Softpanorama
May the source be with you, but remember the KISS principle ;-)
Cops (audit, dead)
Tiger (audit, dead)
YASSP (dead?)
Bastille (RH Linux only hardening, very weak, needs work)
Note: This page contains only historically important information about such milestones in Unix hardening as
Current information is located at Softpanorama Hardening page
Dr. Nikolai Bezroukov
Perl COPS, disguised as cops-1.04.tgz (i386)
doclib.org: Linux-system-security-cops_104_linux -- modification for Linux?
Packet Storm (packetstormsecurity.org): same packages
A. P. Lawrence (SCO Unix consultant), "Security COPS": SCO port?
Below are historically important documents that are still available on the Internet:
This program checks for 14 common SunOS configuration security loopholes. It has been tested only on SunOS 4.0.3 on Sun4, Sun3, and Sun386i machines. Each test reports its findings and offers to fix any discovered problems. The program must be run as root to fix any of the problems, but it can be run from any account by replying 'n' to any fix requests.
ftp.auscert.org.au - Coast mirror
Useful Usenet FAQs
FAQ Network Intrusion Detection Systems
Security Audit FAQ
Technical Whitepapers and Publications
New Site Security Handbook -- old but useful
Old Site Security Handbook -- the original version: mainly historical value
*** Dead? YASSP (Yet Another Solaris Security Package) by Jean Chouanard, Xerox PARC. Jean Chouanard left Xerox PARC and development is stalled. The main attraction is that YASSP's functionality includes installation of TCP Wrappers, Tripwire and several other tools. Bravo Jean!!! Sysadmins are notoriously lazy and installing TCP Wrappers for them is a valuable service ;-) Like Titan, it uses the fix-modes script to correct permissions of critical files and directories. The scripts also contain a promising idea: a central configuration file, yassp.conf, that controls the behavior of the other scripts. It requires a competent administrator to use.
See What's New for more current information on updates of the paper and package.
Yassp Post installation steps -- a very good paper that contains an excellent list of Solaris hardening resources
How-to:
This is a short "how to" for people who have to deal with host security under Solaris 2.6, 7 and 8.
The goal is to install Solaris and have good host security without having to spend hours on modifications. Also, as the basic configuration will be standard, I have added a set of useful tools, compiled and packaged to make their installation as easy as possible. At the end, the install should be *clean* (= "pkgchk -n" reports no errors).
The first step is to disable everything which is not needed.
Each package installs its default configuration files if they do not exist, and runs any init script if needed. Packages do not delete their configuration files at de-install time, which eases your work when updating them.
We have used this packaging to install file servers, ftp servers, NIS servers, firewalls and hosts. It is quite nice not to have to wonder how to do that, and very useful to be able to update packages independently. As the sources of the SECclean package are available, it is easy for you to copy it and to localize it so that it reflects your configuration. From this package, we have derived different classes of packages to install NIS servers, NFS servers and end-user workstations.
For more information on the SECclean package and on how to localize it to meet your need, see: ftp://ftp.parc.xerox.com/pub/jean/solins/secclean.html
Files Installed:
Installed files are listed in the prototype file.
- /etc/shells : default shells, from getusershell(3C)
- /etc/ftpusers : list of users denied ftp; by default all the existing system users.
- /usr/bin/openwin : a shell wrapper to *try* to avoid starting openwin without rpcbind running, as that hangs the workstation.
- /etc/hosts.equiv : empty. Installed with the right mode and as part of the package, just to keep it under control.
- /.rhosts : empty. Installed with the right mode and as part of the package, just to keep it under control.
- /var/adm/loginlog : empty. Solaris logs failed login attempts if this file exists.
Files Replaced:
Files replaced are handled by the postinstall script. See the next section, "Package modification". The postinstall script defines this list in its internal variable SA.
- /etc/inet/services : adds various useful services not part of the Sun distribution, such as the SecurID ACE services or those for the FWTK (TIS)
- /etc/profile : minor changes; include /opt/local on the PATH and MANPATH
- /etc/passwd : based on the distributed passwd file, with all system logins disabled
- /etc/syslogd.conf : some cleanup. Nothing should be written to the console.
- /var/spool/cron/crontabs/root : cleanup.
- /etc/default/su : PATH and SUPATH include /opt/local/bin.
- /etc/default/login : PATH and SUPATH include /opt/local/bin. Enforce 'CONSOLE=/dev/console' so that root can only log in from the console.
- /etc/default/inetinit : Enforce 'TCP_STRONG_ISS=2' (RFC 1948 sequence number generation, unique per connection ID).
Files Modified:
- /etc/inet/inetd.conf : all services turned OFF by default. Easy! :-)
- /etc/pam.conf : turn off rhosts_auth
- /etc/system : increase file descriptor limits and the number of BSD-style and SVR4-style ptys. Attempt to prevent and log stack-smashing attacks. Enable the advanced memory paging technique.
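To make the "Files Replaced" and "Files Modified" entries concrete, here is an added example in POSIX sh that applies three of them idempotently: CONSOLE=/dev/console in /etc/default/login, TCP_STRONG_ISS=2 in /etc/default/inetinit, and commenting out every active entry of inetd.conf. It is not SECclean's own postinstall script (which is not reproduced on this page). The DIR argument is this example's assumption so it can run against a scratch copy; on a real system it would be /etc. The sample file contents are constructed, modelled on the stock Solaris files, and the script is written for a POSIX shell (ksh or /usr/xpg4/bin/sh on Solaris 2.6-8, since the stock /bin/sh lacks $(...)).

```shell
#!/bin/sh
# Added example: idempotent edits for Solaris /etc/default files and inetd.conf.
# Not the SECclean postinstall script.  Written for POSIX sh.

# set_default_param FILE KEY VALUE
# Replace the first "KEY=..." line, active or commented out ("#KEY=..."),
# with "KEY=VALUE"; drop later duplicates; append if the key is absent.
set_default_param() {
    tmp="$1.secclean.$$"
    awk -v k="$2" -v v="$3" '
        $0 ~ ("^[# \t]*" k "=") { if (!done) { print k "=" v; done = 1 }; next }
        { print }
        END { if (!done) print k "=" v }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# get_default_param FILE KEY: print the active (uncommented) value, if any
get_default_param() {
    awk -v k="$2" '$0 ~ ("^" k "=") { sub(/^[^=]*=/, ""); print }' "$1" | tail -n 1
}

# disable_inetd_services FILE: comment out every active entry in inetd.conf
disable_inetd_services() {
    tmp="$1.secclean.$$"
    sed 's/^\([^#]\)/#\1/' "$1" > "$tmp" && mv "$tmp" "$1"
}

# count_active_inetd FILE: number of entries that are not commented out
count_active_inetd() {
    awk '!/^[ \t]*#/ && NF { n++ } END { print n + 0 }' "$1"
}

# make_sample_defaults DIR: constructed sample files (not real Solaris files)
make_sample_defaults() {
    mkdir -p "$1"
    cat > "$1/login" <<'EOF'
# If CONSOLE is set, root can only login on that device.
#CONSOLE=/dev/console
PASSREQ=YES
PATH=/usr/bin:
SUPATH=/usr/sbin:/usr/bin
EOF
    cat > "$1/inetinit" <<'EOF'
# TCP_STRONG_ISS sets the TCP initial sequence number generation parameters.
TCP_STRONG_ISS=1
EOF
    cat > "$1/inetd.conf" <<'EOF'
# constructed inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
#finger stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
EOF
}

# secclean_defaults DIR: apply the values listed in the how-to above
secclean_defaults() {
    set_default_param "$1/login"    CONSOLE        /dev/console
    set_default_param "$1/login"    PATH           /usr/bin:/opt/local/bin
    set_default_param "$1/login"    SUPATH         /usr/sbin:/usr/bin:/opt/local/bin
    set_default_param "$1/inetinit" TCP_STRONG_ISS 2
    disable_inetd_services "$1/inetd.conf"
}

# Stand-alone demo on a scratch directory
d=$(mktemp -d) && make_sample_defaults "$d" && secclean_defaults "$d"
echo "CONSOLE=$(get_default_param "$d/login" CONSOLE)"
echo "TCP_STRONG_ISS=$(get_default_param "$d/inetinit" TCP_STRONG_ISS)"
echo "active inetd services: $(count_active_inetd "$d/inetd.conf")"
rm -rf "$d"
```

Running secclean_defaults twice leaves the files byte-identical, which is what makes it safe to call from a package postinstall script on every (re)install.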
Files Deleted:
Files deleted are handled by the postinstall script. See the next section, "Package modification". The postinstall script defines this list in its internal variable SD.
- "/etc/auto_home /etc/auto_master /etc/dfs/dfstab /var/spool/cron/crontabs/adm /var/spool/cron/crontabs/sys /var/spool/cron/crontabs/lp /var/spool/cron/crontabs/uucp"
RC files:
Most of these modifications are done in the postinstall script. See next section "Package modification".
RC files Deleted
The postinstall script defined this list as its internal variable RC
Long list of RC files turned off: "cacheos cachefs.root asppp uucp cachefs.daemon xntpd spc rpc autoinstall nfs.client autofs nscd lp nfs.server volmgt PRESERVE sendmail cacheos.finish sysid.sys sysid.net snmpdx dmi dtlogin power init.dmi init.snmpdx".
These names are the names of the init files located in the /etc/init.d directory. For all the links existing under any /etc/rc?.d/ directory, the postinstall script deletes these links and writes a trace log under /etc/rc?.d/Disable-By-SECclean which enables you to re-create the links if needed.
If you need to re-enable some of these RC files, you can either re-create the package to fit your needs (see Package modification) or just manually recreate the links after the install.
RC files Replaced
The postinstall script defines this list in its internal variable NRC
- inetsvc
- inetinit
These files are based on the Sun distribution files, but have been simplified.
RC files Added
- /etc/init.d/nettune with a link from /etc/rcS.d/S31nettune. It is based on Jens-S. Vöckler's IP tuning script for Solaris (see his very good page on TCP tuning under Solaris).
- /etc/init.d/umask.sh with symbolic links from /etc/rc0.d/S00umask.sh, /etc/rc1.d/S00umask.sh, /etc/rc2.d/S00umask.sh, /etc/rc3.d/S00umask.sh and /etc/rcS.d/S00umask.sh to control/force the default umask of daemons.
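The rc-link handling described under "RC files Deleted" fits in a few lines. The following is an added example, not the SECclean postinstall script itself: the layout of its trace log (one line per removed entry: link name, init.d script, link type) is the example's own, and the ROOT prefix argument is an assumption that lets it run against a scratch tree (empty on a real system). It assumes the stock Solaris convention that /etc/rc?.d entries are hard links to the /etc/init.d scripts, and records symbolic links (as SECclean's own umask.sh entries are) separately so that either kind is restored as it was.

```shell
#!/bin/sh
# Added example: disable /etc/rc?.d entries by name, leaving a trace log that
# lets them be restored.  Not SECclean's postinstall script.  POSIX sh.

# disable_rc_scripts ROOT NAME...: remove every S??NAME and K??NAME entry under
# ROOT/etc/rc?.d, appending "LINK NAME TYPE" to ROOT/etc/rc?.d/Disable-By-SECclean
disable_rc_scripts() {
    root=$1; shift
    for dir in "$root"/etc/rc?.d; do
        [ -d "$dir" ] || continue
        for name in "$@"; do
            for link in "$dir"/[SK][0-9][0-9]"$name"; do
                [ -f "$link" ] || [ -h "$link" ] || continue   # glob did not match
                if [ -h "$link" ]; then type=sym; else type=hard; fi
                echo "$(basename "$link") $name $type" >> "$dir/Disable-By-SECclean"
                rm "$link"
            done
        done
    done
}

# enable_rc_scripts ROOT: recreate every entry recorded in the trace logs
enable_rc_scripts() {
    root=$1
    for trace in "$root"/etc/rc?.d/Disable-By-SECclean; do
        [ -f "$trace" ] || continue
        dir=$(dirname "$trace")
        while read -r link name type; do
            [ -e "$dir/$link" ] && continue            # already back
            if [ "$type" = sym ]; then
                ln -s "../init.d/$name" "$dir/$link"
            else
                ln "$root/etc/init.d/$name" "$dir/$link"   # stock Solaris: hard link
            fi
        done < "$trace"
        rm "$trace"
    done
}

# list_rc_entries ROOT: remaining rc entries relative to ROOT/etc, sorted
list_rc_entries() {
    ( cd "$1/etc" && for e in rc?.d/[SK][0-9][0-9]*; do
          [ -f "$e" ] || [ -h "$e" ] || continue
          echo "$e"
      done ) | sort
}

# make_sample_rc ROOT: constructed tree modelled on a Solaris rc?.d layout
make_sample_rc() {
    mkdir -p "$1/etc/init.d" "$1/etc/rc2.d" "$1/etc/rc3.d"
    for s in inetsvc sendmail dtlogin nfs.server; do
        printf '#!/sbin/sh\n# %s\n' "$s" > "$1/etc/init.d/$s"
    done
    ln    "$1/etc/init.d/inetsvc"    "$1/etc/rc2.d/S72inetsvc"
    ln    "$1/etc/init.d/sendmail"   "$1/etc/rc2.d/S88sendmail"
    ln -s ../init.d/dtlogin          "$1/etc/rc2.d/S99dtlogin"
    ln    "$1/etc/init.d/nfs.server" "$1/etc/rc2.d/K28nfs.server"
    ln    "$1/etc/init.d/nfs.server" "$1/etc/rc3.d/S15nfs.server"
}

# Stand-alone demo on a scratch tree
r=$(mktemp -d) && make_sample_rc "$r"
disable_rc_scripts "$r" sendmail dtlogin nfs.server
echo "after disable:"; list_rc_entries "$r"
echo "trace logs:";    cat "$r"/etc/rc?.d/Disable-By-SECclean
enable_rc_scripts "$r"
echo "after enable:";  list_rc_entries "$r"
rm -rf "$r"
```

Because the trace log lives in the same rc?.d directory as the links it describes, a later "pkgrm" or a manual restore only has to read the files next to it; nothing about the removed entries is kept elsewhere.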
Developer directory: TAMU packages/security directory -- do not expect much, anyway ;-)
Derivatives:
TARA (Tiger Analytical Research Assistant) -- This is not a new product but ripware: the renamed original package (Tiger 2.2.3) with just a minor bugfix (IMHO it fixes only one error: the env. GROUPS variable should be renamed to GROUPSS or any other name because of the conflict with the existing global env. variable of some Unix systems). The fix was made by Ripclaw on July 31st 1999, but since then development seems to have stopped. See the web site TARA - Tiger Analytical Research Assistant, if it's still alive.
COPS (Computer Oracle and Password System)
*** Largely outdated abandonware written by Dan Farmer. Available from ftp.cert.org and many other places, but of mainly historical importance (the last version, 1.02, is dated 1991).
Historically this was the first widely available set of scripts that identifies security risks on a Unix system. It checks for empty passwords in /etc/passwd, world-writable files, misconfigured anonymous ftp and several other vulnerabilities, and produces several reports that can be integrated by the carp tool.
There are several derivatives: Perl Cops and, to a certain (limited) extent, Tiger and Titan (see below).
Abstract: This is a Perl version of Dan's version of Bob Baldwin's Kuang program (originally written as some shell scripts and C programs). Features include: caches passwd/group file entries in an associative array for faster lookups, which is particularly helpful on insecure systems using YP, where password and group lookups are slow and you have to do a lot of them; can specify the target (uid or gid) on the command line; can use the -l option to generate a PAT for a goal; can use -f to preload file owner, group and mode info, which speeds things up and avoids file system 'shadows'.
sherpa - a system security configuration tool for GNU-Linux -- abandoned tool that can provide a good starting ground for additional work.
sherpa inventories basic filesystem security (permissions, file ownership) and creates a report of what it finds. It can also be used as a remedial tool, one that will change file permissions and ownership according to the modes listed in perms.lst.
sherpa will do a series of basic checks of RedHat GNU/Linux 5.x/6.x and SuSE 6.0 filesystems and should be run (a) after initial installation of the operating system and then (b) periodically. Many of the checks performed herein are based on sources I have studied and found useful.
sherpa performs the following checks on your local filesystems:
- Checks for SUID and SGID files
- Checks for world writable files
- Checks for .rhosts and hosts.equiv files
- Summarizes configured network services (via inetd) and checks for use of tcp_wrappers
- Checks for use of shadow passwords
- Checks file and directory permissions, as well as ownership against a set list (a sample list for RedHat 6.x is here)
Also, sherpa is written in Perl because of ease of use when it comes to report generation and system administration needs. While I'm sure a C program would be faster, it would be a lot less *practical* than a Perl script and less amenable to localized tweaking as the need to do so arises.
Features
- scanning of system configuration files for common problems
- scanning of file system permissions and ownership bits including SUID/SGID bits
- inventory of world-writable files/dirs
- generates reports (ASCII or HTML) and/or logs of scanning results
- suitable for periodic execution via cron
- can automatically fix permission/ownership problems if desired
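The sherpa checks listed above reduce to a handful of find and awk invocations. Here is an added example in POSIX sh, not sherpa's own Perl code, covering SUID/SGID files, world-writable files and directories (sticky directories such as /tmp are excluded on purpose), .rhosts and hosts.equiv presence, and the inetd summary with tcp_wrappers detection (a server column ending in /tcpd). ROOT is an assumption of the example: a scratch tree to scan, which would be / on a real host. The sample tree and inetd.conf are constructed.

```shell
#!/bin/sh
# Added example: sherpa-style local filesystem audit in POSIX sh (not sherpa).

# audit_suid ROOT: regular files with the setuid or setgid bit, one path per line
audit_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# audit_world_writable ROOT: files and directories writable by "other";
# sticky directories (mode 1777, e.g. /tmp) are deliberately not reported
audit_world_writable() {
    find "$1" -xdev -perm -0002 \( -type f -o \( -type d ! -perm -1000 \) \) -print | sort
}

# audit_rhosts_files ROOT: every .rhosts, plus hosts.equiv when it is non-empty
audit_rhosts_files() {
    find "$1" -xdev -type f -name .rhosts -print | sort
    [ -s "$1/etc/hosts.equiv" ] && echo "$1/etc/hosts.equiv"
    return 0
}

# audit_inetd FILE: active inetd services and whether each runs via tcpd
audit_inetd() {
    awk '!/^[ \t]*#/ && NF >= 6 {
        printf "%s %s\n", $1, ($6 ~ /\/tcpd$/ ? "wrapped" : "UNWRAPPED")
    }' "$1"
}

# make_sample_tree ROOT: constructed tree with a few deliberate findings
# (subshell body so the umask change does not leak into the caller)
make_sample_tree() (
    umask 022
    mkdir -p "$1/usr/bin" "$1/etc" "$1/tmp" "$1/var/spool/bad" "$1/home/alice"
    : > "$1/usr/bin/su";   chmod 4755 "$1/usr/bin/su"      # finding: setuid
    : > "$1/usr/bin/wall"; chmod 2755 "$1/usr/bin/wall"    # finding: setgid
    : > "$1/usr/bin/ls";   chmod 755  "$1/usr/bin/ls"
    : > "$1/etc/motd";     chmod 666  "$1/etc/motd"        # finding: world-writable
    chmod 1777 "$1/tmp"                                   # sticky: allowed
    chmod 777  "$1/var/spool/bad"                         # finding: world-writable dir
    echo "ws1 alice" > "$1/home/alice/.rhosts"            # finding: .rhosts present
    : > "$1/etc/hosts.equiv"                              # empty: not reported
    cat > "$1/etc/inetd.conf" <<'EOF'
# constructed inetd.conf
ftp     stream tcp nowait root   /usr/sbin/tcpd        in.ftpd -l
telnet  stream tcp nowait root   /usr/sbin/in.telnetd  in.telnetd
#finger stream tcp nowait nobody /usr/sbin/tcpd        in.fingerd
EOF
)

# Stand-alone demo on a scratch tree
r=$(mktemp -d) && make_sample_tree "$r"
echo "== setuid/setgid files";  audit_suid "$r"
echo "== world-writable";        audit_world_writable "$r"
echo "== .rhosts / hosts.equiv"; audit_rhosts_files "$r"
echo "== inetd services";        audit_inetd "$r/etc/inetd.conf"
rm -rf "$r"
```

The -xdev flag keeps each find on one filesystem, which is what "local filesystems" in the sherpa description means in practice; on a real host run each function once per mount point instead of once on /.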
Firewall-1 Table Script 1.0
http://www.enteract.com/~lspitz/fwtable.html
The purpose of this Perl script is to help you gain a better understanding of Check Point FW-1's stateful inspection table. This table is where FW-1 maintains all concurrent...
IDS Alert Script for FW-1 1.3
http://www.enteract.com/~lspitz/intrusion.html (platform: Solaris)
Flexible network-based IDS script for Check Point Firewall-1 installations. Build intrusion detection into your firewall. Features include:
- automated alerting, logging, and archiving
- automated blocking of the attacking source
- automated identification of, and email to, the remote site
- installation and test script
- fully configurable
- ver 1.3 optimized for performance, over 50% speed increase
Firewall Info (Firewall-1)
http://www.sabernet.net/software/ (platform: Solaris)
This is a modified version of the fwobjects.pl script posted to the fw-1 mailing list. Author unknown. Its purpose is to document FireWall-1 security policies in HTML (Unix).
Homepage: http://www.secnet.com/ntinfo/ntaudit.html
The NetBIOS Auditing Tool, or NAT for short, is a completely free tool meant to audit NetBIOS file shares and password integrity on Windows NT and UNIX machines running Samba.
This utility tests a host for well-known NFS problems. The tests include finding world-exported file systems, determining whether export restrictions work, determining whether file systems can be mounted through the portmapper, trying to guess file handles, and exercising various bugs to access file systems.
See also Chris Metcalf's hacks
CheckXusers - Checks every user logged onto a system for unrestricted X-windows access
Abstract: raudit is a Perl script which audits each user's .rhosts file and reports on various findings. Without arguments raudit reports the total number of rhosts entries, the total number of non-operations entries (entries for which the host is listed in the /etc/hosts.equiv file) and the total number of remote entries (entries for which the host is a non-NAS host). raudit will also report any entries which may be illegal. An entry is considered illegal if the username does not match the username from the password file or if the entry contains a "+" or a "-". Raudit is normally run on a weekly basis via a cron job which runs rhosts.audit. The output is mailed to the NAS security analyst(s).
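As an added example (not raudit itself, whose source is not on this page), the classification described in the abstract can be done in awk from a POSIX shell. Three things are the example's own assumptions: the "NAS host" test is generalised to "host is unqualified or ends in the local domain passed as the fourth argument"; the "+"/"-" rule is applied to the first character of a field, because rhosts treats a leading "+" as a wildcard and a leading "-" as a negation while a hyphen inside a hostname is legal (flagging every hyphen would report build-01 as illegal); and the .rhosts and hosts.equiv inputs are constructed.

```shell
#!/bin/sh
# Added example: raudit-style .rhosts checker in POSIX sh/awk (not raudit).

# audit_rhosts RHOSTS_FILE OWNER HOSTS_EQUIV LOCAL_DOMAIN
# Prints one "ILLEGAL: <entry>" line per bad entry, then a summary line:
#   total=N equiv=N remote=N illegal=N
#   equiv   = host also listed in hosts.equiv (raudit's "non-operations" entries)
#   remote  = fully qualified host outside LOCAL_DOMAIN (raudit's "non-NAS" hosts)
#   illegal = username differs from OWNER, or a field starts with "+" or "-"
audit_rhosts() {
    awk -v owner="$2" -v equiv="$3" -v dom="$4" '
        BEGIN {
            # hosts.equiv: first field of each non-comment line is a trusted host
            while ((getline line < equiv) > 0) {
                if (line ~ /^[ \t]*(#|$)/) continue
                split(line, f); trusted[f[1]] = 1
            }
            close(equiv)
        }
        /^[ \t]*(#|$)/ { next }                  # blank or comment line
        {
            total++
            host = $1
            who  = (NF >= 2) ? $2 : owner         # "host" alone means the same user
            if (host ~ /^[+-]/ || who ~ /^[+-]/ || who != owner) {
                illegal++
                print "ILLEGAL: " $0
                next
            }
            if (host in trusted)
                equivs++
            else if (host ~ /\./ && (dom == "" || host !~ ("\\." dom "$")))
                remote++
        }
        END {
            printf "total=%d equiv=%d remote=%d illegal=%d\n",
                   total, equivs, remote, illegal
        }
    ' "$1"
}

# make_sample_rhosts DIR: constructed inputs for user "alice" in nas.nasa.gov
make_sample_rhosts() {
    cat > "$1/hosts.equiv" <<'EOF'
# constructed hosts.equiv
ws1.nas.nasa.gov
ws2
EOF
    cat > "$1/.rhosts" <<'EOF'
# constructed .rhosts for alice
ws1.nas.nasa.gov
ws2 alice
build-01.nas.nasa.gov
+
remote.example.com alice
ws4 bob
-ws3
EOF
}

# Stand-alone demo on a scratch directory
r=$(mktemp -d) && make_sample_rhosts "$r"
audit_rhosts "$r/.rhosts" alice "$r/hosts.equiv" nas.nasa.gov
rm -rf "$r"
```

For the weekly cron run the abstract describes, loop over the home directories from /etc/passwd and pass each login name as OWNER; the summary line is the part worth mailing, with the ILLEGAL lines attached as the evidence.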
See also Securing X Windows
Title: checkXusers
Authors: Bob Vickers
File size: 3232 bytes
Abstract:
This script checks for people logged on to a local machine from insecure X servers. It is intended for system administrators to check up on whether users are exposing the system to unacceptable risks. Like many commands, such as finger(1), checkXusers could potentially be used for less honorable purposes. checkXusers should be run from an ordinary user account, not root. It uses kill, which is pretty dangerous for a superuser. It assumes that the netstat command is somewhere in the PATH.
Linux Today SuSE Security Announcement - new security tools
Harden SuSE -- a special script for hardening SuSE Linux 5.3 - 6.3. By answering 9 questions, the system is reconfigured very tightly, e.g. disabling insecure network services and removing suid/sgid/world-writable permissions which are not critical. RPM: hardsuse.rpm
Homepage: http://www.haqd.demon.co.uk/security.htm
Download: TUCOWS Linux Download Page for SBScan 0.05
Weak. A simple shell script plus a couple of C programs. Nothing special.
SBScan is a localhost security scanner. It checks for numerous security problems on a linux box. Written by and for slackware linux primarily, but should run on any linux based system. Currently checks loads of stuff, such as unpassworded accounts, MD5 sums, inetd.conf, ports open, shadow passwords, groups, tcp wrappers, anonymous FTP, people grabbing passwd files, log file permissions, dir permissions, NFS exports, X hosts, rootkits, suspicious files, Rhosts, suid programs in user areas, promisc checks, subnet promisc checks, etc.
Check.pl -- rather basic, not of much even historical value (see Sherpa for a better early Perl hardening tool). Not recommended even as a free codebase.
Download: Packet Storm (packetstorm.securify.com)
Homepage: Jeff Tranter's Home Page
audit -- checks files in the home directory for strange permissions, ownership, etc. (Feb 07th 1999; stable: none, devel: 0.2)
Merlin by CIAC
Merlin is an http front-end system that allows point-and-click internal vulnerability scanning. Merlin runs in conjunction with the Netscape browser and any security package, such as COPS, Crack, TAMU-tiger, etc. Simply download the desired security packages and then run Merlin. Merlin makes system scanning easy with its innovative http interface. Merlin is a useful tool for system administrators who have little time to perform the necessary security scans.
Hobgoblin
Kenneth Rich and Scott Leadley. hobgoblin: A File and Directory Auditor. In Proceedings of the Fifth Large Installation Systems Administration Conference, p. 199. USENIX Association, Berkeley, CA, September 1991.
Hobgoblin checks file system consistency against a description. Hobgoblin is a language and an interpreter. The language describes properties of a set of hierarchically organized files. The interpreter checks the description for conformity between the described and actual file properties. The description constitutes a model for this set of files. Consistency checking verifies that the real state of these files corresponds to the model, flagging any exceptions. Hobgoblin can verify conformity of system files on a large number of systems to a uniform model. Relying on this verification, system managers can deal with a small number of conceptual models of systems, instead of a large number of unique systems. Also, checking for conformity to an appropriate model can enhance system reliability and security by detecting incorrect access permissions or non-conforming program and configuration files.
chkacct v1.1, by Shabbir Safdar : Chkacct was designed to complement tools like COPS and Tiger. Instead of checking for configuration problems in the entire system, it is designed to check the settings and security of the current user's account. It then prints explanatory messages to the user about how to fix the problems. It may be preferable to have a security administrator ask problem users to run chkacct rather than directly alter files in their home directories.
noshell, by Michele D. Crabb. Noshell provides an informative alternative to /bin/false.
Copyright © 1996-2009 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. Submit comments This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License(OPL). Site uses AdSense so you need to be aware of Google privacy policy. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
Created: May 16, 1997; Last modified: August 15, 2009