FaF (File Anomaly Finder) is a wrapper for the *nix 'find' utility. It generates audit reports for data matching specific characteristics, such as setgid/setuid or unowned files. The objective is simply a small anomaly finder that identifies common flawed permissions or otherwise suspicious file system characteristics.

The main features of FaF are:
  • simplistic and to the point audit reports
  • easy setup and configuration
  • audits emailed to customizable address or user
  • ideal for web servers or general purpose workstations
  • audits of setgid/setuid, hidden, unowned, & world writable data
  • very portable
http://www.r-fx.org/faf.php

# wget http://www.r-fx.ca/downloads/faf-current.tar.gz
# tar xvf  faf-current.tar.gz

# cd faf*
# ./install.sh

Install path:     /usr/local/faf/
Config path:     /usr/local/faf/conf.faf
Executable path: /usr/local/sbin/faf


Why do you need such a tool?
Never trust anyone, sometimes not even yourself ;-) Used correctly, this tool makes sure you never forget a file with too many permissions. It may also reveal an intruder who has put new files under a user such as nobody...

What to do with the output?

Each type of finding in the report calls for a different reaction...

SUID/SGID Binaries

The sticky bit was originally used on executables (on old UNIX systems, not Linux) to keep the program's text segment in swap after it exited, so that the next start was faster. With modern memory management this is no longer needed and Linux ignores the bit on regular files. Today it is used on directories: a file or directory created inside a sticky directory can only be deleted or renamed by its owner, the directory's owner, or root. The classic example is /tmp, where every user has write permission but only the owner of a file can delete it. Remember that deleting a file is controlled by the write permission on the directory, not on the file, so files inside a writable directory can be deleted even when the file itself is read-only. This is where the sticky bit comes in.

SUID (SetUID) bit: an executable with SUID set runs with the effective user id of the file's owner rather than of the person running it. So if you own an executable and another user runs it, it runs with your permissions, not theirs; the default is that a program runs as the user executing it. SUID-root binaries are the classic target for local privilege escalation, so every one of them has to be accounted for, and a new one showing up in the report is a red flag.

Consider also reading:
What are the SUID, SGID and the Sticky Bits?

The SGID bit works the same way as SUID, except that the program runs with the permissions of the file's group. Set on a directory, it makes any file or directory created inside inherit the directory's group, which is how shared project directories are usually set up.

You can also find them manually by entering:
# find / -type f \( -perm -4000 -o -perm -2000 \) -print
(replace -print by -ls to see owner and mode at the same time).

files in /srv   (http root folder)
   You should accept NO files with SUID/SGID in the HTTP root folder. Strip the bits from all of them (and find out how they got there):
        # find /srv -type f \( -perm -4000 -o -perm -2000 \) -exec chmod u-s,g-s {} \;

No Owner/Group
Files whose uid or gid matches no entry in /etc/passwd or /etc/group usually come from a deleted account or from an archive unpacked with foreign ids, but they may also be an indication that an intruder has accessed your system...
They can also be found manually by typing:
# find / \( -nouser -o -nogroup \) -print
files in /srv  (http root folder)

Permissions and ownership work together to keep your server running peacefully. The basic idea is always to give each file the minimum rights it needs.

A rule of thumb:
read only for all files: r--r--r-- or r--------
read and execute for all directories: r-xr-xr-x or r-x------
The complication is that Apache and PHP run under their own user, which also has to read those files, and sometimes write them...

A very informative article explaining the problem on a concrete example (Gallery2) can be found at  http://codex.gallery2.org/Gallery2:Security

At the least (the worst case), when Apache runs as the wwwrun user in the www group (SUSE's defaults), in your HTTP directory:
# chown -R wwwrun .
# chgrp  -R www .
then all files can be rw------- and directories rwx------ (r-x------ would stop Apache from creating files, which is the whole point of this layout).
Advantage: you can use the Joomla! administrator panel, since Apache/PHP can write everywhere.
BUT: any bug in the PHP code lets an attacker read or overwrite every file, including the application's own PHP, so this is highly insecure.

Better: make your own shell user the owner of everything in the HTTP directory (here the author's user cedric and the Plesk group psacln):
# chown -R cedric .
# chgrp  -R psacln  .
and hand only the directories Apache really has to write (cache, upload and session directories) to the web server user:
# chown -R wwwrun cache
# chgrp  -R www cache
Advantage: a bug in Apache/PHP, or an attack through it, cannot touch any of your files; only the cache can be modified. Make sure nothing under those writable directories is ever executed as PHP.
BUT: if PHP does not run under your user (suEXEC, suPHP or a per-site php-fpm pool), the Joomla! panel won't be usable, as Apache/PHP won't be able to install new components or images.

Files in /etc must generally be owned by root and writable by root only
# chown -R root /etc
# chgrp  -R root /etc
# find /etc -type f -exec chmod 600 {} \;
Do NOT run these blindly on a live system: most of /etc has to stay world-readable (/etc/passwd, /etc/hosts, /etc/resolv.conf, the init scripts, which also need their execute bit), and on many distributions /etc/shadow belongs to the shadow group, so a blanket chown/chgrp/chmod 600 will break logins and services. What you actually want to enforce is "not writable by anybody but root"; pick the files to lock down to 600 one by one (private keys, files holding database passwords).

World Writable

files in /srv
must be avoided at all costs! This line removes the world-writable bit from all files in /srv:
# find /srv -type f -perm -0002 -exec chmod o-w {} \;
This line removes it from all directories in /srv:
# find /srv -type d -perm -0002 -exec chmod o-w {} \;
Files in /
You should ignore files under /proc and /dev (hundreds of these are correctly world writable), symbolic (soft) links (which always show mode 777; the mode of a link is never used), directories with the sticky (save text) bit set, and sockets, as those are relatively safe. A world-writable directory WITHOUT the sticky bit, or a world-writable regular file, is what you are looking for.
Hidden Files/Paths

Outside home directories (where dotfiles are normal) you should have almost no such files; names like "...", ". " or a dot-directory under /tmp, /var/tmp, /dev or the web root are a classic place for intruders to stash tools. Try to understand why each one is there (search for the name), look inside, and move it aside rather than deleting it, so you keep it for analysis.
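The manual checks from the SUID/SGID, No Owner/Group, World Writable and Hidden sections, plus the two /srv remediations and the "writable only by root" check for /etc, as one added shell script. This is example code written for this page, not FaF's own source. Assumptions: the pseudo-filesystems to skip are /proc, /dev, /sys and /run, and the sample tree built by make_sample_tree is constructed here for illustration (it is not real data from any server).

```sh
#!/bin/sh
# Added example (not FaF's own code): a FaF-style audit built on find(1),
# plus the remediations the text recommends for the HTTP root.
# Assumption: world-writable entries under these pseudo-filesystems are
# expected, so they are pruned. The string is word-split on purpose.
PRUNE='( -path /proc -o -path /dev -o -path /sys -o -path /run ) -prune -o'

# setuid or setgid regular files (the page's own 'find /' check).
audit_setuid_setgid() {
    find "$1" $PRUNE -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Files whose uid or gid no longer maps to a passwd/group entry.
audit_unowned() {
    find "$1" $PRUNE \( -nouser -o -nogroup \) -print
}

# World-writable entries, minus the cases the text calls safe:
# symlinks, sockets and sticky directories such as /tmp.
audit_world_writable() {
    find "$1" $PRUNE -perm -0002 ! -type l ! -type s \
        ! \( -type d -perm -1000 \) -print
}

# Hidden names anywhere under the root ('.hidden', '...', '. ' are classics).
audit_hidden() {
    find "$1" $PRUNE -name '.*' -print
}

# Group- or world-writable regular files: the check to run on /etc instead
# of a blanket chmod 600, which would break world-readable files like passwd.
audit_group_world_writable() {
    find "$1" $PRUNE -type f \( -perm -020 -o -perm -002 \) -print
}

# Remediations for the HTTP root: strip the bits, keep the files for analysis.
strip_setuid_setgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec chmod u-s,g-s {} +
}
strip_world_writable() {
    find "$1" -perm -0002 ! -type l -exec chmod o-w {} +
}

# One report with a header per check, in the spirit of FaF's e-mailed audit.
report() {
    for check in setuid_setgid unowned world_writable hidden; do
        printf '== %s ==\n' "$check"
        "audit_$check" "$1"
    done
}

# Constructed sample tree (not real data) holding one instance of each finding.
make_sample_tree() {
    d="$1"
    umask 022
    mkdir -p "$d/srv/www/cache" "$d/tmp/..." "$d/etc/cron.d"
    chmod 0755 "$d/srv" "$d/srv/www" "$d/etc" "$d/etc/cron.d" "$d/tmp/..."
    chmod 1777 "$d/tmp"                        # sticky dir: must NOT be reported
    printf '#!/bin/sh\n' > "$d/srv/www/shell.cgi"
    chmod 4755 "$d/srv/www/shell.cgi"          # setuid in the web root
    : > "$d/srv/www/helper"
    chmod 2755 "$d/srv/www/helper"             # setgid in the web root
    : > "$d/srv/www/cache/sess.tmp"
    chmod 0666 "$d/srv/www/cache/sess.tmp"     # world-writable file
    chmod 0777 "$d/srv/www/cache"              # world-writable dir, no sticky bit
    ln -s /etc/passwd "$d/srv/www/link"        # symlink: must NOT be reported
    : > "$d/srv/www/.hidden"                   # hidden file in the web root
    : > "$d/etc/passwd"
    chmod 0644 "$d/etc/passwd"                 # world-readable is correct here
    : > "$d/etc/cron.d/job"
    chmod 0664 "$d/etc/cron.d/job"             # group-writable: reported
}

# Stand-alone demo: build the tree, report, remediate the web root, report again.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    report "$tmp"
    strip_setuid_setgid "$tmp/srv"
    strip_world_writable "$tmp/srv"
    printf '== after remediation ==\n'
    report "$tmp"
    rm -rf "$tmp"
fi
```

Run it with `sh faf-audit.sh demo` to see the constructed tree before and after remediation; on a real host call `report /` from cron and pipe the output to mail(1), which is essentially what FaF does. The unowned check cannot be demonstrated without root (assigning a non-existent uid needs chown privileges), so the sample tree only shows that correctly owned files are not reported.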