The checksecurity command runs a small collection of simple system checks whcih are designed to catch a few common security issues. Checksecurity is run by cron on a daily basis. Several known hacker foot-prints are investigated on the system as well as a full system RPM verification. This program is not intended to protect or disinfect a system.
Tiger is composed of a series of modules. Each of these modules check specific security issues related to UNIX systems. The framework provided by Tiger allows the provision of both generic modules and those specific for the operating system the software runs in. Modules can be executed stand alone, from cron or through the tiger program (which will execute all those available). If you want to write additional modules for your system read the README.writemodules document. Tiger currently provides the following modules:
check_accounts
Checks the accounts provided in the system, looking for disabled accounts with cron, rhosts, .forward, and valid shells.
check_aliases
Performs a check for mail aliases and improper configuration.
check_anonftp
Determines if the anonymous FTP service is properly configured.
check_cron
Validates the cron entries in the system.
check_embedded
Determines if embedded pathnames are configured properly.
check_exports
Analyses configuration files for NFS exported filesystems to see if access is properly restricted.
check_group
Checks the UNIX groups available in the system, looking for conflicts and improper entries.
check_inetd
Checks the inetd configuration file: compares against services definition, valid directory paths, non-existent binaries and active services.
check_known
Looks for known intrusion signs including backdoors and mail spools.
check_netrc
Checks if users’s netrc files are insecurely configured.
check_nisplus
Looks for wrong configuration in the NIS+ entries.
check_passwd
Checks the UNIX users available in the system, looking for conflicts and improper entries.
check_path
Validates the binaries in user’s PATHs as well as PATH definitions used by scripts in order to determine insecure definitions.
check_perms
Check filepermissions and inconsistencies.
check_printcap
Analyses the configuration for the printer control file.
check_rhosts
Checks rhosts files in order to see if user’s configuration leaves the system open to attack.
check_sendmail
Checks sendmail configuration files. check_signatures Compares binary files signatures against those stored in the local database (provided with the program).
check_system
This module calls the operating system’s specific modules available at /usr/lib/tiger/systems/.
check_apache
Checks the Apache configuration file and reports on generic issues which might introduce exposures or vulnerabilities in the system.
check_devices
Checks for devices’s permissions, warning about devices that have world permissions.
check_exrc
Analyses .exrc files that are not in user’s home directories. The vi command will look for the existence of such a file in the current directory, and so may inadvertently perform commands that can compromise your system’s security when starting vi or ex.
check_finddeleted
Checks if deleted files are being used by any process in the current system. This might be an indication of intrusion (a user executing processes and then deleting its files) or of unpatched servers (which, if not restarted use old library files and are still vulnerable).
check_ftpusers
Analyses the system’s /etc/ftpusers and determines if the administrative users are in that file.
check_issue
Checks the /etc/issue and /etc/issue.net file to determine if they contain the appropriate content (this is defined in the ISSUEFILE and ISSUENETFILE).
check_logfiles
Checks for the existence of log files (wtmp, btmp, lastlog and utmp). It will also check for proper umask settings.
check_lilo
Analyses configuration files for lilo and grub boot loaders (Linux-specific).
check_listeningprocs
Checks for processes listening on TCP/IP sockets (servers) in the system as well as users running them. Will warn if the user running a server is not an authorised one or if the server is listening on all available interfaces.
check_passwdformat
Checks the format of the /etc/passwd file in order to determine inconsistencies which indicate an intrusion or misconfiguration.
check_patches
Checks if patches are available for the system (i.e. new packages). It will use autorpm or apt-get to check this (so this tools need to be properly configured). This check is specific to Linux (RedHat or Debian).
check_root
Checks if remote root login is allowed to the local system.
check_rootdir
Checks the permissions for the root directory.
check_rootkit
Tries to find systems which have been rootkited, it does so by looking for trojaned ls and find commands. It also includes a wrapper to run the chkrootkit program and format the results in Tiger’s message format.
check_single
Checks if the system is properly configured to disallow single-user access. This check is specific to Linux.
check_release
Analyses the version of the operating system and determines if it is too out of date. This check is specific to Linux (RedHat or Debian).
check_runprocs
This module will check if the processes configured in tigerrc are running currently in the system. If any of the processes is not running, Tiger will warn the administrator (this acts as a lightweight software watchdog)
check_services
Check which services are configured in the system (usually in /etc/services) versus the ones that should be configured (in the provided services file)
check_tcpd
Tests for the existence of tcp-wrappers and changes in their configuration it also determines which services are running wrapped in tcp-wrappers.
