Path: utzoo!mnetor!tmsoft!torsqnt!news-server.csri.toronto.edu!math.lsa.umich.edu!zaphod.mps.ohio-state.edu!samsung!umich!ox.com!emv
From: df@sei.cmu.edu (Dan Farmer)
Newsgroups: comp.archives
Subject: [alt.security] cops, new stuff, RFC
Keywords: 1.02
Message-ID: <1990Dec29.221217.11815@ox.com>
Date: 29 Dec 90 22:12:17 GMT
References: <9824@as0c.sei.cmu.edu>
Sender: emv@ox.com (Edward Vielmetti)
Reply-To: df@sei.cmu.edu (Dan Farmer)
Followup-To: alt.security
Organization: Carnegie-Mellon University (Software Engineering Institute), Pgh, PA
Lines: 124
Approved: emv@ox.com (Edward Vielmetti)
X-Original-Newsgroups: alt.security
Archive-name: security/unix/cops/1990-12-29
Archive-directory: cert.sei.cmu.edu:/pub/cops/ [128.237.253.5]
Original-posting-by: df@sei.cmu.edu (Dan Farmer)
Original-subject: cops, new stuff, RFC
Reposted-by: emv@ox.com (Edward Vielmetti)

(Sorry if this gets out twice (well, the heading won't, since I had to
rewrite the sucker), BTW -- our posting mechanism snarled and shredded my
last post, methinks.)

Anyway, I'm about to put out a new patch for cops, and am asking for any
requests, comments, code, or whatever, before doing so. I'm putting a brief
description of the changes below; I think this is all done, I'm just working
on the stupid documentation, and should put the patch out in a week or two.
I'll be posting first to alt.sources, then firing it off (after any comments
trickle in) to comp.unix.sources, for the "official" new version. Hopefully
this will shake out any problems with the new stuff, plus alt.sources gives
instant gratification :-)

Send code, flames, questions, and accolades to me.

Oh, for those who don't have it, or don't know what cops is, you can get it
via anon-ftp from uunet.uu.net or other fine archive sites, or at my private
stash at cert.sei.cmu.edu, in ~ftp/pub/cops (read the README file.) It's
currently at version 1.01.

Will someone send me some uucp checking code?
-- dan

COPS 1.02
=========

More changes from last time to make your lives easier, in addition to fixing
some bugs and making things hopefully more portable:

Everything is rewritten in perl. Just kidding. Testing you to see if anyone
reads this stuff. If everyone had perl, though... Hey! You! Get perl. Do the
world a favor, ok? Wonderful, wonderful thing. Run, don't walk to your local
perl archive site (jpl-devvax.jpl.nasa.gov, tut.cis.ohio-state.edu are good
for this.)

However, kuang *has* been rewritten in perl, for those lucky people who have
it. *Fast* Very fast. Steve Romig did this (thanks, Steve!); more incentive
to get perl for your site. He's working on an even better version as I speak.

A crc blaster -- generates crc's for files; you can specify a personal key of
sorts, to get unique values for your files, to prevent tampering.

Anonymous ftp setup checker (ftp.chk -a); don't leave home without it.

The SUID finding program now also flags any world writable SUID files and
shell scripts (or anything non-executable; your choice) as an added danger
(as well as reporting them as before.)

Optional password diff checker (pass_diff.chk -- amazing, huh?) -- only
checks passwords that have changed since the last time. If you change
$ONLY_DIFF to "yes", in the cops shell script, it will only mail you a report
if things have changed since the last report.

New checks for tftp, uudecode alias, rexd, and uuencode (misc.chk). Room for
lots more if anyone wants to send them to me.

Trivial flag added to the password cruncher so it chews on arbitrary
password files; you can grind away at your yp stuff as well, or chew at it
from one of your big guns. You probably already had this added. How 'bout
sending me some diffs?

Some bugs, memory leaks, etc. have been fixed, plus a new option or two may
be added.

Reports are now saved in a file with the name "year_month_day".
By default, they are saved in a directory with the same name as the host, so
you don't have to keep track of which reports are where, or of colliding
reports.

Checks made for world writable files now look at the parent directory
structure of a path, and flag if any are world writable. This can make the
warning:

    "warning -- /usr/foo/bar/local/sun/command is world writable"

confusing if the directory "/usr/foo" is world writable, but none of the
other files or dirs are; keep this in mind.

"root.chk" checks to see if /.login, /bin, etc. are owned by root -- if they
aren't, you can blow over the password file and such, by using rcp (from,
say, user "bin", which you shouldn't be able to do.) I'm not sure if I'll
keep this here or not... don't know if it's all that important.

"user.chk" checks .logout and .rhosts files (was .rhost) now, too.

file.chk and dir.chk have been replaced by is_able.chk. This reads a config
file for all the info, as before. Is_able can check for readability,
writability, and suid status (big deal, eh?)

All scripts start with a ":" on line 1 instead of #!/bin/sh, since it didn't
work on some stupid machines.

New, optional directory structure (for multiple machine/binary sites). Looks
something like:

    $SECURE/cops --
                  |
                  -- docs
                  |
                  -- src
                  |
                  |--- archtype1 binaries (sun, or whatever)
                  |      |
                  |      | - results for sun workstation 1
                  |      | - results for sun workstation 2
                  |
                  |--- archtype2 binaries (dec)
                  |      |
                  |      | - results for dec workstation 1
                  |      | - results for dec workstation 2
                  |
                  |--- archtype3 binaries (vax)
                         |
                         | - results for vax 1
                         | - results for vax 2

You run "cops archtype", and it would cd into the binary directory, use those
binaries, and put any results in a subdirectory of the appropriate host name.
Results would be stored with a date as the title, not some stupid number.
Alternately, you can just run "cops", and it will take your hostname as a
directory to store the results.

Probably some other minor stuff I can't think of right now.
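As an added illustration of two of the checks described above (not COPS code, and not how COPS 1.02 itself is written), here is a small POSIX sh stand-in: check_ww_path walks a path and every parent directory and names the component that is actually world writable, which removes the ambiguity in the "/usr/foo/bar/local/sun/command is world writable" warning; scan_suid lists set-uid files and flags the added dangers (world writable, or a "#!" shell script). The function names, the optional TOP argument that bounds the upward walk, and the message format are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not part of COPS: world-writable path walk and SUID scan.

# is_world_writable PATH -> status 0 if the "other" write bit is set.
# ls -ld is used because it is portable to old Unix flavours; the 9th
# character of the mode string is the other-write bit.
is_world_writable() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        ????????w?) return 0 ;;
        *)          return 1 ;;
    esac
}

# check_ww_path PATH [TOP] -> one warning per world-writable component,
# from PATH itself up to TOP (default "/"); status 0 when nothing is found.
# TOP is an assumed extra so the walk can stop at a test tree instead of /.
check_ww_path() {
    target=$1
    top=${2:-/}
    found=0
    p=$target
    while :; do
        if is_world_writable "$p"; then
            echo "warning -- $target is world writable (component: $p)"
            found=1
        fi
        [ "$p" = "$top" ] && break
        parent=$(dirname "$p")
        [ "$parent" = "$p" ] && break      # reached the filesystem root
        p=$parent
    done
    return $found
}

# scan_suid ROOT -> one line per set-uid file under ROOT, with extra flags:
# WORLD-WRITABLE if anyone can overwrite it, SCRIPT if it starts with "#!".
scan_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | while read -r f; do
        flags=""
        is_world_writable "$f" && flags="$flags WORLD-WRITABLE"
        case "$(dd if="$f" bs=2 count=1 2>/dev/null)" in
            '#!') flags="$flags SCRIPT" ;;
        esac
        echo "suid: $f$flags"
    done
}

# Usage: sh thisfile.sh /usr/foo/bar/local/sun/command
if [ $# -gt 0 ]; then check_ww_path "$1"; fi
```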
Send bugs, comments, etc, to df@cert.sei.cmu.edu.