Tighten console permissions for privileged users

The console.perms security file of Linux, which uses the pam_console.so module to operate, is designed to give privileged users at the physical console (virtual terminals and local xdm-managed X sessions) capabilities that they would not otherwise have, and to take those capabilities away when they are no longer logged in at the console.

It provides two main kinds of capabilities: file permissions and authentication. When a user logs in at the console and no other user is currently logged in at the console, the pam_console.so module will change the permissions and ownership of files as described in the file /etc/security/console.perms.

Please note that these privileged users have nothing in common with the regular users you may add to the server; they are special users like floppy, cdrom, scanner, etc., which in a networking server environment are also considered and treated as users.

Step 1

The default console.perms configuration file of Linux is secure enough for regular use of a system where an X Window interface is expected to be installed. In a highly secure environment where the Graphical User Interface (GUI) is not installed, or where special devices like sound, jaz, etc. have no reason to exist, we can tighten the console.perms security file by eliminating the non-existent or unneeded privileged users, so that they no longer receive capabilities they would not otherwise have.

Edit the console.perms file (vi /etc/security/console.perms), and change the default lines inside this file:

# file classes -- these are regular expressions
<console>=tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
<xconsole>=:[0-9]\.[0-9] :[0-9]

# device classes -- these are shell-style globs
<floppy>=/dev/fd[0-1]* \
         /dev/floppy/* /mnt/floppy*
<sound>=/dev/dsp* /dev/audio* /dev/midi* \
        /dev/mixer* /dev/sequencer \
        /dev/sound/* /dev/beep
<cdrom>=/dev/cdrom* /dev/cdroms/* /dev/cdwriter* /mnt/cdrom*
<pilot>=/dev/pilot
<jaz>=/mnt/jaz*
<zip>=/mnt/pocketzip* /mnt/zip*
<ls120>=/dev/ls120 /mnt/ls120*
<scanner>=/dev/scanner /dev/usb/scanner*
<rio500>=/dev/usb/rio500
<camera>=/mnt/camera* /dev/usb/dc2xx* /dev/usb/mdc800*
<memstick>=/mnt/memstick*
<flash>=/mnt/flash*
<diskonkey>=/mnt/diskonkey*
<rem_ide>=/mnt/microdrive*
<fb>=/dev/fb /dev/fb[0-9]* \
     /dev/fb/*
<kbd>=/dev/kbd
<joystick>=/dev/js[0-9]*
<v4l>=/dev/video* /dev/radio* /dev/winradio* /dev/vtx* /dev/vbi* \
      /dev/video/*
<gpm>=/dev/gpmctl
<dri>=/dev/nvidia* /dev/3dfx*
<mainboard>=/dev/apm_bios

# permission definitions
<console>  0660 <floppy>     0660 root.floppy
<console>  0600 <sound>      0600 root
<console>  0600 <cdrom>      0660 root.disk
<console>  0600 <pilot>      0660 root.uucp
<console>  0600 <jaz>        0660 root.disk
<console>  0600 <zip>        0660 root.disk
<console>  0600 <ls120>      0660 root.disk
<console>  0600 <scanner>    0600 root
<console>  0600 <camera>     0600 root
<console>  0600 <memstick>   0600 root
<console>  0600 <flash>      0600 root
<console>  0600 <diskonkey>  0660 root.disk
<console>  0600 <rem_ide>    0660 root.disk
<console>  0600 <fb>         0600 root
<console>  0600 <kbd>        0600 root
<console>  0600 <joystick>   0600 root
<console>  0600 <v4l>        0600 root
<console>  0700 <gpm>        0700 root
<console>  0600 <mainboard>  0600 root
<console>  0600 <rio500>     0600 root
<xconsole> 0600 /dev/console 0600 root.root
<xconsole> 0600 <dri>        0600 root

To read:

# file classes -- these are regular expressions
<console>=tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]\.[0-9] :[0-9]

# device classes -- these are shell-style globs
<floppy>=/dev/fd[0-1]* \
         /dev/floppy/* /mnt/floppy*
<cdrom>=/dev/cdrom* /dev/cdroms/* /dev/cdwriter* /mnt/cdrom*
<pilot>=/dev/pilot
<fb>=/dev/fb /dev/fb[0-9]* \
     /dev/fb/*
<kbd>=/dev/kbd
<gpm>=/dev/gpmctl
<mainboard>=/dev/apm_bios

# permission definitions
<console>  0660 <floppy>     0660 root.floppy
<console>  0600 <cdrom>      0660 root.disk
<console>  0600 <pilot>      0660 root.uucp
<console>  0600 <fb>         0600 root
<console>  0600 <kbd>        0600 root
<console>  0700 <gpm>        0700 root
<console>  0600 <mainboard>  0600 root


Here we removed every privileged user related to the Graphical User Interface, and the others related to sound, zip drive, jaz drive, scanner, joystick and video media, at the physical console on the server.

Please see this article to read about how to disable console access with PAM.

Please see this article to read about how to limit the password length with PAM.
