Questions
Hello i try to harden my debian server.
I use yasat for perform some «stupid» check.
#yasat -f
In the Check system rights Debian i have some WARNING, BAD status.
First :
331 files have invalid others rights in /boot [
WARNING ] Do a chmod o-rxw <i>name_of_the_file</i>
Right of /boot: 755 [ BAD ]
I use an full (exept boot (ext2)) encrypt lvm «hard drive». (haven’t
try the grub2 full encrypt beta option).
I understand security implication for wrong rights. There is a real
risk with boot wrong rights ? Why are not set by default, it prevent
some things to work ?
Pretty same question for others rights warning :
/etc/shadow is not 600 root root [ WARNING ]
/etc/gshadow is not 400 root root [ WARNING ]
and for a bunch of cron files :
8 files have invalid others rights in /etc/cron.d [
WARNING ] Do a chmod o-rxw <i>name_of_the_file</i>
Right of /etc/cron.d: 755 [ BAD ]
same for hourly/daily/weekly/monthly
And for services like :
Checking /etc/apache2 [ INFO ]
170 files have invalid others rights in /etc/apache2 [ WARNING ]
Do a chmod o-rxw <i>name_of_the_file</i>
Right of /etc/apache2: 755 [ BAD ]
Checking /etc/mysql [ INFO ]
12 files have invalid others rights in /etc/mysql [
WARNING ] Do a chmod o-rxw <i>name_of_the_file</i>
Right of /etc/mysql: 755 [ BAD ]
/etc/sysctl.conf is not 640 root root [ WARNING ]
/etc/logrotate.conf is not 640 root root [ WARNING ]
/etc/crontab is not 640 root root [ WARNING ]
/var/log/faillog is not 600 root root [ WARNING ]
/var/log/mysql is not 750 mysql mysql [ WARNING ]
Checking /var/lib/mysql [ INFO ]
2 files have invalid others rights in /var/lib/mysql [
WARNING ] Do a chmod o-rxw <i>name_of_the_file</i>
Right of /var/lib/mysql: 755 [ BAD ]
Bad owner /var/lib/mysql (must be mysql) [ WARNING ]
/var/lib/mysql/debian-10.1.flag [ root ]
/var/lib/mysql/mysql_upgrade_info [ root ]
Bad group /var/lib/mysql (must be mysql) [ WARNING ]
/var/lib/mysql/debian-10.1.flag [ root ]
/var/lib/mysql/mysql [ root ]
/var/lib/mysql/mysql_upgrade_info [ root ]
I want do understand all of this «warning».
If they are false positive maybe this part should be update because
it’s debian related ?
Thx.
Reply to: