AFTER the Security Leak
fostel at ncsu.UUCP
Wed Jun 22 03:36:46 AEST 1983
Someone suggested the REAL problem was what happens after a villian
has broken thru. Probably true. Sadly if they are a clever villian
you are in deep trouble. A few things will thwart novice villians.
(Wow three misspellings in a row!).
1) In the crontab, put a late night find over the entire file system
to look for:
   - progs setuid to root, or setgid to administrative groups
   - files which are strangely comparable to things like "rogue" in size
Fortunately, if the find is run as SU, it will look in dirs that
start with a "." -- a common hiding place. A SU ls will too.
2) As part of your "backup" procedures, you might want to copy in fresh
material for the sources and executables for all programs. This will
foil bastardized copies of "passwd" or other booby-traps.
3) Check the search path, login profiles and other default action files
(.mailrc ...) to see that there are no tricks installed there. This
is only needed for privileged users. Check / also, as that is often
the home directory for root and some shells will look here for profiles
and such. Check the personal bins or other bins on your search path,
or preferably don't search other people's dirs.
4) Check protections on crucial files and directories. You'll need to
use the -d and -g switches. Classic is / not protected: how often do
you try "ls -ld /"?
And so on into the night. It is possible to automate a lot of this to
be done periodically. Be sure to check, by hand, that no one has touched
up your checker daemon to no longer check something it used to. If you
want to play with the kernel, a military trick is to not allow SU except
on certain terminals, like the one locked in your office. Certainly NOT
on dial-ups. Another Military trick is to put code to check whenever
/etc/passwd is opened that there is indeed only the expected number of
processes: shell and passwd. This foils the "prog that prints login:
and then waits" trick. Oh this is so much fun!
But seriously, making a UNIX secure is VERY HARD WORK! And I presume the
tapes you refresh the sources and utilities from are kept in a locked
vault to prevent forgeries...... ARRRRRRGGHHHHHHH!
----GaryFostel----
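As an added example, not part of the original post: a small cron-able audit in the spirit of items 1 and 4 above. It lists setuid/setgid files under a tree with a plain POSIX find (which, run as root, descends into dotted directories like any other), diffs that list against a baseline saved from the previous run so that a newly planted setuid binary shows up as a one-line report, and separately flags anything world-writable. The function names, the baseline file location and the constructed demo tree are assumptions for illustration; the script does not attempt the kernel tricks the post mentions.

```sh
#!/bin/sh
# Added example (not the original author's code). Assumptions: a baseline
# file the operator keeps between runs, and a demo tree built under mktemp.

# Print, sorted, every regular file under $1 with the setuid (-perm -4000)
# or setgid (-perm -2000) bit set. Both predicates are POSIX find.
list_privileged() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Print privileged files under $1 that are absent from the baseline file $2.
# A missing baseline is treated as empty, so the very first run reports
# everything, which is the moment to review the list by hand.
new_privileged() {
    root=$1; baseline=$2
    [ -f "$baseline" ] || : > "$baseline"
    list_privileged "$root" | comm -13 "$baseline" -
}

# Freeze the current set as the baseline. Only do this after reviewing what
# new_privileged reported; otherwise the villain's file becomes "expected".
save_baseline() {
    list_privileged "$1" > "$2"
}

# Print files and directories under $1 that anyone may write to (mode bit
# 0002). The classic miss from the post is an unprotected / itself.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print 2>/dev/null | sort
}

# Demo on a constructed tree. No root is needed: a user may set the setuid
# bit on files they own, and nosuid mounts only stop the bit taking effect.
demo() {
    umask 022
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin" "$tmp/home/.hidden" "$tmp/tmp"
    printf 'int main(){}\n' > "$tmp/bin/passwd"
    printf 'int main(){}\n' > "$tmp/home/.hidden/rogue"
    printf 'x\n' > "$tmp/bin/ls"
    chmod 4755 "$tmp/bin/passwd"   # the one setuid program we expect
    chmod 755  "$tmp/bin/ls"
    chmod 1777 "$tmp/tmp"          # world-writable on purpose, like /tmp

    echo "--- first run (no baseline yet):"
    new_privileged "$tmp" "$tmp/.baseline"
    save_baseline "$tmp" "$tmp/.baseline"

    # A villain plants a setuid copy in a dotted directory after the baseline.
    chmod 4755 "$tmp/home/.hidden/rogue"
    echo "--- new setuid/setgid files since baseline:"
    new_privileged "$tmp" "$tmp/.baseline"
    echo "--- world-writable files and directories:"
    world_writable "$tmp"
    rm -rf "$tmp"
}

demo
```

In production the baseline belongs somewhere the audited tree cannot reach (the post's locked vault, or at least a read-only medium), and the script itself deserves the same treatment: a checker that lives on the filesystem it checks is exactly the thing a clever villain edits first.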