Question : After conducting a security audit within the Stratos DC, the Nautilus security team discovered misconfigured permissions on critical files. To address this, corrective actions are being taken by the production support team. Specifically, the file named /etc/hostsname on Nautilus App 1 server requires adjustments to its Access Control Lists (ACLs) as follows:
1. The file's user owner and group owner should be set to root.
2. Others should possess read only permissions on the file.
3. User anita must not have any permissions on the file.
4. User eric should be granted read only permission on the file
1. Login on App server as per the task
thor@jump_host /$ ssh tony@stapp01 The authenticity of host 'stapp01 (172.16.238.10)' can't be established. ECDSA key fingerprint is SHA256:RIRt2SqEVQ3yKDQ+cX5QLPw7mJNJhXUcT5Dpsy4GU1U. ECDSA key fingerprint is MD5:bd:f7:14:9e:c0:fd:41:0d:2d:e4:30:47:8a:34:35:ae. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'stapp01,172.16.238.10' (ECDSA) to the list of known hosts. tony@stapp01's password: [tony@stapp01 ~]$ sudo su - We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things: #1) Respect the privacy of others. #2) Think before you type. #3) With great power comes great responsibility. [sudo] password for tony: [root@stapp01 ~]# |
2. Check the existing file permission
[root@stapp01 ~]# getfacl /etc/hostname getfacl: Removing leading '/' from absolute path names # file: etc/hostname # owner: root # group: root user::rw- group::r-- other::r-- [root@stapp01 ~]# |
3. As per the task check users are already existing or not
[root@stapp01 ~]#id anita uid=1002(anita) gid=1002(anita) groups=1002(anita) [root@stapp01 ~]# [root@stapp01 ~]# id eric uid=1003(eric) gid=1003(eric) groups=1003(eric) [root@stapp01 ~]# |
4. Set the ACL permissoin as per the task
[root@stapp01 ~]#setfacl -m u:anita:-,eric:r /etc/hostname [root@stapp01 ~]# |
The setfacl utility sets ACLs (Access Control Lists) of files and directories. On the command line, a sequence of commands is followed by a sequence of files (which in turn can be followed by another sequence of commands, and so on).
The options -m and -x expect an ACL on the command line. Multiple ACL entries are separated by commas (","). The options -M and -X read an ACL from a file or from standard input. The ACL entry format is described in the ACL Entries section, below.
The --set and --set-file options set the ACL of a file or a directory. The previous ACL is replaced. ACL entries for this operation must include permissions.
The -m (--modify) and -M (--modify-file) options modify the ACL of a file or directory. ACL entries for this operation must include permissions.
The -x (--remove) and -X (--remove-file) options remove ACL entries. It is not an error to remove an entry which does not exist. Only ACL entries without the perms field are accepted as parameters, unless the POSIXLY_CORRECT environment variable is defined.
The perms field is a combination of characters that indicate the permissions: read ("r"), write ("w"), execute ("x"), or "execute only if the file is a directory or already has execute permission for some user" (capital "X"). Alternatively, the perms field is an octal digit ("0"-"7").
[root@stapp01 ~]#getfacl /etc/hostname getfacl: Removing leading '/' from absolute path names # file: etc/hostname # owner: root # group: root user::rw-
[root@stapp01 ~]# |
6. Click on Finish & Confirm to complete the task successful
Happy Learning!!!!
0 Comments