Variable File Systems

Why should the use of variable file systems be restricted? This is the focus of our first security column.

It has been known for several years, even before the "Shitrix" hack, that variable files systems on Linux servers should be protected against misuse.

"Shitrix" was the name given to an attack on the firewall of a well-known manufacturer. In this case, an attacker exploited a vulnerability in the web application server, uploaded malware, and stored it in the tmp directory. When launched from this directory, the malware appeared in the process list under the rather inconspicuous name "httpd." It was only when the process list was displayed with the parameter showing the full startup path that the anomaly could be detected. The attacker also managed to set up a corresponding cron job, which ensured the malware was always running.

To prevent variable file systems, like defined tmp and var directories from becoming vulnerable to attacks, it is recommended to move them to their own partitions and then remount them with parameters such as NOEXEC, NOSUID, and/or NODEV. This helps to prevent the execution of malicious software from these generally accessible directories. At this point, the hardening guidelines from the "Center for Internet Security" are always a good recommendation.

Finally, it should be noted that the administrator of this firewall appliance had limited options to counter the attack. Nevertheless, there are lessons to be learned from this incident.

Do you have questions about the secure implementation of your IT systems? Or do you need assistance with an incident ? We are here to help!