find Command as Admin Security Tool


Dr. Bill Mihajlovic
INCS-620 Operating Systems Security

find Command

The find command searches for the file or files that meet certain conditions, like:
  - a certain name
  - a certain size
  - certain access permissions
  - accessed, or not accessed, for n days
  - has m links
  - is owned by some user, or does not have an owner
  - flexible logical search expressions, etc.

find Command

find searches for files only in the directories for which the user has access permission.

find Example

find is a very powerful but hard-to-use file management command.

    # find /dirx -name filex -print

  - The search starts at /dirx.
  - The criterion is filename = filex.
  - Each time a match is found, its pathname is printed.
  - The expression -print says: display the path names of all matching files.
  - The expression -name filename returns true for those files matching filename.

find Example: -name

To find filey anywhere under /dirx by name, use:

    # find /dirx -name filey -print

To find all C-language source files, use:

    # find /dirx -name '*.c' -print

To find all files that end with a one-letter extension, use:

    # find /dirx -name '*.?' -print

find Example: -atime

To find all files under /dirx that have been accessed exactly 7 days ago, use:

    # find /dirx -atime 7 -print

To find all files under /dirx that have been accessed within the last 14 days (less than 14 days ago), use:

    # find /dirx -atime -14 -print

find Example: -mtime

To find all files last modified exactly 20 days ago, use:

    # find /dirx -mtime 20 -print

To find all files modified more than 40 days ago, use:

    # find /dirx -mtime +40 -print

To find all files last modified less than 20 days ago, use:

    # find /dirx -mtime -20 -print

find Example: core

To find all core files older than 7 days and remove them from the system, use:

    # find / -name core -mtime +7 -exec rm {} \;

Core files are entire memory-map snapshots (memory-content copies) made at the time of an OS kernel crash. If an intrusion caused the crash, analysis of the core dump file may help in performing forensic analysis. Core files are huge on powerful, memory-rich servers and must be periodically removed.

find Groups of Files

Print all files under /usr/src ending in .c or .p:

    # find /usr/src -name '*.[cp]' -print

-exec Example

Remove (-exec rm {}) all ordinary files (-type f) of fewer than 30 characters (-size -30c) under the directory /dirz:

    # find /dirz -type f -size -30c -exec rm {} \;

find Example: Relative Age

Produce a list of the names of all files under the directory /var modified since /etc/logfile was modified:

    # find /var -newer /etc/logfile -print

find Example: Illegal Words

Find and print every line of every file on the system that contains the text string "sex" (or maybe "drugs"):

    # find / -exec grep sex {} \;

Finding File Links via Common ID Numbers

Linked files are identical to the original and may be located in many directories under various names (all linked files must have the same i-node number). To locate all links to a file, one must first get the i-node of one of the linked files and then search for all files with that i-node. To find all links to the vi program, do the following:

    # ls -li vi
    1286 -rwxr-xr-x 2 715 100 1024 Mar 1 vi
    # find / -inum 1286 -print
    /usr/bin/vi
    /usr/bin/edit
    /usr/bin/ex
    /usr/bin/view
    /usr/bin/vedit
    #

Finding Files Without Owner

Every file on a Unix system has an owner and an associated UID. A numeric user identifier in a normal long listing, instead of a name, means that the identifier doesn't correspond to any currently defined user or, at least, that the owner's entry has been removed from the /etc/passwd file or the NIS/NIS+ map. To locate files that are not associated with any currently defined user, you can look for numeric identifiers in long listings or search for them using the find criterion -nouser, as shown in this example:

    # find ./* -nouser -ls
    -rwxr-xr-x 2 715 100 1024 Mar 11 /export/home/bud/filex
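The i-node search above, written as an added example that is not part of the lecture: the function names (links_to, count_links) and the constructed directory tree are mine. It reads the i-node with ls -i as the slide does, but restricts find to one filesystem with -xdev, because i-node numbers are only unique within a single filesystem.

```shell
#!/bin/sh
# Added example (not from the lecture): locate every hard link to a file by
# its i-node number, as slide 7 does with "ls -li" and "find -inum".

# links_to FILE TOPDIR: print all paths under TOPDIR sharing FILE's i-node.
links_to() {
    inum=$(ls -id "$1" | awk '{ print $1 }')   # first column of ls -i is the i-node
    find "$2" -xdev -inum "$inum" -print       # -xdev: stay on FILE's filesystem
}

# count_links FILE TOPDIR: number of directory entries found for FILE's i-node.
count_links() {
    links_to "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sandbox: one regular file, two hard links to it in other
# directories, and an unrelated file that must not be reported.
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/bin" "$DEMO/usr/bin" "$DEMO/sbin"
printf 'editor\n' > "$DEMO/bin/vi"
ln "$DEMO/bin/vi" "$DEMO/usr/bin/view"
ln "$DEMO/bin/vi" "$DEMO/sbin/ex"
printf 'other\n' > "$DEMO/bin/cat"

links_to "$DEMO/bin/vi" "$DEMO"     # prints the vi, view and ex paths
```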

Find Files with No User

To locate files that are not associated with any currently defined user, you can look for numeric identifiers in long listings or search for them using the find criterion -nouser, as shown in this example:

    # find ./* -nouser -ls
    -rwxr-xr-x 2 715 100 1024 Mar 1 /export/home/bud/datafile
    -rw-r-xr-- 2 715 100 2124 Mar 7 /export/home/bud/filex
    #

Find a Given User's Files

To locate files that belong to a certain user (e.g. frank) or an associated group (e.g. students), in a mixture of many files belonging to many users, one can use the -user and -group options with the OR (-o) operator:

    # find ./ \( -user frank -o -group students \) -print
    /export/home/frank/project.c
    /export/home/frank/.profile
    /export/home/jo/fx
    #

To prevent the shell from interpreting them itself, the escape character \ is necessary before the characters ( and ).

find Example

It is necessary to quote any file arguments that contain *, ? or [.

    # find . -name 'poem.?' -print

Logical Tests and Search

One can add any number of tests to the find test list. Each test in a sequence is ANDed, so the final action is invoked only if all the tests return TRUE. No explicit AND operator is needed; simply use spaces between tests.

    # find . -name 'poem.?' -size +2 -perm 711 -print

This lists only files matching poem.? that have more than 2 blocks of storage and have permissions rwx--x--x.

Logical Tests

Tests can be logically ORed using the -o operator, or logically reversed with the ! (bang) operator. The three logical operators, OR (-o), AND (implied by a space), and NOT (!), can be combined in any way required. Logical operator precedence must be observed (higher-precedence operators are applied before lower-precedence operators). To override precedence or to enhance legibility, use the escaped parentheses \( and \).

    # find ./ \( -name 'poem.?' -o -name 'poet*' \) -size +2 -print

\( and \): Escaped Parentheses

If you use unescaped parentheses with find, the shell will try to interpret the Boolean expression as commands. The Boolean expression should be evaluated by the find command, not by the shell. The escape character \ neutralizes the default shell meaning of the following character (it performs an escape from the default, common meaning of the escaped character).

-size Arguments

  Argument   Meaning
  n          TRUE if file has exactly n blocks
  +n         TRUE if file has more than n blocks
  -n         TRUE if file has less than n blocks

find Example: -perm

Print all files owned by root with permission rws--x--x or rwsr-xr-x:

    # find / -user root \( -perm 4711 -o -perm 4755 \) -print
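The logical tests, -size units and -perm forms from the last three slides, as an added example that is not part of the lecture; the function names and the constructed files (poem.1, poem.2, poet.txt, song.1) are mine. It also shows the caveat a practitioner needs with -perm: "-perm MODE" matches only an exact mode, while "-perm -MODE" matches any file that has at least all of MODE's bits set.

```shell
#!/bin/sh
# Added example (not from the lecture) for slides 9-11: implied AND, -o with
# escaped parentheses, -size in 512-byte blocks, and exact vs. masked -perm.

# Tests are ANDed by default; -o needs \( \) so the parens reach find and
# -size applies to the whole OR group. Globs are quoted so the shell does
# not expand them before find sees them.
big_poems() {
    find "$1" \( -name 'poem.?' -o -name 'poet*' \) -size +2 -print | sort
}

# -perm MODE matches only files whose mode is exactly MODE.
exact_mode() { find "$1" -type f -perm "$2" -print | sort; }

# -perm -MODE matches files having at least every bit of MODE set; this is
# the form wanted for "all files with this privilege bit" style audits.
has_bits() { find "$1" -type f -perm "-$2" -print | sort; }

count() { wc -l | tr -d ' '; }

# Constructed sandbox; sizes are chosen around the 2-block (1024-byte) line.
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkfile() {
    dd if=/dev/zero of="$DEMO/$1" bs=1 count="$2" 2>/dev/null
    chmod "$3" "$DEMO/$1"
}
mkfile poem.1   2048 711   # 4 blocks, rwx--x--x: name, size and mode all match
mkfile poem.2    100 644   # 1 block: name matches, size does not
mkfile poet.txt 3000 755   # 6 blocks, rwxr-xr-x: has all 711 bits, not exactly 711
mkfile song.1   4000 711   # big enough, exactly 711, but the name does not match

big_poems "$DEMO"          # prints poem.1 and poet.txt
```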

find Command Expressions

  Expression         Definition
  -name filename     Finds files matching the specified filename. Metacharacters are acceptable if placed inside quotes.
  -size [+-]n        Finds files that are larger than +n, smaller than -n, or exactly n. The n represents 512-byte blocks.
  -atime [+-]n       Finds files that have been accessed more than +n, less than -n, or exactly n days ago.
  -mtime [+-]n       Finds files that have been modified more than +n, less than -n, or exactly n days ago.
  -user loginid      Finds all files that are owned by the login ID name.
  -type              Finds a file type; for example, f (file) or d (directory).
  -perm              Finds files that have certain access permission bits.

find Command Actions

  Action               Definition
  -exec command {} \;  Executes the specified command on each file located, automatically. A set of braces, {}, delimits where the file name is passed to the command from the preceding expressions. A space, backslash and semicolon, \;, delimits the end of the command. There must be a space before the backslash (\).
  -ok command {} \;    Interactive form of -exec. It requires input before find applies the command to the file; otherwise, it behaves as the -exec action.
  -print               Instructs find to print the current path name to the terminal screen. This is the default.
  -ls                  Prints the current path name, together with its associated statistics, such as inode number, size in kilobytes, protection mode, number of hard links, and user.

Find Disk Abusers

Find out who the top ten users of disc space are on your system:

    #!/bin/sh
    # spacehogs
    # ls -ls prints blocks used in $1 and the owner in $4; sum blocks per owner.
    find / -type f -exec /bin/ls -ls {} ';' |
    awk '{ using[$4] += $1 }
         END { for (name in using) { print using[name], name } }' |
    sort -nr |
    head
    exit 0

SETUID/SETGID Programs

Find all the SETUID/SETGID programs on your system:

    #!/bin/sh
    # find-setuid
    SUIDFILES=/etc/sfiles
    TEMPFILE=$(mktemp /tmp/find-setuid.XXXXXX)   # unpredictable name, not /tmp/$0.$$
    # -perm -2000 / -perm -4000: the setgid or setuid bit is set (an exact
    # -perm 2000 would only match files whose whole mode is 2000)
    find / -type f -a \( -perm -2000 -o -perm -4000 \) -print > "$TEMPFILE"
    if [ ! -f "$SUIDFILES" ]; then
        echo "$0: creating list of SUID/SGID files in $SUIDFILES"
        mv "$TEMPFILE" "$SUIDFILES"
        chmod 400 "$SUIDFILES"
    else
        echo "$0: differences between current and past SUID/SGID files:"
        diff "$TEMPFILE" "$SUIDFILES"
        rm -f "$TEMPFILE"
    fi
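The setuid/setgid baseline idea from the slide above, as an added example that is not part of the lecture: the function names (privileged_files, check_baseline) and the constructed directory tree are mine. It uses the "-perm -4000" / "-perm -2000" bit-mask form, sorts the list so diff is stable between runs, and reports each change as "+" (newly privileged file) or "-" (no longer privileged), which is what an operator actually reviews.

```shell
#!/bin/sh
# Added example (not from the lecture): setuid/setgid baseline and diff,
# demonstrated on a constructed directory instead of /.

# privileged_files DIR: sorted paths of regular files with setuid or setgid set.
privileged_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# check_baseline DIR BASELINE: create BASELINE on the first run; afterwards
# print "+path" for a new privileged file and "-path" for one that lost the
# bit. Returns 0 when nothing changed, 1 when there is something to review.
check_baseline() {
    current=$(mktemp)
    privileged_files "$1" > "$current"
    if [ ! -f "$2" ]; then
        mv "$current" "$2"
        chmod 400 "$2"
        return 0
    fi
    changes=$(diff "$2" "$current" | grep '^[<>]' | sed 's/^< /-/; s/^> /+/')
    rm -f "$current"
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# Constructed sandbox: one setuid file, one setgid file and a harmless one.
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/usr/bin" "$DEMO/home"
for f in usr/bin/passwd usr/bin/wall home/notes; do printf 'x\n' > "$DEMO/$f"; done
chmod 4755 "$DEMO/usr/bin/passwd"   # rwsr-xr-x
chmod 2755 "$DEMO/usr/bin/wall"     # rwxr-sr-x
chmod 644  "$DEMO/home/notes"

BASE="$DEMO/sfiles"
check_baseline "$DEMO" "$BASE"      # first run: records the baseline
chmod 4755 "$DEMO/home/notes"       # simulate a new setuid file appearing
check_baseline "$DEMO" "$BASE" || echo "(exit status 1: review the change above)"
```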

Find Large Files

Find the top ten files (by size) on your system and who owns them:

    #!/bin/sh
    # top-ten-files
    if [ "$1" = "" ]; then
        WHERE=/
    else
        #WHERE="$1 -mount"   # if your find uses "-mount"
        WHERE="$1 -xdev"     # if your find uses "-xdev"
    fi
    TEMP=/tmp/top-ten-files.$$
    # ls -s prints "blocks name"; sort by blocks, keep the ten largest names
    find $WHERE -type f -exec /bin/ls -s {} ';' | sort -nr | head | awk '{ print $2 }' > $TEMP
    for file in `cat $TEMP`
    do
        DETAILS=`ls -l $file | awk '{ print $3 " " $4 }'`   # owner and group
        echo $file $DETAILS
    done
    rm -f $TEMP
    exit 0

The End