110.1 Perform Security Administration Tasks

Weight: 3

Goal: Review system configuration to ensure host security in accordance with local security policies.

This objective is a toolbox of small tasks: auditing what’s running, finding SUID files, checking who can log in, setting resource limits, and so on.


1. Auditing What’s Listening on the Network

A first security check is “what services are exposed?” Two tools answer this.

ss and netstat

ss -tuln              # TCP+UDP, listening sockets, numeric
ss -tunap             # all states, with the owning processes (needs root)

netstat -tuln         # legacy equivalent
netstat -tunap        # with processes

Look for:

lsof — list open files (and sockets)

lsof -i                            # all network connections
lsof -i :22                        # who is using port 22?
lsof -i tcp                        # only TCP
lsof -iUDP                         # only UDP
lsof -i @192.168.1.10              # connections to/from a specific host
lsof -nP -i                        # numeric, fast (no DNS, no port-name lookup)

lsof shows the process name and PID for each open socket — useful when ss -p doesn’t give you enough.
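Added example, not from the original notes: a small shell filter that takes `ss -tuln` output and labels each socket as reachable from the network (bound to a wildcard or non-loopback address) or loopback-only. The sample output below is constructed; on a live host you would feed `ss -tuln` into it instead. Function names are my own.

```shell
#!/bin/sh
# Label each listening socket from `ss -tuln` output (stdin) as "exposed"
# (bound to a wildcard or non-loopback address) or "local" (loopback only).
# Output: <scope> <netid> <address> <port>
classify_listeners() {
    awk 'NR == 1 { next }                       # skip the ss header line
    {
        local_addr = $5                         # "Local Address:Port" column
        n = split(local_addr, parts, ":")
        port = parts[n]                         # text after the last colon
        addr = substr(local_addr, 1, length(local_addr) - length(port) - 1)
        sub(/%.*/, "", addr)                    # drop a scope suffix such as %lo
        scope = (addr ~ /^127\./ || addr == "[::1]") ? "local" : "exposed"
        printf "%s %s %s %s\n", scope, $1, addr, port
    }'
}

# Summarise: unique "netid port" pairs that are reachable from the network.
exposed_ports() {
    classify_listeners | awk '$1 == "exposed" { print $2, $4 }' | sort -u
}

# Constructed sample in the shape of `ss -tuln` output (not from a real host).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511    127.0.0.1:3306     0.0.0.0:*
tcp   LISTEN 0      128    [::]:22            [::]:*
tcp   LISTEN 0      50     [::1]:6379         [::]:*'

printf '%s\n' "$SAMPLE_SS" | classify_listeners
echo '--- exposed ---'
printf '%s\n' "$SAMPLE_SS" | exposed_ports      # on a real host: ss -tuln | exposed_ports
```

The split on the last colon is what makes this work for both `0.0.0.0:22` and `[::]:22`; a naive `cut -d:` would break on the IPv6 rows.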

nmap — see yourself from outside

Run from another machine, nmap tells you what is actually reachable across the network:

nmap -sT 192.168.1.10              # full TCP connect scan
nmap -sS 192.168.1.10              # SYN scan (root)
nmap -sU 192.168.1.10              # UDP scan
nmap -p 1-1024 192.168.1.10        # specific ports
nmap -sV 192.168.1.10              # service/version detection

Use only on systems you are authorized to scan.


2. Auditing Running Processes

ps, pstree, top

These were covered in LPIC-101 and are reused here as security tools:

ps -ef                            # full process list
ps auxf                           # BSD-style, with a tree view
pstree -p                         # tree with PIDs
top                               # live view

Unfamiliar processes — especially those running as root or listening on a port — are worth investigating.

Identifying suspicious things


3. SUID and SGID Files

A binary with the SUID bit runs with the privileges of its owner instead of the user invoking it. If that owner is root, the binary is a potential privilege-escalation target.

Showing the bits

ls -l /usr/bin/passwd
# -rwsr-xr-x 1 root root ...   the `s` in the owner-execute slot = SUID
ls -l /some/dir
# drwxr-sr-x ... = SGID set on a directory

s instead of x in the owner field means SUID. s in the group field means SGID.

Finding SUID and SGID files

# Find all SUID files anywhere on the system
find / -perm -4000 -type f 2>/dev/null

# All SGID files
find / -perm -2000 -type f 2>/dev/null

# SUID or SGID
find / -perm /6000 -type f 2>/dev/null

# Newer than a known-good baseline
find / -perm -4000 -newer /var/log/baseline 2>/dev/null

These commands appear in security audits all the time. Memorize the octal: 4000 = SUID, 2000 = SGID, 1000 = sticky.
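Added example, not from the original notes: the "newer than a known-good baseline" idea carried through as a baseline-and-compare script. It uses a scratch directory in place of `/` so it runs as an unprivileged user; on a real host the first argument would be `/` and the baseline list would be kept where the audited machine cannot alter it. Function names and the sample file layout are constructed.

```shell
#!/bin/sh
# Baseline-and-compare check for SUID/SGID files.

# Write a sorted list of all SUID/SGID regular files under $1 to $2.
suid_baseline() {
    find "$1" -type f -perm /6000 2>/dev/null | sort > "$2"
}

# Print files that carry SUID/SGID now but were not in the baseline $2.
suid_new_since() {
    find "$1" -type f -perm /6000 2>/dev/null | sort | comm -13 "$2" -
}

# --- demonstration on a constructed tree (stands in for /) ---
ROOT=$(mktemp -d)
mkdir -p "$ROOT/usr/bin" "$ROOT/tmp"
: > "$ROOT/usr/bin/passwd"; chmod 4755 "$ROOT/usr/bin/passwd"   # expected SUID
: > "$ROOT/usr/bin/wall";   chmod 2755 "$ROOT/usr/bin/wall"     # expected SGID
: > "$ROOT/usr/bin/ls";     chmod 0755 "$ROOT/usr/bin/ls"       # ordinary binary

BASELINE="$ROOT/baseline.txt"
suid_baseline "$ROOT" "$BASELINE"
echo "baseline: $(grep -c . "$BASELINE") SUID/SGID files"

# Later a file gains SUID that the baseline never recorded.
: > "$ROOT/tmp/.x"; chmod 4755 "$ROOT/tmp/.x"

echo "new since baseline:"
suid_new_since "$ROOT" "$BASELINE"      # prints .../tmp/.x
rm -rf "$ROOT"
```

`comm -13` prints only lines unique to the second input (the current listing), so anything that appears is a file that acquired the bit after the baseline was taken; files that lost the bit are not reported, which is what an audit for privilege-escalation targets wants.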

Removing SUID/SGID

chmod u-s file        # remove SUID
chmod g-s file        # remove SGID

4. User Accounts and Logins

Currently logged-in users

who                # who is logged in (from /var/run/utmp)
w                  # who is logged in AND what they're doing
users              # just the names
last               # login history (from /var/log/wtmp)
last -n 20         # last 20 logins
lastb              # FAILED login attempts (from /var/log/btmp)
lastlog            # last login time of every user

Inspecting password and account state

passwd -S alice                    # one-line status
chage -l alice                     # aging info

passwd -S codes: PS (password set), LK (locked), NP (no password).

Locking and disabling

Command                     Effect
passwd -l alice             Lock the password.
usermod -L alice            Same as above.
usermod -e 1 alice          Set expiration to the past — fully disabled.
Shell = /usr/sbin/nologin   No interactive shell.

5. Resource Limits: ulimit and /etc/security/limits.conf

Linux can cap the resources each user (or process) can consume. This prevents accidental or malicious resource exhaustion — fork bombs, runaway memory use, etc.

ulimit — show and set per-shell limits

ulimit -a              # show all current limits
ulimit -n              # current limit for open files
ulimit -n 4096         # set it (this shell only)
ulimit -u 100          # max user processes
ulimit -f 1000000      # max file size in 1K blocks
ulimit -v unlimited    # max virtual memory

ulimit itself comes in two flavors: a soft limit (-S), which is the value enforced right now and which the user may raise up to the hard limit, and a hard limit (-H), which is the absolute ceiling that only root can raise.

Without -S or -H, the change applies to both.

/etc/security/limits.conf — persistent limits

This file is read by PAM (pam_limits.so) at login. It sets limits per user or group.

Format: four fields per line.

# <domain>   <type>   <item>    <value>
*            soft     nofile    1024
*            hard     nofile    65535
@developers  hard     nproc     200
alice        -        core      0
root         hard     nproc     unlimited

Field    Meaning
domain   A username, @groupname, or * for everyone.
type     soft, hard, or - (both).
item     What to limit. Common: nofile (open files), nproc (processes), core (core file size), fsize (file size), as (address space / memory), priority, rss.
value    Numeric value or unlimited.

Drop-in fragments go in /etc/security/limits.d/.

Limits in this file take effect at the next login, not immediately for already-running sessions.
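Added example, not from the original notes: a checker for limits.conf-style fragments that applies the four-field format above. It rejects lines with the wrong field count, an unknown type, an item not in the standard pam_limits item list, or a non-numeric value, and it warns when a `*` line sets `unlimited`, since that removes the cap the file exists to impose. The sample fragment is constructed and includes deliberate mistakes; the function name is my own.

```shell
#!/bin/sh
# Validate /etc/security/limits.conf-style lines read on stdin.
# Prints one verdict per line (OK / WARN / BAD); exits 1 if any line is BAD.
check_limits_conf() {
    awk '
    /^[[:space:]]*(#|$)/ { next }                      # skip comments and blanks
    {
        if (NF != 4) {
            printf "BAD   line %d: expected 4 fields, got %d\n", NR, NF; bad++; next
        }
        domain = $1; type = $2; item = $3; value = $4
        if (type != "soft" && type != "hard" && type != "-") {
            printf "BAD   line %d: type must be soft, hard or -\n", NR; bad++; next
        }
        # items understood by pam_limits
        if (item !~ /^(core|data|fsize|memlock|nofile|rss|stack|cpu|nproc|as|maxlogins|maxsyslogins|priority|locks|sigpending|msgqueue|nice|rtprio)$/) {
            printf "BAD   line %d: unknown item %s\n", NR, item; bad++; next
        }
        if (value != "unlimited" && value !~ /^-?[0-9]+$/) {    # nice/priority may be negative
            printf "BAD   line %d: value must be a number or unlimited\n", NR; bad++; next
        }
        if (domain == "*" && value == "unlimited")
            printf "WARN  line %d: %s unlimited for everyone removes the cap this file exists to set\n", NR, item
        else
            printf "OK    line %d: %s %s %s %s\n", NR, domain, type, item, value
    }
    END { exit (bad ? 1 : 0) }'
}

# Constructed fragment: four good lines, one risky line, two malformed lines.
SAMPLE_LIMITS='# <domain>   <type>   <item>    <value>
*            soft     nofile    1024
*            hard     nofile    65535
@developers  hard     nproc     200
alice        -        core      0
*            hard     nproc     unlimited
bob          hard     nofile
carol        medium   nofile    4096'

printf '%s\n' "$SAMPLE_LIMITS" | check_limits_conf || echo "fragment has errors"
```

On a real host you would run it as `check_limits_conf < /etc/security/limits.conf` and once per file in /etc/security/limits.d/, since pam_limits reads both.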


6. sudo and the Wheel Group

sudo lets selected users run commands as root (or any other user) without sharing the root password.

Usage

sudo command                       # run as root
sudo -u alice command              # run as user alice
sudo -i                            # interactive root shell
sudo -l                            # list what YOU may run
sudo -k                            # forget cached credentials immediately

/etc/sudoers and visudo

The configuration lives in /etc/sudoers (and drop-ins in /etc/sudoers.d/). Never edit it directly — always use visudo, which checks syntax before saving. A broken sudoers file can lock you out of root entirely.

visudo                             # edit /etc/sudoers safely
visudo -f /etc/sudoers.d/myrule    # edit a drop-in file

Typical lines

# Format: user/group   host=(runas)   commands

root        ALL=(ALL:ALL) ALL
%sudo       ALL=(ALL:ALL) ALL                # group "sudo" can do anything
%wheel      ALL=(ALL)     ALL                # RHEL: group "wheel"
alice       ALL=(ALL)     NOPASSWD: /usr/sbin/reboot

Read each rule as: <user or %group> may run <commands> as <runas> on <host>.

NOPASSWD: removes the password prompt for those commands.
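Added example, not from the original notes: an awk filter that turns sudoers lines of the shape shown above into the plain-English reading, and flags rules that combine NOPASSWD: with ALL. It handles only that shape (no aliases, Defaults lines, or multiple runas groups); the sample input is constructed and includes one deliberately weak rule for the check to catch. The function name is my own.

```shell
#!/bin/sh
# Explain "who host=(runas) [NOPASSWD:] commands" sudoers lines read on stdin.
explain_sudoers() {
    awk '
    {
        line = $0
        sub(/#.*$/, "", line)                               # strip trailing comments
        if (line ~ /^[[:space:]]*$/) next                    # skip blank / comment-only lines
        $0 = line
        who = $1
        rest = $0; sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "", rest)
        eq = index(rest, "=")                                # host = (runas) commands
        host = substr(rest, 1, eq - 1); spec = substr(rest, eq + 1)
        runas = "root"                                       # sudoers default when no (runas) is given
        if (match(spec, /^\([^)]*\)/)) {
            runas = substr(spec, 2, RLENGTH - 2)
            spec = substr(spec, RLENGTH + 1)
        }
        sub(/^[[:space:]]+/, "", spec)
        prompt = "with password"
        if (sub(/^NOPASSWD:[[:space:]]*/, "", spec)) prompt = "WITHOUT password"
        sub(/[[:space:]]+$/, "", spec)                       # what remains is the command list
        flag = (spec == "ALL" && prompt == "WITHOUT password") ? "   <-- review: any command, no prompt" : ""
        printf "%s may run %s as (%s) on %s %s%s\n", who, spec, runas, host, prompt, flag
    }'
}

# Constructed sudoers lines (the last one is intentionally over-broad).
SAMPLE_SUDOERS='# Format: user/group   host=(runas)   commands
root        ALL=(ALL:ALL) ALL
%sudo       ALL=(ALL:ALL) ALL                # group "sudo" can do anything
%wheel      ALL=(ALL)     ALL                # RHEL: group "wheel"
alice       ALL=(ALL)     NOPASSWD: /usr/sbin/reboot
bob         ALL=(ALL)     NOPASSWD: ALL      # over-broad rule, for the check'

printf '%s\n' "$SAMPLE_SUDOERS" | explain_sudoers
```

When (runas) is absent the rule runs as root, which is why the filter defaults to that. Use `sudo -l` to see the rules as sudo itself resolves them for your account.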

sudo vs su

su switches to another identity using the target user’s password and starts a shell. sudo runs a specific command (or a shell) as another user using the caller’s own password, under the fine-grained rules in sudoers. For modern administration, sudo is strongly preferred.


You don’t have to master PAM for this objective, but two files come up:


8. Discovering Open Services and Their Owners

A short workflow for “what is exposed on this box?”:

ss -tunap                          # what is listening and on what port
sudo lsof -i -nP                   # which process owns each socket
ps -ef | grep <PID>                # full command line of the offender
systemctl list-units --type=service --state=running

Disable services you don’t need:

systemctl stop nginx
systemctl disable nginx

9. Brief Note on TCP Wrappers (Awareness)

Older Linux systems used TCP Wrappers (the libwrap library) to control which hosts could connect to certain services, via two files: /etc/hosts.allow and /etc/hosts.deny.

Format example:

# /etc/hosts.allow
sshd: 192.168.1.0/24
ALL:  127.0.0.1

# /etc/hosts.deny
ALL: ALL

Rules: hosts.allow is checked first; if matched, access is granted. Otherwise hosts.deny is checked.

TCP Wrappers are now deprecated and removed from many modern distributions, but the exam may still mention these files.
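Added example, not from the original notes: a shell re-creation of the decision order just described, so the "allow first, then deny, otherwise permit" rule can be seen on concrete inputs. It handles the patterns used on this page (ALL, a single IPv4 address, and a.b.c.d/bits networks), not hostnames or netmask forms, and is not libwrap itself. The rule files and function names are constructed.

```shell
#!/bin/sh
# Exit 0 if any rule in file $3 matches daemon $1 for IPv4 client $2.
# Rule shape: daemon_list : client_list   (lists separated by commas/spaces)
wrap_match() {
    awk -v daemon="$1" -v client="$2" '
    function ip2int(ip,    o) {
        split(ip, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    # Does client pattern pat cover IPv4 address ip?
    function host_match(pat, ip,    p, bits, shift) {
        if (pat == "ALL") return 1
        if (index(pat, "/") == 0) return pat == ip
        split(pat, p, "/"); bits = p[2] + 0
        shift = 2 ^ (32 - bits)                  # size of the host part
        return int(ip2int(ip) / shift) == int(ip2int(p[1]) / shift)
    }
    /^[[:space:]]*(#|$)/ { next }
    {
        line = $0; sub(/#.*/, "", line)
        if (split(line, f, ":") < 2) next        # need daemon_list : client_list
        gsub(/[[:space:]]+/, " ", f[1]); gsub(/[[:space:]]+/, " ", f[2])
        nd = split(f[1], daemons, /[ ,]+/)
        nc = split(f[2], clients, /[ ,]+/)
        for (i = 1; i <= nd; i++) {
            if (daemons[i] == "" || (daemons[i] != "ALL" && daemons[i] != daemon)) continue
            for (j = 1; j <= nc; j++)
                if (clients[j] != "" && host_match(clients[j], client)) { found = 1; exit }
        }
    }
    END { exit (found ? 0 : 1) }' "$3"
}

# Print allow/deny for daemon $1 from client $2, given allow file $3 and deny file $4.
tcpwrap_decision() {
    if wrap_match "$1" "$2" "$3"; then echo allow      # hosts.allow match grants
    elif wrap_match "$1" "$2" "$4"; then echo deny     # hosts.deny match refuses
    else echo allow                                    # no match anywhere: access granted
    fi
}

# Constructed rule files mirroring the example above.
WRAP_DIR=$(mktemp -d)
printf 'sshd: 192.168.1.0/24\nALL:  127.0.0.1\n' > "$WRAP_DIR/hosts.allow"
printf 'ALL: ALL\n' > "$WRAP_DIR/hosts.deny"

tcpwrap_decision sshd   192.168.1.42 "$WRAP_DIR/hosts.allow" "$WRAP_DIR/hosts.deny"   # allow
tcpwrap_decision sshd   10.0.0.7     "$WRAP_DIR/hosts.allow" "$WRAP_DIR/hosts.deny"   # deny
tcpwrap_decision vsftpd 127.0.0.1    "$WRAP_DIR/hosts.allow" "$WRAP_DIR/hosts.deny"   # allow
rm -rf "$WRAP_DIR"
```

The last branch is the one that surprises people: with no `ALL: ALL` in hosts.deny, anything not explicitly listed is permitted, which is why the deny-all line is the conventional default.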


10. Reviewing Files for Suspicious Permissions

Quick find recipes useful in audits:

# World-writable files (anyone can modify)
find / -type f -perm -002 2>/dev/null

# World-writable directories without sticky bit
find / -type d -perm -002 ! -perm -1000 2>/dev/null

# Files with no owner (orphaned UIDs)
find / -nouser -o -nogroup 2>/dev/null

11. Quick Reference for the Exam

Commands:

Files:

Concepts:


12. Likely Exam Questions (Self-Check)

  1. What command lists all currently listening TCP and UDP ports with numeric output? ss -tuln (or netstat -tuln).

  2. What command shows which process is using TCP port 22? lsof -i :22 (or ss -tnlp 'sport = :22').

  3. How do you find every SUID-set file on the system? find / -perm -4000 -type f 2>/dev/null.

  4. What is the octal value for the SUID bit, the SGID bit, and the sticky bit? 4000, 2000, 1000.

  5. What is the difference between a soft and a hard limit in ulimit? The soft limit is currently enforced and may be raised by the user up to the hard limit. The hard limit is the absolute ceiling; only root can raise it.

  6. What file controls per-user resource limits at login? /etc/security/limits.conf (and drop-ins in /etc/security/limits.d/), applied by pam_limits.

  7. What is the format of a line in /etc/security/limits.conf? <domain> <type> <item> <value>, for example @developers hard nproc 200.

  8. Why must you edit /etc/sudoers with visudo rather than a normal editor? visudo syntax-checks the file before saving. A broken sudoers can prevent anyone from gaining root.

  9. Read this sudoers line: alice ALL=(ALL) NOPASSWD: /usr/sbin/reboot. What does it mean? User alice may run /usr/sbin/reboot as any user ((ALL)), on any host, without being prompted for a password.

  10. What’s the difference between su and sudo? su switches identities using the target user’s password and starts a shell. sudo runs a specific command (or a shell) as another user, using the calling user’s password, with fine-grained rules.

  11. What does the file /etc/nologin do if it exists? It prevents all non-root users from logging in. Useful before reboot or maintenance.

  12. What is the difference between last and lastb? last shows successful logins (from /var/log/wtmp). lastb shows failed login attempts (from /var/log/btmp).

  13. Which command displays the last-login time of every user on the system? lastlog.

  14. What is the modern command-line tool for scanning a remote host’s open ports? nmap.

  15. What is the role of /etc/hosts.allow and /etc/hosts.deny? They are configuration files for TCP Wrappers, which gate access to services that use the libwrap library based on client hostname or IP. Largely deprecated today.

  16. You change /etc/security/limits.conf to raise a user’s open-file limit. Does it apply to the user’s currently running shell? No — it applies at the next login. Existing sessions keep their old limits.