Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!uwm.edu!srcsip!mingus!jkimball
From: jkimball@SRC.Honeywell.COM (John Kimball)
Newsgroups: comp.unix.wizards
Subject: Re: What should go into a security-checking shell script?
Message-ID: <36970@srcsip.UUCP>
Date: 31 Oct 89 00:17:32 GMT
References: <363@nisca.ircc.ohio-state.edu>
Sender: news@src.honeywell.COM
Reply-To: jkimball@src.honeywell.com (John Kimball)
Distribution: usa
Organization: Honeywell Systems & Research Center
Lines: 106

>Re: What should go into a security-checking shell script?

Here's the list which I've been maintaining.  Apologies for the terseness.
Some of the stuff is BSD/Sun specific.  I have a script (with associated
programs) which checks most of these; it's pretty raw yet.

*** Compare the attributes of "critical" files against a snapshot taken
    at a certain time.

    Attributes to check:
        uid, gid
        permissions
        modification time
        number of links
        checksum / CRC
        size

    Files to check:
        /vmunix
        any suid/sgid
        /bin/*, /usr/ucb/*, /usr/bin/*
        /etc/*
        /usr/etc/*
        /usr/local/* (?)
        /usr/lib/many-things
        /usr/lib/uucp/many-things
        /usr/include/many-things
        /lib/many-things

*** scan all files for dangerous combinations of file attributes

    SUIDs, SGIDs
        SUIDs, SGIDs writable by group, other
        SUIDs, SGIDs owned by system ids but not in system bins/libs
        any SUIDs in non-system (ie user) areas

    special files
        block special files readable/writable by group, other
        char special files readable/writable by group, other
            (excluding ttys, sigh)
        block/char special files not in /dev

    writable system files
        system directories writable by other, or by group
            (excluding tmp directories, uucppublic)
        system files writable by other/group
            (excluding tmp directories, uucppublic)
        writable binaries, writable stuff in /etc

    certain readable system files
        syslog*!  crontab, /dev/mem, /dev/kmem, and L.sys shouldn't be
        other-readable.

    user startup files
        user startup files writable by group/other
            (.login, .cshrc, .profile, .exrc, .mailrc, .emacs, .logout)
        user .exrc files in directories writable by group/other
        user dirs writable by group/other
        user files writable by other

*** scan for dangerous attributes within critical files (and yp maps)

    /etc/passwd
        users without passwords, including uucp!
        users with same uid, including non-root accounts with uid 0!
        guest accounts
        blank lines, ::0:0::
        number of fields
        length of fields (ie number of characters in field)

    /etc/group
        users in administrative groups (eg, bin)
        number of fields
        length of fields (ie number of characters in field)

    crontab
        reduce number of things run as root (su to news, etc, instead)

    /etc/servers
        Only run the minimum number of servers you need.  rpc.rexd is bad news.

    /usr/lib/uucp/USERFILE
        only /usr/spool/uucppublic should be readable/writable for incoming uucps

    /usr/lib/uucp/L.cmds
        only rmail and rnews should be uuxqtable

    /.rhosts, /etc/hosts.equiv
        look for nonlocal hosts, '+'.

    /etc/securetty or /etc/ttytab
        disallow root login on most/all terminals

    /etc/netgroup, /etc/exports

    /.profile, /.cshrc, /.login
        check for bad PATH (have *no* ., or . as last!)

    look for bad user PATHs
    look for user .rhosts files mentioning external hosts

*** scan for untoward users

    stale logins (users who haven't logged in for a long time)
    trivial passwords
        It's best to catch these at password-changing time, but password
        guessers are also available.

*** scan for odd activity

    last: look for logins/ftps by sync, daemon, sysdiag, etc.
    ps: look for cpu-eaters, etc

*** dangerous filenames

    user .rhost files: disallow if feasible
    su, login, passwd, crypt in strange places

*** monitor the various logs

    search the uucp logs, the syslog logs, etc, for oddities.
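As an added example (not John Kimball's script, and not part of the original post), three of the checks from the list above written as POSIX sh/awk functions: the critical-file snapshot and comparison from the first section, the /etc/passwd scan (field count, empty password, duplicate uid, non-root uid 0), and the PATH check for "." and empty components. The function names, the snapshot line format, and the constructed command-line front end are this example's own choices; modification time is deliberately left out of the snapshot because ls prints it in a locale-dependent format.

```shell
#!/bin/sh
# Added example, not from John Kimball's script: three of the checks listed
# above as POSIX sh/awk functions. Each prints one finding per line and
# returns 1 when it found something, 0 otherwise, so the functions can be
# chained from cron and their output mailed when non-empty.
# Function names and the snapshot line format are this example's own choices.

# Record the attributes the post lists for each file given as an argument:
#   path mode nlink uid gid crc size
# Mode, link count and numeric uid/gid come from ls -ldn, CRC and size from
# cksum (both POSIX). Modification time is left out because ls prints it in
# a locale-dependent format. Files that do not exist are skipped, so the
# comparison below reports them as missing.
snapshot() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        attrs=$(ls -ldn "$f" | awk '{ print $1, $2, $3, $4 }')
        sum=$(cksum "$f" | awk '{ print $1, $2 }')
        printf '%s %s %s\n' "$f" "$attrs" "$sum"
    done
}

# Compare a baseline snapshot ($1) against a current one ($2): report every
# file whose recorded line changed, every file gone from the baseline and
# every file that is new.
compare_snapshots() {
    awk '
        baseline { old[$1] = $0; next }
        {
            if (!($1 in old))       { printf "%s: new file\n", $1; bad = 1 }
            else if (old[$1] != $0) { printf "%s: changed (was: %s)\n", $1, old[$1]; bad = 1 }
            delete old[$1]
        }
        END {
            for (f in old) { printf "%s: missing\n", f; bad = 1 }
            exit bad + 0
        }' baseline=1 "$1" baseline=0 "$2"
}

# Scan a passwd-format file ($1) for the conditions the post lists: wrong
# field count (covers blank lines and "::0:0::"), empty user name, empty
# password field, uid 0 on an account other than root, and shared uids.
scan_passwd() {
    awk -F: '
        NF != 7                 { printf "line %d: %d fields, expected 7\n", NR, NF; bad = 1; next }
        $1 == ""                { printf "line %d: empty user name\n", NR; bad = 1 }
        $2 == ""                { printf "%s: empty password field\n", $1; bad = 1 }
        $3 == 0 && $1 != "root" { printf "%s: uid 0 on a non-root account\n", $1; bad = 1 }
        ($3 in seen)            { printf "%s: shares uid %s with %s\n", $1, $3, seen[$3]; bad = 1 }
                                { seen[$3] = $1 }
        END                     { exit bad + 0 }' "$1"
}

# Check a PATH value ($1) for "." and for empty components ("::" or a
# trailing ":" also mean the current directory). The position is printed
# so a "." in last place, which the post tolerates, can be told apart from
# one earlier in the search order.
check_path() {
    printf '%s\n' "$1" | awk -F: '
        {
            for (i = 1; i <= NF; i++)
                if ($i == "" || $i == ".") {
                    printf "component %d of %d is %s\n", i, NF, ($i == "" ? "empty (= .)" : ".")
                    bad = 1
                }
        }
        END { exit bad + 0 }'
}

# Command-line front end for stand-alone use (constructed for this example):
#   sh seccheck.sh snapshot /bin/* /etc/* > baseline      (once, on a trusted system)
#   sh seccheck.sh snapshot /bin/* /etc/* > current && sh seccheck.sh compare baseline current
#   sh seccheck.sh passwd /etc/passwd
#   sh seccheck.sh path
case "${1:-}" in
    snapshot) shift; snapshot "$@" ;;
    compare)  compare_snapshots "$2" "$3" ;;
    passwd)   scan_passwd "${2:-/etc/passwd}" ;;
    path)     check_path "$PATH" ;;
esac
```

The baseline produced by snapshot is only as trustworthy as the system it was taken on and the place it is stored; keep it off the machine being checked (or at least unwritable by the ids whose files it covers), since a changed baseline hides a changed file. The comparison is whole-line, so any of mode, link count, owner, CRC or size moving is reported, which is the point of the post's first section.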