Question : The Nautilus security team performed an audit of all servers present in Stratos DC. During the audit some critical data/files were identified as having the wrong permissions as per standards. Once the report was shared with the production support team, they started working to fix the issue. It has been identified that one of the files /etc/hostname on Nautilus App 1 server has the wrong permissions, so that needs to be fixed and the correct ACLs need to be set.
The owner and group owner of the file should be root user.
Others must have read only permissions on the file.
User anita must not have any permission on the file.
User eric should have read only permission on the file.
1. Login on the App server as per the task
thor@jump_host /$ ssh tony@stapp01
The authenticity of host 'stapp01 (172.16.238.10)' can't be established.
ECDSA key fingerprint is SHA256:RIRt2SqEVQ3yKDQ+cX5QLPw7mJNJhXUcT5Dpsy4GU1U.
ECDSA key fingerprint is MD5:bd:f7:14:9e:c0:fd:41:0d:2d:e4:30:47:8a:34:35:ae.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'stapp01,172.16.238.10' (ECDSA) to the list of known hosts.
tony@stapp01's password:
[tony@stapp01 ~]$ sudo su -

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for tony:
[root@stapp01 ~]#
2. Check the existing file permissions
[root@stapp01 ~]# getfacl /etc/hostname
getfacl: Removing leading '/' from absolute path names
# file: etc/hostname
# owner: root
# group: root
user::rw-
group::r--
other::r--

[root@stapp01 ~]#
3. As per the task, check whether the users already exist
[root@stapp01 ~]# id anita
uid=1002(anita) gid=1002(anita) groups=1002(anita)
[root@stapp01 ~]#
[root@stapp01 ~]# id eric
uid=1003(eric) gid=1003(eric) groups=1003(eric)
[root@stapp01 ~]#
4. Set the ACL permissions as per the task
[root@stapp01 ~]# setfacl -m u:anita:-,eric:r /etc/hostname
[root@stapp01 ~]#
The setfacl utility sets ACLs (Access Control Lists) of files and directories. On the command line, a sequence of commands is followed by a sequence of files (which in turn can be followed by another sequence of commands, and so on).
The options -m and -x expect an ACL on the command line. Multiple ACL entries are separated by commas (","). The options -M and -X read an ACL from a file or from standard input. The ACL entry format is described in the ACL Entries section, below.
The --set and --set-file options set the ACL of a file or a directory. The previous ACL is replaced. ACL entries for this operation must include permissions.
The -m (--modify) and -M (--modify-file) options modify the ACL of a file or directory. ACL entries for this operation must include permissions.
The -x (--remove) and -X (--remove-file) options remove ACL entries. It is not an error to remove an entry which does not exist. Only ACL entries without the perms field are accepted as parameters, unless the POSIXLY_CORRECT environment variable is defined.
The perms field is a combination of characters that indicate the permissions: read ("r"), write ("w"), execute ("x"), or "execute only if the file is a directory or already has execute permission for some user" (capital "X"). Alternatively, the perms field is an octal digit ("0"-"7").
5. Verify the ACL now set on the file
[root@stapp01 ~]# getfacl /etc/hostname
getfacl: Removing leading '/' from absolute path names
# file: etc/hostname
# owner: root
# group: root
user::rw-
[root@stapp01 ~]#
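As an added example (not code from the walkthrough), a Python checker that parses getfacl output and compares it against the task's standard; it applies the mask entry to the named-user entries, because setfacl -m recalculates the mask (unless -n is given) and a tighter mask would silently cut eric's effective access. The sample listing is constructed to show the full output after the setfacl command above, not captured from the page.

```python
# Constructed sample: what getfacl prints after
# `setfacl -m u:anita:-,eric:r /etc/hostname` (not captured from the page).
SAMPLE_ACL = """\
# file: etc/hostname
# owner: root
# group: root
user::rw-
user:anita:---
user:eric:r--
group::r--
mask::r--
other::r--
"""
EXPECTED = {"owner": "root", "group": "root", "other": "r--",  # the task's standard
            "named_users": {"anita": "---", "eric": "r--"}}

def parse_getfacl(text):  # -> {"owner", "group", "entries": [(tag, qualifier, perms), ...]}
    acl = {"owner": None, "group": None, "entries": []}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("# owner:", "# group:")):
            acl[line[2:7]] = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            # Drop any trailing "#effective:..." note, then split tag:qualifier:perms.
            tag, qualifier, perms = line.split("#")[0].strip().split(":")
            acl["entries"].append((tag, qualifier, perms))
    return acl

def effective_perms(acl):  # fields the audit compares, mask applied to named users
    mask = next((p for t, _, p in acl["entries"] if t == "mask"), "rwx")
    def masked(perms):  # a bit is effective only if set in both the entry and the mask
        return "".join(p if p != "-" and m != "-" else "-" for p, m in zip(perms, mask))
    got = {"owner": acl["owner"], "group": acl["group"], "other": None, "named_users": {}}
    for tag, qualifier, perms in acl["entries"]:
        if tag == "other":
            got["other"] = perms
        elif tag == "user" and qualifier:  # user:: (empty qualifier) is the owner entry
            got["named_users"][qualifier] = masked(perms)
    return got

def audit(text, expected=EXPECTED):
    """Return a list of findings; an empty list means the file meets the standard."""
    got = effective_perms(parse_getfacl(text))
    findings = [f"{k}: expected {expected[k]}, got {got[k]}"
                for k in ("owner", "group", "other") if got[k] != expected[k]]
    for user, perms in expected["named_users"].items():
        actual = got["named_users"].get(user)  # None: no entry, user falls back to group/other
        if actual != perms:
            findings.append(f"user {user}: expected {perms}, got {actual}")
    return findings
```

Feeding it the pre-ACL listing from step 2 reports both missing named-user entries, and a mask of `---` is reported as eric losing read access even though his entry still says `r--`.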
6. Click on Finish & Confirm to complete the task successfully
Happy Learning!!!!