What should go into a security-checking shell script?
John Kimball
jkimball at SRC.Honeywell.COM
Tue Oct 31 11:17:32 AEST 1989
>Re: What should go into a security-checking shell script?
Here's the list which I've been maintaining. Apologies for the terseness.
Some of the stuff is BSD/Sun specific. I have a script (with associated
programs) which checks most of these; it's pretty raw yet.
*** Compare the attributes of "critical" files against a snapshot taken
    at a certain time.

    Attributes to check:
        uid, gid
        permissions
        modification time
        number of links
        checksum / CRC
        size

    Files to check:
        /vmunix
        any suid/sgid
        /bin/*, /usr/ucb/*, /usr/bin/*
        /etc/*
        /usr/etc/*
        /usr/local/* (?)
        /usr/lib/many-things
        /usr/lib/uucp/many-things
        /usr/include/many-things
        /lib/many-things

*** scan all files for dangerous combinations of file attributes

    SUIDs, SGIDs
        SUIDs, SGIDs writable by group, other
        SUIDs, SGIDs owned by system ids but not in system bins/libs
        any SUIDs in non-system (i.e. user) areas

    special files
        block special files readable/writable by group, other
        char special files readable/writable by group, other
            (excluding ttys, sigh)
        block/char special files not in /dev

    writable system files
        system directories writable by other, or by group
            (excluding tmp directories, uucppublic)
        system files writable by other/group
            (excluding tmp directories, uucppublic)
        writable binaries, writable stuff in /etc

    certain readable system files
        syslog*!
        crontab, /dev/mem, /dev/kmem, and L.sys shouldn't be
        other-readable.

    user startup files
        user startup files writable by group/other
            (.login, .cshrc, .profile, .exrc, .mailrc, .emacs, .logout)
        user .exrc files in directories writable by group/other

    user dirs writable by group/other
    user files writable by other

*** scan for dangerous attributes within critical files (and yp maps)

    /etc/passwd
        users without passwords
            including uucp!
        users with same uid
            including non-root accounts with uid 0!
        guest accounts
        blank lines, ::0:0::
        number of fields
        length of fields (i.e. number of characters in field)

    /etc/group
        users in administrative groups (e.g., bin)
        number of fields
        length of fields (i.e. number of characters in field)

    crontab
        reduce number of things run as root (su to news, etc., instead)

    /etc/servers
        Only run the minimum number of servers you need.
        rpc.rexd is bad news

    /usr/lib/uucp/USERFILE
        only /usr/spool/uucppublic should be readable/writable for
        incoming uucps

    /usr/lib/uucp/L.cmds
        only rmail and rnews should be uuxqtable

    /.rhosts, /etc/hosts.equiv
        look for nonlocal hosts, '+'.

    /etc/securetty or /etc/ttytab
        disallow root login on most/all terminals

    /etc/netgroup, /etc/exports

    /.profile, /.cshrc, /.login
        check for bad PATH (have *no* ., or . as last!)
    look for bad user PATHs
    look for user .rhosts files mentioning external hosts

*** scan for untoward users
    stale logins (users who haven't logged in for a long time)
    trivial passwords
        It's best to catch these at password-changing time, but
        password guessers are also available.

*** scan for odd activity
    last: look for logins/ftps by sync, daemon, sysdiag, etc.
    ps: look for cpu-eaters, etc.

*** dangerous filenames
    user .rhosts files
        disallow if feasible
    su, login, passwd, crypt in strange places

*** monitor the various logs
    search the uucp logs, the syslog logs, etc., for oddities.
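As an added example (not part of the post above or its author's script), here is a POSIX sh sketch of two of the checks the list describes: a snapshot/compare of critical-file attributes (uid, gid, mode, mtime, links, size, CRC) and a scan of a passwd-format file for empty passwords, duplicate uids and malformed lines. It assumes GNU stat(1) for the attribute fields; cksum(1) is POSIX and supplies the CRC.

```shell
#!/bin/sh
# Added example, not the original poster's code. Assumes GNU coreutils
# stat(1); cksum(1) is POSIX. Paths are assumed to contain no whitespace,
# since records are split on spaces.

# One record per file: path uid gid mode mtime links size crc
snapshot() {
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            printf '%s MISSING\n' "$f"
            continue
        fi
        attrs=$(stat -c '%u %g %a %Y %h %s' "$f")
        crc=$(cksum < "$f" | cut -d' ' -f1)
        printf '%s %s %s\n' "$f" "$attrs" "$crc"
    done
}

# Re-snapshot every path in a saved baseline and report differences.
# Returns 0 if nothing changed, 1 if any attribute differs or a file vanished.
compare_snapshot() {
    baseline=$1 changed=0
    while read -r path rest; do
        now=$(snapshot "$path")
        if [ "$now" != "$path $rest" ]; then
            printf 'CHANGED %s\n  was: %s\n  now: %s\n' "$path" "$rest" "${now#* }"
            changed=1
        fi
    done < "$baseline"
    return $changed
}

# Scan a passwd-format file for the problems the list names: empty password
# field, duplicate uids (including non-root uid 0), blank or short lines (::0:0::).
check_passwd() {
    awk -F: '
        NF != 7                 { printf "BADFIELDS %s (%d fields)\n", $0, NF; next }
        $2 == ""                { printf "NOPASSWD %s\n", $1 }
        $3 == 0 && $1 != "root" { printf "UID0 %s\n", $1 }
        seen[$3]++              { printf "DUPUID %s shares uid %s with %s\n", $1, $3, first[$3] }
        !($3 in first)          { first[$3] = $1 }
    ' "$1"
}

# Usage: snapshot /vmunix /etc/passwd /bin/* > baseline
#        ... later: compare_snapshot baseline; check_passwd /etc/passwd
```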