check_umask
Check for umask setting in configuration files.
check_xinetd
Checks which xinetd services are enabled or disabled.
crack_run
Runs a local installation of the Crack program which can be used to determine if local user passwords are easy (or not) to guess.
tripwire_run aide_run integrit_run
Wrappers for a number of integrity checkers, these programs enhance the support of Tiger for MD5 and SHA-1 binary signatures and file system permission checks (implemented with the the check_perms and check_signatures scripts). You should consider installing any of these three programs (Tripwire, Aide or Integrit) and use read-only locations (such as CD-ROM) to store the hashes of the system.
deb_checkadvisories
This module checks against a list of stored Debian Security Advisories in order to see if the system has any package installed whose version might be subject to any security vulnerability (Debian-specific).
deb_checkmd5sums
Compares the MD5 sums of binary files against those provided after installation. Changes in these files might be an indication of a compromised system (Debian-specific).
deb_nopackfiles
Looks for files installed in the system’s directories that are not provided by any installed Debian packages (Debian-specific).
Tiger Website: http://www.nongnu.org/tiger/
Tiger Readme: http://cvs.savannah.gnu.org/viewvc/*checkout*/tiger/tiger/README?content-type=text%2Fplain&revision=HEAD
Tiger man: http://www.penguin-soft.com/penguin/man/8/tiger.html
Rootkit Hunter (RKH) is an easy-to-use tool which checks computers running UNIX (clones) for the presence of rootkits and other unwanted tools. You can use RKH along with ckrootkit to routinely check your system for possible infestation. You could manually update or scan your system or you could use a crontan script like this:
#!/bin/sh
( /usr/local/bin/rkhunter –versioncheck
/usr/local/bin/rkhunter –update
/usr/local/bin/rkhunter –cronjob –report-warnings-only
) | /bin/mail -s ‘rkhunter Daily Run’ root
For Linux systems, if the script is saved in the /etc/cron.daily directory, then the system will automatically run it once per day.
Alternatively, the rkhunter command can be added directly to your root crontab. For example:
30 5 * * * /rkhunter -c –cronjob
Rootkit Hunter will now run at 5:30 (AM).
Rootkit Hunter in action:
One of the first things that should be done after a fresh operating system install is to see what services are running, and remove any unneeded services from the system startup process. You could use a port scanner (such as nmap ) and run it against the host, but if one didn’t come with the operating system install, you’ll likely have to connect your fresh (and possibly insecure) machine to the network to download one. Also, nmap can be fooled if the system is using firewall rules. With proper firewall rules, a service can be completely invisible to nmap unless certain criteria (such as the source IP address) also match. When you have shell access to the server itself, it is usually more efficient to find open ports using programs that were installed with the operating system. One program that will do what we need is netstat, a program that will display various network-related information and statistics.
To get a list of listening ports and their owning processes under Linux, run this:
From the output, you can see that this machine is probably a workstation, since it just has a DHCP client running along with an SSH daemon for remote access. The ports in use are listed after the colon in the Local Address column (68 for dhclient).
Unfortunately, the BSD version of netstat does not let us list the processes and the process IDs (PIDs) that own the listening port. Nevertheless, the BSD netstat command is still useful for listing the listening ports on your system.
To get a list of listening ports under FreeBSD, run this command:
The ports in use are listed in the Local Address column. Many have memorized the common port numbers for popular services, and can see that this server is running SSH, SMTP, DNS, IMAP, and IMAP+SSL services. If you are ever in doubt about which services typically run on a given port, either eliminate the -n switch from netstat (which tells netstat to use names but can take much longer to run when looking up DNS addresses) or manually grep the /etc/services file:
For most other Unix-like operating systems you can use the lsof utility (http://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/lsof/). lsof is short for “list open files” and, as the name implies, allows you to list files that are open on a system, in addition to the processes and PIDs that have them open. Since sockets and files work the same way under Unix, lsof can also be used to list open sockets. This is done with the -i command-line option.
To get a list of listening ports and the processes that own them using lsof, run this command:
# lsof -i -n | egrep ‘COMMAND|LISTEN’
[ Taken from the Book: Network Security Hacks ]
Linux Commands/Tools Security Tips
Loading ...
iEntry 10th Anniversary
LinuxHaxor
WH
MH