Embedded Files
Once the system is setup correctly, it's time to lock filesystem permissions and executions. This should be implemented after the operating system is completely setup and ready for filesystem permission lock-down. This section guides you on how to lock-down filesystem with options.
Identified Threats
Identified Threats
These are the identified threats related to Debian Software.
(T-24) Partitions and Critical Directories Are Mounted with Write and Execute Permissions by Default
(T-24) Partitions and Critical Directories Are Mounted with Write and Execute Permissions by Default
By default, the fstab set all mounting points its default full write and execute permission including but not limited to /tmp and /var in /etc/fstab.
(T-25) Apt Will Not Work When /tmp is Not Executable
(T-25) Apt Will Not Work When /tmp is Not Executable
In situation where /tmp is mounted as non-executable mount point, apt update will fail drastically.
(T-26) Apt Will Not Work When /usr is Not Writable
(T-26) Apt Will Not Work When /usr is Not Writable
In situation where /usr is mounted as read-only mount point, apt update will fail drastically.
Actions Required
Actions Required
Here are the list if actions to counter the issues.
Set Mounting Configurations with noexec
Set Mounting Configurations with noexec
To ensure mount points that are not supposed to hold executable permission, one should add noexec into that mount point in /etc/fstab.
Set Mounting Configurations with nosuid
Set Mounting Configurations with nosuid
To ensure mount points that are not supposed to operate with suid, one should add nosuid into that mount point in /etc/fstab.
Set Mounting Configurations with nodev
Set Mounting Configurations with nodev
Instruct Apt to Use Other Locations as non-executable /tmp Replacement
Instruct Apt to Use Other Locations as non-executable /tmp Replacement
Review a self-clean temporary storage for apt to work with. Some usual locations would be:
/var/tmp/var/local/tmp
Then, set /etc/apt/apt.conf.d/50-extract-templates with:
APT{ ExtractTemplates { TempDir "/var/tmp"; };};Instruct Apt to set /usr back to Write permission for Apt Update and Upgrade
Instruct Apt to set /usr back to Write permission for Apt Update and Upgrade
For read-only /usr mount-point, one can instruct apt to set it back to writable during update and then set it back to read-only through a config file in /etc/apt/apt.conf.d/01tmp-location with:
DPkg{ Pre-Invoke { "mount /usr -o remount,rw" }; Post-Invoke { "mount /usr -o remount,ro" };};That's all for hardening Debian by hardening filesystem permission configurations.
Page updated
Google Sites
Report abuse