04 ip-WWW-XXX-YYY-ZZZ postfix/qmgr[6461]: 3AD2572132: removed
Aug  4 16:00:04 ip-WWW-XXX-YYY-ZZZ postfix/pickup[3339]: D3B2A72132: uid=0 from=<root>
Aug  4 16:00:04 ip-WWW-XXX-YYY-ZZZ postfix/cleanup[5204]: D3B2A72132: message-id=<20110804160004.D3B2A72132@ip-WWW-XXX-YYY-ZZZ.mydomain.com>
Aug  4 16:00:04 ip-WWW-XXX-YYY-ZZZ postfix/qmgr[6461]: D3B2A72132: from=<root@mydomain.com>, size=792, nrcpt=1 (queue active)
Aug  4 16:00:05 ip-WWW-XXX-YYY-ZZZ postfix/pipe[5206]: D3B2A72132: to=<root@mydomain.com>, orig_to=<root>, relay=aws-email, delay=3.6, delays=3/0.01/0/0.6, dsn=2.0.0, status=sent (delivered via aws-email service)
Aug  4 16:00:05 ip-WWW-XXX-YYY-ZZZ postfix/qmgr[6461]: D3B2A72132: removed
Here's a complete email -- the latest one (with domains and incriminating IPs redacted):
Code:
Delivered-To: root@mydomain.com
Received: by 10.42.2.201 with SMTP id 9cs154136icl;
        Thu, 4 Aug 2011 09:00:08 -0700 (PDT)
Received: by 10.224.201.194 with SMTP id fb2mr762848qab.208.1312473607760;
        Thu, 04 Aug 2011 09:00:07 -0700 (PDT)
Return-Path: <000001319585e423-d10c94f7-c316-400a-a89b-af00d42ddcc1-000000@email-bounces.amazonses.com>
Received: from a192-14.smtp-out.amazonses.com (a192-14.smtp-out.amazonses.com [199.255.192.14])
        by mx.google.com with ESMTP id fi1si4410526qab.32.2011.08.04.09.00.06;
        Thu, 04 Aug 2011 09:00:06 -0700 (PDT)
Received-SPF: pass (google.com: domain of 000001319585e423-d10c94f7-c316-400a-a89b-af00d42ddcc1-000000@email-bounces.amazonses.com designates 199.255.192.14 as permitted sender) client-ip=199.255.192.14;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of 000001319585e423-d10c94f7-c316-400a-a89b-af00d42ddcc1-000000@email-bounces.amazonses.com designates 199.255.192.14 as permitted sender) smtp.mail=000001319585e423-d10c94f7-c316-400a-a89b-af00d42ddcc1-000000@email-bounces.amazonses.com
Return-Path: 000001319585e423-d10c94f7-c316-400a-a89b-af00d42ddcc1-000000@email-bounces.amazonses.com
From: root@mydomain.com (Cron Daemon)
To: root@mydomain.com
Subject: Cron <root@ip-WWW-XXX-YYY-ZZZ>    test -x /usr/sbin/tigercron && { [ -r "$DEFAULT" ] && . "$DEFAULT" ; nice -n$NICETIGER /usr/sbin/tigercron -q ; }
Content-Type: text/plain; charset=ANSI_X3.4-1968
X-Cron-Env: <DEFAULT=/etc/default/tiger>
X-Cron-Env: <NICETIGER=10>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=root>
Message-Id: <000001319585e423-d10c94f7-c316-400a-a89b-af00d42ddcc1-000000@email.amazonses.com>
Date: Thu, 4 Aug 2011 16:00:05 +0000
X-AWS-Outgoing: 199.255.192.14

--CONFIG-- [con010c] Filesystem 'devtmpfs' used by 'none' is not recognised as a valid filesystem
Quote:
Originally Posted by unSpawn
I explained how to interweave explanations in tiger reporting and besides that "tiger -E" just grabs parts from Tiger's doc/ dir contents which you could grep recursively for the listed code.
That particular error code doesn't exist in any explanation logs in /var/log/tiger. I've tried looking in the script /usr/sbin/tigercron, but I can't locate any place to put an -e or -E flag in there.

Ultimately, I'm most keen to understand what kind of problem this is reporting and whether it needs fixing and, if so, how to fix it. I did a google search on the error string and it looks like some people are treating it as a bug.

As for the wonky symlinks, it doesn't sound from your post as though you consider them to be any sort of threat. I have no desire to fix them unless they are going to interfere with my server's proper functioning. How about I just leave them alone? Ditto for the /etc/services file. Maybe I could notify a developer or package maintainer somewhere? File a bug report?

Some good news: Finally worked out the postfix configuration to my liking. Also have samhain playing nice with email. Hoping to complete install of fail2ban today.
 
Old 08-04-2011, 12:49 PM   #57
sneakyimp
Senior Member
 
Registered: Dec 2004
Posts: 1,056

Original Poster
Rep: Reputation: 78
Code:
# Performing check of PATH components...
--WARN-- [path009w] /etc/profile does not export an initial setting for PATH.
Quote:
Originally Posted by unSpawn View Post
Documentation. See https://help.ubuntu.com/community/EnvironmentVariables (Ubuntu: /etc/environment).
I'm somewhat familiar with environment variables. The Ubuntu docs you link list /etc/profile immediately under the words "not recommended." I've been googling around for path009w and see a lot of people asking about this particular complaint but I haven't found a solution anywhere. There is a file mentioned in the Ubuntu docs, /etc/environment, which does in fact contain a PATH variable. I'm wondering if the tiger complaint is applicable on an Ubuntu system?
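What tiger's "check of PATH components" is guarding against is not the file the PATH happens to be set in but what ends up in it: an empty or "." component (the current directory gets searched, so a planted "ls" in /tmp runs as whoever cds there), relative components, and directories that anyone can write to (a trojan binary dropped there shadows the real one). The script below is an added, stand-alone illustration of that check; it is not tiger's own code and makes no claim about how tiger implements path009w. Assumptions: POSIX sh with find and the usual utilities, and that a world-writable or non-root-owned directory in a root PATH is worth flagging.

```shell
#!/bin/sh
# Added example (not from the thread): audit each component of a PATH string the
# way tiger's "check of PATH components" is meant to.
#
# Usage:  sh audit_path.sh "$PATH"     or     . ./audit_path.sh; audit_path "$PATH"
# Prints one finding per line; returns 1 if any finding is a real problem.

audit_path() {
    _rest="$1:"          # trailing ':' so the loop consumes the last field too
    _bad=0
    while [ -n "$_rest" ]; do
        _dir=${_rest%%:*}            # text before the first ':'
        _rest=${_rest#*:}            # everything after it
        case "$_dir" in
            "")  echo "empty component (searches the current directory)"; _bad=1; continue ;;
            .)   echo "'.' in PATH (searches the current directory)";     _bad=1; continue ;;
            /*)  ;;                                    # absolute: checked further below
            *)   echo "relative component: $_dir";     _bad=1; continue ;;
        esac
        if [ ! -d "$_dir" ]; then
            echo "missing directory (harmless, but noise): $_dir"
            continue
        fi
        # "$_dir/." resolves a symlinked PATH entry (e.g. /bin -> usr/bin) to its
        # target, so the directory's own mode is tested, not the link's 0777.
        # -prune stops find from descending; -perm -0002 means "world-write bit set".
        if [ -n "$(find "$_dir/." -prune -perm -0002 2>/dev/null)" ]; then
            echo "world-writable directory: $_dir"; _bad=1
        fi
        # Not owned by root: whoever owns it can replace any binary in it.
        if [ -n "$(find "$_dir/." -prune ! -user root 2>/dev/null)" ]; then
            echo "not owned by root: $_dir"
        fi
    done
    return $_bad
}

# Run directly with a PATH string as the argument, e.g.  sh audit_path.sh "$PATH"
if [ $# -gt 0 ]; then
    audit_path "$1"
fi
```

Run it against the PATH tiger actually sees (the cron mail above shows `PATH=/usr/bin:/bin` for the tigercron job) and against the one from an interactive root login; the two often differ, and a "not owned by root" entry under /usr/local or /opt is where a writable directory tends to creep in.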
 
Old 08-04-2011, 01:16 PM   #58
sneakyimp
Senior Member
 
Registered: Dec 2004
Posts: 1,056

Original Poster
Rep: Reputation: 78
I want to understand the goal for these tiger complaints:
Code:
# Checking for correct umask settings for init scripts...
--WARN-- [misc021w] There are no umask entries in /etc/init.d/rcS
# Checking for correct umask settings for user login shells...
--WARN-- [misc026w] There is no default umask settings for user login shells
in /etc/login.defs
It's to ensure a umask of 022 for services and one of 027 for human users?
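The numbers in the question only make sense once you see what a umask removes: new files are requested with mode 666 and new directories with 777, and the umask bits are cleared from those, so 022 leaves files 644 and directories 755 (readable by everyone), while 027 leaves 640 and 750 (nothing for "other"). The script below is an added illustration of that arithmetic and of the two places the misc021w/misc026w warnings point at; it is not tiger's code and does not reproduce tiger's exact parsing. Assumptions: POSIX sh, a login.defs-style `UMASK NNN` line and a shell-style `umask NNN` line, with commented-out lines ignored; the login.defs and rcS contents used in the check are constructed, not copied from a real system.

```shell
#!/bin/sh
# Added example, not from the thread: what a umask does to newly created files and
# directories, plus a check of /etc/login.defs (UMASK) and an init script (umask),
# the two places tiger's misc026w and misc021w warnings look at.
#
# Usage:  sh umask_check.sh 027      (shows the effective modes under that umask)

# Effective mode = requested mode AND NOT umask. Files are requested with 666
# (never executable) and directories with 777, so the same umask yields
# different results for the two. Both arguments are octal strings.
mode_after_umask() {
    _req=$(printf '%d' "0$1")      # a leading 0 makes printf parse it as octal
    _mask=$(printf '%d' "0$2")
    printf '%03o\n' "$(( _req & ~_mask ))"
}

# Create a real file and directory under the given umask and show their modes
# (ls -ld rather than GNU stat, so this works on any POSIX system).
demo_umask() {
    _d=$(mktemp -d)
    ( umask "$1"; : > "$_d/file"; mkdir "$_d/dir" )   # umask changed only in the subshell
    ls -ld "$_d/file" | cut -c1-10
    ls -ld "$_d/dir"  | cut -c1-10
    rm -rf "$_d"
}

# Print the UMASK value from a login.defs-style file, ignoring comment lines.
# Prints nothing and returns 1 when there is none, which is what misc026w reports.
umask_from_login_defs() {
    _v=$(sed -n 's/^[[:space:]]*UMASK[[:space:]]\{1,\}\([0-7]\{3,4\}\).*/\1/p' "$1" | tail -n 1)
    [ -n "$_v" ] && echo "$_v"
}

# Same for a shell init script such as /etc/init.d/rcS: the first uncommented
# "umask NNN" line. misc021w fires when there is none.
umask_from_init_script() {
    _v=$(sed -n 's/^[[:space:]]*umask[[:space:]]\{1,\}\([0-7]\{3,4\}\).*/\1/p' "$1" | head -n 1)
    [ -n "$_v" ] && echo "$_v"
}

if [ $# -gt 0 ]; then
    echo "file under umask $1: $(mode_after_umask 666 "$1"), dir: $(mode_after_umask 777 "$1")"
    demo_umask "$1"
fi
```

Tiger's two warnings are about defaults, not about any one file: an init script with no umask line inherits whatever init started with, and a login shell with no UMASK in login.defs (or no equivalent pam_umask setting) inherits the shell's compiled-in 022. Deciding on 022 for services and 027 for people is a policy choice; the check only tells you that no policy is written down.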
 
Old 08-05-2011, 07:32 PM   #59
sneakyimp
Senior Member
 
Registered: Dec 2004
Posts: 1,056

Original Poster
Rep: Reputation: 78
I'm hoping to install a few more packages
* fail2ban - Because this program monitors logs, I'm thinking I should try to install FTP or SFTP first in the hope that the fail2ban package installer will automatically locate the ftp files and configure itself to watch them.
* sftp - we'll need a file transfer program to maintain the website assets. I'm accustomed to installing proftpd or vsftpd but am hoping to make sure that all FTP connections are encrypted. Is that sftp? or ftp-over-ssl ?
* chkrootkit - this was apparently installed with tiger but you instructed me to run it separately. Any additional configuration detail for this would be most helpful.
 
Old 08-05-2011, 09:36 PM   #60
sneakyimp
Senior Member
 
Registered: Dec 2004
Posts: 1,056

Original Poster
Rep: Reputation: 78
I went ahead and installed fail2ban. I've checked out the config and it looks straightforward. I've tested it and it is working.
 
  


Tags
hardening, lamp, ubuntu

