Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!usc!cs.utexas.edu!uunet!beartrk!ceilidh!dnichols
From: dnichols@ceilidh.beartrack.com (DoN Nichols)
Newsgroups: comp.sys.3b1
Subject: Re: COPS security audit and the unix pc.
Message-ID: <1991Mar26.162116.28066@ceilidh.beartrack.com>
Date: 26 Mar 91 16:21:16 GMT
References: <1991Mar23.004007.2024@shibaya.lonestar.org>
Organization: D and D Data, Vienna, VA.
Lines: 100

In article <1991Mar23.004007.2024@shibaya.lonestar.org> afc@shibaya.lonestar.org (Augustine Cano) writes:
>When I first ran the COPS security package on my 3b1, I got a report more
>than 250 lines long. Most of the entries were about files and directories
>being world-writable. Surprisingly, the following few commands eliminated
>the vast majority.

You'll also have problems with newer programs which are suid or sgid. As
they pass the age of six months, the format of the 'ls -l' output will
change. This will be reported as new suid files, and files no longer being
suid. (If you have the newest COPS, this may no longer be the case. I don't
have it yet, and don't know whether it is dependent upon the format of the
'ls -l' command.)

By the way, the command for directory listing buried in COPS is tailored to
the BSD world. It uses 'ls -lg' to INCLUDE group ownership in the report.
On our ls, this TURNS OFF the group ownership part of the report.

I would recommend running coffdates(1) on all the bin directories, to set
the date shown in the 'ls -l' to the compilation date, to make sure that
the older ones won't change format on you six months after installation.

>
>One directory that CANNOT be treated in this manner is /usr/spool/uucp.
>I tried it and kermit couldn't then set or clear locks.

Well, you COULD make kermit sgid to mail :-)

>The COPS security report is now down to the following:
>(actual COPS output follows '>', my comments follow each (group of) entry(ies))
>
	[ ... ]
>> Warning! /etc/drvtab is _World_ writable!
>> Warning! /etc/inittab is _World_ writable!
>> Warning! /etc/wtmp is _World_ writable!
>
>Does anybody know if this has to be so? (particularly for /etc/wtmp).

I don't THINK so.

>> Warning! /usr/adm/NBS.log is _World_ writable!
>> Warning! /usr/adm/UNIX.log is _World_ writable!
>> Warning! /usr/adm/cronlog is _World_ writable!
>> Warning! /usr/adm/drv.log is _World_ writable!
>> Warning! /usr/adm/sulog is _World_ writable!
>> Warning! /usr/adm/unix.log is _World_ writable!
>
>Log files... the security risk coming from here is, even in the worst case,
>minimal.

Well, it allows one to cover his tracks when attempting a breakin, if he
has any kind of account on the system.

>> Warning! /usr/lib/crontab is _World_ readable!
>> Warning! /usr/adm/sulog is _World_ readable!
>
>Should anybody care about these two? COPS output is looking more and more
>like lint...

/usr/lib/crontab IS a risk, since it allows an intruder to see easily which
programs/shell-scripts are being run from cron, and as whom. This helps
identify good targets for trojan-horse attacks. Find out what is being run
with privilege, see whether you can modify/substitute one of those to do
YOUR sinister work.

>> Warning! File /dev/console (in /etc/rc*) is _World_ writable!
>> Warning! File /dev/window (in /etc/rc*) is _World_ writable!
>> Warning! File /usr/lib/ua/.blanktime (in /etc/rc*) is _World_ writable!

No need to keep .blanktime writable. Set it once at install, then set it to
444. That way, nobody is going to change it on you.

	[ ... ]
>> Warning! /usr/lbin/uudecode creates setuid files!
>
>This, according to the documentation, is pretty common, but without
>re-inforcing other problems, seems to be ok.

Depends on what you allow for remote execution. If you are running HDB and
have the permissible executable list properly limited, you are probably
reasonably safe.

>Comments anyone? Most of these "problems" (corrected and remaining)
>originated with the standard installation of the standard unix pc
>software, so it's likely you also have them. Whether they can be safely
>ignored is up to you...

Most systems, as they are shipped, are criminally lax.

>Stay tuned for coming attractions: AT&T external monitor for the unix pc?

I'm waiting.

	Safe Computing
		DoN.
-- 
Donald Nichols (DoN.)		| Voice (Days): (703) 664-1585
D&D Data			| Voice (Eves): (703) 938-4564
Disclaimer: from here - None	| Email:
	--- Black Holes are where God is dividing by zero ---
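The two practical points in the exchange above are that COPS-style audits which scrape 'ls -l' break on the six-month date format change (and on the BSD 'ls -lg' vs. System V difference), and that a world-writable /etc or /usr/adm file, or a new set-uid binary, is what you actually want to be told about. The following is an added example, not code from the original post and not part of COPS: a small audit in the same spirit that tests mode bits directly with find's -perm, so file ages and ls output format never enter into it, and that diffs a baseline of set-id files against a fresh scan. The sample tree, its file names and the baseline file are constructed for the demonstration; point the functions at your own bin and etc directories to use them.

```shell
#!/bin/sh
# Added example: a permission audit that tests mode bits with find
# instead of parsing 'ls -l' output. File names below mimic the ones
# named in the thread but the tree is constructed here, in a temp dir;
# nothing touches the real system.
export LC_ALL=C   # stable sort/comm ordering across systems

# Print regular files and directories under $1 that are world-writable,
# as paths relative to $1, one per line, sorted.
world_writable() {
    ( cd "$1" && find . \( -type f -o -type d \) -perm -0002 -print ) | sort
}

# Print set-uid and set-gid regular files under $1 as "setuid <path>" /
# "setgid <path>", sorted. A file with both bits appears twice.
setid_files() {
    ( cd "$1" && {
        find . -type f -perm -4000 -print | sed 's|^|setuid |'
        find . -type f -perm -2000 -print | sed 's|^|setgid |'
      } ) | sort
}

# Compare the current set-id inventory of $2 against a baseline file $1
# (an earlier output of setid_files) and report additions and removals.
# Only mode bits and paths are compared; modification dates play no
# part, so files ageing past six months cannot cause spurious churn.
setid_changes() {
    cur=$(mktemp)
    setid_files "$2" > "$cur"
    comm -13 "$1" "$cur" | sed 's|^|new:     |'
    comm -23 "$1" "$cur" | sed 's|^|removed: |'
    rm -f "$cur"
}

# Build a constructed sample tree (assumption: these perms stand in for
# a freshly installed system) and print its path.
build_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/etc" "$root/usr/adm"
    for f in bin/login bin/su bin/mail bin/kermit etc/inittab etc/wtmp usr/adm/sulog; do
        : > "$root/$f"
    done
    chmod 4755 "$root/bin/login" "$root/bin/su"          # set-uid
    chmod 2755 "$root/bin/mail"                          # set-gid
    chmod 0755 "$root/bin/kermit"
    chmod 0644 "$root/etc/inittab"
    chmod 0666 "$root/etc/wtmp" "$root/usr/adm/sulog"    # world-writable, as COPS flagged
    chmod 0777 "$root/usr/adm"
    printf '%s\n' "$root"
}

# One baseline/re-audit cycle on the sample tree: record the set-id
# files, drop set-uid from login, add it to kermit, and print what a
# re-audit reports.
demo_changes() {
    root=$(build_demo_tree)
    base=$(mktemp)
    setid_files "$root" > "$base"
    chmod 0755 "$root/bin/login"
    chmod 4755 "$root/bin/kermit"
    setid_changes "$base" "$root"
    rm -rf "$root" "$base"
}

# Stand-alone run: audit the sample tree, then show the change report.
root=$(build_demo_tree)
echo "== world-writable files and directories =="
world_writable "$root"
echo "== set-id files =="
setid_files "$root"
rm -rf "$root"
echo "== set-id changes after chmod =="
demo_changes
```

On a real system, run setid_files once after installation, keep that output somewhere not world-writable (which is the whole point of the thread), and diff against it from cron; the world_writable listing is the part to compare against the COPS report quoted above.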