PAM-Disable Console Access
Tighten console permissions for privileged users
The console.perms security file of Linux, which use the pam_console.so
module to operate, is designed to give to privileged users at the physical
console (virtual terminals and local xdm-managed X sessions) capabilities
that they would not otherwise have, and to take those capabilities away
when they are no longer logged in at the console.
It provides two main kinds of capabilities: file permissions and authentication.
When a user logs in at the console and no other user is currently logged in
at the console, the pam_console.so module will change permissions and
ownership of files as described in the file /etc/security/console.perms.
Please note that privileged users are nothing in common with regular users
you may add to the server, they are special users like floppy, cdrom, scanner,
etc which in an networking server environment are also considered and
treated as users.
Step 1
The default console.perms configuration file of Linux is secure enough
for regular use of the system where an Xwindow interface is considered
to be installed but in a highly secure environment where the Graphical
User Interface (GUI) is not installed or where some special devices like sound, jaz, etc have no reason to exist, we can tighten the console.perms security file of Linux to be more secure by eliminating non-existent or unneeded privileged users to have capabilities that they would not otherwise have.
? Edit the console.perms file (vi /etc/security/console.perms), and change
the default lines inside this file:
# file classes -- these are regular expressions
<console>=tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
<xconsole>=:[0-9]\.[0-9] :[0-9]
# device classes -- these are shell-style globs
<floppy>=/dev/fd[0-1]* \
/dev/floppy/* /mnt/floppy*
<sound>=/dev/dsp* /dev/audio* /dev/midi* \
/dev/mixer* /dev/sequencer \
/dev/sound/* /dev/beep
<cdrom>=/dev/cdrom* /dev/cdroms/* /dev/cdwriter* /mnt/cdrom*
<pilot>=/dev/pilot
<jaz>=/mnt/jaz*
<zip>=/mnt/pocketzip* /mnt/zip*
<ls120>=/dev/ls120 /mnt/ls120*
<scanner>=/dev/scanner /dev/usb/scanner*
<rio500>=/dev/usb/rio500
<camera>=/mnt/camera* /dev/usb/dc2xx* /dev/usb/mdc800*
<memstick>=/mnt/memstick*
<flash>=/mnt/flash*
<diskonkey>=/mnt/diskonkey*
<rem_ide>=/mnt/microdrive*
<fb>=/dev/fb /dev/fb[0-9]* \
/dev/fb/*
<kbd>=/dev/kbd
<joystick>=/dev/js[0-9]*
<v4l>=/dev/video* /dev/radio* /dev/winradio* /dev/vtx* /dev/vbi* \
/dev/video/*
<gpm>=/dev/gpmctl
<dri>=/dev/nvidia* /dev/3dfx*
领英推荐
<mainboard>=/dev/apm_bios
# permission definitions
<console> 0660 <floppy> 0660 root.floppy
<console> 0600 <sound> 0600 root
<console> 0600 <cdrom> 0660 root.disk
<console> 0600 <pilot> 0660 root.uucp
<console> 0600 <jaz> 0660 root.disk
<console> 0600 <zip> 0660 root.disk
<console> 0600 <ls120> 0660 root.disk
<console> 0600 <scanner> 0600 root
<console> 0600 <camera> 0600 root
<console> 0600 <memstick> 0600 root
<console> 0600 <flash> 0600 root
<console> 0600 <diskonkey> 0660 root.disk
<console> 0600 <rem_ide> 0660 root.disk
<console> 0600 <fb> 0600 root
<console> 0600 <kbd> 0600 root
<console> 0600 <joystick> 0600 root
<console> 0600 <v4l> 0600 root
<console> 0700 <gpm> 0700 root
<console> 0600 <mainboard> 0600 root
<console> 0600 <rio500> 0600 root
<xconsole> 0600 /dev/console 0600 root.root
<xconsole> 0600 <dri> 0600 root
To read :
# file classes -- these are regular expressions
<console>=tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
# device classes -- these are shell-style globs
<floppy>=/dev/fd[0-1]* \
/dev/floppy/* /mnt/floppy*
<cdrom>=/dev/cdrom* /dev/cdroms/* /dev/cdwriter* /mnt/cdrom*
<pilot>=/dev/pilot
<fb>=/dev/fb /dev/fb[0-9]* \
/dev/fb/*
<kbd>=/dev/kbd
<gpm>=/dev/gpmctl
<mainboard>=/dev/apm_bios
# permission definitions
<console> 0660 <floppy> 0660 root.floppy
<console> 0600 <cdrom> 0660 root.disk
<console> 0600 <pilot> 0660 root.uucp
<console> 0600 <fb> 0600 root
<console> 0600 <kbd> 0600 root
<console> 0700 <gpm> 0700 root
<console> 0600 <mainboard> 0600 root
Here we removed every privileged user related to the Graphical User
Interface and others related to sound, zip drive, jaz drive, scanner, joystick
and video media at the physical console on the server.
#Linux #Security #Tips #Disable #Console #Access