Seccheck is a very simple (actually weak in comparison with JASS and Titan) security checker for Suse and Red Hat. It consists of three monolithic bash scripts:
/usr/lib/secchk/security-daily.sh
/usr/lib/secchk/security-monthly.sh
/usr/lib/secchk/security-weekly.sh
and one driver script that invokes them and is responsible for emailing the reports:
/usr/lib/secchk/security-control.sh
When Seccheck is installed, it automatically adds a crontab, /etc/cron.d/seccheck, to run the daily, weekly and monthly security checks.
# rpm -ql seccheck
/etc/cron.d/seccheck
/usr/lib/secchk
/usr/lib/secchk/checkneverlogin
/usr/lib/secchk/security-control.sh
/usr/lib/secchk/security-daily.sh
/usr/lib/secchk/security-monthly.sh
/usr/lib/secchk/security-weekly.sh
/usr/share/doc/packages/seccheck
/usr/share/doc/packages/seccheck/CHANGES
/usr/share/doc/packages/seccheck/LICENCE
/usr/share/doc/packages/seccheck/README
/usr/share/doc/packages/seccheck/TODO
/var/adm/fillup-templates/sysconfig.seccheck
/var/lib/secchk
/var/lib/secchk/data
The Seccheck daily check, run at midnight, checks for user security vulnerabilities, system abnormalities, module changes and port changes. It also checks for changes in user and group information and for common weaknesses that may indicate an intrusion. Only the changes since the last daily Seccheck run are mailed to root.
Here is the content of the cron file /etc/cron.d/seccheck that is created during installation of the package:
RUN_FROM_CRON=yes
#
# SuSE Security Checks
#
0 0 * * * root test -x /usr/lib/secchk/security-control.sh && /usr/lib/secchk/security-control.sh daily &
0 1 * * 1 root test -x /usr/lib/secchk/security-control.sh && /usr/lib/secchk/security-control.sh weekly &
0 4 1 * * root test -x /usr/lib/secchk/security-control.sh && /usr/lib/secchk/security-control.sh monthly &
The directory /usr/lib/secchk contains the following entries:
-rwxr----- 1 root root   865 Jun 16  2006 checkneverlogin
-rwxr----- 1 root root  3415 Jun 16  2006 security-control.sh
-rwxr----- 1 root root 16459 Jun 16  2006 security-daily.sh
-rwxr----- 1 root root  1815 Jun 16  2006 security-monthly.sh
-rwxr----- 1 root root  4988 Jun 16  2006 security-weekly.sh
Scripts can be run individually from this directory.
The daily report is not that helpful:
/usr/lib/secchk # ./security-daily.sh
Checking the /etc/group file:
Group bin(1) has got the following members: daemon

The following loadable kernel modules are currently installed:
af_packet ata_generic ata_piix bnx2 bridge button cdrom crc_t10dif dcdbas dm_mod
e1000e edac_core edd ehci_hcd enclosure ext3 fan fat fuse hid hwmon i5000_edac
i5k_amb ide_cd_mod ide_core ipv6_lib iTCO_vendor_support iTCO_wdt jbd joydev
libata llc loop lp mbcache megaraid_sas microcode mperf nls_utf8 parport
parport_pc pciehp pci_hotplug pcspkr ppdev processor rtc_cmos scsi_dh
scsi_dh_alua scsi_dh_emc scsi_dh_hp_sw scsi_dh_rdac scsi_mod sd_mod serio_raw
ses sg shpchp sr_mod st stp thermal_sys uhci_hcd usb_common usbcore usbhid
usb_storage vfat

The following programs have got bound sockets:
apxgw     root   0t0 TCP *:5135 (LISTEN)
coda      root   0t0 TCP 127.0.0.1:37649 (LISTEN)
gdm       root   0t0 UDP *:177
httpd2-pr root   0t0 TCP *:80 (LISTEN)
httpd2-pr wwwrun 0t0 TCP *:80 (LISTEN)
master    root   0t0 TCP *:25 (LISTEN)
ntpd      ntp    0t0 UDP 10.201.101.53:123
ntpd      ntp    0t0 UDP 10.201.54.53:123
ntpd      ntp    0t0 UDP *:123
ntpd      ntp    0t0 UDP 127.0.0.1:123
ntpd      ntp    0t0 UDP 127.0.0.2:123
opcacta   root   0t0 TCP 127.0.0.1:33429 (LISTEN)
opcmsga   root   0t0 TCP 127.0.0.1:42010 (LISTEN)
opcmsga   root   0t0 UDP *:35456
ovbbccb   root   0t0 TCP *:383 (LISTEN)
ovcd      root   0t0 TCP 127.0.0.1:59688 (LISTEN)
ovcd      root   0t0 TCP 127.0.0.1:59994 (LISTEN)
ovconfd   root   0t0 TCP 127.0.0.1:37722 (LISTEN)
ovtrcd    root   0t0 TCP *:5053 (LISTEN)
rpcbind   root   0t0 TCP *:111 (LISTEN)
rpcbind   root   0t0 UDP *:111
rpcbind   root   0t0 UDP *:668
sshd      root   0t0 TCP *:22 (LISTEN)
xinetd    root   0t0 TCP *:21 (LISTEN)
xinetd    root   0t0 TCP *:23 (LISTEN)
xinetd    root   0t0 TCP *:5555 (LISTEN)
xinetd    root   0t0 TCP *:5801 (LISTEN)
xinetd    root   0t0 TCP *:5901 (LISTEN)
xinetd    root   0t0 UDP *:69
X         root   0t0 TCP *:6000 (LISTEN)

The weekly report is more helpful:
/usr/lib/secchk # ./security-weekly.sh
Password security checking not possible, package john not installed.

Please check and perhaps disable the following unused accounts:
Warning: user mcevoyg has got a password and a valid shell but never logged in.
Warning: user burragjl has got a password and a valid shell but never logged in.

The following files are suid/sgid:
+ -rwsr-xr-x 1 root audio 23880 2012-03-06 20:48 /bin/eject
+ -rwsr-xr-x 1 root root 94776 2012-03-06 20:15 /bin/mount
+ -rwsr-xr-x 1 root root 40048 2012-03-06 20:08 /bin/ping
+ -rwsr-xr-x 1 root root 35792 2012-03-06 20:08 /bin/ping6
+ -rwsr-xr-x 1 root root 40016 2012-04-09 17:22 /bin/su
+ -rwsr-xr-x 1 root root 69208 2012-03-06 20:15 /bin/umount
+ -rwsr-x--- 1 root messagebus 47880 2012-03-06 20:15 /lib64/dbus-1/dbus-daemon-launch-helper
+ -r-sr-sr-x 1 root root 585384 2011-06-09 09:25 /opt/omni/lbin/cat_d
+ -r-s------ 1 root root 503552 2011-06-09 09:25 /opt/omni/lbin/inet
+ -rwsr-xr-x 1 root root 111272 2012-03-06 20:48 /sbin/mount.nfs
+ -rwsr-xr-x 1 root shadow 10736 2012-03-06 20:13 /sbin/unix2_chkpwd
+ -rwsr-xr-x 1 root shadow 35688 2012-03-06 19:59 /sbin/unix_chkpwd
+ -rwsr-xr-x 1 root trusted 52360 2012-03-06 20:48 /usr/bin/at
+ -rwsr-xr-x 1 root shadow 86200 2012-03-06 20:13 /usr/bin/chage
+ -rwsr-xr-x 1 root shadow 82472 2012-03-06 20:13 /usr/bin/chfn
+ -rwsr-xr-x 1 root shadow 77848 2012-03-06 20:13 /usr/bin/chsh
+ -rwsr-xr-x 1 root trusted 40432 2012-03-06 20:48 /usr/bin/crontab
+ -rwsr-xr-x 1 root shadow 19320 2012-03-06 20:13 /usr/bin/expiry
+ -rwsr-xr-x 1 root trusted 31552 2012-03-06 20:48 /usr/bin/fusermount
+ -rwsr-x--- 1 root lp 10624 2012-03-06 20:23 /usr/bin/get_printing_ticket
+ -rwsr-xr-x 1 root shadow 85952 2012-03-06 20:13 /usr/bin/gpasswd
+ -rwxr-sr-x 1 lp lp 14904 2012-03-06 20:13 /usr/bin/lppasswd
+ -rwsr-xr-x 1 root root 19416 2012-03-06 20:13 /usr/bin/newgrp
+ -rwsr-xr-x 1 root root 44304 2012-03-06 20:22 /usr/bin/opiepasswd
+ -rwsr-xr-x 1 root root 44752 2012-03-06 20:22 /usr/bin/opiesu
+ -rwsr-xr-x 1 root shadow 81856 2012-03-06 20:13 /usr/bin/passwd
+ -rwsr-xr-x 1 root root 23408 2012-03-06 20:23 /usr/bin/rcp
+ -rwsr-xr-x 1 root root 19248 2012-03-06 20:23 /usr/bin/rlogin
+ -rwsr-xr-x 1 root root 15088 2012-03-06 20:23 /usr/bin/rsh
+ -rwsr-xr-x 1 root root 225800 2012-03-06 20:10 /usr/bin/sudo
+ -rwxr-sr-x 1 root shadow 15128 2011-04-06 03:20 /usr/bin/vlock
+ -rwxr-sr-x 1 root tty 15000 2012-03-06 20:48 /usr/bin/wall
+ -rwxr-sr-x 1 root tty 14896 2012-03-06 20:48 /usr/bin/write
+ -rws--x--x 1 root root 1910344 2012-03-06 20:48 /usr/bin/Xorg
+ -rwsr-xr-x 1 root root 26897 2012-03-06 19:57 /usr/lib64/pt_chown
+ -rwsr-xr-x 1 root root 19192 2012-03-06 20:31 /usr/lib/libgnomesu/gnomesu-pam-backend
+ -rwxr-sr-x 1 root polkituser 19008 2012-03-06 20:16 /usr/lib/PolicyKit/polkit-explicit-grant-helper
+ -rwxr-sr-x 1 root polkituser 19208 2012-03-06 20:16 /usr/lib/PolicyKit/polkit-grant-helper
+ -rwsr-x--- 1 root polkituser 10744 2012-03-06 20:16 /usr/lib/PolicyKit/polkit-grant-helper-pam
+ -rwxr-sr-x 1 root polkituser 14856 2012-03-06 20:16 /usr/lib/PolicyKit/polkit-read-auth-helper
+ -rwxr-sr-x 1 root polkituser 23160 2012-03-06 20:16 /usr/lib/PolicyKit/polkit-revoke-helper
+ -rwsr-xr-x 1 polkituser root 23176 2012-03-06 20:16 /usr/lib/PolicyKit/polkit-set-default-helper
+ -rwxr-sr-x 1 root tty 15096 2012-03-06 20:21 /usr/lib/vte/gnome-pty-helper
+ -rwxr-sr-x 1 root maildrop 15136 2012-03-06 20:23 /usr/sbin/postdrop
+ -rwxr-sr-x 1 root maildrop 19176 2012-03-06 20:23 /usr/sbin/postqueue
+ -rwxr-sr-x 1 root tty 10680 2012-03-06 20:02 /usr/sbin/utempter
+ -rwsr-xr-x 1 root root 10632 2012-04-09 16:43 /usr/sbin/zypp-refresh-wrapper

The following program executables are group/world writeable:
+ -rwxrwxr-x 1 lotusmes bezroun 1240 2011-05-02 18:29 /home/lotusmes/close_mes.sh
+ -rwxrwxr-x 1 lotusmes bezroun 81 2011-05-02 18:29 /home/lotusmes/etalon.forward
+ -rwxrwxr-x 1 lotusmes bezroun 1328 2011-05-02 18:29 /home/lotusmes/etalon.pipe
+ -rwxrwxr-x 1 lotusmes bezroun 88583 2011-05-02 18:29 /home/lotusmes/lotusmes
+ -rwxrwxr-x 1 lotusmes bezroun 123 2011-05-02 18:29 /home/lotusmes/lotusmes.log
+ -rwxrwxr-x 1 lotusmes bezroun 147 2011-05-02 18:29 /home/lotusmes/mailtest.sh
+ -rwxrwxr-x 1 lotusmes bezroun 612 2011-05-02 18:29 /home/lotusmes/pmake
+ -rwxrwxr-x 1 lotusmes bezroun 112 2011-05-02 18:29 /home/lotusmes/run.sh
+ -rwxrwxr-x 1 lotusmes bezroun 142 2011-05-02 18:29 /home/lotusmes/test2
+ -rwxrwxr-x 1 lotusmes bezroun 76 2011-05-02 18:29 /home/lotusmes/testbacbridge.sh
+ -rwxrwxr-x 1 lotusmes bezroun 3113 2011-05-02 18:29 /home/lotusmes/testmes
+ -rwxrwxr-x 1 lotusmes bezroun 3113 2011-05-02 18:29 /home/lotusmes/testmes.bac
+ -rwxrwxr-x 1 lotusmes bezroun 119 2011-05-02 18:29 /home/lotusmes/test_of_close.sh
+ -rwxrwxr-x 1 lotusmes bezroun 142 2011-05-02 18:29 /home/lotusmes/test_of_post2171.sh
+ -rwxrwxr-x 1 lotusmes bezroun 141 2011-05-02 18:29 /home/lotusmes/test_of_post.sh
+ -rwxrwxr-x 1 lotusmes bezroun 160 2011-05-02 18:29 /home/lotusmes/test_of_postz.sh
+ -rwxrwxr-- 1 root root 1836 2012-09-04 13:00 /tmp/deact_users.sh
+ -rwxrwxr-- 1 root root 1727 2012-09-04 13:00 /tmp/delete_users.sh
+ -rwxrwxr-- 1 root root 28 2012-09-04 13:00 /tmp/run_usermaint.sh
+ -rwxrwxr-- 1 root root 544 2011-11-30 10:53 /tmp/tivoli_cleanup_lnx
+ -rwxrwxr-- 1 root root 5978 2012-05-29 13:12 /usr/BASFBIN/addusers/add_users
+ -rwxrwxr-- 1 root root 40 2012-05-29 13:12 /usr/BASFBIN/addusers/run_add_users
+ -rwxrwxr-- 1 root root 4525 2012-05-21 09:55 /usr/BASFBIN/fs_warn.sh

The following files/directories are world writeable and not sticky:
+ /opt/apxpccu
+ /opt/apxpccu/bin
+ /opt/apxpccu/log
+ /opt/apxpccu/log/pccUcmdlog.txt
+ /opt/apxpccu/var
+ /opt/apxpccu/var/apxlog
+ /opt/apxpccu/var/APXRD.FLAG
+ /opt/apxpccu/var/APXWR.FLAG
+ /opt/apxpccu/var/OUTPUT
+ /opt/omni/newconfig/var/opt/omni/enhincrdb
+ /opt/omni/newconfig/var/opt/omni/log
+ /opt/omni/newconfig/var/opt/omni/tmp
+ /var/opt/omni/enhincrdb
+ /var/opt/omni/log
+ /var/opt/omni/log/debug.log
+ /var/opt/omni/log/inet.log
+ /var/opt/omni/server/log
+ /var/opt/omni/tmp
+ /var/opt/omni/tmp/usr_omni
+ /var/opt/omni/tmp/usr_omni/log
+ /var/opt/omni/tmp/usr_omni/log/debug.log
+ /var/opt/omni/tmp/usr_omni/log/inet.log
+ /var/opt/omni/tmp/usr_omni/tmp
+ /var/opt/omni/windu
+ /var/opt/OV/tmp/public/OpC/monagtq
+ /var/opt/OV/tmp/public/OpC/msgiq
The daily script runs the following checks:

Check | Explanation |
/etc/passwd check | Length/number/contents of fields, accounts sharing the same uid, accounts with uid/gid of 0 or 1 other than root and bin |
/etc/shadow check | Length/number/contents of fields, accounts with no password |
/etc/group check | Length/number/contents of fields |
User root checks | Secure umask and PATH |
/etc/ftpusers | Checks that important system users are listed there |
/etc/aliases | Checks for mail aliases which execute programs |
.rhosts check | Checks whether users' .rhosts files contain "+" entries |
Home directory | Checks whether home directories are writable or owned by someone else |
dot-files check | Checks whether the many dot-files in the home directories are writable or owned by someone else |
Mailbox check | Checks that user mailboxes are owned by the user and not readable by others |
NFS export check | File systems should not be exported globally |
NFS import check | NFS mounts should have the "nosuid" option set |
Promisc check | Checks whether network cards are in promiscuous mode |
list modules | Lists loaded kernel modules |
list sockets | Lists open ports |
The weekly security check is a more exhaustive user and file system check; it contains checks that are important but too intensive to run daily. The weekly scripts are run every Monday at 1:00 am. They include checks for weak passwords, changes in the system files, files and executables that are group or world writable, and all system devices. Again, only the differences from the previous weekly security scan are mailed to root. See Table 3 for a list of checks in the weekly scan.
Check | Explanation |
Password check | Runs john to crack the password file; the user gets an email notice to change his password |
rpm md5 check | Checks for changed files via rpm's md5 checksum feature |
suid/sgid check | Lists all suid and sgid files |
exec group write | Lists all executables which are group/world writable |
Writable check | Lists all files which are world writable (including those above) |
Device check | Lists all devices |
The monthly security check is run on the first day of every month at 4:00am, and it sends a complete set of information in both daily and weekly checks to root. One pitfall of using Seccheck is that one has to pay attention to when changes are reported. Since only changes to the system from the last Seccheck analysis are e-mailed, anomalies appear only once. If you miss a change, you may not catch suspicious activity for a week or even a month.
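The suid/sgid and writable checks from the weekly table, together with the "mail only the delta since the last run" behaviour behind the pitfall just described, as an added example written for this page (not code from the seccheck package). STATE_DIR stands in for /var/lib/secchk/data and is a parameter here so the example runs unprivileged; all function names are this example's own.

```shell
#!/bin/sh
# Added example (not code from the seccheck package): the weekly file system
# checks plus the "report only what changed since the last run" mechanism.
# STATE_DIR plays the role of /var/lib/secchk/data; it is a parameter here so
# the example runs unprivileged. Paths and names are this example's own.
STATE_DIR="${STATE_DIR:-/tmp/secchk-example}"

# suid/sgid check: regular files with the setuid or setgid bit below $1.
list_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# writable check: world-writable files and directories below $1 that are
# not sticky (a sticky directory such as /tmp is expected to be writable).
list_world_writable_nonsticky() {
    find "$1" \( -type f -o -type d \) -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# report_changes NAME  (current findings on stdin)
# Prints findings new since the previous run as "+ line" and findings that
# disappeared as "- line", the same convention as the weekly report above,
# then stores the current findings as the baseline for the next run.
# Exit status 0 means "nothing changed", so a cron wrapper can skip the mail.
report_changes() {
    name="$1"
    mkdir -p "$STATE_DIR"
    cur="$STATE_DIR/$name.new"
    old="$STATE_DIR/$name.old"
    sort > "$cur"
    [ -f "$old" ] || : > "$old"
    # comm needs sorted input: -13 = only in new, -23 = only in old
    added=$(comm -13 "$old" "$cur")
    removed=$(comm -23 "$old" "$cur")
    if [ -n "$added" ]; then printf '%s\n' "$added" | sed 's/^/+ /'; fi
    if [ -n "$removed" ]; then printf '%s\n' "$removed" | sed 's/^/- /'; fi
    mv "$cur" "$old"
    [ -z "$added$removed" ]
}

# full_report NAME prints everything currently in the baseline, not only the
# delta: the "monthly" view that lets you re-see a finding that was mailed
# once and missed.
full_report() {
    cat "$STATE_DIR/$1.old" 2>/dev/null
}

# Usage, as root, on a real system:
#   . ./secchk-delta.sh
#   list_suid_sgid / | report_changes suid || echo "suid/sgid set changed"
#   full_report suid
```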
Seccheck is a good set of security auditing tools that monitors many of the user-related vulnerabilities. It is surprising that it is not enabled by default.
Even though Seccheck has a filesystem integrity check, it is always better to install a separate system integrity checker with control of the file signature database.
Last modified: March 12, 2019