October 17, 2001, 4:46 PM — Consider your to-do list, based on your
security plan. It should include one or more of the following steps:
- Scan the system for known OS holes and fix them
- Check for generic Unix problems and fix them
- Check directory structure for proper permissions
- Check for network-attack vulnerabilities
- Check for bad user (and root) passwords
- Determine who has the root password and if it isn't
needed, take it away from them
- Install tools to monitor the system and generate
alerts when the system file is altered
- Log all network connections
- Limit access to network daemons
- Prevent users from choosing easy-to-guess passwords
We'll address the first half of that list this month, and the rest next
month.
Scan the system for known OS holes and fix them
There are some holes that the available tools do not check for. These
include recent problems, under-publicized problems, and problems
specific to your site. For these, you need to keep alert to current
problems. Methods include the bug list in this
column, CERT advisories, and mailing lists like
"sneakers."
Check for generic Unix problems and fix them;
Check directory structure for proper permissions
The second and third step can be accomplished by two worthy and free
tools.
The tools are Tiger
and COPS.
Tiger is more up-to-date and more inclusive than COPS, so
it's the one I recommend.
(Note: the TAMU ftp server does not seem to respond well to WWW browser
HTML links, so you may need to step back in time and use ol'
ftp to grab Tiger.)
Running tiger (the executable for the Tiger package)
produces an extensive system scan. Depending on the size and speed of
the system, the check can take from 15 minutes to several hours. Also
note that it is CPU and disk intensive. Here is a snippet from the
beginning of its report:
# ./tiger Configuring... Will try to check using config for 'sun4m' running SunOS 5.3... --CONFIG-- [con004c] Using configuration files for SunOS 5.3. Tiger security scripts *** 2.2.3, 1994.0309.2038 *** 12:20> Beginning security report for tanis. 12:20> Starting file systems scans in background... 12:20> Checking password files... 12:20> Checking group files... 12:20> Checking user accounts... 12:20> Checking .rhosts files... 12:20> Checking .netrc files... 12:20> Checking PATH settings... 12:23> Checking anonymous ftp setup... 12:23> Checking mail aliases... 12:23> Checking cron entries... 12:24> Checking 'inetd' configuration... ./scripts/sub/check_devs: bad substitution 12:25> Checking NFS export entries... 12:25> Checking permissions and ownership of system files... 12:26> Checking for altered or out of date binaries... 12:27> Checking for indications of breakin... 12:27> Performing system specific checks... 12:27> Performing check of embedded pathnames... 12:44> Waiting for filesystems scans to complete... 12:44> Filesystems scans completed... 12:44> Security report completed for tanis. Security report is in `./security.report.tanis.950907-12:20'.
One problem with Tiger is that in some ways it is too
complete. The output from the above run, on a standard-installation
SPARCstation 5, was 782 KB. The output can be even more voluminous if
you install the appropriate signatures for your system. These
are secure checksums of system files based on the original release
of the operating system. Tiger compares the signatures to the current
checksums of your system files, and reports any differences. Files
that are different from the standard release may have been
trojan-horsed by miscreants or somehow changed for ill intent. Tiger
includes a limited, built-in list. You can
get an expanded list from the Tiger ftp site
(again, the TAMU server may not permit browser-initiated ftp requests).
