Security: world readable logs/configurations/directories on linux
Solution 1:
You may want to dig a little deeper before 'fixing' this and make sure your changes are fully thought-out. Of the files you mentioned:
I happen to know that /etc/passwd has to be readable for any number of programs (ls) to access user name information in standard configurations. Nothing in /etc/passwd is secret or privileged on any modern machine as that's what the shadow files are for, or the secrets are hosted on the network via LDAP, Kerberos or some other such thing.
I'm less sure about the other two. cron runs as the user whose jobs it is executing, so it probably needs to be able to read that file as any user who can run cron. Any user on an average system can run last,w to see recent and current logins (read from lastlog and wtmp, afair), and so these files are readable. You may certainly remove those commands, or user access to them, and then you might want to change the perms on the files or remove them altogether, once you are quite certain they are not used.
The Securing Debian Manual may be able to answer more of these questions for you or explain things better. Although it is not actively maintained it is still quite good. Other distros have similar resources.
Solution 2:
-
/etc/passwd
should be world readable; many programs need to read it. This is not a security risk (unless you consider that showing which users exist on the machine is a security risk); the password is not stored in it now, and never was stored unencrypted. -
/var/log/lastlog
- if this is world readable, it means people can see whether there are problems on the machine that the administrators need to be looking at without having to pester the administrators first. -
List of running cron jobs - this is shown by
ps
, I presume? If you are worried about users seeing what other people are doing on the same machine, then you have problems. Unix and Linux generally work best where there's a modicum of trust between the users on a machine. You can run securely with fairly general public read access; it is much harder to run without it.
If you want to run a secure system, consider SELinux. I'm not sure whether it deals with those particular issues, but of all the Linux systems, SELinux or one of its derivatives is the most likely to do it.