LFCA: How to Improve Linux System Security - Part 20


As we know, the root user is king and wields unlimited privileges over a Linux system. Non-root users, by contrast, are limited to basic tasks. In addition, sudo users are granted only a certain degree of root privileges, as the root user deems fit, to perform specific tasks.

Problems arise when regular users gain uncontrolled access to resources or are unintentionally escalated to root. This is a serious security risk that can lead to breaches, unwanted modifications and, in the worst case, a crashed system. Another potential risk is files with insecure file permissions. For example, boot files that are writable by global users can easily be modified or corrupted, resulting in a broken system.


While we can implement physical, network and data security, a malicious user can still circumvent those measures and take advantage of such loopholes. That is why file system security should be taken seriously. It provides an additional layer of protection against attacks and insider threats from malicious employees, who do not need to bypass the perimeter security measures in order to reach files.

In system security, we will focus on the following key points:

  • Access rights - user and group permissions.
  • Enforcing password policies with the PAM module.

Access Rights - User and Group Permissions

You have surely heard that everything in Linux is considered a file, and if it is not a file, it is a process. Every file on a Linux system is owned by a user and a group. It also carries file permissions for three user categories: User (u), Group (g) and Others (o). For each category the permissions are expressed as read, write and execute (rwx).

rwx        rwx       rwx
User       Group     Others

As seen earlier in the ls command, as shown.

$ ls -l

Just to recap, permissions are usually represented by nine characters. The first three represent the access rights of the user who owns the file. The second set represents the permissions of the file's group owner. The last set is for others, or global users. These characters always appear in read, write, execute (rwx) order.

After the permissions come the user and group ownership, followed by the file or directory size, the modification date and finally the file name.
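To make the nine-character layout concrete, here is an added example (my own code, not from the original article) that decodes an ls -l mode string into its octal value. It goes a little beyond the paragraph by also handling the s and t special bits that are covered later in this part. The function names (mode_to_octal, demo_modes) and the three sample ls -l lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original article: decode the nine-character
# rwx string printed by ls -l into its octal value, special bits included.
# Positions 0-2 are the user triplet, 3-5 the group triplet, 6-8 others.

# mode_to_octal MODE
#   MODE is "rwxr-xr-x" or the 10-character form with the file-type
#   character in front ("-rwxr-xr-x", "drwxrwxrwt"). Prints the 4-digit
#   octal mode: 0755, 4755 (SUID), 2755 (SGID), 1777 (sticky). Prints an
#   error and returns 1 for malformed input.
mode_to_octal() {
    m=$1
    [ "${#m}" -eq 10 ] && m=${m#?}              # drop the file-type character
    [ "${#m}" -eq 9 ] || { echo "malformed mode string: $1" >&2; return 1; }
    special=0 perms=0 i=0
    while [ -n "$m" ]; do
        c=${m%"${m#?}"}                          # first remaining character
        m=${m#?}
        # Only certain characters are legal at each position.
        case "$i$c" in
            [036]r|[036]-|[147]w|[147]-|[258]x|[258]-|[25]s|[25]S|8t|8T) ;;
            *) echo "unexpected '$c' at position $i in $1" >&2; return 1 ;;
        esac
        # Lowercase s/t means the execute bit is set as well; S/T means it is not.
        case $c in
            r|w|x|s|t) flag=1 ;;
            *)         flag=0 ;;
        esac
        # Special bits: SUID (4000) in the user triplet, SGID (2000) in the
        # group triplet, sticky (1000) in the others triplet.
        case "$i$c" in
            2s|2S) special=$((special + 4)) ;;
            5s|5S) special=$((special + 2)) ;;
            8t|8T) special=$((special + 1)) ;;
        esac
        perms=$((perms * 2 + flag))              # nine bits, rwxrwxrwx order
        i=$((i + 1))
    done
    printf '%04o\n' $((special * 512 + perms))
}

# Decode the mode field of a few constructed ls -l lines (sample data, not
# real system output) and print "<octal> <name>" for each.
demo_modes() {
    printf '%s\n' \
        '-rwsr-xr-x 1 root  root  68208 Jan  1 00:00 boot_helper' \
        'drwxrwxrwt 2 root  root   4096 Jan  1 00:00 shared' \
        '-rw-r--r-- 1 alice staff   512 Jan  1 00:00 notes.txt' |
    while read -r mode rest; do
        name=${rest##* }                         # last whitespace-separated field
        printf '%s %s\n' "$(mode_to_octal "$mode")" "$name"
    done
}

demo_modes
```

Run as-is it prints 4755 boot_helper, 1777 shared and 0644 notes.txt; the position check rejects strings such as rwtrwxrwx, where a special-bit letter appears in a triplet it cannot belong to.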

Changing File/Directory Permissions and Ownership

User permissions on files and directories can be modified as deemed fit. The rule of thumb is to apply the principle of least privilege. Simply put, make sure users get the bare minimum access rights or permissions required to do their job.

The principle of least privilege restricts users to certain roles only and, by doing so, minimizes the risk of an attacker accessing and modifying critical data through a low-privileged user account. It also reduces the attack surface and limits the spread of malware should an attacker take control of your system.

Therefore, if a user only needs to view the contents of a file or directory, they should not be granted write or execute permission. At the most basic level, grant the fewest permissions and ownership rights the user needs to accomplish their tasks. We covered how to modify user permissions and ownership of files/directories with the chmod and chown commands in the basic Linux commands.

To make permission management easier for the system administrator, special permissions or access rights can be granted to entire directories. One of the special permissions that can be used to restrict deletion and modification of a file or directory is the sticky bit.

In a scenario where all users on the system or network can access a particular directory, there is a risk that some users may delete or modify the files inside it. This is undesirable if you want to maintain the integrity of the directory. This is where the sticky bit comes in.

The sticky bit is a special file permission that is set on a file or on an entire directory. It grants only the owner of that file/directory permission to delete or change the file or the directory's contents. No other user can delete or modify the file/directory. It has the symbolic value t and the numeric value 1000.

To set the sticky bit on a directory, use the chmod command as follows:

$ chmod +t directory_name

In the example below, we have applied the sticky bit to a directory called test. In the case of a directory, all of its contents inherit the sticky bit permission. You can verify the sticky bit with the ls -ld command. Note the t symbol at the end of the file permissions.

$ ls -ld test

If another user tries to delete the directory or modify a file inside it, they are greeted with a Permission denied error.

And that is the gist of the sticky bit file permission.

SUID (Set User ID) is another special permission that allows a regular user to execute a file with the permissions of the file's owner. It is usually denoted by the symbolic value s in the user section of the file permissions, in place of the x that represents execute permission. SUID has the numeric value 4000.

SGID (Set Group ID) allows a regular user to inherit the group permissions of the file's group owner. Instead of the x for execute permission, you will see an s in the group section of the file permissions. SGID has the numeric value 2000.

Convenient as they are, SUID and SGID permissions carry security risks and should be avoided at all costs. This is because they confer special privileges on regular users. If an intruder posing as a regular user comes across an executable file owned by root with the SUID bit set, they can use that loophole to exploit the system.

To find all files with the SUID bit set on Linux, run the find command as the root user.

$ find / -perm -4000 -type f

For directories:

$ find / -perm -4000 -type d

To find all files with the SGID bit set, run:

$ find / -perm -2000 -type f

For directories, run:

$ find / -perm -2000 -type d

To remove the SUID bit from a file, run the chmod command as shown:

$ chmod u-s /path/to/file

To remove the SGID bit from a file, run the command:

$ chmod g-s /path/to/file
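The following added example (my own code, not from the original article) puts the sticky-bit procedure and the SUID/SGID audit above together: it sets the sticky bit on a shared directory and reads it back with ls -ld, then runs the find checks over a constructed directory tree and strips the bits with chmod. The function names (set_sticky, count_special_bits, strip_special_bits, demo_special_bits) and the file names suid_tool, sgid_tool and plain_tool are invented for the example.

```shell
#!/bin/sh
# Added example, not from the original article: set and verify the sticky
# bit on a shared directory, then audit a directory tree for SUID/SGID
# executables and strip the bits. It builds a throwaway tree under mktemp
# so nothing on the real system is modified.

# set_sticky DIR: turn on the sticky bit (octal 1000) and print the last
# character of the ls -ld mode field, "t" when the bit is set.
set_sticky() {
    chmod +t "$1" && ls -ld "$1" | cut -c10
}

# count_special_bits ROOT: print "<suid files> <sgid files>" under ROOT.
# -perm -MODE matches when every bit in MODE is set, so -perm -4000 is
# "SUID set, whatever else is set".
count_special_bits() {
    suid=$(find "$1" -perm -4000 -type f | wc -l)
    sgid=$(find "$1" -perm -2000 -type f | wc -l)
    echo "$((suid)) $((sgid))"                   # arithmetic strips wc padding
}

# strip_special_bits FILE: remove SUID and SGID in one chmod call.
strip_special_bits() {
    chmod u-s,g-s "$1"
}

# Constructed scenario: one world-writable shared directory plus three
# small scripts, one SUID (4755), one SGID (2755) and one plain (0755).
# Prints "<sticky char> <suid before> <sgid before> <suid after> <sgid after>".
demo_special_bits() {
    root=$(mktemp -d) || return 1
    mkdir "$root/shared"
    chmod 0777 "$root/shared"
    sticky=$(set_sticky "$root/shared")
    for name in suid_tool sgid_tool plain_tool; do
        printf '#!/bin/sh\necho hello\n' > "$root/$name"
    done
    chmod 4755 "$root/suid_tool"
    chmod 2755 "$root/sgid_tool"
    chmod 0755 "$root/plain_tool"
    before=$(count_special_bits "$root")
    strip_special_bits "$root/suid_tool"
    strip_special_bits "$root/sgid_tool"
    after=$(count_special_bits "$root")
    rm -rf "$root"
    echo "$sticky $before $after"
}

demo_special_bits
```

On a live system, running find against / lists the legitimate SUID binaries (passwd, su and the like) alongside anything unexpected, so compare the output against a known-good baseline before stripping any bit. GNU find additionally accepts -perm /6000 to match files that have either bit set.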

It is not unusual for users to set weak passwords. A good number set short, obvious and easy-to-remember passwords so as not to forget them when logging in. While convenient, weak passwords can easily be broken using brute-force scripts.

PAM (Pluggable Authentication Modules) is a framework that lets system administrators enforce password policies on Linux systems. To do so, you need the pam_pwquality module, which is provided by the libpam-pwquality library. The pam_pwquality module checks the strength of a password against a set of rules and a system dictionary, and flags weak password choices.

To install the pam_pwquality module on Ubuntu 18.04 and later, run:

$ sudo apt install libpam-pwquality

On RHEL/CentOS 8, run the command:

$ sudo dnf install libpwquality

The configuration file is found at the following location:

  • On Debian systems - /etc/pam.d/common-password
  • On RedHat systems - /etc/pam.d/system-auth

Before we start modifying the PAM configuration file, let us first look at the password aging controls.

These are found in the /etc/login.defs file.

The file contains the following password control keys:

  • PASS_MAX_DAYS: The maximum number of days a password may be used.
  • PASS_MIN_DAYS: The minimum number of days allowed between password changes.
  • PASS_WARN_AGE: The number of days of warning given before a password expires.

The default values are shown below.

The PASS_MAX_DAYS attribute limits the number of days a user can use a password. When this value is reached and the password expires, the user is forced to change it in order to log in to the system. By default, the value is set to 99999, which translates to 273 years. That makes little sense from a security standpoint, as a user could keep the same password for their entire life.

You can set this to a sensible value, say 30 days, as shown.

PASS_MAX_DAYS  30

Once 30 days have elapsed, users will be forced to change their password to a different one.

The PASS_MIN_DAYS attribute specifies the minimum period users must keep a password before they can change it. What does this mean? If, for example, the value is set to 15 days, a user cannot change their password again before 15 days have passed.

PASS_MIN_DAYS  15

The PASS_WARN_AGE attribute sets the number of days before expiry during which a user is warned that their password is about to expire. For example, you can set it to 7 days, as shown.

PASS_WARN_AGE  7

NOTE: These password controls do not apply to existing accounts. They apply only to new accounts created after the rules are defined.
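As an added example (my own code, not part of the original article), the following shell functions make the three aging changes in a login.defs-style file without hand-editing it, working on a constructed copy rather than the real /etc/login.defs. The function names set_login_def, get_login_def and demo_password_aging, and the sample file contents, are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original article: change the password aging
# keys in a login.defs-style file. set_login_def replaces an existing or
# commented-out line, or appends the key when it is absent, so it can be
# re-run safely. The demo works on a constructed copy, not /etc/login.defs.

# set_login_def FILE KEY VALUE
set_login_def() {
    file=$1 key=$2 value=$3
    if grep -Eq "^#?[[:space:]]*$key[[:space:]]" "$file"; then
        # Rewrite through a temp file; sed -i differs between GNU and BSD sed.
        sed -E "s/^#?[[:space:]]*$key[[:space:]].*/$key  $value/" "$file" > "$file.tmp" &&
            mv "$file.tmp" "$file"
    else
        printf '%s  %s\n' "$key" "$value" >> "$file"
    fi
}

# get_login_def FILE KEY: print the active (uncommented) value of KEY.
get_login_def() {
    awk -v k="$2" '$1 == k { print $2 }' "$1"
}

# Constructed excerpt of a login.defs file (sample data: PASS_MIN_DAYS is
# commented out and PASS_WARN_AGE is missing, so all three code paths run).
# Prints "MAX MIN WARN" after the edit.
demo_password_aging() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# Password aging controls (constructed sample)
PASS_MAX_DAYS   99999
#PASS_MIN_DAYS  0
EOF
    set_login_def "$f" PASS_MAX_DAYS 30
    set_login_def "$f" PASS_MIN_DAYS 15
    set_login_def "$f" PASS_WARN_AGE 7
    echo "$(get_login_def "$f" PASS_MAX_DAYS) $(get_login_def "$f" PASS_MIN_DAYS) $(get_login_def "$f" PASS_WARN_AGE)"
    rm -f "$f"
}

demo_password_aging
```

Because the NOTE above applies, accounts that already exist keep their old aging values; the same limits can be applied to one of them with chage -M 30 -m 15 -W 7 USERNAME, and chage -l USERNAME shows what is currently in effect for that account.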

Before you edit the /etc/pam.d/common-password file, create a backup copy. In this example, we create the backup file common-password.bak.

$ sudo cp /etc/pam.d/common-password /etc/pam.d/common-password.bak

Then open the file.

$ sudo vim /etc/pam.d/common-password 

Locate the line shown below.

password        requisite          pam_pwquality.so retry=3

The retry option sets the maximum number of times you are prompted to enter the right password before getting an error. By default, it is set to 3. This is just one option; we are going to add several more.

Append these attributes to the line:

minlen=10 difok=3 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 reject_username 

Let's flesh out these attributes.

  • minlen=10: Sets the minimum acceptable length of the password; in this case, 10 characters.
  • difok=3: This is the maximum number of characters that are present in the previous password.
  • lcredit=-1: The minimum number of lowercase letters that should be present in the password.
  • ucredit=-1: The minimum number of uppercase letters that should be present in the password.
  • dcredit=-1: The minimum number of digits that should be present in the password.
  • ocredit=-1: The minimum number of special characters, e.g. @, #, &, that should be present in the password.
  • reject_username: This option causes the password to be rejected if it is the username, either straight or reversed.
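To show what those attributes actually accept and reject, here is an added example written for this page; it is my own plain-shell checker, not pam_pwquality's code. It applies minlen=10, lcredit/ucredit/dcredit/ocredit=-1, reject_username and difok=3 to a candidate password, skips pam_pwquality's dictionary check and credit scoring, and takes difok in the sense the pam_pwquality(8) man page gives it: at least that many characters of the new password must not occur in the old one. The function names (check_password, reverse_str, count_new_chars, to_lower), the user name alice and the sample passwords are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original article and not pam_pwquality's own
# code: a plain-shell checker for the policy attributes listed above.
# Dictionary checks and credit scoring are not modelled.

to_lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# reverse_str STRING: print STRING reversed (pure sh, no rev(1) needed).
reverse_str() {
    s=$1 out=
    while [ -n "$s" ]; do
        out="${s%"${s#?}"}$out"                 # prepend the first character
        s=${s#?}
    done
    printf '%s\n' "$out"
}

# count_new_chars NEW OLD: how many characters of NEW are absent from OLD
# (the quantity difok compares against its threshold).
count_new_chars() {
    new=$1 old=$2 n=0
    while [ -n "$new" ]; do
        c=${new%"${new#?}"}
        case $old in *"$c"*) ;; *) n=$((n + 1)) ;; esac
        new=${new#?}
    done
    echo "$n"
}

# check_password NEW OLD USERNAME: print "OK" or the name of the first
# rule the candidate fails, and return 1 in that case.
check_password() {
    pw=$1 old=$2 user=$3
    [ "${#pw}" -ge 10 ] || { echo minlen; return 1; }          # minlen=10
    lpw=$(to_lower "$pw") luser=$(to_lower "$user")
    if [ "$lpw" = "$luser" ] || [ "$lpw" = "$(reverse_str "$luser")" ]; then
        echo reject_username; return 1                          # reject_username
    fi
    case $pw in *[[:lower:]]*) ;; *) echo lcredit; return 1 ;; esac   # lcredit=-1
    case $pw in *[[:upper:]]*) ;; *) echo ucredit; return 1 ;; esac   # ucredit=-1
    case $pw in *[[:digit:]]*) ;; *) echo dcredit; return 1 ;; esac   # dcredit=-1
    case $pw in *[[:punct:]]*) ;; *) echo ocredit; return 1 ;; esac   # ocredit=-1
    [ "$(count_new_chars "$pw" "$old")" -ge 3 ] || { echo difok; return 1; }  # difok=3
    echo OK
}

# Constructed candidates for user "alice" whose previous password was
# "OldPassw0rd!" (sample values only).
for candidate in 'Tr1cky#Passphrase' 'Sh0rt!Pw' 'longpassword1!' 'OldPassw0rd!X'; do
    printf '%-20s %s\n' "$candidate" "$(check_password "$candidate" 'OldPassw0rd!' alice)"
done
```

The last sample is the instructive one: OldPassw0rd!X satisfies every character-class rule yet fails, because only one of its characters is new relative to the previous password, which is exactly the kind of minimal change difok exists to catch.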

If you try to create a new user whose password falls short of the policy, you will run into errors like the ones shown.

That concludes the topic of system security and security fundamentals in general. Throughout this chapter, we have shed light on basic security measures you can implement to safeguard your Linux system from malicious users such as hackers or disgruntled employees.